bank secrecy act anti-money laundering for directors · bank secrecy act & anti-money laundering...

of 42/42
Bank Secrecy Act & Anti-Money Laundering for Directors Mike Lee Director of Regulatory Advocacy [email protected]

Post on 14-Jun-2018




0 download

Embed Size (px)


  • Bank Secrecy Act


    Anti-Money Laundering



    Mike Lee

    Director of Regulatory Advocacy

    [email protected]

  • Legal Disclaimer:

    Information provided in this presentation, including all

    materials, should not be construed as legal services, legal

    advice, or in any way establishing an attorney-client

    relationship. Credit unions should contact their own legal

    counsel for advice. Information may have changed since

    this presentation was prepared. This information is

    intended to only be a summary and is not all inclusive.

  • Goals

    By the end of this Presentation we will:

    1. Identify regulators expectations for CU directors under BSA.

    2. Identify the required components of your BSA Compliance


    3. Introduce the requirements of the Beneficial Ownership Rule.

    4. Review Case Studies of Credit Unions that Failed BSA


  • Why are you here?

    Required annual training Clarified in 05-CU-09.

    Advisory FIN-2014-A007: The guidance was provided due to

    shortcomings in compliance due to a lack of involvement from

    institutions senior management. It pointed to the poor culture of

    compliance which existed in part due to a lack of leadership to

    improve and strengthen organizational compliance with Bank

    Secrecy Act (BSA) obligations.

  • What is a Culture of Compliance?

    Characteristics defined by FinCEN (FIN-2014-A007):

    Leadership Should Be Engaged.

    Compliance Should Not Be Compromised By Revenue Interests.

    Information Should Be Shared Throughout the Organization.

    Leadership Should Provide Adequate Human and Technological


    The Program Should Be Effective and Tested By an Independent and

    Competent Party.

    Leadership and Staff Should Understand How Their BSA Reports are


  • What the BSA Exam Manual says:

    The board of directors and senior management should be

    informed of changes and new developments in the

    BSA...they need to understand the importance of BSA/AML

    regulatory requirements, the ramifications of

    noncompliance, and the risks posed to the bank.

    Without a general understanding of the BSA, the board of

    directors cannot adequately provide BSA/AML oversight;

    approve BSA/AML policies, procedures, and processes; or

    provide sufficient BSA/AML resources.

  • BSA Framework

    The Law The Bank Secrecy Act and a medley of other

    statutes (PATRIOT Act).

    FinCEN Promulgates/enforces the BSA regulations.

    NCUA Enforces compliance via examination.(12 CFR Part 748)

    Federal Law Enforcement utilizes data for investigations.






    Credit Union Analysis


    Law Enforcement

  • Prevent Money Laundering

  • Then

  • And Now

  • BSA 748.2 Procedures for monitoring Bank

    Secrecy Act (BSA) compliance. a) Purpose. This section is issued to ensure that all federally insured

    credit unions establish and maintain procedures reasonably

    designed to assure and monitor compliance

    b) Establishment of a BSA compliance program

    1. Program requirement. Each federally insured credit union shall

    develop and provide for the continued administration of a

    program reasonably designed to assure and monitor

    compliance with the recordkeeping and recording

    requirements The compliance program must be written,

    approved by the credit union's board of directors, and

    reflected in the credit union's minutes.

    2. Customer identification Program. Each federally insured credit

    union is subject to the requirementswhich require a customer

    identification program to be implemented as part of the BSA

    compliance program required under this section.

  • Pillars of BSA Compliance

    1. Implement proper internal controls to ensure that your BSA program is

    functioning as intended;

    2. Provide training for appropriate personnel, at least annually;

    3. Provide adequate annual independent audit procedures;

    4. Require the participation of a qualified and knowledgeable BSA officer;

    5. Implement Risk Based procedures for Customer Due Diligence /

    Beneficial Ownership Rule

  • Pillar 1: Internal Controls Biggest Challenge?

