SSFA Means Simplified Supervisory Formula Approach

Financial Institution Letter

Regulatory Capital Rules:
Regulatory Capital Tool for Securitization Exposures


The FDIC has published a simplified supervisory formula approach (SSFA) tool as part of its continued outreach efforts to help institutions implement the revised capital rules. The SSFA is a new method banks may use under the revised capital rules to calculate capital requirements for securitization exposures. It is a formula-based approach designed to apply relatively higher capital requirements to the more risky junior tranches that are the first to absorb losses, and relatively lower requirements to the most senior tranches.

Statement of Applicability to Institutions Under $1 Billion in Total Assets: This Financial Institution Letter applies to all FDIC-supervised banks and savings associations, including community institutions.

FDIC-Supervised Banks and Savings Associations

Complete Financial Institution Letter:

About the Author: Marcus Maltempo is a compliance professional with more than a decade of experience helping banks, law firms and clients manage investigations and regulatory responses.


OFAC Means Office of Foreign Assets Control

OFAC is an office within the Terrorism and Financial Intelligence Office at the US Department of the Treasury.

The Office of Foreign Assets Control (OFAC) is a financial intelligence and enforcement organization of the U.S. government charged with planning and execution of economic and trade sanctions in support of U.S. national security and foreign policy objectives. Acting under Presidential national emergency powers, OFAC carries out its activities against problematic foreign states, organizations and individuals alike. – Wikipedia

Historically, OFAC was dealing with sanctions on Iran, North Korea and Cuba, the usual suspects. But nowadays, OFAC also deals with individuals connected to Russian President Vladimir Putin and individual terrorists.

Making a career in this area of regulations involves a great amount of interest in both financial crimes investigations and geopolitics. It also involves keeping up with information on what other regulatory bodies are doing, such as FinCEN, FINRA and the Department of Homeland Security.


Supervisory Power Means Judge Overrides DPA

Supervisory Power is a power given to judges so that they can override the legitimacy of a Deferred Prosecution Agreement (DPA). The idea is that judges feel the agreement between the violator and the SEC or DOJ deviates from the trend.

Such was the case for Fokker Services. Fokker is an aerospace parts distributor. It was found to have provided parts to sanctioned countries, primarily Iran, between 2005 and 2010. This was done with the approval of management, and the employees who violated the sanctions are still employed by the firm. DOJ and Fokker made a DPA which was attached to a $21 Million fine. $21 Million was the revenue earned from the violations. The judge rejected the DPA, stating that the punishment was too weak considering how egregious the violations were.

Another reason to avoid DPA’s that unreasonably favor violators.


DPA Means Deferred Prosecution Agreement

Deferred prosecution agreements (DPAs) encourage individuals and companies to provide the SEC with forthcoming information about misconduct and assist with a subsequent investigation. In return, the SEC refrains from prosecuting cooperators for their own violations if they comply with certain undertakings. – SEC

DPA’s are also used by the DOJ.

For a company or an individual who may have unwittingly been involved in financial crime, a DPA is often the best option. There are two main types of DPA’s: with and without admission of violation.

Obviously, not admitting to violation is the best option. This option can only be provided if the violator’s intended results were not a violation in themselves. This doesn’t mean it’s the end of the violator’s troubles. The violator may face professional punishments if s/he is licensed or certified. In rare cases, the violator will be barred from the profession.

Admitting to the violation only strengthens the case against the violator’s disbarment. On top of that, the violator may face disbarment from the industry regardless of the function. Admission could be career suicide.

It used to be that corporations wanted to avoid admission because it meant suicide for the corporation. But last year, the regulators showed their willingness to work with corporations on leniency, if that’s what it can be called. A number of corporations entered into agreements to admit to wrongdoing and pay hefty fines for violations, but the DPA’s were executed in such a way that the corporations may have taken a hit to their assets while the shareholders’ equity would not be affected.


How super cookies threaten bank security

Super cookies threaten bank security by exposing customer data in ways that are more discreet than ever before.


What are super cookies?

Super cookies are sometimes called zombie cookies. The most typical type of super cookie is called a Flash cookie because it is a cookie from the Adobe Flash plug-in. Cookies are little bits of code websites leave in your browser’s cookie folder so that they can remember your preferences and, should you choose to do so, account information and password. Basically, when you turn on your browser and can get to your email or Facebook without having to log in, the website has a cookie in your browser’s cookie folder. It is pretty convenient.

The usual threat

If this bit of code contains personal information, then of course your identity is threatened by anything that tries to retrieve it when it is not supposed to. The codes usually need to be deciphered. Many websites and phone applications are known to have very weak security on their cookies, making them very simple to decipher. On a consumer level, this is dangerous because most consumers are not all that creative with their passwords, using the same one for all of their accounts.

The banking relevance

For banks, the threat is more real than ever. Transactions are usually legitimized in multiple ways: correctly identifying the transaction parties, correctly using the transaction accounts, correctly using passwords, matching payment sender and receiver, matching banking institutions and on and on. Most of these matches have been nearly eliminated because the banking system has taken care of most of them, having the consumer contact points reduced to the point of sale.

The primary banking threat

Now that the whole purchasing process can take place online, a digital path can be created for transactions. Here’s how it works: Jaco wants to purchase a bass guitar. He goes to and looks around. Jaco looks at strings and pick-ups and amplifiers along with bass guitars. He purchases a rare Flea Bass and nothing else. SBGGM keeps a cookie on his computer so that when he returns the website can present him with suggestions based on his purchase and his surfing history. If Jaco deletes the SBGGM cookie, then his return visit will not have any suggestions based on his surfing history. If SBGGM uses Adobe Flash on its website and creates a cookie in Adobe Flash, it keeps the cookie in an Adobe folder rather than a browser folder. Jaco’s return visit will show him suggestions based on his previous visits even if he deleted SBGGM’s browser cookie.

A cyber criminal can hack into Jaco’s computer, get onto SBGGM’s website, get on Jaco’s account, make purchases from the website suggestions, and have them shipped to another address. From there, bought items could be sold for money. To add an additional layer of stealth, the cyber criminal can make small purchases every month to go undetected, especially if Jaco tends to just pay off the whole credit card balance at the end of each month. As long as the consumer does not pay attention to every transaction, the consumer is paying for these transactions. Banks have been flooded with small fraudulent transactions. These transactions make banking more expensive for everyone.

Because super cookies circumvent a consumer’s deliberate attempt to erase information trails, they pose a super threat.
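An added example, not part of the original post: a defender's inventory script that finds Flash Local Shared Objects (`.sol` files) and reports the domains that still hold Flash state after the browser cookie for that domain is gone, which is Jaco's situation above. The directory layout `<root>/<random id>/<domain>/.../<name>.sol`, the `.sol` header offsets, the domains `sbggm.example` and `news.example`, and all sample files are assumptions constructed for the illustration.

```python
import struct
import tempfile
from pathlib import Path

def build_sol(name: str) -> bytes:
    """Build a minimal, empty .sol file (constructed sample, holds no real data)."""
    n = name.encode()
    body = (b"TCSO" + b"\x00\x04\x00\x00\x00\x00"
            + struct.pack(">H", len(n)) + n + b"\x00\x00\x00\x00")
    return b"\x00\xbf" + struct.pack(">I", len(body)) + body

def parse_sol_name(data: bytes):
    """Return the shared-object name from a .sol header, or None if malformed."""
    if len(data) < 18 or data[:2] != b"\x00\xbf" or data[6:10] != b"TCSO":
        return None
    (name_len,) = struct.unpack(">H", data[16:18])
    raw = data[18:18 + name_len]
    return raw.decode("utf-8", "replace") if len(raw) == name_len else None

def find_lsos(shared_objects_root: Path):
    """Yield (domain, object_name, path) for each valid LSO under the root.
    Assumed layout: <root>/<random id>/<domain>/.../<name>.sol"""
    for path in sorted(shared_objects_root.rglob("*.sol")):
        parts = path.relative_to(shared_objects_root).parts
        name = parse_sol_name(path.read_bytes())
        if len(parts) >= 3 and name is not None:
            yield parts[1], name, path

def surviving_domains(shared_objects_root: Path, browser_cookie_domains: set):
    """Domains that still hold Flash state although the browser has no cookie."""
    flash_domains = {domain for domain, _, _ in find_lsos(shared_objects_root)}
    return sorted(flash_domains - browser_cookie_domains)

def demo():
    """Build a constructed #SharedObjects tree and report the leftover domains."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "#SharedObjects"
        for domain, name in [("sbggm.example", "visitor"), ("news.example", "prefs")]:
            site_dir = root / "AB12CD34" / domain
            site_dir.mkdir(parents=True)
            (site_dir / f"{name}.sol").write_bytes(build_sol(name))
        # A file with the right extension but no LSO header is ignored.
        (root / "AB12CD34" / "sbggm.example" / "junk.sol").write_bytes(b"not an LSO")
        # Jaco deleted the sbggm.example browser cookie; news.example still has one.
        return surviving_domains(root, {"news.example"})

if __name__ == "__main__":
    print(demo())
```

Any domain this reports is one where clearing browser cookies alone did not remove the stored state; the files returned by `find_lsos` are what would also have to be deleted.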


How Net Neutrality Threatens Banks

Tom Wheeler is being credited for being the twenty-first century’s Senator Joseph Kennedy.

Last week, Tom Wheeler, Chairman of the Federal Communications Commission (FCC), publicly announced his support for Net Neutrality.


Net Neutrality is the name of the principle that all internet service providers (ISPs) should provide equal access to their content providers. Proponents of Net Neutrality claim that it is this principle that has enabled many small content providers, social networks and economic platforms to flourish. Without continuing a policy that implements this principle, developing the next big thing will be so expensive that it won’t happen, at worst, or will happen in other economies, at best. Also, proponents argue that a tiered service would amount to content discrimination. Proponents include Yahoo!, eBay, Amazon, Microsoft, Lawrence Lessig, Steve Wozniak and, even, President Barack Obama.

Those against Net Neutrality argue that the current system hinders financing the development of better telecom infrastructure, and that customers, especially lower income customers, are subsidizing large bandwidth-heavy content providers and effectively lowering the service quality they receive. Those against Net Neutrality include major telecommunications providers, internet service providers and free market types. (Sadly, the names against Net Neutrality just aren’t as well known as the proponents, thereby making it unnecessary to enumerate.)

Both sides are correct.

Currently, Net Neutrality is in place. This means that when most people go online to do bandwidth-heavy activities, such as listening to music on Spotify or Pandora, or watching videos on YouTube or Netflix, no additional charges are incurred. If Net Neutrality were done away with, either the customers or the music and video providers or a combination of the two would have to pay for the heavy bandwidth. Seems more expensive?

Well, imagine if you are one of those creative types who are trying to develop something that will compete with YouTube, one of the groups of people proponents would like to protect. Because your competitor is providing their service for free, no one wants to go to your site. You are ten years behind and whatever great idea you have is very unlikely to get the notice to effectively compete with the established players. Customers are getting a great experience with existing industry players but they are potentially missing out on others.

There are more ways to think about what the alternative universe would look like in a world without Net Neutrality. One can even look at other developed economies to see how their industries have fared without Net Neutrality. The most common example is the United Kingdom.

How Net Neutrality Threatens Banks

Banking on both the retail and investment sides is being done more and more on the internet. Banking was one of the first industries to adopt internet technology. This makes sense since banking is a transaction system. Anything that helps to reduce the cost, increase the speed and better secure transactions would make an industry player more competitive.

The banking industry has experienced two major transitions in the last century. The first was the transition from currencies backed by precious metals to fiat currencies. The second was from fiat currencies to digital currencies. Today, nearly all of the $2 Trillion in currency transactions per day are done digitally between computers. Despite the fact that the US Dollar and other currencies are government backed, in nature they aren’t much different from cyber-currencies like Bitcoin. (There are some significant differences but those primarily have to do with the capabilities of the currency types, which, at this point, are not relevant for this discussion.)

Cyber-crime is performed in two primary ways. The “old school” method is to email or otherwise contact a person, deceive them in some way, and steal valuable information, which then can be used to “legitimately” tap into customer accounts. The more sophisticated method is to write code that would steal information or take over the processing capabilities to tap into customer accounts. This code is, in many senses, the same as content. In order for YouTube to provide you with free videos, YouTube must develop code to do so. So, effectively, everyone is subsidizing the dissemination of cyber-crime.

Banks have been working very hard to secure themselves from both types of threats. To protect against phishing, the “old school” cyber-crime, banks require registering computers (via IP addresses) before entry into bank accounts. For institutional clients, this might be much more sophisticated than for retail customers but it is essentially the same.

To protect customers from code attacks, which are generally attacks directly on bank infrastructure, banks have hired technologists to develop hardware and software that protect servers.

Net Neutrality is a subject most people do not understand the nuances of, and, usually, favor without understanding the ramifications of its perpetuity. I am not taking a stance on either side of the discussion, but I think knowledge would do it great service.


CFT Means Counter-Financing of Terrorism

Counter-Financing of Terrorism (CFT) is also known as Combating the Financing of Terrorism. Both are abbreviated as CFT and mean the same thing.

This is an AML activity that encompasses surveillance, assessment, investigation, sanctions and other traditional AML activity. A bank can receive instructions or guidance from any number of government entities. The International Monetary Fund (IMF) has developed standards for assessment through its Offshore Financial Centers assessment program. Surveillance guidance is provided by the Financial Sector Assessment Program (FSAP), which is another IMF program. And the Financial Action Task Force (FATF) plays a crucial role in developing the standards for assessment.
