Navigating the Waters of Compliance: Overcome the complexities of today's regulatory landscape and protect your business against emerging threats
Fostering a culture of risk and compliance management where continuous improvement is valued and feedback actively sought after to refine the strength of the risk and compliance program helps a company proactively have strong mitigants against risk.
– Anthony Rodriguez, Chief Compliance Officer, Corpay Cross-Border
In our interview, Anthony Rodriguez, Chief Compliance Officer at Corpay Cross-Border, offers insight into his experience and outlines the various compliance obligations businesses have today. Anthony shares tips on recognizing business email compromise (BEC) threats; complying with standard reporting requirements; how your business might benefit from the US Corporate Transparency Act (CTA); and implementing effective sanctions compliance programs within your organization. Anthony covers these critical topics to help readers better understand best practices, and encourage companies to overcome compliance challenges and implement actionable solutions. Read on to learn how to navigate the (often choppy!) waters of compliance – and be better prepared to weather any storms!
Anthony’s compliance and regulatory expertise
Q: Could you share your background in compliance and regulatory affairs?
I have over 20 years of experience in the money service business and fintech sectors and have been at the forefront of addressing financial crime and regulatory compliance challenges.
My journey has taken me across continents, securing licenses in North and South America, Europe, and Asia, and allowing me to hone my skills in anti-money laundering, global economic sanctions, privacy, and regulatory corporate compliance. I've led teams around the globe, managed complex compliance initiatives, and implemented cutting edge technologies for transaction monitoring and sanctions screening.
In addition to my current role at Corpay, I serve on the Advisory Board of the Henry C Lee College of Criminal Justice and Forensic Science at the University of New Haven. I’m a representative on the Advisory Board of the Association of Certified Anti Money Laundering Specialists. I also hold qualifications as a certified public accountant, a certified anti-money laundering specialist, and several more, which underscores my commitment to excellence in this ever-evolving field.
The threat of Business Email Compromise and how to stay protected
Q: Today it’s common for people to get spam emails, both personally and professionally, but what defines Business Email Compromise (BEC)? Why is it a significant threat to corporations?
BEC is a sophisticated scam that exploits the trust within corporations’ communication structures. It usually targets companies engaged in wire transfers, and dealing with both domestic and foreign suppliers. Through computer intrusion the attackers compromise legitimate business email accounts to conduct unauthorized transfers. Scams such as this affect all sizes of transactions and have led to significant financial losses over the last 10 years. Sophisticated BEC scams have resulted in approximately US$51 billion of losses to businesses worldwide between 2013 and 2022.[1]
Q: How can organizations detect and respond to early signs of BEC attempts?
To detect BEC isn't always easy, but organizations can employ strategies like monitoring their emails to detect altered extensions, scrutinizing for changes in language or payment details, and by being wary of emails demanding urgent action. It’s important for employees to be alert to when something feels slightly off, especially when it involves an unusually high-value transaction.
When in doubt, the best way to detect possible scams is to verify through direct contact. Calling your supplier and verifying whether they have made a change to their banking information or their email address is a critical response strategy for discovering these scams.
The foundation of this defense is about training your employees, and enabling the staff to be able to identify and challenge anything that seems to be suspicious from their day-to-day activities.
Q: Can you recommend other effective strategies for businesses to protect against BEC?
Protective measures against BEC attacks require a blend of employee education, stringent internal controls, and at times, advanced technology training programs. The proper training equips employees with the ability to spot the signs. And corporations can apply technology defenses, which include email authentication protocols to counter email spoofing, and a dual approval process when processing transactions over a certain amount of money.
Q: Could you share a typical BEC incident, and the lessons that you've learned from it?
Typically, email fraud is used to trick an employee into sending money or divulging some sort of confidential information. What the attackers often do is pose as trusted figures to initiate fraudulent activities. The attackers dupe people by sending a fraudulent email mimicking the CEO, for example, which then leads to an unauthorized wire transfer and significant financial losses.
The attackers use the power of the CEO role and combine that with their ability to spoof emails to convince employees that their requests are legitimate. So the lesson to be learned here is this: when an employee gets an urgent request that seems unusual, they should stop and not hesitate to verify whether it is in fact a legitimate transaction. The biggest lesson I've learned is the power of a callback. The extra couple of minutes taken to do that verification will often save companies hundreds of thousands of dollars. It’s better to be safe than sorry.
Complying and benefiting from the US Corporate Transparency Act
Q: Can you explain the Corporate Transparency Act, and its importance for business in general?
The CTA is focused on US businesses. It's a significant piece of legislation aimed at combating illicit activities such as money laundering, terrorist financing, and other financial crimes. It requires certain US businesses to report beneficial ownership information to the Financial Crimes Enforcement Network, also known as ‘FinCEN’. However, not all businesses are required to file a Beneficial Ownership Information Report (BOI).
