Categories
Compliance Kitchen

Additional Sanctions on Russia


The State Department published a fact sheet of additional sanctions on Russia in connection with the Navalny poisoning. The Kitchen summarizes the latest restrictions.

Categories
Daily Compliance News

September 16, 2021 the $114 Million edition


In today’s edition of Daily Compliance News:

  • FBI failures in Nassar probe. (Houston Chronicle)
  • SEC awards 2 whistleblowers $114MM? (WSJ)
  • Lawyer arranged hit, on himself. (BBC)
  • DOJ alleges fraud in medical analytics. (NPR)
Categories
Life with GDPR

To Pay or Not to Pay

In this episode, Jonathan Armstrong and Tom Fox are back to discuss issues relating to data privacy, data protection and GDPR. The topic is the always difficult decision of whether to pay or not to pay a ransomware demand.

Some of the questions we consider include:

  1. How does a ransomware attack occur?
  2. What are the potential legal and commercial risks of paying ransoms?
  3. What about specific new laws to ban ransomware payments?
  4. What should you do if your organization is faced with a ransomware attack?
  5. What can you do to guard against a ransomware attack?

Resources
Check out the Cordery Compliance client alert on this topic by clicking here. For more information on Cordery Compliance, go to their website here. Also check out the GDPR Navigator, one of the top resources for GDPR compliance, by clicking here.

