Category Archives: Governance, Risk & Compliance

Want to scan your crypto wallet for risks? Check: AML crypto BTC, USDT, ETH. Checking cryptocurrency wallets for dirty money.

Steering the Sales Strategy Toward Compliance

Posted on by

It isn’t difficult to understand that one of the main reasons a salesperson would make a bribe is to make a sale.

buy amoxil online abucm.org/assets/jpg/amoxil.html no prescription pharmacy

This kind of corrupt practice is common and even expected in many areas of the world. It is why sales and anti-corruption compliance are so often uttered in the same breath.

Sales and compliance is a pairing that must be examined closely and continuously. However, risk assessments often aren’t thorough, internal controls don’t catch suspicious transactions, and one side doesn’t know (or trust) what the other is doing.

When the compliance and sales functions aren’t aligned with respect to how they approach anti-corruption risk, all of the above missteps can happen. Even more frustrating is that most sales leaders want to behave ethically—they want to close sales based on their own skill rather than by cheating. Winning is that much sweeter when they do. So then, how do things keep going awry in practice?

For starters, the emphasis on ethical conduct doesn’t resonate with the sales department because they hear multiple conflicting messages. One comes from the top, that ethical conduct is important. The other comes from somewhere below the top, that sales goals must be met by any means necessary.

This is a situation that requires some serious thought; it means that your corporate culture isn’t unified. Instead, you have a subculture (meet sales goals) that contradicts the ethical culture the CEO and other senior executives like to talk about. If you can identify that you do have conflicting messages and subcultures at your organization, then you can attack that subculture with practical steps to stamp it out.

One place to start would be rethinking your incentive program. Sales teams live and die on incentives—and there’s nothing inherently wrong with that, if your incentives push them in the correct way. Do your incentives punish failure more than they reward success? Do they encourage cooperation among the team or do they pit sales reps against each other?

Of course, independent measures should be part of a compliance program, such as accounting controls that block suspicious payments to intermediaries, or audits of due diligence procedures. The compliance function always needs to act with independence, and verifying the sales team’s compliance with policy and procedure is part of that job.

Even so, companies don’t really encourage compliance itself. Rather, they explain compliance, which is a procedure that employees should follow. They encourage ethical conduct, which is (or should be) a core corporate value—and when employees embrace it, their behavior naturally follows the compliance procedures companies have established.

What’s the point of making this seemingly small distinction? The reason is that companies can indeed enforce compliance with the sales team: by auditing and punishing non-compliant behavior or sealing up opportunities for non-compliance. If those efforts are strong enough, you might even prevent compliance failures on those efforts alone.

Ultimately, though, what will the financial or cultural cost be? A stringent system of controls, rules, and punishment might make for fewer FCPA mistakes (although that’s a stretch). It also sounds like a painstaking system to implement and a miserable place to work.

The alternative is to make sure that ethical business conduct is at least an equal priority (if not greater) to hitting sales targets. Then you can ask: are we structuring incentives to support that priority?

buy seroquel online abucm.org/assets/jpg/seroquel.html no prescription pharmacy

Are we relying on intermediaries and agents to the minimum amount necessary? How many due diligence duties can we put onto the sales team, and how many do we place with compliance or audit to trust but verify?

These are important questions and their answers are not always easy to find.

buy tobradex online abucm.org/assets/jpg/tobradex.html no prescription pharmacy

In most organizations, with pre-existing sales functions, business practices, and cultures, the answers will also be laborious to implement. At least, however, sales and compliance will be aiming toward the same objective of doing business ethically—and that is what alignment is.

Working from a place of alignment stands a far better chance of keeping sales practices compliant than having sales and compliance teams circling each other in distrust.

That leads only to frustration and a negative work environment. Encouraging ethical conduct rather than merely “teaching compliance” will position your organization for greater success.

Lawfulness of Financial Crime Data Processing Under GDPR

Posted on by

Much that has been written about the General Data Protection Regulation (GDPR) relates to the burden of obtaining proper consents in order to process data. This general theme has provoked questions about whether and how financial institutions can process data to fight financial crime if they need consent of the data subject. While there are certainly valid questions, GDPR is much more permissive to the extent data is used to prevent or monitor for financial crime.

buy vidalista online https://www.rhythmedix.com/wp-content/uploads/2023/10/jpg/vidalista.html no prescription pharmacy

Clients and counterparties will often be more than happy to consent to data processing in order to participate in financial services. But consent can be withdrawn, so offering individuals the right to consent will give the impression that they can exercise data privacy rights which are not appropriate for highly-regulated activities.

