
A PUBLICATION OF CHARTWELL COMPLIANCE | CHARTWELLCOMPLIANCE.COM OCTOBER 2020

Chartwell Compliance provides a one-stop shop of consulting, testing and outsourcing services in the areas of regulatory compliance, state MSB licensing, financial crimes prevention and enterprise risk management.

AML Transaction Monitoring and the Automated Silver Bullet, by Emmanuel Olivas
Love in the Time of COVID, by Veronika Foster
Oversight of Your Hemp Banking Program: The Periodic Focused Review, by Sharon Blanchette
Is your Compliance Program Stale?, by Sherry Tomac
What’s in a Name, by Melody Loudin
Louisiana - Next State to Require Virtual Currency Business License, by Melody Loudin
Facing Down Your Fears During A State Regulatory Exam, by Todd Jones, Christa Fazzi and Trish Lagodzinski
A Focused Take-a-Way From the FinCEN Files Issue, by Sharon Blanchette
Considerations for Updating your AML/OFAC Business Continuity Plan, by Sharon Blanchette
Fraud Prevention Platforms: An Evolution from Rules Engines to One-Stop-Shop, by Jamon Whitehead
Exciting Times Ahead for Coinme Inc., by Eddie Ponce
ERM Framework (COSO vs. OCEG) Which One Is Right for Fintechs?, by Brad Carter
NMLS Corner
Chartwell New Hires
Chartwell Shows You the Way
Services
Strategic Alliances

EDITORIAL STAFF
Daniel A. Weiss, President and CEO, [email protected]
Jonathan Abratt, Chief Operating Officer, [email protected]
Richard Davis, Corporate Services Director, [email protected]

CHARTWELL COMPASS | OCTOBER 2020 1 CHARTWELLCOMPLIANCE.COM

AML Transaction Monitoring and the Automated Silver Bullet
By Emmanuel Olivas, CAMS

"If I switch to the ComplyMagician 3000 software, all my monitoring and customer risk rating issues will be solved!" I’ll be honest, I’ve been guilty of falling into this type of mind trap, and if you’ve been exasperated by manual monitoring or waves of false positive alerts, then maybe you have too. Surprisingly, this strategy has also been adopted by executive leadership in hopes of reducing its compliance expenses. Neither of these scenarios is unreasonable or flawed in its logic. Think about it; a computer with more RAM or cores for performance should ultimately save you time and money in the long run. However, the truth is much more complicated.

Let me not bury the lead; there is no silver bullet or foolproof anti-money laundering (“AML”) monitoring software. Every AML system is going to cost you resources and there will be no guarantee that it will save your skin in an examination. Worse still, your AML software solution can actually become the impetus for a cease-and-desist or civil money penalty. But why?

The Problem

The biggest issues with AML monitoring software aren’t the software, per se; it’s largely the financial institution and its users. Here are the biggest reasons why:

Garbage In, Garbage Out

Data quality is the single largest enemy to any monitoring system. Is every customer’s primary address being spelled correctly with no zip code miskeys? Is your institution accurately collecting NAICS¹ for its business customers, if at all? Are you collecting occupation for your individual customers? If you answered no to any of these questions, your software vendor and compliance staff are going to have a difficult time accurately identifying high risk customers. Any one of these scenarios will cause the system to overlook a money services business (“MSB”), a HIFCA/HIDTA² customer, or duplicate household party groups.

1 The North American Industry Classification System (NAICS) is the standard used by Federal statistical agencies in classifying business establishments for the purpose of collecting, analyzing, and publishing statistical data related to the U.S. business economy.

2 HIFCA stands for "High Intensity Financial Crime Area"; these high risk areas were first announced in the 1999 National Money Laundering Strategy and were conceived in the Money Laundering and Financial Crimes Strategy Act of 1998 as a means of concentrating law enforcement efforts at the federal, state, and local levels in high intensity money laundering zones. The High Intensity Drug Trafficking Areas (HIDTA) program, created by Congress with the Anti-Drug Abuse Act of 1988, provides assistance to Federal, state, local, and tribal law enforcement agencies operating in areas determined to be critical drug-trafficking regions of the .

Most modern systems have the ability to create enhanced due diligence alerts based on industry codes, occupation, and by household. Any missing or erroneous data point means that your system is performing at a less than optimal rate. The data issues go far beyond just miskeys. Is your institution relying on external sources for transaction processing, such as an intermediary bank? Wire formatting quirks from the Fed, intermediary banks and foreign financial institutions wreak havoc on your AML vendor's ability to map wire data correctly. SWIFT and Business Identification Codes (“BIC”) are sources for foreign activity false positive alerts.

Out of the Box Thinking

After months of waiting, you’ve finally installed the ComplyMagician 3000 and it looks glorious! You commence the primary ignition and flip the switch to On. Uh-oh…after a week, the system has generated hundreds of alerts. “This can’t be right…it says I have no high-risk customers. I don’t understand, I set all the parameters to the typical bank settings as suggested by the vendor!” Sound familiar? You’re not alone. This scenario plagues just about every institution. Poking around in software system settings can be intimidating or downright confusing, so it’s much easier to ask for “typical” settings. The problem with “typical” settings is: Who is it typical to? Every institution has a different heartbeat, risk complexity, and appetite. It’s because of this that using the out-of-the-box or suggested vendor settings becomes problematic. The vendor doesn’t know that your institution isn’t an ACH originator, with no MSBs, and a homogenous customer base. This complexity means that what may work for another institution may not work for you.

I Thought it Was Automated and with AI?

Sorry executives, but no matter how many promises of reduced false positives, shortcut robots, and machine learning, no amount of automation is going to reduce the need of a human workforce. How much staffing is enough, and why, if it’s “automated”, do we need X people working? The answer to this too is complicated, but it is rooted in the previous two reasons. Understanding the AML software’s capabilities and shortcomings is the key to proper staffing. Whether the software has or has not been optimized, having sufficient resources to address the volume of transaction monitoring, reporting, and periodic due diligence alerts is pertinent to avoid audit and regulatory scrutiny. Moreover, if your compliance officer does not understand the institution’s risk profile, fails to learn the gaps in the AML software’s capabilities, and does not alert executives to these issues, it could lead to costly regulatory enforcement actions. This means that a compliance officer should know that any AML software may need to be supplemented with manual processes. The data issues noted earlier will make this an absolute certainty and will be necessary in order to provide adequate monitoring coverage.

The Solution

Now that I’ve provided the cold realities of the AML monitoring systems of the world, it’s not all doom and gloom. There are simple solutions that are realistically attainable and cost efficient to boot!

To tackle data integrity issues, identify the size of the universe first. Leverage your IT department or AML software to generate reports for missing or erroneous data. If the data is lacking, start a clean-up project that involves the frontline employees. If the data is missing, use this as an opportunity to provide frontline training and expand the scope of the data that is captured when a customer is on-boarded (e.g. NAICS). Give the frontline staff all the tools they need to make sure they accurately select the proper industry codes and that individual occupation is collected. Pitch it not just as an AML issue but as a cross-selling opportunity. The more data they collect, the broader the opportunity to offer that home equity loan with awesome rates. During your data clean up, you may have to resort to core reports for monitoring and if your data isn’t perfect (i.e. wires), maybe an old-fashioned pivot table is the best tool for the job.

If you want to ensure you have adequate monitoring and customer risk coverage, look past the marketing materials and understand your institution’s customer base from top to bottom. This means tailoring your AML software to the size and complexity of your institution. Don’t let a vendor define your risk and transaction threshold definition. Make sure those risk segments are properly identified, and make sure the risk factors in the software’s risk model accurately reflect the products, services and geographies served and offered by your institution.

Intimidated by the software settings? Maybe you skipped the classes on standard deviations and Bayesian Theory, that’s ok! Hire a consultant who will help you crunch your transaction data to make your alerts efficient and your thresholds optimized. Pairing your alert thresholds so that they sync with your institution’s risk profile is the textbook definition of a “risk-based” AML program. There’s nothing wrong with asking for help, so reach out to executive management and ask for additional resources to assist with optimizing the software. Once the software sweet spot has been achieved, you can make informed staffing decisions that will lead to audit and regulatory accolades.

Emmanuel Olivas serves as a Compliance Director at Chartwell Compliance and brings over 21 years of experience working with financial institutions. Emmanuel has been deeply involved for the majority of his work life in BSA and Consumer Compliance and has successfully managed compliance programs for various money service business and community banks in Texas, Pennsylvania and California with customer bases in Venezuela, Uruguay, Dominican Republic, Mexico, Israel and all across the United States. A specific expertise in the Bank Secrecy Act and Anti-Money Laundering space for bank and non-bank financial institutions such as currency exchange, check cashing, and money transmission means he brings relevant knowledge and skills to effectively service Chartwell customers. For more information, please contact Emmanuel at [email protected].

Love in the Time of COVID
Virtual Currencies and Fintech Payments Parallels
By Veronika Foster, CAMS, J.D.

We all remember the romantic novel by Nobel-prize winner, Gabriel Garcia Marquez, depicting an impossible love that endures decades of opposition by the societal mores of the time, with ups and downs and a bacterial epidemic as the backdrop in a beautiful place somewhere in Colombia. The end of the novel presents the two main characters, although old and decrepit, able to live triumphantly their love with the acceptance of those around them. That was Love in the Time of Cholera.

What does it have to do with anything in the FinTech industry, you might ask. And it would be a good question. With COVID as the backdrop of everything happening in 2020, there are sundry parallels between the romantic novel and virtual currencies and fintech payments. Indulge me following this comparison and analogy. Think of the general dissension, skepticism and even opposition that virtual currencies have experienced since Bitcoin first gained entrance into our consciousness about ten years ago. Alan Greenspan, former Chairman of the Board of Governors of the Federal Reserve Bank, thought that “you really have to stretch your imagination to infer what the intrinsic value of Bitcoin is…”¹ He saw no value in it and probably no benefit to the consumer. His successor as Chairman, Ben Bernanke, was more insightful in sharing that Bitcoin had serious problems due to its instability in its source of value, price volatility and the fact that it was not widely accepted as a transaction medium.² Indeed, in 2015, Bitcoin was not widely accepted by the general public as only 47 percent of all U.S. consumers had ever heard of Bitcoin or virtual currencies. And less than 1 percent of all U.S. consumers had ever owned virtual currency.³ Fast forward to 2020, the COVID pandemic in full swing and the levels of demand for Bitcoin and other virtual currencies reached all-time highs in monthly trading volume with $1,200 Billion in February, 2020 which was sustained until May.⁴ As it relates to unit price, Bitcoin specifically, in a mere ten years has seen its price per unit increase from a few cents to the present price of $10,296 per Bitcoin unit,⁵ with many ups and downs in between.

So, where is the love for virtual currencies coming from in time of COVID?

In 2020 it is reported that 15 percent of American adults own some form of cryptocurrency. Of those individuals, half purchased cryptocurrency for the first time in the first six months of 2020 at the crest of the pandemic wave. This love affair in times of COVID came from high income, well-educated men. Millennials (aged 26-40) comprised 57 percent of the individuals who purchased cryptocurrencies in 2020 and GenXers (aged 41-55) comprised 30%. Baby Boomers showed little love for cryptocurrencies in 2020 as they constituted only 3% of all individuals who purchased cryptocurrencies this year.⁶

As with the Garcia Marquez novel where society ended up condoning the seemingly reproachable love that the characters professed for each other, so it seems to be happening with certain regulatory agencies that are opening up the financial system just a little to give room for the cryptocurrencies to breathe just a little easier and maybe grow. This year of COVID has brought so far, at least, two important developments for the virtual currency and FinTech industries. The first one came early in the year from Governor Lael Brainard of the Board of Governors of the Federal Reserve Bank; and the second development came in July from the Office of the Comptroller of the Currency (OCC).

