Bank Secrecy Act & Anti-Money Laundering for Directors
Mike Lee
Director of Regulatory Advocacy
Legal Disclaimer:
Information provided in this presentation, including all
materials, should not be construed as legal services, legal
advice, or in any way establishing an attorney-client
relationship. Credit unions should contact their own legal
counsel for advice. Information may have changed since
this presentation was prepared. This information is
intended to only be a summary and is not all inclusive.
Goals
By the end of this Presentation we will:
1. Identify regulators’ expectations for CU directors under BSA.
2. Identify the required components of your BSA Compliance
Program.
3. Introduce the requirements of the Beneficial Ownership Rule.
4. Review Case Studies of Credit Unions that Failed BSA
Compliance.
Why are you here?
• Required annual training – Clarified in 05-CU-09.
• Advisory FIN-2014-A007: “The guidance was provided due to
shortcomings in compliance due to a lack of involvement from
institutions’ senior management. It pointed to the poor culture of
compliance which existed in part due to a lack of leadership to
improve and strengthen organizational compliance with Bank
Secrecy Act (BSA) obligations.”
What is a Culture of Compliance?
Characteristics defined by FinCEN (FIN-2014-A007):
• Leadership Should Be Engaged.
• Compliance Should Not Be Compromised By Revenue Interests.
• Information Should Be Shared Throughout the Organization.
• Leadership Should Provide Adequate Human and Technological
Resources.
• The Program Should Be Effective and Tested By an Independent and
Competent Party.
• Leadership and Staff Should Understand How Their BSA Reports are
Used.
What the BSA Exam Manual says:
The board of directors and senior management should be
informed of changes and new developments in the
BSA...they need to understand the importance of BSA/AML
regulatory requirements, the ramifications of
noncompliance, and the risks posed to the bank.
Without a general understanding of the BSA, the board of
directors cannot adequately provide BSA/AML oversight;
approve BSA/AML policies, procedures, and processes; or
provide sufficient BSA/AML resources.
BSA Framework
• The Law – The Bank Secrecy Act and a medley of other
statutes (PATRIOT Act).
• FinCEN – Promulgates/enforces the BSA regulations.
• NCUA – Enforces compliance via examination (12 CFR Part 748).
• Federal Law Enforcement – Utilizes data for investigations.
[Diagram: FinCEN, Credit Union, Law Enforcement; labels: Statute, Regulation, Compliance, Experience, Analysis, Prosecution]
Prevent Money Laundering
Then…
And Now
BSA – §748.2 Procedures for monitoring Bank Secrecy Act (BSA) compliance.
a) Purpose. This section is issued to ensure that all federally insured
credit unions establish and maintain procedures reasonably
designed to assure and monitor compliance…
b) Establishment of a BSA compliance program—
1. Program requirement. Each federally insured credit union shall
develop and provide for the continued administration of a
program reasonably designed to assure and monitor
compliance with the recordkeeping and recording
requirements… The compliance program must be written,
approved by the credit union's board of directors, and
reflected in the credit union's minutes.
2. Customer identification Program. Each federally insured credit
union is subject to the requirements…which require a customer
identification program to be implemented as part of the BSA
compliance program required under this section.
Pillars of BSA Compliance
1. Implement proper internal controls to ensure that your BSA program is
functioning as intended;
2. Provide training for appropriate personnel, at least annually;
3. Provide adequate annual independent audit procedures;
4. Require the participation of a qualified and knowledgeable BSA officer;
5. Implement Risk Based procedures for Customer Due Diligence /
Beneficial Ownership Rule
Pillar 1: Internal Controls – Biggest Challenge?
The board of directors, acting through senior management, is
ultimately responsible for ensuring that the bank maintains an
effective BSA/AML internal control structure, including suspicious
activity monitoring and reporting. The board of directors and
management should create a culture of compliance to ensure staff
adherence to the bank’s BSA/AML policies, procedures, and
processes. Internal controls are the bank’s policies, procedures, and
processes designed to limit and control risks and to achieve
compliance with the BSA. The level of sophistication of the internal
controls should be commensurate with the size, structure, risks,
and complexity of the bank.
