issue 48 incompliance · huge insight on aspects of the business model, potentially down to...

ISSUE 48 · YOUR MAGAZINE FROM THE INTERNATIONAL COMPLIANCE ASSOCIATION · inCOMPLIANCE®

Facing up to fraud · Look ahead · Compliance transformation · Enabling agility

£4.95 where sold separately


Post on 22-Jul-2020




NEW: The ICA Playlist

Keep current, keep interested and hit your CPD target

Curated by our experts, our new monthly playlist will provide a selection of videos, podcasts and reports from across the ICA continuous learning universe on topics relevant to you, your role and the issues of today.

Each playlist will total a minimum of 3 hours CPD.

Find out more: https://compassoc.org/ICA-Playlist


Editorial Board

Kathryn Cearns, Independent Consultant, [email protected]

Jee Meng Chen, Commerzbank, [email protected]

Jacob Ghanty, Kemp Little LLP, [email protected]

Tim Porter, Director, TPA (Consulting) Ltd, [email protected]

Tom Salmond, Ernst & Young LLP, [email protected]

David Symes, Compliance Recruitment, [email protected]

Rachel Waldren, Murray Waldren Consulting, [email protected]

inCOMPLIANCE® Issue 48

Publisher:

International Compliance Association

Editor: James [email protected]

Design: Design & Document [email protected]

Production: Claudia [email protected]

Advertising Queries: Sarah Walsh, +44 (0) 121 362 7659 (3133), [email protected]

Executive President, International Compliance Association: Bill [email protected]

ICA Events Enquiries: Jo [email protected]

ICA Membership Enquiries: Tom [email protected]

ICA Qualification Enquiries: Debbie [email protected]

Article Enquiries [email protected]

International Compliance Association CPD - 2 hours

Advice to Readers

inCOMPLIANCE® is published six times a year by the International Compliance Association. Reproduction, copying, extraction, or redistribution by any means of the whole or part of this publication must not be undertaken without the written permission of the publishers.

inCOMPLIANCE® is distributed as a free member benefit to all members of the International Compliance Association.

Articles are published in good faith without responsibility on the part of the publishers or authors for loss occasioned to any person acting or refraining from action as a result of any views expressed therein. Opinions expressed in this publication should not be regarded as the official view of the ICA or as the personal views of the Editorial Board members of inCOMPLIANCE®.

All rights reserved in respect of all articles, drawings, photographs etc published in inCOMPLIANCE® anywhere in the world. Reproduction or imitations of these are expressly forbidden without permission of the publishers.

Printed in England

Around this time ten years ago I was preparing to publish the first issue of inCOMPLIANCE. In the US, Dodd-Frank had just been enacted. In the UK, George Osborne had just announced plans to break up the Financial Services Authority.

Looking back, it is striking how much has happened in the intervening years. But while compliance practitioners have witnessed a decade of change, it is also striking how, fundamentally, much remains the same. As ICA President, Bill Howarth, wrote in that first edition: “The first issue of ICA’s new journal is a defining moment … it marks the culmination of many years’ hard work in nurturing and developing a community of compliance, AML and financial crime prevention professionals … ICA is passionate about driving standards of professionalism forwards and believes in ongoing development”.

That same passion and drive underpins ICA’s latest initiative – The BIG Compliance Festival – which aims to maintain discussion, dialogue and community in the face of the current challenging conditions (p.8). COVID-19 will have an indelible impact on our futures, but while our attention is firmly focused on finding the best way forward, an occasional glance back may help to remind us of what we value and should seek to retain.

What we value

James Thomas, Editor


Contents: regular features and in this issue

Editor’s comment: While our attention is firmly focused on finding the best way through the COVID crisis, an occasional glance back may help to remind us of what we value and should seek to retain, writes James Thomas

ICA news: A roundup of the latest news and events from the ICA

News Insight: James Thomas and David Robson report on the opening days of ICA’s BIG Compliance Festival

Enabling agility: Richard Mais considers how effective operational risk management can enable enterprise agility and support innovation in a rapidly-changing environment

Spotlight on emerging risks: COVID-19 is driving changes to customer behaviour, organised fraud attempts and supply chain risk. Ted Rugman and Tom Wallbank look at recent developments in the market and how firms are responding

Facing up to fraud: Anuradha Shaw discusses the need for a coordinated effort between public and private partners in response to new risks post-COVID-19

Look ahead: Gunjan Sinha considers the importance of GRC in the age of COVID-19

Ensuring trust in crypto: Blair Halliday and James Thomas discuss the importance of regulation and compliance within the crypto sector

Compliance transformation: Dee McManus considers the influence of transforming work structures on regulatory expectations and compliance programmes

The state of the art: Maria Shalimova and Anastasia Kondrashova offer a practitioner’s perspective on the challenges of transaction monitoring


Surviving and thriving: Amii Barnard-Bahn considers the challenges of leadership in a time of unpredictable change

Make 10 minutes count: Anuradha Shaw offers advice on how to communicate in the Boardroom

When the whistle blows: Julie Goodway reminds firms of the importance of having an effective whistleblowing policy

At the gate: Noel Bartolo considers some examples of efforts that individuals can make to disguise bribery

Have you thought about writing an article for inCOMPLIANCE®?

Writing an article is a great opportunity to raise your profile within ICA and present a topic of relevance to your fellow members. Writing an article on anti-money laundering, compliance, financial crime or associated disciplines will also earn you valuable CPD!

Visit tinyurl.com/writeanarticle and download our document on Article writing tips and Blogging Best Practice to enhance your skills in this area and learn about structure, themes and writing style.

Please note: you don’t have to be an ICA Member to register your interest in submitting.

If you are interested in writing an article for inCOMPLIANCE, email us at: [email protected] and remember to include your full name and your topic of interest.


COVID-19: MENTAL HEALTH


As we attempt to come out of a difficult period of lockdown, I want to look forward to the future and focus on some real milestones achieved at ICA.

Partnership with Alliance Manchester Business School: a 20-year celebration – ICA has been working with Alliance Manchester Business School (AMBS) for more than 20 years in a quality-assured educational partnership that has provided certifications to nearly 150,000 professionals around the world. AMBS is regarded as one of the best universities in the world with strong expertise in professional education. This partnership is unique in higher education and merges the best of academia with the professional excellence of ICA.

The BIG Compliance Festival 2020 – Launched in June 2020, this unique event, which features 70+ speakers in 60+ sessions in a three-part series, is the largest online event of its kind for compliance professionals in 2020. Part one in early June was received with great acclaim and is a credit to the ICA organisers and participants. Part two, starting in September, promises to be just as engaging, informative and enjoyable.

Singapore re-accreditation – ICA has worked with the government education authorities in Singapore for over 15 years providing training and qualifications in governance, risk and compliance and anti money laundering, which are mapped to local and international standards and competencies. ICA has recently acquired re-accreditation to offer Advanced Certificates, mapped to the new competencies, with new Diplomas being offered from September 2020. We are especially proud of this great achievement.

In this edition of InCOMPLIANCE we’re covering a diverse range of topics, such as: operational risk, transaction monitoring, whistleblowing, implementing a GRC programme, fraud risk, bribery typologies and compliance transformation. I hope you enjoy reading this month’s edition.

Bill Howarth, ICA President

To the future


ICA NEWS

ICA launches the BIGGEST online event for compliance professionals in 2020

The BIG Compliance Festival launched at the beginning of June. This immersive virtual experience will take place in three parts – in June-July, September-October and November-December 2020 – featuring more than 70 speakers in over 60 sessions, supplemented by live Q&As, podcasts, whitepapers, roundtables, and a range of supplementary resources.

The BIG Compliance Festival will attract world-class speakers to address topics including change and culture, communication, operational risk, managing fraud, RegTech, financial crime, leadership, and sustainability, sharing best practice and practical tips to prepare compliance professionals for the challenges of the future.

Bill Howarth, ICA President, commented: “I’m delighted that we are able to bring our Members and the wider compliance community together for this unique virtual event. So much has changed in the last few months and we wanted to provide a platform where compliance and financial crime prevention professionals can connect, collaborate and discover how they can better navigate the rest of the year and beyond in an accessible and affordable way.”

To find out more and to get tickets, visit: https://bigcompfest2020.int-comp.org/

ICA extends its qualifications to compliance professionals in Pakistan

ICA has extended its qualifications to compliance professionals in Pakistan with a new, strategic partnership. ICA has partnered with Sigma Risk to offer ICA Certificates, Specialist Certificates, Advanced Certificates and Diploma courses in the fields of regulatory compliance, customer due diligence, anti money laundering, financial crime prevention, governance, risk and compliance, and many more in the country.

ICA qualifications are an internationally-recognised benchmark of excellence, designed to ensure global best practice and the highest ethical conduct, and are awarded in association with The University of Manchester, Alliance Manchester Business School.

Sigma Risk offers bespoke services in financial crime risk mitigation. The company specialises in training, enterprise risk assessment, financial crime advisory services, policy gap analysis, and AML remediation.

ICA announces new partnership in the Czech Republic

We are pleased to announce that we have signed a partnership with the Czech Compliance Association (CCA), a non-profit membership organisation for compliance and legal professionals, to offer ICA’s suite of accredited qualifications in the Czech Republic.

The partnership comes at a time of increased fraud and financial crime risk for all organisations as a result of the COVID-19 pandemic, underlining the importance of upskilling compliance and financial crime professionals in order to effectively detect and manage risk.

All ICA Certificates and Specialist Certificates will be offered to CCA members at a special discounted rate until 30 September 2020, along with a 15% discount on all other ICA qualifications. ICA is also waiving its student membership fee for CCA members.

NEWS INSIGHT

Thinking differently

James Thomas and David Robson report on the opening days of ICA’s BIG Compliance Festival

COVID-19 has turned our worlds upside down, challenging the ways in which we live and work. This was reflected in both the content and the format of this year’s ICA Annual Conference, with the traditional two-day event giving way to a multi-day online ‘BIG Compliance Festival’, which started in June and will run until December.

Driving ahead with a reimagined ‘virtual’ conference, rather than simply cancelling the event, represents ICA’s commitment to supporting both community and innovation. There have been challenges, but the reception and engagement from delegates has, to date, been extremely positive, with over 700 individuals attending so far, from 63 countries. The possibilities for the future look exciting, with the technology enabling live audience interaction via Q&As and polls, and providing a forum for delegates to network and post their thoughts and questions after the event, within designated ‘Community Zones’.

Champion the future

Each day of the festival has a theme, which for day one was – not surprisingly – ‘change’. Respected performance coach, Jamil Qureshi, opened proceedings with a thought-provoking presentation on ‘Maximising potential in a time of change’. In keeping with the innovative spirit underlying the festival, he urged delegates to think differently and to embrace change, suggesting that “you can’t trust the future to anyone who champions the past”. The theme of community also came through powerfully as he argued that “companies no longer compete against companies; networks compete against networks. You can only be as strong as your network”. Moreover, he added that “communities outperform bureaucracies and hierarchies when it comes to maximising talent.”

In that vein, he also suggested that successfully navigating the current crisis may be less about what you know than about how you apply that knowledge. “High technical knowledge is no longer as valuable as it used to be,” he suggested. “Knowing a lot isn’t going to get you out of the current situation. The way that we head towards something better is to think about what we know in a different way.”

Significantly, thinking differently requires organisations (and the individuals that comprise them) to reassess their purpose. “The assumptions that our world is based upon are being roundly challenged,” he concluded. “Certain things that people thought were an investment weren’t an investment; they were a cost on our children’s future. Organisations are looking increasingly at what ‘sustainable’ means. If global warming plays out as it might, then COVID-19 is a walk in the park.”

A better place

Picking up on this thread, David Blunt, Head of Conduct Specialists, Financial Conduct Authority (FCA), gave a similarly engaging presentation on ‘The evolving nature of culture’, urging regulated firms to look closely at their culture and purpose.

“Healthy cultures, we believe, are purposeful and safe,” he said, adding that the FCA, when assessing firms’ cultures, will pay particular attention to four drivers: purpose; leadership; approach to rewarding and managing people; and governance, including systems and controls and oversight of the business. Purpose, he continued, might be found by answering the question: “How is the world a better place by your company being here?”

In terms of leadership and people, he highlighted the particular challenges presented by a wholesale shift to homeworking. “Leaders should consider how a dispersed working environment changes the impact they have on their teams and organisations,” he advised, adding that, “firms should therefore support their managers to be culture leaders – empowering them to take the time to support their teams and giving them the headspace to keep culture on the agenda.”

He also urged firms to consider which of the changes necessitated by the current circumstances they may wish to retain. “While for many there is a strong desire to ‘go back’,” he suggested, “we mustn’t go back blindly. Perhaps we shouldn’t even frame our thinking in terms of ‘going back’, but instead as ‘returning to the office’ – looking to the future instead of the past, which provides the opportunity to do things better.”

Leadership

Closing out day one, Paul Asare-Archer, FICA, Director of Compliance, Telefonica UK Limited (O2), provided some key practitioner insights into building and sustaining an effective compliance culture during the current climate.

Echoing Jamil Qureshi’s earlier remarks regarding the value and application of knowledge, he argued that: “Compliance used to be about technical competence. Post-credit crisis it became about leadership. Now it’s about how to deal with individuals, resources and commercial pressures.”

Amidst the changing demands of the role, emotional intelligence is rising to the fore as an increasingly necessary and valued skill. “How do we communicate, collaborate, and act in an emotionally intelligent way, rather than just rely on our technical knowledge?” he asked. “We have to be visible, collaborative and show that we care.”

He provided examples of measures he had taken to maintain contact with his team during lockdown, and to develop and maintain morale whilst being sensitive to the varied personal circumstances of his team members.

His presentation provided both a fitting conclusion to the first day and a precursor to day two, for which the theme was ‘communication’. In an entertaining presentation, Tony Masgrove and Stuart Rhys Thomas, of communication company Masgroves, offered key advice on effective communication, based on the principles of ‘Objective’, ‘Audience’, ‘Channel’, ‘Who’ and ‘Message’. With regard to how not to communicate, Tony Masgrove pointed out that: “During the crisis there have been examples from all over the world in which senior leaders have stepped outside the lockdown rules and the masses have turned on them. If we take that into a working environment, that is a big reminder for leaders that if you don’t lead by example there will be a big authenticity gap.”

In the second session of the day, Shaun Hurst, Director, Solutions Engineering, Smarsh, highlighted the changing communications landscape post-COVID, marked by the incredible growth in the use of online communication tools. He highlighted the opportunities presented by these technologies, asking: “If the current situation were happening 10 years ago, would we be as productive as we are able to be today? And how much bigger would the impact to the economy have been?” Such platforms have had an indelible impact on our approach to work. “People are realising that you can be productive working from home,” he explained. “These tools are a big part of realising that productivity.” He also pointed out the risks associated with such change. “Mobile phone call lengths increased from average 2 minutes to six minutes as a result of COVID-19,” he said. “There is a challenge in storing that voice data, but also putting compliance controls around it. With traders doing their trading and communicating from home, for example, controls are more important than ever.”

Creativity and compassion

Concluding the second day of the Festival, Iona Bain, journalist, broadcaster and writer of the Young Money Blog, focused on the impact of COVID upon the financial security of younger people, and highlighted the need for financial providers to effectively service the needs of these vulnerable consumers.

“Young people face a triple shock of job losses, disruption to their education and training, and barriers to finding and doing work,” she explained. In addition to these challenges, the crisis has introduced a heightened risk of financial crime, with young people particularly in the firing line. “These are unusual times, with banks being seen to communicate with their customers in an unusual way. Fraudsters have taken advantage of this,” she explained, “Younger people are exposed to the online world in a way that older people aren’t. Whereas older people have more resources and an infrastructure to detach from that online world, younger people live their lives almost entirely online.”

The responsibilities of financial institutions are clear, she argued, both with regard to their communication with younger customers and the design and delivery of products aimed at these customers. “When dealing with younger people, financial institutions must have common sense, clear communication, creativity and compassion,” she urged, recalling Paul Asare-Archer’s words on the importance of responding to the crisis with emotional intelligence. Moreover, she added, the imperatives to get this right have both a moral and a commercial dimension. “You will be judged on how you help this generation in particular,” she suggested, before echoing both Jamil Qureshi and David Blunt in adding that “financial institutions that have better-informed customers are going to have better outcomes”.

The opening days of the Festival provided much food for thought, examining both the challenges and potential responses to the current crisis. What was clear throughout was that the role of compliance within any response will be of fundamental importance. We hope you will join us for the remainder of the Festival by booking a ticket via https://bigcompfest2020.int-comp.org/. All sessions from Part One have been recorded and will be available to view until the end of August.


Join us for Part Two of the BIGGEST online event for regulatory and financial crime professionals in 2020!

Over 700 professionals joined us for Part One of the festival in June/July and registrations will soon be open for Part Two beginning in September, where we’ll be exploring cyber risk, career development and leadership, outsourcing and developments in the MENA and APAC regions.

Keep an eye out for the agenda coming soon: https://bigcompfest2020.int-comp.org/

RISK MANAGEMENT

Enabling agility

Richard Mais considers how effective operational risk management can enable enterprise agility and support innovation in a rapidly-changing environment

COVID-19 has challenged almost every part of our personal and working lives and has done so at a scale, pace and duration few, if any, predicted. As such – and being mindful and respectful of the tragic outcomes we have witnessed – it has provided an unprecedented test of our risk management processes and systems, in particular those relating to non-financial risk.

Lessons learned

So, what have we observed and learned? That, generally, firms responded well to protect the most important things: customers, staff, and reputation.

They undertook a rapid shift to remote working arrangements for staff, reviewed and amended supply chains and adjusted operations accordingly in order to continue to provide products and services.

This was against a massive programme of stimulus packages being conceived, designed and distributed at pace in order to protect livelihoods, companies and the economy. Vulnerable customers, and those in temporary financial difficulty, were at the forefront with interest holidays on loans being offered and financial institutions had to contend with significant demand on remote channels, whilst managing increased levels of staff absences and demands on remote working infrastructure. By way of example, 48% of consumers are using banking services (personal or family) more digitally now than before COVID-19 restrictions began, with around four out of five customers saying that they are likely to continue accessing these services digitally post-COVID-19.1

As our recent research suggests: “What was once impossible is now possible. What was once essential and routine, is now open to question. If nothing else, the Coronavirus pandemic has provided a moment of global reflection on what really matters and what new reality can be forged – for individuals, households and organisations.”2

A response, not a playbook

The response was supported by regulatory action in the form of guidance (e.g. on fair treatment of customers, payment holidays and complaint handling), procedural expectations (e.g. on identity verification methods) and the postponement of consultation responses (e.g. relating to operational resilience initiatives) and certain reporting requirements.

This response from the industry was, however, typically that – a response – rather than enacting a well-considered, comprehensive and tested playbook that contemplated, through detailed analysis, the depth, breadth and likely duration of the impact of this event on organisations, the business environment in which they operate, and the general economy.

Following the likes of SARS and bird flu, the risk of a pandemic will probably have been on the risk register of the majority of, if not all, financial services firms. But therein lies the challenge (or opportunity as we like to put it!). Having any risk on a risk register does not necessarily equate to correctly anticipating exactly how it materialises, nor the magnitude of the impact. It does not necessarily lead to any form of management, action, decision making or proper assurance.

Nor does it provide any insight into some of the more valuable aspects of risk assessment: How vulnerable are we? How much of our exposure can we contain? How quickly, and for how long, will we be impacted?

Being inquisitive for answers to these sorts of questions should make Boards and senior managers feel more prepared in the future. Similarly, it may trigger a change in tack for risk functions to reconsider the current methods they use, the data and skills they have, and the mix and priority of their work.

Bringing risk to life

It still feels as if the industry is basing much of its non-financial risk management approaches on methods designed under Basel 2 (and dating back to the early 2000s!).

Whilst these serve a purpose, they were not designed to support active risk management; rather, they are mechanisms through which to capture data to support scenarios that generated an appropriate level of capital holdings for extreme events (such as COVID-19!).

Put differently, our current non-financial risk management system typically points towards establishing a significant self-insurance process, in which there is a danger of Boards and other stakeholders taking false comfort in sizeable capital holdings, thinking that this means that threats and vulnerabilities are actively being addressed. The periodic method (usually manual) of updating the ‘Risk and Control Self-Assessment’ (RCSA), and confirming that all historical loss events are captured, can make for more robust capital modelling processes. However, it does little, one could argue, for generating foresight and promoting agility unless there is a smart process in place for turning that data into something useful. This is particularly pertinent given the ‘accelerant’ nature of COVID-19 where so much has changed so quickly on a global basis.

Boards should now look to see how effective their non-financial risk management actually is. They will be asking whether it has kept pace and whether existing risk management approaches (including the typical ‘three lines of defence’ and governance process) have delivered the level of value expected.

A good place for them to start would be to consider actual, observable outcomes rather than the simple existence of risk framework and process ‘stuff’. If we cut to the chase on the features of contemporary, non-financial risk management (and avoid the intellectual cul-de-sac of Basel 2) we will probably end up close to ISO 31000 (2018)3, where risk is defined as the effect of uncertainty on objectives rather than a myopic focus on loss and downside. This ‘uncertainty’ based approach is attractive. It makes risk real with a commercial focus and provides optionality. Risk appetite can now come to life; it can be articulated in terms of priority of objectives, allowing those accountable for running the business to really engage in the trade-offs of taking risk and directing steps to limit uncertainty. Furthermore, it promotes inquiry and analysis on the topic of uncertainty.

Returning to the earlier point on observable outcomes, a good success measure would be the number of decisions made, pre-emptively, by a Board or senior management group that can be traced to a stated business objective, based on non-financial risk analysis and an assessment of uncertainty.

A new mindset

This new way of thinking and doing, however, will not emerge organically. There will need to be investment and a new mindset, which aligns to wider business priorities, such as innovation. Rather controversially, one could suggest that a pandemic is not a risk, but is instead a cause or driver of the sort of uncertainty contemplated in the ISO 31000 definition (as demonstrated, just having ‘pandemic’ on the risk register has not necessarily prepared organisations that well for recent events!).

Think of the value that a non-financial risk model could provide if it could link the potential impact of a pandemic to the potential achievement of business objectives. It could provide huge insight on aspects of the business model, potentially down to individual products and services, as well as locations and outsource providers. It could also indicate where, relative to the current stated risk appetite, controls are likely to be stretched or become ineffective or non-operational. With this insight, Boards and senior management can start to make more informed and evidenceable decisions, show agility and generally act with more confidence. This could provide substantial benefits for managing inherently unpredictable or disruptive adverse events, as well as positive disruption, including innovation.

Indeed, our research reveals “a great sense of potential, right when the planet needs it. Leaders have spoken about ‘bottling’ the recent surge of enterprise agility and inventiveness the crisis brought about.”4

A risk management environment such as this will also better support predictive modelling of considerations such as a second wave of infections, the compounding effects of geo-political uncertainty, and the less transparent and visible implications of the new working environments in which many firms have found themselves. For example, there is a high chance that, whilst there will be some ‘return to office’, many workers will remain at home either permanently or for part of their working time. Historically we have made educated assessments on the effectiveness of controls. However, this is unlikely to be sufficient to deal with limitations of continued remote leadership, staggered working arrangements, lower morale, loss of incentives to perform tasks competently and uphold standards and so forth within existing control environments.

Similarly, due to the lack of proximity, ‘hands on’ training and support is less available, which might result in less obvious implications such as ‘ethical drift’ where remote workers start to feel less connected to the values and purpose of their organisations. Conversely, staff may feel that they are now even more connected to a renewed purpose of their organisation and communities, creating an energising effect on their contribution and better work/life balance with less commuting. Either way, with so many moving parts and different dimensions, the levels of risk exposure (or uncertainty) will have changed; the facts and the truth may be way off the opinions and perceptions of management in terms of exposure.

As such, processes and controls that have been created through the initial response phase now need to be formalised and the impacts better understood, modelled and reported.

Improved insight

A more data-led and analytics-based risk management environment can start to weave together multiple data streams and create a much more informed view of potential impact resulting in more future-proofed organisations. Armed with this much-improved insight and with confidence in their enhanced and sustained risk management practices, Boards and senior management should feel more able to demonstrate their agility in proactively taking pre-emptive decisions in line with stated business purpose and objectives. In turn, this should increase investor confidence, customer trust, employee dedication and regulatory credibility.

Who would have thought that improving the quality of non-financial risk management could be so commercially and ethically rewarding?!

Richard Mais is an Associate Partner in EY’s Business Consulting team, working with clients to transform and enhance their non-financial risk management systems.

This article summarises complex issues and is not intended to be a substitute for detailed research or the exercise of professional judgment. Neither the author nor the global Ernst & Young organisation or any of its member firms can accept any responsibility for loss related to any person acting on the information in this article.

1. p.28 Human Signals, Exploring emerging human behaviour and service purpose during C19, Tracking today’s behaviours to find tomorrow’s solutions, Edition 3, June 2020, EY-Seren

2. p.11, Human Signals, Exploring emerging human behaviour and service purpose during C19, Tracking today’s behaviours to find tomorrow’s solutions, Edition 3, June 2020, EY-Seren

3. https://www.iso.org/obp/ui#iso:std:iso:31000:ed-2:v1:en

4. p.11, Human Signals, Exploring emerging human behaviour and service purpose during C19, Tracking today’s behaviours to find tomorrow’s solutions, Edition 3, June 2020, EY-Seren


FRAUD RISK

Spotlight on emerging risks

COVID-19 is driving changes to customer behaviour, organised fraud attempts and supply chain risk. Ted Rugman and Tom Wallbank look at recent developments in the market and how firms are responding

The COVID-19 pandemic has heightened the risk of fraud due to an abrupt change in working practices, as well as increasing pressure on organisations, their customers and their supply chains. In addition, many governments have announced support packages for businesses using financial services institutions as a vector, which will open up new avenues for fraudsters. This article focuses on the heightened external fraud risks associated with the COVID-19 crisis. These include:

• Increased pressure on banks to support customers who are affected by COVID-19, and attempts by fraudsters to take advantage of the funding and relief available from banks and governments. Insurers are likely to come under the same pressure once their policyholders start to make business interruption claims.

• Fraudsters are rapidly adjusting their approaches to take advantage of the crisis (for example, distributing malware or redirecting payments).

• The squeeze on revenues and incomes may increase the pressure on customers to commit first-party fraud (such as fraudulent loan applications). All finance and insurance requests and claims, even for the most long-standing customer relationships, should therefore be subject to additional scrutiny.

• Remote working and the greater use of less secure home networks increases fraud and cyber risks. In addition, enterprise-wide controls to prevent and detect fraud and network breaches may not be designed to operate in near-100% virtual environments.

• The Payment Systems Regulator announced that it would not take any action against banks that delayed the introduction of Confirmation of Payee (CoP) until 30 June 2020 – several months after it was due to be introduced. CoP is an important initiative to help combat scams by checking that the account name on the recipient bank account matches the name provided when the payment details are being input.

Scams and fraud against firms’ customers

During these uncertain and unpredictable times, fraudsters will attempt to take advantage of the situation. As customers fall victim to fraud, they will look to their banks and insurers to cover their losses. Some recent examples of current fraud types include:

• Charities fraud – Fraudulent charities target victims for donations. Such schemes can originate from social media, emails, websites, mailings, telephone calls and other similar methods.

• Investment scams – With the economic turndown negatively impacting pension funds, as well as increased unemployment, fraudsters are targeting individuals with ‘get rich quick’ investment scams and pensions scams.

• Stimulus loan fee scams – Fraudsters impersonate financial advisers and offer to assist businesses to navigate the process for claiming from government stimulus fees. The fraudsters request upfront payment of a fee before disappearing.

• Cyber fraud – Malicious cyber actors will attempt to take advantage of public interest in topical news, such as local infection rates or changes to public services, to disseminate malware.

• Invoice redirection fraud – Businesses and commercial banking customers will be at increased risk as their operations adjust to cope with the impact of COVID-19 (for example, finance teams working remotely may be more susceptible to invoice redirection fraud). We have heard of several cases of this type of fraud involving global banks whose customers have lost more than £5m.

Whilst we are seeing some increase in the fraud typologies listed above, the industry has not yet experienced the large increase that we might have expected. A common theme we are hearing is that it is still too early to see the real impact of increased fraud. There is also a danger that fraudsters are adapting and developing modus operandi which have not been detected yet.

Fraud related to government stimulus support

As well as fraudsters targeting banks’ customers, fraudsters will also target the banks themselves. Many businesses are urgently in need of financial support from the government stimulus packages. As at 24 May the UK's Bounce Back Loan Scheme (BBLS) had paid out £18.49bn of loans to over 600,000 businesses. As at the same date the Coronavirus Business Interruption Loan Scheme (CBILS) had seen £8.15bn of loans approved to over 80,000 businesses.1

There is a lot of pressure on banks to quickly process applications and pay out funds to those in need. In doing so there is a risk that fraud checks are not applied as thoroughly as usual, or that sophisticated fraud schemes are not identified. Fraudsters are attempting to capitalise on this process by submitting fictitious claims, as well as legitimate businesses trying to defraud the schemes by submitting multiple applications. We are also aware of an increase in business banking customers claiming to be in financial difficulty as a result of COVID-19 when their business model and competitors’ performance suggest they should be unaffected.

In many cases the fraud losses might not be identified until further down the line when the loans are due for repayment. Banks are having to carefully balance the need to quickly pay out stimulus funds, the parameters of the loan schemes and the potential risk of increased fraud exposure. The Financial Times has reported that UK banks are warning that 40-50% of BBLs may eventually default.2

On 6 May the UK Financial Conduct Authority (FCA) published its expectations on how firms should apply appropriate fraud and financial crime controls during the current climate.3 The FCA recognises there are currently unique operational challenges and it acknowledges that firms may need to prioritise their resources so long as this is done using a risk-based approach and that there is a plan in place to return to normal processes as soon as reasonably possible. Maintaining a clear audit trail of the decisions taken and rationale will be important, especially in a rapidly-changing environment where speed is of the essence and people are working under increased pressure.

On 4 May, the FCA published guidance for applying customer due diligence measures in relation to businesses that are applying to the CBILS and BBLS.4

What does this mean for fraud professionals?

The remainder of this article outlines the immediate actions that should be taken.

Personnel changes

• Focus on educating employees on the increased risks from fraudsters seeking to capitalise on the current disruption. Consider the best communication channels and the need to provide practical examples which can cut through an increased level of internal communication in the current environment.

• Consider combatting the heightened fraud risk by moving personnel, especially financial crime data analysts, from other parts of the organisation to respond to the changes in fraud alerts, or to support with reviewing applications for stimulus loans. Fraud teams are also redeploying resources internally to respond to the changes in the volume of fraud alerts, as the mix of transaction types generating those alerts changes.

Profiling and identification

• Evaluate introducing facial or voice biometrics as part of the customer identification process. A number of organisations were introducing this prior to the pandemic. This may need to be expanded to other products and services as the crisis continues.

• Tailor fraud profiling systems to ensure they appropriately monitor customers’ new behaviour patterns. Systems should focus on known data points such as customers’ phone numbers and IP addresses/device profile. Organisations should also increase their reliance on two-factor authentication. Records should be kept of any changes made to fraud controls to enable banks to respond to any future queries from regulators, or in connection with government-backed loan schemes.

• Banks should remain vigilant to heightened risks of application fraud from fraudsters, while they contend with higher than usual volumes of applications for loans and credit cards. Application fraud controls may need to be reviewed and tweaked.

Fraud typologies and risk categorisation

• Consider phishing as a higher fraud risk vector and use lessons learnt from past attacks. The UK National Fraud Intelligence Bureau reported that it has received multiple reports about COVID-19-themed phishing emails, attempting to trick people into opening malicious attachments or revealing sensitive personal and financial information.

• Re-evaluate your customer risk strategies. Some categories of customers, such as non-profit organisations, charities, and healthcare and medical device manufacturers, may be considered as higher-risk categories, especially now, as they could become the conduits through which fraudsters attempt to penetrate financial systems.

• Closely monitor fraud losses and emerging fraud typologies. This can be achieved by fine-tuning the thresholds in fraud detection systems and focusing on identifying new fraud typologies. Monitor bad debt write-offs, which will likely include first-party fraud losses.

Customer support

• Remain focused on protecting customers from scams. This may include tailoring warning messages during the payment journey, tweaking payment risk scoring based on emerging scams, or adjusting the thresholds required for manual review of higher-risk payments. Many financial services organisations are providing additional customer education to raise awareness of new fraud and scam risks. This should be tailored to the customer type; for example, different messaging will be required for business banking customers and retail customers.

• Continue to look at ways to prioritise the process for obtaining customer recoveries for large scam losses. This process may quickly come under strain, with key employees working remotely or with increased levels of absences and receiving banks operating under similar constraints.

After the crisis has settled

• A review of major new contracts issued, and transactions and payments made over the crisis period, should be undertaken, to understand if any risk mitigation and management is required. Consider leveraging technology to make these processes easier (e.g. analytics to review high-volume, lower-value transactions such as gifts and entertainment, or payments to third parties to identify outliers during this period). This also applies to any insurance claims stemming from events during the crisis period.

• Firms that have participated in the BBLS and Coronavirus Large Business Interruption Loan Scheme (CLBILS) can perform ongoing data analytics to identify customers who are of higher fraud risk, for example, analysing whether funding amounts are in line with expectations and being used for the purposes you would expect. Whilst the funds have already been paid out it may not be too late to trace and recover funds.

• A review of vulnerabilities that have arisen from the crisis-specific controls that were not adequately designed or not operating effectively or efficiently should be undertaken. Consider whether any controls that were revealed to be redundant could be streamlined.

• Organisations should confirm that whistleblowing channels and supporting infrastructure are still available to employees and third parties to report any inappropriate behaviour identified during the COVID-19 crisis. Review the level of capability or capacity to investigate at the first opportunity, to enable analysis of matters reported.

Many firms are preparing for an increase in investigations and litigation following the crisis and are assessing their internal capabilities to respond, for example, team size, expertise, data availability and data analytics capabilities. The firms which have established appropriate governance, ownership, audit trails and the ability to rapidly respond to changing circumstances will be best placed to manage risk and support customers through the current environment, as well as the next phase.

Ted Rugman is a Director and Tom Wallbank a Manager in EY’s Financial Crime & Forensics team, working with financial services clients to enhance their fraud risk control frameworks and investigate cases of complex fraud.

This article summarises complex issues and is not intended to be a substitute for detailed research or the exercise of professional judgment. Neither the author nor the global Ernst & Young organisation or any of its member firms can accept any responsibility for loss related to any person acting on the information in this article.


1. https://compassoc.org/business-loan-stats

2. https://compassoc.org/bounce-back-borrowers

3. https://compassoc.org/financial-crime-systems

4. https://compassoc.org/coronavirus-loan


Facing up to fraud

Anuradha Shaw discusses the need for a coordinated effort between public and private partners in response to new risks post-COVID-19


The COVID-19 pandemic has created global disruption for which we have no recovery playbook. A global economic recovery roadmap is yet to be conceived and the gutted economy is bound to limp along under stimulus life support until an extensive recovery model is engineered. Add the following realities into the mix:

• It seems certain that there will be a reordering of the global economic, political and social order once the pandemic begins to recede.

• There will be increased uncertainties in human interactions causing long lasting transformations in the work environment.

• Small and medium-sized enterprises, which have historically sustained employment numbers, purchasing power, economic growth and wealth creation, will suffer the shedding of hundreds of millions of jobs or be restructured with bold new visionary policies. In the US alone more than 30 million jobs have been lost and it is unclear how many of these will be restored unchanged once the country recovers.1 Many jobs will never return as multiple organisations declare bankruptcy and drop thousands more employees every day.

• There is likely to be a complete redesign of higher education as travel restrictions between countries may remain in place for some time to come. The positive legacies of cultural and social connections, which have become a significant element of the higher education experience, will have to give way to completely new types of education solutions that promote learning as well as cross-cultural understanding.

• The demand for corporate real estate will face the quickly emerging realisation that at least 40% of the work undertaken in office premises can be more economically and efficiently farmed out to ‘work from home’ alternatives. For example, Twitter has already instituted a ‘work from home forever’ protocol and many other organisations are set to follow suit.

• The potential (opportunity?) for fundamental changes to consumer behaviour and psychology may impact consumption, markets, investments and loyalties to corporations. The new normal for businesses that will emerge as a result of this tectonic consumer-led shift in priorities has to assume that climate change concerns and sustainability of the natural and business environment are going to be a common drumbeat for building consumer loyalties.

• While airlines scramble to stay out of bankruptcy, it seems likely that business travel will become rare. It is now clear that travel could expose talented human capital to grievous health risks. Business travel had contributed (until now) a large chunk of airlines’ earnings. That business model is now for the history books. Digital alternatives for business conversations, exchanges and communication are already proving to be effective. Travel will become more of a luxury pursuit for the adventurous, rather than a business convenience.

• A brand-new networked economy is being born out of the disastrous fallout of the pandemic. Rapid migration to digital technologies will be the most significant investment opportunity for businesses to stay relevant and profitable in the post-pandemic environment.

• Digitally-driven economies are going to be using technologically-enhanced modes of managing the globalised exchange of financial, data, communication and supply chain flows, and therefore there is a need to reset the language of compliance.

• To add to this range of complex new situations, new definitions are emerging for what the term ‘national security’ means and what could threaten it. We know now that we need to add microscopic viruses (man-made as bio-weapons or naturally occurring) to the threats from foreign armies, terrorists, spy organisations or criminal networks. This realisation has changed all our previous calculations of risk exposures.

A stabilising role

Curiously, while the last global crisis of 2007-2008 came out of destabilising actions operating within the financial system, the crisis recovery this time around seems to be centred on the actions that the financial system will initiate to bring about a stabilising recovery roadmap. Banks are going to play a critical role as systemic stabilisers to create and support market liquidity while handling the trillions of dollars walking out of the doors of government coffers as stimulus funds. This is in a new era of public-private partnership with the Federal Reserve and the European Central Bank having cut their rates to zero and the governments of most nations directing stimulus funds through the banking system to communities ravaged by the pandemic.

The banking system is going to face a major stress test, not only from the organic changes taking place as a consequence of the economic fallout from the crisis, but also from those who would challenge the resilience of the system through new versions of frauds, scams, money laundering typologies and other financial crimes that emerge after every such disruption. Here too, a new language of compliance needs to be engineered to combat these emerging threats.


Analytical dissonance

There are some structural fault lines that open up the global financial system to enhanced risks in these times of stress in which bad actors prey upon the vulnerable (as always) through the banking system.

As an example, since 2009 advanced data analytics have expanded from the private sector and into the intelligence and risk management community. But recent events and case studies suggest that scams and frauds have become exponentially rampant because data analytics has not been deployed broadly within the halls of government. Current government efforts to stave off an economic crash, through the injection of hundreds of billions of dollars in stimulus disbursements, are being scuttled by scams that use this analytical dissonance as open doors to opportunity.

For example, the US Department of Justice has uncovered multiple instances of fraud in the federal small business coronavirus relief programme and other stimulus funds. Initial investigations have uncovered more than $500,000 diverted from eligible small businesses to a brace of identified fraudsters. With a few billion dollars in play in this government-funded scheme, the Pandora’s Box of bank fraud incidents is still waiting to be opened.2

The pandemic has laid bare the gaping holes in government's dated data management capabilities to track disbursement integrity and spending. Coronavirus oversight is lagging even as trillions of dollars of additional relief funds are expected to head out the doors of governments worldwide. The US generated at least 3,600 possible cases (within the first month of initial financial stimulus hitting the economy) of fraudulent attempts just in hawking coronavirus cures and sites attempting to install malware and ransomware viruses on networks. The rate of fraudulent attempts increased to 3,000 to 4,000 cybercrime complaints per day, as per data released by the Department of Justice.

One of the first attacks, in mid-March, directed email recipients to open a World Health Organisation (WHO) public announcement for protection against the virus. Opening the attachment permitted access to the computer for cybercriminals to harvest data. The US Attorney General, William Barr, has also referenced coronavirus-related ransomware that locks computer files until a ransom is paid to release the files. This exposes both large and small businesses to a range of risks from mere theft or extortion to corporate espionage, hacking, and theft of intellectual property.

Smartphones are the new target for fraudsters, with apps promising to track the spread of the virus around your location in real time but actually permitting criminals to listen in on your conversations through your microphone, watch you through your smartphone camera, comb through your messages to harvest useful information for stealing your identity, or access your financial or banking information.3

An expanded compliance framework

An expanded compliance framework – sustaining a seamless, coordinated effort between financial and other private sector stakeholders and government, intelligence and law enforcement partners, led by good data analytics – needs to be developed in hitherto unimagined ways to control a situation that exposes entire populations of vulnerable citizens (and trillions of dollars flowing through the financial system intended to protect those citizens) to nefarious players.

The global compliance environment is going to witness a sea change as the height of the pandemic passes. Compliance will have to include efforts such as early ‘takedowns’ of suspicious websites, identifying and managing the risk of compromised cyber security through monitoring ‘early indicators’ of compromised data, and more rapid law enforcement escalations to take down malicious activities and vulnerabilities. International standards setting bodies need to address this urgently.

Criminal activity in the cyber domain (impacting national infrastructures that are supposed to protect citizens) is no longer just an illegal activity but operates on the red line of threats to national security as the physical and economic health concerns of entire populations are implicated. Compliance has therefore suddenly assumed the level of an essential service for preserving national security along with its traditional role in supporting corporate health.

But there is opportunity even in the face of these daunting challenges! In the words of Rahm Emanuel, Chief of Staff for President Barack Obama, “Never allow a good crisis to go to waste. It’s an opportunity to do things you once thought were impossible”.

For the past five years Anuradha Shaw has been working out of Toronto, Canada, as an Accredited External Trainer and Training Programmes Content Developer with the ICA. She has forty years of international banking and business management experience across several continents and the Arctic region.

1. Source: Peter Bergen: CNN National Security Analyst and Daniel Rothenberg

2. Source: Hill.TV, Justine Coleman on US Federal Court Filings: May 6th 2020

3. Source: USA Today: Marc Saltzman


GRC

Look ahead

Gunjan Sinha considers the importance of GRC in the age of COVID-19

In the years since the 2008 financial crash, banks and financial institutions have been subject to stringent regulatory scrutiny at every level. With many organisations today spanning several different regions and continents, the daily work for governance, risk, and compliance (GRC) teams to meet compliance and regulatory standards was already a challenging task.

However, the COVID-19 pandemic has meant the pressure on GRC teams and processes has now increased significantly. The sudden onset of the coronavirus outbreak led to a huge transition in the way we live and work across the world as people are being advised to stay at home and social distance wherever possible.

Not only has the lockdown severely impacted people’s daily routines, supply chains and business operations have also taken a hit and companies have had to scramble to enact their business continuity plans to mitigate any further disruption.

This has led to a great strain on GRC teams to keep a handle on all risk exposure that could lead to an unfortunate scandal. This article will explore the importance of GRC in the age of COVID-19 and consider how businesses can ensure they have the best processes in place to remain compliant, adhere to regulations and protect themselves from unforeseen risks.

Why we need GRC

Even before the chaos of the coronavirus, many scandals and incidents were widely reported in the media. Although 2019 was an incredible year of growth, it was also a year of many accounting scandals1, which included all of the Big Four who were fined by the UK Competition and Markets Authority (CMA) for failing to surpass the 90% ‘good quality audit’ target.

Verizon’s report2 on data breach investigations in 2019, which analysed more than 40,000 incidents, also showed us that more than a third of data breaches involve internal actors. Some of these data breaches by internal employees will have been unintentional, but others will have been deliberate, providing just another example of how some risks can increase with employees isolated across multiple locations and distanced from their colleagues.

The importance of companies needing a GRC team and systems in place has never been more profound than in this climate, in which the risks of a compliance or regulatory failure are heightened. However, it is also critical for companies to consider how effective their current GRC processes are and whether they need to implement processes that are better able to handle the ongoing impact of the disease.

The benefits of forward-looking risk management

With the scale and scope of risks changing at an unprecedented pace, it is not enough for businesses to simply react to risks when they occur. The success of a business in these times will depend on its ability to look ahead and to be proactive in terms of understanding emerging risks and their impact on the business.

Hence, forward-looking risk management is essential for business to implement as this approach improves an organisation’s ability to manage existing and emerging risks, quickly react to unwanted events or crises, and consequently save on costs from any potential fines that may be incurred without it.

It is also vital that business leaders and GRC teams understand that this risk management programme can only successfully analyse past trends, predict future scenarios, and proactively prepare for such scenarios if they first have access to complete and high-quality data. Research by Gartner3 found that poor data quality, created from multiple information siloes by numerous business units and operations in different geographic locations, was responsible for an average loss of $15m per year.

Companies are already experiencing a volatile economic environment, so it is crucial that businesses abandon restrictive siloes and create a single, centralised information hub to ensure they are not exposing themselves to potentially eye-watering fines. High-quality and reliable data can also better support the swift decision-making that is currently needed by companies and help them avoid taking any ill-informed action.

Maintaining resilience amid chaos

In the past few weeks, companies around the world have put their business continuity plans to the test and witnessed the effectiveness of them in being able to respond to such an unforeseen crisis. Many of these plans were likely to have been drafted well before the pandemic struck, and some companies were even caught out by not having an effective plan in place at all.

Now, however, every business will be prioritising business continuity plans to ensure they can maintain resilience and protect essential operations for any future crises. Given the uncertainty of the coronavirus and how long it will take to find a vaccine, it is clear that any plans may need to be flexible to any lockdown updates that governments around the world may enforce in the weeks and months to come.

This is where having an effective GRC team and forward-looking risk management will be advantageous to companies as they will have complete oversight of the business’ vulnerabilities at any time and be able to adapt plans that maintain resilience and business continuity to whatever situation arises.

COVID-19 will be a challenge that will continue to affect our lives and dominate discussions in the Boardroom for a long time to come. There will be a constant need for GRC teams to monitor, react and adapt to risks to not only ensure the business stays on the right side of compliance, but also to protect essential operations and maintain resilience in these troubling times.

Having the right tools and capabilities to prepare and adequately respond to emerging, unforeseen risks will be crucial. If your business has not already prioritised GRC and implemented an effective risk management programme that tackles any blind spots, now is most definitely the time to act.

Gunjan Sinha is Executive Chairman, MetricStream

1. https://compassoc.org/accountancy-scandals

2. https://compassoc.org/data-breach-report

3. https://compassoc.org/data-quality

PROFILE

Ensuring trust in crypto

Blair Halliday and James Thomas discuss the importance of regulation and compliance within the crypto sector

Like any emerging, disruptive phenomenon, blockchain – the technology underpinning cryptocurrencies – presents a rapidly-evolving matrix of risks and opportunities.

On the one hand, the financial crime risk resulting from the pseudo-anonymity offered by cryptocurrencies has been well-documented, as have real-world examples of their use by financial criminals.1 On the other hand, “blockchain enthusiasts promote the transparency and immutability of distributed ledger networks … as a compelling solution to many, if not all, KYC and AML issues”.2

Building trust

However, to date, the challenge of regulating cryptocurrencies3 has contributed to an inconsistency in regulatory approach to crypto, both between and within jurisdictions, with “abrupt changes in national policy and regulatory treatment of cryptocurrencies [serving] to offer cover to those seeking to exploit them for criminal purposes”.4 Consequently, there has been a “significant uncertainty about how to approach cryptoassets from a compliance standpoint.”5

Within the cryptocurrency sector there is therefore a growing appreciation of the importance of a consistent regulatory approach and the need for robust compliance, in order to ensure the credibility, long-term growth and stability of the industry. I discussed this issue recently with ICA Fellow, Blair Halliday.

Earlier this year, Blair was appointed Chief Compliance Officer, Europe at cryptocurrency exchange and custodian, Gemini, and he believes that regulation and compliance are key to the sector’s future. “The market has matured a lot, but certainly there have been negative views of the sector in the past. We want to help demonstrate that crypto is a secure space and a good place for people to do business,” he explains, “Looking forward, we want to be seen as the most trusted cryptocurrency exchange and custodian for individuals and institutions around the world.”

Smart and agile

Prior to his role at Gemini, Blair worked at crypto platform, Circle. However, he also has considerable experience within more traditional financial institutions, including 14 years at RBS and executive positions across the payments sector. He is therefore well-placed to consider the state of regulation and compliance within traditional banking when compared with emerging sectors, and to assess the scale of the challenge facing the latter in the implementation of regulations and controls.

“Traditional banking has been around for a long time and there’s been a lot of investment and evolution in that space, whereas crypto is developing its pathway and the technology is still evolving,” he explains. “Building a programme from the ground up takes a lot of effort, but the fundamental of any AML or compliance department – in the crypto space or otherwise – is understanding the business, trying to pre-empt customer levels, the way your product is going to be used, and building a programme that has the agility to respond to that. We may not have the workforce of a traditional banking institution, but our scale and the technology we use – both third party and proprietary – enable us to be both smart and agile.”

When developing a compliance programme, culture, and the tone from the top of the organisation, are also key prerequisites. As Blair explains: “Gemini has four pillars to the business: security, compliance, licensing and product. On that basis alone, three of those four are very strongly in the compliance and control space.”

Gemini was founded by Cameron and Tyler Winklevoss, who bought their first bitcoin in 2012, when the sector was still in its infancy. Recognising the significant impact that blockchain technology and cryptocurrencies were poised to have on the future of financial services, they acknowledged the need to address the risks and develop trusted and easy places to buy, sell and store cryptocurrency. “They see Gemini as a long-term play, and they want it to be at the forefront of crypto not just today and tomorrow but for the future. They see security and compliance as a central part of how to deliver that,” says Blair. “From the outset they have established a really strong compliance-focused ethos. The emphasis is very much on how fundamental compliance and security are to the business and the industry. That tone from the top filters down.”

In line with this focus on compliance, and the company’s plans to expand into new jurisdictions, Gemini has recently hired a new Global Chief Compliance Officer, ex-Morgan Stanley Global Head of Financial Crime, Noah Perlman. More broadly, when recruiting for compliance roles in general, the company places emphasis on both experience and relevant compliance qualifications. “When I’m looking at hiring people, the fact that they have attained ICA qualifications is really interesting to me,” explains Blair, “ICA really adds credibility and value as the main accreditation body in the compliance space. When I was invited to be an ICA Fellow I was delighted, I’m very proud to be associated with ICA.”

Regulatory relationships

Gemini’s strong compliance culture has also underpinned the positive approach that it has taken to engaging with new regulators within those jurisdictions that it is targeting.

The business is currently licensed by the New York State Department of Financial Services (NYDFS) and, at the time of writing, is seeking a license in the UK from the Financial Conduct Authority (FCA). “Gemini in Europe is our first international market outside the US, but the company is about six years old, so the programme is quite developed,” Blair explains. “While we do have the benefit of a strong compliance programme in place to springboard from as we expand into Europe, we’re an ‘ask for permission’ type of company. Regulatory relationships and guidance have therefore been critical within our expansion into the UK market. The FCA has been incredibly supportive and we’ve enjoyed a good relationship with them throughout the application process. We’ve had great engagement with them and I’ve previously sat on a number of panels and working groups with them. They are certainly keen to be aware of what’s happening, to develop their understanding and to stay close to the cutting edge on crypto.”

A level playing field

With that in mind, Blair believes that things are moving in the right direction in terms of balancing the often-conflicting objectives of promoting innovation while securing robust regulation.

“Crypto has suffered from this ‘wild west’ comparison in the past,” he suggests, “but having been involved with different firms, my experience is that the best crypto firms understand the importance of getting compliance right and the importance of developing trust in the industry. Looking ahead, the goal is to ensure that firms that are doing the right thing are benefiting from that as well. A key challenge with crypto is that it is a very international space and a customer of Gemini Europe could easily be a customer of an exchange based in another jurisdiction globally. With FATF travel rule requirements and OECD looking to broaden common reporting standards to capture crypto too, we want to ensure that everyone is on a level playing field, required to deliver the same level of security and controls, and that the bad actors are squeezed out of the market.”

1. Deepa Chandrasekhar, “A brief history of Bitcoin”, inCOMPLIANCE, Issue 15, p.14

2. Anastasia Savvateeva and Vladimir Berezansky, “The new dimension”, inCOMPLIANCE, Issue 32, p.18

3. Nick Parfitt, “Cryptic Clues”, inCOMPLIANCE, Issue 42, p.37

4. Ibid. Footnote 2

5. Kaluwa Maitre, “Joining the Revolution”, inCOMPLIANCE, Issue 43, p.30

CHANGE

Compliance transformation

Dee McManus considers the influence of transforming work structures on regulatory expectations and compliance programmes

The COVID-19 pandemic has changed our work-life structures significantly. The speed with which we were able to convert to a work-from-home environment during lockdown was testament to how effective business continuity planning (BCP) and resilience risk management plans were. However, as lockdown measures begin to ease and social contact begins to increase (albeit limited to social hub ‘bubbles’) what will our work-life structures look like and what will be the future of our work environment in this ‘new normal’?

This article considers the emerging trends and risks that financial services institutions (FSIs) will face, given that remote working is likely to remain mainstream for these firms for the foreseeable future.

Operationally, FSIs responded well to the onset of the COVID crisis. The speed with which they enacted effective incident response planning was acknowledged by the regulators. However, as we emerge from lockdown, FSIs must focus on the longer term strategies for strengthened operational and financial resilience, coupled with a continued focus on treating customers fairly and maintaining market integrity.

As we move towards the new normal and the situation evolves, we expect to see a shift in focus and re-prioritisation of operational and conduct risks. Regulators remain steadfast in their strategic business plan objectives, these being firmly aligned to the key objectives set out below.

Operational resilience

In the UK, the shared Bank of England, Prudential Regulation Authority (PRA) and Financial Conduct Authority (FCA) consultation on Building Operational Resilience sets out very clear expectations of the role of the Board and individual management to establish a resilience risk appetite, identify the most critical business services and map the resource services that support these important business activities. It is this process of critical services mapping that enables firms to identify where vulnerabilities may exist in people, processes and technology and to adjust accordingly, driving change where this is most needed (whether a call for further investment, redeployment of resources or enhanced technology supports to enable continuity of service with minimal impact to the consumer when disruption events occur). The response deadline to this Consultation was extended to 1 October 2020, a further demonstration that our regulators remain mindful of the current challenges faced by FSIs.

Fraud prevention

Unfortunately, there are the opportunists who continue to exploit the COVID situation to maximise their criminal gains. Financial services firms remain at risk from heightened levels of fraud, including cyber fraud. London City Police alone recorded a 400% increase in reported fraud during March 2020. The FCA has flagged the importance of remaining vigilant to these new types of fraud. It is imperative that FSIs take steps to keep ahead of these emerging threats, allocating sufficient resources to support robust fraud risk management measures. These are further explored below. Recognising the risks that remote working brings for a firm, FSIs should look to reconfigure their fraud risk prevention programmes to support the ability to assess both external and internal fraud activity.

Financial crime

Linked to fraud prevention is the requirement to deploy adequate resource support to ensure the continued efficacy of systems and controls in the ongoing fight against financial crime. In a statement to the industry, the FCA has warned FSIs not to modify their risk appetite by virtue of addressing operational challenges that could impede the ability to undertake transaction monitoring and sanctions screening processes. Timely suspicious activity reporting (SAR) must be maintained. While it is recognised that FSIs may need to re-prioritise or delay certain activities, the challenges of detecting terrorist financing remain and FSIs must not weaken their controls for such high-risk activity in an environment in which financial crime risk is ever increasing.

Additionally, FSIs are asked to bring flexibility to customer identity verification: the FCA has listed means by which verification can continue remotely, as most firms would deploy in normal circumstances. The FCA has been clear that this is not a relaxation of requirements, and that taking one measure in isolation would not be sufficient. FSIs are reminded to continue customer identity verification in line with the overall risk assessment and risk profile of the customer.

In an effort to streamline and support a unified approach to AML standards, the EU Commission announced, on 7 May 2020, the adoption of an action plan for a comprehensive policy and single EU rulebook on preventing money laundering and terrorism financing. This action plan is built around six core pillars:

• Effective implementation of existing rules
• A single EU rulebook
• EU-level supervision
• A support and cooperation mechanism for financial intelligence units
• Better use of information to enforce criminal law
• A stronger EU in the world.

The Commission intends to deliver on these core actions by early 2021 with an open public consultation underway until 29 July 2020. While it is yet to be determined how Brexit will impact on the UK’s adoption of similar standards and information sharing post-31 December 2020 as a third country, the new action plan will help address fragmentation of the rules and uneven supervision across the Member States. FSIs with EU operations or seeking access to European markets post-Brexit will be keeping close track of these new AML measures as they are firmed up post-consultation.

These new measures, coupled with the increasing financial crime risk exposures arising from COVID, are the catalyst for many FSIs to take stock and re-assess the efficacy of their financial crime compliance framework and target operating model, using the opportunity to draw stronger connectivity and inter-linkage with fraud prevention risk programmes and effective resilience risk management.

TCF and flexibility with vulnerable customers

The regulators’ strategic focus on the fair treatment of customers is never far from our minds. Almost every regulatory statement during the COVID crisis has served to act as a reminder to firms to ensure the fair treatment of customers is firmly embedded within all business practices and activities. How FSIs treat their most vulnerable customers during and post-COVID crisis will certainly feed into the regulatory assessment of the FSI’s culture, values and purpose.

To that end, UK FSIs were reminded in the ‘Dear CEO’ letters of April 2020, and follow up statements, to ensure suitability of creditworthiness and an easing of financial pressures on vulnerable customers seeking new or amended terms to existing debt facilities. Alongside this, as FSIs face their own financial resilience challenges, the FCA has reminded firms against causing financial harm or impact to customers. While there may be significant downward pressures on revenues and fee incomes, FSIs were reminded that cutting corners on governance or systems and controls may lead to increased financial crime, market abuse, unsuitable advice to customers, mis-selling, increasing complaints and required redress.

SMCR

In early April, the FCA provided much-welcomed clarity for solo-regulated firms with regard to the 12-week interim rule, allowing for modification by consent of up to a maximum period of 36 weeks for interim absences. FSIs are reminded to ensure the reallocation of prescribed responsibilities for such absences, although the reallocation can cover interim resources and does not require assignment to an approved SMF. Updated Statements of Responsibility are not required to be submitted in these circumstances. However, FSIs are reminded to keep these on file to help give clarity on expected roles and responsibilities.

While FSIs had to make difficult and challenging decisions around employee furloughing, the FCA gave clarity that the role of the SMF16, Compliance Oversight and SMF17, Money Laundering Reporting Officer and SMF29 Limited Scope Function are considered key risk roles and should only be reallocated as a last resort.

As we move into the second part of 2020, FSIs will be giving consideration to meeting their Fitness and Propriety assessment of their SMF and certified populations. Remaining mindful of remote working structures, firms will need to have deployed effective management oversight programmes to help support and monitor employee behaviour and conduct. The continued assessment for compliance with conduct rules is further complicated by the separation of management from their teams. How firms have continued to assess this level of compliance and monitor for conduct breaches will help shape the annual reporting and evidence gathering for certifying the individual’s fitness and propriety assessment to undertake their role.

Remote working

The operation of remote working has brought many challenges for FSIs. Alongside ensuring the safety and wellbeing of the firm’s workforce, data security and the increased cyber-threats have been firmly on the minds of the senior leadership teams. Most FSIs have addressed these concerns through enhanced monitoring and deployment of additional security measures where exposures or weaknesses were identified.

Linked to SMCR above, most FSIs have, at this juncture, undertaken a robust review of their conduct risk framework and assessed how employees continue to comply with the conduct rules and expected behaviours. However, the aspect of conduct is much more than a monitoring of compliance against the rules. Leadership teams are encouraged to give consideration to the workplace culture in a remote environment.

While management teams may have focussed on operational and financial resilience in the earlier days of the pandemic, the FCA has stated that FSIs should focus on the promotion and cultivation of healthy cultures in a dispersed environment, with management playing a key role in providing motivation, direction and purpose alongside support to their employees. The importance of fostering social interactions, communication and creating interdependencies between colleagues’ work programmes is key to shaping culture and building trust. It is imperative that a strong support network is also in place for new joiners, ensuring that new employees become immersed in corporate values and code of conduct from the outset and are supported by strong management infrastructure to help build and link the individual’s efforts into the overall culture narrative.

The actions of today

Whether remote working stays within the mainstream is yet to be determined, and perhaps aspects of how we work will also change as we settle into this new workplace. Our compliance programmes will also change to support this workplace transformation. However, fundamentally, ensuring fair treatment of customers, continued service delivery through effective resilience risk management, ensuring the efficacy of financial crime compliance and the fraud prevention agendas of our regulators have remained steadfast.

How successfully FSIs adapt their compliance programmes to align to the workplace transformation remains to be seen, for it is the actions of today by which firms will be judged and measured on tomorrow.

Dee McManus is Head of Financial Crime and Fraud Advisory at Konexo UK


TRANSACTION MONITORING

The state of the art

Maria Shalimova and Anastasia Kondrashova offer a practitioner’s perspective on the challenges of transaction monitoring

The COVID-19 pandemic has created new money laundering and terrorist financing trends, with direct implications for financial crime investigations and transaction monitoring (TM) activities. This article offers practical advice on calibrating IT systems to the needs of anti-financial crime subject matter experts.

A broader approach

A comprehensive risk assessment, such as the Financial Action Task Force’s (FATF) Mutual Evaluation Reports, serves as a starting point for any discussion of anti-money laundering and counter terrorist financing (AML/CTF). FATF has adopted a complementary approach for assessing both technical compliance with its recommendations and the effectiveness of countries’ AML/CFT systems.

With regard to technical compliance, the assessment addresses specific requirements of FATF recommendations as they relate to a country’s legal and institutional framework, as well as the powers and procedures of competent authorities. The effectiveness assessment fundamentally differs from the technical compliance assessment and is aimed at assessing adequacy of the implementation of FATF recommendations and the extent to which the legal and institutional framework produces the expected results. FATF and FATF-style regional bodies regularly perform their own investigations of financial crime trends and publish guidelines.1

These supra-national acts and practical guidelines are reflected in legislation at a national level, but countries should also monitor local financial crime trends and continuously extend their regulatory requirements to keep on track of changing circumstances. Nevertheless, financial crime controls at a state level may not react immediately to new trends.

Financial institutions (FIs) should aim to effectively detect suspicious activity at an early stage of the crime. They should adopt a broader approach to monitoring of financial crimes, and TM systems must be flexible enough to detect new and unknown trends, rather than adhering narrowly to standard regulatory requirements. The following sections consider current approaches to TM and areas in which TM is being developed.

Transactions filtering

Basic ‘classic’ approaches to automated transactions monitoring – so-called transactions filtering – involve the analysis of a single transaction: whether it comprises a red flag or it doesn’t. Such approaches may still be useful where the triggers are very simple, for example, where a high-risk jurisdiction or a high-risk counterparty is involved; where there is a match with blacklists; where the purpose of the payment contains suspicious keywords (like ‘bomb’, ‘drugs’ etc); or if mandatory transaction details are not provided (anonymous transactions).

However, with the advent of digital technologies financial criminals have become increasingly creative and have developed a greater awareness of (and ability to avoid) basic controls. This doesn’t mean that FIs should not apply transactions filtering, rather that they should not rely on its effectiveness.

Instead, a more productive use of this approach is to apply it as a preventive measure alongside standard screening against blacklists (TF, fraud and sanctions control). Moreover, a transaction should also successfully pass some basic ML controls before its execution.

Scenario-based monitoring

The other approach for effective automated transactions monitoring is scenario-based monitoring, in which the client’s transaction is screened using several rules, comprising a financial crime scenario.

Scenario-based filtering is based on a particular combination of suspicious criteria (mandatory or recommended by the regulator) intended to detect well-known, established financial crime schemes. Given that scenarios regularly overlap with each other, FIs must find the balance between making TM controls (a) broad enough to detect a wide variety of financial crime schemes and (b) precise enough to avoid false positives and reduce capacity spent on manual monitoring.

This problem can be partially solved by combining Know Your Client (KYC) data and TM data into a single picture of expected clients’ behaviour by dividing clients into different segments and comparing their transaction flows within segments to detect deviations.

Many vendors offer ‘off-the-shelf’ TM systems with predefined segmentation rules intended to identify deviations in client’s behaviour from the common practice. However, before choosing any vendor it is necessary to ensure that segmentation rules are properly calibrated. In reality, there should be at least three-step segmentation:

1. By banking products – This allows the application of different filters based on distinctive transactions flows inherent to particular products.

2. By clients’ average turnover – This allows FIs to split their client population into micro-, small, medium, and large businesses and, therefore, to establish reasonable threshold values for suspicious transactions. Numbers for this segmentation can be determined by each FI independently, or be based on existing legislative frameworks.

3. By clients’ industry type – This allows the FI to predict a client’s normal behaviour comparing it to other market players.

As a result of this three-step segmentation approach, scenarios that usually pose a challenge to automated TM systems (such as requiring detection of the ‘market practice’ and ‘economic sense’ of a transaction) can be transformed into IT language.

Correctly selected threshold values not only reduce false positives in the system, but also highlight the real suspicious criteria. Setting thresholds too high, however, may mask some unusual client activities, which will not trigger an alert as they will be below the threshold.
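The three-step segmentation and the threshold trade-off above, sketched as an added example (not code from the article or from any vendor's TM system): clients are grouped by product, turnover band and industry, and each client's cash-withdrawal share is scored against its own segment instead of one bank-wide limit. The band edges, minimum segment size, outlier cutoff, the chosen metric and every client record are assumptions constructed for illustration.

```python
from collections import defaultdict
from statistics import median

# Assumptions, not values from the article: the FI sets its own band edges
# (monthly turnover), minimum segment size and outlier cutoff.
SIZE_BANDS = [(1_000_000, "micro"), (10_000_000, "small"), (100_000_000, "medium")]
MIN_PEERS = 5
CUTOFF = 3.5


def size_band(turnover):
    """Step 2: turnover band (micro, small, medium, large)."""
    for upper, name in SIZE_BANDS:
        if turnover < upper:
            return name
    return "large"


def segment_key(client):
    """Steps 1-3 combined: product, turnover band, industry."""
    return (client["product"], size_band(client["turnover"]), client["industry"])


def peer_deviations(clients, metric):
    """Score each client against its own segment with a median/MAD robust score."""
    segments = defaultdict(list)
    for c in clients:
        segments[segment_key(c)].append(c)
    alerts, unbaselined = [], []
    for members in segments.values():
        if len(members) < MIN_PEERS:
            # Too few peers to define 'market practice': route to manual review.
            unbaselined += [m["id"] for m in members]
            continue
        values = [m[metric] for m in members]
        centre = median(values)
        mad = median([abs(v - centre) for v in values])
        for m in members:
            if mad == 0:
                deviates = m[metric] != centre
            else:
                deviates = abs(0.6745 * (m[metric] - centre) / mad) > CUTOFF
            if deviates:
                alerts.append(m["id"])
    return {"alerts": sorted(alerts), "unbaselined": sorted(unbaselined)}


def global_threshold_alerts(clients, metric, limit):
    """Baseline for comparison: one bank-wide threshold, no segmentation."""
    return sorted(c["id"] for c in clients if c[metric] >= limit)


def _client(cid, industry, turnover, cash_pct, product="current_account"):
    return {"id": cid, "product": product, "industry": industry,
            "turnover": turnover, "cash_pct": cash_pct}


# Constructed sample: cash_pct = share of monthly turnover withdrawn as cash.
CLIENTS = (
    [_client(f"RETAIL-{i}", "retail_kiosk", 600_000, p)
     for i, p in enumerate([30, 35, 28, 33, 31, 32], 1)]
    + [_client(f"IT-{i}", "it_consulting", 700_000, p)
       for i, p in enumerate([2, 3, 1, 2, 4, 30], 1)]
    + [_client("BUILD-1", "construction", 250_000_000, 90)]
)

if __name__ == "__main__":
    print(global_threshold_alerts(CLIENTS, "cash_pct", 40))  # high limit: IT-6 is masked
    print(global_threshold_alerts(CLIENTS, "cash_pct", 25))  # low limit: every kiosk alerts
    print(peer_deviations(CLIENTS, "cash_pct"))
```

A 30% cash share is ordinary for the kiosk segment and far outside the consultancy segment, which is the distinction a single threshold cannot express; the lone construction client is reported as unbaselined because one peer is not a baseline.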

While a scenario-based approach, plus relevant client segmentation, may produce effective results, practical experience suggests that, currently, TM systems cannot accommodate the full range of possible client parameters. Generally, TM systems support some basic KYC indexes – such as ‘PEP Flag’ or ‘Risk Score’ – but only a few may simultaneously compare a charter capital with a daily/monthly turnover through an account and calculate total outgoings to different offshore jurisdictions.

Moreover, as financial crimes become increasingly complicated, recommendations and scenarios from FATF, FIUs and regulators are becoming increasingly granular, requiring the incorporation of multiple different categories of transactions data at the same time.

Take, for example, the tax evasion requirements implemented in Russia. Russia was one of the first countries to incorporate suspicious scenarios for the detection of tax evasion schemes. The Russian regulator requires FIs to identify schemes with tax evasion and encashment via several criteria applied simultaneously: an outgoing payment has to be stopped and analysed before its execution, in case of the following risk triggers:

a. KYC red flags:

• Newly-registered company

• The account was newly opened

• The client is not a medium- or large business

• The client is not an FI borrower

• The client is not on a blacklist provided by the regulator

• The client’s tax duties comprise less than 2% of outgoing turnover

b. TM red flags:

• number of outgoing transactions ‘without VAT’ comprises 3 million RUR per day at the time of the transaction

• the percentage of outgoing transactions ‘without VAT’ comprises 65% of average outgoing turnover for last five business days

• percentage of incoming transactions ‘with VAT’ comprises 65% of average incoming turnover.

This is not an exhaustive list of risk triggers provided by the regulator for just a single suspicious activity scenario. But it should be clear that it requires outgoing and incoming flows to be constantly monitored through different types of filters, including purpose of payment, with parallel calculation of incoming and outgoing flows, bearing in mind the red flags provided by KYC data.

The challenge of achieving 100% compliance is clear, given that all these auto-controls must be performed before the next transaction execution. Moreover, although the vast majority of known red flags and scenarios are based on analysis of client’s transactions post-execution, regulators increasingly expect FIs, and their TM systems, to take preventive (i.e. anticipatory and proactive) action.
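The pre-execution check described above, as an added example (not the regulator's rule text and not code from the article): it evaluates the listed KYC and TM red flags against a pending outgoing payment and holds it only when all of them fire, reporting which flags were missing otherwise. The cut-offs for "newly registered" and "newly opened", the reading of both 65% tests as shares of the five-business-day window, the "all flags must fire" combination and the sample records are assumptions.

```python
from dataclasses import dataclass
from decimal import Decimal

# Thresholds quoted in the article's scenario.
NO_VAT_DAILY_RUR = Decimal("3000000")   # 'without VAT' outgoing per day
NO_VAT_OUT_SHARE = Decimal("0.65")      # share of outgoing turnover, last 5 business days
WITH_VAT_IN_SHARE = Decimal("0.65")     # share of incoming turnover
TAX_SHARE_FLOOR = Decimal("0.02")       # tax duties relative to outgoing turnover

# Assumptions (not in the article): what counts as "newly" registered or opened.
NEW_COMPANY_DAYS = 365
NEW_ACCOUNT_DAYS = 90


@dataclass(frozen=True)
class ClientProfile:
    days_since_registration: int
    days_since_account_opened: int
    size_segment: str               # "micro" | "small" | "medium" | "large"
    is_borrower: bool
    on_regulator_blacklist: bool
    tax_paid: Decimal               # tax payments over the review period
    outgoing_turnover: Decimal      # outgoing turnover over the same period


@dataclass(frozen=True)
class FlowSnapshot:                 # totals already executed, excluding the pending payment
    no_vat_out_today: Decimal
    no_vat_out_5d: Decimal
    total_out_5d: Decimal
    with_vat_in_5d: Decimal
    total_in_5d: Decimal


@dataclass(frozen=True)
class Payment:
    amount: Decimal
    without_vat: bool               # derived from the purpose-of-payment text


def _share(part, whole):
    """part/whole, or None when there is no turnover to compare against."""
    return part / whole if whole > 0 else None


def kyc_red_flags(c):
    tax_share = _share(c.tax_paid, c.outgoing_turnover)
    return {
        "newly_registered": c.days_since_registration <= NEW_COMPANY_DAYS,
        "new_account": c.days_since_account_opened <= NEW_ACCOUNT_DAYS,
        "not_medium_or_large": c.size_segment not in ("medium", "large"),
        "not_borrower": not c.is_borrower,
        "not_on_blacklist": not c.on_regulator_blacklist,
        "low_tax_share": tax_share is not None and tax_share < TAX_SHARE_FLOOR,
    }


def tm_red_flags(f, p):
    # The daily volume test is evaluated "at the time of the transaction",
    # so the pending payment is added to what has already left today.
    today = f.no_vat_out_today + (p.amount if p.without_vat else Decimal(0))
    out_share = _share(f.no_vat_out_5d, f.total_out_5d)
    in_share = _share(f.with_vat_in_5d, f.total_in_5d)
    return {
        "no_vat_daily_volume": today >= NO_VAT_DAILY_RUR,
        "no_vat_out_share": out_share is not None and out_share >= NO_VAT_OUT_SHARE,
        "with_vat_in_share": in_share is not None and in_share >= WITH_VAT_IN_SHARE,
    }


def screen_outgoing(client, flows, payment):
    """Hold the payment for analysis only if every KYC and TM flag fires."""
    flags = {**kyc_red_flags(client), **tm_red_flags(flows, payment)}
    missing = sorted(name for name, hit in flags.items() if not hit)
    return {"hold": not missing, "missing": missing}


# Constructed sample records (amounts in RUR).
TRANSIT_LIKE = ClientProfile(40, 20, "micro", False, False,
                             Decimal("10000"), Decimal("5000000"))
ESTABLISHED = ClientProfile(3000, 2500, "medium", True, False,
                            Decimal("400000"), Decimal("5000000"))
FLOWS = FlowSnapshot(Decimal("2500000"), Decimal("9000000"), Decimal("12000000"),
                     Decimal("11000000"), Decimal("12500000"))
PAYMENT_NO_VAT = Payment(Decimal("600000"), without_vat=True)
PAYMENT_WITH_VAT = Payment(Decimal("600000"), without_vat=False)

if __name__ == "__main__":
    for client in (TRANSIT_LIKE, ESTABLISHED):
        for payment in (PAYMENT_NO_VAT, PAYMENT_WITH_VAT):
            print(screen_outgoing(client, FLOWS, payment))
```

Returning the missing flags alongside the decision gives the investigator the reason a payment was released, which is what makes threshold calibration reviewable.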

It is worth noting that trend analysis is a core element of a TM system’s effectiveness. Trend analysis – which should include an overview of existing and prospective FI products and services, an overall profile of client population, and key risks identified during KYC procedures – allows the detection of: (i) expected client behavior, (ii) potential trends, and (iii) areas for enhancement of existing controls.

Machine learning

TM systems are evolving all the time, with many offering solutions combining transactions filtering and scenario-based monitoring functionality, or scenario-based monitoring enhanced by client segmentation. Moreover, some offer not only post-transaction but real-time TM.

For some time, the idea of applying machine learning to transactions monitoring has been a promising one, for several reasons:

1. Deep investigation using big data – Many government/publicly available sources contain small pieces of information about clients and their counterparties, which, when combined, can provide the FI with a clear picture of the legitimacy of their business profiles.

2. Automatic detection of new schemes – As machine learning systems are continually learning they may foresee new financial crime schemes without human involvement.

3. Reduction in costs associated with manual review of transactions.

Some companies have successfully implemented machine learning technologies into their systems.2 However, practical implementation by FIs is complicated because:

1. In order to provide the system with learning material, the FI should have perfect, crystal clear data regarding which transactions are suspicious and which transactions present normal business activity covering a considerable period (preferably from three to five years). It is rare for organisations to boast such data quality;

2. Calibrating the system requires considerable human input in tuning the system and teaching it to distinguish suspicious activity from false positives.

These, and other, practical implementation challenges have become the subject of much discussion among both FIs3 and vendors.4

For now, machine learning technologies are being gradually introduced into TM systems focused on the avoidance of multiple false positives, although the potential of the technology is yet to be realised. In practice, achieving the full potential of machine learning may require the involvement of regulators, for example through the provision of materials for ‘teaching’ these systems, based on the broad picture of financial crime schemes that is currently only available to government authorities.

Next generation TM systems

Another promising approach to TM controls enhancement is the use of Big Data for deep investigations.

There are well-established systems (such as Dow Jones, Thomson Reuters at the global level, and Interfax and Kontur at the local Russian level), collecting information from media sources and blacklists that may provide FIs with background information about their clients.

The main challenge for these service providers is to merge data from an unlimited number of sources to one standardised view. Moreover, due diligence of open sources is limited by country borders and the public availability of information (especially when offshore jurisdictions are involved). Therefore, in practice such services can only satisfy FIs’ needs to a certain extent and must be used in combination with other TM controls.

The latest round of development in TM systems has been strongly driven by the dissemination of online payment instruments and the advent of FinTech and cryptocurrencies. The immediacy of modern money transfers has necessitated a re-organisation of TM controls to respond to a new reality in which the basic principle ‘follow the money’ is not working anymore.

Furthermore, in response to the anonymity offered by a variety of payment services, some companies have begun to search for background information about transaction participants in open sources and to combine this information with their payment flow. A great example of that is Chainalysis5, which, working in cooperation with various government and law enforcement entities, offers a surveillance system for cryptocurrencies for detecting real money laundering and terrorism financing schemes.6

An upward trajectory

There is no magic pill to resolve all TM issues, and only time will prove the efficiency and efficacy of TM systems and controls. However, further digitalisation of clients’ information will increase the significance of TM within financial crime investigations. With the growing complexity of financial crimes and development of TM controls, the role of financial crime investigators will grow, as will the standards for this profession.

Maria Shalimova PhD is an ICA Fellow and compliance-qualified professional with 15 years’ compliance experience, working primarily in international companies and financial institutions. She specialises in compliance, with experience both in the commercial and banking sectors, including AML/CFT, global sanctions compliance, anti-bribery, compliance risk assessment, regulatory compliance and more.

Anastasia Kondrashova is Master of Law, CAMS-certified specialist with five years’ experience in financial crime investigations. In the last three years, she has led projects on TM systems development, assessment of AML-service providers for financial institution’s requirements, and calibration of filtering rules of different TM systems.

1. Examples: Money Laundering and Terrorist Financing Vulnerabilities of Legal Professionals, https://compassoc.org/fatf-vulnerabilities; Best practices on Beneficial Ownership for Legal Persons, https://compassoc.org/fatf-beneficial-ownership

2. https://compassoc.org/SAS-software

3. https://compassoc.org/machine-learning

4. https://compassoc.org/evolving-AML

5. https://compassoc.org/chainalysis

6. https://compassoc.org/blockchain-surveillance


LEADERSHIP

As compliance and risk professionals, we are accustomed to challenge. It’s the nature of our role and becomes part of our DNA to detect tough situations. Some might even say we thrive on it.

This pandemic, however, has challenged even the most resilient among us. As one colleague put it to me recently, we are, for the first time, having to constantly live in the present. We can’t truly plan for the future. A great deal, perhaps most, of our business dealings and personal lives have been cancelled, and all prospective commitments feel like a big question mark on the calendar.

So how do we lead and impart the relevance of compliance and ethics roles in these times of uncertainty? Here are five things you can do now to survive and thrive in your organisation.

1. Leverage a business mindset: think like a business owner, not a risk leader

It’s a time to influence, not to implement. Ask yourself this question: “In a time of pay cuts, furloughs, and business model disruption, what problems are my stakeholders paying me to prevent and solve?” Asking this will help you stay relevant and be viewed as a strategic partner.

A few industries are experiencing a windfall of growth (and those should of course continue to increase their investment in compliance), but most are suffering. If your C-suite colleagues are making cuts, compliance will be expected to do its share. It’s important to get ahead of the game rather than being sidelined because you don’t make the right compromises. This is more of an art than a science.

Consider this exercise: think through where you can cut back without sacrificing essential functions and be ready with your ‘crisis plan’ (e.g. temporary cutback) proposal. Come to the table before you’re asked (or told!). If cost reductions are necessary, being proactive helps to ensure you have a strong voice in the decision.

One of my clients recently negotiated with his executive team to delay a major compliance implementation by six months, in exchange for an airtight promise that it would be in the 2021 budget.

Some of my clients are scaling back operating costs (e.g. reducing monitoring frequency, delaying ‘nice to have’ enhancements such as Code of Conduct or system updates) to keep their teams and headcount intact. You can always buy more robust online training and compliance systems, but great compliance colleagues who know your culture and business are hard (and costly) to replace. Take a cue from start-ups: what does the ‘minimum viable product’ for compliance look like? If you must reduce operations, when times are good again you can ramp back up and still have the best team in place.

Surviving and thriving

Amii Barnard-Bahn considers the challenges of leadership in a time of unpredictable change

2. Strategise around influence and power: double down on your network

Having a strong network is key to being informed of current business challenges and revenue-generating strategies in order to align your compliance focus and stay relevant. Make a list of your top five stakeholders. Set up time with them every couple of weeks and ask three questions: (1) What is their toughest challenge? (2) How can you help? and (3) What one thing can you do to be more effective in your role? This demonstrates many leadership skills (e.g. empathy, partnership, courage, and humility) that are always keys to success but become critical in a crisis.

3. Cultivate presence: let gravitas centre you to act from a place of strength

Some days this is easier said than done, but it’s important to boss back fear. The ability to remain calm and clearheaded while others are panicking or behaving badly inspires confidence in you as a leader. In times of extended crisis, like the one we’re currently going through, publicly maintaining gravitas for long periods requires a foundation of mental fortitude and resilience. Commit to a personal strategy for refreshing your energy reserve through a deliberate practice of self-care. Get up and move between meetings, take a lunch break with your kids, listen to some of your favourite music. Set healthy limits for you and your team. Don’t allow your flow to get sapped from too many Zoom meetings.


In addition to cultivating a calm presence for others, since your interactions and opportunities to show ‘you’ve got this’ will mostly be online, it’s time to brush up your executive presence and home office tech to put your best foot forward. Adhere to such things as good lighting, positioning of your camera to be at eye level, a professional backdrop (or a good virtual one!). But take a lesson from a recent mishap illustrated on Buzzfeed News and don’t become a potato.1

4. Create a culture of safety for connection: you have to meet people where they are

A lot of people are operating in fear, for their health, job security, and personal finances. As discussed in a recent Harvard Business Review article2, we are collectively suffering from anticipatory grief, the loss of things to come or things that may not happen. As compliance and ethics professionals, we know the importance of psychological safety for creating a ‘speak-up’ culture. The pandemic has broadened our scope to encompass even more of an imperative: safety is critical to healthy workplace culture. No one can focus on the work if this basic need is not met.

5. Be an active steward of company culture

As one CFO client told me: “The biggest surprise has been our realisation that we can run this company virtually.” While perhaps not a unique realisation of late (depending on your industry), the striking thing about this company is that its culture exemplifies Silicon Valley workplace culture. Yes, like the TV show: ping pong, a putting green, catered food and top-of-the-line all-you-can-eat snacks, cold brew and kombucha on tap, frequent and creative appreciation celebrations, and in-person open Q&A with the CEO. If they close or substantially reduce office locations, what will it mean for this culture when it transitions to virtual? How does that impact loyalty, communication of company values, rules of conduct, and a commitment to ethical behaviour?

With the stay-in-place guidance and employees working from home, this team’s sense of purpose and morale was in a complete slump. In a workshop, we reframed the team purpose to be one of creating community and connection, despite the physical distancing. And their ideas were off and running: virtual celebrations, rolling out an IM channel, and mailing care packages to employees for key milestones.

While HR, finance, communications, and facilities are often the first functions engaged in this crisis, make sure you are on the pandemic response team and have a voice in the evolving company culture conversation. Who do you want your company to be when COVID-19 leaves the room?

What next?

I know I started off by saying we are living in the present and can’t truly plan for the future, but it’s important to start planning for what we already know will come next. True to our historical knowledge as compliance and ethics professionals, there will always be another crisis.

Below is a list of some trends this time and place will forever alter:

• Increased remote work – IT infrastructures have been modified and many employees – and businesses – will prefer this going forward.

• Intense scrutiny of business travel – We have mastered online meetings and many conferences have found ways to bring more attendees in with virtual events.

• Conflict over what safety ‘looks like’ – Once businesses start ‘re-boarding’, workplace conflict will increase over organisational and interpersonal health protocols. Workplace policies (like remote work) may need an overhaul.

• Reliance on quantitative data (which will be easier to get) vs qualitative (more difficult), such as evaluating truthfulness of a witness in an investigation.

• The near-eradication of personal and professional boundaries – The increased lack of personal privacy from remote work may bring us closer, but it will also increase employment risk from the eroding of professional protocols that can increase employee relations issues, such as favouritism or unfair treatment.

Compliance needs to be thinking about these trends and how we do our job. What we do, such as helping people and organisations do the right thing, will not change, and that will be our north star through this fog.

Amii Barnard-Bahn is a former Fortune Global 50 executive and has been recognised by Forbes as one of the world’s leading coaches for compliance and legal executives. A Fellow at the Harvard Institute of Coaching and member of Marshall Goldsmith’s 100 Coaches, Amii earned her law degree from Georgetown and BA from Tufts and is a guest lecturer at UC Berkeley’s Haas School of Business.

This article has been republished with permission from Compliance Week, a US-based information service on corporate governance, risk, and compliance. Compliance Week is a sister company to the International Compliance Association. Both organisations are under the umbrella of Wilmington plc. To read more visit www.complianceweek.com


1. https://compassoc.org/buzzfeed-video-meeting

2. https://compassoc.org/discomfort-grief


SOFT SKILLS

Make 10 minutes count

Anuradha Shaw offers advice on how to communicate in the Boardroom

‘Education is the kindling of a flame, not the filling of a vessel’ – Socrates

Nowhere is the above maxim more relevant than in the sphere of professional upskilling and training for specialised positions. In the world of banking, specifically, investment in training is a powerful tool for building specialists who can manage the turbocharged demands of their profession with confidence, commitment, understanding and knowledge. Unlike an academic classroom, where information and knowledge are dispensed by experts, a training room is a safe space in which knowledge and experience in a specific field are shared among the training facilitators and the professionals who attend. A certain magic begins to manifest when everybody understands that shared knowledge and experiences build best practices that everyone can take back to their jobs the next day.

Indeed, in the years that I have been engaged as a trainer by ICA, I have come to regard the training room as a magical space, and have been privileged to be the observer and recipient of countless moments of best practices in play. I would like to share some examples in which I learned more than I taught!

An intellectual grenade

In 2010, as all banks were extricating themselves from the ravages of the financial crisis, Muneera (not her real name) was a delegate among 22 others in a session I was leading in the Kingdom of Bahrain for a group of compliance managers.

Muneera, a Chief Compliance Officer representing an A-List bank in the Kingdom, presented a slight figure, unusually youthful looking for such an important role, unassuming, extremely modest in attire (as is the custom in that region), and was a quiet and self-effacing presence within the group. But I knew, from my own scanning of delegate profiles well before the session, that she was highly-educated and a star performer with a wonderful reputation for effectiveness in her role at her bank. I looked forward to peeling away the quiet personality and learning what made an effective leader like Muneera operate. I was in for the biggest surprise, witnessing a magical moment (truly the Holy Grail of every educator) unfold right in front of my eyes in that classroom!

That particular session dealt with a discussion of the skills that are critical for a compliance role (which incidentally usually leads to a robust round of contributions from all delegates, with ‘communication skills’ being the most common and favoured response). Allowing time to receive other responses (such as management skills, team leadership skills, project management skills, writing skills etc.) from different parts of the room, my next question landed like an intellectual grenade among the group: “Many of you in this room report to the Board of Directors at your bank. Talk to me about the challenges you have faced in developing and presenting your report to the Board. What skill has been your best friend in that role?”

I could see several in the room struggling with the answer to my question, possibly wondering about confidentiality issues relating to their internal reporting to top management, and whether it was permitted to answer such a question in the presence of an outsider like me. As I have said many times in other classrooms, there is never a bad or wrong answer in a classroom, just a badly-worded question from the facilitator. I made a mental note to keep this in mind next time, but the question was already out there and there seemed to be no takers, until, that is, Muneera indicated that she would respond ... and what a gold standard of a response it was!

Getting buy in

Muneera had been given a 10-minute slot to present the Compliance Report to the Board at the very end of a three-day Board meeting at her bank (a woefully inadequate time slot) because “no one wanted to hear bad news”! Remember this was 2010 when bad news was all we bankers had to report? When she arrived at the Boardroom, to present her report, all she could hear was papers and folders being slapped together and briefcases being slammed shut as the Board members prepared to flee to the airports and head home after three days in that country. Her appearance caused a momentary pause and Muneera leveraged her opportunity within that pause to lay out her case on behalf of her bank, managing to get their complete attention and buy in.

I asked how she achieved this and her response (reproduced here verbatim) was a learning moment for all of us in the room.

Muneera said she understood four important facts about the role and responsibilities of the members of the Board, as well as their trained response to issues, which are as follows:

1. The Board of Directors is the principal entity charged with the mission of an organisation and delegated to provide the vision of the bank to enable its mission.

2. The Board enforces the vision and mission through tactically-structured policy directions.

3. The Board is trained to sign off, modify or reject the monetary values (risks, costs and rewards) associated with its policy directives and enforcement.

4. It falls upon the person presenting to the Board to use these insights in the service of the bank.

Muneera presented to the Board her analysis of the compliance issues and successes in the bank by dovetailing each item with the Board’s stated mission and policy directives. She also made mention of the rewards accrued, in tangible and intangible ways, from the good work done through successful compliance execution at every level within her bank.

More importantly, she reported to the Board on the compliance challenges, failures, and ameliorative steps required in the form of systems upgrades, retraining of staff and new hiring, as well as the costs associated with these steps. The ameliorative steps needed were expressed in terms of cost assessments and financial rewards accruing to the bank if her requirements were approved. She also presented the risks, costs and penalties in financial terms that the bank would incur if her request was not approved by the Board.

She now had the undivided attention of every member of the Board … and their respect.

She had made her ten minute time slot count.

Speak the language

She reiterated to us that Board members are trained to think in terms of numbers, risks assessments, costs and rewards aligned to their policies, and the importance of speaking the language they understand. In that particular forum she said she required the language of numbers.

I now opened up the class to discuss what they learned from Muneera’s experience and was encouraged to hear many in the room agreeing that understanding one’s audience, and speaking the language that the audience understands is the distilled essence of ‘communication skills’. More often than not, this term is thrown out in classrooms as a panacea for all communication successes (or failures). It is only the very experienced in the game that can truly enlighten us on what it really means in the workplace.

Compliance officers have to use this skill, tailoring it to multiple audiences every single day. The skill requires spanning language and training distortions, human and personal motivations, cultural divides, business needs, performance pressures and push backs, in house hierarchy, among the many other pressures of their unique job description.

Compliance teams are the back of the line soldiers committed to correcting the course of daily battles at their bank to secure and stabilise one of the most important institutions of a nation. Looking to the future, the real battle for supremacy and global domination is going to be fought in the financial centres, Boardrooms, capital markets and cyberspace. Legacy battlefronts of land and territory, ways of life, cultures, political boundaries and so forth – which used to use military hardware and human fodder in the battlefields – are soon going to become anachronisms for the history books. The future is already here with us in the guise of financial stability, protecting our financial institutions and consolidating financial strength and global economic power as the new frontier. In this battle, compliance professionals like Muneera, who understand the battle lines and use their skills to protect and support their financial institutions with confidence, intelligence and commitment, provide yeoman services. They use their education, training and insights to construct the wisdom they need to protect their institutions.

These are heroes that walk among us and we salute them!

For the past five years Anuradha Shaw has been working out of Toronto, Canada, as an Accredited External Trainer and Training Programmes Content Developer with the ICA. She has forty years of international banking and business management experience across several continents and the arctic region.

SOFT SKILLS


WHISTLEBLOWERS


When the whistle blows

Julie Goodway reminds firms of the importance of having an effective whistleblowing policy

According to research¹, the past year saw a spike in the number of whistleblowers raising concerns directly to the Financial Conduct Authority (FCA) about UK financial firms. In particular, accounts of inappropriate professional behaviour rose by 35%. The research also found that those willing to disclose their identity had increased. Perhaps workers feel safeguarded by the UK’s whistleblowing legislation?

The Public Interest Disclosure Act 1998 (as amended) (PIDA) certainly offers a remedy to workers suffering detriments after whistleblowing. But to be protected certain criteria must be met. This leaves many whistleblowers vulnerable, and the whistleblowing charity, Protect (formerly Public Concern at Work), is currently campaigning for the law to be overhauled.

What does it take for workers to be covered by PIDA? This article considers what constitutes a ‘qualifying disclosure’ and a ‘protected disclosure’ criterion, both of which need to be met according to the current legislation.

A ‘qualifying disclosure’

Workers will often make a broad-brush allegation and believe they are safe from reprisals. This is a mistake. To be a ‘qualifying disclosure’ there must be an actual disclosure of information. Hence, a generalised complaint that a firm ‘is not acting appropriately’ will not on its own meet the definition of a qualifying disclosure. More specific information needs to be provided. Also, the mere gathering of information will not be sufficient.

Threatening to blow the whistle is not a qualifying disclosure either. Such a tactic could backfire on the employee, resulting in disciplinary action against them for blackmail.

Problems can also arise if a worker gathers evidence in a way that inadvertently amounts to misconduct. In the case of Bolton School v Evans, Mr Evans reported an unsecure IT system (which amounted to a protected disclosure), but he then hacked into the system to support his point. The Court of Appeal ruled that the separate act of hacking was not protected. The employer had not been at fault when disciplining Mr Evans for his unauthorised hacking.

Another PIDA condition is that a worker must genuinely and reasonably believe the information being disclosed tends to show one or more of the following categories of wrongdoing: criminal offence, breach of any legal obligation, miscarriage of justice, danger to health and safety of any individual, environmental damage, and/or the deliberate concealing of any such information.

The whistleblower also has to reasonably believe that the disclosure is in the ‘public interest’. This does not mean that it must be in the interests of the entirety of the public. The recent Employment Appeal Tribunal case of Okwu v Rise Community Action Ltd confirms that public interest need not be an employee’s primary motivation to blow the whistle. Whilst Miss Okwu reported data protection concerns when defending her own poor performance, there was nothing to suggest her complaints were not believed to be in the public interest.

A ‘protected disclosure’

The final step is that the disclosure must be made to a specified category of persons. This includes the employer. A worker may also whistleblow directly to a relevant regulatory body (the statute provides a full list of such bodies) provided the worker has a reasonable belief that the information disclosed is substantially true. Unfortunately, the fact that more reports are being made to the regulatory body might suggest a lack of trust in financial institutions to take appropriate action themselves, which is another big issue for a separate discussion.

Having said that, there can be times when it would be in the public interest to disclose directly to the police or to the media. In such situations, the worker must not be disclosing for personal gain and must reasonably believe the disclosure is substantially true and take steps to determine this. They must also have previously disclosed the information to their employer (unless they reasonably believed that in doing so either they would be subject to a detriment, or that material evidence would be concealed or destroyed, or because it is an exceptionally serious case). Further, the disclosure must be reasonable in the circumstances. Therefore, if the employer has taken no steps to address the whistleblower’s concerns then it is more likely to be regarded as reasonable to disclose.

Whistleblowing detriment

This serves as a reminder of the importance for firms to have an effective whistleblowing policy. Such policies encourage a culture in which wrongdoing can be addressed and thereby make it less likely that a worker will report their concerns externally. Further, if an employer has an effective policy and the worker goes straight to the media, then they are likely to lose their whistleblowing law rights.

Where a worker suffers a disadvantage, the courts will look at the reason for this. In detriment cases, the test is whether the whistleblowing played more than a trivial part in the employer’s reason for the unjust treatment, whereas for claims of automatic unfair dismissal to succeed the disclosure must be the principal reason, not just a reason, for the dismissal (which means that it is more difficult for employees to succeed with such claims).

It may be necessary to look beyond a dismissing manager’s reasons. In the recent case of Jhuti v Royal Mail, the Supreme Court determined that Ms Jhuti had been automatically unfairly dismissed even though the person dismissing her was unaware she was a whistleblower. Ms Jhuti had raised concerns to her line manager in 2013 about regulatory guidance violations. In retaliation, the line manager subjected Ms Jhuti to performance reviews and produced a misleading report about her work, which was relied upon in good faith by the dismissing manager when deciding to dismiss Ms Jhuti. The Supreme Court ruled “if a person … determines that she … should be dismissed for a reason but hides it behind an invented reason which the decision-maker adopts, the reason for the dismissal is the hidden reason rather than the invented reason.”

Lessons learned

Regardless of the barriers to succeeding with whistleblowing claims, employers will want to avoid such claims. Firstly, the compensation awarded is uncapped. Secondly, there is the cost of defending such claims and the risk of reputational damage of a public hearing. It therefore makes commercial sense for a firm to have a clear whistleblowing policy so that everyone knows how to raise a complaint and can be assured it will be dealt with promptly and thoroughly without fear of repercussion. Also, having an individual in the organisation identified as a whistleblowing champion can help to ensure that any complaints are directed to this one person.

With more staff working from home or furloughed, many other challenges become apparent. There is the risk that malpractices will be covered up or that those who may have been preparing to whistleblow hold off from doing so, perhaps from fear of job losses. They may also be unclear as to how they should whistleblow internally if they don’t have access to their employer’s whistleblowing policy.

It will therefore be sensible for firms to remind their staff that they take whistleblowing seriously and the steps they should take to report this. Also, although investigating matters may be more challenging currently with staff gradually returning to workplaces but mostly working remotely, this should not prevent steps being taken.

Finally, it is worth noting that companies ignore their workers’ concerns at their own peril. The decision in Rihan v Ernst and Young Global Ltd – a civil claim brought outside of the UK’s whistleblowing legislation as the claimant worked outside of Britain – highlights this best. Mr Rihan was a partner at an EY entity in Dubai. When preparing an audit report on a Dubai gold dealer he uncovered significant non-compliance with international standards. After Mr Rihan reported these concerns to his firm, he was allegedly pressurised to produce a report favourable to the dealer. Mr Rihan subsequently resigned. The High Court held that EY was under a duty to prevent him from suffering financial loss by conducting the audit in an ethical manner, and awarded Mr Rihan $10.8m in damages for loss of earnings.

Julie Goodway is a Senior Associate in the employment department of specialist law firm Thomas Mansfield www.thomasmansfield.com

1. https://compassoc.org/whistleblower-reports


BRIBERY

At the gate

Noel Bartolo considers some examples of efforts that individuals can make to disguise bribery


As Barnabe Rich famously said: “Honesty stands at the gate and knocks, and bribery enters in”. And I can’t agree with him more, as I skim through the newspaper reports of bribery scandals, such as the Airbus scandal (recently settled for a record sum of $4bn under a plea bargain agreement with the UK, French and US authorities) or the case of two senior officers of UK printing firm, Smith & Ouzman Ltd, who bribed African officials with payments of £395,074 to secure contracts in Kenya and Mauritania.

Such bribes are often cleverly disguised in order to distance the bribe-giver and the bribe-taker. The following typologies outline how a perpetrator may execute bribes whilst creating an element of distance between the interested parties.

The white phone

Several countries in southern Africa suffer from high levels of corruption, as Transparency International’s Corruption Perception Index would attest. Public officials in these countries may routinely engage in illicit extortion practices on foreigners to augment their salaries, while executives and high-ranking officials may adopt unethical approaches to managing public official expectations. For example, the practice of paying a bribe to a traffic policeman (should you fall under his radar) is more efficient than contesting the citation and paying the fine.

One such example was shared with me through an acquaintance who used to work as a security official and driver in the region (the details have been changed to protect the source).

‘Tom’ was sitting in the front passenger seat, accompanying a bank executive to the airport. It was his second week in the country offering protection services to several bank executives who were conducting a country visit. He had taken the route several times and was already familiar with the landmarks and potential risk points. Upon entering a secondary road as per the planned route, he heard the wail of a traffic police siren. A quick look in the mirror confirmed that there was a policeman in full uniform.


As the driver pulled to the side of the road, Tom wondered what had gone wrong as the car hadn’t been speeding. While the driver engaged in a discussion with the policeman, Tom’s concern grew, but he was greeted with a half-smile and a calm look from the bank executive, telling him that this was a normal protocol.

It transpired that the policeman had stopped the car, claiming that they had driven the wrong way down a one-way road. Tom was taken aback at this claim; he was sure that this was not the case as he had been through this route before. However, the bank executive had already understood everything.

A faint ringing was then heard in the glove compartment, which the bank executive asked Tom to open. Inside was a white phone, vibrating excitedly, and with a small wad of cash strapped to it with a rubber band.

The bank executive told Tom that the call was for the officer and he should hand the phone over. Tom quietly handed the phone to the policeman who in turn appeared to understand and react to the ploy. The policeman backed away from the car, walked a few metres, before returning a few seconds later. He gently offered to escort the car to the airport to ensure against any additional delays along the way.

No mention of the phone, nor the cash, was made by the policeman or the bank executive. However, Tom soon figured out that this was a normal toll that had to be paid in order to avoid delays when driving on the airport route.

Consultancy and securing contracts

Competition can be fierce when bidding for the acquisition of a franchise. While a franchise dictates the ways in which a product must be promoted, the shop design and the overall corporate image that must be adhered to, the initial pain and upfront costs of conforming to such requirements are often justified by the potential gains of securing the exclusive rights to sell often sought-after and popular products in a defined area, particularly in a small island nation, where the owner of the franchise may be the exclusive country franchise owner.

It is the role of the franchise adjudication committee to determine the most appropriate business candidate, through the bidding process. For those interested in securing the franchise agreement, this is where insider information and consultants may come in handy, particularly individuals who have access to the franchise committee and can help drive the message home with a little extra incentive. This typically takes the form of a financial incentive, and the perpetrator of such a bribe must find a clever way of disguising the movement of funds and rendering such activity as ‘legitimate’.

Imagine a scenario in which you – the bribe giver – are aiming to secure the granting of a franchise for an international makeup brand. Given the international nature of the brand, other country managers or individuals with significant influence might give a ‘helping hand’ to secure the contract. But how would the payment be conducted?

Once a ‘friendly’ country manager has been identified, you would invite them over for the weekend to build a relationship. The justification for this visit is simple: as a result of the country manager’s experience, he/she can provide some hints and tips on how to prepare the shop floor layout, pre-book marketing campaigns and offer advice on which advertising medium proved the most effective in other countries. Naturally, since this is a hospitality initiative, such expense must be justified in the accounting books. Also, considering that this is an investment into a future profit-making venture, you may resort to extravagance, to ensure that the right notes are struck.

Following a weekend of entertainment, during which the investment in friendship is sealed, it is time to discuss business and the real reason for hosting. At this point, the conversation revolves around what you really need, how you would like a helping hand in securing the franchise agreement, highlighting that you would be happy to cover any necessary expenses. More often than not the country manager will go out of his way and help his new contact.

Sealing this with a payment for the trouble taken is always advisable since this creates a financial bond to the commitment. Naturally, crossing customs with a large bundle of cash is no longer an acceptable norm whilst bank transfers have become an easily trackable medium. Bank drafts, however, are an acceptable compromise, especially when the value is modest in comparison to the payment values handled. Also, the receiving party is distanced from the remitter since the bank draft does not bear the name of the ordering party.

On a final note, should the payment institution manage to identify the payment as a red flag and question the reason why such payment is being effected, you can always resort to the original consultancy meeting by drawing up a quick consultancy agreement contract covering the term of the visit. With the T’s crossed and the I’s dotted the story would have the necessary element of credibility to cover the tracks whilst securing the franchise agreement.

Outside of the norm

Banks and financial institutions need to exercise additional due diligence with payments that fall outside the norm, especially when there is a change in the payment medium usually utilised by the remitter. Whilst such transactions may be difficult to detect (especially if the value is modest), understanding the client profile is key to identifying and understanding what is unusual about the activity.

Noel Bartolo occupied the role of Head – AML investigations & Deputy MLRO for HSBC Bank Malta plc and has over 20 years’ experience in the banking industry. Following the implementation of the Fourth Anti Money Laundering Directive, he joined the gaming industry in order to widen his exposure to money laundering typologies. Noel is currently the MLRO for Gaming Innovation Group

Find out more https://compassoc.org/postgrad-GRC

ICAA13607

Become a leader in Governance, Risk and Compliance

NOW ONLINE!

The ICA Professional Postgraduate Diploma in Governance, Risk and Compliance is an executive programme for senior industry practitioners. The course will enable you to operate at the highest level within your organisation and provide you with unique skills to drive your leadership ambitions.

• Enhance your international profile
• Develop new ideas to accelerate your effectiveness as a senior manager
• Learn from and share experiences with a global network of likeminded individuals
• Become eligible for ICA Fellowship (the highest grade of membership)


https://www.int-comp.org/programme/?title=ICA-Professional-Postgraduate-Diploma-in-Governance-Risk-Compliance


Head Office

Wrens Court | 52-54 Victoria Road | Sutton Coldfield | Birmingham | B72 1SX | UNITED KINGDOM

Tel: +44 (0) 121 362 7747

Email: [email protected] www.int-comp.org

International Compliance Association CPD - 2 hours

Advice to Readers

inCOMPLIANCE® is published by the International Compliance Association. Reproduction, copying, extraction, or redistribution by any means of the whole or part of this publication must not be undertaken without the written permission of the publishers.

inCOMPLIANCE® is distributed as a free member benefit to all members of the International Compliance Association.

Articles are published in good faith without responsibility on the part of the publishers or authors for loss occasioned to any person acting or refraining from action as a result of any views expressed therein. Opinions expressed in this publication should not be regarded as the official view of the ICA or as the personal views of the Editorial Board members of inCOMPLIANCE®.

All rights reserved in respect of all articles, drawings, photographs etc published in inCOMPLIANCE® anywhere in the world. Reproduction or imitations of these are expressly forbidden without permission of the publishers.

Printed in England

ICAB13524