Automatically monitor regulatory updates to map to your internal policies, procesures and controls. Learn More
-

1558 Enforcement Actions in the U.S. over past 30 days

-

FTC enforcements decreased 55% over the past 30 days

-

SEC issued enforcements: $37,812,859 over the past 30 days

-

50 Final Rules go into effect in the next 7 days

-

49 Mortgage Lending docs published in the last 7 days

-

1670 docs with extracted obligations from the last 7 days

-

new Proposed and Final Rules were published in the past 7 days

-

11906 new docs in pro.compliance.ai within the last 7 days

-

Considering RCM Solutions?  Here’s an RFP to get started.

-

What’s ahead for Crypto and IT Compliance regulations?

2022 has seen tremendous regulatory movement in the commodities market with cryptocurrencies taking center stage. At the same time, Scandals like Wirecard show how limited the powers of supervision for regulatory authorities to subcontractors actually are. There will also be a high focus on information security and deep understanding of the relevant risk factors in banks IT architecture. In this conversation with experts Professor Jerry Markham and Dr. Iris Liliana Bleck, we’ll dive into the latest trends in banking across the US and EU as well as take a look at how securities and commodities may affect regulators in the next year and beyond.

Listen in and watch as our expert advisors Dr. Iris Bleck and Jerry Markham discuss the latest in regulatory change. 

*See the full transcript below.

Ronjini Joshua  (Ronjini)

Hi, everyone, thanks for joining us. We’re just going to wait a couple minutes while everybody files into the room and then we’ll get started. All right/ Hello and welcome to compliance.ai webinar: What’s ahead for crypto and IT compliance regulations?” 

If you have any questions during the webinar, please feel free to drop them into the q&a section. And our panelists will answer them at some point during the session or at the end in our q&a session. But before we get started, I wanted to just quickly touch on if you haven’t heard already, we are going to be hosting the second annual EITL Virtual Forum. It’s the first conference focused on regulatory change management for BFSI’s. The event is coming up on September 7th and 8th, featuring a wide array of the most trending regulatory topics. It’s easily accessible online, its a virtual event. Our keynote speaker on day one is former FBI special agent and cybersecurity expert John Carruthers, with industry luminary, CEO and co-founder of alliance for innovative regulation and host of the air podcast Joanne Barefoot, joining us for the day two keynote. So if you haven’t already registered, please register for free, grab your spot at the EITL Forum. I’m going to drop that link right here in the chat box so you guys can head on over and register. And with that, I’m going to hand it over to our co-founder and chief product and Strategy Officer Kayvan Alikhani to get our webinar started today.

Kayvan Alikhani (Kayvan)

Thank you so much and I want to appreciate Dr. Iris Bleck. And Jerry Markham. I joined here as well. Jerry was just looking a little bit further into your background and the kind of books you’ve authored, we can see you’ve actually written the book literally on financial compliance and regulatory compliance for banks. And Iris, of course, extensive experience on an International basis. I look forward to getting your perspective on a couple of key trends. From a regulatory point of view, continuing on a topic and trend that we talked about. I want to say in June, in a webinar that we had established some ground truth, if you will, in what is cryptocurrency? What are NFT digital assets? And established the framework for those definitions and how they impact organizations both on a regional and global basis. We looked at three use cases, one within the United States, United Arab Emirates, United Kingdom and we also provide a global perspective. I’m going to ask Ronjini to also provide a link to that webinar in case you’re interested in the predecessor to this event that happened in June with two of our other advisors assisting that. Today we’re going to continue that discussion and also talk about another important set of regulations that impact IT compliance and vendor management specifically, talk about the ongoing overlap between regulations of various jurisdictions and you know how these credit regulatory trends impact IT compliance. Get a temperature reading really are crypto trends and also IT vendor management. Jerry, how do you see the current set of regulatory frameworks and trends as it relates to cryptocurrency?

Professor Jerry Markham (Jerry)

Yes, so we’ve got a great deal of overlapping regulation here. We’ve got several agencies, the SEC CFTC, Department of Justice, FINCEN, the New York State Department of Financial Services and all the other money transmitte,r regulators in the States. The Consumer Financial Protection Bureau, the bank regulators, OCC, Fed FDIC, the National Credit Union Administration, and last but not least, the Department of Labor. And they’ve each staked out claims on jurisdiction over.

