460 likes | 482 Views
Join us for a presentation on the critical compliance issues in the financial industry, including bank supervision, BSA/AML developments, FCPA enforcement, and ban-the-box laws. Presented by Berkeley Research Group and the ACC Financial Services Committee.
E N D
Play to Win Code: MYMSURVIVOR 703 - Compliance Land Mines in the Financial Industry Presented jointly by Berkeley Research Group and the ACC Financial Services Committee Miriam Lefkowitz Chief Legal Officer Summit Financial Resources, Inc./ Summit Equities, Inc. David Abshier Managing DirectorBerkeley Research Group Emre Carr Director Berkeley Research Group
2016 ACC Mid-Year MeetingSession 703 – Compliance Landmines in the Financial IndustryApril 12, 20162:40 p.m. – 3:55 p.m.
ModeratorEmre Carr, Director Managing Director, Berkeley Research Group (BRG) Panelists: David E. Abshier, Managing Director, Berkeley Research Group (BRG) Jonathan Halpern, Partner, Foley & Lardner, LLP Miriam Lefkowitz, Chief Legal Officer, Summit Financial Resources, Inc./Summit Equities, Inc. 2
3 Bank Supervision vs GAAP/SEC BSA/AML – Critical Developments FCPA Onboarding/Employment Ban the Box HIPAA Unfair, Deceptive or Abusive Acts or Practices Challenges for Dually Registered BDs/IAs Privacy/Security/Books and Records/Cybersecurity JOBS Act Issues Relating to Seniors Overseas Issues in General DOJ Enforcement Priorities
Bank Supervision vs GAAP/SEC 4 • Reserves/Allowance for Loan and Lease Losses • Off-Balance Sheet exposures • Supervision Expansion • CFPB • Bleeding Down of “Best Practices” (Institutions below key thresholds) • Enforcement Actions • Public/Private Entities
BSA/AML – Critical Developments 5 • NYDFS • Capable Systems/Data Validations • Know Your Customer/Source of Funds • Geographic Targeting Orders (FinCEN GTOs) • Officer/Bank Liability
BSA/AML – Critical Developments (Continued) 6 • Correspondent Relationships • De-risk • Communicate, Communicate, Communicate – BSA/Operations/ Credit/Board • Independent Testing – review of top 20-50 Credit/Deposit Customers/Vendors
Aggressive Expansion of Foreign Corrupt Practices Act (FCPA) Enforcement 7 • FCPA • Criminal and Civil Liability • DOJ and SEC (issuer) jurisdiction • Expansive extensive of U.S. territorial jurisdiction • Provisions: • Anti-bribery • Books and records • Accounting controls • Liability for Third-Party Conduct • Narrow exceptions • Stringent criminal, civil, and administrative penalties
DOJ FCPA Enforcement Focus on Individual Prosecution for Perceived Corporate Misconduct 8 FCPA Pilot Program (April 5, 2016) Super “Mitigation Credit” Offered -- Companies encouraged “to disclose FCPA misconduct to permit the prosecution of individuals whose criminal wrongdoing might otherwise never be uncovered or disclosed to law enforcement” • Voluntary self-disclosure • Full cooperation, including • Disclose relevant facts attribute misconduct to specific sources, subject to privilege • Cooperate proactively • Identify involved third-party companies and individuals • Timely and Appropriate Remediation • Limited and Full Credit Options
Onboarding/Employment 9 • The Form U4 is a required documents for brokers, but seeks information (criminal histories, age) which raise HR issues. • 1099 vs. W2 representatives for brokers and advisers creates HR concerns • Non-solicit/non completes may violate FINRA Rule 2140 which prohibits interference with BD account transfers • Internal investigation requests for confidentiality (or separation agreements) may violation whistleblower rules • In the Matter of KBR, Inc. ADMINISTRATIVE PROCEEDING File No. 3-16466 (April 1, 2015) • Rethink how you deliver Upjohnwarnings
Ban-the-Box Laws: Overview 10 • State, county, and city laws that generally restrict employers from inquiring about an applicant’s criminal history in the early stages of hiring process • Intended to remove obstacles for individuals with arrest or conviction record • April 2016: 21 states and more than 100 cities and counties have adopted ban-the-box policies [Business Information Group] • Bans extended to cover private employers in several states (incl IL, MA, NJ) and cities (incl DC, NYC, Philadelphia, Seattle, SF)
Ban-the-Box Laws: Overview 11 • Variation in ban-the-box laws • Employers generally may conduct background checks, but later in the hiring process • E.g., after invited to interview or conditional offer of employment • Employers generally are not obligated to hire individuals with a criminal record • Applicants may still be excluded if employers are so required by federal or state law, for particular jobs, e.g.: • Specified positions in a financial institution • Airport security • Working with children or elderly • EEOC Guidance
