Part II: Firms Face Increased Regulatory Scrutiny for Data Protection
October 02, 2020
By Elana Margulies-Snyderman
Following our first article on financial services firms facing increased regulatory scrutiny for data protection, which covered compliance with the General Data Protection Regulation (GDPR), J-SOX, the New York State Stop Hacks and Improve Electronic Data Security Act (SHIELD Act) and the California Consumer Privacy Act (CCPA), there are other regulations that firms (not only financial services firms, but others as well) need to keep in mind, including the Bank Secrecy Act (BSA), Anti-Money Laundering (AML) and Know Your Customer (KYC) requirements.
EisnerAmper sat down with Michael Asher, Chief Information Officer of Richard Fleischman & Associates, who discussed some of the regulations, and Rahul Mahna, Managing Director, Managed IT Services in EisnerAmper’s Process Risk & Technology Solutions (PRTS), who addressed how IT can help firms adhere to these rules.
The BSA is U.S. legislation aimed at preventing criminals from using financial institutions to hide or launder money. It requires financial institutions to provide documentation to regulators whenever their clients engage in suspicious cash transactions involving sums over $10,000.
BSA regulations, and the corresponding mechanisms implemented by covered entities, are closely related to AML and “red flag” rules. Interoperable compliance mechanisms can support strong compliance with both the BSA and AML requirements. Companies subject to the BSA should ensure that policies and procedures, along with corresponding controls, are in place to detect potentially fraudulent financial transactions. Employees should receive ongoing training, and a detailed, unalterable transaction log should be implemented to support the control framework. It is recommended that a compliance officer be appointed to retain oversight of and responsibility for the compliance program, including the required reporting for transactions that meet the filing criteria under the BSA.
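As an added illustration (not code from the original article or from the firms it quotes), one way IT can support the unalterable transaction log and threshold reporting described above: an append-only log in which every entry commits to the hash of its predecessor, so that any edited, deleted or reordered record is detected on verification, plus a filter that queues cash transactions over the $10,000 reporting threshold for the compliance officer. The transaction records, IDs and customer references are constructed for this example and are hypothetical.

```python
import hashlib
import json
# Reporting threshold stated in the article: cash transactions over $10,000.
BSA_REPORT_THRESHOLD_USD = 10_000
GENESIS_HASH = "0" * 64  # "previous hash" for the very first entry

def _entry_hash(seq, prev_hash, record):
    # Canonical JSON so the same record always hashes the same way.
    payload = json.dumps({"seq": seq, "prev": prev_hash, "record": record},
                         sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(payload.encode("utf-8")).hexdigest()

class TransactionLog:  # append-only: each entry commits to its predecessor's hash
    def __init__(self):
        self.entries = []
    def append(self, record):
        prev_hash = self.entries[-1]["hash"] if self.entries else GENESIS_HASH
        seq = len(self.entries)
        entry = {"seq": seq, "prev": prev_hash, "record": dict(record),
                 "hash": _entry_hash(seq, prev_hash, record)}
        self.entries.append(entry)
        return entry["hash"]
    def first_tampered_index(self):
        """Index of the first entry whose chain link is broken, or None if intact."""
        prev_hash = GENESIS_HASH
        for i, entry in enumerate(self.entries):
            expected = _entry_hash(i, prev_hash, entry["record"])
            if entry["seq"] != i or entry["prev"] != prev_hash or entry["hash"] != expected:
                return i
            prev_hash = entry["hash"]
        return None

def reportable_transactions(log):
    """IDs of cash transactions over the BSA threshold, for the compliance officer's filing queue."""
    return [e["record"]["id"] for e in log.entries
            if e["record"]["type"] == "cash"
            and e["record"]["amount_usd"] > BSA_REPORT_THRESHOLD_USD]
# Constructed sample transactions (not real data); IDs and customers are hypothetical.
SAMPLE_TRANSACTIONS = [
    {"id": "T1", "type": "cash", "amount_usd": 9_500, "customer": "C-100"},
    {"id": "T2", "type": "cash", "amount_usd": 12_000, "customer": "C-200"},
    {"id": "T3", "type": "wire", "amount_usd": 50_000, "customer": "C-100"},
    {"id": "T4", "type": "cash", "amount_usd": 10_000, "customer": "C-300"},
]
def build_sample_log():
    log = TransactionLog()
    for tx in SAMPLE_TRANSACTIONS:
        log.append(tx)
    return log
```

In a production deployment the chain head (latest hash) would be periodically anchored somewhere the logging system itself cannot write, so that truncating the whole tail is also detectable.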
BSA is a compliance regulation that lends itself to redundant work and streams of operations that can be easily automated to improve efficiency and consistency. The improvement has many positive outcomes in helping banks assess risk factors exponentially faster than before; however, there are costs associated with these improved efficiency and compliance efforts. There are large costs to implement digital transformation and artificial intelligence automation, and continued ongoing costs as well to maintain such systems. With our clients, we have found that a well-constructed technology approach to satisfying compliance and improving operations has hard and soft costs to deploy, train, and maintain. Fully achieving all the benefits requires a well-thought-out implementation approach.
The overarching theme of recent updates to AML regulatory frameworks is identifying the “beneficial owners” of legally registered entities.
With AML, training programs are managed by IT and operational compliance staff to ensure that online training platforms and self-certification are available to all staff. Programs include procedures for:
- Understanding the nature and purpose of customer relationships for the purpose of developing a customer risk profile;
- Conducting ongoing monitoring to identify and report suspicious transactions and, on a risk basis, to maintain and update customer information, including information regarding beneficial owners of legal entity customers.
IT assists with data classification, manages the assigned relationships between data (clients, customers and owners) and monitors for anomalies.
KYC is essentially a subsection of AML. Firms should have defined protocols in place to perform due diligence on clients as part of the internal customer risk assessment process, including the following key elements:
- Identify and verify the identity of customers;
- Identify and verify the identity of the “beneficial owners” of customers that are legal entities;
- Understand the nature and purpose of customer relationships;
- Conduct ongoing monitoring to maintain and update customer information and identify suspicious transactions.
Firms with a global footprint need to consider the AML requirements of each jurisdiction in which they operate, as thresholds vary between jurisdictions (e.g., the ownership percentage that defines a “beneficial owner”).
KYC and AML are topics many financial institutions are concerned about. We often see multiple aspects of this mandate, from in-person to virtual applications. The essence revolves around the technology process of how to assess the risk and fit it to the organization’s desires of what percentage of risk it is willing to take on in specific categories. There are many software vendors that are building around platforms such as Salesforce to assess this risk. One of the most interesting outcomes we are seeing with the technology solution is a more streamlined and efficient process for the clients. As multiple databases are being connected, authentication and creation of new records can be done very quickly, and processing and onboarding times are being greatly reduced through the use of this advanced technology deployment.