Doubling Down on AML: Higher Stakes for Casino Compliance

By Steve Wang, Managing Director
Internal Audit and Financial Advisory

Despite recent improvements in the gaming industry’s efforts to combat money laundering, enforcement actions by U.S. and foreign regulators have put casino operators on notice that their anti-money laundering (AML) programs and related internal controls are being subjected to greater scrutiny.

Consequences have escalated. Following a court ruling that the Bank Secrecy Act (BSA) permits penalties against owners, officers, directors and employees as well as against the organization, compliance officers now face personal liability for AML violations on their watch.

Pillars of an Effective AML Program

Over the past two years, the U.S. Treasury’s Financial Crimes Enforcement Network (FinCEN) has levied seven fines totaling $110 million, more than double the number, and almost ten times the dollar value, of all AML fines against casinos in the previous 11 years. Future penalties may also be on the rise. The Federal Civil Penalties Inflation Adjustment Act Improvements Act, effective last August, requires agencies, including FinCEN, to make one-time “catch-up” adjustments to their civil penalty amounts and to adjust them annually for inflation thereafter. Many civil penalties have not been adjusted in decades, so maximum penalties could rise substantially. And FinCEN is not the only federal body levying fines: other components of the Treasury Department (FinCEN is itself a Treasury bureau) and the Department of Justice have also fined casinos.

Casinos have long been the focus of government scrutiny because of the large amounts of cash they handle, which makes them particularly vulnerable to money laundering and terrorist financing. But not all the news is bad. A research report from the American Gaming Association suggests that the gaming industry has taken significant steps to comply with AML and counter-terrorism financing (CTF) requirements. In its December 2016 Mutual Evaluation Report on the United States, the international Financial Action Task Force (FATF) commented favorably on the increased number and quality of suspicious activity report (SAR) filings by casinos: 50,941 in 2015, versus 21,308 in 2012.

Nevertheless, the increased emphasis on disclosure runs counter to an established industry practice of protecting the privacy of high rollers, and so casino operators and their compliance staff may feel uncertain about the best way to reconcile their disclosure obligations with business objectives.

Protiviti recommends that casino compliance officers take actions to mitigate the compliance risk, such as:

  • Share risk assessments with the proper stakeholders – Effective AML programs should take a risk-based approach, which starts with conducting a risk assessment at the property level. Assessments should be reported to executive leadership, and used to customize compliance programs with a particular focus on customer due diligence (CDD) and transaction monitoring.
  • Develop and share CDD standards with employees – CDD programs must evolve and take a risk-based approach to gaining a better understanding of patron relationships and identifying those that may pose a threat. Higher-risk patrons should receive additional scrutiny (enhanced due diligence) to verify source of wealth and known associates, review game play, and screen against government sanctions lists. Enhanced due diligence policies should be in writing and align with heightened regulatory expectations and industry best practices.
  • Request additional resources – Higher stakes and expanding regulatory requirements mean more people, dollars and systems will have to be dedicated to AML compliance. It is essential that compliance officers request sufficient funding support from executive leadership. Given the recent focus on individual liability, it’s in their best interests.
  • Share information with other casinos – Threat information can be exchanged legally under the safe harbor provision of Section 314(b) of the USA PATRIOT Act; however, many casinos have been unaware that they are covered by the provision. Casinos may also share SARs with affiliated casinos under the same U.S.-based parent company. Both of these rules make compliance easier, and casinos should update their information-sharing policies and procedures to reflect them.
  • Stay current in AML training – Management should revisit AML training modules for each job role, for both floor and cage staff and compliance personnel. Staff should be taught to recognize red flags such as large cash transactions with minimal gaming activity, and series of cash transactions that appear to be structured to stay under the $10,000 currency transaction report (CTR) threshold. Because a casino must aggregate a patron’s cash transactions across a gaming day for CTR purposes, a pattern of sub-threshold transactions is itself a signal worth investigating.
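The red flags in the training bullet above are the kind of thing a transaction-monitoring rule should catch before a human ever looks at the patron. The following is an added example written for this page, not Protiviti’s or any vendor’s monitoring logic: it aggregates cash-in per patron per gaming day and raises three flags, one for sub-threshold transactions that together exceed the $10,000 CTR threshold, one for repeated near-threshold days, and one for large cash-in with little rated play. The $10,000 figure is the real CTR threshold; the 90 percent “near threshold” band, the 25 percent play ratio, the seven-day window, the three-day repeat count, and all patron data are assumptions constructed for illustration.

```python
"""Added example: simple transaction-monitoring rules for the cash red flags above.

Constructed sample data; every threshold except the $10,000 CTR figure is an assumption.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import date, timedelta

CTR_THRESHOLD = 10_000   # cash-in of more than $10,000 in a gaming day requires a CTR
NEAR_RATIO = 0.90        # assumed: a daily total at 90-100% of the threshold is "near threshold"
MIN_PLAY_RATIO = 0.25    # assumed: rated play below 25% of cash-in is "minimal gaming activity"
LOOKBACK_DAYS = 7        # assumed: window in which repeated near-threshold days are counted
REPEAT_COUNT = 3         # assumed: near-threshold days within the window needed to raise a flag


@dataclass(frozen=True)
class CashTxn:
    patron_id: str
    gaming_day: date
    amount: int  # USD cash-in at a cage, table or kiosk


def daily_totals(txns):
    """Aggregate cash-in per (patron, gaming day), as a casino must do for CTR purposes."""
    totals = defaultdict(lambda: {"cash_in": 0, "max_single": 0, "count": 0})
    for t in txns:
        d = totals[(t.patron_id, t.gaming_day)]
        d["cash_in"] += t.amount
        d["max_single"] = max(d["max_single"], t.amount)
        d["count"] += 1
    return totals


def flag_patrons(txns, rated_play):
    """Return {patron_id: sorted list of flag names}.

    rated_play maps (patron_id, gaming_day) -> USD wagered (coin-in) that day.
    """
    flags = defaultdict(set)
    totals = daily_totals(txns)
    near_days = defaultdict(list)
    near_floor = NEAR_RATIO * CTR_THRESHOLD

    for (pid, day), d in totals.items():
        # Rule 1: several sub-threshold transactions that together exceed the threshold.
        if d["count"] > 1 and d["max_single"] <= CTR_THRESHOLD and d["cash_in"] > CTR_THRESHOLD:
            flags[pid].add("aggregate_over_threshold")
        # Rule 2 (collect): a day whose total sits just under the threshold.
        if near_floor <= d["cash_in"] <= CTR_THRESHOLD:
            near_days[pid].append(day)
        # Rule 3: large cash-in with little rated play (cash moved, not gambled).
        if d["cash_in"] >= near_floor and rated_play.get((pid, day), 0) < MIN_PLAY_RATIO * d["cash_in"]:
            flags[pid].add("minimal_gaming_activity")

    # Rule 2 (evaluate): REPEAT_COUNT near-threshold days inside any LOOKBACK_DAYS window.
    for pid, days in near_days.items():
        days.sort()
        for start in days:
            end = start + timedelta(days=LOOKBACK_DAYS)
            if sum(1 for x in days if start <= x < end) >= REPEAT_COUNT:
                flags[pid].add("repeated_near_threshold")
                break

    return {pid: sorted(f) for pid, f in flags.items()}


# Constructed sample: four patrons over three gaming days (not real data).
D1, D2, D3 = date(2017, 3, 1), date(2017, 3, 2), date(2017, 3, 3)
SAMPLE_TXNS = [
    CashTxn("P001", D1, 4_000), CashTxn("P001", D1, 4_000), CashTxn("P001", D1, 4_000),  # 12,000 in pieces
    CashTxn("P002", D1, 9_500), CashTxn("P002", D2, 9_800), CashTxn("P002", D3, 9_700),  # just under, daily
    CashTxn("P003", D2, 9_900),                                                          # big buy-in, no play
    CashTxn("P004", D1, 2_000),                                                          # ordinary patron
]
SAMPLE_PLAY = {
    ("P001", D1): 11_000,
    ("P002", D1): 8_000, ("P002", D2): 8_500, ("P002", D3): 8_200,
    ("P003", D2): 500,
    ("P004", D1): 1_500,
}


def run_sample():
    """Run the rules over the constructed sample; P004 should produce no flags."""
    return flag_patrons(SAMPLE_TXNS, SAMPLE_PLAY)


if __name__ == "__main__":
    for pid, names in sorted(run_sample().items()):
        print(pid, ", ".join(names))
```

The rules are deliberately simple so the reasoning is visible: Rule 1 is the aggregation the regulation already requires, Rule 2 looks for the day-after-day pattern that aggregation within a single gaming day cannot see, and Rule 3 separates cash that was gambled from cash that merely passed through the cage. In production the thresholds would be tuned per property from the risk assessment, and a flag would open a review case rather than decide anything on its own.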

The recent Protiviti flash report, Higher Stakes for Casino AML Compliance, offers a wealth of additional information on the topic. You can download it here.

“Stay Nimble”: The Mantra for Manufacturing and Distribution Companies in 2017

By Sharon Lindstrom, Managing Director
Manufacturing and Distribution Industry Leader

For manufacturing and distribution (M&D) companies, which are already well-conditioned to operating in an uncertain global environment, 2017 promises to continue to keep them on their toes. At the very least, it is likely to present a mixed bag of new challenges and opportunities, and executives will need to ensure that their organizations are nimble enough to pivot quickly when faced with disruptive change.

Among the challenges that M&D companies may face this year are the potential negative impacts on trade stemming from the “hard Brexit” course that British Prime Minister Theresa May has set for the United Kingdom. Meanwhile, the new Trump administration’s approach to trade is already proving to be a source of consternation for longtime trade partners such as China, Canada and Mexico. President Trump has already withdrawn the United States from the Trans-Pacific Partnership (TPP) and is expected to sign an executive order to renegotiate the North American Free Trade Agreement (NAFTA). Given the volume of cross-border imports and exports, the impact on M&D companies could be significant.

On the other hand, possible opportunities for M&D companies include easing and/or elimination of certain environmental regulations in the United States. President Trump told auto industry leaders at a recent roundtable that in the U.S. “environmental regulations are out of control.” Less than a week later, he signed an executive order to reduce regulation and control regulatory costs. The order requires that agencies eliminate two regulations for every one they propose. The Environmental Protection Agency is, of course, one of those agencies.

Also among the flurry of executive actions newly signed by Trump is the “Presidential Memorandum Streamlining Permitting and Reducing Regulatory Burdens for Domestic Manufacturing,” which “directs executive departments and agencies … to support the expansion of manufacturing in the United States through expedited reviews of and approvals for proposals to construct or expand manufacturing facilities and through reductions in regulatory burdens affecting domestic manufacturing.” This memorandum is welcome news to manufacturers, especially those that already believed economic conditions under the Trump administration would favor their plans for new facilities or facility expansions. Note that it does not address the corporate tax reform expected in 2017.

In short, there has been no shortage of dramatic change already in the new year. Interestingly, executives at M&D companies sensed months ago that 2017 would likely be another year of economic uncertainty for their industry – though they may not have known the exact kind or level of uncertainty it would bring.

When Protiviti and North Carolina State University’s ERM Initiative embarked on their research for the latest Executive Perspectives on Top Risks Survey, the Brexit vote had not yet taken place, and the major parties in the U.S. presidential election had not yet nominated their candidates. Nevertheless, executives cited the following as the number one and number two top risks for their industry:

  1. Economic conditions in markets we currently serve may significantly restrict growth opportunities for our organization, and
  2. Anticipated volatility in global financial markets and currencies may create significantly challenging issues for our organization to address.

Both of these macroeconomic risks held the same top positions in the previous year’s survey. This, in my opinion, reflects the ongoing challenges that M&D companies face in a global economy. These challenges are driven not only by political uncertainty and trade agreement considerations, but also by supply chain and sourcing vulnerabilities and currency devaluations.

All this underscores why “Stay Nimble” should continue to be the mantra for M&D companies this year. The rapid-fire changes we have seen so far should not lead to paralysis and/or stagnation. The old adage, “When one door closes, another one opens” has never been more true. The events that have unfolded in the first few weeks of 2017 suggest that businesses in this industry group should be prepared to adapt and innovate swiftly to take advantage of the doors that open.

NIST Seeks Comments on Cybersecurity Framework Draft

By Andrew Retrum, Managing Director, Technology Consulting, Cybersecurity

and Randy Armknecht, Director, Technology Consulting, Cybersecurity

Last month, the National Institute of Standards and Technology (NIST) published a discussion draft of revisions to the NIST Cybersecurity Framework (CSF Version 1.1). The draft, though still subject to change, provides new details on NIST’s recommendations for cyber supply chain risk management (SCRM), clarifies key terms, and introduces cybersecurity measurement metrics. Although this is a voluntary framework, the Financial Industry Regulatory Authority (FINRA) and others require organizations under their jurisdiction to adopt and declare a framework, and the NIST CSF is one of the most commonly used.

Here are some of the highlights from the NIST draft:

  • The NIST CSF core currently has 22 categories. The draft adds a twenty-third, Supply Chain Risk Management (SCRM), under the Identify function, along with eight new subcategories: five for SCRM and three under the Protect function. Five existing subcategories have also been clarified.
  • SCRM is now a critical consideration in the NIST CSF, in recognition of the fact that many organizations outsource key business processes to, or share sensitive data with, third parties. The federal banking agencies, including the Office of the Comptroller of the Currency, have separately proposed Enhanced Cyber Risk Management Standards that address the same concern under the heading of “external dependency management.”
  • A new Section 4, “Measuring and Demonstrating Cybersecurity,” offers guidance on how to measure and demonstrate the effectiveness of a cybersecurity program. It separates metrics into four categories: practices, process, management and technical. Measurements should be tied to business objectives and should demonstrate a cause-and-effect relationship between security activity and outcomes, and NIST recommends that organizations tailor the measures and metrics to their own level of maturity. The new section does not, however, offer concrete examples of which specific metrics belong on a control dashboard.

We think these revisions will help the NIST CSF align more closely with regulatory and industry priorities, such as identity and access management, SCRM and vendor risk management, metrics, and cybersecurity threat intelligence. Since these are the same areas that frequently surface as concerns during Protiviti field engagements, we think the changes are necessary and appropriate.

Click here for our flash report on this topic.

Staying Agile a Top Concern for Technology, Media and Communications Companies in 2017

By Gordon Tucker, Managing Director
Technology, Media and Communications Industry Leader

The phrase “innovate or die” has long been a mantra for businesses in the technology, media and communications (TMC) industry. As Satya Nadella wrote to employees on his first day as CEO of Microsoft, “Our industry does not respect tradition — it only respects innovation.”

But the results of a recent survey, Executive Perspectives on Top Risks for 2017, from Protiviti and North Carolina State University’s ERM Initiative, suggest that many executives in the TMC industry group now consider “innovate or die” to be more of an urgent warning than a motivational slogan. They are concerned that their firms will struggle to sustain the agility needed to compete in an increasingly complex and dynamic technology landscape.

According to the survey, executives’ top concern for 2017 continues to be the same as the two previous years: Rapid speed of disruptive innovations and/or new technologies may outpace our organization’s ability to compete and/or manage the risk appropriately, without making significant changes to our business model.

There are two key reasons this risk continues to preoccupy the minds of executives and directors at many TMC companies:

  • Rapid changes are becoming routine for organizations. More important, these so-called “changes” are anything but ordinary; rather, they are industry-shifting innovations, especially in the areas of digital transformation (mobility, data analytics, artificial intelligence and robotics, 3D printing and sensors), that require more than a mere adjustment to one or two parts of the business. These shifts have executives thinking more about how, and whether, they can effectively harness these forces of disruption to transform their own internal operations and those of their partners in the supply chain in order to maintain a competitive position.
  • Disruptive companies that are created today are launched with systems and processes incorporating current digital capabilities; often, these companies enjoy an “out of the gate” advantage over more established companies that must make substantial changes to legacy systems and processes to compete.

The way for TMC companies to keep pace with agile competitors is, of course, to become more agile themselves. Following are strategies these organizations should consider adopting so they can compete effectively in the rapidly evolving digital economy while managing risk appropriately:

  • Make innovation a top — and ongoing — priority for the entire organization; an innovation mindset should be deeply engrained in the corporate culture.
  • Strive to become an “early mover,” i.e., become adept at detecting early signs of market shifts that affect the validity of the enterprise’s critical strategic assumptions, and decide whether to act on those signs.
  • Encourage cross-departmental collaboration on technology and innovation initiatives, especially at the C-level, so that the business, IT and internal audit leaders understand and are actively discussing potential risks and opportunities.
  • Ensure discussions about technology risks are happening at the board level.

A final suggestion for TMC organizations to consider as they work to become more agile: Make sure employees are engaged and committed to new corporate strategies, which increases the likelihood of gaining a sustainable competitive advantage.

To this end, TMC companies should take the advice of Pat Wadors, senior vice president of LinkedIn’s global talent organization, who wrote recently: “Leaders in today’s organizations [must] figure out the best ways to identify, reward, and motivate top agile talent while supporting the constant need to learn. To atrophy is to lose in the market.”

Taking a Global Look at IT Audit Best Practices – ISACA/Protiviti Survey

Protiviti and ISACA, a global business technology professional association for IT audit/assurance, governance, risk and information security professionals, have released the results of our sixth annual joint IT Audit Benchmarking Survey. Key takeaways from this year’s study include the following:

  • Cybersecurity is viewed as the top technology challenge.
  • There appears to be more executive-level interest in IT audit.
  • More CAEs are assuming a direct leadership role for IT audit.
  • Most IT audit shops have a significant or moderate level of involvement in key technology projects.
  • Most IT audit shops perform IT audit risk assessments, though a majority do so annually or less frequently.

Take a look at our infographic and video here. For more information and to download a complimentary copy of our report, A Global Look at IT Audit Best Practices – Assessing the International Leaders in an Annual ISACA/Protiviti Survey, visit www.protiviti.com/ITauditsurvey.

Public Breach Disclosure Laws Up the Ante on Security – But Do They Work as Intended?

By David Taylor, Managing Director
Technology Consulting, Security and Privacy

and Kall Loper, Director
Technology Consulting, Security and Privacy

On January 3, the Massachusetts Office of Consumer Affairs and Business Regulation announced that it will report all data breaches on a publicly accessible state website. Previously, this information could be obtained only through a public records request. The new site presents summary information for each breach, organized by year: the breached organization’s name, the number of residents affected and the type of information exposed (Social Security numbers, credit card numbers, etc.), among other details.

The Massachusetts office’s decision follows other recent examples of states tightening their breach notification statutes and definitions of what constitutes sensitive information. Forty-seven states, the District of Columbia, Guam, Puerto Rico and the Virgin Islands have all enacted laws requiring companies transacting business with residents of their state to report data breaches.

Any law that intends to protect consumers is, on its face, a good one. However, we feel that a direct, pain-stimulus motivation such as Massachusetts’ public breach notification reporting may work against a more effective approach to remediation by forcing short-term, technical responses that do not necessarily ensure security over the long term.

Faced with a public breach disclosure, there is a tendency for companies to seek to end the pain of public exposure as quickly as possible. But rather than encouraging breached companies to address the complex causes of the breach, public breach reporting encourages narrowly tailored investigations and short-term remediations. A quick-to-implement response such as a firewall or an intrusion detection system may remediate the specific problem found, but not the class of vulnerabilities, or any security architecture failings, employee practices or organizational data use patterns.

Often, system-wide vulnerabilities are not addressed for fear of finding more problems that require reporting, potentially causing further erosion of public confidence, brand value or market capitalization. This ostrich-like approach is surprisingly common, and lengthy, expensive lawsuits are often the result. Unfortunately, direct reporting laws, like the recent one from Massachusetts, only intensify the desire to avoid further discovery for fear of immediate penalties.

In addition to the business risks mentioned above, a technical knowledge gap often holds companies back when it comes to remediating the vulnerabilities leading to the breach. Holistic breach recovery requires a broad range of capabilities, from expertise in technical security practices and organization security practices, like identity and access management, to expertise in public relations, legal and electronic discovery processes, project management and information governance policies.

Without an appropriate formulation of goals and planning, a post-breach remediation can be an expensive exercise in seeking psychological comfort and not much more. Vendors will flock to the breached company’s executives with “solutions” that often do not address the root causes of the organization’s failure. Solution-based answers are good if the goal is to show a lot of activity and reportable benefits; however, when the cash stream ends, the solution vendors depart, leaving the company without a long-term plan toward a more secure organization.

Effective post-breach remediation is a planned set of specific activities that ultimately becomes part of the ongoing information security structure. Among these activities are:

  • Organizational change to address the security practices of end users through employee training and implementation of a company-driven plan to grow security awareness
  • Information policies that take into consideration data protection priorities and are designed to eliminate unnecessary risk and minimize unavoidable risk
  • Information governance, to make information available only to those who need it, but also keep it accessible and flexible based on the company’s needs
  • Agile and responsive security through solutions appropriate to the company’s sustainable efforts and long-term goals.

The developments in laws intended to protect consumers’ personal information from exposure point to a trend – there will be more, not less, required of companies in that regard. The sooner and more comprehensively the complex causes of the breach are addressed, the less there is a chance of a repeated event. Only through a comprehensive and thoughtful response will companies lessen the long-term damage to their public image, brand value and bottom line.

Will Hiring Hackers Help Energy’s Cybersecurity Efforts?

By Tyler Chase, Managing Director
Energy and Utilities Industry Leader

and Cal Slemp, Managing Director
IT Security and Privacy Practice Leader

The chief cybersecurity engineer for a major industrial process company advocated not long ago that oil and gas companies hire hackers to improve their cybersecurity defenses. At an annual European-Middle East-Africa user group conference in The Hague last October, Eric Knapp urged attendees to drop their negative perceptions and put hackers to work on their teams.

Knapp’s advice followed a presentation of survey findings in which 82 percent of oil and gas industry respondents reported an increase in successful cyberattacks over the previous 12 months. Executives of the petrochemical companies SARAS and SABIC estimated that cyberattacks cost businesses up to $400 billion per year.

Several weeks earlier, the World Energy Council (WEC) issued a report that, among other conclusions, found that the demand for cyber specialists is growing twice as fast as for all other IT jobs. The WEC cited research linking recent high-profile security breaches to a shortage of almost one million skilled cybersecurity professionals.

Our perspective:

The idea of leveraging “hackers” needs to be put into context. Many organizations already have resources, internal or through consulting firms, who mimic the techniques that real attackers use to break into a company’s IT infrastructure. These “white hat” penetration testers are excellent at testing infrastructure, applications, networks and databases. Using trained personnel who act as attackers but operate under written agreements and defined rules of engagement can make a lot of sense for an organization and is worth considering.

However, cybersecurity, much like other strategic initiatives, cannot be addressed with technology resources or tools alone. It requires a joint effort among departments and employees of all levels. In the same way that police cannot solve all crimes by themselves (despite being the “experts”), cybersecurity professionals need the knowledge and assistance of everyone in the organization. Employees who have been educated on matters of cybersecurity become empowered and thus an extension of the security program.

Finding the similarities between cyber risks and existing risks (e.g., safety) can help translate this subject to nontechnical resources. Many of the lessons learned with regard to overall risk management through more traditional departments, such as internal audit or compliance, can be applied to cybersecurity. Sharing data points that are already being collected by these departments can add value to analyzing security threats. At an even higher level, sharing information across the industry in cyber intelligence groups (CIGs) can allow firms to collaborate on specific threats and solutions, and share data that can add value to their overall threat analyses.

Is hiring “hackers” the answer to the cybersecurity challenge? It’s not quite that simple. White hat hackers certainly have a key skill set organizations need to face the growing threat of cyber crime, but the ultimate success of an organization lies in how well the leadership empowers the overall enterprise to combat cyber risks together.

Luis Castillo of Protiviti Technology Consulting contributed to the development of this content.