
A New Dawn for AML Compliance + 7 Questions You Should be Asking


To those in the anti-money laundering practice, Nina Simone’s memorable lines about “a new dawn” and “a new day” may be best suited to the recently passed Anti-Money Laundering Act of 2020 (AMLA). Passed as part of the broader National Defense Authorization Act (NDAA), the AMLA is likely the most sweeping update to U.S. financial crime law since the USA PATRIOT Act almost two decades ago.

There are, of course, some appropriately-hyped provisions within the AMLA, as well as a few that are related to it, that bear a little bit more attention from compliance practitioners. 


There’s Risk, then there’s Risk

On this point the AMLA is clearly written, with no reading between the lines needed: the Secretary of the Treasury is to review the components of the current BSA/AML requirements to see where “adjustments” are necessary. From there, a report will be issued that effectively de-prioritizes what the AMLA calls “noncomplex” reporting, perhaps including Suspicious Activity Reports (SARs) that deal with run-of-the-mill structuring.

SARs as a Strategic Priority

The big shift with the AMLA is that there will be yet another report, this one on “strategic priorities,” meaning that SAR reporting is going back to its roots as an information-gathering tool for law enforcement and intelligence agencies. Still, what the AMLA hasn’t clarified is whether financial institutions will be able to forgo the “simple” SARs to focus on the more “valuable” SARs, or whether banks will be on double duty to report both. Risk assessments will be in the same boat as SARs: reviewing against those strategic priorities while still looking for the risks unique to each bank’s own profile.


Anonymously Speaking

Maybe the most lauded of the AMLA’s provisions is the Corporate Transparency Act (CTA), which doesn’t criminalize or ban shell companies as a structure, but requires most incorporated entities to fall in line with beneficial ownership requirements. The biggest change is the look-back: the CTA reaches beneficial ownership information on existing entities that the 2018 regulation had exempted, information that FIs will now need to account for in their own collection. FinCEN will then create a registry, with certain exceptions, and will allow FIs to scrub the KYC data in their due diligence processes against that list. The mechanics of the list, and of the collection and verification process, aren’t yet known, meaning that FIs will have to continue to take a risk-based approach to business types.


Corruption in Politics and Art

What should get special attention, tying into the NDAA, is the emphasis on the risk related to corrupt political leaders (see the “Kleptocracy Asset Recovery Rewards Act”) as well as to arts and antiquities dealers. The NDAA goes further here by expanding the scope of foreign bank records, such as KYC information, that can be reached through a U.S. correspondent or affiliate, making those records fair game for subpoena.


7 Questions You Should be Asking

While we wait for the underlying regulations from the AMLA, a few lingering questions remain. First of all, where the AMLA references the intention to streamline and automate, will firms be held accountable if they don’t find ways to do so? Not very likely.

However, as FIs automate more processes and reporting, will there be a risk of over-automation, with regulators then challenging a BSA/AML compliance program for lacking sufficient human judgment?

The Treasury’s one-year window to issue supporting regulations is still running. In the meantime, here are a few questions that FIs should be asking:

1. Are we asking enough questions? Or, minimally, are we asking the right questions for LLP/LLC-type customers? Are we prepared to retroactively work towards data collection beyond the 2018 Customer Due Diligence (CDD) rule’s requirements?

2. What are we doing in terms of Politically Exposed Persons screening? Are we looking for stolen government funds? 

3. How will we risk-rate art/antiquity dealers going forward?

4. What’s the status and strength of our risk assessment process? Have we kicked the tires on the methodology recently? Will we be ready when new priorities emerge, or will we be behind and at risk of missing critical requirements?

5. Are our SARs “highly” useful to law enforcement? Or do we need to reinvent our processes with a closer eye on crime and intelligence?

6. If we are going to revamp our SAR processes, what are the best ways to make sure that second-line testing and audit are on board?

7. What should we automate? Where can we innovate? What processes are the most vulnerable to regulatory gaps?

Automate Regulatory Knowledge for AML Compliance

When it comes to identifying your requirements and obligations for AMLA and other regulations, automation can be especially helpful. 

The process of collecting regulatory updates across multiple sources is time-consuming—and it’s only step one of a multi-step process. The next step of determining which updates will actually impact your firm is even more of a challenge.

Ascent is a regulatory knowledge solution, which automatically surfaces the right information and pinpoints your firm’s obligations. Ascent helps compliance teams zero in on the regulation that is relevant to the firm, freeing up time and resources to focus on higher-value activities such as maintaining policies and procedures and executing compliance throughout the firm.


OCC’s Heightened Standards [Part 2/2]: Use Key Risk Indicators to Unify Compliance


In Part 1 of this writeup, we discussed the approach that the Office of the Comptroller of the Currency (OCC) has taken in recent enforcement actions related to the Heightened Standards guidelines.

In contextualizing their oversight, it’s worth noting that the OCC also recently issued the Director’s Book: Role of Directors for National Banks and Federal Savings Associations and, in so doing, referenced back to their other guidebook on Corporate and Risk Governance. As with other publications and advisories, these guidebooks are an opportunity for financial institutions and covered entities to conduct an impact analysis using Key Risk Indicators (KRI) to ensure that there are no gaps between their compliance programs and the updated guidance.

To that end, there are a few remaining facets of the OCC’s Q4 consent orders that may need to be factored into such a review.