In February of this year, Governor Lael Brainard acknowledged the obvious digital transformation taking place in the payments space driven by technology firms (i.e. BigTechs and FinTechs) with innovation, speed, user-friendliness, accessibility and just new business models that bundle payments with other activities. Three key benefits of having technology firms in the payments space were noted: (a) opportunity for increased competition; (b) product offering enhancements; (c) lower transaction costs; (d) potentially driving financial inclusion (i.e. more accessible financial services to more people).⁷ On the risky side, because cryptocurrencies run outside of the banking system there is lack of consumer fraud and privacy protections as well as lack of sufficient anti-money laundering controls.

The medium of exchange that technology companies are using is either based on the U.S. dollar as the unit of account or not based on the U.S. dollar as the unit of account. First generation cryptocurrencies, like Bitcoin, fall in the category of currencies not being based on the U.S. dollar as the unit of account. They run and operate completely outside of the banking and financial systems. The second wave of digital currencies, like Facebook’s proposed Libra currency, seeks to avoid price volatility by anchoring themselves to an asset like the U.S. dollar as their unit of account. The creation of Libra as a “stable ” anchored on the U.S. dollar is forcing a review by the Federal Reserve Bank of the entire financial system. With a behemoth the size of Facebook that has one-third of the global population as its users, Libra could be a destabilizing force for the U.S. and the interconnected global economy, if things went wrong with it. Hence, the scrutiny and judicious study by regulators of the proposed Libra.

The Federal Reserve Bank is also exploring the implications of having a central bank digital currency (CBDC) in the United States. Apparently, at least 52 central banks in the world are engaged in exploratory work of CBDC and some actually moving towards issuing CBDC.⁸

On August 13, 2020 Governor Brainard gave an update on digital currencies. The COVID crisis in the U.S. reminded us all of what was really important. It became obvious that having a resilient and trusted payments infrastructure that would allow everyone access to their unemployment and PPE checks in times of crisis, was important. Additionally, China moved forward and ahead with the pursuit of a CBDC. Governor Brainard describes in some detail the efforts the Federal Reserve Bank is currently making to actively conduct research and hands-on experimentation related to distributed ledger (block-chain) technologies, partnering with the Massachusetts Institute of Technology to build and test hypothetical CBDC for the central bank use in the U.S. They are using the Board’s Technology Lab to build and test a range of distributed ledger platforms with a myriad of use cases, looking into opportunities, challenges and the implications of digital currencies on the entire payments ecosystem. The Federal Reserve Bank is also working and participating in structured exchanges with other central banks around the world to learn from each other and to conduct collaborative, multi-dimensional, multi-jurisdictional experiments and more.⁹

Governor Brainard’s tone and the substance of the work the Federal Reserve Bank is doing seem so different from what Alan Greenspan and even Ben Bernanke said just a few years prior. The mere fact that in 2020 the Federal Reserve Bank has identified very specifically the critical benefits that technology firms bring forth to the consumers, especially in terms of financial inclusion, puts the FinTech and cryptocurrency industry on higher ground than before. Not to mention the sense of urgency conveyed by the Governor this year given that China seems to be moving much faster than the U.S.

The second development of critical import to the FinTech and cryptocurrency industry this year so far was a letter published by the OCC on July 22 making it clear that national banks and federal savings associations have authority to provide safekeeping services for digital assets. The conclusion of the OCC is that “providing cryptocurrency custody services, including holding unique cryptographic keys associated with the cryptocurrency, is a modern form of traditional bank activities related to custody services.”¹⁰ It also clarifies that national banks and savings associations may provide additional services beyond just safekeeping assets (i.e. trades settlement, investment of cash balances, collection of income, process corporate actions, price securities positions, recordkeeping and reporting services).

Very importantly, the OCC letter gives cryptocurrencies legitimacy and recognition not given before by a federal regulator. In pertinent part the letter says (and I include the entire quote because it is truly remarkable), “Cryptocurrencies have been used for a variety of payment and investment activities. Bitcoin remains the most widely used and valuable cryptocurrency, with a current market capitalization of approximately $170 billion. Bitcoin is now accepted as payment by thousands of merchants worldwide; customers may even purchase Bitcoin for cash at various locations. Contracts on Bitcoin futures have been established and options on Bitcoin futures are now trading. Although transactions in cryptocurrencies can occur directly between parties via decentralized, peer-to-peer cryptocurrency transactions, many cryptocurrencies may also be traded through centralized, online cryptocurrency exchanges where parties trade one cryptocurrency for another or trade for fiat currencies such as the U.S. dollar through a financial intermediary. Some centralized cryptocurrency exchanges have obtained state banking licenses as trust banks.”¹¹ The OCC also points out that recent data show that approximately 40 million Americans own cryptocurrencies.

The data and statistics about cryptocurrency provided by the OCC debunk almost entirely the earlier comments of Ben Bernanke and most certainly those of Alan Greenspan. It is clear that the offer and demand of cryptocurrencies have grown. The product/service is maturing although it has a lot of room for growth still. With this clarification letter, cryptocurrency companies will enjoy more stability, higher demand for virtual currencies, more capital investment and overall growth. It’s undeniable that the OCC showed quite a bit of love for cryptocurrencies in times of COVID.

This OCC clarification letter allows cryptocurrency companies to more easily obtain the banking services they need in order to run their operations. However, it must be noted that the OCC also mentioned that the national banks and savings associations must ensure they understand cryptocurrency risks and that they perform a comprehensive due diligence review of the cryptocurrency companies, including a review to determine if they comply with money laundering rules.

Cryptocurrency companies seeking banking services should be prepared to provide to the bank or savings association their anti-money laundering (AML) program, complete with the policies, procedures and internal controls put in place to mitigate money laundering risks. They should have a risk assessment in place as the foundation of the AML program and should ensure that they comply with all applicable aspects of the Bank Secrecy Act.

While the regulatory environment will continue to evolve and the trend of cryptocurrency adoption will continue to grow and mature, this year so far has been very positive for virtual currencies and FinTechs, in spite of (or because of) the COVID pandemic.

Some may conclude that just like love triumphed and gained acceptance in the novel, similarly, these innovative payments and cryptocurrencies are gaining the love of the consumers and maybe even the regulators—okay, maybe not love but at least acceptance, no doubt!

Veronika serves as a Compliance Director at Chartwell and brings over 17 years’ experience in financial services. As the Senior Director at Walmart, Inc., a top Fortune 500 company and the largest Money Services Business by several measures, Veronika was responsible for the creation, maintenance and improvement of the anti-money laundering and fraud prevention programs for financial services which passed regulatory scrutiny many times over during her nine-year tenure with the retailer. Veronika also created the controls associated with the anti-money laundering program for the sale of precious stones, metals and jewels. In addition, Veronika served as an expert advisor to the executive officers of the company on matters related to product and risk assessments, compensating controls, training, audit management, OFAC, vendor due diligence, among other areas. For more information, please email Veronika at [email protected].

Oversight of Your Hemp Banking Program: The Periodic Focused Review
By Sharon Blanchette, CPA, CIA, CRCM, CAMS

Spurred on by changes in hemp laws and regulations over the past two years, many financial institutions began banking hemp and hemp-derived CBD products. Institutions in hemp-friendly states likely started banking hemp and CBD in earnest in early 2019 and may have well-developed programs with numerous customers by now. Other institutions followed as it became clear that hemp was different from marijuana in the eyes of the law, financial institution regulators, and subsequently in the eyes of FinCEN. (See below for chronology and links)

October 31, 2019, the USDA issued an interim final rule establishing the domestic hemp production regulatory program, as set forth in the 2018 Farm Bill; (citation: https://www.federalregister.gov/documents/2019/10/31/2019-23749/establishment-of-a-domestic-hemp-production-program)

December 3, 2019, Joint Guidance from financial institution regulators entitled “Providing Financial Services to Customers Engaged in Hemp-Related Businesses”; (citation: https://www.fincen.gov/sites/default/files/2019-12/Hemp%20Guidance%20%28Final%2012-3-19%29%20FINAL.pdf)

and June 29, 2020 FinCEN provides guidance regarding Due Diligence Requirements under the Bank Secrecy Act for Hemp-Related Business Customers (citation: https://www.fincen.gov/sites/default/files/2020-06/FinCEN_Hemp_Guidance_508_FINAL.pdf)

Despite that, however, hemp-related businesses remain a higher-risk customer type for financial institutions to bank because there is risk that the hemp is really marijuana and the institution inadvertently banks marijuana outside of its policy… or worse, misses the filing of a marijuana SAR. Hemp-related businesses could also run afoul of the USDA, FDA, or DEA laws and regulations, putting their business at risk. In other words, banking hemp-related businesses is still a complex area. There is also examination risk in that examiners could cite a finding that the institution launched a program without proper expertise or risk management in place. Last, for institutions that are lending to hemp-related businesses, there is also increased credit risk because of the volatility in the cannabis industry in general.

To ensure success of the higher-risk hemp banking program, BSA and Risk Officers should have created a written risk management program, having read through guidance from FinCEN, the USDA and the FDA. The written risk management program should include updated policies and procedures, formal training, robust on-boarding programs to collect and review due-diligence information, and a monitoring program to monitor on-going transactions. Governance should have been addressed, as well, with a written governance procedure that describes how the performance of the hemp banking program is measured and communicated to executive management and Board. After risk management and governance are addressed, all that remains is ... having the hemp banking program formally reviewed.

Hemp-banking programs for many institutions are approaching, or at, their one-year anniversary, making this a good time to think about having the program reviewed. While there is no formal requirement from regulators or FinCEN that a separate focused review be performed of the hemp banking program, in addition to annual BSA independent testing, there are four benefits to doing so:

1. Efficiency and effectiveness improvements in the hemp banking program could be suggested by the reviewer.
2. Additional revenue opportunities for the institution could be revealed by the review.
3. A separate review of the hemp banking program could be perceived by examiners as a proactive approach to stellar oversight over the program.
4. Having a focused hemp banking review would ensure that the program is reviewed by a hemp banking specialist, and not by a general review team.

Components of a hemp banking program review

The BSA/AML/OFAC aspects of the hemp banking program will be addressed in depth, including:

▶ Interviews with business development, first-line relationship managers, risk management, legal, and BSA/AML/OFAC/Fraud staff.
▶ Review of the Risk Assessment performed specifically on the hemp banking program
▶ Review of documentation surrounding the review/approvals of the program, including conversations with the Board, executive management, and regulators, including the existence of an exit strategy
▶ Review of approved concentration limits
▶ Review of policies and procedures
▶ Review of the hemp training program for business development and first-time staff
▶ Review of the hemp training program for Risk and BSA staff
▶ Review of the on-boarding due diligence (forms and process)
▶ Review of the initial customer EDD and approvals by the BSA Department (forms and process)
▶ Review of the monitoring program
  › Are the alert thresholds in the monitoring system set to detect potentially suspicious activity among this specialized customer base?
  › Are the staff who are working the alerts provided with additional training on the risks of the hemp-banking program and what to look for?
▶ Review of reporting and communication surrounding the success of the program
▶ And, of course, detail testing:
  › Deposit sample
  › Lending sample

For institutions that are lending to hemp-related businesses, the reviewer should review lending policies and procedures with respect to the hemp banking program.

For maximum benefit to the institution, the hemp banking program review should occur as the institution approaches the one-year anniversary of the program, and periodically thereafter. The review should be conducted by someone who is knowledgeable about the entire cannabis industry, including the differences between hemp and marijuana, the ever-changing hemp guidance from the USDA and FDA, and the nuances of a hemp banking risk management program. The hemp banking program will likely remain in scope for the institution’s annual BSA independent review, but the general review team might be able to rely, at least in part, on the specialist’s hemp banking program review report.

