
GBA 2017 Advanced Compliance School: Managing BSA/AML Compliance

Financial Solutions * May 2017

2017 Managing BSA/AML Compliance

August 2015

GBA Advanced Compliance School

May 2017

Presented by

Patti Joyner Blenden, CRCM


Birth of the Bank Secrecy Act (BSA)

Enacted in 1970

– The law requires financial institutions to assist government agencies in efforts to curb federal crime by imposing recordkeeping and reporting requirements.

– Since the passage of the BSA, the nature and frequency of money‐laundering crimes, especially those related to illegal drug trafficking, have increased and changed considerably.


Significant BSA Milestones

• 1986 ‐ Money laundering was made a crime. Congress also allowed the seizure and forfeiture of laundered funds. Banks were required to have a formal BSA compliance program. 

• 1990 ‐ Financial Crimes Enforcement Network (FinCEN) was created to administer BSA.


Significant BSA Milestones (continued)

• 1995 ‐ Record keeping requirements for funds transfers, such as wire transfers, were added and Currency Transaction Exemptions were introduced.

• 2001 ‐ The role of the banking system in assisting law enforcement changed again when Congress enacted the USA PATRIOT Act:

Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism Act

Regulating BSA and USA PATRIOT Act

• In 2005 the federal banking agencies jointly issued a comprehensive interagency examination manual covering the BSA, Anti‐Money Laundering (AML) laws and Office of Foreign Assets Control (OFAC) regulations:

– Bank Secrecy Act / Anti‐Money Laundering Examination Manual, Federal Financial Institutions Examination Council (FFIEC)

Revised in 2007, 2010 and most recently in 2014.

New FFIEC BSA/AML Examination Manual

• On December 2, 2014, the FFIEC released an updated version of the Bank Secrecy Act/Anti‐Money Laundering Examination Manual (November 2014), replacing the prior April 2010 version.

• The bank regulatory agencies announced the updated manual, assuring bankers the changes were not changes to regulatory policies or procedures. Instead, the changes were designed to reflect new regulations, advisories and other guidance that has been issued after publishing the April 2010 manual.


Significant Changes to the BSA/AML Exam Manual

• Independent Testing

• Suspicious Activity Reporting (SAR)

• Currency Transaction Report (CTR)

• Foreign Correspondent Account Recordkeeping 

• Foreign Bank and Financial Accounts (FBAR) 

• International Transportation of Currency or Monetary Instruments Reporting (CMIR)

• ACH, Prepaid Access & Third Party Payment Processors

• Nonbank Financial Institutions (NBFIs) – Money Services Businesses (MSB)


FinCEN Advisory on Compliance Culture

A financial institution can strengthen its BSA/AML compliance culture by ensuring that:

(1) Its leadership actively supports and understands compliance efforts;

(2) Efforts to manage and mitigate BSA/AML deficiencies and risks are not compromised by revenue interests; 

(3) Relevant information from the various departments within the organization is shared with compliance staff to further BSA/AML efforts; 

(4) The institution devotes adequate resources to its compliance function; 

(5) The compliance program is effective by, among other things, ensuring that it is tested by an independent and competent party; and

(6) Its leadership and staff understand the purpose of its BSA/AML efforts and how its reporting is used.

Advisory to U.S. Financial Institutions on Promoting a Culture of Compliance

What's Required in a BSA/AML Program

BSA Program Requirements:

1. Must be reduced to writing 

2. Approved by board of directors 

3. Should be based on the institution’s risk assessment, as periodically updated. Risk assessments should be determined by the institution’s:

– Products and services 

– Customers and entities 

– Geographies served


Five Pillars of a BSA Compliance Program

• BSA Officer

• Training

• Internal Controls

• Independent Testing

• Customer Due Diligence

BSA/AML Compliance Program

BSA / AML Program Pillar (1 of 5)

Appointing BSA Officer

– Designated by Board of Directors (BOD).

– Must have sufficient authority.

– Manage all aspects of BSA/AML program.

– Ability to communicate with BOD.


BSA / AML Program Pillar (2 of 5) 

BSA/AML Training

– Provide training to all personnel whose duties require knowledge of BSA (including BOD).

– Tailored to each person’s responsibilities.

– New hire and on‐going training. 

– Document dates and attendance.


BSA / AML Program Pillar (3 of 5) 

Internal Controls

– Implement risk‐based policies, procedures, and processes.

– Provide sufficient controls and monitoring systems for the timely detection and reporting of suspicious activity

– Identify areas more vulnerable to abuse.

– Meet recordkeeping and reporting requirements (e.g. CTRs and SARs).

– Sufficient controls to prevent/identify breakdowns.

– Incorporate BSA compliance into job descriptions and evaluations 


BSA / AML Program Pillar (4 of 5) 

Independent Testing

– Conducted by 3rd party (e.g., auditors, consultants).

– Frequency of test commensurate with BSA/AML risk profile.

– Identify areas of weakness. 

– Results should be reported to BOD.


BSA / AML Program Pillar (5 of 5) 

Customer Due Diligence

– Must obtain information regarding ownership of all new entity customers

• Beneficial Ownership

– CDD information must be obtained at account opening

– New beneficial ownership rule made it mandatory in the regs to update CDD information


What is Money Laundering?

– Money laundering is a method used to “wash” away the paper trail of illegally obtained funds in order to conceal the true ownership and source of the funds.


Sources and Methods of Illegal Activities

Sources

– Drug Trafficking

– Illegal Gaming

– Embezzlement

– Arms sales

– Etc.

Methods

• Cash‐intensive businesses

• Bulk cash smuggling

• Real estate

• Structuring

• Etc.

Three Common Steps for Money Laundering

Picture sourced from the United Nations Office on Drugs & Crime

What is Terrorist Financing?

– Terrorist financing differs from typical money laundering in that funds may have a legitimate source. 

– The use of the funds can oftentimes appear to be for legitimate uses as well, such as living expenses. 


BSA/AML Risk Assessment

Taking a Risk‐Based Approach

A risk‐based program is unique to your bank and situational: it measures your risks and the controls/triggers that mitigate those risks.


Goal of BSA/AML Risk Assessment

• A well‐developed risk assessment assists in identifying the bank’s BSA/AML risk profile.

• Understanding the risk profile enables the bank to apply appropriate risk management processes to the BSA/AML compliance program to mitigate risk.

• This risk assessment process enables management to better identify and mitigate gaps in the bank’s controls.

Using the Risk Assessment

There are many effective methods and formats used in completing a BSA/AML risk assessment.

– It is a sound practice that the risk assessment be reduced to writing.

The risk assessment should provide a comprehensive analysis of the BSA/AML risks in a concise and organized presentation.


Should be shared and communicated with all business lines across the bank, board of directors, management, and appropriate staff.

How Examiners Used the Risk Assessment

Examiner’s Objective:

Assess the BSA/AML risk profile of the bank and evaluate the adequacy of the bank’s BSA/AML risk assessment process.

– Part of scoping and planning the examination;

NOTE: Whenever the bank has not completed a risk assessment, or the risk assessment is inadequate, the examiner must complete a risk assessment based on available information.


Developing a Risk Assessment

Step 1

Identify Specific Risk Categories:

– Products

– Services

– Customers

– Entities

– Geographical locations

Step 2

Evaluate These Risks:

Step 3

Communicate your Findings to:

– Senior Management

– BOD

– Examiners

The assessment of risk factors is bank-specific, and a conclusion regarding the risk profile should be based on a consideration of all pertinent information.

• Banks may determine that some factors should be weighed more heavily than others.

Sample: Quantity of Risk Matrix 


The FFIEC provided a sample quantity of risk matrix that could be used to help formulate summary conclusions.


The Risk Assessment RESULTS

Basis for:

– High‐risk client enhanced due diligence

– High‐risk beneficial ownership due diligence

– High‐risk watch list

– High‐risk branches, markets or delivery channels

– Ongoing monitoring of behaviors

– Ongoing transaction monitoring

– Ongoing/focused testing


Customer Identification Program

CIP


Customer Identification Program (CIP)

CIP is intended to enable a bank to form a reasonable belief it knows the true identity of each customer. 

– Every bank must have a risk‐based written CIP appropriate for its size and type of business.

– Typically incorporated into the bank’s BSA/AML compliance program.

– Effective as of October 1, 2003


Incorporated into BSA/AML Program

The CIP must include account opening procedures that specify the identifying information that is obtained from each customer.

• It must also include reasonable and practical risk‐based procedures for verifying the identity of each customer.

