
FinCEN’s CDD Rules & BSA Compliance:

Why Preparing Now for the Fifth Pillar is Critical

SUPPLEMENT TOOLKIT

February 2017

Presented by: Susan Costonis, C.R.C.M. Training & Consulting for Financial Institutions [email protected]


NEW CDD RULES BENEFICIAL OWNERSHIP 2

TABLE OF CONTENTS

CHECKLIST FOR IDENTIFYING LEGAL ENTITIES AND DUE DILIGENCE
PROCEDURES TEMPLATE
FINDING THE NEW LAW
SECTION 1010.220 CUSTOMER IDENTIFICATION PROGRAM
SECTION 1010.230 BENEFICIAL OWNERSHIP FOR LEGAL ENTITY CUSTOMERS
TEMPLATE TO DEVELOP A RISK PROFILE
BSA RESOURCES
NCUA BSA RESOURCES
FINCEN’S FAQS FOR CUSTOMER DUE DILIGENCE JULY 2016
2015 NATIONAL MONEY LAUNDERING RISK ASSESSMENT
COMPONENTS OF DUE DILIGENCE PROGRAM
SUSPICIOUS ACTIVITY REPORTING BASICS
MONITORING AND DUE DILIGENCE RED FLAGS FOR SUSPICIOUS ACTIVITY
WHAT IS THE RISK ASSESSMENT LINK TO BSA/AML PROGRAMS?
INTERVIEW QUESTIONS FOR ACCOUNT OPENING
UPDATES TO BSA/AML POLICY
SAMPLE NEW CDD POLICY #1
SAMPLE NEW CDD POLICY #2


CHECKLIST FOR IDENTIFYING LEGAL ENTITIES AND DUE DILIGENCE

TASK DESCRIPTION OF STEPS

1. The person opening an account (including a loan) for a legal entity customer claims that the entity is excluded from the legal requirement to name its beneficial owners and provide the identifying information.

2. If the legal entity is a:

• State or federally supervised financial institution or

• A government entity or

• A publicly traded company listed on a major stock exchange or

• A subsidiary of a publicly traded company listed on a major stock exchange or

• A state regulated insurance company

The lender, loan assistant, or new account representative will DOCUMENT this statement with evidence provided by the person opening the loan or deposit account. This may require independent research. If reasonable documentation is provided, go to Task 5. If this is not satisfied, go to Task 4.

3. If the person opening the account for a legal entity claims to be eligible for a specific exclusion other than those listed in Task 2, the person must provide adequate documentation to support the exemption. BEST practice is that the attestation be reviewed by the BSA Officer or staff for approval. If it is approved, go to Task 5. If not, go to Task 4.

4. The financial institution requires the completion of Appendix A or an equivalent customized document prior to opening the loan or deposit account.

5. The loan assistant, lender, or deposit account representative will make notation of the legal entity customer exclusion in the CUSTOMER INFORMATION FILE or appropriate documentation system that is outlined in the CIP/CDD procedures and DESCRIBE the supporting documentation that was obtained.

6. A similar table must be developed for the entities that are only subject to the control prong in Appendix A.


PROCEDURES TEMPLATE

Each financial institution will develop unique policies and procedures for the new CDD and Beneficial Ownership Rules. These are some potential steps to develop procedures for IDENTIFYING and VERIFYING BENEFICIAL OWNERS:

Category | Task | Due Date | Resp. Party | Completion Date

Getting Ready

1. Tell management about the changes with a handout and document in Board minutes

2. Set a target date prior to May 11, 2018, to have a program in place; involve ALL relevant areas and staff

3. Sample the legal entity customers; see how much you really know about them and their operations. Business entities are customers “subject to expanded examination overview” in the Manual (2014) – you should be able to produce a list on demand

4. How many legal entity customers are classified as high risk?

5. Go to your state’s Secretary of State’s (or the equivalent office) website and develop a list of the legal entities that are required to register there, e.g., corporations, LLCs, etc.

6. General partnerships are a legal entity, but are usually not required to register. Per the definition of a “legal entity customer,” add them to your list anyway

7. Understand definitions. A sole proprietorship is not a legal entity; it’s just an individual, maybe one with a nickname (DBA name). A sole proprietorship does not provide a cloaking device for the owner; the owner is the “customer” for CIP purposes

Policies

1. BSA Policy

2. OFAC Policy

3. CIP/New Account Opening and New CDD Policies

4. Review your existing CIP as it applies to legal entities; e.g., do you identify signatories?

5. How well do you document existence of beneficial owners? Note: there are no states that require all legal entities to disclose ownership information at the time of formation or in later reports. Verification would be impossible.

6. Keep the terms of your CIP in mind when you are working on your CDD policy

7. OPTIONS – Develop a program that complies with the “letter of the law” or an advanced version to improve reliability of information.

8. Other

Procedures

1. New Account Procedures

2. New Loan Procedures

3. Update Suspicious activity monitoring procedures

4. Other

Forms

1. Signature Card

2. Loan application addendum

3. New Account Worksheets

4. New Loan Worksheets

5. Other

Processing

1. What will you collect? Frontline personnel will need to be able to identify legal entity customers at account inception. You will give them the list you made or incorporate it in your software

2. Will you need lists of what legal entities can be organized in other states? In foreign countries?

3. Some excluded entities are Phase I exempt persons under the CTR exemption process and can be easily verified. Who will review this? REMINDER: FinCEN does not expect front-line employees of covered financial institutions to engage in any type of legal analysis to determine the applicability of this exclusion. Rather, FinCEN expects covered financial institutions to rely upon the representations of such customers, absent knowledge to the contrary.

4. What will be entered at account opening or booking the loan?

5. What will be scanned?

6. Can systems accommodate notation of the beneficial ownership information?

7. How will triggering events be monitored when changes in beneficial ownership are found for existing deposit and loan customers?

8. Other

System Changes

1. Beneficial ownership information and CIP

2. Relationship codes

3. Sending data to AML system and platforms for deposit and loans

4. Collection of additional CDD information

5. Ability to document expected activity

6. Reports that detect unusual activity

7. TEST CHANGES

Training

1. Train Branch staff

2. Train lenders and loan operations staff

3. Train BSA staff

4. Board training

5. Other

Additional Regulatory Guidance

1. Monitor FinCEN FAQs

2. Monitor for new exam procedures

3. Monitor information from YOUR primary regulator


FINDING THE NEW LAW

This is a link to the FinCEN announcement of the new rule; look at the Customer Due Diligence Requirements for Financial Institutions (05/12/2016):

https://www.treasury.gov/press-center/press-releases/Pages/jl0451.aspx

The PDF from the Federal Register is 62 pages. WARNING – it is in a small font and each page has three columns.

This link has the entire rule from the Federal Register:

https://federalregister.gov/a/2016-10567


SECTION 1010.220 CUSTOMER IDENTIFICATION PROGRAM

§ 1020.220 Customer identification programs for financial institutions, savings associations, financial institutions, and certain non-Federally regulated financial institutions.

(a) Customer Identification Program: minimum requirements -

(1) In general. A financial institution must implement a written Customer Identification Program (CIP) appropriate for its size and type of business that, at a minimum, includes each of the requirements of paragraphs (a)(1) through (5) of this section. If a financial institution is required to have an anti-money laundering compliance program under the regulations implementing 31 U.S.C. 5318(h), 12 U.S.C. 1818(s), or 12 U.S.C. 1786(q)(1), then the CIP must be a part of the anti-money laundering compliance program. Until such time as financial institutions, private financial institutions, and trust companies without a Federal functional regulator are subject to such a program, their CIPs must be approved by their boards of directors.

(2) Identity verification procedures. The CIP must include risk-based procedures for verifying the identity of each customer to the extent reasonable and practicable. The procedures must enable the financial institution to form a reasonable belief that it knows the true identity of each customer. These procedures must be based on the financial institution's assessment of the relevant risks, including those presented by the various types of accounts maintained by the financial institution, the various methods of opening accounts provided by the financial institution, the various types of identifying information available, and the financial institution's size, location, and customer base. At a minimum, these procedures must contain the elements described in this paragraph (a)(2).

