
FinTech AML, Cybersecurity and Privacy


SUSAN GRAFTON: Hi. Good morning. So we're going to now switch a little bit and talk about AML, cyber security, and privacy as they relate to Fintech businesses. And I'm thrilled to introduce another really terrific panel. To my left we have Alma Angotti, whom I worked with at the SEC. We will not say how long ago it was, but she was in the Division of Enforcement. And she is currently managing director and co-leader of the global investigations and compliance practices at Navigant. And I have to say that Alma is one of the people that I associate with being the first to really get on board and learn and understand AML rules.

To her left is Deborah Connor, and she's been a criminal prosecutor with the Department of Justice for over 20 years. For the past year and a half, she served as the acting chief of the Money Laundering and Asset Recovery Section in the Criminal Division of DOJ, the MLARS group, which leads the department's asset forfeiture and anti-money laundering enforcement efforts, and provides leadership in the prosecution and coordination of complex, sensitive, and multi-district asset forfeiture investigations. And she supervises a section of over 80 prosecutors, so we're very lucky to have Deborah with us today.

And last but not least is Andras Teleki, who I love to say is also another former colleague. And he's currently Chief Legal Officer of M3Sixty Administration, which provides fund accounting, fund administration, transfer agency, and other services to registered investment companies. He's also the managing member of the Teleki AML Cybersecurity law firm. And he in the past has been one of my go-to folks on AML issues. So thank you all for being here today.

We again are asked to throw a question out to the crowd. So for the group here, how many of you are involved in an AML program for your firm? And then also, how many of you have actually had a moment where you really have worried about cybersecurity issues? You're like, oh, no. This is something that I'm really concerned about. Maybe even keeping me up late at night. Great, thank you.

So we thought that we would start by talking about just to understand what the DOJ task force says and other information out of the Department of Justice. And Deborah, could I get you to start us off?

DEBORAH CONNOR: Sure. So for those who don't know what MLARS is, you probably knew us as AFMLS. For those in the room, it's the Money Laundering and Asset Recovery Section. And as you all know, recently the Deputy Assistant Attorney General announced a new Consumer Fraud Task Force that's bringing together the Department of Justice with the CFPB, the SEC. It's going to be managed with the Associate Assistant Attorney General. And the purpose of it is to really look hard and deep at issues related to all kinds of consumer fraud.

I think he announced that it would be really looking at victims such as the elderly consumers. But what we know-- and it's really only been up and functioning in terms of sharing for about four weeks now since the announcement. What we know at the department is consumer fraud more and more is being generated online through cyber, and it is certainly something that my section is focused quite keenly on.

We have had a lot of prosecutions and assisted US attorneys offices with prosecutions of entities and defendants who are online using money services businesses as methods for getting transactions across the web, whether it's an actual currency or virtual currency, and we are looking hard. Like you all, we have questions. Sometimes we see cyber issues that keep us up at night. And so we're doing what you're doing, and we're putting together a lot of resources within the department both in my section--

I now have a cyber working group that assembles US attorneys offices from across the country. We bring in our biggest experts and we meet quarterly to share information about cases, to share information about trends, to talk about what we're seeing in our investigations. We brought in Michele Korver, who some of you may see or have seen at various cyber panels also.

So we're doing a lot of the same things you're doing on our end to make sure that we are stopping bad actors in the financial markets and looking for ways to assist the private sector as well when you are victims of this situation. And hopefully not either blindly facilitating this or having employees of yours who are actually wanting to facilitate that. So that's kind of where we are at the department.

SUSAN GRAFTON: Do you think we'll see some kind of report or study based on what you're seeing, or is this really going to be something more in terms of prosecutions?

DEBORAH CONNOR: So I think it may be that rather than a report being reported, what you might see are the heads of these various agencies reporting out in places like this and others about what we're seeing. But I think it's to be collaborative in terms of how we're going to share information about what each agency is doing in its respective sphere. How we work together, how we work in parallel. And I know that the Deputy Attorney General has talked about this issue of not wanting to pile on, which means not wanting to have resolutions in all these different spaces that in ways can perhaps account for the same or similar conduct. So I think you'll see coordination, and then as we tend to develop matters you'll probably hear collectively and from each agency what's going on.

SUSAN GRAFTON: Thank you. Very helpful. So with that in mind, let's dig in here and talk about AML, the Bank Secrecy Act. I know your customer requirements. And Alma, do you want to start us off just talking about who triggers AML requirements and SAR requirements. It looked like this part of the room was all the folks that deal with AML, but maybe that part of the room isn't as familiar, so you might need to explain some of the terminology.

ALMA ANGOTTI: I sure will, but first I just want to say, I was talking to a client-- a small casino-- a couple weeks ago. And I asked him, how many people in your AML department? And he said 1,700. And I said, are you kidding me? He said it's everybody. Compliance is everybody's job. And I thought, good answer. So pro tip for those of you who didn't raise your hand: raise your hand for when the regulators are in. It's your job too. They like to see that.

So it's interesting because that should be an easy question. And the technical answer is there are certain categories of regulated entities that make you technically subject to the Bank Secrecy Act, which is the rules that require an AML compliance program and certain reporting. And those are banks, registered broker-dealers, broker-dealers in commodities, mutual funds, casinos, money services businesses as Deb said. Those are like Western Union or MoneyGram. Insurance companies and certain loan originators. So that's the technical answer.

