Compliance Insights Podcast: Virtual Currencies and Sanctions Risk, Latest CFPB Actions, FINRA’s Annual Report

The Protiviti View,

In the latest podcast edition of Compliance Insights, Protiviti senior director Sean Kulczycki and senior manager Denis Camilo discuss in depth some of the issues from our latest Compliance Insights newsletter. Download the latest newsletter at www.protiviti.com/compliance-insights. Full transcript of the podcast follows.

In-Depth Interview – Compliance Insights podcast
January 30, 2019 [Transcript]

Kevin Donahue: Hello, this is Kevin Donahue, Senior Director with the marketing group of Protiviti, welcoming you to a new installment of Powerful Insights. In this episode today, we’re going to be talking about some of the topics we cover in the latest issue of Compliance Insights, Protiviti’s monthly newsletter covering key topics and trends happening in the compliance space for financial services organizations. I’m pleased to be talking today with Sean Kulczycki and Denis Camilo with Protiviti’s risk and compliance practice. Sean is a Senior Director while Denis is a Senior Manager. Denis, it’s great to speak with you today.

Denis Camilo: Great to speak with you too, Kevin.

Kevin Donahue: Sean, it’s great for you to join as well.

Sean Kulczycki: Thank you, Kevin. Glad to be here.

Kevin Donahue: Sean, let me toss the first question to you. In our latest issue of Compliance Insights, we have an article that highlights the connection between virtual currencies, such as Bitcoin, and sanctions risk. Who should heed this risk exactly and what should be done to minimize it?

Sean Kulczycki: Thanks, Kevin. Let me first say what we mean by virtual currency. OFAC defines virtual currency as a digital representation of value that functions as a medium of exchange, a unit of account, or a stored value. It is neither issued nor guaranteed legal tender by any jurisdiction. As you mentioned, Bitcoin is perhaps the most prominent example of a virtual currency. As far as who needs to heed this risk – as we point out in our Compliance Insights article, OFAC issued Frequently Asked Questions related to sanctions compliance and virtual currency in March of last year. One of those FAQs points out that the obligations of a U.S. person with respect to sanctions compliance is essentially the same regardless of whether a transaction occurs in virtual currency or in traditional currency, sometimes referred to as fiat currency, which is just currency that is actually backed by a government, such as dollars or Euro. When talking about who needs to heed this risk, we start with the general principle that the rules that apply to virtual currency are really no different than the rules that apply to any other type of transaction.

Now, as far as the general restrictions on U.S. persons with respect to OFAC, essentially U.S. persons are prohibited from engaging in transactions that are prohibited by OFAC sanctions such as transactions with persons that are blocked or blocked property, those that are on specially designated nationals list. Likewise, transactions occurring through a virtual currency with a sanctioned person would similarly be prohibited. From a logical perspective, and maybe this is obvious, but the entities really that need to heed this risk the most would be those that deal in virtual currency in any way. From a practice standpoint, who does this affect? The FAQ issued by OFAC provides some good guidance on that as well. They identify that companies such as technology companies that might have involvement with virtual currency, administrators of virtual currency, exchangers, and then users of digital currency as well, as well as payment processors, as being most likely to be impacted by the emergence of virtual currency. At this point, I think it seems like it will have a limited impact on traditional financial institutions such as banks. Really, technology is changing so fast that it’s probably a good idea that all financial institutions stay aware of what’s going on in this area.

One of the things I think that’s probably worth mentioning is that in November, OFAC added for the first time two digital currency addresses to the SDN list. These addresses were associated with two Iran-based individuals who helped exchange digital currency ransom payments into Iranian currency on behalf of Iranian militia cyber actors that were involved in the SamSam ransomware scheme that was initiated originally in 2015. While there are still only two digital currency addresses on the SDN list, it is an issue that an impacted identity should be aware of and that list is likely to seem to grow as far as the number of digital currency addresses that might be on the SDN list. As far as what institutions should do, OFAC suggested, and I think we agree, that organizations that deal in virtual currency really should develop tailored risk-based compliance programs that address their sanctions risk, likely using a risk assessment of some sort and adopting other measures that are appropriate for the particular institutions. Another consideration is that many of the organizations impacted are likely to be new to sanctions compliance, so something they might want to consider is to seek the guidance of an experienced third-party to help them implement such a program.

Kevin Donahue: Thanks, Sean. There’s undoubtedly a lot going on with that issue and our readers can learn more about it by reading that article we have in Compliance Insights. Sean, in another article, we note that the Consumer Financial Protection Bureau issued a consent order in a case where a large U.S. bank committed serious violations of the Fair Credit Reporting Act and Regulation V of the CFPB Act of 2010. One key there is it then took many months to correct these errors affecting consumers. In your view, what can be learned from this case?

Sean Kulczycki: Yes. Sure, Kevin. That’s a good question. Just to provide some background to listeners that may not have read the article or may not be that familiar with the Fair Credit Reporting Act. The FCRA is essentially a consumer protection statute that was enacted to promote the accuracy, fairness and privacy of information included within the consumer’s credit file at the credit reporting agencies, such as Equifax, TransUnion, or Experian, to name the big three. Obviously, financial institutions are heavy users of this information, but they’re also heavy furnishers of information, meaning they provide the information that is within those files. Both elements here, their usage of it and their providing that information, are subject to the Fair Credit Reporting Act and Regulation V. That is really what this enforcement action was about.

To summarize the case a bit more specifically, the CFPB found that the institution, one, obtained consumer reports when it’s not allowed to. It didn’t have a permissible purpose, in other words. Two, that the institution furnished information that was inaccurate and failed to update this inaccurate information when it learned about the inaccuracy. Three, failed to report the information as disputed when a consumer disagreed with what was in their credit file, which is the requirement of the statute. And then lastly, failed to maintain adequate policies and procedures for ensuring accurate reporting. That’s what was on the table or what the institution was found to have been in violation of.

