'Independent monitor', 'independent examiner', 'compliance auditor', 'special representative' – the concept of monitors of financial institutions manifests under many different names in the United States and abroad, and has become a prominent tool for regulators and prosecutors worldwide. The formal title may vary, but the concept remains fundamentally the same across jurisdictions, generally involving an independent third party overseeing and testing the implementation of remedial compliance measures to address past deficiencies. Monitors have been mandated to investigate, test the compliance of, and report on myriad infractions at financial institutions ranging in size and spanning the various subsectors of the industry.
This chapter will focus on the inherent challenges of monitorships in the financial services industry and explore differences to other industries. Against the backdrop of examples collected from around the globe, this chapter will provide insight on the breadth of regulatory areas covered by monitorships and highlight practical considerations for an independent monitor of a financial institution.
Regulatory areas covered by financial services monitorships
The past decade has seen independent monitors installed for financial institutions operating in many different sub-sectors of the industry both in the United States and abroad. Monitors have been put in place for retail and commercial banks, broker-dealers, mortgage lenders and servicers, insurance companies, and investment advisers, among others. The breakdown in compliance and resulting risk faced by these financial institutions required monitoring by independent parties in a wide variety of regulatory areas.
In the United States, various federal and state bodies have adopted the use of an independent monitor to assist with the resolution of criminal, civil and regulatory actions.2 Internationally, the use of independent parties to monitor or examine a financial institution has similarly become more prevalent. In the United Kingdom, for example, independent reviews, such as that of Standard Bank Plc, have been agreed to as part of deferred prosecution agreements (DPAs) with the United Kingdom's Serious Fraud Office.3 Further, the United Kingdom's Financial Conduct Authority (FCA) has demonstrated an increased preference to commission skilled persons' reports or appointments under Section 166 of the Financial Services and Markets Act 2000,4 with the intent to 'obtain a view from a third party . . . about aspects of a regulated firm's activities if [the FCA is] concerned or want[s] further analysis.'5 The practice has been adopted by other European regulators as well, including Germany's Federal Financial Supervisory Authority (BaFin) and Switzerland's Financial Market Supervisory Authority (FINMA).
Each monitorship is governed by the specific terms of the underlying agreement between the authority and institution. The term, scope and requirements of the independent monitor of a financial institution can vary significantly, and the nature of the misconduct and regulatory findings are important influencing factors. The following topics are structured around those business or regulatory areas where independent monitors have become a prominent remedial tool, many of which are unique to, or particularly prevalent in, the financial services industry.
AML/CTF and OFAC/sanctions-compliance deficiencies and misconduct
There were several high-profile examples in the past decade of independent monitors appointed to oversee remedial activities related to financial institutions' anti-money laundering (AML) or counter-terrorist financing (CTF) and sanctions-compliance programmes. The monitors appointed in these instances have resulted from agreements with prosecutors and banking and financial regulators in the United States and internationally.
In the United States, actions involving a requirement to retain a monitor may originate from violations of the Bank Secrecy Act. Monitors have also been imposed owing to violations of US sanctions laws, which are primarily administered by the Office of Foreign Assets Control.6
Monitorships related to AML/CTF and sanctions are often preceded by the announcement of significant fines and penalties imposed by the governing authority. These monitorships can also be comparatively broad in scope. For example, HSBC Holdings Plc agreed to a joint settlement in 2012 carrying a total fine of approximately $1.9 billion in addition to the appointment of an independent monitor for a term of up to five years.7 Several other monitorships in this area have accompanied fines totalling hundreds of millions or billions of US dollars and have generally ranged from one to five years in term. The term, however, can be extended in many cases at the discretion of the regulatory or enforcement entity, depending on the institution's progress or compliance with the agreement.
Regulatory focus on AML compliance has increased internationally as well, which can be observed in other recent monitor appointments. BaFin appointed an independent 'special representative' in accordance with the German Banking Act to address ongoing AML compliance concerns at Deutsche Bank AG in September 2018, marking the first instance where BaFin has appointed a monitor in relation to AML rules.8 In Switzerland, the Financial Market Supervisory Authority commissioned an independent examiner in September 2018 to monitor the implementation of, and adherence to, measures directed at improving AML processes and controls at Credit Suisse AG.9
The AML/CTF and sanctions-compliance landscape is particularly complex. It involves significant resources and technology to perform adequate customer due diligence on the front end as well as robust ongoing monitoring and investigation of transactions to ensure that suspicious activities and potential sanctions violations are identified and reported accordingly. In this context, an effective independent monitor can provide a global view of the financial institution's compliance programme that a local regulator may not otherwise have. This is particularly important in the correspondent banking context where a single branch of a large bank may be relying, at least in part, on risk-mitigating controls of other branches of the financial institution to identify suspicious activity.
