PODCAST SERIES: Navigating Risk


Protiviti’s Navigating Risk podcast series brings together our Hong Kong risk and compliance experts as they share insights designed to launch you into the future of risk management and transform your organisation from the inside out.

Episode 1 - Decoding the Hong Kong-Related Sanctions Programme

In this podcast, we talk with Nick Turner, a sanctions attorney at Steptoe & Johnson here in Hong Kong, as he tells us the most common questions that his clients ask about the Hong Kong-related sanctions and their effects on Hong Kong US dollar clearing.
Josh

I'm Josh Heiliczer, Greater China Risk and Compliance leader in Asia Pacific financial crime compliance subject matter expert for Protiviti. This podcast will seek to bring interesting perspectives to critical risk and compliance issues facing financial institutions in Greater China and across the region. The goal is to provide these viewpoints to you in a concise manner, likely alternating between a guest Q&A format and Protiviti adds some of the insights. The views expressed do not necessarily represent the views of Protiviti or its guest. The information is not intended to be legal analysis or advice. Listeners should consider the unique circumstances of their own companies and consult with counsel before taking any decisions.

Connect with me on LinkedIn if there is a topic you would like the podcast to focus on in the future. I’m looking forward to beginning this journey with you today and our first guest, Nick Turner, a sanctions attorney at Steptoe & Johnson here in Hong Kong.

Nick, thanks for joining us here on the podcast here with Protiviti. What are some of the key questions your clients are asking about the Hong Kong related sanctions?

Nick
Hi, Josh. Thanks for having me here today. This is a really good question. We’ve had a couple of weeks now since the sanctions were announced against 11 Hong Kong and PRC government officials. These are what we call “blocking sanctions,” which means they result in an asset freeze of any property or interest in property of the designated individuals when that property is in the United States or within the possession or control of a US person. So, that’s the first key question. What do we do with property or interest in property of these 11 officials? The answer is if you’re a non-US financial institution, you have to ensure that when you deal in that property, for example, a wire transfer, it might be landing a deposit account, or another kind of financial service, you’re not involving US persons or the US financial system, which basically means US banks. If you do that, it could be a violation of the OFAC prohibitions. The other thing people are very concerned about is the Hong Kong Autonomy Act. Because the Hong Kong Autonomy Act in Section 7, provides for what we call “secondary sanctions” against foreign financial institutions that “knowingly engage in significant transactions with individuals who are identified under the Hong Kong Autonomy Act.” Now, what’s interesting is that the executive order that was used for these sanctions and the Hong Kong Autonomy Act are two separate documents. So, what we’re really waiting for is another report to come out under the Hong Kong Autonomy Act, and on the basis of that report, financial institutions will know who the individuals or entities are that could lead to secondary sanctions. So, you can see there’s a lot of moving parts and it’s pretty complicated, but I think most banks in Hong Kong have great advice and have done a good job so far of responding.
Josh
Great. That’s really a lot of information actually to take in just in that question. One of the questions we’re getting from a lot of our clients right now is, what effect it would have on the Hong Kong US dollar clearing? So, the local interbank clearing of US dollars.
Nick

This is one of the biggest misperceptions about OFAC sanctions. A lot of people think that OFAC sanctions apply to US dollar transactions globally, but that’s actually a little bit misleading. OFAC sanctions are focused on US persons and that includes US companies, US financial institutions for example, but they apply regardless of currency. So, you could have a Hong Kong dollar transaction which takes place in Hong Kong but is processed by the branch of a US financial institution, and that would be subject to OFAC sanctions even though it’s in Hong Kong dollars. If we flip that on its head and we imagine that we have a transaction in US dollars, but it takes place entirely outside of the US financial system without the involvement of US persons, that actually is not subject to the executive order or to most OFAC sanctions. There are some exceptions, but this isn’t one of them. So, when we look at local clearing in Hong Kong, the question we have to ask is not what the currency is, but who are the banks involved and the persons involved. If we have US persons, that’s something that OFAC has enforcement jurisdiction over. If we don’t, then it falls outside of that jurisdiction.

Josh
Great. So, it sounds like there are some limitations around the sanctions. I would assume a lot of your clients are coming to you for some advice right now. Once you get some of that legal advice and once you provide some of that clarification, how is it getting implemented? I mean for example, when we’re talking about the sanction names, a lot of banks will go for a Big Bang approach and say, “Okay, names on the list,” and so, it doesn’t matter where the transaction is or how it’s occurring, it’s going to flag an exception.
Nick

Right, and that’s one of the things that’s challenging about this particular sanctions program. So, we know that when OFAC issues sanctions under some programs like the North Korea or the Iran program, you’re right. A lot of banks will just look at the names on the list and make an easy decision to do no business with them. That’s more complicated with the Hong Kong sanctions and some other sanctions programs where companies are more likely to have business with those individuals or even want to continue doing business with those individuals for one reason or another. In that case when it comes to implementing the advice, it really requires a financial institution or any other company to understand from an operational perspective where their touchpoints are with the US financial system and with US persons, and to make sure that they have excellent controls to manage that risk. It’s a level of operational understanding that some companies don’t have yet, but I think they’re going to have to develop it as US sanctions become more complicated and apply it more and more in Hong Kong. It’s just something we’re going to have to learn.

Josh

We’re getting a lot of questions from clients around how to operationalise some of the advice that they’re getting from attorneys like yourself or internal counsel that they might have. I think one of the key areas is really around or handling given the additional volume of exceptions particularly for those types of banks going through a Big Bang approach. Secondly, what we’re also seeing is reviews of customer information for potential nexus, and while some banks have digitized a lot of this information, we’re still seeing a lot of paper-based reviews. I think finally, we’re also seeing can you ringfence some of the relationships from some of the potential transactions that might be prohibited or even maybe closer to the line. I guess one other factor that we’re seeing now is how can you plan ahead? You mentioned initially is sort of another report coming out around the sanctions in terms of how they’re going to be implemented, but how can you plan for some of the new potential sanctions where the potential risk that might come out of these sanctions in the future once they’re clarified?

Nick

Well, you’re right that there’s a lot of uncertainty about sanctions. I think a great example has to do with the WeChat executive order that was released surprisingly on August 14th. We’re still waiting to find out what that means. What it demonstrates is that the White House and the US government in general have a lot of authority to create sanctions and other kinds of restrictions virtually out of thin air in order to respond to international developments. So, one thing that you have to watch, if you want to try to predict where sanctions are going, is developments. You have to be very sensitive to politics and to international relations, you have to pay close attention to the US-China relationship and try to listen to what both sides are saying.

There is some good news though. This administration, in particular, has been very good about signaling where it’s going. A lot of the things that have happened in recent weeks weren’t really surprises because we had some advance notice. Sometimes, months or weeks of notice, that some of these things were going to happen. While we didn’t know the specifics, we were at least able to start thinking ahead, planning, and mapping out for our clients where they needed to have certain controls. So, there is something that you can do even if you don’t know all of the details today.

Josh
I think one of the things we’re seeing with a lot of our clients, we’re advising a lot of clients, is really first and foremost, conducting a risk assessment looking for some potential exposures. I know a number of banks who are looking through their large corporate books, looking at things like suppliers, where there could be some impacts, and whether or not there might be a need for a potential look back on some transactions, or additional backlogs in terms of sanctions exceptions, and needing to do some backlog clearance, so we’re actively talking to clients who are on that as well. So I guess, maybe just to sum up, Nick, I mean, where do you think things are going and what are you looking in terms of your clients’ advice and how they are handling it?
Nick
I think what we’re watching for above all is for information to come from the US Treasury Department on some of the key terms in the Hong Kong Autonomy Act, how they plan to handle those reports that I mentioned, and how financial institutions in Hong Kong can demonstrate a certain level of compliance with the US sanctions that will help reduce the likelihood that they’re going to be targeted for secondary sanctions by the administration. Of course, we’re all watching to see what happens with the US election. If we have a new administration, there might be some changes to some of these policies. Although, I think the general expectation is that the US-China relationship will remain largely where it is today, but hopefully, there will be some developments on the diplomatic front.
 
By the way, on Monday, the 31st of August, there’s going to be a webinar hosted by Dow Jones with me and Josh. We’re going to be talking about a lot of these issues, plus a lot of other things. So, I would encourage your listeners to tune in. It’s on Monday, the 31st of August.

 

Josh
Nick, I really appreciate you joining us. Also, I look forward to seeing you on the webinar next Monday.
Nick
Thanks, Josh.