Pillar 1: Internal Controls – Risk Assessment
• An examiner will review whether the BSA/AML compliance
program is adequate and provides the controls necessary to
mitigate risks.
• Step 1: ID Risk Categories - Risks may vary according to:
– Products and Services – Prepaid Cards, remittances
– Customers – MSBs, attorneys, non-resident aliens
– Geography –
• High Intensity Drug Trafficking Areas (HIDTA): Jefferson, Mobile, Polk,
Miami-Dade, Nassau
• High Intensity Financial Crime Areas (HIFCA) – South Florida
• Step 2: Analyzing the Risk Categories – Using CU’s data:
– Purpose of the account.
– Actual or anticipated activity in the account.
– Nature of the customer’s business/occupation.
– Customer’s location.
– Types of products and services used by the customer.
Pillar 1: Internal Controls – SAR
Suspicious Activity Report filing required for:
– Criminal violations involving insider abuse in any amount.
– Criminal violations aggregating $5,000 or more when a suspect
can be identified.
– Criminal violations aggregating $25,000 or more regardless of a
potential suspect.
– Transactions conducted or attempted by, at or through a credit
union aggregating $5,000 or more, if the credit union knows,
suspects or has reason to suspect that the transaction:
• May involve potential money laundering or other illegal activity.
• Is designed to evade the BSA or its implementing regulations.
• Has no business or apparent lawful purpose, or is not the type of
transaction that the particular member would normally be expected to
engage in, and the credit union knows of no reasonable explanation for
the transaction.
Pillar 1: SAR Systems and Safe Harbor
• Credit Unions must have policies and procedures in place to monitor
systems for suspicious activity, specifically regarding high risk
factors and refer those activities to those who investigate and decide
whether to file a SAR.
• “The decision to file a SAR is an inherently subjective
judgment”. CU … should not be criticized for the failure to file
a SAR unless the failure is significant or accompanied by
evidence of bad faith.
• Federal law (31 USC 5318(g)(3)) provides protection from civil
liability for all reports of suspicious transactions made to appropriate
authorities.
Pillar 1: SAR Filing
SARs must be filed:
• Electronically;
• No later than 30 days from the detection of facts constituting
the basis for filing.
• If no suspect is identified, the filing is extended to 60 days.
• 5 year record retention.
• Board should be kept aware of SAR filings.
• SARs are confidential, disclosure of the existence or non-
existence of a SAR is prohibited, especially to suspect
Member (and associates).
– Can be shared with Federal law enforcement and NCUA.
– Must not comply with subpoenas unless requested to do so by LE.
• Seek Counsel.
Pillar 1: Internal Controls – CTR
• File Currency Transaction Report (CTR) for each transaction
in currency (deposit, withdrawal, exchange, or other payment
or transfer) of more than $10,000.
• Multiple currency transactions totaling more than $10,000
during any one business day are treated as a single
transaction if the credit union has knowledge that they are by
or on behalf of the same person.
• Must be filed within 15 days after the date of the transaction.
• Bank Secrecy Act Currency Transaction Report
(BCTR)/electronic.
• 5 year record retention.
CTRs Use in Investigation… (NBC News)
Mandalay Bay shooter Stephen Paddock gambled with at least
$160,000 in the past several weeks at Las Vegas casinos,
according to senior law enforcement officials.
There were 16 Currency Transaction Reports, or CTRs, filed for
Paddock in recent weeks. The Treasury Department and the IRS
mandate that casinos file the reports for "each transaction in
currency involving cash-in and cash-out of more than $10,000 in
a gaming day."
The reports don't show whether Paddock won or lost or both on
the days in question. They do show that on same days there
were multiple transactions.
