AI in AML, Consumer Protection Developments Discussed in Protiviti’s Latest Compliance Insights Podcast (Now Available)

Christine Bucy of Protiviti’s Risk and Compliance practice joins Steven Stachowicz in this latest podcast to discuss the next frontier in AML compliance — artificial intelligence. Also hear Steven’s take on the latest in consumer protection activity from the Consumer Financial Protection Bureau. This discussion is in addition to what you’ll find in the complete July issue of Compliance Insights, available for download here.

______________________________________________

In-Depth Interview, Compliance Insights [transcript]
July 27, 2017 at 10:09 AM

Kevin Donahue: Hello. This is Kevin Donahue, Senior Director with Protiviti, welcoming you to a new installment of Powerful Insights. Today, we’re going to be discussing some of the highlights from the July issue of Protiviti’s Compliance Insights newsletter. I’m pleased to be joined today by Steven Stachowicz, a Managing Director with Protiviti’s Risk and Compliance practice, and Christine Bucy, an Associate Director with Protiviti’s Risk and Compliance group.


Criminal Finances Act 2017 Aimed at Terrorist Financing Affects All Firms With UK Operations

By Bernadine Reese, Managing Director
Risk and Compliance, Protiviti UK

One of the recent examples of efforts to clamp down on terrorist financing and tax evasion comes from the UK, where the Criminal Finances Act 2017 received Royal Assent in April.

The Act, expected to take effect this September, is being touted as a powerful new tool in the investigation and prosecution of tax evasion and terrorist financing crime in the UK. In response to concerns raised by regulated firms, it also includes provisions that will make it easier for firms to share information on potential criminal activity, without violating privacy laws.

Essentially, the Act introduces two new offences: failure to prevent the facilitation of foreign tax evasion, and failure to prevent the facilitation of UK tax evasion. The Act is intended to hold companies automatically liable for the facilitation of domestic and foreign tax evasion where they do not have “reasonable prevention procedures” in place to prevent their “associated persons” from facilitating it. “Associated persons” is a purposely broad term and can include employees, agents, subcontractors, or anyone else who performs work for or on behalf of the company. Protiviti has published a paper addressing some of the most common concerns regarding the new Act as a series of frequently asked questions. Here are some of them:

Q: How does the new law tackle terrorism?

A: A number of provisions that address money laundering will apply broadly to persons suspected of terrorist financing, or property that has been acquired with terrorist funds or with the intended purpose to facilitate terrorist financing. The law provides mechanisms for both voluntary and mandatory disclosures by regulated firms, as well as provisions for the seizure and freezing of assets.

Q: What is the difference between “tax avoidance” and “tax evasion?”

A: While the distinction between tax evasion and tax avoidance continues to be politically sensitive, tax avoidance is generally considered to be the lawful minimization of one’s tax burden — for example, taking legal tax deductions on expenses. Tax evasion is the unlawful non-payment of taxes that are legally due to the government. Examples might include intentionally misreporting taxable income in order to pay lower (or no) taxes, concealing assets in overseas accounts, failing to file a tax return, using false documentation, or deliberately suppressing taxable income.

Q: What are “reasonable prevention procedures?”

A: The paper examines this in detail, but briefly, law enforcement will be looking for evidence of top-level commitment to anti-money laundering; regular risk assessments; a proportional, rather than one-size-fits-all, approach to risk as part of the organization’s overall risk management efforts; due diligence; robust communication; and monitoring and review of account activities.

Q: What should our priorities be to get ready for the new legislation?