But what I’d like later in the presentation is to go through each of those agencies areas of claim. And then if we have time, maybe I could just briefly talk about a legislation that’s being banded around in Congress.

Kayvan

And an iris as it relates to IT vendor management compliance, I assume there’s a plethora of regulations coming down and some confusion both on the regulator side and the regulated company side as well. Right?

Dr. Iris Liliana Bleck (Dr. Bleck)

Yeah, absolutely true. So this is the situation that regulators face today is, especially in areas where we have financial innovation, and banks and fintechs are working together. Or banks and outsourcing providers, working together, regulators face a situation where are facing directly or indirectly, multiple parties that are responsible to together deliver regulatory compliance. And they’ve now started to really increase the governance to effectively regulate the entire value chain of a financial service.

Kayvan

Right. And I’m assuming that that leaves both sides a little confused on how to manage this entire process in the face of increased scrutiny, but maybe some confusing or complex regulations that come their way. So we’ll talk about that as well. Starting, as we knew a lot of times in these webinars with the poll, in terms of whether these topics as it relates to it, compliance, cybersecurity, crypto ESG, of course, are on your mind and which one is most impacting your organization waiting for the answers to come in? Maybe give it another 30 seconds?

And, you know, obviously, there are a lot of organizations, it’s kind of like all of the above, and there’s 50 others that we haven’t listed here, but for the purpose of today’s call, kind of focusing on that.

(POLL RESULTS)

And it seems like right now, it’s evenly split amongst all four aspects. Both are on it compliance, cybersecurity Crypto seems to be 43%. Ronjini, Can we close it? Or do you want Oh, there’s still, there we go. Yeah, it seems like crypto is very much top of mind, followed by IT compliance. And then other topics to follow. As soon as you can see the making to the news everyday here, both in terms of the conflicts between corporate decisions and ESG investments, and also ESG regulations is another topic that we will be covering and have covered in the past as well. So thank you for that.

Really delving into the crypto regulations Jerry, within the United States, can you give us a picture of both the regulatory framework and the regulated organization impact of some of these regulations that have happened recently? And what are you foreseeing coming soon? 

Jerry

Okay, Well, it’s a lot. So give me 15 minutes while I walk through it, if you don’t mind. So what I’d like to do is just go kind of regulator by regulator, and show what they’ve done, what they’re doing, and then the effect upon the industry. So cryptocurrency is money. The IRS rule that cryptocurrency is not a currency, It’s a property. The investment, the infrastructure investment in JOBS Act of 2021, made crypto brokers or crypto markets, it made them become brokers, like broker dealers for purposes IRS reporting on your 1099 B. And they also have to report transactions of over $10,000. FINCEN said that cryptocurrency is not money, but it treats it as if it was. So under federal law, money transmitters must register with the federal government, and they must register with the states and I think all Montana have some form of regulation. Now here’s where it veers off road.

Money transmitters or somebody like Western Union who back in the 1800s allowed you to transfer money by, by telegraph. Now, PayPal Venmo and MoneyGram are what we would consider to be classic money transmitters. But FinCEN has said now we’re going to expand that, to include cryptocurrency exchanges.

Most of these cryptocurrency exchanges are registered as money transmitters, including Coinbase. The New York Department of Finance has got adopted regulations that allow you to have a debt license, or you can register as a limited trust company under New York law. Now, money mixers must also register as money transmitters. These mixers take in cryptocurrency and then mix it up and then send it back out. So it disguises the original origin of the money.

The Department of Justice has indicted at least one unregistered money transmitter, I have to tumbler a mixer. The individual pleaded guilty and was fined $60 million by FINCEN for failing to register. Now a huge focus of all of these regulators has been money laundering controls. And the money transmitters at the state level are broadly subject to state controls. But FinCEN has also said that you’re subject to the Bank Secrecy Act. Since you’re registered with us, and you have to have your money laundering controls in place. Now, money transmitter registration can have consequences. Robin Hood crypto just settled, paid $30 million to settle the New York financial services division department case because it had inadequate money laundering controls. They were doing their reviews manually. And the Department said that is not enough. From everything I’m seeing from the regulators. They’re going to be looking at your systems of controls, to decide whether to bring an action against you. 

A lot of these cases are structured in a way to focus on the lack of money laundering controls, and I’ll get to bit next case in a little bit. 

Kayvan

Just to be clear. Just to be clear, in the case that you mentioned it wasn’t that money laundering had occurred, it was the inadequacy of comprehensive robust enterprise grade automation in the AML. Practice and the controls that were related to that, right? 

