In August 2017, the Office of Compliance Inspections and Examinations (“OCIE”) of the Securities and Exchange Commission released the results of its second Cybersecurity Initiative, which examined cybersecurity-related preparedness and implementation efforts by 75 regulated financial entities. The resulting OCIE Risk Alert depicts an industry demonstrating heightened sensitivity to cyber risks, but also experiencing gaps between policy ambition and day-to-day execution, and confronting growing pains associated with accelerated change, including the introduction of significant new policies and procedures that may lack focus or consistent implementation. While the Risk Alert directly addresses the cybersecurity procedures of broker-dealers, investment advisers, and other SEC-regulated entities, companies in all industries should consider assessing their practices with respect to the issues highlighted by the SEC. Continue reading
By Robert W. Werner
The compliance infrastructure for managing financial crime risk at financial institutions is intended to be based on utilizing a risk-based, rather than rule-based, approach. A risk-based approach seeks to allocate resources commensurate with varying risk levels, reflecting the fact that financial institutions cannot eliminate all the risk of illicit activity occurring within an institution without completely shutting down all of its business. To optimize compliance, financial institutions must balance the need to provide legitimate and critical financial services and products with appropriate controls designed to mitigate the financial crime risk associated with those services and products to appropriate levels.
Where activity would violate law or regulation, the calculus is easy because the activity is simply prohibited. However, most legitimate activity will necessarily allow for some level of risk that it may be abused by criminals to facilitate illicit conduct or to exploit products and services for illicit purposes. Arriving at the right balance within this context requires an understanding of the risks, what level of controls can reasonably be put in place to mitigate that risk, and then making judgments based on an institution’s tolerance for reputational, regulatory and operational risk, about whether to engage in the activity. This last element, the exercise of judgment, must be arrived at within the framework of an institution’s risk appetite statement. Continue reading
The Board’s audit committee is well advised to receive an update on the risk and compliance lessons from the recent Wells Fargo sales practices controversy. The general counsel, teaming with the chief risk & compliance officer, would be well suited to deliver this update. As well-chronicled in the recently released special investigative report (“Report”), the “20/20” lessons from the controversy transcend the financial services industry, to offer value to corporate boards across industry sectors. These lessons demonstrate how matters of organizational structure, corporate culture, and risk identification and reporting can coalesce in undisciplined circumstances to create significant corporate exposure. In several respects, these lessons prompt comparisons to the conclusions reached by investigative counsel in the GM ignition switch controversy of 2014. This comparison may help underscore the basic risk oversight message to the audit committee; i.e., that these issues have arisen in several of the largest U.S. companies and may arise again without proper supervision. Continue reading
A proactive, systematic risk assessment is an essential first step to developing and implementing any corporate compliance program, regardless of your industry or the compliance areas you are targeting. As US enforcement authorities have explained, “One-size-fits-all compliance programs are generally ill-conceived and ineffective because resources inevitably are spread too thin, with too much focus on low-risk markets and transactions to the detriment of high-risk areas.” The Department of Justice specifically identified the effectiveness of a company’s compliance risk assessment as a foundational consideration when evaluating whether to bring charges against a company and in negotiating a plea or other remedies. Moreover, in a corporate environment characterized by lean performance, tailoring your compliance program to your company’s actual risks is a business necessity.
A deliberate, iterative self-assessment methodology is crucial to obtaining the benefits of both mitigating enforcement risk and achieving a high-efficiency compliance program. Continue reading
A fund manager typically spends most of its time not only contemplating how to maximize returns for investors, but also navigating the array of compliance and regulatory concerns involved in running a private fund. Because the manager is so caught up in thinking about these daily considerations, it may lose sight of the multitude of issues that arise when it comes time to wind down that same fund. If the manager exercises some foresight regarding the fund’s eventual wind-down and puts proper procedures in place, however, the whole process can be both smoother and less fraught with legal and regulatory risks. Once a manager decides to wind down a fund, it must navigate myriad considerations and decisions during the process. Continue reading
Over the past several years, financial institutions in the United States and abroad have increasingly engaged in a “slimming down” of their client base. They have done so by deciding not to accept certain types of clients ranging from individuals engaged in specific industries –such as trade merchants, precious metal dealers or “politically exposed persons” (a term of art to be discussed below) – to whole categories of businesses or entities such as money service businesses, charities and foreign banks. This trend, which is now commonly referred to as “de-risking,” has significant collateral consequences for those using the global financial network.This blog will discuss de-risking, its causes and consequences, and some of the solutions that have been proposed to address the unintended results of this practice.
Since the passage of the USA PATRIOT Act in 2001 in response to the September 11th terrorist attacks – some would argue even before that – regulators in the U.S. and elsewhere have singled out certain categories of individuals and entities that either are strictly forbidden to hold accounts with financial institutions or, more routinely, require enhanced reviews by the institutions in which the accounts are maintained. The first category of accounts – those that are forbidden – includes entities such as “shell banks,” which are foreign banks without a physical presence in any country. Pursuant to law, U.S. financial institutions may not maintain accounts for such entities. Continue reading