Episode 2 - Compliance in the Insurance Sector across APAC

In this podcast, Josh Heiliczer, managing director of risk and compliance for Greater China, Hong Kong and China and the financial crime compliance leader for Asia, discusses overall compliance in the insurance industry as well as sales practices with Zac Ezekiel, the Asia Chief Compliance Officer at Manulife.
Josh
Welcome to Protiviti Podcast. This is Josh Heiliczer. I'm the managing director of risk and compliance for Greater China, Hong Kong and China and the financial crime compliance leader for Asia here at Protiviti. I'm grateful to have Zac Ezekiel with me from Manulife. He is the Asia Chief Compliance Officer and really interested to hear what he has to say about overall compliance in the insurance industry as well as sales practices. Hi, Zac, really great to have you with us today. First of all, thanks a lot for coming onto the podcast. We really appreciate it.
Zac
Thanks for having me.
Josh
This is part of our series here at Protiviti and so we’re trying to now branch out and meet with some insurance professionals as well. I appreciate your experience over at Manulife, and one of the things I think that a lot of people listening to the podcast would be interested in as there are a lot of compliance professionals is your career journey. So, how you got to be the chief privacy officer or working at a Canadian bank to out here in Asia with Manulife, and now their chief compliance officer for Asia.
Zac
Yes, sure. I mean I had spent some time in Asia earlier in my career actually. I met my wife out in Asia and spent a really fun three years in different countries and in a different industry actually. After a while with the bank in Canada, my wife and I were kind of missing the action over out in Asia and it was a good time in my career to try and change it up. So, I did want to make sure that I ended up with a company that had a sound compliance culture and I knew some folks from Manulife, so I had a couple of conversations and eventually a compliance role in Singapore came up. So, my wife and I sold our stuff and packed our bags and moved to Singapore in 2014, and from there just sort of progressed to the compliance organisation within Manulife.
Josh
Wow. It’s interesting. I know, when I moved out here, selling all the stuff, you get everything on the boat coming out here so it’s definitely an experience moving out here. So, one of the things that we’re discussing is that you’re really focused now in looking into sales conduct risk, sales practices. A number of financial services firms are looking at that, specifically for the insurance sector. What are the risks around that?
Zac
Sure. I mean, I think it’s useful to sort of step back and think about why financial services companies are putting the focus onto - including insurance, are putting their focus onto sales conduct risk that they are, and I think there’s kind of, as in many things, a bit of a carrot and a stick happening. The stick is, as you know, there have been some big scandals with banks that were selling products to customers that didn’t even appreciate that they were buying the products, opening accounts, credit cards, things like that. I think the fear for any financial services company is that your sales aren’t real, that your customers aren’t buying what they think that they're buying. So, we all want to make sure that we’ve got the best possible experience for customers. But there’s also I think a carrot aspect to that, which is all of us, insurance, the modern life insurance industry is about 250 years old. We have been, traditionally, pretty set in our ways, pretty paper-based, pretty in love with our own way of doing business, and I think companies are focusing more on getting close to the customer and ensuring that there’s a good customer experience. So, I think what you're seeing now is a great marriage between the focus on the customer and legitimate concern about misconduct and wanting to make sure that we don’t have any of that in our environment.
Josh
I mean, one of the things with life insurance I guess, historically, as well is that you used to just buy a term policy. It’s term policy, you pay your premium. If something happens then you get the benefit or your family gets the benefit. Now, in the world of annuities and returns and investment linkages, you have situations where, for any insurance firm, because you’ve got a massive amount of agents, distributors out there, they might have customers hearing about promises that might not come true.
Zac
Yes, absolutely. I mean certainly you're right, the products have gotten more complex and that puts a challenge on advisers to make sure that they're taking the customer through a needs analysis, making sure the customer understands what they're buying. Yes, I mean sales people can be under pressure just like anybody else, and occasionally, they can either not explain the product properly just through errors or omissions, or you can actually end up with some conduct that isn't what the life insurer wants. So, definitely, we want to make sure that we have controls in place to detect that when it happens.
Josh
What are some of the major ways you detect it, because I guess from an insurance perspective, if you're an agent, broker or whatever you might be, you are commission-based, so you're only eating what you kill, and so while 95% of them are probably going to be great, you're going to have some of them that will have an incentive to try to drive up their commission maybe unnecessarily. So, how would you monitor for that?
Zac
I mean, you're absolutely right that with a commission-based sales force you do need to monitor but I think you're also absolutely right that I think for the vast majority of insurance agents they're fantastic advocates for our customers. I mean you certainly see in the claims process and even in the underwriting processes that agents will do a lot for the customers. In terms of detecting misconduct, there’s kind of the traditional sort of old school ways and then there’s sort of a new school that’s emerging with new technologies. So, the old school stuff was very kind of complaint based. So, if a customer called you up and said that they had a concern, you would sort of record it and you would do an investigation. Talk to them, talk to the agent, collect the evidence, do a report. I think all of us monitor metrics like persistency or replacement of policies, which is kind of our sort of insurance version of churning. I think, certainly, Manulife puts a lot of attention into making sure that we get the right advisors. We talk about premium agencies, so making sure that we do the right due diligence on our agents but also the other distributors that we use like brokers and banks.
Over time, I think, certainly we have and other life insurers are as well added to that. So, you're seeing - we’re putting a lot of energy right now into post sales calling so at least for high risk products or vulnerable customers, making sure that we contact them and asking them how the sales process went and did it meet their expectation. Do they understand the product that they bought? A lot of firms are experimenting with mystery shopping or also different kinds of post-sales testing, looking at incentives. So, you talk about eat what you kill and there is that overarching incentive to make sure that you feed yourself and feed your family, but I think companies can really kind of influence that a little and they can make it worse or they can make it better through their incentive structure. So, we have a pretty robust process for looking for that with our senior sales officers. The really unique thing with sort of the emergence of analytics technologies is the ability to take all of these data points and focusing on particular distributors that are problematic or particular products that are problematic. So, if there’s a lot of confusion around a particular product, do you need to improve the training that you provide to your distributors on that product or even different classes of customers? So, that’s I think kind of the next wave of improving our analytic approach to sales conduct.
Josh
I mean, how do you get all the data? I mean is it readily available or is that sort of a challenge now as well in terms of just getting everything you need to feed the analytics?
Zac
I think a lot of it was always there and that’s kind of the beauty of the analytics revolution, if you will, is realising that all the stuff that you were collecting for other purposes can be used and aggregated to spread out outliers and things like that. So, a lot of it we always had. There are new points of references like as we’ve added post-sales calling. That’s a new indicator that we can feed in there but I think not just in sales conduct but I think a lot of us in financial services are realising that just the power of the information that we have.
Josh
How do you just in terms of different countries, I assume, you're looking at various things across the board throughout Asia, globally, as well. I mean you mentioned through the churning surrounding replacing policies, you look at certain distributors, you look at the post-sales calls process. Are there things that are localised for each of the different countries? You're operating in a lot of countries here in Asia that you need to concern yourself with. So, sort of in addition sort of to the generalised, overall risk, bespoke monitoring for various countries.
Zac
Yes. I hope this doesn’t sound like a commercial but I think I feel it’s true about Manulife that we’ve always had as kind of core principles and they're actually in our value statement. Do the right thing and obsess about customers. So, we’ve always been pretty focused on that. So, that means that we are very interested in kind of an overall baseline framework and standard that we’re going to hold ourselves to and our distributors to in all the markets that we operate, even in cases where there might not be a regulatory requirement around it. In some of the countries where we operate, insurance is very new. People have not had a long tradition of insurance for example in countries like Cambodia or Myanmar.
We want to make sure that we get off on the right foot and set up a great reputation for our product that we think is really useful. So, to answer your question, I think we do look at it fairly uniformly across markets and want similar things. Obviously, there are different kinds of products that are popular in different kinds of markets. So, for example, some of these mandatory national savings programmes, like in Singapore and in Hong Kong have unique challenges around regulatory requirements that you need to follow. Particular kinds of fraud that are more prevalent in these sorts of pensions businesses and in other kinds of businesses that you need to watch and monitor for. That’s one of the reasons, for example, that we put focus on monitoring sales mix. If people are selling a lot of these products relative to other kinds of products, we want to know and we want to understand that.
Josh
Great. Zac, we really appreciate you joining us for the podcast and I think there are a lot of great insightful points for our audience and looking forward to maybe having you back again next time.
Zac
Thanks a lot. Thanks for having me.

Episode 3 – Transaction Monitoring and Fraud Detection in the Post-COVID Era

In this podcast, we're catching up with Michael Wassell, head of fraud detection for health care in the New York State Attorney General's Office, as he discusses transaction monitoring and fraud detection in a post-COVID era across industries.
Josh

Mike, thank you for joining me here on the podcast. I really appreciate it. How are you doing today?

Mike
I’m doing very well, Josh, and thank you for having me. I’m really excited to be part of your new podcast. I think the platform that you have created is really worthwhile, and I’m happy to be part of it.
Josh
Thank you, Mike. I really appreciate it. A number of financial crime professionals are listening to the podcast. Would you be able to discuss your career journey from the government to Goldman Sachs and back?
Mike

Well, I can try, but it’s certainly not been a straight line of a career. Before I do, I want to just get a quick disclaimer out of the way, if that’s OK. That is just that the views, thoughts and opinions expressed by me in this podcast are solely mine and don’t necessarily reflect those of the New York State Attorney General’s Office. Your question about government, private sector and back to government – it seems like I couldn’t make my mind up along the way, but it’s all worked out in the end.

