aml compliance requirements. copyright © 2006 deloitte development llc. all rights reserved. agenda...

AML Compliance Requirements

Copyright © 2006 Deloitte Development LLC. All rights reserved.

Agenda

Overview

Current Environment

Prevalent Practices for an AML Compliance Program

Questions and Answers


Overview


• “In every war we have fought, bankers have been on the front lines. And you are on the front lines today. Make no mistake about that.”

• “It is clear that what was good enough in the past may not be good enough now. The stakes are much, much higher than ever before.”

• “Clearly, the times have changed--for banks and for regulators--and a ‘business-as-usual’ approach is not going to be sufficient to meet the challenges at hand.”

Daniel P. StipanoActing Chief

CounselOffice of the

Comptroller of the Currency


Heightened Regulatory Scrutiny

• New rules for enforcement actions• New interagency Bank Secrecy Act (“BSA”)

examination manual• Newly-articulated supervisory risk focus • New government initiatives underway


Implications

• Enhanced scrutiny of AML compliance by bank regulators and prosecutors– Examinations more intense and detailed

• General, targeted and horizontal exams

– Past exams not indicative of future exam rating• Rating declines from 1 or 2 to 3 or 4

• The trend for FinCEN and bank regulators is monetary penalties as well as informal or formal actions

• Forward Look• Look Back (Transaction Review, i.e., back-filing CTRs and/or SARs)

– If CTR/SAR systems and controls are deemed deficient, a financial institution can be required to go back in time and reconstruct transactions, typically with the “assistance” of a third party, for reporting purposes

– Can be burdensome and expensive– Late-filing is useful in theory, but in reality, late-filing appears punitive


•Well over 100 formal public enforcement and informal actions in the last few years

•Regulatory fines have been assessed, in some public actions, ranging from several million to $50 million

•Pace of recent enforcement actions appears similar to 2004 and 2005

Impact


Reasons for Enforcement Actions

• Recent public/non-public enforcement actions are mainly the result of governance, process and testing failures– Lack of management oversight and accountability– Failure to meet reporting requirements– Failure/Absence of key control activities– Inadequate risk assessment– Inadequate/Ineffective monitoring functions

– Failure to conduct due diligence on clients– Inadequate communication of information

– Failure to respond to previous criticism

– Concealing information from examiners


Potential Consequences– Unsatisfactory management or composite rating jeopardizes

status of parent as a “FHC” and conduct of non-banking businesses

– Unsatisfactory rating/enforcement action derails bank acquisitions• Expansion of current activity/M&A activity is dependent:

– Being well managed (at least a satisfactory rating)– Being well capitalized– Having a satisfactory CRA rating– Must have an effective AML program (Section 327 of USA

PATRIOT Act allows regulators to restrict a BHC/financial institution ability to complete M&A/expand

• If under an AML enforcement action, generally barred from M&A and/or expansion activities until it is lifted

– Coupled with use of bank by money launderers, compliance inadequacies may be basis for criminal charges against bank

– Involvement in money laundering can trigger the forfeiture of bank charter or FDIC insurance


Additional Thoughts

Do Not Rest on Your Laurels– A past history of satisfactory BSA exams does not mean

your program will be satisfactory today or going forward.– Examinations are more rigorous, every program element

is subject to heightened scrutiny. Consequently, weaknesses that may not have been identified in earlier exams may surface.

– Even if your institution is not subject to regular BSA exams, the expectation of prosecutors must also be taken into account.• If transactions involving money laundering occur through

your institution, prosecutors will take into account whether you have a robust AML/BSA program.

• Where are you in your peer group? Many institutions not yet subject to formal requirements, e.g., SAR filings, have implemented these program elements as a “best practice”.


