Caryl Athanasiu

So many Fintech today think they have this covered, the unfortunate truth is that they are wrong! Third party risk management & your required compliance efforts are much more than performing identity checks and validating account ownership through a vendor during client onboarding. If that is what you are doing, you are missing the point!

3

1 Comment

Two thoughts for today ... First, if Congress and FinCEN and the federal functional regulators are all espousing a "risk-based approach", and are requiring financial institutions to tailor their AML/CFT controls to their particular risks, why do we still have a rules-based, dollar-threshold approach for reporting cash transactions ($10,000) and suspicious transactions ($5,000)? Second, there is no regulatory requirement to have a sanctions program, yet most firms do OK when it comes to managing sanctions risk. So why have a regulatory requirement for an AML/CFT program? The FFIEC BSA Exam Manual has a chapter on OFAC. https://lnkd.in/gQesf7uX It begins with this: "Assess the bank’s risk-based Office of Foreign Assets Control (OFAC) compliance program to evaluate whether it is appropriate for the bank’s OFAC risk, taking into consideration its products, services, customers, entities, transactions, and geographic locations." What program? Since there is no regulation that requires a financial institution to have a sanctions or OFAC compliance program, what would the examiners look to? Other than their nebulous, catch-all "safety and soundness" violation, what is there? The FFIEC admits this in its OFAC chapter. It provides: "In general, the regulations that OFAC administers require banks to do the following: block accounts and other property of specified countries, entities, and individuals; and prohibit or reject unlicensed trade and financial transactions with specified countries, entities, and individuals." There is nothing about a "system of internal controls", a "designated OFAC officer", "training", and "independent testing" as there is for AML/CFT. So why not dial back, or even eliminate, the requirement to have an AML/CFT program? The lack of one, or having one that doesn't work, can lead to massive penalties, so it would behoove a firm to have a functioning program. But if no program works for sanctions ... why not for AML/CFT? Even OFAC knows it has no formal sanctions compliance laws or regs. See its May 2, 2019 "Framework for OFAC Compliance Commitments" that provides, in part, "OFAC strongly encourages organizations subject to U.S. jurisdiction ... to employ a risk-based approach to sanctions compliance by developing, implementing, and routinely updating a sanctions compliance program (SCP)." https://lnkd.in/gHdxRQnd "Strongly encourages" is all an agency can do if it has no regulatory stick.

50

11 Comments

Financial Crimes Enforcement Network, US Treasury released a 15-page advisory regarding #fentanyl. I'll say it again - if your #AML system does not allow you to operationalize these advisories, you need to get a new one. If your AML system says - don't worry, we have this covered... they don't. They can't. YOU as the AML Officer are the one that needs to be tailoring these advisories for your customer base. I encourage you to read the pdf below as there are several interesting red flags... but of course, below are the key takeaways: 1) Payment processors and e-commerce sites - you'll find that I have repetitive comments embedded throughout the document. They are unregulated (AML)... so, if you are a merchant acquiring #bank or a sponsor bank. You must ensure that your payment processors (both inbound and outbound rails for e-commerce sites) get this advisory and do something with it. Ask them to verify the industries of their #merchants. What are they doing for to monitor for this? (they will say nothing because there's no chargebacks) This is my hill. And I will not stop. Do we think that these criminals don't know about these loopholes?? 😑 2) All the red flags (14 of them) will live and die on good #data. Do you really know your business customers? Are your NAICS complete? Accurate? Appropriately assigned a risk rating? There are many NAICS related to chemicals and machine equipment. Ensure your high-risk customer criteria appropriately assigns risk scores to these. 3) If your bank thinks you don't have "risk" in this area, but you haven't done the work and developed a #threat landscape (customer and transactional), then you should start now. 4) This advisory is not just for tradFIs... but "brokers or dealers in #securities, mutual funds, and futures commission merchants and introducing brokers in commodities (FCM/IBs)". 5) If your FI does not business with any chemical or manufacturing equipment companies (I'm talking to you, #communitybanks)... ask them to certify they are not dealing with the precursor chemicals listed - see footnote 8, pg. 2. 6) Seeing payments to from MX and China? Dig deeper. Look for indicators of shell and front companies. 7) Negative news and keyword searches for related businesses will be vital in this hunt as well. Make them laser focused to your threats. There were many updates to the #OFAC list as well today. And so proud of the work that IRS Criminal Investigation and Lauren Kohr are doing to bring together the power of the PPP. Their initiatives along with FIs that will operationalize these advisories will go a long way in stopping the damage that fentanyl is doing to our communities. #ifollowdirtymoney #sanctions

