Tag: Radical Compliance

Categories
Blog

Bank of America Enforcement Action and Using Data Analytics

Data analytics has become an essential tool in the field of compliance and risk management. It allows compliance officers to assess the effectiveness of their programs and identify potential risks before they escalate into major issues. In a recent episode of the podcast “Compliance into the Weeds,” Tom Fox and Matt Kelly, discussed not only the importance of having data analytics in a compliance program but actually using the data in a risk management strategy.

The Consumer Financial Protection Bureau (CFPB) recently fined Bank of America $12 million for mishandling data analytics, specifically around accurate data about home mortgage applications. The bank had all the necessary data to assess its compliance risks, but it failed to maintain continuous monitoring, leading to compliance issues. This case serves as a reminder of the need for ongoing data analysis for proactive risk management.

The CFPB found that Bank of America violated the Home Mortgage Disclosure Act, a law on the around since the time I graduated from High School, that being 1975. The law itself requires mortgage lenders to collect demographic data about home loan applicants and report that data to various federal agencies. Bank of America settled the matter without admitting nor denying the allegation and agreed to the aforementioned $12 million fine.

As Matt noted in his Radical Compliance blog post, “Dig into the details of the settlement order, and you can see how data analytics, auditing, and monitoring all play a crucial role in assuring compliance with a regulation like this. Given that so many other business sectors have similar obligations to collect and report lots of data to regulators, maybe this case isn’t so obscure after all.”

The enforcement action drives home the clear lesson that data analytics is not a one-time tool to determine violations or identify risks. It should be used as a monitoring device that runs continuously to provide early warnings when risks enter the red zone. Bank of America’s mistake was treating data analytics as a one-time solution to a problem, rather than a long-term monitoring tool. They implemented analytics in 2013, found the error, introduced a control to correct it, and then switched it off when the problem seemed to be solved. However, the problem recurred, leading to the CFPB penalty.

As noted, is the high level of importance around surveillance and monitoring in the banking and financial services industry. These sectors have extensive monitoring and surveillance practices, recording every email and phone call to prevent improper messaging and manage risk. While this level of monitoring may seem draconian to other industries, it has proven effective in ensuring compliance and preventing fraud in those arenas.

The Bank of America case demonstrates that compliance officers often already have the necessary data for analysis; they just need to identify which information to study. In this case, the bank had all the data it needed to assess the compliance risk of information not provided in home loan applications. They implemented a monthly report to crack down on the abuse, resulting in a significant drop in the information not provided group. However, when they ceased the report in 2016, the rate started to increase again, ultimately leading to the violation and penalty.

The use of data analytics to monitor the effectiveness of controls was also a key lesson from the enforcement action. When Bank of America instituted monitoring to determine who was filling out the reports, they obtained significant information and saw a drop in the information not provided group. This strategy raises the stakes around the question of whether being watched or monitored can influence individuals to follow controls and do the right thing.

Data analytics should not only be used to analyze the effectiveness of compliance programs but also to analyze overall activity within an organization to identify compliance risks. Compliance officers should strive for analytics that run continuously, providing insights into the state of affairs over the long term. This approach allows for early detection of risks and enables business units to manage their own risks effectively.

The Bank of America case serves as a valuable lesson for compliance officers in any industry. It highlights the importance of ongoing data analysis, continuous monitoring, and the need to consider data analytics as a long-term risk management tool. By leveraging data analytics effectively, organizations can proactively identify and mitigate compliance risks, ultimately avoiding costly penalties and reputational damage.

Data analytics plays a crucial role in compliance and risk management. It enables compliance officers to assess program effectiveness, identify potential risks, and monitor activities for early warnings. The Bank of America case underscores the importance of continuous data analysis and monitoring in proactive risk management. By embracing data analytics as a long-term risk management tool, organizations can enhance their compliance efforts and safeguard against potential violations.