Dirty Data

Making Metrics Matter

There has been a recent trend in the enforcement action space for regulators to focus on data quality and more technological issues within those assessments, oftentimes noting the poor quality or lack of data validation and system integration. In both of the late-year consent orders, the OCC focused on data risk management and data governance.

The OCC also called out the need for processes around the collection, review, and dissemination of compliance-related metrics. Both KRIs and general metrics appear to be within scope of these consent orders, with the orders’ articles speaking to the need for processes and procedures to ensure that:

1) compliance-related metrics are collected;

2) those metrics are robust;

3) they support informed decision-making, both on the specific risks at issue and on the bank’s overall risk governance framework; and

4) senior management and the board review them.

Who Watches the Watchers?

Expectations of Senior Management

As noted in part one of this review, the OCC is focused on how staff throughout the organization support the risk governance framework. The consent orders state flatly that governance and oversight at the upper echelons of the organization are just as significant. While onlookers aren’t privy to the underlying findings at these organizations, those of us in the analysis space can glean that robust metrics either were not being collected, were not of sufficient quality to support the risk governance framework, or were not being sufficiently reviewed at senior levels within the organization. Senior management, through boards or committees, should be apprised of risk-related metrics and KRIs. As stated in the consent orders, the metrics and KRIs themselves should be granular and carry both warning lines and limits tied to their respective risk categories. Ostensibly, the OCC expects to see that there are:

1) Procedures for the collection and validation of risk governance framework-related metrics, including the frequency of submission and the seniority level of the reviewers;

2) Charters or other supporting documentation showing that the governing committees (or comparable bodies) are in fact being given those metrics; and

3) Minutes or other supporting information showing that senior management actually reviewed and challenged those metrics.


Many Hands Make Light Work

A More Connected Risk Management Framework

As with other areas of compliance, the risk governance framework is an all-hands endeavor. The gist of these enforcement actions is that certain areas of the organization may have been waning in their support of the banks’ compliance posture, without compensating controls from other areas. While the Corporate and Risk Governance expectations have been in place for over six years, the consent orders at issue were on a multi-hundred-million-dollar scale, which should give any onlooker pause.

As with other trigger events, this is an opportunity for financial institutions to pause and evaluate, for better or worse, where their compliance programs are in comparison to these reiterated expectations. Regulatory technology can help firms with this evaluation, connecting disparate systems and teams within their organizations, spotlighting areas of risk, and, in turn, enabling a more unified culture of compliance.


End-to-End Compliance with Ascent

When it comes to identifying the risks associated with regulatory compliance, it’s important to start from the beginning. At Ascent, we use world-class AI to help firms rapidly and accurately identify their regulatory obligations, at the most granular level possible. This granularity, or precision, is especially important when trying to set a regulatory compliance framework for the first time or address any gaps within your existing regulatory compliance framework. Ascent then keeps your obligations up to date automatically.


To help firms build a more connected risk governance framework, Ascent seamlessly integrates with GRC platforms. With a single source of regulatory truth, the three lines of defense can all work from the same data towards the same goals.

To learn more about Ascent and its API integrations, contact us directly. For more information about risk and compliance strategies such as IRM and the technology that powers them, subscribe to our monthly newsletter, Cliff Notes, below.


OCC’s Heightened Standards [Part 1/2]: What Recent Enforcement Actions Signal for Firms


2020 was a year that was remarkable for one very obvious reason. Yet, with the exception of one settlement of more than a billion dollars extracted by the Securities and Exchange Commission and another, more unusual fine from New York regulators related to the nefarious Jeffrey Epstein, it was a relatively quiet year in the financial compliance enforcement space. Late in the year, however, the Office of the Comptroller of the Currency (OCC) issued enforcement actions that caught the industry’s attention.

What was interesting about these particular consent orders was that they provided a rare insight into the OCC’s view of the Heightened Standards for Large Financial Institutions and how gaps in risk and compliance might be treated. Unlike enforcement actions related to financial crime or anti-money laundering compliance, these two consent orders did not provide comprehensive statements of fact. As a result, onlookers must extrapolate and deduce what the OCC was focused on, but a few salient points can be drawn.


Stricter Definitions on the Three Lines of Defense

The consent orders focused very heavily on covered financial institutions’ delineation of the three lines of defense: front-line units, independent risk management, and independent testing. Effectively, the consent orders serve as a reminder to financial institutions to establish and routinely evaluate the roles and responsibilities of those divisions within the organization, in order to ensure that they support the company’s risk governance framework. Since the orders call out responsibilities at a granular level, this might require an evaluation of role and job descriptions, team functions, and overall organizational structure to ensure that risks are adequately monitored and escalated as necessary.

The inference from these consent orders, and therefore regulatory expectation, is that each role-holder and team understand what risk management means to their function, and where that fits into the overall picture. One callout from the consent orders is the need to train staff on their relationship to the risk governance framework as another means to ensure better ongoing alignment.  


Strong Governance Expected Over Policies and Procedures

While it again would have been useful to see more details around the institutions at issue and what the regulator’s underlying concerns were, further extrapolations can be found in the available language. An additional highlight of these enforcement actions, and more broadly, to the expectations of Heightened Standards, is the objective and subjective nature of policies and procedures. 

The OCC makes clear that covered entities should have strong governance over policies and procedures, which includes time-bound and trigger event-driven reviews of policies and procedures, documented ownership of those documents, and processes to ensure that all affected teams/functions within the company are fully aware of those updates. 


