Against this background, boards and executive teams should ask themselves two broad sets of questions. The first concerns what steps are being taken to remain resilient and support customers through near-term economic pressures; and the second, whether their own strategic plans align with medium-term structural changes in their operating environment.

Indeed, a strong grasp of the ever-evolving regulatory environment must inform how financial services firms answer these questions.

Near-term economic pressures

Disruptive economic factors will command attention in the near term. The credit risk outlook is increasingly precarious, and lenders will need to be able to demonstrate to supervisors how they are managing the associated risks. Many insurers and investment funds will also face credit-related pressures in their portfolios and may need to boost their credit teams if the volumes of defaults and corporate restructurings begin to rise.

Where credit risks crystallize, they will feed through to regulatory capital positions. Firms will also need to be vigilant for sudden bouts of volatility within the capital markets.

Central banks and regulators will be working hard to understand market vulnerabilities, with continued stress-testing of individual firms, funds, and the wider system. Margining practices will be under scrutiny.

There is also a major conduct risk component to the current economic situation, with consumers feeling the cost-of-living squeeze. Conduct supervisory standards are substantially higher now than in previous downturns, and firms will rightly be expected to support their customers through a period of economic hardship.

This is a particular dilemma for lenders, who will need to make judgements about when and how to exercise forbearance. It will also be a challenge for insurers, who may see rising numbers of policyholders struggling to cover their premiums, creating the possibility of protection gaps that will draw supervisory attention.

Embedding climate & nature risks

Climate and nature risks will increasingly shape the financial services operating environment. Less advanced firms may find themselves given progressively less leeway for shortcomings in the year ahead.

Efforts are underway in numerous arenas to improve the structure and content of transition plans, and firms will need to shift gears to keep up with new rules, guidelines, and greater supervisory scrutiny.

Firms will also need to keep an eye on the still-evolving nature-related risk disclosure framework being developed by the Taskforce on Nature-Related Financial Disclosures, a financial services industry advisory group whose members represent more than $20 trillion in assets. The Taskforce’s risk disclosure framework is due to be finalized in Fall 2023.

Technology transforming the sector

Technology enables firms to provide new and better products and services, develop deeper insights, and do so ever-more efficiently. However, as supply chains and delivery services models become more complex, both the regulatory regime and firms’ risk management and control frameworks have struggled to maintain pace with technological innovation.

Nowhere is this clearer than in relation to digital (and particularly crypto) assets. Regulated firms have increasingly been engaging with an evolving ecosystem of digital asset technology providers and developing client offerings. The European Union’s Markets in Crypto-Assets framework will enter into force this year, but a further regulatory response may be needed to tackle issues such as leveraged trading and crypto-lending as regulatory uncertainty and gaps will persist.

In the United Kingdom, meanwhile, the Financial Services and Markets Bill, once passed, will give authorities the power to oversee digital assets markets. The secondary legislation that will clarify which activities and market participants they will regulate, however, is yet to emerge.

The transition period for the U.K.’s operational resilience framework will soon enter its second year, and U.K.-based firms need to demonstrate measurable progress with regards to important business services. The 24-month implementation period for the E.U.’s Digital Operational Resilience Act begins this month, and firms within the E.U. will need to begin their work post-haste to be on track for the early 2025 deadline.

The resilience of the delivery of financial services in which third-party suppliers are involved is a major issue. In some cases, firms will need to develop contingency exit strategies and business continuity plans for third-party exposures, including substitute service delivery methods.

Long-standing concerns about model risk management also now have a distinctly technological flavor, with supervisors scrutinizing how firms are deploying artificial intelligence and machine learning. When finalized later this year, the U.K. Prudential Regulation Authority’s (PRA) proposed principles on model risk management will require a large amount of work to catalogue, categorize, and risk-assess models that for some firms could number in the thousands given the PRA’s expansive definition of model.

A general principle will be relevant for firms across all sectors and regions: people, and not models, should be responsible for decision-making. Boards and executive teams should be able to demonstrate that they understand the functioning of their models, including those based on new technologies such as machine learning.

Rising geopolitical tensions

Finally, rising geopolitical tensions will continue to be another feature of the changing risk environment in which financial services firms are operating. International markets are increasingly fragmenting, as nations and business leaders look at how to build supply chain resilience and security through greater localization of production and supply.

Given the volume of alerts generated by transaction monitoring systems, the inherent limitations of legacy systems and data, and strengthened baseline expectations, it is no wonder that some firms feel they are having to run ever-faster just to keep up. The status quo does not appear sustainable, and operating model reform will need to be part of the response, including considering changes to internal structures, resourcing models, and technology strategies.

Resilience and strength

Financial service firms face many headwinds as the new year begins but will do so from a position of resilience and strength, having successfully navigated the vicissitudes of the last three years. The major challenge will be to navigate the choppy near-term waters without losing sight of the medium-term processes of structural change playing out in relation to geopolitics, technology, and sustainability.

Regulation continues to be a major force that will shape the operating environment for financial services, and an integrated view of the regulatory landscape — as well as an ability to connect such a view with business strategy decisions — remain imperative for firms looking to stay at the forefront of the industry.

This blog post was taken in part from a recent report written by David Strachan & Suchitra Nair of Deloitte. You can sign up to receive Deloitte’s Financial Markets Regulatory Outlook report, due to be published later in January, here.