(i) Customer information required -

(A) In general. The CIP must contain procedures for opening an account that specify the identifying information that will be obtained from each customer. Except as permitted by paragraphs (a)(2)(i)(B) and (C) of this section, the financial institution must obtain, at a minimum, the following information from the customer prior to opening an account:

(1) Name;

(2) Date of birth, for an individual;

(3) Address, which shall be:

(i) For an individual, a residential or business street address;

(ii) For an individual who does not have a residential or business street address, an Army Post Office (APO) or Fleet Post Office (FPO) box number, or the residential or business street address of next of kin or of another contact individual; or

(iii) For a person other than an individual (such as a corporation, partnership, or trust), a principal place of business, local office, or other physical location; and

(4) Identification number, which shall be:


(i) For a U.S. person, a taxpayer identification number; or

(ii) For a non-U.S. person, one or more of the following: A taxpayer identification number; passport number and country of issuance; alien identification card number; or number and country of issuance of any other government-issued document evidencing nationality or residence and bearing a photograph or similar safeguard.

Note to paragraph (a)(2)(i)(A)(4)(ii):

When opening an account for a foreign business or enterprise that does not have an identification number, the financial institution must request alternative government-issued documentation certifying the existence of the business or enterprise.

(B) Exception for persons applying for a taxpayer identification number. Instead of obtaining a taxpayer identification number from a customer prior to opening the account, the CIP may include procedures for opening an account for a customer that has applied for, but has not received, a taxpayer identification number. In this case, the CIP must include procedures to confirm that the application was filed before the customer opens the account and to obtain the taxpayer identification number within a reasonable period of time after the account is opened.

(C) Credit card accounts. In connection with a customer who opens a credit card account, a financial institution may obtain the identifying information about a customer required under paragraph (a)(2)(i)(A) by acquiring it from a third-party source prior to extending credit to the customer.

(ii) Customer verification. The CIP must contain procedures for verifying the identity of the customer, using information obtained in accordance with paragraph (a)(2)(i) of this section, within a reasonable time after the account is opened. The procedures must describe when the financial institution will use documents, non-documentary methods, or a combination of both methods as described in this paragraph (a)(2)(ii).

(A) Verification through documents. For a financial institution relying on documents, the CIP must contain procedures that set forth the documents that the financial institution will use. These documents may include:

(1) For an individual, unexpired government-issued identification evidencing nationality or residence and bearing a photograph or similar safeguard, such as a driver's license or passport; and

(2) For a person other than an individual (such as a corporation, partnership, or trust), documents showing the existence of the entity, such as certified articles of incorporation, a government-issued business license, a partnership agreement, or trust instrument.

(B) Verification through non-documentary methods. For a financial institution relying on non-documentary methods, the CIP must contain procedures that describe the non-documentary methods the financial institution will use.

(1) These methods may include contacting a customer; independently verifying the customer's identity through the comparison of information provided by the customer with information obtained from a consumer reporting agency, public database, or other source; checking references with other financial institutions; and obtaining a financial statement.

(2) The financial institution's non-documentary procedures must address situations where an individual is unable to present an unexpired government-issued identification document that bears a photograph or similar safeguard; the financial institution is not familiar with the documents presented; the account is opened without obtaining documents; the customer opens the account without appearing in person at the financial institution; and where the financial institution is otherwise presented with circumstances that increase the risk that the financial institution will be unable to verify the true identity of a customer through documents.

(C) Additional verification for certain customers. The CIP must address situations where, based on the financial institution's risk assessment of a new account opened by a customer that is not an individual, the financial institution will obtain information about individuals with authority or control over such account, including signatories, in order to verify the customer's identity. This verification method applies only when the financial institution cannot verify the customer's true identity using the verification methods described in paragraphs (a)(2)(ii)(A) and (B) of this section.

(iii) Lack of verification. The CIP must include procedures for responding to circumstances in which the financial institution cannot form a reasonable belief that it knows the true identity of a customer. These procedures should describe:

(A) When the financial institution should not open an account;

(B) The terms under which a customer may use an account while the financial institution attempts to verify the customer's identity;

(C) When the financial institution should close an account, after attempts to verify a customer's identity have failed; and

(D) When the financial institution should file a Suspicious Activity Report in accordance with applicable law and regulation.

(3) Recordkeeping. The CIP must include procedures for making and maintaining a record of all information obtained under the procedures implementing paragraph (a) of this section.

(i) Required records. At a minimum, the record must include:

(A) All identifying information about a customer obtained under paragraph (a)(2)(i) of this section;

(B) A description of any document that was relied on under paragraph (a)(2)(ii)(A) of this section noting the type of document, any identification number contained in the document, the place of issuance and, if any, the date of issuance and expiration date;

(C) A description of the methods and the results of any measures undertaken to verify the identity of the customer under paragraph (a)(2)(ii)(B) or (C) of this section; and

(D) A description of the resolution of any substantive discrepancy discovered when verifying the identifying information obtained.


(ii) Retention of records. The financial institution must retain the information in paragraph (a)(3)(i)(A) of this section for five years after the date the account is closed or, in the case of credit card accounts, five years after the account is closed or becomes dormant. The financial institution must retain the information in paragraphs (a)(3)(i)(B), (C), and (D) of this section for five years after the record is made.

(4) Comparison with government lists. The CIP must include procedures for determining whether the customer appears on any list of known or suspected terrorists or terrorist organizations issued by any Federal government agency and designated as such by Treasury in consultation with the Federal functional regulators. The procedures must require the financial institution to make such a determination within a reasonable period of time after the account is opened, or earlier, if required by another Federal law or regulation or Federal directive issued in connection with the applicable list. The procedures must also require the financial institution to follow all Federal directives issued in connection with such lists.

(5)(i) Customer notice. The CIP must include procedures for providing financial institution customers with adequate notice that the financial institution is requesting information to verify their identities.

(ii) Adequate notice. Notice is adequate if the financial institution generally describes the identification requirements of this section and provides the notice in a manner reasonably designed to ensure that a customer is able to view the notice, or is otherwise given notice, before opening an account. For example, depending upon the manner in which the account is opened, a financial institution may post a notice in the lobby or on its Web site, include the notice on its account applications, or use any other form of written or oral notice.

(iii) Sample notice. If appropriate, a financial institution may use the following sample language to provide notice to its customers:

Important Information About Procedures for Opening a New Account

To help the government fight the funding of terrorism and money laundering activities, Federal law requires all financial institutions to obtain, verify, and record information that identifies each person who opens an account.

What this means for you: When you open an account, we will ask for your name, address, date of birth, and other information that will allow us to identify you. We may also ask to see your driver's license or other identifying documents.

(6) Reliance on another financial institution. The CIP may include procedures specifying when a financial institution will rely on the performance by another financial institution (including an affiliate) of any procedures of the financial institution's CIP, with respect to any customer of the financial institution that is opening, or has opened, an account or has established a similar formal banking or business relationship with the other financial institution to provide or engage in services, dealings, or other financial transactions, provided that:

(i) Such reliance is reasonable under the circumstances;


(ii) The other financial institution is subject to a rule implementing 31 U.S.C. 5318(h) and is regulated by a Federal functional regulator; and

(iii) The other financial institution enters into a contract requiring it to certify annually to the financial institution that it has implemented its anti-money laundering program, and that it will perform (or its agent will perform) the specified requirements of the financial institution's CIP.

(b) Exemptions. The appropriate Federal functional regulator, with the concurrence of the Secretary, may, by order or regulation, exempt any financial institution or type of account from the requirements of this section. The Federal functional regulator and the Secretary shall consider whether the exemption is consistent with the purposes of the Bank Secrecy Act and with safe and sound banking, and may consider other appropriate factors. The Secretary will make these determinations for any financial institution or type of account that is not subject to the authority of a Federal functional regulator.

(c) Other requirements unaffected. Nothing in this section relieves a financial institution of its obligation to comply with any other provision in this chapter, including provisions concerning information that must be obtained, verified, or maintained in connection with any account or transaction.


SECTION 1010.230 BENEFICIAL OWNERSHIP FOR LEGAL ENTITY CUSTOMERS

This section added effective July 11, 2016. Covered financial institutions must comply by Friday, May 11, 2018.

(a) In general, covered financial institutions are required to establish and maintain written procedures that are reasonably designed to identify and verify beneficial owners of legal entity customers and to include such procedures in their anti-money laundering compliance program required under 31 U.S.C. 5318(h) and its implementing regulations.