As with the roles and responsibilities of individual staff, the OCC goes further to state that, subjectively speaking, policies and procedures are meant to be aligned to and show support of their relative compliance risks as well as the company’s overall risk governance framework. Casual observers do not, and will not, know whether or not the penalized organization had what regulators considered to be “arbitrary” or “detached” policies/procedures, but the implication is clear—connectivity and risk management must be the common thread.  

In our next post, we will make further inferences from the Heightened Standards around: 

  • Data and Metrics
  • Senior Management Oversight


Track and Manage Your Changing OCC Obligations

With enforcement actions continuing to be issued by the OCC and other regulators, financial firms can’t afford to miss a regulatory obligation or rule change.  

Ascent is a regulatory automation solution that automatically generates regulatory obligations targeted to your firm, surfaces relevant rule changes, then updates your obligations accordingly. With an API integration, you can also fuel your GRC or other workflow systems with Ascent data, allowing you to trigger change alerts and map regulatory changes to your controls, policies and procedures. 

Spend less time analyzing dense legal text and more time implementing compliance throughout the business. 


To learn how Ascent can help you identify your regulatory obligations and changes, contact us.

For more articles like these, subscribe to our monthly Cliff Notes newsletter below.

How Bad is PPP Fraud in Financial Services?


There seems to be a sharp correlation between the scientific and banking industries’ efforts to abate the harm caused by the COVID-19 pandemic and criminals’ efforts to exploit those same measures for illicit gain. No sooner was the virus upon us than scammers, fraudsters, and novice exploiters began looking for ways to abuse people’s fear and the support programs put in place. The Paycheck Protection Program (PPP) has been especially vulnerable. Here’s a look at the different types of PPP fraud that have taken place throughout the pandemic and how financial firms are responding.

PPP’s Good Intentions Lead to Bad Acts

The Small Business Administration issued a series of loan programs in early 2020 that were designed to aid small businesses impacted by the quarantine and so-called “lockdown” restrictions. The Paycheck Protection Program alone has given out over USD $523 billion since the program’s inception. Between the urgency to get the program launched and the minimal guidance in place to spot-check for potential fraud, banks found themselves processing hundreds or even thousands of these loans with little-to-no compliance and risk management.

As of September, the Department of Justice (DOJ) had already brought 40 cases against individuals who may have fraudulently obtained loans through these programs.

A few highlights of PPP fraud cases:

  • A current NFL player who was charged as part of a USD $24 million PPP loan fraud scheme. According to the DOJ, the subject participated in a broader scheme to solicit straw buyers to take out forgivable loans in exchange for a kickback, a percentage of those loans. In addition, the subject obtained over USD $1.2 million in loans for his own company, then withdrew over USD $300,000 in cash after buying a Rolex and going shopping.
  • In another scheme, the subjects applied for over 80 PPP loans, falsifying tax and payroll expenses. At the time of their arrest, they had over 1,100 fake paychecks, the proceeds of which had been used to buy a new Porsche and a Lamborghini.
  • A duo claiming to be farmers who applied for over USD $1.1 million in loans. Claiming funds for a number of businesses, one subject in the case said that they had a farm in their Miami-area yard and employed 18 staffers, requiring over USD $800,000 in payroll.

Financial Firms Go On Offense

Another fraud scheme that has arisen during the pandemic involves counterfeit and fraudulent PPE, supplies, and treatments. The FTC has routinely warned about fake preventative treatments, and the FDA has noted that there is only one approved at-home test kit. Since February, stories have surfaced about counterfeit masks, respirators, and other PPE. On almost the same day that a vaccine was approved for emergency use, Homeland Security Investigations issued red flags for counterfeit vaccines, and Europol simultaneously confirmed investigations into organized crime groups selling counterfeit vaccines.

As with any other fraud, financial institutions have shifted from defense to offense. One senior compliance officer speaking anonymously noted that their institution was heavily investigating pandemic-related lending fraud, looking specifically for small businesses that appeared to be spending PPP loan proceeds in an unusual way. Other compliance practitioners noted that transaction monitoring parameters and analytics-driven searches were yielding a staggering number of cases of potential fraud. At the heart of these cases, per one investigator, was the inability to verify the recipient’s loan documentation or substantiate the legitimacy of their business, noting that many of the companies they had investigated were, in reality, established days before applying for the loan. 

Uncertain Impact on Financial Regulation

The true depth of the fraud remains to be seen, but as with many other lessons learned, the pandemic has yielded a number of key takeaways for financial services going forward. The hope is that, like the virus itself, the need for those lessons will soon be in decline.  

Until then, it’s likely that these acts of fraud will continue to shape financial regulation, especially in how regulators will treat relief programs in the future. For now, it’s important for compliance teams to not only monitor the rule changes and updates that result from the pandemic response, but also to create a system of record when implementing them. 

Ascent is a regulatory knowledge solution that can pinpoint financial firms’ regulatory obligations and keep them updated as rules change. This dynamic regulatory knowledge can be mapped to the applicable areas of the business and connected to a separate GRC solution to create a traceable system of compliance.

To learn how Ascent can help you identify your regulatory obligations and changes, contact us.

For more articles like these, subscribe to our monthly Cliff Notes newsletter below.


