Compliance News Roundup: The Clearing House AML Recommendations, CFPB on Alternative Data and More

Protiviti published its March issue of Compliance Insights this week. We sat down with Steven Stachowicz, Managing Director with Protiviti’s Risk and Compliance practice, to discuss some of the highlights. Listen to our podcast below, or click on the “Continue Reading” link to read the interview.
Four Ways for Insurers to Prepare for New NAIC Cybersecurity Rules

By Adam Hamm, Managing Director
Risk and Compliance

Cybersecurity and technology represent immense challenges and opportunities for all insurers and financial services companies. Organizations need to protect sensitive information and customer data to the greatest extent possible, and to recover as quickly as possible in the event of a breach.

Insurance companies store large amounts of personal information about their policyholders. Cybercriminals know this, and have been increasingly targeting insurers. The past two years have seen a dramatic increase in successful cyberattacks, exposing the personally identifiable information of more than 100 million Americans. As a result, state insurance regulators have been looking for ways to protect consumers and ensure the integrity of the industry. This month, New York became the first state to adopt cybersecurity guidelines. And the National Association of Insurance Commissioners (NAIC) is working towards completing its Data Security Model Law.

New York Steps Up With First State-Level Cybersecurity Regulations for Financial Services Companies

By Adam Hamm, Managing Director
Risk & Compliance

With the future of federal regulations uncertain, the New York Department of Financial Services (NYDFS) has taken cybersecurity matters into its own hands. Effective March 1, 2017, banks, insurers and other financial services companies regulated by the NYDFS must maintain a cybersecurity program designed to protect consumers and ensure the safety and soundness of New York State’s financial services industry.

New York is the first state to adopt comprehensive cybersecurity regulation. Others are watching closely. The National Association of Insurance Commissioners (NAIC) is still crafting its own highly anticipated cybersecurity model law, and comparisons between the two frameworks will continue. We will be following up on these developments as they happen, as well as monitoring whether other states will follow New York’s lead.

Much more than a ritual box-checking exercise, the New York regulation requires the state’s banks, insurance companies and other financial service providers to each conduct a thorough cybersecurity risk assessment and design a robust cybersecurity program based on the findings.

Risk assessments will vary according to the individual risk profile of each covered entity but, generally, the documented risk assessment needs to do the following:

  • Provide criteria for the evaluation and categorization of identified cybersecurity risks or threats that the entity may face.
  • Design criteria for the assessment of the confidentiality, integrity, security and availability of the entity’s information systems and nonpublic information, including the adequacy of existing controls in the context of identified risks.
  • Develop a risk mitigation program that describes how actual risks will be mitigated (or accepted) and how the company will monitor these risks. It is important to document the systems that are in place to detect and defend against cyberattacks, and test employee response to ensure that protocols are both followed and effective.
  • Develop policies and procedures for the implementation and operation of the cybersecurity program, and train employees in these procedures.

In addition, each entity must designate a qualified chief information security officer (CISO) to administer the cybersecurity program. This may not be news to larger financial institutions, but for a smaller entity it may be a brand new requirement that requires some restructuring.

A CISO doesn’t have to come from within the entity’s ranks. Third parties can provide the CISO oversight services in an outsourced capacity. It is important to note, however, that while the responsibility for the oversight can be delegated, liability for the risk as well as for compliance is not transferable and remains with the entity.

There are many more specific details in the NYDFS regulation that covered entities will need to carefully look into as they shape their cybersecurity programs. Among them are specific initiatives that companies will either need to undertake now, or review to make sure they comply with the rule: incident response plan, data encryption, multi-factor authentication, third-party service provider security policies, penetration testing and vulnerability assessments, access privileges, and an audit trail for all these efforts, among others.

Covered entities have until February 15, 2018, to submit their first certification of compliance, which is then an annual requirement. This is a very short timeframe. I would urge companies to begin their risk assessments with utmost speed to ensure adequate time to identify and remediate any security gaps before the 2018 compliance deadline.

You can read the full regulation here.

From Tiny Tech to Populism: Latest Issue of PreView Scans the Global Risk Horizon

By Jason Daily, Director
Risk and Compliance

Imagine a DNA-programmed nanoparticle capable of hacking cancer cells, a plankton-sized carbon tube that can remove pollutants from water, or food packaging that changes color in the presence of dangerous bacteria. Nanotechnology, with a market predicted to reach almost $13 billion by 2021, has the potential to change the world, and every industry — from healthcare to the military — has a stake in its advances.

Use of Nanomaterials by Industry

With that potential, of course, comes risk. Nanotech may be applied in controversial ways — such as surveillance, or weapons capable of attacking people, plants or livestock at the molecular level. The technology is not visible to the naked eye, raising concern among some, who worry that self-replicating nanobots could destroy the planet if not properly controlled.

Nanotech is only one of the macro-level trends we’re watching as part of Protiviti’s ongoing PreView global risk series. We evaluate emerging risks according to the five global risk categories established by the World Economic Forum. In the January edition, in addition to nanotechnology, we consider the risk of a global water crisis and the “morality” of thinking machines, and we look ahead at the risk of marching populism and what cybersecurity means on a national and global scale.

WEF Global Risk Categories

The flip side of risk is opportunity. While governments and industries grapple with the shortage of fresh, clean water, particularly in developing countries, opportunities for water applications of nanotechnologies abound. As artificial intelligence increasingly replaces humans in making key decisions, opportunities to improve the underlying algorithms can translate into market share and increased profits for the early movers. And finally, with cyber the new warfare, governments and companies have an opportunity to stake a claim in the cybersecurity space by designing products, as well as policies, that protect both digital assets and societal freedoms.

Several of the topics in our current issue are a continuation from previous issues. This trend will continue, as the risks we are keeping an eye on evolve over time and their implications change, sometimes quickly. Whether continuing or newly emerging, such as populism, all of these risks are fascinating to follow, and imperative to take into consideration in mapping long-term business strategies. That’s probably one reason why our PreView series is among our most popular publications.

I encourage you to both read and share our latest issue with your board and executives, to spark discussion and help ensure these emerging risks are part of risk discussions. And, we encourage a discussion here as well. Tell us what you think in the comments.

Regulatory Activity Unabated Despite Uncertain Regulatory Outlook

By Steven Stachowicz, Managing Director
Risk & Compliance

A month into the new U.S. administration, it’s clear that the political landscape is shifting. The administration has issued executive orders calling for a review of existing laws and regulations based on how they promote certain “core principles” related to the regulation of the U.S. financial system; a review of the Department of Labor’s Fiduciary Rule scheduled to take effect later in 2017; and an “implement one, repeal two” standard for the issuance of new regulations. Talk abounds about congressional actions aimed at actual or possible legislation, such as the TAILOR Act and the Financial CHOICE Act, which would affect the current regulatory structure as well.

The long-term ramifications of these actions for financial services regulation, supervision and enforcement are still unknown, and it may be some time before we have a clear view of what the future will look like. Meanwhile, financial institutions must still contend with the regulatory structure that exists today. Regulatory or self-regulatory agencies at the state, federal and even international levels are continuing to move forward with their existing supervisory and regulatory responsibilities. We address these in the February edition of Compliance Insights.

  • In the anti-money laundering (AML) space, we note that the Conference of State Bank Supervisors released a Bank Secrecy Act/AML Self-Assessment Tool to help financial institutions better manage money laundering risk. Risk assessments are top of mind for regulators, who consider logical, well-balanced and robust assessments the focal point of a sound risk management program. The self-assessment tool was issued not only to help provide transparency into how risks are assessed, monitored and communicated within an institution, but also to promote greater transparency among institutions to benefit the broader financial services industry.
  • Within the securities space, the Financial Industry Regulatory Authority (FINRA) published its Regulatory and Examination Priorities Letter for 2017, which identifies known and potential risks facing broker-dealers, investor relationship management and market operations. FINRA uses the annual priorities letter to communicate areas of focus for its information requests and examinations for the upcoming year. The 2017 letter highlights the “blocking and tackling” roles of compliance, supervision and risk management through FINRA’s focus on reviewing firms’ business models, internal control systems and client relationship management. Priorities identified for 2017 include: monitoring brokers with a history of disciplinary actions or complaints; sales practices; financial risk management and liquidity; operational risks; and market integrity.
  • Privacy concerns are atop the agenda for the European Commission (EC), which published the draft text of a proposed e-privacy regulation that, if adopted, would replace the EC’s current ePrivacy Directive with a more expansive regulation. Data privacy is a top priority for the EC, which seeks to establish a new privacy legal framework for electronic communications as part of a digital single market. The proposed regulation was developed with the intent to create better access for consumers and businesses to digital goods and services, level the playing field for digital networks, facilitate development of innovative services, and increase the growth potential of the digital economy.
  • Finally, the Consumer Financial Protection Bureau (CFPB) recently sued a bank for apparent unfair and deceptive practices related to enrolling customers into overdraft protection services. The suit contends that the bank violated the CFPB provision for implementing the Electronic Funds Transfer Act by misleading customers that overdraft protection was mandatory, concealing fees, deceptively seeking consent, and pushing back against customers who questioned the opt-in requests. Notably, the CFPB cites that the bank’s employee incentive program likely contributed to these issues, further highlighting the attention that the regulatory agencies are placing on sales practices and incentive compensation programs.

Even as Washington sorts itself out, financial institutions cannot lose sight of regulatory obligations and expectations that exist at the local, state, federal or even international level. The regulatory environment is likely to be quite dynamic in the foreseeable future, and financial institutions will remain challenged to manage their risks in this environment and not relax their compliance efforts.

Continue to follow our monthly roundups of compliance news here and on our site. The February issue is available here.

Anticipating the Fifth EU AML Directive: What Financial Institutions Need to Know

By Matt Taylor, Managing Director
Regulatory Compliance Practice

Money laundering regulations are proving to be as complicated as the shadowy financial transactions they are trying to prevent. A case in point: The Fourth European Union Anti-Money Laundering Directive (4AMLD), approved in 2015 and scheduled to go into effect June 26, 2017, has already been supplanted by 5AMLD — amended text addressing threats that have emerged in the period between the adoption and implementation of 4AMLD.

As it stands, the agreed 4AMLD text and effective date will remain, but financial institutions should anticipate additional regulatory changes from 5AMLD shortly thereafter. We issued a flash report last week, which outlines the proposed changes in 5AMLD and provides recommendations on how financial institutions can prepare for them.

There are five main requirements proposed by the 5AMLD that affect financial institutions:

  1. Virtual currencies. 5AMLD adds virtual currencies, anonymous prepaid cards and other digital currencies, such as bitcoin exchanges and wallet services, to the list of activities carrying the risk of terror financing. The 5AMLD better defines “virtual currencies” under EU law, and includes the requirement to adopt this legal definition in AML legislation across all member states. Under the proposed amendment, providers engaged in exchange services between virtual and hard currencies and custodian wallet providers will be required to apply customer due diligence (CDD), similar to what is already required for hard currency transactions.
  2. Identifying prepaid card owners. EU member states will be required to identify the customer in the case of remote payment transactions where the amount paid exceeds EUR 50. After 36 months from the date 5AMLD enters into force (a date still to be determined), identification requirements will apply to all remote payment transactions. Certain exemptions may apply for “low-risk” customers where defined risk-mitigating factors are met.
  3. Beneficial ownership registers. Member states must comply with register requirements within 18 months of the 5AMLD implementation date. Registers must be interconnected to the European Central Platform within 18 months of implementation in accordance with the technical specifications and procedures set out in Article 4C of Directive 2009/101/EC. Technical requirements, including access controls and operational challenges, should also be considered and tested in preparation for compliance with 5AMLD requirements.
  4. Enhanced information sharing. 5AMLD requires member states to establish automated data clearinghouses at the national level to aggregate individual account ownership across multiple institutions. Data must be searchable by account holder, beneficial owner, IBAN number, and open and close dates, as applicable. Powers of EU Financial Intelligence Units (FIUs) will be enhanced through 5AMLD, as they will be permitted to request information from any obliged entity and would no longer be limited to identification of a predicate offense or suspicious activity report prior to an information request. The proposed amendments make information more easily accessible and align with international best practices.
  5. High-risk third countries. Member states will be required to apply specific enhanced due diligence (EDD) measures for transactions involving entities on a list of “high-risk third countries” defined by the European Commission. This is intended to reduce regulatory differences between member states, where some EU countries offer less-stringent controls in exchange for higher fees, allowing terrorists to exploit the weaknesses in these measures.

5AMLD has proved to be more controversial than 4AMLD, particularly with prepaid cards and virtual currencies being more tightly regulated and uncertainty regarding the implementation of centralized registers. Nevertheless, there is an ambitious timeframe for its adoption. With 4AMLD expected to become effective June 26, 2017, it is reasonable to assume that 5AMLD will become effective shortly thereafter, if not concurrently, and obliged entities should be ready to implement the proposed 5AMLD requirements.

Download the flash report for additional details and recommendations.

Doubling Down on AML: Higher Stakes for Casino Compliance

By Steve Wang, Managing Director
Internal Audit and Financial Advisory

Despite recent improvements in the gaming industry’s efforts to combat money laundering, enforcement actions by U.S. and foreign regulators have put casino operators on notice that their anti-money laundering (AML) programs and related internal controls are being subjected to greater scrutiny.

Consequences have escalated, and compliance officers face personal liability for AML violations on their watch, as a result of a court ruling that the Bank Secrecy Act (BSA) allows owners, officers, directors and employees to be held accountable, along with the organization.

Pillars of an Effective AML Program

Over the past two years, the U.S. Treasury’s Financial Crimes Enforcement Network (FinCEN) has levied seven fines, for a total of $110 million — more than double the volume, and almost ten times the dollar value, of all AML fines against casinos in the previous 11 years. Future penalties may also be on the rise. The Federal Civil Penalties Inflation Adjustment Improvements Act, effective last August, requires agencies, including FinCEN, to make “catch-up” adjustments to the fines, as well as annual inflation adjustments. Many civil penalties haven’t been adjusted in decades, which means that penalties could rise substantially. And FinCEN isn’t the only federal agency levying fines. The U.S. Treasury and the Department of Justice have also fined casinos.

Casinos have long been the focus of government scrutiny because of the large amounts of cash they handle, which make them particularly vulnerable to money laundering and terrorist financing risks. But not all news is bad. A research report from the American Gaming Association suggests that the gaming industry has taken significant steps to comply with AML and counter-terrorism financing (CTF) requirements. In its December 2016 Mutual Evaluation Report, the international Financial Action Task Force (FATF) commented favorably on the increased number of quality SAR filings by casinos — 50,941 in 2015, versus 21,308 in 2012.

Nevertheless, the increased emphasis on disclosure runs counter to an established industry practice of protecting the privacy of high rollers, and so casino operators and their compliance staff may feel uncertain about the best way to reconcile their disclosure obligations with business objectives.

Protiviti recommends that casino compliance officers take actions to mitigate the compliance risk, such as:

  • Share risk assessments with the proper stakeholders – Effective AML programs should take a risk-based approach, which starts with conducting a risk assessment at the property level. Assessments should be reported to executive leadership, and used to customize compliance programs with a particular focus on customer due diligence (CDD) and transaction monitoring.
  • Develop and share CDD standards with employees – CDD programs must evolve and take a risk-based approach to gaining a better understanding of patron relationships and identifying those that may pose a threat. Additional security should be assigned to those higher-risk customers to verify sources of wealth, known associates, game play, and screening against government sanctions lists. Enhanced due diligence policies should be in writing and align with heightened regulatory expectations and industry best practices.
  • Request additional resources – Higher stakes and expanding regulatory requirements mean more people, dollars and systems will have to be dedicated to AML compliance. It is essential that compliance officers request sufficient funding support from executive leadership. Given the recent focus on individual liability, it’s in their best interests.
  • Share information with other casinos – Threat information can be exchanged legally under the safe harbor provision of the U.S. PATRIOT Act, Section 314(b); however, casinos were generally not aware that they are covered under the provision. Casinos are also allowed to share SARs with other casinos under the same parent company located in the U.S. Both of these rules make compliance easier, and casinos should update their sharing policies and procedures to reflect that.
  • Stay current in AML training – Management should revisit AML training modules for different job roles, both for casino operators and compliance personnel. Operators should be taught to recognize red flags, such as large transactions with minimal gaming activity and cash transactions that appear to be structured to stay under the $10,000 federal transaction reporting standards.
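
The two red flags named in the last bullet (cash transactions that appear structured to stay under the $10,000 reporting threshold, and large transactions with minimal gaming activity) are the kind of pattern a transaction-monitoring rule can surface for a compliance analyst. The following is an added illustration, not code from Protiviti or from any casino system: it runs two such rules over a handful of constructed cage transactions. The $10,000 figure comes from the post; the "near-threshold" band, the seven-day window, the "large transaction" size and the play ratio are hypothetical tuning values that a real program would set from its own risk assessment.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


# One cash transaction at the cage: who, when, cash taken in, and how much of
# that cash was actually wagered before it was cashed back out.
@dataclass(frozen=True)
class CashTxn:
    patron: str
    when: datetime
    cash_in: float
    wagered: float


CTR_THRESHOLD = 10_000.0     # federal currency transaction reporting threshold (from the post)
NEAR_THRESHOLD = 9_000.0     # hypothetical: start of the "just under the threshold" band
WINDOW = timedelta(days=7)   # hypothetical: rolling window for aggregating a patron's cash-ins
LARGE_TXN = 5_000.0          # hypothetical: size at which a single buy-in is "large"
MIN_PLAY_RATIO = 0.10        # hypothetical: wagering under 10% of cash-in counts as minimal play

# Constructed sample data (not real patrons or transactions).
SAMPLE = [
    CashTxn("P-1001", datetime(2017, 3, 1, 10, 0), 9_500.0, 9_000.0),
    CashTxn("P-1001", datetime(2017, 3, 2, 11, 0), 9_800.0, 9_500.0),
    CashTxn("P-1001", datetime(2017, 3, 4, 15, 0), 9_700.0, 9_600.0),
    CashTxn("P-2002", datetime(2017, 3, 1, 12, 0), 12_000.0, 11_000.0),  # over threshold: CTR, heavy play
    CashTxn("P-3003", datetime(2017, 3, 3, 20, 0), 8_000.0, 200.0),      # large buy-in, almost no play
    CashTxn("P-4004", datetime(2017, 3, 1, 9, 0), 9_900.0, 9_800.0),
    CashTxn("P-4004", datetime(2017, 3, 20, 9, 0), 9_900.0, 9_800.0),    # second near-threshold txn, outside window
]


def flag_structuring(txns, threshold=CTR_THRESHOLD, near=NEAR_THRESHOLD, window=WINDOW):
    """Return {patron: [txns]} for patrons with two or more near-threshold cash
    transactions inside `window` whose combined value exceeds `threshold`."""
    by_patron = defaultdict(list)
    for t in txns:
        if near <= t.cash_in < threshold:
            by_patron[t.patron].append(t)

    flagged = {}
    for patron, items in by_patron.items():
        items.sort(key=lambda t: t.when)
        start = 0
        # Sliding window over the patron's sorted near-threshold transactions.
        for end in range(len(items)):
            while items[end].when - items[start].when > window:
                start += 1
            group = items[start:end + 1]
            if len(group) >= 2 and sum(t.cash_in for t in group) > threshold:
                flagged[patron] = group
                break  # one hit is enough to raise an alert for this patron
    return flagged


def flag_minimal_play(txns, large=LARGE_TXN, min_ratio=MIN_PLAY_RATIO):
    """Return large cash transactions where only a small share of the cash was wagered."""
    return [t for t in txns if t.cash_in >= large and t.wagered / t.cash_in < min_ratio]


def run(txns=SAMPLE):
    """Summarise both rules as patron ids, which is what an analyst queue would show."""
    return {
        "structuring": sorted(flag_structuring(txns)),
        "minimal_play": [t.patron for t in flag_minimal_play(txns)],
    }


if __name__ == "__main__":
    print(run())
```

Note that P-4004 is deliberately not flagged: two near-threshold cash-ins nineteen days apart fall outside the seven-day window, which is the kind of boundary case a rule's tuning should be tested against, since a window that is too narrow misses slow structuring and one that is too wide floods analysts with ordinary regular play.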

The recent Protiviti flash report, Higher Stakes for Casino AML Compliance, offers a wealth of additional information on the topic. You can download it here.