AML and Sanctions Compliance - Eventpedia · 2019-07-16

The Payments Institute, July 21-24, 2019 • Emory University, Atlanta GA

AML and Sanctions Compliance

Crossing Organizational Silos to Ensure Compliance

1

The Game Plan

• Overview of AML and Sanctions Compliance

– Applicable Law

– Recent Enforcement Actions

• Compliance Challenges and Opportunities

• Strategies for Breaking Down Silos

• Discussion of Scenarios

2

A View on Compliance

• Compliance = Crime Prevention and Customer Service

– Crime Prevention: Protecting the financial system, the company and its customers from criminals

– Customer Service: Ensuring a good customer experience and reducing friction in transactions

• Fraud and Money Laundering go hand-in-hand

– Predicate offenses: Is this money laundering?

– Should a Suspicious Activity Report (SAR) be filed?

– Who should be engaged to address serious and reoccurring issues?

3

Three Truths and a Lie

• Compliance should be “baked-in” to the company’s business functions

• Information held by one part of the company is imputed to the entire company

• Compliance is the sole responsibility of the Compliance Department

• All employees should be empowered to refer suspicious activity to the Compliance Department

4

Dispelling the Myth

• Compliance is everyone’s responsibility!

• Looking at effective compliance:

– Who is responsible for compliance?

– What are the Compliance Department’s interactions with other business functions?

– Where does the Compliance Department fit into the organization?

– How does the C-Suite treat compliance?

5

Bank Secrecy Act (BSA)

• The BSA requires financial institutions to:

– Keep records of cash purchases of negotiable instruments

– File Currency Transaction Reports (CTRs) for cash transactions exceeding $10,000 (aggregated per person per business day)

• Report suspicious activity that might signify:

– Money laundering

– Tax evasion

– Other criminal activities

• Suspicious Activity Reports (“SARs”) are filed with FinCEN and searchable by government entities

6

USA PATRIOT Act of 2001

The PATRIOT Act amended the BSA and requires:

• Government-institution information sharing and voluntary information sharing among financial institutions

• A program for verification of customer identity

• Enhanced due diligence programs

• AML programs across the financial services industry

7

Office of Foreign Assets Control

Under OFAC regulations, persons and financial institutions subject to U.S. jurisdiction must:

• Block transactions of "Specially Designated Nationals" and "Blocked Persons" – shorthand is “SDNs”

• Refrain from financial transactions with specified countries and sanctions programs, unless “licensed” by OFAC

• Block or reject prohibited transactions; if funds are received in a prohibited transaction, hold them in a blocked account and report the blocking to OFAC

8

OFAC Compliance Program Requirements

OFAC regulations do not prescribe specific compliance program requirements. However, an effective OFAC program should:

• Implement and maintain written policies and procedures for screening transactions and new customers

• Have a compliance officer to monitor compliance and oversee blocked funds

• Conduct OFAC risk assessments for various products and departments

• Maintain guidelines and internal controls to ensure the periodic screening of all existing customer accounts

9

OFAC Compliance Program Requirements (cont'd)

• Implement and maintain procedures for obtaining and maintaining up-to-date OFAC lists

• Ensure methods are in place for conveying timely OFAC updates

• Establish procedures for handling and reporting prohibited OFAC transactions

• Issue guidance for SAR filings on OFAC matches

• Conduct an annual internal review or audit of the OFAC processes in each affected department

• Conduct training for all appropriate employees

10

Who is Paying Attention?

• The Department of Treasury:

– Financial Crimes Enforcement Network (“FinCEN”)

– Internal Revenue Service (“IRS”)

– Office of Foreign Assets Control (“OFAC”)

• State Regulators and Supervisory Agencies

11

Who is Paying Attention? (cont’d)

• Other Regulators:

– Office of the Comptroller of the Currency

– Board of Governors of the Federal Reserve System

– Federal Deposit Insurance Corporation

– National Credit Union Administration

– Securities and Exchange Commission

• Self-regulatory organizations (FINRA, NYSE, etc.)

12

Who is Paying Attention? (cont’d)

Federal criminal investigations into AML/OFAC violations:

• Department of Justice

– U.S. Attorney's Offices

– The Money Laundering and Asset Recovery Section (MLARS)

– Federal Bureau of Investigation

• FTC and CFPB (consumer protection)

13

By the Numbers

• Federal enforcement of U.S. anti-money laundering rules jumped nearly 30 percent in 2018 after hitting record lows in each of the prior two years, according to data reviewed by ACAMS moneylaundering.com.

• Nearly half of the 71 total enforcement actions issued last year by the Financial Crimes Enforcement Network, Office of the Comptroller of the Currency, Federal Reserve and FDIC, targeted institutions and individuals that violated AML rules, and roughly half of those AML-related actions came with monetary penalties.

14

The Penalties – Civil (Federal)

• Negligence

– $500 for negligent violation of any provision or regulation under the BSA.

– $50,000 for a “pattern of negligent violations”

• Willful Violation

– greater of the amount involved in the transaction (up to $100,000) or $25,000

– Assessed per violation (e.g., per unfiled SAR)

• Parallel Action may be taken by:

– FTC/CFPB

– State Regulators

15

The Penalties – Criminal (Federal)

• Criminal Exposure

– $250,000 or imprisonment for up to 5 years may be imposed for willful violations of any provision of the BSA

– If the violation is accompanied by a violation of another law, or is part of a pattern of illegal activity involving more than $100,000 in a twelve month period, a fine of $500,000 or imprisonment for up to ten years, or both, may be imposed

• Other Consequences

– Loss of ability to do business

– Reputational damage

– Operational costs

– Litigation costs and adverse rulings

16

Common Compliance Program Failures

• For regulated financial institutions, the most common compliance program failures include:

– Failing to have a written program that adequately covers the required elements

– Failing to properly implement and maintain the program

– Allowing suspicious activity to go unreported – i.e., not enough SARs filed

– Structuring of transactions to avoid reporting requirements, including cases of insider complicity

• Big fines result from “business” overruling compliance decisions

17
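The BSA slide above states the reporting rule (cash exceeding $10,000, aggregated per person per business day) and the failures slide names structuring as a common problem. The following is an added example, not the presenter's code and not any institution's actual monitoring rules, showing what a transaction-monitoring trigger for both looks like over a constructed ledger. The CTR aggregation follows the BSA rule as stated on the slide; the structuring heuristic (several sub-threshold cash deposits inside a short rolling window that together exceed the threshold, at least two of them in a "just under" band) and its window, ratio and sample data are assumptions for illustration, not a regulatory definition.

```python
"""Daily cash aggregation for CTR reporting plus a simple structuring check.

Added example for this transcript; it is not the presenter's code and not
any institution's actual monitoring rules. The transactions are constructed.
Assumption: the CTR trigger is the BSA's "more than $10,000 in currency per
person per business day". The structuring heuristic (several sub-threshold
cash deposits in a short window that together exceed the threshold, with at
least two of them just under it) is illustrative, not a regulatory definition.
"""
from collections import defaultdict
from datetime import date, timedelta

CTR_THRESHOLD = 10_000  # a CTR is due when the daily cash aggregate EXCEEDS this
NEAR_RATIO = 0.90       # "just under" band: >= 90% of the threshold (assumption)
WINDOW_DAYS = 3         # rolling window for the structuring check (assumption)

# Constructed sample ledger: (customer_id, business_date, channel, amount_usd)
TRANSACTIONS = [
    ("C001", date(2019, 7, 22), "cash_deposit", 6_000),
    ("C001", date(2019, 7, 22), "cash_deposit", 4_500),  # same day: 10,500 total
    ("C002", date(2019, 7, 22), "cash_deposit", 9_800),
    ("C002", date(2019, 7, 23), "cash_deposit", 9_700),
    ("C002", date(2019, 7, 24), "cash_deposit", 9_900),  # three days just under
    ("C003", date(2019, 7, 22), "wire_in", 50_000),      # not currency: no CTR
    ("C004", date(2019, 7, 22), "cash_deposit", 2_000),
]


def is_cash(channel):
    return channel.startswith("cash")


def daily_cash_totals(txns):
    """Aggregate currency transactions per (customer, business day)."""
    totals = defaultdict(int)
    for cust, day, channel, amount in txns:
        if is_cash(channel):
            totals[(cust, day)] += amount
    return dict(totals)


def ctr_candidates(txns):
    """(customer, day, total) for every day whose cash aggregate exceeds the threshold."""
    return sorted(
        (cust, day, total)
        for (cust, day), total in daily_cash_totals(txns).items()
        if total > CTR_THRESHOLD
    )


def structuring_candidates(txns, window_days=WINDOW_DAYS, near_ratio=NEAR_RATIO):
    """Flag customers whose sub-threshold cash deposits inside a rolling window
    add up to more than the threshold and include at least two 'just under'
    deposits. Returns {customer: (window_start, window_total, near_count)}."""
    by_cust = defaultdict(list)
    for cust, day, channel, amount in txns:
        # deposits above the threshold are already CTR-reportable on their own
        if is_cash(channel) and amount <= CTR_THRESHOLD:
            by_cust[cust].append((day, amount))
    flagged = {}
    for cust, deposits in by_cust.items():
        deposits.sort()
        for start, _ in deposits:
            end = start + timedelta(days=window_days)
            window = [a for d, a in deposits if start <= d < end]
            total = sum(window)
            near = sum(1 for a in window if a >= near_ratio * CTR_THRESHOLD)
            if total > CTR_THRESHOLD and near >= 2:
                flagged[cust] = (start, total, near)
                break
    return flagged


if __name__ == "__main__":
    for cust, day, total in ctr_candidates(TRANSACTIONS):
        print(f"CTR due: {cust} on {day}: ${total:,}")
    for cust, (start, total, near) in structuring_candidates(TRANSACTIONS).items():
        print(f"Structuring review: {cust} from {start}: ${total:,} "
              f"in {near} near-threshold deposits")
```

On the constructed ledger, C001 trips the daily aggregate (two same-day deposits totalling $10,500) and gets a CTR but is not a structuring candidate, because neither deposit sits in the near-threshold band; C002 never crosses $10,000 on any single day and so produces no CTR, which is exactly the pattern the structuring check exists to surface for SAR consideration. The wire for C003 is ignored by both checks because it is not currency.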

Recent Headlines

• FinCEN assessed roughly $75 million in nonconcurrent AML penalties in 2018, including $5 million against Swiss lender UBS’ New Jersey-based brokerage, UBS Financial Services, for failing to implement an AML program designed to prevent clients from using securities accounts to move funds instead of making trades.

• In February 2018 U.S. Bank National Association agreed to pay $528 million to federal regulators and the Justice Department for manipulating its monitoring software to limit transactional alerts, short-staffing its compliance department, quashing internal dissent and withholding incriminating information from the OCC.

• In January 2018 the Federal Reserve fined Taiwan’s Mega International Commercial Bank Co. $29 million for AML violations and deficient risk-management practices.

• Deutsche Bank offices were searched in November 2018 as part of a money-laundering investigation, the latest example of an allegedly siloed compliance culture in which suspicious activity reports were allegedly not handled as required. In 2017, the bank paid a $425 million fine in New York for helping clients of its Moscow office illegally move $10 billion out of Russia, and the Federal Reserve fined Deutsche Bank $41 million for failing to have an effective system for complying with bank secrecy laws and laws to prevent money laundering.

• The New York State Department of Financial Services, or DFS, collected the most AML-related penalties in the United States for the third year in a row, led by the $420 million assessed against Société Générale as part of the total $1.3 billion in outlays the French lender made to the state regulator, the Justice Department, the Treasury Department’s Office of Foreign Assets Control, or OFAC, and the Fed. The $81 million fine disclosed against Société Générale in November 2018 for violating U.S. sanctions against Cuba represents the largest action concluded by the Fed in terms of value.

• And there are a lot more stories out there…

18

Individual Liability

• Thomas Haider, former MoneyGram CCO

– Personally fined $1 million by FinCEN (2014)

– Paid $250,000 as settlement (2017)

• Dirceu P. Magalhaes, former private banking senior manager for Royal Bank of Canada

– Personally fined $100,000 for not conducting adequate due diligence on the transactions or on the parties to the transactions, among other violations (2018)

– Prohibited from future participation in any manner in a U.S. financial institution of any kind

• Janet Chu, former chief financial officer for Merchants Bank of California

– Personally fined $35,000 for allowing a currency dealer to circumvent account-opening procedures (2018)

– Four other Merchants Bank executives targeted in OCC investigation

• Robert Eide, former Aegis CEO

– Personally fined $40,000 by SEC (2018) (alleging violation of Exchange Act Rule 17a-8, which mandates that broker-dealers comply with the SAR reporting requirements of the BSA)

– Company fined $1.3 million

• Linda Busby, former RJFS Inc. AML compliance officer

– Personally fined $25,000 by FINRA and suspended for three months (2016)

– Company fined $17 million

19

The Compliance Challenge

• Internal conflict between profit objectives of key stakeholders and compliance objectives.

• New resources are always needed to keep pace with the criminals

• Must meet new regulatory expectations – increased accountability

• Investors demand greater transparency and integrity

• Organizations work in silos; for example, responsibility for preventing financial crimes is assigned to a single department instead of engaging the entire organization.

20

Scenario: But I Know This Customer

A customer wants to establish a sizable relationship with a financial institution. The AML officer is not comfortable with the client's explanation for the source of the funds, but the client manager is vouching for the client and is eager to open the relationship quickly. What should the AML officer do to validate the client's sources of funds?

A. Accept the client manager's approval of the client.

B. Allow the account to be opened but be sure to monitor the account activity.

C. Perform a background investigation to determine whether the client's source of funds is credible.

D. Decline the account.

21

The Silos

• Silos can be both vertical and horizontal

• Separate organization structures support individual risk types

– Money Laundering

– Sanctions Compliance

– Account/Card Fraud

– Internal Fraud

• A silo-based approach is less likely to stand up to attacks that cut across multiple business lines

• Silos make the organization unable to spot trends or patterns of behavior across the organization as a whole

22

Common Silo Issues

• Business decisions are made without taking into account compliance issues

• Customer complaints are not escalated or tracked

• Lawsuits, subpoenas and investigatory requests are not properly taken into account

• Technology is implemented without consideration for compliance obligations and functions

• Risk assessments do not give enough weight to regulatory risks

• Customer service is not sufficiently addressed when new processes or systems are added

• The Compliance Department is not provided access to full customer information held in other departments

23

Why Break Down the Silos?

• Silos limit the sharing of information within an organization

• Customers are not static, and shared information provides better customer security and monitoring

• Promotes understanding of the customer relationship end-to-end

• Moves companies away from the “transaction-based” relationship into a “holistic” relationship

• Allows triangulation of customer information

24

5 Steps to Breaking Down Silos*

• Create a Unified Vision

– Move from a “my department” mentality to an “our organization” mentality

– Executive teams must buy in and lead the employees

• Work Towards Achieving a Common Goal

– Focus on contextual issues, not behavioral issues

– Identify true barriers and don’t get sidetracked

• Motivate and Incentivize

– Communicate to employees how the changes will improve the organization

– Customize incentives to match work functions

• Execute and Measure

– Empowerment and accountability are key

– Use routine and constant reinforcement

• Collaborate and Create

– Keep meetings on task but encourage creative problem solving

– Encourage collaboration through informal sharing – keep the team thinking

*Based on an article by Brent Gleeson, Forbes, available at https://www.forbes.com/sites/brentgleeson/2017/06/20/why-silos-kill-the-ability-to-communicate-a-unified-vision-and-5-ways-to-eliminate-them/#469b1cdc29a4

25

Communication is Key

• Engage with the C-Suite and organizational leadership

• Provide visibility to compliance challenges

– Explain why certain processes are necessary

– Build the explanation around legal and regulatory requirements

• Create an iterative risk management process that involves all stakeholders

– “Bake-in” compliance to products and services

– Ensure that the Compliance Department is involved in key decisions

26

People, Processes, Technology and Data

• Create a central and consistent environment based on three building blocks:

– Data

• Share across AML, fraud, sanctions compliance and cybersecurity

• Establish common standards and controls that account for applicable data protection laws

– Models

• Link models to provide a holistic view of the customer

• Use AML and fraud prevention data to validate or disprove conclusions from other organizational units

– Workflows

• Develop a consistent enterprise-level case management system

• Use a central hub for investigations and action plans – eases internal bottlenecks

• Pooling cross-organizational data can lead to:

– Identification of patterns through linking of activities across risk categories, business lines and geographies

– Proactive system and process enhancements to address emerging trends

– Ability to efficiently respond to attacks

– Timely responses to internal and external requests for information

– Increased efficiency in business functions

27

The Account Life Cycle

28

Scenario: The Subpoena Black Hole

A company is renewing a large contract with a business partner. Over the past year, the Legal Department has received multiple subpoenas related to the business partner’s transactions.

What are the potential issues?

29

Strategies: Moving from Reactive to Proactive

• Tie each compliance function back to a legal or regulatory requirement or company policy

• Listen to concerns from stakeholders and document discussions

• Have a process to deal with requested “exceptions”

• Put together cross-department teams to:

– Develop compliance strategies

– Address emergency situations

– Participate in the risk assessment process

30

The First Tool: Risk Assessment

• A Risk Assessment is a thorough look at your organization to identify those activities, situations, processes, etc. that may cause harm.

• Risk Assessments are very important as they form an integral part of a compliance program. They help to:

– Create awareness of the risks faced by an organization as a whole.

– Identify who may be at risk (e.g., customers, business operations, the public, etc.).

– Determine whether a control program is required for a particular risk.

– Determine if existing control measures are adequate or if additional measures are needed.

– Prevent losses to customers, the business and third parties, especially when done at the design or planning stage.

– Prioritize risks and control measures (e.g., budgeting, deployment of resources, etc.).

– Meet legal requirements where applicable.

• Make the Risk Assessment process a cross-department exercise

– Create a repeatable, documented process.

– Use surveys and periodic meetings to identify new or changing risks.

– Leverage existing internal processes to obtain efficiency.

31

Risk, Risk and More Risk

• Legal and Regulatory Compliance Risk

• Operational Risk

• Credit Risk

• Market Risk

• Asset and Liability Management and Liquidity Risk

• Insurance Risk

• Reputational Risk

• Concentration Risk

32

The Risk Assessment Process

• Identify the risks

• Determine who might be harmed and how if a risk event occurs

• Evaluate the risks and implement control measures

• Record the risk assessment findings and implement them

• Review your assessment and update periodically or as necessary

33

Risk within the Risk Assessment

• Assume that regulators and law enforcement will see the risk assessment process and documents

• An inadequate risk assessment process can become a liability if:

– The organization was aware of a particular risk but didn’t take sufficient mitigation

– Key departments or employees were excluded from the process

– Risk mitigation or elimination strategies are inconsistently applied

– Business interests are elevated over consumer protection and compliance requirements

– Insufficient resources are provided to address legal and regulatory risks

– The risk assessment process is conducted infrequently or becomes stale

• Ensure that risks to consumers and the public are prioritized!

34

Scenario: Not Enough in the Budget

The 2019 Risk Assessment identifies a growing risk of accounts being compromised by fraud scams. The AML Compliance Officer states in an e-mail that there are not enough employees to address the increase in fraud. The CFO replies that the organization is looking to find cost savings by consolidating compliance employees’ job responsibilities and hiring more employees is not an option.

What are the potential issues?

35

Too Much Communication?

• Provide outlets for employee concerns

– Hotlines

– Internal escalation process

• Establish policies on appropriate e-mail communications

– Stick to the facts; don’t make assumptions

– Avoid sarcasm and hyperbole

– Ensure necessary stakeholders are included

• Manage communications with law enforcement and regulators

– Establish formal points of contact

– Document communications and results

– Meet deadlines for information requests

36

Scenario: No One Listens to Me

Members of the compliance team have regular communications with law enforcement. One team member remarks in an e-mail to an investigator that: “If you send me an e-mail saying the client is under investigation, I might be able to get management to finally take action.”

What are the potential issues?

37

Building Off the Four Pillars

The BSA requires FIs to implement an effective compliance program. The program must include, at a minimum:

1. Internal controls to ensure ongoing compliance

2. Designated person responsible for coordinating and monitoring the compliance program (AML Officer)

3. Training

4. Procedures for independent testing

38

Keep a Pillar from Becoming a Silo

• Compliance processes should not become mini-silos

• Engage in intradepartmental information sharing

• A good example:

– Employees responsible for SAR filing share trends and feedback from law enforcement with employees responsible for transaction monitoring

– The AML Compliance Officer informs management of the trends, and sufficient resources are allocated to addressing the trends

– Trends and new monitoring procedures are incorporated into training for all employees

• In compliance there is no “business as usual” – especially when it comes to fraud, money laundering and sanctions evasion.

39

Internal Controls: Opportunities

• Educate employees about how transactions are monitored

– Can help evolve the culture of compliance

– Effects change through awareness

• Set triggers for the review of certain activities

• Use common methodology when identifying and scoring risk

40

Scenario: The Low Risk Product

The company is offering a new bill payment product. Three weeks before the “roll-out,” the sales team informs the Compliance Department about the new product but contends that it is low risk and, therefore, AML monitoring and sanctions screening are unnecessary.

What are the potential issues?

41

Scenario: Can’t We Turn It Down

A senior executive states that the OFAC sanctions screening software’s fuzzy match function is generating too many false-positives. She asks if the Compliance Department can move to “100-percent” name matching.

What are the potential issues?

42
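The scenario above turns on what "100-percent" name matching actually gives up. The following is an added example, not the presenter's code and not any screening vendor's algorithm, that runs a constructed watch list against constructed counterparty names under both approaches. The names are fictional and are not real OFAC SDN entries; the similarity score (difflib's SequenceMatcher ratio over a normalized form) and the 0.85 default threshold are illustrative assumptions, not a regulatory or vendor standard.

```python
"""Sanctions name screening: "100-percent" exact matching versus normalized fuzzy matching.

Added example for this transcript; it is not the presenter's code and not any
screening vendor's algorithm. The watch list and the counterparties below are
constructed for illustration and are NOT real OFAC SDN entries. Assumptions:
the similarity score is difflib's SequenceMatcher ratio on a normalized form,
and the 0.85 default threshold is an illustrative tuning point, not a rule.
"""
import re
import unicodedata
from difflib import SequenceMatcher

# Constructed watch list (fictional names, not real SDN data).
WATCH_LIST = [
    "Mohammed Al-Rashidi Trading Co",
    "ZELENKO, Ivan Petrovich",
    "Société Générale du Commerce Fictif",
]

# Constructed counterparties as they appear on payment instructions.
COUNTERPARTIES = [
    "Ivan Petrovich Zelenko",               # only name order and case differ
    "Societe Generale du Commerce Fictif",  # diacritics dropped by the sender
    "Muhammad Al Rashidi Trading Co",       # transliteration variant
    "Ivan Petrov",                          # innocent partial look-alike
]


def normalize(name):
    """Canonicalize so cosmetic differences cannot defeat matching: strip
    diacritics, fold case, replace punctuation with spaces, and sort tokens so
    'Surname, Given' and 'Given Surname' normalize identically."""
    decomposed = unicodedata.normalize("NFKD", name)
    stripped = "".join(ch for ch in decomposed if not unicodedata.combining(ch))
    cleaned = re.sub(r"[^a-z0-9 ]+", " ", stripped.lower())
    return " ".join(sorted(cleaned.split()))


def exact_screen(candidate, watch_list=WATCH_LIST):
    """The '100-percent' approach: a hit only on a byte-identical string."""
    return [entry for entry in watch_list if entry == candidate]


def fuzzy_screen(candidate, watch_list=WATCH_LIST, threshold=0.85):
    """Normalized similarity screen; returns (entry, score) pairs at or above
    the threshold, best first. Lowering the threshold raises recall and the
    false-positive rate together; that trade-off, not exact matching, is the
    knob the executive in the scenario is really asking about."""
    norm = normalize(candidate)
    hits = []
    for entry in watch_list:
        score = SequenceMatcher(None, norm, normalize(entry)).ratio()
        if score >= threshold:
            hits.append((entry, round(score, 3)))
    return sorted(hits, key=lambda h: h[1], reverse=True)


def compare_approaches(counterparties=COUNTERPARTIES, threshold=0.85):
    """Count counterparties that alert under each approach."""
    exact_hits = sum(1 for c in counterparties if exact_screen(c))
    fuzzy_hits = sum(1 for c in counterparties if fuzzy_screen(c, threshold=threshold))
    return {"exact": exact_hits, "fuzzy": fuzzy_hits}


if __name__ == "__main__":
    for c in COUNTERPARTIES:
        print(f"{c!r}: exact={exact_screen(c)} fuzzy={fuzzy_screen(c)}")
    print(compare_approaches())               # exact: 0, fuzzy at 0.85: 3
    print(compare_approaches(threshold=0.6))  # fuzzy at 0.6: 4 (Ivan Petrov becomes a false positive)
```

On this constructed data, exact matching produces zero alerts, including on a counterparty whose name is the listed name with the surname moved and a comma removed; normalized fuzzy matching at 0.85 catches all three evasions and still clears the innocent partial look-alike, while dropping the threshold to 0.6 adds that look-alike as a false positive. The practical answer to the scenario is to tune normalization and the threshold (and to keep good-guy lists and analyst feedback on cleared alerts), not to abandon fuzzy matching.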

Overlooked Resource: Internal Audit

• Common Complaints about Internal Audit

– No Subject Matter Expertise

– Rigid Review Findings

– Protective of Audit Findings

• Solutions

– Educate the Internal Audit Team

– Plan reviews in coordination with external Independent BSA Reviews and program developments

– Engage in regular communications

– Discuss how the Audit Report will be used

• Key Challenge – The Bad Report

– Assume that a regulator or law enforcement will receive the Audit Report

– Be careful about asking Internal Audit to change a finding; stick to the facts

– Always respond to the Audit Report in writing and document the actions taken to address the findings

43

Scenario: You Got It Wrong

Internal Audit’s Report of Examination found that the company failed to file a SAR in a number of instances where the AML Compliance Officer determined a SAR was not required. The AML Compliance Officer wants the Report changed to reflect her point of view.

What are the potential issues?

44

Class Materials

• Trends: https://www.moneylaundering.com/news/us-aml-enforcement-continued-climbing-in-2018/

• Enforcement Actions: https://www.fincen.gov/news-room/enforcement-actions and https://www.justice.gov/criminal-mlars/mlars-press-releases

• Tone from the Top: https://www.fincen.gov/sites/default/files/advisory/FIN-2014-A007.pdf

• Sanctions Compliance Overview: https://www.treasury.gov/resource-center/sanctions/Documents/framework_ofac_cc.pdf

• The Risk Assessment: Sample Legal, Regulatory & Compliance Risk Assessment (provided to class)

45

Contact Information

46

Matthew C. Luzadder, Partner

Kelley Drye & Warren LLP

Investigations and Compliance

(312) 857-2623

[email protected]
