In February 2017, The Clearing House (TCH), a trade association with a mission to advocate regulatory, legislative and legal policy issues on behalf of systematically-important banks, released a report analyzing the current effectiveness of the U.S. anti-money laundering (AML) and countering the financing of terrorism (CFT) regulatory regime. The report, developed by a diverse and influential group of stakeholders over the course of a year, includes recommendations intended for immediate implementation aimed at reforming the existing U.S. AML and CFT regime. In the report, TCH calls on regulators and lawmakers to address how AML and CFT rules are implemented and enforced. It also urges enhancements to the framework for countering terrorism, what it considers to be outdated and ill-suited.
TCH lays out seven recommended reforms for immediate implementation:
- Rationalize Supervision. To better align law enforcement objectives and financial institutions’ AML and CFT programs, TCH suggests the Financial Crimes Enforcement Network (FinCEN), which has rulemaking and examination authority for compliance with the Bank Secrecy Act (BSA), be assigned sole supervisory responsibility for large, multinational financial institutions. (Federal banking agencies currently have that responsibility.) The report also calls for FinCEN to create a robust annual process to establish AML and CFT priorities for financial institutions.
- Improve Transparency in Beneficial Ownership. To help prevent the misuse of corporate vehicles for money laundering, TCH recommends that the U.S. Congress enacts legislation to prevent the establishment of anonymous companies. This would require natural person(s) who have ultimate controlling ownership of a legal entity be identified as the beneficial owner of a company at the time of incorporation.
- Support Innovation. TCH recommends that the U.S. Department of Treasury, through its Office of Terrorism and Financial Intelligence (TFI), encourage innovation to help financial institutions’ AML financial intelligence units (FIU) become more agile and responsive to increasingly sophisticated money laundering techniques. TCH further recommends that FinCEN propose a safe harbor rule enabling FIUs to innovate without fear of examiner scrutiny.
- De-prioritize SAR Reporting Activities. In the report, TCH recommends that policymakers de-prioritize investigation and reporting of activities of limited law enforcement or national security interest. TCH suggests, for example, raising suspicious activity report (SAR) reporting thresholds, eliminating SAR filings for insider abuse, and reviewing all existing SAR reporting guidance for relevancy.
- Improve Flow of Data. As potentially useful data often is not provided to law enforcement in real time or in a consistent format, TCH recommends that policymakers find ways to improve the flow of raw data reported by financial institutions when a SAR is filed. TCH proposes establishing a mechanism to enable financial institutions to safely share bulk data directly with FinCEN. Further, to improve tracking and monitoring of potentially suspicious activities, TCH suggests that law enforcement and financial intelligence community professionals analyze the data provided to FinCEN and provide regular feedback to financial institutions.
- Encourage Information Sharing. TCH recommends that changes be made to the information sharing provisions of the USA PATRIOT Act to promote greater sharing of information. Specifically, it suggests establishing and utilizing a shared database of AML information gathered from multiple sources, both private and public, to allow for more robust analysis of data by financial institutions and law enforcement.
- Enhance SAR Reporting Practices. TCH recommends clarifying that SAR investigatory materials be treated as confidential in private litigation settings. Because the disclosure of SAR information in private litigation could undermine investigations, TCH suggests that new guidance or legislation regarding the use and disclosure of SARs would improve transaction monitoring and may result in higher quality SARs.
The report also includes items for additional study, including exploring the use of shared AML and CFT databases, improving coordination among government agencies, modernizing SAR reporting, and providing clearer guidance on what constitutes an effective AML and CFT program.
Both the financial services industry and law enforcement have, for some time, expressed frustration about the lack of effectiveness of the current regulatory regime. TCH suggests that coordination and communication between compliance functions and business lines of financial institutions with regulatory and law enforcement stakeholders will be key to improving the U.S. AML and CFT regime in a new and unpredictable administration. Financial institutions should familiarize themselves with the findings and recommendations of the report and stay abreast of any feedback that is provided by lawmakers and regulators, so they can respond readily to any changes necessary to their programs.
