Category Archives: Risk management

AML Information Sharing in a Technology-Enabled and Privacy-Conscious World

by Kevin Petrasic, Paul Saltzman, Jonah Anderson, Jeremy Kuester, John Wagner, Rebecca Copcutt, and John Timmons

Financial firms play an integral role in preventing, identifying, investigating and reporting criminal activity, including terrorist financing, money laundering, and many other finance-related crimes. It is a critical role that depends on financial firms having the information they need to identify and report potentially suspicious activity and provide other relevant information to law enforcement. However, there are significant barriers to information sharing throughout the US anti-money laundering (“AML”) regime. These barriers limit the effectiveness of AML information sharing within a financial institution, among financial institutions, and between financial institutions and law enforcement.

Much has changed in the 17 years following the passage of the USA PATRIOT Act (“Patriot Act”), which, among other things, sought to enable greater information sharing among law enforcement, regulators and financial institutions regarding AML risks. Of note, Section 314(a) of the Patriot Act and its implementing regulations (“Section 314(a)”) enables federal, state, local and European Union law enforcement agencies to reach out to US financial institutions through the US Treasury Department’s Financial Crimes Enforcement Network (“FinCEN”) to locate accounts and transactions of persons that may be involved in terrorism or money laundering. Section 314(b) of the Patriot Act and its implementing regulations (“Section 314(b)”) provides a limited safe harbor for financial institutions to share information with one another in order to better identify and report potential money laundering or terrorist activities.

Firm Reputation Following Accounting Frauds: Evidence from Employee Ratings

by Christos A. Makridis and Yuqing Zhou

Intangible capital is becoming an increasingly important determinant of firm value. For example, the ratio of intangible capital to the United States’ GNP is roughly 1.7, according to McGrattan and Prescott (2010).[1] Companies are further prioritizing their brand and perception among consumers and the media, which can affect the way they do business by influencing corporate strategy and investment. In this sense, how employees and/or the general public think about a company can ultimately influence the company’s ability to retain and attract talented employees, which is an integral determinant of firm value.[2]

While there are many different circumstances that firms find themselves in, some can be particularly damaging. For example, the public revelation of a cyber security breach can have lasting reputational effects when a company prides itself on privacy and security, as was the case with Equifax and its 2017 breach.[3] Much like data breaches, the public revelation of an accounting fraud can have a lasting effect on a company’s reputational capital. If employees and/or the public do not trust senior leadership, then employee engagement and retention will quickly dwindle. No one wants to work for an infamous company, especially skilled workers, given their ability to find alternative options in the labor market.

The Vital Report that Directors are Overlooking

by Stephen Stubben and Kyle Welch

With limited time, corporate directors are accustomed to monitoring firms by using aggregated information that is supplied by firms’ management. Nearly every task conducted by a board of directors involves data curated by employees working for a firm’s CEO. A critical challenge for directors is to be informed of important situations that may have been lost in data aggregation or that may have been selectively not reported. Indeed, this is why firms with stellar directors and high-quality external auditors still have major public debacles. One way a corporate director can obtain unfiltered information regarding a firm’s operations and potential problems within a firm is by reviewing reports made by employees through internal reporting systems (also known as internal whistleblowing systems). The problem with this solution is that there have been differing views and understandings as to how to appropriately manage these systems and interpret these submitted reports—until now.

CFTC Announces Two Significant Awards By Whistleblower Program

by Breon S. Peace, Nowell D. Bamberger, and Patrick C. Swiber

On July 12 and 16, 2018, the U.S. Commodity Futures Trading Commission (“CFTC”) announced two awards to whistleblowers, one its largest-ever award, approximately $30 million, and another its first award to a whistleblower living in a foreign country.[1] These awards—along with recent proposed changes meant to bolster the Securities and Exchange Commission’s (“SEC” or “Commission”) own whistleblower regime—demonstrate that such programs likely will continue to be significant parts of the enforcement programs of both agencies and necessarily help shape their enforcement agendas in the coming years.

The Dodd-Frank Wall Street Reform and Consumer Protection Act (“Dodd-Frank”) authorized the CFTC to pay awards of between 10 and 30 percent to whistleblowers who voluntarily provide original information to the CFTC leading to the successful enforcement of an action resulting in monetary sanctions exceeding $1 million.[2] Following the introduction of implementing rules, the CFTC’s program became effective in October 2011. Over the next six-and-a-half years, the CFTC paid whistleblower bounties on only four prior occasions, with awards ranging from $50,000 to $10 million. The $30 million award announced last week therefore reflects a significant increase. This week’s award to a foreign whistleblower also represents another first for the CFTC’s program and reflects its global scope.

