Anti-Money Laundering (“AML”)

What is Money Laundering?

The concealing or disguising the existence, illegal source, movement, destination or illegal application of illicitly derived property or funds to make them appear legitimate.

The three stages of Money Laundering:• Placement: The introduction of the funds into the

financial system;

• Layering: Movement of the funds to distance them from the original source;

• Integration: Funds re-enter the legitimate economy and are used to purchase goods or services,

finance other illegal activity or are otherwise spent.

AML has transcended from a compliance requirement to a national security issue.

Increased Scrutiny by Regulatory Authorities•Deferred prosecution agreements •Aggressive regulatory enforcement actions •AML compliance is a leading enforcement priority of federal and state

agencies

Congressional Inquiries•FRB – UBS•OCC – Riggs, Arab Bank, and Banco de Chile

AML’s Impact on Financial Institutions

Escalation of Fines•$10 million fine against U.S. Trust in 2001•$80 million fine against ABN Amro in 2005. •Cumulative penalties for the years 2000-2004 have been calculated

to be approximately $120 million.

Clearly, the regulatory authorities are intolerant of non-compliance and place a greater emphasis on penalties and

regulatory actions.

AML’s Impact on Financial Institutions (cont’d)

The Scale of the Problem

The International Monetary Fund, for example, has stated that the aggregate size of money laundering in the world could be somewhere between two and five percent of the world’s gross domestic product.

Using 1996 statistics, these percentages would indicate that money laundering ranged between US Dollar (USD) 590 billion and USD 1.5 trillion. The lower figure is roughly equivalent to the value of the total output of an economy the size of Spain.

In the US, the estimated earning of criminal activity (2000 statistics) is 779 billion or about 8% of the GDP.

The figures stated above are speculative at best.

Anti-Money Laundering Compliance

An Anti-Money Laundering Compliance Program• Designed to assist institutions and businesses in their fight

against money laundering and terrorist financing

• Required since 1987 (roots extend back to the Bank Secrecy Act of 1970)

• Requirement has been recently (October, 2001) extended to all financial institutions, including securities dealers, money services businesses and many other businesses including jewelers and precious gem dealers.

AML Regulations

• Bank Secrecy Act (1970) - legal principle under which banks are allowed to protect personal information about their customers. The Bank Secrecy Act sets out the four minimum requirements for an AML compliance program:

• Written internal policies, procedures and controls• A duly-designated AML Compliance Officer• On-going employee training program• Independent audit function to test the AML programs

• USA Patriot Act (2001) – combined the BSA AML requirements with the trade sanctions imposed by OFAC (Office of Foreign Assets Control). The USA Patriot Act delivers four primary directives to financial institutions:

• Identify clients and account holders, both private and commercial• Block transactions with entities identified on the OFAC and other interdiction lists• Determine and report suspicious activities with out blocking them• Share information with other Financial Service Providers (FSPs) to aid in determining

suspicious activity

AML Regulations

The United States became the first country to criminalize money laundering through a 1986 law that is considered the most powerful in the world. The law, Title 18, USC Sec. 1956, applies to the proceeds of more than 200 crimes. The most powerful of the three laws, Sec. 1956, imposes heavy penalties – up to 20 years in prison – and it has broad reach. It also includes a unique provision that permits undercover stings with funds “represented to be the proceeds of specified unlawful activity.”

• The Laundering of Monetary Instruments - Title 18, USC Sec. 1956 • Monetary Transactions in Property Derived from Specified Unlawful Activity La

w- Title 18, USC Sec. 1957

• Prohibition of Unlicensed Money Transmitting Businesses Law - Title 18, USC Sec. 1960

AML RegulationsUSA Patriot Act – Title III

Section 311 Secretary of the Treasury (Secretary) the authority to designate a foreign jurisdiction, institution(s), class(es) of transactions, or type(s) of account(s) as a “primary money laundering concern” and to impose certain “special measures”

Section 312 Special Due Diligence Programs for certain foreign correspondent and private banking accounts

Section 313 Prohibition on US Correspondent Accounts with Shell Banks

Section 319 (b) Availability of Records – •Correspondent Bank Certifications• 120 hour rule

Section 314 (a) Cooperation Among Financial Institutions, Their Regulatory Authorities and Law Enforcement Authorities

Section 314 (b) Voluntary Information Sharing Among Financial Institutions

Section 326 Customer Identification Program (CIP)

