What You Should've Learned at ACAMS - Days 2 and 3

Posted by Neal Reiter on Apr 13, 2017 6:00:00 AM

Summary: Days 2 and 3 discussed how ISIS is losing, cyber, the risks associated with banking marketplace lending, what a culture of compliance means, how to handle cyber-based extortion, fraud and ransomware attacks, and how AML personnel are dinosaurs.

ISIS is losing, and that’s not always a good thing    

Malcolm Nance, Former US Intelligence Officer and Counter-Terrorism Analyst for NBC News, discussed terrorism and how ISIS is losing. It’s losing its land and revenue. As a result, its ability to wage physical jihad is reduced, which is why it's even more important for AML professionals to be diligent about terrorist financing. Ghost Jihad, or attacks by small groups or lone wolves, is what’s next.

Nance then discussed the goal of terrorism: projection of power to scare others. That's why ISIS uses brutality from the 6th century. However, before they can harness global media they need money, and what AML professionals do is vitally important to preventing that from happening.


The convergence of Fraud, AML, and cyber, including the Darkweb

Just like fraud and anti-money laundering should not be siloed, cyber must also be combined with anti-money laundering programs. Today, 80% of IRS money laundering investigations have a digital component. Money launderers have moved online and, as a result, regulators expect IP addresses to be included in SARs.


The darkweb is not accessible using standard browsers. What this means is that you can't stumble onto the darkweb; you must purposely log in. The purpose of the darkweb is anonymity. For example, in Egypt you can be arrested for criticizing the president, and using the darkweb provides a much greater degree of anonymity. However, it can also be used to sell illegal drugs online.

Chief Richard Weber of the IRS Criminal Investigation Group discussed how the IRS monitors the darkweb, where fraudsters communicate about how to file false income tax returns, what works, where the security vulnerabilities are, etc.



No one’s banking Crowdfunding and Marketplace lenders

Crowdfunding and marketplace lending have permeated American culture; Indiegogo, Lending Club and Funding Circle are household names. In 2015, crowdfunding sites alone raised $34B. However, they are still considered high-risk by banks.

In a room with over 100 bankers, not one admitted to banking either crowdfunding sites or marketplace lenders.

Brian Stoeckert of Stratis Advisory led the panel that talked about the risks. Questions banks can ask to surface potential risks:

  1. Where does the company reside? Do you consider it high-risk?
  2. Who are all the co-founders? Are they PEPs? What is their location?
  3. Is the workforce distributed? Do they work in acceptable locations? For example, there are a large number of software engineers in Iran.
  4. Who funded the company? Often wealthy individuals, but what if it’s a PEP or a shell company? Do you know the beneficial owners?
  5. Will you mandate their compliance posture? Banks hold a significant amount of leverage over how the company can operate, and a majority of these companies aren't regulated in any way.
  6. Do you understand the risks? Banks understand compliance risk, but it’s the company risk that you must understand: (a) Do they have enough funding? 90% of start-ups fail; (b) pressure to increase market share trumps everything, including compliance; (c) companies may pivot 7 times in 6 months.
  7. Where are their customers going to be?

A little preparation goes a long way when it comes to cyber-based extortion, fraud and ransomware attacks.

This session discussed the following:

  • Threat environment
  • Defense/Response Strategies
  • FinCEN’s Regulatory Guidance

Threat environment - The main way criminals access accounts isn't hacking into them; it's actually much less impressive.

  • Credential replay: Individuals reuse the same username and password across sites; 73% of people use passwords across multiple sites, and 50% use one for all sites. With data breaches, usernames and passwords are readily available.
  • Phishing: There was a 308% YoY increase in phishing attacks.

The proper defense/response strategies if your Financial Institution gets accessed.

The average breach costs $221 per record. Here's a breakdown of what can increase or decrease that cost:


Response Differentiators:

1) Incident Response Team: Document who the key personnel (legal, compliance, external, InfoSec) are and what their role is in the event of a breach. This should be regularly reviewed.

3) Training your staff on what to do, running drills.

4) Business Continuity: manage downtime in event of breach.

5) 3rd Party Involvement: 25% of breaches are via 3rd parties. It is important to ask anyone with access to your data how they’re storing it and who has access.

6) Cloud Migration: Consistent pattern of lack of rigor when it comes to privacy.

7) Rush: You must follow the regulatory requirements for reporting, but be mindful of the message; you don't want wrong or inaccurate information to go out. After the OPM breach there were 5 emails that went out.

