Thursday, May 29, 2014

The Bank Secrecy Act – What Does It Enforce? Best Practices on How to Comply


In 1970, the Currency and Foreign Transactions Reporting Act was passed by the US Congress. It is commonly known as the Bank Secrecy Act or BSA. The Act requires US financial institutions to assist US government agencies in detecting and preventing money laundering.
Specifically, the BSA requires financial institutions to:
- Keep records of cash purchases of negotiable instruments;
- File reports of cash transactions exceeding $10,000 (daily aggregate amount); and
- Report suspicious activity that might signify money laundering, tax evasion, or other criminal activities.
The BSA requires financial institutions to have a written, board-approved compliance monitoring program. The program must:
- Provide for a system of internal controls to assure ongoing compliance;
- Provide for independent testing for compliance;
- Designate an individual responsible for coordinating and monitoring day-to-day compliance; and
- Provide training for appropriate personnel.
In addition, the implementing regulation for section 326 of the PATRIOT Act requires that every bank adopt a customer identification program as part of its BSA compliance program.
Reporting Requirements under the BSA
The BSA includes the following reporting requirements (these are administered by the US Department of Treasury's Financial Crimes Enforcement Network (FinCEN)):
- FinCEN Form 104 - Currency Transaction Report (CTR)
- FinCEN Form 105 - Report of International Transportation of Currency or Monetary Instruments (CMIR)
- Treasury Department Form 90.22.1 - Report of Foreign Bank and Financial Accounts (FBAR)
- Designation of Exempt Person Form


6 Best Practices for Complying with the BSA’s Suspicious Activity Reports Requirement

1. Implement a Proper Monitoring and Reporting System
2. Use the Appropriate Method to Identify Unusual Activity
3. Identify the Underlying Crime
4. Document the SAR Decision Making Process
5. Submit Forms that Are Thorough and Complete
6. Ensure Reports Are Filed within the Required Time Period

Expert Q&A - Computer System Validation

Q - Is it mandatory that system requirements be high level and functional specifications be detailed?

Ans - There is no specifically defined procedure for validation. Different processes and terminologies come under validation. Instead of using different terms like functional requirements, user requirements, functional specs, user specs, design specs, configuration specs, IT requirements, regulatory requirements, it is advised to mention everything as “system requirements”. The FDA does not care whether the requirement for the system came from the vendor, IT department or QA department. Hence, rather than worrying over trying to segregate these various compartments of requirements, mention everything as “requirements”. The requirements must be written in sufficient detail such that they are complete, accurate and testable. So very high level requirements really would be the type of thing that you might have when you evaluate a vendor, but requirements for validation projects should be concise and testable.

Q - What are the procedures for retrospective validation of systems that have been in production for five to 20 years?

Ans - “Retrospective validation” is an invalid term and should not be used, as validation is a point-in-time process and systems change over time, as do the network, users and procedures. If you have a system that has been in production, rather than calling it “retrospective validation”, mention that you are going to validate your system. In the validation plan, indicate that the system has been in use successfully for “X” number of years, give some good rationale for why it was not validated, and indicate that you are going to validate it.
The FDA always allows us the latitude to become more compliant. In this particular case, in your regular validation plan indicate that the system has been in use successfully but you recognize the need for validation and as such record the requirements just like you would for any system. You may have some installation records at the company already that you could use for your installation qualification. Go through the process as you would for the new system.


Q - When data are entered into a database, does that constitute a change? How do you determine when change control should be documented for system changes?

Ans - When data are entered into the system, it does not constitute a change. When you set up a system or when you install your computerized system, you are going to establish the baseline configuration of that system. All the software, hardware and interfaces will be documented, as well as the configuration choices. Any subsequent change to that baseline configuration can only be done through change control. But data are not part of your baseline configuration, and adding data to a system does not constitute change control. But any change to your documented baseline configuration which you establish at installation would be subject to change control.

If you have more questions, please inbox me at mycomplianceblog@gmail.com. I will post questions and answers of experts here.

What are Suspicious Activity Reports and Who Should File?


The BSA also requires every US national bank to file a Suspicious Activity Report (SAR) when it detects certain known or suspected violations of federal law or suspicious transactions related to a money laundering activity or a violation of the BSA. A SAR filing is required for any potential crimes:
- involving insider abuse regardless of the dollar amount;
- where there is an identifiable suspect and the transaction involves $5,000 or more; and
- where there is no identifiable suspect and the transaction involves $25,000 or more.
A SAR filing is also required in the case of suspicious activity that is indicative of potential money laundering or BSA violations and the transaction involves $5,000 or more. A customer must not be informed that a SAR related to his transactions is being filed.
In the BSA/SAR context, a “transaction” includes any of the following:
- a deposit;
- a withdrawal;
- a transfer between accounts;
- an exchange of currency;
- an extension of credit;
- a purchase or sale of any stock, bond, certificate of deposit, or other monetary instrument or investment security; or
- any other payment, transfer, or delivery by, through, or to a bank.
The law requires the following institutions to file SARs:
- Depository institutions
- Money Service Businesses (MSBs)
- Casinos and card clubs
- Securities and futures industries
- Insurance companies
- Mutual fund operators

Schedule of Penalties by OSHA



Typically, when an employer has violated any rules or standards related to OSHA, OSHA sends a citation and proposed penalty by registered email, and the employer must post a copy of the citation at the place of violation for at least 3 days or until the violation is rectified.