You can download TRRI’s 7^th report on Fintech, RegTech, and the role of compliance in 2023 here

On the other hand, there are signs of a slowdown in the growth of the fintech sector. In the first half of 2022, for example, the total capital invested in fintech worldwide reached $59 billion, which was flat year-over-year, according to Innovate/Finance’s 2022 Summer Investment Report. What’s more, there were 3,045 deals completed in the fintech sector, fewer than the 3,401 deals in the first half of 2021.

The slowdown is echoed in the findings from this year’s TRRI survey. There was a fall in the number people feeling extremely positive about fintech and regtech. For fintech overall, this year’s survey reported that 15% of respondents were extremely positive compared with 31% last year. For regtech, 15% of respondents felt extremely positive compared with 26% in 2021. What’s more, less than one-in-ten (8%) of respondents from G-SIBs felt extremely positive about fintech.

It may be unsurprising that respondents felt less positive about innovation and digital disruption given the challenges that firms must address across the board. This year, respondents said that the availability of skills (20% fintech, 16% regtech) and regulatory approach (14% fintech, 18% regtech) were the most significant challenges anticipated in the next 12 months. For G-SIBs, concentration risk and third-party providers ranked highest among challenges for fintech (15%), whereas cultural approach (15%) was the biggest challenge facing G-SIB regtech users. Data governance and cyber resilience also feature highly in the list, with other areas including financial crime and operational resilience also prominent.

Regulators are also adopting technological solutions to help with their supervisory roles and the management of large volumes of data. That means, firms need more interaction with regulators on fintech and regtech. More than two-fifths (43%) of G-SIBs reported having spoken to their regulator about fintech and regtech. This contrasts with responses from other financial services firms, nearly 60% of which reported that their regulator had not spoken to them about the use of technological solutions.

Despite this current slowdown and waning of enthusiasm, the future of the fintech market remains optimistic, the report observes, recommending that financial services firms should continue to invest in technology, IT infrastructure, and associated skillsets. To maximize the potential of technological innovation, firms must continually reassess their technological needs and then invest in solutions tailored to the activities of their business.

The Fintech, Regtech, and the role of compliance survey has, in its lifetime, attracted more than 3,000 respondents. Participants from all sectors of financial services — from globally significant banks to technology start-ups — took part in this seventh survey. The survey results are intended to help financial services firms with planning, resourcing, and direction, allowing them to benchmark whether their approach, skills, strategy, and expectations are in line with those of the wider industry. The report specifically focuses on areas that directly affect the compliance function.

The report also assesses the extent to which firms are turning the technological challenges they are now facing into opportunities, embracing new ways of working and navigating the evolving regulatory approach.

As a result, visibility into supply chain actions and outcomes has catapulted to the top of many corporate wish lists — but many business leaders become frustrated when their operations and technologies don’t deliver. Still, experts say, better visibility into corporate supply chains can be achieved, but only if companies are willing to think about their sustainable supply chain initiatives in a more innovative way.

According to a September EY report on sustainable supply chains, visibility has become one of the top priorities among supply chain leaders. Of the 525 large corporations surveyed, 58% said that increased end-to-end visibility in their supply chain was among their top two priorities in both the past two years and the upcoming two years. However, despite that desire, just 37% of supply chain leaders reported achieving supply chain visibility over the past two years, indicating a large gap between the desire for more visibility and the progress many organizations are practically achieving.

Rae-Anne Alves, ESG & Sustainability Supply Chain Leader at EY Americas and co-author of the report, said that visibility is the key first step to compliance. “When companies are thinking through their supply chain and trying to make it more sustainable, they need end-to-end visibility to know is what is happening,” Alves said. “Companies are lacking the transparency that they need from their suppliers through logistics, especially in areas outside of their four walls.  Achieving this transparency will give them the visibility they need across their supply chain.”

Recent research from the Thomson Reuters’ Market Research & Competitive Insights team mirrored these findings. In interviews conducted with senior leaders of US-based companies charged with tracking ESG efforts, large numbers of companies say they have established dedicated ESG efforts but collecting data and measuring those efforts remains disconnected and lacks consistency.

The issues in raising visibility

When it comes to trying to raise the visibility of supply chain practices and outcomes, many corporate leaders have run into an unfortunate reality: the difficulty of gathering and mingling data that lives in disparate systems. One public company ESG head explained that a common supply chain review pulls data from systems as broad as risk management and operations software, human resources software, and procurement and supplier-oriented software.

Combining all of these types of data into one truth remains difficult. “I don’t even know how they collect their data,” said the supply chain head of another public company. “Every vendor has their own process.”

This problem is only increasing as companies are beginning to scale up the types of data that they collect, EY’s Alves added. To take a firmer grasp on their supply chain, many companies are looking to catalog not only emissions from scope 1 (directly owned by the company) and scope 2 (indirect use of energy the company purchases), but increasingly scope 3 emissions that result both up and down the company’s value chain as well. Indeed, the more a company’s data collection scope expands, the more complex the visibility question becomes. Many supply chain-centric software providers have arisen in recent years to try and compile and display all of these data sources, however, currently, there is not a leader that has captured a substantial share of the market.

Some companies have been able to achieve more supply chain visibility, becoming sustainable supply chain “trailblazers” with an “extreme focus on transparency”

“It’s unclear yet whether there will be a provider that is able to deliver the end-to-end capability needed for a digitally network-connected supply chain,” explained Gaurav Malhotra, Partner and Americas Supply Chain Technology Leader at EY. “There are many factors that have to come together, versus just a singular platform from a control tower or visibility standpoint to enable the orchestration.”