With the expansion of the hemp and hemp-related CBD industry comes an expansion of banking programs to service the industry. New banking programs equate to new risk – including operating outside of policy, missing a marijuana SAR if the hemp were really marijuana, or being the recipient of an exam finding that the bank entered a program without having appropriate expertise or risk management in place. Institutions can avoid most of this risk proactively with periodic focused reviews.

Sharon Blanchette serves as a Compliance Director with Chartwell Compliance and brings over 20 years of risk management, audit, regulatory compliance, and AML experience and expertise. For financial institutions, Sharon has held roles as diverse as Chief Risk Officer, Director of a Financial Investigations Unit, Director of Consumer Compliance, and Audit Director. She has also served as a Director of Compliance for a national consulting firm. In some of her previous roles, Sharon was onboarded to remediate regulatory enforcement actions, and has extensive experience acting as a liaison to regulatory examiners. For more information, please contact Sharon at [email protected].

Is your Compliance Program Stale?
By Sherry Tomac, PMP

Compliance programs must have a component of continuous improvement to always be more efficient and effective at managing risk.

In 2012, the joint Department of Justice (DOJ) and Securities and Exchange Commission (SEC) FCPA issued “The 10 Hallmarks of an Effective Compliance Program.”¹ This was a guidance document for those learning about the Foreign Corrupt Practices Act but the principles hold as best practices for any compliance program.

In particular, the ninth Hallmark of that guidance addresses the need for continuous improvement, noting that “compliance programs that do not just exist on paper but are followed in practice will inevitably uncover compliance weaknesses and require enhancements.”¹ The Compliance Officer and the Board need to endorse continuous improvement as a part of their culture of compliance. Processes with clear responsibility need to be included in the compliance program to regularly review and improve efficiency and effectiveness. Continuous improvement within a compliance program results in incremental ongoing process improvements that really tailor your compliance program to your business.

One thing we know for sure is that change will occur. And as it does, there will always be impact to a compliance program. Change comes from both internal and external sources.

Internally, changes occur from 1) new products, 2) new leadership, 3) new ownership, and 4) new systems, just to name a few sources. Internal changes can include lessons learned as compliance analysts and compliance managers use the compliance systems and identify what’s broken or what information elements are missing when new customer types are on-boarded or new products are implemented. New learning can come more formally from internal audits that focus on program elements or specific controls.

Externally, there are changes in 1) laws, 2) the economy, 3) regulatory practices, 4) industry standards, plus 5) regulatory examinations, and 6) industry enforcement actions. More recently, the COVID-19 pandemic has been a new source of change. And finally, there are compliance trends that come, go, or build upon practices that already exist. Independent reviews provide objective insight into the effectiveness of your compliance program compared to industry best practices.

Below are continuous improvement activities that should be incorporated into your compliance program and documented for oversight and review:

1. Tracking of internal and external events that impact business processes, policies and procedures
2. Auditing and monitoring regularly, reviewing and testing of compliance controls
3. Responding quickly to allegations of misconduct
4. Proactively making changes to identified weaknesses and inefficiencies in your processes

Compliance programs should evolve with the times and not become stale documents that sit on a shelf until examiners arrive. Incorporating continuous improvement into your compliance program will tailor your program to your business and more effectively protect your company.

1 Thomas R. Fox, 2017, ‘THE 10 HALLMARKS OF AN EFFECTIVE COMPLIANCE PROGRAM: STILL THE FOUNDATION’, http://fcpacompliancereport.com/2017/11/10-hallmarks-effective-compliance-program-still-foundation/

Sherry Tomac serves as Vice President Licensing at Chartwell Compliance and brings over 20 years of process improvement experience using Kaizen and lean six sigma tools in operational areas of Chartwell Compliance, Western Union, First Data, and Children’s Hospital Colorado. Her experience includes documentation of current and future state processes, staff training, standardization of procedures, elimination of waste, and generation of cost savings. Sherry manages a highly skilled group of compliance professionals who are skilled project managers and subject matter experts leading and/or working on high profile engagements, provides project oversight, coaching and training to the Chartwell staff and manages Kaizen process improvement activities within the organization. For more information, please email Sherry at [email protected].

What’s in a Name?

By Melody Loudin

On August 31, 2020, the California Assembly passed AB 1864 and sent it to the Governor’s desk for signature. This bill makes a sweeping change and renames the California “Department of Business Oversight” (DBO) to the “Department of Financial Protection and Innovation” (DFPI).

While maintaining the department’s existing authorities and duties, AB 1864 puts the department in charge of various other laws related to providing financial products and services in California and enacts the California Consumer Financial Protection Law (CCFPL) which will provide oversight and enforcement authority related to providers of consumer financial products and services that are not currently under the department’s authority. It will also prohibit unlawful, unfair, deceptive, and abusive acts or practices by persons subject to the CCFPL.

The DFPI will be authorized to enforce actions which are permitted by 12 U.S.C. 5552 (which include judicial, administrative, or regulatory proceedings brought by a state regulator), to enforce specified provisions of federal law related to consumer financial protection and regulations issued by the Consumer Financial Protection Bureau (CFPB), with respect to an entity that is licensed, registered, or subject to oversight by DFPI. It will authorize the DFPI to secure remedies provided by the Consumer Financial Protection Act of 2010.

In addition to existing statutory authority, AB 1864 builds on the DBO’s expertise and functions by:

▶ Consolidating oversight authority over consumer financial products and services, while preserving enforcement authority provided to the Attorney General.
▶ Empowering DFPI to address a broader set of consumer complaints.
▶ Ensuring that DFPI can hold any financial service providers accountable for treating a California consumer unfairly, deceptively, or abusively.
▶ Filling in the gaps between statutory definitions that are often outdated and fail to cover new business models and practices.
▶ Establishing a requirement that, after an appropriate rulemaking, financial services companies register with DFPI to ensure that such companies are legitimate and able to perform their obligations to consumers.

Money Transmitters are already regulated by the DBO; however, this bill expands their scope of oversight authority over activity in industries that are not currently regulated by the DBO. A few examples of these new covered products or business activity include retail sales financing, consumer credit reporting, debt collection, debt settlement, and lead generation.

The bill’s author, Assembly Member Ting is quoted as saying “I wanted to start the important conversation of strengthening our consumer financial protection capabilities at the state level”. Assembly Member Ting worked with a coalition of former CFPB officials and consumer law experts and they shaped a vague concept into a specific proposal. Now that this bill has been passed it has provided a pathway for the DFPI to receive the necessary resources and authority to carry out a renewed vision of putting consumers first by monitoring fintech companies offering consumers quick cash and debt collection.

This bill has the potential to establish California as a national leader in protecting consumers, small businesses, and communities by being in place during the worst of the coming downturn, when the angst of low-income Californians will be at its height due to the pandemic.

In summary, AB 1864 provides clear authority for DFPI to regulate the broad market of consumer financial products and services provided to California consumers. By borrowing the definitions and structure from Dodd-Frank, this bill leverages the value of an existing regulatory framework to which industry participants are already subject. Companies that provide consumer financial products and services, regardless of whether they are required to be licensed under existing state law, should already have programs in place to comply with Dodd-Frank and CFPB regulations, and those companies will be able to use their existing policies and procedures to ensure compliance with this law. The regulatory framework inspired by Dodd-Frank provides DFPI with the appropriate tools to regulate market activities based on the functional characteristics of products and services that are offered and provided to Californian consumers.

Chartwell Compliance is an industry leader in helping financial service companies create and maintain policies and procedures as well as withstand the scrutiny of state examinations. With the DFPI now authorized to enforce and bring civil or administrative actions against a covered service provider with respect to consumer financial products or services, each company needs to review their compliance policies and procedures and that is where we can assist.

Melody Loudin serves as a Compliance Professional at Chartwell Compliance and brings over 20 years of experience in consumer lending, mortgage services, money transmission licensing and maintenance, and regulatory reporting. Melody worked for the National White-Collar Crime Center, a division of the FBI, and for three of the largest non-bank mortgage servicers and holds a degree in Paralegal Studies. For more information, please contact Melody at [email protected].

Louisiana—Next State to Require Virtual Currency Business License

By Melody Loudin

Following in the footsteps of New York, on June 13, 2020 Louisiana H.B. 701 was signed by the governor and became effective on August 1, 2020. Louisiana became the 2nd state to enact a stand-alone virtual currency law and the first state to base virtual currency licensing requirements on the Uniform Regulation of Virtual-Currency Business Act. According to the Act, no one is permitted to engage in a virtual currency business activity, or hold itself out as being able to engage in a virtual currency business activity, with or on behalf of any “resident” of Louisiana, irrespective of where the person is located, unless the person is either licensed by the Louisiana Office of Financial Institutions (OFI) or exempt. Louisiana’s passage of this law is the state’s latest foray into cryptocurrency and their willingness to regulate cryptocurrency business. But do not rush to find that application just yet because it may not be available until 2021.

This bill establishes the following requirements among other things:

i. authorizes reciprocity of licensure with other states;
ii. specifies that licensee applications must be submitted through the Nationwide Multi-State Licensing System;
iii. requires executives’ fingerprints, experience, character, and general fitness to undergo investigation and perhaps the business premises as well;
iv. adds provisions related to licensee examinations;
v. outlines licensee surety bond requirements “based on the nature and extent of risks in the applicant’s virtual currency business model”;
vi. provides the state’s office of financial institutions with enforcement authority;
vii. prohibits licensees from engaging in unfair, deceptive, or fraudulent practices; and
viii. $100,000 Surety Bond.

Over the Next Several Months

Even though their Virtual Currency Business Act (VCBA) requires the OFI to adopt administrative rules to implement and enforce the new license requirement, there is no specific timeline regarding when such rules must be enacted. As a result, the timing of the virtual currency business licensing requirement is still unclear. At least ninety days’ notice is required prior to taking any action on such proposed rules and approval and the rulemaking process can take longer if a public hearing is requested.

Of course, in this increasing age of virtual currency and with the myriad of new and innovative business models in money transmission, determining if you need this license means asking and answering several questions. It is also important to note that even though the applicant will be required to include information about any money service or money transmitter license the applicant holds in other states, the Louisiana virtual currency licensing regime does not appear to exempt a Louisiana licensed money transmitter (this is also the case with the New York regime).

As a result, companies engaging in virtual currency activity under a Louisiana money transmitter license today will need to consider whether the new law and their Money Transmission License product requires a separate Louisiana license. In addition, payments companies seeking to engage in virtual currency activity in Louisiana will need to determine whether they need both a virtual currency license and a money transmission license in the state. It has been indicated that this license requirement will mostly mirror New York’s license requirement. However, let us look at some of the triggers for this license requirement:

Covered Entities

Covered “virtual currency business activity” that will trigger licensure includes any one of the following:

1. Exchanging, transferring, or storing virtual currency or engaging in virtual currency administration, whether directly or through an agreement with a virtual currency control services vendor;
2. Holding electronic precious metals or electronic certificates representing interests in precious metals on behalf of another person or issuing shares or electronic certificates representing interests in precious metals; or
3. Exchanging one or more digital representations of value used within one or more online games, game platforms, or family of games for either of the following:
› Virtual currency offered by or on behalf of the same publisher from which the original digital representation of value was received, or
› Legal tender or bank credit outside the online game, game platform, or family of games offered by or on behalf of the same publisher from which the original digital representation of value was received.

Exemptions

There will be some exemptions but what will those Exemptions/Applicability look like? First, the Act does not apply to and excludes activity that is already governed by the Electronic Funds Transfer Act of 1978, the Securities Exchange Act of 1934, the Commodities Exchange Act of 1936, and the Louisiana Securities Law, R.S. 51:701 et seq. The list of entities exempt from licensure seems fairly broad and includes:

▶ Federal, state, local, foreign governments and governmental entities;
▶ Certain regulated financial institutions holding state or federal bank or trust company charters;
▶ Certain payment processors;
▶ Certain foreign exchange businesses;
▶ Certain internet service, data service and enterprise solution providers;
▶ Persons using virtual currency for the purchase or sale of goods or services, solely on the person’s own behalf for personal, family, household or academic purposes;
▶ Attorneys and title insurance companies offering escrow services;
▶ Certain securities intermediaries;
▶ Certain secured creditors;
▶ A “virtual currency control services vendor,” defined to include a person that has control of virtual currency solely under an agreement with a person that, on behalf of another person, assumes control of virtual currency;
▶ A person who does not receive compensation from a resident for providing virtual currency products or services or for conducting virtual currency business activity, or that is engaged in testing products or services with the person’s own funds; and
▶ Anyone else exempted by OFI.