Jerry

Yes, that’s correct.

So, OFAC, Office of Foreign Assets Control also got involved. For sanctions breaches for row countries. Tornado cash, was charged with using more than seven or laundry more than $7 billion of funds. And I think 455 million of that was from a group of North Korean hackers who stole the money.

And in the announcement of this action, the Treasury department’s stressed that a risk based approach to assess the risk associated with different virtual currency services, industry business must implement measures to mitigate risks and address the challenges that can be present to comply with anti money laundering obligations. 

Again, that’s the constant stress in these cases. 

Alright, so switching over to the SEC side. Cyptocurrencies, as securities. And let me just point out how serious this is. The SEC created a crypto assets and cyber unit. It is staffed with 70 staff members, they brought more than 80 actions. And that’s a lot for the agency. The SEC, staff published guidance on what when a cryptocurrency will be a security.

They adopted something called The Howey Test. It’s from a 1946 Supreme Court decision, finding that an orange grove owner who was selling little plots of land and the orange grove to tourists, and giving them a contract where he would maintain the orange crop and send them and market the crop and send the money that that was an investment contract. That is a security regulated by the SEC. And from the orange grove, we go to crypto currencies. The Howey Test has three prongs, a common enterprise, a investment money, and next the expectation of profit derived from the efforts of others. 

That is egnimatic. It’ll fit anything that he wanted. But yeah, if you look at the virtual currency guidance from the SEC staff. That’s basically what they’re saying. They give you like 50 factors to consider, but none of which are determined,  so it’s really a guesswork. One of the commissioners, SEC commissioners, has criticized the SEC for lack of real clear guidance on the issue. The AMA that the SEC has applied the Howey Test to its ICOs initial coin offerings. And it’s brought several actions against these ICOs likening them to an initial public offering. 

The cryptocurrency firm will say you give us Bitcoins, and we’ll give you new tokens. And we’ll use your bitcoins to build a new blockchain or do something else. And the SEC likened that to again to an IPO., But it’s taken the fight further. Now, it’s saying that cryptocurrency exchanges can be selling securities and trading and securities. As for the case where ICO is done, that was not registered. The SEC has views that once a security, always a security. So if you didn’t register it, and you try to trade it, you’re legally you’re dealing in illegal securities. They kind of went about this sideways, they brought an insider trading action of all things against some Coinbase employees who had advanced knowledge of listings. And when the listings were announced, the token would go way up in value, and they would buy beforehand. So that the Department of Justice indicted them under the wire fraud act. And the SEC charged, however, that they were a cryptocurrency exchange. Well, let me back up and the SEC charged that the nine of the tokens listed on Coinbase were securities, they didn’t charge Coinbase yet on that charge. But that certainly leaves it up in the air. Of course, a lot of cryptocurrency exchanges are quite worried about all of that.

Chairman Gensler has said he wanted Coinbase and other cryptocurrency exchanges to register as National Securities Exchanges. That raises all kinds of issues about self regulation, and so forth. So it’s going to be a difficult fit. There’s also a proposed amendment to regulation ATS SEC regulation ATS, which is alternative trading systems. They want to add something called communication protocol systems, make them register as ATS. And that basically is directed at Treasury trading, but it’s broad enough to apply to the cryptocurrency exchanges, or at least that concern has been expressed. So that could cause further troubles. If it’s adopted, then the crypto currency exchange would have to be registered either as a broker dealer, or as a national securities exchange.The SEC said they expect most registered broker dealers because of the lower amount of regulation. CFTC, Commodity Futures Trading Commission, they  created on their staff a virtual currency task force that has brought over 50 Crypto actions. And that’s a lot for the CFTC. The CFTC considers virtual currency to be a commodity, like a lot of other international commodities, like stock indexes, for example. And the SEC, oddly, has said it is a commodity. Bitcoin is a commodity as opposed to a security. But they convert these things into securities through The Howley analysis. 

Kayvan

So it’s both

It’s both essentially like it could be one or the other at any point in time, correct? 