Instead, many companies have tried to apply other technological fixes to the issue, often without much success. “Almost everything is run on Excel. It’s truly terrible,” a public company’s supply chain head told Thomson Reuters Institute. “We have very few tools for environmental stuff. Everything is reported through Excel, everything is measured in Excel, everything is rolled up in Excel and it’s extremely inefficient because we have all these different teams.”

Supplying more visibility

Still, some companies have been able to achieve more supply chain visibility. EY’s report designated certain companies as sustainable supply chain “trailblazers” and noted that one of the traits they have in common is an “extreme focus on transparency” through which “[t]hey can significantly or moderately peer into Tier 2 and 3 supply networks.”

EY’s Malhotra said these leaders often undertake two simultaneous shifts to aid this transparency. One involves automating individual supply chain functions so that they can run more efficiently and be consistently reliable. The second involves integrating those individual functions and making sure their output data is portable to enable the needed effective real-time communication, both internally and with external supply chain ecosystem partners.

Currently, he explained, most supply chain networks are “not digitally integrated in their true sense” because they operate in multiple stages. Data is processed by one organization that controls their section of the supply chain ecosystem, then it is transmitted to be able to be consumed or processed by other organizations. While Malhotra concedes that it takes “time and effort to ultimately get to a mostly autonomous state,” he believes combining, integrating, and automating these steps will be the future of supply chain management.

“What we have found is that some leading companies have moved towards an integrated process and singular platform that allows the right level of visibility, orchestration and actioning with their supply chain network partners,” Malhotra said. “Enabling trust, effective execution and accountability with the overall network in play, resulting in a highly efficient, highly integrated, differentiated and reliable supply chain.”

Leading companies are also pushing for data standardization among common supply chain suppliers, Alves added. Many sustainability frameworks are available, and increased regulatory attention continues to add more complexity. Increased standardization can make supply chain data more actionable, and auditable, potentially lowering a company’s risk profile. When asked about top supply chain priorities for the coming year, the ESG head of one public company was clear: “We want to make sure that we have auditable processes in place, that the data is sound.”

However, Alves added that for sustainable supply chain measurement and reporting businesses are “definitely not there yet.” As both public and regulatory attention in the space continue, expect that visualization into supply chain processes and data will become even more important, and leading organizations will continue to invest resources and personnel to get their supply chain data house in order.

Yet, mistakes, data breaches, and data exposure tend to happen when people communicate and share information digitally, and firms need to make it as straightforward as possible for employees to leverage modern UC tools while remaining compliant and secure.

“Increased reliance on simple, easy-to-access but unauthorized chat and text platforms will pose a significant challenge for many types of entities operating in our markets. Internal compliance programs must adopt internal controls consistent with this new landscape. Firms must inculcate a culture of compliance at all levels of their organization to mitigate the risks associated with using unauthorized chat and text platforms.”

— Kristin N. Johnson, commissioner, US Commodity Futures Trading Commission (CFTC), September 2022

In its 4th annual survey report on modern communications compliance and security, security and compliance software firm Theta Lake highlights the complex challenges faced by those professionals tasked with maintaining compliance, security, and data privacy within firms and companies. The report is based on the views and experiences of more than 500 compliance and security professionals from the heavily regulated financial services, healthcare, and government sectors across the United States, the United Kingdom, and Canada. The report provides a snapshot of how communication platforms are being used and the issues with which organizations are struggling and can help organizations benchmark their own practices and expectations against those of the wider industry.

Heightened regulatory focus on modern communications

The survey findings come against the backdrop of fines of more than $2 billion already levied by the US Securities and Exchange Commission (SEC) and the CFTC for failures of organizations to capture, retain, and supervise communications. The situation underscores that a lack of visibility and oversight is one of the biggest risks faced by firms in a modern hybrid workplace. For example, the survey showed that two-thirds (66%) of financial services leaders believe employees are using unmonitored channels, posing heightened compliance and security compliance risks.

“As technology changes, it’s even more important that registrants appropriately conduct their communications about business matters within only official channels, and they must maintain and preserve those communications.”

— Gary Gensler, chair, SEC, September 2022 

The crackdown on non-compliant communications is the clearest indicator yet that regulators have lost patience with firms that have yet to address supervision and record-keeping risks that were exacerbated by the pandemic.

Attempts to offset these risks is made harder by the limitations of legacy supervision and archiving approaches, which also pose real risks and costs to businesses. As a case in point, 39% of survey respondents cited gaps in coverage as a top challenge with their existing archiving tools, while only 9% reported having no issues. Another 45% said they needed to be able to selectively archive written in-meeting communications like chat without having to record the video or audio. A mismatch between legacy tools built for email and today’s workplace, where 81% use chat and 63% use video equally or more than email, has created critical gaps in records. It has also put a spotlight on dated compliance tools that are unable to capture, retain, and supervise dynamic communications data.

“The time is now to bolster your record retention processes and to fix issues that could result in similar future misconduct by firm personnel.”

— Sanjay Wadhwa, senior associate director of enforcement, SEC, September 2022

As a result, organizations face growing challenges to both enable communications across the platforms that employees and customers use while deploying technologies to appropriately capture, retain, and supervise these interactions to meet regulatory obligations.

