30 August 2007

BSA/ AML: Testing the Channel...

Legal compliance with the Bank Secrecy Act (BSA) and Anti-Money Laundering (AML) is a complex and growing concern by regulators, enforcement and Operational Risk Executives. In the United States, the FFIEC (Federal Financial Institutions Examination Council) has published the latest Examination Manual to provide guidance:

Enterprise-Wide BSA/AML Risk Assessment

Holding companies or lead financial institutions that implement an enterprise-wide BSA/AML compliance program should assess risk both individually within business lines and on a consolidated basis across all activities and legal entities. Aggregating risks on an enterprise-wide basis for larger or more complex organizations may enable an organization to better identify risks and risk exposures within and across specific lines of business or product categories. Consolidated information also assists senior management and the board of directors in understanding and appropriately mitigating risks across the organization. To avoid having an outdated understanding of the BSA/AML risk exposures, the holding company or lead financial institution should continually reassess the organization’s BSA/AML risks and communicate with business units, functions, and legal entities. The identification of a BSA/AML risk or deficiency in one area of business may indicate concerns elsewhere in the organization, which management should identify and control.

When a financial institution utilizes a strategy for it's channel or broker network the goal is to build controls into the consumer application process. These controls help the parent financial institution with compliance issues and give the independent broker or registered investment advisor with the tools and mechanisms for risk mitigation. However, to what degree do these independent brokers who interface with the consumer actually understand, implement and comply 100% with BSA/AML laws?

This question may haunt the minds of many OPS Risk professionals as they try to manage the mountain of data and documentation requirements at the home office or processing center. When there are dozens or hundreds of independent brokers in the client acquisition process your risk exposure increases dramatically. When and how often do you need to audit these important entities in your member or client supply chain?

Independent testing (audit) should be conducted by the internal audit department, outside auditors, consultants, or other qualified independent parties. While the frequency of audit is not specifically defined in any statute, a sound practice is for the bank to conduct independent testing generally every 12 to 18 months, commensurate with the BSA/AML risk profile of the bank. Banks that do not employ outside auditors or consultants or have internal audit departments may comply with this requirement by using qualified persons who are not involved in the function being tested. The persons conducting the BSA/AML testing should report directly to the board of directors or to a designated board committee comprised primarily or completely of outside directors.

Those persons responsible for conducting an objective independent evaluation of the written BSA/AML compliance program should perform testing for specific compliance with the BSA, and evaluate pertinent management information systems (MIS).

This is not any surprise to large banks and securities dealers who have been working diligently on these compliance management problems for decades. Whenever an organization is deploying a distributed and indirect model for acquiring new consumers, high net worth individuals and other business entities for financial-based products and services; BSA/AML programs should be robust. The individuals who are planning to launder money that has been obtained illegally or are part of a fraud scheme will prey on those unsuspecting and naive institutions first. In some cases, it could be an independent broker or business who is the target of a sophisticated and influential individual. They want to find a weak link in the institutions sales channel to gain access to a well known brand to leverage their scheme with new victims.

The criminal trial of ex-Refco Inc. Chief Executive Phillip R. Bennett and two other former executives has been postponed until March 2008, according to court transcripts.

During a telephone conference last month, U.S. District Judge Naomi Reice Buchwald delayed the trial of Bennett; Robert C. Trosten, Refco's ex-chief financial officer; and Tone N. Grant, the commodities broker's former president, until March 17. A transcript of the call was released publicly earlier this week.

The case was originally scheduled to go to trial in October.

The men are facing a variety of charges including conspiracy, securities fraud, bank fraud, wire fraud and money laundering.

Late Wednesday, the litigation trusts representing Refco's creditors announced they had sued Thomas H. Lee Partners LP in federal court in Manhattan, alleging the buyout firm uncovered red flags about Refco and its executives before the buyout firm's 2004 purchase of a controlling stake in Refco, but failed to follow up in hopes of profiting from Refco's initial public offering the next year. Lee has denied the claims.

13 August 2007

ESI: Authenticity of Evidence...

Legal opinions on the admissibility of evidence and electronically stored information (ESI) are becoming more prevalent and increasingly relevant to Operational Risk Management:

In Lorraine v. Markel, authentication of information is a key issue in the ruling. Maryland Courts Watcher caught this ruling and our eye recently. "In its 101 page opinion, the court dedicated at least 90 pages to providing extensive and detailed analysis and guidance on the interrelated evidentiary issues governing the admissibility of electronically stored evidence (ESI), including: analysis under Rule 104, relevance under Rule 401, authentication as required by Rule 901(a), effect of hearsay as defined by Rule 801 and any applicable exceptions, consideration of the form of the ESI being offered under the original writing rule and the admissibility of any secondary evidence to prove its content, and the probative value of the ESI considering potential unfair prejudice or one of the other factors identified by Rule 403."

