Together, these new laws create an uneven regulatory patchwork that has already resulted in the divestment of billions of dollars in state funds from investment managers. Investors and businesses increasingly face a choice between complying with these new state laws and achieving the ESG goals promised to investors and stakeholders. New laws introduced in 2023 expand the scope of anti-ESG laws and present significant uncertainty for an increasing range of businesses.

Fiduciary duties & non-pecuniary factors

Federal regulators and conservative lawmakers in some states are taking opposing approaches to defining the duties of fiduciaries. Investors making decisions using ESG frameworks include factors such as greenhouse gas emissions, which go beyond traditional fiduciary criteria like return on investment. The conflict reflects a philosophical disagreement between the belief that companies should work only to maximize returns, on one hand, and consideration of the interests of a wider range of stakeholders and outcomes, on the other.

In 2022, the U.S. Department of Labor (DOL) released a final rule addressing when fiduciaries may consider ESG factors in accordance with their fiduciary duties under the Employment Retirement Income Security Act of 1974 (ERISA). Under ERISA, retirement plan fiduciaries have a duty to act solely in the interest of plan participants and beneficiaries. The new rule clarifies that fiduciaries may consider ESG factors such as climate change and may select from competing investments based on collateral economic or social benefits. In late-January, 25 states filed a lawsuit in federal court seeking an injunction against the new rules.

Even before the release of the DOL final rule, several states proposed laws prohibiting the use so-called “non-pecuniary factors” in making investment decisions for state pensions and other funds. Earlier in 2022, the American Legislative Exchange Council introduced the State Government Employee Retirement Protection Act, model legislation that closely mirrors fiduciary duty bills later introduced in several states.

On March 24, Kentucky Governor Andy Beshear (D) signed House Bill 236 into law. Under the statute, “environmental, social, political, or ideological interests” not connected to investment returns may not be included in determining whether a fiduciary or proxy of the state retirement system is acting solely in the interest of the members and beneficiaries. Five non-exclusive factors, including statements of principles and participation in initiatives, are listed as evidence a fiduciary has considered or acted on a non-pecuniary interest.

In 2023, legislators introduced fiduciary duty laws of varying scope in several large states, including Ohio and Missouri. In total, legislators in more than 20 states have introduced bills amending the fiduciary duty laws covering investing and proxy voting for state retirement systems.

To further complicate matters, state pension funds in states like New York and California take the opposite approach, setting net zero carbon targets for their portfolios, for example.

ESG as boycott

Conservative politicians often claim ESG uses economic power to enact political agendas through alternative means. They argue goals like decarbonization amount to a boycott of fossil fuel companies and are a threat to the economies of states dependent on the extractive industry. New legislation expands on previous anti-boycott laws to include targeting companies that consider ESG factors.

Several states have already started the process of divesting retirement system and other funds from financial companies they claim boycott fossil fuel companies. For example, a 2021 Texas law requires the State Comptroller to publish a list of boycotting companies. The Comptroller’s initial criteria for inclusion included membership in Climate Action 100 and the Net Zero Banking Alliance/Net Zero Asset Managers Initiative, two major financial industry initiatives focused on climate change.

Utah Governor Spencer Cox (R) signed a bill into law on March 15 that goes beyond state investments to prohibit companies from coordinating or conspiring with another company to eliminate viable options for another company to obtain a product or service “with the specific intent of destroying a boycotted company.” A boycotted company is defined by the law as one that engages in aspects of the firearms industry or does not meet certain ESG standards.

Social Credit scores

Speaking in support of the Utah anti-conspiracy bill, state Rep. Mike Petersen (R) said: “I’m convinced that ESG is not a conspiracy theory, it is a conspiracy truth.” To many of its opponents and skeptics, ESG is an unaccountable shadow regulatory system that takes specific aim at industries and policies supported by conservatives.

The belief that the stated goals of ESG mask other motives is at the source of bills introduced in several states to prohibit financial institutions from using a “social credit score” to make lending or other decisions and defining the term to include ESG. The language invokes the Social Credit System in use in China, which monitors and punishes individuals and businesses for certain behaviors and serves as a type of blacklist.

Though some ESG frameworks produce numerical scores for various metrics, the comparison to the Social Credit System is rejected by ESG experts. There is no substantive overlap between China’s surveillance apparatus and ESG in goals or application.

This distinction has not dissuaded lawmakers in Florida, who enacted legislation amending state banking law to make the use of social credit scores by lenders an unsafe and unsound practice in violation of state financial institutions codes and unfair trade practices laws, subject to sanctions and penalties. The law prohibits the use of a social credit score based on factors that include, among other things, ESG standards on topics including emissions and corporate board diversity.

The Florida bill and others like it expand previous efforts by the state to divest state funds to restrict decisions on private lending, potentially involving many more financial institutions.

On the horizon

The volume of anti-ESG bills introduced in state legislatures is growing. Many are passing as the topic gains political salience, particularly on the political right. As these laws pass, they serve as models for similar legislation in other states. However, the success of future legislation faces significant headwinds.

Anti-ESG laws have been passed predominantly in states where Republicans control the governorship and both houses of the legislature. So far, there is little indication many Democrats will support these anti-ESG laws. Indeed, the growing scope of anti-ESG laws pose another roadblock to their widespread adoption. Newer laws impose restrictions on a much broader range of companies, which only increases the complexity of enforcement and increases the risk of a legal challenge.

