Regulatory Compliance in Finance

Explore top LinkedIn content from expert professionals.

  • View profile for Soups Ranjan

    Co-founder, CEO @ Sardine | Payments, Fraud, Compliance

    33,540 followers

    Today we’re presenting the findings from our clients using AI agents, in production for 3 months. We can cut customer wait times stuck in a KYC/sanctions queue from 20 days to 2 minutes. This is a huge unlock for anyone onboarding customers.

    “Compliance Officer” is the 5th fastest growing occupation in the United States! Major banks average 307 employees just for KYC alone, yet can't hire more compliance officers fast enough. More than headcount, this costs customers and revenue.

    We deployed AI agents in production environments at multiple financial institutions for 3+ months and show AI Agents can meaningfully improve KPIs:

    - For one FI, the daily backlog was 14 hours and they couldn't keep up with it.
    - So the backlog kept growing
    - As did the average customer wait time stuck in a queue, to 20 days.

    Using Agentic AI, we were able to

    - Automate majority (95%) of the cases and
    - bring down daily backlog to 41 minutes (from 14 hours).
    - Most importantly, avg customer wait time went down drastically to 2 minutes.

    Perhaps the most counterintuitive finding. Agentic AI when trained and deployed according to our framework, can be more accurate than humans. We found AI agents follow operating procedures in 100% of cases vs <95% for humans. Humans never follow SOP to the minute details and with rote work, they are more error prone.

    FI's rightly worry, what about hallucination? What about data privacy? Will the regulator allow it? These live, production data points are all within existing regulatory frameworks (SR 11-7 compliant).

    Our Agentic Oversight Framework maintains complete human accountability while delivering:

    - Alignment to Standard Operating Procedures (SoPs)
    - A full audit trail of every data element accessed
    - A full, explained decision rationale, reviewed before every case is progressed
    - Continuous learning from expert reviewers
    - Automated drift detection and safeguards

    The white paper is a playbook for how financial institutions can safely implement agentic AI while fully complying with regulatory requirements. Real results. Real institutions. Real transformation.

    You might ask: what is AI about all of this and how's it different from ML and rules based systems. In short, rules systems are rigid but Agentic AI can adapt. All those details in the white paper:

  • View profile for Matthew Hedger

    Partner at Artemist Advisory Group | Former CIA Officer | Keynote Speaker and Expert in Anti-Money Laundering, Insider Risk and Organized Crime.

    4,119 followers

    Convenience Comes at a Cost: TD Bank’s $3.1B Money Laundering Lesson  The phrase “America’s Most Convenient Bank” has taken on an unintended meaning for TD Bank. A rapid expansion strategy made TD a household name, but it also left the door wide open for money launderers—resulting in a historic $3.1 billion in fines and a guilty plea for conspiracy to commit money laundering.  From Chinese fentanyl dealers to Colombian drug traffickers, TD became the financial institution of choice for criminals due to its permissive policies, undertrained staff, and cost-cutting compliance failures. Even internal employees flagged concerns—one message bluntly stated, “How is this not money laundering?” The answer? ….. It was. 🌎 The Bigger Picture: A Growing Insider Threat  This case isn’t just about one bank—it’s a wake-up call for the entire financial industry. The TD debacle highlights a disturbing trend of insider threats, where bank employees, whether negligent or complicit, play a key role in enabling financial crime. With over two dozen individuals charged, including TD insiders, this case underscores the urgent need for training, and externally-developed bespoke insider threat programs.   💡 Key Takeaways: 🥱  People are Always the Soft Spot – Even the most sophisticated detection systems can’t prevent fraud if employees are complicit. Insider threats are the biggest blind spot in banking security. 🤼  Culture Over Controls – Compliance isn’t just about technology; it’s about instilling a culture where employees won’t turn a blind eye—or worse, actively assist criminals. Training, ethics, and internal accountability must be as strong as any AI-powered monitoring system. 🔥  Fraud Thrives on Convenience – Criminals exploit gaps in oversight, and when employees prioritize speed or customer experience over compliance, banks become an easy target. Internal teams must be empowered (and incentivized) to prioritize security over simplicity. 
🤝 Trust, But Verify – Rigorous internal audits, anonymous whistleblower programs, and proactive behavioral analysis are essential to catching insider threats before they spiral into billion-dollar liabilities. Ambition isn’t the enemy—blind ambition is. Expansion itself isn’t the problem; charging forward without anticipating and mitigating the human risks that come with it is. 💸 TD’s U.S. operations are now handcuffed by an asset cap, and its reputation is in freefall—a stark reminder that convenience without accountability isn’t just reckless, it’s expensive. #Banking #Compliance #MoneyLaundering #FinancialCrime #RiskManagement #AML

