Protiviti published its March issue of Compliance Insights this week. We sat down with Steven Stachowicz, Managing Director with Protiviti’s Risk and Compliance practice, to discuss some of the highlights.
In-Depth Interview, Compliance Insights [transcript]
March 17, 2017
Kevin Donahue: Hi, this is Kevin Donahue, Senior Director with Protiviti, welcoming you to a new installment of Powerful Insights. I’m joined today by Steven Stachowicz, a Managing Director with Protiviti’s Risk and Compliance practice and we’re going to be discussing some of the highlights covered in Protiviti’s latest issue of Compliance Insights, a monthly roundup of compliance news in the market. Steve, thanks for joining me today.
Steven Stachowicz: Thank you for having me.
Kevin Donahue: Steve, first question for you. Last month the Clearing House released a report analyzing the current effectiveness of the US AML and counterterrorism financing regulatory regime. Based on its recommendations, it appears that the industry in law enforcement saw a need for improvement in a number of areas. What did the Clearing House report say?
Steven Stachowicz: The report addresses a number of things and I think it’s an interesting read put together over the course of a year by a number of top thinkers in the space. I think it’s also reflective of some of the perhaps frustrations, if you will, of the regulatory regime within the US for AML. So the report has a number of recommendations not necessarily directed at financial institutions, but really directed at lawmakers and regulators and policymakers here within the States to make more efficient and more effective the current regulatory structure and some of the output of it, make it more dynamic to tackle the emerging risks that anti-money laundering and anti-terrorist financing compliance faces today.
So for instance, there’s commentary around rationalizing supervision which is, to some degree, fragmented today between FinCEN as well as the prudential banking regulators, but also we see commentary around reprioritizing suspicious activity reporting priorities. There’s been a lot of conversation about defensive filings and over-filings, a degree of over-cautionary activity on the behalf of banks that, frankly, the financial institutions know about because law enforcement has said itself that many of them are not particularly useful to them in their activities today.
So are there opportunities and should there be opportunities? The Clearing House recommended there are, in fact, opportunities to make certain changes, like changing the threshold, eliminating certain SAR filings for certain types of activities and really looking at the overall reporting guidance that’s going out there to the industry to make it clearer to them in terms of what to do.
The idea that data needs to be more freely shared among financial institutions and between financial institutions and the law enforcement and regulatory agencies is certainly a pretty big deal as well. So the Clearing House report focuses a good deal on making structural changes to the U.S. regulatory regime to combat anti-money laundering and anti-terrorist financing, and where it lands and what happens coming out of this will be most certainly very interesting, and I think financial institutions are going to be interested in reviewing the report. I’m afraid I don’t think they’ll find some of the observations in it all that surprising, sort of living and breathing AML the way that they do today. I think what’s going to be interesting for financial institutions, for all of us, frankly, is to see what and how lawmakers and regulators respond to the recommendations that the Clearing House makes.
Kevin Donahue: Great. Steve, following up on some of those points and I guess bigger picture here, there’s been a lot of AML news and updates lately. Are things in the AML space moving quickly? If so, why?
Steven Stachowicz: So AML’s always going to be something that’s quite dynamic, and I don’t think that surprises anybody in that regard. I think we talk a lot more around emerging risks related to data and cybersecurity, for instance, today are some very hot topics, but we talk a bit about SIFMA and some of the messaging that FINRA provided at the SIFMA conference that we address here in this newsletter, and among the things that they talk about in addition to a number of these emerging issues is really fundamental AML compliance as well.
So for as fast and as much as everything changes, many of the troubles that financial institutions get into or experience are very, very fundamental things in terms of making sure that systems are properly tuned to detect suspicious trades or trading patterns if you’re talking about a broker-dealer, for instance. Producing timely and adequate suspicious activity reporting, making sure that procedures and policies are being followed from an account opening perspective, from a KYC and CIP, making sure that all of these fundamental elements are being executed routinely with high quality.