A lack of uniformity means businesses operating in more than one state may have to make difficult choices. The broader economic consequences of anti-ESG laws are still undetermined, but compliance with these new laws presents immediate challenges.

The regulator’s monitoring of the marketplace in 2022 found 1,882 promotions from unauthorized firms that required amendment or withdrawal following intervention by the agency, an increase of 34% over the 1,410 promotions that received such treatment in 2021. An additional 8,582 promotions from authorized firms were similarly required to be amended or withdrawn, compared with just 573 in 2021, a massive increase of 1,398%.

The FCA notes that “[l]ast year we saw an increase in the use of bloggers and influencers on social media such as Instagram, Facebook, and YouTube, promoting financial products, particularly investment products, to younger age groups. We also saw an ongoing trend in the number of bloggers promoting credit on behalf of unauthorized third parties, with a particular growth in financial promotions targeting students.”

Finfluencers & regulations

The emergence of finfluencers (short for financial influencers) – individuals on social media who advocate a particular type of investment option – is highlighted in the Royal Mint’s 2022 Gen Z Investment Report, which found that 23% of young investors are followers of finfluencers.

… finfluencers need to be aware that social media is not an oasis where consumer protection law, advertising standards and intellectual property rights can be ignored.

Some see the dissemination of financial information via social media platforms as a healthy way of engaging people in investment activity, and they welcome the greater transparency inherent in this mode of communication. However, finfluencers need to be aware that social media is not an oasis where consumer protection law, advertising standards and intellectual property rights can be ignored.

Regulators around the world have begun to issue guidance to both finfluencers and their followers. The 2021 Statement on Investment Recommendations on Social Media by the European Securities and Markets Authority (ESMA), explores the boundaries between providing financial information and providing financial advice and recommendations online. Also, the Securities and Futures Commission of Hong Kong’s Guidelines on Online Distribution and Advisory Platforms stipulates that any licensed financial adviser will be held accountable through all channels, including social media. The New Zealand Financial Markets Authority has a Guide to Talking about Money Online, providing tips for consumers and finfluencers. Meanwhile, the Australian Securities and Investments Commission has an information sheet for finfluencers who include details of financial products and services in their content.

If finfluencers provide financial advice and recommendations per regulators’ definitions of those terms, they must adhere to regional regulations on authorization and conduct of business. However, the popularity of finfluencers, which is being fueled by shifting attitudes among investors and the more varied range of channels through which they can enter the investment market, makes it difficult for regulators and firms to ensure that customers are being treated fairly.

New attitudes toward investing

Factors such as new technology, the global pandemic and climate change concerns have caused shifts in investors’ attitudes. The Royal Mint report paints a mixed picture of young adults’ investment behavior. On the one hand, social media was found to have caused 17% of those surveyed to adopt a get-rich-quick mentality, with people expecting to double or triple what they had invested within a short space of time.

On the other hand, the report also finds that when losses occurred, 64% of 16- to 25-year-olds actively looked to diversify their risk by adding what they believed were “safer investments” to their portfolios. A total of 80% of that same group now dedicates a portion of their income to investing in their future, with two-fifths stating the pandemic made them realize the value of having secure finances. As a result, more than one-third have taken it upon themselves to learn about investing as a way of helping to grow their money.

A 2021 research report by the FCA highlighted that, for those investing in high-risk products, “the challenge, competition, and novelty are more important than conventional, more functional reasons for investing, like wanting to make their money work harder or save for their retirement.

Case study of a finfluencer

Paul Pierce, a former Boston Celtics pro basketball player and NBA Hall of Famer, promoted EthereumMax (EMAX), a cryptocurrency coin or token, on social media as did many other celebrities. In his tweets, Pierce showed screenshots of alleged profits along with links where followers could make purchases. Pierce is one of many celebrities who made such claims of financial gain using these types of investments. During his promotion of EMAX tokens on Twitter, Pierce failed to disclose that he was paid for his promotion with EMAX tokens worth more than $244,000, the US Securities and Exchange Commission (SEC) alleged.

“This year, we will continue to put the pressure on people using social media to illegally promote investments, which put people’s hard-earned money at risk.”

— Sarah Pritchard  | Executive Director for Markets, Financial Conduct Authority

Pierce has now agreed to pay more than $1.4 million to settle charges he illegally promoted digital assets, the SEC stated in February. This settlement is larger than the $1.26 million paid by Kim Kardashian to settle similar SEC charges related to promoting EMAX. The settlements with Pierce and others mark the latest move by the SEC to crack down on celebrity endorsements of crypto products.

The increase in the number of noncompliant finfluencer promotions suggests that as investors appear more willing to take risks, firms’ marketing departments may be tempted to make financial promotions more exciting.

In the UK, for example, regulations are based on the principle of being clear, fair and not misleading. Regulations also provide detailed requirements for firms about including the need for financial promotions to give a fair and prominent indication of any relevant risks, and to be presented in a way that is likely to be understood by the average member of the group to whom it is directed. Further, these promotions cannot disguise, diminish or obscure important elements, statements or warnings.

The future

This year, there won’t likely be any letup in regulators’ focus on the use of financial promotions. Sarah Pritchard, executive director for markets at the FCA, gave clear indication what the future holds. “This year, we will continue to put the pressure on people using social media to illegally promote investments, which put people’s hard-earned money at risk,” she said.

As the number of tools and resources issued by regulators for monitoring promotions increases, so too does the risk to firms of being caught for noncompliant behavior. The FCA is consulting on the introduction of tougher checks for financial promotions and measures that will remove harmful promotions more quickly.