A: Protiviti has put together a four-point plan:

  1. Understand how the new law affects your business and customers: The scope of the Act seems broad but many of its provisions relate to increasing transparency and information sharing intended to prevent the money trail from going any further, and to tackling financial crime, which now includes tax offences within its definition. Customers likely to be the target of increased scrutiny under this law include corporate clients with complex company structures; individuals who use tax planners, such as celebrities and politicians; wealthier private clients with large asset holdings and/or associations with low-tax offshore jurisdictions; and entities, such as religious organizations and charities, which may be used as vehicles for terrorist financing. A risk assessment will need to be performed.
  2. Review and update policies and procedures: Once senior management has articulated its position on tax evasion, this should be communicated through the firm’s policies and procedures in a clear and practical way. In particular, firms will be expected to demonstrate that they have “reasonable prevention procedures” in place to combat the facilitation of tax evasion and should consider whether new or additional procedures are necessary, including those for associated persons, depending on risk levels and potential exposure.
  3. Prepare and train staff: Identify staff likely to be impacted by the new legislation — such as customer-facing teams, compliance, and internal audit. Prepare and give tailored training to relevant employees to ensure that they are aware of legislative changes and the impact on their role. Circulate regular communications to reinforce the company’s policy and staff’s responsibilities.
  4. Review existing clients: Consistent with taking reasonable prevention procedures, firms should adopt a risk-based approach to dealing with the assessment of their existing customer base. This might include an immediate review of those customers considered to be at the highest risk of tax evasion, while lower risk customers might be covered as part of the firm’s periodic review of “know your customer” information for anti-money laundering purposes. Firms will need to plan and take action according to the risks presented by their existing customer base.

Companies should seek help early rather than late with some of the more complex and tedious elements of complying with the new legislation, including conducting a gap analysis, developing risk-based evaluations, reviewing customer files and providing training. For a detailed analysis of the UK Criminal Finances Act 2017, download the free paper from our website.

A New Look at Politically Exposed Persons – Focus on Risk, not Rules

By Matt Taylor, Managing Director
Risk and Compliance, Protiviti UK

Implementation of the European Union’s (EU) Fourth Anti-Money Laundering Directive (4AMLD) went into effect on Monday, June 26, for all EU countries. Back in April, Protiviti sponsored a “PEP Breakfast” in anticipation of this directive, at which we had the opportunity to share information with key clients and other leading industry figures about the changes now in effect. The discussion centered on the UK’s Financial Conduct Authority’s Guidance Consultation, which provides guidelines on how to implement 4AMLD in the UK, and spells out how the new regulations will change firms’ design of – and approach to – enhanced scrutiny of accounts with high money-laundering risk, including those associated with “politically exposed persons,” or PEPs. The PEP Breakfast presented details regarding the changing approach to PEPs, and offered participants the opportunity to compare notes and learn from one another’s approaches to changing anti-money laundering (AML) regulations and best practices in the EU and UK.

With 4AMLD now in force, it seems like a good time to recap some of this discussion.

PEPs are individuals whose position and/or influence in government or public bodies may present heightened risks of financial crime, generally bribery and corruption. AML regulations require obliged organizations to consider subjecting such individuals to enhanced due diligence to identify, mitigate and manage such potential heightened risks.

Historically, many financial institutions have approached the potential heightened risk of PEPs on a “one size fits all” and “once a PEP, always a PEP” basis. The new regulations (and indeed, maturing risk assessment models) are driving a move to a more risk-based approach to identifying, mitigating and managing the potential heightened risk of financial crime posed by PEPs.

A more risk-based approach to PEPs includes, among other things:

  • A detailed assessment of the real financial crime risk inherent in the PEP’s current (or recent) role in the public body and ability to exert control or influence over areas which pose a heightened risk of bribery and corruption. PEPs who have been out of public office for, say, 18 months may no longer pose any heightened risk since they can no longer control or influence decisions that could make them open to bribery or corruption.
  • A thorough review of the risks posed by relatives and close associates (RCAs) of the PEP. PEPs are often sophisticated individuals and know that their financial dealings are subject to enhanced scrutiny, and may use relatives and/or close associates to act as nominees, “independent consultants” or the like in corrupt transactions.
  • Not distinguishing between “domestic” and “non-domestic” PEPs in the overall assessment of heightened financial crime. Local government officials, for example, may have control or strong influence over building development planning consent or licences, which can result in large profits for property developers and the like. In addition, the distinction between domestic and non-domestic PEPs is not practical for multinational financial institutions where clients may have accounts in multiple jurisdictions regardless of where they were initially on-boarded.
  • Enhanced transaction monitoring for PEPs and RCAs (if they are a customer or linked to a customer).
  • A recognition that negative news and other public information sources are open to manipulation in certain circumstances.

