PODCAST SERIES: Navigating Risk


Protiviti’s navigating risk podcast series brings together our Hong Kong risk and compliance experts as they share insights designed to launch you into the future of risk management and transform your organisation from the inside out.

Episode 1 - Decoding the Hong Kong-Related Sanctions Programme

In this podcast, we talk with Nick Turner, a sanctions attorney at Steptoe & Johnson here in Hong Kong, as he tells us the most common questions his clients ask about the Hong Kong-related sanctions and their effects on Hong Kong US dollar clearing.

Josh Heiliczer
Josh

I'm Josh Heiliczer, Greater China Risk and Compliance leader in Asia Pacific financial crime compliance subject matter expert for Protiviti. This podcast will seek to bring interesting perspectives to critical risk and compliance issues facing financial institutions in Greater China and across the region. The goal is to provide these viewpoints to you in a concise manner, likely alternating between a guest Q&A format and Protiviti adds some of the insights. The views expressed do not necessarily represent the views of Protiviti or its guest. The information is not intended to be legal analysis or advice. Listeners should consider the unique circumstances of their own companies and consult with counsel before taking any decisions.

Connect with me on LinkedIn if there is a topic you would like the podcast to focus on in the future. I’m looking forward to beginning this journey with you today and our first guest, Nick Turner, a sanctions attorney at Steptoe & Johnson here in Hong Kong.

Nick, thanks for joining us here on the podcast here with Protiviti. What are some of the key questions your clients are asking about the Hong Kong related sanctions?

Nick Turner
Nick
Hi, Josh. Thanks for having me here today. This is a really good question. We’ve had a couple of weeks now since the sanctions were announced against 11 Hong Kong and PRC government officials. These are what we call “blocking sanctions,” which means they result in an asset freeze of any property or interest in property of the designated individuals when that property is in the United States or within the possession or control of a US person. So, that’s the first key question. What do we do with property or interest in property of these 11 officials? The answer is if you’re a non-US financial institution, you have to ensure that when you deal in that property, for example, a wire transfer, it might be landing a deposit account, or another kind of financial service, you’re not involving US persons or the US financial system, which basically means US banks. If you do that, it could be a violation of the OFAC prohibitions. The other thing people are very concerned about is the Hong Kong Autonomy Act. Because the Hong Kong Autonomy Act in Section 7, provides for what we call “secondary sanctions” against foreign financial institutions that “knowingly engage in significant transactions with individuals who are identified under the Hong Kong Autonomy Act.” Now, what’s interesting is that the executive order that was used for these sanctions and the Hong Kong Autonomy Act are two separate documents. So, what we’re really waiting for is another report to come out under the Hong Kong Autonomy Act, and on the basis of that report, financial institutions will know who the individuals or entities are that could lead to secondary sanctions. So, you can see there’s a lot of moving parts and it’s pretty complicated, but I think most banks in Hong Kong have great advice and have done a good job so far of responding.
Josh Heiliczer
Josh
Great. That’s really a lot of information actually to take in just in that question. One of the questions we’re getting from a lot of our clients right now is, what effect it would have on the Hong Kong US dollar clearing? So, the local interbank clearing of US dollars.
Nick Turner
Nick

This is one of the biggest misperceptions about OFAC sanctions. A lot of people think that OFAC sanctions apply to US dollar transactions globally, but that’s actually a little bit misleading. OFAC sanctions are focused on US persons and that includes US companies, US financial institutions for example, but they apply regardless of currency. So, you could have a Hong Kong dollar transaction which takes place in Hong Kong but is processed by the branch of a US financial institution, and that would be subject to OFAC sanctions even though it’s in Hong Kong dollars. If we flip that on its head and we imagine that we have a transaction in US dollars, but it takes place entirely outside of the US financial system without the involvement of US persons, that actually is not subject to the executive order or to most OFAC sanctions. There are some exceptions, but this isn’t one of them. So, when we look at local clearing in Hong Kong, the question we have to ask is not what the currency is, but who are the banks involved and the persons involved. If we have US persons, that’s something that OFAC has enforcement jurisdiction over. If we don’t, then it falls outside of that jurisdiction.

Josh Heiliczer
Josh
Great. So, it sounds like there are some limitations around the sanctions. I would assume a lot of your clients are coming to you for some advice right now. Once you get some of that legal advice and once you provide some of that clarification, how is it getting implemented? I mean for example, when we’re talking about the sanction names, a lot of banks will go for a Big Bang approach and say, “Okay, names on the list,” and so, it doesn’t matter where the transaction is or how it’s occurring, it’s going to flag an exception.
Nick Turner
Nick

Right, and that’s one of the things that’s challenging about this particular sanctions program. So, we know that when OFAC issues sanctions under some programs like the North Korea or the Iran program, you’re right. A lot of banks will just look at the names on the list and make an easy decision to do no business with them. That’s more complicated with the Hong Kong sanctions and some other sanctions programs where companies are more likely to have business with those individuals or even want to continue doing business with those individuals for one reason or another. In that case when it comes to implementing the advice, it really requires a financial institution or any other company to understand from an operational perspective where their touchpoints are with the US financial system and with US persons, and to make sure that they have excellent controls to manage that risk. It’s a level of operational understanding that some companies don’t have yet, but I think they’re going to have to develop it as US sanctions become more complicated and apply it more and more in Hong Kong. It’s just something we’re going to have to learn.

Josh Heiliczer
Josh

We’re getting a lot of questions from clients around how to operationalise some of the advice that they’re getting from attorneys like yourself or internal counsel that they might have. I think one of the key areas is really around or handling given the additional volume of exceptions particularly for those types of banks going through a Big Bang approach. Being secondly, what we’re also seeing is reviews of customer information for potential nexus, and while some banks have digitized a lot of this information, we’re still seeing a lot of paper valid reviews. I think finally, we’re also seeing can you ringfence some of the relationships from some of the potential transactions that might be prohibited or even maybe closer to the line. I guess one other factor that we’re seeing now is how can you plan ahead? You mentioned initially is sort of another report coming out around the sanctions in terms of how they’re going to be implemented, but how can you plan for some of the new potential sanctions where the potential risk that might come out of these sanctions in the future once they’re clarified?

Nick Turner
Nick

Well, you’re right that there’s a lot of uncertainty about sanctions. I think a great example has to do with the WeChat executive order that was released surprisingly on August 14th. We’re still waiting to find out what that means. What it demonstrates is that the White House and the US government in general have a lot of authority to create sanctions and other kinds of restrictions virtually out of thin air in order to respond to international developments. So, one thing that you have to watch, if you want to try to predict where sanctions are going, is developments. You have to be very sensitive to politics and to international relations, you have to pay close attention to the US-China relationship and try to listen to what both sides are saying.

There is some good news though. This administration, in particular, has been very good about signaling where it’s going. A lot of the things that have happened in recent weeks weren’t really surprises because we had some advance notice. Sometimes, months or weeks of notice, that some of these things were going to happen. While we didn’t know the specifics, we were at least able to start thinking ahead, planning, and mapping out for our clients where they needed to have certain controls. So, there is something that you can do even if you don’t know all of the details today.

Josh Heiliczer
Josh
I think one of the things we’re seeing with a lot of our clients, we’re advising a lot of clients, is really first and foremost, conducting a risk assessment looking for some potential exposures. I know a number of banks who are looking through their large corporate books, looking at things like suppliers, where there could be some impacts, and whether or not there might be a need for a potential look back on some transactions, or additional backlogs in terms of sanctions exceptions, and needing to do some backlog clearance, so we’re actively talking to clients who are on that as well. So I guess, maybe just to sum up, Nick, I mean, where do you think things are going and what are you looking in terms of your clients’ advice and how they are handling it?
Nick Turner
Nick
I think what we’re watching for above all is for information to come from the US Treasury Department on some of the key terms in the Hong Kong Autonomy Act, how they plan to handle those reports that I mentioned, and how financial institutions in Hong Kong can demonstrate a certain level of compliance with the US sanctions that will help reduce the likelihood that they’re going to be targeted for secondary sanctions by the administration. Of course, we’re all watching to see what happens with the US election. If we have a new administration, there might be some changes to some of these policies. Although, I think the general expectation is that the US-China relationship will remain largely where it is today, but hopefully, there will be some developments on the diplomatic front.
 
By the way, on Monday, the 31st of August, there’s going to be a webinar hosted by Dow Jones with me and Josh. We’re going to be talking about a lot of these issues, plus a lot of other things. So, I would encourage your listeners to tune in. It’s on Monday, the 31st of August.

 

Josh Heiliczer
Josh
Nick, I really appreciate you joining us. Also, I look forward to seeing you on the webinar next Monday.
Nick Turner
Nick
Thanks, Josh.

Episode 2 - Compliance in the Insurance Sector across APAC

In this podcast, Josh Heiliczer, managing director of risk and compliance for Greater China, Hong Kong and China and the financial crime compliance leader for Asia, discusses overall compliance in the insurance industry as well as sales practices with Zac Ezekiel, the Asia Chief Compliance Officer at Manulife.