Finally, firms in the UK need to consider the impact of the new Consumer Duty, which many are due to implement in July 2023. “Under the duty, firms will need to demonstrate that they are providing consumers with information which helps them to make effective and informed decisions about financial products and services,” the FCA stated.

In the US, the SEC is moving to chastise all bad actors, not just celebrities, according to Gurbir S. Grewal, director of the SEC’s Division of Enforcement. “The federal securities laws are clear that any celebrity or other individual who promotes a crypto-asset security must disclose the nature, source and amount of compensation they received in exchange for the promotion,” Grewal said.

As workloads are increasing, there is also a limit on the finite resources available to manage these growing compliance burdens. These concerns are compounded by a diverse and expanding range of subject areas with which compliance officers need to be familiar as well as an expectation of a greater volume of regulatory change. This larger picture is set against increased costs and difficulties in recruiting skilled compliance staff.

Overall, survey respondents outlined a sector that held greater responsibility but also contained practical operational challenges that threaten to undermine efforts to provide their firms with the level of compliance support required in today’s environment.

Thomson Reuters Regulatory Intelligence’s 14th annual survey of compliance leaders — distilled into the 2023 Cost of Compliance Report — was undertaken against this backdrop. The report explores the challenges that compliance officers face in 2023 and exposes the depth of issues that compliance leaders have encountered. The survey was taken of more than 350 practitioners, representing global systemically important banks (G-SIBs), other banks, insurers, asset and wealth managers, regulators, broker-dealers, and payment services providers mainly in the United States, the European Union, and the United Kingdom.

Overall, survey respondents outlined a sector that held greater responsibility but also contained practical operational challenges that threaten to undermine efforts to provide their firms with the level of compliance support required in today’s environment.

Some of the key findings of the annual report include:

• • • The volume of regulatory change was expected to increase and was seen as a key compliance challenge for boards and compliance officers.
    • Cost pressure and balancing competitive and compliance pressures were reported as key challenges, yet 45% of respondents did not monitor their cost of compliance with regulations across their organizations.
    • One-third of respondents expected compliance teams to grow, and the cost of compliance staff was also expected to increase, while turnover of staff and budgets remain at 2022 levels. An increase in the number of firms using outsourced providers for their compliance functionality was also reported.
    • Retaining skilled resources is seen as essential to deliver on a growing range of subjects with which the compliance function is involved. The recruitment of the appropriate talent comes at a cost, and the appeal of becoming a compliance officer has been reduced due to the potential for increased personal liability.
    • Low staff morale is emerging as a key conduct risk for many financial services firms. This may lead to wider noncompliance issues due to staff error or manipulation. Couple this with the identification of cybersecurity as a prominent culture and conduct risk, and it becomes more important for firms to ensure internal security controls are robust.
    • Firms operated an effective compliance culture despite the conduct and culture risks, with respondents predicting they will spend more time on culture and conduct issues in 2023.

The findings of this annual report are intended to help financial services firms with planning and resourcing while allowing them to benchmark their own approaches with those of the wider industry. The experiences of the G-SIBs are analyzed where these can provide a sense of the stance taken by the world’s largest financial services firms.

You can download a full copy of Thomson Reuters Regulatory Intelligence’s 2023 Cost of Compliance Report, here.

In what Fed Vice Chair for Supervision Michael Barr called an “unflinching” review of the U.S. central bank’s supervision of SVB, the Fed said its oversight of the Santa Clara, California-based bank was inadequate and that regulatory standards were too low. “SVB’s failure demonstrates that there are weaknesses in regulation and supervision that must be addressed,” Barr said in a letter accompanying a 114-page report, which also was supplemented by confidential materials that are typically not made public.

While it was the regional bank’s own mismanagement of basic risks that was at the root of SVB’s downfall, the Fed said, supervisors of SVB did not fully appreciate the problems, delaying their responses to gather more evidence even as weaknesses mounted, and failed to appropriately address certain deficiencies when they were identified. At the time of its failure, SVB had 31 unaddressed citations on its safety and soundness, triple the number its peers in the banking sector had, the report said.

One particularly effective change the Fed could make on supervision would be to put risk mitigation methods in place quickly in response to serious capital, liquidity, or management issues, a senior Fed official said, adding that such increased capital and liquidity requirements also would have bolstered SVB’s resilience.

Barr said that as a consequence of the failure, the central bank will reexamine how it supervises and regulates liquidity risk, beginning with the risks of uninsured deposits.

Regulators shut SVB on March 10 after customers withdrew $42 billion on the previous day and queued requests for another $100 billion the following morning. The historic run triggered massive deposit outflows at other regional banks that were seen to have similar weaknesses, including a large proportion of uninsured deposits and big holdings of long-term securities that had lost market value as the Fed raised short-term interest rates.

New York-based Signature Bank failed two days later (the Federal Deposit Insurance Corporation release its review of that collapse the same day as the Federal Reserve’s assessment of SVB), and the Fed and other U.S. government authorities moved to head off an emerging crisis of confidence in the banking sector with an emergency funding program for otherwise healthy banks under sudden pressure and guarantees on all deposits at the two banks.

Supervision headcount fell

Before the twin bank failures in March, banking regulators had focused most of their supervisory firepower on the very biggest U.S. banks that were seen as critical to financial stability. The realization that smaller banks are capable not only of causing disruptions in the broader financial system but of doing it at such speed has forced a banking regulators to rethink their position.