277

25 Comments

The Consumer Financial Protection Bureau has released the first part of its 1033 rule - How it will recognize standards setting organizations. I'll have more to say after I've digested this portion of the rule. For now, from the CFPB's press release: To be recognized by the CFPB, the standard setters must apply to the CFPB and display the following attributes: ◼ Openness: The CFPB will not recognize any standard-setting organization that is rigged in favor of any set of industry players. The process must be open to all interested parties, including public interest groups, app developers, and a broad range of financial firms with a stake in open banking. ◼ Transparency: Procedures must be transparent to participants and publicly available. ◼ Balanced decision-making: The decision-making power to set standards must be balanced across all interested parties, including consumer and other public interest groups. There must also be meaningful representation for large and small commercial entities. No single special interest can dominate the decision-making process. ◼ Consensus: Standards development must proceed by consensus, though not necessarily unanimity. Comments and objections must be considered using fair and impartial processes. ◼ Due process and appeals: The standard-setting body must use documented and publicly available policies and procedures, provide adequate notice of meetings, sufficient time to review drafts and prepare views and objections, access to views and objections of other participants, and a fair and impartial process for resolving conflicting views. An appeals process is also available for the impartial handling of procedural appeals. https://lnkd.in/evJJ9KpC

6

1 Comment

On Friday, the Fed, FDIC, and OCC issued “Third Party Risk Management - A Guide for Community Banks.” The agencies issued third-party risk management guidance for all banks less than a year ago, and issued a guide for community banks conducting due diligence on fintechs in 2021. So why yet another “guide”? More on that below, but first a note on the two most important sentences in the new release–the first two: "Community banks engage with third parties to compete in and respond to an evolving financial services landscape. Third-party relationships can offer community banks access to new technologies, risk-management tools, human capital, delivery channels, products, services, and markets." This statement signals clearly that the agencies appreciate the advantages partnerships can bring, especially for community banks. The enforcement wave against partner banks may be a questionable risk-based allocation of scarce supervisory resources, but this statement is further evidence against a new “operation chokepoint.” If the agencies wanted to do away with fintech partnerships they would not issue three pieces of guidance on managing those relationships in a span of less than three years, and the Fed and OCC would not be creating specialized supervisory teams. The guide is intended to be “​​a resource for community banks to consider when managing the risk of third-party relationships.” Importantly, it is intended to apply to all kinds of third-party relationships–in fact, all but one of the examples in the guide involve traditional vendor relationships. Two quick takeaways: ♦ In discussing planning considerations, the agencies encourage banks to ask “how would the relationship align with the bank’s strategic plan?” That presupposes the bank has a strategic plan that incorporates its third-party activities, which echoes existing guidance and has been reinforced in recent enforcement actions. Alignment with the strategic plan is also an important consideration for risk assessments, ongoing monitoring, board oversight, and other elements of the third-party risk program. ♦ The guide also reiterates the importance of risk assessments as a fulcrum of third-party risk management–to assess alignment with risk appetite and strategic plan, and to inform due diligence, contractual provisions, and oversight, among other things. So, what is new about this guidance? Not much for risk management practitioners like the Klaros team. But we are not the audience. The new guide does a far better job than prior guidance at offering plain-English explanations and examples to help bank employees–business leaders in particular–to execute against the regulations and guidance already on the books. Banks will hopefully spend less on consultants like us just to understand how to apply the core principles of third-party risk management. https://lnkd.in/erJVAQqs