Then in addition, I think from a second line perspective, from a corporate compliance perspective, making sure that there is a robust risk assessment, that there is robust monitoring and testing in place, that there is a robust issues management in place. So as fast and as much as things change in the anti-money laundering space, that’s not exactly a new concept, right? I mean, anti-money laundering is the detection of that criminal activity and there’s always an element out there that’s looking for a new way to exploit the system. It’s how the institution’s responding.
The institution needs to be innovative, needs to be aware of what’s going on from an emerging risk perspective and be able to react to it. That reaction and that ability to adapt their program is the fundamental AML compliance I’m talking about, that organizations need to make sure that they can do that, and where we see shortfalls, where the regulators see shortfalls oftentimes, is in these fundamental elements of an AML program that should exist, but don’t.
Kevin Donahue: Great, Steve. In our time left today, I’d like to cover a couple of other areas with you. First, the Consumer Financial Protection Bureau. The CFPB is seeking feedback on potentially using alternative forms of data and modeling techniques to evaluate a consumer’s credit worthiness. Why is this noteworthy?
Steven Stachowicz: It’s noteworthy perhaps because it is unknown, it is nonstandard, it is emerging and cutting edge, it is fraught with opportunity and risk, I suppose. So consumer lenders, mortgage lenders, that most of us just frankly as consumers use on a regular basis and as consumers, we know that these things exist. We use credit reports, the very typical credit reports that outline your credit activity for the student loans, the auto loans, the home mortgage loans that you may have. Your credit card is another example.
It’s very traditional, it’s very routinized, it’s very readily-understood data that’s available through a number of large nationwide consumer reporting agencies. Alternative data is less known or understood and it’s fraught with a variety of other untested risks, and it’s an emerging concept, particularly in the fintech space, where there’s ways where – for fintechs who are not obviously traditional banks where customers can just walk in the door, but these non-bank companies are looking for alternative ways to validate customer credit worthiness of customers that they don’t otherwise see or can touch, and/or that don’t have some of the more mainstream credit history that some borrowers might have.
The Bureau, among its many objectives, does in fact and is in fact interested in how credit is made readily accessible to consumers. So the idea that there are alternative forms of data to traditional credit reports that could be used to evaluate the credit worthiness of a consumer who otherwise doesn’t have a traditional credit history for whatever reason – there’s a number of reasons why that might happen. I mean my 80-year-old parents, for instance, haven’t had a loan in years. They might be among the category of individuals we’re talking about here.
The idea that there is this alternative form of data, it’s quite appealing, and these fintechs are aware of that, the traditional bank lenders are certainly aware of that, the consumer reporting agencies themselves are aware of that and have access to, or are evaluating obtaining, this type of information. So it’s no surprise now that the regulatory agencies are also asking questions about “Well, the benefits, some of them seem relatively obvious. Maybe there’re others we’re not thinking about. What are the risks or downsides as well?”
I think that those are going to warrant quite a bit of attention because there certainly are a lot of fraud, a lot of dangers that alternative data is fraught with. It’s not as readily understood as consumer report information because it might not be as standardized. It’s going to take more to explain to consumers the source of the information that’s used to evaluate them from a credit perspective, and some of these forms may not be tested from a fair lending or disparate treatment, disparate impact perspective too, the way that consumer report information might be.
So obviously there’s a concern about discriminatory impacts, privacy-related impacts, transparency to consumers of what’s going on, how they can dispute inaccurate information and so on. So it most certainly is noteworthy for so many reasons, but it’s here now, I think, and I think the banks and non-banks and the consumer reporting agencies and the regulators all alike are starting to think about what are these other forms of data, what are the risks of using them, what are the benefits of using them, how do we address this as an industry?
Kevin Donahue: I have no doubt we’ll be hearing much more about this in the months to come. Hey Steve, final question for you as we close out our discussion, the Office of the Comptroller of the Currency recently issued guidance pertaining to third-party risk management. What kind of risks are we talking about here?
