Which way next?

inCOMPLIANCE® Issue 35

Your magazine from the International Compliance Association

Compliance… and beyond (p.12)

#FixFacebook (p.27)

Getting personal (p.33)

£4.95 where sold separately




Editorial Board

Kathryn Cearns, Independent Consultant, [email protected]

Jee Meng Chen, Commerzbank, [email protected]

Jacob Ghanty, Kemp Little LLP, [email protected]

Tim Porter, Director, TPA (Consulting) Ltd, [email protected]

Tom Salmond, Ernst & Young LLP, [email protected]

David Symes, Compliance Recruitment, [email protected]

Rachel Waldren, ANZ, [email protected]

inCOMPLIANCE® Issue 35

Publisher: International Compliance [email protected]

Editor: James [email protected]

Design: Design & Document [email protected]

Production: Dorinda Gibbons & Sophy [email protected] [email protected]

Advertising Queries: Dorinda [email protected]

Executive President, International Compliance Association: Bill [email protected]

ICA Membership Enquiries: Jo [email protected]

ICA Qualification Enquiries: Debbie [email protected]

Article Enquiries [email protected]

International Compliance Association CPD - 2 points

Advice to Readers

inCOMPLIANCE® is published six times a year by the International Compliance Association. Reproduction, copying, extraction, or redistribution by any means of the whole or part of this publication must not be undertaken without the written permission of the publishers.

inCOMPLIANCE® is distributed as a free member benefit to all members of the International Compliance Association.

Articles are published in good faith without responsibility on the part of the publishers or authors for loss occasioned to any person acting or refraining from action as a result of any views expressed therein. Opinions expressed in this publication should not be regarded as the official view of the ICA or as the personal views of the Editorial Board members of inCOMPLIANCE®.

All rights reserved in respect of all articles, drawings, photographs etc published in inCOMPLIANCE® anywhere in the world. Reproduction or imitations of these are expressly forbidden without permission of the publishers.

Printed in England

Ready for GDPR?

James Thomas, Editor

It’s likely that your inbox has recently been inundated with messages from companies (many of which you may not recall providing your details to) asking you to reconfirm your subscription to their services (that you possibly don’t recall subscribing to in the first place). For many people this will have been the most visible impact to date of the forthcoming General Data Protection Regulation (GDPR). The increasing rate at which these emails have flooded into my inbox creates the impression of a panic ahead of the implementation of GDPR at the end of this month. Several recent studies tend to support this view.

According to research by ThinkMarble, “73% of UK businesses remain unaware of the lawful basis for processing data and 25% still do not know or are unsure of where the personal data that they are responsible for is currently held”. The same study found that 79% of businesses have not reviewed their data protection policy and 71% have not reviewed their privacy policy in preparation for GDPR, whilst 27% have no data protection policy in place.

Similarly, a survey by KPMG International, of senior legal counsel at 448 institutions, found that 54% felt that their businesses were not prepared for GDPR just one month ahead of the regulations coming into force. Moreover, only 10% had checked whether third-parties (including companies that they outsource their data processing to) are in compliance with GDPR. The coming weeks and months could prove challenging.


Contents

3 Editor’s comment: The advent of the General Data Protection Regulation later this month looks set to catch out the unprepared, writes James Thomas

6 ICA News: A roundup of the latest news and events from the ICA

8 Industry News: A summary of recent developments affecting Financial Crime Prevention, GRC, AML and CDD professionals

18 SM&CR: Is compliance still the place for a creative and challenging professional career, or will it become just another operations function? asks David Jackman

36 Career Corner: Keeley Fitzsimmons emphasises the importance of training and an organic growth model

10 ICA Award Ceremony

12 Compliance… and beyond: How can compliance make a difference? James Thomas reports from the ICA’s annual conference

21 A holistic view: Sally Afonso considers the dual character of compliance as both a function and a discipline, and its development in both emerging and established sectors and jurisdictions

23 Compliance after #MeToo: What are the implications of the recent #MeToo movement for compliance? Vera Cherepanova and David Symes debate the issue

27 #FixFacebook: Sites such as Facebook urgently need to get their act together. The Cambridge Analytica debacle is only the tip of the iceberg and the social media giants, as well as the leading search engine providers, have all built their houses on shaky foundations, writes Mark Johnson

REGULAR FEATURES IN THIS ISSUE


30 Moving to real-time: Banks and financial institutions can enhance the effectiveness of their AML processes by using real-time search tools to complement their use of static databases, writes Jane Jee

33 Getting personal: Thomas Wan Chee Kien considers the personal liability of compliance officers, and offers advice for those looking to protect themselves

39 Tales from the crypt: James Emery-Barker considers the issues surrounding the regulation of cryptocurrencies

41 The chronicles of planet integrity: Anastasia Savvateeva reports on the main highlights of the OECD Global Anti-Corruption & Integrity Forum 2018

Have you thought about writing an article for inCOMPLIANCE®?

Writing an article is a great opportunity to raise your profile within ICA and present a topic of relevance to your fellow members. Writing an article on anti-money laundering, compliance, financial crime or associated disciplines will also earn you valuable CPD!

Visit tinyurl.com/writeanarticle and download our document on Article writing tips and Blogging Best Practice to enhance your skills in this area and learn about structure, themes and writing style.

Please note: you don’t have to be an ICA Member to register your interest in submitting.

If you are interested in writing an article for inCOMPLIANCE, email us at: [email protected] and remember to include your full name and your topic of interest.


Celebrating Success

Bill Howarth, ICA Executive President

The ICA held the 21st Award Ceremony for graduating Members on 19 April, a ceremony that was attended by graduands from 21 different countries. As always, it was a great pleasure to officiate at this occasion and to welcome and celebrate with the Members and their families and friends.

The Award Ceremony was preceded by a Members’ Dinner the prior evening and a sell-out ICA Conference, entitled The Big Compliance Conversation, which focused upon the compliance engagement ICA is having with its global community on current issues impacting professionals today. I am delighted to report that the ICA membership has grown significantly following the launch of the new Membership Scheme and CPD Portal, and has increased by 8,000 since 2016.

I am looking forward to visiting our Members and partners in the Far East in May with events and meetings in Malaysia and Singapore scheduled.

The newly-constituted ICA Technical Advisory Board held its second meeting recently and, as part of its feedback, identified the key issues impacting on compliance professionals today. These are:

• Cyber security / cyber-enabled fraud

• Cryptocurrencies

• FinTech / RegTech

• Artificial intelligence and robots

• Multiple regulation implementation

• Culture

• GDPR

• Establishing cross border competence in global groups

• How to transform risk culture

• CDD in the digital world

• Vendor and third party management

• Bribery and corruption

• Recruitment

There is clearly a lot of work to do.

Bill Howarth, Executive President

ICA Policy Papers

ICA will be producing policy papers for submission to regulators and other stakeholder bodies, with a view to representing and furthering ICA Members’ interests within key policy debates. The first of these policy papers will be a response to the UK Financial Conduct Authority’s recent Discussion Paper DP18/2: Transforming Culture in Financial Services.

Reflecting the diverse views of ICA’s ever-expanding membership – while offering a positive, coherent and well-informed contribution to such debates – is of critical importance to us. In a forthcoming edition of inCOMPLIANCE® we will provide further details about how these policy papers will be produced, the procedures through which they will be approved, and the opportunities that will exist for Members to engage in the process.

City Week 2018

We attended and exhibited at the City Week 2018, International Financial Services Forum, in London in April. The conference sessions, delivered by influential speakers from the world of politics, banking and economics were topical, challenging and provoked profound debate amongst the delegates. Our representatives enjoyed discussing current issues and challenges with attendees and there was significant interest in the role ICA is playing in helping to professionalise compliance.

The Big Compliance Conversation

Don’t forget to read the write-up of our 10th Annual Conference in this issue (p.12) which forms part of the Big Compliance Conversation, our global initiative to get the compliance community talking about the issues of today and tomorrow. #BigCompConvo


ICA NEWS


Hong Kong Briefing Session

ICA hosted a briefing session on 1 March 2018 in Hong Kong. The keynote speech, by our Regional Director Andrew Glover, highlighted the changing consumer perceptions towards banking and financial institutions, and the current fast-paced regulatory environment. Andrew emphasised the importance of ICA qualifications and the need for compliance and AML training to bolster individuals’ competence standards and their ability to anticipate and manage future challenges.

Andrew also moderated a panel discussion centred on Hong Kong’s FATF Mutual Evaluation with three further industry experts: Vincent Tang, Director of Financial Services of Ernst & Young, Lisa Brander, Regional Head of AML of CLSA and AI Demeter, Managing Director of Bridger Intelligence Limited. The panellists highlighted the implications of the National Risk Assessment on money laundering and terrorist-financing which is an opportunity for senior management and all finance professionals to improve their understanding and assessment of risk control at various levels.

Given the weaknesses identified in the last Mutual Evaluation report in 2012, the panel expected to see changes to some aspects of the Anti-Money Laundering and Counter-Terrorist Financing (Financial Institutions) Ordinance (AMLO), including in the areas of new reporting requirements for designated non-financial businesses and professions (DNFBPs).

To maintain the effectiveness of Hong Kong’s financial system and AML control, the panel recommended raising the transparency and consistency of AML/KYC standards, broadening the knowledge and skills in enhancing customer due diligence (CDD) and ensuring the right level of scrutiny in organisations. They noted that FinTech, RegTech and information in wire transfers would make data transaction monitoring, onboarding and CDD processes more efficient, but that technological development also gives rise to underlying financial crime risks, which compliance practitioners must manage to stay ahead of the potential risks and opportunities for AML/CFT risk management. The audience raised many questions about the implications of more regulation and its application.

Look out for more hot topic sessions, events and conferences held as part of the Big Compliance Conversation.

Croatia and Slovenia

Following on from our news last issue about the launch of the suite of ICA Qualifications with our new partner, the European Institute for Compliance and Ethics (EICE), we ran briefing sessions about ICA qualifications in Zagreb and Ljubljana in March.

Many attendees have since become ICA Members and have signed up for an ICA qualification. We wish all students the best of luck with their studies and we look forward to working with EICE to continue developing the ICA community in this region.

New book by ICA’s David Jackman

ICA Strategic Adviser, David Jackman, has published a new book: Corporate Maturity and the Authentic Company. The book introduces the concept of ‘corporate maturity’, which offers a holistic view of an organisation’s performance, culture and resilience. It outlines a model of corporate maturity applicable to any sector and demonstrates how an organisation can enhance its maturity, particularly through a focus on ethics, good governance and community outcomes.


INDUSTRY NEWS

Cyber attacks growing more sophisticated

Cybercriminals are becoming more methodical and organised, according to the tenth annual Trustwave Global Security Report. The report reveals the top security threats, breaches by industry, and cybercrime trends of 2017 and highlights trends witnessed over the last ten years.

Notably, Trustwave found that there has been a move by cybercriminals towards more sophisticated attacks targeting head offices. Half of the incidents investigated involved corporate and internal networks (up from 43% in 2016) followed by e-commerce environments (30%), while incidents impacting point-of-sale systems decreased by more than a third.

The report also found a large disparity when breaches are detected internally versus externally. The median time between intrusion and detection for externally detected compromises was 83 days in 2017, a stark increase from 65 days in 2016. Median time between intrusion and detection for compromises discovered internally, however, dropped to zero days in 2017 from 16 days in 2016, meaning businesses discovered the majority of breaches the same day they happened.

https://www2.trustwave.com/GlobalSecurityReport.html

British Overseas Territories must publish ownership registers by 2020

The individuals behind companies established in the British Overseas Territories must be identified in public registers, following the UK Government's acceptance of a cross-party amendment to the Sanctions and Anti-Money Laundering Bill.

Under the amendment, any British Overseas Territory that has not already done so will be required to introduce a public register by 2020. However, a separate amendment, covering the Crown Dependencies, was not approved.

The move has been hailed as a major step forward in the fight against money laundering and tax evasion. According to Transparency International: “If counted together, the United Kingdom and its Overseas Territories and Crown Dependencies would top the Financial Secrecy Index, given the staggering scale of their undisclosed financial activities.”


IMF steps up engagement on corruption and governance

The International Monetary Fund (IMF) is developing a new framework for “stepping up engagement on governance and corruption”, according to Christine Lagarde, IMF Managing Director. In a recent paper, the IMF found that, while the principles underpinning its established governance policy were “the right ones”, implementation “was uneven”. “We did not always hold members to the same standard for similar actions,” she wrote in a blog announcing the framework. “Our analysis too often lacked clarity.” The new framework promises “more systematic, evenhanded, effective, and candid engagement with member countries”.

The framework will also consider the facilitation of corrupt practices by private actors. “To do this, we will be encouraging our member countries to volunteer to have their legal and institutional frameworks assessed by the Fund – to see whether they criminalise and prosecute foreign bribery and have mechanisms to stop the laundering and concealment of dirty money,” Ms Lagarde wrote, adding that all of the G7 countries, plus Austria and the Czech Republic, have volunteered for this assessment.

http://www.imf.org/en/Publications/Policy-Papers/Issues/2018/04/20/pp030918-review-of-1997-guidance-note-on-governance

FCA Business Plan published

The UK FCA has published its Business Plan for 2018/19, including seven cross sector priorities:

• Firms’ culture and governance

• Financial crime (fraud and scams) and AML

• Data security, resilience and outsourcing

• Innovation, big data, technology and competition

• Treatment of existing customers

• Long-term savings and pensions and intergenerational differences

• High-cost credit

The Business Plan also highlights the work being generated by Brexit, with the FCA stressing that “our EU withdrawal work outside our redeployed resources is £16m”.