    The board of directors, acting through senior management, is

    ultimately responsible for ensuring that the bank maintains an

    effective BSA/AML internal control structure, including suspicious

    activity monitoring and reporting. The board of directors and

    management should create a culture of compliance to ensure staff

    adherence to the banks BSA/AML policies, procedures, and

    processes. Internal controls are the banks policies, procedures, and

    processes designed to limit and control risks and to achieve

    compliance with the BSA. The level of sophistication of the internal

    controls should be commensurate with the size, structure, risks,

    and complexity of the bank.

  • Pillar 1: Internal Controls Risk Assessment

    An examiner will review whether the BSA/AML compliance

    program is adequate and provides the controls necessary to

    mitigate risks.

    Step 1: ID Risk Categories - Risks may vary according to:

    Products and Services Prepaid Cards, remittances

    Customers MSBs, attorneys, non-resident aliens


    High Intensity Drug Trafficking Areas (HIDTA): Jefferson, Mobile, Polk,

    Miami-Dade, Nassau

    High Intensity Financial Crime Areas (HIFCA) South Florida

    Step 2: Analyzing the Risk Categories Using CUs data:

    Purpose of the account.

    Actual or anticipated activity in the account.

    Nature of the customers business/occupation.

    Customers location.

    Types of products and services used by the customer.

  • Pillar 1: Internal Controls SAR

    Suspicious Activity Report filing required for:

    Criminal violations involving insider abuse in any amount.

    Criminal violations aggregating $5,000 or more when a suspect

    can be identified.

    Criminal violations aggregating $25,000 or more regardless of a

    potential suspect.

    Transactions conducted or attempted by, at or through a credit

    union aggregating $5,000 or more, of the credit union knows,

    suspects or has reason to suspect that the transaction:

    May involve potential money laundering or other illegal activity.

    Is designed to evade the BSA or its implementing regulations.

    Has no business or apparent lawful purpose, or is not the type of

    transaction that the particular member would normally be expected to

    engage in, and the credit union knows of no reasonable explanation for

    the transaction.

  • Pillar 1: SAR Systems and Safe Harbor

    Credit Unions must have policies and procedures in place to monitor

    systems for suspicious activity, specifically regarding high risk

    factors and refer those activities to those who investigate and decide

    whether to file a SAR.

    The decision to file a SAR is an inherently subjective

    judgment . CU should not be criticized for the failure to file

    a SAR unless the failure is significant or accompanied by

    evidence of bad faith.

    Federal law (31 USC 5318(g)(3)) provides protection from civil

    liability for all reports of suspicious transactions made to appropriate


  • Pillar 1: SAR Filing

    SARs must be filed:


    No later than 30 days from the detection of facts constituting

    the basis for filing.

    If no suspect is identified, the filing is extended to 60 days.

    5 year record retention.

    Board should be kept aware of SAR filings.

    SARs are confidential, disclosure of the existence or non-

    existence of a SAR is prohibited, especially to suspect

    Member (and associates).

    Can be shared with Federal law enforcement and NCUA.

    Must not comply with subpoenas unless requested to do so by LE.

    Seek Counsel.

  • Pillar 1: Internal Controls CTR

    File Currency Transaction Report (CTR) for each transaction

    in currency (deposit, withdrawal, exchange, or other payment

    or transfer) of more than $10,000.

    Multiple currency transactions totaling more than $10,000

    during any one business day are treated as a single

    transaction if the credit union has knowledge that they are by

    or on behalf of the same person.

    Must be filed within 15 days after the date of the transaction.

    Bank Secrecy Act Currency Transaction Report


    5 year record retention.

  • CTRs Use in Investigation (NBC News)

    Mandalay Bay shooter Stephen Paddock gambled with at least

    $160,000 in the past several weeks at Las Vegas casinos,

    according to senior law enforcement officials.