Current Environment


Current Environment - Overall

RegulatoryRequirement

Bank Broker-Dealer Insurance Company

Investment Company

Investment Advisor

OFAC Applicable Applicable Applicable Applicable Applicable

Cash Activity Applicable (CTRs)

Applicable(CTRs)

Applicable(Form 8300)



AML Program (Section 352)

Applicable Applicable Applicable (effective May 2, 2006)

Applicable – Mutual Funds; Proposed – Unreg funds

Proposed

SARs Applicable Applicable Applicable (effective May 2, 2006)

Proposed for Mutual Funds;TBD for Unreg funds

TBD


Current Environment - Overall


Bank Broker-Dealer

Insurance Company

Investment Company

Investment Advisor

CIP (Section 326) Applicable Applicable TBD Applicable – Mutual Funds; TBD - Unreg Funds

TBD

Information sharing (Section 314(a))

Applicable Applicable TBD Applicable – Mutual Funds**; Proposed – Unreg Funds

TBD

Information sharing (Section 314(b))

Applicable Applicable Applicable (effective May 2, 2006)

Applicable – Mutual Funds; Proposed – Unreg Funds

TBD


Current Environment - OverallRegulatoryRequirement

Bank Broker-Dealer Insurance Company

Investment Company

Investment Advisor

Special Measures (Section 311)

Applicable Applicable TBD TBD TBD

EDD for Correspondent/ PB Accounts (Section 312)

ApplicableProspectively for New Accounts – Applicable 4/4/06;Retrospectively for Accts Established Prior to 4/4/06 – 10/2/06

Applicable Prospectively for New Accounts – Applicable 4/4/06;Retrospectively for Accts Established Prior to 4/4/06 – 10/2/06


Applicable -Mutual Funds Prospectively for New Accounts – Applicable 4/4/06;Retrospectively for Accts Established Prior to 4/4/06 – 10/2/06;Not Currently Applicable - Unreg Funds

Not Currently Applicable

Shell Banks (Section 313/319)

Applicable Applicable Currently Not Applicable

Currently Not Applicable


AML Record (Section 327)

Applicable Currently Not Applicable





Current Environment – Trust Companies


Trust Companies that are Federally

Functionally Regulated

Trust Companies that are Not Federally Functionally

Regulated

OFAC Applicable Applicable

Cash Activity Applicable (CTRs)

Applicable(CTRs)

AML Program (Section 352) Applicable Not Currently Applicable

SARs Applicable Not Currently Applicable




Trust Companies that are Federally Functionally

Regulated

Trust Companies that are Not Federally Functionally

Regulated

CIP (Section 326) Applicable Applicable

Information sharing (Section 314(a))

Applicable Not Currently Applicable

Information sharing (Section 314(b))

Applicable Not Currently Applicable




Trust Companies that are Federally


Trust Companies that are Not Federally


Special Measures (Section 311) Applicable Not Currently Applicable

EDD for Correspondent/ PB Accounts (Section 312)


Not Currently Applicable

Shell Banks (Section 313/319) Applicable Applicable

AML Record (Section 327) Applicable Not Currently Applicable


Current Environment (cont’d)

• Changing Regulatory Approach – AML risk management plays key role in

corporate governance and independent monitoring functions • Continued shift by regulators to risk based

supervisory approach • More reliance on bank’s own monitoring and

senior management assertions• “Top down” approach to assess compliance

and compliance testing


Current AML Environment (cont’d)

• Regulatory scrutiny has led to:– Defensive filing of Suspicious Activity Reports

(“SARs”)– Need to enhance AML programs– Increased costs of compliance, including

responding to regulatory actions– Departures from the market– Difficulties in managing global clients


Risk-Based Expectations for AML

•Industry should adopt sound risk management to:– Better identify risk– Better direct resources– Better safeguard the organization

•Examiners will tailor examination scope to the risk profile of bank


PLAN• Risk Strategy• Strategic

Planning• Resource

Planning• New Product

Approvals

PLAN• Risk Strategy• Strategic

Planning• Resource

Planning• New Product

Approvals

EVALUATE• Monitor Risk• Management

Reporting to Board

• Annual Board Assessment

EVALUATE• Monitor Risk• Management

Reporting to Board

• Annual Board Assessment

Aggregation& Performance

Objectives

Compliance Function• Corporate Compliance• Regional Compliance• Business Unit Compliance

• Relationship with Internal Audit

Compliance Function• Corporate Compliance• Regional Compliance• Business Unit Compliance

• Relationship with Internal Audit

Compliance Elements• Roles and Responsibilities• Organizational Structure• Policies and Procedures• Training• Testing• Management Reporting

Compliance Elements• Roles and Responsibilities• Organizational Structure• Policies and Procedures• Training• Testing• Management Reporting