There will also be a blanket de minimis monetary activity requirement meaning that not every virtual currency business may have to obtain a license. For example, the Act will not apply to persons whose virtual currency business with or on behalf of Louisiana residents will not be valued at more than $5,000 on an annual basis. As an alternative to the license, persons whose virtual currency business will not exceed $35,000 per year may obtain a less burdensome registration with the OFI provided they meet the statutory requirements and notify the LA OFI.

A Reciprocal License Exemption?

According to bill headnotes, the Act will “authorize reciprocity of licensure.” Indeed, the term “reciprocity agreement” is defined by the Act as an arrangement between the OFI and the appropriate licensing agency of another state which permits a licensee operating under a license granted by the other state to engage in virtual currency business activity with or on behalf of a Louisiana resident. However, the Act itself does not actually grant any reciprocal exemption or otherwise utilize the defined term “reciprocity agreement.” This issue will be addressed by later rulemaking from the OFI.

The Act is perhaps notable not so much for the conduct it covers, but rather the very broad classes of persons and businesses granted exemptions from regulation. Clearly the Louisiana Legislature sought to thread a needle and subject only a narrow band of businesses to regulation under the Act. In this respect it could become a model for other states seeking to tread lightly in the virtual currency space.

Chartwell’s recommendation: If you think you may be operating a virtual currency business with Louisiana residents or plan to in the future and are still unsure of your requirement to be licensed, reach out to our team at Chartwell Compliance for assistance navigating this ever changing environment.

Click on HOUSE BILL NO. 701 to review the entire bill.

H.B. 701, 2020 Reg. Sess. (La. 2020), codified at La. R.S. §§ 6:1381 to 6:1394 (eff. Aug 1, 2020).

Melody Loudin serves as a Compliance Professional at Chartwell Compliance and brings over 20 years of experience in consumer lending, mortgage services, money transmission licensing and maintenance, and regulatory reporting. Melody worked for the National White-Collar Crime Center, a division of the FBI, and for three of the largest non-bank mortgage servicers and holds a degree in Paralegal Studies. For more information, please contact Melody at [email protected].

Facing Down your Fears During a State Regulatory Exam

By Todd Jones, Christa Fazzi, and Trish Lagodzinski

States perform regular exams at regulated financial services companies and the agencies have various frequency cycles for conducting examinations. Most licensed money transmitters are examined annually by either multistate teams or individual states to ensure licensees operate in a safe and sound manner and in adherence to state and federal laws and regulations.

Between exams, state regulators monitor their licensees on an ongoing basis by reviewing the information submitted pursuant to reporting requirements. Licensees have periodic reporting requirements covering financial statements, permissible investments adequacy, branch and agent listings and transmission volume activity. Consumer complaints provide another input into the supervisory process.

During an examination, state examiners review a money transmitter’s operations, financial condition, management, compliance function and compliance with the Bank Secrecy Act and the institution’s anti-money laundering program. All these areas of review provide state agencies with data and other information to assess if a licensee is complying with applicable laws and conducting business in a safe and sound manner. If a licensee is found operating in an unsafe manner or out of compliance with state and federal requirements, the licensee may face state enforcement actions.

Coming face to face with examiners, whether in person or virtually, can be a very daunting experience. You and your Company interacted with the state to acquire your license, but this is a different experience altogether. In addition, COVID-19 has forced examiners to conduct remote examinations, which makes the communications even more difficult. To make this interaction and exam itself a little less stressful and flow much smoother, Chartwell has some pointers to assist you outlined below.

Prior to Arrival of your Regulator:

▶ Build a relationship with the State Examination Departments from the beginning as this will help to build trust during current and future examinations.
▶ If you are leading the examination, always include a clear due date when requesting documents for examiners from the company’s Subject Matter Experts (“SMEs”) and management.
▶ Plan meetings ahead of time to ensure that any and all designated SMEs and officers are available for any and all meetings with regulators.
› In the event a SME will not be available, ensure a designated back-up person will be available who can speak on their behalf.
› Once you are notified of what meetings should be scheduled and which SMEs the examiners would like to speak with, notify the appropriate individuals as soon as possible.
▶ Regulators will request documents in advance of their arrival. Make sure that all requested documentation is responsive and provided in a timely manner.
▶ If an individual at the company is not responsive during acquisition of required documents for the exam, bring it to the attention of the appropriate supervisor in the effort to avoid delays with documentation requests.

While your Regulator is on Site (in person or virtually):

▶ Always look professional and keep a professional demeanor.
▶ During the duration of the exam, check in daily and reconcile all requests with the Examiner-in-Charge (“EIC”) or other designated person(s) to help ensure that your company and the examining department(s) agree on the status of requested documentation.
› This is also a good time to set expectations on requested documentation that may require longer turnaround times.
▶ If you do not know the answer to any verbal questions posed by an examiner, it is acceptable to respond with “I’ll get back to you” rather than provide incorrect information.
▶ Ensure that a representative from your company accompanies you when you meet with regulators. This helps to avoid confusion and clarify responses to any questions that could be misunderstood.
▶ If you sense that an examiner might have an issue with a response or comments made during an in-person interview, engage your legal team as soon as possible to speak with the examiner to clarify any potential misunderstood or inaccurate information.
▶ For sensitive documents such as privacy protocols, business rules involving transaction monitoring, Suspicious Activity Reports (SARs), and other proprietary information, communicate the document handling procedures clearly with the regulators. Explain to the regulators that they can view the documentation in the office or on screen but must return it back and not download once they are finished with their review.
▶ If an individual at the company is not responsive during an on-site/virtual exam, bring it to the attention of the appropriate supervisor in the effort to avoid delays with documentation requests.
▶ Make sure to be transparent with documentation so that examiners can review everything they need in order to expedite the review.
▶ Communicate regularly with the regulators so there are no surprises, as this will assist you in understanding how they feel the examination is going and ensure they have what they need.
▶ Be available as much as possible in the time zone of the state during desktop and online examinations as exams are currently being conducted offsite due to COVID-19.
▶ Pre-COVID-19 and if you are back in an office environment—make sure rooms are available for examiners and ad-hoc meetings when they are onsite that are separate from where employees are conducting their work.
› This will help avoid distracting the examiners that are working on unrelated items and enable your company to speak with the specific examiner(s) who requested the meeting(s).
▶ During multistate examinations, one state may require more information on a topic while other states do not require it.
▶ If you cannot get the documentation to the examiners within the agreed upon deadlines, communicate as soon as possible and explain why the requests are not available in order to set expectations. In the event any items cannot be provided prior to the conclusion of an examination, explain why, and determine if you can get the examiners to accept the information on a specific date after the examination has concluded.
▶ In the event an individual is not keeping a professional demeanor and refuses to provide requested information to the examiners, address the individual privately and escalate the situation to the appropriate individual in the event addressing the individual directly is unsuccessful.
▶ Deliver requested items within a platform that the examiners cannot change, edit, or delete, even if a state asks you to use their portal for documentation delivery.
▶ It is acceptable to attempt negotiation of certain requests with the regulators. For example, if they request all transaction data for 18 months and it consists of a million transactions, inquire whether you can narrow the time frame and/or designate a transaction threshold, as it is common that examiners are not aware of the size of a data file. Examiners may agree on a smaller data set to accomplish their goals in the event they do not want to mine through a massive number of lines of data that also can take extended time to pull and provide.
▶ The exam lead should always ask the regulators to provide all requests in writing. This is critical for tracking purposes and providing examiners with what they require the first time around. In our experience, almost all States have been receptive to this request as it is a win-win for all parties involved.

During your Exit Interview:

▶ During exit interviews when potential findings are communicated, have a full understanding of the breadth and scope of the preliminary findings so that those issues can be addressed and remedied immediately. Staff should respond to any inaccurate findings mentioned that may be due to a misunderstanding and speak to the EIC offline. Addressing potential errors offline is key so that examiners do not incorrectly include a finding/recommendation within the Report of Examination (“ROE”) issued by the regulators.
▶ Remember, preliminary ratings disclosed during exit meetings can change, especially if examiners are still reviewing documentation or waiting on additional requests for documentation.
› If examiners are still reviewing requested documentation or waiting for additional responses for documentation, it is a best practice to set up a post exam call once all documents have been delivered and reviewed by the examiners to determine they have everything they need and do not have any further requests.

Keep in mind, many experienced examiners are driven to identify issues in the effort to educate and help to improve your program. Being professional, responsive, and transparent will increase the likelihood of having a successful exam and helps to build trust going forward. Building relationships with examiners is invaluable to your present and future business operations.

Todd Jones, CAMS, Compliance Director at Chartwell Compliance, brings over 20 years of experience in various leadership positions at Western Union and First Data achieving goal oriented results within regulatory compliance. His varied experience includes money transmitter licensing, regulatory exam management, BSA/AML program development and ongoing maintenance, data analysis, investigations, data governance as well as project management. For more information, please email Todd at [email protected].

Christa Fazzi, Compliance Professional at Chartwell Compliance, brings more than 10 years of professional experience in managing, completing, and maintaining state licensing applications. As a Licensing Paralegal, with the gaming industry’s leading provider of cash access services to casinos, Christa managed licensing for over 33 US States and territories and coordinated all corporate entity documentation and filing requirements for twelve foreign subsidiaries including the United Kingdom, Hong Kong, Macau, Switzerland, Belgium, Canada, and India. Christa has also assisted in foreign and domestic dissolutions, and domestic acquisitions and mergers. For more information, please email Christa at cfazzi@chartwellcompliance.com.

Trish Lagodzinski, Compliance Director at Chartwell Compliance, has more than 25 years of experience in government contracting, project management and support. At Chartwell and, previously, Ascella Compliance, she has assisted with regulatory compliance matters dealing with state money services business licenses and related state and federal compliance regulations for a wide range of non-bank financial services companies. Her work has included leading a 50-state license application project for a publicly traded customer. She also serves as an outsourced state license administrator for customers. For more information, please email Trish at [email protected].

A Focused Take-a-Way From the FinCEN Files Issue

By Sharon Blanchette, CPA, CIA, CRCM, CAMS

The reaction to the FinCEN Files in September was similar to the reaction years ago to the Panama Papers. There was (and still is) much debate and conversation regarding the leak and publication of SAR information, but that is outside of the control of AML Officers. AML Officers must focus on that which they can control, and one example of that is the account closure process to manage risk to the institution the AML Officer works for. This article will assume the institution has not received a law enforcement request to leave the account open.

Financial institutions aren’t in business to close accounts, but they do have to manage risk, so it’s important that AML Officers:

▶ Have a protocol for account closure based on suspicious activity.
▶ Have a solid understanding of the activity that is taking place in the accounts.

Crafting the protocol: In crafting the account-closure protocol, AML Officers can look to the FFIEC manual for guidance, but all they will find is a sentence that says, “Consider closing accounts as a result of continuous suspicious activity.” Most will agree, it’s pretty vague. Continuous suspicious activity is also difficult to describe and measure. Every institution’s definition of what constitutes “continuous suspicious activity,” might be different, and a pure definitional approach to what is considered “continuous suspicious activity” might lead to frustration and confusion. For example, an institution has a procedure whereby after four consecutive SARs, an account is closed. However, one customer has three consecutive SARs, the activity ceases for two months, and then two more consecutive SARs are filed. Technically, there weren’t four consecutive SARs. When crafting the protocol, AML Officers might want to focus more on the pattern of SAR filings as opposed to a line-in-the-sand definition of “n number consecutive SARs filed,” and focus on outliers. The outliers will be easy to identify and AML Officers need to act on these.