The world is a little fuzzier now, especially if you're in a cryptocurrency space because I don't think it's entirely clear which of those buckets do you fit into if you're a cryptocurrency exchange, although FinCEN is pretty clear that they think you're an MSB. They don't always look like an MSB, so it's fuzzy. But you also have the overlay of good risk management. Even if you are an entity in a payment space that is not required to be registered as one of those things in the US, from a risk reputation and other issues, you don't want bad people to be using your systems.

So for example, I had a client-- a payment processor-- not required to be registered because they transmit money for goods and services. It's a restaurant app. And they said that they got a lot of information on the businesses but they weren't doing anything with it. So you have to think beyond the technical requirements of the regs and think about good risk management.

SUSAN GRAFTON: And Andras, I don't know if you have anything you want to add. I noticed that Alma did not list investment advisors.

ALMA ANGOTTI: That's my pet peeve.

SUSAN GRAFTON: I guess we're all looking to see what happens with those rules.

ANDRAS TELEKI: Yeah, there's a proposed rule for investment advisors.

ALMA ANGOTTI: I wrote the first proposed rule in 2002, just saying. That's why it's my pet peeve.

ANDRAS TELEKI: And now we have a second proposed rule. It's still out there. It has not been finalized to this point. FinCEN hasn't publicly said, but they like to keep their cards pretty close to their vest as to what's going to happen when. Of all the US government agencies, I think FinCEN leaks the least, oddly enough, but the supposition is at some point investment advisors will have an AML program requirement. It will be very similar to what broker dealers and investment companies are subject to.

The other thing I wanted to add is on this issue of who's covered. It's something to keep in mind that if you're part of, for example, a bank holding company act structure, they're going to push down AML to groups which normally may not be covered. Pursuant to various banking requirements, not to mention how the banking regulators view the world.

The other place where people get surprise AML requirements are if you're interacting with an entity that's subject to AML, often they'll push it down to you and require you to do certain things even though you might not legally be required to. And a good example of this is you're a Fintech startup, you're looking for money, and you're looking to do some sort of transaction that involves a big investment bank like Goldman Sachs. Goldman Sachs is very interested in what your AML practices are, even if you may not technically yet have AML requirements. Or the scenario I've seen is that you're sort of in the infancy of your development, and they're going to push you along your AML program development, probably faster and harder than the regulator will.

SUSAN GRAFTON: That's a good point. Maybe we can start, Deb, with you talking about some of the issues that DOJ is focusing on, and then maybe Andras and Alma can talk about what that means and how to construct an effective compliance program.

DEBORAH CONNOR: Sure. So in my section MLARS, we have a unit called the Bank Integrity Unit, and it's comprised of about 14 prosecutors whose job it is to work on cases related to criminal violations of the Bank Secrecy Act. And we just last year resolved-- as to a large money services business-- Western Union. It was a very large, what we call, deferred prosecution agreement and resulted in about $586 million in forfeiture funds related to the remuneration of money to victims.

And obviously what was happening is bad actors, fraudsters out in the world across the globe, were using Western Union to push funds to them from consumers they were defrauding in consumer fraud scams, email scams, telephone scams, other scams. And there are markers-- obviously you all know-- indicators if you have the right compliance programs-- to show that there are trends or things that are happening out in the world and on your system that should alert you to the possibility that someone is using your system.

And I think in the world we're in now, where there's bitcoin and cyber currency and digital currency-- and part of the allure of that is that it has a lot of anonymity to it. And part of the allure of that is that the values are stored on a public ledger, although that sometimes is tough to penetrate in the public. It means the jobs that folks in compliance have in Fintech in other parts of the world are going to get a little harder because there is this layer. It doesn't mean it's impenetrable, but I think what we're trying to do in educating ourselves and what you're doing by being here is understanding what those trends are, what the patterns are that people processing transactions through your system or wanting to. That's what we're really looking at in my section.

When a case gets to us, obviously, then it's under consideration for criminal prosecution. And the question for us is really, was there anyone in the company itself or any person intentionally, willfully engaged in violating the Bank Secrecy Act? If we can't prove with any evidence that we have that it's willful, it's not a criminal violation. That doesn't mean that other regulating agencies-- FinCEN, the SEC, Treasury's OFAC-- can't come in and assess their regulatory fines, but we're looking for whether there's any willful behavior.

And one of the ways that companies show us, when it's just related to circumstantial evidence that it's not willful, is all the things they're doing to have a robust compliance program. Like some of the things that Alma has said, it's not just the compliance department. It's everyone in the company.

Where things are diffuse, we see cases where problems get raised. An email goes to an individual, it gets handed off again and again, and nothing is really addressed. You may see that in your own company. Everyone raises the flag and then we don't see anything happening on the back end to stop the conduct. And then the question becomes, is this just a convenient way to say that we weren't willful? As you can see, no one said go out and do this. It just never got addressed. So that's the kind of information we're looking at.

And then, in cryptocurrencies in areas like bitcoin, it does become incumbent upon folks assisting processors in that sphere to really understand your customers and understand what business they're engaged in. And asking yourselves whether-- do a gut check for yourself. Does this make sense? Does this seem normal routine? I think there's going to be some of that.

I have prosecutors that come to me about issues with evidence, and the first thing I say is, how are you feeling about this? What does your gut tell you? And if your gut, your instinct-- says you in compliance-- tells you there's just something not quite right here, then I would encourage you to continue to pursue information and ask questions and get information.