(b) Identification and verification. With respect to legal entity customers, the covered financial institution’s customer due diligence procedures shall enable the institution to:

(1) Identify the beneficial owner(s) of each legal entity customer at the time a new account is opened, unless the customer is otherwise excluded pursuant to paragraph (e) of this section or the account is exempted pursuant to paragraph (h) of this section. A covered financial institution may accomplish this either by obtaining a certification in the form of appendix A of this section from the individual opening the account on behalf of the legal entity customer, or by obtaining from the individual the information required by the form by another means, provided the individual certifies, to the best of the individual’s knowledge, the accuracy of the information; and

(2) Verify the identity of each beneficial owner identified to the covered financial institution, according to risk-based procedures to the extent reasonable and practicable. At a minimum, these procedures must contain the elements required for verifying the identity of customers that are individuals under §1020.220(a)(2) of this chapter (for financial institutions); §1023.220(a)(2) of this chapter (for brokers or dealers in securities); §1024.220(a)(2) of this chapter (for mutual funds); or §1026.220(a)(2) of this chapter (for futures commission merchants or introducing brokers in commodities); provided, that in the case of documentary verification, the financial institution may use photocopies or other reproductions of the documents listed in paragraph (a)(2)(ii)(A)(1) of §1020.220 of this chapter (for financial institutions); §1023.220 of this chapter (for brokers or dealers in securities); §1024.220 of this chapter (for mutual funds); or §1026.220 of this chapter (for futures commission merchants or introducing brokers in commodities). A covered financial institution may rely on the information supplied by the legal entity customer regarding the identity of its beneficial owner or owners, provided that it has no knowledge of facts that would reasonably call into question the reliability of such information.

(c) Account. For purposes of this section, account has the meaning set forth in §1020.100(a) of this chapter (for financial institutions); §1023.100(a) of this chapter (for brokers or dealers in securities); §1024.100(a) of this chapter (for mutual funds); and §1026.100(a) of this chapter (for futures commission merchants or introducing brokers in commodities).

(d) Beneficial owner. For purposes of this section, beneficial owner means each of the following:

(1) Each individual, if any, who, directly or indirectly, through any contract, arrangement, understanding, relationship or otherwise, owns 25 percent or more of the equity interests of a legal entity customer; and

(2) A single individual with significant responsibility to control, manage, or direct a legal entity customer, including:

(i) An executive officer or senior manager (e.g., a Chief Executive Officer, Chief Financial Officer, Chief Operating Officer, Managing Member, General Partner, President, Vice President, or Treasurer); or

(ii) Any other individual who regularly performs similar functions.

(3) If a trust owns directly or indirectly, through any contract, arrangement, understanding, relationship or otherwise, 25 percent or more of the equity interests of a legal entity customer, the beneficial owner for purposes of paragraph (d)(1) of this section shall mean the trustee. If an entity listed in paragraph (e)(2) of this section owns directly or indirectly, through any contract, arrangement, understanding, relationship or otherwise, 25 percent or more of the equity interests of a legal entity customer, no individual need be identified for purposes of paragraph (d)(1) of this section with respect to that entity’s interests.

Note to paragraph (d). The number of individuals that satisfy the definition of “beneficial owner,” and therefore must be identified and verified pursuant to this section, may vary. Under paragraph (d)(1) of this section, depending on the factual circumstances, up to four individuals may need to be identified. Under paragraph (d)(2) of this section, only one individual must be identified. It is possible that in some circumstances the same person or persons might be identified pursuant to paragraphs (d)(1) and (2) of this section. A covered financial institution may also identify additional individuals as part of its customer due diligence if it deems appropriate on the basis of risk.

(e) Legal entity customer. For the purposes of this section:

(1) Legal entity customer means a corporation, limited liability company, or other entity that is created by the filing of a public document with a Secretary of State or similar office, a general partnership, and any similar entity formed under the laws of a foreign jurisdiction that opens an account.

(2) Legal entity customer does not include:

(i) A financial institution regulated by a Federal functional regulator or a financial institution regulated by a State financial institution regulator;

(ii) A person described in § 1020.315(b)(2) through (5) of this chapter;

(iii) An issuer of a class of securities registered under section 12 of the Securities Exchange Act of 1934 or that is required to file reports under section 15(d) of that Act;

(iv) An investment company, as defined in section 3 of the Investment Company Act of 1940, that is registered with the Securities and Exchange Commission under that Act;

(v) An investment adviser, as defined in section 202(a)(11) of the Investment Advisers Act of 1940, that is registered with the Securities and Exchange Commission under that Act;

(vi) An exchange or clearing agency, as defined in section 3 of the Securities Exchange Act of 1934, that is registered under section 6 or 17A of that Act;

(vii) Any other entity registered with the Securities and Exchange Commission under the Securities Exchange Act of 1934;

(viii) A registered entity, commodity pool operator, commodity trading advisor, retail foreign exchange dealer, swap dealer, or major swap participant, each as defined in section 1a of the Commodity Exchange Act, that is registered with the Commodity Futures Trading Commission;
(ix) A public accounting firm registered under section 102 of the Sarbanes–Oxley Act;
(x) A financial institution holding company, as defined in section 2 of the Financial institution Holding Company Act of 1956 (12 U.S.C. 1841) or savings and loan holding company, as defined in section 10(n) of the Home Owners’ Loan Act (12 U.S.C. 1467a(n));
(xi) A pooled investment vehicle that is operated or advised by a financial institution excluded under paragraph (e)(2) of this section;
(xii) An insurance company that is regulated by a State;
(xiii) A financial market utility designated by the Financial Stability Oversight Council under Title VIII of the Dodd-Frank Wall Street Reform and Consumer Protection Act of 2010;
(xiv) A foreign financial institution established in a jurisdiction where the regulator of such institution maintains beneficial ownership information regarding such institution;
(xv) A non-U.S. governmental department, agency or political subdivision that engages only in governmental rather than commercial activities; and
(xvi) Any legal entity only to the extent that it opens a private banking account subject to § 1010.620 of this chapter.
(3) The following legal entity customers are subject only to the control prong of the beneficial ownership requirement:
(i) A pooled investment vehicle that is operated or advised by a financial institution not excluded under paragraph (e)(2) of this section; and
(ii) Any legal entity that is established as a nonprofit corporation or similar entity and has filed its organizational documents with the appropriate State authority as necessary.

(f) Covered financial institution. For the purposes of this section, covered financial institution has the meaning set forth in § 1010.605(e)(1) of this chapter.

(g) New account. For the purposes of this section, new account means each account opened at a covered financial institution by a legal entity customer on or after the applicability date.

(h) Exemptions.
(1) Covered financial institutions are exempt from the requirements to identify and verify the identity of the beneficial owner(s) set forth in paragraphs (a) and (b)(1) and (2) of this section only to the extent the financial institution opens an account for a legal entity customer that is:
(i) At the point-of-sale to provide credit products, including commercial private label credit cards, solely for the purchase of retail goods and/or services at these retailers, up to a limit of $50,000;
(ii) To finance the purchase of postage and for which payments are remitted directly by the financial institution to the provider of the postage products;
(iii) To finance insurance premiums and for which payments are remitted directly by the financial institution to the insurance provider or broker;

(iv) To finance the purchase or leasing of equipment and for which payments are remitted directly by the financial institution to the vendor or lessor of this equipment.
(2) Limitations on Exemptions.
(i) The exemptions identified in paragraphs (h)(1)(ii) through (iv) of this section do not apply to transaction accounts through which a legal entity customer can make payments to, or receive payments from, third parties.
(ii) If there is the possibility of a cash refund on the account activity identified in paragraphs (h)(1)(ii) through (iv) of this section, then beneficial ownership of the legal entity customer must be identified and verified by the financial institution as required by this section, either at the time of initial remittance, or at the time such refund occurs.

(i) Recordkeeping. A covered financial institution must establish procedures for making and maintaining a record of all information obtained under the procedures implementing paragraph (b) of this section.
(1) Required records. At a minimum the record must include:
(i) For identification, any identifying information obtained by the covered financial institution pursuant to paragraph (b) of this section, including without limitation the certification (if obtained); and
(ii) For verification, a description of any document relied on (noting the type, any identification number, place of issuance and, if any, date of issuance and expiration), of any non-documentary methods and the results of any measures undertaken, and of the resolution of each substantive discrepancy.
(2) Retention of records. A covered financial institution must retain the records made under paragraph (i)(1)(i) of this section for five years after the date the account is closed, and the records made under paragraph (i)(1)(ii) of this section for five years after the record is made.