Cyber-Attacks and Stock Market Activity

by Dr. Daniele Bianchi and Dr. Onur Tosun

Security breaches and hacking cost publicly traded companies billions of dollars annually in stolen assets, lost business, and damaged reputations. Although detailed data are difficult to collate, the 2017 annual Cost of Data Breach Study run by the Ponemon Institute for IBM estimated that the average per-capita cost of data breaches reached an all-time high of $225 (a 60% increase over the last decade). This is as much of a concern for businesses as it is for regulators.

As a matter of fact, the knock-on effect of a data breach can substantially affect a company’s reputation, resulting in abnormal customer turnover and loss of goodwill, which in turn affect firms’ policies and ultimately revenues and profits. For this reason, companies are often reluctant to reveal information about security breaches due to fear of both short-term and long-term market reactions.


Governance and Culture – The Conversation Boards are Having Now

by Ben Morgan and Holly Insley

Corporate governance has long been an area of focus for boards, and recent proposals in the UK have ensured that this remains the case.

The Financial Reporting Council consulted in late 2017 on proposed changes to its Corporate Governance Code for quoted companies. The final text of the changes is expected to be published this summer, for introduction in 2019.

The focus on governance extends beyond the quoted company arena. Legislation laid before Parliament in June 2018 will, amongst other things, require large UK private companies to disclose in their annual directors’ report details of the corporate governance arrangements they have operated during the previous year. At the same time, a consultation has been launched on proposed corporate governance principles for large private companies, which the government hopes will be adopted by those companies as an appropriate framework when complying with the new governance-related reporting requirement.

NIST Releases an Updated Version of its Cybersecurity Framework

by Sabastian V. Niles, Marshall L. Miller, and Jeohn Salone Favors

Last week, the U.S. Department of Commerce’s National Institute of Standards and Technology (NIST) released an updated Cybersecurity Framework that revises NIST’s baseline recommendations for the design of cybersecurity risk management programs. In announcing its release, Commerce Secretary Wilbur Ross described the updated Framework as “a must do for all CEOs” and recommended that “every company” adopt the Framework as its “first line of defense.” As with the prior version, the updated NIST Framework provides a useful tool to guide and benchmark company approaches to cybersecurity risk and will impact how regulators evaluate cybersecurity programs and incident responses across sectors.

FinCEN Releases Frequently Asked Questions Regarding Customer Due Diligence and Beneficial Ownership Requirements

by David S. Cohen, Franca Harris Gutierrez, Sharon Cohen Levin, Jeremy Dresner and Michael Romais

Last week the Financial Crimes Enforcement Network (FinCEN) issued much-anticipated Frequently Asked Questions (FAQs) that provide additional guidance to financial institutions relating to the implementation of the new Customer Due Diligence Rule (CDD Rule), set to go into effect on May 11, 2018.[1] In general, the FAQs clarify certain issues that have caused implementation challenges for financial institutions. While FinCEN’s earlier guidance provided a general overview of the CDD Rule—including the purpose of the rule, the institutions to which it is applicable, and some relevant definitions—the new FAQs provide greater detail for financial institutions seeking to comply with the CDD Rule. The FAQs are meant to assist covered financial institutions in understanding the scope of their customer due diligence (CDD) obligations, as well as the rule’s impact on their broader anti-money laundering (AML) compliance. While the guidance is helpful in clarifying some of FinCEN’s expectations, the implementation challenge lies in applying the CDD Rule to a financial institution’s specific products and services.

As financial institutions work to meet the CDD Rule’s fast-approaching May 11 compliance deadline, they should pay special attention to the following key areas summarized below.

Hacking Global Reputations

by Pat Akey, Stefan Lewellen, and Inessa Liskovich

Corporations have reputations, just like individuals. However, the costs of protecting a corporate reputation, or the costs of losing one, are not well understood. Negative reputation shocks can be costly, and recent scandals at well-known firms such as News Corp. and Volkswagen have reaffirmed the fragility of corporate reputations. However, corporations can also invest in technologies such as corporate social responsibility (CSR) to build their reputations or to provide insurance against a future reputation shock. In a recent paper, we find that negative reputation shocks are at least partially insurable through CSR and that firms actively invest in CSR as the result of a negative reputation shock.

Maximizing Value and Avoiding Pitfalls when Purchasing Cyber Insurance

by Ian Boczko, Marshall L. Miller, and Timothy C. Sprague

In recent years, companies have heightened their focus on cybersecurity issues, dedicating substantially more resources to mitigating escalating cyber risks. Increasingly, these efforts include purchasing some form of cyber insurance.

Any cyber insurance policy should supplement, rather than replace, a cybersecurity risk mitigation program. While such a policy may be a useful element of a multifaceted strategy, cyber insurance is far from a panacea. First, the size and types of damages resulting from a catastrophic cyber incursion can exceed even significant policy limits. Additionally, cyber insurance coverage is unlikely to extend to reputational losses or intellectual property theft. Moreover, the cyber insurance market is relatively young and policy forms are still evolving. Thus, cyber insurance does not have the same claims history or established understanding of policy terms that can be found in more mature insurance markets.