United States

Financial services developments

The regulatory aftermath of Enron and Allied Irish/AllFirst, and September 11

By Robert Bostrom and Kenneth Hall, Winston & Strawn

Since the enactment of the Gramm-Leach-Bliley Act (the GLB Act), one of the most significant pieces of US banking legislation of the last decade, the legislative process in the US has been relatively quiet in terms of the expansion of bank powers and activities and the deregulation process. However, there have been two significant areas of activity this year that will have far-reaching and lasting impacts on financial institutions both within and outside the US: (i) the sudden prominence of questions relating to the adequacy of corporate financial reporting, internal controls and the role of the audit committee in the aftermath of the Enron and Allied Irish/AllFirst debacles; and (ii) the elevation of anti-money laundering efforts as the primary non-military weapon in combating terrorism and other criminal activity.

ENRON AND ALLIED IRISH/ALLFIRST

Enron's use and disclosure of off-balance sheet financing, derivatives, trading activities, transactions with related parties and other financing structures, and the $691 million of currency trading losses at AllFirst Financial, a US subsidiary of Allied Irish Banks, have affected thousands of individuals and companies, spawned multiple civil and criminal lawsuits, aroused Congressional furor, and brought the US Securities and Exchange Commission (SEC) and the nation's accounting bodies under scrutiny. Various commentaries and regulatory investigations have attributed blame for these incidents to a number of factors, including inadequate oversight by the board of directors and the audit committee, failures by the outside auditor, lax internal controls, inadequate risk management systems and fraud. In particular, in the case of AllFirst/Allied Irish, an outside investigation concluded that inadequate internal controls and risk management systems, as well as fraud, are to blame for the losses ("Report to the Boards of Directors of Allied Irish Banks, AllFirst Financial and AllFirst Bank Concerning Currency Trading Losses Submitted by Promontory Financial Group and Wachtell, Lipton, Rosen & Katz, March 12, 2002").

Financial services firms are fortunate to be ahead of the curve in the areas of financial reporting and internal controls because of the requirements imposed by the Federal Deposit Insurance Corporation Improvement Act (FDICIA) in 1991. The FDICIA and its implementing regulations and guidelines required banks and thrifts, starting in 1993, to implement comprehensive policies and procedures designed to ensure the effectiveness of financial reporting systems and internal controls. In addition, institutions with assets of $500 million or more must file an annual report with the Federal Deposit Insurance Corporation (the FDIC) and with their primary federal or state supervisory agency that includes:

  • financial statements with independent auditor's opinion;

  • an assessment by management of the effectiveness of internal controls governing financial reporting and compliance with designated laws and regulations; and

  • a report by independent auditors attesting to the adequacy of the management assessment.

The FDICIA also established minimum requirements and standards for the financial literacy and independence of members of an institution's audit committee, thereby placing primary responsibility on the audit committee, and consequently the board of directors, to ensure the adequacy of an institution's financial reporting and internal control structure.

Even with this framework in place, however, financial services firms should expect, in the post-Enron and Allied Irish/AllFirst, post-September 11 environment, to be subject to heightened regulatory and public scrutiny of financial reporting, internal controls, the audit process and overall management of risk. For example, federal bank regulators are considering requiring larger institutions to use dual auditors.

Even before these events, some efforts had been implemented by securities regulators. Rules adopted by the SEC, Nasdaq and the New York Stock Exchange (NYSE) regarding the audit committees of public companies provide additional direction to banks and thrifts that are publicly traded regarding the expected scope of audit committee responsibilities. Effective December 15, 2000, SEC rules require that a company's proxy statement include a report of the audit committee covering whether the committee has: (i) reviewed the audited financial statements with management; (ii) discussed with independent auditors the accounting principles used in preparing the report; (iii) discussed with auditors the published standards for independence of auditors; and (iv) recommended to the board the filing of the audited financial statements with the SEC. The proxy must also state the names of the members of the audit committee and whether the audit committee has a written charter, in which case a copy of the charter must be included, as an appendix, in at least every third year's proxy statement.

