Categories
Blog

AML Trends for 2022

I recently had the chance to visit with Koby Bambilia, Managing Director at K2 Integrity. We looked at some key anti-money laundering (AML) trends in 2021 and how they might impact AML investigations, prevention and enforcement going forward into 2022. We consider the impact to-date from the passage of the AML Law of 2020 then move to some of the key questions on AML going into 2022. Has COVID and the global crises created shifts which allowed bad actors take advantage of the financial system? Finally, what are some of the key risks to mitigate these risks and get ahead of the rule making as we head into 2022?
We began by considering the focus of Department of Treasury (Treasury) and its regulators. Here there are several topics that were given priority as part of the national Strategy for Countering Corruption, terrorism and other illicit activities. These priorities include cybercrime, virtual foreign currency, domestic terror financing, criminal organizations, human trafficking, smuggling, drug trafficking, corruption, fraud and proliferation financing. Bambilia related, “we can easily see that the list is quite extensive yet. There is something in common for all these priorities. If you look at the priorities, they include predicate crimes that generate illicit funds thought assets, which allows criminal actors to launder through the financial system.” As money laundering is linked to all these priorities it remains a priority.
Bambilia believes financial institutions need to incorporate these AML priorities into their risk-based Bank Secrecy Act (BSA) compliance programs by assessing the potential risk associated with the client base, the products and service services they offer, in conjunction with their geographic areas and countries of operations. Bambilia believes that government examiners will soon ask to see and review what steps banks and financial institutions have taken with regards to these priorities. In other words, whatever steps you take Document, Document, and Document so you can show the regulators when they come knocking.
As Treasury continues to issue regulations stemming from the AML Law of 2020, banks and financial institutions should be prepared to face new and revised beneficial ownerships and obligations in 2022. Bambilia believes, “December’s proposed rule to implement the Corporate Transparency Act, gave us all the preview into the Treasury Department’s mind and approach to developing a national registry of beneficial ownership information.” Moreover, this should also act as a reminder to meticulously follow the Beneficial Ownership Rule, which requires covered financial institutions to identify beneficial owners of each customer at the time a new account is being opened and to determine the true and official owners based on both the control and ownership prongs. Bambilia also noted, “looking ahead into 2022, beyond the immediate implications, the proposed rule will also require changes to existing customer due diligence obligations for financial institutions.” Finally, they will most probably be the subject of a future FinCEN rule making.
It is clear that COVID-19 had immense impact on everything relating to illegal activities and bad actors. Ransomware is the tool most bad actors are using, even with financial institutions. Bambilia related, “those nefarious actors are probing to obtain both customer and commercial credentials, as well as proprietary information to defraud financial institutions and to disrupt business functions.” Interestingly, Bambilia and colleagues observed a significant increase in criminal attempts to exploit the pandemic through phishing campaigns and business extortions, email compromise and traditional fraud schemes.
Tying all this back to our initial discussion, the proceeds of these activities are being channeled and funneled through the regular banking and financial systems. This puts a higher burden on financial institutions as they are uniquely positioned to observe and detect the suspicious activity that results from cybercrime. Now they are required to report it through the normal channels of Suspicious Activity Report. This has led to an increased need for financial institutions to process, review and monitor transactions that go through their system and evaluate those transactions with a sufficient and comprehensive set of skills required to identify the illegal activities and to properly report it to authorities.
Just as ransomware attacks have become more ubiquitous so have ransomware payments. In September 2021, OFAC issued an updated advisory on potential sanction risks for facilitating ransomware payments, which is specifically designed to disrupting criminal networks and virtual currency exchanges responsible for laundering these ransom payments to encourage improved cyber security across all sectors, including the banking industry. Bambilia said this “emphasized the need to properly report ransomware incidents and related sanctions to US government agencies, including both Treasury and law enforcement.” It also re-emphasized the need to properly monitor bank transactions for potential illegal activities.
We turned to a discussion of what businesses and financial institutions need to do to prepare for the upcoming regulations and increased enforcement. Bambilia emphasized that a strong compliance program for AML, BSA and sanctions is the best place to start and build upon going forward. Bambilia laid them out as follows:

  • First, make sure that your policies and procedures adequately address the new regulations, then update and validate your BSA risk assessment accordingly. Your risk assessment should consider factors like banks, products and services, customer entities and geographic locations and operating jurisdictions.
  • Second, a designated individual that is responsible for the day-to-day compliance and who is familiar with the new requirements, who has the full support of both senior management and the Board of Directors to manage these changes.
  • Third, update your current system of internal controls to reflect the change in regulation, then monitor and update as appropriate. Your controls testing should help you determine if your internal controls can effectively detect and identify possible breaches of your policies and procedures.
  • Fourth, work together with your internal audit function to assure their yearly audits to assess the effectiveness of the updated compliance program.
  • Fifth, training. Here Bambilia re-emphasized the importance of training via properly tailored and targeted trainings. They constitute a key element in the ability to successfully implement any new policies, procedures and controls for any new regulations.

We ended  by recognizing that it is up to all employees, not simply the compliance function, to be a part of these new efforts. Employees need to understand their role on the first line of defense and how to report up violations or raise their collective hands to ask for information as AML regulations continue to evolve. COVID-19 has impacted compliance functions in many ways so compliance will have to re-double its efforts as well. Banks and financial institutions must commit the requisite resources to upgrading their compliance programs to meet these new regulatory requirements as well.
Bambilia concluded, “I will end by saying that the world of financial crimes continues to evolve. And our thinking must be as always one step ahead of those looking to take advantage of our financial systems. It is not just about identifying it, understanding today’s threats, but also being prepared for the threats of tomorrow.”
Check out the K2 Integrity website here. Check out my full interview of Koby Bambilia here.