(j) Reliance on another financial institution. A covered financial institution may rely on the performance by another financial institution (including an affiliate) of the requirements of this section with respect to any legal entity customer of the covered financial institution that is opening, or has opened, an account or has established a similar business relationship with the other financial institution to provide or engage in services, dealings, or other financial transactions, provided that:
(1) Such reliance is reasonable under the circumstances;
(2) The other financial institution is subject to a rule implementing 31 U.S.C. 5318(h) and is regulated by a Federal functional regulator; and
(3) The other financial institution enters into a contract requiring it to certify annually to the covered financial institution that it has implemented its anti-money laundering program, and that it will perform (or its agent will perform) the specified requirements of the covered financial institution’s procedures to comply with the requirements of this section.

TEMPLATE TO DEVELOP A RISK PROFILE

Financial institutions are required to file a Suspicious Activity Report (SAR) where a customer appears to be engaged in illegal or suspicious activity. While we all know the general SAR requirements, there are many questions about what activity is considered suspicious, or more precisely, what the “red flags” of money laundering are. In light of the looming concerns in this area and increased regulatory scrutiny around the failure to file a SAR in certain instances, this section provides a non-exhaustive list of some of the common indicators of money laundering activity that a financial institution may encounter.

As an initial matter, the BSA/AML regime requires financial institutions to file a SAR if a transaction involves at least $5k and the financial institution has reason to suspect that the transaction: (i) involves funds derived from money laundering or any other illegal activity; (ii) is designed to evade the BSA or its implementing regulations; or (iii) has no apparent business or lawful purpose, or is not the type of transaction that the customer would normally be expected to engage in. See 12 CFR 748.1. Financial institutions are encouraged to develop appropriate policies, procedures, and processes that monitor and identify unusual or suspicious activity.

But what is suspicious? The following are examples of possible situations that may indicate money laundering. Two considerations should be noted: one, this list is non-exhaustive. Two, the presence of a red flag is not conclusive evidence of criminal activity. Rather, the presence of a red flag should prompt additional investigation and scrutiny in order to determine whether a SAR should be filed.

USE THESE POTENTIAL ISSUES AS A TEMPLATE TO DEVELOP A RISK PROFILE:

Avoiding Recordkeeping and Reporting Requirements

• Customer asks about record-keeping or reporting requirements
• Customer discourages employee from filing required reports or complying with recordkeeping requirements
• Customer reluctant to proceed with cash transaction after being told it must be reported

Suspicious Customer Identification Behavior

• Customer uses unusual or suspicious identification documents, or refuses to produce originals for verification
• Customer refuses to provide personal background information when opening an account
• Customer’s permanent address is outside of the financial institution’s service area
• Customer indicates that he/she does not want a statement of account or any mail sent to his/her address
• A business customer is reluctant to provide information about the nature and purpose of its business, expected account activity, or the names of its officers and directors
• THIS IS THE FOCUS OF THE BENEFICIAL OWNERSHIP RULES!

Suspicious Cash Transactions

• Customer regularly uses ATMs to make several deposits below the reporting threshold
• Customer comes in with another customer and they go to different tellers to conduct currency transactions under the reporting threshold
• Customer opens different accounts under different names, and then makes several cash deposits under the reporting threshold
• Customer deposits cash into several accounts in amounts below the reporting threshold and subsequently transfers the funds into one account and wire transfers them overseas
• Customer attempts to take back a portion of a cash deposit that exceeds the reporting threshold after being told a CTR must be filed
• Customer makes numerous purchases of monetary instruments with cash in amounts less than the reporting threshold
• Customer purchases a number of prepaid cards for large amounts, inconsistent with normal account activity

Suspicious Activity in Credit Transactions

• Customer suddenly pays down or pays off a large loan with no credible explanation as to where the funds came from
• Customer purchases certificates of deposit and uses them as loan collateral
• Loans are made for, or paid on behalf of, a third party with no plausible explanation
• Customer’s loan proceeds are unexpectedly transferred offshore or customer requests that loan proceeds be wire transferred

Suspicious Employee Activity

• Employee lives a lavish lifestyle that cannot be supported by his salary
• Employee fails to adhere to financial institution’s internal policies, procedures, and processes and frequently overrides internal controls
• Employee is reluctant to take a vacation

Again, this lists just some of the various transactions and activities that may indicate potential money laundering. For a more comprehensive list, check the FFIEC’s BSA/AML Examination Manual, Appendix F.

BSA RESOURCES

BSA Links – This is the link to FinCEN for Depository Institutions: https://www.fincen.gov/resources/financial-institutions/depository-institutions

Bank Secrecy Act - Increased Use of Exemption Provisions Could Reduce Currency Transaction Reporting (CTR) While Maintaining Usefulness to Law Enforcement Efforts - The Government Accountability Office (GAO) report to congressional committees on the usefulness of CTRs to law enforcement, the costs of meeting CTR requirements to depository institutions, and ways to encourage use of exemptions to avoid unnecessary CTRs.

The Financial Crimes Enforcement Network (FinCEN) - FinCEN, a bureau of the U.S. Treasury, is the delegated administrator of the BSA. In this capacity, FinCEN issues regulations and interpretive guidance, provides outreach to regulated industries, supports the examination functions performed by federal banking agencies and pursues civil enforcement actions when warranted.

There are several ways to contact the Financial Crimes Enforcement Network. The following contact information is provided to help direct your inquiries to the appropriate offices and/or personnel.

General Information: (703) 905-3591 (Monday thru Friday, 8:30 a.m. - 8:00 p.m., E.S.T.) For the general public with questions about the Financial Crimes Enforcement Network, its policies and programs.

Regulatory Toll-Free Helpline: 1-800-949-2732 (Monday thru Friday, 8:00 a.m. - 5:00 p.m., E.S.T.) For financial institutions with questions relating to Bank Secrecy Act and USA PATRIOT Act requirements and forms.

Financial Institutions Toll-Free Hotline: 1-866-556-3974 (7 days a week, 24 hours a day) For financial institutions wanting to report suspicious transactions that may relate to terrorist activity. The purpose of the hotline is to facilitate the immediate transmittal of this information to law enforcement.

While not an inclusive list, links to several reports on FinCEN’s website are provided below. You are encouraged to visit FinCEN’s home page for an inclusive list of all BSA related resources.

SAR Activity Review Trends, Tips and Issues: These reports are issued twice a year and provide analyses of trends, tips and issues about the preparation, use and utility of Suspicious Activity Reports.

SAR Activity Review - By the Numbers: A compilation of numerical data gathered from Suspicious Activity Reports filed by depository institutions, certain money services, casinos and card clubs, and certain segments of the securities and futures industries.

Advisories, Rulings, Bulletins, Fact Sheets: Provide additional guidance and information regarding the BSA.

314(a) Information Requests: FinCEN regularly requests financial institutions search records for persons that may be involved in terrorism or money laundering. Requests are sent to points of contact (POCs) at financial institutions. If you need to change your POC, please file an amended Call Report with the updated information.

Money Services Business (MSB) Website: Guidance on providing banking services to the MSB industry; MSB Registration list

U.S. Money Laundering Threat Assessment (MLTA): The MLTA offers a detailed analysis of money laundering methods in the United States, ranging from well-established techniques for integrating dirty money into the financial system to modern innovations that exploit global payment networks as well as the Internet.

2007 National Money Laundering Strategy: The 2007 Strategy addresses the priority threats and vulnerabilities identified by the Money Laundering Threat Assessment released in 2006.

Financial Action Task Force (FATF) Reports: The Financial Action Task Force (FATF) is an inter-governmental body whose purpose is the development and promotion of national and international policies to combat money laundering and terrorist financing.

High Intensity Financial Crimes Areas (HIFCAS): This is a means of concentrating law enforcement efforts at the federal, state and local levels in high intensity money laundering zones.

High Intensity Drug Trafficking Areas (HIDTAs): HIDTAs are areas within the United States that exhibit serious drug trafficking problems and harmfully impact other areas of the country.

International Narcotics Control Strategy Report (INCSR): Published annually by the U.S. State Department, it identifies major money laundering countries and jurisdictions.

Cornerstone: U.S. Immigration and Customs Enforcement’s (ICE) comprehensive investigative initiative for fighting financial crime, trade fraud and intellectual property crime. The Cornerstone Report is a quarterly bulletin highlighting key issues related to ICE financial and trade investigations.

NCUA BSA RESOURCES

12 USC 1786(q)(2) requires that the National Credit Union Administration (NCUA) include a review of the BSA compliance program at each examination of a federally insured credit union. NCUA plays a critical role in implementing BSA regulations by developing examination guidance, ensuring compliance with the BSA and enforcing the BSA in federally insured credit unions.