Josh Heiliczer
Josh
Welcome to Protiviti Podcast. This is Josh Heiliczer. I'm the managing director of risk and compliance for Greater China, Hong Kong and China and the financial crime compliance leader for Asia here at Protiviti. I'm grateful to have Zac Ezekiel with me from Manulife. He is the Asia Chief Compliance Officer and really interested to hear what he has to say about overall compliance in the insurance industry as well as sales practices. Hi, Zac, really great to have you with us today. First of all, thanks a lot for coming onto the podcast. We really appreciate it.
Zac Ezekiel
Zac
Thanks for having me.
Josh Heiliczer
Josh
This is part of our series here at Protiviti and so we’re trying to now branch out and meet with some insurance professionals as well. I appreciate your experience over at Manulife, and one of the things I think that a lot of people listening to the podcast would be interested in as there are a lot of compliance professionals is your career journey. So, how you got to be the chief privacy officer or working at a Canadian bank to out here in Asia with Manulife, and now their chief compliance officer for Asia.
Zac Ezekiel
Zac
Yes, sure. I mean I had spent some time in Asia earlier in my career actually. I met my wife out in Asia and spent a really fun three years in different countries and in a different industry actually. After a while with the bank in Canada, my wife and I were kind of missing the action over out in Asia and it was a good time in my career to try and change it up. So, I did want to make sure that I ended up with a company that had a sound compliance culture and I knew some folks from Manulife, so I had a couple of conversations and eventually a compliance role in Singapore came up. So, my wife and I sold our stuff and packed our bags and moved to Singapore in 2014, and from there just sort of progressed to the compliance organisation within Manulife.
Josh Heiliczer
Josh
Wow. It’s interesting. I know, when I moved out here, selling all the stuff, you get everything on the boat coming out here so it’s definitely an experience moving out here. So, one of the things that we’re discussing is that you’re really focused now in looking into sales conduct risk, sales practices. A number of financial services firms are looking at that, specifically for the insurance sector. What are the risks around that?
Zac Ezekiel
Zac
Sure. I mean, I think it’s useful to sort of step back and think about why financial services companies are putting the focus onto - including insurance, are putting their focus onto sales conduct risk that they are, and I think there’s kind of, as in many things, a bit of a carrot and a stick happening. The stick is, as you know, there have been some big scandals with banks that were selling products to customers that didn’t even appreciate that they were buying the products, opening accounts, credit cards, things like that. I think the fear for any financial services company is that your sales aren’t real, that your customers aren’t buying what they think that they're buying. So, we all want to make sure that we’ve got the best possible experience for customers. But there’s also I think a carrot aspect to that, which is all of us, insurance, the modern life insurance industry is about 250 years old. We have been, traditionally, pretty set in our ways, pretty paper-based, pretty in love with our own way of doing business, and I think companies are focusing more on getting close to the customer and ensuring that there’s a good customer experience. So, I think what you're seeing now is a great marriage between the focus on the customer and legitimate concern about misconduct and wanting to make sure that we don’t have any of that in our environment.
Josh Heiliczer
Josh
I mean, one of the things with life insurance I guess, historically, as well is that you used to just buy a term policy. It’s term policy, you pay your premium. If something happens then you get the benefit or your family gets the benefit. Now, in the world of annuities and returns and investment linkages, you have situations where, for any insurance firm, because you’ve got a massive amount of agents, distributors out there, they might have customers hearing about promises that might not come true.
Zac Ezekiel
Zac
Yes, absolutely. I mean certainly you're right, the products have gotten more complex and that puts a challenge on advisers to make sure that they're taking the customer through a needs analysis, making sure the customer understands what they're buying. Yes, I mean sales people can be under pressure just like anybody else, and occasionally, they can either not explain the product properly just through errors or omissions, or you can actually end up with some conduct that isn't what the life insurer wants. So, definitely, we want to make sure that we have controls in place to detect that when it happens.
Josh Heiliczer
Josh
What are some of the major ways you detect it, because I guess from an insurance perspective, if you're an agent, broker or whatever you might be, you are commission-based, so you're only eating what you kill, and so while 95% of them are probably going to be great, you're going to have some of them that will have an incentive to try to drive up their commission maybe unnecessarily. So, how would you monitor for that?
Zac Ezekiel
Zac
I mean, you're absolutely right that with a commission-based sales force you do need to monitor but I think you're also absolutely right that I think for the vast majority of insurance agents they're fantastic advocates for our customers. I mean you certainly see in the claims process and even in the underwriting processes that agents will do a lot for the customers. In terms of detecting misconduct, there’s kind of the traditional sort of old school ways and then there’s sort of a new school that’s emerging with new technologies. So, the old school stuff was very kind of complaint based. So, if a customer called you up and said that they had a concern, you would sort of record it and you would do an investigation. Talk to them, talk to the agent, collect the evidence, do a report. I think all of us monitor metrics like persistency or replacement of policies, which is kind of our sort of insurance version of churning. I think, certainly, Manulife puts a lot of attention into making sure that we get the right advisors. We talk about premium agencies, so making sure that we do the right due diligence on our agents but also the other distributors that we use like brokers and banks.
Over time, I think, certainly we have and other life insurers are as well added to that. So, you're seeing - we’re putting a lot of energy right now into post sales calling so at least for high risk products or vulnerable customers, making sure that we contact them and asking them how the sales process went and did it meet their expectation. Do they understand the product that they bought? A lot of firms are experimenting with mystery shopping or also different kinds of post-sales testing, looking at incentives. So, you talk about eat what you kill and there is that overarching incentive to make sure that you feed yourself and feed your family, but I think companies can really kind of influence that a little and they can make it worse or they can make it better through their incentive structure. So, we have a pretty robust process for looking for that with our senior sales officers. The really unique thing with sort of the emergence of analytics technologies is the ability to take all of these data points and focusing on particular distributors that are problematic or particular products that are problematic. So, if there’s a lot of confusion around a particular product, do you need to improve the training that you provide to your distributors on that product or even different classes of customers? So, that’s I think kind of the next wave of improving our analytic approach to sales conduct.
Josh Heiliczer
Josh
I mean, how do you get all the data? I mean is it readily available or is that sort of a challenge now as well in terms of just getting everything you need to feed the analytics?
Zac Ezekiel
Zac
I think a lot of it was always there and that’s kind of the beauty of the analytics revolution, if you will, is realising that all the stuff that you were collecting for other purposes can be used and aggregated to spread out outliers and things like that. So, a lot of it we always had. There are new points of references like as we’ve added post-sales calling. That’s a new indicator that we can feed in there but I think not just in sales conduct but I think a lot of us in financial services are realising that just the power of the information that we have.
Josh Heiliczer
Josh
How do you just in terms of different countries, I assume, you're looking at various things across the board throughout Asia, globally, as well. I mean you mentioned through the churning surrounding replacing policies, you look at certain distributors, you look at the post-sales calls process. Are there things that are localised for each of the different countries? You're operating in a lot of countries here in Asia that you need to concern yourself with. So, sort of in addition sort of to the generalised, overall risk, bespoke monitoring for various countries.
Zac Ezekiel
Zac
Yes. I hope this doesn’t sound like a commercial but I think I feel it’s true about Manulife that we’ve always had as kind of core principles and they're actually in our value statement. Do the right thing and obsess about customers. So, we’ve always been pretty focused on that. So, that means that we are very interested in kind of an overall baseline framework and standard that we’re going to hold ourselves to and our distributors to in all the markets that we operate, even in cases where there might not be regulatory requirement around it. In some of the countries where we operate, insurance is very new. People have not had a long tradition of insurance for example in countries like Cambodia or Myanmar.
We want to make sure that we get off on the right foot and set up a great reputation for our product that we think is really useful. So, to answer your question, I think we do look at it fairly uniformly across markets and want similar things. Obviously, there are different kinds of products that are popular in different kinds of markets. So, for example, some of these mandatory national savings programmes, like in Singapore and in Hong Kong have unique challenges around regulatory requirements that you need to follow. Particular kinds of fraud that are more prevalent in these sorts of pensions businesses and in other kinds of businesses that you need to watch and monitor for. That’s one of the reasons, for example, that we put focus on monitoring sales mix. If people are selling a lot of these products relative to other kinds of products, we want to know and we want to understand that.
Josh Heiliczer
Josh
Great. Zac, we really appreciate you joining us for the podcast and I think there are a lot of great insightful points for our audience and looking forward to maybe having you back again next time.
Zac Ezekiel
Zac
Thanks a lot. Thanks for having me.

Episode 3 – Transaction Monitoring and Fraud Detection in the Post-COVID Era

In this podcast, we're catching up with Michael Wassell, head of fraud detection for health care in the New York State Attorney General's Office, as he discusses transaction monitoring and fraud detection in a post-COVID era across industries.

Josh Heiliczer
Josh

Mike, thank you for joining me here on the podcast. I really appreciate it. How are you doing today?

Michael Wassell
Mike
I’m doing very well, Josh, and thank you for having me. I’m really excited to be part of your new podcast. I think the platform that you have created is really worthwhile, and I’m happy to be part of it.
Josh Heiliczer
Josh
Thank you, Mike. I really appreciate it. A number of financial crime professionals are listening to the podcast. Would you be able to discuss your career journey from the government to Goldman Sachs and back?
Michael Wassell
Mike

Well, I can try, but it’s certainly not been a straight line of a career. Before I do, I want to just get a quick disclaimer out of the way, if that’s OK. That is just that the views, thoughts and opinions expressed by me in this podcast are solely mine and don’t necessarily reflect those of the New York State Attorney General’s Office. Your question about government, private sector and back to government – it seems like I couldn’t make my mind up along the way, but it’s all worked out in the end.

Josh Heiliczer
Josh
It usually does.
Michael Wassell
Mike

Yes. In my unique circumstance, what it’s done for is, it’s really given me an appreciation for the hard work that’s being done on all sides. As a former bank regulator, I helped to enforce the Bank Secrecy Act in the United States on financial institutions that we regulated. Just to give your listeners an idea of what a bank regulator does to enforce the rules around anti-money laundering, I was part of the team within the Department of Financial Services that read every single SAR filing by our covered financial institutions. I know that maybe by today’s standards on how many – the numerous filings that are made – that might not be possible, but we did it. We had a good-size group that would be assigned to different financial institutions and read every one of their filings, and then we would meet on a monthly basis. We would talk them over.

Josh Heiliczer
Josh

I think it’s really great to hear, because a lot of people today within the industry sometimes feel like they file a Suspicious Activity Report, or here in Hong Kong, a Suspicious Transaction Report, and it just goes into the ether sometimes. To hear that from a regulatory perspective, I think, is really comforting to a lot of the audience.

Michael Wassell
Mike

Yes. That’s incredibly important. The STRs or SARs, wherever you happen to be, are so useful. We opened up formal investigations based on the filings. We were a smaller group, so we couldn’t open up investigations in everything that we thought was worthwhile. We referred some SARs and STRs to other partners in law enforcement just to make sure that good ones didn’t fall through the cracks. The other thing, Josh, that I want to mention is that – and, especially, this is true today – is that there is always an analytics part of looking at SAR filings, looking at the big picture, looking at trends, and that is useful information for law enforcement to have.

It’s also very helpful for those that enforce the rules to be able to see what financial institutions are doing and, maybe more importantly, what are they not doing. There was one instance I recall where we were sitting around the room and going through all the SAR filings, and there was a bank that had been in the news, and the question came up, “Have you seen any filings from that financial institution lately?” No one could remember one. We went back because we have the ability to go into the repository of all filings, and we did a search on that bank. Sure enough, there hadn’t been any filings.

You can imagine what a regulator thinks when a financial institution has never filed. It’s certainly not because there was never a suspicious transaction going through their account. That generated a separate investigation into that financial institution, with noteworthy outcomes.

Josh Heiliczer
Josh
I think it’s interesting that you mention something like that as well, because there’s been a sea change here in Asia. I’d say when I first got out here, most financial institutions looked at Suspicious Transaction Report filings or Suspicious Activity Report filings as a black mark that you didn’t want to have any. You didn’t want to get on the regulator’s radar. Really, over the last five to eight years, it’s changed dramatically that a lot of institutions that had never filed before are filing now, and the regulators have to talk about overfiling in some areas.
Michael Wassell
Mike

Interesting, yes. When I was in the private sector, my leadership teams were always advocating for filing to demonstrate that, number one, we had a programme that identified and reported activity when it was appropriate. The other thing we hoped it did was generate some goodwill, good faith, because with the thousands and tens of thousands of transactions going through accounts every day, there are going to be things that occur that you were unable to detect even though you had reasonable tools to identify risk. When a regulator would come up and, like I used to do in the past, we would look at filings as one of the things to give us an idea, a sense of, “Well, was this financial institution making a good-faith effort in identifying or reporting risk?” That would give us a sense going in the door, “How are they doing?”

Josh Heiliczer
Josh

You’ve gone from the public sector to the private sector; now, you’re back. I think it’s been a great career journey, but what makes you good at finding issues in those places? I mean, how do you go about uncovering potential suspicious activity or fraud?

Michael Wassell
Mike

Well, Josh, that’s a great question, and I don’t think there’s any one single right answer for it. I can share with you my own perspective and my own observations working in the government in seven different jobs I had with government, and then the private sector, and what I think works. One is just having a good nose for issue spotting. That could be something you’re born with or something that can be learned, I think. Having some life experience is also good, and everybody has their own perspective. You don’t have to have been a detective or an enforcement regulator to really understand risk when it comes across your desk.

Sometimes, it’s just a matter of effort. I remember my mentors from the Manhattan District Attorney’s Office would tell me, “Hey, Mike, you make your luck.” I didn’t really understand what that meant at that time, but I understand it now. It’s basically, if you work at something hard enough, good things are going to come from it. So, just sitting back and looking at alerts passively probably isn’t going to make you shine at the end of the day in finding a really noteworthy risk. Having natural curiosity, I think, is important too, and related to that is your ability to think creatively. I term it thinking suspiciously about what you’re looking at. This is something I also learned way back in the day when I worked in the Manhattan DA’s office.

I’ve been through a police academy. I’ve been through the FBI National Academy. I have a law enforcement mentality in terms of looking at things potentially suspiciously. I remember my first day out of the academy, I was in the field. I was with a senior investigator, and we’re just getting coffee heading out in the field, sitting in a car across from a coffee shop. We had gotten our coffee, and we’re sitting there. We were looking at the front door, and out walks a gentleman with a baseball cap shielded over his eyes with a bag in his hand, and he’s walking quickly out of the store. The senior detective asked me, “Well, Mike, what do you see there?” I go, “I see somebody with coffee running late for work.”

He said, “Well, yes, that’s probably what it is. But it could be that he just held up that store, and he’s running out with a bag of cash.” Look, I want to make something clear about thinking suspiciously, because sometimes people get the wrong idea. At the end of the day, most of the things that we look at in government and in the private sector turn out to be benign, right? We know that, but if you don’t ask the question, if you don’t put the effort in, if you don’t apply your life experience and your sense of issue spotting that you’ve developed, it’s going to be less likely that you actually uncover something. That’s what I mean by thinking suspiciously about what we’re looking at.