• Banks should conduct a risk assessment of their customer base and product offerings, and in determining the risks, consider:

– The types of accounts offered by the bank.

– The bank’s methods of opening accounts.

– The types of identifying information available.

– The bank’s size, location, and customer base, including types of products and services used by customers in different geographic locations.


CIP Definition ‐ Accounts

Accounts

– Formal banking relationship to provide or engage in services, dealings or financial transactions. 

• Examples include: Deposit accounts; asset accounts; credit accounts, including extensions of credit; cash management accounts; trust accounts; relationship established to provide safe deposit boxes and other safekeeping services. 


Account Does Not Include

• Products or services for which a formal banking relationship is not established with a person, such as check cashing, funds transfer, or the sale of a check or money order.

• Any account that the bank acquires.

– This may include single or multiple accounts as a result of a purchase of assets, acquisition, merger, or assumption of liabilities.

• Accounts opened to participate in an employee benefit plan established under the Employee Retirement Income Security Act of 1974.


CIP Definition ‐ Customer

Customer

A customer is:

– A “person” (an individual, a corporation, partnership, a trust, an estate, or any other entity recognized as a legal person) 

– Who opens a new account, an individual who opens a new account for another individual who lacks legal capacity, and an individual who opens a new account for an entity that is not a legal person (e.g., a civic club). 


Customer Does Not Include

• Existing customers who open new accounts, provided the bank has a reasonable belief that it knows the customer’s true identity.

– NOTE: However, coverage includes new cosigners added to existing accounts and borrowers who assume existing loans.

• A person who does not receive banking services, such as a person whose loan application is denied.

• Excluded from the definition of customer are federally regulated banks, banks regulated by a state bank regulator, governmental entities, and publicly traded companies. 


Minimum CIP Requirements

The CIP must contain account‐opening procedures detailing the identifying information that must be obtained from each customer. 

At a minimum, the bank must obtain the following identifying information from each customer before opening the account:


– Name

– Date of birth, for individuals

– Physical Address

– Identification Number

CIP Address

• Individual

– Residential or street address.

– Army Post Office (APO) or Fleet Post Office (FPO).

– Street address of next of kin or another contact individual.

– Description of physical location.


CIP Address

• Business

– Principal place of business.

– Office location.

– Other physical address. 


CIP Identification Number

• U.S. Person

• Non‐U.S. Person

– Taxpayer ID Number (TIN) or evidence of one.

– ITIN.

– Passport number.

– Alien ID card Number.

– Number & country of issuance of any unexpired government issued ID (showing nationality or residence)


Customer Identification Program (CIP)

Three matters to consider:

– Collection

– Verification

– Timing


CIP Procedures Risk‐based Customer Verification

The CIP must contain procedures for verifying the customer’s identity within a reasonable period of time after the account is opened.

• Documentary 

• Non‐documentary 

• Lack of verification


Additional Verification for Certain Customers

The CIP must address situations where, based on its risk assessment of a new account opened by a customer that is not an individual, the bank obtains information about individuals with authority or control over such accounts, including signatories, in order to verify the customer’s identity. 

For example: A bank may need to obtain information about and verify the identity of a sole proprietor or the principals in a partnership when the bank cannot otherwise satisfactorily identify the sole proprietorship or the partnership.

– Regulators have finalized Beneficial Ownership requirements 


Failure to Verify Identities

• The bank’s CIP should contain procedures to address situations when the bank cannot verify the customer’s true identity. These should include: 

– When the bank should refuse to open an account

– When the bank should allow a customer to use an account while it attempts to verify the customer’s identity

– When the bank should close an account after attempts at identity verification have failed 

– When the bank should file a SAR in connection with the failure to verify a customer’s identity or other suspicious activity 


Maintaining CIP Records and Retention

The bank’s CIP must maintain records of all account information obtained during the verification process, including:

– All identifying information about the customer 

– A description of any document that was relied on

– A description of the methods and results 

– A description of the resolution of any discrepancy

Records retention

– All records obtained to identify the customer before opening an account must be retained for five years after the date the account is closed.

• These records include the customer’s name, date of birth, address, and ID number. For credit card accounts, records must be maintained for five years after the account is closed or becomes dormant.

– Records used to verify the customer’s identity using documents, non‐documentary methods, or other methods must be retained for five years after the record was made.


Additional CIP Requirements

Comparison with Government Lists

• The bank’s CIP must contain procedures for determining whether the customer appears on any government‐issued lists of suspected or known terrorists or terrorist organizations.

• As of the date of this training, there are no designated government lists to verify specifically for CIP purposes.

Customer Notice

• Providing customers with a notice that the information is being used to verify their identities.

• The notice must be placed in a manner that the customer will be able to view it before opening an account. For example, it can be:

– Posted in the bank’s lobby 

– Printed on applications 

– Posted on the bank’s Web site


Sample Notice Language 

IMPORTANT INFORMATION ABOUT PROCEDURES FOR OPENING A NEW ACCOUNT:

To help the government fight the funding of terrorism and money laundering activities, federal law requires all financial institutions to obtain, verify, and record information that identifies each person who opens an account. What this means for you: When you open an account, we will ask for your name, address, date of birth, and other information that will allow us to identify you. We may also ask to see your driver’s license or other identifying documents.


Additional CIP Information

Reliance on Another Financial Institution

A bank is permitted to rely on another financial institution (including an affiliate) to perform some or all of the elements of the CIP, if reliance is addressed in the CIP and the following criteria are met:

• The relied‐upon financial institution is subject to a rule implementing the AML program requirements of 31 USC 5318(h) (Maintain an Anti‐Money Laundering Program) and is regulated by a federal functional regulator.

• The customer has an account or is opening an account at the bank and at the other functionally regulated institution.

• Reliance is reasonable, under the circumstances.

• The other financial institution enters into a contract requiring it to certify annually to the bank that it has implemented its AML program, and that it will perform (or its agent will perform) the specified requirements of the bank’s CIP


Use of Third‐Parties for CIP

Use of Third Parties

The CIP rule does not alter a bank’s authority to use a third party, such as an agent or service provider, to perform services on its behalf. Therefore, a bank is permitted to arrange for a third party, such as a car dealer or mortgage broker, acting as its agent in connection with a loan, to verify the identity of its customer.

The bank can also arrange for a third party to maintain its records.

• However, as with any other responsibility performed by a third party, the bank is ultimately responsible for that third party’s compliance with the requirements of the bank’s CIP.

• As a result, banks should establish adequate controls and review procedures for such relationships.

Customer Due Diligence: Beneficial Ownership

Customer Due Diligence (CDD):  Beneficial Ownership

• Prior to the rule, there was no mandatory requirement for banks to know the identity of individuals who own or control a legal entity customer

• FinCEN’s final rule was published on May 11, 2016 and applies to MANY types of financial entities

– Has been in process since February 29, 2012

• Enhances CDD requirements by mandating that financial institutions identify and verify the identity of the beneficial owners of their legal entity customers

• Two‐Pronged Test

– Ownership – Identify up to 4 individuals with 25% or more direct or indirect ownership in the entity’s equity

– Control – Identification of one individual with significant responsibility to control, manage, or direct a legal entity

• At your discretion based on risk, you may want to REQUIRE more control individuals

Beneficial Ownership

• Two‐Year Compliance Transition Period. Covered financial institutions have until May 11, 2018 to implement the new requirements. 

• Must verify the identity of the individual identified as a beneficial owner, but NOT his or her status as a “beneficial owner.”

• Required identity information can be obtained by any means, and records of the information can be kept in any manner that satisfies the applicable recordkeeping rules. 

• The CDD Rule is not retroactive; it does not require a “lookback” to obtain beneficial ownership information from existing customers, unless those customers experience a triggering event. 

– Customer information should be updated on an event‐driven basis in the course of normal monitoring activity.  For example, opening a new account, applying for a new loan, requesting signature card or transaction authorization updates, replacing existing guarantors with new individuals, etc.


New Fifth Pillar of an Effective AML Program

1. Board approved policies and procedures

2. A designated compliance officer

3. An ongoing training program

4. An independent audit function

5. Conduct customer due diligence

A. Understand the nature and purpose of customer relationships for the purpose of developing a customer risk profile 

B. Conduct ongoing monitoring to identify and report suspicious transactions and, on a risk basis, maintain and update customer information, including beneficial owner information


Legal Entity Customer

• An entity that files a public document with a Secretary of State, or similar state official or office, including any similar entity formed under the laws of a foreign jurisdiction.