Below are some resources your credit union can rely on to be prepared for the next BSA exam.

This is the link to the resources: https://www.ncua.gov/regulation-supervision/Pages/bank-secrecy-act.aspx

• NCUA Examiner's Guide
• AIRES BSA Questionnaire
• NCUA Compliance Self-Assessment Guide
• Interagency Statement on Enforcement of BSA AML Requirements

This is the link to the FFIEC Bank Secrecy Act/Anti-Money Laundering InfoBase and Exam Manual:

https://www.ffiec.gov/bsa_aml_infobase/default.htm

FINCEN’S FAQS FOR CUSTOMER DUE DILIGENCE JULY 2016

This is a link to the nine-page guidance issued July 19, 2016; it was released as FIN-2016-G003:
https://www.fincen.gov/resources/statutes-regulations/guidance/frequently-asked-questions-regarding-customer-due-diligence

This guidance should be downloaded and printed; monitor FinCEN for continued updates. It is nine pages and 26 questions, and here are some key points:

Question 4: CDD requirements for covered financial institutions with respect to beneficial ownership

Q: What are the requirements for covered financial institutions to collect beneficial ownership information?

A: The CDD Rule requires covered financial institutions to establish and maintain written procedures that are reasonably designed to identify and verify the beneficial owners of legal entity customers. These procedures must enable the institution to identify the beneficial owners of each customer at the time a new account is opened, unless the customer is otherwise excluded or the account is exempted. Also, the procedures must establish risk-based practices for verifying the identity of each beneficial owner identified to the covered financial institution, to the extent reasonable and practicable. The procedures must contain the elements required for verifying the identity of customers that are individuals under applicable customer identification program (“CIP”) requirements. In short, covered financial institutions are now required to obtain, verify, and record the identities of the beneficial owners of legal entity customers.

Question 5: Amendments to the anti-money laundering (“AML”) program requirements

Q: Are there any changes to the AML program requirements for covered financial institutions in the Rule?

A: Yes. The CDD Rule amends the AML program requirements for each covered financial institution to explicitly require covered institutions to implement and maintain appropriate risk-based procedures for conducting ongoing customer due diligence, to include:
• understanding the nature and purpose of the customer relationships; and
• conducting ongoing monitoring to identify and report suspicious transactions and, on a risk basis, to maintain and update customer information.

A covered financial institution’s AML program must include, at a minimum:
(1) a system of internal controls;
(2) independent testing;
(3) designation of a compliance officer or individual(s) responsible for day-to-day compliance;
(4) training for appropriate personnel; and
(5) appropriate risk-based procedures for conducting ongoing CDD to understand the nature and purpose of customer relationships and to conduct ongoing monitoring to identify and report suspicious transactions, and, on a risk basis, to maintain and update customer information.

NOTE: Item number 5 is the FIFTH PILLAR; the first four items were the long-standing FOUR PILLARS.

Question 6: Procedures for identification and verification of identity of beneficial owners

Q: Must a covered financial institution’s procedures for identifying and verifying the identity of beneficial owners of legal entity customers be identical to its customer identification program?

A: No. However, the CDD Rule requires that the procedures, at a minimum, contain the same elements as required for verifying the identity of customers that are individuals under the applicable CIP rule. However, financial institutions may use photocopies or other reproductions of identification documents in the case of documentary verification.

2015 NATIONAL MONEY LAUNDERING RISK ASSESSMENT

The U.S. Treasury posted a press release on June 12, 2015 announcing the issuance of the National Money Laundering Risk Assessment (NMLRA) and the National Terrorist Financing Risk Assessment (NTFRA). This is a link to the announcement: https://www.treasury.gov/press-center/press-releases/Pages/jl0072.aspx

Here are some highlights of the press release:

“The NMLRA finds that the United States has effectively kept pace with innovation, such that, criminals pursuing money laundering opportunities rely on costly and burdensome methods to mask their identities from financial institutions in order to open and maintain accounts. These include, but are not limited to, using cash, other monetary instruments, shell companies, and conducting transactions below customer identification thresholds. The report also finds that the U.S. framework for anti-money laundering and counter terrorist financing effectively narrows many of the most significant vulnerabilities that money launderers seek to exploit through a core set of tools, including targeted financial sanctions, law enforcement investigations and prosecutions and regulatory preventive measures, and by working to enhance international standards.

The NTFRA finds that the U.S. Government has made it substantially more difficult for terrorist organizations to raise and move money through the U.S. financial system since the September 11, 2001 attacks. A notable trend highlighted in the report is a decrease in the use of the U.S. banking system for terrorist financing-related transactions, as terrorists are forced into more expensive and less efficient methods to facilitate terrorist financing, such as cash smuggling. Such channels outside of the regulated financial system are riskier than straightforward bank transfers, making them more vulnerable to disruption and exposure. Nonetheless, the wealth and resources of the United States will continue to make it an attractive target for a wide range of terrorist organizations seeking to fund their activities, and the risk of terrorist financing through the U.S. financial system persists.”

The Executive Summary outlines threats and says that the assessment “estimates that about $300 billion is generated annually in illicit proceeds. Fraud and drug trafficking offenses generate most of those proceeds.”

The press release has a link to the 2015 National Money Laundering Risk Assessment, which is 100 pages. There are sections for THREATS that focus on these areas:

• Fraud
• Drug Trafficking
• Human Smuggling
• Organized Crime
• Public Corruption

There are sections that focus on Vulnerabilities & Risks: Money Laundering Methods:

• Cash
• Banking
• Money Service Businesses
• Casinos
• Securities

Here are some highlights on the BANKING section:

The VULNERABILITIES section for banking included:

• Summary of wire activity ($3.5 trillion daily in 2014) and ACH activity (more than $10 TRILLION annually)
• Financial institutions are vulnerable when individuals and entities attempt to disguise the nature, purpose, or ownership of their accounts through:
  o Structuring and misuse of currency deposits (interstate funnel accounts)
  o Misuse of correspondent banking services
  o Misuse of new payment technologies
  o Nominees and misuse of legal entities
  o Money Brokers and Trade-based money laundering
  o Misuse of third party payment processors
• Many examples were listed for Structuring and Misuse of Currency Deposits (Interstate Funnel Accounts); Correspondent Banking, Remote Deposit Capture, Prepaid Debit Cards
• Misuse of Customer Relationships – Nominees and Misuse of Legal Entities
• Foreign Money Transmitters
• Third Party Payment Processors
• Compliance Deficiencies, resulting in enforcement actions

The section on RISKS included some of these points:

While structuring is a common money laundering method in the United States, financial institutions file thousands of SARs annually citing structuring and law enforcement utilizes these SARs to identify criminal activity and identify individuals. This suggests that, generally, structuring does not go undetected.

Identifying suspicious activity depends in part on the adequacy of a financial institution’s customer due diligence policies and procedures. Not knowing who owns or controls an account (i.e., the beneficial owner) can make it difficult for a financial institution to understand how an account is being used and whether the activity is legitimate. There is no current federal obligation to identify the beneficial owner of an account except in very specific circumstances (i.e., correspondent banking relationships and private banking for non-U.S. clients).

NOTE: THIS WAS WRITTEN PRIOR TO THE NEW CDD BENEFICIAL OWNERSHIP RULES THAT BECOME EFFECTIVE IN MAY 2018!

With few exceptions, U.S. regulation, supervision, and enforcement are effective and adequate. Between 2006 to 2012, out of the approximately 13,000 depository institutions in the United States only approximately 1 percent were subjected to formal enforcement actions requiring them to improve their programs, and over the last three years the issuance of enforcement actions has decreased significantly.

COMPONENTS OF DUE DILIGENCE PROGRAM

Purpose of Customer Due Diligence

Customer Due Diligence is designed to support BSA/CIP compliance by aiding in detecting and reporting unusual or suspicious transactions that potentially expose the financial institution to financial loss, increased expenses, and damage to its reputation.

Under the Customer Identification Program (CIP), financial institutions must follow procedures designed to verify the identity of any person seeking to open an account, to the extent reasonable and practicable, and check the names of people who want to open accounts or conduct other transactions against the OFAC’s Specially Designated Nationals (SDN) and the BSA 314(a) lists.

However, Customer Due Diligence programs must go beyond the standard CIP requirements. The financial institution needs to have a thorough understanding of the money laundering and terrorist financing risks within its customer base. Customer due diligence requires each financial institution to implement procedures that help it form accurate pictures of its customers’ normal and expected activities so that it can detect any transactions that seem unusual or suspicious.