Jerry 

Yes. So if the way you package it, so if it’s completely decentralized, like Bitcoin, then it’s a commodity. But if you package it, like these ICO cases, then it’s a security. Now, the CFTC for its entire history, has not been able to regulate, allowed to regulate so called spot markets. These are cash markets where there’s actual delivery, they had some limited authority over manipulation claims. Dodd Frank gave them more authority for fraud and manipulation claims for over the counter retail customer trades that are leveraged. And the CFTC has taken that authority and used it against firms operating in the crypto sector. The CFTC has a long history of these problems of finding new instruments, commodity options, swaps, foreign born trades, foreign exchange, precious metals, and other contracts on the over the counter market. And they’ve taken years to put legislation regulations in place that address each of those areas. While with crypto currencies, they’re kind of doing it on the fly. There’s dozens, if not hundreds of cases dealing with this actual delivery requirements, is their actual physical delivery. That sounds like an easy proposition. It’s not. A lot of these contracts will call for delivery, but delivery is not actually made.

And the CFTC has lost a bunch of these case, won a bunch and there’s been a lot of legislation, which is where I think we’re headed at this point in time. So at this point the CFTC has only manipulation and fraud authority, but it does not have the authority to oversee spot virtual currency platforms. It cannot impose registration requirements, surveillance or monitoring, transaction reporting, capital adequacy, trading systems safeguards, cyber security examinations, and a lot of other requirements. So it’s kind of regulation by enforcement, if you will.

The CFTC has issued interpretive guidance on what constitutes actual delivery of a virtual currency. And basically, it has to be transferred from one wallet to another on different blockchains with the purchaser or the customer having complete control over the account.

20:50

They Bitnex case, I was an expert on that. It’s been settled. The SEC, I’m sorry, the department of justice charged that Bitmex was a Futures Commission merchant, and that it did not have a money laundering compliance program as required by CFTC regulations for Futures Commission merchants. Now Bitmex is an exchange. If anything, it would have been a contract market. And that contract markets are not required to have money laundering programs. So they put this in the back door through the FCM requirement or registration claim. But I think for our purposes here, it’s important to stress that it’s money laundering controls that lie at the heart of these enforcement actions. And they’ll figure out some way to charge you if your money controls are not there, or they’re inadequate.

There’s another case of Kraken case, where there was an illegal offering of tokens, and a claim that it was failed to register as an FCM, CFTC Commissioner Don Stomp is criticized this by saying wait a minute, these models these Futures Commission merchant models and designated contract market models don’t fit cryptocurrency. They’re decentralized or peer to peer, this not intermediary based, we need to take separate look at that.

Let’s go to the banking sector cryptocurrency regulation. The banking regulators have been fairly slow and getting off the ground. FINCEN is active. But the Prudential regulators like the OCC and the Fed haven’t done too much. In November 2021, they issued a joint statement announcing a quote policy sprint, whatever that is, to provide rules and clarity on regulation of cryptocurrency activities. March 9 2022, President Biden issued an executive order directing a coordinated agency of inter agency approach to develop regulations. The Treasury department then sought to create a quote framework for interagency and international cooperation. And that is underway. On August 16 of this month, the Fed issued a supervisory letter to its banks saying that A. they need to inform the Fed of any activities in the crypto sector. They must make sure that they have adequate controls in place. And that they’re conducted in a safe and sound manner prior to commencing such activities and that such activities are legal.

Kayvan

This is on top of where aside from state level regulatory activity, I remember we covered it in the last webinar as well, that is quite dispersed and diverse. We looked at, I think 14 Different states with regulatory initiatives. Is this initiative you mentioned to the Biden administration trying to account for that or is it are we going to see more conflicting and contradicting?

Jerry

Yeah, good question. So the CFTC check that the SEC chairman has said look, these these crypto exchanges, they’re not money transmitters, and these trading. It’s like securities and commodities. And we think they want to push the money transmitters out of the picture and impose SEC slash CFTC style regulation on those firms. Stable coins are another concern. Tera USD, had a crash. They broke the buck, they really broke the buck. And we were all reminded of this systemic concern raised when the reserve primary fund broke the buck by three cents back in 2008 and exacerbated the financial crisis of 2008 after Lehman failed.

Voyager digital offer deposit accounts for cryptocurrency traders and promised them FDIC insurance of up to $250,000 for each account. They placed those customer funds at a bank. It was not a bank and FDIC insured bank, but it was placed in an anonymous account, both for the benefit of customers. And nobody knows what that means for FDIC insurance purposes. So I’m expecting a fight over that gray area.

Kayvan

The gray area, it sounds seems like yes, yes. 