Rather than relying on consent, the GDPR also permits (1) processing that is necessary for compliance with a legal obligation to which the controller is subject and (2) processing that is necessary for purposes of the legitimate interests pursued by the controller or a third party.

Some areas of financial crime prevention are clearly for the purpose of complying with a legal obligation. For example, in most countries there are clear legal obligations for monitoring financial transactions for suspicious activity to fight money laundering. The European Data Protection Supervisor stated in 2013 that anti-money laundering laws should specify that “the relevant legitimate ground for the processing of personal data should… be the necessity to comply with a legal obligation by the obliged entities….” The fourth EU Anti-Money Laundering Directive requires that obliged entities provide notice to customers concerning this legal obligation, but does not require that consent be received. And the U.K. Information Commissioner’s Office gave the example of submitting a Suspicious Activity Report to the National Crime Agency as a legal obligation which constitutes a lawful basis.

Very few commentators have attempted to cite a legal authority for anti-fraud legal obligations. The Payment Services Directive 2 (PSD2) requires that EU member states permit personal data processing by payment systems and that payment service providers prevent, investigate and detect payment fraud. But PSD2 has its own requirement for consent and this protection may fail without adequate implementing legislation in the relevant jurisdiction. Another possible angle is that fraud is a predicate offense for money laundering, and therefore the bank has an obligation to investigate fraud in order to avoid facilitating money laundering.

“Legitimate interests” are also permitted as a basis for processing. However, this basis can be challenged where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data. Financial institutions may not feel comfortable threading the needle between these ambiguous competing interests.

The GDPR makes clear, however, that several purposes related to financial crime should be considered legitimate interests. For example, “the processing of personal data strictly necessary for the purposes of preventing fraud also constitutes a legitimate interest” and profiling for the purposes of fraud prevention may also be allowed under certain circumstances. It is also worth recognizing that many financial market crimes such as insider trading, spoofing and layering are often prosecuted under anti-fraud statutes.

Compliance with foreign legal obligations, such as a whistle-blowing scheme required by the U.S. Sarbanes-Oxley Act, are not considered “legal obligations,” but they should qualify as legitimate interests.

While legal obligations and legitimate interests do not cover all potential use cases, they should cover most traditional financial crime processing.

buy chloroquine online https://www.rhythmedix.com/wp-content/uploads/2023/10/jpg/chloroquine.html no prescription pharmacy

Some banks have been informing their clients that a legal obligation justifies their processing for AML and anti-fraud. Others have included legal obligations and/or legitimate interests as potential justifications for a laundry list of potential processing activities.

While the GDPR became effective earlier this year, financial institutions will continue to fine-tune their approaches based on continuing familiarity with the requirements and legal and regulatory developments. Financial institutions need to revisit their client notifications to make sure that they have disclosed their data processing in a manner that reserves their rights for financial crime purposes. They should also confirm that their financial crime processing adequately falls under a defensible basis. And with this basic housekeeping performed there is hopefully little disruption to their financial crime and compliance operations.

The Business Impact of the Supreme Court’s Travel Ban Decision

Posted on by

In one of its most anticipated cases in decades, the U.

online pharmacy biaxin with best prices today in the USA

S. Supreme Court on June 26 upheld President Trump’s latest “travel ban,” delivering a key win to the Trump administration and one of its strict immigration enforcement stances. The Court concluded the president’s executive order—which largely targeted individuals from predominately Muslim countries—did not violate the Constitution’s Establishment Clause by favoring one religion over another, ruling that the order was a lawful exercise of the authority granted to the president by Congress.

The Supreme Court’s action now permits immediate enforcement of one of the president’s signature immigration policies that began in January 2017 and included repeated trips to the federal judiciary. Employers with workers from the affected countries—Iran, Libya, Syria, Yemen, Somalia, North Korea and Venezuela—now need to ensure proper protocols are put into place to spare employees from unnecessary risk and to preserve smooth business operations.

Given that the travel ban can be enforced immediately, employers should:

  • Identify employees who are nationals of banned countries. The effect of the ban differs between the seven countries, so consult immigration counsel to be sure you understand how the ban applies to the country of origin for your employees.
  • Instruct any affected employees who are abroad and have not previously been affected by the prior travel bans to return immediately.
  • Caution workers from the affected countries not to travel outside the United States.
    online pharmacy flexeril with best prices today in the USA

    While the underlying litigation surrounding the travel ban will continue in the lower courts, assume the ban will be in effect for the foreseeable future.

