© 2015 Association of Certified Fraud Examiners, Inc.

Fraud-Related Compliance

Areas of Compliance, Part 2:

Industry-Specific and International Regulations

Industry-Specific Compliance

Many industries have laws tailored for them, in addition to standard regulations.

Specific regulations usually apply in high-risk industries with important rights to protect.

• Financial institutions (a broadening classification)
• Health care providers

Consider: Does your employer contract with any businesses in such industries?

Anti-Fraud Compliance in Financial Institutions

Regulator focus:

• Combat money laundering.
• Prevent financial institution fraud.

Core regulations:

• Bank Secrecy Act
• PATRIOT Act
• Red Flags Rules

Bank Secrecy Act

Aimed at preventing money laundering by requiring financial institutions to keep certain records and report large or unusual transactions.

Two major parts:

• Title I—Financial Recordkeeping
• Title II—Reports of Currency and Foreign Transactions

Bank Secrecy Act—Recordkeeping

Regulates financial institutions, defined broadly (e.g., banks, lenders, insurers, securities brokers, car dealerships, casinos).

Requires records to be kept for five years:

• Transfers of more than $10,000 outside the United States
• Extensions of credit of more than $10,000
• Account statements, signature cards
• Purchases of instruments worth $3,000 or more
• Checks and deposits in excess of $100

Bank Secrecy Act—Reporting

Certain financial institutions must file reports for various transactions.

• Currency Transaction Reports for currency transactions of $10,000 or more
• Suspicious Activity Reports for transactions with known or suspected criminal activity
• Reports of International Transportation of Currency or Monetary Instruments for any transfer of $10,000 or more into or out of the United States

PATRIOT Act

Passed in 2001, primarily to combat funding for terrorism and other illicit activities.

Beyond data monitoring, it provides additional regulations and requires programs to prevent money laundering.

PATRIOT Act—Money Laundering Provisions

• Requires all financial institutions to establish anti-money laundering (AML) programs.
• Prohibits shell banks from having accounts in U.S. financial institutions.
• Institutes due diligence procedures to detect and report money laundering in non-U.S. citizen accounts.
• Requires any trade or business to report to FinCEN upon receipt of over $10,000 in currency.
• Makes bulk smuggling of cash over $10,000 a criminal offense.

PATRIOT Act—AML Programs

Applies to a broad definition of financial institutions (from banks to jewelry dealers).

Minimum requirements of an AML program:

• Internal controls tailored to preventing money laundering
• Designating a money laundering compliance officer
• Ongoing employee training
• Supporting an independent audit function to test the program

Elements of an AML Program

Policies and procedures:

• Identify high-risk areas.
• Select individuals responsible for compliance; get the board of directors to approve an AML officer.
• Have policies to meet each regulatory requirement.

Controls:

• Segregation of duties
• Monitoring system for timely detection of suspicious activity
• Gearing training for key personnel toward anti-money laundering

PATRIOT Act—Know Your Customer (KYC) Programs

Section 326 requires financial institutions to implement programs to:

• Identify and conduct background checks on all new customers.
• Create monitoring systems designed to detect suspicious activity (e.g., repetitive transfers sent just below report thresholds).
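The monitoring the slides describe has two sides: a single currency transaction at or above the $10,000 CTR threshold must be reported, and a run of cash transactions kept just under that threshold is the "structuring" pattern a monitoring system should surface for review. The script below is an added example written for this page, not ACFE material or any vendor's monitoring product; the $9,000 "near threshold" floor, the seven-day window, the three-repeat trigger and the sample ledger are all constructed assumptions, and it treats only cash as in scope for the CTR rule.

```python
"""Transaction monitoring for the two Bank Secrecy Act patterns on the slides:
cash transactions at or above the $10,000 CTR threshold, and repeated cash
transactions kept just below it (structuring). Added example, not ACFE code;
the look-back window, the "near threshold" floor, the repeat count and the
sample transactions are all constructed assumptions."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

CTR_THRESHOLD = 10_000.00        # CTR threshold stated on the slides
NEAR_FLOOR = 9_000.00            # assumption: "just below" = $9,000 to $9,999.99
WINDOW = timedelta(days=7)       # assumption: look-back window for repeats
MIN_REPEATS = 3                  # assumption: near-threshold count that triggers review


@dataclass(frozen=True)
class Txn:
    customer_id: str
    when: datetime
    amount: float
    kind: str                    # "cash" or "wire"


def ctr_reportable(txns):
    """Cash transactions that meet the CTR filing threshold."""
    return [t for t in txns if t.kind == "cash" and t.amount >= CTR_THRESHOLD]


def structuring_alerts(txns):
    """Customers with MIN_REPEATS or more near-threshold cash transactions
    inside any WINDOW-long span. Returns {customer_id: [transactions]} for
    the first qualifying span per customer."""
    near = defaultdict(list)
    for t in txns:
        if t.kind == "cash" and NEAR_FLOOR <= t.amount < CTR_THRESHOLD:
            near[t.customer_id].append(t)

    alerts = {}
    for cust, hits in near.items():
        hits.sort(key=lambda t: t.when)
        start = 0
        for end in range(len(hits)):          # sliding window over sorted hits
            while hits[end].when - hits[start].when > WINDOW:
                start += 1
            if end - start + 1 >= MIN_REPEATS:
                alerts[cust] = hits[start:end + 1]
                break
    return alerts


# Constructed sample ledger (not real data).
SAMPLE_TXNS = [
    Txn("A", datetime(2015, 3, 1), 9_500.00, "cash"),
    Txn("A", datetime(2015, 3, 2), 9_800.00, "cash"),
    Txn("A", datetime(2015, 3, 3), 9_900.00, "cash"),
    Txn("A", datetime(2015, 3, 5), 9_700.00, "cash"),
    Txn("B", datetime(2015, 3, 2), 12_000.00, "cash"),   # single CTR-level deposit
    Txn("C", datetime(2015, 3, 1), 9_900.00, "cash"),
    Txn("C", datetime(2015, 4, 2), 9_900.00, "cash"),    # too far apart to pair
    Txn("D", datetime(2015, 3, 1), 9_900.00, "wire"),    # not currency, outside CTR scope
    Txn("D", datetime(2015, 3, 2), 9_900.00, "wire"),
    Txn("D", datetime(2015, 3, 3), 9_900.00, "wire"),
]

if __name__ == "__main__":
    for t in ctr_reportable(SAMPLE_TXNS):
        print(f"CTR: customer {t.customer_id} ${t.amount:,.2f} on {t.when:%Y-%m-%d}")
    for cust, hits in structuring_alerts(SAMPLE_TXNS).items():
        print(f"REVIEW: customer {cust} has {len(hits)} near-threshold cash "
              f"transactions between {hits[0].when:%Y-%m-%d} and {hits[-1].when:%Y-%m-%d}")
```

Run as a script, it reports customer B for a CTR and flags customer A for review after the third near-threshold deposit within the week; customer C's two deposits a month apart and customer D's wires produce nothing, which is the point of keeping the window and the instrument type explicit in the rule rather than buried in an analyst's judgement.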

Office of Foreign Assets Control

OFAC enforces U.S. sanctions.

The Specially Designated Nationals (SDN) List contains thousands of names of people known or suspected of committing illegal activity.

U.S. residents and organizations must not do business with anyone on the SDN List.
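Complying with the SDN prohibition in practice means screening every counterparty name before onboarding or payment, and the hard part is that list entries and customer records spell the same party differently. The script below is an added example for this page, not ACFE code and not a real screening product; the three list entries are constructed placeholders rather than entries from OFAC's actual list, and the suffix list and the 0.85 review threshold are assumptions.

```python
"""Sanctions screening against an SDN-style list: normalize the name, then
treat exact normalized matches as blocks and close near-matches as manual
reviews. Added example, not ACFE code; the three list entries and the
review threshold are constructed stand-ins, not OFAC's actual SDN List."""
import re
import unicodedata
from difflib import SequenceMatcher

# Constructed placeholder entries; the real list is published by OFAC.
SDN_LIST = [
    "EXAMPLE TRADING COMPANY LTD",
    "DOE, JOHN",
    "ACME INDUSTRIES, S.A.",
]

# Corporate suffixes ignored during comparison (assumption).
SUFFIXES = {"LTD", "LIMITED", "INC", "CO", "COMPANY", "CORP", "SA", "LLC"}
REVIEW_THRESHOLD = 0.85           # assumption: similarity that warrants a manual review


def normalize(name):
    """Strip accents and punctuation, upper-case, drop corporate suffixes and
    sort tokens so 'DOE, JOHN' and 'John Doe' compare equal."""
    ascii_name = unicodedata.normalize("NFKD", name)
    ascii_name = "".join(c for c in ascii_name if not unicodedata.combining(c))
    tokens = re.sub(r"[^A-Z0-9 ]", " ", ascii_name.upper()).split()
    return " ".join(sorted(t for t in tokens if t not in SUFFIXES))


def screen(name):
    """Return (decision, closest_list_entry, score) where decision is
    'block' (exact normalized match), 'review' (score >= threshold) or 'clear'."""
    target = normalize(name)
    best_entry, best_score = None, 0.0
    for entry in SDN_LIST:
        score = SequenceMatcher(None, target, normalize(entry)).ratio()
        if score > best_score:
            best_entry, best_score = entry, score
    if best_score == 1.0:
        decision = "block"
    elif best_score >= REVIEW_THRESHOLD:
        decision = "review"
    else:
        decision = "clear"
    return decision, best_entry, round(best_score, 2)


if __name__ == "__main__":
    for candidate in ["John Doe", "Jon Doe", "Example Trading Co. Limited", "Jane Smith"]:
        print(candidate, "->", screen(candidate))
```

A near-match goes to a human rather than being silently cleared or blocked: false clears are the compliance failure the slide warns about, and false blocks are a customer-service problem, so the threshold is a tuning decision the compliance officer owns and should document.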

Red Flags Rules

Created pursuant to the Fair and Accurate Credit Transactions Act to reduce identity theft.

Enforced by the FTC and federal bank regulatory agencies.

Applies not only to financial institutions, but also to various creditors.

The FTC has interpreted creditors to mean any organization that maintains accounts with a reasonably foreseeable risk of identity theft.

Four Elements of a Red Flags Program

• Have reasonable procedures to identify the red flags of identity theft in day-to-day operations.
• Be designed to specifically detect the identified red flags.
• Include appropriate actions upon detection of red flags.
• Be periodically evaluated to find new risks.

Anti-Fraud Compliance in Health Care

Heavily regulated due to:

• False claims
• Provider fraud
• Privacy issues

Core regulations:

• ACA
• HIPAA
• HITECH Act
• Red Flags Rules

Patient Protection and Affordable Care Act

Compliance programs were previously voluntary.

The ACA mandates that a broad range of providers, suppliers, and physicians establish a compliance and ethics program.

HHS-OIG recommends a compliance program based on the Federal Sentencing Guidelines.

Patient Protection and Affordable Care Act

1. Conduct internal monitoring and auditing.
2. Implement compliance and practice standards.
3. Designate a compliance officer or contact.
4. Conduct appropriate training and education.
5. Respond appropriately to detected offenses and develop corrective action.
6. Develop open lines of communication with employees.
7. Enforce disciplinary standards through well-publicized guidelines.

Health Insurance Portability and Accountability Act (HIPAA)

Makes health care fraud a federal crime.

Violations:

• Defrauding any health care benefit program
• Intentionally making false statements in any manner involving a health care benefit program
• Embezzling or converting any property of a health care benefit program
• Obstructing an investigation of a health care offense

Key HIPAA Provisions

Health care benefit program, the operative link to a violation, means:

• Any public or private plan
• Affecting commerce
• Under which any medical benefit/service is provided, whether it is provided by an individual or an entity

Health care fraud: Knowingly and willfully executing a scheme to defraud a health care benefit program.

Health Information Technology for Economic and Clinical Health (HITECH) Act

Passed in 2009 to prevent fraud and inappropriate disclosure of patient information.

Key fraud-related provisions:

• If health care providers inappropriately release covered information, they must notify the patient and Health and Human Services.
• Data privacy requirements were expanded to business associates of providers.
• It increased funding for enforcement actions.

Red Flags Rules in Health Care

The Red Flags Rules are designed to regulate creditors.

While health care providers are normally not labeled creditors, the FTC originally suggested they would be for these rules.

The FTC has since clarified that providers are not creditors per se, but may be so classified if they maintain accounts with a foreseeable risk of identity theft.

International Laws and Regulations

Not just for large companies with foreign offices and affiliates anymore.

Regulatory reach extends to those with indirect foreign business.

EU Directive on Personal Data Protection

Response to increased data sharing.

Creates consistent international policy to protect personal data.

Applies to all companies using personal data of EU citizens.

Protected personal data includes:

• Employment status
• Economic status
• Health history

EU Directive on Personal Data Protection

It restricts member nations from sending consumer data from the EU to non-EU countries.

EU nations must ensure "adequate" data protection with non-EU data counterparties.

The United States negotiated the Safe Harbor Agreement with the EU to facilitate trade.

EU General Data Protection Regulation

Proposed draft to replace the EU Directive (2015).

• Extends coverage to companies processing data about EU residents, even if the companies have no presence in the EU.
• Requires notification and consent of individuals for information processing.
• Enables individuals to request history clearing.
• Requires notification of individuals and authorities about data breaches.

French Data Privacy Case

Illustration: Dassault Systèmes

Warning for anonymous whistleblower procedures developed within multinational companies to satisfy SOX.

The French Supreme Court found that the procedures ran counter to French data protection laws, violating:

• Rights of the subject to be notified
• The subject's right to rectify false information

International Anti-Corruption Regulations

EU Convention on the Fight Against Corruption

• Prohibits bribery of officials of the EU and EU member states
• Promotes member cooperation in prosecution of corruption

UN Convention Against Corruption

• Recommended standards for member nations
• Ratified by 144 members
• Framework to fight bribery (public and foreign), extortion, abuse of power, money laundering

UK Bribery Act

Passed in 2010, the Bribery Act is a UK law with a function similar to the FCPA.

Official enforcement date was July 1, 2011.

Anyone with a substantial business presence in the UK is subject to its provisions.

UK Bribery Act

Scope: Like the FCPA, the Bribery Act has international reach to any company doing business in the UK.

Offenses under the Act:

• Failure of commercial enterprises to prevent bribery due to inadequate prevention measures (defense available for having adequate procedures in place)
• Official bribery (much like the FCPA)
• Commercial bribery (unlike the FCPA)

UK Bribery Act: Comparison of FCPA and UK Bribery Act

Each row pairs the FCPA position with the UK Bribery Act position.

FCPA: The FCPA applies only to bribery of foreign officials.
UK Bribery Act: The act covers both commercial bribery and bribery of foreign political officials.

FCPA: The FCPA does not apply to the receipt of a bribe.
UK Bribery Act: The commercial bribery provisions of the act apply to both the offer and the acceptance of a bribe, while those relating to bribery of foreign political officials apply only to the offer, promise, or payment of a bribe.

FCPA: The bribery provisions of the FCPA apply to: (1) SEC issuers (U.S. and foreign companies); (2) "domestic concerns"; (3) U.S. persons acting outside the U.S. in furtherance of a prohibited payment; (4) foreign nationals and entities that commit an act in the U.S. in furtherance of a prohibited payment; and (5) U.S. or foreign agents of any of the foregoing.
UK Bribery Act: The "failure to prevent bribery" provision applies to: (1) UK entities that conduct business in the UK or elsewhere; and (2) any corporation, wherever formed, that carries on business or part of a business in the UK.

FCPA: The government must show that the defendant had the requisite state of mind with respect to his actions (i.e., negligence, recklessness, intent) to prove bribery violations.
UK Bribery Act: There is strict liability on a corporation for "failing to prevent bribery" by an associate, whether the bribed person is a foreign political official or not. The only defense is that the company had adequate procedures in place to prevent the bribe.

FCPA: The FCPA permits facilitation payments for low-level payments for certain routine governmental actions.
UK Bribery Act: The act does not permit an exception for facilitation payments.

FCPA: The FCPA provides an affirmative defense for payments that are reasonable and bona fide business expenses directly related to the promotion, demonstration, or explanation of products or services or the execution or performance of a contract with a foreign government or agency.
UK Bribery Act: The act does not provide an affirmative defense for bona fide business expenses.

FCPA: The FCPA provides an affirmative defense for payments that are permissible under written local law.
UK Bribery Act: The act provides the same affirmative defense—but only with respect to payments made to foreign political officials. On the other hand, with respect to "commercial bribery," written local law can be considered only as a mitigating factor in determining what a reasonable payer or payee in the UK would expect in return for the payment.

UK Bribery Act

Six principles for organizations to assert the defense of having adequate procedures in place to prevent bribery:

• Proportionality
• Top-level commitment
• Risk assessment
• Due diligence
• Communication
• Monitoring and review

UK Bribery Act

Enforcement trend still unclear; mostly minor enforcements.

First major enforcement in August 2013: £23 million bribe regarding government land in Cambodia.

Discussion Question #1

The financial industry is heavily regulated in comparison to many others. What are the main areas that compliance professionals in the financial industry need to be concerned about?

Discussion Question #2

There are some regulations that, while aimed primarily at financial institutions, affect many other industries. Give some examples of such laws and explain how nonfinancial institutions need to develop their compliance programs accordingly.

Discussion Question #3

Give some examples of how U.S. companies may be subject to international rules.

• Discuss the challenges in complying with international rules and the laws of foreign nations.
• What methods could be developed to comply with international and foreign laws? What about when these laws clash with U.S. regulations?