© 2015 Association of Certified Fraud Examiners, Inc.
Fraud-Related Compliance
Areas of Compliance, Part 2:
Industry-Specific and International Regulations
Industry-Specific Compliance
Many industries have laws tailored for them, in
addition to standard regulations.
Industry-specific regulation tends to target high-risk
industries where significant rights (customers' funds,
health and personal data) need protection.
• Financial institutions (a broadening classification)
• Health care providers
Consider: Does your employer contract with any
businesses in such industries?
Anti-Fraud Compliance in
Financial Institutions
Regulator focus
• Combat money laundering.
• Prevent financial institution
fraud.
Core regulations
• Bank Secrecy Act
• PATRIOT Act
• Red Flags Rules
Bank Secrecy Act
Aimed at preventing money laundering by
requiring financial institutions to keep certain
records and report large or unusual
transactions
Two major parts:
• Title I—Financial Recordkeeping
• Title II—Reports of Currency and Foreign
Transactions
Bank Secrecy Act—Recordkeeping
Regulates financial institutions, defined broadly
(e.g., banks, lenders, insurers, securities
brokers, car dealerships, casinos)
Requires records to be kept for five years
• Transfers of more than $10,000 outside the United
States
• Extensions of credit more than $10,000
• Account statements, signature cards
• Purchases of instruments worth $3,000 or more
• Checks and deposits in excess of $100
Bank Secrecy Act—Reporting
Certain financial institutions must file reports for
various transactions.
• Currency Transaction Reports (CTRs) for cash transactions
of more than $10,000 in a single business day, including
multiple transactions by or on behalf of the same person
that together exceed $10,000
• Suspicious Activity Reports (SARs) for transactions known
or suspected to involve criminal activity (dollar thresholds
depend on the type of institution)
• Reports of International Transportation of Currency or
Monetary Instruments (CMIRs) whenever more than $10,000 in
currency or monetary instruments is physically transported,
mailed, or shipped into or out of the United States
PATRIOT Act
Passed in 2001, primarily to combat the financing of
terrorism and other illicit activity
Beyond expanding information sharing and monitoring,
it adds regulation of the financial sector and requires
institutions to operate anti-money laundering programs
PATRIOT Act—
Money Laundering Provisions
Requires all financial institutions to establish
anti-money laundering (AML) programs
Prohibits shell banks from holding accounts at U.S.
financial institutions
Requires due diligence procedures to detect and report
money laundering through accounts held by non-U.S.
persons (private banking and correspondent accounts)
Requires any trade or business to report to FinCEN
(Form 8300) the receipt of more than $10,000 in currency
in one transaction or related transactions
Makes bulk smuggling of more than $10,000 in cash across
the U.S. border a criminal offense
PATRIOT Act—AML Programs
Applies to a broad definition of financial
institutions (from banks to jewelry dealers)
Minimum requirements of an AML program
• Internal controls tailored to preventing money
laundering
• Designating a money laundering compliance officer
• Ongoing employee training
• Supporting an independent audit function to test
program
Elements of an AML Program
Policies and procedures
• Identify high-risk areas.
• Select individuals responsible for compliance; get the
board of directors to approve an AML officer.
• Have policies to meet each regulatory requirement.
Controls
• Segregation of duties
• Monitoring system for timely detection of suspicious
activity
• Gearing training for key personnel toward anti-money
laundering
PATRIOT Act—
Know Your Customer (KYC) Programs
Section 326 (the Customer Identification Program, or CIP)
requires financial institutions to implement programs to:
• Verify the identity of each new customer and keep records
of the information used to do so.
• Check new customers against government lists of known or
suspected terrorists.
• As part of the broader AML program, run monitoring systems
designed to detect suspicious activity (e.g., structuring:
repeated deposits or transfers kept just below reporting
thresholds).
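The monitoring bullet above describes structuring: splitting cash into deposits that each stay under the CTR threshold. The Python below is an added example, not code from the ACFE deck or from any vendor's monitoring product; it shows a rolling-window aggregation rule of the kind a transaction-monitoring system would run over the slide's scenario. The $9,000 "near the threshold" floor, the seven-day window, the minimum deposit count, and the sample transactions are constructed assumptions for illustration.

```python
"""Structuring detection over a constructed cash-deposit log.

Added example for this page; it is not code from the ACFE deck. It flags
customers whose deposits individually stay under the CTR threshold but, taken
together over a short period, exceed it. The threshold floor, the look-back
window, the minimum count and the sample data are assumptions.
"""

from collections import defaultdict
from datetime import datetime, timedelta

CTR_THRESHOLD = 10_000.0        # a CTR is required for cash transactions over this amount
NEAR_THRESHOLD_FLOOR = 9_000.0  # assumption: deposits at or above this count as "just below"
WINDOW = timedelta(days=7)      # assumption: rolling look-back window for aggregation
MIN_COUNT = 2                   # assumption: at least this many deposits in the window

# Constructed sample data: (customer_id, ISO timestamp, branch, amount).
# alice splits about $38k into four sub-threshold deposits across three
# branches in one week; bob makes a single $12k deposit (a CTR is filed, but
# that is not structuring); carol's activity is routine.
SAMPLE_TRANSACTIONS = [
    ("alice", "2015-03-02T10:15", "B01", 9_500.00),
    ("alice", "2015-03-03T11:40", "B07", 9_800.00),
    ("alice", "2015-03-05T09:05", "B03", 9_200.00),
    ("alice", "2015-03-06T16:30", "B01", 9_900.00),
    ("bob",   "2015-03-02T12:00", "B02", 12_000.00),
    ("carol", "2015-03-04T14:20", "B05", 450.00),
    ("carol", "2015-03-11T14:25", "B05", 600.00),
]


def group_by_customer(rows):
    """Parse rows into {customer: [(timestamp, branch, amount), ...]} sorted by time."""
    grouped = defaultdict(list)
    for customer, ts, branch, amount in rows:
        grouped[customer].append((datetime.fromisoformat(ts), branch, float(amount)))
    for txns in grouped.values():
        txns.sort(key=lambda t: t[0])
    return grouped


def find_structuring(rows, threshold=CTR_THRESHOLD, floor=NEAR_THRESHOLD_FLOOR,
                     window=WINDOW, min_count=MIN_COUNT):
    """Return one alert per customer whose near-threshold deposits inside a
    rolling window number at least `min_count` and sum to more than `threshold`.

    Deposits above `threshold` are excluded: they already trigger a CTR and are
    not evidence of evading one.
    """
    alerts = []
    for customer, txns in group_by_customer(rows).items():
        near = [t for t in txns if floor <= t[2] <= threshold]
        start = 0
        best = None
        for end in range(len(near)):
            # Advance the window start until the span fits inside `window`.
            while near[end][0] - near[start][0] > window:
                start += 1
            cluster = near[start:end + 1]
            total = sum(t[2] for t in cluster)
            if len(cluster) >= min_count and total > threshold:
                # Keep the largest qualifying cluster for this customer.
                if best is None or total > best["total"]:
                    best = {
                        "customer": customer,
                        "count": len(cluster),
                        "total": round(total, 2),
                        "branches": sorted({t[1] for t in cluster}),
                        "first": cluster[0][0].isoformat(),
                        "last": cluster[-1][0].isoformat(),
                    }
        if best is not None:
            alerts.append(best)
    return alerts


if __name__ == "__main__":
    for alert in find_structuring(SAMPLE_TRANSACTIONS):
        print(alert)
```

A production rule would also aggregate across accounts the same person controls and across channels (teller, ATM, wire), and would treat the multi-branch pattern as an aggravating indicator rather than merely listing the branches on the alert as this example does.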
Office of Foreign Assets Control
OFAC administers and enforces U.S. economic sanctions.
The Specially Designated Nationals and Blocked Persons
(SDN) List names thousands of individuals, companies,
and vessels designated under U.S. sanctions programs
(e.g., terrorists, narcotics traffickers, and entities
owned or controlled by targeted governments).
Their U.S. assets are blocked, and U.S. persons (citizens,
residents, and organizations) are generally prohibited from
doing business with anyone on the SDN List, so customers
and counterparties must be screened against it.
Red Flags Rules
Created pursuant to the Fair and Accurate Credit
Transactions Act (FACTA) of 2003 to reduce identity theft
Enforced by the FTC and the federal bank regulatory
agencies
Apply not only to financial institutions but also to
various creditors
The FTC interprets "creditor" broadly; what matters is
whether the organization maintains covered accounts with
a reasonably foreseeable risk of identity theft.
Four Elements of Red Flags Program
Have reasonable procedures to identify the red
flags of identity theft in day-to-day operations
Be designed to specifically detect the identified
red flags
Include appropriate actions upon detection of
red flags
Be periodically evaluated to find new risks
Anti-Fraud Compliance in Health Care
Heavily regulated due to:
• False claims
• Provider fraud
• Privacy issues
Core regulations:
• ACA
• HIPAA
• HITECH Act
• Red Flags Rules
Patient Protection and Affordable Care Act
Compliance programs were previously
voluntary.
The ACA mandates that a broad range of
providers, suppliers, and physicians establish a
compliance and ethics program.
HHS-OIG recommends a compliance program
based on the Federal Sentencing Guidelines.
Patient Protection and Affordable Care Act
1. Conduct internal monitoring and auditing.
2. Implement compliance and practice standards.
3. Designate a compliance officer or contact.
4. Conduct appropriate training and education.
Patient Protection and Affordable Care Act
5. Respond appropriately to detected offenses and
develop corrective action.
6. Develop open lines of communication with
employees.
7. Enforce disciplinary standards through well-
publicized guidelines.
Health Insurance Portability and
Accountability Act (HIPAA)
Makes health care fraud a federal crime
Violations
• Defrauding any health care benefit program
• Intentionally making false statements in any manner
involving a health care benefit program
• Embezzling or converting any property of a health
care benefit program
• Obstructing an investigation of a health care offense
Key HIPAA Provisions
Health care benefit program, the operative link
to a violation, means:
• Any public or private plan
• Affecting commerce
• Under which any medical benefit/service is provided,
whether it is provided by an individual or an entity
Health care fraud: Knowingly and willfully
executing a scheme to defraud a health care
benefit program
Health Information Technology for
Economic and Clinical Health (HITECH) Act
Passed in 2009 as part of the American Recovery and
Reinvestment Act; strengthened HIPAA's privacy and
security rules to prevent fraud and inappropriate
disclosure of patient information
Key fraud-related provisions:
• If a covered entity or its business associate breaches
unsecured protected health information, it must notify
the affected patients and the Department of Health and
Human Services (and the media, for breaches affecting
more than 500 residents of a state).
• HIPAA privacy and security requirements were extended
directly to business associates of providers.
• Civil penalties were increased and funding for
enforcement actions was expanded.
Red Flags Rules in Health Care
The Red Flags Rules are designed to regulate
creditors.
While health care providers are normally not
labeled creditors, the FTC originally suggested
they would be for these rules.
The FTC has since clarified that providers are
not creditors per se, but may be so classified if
they maintain accounts with a foreseeable risk
of identity theft.
International Laws and Regulations
Not just for large
companies with foreign
offices and affiliates
anymore
Regulatory reach
extends to those with
indirect foreign
business
EU Directive on Personal Data Protection
Directive 95/46/EC, adopted in 1995 in response to
increased cross-border data sharing
Harmonizes data protection rules across EU member states
Applies to companies processing the personal data of
individuals in the EU
Protected personal data includes:
• Employment status
• Economic status
• Health history
EU Directive on Personal Data Protection
It restricts transfers of personal data from the EU to
non-EU countries.
Data may be sent only to non-EU counterparties that
ensure an "adequate" level of data protection.
The United States negotiated the Safe Harbor framework
(2000) with the EU to facilitate transatlantic data
flows; the Court of Justice of the EU invalidated it in
October 2015 (the Schrems decision).
EU General Data Protection Regulation
Proposed in 2012 to replace the 1995 Directive; still a
draft when this deck was written (2015). It was adopted
in April 2016 and has applied since 25 May 2018.
Extends coverage to companies processing data about EU
residents, even if the companies have no presence in the
EU (when they offer them goods or services or monitor
their behavior)
Requires a lawful basis for processing, such as the
individual's consent, and transparent notice to individuals
Gives individuals a right to erasure (the "right to be
forgotten")
Requires notification of data breaches to the supervisory
authority (within 72 hours where feasible) and to the
affected individuals when the breach is likely to result
in a high risk to them
French Data Privacy Case
Illustration: Dassault Systèmes
A warning for multinationals that set up anonymous
whistleblower procedures to satisfy SOX
The Cour de cassation (France's highest court) found that
the procedures ran counter to French data protection law,
violating:
• The data subject's right to be notified
• The data subject's right to rectify false information
International Anti-Corruption Regulations
EU Convention on the Fight Against Corruption
• Prohibits bribery of officials of the EU and EU
member states
• Promotes member cooperation in prosecution of
corruption
UN Convention Against Corruption (UNCAC)
• Recommended standards for member nations
• Ratified by 144 members at the time of this deck's
writing (the number of parties has since grown)
• Framework to fight bribery (domestic and foreign),
extortion, abuse of power, and money laundering
UK Bribery Act
Passed in 2010, the
Bribery Act is a UK law
with a function similar to
the FCPA.
Official enforcement
date was July 1, 2011.
Anyone with a
substantial business
presence in the UK is
subject to its provisions.
UK Bribery Act
Scope: Like the FCPA, the Bribery Act has international
reach, extending to any company that carries on business
or part of a business in the UK.
Offenses under the Act:
• Bribing another person, including commercial bribery
(which the FCPA does not cover)
• Being bribed (accepting or requesting a bribe)
• Bribing a foreign public official (much like the FCPA)
• Failure of a commercial organization to prevent bribery
by a person associated with it (a defense is available if
the organization had adequate procedures in place)
UK Bribery Act
Comparison of FCPA and UK Bribery Act
FCPA: The FCPA applies only to bribery of foreign officials.
UK Bribery Act: The act covers both commercial bribery and
bribery of foreign political officials.

FCPA: The FCPA does not apply to the receipt of a bribe.
UK Bribery Act: The commercial bribery provisions of the act
apply to both the offer and the acceptance of a bribe, while
those relating to bribery of foreign political officials
apply only to the offer, promise, or payment of a bribe.
UK Bribery Act
Comparison of FCPA and UK Bribery Act (continued)
FCPA: The bribery provisions of the FCPA apply to: (1) SEC
issuers (U.S. and foreign companies); (2) "domestic
concerns"; (3) U.S. persons acting outside the U.S. in
furtherance of a prohibited payment; (4) foreign nationals
and entities that commit an act in the U.S. in furtherance
of a prohibited payment; and (5) U.S. or foreign agents of
any of the foregoing.
UK Bribery Act: The "failure to prevent bribery" provision
applies to: (1) UK entities that conduct business in the UK
or elsewhere; and (2) any corporation, wherever formed, that
carries on business or part of a business in the UK.

FCPA: The government must show that the defendant had the
requisite state of mind with respect to his actions (i.e.,
negligence, recklessness, intent) to prove bribery
violations.
UK Bribery Act: There is strict liability on a corporation
for "failing to prevent bribery" by an associated person,
whether the bribed person is a foreign political official or
not. The only defense is that the company had adequate
procedures in place to prevent the bribe.
UK Bribery Act
Comparison of FCPA and UK Bribery Act (continued)
FCPA: The FCPA permits facilitating payments (small payments
to expedite certain routine governmental actions).
UK Bribery Act: The act provides no exception for
facilitation payments.

FCPA: The FCPA provides an affirmative defense for payments
that are reasonable and bona fide business expenses directly
related to the promotion, demonstration, or explanation of
products or services or the execution or performance of a
contract with a foreign government or agency.
UK Bribery Act: The act provides no affirmative defense for
bona fide business expenses.
UK Bribery Act
Comparison of FCPA and UK Bribery Act (continued)
FCPA: The FCPA provides an affirmative defense for payments
that are permissible under written local law.
UK Bribery Act: The act provides the same affirmative
defense, but only with respect to payments made to foreign
political officials. With respect to "commercial bribery,"
written local law can be considered only as a factor in
determining what a reasonable person in the UK would expect
of the payer or payee in return for the payment.
UK Bribery Act
Six principles for organizations to assert the
defense for having adequate procedures in
place to prevent bribery:
• Proportionality
• Top-level commitment
• Risk assessment
• Due diligence
• Communication
• Monitoring and review
UK Bribery Act
Enforcement trend still unclear
Mostly minor enforcement actions so far
First major case: in August 2013 the Serious Fraud Office
brought its first charges under the Act, in a case
involving a £23 million investment scheme tied to
government land in Cambodia
Discussion Question #1
The financial industry is heavily regulated in
comparison to many others. What are the main
areas that compliance professionals in the
financial industry need to be concerned about?
Discussion Question #2
There are some regulations that, while aimed
primarily at financial institutions, affect many
other industries. Give some examples of such
laws and explain how nonfinancial institutions
need to develop their compliance programs
accordingly.
Discussion Question #3
Give some examples of how U.S. companies
may be subject to international rules.
• Discuss the challenges in complying with
international rules and the laws of foreign nations.
• What methods could be developed to comply with
international and foreign laws? What about when
these laws clash with U.S. regulations?