Solid understanding of the underlying activity: Regardless of whether AML Officers have to justify their account-closure decisions to others in the institution (most do), the documentation surrounding the account-closure decision needs to be robust. It’s not the AML Officer’s job to perform a law-enforcement investigation and prove the underlying crime or fraud, but the AML Officer has to understand the activity well enough to support the suspicion of such, and the resulting risk to the institution of leaving the account open. This is difficult when there are numerous defensive SAR filings.

One approach is to create a grid of accounts that should be considered for closure. Describe the numbers and pattern of SAR filings. Clearly describe the activity seen in the accounts, as well as the customer relationship. Clearly articulate the risk the account presents to the bank if left open. If the AML Officer meets with a committee that considers account closure recommendations, then this grid will provide the talking points as the AML Officer reviews each account.

The FinCEN Files created debate and conversation in the AML industry, and that can be a good thing. If one of the results of this is that AML Officers review and solidify their account closure processes, then something good will have come from the undesirable leak and publication of SAR information.

Sharon Blanchette serves as a Compliance Director with Chartwell Compliance and brings over 20 years of risk management, audit, regulatory compliance, and AML experience and expertise. For financial institutions, Sharon has held roles as diverse as Chief Risk Officer, Director of a Financial Investigations Unit, Director of Consumer Compliance, and Audit Director. She has also served as a Director of Compliance for a national consulting firm. In some of her previous roles, Sharon was onboarded to remediate regulatory enforcement actions, and has extensive experience acting as a liaison to regulatory examiners. For more information, please contact Sharon at [email protected].

Considerations for Updating your AML/OFAC Business Continuity Plan
By Sharon Blanchette, CPA, CIA, CRCM, CAMS

The recent pandemic has turned attention back to business continuity planning in financial institutions of all types. Pandemic or not, it’s always a good time for AML/OFAC Officers to update their business continuity plans. The silver lining to the pandemic is that it has provided additional inputs for the plan, such as the impacts from staff working from home.

Keeping the AML/OFAC business continuity plan updated is important because it helps ensure that the critical functions of the department continue to take place during an incident. Business continuity planning is also a heavily-audited and examined area.

In this article we’ll explore two types of incidents that could interrupt operations in an AML Department. For simplicity, we’ll refer to all interruptions as “incidents,” acknowledging that every institution’s business continuity plan uses different terminology.

First, we will explore the impact of work-from-home (WFH) on a location-specific incident. Second, we’ll explore considerations for an AML-system-specific incident. These are just two out of hundreds of different continuity scenarios for which AML/OFAC officers should be planning. We’ll also explore some to-do items for AML/OFAC officers to be working on.

Location-Specific Incident:

Prior to the pandemic, most AML/OFAC Officers had business continuity plans that were at least somewhat location specific. Access to AML and OFAC software systems for some staff may have been dependent on using desktop computers that were in one location, even if the software systems were accessed via the internet. If an incident made that location inaccessible, AML/OFAC Officers could have been challenged to conduct mission-critical AML functions such as filing CTRs, filing SARs, screening for OFAC, and screening for 314(a) without access to those computers.

Then 2020 arrived and brought a pandemic with it. Within a two-week period during the first quarter of 2020 (depending on location) offices emptied and most AML/OFAC staff who had been working on desktop PCs picked up their newly-assigned laptops, monitors, and headed home. Many are still in work-from-home (WFH) mode. While this was initially disruptive, there was a silver lining that was immediately noticeable. That is, running the AML/OFAC department during a location-specific “incident” became less of a risk. The risk impact of a location-specific incident decreased because AML/OFAC staff were scattered everywhere and didn’t have to get to their desktop computers in order to work.

To-Do Item: Since WFH seems to be sticking around, it’s a good time for AML/OFAC Officers to update their business continuity plans for a location-specific incident. That category 4 hurricane, blizzard, or intense wildfire hitting the office where the AML/OFAC department used to be located might end up having a much lighter impact, other than on the staff living in the immediate area who could lose electricity, internet service, or even their homes. Include in your business continuity plan a chart of staff locations and consider mapping this as well. If SARs have to be filed on Tuesday, and your SAR manager is impacted by a blizzard, what other staff member can file those SARs from a non-impacted location? Be mindful, too, that a far-reaching incident, like a major hurricane, could leave many in the department without electricity or internet for multiple days. Assume only one person in the department has access, but that person doesn’t normally file CTRs or SARs. Plan for who can work with that person and coach them through the filing process.

However, location-specific incidents aren’t the only incidents that impact the operations of an AML/OFAC department. AML/OFAC Officers also have to plan for their AML and OFAC systems to be down for an extended period of time.

AML/OFAC System-specific incident:

A more critical scenario is if the AML software or OFAC software isn’t available for an extended period of time. Although AML and OFAC system vendors have their own business continuity plans, an incident could still occur that causes the system to be unavailable for multiple days. Most system vendors will strive toward a 48-hour recovery, but a wise AML/OFAC Officer will still plan for an extended incident. This means that AML/OFAC Officers have to plan for how critical functions will occur without the use of the software system. This article will consider a situation where the AML/OFAC systems aren’t available, but the remainder of the institution’s systems are. (An example of this is if the AML/OFAC system vendor experienced a ransomware attack.) The solution to this problem is often referred to as a “walk down memory lane,” in that AML/OFAC Officers have to revert back to how operations took place prior to the advent of AML and OFAC software. Consider the following critical functions that will have to be addressed during this incident:

▶ Suspicious activity identification, investigation, and reporting (SARs).
▶ High-cash transaction identification and reporting (CTRs).
▶ Screening:
  › OFAC - at account opening and ongoing
  › 314(a) – only if the incident lasts an extended period of time

Suspicious Activity and CTRs:

As cumbersome as it sounds, an institution’s core system and wire system should have reports that will assist the investigator with identifying suspicious activity, and the core system should be able to identify certain high-cash transactions. Once this activity is identified, investigation can also take place using the institution’s other available systems. Regarding reporting, AML/OFAC Officers will need to file SARs and CTRs directly with FinCEN.

When the AML/OFAC systems are available again, AML/OFAC Officers have to ensure that activity that took place outside the system is loaded into the system so there’s no long-term impact to the functioning of the suspicious activity monitoring model. Most models consider number of alerts, SARs, and customer transaction activity levels, and the absence of these for even a few days could impact the model.

To-Do Item: AML/OFAC Officers should identify the institution’s systems and reports that will be used during an extended system incident, and ensure that staff know what systems to use, which reports to run, how to run them, and how to review them. Ensuring that staff have access rights to these systems ahead of time is important since there will likely be little time to request access and set up users during an incident.

To-Do Item: AML/OFAC Officers will need to ensure that staff know how to file SARs and CTRs directly with FinCEN and have access rights to do so.

To-Do Item: AML/OFAC Officers, working with their friends in IT and Operations, will need to know how to import missed transactions and manually-worked alerts/cases/SARs/CTRs into the system once it’s available. Queue up the aspirin.

Screening:

Because institutions typically have multiple systems that can perform screening functions, this is likely a lesser issue than suspicious activity reporting. This becomes an exercise in failing-over to alternate systems.

To-Do Item: AML/OFAC Officers will need to have alternate systems identified ahead of time and know how those systems work. They will need to know how to redirect the file feeds into the alternate systems. They will also have to ensure that staff have access rights and know how to use the systems.

Partnering to Address the Bigger Picture:

Other overarching concepts to consider when updating the AML/OFAC business continuity plans for both types of incidents are:

▶ Information security. When working with alternate processes and alternate systems, how do you continue to protect the confidentiality of customer information? Work with the institution’s Information Security Officer on this topic.
▶ Vendor management. Whenever a vendor is involved in a business continuity plan, be sure to involve the Vendor Management department.
▶ Incident response: AML and OFAC departments don’t operate in a silo. If the AML/OFAC system isn’t available for an extended period of time, the institution’s Incident Response Protocol will likely be triggered to involve other departments. Be sure to keep the Incident Response staff informed.

Although it’s important to involve others, the AML/OFAC business continuity plan should be written and maintained by an AML/OFAC Operations professional in the AML/OFAC department and should be granular in nature. Because the goal is to continue operations, it’s important to include the “how” and the “how” needs to be practiced ahead of time so failover can occur as seamlessly as possible.

The Most Important Ingredients:

Updating the AML/OFAC business continuity plan is a critical task, but all the planning under the sun won’t always result in a good outcome. There are four other ingredients to business continuity that will help attain a good outcome. Those are flexibility, adaptability, teamwork, and resilience. When an incident begins, reality changes, sometimes within seconds. When dealing with an incident, roles change and teamwork rules. Those who approach the incident with the attitude of “the reality has changed, how do we make the most of it,” will help bring the institution to a good outcome.

Sharon Blanchette serves as a Compliance Director with Chartwell Compliance and brings over 20 years of risk management, audit, regulatory compliance, and AML experience and expertise. For financial institutions, Sharon has held roles as diverse as Chief Risk Officer, Director of a Financial Investigations Unit, Director of Consumer Compliance, and Audit Director. She has also served as a Director of Compliance for a national consulting firm. In some of her previous roles, Sharon was onboarded to remediate regulatory enforcement actions, and has extensive experience acting as a liaison to regulatory examiners. For more information, please contact Sharon at [email protected].

Fraud Prevention Platforms: An Evolution from Rules Engines to One-Stop-Shop By Jamon Whitehead

Like so many technologies in the fraud prevention realm, third-party fraud prevention platforms have come a long way since their inception. They offer protection and flexibility to not only prevent fraudulent transactions but to also increase acceptance of legitimate orders. They continue to help organizations scale their fraud teams by managing—or helping to eliminate—the manual requirement associated with transactional order review. Often, at the foundation of the prevention platform is a customizable rules engine with an artificial intelligence layer designed and maintained to identify historically high-risk combinations of transaction attributes. It then makes an “accept,” “reject,” or “review” decision on behalf of the merchant.

Over the last decade, we have witnessed the evolution of such providers from a simpler platform through which retailers can manage decision rules and manual reviews to more of a “one-stop shop” for all (or at least most) things fraud mitigation tech-related. This evolution offers more end-to-end options under one umbrella. The evolution has come primarily in two forms.

1. Acquisition: We’ve seen a number of large, well known brands acquiring complementary platforms to bolster their fraud mitigation functionality. Major credit card brands have been quite busy in this regard. Acquisition examples include the Visa acquisition of CyberSource, Cardinal, and Verifi—and the Mastercard acquisition of NuData and Ethoca, as well as the AMEX acquisition of Accertify and Inauth. Payment service providers have also gotten involved with the acquisition of Retail Decisions (RED) by ACI. Finally, the consumer credit agency Transunion has pieced together a full platform with the recent acquisition of Iovation.

In this scenario, we have seen a wide range of integration levels, with some technologies remaining relatively independent and others being fully absorbed and fully integrated into the offering. End users have the ability to take advantage of existing integrations with the primary platforms through activation of these secondary services and technologies as they are acquired, with little to no additional integration needed.

2. Partnership: This is a looser integration alternative to acquisition, and still allows end users the advantages of boosted service offerings with little to no additional integration. In these instances, (primarily) third-party identity data providers partner with a number of (in many cases) competing platform partners to offer enhanced identity verification options to clients of those platforms. The partnership typically involves the creation of API calls between various technology providers. Existing platform users can then take advantage of these enhancements by simply “activating” those additional functions through the platform.

In this scenario, merchants and financial institutions can fully integrate this enhanced data to further enrich their existing rules and models. In addition, or alternatively, users who operate some level of manual review can include individual call outs to these secondary service providers for further verification of individuals interacting within their digital environment.

