Operational Risk Management in a Period of Disruption – Will Normal Programming Resume Shortly?


In both normal times and uncertain times, policies and procedures seek to give all employees support in the carriage of business activities. The current COVID-19/coronavirus social and economic crisis is, however, putting to the test existing, proven and robust policies and procedures in all organisations, argues Peter Deans, of 52 Risks management, in this blog.

Peter Deans, Creator & Founder of the 52 Risks management framework, argues that risk managers must put aside any desire they harbour to continue ‘business as usual’ without making adjustments that reflect the changing external environment. Peter offers eight key activities and priorities for operational risk and compliance managers in this period of significant disruption.


Why do policies and procedures exist? They provide a roadmap for the smooth day-to-day operation of business activities. They can provide guidance on how to be compliant with laws and regulations, ensure sound customer and business outcomes, help to streamline decision-making, and generally make business activities as trouble-free as possible. In both normal times and uncertain times, policies and procedures seek to give all employees support in the carriage of business activities.

The current COVID-19/coronavirus social and economic crisis is, however, putting to the test existing, proven and robust policies and procedures in all organisations. The normal operational rhythm has been disrupted, and new ways of operating many business activities are being developed in real time. Many business activities that have operated unchanged for many years are having to be redesigned and reshaped.

Risk managers are now asking themselves many questions: Should we continue to operate our existing enterprise risk or operational risk management frameworks (‘risk frameworks’) unchanged in this environment? Do we temporarily pause our existing risk framework for a while? Do we continue to operate our risk frameworks ‘as is’ but acknowledge the significant disruption to normal activities? Do we need to rewrite our risk frameworks to reflect an extended period of disruption?

Will ‘normal programming’ resume shortly – as the television service message used to say?

The goal for organisations of any size should be to have a dynamic, living and breathing set of operational protocols, policies, and procedures. These should enable a dynamic and flexible approach to doing business that readily flexes and adapts to a changing external and internal environment. The coronavirus crisis, however, is putting to the test the ability of organisations to adapt to a dramatically changing environment.

As has been stated many times, this crisis is unprecedented. Few governance and risk management frameworks can have contemplated the extent of disruption being experienced. Accordingly, risk managers must put aside any desire they harbour to continue ‘business as usual’ without making adjustments that reflect the changing external environment. A fresh approach (and clear head) is needed.

Key activities and priorities for operational risk and compliance managers in this period of significant disruption will include:

Deferring any low priority or non-essential operational risk activities. Existing risk and governance frameworks, reflecting compliance and regulatory requirements, require a range of scheduled periodic activities. This will include, for example, annual or biannual product reviews. Risk managers should look to have many of these deferred to free up the business unit and risk resources for more urgent, higher priority activities.

Liaising closely with internal governance forums and regulators to discuss and agree on revisions to approved governance frameworks in this period. Regulators have already demonstrated significant flexibility in deferring or suspending the legislative agenda and regulatory change projects. All internal and external stakeholders recognise this period is not ‘business as usual’.

Focus on supporting business functions and activities that are being significantly redesigned in response to the crisis. These business functions will have a very different operating model for an extended period. Seek to quickly complete abridged risk assessments so that business changes can be quickly implemented (or even defer completion of the risk assessments until shortly thereafter). Look to redirect operational risk resources temporarily or permanently from business activities that are substantially quieter (or have ceased to operate) in this period.

Maintain strong oversight of key compliance and customer outcomes. All financial institutions will need to continue to ensure that expected customer outcomes are delivered in this period. Financial institutions now see record levels of financial hardship across their consumer and business loan portfolios. In addition, new arrangements are being quickly designed and put in place. High priority needs to be given to ensuring these are robust processes – an important role for compliance and operational risk managers.

Look to bring forward automation and process efficiency initiatives that can support a leaner and more nimble organisation. It will be necessary to cancel or defer many initiatives that may disrupt critical business activities or cannot be funded due to profitability challenges. However, there will be some initiatives that can help the organisation operate more effectively and efficiently in this period. These should be reprioritised and brought forward.

Review management reporting to governance forums and business partners to ensure focus on business-critical activities that have already been disrupted. Risk committee members and executives will want to understand the changing risk profile of the business.

Conduct a review of material third party arrangements. Risk managers and internal stakeholders should be urgently seeking to identify any suppliers, vendors or third-party business partners that have been impacted and/or may be encountering financial stress.

Monitor the impact of restructuring and downsizing. The short-term financial impact of the economic shock of the coronavirus will inevitably lead to significant cost-cutting. It will be incumbent on risk managers to ensure that nothing ‘slips between the cracks’ in this period, and that the organisation is fully aware of the changed risk profile post-restructuring. Risk management functions themselves will also be the subject of restructuring. This will all require significant change management and operational risk support.

A new rhythm will need to be developed for an extended period of disruption ahead. Once the external environment begins to normalise – and it is unlikely that it will return to its previous state – a new operating model may need to be developed for risk governance.

In the medium to longer term, the priorities of both the risk management function and the organisation will likewise evolve. The lasting effects of the coronavirus crisis are not yet known, however there will undoubtedly be significant medium and long-term change for many businesses. For example, those with extensive outsourced and/or overseas operations may look to reassess this operating model. Organisations will inevitably be looking to adopt greater automation – continuing a trend evident for many years.

In summary, normal programming is unlikely to resume in the short, medium or long term. The challenge – and opportunity – for risk managers is, however, unchanged. They should seek to assist and guide their respective organisations through what will be an extended period of change and disruption.


Peter Deans is a former Chief Risk Officer and industry-leading risk management specialist. Peter retired from banking & finance in 2019 after a career of over 32 years at several Australian and international banks.

Peter was awarded Australian Banking & Finance magazine’s Chief Risk Officer of the Year award in 2014, 2015, 2016 and 2018.

Peter is now a risk and strategy consultant supporting companies in the financial services, corporate and start-up/technology sectors.

Peter is also the Creator & Founder of the 52 Risks management framework (www.52Risks.com) and a Non-Executive Director of The Regtech Association in Australia.

GRC Solutions resources

So be good for goodness sake: workplace behavior at end-of-year events

As we head into the silly season, it’s worth keeping in mind that silliness is no excuse for poor standards of behavior or even misconduct at work functions.

We’ve all heard stories about office parties where a worker has embarrassed themselves and/or others, or caused harm to others, because they’ve had too much to drink or just gotten carried away.

We’ve also all heard stories of employers firing staff because of such inappropriate behavior.

Perpetrators of misconduct often ruin otherwise enjoyable events for the majority and may even cause lingering damage.

But behavior at work functions is more than just an issue of “fun” – it can also be a serious compliance problem.

Workplace codes of conduct and anti-bullying and harassment laws can extend to conduct which takes place outside what is traditionally considered “the workplace”. This means staff behavior at work functions held at off-site venues is included in the scope of the law. In some situations, travel to and from such events may also be covered. Laws and policies may also apply to posting online about work or work events, for example, uploading pictures of colleagues or commenting on other people’s posts.

Employers are responsible for providing a safe work environment for staff (including volunteers and contractors) as well as clients. A safe work environment means one which is free from bullying and harassment. Your organization could be held liable for inappropriate staff behavior at work functions.

Most people have no issues treating others with respect and professionalism while having a good time. Others might need a reminder.

Ensuring all staff members are informed of and understand the standard of behavior expected of them at these events helps everyone to have a great time and can go a long way toward preventing lingering legal or reputational consequences.

GRC Solutions is an award-winning provider of compliance training. To find out more about our Diversity & Equality course which details how your workplace should manage and prevent bullying, contact us today.


Department of Justice indicts Australian company for million-dollar bribes to Iraqi officials

The US Department of Justice (DoJ) has alleged that senior executives of Australian company Leighton Holdings (now known as CIMIC) were involved in offering bribes amounting to US$5.5 million as part of an effort to win a billion-dollar construction project in Iraq.

The allegations were made in the context of the DoJ’s wide-ranging inquiry into Unaoil, the Monaco energy industry consultancy said to have helped global companies such as Leighton and Rolls Royce to bribe officials.

According to the DoJ, back in 2010, senior executives at Leighton Offshore had targeted construction jobs in Iraq that were worth up to $2 billion. The executives sought to bribe corrupt officials in the Iraqi government who had been identified to them by Cyrus and Saman Ahsani, the brothers who ran Unaoil with their father, Ata. If Leighton’s bid to win the work were successful, it was envisaged that the brothers would win millions of dollars in commissions – enough for Unaoil to pay off corrupt officials within the oil ministry in Baghdad and the government’s South Oil Company.

The DoJ’s 2019 indictment alleges that “certain executives at [a business referred to as ‘Company 8’] ensured” there were “sufficient funds to make bribe payments to Iraqi government officials”. A Fairfax report identifies former Leighton executive, Russell Waugh, as a key figure, and while the indictment only refers to ‘Company 8’ as a “listed Australian company”, Fairfax further alleges that “it is clear it is Leighton”.

Unaoil executive Peter Willimont is alleged to have met with Waugh in May 2010 in a Perth hotel, where the pair, along with others, “agreed to rig the bidding process for projects in Iraq”.

The Ahsani brothers have already pleaded guilty to charges of bribery and money laundering as well as to having “destroyed incriminating documents with the intent to prevent their discovery by law enforcement”. They have since become FBI informants.

If found guilty, CIMIC could face penalties running into hundreds of millions of dollars.

Sources: 2019 indictment; Leighton Holdings 2016

GRC Solutions is an award-winning provider of compliance training. To find out more about our Anti-Bribery course, contact us today.

ACA International & GRC Solutions – Podcast

Justin Muscolino, our Head of Compliance Training North America, has been interviewed by Harry Strausser of ACA International in this very instructive podcast discussion about compliance training.

Some of the highlights include:

  1. Why do organizations struggle so much with culture and what impact can compliance training have to improve this? What are some of the things that you have seen?
  2. What do organizations often get wrong when it comes to training?
  3. What happens when organizations do not target their training?
  4. One of the issues that organizations face is benchmarking the effectiveness of their compliance training and whether it is working; any suggestions around benchmarking?
  5. In another blog post on your website you look at training compliance professionals to improve their organization’s culture. Explain what you mean by a compliance officer training program and what you want them to get out of it.
  6. Any advice for companies trying to get the right culture in their organizations?

Top 5 employee induction tips

The first few days of introducing a new hire into the workplace are the best time to build a mutually beneficial professional relationship. While they’ve passed the application process and the pressure of interviews, it’s what happens during orientation that will influence performance in the long run. With this in mind, here are some top tips on setting the groundwork for retaining fresh talent that adds value to your team:

  1. Prepare your induction infrastructure

Even the smallest details, such as having computer logins ready and some friendly faces to help a new person settle in, can make all the difference. For managers, taking the time to cover logistics such as an entry pass, a quick tour of the facilities and the fire exits communicates that your organization values safety and compliance. Establishing this ‘tone from the top’ from the beginning has a direct influence on employee conduct in the long term.

  2. Cultivate corporate culture

Establishing whether a person will be a good fit for the organization can be made clearer during the recruitment process by having a casual ‘culture fit’ chat after someone has passed the initial interview. Beyond this, encouraging morale-building activities such as team lunches and checking in for feedback on how the person is settling in, makes for a smooth transition. The benefit of engaging effectively at this stage of the onboarding process is to increase employee retention. A study referenced by the Society for Human Resources Management reveals that 69% of employees are likely to stay with a company for three years or more if they have a positive experience during orientation.

  3. Clarify job roles and responsibilities

The induction process is an ideal opportunity to readdress the finer details of the job role and clarify any concerns. Facilitating an open flow of communication can be achieved through holding an informal meeting which covers how they can best meet the needs of the organization, alongside how you can enhance their experience through flexible working arrangements for example. Additional strategies such as introducing a mentor to explain the ‘ins and outs’ on areas such as document control and cybersecurity measures encourage best practices from the outset.

  4. Embrace the ‘learning by doing’ approach

A structured onboarding program with comprehensive on-the-job training has been shown to produce a 62% increase in time-to-productivity ratios. In a supportive environment where it’s possible to develop the necessary skills and learn on the job, new employees are given the tools to understand how they are contributing to the organization’s objectives in the bigger picture. As data published by Aberdeen Group illustrates, “employees are more likely to stay with a company, and to continue to strive to perform, when they are challenged by their job, enjoy the company culture, and feel supported and valued by the organization.”

  5. Educate on internal policies and obligations

Developing a culture of compliance starts from the ground up and every workplace strives to have employees that have taken the company values on board, fit in with the culture and act ethically. The first step towards achieving this is a well-organized orientation program that includes compliance training on the company’s code of conduct and other internal policies and procedures. Information should also be provided on who to contact with questions or concerns about what regulatory obligations affect the employee’s specific job role.

In essence, these five tips illustrate that investing in comprehensive training that instills the values of a positive workplace culture, a focus on compliance and goal-setting for productivity is going to ensure that your organization is at the forefront of employee satisfaction and business success.

Sources: Society for Human Resources Management; Harvard Business Review

GRC Solutions is an award-winning provider of both off-the-shelf and bespoke compliance training. For more information on how our courses can contribute to positive workplace behaviours in your organization, contact us today.


Leadership skills for compliance officers

In this blog post, Justin Muscolino, GRC Solutions’ Head of Compliance Training in North America, provides tips on leadership skills for compliance officers.

During my career in compliance training I’ve learned first-hand that you need all the assistance you can get. It’s important to get others involved in delivering your message. But in order for compliance officers to do that well, they need to have the leadership skills and knowledge necessary to deliver the message. Equipping compliance officers with these necessary leadership skills will enhance their capabilities. It can also help change the compliance culture within an organization.

Early in my career I observed how difficult it can be to get the necessary buy-in from business leaders to deliver an effective compliance training program. In addition, I realized how important it was to enlist other people who are working in compliance to help deliver messages throughout the organization. But I also came to realize that not everyone has the skill set and style to achieve these goals. Compliance officers typically deal directly with the business and by increasing their capabilities and developing their leadership skills, this can only aid in delivering a positive message throughout the organization.

I often attended business meetings with other compliance officers and found that they didn’t ask the necessary questions, didn’t have the right mindset, or couldn’t convey their thoughts and opinions confidently.

So I asked myself: what if I could train compliance officers to understand what it takes to deliver the appropriate messages while enhancing their leadership skills? With that in mind, I created a program aimed at enhancing the capabilities of compliance officers. Over the years the program evolved into something much more.

Think about it. Could a training program for compliance officers shift the culture of compliance? Yes, it could. By delivering a consistent message and teaching them effective leadership skills you can change the culture of compliance in a positive way.

What are the benefits of creating a compliance officer program?

  • Shift in compliance culture
  • Higher employee morale
  • Consistent messaging throughout the organization
  • More career opportunities

How do you do it?

Coming up with a proper program means that you should conduct a training needs analysis to determine the gaps and opportunities of your compliance officers. Talking with your CCO, compliance officers and people within the business could determine both your direction and a curriculum for your program.

If you want to create a compliance officer training program, the results of your needs analysis will help determine what the program could look like. It will vary from organization to organization, but the core basics should remain the same. Some of the topics may include: presentation skills, influence and persuasion skills, running effective meetings, and understanding your target audience. These are high-level topics which would have to be defined in granular detail based on when the needs analysis is conducted.

GRC Solutions is an award-winning provider of compliance training. To find out more about our Compliance Officer Training Program, contact us today.

An article written by Justin Muscolino
Head of Compliance Training North America

Detox from Compliance Training in 2019, plan right for 2020!

At this point of the year, staff complain about having too much compliance training to do. They want it to stop and not begin again until it’s absolutely required. Even then, it’s a tough chore to get across. Listening to your audience is important, but you have to wonder how many of them ever really want to do compliance training!

Why do organizations get themselves in this predicament? It’s easy to resolve if you put in the proper structure.

For many years in corporate life I listened to all the commotion from different areas of an organization. A few years into my career I realized that you can’t make everyone happy. All I can do is what’s best for my organization. But I thought, there must be a better way to get buy-in and at least make this less like a chore.

So, I started doing things differently. My plan was to enhance my relationships with each business of the organization, and learn more about what staff do and how I can apply a solid training and/or communications strategy. It wasn’t that difficult. I’d listen carefully to what each business was telling me about staff issues, which in turn helped me to uncover potential risks to the organization.

I didn’t want these conversations to only happen once a year. My goal was to touch base with each business on at least a quarterly basis. I wanted to ensure that all the information I had at my disposal was up to date and also review any new information that I received that might change the training plan for the year.

The next question I asked myself was, “How can I create an effective compliance training program that takes into account the busy times of the year?” Not only would I have to take the risks into consideration, but also timing. Mostly, each department of an organization has different times of the year when they are busy and when they are not. For example, quarter end for an operations department might look much different in comparison to front line staff.

When I initially created the annual training plan, the schedule was staggered across the year so that we could avoid those pitfalls when departments are busy and staff are most sensitive about being taken away from their desk. But remember, what a plan looks like at the beginning could be different from how it ends up at the end of the year. This is why having periodic meetings with your stakeholders is the right thing to do.

To end this edition, here are my top tips for avoiding detox.

Justin’s Top Tips for Avoiding Detox

1. Stagger your training schedule throughout the year. Take advantage of the time when staff are more physically and mentally available.

2. Listen to your staff and take the time to understand their point of view. Even though there might be some complaining involved, you can always pick up some useful information.

3. Do what’s best for your organization. Look at your organization’s risk profile to determine what your staff needs to learn.

4. Control the field by providing thoughtful suggestions and opinions.

5. Keep it short and sweet. Training doesn’t have to be long and boring. Remember your target audience!

6. Provide the right messaging to increase levels of retention. Retention means everything. If they don’t remember, how will they apply their newfound knowledge?

7. Know your target audience and deliver impactful presentations. Make sure it aligns with their roles and responsibilities.

8. Relationships are the key to success. Meet with your stakeholders periodically and let them know you are listening.

9. Make compliance training fun! Well, fun might be an overstatement, but it can be entertaining and impactful.

Nowadays, I help clients and partners construct effective compliance training programs based on my corporate and regulatory experience as well as working for a regulator. These lessons have served me well since I understand the landscape that organizations work in and what is required from our regulators.

If you are interested in learning more of what we can do for your organization, please feel free to contact us.

An article written by Justin Muscolino
Head of Compliance Training
North America

Dealing with training and self-leadership in a high turnover environment

In this excerpt, Justin Muscolino, GRC Solutions’ Head of Compliance Training in North America, and Mervin Brown, Founder and Chief Purpose Connector of MKB Leadership Evolution, explain how to deal with training and self-leadership in a high turnover environment.

Employee turnover is crazy these days in corporate America, yet the picture differs depending on who is talking. It’s not only about employers cutting back staff; it’s also about employees leaving the organization after a short period of time to pursue other opportunities. The major problem is: how do you handle training and self-leadership in an organization these days when both are an issue?

Whenever employee turnover starts to increase above normal levels, members of an organization should ask themselves the following questions:

  1. What can we do differently to retain talent?
  2. Is there an issue with management?
  3. Do we need to change the culture?

These are the questions senior management need to answer, but we would strongly advise using your entrepreneurial ability to either start having these discussions or look for ways to get involved before things get out of hand.


You can find the full whitepaper here: ‘Dealing with training and self-leadership in a high turnover environment’

Written by:

Justin Muscolino
Head of Compliance Training
North America


Mervin Brown
Founder and Chief Purpose Connector
MKB Leadership Evolution

Main Street Banking & GRC Solutions – Podcast

Justin Muscolino, our Head of Compliance Training North America, has been interviewed by Byron Earnheart of Main Street Banking in this very informative podcast discussion about compliance training.

Compliance training does not have to be boring. As a matter of fact, in the many years that we have been evaluating our faculty and our curriculum, one of the highest rated classes is Compliance. The faculty members contribute a great deal to this, to be sure, but the topic is one that must be discussed. And if that’s the case, then let’s make it interesting and actually beneficial to the bank.

Creating compliance training for the relevant audience

In this blog post, Justin Muscolino, GRC Solutions’ Head of Compliance Training in North America, gives tips on how to create a successful compliance training program.

Did you know that prosecutors of the DOJ really do look at whether compliance training programs are geared towards the relevant audience? No joke, I am serious. Last week I read the US Department of Justice “Evaluation of Corporate Compliance Programs” and it’s specifically called out. To say that I was proud is a vast understatement.

During my career leading compliance departments and in my current role heading up GRC Solutions’ Compliance Training in North America, I constantly tell others why it’s so important. Think of it this way, if compliance training is always a “tick-the-box” exercise, what does it say about the compliance culture as a whole in the organization? In my experience, it’s not just training, but in other areas as well.

Whenever I create a compliance training program or single initiative, the biggest key is the level of retention as well as aligning with the target audience. If retention increases for learners, shouldn’t risk decrease? I think it’s an inverse relationship. Basically what I mean is that if staff retain knowledge during a classroom or eLearning training module, they should be better equipped to understand the associated risks, identification of red flags and points of escalation. Right?

Remember, retention decreases over time so any information learned today must be refreshed from time to time. That’s why I always think short-term and long-term. For the short-term, I want to create a training and/or communication that’s memorable and impactful. To do this effectively, you must know the target audience. Something I preach all the time. Is it so hard to do some due diligence in order to understand the target audiences? No, not if you care about doing the right thing. The ultimate goal is to get the retention level so high that, at least theoretically, the risk in the organization reduces.

As for long-term, you need to think of a strategy that makes sense over a given time period. Information acquired diminishes over time, so it needs to be refreshed periodically.

For example, a client of mine wanted to conduct privacy training since it’s a hot topic these days. We conducted the initial launch, but afterwards we came up with a strategy over the next 12 months. This included the creation of a short micro-learning module issued 90 days after the initial launch of the training. Then we scheduled communications every other month thereafter. Finally, since this client conducts annual training to all staff, we included a small section on privacy.

This is an example of what it might look like, but one size does not fit all. Find the proper way to continuously refresh the information so the retention level doesn’t fall to levels where an entire new training on the same subject is needed all too soon.

Do you agree with my sentiments? Regardless of whether you do or not, it would be great to hear from you.

GRC Solutions is an award-winning provider of compliance training. To find out more about our Compliance Officer Training Program, contact us today.


An article written by Justin Muscolino
Head of Compliance Training
North America

British Airways faces record fine for GDPR breach

British Airways faces a £183 million fine (AU $329 million) by the UK Information Commissioner’s Office (ICO) for breaching the EU General Data Protection Regulation (GDPR).

The ICO found that hackers infiltrated British Airways’ website and app and directed customers to an identical-looking fraudulent platform which harvested their credit card details. Approximately 500,000 customers were affected.

The GDPR has been in effect since May 2018. One of the principal requirements under the GDPR is that businesses maintain certain standards of security to protect the personal data they collect or hold. Businesses are also required to report security breaches to their regulator within 72 hours of becoming aware of the breach. While British Airways reported the breach within the required time frame, the ICO still found that it had failed to implement adequate security measures in and around its online booking applications to protect its customers’ data from a cyber attack.

This is the first penalty announced by the ICO for enforcement under the GDPR. The amount represents 1.5% of British Airways’ annual turnover. Under the GDPR, businesses may be fined up to 4% of their annual turnover.

This case demonstrates the need to exercise responsible data privacy management and for businesses to ensure they are aware of, and up to date on, current cybersecurity and technology risks.

While a final penalty amount is yet to be determined and British Airways does have an opportunity to appeal, it’s expected that regulators will take a firm stance on companies who aren’t investing enough into their data security policies. As explained by Information Commissioner Elizabeth Denham, “That’s why the law is clear – when you are entrusted with personal data, you must look after it. Those that don’t will face scrutiny from my office to check they have taken the appropriate steps to protect fundamental privacy rights.”

Sources: The Guardian; Reuters; Forbes

GRC Solutions provides both off-the-shelf and bespoke training on issues surrounding privacy and data protection. To find out more about our GDPR course, contact us today.

George Clooney impersonator charged with identity theft scam

An Italian couple has been arrested in Thailand after conning investors into believing that their clothing business was endorsed by actor and filmmaker George Clooney.

Francesco Galdeli and Vanja Goffi had set up a fashion company called “GC Exclusive by George Clooney”. They had claimed to investors that Clooney was involved in the business and that clothing produced by the company would be sent for export.

The real George Clooney took legal action against the pair for fraudulently using his name back in 2010 and they were sentenced in Milan to 8 years’ imprisonment. They managed to flee Italy but were subsequently arrested in July 2014 after they were found living in Pattaya, Thailand on an expired visa. But Galdeli successfully bribed prison guards with 20,000 Thai baht to cover their escape.

Galdeli and Goffi are known to have operated a range of other scams, including advertising fake Rolex watches online and sending customers packets of salt instead. It was not until June 2019 that Interpol, in conjunction with Thai and Italian authorities, was able to catch the fraudsters for good.

This George Clooney imposter scam isn’t the first time a celebrity’s name has been used to deceive victims. In 2017, a scammer posing as Bruce Springsteen defrauded a woman in Chicago out of US$11,000 by sending her Facebook messages which stated his marriage was ending and he had lost control of his assets. The scheme started relatively small, with the victim sending the fraudster $500 in iTunes cards over a few weeks. But things quickly escalated, with “Springsteen” sending a photo of gold bullion he claimed to have located in Dubai and asking the woman to send thousands in money transfers in order to cover shipping of the bullion to the US.

While many people may like to think they would never fall for such a ploy, the US Federal Trade Commission reported that in 2018 consumers lost close to US$488 million to all types of impostor scams. Whether it’s someone famous contacting you at random, or a member from a “government agency” calling to update your bank details, it always pays to question who’s really at the other end of the line.

GRC Solutions creates award-winning training programs on a range of legal compliance areas. Our new Fraud Awareness course is coming soon; contact Justin today to find out more.

Compliance Evangelist & GRC Solutions – Podcast

Justin Muscolino, our Head of Compliance Training North America, has been interviewed by Tom Fox, the Compliance Evangelist, in this very informative podcast, where they talk all about compliance training and how to help organizations. This podcast is available on Spotify, iTunes, YouTube and Megaphone.

Some of the highlights include:

  1. Why do organizations struggle so much with culture, and what can compliance training do to improve this?
  2. What do organizations often get wrong when it comes to training?
  3. What happens when organizations do not target their training?
  4. One of the issues that organizations face is measuring the effectiveness of their training and benchmarking whether their compliance program is working. How can a compliance professional use benchmarking?
  5. In a blog post on the GRC Solutions website we talk about ways to train compliance professionals on how to improve their cultures. How can you train compliance officers around this issue?
  6. What advice is there for companies trying to incorporate the right culture into their organizations?

Protecting whistleblowers isn’t just a compliance exercise, it’s good for business

Some of the world’s most significant cases of corporate fraud and misconduct first came to light as a result of whistleblower disclosures.

Sherron Watkins and Cynthia Cooper, then-employees of Enron and Worldcom respectively, were key to exposing the massive accounting fraud schemes underlying the businesses.

Jeffrey Wigand was Vice President of Research and Development at Brown & Williamson Tobacco Co. when he blew the whistle on the true addictive quality of cigarettes and exposed deeply unethical business practices within the industry.

In Australia, Jeff Morris, a former financial planner at the Commonwealth Bank of Australia, in 2008 reported his experiences of corruption to the Australian Securities and Investments Commission (ASIC). This disclosure is often credited with instigating what would become the Royal Commission into Misconduct in the Banking, Superannuation and Financial Services Industry (also known as the Banking Royal Commission or the Hayne Royal Commission).

Multiple studies across private and public sectors internationally have shown that whistleblowing is the most effective way of identifying wrongdoing in organisations. A PricewaterhouseCoopers survey of 3,000 in 54 countries found that whistleblowers were the most common source of identification of internal wrongdoing. Research from universities including the Chicago School of Business and the University of Toronto supports a similar conclusion, with findings that employees were the number one fraud detection mechanism when it came to corporate wrongdoing.

Many jurisdictions have laws protecting whistleblowers across a range of circumstances. This often includes requiring organisations to have a whistleblower policy detailing how disclosures can be made and how they will be dealt with, and ensuring that persons who make disclosures do not suffer a reprisal as a result of having made the disclosure.

But protecting whistleblowers should be more than a matter of statutory compliance. Early identification of misconduct is key to minimising adverse impacts on the organisation, but staff and third parties are less likely to report if they feel they will be subject to retaliation. So it’s in all businesses’ best interests to remove barriers to making internal disclosures and to ensure whistleblowers’ safety and, if relevant, anonymity.

Contact GRC Solutions today to learn more about training your staff on how to deal with and make whistleblower reports.



Digital currency offerings are treated as securities offerings

The US SEC (Securities & Exchange Commission) views over 99% of digital currencies issued in the US as security digital currencies, with utility digital currency issuers being the exception. The SEC has issued over 400 subpoenas to digital currency issuers. The Howey test, developed in 1948, still rules the day in determining whether an asset is a security or not. Unfortunately, the Securities Act (1933) could not have reasonably considered the prospect of digital currencies, and consequently hasn’t adapted to this new, tokenized, digital asset trading environment. It’s clear that the SEC doesn’t see either blockchain or digital currency disappearing anytime soon. However, it is the overriding mandate of the SEC to ensure that enough investor protections are implemented from a public policy perspective.

High-risk digital currency jurisdictions are countries that are at a minimum not friendly to digital currencies and/or hostile to digital currencies via regulation or other punitive measures. High-risk countries that digital currency issuers should avoid include Indonesia, Bangladesh, and Nepal. Lower-risk countries that STOs (Security Token Offerings) should avoid include Macedonia, Algeria, Bolivia, Ecuador, and Libya.

On the other hand, the most STO-friendly jurisdictions are Singapore, Malta, Switzerland, Japan, and various Caribbean islands. These countries are digital currency friendly and receptive to STO marketing for the sale and distribution of digital currencies. We will continue to see more regulatory arbitrage, where STOs are marketed in jurisdictions that offer the path of least regulatory resistance. This carries its own separate risks for digital currency holders.

Incidentally and unsurprisingly, none of these countries form part of the G-20, which is where the majority of either security or utility digital currency buyers are likely to be identified with serious interest. It’s the G-20 countries that matter in the final analysis. The biggest challenge in succeeding with this initiative will be regulatory coordination among the G-20 due to varying capital market structures, maturity, political imperatives, and liquidity preferences.

Does the extraterritorial reach of the SEC extend beyond US borders for STOs?

This is an issue of the SEC’s extraterritorial reach in other jurisdictions beyond its borders. As a lead statutory securities regulator, the SEC wields tremendous authority, ferocity, power, and enforcement capability that should never be underestimated. The SEC has been known to exercise its extraterritorial reach far outside its borders, as far as Australia in the case of SEC v. National Australian Bank, for example. Unlike other, smaller securities regulators, the SEC has a $1.6B USD budget. Such a budget allows the SEC to investigate, enforce, and prosecute securities breaches both at home and around the world — the long arm of US securities laws. The SEC can and will prosecute non-resident companies that breach US securities laws. However, the SEC only has jurisdiction over breaches of its own rules under the Securities Act (1933) and Securities & Exchange Act (1934).

We’re also seeing a coordinated approach among securities regulators to fend off bad actors in the digital currency space. In 2018, for example, there was a regulatory sweep by the OSC (Ontario Securities Commission) and the SEC cracking down on a few ICOs (Initial Coin Offerings) that were seen to be shady and suspect. This coordination should give comfort to digital currency investors and purchasers in Canada and the US, especially given how quickly both regulators reacted and investigated.

In fairness, although the SEC has taken a hardline approach to digital currency issuers generally, actual enforcement has not been nearly as harsh as the regulatory environment would predict. We’ve seen the start of a few class-action lawsuits filed against Paragon Coin on behalf of the investor class, and SEC enforcement action against Tezos and Munchee, for example. We should expect such actions, considering that the US is the largest and most powerful capital market globally.

How pervasive is regulatory arbitrage in exploiting differences in digital currency regulation?

Regulatory arbitrage is likely to be more nuanced and multifaceted. For example, a digital currency issuer has both digital currency securities regulation and tax regulation as major risks and concerns. It’s perfectly conceivable, for example, for a security digital currency issuer to select Switzerland for its banking jurisdiction, Panama for taxes, Malta for its exchange (e.g., Binance, the largest digital currency exchange in the world processing $5.6B USD in digital currency transactions, formerly based in Hong Kong, recently moved its operations to Malta), and Isle of Man for its gaming. In effect, this creates a form of “virtual jurisdiction” that takes regulatory arbitrage to new heights.

Japan is unequivocally leading the charge in digital currency exchange regulation by establishing firm and strict rules for all stakeholders in the exchange ecosystem – liquidity providers, third-party vendors, market makers, algorithm providers, and others. Nearly 60% of all digital currency trading is in Japan. This is clearly a market that views regulation as digital currency validation and a way to centralize controls for decentralized digital assets. Regulation provides exchanges with strict standards around the cold storage of digital currencies, for example. Customers that trade digital currency are increasingly concerned about the likelihood of digital currencies being stolen by outsiders over whom they have no control.

What does this mean for digital currency investors and issuers?

  1. STOs are unregulated and lack liquidity: The market for STOs is mainly unregulated, other than two national and regulated digital asset exchanges, the JSE (Jamaica Stock Exchange) and BSE (Barbados Stock Exchange), that are onboarding STO issuers. The technological capability and regulatory approvals required for licensed securities dealers to list and integrate blockchain-native digital currencies into their offerings do not currently exist. This means there is a limited active secondary market for trading, and thereby limited liquidity. Although the JSE and BSE are slowly migrating from a traditional stock exchange to a digital asset exchange (retaining all traditional stock exchange capabilities), boards will need to carefully evaluate their secondary market needs and determine which jurisdiction(s) and what extent of regulation are required to best list their STO. Although regulatory arbitrage has yielded lower regulatory and surveillance costs for digital asset exchanges like Binance, for example, boards need to consider the absence of investor protections or insurance to mitigate against potential frauds, scams, or other malfeasance concerns.
  2. Director liability revisited: If issuers decide to raise capital via an STO, ICO, or IEO (Initial Exchange Offering), and list on decentralised and mainly unregulated exchanges, such exchanges do not provide investor protections or deposit insurance for either issuers or investors. If issuers are sued for any type of fraud, scam, misrepresentation, or other malfeasance, existing D&O liability insurance may be insufficient. The SEC enforcement actions listed above against various STO issuers are evidence that SEC enforcement is alive and well, and directors need the required protections.
  3. Higher leakage costs: Blockchain powers digital currency. Issuers that raise capital via an STO, ICO, or IEO must realize that dissemination of information to shareholders is now instantaneous, giving rise to the efficacy of the efficient market hypothesis. Any internal leakage of material, non-public information about corporate events or transactions is likely to significantly increase leakage or slippage costs. This carries reputational, business, and director liability risks if certain shareholder groups are advantaged at the expense of others.



An article written by Jack J. Bensimon
Managing Partner
Black Swan Diagnostics Inc

Counterfeit goods: fraud, terrorist funding and third party risks

Everyone loves a bargain, but the true cost of counterfeit goods to businesses and individuals is complex and often deeply chilling.

A US$1.7 trillion problem and counting

We often think of the counterfeit goods industry as tourists browsing through “luxury” sunglasses, watches and handbags, care of a street vendor, or maybe a clandestine showroom. But that’s only the tip of the iceberg – after all, it’s an industry that according to the OECD costs the global economy more than US$1.7 trillion. Just look at online retail, which allows consumers to connect with retailers of fake goods half a world away – most commonly in China, although India, Malaysia, Pakistan, Thailand, Turkey, Vietnam, and South Korea are all also reported to be major sources of illicit goods.

And that’s just the consumer level. Businesses’ supply chains are rife with counterfeit goods, often unknowingly. Legitimate businesses have been found selling everything from counterfeit apparel and accessories to counterfeit toothpaste, wine, vitamins, and more.

Risky business

Firstly, and most obviously, there are intellectual property (IP) issues associated with dealing in products that are clearly imitations of someone else’s designs.

Counterfeit goods are generally not of the same quality as legitimate products, nor as thoroughly regulated. Many are even actively dangerous. Dealing in counterfeit goods puts your customers’ health and safety at risk – not to mention the host of reputational and legal risks you and your organization could face should the worst happen.

One of the reasons that counterfeit goods are sold so cheaply is because they tend to be manufactured under forced labor conditions and/or by persons who have been trafficked. This might be a good time to remind you that some jurisdictions, including Australia, require businesses to report on the risks of their engaging in modern slavery through their supply chains, making this a regulatory compliance consideration as well as an ethical one.

Finally – and perhaps most disturbingly – the production and sale of fake goods have been shown to be used as a method of fundraising by organized crime and terrorist organizations. Apparently, it’s even more profitable than drug trafficking. For those entities that have anti-money laundering/combating the financing of terrorism (AML/CFT) obligations, that should ring a few alarm bells. And even those that don’t should be aware that dealing in property owned or held by terrorists is an offence with severe penalties in many jurisdictions.

So how can I ensure my business stays clear of fake goods?

Due diligence is king. Vet your customers and third parties, including your suppliers – remember, their actions could have real, significant implications for your business. Always know your product. Ensure your quality control standards are up to par and are being enforced.

It’s natural to be tempted by something that seems like a good deal. But if it’s too good to be true… remember the risks.


Contact GRC Solutions today for more information about our off-the-shelf and bespoke online training modules on Anti-Money Laundering, Modern Slavery, Fraud, Third Party Risk and more.


GRC Solutions has won the top compliance training and custom development awards in the Asia Pacific at the LearnX Live! Awards 2019.

The LearnX Foundation’s annual awards represent the industry standard in the region.

GRC has good form at the awards, having won for our online compliance training every year since 2008.

This year, we won platinum for Best Learning & Development Project – Compliance for the Banking Code of Practice course we developed with the Australian Banking Association. It’s our twelfth win in a row in this category.

The course brings to life the Code’s best banking practice standards, using scenarios and a sleek, modern design to flesh out precepts on ethical behavior, responsible lending, greater financial protection and increased transparency. It is now being used by ABA member banks throughout Australia.

LearnX also awarded us platinum for Best Learning Model (Bespoke/Custom) for our work with Western Australia’s Department of Mines, Industry Regulation & Safety (DMIRS) on a suite of continuing professional development (CPD) e-learning modules.

DMIRS needed to transform its existing face-to-face training manuscripts into fully fledged online training. This involved drawing on GRC’s writing and editing expertise, as well as developing voiceovers and interactions.

Managing Director Julian Fenwick says the accolades consolidate our place as “leaders in governance, risk and compliance training”, and reflect the “high standards” of our in-house account management, content development, legal and client services teams.

Congratulations to our clients ABA and DMIRS, and to all the winners!

What is an effective compliance program?

An effective compliance program is obviously important to have. But to put a proper program into effect, you need to understand what one should look like. Most people only want to do what the regulators want and not what’s best for their organization. If you implement a program that addresses all your risks with the proper policies and procedures, I guarantee that the regulators will be happy with it. The goal is not only to make the regulators happy, but also what makes sense for you. It’s about:

  • doing a proper risk assessment and identifying the risks in your organization
  • having the proper controls in place so that potential issues are addressed immediately
  • having a culture of compliance that communicates urgency, the escalation points and the need to identify red flags
  • refreshing your message throughout the year and training your people effectively using real-life situations
  • ensuring supervisors are equipped with the right knowledge to create a positive atmosphere for staff
  • having an effective “tone from the top” that engages everyone

Recently the US Department of Justice (DOJ) issued an update to its guidance on evaluating corporate compliance programs. You are more than welcome to read it thoroughly and make your own determination, but it basically tells corporations to use common sense when creating an effective compliance program. This means educating your staff to have a sense of urgency about the need for compliance and creating a culture of compliance that rewards rather than punishes staff for reporting or escalating potential issues.

As Assistant Attorney General Brian A. Benczkowski mentioned in his keynote address to the 2019 Annual Impact Conference, “But a company’s compliance program is the first line of defense that prevents the misconduct from happening in the first place. It has the ability to keep the company off our radar screen entirely.” This starts with creating an effective program that builds a good culture of compliance from new hires to long-tenured staff. This is not a one-off event or “tick-a-box” formality; it’s a mindset that needs to be refreshed periodically throughout your organization. Think of a political campaign. Candidates don’t give one speech to win an election. They continuously spread the message and reinforce it over time.

You need to be agile with your thinking and make gradual improvements, evaluating successes and failures to determine if there are gaps and opportunities. A good program evolves by soliciting feedback then training your staff accordingly. Staying with the status quo is not the right choice. When people, technology and the industry change, you need to adapt.

In conclusion, what I’m saying is that if you use your common sense and do what’s best for your organization, everything will be alright!

GRC Solutions is an award-winning provider of compliance training. To find out more about our Compliance Officer Training Program, contact us today.


An article written by Justin Muscolino
Head of Compliance Training
North America

7 Tips for Creating a Successful Compliance Training Program

In this blog post, Justin Muscolino, GRC Solutions’ Head of Compliance Training in North America, gives tips on how to create a successful compliance training program. This blog post has been created in partnership with eThink Education.

Many organizations struggle with constructing a solid compliance training program. It’s not a hard chore, but it requires attention and research. The common perception is that we need to do what the regulators want and focus less on the real risks that are paramount to an organization. Regulators want organizations to mitigate risk and control it in such a fashion that there are no concerns. Sometimes regulators will suggest or recommend a topic for inclusion, but if it doesn’t make sense from an organizational structure then why include it? A few regulators will require certain training topics, which obviously need to be included, but beyond that, it’s purely about the risk profile of an organization.

It’s one thing to have all the components in a training plan from a risk perspective, but you still need to build effective training.

Building effective training doesn’t have to be difficult, but in order to achieve the main goals of mitigating risk and increasing employee learning retention, you want the materials to be impactful and meaningful. Include these elements to ensure a memorable compliance training program.

How to Create Impactful and Meaningful Compliance Training

  • Retention. The best way to grasp this concept is to look at the Learning Pyramid. This shows how people best retain information. Utilize an approach that works best for your target audience.
  • Creativity. With every training, regardless of if it’s classroom or online, you want to be creative with the subject. Try incorporating pertinent case studies or regulatory actions that best suit the audience.
  • Interactivity. Engaging your audience is important. It not only helps with retention, but it allows them to be part of the training delivery. Exercises that incorporate real-life examples and get employee involvement are also crucial.

Increase Efficiency

Another consideration in a solid training plan is to create efficiency. Here are a couple of things to keep in mind to make the efforts efficient:

  • Budget. Always ask for more funds than needed. During the year, the training plan will change, and you might be asked to add more initiatives due to regulatory changes, updated policies and procedures, new products and services offered, new systems and management mandates.
  • Exclusivity. Review all the training entries to determine if there is any overlap of topics between departments. It’s always a great idea to train more than one department at a time if there is a workflow that impacts both areas. It’s also great for relationships between departments.
  • Time-saving. The goal is also to save time since you are taking staff members away from their desk. So, if you can produce one training that covers multiple topics and they are related, your audience will appreciate it. For example, if you have two regulations to discuss and they are somewhat intertwined, it’s better to have an hour and a half spent than two hours.
  • Avoid overtraining. Determine what percentage of the training plan each topic makes up. The goal is to see if there are any concentrations that may lead to overtraining.

Creating an efficient training program is not a difficult chore, but it must be done right, and you have to put forth the appropriate due diligence for it to be successful. Remember, after you create a training plan it becomes a living document. This means that during the course of the year it will change based on new rules and regulations, industry advances and, don’t forget, internal changes. And lastly, the ultimate goal of a training program is to achieve a positive shift in compliance culture.

An article written by Justin Muscolino
Head of Compliance Training
North America

1MDB case: Trial into global corruption scandal begins

The trial against former Malaysian Prime Minister Najib Razak has continued to unveil the depth of corruption involving 1Malaysia Development Berhad (1MDB). Over two hearings at Malaysia’s High Court, Mr Razak has so far pleaded not guilty to seven charges relating to criminal breach of trust, money laundering, and abuse of power surrounding the theft of US$10.3 million from 1MDB subsidiary SRC International (SRC). With a total of 42 charges leveled against him and multiple companies involved worldwide, the repercussions are set to be ongoing.

Both the US Department of Justice and Malaysian prosecutors have taken legal action, with an estimated US$4.5 billion in total misappropriated from the state investment fund 1MDB. In his capacity as both prime minister and finance minister, Najib was allegedly able to use his position to divert funds into personal accounts and provide for a lavish lifestyle. US-based investment bank Goldman Sachs has also been brought into the scandal. Former employees are said to have falsified statements relating to illegal bond transactions with 1MDB and taken advantage of lenient compliance procedures.

The assistant registrar at the Companies Commission of Malaysia gave technical evidence on corporate records during the first day of the trial. SRC, its subsidiary Gandingan Mentari and Ihsan Perdana, which was a corporate social responsibility partner for 1MDB, have also been implicated. But while many officials involved in the money laundering have been caught, the suspected mastermind behind the entire scheme, Jho Low, remains at large. A second trial will begin in November, focusing on reports that Razak deliberately tampered with the final audit report for 1MDB to mislead the Public Accounts Committee and avoid criminal action. But with 3000 pages of evidence submitted by the prosecution, it appears that this expansive corruption case is unlikely to go unpunished. It serves as a reminder to all government and financial organisations that checks on power and due diligence over where funds are being directed cannot be underestimated.

GRC Solutions is an award-winning provider of compliance training. To find out more about our anti-bribery and corruption or anti-money laundering courses, contact us today.

Sources: Channel News Asia; Malay Mail

GO1 & GRC Solutions Partner

GRC Solutions is excited to announce a partnership with GO1. This collaboration brings together one of the leading providers of compliance training with one of the world’s fastest growing marketplaces for eLearning.

GO1 Premium users will now have access to an ever-growing list of titles from GRC Solutions that address critical governance, risk and compliance topics. GRC Solutions makes learning interventions that are suitable for the United States, Australia, New Zealand, Singapore, Malaysia, and Hong Kong.

As global leaders in governance, risk, and compliance training, GRC Solutions aims not only to train staff, but also to develop and improve the compliance culture across a business. “The GRC Solutions team is excited to be working with GO1! This collaboration will help advance our message around the importance of education in supporting positive workplace cultures”, said Dean Rogers, GRC Solutions’ Head of Sales and Marketing.

About GO1

GO1 is an established leader in online learning and education, and works alongside some of the largest companies in the world covering a wide range of industries and regions. Inspiring education and learning is at the very core of what they do. Their mission is to unlock positive potential through a love for learning.
To learn more about GO1, please visit www.go1.com.


The business of ethical decision-making

What do we mean when we talk about ethical decision-making in a professional context, such as business ethics?

‘Ethics’ is really just a set of rules for behaviour.

They may be specific rules, such as “Always declare any conflict of interest before your board starts discussing a relevant issue”. They may be general rules, such as “Always try to look after your client’s best interests”.

You can say that ‘ethics’ is a set of rules/standards that are applied to evaluate the ‘rightness’ or ‘wrongness’ of actions in a particular context. For example:

  • Medical ethics refers to the rules of behaviour which apply in the health care sector.
  • Legal ethics refers to the rules of behaviour which apply to lawyers.

Ethical rules differ from legal rules:

  • There is often no explicit punishment, penalty or right to sue associated with a breach of ethical rules – whereas there are with legal rules.
  • Ethical rules are – to an extent at least – adopted voluntarily by people they apply to – but you can’t opt out of legal rules.

That doesn’t mean that legal rules and ethical rules necessarily cover different subjects. Sometimes there are ethical rules and legal rules that are the same as each other.

But even if they don’t lead to explicit punishment, breaches of ethical rules can have consequences:

  • If you breach the ethical rules of a profession, you might be fined or even disbarred from practice by the profession’s governing body.
  • If you behave unethically in society, you can be shamed, shunned, reviled, held up to ridicule, lose your customers, lose your advertisers, lose your sponsors, lose your staff, or suffer productivity loss due to loss of staff morale.

GRC Solutions offers award-winning compliance training in a range of areas, including ethical decision making. To learn more about our courses, contact us today.

How to develop a summary for your training needs analysis

In this excerpt, Justin Muscolino, GRC Solutions’ Head of Compliance Training in North America, explains how to develop a summary for your training needs analysis.

When creating your summary for a needs analysis, you need to understand the organizational goals and objectives as well as regulators’ expectations. In the financial industry there are several regulators, but your organization will only have a certain number depending on the products and services offered. Your summary should include which regulators are applicable and what products or services need to be covered.

Do your regulators require certain compliance training topics to be trained on? This should be identified in your summary, along with the relevant rules and regulations. In addition, organizational locations should be cited.

You will also need to identify how you will handle non-Full Time Equivalents (non-FTEs) in addition to existing staff. Will new hires, consultants, contractors and part-time staff be trained the same as FTEs or will there be a separate curriculum?

Lastly, you should outline the methodology that you adopt to perform your needs analysis. Is it a risk-based approach? If so, provide some details about your approach. For example: ‘a risk-based approach was used to identify the key risks within the organization, prioritizing the compliance training program around these risks.’

The summary should be detailed, providing an overall view of what and how you are targeting full compliance coverage through training.

The data derived from your needs analysis should be featured in your training plan. There should be a column devoted to acknowledging the sources from which the training entries originated (i.e. risk assessment, audit, or examination). This is covered in detail in the training plan section.

The key is to show a linkage throughout the process. If an audit or regulator conducts an examination, you will be able to show a detailed audit trail of each training entry.

You can find the full whitepaper here: ‘Conducting a Needs Analysis and Developing a Training Plan’

Written by Justin Muscolino
Head of Compliance Training
North America

College admissions bribery scandal

An FBI investigation known as ‘Operation Varsity Blues’ has found a network of celebrities, business executives and other powerful figures at the center of a college admissions bribery scandal.

A Californian tutoring organization called the Key is alleged to have made $US25 million by charging parents to secure spots for their children in elite schools, including Ivy League universities. The Key’s founder, William Singer, is believed to have set up a separate sham charity to launder the money he collected, which he used to help his students cheat their way into securing spots in prestigious colleges.

Singer has pleaded guilty to all his charges, including fraud and two forms of bribery. However, Singer is not the only one under scrutiny. The bribery ring is bringing down multiple parties, including parents and universities. Some parents paid hundreds of thousands, and sometimes millions of dollars per child to a fixer who would channel that money to bribe certain college officials.

The accused parents include American television stars Felicity Huffman and Lori Loughlin who have lost contract deals and suffered immediate reputational damage as a result of the scandal. Some parents who are prominent business executives have been suspended from their positions while their children, now students, find themselves in an uncertain limbo regarding their continuing enrolment.

Universities such as Yale, Stanford, and Georgetown are also facing lawsuits from students claiming that they and others were denied a fair chance at admission. The universities are accused of failing to maintain adequate protocols and security measures that would guarantee the sanctity of the college admission process.

A civil lawsuit has brought allegations against the parents, coaches and university administrators involved in the bribery ring. The scandal has cast an astonishingly wide net over different individuals and institutions, highlighting the pervasive, broad-ranging nature of bribery itself. Bribery isn’t just a white-collar crime; almost anybody in any industry, including the education sector, could engage in it. They can also be held liable for it and face grave penalties as a result.


GRC Solutions is an award-winning provider of compliance training. To find out more about our Anti-Bribery and Corruption course, contact us today.

Source: ABC News, The Atlantic


If the Corruption Perceptions Index (CPI) results for 2019 prove anything, it’s this: no country is immune to corruption. In fact, out of 180 countries, not one earns a perfect score, with the average global score being 43 out of 100. The USA dropped out of the top 20 countries altogether.

Transparency International (TI) started the CPI in 1995, and it is now the leading global indicator of public sector corruption. The CPI scores 180 countries on their perceived levels of corruption based on data about specific corrupt behavior including bribery, diversion of public funds, use of public funds for private gain, and nepotism. The CPI uses a scale of zero (highly corrupt) to 100 (very clean) to rank countries.

China, India, Indonesia and the USA all slipped down the list. China fell from 77th place to 87th place with a CPI score of 39 out of 100.

The 2018 Exporting Corruption report highlights that even when countries are perceived to have relatively low levels of corruption, they may fail to investigate and punish companies implicated in paying bribes overseas. Even if corruption isn’t prevalent within our borders, our presence in countries that are rife with corruption still has the potential to taint us.

TI also notes the way weak institutions and unresponsive political systems that lack a focus on compliance with anti-corruption laws can undermine democracy. In the context of international trade in goods, this failure to support democratic principles of governance perpetuates a culture of corruption and leads to over $2.6 trillion in losses annually.

No country should take a good score alone as a sign that they are doing enough to combat corruption. The CPI sends a powerful message about the need for constant monitoring and vigilance when it comes to stamping out corruption in public structures – and this of course has ramifications for the private sector, too.


Source: Transparency International

eThink Education & GRC Solutions Partner

GRC Solutions is excited to announce a partnership with eThink Education, a leading Learning Management System (LMS) solutions provider. Through this alliance, eThink will be able to offer clients the ability to deploy highly effective compliance eLearning which can be customized to suit their employee training strategy.

GRC Solutions are global leaders in Governance, Risk and Compliance training. They are regulatory compliance experts with proven experience in delivering high quality, effective training. GRC Solutions aims not only to train staff, but also to develop and improve the compliance culture across a business.

GRC Solutions creates modular compliance training programs designed to suit a range of job roles and levels within organizations. They believe that one size doesn’t fit all and that attaining speed to competence – becoming proficient in key concepts quickly – is essential for staff. Courses can be developed in micro and adaptive learning formats, are fully mobile enabled, and offer text-to-speech narration.

GRC Solutions works closely with clients to customize training in accordance with organizational compliance policies and corporate culture. This helps to make practical legal and compliance topics relevant and engaging to learners. Courses developed on GRC Solutions’ platform can be delivered through eThink’s LMS environments, incorporating both the in-line multilingual feature as well as client-side edit capability.

eThink Education provides a fully managed eLearning solution for open-source Moodle and Totara, covering all LMS needs including implementation, cloud hosting, integration, consultation, and management services. Because eThink Education and GRC Solutions both employ a value-driven and service-oriented model, this partnership ensures total client satisfaction in LMS design, course creation, and eLearning efficacy.

“We are excited to be working with eThink Education, a company that has highly personalized customer service at its heart. We hope the addition of our compliance training expertise and software platforms will enhance eThink’s client offerings substantially,” said Justin Muscolino, GRC Solutions Head of Compliance Training North America.

“GRC Solutions provides premium compliance eLearning courses, written by legal and regulatory experts, that are effectively tailored to meet the needs of our clients,” said Brian Carlson, CEO & Co-Founder of eThink Education. “We are proud to add GRC Solutions’ fully customizable content and platform solutions to our growing network of partner resources for our clients to take advantage of.”

About eThink Education 

eThink Education provides a fully managed e-learning solution including implementation, cloud hosting, integration, consultation, and management services for open-source Moodle and Totara. Managed by experts, eThink’s total solution provides a dynamic and customizable platform to meet specific institutional and organizational needs. With clients in various industries including healthcare, education, nonprofit, government and corporate, eThink can help all types of organizations to maximize the effectiveness of their e-learning programs for improved business outcomes. To learn more about eThink Education, please visit ethinkeducation.com.


How to begin developing a training needs analysis

A needs analysis should not be taken lightly. The overall goal is to ensure from a compliance training standpoint that all organizational risks are covered. During the needs analysis stage, the key is to gather as much data as possible to formulate your training plan. If certain data is missed, the organization, the Chief Compliance Officer (CCO), and you could be held accountable if the regulators come in for an examination. To cover all your bases, a solid project plan must be in place. Think of yourself as being a project manager: you need to lay out the approach, timelines, milestones, and the approval process.

There are four steps for conducting a thorough needs analysis:

  1. Understand the organizational goals and objectives
  2. Collect data
  3. Analyze data
  4. Discuss with key stakeholders

Understand the organizational goals and objectives

When creating your summary for a needs analysis, you need to understand the organizational goals and objectives as well as regulators’ expectations. In the financial industry there are several regulators, but your organization will only have a certain number depending on the products and services offered. Your summary should include which regulators are applicable and what products or services need to be covered.

Do your regulators require certain compliance training topics to be trained on? This should be identified in your summary, along with the relevant rules and regulations.

In addition, organizational locations should be cited.

You will also need to identify how you will handle non-Full Time Equivalents (non-FTEs) in addition to existing staff. Will new hires, consultants, contractors and part-time staff be trained the same as FTEs or will there be a separate curriculum? Lastly, you should outline the methodology that you adopt to perform your needs analysis. Is it a risk-based approach? If so, provide some details about your approach. For example: ‘a risk-based approach was used to identify the key risks within the organization, prioritizing the compliance training program around these risks.’

The summary should be detailed, providing an overall view of what and how you are targeting full compliance coverage through training.

The data derived from your needs analysis should feature in your training plan.

There should be a column devoted to acknowledging the sources from which the training entries originated (i.e. risk assessment, audit, or examination). This is covered in detail in the training plan section.

The key is to show a linkage throughout the process. If an audit or regulator conducts an examination, you will be able to show a detailed audit trail of each training entry.

This is an excerpt from our new whitepaper, ‘Conducting a Needs Analysis and Developing a Training Plan’


Written by Justin Muscolino
Head of Compliance Training
North America


Understanding your target audience to create more effective eLearning training

In this blog post, Justin Muscolino, GRC Solutions’ Head of Compliance Training in North America, discusses the importance of understanding who the audience is for your compliance training.

When I first started in compliance training, I remember having a conversation with a senior member of a financial institution about an upcoming eLearning module. During the conversation I asked him a few questions about the target audience, so that I could better understand how to align the training to the relevant staff. I remember like it was yesterday. He had this very confused look on his face and had no idea why I was asking these questions. Did he want this training to simply be a ‘tick the box’ exercise? Or did I need to explain the rationale for the questions? The result was that he didn’t care too much.

I have seen a shift over the years. More people are paying attention to the target audience, but not to a point where knowledge retention is higher and risk is mitigated, resulting in a better compliance culture.

For example, if an organization wants to launch code of conduct training, they may need to take into account geographic differences in policies, recent issues with regulators in a particular region or specific behaviors identified by management that warrant such a training. All this information should be considered. Also, different departments (operations, trading, investment banking) might require different case studies that are more pertinent to their workplaces and practices.

If any of these considerations resonate, let me ask: do you want one training that covers everyone? Probably not. That might be considered information overload. Or you find that people may get upset or frustrated by being exposed to so much information that isn’t relevant to their role.

What happens when you get it wrong?

A couple of issues could arise, such as a lack of memory retention or staff pushback due to the perception that you are wasting their time.

What happens when you get it right?

Asking questions about the target audience is important in order to align the proper solution to the business. Maybe the answer after defining the target audience is that different forms of e-learning training or even blended learning would provide greater benefit. Or maybe the scenarios, case studies, images and graphics would differ. Without knowing these details, it can be hard to define the best solution.

Here are some questions I typically ask:

  1. Is this training going to all staff? You should include consultants, contractors and part-time staff.
    This shouldn’t change the solution, but a breakdown may help.
  2. Where is your staff located?
    You need to understand if there are any technological issues with certain locations.
  3. What is the reason for this training? Is there any urgency for this training?
    An action from a regulator, an audit or a shift in compliance culture.

Questions to ask yourself:

  1. If this training is not foundational in nature, has the staff been trained on the necessary pre-requisites?
  2. How am I going to make sure that staff retain the information?
  3. What type of effectiveness measurement do I want to employ?
    An assessment is typical with an e-learning module, but you might want to factor in behavioral changes.
  4. What is the right level of interactivity for this audience?
  5. Did I check previous training to determine look and feel?
  6. Did I check the assessment scores and completion rate?

I have seen many e-learning firms try to sell me something that they advocate because of the amazing technology, bells and whistles of their training modules. Only once do I recall someone asking me some specifics about who needs to receive this training, but not in detail.

So, you must ask yourself: how important is it for the target audience to understand their e-learning?


An article written by Justin Muscolino
Head of Compliance Training
North America

Training Compliance Officers

In this blog post, Justin Muscolino, GRC Solutions’ Head of Compliance Training in North America, reflects on the benefits of having a training program for Compliance Officers.

During my career in compliance training I’ve learned first-hand that you need all the assistance you can get. It’s important to get others involved in delivering your message. One way to do that in a consistent manner is to equip Compliance Officers with the necessary skills and knowledge to be an extension of you. Compliance Officers typically deal directly with the business, either portions of it or as a whole. Increasing their capabilities to deliver more effective training can only aid in delivering your message. This also creates a great opportunity to change the compliance culture in your firm.

I realized early in my career that it can be difficult at times to get the necessary buy-in from business leaders to deliver an effective compliance training program. That’s why I started looking at possibilities to be more effective in my role. That’s why I thought it was important to have others working in compliance to help me deliver messages throughout the firm. Then I started realizing that not everyone has the skillset and style to achieve these goals. What if I trained them effectively to understand what it takes to deliver the appropriate messages? I created a program aimed at enhancing the capabilities of Compliance Officers to deliver effective training.

Over the years the program evolved into something more. There were other areas in which Compliance Officers needed assistance after they performed a thorough needs analysis. A few ideas surfaced, particularly about the need to deliver a clear and crisp message.

There were many times when I attended business meetings with other Compliance Officers in which they weren’t asking the necessary questions, didn’t have the right mindset, or couldn’t convey a message.

Think about it. Could a training program for compliance officers shift the culture of compliance? Yes, it could. By delivering a consistent message and approach you can change the culture.

What are the benefits of creating a Compliance Officer program?

  • Shift in compliance culture
  • Consistent messaging
  • More effective training and better performance (and presence) in meetings
  • Better alignment to the firm’s needs

How do you do it?

Coming up with a proper program means that you will have to conduct a needs analysis to determine the gaps and opportunities of your Compliance Officers. Talking with your CCO, Compliance Officers and people within the business could determine your direction and eventually a curriculum for your program. Here are some example questions to ask:

1. Business

a. What skills do you think can be developed further to enhance the relationships (i.e. communication, presentation, organization) with your department?
b. How do you feel about the current state of risk in your business?

2. CCO

a. In your vision, how would you like Compliance Officers to be perceived by the business and the firm?
b. Has there been any feedback from the business on our compliance officers?
c. Where do you think there are opportunities for improvement?

3. Compliance Officers

a. Where do you see opportunities for improvement?
b. What type of training can help you in dealing with the business?

When asking these types of questions, remember that this is not a performance evaluation of a particular compliance officer, but a way to improve the compliance culture throughout the firm.

If you want to create a Compliance Officer training program, the results of your needs analysis can determine what the program will look like. It will vary from firm to firm, but the core basics should remain the same. Some of the possible topics may include: presentation skills, influence and persuasion skills, running effective meetings and understanding your target audience. These are high level topics which would have to be defined in granular detail based on the needs analysis conducted.

An article written by Justin Muscolino
Head of Compliance Training
North America

Workplace bullying more common than you think

A missed invitation to the annual staff celebration. A group of colleagues snickering as you walk past. A snide remark about what you’re wearing as you sit down at your desk. By themselves, it would be easy to dismiss each of these incidents as the usual obstacles of navigating your workplace’s social hierarchy. But together they paint a different picture, illustrating that bullying at work is rarely obvious at first glance and so requires strategies to combat it which alter the culture and behavior of employees at their core. Its impact on productivity and employees’ psychological wellbeing can’t be ignored, with research from the University of Phoenix revealing 75 per cent of workers in the US have been exposed to workplace bullying. Below are a couple of common misconceptions you may have heard about the topic:

“No one looks upset at work, so everyone must be getting along”

While you may be able to recognize someone being bullied if they’re being repeatedly shouted at by another colleague in the middle of the office, most bullying happens behind closed doors. Employees who are the targets of continuous anti-social and intimidation tactics at work and/or online could be too afraid to speak up. ‘Not wanting to cause a fuss’ or feeling as if their complaint will be ignored are some key reasons behind bullying being left unreported, which perpetuates a culture of silence and validates bad behavior.

Mindset switch:

  • As a manager, be proactive in ensuring that communications between employees are respectful and be aware of toxic ‘office politics’ which may indicate some employees don’t feel safe at work. Emotionally intelligent bosses make themselves approachable and knowledgeable about not only the tasks allocated to each team member, but also how they interact with each other and they will step in to resolve conflict where required.

“I was just providing necessary criticism”

At some stage in your career, you’re bound to face some critique of your work. This should be with the aim of helping you improve and not directed as an attack based on a personal characteristic such as race, age, gender identity, religion or sexual orientation, which would make such conduct unlawful. Bullies can mask overly degrading commentary as ‘constructive criticism’ when its real impact is to damage the victim’s self-esteem and embarrass them in front of other colleagues.

Mindset switch:

  • If you have constructive feedback about someone’s work, have an open dialogue with thoughtful advice on how they can improve. Never make aggressive or unsubstantiated statements which criticize a team member personally.

Encouraging inclusive workplace practices and taking a zero-tolerance approach to bullying will keep employees happy and deliver positive results overall. The Healthy Workplace Bill is the first piece of legislation which specifically targets bullying at work and the obligations of employers. The Senate Labor & Commerce Committee is expected to provide updates on its implementation in the coming months.


GRC Solutions is an award-winning provider of compliance training. To find out more about our Diversity & Equality course which details how your workplace should manage and prevent bullying, contact us today.

Source: Workplace Bullying Institute

Justin Muscolino Joins GRC Solutions’ US operations

GRC Solutions is pleased to announce that Justin Muscolino has joined our New York operations as Head of Compliance Training Operations in North America. 

Justin draws on his longstanding experience in compliance, training and regulation for the banking sector. He was Macquarie Group’s Head of Americas Compliance Training and JPMorgan Chase’s Compliance Training Manager. More recently, he served as Head of Compliance Training at Bank of China.

Justin has also worked at the US regulator FINRA, where he helped create Examiner University, seeking to nurture and develop examiners’ skills to deal with financial institutions. 

“I’m excited to join GRC after more than 20 years in corporate. After dealing with vendors throughout my career, I can lend my expertise to GRC on best practices when dealing with financial institutions,” Justin says. 

“GRC is well-placed to provide premium quality compliance consulting and training to the financial services sector which attracted me to this opportunity.” 

In January 2016 GRC Solutions opened our New York office with our unique adaptive e-learning technology. In Australia we have continued to win awards at the industry LearnX Awards for many years, including Best Compliance Program and Best Custom Project in 2018.  

GRC Solutions was the recipient of a prestigious Brandon Hall Group’s Excellence Award and was a finalist at the Premier’s NSW Export Awards. 

Three tips for your new year’s compliance checkup

January may signify the loss of sun-drenched beachside holidays as you readjust to business as usual, but it’s also an opportune time to refresh your organisation’s objectives and check in with staff to begin the year on a positive note. Setting ambitious sales targets and devising strategies for new clients may be top of the agenda, though it pays to do a compliance checkup along the way with these tips in mind:

1. Identify gaps in learning and compliance training

A training needs analysis may not seem like the most exhilarating activity at first glance. But it can go a long way towards ensuring that your training covers all the relevant areas and does more than just ‘tick a box’. Ensuring that company procedures are published and updated, and that staff at all levels have completed their relevant compliance training, will mean everyone is on the same page with common goals.

2. Make your teams aware of compliance contacts and their responsibilities

Who can employees go to if they suspect an IT scam is making the rounds? What if simmering tensions between a few workers haven’t mended over the holiday break? It’s important that staff know what the Compliance Officer is responsible for and are comfortable enough to approach them or management when these types of issues arise. It goes back to establishing a culture that promotes clear lines of communication, but also the old saying that “prevention is better than cure”. This brings us to the third tip.

3. Review risk management procedures through assessing your workplace culture

“Risk management” and “due diligence” always come up when talking about compliance procedures. Your organisation’s workplace culture is where risk management starts – if employees are in an environment where their peers are acting with a compliance mindset, they’re more likely to follow suit. Implementing programs which demonstrate real-world scenarios that your employees can directly relate to is a great place to start. Bringing together multiple departments through workshops or discussion groups about their approaches to high-risk areas like fraud awareness is also a good way to check that your compliance policies are being adopted. Further training can then be adapted as required to fill any gaps in knowledge and embed compliance as a fundamental part of how workers carry out their everyday tasks.

Some key checkpoints:

  • Are new employees briefed on the importance of a collaborative and diligent workplace culture led by example?
  • Does your company have a fraud awareness plan and social media policy?
  • Do your meetings just focus on the numbers or is there also a focus on establishing good business ethics?

GRC Solutions provides a large library of award-winning online compliance training, as well as customisation and bespoke development services.

Morgan Stanley pays penalty for employee fraud

On 29 June 2018, Morgan Stanley Smith Barney LLC (Morgan Stanley), an investment adviser and broker-dealer, agreed to pay a US$3.6 million penalty for failing to prevent its employee from misappropriating funds from client accounts.

Background

Barry F. Connell, a financial adviser at Morgan Stanley, misappropriated $7 million from client accounts.

The theft was possible because Morgan Stanley permitted financial advisers like Connell to initiate third-party disbursements of up to $100,000. The only requirement for financial advisers was to provide a written attestation that they had received a verbal request from the client to incur the disbursements.

From December 2015, Connell began misappropriating funds from an elderly couple’s account by falsely representing the couple’s instructions to his assistant. Connell made it appear in Morgan Stanley’s system that the couple had requested a funds transfer.

Connell gave approximately 90 false attestations over a year until the clients questioned the unauthorized transactions.

The consequences

Connell has been charged with fraud in both civil and criminal proceedings.

Morgan Stanley was also charged with failing to prevent the fraud. The company settled the charges with the US Securities and Exchange Commission (SEC) for $3.6 million and gave an undertaking to comply with its obligations under the Advisers Act to prevent fraud.

Morgan Stanley also agreed to pay the clients for the loss of their funds, plus interest.

To remedy the loopholes, Morgan Stanley increased its anti-fraud expenditures and hired fraud operations personnel.

A proactive approach to fraud risk

In 2018, PWC reported that 52% of all frauds are committed by people within an organization. The repercussions from fraud can be damaging. Organizations should take the following proactive approach to addressing the risk of fraud:

  • Implement policies and procedures that are reasonably designed to detect and prevent fraud. Morgan Stanley, in this instance, had the policies and procedures but according to the SEC, they were not reasonably designed to detect and prevent potential misconduct with client accounts.
  • Have a check and balance system for employees’ decision-making. Do not authorize only one person to make a decision, particularly in relation to money matters.
  • Encourage employees to ask questions when they suspect something at work.
  • Create awareness among employees about fraud and the ways to detect and prevent it.
  • Have policies and procedures to protect whistleblowers.
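
The control weakness in the Connell case (one adviser could move up to $100,000 on his own attestation) and the check-and-balance recommendation above, as an added example that is not Morgan Stanley’s code or policy: a preventive dual-control check on each disbursement, and a detective check that flags advisers who self-attest an unusual number of transfers for one client. All records, role names and the limit of 12 attestations are constructed for illustration.

```python
"""Dual-control checks for adviser-initiated third-party disbursements.

Added example modelled on the control weakness described above: one adviser
could move up to $100,000 of client money on nothing more than their own
written attestation of a verbal client request. The records, role names and
alert thresholds below are constructed for illustration; none of this is
Morgan Stanley's code or policy.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional


@dataclass
class Disbursement:
    request_id: str
    adviser: str                        # employee who initiated the transfer
    client: str
    amount: float
    requested: date
    attested_by: str                    # who attests the client verbally asked for it
    verified_by: Optional[str] = None   # independent callback to the client
    approved_by: Optional[str] = None   # second, independent approver


def weak_policy(d: Disbursement) -> bool:
    """The control as the case describes it: below $100,000 the initiating
    adviser's own attestation is all that is required."""
    return d.amount <= 100_000 and d.attested_by == d.adviser


def dual_control(d: Disbursement) -> tuple:
    """Segregation of duties: the person who requests a transfer may neither
    confirm the client's instruction nor approve the payment.
    Returns (passed, list_of_findings)."""
    findings = []
    if d.verified_by is None:
        findings.append("no independent client verification")
    elif d.verified_by == d.adviser:
        findings.append("client verification done by the initiating adviser")
    if d.approved_by is None:
        findings.append("no second approver")
    elif d.approved_by in (d.adviser, d.verified_by):
        findings.append("approver not independent of initiator or verifier")
    return (not findings, findings)


def attestation_outliers(history, window_days=365, max_per_client=12):
    """Detective control: flag (adviser, client) pairs with more self-attested
    disbursements in a rolling window than policy tolerates. The case above
    saw roughly 90 attestations against one account in a year; the limit of
    12 is a constructed value."""
    recent = defaultdict(list)   # (adviser, client) -> request dates in window
    flagged = set()
    for d in sorted(history, key=lambda x: x.requested):
        if d.attested_by != d.adviser:
            continue                      # only self-attested requests count
        key = (d.adviser, d.client)
        recent[key].append(d.requested)
        cutoff = d.requested - timedelta(days=window_days)
        recent[key] = [t for t in recent[key] if t >= cutoff]
        if len(recent[key]) > max_per_client:
            flagged.add(key)
    return flagged


def sample_history():
    """Constructed records: one adviser draining one client's account in
    self-attested transfers, and one adviser following dual control."""
    start = date(2015, 12, 1)
    rogue = [
        Disbursement(f"R{i:02d}", "adv-01", "client-07", 45_000,
                     start + timedelta(days=20 * i), attested_by="adv-01")
        for i in range(15)
    ]
    clean = [
        Disbursement(f"C{i}", "adv-02", "client-03", 60_000,
                     start + timedelta(days=90 * i), attested_by="adv-02",
                     verified_by="ops-desk", approved_by="branch-mgr")
        for i in range(3)
    ]
    return rogue + clean


if __name__ == "__main__":
    hist = sample_history()
    print("weak policy accepts rogue request:", weak_policy(hist[0]))
    print("dual control on rogue request:", dual_control(hist[0]))
    print("dual control on clean request:", dual_control(hist[-1]))
    print("outliers:", attestation_outliers(hist))
```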

GRC Solutions offers a wide-ranging library of Salt Compliance e-learning courses, including Fraud Awareness and Whistleblowing. Contact us today for more information.

Source: PWC, SEC

What do you need to know about the GDPR?

You may have noticed a flurry of privacy policy updates in your inbox in the last few weeks. There’s a good reason for that – the GDPR is here and it could apply to you.

What is the GDPR?

The EU’s General Data Protection Regulation (GDPR) commenced on May 25 2018, and its impacts are being felt worldwide. These new rules for data collection and storage apply to all EU-based companies and residents as well as any businesses outside the EU that handle the data of EU residents. Basically, this means that if you do business with any EU companies, or market goods or services to EU residents, then the GDPR applies to you.

The GDPR contains 99 articles that define what data can be collected and stored and the conditions of that storage. In addition, there is a requirement of explicit, voluntary consent for data collection, and an obligation to allow all individuals access to their data.

The GDPR regulates not just the usual private information – name, email address, street address – but also cookies, IP addresses, and location information.

Are you compliant?

The broad application and detail in the GDPR means that you need to adapt your response to your business. Implementation may not be straightforward, and you will need to build your response into everyday work practice.

Under the GDPR you will have to clearly define the data you collect and how you store that information. Moreover, the requirement of explicit, voluntary consent means that you must communicate in plain language, avoiding any jargon or legalese, and the customer must have a genuine opportunity to opt out.

If you share that information with any third parties, you will have to include a Data Processing Addendum (DPA) in any agreement. A DPA should define the type of data accessible to the third party and their obligation to comply with your privacy requirements.

GDPR readiness will require, among other actions, a revision of your privacy policy, staff training and a review of many of your customer communication forms – for example, your email opt-in and contact forms.

What is different about the GDPR?

The GDPR holds companies to a higher standard in order to protect the rights of individuals.

While a lot of privacy regulations focus on a company’s duty to protect its data from hackers, these regulations require the company to demonstrate responsible privacy management. In this context, absence of breach does not ensure compliance.

Compliance with these new regulations will require companies to achieve this higher standard. And with penalties of up to 4% of your worldwide annual revenue or over US$23 million, they need to adapt quickly.

Sources: Regulation (EU) 2016/679; Forbes: The Biggest GDPR Mistake U.S. Companies are Making; Security Intelligence: Getting Ready for GDPR; CSO: GDPR is live! Now what?; Forbes: Is Your Business GDPR Compliant?

GRC Solutions offers a wide-ranging library of Salt Compliance e-learning courses. Contact us today for more information.



Australia’s biggest bank to pay AUD$702.5 million to settle anti-money laundering case

The Commonwealth Bank of Australia (CBA) has agreed to pay the biggest money laundering penalty in the country’s history to settle the current case against it for 53,700 breaches of its anti-money laundering and counter-terrorist financing (AML/CTF) laws.

The money laundering case arose from claims by Australia’s financial intelligence agency, AUSTRAC, that the bank had failed to make its required suspicious and threshold transaction reports and carry out ongoing customer due diligence.

According to AUSTRAC, the primary cause of those breaches was the bank’s use of so-called “Intelligent Deposit Machines” (IDMs), a type of ATM that allowed anonymous cash deposits and instantly credited the amount to the customer’s account. Crucially, at the time they were introduced in May 2012, there was no limit on the amount of cash that could be deposited this way.

For example, one criminal, Mr Yuen Hong Fung, was able to deposit $670,000 of drug sale proceeds into his bank account in one day using a CBA IDM without triggering the bank’s AML/CTF controls.

Ultimately, it was a local branch manager who raised the issue of possible suspicious activity with the bank, after watching Mr Fung shovel huge sums of cash into the ATMs.

AUSTRAC estimates that, by the time CBA finally imposed a daily IDM cash deposit limit, $20.6 million in dirty money had passed through IDMs.
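
The monitoring the IDM case above turned on, as an added example that is not CBA’s or AUSTRAC’s code: replaying a day of self-service cash deposits to produce threshold transaction reports, enforce a per-account daily cash cap (the control that was missing from May 2012), and flag the pattern of repeated just-under-threshold deposits. The A$10,000 figure is the AML/CTF Act cash reporting threshold; the $20,000 daily limit and every deposit record are constructed for illustration, since the page gives no figure for the limit CBA adopted.

```python
"""Daily cash-deposit monitoring for a self-service deposit channel.

Added example (not CBA's or AUSTRAC's code) of the controls the IDM case above
turned on: a per-deposit threshold transaction report (TTR), a per-account
daily cash limit, and a watch for repeated just-under-threshold deposits.
The A$10,000 figure is the AML/CTF Act cash reporting threshold; the daily
limit and every deposit record here are constructed for illustration.
"""
from collections import defaultdict
from datetime import datetime

TTR_THRESHOLD = 10_000      # cash deposits at or above this must be reported
DAILY_IDM_LIMIT = 20_000    # constructed value; the page gives no figure
NEAR_BAND = 0.9             # 90%-100% of threshold counts as "just under"
NEAR_COUNT = 3              # that many in one day per account raises an alert


def monitor(deposits, threshold=TTR_THRESHOLD, daily_limit=DAILY_IDM_LIMIT):
    """Replay IDM cash deposits in time order and return what a monitoring
    desk needs: TTRs to file, deposits the daily limit blocked, accounts
    showing a structuring pattern, and accepted cash per account per day.
    daily_limit=None reproduces the original 'no limit' configuration."""
    totals = defaultdict(float)   # (account, day) -> accepted cash so far
    near = defaultdict(int)       # (account, day) -> just-under-threshold attempts
    ttrs, rejected, structuring = [], [], set()
    for dep in sorted(deposits, key=lambda d: d["ts"]):
        if dep["channel"] != "IDM" or dep["type"] != "cash":
            continue                      # other channels are out of scope here
        key = (dep["account"], dep["ts"].date().isoformat())
        amount = dep["amount"]
        # Pattern detection looks at attempts, accepted or not.
        if threshold * NEAR_BAND <= amount < threshold:
            near[key] += 1
            if near[key] >= NEAR_COUNT:
                structuring.add(dep["account"])
        # The preventive control CBA initially lacked: a hard daily cap.
        if daily_limit is not None and totals[key] + amount > daily_limit:
            rejected.append(dep["id"])
            continue
        totals[key] += amount
        if amount >= threshold:
            ttrs.append(dep["id"])        # report the completed transaction
    return {
        "ttr": ttrs,
        "rejected": rejected,
        "structuring": sorted(structuring),
        "daily_totals": dict(totals),
    }


def sample_deposits():
    """Constructed records for one trading day: one account feeding cash in
    all morning, and one ordinary account."""
    def t(h, m):
        return datetime(2014, 6, 3, h, m)

    def dep(i, account, kind, amount, ts):
        return {"id": f"d{i}", "account": account, "channel": "IDM",
                "type": kind, "amount": amount, "ts": ts}

    return [
        dep(1, "ACC-1", "cash", 9_800, t(9, 5)),
        dep(2, "ACC-1", "cash", 9_900, t(9, 20)),
        dep(3, "ACC-1", "cash", 9_700, t(10, 1)),
        dep(4, "ACC-1", "cash", 15_000, t(11, 30)),
        dep(5, "ACC-2", "cheque", 12_000, t(12, 0)),
        dep(6, "ACC-2", "cash", 500, t(14, 45)),
    ]


if __name__ == "__main__":
    print("with daily limit:", monitor(sample_deposits()))
    print("no limit (as in 2012):", monitor(sample_deposits(), daily_limit=None))
```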

As part of the settlement, CBA has admitted it failed to adequately monitor over 778,000 accounts and to carry out proper AML/CTF risk assessments, as well as to the late filing of over 53,500 suspicious matter reports.

“While not deliberate, we fully appreciate the seriousness of the mistakes we made,” CEO Matt Comyn said in a public statement.

Contact GRC Solutions today for more information on our Anti-Money Laundering training and other generic and bespoke online compliance training offerings.

Sources: AFR, ABC News, Reuters.

New York Says #MeToo to New Anti-Sexual Harassment Laws for New York Employers

New York State has passed new laws to implement stronger protections against workplace harassment. In the wake of the #MeToo movement and widespread allegations of sexual harassment in the workplace, the state will now require employers to provide annual anti-sexual harassment training to all employees.

Here are the key takeaways from the new state and city laws that employers need to know:

Employers must deliver annual anti-sexual harassment training

From October 9 2018, all New York employers are required to provide annual anti-sexual harassment training to all employees. Employers can use a model program developed by state agencies or they can establish their own training program that meets or exceeds the new law’s requirements. The training program must be interactive and will need to:

  • Explain sexual harassment
  • Provide specific examples of inappropriate conduct
  • Detail information about federal, state and local laws and the remedies available to victims of harassment
  • Inform employees of their external rights of redress and all available forums for bringing a complaint

Adopt a prevention policy

New York employers must adopt and distribute a written anti-sexual harassment prevention policy by October 9 2018 that meets the following requirements:

  • Prohibits sexual harassment and provides examples of what constitutes sexual harassment
  • Includes information about federal and state sexual harassment laws and remedies available to victims
  • Includes a standard complaint form and a procedure for timely and confidential investigation of complaints
  • Informs employees of their rights and the external remedies available to them
  • Clearly states that sexual harassment is a form of employee misconduct and sanctions will be enforced against any individual engaging in sexual harassment and against supervisors and managers who knowingly allow such behavior to continue
  • Clearly states that retaliation against individuals who complain, testify or assist in any legal proceeding is unlawful

Employers must also account for the new protections against sexual harassment for “non-employees”. Employers will now be liable for sexual harassment claims made by contractors, subcontractors, vendors, consultants and other individuals providing services pursuant to a contract if the employer knew or should have known about the harassment and failed to take immediate and appropriate action.

Arbitration and non-disclosure provisions will be prohibited

By July 11 2018, non-disclosure clauses and arbitration provisions in agreements to settle sexual harassment claims will be prohibited without the express consent of the complainant.

Additional Obligations for New York City Employers

The “Stop Sexual Harassment in New York City Act” passed on April 11 2018 is one of the strictest anti-sexual harassment laws in the country.

  • Mandatory annual anti-sexual harassment trainings will also be required by the new city law. Employers with 15 or more employees must conduct annual and interactive anti-sexual harassment training for all employees – including interns. New employees must receive the training within 90 days of hire. Unlike the state law, the city law requires employers to keep records for at least 3 years.
  • All employers are covered by anti-discrimination laws. The existing city law prohibiting gender-based harassment now applies to all employers regardless of the size of the organization.
  • Employers must display anti-sexual harassment posters in workplaces.

Next Steps

Employers should review their existing policies, procedures and trainings to ensure compliance with the new minimum standards set by the new state and city laws. Given the focus on the role of supervisors in reporting and handling incidents of sexual harassment, employers should also ensure their supervisors are properly trained on the new law and the organization’s anti-sexual harassment policy.

GRC Solutions offers a wide-ranging library of Salt Compliance e-learning courses and develops anti-sexual harassment and discrimination training for large-scale clients globally. Contact us today for more information.


Starbucks shuts stores for a day for anti-bias training

On 29 May 2018, Starbucks, one of the world’s largest coffeehouse chains, closed its business in the US for the day across 8000 stores to provide its employees with anti-bias and diversity training.


On 12 April 2018, six police officers in Philadelphia took two black men into custody at a Starbucks store after an employee made a complaint. The two men had not purchased anything, were reportedly waiting for another person and had refused to leave the store.

The incident was captured on video and watched by millions online. A public outcry followed, and questions were raised about a culture of racial bias against black men at Starbucks.

Starbucks response

Starbucks CEO Kevin Johnson released a statement on the same day promising to investigate the incident and make necessary changes to prevent it from happening in future.

The company then took the step of providing its 175,000 employees with implicit bias training.

Johnson says that the company is taking a long-term view of its commitment and that training costs would be “an important investment in the tens of millions”.

Implicit/Unconscious Bias

Implicit or unconscious bias means having a preconceived attitude or stereotype against someone which affects our understanding of, and conduct towards, others in an unconscious manner.

According to the Perception Institute, a US research organization, studies have found that incidents like this one are a common example of implicit bias: white people frequently associate criminality with black people without realizing that they are being biased.

What can businesses learn from it?

This incident has certainly impacted Starbucks with both negative publicity and financial consequences, given the settlement money that the company will be paying the victims of the arrest.

But this incident illustrates just one of many forms that unconscious bias can take.

An important step in challenging the influence of unconscious biases within any business is to train employees on biases in general, and to promote a general culture of awareness.

GRC Solutions offers a wide-ranging library of Salt Compliance e-learning courses, including Unconscious Bias and Diversity & Equality. Contact us today for more information.

Source: Starbucks, Perception Institute

Cyber security alert: Major ransomware attack on city of Atlanta

The Cyberattack

On 22 March 2018, a ransomware attacker encrypted the city of Atlanta’s IT systems before allegedly demanding a ransom to decrypt them.

Encryption converts information into a coded form that can only be read by using the corresponding key to convert it back into a readable format; in a ransomware attack, only the attacker holds that key.

Consequences of the attack

The city of Atlanta has said it is not aware of any compromise of personal data. But the encryption has affected many of its departments’ computer systems and automated administrative processes. This includes the handling of emergency service requests, the processing of water bills and parking tickets, and the availability of airport wifi services.

Most city employees were only able to turn their computers back on as of 27 March 2018. Some continue to use manual processes.

The city has been working alongside the FBI, the US Department of Homeland Security (DHS), Microsoft and Cisco to resolve the incident. The Mayor is said to have called this incident ‘an attack on digital infrastructure’. It remains to be seen how the US DHS Privacy Office will respond to the potential privacy breaches.

Who are the ransomware attackers?

The city has not yet disclosed details of the attackers. However it is reported that a group known as the ‘SamSam ransomware family’ is responsible. The attackers are suspected to have taken advantage of publicly open city services to gain an access point. Weak IT security measures may have also contributed to the spread of the ransomware.

The Preventative Measures

The consequences of cyber security attacks can be huge, resulting in financial loss, decreased productivity, liability for privacy breaches, and damage to reputation. It is paramount that organisations take their information system security seriously at a strategic level. Organisations can seek to mitigate risks by ensuring that appropriate cybersecurity protocols are in place and that employees are adequately trained to help prevent breaches.

GRC Solutions offers a wide-ranging library of Salt Compliance e-learning courses, including Cyber Security and Privacy. Contact us today for more information.

Sources: City of Atlanta, CSO Online

Keppel Corp involved in US$1 billion bribery scandal

Keppel Corp, Singapore’s oil rig builder, is embroiled in one of the biggest international bribery and corruption scandals Singapore has seen in recent times.

Investigations revealed Keppel Offshore & Marine’s (KOM) involvement in a scheme that ran from 2001 to 2014 and paid US$55 million in bribes to win contracts with the Brazilian company Petrobras.

The bribes resulted in more than US$1 billion in contracts for KOM.

The Singapore government is the biggest shareholder of the company with Temasek Holdings owning about 20 percent of Keppel Corp’s shares.

Although Keppel Corp denies it, an agent of Keppel Offshore, Zwi Skornicki, alleged that he was authorized by senior executives to pay bribes on behalf of the company.

As part of a global resolution with authorities in Singapore, Brazil and the United States, KOM has agreed to pay US$422 million in fines.

Member of Parliament (MP) Sylvia Lim questioned this measure for its “implications on local law enforcement and prosecutorial decisions”.

Worker’s Party MP Pritam Singh is also curious about the measures taken by the Ministry and Temasek Holdings to ensure that government-linked companies (GLCs) refrain from corrupt practices.

The immediate measures KOM adopted, including financial sanctions, resignations, demotions and written warnings, together with an agreement to improve compliance and controls within the company, earned the company a discount on its applicable fine.

Call for increased responsibility within government-linked companies

The incident taints Singapore’s pristine, corruption-free reputation.

Corporate governance experts suggest that Keppel is likely to be held to higher standards since it is a GLC.

Accounting Professor of the National University of Singapore Mak Yuen Teen highlighted that “as the controlling shareholder, Temasek has a stewardship role over the GLCs and need to hold the boards and management accountable”.

The other GLC companies involved are Keppel, Sembcorp and ST Engineering.

CIMB economist Song Seng Wun attributes the increased susceptibility to corruption in these industries to the “large sums of money moving around” in the offshore and marine, mining and construction sectors.

He adds that similar future incidents will be handled with graver consequences.

It is essential that GLCs, especially, set a strong standard of compliance and corporate governance in Singapore.

Talk to GRC Solutions today about our Salt Compliance online training courses, including our Anti-Bribery and Corruption courses.

Sources: Reuters, Today, The Straits Times

Hollywood harassment and your workplace

How celebrity scandals dictate how corporate America deals with sexual harassment

Looking back onto 2017, one prominent issue has dominated the headlines: sexual harassment. Never before has there been such a strong and persistent focus on calling out perpetrators of harassment. In the wake of sexual misconduct revelations about Harvey Weinstein, Kevin Spacey, Matt Lauer and dozens of other prominent men in politics, media and entertainment, millions of people worldwide have shared their stories about being sexually harassed and assaulted.

A rocky week – again

This week has been no different. In the space of just a few days we saw Republican Roy Moore spectacularly lose the Alabama special election because of alleged misconduct towards girls as young as 14 years old, Salma Hayek’s searing opinion piece Harvey Weinstein is my Monster too, reports that celebrity restaurateur Ken Friedman has been accused of sexual misconduct by 10 women, and on it goes.

In light of this, it is perhaps not surprising that Time magazine’s Most Influential Person of 2017 is The Silence Breakers, a social movement aimed at raising awareness about sexual harassment and assault. The movement is epitomized by the #MeToo hashtag, and there is no sign that this handle is about to become obsolete any time soon.

Backlash and prosecution

So why is all of this coming out now? The answer to that is the power of social media and the immediate and severe backlash it inflicts. Entertainment studios are scrambling to disengage from perceived perpetrators faster than you can say “sexual harassment accusation”. Kevin Spacey was unceremoniously dumped from House of Cards when Netflix swiftly cut all ties with the actor after allegations arose. Christopher Plummer, who replaced Spacey in All the Money in the World, scooped up a Golden Globe for his role earlier this week. While all this happened, corporate America watched and learned… and followed suit.

What this means for the workplace

Caught up by the wave of the #MeToo accusations, even organizations that have had solid harassment policies in place for years are feeling renewed pressure to act. This is because a further consequence of social media’s far-reaching powers is that no cases can be perceived to be swept under the carpet. After all, the vast majority of claims occur out of the glare of the spotlight. Public scrutiny and attention may have been rare until recently but now, inaction is frowned upon.

When people speak up, their complaints are expected to be thoroughly investigated by HR and reported to the authorities if necessary. In this environment, it is unlikely that a case, no matter how small, will go uninvestigated.

The role of culture

Though not as dramatically, the landscape of corporate culture has been changing steadily over recent years. Study after study shows the importance of a healthy corporate culture which, we now all know, is good for business. There are many ways to go about establishing a healthy work environment in an organization. The effectiveness of a “tone from the top” culture has been proven time and again, as has that of measures to monitor team culture and genuine whistleblower protections. Culture directs how an organization and its staff think, make decisions and actually behave.

Ensuring compliance is therefore key, and the accountability of employees is extremely important. Employees are expected to understand their employer’s core values and, most importantly, that they will be rewarded or held to account for their behavior in relation to these values.

Looking ahead at 2018

These cases show all too clearly that we are entering a phase where workplace misconduct is no longer tolerated and where double standards are called out instantly. The public expects that all organizations put employee health and wellbeing first, and this will undoubtedly continue in 2018. The outcome of the Alabama election indicates that political parties may elevate the issue onto the national agenda.

Upcoming holiday season

At this time of the year, organizations must think of employee wellbeing during the holiday season celebrations. Employers must ask the following questions: Do all staff know the line between flirting and sexual harassment? Between banter and bullying? What if staff carry on after the work party or go to a client function? And the million-dollar question: what are your social media guidelines?

For too many organizations, January 2 comes around with a formal complaint. Start off the new year with the commitment not to partake in any celebrity drama.

About the author

As an education adviser, Nathalie creates and delivers tailored learning for many organizations and industries. Her field of expertise is regulatory compliance with an emphasis on Organizational Culture and Business Ethics, as well as Cyber Security and Financial Crime topics. Nathalie is closely involved in the content development of the Salt e-learning for GRC Solutions. For further information, visit https://grcsolutions.co or email contactus@grcsolutions.co

GRC Solutions attends the American Banker RegTech “Compliance Transformed” Conference

On October 3rd and 4th 2017, GRC Solutions consultant Matt Wadley attended the American Banker RegTech “Compliance Transformed” Conference in Brooklyn, New York.

The conference sought to bring together banks, regulators, venture capitalists, consultants and regtech vendors for a discussion about how the emergence of a new RegTech industry is transforming how financial institutions approach compliance—making it easier, and less expensive. The event was a fascinating look into the different ways that players in the financial industry compliance space are viewing and using emerging RegTech technologies.

Some of the highlights of the conference included:

• A highly diverse range of speakers and panelists that ran the gamut from regulators to venture capitalists, journalists to commentators, financial institutions and the vendors serving them. Each group brought a unique perspective to RegTech and the process of sharing their different viewpoints will continue to help these groups understand each other’s needs and concerns, as well as foster dialogue and collaboration.
• Practical and specific illustrations of the application of RegTech solutions to compliance challenges from financial institutions large and small.
• Insight into new and emerging RegTech technologies and solutions.
• Indications by regulators as to the role they see RegTech playing now and in the future and the challenges posed by that technology.
• Visions of the potential future of RegTech and its ability to not only solve compliance challenges presented by the current regulatory framework but also to potentially shape the future regulatory framework itself.
• Specific examples of RegTech companies and their attributes that venture funds are attracted to in this space.

The consensus was that RegTech can deliver the promise of decreased cost with increased efficiency, an outcome generally not associated with compliance where costs have been rising exponentially. Most attendees and speakers agreed that the current rate of increase in resources devoted to compliance is sustainable.

The conference was universally praised by all participants who GRC Solutions talked with and looks set to become a fixture in the conference calendar.

Why diversity and equality matters: the cautionary tale of Uber

Legendary management consultant Peter Drucker once said, “Culture eats strategy for breakfast”. Perhaps Uber – and particularly its recently-departed CEO Travis Kalanick – had never heard of the quote or decided that revenue and expansion were more important than treating employees with basic decency.

Former Uber employee Susan Fowler blew the whistle on the infamous start-up in a now-famous blog post back in February. Her article detailed how a select few individuals within Uber were deemed untouchable. Not only were they immune to any complaints of sexual harassment, Kalanick went so far as to publicly acknowledge them as embodying the 14 core values of the organisation.

When people talk about Uber, they’re often referencing its status as one of the prized darlings of Silicon Valley and its fabled rise from tiny start-up to a titanic taxi-industry disrupter. Today, the company is valued at $70 billion and operates in 83 different countries.

But as Fowler’s article demonstrates, even a giant “success story” like Uber is not immune to the reputational damage caused by poor workplace culture. Nor can it escape other costs, including paying compensation to victims of harassment and the costs of replacing staff who can no longer work in hostile environments.

Uber is not the first company whose serious corporate culture issues have made international news. Sadly, too many organisations normalise sexism and too many victims and other employees are discouraged from speaking out against it. It’s startling to think that Uber’s harassment problems could have remained buried, and its business model unquestioned, if it hadn’t been for one brave female engineer taking a stand. Diversity and equality training has been around long enough now that staff expect their employers to take harassment claims seriously, and that they will not be victimised for blowing the whistle on toxic behaviour.

GRC Solutions offers Diversity and Equality training for staff at all levels within an organisation – both online learning courses that everyone takes and tailored workshops for small groups or management. Contact us today to find out how we can help.

Millions of dollars of celebrity’s jewellery linked to 1MDB case

Australian model Miranda Kerr is the latest celebrity to be caught up in Malaysia’s 1Malaysia Development Berhad (1MDB) corruption and money laundering scandal.

Malaysian financier Jho Low gifted Kerr USD$8 million worth of jewellery allegedly paid for with funds misappropriated from the 1MDB fund. Kerr recently turned the jewellery over to US authorities and has not been accused of any wrongdoing.

1MDB investors have also alleged that the 2013 Hollywood film The Wolf of Wall Street was partly financed with diverted 1MDB funds. Actor Leonardo DiCaprio has returned USD$12 million worth of artwork and a Marlon Brando Oscar statuette given to him by 1MDB financiers.

The US Justice Department has sought to collect USD$1.7 billion worth of goods bought with misappropriated 1MDB funds. So far this has included a luxury yacht, a Bombardier jet, real estate in New York, Los Angeles and London, as well as Kerr’s jewellery and DiCaprio’s Picasso painting.

The 1MDB scandal first made headlines in 2015, with allegations that Malaysian Prime Minister Najib Tun Razak had siphoned off almost USD$700 million from the government fund for national development for his own personal benefit. Malaysia’s first lady was also accused of receiving $30 million in jewellery paid for by the stolen funds.

Law enforcement agencies in countries including the US, Singapore, Hong Kong, the UAE and Switzerland have been conducting their own investigations into the issue, and taking action to freeze accounts and recover assets. The cases are ongoing.

Want to learn more about anti-bribery and corruption or anti-money laundering? GRC Solutions offers off-the-shelf e-learning, bespoke content and face-to-face workshops. Contact us today for more information.

US anti-money laundering framework has “severe deficiencies” when it comes to the real estate market, says Transparency International

Global anti-corruption organization Transparency International has revealed that the US real estate industry has severe anti-money laundering deficiencies.

The “Doors Wide Open” report identifies 10 prominent legal loopholes and regulatory failures allowing criminals to launder stolen money through luxury real estate purchases in the US, the UK, Canada and Australia. The report alleges that the US has deficiencies in nine of the 10 identified areas.

The UK was found to have deficiencies in only one of the 10 areas, while Australia had deficiencies in all 10.

Even though the USA PATRIOT Act 2001 originally required real estate professionals in America to perform customer due diligence, a transitional exemption from their obligations remains in place. The US regulatory framework also lacks restrictions on, or checks of, foreign entities who purchase property.

The real estate market is a perennial favourite with criminals seeking to convert illegitimate proceeds into clean money, especially in cities with high, stable property values, such as New York City, London or Paris.

The Financial Crimes Enforcement Network (FinCEN)’s Geographic Targeting Orders (GTOs) require certain title companies to report details of the beneficial owners of high-value real estate purchased using cash (i.e. non-mortgage transactions). In February 2017, FinCEN reported that approximately 30 percent of GTO transactions involved an owner or purchaser who was the subject of a previous suspicious activity report, corroborating concerns about the use of shell companies to buy real estate in cash transactions.

In 2015, the US National Association of Realtors found that 59 percent of real estate purchases by international clients were made in cash. The same report found that 62 percent of international clients’ property purchases were made in cash.

Transparency International’s recommendations include widening the scope of anti-money laundering provisions to include professionals involved in real estate transactions, and requiring foreign purchasers of real estate to provide beneficial owner information.

Are you up to date on your AML/CTF obligations? Contact GRC Solutions today for information about our off-the-shelf and custom online compliance training on customer due diligence, monitoring and reporting obligations and other AML risks.

Sources: Transparency International, BoingBoing, SBS News, The Australian

GRC Solutions’ Certified Compliance Professional courses in Nairobi and Dubai a big success

The GRC Solutions Singapore team has conducted another two highly successful runs of the Certified Compliance Professional course, in Nairobi, Kenya and Dubai, UAE.

Covering a total of 18 compliance practitioners across these jurisdictions, GRC Solutions continues to prove a valuable partner to the compliance profession, working alongside industry and regulators to upskill individuals and advance thought leadership across the industry.

The five-day Certified Compliance Professional course is accredited by the International Academy of Business and Financial Management. The content aligns with ISO19600 Compliance Management Standard guidelines and principles.

The course covers both organisational and individual development, with the aim of providing participants with the skills and knowledge to advance to a mature, sustainable state of compliance effectiveness. Participants gain an understanding of strategic compliance, moving away from tactical responses towards significant organisational change.

The course also places the challenges of managing business risk and compliance requirements within the context of the broader regulatory environment, considering the dangers posed by conduct risk, poor compliance culture, financial crime and terrorist financing.

The workshops received acclaim for the way they combined theory with case studies and real-life examples to tie the concepts to practical actions.

A participant from Nairobi said, “The program was relevant and exciting”, with another exclaiming, “The training is very good with lots of information and examples”.

Sam Gibbins takes a selfie with the Certified Compliance Professional attendees

In Dubai, one participant said:

“The real insights of market knowledge and case studies were useful. The trainer’s knowledge was up to date and the real-life examples were related well to the key concepts in the Compliance Risk, AML and Governance area.”

Another declared:

“Sam Gibbins is an excellent trainer, he is clear, accurate, eloquent and made the long and hard course quite fun and digestible. His information was updated, engaging and relevant to the participants. Sam did a great job in making the…sessions fun as well.”

Further runs of the Certified Compliance Professional course are due to take place in Harare, Zimbabwe (March), Kuwait (May), Ghana (May), and Johannesburg, RSA (July).

Contact us for further information on any of these programs or our other offerings, including our extensive library of online courseware and tailored content.

We look forward to seeing you on one of our courses soon!

US Department of Justice (DOJ) publishes new evaluation guidance for compliance programs

The DOJ’s Fraud Section recently released its Evaluation of Corporate Compliance Programs, containing guidance on 11 key topics that federal criminal investigators consider when assessing a corporation’s compliance program.

The 11 topic areas:

  1. Analysis and Remediation of Underlying Misconduct
  2. Senior and Middle Management
  3. Autonomy and Resources
  4. Policies and Procedures (Design and Accessibility; Operational Integration)
  5. Risk Assessment
  6. Training and Communications
  7. Confidential Reporting and Investigation
  8. Incentives and Disciplinary Measures
  9. Continuous Improvement, Periodic Testing and Review
  10. Third Party Management
  11. Mergers and Acquisitions

Of particular note is the DOJ’s focus on the day-to-day operation of compliance programs. For example, the Evaluation invokes the principles of “root cause analysis” and examines the importance of, and processes involved in, identifying the systemic problems underlying any misconduct. It also asks whether any earlier opportunities to detect the misconduct were missed, and what remediation the company undertook in response.

The integration of the compliance program into a company’s management systems (a key indicator of its compliance culture) is another area of emphasis. The Evaluation examines how compliance resources are allocated, and whether compliance personnel have the authority and autonomy to pursue compliance concerns.

While no high-level report can specifically address a company’s unique risk profile, the Evaluation provides valuable insight into how the DOJ assesses compliance programs, and serves as a practical outline for designing, enhancing or implementing rigorous compliance programs.

Contact GRC Solutions today for more information about our off-the-shelf and custom corporate compliance training modules.

Source: US Department of Justice Evaluation of Corporate Compliance Programs, Global Compliance News