Introducing Compliance Insights: Protiviti’s Monthly Roundup of News for Financial Services Firms

By Steven Stachowicz, Managing Director
Risk and Compliance



With global banking regulation consistently ranking as a top concern for financial service industry executives and directors, Protiviti has launched Compliance Insights, a monthly advisory newsletter designed to provide financial services industry (FSI) executives with timely news on issues that are relevant now.

Although primarily focused on banking compliance matters related to consumer protection, privacy, anti-money laundering/anti-terrorist financing, and sanctions, this short newsletter also includes topics applicable to other types of financial institutions, including those in capital markets and emerging financial technology (“fintech”).

The information we choose for our monthly briefing is not intended to be a complete picture of the FSI compliance landscape, but to provide clear and concise summaries on key topics we consider of interest to the industry.  We’re not going to cover everything; rather, each month we’ll highlight a handful of issues, tapping our subject-matter experts for analyses of the latest changes in rules and guidance.

Our inaugural issue, launched in July, led with a couple of updates on global payment systems.  In the wake of cyberattacks on the Society for Worldwide Interbank Financial Telecommunication (SWIFT) payments network, which facilitates cross-border interbank transfers, both SWIFT and the Federal Financial Institutions Examination Council (FFIEC) issued reminders to institutions of the need to manage risks associated with interbank electronic transactions. We also shared new guidance from the Wolfsberg Group of International Financial Institutions, an association of 13 global banks with a common goal of developing effective anti-money laundering (AML) standards. The guidance is related to financial institutions’ use of certain SWIFT services.

Other topics included:

  • Proposed rules from the SEC limiting the use of derivative investments by mutual funds;
  • The long-anticipated proposal from the Consumer Financial Protection Bureau (CFPB) on rules governing payday, vehicle title, and other short-term, small-dollar loans; and
  • The possibility of fintech firms obtaining limited-purpose national bank charters, enabling them to operate under uniform federal regulation and supervision.

Our August issue, released last week, provides updates on another CFPB proposal, this one focused on third-party debt collection practices, plus several other topics we consider relevant:

  • A joint regulatory update of Community Reinvestment Act (CRA) Q&As
  • Increased regulatory scrutiny of potential money laundering at card clubs, casino-like gambling establishments offering exclusively card games
  • A ruling by a Miami judge in an anti-money laundering case that calls into question whether bitcoins are “money”
  • Upcoming changes to the Military Lending Act (MLA), which extends additional consumer lending protections to active-duty military personnel and their dependents

We hope you’ll find this resource useful – please let us know if you do or if you have any suggestions or suggested topics. It is part of our ongoing effort to help financial service institutions face the future with confidence.

You can subscribe to Compliance Insights or send us your feedback here.

Blockchain Unchained: Bitcoin Was Just the Beginning

By Ed Page, Managing Director
IT Consulting



These days, it seems that everyone in the financial services industry is talking about distributed consensus ledger (DCL) technology, commonly known as blockchain. The real-time transaction and settlement technology is viewed by some as the breakthrough that’s going to revolutionize electronic payments systems, and by others as the technological grenade that’s going to rip a hole in the world of banking systems as we know it. The truth is, nobody knows how things will turn out with any degree of certainty.

In my opinion, blockchain is potentially one of the most disruptive business technologies to emerge in the digital age, replacing the traditional bookkeeping system of single private ledgers kept in siloed databases and updated in daily batch settlements with a chain of shared, encrypted public ledgers, linked and validated by network consensus in real time to enable instantaneous settlement. Transactions are said to be “immutable,” because they are confirmed by the network, and cannot be altered by an individual.

In essence, blockchain serves the same function as the current system of clearinghouses and transaction networks that handle most electronic payments and money transfers, including ATM transactions, correspondent banking, credit card purchases and electronic funds transfers. And that’s just one application. Other uses range from secure document transfer and trading of stocks and bonds, to cybersecurity and internal audit.

As you might imagine with something so fundamentally different from what came before it, expert opinions on the benefits, risks and applications are all over the map and often contradictory. The technology itself fosters such contradictions.