Categories
Blog

The Importance of Trust, Accountability, and Ethics in the Workplace

Trust, accountability, and ethics are fundamental pillars of a healthy and successful workplace. They form the foundation upon which organizations build strong relationships with their employees, customers, and stakeholders. In the most recent episode of the podcast “Compliance into the Weeds,” Tom Fox and Matt Kelly discussed the importance of these factors in light of a wrongful termination lawsuit filed against Citibank by a former employee.

The importance of trust, accountability, and ethics in the workplace cannot be overstated. These elements are the bedrock of a healthy corporate culture and are crucial for maintaining a positive and productive work environment. I believe that a broader conversation about these topics is necessary within corporations, with a need for employees to understand the importance of trust, accountability, and adherence to policies and procedures. While there is great cynicism that exists among the public and the workforce regarding ethical enforcement particularly when banks which have paid literally billions of dollars in fines are involved, it is up to each employee to commit to doing the right thing, even when it is difficult.

As Matt noted in a Radical Compliance blog post, “Our tale, first reported by the Financial Times, involves one Szabolcs Fekete, who had been an analyst with Citibank’s London offices since 2015. In July 2022 Fekete had to take a three-day business trip to Amsterdam. He took along his romantic partner for the trip, and while there he billed a coffee and sandwich for his partner to his corporate expense account. Except, Fekete tried to cover it up by submitting a receipt for two sandwiches and two coffees, all for him.” He was subsequently fired for dishonesty on an expense report and lying to his supervisor and investigators when questioned about his submitted expenses. While the amount in question may seem trivial, (less than €100) the case highlights the potential consequences of dishonesty, even in seemingly minor matters.

One of the key takeaways from this case is the significance of trust in the workplace. Trust is the cornerstone of any successful organization. It is the belief that individuals can rely on each other to act with integrity, honesty, and transparency. When trust is compromised, it can have far-reaching implications for the overall culture and effectiveness of the organization.

The case also underscores the importance of accountability. Accountability means taking responsibility for one’s actions and being answerable for the outcomes. In this case, Fekete’s dishonesty led to a breach of trust, and he was held accountable for his actions. Organizations must have clear corporate values, policies, and training programs in place to prevent unethical behavior and promote accountability among employees.

Ethics, too, play a crucial role in the workplace. Ethics refers to the moral principles that guide individuals’ behavior and decision-making. It is about doing the right thing, even when it may be difficult or inconvenient. The case of Fekete highlights the need for employees to have a genuine commitment to ethical conduct, even in situations where it may be tempting to cut corners or bend the rules.

Balancing these factors can be challenging. On one hand, organizations must establish a culture of trust and accountability, where employees feel empowered to act ethically and take responsibility for their actions. On the other hand, organizations must also have systems in place to detect and address unethical behavior, ensuring that trust is not misplaced.

The episode also raises the question of the impact of these factors on decision-making. When faced with ethical dilemmas, individuals and organizations must consider the potential consequences of their actions. One thing we have learned from Enron going forward, if someone is willing to break ethical rules at a minor level, it raises concerns about their integrity and the potential for more significant breaches in the future.

Yet there is another, more troubling aspect to this matter that compliance and ethics professionals must consider. Pilita Clark, also writing in the FT noted, “Except the response to this story has been anything but straightforward. Most striking of all is the level of derision directed not at Fekete but at Citi. At the time of writing, more than 500 people had digitally applauded one FT reader who wrote in response to the story: “You can’t lie in a bank, unless it’s a really big lie.”

Clearly folks are still not happy that large financial institutions paid billions in fines without seemingly missing a beat. Clark went on to write, “Some of the largest costs related to the 2007-2008 financial crisis, but big sums arose in more recent years, including $402mn in 2018 to settle the bank’s role in a conspiracy to manipulate foreign exchange markets. Citi was among 20 large banks that collectively paid more than £377bn in such costs between 2008 and 2018, as a result of mis-selling, money-laundering, market abuse and other” misdemeanors.

