Category Archives: Regulatory Risk

Immediate Vault Immediate Access

Six Considerations Impacting Strategic Regulatory Change Management

Posted on by

Regulatory change management (RCM) is one of the most important risk and compliance related domains in 2021, thanks to two key drivers. First, the shift from Republican deregulation to Democratic control and an expected uptick in regulatory requirements. Second, similar to the 2008 crash, the pandemic-induced economy and focus on Paycheck Protection Program (PPP) loans caused many banks to relax their regulatory exams and requirements, while regulators gave companies extra runway for transitioning processes and policies for remote/work-from-home models.

Sometimes regulatory changes are significant enough to change business strategy. In 2021, chief risk officers must be prepared to quickly adapt and react to a historically volatile risk management environment.

buy advair online dentalhacks.com/wp-content/uploads/2023/10/jpg/advair.html no prescription pharmacy

When thinking about an updated, strategic regulatory change management program, here are six considerations for chief risk officers:

1. Lax compliance during the pandemic in 2020 may have introduced hidden risk for activities that normally would have had deeper oversight. 
Sometimes rule changes can also introduce new risks or eliminate a previous risk that needed to be managed, such as potential new default rates around extensions, forfeiture and other things. For example, historically low interest rates present a vexing risk for banks dealing with less profit but just as many loans to process.

buy xenical online dentalhacks.com/wp-content/uploads/2023/10/jpg/xenical.html no prescription pharmacy

What kind of new risk may be found within those loans?

2. When communicating change across the enterprise, establish responsibility to manage it.
Once you understand which regulations have changed, prioritize those that present the most risk, identify what department’s products and processes are impacted, and determine who is responsible for managing those policies. Having a secure central repository for communicating, storing and managing compliance documentation, versus relying on employees storing information on devices outside corporate servers, is ideal.
buy proscar online dentalhacks.com/wp-content/uploads/2023/10/jpg/proscar.html no prescription pharmacy

 

3. If conducting quarterly testing of compliance requirements, it may be challenging to identify key areas in advance that could slip, such as controls around IT/cybersecurity.
When the risk portfolio changes, the controls to manage those risks must be updated accordingly. Firms that may now be less dependent on management oversight and more dependent on confirmations that processes are being followed should put automated controls in place to verify those activities.

4. Companies should shift to best practice or common checklists that can be standardized and shared across the enterprise. 
Assessment checklists are a great way to ensure that all requirements are being met for a wide variety of business processes. Once checklists have been updated, cloud-based software systems can track who has access and can also notify when changes happen. 

5. Historically done manually in-house by visible teams, monitoring and testing for compliance purposes will be conducted remotely. 
The visibility of those tests presents significant challenges, and it is critical to determine how errors and issues will progress and be communicated to the remote testing teams, management, and the organization at large. 

6. Verifying and certifying online training for remote employees can be daunting. 
Creating courses formalized for online training represents a major compliance and process change, particularly for companies in industries with limited work-from-home models, such as financial services. Training materials will need to be updated for new employees, while previously trained employees will need to be retrained. 

Human Trafficking and Supply Chains: Q&A with Tim Nelson of the Slave-Free Alliance

Posted on by

The International Labour Organization estimates that 25 million people are subject to human trafficking around the world, with children comprising one of every four victims. In many cases, the victims are used and transported by their traffickers in supply chains. 

Tim Nelson is the international development director for Hope For Justice, an anti-trafficking organization that aims to end modern slavery. He also holds the same title at the Slave-Free Alliance, an affiliated group that collaborates with businesses to assess and prevent the risk of human trafficking in their supply chains. Nelson recently appeared on RIMScast to discuss the how human trafficking has evolved into a major supply chain risk and how employers and employees can identify signs of this abuse.

Check out some highlights below, and to take a free deep-dive with Nelson and learn how to take action to prevent human trafficking in your company and community, download RIMScast episode 120.

For more information on steps businesses should take to help identify and combat modern slavery on their premises, you can also check out the Risk Management feature article “Human Trafficking: How Businesses Can Combat the Modern Slavery Epidemic.”