A source familiar with the investigation told NBC News that
Paddock was a frequent player "with the highest status" at
Caesars Entertainment properties in Las Vegas.
Pillar 2 - Training
At a minimum:
• the credit union’s training program must include employees whose
duties involve BSA.
• training should be tailored to the person’s specific responsibilities.
• In addition, an overview of the BSA/AML requirements typically
should be given to new staff during employee orientation.
• The BSA compliance officer should receive periodic training that is
relevant and appropriate given changes to regulatory requirements
as well as the activities and overall BSA/AML risk profile of the bank.
• Credit unions should document their training programs.
Pillar 3 - Audit (12 – 18 months)
Independent testing should, at a minimum, include:
• An evaluation of the overall adequacy and effectiveness
of the BSA/AML compliance program, including policies,
procedures, and processes.
• A review of the bank’s risk assessment
• Appropriate risk-based transaction testing
• An evaluation of management’s efforts to resolve
violations and deficiencies
• A review of staff training for adequacy, accuracy, and
completeness.
• A review of the effectiveness of the suspicious activity
monitoring systems (manual, automated, or a
combination) used for BSA/AML compliance.
Pillar 4 - Staff : BSA Officer
• The board of directors is responsible for ensuring that
the BSA compliance officer has sufficient authority and
resources (monetary, physical, and personnel) to
administer an effective BSA/AML compliance
program based on the bank’s risk profile.
– The BSA compliance officer should be fully
knowledgeable of:
• the BSA and all related regulations; and
• the bank’s products, services, customers, etc.
• The BSA compliance officer should regularly apprise the
board of directors and senior management of ongoing
BSA compliance.
CIP: Collect Member Information
Purpose: To enable the CU to form a reasonable belief that it
knows the identity of each member.
1. Identifying Info:
1. Name
2. DOB for individuals.
3. Address
4. ID = Tax ID = SSN
2. Verifying Info:
– Documentary - Unexpired government issued identification, such as:
• A driver’s license;
• Passport; or
• Military ID.
– Non-Documentary –
• Information obtained from a credit bureau, or against fraud and bad check databases
• References from other financial institutions
• Confirm information such as telephone number and address by contacting member
• Tax return or a financial statement
CIP: Verifying Member Information
• Procedures explaining verification and non-verification. (Flowchart)
• Identifying info must be kept for five years after the account is
closed.
– Included in this is documents used to verify the ID, with a full
description of such document.
– Methods used and results of verification.
– Results of discrepancies in ID.
• Must include cross reference of ID with federal terrorist list.
• Must provide notice to applicant that CU is requesting info to identify
their ID.
Information Sharing - Section 314(a) of the USA
PATRIOT Act (31 CFR 1010.520)
• Law Enforcement via FinCEN requests information on
suspects.
• Credit Union must review their current account or those active
previous 12 months, or transactions with suspect for six
months.
• Credit Union has 14 days to report matches.
• Credit Unions must develop policies and procedures to
process requests.
• Credit Union should document its: receipt, review and
response.
• Voluntary Information Sharing — Section 314(b) of the USA
PATRIOT Act (31 CFR 1010.540)
OFAC - Office of Foreign Assets Control
• Enforces sanctions on people, nations, entities.
• Credit Unions must regularly review the Specially Designated
Nationals (SDN) List against membership.
• Credit Unions must block or reject people or entities on the list
and report those transactions to OFAC.
• Must perform risk assessment:
– International funds transfers.
– Nonresident alien accounts.
– Foreign customer accounts. Etc…
• OFAC compliance pillars are essentially the same as for BSA.
Beneficial Owners : Due Diligence Rule – May 2018
• Must have written procedures designed to ID and verify legal entity
members.
• At minimum the procedures to verify the identity must contain elements of
CIP program already in place.
– develop risk profile regarding member relationships, monitor
activities for suspicious transactions.
– ID beneficial owners when new account is opened by:
• Using Beneficial Owner Certification Form in Appendix A; or (no
safe harbor)
• Collecting the info asked for on the form.
