Compliance News Roundup: The Clearing House AML Recommendations, CFPB on Alternative Data and More

Protiviti published its March issue of Compliance Insights this week. We sat down with Steven Stachowicz, Managing Director with Protiviti’s Risk and Compliance practice, to discuss some of the highlights. Listen to our podcast below, or click on the “Continue Reading” link to read the interview.

 

In-Depth Interview, Compliance Insights [transcript] Continue reading

Embracing Analytics in Auditing: New Protiviti Survey Takes a Look

In a digital world, the time for internal audit functions to embrace analytics is now. This is the most significant takeaway from Protiviti’s 2017 Internal Audit Capabilities and Needs Survey, released today. The results show that chief audit executives and internal audit professionals increasingly are leveraging analytics in the audit process, as well as for a host of continuous auditing and monitoring activities.

Learn more by watching our video below. For more information and our full report, visit www.protiviti.com/IASurvey.

Four Ways for Insurers to Prepare for New NAIC Cybersecurity Rules

By Adam Hamm, Managing Director
Risk and Compliance

 

 

 

Cybersecurity and technology represent immense challenges and opportunities for all insurers and financial services companies. Organizations need to protect sensitive information and customer data to the greatest extent possible, and to recover as quickly as possible in the event of a breach.

Insurance companies store large amounts of personal information about their policyholders. Cybercriminals know this, and have been increasingly targeting insurers. The past two years have seen a dramatic increase in successful cyberattacks, exposing the personally-identifiable information of more than 100 million Americans. As a result, state insurance regulators have been looking for ways to protect consumers and ensure the integrity of the industry. This month, New York became the first state to adopt cybersecurity guidelines. And the National Association of Insurance Commissioners (NAIC) is working towards completing its Data Security Model Law.

Continue reading

New York Steps Up With First State-Level Cybersecurity Regulations for Financial Services Companies

By Adam Hamm, Managing Director
Risk & Compliance

 

 

 

With the future of federal regulations uncertain, the New York Department of Financial Services (NYDFS) has taken cybersecurity matters into its own hands. Effective March 1,, 2017, banks, insurers and other financial services regulated by the NYSDFS must maintain a cybersecurity program designed to protect consumers and ensure the safety and soundness of New York State’s financial services industry.

New York is the first state to adopt comprehensive cybersecurity regulation. Others are watching closely. The National Association of Insurance Commissioners (NAIC) is still crafting its own highly anticipated cybersecurity model law, and comparisons between the two frameworks will continue. We will be following up on these developments as they happen, as well as monitoring whether other states will follow New York’s lead.

Much more than a ritual box-checking exercise, the New York regulation requires the state’s banks, insurance companies and other financial service providers to each conduct a thorough cybersecurity risk assessment and design a robust cybersecurity program based on the findings.

Risk assessments will vary according to the individual risk profile of each covered entity but, generally, the documented risk assessment needs to do the following:

  • Provide criteria for the evaluation and categorization of identified cybersecurity risks or threats which the entity may face.
  • Design criteria for the assessment of the confidentiality, integrity, security and availability of the entity’s information systems and nonpublic information, including the adequacy of existing controls in the context of identified risks.
  • Develop a risk mitigation program that describes how actual risks will be mitigated (or accepted) and how the company will monitor these risks. It is important to document the systems that are in place to detect and defend against cyberattacks, and test employee response to ensure that protocols are both followed and effective.
  • Develop policies and procedures for the implementation and operation of the cybersecurity program, and train employees in these procedures.

In addition, each entity must designate a qualified chief information security officer (CISO) to administer the cybersecurity program. This may not be news to larger financial institutions, but for a smaller entity it may be a brand new requirement that requires some restructuring.

A CISO doesn’t have to come from within the entity’s ranks. Third parties can provide the CISO oversight services in an outsourced capacity. It is important to note, however, that while the responsibility for the oversight can be delegated, liability for the risk as well as for compliance is not transferable and remains with the entity.

There are many more specific details in the NYDFS regulation that covered entities will need to carefully look into as they shape their cybersecurity programs. Among them are specific initiatives that companies will either need to undertake now, or review to make sure they comply with the rule: incident response plan, data encryption, multi-factor authentication, third-party service provider security policies, penetration testing and vulnerability assessments, access privileges, and an audit trail for all these efforts, among others.

Covered entities have until February 15, 2018, to submit their first certification of compliance (annual requirement). This is a very short timeframe. I would urge companies to begin their risk assessments with utmost speed to ensure adequate time to identify and remediate any security gaps before the 2018 compliance deadline.

You can read the full regulation here.

Some Considerations for Manufacturers as U.S. Lawmakers Work to Peel Back Regulations

Sharon LindstromBy Sharon Lindstrom, Managing Director
Manufacturing and Distribution Industry Leader

 

 

 

It took the new Trump administration essentially no time to start issuing executive orders and presidential memoranda designed to ease regulations on U.S. businesses. Certain changes the administration is advocating would be welcome news for manufacturing and distribution companies, such as:

  • A presidential memorandum that is intended to streamline federal permitting processes for, and to reduce regulatory burdens that affect, domestic manufacturers.
  • An executive order that orders a review of the Dodd-Frank Wall Street Reform and Consumer Protection Act (DFA). Scaling back these financial regulations, which were instituted in 2010 following the financial crisis, would reduce reporting requirements for many businesses.

