Compliance News Roundup: The Clearing House AML Recommendations, CFPB on Alternative Data and More

Protiviti published its March issue of Compliance Insights this week. We sat down with Steven Stachowicz, Managing Director with Protiviti’s Risk and Compliance practice, to discuss some of the highlights. Listen to our podcast below, or click on the “Continue Reading” link to read the interview.


In-Depth Interview, Compliance Insights [transcript]

Four Ways for Insurers to Prepare for New NAIC Cybersecurity Rules

By Adam Hamm, Managing Director
Risk and Compliance




Cybersecurity and technology represent immense challenges and opportunities for all insurers and financial services companies. Organizations need to protect sensitive information and customer data to the greatest extent possible, and to recover as quickly as possible in the event of a breach.

Insurance companies store large amounts of personal information about their policyholders. Cybercriminals know this, and have been increasingly targeting insurers. The past two years have seen a dramatic increase in successful cyberattacks, exposing the personally identifiable information of more than 100 million Americans. As a result, state insurance regulators have been looking for ways to protect consumers and ensure the integrity of the industry. This month, New York became the first state to adopt cybersecurity guidelines. And the National Association of Insurance Commissioners (NAIC) is working towards completing its Data Security Model Law.


OCC Handbook Update Consolidates 13 Years of Evolving Financial Services Audit Policy and Guidance

By Michael Thor, Leader of Protiviti’s North American Internal Audit Practice
Cory Gunderson, Global Leader, Financial Services



On December 30, the federal Office of the Comptroller of the Currency (OCC) issued OCC Bulletin 2016-47, Revised Comptroller’s Handbook Booklet and Rescissions. The handbook is the official field guide for federal bank examiners. The update consolidates 13 years of policy changes and guidance to create a single source of truth for all audit-related supervisory matters going forward.

Further, the bulletin expands the definition of internal audit to include consultation and advisory services, and emphasizes the internal auditor’s role in risk assessment and assurance.

Although the handbook is primarily intended for bank examiners to guide their supervisory review, it is a public document, which gives financial institutions the opportunity to review requirements and remediate gaps prior to an examination. In that sense, it serves as an open-book test.

At 152 pages, the bulletin is heavy reading. We published a Flash Report last month, which offers a high-level summary. Highlighted changes include policy and guidance related to:

  • Additional focus on risk management and internal audit’s role in providing assurance that the system is in place and operating effectively
  • Clarification of risk-based auditing and the need for dynamic audit plans and risk assessments
  • Internal audit’s role in challenging management’s strategic decisions (effective challenge)
  • Audit committee composition and responsibilities
  • The chief auditor’s independence with respect to administrative reporting relationships
  • Continuous auditing
  • Talent management
  • Identification and reporting of the root cause of control deficiencies and thematic control issues
  • Non-internal audit assurance activities

The bulletin also highlights the need for increased governance and oversight by boards and audit committees and the need for more robust policies and procedures around internal audit methodologies, including risk assessment, execution and reporting.

Much of the featured guidance is sourced from OCC Bulletins, the OCC’s heightened standards for certain large banks (12 CFR, Part 30), and internal audit guidance issued by the Basel Committee on Banking Supervision (BCBS). Changes by standard-setting bodies (the American Institute of Certified Public Accountants, The Committee of Sponsoring Organizations of the Treadway Commission, and more), were also incorporated.

There shouldn’t be any shocks here. These are things financial institutions have been hearing from their examination teams for years. The bulletin just brings everything under one umbrella.

Nor should anyone look to the bulletin for implementation instruction. Any changes in the bulletin are principles-based.

Taken as a whole, OCC Bulletin 2016-47 paints a picture of the escalating expectations and responsibilities placed on internal and external auditors, particularly in the years since the 2008 financial collapse. All this has happened over a span of several years, and it’s easy to miss the full scope of change, which only becomes apparent when everything is pulled together under one umbrella.

Read the full Flash Report here.

A New and Better AML Regime?


