By Carolyn Casey
This week in NYC, which was all decorated for the holidays, a group of over 100 compliance, risk and privacy leaders convened to dig into the compliance environment with peers and experts at the InnoXcell Symposium at the Warwick Hotel. During the Financial Crime Compliance Exchange panel, I had the pleasure of moderating a conversation with a panel of esteemed experts. The panelists brought insights and recommendations based on their leadership tenure at financial institutions and the Securities and Exchange Commission (SEC). The conversation got me thinking about some of the technology trends we are seeing in regulatory compliance and cyber breach incident response in banks and other highly regulated industries.
Compliance Chiefs Emerge as Strategic Influencers
The room was packed with Chief Compliance Officers and Chief Compliance & Ethics Officers from U.S., European, Japanese and Chinese banks. The Wall Street Journal® reports that compliance chiefs' influence on firm direction and culture has expanded as the risk to banks' reputations from unethical and illegal behavior soars. Research from the Aite Group shows 68 percent of global financial compliance professionals see reputation preservation as their top job. This coincides with the trend to add "Ethics" to the compliance title.
A show of hands at our Tuesday session indicated a roughly even distribution of compliance reporting lines across CEOs, General Counsels and the Board of Directors. The Aite report reveals that in 2016, 18 percent of compliance chiefs reported to the board, twice as many as in 2015, while legal reporting lines dropped from 20 percent to 16 percent. Wherever they sit, compliance chiefs are gaining clout in financial institutions. Yet, as the panel commented, they often lack adequate budget and resources.
Culture Is the Key
As we dug more into the culture of compliance, Stephen Cohen, former Associate Director of the SEC Enforcement Division, shared with the audience that it only takes a few minutes of conversation to discern the state of a company's compliance culture. "If you are talking to the right person, it can take a matter of minutes to tell if the culture is more on paper than in practice."
Stephen, who helped craft the SEC Whistleblower Program, also emphasized that open channels of communication for whistleblowers in an organization are a positive indicator of a compliance culture. Companies that want whistleblowers to talk to the company first, before approaching the government about possible SEC violations, have made it safe for employees to report possible fraud or wrongdoing without facing negative repercussions.
Perils and Perks of “Cooperation”
David Schwartz, CEO, Florida Bankers Association, and a former chief compliance officer at a major bank, said banks have struggled with the Department of Justice (DOJ) Yates Memo that demands that organizations turn over information on individual culpability/actions to the government during investigations. David added that “this creates a disturbing environment in cultures that value loyal employees and customers, but don’t want unethical, fraudulent or corrupt behavior going on in their institution.”
The recent headline penalties for Foreign Corrupt Practices Act (FCPA) transgressions, a $264 million JP Morgan Chase fine for its client referral hiring program in the Asia-Pacific area, and the $200M+ Och-Ziff penalties for bribing officials of foreign sovereign wealth funds, have not gone unnoticed in the financial sector. Och-Ziff's CEO was personally fined $2.2M.
Here’s also an article from The Metropolitan Corporate Counsel® I wanted to share with some practical advice from the first two cases under the DOJ Pilot “Cooperation” Program. The program offers opportunity for more positive outcomes and fine reductions with cooperation in investigations.
ISO 37001 New Bribery Management System Standards
Janice Innis-Thompson, the former Chief Compliance & Ethics Officer at TIAA, shared an overview of the new ISO 37001 standard for anti-bribery management systems. Janice suggested that ISO 37001 certification can be a competitive differentiator for banks. The standard calls for an anti-bribery policy, appointing a person to oversee anti-bribery compliance, training, risk assessments and due diligence on projects and business associates, implementing financial and commercial controls, and instituting reporting and investigation procedures. The panel agreed that the new standard could be a good practical reference for building the culture of compliance increasingly required by a range of regulators.
NY Banks Face Boatload of New Cybersecurity Mandates
Many types of financial institutions operating in New York must soon have protocols in place to comply with the New York Department of Financial Services (DFS) cybersecurity regulation, slated to take effect January 1. For large banks, many of the 16 minimum standards are likely already in place. But mandates such as a 72-hour breach notice, incident response plan and annual audits may cause some bank compliance teams heartburn as they ramp up to comply during the 180-day grace period.
The panel and the audience discussed concerns about having to share information on cyber incidents with the government, fearing reputational harm if that information leaks, since government agencies get hacked too. However, some recognized the shared responsibility to report intrusions so the industry stays informed, can build protections against the latest attack techniques, and can protect the integrity of the banking system.
Compliance Investigations and Technology Trends
The panel discussion got me thinking about the practical investigative workflows and the role of technology in compliance internal investigations and audits. It seems to me that protocols and procedures for audits and incident response/investigations are foundational for a culture of compliance. How can organizations comply with the never-ending slew of cybersecurity, fraud, corruption and data privacy compliance inquiries if they don’t invest in technology that automates investigations and preserves data integrity? In the environment of “cooperation” where organizations are sharing internal investigative data, you want to be very sure it is sound and that you can prove it has not been altered.
We see more large banks integrating sophisticated forensic software into their compliance arsenal. This is due to the massive amounts of structured and unstructured data nestled in repositories, networks, computers and mobile devices that investigative teams must identify across the enterprise for collection and analysis. Compliance and their IT and InfoSec partners are looking beyond traditional GRC solutions and tools built for specific regulations to leverage the enterprise reach and high-speed search of forensic software and e-discovery technology. Some legal and compliance teams may not even be aware that their InfoSec team already has forensic technology that could be used, or already is used, to conduct compliance investigations.
These technologies support precise searches across multiple repositories, network shares and endpoints. The software lets you perform careful, remote collections from laptops without alerting employees to the data collection.
Preserving the collected data in a forensic container, with a cryptographic hash recorded at acquisition time and checked again before analysis, is what lets you demonstrate that its integrity was not compromised. Reports that prove the data was collected from a specific laptop, used by a specific individual, at exact times and dates, and preserved unchanged since, are table stakes for overcoming any regulator's or litigant's challenge to the veracity of the data. Parsing through layers of data in system logs can reveal concrete evidence of email communications, system access, document downloads and more. Compliance and legal can see communication patterns revealing who was talking to whom, and who was where at what time, using forensic timelines and e-discovery analytics.
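The integrity claim above is only as good as the record behind it. As an added illustration (not code from the original post or from any vendor's product), the following Python builds a chain-of-custody manifest for a collected directory, hashing every file with SHA-256 and then hashing the file list itself, so that a later verification detects any file that was modified, removed or added after collection. The directory layout, custodian and host names are constructed sample data, and the manifest fields are my own assumptions rather than any standard format.

```python
"""Hash-based evidence manifest: build at collection time, verify before analysis.

Constructed example. Manifest field names and sample files are assumptions,
not a vendor format or real case data.
"""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone


def sha256_file(path, chunk=1 << 20):
    """Stream a file through SHA-256 so large images do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def _canonical(entries):
    # Stable serialization so the manifest hash does not depend on key order.
    return json.dumps(entries, sort_keys=True, separators=(",", ":")).encode()


def build_manifest(root, custodian, source_host, examiner):
    """Walk the collected tree and record per-file hashes plus who/what/when."""
    entries = []
    for dirpath, _, files in os.walk(root):
        for name in sorted(files):
            p = os.path.join(dirpath, name)
            st = os.stat(p)
            entries.append({
                "path": os.path.relpath(p, root),
                "size": st.st_size,
                "mtime_utc": datetime.fromtimestamp(st.st_mtime, timezone.utc).isoformat(),
                "sha256": sha256_file(p),
            })
    return {
        "custodian": custodian,
        "source_host": source_host,
        "examiner": examiner,
        "collected_utc": datetime.now(timezone.utc).isoformat(),
        "files": entries,
        # Hash over the file list: editing or dropping an entry later is detectable.
        "manifest_sha256": hashlib.sha256(_canonical(entries)).hexdigest(),
    }


def verify_manifest(root, manifest):
    """Return a list of (path, problem) tuples; an empty list means the set is intact."""
    problems = []
    if hashlib.sha256(_canonical(manifest["files"])).hexdigest() != manifest["manifest_sha256"]:
        problems.append(("<manifest>", "file list edited"))
    listed = set()
    for e in manifest["files"]:
        listed.add(e["path"])
        p = os.path.join(root, e["path"])
        if not os.path.exists(p):
            problems.append((e["path"], "missing"))
        elif sha256_file(p) != e["sha256"]:
            problems.append((e["path"], "hash mismatch"))
    # Files that appeared after collection are just as suspicious as altered ones.
    for dirpath, _, files in os.walk(root):
        for name in files:
            rel = os.path.relpath(os.path.join(dirpath, name), root)
            if rel not in listed:
                problems.append((rel, "not in manifest"))
    return problems


def demo():
    """Collect two constructed files, verify, then tamper with one and verify again."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "expenses"))
        with open(os.path.join(root, "expenses", "q3.csv"), "w") as f:
            f.write("date,vendor,amount\n2016-09-02,Gift Shop,4800\n")  # constructed
        with open(os.path.join(root, "mail.mbox"), "w") as f:
            f.write("From: a@example.com\nSubject: referral\n")  # constructed
        manifest = build_manifest(root, "J. Doe", "LAPTOP-0421", "examiner1")
        clean = verify_manifest(root, manifest)
        # Simulate an after-the-fact edit to the expense report.
        with open(os.path.join(root, "expenses", "q3.csv"), "a") as f:
            f.write("2016-09-03,Correction,-4800\n")
        tampered = verify_manifest(root, manifest)
        return clean, tampered


if __name__ == "__main__":
    print(demo())
```

In practice the manifest itself would be stored separately from the evidence (or signed) so that an attacker who can edit the files cannot also regenerate the hashes; the manifest hash here only catches edits to the list, not a wholesale replacement of the manifest.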
For example, imagine equipping investigators with the ability to rapidly search for keywords and date ranges across volumes of expense reports (where bribes are often hidden), email communications and mobile phone activity of employees suspected of bribing foreign officials, and then collecting and preserving that evidence for documentation and analysis.
Once you know you've had a cyber breach, these same enterprise-wide search capabilities allow you to rapidly locate the hosts involved in the intrusion and contain it, for instance by isolating laptops that are infected with malware or serving as a conduit to exfiltrate (extract) your data, after the volatile evidence on them has been captured. The same technology can be used to locate where you are storing protected health information (PHI) and personally identifiable information (PII) for regulatory audits and to check who has access to this sensitive data.
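The PHI/PII discovery step mentioned above is worth seeing in concrete form. As an added example (not the original post's or any product's code), this Python walks a directory tree, flags files that contain likely U.S. Social Security numbers or payment card numbers, and records whether each hit is world-readable so access can be reviewed. Card candidates must pass the Luhn check to cut false positives from invoice and ticket numbers, and SSN candidates are filtered by the area/group/serial rules the SSA publishes. The sample files, names and numbers are constructed test data.

```python
"""Locate files holding likely PII (SSNs, payment cards) and note their permissions.

Constructed example with made-up data. Pattern rules are simplified; a real
scan would add more data types, archive handling and document text extraction.
"""
import os
import re
import stat
import tempfile

# SSA rules: area not 000/666/900-999, group not 00, serial not 0000.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
# 13-19 digits, optionally separated by spaces or dashes.
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,19}\b")


def luhn_ok(digits):
    """Luhn mod-10 check used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pii(text):
    """Count SSN and card-number hits in text; card hits must pass Luhn."""
    cards = 0
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            cards += 1
    return {"ssn": len(SSN_RE.findall(text)), "card": cards}


def scan_tree(root):
    """Return one record per file with hits, including a world-readable flag."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            p = os.path.join(dirpath, name)
            try:
                with open(p, "r", encoding="utf-8", errors="ignore") as f:
                    text = f.read()
            except OSError:
                continue  # unreadable file: skip rather than abort the scan
            hits = find_pii(text)
            if hits["ssn"] or hits["card"]:
                mode = stat.S_IMODE(os.stat(p).st_mode)
                findings.append({
                    "path": os.path.relpath(p, root),
                    **hits,
                    "world_readable": bool(mode & stat.S_IROTH),
                })
    return sorted(findings, key=lambda r: r["path"])


def demo():
    """Write three constructed files and scan them."""
    samples = {
        # 987-65-4321 is rejected: area 9xx is never issued as an SSN.
        "hr/onboarding.csv": "name,ssn\nA. Smith,123-45-6789\nB. Jones,987-65-4321\n",
        # 4111 1111 1111 1111 passes Luhn; the 13-digit invoice number does not.
        "billing/refunds.txt": "refund to card 4111 1111 1111 1111, invoice 9999999999999\n",
        "README.txt": "Nothing sensitive here. Ticket 1234.\n",
    }
    with tempfile.TemporaryDirectory() as root:
        for rel, body in samples.items():
            p = os.path.join(root, rel)
            os.makedirs(os.path.dirname(p), exist_ok=True)
            with open(p, "w") as f:
                f.write(body)
        os.chmod(os.path.join(root, "hr", "onboarding.csv"), 0o644)
        os.chmod(os.path.join(root, "billing", "refunds.txt"), 0o600)
        return scan_tree(root)


if __name__ == "__main__":
    for rec in demo():
        print(rec)
```

The world-readable flag is a deliberately crude stand-in for the access review the text calls for; on a real file server you would pull the ACL or share permissions and the audit log of who actually opened the file.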