
A PUBLICATION OF CHARTWELL COMPLIANCE | CHARTWELLCOMPLIANCE.COM SEPTEMBER 2018

2 Second Guidance Memo on the Fintech Bank Charter By Petra Hrachova

5 Fintech Regulatory Sandbox Will You Participate? By Melody Loudin

7 Coming to America ... GDPR By Trish Lagodzinski

11 NMLS CORNER: NMLS Agency Update

13 NMLS CORNER: Planning Ahead for License Renewals By Melody Loudin

15 Interview with Bryan Keltner, Co-Founder at SynapseFI By Richard Davis

16 Digital Identities - How They Help with Compliance and Risk Management By Neil Reiter

18 Look Back, How Did You Do on GDPR? By Petra Hrachova

20 Points to Ponder

22 About Chartwell Compliance

24 Services

25 Strategic Alliances

Chartwell Compliance provides a one-stop shop of consulting, testing and outsourcing services in the areas of regulatory compliance, state MSB licensing, financial crimes prevention and enterprise risk management.

EDITORIAL STAFF

Daniel A. Weiss, President and CEO, [email protected]

Jonathan Abratt, Chief Operating Officer, [email protected]

Richard Davis, Corporate Services Director, [email protected]

CHARTWELLCOMPLIANCE.COM · CHARTWELL COMPASS | SEPTEMBER 2018

Second Guidance Memo on the Fintech Bank Charter

By Petra Hrachova, CRCM, CAMS, Compliance Director

OCC Begins Accepting National Bank Charter Applications From Financial Technology Companies

[1] https://home.treasury.gov/news/press-releases/sm447

[2] https://www.occ.gov/publications/publications-by-type/licensing-manuals/file-pub-lm-considering-charter-applications-fintech.pdf

On July 31, 2018, the Treasury released its long-awaited Report on Nonbank Financials, Fintech, and Innovation [1], endorsing the creation of such a charter. The OCC followed within hours by announcing that it will accept Special Purpose National Bank Charter applications, and the CFPB responded within a week by creating a “sandbox” to provide regulatory guidance on launching a new product or service in the market, a network for regulatory collaboration and sharing, and a forum for joint policies and discussions.

This step, referred to by observers as a “game changer”, should provide an option to fintechs that are regulated by 50 different entities and often required to meet the additional requirements of their banking partners. According to the OCC, “Companies that provide banking services in innovative ways deserve the opportunity to pursue that business on a national scale as a federally chartered, regulated bank.” OCC Comptroller Otting stated that “Providing a path for fintech companies to become national banks can make the federal banking system stronger by promoting economic growth and opportunity, modernization and innovation, and competition.” Many questions about the application process, the capital and liquidity requirements, and the impact of regulatory oversight on fintech companies remain.

OCC Special Purpose National Bank Charter: high-level details

The OCC confirmed its challenged statutory authority, regulations, and policies governing its review and decision making with respect to chartering national banks, including special purpose national banks. That authority extends to companies that engage in one of the core banking functions (paying checks, lending money, or taking deposits) and is described at 12 CFR 5.20(e)(1).

The OCC Comptroller’s Licensing Manual Supplement, Considering Charter Applications From Financial Technology Companies [2], issued in conjunction with the OCC’s announcement, provides detail on the application process, key considerations in the OCC’s review of the application, and the supervision process. The document describes the OCC’s approach applicable to fintech companies engaged in paying checks or lending money that rely on funding sources different from those relied on by insured banks and are therefore not insured by the Federal Deposit Insurance Corporation (FDIC). The OCC views the National Bank Act as sufficiently adaptable to include fintechs facilitating payments electronically and would consider such a product the modern equivalent of paying checks. Any applicants proposing to engage in activities not already addressed in statute, regulation, or OCC precedent are encouraged to consult the OCC. Fintechs that take deposits are required to obtain FDIC insurance and therefore must apply for a full-service national bank charter.

The OCC’s application process for a national bank consists of four phases:

1. A prefiling phase, in which potential applicants engage with the OCC in formal and informal meetings to discuss the proposal, the chartering process, and application requirements.

2. The filing phase, in which the organizers submit a complete application.

3. The review phase, in which the OCC reviews and analyzes the application to assess whether the proposed bank has a reasonable chance of success, will be operated in a safe and sound manner, will provide fair access to financial services, will promote fair treatment of customers, will ensure compliance with laws and regulations, and will foster healthy competition.

4. The decision phase, in which the OCC decides whether to approve a charter application. The decision phase includes the preliminary conditional approval stage, in which the OCC imposes requirements and conditions for receiving a charter; the organization stage, in which the bank raises capital and prepares for opening; and the final approval stage.

The OCC encourages potential applicants to contact the OCC and learn about the application process and the OCC’s requirements and expectations well in advance of filing. A dialogue to discuss the charter should be initiated, followed by additional meetings to discuss the proposed bank’s business plan, including a description of the proposed activities, the underlying marketing analysis supporting the business plan, the capital and liquidity needed to support the business plan, and a contingency plan to remain viable under significant financial stress. The fintech should also be prepared to outline its commitment to financial inclusion and how it will be achieved.

The OCC may provide feedback on the proposal and discuss any legal, policy, or supervisory issues that may be relevant to the proposal and that would need to be resolved in connection with the final application. The OCC will determine whether the organizers should submit a draft application before filing a formal application.

The OCC will start its review when an application is filed and consider whether the proposed bank:

▶ has a reasonable chance of success,

▶ will be operated in a safe and sound manner,

▶ will provide fair access to financial services and will promote fair treatment of customers, and

▶ will ensure compliance with laws and regulations.

Additional considerations include whether the proposed bank can reasonably be expected to achieve and maintain profitability and whether approving its charter will foster healthy competition. The OCC will consider the applicant’s business model and proposed risk profile. It will also consider, among other factors, whether the proposed bank has a business plan that articulates a clear path and timeline to profitability, has adequate capital and liquidity to support the projected volume, and has organizers and management with appropriate skills and experience. A fintech company with a national bank charter will be supervised like similarly situated national banks, including with respect to capital, liquidity, and risk management.

The OCC provides additional resources regarding the business plan in the “Charters” booklet [3] of the Comptroller’s Licensing Manual, and sets out its expectations regarding a bank’s risk management and corporate governance framework in appendix A of the Supplement, “Supervisory Considerations.”

The OCC will require minimum and ongoing capital levels commensurate with the risk and complexity of the proposed activities and subject to the minimum leverage and risk-based capital requirements in 12 CFR 3 that apply to all national banks. The OCC expects that for some fintechs the set floor may not be sufficient for measuring capital adequacy and expects the fintech to propose a minimum level of capital that will be met or exceeded at all times.

The OCC’s preliminary conditional approval for a charter will include a condition specifying a minimum capital level the fintech must maintain at all times. This amount would be based on the analysis of quantitative and qualitative factors. The OCC expects that capital would increase beyond the initial minimum amount as the size, complexity, and corresponding risks of the bank evolve. Since the fintech will be uninsured and likely to rely on funding that is potentially more volatile in certain environments, the fintech will need to describe how it will be funded and how it will maintain sufficient liquidity under stressed conditions.

Financial inclusion, fair access to financial services and fair treatment of customers will have to be demonstrated. The expectations for promoting financial inclusion will depend on the fintech’s business model and the types of planned products, services, and activities. This is an important aspect for all regulated banks that has not been pushed down as strongly to non-bank financial institutions. The expectations will depend on the products and services; any lending activities will likely undergo scrutiny and require fair lending reviews. The OCC will review and evaluate the policies and procedures related to the financial inclusion commitment alongside the Community Reinvestment Act requirements applicable to the regular bank charter. The fintechs’ commitment to financial inclusion is ongoing through the life of the charter.

[3] https://www.occ.gov/static/licensing/form-business-plan-v2.pdf

As with regular bank charters, the special purpose charter banks will have to develop a contingency plan to address significant financial stress that could threaten their viability. The contingency plan should outline strategies for restoring the bank’s financial strength and options for selling, merging, or liquidating the bank in the event the recovery strategies are not effective. The OCC’s final approval will require the bank to implement and adhere to the plan. The fintech will be expected to review the contingency plan annually and update it as needed.

The OCC will seek to make a decision on a complete and accurate application within 120 days after receipt or as soon as possible thereafter. But the OCC gives itself more flexibility and provides for additional time and scrutiny. The average review process will be determined once the OCC has a history of approved applications.


Petra Hrachova, CRCM, CAMS, Compliance Director, has over 17 years of experience as a compliance, CRA, and Bank Secrecy Act officer at community banks and as a regulator.

Prior to joining the Chartwell Compliance team as a senior compliance professional and training manager, Petra worked as a senior assistant bank examiner at the Federal Reserve Bank, routinely helping with supervisory activities for community and regional state member banks. Petra’s experience also includes starting a de novo bank, where she successfully created and managed compliance, BSA, and credit administration programs. In her compliance roles and as a member of the management teams, Petra developed an in-depth knowledge of all functional areas of banking. For more information, please contact Petra at [email protected].


Fintech Regulatory Sandbox: Will You Participate?

By Melody Loudin

With nations seeking out fintech innovation, regulatory sandboxes are popping up worldwide. But what is a sandbox and how is it beneficial? While each sandbox is different, with varying rules and eligibility criteria, the basic premise is to test an innovative financial product or service within a well-defined space and for a set duration without licensure. The resultant success and benefit of this limited product testing serves to speed up the introduction and viability of new services available to consumers, including online payment solutions.

Arizona is the first state in the U.S. to create such a Fintech Sandbox, which will be implemented in late 2018. With only a couple of other states exploring this approach, the majority of states will be watching the outcome in Arizona and how this impacts the local financial industry and its consumers before they decide whether to establish a Fintech Sandbox of their own.

Beginning in late 2018, applications can be submitted to the Arizona Attorney General for a financial product or service that must be new and innovative and not currently offered in Arizona by other approved sandbox participants and/or licensees operating in the state of Arizona. The sandbox program ends July 1, 2028.

This program offers participants limited access to the Arizona consumer market to test financial products and/or services without obtaining a license.

Arizona Regulatory Sandbox Parameters for Program, Products & Services

The application process is set to begin in late 2018, and the Attorney General will be required to consult with applicable agencies before admitting a participant into the sandbox. Until the application is posted on the legislative website, the following is a recap of what the House Bill indicates.

Who Can Apply?

The Attorney General accepts and reviews each application for entry into the sandbox on a rolling basis. Any individual or entity can apply, provided it is subject to the jurisdiction of the Arizona Attorney General. Applicants are subject to that jurisdiction by:

▶ Incorporation

▶ Residency

▶ Presence

▶ Agreement or otherwise

Applicants must establish a physical or virtual location that is adequately accessible to the Attorney General. The location must be where the testing is developed and performed, and where all required records, documents and data will be maintained.

Application Steps/Requirements

▶ The Paper Form of the application will be made available on the Arizona Attorney General’s website in late 2018

▶ Applicants must list enough information to show the applicant has an adequate understanding of the innovation, sufficient plans to test, monitor and assess the innovation while ensuring Arizona consumers are protected from the test’s failure

▶ Applicants must provide relevant personal contact information

▶ Applicants must disclose any criminal convictions of the applicant and/or key personnel

▶ A description of the innovation to be tested including statements which address:

› How the innovation is subject to regulation outside of the sandbox;

› How the innovation benefits consumers;

› How the innovation is different from other products and/or services already offered in the Arizona marketplace;

› What risks will confront consumers who use or purchase the innovative financial product and/or service;

› How entering the sandbox enables a successful test of the innovation;

› Proposed Testing Plan;

› Estimated time periods for market entry, market exit, and the pursuit of necessary licensure or authorization; and

› How the applicant will wind down the test and protect consumers if the test fails.

▶ An application fee will be set by the Attorney General

▶ A separate application is required for each innovative product and/or service


Approvals & Denials

Not later than 90 days after the application is submitted, the Attorney General will notify the applicant whether or not they are approved for entry into the sandbox. However, the applicant and the Attorney General can mutually agree to extend the time period for determining approval status.

Sandbox participants who have been approved for entry will have 24 months after the date of approval to test the innovative financial product and/or service described in the application. Additionally, a participant registration number will be provided for use in all disclosures. Upon a denial, there can be no appeal of the decision.

Financial Product and/or Service Requirements

The product must be financial in nature with the following elements:

▶ Applicable for Arizona resident consumers only

▶ No more than 10,000 consumers may transact through or enter into an agreement to use the innovation

▶ If the innovation is “Money Transmission” the following applies:

› Individual transactions per consumer may not exceed $2,500

› Aggregate transactions per consumer may not exceed $25,000

▶ If the innovation is “Consumer Lending” the following applies:

› Individual consumer lender loans may be issued for up to $15,000

› Aggregate consumer lender loans may not exceed $50,000

Disclosures Required for the Consumer

Below are the minimum required disclosures for any innovation:

▶ Name and contact information of the sandbox participant, including the registration number assigned;

▶ Statement that the innovative financial product and/or service is authorized only through the sandbox and that the applicant does not have a license or other authorization to generally provide the product and/or service under Arizona state laws which regulate the product outside of the sandbox;

▶ Arizona does not endorse or recommend the innovation;

▶ Product and/or service is a temporary test which may be discontinued at the end of the testing period;

▶ Expected end date of the testing period;

▶ How to contact the Attorney General and file a complaint. This information shall also include the phone number, website and address where complaints may be filed;

▶ Clear and conspicuous language in both English and Spanish; and, for Internet- or application-based innovative products and/or services, the disclosures must be received and acknowledged by the consumer before the completion of a transaction.

Disclosures Required for the Attorney General

At least 30 days before the end of the 24-month sandbox testing period, the participant must:

› Notify the Attorney General that the participant will exit the sandbox, wind down its test and cease offering any innovative product and/or services in the sandbox within 60 days after the 24-month testing period ends OR;

› Seek an extension to pursue a license or authorization required by state law. If the Attorney General does not receive any notification, the testing period ends at the end of the 24-month testing period and the participant must immediately cease offering the product and/or services; and

› If a test includes offering a product and/or services that requires ongoing duties, such as servicing a loan, the participant must continue to fulfill those duties or arrange for another person to fulfill those duties after the participant exits the sandbox.

Extensions

▶ The testing period can be extended to pursue a license or other authorization and an extension will be denied or granted by the end of the 24-month testing period.

▶ The extension is not effective for more than 1 year after the end of the sandbox testing period.

▶ If approved for an extension, the participant must provide a written report every three months which provides an update on the efforts to obtain a license or other authorization, including submitted applications for licensure and/or rejected applications for licensure.

Recordkeeping and Reporting

▶ All records, documents, and data produced in the ordinary course of business must be maintained at the location specified in the application.

▶ If the innovation fails before the end of the testing period, the participant must notify the Attorney General and report on actions taken to ensure consumers have not been harmed as a result of the failure.

▶ All breaches must be reported to the Attorney General in a written report.

Melody Loudin brings over 17 years of experience in regulatory compliance, beginning her career in federal grant acquisition, program compliance and exam management. As a Sr. Compliance Specialist with two of the largest non-bank mortgage servicers in the U.S., she has helped to enhance and maintain compliance programs as well as manage entity, branch, and individual licensing for Mortgage Services, Consumer Lending, Consumer Debt Collection, Auction and Property Preservation. For more information, please contact Melody at [email protected].


Coming to America… GDPR

By Trish Lagodzinski

The European Union’s General Data Protection Regulation (“GDPR”) has landed on America’s shores.

U.S. companies will need to monitor and plan for the U.S.-based privacy requirements as well as focus on compliance with the European GDPR.

On June 28, 2018, California lawmakers enacted the California Consumer Privacy Act of 2018 (the “CCPA”), a sweeping, GDPR-like privacy law that is intended to give California consumers more control over how businesses collect and use their data. This fall, California voters will also decide whether and how the European privacy regime will be adopted. Beyond California, several other U.S. states have recently introduced and passed legislation to expand data breach notification rules and to mirror some of the protections provided by Europe’s recently enacted GDPR.

As of March 2018, all 50 U.S. states, as well as the District of Columbia, Guam, Puerto Rico and the U.S. Virgin Islands, have enacted or expanded breach notification laws that require businesses to notify consumers when their personal information is compromised. These new and amended state data breach laws expand the definition of personal information and specifically mandate that certain information security requirements are implemented. [1]

Here are some recent examples of state legislation and regulations:

Alabama (SB 318) – Alabama passed its first data breach notification law. Alabama’s data breach notification law went into effect on June 1, 2018. The law applies to the unauthorized acquisition of sensitive personally identifying information in electronic form. The definition of sensitive personally identifying information is expansive and includes health information, as well as a username or email address in combination with a password or security question and answer. Other key provisions of the law include a risk of harm provision and the requirement that covered entities and their third-party agents must implement and maintain reasonable security measures to protect sensitive personally identifying information from a breach of security. The law also contains a data disposal requirement, which requires applicable entities and their third-party agents to shred, erase or otherwise modify sensitive personally identifying information contained in records when the records no longer need to be retained. In addition, the Alabama law imposes civil penalties of up to $500,000 per breach for any entity that knowingly violates or fails to comply with the notification provisions of the law.

[1] Data Protection Report, “US states pass data protection laws on the heels of the GDPR,” Jeewon Kim Serrato, Chris Cwalina, Anna Rudawski, Tristan Coughlin, and Katey Fardelmann, July 9, 2018.

Arizona (HB 2154) – Arizona updated its breach notification law to expand the definition of personal information and tighten notification timelines. On April 11, 2018, Arizona’s governor signed HB 2154 to amend the Arizona data breach notification law. The law went into effect upon signing and amends Arizona’s data breach notification law to: (1) expand the definition of personal information; (2) refine the time period in which consumers must be notified to 45 days; (3) prescribe circumstances when the Attorney General and consumer reporting agencies (CRAs) must be notified; (4) implement a risk of harm provision; and (5) impose civil penalties of up to $500,000 for knowing and willful violations of the law.

Colorado (HB 1128) – Colorado strengthened consumer protections by requiring formal information security policies as well as increased oversight of third parties. Passed on May 29, 2018, Colorado’s law takes effect on September 1, 2018. Under the law, “covered entities,” defined as “a person [. . .] that maintains, owns or licenses personal identifying information in the course of the person’s business, vocation, or occupation,” are accountable for protecting personal information. Like GDPR Articles 24, 25 and 32, which require data protection policies to ensure appropriate levels of security, Colorado requires covered entities to: (1) develop and maintain written policies on the disposal of personal information; and (2) “implement reasonable security procedures and practices commensurate with the sensitivity of personal data processed as well as the size and complexity of the entity.” In addition, Colorado now requires supervision of third-party providers that process personal data on behalf of covered entities. Likewise, covered entities will also be required to provide notice of data breaches to both individuals and Colorado’s attorney general when more than 500 Colorado residents are impacted. Violations of the law may be enforced by the state’s attorney general.


Iowa (HF 2354) – Iowa passed legislation regulating online services and mobile apps for students. Iowa’s law took effect on July 1, 2018. The law applies to operators of internet sites, online services, online applications, or mobile applications that have actual knowledge that their site, service, or application is used primarily for kindergarten through grade twelve purposes and was designed or marketed for such purposes. The law prohibits the use of students’ information for certain purposes, such as creating student profiles or selling or renting a student’s information. And it requires operators to implement and maintain security procedures and practices appropriate and consistent with industry standards and applicable state and federal laws, rules, and regulations.

Louisiana (Act No. 382) – Louisiana amended its data breach law. Amendments to Louisiana’s existing law went into effect on August 1, 2018. Among other things, the law: (1) expands Louisiana’s definition of personal information; (2) amends the state’s data breach notification law to require notice to affected Louisiana residents within 60 days of determining that a security breach occurred; (3) incorporates a risk of harm provision; and (4) requires organizations to take reasonable steps to destroy records with personal information that the business does not intend to retain.

Nebraska (LB 757) – Nebraska enacted a requirement to maintain reasonable security practices and procedures and flow down those obligations to third parties. Effective July 18, 2018, commercial entities that conduct business in Nebraska and license, own or maintain computerized data that includes personal information of Nebraska residents must implement and maintain reasonable security procedures and practices. In addition, commercial entities must contractually require non-affiliated, third-party service providers to institute and maintain reasonable security procedures and practices.

Oregon (SB 1551) – Oregon amended its breach notification rules. On June 2, 2018, Oregon’s amended data breach notification and information security laws went into effect. Oregon’s data breach notification law was amended to: (1) expand the scope of those who must provide notice of a security breach to anyone who “otherwise possess” personal information; (2) broaden the definition of personal information; (3) require notice to affected Oregon residents within 45 days of determining that a security breach occurred; (4) require all entities, whether or not they meet the threshold for providing notification to the Attorney General, to provide the Attorney General with a copy of the notice sent to consumers within a reasonable time; and (5) prohibit entities offering free credit monitoring or identity theft prevention services from conditioning such services on the person providing a credit or debit card number or accepting any other services the entity offers to provide for a fee.

South Carolina (H4655) – South Carolina imposed heightened breach notification and security requirements on the insurance industry. The South Carolina Insurance Data Security Act, which goes into effect on January 1, 2019, will require the insurance industry to implement comprehensive written cybersecurity programs and incident response plans. Moreover, the Insurance Commissioner must be notified within 72 hours of a security breach.

South Dakota (SB No. 62) – South Dakota enacted its first data breach notification law. Effective July 1, 2018, South Dakota’s breach notification law limits the definition of a breach to the “unauthorized acquisition of unencrypted computerized data” and includes an expansive definition of what is considered “personal information” and “protected information.” The law requires affected individuals to be notified within 60 days of the discovery of the breach. Moreover, the law requires that notification be provided to CRAs when residents receive notice of a breach, regardless of the size of the breach. In addition, the attorney general must be notified if 250 or more South Dakota residents are provided with notice of a breach. The attorney general may prosecute any entity that fails to provide individual notifications as required by the law and seek penalties of up to $10,000 per day, per violation.

Vermont (H. 764) – Vermont passed legislation to regulate data brokers. Passed in May 2018, Vermont’s law goes into effect on January 1, 2019. Under the new law, data brokers will be required to: (1) register with the Vermont Attorney General and pay a $100 registration fee; (2) make annual disclosures to the Vermont Attorney General concerning data privacy practices and data breaches; and (3) develop, implement, and maintain a comprehensive written information security program that contains administrative, technical, and physical safeguards.

Virginia (HB 183) – Virginia amended its breach notification law to include income tax information. Effective July 1, 2018, Virginia’s data breach notification law now requires individuals that prepare tax returns on behalf of any Virginia individual to notify the Virginia Department of Taxation upon the discovery or notification of unauthorized access to an individual’s “return information.” The notification obligation is triggered if the tax preparer has a reasonable belief that the information was accessed and acquired by an unauthorized person and that such access or acquisition will cause or has caused identity theft or other fraud. “Return information” is defined as a “taxpayer’s identity and the nature, source, or amount of his income, payments, receipts, deductions, exemptions, credits, assets, liabilities, net worth, tax liability, tax withheld, assessments, or tax payments.”

Like their European counterparts, these state laws are intended to provide consumers with greater transparency and control over their personal data. The California and Vermont laws go beyond breach notification and require companies to make significant changes in their data processing operations.

California

The CCPA, enacted on June 28, 2018, takes effect on January 1, 2020, which means the California legislature may still amend the law in the coming months and years. Lawmakers moved swiftly to pass the bill so that the sponsors of a November ballot initiative, which would have codified more stringent rules, would withdraw it; the initiative was withdrawn once the bill was signed, so California’s GDPR-like privacy regime arrives through the statute rather than through the November 6, 2018 ballot.2

The CCPA requires businesses to disclose the categories of personal information they collect, sell, or share about California consumers, and gives consumers a right to say “no” to the sale of their information. The Act also allows consumers to sue over data breaches that result from a failure to maintain “reasonable security procedures and practices,” without having suffered any loss of money or property, and imposes stiff penalties for noncompliance.3

The Act is far reaching. It covers virtually all information a business has about a consumer and reaches across all industries and business practices. It will impose significant compliance challenges, burdens, and costs, and greatly increase the risk of litigation.

The Act creates the following consumer privacy “rights”:4 (The summary below follows the analysis cited in note 4, which was written against the ballot-initiative text; the enacted statute tracks it closely, and the places where it differs are called out.)

“Right to know.” Upon request by a consumer, businesses must disclose the categories of personal information (PI) that the business has, within the year preceding the request: (i) collected; (ii) sold to a third party; and/or (iii) disclosed to another person for a business purpose. Consistent with its expansive scope, the Act broadly defines collecting, selling, and disclosing for a “business purpose” to encompass virtually all aspects of a business’s interaction with — and use of — consumer PI:

▶ If a business buys an email or address list from a direct-mailing-list broker, that information would need to be listed as information “collected.”

▶ If a business shares customer purchase records with a data cooperative in exchange for access to other consumer PI the cooperative has, that information would need to be listed as information “sold,” and depending on what the business receives from the co-op, as information “collected.”

▶ If a business provides a consumer’s account or transaction information to a third-party customer-support provider or to a third party for processing credit card transactions, that information would need to be listed as information “disclosed for a business purpose.”

2 Spencer Persson, Jeewon Kim Serrato, Steve Roosa, Arleen Fernandez, and Anna Rudawski, “California passes major legislation, expanding consumer privacy rights and legal exposure for US and global companies,” Data Protection Report, June 29, 2018.

3 Dan Lohrmann, “California’s GDPR? The 2018 California Consumer Privacy Act,” Government Technology.

4 Purvi G. Patel and Alexandra Eve Steinberg Laks, “California’s GDPR? The 2018 California Consumer Privacy Act,” Morrison & Foerster Publications, May 14, 2018.

For businesses that have sold or disclosed the requesting consumer’s PI, the business must also provide accurate names and contact information for the receiving parties.

To facilitate consumer requests for information, the Act would require businesses to make available two or more designated methods to ask for the information. At a minimum, these methods must include a toll-free number and, if the business has a website, a website address.

Businesses would be required to respond in writing within 45 days of a request. These reports would need to be provided free of charge. In addition, a business must disclose certain information about the Act online, including, if applicable, in its online privacy policy or in any California-specific description of consumers’ privacy rights. This information, which must be updated at least once a year, includes (i) a description of rights under the Act, and (ii) a list of categories of PI collected, sold to a third party, or disclosed for business purposes.

Right to “say no.” Businesses must give consumers the right to opt out of the sale of personal information. The Act requires a “clear and conspicuous” link on the business’s homepage, titled “Do Not Sell My Personal Information.” If the business has a separate page for California consumers and takes reasonable steps to direct California consumers to that page, the business does not have to put the “Do Not Sell” link on its homepage. Any information collected in connection with a consumer’s opt-out request may only be used for purposes of complying with the opt-out request.

Right to sue for violations of the Act. As drafted in the ballot initiative, the Act provided a private right of action for violations of any of its provisions, with statutory damages of $1,000 per violation (or up to $3,000 for willful violations) or actual damages, whichever is greater. That text was silent on what constitutes a “violation” — i.e., in the context of a delayed response to a request, whether a “violation” is a single failure to respond per person or whether that failure is multiplied per category of PI or per day, or, in the context of an incomplete disclosure, whether a “violation” is the errant disclosure itself or the category or categories of PI excluded. The enacted statute narrows this: the private right of action is limited to data breaches (see below), with statutory damages of $100 to $750 per consumer per incident or actual damages, whichever is greater, and all other violations are enforced publicly.

For the claims a consumer can bring, a violation of the Act alone is enough for an injury-in-fact, meaning the plaintiff need not have suffered any loss of money or property to have standing to sue. The Act also provides for public enforcement by the California Attorney General (the initiative would additionally have allowed district attorneys and, under certain circumstances, a county counsel, city attorney, or city prosecutor), with civil penalties of up to $2,500 for each violation and $7,500 for each intentional violation. The initiative’s “whistleblower” mechanism, which would have allowed individuals to stand in the shoes of the AG to seek civil penalties, was not carried into the enacted law.

Notably, there is no “good faith” compliance or “bona fide” error or mistake exception. There is, however, a non-California “exemption” that provides that the obligations imposed by the Act shall not restrict a business’s ability to collect and sell consumer PI so long as every aspect of the commercial conduct takes place outside of California.

Right to sue for data breach. The Act also creates new liabilities for security breaches involving consumers’ PI (as defined in California’s data breach notification law, Cal. Civ. Code § 1798.82). A business that has suffered a data breach and failed to implement and maintain “reasonable security procedures and practices” to protect the disclosed PI will be deemed to have violated the Act, opening the business up to the Act’s statutory damages. The enacted statute lets consumers sue over such a breach; the initiative text would also have allowed law enforcement and whistleblowers to do so.

The potential exposure could be enormous if a “violation” is counted per individual or record impacted rather than per breach incident. Assuming a breach of one million consumer records and a defendant found liable under the Act, statutory damages from a consumer action could amount to $1 billion at the initiative’s $1,000 per violation, or $750 million at the enacted statute’s $750-per-consumer ceiling.

This provision was designed to overcome court decisions finding that consumers lack standing to sue for data breaches where they cannot demonstrate actual harm or a likely threat of future harm. The Act would likely lower the bar for standing in data breach cases, thereby making dismissal more difficult and potentially raising the “headline” number for private consumer and law enforcement data breach settlements.

Compliance and Legal Planning

Since similar GDPR-style legislation is likely to be passed across the U.S. in the next two years, companies should develop legal and compliance plans to monitor changes in the regulatory landscape and continually reassess the effectiveness of the company’s risk mitigation controls. There will likely be amendments to the new California law. Companies that have started to comply with the GDPR will need to conduct a gap assessment to determine how their existing procedures will need to be revised to comply with these new state laws.

Companies looking to adopt an effective data management program may want to consider:

▶ Auditing the personal data they collect, analyzing the nature or categories of personal data, and identifying which data is “critical” to the company.

▶ Developing a process for receiving, reviewing and fulfilling customers’ requests in connection with their data and requests to opt out of data collection as well as how these requests will be operationalized.

▶ Developing and maintaining written data protection policies and security procedures and training employees who handle personal data on policy changes, proper handling, and best practices.

Trish Lagodzinski has more than 25 years of experience in government contracting, project management and support. At Chartwell Compliance and, previously, Ascella Compliance, she has assisted with regulatory compliance matters dealing with state money services business licenses and related state and federal compliance regulations for a wide range of non-bank financial services companies. Her work has included leading a 50-state license application project in six months for a publicly traded customer. She also serves as an outsourced state license administrator for customers. For more information, please contact Trish Lagodzinski at [email protected].


THE NMLS CORNER

NMLS Agency News
By Trish Lagodzinski

Minnesota Added a Residential PACE Administrator License to NMLS August 1, 2018

NMLS is now receiving new application filings for the Minnesota Department of Commerce Residential PACE Administrator License. New applicants are now able to submit these records through NMLS.

Wyoming Added a Collection Agency License to NMLS August 1, 2018

Starting August 1, NMLS will begin receiving new application and transition filings for the Wyoming Department of Banking Collection Agency License. New applicants and existing licensees will be able to submit these records through NMLS.

Companies holding these license types in Wyoming and Minnesota are required to submit a license transition request through NMLS by filing a Company Form (MU1) and an Individual Form (MU2) for each of their control persons by September 30. Additionally, for each branch holding these license types, companies are encouraged to complete and submit a Branch Form (MU3).

Washington State Department of Financial Institutions Begins Accepting Applications for Student Education Loan Servicers – July 16, 2018

As part of the implementation for E2SSB 6029, the Student Loan Bill of Rights, the Washington State Department of Financial Institutions begins accepting applications from student education loan servicers on July 16. Applicants will apply for a Washington Consumer Loan license for the main office and a Washington Consumer Loan Branch license for any additional locations conducting Washington State business. The application checklist and requirements are posted by the Department.

South Carolina Attorney General’s Office to Add Money Transmitter and Currency Exchange Licenses to NMLS on May 14, 2018

South Carolina Attorney General Alan Wilson has announced that the newly formed Money Services Division will begin accepting applications for licenses to conduct money transmission and currency exchange services in South Carolina today, May 14. Frequently asked questions and answers on the licensing process have been posted online. New applicants and existing licensees will be able to submit these records through NMLS.

Note: Any person conducting money transmission or currency exchange services in South Carolina as of May 25 who files an application no later than the close of business on June 29 may continue to do business in South Carolina while the application is being reviewed.

Surety Bonds

Minnesota Department of Commerce and Wyoming Department of Banking to Adopt Electronic Surety Bonds

Starting August 1, the state agencies listed below will begin receiving Electronic Surety Bonds (ESB) through NMLS for the license types listed below. See the ESB Adoption Map and Table for a list of state agencies that have also adopted ESB and required ESB conversion dates.

North Carolina Commissioner of Banks to Receive New Electronic Surety Bonds in NMLS on June 5, 2018

Starting June 1, 2018, the North Carolina Commissioner of Banks Office began receiving new and converted Electronic Surety Bonds (ESB) through NMLS for the following license types. See the ESB Adoption Map and Table for a list of state agencies that have also adopted ESB and required ESB conversion dates.

▶ Mortgage Broker License

▶ Mortgage Lender License

▶ Mortgage Servicer License

Idaho Department of Finance to Receive New Electronic Surety Bonds in NMLS on May 2, 2018

Starting June 1, 2018, the Idaho Department of Finance began receiving new and converted Electronic Surety Bonds (ESB) through NMLS for the Money Transmitter License. See the ESB Adoption Map and Table for a list of state agencies that have also adopted ESB and required ESB conversion dates.


Planning Ahead for License Renewals
By Melody Loudin

NMLS RENEWALS

With renewals of Money Transmission Licenses (MTLs) right around the corner, it is not too early to start planning.

The first step is to review the deadline requirements for each state because the “recommended renewal date” for submission and the “renew by” date can be different. For example, even though the MTL license expires on 12/31, last year Arizona recommended you submit your renewal through NMLS by 12/1. More importantly, Arizona also required that you submit the ancillary renewal forms it needed to the agency no later than 10/31. Some states may even impose a late fee if renewals are not submitted by a certain date.

To remain aware and compliant, you can download the “Renewal Deadlines, Requirements, Fees Chart” that is posted under Resources for Annual Renewals.

Best practice is to prepare and/or begin your renewals as soon as the checklists are released and according to the listed recommendations of each state. Another important factor to remember is that the renewal checklists change frequently, sometimes all the way into December, so it is helpful to keep checking for the most current version. And don’t forget that once you submit for renewal, the regulator must receive any documents that must be submitted via mail or upload within 5 days of that submission.

After you have become familiar with the due dates, the next step is to consider these questions:

1. Is your NMLS record up to date, including material changes?

a. Executive Officers

b. Qualified Individuals

c. Physical Addresses

d. Email Addresses

e. Updates to required internal documents

2. Are your licenses eligible for renewal?

3. Have you cleared outstanding license items?

4. Have your MU2s verified that their records are up to date?

5. Some states may require Criminal Background Checks for each control person, which means confirming whether the existing fingerprints have expired. You can check the individual NMLS record for the expiration dates, or you can request a report in NMLS titled “Criminal Background Check Compliance (Company)” which will list all control persons and their fingerprint expiration dates.

6. Have the required Advance Change Notices (ACN) been filed in NMLS and the subsequent regulatory approval received for any applicable material changes?

a. Many states have a deadline of between 60 and 90 days for notification of changes.

7. Plan ahead for information you need to request from other departments in your organization.


8. Have you verified the following, if applicable? Please note that this is not an all-inclusive list of items. Additional items will be on the updated renewal checklists.

a. Audited financial statements uploaded to NMLS.

b. Latest quarterly financial statements uploaded to NMLS.

c. Surety Bond coverage, to determine proper coverage or riders to reflect changes in addresses, etc.

d. Are there any changes to your answers for the disclosure questions? If so, do you have the required documentation that may be requested?

Here are some important reminders to help you through this busy season:

1. You have 5 days to provide information and/or forms to the regulators after you have submitted the renewal

2. Promptly attest to your filings

3. Check your email or the NMLS site daily for NMLS and/or regulator notifications

4. Respond to regulators quickly

5. Monitor active license items in your NMLS record

6. NMLS will assess annual processing fees which must be paid before they will approve your renewal

7. Maintain notes of concerns/issues, etc. to remember for the next renewal season

RENEWALS OUTSIDE OF NMLS

Each state outside of NMLS has its own method and requirements for renewing its money transmitter license. It is important to know these ahead of time and to follow up if your licensing department has not received any communication. Since renewals are processed over the seasonal holidays in November and December, some items to consider for those states outside of NMLS are:

1. Are Executive Officer signatures required? Is the signatory out of office during the holidays? Do you have an available notary?

2. What is the payment request procedure? Do you need extra time for check requests?

3. Are there additional documents that need to be attested or signed?

4. Are there any internal documents that need updating?

5. Have all material changes been reported per the state require-ment?

6. Does the state have the correct email address and/or contact information of the licensing department?

7. Are all reports filed and registrations up to date?

License renewal season is a very busy time for state regulators as well as money transmitter licensees. Planning and prepara-tion are the keys to a successful renewal. Please keep in mind that your license renewals and/or approvals may be delayed due to the sheer volume of renewals in process at the end of the cal-endar year.

Melody Loudin brings over 17 years of experience in regulatory compliance, beginning her career in federal grant acquisition, program compliance and exam management. As a Sr. Compliance Specialist with two of the largest non-bank mortgage servicers in the U.S., she has helped to enhance and maintain compliance programs as well as manage entity, branch, and individual licensing for Mortgage Services, Consumer Lending, Consumer Debt Collection, Auction and Property Preservation. For more information, please contact Melody at [email protected].


INTERVIEW WITH

Bryan Keltner, Co-Founder at SynapseFI
By Richard Davis

Please tell us a bit about SynapseFI and its services.

BK: SynapseFI offers a full stack wholesale banking solution. Financial technology companies can have better access to the banking infrastructure. More specifically, the ability to open and leverage almost any financial product using highly-available APIs and automated compliance suggestions. This allows them to focus more on their primary business.

Partner banks get to review and work with some of the best-in-class Fintechs to grow their numbers in transactions, customer accounts, and deposits. They also get access to our software, which is a great set of review and reporting tools to make life simpler.

Describe what you like most about your current position.

BK: I’m constantly working on something new with the most driven people I’ve ever met, trying to establish better standards for banking and financial inclusion using technology. The whole thing is perfect.

How do you see the company changing in the next two years, and how do you see yourself being a part of that change?

BK: We are providing access to more and more financial products that were previously only available in, or directly through, a bank. There are always challenges improving, automating, and building those traditional services into APIs that fintech companies can consume at a rapid rate. You have to have software that can handle such a fast pace and mitigate compliance and risk flags to effectively offer a product such as that.

I focus directly on compliance, audits, and deposit operations. That, coupled with the ever-changing regulatory environments and new challenges expanding service offerings to locations outside the United States, would be how the core service offerings steadily change over the next couple of years.

What is the biggest challenge you or the company is facing right now?

BK: It’s a challenge to work with legacy software or third-party providers. Speed to market is important, but long term it’s hard to convince another company to make improvements you see are needed on software they control.

As years passed we internally built more and more of the ancillary software in the core products offered. Removing those dependencies allowed us to make much-needed improvements, which led to higher satisfaction in our products by us and our clients.

As time goes on I think we will continue that process. It may not be the biggest challenge but it’s a frequently recurring issue when refining each new product.

The best piece of advice that you have ever received?

BK: When you are learning anything new, it’s easy to iterate on what you built when you went through the process. But starting from scratch and redoing the work again and again helps refine the outcome and the learning process. A good friend showed me that as advice and I have found it extremely helpful and applicable to almost anything.

Did you ever have a nickname?

BK: No, everyone has always called me by my name.

What was your favorite age?

BK: Well, right now I’m 29 and holding. I’ll try to stay that for as long as I can.

If given a chance, who would you like to be for a day?

BK: A day is so short! I’m not sure I can think of anybody to be for just a day.

What did you want to be when growing up?

BK: Haha, I am sure that answer changed almost daily while I was growing up. When I was 13-15 and on, I really started to take a liking to computers. I was always trying to figure out different pieces of the software, what it controlled (breaking it), and how it worked (eventually fixing it). Around that age and on I remember knowing I wanted to work on something related to software. I don’t remember if it was anything more specific at that age.

What’s the weirdest thing you’ve ever eaten?

BK: I remember this one time Sankaet Pathak (CEO) and I went to a BBVA|Propel Ventures dinner. They had flown in five-star chefs from Spain and there were some pretty interesting items I ate that night. Octopus, chicken liver, beef kidneys. That aside, I’ll pretty much just order the same thing at every restaurant: a salad, chicken or steak.


Digital Identities: How They Help with Compliance and Risk Management
By Neil Reiter, Product Manager at IdentityMind

Digital identities have been gaining traction over the last few years as their compliance and risk applications become known.

What is a digital identity exactly?

A digital identity is a construct that combines online and real-world information to build a better understanding of a customer. This includes collecting attributes such as:

▶ Physical data: name, address, email, phone, date of birth, Social Security Number

▶ Biometric data: selfie, video

▶ Digital data: payment instrument, IP geolocation, device fingerprint

Data breaches mean that no single attribute can be taken at face value. Turning attributes into an identity and analyzing them provides an accurate way to understand whether or not you can trust them. Link Analysis is then applied to look at the relationships between attributes and identities, and plays a key part in understanding how risky or trustworthy they are. This is the basis of a digital identity.

Real-time digital identities are fundamental to trust and allow organizations to react appropriately. For instance, because digital identities surface good customers as well as bad ones, an orga-nization can proactively create services and experiences tailored for the trustworthy customers, while presenting a rough-road for high risk customers or transactions.

KYC

Digital identities can be used to ensure faster and better customer onboarding. Customer information (address, email, phone, government ID) is validated individually, but also in relation to each other, and as a whole. This approach to authentication helps detect synthetic identities, whereby a criminal mixes real information from different people and presents it as belonging to a single applicant. Digital identities check whether the valid email address presented is actually linked to this valid credit card, or whether a billing address has been used in multiple unconnected purchase attempts.

Companies are also obliged to check that they are not onboarding anyone on a sanctions or PEP list. Digital identities can distinguish between thousands of individuals sharing the same name, as each identity is an aggregation of that individual’s unique web of associated attributes. This is valuable when scanning lists, which are full of common names, and yields more accurate matches. Individuals who are affiliated or linked to known terrorists or sanctioned entities can also be flagged through link analysis.

To take a more subtle example, a business you are offering services to may be legitimate, but be owned by an individual with a fraudulent past. If you decide to onboard such a merchant, you would know to adjust their risk rating, amend reserve amounts, or limit the processing volume you allow.

Fraud Prevention

Taking a snapshot of the customer when they first come through your doors is only part of the picture. Digital identity captures their actions and behaviors afterwards as well.

Businesses and financial institutions are constantly serving as unwitting testing grounds for fraudsters and fraud rings. Digital identities provide:

▶ A continuity check: If the customer is behaving completely differently from the initial KYC data (IP address, device, behavior, time zone), shouldn’t that raise a red flag? Especially if some of the new information is associated with other customers or bad actors? Account takeover is often preventable if there is timely data monitoring.


▶ Connections: Fraud rings can threaten the viability of channels, businesses, or entire industries. Digital identities look at the entities involved in a transaction, as well as who has been connected to them, providing visibility into the entire fraud ring and allowing bad customers to be added to blacklists and watchlists.

▶ Streamline operations: Rather than rejecting or manually reviewing large batches of customers, a system built on digital identities sets the good users aside, leaving analysts to detect fraud effectively, regardless of payment types, product lines, or geographies.
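As an added example, not IdentityMind’s code or a description of its product, the following Python sketches the two mechanisms the KYC and Fraud Prevention sections describe: link analysis over identity attributes (shared phone, SSN or device fingerprint across applicants with different names, collapsed into candidate fraud rings), and a continuity check that compares a later session with the KYC snapshot and escalates when the new device is already tied to another identity or to a blacklist. The applicant records, the attribute weights and the allow / step-up / hold policy are constructed assumptions for illustration only.

```python
from collections import defaultdict

# Constructed sample onboarding records (not real data). u1, u2 and u3 share a
# phone and/or device fingerprint across different names, the pattern the text
# calls a synthetic identity or fraud ring; u4 shares nothing with anyone.
APPLICANTS = [
    {"id": "u1", "name": "Ana Ruiz",  "email": "ana@example.com",  "phone": "+1-555-0101",
     "ssn": "000-00-0001", "device": "dev-aaa", "ip_country": "US", "tz": "America/Chicago"},
    {"id": "u2", "name": "Ben Ortiz", "email": "ben@example.com",  "phone": "+1-555-0101",
     "ssn": "000-00-0002", "device": "dev-aaa", "ip_country": "US", "tz": "America/Chicago"},
    {"id": "u3", "name": "Cara Ng",   "email": "cara@example.com", "phone": "+1-555-0103",
     "ssn": "000-00-0003", "device": "dev-aaa", "ip_country": "US", "tz": "America/Denver"},
    {"id": "u4", "name": "Dev Shah",  "email": "dev@example.com",  "phone": "+1-555-0104",
     "ssn": "000-00-0004", "device": "dev-ddd", "ip_country": "US", "tz": "America/New_York"},
]

# Attributes that normally belong to exactly one person; sharing one is a link.
LINK_KEYS = ("email", "phone", "ssn", "device")
# Assumed weights: a shared SSN or device is stronger evidence than a shared email.
LINK_WEIGHTS = {"ssn": 5, "device": 3, "phone": 2, "email": 1}


def build_index(applicants):
    """Invert the records: (attribute, value) -> set of identity ids that presented it."""
    index = defaultdict(set)
    for rec in applicants:
        for key in LINK_KEYS:
            if rec.get(key):
                index[(key, rec[key])].add(rec["id"])
    return index


def shared_attributes(identity_id, applicants):
    """Attributes this identity shares with others: {attribute: sorted other ids}."""
    links = {}
    for (key, _value), ids in build_index(applicants).items():
        if identity_id in ids and len(ids) > 1:
            links[key] = sorted(ids - {identity_id})
    return links


def link_score(identity_id, applicants):
    """Weighted count of shared attributes; higher means less trustworthy."""
    return sum(LINK_WEIGHTS[k] * len(v)
               for k, v in shared_attributes(identity_id, applicants).items())


def ring_components(applicants):
    """Connected components over shared attributes (union-find). A component of
    more than one identity is a candidate ring, visible as a whole rather than
    one applicant at a time."""
    parent = {rec["id"]: rec["id"] for rec in applicants}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving
            x = parent[x]
        return x

    for ids in build_index(applicants).values():
        first, *rest = sorted(ids)
        for other in rest:
            parent[find(other)] = find(first)
    groups = defaultdict(list)
    for ident in parent:
        groups[find(ident)].append(ident)
    return sorted(sorted(g) for g in groups.values() if len(g) > 1)


def continuity_check(baseline, session, applicants, device_blacklist=frozenset()):
    """Compare a later session with the KYC snapshot. Drift alone asks for
    step-up authentication; drift onto a device already tied to another
    identity, or to a blacklist, holds the session for review (possible ATO)."""
    flags = []
    for key in ("device", "ip_country", "tz"):
        if session.get(key) != baseline.get(key):
            flags.append(f"{key} changed: {baseline.get(key)} -> {session.get(key)}")
    linked = False
    device = session.get("device")
    if device and device != baseline.get("device"):
        others = build_index(applicants).get(("device", device), set()) - {baseline["id"]}
        if others:
            flags.append(f"device {device} already linked to {sorted(others)}")
            linked = True
        if device in device_blacklist:
            flags.append(f"device {device} is blacklisted")
            linked = True
    action = "hold" if linked else ("step_up" if flags else "allow")
    return action, flags


if __name__ == "__main__":
    print("rings:", ring_components(APPLICANTS))
    for rec in APPLICANTS:
        print(rec["id"], link_score(rec["id"], APPLICANTS), shared_attributes(rec["id"], APPLICANTS))
    clean = APPLICANTS[3]
    print(continuity_check(clean, {**clean, "device": "dev-aaa", "ip_country": "RO"}, APPLICANTS))
```

Running the script flags u1, u2 and u3 as one component while u4 scores zero; a later u4 session from the ring’s device is held for review rather than merely stepped up, because the drift is linked to other identities, which is the distinction the continuity-check bullet above draws.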

Transaction Monitoring

KYC is only one piece of AML. Monitoring customers’ transactions over time is also critical, and digital identities help. Specifically, they enable financial institutions to better segment customers based on their behavior over time, building on what they present upon sign-up. By defining profiles based on transaction patterns, you can set rules and alerts appropriate to each type of customer, so that each alert is more meaningful and easier to investigate.

A customer who has transacted within their expected bounds for years can be treated as inherently less risky, with increasing levels of scrutiny being applied to customers without the same track record.
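As an added illustration of the profile-based rules described above (again not the product’s own code), the Python below builds a baseline from each customer’s own history and applies a tolerance band that widens with tenure, so a customer with a long, unremarkable track record is held to a looser amount threshold than one onboarded last month. The histories, the sigma schedule in `sigma_for`, the velocity rule and the floor on the standard deviation are assumptions constructed for the example, not figures from the article.

```python
"""Behavioral baseline transaction monitoring (illustrative example)."""
from datetime import date, timedelta
from statistics import mean, pstdev


def build_profile(history, today):
    """Summarize one customer's history into a baseline.

    history: list of (date, amount) tuples for that customer.
    today:   date used to compute tenure.
    """
    amounts = [amt for _, amt in history]
    first_seen = min(d for d, _ in history)
    tenure_days = (today - first_seen).days + 1
    return {
        "mean": mean(amounts),
        "stdev": pstdev(amounts),
        "per_day": len(history) / tenure_days,   # average daily transaction count
        "tenure_days": tenure_days,
    }


def sigma_for(profile):
    """Width of the tolerance band, in standard deviations, by tenure.
    Established customers get a wider band; newer ones get tighter scrutiny (assumed schedule)."""
    if profile["tenure_days"] >= 365:
        return 3.0
    if profile["tenure_days"] >= 90:
        return 2.5
    return 2.0


def evaluate(profile, amount, today_count):
    """Alert reasons for a new transaction of `amount`, given `today_count`
    transactions already seen today (including this one)."""
    reasons = []
    # Floor the spread at 10% of the mean so a perfectly regular history does
    # not produce a zero-width band that alerts on every cent of variation.
    spread = max(profile["stdev"], 0.1 * profile["mean"])
    if amount > profile["mean"] + sigma_for(profile) * spread:
        reasons.append("amount_outlier")
    # Velocity: more than five times the usual daily count, never fewer than three.
    if today_count > max(3, round(profile["per_day"] * 5)):
        reasons.append("velocity")
    return reasons


# Constructed sample histories: one weekly payment alternating 450 / 550,
# which gives a mean of 500 and a population standard deviation of 50.
TODAY = date(2018, 9, 1)


def weekly_history(weeks, start):
    return [(start + timedelta(weeks=i), 450.0 if i % 2 == 0 else 550.0) for i in range(weeks)]


ESTABLISHED = build_profile(weekly_history(104, TODAY - timedelta(weeks=104)), TODAY)
NEW = build_profile(weekly_history(4, TODAY - timedelta(weeks=4)), TODAY)

if __name__ == "__main__":
    for label, profile in (("established", ESTABLISHED), ("new", NEW)):
        print(label, "band =", sigma_for(profile), "alerts for 620:", evaluate(profile, 620.0, 1))
    print("established, 5000 as 4th txn today:", evaluate(ESTABLISHED, 5000.0, 4))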

Conclusion

The more financial institutions know about their customers, the better-informed their compliance and risk processes can be, and the better they can be translated into stronger customer experiences. That customer knowledge needs to evolve over time, so that customers are always in the correct risk category and so that potentially compromised accounts are spotted before they can be used. Digital identities address these needs in the form of a reusable digital asset that grows in depth with each transaction and that can be applied in versatile ways across compliance and risk teams’ workflows.

Neal Reiter is a Product Manager at IdentityMind responsible for the Anti-Money Laundering (AML) and Fraud Prevention product offering. Prior to IdentityMind, Neal led the San Francisco operations of Booz Allen Hamilton’s financial crimes team. While at Booz Allen, Neal supported global financial institutions and multinational corporations with regulatory compliance issues specifically related to AML. IdentityMind provides a SaaS platform that builds, maintains and analyzes digital identities worldwide, allowing companies to perform identity proofing, risk-based authentication, regulatory identification, and to detect and prevent identity fraud.


Look Back, How Did You Do on GDPR?
By Petra Hrachova

Is your company a US-based entity offering goods or services to customers or businesses in the EU and handling data of EU residents? If so, you should have already done the groundwork and are several months into implementing the new GDPR controls.

If you struggled with an interpretation of the basic definitions and coverage of the GDPR, you are not alone. There seems to be a variety of opinions on whether the citizen’s, resident’s or any EU individual’s personal data are covered under the GDPR. You will have a hard time deciding whose interpretation to side with when reviewing the Google search results. A great resource is the www.eugdpr.org website, albeit not an official EU Commission site, which states that the company is covered if it processes data about individuals in the context of selling goods or services to citizens in EU countries. The https://ec.europa.eu website, which is an official European Commission site, refers to processing of personal data relating to individuals in the EU. The www.gdpreu.org website refers to goods or services provided to EU residents or monitoring the behavior of EU residents. And what does the actual GDPR regulation say? The https://gdpr-info.eu Article 4 definition does not provide an answer and adds personal data of “data subject” as a terminology. Article 3, on territorial scope, is the more useful reference: it applies the regulation to processing of personal data of data subjects who are in the Union, without reference to citizenship. By limiting a GDPR covered data subject in your GDPR Risk Assessment or Policy to only an EU citizen, you may not be fully compliant and may miss requiring a GDPR consent from a citizen of a non-EU country residing in the EU. An example would be a US citizen with a US Tax Identification Number residing in the EU.

Let’s be honest, with the gaps in guidance on actual implementation, and the fact that not even legal counsels agree on the interpretation, companies have been searching for reliable sources to provide suggestions for how to comply. While it is understandable that the ability to validate content provided by a GDPR education source may have been limited, there is still time to review your new GDPR Policy for potential gaps in the data subject definition and to make changes to include EU residents whose personal data you may handle. If your interpretation of the GDPR is that it is only applicable to EU citizens, then make sure to document it thoroughly as it may become an important topic to defend should your rationale be challenged.

Another topic pointed out by the affected data subjects when GDPR went into effect relates to the data subject consent. According to the regulation, the controller should be able to demonstrate that the data subject has consented to the processing of his or her personal data. The consent should be presented using clear and plain language and in a manner which is clearly distinguishable from other matters. It is a fairly straightforward concept which resulted in an often very straightforward implementation. So much so that one could feel that the freely given consent is not free at all. I personally would compare signing the GDPR consent while residing in the EU to having to provide a mandatory immunization record just to get my kids into preschool. If you don’t sign it, you don’t get in or have access. According to https://techcrunch.com, complaints have been filed against Facebook and Google related to the “take it or leave it” stance they have taken when it comes to consent. Sometimes an electronic consent provides options to manage the use of personal data or sharing choices. However, some do not and it is up to the data subject to find what their user rights are and how to invoke them. Don’t forget about restrictions on the ability of children to consent to data processing without parental authorization. Double check that the consent is free and follows the GDPR presentation rules.

And how about the designation of a Data Protection Officer (DPO)? Have you, as a controller or processor, concluded that your core activities consist of processing operations which, by their nature, their scope and/or their purposes, require regular and systematic monitoring of data subjects on a large scale or that there are special categories requiring a designation of a DPO? If so, the DPO can be a current employee, new hire or externally outsourced resource. Keep in mind that while outsourcing may be tempting, the DPO responsibilities require an intimate knowledge of the internal processing operations and an ongoing consideration of all risks. Details at this level may not be available to the outsourced resource. The DPO is responsible for education and training, and for conducting regular security audits to ensure that the data protection measures put in place are effective and adequate. The DPO is also a liaison between the company and Supervisory Authorities. Adding just one more hat to the many hats worn by compliance or risk managers is common with many companies. However, without the right professional qualities and expert knowledge of data protection law and practices, that approach will likely backfire.

While we could go on discussing pre- and post-implementation challenges, let’s briefly review the requirements and controls that by now should be effectively in place. The GDPR regulation has 11 chapters and 99 articles. I find that the easiest way to provide a high-level summary is to just follow the regulation as written.

The first two chapters are about the regulation’s general provisions, GDPR principles relating to the processing of personal data and conditions for consent, and the scope. The General provisions and principles provide content for your GDPR Policy statement and require lawfulness, fairness and transparency, purpose limitation, data minimization, accuracy, storage limitation, integrity and confidentiality, and accountability. Like all other Policy statements, the GDPR Policy should have been approved by the Board of Directors and included in your list of Policies presented for an annual review and re-approval.

Chapter 3 includes The Rights of data subjects, which should be addressed in your procedures, including Transparency and modalities, Information and access to personal data, Rectification and erasure, Right to object and automated individual decision-making, and Restrictions. The Rights are the basis of the regulation and need to be clearly understood and addressed.

Chapter 4 provides the requirements for Controllers and processors including General obligations, Security of personal data including notification of a personal data breach to the supervisory authority and to the data subjects, Data protection impact assessment and prior consultation with a supervisory authority in certain high-risk situations, The requirements for a DPO, and Codes of conduct and certification. This is a very important Chapter to thoroughly review and understand.

Chapters 5, 6, and 7 cover Transfers of personal data to third countries or international organizations, Independent supervisory authorities, and Cooperation and consistency between the supervisory authorities.

Chapter 8 covers the important topic of remedies, liability and penalties. Are you wondering like the rest of us how the regulation will be enforced and how penalties will be administered to entities outside of the EU? It is not clear as we have yet to see an enforcement action. However, we already know that in relation to countries outside of the EU and international organizations, the Commission and supervisory authorities are required to take appropriate steps to provide international mutual assistance in the enforcement of legislation for the protection of personal data, including notification, complaint referral, investigative assistance and information exchange. It is more than likely that some type of agreement or mutual treaty will be introduced to enforce the GDPR outside the EU member states.

The last 3 chapters cover the provisions relating to specific processing situations (such as the processing of national identification numbers or processing in the context of employment), Delegated acts and implementing acts, and Final provisions of the regulation and its relationship with previous Directives and Agreements.

Your GDPR Risk Assessment should set the stage for the coverage and complexity of your GDPR Policy, internal procedures and training. There is still time to keep tweaking and working on improving your GDPR compliance program. The controversy over the GDPR EU legislation, which took years to become a law, is known but GDPR is here to stay and will continue to evolve. Don’t stop revisiting the subject just because the initial implementation fever is over. Keep your GDPR Risk Assessment current and keep an eye on the developments of the legislation and any additional guidance.

Petra Hrachova, CRCM, CAMS, Compliance Director has over 14 years of experience as a compliance, CRA, and Bank Secrecy Act officer at community banks and as a regulator. Prior to joining the Chartwell Compliance team as a senior compliance professional and training manager, Petra worked as a senior assistant bank examiner at the Federal Reserve Bank, routinely helping with supervisory activities for community and regional state member banks. Petra’s experience also includes starting a de novo bank, where she successfully created and managed compliance, BSA, and credit administration programs. In her compliance roles and as a member of the management teams, Petra developed an in-depth knowledge of all functional areas of banking. For more information, please contact Petra at [email protected].


Points to Ponder
Regulations & Rules + Interpretations & Applications

Treasury Releases Report on Nonbank Financials, Fintech, and Innovation

The U.S. Department of the Treasury released on 07/31/18 a report identifying improvements to the regulatory landscape that will better support nonbank financial institutions, embrace financial technology, and foster innovation. Treasury’s report identifies just over 80 recommendations that are designed to:

› Embrace the efficient and responsible use of consumer financial data and competitive technologies;

› Streamline the regulatory environment to foster innovation and avoid fragmentation;

› Modernize regulations for an array of financial products and activities; and

› Facilitate “regulatory sandboxes” to promote innovation.

OCC Begins Accepting National Bank Charter Applications From Financial Technology Companies

The Office of the Comptroller of the Currency (OCC) announced on 07/31/18 that it would begin accepting applications for national bank charters from nondepository financial technology (fintech) companies engaged in the business of banking.

› Every application will be evaluated on its unique facts and circumstances.

› Fintech companies that apply and qualify for, and receive, special purpose national bank charters will be supervised like similarly situated national banks, to include capital, liquidity, and financial inclusion commitments as appropriate. Fintech companies will be expected to submit an acceptable contingency plan to address significant financial stress that could threaten the viability of the bank. The plan would outline strategies for restoring the bank’s financial strength and options for selling, merging, or liquidating the bank in the event the recovery strategies are not effective.

› The expectations for promoting financial inclusion will depend on the company’s business model and the types of planned products, services, and activities.

› New fintech companies that become special purpose national banks will be subject to heightened supervision initially, similar to other de novo banks.

› The OCC has the authority, expertise, processes, procedures, and resources necessary to supervise fintech companies that become national banks and to unwind a fintech company that becomes a national bank in the event that it fails.

› The OCC’s charter review process is comprehensive and takes into account all aspects of the applicant’s individual business model, governance structure, and risk profile. The OCC seeks to make a decision on a complete and accurate application within 120 days after receipt or as soon as possible thereafter. The OCC’s review of a special purpose charter application, however, may require additional time and scrutiny.

FATF issues professional money laundering report

On July 26, 2018, the Financial Action Task Force (FATF) issued a report that looks at the techniques and tools used by professional money launderers, to help countries identify and dismantle them. Professional money launderers use a variety of money laundering tools and techniques such as trade-based money laundering, account management mechanisms and underground banking and alternative banking platforms. The report uses case studies identifying a range of different money laundering organizations and networks, from money transport and cash controller networks to proxy networks.

The Financial Action Task Force (FATF) report on Sweden

On July 25, 2018, FATF released a report on Sweden’s progress in strengthening its measures to tackle money laundering and terrorist financing. This report analyzes Sweden’s progress in addressing the technical compliance deficiencies identified in the mutual evaluation report. The FATF has re-rated the country on 10 of the 40 Recommendations and moved the country from enhanced to regular follow-up.

North Korea Sanctions & Enforcement Actions Advisory

On July 23, 2018 the U.S. Department of State, with the U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) and the U.S. Department of Homeland Security’s (DHS) Customs and Border Protection (CBP) and Immigration and Customs Enforcement (ICE), issued an advisory to highlight sanctions evasion tactics used by North Korea that could expose businesses – including manufacturers, buyers, and service providers – to sanctions compliance risks under U.S. and/or United Nations sanctions authorities. Businesses should closely examine their entire supply chain(s) for North Korean laborers and goods, services, or technology, and adopt appropriate due diligence best practices.

Deutsche Bank to Pay Nearly $75 Million for abuses involving pre-released ADRs

On July 20, 2018, the Securities and Exchange Commission announced that two U.S.-based subsidiaries of Deutsche Bank AG will pay nearly $75 million to settle charges of improper handling of “pre-released” American Depositary Receipts (ADRs).

TCF National Bank under enforcement

On July 20, 2018, the CFPB filed in federal district court a proposed settlement with TCF National Bank regarding its marketing and sale of overdraft services. Banks must first obtain a consumer’s consent before they can lawfully charge overdraft fees on one-time debit purchases and ATM withdrawals. The CFPB alleged in its lawsuit that, when attempting to obtain this consent, TCF obscured the fees it charged and made consenting to overdraft fees seem mandatory for new customers to open an account. TCF agreed to pay $25 million in restitution to customers who were charged overdraft fees and has agreed to an injunction to prevent future violations.


Disclaimer: For informational purposes only and not to be relied upon as legal advice.


Chartwell Compliance Shows You the Way

Chartwell Compliance offers all-in-one integrated regulatory compliance and risk management consulting, testing, audit and examinations, and outsourcing services. We serve bank and non-bank financial service providers that are striving to do business successfully in the midst of unprecedented regulatory upheaval.

Chartwell Compliance is attuned to emerging trends, new regulations and rules, and issues relating to the financial services industry. Our consultants treat every client as critically important; that commitment, together with high service delivery standards and a smaller firm’s pricing, allows Chartwell to deliver a value unmatched in the marketplace.

The people of Chartwell have a practical, real-world understanding of regulatory compliance, enterprise risk management, and financial crimes. Chartwell consultants have gained their real-world understanding through numerous years of work as regulators, law enforcement officials, and operators in the financial industry. This allows us to translate compliance in practical ways, helping our clients maintain fee revenue, lower operating costs, and proactively anticipate the desires and requirements of a diverse range of agencies and regulators in charge of supervising financial institutions.

Chartwell Compliance, as an all-in-one consulting firm, allows our clients to avoid the burden of managing multiple vendor relationships, making it possible for our clients to realize economies of scale. In addition, our clients gain further value from having a partner with experience and expertise encompassing compliance, risk, and corporate planning. Our consultants are passionate about their areas of expertise and equally comfortable as testers, trainers, or mentors to our clients.

One state regulator with a reputation for strictness attested to the conscientiousness and efficiency of the Chartwell Compliance team by stating: “I would also like to take this opportunity to say thank you so much for submitting such a complete and thorough application. It is extremely rare (it has actually only happened one other time in the history of our division regulating money transmitters) that we receive an application that does not require us to ask the applicant for additional information!”

“I’m glad I made the decision of getting the services of Chartwell Compliance. Knowledgeable, open to questions or concerns and more than willing to go the extra mile. I should have hired them long ago.”

NYC Credit & Funding, Inc


Value Propositions

One of the best AML, CFT, financial crimes and state license consultancies in the world

One of North America’s best MSB and emerging payments compliance consulting firms

Very well-rounded practitioner experience

Nimble, specialized and affordable

Significantly lower cost, more services, and more practitioner experience

Entrepreneurial and highly responsive

End-to-end services and outsourcing

Free distribution of quarterly technical publication, Chartwell Compass

Strong human and software project administration backbone to keep on time and on budget.

Consultants

Our team is cross-certified in regulatory compliance, anti-money laundering, testing, information technology and security, and fraud. The diversified experience of our consultants provides our clients with access to experienced examiners, operators, and regulatory policy makers in both the banking and non-banking segments of the financial services market, including some of the most talented and seasoned professionals in emerging payments compliance. This vast, multi-disciplinary experience allows us to help our clients design and implement compliance and risk management programs and practices properly calibrated to address both the current and prospective regulatory environment in an effective manner. As a result, our clients’ products and services can be launched more quickly and remain appropriately priced, usable, compliant, and of high value to end users.

Our group includes some of the industry’s foremost authorities on regulatory compliance, information security, licensing, and fraud such as:

▶ Average of 20 years of experience per professional

▶ Former executives and managers from MSBs such as Western Union, First Data, Sigue, and Microfinance International

▶ Former senior compliance and risk managers for state and nationally chartered banks

▶ Former Chief of the Federal Bureau of Investigation’s Financial Crimes and Terrorist Financing Sections

▶ Former Office of the Comptroller of the Currency (OCC) Assistant Director of Enforcement

▶ Certified AML (CAMS) and regulatory compliance manager certifications (CRCM), PMP

▶ Extensive experience working in or with start-ups

▶ Long-standing relationships between many team members


Services

REGULATORY COMPLIANCE Chartwell Compliance provides consulting across nearly the entire range of rules and regulations affecting bank and non-bank financial institutions. Our regulatory subject matter expertise includes but is not limited to: Enforcement action solutions; Bank Secrecy Act (“BSA”); Office of Foreign Assets Control (“OFAC”); Loan Compliance (commercial, consumer, real estate); Deposit Compliance; Home Mortgage Disclosure Act (“HMDA”); Secure and Fair Enforcement for Mortgage Licensing Act (“SAFE”); Unfair, Deceptive or Abusive Acts or Practices (“UDAAP”); social media; capital requirements; Community Reinvestment Act (“CRA”); state and federal regulations for money services businesses, stored value, and payment systems.

BSA/OFAC, AML, FRAUD & CORRUPTION Chartwell Compliance brings together some of the country’s most prominent authorities in Anti-Money Laundering and Combating the Financing of Terrorism (“AML/CFT”), financial crimes and fraud prevention. Chartwell Compliance’s proficiencies include: Counter terrorism financing; anti-money laundering; asset forfeiture and recovery; fraud prevention (corporate and mortgage); Foreign Corrupt Practices Act and the UK Bribery Act; forensic accounting; foreign government advisory on AML/CFT regulatory regimes. Chartwell Compliance provides a wide variety of related services including: Training and seminars; enforcement action solutions; comprehensive look back reviews; policy and procedure development; independent reviews; risk assessments; investigations and due diligence; expert witness services; and non-legal opinions.

STATE MONEY SERVICES BUSINESS LICENSING Chartwell Compliance assists money services businesses such as prepaid access providers, currency exchangers, check-cashing companies, e-wallet service providers, and mobile technology companies in applying for and maintaining state licensure requirements. We offer first-hand experience, reasonable non-legal pricing and additional value in being able to assist clients with related areas such as AML compliance and corporate planning. Chartwell Compliance provides services tailored to fit the specific needs of each MSB including: preparation and submission of state license applications; FinCEN/FINTRAC registrations; administration of existing state license portfolios including renewals, periodic reporting, and other requirements; assistance with state regulatory exams and related remedial work; and non-legal regulatory opinion relative to licensing and regulatory requirements.

DUE DILIGENCE AND INVESTIGATIONS The team of former senior law enforcement and regulatory officials and private sector executives of Chartwell Compliance permits Chartwell to undertake due diligence and investigation activities in a range of areas in the U.S. and overseas. We also offer assistance to institutional investors and other companies conducting corporate due diligence on investment, merger, and acquisition targets.

OPERATIONS & GOVERNANCE Many Chartwell Compliance consultants have experience in corporate operations, planning and leadership. Chartwell Compliance provides consulting services in all of these areas, as well as providing clients with services such as: Assessments and recommendations; enterprise wide risk assessments; key indicator dashboards; policies and procedures; employee training; board of directors training, and other services.


Strategic Alliances

Chartwell Compliance welcomes relationships that deepen the value provided to our mutual customers. In particular, Chartwell Compliance has a select number of strategic partnerships with leading service and software providers in the financial sector seeking a trusted source for referrals, thought leadership and feedback on new products from the perspective of regulators, law enforcement officials and former practitioners. Some of our alliances include:

• Fiserv, Inc. (NASDAQ: FISV) is the leading global provider of information management and electronic commerce systems for the financial services industry.

• Bankers’ Bank of the West provides high-quality products and services as well as deep industry expertise to more than 300 community bank clients in the western states and Great Plains region.

• Thomson Reuters is the world’s leading source of intelligent information for businesses and professionals.

• With its finger on the pulse of the financial services, real estate and IT industries, OnCourse Learning provides best-in-class education and compliance solutions that help people get started and succeed in their chosen professions.

• Consistently ranked as number one in the space, NICE Actimize experts apply innovative technology to protect institutions and safeguard consumers and investors assets by identifying financial crime, preventing fraud and providing regulatory compliance.

• First Manhattan Consulting Group provides strategy, risk management, and marketing services to financial institutions across the globe.

Resellers

Owned by Reed Elsevier, Accuity is part of BankersAccuity, the global standard for payment efficiency and compliance solutions. Accuity is a leading provider of global payment routing data, AML screening data and software and professional services that allow organizations, across multiple industries, to maximize efficiency and facilitate compliance of their transactions. Accuity maintains authoritative and comprehensive databases globally with a reputation built on the accuracy and quality of our data, products and services.

Chartwell Compliance has been named a #MoxieAwardDC finalist for being bold in business! The Moxie Award program honors the accomplishments and achievements of growing businesses, nonprofits and associations in the DC metro community. Organizations are recognized for having demonstrated boldness and innovation as an integral part of their growth strategy. These outstanding organizations not only help make the DC metro area a great place to do business, but also an incredible place to live, thrive and play.

Chartwell 2018 Retreat Washington D.C.

A full two days in D.C. at the beautiful Gaylord Hotel was packed with activities which included team building, introspective exercises, the Space Museum, a hike through the Great Falls National Park and an afternoon picnic.


6701 Democracy Blvd. Suite 300, Bethesda, MD 20817 | 800.541.6744 | chartwellcompliance.com |

Chartwell Compass is intended to provide education and general information on regulatory compliance, reasonable management practices and corresponding legal issues. This publication does not attempt to offer solutions to individual problems and the content is not offered as legal advice.

Questions concerning individual legal issues should be addressed to the attorney of your choice.

Request your complimentary digital subscription of the Chartwell Compass today!

[email protected]

Start receiving the latest on financial institution regulatory compliance, financial crime prevention, and risk management issues.

Chartwell grants permission to all subscribers to freely distribute this publication.

Awards & Honors

Chartwell has been recognized not only for its superior services and dedication to client relationships but also for its commitment to investing in and developing a unique workplace. The backbone of Chartwell’s success is its expert team, which truly embodies the Chartwell brand.

CHARTWELL COMPASS | MAY 2017

Developing Terrorist Financing Typologies for AML Programs By Dennis M. Lormel, CAMS

Developing terrorist financing typologies for anti-money laundering (AML) programs requires understanding. You must understand the terrorist threat environment, emerging terrorist trends, the funding flows terrorists rely on to sustain their operations, and your institutional risk of being used to facilitate terrorist funding flows. When you understand these dimensions and place them in context with each other, you should be positioned to develop viable terrorist financing typologies. This can be a daunting challenge because there are no silver bullets or smoking guns. In addition, the challenge of identifying terrorist financing is exacerbated by the breadth of the terrorist landscape in terms of funding sources, funding streams, and use of funds.

It is possible to identify terrorist financing preemptively, but it is unlikely until after a terrorist event takes place. We normally identify terrorist financing reactively, after the fact, through negative news. Our challenge is to improve the likelihood, and thereby increase the probability, of identifying suspicious activity before that activity evolves into a terrorist event. Increasing the probability of identifying terrorist financing begins with building a foundation through understanding the four dimensions articulated above: the threat environment, emerging trends, funding flows, and institutional risk. By assessing each element and placing them in context with each other in a matrix, analytical report, or assessment, you can take more generic risk indicators or red flags and make them more specific to your institutional risk. There are numerous reference guides listing terrorist financing red flags and typologies on a broad or generic level. Taking those broad typologies and assessing them against your institution's risks will lead to more focused and institution-specific red flags and risk vulnerabilities.

In the U.S., a good example of red flag guidance is contained in the Federal Financial Institutions Examination Council (FFIEC) Bank Secrecy Act/AML Examination Manual. Appendix F of the FFIEC Examination Manual lists money laundering and terrorist financing red flags; the terrorist financing red flags are listed on page F-9. On a regional and global level, the Financial Action Task Force (FATF) has published numerous terrorist financing typologies reports that offer meaningful guidance for identifying terrorist financing. In addition, national financial intelligence units, such as the Financial Crimes Enforcement Network (FinCEN) in the U.S. and the Financial Transactions and Reports Analysis Centre of Canada (FINTRAC), provide valuable information regarding terrorist financing. Another excellent source for building terrorist financing typologies is law enforcement charging documents, such as criminal information, indictments, arrest and search warrants, and plea agreements. These charging documents usually contain an affidavit with a statement of facts, which sets forth the scheme or scenario used, including the money laundering involved. In addition to these sources, numerous publicly accessible online websites, think tanks, private intelligence services (some being subscription services), and other government or private sector sources provide research guidance.

In developing your institution-specific terrorist financing typologies, it is important to be forward thinking, adaptable, attentive, and innovative. You must be forward thinking and adaptable regarding the threat environment and emerging trends. You must be attentive to visualizing funding flows and minimizing false positives. You must be innovative in developing your monitoring and analytical capabilities to mitigate your institutional risk.

As a somber reminder, there is no easy answer or monitoring tool to readily identify terrorist financing. It takes commitment, understanding, and visualization. First, you have to make a commitment to build adequate capacity. Second, you must understand the problems and challenges. Third, you must visualize the flow of funds from the point of origin to the point of distribution or intended distribution.


A PUBLICATION OF CHARTWELL COMPLIANCE | CHARTWELLCOMPLIANCE.COM MAY 2017

2 Monitoring & Reporting: Back to Basics By Omar Magana, CAMS

5 Developing Terrorist Financing Typologies for AML Programs By Dennis M. Lormel, CAMS

10 LegReg Report: Federal and State Legislative and Regulatory Updates

12 The 10 Step Money Transmitter License Application By Trish Lagodzinski

15 Interview with Garrett Gafke, President and Chief Executive Officer, IdentityMind By Dawn R. Vignola, M.A., Ph.D.

18 FFIEC Issues Joint Report to Congress By Jason Noto, Esq., and Dawn Vignola

21 NMLS Regulatory Updates

24 Points to Ponder

26 Representative Engagements

28 Compliance Beacon Q&A

29 About Chartwell Compliance

Editorial Staff

Daniel A. Weiss, President and CEO [email protected]

Dawn Vignola, Managing Editor [email protected]

Melissa Padgett, Editorial Staff [email protected]

Chartwell Compliance provides a one-stop shop of consulting, testing and outsourcing services in the areas of regulatory compliance, state MSB licensing, financial crimes prevention and enterprise risk management.

Gettysburg Leadership Training

Kaizen training in Japan