Tax-related compliance matters that resulted in the appointment of a monitor have mostly occurred at Swiss banking institutions. In August 2013, the US DOJ announced the Swiss Bank Program, which set requirements for certain Swiss banks to be eligible for non-prosecution agreements related to criminal tax offences. This required qualifying Swiss banks to engage an independent examiner to report on compliance with the requirements of the Swiss Bank Program.10 To date, more than 75 Swiss banking institutions have entered into agreements as part of the programme and have collectively paid over $1.3 billion in penalties.11 Other examples outside of the Swiss Bank Program include Credit Suisse AG, which, as part of a 2014 consent order with the NY DFS, paid a civil penalty of $715 million and agreed to engage an independent monitor for a period of up to two years to perform a comprehensive review of the bank's compliance programmes, policies and procedures in place, which had failed to prevent its New York representative office from allegedly facilitating US tax evasion.12 Bank Leumi USA13 also agreed with the NY DFS to engage an independent monitor to address allegations involving its assistance to US clients in concealing assets offshore and evading US tax.14
Monitors imposed to address tax-related violations or deficiencies necessarily require specific qualifications and expertise with the applicable tax regimes. Further, an effective monitor will seek to employ a comprehensive set of data analytics tools to identify relevant information in structured and unstructured data. As an illustrative example, indications of a financial institution's client's taxation status may be found in sources beyond a financial system's structured client-relationship record, such as a US place of birth indicated in a non-US passport scanned by the financial institution.
Mortgage/lending and servicing misconduct
In the wake of the US financial crisis, the US mortgage finance and servicing industries were subject to significant enforcement action, which included the imposition of independent monitors in a number of high-profile instances. For example, on 12 March 2012, the DOJ, the US Department of Housing and Urban Development, and 49 state attorneys general filed a landmark $25 billion agreement with the five largest US mortgage servicers relating to servicing and foreclosure abuses (the National Mortgage Settlement).15 As part of the agreement, an independent monitor was appointed and tasked with overseeing, enforcing and reporting on the servicers' compliance with the consent judgment for a term of three and a half years.16 In another example, in 2017, Deutsche Bank AG17 settled claims with the DOJ related to the bank's residential mortgage-backed securities activities between 2006 and 2007 by paying fines of over $7 billion, and further consented to having an independent monitor oversee and report on compliance with the terms of the agreement.18 Another large US mortgage servicer, Ocwen, was subject to unique monitorship oversight. In a 2012 consent order, Ocwen agreed to retain an 'independent compliance monitor' for a period of two years to conduct a comprehensive review of the entity's servicing operations, including its compliance programme and operational policies and procedures.19 The independent compliance monitor identified deficiencies that in part led to a subsequent consent order in 2014 requiring Ocwen to retain an independent 'operations monitor' for two years. The operations monitor was tasked with assessing the adequacy and soundness of Ocwen's operations as part of its mandate.20
Other violations across the industry
Misconduct by financial institutions is not exclusive to the subject areas above. A variety of alleged wrongdoing has resulted in the imposition of a monitor, including misconduct related to capital markets, retail consumer practices and violations also found in other industries. In 2015, Deutsche Bank AG entered into a DPA with the DOJ as part of pleading guilty to manipulating Libor21 for US dollars and several other currencies.22 As part of the DPA, Deutsche Bank AG agreed to retain a corporate monitor for a term of three years.23 The stipulation of the monitor is in addition to a total of over $2.5 billion in monetary penalties and disgorgement levied against the financial institution by multiple regulatory bodies, including the US Commodity Futures Trading Commission, NY DFS, DOJ and the UK FCA.24 Independent parties have also been installed as part of DPAs and consent agreements related to several other areas of wrongdoing by financial institutions in the capital markets, including violations related to foreign exchange trading,25 swap reporting,26 spoofing27 and wire fraud.28 The SEC has demonstrated a proclivity to include independent parties to review and report on corrective actions in many of these areas, with the scope, term and reporting requirements of each laid out in the agreement.29,30
There are still further areas of wrongdoing where independent parties have been imposed at financial institutions, including to address alleged Foreign Corrupt Practices Act violations,31 antitrust or price fixing,32 securities fraud,33 client billing practices,34 breach of fiduciary duty,35 and instances of misleading advertising or marketing materials by investment advisers.36
Challenges and considerations in financial services monitorships
The particularities of the industry present unique challenges and considerations for an independent monitor. The modern financial services industry is unique in its international reach and interconnectedness among competitors, dense and complex regulation across jurisdictions, and sophisticated governance and operating models, which are required to effectively manage global client processes and high volumes of transactions. Financial institutions' operations are also generally more data- and technology-intensive than those of most industries.
