Subscribe to our monthly newsletter Cliff Notes to stay at the forefront of technology and compliance.
To those in the anti-money laundering practice, Nina Simone’s memorable singing that it’s a “new dawn” and “a new day” may be best suited to the recently-passed Anti-Money Laundering Act (AMLA) of 2020. Passed as part of a broader National Defense Authorization Act (NDAA), the AMLA is likely the most sweeping financial crime-related law update in the U.S. since the USA PATRIOT Act almost two decades ago.
There are, of course, some appropriately-hyped provisions within the AMLA, as well as a few that are related to it, that bear a little bit more attention from compliance practitioners.
WATCH: [Compliance Over Coffee] Preparing for the Next Wave of U.S. Regulatory Changes
—
There’s Risk, then there’s Risk
The AMLA is clearly written, with no in-between-the-lines review needed. As a result, the Secretary of the Treasury will review components of current BSA/AML requirements to see where “adjustments” are necessary. From there, a report that will effectively de-prioritize what the AMLA calls “noncomplex” reporting will be issued, perhaps such as Suspicious Activity Reports (SARs) that deal with run-of-the-mill structuring.
SARs as a Strategic Priority
The big shift with the AMLA is that there will be yet another report on “strategic priorities,” meaning that SAR reporting is going back to its roots as an information gathering tool for law enforcement and intelligence agencies. Still, what the AMLA hasn’t clarified is whether financial institutions will be able to forgo the “simple” SARs to focus on the more “valuable” SARs, or whether banks will be on double duty to report both. Risk assessments will be put in the same boat as SARs; having to review for those strategic priorities while still looking for the risks unique to their bank’s profile.
READ MORE: How Bad is PPP Fraud in Financial Services?
Anonymously Speaking
Maybe the most lauded of the AMLA’s provisions is the Corporate Transparency Act (CTA), which doesn’t criminalize or ban shell companies as a structure, but requires that most incorporated entities fall in line with beneficial ownership requirements. The biggest change is that the CTA requires FIs to collect historical information that was exempt from the 2018 regulation’s requirements. FinCEN will then create a registry, with certain exceptions, and will allow FIs to scrub KYC data for their due diligence processes against that list. The mechanics of the list, collection, and verification process aren’t known, meaning that FIs will have to continue to take a risk-based approach to business types.
READ MORE: SEC Priorities and a Changing of the Guard in 2021
Corruption in Politics and Art
What should get special attention, tying into the NDAA, is the emphasis on the risk related to corrupt political leaders (see the “Kleptocracy Asset Recovery Reward Act”) as well as arts and antiquities dealers. The NDAA goes further here by expanding the foreign bank account records held by a U.S. affiliate, such as KYC information, making those records fair game for subpoena.
READ MORE: What Recent OCC Enforcements Signal for Firms
7 Questions You Should be Asking
While we wait for the underlying regulations from the AMLA, a few lingering questions remain. First of all, where the AMLA references the intention to streamline and automate, will firms be held accountable if they don’t find ways to do so? Not very likely.
However, as FIs are required to automate more processes and reporting, will there be a risk of over-automation while regulators challenge the insufficiency of a BSA/AML compliance program’s human touch?
There is still time before the one-year window for the Treasury to issue supporting regulations kicks in. In the meantime, here are a few questions that FIs should be asking:
1. Are we asking enough questions? Or, minimally, are we asking the right questions for LLP/LLC-type customers? Are we prepared to retroactively work towards data collection beyond the 2018 Customer Due Diligence (CDD) rule’s requirements?
2. What are we doing in terms of Politically Exposed Persons screening? Are we looking for stolen government funds?
3. How will we risk-rate art/antiquity dealers going forward?
4. What’s the status and strength of our risk assessment process? Have we kicked the tires on the methodology recently? Will we be ready when new priorities emerge? Or will we be behind and at risk of missing critical requirements ?
5. Are our SARs “highly” useful to law enforcement? Or do we need to reinvent our processes with a closer eye on crime and intelligence?
6. If we are going to revamp our SAR processes, what are the best ways to make sure that second-line testing and audit are on board?
