inCOMPLIANCE

ISSUE 22/WINTER 2015

QUARTERLY JOURNAL OF THE INTERNATIONAL COMPLIANCE ASSOCIATION

Inside this issue:

Counter Terrorist Financing: The CTF Conundrum

Anti-TBML: The road to enlightenment

Attestations: Don’t rush in…

International regulation: A global conspiracy



CONTENTS

Message from Bill Howarth

Opinion: International Regulation

Opinion: Compliance and CSR

Opinion: Financial integrity, stability and inclusion

Insight: Counter Terrorist Financing

Insight: KYC utilities

Insight: Anti-TBML

Insight: Crowdfunding

Insight: e-commerce

Insight: Attestations

Insight: Cyber Security

Insight: MiFID II

What next?

For many within the UK financial sector, 2015 will be defined by the surprises thrown up by the general election, the impacts of which will continue to reverberate through the industry well into next year. The Conservative victory was followed swiftly by the resignation of FCA Chief Executive, Martin Wheatley (after George Osborne’s decision not to renew his contract), and the sacking of Antony Jenkins as Group Chief Executive of Barclays. These two events may point to the direction regulation will take in 2016.

Both Wheatley and Jenkins were appointed to bring about transformative cultural change within their respective organisations. Jenkins, appointed in the summer of 2012 in the wake of the Libor scandal, was charged with reforming Barclays’ culture and restoring consumer trust in the bank’s integrity. Three years seems hardly sufficient to turn that particular oil tanker, let alone keep it on its new course. Similarly, Wheatley’s task was to oversee the introduction of a new “outcomes based” regulator, focused on conduct, with a proactive stance and policy of “credible deterrence”. In his own words, he had “unfinished business” at the regulator; not surprisingly, given his short tenure.

Regime change is typically out of step with industry’s requirements for stability, clarity and consistency. But with change — both at the national and international level — becoming the norm rather than the exception, the key for business and compliance will be to anticipate and adapt.

James Thomas
Editor
inCOMPLIANCE

inCOMPLIANCE
Issue 22 Winter 2015

Publisher: International Compliance [email protected]

Editor: James [email protected]

Design: Thom Baker & Emma [email protected]

Production: Dorinda Gibbons & Sophy [email protected] [email protected]

Advertising Queries: Lily [email protected]

Chief Executive, International Compliance Association: Bill [email protected]

ICA Membership Enquiries: Dorinda Gibbons & Sophy [email protected]

ICA Qualification Enquiries: Michelle [email protected]

International Compliance Association CPD - 1 point

Advice to Readers

inCOMPLIANCE is published four times a year by the International Compliance Association. Reproduction, copying, extraction, or redistribution by any means of the whole or part of this publication must not be undertaken without the written permission of the publishers. inCOMPLIANCE is distributed as a free member benefit to all members of the International Compliance Association. Articles are published in good faith without responsibility on the part of the publishers or authors for loss occasioned to any person acting or refraining from action as a result of any views expressed therein. Opinions expressed in this publication should not be regarded as the official view of the ICA or as the personal views of the Editorial Board members of inCOMPLIANCE. All rights reserved in respect of all articles, drawings, photographs etc published in inCOMPLIANCE anywhere in the world. Reproduction or imitations of these are expressly forbidden without permission of the publishers.

Printed in England


This will be my last editorial as the CEO of ICA, following my change of role to Life President of the Association and the appointment of a new CEO.

It is 14 years since ICA began with myself and Charles Brady (ICA Chairman), two of the founding members, establishing the body as a not-for-profit association, working closely with the Alliance Manchester Business School, University of Manchester (known as MBS back then), and the British Bankers’ Association (BBA).

In that time I have seen many positive changes around the professionalisation of the compliance function and the status of compliance professionals. Compliance is now one of the top 10 professions of choice and the growth in independence, empowerment and involvement in corporate strategy, for many compliance professionals, has been significant.

In tandem with this elevation of the profession, ICA has grown significantly too. Since 2001 we have:

• awarded over 100,000 certifications;

• taught students in over 100 countries; and

• established regional and national offices and partners in 28 countries.

This level of growth has inevitably led to the need to expand the team across all levels – and the latest additions include the appointment of:

• Helen Langton as Managing Director of International Compliance Training (ICT), our principal training provider;

• Sally Scutt as Strategic Advisor to ICA; and most recently

• Phil Ryan as CEO of ICA

As we close 2015, I felt it would be an ideal opportunity to hand across the editorial overview of inCOMPLIANCE to Phil, but rest assured that I will remain actively involved in the affairs of the Association and look forward to seeing you at an upcoming conference, open day or residential training event.

On that note, let me introduce Phil….

Bill Howarth
Life President

Just a quick note from me to introduce myself to our members and readers, and to thank Bill for laying such a strong foundation since ICA was formed and for the great work he and his team have done in paving the way for the growth of the compliance profession.

I look forward to meeting our members and graduates in the coming months as we begin work on the next phase of our development. The priority for me is to develop the membership offer – including both the continuous professional development (CPD) functionality and the career zone tools and resources – and to open the doors to a whole new level of membership.

More on all of these initiatives in the next issue! In the meantime, if any members need to talk to me personally you can contact me by email or mobile. My contact details are:
E: [email protected]: 07738825751

Phil Ryan
Chief Executive Officer

The Dawn of a New Era

Editorial Board

Kathryn Cearns, Herbert Smith Freehills, [email protected]

Jee Meng Chen, HSBC [email protected]

Jacob Ghanty, K&L Gates LLP, [email protected]

Tom Salmond, Ernst & Young LLP, [email protected]

Irwin Spilka, Stonehage, [email protected]

David Symes, Compliance Recruitment, [email protected]

Rachel Waldren, ANZ, [email protected]


OPINION: INTERNATIONAL REGULATION

A global conspiracy

Dean Rowan considers the strategic impact of international regulations on banks

I often wonder whether anyone is really watching the dynamics of international regulation. Does anyone comprehend the substantial impact on banks that results from the ever-increasing rush of regulation as regulators strive to protect their financial markets, their banks and ultimately taxpayers’ funds? I don’t think so. I am not sure if this is a conspiracy theory under a grand global master plan, or just the result of unintended consequences.

Triple threat

Three key concerns leap out.

The first is that the ever-increasing financial impositions on capital, liquidity, and leverage via Basel III/IV/CRD are driving down the profitability of banks to the point where they may ultimately end up as public utilities.

The second is that the regulations designed to protect and bring stability to the global economies are in fact reintroducing unpredictability, contagion and systemic risk that the regulators have worked so hard to minimise.1

The third (and the primary focus of this article) is that the fragmentation caused by the differing approaches of the regulators – i.e. the USA (Volcker via prohibition); the UK (Vickers via ring-fencing), and Europe (Liikanen via hybrid) – is substantially impacting the business models upon which international and multi-regional banks operate. Very few within the industry fully understand the implications on strategy, financial resources, products and, most importantly, on financial strength. Let me say this more directly: these changes are eroding the economies of scale that international banks can offer, and are driving the industry back towards fragmented, disjointed, standalone entities.

A step back

To place this in context, we need to take a step back and briefly review some of the “achievements” in the regulatory reform agenda.

• We have seen Basel III correct the capital definitional deficiency resulting from Basel I [1988] (not Basel II) and now the industry has both substantially improved definitions and quantums of Tier 1 capital (T1), after it was correctly shown during the global financial crisis that pre-existing T1 was deficient in times of stress.

• We have seen the groundwork by the global regulators to reduce systemic risk through initiatives improving the soundness and safety of banks and market infrastructure. This has included “recovery and resolution” planning for globally strategic banks (which includes granting powers to national authorities to require banks to change their legal and operational structures, and even banks’ business models); combined with “bail-in” tools (which are complicated due to the mandatory “single point of entry” which limits intragroup support).

• We have seen the advance of the wholesale and retail conduct regimes.

• We have seen substantial compliance costs resulting from the introduction of FATCA and its UK, Cayman Islands and OECD equivalents (binding 50+ countries)… better hide your money under the mattress.

• We have seen recent pronouncements including a move to “outcomes” based regulation: future European Financial Transactions Tax (EU FTT) and pre-funding of deposit guarantee schemes; improvements in risk governance and risk culture; restrictions on bankers’ remuneration; and the most recent and expensive initiative issued by the Basel Committee (BIS) around the quality and centricity of customer and risk data via BCBS239 (also known as “Principles for Effective Risk Data Aggregation and Risk Reporting”, effective 1 January 2016).

This is an awful lot of regulation (and cost) to digest, so let us focus on the issue at hand, namely, the aforementioned impact on international business models resulting from the fragmented approaches of the regulators. These regulatory contradictions create massive inefficiencies arising from:

• Direct structural separation (e.g. Volcker via prohibition);

• Direct economic impact (via capital, funding and liquidity); and

• Localisation (operational, staffing and economic resources).

In order to comply with these clashing regulatory approaches, large banks operating internationally are being forced to make contradictory and inefficient decisions regarding the separation of economic, operational and legal issues. Let us understand the impact of each of these in turn.

1. Direct regulation – structural separation

The regulatory premise: to reduce the size and complexity of “too big to fail” banking groups and to protect insured retail deposits from investment banking activities.

(a) USA (Volcker via prohibition) – The USA introduced the “Volcker Rule” as part of the Dodd-Frank Act. It prohibits banks from proprietary trading and restricts investment in hedge funds and private equity by commercial banks and their affiliates, i.e. it prevents federally-insured banks from using their own money when investing in certain risky assets. The Act further directs the Federal Reserve to impose enhanced prudential requirements on systemically identified non-bank institutions.

(b) UK (Vickers via ring-fencing) – The Financial Services (Banking Reform) Act 2013 (the “Banking Reform Act”) implemented the recommendations of the Independent Commission on Banking (the “Vickers Report”) and the Parliamentary Commission on Banking Standards. It requires the ring-fencing of retail banking from the riskier activities of investment banking. There are also requirements for local capitalisation, local liquidity and locally responsible management (localisation).

(c) Europe (Liikanen via hybrid) – Europe followed the UK and USA in late 2014 when the European Commission passed structural measures for improving the resilience of EU banks, based on the “Liikanen Report” (October 2012). These prohibit banks from proprietary trading (defined as trading for the sole purpose of making profits for a bank’s own account) and from owning, holding shares in, or sponsoring alternative investment funds. They require the vehicles to operate as subsidiaries rather than branches, demanding minimum local liquidity, capital, stress testing and a limitation on intragroup support (which reduces potential support from home countries).

The hybrid component arises from the discretionary structural separation power granted to national authorities to prohibit a “core” credit institution (a bank that takes deposits covered by a Deposit Guarantee Scheme) from undertaking trading activities. The twist is that, despite this discretion, there is a mandatory structural separation when a bank’s trading activities exceed a set of assessment metrics (including size, complexity, profitability, resolvability and systemic impact).

2. Direct economic impact – on capital, funding and liquidity

The additional financial and economic imposts coming from Basel III include:

• capital surcharges applied to globally systemically important financial institutions, set at 0.5% and 2.5% for 29 global systemically important banks (e.g. the UK’s Systemic Risk Buffer [SRB] CET +3% = CET1 to 10%)

• separate capital surcharges for domestically important financial institutions

• “recovery and resolution planning” requirements

• the need to hold “bail-in-able” debt

• the inefficient use of capital and liquidity via localisation or subsidiarisation.

The future only becomes bleaker (and more expensive) with Basel IV in the pipeline, with:

• significantly higher capital (e.g. large exposures set at 5% of common equity Tier I threshold)

• mandatory improvements in capital management

• changes in risk-weighting combined with less risk sensitivity to capital ratios and internal modelling (resulting in higher capital)

• increasing focus on stress testing

• increased reporting, including standard reporting models (using predetermined templates)

• reduced reliance on Pillar 1

• the unknown impact of the leverage ratio and other parallel regulatory tracks (e.g. OTC derivatives, developing their own capital standards).

3. Localisation

Host country regulators are becoming ever more focused on preventing/managing the failure of a foreign bank operating in their jurisdiction, and in maintaining the market’s critical infrastructure in the event of distress/failure, in order to maintain liquidity and confidence and ultimately to protect domestic banks, creditors and taxpayers.

Foreign banks are increasingly being required to operate within the host country as subsidiaries rather than branches, or are being localised to meet host standards on liquidity, capital, stress-testing, bail-in liabilities and governance and risk management.

This is substantive. It forces the inefficient use of economic and financial resources, which become “locked in”. For global or multi-regional banks it substantially reduces their ability to efficiently use capital and liquidity. Bail-in liabilities can only be accessed at the group, primary vehicle level and so intragroup funding is reduced. Credit risk and capital use is increased by booking transactions in multiple jurisdictions, which decreases the benefits of netting achieved through “single site booking” or “regional site” booking. Similarly, collateral is less effective.

When an external rating is involved, localisation or subsidiarisation increases the complexity and can remove/reduce ratings with its concurrent impact on increased funding costs.

From a business perspective this has a substantial impact on global or multi-regional banks whose efficiency is being eroded on multiple fronts. It reduces the advantages of scale and the quantum of intragroup services that can be provided.

From a country of operation perspective, banks face the issue that when a jurisdiction faces a situation of distress, despite all the statements of international co-operation and coordination, a home country regulator will always preferentially look after and minimise the impact on its own jurisdiction.

The bottom line

Global competitiveness is being impacted by reduced economies of scale, increased capital requirements, reduced available liquidity, and increases in cost base due to the need for localised staff. These regulatory reforms are driving banks’ business models, increasing pricing and reducing the flexibility of the products banks can offer and the clients and markets they can serve. Ultimately the cost of continuing to increase regulation is borne by the customers, and by shareholders by way of reduced return on equity. The bottom line is a permanent downward drag on economic growth.

So, have we reached a tipping point where the costs of regulation actually exceed the benefits? This question remains unanswered. Does the cost of stability exceed the benefit of avoiding future periods of financial instability? Only time will tell.

Dean Rowan is the Regional Director of the Professional Risk Managers International Association (PRMIA) and Advisory Board Member of the International Compliance Association (ICA).

1. “Into the Shadows”, inCOMPLIANCE Issue 20, p.13


OPINION: COMPLIANCE AND CSR

A broader function?

Svetlana Snezhko considers the role of compliance in corporate social responsibility

Corporate social responsibility (CSR) is becoming an integral part of contemporary business. CSR is understood as: responsibility for the impacts of decisions and activities on society and the environment through transparent and ethical business practices.1 The ISO26000 standard outlines that socially responsible behaviour rests on seven principles: accountability, transparency, ethical behaviour, respect for stakeholder interests, respect for the rule of law, respect for international norms of behaviour, and respect for human rights.2 Ideally, a company’s CSR policy should be integrated into its business strategy.

The definition of CSR outlined above assumes that compliance is an unconditional factor of a company’s sustainability. This article considers whether compliance is merely an internal function of the company or whether it also affects broader society and sustainable development.

The role of non-financial reporting

Various stakeholders are placing ever-increasing attention upon non-financial aspects of companies’ activities, through greater scrutiny of the quality of disclosure of non-financial information and the development of criteria for its evaluation.3 For this reason, CSR reporting is of real significance today, demonstrating and enabling assessment of companies’ CSR performance.

There is currently a range of CSR reporting including sustainability reports, CSR reports, environmental and social reports, corporate responsibility and sustainability reports, and integrated reporting. Such reporting details the company’s contribution to a country’s development through the disclosure of information about the company’s economic, environmental and social performance and its influence on society and the environment.4

CSR is closely related to GRC (governance, risk management, and compliance) – three pillars united in the purpose of assuring that an organisation meets its objectives. While GRC is aimed at achieving company goals, CSR demonstrates how companies do so: how they effectively manage external influences, maintain sustainability, and meet the interests of stakeholders and, ultimately, society. Thus through CSR reporting companies strive to:

• reflect the relationship between CSR and strategic objectives

• inform all stakeholders and the public

• demonstrate the sustainability of the company

• show projects in development

• enhance the reputation of the company.

The Russian Union of Industrialists and Entrepreneurs (RSPP) in its analytical review of corporate non-financial reports for 2012-2014 calls public reporting a “mirror” reflecting business activity.

Compliance as an integral part of non-financial reporting

Business analysts and consultants emphasise the growing interest of investors and stakeholders in sustainability reporting and, in particular, in how sustainability issues affect broader aspects of business, including business continuity, employee attraction and retention, reputation and the right to operate. Ernst & Young (EY) point out that the approach to sustainability reporting has shifted to risk reduction and mitigation5 (i.e. how companies operate with regards to inherent risks to their business).

Collecting and analysing information on sustainability for disclosure does not only help to identify risks, but can also reveal opportunities for improving efficiency and uncover new markets. This can have a significant impact on overall performance and investors’ perceptions and access to capital.6 As KPMG’s Yvo de Boer suggests: “Corporate responsibility reporting is the means by which a business can understand both its exposure to the risks of these changes and its potential to profit from the new commercial opportunities.”7

KPMG outline six key sustainability-related risks that companies face8, including reputational, regulatory and legal (which are, of course, components of compliance risk). Thus, from a CSR perspective, managing compliance risk is relevant not only to the interests of the company but also to its shareholders, investors and society.

Moreover, research conducted by EY9 found that a majority of respondents believe that risk-mitigation is one of the key objectives of a sustainability strategy. According to EY, compliance and operational performance are becoming more influential in sustainability strategy.

Sustainability reporting guidelines

There are no strict rules regarding the structure or content of CSR reporting. Indeed, there is not even a standard title for CSR reports; the most commonly used being the “sustainability report”. However, there are several guidelines for preparing sustainability reports, including the United Nations Global Compact (UNGC – an initiative promoting sustainability and socially responsible practices and reporting on them), AA1000 (a series of standards on accountability, responsibility and sustainability), ISO26000, and the Global Reporting Initiative (GRI) which is becoming established as a universal methodology for non-financial reporting.

The GRI contains recommendations on the inclusion of compliance issues in sustainability reporting (compliance with laws and regulations, compliance with environmental standards, compliance towards customer service and product responsibility). It is noteworthy that within the GRI guidelines10 anti-corruption and compliance are included as separately distinguished themes within the category of “Society”. The GRI requires companies to provide information on their adherence to environmental norms and applicable legislation. In particular, recommendations related to information disclosure on compliance in the report include the monetary value of significant fines as well as non-monetary sanctions along with the related cases or those arising through dispute resolution mechanisms.

Recommendations on anti-corruption compliance disclosure contain rather detailed sets of issues relating to risk-assessment, training and communication, including communication to employees on policies and procedures, as well as to business parties and management. The recommendations promote detailed information disclosure on incidents revealed, including public legal cases regarding corruption brought against an organisation or its employees.

Within the category “Product responsibility” there are also recommendations regarding compliance with regulations and codes such as marketing and customer health and services, and incidents of non-compliance.

If an organisation has not revealed any cases of non-compliance with laws and regulations, this should also be reported, with disclosure of the measures taken to secure compliance.

Disclosure of compliance programmes

While we are used to understanding compliance as an internal function, it is now being publicly disclosed. Since 2012 Transparency International (TI) has been evaluating the transparency of corporate reporting among the largest publicly-listed and traded companies and of leading emerging market companies. Companies are being assessed on three criteria11 including anti-corruption programmes, and examination of reporting on anti-corruption programmes, together with further transparency practices TI has been evaluating since 2008.

The TI report for 201412 reveals that 97% of companies committed to comply with laws. In particular, it provides an overview of companies declaring prohibition of facilitation payments, their transparency in political contributions and consistency of anti-corruption policies with criteria used to assess the anti-corruption programmes dimension in the report including geographical criteria.

Based on the results of corporate reporting transparency, TI annually ranks companies. It also calls for governments and regulatory bodies, investors and even civil society organisations to demand greater transparency from multinational companies. The publication of elements of anti-corruption compliance demonstrates a company’s commitment to fighting corruption, its tolerance of fair business conduct and integrity, and increases its responsibility and accountability to stakeholders and the public.

The main finding of the report is that, according to the three parameters, market-leading companies continue to achieve the best results in anti-corruption transparency, indicating that such companies strive to disclose their anti-corruption programmes. Overall ratings show that the best performers are European companies and the worst performing are Asian companies, while there were only three large corporations from Russia included in the report (see Box 1 for a detailed view of non-financial reporting in Russia).

Anti-corruption and AML as sustainability factors

Compliance as an internal function aims to protect the company from exposure to compliance risk. However, it also has an impact on social and economic relations. Thus, the priority of anti-corruption compliance to protect businesses against the claims of regulators simultaneously fights corruption as an obstacle to fair business relations. Companies that favour bribery and corruptive business practices stimulate the growth of such unsound practices. This is why today anti-corruption is considered as a manifest direction within CSR activities.

Similarly, managing money-laundering risk is a priority for financial organisations since its occurrence may cost a business its licence and/or incur high financial penalties. Companies with poor anti-money laundering (AML) controls can become partners in a chain of money-laundering that subsequently can be used for such criminal purposes as drugs distribution, illicit arms or financing of terrorism. There is no need to look far for an example: Britain has been denounced as having a “woefully inadequate” anti-money laundering system.13 Another crime expert earlier pronounced London the global money-laundering centre of the world’s drug trade. The situation is the result of ignorance of “know your customer” rules within the UK financial services.14 And this is in the leading country on AML legislation and rules!

These are examples of how the compliance function, in pursuing business goals, influences the broader sustainability of society and thus serves CSR goals. Another interesting example of CSR activity in the financial sector is the improving financial literacy of the population. This social advance is directly linked to business interests since it is easier to offer and sell products to the customer when he/she understands what is in his/her interest: either to invest in shares, open a deposit account or enter into a life insurance programme with a saving instrument.

BOX 1: NON-FINANCIAL REPORTING IN RUSSIA

Non-financial reporting in Russia has a 15-year history. RSPP maintains a register of Russian companies issuing non-financial reports, which now totals 151 mainly large public or state-owned companies who, as a rule, demonstrate greater openness. This is a low figure, given that there are about 7,000 joint-stock companies in Russia15, only 2% of which issue non-financial reports. Moreover, 20% of reporting companies (for 2012-2014) are Russian representatives and affiliates of foreign corporations. Nonetheless RSPP regards development of non-financial reporting by Russian companies as “progressive”.

Today, preparation of non-financial reporting is regarded as quite an urgent issue and it is discussed in business circles and among consultants and analysts. Current topical issues of non-financial reporting include: materiality (either the report should include a range of issues concerning value creation in the long term, or reporting on the environmental, economic and social spheres); methods of collecting information; the volume of the report; correlation with the company’s strategy; justification for the selection of report items; and reporting format.

Firm roots

Currently the structure, content and framework of a non-financial report are not yet formalised, although business analysts, advisors and senior managers are giving thought to the issue.

Despite this uncertainty about non-financial reporting today, compliance is firmly rooted as a chief area of disclosure. While it is included in the guidelines for the preparation of such reports, albeit in an advisory nature, the role of compliance in sustainability is clear, as is the importance of reflecting compliance programmes within reports. In fact, today the question “how often has the company been held liable for non-compliance?” is no longer relevant to a company’s reputation. Instead the question should be: “what do companies do to avoid being held liable, and how effective are these measures?”

Svetlana Snezhko is Affiliates & Subsidiaries Compliance Head at Mobile TeleSystems PJSC and an ICA Graduate with a PhD in Sociology of management

1. ISO26000
2. http://www.triplepundit.com/2011/03/iso-26000-definition-social-responsibility/
3. Responsible business practices in the mirror of reporting: Analytical review of corporate non-financial reports for 2012-2014 by Russian Union of Industrialists and Entrepreneurs (RSPP). http://media.rspp.ru/document/1/1/3/1310e25ab7ebd8f22b8baa594bce857c.pdf
4. ibid
5. 2013 Six growing trends in corporate sustainability. An EY survey in cooperation with GreenBiz Group, http://www.ey.com/Publication/vwLUAssets/Six_growing_trends_in_corporate_sustainability_2013/$FILE/Six_growing_trends_in_corporate_sustainability_2013.pdf p. 13
6. http://www.ey.com/Publication/vwLUAssets/EY-Sustainability-reporting-the-time-is-now/$FILE/EY-Sustainability-reporting-the-time-is-now.pdf p. 6
7. https://www.kpmg.com/Global/en/IssuesAndInsights/ArticlesPublications/corporate-responsibility/Documents/kpmg-survey-of-corporate-responsibility-reporting-2013.pdf
8. https://www.kpmg.com/Global/en/IssuesAndInsights/ArticlesPublications/corporate-responsibility/Documents/kpmg-survey-of-corporate-responsibility-reporting-2013.pdf p. 49
9. http://www.ey.com/Publication/vwLUAssets/EY-Sustainability-reporting-the-time-is-now/$FILE/EY-Sustainability-reporting-the-time-is-now.pdf p. 6-7
10. www.globalreporting.org/resourcelibrary/GRIG4-Part1-Reporting-Principles-and-Standard-Disclosures.pdf
11. Organizational transparency – information on company’s holding, country-by-country reporting – financial information on a country-by-country reporting // Transparency in corporate reporting http://files.transparency.org/content/download/1839/12366/file/2014_TransparencyInCorporateReporting_EN.pdf
12. ibid
13. http://www.reuters.com/article/2015/11/23/us-britain-moneylaundering-idUSKBN0TC00520151123#pDBJTcbu5AoZk8hO.97
14. http://www.independent.co.uk/news/uk/crime/london-is-now-the-global-moneylaundering-centre-for-the-drug-trade-says-crime-expert-10366262.html
15. Responsible business practices in the mirror of reporting: Analytical review of corporate non-financial reports for 2012-2014 by Russian Union of Industrialists and Entrepreneurs (RSPP). http://media.rspp.ru/document/1/1/3/1310e25ab7ebd8f22b8baa594bce857c.pdf


OPINION: FINANCIAL INTEGRITY, STABILITY AND INCLUSION

INTO THE LIGHT

Eden Dema, Mary Munford and David Robson consider the challenge of balancing financial inclusion, financial integrity and financial stability

Financial inclusion has been having something of a moment lately. According to the latest World Bank Global Financial Inclusion (or “Global Findex”) database,1 the number of adults without an account – with a bank, other financial institution, or mobile money provider – fell by 700m between 2011 and 2014, down to 2bn. Currently 62% of adults have an account, up from 51% in 2011.

The issue was also high on the agenda of the movers and shakers attending the World Bank and International Monetary Fund (IMF) Annual Meetings in October 2015, which featured an expert seminar2 discussing the current state of play. The seminar panel concluded that financial inclusion has an important role to play in economic development at micro and macro levels, at the same time highlighting the dual challenge of supporting innovation while mitigating risk.

An evolving debate

Achieving that balance is at the heart of the financial inclusion vs. financial integrity debate. This is not a new phenomenon but one that continues to evolve. We have observed financial institutions busily de-risking, with many remittance businesses working in regions seen as “high risk” cut off from banking services. In the process, their customers in those territories are left struggling to access essential funds sent from contacts elsewhere, increasing the probability that they are driven towards informal, unregulated financial channels. At best, these may be costly and inconvenient. At worst, as the Financial Action Task Force (FATF) points out: “Alternative or underground providers can… become a ready conduit for illicit transactions that are difficult for governmental authorities to detect and that undermine AML/CFT efforts.”

Meanwhile, the growth of new technologies continues, contributing, for example, to the rise of banking services delivered by mobile phones. The Global Findex, referring to mobile phone-based services used to pay bills or to send and receive money (which can be used without a financial institution account), reveals that 58% of adults in Kenya have a mobile money account and the figure across East Africa is 20%.

While such developments are generally seen as a positive in terms of inclusion, it is important that such technology-based innovations are developed in parallel with efforts to ensure financial integrity. For example, mobile money in Kenya is linked to biometric national IDs, allowing KYC procedures to be streamlined and conducted much faster than with traditional banking yet without compromising financial integrity. In contrast, virtual currencies such as bitcoin are usually unregulated, and may facilitate anonymous use. As such they have been highlighted by FATF as a potential money laundering and terrorist financing risk.

Working together

FATF’s Guidance and Recommendations on AML/CFT and Financial Inclusion3 are designed to enable a flexible approach, to support entry-level banking and other products aimed at drawing the unbanked into the mainstream financial sector. As the Guidance states: “The challenge is finding the right level of protection for a particular financial environment.” Essentially, rather than considering financial inclusion and financial integrity as warring siblings, consideration should be paid as to how one can support the other.

Indeed, well-defined financial policies should pursue four core objectives simultaneously: financial stability, financial inclusion, financial integrity and consumer protection. In collaboration with financial policymakers, the Consultative Group to Assist the Poor (CGAP) has developed the I-SIP methodology (Inclusion, Stability, Integrity, Protection)4 that enables policymakers to understand and optimise the linkages between these policy objectives while at the same time minimising trade-offs.

The remainder of this article focuses in particular on the relationship between financial inclusion and financial stability, and how financial policymakers can manage these dual responsibilities most effectively.

What are financial inclusion and financial stability?

Financial inclusion is commonly understood as a way to provide financial services to those who do not have them. It embraces three core elements: access, usage and quality of financial services. The Global Partnership for Financial Inclusion (GPFI) has defined financial inclusion as “a state in which all working age adults have effective access to credit, savings, payments, and insurance from formal service providers.”5

Financial inclusion allows the unbanked and underbanked segments of society to join the formal financial system, which ultimately helps to alleviate poverty, promote job security, improve livelihoods and advance social empowerment.

The South African Reserve Bank has defined financial stability as the smooth operation of a system of financial intermediation between households, firms and the government through a range of financial institutions. Financial inclusion and financial stability are not ends in themselves, but rather facilitate sustainable and balanced economic growth.

Various research studies and surveys6 have shown that financial inclusion plays an important role in achieving financial stability if policymakers can effectively apply the principle of proportionality, which balances risks and benefits against the costs of regulation and supervision while maximising results. The South African Reserve Bank has supported this approach with seven guidance statements,7 and the State Bank of Pakistan has offered six I-SIP propositions8 that ease the design and implementation of policy interventions by identifying, managing and optimising the linkages among financial inclusion, financial stability, financial integrity and consumer protection.

Complementary linkages

In a CGAP brief, the four objectives of I-SIP are described as “inter-related and, under the right conditions, positively related. Yet failings on one dimension are likely to lead to problems on others.”9 The International Association of Insurance Supervisors (IAIS) reinforces this idea: “Financial inclusion contributes to financial stability. It is an important element in delivering fair, safe and stable financial markets in a jurisdiction.”10

Research on the linkages between financial inclusion and financial stability has concluded that:

• An inclusive financial sector will have a more diversified and stable retail deposit base, which should make the financial system more stable. Financial inclusion may also diversify credit portfolios and reduce concentrated lending, which in turn reduces systemic risk.

• Financial inclusion is a harbinger of economic stability. Job creation, poverty reduction and food security all contribute to financial stability.

• An inclusive financial system achieves balanced and sustainable economic growth by ensuring every individual enjoys a share of this growth. This in turn contributes to political, social and financial stability.

• A strong and resilient financial system promotes confidence in the system, which makes it more attractive to those who are financially excluded.

• Financial stability can have a positive impact on forces that reduce key prices, making financial services more affordable.

How do policymakers manage these twin responsibilities?

It is important that policymakers optimise the linkages between financial inclusion and financial stability. However, they must be careful to avoid policy interventions that achieve one at the expense of the other, or achieve neither in the short to medium term by failing to coordinate and share inter-agency responsibilities. The good news is that even though trade-offs are inevitable when pursuing these objectives, they can be managed with minimal impacts.

Different countries have tried different approaches. While some have based their approach on past experience,11 others have taken a conservative approach. Regardless of the approach, it is imperative that national policymakers follow the I-SIP guidance below, which has been altered slightly to reflect financial inclusion and financial stability objectives:

1. Clearly define financial stability and financial inclusion to provide clear guidance on national policy design and enable effective monitoring and measurement.

2. A structured approach to identifying material linkages between financial inclusion and financial stability objectives, which may arise when implementing a specific policy, helps to manage and optimise linkages and avoid false or unnecessary trade-offs.

3. Inter- and intra-agency collaboration is critical to designing, monitoring and adapting policy interventions that optimise linkages not only between financial inclusion and financial stability objectives, but between broader national objectives as well.

4. Using specific indicators and targets to regularly collect and analyse data on policy interventions enables policymakers to monitor the effects of the policy on financial inclusion and financial stability and to calibrate linkages over time.

5. Periodic, structured consultation with providers in proportion to the scale of the proposed changes helps to identify and manage linkages as the market develops.

6. Optimising the linkages between financial inclusion and financial stability requires a commitment by policymakers to adapt policy and regulation as data and other evidence come to light and effects are observed.

The six I-SIP propositions above can serve as guidance for policymakers to create the right approach. One important consideration, however, is the ability of policymakers to synchronise the applicable propositions when developing and adopting a proportionate approach12 customised to their country’s needs.

Another important aspect will be ensuring that the global and national standards and policies being implemented to enhance the stability of the financial system (e.g. new Basel III regulations) do not unintentionally financially exclude individuals and small businesses, particularly in developing countries. Efforts such as that of the Alliance for Financial Inclusion (AFI) to develop an “extended risk framework” that takes into account the risks of financial exclusion, which can arise from overly restrictive global standards or disproportionate implementation of standards by policymakers, will be important to ensuring that financial inclusion and financial stability policies can be pursued in tandem.13

Out of the darkness…

During the World Bank/IMF seminar referred to in the introduction to this article, IMF Deputy Managing Director Min Zhu urged regulators to “keep an open mind” with the aim of achieving an acceptable balance between actual risks and potential benefits. That view closely echoes FATF’s Guidance that AML/TF controls should “not inhibit access to well-regulated financial services for financially excluded and underserved groups”14. Klaus Prochaska, Senior Policy Analyst and Knowledge Manager at AFI, puts it this way: “If you get customers into the financial system… the transactions they perform are on the grid. So a good system of financial integrity brings even the small transactions out of the dark and into the light, and aids the poor people as much as the integrity of the system.”15

The World Bank Group and partners are currently working towards the ambitious target of achieving universal financial access for working-age adults by 2020, via an account or an electronic route to store money, send payments and receive deposits. With new technologies making this level of inclusion increasingly possible, governments, standard-setting bodies and supervisors will also need to develop policy and regulatory approaches that enable inclusion to flourish while firmly closing any gaps that threaten financial stability and integrity. AFI is playing a key role in bringing policymakers into dialogue with global standard setters in order to ensure that the global dialogue on financial regulation takes full account of developing and emerging country perspectives, particularly their need to deploy innovative technologies to advance financial inclusion in their jurisdictions. For example, AFI’s Global Standards Proportionality Working Group gives developing countries a voice in the global policy dialogue on financial regulation and supervision, with the aim that financial inclusion is pursued alongside a safe and sound financial system.

Switching the perspective from “inclusion vs. integrity and stability” to a position where financial integrity, stability and financial inclusion can not only coexist, but can also reinforce and enhance each other, seems a good place to start that journey “into the light.”

Eden Dema is Deputy Governor of the Royal Monetary Authority of Bhutan and Chair of AFI’s Financial Inclusion Strategy Peer Learning Group, Mary Munford is Editorial Manager at International Compliance Training and David Robson is Head of Research & Development at International Compliance Training

ACKNOWLEDGMENTS

Eden Dema is grateful to Mr. Robin Newnham, Head of Capacity Building and Policy Analysis at AFI for his professional support.

FURTHER READING

AFI’s Peer Learning Program with the Global Standard-Setting Bodies: http://www.afi-global.org/sites/default/files/pdfimages/afi_gpf2014_ssbs_fact_sheet_aw_low_res.pdf

Alliance for Financial Inclusion. 2013. 2013 Global Policy Forum Report. http://www.afi-global.org/sites/default/files/publications/gpf2013_report_low_res.pdf

CGAP. 2012. Financial Inclusion and the Linkages to Stability, Integrity and Protection: Insights from the South African Experience. http://www.cgap.org/sites/default/files/I-SIP%20Report_1.pdf

CGAP. 2014. Inclusion, Stability, Integrity, and Protection: Observations and Lessons for the I-SIP Methodology from Pakistan. http://www.cgap.org/sites/default/files/Working-Paper-I-SIP-Pakistan-June-2014l.pdf

Governor Atiur Rahman, Bangladesh Bank. 2014. The Mutually Supportive Relationship between Financial Inclusion and Financial Stability. http://www.afi-global.org/sites/default/files/publications/afivp1-11.pdf

Governor Zeti Akhtar Aziz, Bank Negara Malaysia. 2014. Keynote Address at the 2014 AFI Global Policy Forum. http://www.afi-global.org/sites/default/files/publications/8.1_g_keynote_afiglobalforumsept14_-_final_28for_distribution29.pdf

Her Majesty Queen Máxima, UNSGSA for Inclusive Finance for Development. 2013. Keynote Address at the 2013 AFI Global Policy Forum. http://www.koninklijkhuis.nl/globale-paginas/taalrubrieken/english/speeches/speeches-archive/2013/september/speech-by-hm-queen-maxima-unsgsa-honorary-patron-of-the-g20-global-partnership-for-financial-inclusion/

IAIS. 2012. Application Paper on Regulation and Supervision Supporting Inclusive Insurance Markets. http://newsletter.iaisweb.org/newsletterlink-381?newsid=878&call=1

Three country case studies (Russia, South Africa and Pakistan): http://bankablefrontier.com/wp-content/uploads/documents/BFA-RMC-ISIP-Russia-Final-Report_website_eng.pdf

UN ESCAP. 2013. Forward-looking macroeconomic policies for inclusive and sustainable development. http://www.un.org/en/development/desa/policy/capacity/presentations/newyork/dpad-egm-dec-2013-presentation-anis.pdf


1. The Global Findex Database 2014: http://www.worldbank.org/en/programs/globalfindex
2. AFI press release, Financial inclusion takes center stage at World Bank-IMF Flagship Seminar in Lima, Peru: http://www.afi-global.org/news/2015/10/09/financial-inclusion-takes-center-stage-world-bank-imf-flagship-seminar-lima-peru
3. http://www.fatf-gafi.org/documents/documents/fatfguidanceonanti-moneylaunderingandterroristfinancingmeasuresandfinancialinclusion.html
4. http://www.cgap.org
5. 2011 GPFI white paper
6. GPFI white paper 2011, CGAP website
7. CGAP South Africa I-SIP report
8. CGAP Pakistan I-SIP report
9. Robert Cull, Asli Demirgüç-Kunt and Timothy Lyman, 20 May 2012, “Financial Inclusion and Stability: What Does Research Show?”, http://www.cgap.org/publications/financial-inclusion-and-stability-what-does-research-show-0
10. IAIS application paper on regulation and supervision supporting an inclusive insurance market
11. CGAP South Africa I-SIP report
12. The G20 Principles for Innovative Financial Inclusion define the “principle of proportionality” as “Balancing of risks and benefits against costs of regulation and supervision”
13. AFI’s Peer Learning Program with the global standard-setting bodies: http://www.afi-global.org/sites/default/files/pdfimages/afi_gpf2014_ssbs_fact_sheet_aw_low_res.pdf
14. http://www.fatf-gafi.org/documents/documents/fatfguidanceonanti-moneylaunderingandterroristfinancingmeasuresandfinancialinclusion.html
15. “A Balancing Act” by James Thomas and Emmanuel Ioannides, pages 5-7, inCOMPLIANCE, Winter 2014 edition


INSIGHT: COUNTER TERRORIST FINANCING

The CTF Conundrum

Albert Galloni considers why many regulated entities have struggled to mitigate terrorist financing risk

As this article goes to press, the sheer scale of the recent tragic terrorist attack on Paris is only starting to sink in. It is not yet fully clear how this atrocity was funded, whether its perpetrators took advantage of the likes of cryptocurrency and encrypted communication or whether they avoided detection by choosing precisely the opposite tactics and using cash, low value electronic payments and traditional communication. Either way, the tragic events once again demonstrated the potential for devastation inherent in small, local cells and the sheer complexity of tracking them from a financial perspective. Counter terrorist financing (CTF) is still, very much, a new challenge.

CTF, AML and risk mitigation

Ever since the events and aftermath of 9/11 thrust the issue of terrorist financing into the public eye to an extent previously unseen, CTF has been almost invariably linked in the regulated world with traditional Anti Money Laundering (AML). Under pressure from the law and the regulators, obliged entities have looked to integrate the concept of CTF within their policies and procedures. Keen to demonstrate not just an appreciation of the risks and threats of terrorist financing but also a drive to stamp it out, regulated entities – for the most part – started including CTF-specific language within their existing AML frameworks. And, when faced with risks outside of their full understanding and ability to directly influence, they in some instances engaged in wholesale de-risking.

The problem with terrorist financing – and the key reason why institutions’ attempts at mitigating risk in the area have not been anywhere near as successful as their efforts with regards to traditional money laundering – is the fact that it is actually quite removed from money laundering. Therefore, the simple recycling of known methods to attempt to combat it is unlikely to yield results.

While money laundering is concerned with making the proceeds of crime appear lawful and viable for use in the open, legitimate market, terrorist financing is not desperately concerned with disguising the provenance of funds, apart from perhaps creating a veneer of legitimacy to avoid immediate detection. Terrorists’ real concern is ensuring there is a funding stream supporting their enterprise. Where traditional AML focuses around the “three stages” of placement, layering and integration of pre-obtained proceeds of crime, CTF fully embraces the generation of criminal assets stage as well, effectively rendering its cycle a four-stage process.

Where AML professionals may legitimately choose to start the focus of their work once criminal assets (usually monetary) appear on their horizon, CTF practitioners must fully assess the previous stage. This is particularly true of practitioners in the financial services sector, as products and services can be exploited in their entirety in the drive to facilitate the funding of terrorism, therefore becoming accessories to crime in all but name.

It’s also vital to appreciate that the core objective of terrorist financing is dual. On the one hand it is about the collection of funds by all means necessary. On the other it is also about the efficient dispatching of these very funds over to individuals or cells to enable them to carry out atrocities. It is therefore less about the mere disguising and more about the end-to-end collection, laundering and further use process. To a degree, it is a scenario closer to that of fraud, in which the acquisitive stage (which sits before the traditional “three stages” of AML) is fully embedded in the cycle as it merges acquisitive crime with the placement stage.

Operating below the radar

However, these are not the only differences. While money laundering usually revolves around larger proceeds of crime (again, as far as monetary value of the assets is concerned), terrorist financing can lubricate the network of terror it supports through a larger number of smaller amounts. This poses a significant monitoring and detection concern with most institutions having – over the years – finely tuned their monitoring systems and frameworks towards the identification of large sums, regardless of them being single payments or “smurfed” into many smaller ones.

The “fluid” nature of terrorism also needs to be taken into account. Terrorist groups today no longer resemble the unified (top-down) structures of yesteryear. They tend to fundamentally belong to two very separate categories. On the one hand are the “banner” groups (Al Qaida, IS etc). On the other hand are hundreds, if not thousands, of banner-group-inspired splinter groups and sometimes individuals. Understanding this difference is key in formulating a coherent and ultimately effective CTF framework.

Whereas the first group tend to model their operational framework on corporations (in terms of their command structure, contingency and resilience, “message”, strategic vision and presumably high running costs) the latter group belong and act locally, often in complete isolation, and can operate and deliver with ruthless efficiency and comparatively minimal costs. It was reported at the time that the attack on the Madrid transport network in March 2004 was estimated to have cost a mere $10,000 with the atrocity of 7/7 on the London transport network the following year estimated at an even lower $1,000.

All this means that whilst the top level groups require traditional money laundering methods, tactics and strategies, smaller groups can in fact fund their contribution with techniques likely to stay well below the radar of traditional monitoring systems. They can also rely, as well as on out-and-out criminality, on a degree of ingenuity in fund-raising and spending that can very easily blend in with what could pass for “normal” patterns.

To understand this key difference, take the exploitation of the black market for archaeological artefacts, for example. Whilst likely to be a key criminal revenue-generator for top level organisations, it is extremely unlikely to be of any value at all for independent, local cells unable to create and sustain the network to make such a niche and vastly profitable trade valuable to them. And whilst a degree of corporate vehicle misuse is likely to be a feature across all levels, it is arguable that its true benefits are more likely to be felt at the top level again where large amounts can be generated and managed – a key feature of traditional money laundering.

That is not to say, however, that the “lower tier” equates to lower risk. Far from it, in fact, as the examples above from London and Madrid demonstrate. From a financial perspective, take for example the exploitation of charity. Terrorist organisations have historically been deft at drumming up support – and donations – for their objectives from sympathetic communities and individuals, often under the guise of charity. Today’s financial environment, geared towards ease of use and speed of execution, presents a perfect opportunity for those looking to exploit goodwill or even deceive in order to collect funds rapidly and efficiently.

Evil twins

Where the threat becomes holistic and merges the work of both the top tier and the lower-level players is in the synergy between terrorism and organised crime.

The link between organised crime and terror networks has been explored before, in academic studies. Broadly, these studies have identified the formation of strategic alliances between organised crime networks and high-level terrorist organisations designed to provide ground-level coverage and mutual financial gain: an alliance of “evil twins forming a nexus” (to use the language of a famous 2009 article in Forensic Examiner journal1) driven by greed on the criminal side and the desire to exploit organised crime’s notoriously efficient logistics chains by terrorists in order to fund their activities.

It is within this context that one should assess activities from the sale of counterfeit goods and the smuggling of tobacco products, through to human trafficking. Each and every activity can deliver exceptional financial gains for organisations involved in them. And, in order to succeed, they require strategic planning and alliances at the top and tight execution at ground level. This is where the unholy alliance of organised criminal networks and terrorism really comes into its element.

With each party able to provide value to the enterprise at both levels, and profit margins extremely lucrative across the board, known examples of such alliances include people trafficking (from refugees to exploited workers in – for example – the sex industry), sanctions breaches (delivering much needed weapons and more to sanctioned entities), counterfeit goods (where proceeds of sales can fund both the top and the bottom tier of terrorist organisations) and tobacco smuggling (a key feature of IRA funding during the Troubles, among others).

Then, of course, there is that other key revenue-generator: the global drug trade, once again a trade that links terrorist groups (take, for instance, the production of opium in Afghanistan), criminal networks and potentially that insidious group – small, low-level terror cells worldwide – that could fund their activities via local drug dealing.

An asymmetric approach

It is in this multi-faceted and frankly maze-like context that approaches such as de-risking have to be assessed. And while there is a strong argument suggesting that de-risking can in fact have the insidious unintended consequence of driving criminal behaviours further underground with the subsequent loss of intelligence-gathering for Financial Intelligence Units, there is an equally strong argument suggesting that risk avoidance is truly the only option when threats are so difficult to detect.

In order to truly make a positive difference in the fight against terrorist financing, regulated entities need to appreciate the need to differentiate between different types of terror-related threats. While traditional AML can support in the fight against the top tier, an “asymmetric approach” is required at the granular level. KYC must once again be at the forefront of the effort against both threats, provided the due diligence exercise is designed to spot inconsistencies and analysts are encouraged to think laterally and assess how the seemingly straightforward customer in front of them could in fact be a front for something much more sinister.

Ingenuity needs to be taken into account also. Just as ingenuity is behind some of the most sinister terrorist tactics (from liquid explosives in drinks bottles to the use of female suicide bombers) it is also a key factor in the misuse of products and services. Early consideration is required to ensure that product enhancements designed to make honest customers’ lives simpler cannot also be exploited to, for instance, rapidly channel unchecked funds between individuals and cells. Possible mis-use needs to be mapped out against possible threats, with safeguards and monitoring firmly in place.

Greater understanding

Above all, obliged entities need to enhance their understanding of terrorism and the profiles of those likely to be involved in it so as to be able to identify deviations from the norm and real-life threats, not simply conceptual risks. They need to look at parallel monitoring which takes into account small amounts and high velocity. They need the expertise of those involved in the fight against terrorism within law enforcement in order to stay on top of developments and return the favour with intelligence-gathering.

Albert Galloni is Director of AML and MLRO (EMEA) for a global payments firm

1. The Forensic Examiner: 'Evil Twins: The Crime-Terror Nexus'. Volume 18, Issue 4 Autumn / Winter 2009 pages 16-29


INSIGHT: KYC UTILITIES

In the face of regulatory change, evolving business needs and an increasingly competitive marketplace, banks remain focused on new clients, client retention, cross-selling and enhancing the client experience. A sizeable portion of such efforts has been directed at strengthening client onboarding and know your customer (KYC) control, and exploring different opportunities to reduce the cost of and lead time to on-board prospective clients. Further attention has been placed on performing periodic reviews of existing clients whilst improving controls and the client experience. This has led to a reassessment of the optimal KYC operating model, workflows and the need for differentiated service models for top-tier clients.

Developing a broader KYC operating model to embrace utility offering(s) in the future which support targeted customer segments with KYC requirements, applying analytics to customer risk assessment, and streamlining new client and periodic review processes provide opportunities for differentiation.

KYC utilities: features and functions

Over the past few years, there have been increasing moves to develop industry utilities focused on different market segments, driven by a range of business needs. The landscape of the KYC utilities is still evolving and widespread adoption of the utility services model has not yet materialised in the financial services industry. A variety of technology providers, consultancies and data providers have announced (or have been rumoured to have formed) partnerships of some form in order to create new utilities that can share data between banks. There are currently four main providers who have made announcements to the market (see Figure 1).

KYC utilities typically perform the key services of information collection, management and monitoring, with activities requiring judgment remaining the responsibility of financial institutions (FIs). As the KYC utility solution landscape keeps evolving, a number of key criteria can be applied when evaluating the potential of utilities to meet FIs’ needs.

Key criteria FIs may consider when evaluating membership of a KYC utility include:
1. Line of business coverage
2. Geographic coverage
3. Scope of services
4. Partner banks
5. Signed up clients
6. Live customer bases
7. Delivery model
8. Pricing

Benefits of KYC utility model

There are clear benefits of adopting the KYC utility model to support a broader KYC operating model, as FIs will be able to minimise duplication of effort, reallocate resources to higher value activities, and focus on risk assessment related activities. There are still several services that will need to be performed by the FI. Figure 2 illustrates how KYC utilities can be leveraged to support a KYC operating model.

Key considerations include:

1. Guiding principles
• Will the utility manage group-wide KYC risk and regulatory obligations?
• Will the utility look to centralise core KYC activities into specialist centres of excellence?
• Will the utility provide a consistently good customer experience?

2. Service model
• What services will be provided to differing client segments?
• Will the utility provide a “full service” for selected clients?
• Which KYC services are offered by the utility vs the FI?
• Will the utility provide a “hybrid model” encompassing all clients (i.e. differentiated KYC services based on an anti-money laundering [AML] risk profile)?

3. Client segmentation
• How should clients be segmented and prioritised for inclusion in the utility?
• What criteria will be used to segment clients in scope of the utility (e.g. client type, client value, client industry, client geography, client products)?

4. Operating model options
• How should the utility be designed to provide services to clients?
• Which operating model option will be best suited to support the design of the utility (e.g. hybrid model, single global operation)?

5. Roll out strategy
• How and when are KYC cases transitioned to the utility?

Utilities do not come without challenges that the KYC utility model will need to overcome if it is to be widely adopted in the financial services industry. The KYC area has seen the highest number of utility offerings with at least four key offerings co-existing and competing to capture market share. This has forced many institutions to evaluate which provider(s) they could align with and how the role of utilities will evolve (i.e. will we see multiple providers co-existing or a dominant provider capturing significant market share?).

New models

Patrick Craig and Dimitris Vougiouklis examine the state of the market for KYC utilities


Challenges of KYC utility models

1. Risk management – The use of KYC utilities does not remove any of the risk that lies with the FIs that decide to externalise KYC services to a utility provider.
2. AML / KYC standards – Defining a common definition of AML / KYC standards is difficult due to absence of regulatory guidance.
3. Cybercrime – Sharing client documents and data with an external provider exposes FIs to information security risks which have to be managed.
4. Data management – Access to reference data to enable client data enrichment and increase data quality.
5. KYC operating model – Operating model changes are required across people, process and technology to enable transition to KYC utility model.

The potential use of a utility has to be considered against wider drivers and ongoing activities to strengthen compliance within organisations. Organisations should assess whether moving selected functions to a utility would allow them to focus more on activities that offer the opportunity to better manage customer risk and opportunity, such as the use of analytics.

Importance of analytics

As KYC utility offerings continue to evolve, FIs are faced with heightened regulatory scrutiny and are spending significant effort and cost on large remediation exercises. It is common practice for FIs to risk rate their customers using static customer risk assessment (CRA) models. This is undertaken when first establishing a relationship with the customer and during the relationship when performing ongoing due diligence following trigger events or during periodic review cycles.

Static approach to customer risk assessment

The CRA models consider a number of money laundering factors and weights to derive the overall money laundering risk rating of the customer and often classify them as high, medium and low risk (or variants thereof). Typical money laundering risk assessment factors include:
1. Product(s) / services being accessed by the customer
2. Geographies to which the customer is linked
3. Entity type, the complexity of the customer’s ownership structure
4. Customer industry, or occupation
5. Delivery channel

As a result of the risk rating determined by the CRA model, different levels of due diligence are applied. It also determines the frequency of periodic review, for example on a one year (high risk), three year (medium risk) or five year (low risk) basis.

Large-scale remediation exercises often require support from a significant number of resources for a prolonged period of time, increasing the cost of compliance. Implementing dynamic customer risk assessment can reduce cost of running high volume and prolonged remediation exercises as part of ongoing due diligence cycles. In addition it allows an enhanced risk based approach (RBA) to manage money laundering, through looking at groups of customers depending on their changing overall risk profiles.

How can dynamic customer risk assessment help manage money laundering risk?

The customer risk assessment process segments customers into similar groups based on demographic factors such as age group, occupation, income, net wealth, and residential address, and models the expected peer group behaviour by calculating averages and comparing deviation from standard behaviour by peer group and account usage.

Compliance officers can examine the aggregate risk by peer group and by account usage that enables them to identify high risk customers and remediate them at different points in time determined by the FI (for example immediately, monthly, quarterly etc). Implementing a dynamic customer risk assessment enables better management of money laundering risk in a constantly evolving risk ecosystem.
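The peer-group comparison described above, combined with a static weighted rating, as an added Python illustration that is not taken from the article or its authors. The factor weights, score bands, minimum peer count, deviation threshold, segmentation key and sample customers are assumptions constructed for the example; only the one, three and five year review cycles come from the article.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Periodic review cycle in years per static rating (figures from the article).
REVIEW_YEARS = {"high": 1, "medium": 3, "low": 5}

# Assumed factor weights, score bands and limits: illustrative, not from the article.
WEIGHTS = {"product": 0.25, "geography": 0.30, "entity": 0.20,
           "industry": 0.15, "channel": 0.10}
MIN_PEERS = 3      # other customers needed before a peer group is modelled
THRESHOLD = 3.0    # standard deviations from the peer norm that trigger a review


def static_rating(factors):
    """Static CRA: weighted sum of 1-5 factor scores mapped to a rating."""
    score = sum(WEIGHTS[name] * factors[name] for name in WEIGHTS)
    if score >= 3.5:
        return "high"
    return "medium" if score >= 2.5 else "low"


def peer_deviation(customers, metric="monthly_turnover"):
    """Score each customer's account usage against the rest of its peer group.

    Leave-one-out: the customer being scored is excluded from the peer
    average, so one extreme account cannot hide itself by inflating the
    group's own mean and spread. Returns None where the group is too small.
    """
    groups = defaultdict(list)
    for c in customers:
        groups[(c["occupation"], c["age_band"])].append(c)
    scores = {}
    for members in groups.values():
        for m in members:
            others = [p[metric] for p in members if p is not m]
            if len(others) < MIN_PEERS:
                scores[m["id"]] = None
                continue
            mu, sigma = mean(others), pstdev(others)
            if sigma == 0:
                # Identical peers: any difference at all is a deviation.
                scores[m["id"]] = 0.0 if m[metric] == mu else float("inf")
            else:
                scores[m["id"]] = (m[metric] - mu) / sigma
    return scores


def review_plan(customers, threshold=THRESHOLD):
    """Deviating customers are reviewed now; the rest keep their static cycle."""
    scores = peer_deviation(customers)
    plan = {}
    for c in customers:
        dev = scores[c["id"]]
        if dev is not None and abs(dev) >= threshold:
            plan[c["id"]] = "immediate"
        else:
            rating = static_rating(c["factors"])
            plan[c["id"]] = f"{REVIEW_YEARS[rating]}-year cycle"
    return plan


# Constructed sample data (not real customers).
LOW = {"product": 2, "geography": 1, "entity": 1, "industry": 2, "channel": 2}
HIGH = {"product": 4, "geography": 5, "entity": 4, "industry": 3, "channel": 3}


def cust(cid, occupation, age_band, turnover, factors):
    return {"id": cid, "occupation": occupation, "age_band": age_band,
            "monthly_turnover": turnover, "factors": factors}


CUSTOMERS = (
    [cust(f"C{i}", "teacher", "30-39", t, LOW)
     for i, t in enumerate([2800, 3100, 2950, 3200, 3050, 48000], start=1)]
    + [cust(f"C{i}", "importer", "40-49", t, HIGH)
       for i, t in enumerate([90000, 110000, 95000, 105000], start=7)]
    + [cust("C11", "student", "18-29", 500, LOW)]
)

if __name__ == "__main__":
    for cid, action in review_plan(CUSTOMERS).items():
        print(cid, action)
```

Customer C6 is rated low by the static model and would wait five years for review, yet its turnover is far outside its peer group, so the dynamic step pulls it forward; C11 has no peers to compare against and stays on its static cycle.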

Benefits of dynamic customer risk assessment

1. Provides a statistically validated method to prioritise due diligence reviews on high risk entities as well as across the entire customer population
2. Allows FIs to focus their resources and effort on riskiest entities
3. Allows lower volume of ongoing due diligence reviews for medium and low risk customers whose expected behaviour does not deviate from the norm of their peer groups
4. Integrates a customer’s risk classification into ongoing transaction monitoring to provide a more holistic view of risk
5. Provides continuous re-assessment of risk rating that supports a RBA to AML and Counter Terrorism Financing (CTF)

Challenges of dynamic customer risk assessment

Once an FI decides to apply an analytics route to support CRA, further thought needs to be given on how to overcome current challenges around:
1. Poor and misaligned client data. Investment is needed to maintain a high quality golden source data: A single source of the customer allows the enterprise to “know the customer”
2. Lack of single view of the customer (360° Customer View) that provides insight into all customer relationships, activity, and touch points
3. Out of date segmentation models. Peer group analytics require an up-to-date and validated segmentation model of definable characteristics to subdivide the customer population into segments.

There are five potential areas that FIs should consider as they embark on a KYC transformation journey:
1. Segmentation model: Have in place a documented customer segmentation model
2. KYC utility features and functions: In scope services offered by each of the KYC utilities mapped against defined customer segments
3. High quality golden source data: A single source of the customer data allows the enterprise to truly “know the customer” and build a single customer view
4. Data standards: Define data standards, data points and documentation specifications required to exchange information with one or many KYC utilities
5. KYC target operating model: Design the KYC target operating model including processes, organisational structure, roles and responsibilities and technology standards that will support the successful leverage of new technologies and utility shared service models

Figure 1 (fragment): 07/01/2014, 19/03/2014, 22/05/2014, 29/07/2014. Signed up: Bank of America Merrill Lynch, Citi, Commerzbank, JPMorgan, Société Générale, Standard Chartered, Barclays. Partnering with: BNY Mellon, Barclays, Credit Suisse, Goldman Sachs, JP Morgan, State Street.

Moving forward with KYC transformation

As regulatory pressure continues to drive more activity to combat money laundering, FIs will need to look for advanced technologies and new, shared service operating models to tackle financial crime threats. There is an opportunity for FIs to lead the transformation by re-defining their KYC operating models, reducing their involvement in non-core activities and playing an active role in creating a common set of data standards that allow sharing of KYC information with selected partners. Whilst KYC utilities may provide significant future enhancements, the current state of the market does not provide the necessary breadth and scope to fully replace internal processes.

Patrick Craig is a Financial Services Partner in EY’s Financial Crime solution and assists clients with transformation strategies to combat financial crime. Dimitris Vougiouklis is a Manager in EY’s Financial Crime solution and works with clients to tackle financial crime and enhance KYC controls across the financial services sector.

This article summarises complex issues and is not intended to be a substitute for detailed research or the exercise of professional judgment. Neither the author nor the global Ernst & Young organisation or any of its member firms can accept any responsibility for loss related to any person acting on the information in this article.

SWIFT KYC Registry
Regulatory Themes: AML, KYC, FATCA, Dodd-Frank and EMIR
Line of Business: Correspondent Banks
Geography: Global
Services:
• Document Collection & Management
• ID Verification
• Screening
• Ongoing Monitoring (includes reminders and alerts)

Thomson Reuters Accelus Org ID
Regulatory Themes: AML, FATCA, Dodd-Frank, EMIR and MIFID
Line of Business: Correspondent Banks, Capital markets, Commercial Banking
Geography: Global, 200+ Countries
Services:
• Document Collection & Management
• ID Verification
• Screening (Use of Accelus World Check)
• Ongoing Monitoring (refresh of records that have not incurred “monitoring triggers”)

GENPACT & Markit
Regulatory Themes: AML, KYC, FATCA, Dodd-Frank, EMIR and MIFID
Line of Business: Asset Managers, Hedge Funds, Corporates
Geography: Global
Services:
• Document Collection & Management
• ID Verification
• Screening (screening for sanctions, PEPs adverse media)
• Ongoing Monitoring (annual refresh, self-service documentation update)

DTCC Clarient
Regulatory Themes: KYC/AML, FATCA, Dodd-Frank and EMIR
Line of Business: Broker Dealers, Investment Managers, Hedge Funds and Corporates
Geography: Global, 135k+ entities from 140 Countries
Services:
• Document Collection & Management
• ID Verification
• Screening
• Ongoing Monitoring (refresh process in place, frequency not specified)

Figure 1: KYC Utilities Landscape

Figure 2: KYC High Level Operating Model

Market: 1. Region (EMEA, US, APAC); 2. Customers (Buy Side, Sell Side, Correspondent Banks)
Front Office: 3. Relationship Management; 4. Sales Support; 5. KYC Trigger & Initiation; 6. Document Collection; 7. Document Review
Middle Office: 8. Document Management; 9. Document Verification; 10. Screening; 11. Risk Review & Approval
Back Office: 12. Account Opening; 13. Monitoring & Maintenance
Central Functions: 14. Compliance; 15. Risk Management; 16. Technology
Legend: SWIFT KYC Role; Clarient Entity Hub Role; TR Accelus Org ID Role; Genpact/Markit KYC Role; Utility Role; Financial Institution Role


INSIGHT: ANTI-TBML

Developing and emerging economies lost $6.6tn in illicit financial flows between 2003 and 2012.¹ The vast majority (77.8%) of these were due to trade mis-invoicing. In 2011, Global Financial Integrity (GFI) estimated that $950bn flowed illicitly out of poor countries. Four-fifths of this was from trade-based money laundering (TBML) linked to arms smuggling, drug trafficking, terrorism or public corruption.²

The road to enlightenment

Jee Meng Chen outlines the principles of TFC risk management and profiling TFC perpetrators

Jee Meng is currently heading up the in-country AML function for HSBC in Singapore


The study of trade crimes

Sometime in June 2000 I had my first encounter with TBML. I had an exchange of views with the Head of the Trade Finance Department, a veteran trade finance practitioner, on the observed anomalous trade patterns of a trade commission trader. However, the discussion did not shed any additional insights, and resulted in an outcome that you may be familiar with, namely: “something is wrong somewhere… but I just cannot pinpoint what and where exactly it is”.

In 2009 I was invited to present to a group of Regulators on the topic of “Trade Finance Compliance Issues”. The agenda was to explain the evolving money laundering issues and in particular how Letters of Credit (L/C) could be used as a conduit to facilitate trade crimes. While the audience looked interested, they were seemingly unconvinced. At the end of the presentation a senior official spoke with me in private. His message, in essence, was: “It is much easier to launder monies through casinos. Don’t you agree? I cannot understand why anyone would take the effort to falsify documents. The frontier of money laundering is casinos.”

Last year while I was sharing my analysis of the red flags relating to a client’s trade transactions, the Head of Trade Finance asked a question, which I was not fully prepared for:

Head: “What do you think the client was really intending to do?”
Me: [after a pause] “I suspected it was a U-turn.”
Head: “What is that supposed to mean and why did the client do so?”

Those familiar with international trade financing will appreciate that the discussion as to whether L/Cs will remain relevant or go into extinction has been going on for over a decade. To date the L/C remains an integral part of trade financing. In the same light, more than 14 years had elapsed since my first TBML encounter and, despite the initial scepticism, trade finance crimes (TFC) remained very much alive. The risk management of TFC necessitates the understanding of how trade crimes manifest themselves and how typologies continuously evolve, as criminals react to the industry’s anti-TBML controls.

This article focuses on two themes: the principles of TFC risk management and profiling the traits of TFC perpetrators.

TFC Risk Management

There are three fundamental TFC risk management principles.

a. Risk points: entry and exit – Risks manifest when a transaction / documents enter the bank’s processing system and exit upon settlement or, in some instances, expiry. Footprints are created when risks enter and exit. Simply put, to understand how risks manifest and exit, financial institutions may map the various trade products to the product processing lifecycle. However, a TFC perpetrator who knows that documents leave behind a trail may attempt to structure the transactions to minimise the footprints in each financial institution. Apart from having the right type of management information indicators, a strong knowledge of the ongoing trade crime typologies is essential.

b. Same event, different risks – A criminal typology is not necessarily discrete in nature; it is multi-faceted. Bank and/or compliance practitioners must wear multiple lenses to dissect a particular risk event. To illustrate this point, let us take trade mis-invoicing (under invoicing), as an example. From the export point of view, the financing bank should be cognisant of the possibilities, e.g.:
1. Is there a potential tax evasion issue, if the transaction is not contemplated on an arms-length basis?
2. Is there an attempt to under-declare the applicable customs duties?

On the import leg, the bank handling the documents should be mindful that an under-invoiced cargo represents an intrinsic cross border transfer of wealth. What happens if this modus operandi is simply an attempt to transfer wealth to an organisation linked to criminal and/or terrorist activities? What risks are we talking about where under-invoicing is concerned? Is it TBML, fraud, tax evasion, customs evasion, terrorist financing, etc?

c. Integrated versus compartmentalised – The spectrum of TFCs ranges from well-known typologies to “emerging” typologies, as Box 1 shows. While one may segment TFC into various categories, the fundamental risk management concept does not change. The way that a compliance practitioner is trained (note: assuming he or she is trained) to detect fraudulent trade transactions underpins many of the other requisite core skills needed to identify TFCs. For example, a working knowledge of L/C enables the compliance practitioner to identify potential red flags and enables the right questions to be asked (i) prior to transactional-execution, (ii) along the lifecycle of a transaction and/or, (iii) post transaction settlement / execution.

The effective risk management of TFC requires financial institutions to integrate the following elements to manage customer portfolios and transactional risk:
• CDD / KYC and knowing your customers’ customers.
• trade finance crime risk processes instituted within the trade financing operational framework.
• ongoing trade compliance surveillance.
• evolving TFC typologies integrated into the bank’s TFC risk management and compliance processes.

BOX 1: SPECTRUM OF TRADE FINANCE CRIMES

1. Trade frauds
• Phantom shipment
• Circular transactions
• Bunker fraud
• Fraudulent alteration of the Bill of Lading

2. Smuggling / shipment of counterfeits

3. Terrorist financing via trade

4. Trade sanctions

5. TBML
• Over-invoicing
• Short-shipping
• Under-invoicing
• Over-invoicing
• Double financing/multiple invoicing

6. Tax evasion

7. Proliferation financing
• Deliberate obfuscation of the type of goods

8. Transshipment risks

9. Illicit international flows
• Round tripping


The profile of TFC perpetrators

An understanding of the various types of perpetrators forms the backbone of effective TFC risk management. In Sun Tzu’s “Art of Warfare” knowing the enemy constitutes 50% of the victory equation. As the saying goes: “to catch a criminal, think like one”.

Financial institutions are confronted with three dominant issues. Firstly, generating the appropriate TFC-focused management information reporting indicators and using the same information for trade compliance surveillance remains a considerable challenge. Secondly, no financial institution should ever be over-confident in its customers’ CDD. Thirdly, customers who have, unfortunately, fallen into the world of crime, understand the banks’ processes and the mindset of the relationship managers (RM) and the trade processors and are therefore better able to circumvent the requisite documentary checks.

For the purpose of illustration, customers are segmented into the following behavioural types:

a. The novice – This group of customers is “new” to the trading business and easily lured by “too good to be true” scams. Holding on to fictitious documents, they are convinced that they have secured lucrative deals and cannot comprehend why the financial institutions are not interested. These customers are oblivious to the tell-tale signs of fraud. Generally, financial institutions are quite insulated from such fraudulent schemes, as the mere size of the transaction raises eyebrows. Such novice customers are a source of heightened risk if they are left largely unmanaged and/or the assigned RM has too many customers under his/her care to pay particular attention to their financing needs.

b. Victims of circumstance – When the economy or sub-segments of it undergo a tumultuous downturn, financial institutions should be alerted to possible manifestation of crime. Honest businessmen who are directly hit by their own misjudgement of the supply/demand conditions, and/or suppliers or buyers who had defaulted on their obligations, could be tempted to recover their losses through “quick fixes” (as opposed to winding-up business operations), through the following:
• Engaging in trade frauds (e.g. phantom shipments, kiting of L/Cs, etc) and performing a Houdini act before the scheme is exposed.
• Lending their trade facilities in exchange for commissions on a transactional basis (see more below).
• Being willing accomplices to fraudulent trade practices.
• Losing management control of the company to a white knight (who, of course, is no knight in shining armour) who uses the company for a totally different intent while appearing “legitimate”.

As this group of customers are already clients of the bank, it may be difficult to detect criminal traits in the first instance. Financial institutions should be alerted to the following (non-exhaustive) list of indicators:

1. Change of customers’ trading patterns:
a. Frequency of trade facilities utilisation increases.
b. Types of products traded changes.
c. Change of trading counterparties.
2. The customer concerned appears to be losing control of the business operations (i.e. not cognisant of the new products and/or markets ventured into).
3. Inclusion of new shareholders (where rationale provided by the client is that of corporate re-vitalisation).

c. Trading commission agent – If the customer’s business is set up as a commission agent and the financing bank is aware of this at the outset then this poses less of an issue (provided that the appropriate controls are instituted). But if the customer changes its modus operandi and did not disclose the same, the inherent risks to the financial institutions vary depending on (i) who the actual trade applicants are, (ii) the types of goods shipped, and (iii) the countries involved. There are different issues related to the trading activities of trading commission agents. Fundamentally, it boils down to KYC and know your customer’s customers.

d. The “Professionals” – TFC professionals can be categorised into two groups:
• Ex-professionals, for instance, bankers, trade finance specialists, accountants, logistics specialists who become consultants and lend their expertise to “businessmen” whose intention is to perpetrate trade crimes. The motto of this group of ex-professionals is: “What Is In For Me?” As they know the intricacies of the banking and shipping operations, they are equally adept at concealing their tracks.
• Businessmen who set-up their business operations (regardless of the corporate size) to defraud. The Solo metals fraud was perhaps the classic case and epitomised an integrated fraudulent business empire.

With the latter, there are certain red flags:
1. A fairly infant business (e.g. two to three years in operations) that exhibits phenomenal business growth. The question is: “how did the prospect / client accomplish the growth vis-à-vis its peer groups?”
2. The place of business operation. This factor correlates to the company’s business growth. For example, if the business is thriving, it is likely that the business premise is domiciled in an upscale commercial area to give it a credible outlook. Conversely, if the business is registered in an upscale commercial area but the business turnover appears lack-lustre, the issue is “how does the business sustain its operating expenses?” For example, if a business is operating in high rental commercial district, but the commercial invoice issued, say, in the month of May denotes that it is only the sixth transaction year-to-date, this raises the suspicion of business viability.
3. The absence of proper corporate letterhead on the issued invoices.
4. Vague description on the proforma and/or actual invoices.

The above classification is by no means exhaustive. The essence is: Know Who You Are Dealing With.

The long and winding road…

Albert Einstein once said, “The more I learn, the more I realise how much I don't know.” After some 15 years I am still, to this day, confronted with issues that I do not have answers for. Maybe, one day, enlightenment will come… but until then…

1. http://www.gfintegrity.org/report/2014-global-report-illicit-financial-flows-from-developing-countries-2003-2012/

2. http://www.efinancialnews.com/story/2015-04-20/trade-finance-units-anti-money-laundering; Trade finance units hunt terrorists and crime gangs by Liz Salecka


INSIGHT: CROWDFUNDING

The wisdom of crowds

Deepa Chandrasekhar considers the AML risks associated with crowdfunding

A couple of months ago, a family friend’s daughter asked her father whether she could use his credit card to buy a new jacket from Kickstarter (an internet website). The jacket is no ordinary jacket; marketed towards frequent travellers, it possesses 15 different features ranging from a built-in neck pillow to a microfiber cloth for cleaning glasses. The cost ($149) served as a commitment of purchase; when pooled with another 29,500 interested buyers it would enable/fund the promoters to start commercially producing the jackets. She hastened to add that the credit card would only be debited if the promoters succeeded in raising the minimum amount they had initially solicited on the website ($20,000). Our curiosity piqued, we checked Kickstarter for more details – it transpired that the “Baubax” jacket had successfully raised over $9m (450 times the initial amount required), and is the fourth most funded Kickstarter project of all time!

This is a classic example of crowdfunding, an internet-based means of raising money from the public for a charity, business, project, or startup. It matches investors to businesses, donors to charities, and borrowers to lenders, all through the medium of a website.

Exponential growth

Kickstarter, Crowdcube, Indiegogo, Lets Venture, and Catapooolt are various crowdfunding websites that have gained publicity in the past three years. Kickstarter states that "9.3m people have backed a Kickstarter project; 2.9m people have backed more than one project and 347 thousand people have backed ten or more projects".1 Individuals have invested anything from $1 to $100,000.

Substantial funds can be (and have been) raised through crowdfunding, and this is projected to increase exponentially. The Tabb Group estimates that “the market will hit $17bn in 2015 with more than 1,000 new platforms formed. Some funding will come from angel investors who could invest $50bn in 2015 across all funding opportunities compared to $22.9bn in 2012. A more conservative estimate puts the figure at $28bn.”2

Crowdfunding received a significant boost in 2012 when President Obama signed the Jumpstart our Small Business Startup (JOBS) bill, thereby easing various security regulations and paving the way for US small businesses to raise funds from the public. Committing money via the internet can take less than 10 minutes nowadays, side-stepping the onerous due diligence/disclosure requirements from companies hesitant to raise money through an initial public offering (IPO) or through the secondary markets. Most recently, the Securities and Exchange Commission (SEC) voted to approve equity crowdfunding rules for investors, allowing startups to find investors through brokers or online platforms.3 Although it was American legislation, the JOBS bill had a ripple effect on the worldwide crowdfunding market.

Crowdfunding types

Crowdfunding falls under three categories:

1. Donation or reward/product based – Donors contribute money to the project through the internet portals as discussed above. If it is a donation, the consumer only receives the charity’s goodwill. However, if the model works on a reward basis, consumers receive the good/service they have paid for as a reward for investing. Once funds have been raised for production, goods are shipped to the donor post-manufacture.

2. Lending based – Borrowers raise money with a promise to return it with interest (at a pre-specified rate) after a particular tenure. One example is a British company offering bonds to potential investors. For an initial investment of £500 (and above) the firm offers to pay investors a fixed-rate return of 8% gross interest p.a. for an initial four years. At the end of the four-year period and on every anniversary thereafter, investors have the choice to continue holding the bond for another year (on the same terms) or to give the company a six-month notice period of redemption. The 8% bonds appealed to investors – at the last count, 336 investors had committed to funding £681,500.4

3. Equity based – Investors transfer money to the entrepreneur in lieu of a share/ownership stake in the company or project, and are entitled to dividends at a later date. One British company aims to raise £200,000 to produce vegetables/salad greens in underground spaces in London using LED lights/hydroponics. The company was offering both Class A and B shares. Investors who put in more than £25,000 were entitled to Class A shares with full voting rights, while investors committing amounts under £25,000 received Class B shares with no voting rights/pre-emption. The business exit strategy for investors was anticipated to be over a five-year timeline, including the traditional possibilities of listing on a small capitalisation market, sale of the business to a fresh produce company/private equity firm, or a possible management buyout.

Risks of crowdfunding

While crowdfunding is a boon for potential entrepreneurs and SMEs having difficulty accessing credit from banks, there exists a high risk of money laundering and terrorist financing, stemming from three key areas:

1. Investments made on crowdfunding platforms could be used to disguise the illicit origin of funds – Initial investment into projects can be done through nameless, prepaid credit cards (i.e. those not linked to any bank account and not requiring any identification on purchase). These are available legally/freely in the market. Such cards are activated by registering online (not a problem for money launderers who normally use spurious addresses needing no validation). In the UK, these prepaid cards can easily be topped up using cash at several PayPoint or epay vendors. The cards can also be used to buy goods and services online; one such brand can be loaded one time up to £200, with a limit of £11,250 per year.

The prepaid card represents the “placement” stage of money laundering, while the crowdfunding portal is the “layering” stage. Depending on the business model, projects that are unsuccessful in meeting their fundraising target normally return funds to investors through wire transfers/cheques (the “integration” stage).

Another possible scenario occurs when there is collusion between the project owner and investors, with the former floating a project that was never intended to be completed. The small amount of investment required per customer poses no barrier to money launderers who can line up several individuals to make their initial investments by giving them either the cash funded prepaid cards or paying them in cash and using their genuine credit cards.

2. Collusion between investors and investee companies – While some projects include the entrepreneur’s financial information/background details, the majority of solicitations posted on crowdfunding websites lack transparency. A spurious investor seeking to purchase bulk contraband (e.g. fake branded handbags), could crowd-fund a sham company owned by the distributor of the pirated goods. The investor/buyer could receive the (essentially worthless) handbags and equity. The distributor in turn would receive wire-transferred funds under the guise of a legitimate crowdfunding operation, making it easier to integrate the laundered money into the financial system.

This modus operandi could also work in the donor model of crowdfunding. If over 100 fake investors crowd-fund a false company that supposedly does overseas charity work, money is exchanged for worthless equity in the firm. The crowdfunding portal provides legitimacy for international funds transfer requests from the charity, which routes these through the financial system and integrates them with genuine funds. Of late, numerous charities have been accused or convicted in court of using their revenues to fund terrorism or revolutionary movements, rather than for the humanitarian purposes for which the contributions were ostensibly collected.

1. https://www.kickstarter.com/learn?ref=nav

2. http://www.huffingtonpost.com/david-drake/crowdfunding-grows-up-4-t_b_6398444.html

3. http://www.wired.com/2015/11/you-too-can-now-invest-in-startups-what-could-go-wrong/?utm_source=pocket&utm_medium=email&utm_campaign=pockethits

4. https://www.crowdcube.com/investment/square-pie-19666

5. http://sanfrancisco.cbslocal.com/2015/06/30/questionable-crowdfunding-campaigns-may-be-new-nigerian-prince-scams/

6. https://hex3.tilt.com/aclock-the-first-connected-alarm-clock

7. http://gawker.com/we-are-raising-200-000-to-buy-and-publish-the-rob-ford-508230073

8. Zachary Robock, The Risk of Money Laundering through Crowdfunding: A Funding Portal's Guide to Compliance and Crime Fighting, Michigan Business & Entrepreneurial Law Review.

9. Regulation Crowdfunding, supra Note 2 at 66557 - 58

3. Fraud – While crowdfunding is a popular source of finance for growing companies and genuine charitable causes, there have been instances in which products have not been shipped to buyers in the Reward/Product Model. An investor who paid $100 for two smart watches on the crowdfunding site Tilt.com never received them.⁵ To make matters more complex, he discovered that the company running the campaign – called Hex3⁶ – was simultaneously marketing the offer on two other crowdfunding sites. Close to $300,000 was raised for the company (which vanished without a trace). A website still exists portraying the smartwatch’s features in glowing terms. Any information about the individual behind the project is conspicuously absent.

Another bizarre but well-publicised case in Canada resulted in raising $200,000 for the publication of a video showing Rob Ford (the Mayor of Toronto at the time) allegedly consuming cocaine. The American website Gawker.com openly advertised: "We've seen a video of him smoking crack cocaine, and the people who have the video would like to sell it. Through the miracle of crowdfunding, you can help. Please consider donating to the Rob Ford Crackstarter."7 Gawker successfully raised the funds from chagrined members of the public who donated funds to oust the Mayor. Unfortunately for the website, however, the seller broke off contact. The money raised from the public was finally split evenly between four Canadian charities to help curb drug addictions/crime. Ford was forced to step down once the video was recovered by the Toronto police. He then entered a drug rehabilitation programme. However, the case raised several ethical/criminal/regulatory issues, including whether it was acceptable to raise capital through crowdfunding to fund the activities of a criminal syndicate.

Mitigants to money laundering from crowdfunding

1. Threshold Limits – As crowdfunding is still a nascent industry, regulation has been lax or non-existent in several jurisdictions. The USA has been successful in imposing some checks. For example, if an investor has an annual income/net worth under $100,000, then they can only invest in securities worth up to $2,000 or 5% of their annual income/net worth (whichever is greater). Similarly, an investor with an annual income/net worth of over $100,000 can buy securities worth 10% of their annual income/net worth with an overall annual cap of $100,000. The limit is cumulative across all crowdfunding investments made by the issuer.8

2. Requirements for Issuers – The JOBS Act also requires issuers to disclose basic information on the company – location, ownership/capital structure, identities of its officers, directors and shareholders who own 20% or more of the issuer. Details on the target offering amount, a brief description of its business plan and the proposed use of funds must also be submitted. Depending on the size of crowdfunding, audited or reviewed financials must be disclosed. Another important requirement is that the issuer must be a domestic company, domiciled and incorporated in the USA. This does not, however, prevent an issuer from incorporating a local firm, receiving funds and immediately remitting the funds overseas. While this does not eliminate the risk of money laundering, it does empower law enforcers to investigate potential frauds and establish the jurisdiction of a lawsuit in the event there is a need to do so.

3. Requirements for intermediaries – In a bid to alleviate fraud/money laundering concerns, funding portals are prohibited from “offering investment advice or recommendations”. Nor are the portals permitted to “hold, manage, possess or otherwise handle investor funds or securities”. It is hence mandatory for the website to use the services of a bank/another money service provider, or credit card companies. While primary contact between the investor and the issuer is through the crowdfunding website, the actual exchange of funds for stock has to be conducted by a financial institution.9

The JOBS Act also requires funding portals to obtain a “background and securities enforcement check” on the issuer, directors, officers, and 20% or more of its shareholders. The SEC's regulations provide that the portals should comply with local anti-money laundering requirements.

Early days

Despite the challenges, crowdfunding carries significant promise for issuers, providing feasible funding opportunities that would have otherwise been unattainable, structured post-sales feedback processes from consumers, and the chance to transform an idea into reality. For consumers it is the chance to be an early adopter of what could be the “next big-thing”, or to buy a new/revolutionary product with key functional benefits. It must be noted that crowdfunding is a nascent industry that has developed due to the advent of technology/globalisation in the 21st century; the full set of checks and balances has not been developed yet.

Despite the exponential growth of crowdfunding in the past decade, there is no guarantee that it will become a fully-fledged developed industry any time soon. One only has to take a look at the banking industry as an example – a mature, prosperous, and highly-regulated sector over five hundred years old yet still coming to grips with various compliance/AML/KYC issues worldwide.

While certain regulatory measures in crowdfunding are being developed in the USA, they are practically nonexistent in several developing countries. As fraud and money laundering cases gain prominence, there will be moves to step up due diligence measures undertaken by the crowdfunding website portals and the financial institutions which are the repository of funds. Time will tell the nature and extremity of these challenges… and also whether our friends’ daughter receives her jacket.

Deepa Chandrasekhar is a senior banker based in the Kingdom of Bahrain. Social media research for this article was conducted by Vishakh Chandrasekhar, a post-graduate student at Durham University, United Kingdom. The views expressed in this article are theirs alone, and do not reflect those of their respective organisations.


INSIGHT: E-COMMERCE

A risk-e business

Nikolay Bocharov reviews e-commerce risks

The ability to make an order in an online store and pay by debit card is something we take for granted. However, it is a complex process involving banks, processing centres and payment gateways. This article considers the risks faced by every participant in this process, including financial, regulatory, legal and reputational risks (see Figure 1). These are considered mainly in relation to payment by debit cards, which carry much greater risks compared with other payment methods and account for the majority of transactions (on average 90% in my opinion) in e-commerce.

Financial risks

Financial risk stems from both the merchant and from carders. No member of the International Payment System (IPS) – whether the issuer, acquirer or merchant – is immune to fraudulent acts by online stores or carders. Debit card transactions can be challenged for virtually any reason. The IPS rules have a section dedicated to complaints handling, which describes different codes of appeal suitable for almost any situation, from non-delivery to fraudulent transactions. The result will depend on a reasonable analysis of the situation by the acquirer and completeness of the documents provided by the merchant.

Regulatory risks

Regulatory risk includes all risks associated with possible consequences of the actions of local and foreign market regulators.

Local regulators include the Central Bank, the police, various financial control services and so on. The effect of local regulators will differ for different categories of IPS member. For example, an acquiring bank will be subject to one set of regulators; while a payment gateway will be subject to another, depending upon whether it is related to the financial settlement with the merchant or only provides information and maintenance.

The processes and rules regarding the use of debit card payments are detailed in the IPS rules (VISA and MasterCard). Any deviation from the rules may result in financial loss and, in some cases, exclusion of IPS membership and prohibition from active participation in card business.

Legal risks

Legal risks refer to the risks associated with litigation. Many IPS members mistakenly assume that IPS rules override all others. For example, there is a perception that if a bank refuses to reimburse funds for disputed transactions this decision is final and cannot be challenged. However, this is not the case. The cardholder has an agreement with the bank, which is regulated by local laws, and the rules of IPS are not important for him. Similarly, IPS rules are often regarded by online stores as being of secondary importance as their business activities are based upon the acquiring contract. Courts also accord little significance to the rules of IPS, and will appeal instead to existing contracts and current legislation.

[Figure 1: Types of risk. Diagram labels: Online stores; Card Holders; International Payment System; Local and foreign Regulators; Financial (Economic); Regulatory; RISK]

Reputational risks

Reputational risks incorporate the negative outcomes of all other types of risks. Banks’ losses from fraudulent card transactions will often be several times lower than, for example, losses from non-repayment of loans by borrowers. However, fraudulent transactions damage the reputation of banks and reduce overall customer confidence in the debit card as a convenient and safe financial instrument. That is why both members of the payment process and payment systems pay great attention to anti-fraud issues. It should also be noted that different risks are often interrelated; for example, regulatory risk often includes financial aspects.

Ways to minimise risk

1. Monitoring the transactions of participants in the payment process is essential in the fight against fraud perpetrated by both individual carders and light-fingered merchants. The former category (except for organised groups) may involve only a few operations, while the latter may involve hundreds or even thousands of fraudulent transactions. This may result not only in huge financial losses but in the possibility of exceeding the fraud thresholds set by IPS, such as Merchant Fraud Performance Program (MFPP) or Global Merchant Audit Program (GMAP). This in turn, depending on the level of excess, can lead to fines and even suspension of IPS membership for the merchant or the bank.

Typically, such an upsurge in fraud occurs at night or during the holidays, so continuous online transaction monitoring is essential. The duty operator must detect suspicious activity in time and act proactively to block questionable transactions. Most often, the cost of additional staff and software pays for itself many times over by reducing the losses caused by this type of fraud.

2. Creating antifraud systems and their constant optimisation – It is essential to have a good antifraud system at the heart of the monitoring process. Different systems offer different options for analysis, for example “reject the operation”, “skip it” or “skip and send for subsequent monitoring”.

If you use the option of not sending the financial clearing file of suspicious transaction to the issuing bank, or cancel the transaction, the fraudsters will be quickly frustrated by your system and will seek other victims, since even if the operation was successful, it would be cancelled later. This option is not available for all merchants, however it is quite applicable in such activities as the purchase of air and train tickets, tours, forex and many others.

The “automatic blocking” function is also worth mentioning. This allows you to act preventively at the beginning of fraudulent activity so that, for example, where the monitor notices suspicious transactions all parameters are blocked: PAN, e-mail address, device ID, and others. The carder may change PAN, for example, but the e-mail address remains the same, so the system will automatically block all parameters of the transaction associated with the previously blocked parameter. However, when using this function care must be taken not to cancel normal transactions inadvertently. The ratio of successful transactions to rejected ones is a very important factor to be considered when setting up an antifraud system.

3. Backing-up certain critical limits that work independently – Aircraft systems are known to be duplicated. The same should be done with the most critical settings of the antifraud system, as technical failures are not uncommon. The limits and restrictions to be duplicated should be defined by the owner according to their needs, but should mostly concern: the number of transactions performed on one card; the transaction amount both for each individual transaction and in total; day and night time limits; and individual limits on high-risk merchants or for entire groups of merchants.

4. Building relationships with merchants in a proper way, and providing them consultancy services or other support – This is a very important issue in cases when the operation is subsequently chargebacked by the cardholder. This may arise in many situations, including upon non-delivery of goods or the provision of a poor-quality service, improper magazine subscription, or an attempt to exchange previously purchased plane tickets. It is no secret that if the transaction cannot be chargebacked by fraudulent code, some banks use a trick and try to chargeback the transaction by using other codes, such as: RC 30 - Service not provided or merchandise not received, RC 53 - Not as described, etc. It is therefore necessary to build a sound defence, so that the merchant can always provide certain evidence of the provision of services or delivery, in a word to demonstrate that the debit was legal and in line with IPS rules. To do this, it is necessary to build a good relationship with the merchant and give him full support.

5. Checking merchants periodically when connected in order to comply with all legal requirements as well as the rules of IPS – As mentioned earlier, a merchant is a source of very considerable risk. When connecting merchants the following parameters are tested: the website, its age and attendance, the presence of advertising and feedback, the existence of groups in social networks, the positions of the site in search engines by key phrases, all kinds of website ranking, the level of trust, the compliance of website content with the IPS rules applied to merchants, the presence of return policy and delivery, clear offer, contact details of support, information on the legal entity, and much more. The legal entity and the appointment of its directors and beneficial owners are checked. Whether the directors are nominal is also relevant from an Anti Money Laundering (AML) perspective. Much attention is paid to the country in which the legal entity is registered, and whether the activities of a merchant are prohibited, restricted or requiring licensing. The list could go on, since merchant verification is a complex multi-level process.

6. Analysing undetected fraudulent transactions, and recording fraudulent transactions and appealed transactions on a permanent basis – In fact, this is a correction of mistakes. Those who do not learn from their mistakes will suffer from them again in the future.

7. Compliance with the IPS rules – According to the IPS rules, the procedure of “compliance” allows an issuing bank with no rights for chargeback to challenge the transaction, invoking non-compliance with the IPS rules by other members which resulted in his losses. Accordingly, by observing IPS rules you will secure yourself not only against various fines (up to US$200,000 and higher, for example, under the BRAM programme) but also against the challenging of transactions due to non-compliance.
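The following is an added example, not code from the article or from any payment system's own tooling. It shows the “automatic blocking” of linked parameters from point 2 together with the independently working backup limits from point 3; the class names, limit values, rule and sample transactions are all assumptions constructed for illustration.

```python
import hashlib
import hmac
from collections import Counter, defaultdict
from dataclasses import dataclass

TOKEN_KEY = b"example-only-key"  # constructed; a real key belongs in a secrets store

def pan_token(pan: str) -> str:
    """Keyed hash so the blocklist and counters never hold a raw card number."""
    return hmac.new(TOKEN_KEY, pan.encode(), hashlib.sha256).hexdigest()[:16]

@dataclass(frozen=True)
class Txn:
    pan: str
    email: str
    device_id: str
    amount: float
    hour: int  # local hour of day, 0-23

    def params(self) -> set:
        return {("pan", pan_token(self.pan)),
                ("email", self.email.strip().lower()),
                ("device", self.device_id)}

class BackupLimits:
    """Hard limits held apart from the main rules, so they apply even if those fail."""

    def __init__(self, max_count=3, max_amount=500.0, max_total=1000.0,
                 night_amount=200.0, night_hours=range(0, 6)):
        self.max_count, self.max_amount, self.max_total = max_count, max_amount, max_total
        self.night_amount, self.night_hours = night_amount, night_hours
        self.count, self.total = Counter(), defaultdict(float)

    def check(self, txn: Txn):
        card = pan_token(txn.pan)
        checks = [(txn.amount > self.max_amount, "amount_limit"),
                  (txn.hour in self.night_hours and txn.amount > self.night_amount, "night_limit"),
                  (self.count[card] + 1 > self.max_count, "count_limit"),
                  (self.total[card] + txn.amount > self.max_total, "total_limit")]
        return next((name for failed, name in checks if failed), None)

    def record(self, txn: Txn) -> None:
        card = pan_token(txn.pan)
        self.count[card] += 1
        self.total[card] += txn.amount

class AntifraudEngine:
    def __init__(self, rules, limits: BackupLimits):
        self.rules, self.limits = rules, limits
        self.blocked = set()   # (kind, value) pairs seen on flagged transactions
        self.stats = Counter()

    def decide(self, txn: Txn) -> str:
        params = txn.params()
        limit_reason = self.limits.check(txn)  # always evaluated, independent of the rules
        hit = params & self.blocked
        reason = None
        if hit:
            reason = "linked_to_blocked_" + sorted(hit)[0][0]
        else:
            try:
                if self.rules(txn):
                    reason = "rule"
            except Exception:
                pass  # main rules failed; the backup limits still decide
        if reason:
            self.blocked |= params  # auto-block every parameter of this transaction
        reason = reason or limit_reason
        if reason:
            self.stats["rejected"] += 1
            return "reject:" + reason
        self.limits.record(txn)
        self.stats["approved"] += 1
        return "approve"

    def reject_ratio(self) -> float:
        """Share of rejected transactions; watch it to catch over-blocking."""
        total = self.stats["approved"] + self.stats["rejected"]
        return self.stats["rejected"] / total if total else 0.0

def run_demo():
    # Constructed transactions; the PANs are test-style numbers, not real cards.
    engine = AntifraudEngine(lambda t: t.amount >= 800, BackupLimits())
    txns = [
        Txn("4111111111111111", "carder@example.test", "dev-1", 900.0, 3),
        Txn("5500000000000004", "Carder@example.test", "dev-2", 50.0, 3),  # new PAN, same e-mail
        Txn("5500000000000004", "other@example.test", "dev-3", 20.0, 4),   # new e-mail, linked PAN
        Txn("4000000000000002", "alice@example.test", "dev-9", 40.0, 14),  # unrelated customer
    ]
    decisions = [engine.decide(t) for t in txns]

    def broken_rules(_txn):
        raise RuntimeError("rule service unavailable")

    failover = AntifraudEngine(broken_rules, BackupLimits())
    decisions.append(failover.decide(Txn("4000000000000002", "bob@example.test", "dev-5", 700.0, 12)))
    return decisions, engine.reject_ratio()
```

The third transaction is rejected although its e-mail address and device are new, because its PAN was pulled into the blocklist by the second one; that same propagation is what can catch normal customers, which is why the reject ratio is tracked.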

Nikolay Bocharov is Head of Risk Control and Anti-fraud at RBK Money


INSIGHT: ATTESTATIONS

DON’T RUSH IN…

With the FCA’s supervisory toolkit focusing squarely on the individual Jacqui Hatfield and Melanie Shone explain how to protect your workforce in the face of an attestation

Since attestations came into prominence in late 2012, they have become an essential part of the UK Financial Conduct Authority’s (FCA) supervisory toolkit and a reflection that the regulatory spotlight is shining brighter than ever before on individuals. Their aim is to ensure accountability from senior management in all regulated firms and they commonly require an approved individual to take responsibility for confirming that the company has the appropriate governance arrangements or systems and controls in place. This development is particularly pertinent for members of the International Compliance Association, as it involves those working in governance, compliance, risk and financial crime prevention roles.

Attestations are often used in conjunction with other FCA supervisory powers, but at their core they are a means by which the FCA can gain personal commitment from an approved person that specific action has been (or will be) taken, often without requiring ongoing regulatory involvement. The FCA's aim is to ensure that there is clear accountability and senior management focus towards making any necessary changes.

Who should sign on the dotted line?

The person signing the attestation should be the most relevant significant influence function holder (for example, the individual who is responsible for the area of the firm in which the issue has arisen or who is responsible for addressing the issue). However, while attestations were originally intended for the most senior management, we are increasingly seeing them directed towards compliance officers for whom it may not be appropriate to take on the personal liability attestations bring without at least the CEO or a Board member attesting alongside them.

Ultimately, the question of appropriateness of the individual is for the regulator to decide, in (we would hope) dialogue with the firm, the individual(s) concerned, and their respective advisers. The most appropriate person(s) to make an attestation will very much depend on the situation of the firm, the objectives of the attestation, and the particular factual circumstances surrounding the FCA’s request. There are no “right” or “wrong” individuals. However, we would generally expect most attestations that undertake to take future actions to be made by the most senior individual(s) in the firm who has/have both the necessary authority and responsibility to initiate the changes required.

Dealing with a false or breached attestation

Attestations are an enforcement tool and it is important to remember that, in seeking an attestation, the FCA is trying to ensure both personal accountability and senior management focus for implementing any future action required by the regulator. The FCA’s stance on enforcement action more generally is clear: it intends to pursue more cases against individuals and hold members of senior management accountable for their actions.

This, of course, echoes the forthcoming introduction of the Senior Managers Regime and Senior Insurance Managers Regime, and extension of the Senior Managers and Certification Regime across the regulated financial services sector.

Ultimately those providing an attestation, and also potentially the firm itself, remain exposed to the full suite of enforcement measures open to the FCA to take for regulatory breaches (this may include, for example, public censure, financial penalties or suspension/withdrawal of permissions).

There are several key issues to consider if the attestation, having been made, turns out to have been untrue or any of its terms not complied with.

Understanding the risk of enforcement action

Firstly, the firm and individual should consider the potential for any action to be taken under the terms of the attestation itself. At a very high level, a failure to act with integrity could result in enforcement action against an individual for breach of Statement 1 of the Statement of Principles for Approved Persons. In addition, approved persons are required to act with due care, skill and diligence in performing their accountable functions and managing the business for which they are responsible (including taking reasonable steps to adequately inform the attester about the affairs of the business). If the individual made the attestation as to a statement of affairs without exercising such care and reasonableness, there could be a question over their compliance with Statement 2 and Statement 6 (amongst others) of the Statement of Principles for Approved Persons.

The Supervision (SUP) Manual of the FCA Handbook requires that a firm must take reasonable steps to ensure that all information it gives to the appropriate regulator is factually accurate or, in the case of estimates and judgments, fairly and properly based after appropriate enquiries have been made by the firm.

An attestation given as to a particular state of affairs or future action, combined with a failure to have (i) taken reasonable steps or (ii) carried out appropriate enquiries as to that state of affairs, could leave both the attester and firm exposed to enforcement action.

Notifying the regulator

Secondly, the firm and its approved persons have an obligation to deal openly and cooperatively with the FCA (Principle 4 of the Principles of Business and Principle 11 of the Statement of Principles for Approved Persons). Firms are also subject to rules that require them to notify the regulator in the event that (i) any information they have provided to it is or may have been false, misleading or inaccurate, or (ii) information has (or may have) changed in a material particular. Consequently, there is also a related question of whether the individual/firm should notify the regulator that the attestation turned out to be (or may be) false, misleading or inaccurate.

This is a highly sensitive area on which we would suggest that firms seek specialist advice at the earliest opportunity.

Action for underlying regulatory breaches

There will undoubtedly be an underlying question of regulatory compliance that motivates the FCA towards requesting an attestation to be given. For example, consider that an attestation was given to the effect that the firm has adequate systems and controls in place in relation to a specific area of concern to the FCA, and that it then materialises that the firm’s systems and controls were in fact inadequate. Subsequent enforcement action by the FCA could be both in respect of the false attestation and also for any underlying systems and controls breaches themselves.

Key takeaways

In summary, it is of crucial importance for those individuals working in the fields of risk, compliance, governance, and financial crime prevention receiving a request for an attestation to remain cautious, not rush into providing an attestation to the FCA, and to carefully consider all the relevant facts and circumstances of the situation.

The scope, content and timing of the proposed attestation should be given careful consideration, alongside the objectives the FCA is thereby attempting to achieve. Independent legal advice can help individuals to evaluate and consider the potential consequences and personal risks, and to help them (and the firm) to put together a tailored strategy in order to mitigate these.

The FCA has publicly stated that attestations should be clear and realistic: i.e. specific, achievable and have realistic (but demanding) timelines. Depending on the circumstances, it may also be necessary to engage in constructive dialogue and negotiation with the FCA on the proposed terms of the attestation.

Jacqui Hatfield is a Partner and Melanie Shone a Trainee at Reed Smith

“While attestations were originally intended for the most senior management, we are increasingly seeing them directed towards compliance officers”


INSIGHT: CYBER SECURITY

Cyber security programmes are struggling, and in many cases failing, to keep up with new system threats. The lifecycle for an average piece of technology is about three to five years and cyber security programmes are repeatedly becoming out-of-date as new techniques and technologies are constantly introduced.

In a field that is just a few decades old, where technology turns over every few years, it is not a simple case of identifying best practice for firms. However, if unacceptable downtime due to malware, failed audits, and data leakage aren't clear enough indicators, here are some revealing clues that suggest your security programme isn’t up to scratch.

Patching is a painful one-off exercise rather than a routine process

For some firms, dealing with huge security flaws like Heartbleed, Shellshock, and Poodle meant that IT had to drop everything else to get things resolved quickly. In a healthy organisation, patching should become a routine process and IT should have a strong grasp on what needs to be patched. This is where a clear, robust change control policy must come into place.

You don’t know where all your key assets are located

Good security means keeping your eye on the ball, and in this case the ball is your critical assets. An up-to-date inventory should be available at any given time and a good inventory system should also outline what software and data are on each system. This should be supplemented with a clear information classification regime, as well as an asset management programme. Inventories should extend beyond the PC and include removable media, mobile devices and cloud deployments.

Risk analysis is just a gap analysis against best practices or audit requirements

Asset awareness is a foundational component of risk management, but it is not sufficient in isolation. Risk analysis is a lot more than just reviewing a checklist of controls and it should be as collaborative, dynamic and realistic as possible. An indicator of a risk analysis deficiency is when business initiatives are being blocked unilaterally because "they aren't safe" without rational and quantifiable justifications.

Risk analysis should be the basis for an organisation’s security policies, and numerous good risk analysis methodologies are available, including FAIR and NIST Special Publication 800-30. When performing a risk analysis, firms should remember to document all assumptions, look for dependencies, and keep in mind that there is no such thing as a closed system.

Security policies are inches thick and no one ever reads them

The goal of a security policy is that anyone in the company can read it and easily understand, at a high level, the firm’s objectives around how it manages risk and what they are expected to do. Technical detail and procedures are not policy; they are process documentation and should be left out of the main policy document, to ensure the actual implementation does not become overly complicated. Ideally, security policies should only change when risk or risk tolerances change within organisations. Policy objectives should be tied into solving business problems and match organisational activity. Technical jargon belongs in IT and Security Operations.

The IT Department manages technology and the Security Department adds security as an afterthought

Security is not an add-on and should be incorporated into the actual technology based on clear guidance from the security policy. The primary job of IT is supporting business units, which means meeting user demands, fire-fighting major problems, and implementing projects. Security may be one of many priorities, but it should be the most important one. IT teams need to understand the importance of a solid security policy and not just address it on a case-by-case basis. There needs to be a security team in place that not only manages security issues, but guides the actual IT Operations. Ideally, these should be two distinct groups with different management structures.

Over-focus on operational controls and under-focus on day-to-day security work

Security personnel can often get distracted by tinkering with firewalls, anti-virus solutions, password settings, and vulnerability scanners. The reality is that security demands difficult, tedious and repetitive tasks like inventory, incident response, risk monitoring, and threat analysis. It also requires building well-considered security architecture, proper systems analysis, and solving and resolving on-going business needs. If security spends all day focused on spam filters, they'll have no time for risk analysis and end up behind the curve.

Practices that were once considered normal for cyber security now have little value in a modern enterprise. Obsolete practices are likely to result in a security programme that is in fire-fighting mode and addresses fixes in an ad-hoc manner. Whether it’s the pre-audit panic, analysis paralysis or rushing from one incident to the next, this is a fast ticket to burnout and missing something vital that could lead to a breach.

Read the signs

Ray Pompon highlights the warning signs that demonstrate a cyber security programme is obsolete

Ray Pompon is Director of Security for Linedata


INSIGHT: MIFID II

One of the central requirements of the MiFID II proposals for asset management firms is the recording of all telephone-based conversations that may lead to the execution of orders. Despite the cost burden and disruption arguments against conversation recording, the industry cannot hide from the MiFID II changes and many firms will need to scope, implement and test recording solutions before the January 2017 deadline.

Conversation recording has been dubbed by many as a core solution to previous conduct failings. However, firms should not only consider how audio recording can meet the requirements of MiFID II, but also how they can create a competitive advantage by utilising technology that demonstrates a commitment to transparency and always acting in the best interests of their clients.

Remedying inaccurate manual methods

Current manual methods of recording telephone, electronic and face-to-face communications relating to the execution of orders, such as meeting notes and client on-boarding documentation, have been found to be less than accurate. Using high-quality audio recording systems can help to remove any traces of doubt around what was said and agreed to during an interaction. These recordings can subsequently be used to provide compliant evidence, identify instances of market abuse, and aid in the resolution of complaints. Some solutions can also provide this evidence in a fraction of the time it has previously taken to manually identify and collate this information.

Firms may choose to make these recordings available to their clients in the event of a query. Those firms acting early in the implementation of these arrangements may also find themselves benefitting from a competitive advantage. Clients are likely to prefer a firm that is committed to providing evidence that they are consistently acting in the client’s best interests.

This technology can also potentially create improvements and efficiencies in areas that do not require such recording technology, but which may benefit from its use. Examples of this could be the recording of Board and Committee meetings and undertaking initial or ongoing due diligence of third party providers and outsourced arrangements.

Improving transparency for greater assurance

A key benefit of recording all client interactions is that it increases transparency by providing clients with assurance that the firms they are dealing with are committed to improving the client experience and providing clients with outcomes that meet their needs and circumstances.

MiFID II introduces a number of measures to improve transparency levels across the trading environment. These measures centre on clear and appropriate information disclosure, with certain provisions around post-trade transparency requiring near real-time disclosure. Call recording can provide the level of accuracy required by these new measures, providing the system is suitably robust and is backed up by technology that can process and publish the large quantities of data required to remain compliant.

Augmenting governance over the product lifecycle

Another requirement of MiFID II is for product manufacturers to assume “oversight obligations” throughout the life of the product, in turn obligating them to ensure that the product is only being sold to suitable investors and that those investors are kept informed of any “material” changes. Recording conversations around these obligations can help firms to streamline the process of evidencing compliance in this area and to build strong communication channels between product manufacturers, asset managers, third party outsourced arrangements and their end clients.

The introduction of new, complex legislation such as MiFID II presents not only a challenge but an opportunity for firms to review their systems and processes to identify areas where conversation recording technology could be harnessed. In addition to compliance with new regulations, benefits can also include creating efficiencies within firms’ existing processes and improving the level of service provided to clients.

Chris Martin is a Senior Regulatory Consultant at The Consulting Consortium (TCC) and RecordSure

For the record…

Chris Martin outlines the potential for harnessing the power of conversation recording for wider MiFID II compliance


THE V ANNUAL ICA CONFERENCE
Compliance: Optimization and Effectiveness

18TH FEBRUARY 2016
SWISSÔTEL KRASNYE HOLMY, ZURICH CONFERENCE HALL
Kosmodamianskaya nab., 52 bld. 6, 115054 Moscow, Russia

HIGHLIGHTS

• Requirements to compliance systems in foreign practice and the impact of their fulfilment on liability for violations. The approach of different regulators in single jurisdiction

• A new ISO member in the Compliance family – introducing the ISO 37001: Anti-Bribery Management System Standard. International standardization of assessment systems

• Impact on organizations of the national AML/CFT risk assessment focused on the industry, operations, or regulatory nuances

• What techniques and methods are effective in development of internal corporate values and internal and external communications

SPEAKERS

• Ekaterina Pustovalova, Regional Director, Russia and CIS, Fellow ICA; CEO, ICS

• Viri Chauhan, Global Head of GRC, ICT, training arm for ICA

• Andrey Tsyganov, Deputy Head of the Federal Antimonopoly Service of the Russian Federation (FAS Russia)

• Oleg Zenkov, Advisor to the Deputy Minister of Economic Development of the Russian Federation — head of the Federal Agency for State Property Management

• Elena A. Panfilova, Vice-Chair, Transparency International; Chair of the Management Board, Transparency International – Russia

For more information and to register, send a request to [email protected]

In association with: International Compliance Services


Head Office
Wrens Court | 52-54 Victoria Road | Sutton Coldfield | Birmingham | B72 1SX | UNITED KINGDOM
Tel: +44 (0) 121 362 7747 Fax: +44 (0) 121 240 3002
Email: [email protected] www.int-comp.org