Ascent Named as One of Chicago’s Best Places to Work and Best Small Companies to Work for in 2021 by Built In


Chicago IL (January 8, 2021) Ascent, an AI-driven solution that helps financial services institutions automate regulatory compliance, today announced that it was named to Built In Chicago’s lists of Best Places to Work and Best Small Companies to Work for in 2021. Companies are selected based on data submitted by companies and their employees around compensation and benefits, culture, and growth opportunities.

Jon Leitner, Ascent CEO, commented, “We’re honored to once again be recognized as a top place to work in Chicago. The past year has been difficult for many, and as a team we’ve overcome many challenges. The key to each and every success has been the strength, resiliency and talent of our people. We’re committed to continuing to build a work environment that our employees are proud to be a part of.”

Carrie Pinkham, VP of People, added, “Though the past year of remote work has proven difficult for many companies, there are incredible opportunities that arise from having a distributed workforce. As we continue to grow as a locally-known company, we are also excited about becoming a workplace leader far beyond the borders of Chicago. We’ll do that by conscientiously creating an inclusive environment that continually grows, challenges, and rewards our people.”

Ascent is a first-mover in building RegulationAI™, a technology that helps compliance teams understand exactly what they need to do in order to remain compliant with complex financial regulation, thereby reducing risk, protecting firms’ reputations, and avoiding potentially crippling fines. 

“Our mission at Ascent is to create a world where companies don’t have to choose between spending massive amounts of money or not following the law,” commented Brian Clark, Founder and President. “By making it easier for businesses to comply, we free their resources to focus on commercial endeavors and delivering the best possible experience to their customers. This represents a massive global business challenge, and we’re excited to continue building a team that is galvanized around solving it.”

Ascent has been rapidly gaining momentum since its founding in 2015. Since its inception, Ascent has expanded to 45+ full-time employees and secured $26.7M in funding. 

 

About Built In
Working in tech is a way of life. Built In helps people live it with purpose. Across the most vibrant tech hubs in the US, Built In helps tech professionals stay on top of tech news and trends, expand their networks and carve out futures at companies they believe in. Built In attracts a niche audience of 1 million tech professionals every month and, in 2019, the company hit a milestone, serving 1,100 companies annually. Built In recently launched BuiltIn.com, a national hub for tech trend coverage and resources to help professionals grow in their careers. 

National Site: BuiltIn.com

Local Sites: BuiltInChicago.com | BuiltInLA.com | BuiltInColorado.com | BuiltInAustin.com | BuiltInNYC.com | BuiltInBoston.com | BuiltInSeattle.com | BuiltInSF.com

Best Places to Work Methodology

Built In’s list rates companies algorithmically based on compensation data and employer benefits. Rank is determined by combining a company’s score in each of these categories.

Subscribe to our monthly newsletter below to receive helpful content designed to keep you at the forefront of compliance and technology.


Brexit Impact: A Look at the Next Normal


Back in 2016, when the United Kingdom’s exit from the European Union (“EU”) seemed a fantastical proposition, the referendum’s success, let alone its implications, was a mystery. The question for financial institutions now is how to implement and maintain a newly domesticated compliance framework in the face of regulatory uncertainty.

The Story on Domestic Data

The larger focus for financial services will be on sustainability of domestic and international compliance frameworks for areas such as data, sanctions, and overall governance. 

The UK has implemented a host of regulatory expectations in the past few years, from MiFID to the Senior Managers’ Regime. While those regimes will continue, financial services firms must also continue to fold into their programs the international laws that touch and concern the UK.

Despite the UK’s exit from the EU, the requirements of the General Data Protection Regulation (“GDPR”) will continue to be enforceable, retained in domestic law as the UK GDPR. In fact, GDPR has been a primary area of international enforcement, with two UK-centric breaches in 2020 totaling USD $56 million in penalties alone.


Similarly, despite infrequent UK enforcement actions for sanctions violations in the past few years (OFSI, established in 2016, has issued only a handful of penalties), the Sanctions and Anti-Money Laundering Act 2018 will continue to pose challenges for UK banks wishing to keep a foot in the international space.

In late December, the Financial Conduct Authority (“FCA”) issued the final Temporary Transitional Power (TTP) directions. Firms should be well versed in the TTP directions, as they outline which requirements must be met from the end of the transition period and which enjoy relief until the TTP expires on 31 March 2022. While these provisions apply to existing entities, the FCA was careful to note that the TTP does not apply to new European Economic Area entities seeking to onshore.

Business as Usual for AML

As an EU member state, the UK historically adhered to the framework of the EU’s Anti-Money Laundering Directives (“AMLD”). That framework was leveraged to set the shape of an anti-money laundering compliance program, from the “pillars” approach derived from the Financial Action Task Force (FATF) standards to thresholds for transaction monitoring.

From a practitioner’s perspective, the EU AMLD set basic criteria that were then enhanced or supplemented, as needed, at the country level. In the absence of those directives, the UK will now rely on its own legislation, principally the Proceeds of Crime Act (“POCA”), and on regulators’ interpretation of it to determine firms’ adherence to AML standards. The FCA has not had a particularly robust year in terms of AML enforcement, with only two notable penalties issued for compliance-related failures. In fact, the absence of such enforcement actions has been cited in the press as relative laxity on the regulator’s part.

Whether because of Brexit or merely exacerbated by it, the FCA has not made clear whether AML compliance will take priority over conduct-related enforcement in the coming year. Given the EU’s spate of Baltic-related fines and penalties, the first AML fine of 2021 may in fact relate to the same.