Josh Heiliczer
Josh
I think that’s really true, Mike. I mean, even in coming out here to Asia, the way that I look at things now just by having been out here and seeing the lay of the land is completely different from when I was looking at them working in New York. You see a transaction. You see what’s going on, but to get that real understanding and what might be going on here, it almost takes being in that place a lot of times.
Michael Wassell
Mike

That’s right. We’ve all worked in different environments. One thing, I think, is always sort of the same, which is, you’re going to have certain people on the team who, over time, seem to catch more things, whether you’re a detective or working for the government, or you’re an AML officer looking at alerts and identifying risks. It’s the people that are really dedicated and have developed these skills that seemed to consistently come up with those things that are really worthwhile. Josh, I don’t know if I ever told you this, but we were just saying we worked together. I do miss those days. I’ve got to say you were the most tenacious investigator I have ever worked with. That resulted in finding very interesting things, I remember. That was a really good experience. I know that has served you well.

Josh Heiliczer
Josh
Oh, definitely. I mean, I learned a lot from you. I think most of the way I write, and most of the way that I continue to look at issues with clients today, is based on that time. I can remember still a number of times when we were looking into the exchange control laws, and I had no idea about exchange controls. I think you had some understanding. It’s a matter of ultimately looking at the transactional activity and then saying, “Well, this seems a little weird that guys who have millions and millions of dollars might be transferring money from a money exchange into a private bank.” You’re like, “Well, let’s do a little bit of digging, and let’s try to uncover it.” I think that’s something that definitely, as a mentor, you always fostered in me, that we were not necessarily looking to close out an investigation or close out an alert with what might be the easiest response.
Michael Wassell
Mike

Well, Josh, you have me blushing here. I appreciate those kind words.

Josh Heiliczer
Josh

Your focus right now is definitely a little bit different. You’ve moved into the healthcare fraud space. How has the recent pandemic, with COVID and everything, changed your focus around how you’re looking at fraud and what you’re doing now?

Michael Wassell
Mike

Well, it’s been very interesting. If you have me back in a year, I might be able to talk to you about some publicly available information on specific cases that we are working on today. I can tell you this, that after every major event, there are fraudsters that come out of the woodwork. It could be an earthquake. It could be a typhoon. It can be 9/11. These major events invite the fraudsters to come out and see if they can’t leverage that event and make some money from it.

The healthcare industry isn’t any different. It’s a massive industry, as we all know. Even if a small, very small, percentage of it represents fraud, you could be talking about significant funds. We have a data analytics team. We’re looking at spikes in activity that wouldn’t be explained through a reasonable way of looking at things. A spike in activity – for example, when the pandemic began, office visits to providers slowed down pretty rapidly, as you can imagine. Certain types of procedures slowed down very rapidly. Yet, there could be providers out there who have an unfettered continuation of business, which could raise a question worth looking into.

Outlier behavior – something that we’re always looking for, and certainly true in the pandemic. Looking at similarly situated providers, maybe they share a specialty in the same region, yet one of those providers seems to be doing something differently. We look at a combination of procedures sometimes as an outlier behavior, where I have a provider billing things in combination which their other colleagues aren’t doing. That generates a question. It’s not necessarily fraud, but it’s something that causes us to start looking at it more carefully.

Something that’s new for our agency in this time is telemedicine, which hadn’t previously been covered by New York State Medicaid, and now it is. We know from our colleagues that worked in Medicare that there are opportunities for fraud in telemedicine. We’re looking at that. If, for example, a provider last year had just – making up numbers – a thousand patients, and now, all of a sudden, they’re billing at a rate of 5,000 or 10,000 patients, something is different. Something happened. How? Did they legitimately expand their business that quickly, or is there something else going on?

With COVID, you have testing for the COVID virus. There are accepted healthcare-approved tests, and then there are other tests which are used when there are more health-related complications, which are much more expensive, and this is an opportunity for what we would term unnecessary testing, unnecessary billing and overbilling. We’re looking at all these issues. One other thing that a good investigator or a good analyst, I feel, can look for is the obvious. Don’t ignore the obvious, right?

Josh Heiliczer
Josh

Sure.

Michael Wassell
Mike

In financial institutions – bringing it back to your audience for a second – it’s oftentimes the client that everybody knew about. It’s the one that everybody knew was going to be a problem but was difficult to tackle either because of the revenue stream or for some other reason. Those are the ones that make the difference between a really good compliance officer and an OK one, where the compliance officer doesn’t back down. They make a record of, “Hey, I’m not satisfied with these explanations. Obviously, something is going on here. We need to escalate it within the financial institution and get more people involved.” I think that’s really important for your listeners to follow. It is the hardest thing, I think, for a compliance officer.

Josh Heiliczer
Josh

Absolutely. I think that going after those things that are difficult clients, significant clients or areas that you might not have a good understanding of, but you have to learn about – the business is always going to challenge you. Front office is going to challenge you. You need to be able to back up your questions with a real understanding of the industries and what you’re talking about. It’s interesting when you talk about the healthcare industry – it jumps out in my mind around trade finance. You see spikes in activity. You see clients that are maybe operating in the same type of business but transacting in a completely different way – outlier behavior, like you mentioned.

Now, while banks don’t necessarily have telemedicine, the rise in remote onboarding during the pandemic, in particular, here in Hong Kong, but all over the world, where you don’t see clients, where you have transactional activity taking place outside of a branch – all of these things have led to a rise in fraud. A lot of fraud associated with, whether it’d be business-email compromise or other types of IT support schemes, and it’s not only necessarily directed at customers. It could also be directed at the employees themselves.

Then, you mentioned the overbilling piece. You have a lot of potentially overinvoicing or multiple invoicing that you might be able to see now that might not have been occurring previously because you have new trade flows. While you expect new trade flows or you expect additional trade flows from some of the PPE providers in particular, or businesses that have maybe recently got into that industry, you might not see it in the same way across that peer group. So, that’s something that you would want to question.

Michael Wassell
Mike

Exactly. Josh, one of the other things, getting back to your question about “What are we doing during COVID?” is actually, one of our highest priorities is to identify patient abuse and neglect. We have many Medicaid recipients in nursing facilities, and they are some of the most vulnerable of our population. Of course, during the pandemic, they’re a high-risk population. So, we’re doing everything we can to ensure that they are getting proper treatment by the facilities that they are residing in. We set up a hotline to take calls from family members who may become aware of issues in a facility. Quite often – surprisingly, maybe, to some – we hear from staff that work in these facilities because they are trying to do the right thing, but they aren’t being adequately staffed.

We use that to trigger investigations. When we go in, there are a couple of things we look for: One is, we want to ensure that proper safeguards have been taken to protect the residents and, actually, the staff. Are they wearing personal protective equipment? Has the facility purchased that stuff? Is there enough qualified staff? This costs money. Having qualified staff is going to dip into the revenue of the facility. If it’s a facility that is looking to divert funds for its own benefit, then there’s going to be less to go around to hire the right staff. Then, part of the staff that are on, that are there, are they being adequately trained? Do they know how they’re supposed to handle residents to avoid them contracting the virus?

Some of your listeners might be saying, “It’s interesting, patient abuse and neglect, but I work in a financial institution, and that really has nothing to do with abuse and neglect in a nursing facility,” for example. To that, I would say when I look at the big picture, we’re looking at nursing facilities who may be diverting funds, engaging in self-dealing, and that’s not something that our group will readily see, because we don’t see those bank accounts, but your listeners might. They may see self-dealing going on. They may see unusual transactions and accounts.

The outcome is that those monies are being diverted from what otherwise would have gone to ensuring those safeguards, hiring qualified staff and training those staff. So, it all comes full circle – from my perspective, anyway – that we’re working hand in hand here, the government and the private sector. We’re all trying to do good here. If we share some of what we’re seeing, if financial institutions identify this kind of activity, there could be a big picture behind it that they don’t readily see. So, reporting it could do all kinds of good. I encourage people to report things if there is no reasonable explanation for it.

Josh Heiliczer
Josh

I think that’s really important – that if you are a bank connecting those dots, it’s really just helping the government and investigators in the public sector, hopefully, start to piece that puzzle together. I know in the United States, there’s Section 314(b) of the PATRIOT Act, which allows financial institutions to talk to each other and maybe piece things together a little bit more before it’s turned over to the government or even with the government. Here, we have FMLIT in Hong Kong, which is a task force involving the police, the HKMA and the top 10 retail banks. So, those are definitely things – typologies and trends – that are looked at within that group.

I think also to your point around the nexus between fraud and some of the personal medical equipment that’s going on is, we have a raft of manufacturers in this region that are making PPE. Some of them may be sending the PPE to providers in the United States or other regions. It could either be not of the right quality, and you might be able to see that because of the amount of money they’re spending on the types of materials that they’re using, or because they’re diverting funds, or you might even be able to see some of these providers that are getting it paying exorbitant prices or paying really reduced prices. Those can yield some red flags.

Michael Wassell
Mike

That’s a great point. There is a human element to all this. Yes, you’re living in a world of finance, but there are people’s lives that are at stake here. It is really life and death here in the nursing facilities. If you can identify fraud and report it, then something can be done about it. It can actually help improve lives. It can help ensure safety for those residents who really don’t have anyone else looking out for them. That’s something that when you work in a financial institution, you may not see it. It may not be as obvious as when you’re working in the government, where you’re coming in contact with these families. You’re coming in contact with the staff who really care about their job, who really want to do the right thing. I do think it’s important to share with your listeners the importance of their work and what good can come from it in protecting the lives of those who really can’t protect themselves.

Josh Heiliczer
Josh

I think, definitely, your group is helping save lives in the pandemic and even before. I think that all of us, from our work in the financial crime space, whether it’d be some of the organisations involved in human trafficking here that are fighting against that and working to uncover typologies, or even some of the drugs and other illicit activity that can sometimes go through a financial institution – people that are working and looking at alerts or working within the Financial Crime Compliance Department can be on the frontline of preventing that.

Michael Wassell
Mike

I couldn’t agree more.

Josh Heiliczer
Josh

In this new environment, what can financial institutions do to spot fraud more readily?

Michael Wassell
Mike

That’s a good question. I would just say the old rules apply here. You look for reasonableness. When there’s something unusual happening, try to identify a reasonable explanation for it. Knowing your customer, knowing what’s expected activity in the account, yes, that is drummed into everybody’s heads. I know that, but it’s true. If you know what the customer does, if you know their source of wealth and you know what’s expected in the account, what’s different going on from those expectations, that should trigger a review.

I know realistically, folks, that there are so many alerts generated. There is always pressure to review them efficiently and expeditiously, but there will be the occasional alert that really deserves a deeper dive. Looking at what’s reasonable, looking at the customer’s profile, I think is a good place to start. In government, also, we have access to some information. I’m sure some of your listeners are saying, “Look, we don’t see how providers are billing. It’s not really within our wheelhouse to see everything that one of our clients, if they happen to be a healthcare provider, is doing in their business.” I agree with that. You can’t see the whole picture. In government, we see the billings. Our data warehouse contains over seven billion claims, believe it or not.

Josh Heiliczer
Josh

Yes, it’s amazing. That’s an amazing amount of data.

Michael Wassell
Mike

Our data team has a field day with it. We can do all kinds of peer analysis. We can look at specialists – I mentioned that before. Our agency, we can request information. We can subpoena information. We can call people in and put them on the record under oath. We can see industry trends. We can see what’s going on with the peers over time in a particular healthcare specialty, and we can see if things are trending up or down and try to identify the root cause of that.

Financial institutions – of course, the focus is going to be on funds, movements of funds. Are there payouts? We mentioned nursing facilities. Are there payments to third parties that may be not at arm’s length when you investigate the owners of these third parties, and what are the explanations for those third-party transactions? Is there a lot of in-and-out activity? Are there spikes in income where you wouldn’t necessarily expect there to be? Those are some things that I think financial institutions see and they can look into – use it as a springboard into an investigation.