Consumer reports, which contain information regarding the financial performance of a consumer’s established credit accounts, such as credit cards, student loans or mortgages, are a source of valuable information to financial institutions in evaluating the creditworthiness of consumers applying for new credit. The Consumer Financial Protection Bureau (CFPB) notes, however, that millions of Americans, including younger Americans, recent immigrants, and those who do not use credit actively, have a limited credit history or none at all. Further, certain types of information about a consumer, such as utility payment history, rent payments or deposit account activity, are not generally contained within consumer reports even though they could be indicative of a consumer’s creditworthiness. (These alternative sources of credit information are beginning to receive more consideration from credit reporting agencies, non-bank creditors — particularly in the financial technology, or fintech, space — and regulators.)
In February 2017, the CFPB issued a Request for Information regarding the use of alternative forms of data and modeling techniques in the evaluation of consumer creditworthiness. Specifically, the CFPB is seeking feedback on the benefits and risks of incorporating certain information not usually captured in consumer credit reports in the credit evaluation and underwriting process and how this practice may expand access to credit for many Americans. As an increasing number of lenders are considering or already are utilizing this information, the CFPB is seeking to understand further the types of alternative data available, the methods used to gather and analyze this information, and the potential impacts on both financial institutions and consumers.
For consumers who lack sufficient credit history to produce a credit score under most current credit scoring models, access to credit may be limited by lenders relying heavily, or solely, on furnished credit reporting information. Arguably, expanded data points available to lenders could increase access to credit for these individuals. Lenders may be able to better assess consumer creditworthiness with this additional (and sometimes, more current) data, more accurately identify consumers who are more or less likely to default, and even gain operational efficiencies that decrease costs and facilitate an increase in loan volume (particularly for smaller loans).
Conversely, the CFPB outlines several potential risks stemming from the use of alternative data:
- Due to the sensitive and personal nature of this type of information, privacy and security concerns could be raised in cases where data is collected, shared, or utilized without consumer knowledge or consent.
- Alternative data could be more prone to inaccuracies or incompleteness due to the use of less-stringent standards for compiling this data compared to traditional consumer reporting information.
- In the event errors or omissions exist that affect the underwriting evaluation of a credit application, consumers may not have visibility into the information used as part of the decision, or have the means to correct such inaccuracies if such action is warranted.
- Consumers looking to improve their creditworthiness may not be able to influence certain types of alternative data.
- The use of alternative data and modeling techniques could make it more difficult for consumers to understand, and for lenders to explain, the factors leading to a credit decision.
- The use of certain types of alternative data could result in other unintended or undesired effects for certain populations of consumers. Lenders using these sources would need to guard against potential discrimination and other violations of law.
The CFPB’s request for information is part of its broader strategy related to encourage financial innovation and access to credit, while also providing consumers appropriate protections from unfair, deceptive, or abusive acts or practices. Financial institutions considering alternative sources of consumer credit information, along with other producers and users of this information, should consider the benefits and risks as outlined by the CFPB. To the extent that alternative data is currently used in the underwriting of consumer financial products and services, financial institutions should make certain that such use of information is accurate and responsible and that privacy, discrimination and other legal risks outlined by the CFPB are addressed appropriately.
In January 2017, the Office of the Comptroller of the Currency (OCC) issued a bulletin that includes long-awaited examination procedures related to its 2013 guidance on third-party risk management. These procedures are designed to provide OCC examiners with guidance for tailoring their examinations of supervised banks’ third-party risk management programs and to provide useful insight into some of the broader questions financial institutions have been struggling with over the past three years. Notable areas of OCC attention include:
- Quantity of Risk. OCC examiners will first evaluate the quantity of risk that third-party relationships pose to a bank.
- Examiners will determine whether a bank maintains a complete and accurate inventory all third-party relationships, including affiliates, other banks, financial market utilities, fintech partnerships (such as with marketplace lenders), referral arrangements, and those entities to which the bank has delegated fiduciary activities.
- Examiners will evaluate closely whether a bank maintains critical data about its relationships, including risk ratings for each relationship, the type(s) of services being provided, the specific type of relationship, and linkage of subcontractors to the primary contracted entity.