7. What should we automate? Where can we innovate? What processes are the most vulnerable to regulatory gaps?
Automate Regulatory Knowledge for AML Compliance
When it comes to identifying your requirements and obligations for AMLA and other regulations, automation can be especially helpful.
The process of collecting regulatory updates across multiple sources is time-consuming—and it’s only step one of a multi-step process. The next step of determining which updates will actually impact your firm is even more of a challenge.
Ascent is a regulatory knowledge solution, which automatically surfaces the right information and pinpoints your firm’s obligations. Ascent helps compliance teams zero in on the regulation that is relevant to the firm, freeing up time and resources to focus on higher-value activities such as maintaining policies and procedures and executing compliance throughout the firm.
INFOGRAPHIC: Regulatory Knowledge Automation, Explained
In Part 1 of this writeup, we discussed the approach that the Office of the Comptroller of the Currency (OCC) has taken in recent enforcement actions related to the Heightened Standards guidelines.
In contextualizing their oversight, it’s worth noting that the OCC also recently issued the Director’s Book: Role of Directors for National Banks and Federal Savings Associations and, in so doing, referenced back to their other guidebook on Corporate and Risk Governance. As with other publications and advisories, these guidebooks are an opportunity for financial institutions and covered entities to conduct an impact analysis using Key Risk Indicators (KRI) to ensure that there are no gaps between their compliance programs and the updated guidance.
To that end, there are a few remaining facets of the OCC’s Q4 consent orders that may need to be factored into such a review.
READ MORE: OCC’s Heightened Standards [Part 1/2]
—
Dirty Data
Making Metrics Matter
There has been a recent trend in the enforcement action space for regulators to focus on data quality and more technological issues within those assessments, oftentimes noting the poor quality or lack of data validation and system integration. In both of the late-year consent orders, the OCC focused on data risk management and data governance.
The OCC also called out the need for processes in the collection, review, and dissemination of compliance-related metrics. Both KRIs and general metrics seem to be within scope in these consent orders, with the call of the consent orders’ articles speaking to the need to have processes and procedures to ensure that:
1) Compliance-related metrics are collected;
2) are robust;
3) support informed decision-making in regards to both the objective risks at issue, as well as the banks’ overall risk governance framework, and;
4) that there is senior management and board-level review of the same.
Who Watches the Watchers?
Expectations of Senior Management
As noted in part one of this review, the OCC is focused on how staff throughout the organization support the risk governance framework. The consent orders flat out state that governance and oversight at the upper echelons of the organization are just as significant. While onlookers aren’t privy to the nature of the subjective findings at organizations, those of us in the analysis space can glean that either robust metrics were not being collected, were not of sufficient quality to support the risk governance framework, or were not being sufficiently reviewed at senior levels within the organization. Senior management, through boards or committees, should be apprised of risk-related metrics and KRIs. As stated in the consent orders, the metrics and KRIs themselves should be granular and have both warning lines and limits related to their subjective risk categories. Ostensibly, the OCC expects to see that there are:
1) Procedures for the collection and validation of risk governance framework-related metrics, which include the frequency of submission to and seniority levels of the reviewers;
2) Charters or other supporting documentation noting that those governing committees (or comparable entities) are in fact being given those metrics; and
3) Minutes or other supporting information to show that senior management is providing credible evidence for the same.
LEARN MORE: How an integrated risk management approach transforms organizations
Many Hands Make Light Work
A More Connected Risk Management Framework
As with other areas of compliance, the risk governance framework is an all-hands endeavor. The gist of these enforcement actions is that certain areas of the organization may have been waning in their support of the banks’ compliance posture, without compensating from other areas. While the Corporate and Risk Governance expectations have been in place for over six years, the consent orders at issue were on a multi-hundred-million dollar scale, which should give any onlooker pause.
As with other trigger events, this is an opportunity for financial institutions to pause and evaluate, for better or worse, where their compliance programs are in comparison to these reiterated expectations. Regulatory technology can help firms with this evaluation, connecting disparate systems and teams within their organizations, spotlighting areas of risk, and, in turn, enabling a more unified culture of compliance.
LEARN MORE: What is RegTech?