Categories
Blog

Culture, Training and Compliance – Part 2

I recently had the chance to visit with Koby Bambilia, Managing Director, at K2 Integrity. We discussed skills development and regulatory changes, together with tailored and risk-based training. Bambilia has an interesting perspective on compliance training because of his unique background in the field. In addition to being a former compliance professional, he is also a former prosecutor. You do not often see that combination in a person specializing in compliance training. We started with the basic concept of training, which in any regulatory guidance, whether here in the US or abroad, is always considered by the regulators to be one of the pillars of a Bank Secrecy Act (BSA) compliance program.
Skills Development and Meeting Regulatory Needs
Bambilia emphasized the regulators’ expectations for skills training. He has increasingly seen that “regulators are looking at the skills and career paths of bank employees. In other words, do the employees in their specific roles have the right set of knowledge, skills, and expertise to carry out their compliance responsibilities?” This has moved beyond strictly “compliance related roles but business-oriented roles as well.” He provided some examples such as private banking, loan officers, tellers, trade finance functions and correspondent banking departments. He stated, “The examiners will sample and check what experience and skills such employees have and what type of training they have received.” This led Bambilia to conclude, “thinking critically about whether the employees in key roles possess the right set of skills and expertise should guide institutions as they develop their training program, especially the long-term ones.”
I asked Bambilia if he could provide an example of such a situation. He recalled one institution where he worked which had more than 13,000 employees. As you might expect, there were multiple training requirements for employees. One of the challenges faced by the compliance function was how to verify all employees had completed the compliance training. Some 93% of employees completed compliance training, so the challenge was to reach the remaining 7%. As Bambilia remarked, “We understood that it must be dealt with, and sometimes you have to take drastic measures to demonstrate that you are serious about compliance and serious when it comes to addressing the regulatory expectations around compliance training.”
The compliance department went to the Board and proposed that any employee not completing their required compliance training would receive a 33.3% cut to their annual bonus. This stick approach worked and the completion numbers went up to 98%. What about the remaining 2%? They lost 33.3% of their annual discretionary bonus. The result was that the completion rate for compliance training then went up to 100%. But completion rates on employee compliance training are not enough, as Bambilia said the regulators also want to see that the “compliance function has the right set of skills needed to perform their respective roles and duties. So, it’s something to think about and be prepared for before your next examination.”
We concluded our discussion by considering whether finding solutions for compliance training “workarounds” or lack of employee participation has improved or dropped. Bambilia began by noting a very important aspect of compliance training, “with the right approach employees can be educated that training is not a form of punishment but actually a valuable tool which can help them do their job right. This is critical in keeping institutions ‘out of trouble.’” As Bambilia further explained, one of the functions of compliance is to “protect the Bank and the clients but it is also there to protect employees. And employees knowing through training what they have to do will keep them safe.”
Bambilia believes that now there are “better systems for e-learning and training solutions to ensure people are actually taking and completing these trainings. These systems can track, check the number of tries for passing the exam and even send the reminders.” Finally, institutions are moving toward more bite-sized training (See: Espresso Training Shots). Bambilia explained that this means training need not be an entire day or week course but can be something that fits within the regular workday, which is even more applicable in today’s environment, where most of us are working remotely, either in full or in hybrid mode.
Tailored and Risk-Based Training
We next turned to why tailored and risk-based training is now so critical. Getting ahead of regulators and ensuring your institution has skills-based training is critical. But more than this, regulators now want to see specific risk-based training, tailored to individual needs. This approach is not limited to financial institution regulators; the US Department of Justice (DOJ), Securities and Exchange Commission (SEC), FinCEN, and Office of Foreign Assets Control (OFAC) also favor it. Initially, he noted that an institution cannot have blanket training without follow-up training on specific job functions.
Different employee classifications have different needs. Bank tellers need to know more about cash transactions and regulatory requirements, such as the Currency Transaction Report (CTR) and pouch activities. This is obviously different from private wealth managers. Employees in trade finance departments need to know more than others about sanctions and embargoes. Moving on to third-party relationships, correspondent banking departments need to know, for example, the red flags for nested accounts. Private bankers, who are covered under the Foreign Account Tax Compliance Act (FATCA), must be trained on the law so they can be more vigilant in detecting tax evasion.
The key is that each group requires its unique training and since every institution has a different set of risks, institutions should understand that one form of training cannot fit all situations. Tailored training is a key element and, as Bambilia noted, “a universal one, regardless of the institution’s size, risks, and resources. The example of the examiner saying training is like a burger…demonstrates the need to assure proper and tailored training throughout the institution.” The bottom line is that there is no one training model which will fit all your employees.
Training begins, literally, at the beginning, with the requirement that a compliance professional must know the risk profile of an organization, where the blind spots may be, and what exposures may emerge. Obviously, the past year during Covid-19 brought new risks in the working-from-home environment, and those risks are changing again as we return to work. Your risk profile would include the types of products and services the institution provides. If you do not have correspondent banking accounts and your bank does not provide banking services to other financial institutions, correspondent banking related training may not be relevant. Similarly, if you are a financial investment institution and do not deal with cash, you do not need to train on those requirements. Yet as risks change and new threats emerge, it is important to equip your operational teams on the front lines with the skills to manage these changes, which can be triggered either by a new regulation or by a new product or service your institution wants to provide going forward. A compliance professional must continually assess compliance risks. Here Bambilia recommends having regular ongoing communication with the “‘field’, don’t just stay at the headquarters and send emails – go visit some of the branches, and some of the departments; you get valuable insights.”
Bambilia concluded that it “may feel like a heavy lift up front, it can pay its dividends – not just from a compliance perspective but also from an angle of operational efficiencies – you are assuring that your operation and IT staff know what to do going forward. If they know what to do – that will save a lot of pain and effort on their side, but also for you as a compliance officer.”
K2 Integrity has developed an online training platform and resource center, Dedicated Online Financial Integrity Network (DOLFIN), to help clients with their training requirements and provide more diverse options for training content and modalities. Find out more about DOLFIN here. For more information on K2 Integrity click here.

Categories
Innovation in Compliance

Integrity Matters: Culture, Training and Compliance – Part 4: Tailored and Risked Based Training

Welcome to this special podcast series, Integrity Matters: Culture, Training and Compliance, sponsored by K2 Integrity. This week I visit with Koby Bambilia, Managing Director, and Tina Rampino, Associate Managing Director. Over the series, we break down corporate culture, compliance training and communications. Topics include breaking down the big picture on culture, espresso shots of training, skills development and regulatory changes, tailored and risk-based training and operational aspects of training. In Part 4, I am joined by Koby Bambilia to discuss why tailored and risk-based training is so critical now.