• Examples include corporations, limited liability corporations, partnerships, etc.


Customer Due Diligence – New Rule

Legal Entity (created by filing of public document with government)

– Corporation

– LLC

– Partnership, general or limited

– Business trusts (registered)

Not a Legal Entity

– Natural Person

– Sole Proprietorship

– Unincorporated assoc.

– Unregistered trust

Customer Due Diligence – New Rule

Important Dates and Key Points:

Effective July 11, 2016

You have to comply by May 11, 2018

You should be building a coalition of stakeholders within your firm to contemplate compliance

The rule only applies to new accounts opened after May 11, 2018 (new accounts opened for new or existing legal entity customers)

Know Your Customer’s Owners

• According to FinCEN, clarifying and strengthening CDD requirements will advance BSA’s purpose in a number of ways. 

– Enhance the ability of law enforcement to access beneficial ownership information. 

– Increase the ability of various stakeholders to identify assets associated with criminals and terrorists, helping to strengthen compliance with sanctions programs. 

– Help financial institutions assess and mitigate potential risks and comply with legal requirements. 

– Facilitate tax compliance, especially as it relates to the Foreign Account Tax Compliance Act (FATCA) and reciprocity with other jurisdictions. 

– Promote consistency in implementing and enforcing CDD regulatory expectations across financial sectors.


Legal Entity Customer Enhanced Transparency

• Identify and verify customer identity

• Identify and verify beneficial owners (Individuals!!)

• Understand the nature and purpose of customer relationship

• Conduct ongoing monitoring to identify and report suspicious activity

“Beneficial Owner”

• The definition of “beneficial owner” would have two components: an ownership prong and a control prong.

– Under the ownership prong, a beneficial owner would be an individual who, directly or indirectly, owns 25% or more of the equity interests of the legal entity. There could be no more than 4 individuals in this context. 

– The control prong would apply to an individual with significant responsibility to control, manage or direct a legal entity customer, such as an executive officer, senior manager or an individual who performs similar functions. You would only need to identify a single individual. 

• Each prong would be an independent test, although one individual could potentially satisfy both tests.


Beneficial Ownership Key Points

• Each individual who owns 25% or more of the equity interests in a legal entity customer and one individual who exercises significant managerial control over the legal entity customer.

• Legal entity customers include corporations, limited liability companies, partnerships or similar business entities, but not trusts. 

• No requirement to identify underlying customers in intermediated accounts.

• Standard beneficial ownership certification form is optional.

• Verify identity of beneficial owner, not beneficial owner status.

• Preserves a risk‐based approach – the rule serves as the minimum.

• Recordkeeping is required.


Beneficial Ownership Requirement

• Covered financial institutions will be required to identify beneficial owners of new legal entity customers, subject to certain exemptions.  Covered institutions:

– Will not have to identify beneficial owners of certain types of legal entity customers.

– Will not have to identify the beneficial owners of an intermediary’s underlying clients if that financial institution has no Customer Identification Program (CIP) obligation with respect to those underlying clients.

– Will be able to rely on a standard certification form at the bank’s option (was originally a required form in proposal).

– Will be able to rely on the CDD of other financial institutions, consistent with the approach in the existing CIP reliance structure.


Exclusions from Legal Entity Customer

• A financial institution regulated by a federal functional regulator or a bank regulated by a state bank regulator

• A department or agency of the United States, a State or the political subdivision of a State

• An entity established under the laws of the United States, a State or the political subdivision of a State that exercises governmental authority

• An entity other than a bank whose stock is listed on a national exchange or a subsidiary of that entity if the listed entity owns at least 51% of the equity of the subsidiary


Exclusions from Legal Entity Customer (continued)

• Other entities not covered by the CDD requirement:

– An issuer of certain securities registered with the SEC

– An investment company

– An investment adviser

– An exchange or clearing agency

– Any other entity registered with the SEC

– Certain entities registered with the CFTC

– A public accounting firm registered under Sarbanes‐Oxley

– A bank holding company

– A pooled investment vehicle

– A state‐regulated insurance company

– A foreign financial institution


Limited Beneficial Ownership CDD Entities

• For some entities, only a control person must be identified and verified:

– A pooled investment vehicle operated or advised by a financial institution

– A legal entity established as a non‐profit that has filed appropriate documents with the State


Accounts Exempt from CDD BO Requirements

• Accounts opened at the point‐of‐sale solely for purchase at that retailer

• Accounts to finance the purchase of postage

• Accounts to finance payments of property and casualty insurance premiums

• Accounts to finance equipment leases or purchase


Identify the Individual in Control

• Under the ownership prong, even though there may be complex structures and ownerships, FinCEN expects financial institutions will identify the natural person who exercises control. 

• FinCEN does not expect financial institutions to analyze whether individuals are acting in concert to exercise control.

• If a trust owns 25% or more of the equity interests of a legal entity customer, the trustee is considered the beneficial owner.


Natural Person Required Information

• Natural person opening the account for the legal entity customer – name and title

• Beneficial owners:

– Name (plus title for the controlling individuals)

– Date of birth

– Address

– Social Security Number (for US Persons) or passport number and country of issuance or similar documentation (for non US Persons)

• New CDD rule does not require that CDD verification steps be identical to CIP requirements


New Accounts & Certification

• The requirement to obtain beneficial ownership information would apply only when a new account is opened. It would not apply to existing accounts, but would apply when an existing customer opened a new account. 

– FinCEN suggests, however, that financial institutions may want to obtain a certificate from existing customers when the customer’s risk profile is updated.

• When an account is opened, require that the customer execute a standardized certification form or provide required information. 

• The process requires the individual opening an account to certify, to the best of his or her knowledge, on behalf of the entity, that the information is complete and correct. 

• The financial institution must then verify the identity of the person or persons identified as the beneficial owners, using standard CIP practices.


Obtaining the Required Information

• A covered financial institution may accomplish this either by:

– Obtaining a certification in the form of appendix A of this section from the individual opening the account on behalf of the legal entity customer; or

– Obtaining from the individual the information required by the form by another means, provided the individual certifies, to the best of the individual’s knowledge, the accuracy of the information.

• A covered financial institution may rely on the information supplied by the legal entity customer regarding the identity of its beneficial owner or owners, provided that it has no knowledge of facts that would reasonably call into question the reliability of such information.


Beneficial Ownership Recordkeeping

• Procedures must be established for maintaining records

• Identifying information, including the certification form (if obtained)

• Verification information, including a description of any document relied on (type, ID #, place and date of issuance, and expiration) or the non‐documentary method used, plus how any substantive discrepancies were resolved

• Identification records must be kept for five years after an account is closed 

• Verification information must be retained for five years after the record is made


Existing Customer Due Diligence

CDD / EDD

Customer Due Diligence

The objective of CDD: Enable the bank to predict with relative certainty the types of transactions the customer is likely to engage in.

• Specific focus on business relationships and beneficial ownership;

• Understand purpose of business relationship and anticipated behavior;

• Risk assigned based on behavior and use of products/services;

• On‐going due diligence for higher risk customers.


Making CDD Effective

Effective CDD policies, procedures, and processes provide the critical framework that enables the bank to comply with regulatory requirements and to report suspicious activity.

– An illustration of this concept is provided in Appendix K (“Customer Risk versus Due Diligence and Suspicious Activity Monitoring”)


Putting CDD Into Practice

CDD information should allow the bank to determine the customer’s risk profile at account opening.

• Banks should monitor their lower‐risk customers through regular suspicious activity monitoring and customer due diligence processes.

• If there is indication of a potential change in the customer’s risk profile (e.g., expected account activity, change in employment or business operations), management should reassess the customer risk rating and follow established bank policies and procedures for maintaining or changing customer risk ratings.

** CDD processes should include periodic risk‐based monitoring of the customer relationship to determine whether there are substantive changes to the original CDD information (e.g., change in employment or business operations).


Certain Customers & Products Pose Higher Risk

Higher Risk Customers

• Foreign Financial Institutions

• Non‐Bank Institutions

• Senior Foreign Political Figures

• Nonresident Aliens (NRA) 

• Foreign Corporations

• Deposit Brokers

• Cash Intensive Businesses 

• Charities 

• Professional Service Providers 

Higher Risk Products/Services

• Electronic Funds Payment Services

• Electronic Banking

• Private Banking (domestic and international) 

• Trust and Assets Management

• Trade Finance

• Special Use or Concentration Accounts 


Enhanced Due Diligence

EDD is used for high‐risk customers and is especially critical in understanding their anticipated transactions and implementing a suspicious activity monitoring system that reduces the bank’s reputation, compliance and transaction risks (FFIEC).