End-to-End Compliance with Ascent
When it comes to identifying the risks associated with regulatory compliance, it’s important to start from the beginning. At Ascent, we use world-class AI to help firms rapidly and accurately identify their regulatory obligations, at the most granular level possible. This granularity, or precision, is especially important when trying to set a regulatory compliance framework for the first time or address any gaps within your existing regulatory compliance framework. Ascent then keeps your obligations up to date automatically.
READ MORE: 3 Definitions of Regulatory Mapping
To help firms build a more connected risk governance framework, Ascent seamlessly integrates with GRC platforms. With a single source of regulatory truth, the three lines of defense can all work from the same data towards the same goals.
To learn more about Ascent and its API integrations, contact us directly. For more information about risk and compliance strategies such as IRM and the technology that powers them, subscribe to our monthly newsletter Cliff Notes below.
Subscribe
— Peter and Ascent Founder Brian Clark discuss a variety of topics—from potential regulatory changes under ...
Read More
2020 was a year that was remarkable for one very obvious reason. However, with the exception of one multi-billion dollar fine handed out by the Securities and Exchange Commission and another more unique fine from New York regulators related to the nefarious Jeffrey Epstein, it was a relatively quiet year in the financial compliance enforcement space. Yet, late in the year, the Office of the Comptroller of the Currency (OCC) issued some enforcement actions that caught the industry’s attention.
What was interesting about these particular consent orders was that they provided a rare insight into the OCC’s view of the Heightened Standards for Large Financial Institutions and how gaps in risk and compliance might be potentially treated. Unlike enforcement actions related to financial crime or anti-money laundering compliance, these two consent orders did not provide comprehensive statements of fact. As a result, while onlookers must extrapolate and deduce what the OCC was focused on, a few salient points can be drawn.
READ MORE: OCC’s Heightened Standards [Part 2/2]
—
Stricter Definitions on the Three Lines of Defense
The consent orders focused very heavily on covered financial institutions’ delineation of the three lines of defense—front-line units, independent risk management, and independent testing. Effectively, the consent order serves as a reminder to financial institutions to establish and routinely evaluate the roles and responsibilities of those divisions within the organization, in order to ensure that they support the company’s risk governance framework. Calling out responsibilities at the more granular level, this might require an evaluation of the role or job descriptions, team functions, and overall organizational structure to ensure that risks are adequately monitored and escalated as necessary.
The inference from these consent orders, and therefore regulatory expectation, is that each role-holder and team understand what risk management means to their function, and where that fits into the overall picture. One callout from the consent orders is the need to train staff on their relationship to the risk governance framework as another means to ensure better ongoing alignment.
READ MORE: How an Integrated Risk Management Approach Transforms Organizations
Strong Governance Expected Over Policies and Procedures
While it again would have been useful to see more details around the institutions at issue and what the regulator’s underlying concerns were, further extrapolations can be found in the available language. An additional highlight of these enforcement actions, and more broadly, to the expectations of Heightened Standards, is the objective and subjective nature of policies and procedures.
The OCC makes clear that covered entities should have strong governance over policies and procedures, which includes time-bound and trigger event-driven reviews of policies and procedures, documented ownership of those documents, and processes to ensure that all affected teams/functions within the company are fully aware of those updates.
LEARN MORE: How to Fuel Your GRC with Ascent Data
As with the roles and responsibilities of individual staff, the OCC goes further to state that, subjectively speaking, policies and procedures are meant to be aligned to and show support of their relative compliance risks as well as the company’s overall risk governance framework. Casual observers do not, and will not, know whether or not the penalized organization had what regulators considered to be “arbitrary” or “detached” policies/procedures, but the implication is clear—connectivity and risk management must be the common thread.
In our next post, we will make further inferences from the Heightened Standards around:
- Data and Metrics
- Senior Management Oversight
READ MORE: SEC Priorities: Cryptocurrency Regulation and a Changing of the Guard
Track and Manage Your Changing OCC Obligations
With enforcement actions continuing to be issued by the OCC and other regulators, financial firms can’t afford to miss a regulatory obligation or rule change.
