Criminal Finances Act 2017 Aimed at Terrorist Financing Affects All Firms With UK Operations

By Bernadine Reese, Managing Director
Risk and Compliance, Protiviti UK

 

 

 

One of the recent examples of efforts to clamp down on terrorist financing and tax evasion comes from the UK, where the Criminal Finances Act 2017 received Royal Assent in April.

The Act, expected to take effect this September, is being touted as a powerful new tool in the investigation and prosecution of tax evasion and terrorist financing crime in the UK. In response to concerns raised by regulated firms, it also includes provisions that will make it easier for firms to share information on potential criminal activity, without violating privacy laws.

Essentially, the Act introduces two new offences: failure to prevent the facilitation of foreign tax evasion and failure to prevent the facilitation of UK tax evasion. The Act is intended to hold companies automatically liable by criminalising the failure to have “reasonable prevention procedures” in place to prevent their “associated persons” from facilitating domestic and foreign tax evasion. “Associated persons” is a purposely broad term and can include the employees, agents, subcontractors, or anyone else who performs work for or on behalf of the company. Protiviti has published a paper addressing some of the most common concerns regarding the new Act as a series of frequently asked questions. Here are some of them:

Q: How does the new law tackle terrorism?

A: A number of provisions that address money laundering will apply broadly to persons suspected of terrorist financing, or property that has been acquired with terrorist funds or with the intended purpose to facilitate terrorist financing. The law provides mechanisms for both voluntary and mandatory disclosures by regulated firms, as well as provisions for the seizure and freezing of assets.

Q: What is the difference between “tax avoidance” and “tax evasion?”

A: While the distinction between tax evasion and tax avoidance continues to be politically sensitive, tax avoidance is generally considered to be the lawful minimization of one’s tax burden — for example, taking legal tax deductions on expenses. Tax evasion is the unlawful non-payment of taxes that are legally due to the government. Examples might include intentionally misreporting taxable income in order to pay lower (or no) taxes, concealing assets in overseas accounts, failing to file a tax return, using false documentation, or deliberately suppressing taxable income.

Q: What are “reasonable prevention procedures?”

A: The paper examines this in detail, but briefly, law enforcement will be looking for evidence of top-level commitment to anti-money laundering; regular risk assessments; a proportional, rather than one-size-fits-all, approach to risk as part of the organization’s overall risk management efforts; due diligence; robust communication; and monitoring and review of account activities.

Q: What should our priorities be to get ready for the new legislation?

A: Protiviti has put together a four-point plan:

  1. Understand how the new law affects your business and customers: The scope of the Act seems broad but many of its provisions relate to increasing transparency and information sharing intended to prevent the money trail from going any further, and to tackling financial crime, which now includes tax offences within its definition. Customers likely to be the target of increased scrutiny under this law include corporate clients with complex company structures; individuals who use tax planners, such as celebrities and politicians; wealthier private clients with large asset holdings and/or associations with low-tax offshore jurisdictions; and entities, such as religious organizations and charities, which may be used as vehicles for terrorist financing. A risk assessment will need to be performed.
  2. Review and update policies and procedures: Once senior management has articulated its position on tax evasion, this should be communicated through the firm’s policies and procedures in a clear and practical way. In particular, firms will be expected to demonstrate that they have “reasonable prevention procedures” in place to combat the facilitation of tax evasion and should consider whether new or additional procedures are necessary, including those for associated persons, depending on risk levels and potential exposure.
  3. Prepare and train staff: Identify staff likely to be impacted by the new legislation — such as customer-facing teams, compliance, and internal audit. Prepare and give tailored training to relevant employees to ensure that they are aware of legislative changes and the impact on their role. Circulate regular communications to reinforce the company’s policy and staff’s responsibilities.
  4. Review existing clients: Consistent with taking reasonable prevention procedures, firms should adopt a risk-based approach to dealing with the assessment of their existing customer base. This might include an immediate review of those customers considered to be at the highest risk of tax evasion, while lower risk customers might be covered as part of the firm’s periodic review of “know your customer” information for anti-money laundering purposes. Firms will need to plan and take action according to the risks presented by their existing customer base.