Josh
It usually does.
Mike

Yes. In my unique circumstance, what it’s done for is, it’s really given me an appreciation for the hard work that’s being done on all sides. As a former bank regulator, I helped to enforce the Bank Secrecy Act in the United States on financial institutions that we regulated. Just to give your listeners an idea of what a bank regulator does to enforce the rules around anti-money laundering, I was part of the team within the Department of Financial Services that read every single SAR filing by our covered financial institutions. I know that maybe by today’s standards on how many – the numerous filings that are made – that might not be possible, but we did it. We had a good-size group that would be assigned to different financial institutions and read every one of their filings, and then we would meet on a monthly basis. We would talk them over.

Josh

I think it’s really great to hear, because a lot of people today within the industry sometimes feel like they file a Suspicious Activity Report, or here in Hong Kong, a Suspicious Transaction Report, and it just goes into the ether sometimes. To hear that from a regulatory perspective, I think, is really comforting to a lot of the audience.

Mike

Yes. That’s incredibly important. The STRs or SARs, wherever you happen to be, are so useful. We opened up formal investigations based on the filings. We were a smaller group, so we couldn’t open up investigations in everything that we thought was worthwhile. We referred some SARs and STRs to other partners in law enforcement just to make sure that good ones didn’t fall through the cracks. The other thing, Josh, that I want to mention is that – and, especially, this is true today – is that there is always an analytics part of looking at SAR filings, looking at the big picture, looking at trends, and that is useful information for law enforcement to have.

It’s also very helpful for those that enforce the rules to be able to see what financial institutions are doing and, maybe more importantly, what are they not doing. There was one instance I recall where we were sitting around the room and going through all the SAR filings, and there was a bank that had been in the news, and the question came up, “Have you seen any filings from that financial institution lately?” No one could remember one. We went back because we have the ability to go into the repository of all filings, and we did a search on that bank. Sure enough, there hadn’t been any filings.

You can imagine what a regulator thinks when a financial institution has never filed. It’s certainly not because there was never a suspicious transaction going through their account. That generated a separate investigation into that financial institution, with noteworthy outcomes.

Josh
I think it’s interesting that you mention something like that as well, because there’s been a sea change here in Asia. I’d say when I first got out here, most financial institutions looked at Suspicious Transaction Report filings or Suspicious Activity Report filings as a black mark that you didn’t want to have any. You didn’t want to get on the regulator’s radar. Really, over the last five to eight years, it’s changed dramatically that a lot of institutions that had never filed before are filing now, and the regulators have to talk about overfiling in some areas.
Mike

Interesting, yes. When I was in the private sector, my leadership teams were always advocating for filing to demonstrate that, number one, we had a programme that identified and reported activity when it was appropriate. The other thing we hoped it did was generate some goodwill, good faith, because with the thousands and tens of thousands of transactions going through accounts every day, there are going to be things that occur that you were unable to detect even though you had reasonable tools to identify risk. When a regulator would come up and, like I used to do in the past, we would look at filings as one of the things to give us an idea, a sense of, “Well, was this financial institution making a good-faith effort in identifying or reporting risk?” That would give us a sense going in the door, “How are they doing?”

Josh

You’ve gone from the public sector to the private sector; now, you’re back. I think it’s been a great career journey, but what makes you good at finding issues in those places? I mean, how do you go about uncovering potential suspicious activity or fraud?

Mike

Well, Josh, that’s a great question, and I don’t think there’s any one single right answer for it. I can share with you my own perspective and my own observations working in the government in seven different jobs I had with government, and then the private sector, and what I think works. One is just having a good nose for issue spotting. That could be something you’re born with or something that can be learned, I think. Having some life experience is also good, and everybody has their own perspective. You don’t have to have been a detective or an enforcement regulator to really understand risk when it comes across your desk.

Sometimes, it’s just a matter of effort. I remember my mentors from the Manhattan District Attorney’s Office would tell me, “Hey, Mike, you make your luck.” I didn’t really understand what that meant at that time, but I understand it now. It’s basically, if you work at something hard enough, good things are going to come from it. So, just sitting back and looking at alerts passively probably isn’t going to make you shine at the end of the day in finding a really noteworthy risk. Having natural curiosity, I think, is important too, and related to that is your ability to think creatively. I term it thinking suspiciously about what you’re looking at. This is something I also learned way back in the day when I worked in the Manhattan DA’s office.

I’ve been through a police academy. I’ve been through the FBI National Academy. I have a law enforcement mentality in terms of looking at things potentially suspiciously. I remember my first day out of the academy, I was in the field. I was with a senior investigator, and we’re just getting coffee heading out in the field, sitting in a car across from a coffee shop. We had gotten our coffee, and we’re sitting there. We were looking at the front door, and out walks a gentleman with a baseball cap shielded over his eyes with a bag in his hand, and he’s walking quickly out of the store. The senior detective asked me, “Well, Mike, what do you see there?” I go, “I see somebody with coffee running late for work.”

He said, “Well, yes, that’s probably what it is. But it could be that he just held up that store, and he’s running out with a bag of cash.” Look, I want to make something clear about thinking suspiciously, because sometimes people get the wrong idea. At the end of the day, most of the things that we look at in government and in the private sector turn out to be benign, right? We know that, but if you don’t ask the question, if you don’t put the effort in, if you don’t apply your life experience and your sense of issue spotting that you’ve developed, it’s going to be less likely that you actually uncover something. That’s what I mean by thinking suspiciously about what we’re looking at.

Josh
I think that’s really true, Mike. I mean, even in coming out here to Asia, the way that I look at things now just by having been out here and seeing the lay of the land is completely different from when I was looking at them working in New York. You see a transaction. You see what’s going on, but to get that real understanding and what might be going on here, it almost takes being in that place a lot of times.
Mike

That’s right. We’ve all worked in different environments. One thing, I think, is always sort of the same, which is, you’re going to have certain people on the team who, over time, seem to catch more things, whether you’re a detective or working for the government, or you’re an AML officer looking at alerts and identifying risks. It’s the people that are really dedicated and have developed these skills that seemed to consistently come up with those things that are really worthwhile. Josh, I don’t know if I ever told you this, but we were just saying we worked together. I do miss those days. I’ve got to say you were the most tenacious investigator I have ever worked with. That resulted in finding very interesting things, I remember. That was a really good experience. I know that has served you well.

Josh
Oh, definitely. I mean, I learned a lot from you. I think most of the way I write, and most of the way that I continue to look at issues with clients today, is based on that time. I can remember still a number of times when we were looking into the exchange control laws, and I had no idea about exchange controls. I think you had some understanding. It’s a matter of ultimately looking at the transactional activity and then saying, “Well, this seems a little weird that guys who have millions and millions of dollars might be transferring money from a money exchange into a private bank.” You’re like, “Well, let’s do a little bit of digging, and let’s try to uncover it.” I think that’s something that definitely, as a mentor, you always fostered in me, that we were not necessarily looking to close out an investigation or close out an alert with what might be the easiest response.
Mike

Well, Josh, you have me blushing here. I appreciate those kind words.

Josh

Your focus right now is definitely a little bit different. You’ve moved into the healthcare fraud space. How has the recent pandemic, with COVID and everything, changed your focus around how you’re looking at fraud and what you’re doing now?

Mike

Well, it’s been very interesting. If you have me back in a year, I might be able to talk to you about some publicly available information on specific cases that we are working on today. I can tell you this, that after every major event, there are fraudsters that come out of the woodwork. It could be an earthquake. It could be a typhoon. It can be 9/11. These major events invite the fraudsters to come out and see if they can’t leverage that event and make some money from it.

The healthcare industry isn’t any different. It’s a massive industry, as we all know. Even if a small, very small, percentage of it represents fraud, you could be talking about significant funds. We have a data analytics team. We’re looking at spikes in activity that wouldn’t be explained through a reasonable way of looking at things. A spike in activity – for example, when the pandemic began, office visits to providers slowed down pretty rapidly, as you can imagine. Certain types of procedures slowed down very rapidly. Yet, there could be providers out there who have an unfettered continuation of business, which could raise a question worth looking into.

Outlier behavior – something that we’re always looking for, and certainly true in the pandemic. Looking at similarly situated providers, maybe they share a specialty in the same region, yet one of those providers seems to be doing something differently. We look at a combination of procedures sometimes as an outlier behavior, where I have a provider billing things in combination which their other colleagues aren’t doing. That generates a question. It’s not necessarily fraud, but it’s something that causes us to start looking at it more carefully.

Something that’s new for our agency in this time is telemedicine, which hadn’t previously been covered by New York State Medicaid, and now it is. We know from our colleagues that worked in Medicare that there are opportunities for fraud in telemedicine. We’re looking at that. If, for example, a provider last year had just – making up numbers – a thousand patients, and now, all of a sudden, they’re billing at a rate of 5,000 or 10,000 patients, something is different. Something happened. How? Did they legitimately expand their business that quickly, or is there something else going on?