External Factors• Banking Laws and Regs• Examination Handbooks• Regulatory Bulletins• Enforcement Actions• Industry Practices

External Factors• Banking Laws and Regs• Examination Handbooks• Regulatory Bulletins• Enforcement Actions• Industry Practices

POLICY

Risk DefinitionRisk PrinciplesRisk Appetite

Risk Governance ModelAuthorities

POLICY

Risk DefinitionRisk PrinciplesRisk Appetite

Risk Governance ModelAuthorities

Information forDecision Making

Enterprise Risk Management

Process

RelevantReporting Entities:RelevantReporting Entities:

FHCFHC

Bank:Bank:

- Retail- Retail

- Wholesale- Wholesale

Nonbank Subs.Nonbank Subs.

Credi

t

Credi

t

Inte

rest

Rat

e

Inte

rest

Rat

e

Marke

t

Marke

t

Liquid

ity

Liquid

ity

Operat

ional

Operat

ional

Complia

nce

Complia

nceLe

galLe

gal

Strate

gic

Strate

gic

Reputa

tion

Reputa

tion

MitigateMitigateMeasure& ReportMeasure& ReportAssessAssessIdentifyIdentify

Relevant Risk Categories:Relevant Risk Categories:

Compliance Risk Management


Prevalent Practices for

an AML Compliance Program


Overview

Reputation

Reporting- CTRs- SARs

- 314(a)- Board/Sr Mgt

Training CIP/ CDD / EDD and

RiskAssessment

OFAC USA PATRIOT Act

Requirements

BSA Requirements

Spirit of the Law

Foundation of the Organization

Formal Policy Statements:Mission, Vision, Values

Governance/Culture of Compliance

OrganizationalStructure

Independent Testing

Reputation: The Most ValuableIntangible Asset

Compliance:Acting Accordingto Regulatory Requirements and Expectations

Processes andProcedures


Eight Key AML Requirements

1. Governance– Board and senior management are responsible

for ensuring effectiveness of the compliance program (“Culture of Compliance”)• Need to be actively involved; set “tone at the top”• Participate in setting AML risk tolerances • Approve policy and assist in establishing appropriate

controls• Receive AML awareness training/education • Receive and review reports (e.g., AML risk trends and

how risk is managed) to increase transparency• Establish AML Committee to provide guidance and

leadership on significant AML compliance issues • Increasingly held to a higher standard


“A culture of compliance should establish – from the top of the organization – the proper ethical tone that will govern the conduct of business. In many instances, senior management must move from thinking about compliance as a cost center to considering the benefits of compliance in protecting against legal and reputational risks that can have an impact on the bottom line.”

Governor Susan Schmidt BiesBoard of Governors of the Federal Reserve System


Mary Ann GadzialaAssociate Director, OCIE

•“Examiners expect to find certain core principles of risk management including, top level involvement, clear responsibilities at each level of management, independence of risk controls, strong well-developed systems and effective monitoring and reporting.”


2. Risk Assessment– Risk identification, measurement and monitoring– Assess at a business and customer level the

degree of money laundering and/or terrorist financing risk.

– Stratify the customer base in an effort to identify monitor those customers that pose a heightened money laundering risk.



3. Comprehensive Program– Policies, procedures and internal controls

• Clearly delineate AML roles and responsibilities of management, staff as well as functions (e.g., internal audit, compliance, etc.)

• Define regulatory requirements (inventory of applicable laws/regulations

• Communication/Roll-out/Employee sign-off• Annual review and update

– Organizational Structure and Staffing• Designation of an AML officer; senior person with requisite

skills and direct access to Board of Directors• Independent Structure/Reporting lines• Designate an adequate staff• Focus on business accountability



4. Comprehensive Program– Training

• Establish general/customized (specialized) AML training• Identify affected employees and establish mechanism to

track participation• Train all “affected employees” at a minimum• “Train the Trainers”

– Testing• Regulators looking for three-pronged approach:

1) Business unit self-assessment 2) Compliance testing3) Internal audit

• Risk based monitoring, surveillance and testing• Testing of automated systems• Reporting and tracking of deficiencies



5. Know Your Customer (KYC)– KYC

• Determine the nature and level of expected transaction activity, source of funds, purpose of account, etc.