Josh Heiliczer
Josh
Sure. One of the problems – and you mentioned it right up front in your last answer – is that there is a vast amount of alerts that are out there. Ultimately, some of these rules-based monitoring systems are creating a haystack to spot a needle, but then, when you find that needle, you don’t want to be rushed to be able to find it. One of the things is, how do you get better at finding those real nuggets, or needles within that haystack, so that you can spend time on those, make the referrals, have those investigations? We’re starting to see it with some of the banks out here. Is there a way to potentially merge some of the monitoring activity that goes on from a transaction-monitoring AML perspective and a fraud perspective, for instance?
Michael Wassell
Mike

Well, I think there is. I also think that financial institutions really need to decide for themselves how best to do it. Merging two disparate groups is one approach. Offering some platform where there’s a cross-divisional communication going on is really what I think you’re after here. You want to share information. You want to use it as a training opportunity. In the two financial institutions that I had worked in, we had those types of efforts in both places. I worked in an environment that was very collaborative across divisions within compliance.

What does this do? Well, if you get these disparate groups together, you can understand the client better. That client is going to have different touchpoints. Maybe they are trading in one part of the financial institution. Maybe they’re doing a banking activity. If you don’t see the whole picture, you don’t really know or understand that client’s activity holistically.

Can you do this with every customer? No, but you can do it for other ones that are hitting your radar regularly. You can say, “Hey, look, I’ve looked at this client using the tools that we have. Let me bring it to this other group and see if it’s hitting their radar as well. Maybe something happening outside of our shop is going on that can help explain benignly what I’m looking at – or maybe, alternatively, it would add suspicion to what’s going on.”

The other thing is, by having this cross-divisional communication, you get to talk about the rules a little bit more. I mean we’ve all sat through or given anti-money laundering training. You sit there for an hour, talk about the rules, and then you go back to your job.

Josh Heiliczer
Josh

That’s usually boring as hell because there’s nothing relevant to you within those trainings. One of the things that I always try to do when I’m giving training is make it interactive, tailor to the audience, but nine times out of 10, even when I have to take the AML training internally, whether I was at banks or whether even when I came here or at EY, I tell you, it’s just like watching paint dry.

Michael Wassell
Mike

Well, I hope I was an exception to that, Josh.

Josh Heiliczer
Josh

I’m not talking about you.

Michael Wassell
Mike

That’s OK, that’s OK. It’s so hard.

Josh Heiliczer
Josh

They’ve got all these computer programmes now. That’s like autotrain, and you tick the box.

Michael Wassell
Mike

Right. Why is this important, Josh? There are a lot of nuances. The people that work in those anti-money laundering rules – the financial crime compliance personnel who live and breathe these rules because they have to – they are responsible for ensuring the appropriate reporting of activity. They know this stuff. The people, the other folks around the firm, whether they work in compliance or not, are less familiar, because that’s not part of what they have to deal with every day. If you can get these groups together, you could share these nuances, and over time, people will understand it a little bit better.

If you were to ask people cold, like, “Hey, do you have to report a transaction even if it didn’t happen?” Let’s say a customer proposed to do something – it was an attempt at transaction – but compliance got involved, and they shared with the business, they discussed, and they said, “No, we’re not going to allow this to happen, because it would have been suspicious if it happened – it would have been a problem,” do you have to report that? Now, I don’t know.

I know in the U.S., the answer is yes, you have to report attempted transactions under certain circumstances. I don’t know about all the regions where your listeners are all located, but that’s the kind of information that financial crime compliance personnel can share. It’s usually going to be happening outside of a training, because it’s a nuanced thing. It’s something that you’re not going to get in a quick training programme.

The other thing is – and this is probably even more difficult, but more important to really gain appreciation for – the threshold of suspicion: When have you reached a reportable event? The people, again, that live and breathe these rules, they’re the ones that really have to understand when something is reportable. Josh, I think you would agree, they usually have a lower bar than other people around the firm will have. Many people say, “Well, that’s not really suspicious. We don’t know a crime took place here.” You might hear that. Well, you know what? Let government worry about whether a crime has occurred. As a financial institution, I would really strongly encourage people that if you’re even having a conversation about whether a crime might have occurred, that’s probably met a threshold of suspicion that requires reporting in most jurisdictions.

Josh Heiliczer
Josh

I think in pretty much every jurisdiction. Here in Hong Kong, proposed transactions, as well, would be reportable. I think your point about getting together and discussing issues across compliance teams or with legal or fraud teams across the financial institutions is really key. I have seen it also work well with the front office as well. A lot of times, front office people, particularly once they have really good training that shows that there is some activity that could be suspicious going on in their neck of the woods, will say, “You know what? I’ve actually seen a client” – or “I have seen a group of clients” – “acting differently than I would expect them with the market.” They ultimately refer behavior to you or refer activity to you, and, quite frankly, those are more beneficial, at least, in my experience than any alert you could get.

Michael Wassell
Mike

Excellent point, Josh. You asked me earlier, “What makes somebody good at issue spotting?” So, we could talk about at the individual level, and then we could talk about at the team level. I think it’s interesting to look at the composition of the team. If you have different perspectives, different backgrounds, on that team, I think that’s also very valuable.

We both have been in environments where this has occurred – where you have people who worked in the operations area of the firm come in as analysts looking at transactions. They have a great appreciation of how things work operationally, and they have a unique perspective of what would be unusual, I think. We’ve had businesspeople, relationship managers, work in financial crime compliance also very successfully because they’re coming in it from a perspective from the client: Would a client want to do this? Would they want to do that? What would be in it for them to want to do something like this?

Josh Heiliczer
Josh

Absolutely.

Michael Wassell
Mike
I think talking about what you’re looking at – talking about the risks, sharing the risks, whether it’s cross-divisional or within the team – it’s always good to have a diverse cross section of staff doing this work and talking about what they’re looking at.
Josh Heiliczer
Josh

One key area that I have seen, at least in the last couple of years, is trade finance. These guys who work in the trade finance space know all the products. You could take an AML person to the end of the earth, and they will never understand all the trade finance products. They might understand the risk. They might understand overinvoicing and underinvoicing, but they’re never going to understand these products. I’ve tried for several years now – read papers, try to learn. You can’t learn just by looking at suspicious activity all the time. You need that insight from somebody who’s actually done the work a lot of times to be able to make sense of it, or even complex trading issues.

Michael Wassell
Mike

It’s good to know your limitations. It’s good to be OK with that and do something about it. Sometimes it means talking to the right people, and sometimes it means hiring those people to help you walk through the thicket that we live in.

Josh Heiliczer
Josh

It’s like the basketball adage – I know this from experience – you can’t teach height, so my basketball career was pretty much over after grade school.

Michael Wassell
Mike

The other thing I just – one final thought on this cross-divisional communication is, I think it helps develop your staff professionally to expose them to other parts of the firm and give them an opportunity to learn those things. Maybe they don’t become the trade finance experts, but you know what? I worked with someone who went on to become an investment banker. I worked with people who went into other roles in the firm or outside the firm, seeking other opportunities because they got the tools. They learned a lot about the other parts of the firm, and being exposed in financial crime compliance to other areas, I think, sets you up for a good, sound career whether you stay in financial crime compliance, which I believe offers many opportunities for career growth.

In some cases, people will move on. You want to encourage that and not discourage that. I always felt that you don’t want to keep people in their place by limiting the opportunities for growth, because then you’re going to have what? You’re going to have a bunch of dissatisfied staffers who are going to stick around anyway. That might be a little controversial for hiring managers to hear, but there’s an opportunity to share opinions, and that’s mine.

Josh Heiliczer
Josh

Sure. I think you want your – being a good manager is about having your staff grow and giving them opportunities. You mentioned somebody that started out in financial crime compliance, but I haven’t thought of the guy for years. Chester Lui – he went from being within financial crime compliance at Goldman. He’s a private banker now, and he’s moved on to a couple of institutions. Now, I hear he’s got a pretty good book. I haven’t seen him since. Chester, if you’re listening, I’d love to get together for lunch.

Michael Wassell
Mike
I would, too. It’ll probably be cold by the time it gets to me, but –
Josh Heiliczer
Josh

We’ll have to fly you out here in private. Maybe we can get you a plane.

Michael Wassell
Mike
Josh, I am with the government, and that’ll be prohibited –
Josh Heiliczer
Josh

Oh, that’s true. That’s true.

Michael Wassell
Mike

But I appreciate the offer.

Josh Heiliczer
Josh

That’s true. So, some final thoughts: I think we covered a lot of ground in the podcast – a lot of great insights – but just some final thoughts from you, Mike.

Michael Wassell
Mike

Well, first, Josh, thank you for having me. This has been a fun experience, and I didn’t really know what to expect. This has been really fun putting on my old hat a little bit, sharing a little bit about what we’re doing at the New York State Attorney General’s Office in our Medicaid fraud-control unit. I hope that your listeners found some of that interesting. Look, the work that your listeners do, it’s invaluable. The SARs, when they’re filed, can do so much good to alert law enforcement to activity that would not have come across otherwise. So, it’s really important what you’re doing. So, keep it up, and I mean that. That’s not hyperbole.

No one sees the whole picture. You think, government, oh, we’re all-seeing. No, no. We don’t see it unless you bring it to our attention in some cases. It’s being the good citizen, some people call it, but it’s really important work, and I know – and many people in government know – how difficult that job is. We talked about some of the challenges, and there are others, but you should know that your work is important and it’s meaningful. There is an outcome. There are people’s lives that are impacted by what you do.

Keep up the good work to the extent that your rules permit this. It is permitted in the U.S. to make what we call affirmative referrals: Pick up the phone. Call somebody in government. Alert them that an STR or SAR has been filed, because Josh, you touched on it earlier – there’s been a significant increase in filings over the years, and it’s very tough. It’s not like I mentioned about in the old days, when our group would read every one. We couldn’t do that today, realistically. There are going to be really important ones, filings that might not be seen by anyone.

So, if you feel you came across something important, certainly, in the healthcare sector, that’s something we’d like to hear from you on if your regulations permit it. When you do file, give all the information. I used to think of myself as sort of a news reporter: What information does a reader need to know to really understand what happened in this situation? What are all the relevant factors? Who, what, when, where, and why? Not like, “Let me just write as little as possible so I get credit for filing.” No. That’s not so helpful. Adding the color – there could be more information known about the entity that you’re reporting on that the government’s aware of. So, the more information you provide can make the information get to where it needs to go, and you’re more likely to get the right outcome. I know it means more work, but that makes it a more meaningful process, and we all want our work to be meaningful.

Josh Heiliczer
Josh

Yes. Absolutely, Mike. I think how many times, when we’re looking at an investigation or reviewing a client, and something as small as an address or a matched phone number or a client account that might be related in some small way because they received some transactions from there make the difference in an investigation. Really trying to put all that information really helps any investigator. It helps the government definitely, from when I had spoken with the regulators and yourself.

Mike, I really appreciate you coming on the podcast. Thank you very much. I look forward to catching up with you again soon.

Michael Wassell
Mike

Thank you, Josh. I look forward to coming back next year and talking about some of the cases that we brought during COVID.

Josh Heiliczer
Josh

Maybe you’ll be able to travel over here, and we can do it live.

Michael Wassell
Mike
There you go again. I would love to as a private citizen.
Josh Heiliczer
Josh

Yes. That’s great. Thanks a lot, Mike.

Michael Wassell
Mike
Thank you, Josh.

Episode 4 – Prepping for a Monitor Visit or Regulatory Review

In this podcast, we're catching up with Henry Yu, head of financial crime for the APAC region at Natixis, to discuss best practices when it comes to planning for a monitor visit or regulatory review.
Josh Heiliczer
Josh

Hello, everybody. Good day! This is Josh Heiliczer here on the Protiviti podcast. We’re focusing on risk and compliance issues, today. I’m a managing director here in the Hong Kong office of Protiviti, and I lead the Risk & Compliance practice for Greater China, and I’m the subject-matter expert for financial crime compliance.