“Contagion from the failure of SVB threatened the ability of a broader range of banks to provide financial services and access to credit for individuals, families, and businesses,” Barr said. “Weaknesses in supervision and regulation must be fixed.”

In its report, the Fed said that between 2018 to 2021 its supervisory practices shifted, and there were increased expectations for supervisors to accumulate more evidence before considering taking action. The staff interviewed as part of the Fed’s review reported pressure during this period to reduce burdens on firms and demonstrate due process, the report said.

Barr signaled in his accompanying letter that this situation would change. “We need to develop a culture that empowers supervisors to act in the face of uncertainty,” he said.

Between 2016 and 2022, as assets in the banking sector grew 37%, the Fed’s supervision headcount declined by 3%, according to the report. As SVB itself grew, the Fed did not step up its supervisory game quickly enough, the report showed, allowing weaknesses to fester as executives left them unaddressed, even after staff finally did downgrade the bank’s confidential rating to “not-well-managed.”

The Fed is looking at linking executive compensation to fixing problems at banks designated as having deficient management so as to focus executives’ attention on those problems, a senior Fed official said in a briefing.

One thing the report did not do was place any blame at the feet of San Francisco Fed President Mary Daly, with a senior Fed official telling reporters that regional Fed bank presidents do not engage in nor have responsibility for day-to-day supervision of banks in their regions.

While the fallout from the failures of SVB and Signature themselves may have subsided, the ripple effects continue. The forced sale on May 1 of San Francisco-based First Republic Bank after its deposit outflows following the SVB and Signature collapses exceeded $100 billion shows that smaller, regional banks may not be out of the proverbial woods yet.

This blog post was written by Chris Prentice & Hannah Lang, both of Reuters News; with additional reporting by Ann Saphir.

This means that only products that have been produced on land that has not been subject to deforestation or forest degradation after December 31, 2019 may be placed on the E.U. market or exported.

This is just one more sign of the ongoing expansion of regulations focused on risks related to environmental, social & governance (ESG) issues — in this case, those with a focus on the E. However, E is not the alone in this regulation, as respect for human rights will be considered an obligation for a product to be considered deforestation-free.

While this regulation would not ban any country or commodity specifically, companies will not be allowed to sell their products in the E.U. without this type of statement. This means that companies will also have to verify compliance with relevant legislation originating out of the country of production, including those on human rights and the rights of concerned Indigenous peoples.

Scope of legislation

The products covered by the new legislation include cattle, cocoa, coffee, palm-oil, soya, and wood, as well as products that contain, have been fed with, or have been made using these commodities (such as leather, chocolate, and furniture). The MEPs also successfully added rubber, charcoal, printed-paper products, and a number of palm oil derivatives to the list. In addition, the legislation also allows for the addition of new commodities to the list.

Additionally, all banking, investment, and insurance activities of financial institutions are required to take additional action around due diligence in the legislation. Specifically, financial services firms would only be allowed to provide financial services to customers if it concludes that there is no more than a negligible risk that the services potentially provide support directly or indirectly to activities leading to deforestation, forest degradation, or forest conversion.

This is just another global regulation that reinforces the need for companies to conduct ongoing due diligence with respect to their business partners and make every attempt to map their supply chains to the lowest tier possible.

The competent E.U. authorities will have access to relevant information provided by the companies, such as geo-location coordinates, and be able to conduct checks. They can, for example, use satellite monitoring tools and DNA analysis to check where products come from. The final text of the regulation also includes the obligation to precisely geo-locate the specific plot of land involved in the production or farming of the commodities and products in question.

The European Commission (E.C.) will classify countries, or part thereof, into low-, standard-, or high-risk categories within 18 months of this regulation going into effect. Also, the proportion of checks on operators will be performed according to the country’s risk level: 9% for high risk, 3% for standard risk, and 1% for low risk. For high-risk countries, member states would also have to check 9% of total volumes.

​​​​​​​Penalties for non-compliance and lack of due diligence shall be proportionate and dissuasive, and the maximum amount of a fine is set for at least 4% of the total annual turnover in the E.U. of the non-compliant operator or trader. All products linked to deforestation will be required to be withdrawn from the market if they are already present in the E.U. market.

Although the final technical details of the exact wording are still being worked out, the goal is to introduce mechanisms to avoid duplication of obligations and reduce the administrative burden. The final text will also include language that small operators will be able to rely on larger operators to prepare due diligence declarations. This is another example of how the E.U. is taking smaller businesses into consideration when drafting these new requirements.

Next steps

The MEPs and Council will need to formally approve the agreement, which is anticipated. The new law will come into force 20 days after its publication in the E.U. Official Journal, but some articles will apply 18 months later.

The E.C. will step up dialogue with other big consumer countries and engage multilaterally to join efforts, so companies should monitor how these discussions proceed and to what degree these requirements could apply outside the E.U. in the future. For example, a new bill was introduced in the current U.S. Congress in November 2022 that is seen as a response to the E.U. legislation.

While this regulation would not ban any country or commodity specifically, companies will not be allowed to sell their products in the E.U. without this type of statement.

This is just another global regulation that reinforces the need for companies to conduct ongoing due diligence with respect to their business partners and make every attempt to map their supply chains to the lowest tier possible. As the first reports will likely be due to the E.C. by April 2024, putting solid due diligence practices in place now are part of a responsible sourcing strategy. Tools to certify that small suppliers of raw materials are sourced from areas that are not degrading forests no doubt will be required. Moreover, tools that allow users of raw materials in their products to monitor them on an ongoing basis is equally important to ensure compliance is maintained.