By Carol Beaumier, Executive Vice President and Managing Director
Regulatory Compliance Practice




On February 16, 2017, The Clearing House (a banking association and payments company that is owned by twenty-five of the largest commercial banks) released a report entitled A New Paradigm: Redesigning the U.S. AML/CFT Framework to Protect National Security and Aid Law Enforcement. The report analyzes the current effectiveness of the U.S. anti-money laundering/counter-terrorism financing (AML/CFT) regime, identifies fundamental problems, and proposes a series of reforms to address them. It is the output of two closed-door sessions held in 2016 that were attended by sixty senior former and current officials from law enforcement, national security, bank regulation and domestic policy; leaders of prominent think tanks in the areas of economic policy, development, and national security; consultants and lawyers practicing in the field; fintech CEOs; and the heads of AML/CFT at multiple major financial institutions.

The report concludes, in effect, that the current U.S. AML/CFT Framework is based on an amalgam of sometimes-conflicting requirements and focuses more on process than outcomes, and that combatting money laundering and terrorist financing continues to be hindered by communication barriers between law enforcement and the financial services industry, and among financial institutions themselves.

What the report advocates in two sets of recommendations – those for immediate implementation and those for further study – is a complete overhaul of the existing regulatory and supervisory regime. Specifically, the report identifies seven reforms for immediate action:

  1. AML/CFT supervision should be rationalized by having the Financial Crimes Enforcement Network (FinCEN) reclaim sole supervisory responsibility for large, multinational financial institutions and by requiring the Department of Treasury, through its Office of Terrorism and Financial Intelligence (TFI), and FinCEN to establish a robust and inclusive annual process to establish AML/CFT priorities. The perceived benefits of these actions would be (a) greater focus on outcomes and the development of useful information to law enforcement, as opposed to the process-based approach taken by prudential supervisors, and (b) better alignment between law enforcement objectives and financial institutions’ AML/CFT programs.
  2. Congress should enact legislation, already pending in various forms, that prevents the establishment of anonymous companies and requires the reporting of beneficial owner information at the time of incorporation. Not to be confused with the FinCEN Customer Due Diligence (CDD) requirements that will obligate financial institutions, by May 2018, to collect beneficial ownership on legal entities, this recommendation is intended to require the collection of beneficial ownership at the time of company incorporation and whenever such information changes, and to make this information routinely available to FinCEN, law enforcement and financial institutions. This would shift the burden of gathering beneficial ownership information from the financial services industry to governmental bodies that incorporate these entities and, thus, free up financial services resources and allow them to spend more time on the detection of illicit activity.
  3. The Treasury TFI Office should strongly encourage innovation, and FinCEN should propose a safe harbor rule allowing financial institutions to innovate in a financial intelligence unit (FIU) “sandbox” without fear of examiner sanction. This would apply not only to large, multinational financial institutions that, through their direct collaboration with FinCEN, would presumably be leaders in innovation, but also to other financial institutions, which may have been reluctant to innovate for fear of their prudential regulators not being willing to accept new and different approaches.
  4. Policymakers should de-prioritize the investigation and reporting of activity of limited law enforcement or national security interest. This could be accomplished by raising the SAR reporting thresholds; eliminating SAR filings for insider abuse; and reviewing all existing SAR reporting guidance for relevancy (e.g., why should large financial institutions need to file SARs on cyberattacks when they typically engage in real-time communications with law enforcement when such attacks occur?). As with other recommendations, the impetus here is to free up resources to focus on what is really important.
  5. Policymakers should further facilitate the flow of raw data from financial institutions to law enforcement to assist with the modernization of the current AML/CFT technological paradigm. This would allow FinCEN to use big data analytics to identify illicit activity that cannot be detected by an individual financial institution.
  6. Regulatory or statutory changes should be made to the safe harbor provision in the USA PATRIOT Act (Section 314(b)) to further encourage information sharing among financial institutions, including the potential use of shared utilities to allow for more robust analysis of data. These changes should: (a) make it clear that information sharing extends to financial institutions’ attempts to identify suspicious activity and is not limited to sharing information about potential suspicious activity – e.g., information sharing might apply during the onboarding process when a financial institution may have questions about or find gaps in information provided by a prospective client; (b) broaden the safe harbor to other types of illicit activity beyond money laundering and terrorist financing; and (c) extend the safe harbor to technology companies and other nonfinancial services companies to allow for greater freedom to develop information-sharing platforms.
  7. Policymakers should enhance the legal certainty regarding the use and disclosure of SARs. The perceived benefits of allowing broader sharing of SAR information within a financial institution, including cross-border sharing, would be better transaction monitoring and higher quality SARs that provide more useful information for law enforcement.