In addition, a holistic AML approach to the risk of bribery and corruption should focus on those industries and/or countries which currently carry a higher risk of such activities. These would include, for example, oil and gas companies in developing countries with ranking PEPs on their boards, or global sports organizations, where transfer fees (including layers of agents/consultants) and salaries and other payments in the tens of millions create a heightened risk of bribery and corruption.

What will these changes mean for financial services firms’ day-to-day operations? Up-to-date, detailed and (where necessary) verified “know your customer” information about customers is crucial. Red flags might be garnered from business records, powers of attorney, contracts for services rendered, and even social media profiles. PEPs’ direct (or, more commonly, indirect through RCAs) links to offshore entities and other opaque ownership structures are perhaps the biggest red flag of all. In general, PEPs and their RCAs will seek to place funds in jurisdictions and entities that are most likely to shield them from reporting to tax or regulatory authorities, either through anonymity or due to a lack of such reporting.

Organizations must review their approach to PEP risk in light of changes to regulations and a maturing view on financial crime risks to focus resources on true, rather than merely theoretical, risk. Asking the following questions will help:

  • Has the organization designed a method of assessing risk appropriate to its business model? “Method” implies a rigorous, documented approach not only to the process of identifying the real risk, but also to the process of monitoring the PEPs and RCAs to ensure such risk is mitigated and managed.
  • Is the established approach being applied appropriately and consistently? Firms should be able to demonstrate that the documented methods are applied without exception. For example, the organization’s procedures should be designed to identify both foreign and domestic PEPs and all the jurisdictions in which the company operates.
  • Does the organization invest effort to validate that its approach has been effective? Regulators will be assessing whether the methods in place are applied consistently and are yielding meaningful results in identifying, mitigating and managing risk and, where appropriate, reporting suspicious activity.

Updates to the definition of and approach to PEPs are just one of several changes required by 4AMLD. Others include the introduction of registers of ultimate beneficial owners for companies and other legal entities, including trusts; the removal of the entitlement for automatic application of simplified due diligence; and the addition of tax evasion as a predicate offence to money laundering. And 5AMLD is hot on 4AMLD’s heels. 5AMLD will broaden the definition of obliged entities to include virtual currencies, anonymous prepaid cards and other digital currencies, plus further changes to tighten AML control requirements. Banks should waste no time in making sure they are prepared to comply with the new rules, and seek help promptly where needed.

The Importance of Data Lineage for AML Systems

By Vishal Ranjane, Managing Director
Risk and Compliance

Financial organizations have long embraced the advantages that information technology offers, and many are looking forward to larger digitalization initiatives to gain market advantage. Customers appreciate the convenience of digital offerings, while firms enjoy the reduction in operating costs that information technology enables. Of course, in the multifaceted, highly regulated environment in which financial institutions operate, mastering the complexity of this digital future is both rewarding and risky.

In any financial firm’s application landscape, data flows from system to system. In an ideal world, key data gathered at the front end (customer-facing systems) makes it to the back-end systems without hitches. In reality, in the application architecture of almost any financial institution, systems are sometimes imperfectly integrated, often as a result of multiple acquisitions, and data does not always make the journey from system to system without some amount of attrition or change. However, banks and other financial institutions that handle customer data must be able to demonstrate that the information which originates upstream, in customer-facing systems, is the same information found in the bank’s risk and compliance systems downstream. This is where data lineage becomes important.

Data lineage tells the complete story of how data within an organization was produced, consumed, and manipulated by the organization’s applications. It traces the data’s movement through systems.

Once, it was sufficient to demonstrate to regulators that the right policies were in place, that the right procedures were followed, and the right reports were generated and reviewed to protect against threats like fraud and money laundering. Now, financial institutions must be able to demonstrate to regulators that they are using complete and accurate data to monitor for these activities.