What inspired the creation of the Slave-Free Alliance?

Tim Nelson: We primarily started in the U.K., and formed because of the Modern Slavery Act, which requires companies with £36 million (about $50 million) or more in their annual revenue to state their efforts to remove slavery from their supply chain. Consequently, we tend to work with businesses above that £36 million level and we try and effectively help them honor their commitment.

We also work alongside federal or local police and alongside other NGOs and effectively try and be a trusted friend. Many people, because of the countries that they come from or what they’ve been told, are suspicious of police or are worried about corruption. We can be there to build that bridge of trust.

How can someone identify trafficking and modern slavery?

TN: Traffickers are those individuals who would use other people to generate profit for themselves and are looking for every opportunity. Global estimates indicate that there’s $150 billion made from this illegal activity. And therefore, the traffickers have thought it through. 

One of the complexities in identifying it is that human trafficking is hidden in plain sight. The common form that most people are aware of is sexual exploitation. But ultimately, traffickers [also] realized that they could traffic individuals to work in the supply chains of businesses, making components, working in manufacturing, working in agriculture.

Could you provide an example of how traffickers permeate supply chains?

TN: Last year there was a case where 400 victims were identified as being slaves within the primary supply chain of some of the major supermarkets within the U.K. And, like we said earlier, it was in plain sight—no one could see how this was happening.

This particular occurrence happened because the traffickers had gotten control of a recruitment company and they were able to bring individuals from a non-English-speaking nation to the U.K. Those individuals were given jobs, but the traffickers had control of their bank accounts. They were forcing these 30-plus individuals to live in a three-bedroom property. Many of them were washing themselves in a local river—not having running water was a sign that this is not how people should be living in 2020. 

National Slavery & Human Trafficking Prevention Month is held annually in January to educate about the different forms of human trafficking. What can risk professionals do to ensure the awareness continues all year?

TN: I would encourage all businesses to realize that they’ve got the power to change this so easily if they start to engage and put in different processes and systems. And part of what we’re trying to do is not to just encourage individuals or companies to stop buying goods from a particular company. If you just stop dealing with a company because you suspect there’s modern day slavery or trafficking happening, that company will close and another one will open like a phoenix. Companies can also sometimes be complicit just by not even looking or allowing enough due diligence to show that they are slave-free within the supply chain.

Is there a bottom-line impact as well?

TN: What we are seeing now is, internationally, inaction can be a major risk to your business. I can think of companies where issues around slavery were brought to the fore and share prices dropped by half as institutional investors pulled out. This is a key ESG issue, which makes it a C-suite-level risk in many cases.

What should companies expect when they engage with the Slave-Free Alliance?

TN: The first thing that we would do is conduct a gap analysis. This is not just looking at where you’re getting supply from—it’s to try and identify the weaknesses that may be in your supply chain. And that gap analysis forms something almost like a risk register.

Every company is different. I spoke to a Fortune 100 company last month that didn’t even have a procurement division. And that’s what I would have assumed every major multinational had. But every company has a different approach to it.

Quite often, a lot of people find that the even the thought of how big their supply chain creates a massive complexity because there might be just three people running the procurement department.

When we see something that would sit within the risks that we identify, then we work with the companies to diminish that risk. It could be an [unannounced] site assessment or working with those people who are going in and auditing the factories themselves.

For more information about how your business can combat and identify modern slavery, visit the Slave-Free Alliance and Hope For Justice. You can report suspected activity in the U.S. to the National Human Trafficking Hotline and internationally to the International Labour Organization.

