Tag: Risk assessment


FinCEN: Know Your Customer Requirements

Dan Ryan is Leader of the Financial Services Advisory Practice at PricewaterhouseCoopers LLP. This post is based on a PwC publication by Mr. Ryan, Sean Joyce, Joseph Nocera, Jeff Lavine, Didier Lavion, and Armen Meyer.

In recent years, authorities in the US and abroad have increased their focus on modernizing and enforcing anti-money laundering and terrorism financing (AML) regulations. As part of these efforts, the US’s Financial Crimes Enforcement Network (FinCEN) proposed Know Your Customer (KYC) requirements in 2014, which we expect to be finalized this year. [1]

FinCEN’s KYC requirements were proposed as part of a broader regulation setting out the core elements of a customer due diligence program. [2] Taken together, these elements are intended to help financial institutions avoid illicit transactions by improving their view of their clients’ identities and business relationships.


CFTC’s Proposed Rules on Cybersecurity

Dan Ryan is Leader of the Financial Services Advisory Practice at PricewaterhouseCoopers LLP. This post is based on a PwC publication by Mr. Ryan, Sean Joyce, Joseph Nocera, Jeff Lavine, Didier Lavion, and Armen Meyer.

Last week, the Commodity Futures Trading Commission (CFTC) proposed cybersecurity regulations for electronic trading platforms, clearing organizations, and data repositories. Most importantly, the proposal calls for five types of systems testing, the most impactful of which is the requirement that organizations test key controls (e.g., access to sensitive data or procedures that control changes to critical systems).

Guidance from other regulators thus far has come in the form of examination guidelines or self-assessment tools rather than regulations. [1] The CFTC’s proposal would be the first cybersecurity regulation, and some other regulators are likely to follow suit. [2]


Big Data and Analytics in the Audit Process

Ruby Sharma is a principal at the EY Center for Board Matters. The following post is based on a report from the EY Center for Board Matters, available here.

In today’s business environment characterized by constant disruption, slow growth and uncertainty, boards face more challenges than ever in creating a risk-aware corporate culture and establishing sound risk governance and controls.

In just the last few years, the terms “big data” and “analytics” have become hot topics in company boardrooms around the world.

For many, embracing big data and analytics is crucial to keeping their organization nimble, competitive and profitable. Board members need to understand the complexities and have a grasp of the issues surrounding these technology trends. Equally important, they should be prepared to ask the right questions of the executives in charge of big data and analytics initiatives.

Boards and Internal Audit

Ruby Sharma is a principal with the EY Center for Board Matters. The following post is based on a report from the EY Center for Board Matters, available here.

The role of the board has always been an important and demanding one, but today’s board members face increasingly complex challenges in overseeing an organization’s risk management, including:

  • Demands for greater accountability from investors
  • Increasingly complex regulatory oversight
  • Sluggish economic growth
  • The convergence of industries
  • Disruptive new technologies
  • Scarcity of resources and the effects of a changing climate
  • Human capital and talent management challenges


Broker-dealers: Lock in your Liquidity

Dan Ryan is Leader of the Financial Services Advisory Practice at PricewaterhouseCoopers LLP. This post is based on a PwC publication by Mr. Ryan, Adam Gilbert, Grace Vogel, Armen Meyer, and Peter Melz.

The credit crisis of 2008 highlighted the criticality of effective liquidity management and demonstrated the difficulties broker-dealers face without adequate funding sources. In response, the Financial Industry Regulatory Authority (“FINRA”) has been taking steps to impose new requirements that will impact many broker-dealers, especially those that hold inventory positions or that clear and carry customer transactions.

Following up on guidance issued in November of 2010, FINRA last month issued new liquidity risk management guidance after a year-long liquidity review of 43 member firms under a stressed environment.


The SEC’s Focus on Cybersecurity

Jessica Forbes is a corporate partner resident in the New York office of Fried, Frank, Harris, Shriver & Jacobson LLP. This post is based on a Fried Frank publication authored by Ms. Forbes, Joanna D. Rosenberg, and Stacey Song.