Ascent is a regulatory automation solution that automatically generates regulatory obligations targeted to your firm, surfaces relevant rule changes, then updates your obligations accordingly. With an API integration, you can also fuel your GRC or other workflow systems with Ascent data, allowing you to trigger change alerts and map regulatory changes to your controls, policies and procedures.
Spend less time analyzing dense legal text and more time implementing compliance throughout the business.
READ MORE: Behind the Scenes: Ascent’s RegulationAI™ and Why It’s Different
To learn how Ascent can help you identify your regulatory obligations and changes, contact us.
For more articles like these, subscribe to our monthly Cliff Notes newsletter below.
Subscribe
[pardot-form id=”323″ title=”Cliff Notes Subscriber Form”]
There seems to be a sharp correlation between the scientific and banking industries’ efforts to abate the harm caused by the COVID-19 pandemic and criminals trying to exploit those efforts for illicit gains. No sooner was the virus upon us that scammers, fraudsters, and novice exploiters began to try to find ways to abuse peoples’ fear and the support programs emplaced. The Paycheck Protection Program (PPP) has been especially vulnerable. Here’s a look at the different types of PPP fraud that have taken place throughout the pandemic and how financial firms are responding.
—
PPP’s Good Intentions Lead to Bad Acts
The Small Business Administration issued a series of loan programs in early 2020 that were designed to aid small businesses impacted by the quarantine and so-called “lockdown” restrictions. The Paycheck Protection Program alone has given out over USD $523 billion since the program’s inception. Between the urgency to get the program launched and the minimal guidance in place to spot-check for potential fraud, banks found themselves processing hundreds or even thousands of these loans with little-to-no compliance and risk management.
As of September, the Department of Justice (DOJ) had already brought 40 cases against individuals who may have fraudulently obtained loans through these programs.
A few highlights of PPP fraud cases:
- A current player in the NFL who was charged as part of a USD $24 million PPP loan fraud scheme. According to the DOJ, the subject participated in a broader scheme to solicit straw buyers to take out forgivable loans in exchange for a kickback/percentage of those loans. In addition, the subject obtained over USD $1.2 million in loans for his own company, then withdrew over USD $300,000 in cash after buying a Rolex and going shopping.
- In another scheme, the subjects applied for over 80 PPP loans, falsifying tax and payroll expenses. At the time of their arrest, they had over 1,100 fake paychecks, the proceeds of which were used to buy a new Porsche and a Lamborghini.
A duo claiming to be farmers who applied for over USD $1.1 million in loans. Declaring funds for a number of businesses, one subject in the case said that they had a farm in their Miami-area yard, and employed 18 staffers in necessitation of over USD $800,000 in payroll.
Financial Firms Go On Offense
Another dubious fraud scheme that has arisen since the pandemic is counterfeit and fraudulent PPE, supplies, and treatments. The FTC has routinely warned about fake preventative treatments, and the FDA has noted that there is only one approved at-home test kit. Since February, stories have surfaced about counterfeit masks, respirators, and other PPE. On almost the same day that a vaccine was approved for emergency use, Homeland Security Investigations issued red flags for counterfeit vaccines. In fact, EUROPOL simultaneously confirmed investigations into organized crime groups engaging in the sale of counterfeit vaccines.
As with any other fraud, financial institutions have shifted from defense to offense. One senior compliance officer speaking anonymously noted that their institution was heavily investigating pandemic-related lending fraud, looking specifically for small businesses that appeared to be spending PPP loan proceeds in an unusual way. Other compliance practitioners noted that transaction monitoring parameters and analytics-driven searches were yielding a staggering number of cases of potential fraud. At the heart of these cases, per one investigator, was the inability to verify the recipient’s loan documentation or substantiate the legitimacy of their business, noting that many of the companies they had investigated were, in reality, established days before applying for the loan.
Uncertain Impact on Financial Regulation
The true depth of the fraud remains to be seen, but as with many other lessons learned, the pandemic has yielded a number of key takeaways for financial services going forward. The hope is that, like the virus itself, the need for those lessons will soon be in decline.
Until then, it’s likely that these acts of fraud will continue to shape financial regulation, especially in how regulators will treat relief programs in the future. For now, it’s important for compliance teams to not only monitor the rule changes and updates that result from the pandemic response, but also to create a system of record when implementing them.
