Volume 8 (2024-25)

Each volume of Journal of Financial Compliance consists of four 100-page issues.

Articles scheduled for Volume 8 include:

Volume 8 Number 2

  • Editorial
    Mario J. Difiore, Editor
  • Practice Papers
    Are the old ways of transaction monitoring dead?
    Carrie Gilson, Senior Vice President, Director of Financial Intelligence Unit, U.S. Bank

    Financial institutions continue to face the challenge of demonstrating a comprehensive anti-money laundering (AML) transaction monitoring programme that is designed to detect, and aligns with, relevant Federal Financial Institutions Examinations Council (FFIEC) red flags without explicit, consistent confirmation on whether the escalations (ie Suspicious Activity Report [SAR] filings) are correct or valuable. Historically, this led most banks to adopt the use of typology-based if/then rules, resulting in a significant volume of alerts to be reviewed and dispositioned, with only a small portion being identified as potentially suspicious. While machine learning models are touted as an obvious fix to this problem, many banks may find such solutions to be far too expensive, complex and/or resource intensive. In order to answer the question, ‘are the old ways of transaction monitoring dead?’, this paper offers and evaluates various practical solutions, ranging from simple to sophisticated, to reduce false positive alerts generated by traditional AML transaction monitoring applications.
    Keywords: transaction monitoring; machine learning; suspicious activity; false positive; rules-based; prioritisation; data quality

  • Identifying and addressing the risks of AI through regulations, compliance controls and technical design
    Sudhanshu Bahadur, Head of Technology for Global Asset Management, BMO Financial Group and Kuno Tucker, Chief Compliance Officer at Manulife Wealth and Adjunct Professor, Corporate Governance, York University

    This paper will identify and examine the various aspects of artificial intelligence (AI), surface the risks associated with AI, and provide compelling governance, compliance and technical solutions to mitigate those risks. AI is destined to accelerate the pace of change and development in multiple fields; however, with its great advances come great risks that need to be addressed.
    Keywords: artificial intelligence; compliance; regulations; risk management; controls; GenAI; LLMs

  • Keeping up with the regulators: How to build an effective compliance programme to satisfy the Best Interest care obligation
    Stephanie Nicolas, Partner and Joshua Nathanson, Associate, WilmerHale

    Over the past couple of years, the Securities and Exchange Commission (SEC) and the Financial Industry Regulatory Authority (FINRA) have significantly increased their Regulation Best Interest (Reg BI) enforcement efforts. Broker-dealers will need to act fast, as the pace of enforcement picks up and regulators issue guidance regarding their expectations for broker-dealers and their associated persons. This paper is intended for legal and compliance professionals designing a Reg BI compliance programme. It draws from recent SEC and FINRA guidance and enforcement actions, and it highlights some practical issues as well as potential solutions. The paper begins by discussing the differences between Reg BI and the Advisers Act fiduciary standard. It then provides some general considerations regarding the scope and application of Reg BI. The paper continues with an analysis of recent guidance and enforcement actions related to the care obligation, which has been a focus for both the SEC and FINRA. Finally, the paper concludes with some commentary on Reg BI issues related to the use of artificial intelligence by broker-dealers.
    Keywords: Regulation Best Interest; broker-dealers; investment recommendations; artificial intelligence; Securities and Exchange Commission; FINRA

  • EMIR Refit implementation: Practical advice and considerations for trade reporting obligations
    Nik Volpe, Founder, Laurellis Associates, Avinash Shamdasani, Global Head of Transaction Reporting, BGC Group and Kalyan Deshpande, Founder & CEO, Reg-X Innovations

    EMIR (European Market Infrastructure Regulation) trade reporting is a fundamental regulatory requirement for firms trading derivatives within the EU and UK. Introduced in 2014, EMIR mandates the reporting of derivative trades to authorised trade repositories to enhance market transparency and enable regulatory oversight. The recent EMIR Refit introduces new complexities, requiring firms to navigate the increased number of data fields, new XML reporting formats and different implementation dates between the EU and UK. This paper addresses three primary challenges of EMIR Refit: oversight and control of trade reporting, delegated reporting to brokers and third parties and updating legacy EMIR trades. This paper discusses the necessity for robust daily controls, governance structures and accurate data reconciliation to ensure compliance and mitigate risks. Firms must adapt to dual reporting obligations due to divergent implementation dates, maintaining separate systems for EU and UK reporting standards. Delegated reporting, while operationally beneficial, requires vigilant oversight to ensure third party compliance with regulatory standards. Updating legacy EMIR trades to align with EMIR Refit standards is crucial to maintaining data integrity and regulatory compliance. This paper provides practical guidance for firms to enhance their trade reporting processes, ensuring adherence to EMIR Refit requirements and safeguarding market stability. Through proactive planning and robust controls, firms can effectively manage the challenges posed by EMIR Refit, maintaining compliance and operational efficiency in the evolving regulatory landscape.
    Keywords: EMIR Refit UK; EMIR Refit go live; EMIR compliance; EMIR FCA guidelines; EMIR Refit implementation; EMIR Refit schema; EMIR reporting xml conversion; EMIR Refit changes; EMIR regulatory updates; EMIR impact