The Nasdaq and NYSE Listing Rules approved December 14, 1999, require each issuer to appoint at least three independent board members to the audit committee and to adopt an audit committee charter, which must be reviewed annually by the board. The audit committee members must be financially literate and at least one member must have accounting or related financial management experience. The outside auditor is directly responsible to the audit committee, which must ensure that the outside auditor periodically submits a formal written statement delineating all of its relationships with the company. The audit committee must discuss with the auditor any disclosed relationships or services that might impact the auditor's objectivity and satisfy itself as to the auditor's independence. The audit committee then must recommend to the board whether the outside auditor should be retained by the company.

The SEC and self-regulatory organization (SRO) rules are often supplemented and augmented by comments from senior SEC and SRO officials and by SEC and SRO releases. These have indicated, among other things, that audit committees will be scrutinized in connection with SEC investigations and that policies on corporate governance, including the role of the audit committee, are being reviewed.

For example, in a May 24, 2002, press release, Nasdaq announced adoption of rules to strengthen the definition of "independent director" and to require the audit committee or a comparable body to review and approve transactions between the company and related persons. Nasdaq has not filed this rule for approval by the SEC, and the press release is the only publicly-available communication about the rule.

Senator Sarbanes, chairman of the Senate Banking Committee, is drafting legislation that would, among other things, address the relationship between the audit committees of publicly held companies and the external auditor. The Committee has announced that the draft legislation, the "Public Company Accounting Reform and Investor Protection Act of 2002", will be marked up by the full Committee in mid-June.

Recommendations

It is essential that financial services firms be proactive in: (i) developing enhanced systems of internal controls and comprehensive risk management and compliance programmes (collectively referred to as risk management components); and (ii) continuing to refine the role and responsibilities of the audit committee.

An effective way of carrying out this effort is to appoint a task force to review and make recommendations regarding the risk management components and the role and responsibilities of the audit committee.

The task force should include the internal auditor, general counsel, head of risk management, chief financial officer and chief compliance officer. The task force should review and advise senior management and the audit committee on the risk management components and the role of the audit committee.

The COSO (Committee of Sponsoring Organizations for the Treadway Commission) Report is the ideal framework for evaluating the effectiveness of the internal control structure and procedures for financial reporting.

Senior teams should be established in each business unit to identify significant financial information streams and to ascertain the adequacy and effectiveness of the risk management components for each business unit. The head of each business unit should then report to the task force on the results of this review.

Each business head should be responsible for ensuring the overall implementation of adequate risk management components in their respective units and for completing the assessment of the effectiveness of the components to the satisfaction of the task force.

Each business head should be personally familiar with the risk management components in their respective units and be required: (i) to make a personal oral presentation to the CEO and the task force on the effectiveness of the risk management components in the business unit; and (ii) to provide a formal written representation specifying the basis for his or her conclusion that the risk management components are in fact effective.

Audit committee

The task force should work with the audit committee to evolve the role of the audit committee beyond simply being responsible for financial reporting and the audit process. The audit committee's role should also cover codes of conduct, conflicts of interests, payments, and the other potential legal, compliance, and risk management issues that a company may face. This is essential following the Caremark Case. The audit committee should have access to and consider retaining special counsel to assist it with this process. It is imperative that the audit committee be fully aware of, and familiar with, risk management and compliance policies and procedures. A technical review and approach is not adequate. The audit committee should have first-hand knowledge and contact with the officers who implement the risk management and compliance procedures and policies, understand how they are implemented and know what type of training occurs. In addition, the officers responsible for risk management and compliance should report directly to senior management, the auditor, the general counsel, and the audit committee.

Audit committee members must make a serious, proactive effort to know the people involved with the process and to understand the company's risk management and compliance culture. In order to be effective, a company's risk management and compliance culture must be more than just policies and procedures; it must include the people responsible for implementing it and the dissemination of risk management and compliance knowledge through all levels of the organization. Audit committee members should regularly meet with the internal auditor, the CFO, the general counsel, the head of compliance, and the heads of the business units, and then move down to the next level so as to gain full understanding of the company's business and operations. The audit committee also must ensure that policies and procedures do not just exist on shelves but are available to and understood by the staff. In this respect, it is important that the company's management, from the CEO down, supports the risk management, compliance and internal control process and culture.

Corporate compliance role

The audit committee should also review and assess the company's system for ensuring compliance with laws, regulations and ethical business practices.

USA PATRIOT ACT TIMELINE

The Act set the following implementation deadlines in 2001 and 2002:

October 26, 2001

Funds deposited outside the US in a bank that has an interbank account with a US financial institution are treated as being in the interbank account for purposes of US forfeiture laws.