With COVID, you have testing for the COVID virus. There are accepted healthcare-approved tests, and then there are other tests which are used when there are more health-related complications, which are much more expensive, and this is an opportunity for what we would term unnecessary testing, unnecessary billing and overbilling. We’re looking at all these issues. One other thing that a good investigator or a good analyst, I feel, can look for is the obvious. Don’t ignore the obvious, right?

Josh

Sure.

Mike

In financial institutions – bringing it back to your audience for a second – it’s oftentimes the client that everybody knew about. It’s the one that everybody knew was going to be a problem but was difficult to tackle either because of the revenue stream or for some other reason. Those are the ones that make the difference between a really good compliance officer and an OK one, where the compliance officer doesn’t back down. They make a record of, “Hey, I’m not satisfied with these explanations. Obviously, something is going on here. We need to escalate it within the financial institution and get more people involved.” I think that’s really important for your listeners to follow. It is the hardest thing, I think, for a compliance officer.

Josh

Absolutely. I think that going after those things that are difficult clients, significant clients or areas that you might not have a good understanding of, but you have to learn about – the business is always going to challenge you. Front office is going to challenge you. You need to be able to back up your questions with a real understanding of the industries and what you’re talking about. It’s interesting when you talk about the healthcare industry – it jumps out in my mind around trade finance. You see spikes in activity. You see clients that are maybe operating in the same type of business but transacting in a completely different way – outlier behavior, like you mentioned.

Now, while banks don’t necessarily have telemedicine, the rise in remote onboarding during the pandemic, in particular, here in Hong Kong, but all over the world, where you don’t see clients, where you have transactional activity taking place outside of a branch – all of these things have led to a rise in fraud. A lot of fraud associated with, whether it’d be business-email compromise or other types of IT support schemes, and it’s not only necessarily directed at customers. It could also be directed at the employees themselves.

Then, you mentioned the overbilling piece. You have a lot of potentially overinvoicing or multiple invoicing that you might be able to see now that might not have been occurring previously because you have new trade flows. While you expect new trade flows or you expect additional trade flows from some of the PPE providers in particular, or businesses that have maybe recently got into that industry, you might not see it in the same way across that peer group. So, that’s something that you would want to question.

Mike

Exactly. Josh, one of the other things, getting back to your question about “What are we doing during COVID?” is actually, one of our highest priorities is to identify patient abuse and neglect. We have many Medicaid recipients in nursing facilities, and they are some of the most vulnerable of our population. Of course, during the pandemic, they’re a high-risk population. So, we’re doing everything we can to ensure that they are getting proper treatment by the facilities that they are residing in. We set up a hotline to take calls from family members who may become aware of issues in a facility. Quite often – surprisingly, maybe, to some – we hear from staff that work in these facilities because they are trying to do the right thing, but they aren’t being adequately staffed.

We use that to trigger investigations. When we go in, there are a couple of things we look for: One is, we want to ensure that proper safeguards have been taken to protect the residents and, actually, the staff. Are they wearing personal protective equipment? Has the facility purchased that stuff? Is there enough qualified staff? This costs money. Having qualified staff is going to dip into the revenue of the facility. If it’s a facility that is looking to divert funds for its own benefit, then there’s going to be less to go around to hire the right staff. Then, part of the staff that are on, that are there, are they being adequately trained? Do they know how they’re supposed to handle residents to avoid them contracting the virus?

Some of your listeners might be saying, “It’s interesting, patient abuse and neglect, but I work in a financial institution, and that really has nothing to do with abuse and neglect in a nursing facility,” for example. To that, I would say when I look at the big picture, we’re looking at nursing facilities who may be diverting funds, engaging in self-dealing, and that’s not something that our group will readily see, because we don’t see those bank accounts, but your listeners might. They may see self-dealing going on. They may see unusual transactions and accounts.

The outcome is that those monies are being diverted from what otherwise would have gone to ensuring those safeguards, hiring qualified staff and training those staff. So, it all comes full circle – from my perspective, anyway – that we’re working hand in hand here, the government and the private sector. We’re all trying to do good here. If we share some of what we’re seeing, if financial institutions identify this kind of activity, there could be a big picture behind it that they don’t readily see. So, reporting it could do all kinds of good. I encourage people to report things if there is no reasonable explanation for it.

Josh

I think that’s really important – that if you are a bank connecting those dots, it’s really just helping the government and investigators in the public sector, hopefully, start to piece that puzzle together. I know in the United States, there’s Section 314(b) of the PATRIOT Act, which allows financial institutions to talk to each other and maybe piece things together a little bit more before it’s turned over to the government or even with the government. Here, we have FMLIT in Hong Kong, which is a task force involving the police, the HKMA and the top 10 retail banks. So, those are definitely things – typologies and trends – that are looked at within that group.

I think also to your point around the nexus between fraud and some of the personal medical equipment that’s going on is, we have a raft of manufacturers in this region that are making PPE. Some of them may be sending the PPE to providers in the United States or other regions. It could either be not of the right quality, and you might be able to see that because of the amount of money they’re spending on the types of materials that they’re using, or because they’re diverting funds, or you might even be able to see some of these providers that are getting it paying exorbitant prices or paying really reduced prices. Those can yield some red flags.

Mike

That’s a great point. There is a human element to all this. Yes, you’re living in a world of finance, but there are people’s lives that are at stake here. It is really life and death here in the nursing facilities. If you can identify fraud and report it, then something can be done about it. It can actually help improve lives. It can help ensure safety for those residents who really don’t have anyone else looking out for them. That’s something that when you work in a financial institution, you may not see it. It may not be as obvious as when you’re working in the government, where you’re coming in contact with these families. You’re coming in contact with the staff who really care about their job, who really want to do the right thing. I do think it’s important to share with your listeners the importance of their work and what good can come from it in protecting the lives of those who really can’t protect themselves.

Josh

I think, definitely, your group is helping save lives in the pandemic and even before. I think that all of us, from our work in the financial crime space, whether it’d be some of the organisations involved in human trafficking here that are fighting against that and working to uncover typologies, or even some of the drugs and other illicit activity that can sometimes go through a financial institution – people that are working and looking at alerts or working within the Financial Crime Compliance Department can be on the frontline of preventing that.

Mike

I couldn’t agree more.

Josh

In this new environment, what can financial institutions do to spot fraud more readily?

Mike

That’s a good question. I would just say the old rules apply here. You look for reasonableness. When there’s something unusual happening, try to identify a reasonable explanation for it. Knowing your customer, knowing what’s expected activity in the account, yes, that is drummed into everybody’s heads. I know that, but it’s true. If you know what the customer does, if you know their source of wealth and you know what’s expected in the account, what’s different going on from those expectations, that should trigger a review.

I know realistically, folks, that there are so many alerts generated. There is always pressure to review them efficiently and expeditiously, but there will be the occasional alert that really deserves a deeper dive. Looking at what’s reasonable, looking at the customer’s profile, I think is a good place to start. In government, also, we have access to some information. I’m sure some of your listeners are saying, “Look, we don’t see how providers are billing. It’s not really within our wheelhouse to see everything that one of our clients, if they happen to be a healthcare provider, is doing in their business.” I agree with that. You can’t see the whole picture. In government, we see the billings. Our data warehouse contains over seven billion claims, believe it or not.

Josh

Yes, it’s amazing. That’s an amazing amount of data.

Mike

Our data team has a field day with it. We can do all kinds of peer analysis. We can look at specialists – I mentioned that before. Our agency, we can request information. We can subpoena information. We can call people in and put them on the record under oath. We can see industry trends. We can see what’s going on with the peers over time in a particular healthcare specialty, and we can see if things are trending up or down and try to identify the root cause of that.

Financial institutions – of course, the focus is going to be on funds, movements of funds. Are there payouts? We mentioned nursing facilities. Are there payments to third parties that may be not at arm’s length when you investigate the owners of these third parties, and what are the explanations for those third-party transactions? Is there a lot of in-and-out activity? Are there spikes in income where you wouldn’t necessarily expect there to be? Those are some things that I think financial institutions see and they can look into – use it as a springboard into an investigation.

Josh
Sure. One of the problems – and you mentioned it right up front in your last answer – is that there is a vast amount of alerts that are out there. Ultimately, some of these rules-based monitoring systems are creating a haystack to spot a needle, but then, when you find that needle, you don’t want to be rushed to be able to find it. One of the things is, how do you get better at finding those real nuggets, or needles within that haystack, so that you can spend time on those, make the referrals, have those investigations? We’re starting to see it with some of the banks out here. Is there a way to potentially merge some of the monitoring activity that goes on from a transaction-monitoring AML perspective and a fraud perspective, for instance?
Mike

Well, I think there is. I also think that financial institutions really need to decide for themselves how best to do it. Merging two disparate groups is one approach. Offering some platform where there’s a cross-divisional communication going on is really what I think you’re after here. You want to share information. You want to use it as a training opportunity. In the two financial institutions that I had worked in, we had those types of efforts in both places. I worked in an environment that was very collaborative across divisions within compliance.