It’s great to have Henry Yu with us today. Henry is the head of financial crime for the APAC region at Natixis and was previously involved in managing the monitorship for HSBC here and out in Asia. He has had a number of prior roles at Credit Suisse, Goldman Sachs, with the Hong Kong police — very well distinguished. Also, I should add, he’s a professor, teaching a class at HKU. So, Henry, it’s great to have you on the podcast. How are you doing today?

Henry Yu
Henry

I’m good. Thank you very much for your invite, Josh. Thank you very much, indeed. It’s my pleasure. It’s my honour to be with you today.

Josh Heiliczer
Josh
Excellent, Henry. So, we’re here to talk about preparing for a monitor visit or a regulatory exam. It’s a big topic these days. Although it seems as though our regulators are now moving to some virtual exams, they still are coming on-site as well. So, what do you need to do to prepare for an exam? You have a lot of experience with this at HSBC and now at Natixis as well, so I’m eager to hear your thoughts.
Henry Yu
Henry

Thanks a lot, Josh. Now, before I answer your questions, if I may, I have to do a standard disclaimer. What I’m trying to share with everyone here in this podcast is from my own experience. It’s nothing confidential, so nothing related to particular incidents or particular facts that I have been working on with various banks. It does not represent any of the positions of any of the banks, including the one that I’m working on at the moment.

So, your first question, if I hear correctly, is, “How do we prepare for different types of examinations — either monitor visits or regulator visits?” Before I answer this question, we need to understand why your regulator is coming to you. To understand where they’re coming from is the first thing that is very important, and we need to know about it.

There are different scenarios. It might be just a regular visit. There might be a thematical review: You’re just one of those banks or financial institutions picked out by your local regulators. It might be because of certain incidents that have happened to your financial institution, unfortunately, that we see in different types of monitorship or inspections, per se. So, this is the first one. So, understanding what the regulators are looking for is the most important. There’s what we call the KYR — know your regulators — so this is just like a KYC. You need to understand where they’re coming from.

Then, the second thing we need to bear in mind, the fundamental thing, is to stick to the facts of what happened, because when we’re talking about different types of inspections, review or monitorship, it is a look-back exercise. It’s not about forward-looking exercises, it’s a look-back exercise. So, the rule of thumb is, stick to the facts — understanding the scope as well, understanding where they’re coming from —and understand the scope of your review or inspections or monitorship. That’s very important as well. These are the things that you need to bear in mind as well.

Third, it’s communications, early communications with the regulators or monitorship — understanding what they’re looking for. Most likely, normally, the regulator will come up with a list of questions or a list of expectations as well. So, this is the quick start on how to be first prepared for the visit, and second, internally, once you’ve got all this basic information, you need to mobilise different departments.

The regulator visit is, more likely, not only the compliance work. This is a very important concept. The visit is not just the work of compliance. You need to mobilise different stakeholders within the bank. For example, nowadays, and very importantly, all direct leaders around the world are talking about senior management oversight, so these are the key important things that you need to be aware about. You need to engage your senior management so that they are on top of that. You have the full support of your senior management both locally or regionally, or even globally, about an upcoming regulator visit or inspection. And then —

Josh Heiliczer
Josh
You mentioned senior management, and that’s really an important topic. Particularly, if it’s an unexpected or difficult request, how do you get their attention quickly, and do you want to prepare them through mock interviews, or how is best to get them ready to particularly, if they have to meet a regulator?
Henry Yu
Henry

We don’t use mock interviews. This is something that we try to avoid, and, in some circumstances, it will become illegal and not allowable by certain regulators as well. If you’re doing mock interviews, the worst-case scenario would be somebody, when they’re being asked and being pushed, they say, “Well, my compliance guy told me to answer in such a way,” then we come to a very difficult situation. This is not what we want to see.

Having said that, we need to help them prepare and to understand what they are looking at. What do we have, because it’s a look-back exercise? What had happened, whether good or bad, or whether there was something that we have been missing, we were unable to perform perfectly as to what used to be. Just be open, have acceptance of this outcome. This is very important — not trying to cover anything up. That’s another key point, but, having said that, the most important thing is, if we can proactively identify any kind of shortcoming, what is the plan? Are we able to demonstrate to the regulator that this is something that we have already engaged third parties on that are working on it, for an improvement, and that’s a good story to tell — proactiveness, or sometimes you can always mitigate it in practice per se. This is the key.

Josh Heiliczer
Josh

Being proactive is definitely key. I mean, I’ve definitely seen it with a lot of the regulatory issues that I’ve come across, whether it be from when I joined Protiviti, or even before. I guess, in terms of being proactive, this is also an ongoing exercise. Even though the regulator might be there, it’s also some of that awareness in training. How do you generate that awareness, even before the regulator shows up, around some of the seriousness of the issues and preparing on an ongoing basis? As you’ve mentioned earlier, and rightly so, it’s very key to check what the regulatory expectations and guidelines are, particularly if you’re not able to engage in mock interviews.

Henry Yu
Henry

That’s a very good question, indeed. At a high level, the culture is the key. If we look back to all the institutions — where they get into trouble of different kinds — they have something in common. Whoever the regulator is, it is also written in some of the regulations, if you look at how they determine the sentencings or the seriousness of the shortcoming or the offenses, it’s systematic error. People, they know it — that culture. So, when you’ve got this, that element, I would have to say that this is a big problem.

The question is, how do we try to avoid that? There are a few things: First of all, tone at the top. We always talk about it, about how we are making sure we are with the tone at the top, how we understand that. One of the very key and very important truths is what we call the risk assessment. From the AML FCC world, we have the institution of risk assessment, but even from the bigger compliance or even at-risk, we have risk assessment. The only recommended risk assessment or self-assessment is helping the financial institutions to self-identify where are the high-risk areas, where are the areas that they need to draw their attention to. And then the second truth is continuing testing, continuing reassurance, internal auditing as well. That’s a very important thing as well.

If there is an upcoming change in regulations, the basic truth for each and every compliance officer to do is to do an in-depth analysis of where your programmes needs to be improved as well. So, in a nutshell, it’s a continuous risk assessment that brings up the awareness of the whole bank, and particularly the senior management is the key. The major banks, nowadays, they are doing pretty good in engaging, but I see that that’s where there were certain incidents where this exercise of risk assessment is still in very, very extreme cases, that people still think that this is only compliance work. No, it is not. It is the most important responsibility of the bank as a whole.

Josh Heiliczer
Josh
It’s a really good point. Tone at the top and conduct are really going to be focuses for all regulators globally. We’ve seen that recently in some of the recent risk issues that have happened within banks, and making sure that that risk assessment is there, refreshed, and senior management know about it and are aware of all those issues and how you are mediating anything that may have come up are really keys. Henry, I really appreciate you coming on the podcast today, and this is the Protiviti podcast.
Henry Yu
Henry

Thank you very much, indeed. It is my pleasure.


Episode 5 – Unlearning to Run a Successful FCC Programme at a Fintech

Protiviti’s Greater China risk and compliance lead Josh Heiliczer delves into why Tencent’s Group Head of Sanctions and International Anti-Money Laundering, Henry Chan, transitioned from a career in Corporate Banking to Compliance and how the tech giant manages financial crime risks.

Josh Heiliczer
Josh

Hi, how are you doing? Good day, this is Josh Heiliczer. I’m the managing director here at Protiviti in Hong Kong, in Greater China. I lead the risk and compliance practice over here, and I’m glad to have you on my podcast again. I have Henry Chan over here from Tencent. He is the global head of sanctions and anti-money laundering controls over at Tencent, and I really appreciate him joining us today. Thank you.

Henry Chan
Henry

Thank you for having me in this podcast. It’s my privilege to be speaking here.

Josh Heiliczer
Josh
Excellent, Henry. Great to see you. So, we have a lot of compliance professionals listening to the podcast. Would you be able to discuss your current journey going from particularly HSBC in the banking world to Tencent, which is clearly - that has payment operations, not a bank?
Henry Chan
Henry

Okay. So, in terms of my career journey, I spent the first 10 years of my career as a corporate banker at HSBC before I made the transition into financial crime compliance. So, I found my experience has a lot of impacts for me as a compliance specialist because I could really analyse each circumstance from both sides of the coin. So, I’m able to picture how every recommendation the FCC department makes will impact the business as well as the customer. So, with that mindset, I was able to build very good working relationships with the business stakeholders, and that’s one of the top assets that any FCC practitioner could have. Not on the line, HSBC has been an amazing platform for me to hone my skillsets as an FCC specialist. I was given the opportunity to lead the monitoring and testing division, and I also lead the AML functions for the bank in Hong Kong. So, for those roles, I oversee the role of the good financial crime global standards, the large-scale FCC remediation exercises, the revamp of the TM investigations and STR processes, and also to set the golden standards for FCC testing across the APEC region. So, in 2019, I left HSBC to join Tencent and became the group head of sanctions and international AML. Overseeing the FCC matters for Tencent across all the international businesses, and that includes both the FinTech as well as the non-financial internet-based businesses in over 50 countries. So far, it has been a wonderful, yet challenging journey as the company is aggressively expanding more and more into the international markets through the globalisation of this very strong existing [Audio Gap]

Josh Heiliczer
Josh
You make a really good point. A really interesting point for people in our podcast of your career journey – how do you go from being a corporate banker to working in the AML space? When you started out as a corporate banker, I’m sure you didn’t say, “Wow, I’m going to compliance at some point in time.” I know when I was starting out, a lot of the bankers used to view the compliance department and financial crime as the business prevention union.
Henry Chan
Henry

Yes. I get that question a lot from both my team members and people I’ve spoken to, and people I work with. Of course, when I started my career, I did not plan to spend, say, 10 years in corporate banking and then switch on to FCC. When I started banking, FCC did not even exist. So, I think I’ve had that transition at one point, when I had this project where I was sent to New York, in fact, as a corporate banker to work on the designing of the STR investigation process for our corporate banking relationships. So, at the point, I thought, “Okay, people I worked with were really good compliance specialists; they’re lawyers, they’re accountants, they’re auditors.” But one thing I realised; they had no clue about the business itself. So, I saw there’s actually a lot of value that someone coming from business with the experience of the customers and the products to work in the compliance space. So, that’s where I drew my interest and thought, “Okay, I think I have leverage going into compliance and do a really good job there.” So, that’s where it triggered my transition thought.

Josh Heiliczer
Josh

Look, it’s definitely something that broadens your mindset when you’re looking at compliance issues and risks, particularly if you understand how the business works, you understand what’s normal activity and what’s not normal activity, how you really get in contact with a client as opposed to sending them an email that ends up in their spam folder. So, those are really key, I think. So, now, you’re working with global remit around virtual payment channels and WeChat Pay; how many people are using that internationally; it’s an amazing product for gaming. How do you go about understanding the risks for all of the areas that you’re operating in from gaming to virtual payment channels and all the different jurisdictions you’re operating in?