  • View profile for Matthew Rosenquist

    Founder Cybersecurity Insights, CISO at Mercury Risk, former Intel Corp, Cybersecurity Strategist, Board Advisor, Keynote Speaker, 196k followers

    196,518 followers

    SEC is Not Accepting Half-Truths! The U.S. Securities and Exchange Commission has fined four major companies for materially misleading investors regarding cyberattacks. Regulatory actions have been brought against Unisys, Avaya, Check Point Software, and Mimecast for their purposeful decisions to not clearly inform customers and shareholders of the attacks and breaches they suffered as part of the SolarWinds cyberattack. The SEC concluded that these companies were purposely vague by framing their #cybersecurity risk factors hypothetically or discussing them in generic terms, even after knowing the issues were present and material. Reporting material issues to shareholders is a requirement for public companies, so investors will have the same information to make decisions as the insiders of the company. Jorge G. Tenreiro, acting chief of the Crypto Assets and Cyber Unit, warned that “downplaying the extent of a material cybersecurity breach is a bad strategy”. The result of this investigation is that Unisys Corporation is fined $4 million as a civil penalty for misleading disclosures and a failure to maintain proper controls over its public statements. Check Point, Avaya, and Mimecast were fined close to $1 million each for similar reasons. The message to boards, C-suites, and especially Chief Information Security Officers (CISOs) is clear – report material breaches as required by the governing regulations. Misleading or false statements are not acceptable. Sanjay Wadhwa, Acting Director of the SEC’s Division of Enforcement, stated “…while public companies may become targets of cyberattacks, it is incumbent upon them to not further victimize their shareholders or other members of the investing public by providing misleading disclosures about the cybersecurity incidents they have encountered” Security must be seen as a center of trust. Ethical representations of risks and impacts are the foundation. 
This includes messages and formal notifications to shareholders and customers. CISOs must recognize their new responsibilities and actively navigate conflicts of interest they experience, and honor their duties. SEC Press Release: https://lnkd.in/geRFcW7N

  • View profile for Brandi Reynolds, CAMS-Audit, CCAS

    AML/Financial Crimes | CCO | Consumer Compliance | FinTech & Virtual Assets Compliance | Risk Management |

    9,847 followers

    Free Resource Friday! If 2024 has taught us anything, it’s that fraud remains one of the most critical compliance challenges we face today. From APP fraud to synthetic identity scams, money muling, and cross-border fraud, financial criminals are evolving faster than ever. For compliance professionals, fraud risk assessment is no longer optional—it’s a must-have for proactive risk mitigation, regulatory alignment, and reputational protection. 🔍 ACAMS has released a FREE best practice guide on Fraud Risk Assessment, offering: ✔️ A step-by-step methodology for conducting robust fraud risk assessments ✔️ Insights into emerging fraud threats and trends ✔️ A risk prioritization matrix to help organizations focus on high-impact risks ✔️ Strategies to break down silos and create a multi-disciplinary fraud risk approach ✔️ Real-world examples, frameworks, and a fraud risk register template 💡 Key takeaway? Fraud is not just an AML issue—it’s an enterprise-wide risk. Organizations that embed fraud risk assessments into their compliance framework will be better equipped to handle regulatory changes and reduce financial crime exposure. #FraudPrevention #Compliance #RiskAssessment #ACAMS #FinancialCrime

  • You Want To Control Your Own Data? You Can't Handle Your Own Data!