For example, while blockchain transactions are considered to be extremely transparent, the anonymity of those transactions has raised anti-money laundering (AML) and Bank Secrecy Act (BSA) concerns — to use an analogy, while the game itself is transparent, the players are not. And despite the widespread (and accurate) belief that blockchain transactions are secure, hackers recently raided a cryptocurrency exchange, making off with millions of dollars in real cash, from transactions conducted in Bitcoin via blockchain.

I bring up the hacker attack to illustrate that while blockchain does, in fact, protect the integrity of the transaction, open ledger cryptocurrency networks remain vulnerable at the nodes, the various businesses that house customer data.

With closed or permission-based blockchains being viewed increasingly as the future in banking, such obstacles will surely be overcome, but it is important to recognize that we are in a “Wild West” period where hackers and fraudsters are trying as hard to beat the system as others are trying to build it.

Once the “frontier” aspect of blockchain wears out and it begins to find its place into the mainstream of banking technology, financial institutions will need to take other, equally important issues into consideration. Here are a few of the wrinkles that will need to be ironed out:

  • Legacy environment — The old ways may not be elegant, or what everybody wants to use, but they are so embedded in the financial services ecosystem that it will take time and effort to change. Overcoming that inertia and figuring out how to integrate old and new in a 24/7/365 transactional environment is going to be a challenge. Regardless of the time it takes, the writing is on the wall for legacy systems.
  • Vested interests — As a technology that eliminates intermediaries, blockchain has the potential to disrupt the powerful and established institutions that own, and profit from, the movement of money among financial institutions. New business models will inevitably emerge.
  • Regulation — Although transactions are transparent, the ability to track money movement in this environment is still undeveloped. Anti-money laundering (AML) is expensive for banks, and the people who launder money tend to spread their activities across multiple institutions, making tracing those activities in their entirety difficult. Blockchain has the potential to shift regulatory focus and burden away from individual institutions and to the exchange network itself. Businesses are already forming to address that need.

Although it is too early for anyone to have all the answers, financial service executives and internal auditors need to become conversant in blockchain to avoid being blindsided by this rapidly evolving disruptor. For a good primer on blockchain, I’d recommend Volume 3, Issue 2 of Protiviti’s PreView series on emerging risks. We’re going to stay on top of this topic for you. Stay tuned!

Strategic Risks: How Can CAEs Up Their Game?

The latest Common Body of Knowledge (CBOK) survey of internal audit stakeholders reports 7 out of 10 stakeholders want audit leaders to focus on strategic risks, as well as operational, compliance and financial risks, during an audit.

The message is loud and clear. Board members and senior executives are saying they wish to look to the internal audit function for insights that will help them stay ahead of the curve on managing strategic risks — a responsibility that requires collaborations across all lines of defense.

The last thing we, as internal auditors, ever want to hear when something goes wrong is: “Where was internal audit?” But how can CAEs up their game to ensure that this doesn’t happen, particularly when there is increased interest in strategic disruption risk? I recently had the pleasure of addressing this topic joined by an outstanding CAE – Chuck Windeknecht, Vice President of the Internal Audit Department at Atlas Air Worldwide, at The IIA International Conference in New York.

A progressive CAE establishes relevance with the board of directors by understanding the organization’s business objectives, strategy and culture, and identifying risks that could impede the successful execution and achievement of the organization’s strategy and objectives. This baseline understanding positions the organization and the internal audit function to constantly scan the horizon and sift through the noise so the audit committee and executive team can be given strategically relevant insights – something they don’t already know.