Ban-the-Box Laws: FDIC Limitations 12 • FDIC Identification of Disqualifying Offenses • FDIA Section 19 applicable to federally-insured banks -- • (1) Applies to convictions/pre-trial diversion program for prospective employees in specified offenses involving: • Dishonesty • Breach of trust • Money laundering • (2) Bars (without prior FDIC written consent) such persons from: • Becoming or continuing as an affiliate of the bank • Owning or controlling, directly or indirectly, a bank • Participating, directly or indirectly, in the affairs of the bank
Ban-the-Box Laws: FDIC Limitations 13 • FDIC Section 19 Applies to: • FDIC-insured institutions • FDIC Institution-affiliated parties • Participants in the affairs of the FDIC-insured institution • Employees of FDIC-insured institution • FDIC Section 19 Does Not Apply to: • Employees of non-FDIC-insured institutions or to independent contractors, unless they are determined to be “de facto” employees of FDIC-insured institution • De Minimis exceptions • Bank subject to state and local anti-discrimination laws
HIPAA and Financial Services 14 • Privacy Rule • National Standards • Use and disclosure of PHI • Balance of important uses and privacy protection • Covered entities • Business Associate Services • Types of services • E.g., Financial, legal, consulting, accounting , management services
HIPAA and Financial Services 15 Business Associate Services and Functions • Types of services • E.g., Financial, legal, consulting, accounting , mgt services • Types of functions -- E.g., Claims processing, data analysis, utilization review, quality assurance, billing, practice management
HIPAA and Financial Services 16 • Business Associate • Providing services involving PHI to covered entity • Performing functions involving PHI for covered entity • HHS Examples (with access to PHI) • TPA assisting HCP • Accountant providing services to HCP • Lawyer providing services to HCP • Consultant performing certain reviews for hospital • Health care clearinghouse • Independent medical transcriber • PBM
HIPAA and Financial Services 17 • Business Associate • Is PHI accessible? • HCP enlisted by another HCP? • -- E.g., help hospital teach or train medical students • Software vendor? • Not for simply selling or providing software to covered entity as long as vendor does not have access to PHI • N.B.: except for hosting software with PHI • Reinsurer? • Not for simply selling a reinsurance policy to a health plan or paying claims • Related to providing reinsurance benefits?
HIPAA and Financial Services 18 • Financial Institutions: HIPAA Inapplicable • Traditional consumer financial transactions • Section 1179 payment processing activities excepted for banks and financial institutions • Examples: • Debit, credit or other payment processing transactions • Check clearing • ETFs • Transfer of funds to pay for health care/plan premiums • Takeaway re Section 1179 activities : • HIPAA rules and BA contract obligations inapplicable
HIPAA and Financial Services 19 • Financial Institutions: HIPAA Applicable • “Functions above and beyond the payment processing activities” • Examples: • Accounts receivable services for health care provider • Lockbox services • Services for covered entity involving billing or financial records that reflect PHI • Clearinghouse services (covered entity) • Converting PHI to standard electronic format for processing claim for payment
HIPAA and Financial Services 20 Financial Institutions Subject to HIPAA Liability: Requirements of A “Business Associate” • Documented comprehensive HIPAA privacy and security compliance system • Security risk assessment • HIPAA policies and procedures that cover use and disclosure of PHI • Adequate safeguards to deter, detect, and resolve security breaches • Business associate agreement (BAA) with more rigorous safeguarding provisions • Compliance with terms of BAA legally required
HIPAA and Financial Services 21 Business Associate Agreements for Financial Institutions The Requirements: • Mandatory and in writing • Contract with covered entities, subs with access to PHI • Required and permitted uses of PHI identified • Barred use or disclosure of PHI outside contract, except as required by law • Appropriate safeguards required to prevent unauthorized use of disclosure of PHI • Reasonable steps required by covered entity to cure breach or end violation where material
HIPAA and Financial Services 22 Business Associate Agreements for Financial Institutions The Requirements (cont): • Termination of contract where steps to cure or end violation are not successful • Required reporting to HHS OCR where termination is not feasible Other Issues: • Apportionment of risk • Indemnification • Liability limits • Notice provisions