A customer may be determined Higher Risk because of the customer’s:

• Business activity

• Ownership structure

• Anticipated vs. actual volume and types of transactions

• Dealing with higher risk jurisdictions


Methods to Identify Higher Risk Customers

Strategies to identify higher risk customers may include a combination of several approaches, including:

• Process automation (validate ID, sanction screening, negative news)

• North American Industrial Codes Standards (NAICS)

• Response to due diligence questions at account opening

• Peer comparison/monitoring

• Specific focus on users of multiple and/or unique high risk products/services

• Customers operating in or with high risk geographies


Enhanced Due Diligence

If determined Higher Risk, consider obtaining the following, both at account opening and throughout the relationship:

• Purpose of account(s)

• Source of funds and wealth

• Individuals with ownership or control over account

• Financial statements

• Banking references

• Proximity information

• Description of the business operations and a list of major customers and suppliers

• Explanations for changes in account activity


Allocation of Resources for EDD

[Chart: Highest Risks (Highest Risk Customers within the Institution): 75-90% Time & Resources; Moderate to Low Risks: 25-10% Time & Resources]

* The percentages used in this chart are for illustration purposes only and would vary depending on the risk of each individual institution.


Customer Risk Rating Process

The Bank should have a process to differentiate between lower‐risk customers and higher‐risk customers at account opening:

• The Bank should monitor its lower‐risk customers through regular suspicious activity monitoring and the CDD process;

• If there is an indication of change in a customer’s profile, the risk should be reassessed.

• Higher risk customers and their transactions should be reviewed more closely at account opening and throughout their relationship with the Bank.

[Diagram labels: Static Data; Products/Services; Transactional; Customer Risk Score; H/M/L]

* The customer risk rating categories used in this chart are for illustration purposes only and would vary depending on the risk of each individual institution.


Suspicious Activity Reporting

SAR

Suspicious Activity Reporting (SAR)

• SARs are the cornerstone of the BSA reporting system.

• Examiners and banks should recognize that the quality of SAR content is critical to the adequacy and effectiveness of the suspicious activity reporting system.

As a practical matter:

It is not possible for a bank to detect and report all potentially illicit transactions that flow through the bank.


Reportable Suspicious Activity

– Criminal violations involving insider abuse in any amount. 

– Criminal violations aggregating $5,000 or more when a suspect can be identified. 

– Criminal violations aggregating $25,000 or more regardless of a potential suspect. 


Reportable Suspicious Activity

Transactions conducted or attempted by, at, or through the bank (or an affiliate) and aggregating $5,000 or more, if the bank or affiliate knows, suspects, or has reason to suspect that the transaction: 

– May involve potential money laundering or other illegal activity (e.g., terrorism financing). 

– Is designed to evade the BSA or its implementing regulations (such as structuring). 

– Has no business or apparent lawful purpose or is not the type of transaction that the particular customer would normally be expected to engage in, and the bank knows of no reasonable explanation for the transaction after examining the available facts, including the background and possible purpose of the transaction.


What is Considered a Transaction

A transaction includes:

• A deposit; 

• A withdrawal; 

• A transfer between accounts; 

• An exchange of currency; 

• An extension of credit; 

• A purchase or sale of any stock, bond, certificate of deposit or other monetary instrument or investment security; 

• Or any other payment, transfer, or delivery by, through, or to a bank.


SAR Safe Harbor

• Federal law provides protection from civil liability for all reports of suspicious transactions made to appropriate authorities, including supporting documentation, regardless of whether such reports are filed pursuant to the SAR instructions.


Prohibited to Disclose a SAR

No bank, and no director, officer, employee, or agent of a bank that reports a suspicious transaction may notify any person involved in the transaction that the transaction has been reported.

• A SAR and any information that would reveal the existence of a SAR, are confidential, except as is necessary to fulfill BSA obligations and responsibilities. 

– For example, the existence or even the non‐existence of a SAR must be kept confidential, as well as the information contained in the SAR to the extent that the information would reveal the existence of a SAR.


Timing for Filing a SAR

A bank must file a SAR with the Department of the Treasury’s FinCEN:

• Within 30 calendar days after initial detection of facts that may constitute a basis for filing a SAR. 

• Filing may be delayed another 30 calendar days if needed to identify a suspect. 

The bank also should telephone the appropriate law enforcement agency and its supervisory agency if the violation requires immediate attention.

– SAR filings should include only the information required on the form itself; 

– documentation and other evidence should not be filed.


SAR Filing on Continued Activity

If the suspicious activity continues over a period of time, such information should be made known to law enforcement and the federal banking agencies.

• FinCEN’s guidelines have suggested that banks should report continuing suspicious activity by filing a report at least every 90 calendar days.

– Subsequent guidance permits banks with SAR requirements to file SARs for continuing activity after a 90 day review with the filing deadline being 120 calendar days after the date of the previously related SAR filing. 


SAR Narrative

Answer the following questions during investigation:

– Who

– What

– When

– Where 

– Why

Organize the information on the SAR:

– Introduction

– Body

– Conclusion 


Banks Are Not Police Officers 

Banks are not obligated to investigate or confirm the underlying crime (e.g., terrorist financing, money laundering, tax evasion, identity theft, and various types of fraud).

NOTE:

• Investigation is the responsibility of law enforcement.

• When evaluating suspicious activity and completing the SAR, banks should, to the best of their ability, identify the characteristics of the suspicious activity. 


Monitoring Needs 

The sophistication of monitoring systems should be dictated by the bank’s risk profile, with particular emphasis on the composition of higher‐risk products, services, customers, entities, and geographies.

• The bank should ensure adequate staff is assigned to the identification, research, and reporting of suspicious activities, taking into account the bank’s overall risk profile and the volume of transactions.

– Staff need comprehensive and ongoing training to maintain their expertise.

Monitoring systems typically include:

• Employee identification or referrals, 

• Transaction‐based (manual) systems, 

• Surveillance (automated) systems,

• Or any combination of these.


Law Enforcement Requests

– Grand Jury Subpoenas

– National Security Letters

– 314(a)


Additional SAR Processes to Consider

– Documentation of decision not to file SAR

– Providing law enforcement with information used as basis for filing SARs

– Lessons learned from SARs

– Volumes and trends

– Board Reporting


SAR Record Retention

Banks must retain copies of SARs and supporting documentation for five years from the date of filing the SAR.

• The bank can retain copies in paper or electronic format. 

• Additionally, banks must provide all documentation supporting the filing of a SAR upon request by FinCEN or an appropriate law enforcement or federal banking agency.

– “Supporting documentation” refers to all documents or records that assisted a bank in making the determination that certain activity required a SAR filing.


Currency Transaction Reporting

CTR


Currency Transaction Reporting

• A bank must file a Currency Transaction Report for each transaction in currency (deposit, withdrawal, exchange, or other payment or transfer) of more than $10,000 by, through, or to the bank.

• NOTE: The BSA rule states that any person who receives more than $10,000 in a single cash transaction, or a series of cash transactions, must report the exchange to the IRS. This includes businesses as well as individuals who engage in a transaction that results in the transfer of cash.


Aggregation of Currency Transactions

• Multiple currency transactions totaling more than $10,000 during any one business day are treated as a single transaction if the bank has knowledge that they are by or on behalf of the same person. 


Potential CTR Situations

• Cash exchanges (for example, $10 bills changed to $100 bills) 

• Cash used to purchase a wire transfer, cashier’s check, money order, savings bond, and so forth 

• Loans funded or paid in cash 

• Purchase or cashing in of securities for cash 

• Traveler’s checks sold or cashed for cash 

• Transactions with foreign currency (and report its value in U.S. currency) 


Recording Information for a CTR

• Deposits made at night, over the weekend, or on a holiday are considered transactions of the next business day following the day of the deposit 

• Information on all persons or entities conducting the transaction and all persons or entities receiving the benefit of the transaction must be completed, including:

– Identification verification using state or government issued ID, including alien identification cards

– Physical address 

– Specific occupation of the conductor 


Additional CTR Requirements

• A completed CTR must be filed with FinCEN:

– FinCEN announced a change in the CTR electronic filing specification from the previous 25 days to 15 days.

– Bank must retain copies of CTRs for five years from the date of the report.

• The BSA E‐Filing System will send an acknowledgment for each filing (both discrete and batch) submitted through BSA E‐Filing. 