    There were 16 Currency Transaction Reports, or CTRs, filed for

    Paddock in recent weeks. The Treasury Department and the IRS

    mandate that casinos file the reports for "each transaction in

    currency involving cash-in and cash-out of more than $10,000 in

    a gaming day."

    The reports don't show whether Paddock won or lost or both on

    the days in question. They do show that on same days there

    were multiple transactions.

    A source familiar with the investigation told NBC News that

    Paddock was a frequent player "with the highest status" at

    Caesars Entertainment properties in Las Vegas.

  • Pillar 2 - Training

    At a minimum:

    the credit unions training program must include employees whose

    duties involve BSA.

    training should be tailored to the persons specific responsibilities.

    In addition, an overview of the BSA/AML requirements typically

    should be given to new staff during employee orientation.

    The BSA compliance officer should receive periodic training that is

    relevant and appropriate given changes to regulatory requirements

    as well as the activities and overall BSA/AML risk profile of the bank.

    Credit unions should document their training programs.

  • Pillar 3 - Audit 12 18 months Independent testing should, at a minimum, include:

    An evaluation of the overall adequacy and effectiveness

    of the BSA/AML compliance program, including policies,

    procedures, and processes.

    A review of the banks risk assessment

    Appropriate risk-based transaction testing

    An evaluation of managements efforts to resolve

    violations and deficiencies

    A review of staff training for adequacy, accuracy, and


    A review of the effectiveness of the suspicious activity

    monitoring systems (manual, automated, or a

    combination) used for BSA/AML compliance.

  • Pillar 4 - Staff : BSA Officer

    The board of directors is responsible for ensuring that

    the BSA compliance officer has sufficient authority and

    resources (monetary, physical, and personnel) to

    administer an effective BSA/AML compliance

    program based on the banks risk profile.

    The BSA compliance officer should be fully

    knowledgeable of:

    the BSA and all related regulations; and

    the banks products, services, customers, etc.

    The BSA compliance officer should regularly apprise the

    board of directors and senior management of ongoing

    BSA compliance.

  • CIP: Collect Member Information Purpose: To enable the CU to form a reasonable belief that it

    knows the identity of each member.

    1. Identifying Info:

    1. Name

    2. DOB for individuals.

    3. Address

    4. ID= Tax ID = SSN

    2. Verifying Info: Documentary - Unexpired government issued identification, such as:

    A drivers license;

    Passport; or

    Military ID.


    Information obtained from a credit bureau, or against fraud and bad check databases

    References from other financial institutions

    Confirm information such as telephone number and address by contacting member

    Tax return or a financial statement

  • CIP: Verifying Member Information

    Procedures explaining verification and non-verification. (Flowchart)

    Identifying info must be kept for five years after the account is


    Included in this is documents used to verify the ID, with a full

    description of such document.

    Methods used and results of verification.

    Results of discrepancies in ID.

    Must include cross reference of ID with federal terrorist list.

    Must provide notice to applicant that CU is requesting info to identify

    their ID.

  • Information Sharing - Section 314(a) of the USA

    PATRIOT Act (31 CFR 1010.520)

    Law Enforcement via FinCEN requests information on


    Credit Union must review their current account or those active

    previous 12 months, or transactions with suspect for six


    Credit Union has 14 days to report matches.

    Credit Unions must develop policies and procedures to

    process requests.

    Credit Union should document its: receipt, review and


    Voluntary Information Sharing Section 314(b) of the USA

    PATRIOT Act (31 CFR 1010.540)

  • OFAC - Office of Foreign Assets Control

    Enforces sanctions on people, nations, entities.

    Credit Unions must regularly review the Specially Designated

    Nationals (SDN) List against membership.

    Credit Unions must block or reject people or entities on the list

    and report those transactions to OFAC.

    Must perform risk assessment:

    International funds transfers.

    Nonresident alien accounts.

    Foreign customer accounts. Etc

    OFAC compliance pillars are essentially the same as for BSA.