The Way Forward

There is, as was expected when Brexit was first announced, a bit of trailblazing to be expected in the next few years. The shifting regulatory emphasis on conduct over AML and sanctions enforcement is suggestive, but not dispositive. While the FCA has recently provided a rulebook with post-Brexit expectations, unlike their peers in the US it has embedded waivers within those expectations, some running as far out as 2022. Perhaps drawing from their peers (subsidiaries and affiliates too) in the US, UK-based banks will need to take a far more conservative risk-based approach until the updated regulatory expectations become more certain.

In the meantime, new technology such as regulatory knowledge automation can help financial firms keep tabs on enforcements, updates, and rule changes as they are issued. Today, many firms continue to try to manage and synthesize this influx of information the same way they always have: by adding personnel to do the work manually.


But missing even the finest detail within a body of regulation or rule amendment can be disastrous for a firm. Like the proverbial needle in the haystack, any obligation missed among the thousands of lines of regulatory information could have severe consequences come audit time. 

Regulatory knowledge automation uses machine learning (ML) and natural language processing (NLP) to complete this work in mere minutes, at a fraction of the cost, and with greater accuracy than manual efforts.

For more information about RegTech, regulatory knowledge automation, and articles like these, subscribe to our monthly Cliff Notes newsletter.


SEC Priorities: Cryptocurrency Regulation and a Changing of the Guard


Despite the pandemic, Reuters reports that the U.S. Securities and Exchange Commission (SEC) has had a banner year, with more than 700 cases and enforcement actions. As of November, that number represented over USD $4.7 billion in penalties, fines, and disgorgements. That total is skewed, however, considering that one settlement alone accounted for USD $1.2 billion.

Still, the agency has been particularly busy with disclosure and regulatory-related penalties, in contrast to a mere seven enforcement actions by the Financial Crimes Enforcement Network (FinCEN). Of course there is an issue of the remit of the respective agencies that would need to be taken into consideration, but one priority of the SEC has seemed to remain squarely in the initial coin offering (ICO) / cryptocurrency-related space. Here’s a look back at SEC cryptocurrency regulation from this year and what’s to come from SEC leadership in 2021.

ICOs Strictly Subjected to Howey Test

The SEC announces its enforcement priorities annually, and 2020 was no different, if only in that respect.  At the start of the year, the Office of Compliance Inspections and Examination (OCIE) released its 2020 Examination Priorities, and in it the agency noted that “digital assets” would be a priority. Many of the enforcement actions that occurred throughout the year were related to either ICOs, either as fraudulent schemes or due to poor regulatory disclosures.

The SEC has treated ICOs fairly strictly over the past few years, perhaps punctuated by the Report of Investigation Pursuant to Section 21(a) of the Securities Exchange Act of 1934: The DAO (the “DAO”), released in mid-2017. This report galvanized the agency’s approach to tokenization and ICOs, noting that strict adherence to the Howey test (i.e., an investment of money and expectation of profit as the result of a common enterprise, with the profits coming from the efforts of a third party) would apply to ICOs.

To that end, ICO issuers who tested the SEC’s resolve found that selling a token that met the Howey criteria without registering the offering, or qualifying for an exemption from registration, would result in multi-million dollar penalties. In one enforcement action in particular, the SEC noted that the issuer in question, though it knew or had reason to know that its token was a security based on the DAO report and the prongs of the Howey test, continued to sell its offering without making appropriate disclosures to investors.

READ MORE: The Most Telling Guidance of 2020: Corporate Compliance Programs, AML & More

 

Changing of the SEC Guard

The current chairman of the SEC, Jay Clayton, has publicly stated that he intends to step down from the position, leaving the incoming administration to make a nomination. Clayton’s tenure was remarkable and has been lauded by both sides of the aisle. The two names currently being floated to replace him are Gary Gensler, former chairman of the Commodity Futures Trading Commission (CFTC), and former federal prosecutor Preet Bharara. Already named to President-elect Biden’s transition team, Gensler has no shortage of experience dealing with both regulators and the private sector.

During his time at the CFTC, Gensler pushed for sweeping regulation of swap trades and has been viewed as someone who—as a former partner at Goldman Sachs—could potentially deliver diplomatic regulatory outcomes. Bharara, on the other hand, poses a far more significant shift in regulatory tone. Bharara is known, and well-respected, for his work on major insider trading and white collar cases.

Despite the significant number of actions under Clayton’s tenure (over 3,000 examinations in 2020 alone), Bharara’s appointment would signal a no-nonsense approach to both civil and regulatory engagements.

Preparing for What (and Who) is Next

Other names circulated are Dodd-Frank contributor Michael Barr, as well as Allison Lee (a former securities law practitioner and currently an SEC commissioner) and Kara Stein (a former SEC commissioner), both of whom would bring senior-level, hands-on experience to the position. There are innumerable variables still at play after the outcome of the November 2020 election. Needless to say, the SEC and other high-profile regulatory appointments will keep Wall Street waiting with bated breath, and give those of us in the bleachers a lot to consider.

READ MORE: What are “granular” obligations in RegTech, and how do they reduce your risk?

 

No matter who takes the helm at the SEC (and at other U.S. regulators), it’s important for financial institutions to keep tabs on regulation at both the national and state level. It’s within these agencies that incremental changes occur and often catch organizations off guard. Be sure that your firm is ready for what’s next. Shore up your compliance and risk strategy by identifying all of your key risk factors, including any potential gaps in your firm’s regulatory obligations / requirements.

