ISSUE 36 inCOMPLIANCE · Key takeaways from conference will include peer discussions ... 22 Ra...


Into the light?

ISSUE 36

YOUR MAGAZINE FROM THE INTERNATIONAL COMPLIANCE ASSOCIATION

inCOMPLIANCE ®

Politics, panic and pandemonium? p.14

Getting the measure p.17

Avoiding the pitfalls p.42

£4.95 where sold separately


ICA’s inaugural Asia Pacific conference: The BIG Compliance Conversation is coming to Singapore!

20-21 November 2018, Marina Bay Sands

On the back of the huge success of the BIG Compliance Conversation London, we’re taking the conference on the road to Singapore!

Expect a day packed full of practical insight with inspirational keynote speakers and industry thought leaders from the ICA Fellowship as well as pre-conference masterclasses delving more deeply into the latest hot topics.

This event is designed to get compliance professionals talking about the latest risks, challenges and opportunities in the world of regulatory and financial crime compliance and to help move the compliance agenda forward. Key takeaways from the conference will include peer discussions and practical insight that provide valuable opportunities to share with your teams.

Find out more: www.int-comp.org/conference-singapore


Editorial Board

Kathryn Cearns, Independent Consultant

Jee Meng Chen, Commerzbank

Jacob Ghanty, Kemp Little LLP

Tim Porter, Director, TPA (Consulting) Ltd

Tom Salmond, Ernst & Young LLP

David Symes, Compliance Recruitment

Rachel Waldren, ANZ

inCOMPLIANCE® Issue 36

Publisher: International Compliance [email protected]

Editor: James [email protected]

Design: Design & Document [email protected]

Production: Dorinda Gibbons & Sophy [email protected] [email protected]

Advertising Queries: Dorinda [email protected]

Executive President, International Compliance Association: Bill [email protected]

ICA Membership Enquiries: Jo [email protected]

ICA Qualification Enquiries: Debbie [email protected]

Article Enquiries [email protected]

International Compliance Association CPD - 2 points

Advice to Readers

inCOMPLIANCE® is published six times a year by the International Compliance Association. Reproduction, copying, extraction, or redistribution by any means of the whole or part of this publication must not be undertaken without the written permission of the publishers.

inCOMPLIANCE® is distributed as a free member benefit to all members of the International Compliance Association.

Articles are published in good faith without responsibility on the part of the publishers or authors for loss occasioned to any person acting or refraining from action as a result of any views expressed therein. Opinions expressed in this publication should not be regarded as the official view of the ICA or as the personal views of the Editorial Board members of inCOMPLIANCE®.

All rights reserved in respect of all articles, drawings, photographs etc published in inCOMPLIANCE® anywhere in the world. Reproduction or imitations of these are expressly forbidden without permission of the publishers.

Printed in England

As this edition of inCOMPLIANCE® goes to press, England is celebrating its first successful penalty shootout in World Cup history, with heat wave temperatures in the UK adding to the ‘feel good’ factor. But while the tournament is providing entertainment for millions worldwide, the persistent backdrop of corruption within the game is hard to overlook.

Notably, the Ghana Football Association scandal – in which the Association’s president was filmed apparently accepting a bribe – casts its shadow over proceedings, with many suggesting that African football more broadly is being held back by bribery and corruption. Similarly, David Walsh, writing in The Times, urged readers not to blame Lionel Messi for Argentina’s shortcomings at the tournament, as “the real culprit is corruption in the Argentine FA”.

And, of course, underpinning the entire piece are accusations of impropriety within the bidding process, detailed by Ken Bensinger in his recent book, Red Card: FIFA and the Fall of the Most Powerful Men in Sports. Released to coincide with the tournament, extracts from the book have been widely reproduced. And Bensinger’s description of FIFA’s executive boardroom at its Headquarters in Zurich – buried three storeys underground – is particularly telling. Bensinger writes: “No sunlight was allowed to penetrate the enclosure, Blatter explained on occasion of the building’s opening, because ‘places where people make decisions should contain only indirect light’.” Let us hope for more transparency in the game in the future.

A funny old game?

James Thomas

Editor


Contents

REGULAR FEATURES

3 Editor’s comment
The bright party lights of the World Cup cast the darkest of shadows, writes James Thomas

6 ICA News
A roundup of the latest news and events from the ICA

8 Industry News
A summary of recent developments affecting Financial Crime Prevention, GRC, AML and CDD professionals

17 SM&CR
David Jackman highlights the challenges of, and approaches to, measuring performance under the SM&CR

28 Career Corner
Durshan Mistry provides his take, for the modern-day risk professional, on how to win friends and influence people … and build a successful career in the process

IN THIS ISSUE

10 Into the light?
David Robson considers the impact of declination upon self-reporting under the FCPA

14 Politics, panic and pandemonium?
Vladimir Berezansky discusses the politicisation of compliance

20 A matter of trust
In an era of synthetic identities, Niel Bester stresses the need for trust

22 Raising the stakes
Tim Porter and Nick Parfitt consider the compliance challenges facing the gaming industry

25 Stronger together
Sally Afonso makes the case for cross-sector learning to develop the strength of the compliance profession and the individuals within it


31 Making waves
James Young suggests how junior compliance professionals can make an impact at the early stages of their career

34 Between the lines
Sherin Han and Jee Meng Chen assess the purpose and value of the FCR Assurance function

38 The Magnitsky Provisions: a compliance challenge?
Diana Czugler and David Jones consider the compliance implications associated with the introduction of Magnitsky provisions in the UK

42 Avoiding the pitfalls
Salima Nanji offers some tips to avoid falling foul of the GDPR

45 Managing Fraud & Risk in the Prepaid Sector
Diane Brocklebank provides an overview of financial crime risk and regulation within the prepaid sector

Have you thought about writing an article for inCOMPLIANCE®?

Writing an article is a great opportunity to raise your profile within ICA and present a topic of relevance to your fellow members. Writing an article on anti-money laundering, compliance, financial crime or associated disciplines will also earn you valuable CPD!

Visit tinyurl.com/writeanarticle and download our document on Article writing tips and Blogging Best Practice to enhance your skills in this area and learn about structure, themes and writing style.

Please note: you don’t have to be an ICA Member to register your interest in submitting.

If you are interested in writing an article for inCOMPLIANCE, email us at: [email protected] and remember to include your full name and your topic of interest.


Reaching the pinnacle

Professional education has changed significantly over the past few years. In my role as Chairman of ICA, I wanted to share with you some recent innovative developments in our higher-education offerings for senior compliance professionals.

As the leading professional body in compliance education, and in collaboration with the University of Manchester Alliance Business School, ICA has developed highly-regarded vocational qualifications for the sector. In response to growing demand for higher-level qualifications, ICA has created two new Professional Post-Graduate Diplomas (PPGDip) in the areas of Governance, Risk and Compliance (GRC) and Financial Crime Compliance (FCC).

The ICA PPGDip is the pinnacle of the ICA education regime and was created for busy professionals who are operating at, or aspire to operate at, leadership level. Typically, it takes nine months to complete a PPGDip, and during that time students attend nine high-level face-to-face masterclasses before completing a formal assessment.

To minimise the demand on delegates’ time, we condensed the masterclass delivery into two intensive residential weekends, held at the world-renowned university centre of Oxford here in the UK. We make all the arrangements, including accommodation and private dinners with guest speakers. It’s ideal for time-pressed business people and students also fly to Britain from all parts of the globe. The weekends also offer fantastic networking opportunities in the peaceful environment of some of the most distinguished Oxford colleges.

A particular area of innovation is the introduction of oral assessment by way of competency-based interviews as well as assessment of candidates’ written submissions. This dual-facing approach appeals particularly to students who embrace the concept of face-to-face assessment.

Graduates from the programmes can top up their qualifications if they so wish; the PPGDip qualifies candidates for direct entry into Masters degrees online at universities globally. These PPGDip programmes have become major flagship qualifications for ICA and have been received enthusiastically by delegates and employers alike.

Well done to the ICA and International Compliance Training teams.

Bill Howarth ICA President


ICA NEWS


ICA Award Ceremony April 2018

It has come to our attention that a successful graduate was omitted from the Roll of Honour displayed in the May edition of inCOMPLIANCE®. We are sorry for this oversight and want to congratulate Ozlem Alemdar Aksu on her successful achievement of the ICA International Diploma in Governance Risk and Compliance.

Make your Contribution!

We are always looking for new people to add their contributions through articles, blogs, and knowledge pieces for our CPD centre. If you’d like to contribute an article as part of the BIG Compliance Conversation get in touch with us at [email protected]. Don’t worry if this is your first time writing for us, we will assist you in any way that we can. Find out more and join our compliance community #BigCompConvo.

The BIG Compliance Conversation is coming to Singapore

Following the success of ICA’s Annual Conference in London in April, we are taking the BIG Compliance Conversation to Singapore in November. Take a look at the advert on pg 2 for more details.

Exciting new partnership with the European Bank for Reconstruction and Development

In our pursuit of global best practice, ICA is proud to partner with the European Bank for Reconstruction and Development (EBRD) on a number of initiatives in trade-based financial crime compliance.

For the first time in the history of ICA and EBRD, two institutions will be jointly funding scholarships for two qualifications that will be offered to EBRD’s partner banks: the ICA Certificate in Know Your Customer (KYC) / Customer Due Diligence (CDD) and the ICA Specialist Certificate in Trade-Based Money Laundering (TBML). To ensure wider awareness of international financial crime compliance practices among state authorities, the training will also be offered to the central banks in selected countries of operation.

The ICA and EBRD jointly-funded qualifications are designed to achieve educational excellence in the areas of KYC/CDD and AML by fostering a holistic approach, tailored for the specific needs of the target audience operating within 120 EBRD partner banks.

For more information please read the full press release here http://bit.ly/2I2Tgvh

Dates for your Diary

While we don’t want to see the end of Summer, we are already looking to the Autumn for the ICA Open Day, briefing events and Member CPD Hot Topic Events. We will be visiting Athens, Dublin, Guernsey, Hong Kong, Isle of Man, Jersey, London, Madrid, Manchester and Singapore, so if you are a member and want to come along to a free CPD event and network with your fellow members, or are interested in an ICA qualification then come and see us at one of the events. See the advert on pg 47 or visit the ICA website for more details.


INDUSTRY NEWS

J5: international collaboration on tax crime

The Joint Chiefs of Global Tax Enforcement (J5), a new taskforce dedicated to tackling international tax crime and money laundering through the sharing of information and expertise, launched this month. The J5 comprises senior officials from the tax and criminal authorities in the UK, Canada, the Netherlands, the United States and Australia, who will “work together on joint operations to crack down on those who make a living out of enabling tax crime”.

“International cooperation and information sharing are reaching new levels as the implementation of the OECD’s Common Reporting Standard continues. However, we have never before had a group of jurisdictions actively working together,” commented Richard Morley, Partner in the Tax Dispute Resolution Team at BDO. “Collaboration between the five countries will prove a vital tool and a good example of how world leaders can tackle tax fraud as it becomes ever more complex. The ability to share information and expertise, and to craft effective plans and strategies on a joint basis, will bring a new level of transparency to the fight against global tax fraud.”

https://www.gov.uk/government/news/tax-chiefs-unite-to-tackle-international-tax-crime

Fraud: Anticipating the future

“Why are we still so bad at seeing fraud coming and trying to design it out of our great innovations?” asks a new report by the Fraud Advisory Panel, which is celebrating its 20th anniversary. “The explosion of fraud and cybercrime is not an act of nature,” suggests the report. “Nor did it appear without warning. It represents a comprehensive failure of imagination by industry, law enforcement and government. A failure which allowed new technology to rapidly increase the exposure of honest citizens to predatory crime while simultaneously hobbling their guardians.”

The report includes contributions from leading thinkers in the areas of artificial intelligence, cybersecurity, data, Blockchain and beyond, outlining their views on emerging fraud threats. It can be downloaded at:

https://www.fraudadvisorypanel.org/wp-content/uploads/2018/06/Fraud-Futures-WEB-July-2018.pdf


Half of investors uncertain over wealth management fees

UK wealth managers may be falling short in terms of the accessibility and transparency of fees, in spite of the Financial Conduct Authority’s (FCA) recent recommendation that “Consumers should now see the full costs and charges, expressed as a single fee, for most transactions in investment products, and on an ongoing basis” (FCA Occasional Paper no. 32: “Now you see it: drawing attention to charges in the asset management industry”).

According to a Netwealth survey, conducted by YouGov, half of investors are not sure about all the fees they are being charged by their wealth manager. 37% only knew “most” or “some” of the fees and charges they are paying, while 13% were unclear about any of the fees and charges they are paying. Only 35% had immediate access to information on fees, while 44% could only discover such information through their annual (25%), quarterly (14%) or monthly statements (5%). Nevertheless, 72% stated that “transparency around how fees are charged” is now the most important factor when choosing a wealth manager.

According to Charlotte Ransom, CEO of Netwealth: “Our research indicates that traditional wealth managers are taking advantage of their clients’ trust. They make it extremely difficult for clients to see how their portfolios are performing and to understand fully both the level and the impact of fees that can have such huge negative consequences on their long term savings.”

SEC proposes whistleblower amendments

The Securities and Exchange Commission has proposed amendments to its whistleblower programme. The proposals provide stronger incentives for whistleblowers, although some of the proposals may also deter some whistleblowers from stepping forward. The proposed amendments include:

• Permitting awards based on deferred prosecution agreements (“DPAs”) and non-prosecution agreements (“NPAs”)

• The prevention of potential “double recovery”

• Additional considerations for small and exceedingly large awards.

https://www.sec.gov/rules/proposed/2018/34-83557.pdf

FSB cyber security consultation paper

In July the Financial Stability Board (FSB) will publish a consultation paper on the common cyber lexicon that it has been developing. The lexicon is designed to support the work of the FSB, standard-setting bodies, authorities and private sector participants to address cyber security and cyber resilience in the financial sector, in the following areas:

• The development of a cross-sector understanding of cyber security and cyber resilience terminology

• Working to assess and monitor financial stability risks of cyber risk scenarios

• Information sharing as appropriate; and

• Work by the FSB and/or standard-setting bodies to provide guidance related to cyber security and cyber resilience, including to identify effective practices.

http://www.fsb.org/wp-content/uploads/P200318.pdf

EBA paper critical of Brexit preparations

The UK financial sector’s preparations for Brexit are “inadequate”, according to the European Banking Authority (EBA). In an opinion published at the end of June, the EBA stated that it has been monitoring the level of contingency planning and other preparations being undertaken by financial institutions and it believes that “this planning should advance more rapidly in a number of areas”.

The Authority added that: “Where planning is taking place, some financial institutions appear to be delaying triggering the necessary actions. The time for the required actions to be taken is reducing. Financial institutions should not rely on public sector solutions, as they may not be proposed and/or agreed.”

However, the Chief Executive of the UK Financial Conduct Authority (FCA), Andrew Bailey, has robustly challenged the EBA’s claims, telling The Times CEO summit: “The idea that institutions in London have done no preparation, no thinking about Brexit, I’m afraid, and with all due respect to the EBA, is considerably wide of the mark.”

The FCA has confirmed that it is currently preparing “for a range of scenarios, including one in which the UK leaves the EU on 29 March 2019 without a withdrawal agreement and implementation period having been ratified between the UK Government and the EU.” The FCA also intends to consult this Autumn regarding necessary amendments to its Handbook related to Brexit.

Meanwhile, reports suggest that Barclays is preparing to relocate several roles from its London investment banking operations to Frankfurt ahead of Brexit, following on from previous reports that it aims to expand its Dublin operations. Goldman Sachs is also believed to be planning to relocate several roles to Frankfurt. It is further rumoured that Bank of America will be moving senior bankers from London to Paris, while JPMorgan is believed to be planning to expand its Milan office.

http://www.eba.europa.eu/documents/10180/2137845/EBA+Opinion+on+Brexit+preparations+(EBA-Op-2018-05).pdf


CORRUPTION

Get more on the CPD Portal

• 40 Shades of FCPA: https://www.int-comp.org/cpd/40FCPA

• Internal controls in an FCPA compliance programme: https://www.int-comp.org/cpd/internalcontrols

Not a member?

For access to the ICA CPD Portal, among other benefits, become a member today: www.int-comp.org/membership/why-become-a-member


Into the light?

David Robson considers the impact of declination upon self-reporting under the FCPA

Transparency, accountability and ‘doing the right thing’ are not concepts we traditionally think about when considering incidents of corruption. Indeed, they don’t seem to sit comfortably at all. Yet as anti-corruption legislation evolves, these notions are becoming increasingly intertwined.

The FCPA: a change in approach

The US Foreign Corrupt Practices Act (FCPA) is well known across the world. Its extraterritorial provision, coupled with an appetite for enforcement, mean that the FCPA is a key consideration for compliance professionals. And, interestingly, in line with much of the compliance environment, it is going through something of a change.

April 2016 saw the US Department of Justice (DoJ) launch what was referred to as the ‘Pilot Programme’. This was intended to “provide guidance to our prosecutors for corporate resolutions in FCPA cases, motivate companies to voluntarily self-disclose FCPA-related misconduct, fully cooperate, and, where appropriate, remediate flaws in their controls and compliance programmes.”1

Transparency and accountability were identified as prime motivators and this was reflected in the potential outcome of an investigation: “when a company not only cooperates and remediates, but also voluntarily self-discloses misconduct, it is eligible for the full range of potential mitigation credit”. A key element of this was that there may also be a declination of prosecution.

In the first year of the Pilot Programme, the FCPA Unit received 22 voluntary disclosures, compared with 13 during the previous year. The Programme was extended again in April 2017 until, in late 2017, it was enhanced and transformed into policy. In total, during the year and a half that it was in effect, the FCPA Unit received 30 voluntary disclosures, compared with 18 during the previous 18-month period.2 This indicates that organisations were engaging with it, and the opportunities it presented in terms of transparency and accountability were gaining traction. And, one would imagine, the declination of prosecution played a role in that.

What does a declination mean?

As it suggests, this essentially means that the organisation may not be prosecuted. This is outlined further in the finalised FCPA Corporate Enforcement Policy: “When a company has voluntarily self-disclosed misconduct in an FCPA matter, fully cooperated, and timely and appropriately remediated, all in accordance with the standards set forth, there will be a presumption that the company will receive a declination”.3

What is interesting about this is that, if conditions are met, the declination is suggested to be the default position. Again, it seems this sets clarity for firms and prosecutors, underpinning the consistency of approach from both sides and motivating organisations to self-report an incident of non-compliance. In an age of increasing enforcement actions, this could be viewed as a shift of approach from the ‘stick’ to the ‘carrot’ – encouraging (rewarding?) organisations to ‘do the right thing’ rather than attempt to cover up any wrongdoing. As noted by Deputy Attorney General Rod Rosenstein: “We want to provide an incentive for good conduct”.4

Dun & Bradstreet: a textbook response?

In April 2018, Dun & Bradstreet (D&B) agreed to pay more than US$9m via an administrative order to resolve FCPA charges arising from the activity of two Chinese subsidiaries. This followed self-reporting of the activity, which dated back to 2012 and involved improper payments to Chinese officials.

This represented disgorgement of US$6,077,820, which represented profits gained as a result of the conduct, prejudgment interest of $1,143,664, and a civil money penalty of $2m payable to the US Securities and Exchange Commission. The case did not go to court.

The US Department of Justice noted this disgorgement and issued a declination letter: “based upon the information known to the Department at this time, we have declined prosecution consistent with the FCPA Corporate Enforcement Policy. We have reached this conclusion despite the bribery committed by employees of the Company's subsidiaries in China”.5

The reasons for this were that Dun & Bradstreet:

• Identified the misconduct

• Promptly and voluntarily self-disclosed

• Undertook a thorough investigation

• Fully co-operated, which included:

    • Identifying all individuals involved in or responsible for the misconduct

    • Providing the DoJ with all facts relating to that misconduct

    • Making current and former employees available for interviews

    • Translating foreign language documents into English

• Took steps to enhance its internal compliance programme and accounting controls

• Fully remediated, which included terminating the employment of 11 individuals involved in the China misconduct (including an officer of the China subsidiary and other senior employees of one subsidiary) and disciplining other employees by reducing bonuses, reducing salaries, lowering performance reviews, and formally reprimanding them.

In doing so, Dun & Bradstreet was assessed as being in alignment with the terms laid out in the FCPA Corporate Enforcement Policy.

Whilst it could be argued that there may still be an element of subjectivity in the application of the declination methodology (albeit this is more around the ‘aggravating circumstances’ clauses in the policy), the basis of ‘what good looks like’ in response to a corruption event which falls under FCPA jurisdiction certainly seems clearer now than it has been. But it’s important to remember that prosecution is certainly not a thing of the past.

The importance of culture and controls

There is, of course, an interesting juxtaposition here, touched upon at the start of this piece. Although designed to influence culture and approach, the FCPA Corporate Enforcement Policy remains a post-event tool. To get as far as a declination, a corruption event must have taken place. So, arguably, the influence doesn’t reduce the number of incidents of corrupt activity, so much as encourage them to come to light. The statistics outlined above certainly support that perspective.

As such, it is reactive rather than proactive.

An effective focus on transparency, accountability and ‘doing the right thing’ must surely also manifest in a strong compliance culture and control framework in an organisation in a proactive way. If not, we end up in a situation where the framework was strong enough to demonstrate that an incident was well dealt with post-event, but not sufficient to prevent it happening in the first place.

A declination may be a ‘good’ result for an organisation. But putting a halt to corruption would be a better result for all concerned.

This article is written from the perspective of an interested observer rather than an FCPA expert. If you have an opinion on the contents of this article, please get in touch with inCOMPLIANCE® and join the ICA's Big Compliance Conversation #BigCompConvo

David Robson is Associate Director Research & Development at International Compliance Training


1. https://www.justice.gov/archives/opa/blog/criminal-division-launches-new-fcpa-pilot-program

2. https://www.justice.gov/opa/speech/deputy-attorney-general-rosenstein-delivers-remarks-34th-international-conference-foreign

3. https://www.justice.gov/criminal-fraud/file/838416/download

4. https://www.justice.gov/opa/speech/deputy-attorney-general-rosenstein-delivers-remarks-34th-international-conference-foreign

5. https://www.justice.gov/criminal-fraud/file/1055401/download


The ICA are seeking experienced compliance professionals to assist with the marking of assignments for the following programs:

ICA Diploma in Governance, Risk and Compliance

ICA Advanced Certificate in Compliance

ICA Advanced Certificate in Business Compliance

ICA Advanced Certificate in Legal Compliance

We are looking for individuals with strong industry experience and/or a good academic background; excellent written skills are also essential. Markers are required to keep to tight schedules but workloads can be adjusted to fit around full time employment. This role would be ideal for someone wishing to work part-time.

The position offers excellent rates of pay and membership of the ICA. Experience of marking is not necessary as any interested persons will be trained and mentored through the process by the ICA Assessment team.

ICA markers

Compliance positions

If you are interested in becoming a member of the team please submit your CV to Phillip Bryant, ICA Senior Manager for Qualifications and Assessment at [email protected] or call +44 121 362 7657 to discuss further.


Our new Jobzone is now open! Updated on a regular basis, Jobzone is designed to help you progress your career by providing you with all of the latest industry news. Professional and Fellow members can also advertise jobs here, for free!

If you are interested in placing an advert, please contact [email protected] for further details.

Visit www.int-comp.org/careers/job-zone for further details.


REGULATION AND POLITICS

Politics most certainly makes for strange bedfellows ... and if we toss East-West geopolitics, Brexit, and Anglo-American anti-money laundering (AML) policymaking into the mix, the resulting brew is well nigh explosive. Herewith, a few ostensibly unrelated developments from the frontlines:

• USA – The latest (2017) round of Russian sanctions – the Countering America’s Adversaries Through Sanctions Act (CAATSA) – articulated a wider list of so-called 'Friends of Putin' (the ‘Oligarchs Report’ as mandated by Sec. 241) who, whilst not necessarily subject to specific sanctions – such as the Specifically Designated Nationals (SDNs) of the original (2014) sanctions regime – were effectively named as ‘sanctionable’ and, therefore, subject to a much greater margin of risk vis-à-vis existing and potential business counterparties, who suddenly had little choice but to blacklist them pre-emptively.1

• Cyprus – Media reports indicate that the compliance services of Cypriot banks have suddenly initiated a review of Russian bank account owners, requiring that they explain the grounds for all their transactions over the past 15 (!) years. Apparently, this new initiative was the direct result of a recent visit to the country by representatives of the US Treasury Department’s Office of Foreign Assets Control (OFAC). Their mission was reported as intending to “cut off money laundering channels around the world, as well as ensure the sanctions are complied with.”2

• Latvia – In March 2018, the US Government warned Latvia that its banks are still involved in money laundering despite the enforced liquidation of ABLV, the country’s third-largest lender, following similar allegations, according to the Baltic state’s finance minister.3

• UK – Russian oligarch Roman Abramovich has been denied renewal of his UK investor’s visa, following which he applied for and received an Israeli passport. However, UK government officials have indicated that Mr Abramovich should not feel at ease to enter and leave the UK at will, even though, by law, his new passport permits him to visit the UK on business for up to six months per trip.4 (This particular expression of the UK government’s recently adopted policy of froideur also cost supporters of the Chelsea Football Club a new stadium that Mr Abramovich had been planning to build.)

Politics, panic and pandemonium?

Vladimir Berezansky discusses the politicisation of compliance


These are all aftershocks of shifting tectonic plates – in this case, the sheer bulk of Russian offshore wealth abutting the reinforced vigour of enhanced AML vigilance, primarily by US and UK regulators. As the above examples illustrate, we are witnessing a collision on an epic scale – ripples of great tides of historical forces that stretch back to 1991, and even as far back as 1917.

Shifting definitions, evolving understandings

On a disturbingly wide and increasing scale, the description of someone or something as being ‘Russian’ now evokes a visceral reaction – quite literally, an adrenaline jolt from the medulla oblongata – rather than entering as information to be weighed and analysed by the cerebral cortex. Indeed, the atmosphere, at times, borders on open panic and pandemonium. In early June, for example, British and foreign media reported that Arron Banks, a UK businessman who funded one of the main campaigns for Brexit, had “links with Russia”. Links with Russia?! Stop the presses!!5

To be sure, there is usually a kernel of truth – perhaps more than one – to the circumstances giving rise to such waves of collective paranoia; but the level of discourse has become so debased that key players – primarily, politicians and regulators – have seemingly lost the ability to distinguish policies that tendentiously assert their nation’s unilateral advantage from regulatory standards that must, by all means, remain neutral as being universal.

To revert briefly to basic principles, financial regulatory regimes exist to ensure equal access to and fair play within financial markets. Barriers to market entry – e.g. licences – must be applied in a fair, unbiased and transparent manner in order to preserve market integrity, as well as (no less important) the perception thereof. Applying these commendable principles becomes more difficult, however, at the ‘fringes’ of a financial regulatory regime. This usually arises in aspects of regulatory control that are inherently more susceptible to politicisation, such as trade sanctions, anti-monopoly / anti-trust restrictions, and AML / Countering the Financing of Terrorism (CFT).

The challenge is to step back from the fray in order to assess for oneself the extent to which some aspect of a financial regulatory regime has been inordinately politicised. What criteria might be applied in making this assessment? Any analysis should begin with the positing of a spectrum that, at one end, contains broadly recognised policy goals – i.e. preventing almost universally identified ‘bad actors’ such as narcotraffickers, organised criminal groups that profit from exploiting inadequately protected persons (primarily women and children), third world dictators, and other corrupt government officials, etc., from benefiting from or legitimising the proceeds of their illicit activities – and at the other end are grouped what might be deemed more subjective or politicised priorities.

The key in such an exercise is to extrapolate various vantages that might have differing – even conflicting – views as to which regulatory policy goals should be deemed subjective. For example, Cuban Americans in Miami might consider maintaining an embargo on their Cuban homeland as a broadly recognised policy goal; but the vast majority of the world’s population might consider this a subjective, politicised priority. The same might apply for a Taiwanese citizen’s assessment of the need to maintain an embargo on mainland China, or an Arab nation’s boycott of Israel.

The point here is not to pick and choose which financial regulatory restrictions are to be enforced and which might be ignored. The remit of the Compliance function is to apply and enforce the entire financial regulatory regime within a given jurisdiction accurately and vigorously. But having a conceptual tool for sorting the more policy driven, subjective priorities from more widely accepted imperatives provides a methodology for defining a hierarchy within each jurisdiction.

Practically, one would anticipate that, whilst those regulatory controls grouped towards the ‘universal’ end of the spectrum are unlikely to be amended or rescinded frequently, those that tend toward the ‘subjective’ end might be susceptible to more regular revisions and, perhaps, eventual annulment. This exercise also serves as a sanity test to avoid becoming lost in the turmoil of today’s highly politicised regulatory atmosphere.

Hue and cry

Turning our attention to the current hue and cry over ‘links to Russia’ and similar partisan initiatives, it is clear that universal directives are being co-mingled – including by design, in part – with more ephemeral, politicised agendas. A potentially more constructive approach to this Gordian knot of policies would be to acknowledge that certain aspects associated at the present time with specifically Russian off-shore practices also serve to highlight more universal issues that require broadly focused application.

Shall we select a few of the more widely covered recent regulatory initiatives to see how this construct might be usefully applied?

CAATSA – This latest addition to the US array of sanctions aimed at Russia adds a novel definitional category – i.e. the ‘Oligarchs List’ – to the typology of sanctions previously articulated by the presidential executive orders of 2014. By its very definition, this is a subjective and ambiguous mechanism that, if anything, serves only to blur or confuse the earlier, more clearly delineated categories. It would seem logical to place this new law rather far toward the ‘subjective, politicised’ end of the spectrum.

GDPR – Even though the General Data Protection Regulation is a new6 regulatory regime, it replaces a previous (1995) European Union Directive that was deemed outdated due to relevant intervening technological developments. GDPR articulates data protection rules for exporting EU personal data abroad and mandates their implementation by foreign organisations that process personal data pertaining to EU residents. Its premises include seven specifically defined guidelines7 that seem arguably universal in nature and are intended to be applied as widely as possible.

If one were to extrapolate the vantage of a party not captured perforce by GDPR’s jurisdictional reach – for example, an Australian bank – would GDPR’s purpose and scope seem to support more broadly recognised policy goals, or rather be aimed at achieving ‘subjective, politicised’ purposes? Chances are that a licensed financial institution in Australia would already be committed to some version of most or all of the GDPR’s policy goals; and should such an Australian bank decide to continue maintaining client and counterparty relationships with EU citizens and legal entities, then implementing corresponding adjustments to its pre-existing data protection regime – even if tedious, at first – would be consistent with universally recognised best practices that are no doubt reflected in Australia’s domestic financial regulatory and data protection regimes.

Unexplained Wealth / Interim Freezing Orders – I propose these most recent AML enforcement measures9 as representative of the broader campaign recently unleashed by the UK financial regulatory authorities, together with HMRC and the Serious Fraud Office, to address what has been described repeatedly in the media – and most recently in Parliament – as a significant lack of vigour on the part of these oversight entities, especially with regard to gaining control over vast quantities of allegedly criminal proceeds that have coursed in and through the UK from Russia.

Another way to frame this issue is: can a partisan political agenda ‘taint’ a decision to enhance or refocus a putatively earnest effort to pursue a compliance mandate? Would a decision to arm the UK’s financial regulatory and investigative authorities with these same enhancements be – or appear to be – more objective or ‘legitimate’ without the brash declarations of war on ‘dodgy Russian’ money? If, as in this instance, the core normative imperative – i.e. intercepting and preventing the flow of tainted (if not criminal) overseas proceeds into the UK’s banks, financial system and luxury goods markets – is unassailable, then does arguably irrelevant political spin damage the integrity of this initiative, or its results?

For the moment, the only available answer is: let’s wait and see. As has been convincingly demonstrated by information divulged in the Panama and Paradise Papers10, there are more than just a few ‘true Brits’ – including cabinet ministers, Members of the Peerage, and even the Royal Family – among the high net-worth individuals and families that have been aggressively exploring the outer boundaries of legality in creatively structuring their off-shore wealth. It stands to reason that a good faith effort to ‘name and shame’ the most vigorous abusers of off-shore special purpose vehicles, anonymous trusts, tax optimisation schemes, etc., is highly likely to unearth a representative share of the home grown British elite. Indeed, it is precisely this prospect that is likely to have played an outsize role in forestalling a vigorous campaign of this nature until the present.

So, for now, these latest enhanced enforcement measures might be placed quite properly at the very centre of our spectrum-construct pending subsequent evidence as to how they are being applied – and toward what ends.

Vladimir Berezansky was one of the first foreign professionals to bring Western (US, UK, EU) regulatory compliance leadership to the Russian/CIS/CEE financial services market. He has more than 15 years of work experience in Russia/CIS and Eastern Europe, as well as Cyprus, Switzerland and in London’s financial market

1. See: https://www.treasury.gov/resource-center/sanctions/OFAC-Enforcement/Pages/20180315.aspx and http://prod-upp-image-read.ft.com/40911a30-057c-11e8-9650-9c0ad2d7c5b5

2. https://en.crimerussia.com/gromkie-dela/cyprus-tightens-regulations-on-bank-accounts/

3. https://www.ft.com/content/9784ba4a-22ff-11e8-add1-0e8958b189ea

4. https://www.theguardian.com/football/2018/may/31/chelsea-shelve-stamford-bridge-investment-climate

5. https://www.reuters.com/article/us-britain-eu-russia/brexit-campaigner-banks-says-story-on-russian-ties-absolute-garbage-idUSKBN1J60MB

6. GDPR entered into effect 25 May 2018

7. (1) Lawfulness, fairness and transparency; (2) Purpose limitation; (3) Data minimisation; (4) Accuracy; (5) Storage limitation; (6) Integrity and confidentiality (security); and (7) Accountability. See, e.g., https://gdpr-info.eu/art-5-gdpr/

8. See, e.g., http://www.amlpartners.com/news/aml-compliance/uk-report-blasts-london-russian-money-laundering/#%2EWxqOnKx3icA%2Elinkedin and http://www.spearswms.com/offshore-offense-hmrcs-tax-evasion-hunt-begun/

9. See, e.g., https://www.independent.co.uk/news/world/europe/oligarchs-sanctions-russia-corruption-british-government-london-salisbury-a8360666.html and https://www.cnbc.com/2018/05/21/london-is-a-laundromat-for-russias-dirty-money-uk-report-warns.html

10. See, e.g., my analysis of the Panama Papers, inCOMPLIANCE Issue No28 (March 2017) and the Paradise Papers, inCOMPLIANCE Issue No34 (March 2018).


Getting the measure

David Jackman highlights the challenges of, and approaches to, measuring performance under the SM&CR

SM&CR


Many will be familiar with the adage ‘what you measure is what you get’.

It is generally cited as a warning to everyone in risk and compliance that by selecting certain indicators (in any business) you are in danger of steering corporate behaviour towards fulfilling those measures, often to the exclusion of everything else. The indicators and measures selected soon become ‘targets’, and other desirable behaviours that happen not to be measured get ignored, and are probably not rewarded. This is the basis of target-driven selling, which has underpinned mis-selling in many sections of the industry.

The trend in compliance for many years has been to avoid or mitigate such problems by widening the basis of measurement using balanced scorecards, which are intended to offset productivity measures with a basket of quality-of-business and compliance measures (such as the number of complaints, breaches, or levels of persistency as proxies for suitability). These may or may not connect to remuneration.

This perfectly logical methodology is a regulatory requirement within some jurisdictions, such as in Singapore, where a balanced scorecard approach is required for measuring and setting compensation for financial advisers. This approach is given greater force by coupling measures directly to claw-back. However, it is worth mentioning that there is a risk of unintended consequences here too in that, by requiring certain compliance behaviours, lower overall standards may emerge as practitioners settle for the regulatory minimum standards rather than working towards a more aspirational level.

SM&CR dashboard

As we turn our attention to the UK Financial Conduct Authority’s (FCA) Senior Management & Certification Regime (SM&CR) (and related initiatives emerging in other jurisdictions) any compliance dashboard or data gathering exercise must consider:

(i) What are the (combination of) possible measures that could provide sufficient comfort to the Board that the necessary SM&CR conduct and culture is (becoming) embedded? (see suggestions in column 2 of Box 1)

(ii) How should the firm demonstrate suitable systems and controls to its regulators? (see suggestions in column 3 of Box 1).

Some of these measures could be displayed in an integrated SM&CR dashboard reviewed at each Board meeting or may form extensions to existing dashboards, while some of these measures will need to be verified by internal audit.

Clearly, some of these measures may emerge as being more important for certain sectors and types of firm, but I suggest that measures around statements of responsibility / duty of responsibility and the code of conduct will emerge as most significant for the Board and for the regulator.

BOX 1: Suggested measures of SM&CR for the board and compliance

| Element of SM&CR Requirements | Measures of SM&CR Culture | Systems and Controls |
| --- | --- | --- |
| Senior management functions (SMF) | • All governing and required SMFs filled and approved • Number of roles with new occupants | • SMFs all correctly identified • No gaps or overlaps |
| Statements of responsibility + checks and references | • % coverage of key risk framework • % coverage of SMF training | • Correct checks + refs • Assess F&P • Updated / resubmitted when significant changes |
| Duty of responsibility | • Any duty issue ‘activated’ by FCA • Number of conditions applied | • Transparent reporting to board and esp. NEDs |
| Prescribed responsibilities | • Additional specific board MI on countering financial crime, client money (if applicable), board obligations / capabilities | • Appropriate PR allocations / outsourcing • Dashboard on FCC, CASS • Regular board evaluation with chair |
| Code of conduct | • Integrity ‘breaches’ • Consumer / market outcomes dash • Regulatory relationship appraisal | • Integrity monitoring • TCF / other dashboard • Code training records |
| Certification regime | • Integrity ‘breaches’ • Consumer / market outcomes dash • Regulatory relationship appraisal | • Correctly identify scope • T&C and F&P effective • Certification or notices |
| Enhanced regime only | • Overall resp. check • SMF handovers • Compliance / audit resourcing check | • Additional SMF and Pres. Resp. correctly identified • Responsibility maps |


Indicators

Many will recall the introduction of Treating Customers Fairly (TCF) by the UK Financial Services Authority (FSA) in 2006-7. There was much discussion about appropriate management information, and, over time, TCF dashboards have become an established part of the way in which Compliance reports to the Board. SM&CR is a cultural initiative of similar import and appropriate practice will undoubtedly emerge.

Part of the TCF approach taken by the FSA was to suggest qualitative indicators rather than to prescribe precise measures. The FSA published a paper on indicators of good TCF culture that can still be accessed at: https://www.fca.org.uk/publication/archive/fsa-tcf-culture.pdf

Following the structure and style of this publication it should be possible to start to elucidate indicators of a positive or negative SM&CR culture. Some examples are included in Box 2.

A challenge to compliance

SM&CR preparation and implementation is a matter of consistently building a values-led internal culture in the organisation and, as it forms a major component of the 2018-19 FCA Business Plan¹, we can expect a good deal of regulatory focus on our preparations this year. It represents a challenge to Compliance to position its role firmly as part of the overall governance and risk framework. It is also an opportunity to strengthen connections with the Board, and the non-executive directors (NEDs) especially, ensuring that a coherent and resilient culture is developed.

Finally, it is worth noting that SM&CR also puts Training and Competence (and fitness and properness) firmly back on the map, so you will need to be sure that all senior management functions and staff in the certification regime are appropriately trained and qualified. This will be important at recruitment and as part of an annual review process. Since Compliance is specifically mentioned in the prescribed responsibilities of SM&CR, it is also of paramount importance that Compliance and all elements of anti-money laundering and countering financial crime are adequately resourced and individually and collectively fully trained and qualified to the highest level.

David Jackman is Strategic Adviser to ICA, Chair of three regulated financial services firms, and was previously head of FSA Training and Competence and Business Ethics. He is the author of The Compliance Revolution (2015) and Corporate Maturity and the Authentic Company (2018)

BOX 2: Suggested initial indicators of positive and negative SM&CR culture

| Aspect of Culture | Positive indicators | Negative indicators |
| --- | --- | --- |
| Leadership | • Board takes an active leadership of SM&CR with regular updates to staff and regulators • Clear, consistent emphasis on integrity and code of conduct | • SM&CR positioned as a regulatory imposition and cost • Little regulatory transparency |
| Strategy | • SMFs clear on risk appetite, risk management and measuring consumer outcomes | • Firms prefer de-risking and outsourcing |
| Decision-making and challenge | • SMFs set out and record their reasons for making decisions, explain or educate where necessary, and then stand by their decisions – supported by the firm • SMFs willing to challenge if SM&CR and Code compromised | • Commonly, SMF and prescribed responsibility is syndicated – individuals are unwilling to make or sign off decisions on their own to avoid sole accountability |
| Controls | • Clearly understood lines of responsibility, well documented, no unnecessary overlaps • Demonstration of suitable and regular SMF oversight • Correct reference checking and reporting to FCA | • Unwillingness to define responsibilities, to review map, or define duties; leaving gaps or overlaps in control |
| Performance management | • Direct measurement of integrity, training on fulfilling the SM&CR responsibilities and exercising related duties | • No SM&CR or F&P / Code of conduct specific training. No SM&CR specific records |
| Reward | • Direct connection made between reward and weight/scope of responsibilities, exercise of duties and measures relating to the code of conduct | • No obvious link between pay and reward and SM&CR allocated responsibilities / duties / code of conduct |

1. https://www.fca.org.uk/publications/corporate-documents/our-business-plan-2018-19


CYBERCRIME

Any bank knows that customers’ money isn’t safe in their accounts unless the bank has good security in place. Unfortunately, a trend is now emerging in which fraudsters don’t even need to impersonate a real person in order to steal from banks. They simply create a fictional identity and apply for credit in the fake person’s name. Known in the industry as ‘synthetic identity fraud’, this form of cybercrime is on the rise as personal data is becoming increasingly easy to get hold of.

Synthetic identities: invent and spend

Synthetic identity fraud occurs through the creation of false identities using components of real identities, such as addresses, dates of birth, national insurance or social security numbers, often of minors or the deceased. For fraudsters who know where to look (and are willing to pay the price) personal data is relatively easy to come by. In some marketplaces on the dark web, 'fullz' – full sets of people’s personal information – can be bought, while other forums offer classes1 on stealing credit card information. A recent investigation uncovered an advertisement on a dark web forum for newborn babies’ social security numbers.2 The personal information of infants is especially sought-after: it provides fraudsters with access to a clean credit history, and it often takes years before the theft is detected (which is usually not until the child is old enough to apply for a credit card).

In countries such as the United States, where there is no strict national identity system in place, it’s not difficult to make up a plausible name and address with a rarely-used (or also fictitious) social security number with which to apply for credit. Synthetic identity fraud entails the fraudster putting together a fake persona, and giving that persona credibility over months – or years – by transacting small amounts in their name, establishing a history that enables the persona to qualify for credit. Once a worthwhile limit of credit has been granted, whether in the form of a card or a loan, the fraudster spends ('busts out') up to that limit and then disappears, abandoning the synthetic identity.

Systems: checks and challenges

This type of theft is difficult for banks to prevent in the absence of definitive, government-managed identity records. In the US, the government has established the Consent-Based Social Security Number Verification (CBSV) service to assist in this regard, but the service doesn’t currently allow for the cross-checking of an identity against a social security number without the consent of the individual under investigation – and, incredibly enough, this consent must be given via post.

In the UK, despite the fact that the government has hit quite a few snags in its attempts to implement an online national identity verification system, residents at least have the physical (photocard) driver’s license or biometric passport to serve as proof of their identity. This means that synthetic identity fraud is not as easy to perpetrate in the UK as in the US. To create a synthetic identity for the purposes of opening a bank account, for example, a fraudster would have to manufacture proof of identity – a physical, secured, tamper-evident artifact – making UK banks a prohibitively bothersome target.

The digital movement

Insisting that new applicants visit a bricks-and-mortar branch improves security, but makes for the kind of second-rate customer experience that 21st-century banking customers simply will not tolerate. In fact, remote (online or mobile) account opening has become crucial to achieving scale in most consumer businesses of the digital age. Wherever regulation allows it, banks are waiving the requirement for new applicants to visit a branch or prove possession of a government-issued identity, even for loans.

But as finance moves away from the physical and into the virtual realm, fraudsters are also capitalising on the opportunities the digital era presents. Mobile capture technology provider Mitek predicts3 that 2018 will see 150 million new account opening fraud attempts at financial institutions, up from 80 million last year. The trend is likely to continue as businesses increasingly focus on digital transformation, expanding the products and services they offer consumers on digital platforms. With more consumers signing on, of course, the amount of data being made available grows at an alarming pace. For fraudsters with their sights set on consumer data, it’s hunting season.

A matter of trust

In an era of synthetic identities, Niel Bester stresses the need for trust


Juniper predicts4 that customer data breaches will cost business some $8tn over the next five years.

A mobile solution

Across the financial industry, the response to these kinds of threats has been largely fragmented. Many traditional banks are building their own solutions or looking at best-of-breed offerings, while smaller players in the industry may not have the resources to innovate.

One approach that has proven successful is leveraging the consumer’s mobile device for the purposes of identification and authentication. Offering a solution that addresses the often-conflicting issues of convenience, security, and innovation, the mobile device can be a powerful means of combating various forms of fraud and cybercrime. Authentication, in essence, comes down to proving the identity or validity of a person, action, or process. In the financial industry, authentication best practices dictate an approach that combines multiple authentication factors – for example something a consumer has (a possession factor, like a phone or hardware token), something they are (a factor of inherence, such as a fingerprint), and something they know (like a password). Further data points based on contextual information, such as geolocation, can provide additional security.

Using the mobile device itself as the possession factor makes it one of the strongest authentication factors that exist. By means of digital certificate technology and end-to-end encryption, it is possible to mutually validate both the consumer’s device and the bank, allowing both parties to be certain that they are communicating with a legitimate entity through a secure channel. The integrity of the data that is transmitted can also be verified.

The capabilities of blockchain

The emergence of what is referred to as ‘self-sovereign identity’ might offer another solution. In countries that do not have robust, government-hosted systems to rely on, independent identity networks based on blockchain can be established. An individual would then have a selection of facts about themselves (e.g. that they are over 18, or that a scanned passport belongs to them) attested by a widely trusted third party, such as their bank, and would get this attestation recorded on a cryptographically-secured distributed ledger.

When the individual then applies for, say, a mobile phone contract, they would instruct the mobile operator to check the legitimacy of the information in their application via the distributed ledger. The mobile operator would be able to check the ledger for an attestation of the individual’s information by a reliable party (in this case, the individual’s bank). The individual would be able to select only the relevant facts from the group of attested information to be shared with the mobile operator, and, at the moment of sharing, would provide consent for that sharing in real time.
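The attestation flow described above (the bank attests, the individual selects what to share, the mobile operator checks the ledger) is sketched below as an added example; it is not code from the article or from any identity network. It assumes a toy hash-chained ledger whose `attester` field is taken as authentic (a real network would require the attester's digital signature on each entry), and all names and sample facts are constructed.

```python
import hashlib
import hmac
import json
import secrets


def commit(name, value, salt):
    """Salted SHA-256 commitment to one fact; the salt hides low-entropy values."""
    payload = json.dumps([name, value, salt], separators=(",", ":")).encode()
    return hashlib.sha256(payload).hexdigest()


class Ledger:
    """Toy append-only ledger: each entry is chained to the previous one by hash."""

    def __init__(self):
        self.entries = []

    @staticmethod
    def _digest(body):
        return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

    def append(self, attester, commitments):
        prev = self.entries[-1]["hash"] if self.entries else "0" * 64
        body = {"attester": attester, "commitments": sorted(commitments), "prev": prev}
        self.entries.append({**body, "hash": self._digest(body)})
        return len(self.entries) - 1

    def chain_is_intact(self):
        prev = "0" * 64
        for e in self.entries:
            body = {k: e[k] for k in ("attester", "commitments", "prev")}
            if e["prev"] != prev or e["hash"] != self._digest(body):
                return False
            prev = e["hash"]
        return True


def attest(ledger, attester, facts):
    """Attester (the bank) commits to each fact; only the hashes reach the ledger."""
    openings = {n: {"value": v, "salt": secrets.token_hex(16)} for n, v in facts.items()}
    commitments = [commit(n, o["value"], o["salt"]) for n, o in openings.items()]
    return ledger.append(attester, commitments), openings


def disclose(openings, selected):
    """Individual releases only the facts they consent to share."""
    return {n: openings[n] for n in selected}


def verify(ledger, index, trusted_attesters, disclosure):
    """Relying party (the mobile operator) checks disclosed facts against the ledger."""
    if not ledger.chain_is_intact():
        raise ValueError("ledger chain broken")
    entry = ledger.entries[index]
    if entry["attester"] not in trusted_attesters:
        raise ValueError("attester not trusted")
    verified = {}
    for name, o in disclosure.items():
        c = commit(name, o["value"], o["salt"])
        if not any(hmac.compare_digest(c, known) for known in entry["commitments"]):
            raise ValueError(f"no attestation for {name!r}")
        verified[name] = o["value"]
    return verified


def demo():
    ledger = Ledger()
    # Constructed sample facts; the passport digest is a placeholder string.
    facts = {"over_18": True, "passport_sha256": "constructed-digest", "name": "A. Example"}
    idx, openings = attest(ledger, "example-bank", facts)
    shared = disclose(openings, ["over_18"])  # name and passport stay private
    ok = verify(ledger, idx, {"example-bank"}, shared)
    # Someone without the bank-issued salt cannot claim the same fact.
    forged = {"over_18": {"value": True, "salt": "00" * 16}}
    try:
        verify(ledger, idx, {"example-bank"}, forged)
        forged_rejected = False
    except ValueError:
        forged_rejected = True
    return ok, forged_rejected, ledger


if __name__ == "__main__":
    print(demo()[:2])
```

Because only salted hashes are recorded, the ledger itself reveals none of the facts, and the operator learns nothing beyond the single fact the individual chose to open.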

Self-sovereign identity systems show much promise as an everyday use case for distributed ledger technology. However, the success of such systems would be dependent on buy-in from large organisations, governments, and online service providers seeing the business benefit of a distributed approach and making the effort to develop a liability framework for public attestations.

A matter of trust

A key issue in the fight against digital fraud is trust – whether it be a trusted device identity, a secure communications channel between a device and an organisation that instils trust in the integrity of the communications, or a trusted third party that can attest to the validity of information. The digital transformation has turned personal data into a hot commodity – for organisations looking to use that data to offer consumers new products and services, and for fraudsters wanting to steal it for criminal purposes. But it has also led to the realisation that teaming up with a trusted partner can enable banks to protect their customers, meet their demands for convenience and compelling products and services, and remain two steps ahead of fraudsters.

Niel Bester is SVP Products at Entersekt

1. http://money.cnn.com/2017/07/19/technology/credit-card-stealing-class-digital-shadows/index.html?iid=EL

2. http://money.cnn.com/2018/01/22/technology/infant-data-dark-web-identity-theft/index.html

3. https://www.miteksystems.com/press-releases/mitek-announces-2018-predictions-blockchain-fraud-and-identity-verification

4. https://www.juniperresearch.com/press/press-releases/cybersecurity-data-breaches

GAMING

Raising the stakes

Tim Porter and Nick Parfitt consider the compliance challenges facing the gaming industry

In the first in a two-part series, we consider the current state of regulation in the gaming and gambling sector in the UK, some of the specific features of compliance, and the near-term challenges that operators face. In the second instalment we will share insights from the global industry and suggest a model for compliance.

Scope and scale

Let’s start with some background, beginning with terminology. ‘Gaming’ is increasingly associated with video and electronic games rather than the practice of gambling. We use the terms ‘gaming’ and ‘gambling’ synonymously in this article. The UK's Gambling Act of 2005 defines gambling as “betting, gaming or participating in a lottery”. The UK regulator is the UK Gambling Commission (UKGC), which exists to “licence and regulate people and businesses that provide gambling”. Gambling activities are categorised by the regulator into sectors: arcades, betting, bingo, casinos, lotteries and gaming machines. UKGC permits gambling and grants licences under the Gambling (Licensing and Advertising) Act 2014 in line with the following “licensing objectives”:

• Preventing gambling from being a source of crime or disorder, being associated with crime or disorder, or being used to support crime

• Ensuring that gambling is conducted in a fair and open way

• Protecting children and other vulnerable persons from being harmed or exploited by gambling. [1]

The gambling industry in the UK is now worth around £13.8bn [2], employing around 107,000 people [3] across some 2,800 different operators. UKGC has a staff of around 300 and a budget of £20m.

From an anti-money laundering / counter-terrorist financing (AML/CTF) perspective, casinos have been regulated since 2007, but it wasn’t until the introduction of the 4th EU Anti-Money Laundering Directive (4AMLD) in 2017 that the rest of the gaming industry came under regulation. So now, for online gaming operations through to the local bookmaker, preventing money laundering and countering terrorist financing are critical, and appropriate processes and controls must be in place. UKGC has provided comprehensive guidance on AML/CTF in two documents: one for casinos and one for the rest of the sector. [4] In March this year, it published its “Money laundering and terrorist financing risk assessment 2017” [5] and it expects all operators to be aware of these risks in their operations.

Eyes down

And the regulator isn’t taking any nonsense. It has issued fines totalling £8.3m in 2018 so far, as well as publishing a detailed report on the state of compliance within online, UK-registered casino operators. It’s interesting to note that whilst AML fines account for the majority of the value of penalties, the regulator’s focus on strengthening social responsibility in gambling has led to a much larger number of individual fines relating to these types of breaches.

As recently as 20 June 2018, UKGC announced a penalty against 32Red for failure to protect a consumer from gambling-related harm, and weaknesses in AML processes.

Readers are likely to have heard that fixed-odds betting terminals (FOBTs), described as a “social blight” [6] by Matt Hancock, the UK’s Digital, Culture, Media and Sport Secretary, have reduced stakes from £100 to £2. In a single year, there were 233,000 cases in which individual gamblers lost more than £1,000 each [7] on these machines. The move to reduce stakes will, of course, cut revenues to bookmakers, but it seems to us to be both welcome and long overdue.

Cultural and business-model nuances of gaming

There are considerable differences in the business risks and relative maturity of compliance within the gambling industry. Traditional onshore casino operators have better-established and more rigorous controls in place compared with online operators, some of whom are based offshore. This may not be surprising, given that 4AMLD is relatively new.

There are also, in our view, clear cultural and behavioural differences between different operators. Concerns over brand and reputation mean that well-established onshore operations have lower risk tolerances, and their dedicated compliance teams are more expert in dealing with the risks to which they are subject. However, the fact that gamblers principally use cash in onshore outlets creates a high degree of opacity in which to launder illicit funds. And while AML/CTF programmes are better established in these outlets, they are often inconsistent and inadequate, as recent UKGC penalties show.

Note that in the gambling sector money laundering tends to be the exchange of funds acquired criminally for money or assets that appear to be legitimate, with gambling operators used for channelling the funds through a form of legitimate business transaction or structure. However, the proceeds of crime may also be used to fund gambling as a leisure activity for criminals themselves. Both typologies may be deeper-rooted in casinos and bookmakers.

Compared with traditional onshore businesses, online gaming operators tend to be highly entrepreneurial and tech-savvy. They have seen rapid growth over the past five years, and may not have given regulatory requirements and compliance the priority they deserve. But it is interesting to note too that the perceived AML/CTF risk in online gaming is much lower than in onshore operations, because everything is digital and in many cases traceable back to a bank account. This is particularly relevant to operators’ obligations to ensure responsible gambling; to monitor behavioural patterns beyond actual spend; to identify gamblers who have opted for ‘self-exclusion’; and to be able to quickly report concerns to the regulator. It does, however, assume that appropriate systems and controls are in place and working, a relatively big assumption that we will examine shortly.

A clean sweep

Following a thematic review of the sector, UKGC wrote in January of this year to all 195 UK online casino operators warning them to review their procedures and to improve measures that protect customers and prevent money laundering. MLROs were even identified as having no formal qualifications and in some cases were “unable to provide suitable explanations as to what constitutes money laundering”. [8] These findings – combined with a lack of customer account usage monitoring, poor analysis of players’ socioeconomic indicators and no rigour in filing Suspicious Activity Reports – suggest that even basic Know Your Customer principles appear to be absent.

This poor understanding of customer behaviour is also reflected in the UKGC’s findings, which showed failure to detect “potential signs of problem gambling based on consumers' gambling pattern and spend” that “in many cases, however … did not trigger a customer interaction”. This suggests that account behaviour is either not being monitored at all or is simply being ignored. It also calls into question whether a player’s actual funds and income supports their level of play, and whether the associated AML implications are understood and controlled effectively.

Failure to address these concerns could result in licences to operate in the UK being revoked. The UKGC further stated that it is investigating 17 online operators and considering whether five of these require a licence review. [9]

Where to from here for online operators?

These organisations have a great deal of work to do if they are to stay in business. The level of effort and cost required should not be underestimated. However, the regulatory and compliance focus should be seen less as a challenge and more as an opportunity to move forward. Successful companies have found a balance between short-term initiatives and longer-term structural changes.

In the short term, operators should carry out the following initiatives:

• Apply customer due diligence (CDD) measures to any transaction that amounts to €2,000 or more, whether in a single operation or in several operations that appear to be linked. IT systems need to be capable of monitoring scenarios to support compliance with this regulation.

• Conduct enhanced due diligence (EDD) where a customer presents a higher risk of money laundering, and put a risk assessment model in place to determine which customers pose a higher risk.

• Develop the capability to monitor customer accounts. UKGC found little evidence of ongoing monitoring of customer accounts, which means that operators are in breach of Regulation 28(11) of The Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017. It also means that money laundering and/or responsible gambling issues go unreported.

Being under regulatory scrutiny is not comfortable. But with the correct focus, business engagement and culture – the ‘tone at the top’, ‘mood in the middle’ and ‘buzz at the bottom’ – change is possible. As banking industry players are doing, gaming operators should learn from successful peers and use what they learn to differentiate themselves and create competitive advantage.

In our follow-up article we will look at the gaming industry globally, exploring the jurisdictional nuances of the online operators, sharing views from the operators and looking at a longer term model for compliance in the industry.

Tim Porter is Director at Tim Porter Associates.

Nick Parfitt is Head of Market Planning at C6 Intelligence Group

1. http://www.gamblingcommission.gov.uk/about/Who-we-are-and-what-we-do/Who-we-are-and-what-we-do.aspx

2. http://live-gamblecom.cloud.contensis.com/PDF/Annual-report-and-accounts-2016-2017.pdf

3. Ibid.

4. http://www.gamblingcommission.gov.uk/for-gambling-businesses/Compliance/General-compliance/AML/How-to-comply/How-to-comply-with-your-anti-money-laundering-responsibilities.aspx

5. http://www.gamblingcommission.gov.uk/PDF/AML/Money-laundering-and-terrorist-financing-risk-assessment-March-2018.pdf

6. https://www.thetimes.co.uk/article/2-limit-to-curb-crack-cocaine-of-gambling-ftc6v37hr

7. https://www.theguardian.com/commentisfree/2018/may/17/the-guardian-view-on-fixed-odds-betting-terminals-the-bookies-lose-at-last

8. http://www.gamblingcommission.gov.uk/news-action-and-statistics/news/2018/Letter-to-online-casino-operators.aspx

9. Ibid.

THE COMPLIANCE PROFESSION

Stronger together

Sally Afonso makes the case for cross-sector learning to develop the strength of the compliance profession and the individuals within it

As compliance professionals, we are stronger together. We may work across different industries, and within businesses that are subject to varying degrees of regulatory supervision. However, the unifying thread of a bold and defined compliance philosophy, which guides the controls and cultures of all of our organisations, binds us tightly across all our divisions.

As we work towards continuous improvement in both our compliance programmes and in our personal careers, we should look out for opportunities to learn from, and influence, other compliance professionals. We must keep focused on deepening our talent pool as a profession and casting a broad net in order to make connections and gain interesting perspectives and experiences in doing so.

Through this, we may further develop the connectedness of the compliance profession across all of our boundaries – organisational, jurisdictional, national, and cultural – as well as set durable and ambitious standards and expectations within our own programmes and careers.

Personal experience

My own experiences of the last few years have demonstrated the value of the above pursuits. One focus of my recent compliance career has been to challenge the far reaches of my comfort zone and seek personal growth through networking, information sharing, and studying the professional experiences of my fellow compliance officers.

I’ve done this on two main levels – between cultures and across sectors. I am an American and my entire career in compliance has been in the financial sector. I worked in asset management throughout the 2008 financial crisis. In 2015, I moved from Los Angeles to Amsterdam, and from a small, traditional investment adviser to a large global banking institution. In the three years that followed, I learned a great deal about values-based compliance and the importance of organisational culture when working in a ‘three lines of defence’ model.

Although the 2018 implementation of the Markets in Financial Instruments Directive II (MiFID II) in the financial sector across the EU reminded me in many ways of the efforts in 2005-2007 to mature the compliance profession and operationalise the values of programmes of investment advisers, my experiences working in the Netherlands opened my eyes to the value of compliance risk management beyond the extremely strict, rules-based approach that was my previous norm. The cultural point of view that I gained in translating my American compliance approach to a bespoke way of working in a European framework allowed me to see the great strengths and inspiring ways to grow in both modes.

Cross-sector connections

In 2018, I’ve taken my commitment to open-mindedness to the next level by seeking to establish cross-sector connections. Though I work in banking and intend to continue to do so, I’ve tried to network as much as possible with compliance officers working in different industries. This has given me a much greater understanding of the common challenges we all have in our profession and the value we can bring by considering standard, universal approaches towards tackling these challenges.

We should look to share experiences and ideas, not only in our own teams or departments, but in our broader networks as well – and the sky’s the limit! We should consider everyone working in compliance as our colleagues and look to share with and learn from them, however possible. Whether it’s exchanging stories about lessons learned from previous risk assessments or regulatory examinations, or comparing expectations about upcoming developments in the risk landscape, points of view from afar are often refreshing and informative.

Keeping the lessons of the financial sector in mind, experience and expertise from this industry can be applied to compliance programmes and shared between professional counterparties in different industries in a triple-pronged approach: (1) between a highly-regulated industry and less regulated ones; (2) between an established compliance programme and those that are emerging; and (3) between a sector in which regulation is increasing and those sectors that may take inspiration for broader development from such changes.

Highly-regulated and less (or self) regulated industries

Directives by (and examination priorities of) regulators have often set the compliance programme priorities of organisations in the financial sector. This is a necessary evil, of course, as we must answer to the relevant competent authority in order to uphold fairness and efficacy in the markets and for customers. However, anticipating the biggest upcoming issues for supervisors and getting ahead of them is a better approach than waiting to be told to correct deficiencies that haven’t been defined yet.

Self-regulatory efforts are good business for everyone. Companies that aspire on their own to meet standards set in other sectors (for example in up-scaled privacy programmes) support an integrated and forward-looking approach to both commercial and compliance efforts. Such organisations will be prepared for potential legislative or regulatory changes that may not be in place today, but could be introduced in the future.

As in the example of data privacy and information security improvement initiatives, regulators are not the only ones who appreciate compliance’s potential value-add to an organisation. Business-driven decisions to take the initiative in embedding compliance programmes into compliance strategy and planning can also appeal to consumers, business partners, and affiliates or other stakeholders. All of these parties also value the pro-active transparency, controls structure, and guiding philosophy that a professional compliance programme brings to an organisation.

Finally, the recurring need for corrective action and stronger enforcement in the financial sector shows that we have a long way to go beyond ‘adhering to regulations or not’. Rules-based approaches to compliance risk management simply don’t suffice. On its own, it’s not enough to follow the existing rules (if any) and create a strict conscription in order to ensure that employees and related parties meet conduct expectations and are punished if they don’t. On the contrary, compliance programmes should anticipate the real risks present in their businesses and blend existing or practical rules with policies and procedures that embody the organisation’s values.

The end result of the above approach is a principles-based compliance programme that is agile, pragmatic, and realistic.

Established and emerging compliance programmes

In the financial sector, compliance programmes are typically established in firms, created by regulatory requirement or business necessity. These programmes are often mature within themselves, even if seeking enhancement or recovering from inadequacies and failures. Roles and responsibilities, organisational dynamics, and operational scope may be already defined, subject to change and improvement. By contrast, emerging compliance programmes that are newly independent or less firmly embedded in companies may find themselves preoccupied with resolving these existential tasks.

Practically speaking, however, both established and emerging compliance programmes must focus on three foundational pursuits, which underscore the philosophy of the programme and are necessary for the success of its objectives:

• First, we must constantly improve our business knowledge to be more effective sparring partners. This allows us to increase our commercial expertise and organisational sensitivity

• Second, we must strengthen our cross-functional collaborations to align with important partners such as HR and legal for added value

• Third, we must elevate our compliance programmes from a ‘business as usual’ emphasis into a more ambitious posture of further developing the discipline.

The above goals capitalise on key traits that individuals in less highly-regulated sectors already possess in spades, because their functions have traditionally focused on translating values into standards and cultivating advisory, business-focused relationships.

The work on these tasks is never done, and so a professional in an organisation that has been striving towards these goals for some time can give instructive advice to an individual working within a compliance programme that is just getting started on them. At the same time, a professional from an emerging programme can reach up within the network to offer new ideas, a simpler take on overwrought problems, and a vision that’s free from legacy issues.

General impact of sector-specific regulatory change

One of the defining characteristics of the post-global economic crisis financial sector has been continuous change. At a global level, the financial sector has experienced rapid and ongoing regulatory reform. New requirements from supervisors and legislative or legal updates constantly exert demands on compliance professionals in the financial sector to keep up to speed, anticipate new needs, and competently advise their business partners. Organisations and sectors that are not subject to these intense supervisory frameworks may still take inspiration from the efforts of others to comply with and respond to them.

Responding to and anticipating emerging trends in supervision requires an effective ‘inner game’ for planning, with ‘big-picture thinking’ regarding controls frameworks and organisational culture initiatives. Collaborative learning between compliance professionals can be helpful for enhancing these strategic skills, which ought to be blind to business-content and focused instead on compliance mindset and creative risk management techniques.

Keeping pace with regulatory change through continuous improvement benefits from the existence of a diversity of viewpoints within the compliance community. Self-development through broad networking allows ongoing learning that includes picking up best (and worst) practices from other sectors. This helps professionals to understand where individual organisations and sectors sit within the compliance life cycle, to identify directions of future growth, and to reveal how to guide such development.

Bringing the two previous points together, strategic thinking must be seen by all as a core competency of the compliance profession. The commonality between the regulatory compliance approach of highly-regulated sectors and the ‘soft’ controls emphasis in less-regulated sectors is the role of compliance as a culture carrier in the organisation. Compliance has the potential to be the connective tissue between commercial ambition and current or future demands of a varied and ever-changing set of risks, requirements, and expectations.

Out of many, one

To return to where we began, we should redefine our thinking about who our colleagues are to extend these relationships, moving from the people who work within our organisations past or present, to include everyone else who is working to thoughtfully and sustainably move the compliance profession forward. Out of our many different experiences and specialties, and our diverse business needs and regulatory requirements, we should work together to form one strong compliance profession, based on a shared philosophy and desire for excellence.

Sally Afonso is a compliance adviser experienced in the financial services industry. She can be reached on Twitter at: @complyblog

CAREER CORNER

Boardroom friend, leader and all-round people person

Durshan Mistry provides his take, for the modern-day risk professional, on how to win friends and influence people… and build a successful career in the process

When Dale Carnegie published his best-selling book – “How to Win Friends and Influence People” – in the 1930s, the term ‘Risk Professional’ had not yet been coined. Carnegie’s own view of risk was typical of business at that time and was the dominant view for many years. “Take a chance,” he said. “All life is a chance. The man who goes farthest is generally the one who is willing to do and dare.”

In those good old / bad old days, which prevailed until as recently as 20 years ago, the Chief Risk Officer’s (CRO) role tended to be fulfilled by technically-minded actuary types. They reported to the Chief Financial Officer and their role was seen (and viewed by them) as that of a quasi-accountant, primarily there to ensure a company’s financial health – no more, no less. The risk professional was frequently viewed negatively, as a necessary evil or even as a brake on inspirational ideas for company growth.

The modern risk professional

Well, those days have gone. Welcome to the world of the modern risk professional: at senior level, reporting to the Board, a leader of people, with a requirement for significant business insight and great communication skills; there to contribute to building company success and, along with it, their own career.

First, though, let’s stand back for a minute. Why are risk professionals now so crucial to the wellbeing of a company? Why have the demands of the role changed?

The answer can be summed up in one word: reputation. You can add to that, of course, ‘regulation’. But reputation is fundamental, in my view, and comes first.

The increase in global connectivity means that when a company or institution falls victim to a risk, the whole world knows – almost straight away. Whether it is KFC running out of chicken or Facebook, in effect, pimping out your personal data, when systems go wrong – or are misused – a company’s reputation, at best, can be severely dented or, at worst, damaged beyond repair. For financial services, the risk of reputational damage is particularly important because trust in the institution is core to the confidence of the public in that institution and, therefore, to profitability and growth. If you damage that trust, the outcome is potentially catastrophic. At the very least, it will take work to repair and will have considerable cost implications.

The sharp rise in publicity around issues of risk since the turn of the millennium – fuelled by the rise of the internet – has elevated risk strategies to a Boardroom level issue. This has been further intensified, of course, by the rise in statutory regulation to protect us, the customer, against the effects of failed risk policies, a rise which is itself a reflection of the general mood of the public.

How has this change in perception of the significance of risk on business health and strategy impacted on the role of the modern risk professional? How has the role changed? And what are financial services and other regulated industries now looking for in a risk professional?

Speaking the same language

In my job as a financial services risk recruitment consultant, I talk to clients and potential candidates every day. Every day, clients tell me what they are looking for – and it’s a lot more than someone with good technical skills. My work has made me only too aware of the crucial importance, in today’s world, of leadership skills in the successful career progression of any senior risk professional.

One of my clients explained it brilliantly when I was discussing the attributes of a good risk professional with him. He equated the situation to a top football team with an all-star squad looking to hire a new coach. They hire the world’s most recognised and respected coach… but he speaks a completely different language to everyone at the club and he knows nothing about the way the club works. It’s then a team with all the top talent in the world and a leader who can’t communicate with the players; a leader who can’t possibly understand his players’ motivations or explain his ideas and tactics because there’s no shared language and no mutual understanding of culture and mindset.

A senior risk professional is like the coach. Why would the Board-level executives want a risk leader who can’t communicate, who doesn’t know all levels and areas of the business and who talks a kind of technospeak, which is a foreign language to most people in the company? It doesn’t matter how technically skilled the CRO is, if they don’t know where the potential risks are in the business they are joining, if they can’t influence the stakeholders into upholding systems that protect against risk, and if they can’t explain to the non-risk literate stakeholders why embedding a specific framework matters, then from a strategic standpoint their usefulness becomes questionable.

Key strengths

In this brave, new world, what exactly are the requirements for a good risk professional? How can they win friends and influence people and achieve career and personal success? When interviewing for a more strategic role, what attributes do I seek to encourage a candidate to highlight beyond technical skills? What do I look for? What do I know the client wants?

Some of those wider strengths I have already alluded to but here’s my list of some key attributes – outside of the technical – that I think are important:

• Communication – When implementing a framework, your stakeholders are more likely to enact the changes that you are making to their processes if you explain why you are making them. Often, they are highly resistant because they have been working in a certain way for a long time and they haven’t seen any issue arise from it… so why change? It is your job to explain the potential risks, to bring potential scenarios alive to them so they can understand why the changes matter.

• Empathy – If you take the time to sympathise with and understand the role of others, and to appreciate how risk is (to them) a minor facet of their role, you’d be surprised at how much impact you can have. Acknowledge the demands you are making of other people, relate to the difficulties it causes them in executing their roles, and relate to their concerns.

• Personality – The image of risk is often, even today, that it is filled with boffins with few people skills. I know, from personal experience, that this is not the case, but your stakeholders often need to be convinced. They need to know that you are not just there to set up and implement systems but that you have a personality, you are fun and friendly. Humour works wonders.

• Business Insight – You need to understand the business you are in, be flexible in your approach so that the technical safeguards you want to introduce (which may be the same between different organisations) take account of the particular product, division, culture of the organisation you are in or hoping to join.

• Imagination – If you are interviewing, you need to convince the Board that you know what technical systems will support a good risk strategy, but also how your approach can enhance the organisation’s general strategy for growth and sustainability.

The Boardroom view of risk professionals is in the process of huge change. Their role is now being seen less as an impediment to growth and more as a necessity which, handled well, will allow a company to grow as freely as possible; in short, to flourish. As a result, it is more important than it has ever been for risk professionals to appreciate how to work effectively inside an organisation.

You need to be able to win friends and influence people. Get that right (at interview and in the role), and couple it with good technical skills, and your career can soar.

Durshan Mistry is a Recruitment Consultant at Broadgate Search, focusing on risk in financial services [email protected]


Broadgate Search are a specialist recruitment company who concentrate on placing governance professionals at a mid to senior level. This would include all areas of compliance, risk and audit.

We work from our offices in London, Manchester and Dublin, operating globally.

FOR MORE INFORMATION: Visit www.broadgatesearch.com or email [email protected]

LONDON: +44 (0) 203 817 9757 DUBLIN: +353 (1) 6087748 MANCHESTER: +44 (0) 161 509 5481

CORPORATE GOVERNANCE RECRUITMENT

We provide the highest level of integrity, commitment, results and delivery from our team. Building long-term sustainable relationships are at the heart of what we do.

OUR DIVISIONS

Focusing on the market’s distinct verticals means we consistently deliver exceptional results across the financial spectrum.

• TRANSFORMATION & CHANGE
• ACTUARIAL
• AUDIT
• COMPLIANCE
• RISK
• FINANCE

INTEGRITY TO THE CORE

OUR ACADEMIC PARTNER


THE JUNIOR COMPLIANCE OFFICER

Making waves

James Young considers how junior compliance professionals can make an impact in the early stages of their career

Regardless of seniority, compliance professionals have the same overarching responsibility – to ensure the business operates within the regulatory framework through the provision of advice, training, monitoring, relationship management, and challenge to senior stakeholders. Looking back on the early days of my compliance career, I didn’t know what to expect and I found it very difficult to make any kind of impact in my role. Now a senior member of the profession, my own struggles as a junior led me to start a blog looking at how junior compliance professionals can make an impact at the early stages of their career. Below, I share two of the hot topics of my blog to date – challenging the business and regulatory interpretation / communication.

The art of challenge

Confronting the business on something that has gone wrong is probably the hardest part of a compliance officer's role. This is especially true for junior compliance professionals who may be tasked with challenging senior colleagues who have been at the company longer and are more familiar with its operations. It is important to remember that this comes with the territory of being a compliance officer. Here are a few thoughts (developed through trial and error) I took forward in the early stages of my career to really make an impact when challenging the business, which have proved to be quite successful.

Reality check – Compliance is not the most important function in the business. Fundamentally, the business exists to make a profit and compliance is there to support this goal. A top tip for juniors is to ensure you understand your role in the wider context of the business's operations and how you are going to add value. I like to think of compliance's purpose as being to help the business safely take the maximum amount of regulatory risk through the development of pragmatic solutions to regulatory issues identified. Don’t make the mistake of assuming that compliance is the reason the business remains open!

Create a ‘win win’ – Another very useful tip when engaging the business on compliance requirements is being able to illustrate the benefits of compliance to the employee you're engaging with, the customer and the business. Think about the efficiencies offered by an effective compliance system and how to frame this to the business. For example, I was once tasked with rolling out a uniform procedure across several international offices and was met with strong resistance from an operations manager who oversaw the sites. She saw the roll out as unnecessary and thought that the existing (out of date) procedures did the job but failed to see the increased efficiency in harmonisation in terms of staff training, quality improvement and reduction in key person risk. Framing the roll out in this way aligned our objectives and created a ‘win win’ scenario, and compliance suddenly became a competitive advantage. If you can master this at the junior level, you will really make an impact!

Paving the way – In a previous article [1], I explored the importance of the compliance function building positive relationships with the business. This is fundamental to ensuring the compliance function is effective, is trusted within the business, and is kept informed. For the junior compliance officer, getting out into the business and making yourself known is a key strategy. Talk to people about compliance in the context of their role, and continually reinforce the message that you, as a compliance professional, are there to help. Company social events can be an excellent way to break down barriers and solidify relationships inside the office.

Everybody’s human – when faced with the adversity of having to challenge the business, it is important to appreciate that everybody is human and is faced with pressures and targets in their own business areas. Taking the time to understand each department, its operations and the challenges of its teams will allow you to be informed when providing challenge, show empathy and gain greater traction on your compliance journey.

Regulatory interpretation

Another fundamental aspect of a compliance officer’s role is interpreting regulation and deciding what this means for the business. While an abundance of material is available on interpreting regulations for businesses, there is little to none on the methodology behind the process.

Break it down – When looking at regulation, I like to strip it down to the fundamentals and ask the following questions:

• What is the regulation trying to achieve? Having a solid understanding of this will pave the way as you comb through the detail and will give you a better understanding of each rule as you analyse it. It will also prepare you for the inevitable question from the business, "why has this regulation been brought in?" Personally, I have found exploring the "why" with the business has been a key factor in winning them over.

• Where are the key themes of the regulation? Avoid getting bogged down in the detail, keep in mind the purpose of the regulation, remove the jargon and summarise each provision in general, bitesize terms of no more than three bullet points. Breaking it down in this way will greatly aid your understanding!

Think for yourself – When asking yourself the questions above, the importance of thinking for yourself is vital. Read, digest and critically analyse the primary source (i.e. the text of the actual regulation / statute / directive etc) and come up with your own views about what you think it means for your firm.

Only then should you turn to secondary sources (i.e. guidance papers, seminars etc.), which should be used to challenge and solidify your understanding and provide an insight into how other firms in your sector are interpreting the regulations and implementing solutions. I typically read 6-12 secondary sources to get a good picture of what the sector is doing and ensure I am on the right track with my interpretation. It will be very tempting to place reliance on secondary material (there is enough of it out there!). However, this is a short-term gain and adopting this approach will never allow you to truly hone your ability to understand the regulations and become an expert in the field.

Look to the horizon – Horizon scanning is a simple yet key tool in the successful management of regulatory risk. A fundamental factor in assessing risk is probability. The earlier you identify a piece of regulation that impacts your organisation, the more time you have to understand it and help your business understand it, which equates to less probability that your company will become non-compliant! A top tip that helped me as a junior was to devise a list of key websites that provide you with updates and put them into a document or spreadsheet for regular review. The most important sources can be reviewed and ticked off every morning; the less important / impactful sources can be reviewed less frequently.

Communicating the requirements

Once you get to grips with what the regulation means, how you communicate compliance requirements to the business is crucial.

Consider your audience – The Board is not going to want a three-page road map on how the business’ call centre is going to comply with new complaints rules. Equally, the call centre is not going to want (or need) a one pager on the firm's overarching strategy. Failing to tailor your regulatory communications to the intended audience doesn't help anybody and actually increases your firm's risk of non-compliance as it creates the risk that requirements are misunderstood and applied incorrectly.

Accuracy is key – It may seem simple, but I cannot stress enough the importance of spelling and grammar being accurate when sending compliance communications to the business. The last thing you want is your audience to be distracted by obvious errors when you are attempting to get your message across. Although not the most exciting task, taking the extra time to proofread thoroughly pays dividends. Remember, senior business personnel will take an interest in what compliance has to say and you do not want to get noticed for the wrong reasons (i.e. typos!).

Know your regulator – As compliance professionals, we speak a lot about the importance of ‘tone from the top’. In the compliance hierarchy, the very top is the regulator, so it is fundamental that you take the time to understand your regulator and its agenda. Start with the regulator’s objectives and understand what they are trying to achieve. Look to speeches and key publications from senior individuals to get to grips with the agenda. Understanding this from an early stage of your career will serve you well as you progress.

James Young LL.M. Dip (GRC) MICA is Head of Compliance at Dr Martens Airwair International Limited. Any views expressed are those of the author and not that of Dr Martens. LinkedIn - https://www.linkedin.com/in/james-young-74806a130/

Further reading

Further guidance can be read on my blog: thejuniorcomplianceofficermakingwaves.wordpress.com

1. Stepping up, inCOMPLIANCE® issue 33, p.34


FINANCIAL CRIME ASSURANCE

Between the lines

Sherin Han and Jee Meng Chen consider the purpose and value of the FCR Assurance function

The landscape of financial crime risk has been transformed in recent years with ever-increasing lapses in the anti-money laundering (AML) risk controls of global financial institutions. In 2017, the UK Financial Conduct Authority (FCA) imposed its largest financial penalty ever (£163,076,224) on a bank for AML controls failings.[1] In the same year, the Monetary Authority of Singapore (MAS) shut down two banks and imposed financial penalties on eight banks in relation to weaknesses in customer due diligence (CDD) and inadequate monitoring of customers’ transactions and activities during the 1MDB review.[2]

The attentions of law enforcement do not stop short at institutions. In one recent case an AML Compliance Officer was fined for failure to file hundreds of Suspicious Activity Reports (SARs) for security transactions with red flag indicators.[3]

Going further

The conventional approach (i.e. where risk governance is performed via the ‘three lines of defence’ [LoD]) may not be sufficient for proactive financial crime risk management purposes, and banks are recognising the need to go further. Subsets of the LoDs – namely the 1.5 LoD and 2.5 LoD – have evolved in order to address the dynamic financial crime environment. The 0.5 line demarcation is significant, as conducting independent assurance on the first and second LoDs respectively should provide early warning indicators to business units before risk events crystallise.

Depending on the size of the institution, the 1.5 LoD may refer to the Business Risk Controls Management or Risk Controls function that sits within the first LoD. This function typically carries out controls monitoring and testing to validate that the first LoD’s processes and controls are operating as intended. The 2.5 LoD refers to the assurance reviews of the first and second LoDs.

In the area of financial crime risk compliance, the 2.5 LoD (i.e. the Financial Crime Assurance – or FCR Assurance – function) is gradually gaining momentum. But is FCR Assurance a fad or ‘the new kid on the block’? This article examines the essence of FCR Assurance and challenges the view that it is ‘just another gimmick’, where a watchman watches the watchman.

Different approach, different outcome

An FCR Assurance model may cover annual review plans in relation to the monitoring and testing of Financial Crimes Risks’ controls and, where there are observations from such test(s), work to ensure that appropriate action plans are proposed by the business to mitigate risks. Additionally, the action plans are validated, post mortem, to ascertain the effectiveness of the controls and their implementation.

Generally, assurance reviews involve historical testing based on procedural requirements over a specific period; a proactive approach (i.e. focusing on the prevailing financial crime climate and whether the current control mechanisms are able to mitigate such risks). Such reviews are thematic in nature and seek to detect risk control gaps based on the present (and changing) risks, as opposed to mere testing of adherence to procedures (i.e. a ‘check-box’ mentality).

Let us take an example of a review of CDD for offshore customers. The reviewer made the following observations of the sampled customer:

a) The customer resides in Indonesia and has declared himself as a self-employed consultant whose company is established in Indonesia, earning an annual income of approximately SG$500,000.

b) In the last six months, the customer’s account has had multiple inward remittances of varying amounts (e.g. £20,000-35,000 and US$10,000-15,000) from two UK companies, with the reference ‘Salaries’. These were followed by outward remittances to the customer’s Indonesian bank account with the reference ‘Expenses’.

c) During account opening, the customer had explained that he would be receiving salaries from these two UK companies for consultancy work provided and there are no changes to his profile.

d) The CDD reviewer reviewed the account’s transactional activities and passed the account as non-suspicious on the basis that the transactions were commensurate with the client’s declared income and declared activities.

If the sample testing was reviewed based purely on process and procedural requirements, it would likely be noted as a ‘pass’ since the CDD was carried out with the Know Your Customer (KYC) checklist being fulfilled and transactions were consistent with the KYC information obtained. By contrast, if a pro-active, risk-focused review approach were adopted, the result could be a ‘fail’ due to the combination of several red flags detected in the account that resembled traces of potential tax evasion and potential money-laundering based on off-shoring of income under the guise of salary through unknown source of funds of the cross-border funds received from UK shell companies and intermediating funds through an offshore account.

Put differently, the same review (albeit with different testing approaches, i.e. with the latter focusing on the underlying risks) would make a difference in the risk identification process. Only when the risks are duly identified and the magnitude quantified can the appropriate risk control measures be evaluated to address the inadequacies.

Independence

Further, to implement an effective assurance review, independence is of the utmost importance. Independence carries two elements. Firstly, the reviewer is freed from conditions that threaten the assurance review and/or to execute the tasks in an unbiased manner. Secondly, the reviewer has direct and unrestricted access to senior management. From a functional reporting perspective, the FCR Assurance function should stay independent from the business as well as mainstream Financial Crime Compliance to avoid potential conflicts of interest. The independence in reporting lines, however, does not denote that FCR Assurance should maintain an iron rod, rather it can exist as a ‘co-pilot’ with the business and/or Compliance function to steer the bank towards effective FCR controls.

Using the case illustrated above, the root cause of the risk identified could be a lack of plausibility assessment at customer onboarding and during the CDD review. That is, while the client may have provided information to the bank, there ought to be further assessment of that information rather than taking it at face value. FCR Assurance could provide views on the control measures to be implemented from a business improvement perspective rather than appearing as a censure (i.e. a control lapse).

Approach and skillsets

An effective 2.5 LoD requires a cultural shift in mindset, a focus on outcomes through risk-based thematic reviews, and, most importantly, FCR Assurance reviewers with appropriate skillsets.

Moreover, an outcome-based review, differentiated by clear objective outcomes, should focus on the substance of risk rather than the form. Given the limited resources for each review, for each test step that is undertaken and any potential issue that is being observed the reviewer could consider whether there is any substantive impact to the objective outcome of the review. The value of each review is to identify the critical gaps that could have adverse impacts on the bank if not resolved in a timely manner.

Last but not least, staff competency is essential. Traditionally, a reviewer with a background in audit and/or assurance would fit the role. Another approach is to consider hiring an all-rounder (i.e. with practical experience in areas such as onboarding, business risk controls design/execution, or AML system and process experience).

The practical challenge in a review is not centred on checking whether a procedural requirement is being followed, it is the ability to identify relevant FCR issues and how potential control gaps could be resolved. Each risk issue should be considered against multi-faceted variables, such as controls design, process efficiency, viability of control-execution, and so forth, which could have client impact implications. As such, diverse skillsets may bring FCR Assurance to a higher plane. In addition, reviewers must be able to manage different – and possibly conflicting – stakeholder interests, and should be courageous enough to stand firm amid differing views and pressure.

Sherin Han has over 10 years’ experience in FCR assurance, AML investigation, risk controls, process and operational risk within retail, private banking and wealth management. Currently, Sherin is working in FCR assurance for a foreign bank. Jee Meng Chen is MLRO of Commerzbank Singapore.

1. https://www.fca.org.uk/news/press-releases/fca-fines-deutsche-bank-163-million-anti-money-laundering-controls-failure

2. https://www.straitstimes.com/business/banking/1mdb-review-is-over-but-the-effects-are-long-term

3. https://www.lexology.com/library/detail.aspx?g=1b5e08b9-04e4-4604-8dff-f46edd1c60f7


Is your firm ready for certification?

Maintain standards and safeguard your business

ICA Audit provides your company with Management System Certification mapped to ISO Standards. ICA Audit is suitable for any regulated organisation looking to identify risks within their management systems to enhance their compliance management processes.

Why ICA Audit?
• gain the confidence of regulators
• recognise and manage risks
• optimise efficiency and costs
• provide additional defence for regulatory scrutiny
• achieve business growth opportunities
• achieve public sector contracts

Are you aware of a problem but unsure as to the cause? ICA Audit helps you drill down to the heart of the issue and highlight the key areas which require attention.

Safeguard your firm. Contact us today:

www.int-comp.org/icaaudit +44 (0) 121 362 3532


INSPIRATIONAL LEARNING FOR YOUR TEAMS

Our in-house training is available all over the world. We've worked with hundreds of clients including HSBC, EY, PayPal and Vodafone and we can do the same for you. Call us on +44(0) 121 362 7678 to discuss your training needs or visit www.int-comp.com/in-house

As ICA’s longest standing training partner, we’ve been providing their qualifications in-house to both small firms and multi-nationals for the last 16 years. We also offer tailored regulatory and financial crime compliance training solutions based on the unique needs of your firm.

• Increase the knowledge, skills, performance and confidence of your staff
• Enhance your firm’s risk management
• Gain competitive advantage and retain the best talent

The Magnitsky Provisions: a compliance challenge?

Diana Czugler and David Jones consider the compliance implications associated with the introduction of Magnitsky provisions in the UK

MAGNITSKY PROVISIONS


In April 2017, the passage of the Criminal Finances Act 2017 marked the introduction of the UK’s first Magnitsky provisions. Named after Russian lawyer Sergei Magnitsky, who died in Russian custody in 2009 having been jailed while investigating corruption, Magnitsky laws are designed to target gross abusers of human rights and have in recent years been introduced by several other countries around the globe (the US, Canada, Lithuania, Estonia and Latvia at the time of writing).

A new section – 241A – was added to the Proceeds of Crime Act 2002 (POCA) in order to enable UK enforcement authorities to initiate High Court proceedings to recover assets believed to be linked to gross human rights abuses or violations outside the UK by way of a Civil Recovery Order (CRO); which can be supported by interim freezing orders and Unexplained Wealth Orders (UWOs). This is the first of the UK’s two Magnitsky provisions.

Shortly afterwards, a second Magnitsky provision made it onto the UK statute books, as part of the Sanctions and Anti-Money Laundering Act 2018 (SAMLA). A Minister may (if there are good reasons to do so and it is considered a reasonable course of action) make sanctions regulations for the purpose of providing accountability for, or to be a deterrent to, gross violations of human rights, or to otherwise promote compliance with international human rights law or respect for human rights, or to promote compliance with international humanitarian law. The type of sanctions most likely to be imposed on this basis are financial sanctions, under which the target of the sanctions would be the subject of an asset freeze, and would be expected to be supplemented by immigration sanctions. A breach of all types of sanctions is a criminal offence, punishable by criminal or civil penalties.

The key distinction between the two Magnitsky provisions is that the asset recovery provision under POCA seeks to permanently deprive the target of specified property, whereas the sanctions provision under SAMLA seeks to temporarily prohibit or restrict certain dealings with the target or the target’s property. These differences are key to understanding the respective impact of the two Magnitsky provisions and the compliance issues they raise.

Sanctions or asset recovery: which has greater impact?

Looking at the two Magnitsky provisions from the perspective of someone who may become a target, the sanctions provisions are likely to have a greater impact in practice than the asset recovery provisions.

Although ostensibly temporary, sanctions can remain in place for many years and it is impossible to predict their duration in advance. Financial sanctions not only prevent dealings with funds in the target’s possession and economic resources at their disposal, but they also operate to prevent further funds or economic resources being made available to the target or for their benefit in the future. By contrast, asset recovery provisions only target specified property. Financial sanctions also have a much greater potential to cause reputational damage, as the consolidated list of targets in the UK is available online and is regularly consulted for due diligence purposes; whereas the making of a civil recovery order would not necessarily give rise to the same degree of publicity.


A final distinction is their respective extraterritorial reach. Whilst UK sanctions will apply not just in the UK but also to all activities outside the UK undertaken by UK nationals and UK-incorporated entities, civil recovery orders can only be made for property outside the UK if there is a sufficient UK nexus and can only be enforced with the agreement of the country or territory in question.

How to ensure that you comply

The asset recovery provisions and the sanctions provisions also give rise to different compliance dilemmas, for targets as well as those with whom they interact.

Breaches of sanctions are expected to result in criminal liability on the part of anyone who knows or has reasonable cause to suspect that they are engaging in sanctioned activities. Compliance therefore requires sufficient due diligence to ensure that any links with sanctioned persons are discovered in advance of any dealings. The adoption of Magnitsky sanctions should not require any change to the way in which this type of sanctions screening is currently conducted. The targets are more likely to be individuals than entities. So, to guard against inadvertent breaches, internal policies and procedures should be sensitive to the risk that such persons may act through a third party in order to avoid alerting anyone to the existence of sanctions. Individuals and entities alike should also be alive to the possibility that they may themselves become the targets of Magnitsky sanctions as a result of their relationships with gross human rights abusers.

The first step should be to carefully evaluate the various risks attached to a particular transaction. This risk-mapping phase might include, for example, considering:
• The geographic regions that are involved with the transaction
• The particular goods or services concerned, and
• The identity of the counterparty to the transaction.

The aim of the exercise should be to get a clear sense of whether there is any risk of gross human rights abuses, or gross human rights abusers, being linked to the transaction.

A deeper review

Once the risk profile of a transaction has been established, the next step, if necessary, will be a deeper review to obtain more information on the parties involved. The requirement is to know your customer (KYC), which includes determining their identity, the nature of their activities, and the source of their funds. In recent years, there have been some concerns (particularly in the US) about regulators moving towards a new, much more complex, standard of ‘knowing your customer’s customer’ (KYCC), that is to say determining who your customer is doing business with. However, this is not the current standard required, with there being no signs of a shift in the UK in the immediate future.

Knowing your customer in the context of the Magnitsky sanctions requires a business to determine who actually or beneficially owns the customer and to ensure, as discussed above, that the customer is not a third party through which a sanctioned person or a gross human rights abuser is acting.

By contrast, the asset recovery provisions give rise to different kinds of potential liability exposure. Firstly, there is the risk of acting in breach of an interim freezing order. There is now also the liability risk faced by a respondent to a UWO, who is required to disclose any interest they may have in specified property, as criminal liability may arise for any false or misleading statements made in this connection. Secondly, there is the risk faced by third parties of holding interests in property that later may become the subject of civil recovery proceedings due to another person’s interest in the same property. The risk of the latter can be mitigated by careful due diligence.

Resolutely embraced

Despite calls from many quarters for their use at the earliest opportunity, we have yet to see the operation of the Magnitsky provisions in practice, whether in isolation or in combination. In whatever form they are relied on, they are likely to give rise to compliance challenges for those affected. What is clear, however, is that Magnitsky provisions have now been resolutely embraced by the UK.

Diana Czugler is an Associate and David Jones is a Trainee at Peters & Peters LLP

Get more on the CPD Portal
• Managing sanctions risk - Hot Topic Presentation Slides https://www.int-comp.org/cpd/msriskpresentation
• A Quick Guide to Sanctions Myths https://www.int-comp.org/cpd/SanctionsMyths
• Complying with international sanctions https://www.int-comp.org/cpd/complyingintsanctions
• Not a member? For access to the ICA CPD Portal, among other benefits, become a member today: www.int-comp.org/membership/why-become-a-member

GDPR

Avoiding the pitfalls

Salima Nanji offers some tips to avoid falling foul of the GDPR

I doubt if there is a single person reading this article that hasn’t already heard or read about the General Data Protection Regulation (GDPR). Indeed, paradoxically, this new regulation has increased the number of emails flooding into everyone’s inboxes recently, as companies (some you’ve possibly never heard of) scrambled to get permission to continue using your data beyond 25 May 2018, when GDPR became law.

What’s it all about?

There is a saying “if the product is free then you are the product” – think Facebook, LinkedIn, Gmail and Twitter (and many others) and you get the idea. Companies have used the maturity of the internet and the advent of the Cloud to build new digital business models around the acquisition and analysis of your personal data, which they then directly exploit or sell (by now they consider it to be their property) to others, usually without your express consent.

The GDPR aims to redress the balance of power in favour of the individual to whom the data relates and ultimately belongs. It harmonises European data protection laws making the transport of data easier; it will encourage businesses to take data protection and cyber security seriously; and it is designed to be able to cope with advances in technology. It aims primarily to give control over personal data back to citizens and residents and to simplify the regulatory environment for international business. As you will be aware there have been scores of massive data breaches recently, affecting the personal data of millions of users. Breaches of this nature will not become extinct as a result of GDPR, but there will be far more transparency and there will be penalties for companies that have failed to secure or have misused the personal data of users.

Many non-EU based businesses have assumed that the GDPR doesn’t apply to them. Unfortunately, if your company processes the personal data of any EU citizens, regardless of where you’re located, you are expected to follow all of the regulation. GDPR also brings a new set of 'digital rights' for EU citizens. This is particularly relevant when the economic value of personal data rises in a digital economy.

Here to stay

GDPR promises to be one of the most far-reaching and ambitious consumer protection programmes ever devised. Its implementation is likely to cause some businesses difficulty. But it is important to remember that it is being introduced to protect users’ rights at a time in which almost every conceivable aspect of our lives is stored online and is highly vulnerable to exposure and exploitation.

In order to comply with GDPR, strategies must be formulated with stakeholders from across your organisation – including IT, Legal, Compliance and the data owners themselves. The bottom line is that GDPR is here to stay, so firms must get on board, embrace the change and learn how to innovate, grow and compete within a new regulatory landscape.

Top 5 tips / pitfalls

GDPR compliance is not just a matter of ticking a few boxes. The regulation demands that you are able to demonstrate compliance with its data processing principles. This involves taking a risk-based approach to data protection ensuring appropriate policies and procedures are in place to deal with the transparency, accountability and individuals’ rights provisions. In addition, you must build a workplace culture of data privacy and security.

Below, I outline five potential pitfalls associated with GDPR compliance, and highlight tips to avoid them:

1) You can’t demonstrate compliance to regulators and consumers – The regulator will deem non-compliance if you can’t demonstrate that you have consent for the data that you have collected. Fully understanding why you collect and hold data is therefore crucial. My first tip is to stop collecting data that you don’t have a legitimate need for. GDPR requires that individuals are given an explanation of how their data is used and if you cannot articulate this then that provides a good indicator of impending trouble with the regulator.

2) You didn’t delete the data as required under the right of erasure (i.e. not knowing where personal data is stored, and/or how to delete its master record upon request) – GDPR is about knowing what data you have, what you are doing with it, where it is stored, who has access to it, and how you are safeguarding it.

Therefore, my second tip relates to the importance of knowing your data and documenting it thoroughly. As part of your preparation for GDPR, you should review the personal data that your organisation holds and in particular consider:
• Where it came from
• Whether ‘opt-in’ consent was obtained and/or whether the consent needs to be refreshed
• Why you hold the data and/or whether it can now be securely deleted
• How you use the data, and
• Who you share the data with.

It is then important to review the results of your audit and consider whether the data is held in a manner that is GDPR-compliant. You also should focus on how you are actively managing personal data and mapping it to your business processes.

3) Your workforce lacks awareness and/or understanding of GDPR requirements – Tony Blair famously stressed the importance of ‘education, education and education’ in his 1997 Manifesto and, in relation to GDPR, education (times three) must be a priority of the company. Ignorance will not be an excuse for non-compliance. My third tip, therefore, is to train staff on the enhanced data rights given to individuals under the GDPR. All staff should be aware of key changes, such as no longer being able to charge for responding to subject access requests. The education process begins at the very top level of your organisation and there should be collaboration between the Boardroom and the IT department in ensuring this. This includes employees that interact with new customers or users, those that maintain CRM systems, and even data entry personnel.

4) You haven’t got the right help involved internally – Tip 4 concerns the importance of getting the right help within your company:

• Integrate your IT and Marketing departments – Between the threat of cybercrime and the necessity for specific monitoring and implementation strategies, your IT and Marketing departments are here to help you. Those who use market technology will now have a greater reason to invest in and use secure and customised IT solutions to stay on the right side of the regulations, and the right side of the consumers’ trust.

• Hire a Data Protection Officer (DPO) – The GDPR assigns liability to the data processors and controllers and does not require smaller operations to hire a data officer. But doing so is an investment that is worth some serious consideration. The potential damage to your company’s bottom line is not worth the risk. If nothing else, the GDPR has a singular message: consumer information deserves to remain private. So anything you can do to stay in compliance will help you overall.

• Get senior management involved – Your programme needs to involve senior management from its inception to ensure it is incorporated into the Board and management’s agenda and is fully supported throughout its lifecycle.

5) You haven’t got the right help externally – After looking inside your company, it is also important to get external help:

• Complete a thorough audit of your current data security system – The best way to ensure compliance is to have an accurate assessment of your current data processes. That way you can identify high-risk areas and fix any potential problem areas before enforcement begins.

• Work with third-party providers who are GDPR-compliant – This includes your email service provider, your CRM service and your marketing and PR agencies. You can be held responsible for breaches made by processors you work with. It’s important to ensure that all aspects of your data processing are in compliance.

The importance of implementation

GDPR has attracted media and business interest because of the considerable fines for non-compliance. However, not all infringements of the GDPR will lead to such fines. A regulator is not going to say you shouldn’t have had a breach. They are going to say you should have had the policies, procedures, and response structure to prevent such a breach and to solve it quickly.

It will be the responsibility of a company’s DPO or data controllers to ensure that European users’ data is being sufficiently protected and/or anonymised, and the data controllers will be among the first to be held to account if breaches or violations are reported.

Besides the power to impose fines, a range of corrective powers and sanctions exist to enforce the GDPR. The administrative fines are discretionary rather than mandatory; they must be imposed on a case-by-case basis and must be “effective, proportionate and dissuasive”.

Compliance with this regulation is going to be an on-going process that will need to adapt as the firm’s business changes, and as the external risk environment evolves.

In summary, GDPR promises to be one of the most far-reaching and ambitious consumer protection programmes ever devised. In following my five simple tips I believe your company can successfully become GDPR compliant.

Salima Nanji is a lawyer and has provided legal and compliance services for a range of multinational companies. She holds a controlled function and works in the financial services industry in London

THE PREPAID SECTOR

Prepaid: addressing preconceptions

Diane Brocklebank provides an overview of financial crime risk and regulation within the prepaid sector

Prepaid technology underpins a vast range of financial products and services, from everyday payment accounts and challenger bank accounts to travel money, corporate incentive and expense management solutions. Prepaid has become a driving force for innovation in payments and is enabling the high-growth FinTech sector to spearhead the development of new products with feature-rich, innovative technology that solves a multitude of customer needs.

One of the most striking aspects of prepaid continues to be its growth. Globally, the prepaid market is set to reach more than $500bn by 2020, according to Mastercard-commissioned research from Euromonitor. Currently, Europe dominates the global prepaid market: the compound annual growth rate for prepaid in the region between 2014 and 2021 is forecast at 18.6%, compared with 7.8% for consumer debit and 5.8% for consumer credit.1 The key driver fuelling this growth globally is prepaid’s ability to provide a platform that offers many different payment products and services for consumers, businesses and governments.

However, in spite of this growth, there remains a relative lack of understanding about the prepaid card industry amongst other sectors. This article offers an outline of current trends in the sector, with regards to risk and regulation.

What do we mean by ‘prepaid’?

Prepaid products, such as cards, are generally termed ‘closed’ or ‘open’ loop. A closed loop card can be exchanged for goods and services only in a limited or pre-defined number of outlets (for example, store cards, fuel cards and transport cards).

By contrast, open loop cards are branded by one of the card schemes such as Mastercard or Visa and can be used at multiple locations both at retail outlets and in some cases to withdraw cash at ATMs. Certain types of prepaid cards or vouchers can also be used to make payments online. Most prepaid products, which can be used in much the same way as a credit or debit card, must abide by EU Payment Services and E-Money Regulations.

Prepaid products are used in several ways. For example, they are used by consumers as an alternative to a traditional bank account, by governments as a means to disburse welfare payments, and by businesses to control and manage expenses (see Figure 1).

Reloadable and non-reloadable prepaid products

In general, non-reloadable or ‘single-use’ prepaid cards are purchased or issued with a fixed value pre-loaded onto the card and cannot be topped up. Examples include gift cards, rebate cards and cards issued as part of an employee reward or incentive scheme.

Reloadable cards include travel money cards, payroll cards and cards that are used instead of bank-issued credit or debit cards.

Figure 1: Uses of prepaid products

Sector: Prepaid Solutions

Consumer:
• Alternative to a traditional bank account
• Travel money
• Multi-store gift cards

Business:
• Alternative to business credit and debit cards
• Expense management
• Employee rewards and incentives
• Insurance claim pay-outs
• Payroll, e.g. for migrant workers

Government/Local Authorities:
• Benefits disbursement

Rules and regulations

Contrary to popular misconceptions, the UK prepaid sector is highly regulated. Except for products such as those that can only be used in a single or ‘limited’ number of outlets such as store cards, transport cards and fuel cards, all prepaid products must be authorised and regulated by the UK Financial Conduct Authority (FCA) and issued by an authorised e-money institution (EMI) or Payment Institution (PI).

Products provided by EMIs and PIs all fall within the scope of the Electronic Money Regulations 2011 and the Payment Services Regulations 2017, which implement the Second Electronic Money Directive (2EMD) and the revised Payment Services Directive (PSD2) respectively, and the Money Laundering Regulations 2017 which implement the Fourth Anti-Money Laundering Directive (4AMLD).

Safeguarding

Regulation requires all authorised e-money and payment institutions to ring-fence the funds they receive from customers by placing them in a separate account with a credit institution authorised by the Prudential Regulation Authority (PRA; or equivalent Member State competent authorities) to accept deposits. This means that consumers are protected if the issuer of the product becomes insolvent.

Managing fraud and risk

The prepaid sector invests heavily in the creation and continual improvement of transaction monitoring systems to prevent products from being used for unlawful purposes, such as money laundering and terrorist financing, and in accordance with anti-money laundering, terrorist financing and the criminal finances legislation. The sector engages with law enforcement and is informed by the output of international and national bodies such as the FATF (Financial Action Task Force) and FIUs.

It is important to note that the majority of prepaid accounts that can be used in much the same way as a traditional bank account are subject to the same due diligence checks that are applied to any other type of financial instrument (e.g. transaction alerts, exception reporting and picking up on suspicious transaction patterns based on rules aimed at spotting behaviours that reflect money laundering and terrorist financing typologies, which are then further investigated).

Even for products that rely on the regulatory exemption from Customer Due Diligence (CDD) for low-risk, low-value prepaid products under the 4MLD, transaction monitoring systems invariably allow issuers of prepaid products to link multiple transactions to specific computing devices. By blocking computing devices that are linked to suspicious usage patterns, as well as transactions showing suspicious usage patterns, issuers can mitigate the risk of these products being used for unlawful purposes.

Prepaid transactions are far more traceable than cash, due to the availability of detailed transaction records, including time stamps, merchant details, and information about where and when the prepaid product was originally purchased. This data enables transactions to be linked with other sources, such as security cameras and, where the prepaid product has been used to purchase a product online, the delivery address given to the retailers, providing law enforcement with valuable information and evidence. These risk mitigation measures can be effectively applied even without fully identifying the customer.

Furthermore, reloadable prepaid products offer enhanced possibilities for monitoring user behaviour as they are typically used over a longer period of time for larger numbers of transactions, enabling providers of prepaid products to gather more comprehensive usage data, such as the place where funds were loaded, place of use, IP addresses and devices used to initiate payments that can be more reliably traced back to a single individual.

The prepaid sector continually works to identify typologies and where possible share information with others on threats detected. Critically, all this information can be used by law enforcement agencies to gather necessary evidence to investigate, identify and prosecute individuals who use prepaid products for unlawful purposes.

Diane Brocklebank is Commercial Director of PIF, the not-for-profit industry body formed in 2007 to represent the prepaid financial services sector.

1. Mastercard commissioned Euromonitor market sizing study 2016

ICA Events 2018
Dates for your diary

ICA Award Ceremony
14 November 2018 – London

ICA Conference Singapore
20-21 November 2018 – Singapore

ICA Hot Topic events
4 September 2018 - Isle of Man
11 September 2018 - Dublin
12 September 2018 - Jersey
20 September 2018 - Guernsey
20 September 2018 - London
27 September 2018 - Manchester

ICA qualification briefing sessions
31 July 2018 - Hong Kong
14 August 2018 - Singapore
4 September 2018 - Isle of Man
11 September 2018 - Dublin
12 September 2018 - Jersey
20 September 2018 - Guernsey
20 September 2018 - London
26 September 2018 - Madrid
27 September 2018 - Athens

ICA online live Q&A sessions
3 September 2018

For further information on all ICA events, please visit www.int-comp.org/events

Head Office
Wrens Court | 52-54 Victoria Road | Sutton Coldfield | Birmingham | B72 1SX | UNITED KINGDOM
Tel: +44 (0) 121 362 7747
Email: [email protected]
www.int-comp.org

International Compliance Association CPD - 2 points

Advice to Readers

inCOMPLIANCE® is published by the International Compliance Association. Reproduction, copying, extraction, or redistribution by any means of the whole or part of this publication must not be undertaken without the written permission of the publishers.

inCOMPLIANCE® is distributed as a free member benefit to all members of the International Compliance Association.

Articles are published in good faith without responsibility on the part of the publishers or authors for loss occasioned to any person acting or refraining from action as a result of any views expressed therein. Opinions expressed in this publication should not be regarded as the official view of the ICA or as the personal views of the Editorial Board members of inCOMPLIANCE®.

All rights reserved in respect of all articles, drawings, photographs etc published in inCOMPLIANCE® anywhere in the world. Reproduction or imitations of these are expressly forbidden without permission of the publishers.

Printed in England
