Financial services firms would be well advised to pay particular attention to two separate matters this week. The first is the recent deferred prosecution agreement that JPMorgan Chase Bank, N.A. entered into with the Office of the United States Attorney for the Southern District of New York and the related actions by the Office of the Comptroller of the Currency and the Department of the Treasury’s Financial Crimes Enforcement Network (FinCEN). As numerous headlines have made clear, the assessed fines in these actions exceeded $2 billion. What is perhaps lost in the headlines, and worth noting, is that the charges against the bank related to anti-money laundering (AML) and Bank Secrecy Act (BSA) failures and, in particular, to a failure to file a suspicious activity report (SAR). As Jennifer Shasky Calvery, Director of FinCEN, stated in her remarks at the press conference announcing the above actions, “today’s action . . . is not just about a SAR reporting violation: it’s about lost opportunities and the catastrophic consequences that can flow.”
Like the earlier $1.9 billion fine against HSBC Holdings PLC for violations of the BSA and other laws, the latest actions against JPMorgan drive home the fact that prosecutors have discovered AML and BSA. Prosecutors are increasingly bringing actions where AML is the main focus instead of tacking an AML violation onto a more substantive matter, and they are no longer hesitant to treat AML as tantamount to an insurance policy that exposes firms to liability for any and every harm that arguably might have been avoided by a more rigorous AML program. Lest this point be missed, Mythili Raman, the acting assistant attorney general who heads the U.S. Department of Justice Criminal Division, is quoted in Thursday’s Wall Street Journal as saying both that banks “still need to do more” and that the “enforcement actions [against banks] are not over. There’s more to come. . . ”
Firms subject to AML obligations are urged to evaluate both the level of regulatory and reputational risk to which they might be exposed by shortcomings in their AML programs and the strength of these programs.
The second event is the issuance by the SEC’s Office of Compliance Inspections and Examinations (OCIE) of its Examination Priorities for 2014. While OCIE’s 2014 Examination Priorities are covered separately below, it is worth focusing on the continued and, indeed, increasing focus by the SEC on the risks posed by automation and technology to the securities markets, as well as to customers, clients, and the safety and soundness of regulated entities.
The 2014 Examination Priorities flag technology risk under one of the six “most significant initiatives across the entire NEP [National Examination Program].” Specifically, OCIE’s 2014 Examination Priorities note that the NEP will continue to examine governance and supervision of information technology systems, operational capability, market access, information security, and preparedness to respond to sudden malfunctions and system outages.
OCIE’s 2014 Examination Priorities also touch upon a number of other technologically focused concerns.
In the case of investment advisers and investment companies, these include quantitative trading models, a concern that the SEC first raised in its enforcement action in February 2011 against AXA Rosenberg. Notably, OCIE’s 2014 Examination Priorities state that OCIE will seek to assess whether firms have adopted and implemented “compliance policies and procedures tailored to the performance and maintenance of their proprietary models, including such procedures as (i) evaluating if any models are used to manipulate the markets, (ii) reasonably review or test the models and their output over time, (iii) maintaining proper documentation within required books and records, and (iv) maintain a current inventory of all firm-wide proprietary models.”
In the case of broker-dealers, technology issues include a focus on algorithmic and high frequency trading, information leakage and cyber security. Following up on the SEC’s enforcement action involving Knight Capital, they also include a focus on market access controls related to erroneous orders under Securities Exchange Act Rule 15c3-5.
The takeaway from the above is that the SEC increasingly views technology as a compliance issue that, like any compliance-related requirement, is subject to procedures and policies, oversight and controls, and documentation. Given this perspective, firms should ensure that compliance has a seat at the table when it comes to evaluating and monitoring their use of technology, especially technology that touches trading and clients or customers.