Jerry 

The FDIC then sent out a letter to five crypto exchanges, saying you have to remove any references to the FDIC in your advertising because that’s false and misleading. And then one of those firms came back and said, well, they were going to explore ways so customers can make direct deposits to their FDIC insured institution. So that probably will be the workaround. And then the National Credit Union Administration warned off one of its credit unions, that was dealing with money transmitters.  cryptocurrency money transmitters saying that’s outside your charter. It’s unsafe and sound, and you don’t have any equity controls to deal with that problem. So again, this recurring theme of control, it is controls, controls controls.

And then I mentioned the Department of later labor jumped in, and warned 401 K plan administrators that cryptocurrency probably wasn’t isn’t a good idea for their for their accounts. 

Kayvan

That’s good to know. Yeah, so yeah, absolutely. And it seems like the trend of this contradicting conflicting regulations federal, state and international continues. But also, what you’re mentioning is also about jurisdiction, like what is and is not within a specific regulatory jurisdiction hasn’t been settled as it relates to crypto. 

Jerry

And that’s important, because remember the SEC and CFTC, they’re like, in some ways, but they’re not alike in a lot, a lot of ways and that regulations, and registration requirements is jusone of them. 

Kayvan

So I’m an organization, I’m regulated, I have to monitor all of these right? And stay abreast of all of these updates. Because if any one of them may impact me at this point in time. 

Kayvan

Very good. Well, thank you for that. 

Jerry 

One more little thing, just legislation. There’s efforts in Congress, and it’s on a bipartisan basis, basically, to codify this mess. But to give the CFTC jurisdiction over spot market, something that the government has never done for the CFTC, or any of its predecessors since 1921, when they first imposed legislation. So I think that will be that’s something that needs everybody. 

Kayvan 

That’s in process right now. That clarification? 

Jerry

Yeah, it they thought they might have something by the fall, but it’s got the rail. So I’m thinking a year at best. Well, that’s big. And with that, I’ll keep quiet.

Kayvan

No, please don’t. And, you know, we looked at this US centric view of it. And Iris maybe zooming out looking at this as an international trend. And the consequence of this, what are you seeing and what is your assessment, both from an impact on organizations and the regulatory transit in Europe?

Dr. Bleck

Yeah, so I’m very interesting to see that some of the trends are the same. And some are a little bit different. I think. What’s a bit different is we don’t we don’t don’t have so many issues with overlapping regulation, right? 

It;s those crypto asset depository institutions, as they’re called in the EU, they’re under one scheme. So it’s, = there’s not another overlap with different agencies. But other other topics are very similar and very much the same.

You mentioned FDIC, like having getting banks in trouble that have the burden. The marketing is not 100%. Very specific, what’s covered and what’s not. This is exactly what we’re seeing here in Europe, especially when there’s several parties playing together, right? So we had the bigger insolvency of crypto app. And I’m saying app because it’s not really a bank. And it’s also not the depository institution. They were using another bank, like a fully licensed bank, and a fully licensed crypto depository institution, as a fronting bank, as we call it here. So the bank who holds the license, while they as an app, only basically develop the cover or the wrapping paper right around the banking services to provide a better Plan experience. 

So with now the app going insolvent, and having on boarded 500,000 retail clients. A couple of things happen. So one is, with the app being insolvent doesn’t doesn’t change anything to the banking relationship in general because the banking relationship stays the same if the app goes insolvent or not. 

So the clients still had access to their accounts where their bitcoins were laying, and they could still trade their Bitcoin. So there wasn’t a loss of functionality. But we’re talking about gray areas. They also constructed a product where clients could use their bitcoins and lend them to someone else, and basically generate a interest like a profit, which was supposed to be very safe, given that you were not giving up the Bitcoin, but you’re just like basically lending it in return for an interest, interest rates. 

So first of all, it looked like a deposit account. And so it also felt like a deposit account, because clients were basically putting bitcoins on it and getting interest in return. What now happens when Celsius in the US who offered this product went bankrupt?

The marketing was not good enough to keep off existing claims. And there are many lawyers in Germany, who are now collecting for mass basically against the app provider, and also the banks. 

