1. Designing a Compliance Program
for Virtual Currencies
Virtual Currencies Compliance Conference
New York, August 14, 2013
by Juan Llanos, CAMS
2. Agenda
1. Risk identification
Risk areas: focus on AML
2. Risk mitigation
a) Program design tips
b) Overview of corporate and product safeguards
c) Customer identification and authentication (de-anonymization)
3. Suspicious activity (SA) detection via monitoring and analysis
Leveraging the blockchain
4. Unsolicited (contrarian) advice
© 2013 JuanLlanos
4. Risks & Stakeholders
Risk areas
• operational
• credit
• money laundering
• terrorist financing
• information loss
• liquidity
• fraud
• identity theft
Stakeholders
• federal agencies
• state agencies
• investors
• consumers
• employees
• society
Goals
• safety
• soundness
• security
• privacy
• crime prevention
• health
• integrity
Regulation: inevitable, yet valid
Compliance: onerous, yet valuable
5. Money transmitters and their agents are perceived as HIGH RISK of:
• ABUSE TO CONSUMER
• MONEY LAUNDERING
• TERRORIST FINANCING
Money transmission = highly regulated industry
6. How Can We Abuse Consumers?
• Loss of funds
• Wrong product/service
• Failed transactions
• Overpricing
• Divulging/losing private data
• Claims ignored
7. How Can Money be Laundered Through Us?
Front office and back office:
• Identity theft & impersonation
• Structuring
• Fraudulent acts
• Lax controls
General risks (all FIs): fake IDs, negligence, incompetence & wrongdoing
8. Money Transmitter Regulation
Main risk areas and the main statutes and regulations that govern them:
• Anti-Money Laundering: BSA, USA PATRIOT Act, Money Laundering Acts
• Anti-Terrorism Financing (CFT): USA PATRIOT Act, OFAC
• Privacy and Information Security: Gramm-Leach-Bliley
• Safety and soundness: State (via licensing)
• Consumer protection: State (via licensing) + Dodd-Frank / Regulation E (CFPB)
Focus: AML/BSA + State Compliance
11. Operational Risks and Mitigators
Risks:
• Commingling/diversion of funds
• Poor cash management, accounting and settlement
• Poor document management, reporting and record-keeping
• Inadequate policies and procedures
• Poor controls
• Systems breakdowns
Mitigators:
• Employee acceptance, monitoring and termination protocols
• Employee training and education
• Professional financial, operational and compliance management
• Dual controls and segregation of duties
• Business continuity and disaster recovery planning
• Independent auditing and testing
• State-of-the-art technology
12. Customer Risks and Mitigators
Risks:
• Complicity with agent or foreign counterparty
• Complicity with recipient (or sender)
• 'Drip-irrigation' transfer of illicit funds (one sender to many recipients, many senders to one recipient, many to many)
• Intra-company structuring
• Inter-company structuring ('smurfing')
• Terrorist financing
Mitigators:
• Customer acceptance, monitoring and termination protocols
• Transaction & behavior monitoring
• Lower identity verification thresholds at origin and destination
• For cards: maximum loadable amounts, expiration date, and limited number of recipients
• Redundant identity verification procedures at destination
• POS training
• OFAC screening
• Eventually, intercompany transaction monitoring by a highly professional and secure clearing house. This is the only possible antidote against 'smurfing', because no single company can see structuring that is spread across several companies.
13. Foreign Counterparty Risks and Mitigators
Risks:
• Complicity with sender or agent
• Poor cash sourcing, management, accounting and settlement
• Poor documentation and record-keeping
• Lax policies, procedures and controls
• Poor regulatory regime
• Credit risk
• Systems breakdowns
Mitigators:
• Foreign counterparty acceptance, monitoring and termination protocols
• Selecting reputable partners with a proven track record and effective systems and controls
• Transaction monitoring
• Independent auditing and testing
• OFAC screening
14. Agent Risks and Mitigators
Risks:
• Assistance in structuring
• Complicity with sender or beneficiary
• Commingling of funds
• Credit risk
• Identity theft
• Non-compliance with Section 352 of the USA PATRIOT Act
Mitigators:
• Agent acceptance, monitoring and termination protocols
• Transaction monitoring
• POS training
• Zero tolerance policy
• Secret shopping and stress testing
• OFAC screening
15. Agenda (recap of slide 2)
16. Program Design Tips
1. Always understand the flow of DATA and the flow of MONEY.
2. Life-cycle management and the right mix of detective and deterrent techniques, including effective training, are key.
3. Document or perish.
19. CORPORATE Safeguards*
* AML Program Elements (Section 352 of the USA PATRIOT Act)
1. A designated compliance officer + professional team
2. Written policies and procedures + operational controls:
• Licensing, renewal and reporting procedures (state)
• Registration, record-keeping and report-filing procedures (federal)
• KY (Know Your…) Subprograms: acceptance, monitoring, correction and termination
• KY…Customer
• KY…Agent
• KY…Foreign Counterparty
• KY…Employee
• KY…Vendor
• Monitoring, analysis and investigating procedures
• OFAC compliance program
• Response to official information requests
• Privacy and information security protection protocols
3. An on-going training program
• Risk & Compliance Committee
4. An independent compliance auditing function
20. Key Elements of a BSA/AML Program
• State Compliance: licensing, renewal and reporting procedures // consumer protection disclosures, etc.
• Federal Compliance: registration, record-keeping and report-filing procedures
• KY (Know Your…) Subprograms: acceptance, monitoring, correction and termination (Life-Cycle Management)
• KY…Customer
• KY…Agent
• KY…Foreign Correspondent or Counterparty
• KY…Employee
• KY…Vendor
• SA Detection: monitoring, analysis and investigating procedures
• Information Sharing: response to information requests
• OFAC Compliance Program
• Privacy and information security protection protocols (GLBA)
21. PRODUCT Safeguards
Cash features:
• Anonymous identification
• No value limits
• Anonymous funding
• No transaction records
• Wide geographical use
• No usage limits
Anything we do to counter these will mitigate the risk of our product!
22. CUSTOMER Identification
Non-face-to-face: card-not-present standards
Non-documentary: contacting a customer; independently verifying the customer's identity through the comparison of information provided by the customer with information obtained from a consumer reporting agency, public database, or other source; checking references with other financial institutions; and obtaining a financial statement.
Documentary: review an unexpired government-issued form of identification from most customers. This identification must provide evidence of a customer's nationality or residence and bear a photograph or similar safeguard; examples include a driver's license or passport. However, other forms of identification may be used if they enable the bank to form a reasonable belief that it knows the true identity of the customer.
23. Authentication Strength
Multifactor authentication:
• Something the user knows (e.g., password, PIN)
• Something the user has (e.g., ATM card, smart card)
• Something the user is (e.g., biometric feature)
Authentication methods:
• Shared secrets
• Tokens (smart card, one-time password generating device)
• Biometrics (fingerprint, face, voice, keystroke recognition)
• Out-of-band authentication
• Internet protocol address (IPA) location and geo-location
• Mutual identification
Source: FFIEC
24. Agenda (recap of slide 2)
25. Behavioral Analytics
"What customers do speaks so loudly that I cannot hear what they're saying."
(Paraphrasing Ralph Waldo Emerson)
Customer identification vs. customer knowledge
26. Machine Learning (AI) Methods
SUPERVISED LEARNING: relies on two labeled classes (good vs. bad)
Goal: detect known suspicious patterns
1. Training set:
a. Select a dataset with clean and dirty cases.
b. Apply a classification algorithm to discriminate between the two classes (it finds the rules or conditions).
c. Obtain probabilities of class 1 and class 2 assignment.
2. Run the discrimination method on all future purchases.
UNSUPERVISED LEARNING: no class labels
Goal: detect anomalies
1. Take recent purchase history and summarize it in descriptive statistics.
2. Measure whether selected variables exceed a certain threshold (deviations from the norm).
3. Sound an alarm and record a high score.
27. Examples of Known Behaviors
• High amounts
• High frequency
• Use of multiple locations
• Use of multiple identities
• Use of untrusted device
• Values just below threshold
• Immediate withdrawals
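As an added illustration (not code from the deck or from its author), the Python module below turns the known behaviors on slide 27 into rule checks run over a constructed sample ledger, and adds the unsupervised step from slide 26 as a per-customer deviation score (mean and standard deviation of prior deposits, alarm when the latest deposit sits too many standard deviations away). The reporting threshold, velocity window, record layout, KYC extract and sample transactions are all assumptions made for the example.

```python
"""Added example (not from the deck): rule checks for the 'known behaviors'
on slide 27 and a simple unsupervised deviation score in the spirit of the
anomaly-detection steps on slide 26. Field names, thresholds and the sample
ledger are constructed assumptions for illustration."""
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import mean, pstdev

# Assumed policy parameters (not stated in the deck).
REPORT_THRESHOLD = 10_000.00            # amounts at/above this are "high"
JUST_BELOW_BAND = 0.10                  # 9,000.00 .. 9,999.99 is "just below"
VELOCITY_WINDOW = timedelta(hours=24)   # rolling window for the frequency check
VELOCITY_MAX_DEPOSITS = 2               # more than this in the window is "high"
WITHDRAWAL_MAX_DELAY = timedelta(minutes=30)
Z_ALARM = 4.0                           # deviation score that sounds the alarm

# Constructed sample ledger:
# (txn_id, customer, "YYYY-MM-DD HH:MM", kind, amount, location, trusted_device)
SAMPLE_TXNS = [
    ("t1", "cust-A", "2013-08-01 09:00", "deposit",   9_800.00, "NYC", True),
    ("t2", "cust-A", "2013-08-01 11:30", "deposit",   9_900.00, "NYC", True),
    ("t3", "cust-A", "2013-08-01 12:05", "deposit",   9_750.00, "BOS", False),
    ("t4", "cust-A", "2013-08-01 12:20", "withdraw", 29_000.00, "BOS", False),
    ("t5", "cust-B", "2013-08-01 10:00", "deposit",     150.00, "NYC", True),
    ("t6", "cust-B", "2013-08-02 10:00", "deposit",     175.00, "NYC", True),
    ("t7", "cust-B", "2013-08-03 10:00", "deposit",     160.00, "NYC", True),
    ("t8", "cust-B", "2013-08-04 10:00", "deposit",   4_000.00, "NYC", True),
]
# Constructed KYC extract: customer -> government ID number on file.
SAMPLE_IDS = {"cust-A": "ID-111", "cust-B": "ID-222", "cust-C": "ID-111"}


def _parse(ts):
    return datetime.strptime(ts, "%Y-%m-%d %H:%M")


def _by_customer(txns):
    groups = defaultdict(list)
    for t in txns:
        groups[t[1]].append(t)
    for rows in groups.values():
        rows.sort(key=lambda r: _parse(r[2]))
    return groups


def known_behavior_flags(txns):
    """Supervised-style rules: each flag names one slide-27 behavior that can
    be checked from the ledger alone. Returns {customer: set(flags)}."""
    flags = defaultdict(set)
    for cust, rows in _by_customer(txns).items():
        locations, deposit_times, last_deposit_at = set(), [], None
        for _, _, ts, kind, amount, loc, trusted in rows:
            at = _parse(ts)
            locations.add(loc)
            if amount >= REPORT_THRESHOLD:
                flags[cust].add("high_amount")
            if kind == "deposit":
                if REPORT_THRESHOLD * (1 - JUST_BELOW_BAND) <= amount < REPORT_THRESHOLD:
                    flags[cust].add("just_below_threshold")
                deposit_times.append(at)
                last_deposit_at = at
            elif kind == "withdraw" and last_deposit_at is not None:
                if at - last_deposit_at <= WITHDRAWAL_MAX_DELAY:
                    flags[cust].add("immediate_withdrawal")
            if not trusted:
                flags[cust].add("untrusted_device")
        if len(locations) > 1:
            flags[cust].add("multiple_locations")
        # High frequency: count deposits in a rolling window starting at each deposit.
        for i, start in enumerate(deposit_times):
            in_window = sum(1 for u in deposit_times[i:] if u - start <= VELOCITY_WINDOW)
            if in_window > VELOCITY_MAX_DEPOSITS:
                flags[cust].add("high_frequency")
                break
    return dict(flags)


def shared_identity_flags(ids):
    """'Use of multiple identities': customer records that share one ID number."""
    owners = defaultdict(list)
    for cust, id_number in ids.items():
        owners[id_number].append(cust)
    return {k: sorted(v) for k, v in owners.items() if len(v) > 1}


def deviation_scores(txns, z_alarm=Z_ALARM):
    """Unsupervised step: summarise each customer's prior deposits with mean and
    standard deviation, then score the latest deposit by how many standard
    deviations it sits from that norm. Returns {customer: (score, alarmed)}."""
    scores = {}
    for cust, rows in _by_customer(txns).items():
        amounts = [r[4] for r in rows if r[3] == "deposit"]
        if len(amounts) < 3:          # not enough history to define a norm
            scores[cust] = (0.0, False)
            continue
        prior, latest = amounts[:-1], amounts[-1]
        sd = pstdev(prior)
        if sd == 0:                   # flat history: any change is infinitely unusual
            z = 0.0 if latest == prior[0] else float("inf")
        else:
            z = abs(latest - mean(prior)) / sd
        scores[cust] = (z, z > z_alarm)
    return scores


if __name__ == "__main__":
    print(known_behavior_flags(SAMPLE_TXNS))
    print(shared_identity_flags(SAMPLE_IDS))
    print(deviation_scores(SAMPLE_TXNS))
```

On the sample data cust-A trips every ledger-based rule (three deposits just under the threshold within hours, a location and device change, then a withdrawal fifteen minutes after the last deposit), while cust-B trips none of them but is caught by the deviation score, which is the point of running both: the rules catch patterns you already know, the deviation score catches a customer departing from their own norm.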
30. An Analysis of Anonymity in the Bitcoin System (Bitcoin is Not Anonymous)
by Fergal Reid and Martin Harrigan (2011)
• The entire history of Bitcoin transactions is publicly available.
• "Using an appropriate network representation, it is possible to associate many public-keys with each other, and with external identifying information."
• "Large centralized services such as the exchanges and wallet services are capable of identifying and tracking considerable portions of user activity."
Link: http://anonymity-in-bitcoin.blogspot.com/2011/07/bitcoin-is-not-anonymous.html
31. The victim woke up on the morning of 13/06/2011 to find a large portion of his Bitcoins sent to 1KPTdMb6p7H3YCwsyFqrEmKGmsHqe1Q3jg. The alleged theft occurred on 13/06/2011 at 16:52:23 UTC shortly after somebody broke into the victim's Slush pool account and changed the payout address to 15iUDqk6nLmav3B1xUHPQivDpfMruVsu9f. The Bitcoins rightfully belong to 1J18yk7D353z3gRVcdbS7PV5Q8h5w6oWWG.
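The quotations on slide 30 and the theft case on slide 31 describe the technique without showing it. As an added example (not code from the deck, from Juan Llanos, or from Reid & Harrigan), the Python below applies the multi-input heuristic their paper relies on (all inputs of one transaction are assumed to be controlled by the same entity) as union-find clustering over a constructed set of transactions, then walks outputs forward from a starting address the way an investigator would from the victim's address on slide 31, and reports which cluster each downstream address falls in and whether that cluster carries an external tag. The addresses, transactions and the "exchange" tag are made up; the real addresses from the slide are deliberately not used.

```python
"""Added example (not from the deck or from Reid & Harrigan): multi-input
clustering with union-find over constructed transactions, plus a
follow-the-money walk from a starting address. All data below is made up."""
from collections import defaultdict

# Constructed transactions: (txid, [input addresses], [(output address, amount)])
SAMPLE_TXS = [
    ("tx1", ["A1", "A2"], [("B1", 5.0), ("A3", 1.0)]),   # A1 and A2 spent together
    ("tx2", ["A3"],       [("C1", 0.9)]),                # A3 was tx1's change output
    ("tx3", ["B1"],       [("X1", 4.0), ("B2", 1.0)]),   # X1 is a tagged exchange deposit
    ("tx4", ["C1", "C2"], [("D1", 1.5)]),
    ("tx5", ["A4", "A2"], [("E1", 2.0)]),                # links A4 into A1's cluster
]
# Constructed "external identifying information": a large service knows which
# deposit addresses it issued (cf. the second quotation on slide 30).
SAMPLE_TAGS = {"X1": "exchange:acme"}


class UnionFind:
    """Disjoint sets over address strings with path halving."""
    def __init__(self):
        self.parent = {}

    def find(self, x):
        self.parent.setdefault(x, x)
        while self.parent[x] != x:
            self.parent[x] = self.parent[self.parent[x]]
            x = self.parent[x]
        return x

    def union(self, a, b):
        ra, rb = self.find(a), self.find(b)
        if ra != rb:
            self.parent[rb] = ra


def cluster_by_multi_input(txs):
    """Multi-input heuristic: every input of one transaction is assumed to be
    controlled by the same entity. Returns {smallest member: sorted members}."""
    uf = UnionFind()
    for _, inputs, outputs in txs:
        for addr in inputs[1:]:
            uf.union(inputs[0], addr)
        for addr in inputs:
            uf.find(addr)            # register single-input spenders too
        for addr, _ in outputs:
            uf.find(addr)            # register outputs as singletons
    clusters = defaultdict(list)
    for addr in uf.parent:
        clusters[uf.find(addr)].append(addr)
    return {min(members): sorted(members) for members in clusters.values()}


def trace_flow(txs, start_addr, max_hops=4):
    """Breadth-first walk forward from start_addr: every transaction that
    spends a reached address sends funds to all of its outputs.
    Returns {address: hops from start} for every address reached."""
    spends = defaultdict(list)       # address -> outputs of txs that spend it
    for _, inputs, outputs in txs:
        for addr in inputs:
            spends[addr].append(outputs)
    reached, frontier = {start_addr: 0}, [start_addr]
    while frontier:
        nxt = []
        for addr in frontier:
            hop = reached[addr] + 1
            if hop > max_hops:
                continue
            for outputs in spends[addr]:
                for out_addr, _ in outputs:
                    if out_addr not in reached:
                        reached[out_addr] = hop
                        nxt.append(out_addr)
        frontier = nxt
    return reached


def attribute(txs, tags, start_addr):
    """Combine both steps: for each address downstream of start_addr report
    (hops, cluster representative, sorted external tags on that cluster)."""
    clusters = cluster_by_multi_input(txs)
    owner = {a: rep for rep, members in clusters.items() for a in members}
    cluster_tags = defaultdict(set)
    for addr, tag in tags.items():
        cluster_tags[owner[addr]].add(tag)
    return {addr: (hops, owner[addr], sorted(cluster_tags.get(owner[addr], ())))
            for addr, hops in trace_flow(txs, start_addr).items()}


if __name__ == "__main__":
    for addr, info in sorted(attribute(SAMPLE_TXS, SAMPLE_TAGS, "A1").items()):
        print(addr, info)
```

Two things worth noticing in the output: A4 is pulled into A1's cluster although it never touched A1 directly, because tx5 spends it together with A2; and A3, which is really A1's change, stays a singleton because the multi-input heuristic says nothing about outputs. Change-address heuristics exist but are far noisier, and a compliance program that acts on them should treat their output as a lead to verify, not as an identification.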
34. Agenda (recap of slide 2)
35. • Get real: WANT vs. MUST vs. CAN
• Prevention trumps damage control
• Risk management: both reducing downside and increasing upside
• Simplicity and common sense
• Train for behavior change, not theoretical knowledge
• Form-substance continuum: substance
• Letter-spirit continuum: focus on spirit (underlying purpose and values); this facilitates:
• Operational synergies (leveraging tech)
• Compliance without compromising performance
• Flexibility and sustainability
36. FORM (seem) vs. SUBSTANCE (be)
FORM (seem): handbooks, written policies, talk (lawyers, public relations)
SUBSTANCE (be): operationalization, quality, walk (compliance officers, engineers, leaders)
37. “Prosecutors are looking for
substantive AML programs (not just
paper ones) in determining whether
you’re a victim or a suspect.”
Former federal prosecutor
“A well-written AML program will not
by itself be sufficient. It’s the
everyday operation, the execution
and delivery, that matters.”
Wells Fargo MSB Risk Manager
38. Evolution of Regulatory Relations
Each stage pairs the firm's values and culture with the resulting regulatory relationship.
Minimum Standards
• Values and culture: as little as can get away with; unthinking, mechanical
• Regulatory relationship: policing; enforcement lesson; basic training
Compliance Culture
• Values and culture: by the book; bureaucratic
• Regulatory relationship: supervising / educating; look for early warnings; themed, focused visits
Beyond Compliance
• Values and culture: risk focused, self-policing; ethical business; values-based; spirit, not just letter; focus on prevention; strong learning
• Regulatory relationship: educating / consulting; culture development; lighter touch; mature relationship; reinforce best practice; benchmark; reallocate resources to problem firms
Source: Financial Services Authority, UK
39. Juan Llanos
EVP & Compliance Officer
Unidos Financial Services, Inc.
275 Seventh Ave. ‐ 20th Floor
New York, NY 10001
Direct: (646) 485‐2264
Mobile: (646) 201‐6217
jllanos@unidosfinancial.com
LinkedIn: www.linkedin.com/in/juanllanos
Twitter: @JuanLlanos
Blog: contrariancompliance.com
Thank you!