A Financial Crimes + Regulatory Compliance Master Class - June 2024

Two weeks ago, I had the esteemed pleasure of attending Compliance Week: Financial Crimes and Regulatory Summit. When I tell you just the ? day session was a masterclass in compliance, I kid you not!? As a new student at Fordham Law School, I was eager to learn about how content I’m learning in class aligns with industry professionals’ perspectives on compliance pitfalls and best practices. Although I intended to write this post immediately after attending the submit, my responsibilities as a new professor/teacher—grading, preparing students for their Regents exams and getting them across the line to graduation—intervened. Nevertheless, below I share insights from each speaker. Keep in mind that due to my teaching and coursework commitments, I could only attend half a day of the two-day sessions (the afternoon of Tuesday, June 11th, 2024).

On the Panel Discussion regarding Dealing with Increased Regulatory Examinations and Supervision, I learned:

From Michael Rufino, National Associate Director at the Securities and Exchange Commission

When regulators conduct an investigation, record-keeping is crucial. A company's anti-money laundering (AML) program must align with business's AML reporting standards and the Bank Secrecy Act (BSA). Often time irregularities are found when the individuals who initially set up and supervised the program are no longer with the firm.?

The program and its controls must be independently tested regularly to identify strengths and weaknesses. Those conducting the tests must not have conflicting responsibilities. Staffing levels must meet demands, backlogs must be addressed promptly, and any special entity considerations must be managed.

Regulators will review the firm's policies and procedures to ensure active compliance. If firms are not following their policies and procedures, these often guide the SEC during an investigation. A common issue is when Suspicious Activity Reports (SARs) are not being reported, and as of late, regulators have frequently observed significant irregularities in microsecurities, which is a serious concern.

Regarding artificial intelligence (AI), firms must be aware that criminals can use AI to circumvent detection systems or to enhance their illegal activities. Therefore, AI governance must be stringent, privacy concerns must be resolved, and human oversight must be maintained. AI is not a substitute for human oversight.

When regulators reach out, it is essential to have the right people present. Being upfront with information and acknowledging mistakes can set a positive tone for an investigation.

From Melissa Babin, Head of Financial Crimes Investigations at Robinhood

Having an operational compliance/AML contingent contractor (if you’re using any third-party vendors) in place is crucial. If something happens with the main contractor, you have a readily available backup. There are positive use cases for AI in anti-money laundering (AML). If you're going to use AI as part of your AML program, you need both effectiveness and efficiency; you can't sacrifice one for the other. AI is good for surveillance, investigations, and customer screening, and it can also provide great investigation summaries.

However, don't try to automate too early, and always maintain human oversight. Within your compliance program, when you do risk assessment testing, ensure you have a mitigation process for false positive scoring. Ensure day-to-day readiness within your AML program, making changes that are defensible and not just for the sake of change. If there is an examination, know how you will readily remediate.?

Read FINRA reports for emerging risks and understand what other organizations have gotten in trouble for. Isolate and identify inadequate ongoing monitoring where portions of the program are not covered by independent testing. Choose an experienced testing vendor.

From Maurya Keating, Division of Examinations New York at the Securities and Exchange Commission

Investment advisors don't currently have AML reporting requirements, but registered investment advisors do. Although investment advisors don't have an AML requirement, fiduciary duty is something that her department looks at closely, along with fees. Her unit also examines the content of AML programs, ensuring that companies haven't just copied someone else's compliance program without tailoring it to their business.

Another area of review for her department is whether there has been adequate testing of AML programs. Additionally, her unit is concerned with the verbiage that investment advisors use in their advertising. It is trendy for investment advisors to claim they use AI to make investment decisions when, in fact, they aren't using AI in their approach at all.

The SEC is no longer waiting years to approach and "introduce themselves" to new registrants. New investment advisors will find that shortly after they register, the SEC will come to introduce themselves. The SEC feels it's very important to take this approach with newly registered investment advisors to set the tone and emphasize to investment advisors the importance of staying on top of regulatory changes.

On the Panel Discussion: SEC Regulatory Update - Impact of New Rules and How to Prepare, I learned:

From Thomas Smith, Regional Director at the Securities and Exchange Commission

The SEC has whistleblower tips and tricks suggested by the public on their website, which are helpful to review. Firms claiming to be ESG-conscious but not actually considering ESG in their investment strategy have recently come under SEC scrutiny.?

It's important not to block whistleblowers and to cease the unlawful behavior that caused the investigation in the first place. Firms should provide summaries of internal investigations, identify key documents, and engage in preemptive redemption. Quickly following up on requests without requiring a subpoena, returning ill-gotten gains, and facilitating interviews with former employees are also essential actions if your firm is undergoing an investigation.

From Matthew Siano, Managing Director Emeritus at Two Sigma Partners

The SEC is concerned about risks to retail investors regarding AI. At the moment, there is also ongoing consideration about whistleblowers receiving bounties. Communicate with your regulator and involve outside counsel early, especially when issues around self-reporting arise.

Firms conducting activities outside of official business tools ("off-channel communications"), such as text messages, will be under regulatory scrutiny. Regardless of an actual company violation, texting or operating outside of the firm's policies and procedures is a significant issue for regulators.

Panel Discussion: Actual Uses for AI in Compliance Implementation, I learned:

From Adam Storch, Associate Director at the Securities and Exchange Commission

In the Division of Examinations, the SEC spends most of its time focusing on broker-dealers and investment managers, who constitute the majority of their examinations. Lately, as you can imagine, they’ve been engaging with registrants to understand how AI is used to mitigate both internal and external risks and threats. Companies that market using AI in their businesses should also emphasize the importance of human oversight. For example, a firm may accept 80-90% of AI suggestions but challenge or discard some, and back-test outputs with human oversight to check and balance potential errors produced by AI as a best practice.?

From Hane Kim, Chief Risk and Strategy Officer at the Securities and Exchange Commission

The SEC isn’t advocating for one technology over another; it is technology agnostic. The SEC wants to see that businesses are thoroughly evaluating any technology against their specific needs. This includes outlining policies and procedures, monitoring risks, avoiding a "set it and forget it" mentality, and implementing and testing their technology. The SEC wants to see firms examining their actual use cases, such as whether their models are adapting to current business climate considerations, including geopolitical factors. Additionally, the SEC expects businesses to document the questions being asked to back-test and remediate, as well as maintain logs of their model creation process.

From Brendon Lodge, Head of Advance Analytics Products at HSBC

It is important to press third-party vendors about the criteria and processes they use to back-test the data output of their AI models. Utilize AI to test other AI and employ open-source tools to showcase transparency. Push vendors to demonstrate and explain how they are using AI and other generative models within their platform. Regarding audit logging and tracking, AI can be useful. Use AI as a domain expert.

Again, when I tell you that the Compliance Week: Financial Crimes and Regulatory Compliance Summit was a masterclass, I can’t stress that enough. For compliance professionals across the spectrum of experience, this is an excellent event to sharpen your skills. Compliance Week just confirmed their AI in Compliance Summit in Boston for October 8th-9th; definitely check it out (details).

A very special thank you to Barbara Boehler for making it possible for me to attend my first Compliance Week and for working hard to ensure Fordham Law’s compliance students are exposed to and can take advantage of every opportunity.? A special thank you to Donna O’Neil at Compliance Week as well.?

#uncomplicatedcompliance

Disclaimer: I, Meisa Bonelli, am not an attorney and the information provided here is for general informational purposes only. It should not be construed as legal advice, nor is it intended to be a substitute for legal counsel on any subject matter. You should consult with an attorney or other qualified legal professional for advice regarding your specific situation or concerns.