Three components come together to make a financial institution’s Customer Due Diligence the cornerstone of a strong BSA compliance program:

1. Predicting normal activity: Due diligence requires financial institutions to predict normal activity for each customer and account by developing an understanding of customers’ anticipated transactions and monitoring customer relationships to stay abreast of any substantial changes.

2. Identifying indicators of potential change in risk: Due diligence requires that financial institutions identify indicators of potential change in the customer’s risk profile.

3. Developing procedures to keep current: Due diligence requires financial institutions to develop procedures to periodically monitor customers’ information to keep it current.

Each component helps your financial institution stay in compliance.

Predicting Normal Activity

By paying attention to customers’ anticipated transactions, due diligence enables financial institutions to predict normal activity for each customer and account. Due diligence begins at account opening. By finding out how customers plan to use their new accounts, the financial institution can estimate “normal transactional behavior” and assign a risk rating/profile. This allows the financial institution to heighten its monitoring of deposits and withdrawals on riskier accounts and identify any potentially suspicious transactions.

Much of the information that helps the financial institution determine the predicted normal activity and risk levels is routinely collected at account opening, such as employment and geographic location of the residence or business. Asking a few additional questions at account opening will improve its ability to determine the risk associated with the account. The following questions about account activity are helpful to ask new customers:

• “Will you be using this account to manage your personal finances?”
• “Do you expect to make wire transfers or accept direct deposits through this account?”
• “Do you expect to make regular large cash deposits or withdrawals?”

If an account is deemed “high risk,” additional information may be needed and the financial institution may be required to perform enhanced and ongoing due diligence.

SUSPICIOUS ACTIVITY REPORTING BASICS

Financial institutions are required to file Suspicious Activity Reports (SARs…or “something ain’t right” reports) under the Bank Secrecy Act. SAR information is reviewed by the law enforcement staff at FinCEN. The data is used to initiate or enhance criminal investigations and prosecutions. Appendix S in the Exam Manual includes Key Suspicious Activity Monitoring Components. The process should work like this:

Filing is required if

• the financial institution detects any known or suspected federal criminal violation, or pattern of violations, committed or attempted against the financial institution, or involving one or more transactions conducted through the financial institution and the financial institution believes it was an actual or potential victim of a crime or was used to facilitate a crime

When is a SAR required? FILE WHAT & HOW MUCH?

Filing a Suspicious Activity Report is required if…

• the amount involved is $5000 or more in the aggregate and involves money laundering or violations of BSA, or

• there is insider abuse involving any amount, or

• the amount involved is $5000 or more and a suspect can be identified, or

• the amount involved is $25000 or more regardless of whether a suspect can be identified.


Suspicious Activity Monitoring

• Monitoring, identifying, and reporting unusual or suspicious activity are regulatory requirements and form the foundation of BSA reporting

• SARs are filed for unusual or suspicious activity, including, but not limited to, terrorist financing, tax evasion, fraud, and structuring

• Financial institutions are not investigating, or “verifying or confirming” a particular crime.

• Board of Directors should regularly review overall SAR activity

• One financial institution’s SAR activity may be linked to SARs filed by others.

• Policies should outline how the financial institution will address recurring SAR filings, escalation procedures, and when an account will be closed

• When the activity needs immediate attention because of the nature of the activity, contact law enforcement before filing the SAR

When do you need to inform the BSA Officer of potential suspicious activity during the lending process?

• NEW! – CDD review shows that information provided for beneficial ownership was untrue or suspicious

• CIP issues that violate policy (identity theft, forged documents)

• Loan requests for questionable purposes or sources of repayment

• False statements on loan applications

• Income appears to be from questionable sources

• Payments appear to be from questionable sources; sudden pay-down without a reasonable source of funds

• Collateral offered appears to be questionable

• Loan proceeds are being sent to a high-risk geography without a legitimate reason


MONITORING AND DUE DILIGENCE RED FLAGS FOR SUSPICIOUS ACTIVITY

This is a portion of Appendix F from the 2014 BSA Exam Manual; this is the link: https://www.ffiec.gov/bsa_aml_infobase/pages_manual/olm_106.htm

NOTE: The term “bank” is used, but has the same meaning as a credit union; customers means members.

Money Laundering and Terrorist Financing “Red Flags”

The following are examples of potentially suspicious activities, or “red flags” for both money laundering and terrorist financing. Although these lists are not all-inclusive, they may help financial institutions and examiners recognize possible money laundering and terrorist financing schemes. Management’s primary focus should be on reporting suspicious activities, rather than on determining whether the transactions are in fact linked to money laundering, terrorist financing, or a particular crime. The following examples are red flags that, when encountered, may warrant additional scrutiny. The mere presence of a red flag is not by itself evidence of criminal activity. Closer scrutiny should help to determine whether the activity is suspicious or one for which there does not appear to be a reasonable business or legal purpose.

Potentially Suspicious Activity that May Indicate Money Laundering

Customers Who Provide Insufficient or Suspicious Information

A customer uses unusual or suspicious identification documents that cannot be readily verified.

A customer provides an individual tax identification number after having previously used a Social Security number.

A customer uses different tax identification numbers with variations of his or her name.

A business is reluctant, when establishing a new account, to provide complete information about the nature and purpose of its business, anticipated account activity, prior banking relationships, the names of its officers and directors, or information on its business location.

A customer’s home or business telephone is disconnected.

The customer’s background differs from that which would be expected on the basis of his or her business activities.

A customer makes frequent or large transactions and has no record of past or present employment experience.

A customer is a trust, shell company, or Private Investment Company that is reluctant to provide information on controlling parties and underlying beneficiaries. Beneficial owners may hire nominee incorporation services to establish shell companies and open deposit accounts for those shell companies while shielding the owner’s identity.

Funds Transfers

Many funds transfers are sent in large, round dollar, hundred dollar, or thousand dollar amounts.

Funds transfer activity occurs to or from a financial secrecy haven, or to or from a high-risk geographic location without an apparent business reason or when the activity is inconsistent with the customer’s business or history.

Many small, incoming transfers of funds are received, or deposits are made using checks and money orders. Almost immediately, all or most of the transfers or deposits are wired to another city or country in a manner inconsistent with the customer’s business or history.

Large, incoming funds transfers are received on behalf of a foreign client, with little or no explicit reason.

Funds transfer activity is unexplained, repetitive, or shows unusual patterns.

Payments or receipts with no apparent links to legitimate contracts, goods, or services are received.

Funds transfers are sent or received from the same person to or from different accounts.

Funds transfers contain limited content and lack related party information.

Automated Clearing House Transactions

Large-value, automated clearing house (ACH) transactions are frequently initiated through third-party service providers (TPSP) by originators that are not bank customers and for which the bank has no or insufficient due diligence.

Unusually high level of transactions initiated over the Internet or by telephone.

Activity Inconsistent with the Customer’s Business

The currency transaction patterns of a business show a sudden change inconsistent with normal activities.

A large volume of cashier’s checks, money orders, or funds transfers is deposited into, or purchased through, an account when the nature of the accountholder’s business would not appear to justify such activity.

A retail business has dramatically different patterns of currency deposits from similar businesses in the same general location.

Unusual transfers of funds occur among related accounts or among accounts that involve the same or related principals.


The owner of both a retail business and a check-cashing service does not ask for currency when depositing checks, possibly indicating the availability of another source of currency.

Goods or services purchased by the business do not match the customer’s stated line of business.

LENDING ACTIVITY – SIX RED FLAGS

1. Loans secured by pledged assets held by third parties unrelated to the borrower.

2. Loan secured by deposits or other readily marketable assets, such as securities, particularly when owned by apparently unrelated third parties.

3. Borrower defaults on a cash-secured loan or any loan that is secured by assets which are readily convertible into currency.

4. Loans are made for, or are paid on behalf of, a third party with no reasonable explanation.

5. To secure a loan, the customer purchases a certificate of deposit using an unknown source of funds, particularly when funds are provided via currency or multiple monetary instruments.

6. Loans that lack a legitimate business purpose, provide the bank with significant fees for assuming little or no risk, or tend to obscure the movement of funds (e.g., loans made to a borrower and immediately sold to an entity related to the borrower).

Privately Owned Automated Teller Machines

Automated teller machine (ATM) activity levels are high in comparison with other privately owned or bank-owned ATMs in comparable geographic and demographic locations.

