In January 2017, state regulators and the Conference of State Bank Supervisors (CSBS) released a Bank Secrecy Act/Anti-Money Laundering (BSA/AML) Self-Assessment Tool to help financial institutions self-evaluate and better manage money laundering risk. Risk assessments are a top-of-mind consideration for regulators, who consider logical, well-balanced and robust assessments the focal point of a sound risk management program. The self-assessment tool was issued not only to help provide transparency into how risks are assessed, monitored and communicated within an institution but also to promote greater transparency among institutions to benefit the broader financial services industry.
Along with the self-assessment tool, the CSBS issued instructions and a narrated tutorial to aid users in understanding its intent and design. The CSBS makes clear that using the self-assessment tool is not required, nor is using it a substitute for performing a periodic BSA/AML risk assessment. Rather, institutions that elect to use the self-assessment tool should utilize it to support their existing risk assessment process and in conjunction with risk assessment guidance set forth in the BSA/AML Examination Manual of the Federal Financial Institutions Examination Council (FFIEC).
Consistent with the FFIEC’s manual, the self-assessment tool includes three prepopulated categories: products and services, customers and entities, and geographic locations. The framework of the self-assessment tool is designed to help users classify inherent risks, describe and assess the strength of corresponding mitigating controls, and return a corresponding residual risk level. The self-assessment tool, which has a flexible design, can be customized to a financial institution’s specific business operations. It can also be adjusted as necessary to capture changes in both the regulatory environment and a financial institution’s strategic direction.
To support greater transparency within the financial services industry, self-evaluate for BSA/AML risks and potentially reduce the regulatory burden of BSA/AML requirements, financial institutions should familiarize themselves with the self-assessment tool and evaluate whether it could strengthen their existing risk assessment process.
Financial institutions that elect to use the self-assessment tool should:
- Ensure that the results are considered within their periodic BSA/AML risk assessment.
- Review and revise BSA/AML risk assessment methodologies to incorporate the new self-assessment tool.
- Set an internal standard that prescribes a frequency for utilizing the self-assessment tool.
- Ensure that BSA/AML risk assessment narratives and underlying tools align with and address the results of the completed self-assessment tool.
In January 2017, the Financial Industry Regulatory Authority (FINRA) published its Regulatory and Examination Priorities Letter for 2017, which identifies known and potential risks facing broker-dealers, investor relationship management and market operations. FINRA uses the annual priorities letter to communicate areas of focus for its information requests and examinations for the upcoming year.
The 2017 priorities letter highlights the “blocking and tackling” roles of compliance, supervision and risk management through FINRA’s focus on reviewing firms’ business models, internal control systems and client relationship management. Priorities identified for 2017 include:
- High-Risk and Recidivist Brokers. Reviewing firms’ supervision processes for hiring and monitoring brokers with disciplinary records or a history of past complaints and observations.
- Sales Practices. Assessing the adequacy of firms’ internal controls for monitoring the suitability of investment recommendations, and for detecting and preventing brokers from providing fraudulent, abusive or improper advice (with a concentrated emphasis on senior investors and retirement planning). FINRA indicated that it may review firms’ compliance through monitoring trading activity, monitoring electronic communications (including social media), observing record-retention practices and following procedures for monitoring brokers’ private securities transactions.
- Financial Risks. Evaluating firms’ liquidity planning and abilities to withstand stressful economic conditions, as well as assessing their financial risk management practices and compliance with new margin requirements for certain covered transactions.
- Operational Risks. Assessing firms’ cybersecurity programs and the tailored application of these programs to their business models and activities. FINRA indicated that it may review how firms manage client-sensitive information and third-party relationships and will continue to examine firms’ anti-money laundering (AML) programs.
- Market Integrity. Examining market participant behavior for potentially manipulative trading patterns by firms or their customers and reviewing firms’ trade-execution and trade-settlement practices.
The priorities letter underscores the significance of monitoring broker-dealer conduct, internal controls and oversight, investor relationship management, and market operations. To prepare for regulatory examinations in 2017, firms should consider assessing the strength of their internal controls and the effectiveness of their current compliance programs against the priorities identified in the letter.
In January 2017, the European Commission (EC) published the draft text of a proposed e-privacy regulation that, if adopted, would replace the EC’s current ePrivacy Directive with a more expansive regulation. The regulation is in furtherance of the EC’s stated goal of creating a Digital Single Market and, together with the General Data Protection Regulation (GDPR), will eventually establish a new privacy legal framework for electronic communications. The proposed regulation was developed with the intent to create better access for consumers and businesses to digital goods and services, level the proverbial playing field for digital networks, facilitate development of innovative services, and increase the growth potential of the digital economy. The proposed regulation is scheduled to go into effect at the same time as the GDPR in May 2018.
Though a number of technical provisions apply to providers of electronic communication services, certain provisions apply more broadly to financial institutions. These include:
- Direct E-Marketing. The proposed regulation expands the definitions of direct marketing and electronic communications and applies restrictions to all direct marketing electronic communications to both individuals and commercial recipients. For individual recipients, the regulation will require the sender to obtain the end user’s prior consent for direct marketing purposes. Once given, the end user’s consent can be withdrawn at any time; however, consent will not be required when marketing the provider’s own similar products or services. For commercial recipients, the EC defers to the 28 European member-state countries to regulate such communications to ensure that the legitimate interest of corporate end users is sufficiently protected from unsolicited communications.
The proposed regulation also addresses call identification and blocking, whereby users of electronic communication services are allowed to block the identification of their phone numbers when placing outbound calls or block calls where the number of the inbound caller has been withheld.
Financial institutions that engage in marketing or electronic communications to individuals and commercial recipients in the EU should be familiar with the proposed regulations and ensure that these regulatory changes are identified and tracked through existing regulatory change-management processes. As the proposed regulation navigates the legislative process, financial institutions can prepare for these changes by evaluating and determining — through privacy impact assessments, legal counsel or other means — whether these changes will have an impact, particularly when engaged in any of the activities covered under the regulation.
In January 2017, the Consumer Financial Protection Bureau (CFPB) sued a Minnesota-based bank for apparent unfair and deceptive practices related to enrolling customers into overdraft-protection services. Under Regulation E, the CFPB’s regulation implementing the Electronic Funds Transfer Act (EFTA), banks cannot charge overdraft fees on deposit accounts for certain transactions (specifically, one-time debit card transactions or automated teller machine (ATM) withdrawals) without first obtaining a consumer’s consent. In the suit, the CFPB contended that the bank violated the EFTA by:
- Misleading customers when opening new accounts that overdraft-protection services were mandatory
- Concealing the fees associated with overdraft-protection services at the time of new account opening
- Deceptively seeking customer consent while attempting to sign up existing customers for overdraft-protection services
- Pushing back on customers that questioned the opt-in requests
The suit further describes how the bank relied on overdraft fees to increase revenue and improperly incentivized employees to increase opt-in rates when opening new checking accounts through incentive compensation bonuses. In the suit, the CFPB indicates that the bank by 2014 had enrolled approximately 65 percent of its deposit account customers into the overdraft-protection services, nearly triple the rate of peer banks.
This action is the latest effort by the CFPB to monitor and deter illegal overdraft practices employed by financial institutions and follows other recent CFPB enforcement actions taken against other banks. Though the regulatory requirements related to overdraft-protection programs are not new, financial institutions should take steps to validate the appropriateness of their current practices related to overdraft-protection programs and customer opt-in processes, evaluating specifically any scripting, sales incentives/goals programs and other metrics or reporting to detect and address any potential concerns.