ForteBank CCO Timur Mussin continues a discussion on the real cost of noncompliance with a look at the various penalties – reputational, financial and otherwise – associated with regulatory violations.
Read Part 1 here.
As part of fierce competition, organizations are improving their products and services, including through innovative solutions. At the same time, without considering the compliance and money laundering risks associated with these decisions, it is highly likely that the organization may encounter problems caused by insufficient elaboration of a new product or service, which in turn will entail sanctions by the regulator or complaints and lawsuits by clients.
An innovative product can bring significant profit to an organization, which can exceed the size of potential fines, but it can also deprive the organization of a license and the ability to continue to work in the market if certain regulations aren’t followed during its production.
For example, the risks of trading cryptocurrency are mainly related to its volatility and anonymity. They are high risk and speculative, and it is important that you understand the risks before you start working with it. By the way, crimes associated with cryptocurrency accounted for more than $4 billion in loss in 2019.
Risks specific to cryptocurrency and other products should be taken into account as much as possible. The task of a compliance officer is to find vulnerabilities for the company and take measures to minimize risk or de-risking, including by refusing to work with a new product. For this, the compliance officer should take an active part in agreeing on new products and have a clear picture of all available and potential products, with the aim of periodically reviewing them and identifying compliance risks.
Western countries’ stock markets are shocked by frequent news of fabulous fines for divulging insider information – high-profile cases, speeches of representatives of the Securities Commission, seven-figure fines. Disclosure of insider information carries risks for the owner and object of this information, which may result in insider trading.
In world practice, insider trading refers to transactions with stocks, bonds and other securities, including derivatives based on insider information (i.e., information that is kept confidential from the public).
In most countries, insider trading is illegal because it violates the principles of information security, competition and fair trade. Insiders may be held administratively and even criminally liable for violation of the above standards, including in relation to the illegal disclosure, transfer and use of insider information or transactions based on such information. Lack of control over the disclosure of this information will inevitably lead to dire consequences for all market participants: the organization, its owners and customers.
Consider, for example, when the owner of the Galleon Group was sentenced in 2011 to 11 years in prison and fined $53 million for using insider information. Also, about 50 people were somehow found guilty of what was happening in this organization.
Given the above, the compliance officer should maintain an insider information control system at an adequate level, including through the development of internal procedures, the creation of Chinese walls, maintaining lists of insiders and providing interested parties with information about the importance of observing the requirements regarding the safety of insider information and the serious consequences for their violation. The above case can be a good example for this purpose.
The Lack of Customer Data Protection
Organizations must ensure the security of data received from clients, since the lack of control over such information and its unlawful disclosure will almost certainly entail questions from the regulator or claims from customers. Of course, organizations can — and most likely even should, in order to improve the quality of service — use this information to determine the profile of the client and provide the products and services necessary only for the client, but the information’s protection from third parties should be the most important task.
Without proper customer data protection, organizations run the risk of an outflow of customers disappointed in the false reliability of the organization, as well as administrative and even criminal liability.
The Federal Commissioner for Data Protection and Freedom of Information fined a provider of telecommunications services 1&1 in the amount of €9.55 million for insufficient authorization procedures and failure to comply with article 32 of GDPR, which relates to having the appropriate technical and organizational measures to protect data privacy whilst processing personal data.
An even larger penalty had previously been applied to real estate company Deutsche Wohnen SE for limitations in implementing a GDPR-compliant data storage system.
It is also worth recalling the French National Data Protection Commission’s fine of €50 million to Google for not providing sufficient information to users about their consent policies for data transfer and lack of sufficient control over how their information is used.
The employee responsible for GDPR must take measures to check the current situation in the organization and to eliminate gross violations of the basic principles of GDPR (if any). The first important step is to develop an effective system for collecting and storing personal data, as well as checking for the necessary consent from customers. A second important step is also to educate your employees about GDPR requirements and develop internal guidelines to promote compliance with the GDPR.
The above is relevant both for companies from the European Union and companies from other countries working with EU residents.
