Fraud & Breaches Conference

We are pleased to announce that Kyte is hosting the second in its series of conferences, this time in the city of Kiev, Ukraine. The event shall take place in the Conference Hall Goloseevo Kiev, on 19th September 2017.

Who will be there?

Senior operational risk and compliance managers and key decision makers from a variety of Financial Institutions in Ukraine, the CIS region, Europe and Malta will be invited to come and join us. We have an exciting programme, with confirmed participants and speakers from the Ukrainian interbank payment systems member association “EMA” as well as various specialists who will discuss the latest issues concerning:

  • PCI DSS compliance in payment systems
  • the use of Artificial Intelligence and machine learning
  • the protection of your information security systems
  • the management and reporting of your portfolio of clients as required by the AML 4th Directive, including CDD, EDD and AML reporting
  • insight into the latest innovations in the industry, including Blockchain and Bitcoin

About the conference

The last couple of years have witnessed a boom in the development of electronic and non-cash payments, the emergence of revolutionary cryptocurrencies and an active transition to mobile payments. While such innovative technological advances create convenience for users, they also carry an increased risk of data compromise. So how does one strike a balance between innovation, convenience and security?

The conference will include talks by experts who will discuss cybersecurity, review the current fraud situation in various areas of business and the methods of preventing it. Moreover, specialists will give practical recommendations on how to protect financial institutions and commercial companies from external and internal intrusions and attacks.

Some of the presentations shall be delivered in Ukrainian but translation services will be available through the use of headsets.

Who should attend this event?

This conference is an event that should not be missed if you’re:

  • a head of, or professional in, a specialised banking subdivision dealing with IT and development departments
  • an information security, MLRO or compliance manager
  • a member of a department working with retail, mobile and e-commerce payments
  • an employee of a company working in the field of e-commerce, crypto-currency and non-cash payments.

About the Venue

The conference hall is located 500 m from the Goloseevskaya metro station. There is underground parking for 12 persons, and free parking near the hotel is also available for guests.

Register for our Fraud and Breaches event in Kiev, Ukraine on 19th September via the link below: http://fnb.biz.ua/

If you’re interested in finding out more about this exciting event contact us today!

Be sure to follow us on Facebook and Twitter for more of the latest updates.


A quick look at FIAU/MGA Consultation Document: “Application of Anti-Money Laundering and Countering the Funding of Terrorism obligations to the Remote Gaming sector”

The 4th AMLD is taking Anti-Money Laundering and Countering the Funding of Terrorism compliance to a new level for the Remote Gaming Sector.

This Directive builds on and updates the 3rd AML Directive, which was implemented in the year 2005. Amongst other measures, Remote Gambling Operators are given Subject Person status. This removes previous doubts about whether these rules apply to the Gaming Sector.

The FIAU/MGA Consultation paper gives MGA Gaming Licence holders some guidance and requests industry feedback prior to the EU’s 4th AML Directive being transposed into national law.

Let’s have a brief look at the most important points of this consultation document.

ML/FT Customer Risk Assessment

Businesses must carry out an ML/FT Assessment to identify their vulnerabilities and their risk of exposure to activity and transactions derived from Money Laundering and Funding of Terrorism.

The assessment is not a one-time task and the Customer Risk Assessment has to be revisited at least once yearly, together with derivative measures, policies, controls and procedures. Changes in business structures, products and/or services are to be assessed immediately. This process and its derivatives have to be recorded and be available for auditing.

Dynamic Customer Specific Risk Assessment

Businesses must maintain a continuous Risk Assessment of their customers based on ongoing monitoring of the business relationship with the customer. The key word here is “Dynamic”. It is not a simple set of rules and measures after which you’re good to go. Rather, it is an ongoing risk assessment of the customer’s profile and behaviour to ensure that suspicious changes are identified and assessed.

The use of advanced analytics and behavioural analysis tools needs to be considered as an automated solution to meet this expectation, and we believe that this is the reason why the FIAU/MGA have specifically mentioned such tools.

High Risk relationships

Screening and monitoring for PEPs and individuals on Sanctions Lists using reputable databases must be introduced. Special focus on high risk customers and originating territories is to feature highly in your Customer Risk Assessment.

The new consultation paper goes beyond simply verifying customer details and requires you to monitor the risk level of the business relationship constantly. Companies need to keep themselves updated on Country Risk levels through reputable sources such as the country assessment reports by the Financial Action Task Force, which are available on its website.

CDD/EDD Measures

The triggering of CDD/EDD Measures for customers not previously risk-assessed is to start, at a minimum, once a threshold of €2000 in linked deposits or €150 for high risk payment methods is achieved. Before your customer has reached that level though, your customer risk assessment may also dictate an early kick-start of CDD/EDD for higher risk customers.

These thresholds are not tied to a specific timeframe. The Malta Remote Gaming Council is raising this point with the FIAU/MGA to suggest specific time frames which make sense for the Gaming Industry while still achieving the aim of managing the risk of ML/FT in a risk-based approach.

Looking back for the skeletons in the closet

It’s not only a matter of doing risk assessments on new customers from directive transposition day onwards. The consultation paper also tasks the Gaming Industry with looking back at its existing customer base and carrying out customer risk assessments on clients with whom there are established business relationships.