Henry Chan
Henry

Yes, that’s a very big question. It’s something that I need to tackle on a daily basis right now, and sometimes it keeps me awake at night. Well, on the surface, it’s really daunting to imagine how any team could go about understanding and localising the financial crime risk associated with over 50 countries. Without revealing any trade secrets, of course, I could share with everyone the approach that I’ve taken in managing the financial crime risk of this massive portfolio. So, at the group level, I maintain a set of AML inspection standards that will be used as guiding principle to all the group activities globally. The standards are fairly universal and based on rules and regulations standards across major jurisdictions such as China, Hong Kong, EU, America, etcetera, etcetera. So, on top of that, we also have a methodology on how to risk rate all the 250 plus countries in the world. So, that gives us a good idea on where we need to avoid doing businesses with from a risk management standpoint. In terms of the countries that we have business exposures in, I would broadly categorise them into three buckets, each with a unique approach to risk management. So, the first bucket is markets where we have an actual presence in. So, it could mean that we have a physical office on the ground, financial licenses acquired, or material business operations in the local markets. So for these markets, I would have actual compliance officers on the ground to support the AML activities. These would be individuals who have good knowledge of the local risk and good relationship with the local regulators. So, we are constantly on top of the landscape. A second type of market we have is where we have indirect business participations in, and we do not have an actual office or financial licenses locally. So, for example, in some markets where we have standards or payment services to the local markets, but we rely on local third-party institutions to facilitate transactions.
While our exposure to these markets is indirect, we still need to manage the financial crime exposures through understanding and managing our local institutional partners. So, we have a set of stringent standards for the selection of these local institutional partners, as well as a robust systematic approach to continuously monitor their activities to ensure that the risk that we’re exposed to do not exceed our [appetite] in each of these markets. The third and final type of market that we have exposure in is those that we don’t have any local participations in. As an internet company, it’s inevitable that our customers and end users are located all over the world. So, for these markets we have to – first and foremost, I’m sure that users from comprehensive sanctioned countries are not allowed access to our products and services. This is technically achieved through IP blocking technologies. On the other hand, we also need to have monitoring controls in place to detect irregular activities coming from pockets of IPs or countries where we think we’re in suspicion. So, in conclusion, above all these measures and controls in place, it is critical that we have good understanding of the risk profiles of our products, sufficient transparency to our customer’s profiles, awareness of the latest financial crime pathologies, and then distilling all of those into appropriate controls.

Josh Heiliczer
Josh
Yes. Look, it’s a vast new universe clearly from the time you got into banking to now working at a company like Tencent. It’s clearly a completely different type of offering, risk profile in countries that you’re operating in links back in to maybe your experience in HSBC as well where you ran the monitoring and testing programme over there. How do you run a good monitoring and testing programme, and how does that change now, maybe that you’re at a place that is operating in so many different markets?
Henry Chan
Henry

Okay. Let me address the second part of the question first. I think it’s an important learning point I had and actually something I could share with everyone. Making the transition from a traditional bank to an internet company, although doing seemingly the same job in compliance, financial crime compliance in specific. I think coming into Tencent, I had this mindset being a lifetime banker, I thought, “Okay, things should happen just like how the bank should. Oh, we should have this control in place. We should have this policy in place. Oh, things don’t work like that from the bank.” I used to say that a lot in meetings. “Oh, things at HSBC works this way.” But then I realised the longer I spent in this company, the more I realised that they're actually a completely different organisation. One thing that I have to do and consciously remind myself is I have to unlearn everything that I’ve learnt in HSBC. [Laughter] Once you get through that point, you unlearnt everything, then it distills down to your understanding of risk. The true nature of risk doesn’t change wherever you go. Which organisation, financial, law financial, banks, internet company, any corporate; risk is risk. Once you have that appreciation, understanding, and the skillset to analyse risk, that is actually universal, and it’s applicable in any place you go to. So, I went through that process of unlearning, and then realise I still have the skillset with me, and then learnt the entire new process again with that skillset in mind.

Josh Heiliczer
Josh
It’s really interesting you mentioned the unlearning point because you look at a lot of the ways that traditional financial institutions are now trying to set up virtual banks, digital banks, whether it’s HSBC, or now Standard Chartered or any other virtual banks in Hong Kong. A lot of times, you see them trying to separate from the rest of the bank because they don’t want to have that legacy of knowledge around how the bank was operating. It’s interesting to hear you say how that extends to financial crime risk, sanctions risks, a number of different risks because you’re right; you got to spot the risk, obviously. That issue spotting, that risk assessment, that knowledge is always going to be key. However, it’s going to take a different form at an internet company, a FinTech, or a gaming company as well.
Henry Chan
Henry

Right. Right. So, yes, it would be a major flaw if you try to run or manage a financial crime programme of, say, a virtual bank or a non-bank institution, just like if you were running it as a bank, especially a very large and traditional one.

Josh Heiliczer
Josh

Sure.

Henry Chan
Henry

That took me a while to get adapted to, and it’s one major learning for anyone who’s going to make these types of transitions.

Josh Heiliczer
Josh
Yes, that’s great. Henry, I really appreciate your time. It’s been really great catching up with you. Thank you for joining us here on the risk and compliance podcast of Protiviti. This is Josh Heiliczer, and I hope you will be with us next time as well.
Henry Chan
Henry

Thank you, Josh. [Music]


Episode 6 – Running a Successful Financial Crime Programme in Financial Services

Josh Heiliczer chats with Scott Burton, the APAC Financial Crime Head at Deutsche Bank. Scott delves into why persistence, transparency and a holistic view of Financial Crime are imperative to run a successful programme.

Josh Heiliczer
Josh

Hello and welcome to the Protiviti Podcast on Risk and Compliance. I’m Josh Heiliczer, Managing Director for Risk and Compliance here at Greater China at Protiviti. I’m glad to be joined by Scott Burton from Deutsche Bank. Scott is the APAC Anti-Financial Crime Head and, previous to that, has a lot of experience at a number of different institutions here in APAC. So, really happy to be with Scott today. Thank you for joining us.

Scott Burton
Scott

Hi, Josh.

Josh Heiliczer
Josh
Scott, a number of compliance professionals are listening to podcasts. You have a really distinguished career going from Australia. I think last time we talked about how you had those boots coming from a rural farming area in Australia to ultimately London, Hong Kong, a lot of different places, and you were head of Financial Crime at Credit Suisse globally. Then you went over to JP Morgan and now you’re at Deutsche Bank. Can you just tell us a little bit about your career journey?
Scott Burton
Scott

Yes, sure. Not so much of rural farming area but a beach area, somewhere that’s pretty relaxed, pretty laid back. So, I would have to say that this career wasn’t something that I would have anticipated when I was thinking as to what I wanted to do when I grew up, that’s for sure. I think the career journey particularly into financial crime was one that first started a little over 20 years ago. So, I had an opportunity to do some project work. I was working at a consulting firm prior to joining what was Credit Suisse First Boston in Hong Kong and that was to - and establish a KYC programme for the bank in Asia. I thought, “Look, this sounds great. It sounds like a good opportunity to be an in-house project person. I’ll do it for a year or two and just see what happens from there.” So, a little bit ad lib, but this was just prior to September 11, the Bali bombings and all that stuff in the early 2000. This was in the late 90s and I had no idea what was happening next and I thought that this would be something that would just be a stepping stone into I’m not quite sure what, but an opportunity to work in Asia and to broaden my horizons. I did this project and that was in conjunction with the compliance and operations areas, establishing a KYC Control framework for the bank across all the jurisdictions that they were operating and analysing the rules and regs and making sure that we had, as part of the account opening process, collecting the right documentation. This was at the very early stages of what everybody sees as normal course of business these days. That’s where I first got into this area and it was off the back of my previous consulting experience, due diligence experience with consulting firms. I had worked on the investment banking side as an analyst. This is where I first landed and jumped into this area. 
It then sort of rolled on from there as a result of developments - September 11, Bali bombings, et cetera, where the organisation that I was working with at that time realised that they needed compliance people in this space. So, it was pretty much green fields. I was the person in Asia to be full time in this area. It’s always a part-time role for people that were doing broader compliance roles. Then it just grew from there. I joined the compliance function at CSFB. They all grew to cover all of the Credit Suisse here in the region including the private bank and then ultimately to become the global co-head for financial crime at Credit Suisse. I then moved on to JP. That was a role that very much involved transforming the Financial Crime Programme there which was a challenge over a four-year period, developing a team, making sure that we had the right controls in place. I think everybody would be aware at that point in time they were under a lot of scrutiny from the regulators in the US and I needed to develop the Financial Crime Programme and my experience helped to make sure that the right controls were put in place, a team was built and that was certainly an enjoyable experience. Deutsche Bank, I’ve been there for four years now, the regional head of Financial Crime, and again working very hard to continue to improve the programme there, to develop the team, to make sure that we got the right controls in place and that’s effectively been the journey over the last 20 years now.

Josh Heiliczer
Josh

Yes, Scott. I think that’s really great. I find, from my experience, my career as well, different projects that I have done whether it was exposure to transaction monitoring early on or working in a different area when I was exposed to correspondent banking at Citi and Bank of America. Those types of transformation projects, I think, for a lot of young professionals are really keys to understanding where your niche might be within the financial crime field, understanding whether or not it might be the right place for you, but also having the ability to be versatile in your skill set as well. So, it is really important. You mentioned projects and transformations. One of the things that I think is really difficult working out here in Asia, I’ve seen it now in the over 10 years since I’ve been out here is that if you were working for a bank that’s headquartered in the US or Europe, it’s not headquartered necessarily in Asia or in Hong Kong, it can be very hard to get your needs prioritised just because you’re in a time zone out here in the Far East and the regulator might not be breathing down your neck as hard as it might be breathing down your neck in the US or Europe or UK. So, how do you go about really getting your needs prioritised in the global agenda and what you need to run a successful programme?

Scott Burton
Scott

It’s always a challenge and I think there’s a number of things that you need to consider, a number of things that you need to do and just going through them and just off the top of my head, I think planning is important, persistence, clearer articulation, making sure that you can articulate the pros and cons, the cost and benefits of doing something or not doing something. Just going back to these, I think planning, I spend quite a bit of time thinking about what we need to do here in the region. If we can’t get technology at the time that I would like technology here in the region, what do we do to mitigate the risk? Making sure that you’ve got a clear direction and a clear strategy here in the region, being persistent with our global colleagues and counterparts in terms of making sure that the agenda that we have here in the region is front and center for them too and for it not to drop off the table, making sure that I get the management’s support here from the business here in the region, to make sure that our needs are met is also an important criteria or important thing to do as well. Reiterate again that look, it is a challenge and sometimes it could be fires burning in other regions that puts your needs further down the list, but as I mentioned before, persistence is key. Then when you’re putting your business case forward, making sure that you’ve outlined what the pros are, what the cons are of doing things. What the costs are, what the benefits are? You’re making it clear everybody’s aware of that if we don’t do something then this is what a potential outcome would be and is everybody comfortable with that? It could be much easier. You could have some regulatory pressure to do something here in the region and that obviously makes things a lot easier to push through.

Josh Heiliczer
Josh

Sure. In terms of Asia itself, Asia is really a growth area for Deutsche Bank clearly now. Everybody is trying to move in to China on a more greater basis at this point, hiring from a business perspective is moving forward. How do you liaise with the regional regulators say MAS or HKMA or others on some of your regulatory priorities? It might be true that out of overseas – and I know when you were at JP Morgan you were working significantly on the US OCC issues. How do you deal with that? How do you let them know what’s going on and how that’s going to affect Hong Kong, Singapore or other areas in Asia?

Scott Burton
Scott

I wouldn’t say it’s a challenge per se but it can be complicated in terms of being able to clearly articulate the situation. I think it’s very important to be as transparent as you possibly can. Sometimes there’s restrictions as to what you can and cannot say from a legal perspective but working with your global counterparts to be as transparent as you possibly can in terms of what the issues are and what, if it’s a global bank, is doing from the global perspective to deal with the particular issues that they have, and how that specifically impacts a local jurisdiction. Sometimes, to draw that out all global projects, sometimes it’s very easy to, sometimes it’s not so easy to, and to be able to do that promptly, and to be as comprehensive as you can, and the way that I’ve always tried to do this is to organise it in a way to say, “This is what we’re doing from a global perspective.” In addition, these are some of the things that we’re looking to do regionally which will impact this particular jurisdiction. Here’s some specific things as well that we’re trying to do from a local jurisdictional perspective and try to put that plan together to make it more clear as to how everything fits together.

