Compliance Professional Resources
David DeMartino
212.257.6500 ext.1
ddemartino@compliancepros.net

October 2009

This issue's articles:

10 Ways to Avoid an Enforcement Action
Effective Staffing and Consulting Practices to Avoid or Remediate An Enforcement Action
Navigating a Cease & Desist Order
Employment, Labor and Benefits Alert
The Impact of E-Discovery on Record Retention Programs

10 Ways to Avoid an Enforcement Action
by David DeMartino, Managing Partner, Compliance Professional Resources, LLC

There are certainly critical areas that should be focused on when trying to protect your organization from being involved in an enforcement action. Here are 10 areas that you should focus on.

1) Always address the recommendations of the regulators from the previous audit. Too many times firms listen but do not react to the recommendations of the regulators. If a regulator tells you that it would be advisable to modify a policy or procedure, enhance staffing, deal with technology issues, or makes any other sound recommendation, that recommendation should be taken very seriously. Not taking action is a recipe for future problems.

2) Always upgrade your AML technology. AML technology vendors create major releases usually once a year. These releases are generally full of new methodologies to detect suspicious activities and in most cases should be acted upon. These changes are based upon peer best practices and, in many cases, regulator recommendations. Not upgrading your system on a consistent basis is like not upgrading your PC anti-virus software: after several cycles your anti-virus software would become irrelevant. Also, keep in mind that you may have an examiner who has just performed an exam for a bank that fits your operational blueprint, uses the same AML technology as you, and is running the latest vendor version. In that instance your organization would be at a disadvantage.

3) Maximize the technology you have. Today's AML technology has tremendous reach and capabilities. All too many times I find that FIs are only scratching the surface as it relates to the utilization of vendor capabilities that exist as standard capabilities within the application. Underutilization is a red flag for regulators!

4) Honing of BSA and OFAC algorithms. Over time ALL OFAC and BSA detection algorithms will drift. This is due to changes in the client mix and customer activity as well as shifts in technology algorithms. Therefore it is essential that a re-honing of your technology take place periodically. Consider it a tune-up for your AML system. Regulators expect that AML technology will maximize the find potential while minimizing the false positives. This is an investment that will save you time and money in the long run.

5) AML Gap assessments. As the regulations change or get tweaked, and examiners' expectations also change, it is essential that a full annual AML Gap assessment be performed that addresses any potential gaps or risks. Qualified AML consultants will be able to determine critical gaps vs. industry best practices. This is especially true when it comes to AML technology review.

6) Address all understaffing issues. Compliance management must insist that their respective departments are fully staffed. I have seen time and time again instances where organizations know that they are understaffed yet seem not to make the needed investment. Understaffing leads to overwhelming workloads and therefore human error. Regulators easily pick up on this, which is not a good position to be in.

7) Risk Assessments. All business lines need to be looked at from a risk assessment perspective. Poor EDD/KYC/CDD methodology will certainly lead to criticisms by the regulators; it is essential that a fair risk-based assessment be performed across all business lines. It makes sense to use outside consultants, who will give you a different viewpoint and business perspective.

8) Training. This is a must! It has to be up to date, performed annually, taken by everyone including executive management, and graded. I would steer away from self-training. Compliance managers who have to juggle day-to-day issues simply may not be up to date on all changes and issues. Additionally, outside training professionals tend to have a higher value proposition with staff.

9) Educate yourself and understand what your peers are doing. Go to every critical conference. Become a member of a local compliance group. Read all the trade publications. By doing this you will become an expert. You will see what your peers are doing or not doing. This education is invaluable and lends credibility with the examiners.

10) Err on the side of being conservative. When in doubt, go the extra mile; add the extra work and scrutiny to a process. It will pay dividends in the end. Remember: STOP PLAYING REGULATORY ROULETTE. Taking chances is not a recipe for success but one for potential disaster.
Effective Staffing and Consulting Practices to Avoid or Remediate An Enforcement Action
by Len Adams, CPC, Managing Partner, Compliance Professional Resources, LLC; CEO, Adams Consulting Group, LLC; Managing Partner, The ARD Group

There are many factors that lead to an enforcement action (EA) being levied against a financial institution. More often than not, one or several of the following are contributing factors:

Technology is oftentimes a culprit. Either the institution does not have the proper technology or, almost as often, has technology but is not utilizing it to its full capability. One of the main causes of this is either that staff has not received proper training with regard to the full capability of the technology or that staff has not kept up with current versions. One of the most effective ways to ensure this does not occur is to perform a Technology Utilization Review to determine what version of software is being used. As part of this review, staff members should be evaluated in terms of their knowledge of all the capabilities available from current technology. Remediation of shortcomings would include upgrading the technology to the most current versions, along with additional training to get staff "up to speed" on full utilization. This can be accomplished via the technology provider, in-house staff (if current on the technology) or outside consultants.

