In this edition of the Navigator, we briefly review some of the politically-driven changes that impacted financial services throughout 2017, share industry conference chatter and examine old news that resurfaced in the headlines last year. We follow this commentary by keeping you informed with a summary of relevant regulations taking effect this year. This edition wraps up with our thoughts on the most important trends for financial services and our prescription for success in 2018 and beyond.

Section 1: 2017: A Year in Review

Politics:         

The Trump administration has repealed almost 70 regulations and approximately another 1,500 withdrawn, made inactive/dormant or relegated to long term this past year. According to President Trump’s Administration, the 2017 regulation cuts alone amount to a lifetime net savings of over $8 billion; for 2018, the predictions are close to $10 billion. Although the administration is focused on repealing regulations, discussion in the market and from regulators suggests the expectations of and level of scrutiny to financial crime and anti-money laundering (AML) compliance programs to remain heightened. On day one as the new Chair of the Federal Reserve, Jerome “Jay” Powell promised “to make sure that our regulation and supervision are efficient as well as effective.” While there may be additional regulatory repeal in 2018, how to prevent, detect and respond to financial crimes in an efficient and effective manner is likely to be a priority.

Let’s take a look at some of the other regulatory changes of 2017. Notably, AIG is no longer subject to several federal regulations and oversight after the Financial Stability Oversight Countcil (FSOC), which is chaired by Steven Mnuchin, removed its “too-big-to-fail” designation. Additionally, numerous revisions and delays of some consumer protection-related regulations occurred. The Arbitration Rule was successfully nullified under the Congressional Review Act; the Consumer Financial Protection Bureau (CFPB) is softening its supervision as part of its new Home Mortgage Disclosure Act Data Collection Rule (Regulation C amendments effective this year) despite its intended expanded scope; and a rule was proposed allowing Federal Home Loan Banks to use their own rating methodologies as opposed to ratings issued by Nationally Recognized Statistical Rating Organizations (NRSROs).

Sanctions concerns remained at the forefront in 2017, with several notable changes occurring. U.S. Commodity Futures Trading Commission (CFTC) sanctions collections fell 68 percent during the period of September 2016 to September 2017 compared to the previous year’s same timeframe. As for Office of Foreign Assets Control (OFAC) sanctions, we saw some major updates to Countering America’s Adversaries Through Sanctions Act (CAATSA) and still-heightening North Korean sanctions. Additionally, current (India) and future (China, U.S.) export controls made both national and global news.

Other notable happenings that could soon affect the finance world include: the appointment of Federal Communications Commission (FCC) Chief Ajit Pai, who may repeal net neutrality; the Department of Justice’s slowed investigation of a global bank’s involvement in a Russian money laundering scheme and its potential association with the President (pending Mueller’s investigation); and of course, tax reform.

Word on the Street:

Each year, our professionals engage with clients, colleagues and industry experts around the world to stay ahead of the latest regulatory trends and developments. Here, we summarize some of the most salient points heard buzzing at recent industry events.

American Bankers Association and American Bar Association co-hosted Financial Crimes Enforcement Conference 2017 (National Harbor, MD):

A&M was pleased to attend this event, where various topics were buzzing:

• There was noticeable discomfort when the topic of Beneficial Ownership was mentioned – and it was mentioned often. The reaction stemmed from lingering anxiety shared amongst the financial services community and from compassion expressed by regulators, who professed that the rule may be complex to implement.
• Robust discussion was had around the impact of antiquated regulations and similarly antiquated compliance technologies in use at financial institutions. A finding taken from the United Nations Office on Drugs and Crime (UNODC) report of 2011, made during a late-day industry panel, silenced the audience. The UNODC report found that an estimated 2-5 percent of global GDP (the equivalent of $1 trillion at the time) is thought to have been laundered, while only one percent of these illicit flows were actually being detected and seized by governments. Now with global spend on AML Compliance estimated at $8.7 billion in 2017, a logical conclusion to make is that our current AML Compliance landscape is as ineffective as it is unsustainable.
• The awareness campaign in support of reaping the benefits of AI/Machine Learning and Analytics was in full swing. Robotic Process Automation (RPA), or the ability to automate many of the low-value added work consuming the time of investigators, promises to free up resources and offer greater consistency. However, the point was made that RPA is only possible with repeatable processes – those with no process need not apply.
• In addition to FinTech and RegTech, the industry was told to look out for SupTech (supervisory technology). The Office of the Comprtoller of the Currency’s (OCC) Office of Innovation is one example of a step the regulatory community is taking to have a vested interest in understanding the emerging technologies that are driving change in the industry.
• In the realm of regulatory enforcement, a concerted chant of “Document, Document, Document” was the clear guidance given to regulated institutions. As proclaimed by a former regulator (and now private sector executive), documentation is a necessary burden for banks to prove compliance. Financial institutions should adhere to the guiding principle of “didn’t document, didn’t do.”

