SOX risk assessment

Listen: Protiviti Compliance Experts Discuss Recent CFPB News, Online Betting Supreme Court Ruling

In the podcast below, Christine Bucy and Sean Kulczycki analyze recent news from Compliance Insights – Protiviti’s monthly compliance newsletter and podcast series. To read all issues, visit


In-Depth Interview
Compliance Insights July 2, 2018 [transcript]

Kevin Donahue: Hello, and welcome to a new installment of Powerful Insights. This is Kevin Donahue, a Senior Director with our marketing group. I’m pleased to be joined today by Sean Kulczycki, a Senior Director with Protiviti’s Risk and Compliance Practice, along with Christine Bucy, an Associate Director with our Risk and Compliance group, and we’re going to be talking a little bit today about recent issues of Compliance Insights, our monthly newsletters, focused on key topics regarding compliance matters in the financial services industry. Christine, thanks for joining me today.

Christine Bucy: Thanks for having me.

Kevin Donahue: And Sean, it’s great to speak with you as well

Sean Kulczycki: Thanks Kevin; you too.

Kevin Donahue: So Sean, let me toss to you the first question here. In our latest edition of Compliance Insights, we talked about the CFPB’s semi-annual regulatory agenda. Can you comment on the directional changes that the bureau’s undergoing that may be evident from the agenda? I guess we’re looking to know, is the Bureau narrowing its mission, and what are some of the things it’s focusing on?

Sean Kulczycki: That’s a great question, Kevin. I think technically that the Bureau’s mission and their objectives are fixed by the Dodd-Frank Act, but I think it’s fair to say that the Bureau is changing how it interprets and prioritizes, and even executes, on its mission and objectives. Any observer would probably say that clearly, these changes are kind of moving towards more of a reduced level of regulation. For example, it’s been discussed in the June newsletter, the CFPB identified three key priorities within the regulatory agenda and one of them was to reconsider prior rule-making. Although they didn’t state what they were going to reconsider, observers would say that it’s pretty clear, when they reconsider those, the goal was to kind of reduce the regulatory burden associated with those particular rules. I think that in and of itself is a good indication of the Bureau’s directional change, and where they’re headed. Another priority that was identified within the semi-annual agenda was for the Bureau to continue selective rule-making, a rule-making that had been started previously. And interestingly, the rule-making that is primary focused relates to the Fair Debt Collection Practices Act, and many observers think that this will actually just be a beneficial regulation to the financial services industry rather than adding to the regulatory burden. Conversely, on the other side, the rule-making that was in process that may not have been so industry-friendly; and a good example of that would be rule-makings related to overdrafts, those have been put on hold for now.

So there’s definitely a trend I think towards a more industry-friendly CFPB, and I think the semi-annual regulatory agenda definitely demonstrates that. Another item that they appear to be focused on was actually one of their statutory objectives that require that the Bureau ensure outdated, unnecessary and unduly burdens of regulations are identified and addressed. This can be seen in the creation of what they call the “Office of Cost-Benefit Analysis,” which occurred in May, and that’s thought to be an office that is going to be looking at regulations to see whether or not they really need to be put into place. And again, it’s sort of a focus, I think, on what may be a less intensive regulatory scheme for financial institutions.

Kevin Donahue: Thanks, Sean. Let me ask you one more question about the Bureau. There’s been talk about Congress overturning the Bureau’s guidance on indirect auto lending. Is that a change that’s expected to have a significant impact on organizations

Sean Kulczycki: Yes, I think the level of impact may depend on an institution’s overall risk appetite. And to refresh our listeners, in May of 2018, the Senate and House of Representatives utilized what’s known as the Congressional Review Act to repeal CFP Bulletin 2013-02, which relates to indirect auto lending, in compliance with the Equal Credit Opportunity Act, which is a statute that prohibits discrimination. And the guidance, essentially – the CFPB guidance, which was repealed – essentially warned financial institutions, which purchased loans from automobile dealerships, that they may be liable for discriminatory practices of the dealers that originate the loans, even though the financial institutions aren’t directly involved in pricing necessarily, and aren’t the creditors.

So that was the guidance that was repealed, and the interesting aspect is that it was a repeal of a guidance document, and so essentially the underlying laws and regulations on which that guidance was based are still in effect. Based on that, there are some different perspectives, I think, within the industry on what the significance of that appeal is and what the legal impact is. As a result, I think, we might see some wide variations in the level of impact of that change. Institutions that have a healthier risk appetite may use that repeal as a rationale to be a little bit more aggressive with their indirect auto loan pricing and working with the indirect dealers. On the other hand, institutions that have sort of a lesser or lower risk appetite may take more of a latency approach. But I think in either case, we’ll try to be watching that and report on that in future editions of our Compliance Insights newsletter.