Exemptions

• U.S. Treasury regulations have historically recognized that the routine reporting of some types of large currency transactions does not necessarily aid law enforcement authorities and may place unreasonable burdens on banks.

– The Money Laundering Suppression Act of 1994 (MLSA) established a two‐phase exemption process.

• In December 2008, FinCEN announced its final rule on CTR exemptions to simplify requirements for financial institutions.

– It is an update of the Bank Secrecy Act (BSA) regulation that allows depository institutions to exempt certain customers from reporting cash transactions greater than $10,000.

– The rule became effective January 5, 2009.


Phase I Exemptions

FinCEN’s rule identifies five categories of Phase I exempt persons:

– A bank, to the extent of its domestic operations.

– A federal, state, or local government agency or department.

– Any entity exercising governmental authority within the United States.

– Any entity (other than a bank) whose common stock or analogous equity interests are listed on the New York Stock Exchange or the American Stock Exchange or have been designated as a NASDAQ National Market Security listed on the NASDAQ Stock Market.

– Any subsidiary (other than a bank) of any “listed entity” that is organized under U.S. law and at least 51 percent of whose common stock or analogous equity interest is owned by the listed entity


Phase I Filing Timeframes

Banks must file a one‐time Designation of Exempt Person report (DOEP) to exempt each eligible listed public company or eligible subsidiary from currency transaction reporting.

• The report must be filed electronically through the BSA E‐Filing System within 30 days after the first transaction in currency that the bank wishes to exempt.

• The information supporting each designation of a Phase I‐exempt listed public company or subsidiary must be reviewed and verified by the bank at least once per year. 

NOTE: Banks do not need to file a DOEP for Phase I‐eligible customers that are banks, federal, state, or local governments, or entities exercising governmental authority. 


Phase II Exemptions

• An institution may exempt a “non‐listed business” or “payroll customers” in this category after maintaining a transactional account for two months, provided there have been at least five reportable transactions through its exemptible accounts, and:

– No more than 50 percent of its gross revenues per year are derived from one or more of the ineligible business activities listed in the rule.

– When determining whether a customer is an exempt person, a bank may treat all transaction accounts of the person as though it were one account 

NOTE: The final rule provides an alternative to this two month/five transaction requirement: conduct a risk‐based analysis of the customer’s eligibility. This analysis must be able to show a reasonable, legitimate business purpose for large, frequent cash transactions.


Ineligible Businesses for CTR Exemption

– Serving as a financial institution. 

– Purchasing or selling motor vehicles of any kind, vessels, aircraft, farm equipment, or mobile homes. 

– Practicing law, accounting, or medicine. 

– Engaging in investment advisory services or investment banking services. 

– Operating a real estate brokerage. 

– Engaging in trade union activities. 

– Auctioning of goods. 

– Chartering or operation of ships, buses, or aircraft. 

– Operating a pawn brokerage. 

– Engaging in gaming of any kind. 

– Operating in title insurance activities and real estate closings. 

– Engaging in any other activity that may, from time to time, be specified by FinCEN. 


Monitor Exempt Accounts

• NOTE: Exempting a customer’s account does not exempt them from being monitored and reported for suspicious activity!


Additional Reporting Requirements

Report of International Transportation of Currency or Monetary Instruments (CMIR)

• Persons who physically transport monetary instruments of more than $10,000 into or out of the United States – such as:

– Currency

– Traveler’s checks 

– All negotiable instruments, including checks, cashier’s checks, promissory notes, and money orders

Report of Foreign Bank and Financial Accounts (FBAR)

• Any person (U.S. citizens, residents or domestic entities) with a financial interest exceeding $10,000 in a financial account in a foreign country.

• “Financial Account” includes:

– Accounts in which assets are in a commingled fund where the owner has an equity interest in the fund.


Additional Reporting Requirements cont.

Purchases of monetary instruments

• Covers any purchase of bank checks, drafts, cashier’s checks, money orders, or traveler’s checks for $3,000 ‐ $10,000 in currency.

• Maintain required information for 5 years.

Funds transfers

• Information must be retained for certain wire transfers, including funds transfers and payment orders from a person instructing a financial institution to pay $3,000 or greater to a recipient.

– (See page 833 in ABA Reference Guide)


Record Retention


Record Retention 

In general, the BSA requires that a bank maintain most records for at least five years. 

• These records can be maintained in many forms including original, microfilm, electronic, copy, or a reproduction. 

• A bank is not required to keep a separate system of records for each of the BSA requirements; however, a bank must maintain all records in a way that makes them accessible in a reasonable period of time, such as for:

– Purchase/sale of Monetary Instruments log

– Funds Transfer

– CTRs

– SARs

– CIP


Who Is OFAC 


Office of Foreign Assets Control (OFAC)

Division of U.S. Department of the Treasury

Purpose:

• Administers and enforces economic and trade sanctions based on U.S. foreign policy and national security goals against entities such as:

– Targeted foreign countries,

– Terrorists, 

– International narcotics traffickers, and 

– Those engaged in activities related to the proliferation of weapons of mass destruction. 


OFAC Authority 

OFAC acts under Presidential national emergency powers, as well as authority granted by specific legislation.

• Designed to impose controls on transactions and freeze assets under U.S. jurisdiction.

– Targeting countries and individuals or entities known to be acting on behalf of targeted countries.

– The targeted countries change periodically on the basis of presidential and congressional action.


Who Does OFAC Apply To


The OFAC regulations apply to:

• All U.S. persons, including U.S. citizens, permanent resident aliens (regardless of where they are physically located); 

• All persons and entities within the U.S.;

• All U.S. incorporated entities and their foreign branches;

– Under some programs foreign subsidiaries owned or controlled by U.S. companies must also comply and under other programs foreign persons in possession of U.S. origin goods are subject to OFAC requirements as well.

Meaning for Banks:

OFAC applies to everyone including employees, customers, and vendors.


Regulation of OFAC

The federal banking agencies evaluate OFAC compliance policies, procedures, and processes to ensure that all banks subject to their supervision comply with the sanctions.

• OFAC regulations require that those subject to the regulation have policies and procedures in place to screen for and identify any potential matches to the OFAC list, and take appropriate action if a match is found, to help ensure compliance.

The agencies have issued a chapter on OFAC compliance in the BSA Examination Manual. Enforcement responses to OFAC violations are determined by OFAC.

• As a means of enforcement ‐ OFAC may levy penalties or other types of enforcement actions against any party found to be in violation of OFAC regulations.


Culture of Compliance for OFAC

• An effective OFAC compliance program is one that is supported by the Board of Directors and senior management. 

• Key staff (Frontline/Operations) and key personnel should receive training to ensure they understand requirements and the potential impact that violations can have on the company. 


OFAC Penalties 

Corporations and individuals can be hit with civil and/or criminal penalties for noncompliance. These depend on the particular sanctions being violated.

• Civil penalties: from $250,000 (or twice the amount of each underlying violating transaction) to $1,075,000 per violation

• Criminal fines: from $50,000 to $1,000,000

For example, violating the Cuban embargo can result in the following:

• Criminal: $1,000,000 in fines for corporations, $250,000 for individuals 

• Civil: up to a $65,000 fine per violation

Prison Sentences under OFAC

• Violating the guidelines can also lead to prison time for corporate executives, as recent OFAC actions show. Sentences vary based on the program, but willful violations typically bring about 10 to 30 years of imprisonment.


How OFAC Accomplishes Its Mission

• OFAC accomplishes its mission by creating, maintaining, publishing and enforcing various sanction programs and identifying individuals and entities with whom we are prohibited from doing business. 

• OFAC provides this information via the:

– Specially Designated Nationals (SDN) List and 

– Various sanction programs.  


Specially Designated Nationals and Blocked Persons (“SDN”) List

‐ OFAC’s prohibited parties list

‐ Owned, controlled by or acting on behalf of targeted governments or groups

‐ Recent Example – Ukraine Sanctions

‐ Individuals, entities, vessels, banks located worldwide

‐ UPDATED FREQUENTLY


OFAC Blocking

Blocking

‐ Commonly referenced as “freezing.”

‐ Across‐the‐board prohibitions against transfers or transactions regarding the blocked property

‐ Title of blocked property remains with sanctioned target

Most OFAC‐related transactions you will encounter will involve blocking, since the overwhelming majority of the affected entities/individuals are subject to blocking sanctions.

Call OFAC in order to obtain their help in determining whether it really is the affected individual or entity.