North American Bitcoin Conference 2018 (Miami, FL):

Alvarez & Marsal was proud to sponsor and attend this event, where our leaders discussed financial crime risk and compliance with investors, ICOs, exchanges and miners, and provided answers to questions at the forefront of these stakeholders’ minds:

• What measures should an organization take to ensure compliance?
• What aspects of NYSDFS Part 504 apply to cryptocurrency?
• How does an organization address Beneficial Ownership concerns?
• How does an organization determine if it is an MSB (Money Services Business)? What is the purpose of the Rule?

Check back for insights and answers to these questions in the coming weeks.

Old News:

Global financial transparency and the ability to mitigate financial crime once again resurfaced as a major headline in 2017 with the November release of the Paradise Papers. The Paradise Papers’ 1.4 terabytes of leaked data exposed high-profile individual use of offshore tax havens and highlights the continued struggle for both financial institutions and regulators to successfully identify potentially suspicious activity and prevent financial crime.

Separately, the OCC’s proposed special purpose charter for Fintech companies continues to remain on hold due to the recent change of leadership within the agency. The proposed charter represents efforts by regulators to provide consumer protections while seeking a pathway to more closely govern the changes to the financial services landscape fueled by rapid technological innovation. This charter, along with the establishment of its Office of Innovation, represent a series of initiatives by the OCC to stay more engaged and informed about the industry which it has regulated for more than 150 years.

Section 2: On the Lookout in 2018

The GDPR countdown continues… and other approaching regulations soon to take effect:

The EU General Data Protection Regulation (GDPR) is in the final countdown before its May 25, 2018 “go live” date. The GDPR will significantly impact how companies collect and process personal information pertaining to EU individuals. It is important to note that its reach goes well beyond the borders of the EU member states and will be enforced globally. Any company that stores or processes the personal data of an EU individual will be obliged to conform to the new regulation or face the consequences, regardless of where they are in the world. It does not however rescind other financial and legal requirements that companies must adhere to, such as AML, MiFID II, PSD II or employee and state regulations.

The following are examples of consequences for non-compliance that companies could potentially face:

• Minor offenses: (such as administrative offenses) could cost up to €10 million, or in the case of an undertaking, up to 2 percent of its total global annual turnover, whichever is greater
• Major offenses: (such as legal effects on the rights and freedoms of EU Individuals) could cost up to €20 million, or in the case of an undertaking, up to 4 percent of its total global annual turnover, whichever is greater
• Reputational damage: companies that have exposed their customers or employee’s data have shown higher customer churn rates
• Class actions lawsuits: already prevalent in the U.S., may also become commonplace in the EU
• Cost of remediation: internal costs estimated by the Ponemon Institute at $144 per breached record, thus potentially destroying the shareholder value and increasing the subsequent cost of corrective actions
• Exclusion from business opportunities: companies may lose contracts and be subjected to lawsuits for breaches of contract by their clients for data breaches
• Audits and seizures by the Data Protection Authority: investigations into a company will cause disruptions to ongoing business operations

The nature and gravity of an offense, as well as the co-operation with the Data Protection Authority, will determine the scale of the fine issued, and will be “effective, proportionate to the offense and dissuasive” to the company. If GDPR applies to your organization, you cannot afford to ignore it. Financial services companies need to initiate a GDPR risk assessment and action plan to clarify their legal position and obligations to consumers around the personal data and processes they hold and protect. This data is not always within the organizations immediate grasp, considering the use of social and web platforms, and SAAS applications that have become prevalent with the rise of “big data” and the lack of transparency.

See below for a calendar of key events and deadlines related to GDPR:

A little known bi-partisan bill is making its way up the steps of the U.S. legislative ladder purporting to modernize the country’s approach to combating Money Laundering and Terrorist Financing. The bill, H.R. 4373[1], was first introduced to the 115th U.S. Congress on November 13, 2017 by Rep. Edward R. (R-CA) and Rep. Vicente Gonzalez (D-TX) as the “AML and CTF Modernization Act of 2017.” Of course, the bill is still far from becoming a Law as evidenced by the fate of similar bills that never quite made it out of the legislative process (see the stalled 114th Congress’ Bills HR 5594, 5606, 5607 and the 115th Congress’ S. 1241).