HIPAA and Financial Services 23 Exposure for Financial Institutions Subject to HIPAA Liability: Increased monetary penalties Referrals to DOJ for criminal investigation Expanded jurisdiction extending to state attorneys general Increasing number of HHS audits No private right of action under statute Increasing number of state courts have allowed negligence actions based on allegations of HIPAA violation
Unfair, Deceptive, or Abusive Acts or Practices 24 • Customer Complaint Resolution • Compliance Committee – Board and Management • Organization Chart/Accountability Matrix • Agreements with Vendors/3rd Parties with Consumer Interaction • Compensation/Incentive Programs • “Lookback”/Remediation/Resolution
Unfair, Deceptive, or Abusive Acts or Practices (Cont.) 25 • Internal Control Monitoring • Internal and External Testing • Policies and Procedures • Training Materials • Products and Services • Marketing and Advertisements • Collection Scripts and Call Records (Including 3rd Party)
Challenges for Dually Registered BDs/IAs 26 Generally • BD rules and requirements are very detailed, often picayune • IA rules are very broad and principles-based • In the Matter of Barclays Capital Inc., Administrative Proceeding File No. 3-16154 (September 23, 2014)
Challenges for Dual Registrants – cont’d 27 • Custody • 15c3-3 and 206(4)-2 have different requirements • Can be a non-custodial IA but violate BD net capital rules • Licenses/registrations for offices and associated persons • Most associated persons of brokers must have at least one license to conduct certain business activities even if those activities can be conducted by advisers without such registration. • Locations at which many BD activities are conducted must be registered • Advertisements/Communications • FINRA rule 2210 is very different than 206(4)-1 • Acceptable IA communications may need to be filed with FINRA by a BD
Challenges for Dual Registrants – cont’d Challenges for Dual Registrants – cont’d 28 • Outside businesses • FINRA Rule 3270 and Form U4 vs. ADV 2B • Complying with one will not satisfy the other • Private investments • NASD Rule 3050/NYSE 407 and 204A-1 • Compensation • Fees and commissions on same assets • SEC and FINRA have differing views
Challenges for Dual Registrants – cont’d 29 • Supervision • FINRA rule 3110 • Conflicts of Interests • Where to start?!? • Annual reviews • FINRA 3110(c) and 206(4)-7 are very different • Recordkeeping • 17a-3 and 17a-4 are very different than 204-2
Privacy/Security/Books and Records 30 Caveat about sending password-protected documents in order to protect privacy – may run afoul of books and records
Cybersecurity - Data Protection & Management 31 • Practical Pointers • Prevention/Maintenance/Oh Damn! • Cybersecurity • Data Governance • Internal Control Monitoring and Independent Testing (Customers, Employees, Vendors)
FTC Privacy and Safeguard Rules for Financial Institutions 32 • Applies to companies “significantly engaged” in providing financial products or services • Limits disclosure on nonpublic personal information (NPI) to non-affiliated third parties • Companies to develop written information security plan to protect confidentiality and security of NPI • Companies to assess and address risks to customer information in all areas of operations • Companies to provide “clear and conspicuous” privacy and information-sharing notice to customers and to some consumers with “opt-out” rights
Cybersecurity Issues for Financial Institutions 33 • SEC and FTC Oversight • Dual Focus: • Firms -- duty to protect client data and personally identifiable information (PII) • Hackers – prevent misappropriation and trading on MNPI • The fundamentals: • Conduct cybersecurity risk assessment • E.g.., IRS alert re spoofing email scams • Periodic evaluation and monitoring • Implement written policies and procedures • Firewall protection • Encryption • Access rights and controls
Cybersecurity Issues for Financial Institutions 34 • The Fundamentals (cont) • Implement appropriate standards required to protect consumer data and PII • Mandatory antivirus software • Encryption (GLB Act, SEC Reg S-P) • Data loss management – transfers to and from external sources • Vendor management • Test for internal controls and reports necessary to • Ensure accuracy of financial results unaffected by any security breach (as part of cyberattack response plan) • Implement appropriate incident response • Mitigation • Reporting