Section 327 Consideration of an Anti-Money Laundering Record

Key AML Regulators

Office of Foreign Assets Control (OFAC)An office of the U.S. Department of the Treasury.Administers and enforces economic and trade sanctions based on U.S. foreign policy and national security goals against targeted foreign countries, terrorists, international narcotics traffickers, and those engaged in activities related to the unapproved proliferation of weapons of mass destruction

Financial Crimes Enforcement Network (FinCEN) Created in 1990 to administrator the Bank Secrecy Act. FinCEN role is issue regulations and to impose civil penalties for violations. FinCEN has delegated examination authority to each Federal Banking Agencies. Originally a department of the U.S. Department of Treasury it was elevated to bureau status in of the U.S. Department of the Treasury to combat money laundering

Key AML Regulators (cont’d)Federal Banking Agencies (FBAs)

Office of the Comptroller of the Currency (OCC)

Federal Reserve

Office of Thrift Supervision (OTS)

Federal Deposit Insurance Corporation (FDIC)

Securities and Exchange Commission (SEC)

Internal Revenue Service (IRS)

OFAC’s Focus:• Identifies persons for designation; • Assists U.S. persons in complying with the sanctions prohibitions

through its compliance and licensing efforts• Penalizes U.S. persons violating the prohibitions • Works with other U.S. Government agencies• Coordinates and works with other nations to implement similar

strategies

Compliance with OFAC:A bank’s main compliance responsibility is to ensure that suspect items are interdicted. In developing OFAC compliance program, focus should be on providing enough information to key staff in all areas of operations to enable them to recognize and stop suspect transactions.

A Little More on OFAC

Any bank organized or located in the United States is responsible by law to block virtually all property that comes within the bank’s possession or control in which there is an interest of a blocked individual or entity.

Over the past several years, OFAC has had to impose millions of dollars in civil penalties involving U.S. Banks. The majority of the fines resulted from bank’s failure to block illicit

transfers when there was a reference to a targeted country

Main difference between OFAC and BSA compliance is OFAC tends to “freeze” rather than “seize” assets. OFAC will often block transactions in an attempt to apply political pressure on hostile governments.

Who is Liable Under OFAC?

Regulations require the following:• Block accounts and other property of specified countries, entities,

and individuals.• Prohibit or reject unlicensed trade and financial transactions with

specified countries, entities and individuals.

Unlike the BSA, the laws and OFAC-issued regulations apply not only to the U.S. banks, their domestic branches, agencies, and international banking facilities, but also their foreign branches, and often overseas offices and subsidiaries.

The Specially Designated Nationals (SDNs) list is comprised of thousands of individuals and entities that are primarily located outside of the blocked countries. Blocked countries currently include Cuba, Iran, Libya, North Korea, Sudan, and Syria.

Compliance with OFAC

Blocked TransactionsU.S. law requires that assets and accounts be blocked when such property is located in the United States, is held by U. S. individuals or entities, or comes into the possession or control of U.S. individuals or entities. Transactions with anyone on the SDN list are required to by law to be blocked and reported to OFAC.

Banks must block transactions that:• Are by or on behalf of a blocked individual or entity• Are to or through a blocked entity• Are in connection with a transaction in which a blocked individual or entity as an interest

Prohibited TransactionsIn some cases, and underlying transaction may be prohibited but there is no blockable interest in the transaction. In these cases, the transaction is simply rejected and not processed.

Compliance with OFAC

•OFAC has the authority, through a licensing process, to permit certain transactions that would otherwise be prohibited under it regulations.

•Specific licenses are issued on a case-by-case basis and require an application to OFAC.

•If the transactions conforms with U.S. foreign policy under a particular program, the license will be issued.

•When a customer claims to hold a specific license, the bank should still verify the transactions conforms to the terms of the license and retain a copy.

OFAC Licenses

•Banks must report all blocking to OFAC within ten days of the occurrence and annually on September 30th concerning assets blocked as of June 30th. Prohibited transactions that are rejected must also be reported with in ten days of occurrence.

•Banks must keep a full and accurate record of each blocked or rejected transaction for at least five years after the date of the transaction.

OFAC Reporting

Fundamental Elements of a sound OFAC program include assessment of:

•Specific product lines•Customer Base•Nature of Transactions•Identification of high-risk areas for OFAC transactions•Account and Transaction Parties

Based on the bank’s risk profile, they should establish policies, procedures and processes for reviewing transactions and transactions parties.