Because roughly 40 million of Bitcoin that have been lent. Now, they’re now frozen, and no one knows how much will be basically freed up again, after the insolvency proceeding of Celsius here in the US. Yeah. And so this was, for one very crucial point for the app who wanted to raise more money and wasn’t successful, given the legal risks. That of course, they were facing due to all the clients starting to claim their part of the 40 million but also, and this is now where it can be that we have the parallel to the US to the fronting bank Solaris Bank, which are covered by the by the German deposit protection scheme, Which is a state state run deposit protection scheme. And sometimes it wasn’t clear if these products were covered or not. So the parallel developments here, which are probably much more in focus than before given the current crypto crisis around the world. 

Kayvan

So basically, maybe they didn’t know what type of marketing message that you were using. You think the regulations were unclear, it was just like, confusing. So it led to marketing messaging, that wasn’t very clear. The impact of it on the clients or was it one? 

Dr. Bleck 

Yeah, I think that’s it probably. Well, I’m not sure if regulation wasn’t clear, or it’s sometimes also like it, was a quite complex structure between the fronting bank, the product deliverer in the US and the app in Germany. And so let’s say instead of really explaining in detail to clients, and following all your information duties, sometimes it’s easier and catchier to simplify. But on the hind side, and that’s then also sloppy, and exposes your company to legal risks. 

Kayvan

When you’re you’re mentioning the jurisdictional conflicts or less. This is between, for example, Germany, EU and international but not intra Germany, like there’s no jurisdictional differences inside of Germany, for this. But maybe some adaptations that are slightly different between EU members are all subject to pretty much the same regulations in this regard?

Dr. Bleck

So I would say like the general the most relevant requirements are the same on EU level. The EU is has become quite a strong regulator and for the most relevant questions, and that’s much easier for German and European financial services providers right there. And the harmonization is going on step by step. It just came out that they’re now building up a European anti money laundering office. So a new agency basically, which is to harmonize all anti money laundering requirements across Europe, which will make it even easier for banks to also scale and develop and expand. Given that your onboarding can finally stay the same wherever you onboard clients. 

Kayvan

But as the Celsius case shows, it’s kind of like this. This thing transcends boundaries, country boundaries, it’s very much international, you can call it originally, but then you’re talking about half a million retail clients losing access to the money as a result of the actions of another entity in a completely different jurisdiction. 

Yes. So we’ve talked about, should we call it the crypto mess or the crypto opportunity in the prior session and in this one, and I’m sure we’re going to have other sessions as well. Switching gears here really looking at another aspect of regulatory trends that impacts regulated organizations specifically within the financial sector. IT has to do with both IT compliance vendor management. Iris continuing to stay in Europe and providing that perspective on what are you seeing in terms of both IT compliance and vendor management as it relates to regulations and how companies are coping with them? 

Dr. Bleck

Yeah. So I mean, Wirecard that basically happened two years ago. It’s mostly last year and this year, where we can really see the consequences of this. I’m not sure how many are familiar with this. So one of the big basically, the correspondence of, this is one of the top 30 listed companies in Germany went bankrupt because they claimed to have business in Asia, which they never had. And it was this business that was delivered through together with a partner. 

So like someone who was partially external from them. And so the regulators, and also auditors didn’t have full transparency around what was going on there. And also no one took a close enough look, As a consequence, and this was really for German regulators, this was the worst case scenario. So half year before, they filed a criminal complaint against the hedge fund manager who claimed that Wirecard is a scam, which turned out to be true. 

And then they weren’t able to detect the issues themselves now. And then they realized that regulator employees were actually betting against Wirecard, behind the scenes, which in the end cost the German head of regulatory body bathn his job. So for them, it was really like the total nightmare happening. And, but the consequences it shows a trend that has been going on for years. Especially in the tech world, there are now many, many different providers providing a financial services. Abnd regulators need to need to and want to push

38:12

the ones who have the regulatory responsibility to fully understand what’s happening, and that they remain responsible for the entire service. And they forced them basically to install all the governance

to their outsourcing providers to their vendors. And so, t I think the key issue now, really is when it comes to those outside outsourcing providers, right, because first you just got a contract with one party. But now, I’m really facing that situation that I don’t just ask, okay, how was your IT and some compliance and security system set up? But I also have to ask, okay, what are your main vendors and stop outsourcing providers? 

And which IT certificates do they have? What does their IT compliance and standards look like? And so this now brings a lot of companies that have never been in touch with regulation suddenly on the front line, having not even having the compliance system in place and needing to become nice or ISO 27 compliant, just because they serve software companies who serve banks. And so it’s the the amount of companies in Europe that need to get certifications and proof evidence that they’re compliant with our regulations. Just probably quadruples. And at the same time, it’s also all the contracts. So we have vendors now who need to go back to their vendors and check the contracts and make sure and include all those governance and control rights so that basically regulators can walk in their subcontractors door anytime they want. 