Categories
Blog

Culture, Training and Compliance – Part 2

I recently had the chance to visit with Koby Bambilia, Managing Director, at K2 Integrity. We discussed skills development and regulatory changes, together with tailored and risked based training. Bambilia has an interesting perspective on compliance training because of his unique background in the field. In addition to being a former compliance professional, he is also a former prosecutor. You do not often see that combination in a person specializing in compliance training.  We started with the basic concept of training – in any regulatory guidance, both here in the US or abroad, which is always considered by the regulators as one of the pillars of Bank Secrecy Act (BSA) compliance program.
 Skills Development and Meeting Regulatory Needs
Bambilia emphasized the regulators’ expectations for skills training. He has increasingly seen that “regulators are looking at the skills and career paths of bank employees. In other words, do the employees in their specific roles have the right set of knowledge, skills, and expertise to carry out their compliance responsibilities?” This has moved beyond strictly “compliance related roles but business-oriented roles as well.” He provided some examples such as private banking, loan officers, tellers, trade finance functions and correspondent banking departments. He stated, “The examiners will sample and check what experience and skills such employees have and what type of training they have received.” This led Bambilia to conclude, “thinking critically about whether the employees in key roles possess the right set of skills and expertise should guide institutions as they develop their training program, especially the long-term ones.”
I asked Bambilia if he could provide an example of such a situation. He recalled one institution where he worked which had more than 13,000 employees. As you might expect, there were multiple training requirements for employees. One of the challenges faced by the compliance function was how to verify all employees had completed the compliance training. Some 93% of employees completed compliance training so the challenge was to reach the remaining 7%. As Bambilia remarked, “We understood that it must be dealt with, and sometimes you have to take drastic measures to demonstrate that you are serious about compliance and serious when it comes addressing the regulatory expectations around compliance training.”
The compliance department went to the Board and proposed that any employee not completing their required compliance training would receive a 33.3% cut of the annual bonus. This stick approach worked and the completion numbers when up to 98%. What about the remaining 2%? They lost 33.3% of their annual discretionary bonus. The result was the next the completion rate for compliance training went up to 100%. But completion rates on employee compliance training are not enough as Bambilia said the regulators also want to see that the “compliance function has the right set of skills needed to perform their respective roles and duties. So, it’s something to think about and be prepared for before your next examination.”
We concluded our discussion by considering if finding solutions for compliance training “workarounds” or lack of employee participation has improved or dropped. Bambilia began by noting a very important aspect of compliance training, “with the right approach employees can be educated that training is not a form of punishment but actually a valuable tool which can help them do their job right. This is critical in keeping institutions “out of trouble.”” As Bambilia further explained, one of the functions of compliance is to “protect the Bank and the clients but it is also there to protect employees. And employees knowing through training what they have to do will keep them safe.”
Bambilia believes that now there are “better systems for e-learning and training solutions to ensure people are actually taking and completing these trainings. These systems can track, check the number of tries for passing the exam and even send the reminders.” Finally, institutions are moving toward more bite sized training (See: Espresso Training Shots). Bambilia explained that this can lead to not an entire day/week course but something that can fit within the regular workday; and this is even more applicable in today’s environment where most of us are working remotely, either in full or in hybrid mode.
Tailored and Risked Based Training
We next turned to why tailored and risked based training is so now critical. Getting ahead of regulators and ensuring your institution has skills-based trainings is critical. But more than this, regulators now want to see specific risk-based training, tailored to individual needs. This approach is not limited to financial institution regulators but the US Department of Justice (DOJ), Securities and Exchange Commission (SEC), FinCEN, Office of Foreign Asset Control (OFAC) also favor this approach. Initially, he noted that an institution cannot have a blanket training without follow-up trainings on specific job functions.
Some of the different needs for different employee classifications include bank tellers, who need to know more about cash transactions and regulatory requirements, such as Currency Transaction Report (CTR) and pouch activities. This is obviously different from private wealth managers. Employees in trade finance departments need to know more than others on sanctions and embargoes. Moving on to third party relationships, correspondent banking departments need to know, for example, the red flags for nested accounts. Private bankers, who are covered under the Foreign Account Tax Compliance Act (FATCA), must be trained on the law so they can be more vigilant and aware for detecting tax evasions.
The key is that each group requires its unique training and since every institution has a different set of risks, institutions should understand that one form of training cannot fit all situations. Tailored training is a key element and, as Bambilia noted, “a universal one, regardless of the institution’s size, risks, and resources. The example of the examiner saying training is like a burger…demonstrates the need to assure proper and tailored training throughout the institution.” The bottom line is that there is no one training model which will fit all your employees.
Training begins, literally at the beginning with the requirement that a compliance professional must know the risk-profile of an organization, where the blind spots may be, and what exposures may emerge. Obviously, the past year during Covid-19 brought new risks in the working from home environment and those risks are changing again as we return to work. Your risk profile would include the types of products and services the institution provides. If you do not have corresponding banking accounts and your bank does not provide banking services to other financial institutions – and in this case corresponding bank related training may not be relevant. Similarly, if you are a financial investment institution and do not deal with cash, you do not need to train on those requirements. Yet as risks change and new threats emerge, it is important to equip your operational teams on the front lines with the skills to manage these changes, which can be triggered either by a new regulation or by a new product or service your institution wants to provide going forward. A compliance professional must continually assess compliance risks. Here Bambilia recommends having regular ongoing communication with the ““field”, don’t just stay at the headquarters and send emails – go visit some of the branches, and some of the departments; you get valuable insights.”
Bambilia concluded that it “may feel like a heavy lift up front, it can pay its dividends – not just from a compliance perspective but also from an angle of operational efficiencies – you are assuring that your operation and IT staff know what to do going forward. If they know what to do – that will save a lot of pain and effort on their side, but also for you as a compliance officer.”
K2 Integrity has developed an online training platform and resource center, Dedicated Online Financial Integrity Network (DOLFIN), to help clients with their training requirements and provide more diverse options for training content and modalities. Find out more about DOLFIN here. For more information on K2 Integrity click here.

