In August 2017, the Office of Compliance Inspections and Examinations (“OCIE”) of the Securities and Exchange Commission released the results of its second Cybersecurity Initiative, which examined cybersecurity-related preparedness and implementation efforts by 75 regulated financial entities. The resulting OCIE Risk Alert depicts an industry demonstrating heightened sensitivity to cyber risks, but also experiencing gaps between policy ambition and day-to-day execution, and confronting growing pains associated with accelerated change, including the introduction of significant new policies and procedures that may lack focus or consistent implementation. While the Risk Alert directly addresses the cybersecurity procedures of broker-dealers, investment advisers, and other SEC-regulated entities, companies in all industries should consider assessing their practices with respect to the issues highlighted by the SEC.
By Robert W. Werner
The compliance infrastructure for managing financial crime risk at financial institutions is intended to follow a risk-based, rather than rule-based, approach. A risk-based approach seeks to allocate resources commensurate with varying risk levels, reflecting the fact that a financial institution cannot eliminate all risk of illicit activity occurring within it without completely shutting down its business. To optimize compliance, financial institutions must balance the need to provide legitimate and critical financial services and products with appropriate controls designed to mitigate the financial crime risk associated with those services and products to acceptable levels.
Where activity would violate law or regulation, the calculus is easy because the activity is simply prohibited. However, most legitimate activity will necessarily carry some level of risk that it may be abused by criminals to facilitate illicit conduct or to exploit products and services for illicit purposes. Arriving at the right balance in this context requires understanding the risks, determining what level of controls can reasonably be put in place to mitigate them, and then making a judgment, based on the institution’s tolerance for reputational, regulatory and operational risk, about whether to engage in the activity. This last element, the exercise of judgment, must be arrived at within the framework of an institution’s risk appetite statement.
On May 4, 2017, the U.S. Attorney’s Office for the Southern District of New York (“SDNY”) and the Financial Crimes Enforcement Network (“FinCEN”) announced the settlement of civil claims brought under the Bank Secrecy Act (“BSA”) against the former Chief Compliance Officer of MoneyGram International, Inc. (“MoneyGram”), Thomas Haider, stemming from MoneyGram’s failure to implement and maintain an effective anti-money laundering (“AML”) program or to timely file suspicious activity reports (“SARs”). The settlement represented the resolution of the first-ever suit filed by the federal government against an individual compliance officer in the finance industry, and is likely to add fuel to increasing anxiety regarding the Department of Justice’s (“DOJ”) willingness to hold corporate executives liable for compliance failings.
by Daniel Alter
The Enforcement Action:
On September 8, 2016, the U.S. Consumer Financial Protection Bureau (“CFPB”), the U.S. Comptroller of the Currency (“OCC”), and the Los Angeles City Attorney (“LACA”) announced that they had settled regulatory enforcement and consumer protection actions against Wells Fargo Bank, NA (“Wells Fargo” or “Bank”), the nation’s second largest bank. As disclosed by the CFPB’s investigation, the nature and scope of the Bank’s misconduct was truly astounding.
The CFPB found that, over the course of more than five years, thousands of Wells Fargo employees had: (1) opened more than 1.5 million deposit accounts without client consent; (2) transferred funds between client accounts without client consent; (3) applied for almost 600,000 client credit cards without client consent; (4) issued client debit cards without client consent; and (5) enrolled clients in on-line banking services without client consent. As a result of these unauthorized and abusive transactions, the Bank charged customers approximately $2 million in fraudulent deposit-account fees and more than $400,000 in fraudulent credit-card related fees.
This widespread client deception was not driven, however, by the relatively de minimis revenue that it generated for Wells Fargo. Rather, the CFPB concluded that the Bank’s “employees engaged in [the misconduct] to satisfy sales goals and earn financial rewards under [the Bank’s] incentive compensation program.” In all, Wells Fargo “terminated roughly 5300 employees” over five years “for engaging” in these schemes – which is an astonishing number of dishonest personnel and nothing less than an internal compliance disaster.
Financial services firms and market participants face an ever-evolving landscape of regulatory programs designed to encourage and enable whistleblowers to report potential misconduct. On August 30, 2016, the US Commodity Futures Trading Commission (CFTC) published proposed amendments to its whistleblower program. Drawing from the agency’s experience in administering its program over the past five years, as well as strides the US Securities and Exchange Commission (SEC) has made in administering its analogous program, the CFTC’s proposal aims to enhance the whistleblower review process and adopt new enforcement authority for whistleblower retaliation.
Over the past several years, financial institutions in the United States and abroad have increasingly engaged in a “slimming down” of their client base. They have done so by deciding not to accept certain types of clients, ranging from individuals engaged in specific industries – such as trade merchants, precious metal dealers or “politically exposed persons” (a term of art to be discussed below) – to whole categories of businesses or entities such as money service businesses, charities and foreign banks. This trend, which is now commonly referred to as “de-risking,” has significant collateral consequences for those using the global financial network. This blog will discuss de-risking, its causes and consequences, and some of the solutions that have been proposed to address the unintended results of this practice.
Since the passage of the USA PATRIOT Act in 2001 in response to the September 11th terrorist attacks – some would argue even before that – regulators in the U.S. and elsewhere have singled out certain categories of individuals and entities that either are strictly forbidden to hold accounts with financial institutions or, more routinely, require enhanced reviews by the institutions in which the accounts are maintained. The first category of accounts – those that are forbidden – includes entities such as “shell banks,” which are foreign banks without a physical presence in any country. Pursuant to law, U.S. financial institutions may not maintain accounts for such entities.
In a recent piece published in the Yale Law Journal Forum, I describe data collected concerning prosecutions of banks. I describe how, while formerly quite rare, bank prosecutions have increased in number and in the size of penalties. I also analyze the approach of prosecutors and ask whether it is sufficiently effective.
FBI Director James Comey was grilled last week on Capitol Hill where Republicans condemned and Democrats lauded his decision to not recommend prosecuting presidential candidate Hillary Clinton for her actions of handling (mishandling) classified information. As I watched Comey’s testimony, I was struck by how two groups of people could look at the same acts of a person and have such polarizing views as to whether or not a criminal act had occurred. Politics aside, we need to have more of a consensus on what constitutes a crime.
by James Fanto
Technology raises many interesting issues for the growing field of compliance and could even transform the nature of this control position. The main question to be asked in this post is whether that transformation would make compliance more, or less, effective in accomplishing its mission of ensuring that an organization and its agents comply with laws, regulations and professional and ethical standards. The argument would go something like this. As in so many other activities, information technology and data analytics provide tools to compliance officers, particularly, although not exclusively, in their tasks of surveillance and monitoring. In regulated domains, in fact, regulators use this technology for their own supervision of firms and expect compliance officers to do the same. This use could result in a model of compliance officers sitting in front of a digital dashboard that enables them to monitor the firm’s activities for compliance. The question is whether this new model will enhance the efficiency of compliance officers or whether it will distance them from the activities themselves and from the firm’s employees.
Among the reforms emanating from the global financial crisis, few are as enticing as the idea of improving the culture of banking.
Nearly everyone agrees that there was something wrong with attitudes and behaviors in the financial services industry in the years before the crisis. Nearly everyone also endorses the proposition that inappropriate risk-taking and disdain for regulation contributed to the excesses characteristic of those years. And there’s broad consensus that a respectful attitude towards risk management and compliance can help protect against another crisis. There’s a lot of merit in these ideas.
But whenever one observes this sort of piling on, it’s useful to ask what we’re missing.