• Understand customer and expected activity in order to identify and monitor for unusual activity

• Establish electronic KYC databases for business and personal customers and automate “call reports”

– Customer Identification Program (CIP)• Develop and maintain for each business unit written

procedures tailored to the AML risks presented by the products, services, customers, delivery channels, etc.

– Enhanced Due Diligence (EDD)• Identify circumstances when it becomes necessary to

perform EDD as well as the level of review to be undertaken by customer category and/or risk level



6. Reporting– CTR

• Ability to identify, aggregate and report in a timely fashion cash activity on bank-wide basis

– SAR• Ability to detect, escalate, monitor, report (as necessary) and

document ultimate resolution of unusual activity• Assess cash, wires, monetary instruments, at a minimum

– OFAC• Adopt an internal “watch list”• Screen customers, wires, charitable contributions, vendors and

employees against SDN List at initiation/when list is updated– Section 314(a) Requests– General

• Periodic reporting to the Board• Well defined escalation process• Corrective action tracking



7. Human Resources– Incorporate AML Compliance into

Employee Performance Measurement– Consider establishing a “Whistleblower”

process– Require Employees to sign-off that they

have read, understood and will comply with the AML Policy

“We must all hang together, or assuredly we shall all hang separately.”

— Benjamin Franklin



8. Continuous Maintenance, Assessment and Refinement



“An enterprise-wide compliance-risk management program should be dynamic and proactive, meaning it constantly assesses evolving risks when new business lines or activities are added or when existing activities are altered. To avoid having a program that operates on “autopilot,” an organization must continuously reassess its risks and controls and communicate with its business lines. An integrated approach to compliance-risk management can be particularly effective for Bank Secrecy Act and anti-money-laundering (BSA/AML) compliance. … Controlling BSA/AML risk continues to be a primary concern for banking organizations.”

Governor Susan Schmidt BiesBoard of Governors of the Federal Reserve System


Contact Information

Peter FitzgeraldPrincipalDeloitte & Touche [email protected]

www.deloitte.com/aml


About Deloitte

Deloitte refers to one or more of Deloitte Touche Tohmatsu, a Swiss Verein, its member firms and their respective subsidiaries and affiliates. Deloitte Touche Tohmatsu is an organization of member firms around the world devoted to excellence in providing professional services and advice, focused on client service through a global strategy executed locally in nearly 150 countries. With access to the deep intellectual capital of 120,000 people worldwide, Deloitte delivers services in four professional areas, audit, tax, consulting and financial advisory services, and serves more than one-half of the world’s largest companies, as well as large national enterprises, public institutions, locally important clients, and successful, fast-growing global growth companies. Services are not provided by the Deloitte Touche Tohmatsu Verein and, for regulatory and other reasons, certain member firms do not provide services in all four professional areas.

As a Swiss Verein (association), neither Deloitte Touche Tohmatsu nor any of its member firms has any liability for each other’s acts or omissions. Each of the member firms is a separate and independent legal entity operating under the names “Deloitte”, “Deloitte & Touche”, “Deloitte Touche Tohmatsu” or other related names.

In the US, Deloitte & Touche USA LLP is the US member firm of Deloitte Touche Tohmatsu and services are provided by the subsidiaries of Deloitte & Touche USA LLP (Deloitte & Touche LLP, Deloitte Consulting LLP, Deloitte Financial Advisory Services LLP, Deloitte Tax LLP and their subsidiaries), and not by Deloitte & Touche USA LLP. The subsidiaries of the US member firm are among the nation's leading professional services firms, providing audit, tax, consulting and financial advisory services through nearly 30,000 people in more than 80 cities. Known as employers of choice for innovative human resources programs, they are dedicated to helping their clients and their people excel. For more information, please visit the US member firm’s web site at www.deloitte.com/us.

© 2006 Deloitte Development LLC. All rights reserved.

This presentation and related discussion hereon are intended to provide general information on the particular subject and is not an exhaustive treatment of the subject. Accordingly, the information in this document is not intended to constitute professional advice or services. Before making any decision or taking any action that might affect your personal or professional interests, you should consult a qualified professional advisor.

aml compliance requirements. copyright © 2006 deloitte development llc. all rights reserved. agenda...

Documents