And don't drop the ball on that, because what happens then is you can have a lot of payments and information flowing through the pipes of your system that is actually criminal conduct. And then the question will be whether you're assisting in that, facilitating that, or involved in that. And to the extent you catch it and you catch it soon-- it's limited and you bring it to our attention-- you can conveniently stay out of the department's lane.

SUSAN GRAFTON: That's a good setup now to talk about what do you do. Andras, do you want to start us off talking about what an effective AML compliance program might look like, some--

ANDRAS TELEKI: Sure. I think that's a great segue. When I interact with clients to develop AML programs, one of the first questions I ask is, how can your environment be abused to do nefarious, bad, troublesome things? And that's I think something you should think about because AML, at the end of the day, is a risk based regime. If you've heard me speak before, I talk about the fact that if you're in the tax side of the business, tax law has codes, regs, case law. There are rules for everything. You may not know what those rules are, people may not agree how those rules work, but there's incredible minutia.

AML is much closer to the European model of being principles based. There are a lot of basic rules, and then you have to apply them in your environment. And to be able to apply them effectively in your environment, you need to understand how your environment can be abused. How can it be used to do bad things?

And then as the panelists discussed, tone from the top is very important. You have to have management buy-in. The challenge if you're in the compliance department or if you're in the AML department is that you are effectively-- as far as the business is concerned-- the roadblock to getting any business done. The sales guys want to sell. Doesn't matter whether their product is quite legal, quite done, quite ready. They just want to sell. And every time compliance and AML gets involved, they believe that this is harming the company because it's stopping sales and stopping business.

And that's really the wrong way to look at it. And the way you should look at it, the way the regulators want you to look at it, the way the government would like you to look at it is that basically this helps protect the organization in the long run. It protects the organization from ending up in places where it shouldn't end up.

And part of your AML is risk based. You have to understand the risk in your organization. If you're part of a larger organization, there's going to be a risk department, a risk officer. You want them to be fully invested because this is a risk for the business. Whenever you start a new line, you want to think about, well, gee, how are we going to do compliance on this? How are we going to do AML on this? If we have to do customer identification, verification, how is that going to work? How are we going to build monitoring tools?

I can't tell you the sort of-- I got involved in the early 2000s when the Patriot Act came in and when AML expanded from being really bank centric to getting into broker dealers, investment companies, and other places. And one of the things that people really struggled with is understanding how this is going to work in our environment because at that time, a lot of the knowledge was really bank centric. And in the bank centric world, a lot is really driven by having software and pattern analysis. And where I think the banks ran into trouble is that they bought really good software and the software threw out too many exceptions. And a number of banks got into trouble because these exceptions-- there were too many to process, so they did one of really three things.

Some people hired more and tried to work their way through the exceptions. But a lot of people just either turned off the report or shoved the results of the report into a desk drawer. None of those are good things. So when you're looking at the technology solution, you want to make sure that the technology solution works in your space.

And I think in Fintech this is particularly challenging, because what you're doing is grafting systems which were initially developed on the banking side and then were modified to work in the brokerage side and are now being pulled into the Fintech side. So you've got to understand these systems that you're using, these vendors that you're talking to-- how is it going to work for you?

Because a really bad scenario that I've often seen is you've got this wonderful system, you've got these beautiful policies and procedures, and they're indexed and they're glossy. Nobody knows how they really work, or you really don't apply them correctly.

SUSAN GRAFTON: So maybe we could talk a little bit about what are you looking for? What are the things that you're supposed to do in terms of-- if you say you have to know your customer, what does that mean? I don't know if you want to jump in.

ALMA ANGOTTI: Sure. As Andras said, this is the pro and the con of a risk-based program. When I was at FINRA, I used to say, the good news is you can make your program do whatever you want. The bad news is I can't tell you if it's going to be good enough until later. So it is all about risk management. So the new customer due diligence rule, all of the KYC-- it is to get a sense of who your customer is and what kind of risk they present to your entity.

Knowing the different typologies that bad people can use your business for, and again, understanding that that's going to change. So you're looking to see a profile of your client, what the risk profile is, and then you have to use that. That's your measurement. If you have a client that by all reports is doing one thing and suddenly does another, you've got to figure out why.

Now, 99% of the time there's a perfectly legitimate explanation. But we see people and entities and institutions run into problems in two ways. One, the reason they get back from the customer doesn't make sense and they just let it go and write it off, or they don't ask or they ask and they have a solution and they don't document it. So it's a process of understanding the risk of your customer. Who owns them? What do they plan on doing? And this is, as Andras said--

SUSAN GRAFTON: Where they're located.

ALMA ANGOTTI: Yeah, where are they located? Where they do business. And this is the problem in the broker dealer space. Securities trading is market driven. Bank accounts can look very similar, whether it's IBM's operating account or my personal bank account. Trading you expect to change. So it's more important to understand why this hedge fund is suddenly doing European bonds that they have never done before and doesn't seem to be a market reason for it.

Now, they may not tell you why. They probably won't, but it's not as easy as dealing with differences in bank accounts. But you really have to go through the process. The more you know about them in advance, the easier it will be to do.

SUSAN GRAFTON: So let's just say that, Andras, you have this technology that's being run and folks are doing what they do and they say, oh my gosh, this is a big red flag. What do you do then? What's the requirement?