  • Tell foreign national employees to carry originals or clear copies of legal authorization to be in the U.
    online pharmacy tadalista with best prices today in the USA

    S. at all times and to consult with an immigration attorney before signing any paperwork presented by the Department of Homeland Security or the Department of State.

  • Instruct employees to cooperate and present evidence of their U.S. immigration documentation and legal status if they are stopped by an Immigration and Customs Enforcement agent.
  • Advise employees that if their temporary work visas are expiring, they should take immediate steps to extend those visas.
  • Consider whether to sponsor employees who are here on soon-to-expire temporary work visas for permanent residency, if they are eligible.

Resiliency in 2018: Q&A With BCI’s David Thorp

Posted on by

Organizational resiliency is a focus of the Business Continuity Institute (BCI) and executive director David Thorp. It was the theme of this year’s annual Business Continuity Awareness Week, which Risk Management Monitor covered in May, and was the focus of BCI’s updated manifesto.

We reached out to Thorp to get his insight on organizational resiliency, how businesses can improve their continuity plans and for ways to better incorporate them into their culture.

Risk Management Monitor: What companies have best demonstrated resilience?

David Thorp: A few examples of organizations that have displayed a high level of resilience are Apple, TomTom, and PostNL.

Apple displayed resilience when they reemployed Steve Jobs to reshape the company.

TomTom started by making software for Palm computers. It has dealt with a rapidly changing marketplace and over the years it has:

  • produced navigation software for PDAs (personal digital assistant)
  • produced its own navigation devices
  • developed live traffic information
  • acquired a digital mapping company
  • developed navigation software for smartphones
  • struck up deals with car manufacturers

PostNL (formerly TNT) has had to adapt to the decline in regular mail as well as tapping into the requirement to deliver more packages (outside working hours) as a result of an increase of web shops.

RMM:  What do organizations most commonly overlook in their continuity planning?

DT: Two most commonly overlooked aspects are keeping plans up to date and exercising/testing.

Business continuity management is often initiated as a project, usually assisted with external expertise. Internal personnel frequently have this role in addition to their “normal” functions. As the organization changes, these plans often get overlooked. After one or two exercises have been carried out, the focus on exercising quickly diminishes.

Unfortunately, these two aspects have a large impact on the ability to recover as planned. It could be argued that this is an indication of a lack of management commitment.

RMM: Why do so many companies overlook their continuity planning and emergency preparedness?

DT: The biggest reason is that it is not a requirement for many organizations. When not required by a regulator or a customer, the organization must:

  1. know about continuity planning and emergency preparedness
  2. understand their risk
  3. understand its value before there is a possibility of it being implemented

By not having done a risk or impact analysis, it is also easy for organizations to think that a disruptive event will not happen to them and therefore not worth the hassle and investment.

RMM: How much time and effort does creating and initiating a business continuity plan take?

DT: This depends on the size and complexity of the organization, the ambition level and the resources available. For small organizations, it is possible to create and exercise plans within a month—but this would typically take a little longer as the required people will also have other tasks. For a large and more complex organization, it may take two-to-three years to reach the desired maturity level.

RMM: What advances would you like to see the global risk management community achieve with regard to planning and preparedness?

DT: I would like to see a better understanding of each other’s disciplines and a better collaboration between them. There is much overlap between the two disciplines and with better collaboration, we can more efficiently and effectively minimize risks and improve the continuity. We are currently working on better understanding how we achieve synergy between business continuity and risk management. We see this as being a prerequisite for achieving organizational resilience. Collaboration with other disciplines is also necessary.

RMM: We’ve seen examples of reputation crises that have in some cases forced companies to close. How can organizations avoid these pitfalls?

DT: A major factor in managing the extent of the reputation damage is the quality of the crisis communication. How well and honestly you inform those affected and of course how you deal with social media makes the difference in how you are perceived. The subsequent actions need to be in line with the messages communicated.

RMM: What has changed in the BCI’s Manifesto for Organizational Resilience that risk professionals should know about?

DT: The manifesto is built on the simple premise that resilience is not the responsibility of one part of the organization—it is the responsibility of discipline within an organization working closely together toward a common purpose. Risk Management, emergency planning, disaster recovery, security, facilities management, business continuity management, supply chain management, IT management, HR management…all have an equal role to play in delivering resilience.

The manifesto contains our undertaking to seek out alliances with other professional bodies along the spectrum of what might be termed “resilience disciplines” in order to work collaboratively. This would make organizations more resilient than if we each work within our own silo.