These complexities and their attendant inherent risks, in addition to law enforcement and regulatory actions, caused many financial institutions to invest heavily in compliance and information technology systems a decade or more ago. The results of these investments include compliance organisations with hundreds or thousands of personnel and a combination of in-house developed and vendor-provided systems that maintain millions of data points affecting the compliance organisation. Below, these industry characteristics are explored in more detail, highlighting the implications and practical considerations for independent monitors.
Global systems and interdependencies
The present state of the financial services industry represents a densely connected international network of global operations involving complex transactions and numerous parties. For example, a client of Mexican nationality may walk into the London branch of a Swiss bank to take out a loan to pay for an invoice from an Australian company in US dollars – and the bank may package the loan in a portfolio and refinance it via a Luxembourg facility. To facilitate these transactions, banking institutions utilise subsidiaries or branches chartered in different countries for cross-border or correspondent payments and clearing activities, and payment chains may further include intermediary institutions to provide access to global markets and currencies. Indeed, this network, used to facilitate transactions, necessarily affects multiple jurisdictions and regulators. Considering the high level of lending and other relationships between financial institutions across borders, it is equally obvious how significantly international financial markets are intertwined and how actions taken in one market influence others.
For an independent monitor, this implies that multiple international dimensions may need to be considered and addressed in the scope of its review and workplan. While the monitor's mandate may limit the scope to a particular operating entity under the agency's jurisdiction, it is possible that the root causes of deficiencies, or the misconduct itself, originate in other entities and jurisdictions. The monitor may, therefore, need to scrutinise the institution's international client base and operations, be it via subsidiaries, branches, correspondent banks, funds or offshore vehicles, to the extent that transactions or operations in one area may affect another. The monitor will consider the legal and regulatory framework across jurisdictions, for example, relating to data privacy restrictions and the necessary use of information barriers. While these traits may also be found in monitorships in other industries, they are of predominant significance here, given the global nature of transactions and the risk involved.
A monitor of a financial institution is well advised to consider early on the international implications of his or her mandate and ensure that these aspects are addressed in the initial workplan. This includes establishing the necessary controls and safeguards, identifying the relevant location or operating entities to be reviewed and ensuring the requisite knowledge and experience of the monitor team.
Dense regulation and complex oversight across jurisdictions
The financial services industry is highly regulated, and the level of regulatory oversight and pressure with extraterritorial effect has notably increased since the early 2000s. Regulatory ambitions for the industry inherently include those that are relevant to other industries, such as ethics and employee misconduct, fraud, accounting and reporting, IT security, antitrust, and health and safety. The industry is further subject to additional laws and regulations intended to address concerns specifically relevant to financial institutions, including financial crime compliance, consumer financial protection, and safety and soundness. As noted above, independent monitors have been imposed in relation to several of these regulatory topics.
Even within a jurisdiction, regulations governing financial institutions are complex compared to other industries. In the United States, for example, the responsibility of regulatory oversight over financial institutions is fragmented across multiple federal and state agencies, many of which have overlapping authorities.37
In parts of Europe, a single financial institution will also have overlapping oversight by banking regulators. Criminal investigative and prosecutorial authorities at the local, state or federal level could add a further level of government interest if allegations arise of intentional misconduct at the financial institution.
For a monitor, the extent to which the scope may extend beyond the area of the original infraction is often a matter of the situation at hand. Transparency and communication between the monitor, the financial institution and the government authority are paramount in determining the scope of review and reporting. Additionally, although the monitor may be put in place by one regulatory agency, the monitor may be explicitly required to produce a report, or reports, to several regulatory or law enforcement bodies. Further, regulators that supervise the entity in other jurisdictions may also request the monitor's reports.