One of the more difficult components that can cause an EA is ineffective management, either at the most senior level or at the senior compliance level. A willingness to turn a blind eye, or an unwillingness to stand up to senior management at the local or head office level when it engages in practices that are contrary to US regulations, will result in serious fines and enforcement actions. One of the most effective ways to solve this issue is to engage a third party to perform an Independent Audit of Compliance activities. An independent review can serve to identify weaknesses in controls, transactional activity and management shortcomings. If performed on a timely basis and shortcomings are remediated, it will avoid an EA. If done post-EA, it will certainly assist in having the EA lifted in a timely manner.

Staffing, while a stand-alone factor, is one of the most critical of all the factors. Often, the reason for an EA can be traced back to improper training, an understaffed environment, improper use of technology or a poor match in the Senior Compliance role. Every staff member must be closely reviewed to determine if and where a "weak link" occurs. Once that weak link is isolated, proper remediation from a staffing viewpoint must be addressed. This remediation can include replacing staff members who have been ineffective. This can be determined by completing a Staffing Audit. An audit of this type would include a review of all job descriptions, performance reviews, and interviews with internal staff to identify weaknesses in skills, motivation, etc. This review would also identify optimal staffing levels to ensure that existing staff is not stretched too thin, as well as to ensure that positions are filled with the correct skill sets. If an EA is levied, it is a generally accepted practice to bring in outside staff to perform a Transactional Review, to determine why and how questionable activities may have occurred. This can be accomplished via a look-back process, completed by independent third parties.

Another component that can lead to an EA is an outdated Policies & Procedures manual. In many cases, if policies and procedures with regard to compliance have not been kept up to date with current regulations, and these updates have NOT been conveyed to staff, an institution is running the risk of engaging in activities that will run afoul of the regulators. The most effective method to ensure that this does not occur is to perform a comprehensive review of current policies and procedures as they relate to the most current regulations. This is ideally performed by an independent third party.

Training, or the lack thereof, is another very important issue that must be considered, particularly if there has been any staff turnover. Unfortunately, far too many financial institutions fail to perform continuous training. Moreover, when bringing in additional staff, training cycles may have been missed, causing a lack of effective knowledge transfer. The best method to ensure that this does not occur is:
Navigating a Cease & Desist Order (As a Small Fish in a Big Pond)
by Carl Cheek, AML/BSA Consultant

I don't believe there is a financial institution that expects to find itself the target of a Memorandum of Understanding (MOU) or a Cease & Desist Order issued by a Federal or State regulatory jurisdiction. However, should you find yourself in this position, or just want to avoid the pitfalls and costs to your company and its reputation, then perhaps my experience may help you to navigate through the darkest of these corporate times.

Financial institutions that have been named in a Cease & Desist Order, commonly referred to as a Consent Order ("CO") because of the signed agreement between the parties, are now publicly listed as a "Troubled Bank," severely limiting the bank's ability to expand business, deviate from its current banking and investment obligations, or make any modifications to the bank's existing core systems. Any changes at this point must be made with the express authorization of the issuing regulators.

I found that most banks under a consent order were cited for non-compliance issues (malum prohibitum), as opposed to criminal intent to violate US law. The banks in this situation appear to have failed to have an adequate and effective compliance program to properly monitor, warehouse, and analyze transactional data, a strong Customer Identification Program ("CIP"), or a comprehensive Consumer Compliance program in place. Conversely, you can have a high-end compliance network, but the lack of experienced personnel can unwittingly undermine the best-laid plans of a compliance department.

The MOU is usually the Government's first step of the legal action naming your institution as a troubled bank, and citing areas that need immediate attention and corrective actions. By signing the MOU, you basically stipulate to the facts and agree that your institution recognizes the deficiencies cited within the articles of the CO, but that you neither admit nor deny any wrongdoing at this time. As such, the subject bank is now the focus of the Regulator, who closely monitors the bank's daily operations and ensures that all articles cited within the C.O. are met. The articles list the bank's deficiencies and mandate the corrective actions needed within a fixed period of time. Prior to the lifting of a C.O., the bank must demonstrate that it has corrected these deficiencies through independent sources, and maintain "Sustainability" in the corrective actions implemented, which can perpetuate through several annual audit cycles. Don't expect a quick resolution, because the wheels of justice move slowly; you, on the other hand, are expected to move quickly and immediately respond to all matters requiring attention. Basically, what it comes down to is that the bank is frozen in time until the C.O. is lifted.