“The [survey report] findings show just how integral modern communication platforms have become in today’s workplace, but there’s a lot of catching up to do when it comes to the compliance and security tools currently being used. The more than $2 billion in fines is the biggest wake-up call yet that compliance and unified communications teams need to be in lockstep to ensure a comprehensive approach to record-keeping and supervision.”

— Stacey English, director of regulatory intelligence, Theta Lake

Proactive compliance needs modern tools

The views and experiences of survey participants highlighted numerous challenges that organizations need to overcome in order to stay safe and compliant in an increasingly complex communications environment.

Organizations are seeking specific capabilities in modern compliance tools, including the ability to capture contextual information such as reactions, emojis, GIFs, edits, or deletions as well as features like whiteboards. Tools also need proactive compliance functionality, including the capability to automatically post disclaimers and remove problematic content.

“Let me be clear here: I am talking about more than putting together a stock policy and giving a check-the-box training. This requires proactive compliance, and this type of approach has never been more important than today — a time of rapid and profound technological change.”

— Gurbir S. Grewal, director, SEC Division of Enforcement, October 2021

Unsurprisingly, the control environment across all organizations is varied and complex, as approaches evolve to meet the rapid and constantly changing nature of communications and regulatory expectations.

Some 66% of survey respondents in the financial services industry are using documented usage policies as controls, with 65% using internally built platform controls, and 62% using specialist software to enforce policies. Almost half (45%) of organizations take a more draconian approach, however, by disabling features to limit the risk of new channels. Perhaps not surprisingly, the most frequently disabled features are camera functionality, file sharing, and screen sharing.

In the short term, bans and blocks may work as a control. Given that the features being disabled are essential, however, it is only a matter of time before employees circumvent such policies — an observation reinforced by the recent regulatory enforcement action.

Organizations need modern compliance and security technology to give them the confidence and assurance to unlock the value of the platforms in which they have invested, rather than disable them, allowing staff and customers access to the features they want to use.

For more, you can download a copy of Theta Lake’s 2022 Modern Communications Compliance and Security Report here

Even before the collapse of FTX, complaints from consumers who were hit by other types of digital currency losses have been rising at an alarming rate, the CFPB reported. The CFPB report said the crypto market has become a magnet for fraudsters who see little chance that their schemes will be detected due to the absence of investor protection and the opaque nature of the market.

Crypto firms hiding behind “terms & conditions”

The fledgling crypto industry’s $2 trillion market, made up of complex and illiquid digital assets, lacks controls and account management operations to handle customers’ problems, the CFPB report suggested. The firms often “hide behind terms and conditions” to delay transactions when customers try to claim their crypto assets.

The report found that despite marketing claims that they offered “immediate access” to funds, some crypto firms have often delayed or denied redemptions based on “identity verification issues, security holds, or technical issues.” Many customers also reported the transactions were settled at prices far below quoted levels when unexpected or unexplained fees were tacked on. Some firms cited “market spreads” that led to payouts far below quoted prices. Further, the transaction concerns were most often handled in some form, the CFPB report said, even if they were settled on disadvantageous terms for consumers.

The largest complaint category, representing about 40% of complaints, involved fraud-related matters, and sometimes included use of social media by digital currency participants in a potent mix of deception and opaque fund movement. The CFPB reported that in many instances of fraud reports from customers, the transaction provider declined to accept responsibility or to help in recovering funds, arguing that since they act as intermediaries they are not contractually required to act. In some cases, they required customers to submit to “mandatory arbitration” and clauses that prohibited them from joining class actions.

US regulators have said that since the crypto firms operate from offshore domiciles, they have only limited powers to intercede when fraud surfaces. The CFPB itself said its “complaint bulletin” was meant as a risk warning, but the agency went no further in committing its own enforcement division to pursuing wrongdoing.

Enforcing crypto fraud “time-consuming” 

The CFPB, with its own packed rulemaking and enforcement agenda, suggested that pursuing bad actors would be a drain on agency resources since the anonymity of crypto “makes tracing crypto-assets stolen by fraudsters more time consuming for regulators and law enforcement.” The agency said it would continue to log complaints and follow up with efforts to recover funds from crypto firms it could reach; however, in most cases, it said it would refer complaints to the Federal Trade Commission or other law enforcement authorities.

In its bulletin, the CFPB said the fraud complaints ranged from sophisticated “nation-state” level operations to the types of social engineering scams or cyber breaches seen in ransomware attacks by bad actors seeking payments in hard-to-trace cryptocurrencies. Among the leading scam methods the CFPB noted were: i) playing on a victim’s emotions to extract money or posing as customer service representatives to gain access to customer accounts; ii) using social media posts or targeting different communities in affinity attacks aimed at younger populations, Black and Latino communities, older consumers, and service members; and iii) impersonating crypto-asset developers, founders of major websites such as YouTube, or the official accounts of governments to solicit crypto-asset donations to help the people of Ukraine.

The CFPB also described various tactics that crypto firms used to evade or delay regulations or returning assets to customers, including: i) patterning transactions by using many small transactions to evade money laundering and fraud controls; ii) freezing consumer assets immediately prior to entering bankruptcy or using decentralized finance (DeFi) as part of the crypto-asset ecosystem; and iii) using hacked SIM cards and mobile phone numbers to activate and take control of users’ credentials, or linking transactions and a crypto address with a consumer’s identity on their other transactions.