  • Why depository institutions, with or without affiliated securities firms, can and should manage employee use of personal devices for work-related communications
    Richard H. Harvey, Jr, Executive Vice President, General Counsel and Director of Compliance Risk, Beneficial State Bank, Michael J. Leotta, Partner, WilmerHale and Gautam Sachdev, Partner, AlixPartners

    This paper shows how the failure to monitor for and prevent off-channel communications poses risk to traditional depository institutions that are not subject to the jurisdiction of securities-law regulators and shows how those institutions can mitigate that risk. US securities regulators have cracked down on broker-dealer, investment-adviser and futures commission merchant employees' use of unapproved personal devices and applications for business communications, imposing over US$2.8bn in penalties between December 2021 and April 2024. However, because there have not, at the time of writing this paper, been similar enforcement actions against traditional depository institutions that do not have securities affiliates, many traditional banks without securities affiliates have continued with business as usual. Nonetheless, the OCC has recognised that electronic communications can constitute records that must be retained pursuant to specific rules and that banks' failure to maintain adequate record retention systems in general can create significant reputation, transaction, credit and compliance risks. This paper aims to illuminate those risks and offers suggestions about how to address them.
    Keywords: off-channel communications; business communications; personal devices; text messaging; record keeping; e-communications surveillance

  • An AI adoption strategy for financial crime prevention
    Colin Whitmore, Strategy and Innovation, Financial Crime, NatWest Group

    Faced with a bewildering array of FinTech vendors and innovative approaches, what direction and approach should you take? How can you adopt and use the latest innovative techniques to better detect and prevent financial crime? Do you buy or build? Do you replace or augment current systems? What about ensuring machine learning models are safe and unbiased? What about the role of the person — the human in the loop? What about generative artificial intelligence? What role does or should that play in your strategy? Can you trust it and use it? Given the potential artificial intelligence (AI) has to revolutionise the way you work, can you afford to ignore it? This paper will explore an AI adoption strategy, from the basics upwards, explaining how and where you can use and deploy AI. The paper defines the different techniques, considering short, medium and longer time frames. It will consider how you can build a roadmap where you can consider the longer-term goals at the same time as building your foundations. It is not easy to keep up with the rapidly changing landscape of AI and innovative solutions, but having a clear direction and strategy is a great place to start.
    Keywords: AI in financial crime; financial crime prevention; AML; financial crime; AI strategy

  • The ISO 37008 Internal investigation standard framework and what this means for financial services institutions
    Steve Young, Chief Executive Officer and Simon Scales, Chief Education & Development Officer, ACi

    ISO 37008 provides companies with a way to standardise their reporting and investigations protocols while providing a framework to tailor these processes to manage key requirements in new and existing compliance and ESG regulations. The Association of Corporate Investigators (ACi) played an integral part in developing this ISO 37008 ‘Internal Investigations of Organizations — Guidance’, which looks at the full cycle of an internal investigation for organisations. It covers the establishment of investigative policies and procedures, implementation of the investigation process, the reporting of the investigation result and the performance of remedial measures. Readers will see that financial services institutions of all types and sizes may have occasions where they want to set up an internal investigation. This may be necessitated by matters coming to their attention that require immediate response and include internal misconduct, significant financial irregularity and risk, together with compliance breaches. An internal investigation which is properly carried out may help organisations negate or mitigate the effects, and with the foresight gained through an investigation, an organisation can then develop timely remedial measures to resolve these breaches. This ISO standard lays out the essential aspects of an internal investigation with a view to practical application and overlays the ACi Investigation Principles. Drafted generically, it can be tailored to meet different organisational needs, and a detailed case study helps to guide readers through the benefits of setting up a well-rounded investigative process ready to be deployed when breaches happen.
    Keywords: ISO 37008; investigations; governance; compliance; risk