In conclusion, the importance of trust, accountability, and ethics in the workplace cannot be overstated. These factors form the bedrock of a healthy and ethical organizational culture. The case discussed in the podcast episode serves as a reminder of the potential consequences of dishonesty and the need for clear corporate values, policies, and training programs. It also emphasizes the importance of individual responsibility in maintaining an ethical workplace. By prioritizing trust, accountability, and ethics, organizations can create an environment where employees feel empowered to act with integrity and make ethical decisions, ultimately leading to long-term success.

Categories
Blog

Messaging App Compliance in Regulated Industries: Lessons from Recent Enforcement Actions

In recent years, regulated industries, particularly broker-dealer firms like Wells Fargo and Morgan Stanley, have faced increased scrutiny from regulatory bodies due to their lack of compliance in policing messaging apps. The Securities and Exchange Commission (SEC) recently announced charges against 10 firms in their capacity as broker-dealers and one dually registered broker-dealer and investment adviser for widespread and longstanding failures by the firms and their employees to maintain and preserve electronic communications. The firms admitted the facts outlined in their respective SEC orders. These firms collectively “agreed to pay combined penalties of $289 million and have begun implementing improvements to their compliance policies and procedures to address these violations.” Additionally, the Commodity Futures Trading Commission (CFTC) ordered four financial institutions to pay $260 million for recordkeeping and supervision failures due to the widespread use of unapproved communication methods.

Even more troubling is the involvement of senior managers in these misconducts, leading the SEC to require an independent compliance consultant in multiple settlements. This highlights the significance of overall corporate culture and the need for stricter compliance measures. Matt Kelly and I recently explored these enforcement actions, the reforms that companies must implement, the role of consultants in reviewing these reforms, and the potential risks and consequences of using messaging apps for business purposes in a Compliance into the Weeds podcast.

Reforms in regulated industries focus on policies and procedures, messaging policies, and employee training. Companies must establish clear messaging policies that outline the acceptable use of communication channels and the importance of recordkeeping obligations. Training employees on these policies and ensuring their understanding is equally vital. Additionally, companies must track training records and allegations of policy violations, making them readily available for review. Next, both ongoing monitoring and continuous improvement must be utilized. Finally, do not forget the need for disciplinary frameworks, with repeat offenders and senior employees potentially facing more severe discipline.

The enforcement crackdown by the SEC and CFTC has already resulted in significant penalties, with fines totaling a staggering $550 million. J.P. Morgan was the first bank to face such a settlement decree, setting a precedent for other banks. This raises speculation about whether the misconduct will continue and if there will be additional enforcement actions. While some large securities firms have yet to be targeted, all regulated industries must take note and proactively address compliance issues.

As noted above, using improper messaging apps for business communication is a significant concern for regulators. Moreover, these violations of securities laws occurred due to employees using ephemeral messaging apps like WhatsApp and Snapchat, which turn off record preservation. Once again, the involvement of supervisory employees and managers in using these apps is even more alarming, further angering the regulators. The SEC’s requirement for an independent compliance consultant in multiple settlements indicates a focus on corporate culture and the need to address senior managers’ involvement.

While these enforcement actions focused on regulated industries, it raises an important question about whether non-regulated industries could also face similar exposure to the SEC. The Justice Department has emphasized taking messaging and communication app risks seriously for all companies. Therefore, even if a company operates outside the purview of specific regulations, it is crucial to consider the potential risks and consequences of using improper messaging apps for business purposes. In a Radical Compliance blog post, Kelly noted, “That is a terrible look for a company. It paints the picture of a management team not interested in good ethical conduct, and we all know how that goes over with the Justice Department when evaluating the state of your compliance program.”

We desired to shed some light on the recent enforcement actions against regulated industries for their lack of compliance in policing messaging apps. The fines and penalties imposed by the SEC and CFTC highlight the seriousness of these violations. Companies must implement reforms, establish robust policies and procedures, and prioritize employee training to ensure compliance. The conversation also underscores the potential risks and consequences of using improper messaging apps for business communication. All companies must prioritize compliance and take proactive measures to address these concerns regardless of industry. By doing so, companies can foster a culture of integrity and avoid the hefty fines and reputational damage associated with non-compliance.

