Thursday, August 30, 2007

BSA/ AML: Testing the Channel...

Legal compliance with the Bank Secrecy Act (BSA) and Anti-Money Laundering (AML) is a complex and growing concern by regulators, enforcement and Operational Risk Executives. In the United States, the FFIEC (Federal Financial Institutions Examination Council) has published the latest Examination Manual to provide guidance:

Enterprise-Wide BSA/AML Risk Assessment

Holding companies or lead financial institutions that implement an enterprise-wide BSA/AML compliance program should assess risk both individually within business lines and on a consolidated basis across all activities and legal entities. Aggregating risks on an enterprise-wide basis for larger or more complex organizations may enable an organization to better identify risks and risk exposures within and across specific lines of business or product categories. Consolidated information also assists senior management and the board of directors in understanding and appropriately mitigating risks across the organization. To avoid having an outdated understanding of the BSA/AML risk exposures, the holding company or lead financial institution should continually reassess the organization’s BSA/AML risks and communicate with business units, functions, and legal entities. The identification of a BSA/AML risk or deficiency in one area of business may indicate concerns elsewhere in the organization, which management should identify and control.

When a financial institution utilizes a strategy for it's channel or broker network the goal is to build controls into the consumer application process. These controls help the parent financial institution with compliance issues and give the independent broker or registered investment advisor with the tools and mechanisms for risk mitigation. However, to what degree do these independent brokers who interface with the consumer actually understand, implement and comply 100% with BSA/AML laws?

This question may haunt the minds of many OPS Risk professionals as they try to manage the mountain of data and documentation requirements at the home office or processing center. When there are dozens or hundreds of independent brokers in the client acquisition process your risk exposure increases dramatically. When and how often do you need to audit these important entities in your member or client supply chain?

Independent testing (audit) should be conducted by the internal audit department, outside auditors, consultants, or other qualified independent parties. While the frequency of audit is not specifically defined in any statute, a sound practice is for the bank to conduct independent testing generally every 12 to 18 months, commensurate with the BSA/AML risk profile of the bank. Banks that do not employ outside auditors or consultants or have internal audit departments may comply with this requirement by using qualified persons who are not involved in the function being tested. The persons conducting the BSA/AML testing should report directly to the board of directors or to a designated board committee comprised primarily or completely of outside directors.

Those persons responsible for conducting an objective independent evaluation of the written BSA/AML compliance program should perform testing for specific compliance with the BSA, and evaluate pertinent management information systems (MIS).

This is not any surprise to large banks and securities dealers who have been working diligently on these compliance management problems for decades. Whenever an organization is deploying a distributed and indirect model for acquiring new consumers, high net worth individuals and other business entities for financial-based products and services; BSA/AML programs should be robust. The individuals who are planning to launder money that has been obtained illegally or are part of a fraud scheme will prey on those unsuspecting and naive institutions first. In some cases, it could be an independent broker or business who is the target of a sophisticated and influential individual. They want to find a weak link in the institutions sales channel to gain access to a well known brand to leverage their scheme with new victims.

The criminal trial of ex-Refco Inc. Chief Executive Phillip R. Bennett and two other former executives has been postponed until March 2008, according to court transcripts.

During a telephone conference last month, U.S. District Judge Naomi Reice Buchwald delayed the trial of Bennett; Robert C. Trosten, Refco's ex-chief financial officer; and Tone N. Grant, the commodities broker's former president, until March 17. A transcript of the call was released publicly earlier this week.

The case was originally scheduled to go to trial in October.

The men are facing a variety of charges including conspiracy, securities fraud, bank fraud, wire fraud and money laundering.

Late Wednesday, the litigation trusts representing Refco's creditors announced they had sued Thomas H. Lee Partners LP in federal court in Manhattan, alleging the buyout firm uncovered red flags about Refco and its executives before the buyout firm's 2004 purchase of a controlling stake in Refco, but failed to follow up in hopes of profiting from Refco's initial public offering the next year. Lee has denied the claims.

Monday, August 13, 2007

ESI: Authenticity of Evidence...

Legal opinions on the admissibility of evidence and electronically stored information (ESI) are becoming more prevalent and increasingly relevant to Operational Risk Management:

In Lorraine v. Markel, authentication of information is a key issue in the ruling. Maryland Courts Watcher caught this ruling and our eye recently. "In its 101 page opinion, the court dedicated at least 90 pages to providing extensive and detailed analysis and guidance on the interrelated evidentiary issues governing the admissibility of electronically stored evidence (ESI), including: analysis under Rule 104, relevance under Rule 401, authentication as required by Rule 901(a), effect of hearsay as defined by Rule 801 and any applicable exceptions, consideration of the form of the ESI being offered under the original writing rule and the admissibility of any secondary evidence to prove its content, and the probative value of the ESI considering potential unfair prejudice or one of the other factors identified by Rule 403."

Whether ESI is admissible into evidence is determined by a collection of evidence rules that present themselves like a series of hurdles to be cleared by the proponent of the evidence. Failure to clear any of these evidentiary hurdles means that the evidence will not be admissible. Whenever ESI is offered as evidence, either at trial or in summary judgment, the following evidence rules must be considered: (1) is the ESI relevant as determined by Rule 401 (does it have any tendency to make some fact that is of consequence to the litigation more or less probable than it otherwise would be); (2) if relevant under 401, is it authentic as required by Rule 901(a) (can the proponent show that the ESI is what it purports to be); (3) if the ESI is offered for its substantive truth, is it hearsay as defined by Rule 801, and if so, is it covered by an applicable exception (Rules 803, 804 and 807); (4) is the form of the ESI that is being offered as evidence an original or duplicate under the original writing rule, of if not, is there admissible secondary evidence to prove the content of the ESI (Rules 1001-1008); and (5) is the probative value of the ESI substantially outweighed by the danger of unfair prejudice or one of the other factors identified by Rule 403, such that it should be excluded despite its relevance.

Authenticity and the chain of custody of ESI will continue to be a major challenge for the general counsels of major corporations in the years ahead. Creating and maintaining trusted information through out the enterprise intersects policy, processes, people and technology. The legal risk associated with non-compliance and missed opportunities is a growing concern in executive management and Board of Directors meetings.

The explosion of information as early as 2001 started a process of discussions on the nexus of information security regarding data integrity and authenticity:

With the explosive growth of data exchange and the availability of access to services over the Web, the Trusted Information requirement is more and more an issue to providers and users of these services. Addressing this security issue, this volume is divided into eleven parts covering the essentials of information security technologies, including application-related topics, and issues relating to application development and deployment:

  • Security Protocols;
  • Smart Card;
  • Network Security and Intrusion Detection;
  • Trusted Platforms;
  • eSociety;
  • TTP Management and PKI;
  • Secure Workflow Environment;
  • Secure Group Communications;
  • Risk Management;
  • Security Policies;
  • Trusted System Design and Management.

Companies like IBM have been talking to clients about trusting their information for decades. However, when the discussions turn to litigation and admitting information stored on hard disks, dvd's, USB Thumb Drives and the data on your VOIP phone system it all starts to become more complex than one could ever imagine. That complexity and the speed that courts are asking for responsive answers puts your legal risk in the center of the discussion.

Achieving a Defensible Standard of Care requires more than a savvy outside counsel. It demands an effective CIO, CSO and Records Manager working in combination with the hundreds of law firms you may have retained to address your ongoing litigation.