The treasury secretary may impose special measures relating to non-US jurisdictions, institutions, transactions or accounts.

Financial institutions and credit bureaus may share records with government authorities to combat international terrorism.

December 25, 2001

Financial institutions may not maintain or administer correspondent accounts for unaffiliated foreign shell banks. Proposed rules at 66 Fed Reg 67469 (28/12/01).

Financial institutions must take "reasonable steps" to ensure that no correspondent account maintained by them in the US is being used to provide services to an unaffiliated non-US shell bank. Proposed rules at 66 Fed Reg 67469 (28/12/01).

The Treasury Secretary may require US banks to terminate any correspondent account held by a non-US bank that does not comply with or contests a US summons or subpoena. (This provision was effective October 26, 2001, but subject to a 60-day grace period.) Proposed rules at 66 Fed Reg 67469 (28/12/01).

Depository institutions must provide information requested by their federal banking agency within 120 hours (five calendar days). (This provision was effective October 26, 2001, but provided a 60-day grace period to comply.)

January 1, 2002

The federal banking agencies must consider an institution's record of combating money laundering in reviewing bank merger and acquisition applications filed after December 31, 2001.

Persons conducting a nonfinancial trade or business must report the receipt of more than $10,000 in currency in a single transaction or related transactions. Final rules at 66 Fed Reg 67679 (31/12/01).

February 23, 2002

The Treasury Secretary must issue regulations encouraging the sharing by financial institutions of information regarding persons suspected of engaging in terrorist or money laundering activities. Final regulations at 67 Fed Reg 9874 (4/3/02).

April 24, 2002

Financial institutions must establish anti-money laundering programs to prevent money laundering. Financial institutions in compliance with existing rules on such programs satisfy this provision of the Act. Interim rules at 67 Fed Reg 21114, 21116, 21119 and 21120 (29/4/02) for money services businesses, mutual funds, depository institutions and credit card systems, respectively, at 67 Fed Reg 20854 (26/4/02) for NASD- and NYSE-regulated securities brokers and dealers, and at 67 Fed Reg 32072 (13/5/02) for CFTC- and NFA-regulated futures commission merchants and introducing brokers.

The treasury secretary must adopt regulations establishing standards for financial institution due diligence policies and procedures to detect suspected money laundering through correspondent accounts and private banking accounts held by non-US persons. Final regulations at 67 Fed Reg 37736 (30/5/02).

April 25, 2002

The treasury secretary must adopt regulations requiring all businesses to report cash transactions exceeding $10,000 to FinCEN. Final regulations at 66 Fed Reg 67679 (31/12/01).

June 1, 2002

The treasury secretary must issue regulations requiring securities brokers and dealers to file suspicious activity reports. Proposed rules at 66 Fed Reg 67670 (31/12/01).

July 23, 2002

Financial institutions must adopt due diligence policies and procedures to detect suspected money laundering through correspondent accounts and private banking accounts held by non-US persons. Proposed regulations at 67 Fed Reg 37736 (30/5/02).

July 26, 2002

The treasury secretary must establish a "highly secure network" for use by financial institutions to file suspicious activity and various other reports.

October 26, 2002

The treasury secretary must adopt regulations establishing minimum identification standards that financial institutions must use when opening accounts for customers.

The Act also authorized, but did not establish a deadline for, the regulation of "concentration accounts" to prevent customers from anonymously using such accounts to transfer funds. Rules have not yet been proposed for such accounts, which are administrative accounts in which funds from various customers are commingled pending disbursement or transfer into customers' accounts.

The corporate compliance officer should review and modify, as appropriate, the existing compliance process in conjunction with the risk management committee described below. The internal auditor should review the corporate compliance officer's development of adequate documentation policies, periodic monitoring and reporting procedures (including appropriate flow charts) and training.

The corporate compliance officer should report to the CEO, CFO and general counsel any deficiencies or weaknesses in the compliance process as well as actual events of noncompliance with significant laws and regulations or corporate policies, and should coordinate with the appropriate business units to correct any deficiencies.

The corporate compliance officer must be personally familiar with the company's process for compliance with the applicable laws and regulations, and should be required at least annually to provide: (i) a personal oral presentation to the CEO, CFO and general counsel on the compliance process and the status of compliance efforts; and (ii) a formal written representation specifying the basis for his or her conclusion that the company has adequate policies and procedures to ensure compliance with applicable laws and regulations.