Asserting data legitimacy

An organization asserts de facto data legitimacy when it relies on the integrity of its data for key reporting or decision-making activities, such as those involved with risk and compliance solutions. It is imperative that data from upstream systems of record or points of capture arrives in these downstream risk and compliance systems in a manner that does not materially alter or obscure the content received from the system of record or point of capture.

De facto data legitimacy claims are an area of focus for regulatory authorities, who require that these claims be documented and proven. The recent Part 504 regulation by the State of New York Department of Financial Services emphasizes the importance of data lineage in an AML context, stating that a covered institution must not only identify all data sources that contain data relevant to its transaction monitoring and watchlist filtering programs, but also must ensure that these programs include the validation of the integrity, accuracy, and quality of the data to ensure that an accurate and complete set of data flows into these programs. In addition, the regulation specifically notes data mapping as a key component of end-to-end pre- and post-implementation testing of transaction monitoring and watchlist filtering programs.

Going back to the firm’s application landscape, upstream data – data entered initially by the customer, for example – may not survive the journey downstream, and facts about the transaction may be lost with each hop from system to system. Can an auditor know if a particular transaction was made with a teller, a wire, or via an ATM, for example? Was a deposit made by check or cash?

Data lineage documentation can be done using a variety of tools ranging from simple to sophisticated. In smaller, less complex systems, simple spreadsheets and diagramming tools may suffice, while large financial institutions may deploy vendor toolsets to automate tedious and error-prone capture and documentation activities.

Data lineage as part of data governance

Establishing the data lineage should, of course, be more than just an exercise in documenting what’s already in place. Performing this level of analysis and uncovering previously unknown silent errors or gaps in the data being used to manage AML risks and generate reports should lead to increased accuracy and confidence in the reports and management information presented to senior management, internal audit and regulators. An additional benefit is getting better insights into customer behavior – a value for any business.

Having a sustainable data lineage initiative is only the start. To be sustainable over the long run, such an initiative needs to be part of a larger data governance program that is firm-wide and involves all departments and functions. Data governance efforts are viewed well by regulators, who increasingly put pressure on financial institutions to formally document business processes, data controls and source-to-target mapping, and to defend all activities around data management. A Protiviti white paper, “AML and Data Governance: How Well Do You KYD?,” provides more information and may be of relevance to your company.

Benjamin Kelly of Protiviti’s Regulatory Risk and Compliance practice contributed to this content.

Compliance News Roundup: The Clearing House AML Recommendations, CFPB on Alternative Data and More

Protiviti published its March issue of Compliance Insights this week. We sat down with Steven Stachowicz, Managing Director with Protiviti’s Risk and Compliance practice, to discuss some of the highlights. Listen to our podcast below, or click on the “Continue Reading” link to read the interview.

In-Depth Interview, Compliance Insights [transcript]

A New and Better AML Regime?

By Carol Beaumier, Executive Vice President and Managing Director
Regulatory Compliance Practice

On February 16, 2017, The Clearing House (a banking association and payments company that is owned by twenty-five of the largest commercial banks) released a report entitled A New Paradigm: Redesigning the U.S. AML/CFT Framework to Protect National Security and Aid Law Enforcement. The report analyzes the current effectiveness of the U.S. anti-money laundering/counter-terrorism financing (AML/CFT) regime, identifies fundamental problems, and proposes a series of reforms to address them. It is the output of two closed-door sessions held in 2016 that were attended by sixty senior former and current officials from law enforcement, national security, bank regulation and domestic policy; leaders of prominent think tanks in the areas of economic policy, development, and national security; consultants and lawyers practicing in the field; fintech CEOs; and the heads of AML/CFT at multiple major financial institutions.

The report concludes, in effect, that the current U.S. AML/CFT Framework is based on an amalgam of sometimes-conflicting requirements and focuses more on process than outcomes, and that combatting money laundering and terrorist financing continues to be hindered by communication barriers between law enforcement and the financial services industry, and among financial institutions themselves.