Companies should seek help early rather than late with some of the more complex and tedious elements of complying with the new legislation, including conducting a gap analysis, developing risk-based evaluations, reviewing customer files and providing training. For a detailed analysis of the UK Criminal Finances Act 2017, download the free paper from our website.

Consumer Protections, Personal Liability for Executives and More – Our June Compliance Podcast Is Here

By Steven Stachowicz, Managing Director
Risk and Compliance

 

 

 

This month’s roundup of compliance news includes two CFPB-related articles – on the Bureau’s efforts to collect information on small and minority business lending with the purpose of rulemaking in that area, and its focus on consumer reporting and improving the completeness and accuracy of data provided to consumer reporting agencies by various entities. We also discuss the most recent, $250,000 penalty on an individual in a corporate BSA/AML compliance matter. The June issue of Compliance Insights wraps up with an update on OCC procedures related to violations of OCC laws and regulations.

Listen to our podcast below. Transcript of the conversation follows.

 

In-Depth Interview, Compliance Insights [transcript]

June 28, 2017

Kevin Donahue: Hello, this is Kevin Donahue, Senior Director with Protiviti, welcoming you to a new installment of Powerful Insights. I’m speaking today with Steven Stachowicz, a Managing Director with Protiviti and a leader within the firm’s Risk and Compliance practice. Protiviti recently published the June edition of Compliance Insights and I’m going to talk to Steve a little bit about some of the highlights from that newsletter. Steve, thanks for joining me today.

A New Look at Politically Exposed Persons – Focus on Risk, not Rules

By Matt Taylor, Managing Director
Risk and Compliance, Protiviti UK

 

 

 

Implementation of the European Union’s (EU) Fourth Anti-Money Laundering Directive (4AMLD) went into effect on Monday, June 26, for all EU countries. Back in April, Protiviti sponsored a “PEP Breakfast” in anticipation of this directive, at which we had the opportunity to share information with key clients and other leading industry figures about the changes now in effect. The discussion centered on the UK’s Financial Conduct Authority’s Guidance Consultation, which provides guidelines on how to implement 4AMLD in the UK, and spells out how the new regulations will change firms’ design of – and approach to – enhanced scrutiny of accounts with high money-laundering risk, including those associated with “politically exposed persons,” or PEPs. The PEP Breakfast presented details regarding the changing approach to PEPs, and offered participants the opportunity to compare notes and learn from one another’s approaches to changing anti-money laundering (AML) regulations and best practices in the EU and UK.

With 4AMLD now in force, it seems like a good time to recap some of this discussion.

PEPs are individuals whose position and/or influence in government or public bodies may present heightened risks of financial crime, generally bribery and corruption. AML regulations require obliged organizations to consider subjecting such individuals to enhanced due diligence to identify, mitigate and manage such potential heightened risks.

Historically, many financial institutions have approached the potential heightened risk of PEPs on a “one size fits all” and “once a PEP, always a PEP” basis. The new regulations (and indeed, maturing risk assessment models) are driving a move to a more risk-based approach to identifying, mitigating and managing the potential heightened risk of financial crime posed by PEPs.