Categories
Blog

Auditing AI

The recent kerfuffle over an AI tool misinterpreting instructions to make a woman look more professional as making her look Caucasian has raised important questions about how to audit AI code to avoid undesirable outcomes. AI instruments are behaving in a fundamentally different way than most other types of apps and systems, and auditing AI code for implicit bias is not yet feasible. Matt Kelly recently wrote a blog post on this topic on Radical Compliance. I thought it would make a great podcast so this week’s episode of Compliance into the Weeds is dedicated to it. I also thought it was so important that I should blog about it as well.

It started when MIT grad student Rona Wang tested an AI tool called Playground AI to modify a photo of herself wearing an MIT T-shirt to look ‘more professional’. Rather than replacing the T-shirt she was wearing with more professional business attire to achieve a more professional look, the AI tool interpreted the instruction to make her look more professional as making her look Caucasian. Wang posted a before and after comparison of her photo on Twitter, which caused a big kerfuffle in the AI world about how this happened. The CEO of Playground AI responded to Wang on Twitter saying “We’re quite displeased with this and hope to solve it”.

We began with a discussion of the implications of implicit bias in AI code. Matt suggested that the code in the AI app may have been influenced by the disproportionate number of white people on LinkedIn. It may not be the fault of the AI program, but rather a result of structural bias and racism in the world. Matt believes that at this point, it is impossible for a human to audit the code of AI programs like Chat GPT, which evaluates data according to 1.76 trillion different parameters. Unfortunately, it is not possible to eliminate implicit bias in AI code by simply correcting a few parameters. Matt compared it to the difficulty of eliminating implicit bias in AI code to the difficulty of eliminating racism in the human brain.

AI can handle 1.7 trillion parameters of data, but it is difficult to audit for an ethical outcome. AI can misinterpret structural racism and inequities that exist in the world. AI can be used to filter out images that are not representative of the population as a whole. Auditing AI is difficult because there are few people who know how to design and audit these programs. AI decisions may have life and death consequences, but there is no way to audit them yet.

Companies using AI in the hiring process must consider whether they will scrap the AI tool and use another, use human HR people and recruiters, or have auditors and coders sit down and try and figure out the problem. Additionally, there is a risk of implicit bias when someone must define the pool of data that the AI is looking at. New York City has a regulation requiring employers to audit AI tools used in the hiring process at least annually, but this is only a small step towards addressing the issue of implicit bias in AI.

Auditing AI code for implicit bias is a complex process. AI tools used in the hiring process can range from keyword matching to Chat GPT. While it is important for companies to audit their AI tools, it is also important to consider the data that is being used to train the AI. If the data is biased, the AI will be biased as well. To ensure that AI tools are not biased, companies should consider using a diverse set of data and conducting regular audits of the AI tools.

The Wang incident over an AI tool misinterpreting instructions to make a woman look more professional as making her look Caucasian is a reminder of the importance of auditing AI code to avoid undesirable outcomes. AI instruments are behaving in a fundamentally different way than most other types of apps and systems, and auditing AI code for implicit bias is not yet feasible. Companies using AI in the hiring process must consider whether they will scrap the AI tool and use another, use human HR people and recruiters, or have auditors and coders sit down and try and figure out the problem.

Finally, there is a risk of implicit bias when someone has to define the pool of data that the AI is looking at. New York City has a regulation requiring employers to audit AI tools used in the hiring process at least annually, but this is only a small step towards addressing the issue of implicit bias in AI. To ensure that AI tools are not biased, companies should consider using a diverse set of data and conducting regular audits of the AI tools.

For the complete discussion of this issue check out this week’s episode of Compliance into the Weeds.

