Categories
FCPA Compliance Report

FTX and Risk: Part 1 – Financial Institutions

Welcome to the award-winning FCPA Compliance Report, the most senior podcast in compliance. In this episode, I begin a two-part series on the subjects of FTX and risk. I am joined by Gilbert Paiz and Andrew Gay, principals in the Texas Hill Country Advisors. In Part 1, we consider risk and risk management through the lens of US-domiciled financial institutions and how their risk management protocols help not only to assess risk but to manage it throughout the life cycle of a banking customer relationship. In Part 2, we will consider individual risk in investing: what type of background information, questions and due diligence individuals should engage in, and how these questions and background investigations apply equally to larger investments made by sophisticated investors, hedge funds and institutional investors, all of whom should have made them before investing in FTX but failed to do so.

Some of the highlights include:

  • How do banks think of risk?
  • What internal processes or controls are in place to help a bank manage its risks?
  • What types of oversight do banks and financial institutions use to help manage risk?
  • Why are levels of review so critical?
  • How do banks think about customers in terms of risk?
  • Who decides how much risk to allow a customer to engage in with a bank's money, whether through loans or other capital?
  • Do bank employees receive ongoing training on risk management issues?
  • What tech is in place to facilitate the management of risk?

Resources

Texas Hill Country Advisors

Categories
Daily Compliance News

December 3, 2022 the "to all, without regard to numbers, wealth, or rank" Edition

Welcome to the Daily Compliance News. Each day, Tom Fox, the Voice of Compliance, brings you four compliance-related stories to start your day. Sit back, enjoy a cup of morning coffee and listen to the Daily Compliance News. All from the Compliance Podcast Network.

Stories we are following in today’s edition of Daily Compliance News:

  • FTX was risk-management-free. (WSJ)
  • Trump, Trump judge slammed. (NYT)
  • Banks failing to comply with AML laws? (The Guardian)
  • Will Ramaphosa resign? (Globe&Mail)

Categories
Popcorn and Compliance

Compliance Lessons from Dr. Jekyll and Mr. Hyde

I have always loved the classic Universal monster movies from the 1930s. This month I am exploring one movie each week to mine it for leadership and compliance lessons. For our final entry in this short series on Popcorn and Compliance, I look at the 1931 version of Dr. Jekyll and Mr. Hyde, starring Fredric March, who plays a possessed doctor who tests his new formula that can unleash people’s inner demons. The film is an adaptation of The Strange Case of Dr. Jekyll and Mr. Hyde, the 1886 Robert Louis Stevenson tale of a man who takes a potion that turns him from a mild-mannered man of science into a homicidal maniac. The film was a critical and commercial success upon its release. Nominated for three Academy Awards, March won the award for Best Actor. We consider some of the compliance professional’s lessons around moral licensing, ego depletion, and time of day in a risk management regime.

Resources

Why Bosses can be Dr. Jekyll and Mr. Hyde

Categories
Daily Compliance News

October 29, 2022 the World Series Edition

In today’s edition of Daily Compliance News:

  • Credit Suisse names new CCO. (WSJ)
  • Removing sanctions against Tornado Cash. (WSJ)
  • A crisis in curling. (NPR)
  • Astros return to World Series. (WSJ)
Categories
Greetings and Felicitations

Great Structures Week V: The Tacoma Narrows Bridge Failure and Preventing Failure in Your Compliance Program

Welcome to Greetings and Felicitations, a podcast where I explore topics that might not seem directly related to compliance but influence our profession. In this special series, I consider how many structural engineering concepts are apt descriptors for an anti-corruption compliance program. In this concluding episode 5, I consider the Tacoma Narrows Bridge failure and preventing failure in your compliance program. Highlights include:

  • Why and how did the Tacoma Narrows Bridge fail?
  • What are the key lessons it provides to compliance professionals?
  • Why are 3rd parties still the greatest risk to any compliance program?
  • What steps can you take to manage third parties most effectively?
  • Why is continuous monitoring key to managing risk?

Resources

“Understanding the World’s Greatest Structures: Science and Innovation from Antiquity to Modernity”, taught by Professor Stephen Ressler from The Teaching Company.

Categories
Compliance Into the Weeds

Internal Controls Lessons from Cyber Failures in Wisconsin

Compliance into the Weeds is the only weekly podcast that takes a deep dive into a compliance-related topic, literally going into the weeds to more fully explore a subject. In this episode, we take a deep dive into recent failures detected in the state of Wisconsin regarding cybersecurity risks around election integrity. Highlights include:

  • What risks were uncovered?
  • What is a material risk?
  • Why Multi-Factor Authentication is an important cybersecurity control.
  • What are the consequences of a single point of failure?
  • How and when should you redefine a hazard?
  • What does CISA say about MFA?

Resources

Matt in Radical Compliance

Categories
Daily Compliance News

May 3, 2022 the Fat Leonard Trial to Resume Edition

In today’s edition of Daily Compliance News:

  • Fat Leonard Trial to resume. (KPBS)
  • Tensions at Google over AI and ethics. (NYT)
  • EU hits Apple on antitrust concerns. (WaPo)
  • Do banks lack basic risk management controls? (Reuters)
Categories
Innovation in Compliance

A Behavioral Approach to Risk Management with Vera Cherepanova

Tom Fox welcomes back Vera Cherepanova on this episode of the Innovation in Compliance Podcast. Vera is an ethics advocate, consultant, author and speaker. She joins Tom to talk about behavioral risks, the steps behavioral scientists take to analyze risk, and strategies from financial institutions that other industries can use.