At the same time, uncertainty remains. Currently the regulation avoids a clear directive for producer-countries to require standards for human rights or to define what the term deforestation means. Without this, companies may seek to source products from jurisdictions in which relatively weak legal frameworks exist, and thus, could undermine the E.U.’s intent with the regulations.

The need for the E.U. to seek input from all stakeholders— including producer countries; local communities in producer countries; small land users that produce in-scope materials and products and mostly reside in Southeast Asia; local buyers of raw materials that sell them to small-, medium-, and large-sized companies; and multinational companies that purchase the in-scope materials — is necessary to effectively achieve the intent of the overall legislation, which is to ensure sustainable sourcing and avoid deforestation or forest degradation.

There seems little question that AI will lead to an upheaval among U.S. investment banks and brokerage firms. In a recent report, Goldman Sachs estimated that 35% of employment in business and financial operations is exposed to so-called generative artificial intelligence, which can generate novel, human-like output rather than merely describing or interpreting existing information. Indeed, ChatGPT is a generative AI product from research laboratory OpenAI.

While the Goldman Sachs analysis did not drill down to AI’s specific impact on investment research, Joseph Briggs, one of the report’s authors, said that “equity research is a bit more highly exposed, at least on an employment-weighted basis.”

ChatGPT & Fedspeak

There are many questions over how far AI applications can go in replacing human input and analysis, but new academic research suggests that ChatGPT can perform certain Wall Street tasks just as well as experienced analysts — even those tasks that may appear more nuanced in nature.

A new study from the Federal Reserve Bank of Richmond used Generative Pre-training Transformer (GPT) models to analyze the technical language used by the Federal Reserve to communicate its monetary policy decisions. Experts on Wall Street whose job it is to predict future monetary policy decisions — also known as Fed watchers — apply a blend of technical and interpretive skills in reading through the often opaque and obscure language that Fed officials use in their communications with the public.

There are many questions over how far AI applications can go in replacing human input and analysis, but new academic research suggests that ChatGPT can perform certain Wall Street tasks just as well as experienced analysts.

GPT models “demonstrate a strong performance in classifying Fedspeak sentences, especially when fine-tuned,” the analysis said, cautioning, however, that “despite its impressive performance, GPT-3 is not infallible. It may still misclassify sentences or fail to capture nuances that a human evaluator with domain expertise might capture.”

Fed watchers are also known to make errors in judging future monetary policy decisions, which raises questions about how ChatGPT and similar technology could be applied to less-nuanced Wall Street tasks, such as company earnings projections or more fundamental industry research.

Laws regarding AI usage lag innovation

Just how should investment banks and other investment firms approach the use of ChatGPT in their research efforts and communications with clients? The short answer from legal experts is, cautiously.

“The state of AI regulation in the U.S. is still in its early stages,” said Mary Jane Wilson-Bilik, a partner at the law firm Eversheds Sutherland in Washington, D.C. “Many regulatory agencies have issued guidelines, principles, statements, and recommendations on AI… but laws specific to AI and ChatGPT are relatively few.”

That is not to say regulations will not be forthcoming. In late April, four U.S. federal agencies issued a joint statement warning of the “escalating threat” from fast-growth artificial intelligence applications, citing a range of potential abuses. The agencies called on firms to actively oversee the use of AI technology, including ChatGPT and other “rapidly evolving automated systems.”

 Four U.S. federal agencies issued a joint statement warning of the “escalating threat” from fast-growth artificial intelligence applications, citing a range of potential abuses.

The Securities and Exchange Commission has indicated it plans to issue a rule proposal on decentralized finance tools this year, but it is unclear whether the proposal will require specific disclosures on whether AI/ChatGPT was used when providing advice or reports to customers.

Given the regulatory vacuum on specific rules for Wall Street research, Wilson-Bilik cautioned firms on how they use and disclose AI and ChatGPT in their research products. “While there are no legal requirements just yet to tell clients that AI was used in the writing of a report or analysis, it would be best practice,” she said. “Some firms, out of an abundance of caution, are adding language about the possible use of AI into their online privacy policies.”

While clients do not currently have a legal “right to know” whether AI was used in generating a research report, “risks would arise if the client was misled or deceived on how AI was used,” Wilson-Bilik explained. “If firms use AI in a misleading or deceptive way — for example, by implying or stating that results are human-generated when the results are a hybrid or mostly AI-generated — that would be a problem under the anti-fraud statutes.”

Legal experts also warn that AI tools should be checked for accuracy and for bias. Without robust guardrails, there could well be cause for regulatory action or litigation.

Stress in the commercial real estate sector could be the next big concern for U.S. regional banks and regulators, as losses emanating from higher interest rates manifest over the coming months, analysts and bankers say. A portion of this fear stems from the possibility that each regional bank could be the next to suffer a major loss.

As banks report their first-quarter earnings, investors are scrutinizing the results for signs of stress or weakness following SVB’s collapse last month. So far, the earnings picture has not revealed any hidden bombshells, but experts say the pressures on banks’ financial health are likely to become more pronounced in the months ahead.