Categories
Blog

Danske Bank: Part 5 – Final Thoughts

Over the past several blog posts, we have been exploring the Danske Bank A/S (Danske Bank), AML enforcement action in which Danske Bank pled guilty and agreed to forfeit $2 billion to resolve the US investigation into its fraud on US banks. Danske Bank also settled with the Securities and Exchange Commission (SEC) for misleading US investors about the bank’s anti-money laundering (AML) compliance program in its Estonian branch and failed to disclose the risks posed by the program’s significant deficiencies.

Banks Still Behaving Badly

According to Violation Tracker, the top 10 banks for fines and penalties for this century are as follows:

TOP 10 CURRENT PARENT COMPANIES TOTAL PENALTY $ NUMBER OF RECORDS
Bank of America $83,354,221,356 271
JPMorgan Chase $36,129,286,132 223
Citigroup $25,740,655,365 159
Wells Fargo $22,081,458,643 229
Deutsche Bank $18,541,562,802 79
UBS $17,082,743,334 106
Goldman Sachs $16,603,475,848 90
NatWest Group PLC $13,515,546,857 31
Credit Suisse $11,427,400,126 52
Morgan Stanley $10,167,765,234 190

In 2022, the top fines involving banks are:

  • Danske Bank: $2.4 billion
  • Bank of America: $225 million
  • Citigroup: $200 million
  • Goldman Sachs: $200 million
  • Morgan Stanley: $200 million
  • Credit Suisse: $200 million
  • Barclays: $200 million
  • Deutsche Bank: $200 million
  • Nomura: $100 million

For whatever reason, banks cannot seem to get it anything near right. Willie Sutton is alleged to have said the reason he robbed banks was because “that’s where the money was.” Now it seems the banks are the bad guys, and the regulators continually have to lay out what seems massive fines and penalties to banks. Yet banks seem oblivious to playing within the bounds of the law. Perhaps, and to broaden out Consumer Financial Protection Bureau (CFPB) head Rohit Chopra’s statement announcing the latest fine against a bank, Wells Fargo at $3.7 billion “Wells Fargo’s rinse-repeat cycle of violating the law” needs to be updated to banks “rinse-repeat cycle of violating the law.”

M&A Double Trouble

Purchasing a corrupt entity is certainly one thing but allowing it to stay corrupt is quite another. As I often say, if an acquisition target engaged in bribery and corruption, or indeed money-laundering, before you acquired them and continue to do so after said purchase; it is not them but you who are now breaking the law. When Danske Bank purchased the branch that became Danske Estonia, it was aware that a substantial portion of the Estonian branch’s customers were “non-residents of Estonia, a group of accounts known as the Non-Resident Portfolio or “NRP” and that many of the NRP customers were from Russia and other former Soviet-bloc countries. These NRP customers’ practices included well-known red flags for potential money laundering: for example, frequent use of offshore LLPs and nominee directors to obscure or conceal beneficial ownership information, use of unregulated intermediaries to carry out transactions on behalf of unknown clients, and ties to jurisdictions with enhanced money laundering risks. Some of these practices were known to Danske in 2007.”

But here is where Danske Bank sealed its fate. As detailed by Matt Kelly in Radical Compliance, calling it the “fatal mistake by bank leadership”; and as laid out in the Plea Agreement, “Danske Bank canceled the migration to the central technology system because the executive board, consisting of Danske Bank senior executives, concluded it would “simply be too expensive” and could cause irregularities.” This allowed Danske Estonia to “maintain its own antiquated IT systems, with no automated customer due diligence or transaction monitoring — simply because bringing the Estonia branch up to acceptable compliance standards would be too expensive. Danske leaders didn’t have the requisite commitment to effective compliance, and from there its AML troubles flowed.”