While the CFPB’s bulletin was intended as a warning to consumers, it cited one area in which it might take direct action — the use of deceptive claims of government savings account insurance, which is guaranteed by the Federal Deposit Insurance Corporation (FDIC). In a May announcement, the CFPB said it could bring action under the Consumer Financial Protection Act, which prohibits any fraud involving deceptive claims around FDIC insurance.

“Our analysis of consumer complaints suggests that bad actors are leveraging crypto-assets to perpetrate fraud on the public,” said the CFPB’s Chopra. “Americans are also reporting transaction problems, frozen accounts, and lost savings when it comes to crypto assets. We will continue our work to keep the payments system safe from fraudsters targeting Americans.”

Indeed, there is even a new generation of consumer that reacts economically to the reputation of an institution, and it is increasingly common for institutions to endanger that reputation by running afoul with certain customers that they chose to accept. It’s these failures in financial institutions’ vetting process and its know your customer (KYC) compliance programs that can greatly cause harm to their reputations and integrity.

Global regulators are focusing on KYC rules as a way to ensure financial institutions across the world are not offering their banking services to illicit actors or being willfully ignorant of the risks that they are taking.

In a new white paper, Financial Institutions & Know Your Customer Rules: From Security to Solutions, published by the Thomson Reuters Institute and Thomson Reuters Regulatory Intelligence, we look at how KYC rules are playing a bigger role in the compliance and security of financial institutions. The paper also examines the challenges that financial institutions are facing in getting in compliance with changing KYC rules both in the United States, the United Kingdom, and around the world. Finally, we’ll see how some institutions and financial third parties are looking for solutions, either by creating new tech products or by outsourcing, to make their KYC challenges more efficient and cost effective.

The paper also shows that global regulators are focusing on KYC rules as a way to ensure financial institutions across the world are not offering their banking services to illicit actors or being willfully ignorant of the risks that they are taking. Regulators see these rules as being able to level the playing field and decreases gaps in screening for potential bad actors.

In addition, customers and other businesses are looking to make sure they are only associated with those financial institutions that do not have connections with bad actors. As global financial crime only increases worldwide — with a big boost in such illegal activity seen during the years of the global pandemic — more and more scrutiny will be placed on how financial institutions determine the real identity, suitability, and financial sophistication of their banking customers.

As the paper argues that KYC is here to stay, and its compliance and government oversight likely will only become more stringent. Financial institutions who fail to understand the importance of proper KYC compliance programs and their impact on institutions’ reputation and security are in for a mess of consent orders, bad publicity, and costly fines, among other negative impacts.

To download a copy of the new white paper, “Financial Institutions & Know Your Customer Rules: From Security to Solutions”, please fill out the form below:

A key concern is that banks may ultimately have responsibility for validating the accuracy of registry data and be required to file suspicious activity reports (SARs) when information is suspect. Another is that a massive volume of registry data could force institutions to hire additional investigators to probe automated alerts from sanctions screening systems.

Late last month, Treasury’s Financial Crimes Enforcement Network (FinCEN) issued a final rule — pursuant to the Corporate Transparency Act (CTA), part of the Anti-Money Laundering Act of 2020 — laying out which legal entities will be required to report their beneficial ownership data, beginning on Jan. 1, 2024. Companies required to report will include, with some exemptions, limited liability partnerships, business trusts, and most limited partnerships, in addition to corporations and limited liability companies.

Congress enacted the CTA to combat the longstanding abuse of shell companies by criminals.

FinCEN also vowed to issue two additional rules — one detailing access to the database and another amending the Treasury bureau’s customer due diligence (CDD) rule that requires financial institutions to collect beneficial ownership data from customers. It will likely be years before the rules come into effect, experts say.

“The elephant in the room… is ‘What are the next milestones that we’re looking for with regard to beneficial ownership changes that may be forthcoming from FinCEN?'” Kieran Beer, director of editorial content with the Association of Certified Anti-Money Laundering Specialists (ACAMS), told an ACAMS conference earlier this month.

Unanswered questions loom

Financial institutions will need time to adjust their compliance programs once FinCEN issues the remaining rules and clarifies how the database will affect existing CDD requirements, Heather Allen, deputy director of financial crime with Truist Financial Corp, told the conference.

“I think all of us are very much invested in the need to have the registry, but there are a lot of questions that remain unanswered,” Allen said. For example, the question of who will “own” responsibility for verifying the beneficial ownership information that legal entities report to FinCEN remains unanswered, she added. “If we have information that comes out of that system that is inconsistent with the bank data that we have, what is our responsibility as bankers?”

The CTA directed that financial institutions have the ability to access database information about customers who grant them permission, which raises questions regarding what the banks will be expected to do with the mountain of new data.

Sanctions against Russia raise stakes

As FinCEN is drafting rules to establish the database, which is expected to house information on tens of millions of companies and other entities, the U.S. and its allies scramble to combat the evasion of sanctions imposed on Russia over its February invasion of Ukraine.

“We’re sitting in the midst of the greatest use-case of greater beneficial ownership in Russia-Ukraine sanctions, so the timing is incredibly good, or it’s incredibly bad, depending on which side of the table you sit on,” James Candelmo, chief Bank Secrecy Act and AML sanctions officer with PNC, said at the ACAMS conference.