What does this do? Well, if you get these disparate groups together, you can understand the client better. That client is going to have different touchpoints. Maybe they are trading in one part of the financial institutions. Maybe they’re doing a banking activity. If you don’t see the whole picture, you don’t really know or understand that client’s activity holistically.

Can you do this with every customer? No, but you can do it for other ones that are hitting your radar regularly. You can say, “Hey, look, I’ve looked at this client using the tools that we have. Let me bring it to this other group and see if it’s hitting their radar as well. Maybe something happening outside of our shop is going on that can help explain benignly what I’m looking at – or maybe, alternatively, it would add suspicion to what’s going on.”

The other thing is, by having this cross-divisional communication, you get to talk about the rules a little bit more. I mean we’ve all sat through or given anti-money laundering training. You sit there for an hour, talk about the rules, and then you go back to your job.

Josh

That’s usually boring as hell because there’s nothing relevant to you within those trainings. One of the things that I always try to do when I’m giving training is make it interactive, tailor to the audience, but nine times out of 10, even when I have to take the AML training internally, whether I was at banks or whether even when I came here or at EY, I tell you, it’s just like watching paint dry.

Mike

Well, I hope I was an exception to that, Josh.

Josh

I’m not talking about you.

Mike

That’s OK, that’s OK. It’s so hard.

Josh

They’ve got all these computer programmes now. That’s like autotrain, and you tick the box.

Mike

Right. Why is this important, Josh? There are a lot of nuances. The people that work in those anti-money laundering rules – the financial crime compliance personnel who live and breathe these rules because they have to – they are responsible for ensuring the appropriate reporting of activity. They know this stuff. The people, the other folks around the firm, whether they work in compliance or not, are less familiar, because that’s not part of what they have to deal with every day. If you can get these groups together, you could share these nuances, and over time, people will understand it a little bit better.

If you were to ask people cold, like, “Hey, do you have to report a transaction even if it didn’t happen?” Let’s say a customer proposed to do something – it was an attempt at transaction – but compliance got involved, and they shared with the business, they discussed, and they said, “No, we’re not going to allow this to happen, because it would have been suspicious if it happened – it would have been a problem,” do you have to report that? Now, I don’t know.

I know in the U.S., the answer is yes, you have to report attempted transactions under certain circumstances. I don’t know about all the regions where your listeners are all located, but that’s the kind of information that financial crime compliance personnel can share. It’s usually going to be happening outside of a training, because it’s a nuanced thing. It’s something that you’re not going to get in a quick training programme.

The other thing is – and this is probably even more difficult, but more important to really gain appreciation for – the threshold of suspicion: When have you reached a reportable event? The people, again, that live and breathe these rules, they’re the ones that really have to understand when something is reportable. Josh, I think you would agree, they usually have a lower bar than other people around the firm will have. Many people say, “Well, that’s not really suspicious. We don’t know a crime took place here.” You might hear that. Well, you know what? Let government worry about whether a crime has occurred. As a financial institution, I would really strongly encourage people that if you’re even having a conversation about whether a crime might have occurred, that’s probably met a threshold of suspicion that requires reporting in most jurisdictions.

Josh

I think in pretty much every jurisdiction. Here in Hong Kong, proposed transactions, as well, would be reportable. I think your point about getting together and discussing issues across compliance teams or with legal or fraud teams across the financial institutions is really key. I have seen it also work well with the front office as well. A lot of times, front office people, particularly once they have really good training that shows that there is some activity that could be suspicious going on in their neck of the woods, will say, “You know what? I’ve actually seen a client” – or “I have seen a group of clients” – “acting differently than I would expect them with the market.” They ultimately refer behavior to you or refer activity to you, and, quite frankly, those are more beneficial, at least, in my experience than any alert you could get.

Mike

Excellent point, Josh. You asked me earlier, “What makes somebody good at issue spotting?” So, we could talk about at the individual level, and then we could talk about at the team level. I think it’s interesting to look at the composition of the team. If you have different perspectives, different backgrounds, on that team, I think that’s also very valuable.

We both have been in environments where this has occurred – where you have people who worked in the operations area of the firm come in as analysts looking at transactions. They have a great appreciation of how things work operationally, and they have a unique perspective of what would be unusual, I think. We’ve had businesspeople, relationship managers, work in financial crime compliance also very successfully because they’re coming in it from a perspective from the client: Would a client want to do this? Would they want to do that? What would be in it for them to want to do something like this?

Josh

Absolutely.

Mike

I think talking about what you’re looking at – talking about the risks, sharing the risks, whether it’s cross-divisional or within the team – it’s always good to have a diverse cross section of staff doing this work and talking about what they’re looking at.

Josh

One key area that I have seen, at least in the last couple of years, is trade finance. These guys who work in the trade finance space know all the products. You could take an AML person to the end of the earth, and they will never understand all the trade finance products. They might understand the risk. They might understand overinvoicing and underinvoicing, but they’re never going to understand these products. I’ve tried for several years now – read papers, try to learn. You can’t learn just by looking at suspicious activity all the time. You need that insight from somebody who’s actually done the work a lot of times to be able to make sense of it, or even complex trading issues.

Mike

It’s good to know your limitations. It’s good to be OK with that and do something about it. Sometimes it means talking to the right people, and sometimes it means hiring those people to help you walk through the thicket that we live in.

Josh

It’s like the basketball adage – I know this from experience – you can’t teach height, so my basketball career was pretty much over after grade school.

Mike

The other thing I just – one final thought on this cross-divisional communication is, I think it helps develop your staff professionally to expose them to other parts of the firm and give them an opportunity to learn those things. Maybe they don’t become the trade finance experts, but you know what? I worked with someone who went on to become an investment banker. I worked with people who went into other roles in the firm or outside the firm, seeking other opportunities because they got the tools. They learned a lot about the other parts of the firm, and being exposed in financial crime compliance to other areas, I think, sets you up for a good, sound career whether you stay in financial crime compliance, which I believe offers many opportunities for career growth.

In some cases, people will move on. You want to encourage that and not discourage that. I always felt that you don’t want to keep people in their place by limiting the opportunities for growth, because then you’re going to have what? You’re going to have a bunch of dissatisfied staffers who are going to stick around anyway. That might be a little controversial for hiring managers to hear, but there’s an opportunity to share opinions, and that’s mine.

Josh

Sure. I think you want your – being a good manager is about having your staff grow and giving them opportunities. You mentioned somebody that started out in financial crime compliance, but I haven’t thought of the guy for years. Chester Lui – he went from being within financial crime compliance at Goldman. He’s a private banker now, and he’s moved on to a couple of institutions. Now, I hear he’s got a pretty good book. I haven’t seen him since. Chester, if you’re listening, I’d love to get together for lunch.

Mike

I would, too. It’ll probably be cold by the time it gets to me, but –

Josh

We’ll have to fly you out here in private. Maybe we can get you a plane.

Mike

Josh, I am with the government, and that’ll be prohibited –

Josh

Oh, that’s true. That’s true.

Mike

But I appreciate the offer.

Josh

That’s true. So, some final thoughts: I think we covered a lot of ground in the podcast – a lot of great insights – but just some final thoughts from you, Mike.

Mike

Well, first, Josh, thank you for having me. This has been a fun experience, and I didn’t really know what to expect. This has been really fun putting on my old hat a little bit, sharing a little bit about what we’re doing at the New York State Attorney General’s Office in our Medicaid fraud-control unit. I hope that your listeners found some of that interesting. Look, the work that your listeners do, it's invaluable. The SARs, when they’re filed, can do so much good to alert law enforcement to activity that would not have come across otherwise. So, it’s really important what you’re doing. So, keep it up, and I mean that. That’s not hyperbole.

No one sees the whole picture. You think, government, oh, we’re all-seeing. No, no. We don’t see it unless you bring it to our attention in some cases. It’s being the good citizen, some people call it, but it’s really important work, and I know – and many people in government know – how difficult that job is. We talked about some of the challenges, and there are others, but you should know that your work is important and it’s meaningful. There is an outcome. There are people’s lives that are impacted by what you do.

Keep up the good work to the extent that your rules permit this. It is permitted in the U.S. to make what we call affirmative referrals: Pick up the phone. Call somebody in government. Alert them that an STR or SAR has been filed, because Josh, you touched on it earlier – there’s been a significant increase in filings over the years, and it’s very tough. It’s not like I mentioned about in the old days, when our group would read every one. We couldn’t do that today, realistically. They are going to be really important ones, filings that might not be seen by anyone.