MAS endorses updated Wolfsberg Questionnaire

The Wolfsberg Group’s updated Correspondent Banking Due Diligence Questionnaire (CBDDQ) has been endorsed by the Monetary Authority of Singapore (MAS). Published earlier this year, the updated questionnaire was welcomed by the Basel Committee on Banking Supervision, the Committee on Payments and Markets Infrastructures, the Financial Action Task Force and the Financial Stability Board.

Ms Ho Hern Shin, Assistant Managing Director, MAS, said: “The CBDDQ will enhance global access to finance and promote trade. We urge banks in Singapore to incorporate the questionnaire into their risk assessment process for setting up cross-border correspondent banking relationships.”

https://wolfsberg-principles.com/wolfsbergcb

RegTech MENA 2018 highlights potential and challenges of technology

By Tim Porter

The third RegTech MENA conference was held in Dubai on 23 and 24 April, with a broad cross section of speakers and panelists from financial institutions, consultancies and vendors making for an interesting range of ideas and views. Among the prevailing themes were:

• The undoubted potential of RegTech (although speakers emphasised the need to stay focused on specific use cases rather than thinking RegTech is the answer to all compliance problems)

• Local regulators are supportive and positive – the Financial Services Regulatory Authority of Abu Dhabi encouraged firms to come and talk to them, and others spoke of the need for collaboration between firms, the regulators and providers. It should be ok to test and learn, and even fail, as a blame culture will stifle innovation

• Vendors demonstrated the more obvious applications around on-boarding, CDD and screening, emphasising the potential to process data at speed and scale

• However, the challenges surrounding data were highlighted in terms of availability, quality and relevance, not to mention the integration challenges with legacy systems.

RegTech solutions need to be adaptable and flexible in order to keep pace with regulatory changes. However, regulators themselves are also becoming users of RegTech to strengthen supervision in areas such as market abuse detection (for example, the term ‘SupTech’ has been coined by the Monetary Authority of Singapore). An interesting question was raised around accountability for decision making underpinned by machine learning, but a number of speakers reminded us that there remains a human element to compliance.

Blockchain produced one of the more interesting panel discussions, with panelists noting that the Dubai government is creating a favourable environment for the development of blockchain technology, although the translation from proofs of concept to institutionalisation is a challenge.

https://www.regtechmena.com


Award Ceremony Roll of Honour

ICA hosted its bi-annual Award Ceremony at the prestigious Middle Temple in London on 19 April 2018, where students celebrated their success with friends and family. Those who had achieved Fellowship and Professional Member status were presented with their lapel pins and those who received special achievement awards were recognised. Thank you to everyone who attended and we congratulate all our students once again on their fantastic achievements.

ICA Advanced Certificate in Anti Money Laundering

Salma Abdulhakeem Albaghli, Velina Atanasova, Matthew Beard, Enos Bukuku, Sylvia Cowan, John Gillam, Ida Gjestrum, Suresh Vellore Harigopal, Catherine Judd, Nauman Khan, Peter Owusu-Appiah, Sherley Rivero, Kristin Rystad, Patricia San Miguel, Rachel Thompson, Samantha Ward, Vinay Wilfred

ICA Advanced Certificate in Business Compliance

Victoria Whitby

ICA Advanced Certificate in Compliance

Massimiliano Bosi, Darrell Carless, Sahar Badreddine Dandan, Chanel Dixson, Stacey Francis, Emma Hart, Shantal Khouri, Amanda Nock, Federica Rosa, Amina Tkhashokova, Julie von Barnekow, Maša Zalar


ICA Advanced Certificate in Managing Sanctions Risk

Jennifer Waterhouse

ICA Advanced Certificate in Practical Due Diligence

Astrid Battaini, Suganya Culleton, Adebayo Daniels, Phil Manwaring, Aleksei Poboinev

ICA Diploma in Anti Money Laundering

Adetutu Ajayi, Fathiya Al Balushi, Micin Ali, Phil Barrett, Lawrence S Buka, Aurangzeb Chaudhry, Ingema Edholm, Ephraim Ehrhardt, James Emery-Barker, Sydney Ferreira, Audrin Francis, Roberto Freiwald, Jemma Gibbons, Pedro Giraldo, Paul Goldsmith, Fatima Gray, Clarinda Grundy, Rachel Haywood, Ian Hutton, Doug Ing, Manpreet Kaur, Luke Lavender, Lauren Lee, Christopher Lindsay, Kelley MacNab, Andy Mulley, Mark Rilwan Onafeku-Badmus, Riitta Seppälä, Mithil Shah, Parminder Turna, Kay Whitewood

ICA Diploma in Governance, Risk & Compliance

Joanna Agius, Nadim Awad, Sian Barker, Palak Bedi, Nicola Childs, Janine Coupe, Neil Curtis, Nigel Darby, Martin De Ville, Dimitar Dimov, Emma Gibson, Mark Johnson, Stuart MacBride, Andrew Mason, Donna Moore, Mary-Ann Ooi Suan Kim, Amanda Osuagwu, Bibi Pearce Johnson, Sonata Petniunaite, Yanan Qiu, Nadesu Ramesh, Antonia Rontogianni, Adrian Rutter, Stephan Schaefer, Valada Tsoukia, Peter Yates

ICA Diploma in Financial Crime Prevention

Salim Al Mushaifri, Halima Balushi, Sean Beer, Tim Bescoby, Tracey Carty, Esther Chukwuocha, Carmen Garcia-Nieto, Peter Hackney, Louise Harper, Yulia Logue, Adele Schirinzi, Kim Sparks, Amanda Toop

ICA Professional Postgraduate Diploma in Financial Crime Compliance

Gino Camporese, Jean-Phillippe Coste, Tyrone Griffiths, Jane Ngan, Gloria Perez Torres, Marta Requeijo, Ilham Tamimi, Neil Whiley, Yogita Yadav

ICA Professional Postgraduate Diploma in Governance Risk & Compliance

Doris Bajah, Simon Boyle, Samantha Dewhurst, Christopher Dimbylow, Mark Everard, Vladimir Gromov, Esperanza Hernandez, Bahare Heywood, Robert Kurau, Darren McInnes, Sian Wright

ICA Fellows

Osa Aiwerioghene, Samantha Dewhurst, Mark Everard, Vladimir Gromov, Bahare Heywood, Marta Requeijo, Ilham Tamimi, Neil Whiley, Yogita Yadav


Outstanding Achievement Awards

Matthew Beard: ICA Advanced Certificate in Anti Money Laundering

Jennifer Waterhouse: ICA Advanced Certificate in Managing Sanctions

Phil Barrett: ICA Diploma in Anti Money Laundering

Stuart MacBride: ICA Diploma in Governance Risk and Compliance

Louise Harper: ICA Diploma in Financial Crime Prevention


ICA ANNUAL CONFERENCE


Compliance… and beyond

How can compliance make a difference? James Thomas reports from the ICA’s annual conference

Conversations about compliance – big and small – often focus on its current challenges and future role, and on the opportunities that exist for compliance to establish itself as a key strategic adviser to the business, whether through supporting a culture that ensures the ‘right’ outcomes for customers, through minimising regulatory sanctions and the associated reputational damage, or through otherwise leveraging competitive business advantage.

The ICA’s 10th annual conference – The Big Compliance Conversation, which took place on 19th April – invited delegates to expand the discussion still further, to look beyond the boundaries of their organisations at the broader contribution that the profession can make to society, for example through raising awareness of key issues and through sharing information with other organisations and regulatory authorities.

Conversation and community

The concept of ‘working beyond organisational boundaries’ recurred throughout the day, in various guises. As Bill Howarth, ICA Executive President, explained in opening the event, the ICA is building towards its 2020 vision, “taking stock of where compliance is and where it’s going” and, having added many new members over the last 12 months, a big part of that vision and strategy involves “building communities”.

Picking up on the theme, keynote speaker, Tom Cardamone, Managing Director of Global Financial Integrity, asked the audience: “How can we look beyond the rules and regulations to ensure global financial integrity?” The problem of illicit financial flows is showing little sign of abating, he argued. “We are surrounded by illicit money and most people don’t recognise it, and when they do it’s often met with a shrug,” he suggested. “Even those of us with a professional involvement in financial crime prevention can become immune due to the constant ‘drip, drip, drip’ of news.”

Cardamone: Consider being advocates within your institutions to try to get them to be more active in this area, to try to address the opacity in the global financial system

Global Financial Integrity estimates that volumes of illicit money coming out of developing countries have increased by approximately 6% per annum on average since 2008. Significantly, he suggested, this has been facilitated by the financial system. “It is legal in most countries to have an anonymous shell company,” he said. “We have created this. But I have yet to see a convincing argument as to why somebody would need to have an anonymous shell company. ‘Offshore’ has become a euphemism for opacity, and it is that opacity that I believe is the great scourge of the financial system.”

He outlined the scale of the task of reversing this trend, suggesting that “since the financial crisis, anonymous

Box 1: How can technology help compliance?

The impact of rapid technological developments upon the role of compliance has been a key consideration within the Big Compliance Conversation to date. A panel session followed the keynote presentation, which examined the question: “How can technology help compliance?”

Chairing the panel, Pekka Dare, Director, International Compliance Training (ICT), Learning and Development, asked the panel for their views on the impact of RegTech and FinTech, whether it would result in a “bloodbath” of compliance practitioners, or whether it would enable the profession to work better and combat financial crime more effectively in the future.

The panel – which included individuals from both a practitioner and a vendor background – offered a range of perspectives. According to Justin Hunt, Digital Leadership Forum, RegTech and FinTech represent an “incredible opportunity” for individuals in compliance to shape the future of innovation. However, he did concede that the complexity of such technologies nevertheless presents obstacles. A fundamental question is whether it will be possible to understand how and why such systems arrive at the decisions they reach. “The technology itself is very difficult to understand, and it’s going to be challenging to understand why AI makes particular decisions to help you fight financial crime,” he said, adding that “Organisations will be looking to ‘best of breed’ third party providers for AI services, but the difficulty is that there are bound to be situations where the complexity of the AI decision-making will not be easy to interpret. It won’t be completely possible to understand why the machines are making the decisions that they are making.”

Such concerns prompted a question from the floor, from Kevin Parle: if nobody actually understands how the technology is working, is that compatible with accountability requirements under the Senior Managers and Certification Regime? The answer is, as yet, not completely clear, not least because the regulators themselves are also playing ‘catch up’ in terms of developing an understanding of these technologies (although, as Mark Dunn, Head of Entity Due Diligence and Monitoring, Lexis Nexis, suggested, initiatives such as the FCA’s regulatory sandbox and Innovate project show that the regulators are starting to educate themselves).

From a practitioner perspective, the associated absence of regulatory ‘soft’ endorsement of new technologies creates a further potential disincentive to their adoption, on top of any uncertainties surrounding both the capabilities of these technologies and their functioning. According to Vivek Padmanabhan FICA, Head of Compliance, Transaction Banking, AME, Standard Chartered: “Five or ten years ago when banks were using, say, LexisNexis or WorldCheck to do their screening, the regulator wouldn’t ask us to understand the mechanics of how those systems worked. Vendors would create systems that regulators would have confidence in.” However, as Mr Hunt remarked, regulators “will not approve a single ‘best of breed’ provider because the risk of having one algorithm serving the whole system is too great. There needs to be a diversity of suppliers.”

A further challenge with technologies involving machine learning revolves in part around that recurring theme of the conference: 'sharing'. According to Mr Hunt: “Software used to run on the fact that it just followed orders. The big difference with machine learning is that the programmes learn from the data that you provide them with, so they need ‘test and learn’ environments, piloting, and proofs of concept.” Because those in the financial sector are accustomed to keeping data to themselves, this may prove hugely challenging to achieve in practice, holding back the development and diffusion of these technologies.

Greater collaboration, between vendors and practitioners, will also be needed, to ensure that vendors create systems that are both fit for purpose, and that can be readily understood and accessed. Preferably, systems should provide a holistic solution. According to Mr Padmanabhan the compliance function has reached a “crunch point”. “Traditional models have really been challenged since the financial crisis, and the people cost of compliance has really increased,” he said, “but there have been very limited benefits to existing cost reduction strategies. A lot of us have siloed, single purpose systems, and this is a problem I have seen with a lot of the vendors too. Can vendors offer us more integrated solutions?” Mr Hunt suggested that “vendors need to make sure that what they deliver is friendly and easy to use, and the compliance community must push back and make this clear to the vendors”. This problem remains some way from being solved, suggested Neil Marshall, Data & Screening Specialist, Finscan: “The systems we put in place ten or fifteen years ago, while starting out with the best of intentions, were not necessarily the answer. We have ended up with ‘remediation factories’. We’ve still got the same problems, we’re just throwing more people at it.”