Ascent is a regulatory knowledge solution that can pinpoint financial firms’ regulatory obligations and keep them updated as rules change. This dynamic regulatory knowledge can be mapped to applicable areas of business and seamlessly connected to a separate GRC solution to create a traceable system of compliance.
INFOGRAPHIC: Regulatory Knowledge Automation, Explained
To learn how Ascent can help you identify your regulatory obligations and changes, contact us.
For more articles like these, subscribe to our monthly Cliff Notes newsletter below.
Subscribe
Chicago IL (January 8, 2021) – Ascent, an AI-driven solution that helps financial services institutions automate regulatory compliance, today announced that it was named to Built In Chicago’s lists of Best Places to Work and Best Small Companies to Work for in 2021. Companies are selected based on data submitted by companies and their employees around compensation and benefits, culture, and growth opportunities.
Jon Leitner, Ascent CEO, commented, “We’re honored to once again be recognized as a top place to work in Chicago. The past year has been difficult for many, and as a team we’ve overcome many challenges. The key to each and every success has been the strength, resiliency and talent of our people. We’re committed to continuing to build a work environment that our employees are proud to be a part of.”
Carrie Pinkham, VP of People, added, “Though the past year of remote work has proven difficult for many companies, there are incredible opportunities that arise from having a distributed workforce. As we continue to grow as a locally-known company, we are also excited about becoming a workplace leader far beyond the borders of Chicago. We’ll do that by conscientiously creating an inclusive environment that continually grows, challenges, and rewards our people.”
Ascent is a first-mover in building RegulationAI™, a technology that helps compliance teams understand exactly what they need to do in order to remain compliant with complex financial regulation, thereby reducing risk, protecting firms’ reputations, and avoiding potentially crippling fines.
“Our mission at Ascent is to create a world where companies don’t have to choose between spending massive amounts of money or not following the law,” commented Brian Clark, Founder and President. “By making it easier for businesses to comply, we free their resources to focus on commercial endeavors and delivering the best possible experience to their customers. This represents a massive global business challenge, and we’re excited to continue building a team that is galvanized around solving it.”
Ascent has been rapidly gaining momentum since its founding in 2015. Since its inception, Ascent has expanded to 45+ full-time employees and secured $26.7M in funding.
About Built In
Working in tech is a way of life. Built In helps people live it with purpose. Across the most vibrant tech hubs in the US, Built In helps tech professionals stay on top of tech news and trends, expand their networks and carve out futures at companies they believe in. Built In attracts a niche audience of 1 million tech professionals every month and, in 2019, the company hit a milestone, serving 1,100 companies annually. Built In recently launched BuiltIn.com, a national hub for tech trend coverage and resources to help professionals grow in their careers.
National Site: BuiltIn.com
Local Sites: BuiltInChicago.com | BuiltInLA.com | BuiltInColorado.com | BuiltInAustin.com | BuiltInNYC.com | BuiltInBoston.com | BuiltInSeattle.com | BuiltInSF.com
Best Places to Work Methodology
Built In’s list rates companies algorithmically based on compensation data and employer benefits. Rank is determined by combining a company’s score in each of these categories.
Subscribe to our monthly newsletter below to receive helpful content designed to keep you at the forefront of compliance and technology.
Subscribe
Back in 2016 when the concept of the United Kingdom’s exit from the European Union (“EU”) seemed like a fantastical proposition, the prospect of the referendum’s success let alone its implications seemed like a mystery. The question for financial institutions now becomes how to implement and maintain a newly-domesticated compliance framework in the face of regulatory uncertainty.
—
The Story on Domestic Data
The larger focus for financial services will be on sustainability of domestic and international compliance frameworks for areas such as data, sanctions, and overall governance.
The UK has implemented a host of regulatory expectations in the past few years, from MiFID to the Senior Managers’ Regime. While those regulations will continue, financial services must continue to enmesh international laws with touch and concern to the UK in their programs.
Despite the UK’s exit from the EU, the parameters of the General Data Protection Regulation (“GDPR”) will continue to be enforceable. In fact, GDPR has been a primary area of international enforcement, with two UK-centric breaches in 2020 totaling in USD $56 million in penalties alone.