64

1 Comment

CDFI Credit Unions Worried About Losing Certification On December 7, 2023, the Community Development Financial Institutions Fund (CDFI Fund) published a revised CDFI Certification Application. Since then, CUCollaborate has heard from many credit unions that they don’t believe that they can retain their certification under the revised application. So, over the last few months, we have been working hard to develop strategies, and the necessary software to support them, to give credit unions the best chance of retaining their certification. Here is a list of some of the strategies and software we have developed: 1. Custom Investment Areas (IA): while the revised certification application has significantly diminished the potential impact of custom IAs, they are still a critical tool for credit unions that are close to being able to obtain certification but not quite able. We have developed software that draws mathematically optimized custom IAs based on a credit union’s lending activity and financial services. 2. Financial Services Option Analysis: Under the revised application, credit unions that either have 60% by number and 50% of the dollar, or 50% by number and 60% by dollar can retain certification if at least 60% of the credit union's depository account holders are members of one or more eligible Target Markets. We have found that the combination of a mathematically optimized Custom Invest Area and the Financial Services Option is particularly effective in retaining certification in desperate cases. 3. Target Market API: We have developed a CDFI Target Market API which supports a number of strategies to ensure that you meet your target market lending requirements moving forward. We have established, and continue to add more partnerships, with Fintechs (like National Auto Loan Network, LoanStar Technologies, GreenLyne, etc.) and loan participation platforms (like Aluvy, etc.) to help source qualified lending to ensure credit unions retain certification in the future. 4. CDFI Certification Dashboard: We have also developed a data analytics platform that allows credit unions to monitor the necessary statistics to retain certification on a rolling basis so they can be sure that if they start to fall behind they can take proactive action before it is too late. 5. CUSO Strategies: Finally, if all else fails, credit unions can leverage CUSOs to either help the credit union attain or retain certification directly or indirectly gain the many of the benefits conferred by CDFI certification through a CDFI Loan Fund CUSO. We know the value of your CDFI Certification, which is why we have invested significantly in developing strategies and proprietary technology that help credit unions retain certification. The software we have developed allows us to help credit unions retain certification in instances when it would simply be impossible without it. So, if you believe you are in jeopardy of losing your certification, please contact us. 

51

Why payments need to be borne as 'public goods'? This Federal Reserve Board Governor Waller's speech put it simpler (in 2 complementary ways): 1. Identifying the need and timing for technical standards, incorporating a breadth of industry perspectives, and aligning on implementation approaches requires 'coordination', and central banks play a key role as neutral conveners to harmonise efforts from all relevant stakeholders. 2. Leading by example, central banks' operated payment platforms provide expertise in the adoption of standards and best practices. RTGS systems remain as the backbone of the financial system, they serve as rails for safe and efficient settlement in central bank money #RTGS #payments #ISO20022 #standards #innovation

30

Here's what you missed when Kay Turner, Chief Digital Identity Officer at Fincen, and I geeked out about digital identity and implications for the payments industry. Earlier this year FinCEN published an analysis of BSA reports submitted by banks, money service businesses, and other financial services industry participants during 2021. They use a helpful typology to describe the identity related exploitation attempts as follows: 1️⃣ Impersonating others to evade identity validation by presenting false records (e.g. drivers license), or presenting a combination of real and fake data in the form of a synthetic ID that passes validation. 2️⃣ Circumventing verification (using mules, often via a scam) or exploiting inadequate verification processes deployed by providers 3️⃣ Using compromised credentials to gain unauthorized access to accounts either by manipulating victims into thinking that they are dealing with a trusted party or by misusing their position or access to exploit others A few observations and questions: 🔹 The vast majority of BSA reports are for impersonation - 67% of the reports and 57% of the suspicious $ amount. Attackers purport to be legitimate businesses, charities, payment solutions, government entities in order to defraud other people and financial institutions. 🔹 Check kiting is a very modest number of the reports but on average $182,000 is at risk. The latest AFP Payments Fraud report underscores this point (link: https://lnkd.in/gaEcq6F7) As if we need further rationale to digitize checks! 🔹 Business must be vigilant. Business email compromise amounts to approx 20,000 BSA reports and an average of $400,000 per incident. Yet internal threats — ‘abuse of access’ in the report typology — due to employee corruption, embezzlement constitute a staggering $600,000 on average. 🔹 I am very interested in seeing the longitudinal findings as FinCEN digs into more and more of the BSA data. I imagine we will see more identity theft driven by AI fabricated credentials — yet AI should play an important role in uncovering identity fraud. And I suspect there are some pandemic-era spikes in the 2021 data that we may not see going forward. 🔹 As an aside, a recent BIS Finternet report uses the same impersonation, circumvention, compromise typology (link: https://lnkd.in/ggT4_u5h?) . It would be great if the industry could coalesce around this framework so that we have comparable data across geographies, enforcement agencies, and financial institutions. How are you thinking about identity fraud? You can read the full FinCEN report here: https://lnkd.in/gk7-R35T