While the scenarios above are some of the most common, additional integration layers have been created based on the platform service combination. Other common layers and platform enhancements include:

▶ Orchestration platforms
▶ Device ID / reputation
▶ Behavioral biometrics
▶ Chargeback management platform
▶ Consolidated reporting options

We will continue to monitor these fraud platform providers as they evolve and enhance service offerings for end users. In the meantime, we recommend that existing and potential clients continue to drive the conversation around what support and services are required to fill risk-based business needs.

In our 2020 edition of the Paladin Vendor Report, we featured a number of solution providers offering fraud platform solutions, including:

Accertify Interceptas
CyberSource DM
ACI RED
Arvato
Clearsale
Kount
NS8
Sift
Signifyd
Transunion

The 2020 Paladin Vendor Report not only covers fraud platform technologies—it also spans the full spectrum of current technology and solutions in the fraud prevention landscape today. Download the full Paladin Vendor Report here: http://paladinfraud.com/mrc-trends-2020/

In addition, the Paladin Payment Service Provider Report can be downloaded here: http://paladinfraud.com/mrc-paladin-payment-report-2020/

Jamon Whitehead, Co-Founder of Paladin Group, has more than 15 years of experience in the card not present (CNP) payment and risk industry. Jamon has a background in strategic and tactical management of the complete payment and transactional risk life-cycle. This includes but is not limited to the technology assessment and implementation, user authentication and trust assessment, risk based data mining, automated and manual review management and chargeback processing and analysis. Jamon and his team offer an extensive and customizable suite of services for both merchants and vendors. For more information, please contact Richard Davis at [email protected].

Exciting Times Ahead for Coinme Inc.
By Eddie Ponce, Chief Compliance Officer and AML/BSA Officer of Coinme Inc.

Coinme Inc. (Coinme), a blockchain financial services company dedicated to helping the world gain access to virtual currencies, is proud to have been selected for the first cohort of participants for entrance into Hawaii’s Digital Currency Innovation Lab (DCIL).

The DCIL, created through a partnership between the Hawaii Department of Commerce and Consumer Affairs, Division of Financial Institutions (DFI) and the Hawaii Technology Development Corporation (HTDC), allows the Innovation Lab to explore digital currency innovation and is the first of its kind in the state.

The Innovation Lab permits a select group of private sector companies to benefit from a "no action message" allowing these companies the ability to conduct business in Hawaii without first obtaining a state money transmitter license. Coinme is one of the select few granted with such authority alongside other industry leaders such as Novi Financial and Robinhood Crypto. Of the approved companies, Coinme proudly stands alone as the only approved cryptocurrency kiosk company making it possible for consumers to easily purchase bitcoin with cash at thousands of Coinstar kiosks across the country. As a result of the DCIL's efforts, Hawaii residents will now benefit from that ease of access and further opportunity at financial prosperity.

Thinking back to 2009 when the bitcoin network came into existence, terms like Ethereum, Tether and Litecoin (in mainstream circles) could still be mistaken for references to the latest Gene Roddenberry installment of the Star Trek film franchise. That said, few can make a respectable argument disputing the simple fact that the crypto currency industry is here to stay and brings with it economic innovation that is a rarity in this new post-pandemic era we find ourselves in.

Like any economic innovation, capitalistic desires begin to flourish and with it (especially in established markets) the regulatory community is not far behind in making real time adjustments to the regulatory landscape to ensure its constituency is best positioned to take advantage of an open, fair and transparent marketplace. This is necessary to ensure the economic innovation and related opportunities can meet its full potential. It is exciting to see the state of Hawaii leading the pack within the U.S. regulatory community by combining the expertise of three agencies to explore digital currency innovation for the benefit of their consumers.

As Coinme is beginning to launch their services for the two-year program we want to recognize the benefit of consulting with Chartwell Compliance as one of the keys to obtaining approval from the great state of Hawaii. The guidance and support provided by the various members of the Chartwell team especially individuals such as Melody Loudin whose expertise allowed Coinme to effectively apply and be considered to Hawaii's digital currency regulatory sandbox. To that end, regardless of a company's tenure, it is this relevant expertise that can make the critical difference between a successful initiative and an unexpected delay.

Eddie Ponce serves as the Chief Compliance Officer and AML/BSA Officer of Coinme Inc., based out of Seattle, WA. Prior to joining Coinme, Eddie served as the Head of Compliance and the Global Compliance Program at MoneyGram. While at MoneyGram he was responsible for focusing on high risk points of exposure involving legal, regulatory & operational challenges to mitigate both fiscal and reputational impact. Prior to MoneyGram, Eddie served as the Director of the Global Compliance program for First Data/Western Union’s affiliate & subsidiary money transfer companies.

ERM Framework (COSO vs. OCEG) Which One Is Right for Fintechs?
By Brad Carter, MBA, CFE, CRCMP, CCEP-I, CCBP, GRCP, GRCA, MCP

Enterprise Risk Management (ERM) has been around for a long time. The Committee of Sponsoring Organizations of the Treadway Commission (COSO) has been around since the 80s. The Open Compliance & Ethics Group (OCEG) has been around since the early 2000s. Neither one is a newcomer to ERM. That being said, I would say it’s not unusual for COSO to be brought up in an ERM conversation but not OCEG. Why is that? Many could say that COSO has been around longer and is more battle tested, but I would have to say, “not so fast my friend” (courtesy of Lee Corso).

On the surface COSO hits all of the important topics which is defined as components. COSO covers five components collectively: Control Environment, Risk Assessment, Control Activities, Information/Communication, & Monitoring Activities. Sounds simple enough, but in today’s FinTech world is the word “simple” relevant? Many FinTechs that go under risk review have multiple layers of products/services and are involved in multiple payment rails. The word we might be looking for is “complex.” This is where the Red Book model comes into play.

The Red Book model was designed to “promote Principled Performance as the universal goal of any organization team and individual” per OCEG’s website. Principled performance in a nutshell can be defined as our purpose (mission, values, goals), people (leadership, energy, principle), & pathway (silo breakdown, common capabilities). The Red Book model doesn’t look at what the company can do for compliance, instead it asks the question “what can compliance do for the company?”

The Red Book model is broken down into (4) primary components; Learn, Review, Perform, & Align. These components are broken down into subcomponents, 20 overall. Although it sounds daunting, the subcomponents bring the Red Book model to life. It gives insight into what compliance is doing for the organization and how compliance impacts everything from industry forces to even threats such as in a SWOT analysis. Many key components that may be left vague in other frameworks are defined within the Red Book model. Communication and other key categories are broken down into perfectly cut out puzzle pieces that when collected help create a masterpiece that even Picasso would be jealous of.

The Red Book model is perfect for start up Fintechs and even those who have been in business a while. It helps guide FinTechs to creating the perfect harmony between ERM & their business strategy. More importantly it gives FinTechs a chance to make their compliance program a masterpiece that fits who they are (not what they do). Although the Red Book model hasn’t been around as long as COSO, it works more effectively towards FinTechs. Any FinTech looking to build a compliance program from the ground up or any FinTech who is looking to improve their compliance program, I challenge you to try the Red Book model. The Red Book model is thorough and will involve a serious investment in time. However, as Voltaire would say “perfection is attained by slow degrees; it requires the hand of time.”

Resources

COSO: https://i-sight.com/resources/coso-framework-what-it-is-and-how-to-use-it/

OCEG: https://www.oceg.org/about/what-is-principled-performance/

Brad Carter, Senior FinTech Risk & Compliance Analyst at MVB Bank, has over 15 years in the Financial, Health, & FinTech industries. Strengths include Operational Management, Compliance & Risk management, Leadership, Strategy, & Customer Service skills. Professional achievements include Banker of the Year & the Charles Trimble Leadership Award. Brad has served in the capacity of FinTech Risk and Compliance Senior Analyst for MVB Bank since April of 2020. For more information, please contact Richard Davis at [email protected].

CHARTWELL COMPASS | OCTOBER 2020 21 CHARTWELLCOMPLIANCE.COM Criminal Background Checks Section:

▶ Edits were made to explain that fingerprints in NMLS must be no older than three years, otherwise an THE NMLS individual will need to be reprinted. ▶ Edits were made to explain that new fingerprints must be CORNER submitted within the 180-day background check window. ▶ New language was added to explain that international applicants will receive fingerprint packages in a traceable manner to their current physical or mailing international address or their employer’s address and that the applicant is responsible for providing a mailing label to Get Prepared for State License Renewal facilitate the transmission of the packet.

The NMLS 2021 Streamlined Renewal Process begins Novem- NMLS Ombudsman Meeting: Virtually Everything ber 1 and ends December 31. For a list of state regulator renewal You Need to Know deadlines, requirements, renewal fees and more, visit the An- nual Renewal page on the NMLS Resource Center: The first virtual NMLS Ombudsman Meeting was held on https://mortgage.nationwidelicensingsystem.org/slr/common/ Wednesday, September 9, from 3:30 p.m. to 5:30 p.m. ET via renewals/Pages/default.aspx WebEx. The meeting with conducted by the new NMLS Om- budsman, Jim Payne. Appointed July 1, 2020, Mr. Payne is cur- Renewal requests must be submitted through NMLS by the rently Director of Examinations and Assistant Deputy Com- date specified by your state regulator(s). Licensees should start missioner for the Consumer and Mortgage Lending Division of downloading and preparing the renewal packages as soon as the the Kansas Office of the State Bank Commissioner. renewal checklists are available. It is not recommended to wait until November 1, especially if you have multiple licenses or li- The theme for the meeting is What Happens Next? Remote censes in all states and territories. Work and Supervision in a Post-Pandemic World. The COVID-19 Pandemic forced financial service providers to move ▶ Review the Renewal Checklists to determine any quickly to remote operations. Regulators responded equally as documentation required by the state outside of NMLS. quickly by temporarily suspending regulations that prohibited remote work or inhibited operations outside of licensed loca- All requirements must be submitted to the agency within ▶ tions. While the pandemic is farfrom over, NMLS felt that it five business days of the electronic renewal submission. is not too early to discuss lessons learned from this initial re- ▶ Click the respective state agency link(s) below to review sponse and to think about how location supervision might "stay all renewal requirements. 
different" in a post-pandemic world. To receive notification of renewal checklist updates, ▶ The NMLS Ombudsman Meeting topics and themes discussed follow NMLS on Twitter @NMLSInfo or subscribe to the included: State Licensing: Checklists RSS Feed. ▶ A “Fishbowl” Discussion on Ombudsman NMLS Policy Guidebook Updates Available ▶ NMLS Ombudsman and Panelists An updated version of the NMLS Policy Guidebook has been ▶ Live Questions & Comments with the Experts posted to the NMLS Resource Center and the Regulator Re- source Center. NMLS Ombudsman, Panelists, and Attendees included the fol- https://nationwidelicensingsystem.org/slr/common/policy/ lowing: NMLS%20Document%20Library/NMLS%20Policy% 20Guidebook%20Changes%20-%20September%203,% ▶ Jim Payne, NMLS Ombudsman & Director of 202020.pdf Examinations/Assistant Deputy, Consumer and Mortgage Lending Division, Kansas Office of the State The changes are in this edition address the following issues: ▶ Bank Commissioner