    The CFPB's 1033 rule aims to empower consumers by granting them access to and control over their financial data. But that assumes that we have the knowledge, resources, and capacity to manage such complex responsibilities. This assumption is problematic for a number of reasons:

    1️⃣ 𝗘𝗱𝘂𝗰𝗮𝘁𝗶𝗼𝗻 𝗴𝗮𝗽. Managing financial data involves understanding things like data security, third-party provider credentials, and consent agreements. But, as so many people here like to point out, we have a financial literacy (or illiteracy) problem in the US. Many consumers lack formal education in financial literacy or cybersecurity, making them vulnerable to exploitation or mismanagement of their data.

    2️⃣ 𝗢𝘃𝗲𝗿𝘄𝗵𝗲𝗹𝗺𝗶𝗻𝗴 𝘃𝗼𝗹𝘂𝗺𝗲 𝗼𝗳 𝗱𝗮𝘁𝗮 𝗮𝗻𝗱 𝗽𝗿𝗼𝘃𝗶𝗱𝗲𝗿𝘀. Many consumers--particularly younger ones--interact with upward of a hundred financial providers. Constantly monitoring, authorizing, and renewing consent for multiple providers will create an unsustainable load for the average consumer. Revoking data access requires knowledge of the process and vigilance to ensure that 3rd parties no longer have the data. Many consumers simply won't spend the time to track these activities.

    3️⃣ 𝗩𝘂𝗹𝗻𝗲𝗿𝗮𝗯𝗶𝗹𝗶𝘁𝘆 𝘁𝗼 𝗱𝗮𝘁𝗮 𝗽𝗿𝗶𝘃𝗮𝗰𝘆 𝗿𝗶𝘀𝗸𝘀. Many consumers are unaware of how their data may be used once shared. PII isn't even needed anymore for marketers to accurately individual consumers. Providers could use data for purposes like targeted advertising or profiling, potentially violating consumer expectations.

    4️⃣ 𝗜𝗻𝗮𝗯𝗶𝗹𝗶𝘁𝘆 𝘁𝗼 𝗮𝗱𝗱𝗿𝗲𝘀𝘀 𝗱𝗮𝘁𝗮 𝗯𝗿𝗲𝗮𝗰𝗵𝗲𝘀. While there are some good tools available today, most consumers lack the resources to track and resolve data breach issues. Financial recovery, identity restoration, and credit monitoring require expertise and time that many consumers do not have.

    To address these challenges, the industry needs:

    ▶️ 𝗦𝘁𝗮𝗻𝗱𝗮𝗿𝗱𝗶𝘇𝗲𝗱 𝗰𝗲𝗿𝘁𝗶𝗳𝗶𝗰𝗮𝘁𝗶𝗼𝗻𝘀. While 1033 rule requires the secure handling and sharing of consumer data, it doesn't include a formal certification process or licensing requirement.

    ▶️ 𝗘𝗻𝗵𝗮𝗻𝗰𝗲𝗱 𝗱𝗲𝗳𝗮𝘂𝗹𝘁 𝗽𝗿𝗼𝘁𝗲𝗰𝘁𝗶𝗼𝗻𝘀. Instead of placing the responsibility on consumers, FIs should implement security measures like automatic consent expiration and granular access settings.

    While Section 1033 aspires to give consumers control, it places an excessive burden on individuals to manage complex data-related responsibilities. Ironically, without additional safeguards and educational measures, the rule risks empowering only the most informed and resourced consumers, leaving others--i.e., those 1033 was designed to help the most--more, not less, vulnerable.