READ MORE: Regulatory Change Management: A Tech-Based Approach

 

Ascent helps banks and other financial firms stay above the rising tide of regulation, from the SEC and other regulators. Learn more about our regulatory coverage here.

To stay up on the latest in regulatory technology and other news, subscribe to our monthly Cliff Notes newsletter below.

Subscribe


The Most Telling Guidance of 2020: Corporate Compliance Programs, AML & More

By Blog

There has been no shortage of media chatter in the very unusual 2020 calendar year.  For those concerned with organizational compliance, the release and re-release of regulatory guidance and legislation — particularly around BSA/AML and corporate compliance programs — has been nearly unparalleled.  As we will show, these developments have significant implications, if not direct calls to action, for banks.   

The BSA/AML Manual Hits Hard

At the risk of hyperbole, the Federal Financial Institutions Examination Council’s (“FFIEC”) Bank Secrecy Act/Anti-Money Laundering (“BSA/AML”) Examination Manual (the “Manual”) is perhaps the most sacrosanct of all regulatory frameworks. Intended to serve as a field guide for examiners, its outlines and parameters are instead used by banks’ BSA/AML compliance departments as the foundation for their compliance programs, and by auditors as a basis for their testing protocols. The April update to the Manual was not radical, but the changes that were made are significant. First and foremost, the Manual now refers to “other illicit activity,” a nod to the nebulous nexus between crimes such as healthcare fraud and corruption and the laundering of their proceeds. The Manual further updates its provisions on risk assessments (while still not flatly requiring them) and on board-level oversight, broadly requiring that banks ensure their compliance programs are tailored to their unique risk profiles.

Perhaps the most significant updates include expansions to the expectations around training.  Where only a paragraph existed previously, the updated Manual expands its expectations to have role-based technical and subject-matter training, along with much more precise guidance on the expectations for board of directors training.

READ MORE: Regulatory mapping is key to compliance. Are you doing it effectively?

 

A Major Emphasis on Corporate Compliance Programs

As many compliance practitioners were settling into remote working, the U.S. Department of Justice (USDOJ) re-issued its Evaluation of Corporate Compliance Programs (the “Guidance”). In deciding whether to bring charges and how severe any criminal penalties should be, prosecutors (echoing the Manual) should look at whether the organization at issue maintains and leverages a risk assessment to inform decisions about compliance and to mitigate the risk of misconduct. The Guidance goes on to note that one of the most important factors is how, based on that risk assessment, staffing, technology, and resources such as training were allocated. Were revenue-generating cost centers given hiring priority over compliance staff? Is the annual compliance training program a leaflet? Are the sales staff on top-of-the-line computers while the compliance and audit teams are using ineffective tech?

All seem like fair questions. 

The Guidance directly states that compliance should be built into the compensation scheme, and that it should be a considerable factor in the allocation of (or withholding of) bonuses.  Lastly, the Guidance reiterates the need for ongoing monitoring, testing, and escalation of the state of misconduct-related controls and their investigations.  

READ MORE: How an Integrated Risk Management (IRM) approach can transform your organization

 

On the AML Horizon

There are two fairly significant developments pending approval, and we cannot emphasize “pending” enough: a shell company transparency provision and the Anti-Money Laundering Act of 2020. Both are embedded within a defense spending bill that the White House has threatened to veto for unrelated reasons. The shell company provision would mandate the registration of beneficial owners with the Treasury Department, effectively ending anonymous shell company use within the U.S.

Secondarily, if passed, the Anti-Money Laundering Act of 2020 would mandate that the Secretary of the Treasury take steps to “streamline” BSA/AML compliance requirements. In its September Advance Notice of Proposed Rulemaking (“ANPRM”), FinCEN sought input from the banking community on how to make more “effective” use of BSA/AML systems and processes, skewing more in favor of law enforcement’s needs than of compliance burden. The proposed AML Act seems to end-run the feedback solicited by the ANPRM and place the obligation on the Treasury to ease, reduce, or otherwise better facilitate the production and utilization of BSA/AML-related information.

While the approval of the AML Act and its governing bill are in a tentative state, the ongoing developments in this space speak to big changes for the BSA/AML compliance space going forward.  

Keeping Pace with Change: A Tech-Based Approach

While these regulatory developments are broad reaching, their impact is different at each financial institution. This leaves compliance teams with the tall order of reading through and analyzing the regulatory text to determine which parts of the Manual or the Guidance apply to their organizations, which can be like looking for a needle in a haystack.

According to an Ascent internal analysis, 65 percent of the regulatory text (the haystack) is made up of definitions and clarifications. The remaining 35 percent, which actually consists of obligations, is what compliance teams need to be reviewing in order to determine what regulatory requirements and obligations specifically apply to their firm (the needle).

READ MORE: Regulatory Change Management: A Tech-Based Approach

Ascent can help banks and other financial firms stay above the rising tide of regulatory change. Read this article to learn how our RegTech platform can help your firm quickly produce “granular obligations” and keep them current as new regulatory developments arise.

If you’d like to contact a team member directly, you can do so here

To stay up on the latest in regulatory technology and other news, subscribe to our monthly Cliff Notes newsletter below.