OFAC Rejecting

Rejecting

‐ Underlying transaction that is prohibited, but contains no “blockable” interest

‐ Business is refused, payments are returned to sender.

There are very, very few instances where rejection is required, rather than blocking.

– For example, all accounts belonging to persons or entities in Iran or the Government of Iran must be Rejected.


Blocked and Rejected Transaction Reports

‐ Due within 10 days of blocking/reject

‐ Filing Options

– Voluntary forms are available on OFAC’s website

• May be mailed or faxed to 202‐622‐2426

‐ Annual Reports of Blocked Property due by September 30


Internal Controls/Due Diligence

• Screening is the foundation of an effective compliance policy

– Are you screening?

– How are you screening?

– What are you screening?

• Updating compliance programs and using the most current SDN list

• Reporting

• Recordkeeping

– Customer account information

– End‐user statements, or similar language

– Export licenses, if applicable

– Shipping / freight forwarder information

• Due Diligence – Obtain full name, POB, DOB, etc. for individuals and relevant information for entities

OFAC Record Retention

• OFAC has a five‐year requirement to retain relevant OFAC records – i.e., New account OFAC screening

• For Blocked property, record retention for as long as blocked.

• Once unblocked, records must be maintained for five years


OFAC Licenses

OFAC issues general and specific licenses for specific exemptions from the general prohibitions 

Application may be made to OFAC for a license authorizing certain transactions: 

1. Applicant must make full disclosure to OFAC of all interested parties to the transaction 

2. Persons acting under authority of a license are subject to various reporting requirements as specified in the license


OFAC License

• Banks should also be aware of the expiration date on the license. If it is unclear whether a particular transaction is authorized by a license, the bank should confirm with OFAC.

– Maintaining copies of licenses will also be useful if another bank in the payment chain requests verification of a license’s validity.

• Copies of licenses should be maintained for five years, following the most recent transaction conducted in accordance with the license.  


Common Exam Findings

What leads to an OFAC enforcement investigation?

• Most frequent financial institution violations:

‐ Processing transactions involving SDNs or target countries

‐ human error or filter deficiencies

‐ Operating Iranian accounts

‐ Operating SDN accounts, including those belonging to Cuban nationals

‐ Rejecting rather than blocking a prohibited payment

‐ Relying on an outdated SDN list


Compliance Program

Risk Assessment

Internal Controls/Due Diligence

Testing/Internal Audit

Training

Responsible Individuals


Risk Assessment

• A company’s risk profile may change due to new business partners or new markets that it enters. 

• It may become necessary for policies and procedures to be revised.

• Regulators have placed great emphasis on adequate risk assessments in OFAC compliance programs and on tailoring those assessments to operations and third‐party relationships.


Independent Testing and Audits

Should Examine Entire Compliance Program, including but not limited to:

• Filtering program

• System performance

• Risk assessment and matrix

• Policies and procedures

• Escalation process

• Internal communication

• External communication

• Record‐keeping

• OFAC licenses

• Training

• Plans for improvement


Marijuana Legalization Update


29 States and the District of Columbia have legalized marijuana to varying degrees. Some medical legalizations are broad; others are limited to treating specific illnesses, and there are differences and nuances in each of the recreational laws.

Additional states allow the use of diluted forms of marijuana, called low‐THC marijuana or cannabis oils.

It’s still illegal at the federal level due to the Controlled Substances Act (CSA).


Marijuana Legalization – Fed’s Position

The Federal Reserve Board has incorporated references to FinCEN’s Marijuana Guidance (FIN‐2014‐G001) into the revised 2014 FFIEC Bank Secrecy Act Examination Manual.

The decision to open, close or decline a particular account or relationship is yours and typically made without involvement of Federal Banking Agencies.

Marijuana Legalization – Regulatory Expectations from the Fed

We will evaluate both the risk management of the activity, including the system of internal controls, and compliance with FinCEN’s Guidance FIN‐2014‐G001.

Weak risk management of a bank’s marijuana‐related business activity and/or noncompliance with the FinCEN Guidance could negatively impact a bank’s management and risk management ratings as well as our view of the BSA compliance program.


Marijuana Legalization – Senatorial Plea to FinCEN

Group of U.S. Senators asked FinCEN to issue supplemental Marijuana Guidance

Want FinCEN to address indirect businesses that provide services to marijuana businesses

How will FinCEN respond???

AML Hot Topic: Managing Surveillance Alerts


What’s Happening?


Some banks have determined that a portion of the output of their suspicious activity monitoring tool does not result in SARs and/or is nonproductive

Banks call this output different things – hits, alerts, output, etc.

The regulatory expectation is that decisions to not review 100% of alerts should be supported in writing, backed by a sound methodology

Regulatory Expectations around Alert Management


We are asking you to document your decisioning behind not “working” all output or alerts

We’d like for you to be able to support in writing that you are not missing SARs by not reviewing the output


What will the Examiner do?


The examiner will review the documentation supporting your reason for selection of particular alerts/hits to be worked and not worked

We will evaluate your justification and try to understand why you’ve gone in this direction

We will consider:

– Backlog of alerts

– Is staffing an issue

– Quality of output/alerts (Do rules/parameters need adjustment)

Suspicious Activity in the Loan Portfolio


Here is a list of examples of when a SAR should be contemplated for loan activity:

Falsifying income on a loan application or submitting fraudulent documents to bolster the appearance of creditworthiness

Selling a car out of trust for a floor plan loan made

When the loan applicant has ties to terrorism or is on the Specially Designated Nationals list—whether or not the loan is made

When a large loan is paid off unexpectedly in cash (source of funds)

When it is suspected or known that the loan customer is involved in fraud

When loan losses occur as a result of fraudulent activity

When loan proceeds are not used for the stated loan purpose

When straw borrowers receive loan proceeds


What Will the Examiner Do?


Talk to you about how you ensure suspicious activity involving loans is reported; evaluate your methodology

Talk to the lenders to evaluate their awareness and understanding of referring loan frauds/suspicious activity to the BSA group

Evaluate any referral process, monitoring or communication protocols your firm uses to identify loan issues that may be reportable

Best Practices


Providing targeted training to loan officers

Being open to receiving information from lenders about loan activity in various forms

Serving as a nonvoting member of loan or loan work-out committees

Reviewing loan committee minutes

Using a BSA compliance committee of which lenders are a member

Reviewing loan MIS reports on past dues, nonaccruals, etc.

Communicating to the lenders using their language

– High AML risk to them might equate to a loan classification


Questions We May Ask the BSA Officer


What kind of training do the lenders get on suspicious activity related to loans?

Have you filed any SARs on loans since the previous examination?

How do you and the lenders communicate about BSA matters involving loans?

Do you read loan committee minutes or loan workout information?

Do you have any kind of BSA compliance committee that includes other business lines, like the lenders?

How do you monitor suspicious activity for loans?

Do you evaluate loan activity of customers when you perform enhanced due diligence on high-risk customers?

Lessons Learned from 2016 Enforcement Actions


Enforcement Actions in 2016


More diversity and focus on nontraditional entities – casinos, a precious metal dealer

More personal fines

Lessons Learned:

Don’t wait to file the SAR (Gibraltar)

Make sure your AML program keeps pace with your growth; you need resources

Do your due diligence and EDD!

Lessons Learned from 2016

When you delegate, don’t walk away! Monitor what you’ve delegated.

Independent review – does using the same firm year after year compromise independence?

Create meaningful SARs with the why front and center; make sure the content is useful to law enforcement (BethEx FCU)


Enforcement Actions Highlighted


Gibraltar Private B&T

– $4 million fine + $2.5 million CMP

– Monitoring system generated unmanageable number of alerts, including large numbers of false positives that bank didn’t address

– Don’t delay in filing the SAR, irrespective of your decision to keep or close the account

“We may never know how that scheme might have been disrupted had Gibraltar more rigorously complied with its obligations under the law. This bank’s failure to implement and maintain an effective AML program exposed its customers, its banking peers, and our financial system to significant abuse.”

-Former FinCEN Director Jennifer Shasky Calvery

Enforcement Actions Highlighted


BethEx Federal Credit Union

– $500,000 CMP assessed

– Lack of AML controls for MSB customer base

– High-risk jurisdictions and international wires to countries with weak AML regimes

– No changes to AML policies and procedures after banking MSB customers

– Look back resulted in SAR filings that were vague, short and not helpful to law enforcement


The Road Forward in 2017

Emphasis on Cyber Events and Cyber Reporting

– Relationships with your IT partners are critical!