Governance and compliance framework complexity
The continually evolving requirements and heightened regulatory pressure have resulted in financial institutions developing more sophisticated and robust governance and compliance frameworks compared to many other industries. Institutions develop their own risk-based approaches to compliance based on their operational models, relevant compliance risks and risk appetites. As a result, each institution's compliance programme is unique. Acknowledging these differences, regulators and independent monitors will still expect to see effective governance in the form of clearly documented standards, policies and procedures, and supervisory controls. Further, an institution should ensure a culture of compliance and risk management is embedded across the organisation, from the front line to the back office.
The Basel Committee on Banking Supervision prescribes the three lines of defence concept as a framework for effective governance, wherein the business (the first line of defence) has 'ownership' of the risks it incurs through its activities; the compliance and risk management departments (second line) define policies and standards and monitor the risks; and the internal audit function (third line) conducts independent risk-based reviews to assure effective compliance.
The mandate of many financial institution monitorships includes an assessment of the governance and global compliance programmes. Accordingly, a monitor in the financial services industry requires significant knowledge of corporate governance, compliance organisations and internal control frameworks, including how to effect change across three lines of defence consisting of thousands of employees. A monitor should ensure the institution establishes a clear risk appetite to drive decision-making, a strong tone from the top reflected in visible management decisions, and a well-founded compliance culture with sufficient resourcing for the second and third lines of defence (see Chapter 1).
Data and IT intensity
Another characteristic impacting compliance efforts in the modern financial services industry is its significant reliance on IT. Financial institutions capture high volumes of data, for example, transactional and customer data, which is typically managed in complex relational databases. Further, institutions routinely use a variety of in-house developed or third-party software and systems to execute key compliance processes. Evolving regulations and growing compliance-driven costs will likely lead to an increased reliance on software and system solutions and concurrently heighten the focus of institutions and regulators on adequate IT and data governance.38
The data- and IT-intensive operations in the industry have implications for the required competencies of a monitor and his or her team. Depending on the mandate, the monitor's focus may go beyond the review of policies and procedures to an in-depth assessment of the institution's IT systems and data. A financial services monitor will, therefore, need to proactively consider questions of data systems, availability and review procedures early on. Often, this will require identification of, and access to, the institution's relevant live systems or separate secure data environments to conduct thorough independent reviews of the institution's client base and transactions, as well as of adherence to the defined policies and procedures.
A monitor must ensure its team has the right competencies for an effective review of IT systems and large volumes of data, which may include IT, data analytics, and e-discovery experts to identify potential issues in the data and assist with the review of structured and unstructured data.
Guidelines for monitors in driving remediation
A monitor will work to drive change through the issuance of recommendations to the financial institution. An effective monitor will leverage the required competencies noted above to identify deficiencies at the institution and endeavour to develop recommendations that address the root causes of these deficiencies. Recommendations may allow for the institution to consider alternative approaches to remediation, given that there is more than one way to mitigate risk in most instances and the use of a risk-based approach allows for certain flexibility.
For example, the monitor may identify deficiencies in an institution's IT system that affect compliance. The monitor's resulting recommendation should not necessarily require replacement of the IT system with a specific third-party software solution. Rather, the recommendation should identify the root cause of the deficiency and allow the institution to propose a method of remediation, for example, by enhancing the current system and adding controls that adequately address the relevant risk.
Similarly, the monitor should be mindful when specifying time frames or target dates for remediation. Large-scale remediations, whether related to a complex system implementation or the review of thousands of customers, can take time. The monitor must coordinate with the institution to help prioritise and set reasonable target dates to achieve sustainable change.
More generally, the monitor should establish and maintain an open dialogue and respectful rapport with the institution while maintaining its independence. This is crucial to pre-empting contentious issues and helps ensure a common understanding of remedial progress.
Against the backdrop of tightening regulation and worldwide enforcement, we expect monitorships to remain an important tool for authorities and regulatory bodies around the globe to enforce, supervise, and track financial institutions' adherence to rules and regulations. Monitorships have been established across a wide spectrum of issues related to myriad financial products and services, and further innovation in the industry may result in additional monitorships if compliance programmes do not evolve at the same pace.