And what of the feared “bloodbath”? On that issue the panel was unanimous. As Mark Dunn explained: “The role of compliance is here to stay, because no matter how clever the machine is, you will have to have somebody driving it.”


ICA ANNUAL CONFERENCE

shell companies have boomed… perhaps the crisis provided an impetus for people to move their money offshore”. He added that, even where steps have been made to improve transparency, implementing such measures has, in practice, fallen short. While praising the UK for leading the way in developing public beneficial ownership registries, he reminded the audience that 4,000 toddlers are currently listed as UK business owners. “It’s wonderful to have a registry, but if it’s not accurate and you can game the system fairly easily, then it’s not effective,” he remarked.

Mr Cardamone called on delegates to “consider being advocates within your institutions to try to get them to be more active in this area, to try to address the opacity in the global financial system”. This, he suggested, requires action at the local, regional and global level. Notably, at the regional level, he urged financial institutions to engage in greater information sharing, and in better communication between industry and government. He also suggested that compliance practitioners can help to create the political will to drive change.

Finally, a question from the floor highlighted the competing demands that compliance professionals must currently juggle, namely how to balance the transparency initiative against the right to privacy (to the forefront of many people’s minds, given the GDPR). “I’m all for privacy,” replied Mr Cardamone. “My bank account is private. But it’s not secret. Privacy is a good thing. But we have seen over and over the harm that secrecy does.”

Who shares wins?

The theme of information sharing carried across into ICA Fellow Dr Steve Strickland’s presentation, “Is it time to ‘Go Beyond Compliance’?” Explaining his decision to join Deutsche Bank as Director of Anti-Financial Crime, he suggested “the bigger the problem, the more motivated I am”, and throughout his talk he highlighted how his background at the City of London Police has influenced his approach to his subsequent career in industry, both at Barclays and within his current job.

“Do we consider our role as being to protect our organisations, or is it something different?” he challenged the audience. “Who would describe their role as being a key component of the criminal justice system? I was when I was a police officer, and I would say the same now. And that is fundamental to what I do and how I look at the challenge. If you’re only looking at it through the lens of protecting your organisation, you are not going to make a difference.”

The Joint Money Laundering Intelligence Taskforce (JMLIT) provides a prime example of “going beyond compliance”, he suggested. “It’s a voluntary public-private sector initiative, and membership is not mandated by regulation or legislation,” he said. “It’s a time commitment, so why would you do it? Because you want to make a difference. I have people dedicated full-time to JMLIT. It’s our commitment to making a difference. It’s how we take an active part in the criminal justice system.”

Holding open town halls provides a further example of Deutsche Bank’s commitment to sharing information with other banks. “If you don’t share this information you are not preventing criminal activity, you’re just displacing it,” he argued. Such activities may go against traditional commercial objectives, and a question from the floor asked how compliance can achieve buy-in for them. Mr Strickland suggested that past failures provide an opportunity to emphasise the value-add of compliance. “I’m lucky, because Deutsche Bank is one of those banks that is in the spotlight,” he said, “and any bank that has problems will be more prepared to listen. When your management board see nothing but bad press, good news carries huge weight.”

Communication and culture

The challenge of influencing the business formed a centrepiece of the next presentation – How can you work with the business to develop a compliance culture? – delivered by ICA Fellow Julie Sadler, Managing Director, Bankhall.

“Compliance as an influencer is down to you,” she said. “There are probably no tangible outputs you can provide other than your board reports, so it is a tough role.” She emphasised the importance of communication and confidence as two ingredients essential to influencing compliance culture. In terms of the former, she stressed the importance of quality written work, as well as of verbal skills. “A lot of how you embed compliance within your business depends on the meetings and conversations that you have,” she said,

Strickland: If you don’t share information you are not preventing criminal activity, you’re just displacing it

Sadler: Compliance and confidence go hand in hand


“Give your team training on how to communicate better with others.” Good communication is not only about what you say, it is also about how you say it. “How easy is it for you to feel your blood pressure going up when you can see something is not right and nobody is listening to you?” she asked. “Always be non-emotional when you’re working with the business and providing feedback.”

When communicating the importance of a compliance culture, the word ‘compliance’ may itself be a hindrance. “What is a ‘compliance culture’?” she asked. “The ideal position is where the word ‘compliance’ never needs to be said, because the ethos and trading of your business is built around wanting to do the right thing and delivering the right outcomes. I think the word compliance is seen to be a negative, and that’s historic. But if you replaced it with ‘doing the right thing’ business leaders might be pleasantly surprised. When we say ‘you need to comply’ that can get people defensive right away.”

Good communication requires confidence, which is also fundamental to managing stakeholders and retaining your independence. “Compliance and confidence go hand in hand,” she explained, adding that compliance officers need the confidence to flag up culture problems where they have tangible evidence of them. “It’s tough in compliance, because you’re managing so many relationships,” she continued. “Decisions are made by people that have got the right level of influence but also the right level of credibility within their business. You must make sure you have clear stakeholder management with the right personnel within your business. Be seen at the right meetings, be a leader, and have courage.”


Box 2: Further discussion

Following the panel session, the conversation continued within a range of concurrent breakout sessions. Paul Asare-Archer FICA, Head of Compliance, Telefonica UK (O2) described the characteristics of a high performing compliance team and explained how to build one. Cherise Cox-Nottage FICA, Executive Director, Head of Legal and Compliance Departments, UBS Trustees (Bahamas) Ltd, reflected on the fallout from the Panama/Paradise Papers and sought to challenge erroneous and anachronistic perceptions of the Caribbean, such as: "Your AML/CFT Regimes are not up to 'our' legal and regulatory standards"; "There's all sorts of illicit cash and crime proceeds awash in your nations"; and "You all look alike to me". To demonstrate her point she compared a 2017 OECD Peer Review Report on Germany against one for the Cayman Islands.

David McClean, Joint Deputy Head of Enforcement and Engagement, OFSI HM Treasury, offered an overview of OFSI developments over the last 12 months in the areas of implementation, outreach, compliance and licensing, before providing a deeper dive into the sanctions regime against Iran and North Korea. He invited the audience to consider how they would respond to a range of scenarios, and gave advice regarding high risk indicators and behaviours, and approaches.

Adrian Burton FICA, Channels Business Risk Director, Community Banking Business Risk, Lloyds Banking Group, gave a presentation on execution risk, or “the risk that a company’s plans will not work… [which] usually applies at a time of change, for example, when introducing new systems or entering a new market” – concerns that will be to the forefront of practitioners’ minds in the current fast-changing operating environment. He offered advice on factors that risk teams should consider with regards to implementation planning, customer impact, colleague impact, external influences, and monitoring. Summing up, he urged delegates to:

• Define your change risk appetite and risk monitoring
• Establish appropriate governance
• Achieve clarity around the role of the accountable executive
• Plan around resource capacity and capabilities
• Create robust monitoring and measuring tools to assess post-implementation

David Brain, Head of Financial Crime, Bovill, provided guidance on regulatory reviews, with the overriding message that “prevention is better than cure”. He urged firms that are subject to reviews to be well prepared, open and honest, and to engage with the regulators with genuine interest. Finally, Gary Brown, GDPR UK Programme Director, Santander UK, suggested a list of 10 things that an organisation should have in place prior to implementing GDPR:

• Create staff awareness
• Identify where personal data is stored
• Appoint a DPO
• Identify and assess suppliers
• Locate your data entry points
• Formalise processes to uphold rights
• Formalise your data breach process
• Review and update policies
• Identify key products, processes and services
• Delete data no longer used

Strickland: Who would describe their role as being a key component of the criminal justice system?


A high risk environment

The role and value of the financial sector was again to the forefront within ICA Fellow Brendan Leddy’s presentation: Burden vs benefit? Doing business with high-risk jurisdictions. Mr Leddy described his experience of high-risk jurisdictions as Head of Compliance and MLRO at British Arab Commercial Bank (BACB).

“At BACB we get to experience the consequences of de-risking,” he said, reminding the audience that, according to the World Bank, half the global population doesn’t have access to a bank account. While some jurisdictions bring higher risk of illicit cash flows, bribery, corruption and the weak rule of law, the policy of ‘de-risking’ has serious global implications for financial inclusion. “Do these risks mean that you shouldn’t do business in these countries?” he asked. “Even if a jurisdiction is high risk that does not mean that you can’t do business in that jurisdiction. The idea is to mitigate risk rather than completely eliminate it. Frameworks should not be preventative, but should be for assisting due diligence.”

Operating within such jurisdictions emphasises the importance of the bank’s risk appetite. “The risk appetite statement should be continually reviewed,” he explained. “It should be known within the bank, and particularly by the commercially-minded within the bank. In our bank risk appetite is determined at the most senior level.” BACB’s high risk appetite resulted in a regulatory visit following their submission to the Financial Conduct Authority’s (FCA) REP-CRIM report. The experience was challenging, but valuable, he recalled: “The visit demonstrated the importance of an audit trail: all of your thinking should be consigned to paper. You should welcome a review… it’s like a free audit!”

Such a challenging environment offers professional rewards, however. “You need resources to identify risk,” he continued. “There needs to be appreciation of the level of risk associated with the jurisdiction and the entity. You need to take a view as to whether or not reputational damage might be the end result of a decision you take. But this is where the head of compliance can earn their bread and butter.”

Winning the fight

Closing the conference, Ruth Dearnley, CEO, Stop the Traffik, provided a sobering NGO perspective on the potential of compliance to influence change beyond organisational boundaries. “The buying and selling of people is the fastest growing crime today,” she explained. “The skillset of the people in this room is key to stopping trafficking.”

Again, information sharing was regarded as being of fundamental importance. “We will not rescue our way out of this crime,” she suggested. “For every rescue there is a vacancy. We will not prosecute our way out of this crime, although we do need successful prosecutions. There is no solution that is just ‘there’. We are having to learn and discover, and I have learned that we will not do this unless we are intelligence led.”

In what could have been a slogan for the conference, she concluded: “we cannot prevent unless we share”.

Dearnley: We cannot prevent unless we share

Leddy: The idea is to mitigate risk rather than completely eliminate it


SM&CR

Which way next?

Is compliance still the place for a creative and challenging professional career, or will it become just another operations function? asks David Jackman


It’s over. Job done. Retail compliance has reached its high watermark and the major strategic call has been achieved. Quietly, with little fuss, the first bank – Barclays – carried out its ring-fencing operation over the Easter holiday, in fact on 1 April. You would hardly have known (unless, presumably, you are that bank’s customer) that anything had changed. I was relaxing after a special anniversary meal in a local restaurant, gazing over the watery fells, and just happened to glance at an article in an abandoned newspaper when I noticed the news. If I think back to all the commotion and objection that greeted the proposals for ring-fencing following the Independent Commission on Banking report on the 2008 crash, how small the actual event seems now.

This is the ultimate piece of consumer protection. Drastic, some might argue, strategic, striking right at the core of the banking system and almost returning us to an earlier age of high street banking as a form of utility. We remember the purpose is to separate everyday personal and business banking from the riskier (“casino”) investment banking, so that losses in one do not bring down the other. The changes necessary have cost the largest banks many millions of pounds. All the other “large banks” will follow after court hearings this year, and the splits will have to be completed by 1 January 2019.

What now?

What more is compliance to achieve? Retail banking compliance will be straightforward consumer protection along the familiar lines of KYC, suitability, protecting client money, responsible marketing, sound T&Cs etc. Investment banking compliance may become much less pivotal because the strategic risk is lower, and regulators have the scope to allow, potentially, a lighter touch regime – especially in the UK if they choose to use the newly-won Brexit freedoms.

What else is there to do? Ring-fencing is enough strategic change for a generation. Of course, there will still be over-pricing in some (credit and insurance) sectors to smooth out, RegTech sandboxing, data security to manage and the vulnerable customer agenda to expand, but these paths are now well worn and initiatives will be increasingly international and beyond our influence.

So what is the future of compliance, at least in the UK? Is it still the place for a creative and challenging professional career, or will it become just another operations function? I am in the process of recruiting a new Head of Risk and Compliance – what sort of skillset should I be looking for, and what sort of job will it be in the future? This is an important question for me but also, perhaps, the central question for the ICA, and all ICA Members.

There is no alternative for the profession but to embrace this fundamental change in focus from technical to strategic, from process to culture

The answer

The answer, conceptually and philosophically as well as practically, comes partly from the Senior Management and Certification Regime (SM&CR). For regulators, I sense, this is something of an unknown… not a gamble by any means, but I am not sure anyone is certain how it will work out. So we should factor this in if we are to have a “big” compliance conversation.

SM&CR is meant to shift responsibility away from compliance and onto the shoulders of individual line managers and directors. Anyone external to the business might argue that this is a good thing in terms of consumer protection, but it is obviously a significant challenge to the existing role and status of compliance departments and officers. As the Financial Conduct Authority (FCA) moves its offices out to Stratford in 2018, a step away from the main centres of activity, is this a metaphor for compliance’s role becoming more arm’s length:


to crunch the data, map and facilitate the responsibilities of others, meekly advise or enable others to take the real decisions, interpret the regulatory utterances and, of course, train? Or is the FCA’s move the portent of a bright, progressive new future with compliance able to be ahead of the game, strategic, leading change, taking on responsibilities for enterprise and the creation of new markets? How will this all work out? We need to know.