Areas identified for additional study include:

  • Exploring the broader use of AML/CFT utilities to promote information sharing, and address barriers that hamper their use
  • Affording greater protection from discovery of SAR supporting materials
  • Balancing and clarifying the responsibilities of the public and private sectors for preventing financial crime
  • Establishing a procedure for “no action” letters whereby financial institutions could query FinCEN to determine how it would react to certain facts and circumstances
  • Providing the financial services industry with clearer standards of what constitutes an effective AML/CFT program
  • Improving coordination among the governmental players with a stake in combating money laundering and terrorist financing, and
  • Modernizing the SAR reporting regime to provide additional guidance on when to file or not file a SAR.

While there are pros and cons to be debated on many of the recommendations, the report, in summary, reveals the long-standing frustration of both the financial services industry and law enforcement with the current regime’s ineffectiveness. Financial institutions, with limited direction from the government, invest huge sums of money and dedicate large teams of people to “find the needle in the haystack” only to find their compliance efforts are often criticized by their regulators, even in the absence of actual wrongdoing. Law enforcement, for its part, tries to manage large volumes of information presented to it in the form of required reports from the financial services industry, much of which is not very useful in identifying the real criminals and risks. The solution seems simple: communication and coordination. Effecting that solution will likely prove difficult, especially in the short term with a new administration that has already staked out an aggressive regulatory reform agenda. But that doesn’t mean it’s not worth trying.

Regulatory Activity Unabated Despite Uncertain Regulatory Outlook

By Steven Stachowicz, Managing Director
Risk & Compliance




A month into the new U.S. administration, it’s clear that the political landscape is shifting. The administration has issued executive orders calling for a review of existing laws and regulations based on how they promote certain “core principles” related to the regulation of the U.S. financial system; a review of the Department of Labor’s Fiduciary Rule scheduled to take effect later in 2017; and an “implement one, repeal two” standard for the issuance of new regulations. Talk abounds about congressional actions aimed at actual or possible legislation, such as the TAILOR Act and the Financial CHOICE Act, which would affect the current regulatory structure as well.

The long-term ramifications of these actions for financial services regulation, supervision and enforcement are still unknown, and it may be some time before we have a clear view of what the future will look like. Meanwhile, financial institutions must still contend with the regulatory structure that exists today. Regulatory or self-regulatory agencies at the state, federal and even international levels are continuing to move forward with their existing supervisory and regulatory responsibilities. We address these in the February edition of Compliance Insights.

  • In the anti-money laundering (AML) space, we note that the Conference of State Bank Supervisors released a Bank Secrecy Act/AML Self-Assessment Tool to help financial institutions better manage money laundering risk. Risk assessments are top of mind for regulators, who consider logical, well-balanced and robust assessments the focal point of a sound risk management program. The self-assessment tool was issued not only to help provide transparency into how risks are assessed, monitored and communicated within an institution, but also to promote greater transparency among institutions to benefit the broader financial services industry.
  • Within the securities space, the Financial Industry Regulatory Authority (FINRA) published its Regulatory and Examination Priorities Letter for 2017, which identifies known and potential risks facing broker-dealers, investor relationship management and market operations. FINRA uses the annual priorities letter to communicate areas of focus for its information requests and examinations for the upcoming year. The 2017 letter highlights the “blocking and tackling” roles of compliance, supervision and risk management through FINRA’s focus on reviewing firms’ business models, internal control systems and client relationship management. Priorities identified for 2017 include: monitoring brokers with a history of disciplinary actions or complaints; sales practices; financial risk management and liquidity; operational risks; and market integrity.
  • Privacy concerns are atop the agenda for the European Commission (EC), which published the draft text of a proposed e-privacy regulation that, if adopted, would replace the EC’s current ePrivacy Directive with a more expansive regulation. Data privacy is a top priority for the EC, which seeks to establish a new privacy legal framework for electronic communications as part of a digital single market. The proposed regulation was developed with the intent to create better access for consumers and businesses to digital goods and services, level the playing field for digital networks, facilitate development of innovative services, and increase the growth potential of the digital economy.
  • Finally, the Consumer Financial Protection Bureau (CFPB) recently sued a bank for apparent unfair and deceptive practices related to enrolling customers into overdraft protection services. The suit contends that the bank violated the CFPB provision for implementing the Electronic Funds Transfer Act by misleading customers that overdraft protection was mandatory, concealing fees, deceptively seeking consent, and pushing back against customers who questioned the opt-in requests. Notably, the CFPB cites that the bank’s employee incentive program likely contributed to these issues, further highlighting the attention that the regulatory agencies are placing on sales practices and incentive compensation programs.