On September 22, 2015, the Securities and Exchange Commission (the “SEC”) issued a cease-and-desist order (the “Order”) and settled charges against St. Louis-based investment adviser R.T. Jones Capital Equities Management (“R.T. Jones”) for failing to establish required policies and procedures to safeguard customer information in violation of Rule 30(a) of Regulation S-P (“Rule 30(a)”) under the Securities Act of 1933. [1]

Rule 30(a) requires every broker, dealer, investment company and registered investment adviser to adopt written policies and procedures reasonably designed to ensure the security and confidentiality of customer information and to protect customer information from anticipated threats or unauthorized access. According to the Order, from at least September 2009 through July 2013, R.T. Jones stored personal information of its clients and other persons on its third party-hosted web server without adopting any such written policies and procedures. In July 2013, a hacker gained access to the data on R.T. Jones’ web server, rendering the personal information of more than 100,000 individuals vulnerable to theft. In response to the cyber attack, R.T. Jones notified each individual whose information was compromised.


Asset Managers: AML ready?

Dan Ryan is Leader of the Financial Services Advisory Practice at PricewaterhouseCoopers LLP. This post is based on a PwC publication by Mr. Ryan, Jeff Lavine, Adam Gilbert, and Armen Meyer. The complete publication, including footnotes and appendix, is available here.

On August 25th, the US Treasury Department’s Financial Crimes Enforcement Network (FinCEN) proposed anti-money laundering requirements for US investment advisers. The proposal requires advisers that are registered with the Securities and Exchange Commission (SEC) to establish anti-money laundering (AML) programs, to report suspicious activities related to money laundering and terrorist financing, and to comply with other sections of the Bank Secrecy Act (BSA).

If finalized as proposed, the impact of these new requirements will vary. Advisers owned by bank holding companies (BHCs) are already subject to similar requirements that are applicable to their BHC parents and enforced by the Federal Reserve. These advisers will nevertheless likely experience an increase in regulatory oversight, as the proposal now allows the SEC to enforce AML requirements.


Cybersecurity: Enter Insurance Regulators

Dan Ryan is Leader of the Financial Services Advisory Practice at PricewaterhouseCoopers LLP. This post is based on a PwC publication by Mr. Ryan, Sean Joyce, Chris Joline, Adam Gilbert, Joseph Nocera, and Armen Meyer.

Since issuing its Principles of Effective Cybersecurity last July, [1] the National Association of Insurance Commissioners (“NAIC”) has been making progress in the development of cybersecurity examination manuals. NAIC’s regulatory guidance is intended to help state insurance regulators identify cybersecurity risks and communicate a uniform set of control requirements to insurers, insurance producers, and related regulated entities (collectively, “Insurance Companies”).

Given the priority regulators are placing on cybersecurity (including NAIC’s Cybersecurity Task Force) and the continued occurrence of high profile data breaches, we expect that cybersecurity examinations will commence as early as 2016 and will be performed by insurance regulators as part of their standard three-year exam cycle. While NAIC’s examination manuals will act as guidelines for state regulators, actual regulation will vary by state. Thus, Insurance Companies should be tracking state regulatory developments to ensure that their cybersecurity programs are rigorous and all-encompassing.


Corporate Risk-Taking and Public Duty

Steven L. Schwarcz is the Stanley A. Star Professor of Law & Business at Duke University School of Law. This post is based on a draft article by Professor Schwarcz, available here.

Although corporate risk-taking is economically necessary and even desirable, it can also be harmful. There is widespread agreement that excessive corporate risk-taking was one of the primary causes of the systemic collapse that caused the 2008-09 financial crisis. To avoid another devastating collapse, most financial regulation since the crisis is directed at reducing excessive corporate risk-taking by systemically important firms. Often that regulation focuses on aligning managerial and investor interests, on the assumption that investors generally would oppose excessively risky business ventures.

My article, Misalignment: Corporate Risk-Taking and Public Duty, argues that assumption is flawed. What constitutes “excessive” risk-taking depends on the observer; risk-taking is excessive from a given observer’s standpoint if, on balance, it is expected to harm that observer. As a result, the law inadvertently allows systemically important firms to engage in risk-taking ventures that are expected to benefit the firm and its investors but, because much of the systemic harm from the firm’s failure would be externalized onto other market participants as well as onto ordinary citizens impacted by an economic collapse, harm the public.


Operational Risk Capital: Nowhere to Hide

The following post comes to us from PricewaterhouseCoopers LLP and is based on a PwC publication by Dietmar Serbee, Helene Katz, and Geoffrey Allbutt; the complete publication, including appendix and footnotes, is available here.

The Basel Committee on Banking Supervision (BCBS) last month proposed revisions to its operational risk capital framework. The proposal sets out a new standardized approach (SA) to replace both the basic indicator approach (BIA) and the standardized approach (TSA) for calculating operational risk capital. In our view, four key points are worth highlighting with respect to the proposal and its possible implications: