
Recent Regulatory Developments


1 Recent Regulatory Developments
Presented by Jeff Ross SVP, BSA/AML Compliance Officer at Green Dot Corporation

2 FinCEN -- Advisory on establishing and maintaining a BSA/AML “Culture of Compliance.”
Regardless of its size and business model, a financial institution with a poor culture of compliance is likely to have shortcomings in its BSA/AML program. A financial institution can strengthen its BSA/AML compliance culture by ensuring that:
- its leadership actively supports and understands compliance efforts;
- efforts to manage and mitigate BSA/AML deficiencies and risks are not compromised by revenue interests;
- relevant information from the various departments within the organization is shared with compliance staff to further BSA/AML efforts;
- the institution devotes adequate resources to its compliance function;
- the compliance program is effective by, among other things, ensuring that it is tested by an independent and competent party; and
- its leadership and staff understand the purpose of its BSA/AML efforts and how its reporting is used.
The following is the Advisory in its entirety:

3 FinCEN Beneficial Ownership/CDD Regulation
On May 11, 2016, FinCEN released the text of its Customer Due Diligence ("CDD") Final Rule, which adds ongoing CDD as a "Fifth Pillar" of an effective anti-money laundering program. Under the Final Rule, which becomes fully effective on May 11, 2018, "covered financial institutions" must conduct CDD on certain "legal entity customers" that open new accounts.

FinCEN considers CDD to consist of the following four elements:
(1) identifying and verifying the identity of customers (Old);
(2) identifying and verifying the identity of beneficial owners of legal entity customers (New);
(3) understanding the nature and purpose of customer relationships (Old); and
(4) conducting ongoing monitoring for reporting suspicious transactions and, on a risk basis, maintaining and updating customer information (Old, but enhanced).

Under FinCEN's existing rules, the first element of CDD is already satisfied by the existing customer identification program ("CIP") requirements of covered financial institutions, and the third and fourth elements are described by FinCEN as "already implicitly required for covered financial institutions to comply with their suspicious activity reporting requirements." According to the Final Rule, the only new requirement is the obligation to take explicit steps to identify and verify the identity of the natural persons who are the beneficial owners of legal entity customers. The AML program requirement for each category of covered financial institutions has been amended explicitly to include risk-based procedures for conducting ongoing CDD, so that banks can understand the nature and purpose of customer relationships for the purpose of developing a customer risk profile. See also FinCEN FAQs: Frequently Asked Questions Regarding Customer Due Diligence Requirements for Financial Institutions (July 19, 2016),

4 Cyber SAR Guidance
January 31, 2017
Duncan DeVille, SVP and Global Head of Financial Crimes Compliance
DRAFT

5 Cyber SAR overview What is the requirement?
What is the requirement?
On October 25, 2016, the United States Department of the Treasury's Financial Crimes Enforcement Network (FinCEN) issued an Advisory to help financial institutions understand how to fulfill their Bank Secrecy Act (BSA) obligations with regard to cyber-events and cyber-enabled crime. The advisory indicates that SAR reporting is mandatory for cyber-events where the financial institution knows, suspects, or has reason to suspect a cyber-event was intended, in whole or in part, to conduct, facilitate, or affect a transaction or a series of transactions. This advisory does not change existing BSA requirements or other regulatory obligations for financial institutions. Financial institutions should continue to follow federal and state requirements and guidance on cyber-related reporting and compliance obligations.

Who is affected by the advisory?
Financial institutions, including prepaid programs.

What needs to be done?
Financial institutions are required to report suspicious "cyber-events" or "cyber-enabled crime" involving or aggregating $5,000 or more in funds or other assets and conducted or attempted by, at, or through the institution.
- AML policies and procedures should be updated to include cyber-events.
- Risk assessments should be updated to include potential exposure to cyber-related activities.
- Cybersecurity and fraud-prevention units should determine whether a cyberattack triggers a mandatory SAR or merits a voluntary SAR.
- FinCEN also encourages financial institutions to exchange cyber-related intelligence through the USA PATRIOT Act Section 314(b) program, for additional knowledge that may improve their suspicious activity reporting.

Technically not a new reg, but ... what really changes here? More technical info is required, AND you have to report unsuccessful cyber attempts (but not continual cyber probing; a cumulative SAR is allowed). The $5K threshold won't buy you much space, since the FI must consider the transaction (or attempted transaction) in aggregate.
Also, even if the bad guys weren't trying to steal $$, other info has value, and a denial of service attack does too. At the very least this should result in a voluntary SAR. We pulled together a Cyber SAR team at WU; the key is that your cyber security folks and AML compliance folks be talking, so that the former's info can get into the latter's SARs. Your audit and risk assessments should include cyber SAR. P&P should be amended.

2016 Compliance Priority

6 Cyber - New York Department of Financial Services
What is the requirement?
Due to the ongoing growth of cyber threats within the financial industry, NYDFS has proposed the regulation 23 NYCRR 500, Cybersecurity Requirements for Financial Services Companies: "This regulation is designed to promote the protection of customer information as well as the information technology systems of regulated entities. This regulation requires each company to assess its specific risk profile and design a program that addresses its risks in a robust fashion. Senior management must take this issue seriously and be responsible for the organization's cybersecurity program and file an annual certification confirming compliance with these regulations. A regulated entity's cybersecurity program must ensure the safety and soundness of the institution and protect its customers."

Who is affected by the regulation?
All regulated institutions, including prepaid programs.

Create and document a Cybersecurity Program, to include:
- Appointment of a Chief Information Security Officer
- Training and monitoring of appropriate staff
- Encryption of Nonpublic Information
- Creation or revision of your Multi-Factor Authentication
- Penetration testing and vulnerability assessments
- Hiring of cybersecurity personnel and intelligence (can be a third party); if a third party is hired, create a Third Party Service Provider Security Policy
- Incident Response Plan

Create a Cybersecurity Policy, to include:
- Access privileges
- Application security
- An audit trail for all testing and events

Create or revise your Risk Assessment, to include:
- Criteria for evaluating categories of cybersecurity risks
- Requirements on how identified risks will be mitigated

7 Defining cyber events

Cyber-Event: An attempt to compromise or gain unauthorized electronic access to electronic systems, services, resources, or information.

Cyber-Enabled Crime: Illegal activities (e.g., fraud, money laundering, identity theft) carried out or facilitated by electronic systems and devices, such as networks and computers.

Cyber-Related Information: Information that describes technical details of electronic activity and behavior, such as IP addresses, timestamps, and Indicators of Compromise (IOCs). Cyber-related information also includes, but is not limited to, data regarding the digital footprint of individuals and their behavior.

8 Mandatory reporting events
A financial institution is required to report a suspicious transaction conducted or attempted by, at, or through the institution that involves or aggregates to $5,000 or more in funds or other assets. "If a financial institution knows, suspects, or has reason to suspect that a cyber-event was intended, in whole or in part, to conduct, facilitate, or affect a transaction or a series of transactions, it should be considered part of an attempt to conduct a suspicious transaction or series of transactions. Cyber-events targeting financial institutions that could affect a transaction or series of transactions would be reportable as suspicious transactions because they are unauthorized, relevant to a possible violation of law or regulation, and regularly involve efforts to acquire funds through illegal activities."

Other regulators that require SARs be filed regarding certain computer-related crimes:
- Office of the Comptroller of the Currency (OCC)
- The Board of Governors of the Federal Reserve System (FRB)
- The Federal Deposit Insurance Corporation (FDIC)
- The National Credit Union Administration (NCUA)

In determining whether a cyber-event should be reported, a financial institution should consider all available information surrounding the cyber-event, including its nature and the information and systems targeted. Similarly, to determine monetary amounts involved in the transactions or attempted transactions, a financial institution should consider in aggregate the funds and assets involved in or put at risk by the cyber-event.

9 Mandatory reporting events – cont’d
Mandatory Reporting Example: "Through a malware intrusion (a type of cyber-event), cybercriminals gain access to a bank's systems and information. Following its detection, the bank determines the cyber-event put $500,000 of customer funds at risk, based on the systems and/or information targeted by the cyber-event. Accordingly, the bank reasonably suspects the intrusion was in part intended to enable the perpetrators to conduct unauthorized transactions using customers' funds. The bank must file a SAR because it has reason to suspect the cybercriminals, through the malware intrusion, intended to conduct or could have conducted unauthorized transactions aggregating or involving at least $5,000 in funds or assets. As explained in the next section, the bank should include all available information in the SAR relevant to the suspicious activity, including cyber-related information such as a description and signatures of the cyber-event, attack vectors, command-and-control nodes, etc."

10 Voluntary reporting events
FinCEN encourages, but does not require, financial institutions to report egregious, significant, or damaging cyber-events and cyber-enabled crime when such events and crime do not otherwise require the filing of a SAR.

Voluntary examples from the advisory:
"A Money Services Business (MSB) knows or suspects a Distributed Denial of Service (DDoS) attack prevented or distracted its cybersecurity or other appropriate personnel from immediately detecting or stopping an unauthorized $2,000 wire transfer."
"A DDoS attack that disrupts a financial institution's website and disables the institution's online banking services for a significant period of time. After mitigating and investigating the DDoS attack, the affected financial institution determines the attack was not intended to and could not have affected any transactions. Although a financial institution is not required to report such DDoS attack, FinCEN encourages the financial institution to consider filing a SAR because the attack caused online banking disruptions that were particularly damaging to the institution."

Important to remember: voluntary reporting of cyber-events provides valuable information to law enforcement.

11 Cyber-related information to include
Source and Destination Information
- IP address and port information with respective date timestamps in UTC
- Uniform Resource Locator (URL) addresses
- Attack vectors
- Command-and-control nodes

File Information
- Suspected malware filenames
- MD5, SHA-1, or SHA-256 hash information

Subject
- User names
- Email addresses
- Social media account/screen names

System Modifications
- Registry modifications
- Indicators of Compromise (IOCs)
- Common Vulnerabilities and Exposures (CVEs)

Involved Account Information
- Affected account information
- Involved virtual currency accounts (case sensitive)

When available, this information should be reported within the SAR. Financial institutions should include available Internet Protocol (IP) addresses and accompanying timestamps associated with fraudulent wire transfers being reported, even if a cyber-event was not involved in the suspicious activity. Similarly, when suspicious transactions do involve cyber-events, a financial institution should include in SARs all relevant and available information regarding the suspicious transactions and the cyber-event, including the type, magnitude, and methodology of the cyber-event as well as signatures and facts on a network or system that indicate a cyber-event.
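The following is an added example, not code from the slide deck, from FinCEN, or from any of the presenters' organizations. It shows how a cyber security team could hand its AML colleagues SAR-ready data: it applies the aggregation rule from the mandatory and voluntary reporting slides (sum the funds involved in or put at risk by the whole series of transactions, compare against $5,000, and classify the filing as mandatory, voluntary, or none), and it normalizes the fields listed above, converting timestamps to UTC with an explicit offset (a timestamp with no offset is rejected rather than guessed), validating IP/port pairs including bracketed IPv6, and typing file hashes by digest length. The two sample events mirror the advisory's $500,000 malware intrusion and $2,000 wire-plus-DDoS examples; the IP addresses, file bytes and all function names are constructed for this example.

```python
"""Cyber SAR triage helper (added example; not FinCEN's or any presenter's code).

Applies the $5,000 aggregation threshold to a cyber-event and normalizes the
cyber-related information a SAR should carry: IP/port with UTC timestamps and
typed file hashes. Sample data below is constructed, using documentation ranges."""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import datetime, timezone
import hashlib
import ipaddress
import re

MANDATORY_THRESHOLD_USD = 5_000            # SAR threshold used in the advisory
HASH_TYPES = {32: "MD5", 40: "SHA-1", 64: "SHA-256"}  # hex digest lengths


@dataclass
class CyberEvent:
    description: str
    # Funds involved in or put at risk by each transaction or attempted
    # transaction tied to the event; the rule aggregates across the series.
    funds_at_risk_usd: list[float]
    intended_to_affect_transactions: bool   # known, suspected, or reason to suspect
    damaging: bool = False                  # e.g. prolonged online-banking outage
    network: list[tuple[str, str]] = field(default_factory=list)  # (ip:port, timestamp)
    files: list[tuple[str, bytes]] = field(default_factory=list)  # (filename, content)


def sar_decision(event: CyberEvent) -> tuple[str, float]:
    """Return ("mandatory" | "voluntary" | "none", aggregate USD at risk)."""
    aggregate = float(sum(event.funds_at_risk_usd))
    if event.intended_to_affect_transactions and aggregate >= MANDATORY_THRESHOLD_USD:
        return "mandatory", aggregate
    # Below threshold, or purely disruptive: FinCEN encourages but does not require a SAR.
    if event.intended_to_affect_transactions or event.damaging:
        return "voluntary", aggregate
    return "none", aggregate


def to_utc(ts: str) -> str:
    """Normalize an ISO-8601 timestamp carrying an offset to 'YYYY-MM-DDTHH:MM:SSZ'.
    A naive timestamp is rejected: guessing the zone corrupts the evidence."""
    dt = datetime.fromisoformat(ts.replace("Z", "+00:00"))
    if dt.tzinfo is None:
        raise ValueError(f"timestamp lacks a UTC offset: {ts}")
    return dt.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")


def split_endpoint(endpoint: str) -> tuple[str, int]:
    """Parse 'a.b.c.d:port' or '[v6]:port', validating address and port."""
    host, _, port = endpoint.rpartition(":")
    addr = ipaddress.ip_address(host.strip("[]"))   # raises on malformed input
    port_no = int(port)
    if not 0 < port_no < 65536:
        raise ValueError(f"bad port in {endpoint}")
    return str(addr), port_no


def classify_hash(hex_digest: str) -> str:
    """Label a hex digest as MD5, SHA-1 or SHA-256 by length; reject anything else."""
    h = hex_digest.strip().lower()
    if not re.fullmatch(r"[0-9a-f]+", h) or len(h) not in HASH_TYPES:
        raise ValueError(f"not an MD5/SHA-1/SHA-256 hex digest: {hex_digest}")
    return HASH_TYPES[len(h)]


def hash_record(filename: str, content: bytes) -> dict:
    digest = hashlib.sha256(content).hexdigest()
    return {"filename": filename, "hash_type": classify_hash(digest), "hash": digest}


def build_cyber_fields(event: CyberEvent) -> dict:
    """Assemble the SAR decision plus normalized cyber-related information."""
    decision, aggregate = sar_decision(event)
    endpoints = []
    for ep, ts in event.network:
        ip, port = split_endpoint(ep)
        endpoints.append({"ip": ip, "port": port, "timestamp_utc": to_utc(ts)})
    return {
        "decision": decision,
        "aggregate_usd": aggregate,
        "source_destination": endpoints,
        "file_information": [hash_record(n, c) for n, c in event.files],
    }


# Constructed sample inputs mirroring the advisory's two examples.
MALWARE_INTRUSION = CyberEvent(
    description="malware intrusion; $500,000 of customer funds put at risk",
    funds_at_risk_usd=[500_000.0],
    intended_to_affect_transactions=True,
    network=[("198.51.100.23:443", "2017-01-31T09:15:00-05:00")],  # C2 node, local time
    files=[("dropper.exe", b"MZ constructed sample bytes, not real malware")],
)
DDOS_WITH_SMALL_WIRE = CyberEvent(
    description="DDoS masking an unauthorized $2,000 wire",
    funds_at_risk_usd=[2_000.0],
    intended_to_affect_transactions=True,
    damaging=True,
    network=[("[2001:db8::1]:80", "2017-01-31T14:15:00Z")],
)

if __name__ == "__main__":
    for ev in (MALWARE_INTRUSION, DDOS_WITH_SMALL_WIRE):
        print(ev.description, "->", build_cyber_fields(ev))
```

The point of `sar_decision` is the aggregation: three attempted transfers of $1,500, $2,000 and $1,600 tied to one intrusion sum to $5,100 and trigger a mandatory filing even though no single one crosses the threshold. The normalizers exist so the SAR narrative carries what the advisory asks for in a form law enforcement can correlate: timestamps converted to UTC rather than left in local time, addresses validated before they are written down, and hashes labelled with their algorithm.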

12 Interagency Guidance for Prepaid Cards
Presented by Patrick Burnett VP and Corporate Counsel Comdata

13 Overview On March 21, 2016, interagency guidance was promulgated by The Board of Governors of the Federal Reserve System (FRB), the Federal Deposit Insurance Corporation (FDIC), the National Credit Union Administration (NCUA), the Office of the Comptroller of the Currency (OCC), and the U.S. Department of Treasury’s Financial Crimes Enforcement Network (FinCEN) (collectively referred to as the “Agencies”) regarding prepaid access. The full text of this guidance may be found at:

14 CIP Rule In 2003, the Agencies issued the CIP rule that requires a bank to obtain information sufficient to form a reasonable belief regarding the identity of each “customer” opening a new “account.” The bank’s CIP must include risk-based procedures for verifying its customers’ identities to the extent reasonable and practicable. In particular, the CIP rule requires banks to implement a CIP that includes certain minimum requirements. CIP must include procedures for opening an account that, at a minimum, must include obtaining a name, date of birth, address, and identification number from a customer who is an individual. CIP must also include identity verification procedures that describe when and how the bank will verify the customer’s identity using documentary or non-documentary methods. CIP is subject to recordkeeping and notice requirements. New guidance clarifies the CIP requirements regarding prepaid cards issued by a financial institution.

15 Key Determinations The two key determinations for application of CIP in relation to prepaid cards revolve around who is the “customer” of the financial institution and whether an “account” relationship has been established. “Account” An “account” is defined in the CIP rule as “a formal banking relationship established to provide or engage in services, dealings, or other financial transactions, including a deposit account, a transaction or asset account, a credit account or other extension of credit.” An account does not include “products and services for which a formal banking relationship is not generally established with a person, such as check cashing, wire transfer, or the sale of a check or money order.” Certain prepaid cards exhibit characteristics that are analogous to deposit accounts. For purposes of the CIP rule, prepaid cards are accounts when: They provide the cardholder with the ability to reload funds; or They provide the cardholder with access to credit or overdraft features.

16 Cards that are accounts requiring CIP of the cardholder
General purpose prepaid cards may be reloaded by the cardholder or another party on behalf of the cardholder in a manner that is similar to the way in which funds can be added to a traditional deposit, asset, or transaction account. General purpose prepaid cards that permit withdrawals in excess of the card balance and also may provide the cardholder with access to an overdraft line or an established line of credit similar to a lender/borrower or credit card relationship. HSA Cards allow employee or employer contributions to the card balance and the employee establishes the account. Since the employee establishes the account, CIP must be performed on the employee.

17 Cards that are not “accounts” requiring CIP of the cardholder
Payroll cards where the employer (or the employer's agent) is the only person that may deposit funds into the payroll card account. In these cases, the employer should be considered the bank's customer for purposes of the CIP rule, and the bank need not apply its CIP to each employee. The employer should be considered to be the customer even if there are subaccounts that are attributable to each employee. However, if the employee is permitted to access credit through the card, or to reload the payroll card account from sources other than the employer, an account is established for the employee as well, and CIP will need to be conducted for the employee as well as the employer.

Government Benefit Cards issued under government benefit programs to distribute government benefits or other payments, if the government benefit card program permits only government funds to be loaded onto the card and does not provide access to credit. In addition, since the term "customer" does not include a department or agency of the United States, of any state, or of any political subdivision of any state, a bank that issues such a government benefit card is not required to apply its CIP to the government agency establishing the benefit card account. However, if the card allows non-government funds to be loaded onto the card or provides access to credit, then a customer relationship is established with the cardholder and CIP must be performed on the cardholder.

Flexible Spending Arrangements and Health Reimbursement Arrangements. Because no person other than the employer (or employer's agent) establishes an FSA or HRA, makes deposits into the FSA or HRA, and distributes funds from the FSA or HRA, the employer should be the issuing bank's customer for purposes of the CIP rule, and no CIP is required of the cardholder.