So, if you feel you came across something important, certainly, in the healthcare sector, that’s something we’d like to hear from you on if your regulations permit it. When you do file, give all the information. I used to think of myself as sort of a news reporter: What information does a reader need to know to really understand what happened in this situation? What are all the relevant factors? Who, what, when, where, and why? Not like, “Let me just write as little as possible so I get credit for filing.” No. That’s not so helpful. Adding the color – there could be more information known about the entity that you’re reporting on that the government’s aware of. So, the more information you provide can make the information get to where it needs to go, and you’re more likely to get the right outcome. I know it means more work, but that makes it a more meaningful process, and we all want our work to be meaningful.

Josh

Yes. Absolutely, Mike. I think how many times, when we’re looking at an investigation or reviewing a client, and something as small as an address or a matched phone number or a client account that might be related in some small way because they received some transactions from there make the difference in an investigation. Really trying to put all that information really helps any investigator. It helps the government definitely, from when I had spoken with the regulators and yourself.

Mike, I really appreciate you coming on the podcast. Thank you very much. I look forward to catching up with you again soon.

Mike

Thank you, Josh. I look forward to coming back next year and talking about some of the cases that we brought during COVID.

Josh

Maybe you’ll be able to travel over here, and we can do it live.

Mike

There you go again. I would love to as a private citizen.

Josh

Yes. That’s great. Thanks a lot, Mike.

Mike

Thank you, Josh.

Episode 4 – Prepping for a Monitor Visit or Regulatory Review

In this podcast, we're catching up with Henry Yu, head of financial crime for the APAC region at Natixis to discuss best practices when it comes to planning for a monitor visit or regulatory review.

Josh

Hello, everybody. Good day! This is Josh Heiliczer here on the Protiviti podcast. We’re focusing on risk and compliance issues, today. I’m a managing director here in the Hong Kong office of Protiviti, and I lead the Risk & Compliance practice for Greater China, and I’m the subject-matter expert for financial crime compliance.

It’s great to have Henry Yu with us today. Henry is the head of financial crime for the APAC region at Natixis and was previously involved in managing the monitorship for HSBC here and out in Asia. He has had a number of prior roles at Credit Suisse, Goldman Sachs, with the Hong Kong police — very well distinguished. Also, I should add, he’s a professor, teaching a class at HKU. So, Henry, it’s great to have you on the podcast. How are you doing today?

Henry

I’m good. Thank you very much for your invite, Josh. Thank you very much, indeed. It’s my pleasure. It’s my honour to be with you today.

Josh

Excellent, Henry. So, we’re here to talk about preparing for a monitor visit or a regulatory exam. It’s a big topic these days. Although it seems as though our regulators are now moving to some virtual exams, they still are coming on-site as well. So, what do you need to do to prepare for an exam? You have a lot of experience with this at HSBC and now at Natixis as well, so I’m eager to hear your thoughts.

Henry

Thanks a lot, Josh. Now, before I answer your questions, if I may, I have to do a standard disclaimer. What I’m trying to share with everyone here in this podcast is from my own experience. It’s nothing confidential, so nothing related to particular incidents or particular facts that I have been working on with various banks. It does not represent any of the positions of any of the banks, including the one that I’m working on at the moment.

So, your first question, if I hear correctly, is, “How do we prepare for different types of examinations — either monitor visits or regulator visits?” Before I answer this question, we need to understand why your regulator is coming to you. To understand where they’re coming from is the first thing that is very important, and we need to know about it.

There are different scenarios. It might be just a regular visit. There might be a thematical review: You’re just one of those banks or financial institutions picked out by your local regulators. It might be because of certain incidents that have happened to your financial institution, unfortunately, that we see in different types of monitorship or inspections, per se. So, this is the first one. So, understanding what the regulators are looking for is the most important. There’s what we call the KYR — know your regulators — so this is just like a KYC. You need to understand where they’re coming from.

Then, the second thing we need to bear in mind, the fundamental thing, is to stick to the facts of what happened, because when we’re talking about different types of inspections, review or monitorship, it is a look-back exercise. It’s not about forward-looking exercises, it’s a look-back exercise. So, the rule of thumb is, stick to the facts — understanding the scope as well, understanding where they’re coming from — and understand the scope of your review or inspections or monitorship. That’s very important as well. These are the things that you need to bear in mind as well.

Third, it’s communications, early communications with the regulators or monitorship — understanding what they’re looking for. Most likely, normally, the regulator will come up with a list of questions or a list of expectations as well. So, this is the quick start on how to be first prepared for the visit, and second, internally, once you’ve got all this basic information, you need to mobilise different departments.

The regulator visit is, more likely, not only the compliance work. This is a very important concept. The visit is not just the work of compliance. You need to mobilise different stakeholders within the bank. For example, nowadays, and very importantly, all direct leaders around the world are talking about senior management oversight, so these are the key important things that you need to be aware about. You need to engage your senior management so that they are on top of that. You have the full support of your senior management both locally or regionally, or even globally, about an upcoming regulator visit or inspection. And then —

Josh
You mentioned senior management, and that’s really an important topic. Particularly, if it’s an unexpected or difficult request, how do you get their attention quickly, and do you want to prepare them through mock interviews, or how is it best to get them ready, particularly if they have to meet a regulator?
Henry

We don’t use mock interviews. This is something that we try to avoid, and, in some circumstances, it will become illegal and not allowable by certain regulators as well. If you’re doing mock interviews, the worst-case scenario would be somebody, when they’re being asked and being pushed, they say, “Well, my compliance guy told me to answer in such a way,” then we come to a very difficult situation. This is not what we want to see.

Having said that, we need to help them prepare and to understand what they are looking at. What do we have, because it’s a look-back exercise? What had happened, whether good or bad, or whether there was something that we have been missing, we were unable to perform perfectly as to what used to be. Just be open, have acceptance of this outcome. This is very important — not trying to cover anything up. That’s another key point, but, having said that, the most important thing is, if we can proactively identify any kind of shortcoming, what is the plan? Are we able to demonstrate to the regulator that this is something that we have already engaged third parties on that are working on it, for an improvement, and that’s a good story to tell — proactiveness, or sometimes you can always mitigate it in practice per se. This is the key.

Josh

Being proactive is definitely key. I mean, I’ve definitely seen it with a lot of the regulatory issues that I’ve come across, whether it be from when I joined Protiviti, or even before. I guess, in terms of being proactive, this is also an ongoing exercise. Even though the regulator might be there, it’s also some of that awareness in training. How do you generate that awareness, even before the regulator shows up, around some of the seriousness of the issues and preparing on an ongoing basis? As you’ve mentioned earlier, and rightly so, it’s very key to check what the regulatory expectations and guidelines are, particularly if you’re not able to engage in mock interviews.

Henry

That’s a very good question, indeed. At a high level, the culture is the key. If we look back to all the institutions — where they get into trouble of different kinds — they have something in common. Whoever the regulator is, it is also written in some of the regulations, if you look at how they determine the sentencings or the seriousness of the shortcoming or the offenses, it’s systematic error. People, they know it — that culture. So, when you’ve got this, that element, I would have to say that this is a big problem.

The question is, how do we try to avoid that? There are a few things: First of all, tone at the top. We always talk about it, about how we are making sure we are with the tone at the top, how we understand that. One of the very key and very important truths is what we call the risk assessment. From the AML FCC world, we have the institution of risk assessment, but even from the bigger compliance or even at-risk, we have risk assessment. The only recommended risk assessment or self-assessment is helping the financial institutions to self-identify where are the high-risk areas, where are the areas that they need to draw their attention to. And then the second truth is continuing testing, continuing reassurance, internal auditing as well. That’s a very important thing as well.

If there is an upcoming change in regulations, the basic truth for each and every compliance officer to do is to do an in-depth analysis of where your programme needs to be improved as well. So, in a nutshell, it’s a continuous risk assessment that brings up the awareness of the whole bank, and particularly the senior management is the key. The major banks, nowadays, they are doing pretty good in engaging, but I see that that’s where there were certain incidents where this exercise of risk assessment is still in very, very extreme cases, that people still think that this is only compliance work. No, it is not. It is the most important responsibility of the bank as a whole.

Josh
It’s a really good point. Tone at the top and conduct are really going to be focuses for all regulators globally. We’ve seen that recently in some of the recent risk issues that have happened within banks, and making sure that that risk assessment is there, refreshed, and senior management know about it and are aware of all those issues and how you are mediating anything that may have come up are really keys. Henry, I really appreciate you coming on the podcast today, and this is the Protiviti podcast.
Henry

Thank you very much, indeed. It is my pleasure.


Episode 5 – Unlearning to Run a Successful FCC Programme at a Fintech

Protiviti’s Greater China risk and compliance lead Josh Heiliczer delves into why Tencent’s Group Head of Sanctions and International Anti-Money Laundering, Henry Chan, transitioned from a career in Corporate Banking to Compliance and how the tech giant manages financial crime risks.

