TRANSCRIPT
Business Continuity and Disaster Recovery Challenges for Compliance Professionals
MODERATOR
Jairo Namur, Founder and Chief Commercial Officer, Intelligence for Action LLC
SPEAKERS
Pawneet Ambramowski, SVP, Chief Compliance Officer, Community Federal Savings Bank NY
Buck Kulkarni, SVP-GRC, Alacriti Inc
David Mclaughlin, CEO, Quantaverse
Recent FinCEN and FFIEC regulatory guidance in response to the current COVID-19 pandemic:
• 3/16 – FinCEN requests financial institutions affected by the COVID-19 pandemic to contact FinCEN and their functional regulator as soon as practicable if a COVID-19-affected financial institution has concerns about any potential delays in its ability to file required Bank Secrecy Act (BSA) reports. FinCEN also advises financial institutions to remain alert to malicious or fraudulent transactions and notes emerging trends in imposter, investment, and product scams as well as insider trading.
• 4/3 – FinCEN states it expects financial institutions to continue following a risk-based approach, and to diligently adhere to their BSA obligations. FinCEN recognizes that certain regulatory timing requirements with regard to BSA filings may be challenging during the COVID-19 pandemic and that there may be some reasonable delays in compliance. FinCEN encourages financial institutions to consider, evaluate, and, where appropriate, responsibly implement innovative approaches to meet their BSA/anti-money laundering compliance obligations and reminds financial institutions of the December 3, 2018 Joint Statement on Innovative Efforts to Combat Money Laundering and Terrorist Financing.
CONTEXT
• 3/6 – FFIEC issues updated guidance identifying actions that financial institutions should take to minimize the potential adverse effects of a pandemic.
“This guidance is an update to the 2007 Interagency Statement on Pandemic Planning as well as the ‘Interagency Advisory on Influenza Pandemic Preparedness’ issued on March 15, 2006.”
“Pandemic planning presents unique challenges to financial institution management. Unlike natural disasters, technical disasters, malicious acts, or terrorist events, the impact of a pandemic is much more difficult to determine because of the anticipated difference in scale and duration.”
“[W]hile traditional disasters and disruptions normally have limited time durations, pandemics generally occur in multiple waves, each lasting two to three months.”
“Experts predict that perhaps the most significant challenge likely from a severe pandemic event will be staffing shortages due to absenteeism.”
Buck Kulkarni, SVP-GRC, Alacriti, Inc
BCP, DR, Pandemic Preparedness for Banks
Terminology
• Business Continuity
• Disaster Recovery
• Pandemic Plan
NIST 800-34
• Business Continuity Plan
• Continuity of Ops Plan
• Crisis Comm Plan
• Critical Infra Protection Plan
• Cyber Incident Response Plan
• Disaster Recovery Plan
• Information Systems Contingency Plan
• Occupant Emergency Plan
Regulations
• FISMA
• FFIEC
• OMB A-130
• Implicit/explicit in all other regulations
Evidence
• Annual DR
• Annual BCP
• Executive Table-top
• Duration, RPO, RTO
• Pandemic
Metrics:
• Security
• Performance
• Cost
• Efficiency
• Reliability
What is BCP, DR and Pandemic?
DR – Disaster Recovery: Focused on technology. How do you mitigate customer service disruption?
BCP – Business Continuity: Spans the whole organization. How do you mitigate disruption from technology, people, and/or process failures?
Pandemic Readiness: Spans a large portion of/all of your ecosystem. What if many branches in a region cannot open? Employees cannot reach the workplace? Lasts for a few days?
Coronavirus & Pandemic Preparedness
A traditional definition of pandemic: A pandemic is said to have occurred when:
• (say) 40% of your employees of a location cannot reach the work location
• For (say) three consecutive business days
Implicit Assumptions:
1. Half or more employees will reach the office
2. It is localized; not all locations will shut down
3. Three to ten days is the expected duration of a pandemic event
4. Real risk is quite low; we prepare for it more as a best practice!
Coronavirus demolishes all these assumptions
How To Prepare For a Pandemic Event?
PHYSICAL PREPARATION:
• Accept Pandemic as a Reality
• Board Mandate to Prepare & Test
• Minimum Service Set (from BCP)
• Minimum People Set (from BCP)
• Minimum Process Set (from BCP)
• Asset Build-out & Testing
LOGICAL PREPARATION:
• Zero Trust Architecture*
• Identify “Inherited Trust” Points
• Mitigate Inherited Trust Points in Minimum Service Set (MSS)
• Design and Test MSS with ZTA
SUPPLY CHAIN ASSURANCE:
• The Weakest Link for Many
• Digital Suppliers Inventory
• Digital Suppliers’ Posture
• Digital Suppliers’ Contractual Obligations
• Digital Suppliers’ Assurance
* See NIST SP 207 for more information
Resources
NIST SP Body of Knowledge – 800-53, 37, 207 and more
Cloud Control Matrix (CCM) of the CSA
Regulatory Handbooks – FFIEC, NYDFS, PCI DSS, SOC…
Pawneet Abramowski, SVP, Chief Compliance Officer, Community Federal Savings Bank (CFSB)
Challenges: Preparedness of the Financial Institution
Business Continuity Plan – Is it Pandemic Specific?