- Examiners will evaluate how closely the bank manages certain types of risks posed by certain third parties, including concentration risk, credit risk, compliance risk, reputation risk, and strategic risk, as well as the bank’s use of higher-risk third parties, such as foreign-based service providers, subcontractors, financial market utilities, and third-party lenders.
- Quality of Risk Management. OCC examiners will evaluate the sufficiency of a bank’s program to mitigate the quantity of risk posed by its third-party relationships:
- Examiners will evaluate whether a bank’s third-party risk management process is integrated into its broader enterprise risk management framework.
- Examiners will place additional focus on how unique or increased risks posed by specific types of relationships are managed by the bank, particularly evolving risks associated with fintech partners.
- Examiners will focus on how financial institutions periodically assess the nature of services provided to the bank by third parties, including the risk and criticality of those services as they relate to the bank’s services provided to its customers. Additionally, examiners will determine whether the bank has contacted the OCC periodically for an Interagency Examination of a Service Provider report and incorporated any relevant information from the examination report into its ongoing oversight of the third party.
The OCC’s procedures are not meant to be an exact checklist of steps performed during every exam of every bank; rather, examiners are expected to conduct risk-based exams, addressing those objectives and risks relevant to the bank being examined. Nonetheless, banks should review their current third-party risk management programs against the OCC examination procedures to confirm alignment of their programs with the procedures and related regulatory guidance. This will allow them to address proactively any potential gaps ahead of a regulatory examination, particularly any unique contracting-related matters. Bank service providers also should familiarize themselves with the examination procedures as their bank partners will likely seek additional information from them as part of their contracting and risk oversight monitoring processes.
In February 2017, at the annual AML and Financial Crimes Conference, held by the Securities Industry and Financial Markets Association (SIFMA), representatives from the Financial Industry Regulatory Authority (FINRA), a self-regulatory agency that provides oversight of broker-dealers, discussed key emerging risks and themes related to AML compliance for the securities industry. FINRA shared common violations noted through its examination process and reminded industry participants that it identified money laundering as one of the key risks it will focus on in 2017 as part of its regulatory examination strategy.
Key points made by FINRA during the conference included:
- AML compliance departments are experiencing a shift due to big data analytics. FINRA encouraged the use of additional methods where technology and reporting can improve risk identification processes and strengthen the AML compliance functions.
- Firms should consider fusing AML compliance with other compliance functions and be mindful not to create silos that may, in turn, limit their abilities to identify and assess risk. For example, as firms are required on their SARs to report patterns of cyber-related threats and attacks, FINRA noted that cybersecurity and AML compliance functions should be collaborating actively to ensure adequate linkage between cybersecurity and suspicious activity monitoring efforts.
- As firms develop new systems, tools and protocols to comply with the new customer due diligence (CDD) rule, they should review their inventory of customer-related information and leverage existing collection and maintenance processes already in use for other purposes.
- Financial institutions should continue to focus on fundamental AML compliance. In discussing common examination findings, FINRA noted that firms should continue to focus on performing proper due diligence and conducting investigations that adequately capture suspicious aspects of transaction activity. (Firms routinely fail to monitor suspicious trades or trading patterns and unusual money movement effectively; that can result in inadequate investigations and SAR filings.) FINRA also noted other common findings centered on the implementation of customer identification programs (CIP), adequate performance of independent testing of internal controls, appropriate maintenance of updated procedures, and dedication of proper resources to AML compliance efforts.
Many of these points address information collection, analytics, and internal communication and coordination. To this end, firms should evaluate comprehensively how customer information is currently collected, analyzed, maintained and reported, and what changes are planned to meet the requirements of the CDD rule. Further, firms should identify and implement strategies to gain AML operational efficiencies by leveraging related efforts already in production; they also should consider bolstering AML technology solutions and making better use of big data to improve the accuracy and flow of information. Last, in response to FINRA’s comments about fundamental AML compliance, firms must remain vigilant in their self-assessment and testing of AML risks and controls.
Note: It is important to note that this newsletter is provided for general information purposes only and is not intended to serve as legal analysis or advice. Companies should seek the advice of legal counsel or other appropriate advisers on specific questions and practices as they relate to their unique circumstances.