Just because they have a bank as a client. And so the entire relationship basically between bank vendors and their subcontractors changes. And it’s an opportunity on the one hand for some industries like consultants and certain educators. Yeah. But it’s a big issue for everyone else. 

Kayvan

So, yeah,  it sounds like. I want to make it clear, what I heard from you. Firstly, we see that same thing on fintechs using backhole service, which you mentioned on the crypto side as well, of course, this is how fintechs get to operate for things that they don’t have, use a license of another, right bank to operate. That’s one side of it. And then obviously, the financial services, you have a large number of partners. And so is there now a accountability that’s being held for those subcontractors as well? 

Dr. Bleck

No, that’sthe main goal is to keep the financial services provider in charge. But the duties basically to allow regulators to control lights to inform the financial service provider in case of any, let’s say, a situation that may impact the quality of the services. So all those governance requirements, they have been pushed down to any, and not just one level, like as far as it goes right? 

To the actual service providers so that no one can actually turn back and say no, it wasn’t my fault was therefore

Kayvan 

Right. So yeah, no vendor management organization, you’re looking for that subcontractor outsourcing.

You can’t just go based on a claim you have to know also verify, I guess. 

Dr. Bleck

Yes, yes. No, really? I mean, it’s no longer enough to say, yeah. Our subcontractors comply with all those requirements to take a certification or something. No, it’s really. So regulators have asked me for the clauses and the text in the clause that really state that the subcontractor, so like Microsoft Azure, grants audit rights to the German regulator, because we are using a software that’s hosted on Azure.

Yeah, there have been a lot of long faces here on all sides.

Kayvan

Yeah, I can imagine it’s a lot of scrutiny, and potentially red tape on processes and elongating a simple procurement now, be there. Recently, we saw the same, in fact, we had a webinar on this new rule that went into effect in April. And now the compliance requirement data is actually behind us, which requires, for example, security incident notification for the Fi’s and their service providers. And there’s indications in there that are holding the service provider accountable. That’s why I was asking that question in terms of the communication both with the FI who then is responsible to reporting things back into the OCC. So it looks like more and more and also on crypto  seen some trends and a couple of our advisors are going to have sessions during the EITL about the trickling down into responsibly down even to the developers of the algorithms of some of those crypto assets in cryptocurrencies. So the seems like both on the vendor management side. And then that, of course then translates to IT compliance requirements. We’re seeing trends of more scrutiny and more accountability.

You know, so monitoring, obviously, these are changes that are happening both at the federal, state and national basis. Jerry, would you like to add anything on the vendor management /IT compliance side as it relates to crypto?

Jerry

Well, just to repeat what I said and it kind of fits in with this conversation. Systems and controls are going to be everything. And again, I go back to Robin Hood, crypto, the manual system or something that’s not state of the art. You’re down to strikes before you even get the bad.

Kayvan

Yeah, down two strikes. So you know, now looking at your vendor management system seems like the type of scrutiny that Iris is describing and we saw the same in the US is an ongoing trend. What are you seeing as a user in your vendor management system? Have you integrated automation into gathering the knowledge that Iris was referring to and making decisions on a more automated basis or is it all manual?

Really reg tech as an influencer, in terms of both automating the knowledge of what’s changed, or what’s coming down the pipe from a regulatory perspective is interesting. And that’s what I was asking is it chalked up in that marketing example, to just the complexity of the law? Is it lack of knowledge? Or is it more likely there’s so many loopholes in that users can offer. 

Dr. Bleck 

I mean, it’s, I mean, it’s maybe also a disadvantage, if you have the surface of a financial technology based financial product delivered by an app by people who have maybe not necessarily worked many years in the financial industry. But just know the financial service from the user side and bring to market the things that they think are compliant.

Versus someone who’s responsible for everything.

Kayvan

And here’s the results of our survey. 28% are extremely happy with doing everything manually. And I’m happy to see the last categories empty, that they are basically not considering everything bulletproof and looking for change. A good number, of course, are either considering or have looked into reg tech, as a way to help automate some of these practices for compliance study. As a vendor, we are very much trying to assist compliance organizations risk departments, Office of the General Counsel be knowledgeable, and in the know, in terms of what’s changed help.