  • View profile for Bruce Richards

    CEO & Chairman at Marathon Asset Management

    38,931 followers

    Weighing You Down: The new Capital Requirements proposed under Basel III Endgame will prove onerous for Banks & Borrowers, alike. Today, I examine the Commercial Real Estate sector since this asset class is highly reliant on banks (and vulnerable) and the CRE market is contending with a huge pending maturity wall. Banks account for ~50% of the CRE debt market, representing the largest collective lender to CRE - this equates to nearly $3T in the U.S. alone. Below, I have constructed a table that very clearly states (my source from various federal documents that include: Note 20.86 on the Basel Framework (BIS) & Page 164 of September 2023 FDIC Proposed Rules notice) how a bank must measure its cash reserve requirements (CRR) for a given loan. Notice the change in risk weightings required for a given LTV. For a given loan, ~+20% higher risk weighted capital will be required that will soon be subject to this new measurement for risk. The bank lender will be required to hold additional capital for a given loan, or alternatively, simply extend less credit when writing a new loan as they apply more conservative detachment points (e.g. $50M loan vs. $100M asset value which is 50% LTV vs 80% LTV previously). If the bank does not want to increase its CRR, it must reduce the amount of credit it extends for a given asset/borrower. The delta is stark; this is a paradigm shift that will crack the door wide open for Private Credit Lenders. Banks will differentiate, take a more discerning eye when extending credit, with greater discipline going forward under Basel III Endgame. The new Basel III Endgame capital guidelines required by federal banking regulators and implemented in 2025 will break down risk-weighted assets by blending what is considered senior-secure risk v. unsecured risk (within a single unitranche loan). 
Regulators are confident that by imposing stricter capital requirements and more onerous stress tests when reporting liquidity, assets, operations, capital requirements, large banks (30 banks in U.S. with assets greater than $100B) will become less risky and less prone to failure. Banks are with their regulators to push back on Basel III Endgame capital charges; I am sure Banks will find a middle-ground with their regulators, but it will still result in additional and significant costs and more conservative lending practices. Private Credit firms such as Marathon Asset Management will provide a critical role in filling the void, to partner with banks and originate a plethora of investment opportunities that arise: - Mezz debt loans to fill the capital gap as banks roll loans at lower LTVs - Private Credit gaining more market share as banks reduce ABL exposure, for all ABL segments (not just CRE) - Asset Sales by banks - CRT/SRT transactions as private capital allows banks to offload risk - Private Capital & Bank Investment - Management Partnerships The current ratios vs. the proposed ratios are starkly contrasted in this table below:

  • View profile for Natasha I. Kiemnec, ARM

    Managing Partner & Co-founder of LION Specialty | Global Financial Institutions & Private Equity Broker | Classical Certified Pilates Instructor

    4,011 followers

    What happens when a global bank becomes the weak link in the fight against financial crime? In 2024, TD Bank was fined $3 billion after failing to detect hundreds of millions in laundered money—making them the first major bank to plead guilty to criminal conspiracy. The lapse wasn’t small. From 2018 to 2024, TD failed to screen 90% of transactions. That’s $18.3 trillion moving through with inadequate oversight. Criminal organizations saw the gap—and moved fast. They structured deposits to bypass alerts. In some cases, TD employees were allegedly involved. Over $670 million in illicit funds flowed through compromised accounts. The fallout was severe: → $3B in fines → Five years of probation under independent monitors → Shareholder lawsuits → Dividend restrictions and compensation clawbacks → 41 senior leaders had pay slashed But instead of collapse, TD responded with transformation. They committed $500M to rebuild compliance from the ground up. Their recovery had three pillars: 1. Technology Overhaul → AI and machine learning to flag laundering patterns → Real-time monitoring of transactions across all channels 2. Organizational Restructuring → A new Chief Compliance Transformation Officer reporting to the top → Compliance headcount tripled—from 1,200 to 3,600 experts 3. Cultural Reset → Training rolled out to all 90,000+ employees → Stronger whistleblower protections → Pay tied to compliance performance across business lines The shift delivered fast results: → SAR filings jumped 340% in Q1 → 12,000 high-risk accounts were identified and closed → TD exited entire business lines that posed elevated risk 3 Takeaways for Financial Institutions: 1. Regulatory risk isn’t a legal issue—it’s an existential one 2. Proactive systems detect what policies miss 3. Culture determines whether red flags get surfaced—or buried — Thanks for reading! I’m Natasha Kiemnec. 
After 15+ years brokering insurance for top financial institutions, I’m now bringing that same platform to underserved firms who deserve equal service. Want the same elite protection that Fortune 500 banks enjoy? Join 5K+ financial leaders who rely on our weekly newsletter to stay ahead of the competition: https://lnkd.in/garzxSxG LION Specialty. The leader in institutional insurance. 🦁