Kevin Donahue: Great info, thanks Sean. Christine, let’s bring you into the conversation here; I want to ask you a question about something I certainly heard a lot about as a sports fan. The Supreme Court recently ruled that – as part of an online gaming case, it was essentially eliminating a federal ban on online sports betting, and is now leaving that regulation to the states to establish, or not establish, I imagine. This opens up a potentially lucrative market for sports betting outlets and the payment processors behind them, even as FINCen warns against increased anti-money laundering risk, or I guess money laundering risk. Can you tell our audience how this ruling may impact the current landscape, and how should sports betting outlets and other industry players guard against the ML risks?

Christine Bucy: Sure, thanks, Kevin. Yes, put simply, back in May of this year, the Supreme Court ruled that federal law can no longer force the States to ban sports betting. Put another way: every state can now choose to pass legislation that would legalize sports betting. While we’ve heard that some states have already signaled that they plan to legalize sports betting, I think the hunch generally out there is that many more states will follow suit and take advantage of – as you’re calling it – this potentially lucrative business opportunity. So, as a result of this ruling, I think we can expect to see a pretty dramatic shift in the betting landscape. What I mean by that is that I think we’re expecting to see a host of new outlets and methods of betting likely to crop up. To me, this would include venues that have a physical presence. So, think of your kiosks or your convenience stores or your brick-and-mortar shops, also your online betting websites. Then of course, as your online presence and footprints begin to grow, so does the use of maybe mobile applications. I think this will also impact payment processors, and of course, potentially, credit card companies, if they elect to modify their policies and say, “Hey, yes, we would like to begin accepting betting on our cards.” And then, of course, it will also affect your regulators and your law enforcement officials.

So, again, the landscape’s not only changing with the increased presence of sports betting outlets, it’s also changing because I think we’re expecting to see a higher volume of cash and web-based transactions. And with this higher volume, of course, comes more AML risk, so these betting operations, of course then need to comply with the AML laws and regulations. So, Kevin, to the second prong of your question, I think, generally, anyone looking to take advantage of this ruling is going to need to proactively either build, if they don’t already have one, or re-review their AML compliance programs to address these new risks. First priority that comes to mind is that these sports betting operations will need to develop comprehensive KYC or Know Your Customer programs to really understand who the customer or patron is behind the bet, and help determine whether there’s a legitimate source of wealth and funds behind the bet. So, when asking, “Okay, what should some of these sports betting outlets – what do they need to do?” One thing that comes to mind is making sure that you have these risk-based vetting process programs in place before the betting takes place. So, to me, this includes your standard CIP check: the name, the date of birth, your address; potentially asking about employment status, background checks, and then potentially running your customer or patron name against your watchlist searches; against an FBI lists or OFAC lists, etc. And again, I say “potentially” because these programs are all risk-based, based on what you’re seeing on the customer, the patron, potentially based on the size of the wager as well.

Another control would be around tracking play. We see tracking activity at the banking level. We often review monitoring transactions, similarly, for sports betting, I think these different operations, they’re going to need to have certain controls in place to trigger alerts when certain activities are becoming suspicious. Lastly, as alluded to in the Compliance Insights piece, I think one of the more significant red flags or risks associated with sports betting is the use of intermediaries, or what we’re calling third-party betting. So, in these cases, the intermediaries have really no incentive to disclose that a transaction is being done on behalf of someone else, or the third party, which essentially is disguising the third party’s role in the transaction at all, and obscuring the source of wealth and funds. So, again, in conjunction with the KYC checks that we mentioned before and the activity monitoring, I think these sports betting operations are really going to need to ramp up their training efforts with their employees to make sure they are aware of these indicators of third-party betting.

So, again, the landscape is definitely shifting. There are a lot of things in that, a lot of new compliance requirements that these operations are going to need to comply with, and I think it’s safe to say that federal regulators will be closely monitoring this in the months and years to come

Kevin Donahue: Thanks Christine, and thanks Sean, both of you, for joining me today to discuss some of the latest issues that we’ve covered in our Compliance Insights newsletters. I want to invite our audience to visit, where you can find our most recent issues of this informative newsletter.

– End of Recording –

Add comment