Behavioral Risk in the Banking Sector

Behavioral risk is more or less the same across every industry. What is specific to the financial industry, however, and banking in particular, is that the individuals work with money. This creates higher risk, as the outcomes can be more immediately seen and felt by the customers.

The Regulator’s Role

“The regulator has a very limited role in mandating culture because no regulator can mandate what kind of a culture an organization needs to have,” Vera begins. A regulator can mandate what the culture should be, but how that corporate culture plays out in reality is not up to them. Speaking specifically of the UK and the Netherlands, Vera explains that the regulators in these regions have played a largely educational role in the business community. She gives Tom a few examples of the events the regulators have run in these regions.

Assessing Behavioral Risk

Tom asks Vera to talk about some of the practical steps behavioral scientists take when analyzing behavioral risk. Vera cautions that the first thing to understand when applying behavioral science is that interventions don’t always work. The first thing that scientists do is assess risk using a method called ethnography. They want to understand what is really happening inside organizational teams. They focus on subcultures, and then compare that against what is written in policies and regulations. Holistic cultural assessments aren’t done; behavioral scientists concentrate on specific teams. Surveys are only used to categorize the data the scientists have collected, and to generalize some of their observations.

Strategies To Emulate

The methods financial institutions use to conduct audits are accessible for any industry. Looking into behavioral risk on top of a risk management framework is one concept that can be emulated across industries, as well as using subculture audits. These skills will be modified for each industry, but Vera remarks that the basic concepts will be the same across the board.

Resources

Vera Cherepanova | LinkedIn
Studio Etica
European Banks Are Behavioral Risk Pioneers. No, Really

Categories
Innovation in Compliance

Right Question to the Right Person at the Right Time with Ishan Girdhar

Ishan Girdhar is Tom Fox’s guest in this week’s show. He is the CEO and founder of Privva, a cloud-based platform that streamlines data security to enable law firms to easily implement their own risk assessment. Tom and Ishan explore risk management in the new hybrid work era and what compliance professionals need to be thinking about in the coming years in that regard.

The New Normal

The new hybrid work environment is here to stay. More companies are going back to the office but with fewer employees on site. This means that company leaders and compliance officers need to find a way to manage risk around virtual collaboration and communication technologies in a remote work environment. They will need to make sure that all employees are connected in a secure way. “When you have people working from home and working remotely, access to sensitive information grew exponentially… Many people have devices like Alexa or Google Home; those are devices that are recording every conversation that’s happening in your home,” Ishan cautions. Implementing policies that ensure employees aren’t working in the vicinity of these devices, and making sure that company devices lock at set intervals, will go a long way in mitigating the risk posed by working in this environment.

Keeping a Communications Focus

Employees have to act as stewards and maintain and adhere to company policies surrounding risk and compliance. Tom asks Ishan how he keeps a communications focus in his organization in a way that doesn’t lead to compliance fatigue. Compliance officers need to ensure that they’re actively capturing communication across their organizations, and that they have the tools to do so. “Make sure that your tech stack has the right capabilities to capture information and communication across your network,” Ishan remarks. Communicating the right ways to work with your clients and employees is also something that companies need to be thinking about. Use the right tools and the right steps to make sure your actions are in line with your internal corporate policies, so that the compliance department can access that information if it’s required. Make sure that the data is integrated and that all of that dialogue is time-stamped so it can be captured together.

Creating Effective Cybersecurity

“Every product that technology brings to make your lives easier, better, faster, and cheaper for your clients comes with cybersecurity risk,” Ishan tells Tom. In order to mitigate cybersecurity risk, consistent training of your employees is necessary. Cybersecurity needs to be built into the culture of your organization and is a way for you to do your jobs in a timely and efficient way. Compliance professionals should be on top of what’s happening in the market with regard to new threats and risks. Have detailed policy monitoring and reporting requirements, and ensure you’re adapting your policies to the new norm.

Third-Party Risk

Tom posits that third-party risk goes beyond company to company, and that it’s actually the entire scope of your communication. Third-party risk is your suppliers, your partners, and your customers. Companies need to think about where their data is hidden, and where it’s going. “How is it leaving your environment? Where is it going? What’s the sensitivity of that data?” These are the questions Ishan implores leaders to think about. The biggest challenge with third-party risk management is that you have a say, but you don’t have full authority in enforcing change. It is also a two-way street in that, as a company, you are also a custodian of information and you have to understand your minimum baselines, the security controls that are nonstarters for you, and what risks you’re willing to accept. If you are sending sensitive data to a third party, you have to include management and leadership as part of that conversation and process.

What’s Next

Buying technology that will be sustainable going forward is one of the best ways to respond to cybersecurity risks in the coming future. Privacy is also a big challenge that companies are going to face. “Build out your budget and make sure that you have the right investments in place as you continue to grow and continue to go into the future leading up to 2025,” Ishan advises Tom and the audience.

Resources

Ishan Girdhar | LinkedIn | Twitter
Privva

Categories
Compliance Into the Weeds

What is Risk?

Compliance into the Weeds is the only weekly podcast that takes a deep dive into a compliance-related topic, literally going into the weeds to more fully explore a subject. This week Matt and Tom take a deep dive into different types of risk, including cybersecurity and anti-corruption, to lead a broader discussion about the nature of risk, risk management and the future of compliance. Some of the issues we consider are:

  • What is risk?
  • What are the roles of the CISO and CCO for risk management?
  • Who owns risk?
  • What does a BOD want to see around risk management?
  • What does this mean for compliance officers?

Resources

Matt’s blog post on Radical Compliance:
The Cracks in Third Party Risk Management