20

1 Comment

If your financial institution or credit union assigns scores by hand, runs calculations, or uses an algorithm, risk scoring is a crucial part of a well-oiled compliance system. ✅ Join former OCC regulator Ryan McInerny in our upcoming webinar on May 30th to discover how to align with your unique risk profile and ensure you're not missing suspicious activity. ✅ Register today! >> https://lnkd.in/dZ_7bHu2 #Riskscoring #RiskScout #Streamlinedcompliance #Financialinstitutions #Creditunions

6

This article is deeply flawed. The problem bank list has been, and remains, an extremely important tool in bank supervision. It identifies banks that require more supervisory attention including cease & desist orders, fines, removal of officers & directors, and even termination of deposit insurance. Those enforcement actions over the years have resulted in fewer than half of the problem banks failing. Roughly half of the problem banks recover or sell to an stronger bank. The three large banks that failed in 2023 were very poorly supervised by their management and boards and, more importantly, by their regulators. Those banks should have been rated as problem banks and put under enforcement actions due to their severe interest-rate mismatch. That interest-rate mismatch lesson was learned in 1979 when First Pennsylvania Bank (the oldest national bank in the country) failed for the exact same reason. Sadly, that lesson was forgotten three times in 2023. William M. Isaac, Chairman, Secura/Isaac Group Former Chairman, FDIC

76

4 Comments

Recent fintech events have provoked a renewed wave of calls for some kind of national fintech or payments charter. This recent op ed by Alex Johnson is a great example: https://lnkd.in/gCJxYwGp Also on Thursday, Acting Comptroller Hsu concluded that “Rather, tailored federal payments regulation and supervision is needed.” (link 👇) In theory, I’m all in favor - the electronic money and payments regimes work well in the EU and UK. In practice, I fear it would have the same problem as the hero in Dr Seuss’ I Had Trouble In Getting to Solla Sollew. If you don’t know the book, it involves an arduous journey to Solla Sollew, “where they never have troubles! At least, very few”. Our hero gets there, only to discover that a Seussian creature is preventing anyone from getting in. What’s that got to do with financial regulation? I doubt that a ‘key-slapping slippard’ is preventing the Fed, OCC, and FDIC from approving new charters and master account access, But nevertheless they’ve been highly disinclined to grant access for fintech companies. Financial innovation in the US relies on being able to find ways to get to market. I can’t see the current group of federal regulators being prepared to approve PayPal in 2000, Square in 2008, Coinbase in 2013, or Chime in 2014. Simply put, we can’t risk putting financial innovation on hold in the US for years at a time every time the regulatory pendulum swings to the lower risk end. And that’s without considering that, in a post-Chevron world, Congress would almost certainly need to pass an enabling law. At the end of the book, our hero declines the chance to go to Boola Boo Ball, where “They never have troubles! No troubles at all!”. Instead, he decides to stop looking for a miracle solution and instead confront his troubles head on. No-one in their right mind would say that either partner banking or U.S. state regulation of non-bank financial institutions is anything close to ideal. But it's what we have to work with. So we should look to confront our troubles and make the existing system better rather than searching for implausible utopias. Over the next few weeks, I’ll be posting about some ideas for making existing systems safer for consumers and small businesses. If there are specific aspects you’d like me to hit on, please add them in the comments or message me.