• Beneficial Owners –
– Those who own 25% or more of equity interest in a legal entity; &
– Those who control a legal entity. (CEO, CFO, President, Treasurer)
– For trusts that own 25% of entity, the beneficial owner is the trustee.
Beneficial Owners : Legal Entity Defined
• Legal Entity means: corp., LLC, or other entity created by filing a
public document with Sec. of State.
• Definition does not include:
– Financial institutions regulated by Fed. or state.
– The Fed. or state gov’t.
– Publicly traded companies or their subsidiaries.
– Issuers of registered securities, investment companies or
advisors.
– Public Accounting firms.
– Insurance companies regulated by the state.
– Non-US gov’t entity that doesn’t engage in commercial activities.
Beneficial Owners : Record keeping
• Credit union must establish procedures for making and maintaining
a record of all info obtained under the rule.
• The record must include at least:
– For identification: any identifying info in certification.
– For verification: description of documents relied upon or non-
documentary methods.
• Records must be retained for 5 years after the account is closed for
identification or 5 years after it is made for verification.
• Compliance date: May 11, 2018
Case Study 1: North Dade Community
Development Federal Credit Union
• FOM: Community charter – North Miami-Dade County, FL
• Employees: 5
• Assets: $4.1 million
• Serviced MSBs outside FOM, performing High Risk activities
in High Risk jurisdictions.
• 2013: MSBs transactions (90% of revenue) included:
– $54.8 million in cash orders,
– $1.01 billion in outgoing wires,
– $5.3 million in returned checks,
– $984.4 million in remote deposit capture.
• NCUA ordered C&D in 2013.
North Dade’s compliance with BSA:
1. Internal Controls
– Failed to assess money laundering and terrorist financing risks.
– Risk assessment wasn’t performed from 2009 until Nov. 2013.
– Inadequate controls to monitor suspicious activity and 3rd party vendors.
– 56 MSB accounts were serviced rather than the 1 vendor, without
additional assessments or monitoring.
– From 2010-13, one person accounted for 60% of business banking, they
filed over 2000 CTRs, but didn’t monitor the account as high risk.
– Failed to follow policy on MSBs without licenses, continued to service
MSBs.
2. BSA Officer- failed to designate.
3. Training- No record of Board or employee BSA training.
4. Audit: Had no evidence of BSA audit prior to C & D.
North Dade’s compliance with BSA:
3. Member Identification Program – Failed to ID MSBs.
“By not knowing its members, North Dade was not capable of
understanding their expected transactional behavior and thus
was unable to appropriately monitor for suspicious activities.”
4. SAR Reporting: - Filed only 15 SARs in a 3 year period.
– Failed to file SAR after Law Enforcement seized $1.5 million from MSB
owner/member.
5. Review 314(a) lists: Failed to review lists for 2 years.
FinCEN Fine: $300,000
Result: Liquidation
Case Study 2:
• FOM: low-moderate income in Bronx, NY
• Employees: 22
• Maintained internal controls to its membership since 2002.
• In 2011, began servicing MSBs, including those in high risk
jurisdictions with high risk activities (wires to Middle East). Did
not update internal controls.
• Relied on vendor for Due Diligence and monitoring of MSBs.
Bethex’s compliance with BSA:
1. Internal Controls
– In 2010, Bethex processed $657 million in domestic transactions.
– In 2012, Bethex processed over $4 billion in domestic and international
transactions, an increase of more than 300% without modifying its
controls. Generated high fee income.
– Failed to conduct risk assessment while transacting in 30 countries,
some high risk.
– Failed to perform Due Diligence – four MSBs owned by one person at
one address; one Mexican MSB it serviced wasn’t monitored.
– Failed to monitor suspicious activities, had insufficient staff.
2. BSA Officer
– Failed to have BSA officer with sufficient experience, authority, and
resources to ensure compliance.