Risk management committee

An enterprise-wide risk management system should be created, centered around a risk management committee consisting of senior executives from each of the principal business units, the heads of credit, audit, technology, human resources and compliance, the general counsel, the CEO, the CFO, the COO, the internal auditor, and other officers as appropriate. This senior level group should meet monthly and review every aspect of the company's business. Business heads, the heads of credit, audit, technology, human resources and compliance, the general counsel, the CFO, the COO, and the auditor, should make formal presentations to the risk management committee describing and analyzing all of the risks their business units and departments faced and face, what controls were or will be put in place to minimize those risks, and where a loss occurred or might occur. These senior officers should be subject to questioning by the committee with respect to the risks identified, the risks not identified, and the controls put in place to minimize or eliminate those risks.

ANTI-MONEY LAUNDERING POST-SEPTEMBER 11

Spurred by the September 11 terrorist attacks, the USA Patriot Act, enacted October 26 2001, established a broad variety of new ways to combat international terrorism, money laundering and other illegal activities. Of particular significance to financial institutions is Title III of the Act, which: (i) expanded the definition of "financial institution" to include for the first time credit unions, futures commission merchants, commodity trading advisers and commodity pool operators; (ii) imposed new reporting and due diligence requirements; and (iii) provided the Treasury Department and the federal banking agencies with enhanced authority to identify, prevent and punish money laundering activities. The box ("US Patriot Act Timeline") contains a summary of the Act's provisions in the form of a timeline. Following is a description of the most recent regulatory developments on correspondent and private banking account due diligence.

FOREIGN BANK CORRESPONDENT ACCOUNTS

The Act requires "covered financial institutions" (which includes US depository institutions, non-US depository institution branches and agencies located in one of the 50 US states or the District of Columbia, SEC-registered brokers and dealers, registered futures commission merchants, introducing brokers, mutual funds, money services businesses, and operators of credit card systems) to adopt procedures reasonably designed to:

  • detect and report money laundering in new and existing "correspondent accounts" held by non-US persons or their representatives;

  • ensure that correspondent accounts held by non-US banks are not being used to provide banking services to "foreign shell banks" (non-US banks with no physical presence);

  • obtain certain information from correspondent account holders that operate under an offshore banking licence or are licensed by a country that does not have adequate anti-money laundering policies; and

  • terminate correspondent accounts held directly or indirectly for the benefit of foreign shell banks.

"Correspondent account" is defined broadly to include any account that is established to receive deposits from or make payments on behalf of a foreign financial institution (any non-US entity that would be a covered financial institution if organized under US law), or to handle other financial transactions related to such an institution. "Account" includes any formal banking or business relationship established to provide regular services, dealings, and other financial transactions, and therefore encompasses a broader range of customer relationships than those involving just deposit accounts.

For all correspondent accounts provided to non-US banks, a covered financial institution must obtain the identity of the bank's owners and the name of an agent in the US that is authorized to receive service of process for correspondent account-related records. Although the Treasury Department has provided a model certification form that can be used for these purposes, use of the form does not relieve a covered financial institution from the obligation to apply publicly-available and other information that may come into its possession and to assess the credibility of information it receives from a non-US bank.

Enhanced due diligence procedures must be adopted by covered financial institutions by July 23, 2002, for accounts held by foreign banks that operate under:

  • an offshore banking licence (which prohibits the licensed entity from engaging in banking activities with citizens of, or in the currency of, the licensing jurisdiction); or

  • a licence issued by a country that has been designated as non-cooperative or as requiring special measures due to money laundering concerns.

Under regulations proposed by the Treasury Department, the enhanced due diligence procedures must include:

  • detection and reporting of known or suspected illegal activity;

  • review of the foreign bank's anti-money laundering programme and its effectiveness;

  • obtaining from the foreign bank the identity of each individual authorized to direct transactions and the sources and beneficial ownership of the individual's funds or other assets;

  • determining whether the foreign bank maintains correspondent accounts for other foreign banks, their identities, and the adoption of procedures to assess and minimize the risks of such accounts; and

  • for foreign banks whose shares are not traded on an exchange or an organized and regulated over-the-counter market, the identity of each person directly or indirectly owning or controlling 5% or more of any class of securities and their ownership interest.