Josh

Hi, how are you doing? Good day, this is Josh Heiliczer. I’m the managing director here at Protiviti in Hong Kong, in Greater China. I lead the risk and compliance practice over here, and I’m glad to have you on my podcast again. I have Henry Chan over here from Tencent. He is the global head of sanctions and anti-money laundering controls over at Tencent, and I really appreciate him joining us today. Thank you.

Henry Chan
Henry
Thank you for having me in this podcast. It’s my privilege to be speaking here.
Josh
Excellent, Henry. Great to see you. So, we have a lot of compliance professionals listening to the podcast. Would you be able to discuss your current journey going from particularly HSBC in the banking world to Tencent, which is clearly - that has payment operations, not a bank?
Henry Chan
Henry

Okay. So, in terms of my career journey, I spent the first 10 years of my career as a corporate banker at HSBC before I made the transition into financial crime compliance. So, I found my experience has a lot of impacts for me as a compliance specialist because I could really analyse each circumstance from both sides of the coin. So, I’m able to picture how every recommendation the FCC department makes will impact the business as well as the customer. So, with that mindset, I was able to build very good working relationships with the business stakeholders, and that’s one of the top assets that any FCC practitioner could have. Not on the line, HSBC has been an amazing platform for me to hone my skillsets as an FCC specialist. I was given the opportunity to lead the monitoring and testing division, and I also lead the AML functions for the bank in Hong Kong. So, for those roles, I oversee the role of the good financial crime global standards, the large-scale FCC remediation exercises, the revamp of the TM investigations and STR processes, and also to set the golden standards for FCC testing across the APEC region. So, in 2019, I left HSBC to join Tencent and became the group head of sanctions and international AML. Overseeing the FCC matters for Tencent across all the international businesses, and that includes both the FinTech as well as the non-financial internet-based businesses in over 50 countries. So far, it has been a wonderful, yet challenging journey as the company is aggressively expanding more and more into the international markets through the globalisation of this very strong existing [Audio Gap]

Josh
You make a really good point. A really interesting point for people in our podcast of your career journey – how do you go from being a corporate banker to working in the AML space? When you started out as a corporate banker, I’m sure you didn’t say, “Wow, I’m going to compliance at some point in time.” I know when I was starting out, a lot of the bankers used to view the compliance department and financial crime as the business prevention union.
Henry Chan
Henry

Yes. I get that question a lot from both my team members and people I’ve spoken to, and people I work with. Of course, when I started my career, I did not plan to spend, say, 10 years in corporate banking and then switch on to FCC. When I started banking, FCC did not even exist. So, I think I’ve had that transition at one point, when I had this project where I was sent to New York, in fact, as a corporate banker to work on the designing of the STR investigation process for our corporate banking relationships. So, at the point, I thought, “Okay, people I worked with were really good compliance specialists; they’re lawyers, they’re accountants, they’re auditors.” But one thing I realised; they had no clue about the business itself. So, I saw there’s actually a lot of value that someone coming from business with the experience of the customers and the products to work in the compliance space. So, that’s where I drew my interest and thought, “Okay, I think I have leverage going into compliance and do a really good job there.” So, that’s where it triggered my transition thought.

Josh

Look, it’s definitely something that broadens your mindset when you’re looking at compliance issues and risks, particularly if you understand how the business works, you understand what’s normal activity and what’s not normal activity, how you really get in contact with a client as opposed to sending them an email that ends up in their spam folder. So, those are really key, I think. So, now, you’re working with global remit around virtual payment channels and WeChat Pay; how many people are using that internationally; it’s an amazing product for gaming. How do you go about understanding the risks for all of the areas that you’re operating in from gaming to virtual payment channels and all the different jurisdictions you’re operating in?

Henry Chan
Henry

Yes, that’s a very big question. It’s something that I need to tackle on a daily basis right now, and sometimes it keeps me awake at night. Well, on the surface, it’s really daunting to imagine how any team could go about understanding and localising the financial crime risk associated with over 50 countries. Without revealing any trade secrets, of course, I could share with everyone the approach that I’ve taken in managing the financial crime risk of this massive portfolio. So, at the group level, I maintain a set of AML inspection standards that will be used as guiding principle to all the group activities globally. The standards are fairly universal and based on rules and regulations standards across major jurisdictions such as China, Hong Kong, EU, America, etcetera, etcetera. So, on top of that, we also have a methodology on how to risk rate all the 250-plus countries in the world. So, that gives us a good idea on where we need to avoid doing businesses with from a risk management standpoint. In terms of the countries that we have business exposures in, I would broadly categorise them into three buckets, each with a unique approach to risk management. So, the first bucket is markets where we have an actual presence in. So, it could mean that we have a physical office on the ground, financial licenses acquired, or material business operations in the local markets. So for these markets, I would have actual compliance officers on the ground to support the AML activities. These would be individuals who have good knowledge of the local risk and good relationship with the local regulators. So, we are constantly on top of the landscape. A second type of market we have is where we have indirect business participations in, and we do not have an actual office or financial licenses locally. So, for example, in some markets where we have standards or payment services to the local markets, but we rely on local third-party institutions to facilitate transactions.
While our exposure to these markets is indirect, we still need to manage the financial crime exposures through understanding and managing our local institutional partners. So, we have a set of stringent standards for the selection of these local institutional partners, as well as a robust systematic approach to continuously monitor their activities to ensure that the risk that we’re exposed to does not exceed our [appetite] in each of these markets. The third and final type of market that we have exposure in is those that we don’t have any local participations in. As an internet company, it’s inevitable that our customers and end users are located all over the world. So, for these markets we have to – first and foremost, I’m sure that users from comprehensive sanctioned countries are not allowed access to our products and services. This is technically achieved through IP blocking technologies. On the other hand, we also need to have monitoring controls in place to detect irregular activities coming from pockets of IPs or countries where we think we’re in suspicion. So, in conclusion, above all these measures and controls in place, it is critical that we have good understanding of the risk profiles of our products, sufficient transparency to our customers’ profiles, awareness of the latest financial crime pathologies, and then distilling all of those into appropriate controls.

Josh
Yes. Look, it’s a vast new universe clearly from the time you got into banking to now working at a company like Tencent. It’s clearly a completely different type of offering, risk profile in countries that you’re operating in links back in to maybe your experience in HSBC as well where you ran the monitoring and testing programme over there. How do you run a good monitoring and testing programme, and how does that change now, maybe that you’re at a place that is operating in so many different markets?
Henry Chan
Henry

Okay. Let me address the second part of the question first. I think it’s an important learning point I had and actually something I could share with everyone. Making the transition from a traditional bank to an internet company, although doing seemingly the same job in compliance, financial crime compliance in specific. I think coming into Tencent, I had this mindset being a lifetime banker, I thought, “Okay, things should happen just like how the bank should. Oh, we should have this control in place. We should have this policy in place. Oh, things don’t work like that from the bank.” I used to say that a lot in meetings. “Oh, things at HSBC works this way.” But then I realised the longer I spent in this company, the more I realised that they’re actually a completely different organisation. One thing that I have to do and consciously remind myself is I have to unlearn everything that I’ve learnt in HSBC. [Laughter] Once you get through that point, you unlearnt everything, then it distills down to your understanding of risk. The true nature of risk doesn’t change wherever you go. Which organisation, financial, law financial, banks, internet company, any corporate; risk is risk. Once you have that appreciation, understanding, and the skillset to analyse risk, that is actually universal, and it’s applicable in any place you go to. So, I went through that process of unlearning, and then realise I still have the skillset with me, and then learnt the entire new process again with that skillset in mind.

Josh
It’s really interesting you mentioned the unlearning point because you look at a lot of the ways that traditional financial institutions are now trying to set up virtual banks, digital banks, whether it’s HSBC, or now Standard Chartered or any other virtual banks in Hong Kong. A lot of times, you see them trying to separate from the rest of the bank because they don’t want to have that legacy of knowledge around how the bank was operating. It’s interesting to hear you say how that extends to financial crime risk, sanctions risks, a number of different risks because you’re right; you got to spot the risk, obviously. That issue spotting, that risk assessment, that knowledge is always going to be key. However, it’s going to take a different form at an internet company, a FinTech, or a gaming company as well.
Henry Chan
Henry

Right. Right. So, yes, it would be a major flaw if you try to run or manage a financial crime programme of, say, a virtual bank or a non-bank institution, just like if you were running it as a bank, especially a very large and traditional one.

Josh

Sure.

Henry Chan
Henry

That took me a while to get adapted to, and it’s one major learning for anyone who’s going to make these types of transitions.

Josh
Yes, that’s great. Henry, I really appreciate your time. It’s been really great catching up with you. Thank you for joining us here on the risk and compliance podcast of Protiviti. This is Josh Heiliczer, and I hope you will be with us next time as well.
Henry Chan
Henry

Thank you, Josh. [Music]


Episode 6 – Running a Successful Financial Crime Programme in Financial Services

Josh Heiliczer chats with Scott Burton, the APAC Financial Crime Head at Deutsche Bank. Scott delves into why persistence, transparency and a holistic view of Financial Crime are imperative to run a successful programme.