– Willfully undermined controls by sending multiple wires under policy
threshold.
Bethex’s compliance with BSA:
3. Audit: Ignored auditor findings.
4. Training- Inadequate
• Suspicious Activity Reporting:
– Failed to file SARs for wires with high dollar amounts to Middle East.
– SARs were filed late and were inadequate.
FinCEN Fine: $500,000
Result: Liquidation
Takeaway from FinCEN Enforcement Actions.
1. Internal Controls:
– Don’t rely on 3rd party vendors for compliance.
– Don’t wire money abroad.
– Don’t service MSBs.
– Do - Update controls annually, specifically when introducing new
products and services.
2. BSA Officer- Hire sufficient and competent staff
3. Training- Annual training for Board and relevant
employees.
4. Audit:
– Independent.
– Listen to them.
SAR Filing Data
Month 2012 2013 2014 2015 2016
January - 12,232 65,898 66,101 70,460
February - 21,088 61,637 65,984 73,927
March 24 45,719 64,462 73,420 83,964
April 609 67,278 73,302 74,049 81,282
May 1,210 72,255 75,301 68,216 80,822
June 1,713 63,579 71,773 77,162 91,400
July 2,505 70,857 75,559 77,508 83,284
August 3,115 74,312 70,856 75,503 84,726
September 2,947 68,751 70,703 75,863 78,014
October 5,561 79,201 77,735 78,096 76,943
November 7,954 69,631 63,761 71,500 75,599
December 10,098 69,027 68,327 76,505 78,116
Subtotal 35,736 713,930 839,314 879,907 958,537
Total Filings 3,427,424
Civil Monetary Penalties After 1/15/17
• 12 U.S.C. 1829b(j) – Relating to Recordkeeping Violations For Funds Transfers: $20,111
• 12 U.S.C. 1955 – Willful or Grossly Negligent Recordkeeping Violations: $20,111
• 31 U.S.C. 5318(k)(3)(C) – Failure to Terminate Correspondent Relationship with Foreign Bank: $13,603
• 31 U.S.C. 5321(a)(1) – General Civil Penalty Provision for Willful Violations of Bank Secrecy Act Requirements: $54,789–$219,156
• 31 U.S.C. 5321(a)(5)(B)(i) – Foreign Financial Agency Transaction—Non-Willful Violation of Transaction: $12,663
• 31 U.S.C. 5321(a)(5)(C) – Foreign Financial Agency Transaction—Willful Violation of Transaction: $126,626
• 31 U.S.C. 5321(a)(6)(A) – Negligent Violation by Financial Institution or Non-Financial Trade or Business: $1,096
• 31 U.S.C. 5321(a)(6)(B) – Pattern of Negligent Activity by Financial Institution or Non-Financial Trade or Business: $85,236
• 31 U.S.C. 5321(a)(7) – Violation of Certain Due Diligence Requirements, Prohibition on Correspondent Accounts for Shell Banks, and Special Measures: $1,360,317
• 31 U.S.C. 5330(e) – Civil Penalty for Failure to Register as Money Transmitting Business: $8,084
Advocate for Changing BSA Regime
Recommendations for Changes by FAITH LLEVA ANDERSON
of American Airlines FCU at House Financial Services
Committee hearing titled, “Examining the BSA/AML Regulatory
Compliance Regime.”
1. SAR and CTR Forms Should Be Combined
2. Reporting Thresholds and Deadline to File Should Be
Increased to Reflect Today’s Environment. ($20k – $50k)
3. “Beneficial Owner” and Beneficiaries Requirements
4. Monetary Instrument Purchases – Remove Separate
Documentation.
Upcoming Events:
• BSA Seminar by Federal Law Enforcement
– Jan. 30 – Birmingham, AL
– Jan. 31 – Huntsville, AL
Note: The last element of the culture of
compliance.
• Nov. 7 Compliance Meeting – Avadian CU, Birmingham.