  • Beneficial Owners : Due Diligence Rule May

    2018 Must have written procedures designed to Id and verify legal entity


    At minimum the procedures to verify the identity must contain elements of

    CIP program already in place.

    develop risk profile regarding member relationships, monitor

    activities for suspicious transactions.

    ID beneficial owners when new account is opened by:

    Using Beneficial Owner Certification Form in Appendix A; or (no

    safe harbor)

    Collecting the info asked for on the form.

    Beneficial Owners

    Those who own 25% or more of equity interest in a legal entity; & Those who control a legal entity. (CEO, CFO, President, Treasurer)

    For trusts that own 25% of entity, the beneficial owner is the trustee.

  • Beneficial Owners : Legal Entity Defined

    Legal Entity means: corp., LLC, or other entity created by filing a

    public document with Sec. of State.

    Definition does not include:

    Financial institutions regulated by Fed. or state.

    The Fed. or state govt.

    Publicly traded companies or their subsidiaries.

    Issuers of registered securities, investment companies or


    Public Accounting firms.

    Insurance companies regulated by the state.

    Non-US govt entity that doesnt engage in commercial activities.

  • Beneficial Owners : Record keeping

    Credit union must establish procedures for making and maintaining

    a record of all info obtained under the rule.

    The record must include at least:

    For identification: any identifying info in certification.

    For verification: description of documents relied upon or non-

    documentary methods.

    Records must be retained for 5 years after the account is closed for

    identification or 5 years after it is made for verification.

    Compliance date: May 11, 2018

  • Case Study 1: North Dade Community

    Development Federal Credit Union

    FOM: Community charter North Miami-Dade County, FL

    Employees: 5

    Assets: $4.1 million

    Serviced MSBs outside FOM, performing High Risk activities

    in High Risk jurisdictions.

    2013: MSBs transactions (90% of revenue) included:

    $54.8 million in cash orders,

    $1.01 billion in outgoing wires,

    $5.3 million in returned checks,

    $984.4 million in remote deposit capture.

    NCUA ordered C&D in 2013.

  • North Dades compliance with BSA:

    1. Internal Controls

    Failed to assess money laundering and terrorist financing risks.

    Risk assessment wasnt performed from 2009 until Nov. 2013.

    Inadequate controls to monitor suspicious activity and 3rd party vendors.

    56 MSB accounts were serviced rather than the 1 vendor, without

    additional assessments or monitoring.

    From 2010-13, one person accounted for 60% of business banking, they

    filed over 2000 CTRs, but didnt monitor the account as high risk.

    Failed to follow policy on MSBs without licenses, continued to service


    2. BSA Officer- failed to designate.

    3. Training- No record of Board or employee BSA training.

    4. Audit: Had no evidence of BSA audit prior to C & D.

  • North Dades compliance with BSA:

    3. Member Identification Program Failed to ID MSBs.

    By not knowing its members, North Dade was not capable of

    understanding their expected transactional behavior and thus

    was unable to appropriately monitor for suspicious activities.

    4. SAR Reporting: - Filed only 15 SARs in a 3 year period.

    Failed to file SAR after Law Enforcement seized $1.5 million from MSB


    5. Review 314(a) lists: Failed to review lists for 2 years.

    FinCen Fine: $300,000

    Result: Liquidiation

  • Case Study 2:

    FOM: low-moderate income in Bronx, NY

    Employees: 22

    Maintained internal controls to its membership since 2002.

    In 2011, began servicing MSBs, including those in high risk

    jurisdictions with high risk activities (wires to Middle East). Did

    not update internal controls.

    Relied on vendor for Due Diligence and monitoring of MSBs.

  • Bethexs compliance with BSA:

    1. Internal Controls

    In 2010, Bethex processed $657 million domestic transactions.

    In 2012, Bethex processed over $4 billion in domestic and international

    transactions, an increase of more than 300% with modifying its

    controls. Generated high fee income.

    Failed to conduct risk assessment while transacting in 30 countries,

    some high risk.