ANDRAS TELEKI: Well, ideally you've got some process that works the red flag or works the issue. You get an exception, either from one of your reps, one of your salespeople, the monitoring process. But somebody along the way raises a flag and says, hey, I've got some questions because this behavior looks odd.

I'm a big fan too of the smell test. It generally tends to be fairly effective that if you look at something and it doesn't seem right, it probably isn't right and figure out what's going on. So you have to have some method of escalating it and of resolving it and then doing something with that resolution. And I stress to people-- I've spent most of my career in regulated spaces-- is you want to be able to show the regulator that the issue came up and you addressed it.

I'd rather be in a situation where the regulator or the federal government second guesses my decision because we can argue until the cows come home as to whether the decision based on the facts available at the time was the right one. I don't want to be in a situation where I can't substantiate that I made a decision and did something with it because that's an easy case for the regulators to bring. It's you didn't do anything.

It's a much harder case for them to say, well, we looked at the facts and we came to a different conclusion. Because as we all know, hindsight is 20/20, and all of this is done in the heat of the moment. So you have to do something with it.

I tell people, if you decide that you don't have to file a SAR, document it. Explain it so that the information is there. We did think about it. Based on what we knew at the time, this is what we did. If you do file a SAR, then you want to be able to follow up with it. Keep an eye on what's going on.

The last thing you want to do is be in a scenario where you've got a client, they're engaged in suspicious activity, you're reporting this regularly, and then they want to expand their business relationship with you. That's the point where the risk element ought to kick in and the risk element ought to say, well, wait a second. What's our exposure to this individual? Why do we want to continue doing this if we've got all these concerns? Maybe we should figure out how to shrink the relationship or maybe close the relationship, not expand it.

ALMA ANGOTTI: So for those of you non-AML hand-raising people, SARs-- and you probably know from your annual training-- are Suspicious Activity Reports that the entities covered by the Bank Secrecy Act have to file if they know, suspect, or have reason to suspect-- a very low standard-- that a transaction may constitute a violation of law or regulation or is not the type in which a customer is expected to engage. So that's the whole point of all of these rules.

Two points-- to keep bad people out of your institution at the beginning, and then to identify possible criminal intelligence activity for Deb and regulators to act on. It all goes into a big database and it's not a black hole.

DEBORAH CONNOR: And I think I would just echo some of the things that we look at. In real time, when you have a situation come up or you see something that's suspicious-- and the ways you can know if your gut is telling you is even just open source. If you're looking at a customer or your customer wants to do a transaction and you press a little and they say, it's on behalf of another entity that you've never heard of-- you trust your customer but you're not sure-- just do some of your own open source investigation to see what is out there. You can do that and probably figure out quickly whether this is a transaction you're going to trust or something that you want to elevate up or document if you make a decision to go ahead and execute on that.

If you see a lot of rapid transactions, again, changes in pattern, sizes of transactions or things going through your system. If you're used to seeing a range of financial transactions or requests and suddenly that range changes, gets precipitously lower and smaller-- sometimes can be just as nefarious as large or larger. Those are the things you want to ask yourself.

And then, documenting in real time what you're doing. Do that for yourself. We see a lot of email activity when we get into investigations where we get information and evidence. And emails trail off, or there'll be an email raising the issue and then there's nothing circling back, talking about how it was resolved. And then we're left to look at historical information, the memories of individuals who are still at a company or are not.

And so I think it's a very good practice in real time-- as you're thinking about these issues, when it's appropriate-- to document for yourself, document as part of a compliance process, document as part of the resolution of the problem what is going on. Because it is true that later, if you have to defend this decision in the company, with a regulator, or ultimately at our door, you have these tools to show what you did. And regardless of whether it was a good decision or a bad decision at the time, certainly in my part of the world it wasn't a criminal decision if you have the evidence and documentation that shows that you were actually trying to solve a problem within the confines of the activity you were looking at and thinking about engaging in. So I do think that thinking about how you're going to capture that in real time will help if you find yourself two or three years down the road being looked at by a regulator.

ANDRAS TELEKI: And I want to stress, these are hard decisions. It's agonizing, especially for smaller entities who haven't filed a lot of SARs because they worry. We just don't know. Maybe we're going to file for-- and I hate to use the word prophylactic purposes, but that happens a lot. People do file because they're not sure and it's easier to say, hey, we didn't know, didn't smell good. We couldn't figure it out so we filed. It's a challenging-- these are tough, tough decisions because based on whether you file or not, companies make decisions.

Do we want to continue relationships? Do we want to be in this space? Do we want to deal with these people? And often, unraveling the facts-- again, I've been in this business a long time, and a lot of these financial transactions, especially when you're dealing with high net worth individuals, companies with far flung operations-- they're extremely complex transactions which have elements which are built in for tax efficiency, or to solve for a federal securities law issue, or a securities law issue in Switzerland that nobody has any real understanding of that it has to be done in this particular way. And so, unraveling this can be very difficult.

But one of the-- what I call the smoking gun in all of this-- is that if your client isn't willing to explain and walk you through, you have to ask and you have to keep asking. Well, what is this, and why is it this way? And it's when they become evasive is when the smell test kicks in.

ALMA ANGOTTI: And I also think, for the compliance people-- this is where really good dialogue with your business partners can really help because they know better than anybody the right way and the wrong way to use these products. They know better than anybody what this customer's typical transactions look like. You can't really necessarily talk to them that you're going to file these reports, but you can say, hey, we got this alert. We noticed this huge increase in transactions. What's going on?