It's most certain that a compliance system and methodology recognized as deficient by the regulators will lead to one of the articles calling for a "Look-back" review of one or more years of transactional static data. The review is intended to identify suspicious transactions that most likely were missed during the initial compliance monitoring process. This is a very costly endeavor for the bank and should be budgeted accordingly. Typically, most Look-back projects consist of between 1 and 100 analysts, driven by the size of the bank, with an average cost of $250.00 - $300.00 per hour for each consultant hired. Also, depending on the volume of wires and the complexity of the transactions, the project may run between 3 and 6 months, or longer. Needless to say, this will affect the institution's annual earnings, because the bank will be prohibited from increasing business to offset these expenses while the order is in place.

Additionally, under these circumstances the regulators are likely to issue an article requiring the bank to contract an independent accounting firm who will plan a full-scope audit schedule on an annual basis. These audits will cover all facets of your Bank Secrecy Act ("BSA") requirements and consumer compliance programs, including lending, deposits, intermediary wires, asset quality, credit reviews, payroll and personnel, etc. The independent accounting firm hired must be accredited and approved by your regulator prior to the engagement. Had your bank only been required to conduct internal audits in the past, you will now incur the added expense of this service. Notably, it's important to understand that I fully support the engagement of an independent public accounting firm, especially under these conditions, to assist in correcting the course of the financial institution's internal controls, policies and procedures. Under the scope of the C.O. the bank may also be required to replace selected management personnel, and hire a qualified BSA Officer. These management positions must be approved by your regulator within 90 days of their starting date.

In March of 2007, I was employed by an international bank that maintained a small branch presence in the U.S., but was one of hundreds of branches and affiliates worldwide. My engagement was contingent upon several factors: to lead the bank through an enforcement action by the bank's regulators, the issuing agency of the bank's 2004 imposed Cease and Desist order; to gather an experienced team of analysts and perform a mandated two-year Look-back project of transactional static data; to create an automated compliance hub to warehouse, monitor and analyze all transaction data of the bank's many financial products; and to ensure that the bank maintains and updates its Policies & Procedures in conjunction with the bank's improvements, while seeking Board approval of said changes on an annual basis. Naturally, to ensure continued compliance I needed to implement internal testing of our BSA and Compliance programs, and install training for all bank employees with online software that enables management to tailor the training material to each department's specific needs. Sounds easy, right? However, those of us who are familiar with this experience know the long and arduous task involved in the lifting of a C.O. and mitigating the potential Civil Monetary Penalty ("CMP") that seems to loom over the bank like a dark cloud.

Removing the C.O. isn't science, but a steadfast focus on changing the culture of the bank and its response to the regulator's findings and recommendations. Transparency is paramount, and an honest approach is the best approach. In my prior life as a Special Agent for the U.S. Treasury Department, I was required to testify in criminal cases, and at times during cross-examination a question would be raised that would seem to hurt the prosecution's case. I found that by answering these questions honestly, regardless of the short-term damage and effect, it would inevitably lend to my credibility over the course of the trial, which in most cases ended in convictions. This holds true in your response to the regulators. If you don't remember anything else about this article, remember this one consequential point: it's not the act but the cover-up that will hurt your bank the most. Recognize the error, be transparent and make a concerted effort to correct the error while the regulators are still on site, or immediately thereafter.

Remember, as a Foreign Bank Organization (FBO), a C.O. will not only affect your combined (ROCA) ratings, but will heighten your CAMELS risk assessment fees, which will increase the bank's cost of doing business. The lifting of the court order is a total team effort, and can only be accomplished through the unwavering support of your institution; without the support of these principles you will most likely fail. And with failure comes the potential loss of the bank's Charter, Civil Monetary Penalties, or worse. One consequence is certain: it will damage the bank's reputation, which is immeasurable in terms of revenue and ability to expand future market share. As a result of our efforts, the bank's Federal Regulators lifted the four-year-old Consent Order, and in their final ruling chose not to issue our bank a Civil Monetary Penalty.
Employment, Labor and Benefits Alert: New York Employers Should Begin Issuing Offer Letters to All New Hires To Comply with Amended Provisions of the New York Labor Law
by Richard Block, Mintz Levin

Effective October 26, 2009, New York employers will be obligated to notify new employees, in writing, about certain terms and conditions of employment, and to obtain an employee's written acknowledgement confirming his or her receipt of this information. Employers that do not comply with the new law are subject to monetary penalties. As a practical matter, employers would be well served by addressing these terms and conditions of employment at the outset of the relationship, to avoid future disagreements with employees.

What To Include and When To Send

Beginning October 26, 2009, amended Labor Law §195 will require that an employer notify new employees, at the time of hiring and in writing, about the following:

Additionally, employers must obtain from each new employee a written acknowledgement confirming that he or she received the foregoing information. The acknowledgment must satisfy any content and form requirements that the Commissioner of Labor will publish.