Of greatest concern is the banking sector’s exposure to commercial real estate (CRE), particularly the office sector. “Compared to big banks, small banks hold 4.4-times more exposure to U.S. [CRE] loans than their larger peers,” stated a new analysts report from JPMorgan Private Bank. “Within that cohort of small banks, CRE loans make up 28.7% of assets, compared with only 6.5% at big banks,” the report continued. “More worrying, a significant percentage of those loans will require refinancing in the coming years, exacerbating difficulties for borrowers in a rising rate environment.”

A separate Citigroup analysis found that banks represent 54% of the overall $5.7 trillion commercial real estate market, with small lenders holding 70% of CRE loans. More than $1.4 trillion in U.S. CRE loans will mature by 2027, with approximately $270 billion coming due this year, according to real estate data provider Trepp.

High vacancy rates

The office sector faces significant challenges following the COVID-19 pandemic, which forced a potentially permanent shift to remote work for millions of employees. A seismic shift in employee mentality following a period of flexible, remote working has led to a continued acceptance of remote and hybrid opportunities. With this change, office vacancy rates remain high across many U.S. cities. The current overall vacancy rate of 12.5% is comparable to where it was in 2010, one year after the onset of the Global Financial Crisis.

Further, chief executives from some of the largest banks have pointed to risks in the commercial real estate sector. “Weakness continues to develop in commercial real estate office,” said Wells Fargo Chief Executive Charlie Scharf on a recent earnings call with analysts. The bank set aside an additional $643 million in the first quarter for credit losses, mainly driven by expectations of higher CRE loan defaults.

California market in focus

With the tech and venture capital sector having borne the brunt of SVB’s collapse, recent data shows that California’s CRE market is one of the hardest hit in the country. San Francisco and Los Angeles had an average office vacancy rate of 21.6% in the first quarter, according to data from commercial real estate firm Cushman & Wakefield. And loans for San Francisco offices now face the highest risk of default of all U.S. metro areas.

“Difficulties are emerging by geography,” noted the JPMorgan report, adding that “Chicago and San Francisco are much more challenged than Miami, Raleigh, and Columbus, for example.”

CRE weakness is likely to affect banks of all sizes, but small and regional banks have, on a percentage basis, the greatest exposure. “While total exposure to the weakest CRE subsectors varies by bank, those with more than 100% of their capital in these buckets are more likely to be smaller regional entities,” the JPMorgan report stated, noting that Webster Financial Corporation, Valley National Bancorp, and Zions Bancorporation are a few of the banks with exposures exceeding 100% of their capital.

The bank’s base case scenario “assumes that aggregate CRE prices fall approximately 10% to 15% in the current cycle,” although for the office sector, the report revealed that price declines of 30% to 40% in the most stressed markets would be unsurprising.

The Carbon Disclosure Project estimates that Scope 3 emissions account for an average of three-quarters of a company’s emissions, according to the World Resources Institute. “Other studies show that the supply chains of eight sectors account for half of the world’s [greenhouse gas] GHG emissions and provide evidence that Scope 3 emissions from energy-intensive industries are increasing faster than their Scope 1 and 2 emissions.” Indeed, counting Scope 3 emissions is of paramount importance.

Variations in carbon emissions regulations make reporting murky

In the U.S., the Securities and Exchange Commission (SEC) mandates the disclosure of Scope 1 and Scope 2 emissions. According to the United Nations Global Compact, Scope 3 emissions account for approximately 70% of the average corporate value chain total emissions and are 11-times higher than Scope 1 emissions. Under SEC rules, Scope 3 emissions are only required to be disclosed if they are material or if the companies have Scope 3 emission targets. Currently, around 7,000 publicly traded companies are covered by this regulation.

By contrast, the Corporate Sustainability Reporting Directive (CSRD) in Europe is much broader. It includes 49,000 medium and large companies, covering all private and public companies with at least 500 workers. The European regulation affects more than 10,000 non-European companies, of which 30% are U.S. companies, according to data from Refinitiv.

Adding to the complexity of regulation is that specific rules within the regulation across countries and states or provinces can vary widely. As of August 2020, at least 40 countries required facilities or companies to measure and report their emissions periodically. With this list growing, it is good news that the GHP is the go-to resource for calculations and that additional harmonization of emission standards is ongoing.

Double counting not really a concern

When it becomes a legal requirement, accurate and homogenous collection, standardization, and reporting of Scope 3 emissions will be critical for both reporting companies and those using the data to make investment decisions.

Collecting data on Scope 3 emissions requires information from multiple sources, such as suppliers, customers, and other stakeholders, making it difficult to obtain accurate and reliable data. This affects the quality of the data, as it can vary or be incomplete or inaccurate. To combat this, companies may need to use multiple methods to collect data from various sources, which can come at a cost, especially for those with complex value chains.

While, as mentioned, the GHP has developed the corporate value chain accounting and reporting standard methodology for measuring and reporting Scope 3 emissions, one of the main criticisms around universal counting of Scope 3 emissions is the potential for double counting. This is because one company’s Scope 1 emissions are another company’s Scope 3 or Scope 2 emissions — and in some industries, the possibility exists for multiple companies to use the same supplier.

Collecting data on Scope 3 emissions requires information from multiple sources, such as suppliers, customers, and other stakeholders, making it difficult to obtain accurate and reliable data.

Double counting may occur when a manufacturer and a retailer both account for Scope 3 emissions resulting from the third-party transportation of goods between them. This only becomes problematic when claims are made that these emissions are offset with credits or provide a monetary value and when the same activity, such as the transportation of goods, is offset by another company. There are many other examples of double counting; for example, it may be acceptable to double count when a specific emissions goal is tracked over time and its progress needs to be reported.