Jumpstart Our Business Startups (JOBS) Act: Select Provisions 35 • Objectives: • Promote job creation and economic growth by easing access to capital markets for small businesses • Reduce regulatory burdens of SOX (for limited term) • Balance investor protection vs. improved access to capital • Emerging Growth Company (EGC) (Title I) • Under $1.0 billion in annual revenue • Remains EGC until earliest of four conditions • Eligible if first sale of registered equity securities was after December 8, 2011
Jumpstart Our Business Startups (JOBS) Act 36 • Regulatory Advantages for EGCs: • Less financial information required to be submitted to SEC • SEC confidential review of draft registration statement permitted before public filing • “Test the waters” communications permitted with Qualified Institutional Buyers and institutions if accredited investors • Underwriting banks permitted to present research reports during public offering • Conflict of interest/communication rules inapplicable • New, revised accounting standards not currently required • Auditors exempted from required attestation reports on EGC internal controls for financial reporting • Reduced requirements re executive compensation disclosure
JOBS Act: Title II 37 • Enhanced Access to Private Capital Markets Private Offerings: • Elimination of prohibition on general solicitation and advertising in private offerings • Securities required to be purchased only by QIBS or accredited investors • Reasonable measures required to ensure qualified purchasers
JOBS Act: Title III 38 “Crowdfunding” Exemption to Offer and Sell Securities: • Starts May 16, 2016 • Annual investment limits based on individual income and net worth • Offered through registered funding portal • Securities bought generally may not be resold for one year • Limited company disclosures to SEC, investors, and intermediaries • Ineligible companies • Non-U.S. companies • Reporting under Exchange Act • Non-compliant • Lacking business plan or merger/acquisition with unidentified company • SEC alert of investor risks
JOBS Act: Title VI 39 • Banks and Bank Holding Companies • Act increases threshold to 2,000 shareholders from 500 shareholders requiring banks and bank holding companies to register with the SEC • Registration and reporting obligations may be suspended if number of shareholders “of record” drops to below 1,200 • Consequence of de-registering: reduction in regulatory costs • “Going private” opportunities (below 1,200): • Stock repurchase, reverse stock split, etc. • Banks may be eligible to be an EGC
JOBS Act: Title VI 40 Banks and Bank Holding Companies (cont) • Banks may take advantage of crowdfunding to raise capital efficiently in small sums from large number of investors • Opportunity to increase customer base • Act eliminated prohibition against “general solicitation and general advertising” in specified private offerings where purchasers are accredited investors • Section 3(b) of Securities Act amended under JOBS Act to increase aggregate offering amount to $50 million (from $5 million) that SEC exempts
Issues Relating to Seniors 41 • Protecting seniors can raise other legal concerns • State and federal privacy laws • How to reach out to a family member/friend if you suspect diminished capacity? • How to reach out to a family member/friend if you suspect elder exploitation? • State “dignity” laws • Can you refuse to honor a POA that you think was given under duress?
Challenges and Risks For Companies with Operations Abroad 42 • Limited application of attorney-client privilege • Challenges to cooperation with DOJ/SEC • Identifying, collecting, and obtaining discovery • Witness interviews • Document reviews • Privacy laws • Employment laws • EU restrictions
Developments in Justice Department (DOJ) Law Enforcement Priorities for Corporations 43 • Principles of Federal Prosecution of Business Organizations (USAM, 9-28) • Yates Memo Modification of Principles (September 2015) • Individual accountability for corporate wrongdoing • Cooperation credit requires disclosure of all relevant facts re individuals’ involvement in corporate misconduct • DOJ investigations to focus on individuals from outset • DOJ civil and criminal attorneys to communicate routinely • No protection from individual civil/criminal liability in corporate resolution, absent extraordinary circumstances • Resolution of individual cases viewed along with corporate disposition • Individual’s ability to pay is not the sole factor in considering civil suit
QUESTIONS? 44 • DAbshier@thinkbrg.com • ECarr@thinkbrg.com • JHalpern@foley.com • MLefkowitz@sfr1.com
Play to Win Code: MYMSURVIVOR Thank you! Presented jointly by Berkeley Research Group and the ACC Financial Services Committee Miriam Lefkowitz Chief Legal Officer Summit Financial Resources, Inc./ Summit Equities, Inc. David Abshier Managing DirectorBerkeley Research Group Emre Carr Director Berkeley Research Group