Regulatory Guidance:

FinCEN:

  • They don’t believe cyber and AML are different things. Traffickers are using cyber means to achieve their goals.
  • Guidance released because AML departments weren’t collaborating with cyber security units.
  • Upgrading the SAR form with more fields related to cyber.

Analysis of the SWIFT attack showed creative use of offshore jurisdictions. A dissolved Hong Kong company transmitted wires to a Chinese company incorporated in Samoa, and the directors have Chinese names and addresses in Saudi Arabia.


AML staff and regulators are dinosaurs

FinTech: Companies using technology to improve existing financial services.

RegTech: Companies whose purpose is to support companies with regulatory requirements.

RegTech is here because if you can improve a large FI’s processes by 5%, that’s a huge lift. However, at this point in time it’s regulators who are the roadblock. For example, Suspicious Activity Reports (SARs) are produced for law enforcement, but it’s regulators who judge their quality. FIs were described as a restaurant that has to cook for the health inspector instead of its patrons. As a result, innovative solutions don’t have the confidence of regulators and must be run in parallel.

However, no one expects this to continue in the future. Even in five years the technology will drive a very different process that reduces cost and provides better information in a more timely manner. This will be endorsed by law enforcement, as they're the consumer and it helps them perform their job.

Part of this involves a new type of AML staff. This is already apparent in companies like AirBnB that pair data scientists with experienced AML staff. In the future these roles will merge, with AML staff learning data science and how to create different kinds of machine learning models, including linear regression, supervised, unsupervised and neural nets.


No one can define 'Culture of Compliance' but regulators know it when they see it.

This session put details to the amorphous term, because there's no checklist; instead it's up to the discretion of the examiner.

Here's what the regulators say:

FinCEN:

  • Commitment of an organization's leaders
  • Risks are not compromised by revenue interests
  • Every senior executive must know how its reporting is used and how the compliance program is being tested

OCC:

  • Culture that does not condone or encourage imprudent risk taking, unethical behavior, or the circumvention of laws, regulations, or safe and sound policies and procedures.

Holds employees accountable, including the board:

  • Set expectations for desired behaviors, convey the expectations, and ensure those behaviors are linked to performance reviews and compensation practices.
  • Promote clear lines of authority and accountability.
  • Hold management accountable for the transparent and timely flow of information.

To promote a sound corporate culture, management should:

  • Reinforce the corporate culture with all employees.
  • Integrate the culture into the bank’s strategic planning process and risk management practices.
  • Ensure continuous employee communication and training regarding risk management practices and standards of conduct.
  • Report and escalate material risk issues, suspected fraud, and illegal or unethical activities to the board.

FINRA:

  1. Whether control functions are valued within the organization
  2. Whether policy or control breaches are tolerated
  3. Whether the organization proactively seeks to identify risk and compliance events
  4. Whether supervisors are effective role models of firm culture
  5. Whether sub-cultures (e.g. at a branch office, a trading desk or an investment banking department) that may not conform to overall corporate culture are identified and addressed.

Here's what practitioners say:

1) Combination of work environment, company mission, value, ethics, expectations, and goals

  • Compliance Officer must have authority and independence.
  • Companies will have policies and procedures, but there are holes from the top down and the bottom up.
    • Top down - had a committee, but no review of policies and procedures; check the box
    • Bottom up - no understanding on the business level, no training on what the issues are, no ability to escalate issues such as bad sales practices
  • Seat at the table in all major discussions including development of new product or marketing
  • Employee evaluation process to help promote risk culture

2) Personality of an organization

  • Must establish an identity
  • Are you having in-depth conversations about your highest risk?
  • Are you putting difficult decisions on table and making tough calls?
  • Can staff escalate issues up the chain?
  • How engaged are senior executives, and how engaged is middle management?

3) Way an organization perceives the world and responds to events

  • Are things swept under the rug?
  • Infighting between business and compliance
  • If there’s a problem, how are you turning it around?
    • Culture change takes 5+ years
    • Sometimes it’s getting external trainers & training for everyone

4) Norms & values that drive behaviors within an organization

  • What's your risk appetite?
  • Are staff rewarded for finding errors?
  • Are fines considered a speeding ticket or a red flag?
  • Can business/compliance self-identify issues? If so, do they get credit?


Without a doubt, ACAMS is always a great place to learn, meet industry professionals, and even refresh our AML knowledge. We hope you’ve found this summary helpful - and don’t hesitate to contact us if you have further questions. We look forward to seeing you there next time around!