Now, as far as what can be learned, I guess I’m of the opinion that something can be learned from pretty much every public enforcement action that’s issued by a regulatory agency. At the most basic level, the consent order provides tangible evidence that the issue of requirement that was the subject matter of that consent order in an issue of requirement that the agency is looking at closely, in this case the CFPB. It may seem overly simplistic but I think it’s critical information for all stakeholders and financial institutions, including first-line of defense compliance departments and internal audit. If you think about it, there are really too many requirements for the CFPB to look at all of them with equal emphasis. Knowing where they’re going to look is a bit like knowing the test questions before the test.  And while the goal should probably be to ensure compliance of all requirements, I think putting additional resources in areas known to have caused problems for other institutions is really a sound risk-based approach. It’s also reasonable for a financial institution to say, “Hey, if another institution is having trouble with this requirement, maybe there’s something we’re missing as well.” Now, one thing I’ll say is that those comments in particular are probably true of all enforcement actions. With respect to this particular enforcement action, I would say that there are not really any bombshells for financial institutions to learn as something that they would not have known before and could not have known before.

The Fair Credit Reporting Act and the consumer reporting accuracy issue has been an interest of the CFPB pretty much since its inception. I think this was clear back as far as 2012 when the CFPB took steps to become the first government agency ever to directly supervise the national credit reporting agencies. The Bureau’s interest in consumer reporting has been longstanding and it’s also been highlighted in other ways such as through the CFPB’s Supervisory Highlights publications, compliance bulletins, consumer advisory, and even other enforcement actions. Even though there are no bombshells here, it’s definitely a good reminder to financial institutions that they need to keep this issue front and center to avoid a similar outcome that this institution faced.

Kevin Donahue: Thanks, Sean. Great rundown. Denis, let’s bring you into the conversation here. My question for you is, the Financial Industry Regulatory Authority, or FINRA, issued its annual report highlighting four specific areas of concern that related to broker-dealer practices. Why don’t you give us a rundown of these findings and what consequences they may have for broker-dealers as well as, maybe most importantly, their clients?

Denis Camilo: Thank you, Kevin. As you’re aware, in December 2018, FINRA did issue the report for the examination findings and as you mentioned, they highlighted four observations which I’m going to go discuss briefly. The first observation is regarding suitability where FINRA was reviewing their compliance for Rule 2111, which is their suitability rule. This requires that a brokerage firm deal fairly with their customer. However, instances were noted where the broker-dealers were either not conducting a reasonable due diligence necessary to reach a suitability analysis. As a result, they were either recommending unsuitable securities or excessively trading on behalf of a customer.

In addition, the letter also highlights that some registered representatives did not consider the customer’s financial situation when recommending an investment to their customer, so what we need to do is keep in mind that Rule 2111 is going to prohibit a recommendation of transaction unless the firm has reasonable basis to believe that that customer has the financial ability to meet this commitment. Suitability is very important to FINRA. FINRA wants to make sure that the firms are also enforcing supervisory systems and run supervisory procedures related to suitability because overall, broker firms should review these systems to ensure that they are working properly. This just seems to be very imperative for their upcoming priorities in 2019.

Now, a second observation that was noted was related to fixed income markups and disclosure, where FINRA was reviewing compliance with an amendment for Rule 2232, which is for customer confirmations. This became effective in May 2018. They highlighted several areas where firms were falling short of compliance. For example, there was a failure to enter information into an order entry system. Traders weren’t entering the correct information which resulted in inaccurate markups or markdowns, which were required to be disclosed to that customer. There was also improper adjustment in prevailing market prices, where FINRA was observing instances where the firm was inaccurately adjusting the market prices, which also resulted in inaccurate disclosures to customer and confirmation. What we need to keep in mind is it is important for a brokerage firm to look beyond surface-level compliance when reviewing markup and markdown as the FINRA rule is going to focus on the actions that the firm is taking in order to make sure that these markup and markdown requirements are not delaying any executions.

In its third observation, FINRA addressed views of authority prevailing to NASD Rule 2510, which is a rule that discusses discretionary accounts. FINRA was reviewing and noticed some concerns where the firm was abusing certain authorities on behalf of this customer. Some registered representatives exercise the discretionary power of attorney without authorization of their client. As an example, FINRA observed some registered representatives were executing transaction on a customer account without getting the proper authorization from the client. Firms that permit these discretionary accounts need to establish and maintain a robust system in order to capture this and make sure that their registered representatives are in compliance with all the rules.

Then in its final point, FINRA highlighted diligence for the private placement. During 2018, FINRA was observing instances when firms are failing to conduct a reasonable due diligence on private placement while recommending and offering to investors and failing to meet their supervisory requirements. Specifically, no additional research was performed when there was a new offering or if some of the firms were doing additional investigation for red flags because they thought that they knew the customer already. FINRA noted that there was also an overreliance on these third-party vendors when conducting reviews of the due diligence and identifying red flags. The firms need to perform a reasonable due diligence analysis to conduct an independent research in all aspects of this offering. We have to keep in mind that firms conducting these due diligence analyses are required to document the whole process through and through. As we noted in our Compliance highlight, the broker-dealers need to make sure that they’re complying with this rule and it is a continuous focus as they continue to be in compliance with the rules going forward.

Kevin Donahue: Well, Sean and Denis, I want to thank you very much for joining me today to discuss these key issues we covered in our latest issue of Compliance Insights. Again, I invite our audience to visit protiviti.com/Compliance-Insights where you can find our latest issue as well as prior issues of this newsletter.

[End of Transcript]

Add comment