OFAC Risk Assessment

An effective OFAC program should include internal controls for identifying suspect accounts and transactions and reporting to OFAC. Internal controls should include the following elements:

•Flag and review suspect transactions – manually, interdiction software, or both.

•Updating OFAC lists – timely updating as the list as OFAC updates the list frequently.

•Reporting – OFAC should be notified as soon as possible in the case of narcotics or terrorism. However, most other items should be reported within ten day of occurrence.

•Maintaining License Information – OFAC recommends that banks consider maintaining copies of customers’ OFAC licenses on file for at least five years.

OFAC Internal Controls

Independent TestingEvery bank should conduct an independent test of it’s OFAC program that is performed by internal audit, outside auditors or other independent parties. An in-depth audit should be conducted at least once a year. For larger banks, frequency and are of testing should be based on the perceived risk of a specific area of business.

Responsible IndividualEvery bank should designate a qualified individual to monitor day-to-day compliance of the OFAC program.

TrainingThe bank should provide adequate training for all appropriate employees. This training should be consistent with the bank’s risk and employee responsibility.

OFAC Internal Controls

Internal Audit Considerations

Evaluating AML Risks and Compliance with U.S.

AML Regulations

Risk ConsiderationsThe ability to assess BSA/AML risk on a consolidated basis across all activities, business lines, and legal entities allows the holding company to view its risks and worldwide exposure inside a larger risk management framework.

Audit ObjectiveEvaluate the adequacy of the enterprise-wide BSA/AML compliance program. Determine reporting lines and how effectively the program manages risk in an integrated fashion across affiliates, business lines, and risk types.

Enterprise Wide BSA/AML Compliance Program

Risk ConsiderationsThe bank’s BSA/AML compliance program is not tailored to its

specific risks

The bank does not have a consolidated understanding of its risk exposure across all activities, business units and legal entities

Entity risks related to products, services, customers and geographic locations are not properly identified, updated and incorporated into the BSA/AML compliance program.

Audit ObjectiveAssess the adequacy of the Entity Risk Profile development and

updating process

Entity Risk Profile

Entity Risk Profile (cont’d)

AML Programs must be implemented on a risk-based approach. This means that the following factors need to be taken in into consideration with policies and procedures to support the AML program are implemented. Risk rate the following:

Clients Examples: High net worth individualsFinancial InstitutionsNon-traditional banking businessesMoney Services BusinessCharitable Organizations/Not for ProfitsAny type of business identified by Government Authorities

as high risk for Money Laundering

Products & Services Examples: Correspondent Banking Private BankingPayable ThroughWire TransfersOfficial Items

Geographic Regions Examples: Areas listed by the Financial Action Task Force (FATF)Middle East

Latin America

Risk ConsiderationsThe level of sophistication of the internal controls should be

commensurate with the size, structure, risks and complexity of the financial institution.

If internal controls are inadequate, the financial institution may not be able to detect, report and monitor suspicious activity in compliance with the BSA.

Audit ObjectiveTo determine whether internal controls ensure compliance

with the BSA and provide sufficient risk management, especially for high-risk operations (products, services, customers, and geographic locations).

Internal Controls

Risk ConsiderationsThe board, acting through senior management, is ultimately

responsible for ensuring that the financial institution maintains an effective BSA/AML internal control structure, including suspicious activity monitoring and reporting. Their oversight is a crucial element of a sound risk management and control environment.

Audit ObjectiveTo determine whether the board and senior management’s

oversight of the bank’s BSA /AML Compliance program is sufficient to effectively monitor and address identified risks.

The board and senior management should create a culture of compliance to ensure staff adherence to the Bank’s BSA/AML policies, procedures, and processes.

Governance and Oversight

Risk ConsiderationsA failure to sufficiently train such personnel in applicable

aspects of the BSA may result in the bank’s failure to prevent, detect and/or monitor suspicious activity.

The board of directors must also receive adequate training in BSA. Without a general understanding of the BSA, the board of directors cannot adequately provide BSA/AML oversight; approve BSA/AML policies, procedures, and processes; or provide sufficient BSA/AML resources.

Audit ObjectiveEvaluate the adequacy of the entity’s training program.

Assess the currentness, completeness, accuracy and presentation effectiveness of the training program.