Violations of Extraterritorial Laws
The United States Foreign Account Tax Compliance Act (FATCA) is designed to discourage tax evasion by U.S. citizens and residents. The law is also extraterritorial in nature and applies to many countries of the world that, within the framework of certain interaction models, send information about U.S. citizens and residents who have accounts in their organizations to the U.S. Internal Revenue Service.
Depending on the model of participation, organizations are required to send information to the IRS directly or through local tax authorities. Similar requirements come from the global version of FATCA, the Common Reporting Standards (CRS), in which citizens of other countries become the object of information exchange. In April 2019, the IRS announced that it was tightening compliance with FATCA requirements.
An organization working with foreign banks may encounter a number of problems if it does not comply with these requirements (or other similar requirements), which may lead to the termination of business relations with counterparties, the closure of the organization’s business in certain countries or, for example, fines totaling 30 percent of all the organization’s transactions.
Accordingly, the organization has two options: to leave everything to chance and hope that the IRS does not detect a violation (of course this is a very bad option) or designate an experienced employee responsible for compliance issues who will monitor the implementation of standards for these facts, including registration on the website the IRS will review, the procedures for obtaining the necessary information from customers and providing information to the IRS, etc.
Withdrawal of Assets
In world practice, the concept of an “affiliated person” has become quite widespread. This term refers to individuals and legal entities that, due to certain relationships, are able to influence the activities of others. Relationships can be either familial or of the business variety (e.g., through ownership of a joint business or through an employment contract).
For transactions of legal entities with affiliates, additional requirements and restrictions are applied to protect the organization and its customers from possible negative consequences caused, for example, by conspiracy of affiliates to each other. Lack of control over this issue may lead to the withdrawal of assets from organizations and corruption crimes for state and quasi-state organizations.
Affiliates often have access to inside information and can influence the decisions of others; therefore, their operations are more closely regulated. It is important for the compliance officer to provide mechanisms that will make it clear that transactions with affiliates are concluded on market conditions and by decision of the organization’s top management.
International sanctions are a popular tool in modern politics and economics. Through sanctions, some states try to punish their opponents in the political game, and companies destroy their competitors in the war for the client and the market. Often, sanctions are designed to remove an opponent from new technologies, which are an important development tool and the key to a successful future. Obviously, a country or organization without innovation and modern solutions has bleak prospects for the future.
The political situations in different parts of the world dictate their own rules of the game, which should be taken into account. For example, a significant number of large Russian organizations have been included in the U.S. sanctions lists since 2014. The initiators of international sanctions are various international organizations and states. Of the main ones, the UN Security Council sanctions are binding on all members of this organization, as well as U.S. and European Union sanctions, which – due to their actual extraterritoriality – are also binding on organizations doing business with organizations from the United States and the European Union.
The Office of Foreign Assets Control (OFAC) has fined a number of companies in recent years for violating sanctions. UniCredit was fined $ 611 million for violating sanctions programs against Burma, Cuba, Iran, Libya, Sudan, and Syria. In particular, organization processed payments to or through the United States in a manner that did not disclose underlying sanctioned persons or countries to U.S. financial institutions which were acting as financial intermediaries. Previously, the London-based Standard Chartered Bank was fined $ 657 million for operations that contradict the requirements of sanctions programs against Iran, Sudan, Zimbabwe and other countries.
Given the brutal measures taken by government departments regarding international sanctions, organizations should have a clear policy regarding international sanctions, understand their impact on the organization’s activities and be able to assess the risks associated with it. In practice, this issue can be covered by appointing the person / unit responsible for monitoring the implementation of sanctions, the Know Your Customer procedure that works correctly, and special software that allows all parties to the operations to be checked for compliance with the UN resolutions, OFAC, EU and other countries.
If this is not the case, most likely their foreign colleagues will stop working with the organization, for whom the execution of the data is mandatory according to the requirements of the law or internal documents, or even worse, the organization will itself get on the sanction lists for malicious violation of the sanctions programs.