Looking for signs, it is interesting that the first priority for the FCA Business plan 2018/19 – the first published under new Chairman, Charles Randell – is firms’ culture and governance, which should drive behaviours and produce outcomes likely to benefit consumers and markets. This is the SM&CR’s central aim and the rules will be published finally in summer 2018. But I notice the caution of the word ‘should’. Does the FCA have some doubt that SM&CR will deliver the promised land?

It is possible that pension transfers, particularly defined benefit schemes, will be the first test of the effectiveness of devolved responsibility. This will be bolstered by a welcome return to focusing on T&C and interventional charging structures – a consultation paper is due out soon as part of the wider Retirement Outcomes Review. I suspect that SM&CR has got to be made to work, much in the same way as TCF (treating customers fairly) had to be made to work, even after some poor industry take-up and a series of false starts. In a series of articles in this magazine, we considered some of the practical issues around implementing SM&CR in all firms. These are worth referring back to if you are unclear. A comprehensive and holistic approach is needed.

Change in focus

The real regulatory test for any firm will become a test of corporate attitude and ethics, what I refer to elsewhere as corporate maturity.1 The FCA plan says: “we seek to form judgements as to whether the drivers of behaviour we are interested in as a regulator are driving appropriate behaviours which are unlikely to cause harm”.2 Regulatory tolerance for low-level poor behaviour, feeble excuses, trying to avoid responsibility, unnecessary delays and tactical inaction will have to be near to zero. There can be neither the resources, nor the ‘political’ capital to spend time on what is increasingly seen as ‘immature’ behaviour, especially when the key accountability of the regulators is tied up with leaving the EU.

So who is best placed to ensure that SM&CR embeds successfully? It has to be compliance, and if the key to managing regulatory risk is ‘good’ attitudes, values, good governance practices and role disciplines, then it is compliance that has to have the wide range of soft skills necessary to introduce and then maintain this kind of ‘strong but subtle’ ‘soft engineering’.

There is no alternative for the profession but to embrace this fundamental change in focus from technical to strategic, from process to culture. This is a step up which is entirely feasible but the greatest challenge in my view is educating colleagues to understand what is required and to accept that compliance has a far more wide-reaching role, higher up the production chain and, crucially, in the boardroom. This is a project that the ICA can help with considerably and does require co-ordinated and concerted action. Even in a ring-fenced world there is a lot to be done to progress the quality of corporate culture, markets integrity and consumer protection. The task starts now.

David Jackman is Chairman of, or co-chairs, three financial services companies and was formerly head of training and competence, and business ethics at the FSA (now FCA). He is a tutor for ICA and a strategic advisor. He has recently published a second textbook on compliance entitled Corporate Maturity and the Authentic Company.

1. Jackman, D. (2018) Corporate Maturity and the Authentic Company, Business Expert Press, New York

2. FCA Business Plan 2018/19, pp. 21-22

Get more on the CPD Portal

• Maintaining competitiveness under the SM&CR: https://www.int-comp.org/cpd/maintainingSMCR
• Culture and individual responsibility: checklist for firms in the new SMCR: https://www.int-comp.org/cpd/checklistSMR
• Extension of the SMCR to all FSMA authorised firms: https://www.int-comp.org/cpd/SMCRextension

Not a member?

For access to the ICA CPD Portal, among other benefits, become a member today: www.int-comp.org/membership/why-become-a-member

The greatest challenge is educating colleagues to understand what is required and to accept that compliance has a far more wide-reaching role, higher up the production chain and, crucially, in the boardroom

THE COMPLIANCE PROFESSION

As a profession, compliance is in flux. Although compliance may be more established within some sectors, jurisdictions and organisations than others, all individuals working in the field share the common challenge of contributing to the ongoing evolution of compliance, both as a function and a discipline. As the field and the professionals working within it pursue operational excellence, greater expertise, and business relevance, it is crucial to put down confident and collaborative roots.

Compliance professionals must continuously develop themselves along with the roles and responsibilities in their programmes. In some cases, this is because they operate in an industry that has long been highly-regulated and is contending with changing supervisory and business expectations, or within which corporate strategies are being redefined towards compliance risk management. In other cases, compliance is a relatively new player – either because the industry is coming under new supervisory attention or due to burgeoning self-regulatory efforts – defining itself in the support landscape amongst more established counterparties such as HR, legal, risk, and audit, while maturing its competencies. In both of these scenarios, the compliance profession as a whole experiences ongoing improvement, just as the individuals working within it must be dedicated to career-long learning that is both deep and broad.

The compliance dichotomy

Fundamentals first: at its core compliance is a concrete pursuit, in which rules, regulations, and expectations regarding ethics and integrity are integrated into an organisation’s policies and procedures. In this application, the compliance profession is absolute, used to create a controls framework to ensure adherence to legal and regulatory expectations as well as to test and evaluate the adequacy of that framework. Providing routine advice, contributing to the implementation of regulatory updates, and project management consultancy are all part of this rules-based approach to compliance risk management. In order for any new or expanding compliance programme to succeed and sustain its independence, it is essential to establish sound standards and implement best practices, create basic rules and ensure adherence to them.

Compliance must also be based on values. Compliance is evolving not just in principle but also in spirit. In probing the space between existing control frameworks and the societal expectations and norms they seek to address, compliance programmes can be drivers for organisational progress and for justice. The aspirational nature of compliance can also be inspirational to its growth as a profession, as it may explore both tensions and synergies that exist between formal laws, regulations or internal rules and the moral values of broader society. This is just as central to establishing a mature compliance practice as performing risk assessments and carrying out monitoring programmes.

This dichotomy – concrete and absolute on the one hand, esoteric and evolving on the other – captures the dual character of compliance. Considering the distinctions inherent in the functional aspects versus the disciplinary aspects of the compliance profession is helpful to form a full understanding of its development potential in both modes.

As compliance transforms from a state of simple existence or necessity to one of a maturing, and then established, identity driven by expertise and integrity, a duality in its nature as a profession becomes clear. In practice it is practical and task-based – in organisational terms, a function – as well as theoretical and culturally-oriented – a discipline.

THE COMPLIANCE PROFESSION

A holistic view

Sally Afonso considers the dual character of compliance as both a function and a discipline, and its development in both emerging and established sectors and jurisdictions

Compliance emerging as a function

As a function, compliance addresses relevant risks by designing control frameworks and defence strategies, integrates external laws and regulations into internal policies and procedures, identifies the most relevant programme priorities to promote within the business, and contributes to communication and management strategies. This is the work – both in business as usual as well as in consultancy – of keeping in line and up to date within the ever-changing regulatory and legislative landscape.

Functional compliance is responsible for ensuring that organisations are set up to abide by industry and supervisory requirements. This includes designing governance, risk and compliance (GRC) strategies and structures for senior management, executive committees and boards, and external stakeholders such as regulatory entities. These GRC tasks create the formal systems and processes that are intended to encourage employee and organisational integrity, while creating disincentives against (and penalties for) instances of misconduct.

The compliance function can distinguish itself and make a compelling proposition for its added value by leveraging its ability to align with counterparties in other support departments, especially legal and HR. An effective compliance function will need to understand its overall position within the umbrella of risk for governance purposes, and to develop itself by taking an integrated approach to its priorities.

Alongside this crucial interdependence, another major goal of the compliance function is to establish independence that positions it laterally to audit, with audit making retrospective assessments and suggesting corrective measures, while compliance flexes between the self-analysis of deep dives and forward-looking strategic planning. This visibility for compliance, on its own and in relation to others, enhances lasting viability.

Compliance emerging as a discipline

As a discipline, compliance goes beyond all of the above structural efforts to ensure awareness of, and steps to comply with, all relevant laws and regulations.

In developing a perspective as a discipline, compliance puts the rules-based controls into values-based practice by developing meaningful, direct relationships with the business via advice and communications, targeted to create incentives for ethical decision-making, encouraging integrity, and positively impacting business strategy. In order for compliance to mature to a level where its contributions are respected alongside those from more traditional support functions, the profession must intimately link its practical concerns to the dynamic commercial needs in the broader context of the organisation.

To this end, disciplinary compliance builds upon the fundamental principles and frameworks imagined within functional compliance, and applies them on an ongoing basis with business partners and stakeholders. This is where the rubber really meets the road between a compliance officer and his or her business. In order to be effective, the compliance officer and the overall programme must both be credible and strategically informed – competent in relevant business practices, expert in compliance subject matter.

At its best, compliance is a relationship-based activity, which revolves around maintaining ongoing dialogues, collaborating with stakeholders and other functional partners, suggesting agile responses to business developments, and maintaining a bird’s-eye view of the business landscape. All of this can only be achieved by pro-active, personal engagement.

Compliance professionals can seek a seat at the table with functional counterparties as well as business partners by getting to know everyone, being open, offering and accepting different viewpoints, listening, and developing an understanding before providing advice. Instilling understanding of and fluency in the individual choices and behaviours that organisations want to encourage or require – via dilemma analysis, discussion, and compliance awareness dialogues – is something that compliance programmes should lead with as they develop their reputations within organisations as important business partners.

Continued growth

Linking these functional and disciplinary aspects into a single holistic approach allows a compliance professional to both operationalise and contextualise the aims of his or her programme. This blended approach creates a perspective that is both practical and pro-active, prescriptive and predictive. Through this approach, a maturing compliance programme can cultivate an identity that is business-necessary as well as independently motivated, offering unique expertise in both insight and oversight.

Compliance programmes must master and then transcend their functional emphasis on organisational or external standards, linking expectations for conduct to solid defence strategies. One development goal for compliance professionals is to take this further, analysing and addressing the ethical and moral issues that emerge in order to ensure that policies and procedures in place address real risks. This informs business decisions that are sometimes hard, but that are underpinned by an interest in integrity.

Emerging compliance programmes must leverage the structures and foundations of the compliance function, and the disciplinary potential of the profession, to take these frameworks from academic requirements to living, practical considerations within the robust organisational culture of compliance. Best practice involves embracing both approaches and refining the necessary skills in parallel, developing both as individuals and as a profession by establishing fundamental, functional controls and then expressing a disciplinary identity and independence.

From this integrated foundation, both compliance practitioners and the profession in which they work will emerge as valuable and distinctive partners to and participants in the businesses they serve. The future of compliance relies on establishing a credible voice that speaks competently and consistently, and then proving this in practice through maintaining relationships and championing values.

Sally Afonso is a compliance advisor experienced in the financial services industry. She can be reached on Twitter at: @complyblog


Compliance after

HARASSMENT IN THE WORKPLACE

The ICA’s ongoing “Big Compliance Conversation” hopes to encourage discussion and debate on emerging issues regarding the future of compliance. In that spirit, this article offers two different perspectives on the impact of the recent #MeToo movement upon the roles and responsibilities of compliance professionals.

How instrumental should compliance be in the fight against workplace harassment? Should compliance be at the centre of driving anti-harassment initiatives and, if so, how? If not, should compliance instead provide a supporting role to the efforts of HR and legal departments?

Note: The views expressed by the authors are entirely their own and do not represent the opinions of either the ICA or of inCOMPLIANCE® magazine.

What are the implications of the recent #MeToo movement for compliance? Vera Cherepanova and David Symes debate the issue


Taking the Lead

By Vera Cherepanova

Recent months have seen the rise of an unprecedented global movement against sexual harassment and assault. It has been estimated that #MeToo has been retweeted almost 2 million times across 85 countries.[1] This global ‘hotline’ facilitated the widespread sharing of stories of sexual harassment and kickstarted an ongoing international conversation over sexual misconduct, particularly in the workplace.

For those of us that work in compliance the #MeToo movement also raises a number of practical considerations. Sexual harassment cuts across all industries, affecting all classes of people. Incidents can be found in entertainment, sports, politics, media, financial institutions and IT corporations. Those who are posting and tweeting revelations within social media may be employees of your organisation and in the majority of cases it took them years (if not decades!) to come forward. It’s time to rethink what constitutes a harassment-free workplace environment and revisit your anti-harassment policies, fostering a cultural shift in attitudes to this issue.

Legal requirements

In the UK, the Equality Act[2] defines sexual harassment as “unwanted conduct of a sexual nature which has the purpose or effect of violating someone’s dignity, or creating an intimidating, hostile, degrading, humiliating or offensive environment for them.” To establish whether sexual harassment has occurred, the ‘unwantedness’ and the circumstances surrounding the case should be evaluated, including (but not limited to):

• whether the employee complained about the conduct at the time it occurred
• whether the employee’s own conduct was consistent with the claim that the conduct was unwelcome.

A ‘hostile’ work environment generally means that the unwanted conduct is so severe and pervasive that it alters the conditions of the employment. Therefore, in the majority of cases, a pattern of offensive conduct would be required to confirm that sexual harassment has taken place.

Behaviours that constitute sexual misconduct come in different forms. Examples may include suggestive remarks or sex-based slurs, gossip about one’s personal sex life, unwanted touching, the display or dissemination of pornography, or requests or demands for sex. Clearly, sexual harassment doesn’t necessarily involve physical contact, as some might think.

Sensitive topic

Although the legislation unambiguously recognises sexual harassment as a form of discrimination and prohibited conduct, the magnitude of the problem is still nationwide. A recent BBC survey[3] showed that half of British women and one fifth of men have experienced incidents of sexual harassment at work or at their place of study. An earlier study by the TUC and Everyday Sexism[4] found that 25% of women polled had experienced unwanted touching, while 20% were exposed to unwelcome verbal sexual advances.

However, only one in five reported such misconduct to their employer, with the main reason for not reporting being the absence of a supportive culture in the organisation. Many felt ashamed and thought their allegations would not be taken seriously. Others feared retaliation. Indeed, the TUC report[5] found that nearly 20% of reported cases relate to harassment from a direct manager or someone else with direct authority over them. Raising a concern in these circumstances, without the prospect of a proper investigation, could mean risking one’s job.

What should be done to change these worrying figures? How can organisations foster a culture of zero-tolerance towards sexual harassment and abuse in the workplace? What follows are some practical steps that compliance officers can consider to revamp existing corporate compliance programmes:

• A clear policy – Ensure you have a stated policy against sexual harassment, whether as a separate document or as a section in the code of conduct. Given that cases of sexual misconduct are not always straightforward, it would make sense to include examples that are easily understood. To ensure that the policy is widely understood, make sure that the information is contained within the employee handbook and within orientation procedures for new hires.

• Relevant training – Many companies include questions on harassment within annual compliance training, but in some cases this clearly won’t suffice. Based on a risk-oriented approach, evaluate and assess together with HR whether any departments may require a tailored in-depth programme and whether it should target everyone or be gender-specific. Ensure the training materials are comprehensive and foster a broader discussion regarding inappropriate workplace behaviours.

• Empowered management – Middle management needs to be trained to recognise and respond to sexual harassment in a responsible manner and in accordance with the law. Team leaders can help prevent sexual harassment from occurring by enforcing the existing policies and creating a harassment-free environment in their teams. Therefore, it is crucial to ensure they are equipped with knowledge and skills to identify and address inappropriate behaviour.

• Independent reporting processes – Whether your company is using a third-party or an internal hotline, it is important to ensure that employees are well aware of its availability for reporting all types of workplace allegations, including harassment cases they have experienced or observed. Given the sensitivity of the topic, it may be worth identifying a responsible individual (or gender-specific individuals) within the HR department in the event that individuals feel more comfortable reporting incidents in person.

• Impartial investigations and timely response – Any investigation of a harassment case creates discomfort for all parties: the victim, the accused, and the witness(es). Therefore, it is crucial to conduct investigations in a respectful, objective and unbiased manner to ensure the protection of privacy and rights for everyone involved. If the allegations are confirmed, corrective action should be taken immediately to mitigate the risk of any additional harm to the victim or company. Your remedial action should be proportionate to the seriousness of the revealed misconduct. And, of course, thoroughly document your every step.

• Leadership in sync – Whether we want it or not, people tend to imitate the behaviour of their leaders.[6] Therefore, ensure that you have top-management buy-in to proceed with your anti-harassment initiatives. Without an explicit commitment to an ethical organisational culture, employees may not feel supported in reporting of sexual misconduct. Middle management plays a key role in cascading down the organisational values to their team members, so make sure they are fully onboard.

#MeToo Aftermath

The #MeToo campaign has uncovered the existing magnitude of inappropriate sexual behaviour in the workplace; so overwhelming that it can no longer be dismissed or otherwise ignored by employers. Employers’ inaction or improper action would have far-reaching consequences, affecting the workplace environment, employee morale, and ultimately the company’s bottom line. Therefore, it is vital to promote a harassment-free organisational culture, not just from a legalistic perspective of compliance initiatives, but also because it is just good for the business.

Vera Cherepanova, FCCA, CIA, MSc has more than 10 years’ experience as a compliance officer. She is currently a self-employed ethics and compliance consultant based in Milan, Italy. She speaks English, French, Italian, and Russian. She can be reached at: [email protected].

1. https://www.cbsnews.com/news/metoo-reaches-85-countries-with-1-7-million-tweets/

2. https://www.legislation.gov.uk/ukpga/2010/15/section/26

3. http://www.bbc.com/news/uk-41741615

4. https://www.tuc.org.uk/research-analysis/reports/still-just-bit-banter; separate studies by Opinium and Michael Lewin solicitors found similar results: https://www.telegraph.co.uk/news/2017/10/25/two-five-women-have-sexually-harassed-workplace-poll-shows/; http://michaellewin.co.uk/sexual-harassment-in-the-workplace/

5. ibid.

6. https://link.springer.com/chapter/10.1007/978-3-540-70818-6_9

A Supporting Role

By David Symes

Without taking away from the importance and overall relevance of the #MeToo campaign, and indeed Vera’s impressive analysis and suggested action points, I would argue that the direct implications for compliance departments and staff are limited.

We’ve come a long way…

When I started work setting up compliance for a FTSE 100 insurance group (30 years ago this month, the same week that proactive compliance was first implemented in the UK), the workplace was very different. I soon realised that compliance was seen as a ‘necessary evil’ by the relatively modern-thinking City-based investment management staff. However, as soon as I became involved in the nationwide life and pensions sales force (and their backing administrative departments) I became rapidly aware that we were perceived as far worse (i.e. not only the source of considerably increased paperwork but potentially responsible for a direct reduction in the income of those involved in sales, or indirectly benefiting via bonus schemes etc) and often we were either sidelined or else at best tolerated but frequently ignored.

Much has happened since then, including the TCF initiatives and the retail distribution review, and I would hope that, within the retail sector, many of those attitudes have changed. Indeed, everything I see and hear leads me to believe that every few years the view of compliance progresses towards being seen as a genuine value-add to a firm, whether in avoiding regulatory breaches (and all the associated ramifications in time and cost, as well as reputation) or even better in assisting in obtaining competitive advantage in the design and implementation of new products and services, sometimes globally.

A reversion in attitudes?

However, this belated recognition of compliance has been hard earned, and I don’t believe that taking on an internal leadership role to implement changes required by the #MeToo initiative, let alone involvement in the ongoing policing of such and/or investigation of incidents, would enhance this. Indeed, it may lead to a reversion for compliance to ‘necessary evil’ status, to the detriment of the main regulatory purpose of compliance functions.

Moreover, when considering the role of HR (supported by an in-house or external legal function), who generally are accustomed to handling most aspects of the underlying issues involved (be they preventative behavioural requirements or the legally complex processes involved when incidents occur or are alleged), then the role of compliance should be in support only if required. Compliance officers are neither trained in these sometimes finer points of human rather than corporate behaviour, nor have the time to deal with them, given the myriad of competing demands on compliance functions (be it carrying out monitoring, routine operational issues and/or special investigations or indeed coping with the never-ending timeline of regulatory change).


Limits to involvement

Nonetheless, there will be instances in which compliance will need to be involved, including when assessing the fit and proper standing of staff under the current Approved Persons regime and ongoing Senior Management and Certification Regime (and of course when assessing and monitoring Appointed Representatives) or if elements of formal customer dissatisfaction arise from any aspects of this. Also, particularly in smaller organisations which may not have a fully staffed HR function, compliance could be of value in helping with policy and procedural design as well as reporting criteria and parameters, if requested. Lastly, as part of any senior leadership team, the head of compliance can certainly use their experience in the broader discussions as to how to effect strategic cultural change as well as tactical advice on monitoring, hotlines/whistleblowing and training.

However, in conclusion, I for one firmly believe that were compliance to have any direct responsibility for implementing or monitoring this it would be detrimental to the role and successful achievement of mainstream compliance objectives.

David Symes FCA is MD of Compliance Recruitment Solutions, is a former Deputy Head of Compliance for a FTSE 100 Group, and also chairs the Institute of Chartered Accountants London Compliance Group. He can be reached on: [email protected]

Where you stand on the above issues will no doubt vary depending upon your own experience, the type and size of organisations you’ve worked in, as well as a host of other personal and professional factors, and our aim is to represent this diversity of backgrounds and opinions in the pages of inCOMPLIANCE®.

Within a rapidly-evolving social, political, technological and regulatory landscape, the role of compliance is being progressively defined and re-defined. The ICA launched “the Big Compliance Conversation” in the belief that compliance professionals should be fully engaged in driving the debate around the future purpose and direction of the profession. If you wish to get involved in this, and other, discussions, please join the conversation online:

Join https://www.linkedin.com/groups/122458

@intcompassoc

To view the latest tweets use: #BigCompConvo


DATA SECURITY

#FixFacebook

The Cambridge Analytica debacle is only the tip of the iceberg and the social media giants, as well as the leading search engine providers, have all built their houses on shaky foundations, writes Mark Johnson

As Facebook and Twitter scramble clumsily to address the huge reputational harm they have suffered during the recent election ‘hacking’ and Cambridge Analytica data exploitation fiascos, these leading social media sites appear to be missing some very basic points:

• The absence of effective identity verification options creates huge risks for genuine users
• The need for users to opt-in to security rather than having to opt-out is a major flaw
• The fact that users are treated as ‘identity capital’ and not as customers is perverse

There is no question that sites like these have been hugely successful, yet these are glaring and very basic holes in their models. The solutions now being rolled out, such as the removal of one of over 100 available search features by Facebook, fail to rectify them. My take on the election ‘hacking’ story is that the scope of social media for swaying public sentiment is being overstated: targeting users who already have a clear bias merely reinforces that bias. As to the 5,000 data points Cambridge Analytica reportedly holds on each US citizen, well… hmmm… #ShowMeTheMoney. But social media users face other serious and longstanding risks. That these have not already been fixed is a disgrace and a travesty.

Faking it

Estimates vary, but sites like Facebook, LinkedIn and Twitter are riddled with fake, duplicate or partially falsified profiles. I have seen figures suggesting that 5% to 10% of accounts are fakes on some major sites and my experience as an internet investigator suggests that the true numbers are higher.

If users are indeed capital, in the sense that their personal and lifestyle data has real financial value to the sites that hold it, what does this level of false personas say about the underlying worth of the social media asset base? Are fake accounts simply unidentified sub-prime assets that provide no value to marketeers while polluting the rest of the asset base and distorting any analysis the sites perform or facilitate? If so, which accounts and in what volume? Sites that cannot answer these basic questions really are falling short. #Marketcap.

Many of these fake profiles are used by fraudsters and other criminals, either to find or to con victims. Others are used by bots or stalkers, and some are set up by angry ex-partners seeking revenge. I recently assisted on a case in which a 19-year-old hairdresser had managed to create 42 sophisticated fake profiles on a leading social media site, which she then used to target her ex-boyfriend’s new partner en masse. Sites such as Facebook have a clear duty of care to their users, given that they have prompted them to post a raft of personal details online, with the default settings generally being the least secure ones, thus exposing them to exactly this type of risk.

Identity verification

An obvious way to improve security would be to add optional identity verification that conforms to online banking standards: give me the choice to validate myself, then give me a “green tick”. If I choose to do so, allow me to block and un-friend, with a single click, all those who have not opted to validate themselves: give them a “red cross”. Then automatically prevent any red cross from messaging, friending or viewing the profile of any green tick. #SocialFork.

Let’s have two communities on social media: those who are willing to validate themselves, who share a desire for better security, and those who do not wish to do so, who share a desire for anonymity. The two should never mix.


Opting-out vs Opting-in to security

Currently, Facebook’s users (for example) must work through a long list of security options and then opt-in to the more secure settings, despite the fact that they have been allowed to add sensitive personal data to their very public profiles.

This is bizarre. It’s the reverse of every security protocol I have ever seen and certainly flies in the face of recent regulations, such as GDPR in Europe. You don’t opt-in to security at your bank, at the hospital, or at any normal location where your data is held, so why should you need to opt-in when you go online? It also flies in the face of common sense. Simply making the list clearer and easier to access, as Facebook is now doing, dodges the real issue, which is that in most modern settings the doors to our houses are locked by default and not merely when we consciously choose to lock them.

In the same spirit, every social media user should be assigned the most secure settings by default. Don’t display my personal data to public view unless I tell you to and don’t permanently record my activities unless I specifically state that I want them recorded. #TimeLine-TimeOut.

If the sites don’t want to adopt this standard, then regulators must force them to do so. Let the sites innovate and find new ways to make money from marketing. Let users opt-out of security if they so wish, but ensure that they explicitly accept the resulting risks when they make this choice. Let’s face it, these sites are nice to have around but they are not nearly as important as they claim to be. It’s the secure internet that really matters, not the social media platforms and the billions of cat videos they hold. #ProtectMeNow

Users are not just ‘identity capital’

The social media market has long regarded its users as capital, as a commercial asset rather than as customers. This is why the sites are generally free to use: the paying customers are the large organisations operating behind the scenes that crave the supposed benefits of the Big Data sets created by these sites. This needs to change. If my data is of value to Facebook, Twitter or LinkedIn and others, if it forms a component of their asset base, if they base their valuation on the number and quality of users they have, then we can only draw one of two conclusions:

1. I am a customer and I am paying for my access to the service with my data, or;
2. I am a stakeholder and I am due a share of the value created from the monetization of my data.

In neither of these models am I mere identity capital with no claim to make. In both models the data custodian has a clear duty of care with respect to my personal data. Any other model is unjustifiable and constitutes exploitation of gullible citizens by large corporations. This is the kind of corporate misconduct that government regulators are paid to identify and then address. Let’s see more of that please. #Payback #Man-Up #RegulateThat.

Sites like Facebook must get their act together. Let me assure you that the Cambridge Analytica debacle is only the tip of the iceberg and social media giants, as well as the leading search engine providers, have built their houses on shaky foundations. It’s time they mend their ways or pay the long-overdue price. The Wild West days of unbridled data exploitation and an out-of-control Big Data market are likely to end soon. Fundamental change is probably on the way as regulators around the world finally wake up from a decade-long slumber and fully embrace their duty of care.

We can already see users gaining much greater control over who can see what; witness Google’s account clean-up initiative.1 Expect to see a large segment of the user base sharing less and only sharing with a tighter circle of friends. And expect to hear an increasing clamour from lobbying groups presenting users’ claims for a financial stake in the huge mountain of personal and lifestyle data we have chosen to post online and which we could very easily decide to stop posting and start deleting. #Post-It-Not. #FixFacebook.

Mark Johnson is a security veteran with 40 years international experience in the military, drug enforcement, high tech crime control and internet investigations arenas. www.linkedin.com/in/markjohnsontrmg/

1. https://www.huffingtonpost.co.uk/entry/google-knows-literally-everything-about-you-heres-how-to-stop-it_uk_5abb68dde4b06409775b7d2b

Sites such as Facebook have a clear duty of care to their users, given that they have prompted them to post a raft of personal details online, with the default settings generally being the least secure ones


AML PROCESSES

Moving to real-time

Banks and financial institutions can enhance the effectiveness of their AML processes by using real-time search tools to complement their use of static databases, writes Jane Jee

Money launderers and those who commit financial crimes are getting smarter in their efforts to conceal the origin of their funds. Using the latest technology and often taking advantage of privacy and data protection laws, many criminals can take steps to hide their murky past. It’s no wonder, then, that people such as the outgoing head of Europol, Rob Wainwright, are concerned that Europe is losing the fight against financial crime.1

For banks, financial institutions and other companies that are in industries with a high money laundering risk, identifying these bad actors is necessary to comply with the law, avoid fines and protect reputations. Such companies have been spending ever-increasing sums of money on compliance, often with little real tangible benefit. They need purpose-designed technology to achieve greater efficiency and avoid negative consequences.

Static limitations

The major static databases have long been a key part of this technology mix, providing an incredibly rich source of information to help banks comply with stringent anti-money laundering (AML) legislation in a variety of ways. They offer a resource to help banks identify whether new or existing customers – individuals or businesses – have links with money laundering, terrorism or other financial crime via stringent Know Your Customer (KYC) and Know Your Business (KYB) checks. In doing so, they help simplify the compliance process for management teams.

However, recent court cases in the UK and beyond have highlighted the potential limitations of relying exclusively on static databases to carry out KYC checks.

Last year, for instance, it was reported that Finsbury Park Mosque had “won an apology and damages” from a leading database provider “after it was erroneously included on a global database linking it to terrorism activities”.2 The mosque’s risk status had long been downgraded by intelligence services and terror watchdogs, due to the efforts of its new leadership team. However, the information about the mosque had not been updated in the databases used by major UK banks, leading to its bank account being closed incorrectly.

As this case shows, it may be desirable for banks and financial institutions to enhance their static databases with complementary checks to ensure their KYC and KYB processes remain effective. But what do such organisations need to know to optimise their due diligence procedures?

Understanding the issue

The incident involving Finsbury Park Mosque serves to highlight the consequences of failing to optimise AML compliance processes. A heavy penalty was meted out to the data solution provider that provided out-of-date adverse information.

The key issue here is that there may be a lag between the data contained in even the most up-to-date static registers and information available elsewhere, on the web, the deep web and in media outlets. The expansion of the internet, combined with advances in global communications networks, means that the information available to banks on the individuals and organisations that they do business with must be accurate and accessed in real time. It is, therefore, imperative that such institutions take steps to make sure they act on up-to-date information when a customer applies to them and ongoing monitoring of customers takes place at appropriate intervals (which, in the case of high-risk customers, may be continually).

In this climate – with so much information to sift through, and the need to search thoroughly and frequently – financial institutions may wish to complement their use of static databases with new search tools capable of performing the tasks quickly and accurately. Imagine trying to navigate the web without Google, or the globe without a compass. Real time searching is vital to ensure checks are as thorough as possible, while minimising the burden on human compliance managers.

Addressing the problem now

For financial institutions operating in the UK, in particular, it is important to address this problem sooner rather than later. Brexit is on the horizon and the UK is updating its AML legislation to ensure it continues to be a world-leading financial hub, while tackling international financial crime. Such regulatory changes make it all the more important for banks and financial institutions to improve their due diligence processes.

The Sanctions and Anti-Money Laundering Bill 2017-19³, for example, is set to replace existing EU directives in the UK. This includes new requirements for KYC checks by banks, and for businesses and other organisations in other sectors considered to be at risk of money laundering. The legislation includes a new sanctions list not just for PEPs and REPs, but for companies that fail to perform appropriate due diligence by exploring all the information available to them.

To meet these requirements, it is imperative that banks and financial institutions fully understand the definitions of PEPs found in the legislation. They should also understand what is meant by the term “REP” – an American concept, referring to individuals that are subject to adverse information or so-called “negative news”.

In addition to all of this, they must understand how individuals can become REPs and PEPs, so that they can take the most suitable steps to perform deeper due diligence.

Finding complementary solutions

So, with all this in mind, what can banks and financial institutions do to make their KYC checks and due diligence processes fit for the future?

The answer rests in the many advances in regulatory technology (RegTech) over recent years. There is a new generation of “real-time” search tools that has been developed to be an ideal complement to static databases, helping to support banks and financial institutions.

In particular, advanced search tools featuring innovative artificial intelligence (AI) technology are capable of carrying out quick and accurate searches not just of the web and deep web, but a huge number and variety of databases and watchlists too. These tools are able to search such sources for information in real time and in multiple languages, helping to maximise the likelihood of spotting adverse information relating to customers. This is particularly helpful if they are based – or carry out activity – overseas.

More than this, the technology is able to carry out KYC checks on multiple customers simultaneously and, if necessary, search continuously, 24 hours a day, seven days a week. Doing all of this, it can flag any adverse intelligence to human compliance managers the instant it appears, without any delay.

When used as a complement to static databases, real-time search tools can play a key role in helping banks and financial institutions do all they can to identify bad actors. In doing so, such organisations can maintain the best possible defence against money laundering and terrorist financing.

Time to act

International money laundering remains a serious problem, with negative economic and social consequences for nations around the world. It is no wonder that governments globally are working hard to tackle the issue through legislation and collaboration with businesses.

Banks and other members of the financial sector have a vital role in helping to identify and prevent crime. By incorporating static databases into their due diligence processes, they are already making incredible progress in supporting governments in achieving this goal.

However, with the globalisation of the financial system and the expansion of the global communications network, the amount of information available on individuals and businesses is growing exponentially. It is becoming harder for human compliance managers to carry out comprehensive KYC checks on their own, and even more of a challenge for them to take account of any delays in updating the information available on databases and watchlists.

This makes it essential that financial institutions take steps to upgrade their compliance processes by complementing their existing databases with new technology capable of accessing and monitoring all the new information as and when it arrives. Unless regulated entities act now, they could be risking penalties for non-compliance. More than that, they could be leaving gaps in national and international defences for criminals to exploit, with negative repercussions for wider society.

Jane Jee is CEO of regulatory technology experts, Kompli-Global

The views in this article are the author’s and do not represent those of the ICA. If you wish to get involved in this, and other, discussions, please join the conversation online:

Join https://www.linkedin.com/groups/122458 @intcompassoc

To view the latest tweets use: #BigCompConvo.

1. https://www.politico.eu/article/europe-money-laundering-is-losing-the-fight-against-dirty-money-europol-crime-rob-wainwright/

2. https://www.theguardian.com/uk-news/2017/feb/01/finsbury-park-mosque-wins-apology-and-damages-from-reuters; and http://www.middleeasteye.net/news/london-mosque-wins-apology-over-terrorism-database-listing-805588886e

3. https://researchbriefings.parliament.uk/ResearchBriefing/Summary/CBP-8232#fullreport


ICA Specialist Certificate in Trade Based Money Laundering

The amount criminals are laundering through trade based money laundering is estimated at hundreds of billions of dollars per year.

The ICA Specialist Certificate in Trade Based Money Laundering explores the anti money laundering and counter terrorist financing risks that exist within the international trade environment, giving you or your team the skills and tools to manage this risk effectively.

Practical. Relevant. Accessible.

Learn more at www.int-comp.org/qualifications

PERSONAL LIABILITY

Getting personal

Thomas Wan Chee Kien considers the personal liability of compliance officers, and offers advice for those looking to protect themselves

In recent years, a perception has emerged that compliance officers have become more exposed, on a personal level, to regulatory and government enforcement action, especially given the increasing number of regulatory and criminal cases, financial sanctions and accountability regimes.1 Against this backdrop, many are questioning the personal risks that compliance officers face.

Through examining a number of recent examples, this article considers the personal liabilities of compliance officers under the various accountability regimes, and the expectations and desired outcomes of regulators and law enforcement. It also proposes ways in which compliance officers can better safeguard themselves.

Regulators’ expectations

A number of recent examples highlight the regulators’ views on compliance officers.

In November 2015, the former US deputy attorney general Sally Yates addressed the American Banking Association and American Bar Association Money Laundering Enforcement Conference, saying that: “compliance professionals are the Department of Justice’s crucial partner in the fight against white-collar crime”.2

In May 2016, in the case of Taft v Agricultural Bank of China, Ltd³, Judge Paul A Engelmayer in the Southern District of New York ruled that a compliance officer at the Agricultural Bank of China (ABC) could bring a claim for retaliation under the whistleblower protections contained in the Bank Secrecy Act. The court agreed with the plaintiff, Natasha Taft, that a memorandum she wrote to the Federal Reserve Bank of New York against ABC constituted an independent report and not one made on behalf of ABC in her capacity as a compliance officer. “Compliance officers act as arms of the government, and this decision reinforces the rights that these individuals have in the workplace,” said Brian Heller, a lawyer for Taft.

In March 2015, Georgina Philippou, the then-acting Director of Enforcement and Market Oversight of the UK Financial Conduct Authority (FCA) said, when imposing a fine on a chief compliance officer for Bank of Beirut⁴: “We are reliant on compliance officers ... to act as an important line of defence, to support effective regulation at firms and to show backbone even when challenged by their colleagues.”

In June 2015, in a public statement titled “The Role of Chief Compliance Officers Must be Supported”, Commissioner Luis A Aguilar of the US Securities and Exchange Commission (SEC) said: “Chief compliance officers of Investment Advisers (CCOs) play an important and crucial role in fostering integrity in the securities industry. They are responsible for making sure that their firms comply with the rules that apply to their operations. As part of that effort, CCOs typically work with senior corporate leadership to instil a culture of compliance, nurture an environment where employees understand the value of honesty and integrity, and encourage everyone to take compliance issues seriously. CCOs of investment advisers (as with CCOs of other regulated entities) also work to prevent violations from occurring in the first place and, thus, prevent violations from causing harm to the firm, its investors, and market participants. Given the vital role that CCOs play, they need to be supported. Simply stated, the Commission needs capable and honest CCOs to help protect investors and the integrity of the capital markets … Moreover, the Commission has used its Whistleblower programme, to protect and reward CCOs who did the right thing”.

He added that: “CCOs are vital to the protection of investors and the integrity of the capital markets. To that end, the Commission works to support CCOs who strive to do their jobs competently, diligently, and in good faith – and these CCOs should have nothing to fear from the SEC.”

In June 2015, Commissioner Daniel M Gallagher, in a Statement on Recent SEC Settlements Charging Chief Compliance Officers With Violations of Investment Advisers Act Rule 206(4)⁵, said: “The risk is much too high for the compensation. In my experience, firms tend to compensate compliance personnel relatively poorly, especially compared to other associated persons possessing the supervisory securities licenses compliance personnel typically have, likely because their work does not generate profits directly. But because of their responsibilities, compliance personnel receive a great deal of attention in investigations, and every time a violation is detected there is, quite naturally, a tendency for investigators to inquire into the reasons that compliance did not detect the violation first, or prevent it from happening at all. The temptation to look to compliance for the ‘low hanging fruit’, however, should be resisted. There is a real risk that excessive focus on violations by compliance personnel will discourage competent persons from going into compliance, and thereby undermine the purpose of compliance programmes in general. That is, we should strive to avoid the perverse incentives that will naturally flow from targeting compliance personnel who are willing to run into the fires that so often occur at regulated entities.”


Remaining uncertainty

While the above developments are generally positive for the compliance profession and compliance officer, there remains some uncertainty as to personal liability, as currently there are not any global laws or regulations that explicitly ‘protect’ the compliance officer when doing their job and discharging their duties responsibly and dutifully.