On Data Privacy Day, Catch Up on These Critical Risk Management and Data Security Issues

Posted on by

Happy Data Privacy Day! Whether it is cyberrisk, regulatory risk or reputation risk, data privacy is increasingly intertwined with some of the most critical challenges risk professionals face every day, and ensuring security and compliance of data assets is a make or break for businesses.

buy prevacid online www.soundviewmed.com/wp-content/uploads/2023/10/jpg/prevacid.html no prescription pharmacy

In Cisco’s new 2021 Data Privacy Benchmark Report, 74% of the 4,400 security professionals surveyed saw a direct correlation between privacy investments and the ability to mitigate security losses. The current climate is also casting more of a spotlight on privacy work, with 60% of organizations reporting they were not prepared for the privacy and security requirements to manage risks with the shift to remote work and 93% turning to privacy teams to help navigate these pandemic-related challenges. Amid COVID-19 response, headline-making data breaches and worldwide regulatory activity, data privacy is also a critical competency area for risk professionals in executive leadership and board roles, with 90% of organizations now asking for reporting on privacy metrics to their C-suites and boards.

“Privacy has come of age—recognized as a fundamental human right and rising to a mission-critical priority for executive management,” according to Harvey Jang, vice president and chief privacy officer at Cisco. “And with the accelerated move to work from anywhere, privacy has taken on greater importance in driving digitization, corporate resiliency, agility, and innovation.”

In honor of Data Privacy Day, check out some of Risk Management’s recent coverage of data privacy and data security:

CPRA and the Evolution of Data Compliance Risks

Also known as Proposition 24, the new California Privacy Rights Act (CPRA) aims to enhance consumer privacy protections by clarifying and building on the expectations and obligations of the California Consumer Privacy Act (CCPA).

Frameworks for Data Privacy Compliance

As new privacy regulations are introduced, organizations that conduct business and have employees in different states and countries are subject to an increasing number of privacy laws, making the task of maintaining compliance more complex. While these laws require organizations to administer reasonable security implementations, they do not outline what specific actions should be taken. Proven security frameworks like Center for Internet Security (CIS) Top 20, HITRUST CSF, and the National Institute of Standards and Technology (NIST) Framework can provide guidance.

Protecting Privacy by Minimizing Data

New obligations under data privacy regulation in the United States and Europe require organizations not only to rein in data collection practices, but also to reduce the data already held. Furthering this imperative, over-retention of records or other information can lead to increased fines in the case of a data breach.

buy ocuflox online www.soundviewmed.com/wp-content/uploads/2023/10/jpg/ocuflox.html no prescription pharmacy

As a result, organizations are moving away from the practice of collecting all the data they can toward a model of “if you can’t protect it, don’t collect it.”

3 Tips for Protecting Remote Employees’ Data

As COVID-19 continues to force many employees to work from home, companies must take precautions to protect sensitive data from new cyberattack vulnerabilities. That means establishing organization-wide data-security policies that take remote workers into account and inform them of the risks and how to avoid them. These three tips can help keep your organization’s data safe during the work-from-home era.

What to Do After the EU-US Privacy Shield Ruling

It was previously thought that the EU-US Privacy Shield aligned with the EU’s General Data Protection Regulation (GDPR), but following the CJEU’s recent ruling, the Privacy Shield no longer provides a mechanism for legitimizing cross-border data flows to the United States. This has far-reaching consequences for all organizations that currently rely on it. In light of the new ruling, risk professionals must help their organizations to reevaluate data strategies and manage heightened regulatory risk going forward.

The Risks of School Surveillance Technology

Schools confront many challenges related to students’ safety, from illnesses, bullying and self-harm to mass shootings. To address these concerns, they are increasingly turning to a variety of technological options to track students and their activities. But while these tools may offer innovative ways to protect students, their inherent risks may outweigh the potential benefits. Tools like social media monitoring and facial recognition are creating new liabilities for schools.

2020 Cyberrisk Landscape

As regulations like CCPA and GDPR establish individuals’ rights to transparency and choice in the collection and use of their personal data, one can expect to see more people exercise these rights.

buy doxycycline online www.soundviewmed.com/wp-content/uploads/2023/10/jpg/doxycycline.html no prescription pharmacy

In turn, businesses need to ensure they have formal and efficient processes in place to comply with such requests in the clear terms and prompt manner these regulations require, or risk fines and reputation fallout. These processes will also need to provide sufficient documentation to attest to compliance, so if businesses have not yet already, they should be building auditable and iterative procedures for “data revocation.”