I would say drill down from that minutia to that specific focus group of changes that impact a specific organization. Otherwise, you can, as we’ve seen, drown in the type of volume of changes that Jerry and Iris are talking about. That’s just one topic, as in crypto changes within specific asset class. And you just broaden that to topics around privacy, around lending, around AML as an independent topic from crypto, it’s become very much unmanageable. And then ultimately be able to provide to publish and feed that information into a vendor management solution. It becomes critical, and a big part of what we’ve seen from our clients as an interest is I understand there’s a lot of regulatory activity, but tell me about the enforcement actions. Who’s being fined? what are the violations? And that is becoming the most popular approach within our clients really to look at the trend, see where because there’s so much going on and want to see where the regulator’s are actually putting their chips and where they’re putting their emphasis. And that kind of drives the regulatory emphasis, and then finally be able to report on everything that’s happened during that process. So as Jerry was mentioning, some of those fines had nothing to do with actual anti money laundering, but the lack of an adequate, robust system that shows that you’re automatically tracking, reacting and reporting on those changes on a timely manner. I think that was probably the ask. And Jerry, we’ve seen multiple enforcement actions proven off of that lack of adequate, systematic approach, and more of, automating when and where possible, the process. 

With that, I wanted to open it up to Q&A. And Ronjinii, if you have questions we’ve received, are we happy to answer it? And you can use that q&a?

Ronjini

We have one, but I think I kind of think we covered this, how can we investigate and monitor crypto currency transactions? I think we kind of answered that a bit. But I don’t know if you want to just do a quick recap on that one for Khalil. 

Kayvan

So transaction processing, right, I guess one advantage is having a ledger that’s transparent and available. Then now I’m an organization. And I want to take advantage of that to monitor. So Jerry, one thing, one topic we didn’t talk about is anonymity, right? And that many of these crypto assets and cryptocurrencies in order for them to be able to be used in the banking sector, that the KYC requirements, the monitoring requirements, right? All of that comes into play, and I’m assuming some of them are still operating under the radar in the wild, wild west. But ultimately, this monitoring and knowledge of KYC is a minimum requirement for these transactions, correct? 

Jerry

Yes. And the Bitmex case the claim was made that Bitmex thought they were an offshore exchange, but they government charged there were several US customers who were using was a VIP addresses where you don’t they don’t know who they are or where the country is.

So that and then the mixers as well, that the tumble these things. So that’s a problem is that, again, your KYC needs to be very sophisticated to keep these, you know, maintain compliance. 

Kayvan 

Yeah, absolutely. And one question Iris wanted to ask, you know, from an adoption, you know, of automated technologies in Europe, do you see this as a matter of

50:31

if or a matter of when, where do you see Europe and the adoption of more automation and more types of streamlined solutions to address at least visibility and knowledge of the organizations and reduce that confusion, reduce the complexity for them?

Dr. Bleck 

It’s hard to say I think, overall, I would guess.

In Europe, institutions are more on the considering part.

I’ve lived through more painful IT project of a German bank trying to deliver something themselves, or like develop something themselves, which didn’t go well. But overall, I would say then themost banks are probably in the group of considering a solution rather than having it already readily available.

Kayvan

Very good. Well, I want to appreciate both Jerry and Iris for providing two different key Hot Trends. One on the crypto side and one on IT compliance. Obviously, we have upcoming webinars, the big one

in a couple of weeks, is it a couple of weeks is it’s sooner than that within EITL where we put the spotlight on a lot of these topics and more.?

Ronjini 

It’s a couple of weeks. Yep. September 7, and eighth. So I think we have about two weeks, roughly to the day. So yeah, the link is in the chat box, so you guys can head over there. It’s a free registration online event. There’s no reason not to join us. And you could see the full agenda at that link. So you’ll see the wide variety of topics there. But yeah,that’s it. Thank you for joining us today. 

Kayvan

A couple questions people sent me had to do with the availability of this content post the webinar. So if you want to absolutely. So last but not least, this webinar will be available on demand. Probably mid next week, we posted on our blog with the video as well as the transcription. And then anyone who’s registered for this event will also get an email with the on demand version, a link to it. So you guys should be able to have that about mid next week. And again, on the regulatory trends blog on the compliance website. 

Thank you, Jerry. Thank you, Iris. Thank you. Thank you. Bye, everyone.

Tags: , , , ,

X