Josh Heiliczer
Josh
Yes. I think, Scott, you made some really great points in terms of how you’re able to prioritise and work with regulators and one of these that I’d like the audience to take forward most of all especially if you’re working the Risk and Compliance space then in Financial Crime is that really these regulatory projects are great opportunities for you from a career perspective. You can learn so much. You can learn and liaise with a lot of different stakeholders, much more than if you’re siloed and working in a particular space, maybe covering an area or aspect of financial crime. So, I would say to you, if you can volunteer to take some of these projects up and work on them, that will be time consuming but it will also be very rewarding from a knowledge and a career perspective going forward.
Scott Burton
Scott

I agree. I think what I encourage is for people to take stretch assignments where they can. I think, from a career development perspective, that it’s really important to get exposure to as many areas of financial crime as you can. I think just because of the way that our area of expertise has grown that people have become very specialised in sanctions or in bribery and corruption, for example. There’s not a lot of people out there that have more understanding of the different areas of Fin-Crime. I think it’s okay also to be as strict as they may in a certain area but there is also certainly demand for people, and particularly as you get more senior, you have to really have experience across the variety of areas in Fin-Crime and this is the way to do it.

Josh Heiliczer
Josh
Sure. I think the best transaction monitoring investigators or analysts, the best KYC analysts, the best people working on source of wealth or sanctions are those people that are able to look at things at an interrelated and interconnected level, and maybe they’re able to spot a risk factor whether it’s fraud or a bribery and corruption case from looking at something that might be an alert in a different context or a red flag in a different context, and building on those cases.
Scott Burton
Scott

Holistic view is really important and then it even extends further to some of the other risk-types outside financial crime as well and people with that ability to identify those risks, that’s where there will always be a demand for people with that skill set.

Josh Heiliczer
Josh

Absolutely. You heard it from Scott first. That’s how you can make yourself valuable in the AI and computer age. Scott, thanks a lot for joining us here on the Risk and Compliance Podcast at Protiviti. This is Josh Heiliczer and I’ll be with you next time. Thanks a lot.


Episode 7 – Steering Clear of the Punitive Measures Imposed by the Hong Kong Monetary Authority

Join host Josh Heiliczer and Urszula McCormack, Partner at King & Wood Mallesons, for a discussion about the biggest fines imposed by the Hong Kong Monetary Authority in its history and what banks can do to avoid these in the future.

Josh Heiliczer
Josh

Hello, and welcome to the risk and compliance podcast here at Protiviti. This is Josh Heiliczer. I’m a managing director here in the Greater China practice. I am the FCC, financial crime subject-matter expert, for the region as well as the Risk & Compliance head for Hong Kong.

I’m grateful to be here with Urszula McCormack. She’s a partner at King & Wood Mallesons. She is a veteran Hong Kong attorney. She’s been around for a long time assisting the HKMA, a number of banks. We got to work a little bit together on the KYC utility project when I was at another firm, and I’m happy to be here with her today.

I have Urszula here because we wanted to talk about the recent HKMA fines a couple of Fridays ago — it seems like they love to announce these on Fridays. The HKMA fines not one bank, not two banks, not three banks but four banks. This is equal to the amount of fines the HKMA has had throughout the entire time of their history. They’ve only had four fines previously, the first fine being back in 2015, with State Bank of India, and now, they have four fines on one day. So Urszula, I’m happy to have you here with us and wanted to get your viewpoint: What are the key points of these fines, because four fines in one day is a lot to go through, especially when you only had to go through four fines in about five years?

Urszula McCormack
Urszula

First, it’s great to be here with you, Josh. Yes, we’ve got four fines, four banks and HK$44 million in fines. We’ve got this grouping of banks that have been fined together with common lapses in relation to the monitoring of customer relationships and certain deficiencies in customer due diligence, as well as high-risk situations.

What is especially important, first, is that there are unique circumstances with each of these banks, but there are certainly some commonalities with the fines that we’ve seen over the past few years. I’m remembering that 2012 was when the AMLO was implemented, and we saw quite some time before penalties started to roll in — I think 2015 was the first one. It takes a long time, and we have a series of lapses that were recognized to have occurred some time ago, and that was also recognized by the HKMA — that these aren’t necessarily things that occurred after years and years of well-worn experience within the industry. Some of this related to slightly new areas with a historical conduct.

That was taken into account with the fines as well, but in general, what we’re talking about is a lot to do with how we monitor, on an ongoing basis, customers, and some of the deficiencies that were identified were really attached to — well, not blatant disregard for the law, but an attempt to operationalize the law. That’s the common story that we see with a lot of institutions — they’re trying hard to establish these systems, these controls, and sometimes they don’t get there, they don’t do the job, and they are found wanting.

Of course, we do see certain aspects, particularly relating to high-risk situations, complex structures, PEP scenarios where those situations are inherently hard, but we have seen the HKMA have not a lot of tolerance for that even as far back as the Coutts fine several years ago. We’re seeing a focus on basic customer due diligence and on good ongoing monitoring as well as handling of those high-risk situations.
Josh Heiliczer
Josh
Those are all key points. In one of the cases, there was a systems failure that affected one of the banks significantly and led to a delay in periodic review, led to screening issues for politically exposed persons. What do you think banks can do to avoid some of the systems failures? And then, one other point is, you mentioned some of the operational failures — one of the fines also had this idea of sending a negative-consent mailer, out to clients, and if they didn’t update in time or didn’t tell you about anything in three weeks, they just assumed everything was fine.
Urszula McCormack
Urszula

Yes, two really important themes, because those themes aren’t just relevant to AML. They’re relevant to bank activities as a whole. If we look at the technology side of systems failure, we’ve seen quite significant progress in the adoption of technology by banks. We now have regtech adoption initiatives by the HKMA encouraging the adoption of technology. We’ve had a series of focused investigations and inquiries on areas as expensive as algorithmic trading by the SEC — AI focus as well. This story of both utilizing technology and having the controls in place to be able to test, to be able to verify, to be able to check and monitor, is incredibly important. What we’ve seen is the technology guidance around and expectations grow as the expectations around adoption have grown.

Now, we’re still a little bit behind in terms of what good testing, good monitoring, looks like, but what we’re seeing in these fines is that the regulator has very little tolerance for systemic failures of themselves where they feel that management should’ve known, there should’ve been some sort of test, there should’ve been some sort of human review to make sure that things were actually working as they should. That’s on systems.

The final thing I will say on that is that there’s no doubt that technology is so important to AML. If we look at things like dealing with dual-use goods in trade finance, you cannot do that just with manual procedures. You need the data analytics to be able to work out whether a particular item, a particular trade, is problematic. All of that means technology is important, but then, we need the systems to work.

The next bit in terms of this point around looking at the customer interaction recognizes — and we’re all guilty of this: We don’t respond to our banks when they ask us for updated suitability assessments or for additional documents. It’s boring. It’s just another task on the list, and banks really struggle with this. The customers just want to get on with their transactions, with their day-to-day business, with their lives. What this attempt is to do is to say, “Tell us — here’s what we have in relation to you. Tell us if it’s wrong, if it’s not great, we’ll go. I will leave you alone.”

Unfortunately, that doesn’t cut it. We’ve seen a similar problem where banks were also trying to deal with unclaimed assets as well. Customers don’t even respond when you tell them that you’ve got their assets as well and that you might as well donate them to charity. This point around contactability, keeping that relationship fresh, is important, and what’s interesting is, the private banks perhaps do this better because they have human interaction with their clients — they see them. And so it’s harder for those who used to operate branches, who don’t see their customers anymore, and where those emails just aren’t getting answered.

Josh Heiliczer
Josh

It’s interesting you mentioned the periodic-review point. It’s something that we see a lot of our clients struggle with. We’re working with a lot of private banks now in that space as well. They have some personalized touch, the private banks, but even though, in theory, they’re supposed to be meeting with them in person, they can’t because of the pandemic, to a large extent.

One of the factors that we continually see as being a problem is that you mentioned suitability, the KYC documentation, source of wealth, transaction monitoring, FATCA/CRS from a tax perspective. Clients get bombarded, and it doesn’t matter whether you’re in a private bank or not. Maybe they’re able to bring it all together better, although it doesn’t always seem that way. Clients seem to get bombarded by stuff. I know I do get bombarded with stuff, and so I don’t answer it, because I don’t want to be bombarded with stuff, and so that leads to difficulty with the relationship.

Where banks in particular, or security brokers or private banks, can bring everything together to have one reach-out, to have a coordinated discussion with a client so that you’re not continually pestering them, that works a lot better, but given the systems issues that a lot of the banks face, and silos with all these different processes, it’s very difficult to do that.

From a systems-failure perspective, one of the things that we would advise a lot of our clients is that they should have ongoing systems testing — so, try to do it every year, every two years. The HKMA has tried to bring this out, particularly in the screening space with some of their thematic reviews, and so that’s what the HKMA is expecting banks to do — the SFC as well. Also, the regulators regionally — us in particular as well.

China has now been very focused on systems as well, so those are all very big things, and then, on the mailer piece, if you’re an overseas operation operating in Hong Kong, one of the keys to be able to operate effectively is to get the right guidance from an adviser, whether that be an attorney or whether it be a consulting firm, to make sure that you’re meeting the regulatory standards, because what might work in another jurisdiction may not work in Hong Kong.
Urszula McCormack
Urszula

Josh, you’ve raised so many great points. Just taking that last one look, systems build — they’re so expensive. They’re often driven by the home office. They take several years, and by the time that you’ve factored in local requirements, you’re five years into the project and several millions of dollars, and it’s hard. Certainly, doing that iteratively, doing it often, doing it early and having that flow of information around standards and expectations, even the fact that some jurisdictions in Asia — and Hong Kong is a great example — are tougher in terms of what you need to obtain.

The only thing I want to pick up on is this point around bombardment of communications, and in terms of lining up the regulatory requirements, whether it’s for CRS or whether it’s for FATCA or whether it’s for AML, that’s so important — to make the customer feel like you’re being organized about what you’re asking from them, and to consider whether all of the marketing that gets sent to your customer results in so much noise that it’s very difficult for the customer to discern what’s actually for them and what is perhaps a little bit more for the bank.

In that regard, one of the problems that we see behind the scenes is incentives to go through AML too quickly, so that shortcuts occur. This is what we see when we have banks reach out to us on potential breach situations: They identify that there was a poor culture that was incentivized through speed, through just getting these things done quickly, rather than using it as an opportunity to build relationships and do things better.

Josh Heiliczer
Josh

Definitely, in the private banking space, we say to our clients, “Look, source-of-wealth is an opportunity to build your relationship.” It’s not a hassle to go back and show your client that you don’t really know them and you don’t know how they are in their wealth. It’s difficult. It’s a difficult conversation to manage. You have to be skilled as a relationship manager to do it, and not all relationship managers are necessarily going to be so adept at doing that.

We’re close to running out of time here, but a couple of questions to just finish up. One is, why did it take so long? Most of the activity, as you mentioned — the anti-money laundering ordinance came into effect here in Hong Kong in 2012. A lot of the activity stems right from when the anti-money laundering ordinance went into effect. Yes, you’re not going to get everything right. The HKMA was probably giving some grace period to allow banks to adapt and to go forward and build their programs. We see that in one of the cases, the activity ended in 2014. Two of the cases, it ended in 2016, and one of the cases, there was some activity going up to 2018, but they all seem to be very historical activity. Why does it take so long in terms of going through the enforcement process with the HKMA?

Urszula McCormack
Urszula

The starting point is how it gets there in the first place, and that can arise through a self-identified issue that takes quite some time to work out. Usually, when we have someone reach out to us, there is quite a lot of time that’s spent to identify not only whether there was a fault but also, why was it a broader issue? There’s some initial engagement with the case officer to sound out the next steps. There is a period of review, agreeing on a remediation plan, and at some point, when it gets to enforcing, it will flip over and move down that enforcement channel, and then, when we move into the enforcement channel, it then takes a while as well. In some cases, the review might go back to the very beginning in terms of circumstances, the root causes, the other types of issues, and it may be an opportunity to then review what else might be problematic within the institution.