Potential Suspension of DFA Section 1502

One DFA-related change that the Trump administration is reportedly considering could benefit many manufacturing and distribution companies: suspension of Section 1502. The so-called Conflict Minerals Rule requires certain public companies to disclose whether they use specific conflict minerals that originated from the Democratic Republic of the Congo or nine adjoining “Covered Countries.” Conflict minerals, such as tin, tantalum, tungsten and gold, are used to manufacture products across a wide range of industries, including technology and consumer products. Section 1502 required companies to assess whether any manufactured products contained such minerals and determine whether these materials originated in the Covered Countries by conducting supply chain due diligence and reporting annually.

Overtime Exemption Rule on Ice

The future is also uncertain for the controversial Fair Labor Standards Act overtime rule, which was introduced during the Obama administration and was supposed to go into effect on December 1, 2016. The rule increased the threshold for overtime pay whereby salaried workers who earn less than US$47,476 annually would be eligible for overtime pay when they work more than 40 hours a week. Companies must either compensate these workers with overtime pay or raise their salaries so they are above the threshold.

The National Association of Manufacturing’s Center for Manufacturing Research has estimated that overtime costs for manufacturers will reach $24 billion within the next 10 years under the Obama overtime regulations. However, the final overtime exemption rule under the Fair Labor Standards Act was blocked by a federal court in Texas one week before its effective date. In January, the Trump administration essentially put the rule on ice following a regulations freeze.

Regulatory Risk: It’s Still Out There

Manufacturing and distribution executives must consider the potential risks that accompany regulatory changes that are already in the works or that may be on the horizon. Industry executives who took part in the latest Executive Perspectives on Top Risks Survey from Protiviti and North Carolina State University’s ERM Initiative cited the following as a top risk for their companies in 2017: Regulatory changes and regulatory scrutiny may heighten, noticeably affecting the manner in which our products or services will be produced or delivered.

Change takes time, and many of the regulatory changes proposed in recent weeks could take years to fully play out. As The Wall Street Journal noted in a recent article about Trump’s executive order stipulating that government agencies eliminate two regulations for each new regulation they introduce: “[Any] effort to scrap a regulation triggers its own process, complete with draft rules, comment periods, and regulation rewriting. That process [also] can be subject to litigation.”

While certain changes would be welcome by manufacturing companies, the changing global trade landscape must be monitored vigilantly, as well. The Trump administration’s approach to trade and negative view toward multinational trade agreements are likely to create previously unanticipated challenges, costs and risks for manufacturing and distribution companies inside and outside of the U.S. For some of these businesses in the U.S., any potential regulatory relief may be offset, at least in the short term, by revisions to free trade agreements that could impact the ability to conduct business with trusted partners in other countries.

Still, for now, manufacturing and distribution companies have a lot to be optimistic about. Even before Trump took office and started taking steps to ease regulations, there were signs that the U.S. manufacturing industry was beginning to grow again. The Institute for Supply Management Index hit 56 percent in January, rising 1.5 percentage points from December and exceeding many economists’ expectations. This is the fastest pace of growth in more than two years.

A New and Better AML Regime?

Carol Beaumier

By Carol Beaumier, Executive Vice President and Managing Director
Regulatory Compliance Practice

 

 

 

On February 16, 2017, The Clearing House (a banking association and payments company that is owned by twenty-five of the largest commercial banks) released a report entitled A New Paradigm: Redesigning the U.S. AML/CFT Framework to Protect National Security and Aid Law Enforcement. The report analyzes the current effectiveness of the U.S. anti-money laundering/counter-terrorism financing (AML/CFT) regime, identifies fundamental problems, and proposes a series of reforms to address them. It is the output of two closed-door sessions held in 2016 that were attended by sixty senior former and current officials from law enforcement, national security, bank regulation and domestic policy; leaders of prominent think tanks in the areas of economic policy, development, and national security; consultants and lawyers practicing in the field; fintech CEOs; and the heads of AML/CFT at multiple major financial institutions.

The report concludes, in effect, that the current U.S. AML/CFT Framework is based on an amalgam of sometimes-conflicting requirements and focuses more on process than outcomes, and that combatting money laundering and terrorist financing continues to be hindered by communication barriers between law enforcement and the financial services industry, and among financial institutions themselves.