Typically, they know. Typically, as I said, it's a legitimate reason that you can follow up on and document. Be aware when you send a question and you get an answer back in four seconds because that means they're probably just guessing. Not that I have a dim view of brokers or traders, but you have to look to be practical.

SUSAN GRAFTON: So in addition to AML and Bank Secrecy Act, we also have to worry about the Office of Foreign Assets Control. And maybe Andras, you could talk a little bit about who's subject to OFAC. And I think this is especially relevant in this program today because with the global nature of digital activities, it can be particularly troublesome.

ANDRAS TELEKI: The answer here is both easy and I think horrifying.

ALMA ANGOTTI: [LAUGHS]

ANDRAS TELEKI: Unlike AML-- where you have to figure out where you are in the ecosystem and what rules apply to you and am I this type of entity, or unlike privacy where, again, you have to figure out where you are in the ecosystem, whose rules apply-- OFAC applies to everybody. This applies to all US entities, US persons. It's not written from the standpoint that if you're in the computer business or if you run a gardening service or what you are doing personally.

It applies to all US persons. It applies in your private life. It applies in your public life. It applies in your work life. So the easy answer-- and this is where people always get thrown-- is that OFAC and all those prohibitions apply to everybody in this room.

SUSAN GRAFTON: And can you just give us maybe what those prohibitions are?

ANDRAS TELEKI: Yeah. OFAC is the Office of Foreign Assets Control. Basically what they do is they enforce various US sanctions programs, as well as sanctions programs which are derived from the UN or from other international bodies. The sanctions can also come from executive order. It can come from statute.

The key things to remember about OFAC is that it's what I characterize as program driven. So the sanctions all vary based on what the target is and where they come from. So sort of well-known sanctions are, for example, the sanctions we have in place against Cuba forever, which are very broad, or North Korea. Then there are also very targeted sanctions programs which deal with conflict diamonds or if you're a narcotics trafficker.

When you start dealing with OFAC issues, you have to understand which OFAC prohibition are you dealing with and then drilling down as to whether or not this particular activity is prohibited by that. The way--

ALMA ANGOTTI: Can I just ask one-- does anybody know the first US economic sanction and when it was? Great Britain in the War of 1812. So this is a long standing national security tool.

ANDRAS TELEKI: Now OFAC, unless you are, again, with a bank, which has special rules, there's no program requirement like there is for AML. There's no prescribed you have to have policies and procedures or you have to look or you have to do it a certain way. It's a strict liability statute, and I always use the example of the speed limit. Either it's 55 and you're over and you're in trouble, or it's 55 and you're under. But the rules don't say that you have to have a speedometer, or you're throwing out knots, or you're using a stopwatch and looking at the lines going by. How you do this is really up to you.

But this is the qualifier. OFAC, when they get around to imposing sanctions and going after you, they will look at what did you do. Did you have a program? Did you take reasonable steps, or did you stick your head in the sand and ignore this issue entirely? So for this reason, I stress for people-- and especially if you have an AML program. Usually your AML program is tied together with OFAC compliance because you look at both at the same time because you're generating useful data for each.

But from an OFAC standpoint, it makes sense to at least think about this and think about whether-- given what you're doing and what's going on-- having a compliance program makes sense. If you are running a gardening service or a corner bodega, probably having an AML program doesn't make a whole lot of sense. It may be very difficult to implement. If you are engaged in Fintech, especially financial services, then having an OFAC program and thinking about this is extremely important.

OFAC compliance is really handled-- I characterize it in two ways. The top level compliance is something known as the SDN list or the Specially Designated Nationals list. A lot of these programs, like the narcotics kingpin program, have individuals which are designated by various agencies as being targets of the sanction program. They're specially designated nationals. And all of these names are cobbled together into a gigantic list. And actually, if you go to the OFAC web site, there's actually a tool where you can punch in a person's name and it will spit out as to whether or not they're on the SDN list, along with known aliases and so forth.

In financial services, a lot of attention is given to scrubbing any known information, especially account holder information, against the list. And if you get a match, then basically that's a stop, do not proceed. Then we start figuring out, is this an actual match, having a dialogue with OFAC because often OFAC holds back.

There's other information available which will help you figure out as to whether this is an actual match, because unfortunately, in this world a lot of people's names are the same. And it's unfortunate if your daughter's name, who's not, happens to be the exact same of some well-known terrorist. But the first step is to match it, and people use software. And there are a whole bunch of software providers out there that what they do is they provide the tool for running all the information.

How often you screen against the SDN list, again, is really up to you, but I always advocate a risk-based approach. A lot of banks, a lot of large financial situations, will scan every night and they'll scan wired information. So if you send wires they'll run all that information-- everything looking for matches. That's sort of what I call the easy part of OFAC.

The hard part is that there are a lot of prohibitions which are not name driven but activity driven or practice driven. And there you have to figure out, is what I'm doing going to be a problem? And that typically involves, unfortunately, a lot of time looking at the regs, a lot of time talking to outside counsel that's proficient in this, and a lot of time in talking with the government.

ALMA ANGOTTI: So one issue, for those of you involved in a global company-- as we were saying, these are US foreign policy and national security driven, as opposed to crime driven. Sometimes they're crime driven like some of the SDN list. One of the things that's gotten financial institutions in trouble over the years is their subsidiaries in foreign countries who don't agree with the US government policy.