CHARTWELL COMPASS | OCTOBER 2019 22 CHARTWELLCOMPLIANCE.COM ▶ Kirsten Anderson, Licensing Manager, Oregon In addition, the MSB Call Report Field Definitions have been Department of Consumer and Business Services changed to reflect the updated definition. This change will be effective for the 2020Q4 reporting period. ▶ Charlie Clark, Director, Department of Financial Institutions https://mortgage.nationwidelicensingsystem.org/licensees/ ▶ Rhoshunda Kelly, Interim Commissioner, Mississippi resources/LicenseeResources/MSB%20Call%20Report%20 Department of Banking & Consumer Finance Field%20Definitions.pdf ▶ Danielle Arlowe, Senior Vice President, American Financial Services Association Georgia Adds Installment Lender and Branch ▶ Charlie Fields, Jr., Senior Vice President, Mortgage Approval Licenses to NMLS September 1, 2020 Regulatory Relations, PennyMac Loan Services NMLS is now receiving new applications for Installment Lend- ▶ Melissa Koupal, Senior Vice President, Loan Integrity, er and Branch Approval Licenses and transitioning filings for Loan Depot the Georgia Department of Banking & Finance licenses. New ▶ Pete Mills, Senior Vice President, Residential Policy & applicants and existing licensees are now able to submit these Member Engagement, MBA records through NMLS. The agency will also begin receiving new and converted Electronic Surety Bonds through NMLS for Unfortunately, there was not a live, open forum discussion due this registration type. to the nature of the virtual meeting. Questions for panelists and commentary were taken via the WebEx Q&A function during Note: Companies holding these license types are required to the presentation. The call was recorded and is posted on the submit a license transition request through NMLS by filing a NMLS Resource Center. Company Form (MU1) and an Individual Form (MU2) for each of their control persons by October 15. 
Additionally, for each branch holding these license types, companies are encour- Other Technical Updates aged to complete and submit a Branch Form (MU3). New Business Activity in NMLS – Available June 1 District of Columbia Adds Appraisal Management The following new business activity has been added to the Company Registration to NMLS August 1, 2020 NMLS Business Activities: NMLS is now receiving new application and transition filings Precious Metals Dealing: Engaging in the business of purchas- for the District of Columbia Department of Insurance Securi- ing, selling, or trading articles made of or containing gold, sil- ties and Banking's Appraisal Management Company Registra- ver, platinum, or other precious metals or jewels. tion. New applicants and existing licensees are now able to sub- mit these records through NMLS. The agency will also begin receiving new and converted Electronic Surety Bonds through Response to Comments on Money Services NMLS for this registration type. Businesses Call Report Line Item FC650 Definition Revision Note: Companies holding these license types are required to submit a license transition request through NMLS by filing a The comments received and the responses to comments, along Company Form (MU1) and an Individual Form (MU2) for with an overview of the approved change to the definition for each of their control persons by December 31. Line Item FC650 on the Money Services Businesses (MSB) Call Report are available on the NMLS website: South Dakota Adds Mortgage Branch Registration Comments: https://mortgage.nationwidelicensingsystem.org/ to NMLS July 1, 2020 news/ProposalsForComment/2020-1%20Comments%20-%20 Proposed%20Changes%20MSBCR%20August%202020.pdf NMLS is now receiving new application filings for the South Dakota Division of Banking Mortgage Branch Registration. 
Responses: https://mortgage.nationwidelicensingsystem.org/ New applicants are now able to submit these records through news/ProposalsForComment/2020-1%20Response%20to%20 NMLS. All licensed mortgage companies are required to regis- Comments%20-%20Proposed%20Changes%20MSBCR%20 ter branch locations by December 31, 2021. August%202020.pdf

West Virginia Adds Fintech Sandbox to NMLS
July 1, 2020

NMLS is now receiving new application filings for the West Virginia Division of Financial Institutions' Fintech Regulatory Sandbox. New applicants are now able to submit these records through NMLS. There is a New Application Checklist for the West Virginia Fintech Regulatory Sandbox Registration: https://mortgage.nationwidelicensingsystem.org/slr/PublishedStateDocuments/WV_Fintech_Company-New_App-Checklist.pdf

Kansas Adds Credit Services Organization License to NMLS
July 1, 2020

NMLS is now receiving new application and transition filings for the Kansas Office of the State Bank Commissioner Credit Services Organization License. New applicants and existing licensees are now able to submit these records through NMLS. The agency will also begin receiving new and converted Electronic Surety Bonds (ESB) through NMLS for this license type.

Note: Companies holding these license types are required to submit a license transition request through NMLS by filing a Company Form (MU1) and an Individual Form (MU2) for each of their control persons by October 1.

Idaho Adds Mortgage Loan Servicing License Requirement to NMLS
July 1, 2020

NMLS is now receiving new application filings for the Idaho Department of Finance for companies that service residential mortgage loans, regardless of occupancy level or lien position, and do not currently have an approved Mortgage Broker/Lender License. Starting July 1, these companies will be required to hold a Mortgage Broker/Lender License due to an expanded definition of mortgage lending activities. This is not a new license type and application filings may be submitted now.

New York Adds Reverse Mortgage Lending Dual Authority and Reverse Mortgage Lending Authority to NMLS
June 5, 2020

NMLS is now receiving new application filings for the following New York State Banking Department licenses:

▶ Reverse Mortgage Lending Dual Authority
▶ Reverse Mortgage (HECM) Lending Authority

New applicants are now able to submit these records through NMLS.

Ohio Department of Financial Institutions to Adopt Electronic Surety Bonds

Starting June 1, the Ohio Department of Financial Institutions will begin receiving new and converted Electronic Surety Bonds (ESB) through NMLS for the Precious Metals Dealer. Please note that this is a new license type in NMLS, effective June 1.

Ohio Adds Check-Cashing, Insurance Premium Finance, Small Loan and Precious Metals Dealer Licenses to NMLS
June 1, 2020

NMLS is now receiving new application and transition filings for the following Ohio Department of Financial Institutions licenses. New applicants and existing licensees are now able to submit these records through NMLS.

▶ Check-Cashing License
▶ Insurance Premium Finance License
▶ Small Loan License
▶ Precious Metals Dealer

Note: Companies holding these license types are required to submit a license transition request through NMLS by filing a Company Form (MU1) and an Individual Form (MU2) for each of their control persons by August 31. Additionally, for each branch holding these license types, companies are encouraged to complete and submit a Branch Form (MU3).

Alaska Adds Nonprofit Organization Mortgage Exemption to NMLS
June 1, 2020

NMLS is now receiving new application filings for the Alaska Division of Banking and Securities Nonprofit Organization Mortgage Exemption. New applicants are now able to submit these records through NMLS.

Alaska Adds Deferred Deposit Advance License to NMLS
May 1, 2020

NMLS is now receiving new application and transition filings for the Alaska Division of Banking and Securities Deferred Deposit Advance License. New applicants and existing licensees are now able to submit these records through NMLS.

Note: Companies holding these license types are required to submit a license transition request through NMLS by filing a Company Form (MU1) and an Individual Form (MU2) for each of their control persons by July.

Chartwell New Hires, Promotions, and Events

Chartwell is pleased to welcome the following individuals to its team of professionals.

SHARON BLANCHETTE, former Chief Risk Officer, Director of a Financial Investigations Unit, Director of Consumer Compliance, and Audit Director, joins Chartwell as a Compliance Director and brings over 20 years of risk management, audit, regulatory compliance, and AML experience and expertise. For financial institutions, she has also served as a Director of Compliance for a national consulting firm. In some of her previous roles, Sharon was onboarded to remediate regulatory enforcement actions, and has extensive experience acting as a liaison to regulatory examiners. To learn more about Sharon, please click here https://www.chartwellcompliance.com/team/sharon-blanchettecpa-cia-crcm-cams-mba/.

TODD JONES joins Chartwell as a Compliance Director on Chartwell’s state Licensing team and brings over 20 years of experience in various leadership positions achieving goal oriented results within regulatory compliance. His varied experience includes money transmitter licensing, regulatory exam management, BSA/AML program development and ongoing maintenance, data analysis, investigations, data governance as well as project management. Prior to joining Chartwell, Todd spent his career at Western Union where he spent years acting as the liaison between the company and both state/federal regulators in Canada and the U.S. during regulatory examinations and managing state license maintenance for 53 US states and territories. He oversaw consumer and Agent investigations for multiple regions internationally and led ongoing transaction monitoring teams as well as had oversight for the associated development of both domestic and international programs. Todd’s other responsibilities included facilitating ongoing information sharing sessions with federal regulators regarding questionable transaction patterns, as well as working closely with consultants during external engagements. To learn more about Todd, please click here https://www.chartwellcompliance.com/team/todd-jones-cams/.

ANDREA THOMAS, former regulatory licensing specialist for Netspend Corporation, joins Chartwell as a Compliance Professional on Chartwell’s state Licensing team. Andrea brings experience in regulatory licensing and compliance, beginning her career in the prepaid debit card industry over six years ago. Prior to joining Chartwell, Andrea served as a regulatory licensing specialist for Netspend Corporation, where she maintained money transmitter licenses in 50 jurisdictions. Her responsibilities included maintaining authorized delegate location reporting, monthly, quarterly, semi-annual and annual reporting to the states as well as coordinating both the internal and external aspects of state regulatory examinations. Andrea is a Certified Legal Assistant receiving her certification from the University of Texas El Paso, after which she worked for four years at Hanna Law Firm, a personal injury attorney, where she had a multi-disciplinary role from paralegal to office manager. To learn more about Andrea, please click here https://www.chartwellcompliance.com/team/andrea-thomas/.

RAPHAEL IMPELLIZZERI, former State Examiner with the Florida Department of Agriculture and Consumer Services, joins Chartwell as an Assistant Director on Chartwell’s Federal Compliance team. Raphael brings over 20 years of experience in regulations including serving as the Regulatory, OFAC and AML Officer at a Commercial Bridge Lender that specializes in high net worth foreign nationals loans on investment real estate in the US. During his time in the public sector as a State Examiner with the Florida Department of Agriculture and Consumer Services he specialized in unlicensed investigations and later with the Florida Office of Financial Regulations where he specialized in Consumer Lending, AML and OFAC regulations, Mortgage Brokerage, Lending and Servicing, Securities, and Risk Compliance before joining FinCEN as a Compliance Specialist. Raphael’s public service career focused on protecting consumers from Financial Fraud as part of the Enforcement Units at these governmental agencies. To learn more about Raphael, please click here https://www.chartwellcompliance.com/team/raphael-impellizzeri/.

Chartwell Compliance Shows You the Way

One state regulator with a reputation for strictness attested to the conscientiousness and efficiency of the Chartwell Compliance team by stating: “I would also like to take this opportunity to say thank you so much for submitting such a complete and thorough application. It is extremely rare (it has actually only happened one other time in the history of our division regulating money transmitters) that we receive an application that does not require us to ask the applicant for additional information!”

Chartwell Compliance offers all-in-one integrated regulatory compliance and risk management consulting, testing, audit and examinations, and outsourcing services. We serve bank and non-bank financial service providers that are striving to do business successfully in the midst of unprecedented regulatory upheaval.

Chartwell Compliance is attuned to emerging trends, new regulations and rules, and issues relating to the financial services industry. Our consultants believe every client is critically important; this, along with high service delivery standards coupled with a smaller firm’s pricing, allows Chartwell to deliver a value unmatched in the marketplace.

The people of Chartwell have a practical, real-world understanding of regulatory compliance, enterprise risk management, and financial crimes. Chartwell consultants have gained their real-world understanding through numerous years of work as regulators, law enforcement officials, and operators in the financial industry. This allows us to translate compliance in practical ways, helping our clients maintain fee revenue, lower operating costs, and proactively anticipate the desires and requirements of a diverse range of agencies and regulators in charge of supervising financial institutions.

Chartwell Compliance, as an all-in-one consulting firm, allows our clients to avoid the burden of managing multiple vendor relationships, making it possible for our clients to realize economies of scale. In addition, our clients gain further value from having a partner with experience and expertise encompassing compliance, risk, and corporate planning. Our consultants are passionate about their areas of expertise and equally comfortable as testers, trainers, or mentors to our clients.