Subscribe


A former regulator’s take on AI, Big Tech, and RCM

By Blog

Rick Bonhof, Managing Consultant, Synechron

We recently sat down with Rick Bonhof, a managing consultant who leads the Amsterdam regulatory change and compliance practice within the business consulting arm of Synechron, a leading digital transformation consulting firm that accelerates digital initiatives for banks, asset managers, and insurance companies around the world.

In his role, Bonhof oversees a team of experts who help clients build the regulatory framework that enables compliance. As an advisor for the digital-first firm, Bonhof is hyperfocused on making compliance more efficient through the use of technology, leveraging emerging tech such as machine learning and existing systems such as GRCs.

Prior to Synechron, Bonhof served as a supervision officer for the Dutch regulator Autoriteit Financiële Markten (AFM) at the height of the 2008 financial crisis. After spending seven years crafting and executing supervisory strategy for AFM, he decided to redirect his work from supervising firms to actually helping them become compliant with regulation. And so, after witnessing how Synechron helped a number of financial institutions get back on track with EMIR (the EU equivalent of Dodd-Frank in the US), Bonhof transitioned to the firm.

During our sit-down, Bonhof shared his blended supervisory-consultative perspective on a variety of topics—from the role of regulatory change management during the COVID-19 pandemic to how Big Tech will shape the future of financial services.

Editor’s note: This interview has been lightly edited for clarity.

Setting the Record Straight on Regulators

Touching on his experience as a former regulator, Bonhof kicked off our conversation by sharing what he wished compliance professionals knew about regulators, and what he wished he had known as a regulator. 

When I made the switch from regulator to consultant, I realized that a lot of financial firms are afraid of regulators. But the reality is that regulators are people too and most are not out to fine you. What I think compliance professionals sometimes forget is that if you’re able to explain to regulators why you made certain decisions and how you implemented certain requirements, they’ll listen to you.

“A lot of financial firms are afraid of regulators. But the reality is that regulators are people too and most are not out to fine you.”

My advice to compliance professionals is to document their interpretation of the rule and why they applied the rule in a certain way according to their interpretation, so they have all of the information they need when it comes time to talk to regulators.

On the flip side, what I wish I had known as a regulator was, no matter how simple a request for information may seem on paper, it doesn’t actually mean that there’s a clearcut way to gather requested information or to implement a new rule. Many financial institutions do not start out as multinational global-spending institutions—they grow through mergers, acquisitions, and restructuring.

So there’s a whole collection of teams that suddenly need to contribute to this “one simple request,” making it not so simple after all.

Managing Regulatory Change in the Time of COVID 

Bonhof has long emphasized the importance of having a well-documented regulatory change management (RCM) strategy, especially when it comes to major events such as financial crises, election years and of course — the COVID-19 pandemic.

When it comes to regulatory change management, my mantra has been “take control, be in control, and demonstrate control.” 

“Take control” is about understanding what your obligations are, understanding the impact of them, and then implementing and enforcing a compliant process.

“Be in control” is about understanding where your firm is in terms of compliance with the requirements, and revisiting both its requirements and compliance processes frequently. You should not only be control testing your processes to understand whether your firm is compliant with existing rules, but also monitoring whether there’s a change coming that could impact compliance with those rules. And, if there is a change on the horizon, then you need to go back to “take control” and proactively act on it.

Lastly, “demonstrate control” is about being able to take the evidence that you have and explain both internally and externally to what extent you comply with those measures.

How to Avoid Dropping the Ball on RCM

In Bonhof’s view, the biggest mistake that firms can make when implementing RCM best practices, is to treat them as a one-time solution. 

Most regulatory change management processes are driven by a regulatory change implementation date. Let’s say that a firm has to comply with X, Y, and Z by January 1, 2021. What I’ve found (and even been guilty of myself) is that many firms focus solely on making that milestone without the end result in mind. So once the firm does reach it, everyone sort of drops the ball and says, “We’re done, we made it.” But that’s the wrong approach because 2021 does not mark the end of implementing that change, it actually marks the start of it. 

What I’ve found (and even been guilty of myself) is that many firms focus solely on making [a] milestone without the end result in mind.

Firms are expected to be compliant with that new rule, and need to have a roadmap that accounts for what comes after that date. Firms often put makeshift technical solutions in place to meet the deadline, but then what happens is the technical solution silently becomes the structural solution. The result is that there’s no roadmap beyond that point to account for new data that needs to be tracked or changed, resulting in an issue of data quality and therefore explainability. 

COVID Response: Swings of the Regulatory Pendulum

To Bonhof, regulatory change management has never been more important as the pandemic response continues to unfold. While he and his team have seen the easing of certain regulatory requirements, they have also seen the mounting impact of others.

On the one hand, the regulatory response to the pandemic has been to suspend certain requirements in order to alleviate the burden of regulation. However, at the same time, we’ve also seen an increase in requests for financial firms to implement certain risk measures from regulators such as the European Securities and Markets Authority (ESMA).

For example, we had an “intelligent lockdown” in the Netherlands that prohibited us from going to the shops or the cinema. As a result, this (like other lockdowns across the globe) had a large impact on service providers, as many businesses had outstanding loans with financial institutions and were suddenly not able to make good on those loans. This has led to a tipping of scales with regulators adding more capital reporting requirements, while continuing to suspend or delay implementation of other regulatory requirements. For example, ESMA deferred the final two phases of its bilateral margin requirements to provide additional operational capacity for counterparties to respond to the immediate impact of COVID-19. 

