More Than Half of Leading British Banks Do Not Offer Two-Factor Authentication

On January 30, The Times reported that in a review of online security at 12 leading British banks, the United Kingdom-based consumer organization Which? and United Kingdom-based cybersecurity firm SureCloud found that only five of the 12 banks – including First Direct, HSBC, and Barclays – at the time of login provided accountholders with two-factor authentication (2FA).  (2FA can be defined as “an additional layer of security for your online accounts beyond your password,” such as an additional piece of information sent via another channel, e.g., a hardware or software token, a code texted to you, or a call to your phone.)

The seven banks that failed to enforce 2FA at login were the Co-operative Bank, TSB, Lloyds, Clydesdale/Yorkshire Bank (CYBG), Santander, NatWest, and Metro Bank.  Responses to the study by several of those banks were less than enthusiastic about the rankings, but 2FA will no longer be optional for United Kingdom banks.  UK Finance, the trade association for the United Kingdom bank and financial services sector, stated that 2FA for high-value online payments would be a legal requirement as of September 2019.

Note: The issue of 2FA adoption is hardly unique to the United Kingdom, and certainly not to the banking sector.  In an October 2018 study of the prevalence of 2FA offerings by 34 top consumer websites in the United States, password-app company Dashlane found that 76 percent of sites do not offer users a full set of 2FA options.  Among the financial services companies included in the survey, Bank of America and Wells Fargo received the maximum score for offering multiple 2FA options, while Citibank, Discover, American Express, and Chase offered only SMS or email authentication.

Nor are all forms of 2FA equally effective.  Hackers can circumvent 2FA by “spoofing your SIM card, intercepting the unencrypted message as it is sent over the network or trying to steal databases filled with information about mobile accounts from telecoms operators.”  In addition, the United States National Institute of Standards and Technology (NIST) commented in 2016 that SMS was not recommended for 2FA because of its inherent vulnerabilities (e.g., lack of encryption), and last year published draft guidance “that recommends against companies and government agencies using SMS as the channel for out-of-band verification.”

“Some warn,” The Economist noted, “that SMS is better than nothing, for users who cannot navigate more complicated systems.”  That justification sounds far less persuasive in light of the 30 percent increase in e-commerce fraud attacks in 2017.  But it is also unclear how much “better than nothing” other multifactor authentication (MFA) technologies are.  As Professor Josephine Wolff of the Rochester Institute of Technology recently observed, empirical data is still lacking about how well various 2FA or MFA solutions work.  When 2FA becomes mandatory for United Kingdom banks later this year, both the banks and regulators need to examine what “best practices” truly means for 2FA and MFA, and how to evaluate which of those practices are substantially “better than nothing.”

And All for Want of a Password

Multiple media reports, including the Washington Post, have been reporting on the recent disclosure that Gerald Cotten, the founder of Canada’s largest cryptocurrency exchange QuadrigaCX, died in December 2018, without sharing with anyone a password or recovery key for access to some US$190 million in holdings maintained in QuadrigaCX’s offline “cold wallet.”  Since Cotten’s death, QuadrigaCX, which had been besieged with legal problems since early 2018, filed for and was granted creditor protection in a Nova Scotia court.

In the affidavit that she filed in the Nova Scotia proceeding, Cotten’s widow, Jennifer Robertson, stated that the laptop from which Cotten carried out company business “is encrypted and I do not know the password or recovery key.  Despite repeated and diligent searches, I have not been able to find them written down anywhere.”  Nor has the expert she retained had any success in accessing Cotten’s laptop.  That leaves vast numbers of QuadrigaCX clients wondering how much of their funds are stored in the cold wallet and when, if ever, they can retrieve those funds.

Regardless of one’s position on the merits and reliability of cryptocurrency, the lessons to be drawn from these recent disclosures extend well beyond the cryptocurrency field.  Chief information-security officers (CISOs) and chief compliance officers (CCOs) should use QuadrigaCX’s plight as an opportunity to ask two questions of other executives and managers (including CEOs and systems administrators): (1) “Is there any account, asset, resource, or system to which only you have access?”; and (2) “If you died or left the company, how would we be able to access or recover it?”

If any of the executives or managers answers yes to question (1), the CISO and CCO need to collaborate in compiling a list of all such assets, resources, and systems, and work with the relevant business or support unit to develop a plan to provide at least one other person in that unit with the access device, password, or key in case of emergencies or disasters.  Every company has certain data or resources that need to be kept confidential and secure, but no company should risk repeating Cotten’s mistake by leaving their “keys to the kingdom” in the hands of any single individual without backup recovery capabilities.

Inside Patisserie Valerie, A Rich Center of Fraud

Since last October, Patisserie Valerie, the United Kingdom-based café chain that specialized in handcrafted cakes, has undergone a slow but irreversible collapse, like an overheated soufflé, thanks to a massive £40 million “black hole” found in the company’s accounts.  The following timeline shows some of the key events leading to the firm’s demise:

  • October 10, 2018: Patisserie Holdings plc made two significant announcements: (1) that it had learned that HM Revenue and Customs (HMRC) had filed a “winding-up” petition in the High Court affecting a Patisserie subsidiary, Stonebeach Limited, for approximately £1.14 million in taxes owed; and (2) that Patisserie Holdings’ board had been “notified of significant, and potentially fraudulent, accounting irregularities and therefore a potential material mis-statement of the company’s accounts.” During that week, the firm found that company overdrafts had been set up with two banks, Barclays and HSBC, and that £9.7 million had been used by the time they were discovered.
  • October 12, 2018: After the firm’s finance director, Chris, was reportedly arrested and released on bail without charge the preceding evening, the Serious Fraud Office announced that it had opened a criminal investigation into an unnamed individual relating to the firm. Also, by mid-October, multiple press reports indicated that the firm had a “black hole” of some £40 million.
  • January 16, 2019: Patisserie Holdings announced that “the misstatement of its accounts was extensive, involving very significant manipulation of the balance sheet and profit and loss accounts. Among other manipulations, this involved thousands of false entries into the Company’s ledgers. . . . The initial indications from the work carried out to date is that the cash flow and profitability of the business has been overstated in the past and is materially below that announced in the trading update on 12 October 2018, which was based on limited work carried out over a 48-hour period.”
  • January 22, 2019: Patisserie Valerie was forced into administration after it was unable to work out financing with banks, and after it reportedly failed to share with the banks a report by accounting firm PwC that “allegedly detail[ed] how suppliers provided fake invoices and multimillion-pound cheques were submitted to artificially inflate cash balances.”
  • January 28, 2019: The Daily Telegraph reported that “Patisserie Valerie sales were in secret decline for at least three years before the discovery of the [£40 million] accounting black hole . . . .”
  • February 3, 2019: The Times reported that a PwC forensic report said that PwC “identified forged company minutes used to take out overdrafts of almost £10m and fake invoices for shop refurbishments.”

Note: The sad tale of Patisserie Valerie’s collapse provides an object lesson in why small and medium enterprises, as much as FTSE 1000 and Fortune 500 companies, need to dedicate part of their compliance program to internal fraud.  Evidently neither the firm nor its outside auditor was focused on monitoring for fraud, but employees, investors, and patrons are now suffering the consequences of the firm’s failure to monitor internal transactions and accounts for possible embezzlement or fraud.  Like the protein and egg yolk in a soufflé, which strengthen the internal structure of the soufflé and prevent its collapse, a sound internal-fraud compliance program with trained staff and effective internal controls strengthens a company’s compliance architecture and reduces the risk of substantial damage to the company’s operations and reputation.

Despite the waves of adverse publicity about its demise and the apparent fraud, Patisserie Valerie reportedly has now attracted multiple offers for all or parts of the business.  With luck, acquiring companies may find what is left of the firm palatable, notwithstanding claims by some bidders “that many of Patisserie Valerie’s shops were losing vast sums of money, and not profitable as the company had claimed.”  Unfortunately, pre- and post-transaction due diligence by the buyers, along with further law enforcement inquiry, will likely find that the full scale of the internal fraud is even greater than reported so far.

Australian Royal Commission on Banking Misconduct Delivers Final Report Strongly Critical of Australian Banks

On February 1, Kenneth Hayne, Commissioner of the Australian Royal Commission into Misconduct in the Banking, Superannuation and Financial Services Industry, submitted the Commission’s Final Report to the Governor-General of Australia.  The Commission’s terms of reference vested the Commission with a broad mandate to inquire into misconduct in the financial services sector, including the adequacy of laws, regulations, and industry practices.  The Final Report was tabled in the Australian Parliament on February 4.

At the outset, the Final Report reiterated and expanded on the substantial criticisms of the Australian financial sector that it set forth in its Interim Report.  It stated that

[t]he conduct identified and described in the Commission’s Interim Report [submitted in September 2018] and the further conduct identified and described in this Report includes conduct by many entities that has taken place over many years causing substantial loss to many customers but yielding substantial profit to the entities concerned. Very often, the conduct has broken the law. And if it has not broken the law, the conduct has fallen short of the kind of behaviour the community not only expects of financial services entities but is also entitled to expect of them.

The Final Report also presented four key observations about critical and pervasive failings in financial firms’ treatment of customers:

  1. “[T]he connection between conduct and reward.” The Report stated that “in almost every case, the conduct in issue was driven not only by the relevant entity’s pursuit of profit but also by individuals’ pursuit of gain, whether in the form of remuneration for the individual or profit for the individual’s business. Providing a service to customers was relegated to second place. Sales became all important. Those who dealt with customers became sellers. And the confusion of roles extended well beyond front line service staff. Advisers became sellers and sellers became advisers.”
  2. “[T]he asymmetry of power and information between financial services entities and their customers.” The Report stated that “entities and individuals acted in the ways they did because they could. Entities set the terms on which they would deal, consumers often had little detailed knowledge or understanding of the transaction and consumers had next to no power to negotiate the terms. At most, a consumer could choose from an array of products offered by an entity, or by that entity and others, and the consumer was often not able to make a well informed choice between them. There was a marked imbalance of power and knowledge between those providing the product or service and those acquiring it.”
  3. “[T]he effect of conflicts between duty and interest.” The Report stated that “consumers often dealt with a financial services entity through an intermediary. The client might assume that the person standing between the client and the entity that would provide a financial service or product acted for the client and in the client’s interests. But, in many cases, the intermediary is paid by, and may act in the interests of, the provider of the service or product. Or, if the intermediary does not act for the provider, the intermediary may act only in the interests of the intermediary. The interests of client, intermediary and provider of a product or service are not only different, they are opposed. An intermediary who seeks to ‘stand in more than one canoe’ cannot.  Duty (to client) and (self) interest pull in opposite directions.”
  4. “[H]olding entities to account.” The Report stated that “too often, financial services entities that broke the law were not properly held to account. Misconduct will be deterred only if entities believe that misconduct will be detected, denounced and justly punished. Misconduct, especially misconduct that yields profit, is not deterred by requiring those who are found to have done wrong to do no more than pay compensation. And wrongdoing is not denounced by issuing a media release.”

The Final Report set forth a total of 76 recommendations that cover a wide variety of practices and issues in the financial services sector, including consumer lending, access to banking services, enforceability of industry codes, financial advice, superannuation, insurance, and regulation.  Some of the more prominent recommendations, according to news.com.au, included:

  • Retention of the so-called “twin peaks” model of financial regulation (i.e., oversight by the Australian Securities and Investments Commission (ASIC) and the Australian Prudential Regulation Authority (APRA)), although Hayne recommended that the APRA keep a closer watch on banking-sector executive pay and stated that “the enforcement culture of ASIC, not the size of ASIC’s remit, should be the focus of change.”
  • Mortgage brokers should be required by law to act in the best interests of borrowers, rather than lenders or themselves, and face a civil penalty for breach of that duty.
  • Industry codes of conduct, which ASIC must approve, will include “enforceable code provisions,” and a breach of such a provision will constitute a breach of law.

Note: The reaction to the Final Report by Australian government authorities and the business sector has generally been measured but positive.  The Government immediately committed, in the words of Australian Treasurer Josh Frydenberg, to “taking action on all 76 recommendations.”  Frydenberg also stated that the recommendations “will have far-reaching consequences across the financial system, including putting in place the banking executive accountability regime, not just within banks which we initiated, but with an insurance and superannuation companies, ensuring trustees of superannuation funds actually face penalties for breaching of their duties.”

ASIC stated that it “will consider the report carefully,” adding that it “identified ASIC’s enforcement culture as the focus of change needed at ASIC. This focus accords with ASIC’s change agenda, that has included the adoption of our ‘why not litigate?’ enforcement stance, the initiation of our Internal Enforcement Review and the enhancement of our governance structures.”  With regard to Hayne’s referrals for possible breaches of financial-services law, ASIC responded that “[c]onsideration of these matters will be prioritised. ASIC does not, as a general policy, comment on actual or potential investigations.”

The Chairman of the APRA, Wayne Byres, stated that the Final Report

is a considered and fair assessment of failings in the financial system and a helpful road map for reform . . . . The commission’s recommendations are wide-ranging. Within them, the commission has identified a number of areas where APRA’s prudential and supervisory framework can and should be strengthened. Many of these improvements are already in train, and APRA is committed to delivering on them. APRA appreciates the commission’s acknowledgment that increasing the intensity of supervision will require additional resources.

The true test of the Final Report, of course, will be the extent to which and the speed with which the Government and the banking sector pursue the report’s recommendations.  Regardless of how difficult it can be to change a bank’s culture, the key Australian banks will need to demonstrate that they are committed to changing their cultures for the better, and willing to play a constructive role in the upcoming discussion of potential legal and regulatory changes.

Wolfsberg Group Publishes New Guidance on Sanctions Screening

On January 21, the Wolfsberg Group published new guidance for financial institutions (FIs) on sanctions screening.  In a statement of key themes in that Guidance document, the Wolfsberg Group stated that the Guidance seeks to demonstrate “where sanctions screening can be an effective part of a wider sanctions compliance programme,” “where it has limitations as a control,” and “where a risk based approach may be appropriate, notwithstanding the strict liability nature of sanctions compliance.”

The Guidance includes sections that address the following key issues:

  1. Definition of Sanctions Screening: This section (p. 2) defines sanctions screening as “a control used in the detection, prevention and disruption of financial crime and, in particular, sanctions risk. It is the comparison of one string of text against another to detect similarities which would suggest a possible match. It compares data sourced from an FI’s operations, such as customer and transactional records, against lists of names and other indicators of sanctioned parties or locations.”
  2. The Fundamental Elements of a Sanctions Screening Program: This section (pp. 2-3) cautions that “screening as a control is not sanctions specific and should be deployed as part of an integrated risk based [financial crime compliance (FCC)] programme.” It also notes that “[f]undamental pillars of an FCC programme, including key enabling functions, should be applied to screening, not in isolation, but in conjunction with other financial crime risk prevention and control processes,” including policies and procedures, designation of a responsible person, risk assessment, and internal controls.
  3. Consideration of a Risk Based Approach: This section (pp. 3-4) states that screening “requires a programmatic approach through which each FI must assess its own risks in order to define the manner, extent and circumstances in which screening is employed.” That process is built around four core principles summarized as follows:
    • “Articulate the specific sanctions risk the FI is trying to prevent or detect within its products, services and operations.”
    • “Identify and evaluate the inherent potential exposure to sanctions risk presented by the FI’s products, services and customer relationships.”
    • “A well-documented understanding of the risks and how they are managed through the set-up and calibration of the screening tool.”
    • “Assess where, within the FI, the information is available in a format conducive to screening.”
  4. Screening Technology and Generating Productive Alerts: Given the complexity of “[w]hat is often thought of as a simple name-matching process,” this section (pp. 4-6) sets out principles for generating productive alerts; discusses the process of alert generation and review; emphasizes the need for risk-relevant metric reporting, an independent risk-based testing and validation regime, and data integrity processes; and identifies criteria for deciding whether to build the screening application internally or source from a vendor.
  5. Reference Data/Customer or Name Screening: This section (pp. 7-8) defines reference data screening as “the process of screening the information an FI collects and maintains on the parties it does business with, or specific types of products and services it offers.” It discusses the process of determining sanctions-relevant attributes in reference data, and the manner, timing, and frequency of reference data screening.
  6. Transactions/Message Screening: This section (pp. 8-10) discusses transaction screening – “the process of screening a movement of value within the FI’s records, including funds, goods or assets, between parties or accounts” – as well as the focus of transaction screening, identifying which data elements within transactions are relevant for sanctions screening, and the manner, timing, and frequency of transactions screening.
  7. List Management: This section (pp. 10-12) discusses the importance of rigorous list management – “the end-to-end process of determining and managing regulatory and internal lists used for screening” – as well as considerations relevant to effective list management, data quality control for regulatory-sanctions and internal lists, and the use of identifying information and “weak aliases” (i.e., additional ancillary information of varying utility).
  8. Historical Reviews (Lookbacks): This section (pp. 12-13) states that when an FI identifies “potential sanctions risk where a sanctions related data point may have been previously undetected by the screening system, . . . the FI should consider whether or not: (i) changes to the sanctions screening system (for example, configuration or lists) are warranted, and (ii) a historical review (“lookback”) should be performed.”  It also lists factors that should be considered in making that determination.
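The Guidance describes name screening as a comparison of strings that surfaces possible matches, warns that weak aliases have uneven value, and calls for a lookback when a list or configuration change may have left earlier records unscreened. The following Python script is an added illustration of those four points (sections 1, 4, 7 and 8 above); it is not code from the Wolfsberg Group or from any member bank. The sanctions list, customer records, stop-word set and the 0.85/0.95 thresholds are all constructed for the example, and the scoring (diacritic stripping, token reordering, a per-token edit-similarity average via the standard library's difflib) is one common design, not the approach any particular vendor or FI uses.

```python
"""Constructed example of sanctions name screening: text normalisation,
order-insensitive fuzzy comparison, stricter handling of weak aliases, and a
lookback after a list change. Added for illustration only; not the Wolfsberg
Group's code. Every list entry, customer record and threshold is constructed."""
import re
import unicodedata
from dataclasses import dataclass, field
from difflib import SequenceMatcher

# Corporate suffixes and honorifics that carry no identifying value (constructed set)
STOP_TOKENS = {"mr", "mrs", "dr", "co", "company", "corp", "ltd", "llc", "inc"}


@dataclass
class ListEntry:
    """One sanctioned party: a primary name plus strong and weak aliases."""
    list_id: str
    primary: str
    strong_aliases: list = field(default_factory=list)
    weak_aliases: list = field(default_factory=list)   # nicknames, single tokens


def normalize(name):
    """Casefold, strip diacritics and punctuation, drop stop tokens, split into tokens."""
    text = unicodedata.normalize("NFKD", name)
    text = "".join(ch for ch in text if not unicodedata.combining(ch)).casefold()
    text = re.sub(r"[^a-z0-9 ]+", " ", text)
    return [t for t in text.split() if t not in STOP_TOKENS]


def similarity(customer_tokens, list_tokens):
    """Order-insensitive score in [0, 1]: every list-name token is paired with
    its closest customer token and the per-token ratios are averaged."""
    if not customer_tokens or not list_tokens:
        return 0.0
    best = [max(SequenceMatcher(None, lt, ct).ratio() for ct in customer_tokens)
            for lt in list_tokens]
    return sum(best) / len(best)


def screen(customer_name, entries, strong_threshold=0.85, weak_threshold=0.95):
    """Return one alert per list entry the name matches. Primary names and strong
    aliases use the fuzzy threshold; weak aliases need a near-exact match, which
    keeps low-value alias data from flooding the alert queue."""
    customer = normalize(customer_name)
    alerts = []
    for entry in entries:
        candidates = ([(entry.primary, strong_threshold)]
                      + [(a, strong_threshold) for a in entry.strong_aliases]
                      + [(a, weak_threshold) for a in entry.weak_aliases])
        best = None
        for alias, threshold in candidates:
            score = similarity(customer, normalize(alias))
            if score >= threshold and (best is None or score > best["score"]):
                best = {"list_id": entry.list_id, "matched": alias, "score": round(score, 3)}
        if best:
            alerts.append(best)
    return alerts


def screen_batch(records, entries):
    """records: iterable of (record_id, name). Returns {record_id: alerts} for hits only."""
    hits = {}
    for record_id, name in records:
        alerts = screen(name, entries)
        if alerts:
            hits[record_id] = alerts
    return hits


def lookback(historical_records, old_entries, new_entries):
    """After a list or configuration change, re-screen history and return only the
    records that the previous configuration did not flag."""
    before = screen_batch(historical_records, old_entries)
    after = screen_batch(historical_records, new_entries)
    return {rid: alerts for rid, alerts in after.items() if rid not in before}


# Constructed sanctions list and customer records (not real parties)
SANCTIONS_LIST = [
    ListEntry("CONSTRUCTED-001", "Ivan Petrovich Ivanov",
              strong_aliases=["Ivanov, Ivan"], weak_aliases=["Vanya"]),
    ListEntry("CONSTRUCTED-002", "Acme Trading Co. Ltd",
              strong_aliases=["ACME Trading Company"]),
]
HISTORICAL_RECORDS = [
    ("C-1001", "IVANOV IVAN PETROVICH"),   # reordered tokens, different case
    ("C-1002", "Ivánov Iván"),             # diacritics; matches the strong alias
    ("C-1003", "Vanya"),                   # exact weak-alias hit
    ("C-1004", "Jane Doe"),                # no match
    ("C-1005", "Acme Trading"),            # suffixes stripped, exact hit
    ("C-1006", "Ivan Petrovic Ivanof"),    # transliteration variants, fuzzy hit
]

if __name__ == "__main__":
    for rid, alerts in screen_batch(HISTORICAL_RECORDS, SANCTIONS_LIST).items():
        print(rid, alerts)
    # List change: CONSTRUCTED-002 was added after the records were first screened
    print("lookback:", lookback(HISTORICAL_RECORDS, SANCTIONS_LIST[:1], SANCTIONS_LIST))
```

Two design choices reflect the Guidance rather than any one tool. Weak aliases are screened at a near-exact threshold, so “Vanja” does not alert on the weak alias “Vanya” while the primary name still catches spelling and transliteration variants; a single-token nickname matched fuzzily would otherwise generate alerts against much of the customer base. The lookback is expressed as a difference between two screening runs over the same history, which is the question section 8 asks (what the earlier configuration missed) rather than a full re-review.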

In conclusion, the Guidance advocates that FIs

seek to adopt a risk based approach to sanctions screening and to consider all aspects of a comprehensive sanctions screening control framework, as follows:

  • The FI must have a robust FCC programme with a clear strategy in respect of sanctions screening, to mitigate the risk of being exposed to sanctioned parties and countries.
  • The FI’s approach should recognise that while sanctions screening is a primary control, it has its limitations and should be deployed alongside a broader set of non-screening controls to be truly effective.
  • It is important for FIs to document their systematic approach to screening by linking it directly to their risk appetite statements.
  • The accuracy and completeness of the FI’s own data is central to an effective and efficient sanctions screening process.
  • Technology remains a key enabler in the effectiveness of identifying financial crime risk through screening, more efficiently and on a real-time basis.
  • Robust governance and oversight mechanisms must be put in place across the FIs to ensure transparency of risk decisions to key stakeholders and risk owners.
  • The FI should ensure that people involved in the end-to-end risk event management are suitably trained, supervised and that the appropriate levels of quality control and assurance are in place to ensure compliance with requirements.
  • Robust management information should be made available to management to report effectiveness, trends and performance.

Note: This latest Guidance from the Wolfsberg Group is consistent in quality and concision with the Group’s previously issued Standards on issues such as payment transparency, anti-bribery and corruption compliance programs, and Politically Exposed Persons.  In drafting this Guidance, the Wolfsberg Group noted that it found “a great deal of commonality in the design and execution of sanctions screening controls across the Wolfsberg member banks,” suggesting that there is already core common practice in the financial sector.  It emphasized, however, that while there were various ways in which FIs can seek to adhere to the Group’s various documents, “the means by which each FI chooses to adopt these documents must make sense for each individual firm, recognising that one size doesn’t fit all and that each FI’s risk mitigation strategy must be tailored to meet its risk appetite.”

For that reason, compliance officers with responsibility for sanctions compliance should read the Guidance closely and use it as a basis for comparison with their current sanctions screening processes, bearing in mind that specific technology solutions and approaches suitable for some financial institutions may not be suitable for others.