High Risk customers must be reviewed within 6 months from adoption of the directive and all other customers must have been risk assessed within 18 months, with the FIAU/MGA expecting this to be done as soon as possible. Inactivity of the customer does not exclude him/her from the risk assessment.

Suspicious Transaction Reports

Subject persons are obliged to report Suspicious Transactions to the FIAU when there is a suspicion of ML/FT, even when a Transaction has not actually happened. The obligation to file the STR report cannot be taken lightly.

Some standard ML/FT Red Flags are also included in the consultation document, together with reminders that any customer suspected of ML/FT must not be tipped off, neither intentionally nor unintentionally. Actions taken by the Business in respect of a suspected customer’s account must be discussed with the FIAU to obtain the necessary guidance. The FIAU has the authority to ask for a postponement of a transaction or for continued intensive monitoring of the customer’s activity.

Jurisdictions

The consultation document also acknowledges that Jurisdiction concerns may arise when businesses hold different licences depending on their target markets. Guidance is provided that STRs should ideally be filed with the Reporting entity that has Jurisdiction in the country which issued the licence to operate. This means that Businesses must be knowledgeable in the ML/FT regulations and guidelines of the markets in which they operate and are licensed.

Thus, for example, if an STR is to be filed by a business based in Malta which provides services to a customer under a UK Gambling Commission Licence, then the STR has to be filed with the UK National Crime Agency.

Getting expert help

The FIAU/MGA are studying the possibility of allowing subject persons to outsource some ML/FT-specific tasks to dedicated providers, who would offer industry players AML/CFT-related services such as implementing AML/CFT controls, policies, measures and procedures.

However, the document itself states that this matter has not been finalised yet, so expect new updates on the subject. In the meantime, Businesses must start to implement these requirements themselves.

Why should I care?

Whilst the consultation paper itself does not contain references to penalties, the EU 4th AML Directive makes clear that the cost of non-compliance may include:

  • Reputational Cost – Publication of the name of the Business and the nature of the breach
  • Potential Licence Revocation
  • Temporary ban on managerial persons from exercising managerial responsibilities in an obliged entity
  • Administrative fines which can run into millions of Euros, imposed on both companies and individual obliged persons.

Here at Kyte Consultants, we can help you improve your in-house processes to make certain that you are equipped to comply with your statutory obligations. We can help you cultivate processes based on your particular business model and risk scenario and ensure that those processes are maintained over time.

To find out more about the services we offer and how we can help you ensure you are compliant with the necessary legal requirements, contact us today.

Further reading: FIAU/MGA Consultation Document; 4th AML Directive; FATF.

David Agius

Advisor for Regulatory Compliance


Discover the Benefits of PCI DSS

A Brief Overview

The Payment Card Industry (PCI) Data Security Standard (DSS) applies to any entity that stores, processes or transmits payment card details and requires each such entity to stringently abide by its stipulated requirements. Regardless of the volume of payment card transactions an entity handles, it is obliged to comply with the PCI DSS.

Kyte is a Qualified Security Assessor Company that offers its services to merchants, service providers and Financial Institutions in Europe, the Middle East, Africa, North America and the Marshall Islands. We can support you in becoming fully compliant and can also review your operation to ensure that you are following PCI DSS guidelines.

  1. How important is PCI DSS to the iGaming industry?

The mode of payment preferred by the majority of online gaming customers is the credit card. To improve the customer experience and reduce the effort needed to deposit money, an operator needs to store credit card data for repeated use. Once a company stores, processes or transmits credit card data, it must comply with the PCI DSS, which is specifically designed to secure systems and protect credit card data from being stolen.

  2. What do PCI DSS compliance checks and certification consist of?

Most gaming companies follow ISO 27001 either to observe regulations or because it is good practice. As an information security management system, PCI DSS is similar to ISO 27001, but it specialises in securing credit card data. Scoping the exercise is the most important part of the process: the main objective is to reduce the Cardholder Data Environment to the barest minimum. This renders the compliance process and certification review much simpler and cheaper. A reduced scope also reduces the exposure of card data to theft.

  3. How long does it take for a company to become PCI DSS compliant?

It really depends on the resources made available as well as the result of the gap analysis. It is neither easy nor straightforward, since there are several controls that would need to be implemented.

PCI DSS is also about maintaining compliance. Dedicated resources must be allocated to ongoing compliance, just as any other standard or regulation requires ongoing monitoring and management. Becoming compliant for the first time is challenging but not impossible. With the right project plan in place and advice from professionals, it is certainly achievable.

  4. What are the advantages of becoming PCI DSS certified?

Nowadays, with all the hacking and theft of data, customers do not get peace of mind from companies who simply say they are secure. Thus, it is no surprise that they are reluctant to share their credit card details. Having the equivalent of a rubber stamp stating that you comply with one of the most stringent and rigorous standards provides the assurance that the stored credit card data has the best protection available. This gives a competitive advantage over other operators who ask for the same data but cannot prove that it is adequately protected.

Kyte Consultants can assist you with PCI DSS Compliance as well as Certification. We acknowledge that a one-size-fits-all approach to interpreting PCI DSS requirements does not work; in fact, it is this approach, adopted by some assessors, which causes many companies to go over time and over budget in their efforts to achieve compliance. This is why we assess each company individually, taking into consideration its size, resources, business constraints and risk exposure.

If you would like to request a quote, please contact us. We look forward to meeting you in person to discuss your requirements.