What the report advocates in two sets of recommendations – those for immediate implementation and those for further study – is a complete overhaul of the existing regulatory and supervisory regime. Specifically, the report identifies seven reforms for immediate action:

  1. AML/CFT supervision should be rationalized by having the Financial Crimes Enforcement Network (FinCEN) reclaim sole supervisory responsibility for large, multinational financial institutions and by requiring the Department of Treasury, through its Office of Terrorism and Financial Intelligence (TFI), and FinCEN to establish a robust and inclusive annual process to establish AML/CFT priorities. The perceived benefits of these actions would be (a) greater focus on outcomes and the development of useful information to law enforcement, as opposed to the process-based approach taken by prudential supervisors, and (b) better alignment between law enforcement objectives and financial institutions’ AML/CFT programs.
  2. Congress should enact legislation, already pending in various forms, that prevents the establishment of anonymous companies and requires the reporting of beneficial owner information at the time of incorporation. Not to be confused with the FinCEN Customer Due Diligence (CDD) requirements that will obligate financial institutions, by May 2018, to collect beneficial ownership on legal entities, this recommendation is intended to require the collection of beneficial ownership at the time of company incorporation and whenever such information changes, and to make this information routinely available to FinCEN, law enforcement and financial institutions. This would shift the burden of gathering beneficial ownership information from the financial services industry to governmental bodies that incorporate these entities and, thus, free up financial services resources and allow them to spend more time on the detection of illicit activity.
  3. The Treasury TFI Office should strongly encourage innovation, and FinCEN should propose a safe harbor rule allowing financial institutions to innovate in a financial intelligence unit (FIU) “sandbox” without fear of examiner sanction. This would apply not only to large, multinational financial institutions that, through their direct collaboration with FinCEN, would presumably be leaders in innovation, but also to other financial institutions, which may have been reluctant to innovate for fear of their prudential regulators not being willing to accept new and different approaches.
  4. Policymakers should de-prioritize the investigation and reporting of activity of limited law enforcement or national security interest. This could be accomplished by raising the SAR reporting thresholds; eliminating SAR filings for insider abuse; and reviewing all existing SAR reporting guidance for relevancy (e.g., why should large financial institutions need to file SARs on cyberattacks when they typically engage in real-time communications with law enforcement when such attacks occur?). As with other recommendations, the impetus here is to free up resources to focus on what is really important.
  5. Policymakers should further facilitate the flow of raw data from financial institutions to law enforcement to assist with the modernization of the current AML/CFT technological paradigm. This would allow FinCEN to use big data analytics to identify illicit activity that cannot be detected by an individual financial institution.
  6. Regulatory or statutory changes should be made to the safe harbor provision in the USA PATRIOT Act (Section 314(b)) to further encourage information sharing among financial institutions, including the potential use of shared utilities to allow for more robust analysis of data. These changes should: (a) make it clear that information sharing extends to financial institutions’ attempts to identify suspicious activity and is not limited to sharing information about potential suspicious activity – e.g., information sharing might apply during the onboarding process when a financial institution may have questions about or find gaps in information provided by a prospective client; (b) broaden the safe harbor to other types of illicit activity beyond money laundering and terrorist financing; and (c) extend the safe harbor to technology companies and other nonfinancial services companies to allow for greater freedom to develop information-sharing platforms.
  7. Policymakers should enhance the legal certainty regarding the use and disclosure of SARs. The perceived benefits of allowing broader sharing of SAR information within a financial institution, including cross-border sharing, would be better transaction monitoring and higher quality SARs that provide more useful information for law enforcement.

Areas identified for additional study include:

  • Exploring the broader use of AML/CFT utilities to promote information sharing, and address barriers that hamper their use
  • Affording greater protection from discovery of SAR supporting materials
  • Balancing and clarifying the responsibilities of the public and private sectors for preventing financial crime
  • Establishing a procedure for “no action” letters whereby financial institutions could query FinCEN to determine how it would react to certain facts and circumstances
  • Providing the financial services industry with clearer standards of what constitutes an effective AML/CFT program
  • Improving coordination among the governmental players with a stake in combating money laundering and terrorist financing, and
  • Modernizing the SAR reporting regime to provide additional guidance on when to file or not file a SAR.