  • View profile for Troy Fine

    SOC 2 Auditor | Cybersecurity Compliance

    37,897 followers

    Get your🍿ready! 🚨 SEC Adopts Rules on Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure by Public Companies 🚨 The new rules will require registrants to disclose on the new Item 1.05 of Form 8-K any cybersecurity incident they determine to be material and to describe the material aspects of the incident's nature, scope, and timing, as well as its material impact or reasonably likely material impact on the registrant. An Item 1.05 Form 8-K will generally be due four business days after a registrant determines that a cybersecurity incident is material. The disclosure may be delayed if the United States Attorney General determines that immediate disclosure would pose a substantial risk to national security or public safety and notifies the Commission of such determination in writing. The new rules also add Regulation S-K Item 106, which will require registrants to describe their processes, if any, for assessing, identifying, and managing material risks from cybersecurity threats, as well as the material effects or reasonably likely material effects of risks from cybersecurity threats and previous cybersecurity incidents. Item 106 will also require registrants to describe the board of directors’ oversight of risks from cybersecurity threats and management’s role and expertise in assessing and managing material risks from cybersecurity threats. These disclosures will be required in a registrant's annual report on Form 10-K. 👉 The final rules will become effective 30 days following publication of the adopting release in the Federal Register. 👉 The Form 10-K and Form 20-F disclosures will be due beginning with annual reports for fiscal years ending on or after December 15, 2023. 👉 The Form 8-K and Form 6-K disclosures will be due beginning the later of 90 days after the date of publication in the Federal Register or December 18, 2023. 
👉 Smaller reporting companies will have an additional 180 days before they must begin providing the Form 8-K disclosure.

  • View profile for Matthew Hogan, MS

    🛡️ Financial Integrity Guardian 🌎☘️Operation Shamrock 💸Seasoned Fraud & Cryptocurrency Investigator 💻Product tester 👩🦳Elder Financial Fraud Advocate🎙️Speaker ⚖️ Legislative Policy Advisor 🦁Leadership/Growth Nerd

    4,898 followers

    🗞️🛢️How is this not a BIGGER story?!

    The Jensen Family Case: A Masterclass in Modern Financial Crime Detection

    The recent federal indictment of the Jensen family reveals a sophisticated $300 million oil smuggling operation that highlights critical lessons for our industry.

    Key Investigative Insights:

    🔍 The Operation’s Sophistication:
    - 2,881 fraudulent shipments over 3 years (May 2022-2025)
    - Falsified customs documents labeling stolen crude oil as “waste lube oils” and “petroleum distillates”
    - Strategic use of Arroyo Terminals in Rio Hondo, TX—just 30 miles from the Mexican border
    - Multi-jurisdictional complexity spanning Utah, Texas, and Mexico

    💰 Financial Crime Red Flags That Should Have Triggered Earlier Detection:
    - $47+ million in suspicious transfers to “Mexican businesses”
    - Rapid asset accumulation: $9.1M Utah mansion, $300M in total assets
    - Cash-intensive business model in a typically credit-based industry
    - Geographic anomaly: Utah residents operating border infrastructure

    🚨 The Cartel Connection Evolution: What started as a Drug Enforcement Administration trafficking investigation evolved when investigators discovered the family was providing material support to CJNG (Cartel de Jalisco Nueva Generación)—recently designated as a Foreign Terrorist Organization. This case represents a new frontier: charging enablers under terrorism statutes.

