From Banking and Finance Law Daily, February 26, 2015

Lawsky urges stronger individual accountability for fraud, money laundering lapses

By Lene Powell, J.D.

In an idea modeled on the Sarbanes-Oxley approach to accounting fraud, New York Superintendent of Financial Services Benjamin Lawsky said the agency is considering making senior executives personally attest to the adequacy and robustness of anti-money laundering systems. In prepared remarks at Columbia Law School, the regulator also stressed the need to hold individuals, not just corporations, accountable for misconduct. Further, he discussed cybersecurity initiatives the Department of Financial Services is undertaking, and said the agency will begin grading banks on cybersecurity preparedness.

Money laundering. Due to the incredibly high volume of transactions, banks rely heavily on automated transaction monitoring and filtering systems to help flag suspicious payments for further review. However, due to defective design or faulty data, systems can fail to flag suspicious transactions. Worse, bank management or employees may deliberately turn down the sensitivity of the filters, so the systems do not generate enough alerts and suspicious transactions go undetected, said Lawsky.

In the past, regulators have relied on self-reporting by firms to gauge compliance. But this “whack-a-mole” approach is not enough, Lawsky said, because it is likely there are widespread problems with transaction monitoring and filtering systems throughout the industry. When an independent monitor installed at one large bank compared results, it found that the bank failed to flag millions of suspicious transactions. As a result, the Department of Financial Services brought a major enforcement action against the bank.

DFS is considering random audits of monitoring and filtering systems, but the agency can’t audit every institution simultaneously. Therefore, in an approach drawing on Sarbanes-Oxley, the agency is considering requiring senior executives to personally attest to system effectiveness.

“We expect to move quickly on these ideas and—to the extent they are effective—we hope that other regulators will take similar steps,” said Lawsky.

Fraud. Another area where more individual accountability is needed is fraud. Many Americans have been “deeply disappointed” by efforts to hold individual, senior executives on Wall Street accountable for misconduct. It’s unsurprising that we continue to see fraud after fraud, said the regulator, because the individuals who engaged in wrongdoing rarely, if ever, face any real consequences.

Even if the misconduct doesn’t rise to the level of criminal fraud, regulators still have options, Lawsky said. In civil enforcement actions, the agency required the CEO of BNP Paribas and the chairman of Ocwen Financial to step down. The agency has also banned multiple senior executives from participating in the operations of regulated institutions.

“[M]ore and more often it feels like we are discussing a corporation’s wrongdoing without detailing who exactly did what wrong. And, in my opinion, if in any particular instance we cannot find someone, some person, to hold accountable, that just means we have stopped looking,” said Lawsky.

Cybersecurity. The regulator said he is “deeply worried” that within the next decade or sooner, we will see an “Armageddon-type cyber event” that causes a significant disruption in the financial system for a period of time. To create incentives to boost security, the agency is revamping its regular examinations to add grades for cybersecurity preparedness.

Further, because a company’s cybersecurity is only as strong as that of its third-party vendors, DFS is considering requiring vendors to provide “robust representations and warranties” that they have critical cybersecurity protections in place. If they don’t strengthen their own security, vendors will risk losing business.

“That is tough medicine, but we believe it is likely warranted given the risks that cyber hacking presents to the stability of our financial markets and economy,” said Lawsky.

DFS is also considering regulations that would mandate the use of multi-factor authentication for the financial institutions it regulates. Multi-factor authentication requires an extra layer of authentication in addition to the username and password, such as a randomly generated additional password texted to a user’s phone. This is a simple step, but can actually prevent a significant amount of hacking, Lawsky said.