• A preventive program
• A documented strategy
• A comprehensive framework of facilities, systems or procedures
• A testing program
• An oversight program to ensure ongoing review and updates
FFIEC* Highlights Pandemic Preparedness Guidance
*This guidance is an update to the 2007 Interagency Statement on Pandemic Planning as well as the “Interagency Advisory on Influenza Pandemic Preparedness” issued on March 15, 2006 by the Board of Governors of the Federal Reserve System, the Federal Deposit Insurance Corporation, the Office of the Comptroller of the Currency, and the Office of Thrift Supervision, as well as the “Letter to Credit Union 06-CU-06 - Influenza Pandemic Preparedness” issued by the National Credit Union Administration in March 2006.
Lessons Learned
• Organizations will not bypass putting compliance preparedness last
• Investment in technology to support the compliance function
• Human investment will be in key areas
• Budget and strategy will be re-reviewed to determine shifting of investment in technology to support compliance or overall operations
• Flexibility will be paramount to work with employees’ circumstances
• BE READY NOW and for ANOTHER EVENT!
Consequences of NOT being Prepared
• Delay in overall operations
• INCREASE in SPEND to get fully operational and support employees, with limited access and availability of vendors to deliver
• Ability to support 100% of workforce being remote, and spending too much time troubleshooting
• Regulatory relaxation may not be there next time around
  • FinCEN guidance on delay in SAR filings
  • FinCEN guidance on CDD – Beneficial Ownership requirements for Stimulus-related PPP loans
• Risk of being susceptible to Fraud
  • Due to remote work of all staff
  • Scammers taking advantage of circumstances
David Mclaughlin, CEO, QuantaVerse
COVID-19 Impact on Compliance Staffs
• Areas hit by COVID-19 leading to temporary shortages
• Off-shored work affected by shut-downs, forcing task repatriation
• Remote work challenges
• Increased alert volumes
Headlines cited:
• Coronavirus Sends Outsource Workers Home, Causing a Ripple Effect
• Antibribery Group Warns of Bribery Risks During Coronavirus Pandemic
• FinOps Report: “Conference calls are being cut off sometimes, video chats often don’t work, and we can’t look at multiple screens concurrently,” bemoans one AML investigator at a New York bank.
Different Levels of Preparedness
• Several: Organizations were not prepared, and scrambled to react to a critical shortage of investigators
• Many: Firms are functioning, while accruing a growing backlog of alerts which will need to be processed at some future date
• Most: FIs are keeping pace with alert volumes, but recognize a need for new contingency plans to manage any further impact
FFIEC Contingency Planning Guidance: “A comprehensive framework …that provide the organization the capability to continue its critical operations in the event that large numbers of its employees are unavailable for extended periods of time”
Investigator Contingency Plan
[Diagram: Transaction Monitoring System (TMS) feeding Detection → L1 to L3 Investigation → Reporting]
Normal systems and operations rely on expert human investigators throughout the process. Contingency planning will now require addressing this scenario.
[Diagram: TMS → QuantaVerse Alert Investigator → QuantaVerse Financial Crime Report]
QuantaVerse Alert Investigator automates and integrates every step of the investigation process, producing a Financial Crime Report.
We’ve established a contingency that is available on demand
Investigation steps covered:
• Verify Trigger
• Entity Profiling
• Related Entities
• Adverse Media
• Economic Purpose
• Non-alerted risk
• Transaction Beneficiary
For our clients that are unable to keep up with their alert volumes…
[Diagram: current alert flow] Transactions from Core System(s) or Staging Tables → Transaction Monitoring System (TMS) → Alerts → Case Mgmt Tool / CLM. An Alert Copy, the Core System(s) or Staging Tables, Customer Information Files and an Adverse Media Service (11K+ sources: open source, 3rd party content, premium datasets) feed an investigation step that the slide shows as an open question (???).
[Diagram: QuantaVerse flow] The same inputs (Alert Copy, Core System(s) or Staging Tables, Customer Information Files, Adverse Media Service) feed the pipeline Ingestion & Prep → Analytics Engine → Delivery & Decision, which produces the QuantaVerse Financial Crime Report back into the Case Mgmt Tool / CLM.
Steps shown in the pipeline:
• Collect/Clean Data
• Entity Profiling
• Entity Resolution
• Reputation Risks
• Transaction Analysis (intent/purpose)
• Risk Scoring
• Consolidated Findings via UI
• Recommendation
• Documentation & Narratives
Q & A
Speakers
Pawneet Ambramowski, SVP, Chief Compliance Officer, Community Federal Savings Bank NY
Buck Kulkarni, SVP-GRC, Alacriti Inc
David Mclaughlin, CEO, Quantaverse