The 2020 AML legislation originally “landed in our board rooms” as “potentially some relief” from AML and sanctions compliance burdens, but in the wake of Russia’s invasion and the resulting global push to unveil assets controlled by sanctioned parties, “I don’t believe that will be the case,” Candelmo said.

Database could lead to more SARs duties

Referencing remarks from FinCEN Acting Director Himamauli Das earlier in the ACAMS conference, Sarah Runge, a former Treasury official who now is director of regulatory programs, policy, and governance with Facebook Payments, said she is concerned that financial institutions could end up being responsible for validating information in the beneficial ownership database.

When asked whether financial institutions will be expected to compare information in the database with the data they collect from customers under FinCEN’s customer due diligence rule, Das “pivoted to talk about how financial institutions will continue to have [SARs] filing requirements,” Runge said. “From my perspective, that’s when every part of every hair on my body sort of went up, because he didn’t answer (the) question, but he pivoted to expectations to identify suspicious activity. And I read it to mean that if there is a discrepancy, that that might rise to be suspicious where we would be expected to file a SAR and effectively be verifying and validating the database, which from my perspective is the worst-case scenario.”

Requiring financial institutions to report discrepancies would be consistent with requirements imposed by European countries with registries, explained Markus Schulz, global head of change management for financial crimes compliance at ING. “If we pull information from the registry, then we find in our own due diligence or in the course of dealing with a customer that there is a different director or change in ownership… financial institutions are obliged to report back to the central registry that there is a discrepancy,” Schulz said. “The central registry will then confront the company and hold the company accountable to make it correct, so… we’re not completely responsible for the integrity [of the registry], but if we have that intelligence it’s our obligation to inform the authorities.”

In September, the White House issued its First-ever Comprehensive Framework for Responsible Development of Digital Assets, an aspirational document short on specifics but long on promises, including protecting consumers and investors, combating illegal finance schemes, and encouraging “responsible innovation” of financial products using the underlying blockchain technology that makes digital assets unique.

More regulation, please

To date, however, US regulatory agencies have mostly restricted their communication on digital assets to official advisories, notifications of enhanced enforcement of existing laws, and recommendations to Congress to get busy and pass some crypto-relevant legislation. Because until Congress grapples seriously with the many regulatory questions posed by digital assets, government agencies are somewhat handcuffed by the current legal framework for financial dealings, which was developed well before digital assets ever existed.

US regulatory agencies are not entirely without resources and strategies for dealing with the risks associated with digital assets, however.

At the recent 21^st Annual Anti-Money Laundering & Anti-Financial Crime Conference, held by the Association of Certified Anti-Money Laundering Specialists (ACAMS), a panel of federal regulators shared their thoughts on managing digital assets and what their agencies are doing to support the president’s stated objectives. The panel included representatives from the Federal Reserve Board, the Federal Deposit Insurance Corp. (FDIC), the Financial Industry Regulatory Authority (FINRA), the Financial Crimes Enforcement Network (FinCEN), and the Officer of the Comptroller of Currency (OCC).

Enforcement: FinCEN & FINRA

On the enforcement side, representatives from both FinCEN and FINRA emphasized that their agencies are working hard to improve their technical capabilities to better keep up with criminals, while aggressively pursuing and prosecuting illegal financial activity of all kinds. They’re also seeking to strengthen their working relationships with banks and financial institutions to create a stronger public/private safety net.

Panelist Andrew McElduff, senior director of FINRA, which oversees non-bank financial institutions, said his agency has added a crypto-assets investigative team and created a “blockchain lab” — however, the team itself is new, so information-gathering is its top priority at the moment.

Another panelist, FinCEN’s Director of Office Compliance Jay Song, said the agency was in discussions about amending the Bank Secrecy Act (BSA) to address concerns about digital assets in the US financial system, but he also cautioned bank compliance officers (a large component of the ACAMS audience) not to wait for guidance from FinCEN. “Regardless of the absence of outright regulation, there is an obligation to meet BSA requirements,” Song said. “The fact that a regulation doesn’t exist for [a given financial activity] does not mean you can ignore the financial institution’s obligations under the BSA.”

US regulatory agencies have mostly restricted their communication on digital assets to official advisories, notifications of enhanced enforcement of existing laws, and recommendations to Congress to get busy and pass some crypto-relevant legislation

For banks and financial institutions, those obligations primarily involve following standard know-your-customer (KYC) protocols and filing suspicious activity reports (SARS), which FinCEN relies on to identify criminal financial activity of all kinds, including cyber-crime and crypto-fraud.

The Fed & the FDIC: Be careful

Likewise, panelist Lisa Arquette, associate director of anti-money laundering (AML) and cyber-fraud with the FDIC, noted that her agency has issued two institutional advisories this year: one asking FDIC-insured institutions to alert the FDIC if they intend to engage in — or are already engaging in — any crypto-related financial activity; the other warning about crypto companies that lead their customers to believe crypto deposits are insured by the FDIC, just like any other bank deposit, when they are not.

While the FDIC does support crypto-related financial activities that are “safe, sound, and legal,” Arquette said, she added that “we have concerns that crypto-related activities represent a risk to consumers, and that insured depository institutions face risks in effectively managing the application of consumer protection laws and regulations.”

In other words: Be careful, because danger lurks. Consumers beware.