To do so, CAEs must be alert, informed, and able to quickly discern the vital signs of change. Success is not a matter of luck, but of preparation that leads to doing four things really well:

  1. Understand the critical assumptions underlying the business model. From an internal audit perspective, this is important to be able to adopt a contrarian view, as well as constantly be on the lookout for changes that could disrupt and threaten the company’s strategic plans and business model. CAEs must be able to access and understand opposing points of view within and outside the organization. But they need a context – and that context would be the organization’s strategic assumptions. That’s not to say auditors shouldn’t remain focused on important operational, compliance and reporting issues. The key is to leverage all available technology and tools to allow themselves more time to think strategically.
  2. Help the organization apply scenario analysis capabilities to evaluate potential situations. As the third line of defense, internal audit is one of the organization’s key components of a comprehensive risk management organization. Accordingly, if internal audit could help identify an event or combination of events that could invalidate one or more of the critical assumptions on a timely basis, it would contribute value to the organization’s leadership. While it is universally accepted that risk assessments must be refreshed periodically, the internal auditor’s line of sight is directed to timely recognition of emerging and changing risks.
  3. Ensure the organization’s intelligence gathering activities are aligned with the key indicators evidencing that scenarios of greatest concern are either developing or have occurred. It is one thing to know what can derail the strategy. It is another to align intelligence gathering with factors that signal when such events or circumstances are occurring or have occurred. Competitive intelligence creates enterprisewide transparency by seeking out forward-looking nontraditional information and data that may offer decision makers a contrarian view and early warning signs. Internal audit is well suited to assist the organization’s efforts with analyzing its early alert capabilities to more effectively mitigate the impact of disruptive developments. The understanding of strategic assumptions and an effective contrarian viewpoint enable this analysis.
  4. Help distill and de-mystify timely information about assumptions, scenario analyses and intelligence gathered. Reporting insights to decision makers is what it’s all about – setting us apart and establishing our relevance. To this end, it is critical to establish direct access to customer and marketplace feedback and provide insights that are unfiltered by the suppression occurring when information passes through traditional information siloes. Internal audit should place an emphasis on improving risk information across the organization. That can lead to better information for decision-making used in the business.

To echo my colleague Brian Christensen, these are exciting times for the internal audit profession. Our strategic advice and insight are being sought like never before. We’ve come a long way to get here. Now that all eyes are on us, it is critically important to perform with skill, intelligence and dedication, to prove that our leaders’ faith and trust in us are well-placed.


Sourcing SOX Compliance Costs: Fewer Controls, More Scrutiny

By Nichole Minice, Managing Director
Internal Audit and Financial Advisory



In a recent post recapping our webinar on rising SOX compliance costs, we cited increased external auditor scrutiny of “information produced by entity” (IPE), or electronic audit evidence, as contributing significantly to the increase in costs, with the testing and validation of IPE requiring almost twice the eight-hour average time required to test other internal controls.

External auditors of public companies have come under increasing pressure from the Public Company Accounting Oversight Board (PCAOB). One area of particular emphasis has been the reliance of external auditors on IPE, and the need for increased rigor to ensure that the information is accurate and reliable.

IPE is the raw material from which external audits are crafted. It is, therefore, critical for organizations to be able to “show their work” in a way that can easily be verified and validated. This applies both to the integrity of the data itself and the processes underlying the generation of reports that control owners rely upon when executing an internal control. Under PCAOB standards, an external auditor should rely on an entity-produced report or spreadsheet only if there is sufficient evidence to prove that the information within the IPE document is both accurate and complete.

In my own field experience, it’s not unusual to encounter anywhere from 100 to 150 process-level controls. Because of the precision required by external auditors to meet the PCAOB standards, each of these controls might require 12 to 14 hours to test.

Overall, one in five public companies tests IPE every time a control is tested. Again, while respondents to our survey reported a decrease in the number of controls tested, the amount of effort being spent on the controls they do test has increased, and IPE certainly is one of the big contributors to that.

In such an environment, it’s easy to see how automated controls might significantly reduce the time and effort required for verification, particularly in comparison with a traditional spreadsheet in which every formula is a potential point of failure.

A more robust information technology environment provides a more reliable control environment, so we expect to see automated controls lead to a lot more efficiencies and eliminate human errors associated with manual entries into spreadsheets.

Not surprisingly, we’ve noticed that large accelerated and accelerated filers — entities that have adopted automated controls and reporting out of necessity and therefore tend to be more mature in their control environment — are doing the best job of managing the increasingly granular and transparent reporting requirements.