Categories
Innovation in Compliance

Integrity Matters: Culture, Training and Compliance – Part 3: Skills Development and Meeting Regulatory Needs

Welcome to this special podcast series, Integrity Matters: Culture, Training and Compliance, sponsored by K2 Integrity. This week I visit with Koby Bambilia, Managing Director, and Tina Rampino, Associate Managing Director. Over this series, we are breaking down corporate culture, compliance training and communications by discussing topics such as breaking down the big picture on culture, espresso shots of training, skills development and regulatory changes, tailored and risked based training and operational aspects of training. In Part 3, I am joined by Koby Bambilia to discuss the intersection of meeting compliance skill development and regulatory requirements.

Bambilia has an interesting perspective on compliance training because of his unique background in the field. In addition to being a former compliance professional, he is also a former prosecutor. You do not often see that combination in a person specializing in compliance training.  We started with the basic concept of training – in any regulatory guidance, both here in the US or abroad, which is always considered by the regulators as one of the pillars of Bank Secrecy Act (BSA) compliance program. Obviously the more your staff is trained, the easier your job as a compliance officer will be.
This is where the first line of defense becomes so critical. Who knows clients better than the front-line bank officers who deal with them on a regular basis? This leads Bambilia to note that the role of a compliance professional is to provide the first line of defense with “the appropriate tools so in turn they will to be able to perform their duties; and the method in which you provide such tools are through robust and comprehensive training program.”
Additionally, Bambilia emphasized the regulators’ expectations for skills training. He has increasingly seen that “regulators are looking at the skills and career paths of bank employees. In other words, do the employees in their specific roles have the right set of knowledge, skills, and expertise to carry out their compliance responsibilities?” This has moved beyond strictly “compliance related roles but business-oriented roles as well.” He provided some examples such as private banking, loan officers, tellers, trade finance functions and correspondent banking departments. He stated, “The examiners will sample and check what experience and skills such employees have and what type of training they have received.” This led Bambilia to conclude, “thinking critically about whether the employees in key roles possess the right set of skills and expertise should guide institutions as they develop their training program, especially the long-term ones.”
I asked Bambilia if he could provide an example of such a situation. He recalled one institution where he worked which had more than 13,000 employees. As you might expect, there were multiple training requirements for employees. One of the challenges faced by the compliance function was how to verify all employees had completed the compliance training. Some 93% of employees completed compliance training so the challenge was to reach the remaining 7%. As Bambilia remarked, “We understood that it must be dealt with, and sometimes you have to take drastic measures to demonstrate that you are serious about compliance and serious when it comes addressing the regulatory expectations around compliance training.”
The compliance department went to the Board and proposed that any employee not completing their required compliance training would receive a 33.3% cut of the annual bonus. This stick approach worked and the completion numbers when up to 98%. What about the remaining 2%? They lost 33.3% of their annual discretionary bonus. The result was the next the completion rate for compliance training went up to 100%. But completion rates on employee compliance training are not enough as Bambilia said the regulators also want to see that the “compliance function has the right set of skills needed to perform their respective roles and duties. So, it’s something to think about and be prepared for before your next examination.”
We concluded our discussion by considering if finding solutions for compliance training “workarounds” or lack of employee participation has improved or dropped. Bambilia began by noting a very important aspect of compliance training, “with the right approach employees can be educated that training is not a form of punishment but actually a valuable tool which can help them do their job right. This is critical in keeping institutions “out of trouble.”” As Bambilia further explained, one of the functions of compliance is to “protect the Bank and the clients but it is also there to protect employees. And employees knowing through training what they have to do will keep them safe.”
Bambilia believes that now there are “better systems for e-learning and training solutions to ensure people are actually taking and completing these trainings. These systems can track, check the number of tries for passing the exam and even send the reminders.” Finally, institutions are moving toward more bite sized training (See: Espresso Training Shots). Bambilia explained that this can lead to not an entire day/week course but something that can fit within the regular workday; and this is even more applicable in today’s environment where most of us are working remotely, either in full or in hybrid mode.
K2 Integrity has developed an online training platform and resource center, Dedicated Online Financial Integrity Network (DOLFIN), to help clients with their training requirements and provide more diverse options for training content and modalities. Find out more about DOLFIN here. For more information on K2 Integrity click here.