In this episode we went into the weeds of specific tailored and risk-based training. Getting ahead of regulators and ensuring your institution has skills-based training is critical. But more than this, regulators now want to see specific risk-based training, tailored to individual needs. This approach is not limited to financial institution regulators; the US Department of Justice (DOJ), Securities and Exchange Commission (SEC), FinCEN, and Office of Foreign Assets Control (OFAC) also favor it. I asked Bambilia if he could provide some examples from the world of financial institutions and financial services firms. Initially, he noted that an institution cannot have blanket training without follow-up training on specific job functions.
Different employee classifications have different needs. Bank tellers need to know more about cash transactions and regulatory requirements, such as the Currency Transaction Report (CTR) and pouch activities. This is obviously different from private wealth managers. Employees in trade finance departments need to know more than others about sanctions and embargoes. Moving on to third-party relationships, correspondent banking departments need to know, for example, the red flags for nested accounts. Private bankers, who are covered under the Foreign Account Tax Compliance Act (FATCA), must be trained on the law so they can be more vigilant in detecting tax evasion.
The key is that each group requires its unique training and since every institution has a different set of risks, institutions should understand that one form of training cannot fit all situations. Tailored training is a key element and, as Bambilia noted, “a universal one, regardless of the institution’s size, risks, and resources. The example of the examiner saying training is like a burger…demonstrates the need to assure proper and tailored training throughout the institution.” The bottom line is that there is no one training model which will fit all your employees.
Training begins, literally, at the beginning, with the requirement that a compliance professional must know the risk profile of an organization, where the blind spots may be, and what exposures may emerge. Obviously, the past year during Covid-19 brought new risks in the working-from-home environment, and those risks are changing again as we return to work. Your risk profile would include the types of products and services the institution provides. If you do not have correspondent banking accounts and your bank does not provide banking services to other financial institutions, correspondent banking related training may not be relevant. Similarly, if you are a financial investment institution and do not deal with cash, you do not need to train on those requirements. Yet as risks change and new threats emerge, it is important to equip your operational teams on the front lines with the skills to manage these changes, which can be triggered either by a new regulation or by a new product or service your institution wants to provide going forward. A compliance professional must continually assess compliance risks. Here Bambilia recommends having regular ongoing communication with the “‘field’, don’t just stay at the headquarters and send emails – go visit some of the branches, and some of the departments; you get valuable insights.”
Bambilia provided a couple of specific examples. In July 2017, FinCEN announced changes to the CTR Form 104, which included some fundamental changes and significant modifications to the CTR batch submissions. The client understood the importance of ensuring their relevant staff fully understood the new requirements and asked us to conduct in-person training sessions for the relevant departments. Bambilia related, “this pro-active approach gained some priceless credit points at the very next regulatory examination, when examiners asked specifically to review how the Bank dealt with these new regulatory obligations.”
Bambilia pointed to another example, FATCA, a massive regulation imposed mostly on non-US financial institutions that had a tremendous impact on almost every aspect of a bank’s operations. One of the first challenges was how to introduce 500+ pages of new regulation to employees. One way Bambilia and his compliance team did so was to create “animated video clips of no more than 120 seconds which jumped into the employee’s screens once a month and while not interfering with their daily work – we got really good feedback on how they made the new regulation more manageable and understandable.”
Bambilia concluded that it “may feel like a heavy lift up front, it can pay its dividends – not just from a compliance perspective but also from an angle of operational efficiencies – you are assuring that your operation and IT staff know what to do going forward. If they know what to do – that will save a lot of pain and effort on their side, but also for you as a compliance officer.”
K2 Integrity has developed an online training platform and resource center, Dedicated Online Financial Integrity Network (DOLFIN), to help clients with their training requirements and provide more diverse options for training content and modalities. Find out more about DOLFIN here. For more information on K2 Integrity click here.