Even as Washington sorts itself out, financial institutions cannot lose sight of regulatory obligations and expectations that exist at the local, state, federal or even international level. The regulatory environment is likely to be quite dynamic in the foreseeable future, and financial institutions will remain challenged to manage their risks in this environment and not relax their compliance efforts.

Continue to follow our monthly roundups of compliance news here and on our site. The February issue is available here.


Regulatory Hot Topics in Financial Services for 2017


By Scott Jones, Managing Director
Internal Audit and Financial Advisory
Bryan Comite, Managing Director

Business Performance Improvement


Regulatory compliance is always top of mind in the financial services industry, and all the more so this year, with the sweeping, and sometimes conflicting, changes that many expect on the American political landscape. So it wasn’t surprising that our annual regulatory recap webinar for members of The IIA’s Financial Services Audit Center, conducted at the end of last year, drew a large and engaged audience.

The election of Donald Trump and Republican gains in the legislative branch suggest we may be heading into a period of regulatory reform. Indeed, President Trump said during the election process that he wanted to repeal aspects of the Dodd-Frank Wall Street Reform and Consumer Protection Act, and some analysts predict impact to the Consumer Financial Protection Bureau (CFPB), which was created under the Act.

On the other hand, the President has advocated reinstatement of Glass-Steagall, a Depression-era law barring banks from engaging in investment activities. The law was repealed under President Bill Clinton in 1999 — a move that the current president says set the stage for the financial crisis of 2007-2008.

And that’s just the tip of the iceberg. A change of control in Washington means new agency heads and a predicted slowdown in the pace of enforcement activities as the new administration finds its footing.

Nevertheless, financial institutions need to operate under the current rules and regulations until, and if, new regulations replace them. There have been several recent regulatory developments of note, and they were the subject of the November edition of our Compliance Insights newsletter, summarized here. Specifically, they are:

  • New prepaid rules — The CFPB finalized a rule that significantly changes the regulatory environment for financial institutions offering prepaid accounts. The new rule provides stronger protections for consumers of prepaid accounts, including new protections for “hybrid” prepaid cards that contain credit features.
  • Reporting cybersecurity issues — The Financial Crimes Enforcement Network (FinCEN) published an advisory to assist financial institutions in fulfilling their Bank Secrecy Act (BSA) obligations regarding the reporting of suspicious activities related to cybersecurity issues.
  • Foreign correspondent banking risks — The Office of the Comptroller of the Currency (OCC) published guidance on the periodic risk re-evaluation of foreign correspondent banking, which is applicable to all OCC-supervised national banks that maintain these relationships. The OCC advises these financial institutions to routinely re-evaluate foreign correspondent banking portfolios.
  • Fiduciary guidance — The Department of Labor (DOL) released both the first and second in a series of frequently asked questions (FAQs) to provide additional guidance on the implementation of its new fiduciary rule, which concerns the expansion of the types of retirement products and communications that trigger fiduciary status for retirement investment advisers and is designed to ensure the advisers’ actions are aligned with the best interests of their clients. Recent press has reported that, as a result of the presidential election, there is a potential for actions to be taken that may modify the implementation of the rule, but no specific details or timing have been released.

Looking ahead to 2017, we anticipate that examiners will focus on sales practices and incentives; cybersecurity; compliance management, especially in the second line of defense; compliance with Bank Secrecy Act/anti-money laundering rules; stress testing; and vendor management.

We’d like to leave internal audit departments within financial institutions with some key points we believe are essential to effective internal audit performance in this dynamic regulatory environment. Some are intuitive. Some may be new to some readers, if not to others.

