UPFRONT COMPLIANCE CORNERPicking up the Pieces Responding to Looting Though Protocols, Methods and SystemsBY DANIEL HOYERCertain events stemming from civil unrest in late May and early June can only be described as tragic. Opportunists looted and otherwise destroyed storefront businesses nationwide. Several of the stores targeted were small businesses, and, specifically, financial service centers. My heart sank when numerous clients informed me of the damage that had occurred at their locations.Cliché as it may be, challenges provide opportunities to reassess existing, compliance protocols, methods, systems, and programs, as well as implement new ones.Should you have faced the challenge of reassembling what you had previously constructed, you likely found that securing the company’s premises and data were of upmost importance. Hopefully, your business-continuity and cyber-security plans served you well, coordinating efforts with the appropriate teams within your organization (or outside of it). (I’m confident that all FiSCA members had implemented such programs prior to the looting!) If they did not, the opportunity, and your ability to tailor them appropriately, is only further enhanced by the experience garnered from these events.Perhaps you considered coordinating efforts to assess and document damage, contact appropriate parties, document action plans, and document the resolution process (potentially ongoing) – including safeguards/controls implemented – with legal counsel. If you became aware of a data breach due to theft of “digital devices” (more on this following), you might have sought the advice of an attorney with privacy and data security expertise.You likely contacted local law enforcement. (This course of action was probably your first step of action if the safety and security of your employees or business was in jeopardy.) Not only is the documentation obtained during and after an investigation by the police department able to assist with the restitution process, it is further proof that the incident occurred.Hopefully, thoroughly documenting and generating and preserving evidence of the damage that occurred to the business served, and will continue to serve, you well – not only for operations purposes, but also when your business is subject to examination.I’d anticipate that you contacted the appropriate stakeholders, which likely included – depending on documented agreement and/or applicability – your bank(s), principals on whose behalf you offer financial products/services, agents, vendors, etc. While stakeholders may not have had formal procedures in place to address looting (specifically), as a representative from the Global Compliance Department of Western Union Financial Services, Inc. confirmed, “…our Agent should immediately notify their… Sales Representative if their… services are down/inoperable for more than 24 hours due to any circumstance, but, especially… with the civil unrest and looting of businesses.” In correspondence, a representative from Republic Bank also encouraged ongoing communication. Perhaps you received/reviewed the statement Digital Currency Systems (DCS) released that, among additional objectives, reflected the company’s commitment to assisting clients throughout the rebuilding process, even emailing the address they provided for assistance and/or visiting the unique page on their website to facilitate communication/distribution of information.You may have contacted state agencies, federal agencies, and/or consumers/customers concerning the damage incurred by your business.Though BSA regulations and existing guidance and rulings do not suggest an obligation to report looting to the Internal Revenue Service (IRS) or the Financial Crimes Enforcement Network (FinCEN), and IRS agents (privately) confirmed as such, in accordance with FinCEN’s recommendation concerning any illicit activity occurring at a financial institution, you may have determined voluntary filing of a Suspicious Activity Report (SAR) was appropriate. While FinCEN outlined reporting obligations concerning “cyber events” in FIN-2016-A005, a FinCEN representative confirmed that theft of “digital devices” does not, in and of itself, constitution a cyber event. (FinCEN did state that cyber events could be facilitated by such theft, however, and, should the business be made aware of such event, reporting to FinCEN would be mandatory.) Hopefully, there was no need for you to report such an event.Although both federal and state laws require certain businesses that obtain/retain non-public personal information (NPI) to establish and maintain information/cyber-security safeguards/programs, state laws establish requirements to notify customers of a data breach.For example, in Illinois, the Personal Information Protection Act (815 ILCS 530) states that notice of breach is required when “unauthorized acquisition of computerized data that compromises the security, confidentiality, or integrity of personal information maintained by the data collector” has occurred. With any luck, you didn’t have to provide notice to the Attorney General and/or the General Assembly, nor will you have to in the future. (The Illinois Department of Financial and Professional Regulation has documented its appreciation of currency exchange licensees maintaining an open dialogue and voluntarily reporting noncyber-related events.) Again, engaging an attorney specializing in such matters was an intelligent action on your part.Perhaps you notified your state’s department of financial services because you anticipated your location(s) remaining closed more than a set number of days, as required by law.You may have utilized such resources as the Federal Trade Commission’s Data Breach Response: A Guide for Businesses, consumed content on the New York State Department of Financial Services Cybersecurity Resource Center, or browsed the Federal Financial Institutions Examination Council (FFIEC) “Business Continuity Management” website.And you strengthened existing, and implement new safeguards, further minimizing the likelihood your business would be subject to such events in the future, no doubt.Above all, hopefully you identified that you’re not alone during this challenging time; the FiSCA community is, as it always has been, here to help.Daniel Hoyer, CAMS, is President of Optimized Compliance Solutions, LLC. He may be contacted at DHoyer@optimizedcompliance.com.