Josh Heiliczer
Josh
Would it be fair to say like it’s almost like a reinvestigation to a certain extent from the supervisory team that did the original inspection?
Urszula McCormack
Urszula

It’s a different lens, so, yes, in our experience, it can feel like you’re starting again. Obviously, we expect that there’s a great degree of information-sharing, but it can certainly feel that way, and you have many rounds of discussions, many submissions that need to be made, interviews with relevant individuals to work through, and to its great credit, the HKMA is following a process, and it’s trying to do so. Then after that, of course, it takes some time to discuss the potential outcomes to provide an opportunity for the bank to respond. And again, that might wind its way through. In the case of the four, we don’t know, in all cases, whether there was a degree to wait to publish them together as well.

Josh Heiliczer
Josh
What if you just want to fall on the sword and settle? Is that a possibility? You just say, “I acknowledge it. These are record fines for the HKMA, but they’re not record fines globally. I’m a multinational bank. I don’t want to have to continue to report this in my annual report that I’m being investigated by the HKMA.” Can that happen?
Urszula McCormack
Urszula

To a degree, each bank will make an assessment as to how hard it goes to justify a particular activity, versus falling on the sword and saying, “This was just a stuff-up.” That latter approach is rare, but in any case, yes, the HKMA will still want to satisfy itself that it has followed its process through, that its findings are robust, that the fine is appropriate, so it still ends up taking time.

Josh Heiliczer
Josh

What do you see coming up? Do you see more enforcement actions? Do you think there’s more stuff in the pipeline? How long? Do you think we’re going to start to get to more recent activity — say, fines where activity has occurred within the last two or three years?

Urszula McCormack
Urszula

When we look at the mutual-evaluation-related materials for the FATF reviews, you see as an ongoing trend — and frankly, in every mutual-evaluation report worldwide, that enforcement is often front and center. We’re at a point where the regime is quite robust. We’re responding to new risks. We’re looking at virtual-assets-sector evolution, but in terms of banking, the practices are good. The next wave really needs to be around demonstrating enforcement action, and the focus will be on systems, on their resilience, on their capability, particularly, as we now have the group of virtual banks involved as well. We have remote-onboarding-related issues as well, and some of those areas will certainly be of interest to the HKMA in terms of enforcement. There’s always low-hanging fruit in relation to general breaches, but that point on technology will be important.

Josh Heiliczer
Josh

That’s great, Urszula. I thank you for joining us here on the risk and compliance podcast. Most importantly, we’re going to see different types of fines coming up in the future. A lot of the systems testing is going to be key. Thanks a lot for joining us, and I’m Josh Heiliczer. Have a good day.


Episode 8 – Mobilising Financial Institutions to Fight Against Modern Slavery

Protiviti’s Managing Director, Josh Heiliczer, speaks with Matt Friedman of Mekong Club, a business association mobilising institutions to fight against human trafficking. This podcast highlights the growing responsibility of financial institutions against modern slavery and how they can prevent it, or detect it, alert law enforcement, and stop it.

Josh Heiliczer
Josh

Hi, this is Josh Heiliczer on the Protiviti Risk & Compliance podcast. I am a managing director in the Greater China region. I lead the risk and compliance practice for Hong Kong and China and the financial crime compliance solution across APAC. My guest today is Matt Friedman. He’s the head of the Mekong Club. It’s an organisation dedicated to fighting human trafficking. They work with a lot of banks, a lot of different industry players. They have manufacturing groups; they have different things across the region. I’d say Matt is probably the foremost expert in the region on human trafficking and modern slavery and I’m really happy that he’s with us today.

Matt Friedman
Matt

It’s great to be here. Thank you. 

Josh Heiliczer
Josh
Great. So, first of all, great to have you here. It was amazing to have you come speak to our team, the risk and compliance team and the greater Protiviti last year, and we’re looking to do more with you this year. But one question that we really get a lot of focus about and I think is a basic question as we hear a lot about human trafficking, modern slavery: what exactly is that?
Matt Friedman
Matt

Human trafficking is a phenomenon whereby a person is tricked and deceived into a situation where they have work but they don’t get paid and they can’t leave. So, just to say what it’s not, it’s not a person who works in a factory and is getting cheated but can walk out the door. In this particular case, they’re held in place. There’s about 40 million people around the world who are in this situation. Here in Asia, about 62% of the modern slaves are here. The difference between human trafficking and modern slavery as terminology, human trafficking as a terminology basically identifies the movement of a person from one place to another to then be exploited, hence trafficking. Whereas modern slavery focuses on the exploitation, the fact that the person doesn’t get paid, they’re in a slave-like circumstance. Slavery was initially suggested but because when people think about slavery, they think about what happened a long time ago, so they put the word modern next to it. It’s a phenomenon that has about 25,000 people entering per day, or a new slave every four seconds. So, it’s a big deal and it’s a big problem for not only Asia, but for the rest of the world as well.

Josh Heiliczer
Josh

Yes, I think you’ve highlighted a number of issues. I think a lot of times it’s hiding in plain sight whether you’re in Hong Kong or other major cities and you don’t think that this is going to be a big issue. It tends to be that. Matt, how did you get involved in this area? It’s not something that you hear a lot of people getting involved particularly in the way that you did, and so it would be great to hear that story.

Matt Friedman
Matt

Well, my history goes all the way back about 30 years. I was living and working in Nepal, I was a public health officer, and I had the HIV AIDS portfolio, and we were finding girls 12 to 13 years old who were HIV-positive. Couldn’t understand what was going on so I started to go and interview them and heard the same story over and over again, how a trafficker would go into a community, befriend a girl who was 12 years old, ask for her hand in marriage, he’d actually marry her, and then instead of taking her to the capital Kathmandu, which is what he says to the family, he takes her to the brothels in Mumbai, and sells her to the brothels. She’s commercially gang raped until she agrees to have sex with 10 guys a day, every day and does this for a couple of years until she gets sick and they throw her out on the street and then she’s sent home. So, I was hearing this story over and over again, but I didn’t understand the real evil of it. I didn’t cross over into activism until I actually went to those brothels. I was invited by the Indian government to do public health checks. I had a police officer with me, went into one of these brothels, and there was an 11-year-old trafficking victim. She saw me, saw an opportunity, literally ran up, wrapped herself around me and said, “Save me, save me. They’re doing terrible things to me.” I turned to the cop and said, “We need to get her out of here.” He said, “We can’t do that.” I said, “How come you’re a cop?” He says, “Well, if you try to leave, we’ll both be killed.” So, to make a long story short, we left, we came back with a lot more police, but of course she was gone. And I tell this story because I wasn’t one of those 15-year-olds that said, “When I grow up, I want to be an activist.” In fact, I did everything I could not to. But I was so affected by kind of the picture of this girl in my mind, the failure of not helping her that I did what a lot of activists do. 
I surrendered to the fact that now that I know about this, this is what I’m going to do with my life, and 30 years later, here I am talking on this podcast. 

Josh Heiliczer
Josh

First of all, it’s a really heart-wrenching story. I have a son that’s nine years old and to think about that being his situation two years from now is really sad and breaks your heart for the people that are affected and as you mentioned, first and foremost, whether it’s a girl or a boy or somebody else who’s involved, it’s heartbreaking for them but it’s also heartbreaking for their families as well. It tears them apart. I guess you mentioned that story in terms of the girl that you interacted with, the prostitution that she was forced to be exposed to. I guess from the clients that we work with most, how can financial institutions get involved in detecting it? What can they do, whether it be through their transaction monitoring process, KYC process, through other means like discussions with regulators or NGOs like yourself? What can they do to detect this activity, stop it and alert law enforcement or to prevent or stop it totally?

Matt Friedman
Matt

I think the first thing is that there has to be more awareness. I do presentations across Asia, and I’m always surprised at how few bankers really know much about the issue. They hear bits and pieces, and they hear about typologies and various other things but they don’t really have a framework in their mind, and the reason why this is relevant and is important is profits generated from this are $150 billion. If any of this gets into a legitimate bank, it’s money laundering. There was a fine of AUD 1.3 billion by a bank that didn’t look into online sexual exploitation of children. So, the banks have to understand this.

So, awareness is needed. The awareness has to go all the way up to the top of the bank, the C-suite level and the board. They need to understand the issue and they need to make sure that there are resources available. In addition to that, you need a point person or team of people within the organisation that are trained that if anything comes up relevant to this topic, they’re the ones that you go to. There needs to be training that is provided to the various groups. Procurement needs to understand this because there are supply chain issues that they have to take into consideration related to modern slavery. The risk assessment people, the compliance people, the anti-money laundering people need to understand the typologies that are related to modern slavery which outlines the relationship between the perpetrator and the victim, the various transactions that take place, which of them could be nefarious and red flag indicators, how you take those clusters of red flags and apply it to big data to look at patterns, so that you can run the data the same way you do for anything related to anti-money laundering or any other kind of illegal activity. There has to be risk assessment due diligence. So, if you’re, for example, in Malaysia and somebody approaches you for a letter of credit or a loan for palm oil, you need to know that that is considered to be a relatively hot topic in that particular location. So doing your due diligence, doing your research, understanding where the vulnerability is important, and then being able to have a remediation plan. If you find that one of your clients has an issue, what do you do and how do you do it in order to ensure that this is fixed in a sustainable way that doesn’t allow for it to be a problem over time.
 

Josh Heiliczer
Josh
Yes Matt, I couldn’t agree with you more. I think two concrete examples that I’ve seen within the financial institution space where they’ve had good success in terms of detecting modern slavery activity, human trafficking activity have been one where there’s some discussions with the regulators about places where potential activity like prostitution is occurring. So, I know that one bank looked at different locations. They got some information from the police force, and they ultimately stopped banking in those locations. Then the second example was where they were looking at processing times of credit card transactions. One in particular was a nail salon that was processing a huge amount of transactions at 2:00 AM. You know, nail salons are not necessarily open then, or during the COVID times. Take a place like Hong Kong or the US or other places where businesses are significantly closed because they can’t be open, and yet they’re still processing transactions. Those can be some significant red flags to really look at. Looking at activity that is anomalous for that particular entity and having the right partnership with the regulators, police force, within the jurisdiction to get some additional information that can help you target your monitoring activity and target your reviews.
Matt Friedman
Matt

Yes, one of the things that we just are in the process of putting out as a tool is a series of questions, that law enforcement can use too, related to when they arrest somebody, what are the criminal transactions that take place, where is the money moving and so forth. If they are not taught how to go about doing that then they are unable to know that this is very relevant information that if shared with the financial community could help to make a difference. Now, one of the constraints that we all know is privacy laws and the fact that you’re not able to share certain information, but anonymised and in the form of typologies, all types of systems procedures and approaches that the criminals can use can be used as part of the training to sensitise institutions on what they need to do and how they need to do it in order for their suspicious transaction reports to relate this particular problem to the right people, the regulators, the law enforcement people and so forth.

Josh Heiliczer
Josh
Yes, it’s really true. I also think the rise of public-private partnerships, whether you look at ACIP in Singapore or FMLIT in Hong Kong or the Fintel Alliance in Australia. Those are great forums in terms of sharing information because generally, you can find exceptions to privacy laws within that.
Matt Friedman
Matt

Yes, and I think that the privacy laws in some ways need to be kind of tested. To what extent can you exchange information? I know this from my public health days where we would go and do an inspection of a hospital and they’d say, “Well, the laws basically prevent us doing X, Y, and Z,” and we heard this enough that we went back to the laws and came to realise that there was a lot of flexibility. You could do a lot more than what people thought you could do. You know, when terrorism became a big issue and then they changed the laws related to how you could share related to that, I would argue that this is a form of terrorism, that they should be looking at to see whether or not more flexibility could be built into kind of an interagency type sharing with law enforcement and with the banks and so forth that ensures that the criminals don’t get away with what they get away with.

Josh Heiliczer
Josh

Yes, I couldn’t agree with you more on that. Well, Matt, really appreciate your time today and I really think it was insightful to gain an understanding of your story, also human trafficking, modern slavery, and some specific examples of where financial institutions can work on detecting some of that activity and hopefully reporting that to regulators and working within the public private partnership. Thanks a lot, Matt.

Matt Friedman
Matt

Thank you for the opportunity.