Josh

Hello and welcome to the Protiviti Podcast on Risk and Compliance. I’m Josh Heiliczer, Managing Director for Risk and Compliance here at Greater China at Protiviti. I’m glad to be joined by Scott Burton from Deutsche Bank. Scott is the APAC Anti-Financial Crime Head and, previous to that, has a lot of experience at a number of different institutions here in APAC. So, really happy to be with Scott today. Thank you for joining us.

Scott
Hi, Josh.
Josh
Scott, a number of compliance professionals are listening to podcasts. You have a really distinguished career going from Australia. I think last time we talked about how you had those boots coming from a rural farming area in Australia to ultimately London, Hong Kong, a lot of different places, and you were head of Financial Crime at Credit Suisse globally. Then you went over to JP Morgan and now you’re at Deutsche Bank. Can you just tell us a little bit about your career journey?
Scott

Yes, sure. Not so much of rural farming area but a beach area, somewhere that’s pretty relaxed, pretty laid back. So, I would have to say that this career wasn’t something that I would have anticipated when I was thinking as to what I wanted to do when I grew up, that’s for sure. I think the career journey particularly into financial crime was one that first started a little over 20 years ago. So, I had an opportunity to do some project work. I was working at a consulting firm prior to joining what was Credit Suisse First Boston in Hong Kong and that was to - and establish a KYC programme for the bank in Asia. I thought, “Look, this sounds great. It sounds like a good opportunity to be an in-house project person. I’ll do it for a year or two and just see what happens from there.” So, a little bit ad lib, but this was just prior to September 11, the Bali bombings and all that stuff in the early 2000s. This was in the late 90s and I had no idea what was happening next and I thought that this would be something that would just be a stepping stone into I’m not quite sure what, but an opportunity to work in Asia and to broaden my horizons. I did this project and that was in conjunction with the compliance and operations areas, establishing a KYC Control framework for the bank across all the jurisdictions that they were operating and analysing the rules and regs and making sure that we had, as part of the account opening process, collecting the right documentation. This was at the very early stages of what everybody sees as normal course of business these days. That’s where I first got into this area and it was off the back of my previous consulting experience, due diligence experience with consulting firms. I had worked on the investment banking side as an analyst. This is where I first landed and jumped into this area.
It then sort of rolled on from there as a result of developments - September 11, Bali bombings, et cetera, where the organisation that I was working with at that time realised that they needed compliance people in this space. So, it was pretty much green fields. I was the person in Asia to be full time in this area. It’s always a part-time role for people that were doing broader compliance roles. Then it just grew from there. I joined the compliance function at CSFB. They all grew to cover all of the Credit Suisse here in the region including the private bank and then ultimately to become the global co-head for financial crime at Credit Suisse. I then moved on to JP. That was a role that very much involved transforming the Financial Crime Programme there which was a challenge over a four-year period, developing a team, making sure that we had the right controls in place. I think everybody would be aware at that point in time they were under a lot of scrutiny from the regulators in the US and I needed to develop the Financial Crime Programme and my experience helped to make sure that the right controls were put in place, a team was built and that was certainly an enjoyable experience. Deutsche Bank, I’ve been there for four years now, the regional head of Financial Crime, and again working very hard to continue to improve the programme there, to develop the team, to make sure that we got the right controls in place and that’s effectively been the journey over the last 20 years now.

Josh
Yes, Scott. I think that’s really great. I find, from my experience, my career as well, different projects that I have done whether it was exposure to transaction monitoring early on or working in a different area when I was exposed to correspondent banking at Citi and Bank of America. Those types of transformation projects, I think, for a lot of young professionals are really keys to understanding where your niche might be within the financial crime field, understanding whether or not it might be the right place for you, but also having the ability to be versatile in your skill set as well. So, it is really important. You mentioned projects and transformations. One of the things that I think is really difficult working out here in Asia, I’ve seen it now in the over 10 years since I’ve been out here is that if you were working for a bank that’s headquartered in the US or Europe, it’s not headquartered necessarily in Asia or in Hong Kong, it can be very hard to get your needs prioritised just because you’re in a time zone out here in the Far East and the regulator might not be breathing down your neck as hard as it might be breathing down your neck in the US or Europe or UK. So, how do you go about really getting your needs prioritised in the global agenda and what you need to run a successful programme?
Scott

It’s always a challenge and I think there’s a number of things that you need to consider, a number of things that you need to do and just going through them and just off the top of my head, I think planning is important, persistence, clearer articulation, making sure that you can articulate the pros and cons, the cost and benefits of doing something or not doing something. Just going back to these, I think planning, I spend quite a bit of time thinking about what we need to do here in the region. If we can’t get technology at the time that I would like technology here in the region, what do we do to mitigate the risk? Making sure that you’ve got a clear direction and a clear strategy here in the region, being persistent with our global colleagues and counterparts in terms of making sure that the agenda that we have here in the region is front and center for them too and for it not to drop off the table, making sure that I get the management’s support here from the business here in the region, to make sure that our needs are met is also an important criteria or important thing to do as well. Reiterate again that look, it is a challenge and sometimes it could be fires burning in other regions that puts your needs further down the list, but as I mentioned before, persistence is key. Then when you’re putting your business case forward, making sure that you’ve outlined what the pros are, what the cons are of doing things. What the costs are, what the benefits are? You’re making it clear everybody’s aware of that if we don’t do something then this is what a potential outcome would be and is everybody comfortable with that? It could be much easier. You could have some regulatory pressure to do something here in the region and that obviously makes things a lot easier to push through.

Josh

Sure. In terms of Asia itself, Asia is really a growth area for Deutsche Bank clearly now. Everybody is trying to move in to China on a more greater basis at this point, hiring from a business perspective is moving forward. How do you liaise with the regional regulators say MAS or HKMA or others on some of your regulatory priorities? It might be true that out of overseas – and I know when you were at JP Morgan you were working significantly on the US OCC issues. How do you deal with that? How do you let them know what’s going on and how that’s going to affect Hong Kong, Singapore or other areas in Asia?

Scott

I wouldn’t say it’s a challenge per se but it can be complicated in terms of being able to clearly articulate the situation. I think it’s very important to be as transparent as you possibly can. Sometimes there’s restrictions as to what you can and cannot say from a legal perspective but working with your global counterparts to be as transparent as you possibly can in terms of what the issues are and what, if it’s a global bank, is doing from the global perspective to deal with the particular issues that they have, and how that specifically impacts a local jurisdiction. Sometimes, to draw that out all global projects, sometimes it’s very easy to, sometimes it’s not so easy to, and to be able to do that promptly, and to be as comprehensive as you can, and the way that I’ve always tried to do this is to organise it in a way to say, “This is what we’re doing from a global perspective.” In addition, these are some of the things that we’re looking to do regionally which will impact this particular jurisdiction. Here’s some specific things as well that we’re trying to do from a local jurisdictional perspective and try to put that plan together to make it more clear as to how everything fits together.

Josh
Yes. I think, Scott, you made some really great points in terms of how you’re able to prioritise and work with regulators and one of these that I’d like the audience to take forward most of all especially if you’re working the Risk and Compliance space then in Financial Crime is that really these regulatory projects are great opportunities for you from a career perspective. You can learn so much. You can learn and liaise with a lot of different stakeholders, much more than if you’re siloed and working in a particular space, maybe covering an area or aspect of financial crime. So, I would say to you, if you can volunteer to take some of these projects up and work on them, that will be time consuming but it will also be very rewarding from a knowledge and a career perspective going forward.
Scott

I agree. I think what I encourage is for people to take stretch assignments where they can. I think, from a career development perspective, that it’s really important to get exposure to as many areas of financial crime as you can. I think just because of the way that our area of expertise has grown that people have become very specialised in sanctions or in bribery and corruption, for example. There’s not a lot of people out there that have more understanding of the different areas of Fin-Crime. I think it’s okay also to be as strict as they may in a certain area but there is also certainly demand for people, and particularly as you get more senior, you have to really have experience across the variety of areas in Fin-Crime and this is the way to do it.

Josh
Sure. I think the best transaction monitoring investigators or analysts, the best KYC analysts, the best people working on source of wealth or sanctions are those people that are able to look at things at an interrelated and interconnected level, and maybe they’re able to spot a risk factor whether it’s fraud or a bribery and corruption case from looking at something that might be an alert in a different context or a red flag in a different context, and building on those cases.
Scott

Holistic view is really important and then it even extends further to some of the other risk-types outside financial crime as well and people with that ability to identify those risks, that’s where there will always be a demand for people with that skill set.

Josh

Absolutely. You heard it from Scott first. That’s how you can make yourself valuable in the AI and computer age. Scott, thanks a lot for joining us here on the Risk and Compliance Podcast at Protiviti. This is Josh Heiliczer and I’ll be with you next time. Thanks a lot.

 
