New York - Virtual Currencies Compliance Conference

I present my point of view on how to approach the inevitability of regulation, and how to build a risk and compliance program the smart way. Part 1 deals with the main risk areas facing non-bank financial institutions and how to identify the risks, and why focusing on the spirit of the law is important. Part 2 is about designing a program the smart way, i.e., with an engineering mindset. Part 3 is an introduction to suspicious activity detection via transaction monitoring and data analysis, leveraging the blockchain. Part 4 includes a few words of unsolicited advice (contrarian, of course) that I've followed myself to build several companies, obtain and maintain hundreds of bank accounts and pass dozens of examinations in multiple countries.

Published in: Technology, News & Politics


1. Designing a Compliance Program for Virtual Currencies
  Virtual Currencies Compliance Conference
  New York, August 14, 2013
  by Juan Llanos, CAMS
2. Agenda
  1. Risk identification
     Risk areas → Focus on AML
  2. Risk mitigation
     a) Program design tips
     b) Overview of corporate and product safeguards
     c) Customer identification and authentication (de-anonymization)
  3. SA Detection via Monitoring and Analysis
     Leveraging the blockchain
  4. Unsolicited (contrarian) advice
  © 2013 JuanLlanos
4. Risks & Stakeholders
  Risk areas: operational, credit, money laundering, terrorist financing, information loss, liquidity, fraud, identity theft
  Stakeholders: federal agencies, state agencies, investors, consumers, employees, society
  Goals: safety, soundness, security, privacy, crime prevention, health, integrity
  Regulation → inevitable, yet valid
  Compliance → onerous, yet valuable
5. Money transmission = highly regulated industry
  Money transmitters and their agents are perceived as HIGH RISK of:
  • abuse to consumer
  • money laundering
  • terrorist financing
6. How Can We Abuse Consumers?
  • Loss of funds
  • Wrong product/service
  • Failed transactions
  • Overpricing
  • Divulging/losing private data
  • Claims ignored
7. How Can Money Be Laundered Through Us?
  • Identity theft & impersonation
  • Structuring
  • Fraudulent acts
  • Lax controls
  Risk fronts: FRONT OFFICE / BACK OFFICE
  General risks (all FIs) → fake IDs, negligence, incompetence & wrongdoing
8. Money Transmitter Regulation
  Main risk areas → main statutes and regs:
  • Anti-Money Laundering → BSA, USA PATRIOT Act, Money Laundering Acts
  • Anti-Terrorism Financing (CFT) → USA PATRIOT Act, OFAC
  • Privacy and Information Security → Gramm-Leach-Bliley
  • Safety and soundness → State (via licensing)
  • Consumer protection → State (via licensing) + Dodd-Frank / Regulation E (CFPB)
  Focus → AML/BSA + State Compliance
9. Money Transmitter Risk Fronts
  MT risks arise on four fronts:
  • Operational
  • Customer (Sender & Recipient)
  • Foreign Counterparty
  • Agent (B&M, online)
11. Operational Risks and Mitigators
  RISKS
  • Commingling/diversion of funds
  • Poor cash management, accounting and settlement
  • Poor document management, reporting and record-keeping
  • Inadequate policies and procedures
  • Poor controls
  • Systems breakdowns
  MITIGATORS
  • Employee acceptance, monitoring and termination protocols
  • Employee training and education
  • Professional financial, operational and compliance management
  • Dual controls and segregation of duties
  • Business continuity and disaster recovery planning
  • Independent auditing and testing
  • State-of-the-art technology
12. Customer Risks and Mitigators
  RISKS
  • Complicity with agent or foreign counterparty
  • Complicity with recipient (or sender)
  • ‘Drip-irrigation’ transfer of illicit funds (O2M recipients, M2O recipient, M2M recipients)
  • Intra-company structuring
  • Inter-company structuring (‘smurfing’)
  • Terrorist financing
  MITIGATORS
  • Customer acceptance, monitoring and termination protocols
  • Transaction & behavior monitoring
  • Lower identity verification thresholds at origin and destination
  • For cards, maximum loadable amounts, expiration date, and limited number of recipients
  • Redundant identity verification procedures at destination
  • POS training
  • OFAC screening
  • Eventually, intercompany transaction monitoring by a highly professional and secure clearing house. This is the only possible antidote against ‘smurfing’.
13. Foreign Counterparty Risks and Mitigators
  RISKS
  • Complicity with sender or agent
  • Poor cash sourcing, management, accounting and settlement
  • Poor documentation and record-keeping
  • Lax policies, procedures and controls
  • Poor regulatory regime
  • Credit risk
  • Systems breakdowns
  MITIGATORS
  • Foreign counterparty acceptance, monitoring and termination protocols
  • Selecting reputable partners with a proven track record and effective systems and controls
  • Transaction monitoring
  • Independent auditing and testing
  • OFAC screening
14. Agent Risks and Mitigators
  RISKS
  • Assistance in structuring
  • Complicity with sender or beneficiary
  • Commingling of funds
  • Credit risk
  • Identity theft
  • Non-compliance with Section 352 of the PATRIOT Act
  MITIGATORS
  • Agent acceptance, monitoring and termination protocols
  • Transaction monitoring
  • POS training
  • Zero tolerance policy
  • Secret shopping and stress testing
  • OFAC screening
16. Program Design Tips
  1. Always understand the flow of DATA and the flow of MONEY.
  2. Life-cycle management and the right mix of detective and deterrent techniques, including effective training, are key.
  3. Document or perish.
17. Bottom-Up Program Design: Spirit of law + Engineering Mindset
  1. Map Flows and Processes
  2. Identify Risks
  3. Design Controls
  4. Write PPCs
  5. Execute and Measure
  6. Enhance and Improve
18. Life-Cycle Management (diagram)
19. CORPORATE Safeguards*
  * AML Program Elements (Section 352 of the USA PATRIOT Act)
  1. A designated compliance officer + professional team
  2. Written policies and procedures + operational controls:
     • Licensing, renewal and reporting procedures (S)
     • Registration, record-keeping and report-filing procedures (F)
     • KY (Know Your…) Subprograms: acceptance, monitoring, correction and termination
       • KY…Customer
       • KY…Agent
       • KY…Foreign Counterparty
       • KY…Employee
       • KY…Vendor
     • Monitoring, analysis and investigating procedures
     • OFAC compliance program
     • Response to official information requests
     • Privacy and information security protection protocols
  3. An on-going training program
     • Risk & Compliance Committee
  4. An independent compliance auditing function
20. Key Elements of a BSA/AML Program
  • State Compliance: licensing, renewal and reporting procedures // consumer protection disclosures, etc.
  • Federal Compliance: registration, record-keeping and report-filing procedures (F)
  • KY (Know Your…) Subprograms: acceptance, monitoring, correction and termination (Life-Cycle Management)
    • KY…Customer
    • KY…Agent
    • KY…Foreign Correspondent or Counterparty
    • KY…Employee
    • KY…Vendor
  • SA Detection: monitoring, analysis and investigating procedures
  • Information Sharing: response to information requests
  • OFAC Compliance Program
  • Privacy and information security protection protocols (GLBA)
21. PRODUCT Safeguards
  Cash features:
  • Anonymous identification
  • No value limits
  • Anonymous funding
  • No transaction records
  • Wide geographical use
  • No usage limits
  Anything we do to counter these will mitigate the risk of our product!
22. CUSTOMER Identification
  Non-Face to Face → card-not-present standards
  Non-documentary → contacting a customer; independently verifying the customer’s identity through the comparison of information provided by the customer with information obtained from a consumer reporting agency, public database, or other source; checking references with other financial institutions; and obtaining a financial statement.
  Documentary → review an unexpired government-issued form of identification from most customers. This identification must provide evidence of a customer’s nationality or residence and bear a photograph or similar safeguard; examples include a driver’s license or passport. However, other forms of identification may be used if they enable the bank to form a reasonable belief that it knows the true identity of the customer.
23. Authentication Strength
  Multifactor authentication:
  • Something the user knows (e.g., password, PIN)
  • Something the user has (e.g., ATM card, smart card)
  • Something the user is (e.g., biometric feature)
  Authentication methods:
  • Shared secrets
  • Tokens (smart card, one-time password generating device)
  • Biometrics (fingerprint, face, voice, keystroke recognition)
  • Out-of-band authentication
  • Internet protocol address (IPA) location and geo-location
  • Mutual identification
  Source: FFIEC
24. Agenda
  1. Risk identification
     Risk areas → Focus on AML
  2. Risk mitigation
     a) Overview of corporate and product safeguards
     b) Customer identification and authentication (de-anonymization)
  3. SA Detection via Monitoring and Analysis
     Leveraging the blockchain
  4. Unsolicited (contrarian) advice
25. BEHAVIORAL ANALYTICS
  “What customers do speaks so loudly that I cannot hear what they’re saying.” (Paraphrasing Ralph Waldo Emerson)
  Customer identification vs. customer knowledge
26. Machine Learning (AI) Methods
  SUPERVISED LEARNING: relies on two labeled classes (good vs. bad)
  Goal → detect known suspicious patterns
  1. Training set:
     a. Select a dataset with clean and dirty cases.
     b. A classification algorithm discriminates between the two classes (finds the rules or conditions).
     c. Probabilities of class 1 and class 2 assignment.
  2. Run the discrimination method on all future purchases.
  UNSUPERVISED LEARNING: no class labels
  Goal → detect anomalies
  1. Take the recent purchase history and summarize it in descriptive statistics.
  2. Measure whether selected variables exceed a certain threshold (deviations from the norm).
  3. Sound an alarm and record a high score.
27. Examples of Known Behaviors
  • High amounts
  • High frequency
  • Use of multiple locations
  • Use of multiple identities
  • Use of untrusted device
  • Values just below threshold
  • Immediate withdrawals
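As an added example (not code from the slides), the two approaches on slide 26 applied to the behaviours listed above: rule checks for the known patterns, plus a z-score deviation check of each amount against the customer's recent history for the unsupervised case. The reporting threshold, window, limits, field names and sample transactions are all assumed and constructed for the demonstration.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import mean, pstdev

# Constructed sample transactions (not real data); the field names are assumed.
SAMPLE_TXNS = [
    {"customer": "C1", "amount": 9500.0, "ts": "2013-08-01T10:00:00", "location": "NYC", "trusted_device": True},
    {"customer": "C1", "amount": 9800.0, "ts": "2013-08-01T11:30:00", "location": "Newark", "trusted_device": True},
    {"customer": "C1", "amount": 9900.0, "ts": "2013-08-01T13:00:00", "location": "Jersey City", "trusted_device": True},
    {"customer": "C2", "amount": 120.0, "ts": "2013-08-01T09:00:00", "location": "Miami", "trusted_device": True},
    {"customer": "C2", "amount": 110.0, "ts": "2013-08-02T09:00:00", "location": "Miami", "trusted_device": True},
    {"customer": "C2", "amount": 130.0, "ts": "2013-08-03T09:00:00", "location": "Miami", "trusted_device": True},
    {"customer": "C2", "amount": 4000.0, "ts": "2013-08-04T09:00:00", "location": "Miami", "trusted_device": False},
]

# Tunable parameters (assumed values: the slides name the behaviours, not the numbers).
REPORT_THRESHOLD = 10000.0  # reporting threshold a structurer tries to stay under
NEAR_RATIO = 0.9            # "just below threshold" = within 10% of it
WINDOW = timedelta(days=1)
MAX_TXNS_PER_WINDOW = 2
MAX_LOCATIONS_PER_WINDOW = 2

def _by_customer(txns):
    groups = defaultdict(list)
    for t in sorted(txns, key=lambda r: r["ts"]):
        groups[t["customer"]].append(t)
    return groups

def known_pattern_alerts(txns):
    """Supervised-style rules for the known behaviours above -> {customer: {rule names}}."""
    alerts = defaultdict(set)
    for cust, rows in _by_customer(txns).items():
        times = [datetime.fromisoformat(r["ts"]) for r in rows]
        for i, r in enumerate(rows):
            if NEAR_RATIO * REPORT_THRESHOLD <= r["amount"] < REPORT_THRESHOLD:
                alerts[cust].add("just_below_threshold")
            if not r["trusted_device"]:
                alerts[cust].add("untrusted_device")
            # sliding window opened by this transaction: frequency, location spread, aggregate
            window = [rows[j] for j in range(i, len(rows)) if times[j] - times[i] <= WINDOW]
            if len(window) > MAX_TXNS_PER_WINDOW:
                alerts[cust].add("high_frequency")
            if len({w["location"] for w in window}) > MAX_LOCATIONS_PER_WINDOW:
                alerts[cust].add("multiple_locations")
            # several sub-threshold amounts that add up past the threshold: structuring signal
            if sum(w["amount"] for w in window) >= REPORT_THRESHOLD:
                alerts[cust].add("aggregate_over_threshold")
    return dict(alerts)

def anomaly_scores(txns, history=3):
    """Unsupervised check: z-score of each amount against the customer's preceding
    `history` amounts -> {customer: highest z-score}; thin histories are not scored."""
    scores = {}
    for cust, rows in _by_customer(txns).items():
        amounts = [r["amount"] for r in rows]
        for i in range(history, len(amounts)):
            base = amounts[i - history:i]
            sd = pstdev(base)
            z = abs(amounts[i] - mean(base)) / sd if sd else float("inf")
            scores[cust] = max(scores.get(cust, 0.0), z)
    return scores
```

In the constructed data, C1 trips the structuring rules (three sub-threshold amounts from three locations within hours) and C2 is caught only by the deviation check, which is the point of running both.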
28. Sample Entity Pair Concentration Analysis (chart)
29. Sample Geographical Concentration (“heat”) Map (chart)
30. Bitcoin is Not Anonymous (Reid & Harrigan, 2011)
  • The entire history of Bitcoin transactions is publicly available.
  • “Using an appropriate network representation, it is possible to associate many public-keys with each other, and with external identifying information.”
  • “Large centralized services such as the exchanges and wallet services are capable of identifying and tracking considerable portions of user activity.”
  Source: An Analysis of Anonymity in the Bitcoin System - Bitcoin is Not Anonymous, by Fergal Reid and Martin Harrigan (2011). Link: http://anonymity-in-bitcoin.blogspot.com/2011/07/bitcoin-is-not-anonymous.html
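As an added example, not code from the slides or from Reid and Harrigan, the network representation behind the first quoted claim in its simplest form: the multi-input heuristic, under which addresses spent together in one transaction are assumed to share an owner. Merging them lets an analyst collapse the public transaction history into an entity-level graph and propagate a known label (for instance an exchange's deposit address gathered during customer identification) to every address in that entity's cluster. The transactions and addresses are constructed placeholders; the change-address heuristic is deliberately not applied.

```python
from collections import defaultdict

# Constructed sample transactions; addresses are placeholders, not real Bitcoin addresses.
# Each entry lists the addresses whose coins were spent together and the addresses paid.
SAMPLE_TXNS = [
    {"txid": "tx1", "inputs": ["A1", "A2"], "outputs": ["B1", "A3"]},
    {"txid": "tx2", "inputs": ["A2", "A4"], "outputs": ["B2"]},
    {"txid": "tx3", "inputs": ["B1"], "outputs": ["C1", "C2"]},
    {"txid": "tx4", "inputs": ["C1", "C2"], "outputs": ["D1"]},
]

class UnionFind:
    """Disjoint sets over addresses, with path compression."""
    def __init__(self):
        self.parent = {}

    def find(self, x):
        self.parent.setdefault(x, x)
        while self.parent[x] != x:
            self.parent[x] = self.parent[self.parent[x]]
            x = self.parent[x]
        return x

    def union(self, a, b):
        ra, rb = self.find(a), self.find(b)
        if ra != rb:
            self.parent[rb] = ra

def cluster_addresses(txns):
    """Multi-input heuristic: addresses spent together in one transaction are assumed to
    share an owner, so they are merged into one entity. Returns a set of frozensets."""
    uf = UnionFind()
    for tx in txns:
        for addr in tx["inputs"] + tx["outputs"]:
            uf.find(addr)                     # register every address seen
        for addr in tx["inputs"][1:]:
            uf.union(tx["inputs"][0], addr)   # co-spent inputs -> same entity
    groups = defaultdict(set)
    for addr in list(uf.parent):
        groups[uf.find(addr)].add(addr)
    return {frozenset(g) for g in groups.values()}

def entity_edges(txns, clusters):
    """Collapse the address graph into an entity graph: {(payer, payee): tx count}."""
    owner = {addr: c for c in clusters for addr in c}
    edges = defaultdict(int)
    for tx in txns:
        payer = owner[tx["inputs"][0]]
        for out in tx["outputs"]:
            if owner[out] != payer:           # ignore payments back to the same entity
                edges[(payer, owner[out])] += 1
    return dict(edges)

def counterparties_of(address, txns):
    """Entities that paid into the entity owning `address`. A label attached to that one
    address (an exchange deposit, a customer's declared wallet) covers the whole cluster."""
    clusters = cluster_addresses(txns)
    owner = {addr: c for c in clusters for addr in c}
    target = owner[address]
    return {payer for (payer, payee) in entity_edges(txns, clusters) if payee == target}
```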
31. The victim woke up on the morning of 13/06/2011 to find a large portion of his Bitcoins sent to 1KPTdMb6p7H3YCwsyFqrEmKGmsHqe1Q3jg. The alleged theft occurred on 13/06/2011 at 16:52:23 UTC shortly after somebody broke into the victim's Slush pool account and changed the payout address to 15iUDqk6nLmav3B1xUHPQivDpfMruVsu9f. The Bitcoins rightfully belong to 1J18yk7D353z3gRVcdbS7PV5Q8h5w6oWWG.
32. Bitcoin: Anonymous? Untraceable? “Invisible to law enforcement and the taxman”? Myths?
34. Unsolicited (contrarian) advice
  • Get real → WANT vs. MUST vs. CAN
  • Prevention trumps damage control
  • Risk MGT → both reducing downside and increasing upside
  • Simplicity and common sense
  • Train for behavior change, not theoretical knowledge
  • Form-substance continuum → substance
  • Letter-spirit continuum → focus on spirit (underlying purpose and values), which facilitates:
    • Operational synergies (leveraging tech)
    • Compliance without compromising performance
    • Flexibility and sustainability
35. Form vs. Substance
  FORM (seem): handbooks, written policies, talk (lawyers, public relations)
  SUBSTANCE (be): operationalization, quality, walk (compliance officers, engineers, leaders)
36. “Prosecutors are looking for substantive AML programs (not just paper ones) in determining whether you’re a victim or a suspect.” (Former federal prosecutor)
  “A well-written AML program will not by itself be sufficient. It’s the everyday operation, the execution and delivery, that matters.” (Wells Fargo MSB Risk Manager)
37. Evolution of Regulatory Relations
  VALUES AND CULTURE → REGULATORY RELATIONSHIP
  • Minimum Standards (as little as can get away with; unthinking, mechanical) → Policing: enforcement lesson, basic training
  • Compliance Culture (by the book; bureaucratic) → Supervising / Educating: look for early warnings, themed and focused visits
  • Beyond Compliance (risk focused, self-policing) → Educating / Consulting: culture development, lighter touch
  • Ethical business (values-based; spirit, not just letter; focus on prevention; strong learning) → Mature relationship: reinforce best practice, benchmark, reallocate resources to problem firms
  Source: Financial Services Authority, UK
38. Juan Llanos
  EVP & Compliance Officer
  Unidos Financial Services, Inc.
  275 Seventh Ave. - 20th Floor, New York, NY 10001
  Direct: (646) 485-2264
  Mobile: (646) 201-6217
  jllanos@unidosfinancial.com
  LinkedIn: www.linkedin.com/in/juanllanos
  Twitter: @JuanLlanos
  Blog: contrariancompliance.com
  Thank you!