    Lessons for Financial Crime Professionals:
    1. Geographic Inconsistencies Matter: Utah-based ownership of Texas border operations should trigger enhanced due diligence.
    2. Document Verification is Critical: The systematic mislabeling of crude oil as waste products shows how commodity classifications can be weaponized.
    3. Cross-Border Transactions Require Extra Scrutiny: Especially when involving regions with known criminal organization presence.
    4. Asset Accumulation Patterns: Rapid wealth accumulation inconsistent with declared business models should always be investigated.
    5. Industry Knowledge is Essential: Understanding that stolen PEMEX crude was being laundered through legitimate U.S. energy markets required sector expertise.

    The Bigger Picture: This case demonstrates how traditional money laundering has evolved into complex, multi-billion dollar operations that fund terrorism and destabilize energy markets. The $11.9 billion global black market in crude oil isn’t just about profit—it’s about national security.

    🏦For our industry: This reinforces why robust Know Your Customer (KYC) procedures, Suspicious Activity Reporting (SAR), and cross-border transaction monitoring are not just compliance exercises—they’re national security imperatives.

    The Jensen case will likely become a landmark prosecution showing how terrorism financing charges can be applied to seemingly legitimate businesses that enable cartel operations.

    New York Post article 👉🏼https://shorturl.at/NtUZi

    Operation Shamrock Airdropd Anchorage Digital Wave Digital Assets CT Digital Forum BioCatch

  • View profile for Brian Levine

    Cybersecurity & Data Privacy Leader • Founder & Executive Director of Former Gov • Speaker • Former DOJ Cybercrime Prosecutor • NYAG Regulator • Civil Litigator • Posts reflect my own views.

    14,058 followers

    Last week, I posted a District Court decision in SEC v. SolarWinds (SW). See https://lnkd.in/esRfTmJF. One key takeaway from that decision for CISOs and SEC Registrants is that if organizations state publicly that they have particular security controls, courts may find an implied assumption that those controls are fully enforced, working effectively, and have no notable exceptions.

    For example, on its website security statement, SW described its "access controls," including standard statements about having "role based access controls" (RBAC) and the "principle of least privilege." Op. at 53. The Court, however, found these statements would be materially misleading if SW "was routinely promiscuous in freely granting administrative rights . . . and conferring access rights way beyond those necessary." Id.

    In other words, even though SW may have legitimately had the stated controls in place generally, it was sufficient for the SEC to allege that these controls were not fully effective or uniformly enforced, and contained notable exceptions. It is this takeaway that may cause some concern to the security community, because it may be the exception, rather than the rule, to find a flawless security control (i.e., one that is fully enforced with no exceptions, and no weaknesses). Given this reality, here are five practical steps one can take to mitigate legal risk:

    1. AVOID UNNECESSARY PUBLIC STATEMENTS ABOUT SECURITY: If you are a public company, anything discussed on your website, blog, or other public location may be the basis for a securities fraud claim. Op. at 51. Consider providing detailed security information directly to customers and potential customers on request, rather than making it public.

    2. INCLUDE APPROPRIATE CAVEATS: Consider routinely including statements like, "While the organization has implemented different security controls, it is always an ongoing effort to improve the effectiveness, enforcement, and consistency of application of these controls." See also https://lnkd.in/gTNU5kaK.

    3. AVOID PUFFERY: The Court did dismiss certain claims where the statements constituted "non-actionable corporate puffery"--statements "too general to cause a reasonable investor to rely on them." Op. at 68. Be careful, however, because reasonable minds can disagree about whether a statement is general "puffery" or an actionable misstatement, and the question is sometimes left for juries.

    4. BE THOUGHTFUL WITH INTERNAL COMMUNICATIONS: Much of the SEC's case was made by corporate emails, slide decks, and other internal communications that may not have been worded as carefully as possible. I provided guidance on internal communications here: https://lnkd.in/gtn4TXbb

    5. PROVIDE CISOS WITH PROPER PROTECTIONS: Litigating such enforcement actions can cost millions of dollars and have significant consequences. Make sure your CISO is adequately protected. See my specific guidance here: https://lnkd.in/eadkTEdG.