Steven Stachowicz: What we see the OCC having done in January of 2017 is they issued supplemental examination procedures to guidance that they issued to the industry in 2013 related to third-party risk management.
The 2013 guidance has been used now for a number of years by the financial institutions in terms of understanding the OCC’s expectations related to their engagement of third-party service providers, and third-party service providers who provide any number of services to the institution and/or with whom the institution might be partnering. So if you think about a credit card affinity relationship or something of that nature, where it’s less of maybe a service provider relationship and more of a partnership, but nonetheless, it’s a third-party relationship, and it’s a risk that the OCC expects national banks are addressing.
We see, although the OCC issued this and it pertains to national banks and thrifts under their supervision, the FDIC, the Federal Reserve all have relatively similar concepts. The exam procedures, it’s not that they specifically provide guidance to the industry – they provide guidance to the examiners in terms of how to evaluate third-party risks – but I think what’s notable about the procedures that have come out is that it provides financial institutions more insight into how their examiners may be looking at third-party risk and some guidance in a way, if you will, as to how the institution itself might be evaluating the strength and effectiveness of its third-party risk management program in preparation for what the OCC might.
So the exam procedures have pages and pages and pages of various procedures and risks that the OCC could tackle. It’s not, from what we understand, the expectation that in every situation, in every exam of third-party risk management, the OCC is likely to execute all of these procedures. The OCC exam procedures are really meant to be risk-based and this is really guidance to examiners on what to look for and then maybe what to dive into, and they split it up into two different areas, if you will: there’s quantity of risk and then there’s quality of risk management.
When an examiner is looking at a national bank or an OCC-regulated institution, their first set of procedures are really going to be around identifying the quantity of risk that third-party relationships pose to the bank. Who is an organization maintaining relationships with? What’s their inventory of third-party relationships? How are they categorizing them? What are the types of services that are being provided? How many of these relationships are truly critical and in turn have meaning to the OCC and to their supervised institutions? What are the various types of risks that they pose from a credit risk or a compliance risk or a reputation risk?
A service provider could pose all of those or some of those in differing forms, and the OCC points out that there are some relationships that may be higher risks than others. So most of us know, it’s sort of emerging, the concept of fintech and marketplace lending and so on. Those relationships with financial technology providers or some of these marketplace lenders, for instance, may pose more risk than some of the more traditional correspondent lending relationships that banks have.
So okay, if you’ve got this type of risk, how are you managing it? How are the third-party risk management protocols and program in general – how are those things integrated into the overall enterprise risk management framework of an organization? Is it a separate discipline or is it really truly fully integrated? What sort of mechanisms exist to monitor the risks that these various relationships pose?
Again, focusing to some degree also on how are critical relationships being managed and how are some of those higher risk relationships like with fintech companies being monitored by the organization as well? Along those lines, what sort of diligence is occurring not only in the upfront, but throughout the life and life cycle of working with a third-party service provider? Are they obtaining certain reporting? Are they routinely monitoring? Are they going in and auditing? What does that look like within the financial institutions?
So it’s helpful to have the exam procedures if you’re a financial institution because they give you a little bit more insight as to how the OCC is probably going to look at this and it really provides some guidance in that regard and some opportunity, I think, importantly, for financial institutions to take these exam procedures and run their own self-assessment to the extent that they’re not already, to say “Where do we think we’re doing well,” number one, but “Where do we think we have opportunities,” number two, “to make enhancements or to better tell the story of what we’re doing or address those soft spots in our program that we know that we might have in advance of an examination?”
Kevin Donahue: Steve, I want to thank you very much for joining me today to share your thoughts on this latest compliance news in the financial services industry. I want to invite our audience to visit Protiviti.com/compliance-insights where you can find the latest issue of our Compliance Insights newsletter as well as prior issues we’ve published.