Clear communication of reporting boundaries and emissions calculations can help identify potential overlaps and ensure that each company reports only its own emissions. This approach can provide a more accurate picture of a company’s carbon footprint and more fully support efforts to reduce emissions across the value chain.

Further, the GHP understands the need for additional clarification and is working towards the harmonization of U.S. and European disclosure rules. Additional guidance on this important subject is expected to ensure any double-counting concerns are alleviated.

The report, published by the Financial Action Task Force (FATF), the international standard-setter for anti-money laundering and countering the financing of terrorism (AML/CFT), addresses what has become one of the fastest growing and most disruptive forms of cybercrime in recent years.

Central to the FATF’s plea for fighting back against ransomware is shedding light on the illicit financial flows of ransomware gangs and their support networks — financial flows that overwhelmingly occur in crypto-assets. Concurrent regulatory developments increasingly demand that compliance officers at VASPs and financial institutions understand how to identify and manage financial crime risks related to ransomware.

Ransomware & money laundering risks

Cybercriminals use malware to encrypt data on victims’ computers or deny them access to critical systems, and then demand a ransom payment in return for restoring access to the victim. Ransomware has become especially lucrative in recent years as cybercriminal gangs have identified ways to launch attacks with increasing effectiveness and efficiency.

Employing a technique known as Big Game Hunting, ransomware gangs now routinely direct attacks at hospitals, government offices, energy firms, and other critical infrastructure to try and generate the biggest possible ransoms. In recent years, ransomware gangs — many of which operate from Russia, as well as in jurisdictions such as Iran and North Korea — have raised hundreds of millions of dollars annually by extracting large ransoms from their victims. Perpetrators of these attacks have included Russian ransomware organizations such as the DarkSide, Conti, and Ryuk gangs, as well as the Lazarus Group, North Korea’s cybercrime outfit.

Crypto-assets have featured heavily in the growth of ransomware. Nearly all ransomware payments are made in Bitcoin, which enables attackers to receive payments from victims into private Bitcoin wallets that are not held at regulated institutions.

After receiving payment in Bitcoin from their victims, ransomware attackers generally need to convert their funds at a crypto-exchange or other VASP into fiat currencies, such as Russian rubles, euros, or other currencies. Because the Bitcoin blockchain is highly transparent, the flow of funds from these attacks can be observed as ransomware gangs attempt to launder them through the crypto-ecosystem.

This activity can in turn generate red flag indicators of money laundering that compliance officers can detect, some of which the FATF details in its reports, and that regulators such as the U.S. Treasury’s Financial Crimes Enforcement Network (FinCEN) have also documented in notices to the private sector.

Some important money laundering red flags and behaviors that often feature in cases of ransomware include:

• • • Funds from ransomware attacks are sent to crypto-asset exchanges with minimal or no AML/CFT controls, or are based in high-risk jurisdictions, such as the Bitzlato exchange, which FinCEN identified as a primary money laundering concernunder Section 9714 of the Combatting Russian Money Laundering Act.
    • Attackers send their funds through crypto-asset mixing services and other obfuscating technology aimed at breaking the funds’ trail on the blockchain.
    • Attackers take transparent crypto-assets, such as Bitcoin, that they receive from their victims and swap them for highly anonymous crypto-assets such as Monero.
    • Attackers deploy “chain-hopping” typologies of money laundering and attempt to obfuscate their activity by sending funds through decentralized finance (DeFi) services, such as cross-chain bridges that allow users to seamlessly move funds across the Bitcoin, Ethereum, and other blockchains.

While crypto-asset exchanges and other VASPs are most directly affected by this behavior, banks and other financial institutions must be alert to the money laundering risks too. After all, once ransomware gangs have swapped crypto-assets for fiat currencies, they then attempt to launder those funds through the banking system. By understanding the important red flags and typologies involved, bank compliance teams can equip themselves to identify ransomware-related money laundering.

Growing sanctions challenge

In addition to money laundering risks, transactions related to ransomware pose growing sanctions compliance risks and challenges. Over the past 18 months, the U.S. Treasury’s Office of Foreign Assets Control (OFAC) has targeted sanctions activity at ransomware attackers and their support networks with asset freezes.

This has often involved including crypto-asset addresses belonging to attackers and their support networks on the OFAC Specially Designated Nationals and Blocked Persons List (SDN List). OFAC’s recent actions involving ransomware include:

• • • In October 2020, OFAC issued guidanceentitled Potential Sanctions Risks for Facilitating Ransomware Payments, which it later updated in September 2021. The guidance explains that making or facilitating ransomware payments can result in a sanctions violation if those payments benefit a sanctioned person or jurisdiction.
    • Between September 2021 and April 2022, OFAC sanctioned three crypto-asset exchanges registered in Eastern Europe — SUEX, Chatex, and Garantex— that it accused of laundering crypto-assets on behalf of ransomware gangs.
    • In April 2022, OFAC also sanctioned the Hydra darknet marketplace, which had facilitated activity of ransomware gangs and their affiliates before it was taken down by German law enforcement.
    • In February 2023, OFAC undertook a coordinated, joint actionalongside the U.K.’s Office of Financial Sanctions Implementation (OFSI) to target ransomware gangs. OFAC and the OFSI both sanctioned seven Russian nationals allegedly associated with the Conti and Ryuk ransomware campaigns.