A more risk-based approach to PEPs includes, among other things:

  • A detailed assessment of the real financial crime risk inherent in the PEP’s current (or recent) role in the public body and ability to exert control or influence over areas which pose a heightened risk of bribery and corruption. PEPs who have been out of public office for, say, 18 months may no longer pose any heightened risk since they can no longer control or influence decisions that could make them open to bribery or corruption.
  • A thorough review of the risks posed by relatives and close associates (RCAs) of the PEP. PEPs are often sophisticated individuals and know that their financial dealings are subject to enhanced scrutiny, and may use relatives and/or close associates to act as nominees, “independent consultants” or the like in corrupt transactions.
  • Not distinguishing between “domestic” and “non-domestic” PEPs in the overall assessment of heightened financial crime. Local government officials, for example, may have control or strong influence over building development planning consent or licences, which can result in large profits for property developers and the like. In addition, the distinction between domestic and non-domestic PEPs is not practical for multinational financial institutions where clients may have accounts in multiple jurisdictions regardless of where they were initially on-boarded.
  • Enhanced transaction monitoring for PEPs and RCAs (if they are a customer or linked to a customer).
  • A recognition that negative news and other public information sources are open to manipulation in certain circumstances.

In addition, a holistic AML approach to the risk of bribery and corruption should focus on those industries and/or countries which currently carry a higher risk of such activities. These would include, for example, oil and gas companies in developing countries with ranking PEPs on their boards, or global sports organizations, where transfer fees (including layers of agents/consultants) and salaries and other payments in the tens of millions create a heightened risk of bribery and corruption.

What will these changes mean for financial services firms’ day-to-day operations? Up-to-date, detailed and (where necessary) verified “know your customer” information about customers is crucial. Red flags might be garnered from business records, powers of attorney, contracts for services rendered, and even social media profiles. PEPs’ direct (or more commonly indirect through RCAs) links to offshore entities and other opaque ownership structures are perhaps the biggest red flag of all. In general, PEPs and their RCAs will seek to place funds in jurisdictions and entities that are most likely to shield them from reporting to tax or regulatory authorities either through anonymity or due to a lack of such reporting.

Organizations must review their approach to PEP risk in light of changes to regulations and a maturing view on financial crime risks to focus resources on true, rather than merely theoretical, risk. Asking the following questions will help:

  • Has the organization designed a method of assessing risk appropriate to its business model? “Method” implies a rigorous, documented approach not only to the process of identifying the real risk, but also to the process of monitoring the PEPs and RCAs to ensure such risk is mitigated and managed.
  • Is the established approach being applied appropriately and consistently? Firms should be able to demonstrate that the documented methods are applied without exception. For example, the organization’s procedures should be designed to identify both foreign and domestic PEPs and all the jurisdictions in which the company operates.
  • Does the organization invest effort to validate that its approach has been effective? Regulators will be assessing whether the methods in place are applied consistently and are yielding meaningful results in identifying, mitigating and managing risk and, where appropriate, reporting suspicious activity.

Updates to the definition of and approach to PEPs are just one of several changes required by 4AMLD. Others include the introduction of registers of ultimate beneficial owners for companies and other legal entities, including trusts; the removal of the entitlement for automatic application of simplified due diligence; and the addition of tax evasion as a predicate offence to money laundering. And 5AMLD is hot on 4AMLD’s heels. 5AMLD will broaden the definition of obliged entities to include virtual currencies, anonymous prepaid cards and other digital currencies, plus further changes to tighten AML control requirements. Banks should waste no time in making sure they are prepared to comply with the new rules, and seek help promptly where needed.

EU Payments Directive Opens Door to Open Banking

By Bernadine Reese, Managing Director
Risk and Compliance, Protiviti UK

 

 

 

The second European Payment Services Directive (PSD2) is scheduled to become law on January 13, 2018. Heralded as a way to make it faster, easier and less expensive for consumers to pay for goods and services, it also forces European banks to share customer data and payment infrastructure with third-party service providers and disruptive new competitors known as fintechs.

For better or worse, banks will soon have to comply with the law. Their only choice lies in whether to embrace this disruption and use it as the catalyst for an “open banking” business model, or succumb to the competitive threat.

The European Parliament adopted PSD2 in October 2015 to promote innovation (especially by third-party providers), enhance payment security and standardise payment systems across Europe. Its practical effects would be to:

  • Regulate fintechs that fall within the wider definition of what is regulated in payment services
  • Limit transaction fees and rebates
  • Require banks to open their payment infrastructure and customer data to third-party financial service providers; and
  • Provide new protections to consumers and users of payment services.