Thus, in the meantime, compliance officers would be well advised to take prudent steps to better safeguard themselves in the current regulatory enforcement environment. Some possible steps are:

• To get a clear mandate and formal appointment of the compliance role from the board

• To develop a clear job description and a clear mission statement for the compliance group and compliance function

• To obtain formal appointment in writing and from the regulator

• To obtain adequate indemnification and insurance protection from the firm / employer

• To document clear lines of supervision and reporting (with clear supervisory liabilities) within the firm

• To work closely with the regulator(s) and understand their regulatory and supervisory objectives

• To review the firm’s policies and procedures, using a risk-based approach and compliance risk assessments. Repeal any that it is not possible to follow or adhere to

• To continue all required compliance testing and reviews, even during emergencies

• To respond to all material audit and regulatory findings, breaches and non-compliance immediately, and get senior management attention to do so

• To respond to all red flags of possible misconduct. Pay particular attention to whistle-blowing, customer complaint and staff misconduct reports

• To negotiate but not compromise on what is not acceptable under the law and regulations

• To address the ‘two or multiple hats’ problem, in which compliance officers have to perform other functions in addition to the key compliance role

• To escalate all material issues to the board and senior management.

• To request permission to obtain advice from independent legal counsel if there is a disagreement with senior management

• To contemplate whistle-blowing or resigning only as a last resort if the board and/or senior management are not willing to address serious concerns.

Wan Chee Kien, Thomas is the Tutor at ICTA in Singapore, and teaches various ICA courses in GRC, AML/CFT and FCP in Asia-Pac. He is a FICA, IBFA and CFTP (Snr)

1. e.g. the UK FCA’s Senior Managers Regime, the Hong Kong SFC’s Managers in Charge, and ASIC’s Banking Executive Accountability Regime in Australia. Others are contemplating similar regimes, e.g. Malaysia (http://www.bnm.gov.my/index.php?ch=en_announcement&pg=en_announcement&ac=608) and Singapore (http://www.mas.gov.sg/News-and-Publications/Consultation-Paper/2018/Consultation-Paper-on-Proposed-Guidelines-on-Individual-Accountability-and-Conduct.aspx)

2. https://www.justice.gov/opa/speech/deputy-attorney-general-sally-quillian-yates-delivers-remarks-american-banking-0

3. https://law.justia.com/cases/federal/district-courts/new-york/

4. https://www.fca.org.uk/news/press-releases/financial-conduct-authority-imposes-%C2%A321m-fine-and-places-restriction-bank-beirut

5. https://www.sec.gov/news/statement/sec-cco-settlements-iaa-rule-206-4-7.html

Get more on the CPD Portal

• The complexities of CCO liability https://www.int-comp.org/cpd/complexcco

• Evolution in the role of compliance officer https://www.int-comp.org/cpd/evolutionco

• The Role of the Compliance Officer as Psychologist https://www.int-comp.org/cpd/COPsychologist

Not a member?

For access to the ICA CPD Portal, among other benefits, become a member today: www.int-comp.org/membership/why-become-a-member


CAREER CORNER

Box 1: Some questions answered – ICA qualifications

I thought it would be helpful to include some advice if you are thinking of completing an ICA qualification. Believe it or not, I have been asked each and every one of the questions below at least once:

• “I’m a lawyer and would like to move into compliance, which qualification should I do?” Depending on your current level of compliance knowledge there are a few that could be relevant to you. There is an Advanced Certificate in Legal Compliance that could be beneficial or, if your knowledge isn’t up to that level, consider the Certificate in Compliance.

• “I am currently working in the police force and I would like to get into financial crime. How do I do that?” It really depends on which aspect of financial crime you want to go into. There are numerous qualifications based around anti-corruption, combating the financing of terrorism, AML and fraud. Any of the qualifications would enhance your employment prospects, but it really depends on which one floats your boat!

• “I’ve just finished university and I’m on track to get a 2:1 in Criminology, what could I do to improve my chances of getting a job in this line of work straight away?” The beauty of the ICA is that there are various levels of qualification available. So, for someone at this level, I would recommend an introductory qualification – consider, perhaps, the Certificate in AML, or the Certificate in Financial Crime Prevention.

• “I’m highly experienced in my current role and head up the compliance department but I am keen to continue learning, is there anything that I can do to enhance my compliance knowledge further?” Yes! Consider the Professional Postgraduate Diploma in Governance, Risk and Compliance – it has been specifically designed for senior industry practitioners.

• “Are the qualifications face-to-face or can you do them online too?” You have a mixture of face-to-face, online and in-house, so there is a method to suit all!

Lifelong learning

Keeley Fitzsimmons emphasises the importance of training and an organic growth model

Since I began working in compliance recruitment around five years ago, I have seen a change in the behaviours and attitudes of many organisations when it comes to hiring. When I first started in this line of work, the demand for highly-qualified and experienced compliance professionals was strong. Companies wanted to buy in expertise. Now it’s quite the opposite. Businesses are looking to hire a much larger percentage of junior to mid-level individuals, rather than simply buy in the expertise from outside and graft it onto existing team structures.

Why? Of course, from a company’s point of view, the less experience you have, the cheaper you are to hire. But I don’t believe that money is the core factor underlying this trend. Companies are beginning to understand the value of training staff. They want to train new employees from scratch – to progress and develop individuals from within – in other words to follow an organic model of growth.

Organic growth is the growth rate that a company can achieve by increasing output internally. In basic terms, it is the expansion of a firm using its own resources to boost productivity and profitability. Clearly, this involves creating structures and systems that engage all staff, the establishment of a common culture and shared language that embodies the spirit of the firm’s own organic growth model, and it must be led from the top. So, what do you need to put in place to succeed with this model?

Training and the organic growth model

Training is key to the success of this model. Personally, I have always seen the value in this approach, which is probably part of the reason why I have now moved from a recruitment role into a training and development role! Not only does training, and the potential it creates for internal promotion, enhance individuals’ self-worth, it also allows employees to see ahead, to plan a career path in terms of their own personal growth, crucially, within the company they have joined.

When employees aren’t becoming bored, when they are learning new skills, when they are constantly faced with new challenges, staff retention improves. And the culture of the company remains energetic and engaged, which makes for an attractive workplace environment and builds and reinforces that all-important corporate loyalty.

It’s also important to note that this emphasis on training isn’t just aimed at the inexperienced and, for the organic growth model to be successful, it shouldn’t be confined to new entrants. As Albert Einstein said: “Intellectual growth should commence at birth and cease only at death.” Henry Ford was more blunt: “Anyone who stops learning is old, whether at 20 or 80. Anyone who keeps learning stays young.” It doesn’t do to get complacent and to take the view that training shouldn’t have to apply to you, just because you are a deputy head of or even a head of department. The significance of learning is that it never stops and, within the organic model properly applied, senior staff will be enhancing their skills through training throughout their career and, as a result, helping to boost the sustainability of their company.

In my view, the most successful organisations (and this applies across multiple industries) are open-minded and willing to take on change. This means they are constantly evolving and adapting but without destroying core culture along the way.

A world of no training

Imagine a world without training. What would that look like? Well, in all likelihood it would be complete and utter chaos! You arrive at a company and you are thrown in the deep end. It’s ‘sink or swim’. Well, you want to ‘swim’ so you use all the resources available to you – you copy other people, you try anything that might work. It’s stressful. You might pick up bad habits and bad practices that will not benefit you or the company. You might quit.

Of course, it takes time to train employees, and time is money. Money wasted? Well actually, no. The real question businesses should be asking themselves is: “What is the cost if you don’t train an employee?”

The challenge in today’s business world is that some companies are still stuck in the old mindset of seeing training merely as an expense rather than as an investment. What needs to be realised is that an 'untrained' employee will: a) inevitably not have the knowledge to use company resources properly and b) probably not feel valued enough to stay loyal to the firm.

Investing in training is, of course, an expense but failing to do so is a risky business strategy. And the rewards – in terms of business profitability and strong, sustainable growth – are clear to see. The concept of training is transferable across all industries. It is disappointing that there are companies out there that are continuing to hire someone to do a job and don’t really care that they will move on quite quickly because there is no organic growth model with the appropriate training / skills development / career structure in place. How long will it be before these companies realise the impact this short-term thinking has?

Choose the right model

What can you train in? In short, the answer is 'anything'. Whether it’s internally at work or something you are passionate about outside of work, there is almost a 100% guarantee that you will be able to do some sort of training and that it will have some kind of benefit to your employability. Want to learn how to scuba dive? Go to Barracuda Point and take some lessons (yes, this has been voted the number one scuba diving point in the world by scuba aficionados).

Specifically, within compliance, you want to become a specialist in a particular area of compliance? Try the ICA intermediate qualifications. You want to move over to compliance? Well the ICA has the training opportunities you need to make the move into this new field (see, for example, Box 1).

Undertaking training and continuing qualifications to enhance career prospects is becoming an increasingly significant part of modern business. Although there are exceptions, the business model that values training – to maintain growth and retain staff – is rapidly becoming the norm. When you are considering taking on a new role, check out the training process: it will tell you a lot about the company you are thinking of joining. Is it forward thinking, committed to staff development or stuck in an outmoded business model based on the individual’s ability merely to ‘get on with the job’? I know which model I would choose. Do you?

Keeley Fitzsimmons is a Principal Consultant at Broadgate Search. She specialises in placing all types of compliance professionals of all levels. She is also Broadgate Search’s Diversity and Inclusion Ambassador. Please get in touch if you’d like to arrange a conversation with her.

Email: keeley. [email protected] Tel: 0203 817 9757


CAREER CORNER

Companies are beginning to understand the value of training staff. They want to train new employees from scratch – to progress and develop individuals from within

For the organic growth model to be successful, it shouldn’t be confined to new entrants


INSPIRATIONAL LEARNING FOR YOUR TEAMS

Our in-house training is available all over the world. We've worked with hundreds of clients including HSBC, EY, PayPal and Vodafone and we can do the same for you. Call us on +44(0) 121 362 7678 to discuss your training needs or visit www.int-comp.com/in-house

As ICA's longest standing training partner, we've been providing their qualifications in-house to both small firms and multi-nationals for the last 16 years. We also offer tailored regulatory and financial crime compliance training solutions based on the unique needs of your firm.

• Increase the knowledge, skills, performance and confidence of your staff
• Enhance your firm's risk management
• Gain competitive advantage and retain the best talent


Revalidate and recertify your Diploma knowledge

• Anti Money Laundering
• Governance, Risk and Compliance
• Financial Crime Prevention

Keeping up to date in a formally recognised way is important for any regulatory or financial crime compliance professional. If you completed your ICA Diploma over two years ago, you can now recertify your qualification with this affordable and accessible top-up programme.

The programme includes two virtual classrooms run by our training partner, International Compliance Training, covering the latest hot topics, case studies as well as group discussions and assignment preparation. Refresh your knowledge and skills and demonstrate your commitment to CPD by recertifying your ICA Diploma.

For further information please visit www.int-comp.org/masterclass


CRYPTOCURRENCY REGULATION

Tales from the crypt

James Emery-Barker considers the issues surrounding the regulation of cryptocurrencies

Within recent months the speculation and commentary regarding cryptocurrency regulation has fluctuated as exponentially as the price of Bitcoins.

Christine Lagarde, head of the IMF, publicly stated that international regulatory action on cryptocurrencies is “inevitable” and the Central Bank Governors of France and Germany requested that the monetary implications of cryptocurrencies be part of 2018’s G20 talks.

The U.S. Treasury’s Office of Terrorism and Financial Intelligence undersecretary has also called on the international community for stronger cryptocurrency regulations, highlighting as an example of US intentions the $110m penalty levied at cryptocurrency exchange BTC-e¹ for failure to register as a money transmitter.

Following the 2018 Bitcoin price slump, the recent decision by Lloyds and Virgin Money to disallow credit facilities to be utilised for their purchase shows that banks are now considering the credit risk implications of cryptocurrencies alongside their previous financial crime concerns. On 12 February, the European Supervisory Agencies released a statement warning consumers of the risks of buying virtual currencies, including price volatility, lack of transparency and the lack of consumer information available.

Risk appetite

Bitcoin speculation and criminal exploitation of the mechanism have partially eclipsed the intentions of the original libertarians who set up cryptocurrencies as a peer-to-peer intellectual exercise.

Research into banking industry practice suggests that the appetite for allowing individual customers to transact as Bitcoin traders varies, with closure of accounts highlighting Bitcoin activity being commonplace where deemed outside risk appetite. Interestingly, Facebook has similarly considered cryptocurrency adverts as being outside risk appetite.

However, given that there are over 1,000 different types of cryptocurrencies in circulation, and that the technology offers distinct trading advantages through blockchain ledger recording, the avoidance of FX issues and the inbuilt ability to record contractual information, it is unlikely that they will simply disappear. As of September 2015, there were over 14.6 million Bitcoins in circulation with a total market value of $3.4bn.

Cryptocurrencies are therefore no longer the sole preserve of specialists, as Bitcoin ATMs and debit cards are becoming increasingly popular, allowing virtual payments to be both made and received by the general public. Bitcoin mining and speculation is now performed on an almost industrial level with thousands of machines being utilised for this process, becoming big business outside the realms of the individual.