CASE STUDY: How a Global Top 50 Bank Pinpointed Its GDPR Obligations Using Ascent
Similarly, despite infrequent enforcement actions for sanctions violations from the UK in the past few years (OFSI issued its first ever sanctions penalty in 2020 since its establishment four years prior), the UK Sanctions and Anti-Money Laundering Act of 2018 will continue to pose challenges for UK banks wishing to keep a foot in the international space.
In late December, the Financial Conduct Authority (“FCA”) issued the final Temporary Transitional Power (TTP) directions. Firms should be well-versed in the TTP directions, as they outline which regulations are expected to be maintained throughout the transaction and which have exemptions until the end of the transition period in March 2022. While these provisions apply to existing entities, the FCA was careful to note that the TTP does not apply to new European Economic Area entities seeking to onshore.
Business as Usual for AML
As part of the EU, the UK would have historically been adhering to the framework of the EU’s Anti-Money Laundering Directives (“AMLD”). This would have been leveraged to set the framework for an anti-money laundering compliance program, from the “pillars” approach derived from the Financial Action Task Force (FATF) standards, to threshold for transaction monitoring.
From a practitioner’s perspective, the EU AMLD set basic criteria that were then enhanced or supplemented, as needed, at the country level. In the absence of those directives, the UK will now rely entirely on the Proceeds of Crime Act (“POCA”) and its interpretation by regulators to determine firms’ adherence to AML standards. The FCA has not had a particularly robust enforcement year in terms of AML enforcement, with only two notable penalties issued for compliance-related failures. In fact, the absence of such enforcement actions has been cited in the press as a relative laxity by the regulator.
Perhaps due to Brexit or exacerbated by it, the FCA has not made clear that AML compliance will be a priority over conduct-related enforcement in the coming year. Given the EU’s spate of Baltic-related fines and penalties, the first AML fine of 2021 may in fact be related to the same.
The Way Forward
There is, as was expected when Brexit was first announced, a bit of trailblazing to be expected in the next few years. The shifting regulatory expectations around conduct over AML and sanctions enforcements is suggestive, but not dispositive. While the FCA has recently provided a rulebook with post-Brexit expectations, unlike their peers in the US, wavers have been embedded with those expectations, some as far out as 2022. Perhaps drawing from their peers (subsidiaries and affiliates too) in the US, UK-based banks will need to leverage a far more conservative risk-based approach until the updated regulatory expectations become more certain.
In the meantime, new technology such as regulatory knowledge automation can help financial firms keep tabs on enforcements, updates, and rule changes as they are issued. Today, many firms continue to try to manage and synthesize this influx of information in the same ways that it always has — by increasing personnel to do the work manually.
INFOGRAPHIC: Regulatory Knowledge Automation, Explained
But missing even the finest detail within a body of regulation or rule amendment can be disastrous for a firm. Like the proverbial needle in the haystack, any obligation missed among the thousands of lines of regulatory information could have severe consequences come audit time.
Regulatory knowledge automation uses machine learning (ML) and natural language processing (NLP) to complete this work in mere minutes, at a fraction of the cost, and with greater accuracy than manual efforts.
READ MORE: How to set a foundation for your regulatory compliance framework
For more information about RegTech, regulatory knowledge automation, and articles like these, subscribe to our monthly Cliff Notes newsletter.
Subscribe
Despite the pandemic, Reuters reports that the U.S. Securities and Exchange Commission (SEC) has had a banner year, with more than 700 cases and enforcement actions. As of November, that number represented over USD $4.7 billion in penalties, fines, and disgorgements assessed. The ratio of fines to penalties is a bit askew, considering that one fine alone represented a USD $1.2 billion settlement.
Still, the agency has been particularly busy with disclosure and regulatory-related penalties, in contrast to a mere seven enforcement actions by the Financial Crimes Enforcement Network (FinCEN). Of course there is an issue of the remit of the respective agencies that would need to be taken into consideration, but one priority of the SEC has seemed to remain squarely in the initial coin offering (ICO) / cryptocurrency-related space. Here’s a look back at SEC cryptocurrency regulation from this year and what’s to come from SEC leadership in 2021.