Sources of currency for the ATM cannot be identified or confirmed through withdrawals from account, armored car contracts, lending arrangements, or other appropriate documentation.

Purpose of the shell company is unknown or unclear.

Employees

Employee exhibits a lavish lifestyle that cannot be supported by his or her salary.

Employee fails to conform to recognized policies, procedures, and processes, particularly in private banking.

Employee is reluctant to take a vacation.


Unusual Customer Activity

Customer rents multiple safe deposit boxes to store large amounts of currency, monetary instruments, or high-value assets awaiting conversion to currency, for placement into the banking system. Similarly, a customer establishes multiple safe custody accounts to park large amounts of securities awaiting sale and conversion into currency, monetary instruments, outgoing funds transfers, or a combination thereof, for placement into the banking system.

Unusual use of trust funds in business transactions or other financial activity.

Customer uses a personal account for business purposes.

Customer has established multiple accounts in various corporate or individual names that lack sufficient business purpose for the account complexities or appear to be an effort to hide the beneficial ownership from the bank.

Customer makes multiple and frequent currency deposits to various accounts that are purportedly unrelated.

Customer conducts large deposits and withdrawals during a short time period after opening and then subsequently closes the account or the account becomes dormant. Conversely, an account with little activity may suddenly experience large deposit and withdrawal activity.

Customer makes high-value transactions not commensurate with the customer’s known incomes.

Potentially Suspicious Activity that May Indicate Terrorist Financing

The following examples of potentially suspicious activity that may indicate terrorist financing are primarily based on the “Guidance for Financial Institutions in Detecting Terrorist Financing” provided by the FATF. FATF is an intergovernmental body whose purpose is the development and promotion of policies, both at national and international levels, to combat money laundering and terrorist financing.

Activity Inconsistent with the Customer’s Business

Funds are generated by a business owned by persons of the same origin or by a business that involves persons of the same origin from high-risk countries (e.g., countries designated by national authorities and FATF as non-cooperative countries and territories).

The stated occupation of the customer is not commensurate with the type or level of activity.

Persons involved in currency transactions share an address or phone number, particularly when the address is also a business location or does not seem to correspond to the stated occupation (e.g., student, unemployed, or self-employed).


Regarding nonprofit or charitable organizations, financial transactions occur for which there appears to be no logical economic purpose or in which there appears to be no link between the stated activity of the organization and the other parties in the transaction.

A safe deposit box opened on behalf of a commercial entity when the business activity of the customer is unknown or such activity does not appear to justify the use of a safe deposit box.

Other Transactions That Appear Unusual or Suspicious

Transactions involving foreign currency exchanges are followed within a short time by funds transfers to high-risk locations.

Multiple accounts are used to collect and funnel funds to a small number of foreign beneficiaries, both persons and businesses, particularly in high-risk locations.

A customer obtains a credit instrument or engages in commercial financial transactions involving the movement of funds to or from high-risk locations when there appear to be no logical business reasons for dealing with those locations.

Banks from high-risk locations open accounts.

Funds are sent or received via international transfers from or to high-risk locations.

Insurance policy loans or policy surrender values that are subject to a substantial surrender charge.


WHAT IS THE RISK ASSESSMENT LINK TO BSA/AML PROGRAMS?

RISK ASSESSMENT: IDENTIFY & MEASURE RISK (Products, Services, Customers, and Geographies)

INTERNAL CONTROLS: Develop applicable Policies, Procedures, Systems, and Controls

Risk based compliance program: (1) Internal Controls (2) Audit (3) BSA Compliance Officer (4) Training (5) ADD FIFTH PILLAR!


ANTI MONEY LAUNDERING PROGRAM

Customer Identification Program & Training

Add Beneficial Owner Rules

Customer Due Diligence, Customer Monitoring Programs & Training

Add Beneficial Owner Rules

Suspicious Activity Awareness and Reporting by Staff and Management


INTERVIEW QUESTIONS FOR ACCOUNT OPENING

1. Are you a U.S. citizen? If not, in what country are you a citizen?

2. Why did you select this financial institution?

3. Do you have accounts or loans at other institutions?

4. If you open a deposit account, what type of items will be deposited? (i.e., cash, checks, ACH, wires) How frequently do you expect to make deposits?

5. How will you deduct funds? Checks, ATM, debit card, ACH, etc.

6. What is the purpose of the deposit account?

7. What is the purpose for the loan request? Will it be secured by collateral? If yes, who owns the collateral, where is it located, etc.

8. Will any business proceeds be deposited into the account?

9. Will any business proceeds be used to repay the loan?

10. What is your current employment? What are your sources of income?

11. What are your debts/liabilities?

12. For legal entities ask about the beneficial owners and person(s) controlling the entity.

13. Ask about the form of the organization. Is it a:

a. Corporation – What is the state where it was incorporated? Date?

b. Limited Liability company – What is the state where it was organized? Date?

c. Limited Partnership – What is the state where the agreement was filed? Date?

d. Joint Venture – Is there a written agreement? Date?

e. General Partnership - Is there a written agreement? Date?

f. What is the Employer Identification Number?

g. Is there a Social Security number for a sole proprietor?

h. What is the physical address? Phone? Website?


i. What is the NAICS code?

j. What is the description of the business?

k. What type of items are included in the initial deposit?

l. What services will be used and frequency? Deposits, cash withdrawal, wires (outgoing and incoming; to/from information)

m. Is there an ATM on the premises?

n. Are you providing any financial services?

14. Determine if any beneficial owners hold an interest of 25% or more in the entity.

15. Review loan application and other information to determine possible candidates for the control prong. ASK DIRECTLY – who controls the entity?

16. COMPLETE CIP and CDD DOCUMENTATION STEPS


UPDATES TO BSA/AML POLICY

There is no official guidance on specific topics that are required in a financial institution’s BSA/AML policy. However, there are “core” exam procedures in the FFIEC BSA/AML manual that address account activity and should be considered as policy elements.

• Customer Identification Program*

• Customer Due Diligence

• Suspicious Activity Reporting*

• Currency Transaction Reporting*

• Currency Transaction Reporting Exemptions*

• Information Sharing*

• Purchase and Sale of Monetary Instruments Recordkeeping*

• Funds Transfers Recordkeeping*

• Foreign Correspondent Account Recordkeeping, Reporting, and Due Diligence*

• Private Banking Due Diligence Program (Non-U.S. Persons)

• Special Measures

• Foreign Bank and Financial Accounts Reporting

• International Transportation of Currency or Monetary Instruments Reporting*

• Office of Foreign Assets Control*

* Related records requested in Appendix H (Request Letter)

Note: If a financial institution does not engage in an activity described; e.g., “Private Banking” (a defined term), it need not have a policy on that topic. It may, however, be a best practice to list the topics on which it does not have policies and state that a policy will be developed on those topics if it decides to engage in related activities in the future.


SAMPLE NEW CDD POLICY #1

Our financial institution implements and maintains an anti-money laundering program that:

(a) Complies with the requirements of the Bank Secrecy Act

(b) Includes, at a minimum:

(1) A system of internal controls to assure ongoing compliance;

(2) Independent testing for compliance to be conducted by bank personnel or by an outside party;

(3) Designation of an individual or individuals responsible for coordinating and monitoring day-to-day compliance;

(4) Training for appropriate personnel; and

(5) Appropriate risk-based procedures for conducting ongoing customer due diligence, to include, but not be limited to:

(i) Understanding the nature and purpose of customer relationships for the purpose of developing a customer risk profile; and

(ii) Conducting ongoing monitoring to maintain and update customer information and to identify and report suspicious transactions; and

(c) Complies with the regulation of its federal functional regulator governing such programs.

NOTE: Language in item 5 is the update for beneficial ownership rules.


BENEFICIAL OWNERSHIP REQUIREMENTS FOR LEGAL ENTITY CUSTOMERS

(a) Our financial institution is required to establish and maintain written procedures that are reasonably designed to identify and verify beneficial owners of legal entity customers.

(b) Identification and Verification. With respect to legal entity customers, our financial institution’s customer due diligence procedures should enable the institution to:

(1) Identify the beneficial owner(s) of each legal entity customer, unless otherwise exempt pursuant to §1010.230(d). To identify the beneficial owner(s), our financial institution must obtain at the time a new account is opened a certification in the form of Appendix A from the individual opening the account on behalf of the legal entity customer; and

(2) Verify the identity of each beneficial owner identified to the covered financial institution, according to risk-based procedures to the extent reasonable and practicable. At a minimum, these procedures must be identical to our financial institution’s Customer Identification Program procedures required for verifying the identity of customers that are individuals.