While there are pros and cons to be debated on many of the recommendations, the report, in summary, reveals the long-standing frustration of both the financial services industry and law enforcement with the current regime’s ineffectiveness. Financial institutions, with limited direction from the government, invest huge sums of money and dedicate large teams of people to “find the needle in the haystack” only to find their compliance efforts are often criticized by their regulators, even in the absence of actual wrongdoing. Law enforcement, for its part, tries to manage large volumes of information presented to it in the form of required reports from the financial services industry, much of which is not very useful in identifying the real criminals and risks. The solution seems simple: communication and coordination. Effecting that solution will likely prove difficult, especially in the short term with a new administration that has already staked out an aggressive regulatory reform agenda. But that doesn’t mean it’s not worth trying.

Anticipating the Fifth EU AML Directive: What Financial Institutions Need to Know

By Matt Taylor, Managing Director
Regulatory Compliance Practice

Money laundering regulations are proving to be as complicated as the shadowy financial transactions they are trying to prevent. A case in point: The Fourth European Union Anti-Money Laundering Directive (4AMLD), approved in 2015 and scheduled to go into effect June 26, 2017, has already been supplanted by 5AMLD — amended text addressing threats that have emerged in the period between the adoption and implementation of 4AMLD.

As it stands, the agreed 4AMLD text and effective date will remain, but financial institutions should anticipate additional regulatory changes from 5AMLD shortly thereafter. We issued a flash report last week, which outlines the proposed changes in 5AMLD and provides recommendations on how financial institutions can prepare for them.

There are five main requirements proposed by the 5AMLD that affect financial institutions:

  1. Virtual currencies. The 5th AMLD adds virtual currencies, anonymous prepaid cards and other digital currencies, such as bitcoin exchanges and wallet services, to the list of activities carrying the risk of terror financing. The 5AMLD better defines “virtual currencies” under EU law, and includes the requirement to adopt this legal definition in AML legislation across all member states. Under the proposed amendment, providers engaged in exchange services between virtual and hard currencies and custodian wallet providers will be required to apply customer due diligence (CDD), similar to what is already required for hard currency transactions.
  2. Identifying prepaid card owners. EU member states will be required to identify the customer in the case of remote payment transactions where the amount paid exceeds EUR50. After 36 months from the date 5AMLD enters into force (a date still to be determined), identification requirements will apply to all remote payment transactions. Certain exemptions may apply for “low-risk” customers where defined risk-mitigating factors are met.
  3. Beneficial ownership registers. Member states must comply with register requirements within 18 months of the 5AMLD implementation date. Registers must be interconnected to the European Central Platform within 18 months of implementation in accordance with the technical specifications and procedures set out in Article 4C of Directive 2009/101/EC. Technical requirements, including access controls and operational challenges, should also be considered and tested in preparation for compliance with 5AMLD requirements.
  4. Enhanced information sharing. 5AMLD requires member states to establish automated data clearinghouses at the national level to aggregate individual account ownership across multiple institutions. Data must be searchable by account holder, beneficial owner, IBAN number, and open and close dates, as applicable. Powers of EU Financial Intelligence Units (FIUs) will be enhanced through 5AMLD, as they will be permitted to request information from any obliged entity and would no longer be limited to identification of a predicate offense or suspicious activity report prior to an information request. The proposed amendments make information more easily accessible and align with international best practices.
  5. High-risk third countries. Member states will be required to apply specific enhanced due diligence (EDD) measures for transactions involving entities on a list of “high-risk third countries” defined by the European Commission. This is intended to reduce regulatory differences between member states, where some EU countries offer less-stringent controls in exchange for higher fees, allowing terrorists to exploit the weaknesses in these measures.

5AMLD has proved to be more controversial than 4AMLD, particularly with prepaid cards and virtual currencies being more tightly regulated and uncertainty regarding the implementation of centralized registers. Nevertheless, there is an ambitious timeframe for its adoption. With 4AMLD expected to become effective June 26, 2017, it is reasonable to assume that 5AMLD will become effective shortly thereafter, if not concurrently, and obliged entities should be ready to implement the proposed 5AMLD requirements.

Download the flash report for additional details and recommendations.