The Importance of Data Lineage for AML System

By Vishal Ranjane, Managing Director
Risk and Compliance

Financial organizations have long embraced the advantages that information technology offers, and many are looking forward to larger digitalization initiatives to gain market advantage. Customers appreciate the convenience of digital offerings, while firms enjoy the reduction in operating costs that information technology enables. Of course, in the multifaceted, highly regulated environment in which financial institutions operate, mastering the complexity of this digital future is both rewarding and risky.

In any financial firm’s application landscape, data flows from system to system. In an ideal world, key data gathered at the front end (customer-facing systems) makes it to the back-end systems without hitches. In reality, in the application architecture of almost any financial institution, systems are sometimes imperfectly integrated, often as a result of multiple acquisitions, and data does not always make the journey from system to system without some amount of attrition or change. However, banks and other financial institutions that handle customer data must be able to demonstrate that the information which originates upstream, in customer-facing systems, is the same information found in the bank’s risk and compliance systems downstream. This is where data lineage becomes important.

Data lineage tells the complete story of how data within an organization was produced, consumed, and manipulated by the organization’s applications. It traces the data’s movement through systems.

Once, it was sufficient to demonstrate to regulators that the right policies were in place, that the right procedures were followed, and the right reports were generated and reviewed to protect against threats like fraud and money laundering. Now, financial institutions must be able to demonstrate to regulators that they are using complete and accurate data to monitor for these activities.

Asserting data legitimacy

An organization asserts de facto data legitimacy when it relies on the integrity of its data for key reporting or decision-making activities, such as those involved with risk and compliance solutions. It is imperative that data from upstream systems of record or points of capture arrives in these downstream risk and compliance systems in a manner that does not materially alter or obscure the content received from the system of record or point of capture.

De facto data legitimacy claims are an area of focus for regulatory authorities who require that these claims be documented and proven. The recent Part 504 regulation by the State of New York Department of Financial Services emphasizes the importance of data lineage in an AML context, stating that a covered institution must not only identify all data sources that contain data relevant to its transaction monitoring and watchlist filtering programs, but also must ensure that these programs include the validation of the integrity, accuracy, and quality of the data to ensure that an accurate and complete set of data flows into these programs. In addition, the regulation specifically notes data mapping as a key component of end-to-end pre- and post-implementation testing of transaction monitoring and watchlist filtering programs.

Going back to the firm’s application landscape, upstream data – data entered initially by the customer, for example – may not survive the journey downstream, and facts about the transaction may be lost with each hop from system to system. Can an auditor know if a particular transaction was made with a teller, a wire, or via an ATM, for example? Was a deposit made by check or cash?
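Whether the channel or the instrument of a transaction survives each hop can be tested mechanically once a source-to-target mapping is written down. The following Python reconciliation is an added example, not part of the original article; the field names, code tables and sample records are constructed assumptions.

```python
from dataclasses import dataclass
from decimal import Decimal

# Hypothetical code tables taken from a source-to-target mapping document.
CHANNEL_MAP = {"TLR": "TELLER", "WIR": "WIRE", "ATM": "ATM"}
INSTRUMENT_MAP = {"CSH": "CASH", "CHK": "CHECK", "EFT": "ELECTRONIC"}

# downstream field -> (upstream field, documented transformation)
LINEAGE = {
    "amount": ("amt", Decimal),
    "channel": ("chan_cd", CHANNEL_MAP.__getitem__),
    "instrument": ("instr_cd", INSTRUMENT_MAP.__getitem__),
    "customer_id": ("cust_no", str.strip),
}
PLACEHOLDERS = (None, "", "UNKNOWN")  # values that mean "fact lost in transit"


@dataclass(frozen=True)
class Finding:
    txn_id: str
    field: str
    kind: str                # missing_record | lost | altered | unmapped | orphan
    expected: object = None  # for "unmapped": the raw upstream value
    actual: object = None


def _same(expected, actual):
    """Compare amounts numerically, everything else literally."""
    if isinstance(expected, Decimal):
        try:
            return Decimal(str(actual)) == expected
        except ArithmeticError:  # downstream amount is not a number
            return False
    return actual == expected


def reconcile(upstream, downstream):
    """Check that every upstream record reaches the AML system intact."""
    findings = []
    remaining = {r["txn_id"]: r for r in downstream}
    for src in upstream:
        tid = src["txn_id"]
        tgt = remaining.pop(tid, None)
        if tgt is None:  # attrition: the record never arrived
            findings.append(Finding(tid, "*", "missing_record"))
            continue
        for field, (src_field, transform) in LINEAGE.items():
            try:
                expected = transform(src[src_field])
            except (KeyError, ArithmeticError):  # gap in the mapping itself
                findings.append(Finding(tid, field, "unmapped", src.get(src_field)))
                continue
            actual = tgt.get(field)
            if actual in PLACEHOLDERS:
                findings.append(Finding(tid, field, "lost", expected, actual))
            elif not _same(expected, actual):
                findings.append(Finding(tid, field, "altered", expected, actual))
    # Downstream records with no system-of-record source are also a lineage gap.
    findings += [Finding(tid, "*", "orphan") for tid in remaining]
    return findings


# Constructed sample extracts: system of record vs. AML monitoring system.
UPSTREAM = [
    {"txn_id": "T1", "amt": "9500.00", "chan_cd": "TLR", "instr_cd": "CSH", "cust_no": " C001 "},
    {"txn_id": "T2", "amt": "12000.00", "chan_cd": "WIR", "instr_cd": "EFT", "cust_no": "C002"},
    {"txn_id": "T3", "amt": "400.00", "chan_cd": "ATM", "instr_cd": "CSH", "cust_no": "C003"},
    {"txn_id": "T4", "amt": "2500.00", "chan_cd": "TLR", "instr_cd": "CHK", "cust_no": "C001"},
    {"txn_id": "T5", "amt": "100.00", "chan_cd": "MOB", "instr_cd": "EFT", "cust_no": "C004"},
]
DOWNSTREAM = [
    {"txn_id": "T1", "amount": "9500.00", "channel": "TELLER", "instrument": "UNKNOWN", "customer_id": "C001"},
    {"txn_id": "T2", "amount": "12000.00", "channel": "WIRE", "instrument": "ELECTRONIC", "customer_id": "C002"},
    {"txn_id": "T3", "amount": "40.00", "channel": "ATM", "instrument": "CASH", "customer_id": "C003"},
    {"txn_id": "T5", "amount": "100.00", "channel": "UNKNOWN", "instrument": "ELECTRONIC", "customer_id": "C004"},
    {"txn_id": "T9", "amount": "75.00", "channel": "ATM", "instrument": "CASH", "customer_id": "C009"},
]

if __name__ == "__main__":
    for f in reconcile(UPSTREAM, DOWNSTREAM):
        print(f)
```

Each finding kind corresponds to a different lineage failure: a dropped record, a fact replaced by a placeholder, a value changed in transit, an upstream code the mapping document does not cover, and a downstream record that cannot be traced to a source.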

Data lineage documentation can be done using a variety of tools ranging from simple to sophisticated. In smaller, less complex systems, simple spreadsheets and diagramming tools may suffice, while large financial institutions may deploy vendor toolsets to automate tedious and error-prone capture and documentation activities.

Data lineage as part of data governance

Establishing the data lineage should, of course, be more than just an exercise in documenting what’s already in place. Performing this level of analysis and uncovering previously unknown silent errors or gaps in the data being used to manage AML risks and generate reports should lead to increased accuracy and confidence in the reports and management information presented to senior management, internal audit and regulators. An additional benefit is getting better insights into customer behavior – a value for any business.

Having a sustainable data lineage initiative is only the start. To be sustainable over the long run, such an initiative needs to be part of a larger data governance program that is firm-wide and involves all departments and functions. Data governance efforts are viewed well by regulators, who increasingly put pressure on financial institutions to formally document business processes, data controls, source-to-target mapping, and defend all activities around data management. A Protiviti white paper, “AML and Data Governance: How Well Do You KYD?,” provides more information and may be of relevance to your company.

Benjamin Kelly of Protiviti’s Regulatory Risk and Compliance practice contributed to this content.

In the UK, 2017-2018 Priorities for Financial Services Firms Published

By Bernadine Reese, Managing Director
Risk and Compliance, UK

The UK Financial Conduct Authority (FCA) has issued its annual business plan for fiscal year 2017-2018. The FCA is the conduct regulator for 56,000 financial services firms and financial markets in the UK and the prudential regulator for over 18,000 of those firms. Its annual business plan and mission statement give firms and consumers greater clarity about how the regulator intends to prioritize its interventions in financial markets over the next 12 months.

The plan sets out the FCA’s cross-sector and individual sector priorities for the next 12 months. It identifies the following cross-sector priorities: culture and governance, financial crime and anti-money laundering (AML), promoting competition and innovation, technological change and resilience, treatment of existing customers, and consumer vulnerability and access.

The main individual sector priorities focus on the need to continue with the implementation of the Markets in Financial Instruments Directive (MiFID II); improving competition in all areas of financial services; supporting the implementation of ring-fencing in retail banking; and assessing the developing market for automated advice models (robo-advice) in the retail investment market.

A fundamental part of the plan is the risk outlook, which identifies key trends and emerging risks that help form the regulators’ priorities for the coming year. Technological change, cybercrime and resilience are noted as major risks. However, many of the largest risks detailed in the FCA’s risk outlook are external: international events, demographic changes, the course of the UK economy, and the impact of the UK’s decision to leave the European Union (EU), commonly known as Brexit.

We published a recent Flash Report, which lays out specifics and reasoning around each of these priorities. Financial firms in the UK are advised to familiarize themselves with the report so they can determine where to focus their compliance efforts and to better understand the regulator’s expectations.

What’s the Latest on Fintech Charters and What About That Russian Laundry?

In the April edition of Compliance Insights, we discuss the Office of the Comptroller of the Currency’s draft supplement, released in March, which further outlines the application guidelines for fintech bank charters (covered previously in our January issue). We also lay out previously unknown details of the “Russian Laundromat” money laundering scheme, as reported by the Organized Crime and Corruption Reporting Project, and we touch on the CFPB’s latest, $1.75 million enforcement action. Listen to our interview with Steven Stachowicz, Managing Director with Protiviti’s Risk and Compliance practice, at the audio link below. Full transcript of the conversation follows.

 

In-Depth Interview, Compliance Insights [transcript]

April 24, 2017

Kevin Donahue: Hello. This is Kevin Donahue, Senior Director with Protiviti, welcoming you to a new installment of Powerful Insights. I’m talking today with Steven Stachowicz, a Managing Director and leader with Protiviti’s Risk and Compliance practice, and we’re going to be covering just some of the highlights from the April edition of Protiviti’s Compliance Insights newsletter. Steven, as always, thanks for joining me.

Steven Stachowicz: Hi, Kevin. Thanks for having me today.

Kevin Donahue: Steve, to start off, in the lead article of this month’s newsletter, we summarize a new licensing manual supplement from the OCC that applies to fintechs seeking a special-purpose national bank charter. Steven, what are some of the notable points in the OCC’s draft supplement?


Compliance News Roundup: The Clearing House AML Recommendations, CFPB on Alternative Data and More

Protiviti published its March issue of Compliance Insights this week. We sat down with Steven Stachowicz, Managing Director with Protiviti’s Risk and Compliance practice, to discuss some of the highlights. Listen to our podcast below, or click on the “Continue Reading” link to read the interview.

 

In-Depth Interview, Compliance Insights [transcript]

A New and Better AML Regime?

By Carol Beaumier, Executive Vice President and Managing Director
Regulatory Compliance Practice

On February 16, 2017, The Clearing House (a banking association and payments company that is owned by twenty-five of the largest commercial banks) released a report entitled A New Paradigm: Redesigning the U.S. AML/CFT Framework to Protect National Security and Aid Law Enforcement. The report analyzes the current effectiveness of the U.S. anti-money laundering/counter-terrorism financing (AML/CFT) regime, identifies fundamental problems, and proposes a series of reforms to address them. It is the output of two closed-door sessions held in 2016 that were attended by sixty senior former and current officials from law enforcement, national security, bank regulation and domestic policy; leaders of prominent think tanks in the areas of economic policy, development, and national security; consultants and lawyers practicing in the field; fintech CEOs; and the heads of AML/CFT at multiple major financial institutions.

The report concludes, in effect, that the current U.S. AML/CFT Framework is based on an amalgam of sometimes-conflicting requirements and focuses more on process than outcomes, and that combatting money laundering and terrorist financing continues to be hindered by communication barriers between law enforcement and the financial services industry, and among financial institutions themselves.

What the report advocates in two sets of recommendations – those for immediate implementation and those for further study – is a complete overhaul of the existing regulatory and supervisory regime. Specifically, the report identifies seven reforms for immediate action:

  1. AML/CFT supervision should be rationalized by having the Financial Crimes Enforcement Network (FinCEN) reclaim sole supervisory responsibility for large, multinational financial institutions and by requiring the Department of Treasury, through its Office of Terrorism and Financial Intelligence (TFI), and FinCEN to establish a robust and inclusive annual process to establish AML/CFT priorities. The perceived benefits of these actions would be (a) greater focus on outcomes and the development of useful information to law enforcement, as opposed to the process-based approach taken by prudential supervisors, and (b) better alignment between law enforcement objectives and financial institutions’ AML/CFT programs.
  2. Congress should enact legislation, already pending in various forms, that prevents the establishment of anonymous companies and requires the reporting of beneficial owner information at the time of incorporation. Not to be confused with the FinCEN Customer Due Diligence (CDD) requirements that will obligate financial institutions, by May 2018, to collect beneficial ownership on legal entities, this recommendation is intended to require the collection of beneficial ownership at the time of company incorporation and whenever such information changes, and to make this information routinely available to FinCEN, law enforcement and financial institutions. This would shift the burden of gathering beneficial ownership information from the financial services industry to governmental bodies that incorporate these entities and, thus, free up financial services resources and allow them to spend more time on the detection of illicit activity.
  3. The Treasury TFI Office should strongly encourage innovation, and FinCEN should propose a safe harbor rule allowing financial institutions to innovate in a financial intelligence unit (FIU) “sandbox” without fear of examiner sanction. This would apply not only to large, multinational financial institutions that, through their direct collaboration with FinCEN, would presumably be leaders in innovation, but also to other financial institutions, which may have been reluctant to innovate for fear of their prudential regulators not being willing to accept new and different approaches.
  4. Policymakers should de-prioritize the investigation and reporting of activity of limited law enforcement or national security interest. This could be accomplished by raising the SAR reporting thresholds; eliminating SAR filings for insider abuse; and reviewing all existing SAR reporting guidance for relevancy (e.g., why should large financial institutions need to file SARs on cyberattacks when they typically engage in real-time communications with law enforcement when such attacks occur?). As with other recommendations, the impetus here is to free up resources to focus on what is really important.
  5. Policymakers should further facilitate the flow of raw data from financial institutions to law enforcement to assist with the modernization of the current AML/CFT technological paradigm. This would allow FinCEN to use big data analytics to identify illicit activity that cannot be detected by an individual financial institution.
  6. Regulatory or statutory changes should be made to the safe harbor provision in the USA PATRIOT Act (Section 314(b)) to further encourage information sharing among financial institutions, including the potential use of shared utilities to allow for more robust analysis of data. These changes should: (a) make it clear that information sharing extends to financial institutions’ attempts to identify suspicious activity and is not limited to sharing information about potential suspicious activity – e.g., information sharing might apply during the onboarding process when a financial institution may have questions about or find gaps in information provided by a prospective client; (b) broaden the safe harbor to other types of illicit activity beyond money laundering and terrorist financing; and (c) extend the safe harbor to technology companies and other nonfinancial services companies to allow for greater freedom to develop information-sharing platforms.
  7. Policymakers should enhance the legal certainty regarding the use and disclosure of SARs. The perceived benefits of allowing broader sharing of SAR information within a financial institution, including cross-border sharing, would be better transaction monitoring and higher quality SARs that provide more useful information for law enforcement.

Areas identified for additional study include:

  • Exploring the broader use of AML/CFT utilities to promote information sharing, and address barriers that hamper their use
  • Affording greater protection from discovery of SAR supporting materials
  • Balancing and clarifying the responsibilities of the public and private sectors for preventing financial crime
  • Establishing a procedure for “no action” letters whereby financial institutions could query FinCEN to determine how it would react to certain facts and circumstances
  • Providing the financial services industry with clearer standards of what constitutes an effective AML/CFT program
  • Improving coordination among the governmental players with a stake in combating money laundering and terrorist financing, and
  • Modernizing the SAR reporting regime to provide additional guidance on when to file or not file a SAR.

While there are pros and cons to be debated on many of the recommendations, the report, in summary, reveals the long-standing frustration of both the financial services industry and law enforcement with the current regime’s ineffectiveness. Financial institutions, with limited direction from the government, invest huge sums of money and dedicate large teams of people to “find the needle in the haystack” only to find their compliance efforts are often criticized by their regulators, even in the absence of actual wrongdoing. Law enforcement, for its part, tries to manage large volumes of information presented to it in the form of required reports from the financial services industry, much of which is not very useful in identifying the real criminals and risks. The solution seems simple: communication and coordination. Effecting that solution will likely prove difficult, especially in the short term with a new administration that has already staked out an aggressive regulatory reform agenda. But that doesn’t mean it’s not worth trying.

Anticipating the Fifth EU AML Directive: What Financial Institutions Need to Know

By Matt Taylor, Managing Director
Regulatory Compliance Practice

Money laundering regulations are proving to be as complicated as the shadowy financial transactions they are trying to prevent. A case in point: The Fourth European Union Anti-Money Laundering Directive (4AMLD), approved in 2015 and scheduled to go into effect June 26, 2017, has already been supplanted by 5AMLD — amended text addressing threats that have emerged in the period between the adoption and implementation of 4AMLD.

As it stands, the agreed 4AMLD text and effective date will remain, but financial institutions should anticipate additional regulatory changes from 5AMLD shortly thereafter. We issued a flash report last week, which outlines the proposed changes in 5AMLD and provides recommendations on how financial institutions can prepare for them.

There are five main requirements proposed by the 5AMLD that affect financial institutions:

  1. Virtual currencies. The 5th AMLD adds virtual currencies, anonymous prepaid cards and other digital currencies, such as bitcoin exchanges and wallet services, to the list of activities carrying the risk of terror financing. The 5AMLD better defines “virtual currencies” under EU law, and includes the requirement to adopt this legal definition in AML legislation across all member states. Under the proposed amendment, providers engaged in exchange services between virtual and hard currencies and custodian wallet providers will be required to apply customer due diligence (CDD), similar to what is already required for hard currency transactions.
  2. Identifying prepaid card owners. EU member states will be required to identify the customer in the case of remote payment transactions where the amount paid exceeds EUR50. After 36 months from the date 5AMLD enters into force (a date still to be determined), identification requirements will apply to all remote payment transactions. Certain exemptions may apply for “low-risk” customers where defined risk-mitigating factors are met.
  3. Beneficial ownership registers. Member states must comply with register requirements within 18 months of the 5AMLD implementation date. Registers must be interconnected to the European Central Platform within 18 months of implementation in accordance with the technical specifications and procedures set out in Article 4C of Directive 2009/101/EC. Technical requirements, including access controls and operational challenges, should also be considered and tested in preparation for compliance with 5AMLD requirements.
  4. Enhanced information sharing. 5AMLD requires member states to establish automated data clearinghouses at the national level to aggregate individual account ownership across multiple institutions. Data must be searchable by account holder, beneficial owner, IBAN number, and open and close dates, as applicable. Powers of EU Financial Intelligence Units (FIUs) will be enhanced through 5AMLD, as they will be permitted to request information from any obliged entity and would no longer be limited to identification of a predicate offense or suspicious activity report prior to an information request. The proposed amendments make information more easily accessible and align with international best practices.
  5. High-risk third countries. Member states will be required to apply specific enhanced due diligence (EDD) measures for transactions involving entities on a list of “high-risk third countries” defined by the European Commission. This is intended to reduce regulatory differences between member states, where some EU countries offer less-stringent controls in exchange for higher fees, allowing terrorists to exploit the weaknesses in these measures.

5AMLD has proved to be more controversial than 4AMLD, particularly with prepaid cards and virtual currencies being more tightly regulated and uncertainty regarding the implementation of centralized registers. Nevertheless, there is an ambitious timeframe for its adoption. With 4AMLD expected to become effective June 26, 2017, it is reasonable to assume that 5AMLD will become effective shortly thereafter, if not concurrently, and obliged entities should be ready to implement the proposed 5AMLD requirements.

Download the flash report for additional details and recommendations.

Doubling Down on AML: Higher Stakes for Casino Compliance

By Steve Wang, Managing Director
Internal Audit and Financial Advisory

Despite recent improvements in the gaming industry’s efforts to combat money laundering, enforcement actions by U.S. and foreign regulators have put casino operators on notice that their anti-money laundering (AML) programs and related internal controls are being subjected to greater scrutiny.

Consequences have escalated, and compliance officers face personal liability for AML violations on their watch, as a result of a court ruling that the Bank Secrecy Act (BSA) allows owners, officers, directors and employees to be held accountable, along with the organization.

Pillars of an Effective AML Program

Over the past two years, the U.S. Treasury’s Financial Crimes Enforcement Network (FinCEN) has levied seven fines, for a total of $110 million — more than double the volume, and almost ten times the dollar value, of all AML fines against casinos in the previous 11 years. Future penalties may also be on the rise. The Federal Civil Penalties Inflation Adjustment Improvements Act, effective last August, requires agencies, including FinCEN, to make “catch-up” adjustments to the fines, as well as annual inflation adjustments. Many civil penalties haven’t been adjusted in decades, which means that penalties could rise substantially. And FinCEN isn’t the only federal agency levying fines. The U.S. Treasury and the Department of Justice have also fined casinos.

Casinos have long been the focus of government scrutiny because of the large amounts of cash they handle, which make them particularly vulnerable to money laundering and terrorist financing risks. But not all news is bad. A research report from the American Gaming Association suggests that the gaming industry has taken significant steps to comply with AML and counter-terrorism financing (CTF) requirements. In its December 2016 Mutual Evaluation Report, the international Financial Action Task Force (FATF) commented favorably on the increased number of quality SAR filings by casinos — 50,941 in 2015, versus 21,308 in 2012.

Nevertheless, the increased emphasis on disclosure runs counter to an established industry practice of protecting the privacy of high rollers, and so casino operators and their compliance staff may feel uncertain about the best way to reconcile their disclosure obligations with business objectives.

Protiviti recommends that casino compliance officers take actions to mitigate the compliance risk, such as:

  • Share risk assessments with the proper stakeholders – Effective AML programs should take a risk-based approach, which starts with conducting a risk assessment at the property level. Assessments should be reported to executive leadership, and used to customize compliance programs with a particular focus on customer due diligence (CDD) and transaction monitoring.
  • Develop and share CDD standards with employees – CDD programs must evolve and take a risk-based approach to gaining a better understanding of patron relationships and identifying those that may pose a threat. Additional security should be assigned to those higher-risk customers to verify sources of wealth, known associates, game play, and screening against government sanctions lists. Enhanced due diligence policies should be in writing and align with heightened regulatory expectations and industry best practices.
  • Request additional resources – Higher stakes and expanding regulatory requirements mean more people, dollars and systems will have to be dedicated to AML compliance. It is essential that compliance officers request sufficient funding support from executive leadership. Given the recent focus on individual liability, it’s in their best interests.
  • Share information with other casinos – Threat information can be exchanged legally under the safe harbor provision of the USA PATRIOT Act, Section 314(b); however, casinos were generally not aware that they are covered under the provision. Casinos are also allowed to share SARs with other casinos under the same parent company located in the U.S. Both of these rules make compliance easier, and casinos should update their sharing policies and procedures to reflect that.
  • Stay current in AML training – Management should revisit AML training modules for different job roles, both for casino operators and compliance personnel. Operators should be taught to recognize red flags, such as large transactions with minimal gaming activity and cash transactions that appear to be structured to stay under the $10,000 federal transaction reporting standards.

The recent Protiviti flash report, Higher Stakes for Casino AML Compliance, offers a wealth of additional information on the topic. You can download it here.