Training

Risk ConsiderationsAccounts are opened without verification of owner identity

Identification documentation is not reliable or adequately safeguarded

Customer identification is relaxed because of certain external or certain internal referrals, including new accounts opened for existing relationships

Audit ObjectiveAssess the entity’s compliance with the statutory and

regulatory requirements for the CIP

Customer Identification Program (“CIP”)

Risk ConsiderationsAccounts are opened without review of customer background

Due diligence is:• ineffective or lacks appropriate checks and balances• not robust enough for high risk accounts• relaxed because of certain internal or certain external

referrals

Audit ObjectiveAssess the appropriateness and comprehensiveness of the

entity’s CDD policies, procedures, and processes for obtaining customer information and assess the value of this information in monitoring, detecting and reporting suspicious activity.

Customer Due Diligence (“CDD”)

Suspicious Activity Reports (“SARs”)

In April 1996, a Suspicious Activity Report (SAR) was developed to be used by all banking organizations in the United States.

A banking organization is required to file a SAR whenever it detects a known or suspected criminal violation of federal law or a suspicious transaction related to money laundering activity or a violation of the BSA.

Suspicious activity reporting forms the cornerstone of the BSA reporting system.

When Must A SAR Be Filed?

A national bank shall file a SAR with the appropriate Federal law enforcement agencies and the Department of the Treasury in accordance with the following circumstances:

1. Insider abuse involving any amount

2. Violations aggregating $5,000 or more where a suspect can be identified

3. Violations aggregating $25,000or more regardless of potential suspects

4. Transactions aggregating $5,000 or more that involve potential money laundering or violate the Bank Secrecy Act.

The Importance of Filing a SAR

1. Identifies potential and actual illegal activity:• Money Laundering• Terrorist financing• Other financial fraud and abuse

2. Detects and prevents flow of illicit funds

3. Establishes emerging threats through analysis of patterns and trends

4. It’s the law.

Financial Institutions Required to file SARs

• Banks

• Savings Association

• Savings Association Service Corporations

• Credit Unions

• Bank Holding Companies

• Non-bank subsidiaries of bank holding companies

• Edge & Agreement Corporations

• U.S. branches & agencies of foreign banks

SAR Reporting Deadlines

A financial institution is required to file a SAR:

No later than 30 calendar days after the date of initial detection of facts that may constitute a basis for the filing

No later than 60 calendar days if no suspect was identified on the date of detection of the incident requiring the filing

Risk ConsiderationsSuspicious activity is not properly defined or communicated

SARs are incomplete or not filed timely

SARs activity is not monitored for trends or those trends are not investigated

Decisions not to file SARs are not appropriate or adequately supported

Audit ObjectiveAssess the entity’s policies, procedures, and processes, and overall

compliance with statutory and regulatory requirements for monitoring, detecting, and reporting suspicious activities

SARs from an Audit Perspective

Currency Transaction ReportingInformation SharingPurchase and Sale of Monetary InstrumentsFunds TransfersForeign Correspondent Account Recordkeeping and Due Diligence Private Banking Due Diligence Program Special MeasuresForeign Bank and Financial Accounts Reporting International Transportation of Currency or Monetary Instruments Reporting

Other Risk Areas

Office of Foreign Assets Control Correspondent AccountsU.S. Dollar Drafts Payable Through Accounts Pouch ActivitiesForeign Branches and Offices of U.S. Banks Parallel Banking Electronic Banking Electronic Cash

Other Risk Areas

Third-Party Payment Processors Brokered Deposit Referral Agents Privately-Owned Automated Teller Machine Non-deposit Investment Products Insurance Concentration Accounts Lending Activities Trade Finance Activities

Other Risk Areas

Trust and Asset Management Services Nonresident Aliens and Foreign Individuals Politically Exposed Persons Embassy and Foreign Consulate Accounts Non-Bank Financial Institutions Professional Services Providers Non-Governmental Organizations and Charities Corporate Entities Cash-Intensive Businesses

Other Risk Areas

Appendices

APPENDIX A: Key Terms

BSA Bank Secrecy ActCIP Customer Identification ProgramCTR Currency Transaction ReportDCN Document Control NumberEFT Electronic Funds TransferFBO Foreign Bank OrganizationFinCEN Financial Crimes Enforcement Network

APPENDIX A: Key Terms

MLSA Money Laundering Suppression Act of 1994OCC Office of the Comptroller of the CurrencyOFAC Office of Foreign Assets ControlROE Report of ExaminationSAR Suspicious Activity ReportSEC Securities and Exchange CommissionSDN Specially Designated Nationals (or Blocked Persons)TDF Treasury Department Form