CHARTWELL BRINGS to bear the breadth of its experience with the various state regulators, including knowledge of the preferences and personalities of the various staff working for the various regulatory bodies. Where there are gray areas (often in a changing landscape), Chartwell’s experience enables their personnel to make recommendations as to how to respond to a variety of requirements (e.g., reporting and license renewal requirements). In addition, as our Company has become licensed over the last 3 years, we continue to engage Chartwell for support with ongoing license maintenance and renewals (an effort not to be underestimated). This includes support with managing “advance change notifications” when the licensed entity proposes to appoint new officers (a surprisingly involved process that takes several weeks).

In short, we have been pleased with the quality of Chartwell’s support from day one. And, although we certainly rely on outside counsel from time to time for legal issues and legal interactions with regulators, we have found that Chartwell offers the most cost-effective approach for supporting management of the nuts-and-bolts of filing license applications and supporting ongoing license maintenance and renewals.

Suzan S. Rowland, Deputy General Counsel
Yapstone Holdings, Inc.

Value Propositions

▶ “One-stop payment shop” for Fintech Clients through our partnership with MVB Bank
▶ One of the best AML, CFT, financial crimes and state license consultancies in the world
▶ One of North America’s best MSB and emerging payments compliance consulting firms
▶ Very well-rounded practitioners experience
▶ Nimble, specialized and affordable
▶ Significantly lower cost, more services, and more practitioners experience
▶ Entrepreneurial and highly responsive
▶ End-to-end services and outsourcing
▶ Free distribution of quarterly technical publication, Chartwell Compass
▶ Strong human and software project administration backbone to keep on time and on budget.

Consultants

Our team is cross-certified in regulatory compliance, anti-money laundering, testing, information technology and security, and fraud. The diversified experience of our consultants provides our clients with access to experienced examiners, operators, and regulatory policy makers in both the banking and non-banking segments of the financial services market, including some of the most talented and seasoned professionals in emerging payments compliance. This vast, multi-disciplinary experience allows us to help our clients design and implement compliance and risk management programs and practices properly calibrated to address both the current and prospective regulatory environment in an effective manner. As a result, our clients’ products and services can be launched more quickly and remain appropriately priced, usable, compliant, and of high value to end users.

Our group includes some of the industry’s foremost authorities on regulatory compliance, information security, licensing, and fraud such as:

▶ Average of 22 years of experience per professional
▶ Internationally-Prominent U.S. Payments Licensing and Compliance Advisory and Outsourcing Practice
▶ Regulatory Experience with the California Department of Business Oversight
▶ Former executives and managers from MSBs such as Western Union, First Data, and Sigue.
▶ Extensive experience working in or with start-ups
▶ Long-standing relationships between many team members
▶ Former Office of the Comptroller of the Currency (OCC) Assistant Director of Enforcement
▶ Former Compliance Specialist with the FinCEN and Financial Specialist with the Florida Office of Financial Regulations
▶ Certified AML (CAMS) and regulatory compliance manager certifications (CRCM), PMP
▶ Former senior compliance and risk managers for state and nationally chartered banks
▶ Former Chief of the Federal Bureau of Investigation’s Financial Crimes and Terrorist Financing Sections

Services

REGULATORY COMPLIANCE
Chartwell Compliance provides consulting across nearly the entire range of rules and regulations affecting bank and non-bank financial institutions. Our regulatory subject matter expertise includes but is not limited to: Enforcement action solutions; Bank Secrecy Act (“BSA”); Office of Foreign Assets Control (“OFAC”); Loan Compliance (commercial, consumer, real estate); Deposit Compliance, Home Mortgage Disclosure Act (“HMDA”); Secure and Fair Enforcement for Mortgage Licensing Act (“SAFE”); Unfair, Deceptive or Abusive Acts or Practices Act (“UDAAP”); social media; capital requirements; Community Reinvestment Act (“CRA”); state and federal regulations for money services businesses, stored value, and payment systems.

BSA/OFAC, AML, FRAUD & CORRUPTION
Chartwell Compliance brings together some of the country’s most prominent authorities in Anti-Money Laundering and Combating the Financing of Terrorism (“AML/CFT”) financial crimes and fraud prevention. Chartwell Compliance’s proficiencies include: Counter terrorism financing; anti-money laundering; asset forfeiture and recovery; fraud prevention (corporate and mortgage); Foreign Corrupt Practices Act and the UK Bribery Act; forensic accounting; foreign government advisory on AML/CFT regulatory regimes. Chartwell Compliance provides a wide variety of related services including: Training and seminars; enforcement action solutions; comprehensive look back reviews; policy and procedure development; independent reviews; risk assessments; investigations and due diligence, expert witness services; and non-legal opinions.

STATE MONEY SERVICES BUSINESS LICENSING
Chartwell Compliance assists money services businesses such as prepaid access providers, currency exchangers, check-cashing companies, e-wallet service providers, and mobile technology companies in applying for and maintaining state licensure requirements. We offer first-hand experience, reasonable non-legal pricing and additional value in being able to assist clients with related areas such as AML compliance and corporate planning. Chartwell Compliance provides services tailored to fit the specific needs of each MSB including: preparation and submission of state license applications; FinCEN/FINTRAC registrations; administration of existing state license portfolios including renewals, periodic reporting, and other requirements; assistance with state regulatory exams and related remedial work; and non-legal regulatory opinion relative to licensing and regulatory requirements.

DUE DILIGENCE AND INVESTIGATIONS
The team of former senior law enforcement and regulatory officials and private sector executives of Chartwell Compliance permits Chartwell to undertake due diligence and investigation activities in a range of areas in the U.S. and overseas. We also offer assistance to institutional investors and other companies conducting corporate due diligence on investment, merger, and acquisition targets.

OPERATIONS & GOVERNANCE
Many Chartwell Compliance consultants have experience in corporate operations, planning and leadership. Chartwell Compliance provides consulting services in all of these areas, as well as providing clients with services such as: Assessments and recommendations; enterprise wide risk assessments; key indicator dashboards; policies and procedures; employee training; board of directors training, and other services.

Strategic Alliances

Chartwell Compliance welcomes relationships that deepen the value provided to our mutual customers. In particular, Chartwell Compliance has a select number of strategic partnerships with leading service and software providers in the financial sector seeking a trusted source for referrals, thought leadership and feedback on new products from the perspective of regulators, law enforcement officials and former practitioners. Some of our alliances include:

• Fiserv, Inc. (NASDAQ: FISV) is the leading global provider of information management and electronic commerce systems for the financial services industry.

• Thomson Reuters is the world’s leading source of intelligent information for businesses and professionals.

• Consistently ranked as number one in the space, NICE Actimize experts apply innovative technology to protect institutions and safeguard consumers’ and investors’ assets by identifying financial crime, preventing fraud and providing regulatory compliance.

• Accuity offers a suite of innovative solutions for payments and compliance professionals, from comprehensive data and software that manage risk and compliance, to flexible tools that optimize payments pathways.

• Acuant Compliance's Trusted Identity Platform provides identity verification, regulatory compliance (AML/KYC) and digital identity solutions leveraging AI and human assisted machine learning to deliver unparalleled accuracy and efficiency.

Resellers

Owned by Reed Elsevier, Accuity is part of BankersAccuity, the global standard for payment efficiency and compliance solutions. Accuity is a leading provider of global payment routing data, AML screening data and software and professional services that allow organizations, across multiple industries, to maximize efficiency and facilitate compliance of their transactions. Accuity maintains authoritative and comprehensive databases globally with a reputation built on the accuracy and quality of our data, products and services.

Awards & Honors

Chartwell has been recognized not only for its superior services and dedication to client relationships but also for its commitment to investing in and developing a unique workplace. The backbone of Chartwell's success is its expert team that truly embodies the Chartwell brand.

Gettysburg Leadership Training

Kaizen training in Japan

Request your complimentary digital subscription of the Chartwell Compass today! Start receiving the latest on financial institution regulatory compliance, financial crime prevention, and risk management issues.

Chartwell Compliance is a wholly-owned subsidiary of MVB Bank, Inc.

FEBRUARY 2018 | CHARTWELLCOMPLIANCE.COM

A PUBLICATION OF CHARTWELL COMPLIANCE

Chartwell Compliance provides a one-stop shop of consulting, testing and outsourcing services in the areas of regulatory compliance, state MSB licensing, financial crimes prevention and enterprise risk management.

▶ NY Part 504 Rule – Ready to sign-off? By Omar Magana
▶ Choosing Your Name and Business Registration By Lily Sayers
▶ EU Guidelines On Data Breach Notifications By Edwin Jacobs
▶ NMLS CORNER: NMLS Agency News
▶ NMLS CORNER: NMLS—NMLS 2.0
▶ Interview with Sherry Tomac, PMP, Vice President, Chartwell Compliance By Richard Davis
▶ Points to Ponder
▶ Regulatory Updates
▶ Chartwell Shows you the Way
▶ Services
▶ Strategic Alliances

EDITORIAL STAFF
Daniel A. Weiss, President and CEO, [email protected]
Jonathan Abratt, Chief of Staff, [email protected]
Richard Davis, Corporate Services Director, [email protected]

Photo: Luca Bravo on Unsplash

Risk Based

The risk assessment provides organizations a pathway to develop an effective compliance program. The rule clearly states that the Transaction and Filtering Programs “must be based on the Risk Assessment of the Institution”; thus, organizations must make their best efforts to understand their unique BSA and AML risk profile and mitigate those risks by identifying any gaps to define and implement immediate corrective actions.

Transaction Monitoring System Maintenance

The regulation goes on to provide a list of additional attributes that reporting entities must include at minimum in relation to their Transaction Monitoring System (TMS). These attributes revolve around the need of having a transparent process for:

▶ identifying and detecting trends or patterns in suspicious and unusual activity;
▶ identifying customers who present an elevated level of AML or terrorist financing risk to the organization; and
▶ rules and/or parameters used for the detection and monitoring framework of the system as established.

Further, it highlights the importance of articulating and documenting the TMS model’s purpose, use and expected results. Considering whether the TMS may be developed in-house or provided by a third-party vendor, when evaluating TMS’ performance, organizations must have a clear understanding of its model’s intended uses.

Lately, we’ve seen sophisticated changes and innovation on TMS’s, for which reporting entities must have ongoing evaluations of their systems to confirm that results and controls are adequate.

Watch list filtering Program

Transaction Monitoring obligations may appear to be slightly different from compliance with Watch List filtering obligations, but there are key similarities such as the use of judgement and the adoption of a risk based approach. Organizations that have designed and implemented a Watch List filtering program still need to consider whether they are sufficient for the purposes of the NY 504 Rule.

Conclusion

The importance of documentation during the development and ongoing management of the BSA, AML, and OFAC programs is vital. Senior management should ascertain that its model validation teams have an adequate understanding of the characteristics particular to AML and are capable of documenting technicalities as they carry out implementations, developments or validations.

So, do you feel confident to sign-off on the Annual Certification relating to the management of your organization’s AML Transaction Monitoring and Filtering programs? Our consultants can help your organization assess compliance with the NY Part 504 Rule.

Omar Magana, CAMS, Compliance Director at Chartwell Compliance offers clients the benefit of a veteran compliance officer with over 15 years of experience in domestic and foreign regulatory environments. Omar has experience building and executing international as well as domestic AML and due diligence programs and leading anti-bribery and corruption programs. Omar also has participated in various task forces geared toward the development of policies and procedures, operational improvements, and assessing compliance implications for new products and services. For more information please contact Omar at [email protected].

Chartwell grants permission to all subscribers to freely distribute this publication.

301 Virginia Avenue, Fairmont, WV 26554 | [email protected] | chartwellcompliance.com

Chartwell Compass is intended to provide education and general information on regulatory compliance, reasonable management practices and corresponding legal issues. This publication does not attempt to offer solutions to individual problems and the content is not offered as legal advice. Questions concerning individual legal issues should be addressed to the attorney of your choice.

PHOTOS: UNSPLASH, CHARTWELL COMPLIANCE