The Federal Reserve Board’s deputy associate director, Suzanne Williams, offered a similar assessment of the crypto situation on the panel, noting that the Fed has issued guidance of its own and encourages banks to inform the Fed if they are contemplating involvement in a “crypto-asset relationship.” If they do, the Fed will help evaluate the wisdom of that relationship, she said, or at least identify the risks involved.

In the meantime, Williams reinforced the message that financial institutions offering crypto-related products to their customers (or thinking about it) should make sure they have the proper risk-management systems and controls in place, especially if those products are being outsourced to a third party.

The Fed: A digital dollar?

The Federal Reserve’s primary interest is in maintaining the stability of the traditional financial system, of course, so it exists in tension with other parts of the government that want to keep the door open to innovation that could lead to potentially lucrative new financial vehicles.

One innovation Arquette would not discuss, however, is the federal government’s interest in developing its own Central Bank Digital Currency (CBDC), a digital form of the US dollar that the government says should, if implemented, “protect consumers, promote economic growth, improve payment systems, provide interoperability with other platforms, advance financial inclusion, protect national security, respect human rights, and align with democratic values.”

That’s a lot to ask of a digital currency. What the government doesn’t say — but crypto enthusiasts understand implicitly — is that a US-backed CBDC would mean giving control of the currency’s blockchain over to the US government, which raises serious privacy issues and strikes many people as a step too far for Big Brother. For all of their risks and volatility, cryptocurrencies are kept on decentralized blockchains, so no government controls it, which is why crypto was created in the first place.

Leaders in both the traditional financial system and the decentralized finance, or De-Fi, industry agree that a more reliable, relevant, and equitable regulatory landscape needs to be established. Until further legislation is drafted, however, the government’s advice on digital assets of all kinds still amounts to: Be careful because danger lurks. Consumers beware.

At the 21^st Annual Anti-Money Laundering & Anti-Financial Crime Conference, held by the Association of Certified Anti-Money Laundering Specialists (ACAMS), Rebecca Kiethley, a Federal Bureau of Investigation (FBI) fraud specialist, explained that people over 70 years of age control 75% of the wealth in America, and over the next 10 years somewhere between $30 trillion and $68 trillion in assets is expected to be transferred from the Baby Boomer generation to their Gen X and Millennial generation heirs.

Criminals know all of this, of course, and they are preparing to steal as much of that money as they can.

According to the FBI’s 2021 Elder Fraud Report, seniors over 60 lost more than $1.7 billion to fraud last year (a 74% increase from 2020), with the average victim losing $18,246. In fact, people over 60 lost $239 million in 2021 to investment schemes alone, many of which were get-rich-quick scams involving digital assets, or cryptocurrencies. And it is estimated that for every 1 complaint the FBI receives, 44 go unreported.

Crypto scammers target seniors for several reasons. In addition to seniors being more trusting of people, they also tend to be less knowledgeable about technology in general, and digital assets in particular. Worse yet, many people currently in their 60s who have not saved enough for retirement are now trying to “catch up,” which makes them vulnerable to investment schemes that promise quick, large returns.

An abuse of trust

Speaking at the ACAMS conference, Kiethley said that seniors are most likely to fall victim to investment scams, but they can also be taken in by romance scams, Ponzi schemes, fake lottery prizes, tech-support scams, real-estate swindles, or people pretending to represent a government agency such as the IRS, Medicare, or Medicaid.

Unfortunately, victims of such scams are much less likely to get their money back if the scheme involves crypto, due to the anonymous, decentralized nature of digital currencies. The FBI has created a special virtual-asset investigative unit to combat an expected rise in crypto crime, and the unit has already had some success in recovering stolen digital assets using sophisticated financial forensics. The odds of recovering money lost to a crypto scam, however, are still very long.

When targeting seniors, many scammers make initial contact via social media or over the phone, pretending to have dialed a wrong number. Scammers often research their target on the internet or social media, then use that information to establish a sense of personal connection with their victim. After gaining the person’s trust through a few friendly interactions, the scammers will move to the next phase: extracting money from their victim.

In a typical crypto investment scam, for instance, the scammer might mention a great crypto investment opportunity and invite the victim to participate by giving them a small amount — $100, for example. A week later, the scammer might show the victim a crypto wallet with $1,000 in it as proof that the investment has paid off. Then the scammer might persuade the victim to “invest” more money — $500 or $1,000 this time — and claim soon after that the victim has made $10,000. Excited by such gains, the victim might then be willing to part with $10,000 or more, after which both the scammer and money disappear.

Investment scams are the most common ones involving cryptocurrency, but other types of fraud can involve digital assets as well. Indeed, according to the FBI’s Elder Abuse report, “cryptocurrency is becoming the preferred payment method for all types of scams,” because digital assets are so difficult to trace.

How to recognize elder fraud

Because seniors are so vulnerable to such tactics, government agencies, law enforcement, regulators, and bank personnel are all ramping up efforts to educate the public and encourage training that teaches front-line personnel how to recognize signs that a senior is being scammed — and if so, where to report it.

Mike Brunow, who oversees the criminal money laundering and fraud division of the United States Postal Service, told the ACAMS audience that there are a number of red flags for elder abuse of which front-line bank workers and other financial personnel should be aware. These red flags include:

• • • customer behavior that is out of character;
    • a sudden change in deposit habits;
    • someone unfamiliar showing interest in the customer’s financial affairs;
    • a customer adding someone unexpected to their bank security card;
    • a customer who purchases a large number of pre-paid cards; and
    • unorthodox transactions or money transfers.