As a result of these actions, VASPs and financial institutions must ensure that they do not facilitate prohibited payments with ransomware gangs and those supporting them who are subject to sanctions.

Responding to risks

Successfully combating ransomware while adhering to regulatory requirements is possible, though challenges exist. Compliance teams at VASPs and financial institutions can take steps to ensure that they address the related risks effectively.

First, compliance teams should receive training on typologies and red flags related to ransomware so that they have the knowledge needed to detect potential money laundering or sanctions-evasion activity. Secondly, compliance teams should familiarize themselves with evolving regulatory requirements and notices related to ransomware — particularly OFAC sanctions requirements — and should ensure their policies and procedures reflect these developments.

Finally, compliance teams at VASPs and financial institutions should use blockchain analytics solutions to detect red flags and other indicators of crypto-asset transactional risks related to ransomware. This should include using blockchain analytics solutions capable of identifying cross-chain funds flows indicative of chain-hopping typologies of money laundering that ransomware attackers increasingly use.

As a rapidly evolving form of cybercrime, ransomware activity poses significant compliance challenges; however, by taking the steps above, compliance teams can work to manage the risks successfully.

In the United States, synthetic fraud is one of the fastest-growing financial crimes, occurring more often in some high-risk customer segments than in others. But how can financial institutions protect themselves against synthetic fraud? And what are the differences between identity fraud and synthetic fraud, and why is synthetic fraud so much more difficult to detect?

From ID fraud to synthetic ID fraud

In a regular identify theft situation, for example, the real name of a person is used without modification as thieves use the same information they have obtained. Regular ID theft accounts for roughly 10% to 15% of all fraud cases in the U.S., and it is easier to prevent. Credit monitoring and credit freezing services are specifically designed to prevent this kind of theft.

With the emergence of synthetic fraud, however, only portions of personally identifiable information are obtained. In a typical synthetic fraud scheme, a criminal will use a real Social Security number belonging to someone who is deceased or not using their credit profile, then combine it with a fake name, or fake date of birth and address. The fraudster can also use information from multiple sources, such as stolen personal data, to create a more convincing identity.

When finished creating the false identity, the criminal applies for credit and other financial products, often using online applications. The fraudster then may use these fraudulent accounts to make purchases, take out loans, or buy other financial products.

Another type of synthetic fraud involves the creation of entirely fake identities using a combination of stolen personal information and fabricated details. Creating complete fake information can be more difficult for fraudsters than combining a real Social Security number with fake information. This is because creating entirely fake identities requires the fraudster to invent and fabricate every piece of information associated with the identity, including name, address, employment history, and credit history, among other information.

Targeting young customers

Not surprisingly, some customer segments are more likely targets of identity fraud. For example, young people are key targets for synthetic fraud most because their information is more easily available through social media and other public records. Around 1.25 million families have been victims of some sort of identity fraud in 2021, or roughly 1-in-50 children, according to research conducted by Javelin Strategy & Research. In addition, ransomware gangs have stolen data from 1,200 K-12 schools in the U.S. and published the information on the dark web. As this data has been made available to fraudsters, it poses a significant risk for school-age children because they likely don’t have credit histories yet, and their information can be used for establishing credit by a fraudster.

Putting the responsibility on a financial institution alone is not the only way to address and prevent synthetic fraud. It is also the responsibility of parents to take preventive measures. For example, parents can check the credit history report of their children under the age of 18, and they also have the option to freeze their children’s credit so that it is more difficult for a scammer to access.

Unfortunately, 85% of adult respondents have not checked their children’s credit history reports, according to a study conducted by Security.org, which makes the exploitation of children’s personal information easier as it often goes unnoticed. Children are also unlikely to check their own credit history if they don’t know that checking credit history is a preventive measure.

Targeting senior citizens

Similarly, senior citizens are at risk for synthetic fraud due to several factors, making them an especially vulnerable customer segment. First, senior citizens possess retirement savings, which makes them an attractive target; and second, they tend to be more isolated than other members of society and are not able to detect certain suspicious activities quickly.

Often, senior citizens are targeted for some kind of healthcare-related fraud as healthcare-related products and services are frequently used by senior citizens. Thus, for financial institutions, it would not be suspicious when an application for a credit card of a senior citizen with a stolen social security number is used to purchase healthcare-related products and services on a continuous basis.

There are, however, a variety of steps that financial institutions and senior citizens can take together to prevent synthetic fraud from occurring. One step would be to request a credit freeze from the major credit bureaus, which blocks the opening of new accounts — one of the most effective ways to prevent synthetic fraud.

Financial institutions should also educate senior citizens and their circle of supporters to monitor credit reports regularly. Being cautious with personal identifiable information is also a key component in a prevention strategy.

How financial institutions can help

Financial institutions can implement data-driven customer on-boarding measures, using biometric and document verification capabilities along with robust and accurate public record sources.

If, however, a fraudster is already using a synthetic ID and has established a credit profile, there are various ways institutions can review and monitor account activity. One option would be through the implementation of additional verification procedures in combination with the purchase of an additional product or the application for a higher credit limit. Once a new product, a higher credit limit, or a new credit card account is requested, financial institutions can require an additional step of verification through the submission of biometric information.

Establishing regular contact with customers to inform them about prevention measures is also a key component of any financial institution’s fraud prevention strategy, including informing customers about a more restrictive use of personal identifiable information through the various institutions and platforms where this information is stored.