If you look at the BNP Paribas deferred prosecution and Congress bank, you have emails of people saying, screw the US government. Who are they to tell us we can't do business with these people? And then you get things like deliberately keeping information that's going to trigger the filters out of the wire transfer or out of their trade finance documents to try to prevent that.

And the reason that US-- and Deb can talk to this-- is that they're so effective is the world does business in dollars. You almost have to do business in dollars, which gives the US government a very powerful tool. So for people dealing with foreign subsidiaries and foreign business partners it can be another level of challenge.

DEBORAH CONNOR: Exactly. There were a whole slew of large bank resolutions involving just the conduct that we're talking about here. OFAC had sanctions against certain countries, and large global banks had subsidiaries in other countries outside the United States. And those subsidiary banks or institutions? They didn't have the same restrictions in their country about doing business in these sanctioned countries.

But the problem they had is their clients, their customers of the bank, needed to clear in US dollars because that's how a lot of countries are transacting business, either in goods or services. Because you're buying US goods or you're selling US goods overseas or the country you're transacting in just-- it's liquid, obviously. We have one of the most liquid markets in the world in US dollars.

And so to get around the monitors, they did what we call the stripping. They stripped the information out of the wires they were sending so that it was not apparent within the bank, with all the compliance systems they had set up, that these wired payments coming through these US correspondent bank accounts were actually destined for countries that were on the sanctions list.

And as a result, over the last 10 years or so, there were a lot of large, high level resolutions with banks related to this sanctions activity. And how is it that a bank like BMPP has pleaded guilty? So not a deferred prosecution agreement, which means we're not making you a criminal.

It means that you are entering into a period of probation, essentially. We're deferring prosecution. We're deciding not to. We're entering into an agreement. You're agreeing to do a lot of things during this time period of five years, typically, that requires enhanced compliance, new procedures. You get the imposition of what folks call monitors who come in. I would think suffice it to say it's not a fun space for a company to be in, although they would certainly rather be in this space than be a criminally convicted defendant.

So how does that happen? It happens because of the entity, the subsidiary, the affiliate-- if they intended the conduct that is criminal, which they did in the stripping, then the whole institution can become vicariously liable for that criminal conduct. It means, in a legal sense, that if you have an individual in your organization-- a person who is a decision maker-- that we would say was of a high enough level, that even that one person could bind the whole organization. If that one person made the decision to do something willfully incorporated-- could become a defendant. That doesn't always happen. That's why we have prosecutorial discretion, but in some of these cases that's why it does happen.

And so, what these organizations out in the world want to do is they want to get transactions done in US dollars. And they understand that they're going to hit on these monitor systems, so they've got to find ways to anonymize themselves. And that's what they were doing in the banks, and the banks figured it out and we figured it out, and we've kind of run through all those.

I think the cyberspace becomes another space with digital currency and virtual currency where this can happen, this anonymizing force. Looking for ways to create deception so that a transaction that looks by all means lawful and doesn't seem to hit on these entities or countries on the sanctions list in fact will. And so it just means more careful attention being paid to IP addresses and the sources and the origins of where these transactions are coming from. Because folks can be running afoul of the OFAC sanctions list and potentially not know about it.

ALMA ANGOTTI: And kind of an interesting twist on this is Russia and Venezuela have both stated that they are trying to develop cryptocurrency specifically for the purpose of evading US sanctions. So that's going to add a whole other level of complexity. OFAC has already said virtual currency counts. You have to screen for it, although they may be adding private wallet addresses and keys onto the OFAC list.

The issue is even through their own tracker, you can't search on that yet. So there's going to be a lot of technology challenges as that part of the world matures. And for securities firms, you have to think about your intermediated accounts. What are your foreign broker dealer correspondent or omnibus accounts? Who are they doing business with? Are they screening for US sanctions, or are they trying to-- are you getting agreements from them that they're going to comply with US sanctions? Because otherwise you are facilitating a sanctioned transaction.

ANDRAS TELEKI: To bring it home with the Fintech space, if you're inventing a new peer-to-peer payment system that's driven by dollars or something like that-- we'll use Apple Pay for an example or some sort of equivalent-- you've still got a lot of the same basic information that you have in other, what I call slower, ways of transferring money such as sending wires or going through PayPal. And so a lot of the screening tools we have developed still work reasonably well, again, assuming nobody is cheating to game the system.

But the problem is, when you get into virtual currencies, that they are designed and increasingly being designed to be anonymous and to get rid of a lot of that information which has historically been used to screen pretty effectively and go back to more, what I call sort of, a pure cash transaction. Because a real cash transaction-- that's money in suitcases-- that doesn't hit the financial system is very difficult to track. And that's the beauty, the great thing, and the awful thing about actual dollars, is that they're completely fungible and effectively not that traceable.

And so what the industry is struggling with is that there are these really significant restrictions under OFAC, and a lot of today's tools don't work while coupled with international state actors who've got real incentive to figure out how to cheat the system.

SUSAN GRAFTON: So let's talk about another risk. Let's talk about cyber security. As we saw from the hands raised by the crowd, a lot of folks worry about that. And maybe Andras you could talk about what are some of the unique cyber risks for Fintech companies? And Deborah, it would be really great to have some of your perspective and insights in what you're seeing.