But companies of all sizes are making progress in this area, and we expect to see that continue. Well over half of the organizations surveyed reported that they have at least moderate plans to continue to automate their controls in 2016. We certainly see this trend at our clients and anticipate seeing more as organizations evolve from newly-public into more established entities.

Bottom line: In the current audit environment, organizations are placing an increasing emphasis on quality over quantity of controls. We’re seeing controls getting stronger, and the rigor from external audit related to PCAOB pressure certainly has an impact on that. I also think that companies are reaping the benefits of these strong controls that they can rely on internally and are looking to reduce the amount of controls that they ultimately have to focus on. It is important in all this that companies have a solid rationale behind their testing approach and communicate with their external auditors early and often.

From New York to Hong Kong: The Need for a Global AML Program

By Carol Beaumier, Executive Vice-President and Managing Director
Regulatory Compliance Practice



Money launderers don’t recognize geographical boundaries and, while they often seek to launder money in those jurisdictions with the weakest regulatory environment, they are also attracted to major markets, which can accommodate large-scale movement of funds. They are masters at exploiting any weaknesses caused by differences among national anti-money laundering (AML) systems, which is why the regulation of money laundering needs to be a global effort.

Three major global financial centers – New York, London and Hong Kong – do share a high degree of commonality with the global AML principles of the Financial Action Task Force (FATF). Despite their common approach to AML, requirements are implemented or enforced differently, with a number of nuances within each jurisdiction – and potentially more in the future as the UK shapes its financial crime regime in a post-Brexit environment. This can be a minefield for global financial institutions seeking to establish and maintain an effective, global AML compliance program.

On the regulatory side, financial regulators have taken a proactive approach to close cross-regional collaboration and joint enforcement activities. This impacts financial institutions, as they may find themselves subject to the same inquiries in multiple jurisdictions at the same time. This regulatory approach highlights the need for compliance teams to be aligned and connected regionally as well as globally.

We discuss these issues, and much more, in a recently published white paper, The Challenges of Managing a Global AML Program. The paper examines the differences among the three global financial centers in four specific areas: regulatory examination and enforcement, correspondent banking, information sharing, and AML technology. It also considers the implications of these differences for financial institutions seeking to implement global AML programs and provides advice on how firms can implement efficiently a compliant AML program that is cost-effective and provides more value to the business.

The white paper offers a comprehensive discussion that’s worth your read. Financial services is, without question, a global business, and while money laundering will not go away any time soon, understanding how to align your global AML program to the nuances of key AML jurisdictions will go a long way in ensuring compliance.

Internal Audit Around the World: Collaboration, Technology and the Female CAE

By Susan Haseley, Managing Director
Internal Audit and Financial Advisory



Technology is creating new areas of risk for businesses, requiring a collaborative mindset and strong relationships to manage risk effectively. At the same time, technology is creating new opportunities to improve how internal auditors manage risk – opportunities that come with the same requirements of collaboration and relationship-building. These changes to the internal audit landscape are becoming evident at a time when more women than ever before have risen to positions of senior leadership.

In our twelfth annual edition of Internal Auditing Around the World, we explore the accelerating change wrought by technology as a source of opportunity and as a source of risk. We also decided to focus this year’s edition solely on the viewpoints of women leaders in internal audit. This combination of themes yields a fresh perspective on the growing drive to collaborate – with IT, business units, senior management and external partners – to leverage specialist knowledge, harness emerging technologies and build influential relationships as trusted advisers to the enterprise.

“Technology is going to completely change the way we audit,” says Kathy Swain, Vice President of Internal Audit at Horizon Blue Cross Blue Shield of New Jersey. “As more businesses are built entirely on technology, internal audit will need to follow suit.”

In no area is this more true than in data analytics, a technological innovation embraced by many of this year’s internal audit leaders as a way to continuously monitor for emerging risks and potential optimizations. At Nordstrom, business intelligence serves not only to support the internal audit function, but also to share insights relevant to business decision-makers.

“These insights will allow our team to become even better at what we’re already good at – risks and controls,” says Dominique Vincenti, Nordstrom’s Vice President of Internal Audit and Financial Controls. “They will also help us to underscore the direct value that the function is providing to Nordstrom in many other ways.”