—
ICOs Strictly Subjected to Howey Test
The SEC announces its enforcement priorities annually, and 2020 was no different, if only in that respect. At the start of the year, the Office of Compliance Inspections and Examination (OCIE) released its 2020 Examination Priorities, and in it the agency noted that “digital assets” would be a priority. Many of the enforcement actions that occurred throughout the year were related to either ICOs, either as fraudulent schemes or due to poor regulatory disclosures.
The SEC has treated ICOs fairly strictly over the past few years, perhaps punctuated by the Report of Investigation Pursuant to Section 21(a) of the Securities Exchange Act of 1934: The DAO (the “DAO”), released in mid-2017. This report galvanized the agency’s approach to tokenization and ICOs, noting that strict adherence to the Howey test (i.e., an investment of money and expectation of profit as the result of a common enterprise, with the profits coming from the efforts of a third party) would apply to ICOs.
To that end, ICOs who tested the SEC’s resolve found that the failure to register or seek an exemption to the Howey criteria would result in multi-million dollar penalties. In one enforcement action in particular, the SEC noted that the ICO in question—though it knew or had reason to know that it was a security based on the DAO report and prongs of the Howey Test—continued to sell its offering without making appropriate disclosures to its investors.
READ MORE: The Most Telling Guidance of 2020: Corporate Compliance Programs, AML & More
Changing of the SEC Guard
The current chairman of the SEC, Jay Clayton, has publicly stated that he intends to step down from the position, leaving the incoming administration to make a nomination. Clayton’s tenure was remarkable, and has seen lauding from both sides of the aisle. The two current names being floated to replace him are Gary Gensler, former chairman of the Commodities Futures Trading Commission (CFTC), and former prosecutor Preet Bharara. Already named to President Elect Biden’s transition team, Gensler has no shortage of experience dealing with both regulators and the private sector.
During his time at the CFTC, Gensler pushed for sweeping regulation of swap trades and has been viewed as someone who—as a former partner at Goldman Sachs—could potentially deliver diplomatic regulatory outcomes. Bharara, on the other hand, poses a far more significant shift in regulatory tone. Bharara is known, and well-respected, for his work on major insider trading and white collar cases.
Despite the significant number of actions under Clayton’s tenure (over 3,000 examinations in 2020 alone), Bharara’s appointment would signal a no-nonsense approach to both civil and regulatory engagements.
Preparing for What (and Who) is Next
Other names circulated are Dodd-Frank contributor Michael Barr, as well as Allison Lee (a former securities law practitioner and currently an SEC commissioner) and Kara Stein (a former SEC commissioner) who would both bring senior-level, hands-on experience to the position. There are innumerable variables still at play after the outcome of the November 2020 election. Needless to say, the SEC and other high-profile regulatory positions will keep Wall Street waiting with baited breath, and those of us in the bleachers a lot to consider.
READ MORE: What are “granular” obligations in RegTech, and how do they reduce your risk?
No matter who takes the helm at the SEC (and at other U.S. regulators), it’s important for financial institutions to keep tabs on regulation at both the national and state level. It’s within these agencies that incremental changes occur and often catch organizations off guard. Be sure that your firm is ready for what’s next. Shore up your compliance and risk strategy by identifying all of your key risk factors, including any potential gaps in your firm’s regulatory obligations / requirements.
READ MORE: Regulatory Change Management: A Tech-Based Approach
Ascent helps banks and other financial firms stay above the rising tide of regulation, from the SEC and other regulators. Learn more about our regulatory coverage here.
There has been no shortage of media chatter in the very unusual 2020 calendar year. For those concerned with organizational compliance, the release and re-release of regulatory guidance and legislation — particularly around BSA/AML and corporate compliance programs — has been nearly unparalleled. As we will show, these developments have significant implications, if not direct calls to action, for banks.