For example, large operating companies, defined as those with at least $5,000,000 in revenue and more than 25 full-time employees, are exempt if they file a business tax return. Additionally, tax-exempt entities under IRS code section 501(c) are not obligated to submit a BOI report. Therefore, businesses need to carefully review their status and, most importantly, seek professional advice to determine their reporting obligations.
The CTA enhances transparency for businesses within the corporate structure. It’s a critical tool in closing loopholes that have allowed bad actors to conceal their identities and engage in illicit activities through US entities.
Q: What are the reporting obligations under the CTA and who is really affected?
Under the CTA, corporations, limited liability companies, and similar entities must provide FinCEN with information on their beneficial owners. ‘Beneficial owners’ are natural persons who own and control the company, so they must report their role to newly formed and existing entities. Again, there are exceptions for publicly traded companies and others like Corpay, who are regulated by a licensing regime.
On March 1, 2024, a federal district court in Alabama ruled that the CTA is unconstitutional.[2] FinCEN stated that it will continue to implement the act, so companies should comply as litigation continues.
Q: And does this translate across countries?
Good question. The United States is one of the last countries in the world to establish a beneficial ownership registry. For example, in the UK, corporations must report their information to a local registry, a government agency called ‘Companies House’.
By enforcing the CTA, the US is catching up to the rest of this world. On a global scale, recommendations come out of international audit organizations such as the Financial Action Task Force. FATF is an international organization that sets standards for anti-money laundering and counter terrorist financing.
Q: What steps should US businesses take to ensure compliance with the CTA?
It's important for newly formed businesses to adhere to timely compliance. When you determine your business falls under the reporting requirements, filing a Beneficial Ownership Information report is a straightforward process.[3]
You can establish internal procedures to ensure that information remains up to date, provide light training for your staff, and monitor the regulations for further guidance too.
The importance of implementing effective sanctions compliance programs
Q: A hot topic right now in today's global economy: Sanctions. Could you address how businesses can ensure compliance?
The attention is certainly on sanctions, and there are critical aspects that businesses need to consider. Now more than ever, businesses need to adopt a risk-based approach to sanctions, implementing robust internal controls and conducting thorough due diligence checks.
In many cases, companies aren't accustomed to taking such measures. However, when you're doing business internationally and conducting supplier due diligence anyway, make sure to add sanctions compliance to your checklist.
Q: How can companies ensure that they comply with both US and international sanctions?
The first step for companies to ensure compliance is seeking legal advice when they come across potentially complex sanctions regulations.
Secondly, they need to stay informed about sanctions developments. The latest updates are available through the Office of Foreign Assets Control (OFAC) in the US, and from international governing entities like the United Nations and the European Union. The OFAC, in conjunction with the Bureau of Industry and Security (BIS), also puts out guidance regarding certain products that are sold and exported globally.
Companies doing business internationally also need to consider implementing a sanctions program. That includes policies, procedures and controls tailored to the company’s specific risk. There are some free sanctions tools and resources available. The OFAC in the US provides a sanctions list search tool, and they have training videos on their website.
The EU Sanctions Map is a helpful website that provides access to the names included in all the different EU sanctions lists. The UN provides a searchable sanctions list on their website. The UK Office of Financial Sanctions Implementation (OFSI) also maintains lists and resources. Canada too has a searchable sanctions database.
Depending on where you are in the world, you would use the governing entities’ search tools to identify whether a supplier or one of the associated parties is on the list to stay compliant.
Better safe than sorry: Do your due diligence
Q: We've talked about why companies should comply with international sanctions. What are the potential ramifications for non-compliance?
The ramifications for non-compliance range from hefty fines to large reputational risks. You don’t want to find yourself in a sanctioned situation. It can lead to massive monetary losses, and potential restrictions from your financial service providers. Noncompliance can be very negatively impactful to any company caught doing business with a sanctioned entity.
Q: Can you tell us why due diligence is crucial in sanctions compliance and how can businesses effectively conduct it?
Due diligence is simply good business practice. It's crucial in sanctions compliance because it ensures your business is identifying and mitigating the risk of inadvertently engaging with sanctioned individuals, entities, or countries. In most instances, companies are already gathering and verifying information about their suppliers - they just need to take steps further and use the online government provided resources.
Another useful business practice is documenting your due diligence efforts to demonstrate compliance to regulators. Whether it’s screenshots or documents – save it all.
Q: What final piece of advice would you offer to companies aiming to enhance their compliance programs?
Fostering a culture of risk and compliance management where continuous improvement is valued, and feedback actively sought after to refine the strength of the risk and compliance program helps a company proactively have strong mitigants against risk.
[1] https://www.ic3.gov/Media/Y2023/PSA230609
[2] Read more about the ruling and FinCEN’s position here: https://www.fincen.gov/news/news-releases/updated-notice-regarding-national-small-business-united-v-yellen-no-522-cv-01448
[3] FinCEN provides an online platform for the submission, which is accessible through their website at www.fincen.gov/BOI.