On the Importance of Innovation in IRM

While regulators have been more forgiving during the pandemic, they have also become increasingly aware of all of the possible gaps, bringing the topic of Integrated Risk Management (IRM) to the fore. Here’s Bonhof’s take on IRM.

Integrated Risk Management allows you to identify what risks exist within your firm, define a response to those risks, and then determine whether your firm is within that risk appetite. Ultimately, IRM combines all of those processes and rolls them up into a multi-level process chart where you can prioritize risks and pinpoint which ones are of the highest risk to your firm. 

As part of Synechron’s FinLabs RegTech accelerator suite, I’ve actually had the opportunity to work on automating parts of IRM. Knowing how effective your controls are is a key part of integrated risk management, so we built an intelligent control testing environment that maps a firm’s individual control statements into a decision tree that automatically runs against a data set to help firms quickly pinpoint whether a control is effective or not. This advancement frees up compliance teams’ valuable resources so they can focus on remediating any deficiencies.

These types of innovation are becoming more important as Integrated Risk Management continues to gain more traction. IRM is such a hot concept right now because regulators are putting more emphasis on it. For example, ESMA recently published a consultation paper that assessed the suitability of the management at financial institutions, which concluded that the highest levels of management (including at the board level) need to understand their firms’ requirements, how they are complying with them, and what the state of the firm’s risk management looks like.  

Clash of the Titans: Big Banking vs. Big Tech

As an innovator in his own right, Bonhof is naturally drawn to industry disruptors. In particular, he has been following the rise of digital banks and believes that it’s only a matter of time until Big Tech enters into the banking industry as well.

The rise in digital banks has served as a catalyst for digital transformation in the industry at large. In order to stay competitive with digital banks, traditional banks have worked to provide digital services to their customers. For customers, having a digital bank account becomes more of a commodity because it opens up a whole ecosystem of additional services around it. 

For digital banks, their competitive advantage is that they’re not burdened by a chain linked system of legacy tools or processes, so they can get it right immediately. Digital banks can be more nimble when it comes to things like digital client onboarding processes and company reporting. On the other hand, it’s difficult for digital banks to achieve the same scale as larger banks. Plus, they’re bound to face the same kind of regulatory requirements as incumbent banks and will need to comply with them, lessening some of their initial competitive edge.

What I’m really curious about is when Big Tech will officially enter into the banking space. Today, we have Apple Pay and Google Pay, but I think that it’s just a matter of time before they’re adding banking services to their offering. At that point the market will change. Digital banks just mark the beginning of the banking industry’s digital transformation. When Big Tech enters the market, it will drive a significant change that some incumbent banks will likely not be able to transition through and will lose traction within the market. 

Financial Firms and Regulators to Step Up Their AI Game

With the high likelihood of Big Tech companies entering the market in addition to other innovations in financial services, Bonhof is encouraging the industry to direct its focus toward emerging technologies such as Artificial Intelligence (AI) now, before it’s too late.

I think regulators really need to step up their digital game. They need to understand the tech component that goes into digital banking. AFM just compiled an insightful trend report where they spoke around their fears about Big Tech entering into the financial market. Today, Big Tech is predominantly supervised by privacy watchdogs. But, if Big Tech entered the financial market tomorrow, financial market regulators would not always be allowed to share information with those supervisory agencies, so that would make supervision really difficult. 

Regulators are just now issuing responses around the use of AI, which center around the concepts of explainability and trustworthiness. Together, they are two sides of the same coin because they help explain the decisions that come out of algorithms and apply fair principles that limit their biases. However, I still think that we have a ways to go and that regulation around the use of AI will only continue to increase in the future as the digital market matures.

The Role of AI in Regulatory Compliance

According to Bonhof, the role of AI is not just limited to the mechanics of digital banking. It applies to regulatory compliance too.

We recognize that regulators are starting to provide guidelines around AI, so we are changing the way that we advise our clients about AI. AI was once the new and exciting thing to talk about. Now it’s the means to an end. We’re looking at where AI models can help firms improve explainability in their compliance processes. 

Using robotics (or AI) helps automate certain regulatory compliance processes such as horizon scanning, and makes the outcomes of those processes more predictable and reliable. AI allows teams to focus less time doing the monotonous work of running these processes and more time on investigating outliers. Instead, the “robot” leads the processes and identifies areas where there are inconsistencies that require the review of compliance experts.

On Implementing RegTech: Final Advice

So, what’s Bonhof’s advice to firms that are looking to implement new technologies in their compliance programs? “Be really clear about what you want to achieve in your compliance program and therefore what you want the technology to achieve.”

First, you need to understand where you are and where you want to go. For instance, if your firm was just fined by a regulator, then you’ll likely need to find a solution that can help you become more compliant. On the other hand, if your organization is in a good place but needs to become more efficient, then it’s likely you’ll need a different tech stack than the firm that was recently fined. When you understand what you want to achieve by adding technology, then you can better pinpoint the right type of technology solution for your compliance program.

 

If you’d like to learn more about Synechron, visit their website. To learn more about Rick Bonhof, connect with him on LinkedIn.

If you’d like to contact an Ascent team member, you can do so here. Stay tuned for our next interview from the lines of defense. All interviews will be featured in our monthly Cliff Notes newsletter, which you can subscribe to below.

Subscribe to Cliff Notes