—
The BSA/AML Manual Hits Hard
At the risk of hyperbole, the Federal Financial Institutions Examination Council’s (“FFIEC”) Bank Secrecy Act/Anti-Money Laundering (“BSA/AML”) Examination Manual (the “Manual”) is perhaps the most sacrosanct of all regulatory frameworks. Intended to serve as a field guide for examiners, instead its outlines and parameters are utilized by banks’ BSA/AML compliance departments as the foundation for their compliance programs and by auditors as a basis for testing protocols. Updated in April, the Manual was not radically updated but the updates that were made were significant. First and foremost, the Manual makes reference to “other illicit activity” as a nod to the nebulous nexuses between crimes like healthcare fraud, corruption, and money laundering. The Manual further updates provisions in regards to risk assessments (while not flat out requiring them) and board-level oversight, broadly, requiring that banks ensure that their compliance programs are tailored to their unique risk profiles.
Perhaps the most significant updates include expansions to the expectations around training. Where only a paragraph existed previously, the updated Manual expands its expectations to have role-based technical and subject-matter training, along with much more precise guidance on the expectations for board of directors training.
READ MORE: Regulatory mapping is key to compliance. Are you doing it effectively?
A Major Emphasis on Corporate Compliance Programs
As many compliance practitioners were settling into remote working, the U.S. Department of Justice (USDOJ) re-issued its Evaluation of Corporate Compliance Programs (the “Guidance”). In examining whether to consider and the depth of criminal penalties, prosecutors too (harkening back to the Manual) should look at whether the organization at issue maintains and leverages a risk assessment to inform decisions about compliance and mitigate the risk of misconduct. The Guidance goes on to note that perhaps one of the most important factors is, based on the risk assessment, how were allocations for staffing, technology, and resources such as training allocated. Were cost centers given hiring priority over compliance staff? Is the annual compliance training program a leaflet? Are the sales staff on top-of-the-line computers while the compliance and audit teams are using ineffective tech?
All seem like fair questions.
The Guidance directly states that compliance should be built into the compensation scheme, and that it should be a considerable factor in the allocation of (or withholding of) bonuses. Lastly, the Guidance reiterates the need for ongoing monitoring, testing, and escalation of the state of misconduct-related controls and their investigations.
READ MORE: How an Integrated Risk Management (IRM) approach can transform your organization
On the AML Horizon
There are two fairly significant developments pending approval, and we cannot emphasize “pending” enough – a shell company transparency provision and the Anti-Money Laundering Act of 2020. They are both embedded within a defense spending bill that the White House has threatened to veto for unrelated reasons. The shell company provision would mandate the registration of beneficial owners with the Treasury department, effectively ending anonymous shell company use within the U.S.
Secondarily, if passed, the Anti-Money Laundering Act of 2020 would mandate that the Secretary of the Treasury take steps to “streamline” BSA/AML compliance requirements. In its September Advance Notice of Proposed Rulemaking (“ANPRM”), FinCEN sought input from the banking community on how to make more “effective” use of BSA/AML systems and processed, skewing more in favor of law enforcement’s needs than compliance. The proposed AML Act seems to end-run the feedback solicited by the ANPRM, and place the obligation with the Treasury to ease, reduce, or otherwise better facilitate the production and utilization of BSA/AML-related information.
While the approval of the AML Act and its governing bill are in a tentative state, the ongoing developments in this space speak to big changes for the BSA/AML compliance space going forward.
Keeping Pace with Change: A Tech-Based Approach
While these regulatory developments are broad reaching, their impact is different at each financial institution. This leaves Compliance teams with the tall order of reading through and analyzing the regulatory text to determine which parts of the Manual or the Guidance applies to their organizations — which can be like looking for a needle in a haystack.
According to an Ascent internal analysis, 65 percent of the regulatory text (the haystack) is made up of definitions and clarifications. The remaining 35 percent, which actually consists of obligations, is what compliance teams need to be reviewing in order to determine what regulatory requirements and obligations specifically apply to their firm (the needle).
READ MORE: Regulatory Change Management: A Tech-Based Approach
Ascent can help banks and other financial firms stay above the rising tide of regulatory change. Read this article to learn how our RegTech platform can help your firm quickly produce “granular obligations” and keep them current as new regulatory developments arise.
If you’d like to contact a team member directly, you can do so here
To stay up on the latest in regulatory technology and other news, subscribe to our monthly Cliff Notes newsletter below.