ANDRAS TELEKI: I have to say, when I saw the show of hands I was surprised how few people raised their hands when it came to cyber security. It's kind of from my perspective-- worry about cyber security from a business standpoint along my business lines-- I worry about cyber security from a personal standpoint, my wife's standpoint, my kid's standpoint.

We recently had a conversation as to my daughter may need an email address, who's nine, for certain services. And I'm thinking, one, do we really want to put her out there in the public through the email address? And two, what vendor do we go with? Because I'm well aware, depending on the choice of vendor, that gives you a lot of rights as far as the vendor is concerned with my daughter's data.

So I think about cybersecurity from a professional standpoint, from a personal standpoint, and I think all of you in this room ought to be thinking about cyber security a lot because I think it's one of the single biggest challenges. Again, from a policies and procedures standpoint, especially if you're SEC regulated, the SEC has not seen fit to issue a specific cybersecurity rule. They will hook cybersecurity in a number of ways, most predominantly under Reg S-P, which are the privacy rules which apply to broker dealers, investment advisors, and mutual funds.

And how you handle personal data? They'll look at your fiduciary duty and other things. But at the end of the day, it's really been a you need to do this but you need to figure out how to do this on your own, and we're not going to prescribe a specific methodology or what you need to have.

But I'm here to tell you that you don't want to do this "we'll figure it out as it comes along." You want to have cybersecurity policies and procedures no matter what line of business you're in, whether you're currently regulated by the SEC, one of the bank regulators or somebody else, or if you're not. Because cyber security is key. Everybody interfaces through the internet with their clients, with their fellow people in the business, with distributors, with servicers, so it's a key element.

The second key element, and I can't stress this enough. If you don't remember anything else that we talk about today remember this. You want to have policies and procedures with how to deal with the inevitable breach, and you want to test them because there will be a breach. And again, I stress this to everybody in the room.

People always think that-- I'm not JP Morgan. I'm not Merrill Lynch. Nobody knows who I am. I'm a small player. Cyber security crimes come really in two flavors. There's what I call the targeted state actor flavor, where they have picked you out for some reason because you have something that either they want or you have a system that they can use for some purpose of their own. And that's sort of one flavor.

I'll be the first to admit-- that's hard to defend against. You've got large government, military contractors who've got things you really want to keep secret who struggle with this. But there's the other flavor, and that's what I call the crime of opportunity. And a lot of businesses, a lot of people get targeted not because they're interested in you but it's because they can get in easily.

And I use the example of the house in your neighborhood where the curtains are up, all the lights are off, the newspapers are piled up front, the grass is knee high, and you can kind of see this big screen TV. And you didn't set out to rob this particular house. You were not looking for this big screen TV. Door was open. I'm going to go in. I want to see what I can find.

A lot of cybercrime works this way, and you will discover that in your business, especially in the Fintech businesses, your defenses are not good. You haven't really thought about it, and people get in because it's easy. If I'm a kid, if I'm not an experienced hacker-- and remember, a lot of people are using tools which are available on the dark net.

I always use the analogy of picking locks is a mechanical skill. It takes a lot of practice, it takes a lot of tools, and a steady hand. It's not that easy to learn. Picking electronic locks where you're using software that somebody developed for that purpose requires you to have very basic skills, so it's really easy to do. So for that reason it's highly likely that if you haven't had a breach yet, you are going to have a cybersecurity breach.

It could be the hacking scenario. The scenario, unfortunately, that I see much more commonly is what's known in the industry as the wetware problem. That's the individual. People are unfortunately not that smart and they often give up their credentials really easily. You wouldn't believe how easy it is in a large organization to convince somebody to provide their login information. I don't have to be a world class hacker to get in if you tell me what your password is. It's also very easy through phishing and other techniques to get people's passwords.

So you are going to have a breach. Breach always happens at an opportune moment. It's not going to be Monday morning where everybody is bright eyed and bushy tailed and ready to start the week. It happens Friday night when all the key people are on airplanes going to their house in The Hamptons or kids' softball games or Myrtle Beach or whatnot. And so you have to have policies and procedures and a game plan on how to deal with that breach.

And that ought to have enough detail in it as to who do you call, who the decision makers are? The toughest decision in the middle of an active breach where you now have a problem is do we have to take down our web site, our client facing access? And in investment management, in banking, in Fintech, in money services businesses? That's your lifeblood, and that's a tough decision to make. And so you want to know in advance who's got authority to say, you know what? We're going to have to turn this off for two hours or two days and figure out when we can bring this up, how we're going to communicate, how we're going to handle this.

SUSAN GRAFTON: And Deborah, maybe that's a good segue for you to talk about some of the things that you all see.

DEBORAH CONNOR: So it's interesting. It is a good segue. Before cyber I will say that I had-- when I was prosecuting fraud cases, a lot of nonprofits sometimes would have these situations where they would be defrauded. So they would have an employee or someone who's stealing money and then they would have to eventually report it. They wanted to recoup the money, charge the person criminally.

What really killed them was to have to tell the world that they had this problem internally because nonprofits-- people put their business there. You're going to donate to them. What are we going to tell people? What are we going to tell the world? What are we going to tell our donors when we have to say we were a victim of fraud by an employee inside who we didn't catch?

And I think the same is true in cybersecurity, in businesses small and large, when you have an intrusion. And we've seen cases in business email compromise schemes. And I am amazed at the cases that I have seen where e-mails come in to folks at the highest levels of large, sophisticated companies saying we need a wire transfer to happen and it needs to go now in the next 30 minutes because we're involved in a large M&A transaction. So please send $1 million from this account over here to this account over here. And the urgency of the email-- and it has all the right names on it, right up to a CFO of an organization-- they will do that. They will wire the money.