Whether ESI is admissible into evidence is determined by a collection of evidence rules that present themselves like a series of hurdles to be cleared by the proponent of the evidence. Failure to clear any of these evidentiary hurdles means that the evidence will not be admissible. Whenever ESI is offered as evidence, either at trial or in summary judgment, the following evidence rules must be considered: (1) is the ESI relevant as determined by Rule 401 (does it have any tendency to make some fact that is of consequence to the litigation more or less probable than it otherwise would be); (2) if relevant under 401, is it authentic as required by Rule 901(a) (can the proponent show that the ESI is what it purports to be); (3) if the ESI is offered for its substantive truth, is it hearsay as defined by Rule 801, and if so, is it covered by an applicable exception (Rules 803, 804 and 807); (4) is the form of the ESI that is being offered as evidence an original or duplicate under the original writing rule, of if not, is there admissible secondary evidence to prove the content of the ESI (Rules 1001-1008); and (5) is the probative value of the ESI substantially outweighed by the danger of unfair prejudice or one of the other factors identified by Rule 403, such that it should be excluded despite its relevance.

Authenticity and the chain of custody of ESI will continue to be a major challenge for the general counsels of major corporations in the years ahead. Creating and maintaining trusted information through out the enterprise intersects policy, processes, people and technology. The legal risk associated with non-compliance and missed opportunities is a growing concern in executive management and Board of Directors meetings.

The explosion of information as early as 2001 started a process of discussions on the nexus of information security regarding data integrity and authenticity:

With the explosive growth of data exchange and the availability of access to services over the Web, the Trusted Information requirement is more and more an issue to providers and users of these services. Addressing this security issue, this volume is divided into eleven parts covering the essentials of information security technologies, including application-related topics, and issues relating to application development and deployment:

  • Security Protocols;
  • Smart Card;
  • Network Security and Intrusion Detection;
  • Trusted Platforms;
  • eSociety;
  • TTP Management and PKI;
  • Secure Workflow Environment;
  • Secure Group Communications;
  • Risk Management;
  • Security Policies;
  • Trusted System Design and Management.

Companies like IBM have been talking to clients about trusting their information for decades. However, when the discussions turn to litigation and admitting information stored on hard disks, dvd's, USB Thumb Drives and the data on your VOIP phone system it all starts to become more complex than one could ever imagine. That complexity and the speed that courts are asking for responsive answers puts your legal risk in the center of the discussion.

Achieving a Defensible Standard of Care requires more than a savvy outside counsel. It demands an effective CIO, CSO and Records Manager working in combination with the hundreds of law firms you may have retained to address your ongoing litigation.

06 August 2007

Red Team: The Unknown Adversary...

As the dust settles on the details of the bridge collapse in Minneapolis, many states are in a review of their own critical infrastructure. What other bridges that also provide key fiber optic right-a-ways for telecom companies and crucial paths for other utilities could be at risk?

The investigation into the causes of the Minnesota bridge collapse may take as long as 18 months, the US National Transportation Safety Board says.
  • But while the exhaustive inquiry is set to last until 2009, computer technology may mean quicker answers than in past bridge collapses, officials say.
  • Debris from the eight-lane bridge, which collapsed at evening rush hour on 1 August, still blocks the Mississippi.
  • Five people have been confirmed dead and eight are unaccounted for.
  • Meanwhile, a state highway has been converted into a freeway in a bid to reduce commuter traffic disruption around Minneapolis following the destruction of what was the city's busiest bridge.
  • The timing of traffic signals has also been changed, new turn lanes have been created and access roads have been closed, while more city buses are running and car pooling is being encouraged.

When the analysis is done and the finger pointing is over, we will have one more example of why the public private partnership is essential for the future of government and business. Who owns the bridge? Who owns the utilities that use these bridges for the essential paths to service their customers? Organizations such as WashingtonDCFIRST, ChicagoFIRST and others around the the US are working on putting more emphasis on critical infrastructure resiliency.

Infragard in the Nations Capital or any of the other major metro areas is another example of how private business is interacting with government in the context of cooperation, coordination and connecting tens of thousands of subject matter experts. The people who can make a difference long before an incident or minutes after one occurs can be found in each of these local chapters. How the local community takes advantage of these resources is up to leadership.

Anticipating risks and potential threats to critical assets takes a "Red Team" mentality. Communities and companies need to be training, planning and adapting to all hazards whether they be the structural failure of a bridge or the next attack on the homeland. Having this mentality can save lives and dollars through the continuous exercise and approach to discovering and repairing vulnerabilities:

The ability to anticipate an opponent’s intent is critical to many forms of planning, analysis, design, and operations. While this need is recognized in the military and intelligence communities, infrastructure providers and first responders find themselves on the front line facing a range of potential threats that in many cases exceed the defenders’ direct experience.

Critical infrastructures and key resources are so vital to our national security that their incapacity or destruction would have a debilitating impact on the defense, economic security, public health or national confidence of the United States.

Critical infrastructures are physical and cyber-based systems that are essential to the minimum operations of the economy and the government.