Money, Money, Money

Perhaps the biggest problem for Danske Bank was the one in the mirror and its addiction to the filthy lucre generated by its Estonia Branch. Both Danske Bank itself and the regulatory authorities made clear the actual AML failures which were ongoing. According to the SEC Order, in “February 2014, Danske hired an external, independent third party to conduct a limited review of Danske Estonia’s AML practices” who concluded into only two months that there were “numerous AML deficiencies that left Danske Estonia highly susceptible to money laundering, including 17 identified as “critical or significant” control deficiencies. Danske’s legal department recommended and retained a third party to conduct a comprehensive internal investigation of Danske Estonia’s customers and transactions and to investigate allegations of employee misconduct. However, Danske senior management canceled the contract and decided to conduct the investigation internally. An internal Danske working group conducted only limited additional investigation of Danske Estonia at that time.”

The regulators identified the illegal issues as well. The Estonia FSA conducted a series of examinations at Danske Estonia and provided a draft report to Danske Estonia which detailed extensive facts concerning willful violations of Estonian AML law by Danske Estonia employees. The report stated, “Danske systematically establishes business relationships with persons in whose activities it is possible to see the simplest and most common suspicious circumstances” and concluded that Danske Estonia systematically ignored Estonian AML law. Danske acknowledged the severity of the Estonian FSA’s findings in communications, including one in which a Danske manager stated, “It is a total and fundamental failure in doing what we should do and doing what we claim to do. This just even more underline[s] the need of full clean up now.” [Emphasis added.] Another manager stated, “The executive summary of the . . . letter is brutal to say the least and is as close to the worst I have ever read within the AML/CTF area. . . . [I]f just half of the executive summary is correct, then this is much more about shutting all non-domestic business down than it is about KYC procedures . . . .” Nonetheless, instead of terminating the NRP business, Danske management opted to continue it because of the profits it generated.” [emphasis in original]

So, we leave this sordid saga of the US DOJ and SEC bringing an AML enforcement action against a Danish bank. At least the US is willing to bring such an enforcement action.

Categories
Compliance Into the Weeds

Unintended Consequences of CCO Certifications

Compliance into the Weeds is the only weekly podcast that takes a deep dive into a compliance-related topic, literally going into the weeds to more fully explore a subject. In this episode, we take a deep dive into some of the unintended consequences of CCO certifications as required by the Department of Justice.  Highlights include:

·      What happened to reasonable and proportional?

·      What about control override?

·      What is the purpose of compliance training?

·      What is effective compliance training?

·      Is compliance training complimentary to compliance training effectiveness?

Resources

Matt in Radical Compliance

Categories
Compliance Into the Weeds

Company Size and State of Their Compliance Programs

Compliance into the Weeds is the only weekly podcast which takes a deep dive into a compliance related topic, literally going into the weeds to more fully explore a subject. This week, Matt and Tom take a look at the recent ECI report on the Differences Between Small, Medium And Large Enterprises E&C Programs. Highlights include:

·      Where did this ECI report derive its data?

·      Why are middle sized companies in such bad condition regarding compliance program?

·      Why are middle sized companies having the most issues?

·       When is the time for compliance SME at a company?

·      When should a company institute robust internal controls?

Resources 
Matt in Radical Compliance
ECI Report – Differences Between Small, Medium And Large Enterprises E&C Programs

Categories
Compliance Into the Weeds

Two Obscure Academic Papers and Compliance


Compliance into the Weeds is the only weekly podcast which takes a deep dive into a compliance related topic, literally going into the weeds to more fully explore a subject. This week, Matt and Tom take up two recent academic papers which every compliance practitioner should study as they provide insight about how communications can impact both fraud prevention and compliance. Some of the issues we consider

  • Berger and Lee on state FCA claims cutting overall accounting fraud.
  • Jinjie Lin on SEC tweeting and reduction of SEC violations.
  • What do these communication strategies portend?
  • How can they be used by the compliance professional?
  • Why whistleblowing does more than simply prevent fraud, waste and abuse. Itimproves the bottom line.
  • Investment in communications strategies pays off.

Resources
Matt in Radical Compliance