63

14 Comments

OCC Announces Enforcement Actions Against Banks in June The Office of the Comptroller of the Currency (OCC) took a series of enforcement actions against national banks, federal savings associations, and individuals formerly affiliated with OCC-supervised institutions, according to details released by the regulator on Friday. (quoted from the article) Among the actions aimed at banks, the OCC issued a formal agreement with Credit Suisse AG's New York Branch to address deficiencies related to : - Compliance with the Bank Secrecy Act and other anti-money laundering laws and regulations. The formal agreement was a condition for the branch's conversion to a federal license, with the provisions substantially mirroring a prior written agreement between the branch, the Federal Reserve, and New York state regulators. Touchmark National Bank in Alpharetta, Georgia over - Unsafe or unsound practices. - Deficiencies in areas such as strategic planning - Board and management oversight - Liquidity risk management - Credit risk management - Auditing - Information technology at the bank On the enforcement front against individuals, the OCC issued orders of prohibition barring two former bank employees from participating in the banking industry. - Manuel Alejandro Ramirez Perez, an ex-employee at Bank of America branches in Florida, was prohibited for improperly accessing and disclosing customer account information to a third party.  - Avianna Rivera, formerly of First National Bank Texas, was banned after embezzling $11,500 from a customer account. The OCC also terminated a previous formal agreement from January 2022 against Commonwealth National Bank in Mobile, Alabama. The agency found the bank had demonstrated compliance with requirements related to strategic planning, loan portfolio management and internal audit issues that prompted the original action. Orders of prohibition and formal agreements are common enforcement tools used by the OCC to correct violations and unsound practices at the institutions it supervises. By publicly disclosing these details, the regulator aims to deter future misconduct and promote accountability in the banking industry. #enforcements #OCC https://lnkd.in/gX3kc3Eb

10

Underscoring the importance of managing third-party risks effectively, the Fed Board of Governors, FDIC & OCC recently released a new TPRM guide for community banks. TRaiCE can help community banks navigate the complexities of third-party risk management by enhancing existing due diligence processes and providing continuous monitoring of third-party business health.   #tprm #riskmonitoring #fdic #occ #communitybanks

12

Skiptism runs supreme. Regulators have drummed for simplification of banks. This is clarion call seems to be cast aside by bank CEOs. Cap1 expects regulators to come down on Cap1's assertion that the deal improves competition. Ignoring the current regulatory concerns of unsafe and unsound business practices, rooted in banks cutting corners to save costs and settlings for passing compliance grades. Taxpayer bailouts are not in the offing, especially for cutrate business practice choices. Executives will have to emerge into C-Suites skilled at growing their business without M&A options. Perhaps this means burning the ol' playbook of cutting costs when earnings plans are missed. Finding a new tactic, perhaps restructuring executive compensation could be a new dawning. #banks #mergersandacquisitions #regulatoryactions

1

New guidance from a trio of regulators designed to aid community banks in their management of third-party relationships is a welcome sign in the industry. Partner and U.S. Head of Community Banking, John Soffronoff tells Banking Dive the guidelines provide a good roadmap for community banks to evaluate their third-party relationships throughout their entire lifecycle. Click on the image below to learn more about what John has to say ⬇️ #Communitybanking #Risk #Financialservices

4

The widening fallout from Synapse’s collapse and subsequent bankruptcy—and every bank and fintech partner swept up in it—continues to raise serious operational questions, cause lingering angst for customers still unable to access their money, and yet is utterly devoid of soul searching on the part of executives responsible for what transpired. Synapse, a Banking-as-a-Service (BaaS) provider backed by prominent venture capitalists, worked with as many as 100 bank and fintech partners—including Evolve Bank & Trust, Lineage Bank, Mercury, Dave, Yotta, Juno and Yieldstreet—serving as the intermediary between bank partners providing deposit accounts, loans and payment products and the fintechs that embed them into their customer apps. As the enormity of U.S. bankruptcy trustee Jelena McWilliams’ findings became public, what was also glaringly obvious: Some of the companies involved were so busy pointing fingers at each other that they failed to acknowledge that customers—all of whom were unwittingly tied to Synapse and its bank partners through their usage of fintech apps—have become collateral damage. That must change. Given the pace of financial innovation and the size of most BaaS banks—60% of BaaS banks have assets under $5 billion, while about 30% have assets under $1 billion, according to CCG Catalyst —the principles-based interagency guidance from the Federal Reserve Board, Federal Deposit Insurance Corporation (FDIC) and Office of the Comptroller of the Currency seems inadequate to prevent another Synapse-like event. The resolution of the Synapse bankruptcy will likely be precedent-setting, potentially dictating changes to the BaaS model to ensure greater stability and reliability, sharpening enforcement of existing bank regulations and forcing new and deeper straight-line federal regulatory oversight—perhaps via national charters—of BaaS providers and fintechs. My latest for FIN: The Fast Forward on Fintech.