Then on the back end, they'll find out an hour later that there is no M&A. There is no business. This is just a cyber hack. The question is, can we resolve this internally? Can we get the money back? We don't want folks to know that we were gullible enough to fall for this scheme. We want trust in our clients. So I know that there can be business pressure to try to resolve this internally.

At the same time, though, I think, in terms of regulators-- and in our space, this is where we work with private industry. You want to catch these individuals. You want to stop this activity. And the farther away you are from the conduct, the harder that is going to be.

And on the virtual currency side, if you're moving money or virtual currency between exchangers and there's a lot of exchangers or tumblers out there that you're moving through and you see that, you should be questioning that and curious about that. Because there are folks out in the world who turn themselves into unregistered money services businesses because they're trying to move currencies for people as their business without ever having to follow all of the FinCEN reporting requirements, and you don't want to become caught up in that.

And that's all part of money laundering what we do. The layers and layers and layers of transactions so that the bad actor is over here and the good actor is way out here, and somewhere in the middle you're caught up in this stream. And it can catch you in a regulatory situation, and it can catch you farther down the road. So it is something you have to be conscious of, think about all the time. And when it happens, think about how quickly you're going to report and to whom to stop the conduct, but I recognize that there's a lot of business pressure in terms of thinking about how you manage that.

SUSAN GRAFTON: That's a good point.

ALMA ANGOTTI: And so to tie it back to the AML world, FinCEN came out with-- FinCEN is the Financial Crimes Enforcement Network. That's the agency that administers all of these money laundering rules. They reminded everyone a couple of years ago that cyber events are reportable on those suspicious activity reports that I talked about. Now, cyber events, attempted hacks that are not successful, as well as cyber related crimes, as Deb was talking-- an actual we got money from you or we stole data from you. It can be difficult to know if they really want every single cyber event because some of the times you really don't have very much information if you have good defenses, and I think some of the financial institutions struggle with that.

But to Deb's point, they specifically said when you file these reports, put in all of those technical details about the hack and IP addresses and where it came from and what you know because that really does help law enforcement find the bad guys.

ANDRAS TELEKI: A couple of things to think about are that for compliance in general and for AML in general and for all of you in this room who are attorneys or in the legal department, cyber security tends to be very, very hard because it's loaded with jargon. And when the regulator comes in, you're often in the position of having to translate something you vaguely understand to the regulator who may not understand that well either.

Trust me, the SEC has people who understand cybersecurity extremely well, but those may not be the people that you're interfacing with during an exam or the beginnings of an enforcement case. And so this is an area where it's incredibly important that you work with your IT folks and your cyber folks and have dialogue with them and have a seat at the table and you ask questions.

I mean, I'm in the space and I'm constantly like, wait a second here. What is this protocol you're talking about? Let's reduce this down to English. So what is this? What does this do? All right, it's on a router. Why is this port open? Why is this important? And you have to ask these questions.

And for people in compliance and people in legal, this is just a hard area because this is outside of their comfort zone. And if you're a smaller shop, a lot of this stuff is outsourced, and you outsourced it because we entirely don't understand this well. This is not our core business, so how do you ask-- how do you want us to police them? So it's very challenging.

SUSAN GRAFTON: And one thing that we've talked about that's been a common theme has been that there could be global aspects to this business. And so if you have-- Deborah, if you have a situation where there's an investigation-- there's some global component. You have a financial institution that's like, well, I'm concerned because our company is in Switzerland. They have very stringent privacy rules. I'm in between a rock and a hard spot. I'm complying with DOJ requests, a subpoena, and then complying with privacy rules. How do firms manage that?

DEBORAH CONNOR: So we see that a lot, and we understand and know well the data privacy laws and what international companies can and cannot do. We also know that there are ways we can talk about how we can get information or information can be shared that doesn't put a company at risk for violating the laws of a country where they're affiliated or they're based, and we're not asking folks to do that. The thing that kind of sends up red flags for us is if immediately there's a request for data and there's just a complete pushback of, oh, we can't do that. There's all these data privacy restrictions. We're really sorry. We just can't get you that information.

That starts to look a little pretextual. I'm not saying that it is, but it is not the way-- most companies who face this in investigations, they will have thought about how we can make this work. They talk to each other. I think large financial institutions do in this space.

When we want to interview witnesses or get documents out of locations that are somewhere else, they think large. So if you run into situations where you're being asked for information, definitely if you're not legal go to legal-- in charge of those. Understand what those laws are. You don't want to run afoul of those, certainly. And then talk to folks about how you can respond.

And it may be, in some instances, that the answer is that we can't get you, and we on our side figured it out. Other times there are things we may suggest that we've seen in other contexts or that you may learn from your peers about how you can meet the requests of a civil subpoena or a grand jury subpoena, and try to work with the government on their demands.

SUSAN GRAFTON: Great, thank you. I think we're at our time here for our break, and so I want to thank this really terrific panel. Thank you very much.

[APPLAUSE]

ALMA ANGOTTI: Thank you, Susan. This was fun. Thank you, guys.

SUSAN GRAFTON: And we'll be back at 1:45.

All Contents Copyright © 1996-2018 Practising Law Institute. Continuing Legal Education since 1933.