(c) Beneficial Owner. For purposes of this section, Beneficial Owner means each of the following:

(1) Each individual, if any, who, directly or indirectly, through any contract, arrangement, understanding, relationship or otherwise, owns 25% or more of the equity interests of a legal entity customer;

(2) A single individual with significant responsibility to control, manage, or direct a legal entity customer, including

(i) An executive officer or senior manager (e.g., a Chief Executive Officer, Chief Financial Officer, Chief Operating Officer, Managing Member, General Partner, President, Vice President, or Treasurer); or

(ii) Any other individual who regularly performs similar functions.

(d) Legal Entity Customer. For the purposes of this section,

(1) Legal entity customer means: a corporation, limited liability company, partnership or other similar business entity (whether formed under the laws of a state or of the United States or a foreign jurisdiction) that opens a new account.


(2) Legal entity customer does not include:

(i) A financial institution regulated by a Federal functional regulator or a bank regulated by a State bank regulator;

(ii) A person described in § 1020.315(b)(2) through (b)(5) of this Chapter;

(iii) An issuer of a class of securities registered under section 12 of the Securities Exchange Act of 1934 or that is required to file reports under section 15(d) of that Act;

(iv) An investment company, as defined in section 3 of the Investment Company Act of 1940, that is registered with the Securities and Exchange Commission under that Act;

(v) An investment adviser, as defined in section 202(a)(11) of the Investment Advisers Act of 1940, that is registered with the Securities and Exchange Commission under that Act;

(vi) An exchange or clearing agency, as defined in section 3 of the Securities Exchange Act of 1934, that is registered under section 6 or 17A of that Act;

(vii) Any other entity registered with the Securities and Exchange Commission under the Securities Exchange Act of 1934;

(viii) A registered entity, commodity pool operator, commodity trading advisor, retail foreign exchange dealer, swap dealer, or major swap participant, each as defined in section 1a of the Commodity Exchange Act, that is registered with the Commodity Futures Trading Commission;

(ix) A public accounting firm registered under section 102 of the Sarbanes–Oxley Act; and

(x) A charity or nonprofit entity that is described in sections 501(c), 527, or 4947(a)(1) of the Internal Revenue Code of 1986, has not been denied tax exempt status, and is required to and has filed the most recently due annual information return with the Internal Revenue Service.


(e) Recordkeeping. Our financial institution must establish procedures for making and maintaining a record of all information obtained under the procedures implementing paragraph (b) of this section.

(1) Required records. At a minimum the record must include:

(i) For identification, the certification form, and any other identifying information obtained by our financial institution; and

(ii) For verification, a description of any document relied on (noting the type, any identification number, place of issuance and, if any, date of issuance and expiration), of any non-documentary methods and the results of any measures undertaken, and of the resolution of each substantive discrepancy.

(2) Retention of Records. Our financial institution must retain the records made of this section for five years after the date the account is closed, and the records made initially of this section for five years after the record is made.

(f) Reliance on another Financial Institution. Our financial institution may rely on the performance by another financial institution (including an affiliate) of the requirements of this section with respect to any legal entity customer of the covered financial institution that is opening, or has opened, an account or has established a similar business relationship with the other financial institution to provide or engage in services, dealings, or other financial transactions, provided that:

(1) Such reliance is reasonable under the circumstances;

(2) The other financial institution is subject to a rule implementing 31 U.S.C. 5318(h) and is regulated by a Federal functional regulator; and

(3) The other financial institution enters into a contract requiring it to certify annually to the covered financial institution that it has implemented its anti-money laundering program, and that it will perform (or its agent will perform) the specified requirements of the covered financial institution's procedures to comply with the requirements of this § 1010.230.


SAMPLE NEW CDD POLICY #2

DUE DILIGENCE

This policy is to be interpreted by written procedures developed by each affected operating area and approved by the BSA Officer. Due diligence is performed at account inception and over the life of the account. Our resources are limited and their allocation is modeled after that set out in Appendix K of the BSA/AML Examination Manual (2014). The term “customer” has the same meaning as “member.”

Account Inception – The BSA Officer shall develop due diligence questionnaires for consumer and non-consumer accounts that gather information beyond the information obtained by our customer identification program (CIP) discussed earlier. Each operating area of the financial institution that opens new accounts is responsible for expanding those core documents as necessary to reflect the specific needs of that particular area.

This portion of our due diligence effort is to be conducted prior to opening the account. The goals of the financial institution’s due diligence efforts complement its CIP and are to:

• identify and flag customers subject to expanded examination overview and

• develop a general profile of expected activity for consumer accounts, and

• develop a specific profile of expected activity for non-consumer accounts, and

• identify the beneficial owners of legal entity customers, and

• provide for threshold monitoring for the entire customer base, and

• periodically update profiles for customers identified as “higher risk” for money laundering.

Consumers who are U.S. citizens are rated 1. Consumers who are non U.S. citizens or politically exposed persons are rated 2. (The financial institution does not knowingly open or maintain accounts for consumers whose activities would cause them to be rated higher than 2.) All non-consumer customers are rated 3 (higher risk) at account inception, but they are reviewed at the end of 45 days to compare their projected activity to their actual activity and rated as a 2 or a 3.

In addition to profiling information, the information obtained for non-consumer customers must be sufficient to support a one paragraph description of the customer’s business and the assignment of the appropriate NAICS code or codes at account inception.

Only an officer, member, or partner of a legal entity may open an account for that entity. If an organization is excluded from the definition of a “legal entity customer” due to being publicly traded on a major exchange or a subsidiary of a company that is publicly traded on a major exchange, supporting documentation is required. If an organization is partially excluded due to being a charitable organization, supporting documentation is required. Other exclusions are allowed based on credible statements made by the person opening the account as approved by the BSA Officer.

If the individual opening the account is an established customer (one whom we have identified pursuant to our CIP), we obtain information regarding the “beneficial owners” and verify the information to the extent we can as required by law. If the account is opened by a non-customer, our procedures require additional information and verification processes.


The financial institution’s management information system is capable of generating reports listing customers subject to expanded examination overview by class; e.g., it can produce a list of all identified non U.S. persons, cash intensive businesses, etc.

The due diligence questionnaires mentioned earlier will include questions that automatically direct an additional level of questioning. For example, additional information and documentation will be required for a customer that indicates it provides financial services to its clientele. Customer service representatives opening accounts are required to report account requests which they regard as questionable to the BSA Officer for review prior to opening the account regardless of whether any enhanced due diligence trigger has been pulled.

During the Life of the Account – The BSA Officer shall identify a number of daily reports from the financial institution’s management information system and assign responsibility for their review to appropriate personnel. Those daily reports must note the customer’s risk rating and whether the customer is subject to expanded examination overview.

Reviewers are tasked with searching those reports for activity that may be inconsistent with the nature and stated purpose of the account to the point where the activity might be classified as suspicious. If any activity cannot be adequately explained, the reviewer is to report it to the BSA Officer for further consideration.

Activity referred to the BSA Officer by any employee, including those charged with reviewing daily reports, as potentially suspicious will be evaluated by the BSA Officer. If he or she believes there is any evidence that may indicate illegal activity is involved, he or she will present the case to the SAR Committee for its review.

Third-party requests for customer funds or information (e.g., levies, subpoenas, casual queries from law enforcement, etc.) are to be referred to the BSA Officer for analysis prior to sending them to the appropriate area for processing. (The BSA Officer is actually responsible for processing National Security Letters.) If he or she believes there is any evidence that may indicate illegal activity, he or she will direct the area responsible for processing the request to deliver the requested documents to him or her for review prior to its making them available to the requesting party. If, after that review, he or she believes suspicious activity is involved, he or she will present the case to the SAR Committee for its review.

Enhanced due diligence is performed at account inception and over the life of the account as necessary. It may be triggered by outside events that are brought to the financial institution’s attention by third parties including the news media. The overall level of enhanced due diligence we impose is a result of our most recent risk assessment.

Higher risk customers are identified by the use of a worksheet developed and maintained by the BSA Officer. The BSA Officer may also classify a customer as higher risk without regard to the worksheet. Profiles for higher risk customers incorporate a summary description of recent transaction activity as well as the most current listing of any beneficial owners that is no more than 12 months old. They are updated every six months or more frequently if circumstances dictate.