In practical terms, PSD2 would create an open banking environment where banks would be required to share a customer’s personal financial data, at the customer’s request, with any regulated account information service provider (AISP), while the bank still retains responsibility for the risk and compliance aspects of the customer and his or her data. This will be done through an application programming interface (API) that complies with a set of technical standards set forth by PSD2.

For sure, this expanded access and consolidation of data increases existing risks (i.e., fraud) and poses new potential risks to the current business model of certain institutions such as banks, but it brings opportunities as well — particularly for challenger banks, and for traditional banks that choose to do more than the bare minimum PSD2 compliance. Perhaps a bit surprisingly, the prevailing sentiment — even among some bankers — is one of excitement and optimism.

Time will tell what innovations and unintended consequences PSD2 will create. In the most likely scenario, the financial services industry will see a dramatic rise in mobile technology driven by APIs. In the future, banks wishing to remain competitive will use APIs to build an “ecosystem” with not just payment providers but merchants, so they would remain their customers’ “everyday bank.” The use of APIs in financial services has been hampered by privacy rules and the private ownership of data and infrastructure. PSD2 clears those hurdles.

Consider this small sampling of possibilities:

  • Account aggregation, which provides consumers with an overview of all accounts held across different institutions, without having to log into multiple proprietary customer portals.
  • Automated balance sweeping across multiple accounts to maximise interest payments and minimise debit balances.
  • “Marketplace” banks that offer lowest-cost services for loans, overdrafts and foreign currency transfers.
  • Credit decisions based on actual data by any institution and not just the institution currently providing bank account services — increasing choice and competition.
  • Payment facilities for the Internet of Things, such as, say, a self-replenishing refrigerator authorized to “shop” on the owner’s behalf, or a car that can pay for fuel or recharge without the customer leaving the vehicle.

There will be winners and losers. Potentially the biggest winners will be consumers and entities making and receiving payments within the European Economic Area. Cost and lack of competition in the existing payment space has been a concern for European regulators, and the opening up is likely to drive costs down for banks and consumers alike as competition increases.

An issue I deliberately did not mention here is data security and the safeguards built into PSD2 to ensure that personally identifiable data is protected. This is a topic for a discussion in its own right, and we will be covering the security aspect of PSD2 here on this blog and elsewhere. In the meantime, you can bet that PSD2 will be front and center when the European financial services industry gathers June 26-28 in Copenhagen for Money 20/20. I hope to see you there!

John Harvie, Business Performance Improvement, Protiviti UK and Justin Pang, Risk and Compliance, Protiviti UK contributed to this content.

Financial Firm Auditors: Are You Ready to Audit Under CECL?

 

 

By Charles Soranno, Managing Director
Financial Reporting Compliance and Internal Audit

and Benjamin Shiu, Director, Model Risk Management

 

Amid widespread concern that Generally Accepted Accounting Principles (GAAP) are inadequate when it comes to advising investors on deteriorating credit quality, the Financial Accounting Standards Board (FASB) has issued a new methodology. The new standard, known as Current Expected Credit Loss, or CECL, uses data analytics to forecast expected losses based on internal and external trends, as well as borrower-specific information. In its simplest form, CECL replaces the old standard of actual or “incurred” loss with a forward-looking estimate of “expected loss” over the foreseeable future. (See our analysis of its anticipated impact.)

The standard was originally scheduled to become effective for public companies in December 2018, but that deadline has been pushed back to December 2020, with private companies to follow a year later.

CECL represents a significant change with far-reaching implications for loss reserves. And yet, just one in ten affected companies has made any significant effort to assess the potential impact and prepare for the change.

Protiviti conducted a webinar recently aimed at internal auditors trying to get the ball rolling at their organizations. As is often the case, the webinar generated more questions than we were able to address during the live session. We want to address some of the additional questions here.