Customer Due Diligence/Beneficial Ownership – What’s happening between now and implementation????

Changes with the new Administration?

New FinCEN director?

Possible expansion of BSA coverage

– Real estate professionals?

– Registered investment advisors?

Financial Solutions

• Patti Blenden


www.finsolinc.com

Compliance Tools

Marian Wilson, Office Manager


COMPLIANCE ACTION VOLUME 21, NUMBER 2

Action Training

Strengthening Your Organization’s BSA Culture of Compliance

by Patti Blenden

FinCEN issued Advisory FIN-2014-A007 to US Financial Institutions on Promoting a Culture of Compliance on August 11, 2014. FinCEN stated BSA and AML shortcomings have triggered civil and criminal enforcement actions, even civil money penalties against individuals. FinCEN highlighted the importance of a strong culture of BSA and AML compliance supported by the board, senior management, leadership and owners of all financial institutions regardless of size or industry sector. Summarized below for your quick reference and refresher training are the key actions a financial institution can take to strengthen its BSA/AML compliance culture.

(1) Leadership must actively support and understand compliance requirements and efforts.

a. Leaders are responsible for understanding an institution’s BSA responsibilities and creating a culture of compliance. Leaders must support BSA leadership and stay tuned in to current compliance.

b. An organization’s leaders’ commitment and support should be clearly visible within the organization. This commitment significantly influences the attitudes of others within the organization.

c. Organization leaders must have regular BSA/AML training tailored to their roles to its obligations and to make informed decisions regarding the allocation of BSA resources.

(2) Resources to manage and mitigate BSA/AML deficiencies and risks must not be compromised by revenue interests.

a. Compliance staff should be empowered with sufficient authority and autonomy to effectively implement an institution’s AML program.

b. Organizations must take appropriate actions to address and mitigate risks arising from an institution’s business line and file any necessary reports, such as Suspicious Activity Reports (SARs).

(3) Relevant information from across the enterprise must be shared with BSA/AML compliance staff!

a. Several recent enforcement actions noted institutions possessed relevant information that was not shared with BSA/AML compliance staff.

b. Whether resulting from an ineffective sharing infrastructure, a lack of appreciation of the BSA/AML significance of the information or an intentional decision to prevent compliance, the BSA/AML program was compromised. Fix communication breakdowns fast!

(4) The institution must devote adequate, competent resources to its compliance function.

a. Every BSA/AML compliance program requires designation of a BSA-proficient individual with sufficient authority to administer the program.

b. The institution should devote appropriate support staff to its BSA/AML program based on its risk profile to allow the program to be effective.

c. Appropriate technological resources must be allocated to BSA/AML tasks to identify and monitor suspicious activity, especially for institutions with substantially higher risk.

(5) Leadership must support an effective compliance program by, among other things, ensuring that it is regularly tested by an independent and competent party;

a. FinCEN stresses the importance of independent testing of its BSA/AML compliance program.

b. Leadership should ensure the party testing the program (internal or external) is independent, qualified, unbiased with no conflicting business interests to influence the test results.

c. Safeguarding the integrity and independence of the compliance program testing enables an institution to locate and take appropriate corrective actions to address BSA/AML deficiencies.

(6) Leadership and staff must understand the purpose of its BSA/AML efforts and how its reporting is used.

a. Financial institutions provide many reports under FinCEN’s regulations that result in some of the most important information available to law enforcement and others safeguarding the nation.

b. Leadership and staff at all levels in a bank should understand they are not simply generating reports, but recognize the purpose of BSA reports and how the critical information is used.


www.bankersonline.com/ca


BSA/AML Compliance Program — Overview

Objective. Assess the adequacy of the bank’s BSA/AML compliance program. Determine whether the bank has developed, administered, and maintained an effective program for compliance with the BSA and all of its implementing regulations.

Review of the bank’s written policies, procedures, and processes is a first step in determining the overall adequacy of the BSA/AML compliance program. The completion of applicable core and, if warranted, expanded examination procedures is necessary to support the overall conclusions regarding the adequacy of the BSA/AML compliance program. Examination findings should be discussed with the bank’s management, and significant findings must be included in the report of examination or supervisory correspondence.

The BSA/AML compliance program30 must be written, approved by the board of directors,31 and noted in the board minutes. A bank must have a BSA/AML compliance program commensurate with its respective BSA/AML risk profile. Refer to the core overview section, “BSA/AML Risk Assessment,” page 18, for additional guidance on developing a BSA/AML risk assessment. Refer to Appendix I (“Risk Assessment Link to the BSA/AML Compliance Program”) for a chart depicting the risk assessment’s link to the BSA/AML compliance program. Furthermore, the BSA/AML compliance program must be fully implemented and reasonably designed to meet the BSA requirements.32 Policy statements alone are not sufficient; practices must coincide with the bank’s written policies, procedures, and processes. The BSA/AML compliance program must provide for the following minimum requirements:

• A system of internal controls to ensure ongoing compliance.

• Independent testing of BSA/AML compliance.

30 The Board of Governors of the Federal Reserve System (Federal Reserve) requires Edge and agreement corporations and U.S. branches, agencies, and other offices of foreign banks supervised by the Federal Reserve to establish and maintain procedures reasonably designed to ensure and monitor compliance with the BSA and related regulations (refer to Regulation K, 12 CFR 211.5(m)(1) and 12 CFR 211.24(j)(1)). In addition, because the BSA does not apply extraterritorially, foreign offices of domestic banks are expected to have policies, procedures, and processes in place to protect against risks of money laundering and terrorist financing (12 CFR 208.63 and 12 CFR 326.8).

31 The Federal Reserve, the Federal Deposit Insurance Corporation (FDIC), and the Office of the Comptroller of the Currency (OCC), each require the U.S. branches, agencies, and representative offices of the foreign banks they supervise operating in the United States to develop written BSA compliance programs that are approved by their respective bank’s board of directors and noted in the minutes, or that are approved by delegatees acting under the express authority of their respective bank’s board of directors to approve the BSA compliance programs. “Express authority” means the head office must be aware of its U.S. AML program requirements and there must be some indication of purposeful delegation. For those U.S. branches, agencies, and representative office of foreign banks that were already in compliance with existing obligations under the BSA (and usual and customary business practices), the BSA compliance program requirement should not impose additional burden. Refer to 71 Fed. Reg. 13936 (March 20, 2006). Refer to expanded overview section, “Foreign Branches and Offices of U.S. Banks,” page 164, for further guidance.

32 Refer to Appendix R (“Enforcement Guidance”), for additional information.


• Designate an individual or individuals responsible for managing BSA compliance (BSA compliance officer).

• Training for appropriate personnel.

In addition, a CIP must be included as part of the BSA/AML compliance program. Refer to the core overview section, “Customer Identification Program,” page 47, for additional guidance.

Internal Controls

The board of directors, acting through senior management, is ultimately responsible for ensuring that the bank maintains an effective BSA/AML internal control structure, including suspicious activity monitoring and reporting. The board of directors and management should create a culture of compliance to ensure staff adherence to the bank’s BSA/AML policies, procedures, and processes. Internal controls are the bank’s policies, procedures, and processes designed to limit and control risks and to achieve compliance with the BSA. The level of sophistication of the internal controls should be commensurate with the size, structure, risks, and complexity of the bank. Large complex banks are more likely to implement departmental internal controls for BSA/AML compliance. Departmental internal controls typically address risks and compliance requirements unique to a particular line of business or department and are part of a comprehensive BSA/AML compliance program.

Internal controls should:

• Identify banking operations (i.e., products, services, customers, entities, and geographic locations) more vulnerable to abuse by money launderers and criminals; provide for periodic updates to the bank’s risk profile; and provide for a BSA/AML compliance program tailored to manage risks.

• Inform the board of directors, or a committee thereof, and senior management, of compliance initiatives, identified compliance deficiencies, and corrective action taken, and notify directors and senior management of SARs filed.

• Identify a person or persons responsible for BSA/AML compliance.

• Provide for program continuity despite changes in management or employee composition or structure.

• Meet all regulatory recordkeeping and reporting requirements, meet recommendations for BSA/AML compliance, and provide for timely updates in response to changes in regulations.33

• Implement risk-based CDD policies, procedures, and processes.

• Identify reportable transactions and accurately file all required reports including SARs, CTRs, and CTR exemptions. (Banks should consider centralizing the review and report-filing functions within the banking organization.)