Bank employees who suspect foul play can try to engage a customer in conversation to find out more, or, failing that, file a Suspicious Activity Report (SAR) detailing the circumstances and reasons for suspicion. Also, anyone can file a complaint with the FBI’s Internet Crime Complaint Center.

Trying to help seniors who are experiencing some form of cognitive decline can be tricky, however. Bank employees and police investigators are not doctors, after all, and bank customers are technically free to do whatever they wish with their money.

According to another ACAMS speaker — Jessica Clemens, assistant VP of risk management with Timberline Bank in Grand Junction, Colo. — another problem is that even if a scam is uncovered, it is sometimes difficult to convince seniors that they are being duped.

“These people often don’t realize that they are victims,” Clemens says, adding that then the question becomes, “What do we need to do as a community to educate them — to say you are being taken advantage of, that the lovely individual at the other end of the line is never coming to see you, and the car full of cash is never going to show up?”

Approximately 17% of the US population is over 65 years of age, and that number will climb to more than 20% by 2030, according to Statista. And to crypto scammers, those numbers mean opportunity. To everyone else, they should be a wake-up call — a push to expand awareness and prevention efforts and ensure that the oldest among us are not being fleeced by criminals posing as friends.

Until now, the changing role of compliance has not featured largely in the wave of regulatory initiatives proposed by Biden administration regulators over the past two years as they seek to curb financial abuses and economic inequality while closing regulatory gaps opened with fast-changing technology. These new carrot & stick initiatives include:

• • • First, the stick — Some firms have already been fined by regulators failure to maintain controls over personal devices use that included use by top managers. Firms must revamp controls over new technology that evades surveillance, modify behavior to end hidden practices, and align culture to serve clients’ interests. Independent consultants will act in the role of monitors until firms’ operations have transparent operations producing verifiable results.
    • Next, the “compliance carrot”— For the first time ever, the DOJ said firms should implement rewards for compliance officers for independence and decisiveness in response to misconduct. The DOJ’s enforcement unit is working to complete a proposal by the end of the year that uses concrete, measurable criteria of compliance actions.

Sources close to the DOJ say a wide a range of metrics and material factors are under consideration as the agency looks to compliance incentives to win more cooperation from firms, ranging from use of independent audits of bonuses to evidence-based instances of chief compliance officers deterring violators early in the act.

In a recent speech, Deputy Attorney General Lisa Monaco cited corporate compensation policies with penalties intended to deter misconduct, including effective claw-back provisions and the escrowing of compensation when potential abuses arise. “No one should have a financial interest to look the other way or ignore red flags,” Monaco said. “Corporate wrongdoers — rather than shareholders — should bear the consequences of misconduct.”

She added that “on the incentive side, companies are building compensation systems that use affirmative metrics and benchmarks to reward compliance-promoting behavior.”

Compliance pushed to play active role

Regulators’ crackdown and the compensation initiative were seen as efforts to empower compliance professionals to do their jobs better. Appropriate compensation that incentivizes independent compliance, the DOJ has decided, could bolster the authority of chief compliance officers (CCOs) and compliance staff within firms. Similarly, the CCO who finds instances of staff violating personal device policies can use the case to warn employees, from rank and file representatives up to C-suite executives, of the need to avoid the practice.

The DOJ initiative marks the first serious effort by an enforcement agency to tackle an issue that has largely been avoided by regulators. Financial enforcement has increasingly stiffened penalties for violations when investigators find firms have failed to provide resources, such as staffing levels, written supervisory procedures, or training and expertise based on specific risk factors faced by the firms.

The new initiatives show the agency raising its expectations for compliance compensation significantly. However, the initiative was not entirely “top down” thinking by the DOJ. Some firms, Monaco said, have already begun to rework compensation incentives for compliance. And the DOJ’s initiative could also eliminate roadblocks for those firms that are trying to craft more attractive pay packages to attract talent in a highly competitive market. Giving incentives to control staff members who have often been frowned upon in the industry may be a wise idea.

Skeptics say enforcement can’t change secretive culture 

Skeptics, however, say that efforts to bolster compliance could have a positive impact but would not address cultural problems in an industry reluctant to interfere with top performers who prefer to work outside the surveillance grid. Customers often prefer anonymity, and bankers and traders are often reluctant to expose their “secret sauce” that shows how they work or share details of client contacts they view as personal assets.

In the hyper-competitive, performance driven financial services industry, secretive behavior has become embedded within a culture that puts relationship-building in over-drive. The regulatory initiatives to change behavior “could raise awareness in the short term but does not address systemic problems,” said Jay Gould, special counsel at the law firm Baker Botts.

Changing culture happens gradually, and when regulators push for change, “culture will change, if it hasn’t already,” noted Brian Rubin, partner and head of the Washington, DC office of Eversheds Sutherland (US) and a former senior enforcement official at the SEC and the Financial Industry Regulatory Authority.

The growth of text messaging on personal devices became more widespread during the COVID-19 pandemic, pushing regulators to act more aggressively, Rubin explained. While some argue it is impossible to regulate the new technology, regulators have advanced their skills in detecting hidden messaging with technology tools such as forensic data analytics.

In addition, they are scouring network communications using parallel processing that correlates message patterns with transactions, finding gaps in the context of messages pointing to off-line conversations and also using metadata and internet service traffic that show suspicious messaging activity.