    Failed to perform Due Diligence four MSBs owned by one person at

    one address, serviced one Mexican MSB wasnt monitored.

    Failed to monitor suspicious activities, had insufficient staff.

    2. BSA Officer

    Failed to have BSA officer with sufficient experience, authority, and

    resources to ensure compliance.

    Willfully undermined controls by sending multiple wires under policy


  • Bethexs compliance with BSA:

    3. Audit: Ignored auditor findings.

    4. Training- Inadequate

    Suspicious Activity Reporting:

    Failed to file SARs for wires with high dollar amounts to Middle East.

    SARs were filed late and were inadequate.

    FinCen Fine: $500,000

    Result: Liquidiation

  • Takeaway from FinCEN Enforcement Actions.

    1. Internal Controls:

    Dont rely on 3rd party vendors for compliance.

    Dont wire money abroad.

    Dont service MSBs.

    Do - Update controls annually, specifically when introducing new

    products and services.

    2. BSA Officer- Hire sufficient and competent staff

    3. Training- Annual training for Board and relevant


    4. Audit:


    Listen to them.

  • SAR Filing Data

    Month 2012 2013 2014 2015 2016

    January - 12,232 65,898 66,101 70,460

    February - 21,088 61,637 65,984 73,927

    March 24 45,719 64,462 73,420 83,964

    April 609 67,278 73,302 74,049 81,282

    May 1,210 72,255 75,301 68,216 80,822

    June 1,713 63,579 71,773 77,162 91,400

    July 2,505 70,857 75,559 77,508 83,284

    August 3,115 74,312 70,856 75,503 84,726

    September 2,947 68,751 70,703 75,863 78,014

    October 5,561 79,201 77,735 78,096 76,943

    November 7,954 69,631 63,761 71,500 75,599

    December 10,098 69,027 68,327 76,505 78,116

    Subtotal 35,736 713,930 839,314 879,907 958,537

    Total Filings 3,427,424

  • Civil Monetary Penalties After 1/15/17 12 U.S.C. 1829b(j) Relating to Recordkeeping Violations For Funds Transfers $20,111

    12 U.S.C. 1955 Willful or Grossly Negligent Recordkeeping Violations 20,111

    31 U.S.C. 5318(k)(3)(C) Failure to Terminate Correspondent Relationship with Foreign



    31 U.S.C. 5321(a)(1) General Civil Penalty Provision for Willful Violations of Bank

    Secrecy Act Requirements



    31 U.S.C.


    Foreign Financial Agency TransactionNon-Willful Violation

    of Transaction


    31 U.S.C. 5321(a)(5)(C) Foreign Financial Agency TransactionWillful Violation of



    31 U.S.C. 5321(a)(6)(A) Negligent Violation by Financial Institution or Non-Financial

    Trade or Business


    31 U.S.C. 5321(a)(6)(B) Pattern of Negligent Activity by Financial Institution or Non-

    Financial Trade or Business


    31 U.S.C. 5321(a)(7) Violation of Certain Due Diligence Requirements, Prohibition

    on Correspondent Accounts for Shell Banks, and Special



    31 U.S.C. 5330(e) Civil Penalty for Failure to Register as Money Transmitting



  • Advocate for Changing BSA Regime

    Recommendations for Changes by FAITH LLEVA ANDERSON

    of American Airlines FCU at House Financial Services

    Committee hearing titled, Examining the BSA/AML Regulatory

    Compliance Regime.

    1. SAR and CTR Forms Should Be Combined

    2. Reporting Thresholds and Deadline to File Should Be

    Increased to Reflect Todays Environment. ($20k $50k)

    3. Beneficial Owner and Beneficiaries Requirements

    4. Monetary Instrument Purchases Remove Separate


  • Upcoming Events:

    BSA Seminar by Federal Law Enforcement

    Jan. 30 Birmingham, AL

    Jan. 31 Huntsville, AL

    Note: The last element of the culture of


    Nov. 7 Compliance Meeting Avadian CU, Birmingham.