Regulation therefore does seem inevitable, perhaps following the US, Japanese and Australian models, which are in early stages of implementation.

If regulation makes it illegal to utilise unregulated cryptocurrencies to purchase tangible assets this may make them less attractive to criminals. Additionally regulation may assist consumer protection in scenarios where people have been encouraged to invest in dubious schemes such as the alleged pyramid scheme, One Coin, which was recently closed down by Bulgarian authorities. The lack of current regulation and monitoring means it is difficult to know the true scope and size of unmeasured criminal activity taking place.

Potential issues

There are conflicting legal precedents over whether cryptocurrency is a legal and recognised currency, or outside the parameters of money laundering prosecution, which means defining the scope and depth of future regulation will be problematic and likely to provoke court arguments around tangibility, human rights and proof of ownership. Current scenarios highlighting this interpretative problem include bankruptcy and divorce situations.

As cryptocurrencies are not issued by any central authority they are currently, theoretically, immune to government interference or manipulation. The currency is therefore not backed by government assets, and its value fluctuates solely based on supply and demand.

Whilst there is an argument that the ethereal nature of a cryptocurrency is little different to a debt instrument that has been divided and subdivided tenfold beyond its inherent backed value, investors cannot reasonably expect governments to protect or back losses as they might with conventional savings protection, or to prop up a cryptocurrency that gets into financial difficulty.

Being virtual and without a central repository, a digital cryptocurrency balance can potentially be wiped out. Once all mined Bitcoins are in circulation it will be interesting to observe whether the current ledger maintenance continues when there is no reward from mining. Given the proposed inclusion of environmental crime as a predicate offence in the 6th Money Laundering Directive it may similarly become less attractive to mine cryptocurrencies on an industrial scale.

Lastly, there is also the argument that the regulated sector could be seen as colluding to discredit and devalue cryptocurrencies such as Bitcoin. However, given the impersonal nature and lack of ownership of Bitcoins it is unlikely this could result in legal cases unless Bitcoin investors sought a class action against the entire regulated sector.

Practical implementation

Following regulation in the US, the Securities & Exchange Commission is encountering examples of Initial Coin Offerings being conducted illegally. Their arrangers are bypassing laws with complex and structured offerings to disguise the true offering. Money laundering regulation therefore will need to develop in line with sophisticated attempts to evade detection.

Regulation may further drive underground the number of illegal or non-regulated currencies, which will simply be used in a peer-to-peer manner or on the dark web, and remain completely undetected by the regulated sector. From a purely practical perspective banks will have to develop controls to identify cryptocurrencies that extend beyond basic monitoring systems identifying crypto exchanges via merchant codes.

Users wishing to remain anonymous have already started utilising ‘mixing’ services, which will mix cryptocurrencies with those of strangers. Companies offering these services are commonplace and openly called names like ‘Bitlaunder’ to anonymise the history of the cryptocurrency. When co-mingled with legitimate activity, banks will again face monitoring and due diligence costs of implementing methods of detection.

Financial crime concerns aside, it will be interesting to observe whether the regulators will expect the traditionally regulated sector to identify and protect customers deemed as vulnerable utilising cryptocurrencies, who face financial hardship from bogus schemes or price slumps. Arguably, given the general public's lack of understanding of cryptocurrencies, most users could potentially be deemed as vulnerable in this respect.

In practical terms the regulated sector will be expected to address these risks. Even by embracing cryptocurrencies within this sphere, it may transpire that the costs of regulation and policing may ironically be at least partially picked up by the same financial institutions that are largely ambivalent towards these emergent technologies.

James Emery-Barker is a Financial Crime Manager, Operational Risk at Tesco Bank

1. https://www.coindesk.com/alleged-btc-e-administrator-i-do-not-consider-myself-guilty/


OECD GLOBAL ANTI-CORRUPTION FORUM

The Chronicles of Planet Integrity

Anastasia Savvateeva reports from the OECD Global Anti-Corruption & Integrity Forum 2018

In the last week of March over 2,000 professionals from a variety of fields within the private and public sector, as well as from NGOs and other international bodies, convened at the OECD Global Anti-Corruption & Integrity Forum – Planet Integrity: Building a Fairer Society – an event that promised to provide valuable insights, best practices, and support.

The 6th edition of the Forum featured many prominent speakers and placed a notable emphasis on gender equality and women’s rights. Indeed, out of 127 delegates almost 50% were women, including many involved in projects of public interest, activists, independent journalists, lawyers, private sector employees and politicians.

As in previous years¹ the agenda was tightly focused, revolving around the different aspects of building and promoting integrity and implementing anti-corruption policies and procedures. Several practical workshops provided concrete knowledge and vision on specific issues such as tax, illicit trade, human trafficking, public infrastructure and many others.

Episode I: Houston, we have a problem

Angel Gurria, OECD Secretary General, opened the event on a somewhat pessimistic note, with a discussion of the OECD’s main findings in respect of trends and challenges surrounding integrity and anti-corruption.

“Planet Integrity is not a distant dream, it’s an urgent necessity,” he told the audience. “Our citizens are losing faith; a situation that worsened with the crisis. On average, only two fifths of citizens in OECD countries (42%) have trust in their national government. Trust in business is slightly better, but not by much. In 2017, just over half of the people surveyed by the Edelman Trust Barometer (52%) trusted business. Corruption is often a faceless and borderless crime.”

His dismay was shared by Katrin Jakobsdottir and Erna Solberg, Prime Ministers of Iceland and Norway respectively, who admitted that while the Nordics are viewed as model countries, “serious issues with integrity and corruption may exist”.

According to Gabriela Michetti, Argentina’s Vice-President, countries do not lack decent anti-corruption laws, what they lack is enforcement. Without enforcement, it is impossible to create an adequate framework to fight corruption.

As Transparency International Chair, Delia Ferreira Rubio, reasonably pointed out: “Today, many public leaders and private companies’ management boards announce their commitment to integrity. They know what integrity is. But they do not understand what commitment is.”

With that in mind, the OECD has turned the spotlight on the importance of educating the youth about integrity. A special report² was presented during the Forum and a new educational programme was announced.

Finally, some thought-provoking points were made on the latest OECD Foreign Bribery Report (2014), which stated that intermediaries were involved in three out of four foreign bribery cases; bribes were promised, offered or given mostly to employees of public (i.e. state-owned) enterprises; only 2% of cases were instigated by whistleblowers; and 69% of cases were settled with sanctions. These key findings outlined some of the topics discussed during the parallel sessions.

Episode II: Breaking the conspiracy of silence

Whistleblowing (and whistleblower protection) was one of the focal points of the Forum, especially following recent multiple murders of investigative journalists in Slovakia and Malta. Such concerns are timely: indeed, several countries – including the host of the event, France – have adopted anti-corruption laws that also provide for whistleblower protection. However – as seen recently in the US, where the Supreme Court, in February 2018, reversed a previous decision of the Court of Appeals, adopting a more restrictive definition of a whistleblower under the Dodd-Frank Act³ – most of these laws do not clearly define a whistleblower and offer protection only in limited circumstances.


In France, several recent laws dealing with corruption issues even create overlapping regimes for whistleblowers.

Finally, with a new French Bill on “business secrecy”, initially intended to protect French companies from abusive competitive practices, unfair competition and theft of trade secrets, whistleblowers will have to prove that, when disclosing misconduct and wrongdoings, they act “in good faith”. This has already led to concerns being raised by journalists and civil society in France, as well as by the OECD.

Speakers underlined the increasing role played by social media in whistleblowing. Indeed, Dorothée Myriam Kellou, a freelance journalist, found information on Lafarge payments to terrorist organisations in Syria on Facebook pages of its Syrian employees.

Another issue raising concerns is the rewards paid to whistleblowers: should we pay them to be honest and blow the whistle, when it is their civic duty to report wrongdoings? Or are we paying them for the risks they take by disclosing unethical or illegal behaviour?

Episode III: Forbidden planet or a new hope?

A growing number of bribery cases have been resolved through non-trial resolutions. The first settlement of this kind ever achieved in continental Europe saw the light in France, through the French equivalent of a deferred prosecution agreement – the “convention judiciaire d’intérêt public” – newly-introduced under the Sapin II Anti-corruption Law.

According to Daniel Kahn, Chief FCPA Unit at the US DoJ: “As additional countries step up and engage in the fight against corruption, there are additional complexities and obstacles that arise, both for the various authorities investigating and prosecuting the cases and for the companies and individuals subject to those enforcement efforts. But those are complexities and obstacles we must and will confront and overcome in order to most effectively combat transnational corruption”.⁴

This statement closely echoes the need for cooperation between authorities, especially with regards to cross-border corruption. This topic was the particular focus of one of the parallel sessions on day two, when Drago Kos, Chair of the OECD Working Group on Bribery, underlined the necessity of making international cooperation practical and the potential that tax authorities have to further the fight against corruption.

However, this cooperation would be incomplete without the input from state-owned and private companies.

As Marco Reggiani, General Counsel of Snam, put it: “Integrity is in your mind, but also in your heart”. Frans Timmermans, First Vice-President of the European Commission, was convinced: “You cannot be slightly fair. You are fair or you are not”.

Spreading the word

In summary, the Forum provided useful practical ideas for participants to take away, digest, and apply in their roles. As one of the attendees, Adriana Peralta Ramos, Chief Compliance Officer at El Palacio de Hierro (Mexico), put it: “It was an event full of learning opportunities and the sharing of best practices, example cases and experiences. I also welcomed the emphasis that was placed on spreading the message about improving integrity through educating children and future generations. In all, it was a positive event, which outlined both the tools and the energy to tackle corruption, a fight that each of us must see as our own.”

There is still considerable progress to be made in the global fight against corruption. I will hope to see some of you at the next OECD Global Forum for Integrity & Anti-Corruption.

Please note that all the opinions expressed in this article are personal ideas of the author and the interviewees and should not be considered as views of their respective employers.

Anastasia Savvateeva, AICA, Cert(FinCrime), Adv.Cert (CDD) works in the Compliance Department in a large audit firm. She deals with issues related to anti-money laundering, KYC/CDD and financial crime prevention. She is also responsible for quality/compliance controls and works on regulatory compliance issues. Prior to this, she dealt with financial crime issues in the banking and financial sector. https://fr.linkedin.com/in/anastasiasavvateeva/en

1. Previous OECD Integrity Forums dealt with integrity in a specific context, e.g. in 2016 it tackled corruption and integrity in global trade; in 2015 it focused on integrity in investments

2. “Education For Integrity: Teaching on Anti-Corruption, Values and the Rule of Law”, OECD, 2018

3. Digital Realty Trust, Inc. v Somers (21/02/2018), US Supreme Court

4. Interview of Daniel Kahn given to the OECD, note prepared for the session on Settling Foreign Bribery Cases with Non-Trial Resolutions

Get more on the CPD Portal

• Bribery & Corruption: Case studies to consider Best Practice in Managing Risk https://www.int-comp.org/cpd/bcbestpractice
• Laundering the proceeds of corruption - Part I https://www.int-comp.org/cpd/corruptionpart1
• 1MDB, ‘the world’s biggest financial scandal’ https://www.int-comp.org/cpd/1mbdscandal

Not a member?

For access to the ICA CPD Portal, among other benefits, become a member today: www.int-comp.org/membership


Contact our approved training provider, International Compliance Training for enrolment and studying queries:

0121 362 7534 | [email protected]


Education is the fuel that drives professionalism

Demonstrate your commitment to regulatory and financial crime compliance

The ICA Diploma series is designed for the experienced practitioner looking to underpin their expertise with a professional, recognised qualification.

• ICA Diploma in Governance, Risk and Compliance
• ICA International Diploma in Anti Money Laundering
• ICA Diploma in Financial Crime Prevention

Awarded in conjunction with the Alliance Manchester Business School, the University of Manchester, you can be assured that you’re studying for a worthwhile qualification that is the benchmark of excellence.

What does it cost?

ICA Membership fee: £97 + VAT

Course fee: £3350 + VAT

Find out more at www.int-comp.org/diplomas


Head Office
Wrens Court | 52-54 Victoria Road | Sutton Coldfield | Birmingham | B72 1SX | UNITED KINGDOM
Tel: +44 (0) 121 362 7747
Email: [email protected] www.int-comp.org

International Compliance Association CPD - 2 points

Advice to Readers

inCOMPLIANCE® is published by the International Compliance Association. Reproduction, copying, extraction, or redistribution by any means of the whole or part of this publication must not be undertaken without the written permission of the publishers.

inCOMPLIANCE® is distributed as a free member benefit to all members of the International Compliance Association.

Articles are published in good faith without responsibility on the part of the publishers or authors for loss occasioned to any person acting or refraining from action as a result of any views expressed therein. Opinions expressed in this publication should not be regarded as the official view of the ICA or as the personal views of the Editorial Board members of inCOMPLIANCE®.

All rights reserved in respect of all articles, drawings, photographs etc published in inCOMPLIANCE® anywhere in the world. Reproduction or imitations of these are expressly forbidden without permission of the publishers.

Printed in England