Volume 8 Number 1

  • Editorial
    Mario J. Difiore, Editor
  • Practice Papers
    Machine learning and compliance: A consumer-led approach
    Matthew Connell, Director of Policy and Public Affairs, Chartered Insurance Institute

    For compliance professionals, addressing the risks and opportunities of technologies such as machine learning is a huge challenge. This paper examines the issues involved with machine learning and insurance, by combining known regulatory concerns from international and UK supervisors with the results of consumer research, to identify key risks and how they can be mitigated. The paper finds that blending consumer research and wider risk management analysis can lead to a holistic compliance approach to machine learning. This builds from the individual, through job role design, individual accountability and training, to organisational systems and controls including governance, pricing policies and data management, through to sector-wide systems and initiatives including management of third parties and consistent standards for model transparency. In particular, it can help focus financial services firms on elements that consumers consider to be highly important, such as pricing according to risk rather than other factors (for example, price elasticity of demand). Conversely, it can help firms take a more proportionate approach to societal factors, such as exclusion of high-risk groups, that insurers alone cannot resolve without partnership with civic authorities.
    Keywords: machine learning; compliance; consumer perception; AI; ethics; outcomes

  • Strengthening governance practices of TCSPs in the EU’s smallest member state
    Christopher P. Buttigieg, Chief Officer Supervision, and Petra Camilleri, Deputy Head, Trust and Company Service Providers Supervision, Malta Financial Services Authority, Triq L-Imdina

    In Malta, Trust and Company Service Providers (TCSPs) are subject to sector-specific legislation and regulation, overseen by the Malta Financial Services Authority (MFSA) responsible for their authorisation and prudential supervision. TCSPs act as gatekeepers to Malta's financial system, playing a pivotal role in ensuring the integrity of financial services. The paper evaluates the outcomes of the MFSA TCSP governance and compliance thematic review within the context of financial supervision in Malta. It aims to: (a) analyse international reports on TCSP risks, informing the rationale for sector regulation; (b) explore the significance of thematic reviews in the MFSA's supervisory framework; (c) evaluate governance and compliance importance in the MFSA's supervisory approach and (d) examine principal findings of the review and their sector implications. Contributing to the debate on the nature of financial supervision, the paper argues that the TCSP governance and compliance thematic review underscores a growing recognition among TCSPs of the need for robust compliance culture. However, it highlights persistent deficiencies warranting attention. This academic study sheds light on TCSP regulation and supervision in Malta, emphasising the oversight approach in the EU's smallest member state.
    Keywords: regulation; supervision; TCSP; MFSA; compliance; EU

  • Is DORA the dawn of a new era for cybersecurity compliance in the EU’s financial sector?
    Antonio Giannino, Chief Risk and Compliance Officer, and Francesca Valenti, Legal and Regulatory Adviser, Amagis Capital Group, and Federico Sertori, Legal and Compliance Officer, Cargolux Italia

    This paper aims to set out the application of Regulation (EU) 2022/2254, the Digital Operational Resilience Act (DORA), to analyse its main obligations, its impacts on the current financial ecosystem and on the future culture around cybersecurity in the financial sector. The paper focuses on the main pillars around which the regulation has been built, and its aim is to assist compliance officers and non-technical personnel to assess the impact of DORA within their organisation. The authors offer an overview of DORA because the first step to address the implementation of a new regulation is having a clear view on all areas involved and the intensity of the changes. DORA will require a deep review of current documentation and processes: legal departments will have to ensure the agreements in place with IT providers comply with the new requirements, which entails new processes and the ability to follow the new contractual obligations; risk officers will need to work closely with the IT department, middle-back office and the compliance department to ensure they are all proactively involved in the implementation and monitoring of the new processes and that such procedures and the IT tools integrated are constantly suitable to serve the organisation's needs. Furthermore, management will be involved in DORA implementation and will bear responsibility for information and communication technology topics and, consequently, it will be incentivised to pay attention to and invest in information security. Meanwhile, carrying out a pre-assessment at organisational level to understand business impacts and drafting an implementation plan so as to be ready for January 2025, when DORA comes into effect, is highly recommended.
    Keywords: cybersecurity; compliance; European digital finance package; financial industry

  • How to maintain a strong compliance function in a remote/hybrid working environment, using ESG as both the objective and the driver
    Jessica Ramos, Head of Regulatory and Financial Affairs, Ella Adler, Regulatory and Oversight Affairs Counsel, and Erietta Exarchopoulou, Regulatory and Oversight Affairs Adviser, EBA Clearing