If a financial institution finds itself subject to a requirement to retain a monitor, there are certain steps it can take early on to facilitate an efficient monitorship. The guidance below gives hands-on advice to financial institutions regarding the initial phase of a monitorship.
Practical guidance for financial institutions entering into a monitorship
| Principle | Practical guidance |
|---|---|
| Be prepared | Initiate a comprehensive and thorough remediation programme in writing, which can be shared with the monitor. Establish adequate project governance, resourcing and infrastructure to swiftly respond to the monitor's requests. |
| Agree on clear scope and approach | Seek to align the mandate and scope of the monitorship as precisely as possible with the regulator or regulators and the monitor, including the business lines and geographies to be reviewed. |
| Define access and interaction | Define and agree how the monitor will interact with different stakeholders in the institution. Seek to establish a single point to facilitate all communications between the monitor and the financial institution (e.g., via a liaison or project management office), and a consistent, reliable and auditable way to deliver data and records requested by the monitor. |
| Set up data assessment environment early | Establish access to relevant bank data and formulate clear information and data requirements early in the process. Be prepared to provide a secure data environment for the monitor's review of the data. |
| Define a clear governance structure | Ensure a thorough understanding of the legal and regulatory environment, in particular cross-jurisdictional aspects, to support the implementation of the three lines of defence globally. |
| Focus on effectiveness and sustainability | Focus on the effectiveness and sustainability of the new controls required when developing action plans for monitor recommendations. Prepare for monitor testing by identifying internal testing that the financial institution can complete in advance of monitor testing. |
1 Günter Degitz and Rich Kando are managing directors at AlixPartners. The authors would like to thank Philip Bacher, Carina Nilles and Kurt Wessel for their contributions to this chapter.
2 Monitors have been imposed at financial institutions by US enforcement bodies such as the US Department of Justice (DOJ), Securities and Exchange Commission (SEC), various state attorneys general, the New York Department of Financial Services (NY DFS) and the Office of the Comptroller of the Currency.
3 News release, 'SFO agrees first UK DPA with Standard Bank', Serious Fraud Office (30 November 2015), https://www.sfo.gov.uk/2015/11/30/sfo-agrees-first-uk-dpa-with-standard-bank.
4 As amended by the 2012 Act. The FCA developed a 'skilled person panel', which lists firms based on subject categories. The FCA determines the scope of the skilled person's review, and the resulting costs are borne by the regulated firm.
5 Financial Conduct Authority, 'Skilled person reviews', https://www.fca.org.uk/about/supervision/skilled-persons-reviews.
6 Joseph T Lynyak III and Lanier Saperstein, 'AML and US Sanctions Laws—Recent Developments; Anti-Money Laundering Seminar' (24 January 2018), https://www.dorsey.com/~/media/files/uploads/images/saperstein-dorsey-ppt-presentation--deloitte-conferencev1.pdf?la=en.
7 DOJ Press Release No. 12-1478, 'HSBC Holdings Plc. and HSBC Bank USA N.A. Admit to Anti-Money Laundering and Sanctions Violations, Forfeit $1.256 Billion in Deferred Prosecution Agreement' (11 December 2012), https://www.justice.gov/opa/pr/hsbc-holdings-plc-and-hsbc-bank-usa-na-admit-anti-money-laundering-and-sanctions-violations.
8 BaFin Press Release: 'Deutsche Bank AG: BaFin orders measures to prevent money laundering and terrorist financing' (24 September 2018), https://www.bafin.de/SharedDocs/Veroeffentlichungen/EN/Massnahmen/60b_KWG/meldung_180924_60b_deutsche_bank_en.html; Olaf Storbeck, 'Deutsche Bank ordered to tighten controls on money laundering' Financial Times (24 September 2018), https://www.ft.com/content/42d8f1c4-bffc-11e8-8d55-54197280d3f7.
9 'FINMA finds deficiencies in anti-money laundering processes at Credit Suisse', https://www.finma.ch/en/~/media/finma/dokumente/dokumentencenter/8news/medienmitteilungen/20180917-mm-gwg-cs.pdf?la=en.
10 DOJ Press Release No. 13-975, 'United States and Switzerland Issue Joint Statement Regarding Tax Evasion Investigations', https://www.justice.gov/opa/pr/united-states-and-switzerland-issue-joint-statement-regarding-
11 US DOJ: Swiss Bank Program, https://www.justice.gov/tax/swiss-bank-program.
12 NY DFS: Consent Order Pursuant to Banking Law Section 44-a, In the Matter of Credit Suisse AG, https://www.dfs.ny.gov/about/ea/ea140519.pdf.