Some internal audit groups take a different approach – they collaborate with external partners not only to gain access to specialized expertise, but also to leverage technologies not available in-house. “We’re not necessarily making huge technology investments,” says Julie Eason, CNL Financial Group’s Internal Audit Director. “When I don’t have the tech internally, I rely on my co-sourced partners.”

Last but not least, cybersecurity is a growing area of risk that has led internal audit functions to partner closely with IT. Monica Frazer, Vice President of Internal Audit for Baylor Scott & White Health, holds meetings with the chief information security officer at least once a month, and has new hires undergo extensive training in relationship-building skills. This emphasis on collaboration pays off, according to the surveys Frazer’s department holds after every audit. “We’re really viewed as a trusted business adviser,” says Frazer.

Mari Yonezawa, Chief Audit Executive at Obara Group, sums up this year’s theme well: “If auditors have strong communication skills, they can build good relationships, and the audits will go more smoothly.” Then she adds, “I think this is why women make good auditors. We tend to be effective communicators.”

The full volume of our 12th edition of Internal Audit Around the World is available here – peruse at your leisure and let us know your thoughts.

AICPA Issues Audit Risk Alert on Revenue Recognition, With More Guidance to Come

By Charles Soranno, Managing Director
Financial Reporting Compliance and Internal Audit



The American Institute of Certified Public Accountants (AICPA) recently issued an Audit Risk Alert on Revenue Recognition – an early and significant entry in what will be a growing body of guidance concerning the Financial Accounting Standards Board’s (FASB’s) new revenue recognition standard. It’s an important resource for preparers and auditors, because it explains the new revenue recognition accounting and auditing requirements for financial reporting and governance, expected to be released in 2017. The detailed Flash Report we published on July 11 gives an overview of this important alert, provides background on the new revenue recognition standard, and describes the implementation and internal control considerations it will engender.

In 2017, the AICPA will issue a new Revenue Recognition Guide, including several industry-specific implementation guides. The sheer volume of upcoming guidance stresses the significance of the new standard, and hints at the scope and number of implementation challenges confronting preparers and auditors of financial reports. Companies will want to act now to ensure an effective and timely transition to compliance.

After the FASB announced last summer that it is deferring implementation of the new standard by a year, the standard is now finally scheduled to go into effect – as early as 2017 for some entities, with others (those who prefer to keep to the original timeline) permitted to begin early application in 2016.

Accountants and financial reporting managers, as well as internal auditors and others charged with financial reporting compliance and governance, will benefit from becoming familiar with the issues that must be addressed not only during the transition but also afterward. Thus, the alert should serve as a helpful resource for understanding the standard itself as well as its impacts on accounting, financial reporting, and disclosures.

The AICPA’s alert explains the new standard’s principles and emphasizes points that preparers and auditors should consider to avoid misstatements of revenue. The alert also mentions auditors’ responsibilities regarding consideration of fraud in conjunction with a financial statement audit. Preparers and auditors should recognize that improper revenue recognition is a fraud risk, and that misstatements can arise not only from overstatement, but sometimes also from understatement, of revenue.

FASB’s new revenue recognition standard will require management to exercise more judgment, and potentially formulate more estimates, in recognizing revenue than it ever has before. Organizations will want to design an effective system of internal controls to address the heightened financial reporting risk. The AICPA alert includes a table that aligns the new standard’s five-step revenue recognition model to corresponding control activities that could support compliance, and suggests that audit committees and executives include revenue recognition considerations in their audit plans.

As this new standard comes into effect, internal auditors might want to extend their monitoring of internal controls to management’s ongoing implementation of the new revenue recognition standard, and encourage its integration into their organizations’ audit plans. Familiarity with the standard’s requirements and technical accounting acumen are, of course, essential.

Beyond changes to accounting and reporting, the new revenue recognition accounting standard will prompt changes to “people, processes and technology.” AICPA’s publication of the alert – and their forthcoming comprehensive implementation guides – demonstrates the importance of mastering the material, planning the transition early, and making a plan to monitor results after implementing the changes.

Access our detailed Flash Report here.