Amongst a laundry list of other proposed reforms, the bill calls into question the very basis of suspicious activity reports (SARs) and currency transaction reports (CTRs) reporting requirements by asking the simple question – why haven’t we adjusted the antiquated CTR and SAR reporting thresholds for inflation? This in turn alludes to a broader critique of potentially antiquated regulation in an area where it’s clear that some level of reform, whether it be a course-correction or modernization, is desperately needed. 

In summary, H.R. 4373 attempts to address the need for the following big-ticket reforms:

• Setting CTR reporting thresholds to be no less than $30,000 and no greater than what the Consumer Price Index (CPI) suggests (and revisited every five years). CTR thresholds have not changed since 1972.
• Setting SAR reporting thresholds to be in line with the current CPI and revisited as needed. SAR reporting thresholds have not changed since 1996. 
• Allowing U.S. depository institutions to share SARs with foreign branches or affiliates located in Financial Action Task Force (FATF) member/FATF-style countries that employ adequate information privacy and data security protections.
• Requiring that Financial Crimes Enforcement Network (FinCEN) put in place a qualitative feedback mechanism to:

1. Communicate FinCEN’s annual AML & CTF priorities; and

2. Provide filing institutions with qualitative feedback on the content of filed CTRs & SARs.

• A report issued by FinCEN (in consultation with other federal banking agencies), exploring the potential for and cost of:

1. Artificial intelligence, machine learning, and other technologies to aid in AML and CTF efforts;

2. The establishment of a centralized database forming a public-private information sharing collective;

3. General improvements to the current reporting requirement;

4. Greater inclusion of law enforcement; and

5. The utility of a single SAR filing threshold.

H.R. 4373 poses a fundamental challenge to the status quo that should not go unpursued by the collective BSA/AML/CTF ecosystem of bankers, regulators, software vendors, lawyers, contractors and consultants/advisers (to which I belong). One shortcoming of the bill, however, is the lack of any content targeted towards measuring the effectiveness of past or present AML and CTF efforts. Without this, compliance behaves much more like a song and dance for regulators and less like the truly concerted effort that is required to combat money laundering and terrorist financing. Unsurprisingly, similar challenges to past-and-present regulations have also been made in publications released by prominent industry-facing organizations like The Clearing House (see their Banking Perspectives Q3 – 2016 issue entitled “Fixing AML”[2]).

Section 3: Trends for 2018 and Beyond

RegTech:

“Parting ways from the FinTech herd, the recent advancements (and hype) in the Regulatory Technology (RegTech) space have proven to be deserving of their own buzzword. Expect to see RegTech continue to grow and permeate into all facets of Financial Services as the sector undergoes 1) more ways for customers to transact globally with greater participation from the traditionally underbanked, 2) an increase in data created despite continued pressure to rein-in compliance budgets and 3) efforts by regulators to keep pace with the innovation and react accordingly.” – Peter Kwan

Data:

“Through artificial intelligence and machine learning in non-traditional monitoring applications, behavioral analytics, and correlation of data in multi-end point customer systems, institutions will increase insight and reduce compliance risks and costs, particularly in industry sectors that generate and process large volumes of data.” – Andy G. Gandhi

Regulation & Enforcement:

“From a former regulator’s perspective, the ‘raising of the bar’ for BSA/AML and OFAC compliance programs is the new norm. Examiner expectations continue to rise as does the cost for non-compliance. The prudential regulators are seldom providing management the benefit of the doubt and, on a regular basis, are placing banks under enforcement actions and assessing CMPS.”  – Craig Stone

Cryptocurrency & ICO:

“Financial regulators will establish more stringent rules regarding KYC, AML compliance and securities which will begin to slow down the rate of ICOs and require cryptocurrency-based firms to develop more robust compliance programs. We’ll also see increase in enforcements for fraudulent crypto companies and poor compliance practices.” – Steven Lee

AML Program Maturity:

“In 2018, the Financial Crimes compliance practitioner will wrestle with geographic targeting orders related to real estate and title companies, transaction monitoring and filtering program compliance for New York State Financial Institutions, and implementation of the beneficial ownership rule as it pertains to covered financial institutions. As compliance costs rise, programs at various levels of maturity will continue to look for ways to become more efficient and effective. Institutions will be focused on transforming compliance programs and meeting new challenges.” – Larry Iwanski

Financial Crimes:

“We continue to see the five “C’s” dominate financial crimes discussions in 2018: Compliance, Cash, Crypto, Cannabis and Cyber. As we enter the new year, clients are adding these items to their already packed agendas of AML, Sanctions and Terrorist Financing!” – Hal Crawford