Q: Isn’t the “foreseeable future” loss prediction based on “historical losses” as well? It’s hard to see how CECL offers any real improvement if the underlying data is essentially the same.

A: The forecast into the foreseeable future could be based on historical experiences (losses) and management judgment based on the most updated information.

For the forecasting based on historical losses, data is essential, and that is why CECL implementation will require companies to retain a variety of historical data over a much longer time horizon and analyze it against external information, such as FICO scores, loan-to-value and debt-to-income ratios, and debt service coverage. Internal audit will need to provide assurance on data completeness. With a longer time horizon and more variety of historical data, the CECL model should be able to better estimate the loss under different foreseeable future scenarios. Most companies already have such data saved. Even those who don’t, if they start saving data now, will have four years of historical data to work with by 2020.

For the forecasting based on management judgment, unlike the incurred loss model, the CECL model explicitly requires management to take into account the current information and identify the future scenarios for loss estimation.

Q: With the implementation of CECL, will there also be a corresponding allowance for loan and lease losses (ALLL) requirement on the lending institution?

A: Yes. Regulators published a Joint Statement on CECL on June 17, 2016. Expect more on ALLL in the future, but the June 17 statement is already out there.

Q: Isn’t stress modeling sometimes subjective even when using a third party?

A: Not necessarily. Third-party vendors typically use industry-level data to develop their models, and these models then serve as objective benchmarks against which institutional assets can be evaluated.

Q: What is going to be expected of internal auditors under CECL? Will we be expected to audit the ALLL process and controls over the model, or will we be expected to perform full model validation as well?

A: Both would be expected. Right now, internal auditors should be talking to management to ensure there is transparency into the portfolio and the credit quality evaluation process. There should be clear lines of reporting and communication to the board, and internal audit must remain close to the process throughout to ensure that the model is being applied, and that the model itself is valid as a predictor of credit losses in the foreseeable future.

As we discussed during the webinar, and at the highest level, processes, data sources and accounting will be changing under the CECL guidance. Whenever processes change, internal controls must be reassessed to make sure that no new critical risks have been created and that all critical risk areas have adequate controls in place.

Once in place, the controls must be tested by internal audit. For example, here are some critical concerns:

  • Data, process and judgments – Internal audit must collect and test company loss experience and other past events. Some of the processes will require judgment; those judgments must be articulated and supported by evidence. Forecasts on factors that affect collectability, either internal or third-party, must be validated and back-tested.
  • Other models – For some institutions, Asset Liability Management (ALM) and DFAST/CCAR models, because they incorporate effective lifetime and credit risk assessment, may be utilized (or modified) for CECL estimates as well. However, these models are used for regulatory and management purposes, not as a source of disclosures in financial statements.
  • Documenting processes and controls – Documenting processes and controls will be a major undertaking. Ideally, areas of control weakness in the new processes should be identified as the processes are being developed, not after the fact.
  • New skill sets – Many internal audit departments may require skills in data and modelling. Adequate budget must be provided for staff and training.

Q: Do you advise firms to develop benchmarking CECL models?

A: It may not be necessary to develop a complete benchmarking model. Nevertheless, during the development process, it is reasonable to assume that after considering a variety of alternative approaches, data and assumptions, a benchmarking model may emerge as a side product of verifying the performance of the primary model.

The bottom line is that the time for the internal audit function to develop key CECL-related objectives is now. What auditors have to audit has changed significantly. Data has a certain subjectivity, and auditors must ensure that subjectivity is reduced. In addition, auditors have to increase their skill competency – they have to increase their understanding of modeling and data analytics. To provide assurance, auditors must become confident of their skills and ability to analyze credit risk. The archived webinar is a good first step.

Jeff Marsh of Protiviti’s Risk and Compliance practice co-presented the webinar and contributed to the development of this content.