  • It all starts with an internal audit risk assessment and internal audit plan development. The right plan in this environment anticipates change. Interview various constituents in your organization (general counsel, chief compliance officers), as well as trusted advisers outside your organization. In addition to required annual reviews — AML, BSA, SAFE Act, and others — it’s important to understand your examiner’s expectations regarding emerging risks.
  • Having the right expertise is important. After developing an internal audit plan, it’s wise to take stock of the internal audit team and proactively address any capabilities gaps, internally through training, or externally through trusted partners with subject-matter expertise.
  • Flexibility and scalability are critical this year given the possibility of regulatory change. We’ve heard from many audit executives who say they are dedicating more special-project time to their internal audit plans, just in case.
  • And, as always, relationship management is key. In times of change, it is especially important to keep in close touch with the chief compliance officer and the compliance organization. We may not be able to anticipate all the changes we encounter, but how we react to that change can make all the difference. With the right frame of mind, proper planning, and the right team of advisers, internal audit departments can look to 2017 with confidence.

Bank Charters for Fintech Companies Top January Compliance News

By Steven Stachowicz, Managing Director
Risk and Compliance




In December 2016, the Office of the Comptroller of the Currency (OCC), which oversees many of the largest banks in the country, released its plans to consider granting special-purpose national bank charters to a broad range of financial technology (fintech) companies that are engaged in providing technology-driven financial products and services to consumers and small businesses. The idea is not without controversy, as policy makers and industry participants alike debate the pros and cons of chartering such companies, and it raises important questions regarding the standards to which these companies will be held and the benefits to consumers such a move will provide.

The OCC plan tops the news in the January 2017 edition of Compliance Insights, and is highlighted there in further depth.

The products and services that fintech companies offer today rival many heavily regulated banking institutions, including in the areas of consumer and mortgage lending, payment services, financial planning and wealth management. Clearly, the OCC believes chartering these companies to be in the public interest, with the potential to both expand financial inclusion and empower customers to take more control of their finances. It is also an opportunity for the OCC to exert greater supervisory oversight of such companies, ensuring that they engage in safe and sound behaviors and treat consumers fairly, while also encouraging financial innovation.

The OCC makes clear that obtaining such a charter won’t be easy – fintechs will have to demonstrate sound business plans, appropriate risk management, and fundamentally strong financial strength and performance to meet the OCC’s high standards. As fintechs weigh the advantages of a charter against these costs, hardly anyone expects a rush of applicants in the short term. However, with the proliferation of innovative technologies for financial products and services and increasing consumer adoption of these technologies, it is likely only a matter of time before you see the acronym “N.A.” (for “National Association”) at the end of the name of your favorite online consumer lender or payments provider.

In other compliance news:

  • The Consumer Financial Protection Bureau has released its semi-annual rulemaking agenda and announced its fair lending-specific priorities for 2017. Both announcements provide insights to the financial services industry regarding the agency’s rule-making and supervisory priorities in the upcoming year. Noteworthy items on the Fall 2016 rule-making agenda included arbitration, debt collection and integrated mortgage disclosures. In 2017, the CFPB will be targeting any potential redlining of minority neighborhoods, the role of race and ethnicity in mortgage and student loan workout options, and lending risks related to minority and women-owned small businesses.
  • The Financial Action Task Force (FATF) has published its first evaluation report since 2006. The international standards body, designed to develop and promote anti-money laundering and terrorist financing policies, gave the United States high marks, but identified several areas for improvement.
  • India’s effort to crack down on illegal cash holdings by voiding all 500 and 1,000 rupee notes has had the unintended consequence of digitizing the country’s illicit cash flow. The effort, which removed 86 percent of the country’s cash in circulation, has spawned money laundering networks and alternative money transfer systems. U.S. financial institutions should continue to pay close attention to this developing situation and monitor the potential money laundering risks to their institution.
  • And finally, the Federal Reserve Bank of New York is spearheading an effort to find alternatives to the London Interbank Offered Rate (LIBOR) in the wake of evidence that several banks had colluded to report rates favorable to their trading positions. A decision is expected later this year.

All of these issues are discussed in greater detail in the January 2017 edition of Compliance Insights. Links offering a deeper dive into each of the specific topics are also available.