13 The New York subsidiary of Bank Leumi le-Israel.
14 NY DFS: Consent Order Pursuant to Banking Law Section 44 And 44-a, In the Matter of Bank Leumi USA, Bank Leumi Le-Israel, B.M., https://www.dfs.ny.gov/about/ea/ea141222_leumi.pdf.
15 US DOJ: '$25 Billion Mortgage Servicing Agreement Filed in Federal Court',
16 National Mortgage Settlement, 'Fact Sheet: Mortgage Servicing Settlement',
17 Including on behalf of its current and former subsidiaries.
18 Monitor of the 2017 Deutsche Bank Mortgage Settlement: 'About the Monitor',
19 NY DFS: 'Consent Order Pursuant To Banking Law § 44' In the Matter of Ocwen Financial Corporation, Ocwen Loan Servicing, LLC, https://www.dfs.ny.gov/about/ea/ea141222.pdf.
21 London Interbank Offered Rate.
22 'Deutsche Bank's London Subsidiary Agrees to Plead Guilty in Connection with Long-Running Manipulation of LIBOR' (23 April 2015), https://www.justice.gov/opa/pr/deutsche-banks-london-subsidiary-agrees-plead-
25 e.g., In re Barclays Bank Plc (and Barclays Bank Plc, New York Branch), NYDFS Enforcement Action: Consent Orders to Barclays Bank PLC (20 May 2015 and 17 November 2015), https://www.dfs.ny.gov/about/ea/ea150520.pdf, https://www.dfs.ny.gov/about/ea/ea151117.pdf.
26 e.g., In re Deutsche Bank AG, 'Opinion & Order Appointing Independent Monitor' (20 October 2016),
27 e.g., In re Igor B. Oystacher, and 3 Red Trading LLC, Consent Order with the US Commodity Futures Trading Commission (20 December 2016), https://www.cftc.gov/sites/default/files/idc/groups/public/
28 e.g., In re State Street Corporation, Deferred Prosecution Agreement (17 January 2017), https://www.justice.gov/criminal-fraud/file/932581/download.
29 The SEC generally has imposed two types of monitors: an 'independent compliance consultant' and an 'independent compliance monitor'. The former typically has a more focused scope and generally results from a stand-alone enforcement action. The latter generally arises out of parallel criminal or civil proceedings, and tends to have a broader mandate and more reporting requirements.
30 Jonny J Frank, 'SEC-Imposed Monitors', SEC Compliance and Enforcement Answer Book (2017 Edition), pp. 9-2, 8, 9, http://stoneturn.com/wp-content/uploads/2017/07/2017-SEC-Compliance-and-Enforcement-Answer-Book_SEC-Imposed-Monitors.pdf.
31 e.g., In re Och-Ziff Capital Management Group, LLC, Exchange Act Release No. 89,989 (29 September 2016).
32 e.g., In re DOJ deferred prosecution agreement with Deutsche Bank, 23 April 2015, https://www.justice.gov/sites/default/files/criminal-fraud/legacy/2015/05/22/2014-04-23-deutsche-bank-deferred-prosecution-agreement.pdf.
33 e.g., In re Insurance Service Center Inc, http://iaicm.org/wp-content/uploads/formidable/ISC-Inc-Crt-Ordr-
34 e.g., In re Marco Investment Management, LLC, https://www.sec.gov/litigation/admin/2016/ia-4348.pdf.
35 e.g., In re Royal Alliance Associates, Inc, https://www.sec.gov/litigation/admin/2016/34-77362.pdf.
36 e.g., Alpha Fiduciary, Inc (https://www.sec.gov/litigation/admin/2015/ia-4283.pdf); Trust & Investment Advisors, LLC (https://www.sec.gov/litigation/admin/2015/ia-4087.pdf).
37 See Government Accountability Office, Financial Regulation, GAO-16-175, February 2016, Figure 2 and p. 9, https://www.gao.gov/assets/680/675400.pdf.
38 e.g., the NY DFS memorandum 'DFS Cybersecurity Regulation – First Two Years and Next Steps,' (21 December 2018), https://www.dfs.ny.gov/about/cyber_memo_12212018.pdf.