Below are a few examples of violations and the penalties associated with them.

- Other-Than-Serious Violation — A violation that has a direct relationship to job safety and health, but probably
  Minimum $0 / Maximum $1,000
- Serious Violation: Minimum $1,500 / Maximum $7,000
- Willful Violation: Minimum $5,000 / Maximum $70,000
- Willful Violation (results in death): Individuals $250,000 + 6 months jail / Corporation $500,000 + 6 months jail
- Willful Violation – Egregious Multiplier: Willful penalties are applied on a violation-by-violation basis or employee-by-employee exposure.
- Repeat Violation: Maximum $70,000
- Failure-to-Abate: Up to $7,000 a day for each day the violation continues beyond the abatement date
- Falsifying records or making false statements: $10,000 fine or up to 6 months jail or both
- Violating Posting Requirements (failure to post OSHA poster, OSHA 300 Annual summary, citations, etc.): Maximum $7,000
- Failure to report fatality/catastrophic event within 8 hours: Minimum $5,000
- Providing advance notice of inspection: $1,000 fine or up to 6 months jail or both


Wednesday, May 14, 2014

Is obesity a “disability” under the ADA (Americans with Disabilities Act)?

A federal court judge, the Honorable Stephen N. Limbaugh, Jr. of the Eastern District of Missouri, recently ruled, in Whittaker v. America’s Car-Mart, Inc., that an employee’s severe obesity could constitute a “disability” under the Americans with Disabilities Act.

The plaintiff, Joseph Whittaker, alleged that America’s Car-Mart discharged him from his General Manager position because of his severe obesity and because his employer regarded him as being substantially limited in the major life activity of walking. Whittaker further contended that he was able to perform all of the essential functions of his job, with or without an accommodation. America’s Car-Mart moved to dismiss Whittaker’s disability discrimination claim on the grounds that severe obesity is not a “disability” under the ADA in the absence of an underlying physiological disorder.

Judge Limbaugh rejected America’s Car-Mart’s argument, keeping Whittaker’s case alive. The Court explained that America’s Car-Mart improperly relied on: (a) outdated case law based on the more restrictive approach that was applied before Congress passed the Americans with Disabilities Amendments Act of 2008; and (b) a statement in the EEOC’s Interpretive Guidance that “except in rare circumstances, obesity is not considered a disabling impairment,” which has since been omitted following the passage of the ADAAA. Judge Limbaugh pointed out that the EEOC takes the position that severe obesity is a disability under the ADA and does not require proof of an underlying physiological disorder.

Recent EU privacy ruling - effect on search engine operations

Europe's top court ruled that Google Inc. can be forced to erase links to content about individuals on the Web, a surprise decision that could disrupt search-engine operators and shift the balance between online privacy and free speech across Europe.

Individuals can request that search engines remove links to news articles, court judgments and other documents in search results for their name. National authorities can force the search engines to comply if they judge there isn't a sufficient public interest in the information, the court ruled.
The ruling could lead to a massive wave of takedown requests that would swamp companies and privacy regulators with legal costs, while whitewashing the public record. It also will not help analysts or other firms that make a living by crawling data from the internet, analyzing it and presenting it in a consumable format, as much of that data will no longer be available.

China's Data Privacy Laws pose challenge to FCPA compliance

Multinational companies face a different challenge if they are operating in China. Under the FCPA they need to do due diligence on their vendors and suppliers, which requires some personal data about the principals. On the other hand, because China has 13 different data privacy laws, it is difficult to tell while doing due diligence whether any of those laws are being broken. When doing due diligence, companies need to engage a company that understands data privacy regulations, as the Chinese government closely monitors those involved in due diligence in a manner similar to its monitoring of journalists.

To reduce the risk of violations and comply with the Chinese law, multinationals borrow data privacy concepts that use an inclusive definition of personally identifiable information, including an individual's name, resident identity cards, driver's license numbers, birthplace, telephone number and birthday, and possibly more. Corporations also need to obtain the consent of individuals included in the due diligence effort and, in general, only collect information that would be available to the subjects themselves.

http://www.reuters.com/article/2014/05/13/idUSnMKWLjMsya+1e8+MKW20140513

New Drug Application - Japan


Japan Post marketing safety plan for drug companies


Drug Development Process in Japan