    The new realities of the workplace have had a significant impact on how compliance experts are engaging staff in organisations across all sectors and in particular in the financial services sector. Remote/hybrid working arrangements as well as flexible hours have changed the way people interact with each other and how they live and absorb the company's culture. This has also led to an increase in existing risks, such as cyber risks, and created new risks, such as inspections from authorities of staff members' homes. In addition, an increased focus on Environmental, Social and Governance (ESG) principles in the corporate space presents challenges for companies from a regulatory point of view, in terms of dealing with new compliance requirements, requiring additional resources to cover reporting requirements and exposure to reputational or litigation risk. However, this paper sets out a number of opportunities that companies can benefit from by leveraging their ESG activities to attract and retain talent. This paper details the abovementioned challenges, laying out the main consequences that have been observed. It also offers a number of practical tips to leverage creative and novel methods to cultivate a culture of compliance, despite the challenges of the new realities of the workplace, and it gives insights on how to leverage ESG to promote compliance and general staff engagement.
    Keywords: compliance culture; ESG; remote working; employee engagement

  • From data to decisions: How emerging technologies can enhance ESG assessments and reporting
    William Nelson, Associate General Counsel, Investment Adviser Association, Washington, DC

    This paper presents a comparison of the environmental, social and governance (ESG) regulatory landscape across California, the European Union (EU) and the US Securities and Exchange Commission (SEC). It highlights both the similarities and key differences within these regulations, empowering companies with practical insights. Specifically, the paper explores how companies can leverage data and analytics, alongside emerging technologies like artificial intelligence and blockchain, to gain a deeper understanding of their ESG risks and opportunities. The paper also delves into how these technologies can facilitate ongoing progress monitoring and enhance transparency in communicating ESG performance to stakeholders.
    Keywords: environmental; social and governance; ESG; artificial intelligence; AI; blockchain; GHG emissions

  • Risk-based customer due diligence is the key to effectively managing financial crime risk
    Ola Tucker, Founder, Compliance Notes

    Customer due diligence (CDD) processes and procedures are a required component of a financial institution's anti-money laundering (AML) compliance programme in the US and in many other countries. Solid CDD policies and procedures are key to meeting regulatory expectations as well as effectively managing money laundering/terrorist financing (ML/TF) risk. However, there are many nuances to conducting risk-based CDD and it is critical that financial institutions understand the specific risks they face and tailor their programme accordingly, as well as update it regularly to account for evolving threats and updates in legislation. This paper discusses the importance of CDD for risk management in financial institutions. It starts with an introduction to CDD, defines the three basic types of due diligence and explains the requirement to identify beneficial owners of legal entity customers. The paper goes on to discuss regulatory expectations as well as some of the more common compliance violations related to CDD incurred by financial institutions. The paper also highlights a case study examining the regulatory enforcement action against Deutsche Bank related to its AML compliance failures involving Jeffrey Epstein. Finally, the paper concludes with a list of best practices and recommendations for banks and other financial institutions.
    Keywords: customer due diligence; enhanced due diligence; anti-money laundering; compliance; beneficial ownership; know your customer

  • A consideration of the evolving role, visibility and prominence of compliance play in strategic planning and protecting brand and reputation
    Catherine Vaughan, Global Financial Crime, Ethics and Compliance Leader, Ernst & Young

    Compliance has progressively evolved from a mere legal and regulatory necessity to a strategic imperative for organisations. In today's fast-paced and interconnected business environment, compliance plays a crucial role in protecting an organisation's brand and reputation. Looking at the relationship between compliance and key function heads such as the Chief Operating Officer, Chief Financial Officer, Human Resources Executives and the increasingly visible Chief Trust Officer, this paper explores the shifting landscape of compliance, its increasing visibility and prominence, particularly in strategic planning. It emphasises the crucial interconnection between compliance and a company's brand and reputation, demonstrating how adherence to legal and ethical standards has become a core aspect of protecting and enhancing organisational success. While there is a leaning towards larger organisations, the concepts and insights explored in this paper have equal relevance to smaller firms, for whom brand and reputation are as important as they are for larger ones. For any organisation which relies on a reputation of trust, the relationship between compliance and strategy explored in this paper is crucial regardless of size, industry or sector.
    Keywords: compliance; brand; reputation; strategy; protection; growth; board; trust; culture; evolution