What the report advocates in two sets of recommendations – those for immediate implementation and those for further study – is a complete overhaul of the existing regulatory and supervisory regime. Specifically, the report identifies seven reforms for immediate action:

  1. AML/CFT supervision should be rationalized by having the Financial Crimes Enforcement Network (FinCEN) reclaim sole supervisory responsibility for large, multinational financial institutions and by requiring the Department of Treasury, through its Office of Terrorism and Financial Intelligence (TFI), and FinCEN to establish a robust and inclusive annual process to establish AML/CFT priorities. The perceived benefits of these actions would be (a) greater focus on outcomes and the development of useful information to law enforcement, as opposed to the process-based approach taken by prudential supervisors, and (b) better alignment between law enforcement objectives and financial institutions’ AML/CFT programs.
  2. Congress should enact legislation, already pending in various forms, that prevents the establishment of anonymous companies and requires the reporting of beneficial owner information at the time of incorporation. Not to be confused with the FinCEN Customer Due Diligence (CDD) requirements that will obligate financial institutions, by May 2018, to collect beneficial ownership on legal entities, this recommendation is intended to require the collection of beneficial ownership at the time of company incorporation and whenever such information changes, and to make this information routinely available to FinCEN, law enforcement and financial institutions. This would shift the burden of gathering beneficial ownership information from the financial services industry to governmental bodies that incorporate these entities and, thus, free up financial services resources and allow them to spend more time on the detection of illicit activity.
  3. The Treasury TFI Office should strongly encourage innovation, and FinCEN should propose a safe harbor rule allowing financial institutions to innovate in a financial intelligence unit (FIU) “sandbox” without fear of examiner sanction. This would apply not only to large, multinational financial institutions that, through their direct collaboration with FinCEN, would presumably be leaders in innovation, but also to other financial institutions, which may have been reluctant to innovate for fear of their prudential regulators not being willing to accept new and different approaches.
  4. Policymakers should de-prioritize the investigation and reporting of activity of limited law enforcement or national security interest. This could be accomplished by raising the SAR reporting thresholds; eliminating SAR filings for insider abuse; and reviewing all existing SAR reporting guidance for relevancy (e.g., why should large financial institutions need to file SARs on cyberattacks when they typically engage in real-time communications with law enforcement when such attacks occur?). As with other recommendations, the impetus here is to free up resources to focus on what is really important.
  5. Policymakers should further facilitate the flow of raw data from financial institutions to law enforcement to assist with the modernization of the current AML/CFT technological paradigm. This would allow FinCEN to use big data analytics to identify illicit activity that cannot be detected by an individual financial institution.
  6. Regulatory or statutory changes should be made to the safe harbor provision in the USA PATRIOT Act (Section 314(b)) to further encourage information sharing among financial institutions, including the potential use of shared utilities to allow for more robust analysis of data. These changes should: (a) make it clear that information sharing extends to financial institutions’ attempts to identify suspicious activity and is not limited to sharing information about potential suspicious activity – e.g., information sharing might apply during the onboarding process when a financial institution may have questions about or find gaps in information provided by a prospective client; (b) broaden the safe harbor to other types of illicit activity beyond money laundering and terrorist financing; and (c) extend the safe harbor to technology companies and other nonfinancial services companies to allow for greater freedom to develop information-sharing platforms.
  7. Policymakers should enhance the legal certainty regarding the use and disclosure of SARs. The perceived benefits of allowing broader sharing of SAR information within a financial institution, including cross-border sharing, would be better transaction monitoring and higher quality SARs that provide more useful information for law enforcement.

Areas identified for additional study include:

  • Exploring the broader use of AML/CFT utilities to promote information sharing, and address barriers that hamper their use
  • Affording greater protection from discovery of SAR supporting materials
  • Balancing and clarifying the responsibilities of the public and private sectors for preventing financial crime
  • Establishing a procedure for “no action” letters whereby financial institutions could query FinCEN to determine how it would react to certain facts and circumstances
  • Providing the financial services industry with clearer standards of what constitutes an effective AML/CFT program
  • Improving coordination among the governmental players with a stake in combating money laundering and terrorist financing, and
  • Modernizing the SAR reporting regime to provide additional guidance on when to file or not file a SAR.

While there are pros and cons to be debated on many of the recommendations, the report, in summary, reveals the long-standing frustration of both the financial services industry and law enforcement with the current regime’s ineffectiveness. Financial institutions, with limited direction from the government, invest huge sums of money and dedicate large teams of people to “find the needle in the haystack” only to find their compliance efforts are often criticized by their regulators, even in the absence of actual wrongdoing. Law enforcement, for its part, tries to manage large volumes of information presented to it in the form of required reports from the financial services industry, much of which not very useful in identifying the real criminals and risks. The solution seems simple: communication and coordination. Effecting that solution will likely prove difficult, especially in the short term with a new administration that has already staked out an aggressive regulatory reform agenda. But, that doesn’t mean it’s not worth trying.

2016 Vendor Risk Management Benchmark Study Results Released

infographic-2016-vendor-risk-management-benchmark-studyProtiviti and the Shared Assessments Program recently released the results of our jointly conducted 2016 Vendor Risk Management Benchmark Study.

This is the third year that Shared Assessments and Protiviti have partnered on this research, which is based on the comprehensive Vendor Risk Management Maturity Model (VRMMM) developed by the Shared Assessments Program. At right, you’ll find our infographic, and below is our podcast featuring Gary Roboff, senior advisor to Santa Fe Group and Shared Assessments Program, and Cal Slemp, managing director for Protiviti and leader of the firm’s Security Program and Strategy Services practice, discussing the key findings.

Learn more and find our full report at sharedassessments.org and protiviti.com/vendor-risk.