Penalties of Noncompliance

If the Commissioner of Labor determines that an employer has not complied with amended §195, he or she may issue a compliance order to the employer and the following monetary penalties, as applicable: 1) $1,000 for the first violation; 2) $2,000 for the second violation; and 3) $3,000 for the third or subsequent violation. (N.Y. Lab. Law §218(1)).

Best Practices

Where an employee acknowledges, in writing, his or her receipt of a notice specifying the regular and overtime rate of pay and the pay day, the possibility of a future disagreement concerning the terms and conditions of employment is diminished. Thus, providing new employees with this information is advisable as a best practice for employers, even aside from the prospect of having to pay statutory penalties for noncompliance with §195. Although amended §195 does not become effective until October 26, 2009, employers should consider crafting compliant offer letters immediately. In addition, beginning October 26, 2009, employers should get, from each new employee, a written acknowledgment that satisfies any content and form requirements that the Commissioner of Labor publishes. For assistance in this area, please contact a member of your Mintz Levin client service team at www.Mintz.com.
The Impact of E-Discovery on Record Retention Programs
by Michael Guarino, Esq., CRCM, Metropolitan National Bank, Operations Risk Management

Requests for Production of Electronic Records & Files ("E-Discovery")

Under the E-SIGN Act (the "Act"), which became effective March 1, 2001, an electronic record[1] can satisfy most legal record retention requirements for contracts or other records[2] (including requirements that a record must be retained in its original form) provided that it complies with the applicable criteria. An electronic record that meets these standards will satisfy a legal requirement that a contract or other record (such as a consumer disclosure) must be retained in writing (15 USC 7001(d)). As a result of the 2006 amendments to the Federal Rules of Civil Procedure ("FRCP"), several key issues for banks and other holders of records in electronic form were addressed in the context of litigation and subpoena requests for information. Rules of "E-Discovery" were formalized, based upon the following concepts:

These provisions, and the requirement to provide all records on a "timely retrieval" basis established by the courts and expected by regulators, impact how all records are stored and destroyed or deleted for many types of financial record keepers. However, a key component that is often neglected is the need to establish a "Hold" provision in order to delay the pending destruction/deletion of paper or electronic files upon notice of litigation, a subpoena or a regulatory inquiry. Under the amended FRCP, the requesting party has a right to the metadata as part of the right to an electronic record; metadata is quickly evolving into a key discovery tool in tracking the genesis of documents, which can sometimes make or break a case.

Managing Your E-Discovery Risks

Failure to comply with these responsibilities can subject a bank to a variety of risks (e.g., inadvertent or inappropriate destruction, disposal or misplacement of records; failure to timely destroy or reply to a required production; unauthorized intrusion or alteration; etc.), due to the varying and sometimes complex modes in which bank records are maintained internally and with outside service providers. An additional concern can arise even when fully complying with these requirements and related procedures: the required but unintended disclosure of negative information, either about the bank or your customer, contained in records that should have been destroyed according to legal/regulatory or internal Record Retention guidelines. Once the bank is served with notice of the litigation or subpoena, your 'legal hold' process must be triggered, and such records identified as related to the matter must be preserved and produced in court or to a regulator. Accordingly, the Bank's E-Discovery and record retention practices should be subject to robust and ongoing risk management oversight. Strong policy guidelines are of particular importance when a bank conducts such activities in numerous locations and in various modes, and should include, at a minimum:

Through the approval of a comprehensive Program by the Board or its designated Committee, as well as ongoing oversight by management of the day-to-day process, the interests of a bank, its corporate parent and subsidiaries, as well as those of their respective customers, will be better served in meeting these requirements. The recent flurry of cases resulting in sanctions totaling millions of dollars for failure to follow such procedures is a clear barometer of the level of scrutiny and the need to proactively address these issues.

[1] Under the Act, an "electronic record" is a contract or other record created, generated, communicated, or stored by electronic means.
[2] Checks and other negotiable instruments governed by the Uniform Commercial Code are specifically excluded from the Act. For background on the legal status of and requirements for electronic images of checks, see Check 21 Act, Pub. L. No. 108-100, 117 Stat. 1177 (codified at 12 USC 5001-5018).
About CPR
CPR is a unique regulatory compliance services firm: a unique blend of compliance recruiting services (executive, permanent, and temporary) and compliance consulting services. Add in managing partners who have essentially pioneered the industry, and CPR is clearly a leader in the Regulatory Compliance service space. Our commitment to excellence in all phases of our business is unparalleled. As it relates to recruiting, we will provide you with the best, most skilled candidates; we work tirelessly to get the right person, after we completely understand your needs. Our compliance consulting services are surgically focused on getting the job done as expeditiously as possible, and without crippling your budget. We only provide seasoned and experienced consultants, always with the correct skill sets. Our goal is to get it right the first time.
www.compliancepros.net