ENHANCED DUE DILIGENCE FOR PRIVATE BANKING ACCOUNTS

Covered financial institutions must also adopt special due diligence procedures for private banking accounts maintained in the US by or for non-US persons or their representatives, including persons visiting the US. Under FinCEN's proposed rules, a private banking account would include any account, or combination of accounts, that requires aggregate funds or other assets of at least $1 million, is directly or beneficially owned by one or more individuals (even though the nominal holder may be an entity) and is in whole or in part administered or managed by an officer, employee, or agent of the covered financial institution acting as the account liaison.

Each institution would have to determine the identity of all nominal holders and beneficial owners of such an account (including lines of business and sources of wealth), ascertain the source of funds deposited into the account, determine whether any holder or owner is a senior foreign political figure, and comply with criminal and suspicious activity reporting requirements applicable to the account. Per FinCEN, the exact scope of required due diligence would vary by customer, based on an institution's assessment of risk factors. This would effectively place on institutions the burden of determining the scope of due diligence, subjecting them to potential second-guessing by examiners conducting after-the-fact reviews.

Special procedures would apply to an account that is directly or beneficially owned by a senior foreign political figure, which includes any present or former senior official in the executive, legislative, administrative, military, or judicial branches of a foreign government, a senior official of a major foreign political party, a senior executive of a foreign government-owned commercial enterprise, a corporation, business or other entity formed by or for the benefit of any of these individuals, an immediate family member of any of these individuals, and any person who is widely and publicly known (or is actually known by the covered financial institution) to maintain a close personal or professional relationship with any such individual. These broad standards effectively transfer to covered financial institutions the responsibility, and risk, of properly identifying senior political figures.

Covered financial institutions would be required to adopt and implement policies and procedures for accounts held by or for senior foreign political figures that are reasonably designed to detect and report transactions that may involve the proceeds of foreign corruption. Under the proposed rules, such proceeds would include assets or property acquired by, through, or on behalf of a senior foreign political figure through misappropriation, theft or embezzlement of public funds, or the unlawful conversion of property of a foreign government, or through acts of bribery or extortion, and would include other property into which such assets were transformed or converted. It is noteworthy, in this connection, that section 315 of the Act adds foreign corruption to the list of crimes that may be prosecuted as money laundering crimes.

Information sharing

Effective March 4 2002, FinCEN adopted rules to encourage information sharing between financial institutions for the purpose of identifying and reporting activities that may involve terrorist acts or money laundering activities. For purposes of these rules, "financial institution" is defined as meaning depository institutions, SEC-registered brokers and dealers, traveler's check and money order issuers, registered money transmitters, and credit card system operators other than money services businesses.

Enhanced enforcement powers

The Act substantially expanded the government's enforcement authority and increased penalties for violations of the Bank Secrecy Act and implementing regulations. In the area of penalties, the Act criminalized the smuggling of bulk cash, and established civil and criminal penalties of up to $1 million for violations of various Bank Secrecy Act requirements.

The Act also provided government agencies with a number of additional enforcement options, including authorizing the Treasury Secretary to impose the following special measures on US financial institutions:

  • additional record-keeping and reporting requirements;

  • identifying non-US beneficial owners of certain accounts;

  • identifying customers of a non-US bank who use inter-bank payable-through accounts or correspondent accounts; and

  • restricting or prohibiting the opening or maintaining of certain inter-bank payable-through or correspondent accounts. However, this last measure may be imposed only through adoption of regulations.

SUMMARY

Together, the Act and implementing regulations place significant additional responsibilities on financial services firms, especially the additional due diligence required for correspondent and private banking accounts held by or on behalf of non-US persons. These new requirements make the execution of the recommendations discussed in the first portion of this article regarding reporting and internal control systems even more important. The combination of enhanced internal controls, a risk management committee, expanded audit committee role, and a comprehensive risk management and compliance system should provide financial services firms with an effective and proactive response to the enhanced regulatory and judicial scrutiny arising in the aftermath of Enron and AllFirst/Allied Irish and the passage of the USA Patriot Act.


Winston & Strawn

200 Park Avenue

New York

New York 10161

Tel: +1 212 294 6700

Fax: +1 212 294 4700