States Champion Regulatory Streamlining; CFPB Remains Focused on Consumer Loan Servicing and Fair Lending

By Carol Beaumier, Executive Vice President and Managing Director
Regulatory Compliance Practice

 

 

 

While regulatory relief remains a topic within the Beltway, the Conference of State Bank Supervisors (CSBS), the nationwide organization of financial regulators from all 50 states, the District of Columbia, Guam, Puerto Rico and the U.S. Virgin Islands, has already taken action to streamline the multistate regulatory oversight framework for one group of its regulated entities – money services businesses (MSB). In April, the CSBS launched the Money Services Business Call Report (MSB Call Report) which will allow MSBs to submit a single periodic financial form and other activity reports rather than deal with state-specific reporting requirements in varying formats. The MSB Call Report includes a Financial Condition Report, Transaction Activity Report, Permissible Investment Report and (to be added in the fourth quarter 2017) a Transaction Destination Country Report. The initial report was due by May 15, 2017. While individual states need to opt into this reporting, this move is nonetheless a step in the right direction for the MSB community.

Among the topics on the agenda of the Consumer Financial Protection Bureau (CFPB) are mortgage servicing rights for consumers and fair lending. The CFPB’s 2016 final rule amending certain provisions of Regulation X (Real Estate Settlement Procedures Act) and Regulation Z (Truth in Lending) will be effective in October 2017. The rule requires a series of modifications to the procedures and technology platforms used by mortgage servicers. These modifications affect, among other things, key definitions (successors in interest, delinquency), lender-placed insurance, loss mitigation, communications with borrowers in bankruptcy, and periodic statements and coupon books. With the effective date less than six months away, mortgage servicers need to understand and be prepared to implement all of the required changes.

The 2016 CFPB Fair Lending Report, published in April, signals the agency’s fair lending priorities for 2017. These include identification of redlining activities; mortgage and student loan servicing issues based on race, ethnicity, sex or age; and fair lending challenges faced by women-owned and minority-owned businesses. Lenders engaged in mortgage and student loan servicing and small business lending activities should consider stepping up their monitoring and testing of these areas in preparation for upcoming CFPB examinations.

Learn more about these developments in our May issue of Compliance Insights, available here, and review our monthly recap of compliance developments on the same site.

In the UK, 2017-2018 Priorities for Financial Services Firms Published

By Bernadine Reese, Managing Director
Risk and Compliance, UK

 

 

 

The UK Financial Conduct Authority (FCA) has issued its annual business plan for fiscal year 2017-2018. The FCA is the conduct regulator for 56,000 financial services firms and financial markets in the UK and the prudential regulator for over 18,000 of those firms. Its annual business plan and mission statement gives firms and consumers greater clarity about how the regulator intends to prioritize its interventions in financial markets over the next 12 months.

The plan sets out the FCA’s cross-sector and individual sector priorities for the next 12 months. It identifies the following cross-sector priorities: culture and governance, financial crime and anti-money laundering (AML), promoting competition and innovation, technological change and resilience, treatment of existing customers, and consumer vulnerability and access.

The main individual sector priorities focus on the need to continue with the implementation of the Markets in Financial Instruments Directive (MiFID II); improving competition in all areas of financial services; supporting the implementation of ring-fencing in retail banking; and assessing the developing market for automated advice models (robo-advice) in the retail investment market.

A fundamental part of the plan is the risk outlook, which identifies key trends and emerging risks that help form the regulators’ priorities for the coming year. Technological change, cybercrime and resilience are noted as major risks. However, many of the largest risks detailed in the FCA’s risk outlook are external: international events, demographic changes, the course of the UK economy, and the impact of the UK’s decision to leave the European Union (EU), commonly known as Brexit.

We published a recent Flash Report, which lays out specifics and reasoning around each of these priorities. Financial firms in the UK are advised to familiarize themselves with the report so they can determine where to focus their compliance efforts and to better understand the regulator’s expectations.