3

The OCC, FDIC, and Federal Reserve Board have released a guide to support community banks in managing risks presented by third-party relationships. This guide will be an invaluable resource for community banks as they navigate the potential risks of these relationships. Check out the link below to learn more about this important resource. https://lnkd.in/eDuZk9nv

2

Are bank regulators focusing enforcement activity in the right place to create a healthy banking system?  The fact that a third of the Q1 public enforcement actions related to partner banking gives me pause.  A little historical context.  I recently found an article showing that in Q1 2008, with the global financial crisis just over the horizon, just over a third of bank regulators’ public enforcement actions were related to BSA/AML. With the benefit of hindsight, regulators would certainly have focused priorities very differently at that time.  And it’s hard to argue now that partner banking is anything like the most important issue facing the banking system. Matt Harris recently made a cogent argument that the immediate challenges banks currently face with underwater securities and commercial real estate are only the tip of the iceberg.  If you haven’t seen it, follow the link to his analysis of the impact that AI will have in compressing net interest margin and the consequent need for banks to build scale and/or non-interest income. I don’t endorse everything Matt says about regulators, but I strongly agree that many banks need to get creative to have a long-term future.  And that requires regulators who don’t overreact to mistakes of strategy and execution with limited impact on safety and soundness, consumer protection, or financial crime. As an example, I was recently helping a bank whose regulators had found gaps in beneficial ownership records of its fintech clients.  I was puzzled that the bank had gotten this wrong on fintech clients but not on its core business.  The Bank told me they were also now fixing similar issues in their core business, but the regulators hadn’t even examined those files. I’ve said before that a lot of enforcement actions we have seen in BaaS have been fully justified and I stand by that.  But recently I’m seeing an increasing number of cases where regulators are, in effect, examining and enforcing more stringently for BaaS business than traditional business. Regulators genuinely want community banks to overcome the challenges of the current environment.  They can help by ensuring that banks conducting BaaS and other novel activities don’t face regulatory equivalent of police speed guns looking for cars driving a mile over the speed limit. 

49

2 Comments

We’ll return to our series of postings about AML system implementations, but we’d like to revisit our postings about recent #AML consent orders, and consider a letter recently written to federal regulators from the American Fintech Association (AFA). (link to the letter is included in comments). After reading the letter, you’ll see that the #AFA is suggesting that federal regulators are actually targeting banks that partner with Fintechs and offer #BaaS (Banking as a Service) services. If we look at recent AML consent orders, we’ll see quite a few for BaaS banks, but we’ll also see AML consent orders for non-BaaS banks, and most of these are smaller community banks. What’s concerning when reading the AML consent orders for non-BaaS banks is that they seem to be seriously missing the mark when it comes to #BSA compliance, with some of the pillars of BSA totally deficient, with at least one bank appearing to be deficient in all the pillars (they were required to perform a high risk lookback and a suspicious activity lookback review as well.) With this particular institution, it also appears that there was a exam letter that perhaps wasn’t heeded. It’s possible this prior exam letter included violations of law that were not addressed. So in one consent order we can see elements of what regulators have been speaking about in their various speeches and remarks. Financial institutions, especially the smaller ones, are still required to comply with BSA/AML/CFT requirements even when they are low risk. The belief that low risk equals no risk doesn’t hold up with BSA. We’ll continue to review consent orders and provide advice on how to avoid the findings listed in them. We are also available to perform a mock exam for your institution to give you insight as to what an examiner might find.

7

1 Comment