Data Privacy Governance in the Age of GDPR

As personal information has become a monetizable asset, risk, compliance and data experts have increasingly been forced to address the regulatory and operational ramifications of the rapid, mass availability of personal customer and employee data circulated both inside and outside of organizations. With new data protection regulations, Canadian and U.S. companies must reassess how they process and safeguard personal information.

Key Features of India’s New Data Protection Law

Among the new data protection laws on the horizon is India’s Personal Data Protection Bill. While the legislation has not yet been approved and is likely to undergo changes before it is enacted, its fundamental structure and broad compliance obligations are expected to remain the same. Companies both inside and outside India should familiarize themselves with its requirements and begin preparing for how it will impact their data processing activities.

Reducing Risk Exposure Through Sanctions Screening

Posted on by

International sanctions have increased in recent years and discrepancies still exist between how financial institutions and non-banking financial institutions in different countries and regions handle them. This has led to ongoing international tensions where politicians use asset-freezing, confiscation and other sanctions as tools to forward personal agendas, producing an increased stream of sanctions. It also leads to headaches for the compliance industry as it attempts to assess their level of risk.

For example, there is a great sanction application difference between the United States and the European Union/United Kingdom as a result of the United States leaving the Joint Comprehensive Plan of Action (JPCOA) agreement and re-implementing sanctions against Iran progressively in 2018. In a post-Brexit world, it is likely that a divergence between European Union and United Kingdom sanctions will occur over time.

Increasing challenges add to complexity for compliance professionals conducting sanctions and transactions screenings in accordance with regulations and institutions’ policies. The rapid transition to an increasingly digital world amidst COVID-19 begs the question: Do financial institutions truly understand the identities moving within their digital networks?

The Wolfsberg Group recently published detailed guidance for financial institutions regarding sanctions screening. The guidance highlights the importance of account and transaction screenings, but does not propose fundamental changes to the processes that financial institutions should follow already. Compliance officers need to rely on robust sanctions screening systems, high data quality and up-to-date policies to drive a successful long-term sanctions screening program.

Compliance departments should continue to conduct basic functions such as documented controls and procedures. They should also require a clear understanding of sanctions risk and how essential it is to take a risk-based approach to customer onboarding. Further, the compliance team should consider improving the following:

  1. Sanctions List Management: List data can be incomplete and decay over time. Active list management is essential for compliance personnel to ensure complete, accurate and up-to-date data.
  2. Screening Technology: Screening engines vary in capability. Platforms should meet business needs on a basic level and be able to:
    • Manage requisite screening record volumes
    • Configure to reflect the differing risk profile lists
    • Efficiently remediate alerts through fully functioning workflow tools
    • Ingest a variety of external lists
    • Integrate APIs into enterprise systems
  3. Sanctions Data: Not all externally provided sanctions lists are created equal. Financial institutions should conduct thorough due diligence and compare data from different sources. Some issues to consider:
    • How the data is synthesized from original issuing bodies
    • The quality controls within the research process
    • The extent that the provider enriches the data to maximize secondary identifiers of sanctioned individuals
    • How complete the data set is, given the many official bodies globally and whether the system is configurable to select those relevant to the institution in question
    • Whether the data provided facilitates consolidation of entities appearing on multiple sanctions lists to lower duplicate alerts and minimize analysts’ efforts

Sanctions screening is a vital but complex process and a continuously trained compliance staff helps ensure that the financial institution is consistently screening against the most relevant and up-to-date sanctions lists. Sanctions authorities require increasingly strict compliance and this involves employing intelligent augmentation through a combination of human efforts and new technologies such as big data, data analytics, machine learning and artificial intelligence.

Organizations can best reduce risk exposure by using all the compliance tools in a responsible and efficient way. Only then can a financial institution be sure that it is navigating the increasingly complex and rigorously enforced regulatory landscape.