33 Refer to Appendix P (“BSA Record Retention Requirements”) for guidance.

• Provide for dual controls and the segregation of duties to the extent possible. For example, employees that complete the reporting forms (such as SARs, CTRs, and CTR exemptions) generally should not also be responsible for the decision to file the reports or grant the exemptions.

• Provide sufficient controls and systems for filing CTRs and CTR exemptions.

• Provide sufficient controls and monitoring systems for timely detection and reporting of suspicious activity.

• Provide for adequate supervision of employees that handle currency transactions, complete reports, grant exemptions, monitor for suspicious activity, or engage in any other activity covered by the BSA and its implementing regulations.

• Incorporate BSA compliance into the job descriptions and performance evaluations of bank personnel, as appropriate.

• Train employees to be aware of their responsibilities under the BSA regulations and internal policy guidelines.

The above list is not designed to be all-inclusive and should be tailored to reflect the bank’s BSA/AML risk profile. Additional policy guidance for specific risk areas is provided in the expanded sections of this manual.

Independent Testing

Independent testing (audit) should be conducted by the internal audit department, outside auditors, consultants, or other qualified independent parties. While the frequency of audit is not specifically defined in any statute, a sound practice is for the bank to conduct independent testing generally every 12 to 18 months, commensurate with the BSA/AML risk profile of the bank. Banks that do not employ outside auditors or consultants or have internal audit departments may comply with this requirement by using qualified persons who are not involved in the function being tested. The persons conducting the BSA/AML testing should report directly to the board of directors or to a designated board committee comprised primarily or completely of outside directors. Banks that employ outside auditors or consultants should ensure that qualified persons doing the BSA/AML testing are not involved in other BSA functions such as training or developing policies and procedures that may present a conflict or lack of independence.

Those persons responsible for conducting an objective independent evaluation of the written BSA/AML compliance program should perform testing for specific compliance with the BSA, and evaluate pertinent management information systems (MIS). The audit should be risk based and evaluate the quality of risk management for all banking operations, departments, and subsidiaries. Risk-based audit programs vary depending on the bank’s size, complexity, scope of activities, risk profile, quality of control functions, geographic diversity, and use of technology. An effective risk-based auditing program covers all of the bank’s activities. The frequency and depth of each activity’s audit varies according to the activity’s risk assessment. Risk-based auditing enables the board of directors and auditors to use the bank’s risk assessment to focus the audit scope on the areas of greatest concern. The testing should assist the board of directors and management in identifying areas of weakness or areas where there is a need for enhancements or stronger controls.

Independent testing should, at a minimum, include:

• An evaluation of the overall adequacy and effectiveness of the BSA/AML compliance program, including policies, procedures, and processes. Typically, this evaluation includes an explicit statement about the BSA/AML compliance program’s overall adequacy and effectiveness and compliance with applicable regulatory requirements. At the very least, the audit should contain sufficient information for the reviewer (e.g., an examiner, review auditor, or BSA officer) to reach a conclusion about the overall quality of the BSA/AML compliance program.

• A review of the bank’s risk assessment for reasonableness given the bank’s risk profile (products, services, customers, entities, and geographic locations).

• Appropriate risk-based transaction testing to verify the bank’s adherence to the BSA recordkeeping and reporting requirements (e.g., CIP, SARs, CTRs and CTR exemptions, and information sharing requests).

• An evaluation of management’s efforts to resolve violations and deficiencies noted in previous audits and regulatory examinations, including progress in addressing outstanding supervisory actions, if applicable.

• A review of staff training for adequacy, accuracy, and completeness.

• A review of the effectiveness of the suspicious activity monitoring systems (manual, automated, or a combination) used for BSA/AML compliance. Related reports may include, but are not limited to:

– Suspicious activity monitoring reports.

– Large currency aggregation reports.

– Monetary instrument records.

– Funds transfer records.

– Nonsufficient funds (NSF) reports.

– Large balance fluctuation reports.

– Account relationship reports.

• An assessment of the overall process for identifying and reporting suspicious activity, including a review of filed or prepared SARs to determine their accuracy, timeliness, completeness, and effectiveness of the bank’s policy.

• An assessment of the integrity and accuracy of MIS used in the BSA/AML compliance program. MIS includes reports used to identify large currency transactions, aggregate daily currency transactions, funds transfer transactions, monetary instrument sales transactions, and analytical and trend reports.

Auditors should document the audit scope, procedures performed, transaction testing completed, and findings of the review. All audit documentation and workpapers should be available for examiner review. Any violations, policy or procedures exceptions, or other deficiencies noted during the audit should be included in an audit report and reported to the board of directors or a designated committee in a timely manner. The board or designated committee and the audit staff should track audit deficiencies and document corrective actions.

BSA Compliance Officer

The bank’s board of directors must designate a qualified individual to serve as the BSA compliance officer.34 The BSA compliance officer is responsible for coordinating and monitoring day-to-day BSA/AML compliance. The BSA compliance officer is also charged with managing all aspects of the BSA/AML compliance program and with managing the bank’s adherence to the BSA and its implementing regulations; however, the board of directors is ultimately responsible for the bank’s BSA/AML compliance.

While the title of the individual responsible for overall BSA/AML compliance is not important, his or her level of authority and responsibility within the bank is critical. The BSA compliance officer may delegate BSA/AML duties to other employees, but the officer should be responsible for overall BSA/AML compliance. The board of directors is responsible for ensuring that the BSA compliance officer has sufficient authority and resources (monetary, physical, and personnel) to administer an effective BSA/AML compliance program based on the bank’s risk profile.

The BSA compliance officer should be fully knowledgeable of the BSA and all related regulations. The BSA compliance officer should also understand the bank’s products, services, customers, entities, and geographic locations, and the potential money laundering and terrorist financing risks associated with those activities. The appointment of a BSA compliance officer is not sufficient to meet the regulatory requirement if that person does not have the expertise, authority, or time to satisfactorily complete the job.

The line of communication should allow the BSA compliance officer to regularly apprise the board of directors and senior management of ongoing compliance with the BSA. Pertinent BSA-related information, including the reporting of SARs filed with FinCEN, should be reported to the board of directors or an appropriate board committee so that these individuals can make informed decisions about overall BSA/AML compliance. The BSA compliance officer is responsible for carrying out the direction of the board and ensuring that employees adhere to the bank’s BSA/AML policies, procedures, and processes.

34 The bank must designate one or more persons to coordinate and monitor day-to-day compliance. This requirement is detailed in the federal banking agencies’ BSA compliance program regulations: 12 CFR 208.63, 12 CFR 211.5(m), and 12 CFR 211.24(j) (Federal Reserve); 12 CFR 326.8 (FDIC); 12 CFR 748.2 (NCUA); 12 CFR 21.21 (OCC).

Training

Banks must ensure that appropriate personnel are trained in applicable aspects of the BSA. Training should include regulatory requirements and the bank’s internal BSA/AML policies, procedures, and processes. At a minimum, the bank’s training program must provide training for all personnel whose duties require knowledge of the BSA. The training should be tailored to the person’s specific responsibilities. In addition, an overview of the BSA/AML requirements typically should be given to new staff during employee orientation. Training should encompass information related to applicable business lines, such as trust services, international, and private banking. The BSA compliance officer should receive periodic training that is relevant and appropriate given changes to regulatory requirements as well as the activities and overall BSA/AML risk profile of the bank.

The board of directors and senior management should be informed of changes and new developments in the BSA, its implementing regulations and directives, and the federal banking agencies’ regulations. While the board of directors may not require the same degree of training as banking operations personnel, they need to understand the importance of BSA/AML regulatory requirements, the ramifications of noncompliance, and the risks posed to the bank. Without a general understanding of the BSA, the board of directors cannot adequately provide BSA/AML oversight; approve BSA/AML policies, procedures, and processes; or provide sufficient BSA/AML resources.

Training should be ongoing and incorporate current developments and changes to the BSA and any related regulations. Changes to internal policies, procedures, processes, and monitoring systems should also be covered during training. The training program should reinforce the importance that the board and senior management place on the bank’s compliance with the BSA and ensure that all employees understand their role in maintaining an effective BSA/AML compliance program.

Examples of money laundering activity and suspicious activity monitoring and reporting can and should be tailored to each individual audience. For example, training for tellers should focus on examples involving large currency transactions or other suspicious activities; training for the loan department should provide examples involving money laundering through lending arrangements.

Banks should document their training programs. Training and testing materials, the dates of training sessions, and attendance records should be maintained by the bank and be available for examiner review.
