Bank Secrecy Act (BSA)/Anti-Money Laundering (AML) Compliance Update

Kim Stock, CRCM

Source

• The Bank Secrecy Act (BSA) requires all financial institutions, casinos, and certain other businesses to: Monitor customer behavior File reports on transactions that meet

certain dollar amounts or on transactions that are suspicious

Maintain records of certain transactions

BSA

Source

• Financial Crimes Enforcement Network (FinCEN): Bureau of the United States Department of the

Treasury whose mission is to safeguard the financial system from illicit use and combat money laundering and promote national security through the collection, analysis, and dissemination of financial intelligence and strategic use of financial authorities.

Final interpreter of the Bank Secrecy Act https://www.fincen.gov/

FinCEN

Source

• Financial institutions aid U.S. government agencies and law enforcement by uncovering criminal activities such as money laundering, drug trafficking, tax fraud, and possible terrorist financing.

Monitoring Customer Behavior

Source

• Money laundering is when illegal money is brought into mainstream circulation.

• Launderers hide the source of these illegal funds by making a series of intricate transactions. The true source of the money is “washed away.”

It has been estimated that more than $300 billion is laundered each year in the U.S. alone. More than 81,000 people are convicted of money laundering on some level each year in the U.S.

Money Laundering

Source

• Placement – the first stage in the washing cycle. Money laundering involves a “cash intensive” business generating vast amounts of cash from illegal activities (for example, dealing drugs where payment takes the form of cash). The cash is placed into the financial system, and to avoid detection is transformed into other asset forms, such as purchasing monetary instruments like travelers checks. "Dirty" money is most vulnerable to detection and seizure during placement.

Stages of Money Laundering

Source

• Layering - separating the illegally obtained money from its source through a series of financial transactions that makes it difficult to trace the origin. A few of the many mechanisms that may be misused during layering are currency exchanges, wire transmitting services, prepaid cards that offer global access to cash via automated teller machines and goods at point of sale.

Stages of Money Laundering

Source

• Integration – final stage in the process, where illegal funds are converted into a seemingly legitimate form. Integration may include the purchase of businesses, automobiles, real estate and other assets. Integration of the "cleaned" money into the economy is accomplished by the launderer making it appear to have been legally earned. By this stage, it is exceedingly difficult to distinguish legal and illegal funds

Stages of Money Laundering

Source

• The Currency Transaction Report (CTR) records cash transactions that exceed $10,000.

• Current CTR Form-http://sdtmut.fincen.treas.gov/news/FinCENBCTR.pdf

• CTR FAQ-http://www.fincen.gov/whatsnew/html/ctr_faqs.html

Filing Reports

Source

• The Suspicious Activity Report (SAR)records any known or suspected federal violation of federal law.

• Current SAR Form-http://sdtmut.fincen.treas.gov/news/FinCENBSAR.pdf

• SAR FAQ-http://www.fincen.gov/whatsnew/html/sar_faqs.html

Filing Reports

Source

• A SAR must be filed on any known or suspected federal violation of law. Suspicious activity requires reporting if it involves: Criminal violations involving insider abuse in

any amount. Criminal violations aggregating $5,000 or more

when a suspect can be identified. Criminal violations aggregating $25,000 or

more regardless of a potential suspect.

SAR

Source

• Activity is not consistent with the customer’s business

• Unusual characteristics or behavior• Customer attempts to avoid reporting or

record keeping requirements• Insufficient information is provided by the

customer

Business goes from depositing funds once a week to several times a day at different branches. Customer visits safe deposit box each time before making a deposit. A customer asks the reporting amount for a CTR. A customer who gives no record of past or present employment is making frequent large cash transactions. The cash to be deposited smells like marijuana, cash absorbs smells.

SAR

Source

• Detecting Suspicious Activity Is the activity reasonable for that

customer? Whether the action is ultimately

fraudulent is up to law enforcement to decide.

SAR

Source

• The records related to the identity of a customer must be maintained for five years after the account (e.g., loan, deposit, or trust) is closed.

• Additionally, on a case-by-case basis (e.g., U.S. Treasury Department Order, or law enforcement investigation), a financial institution may be ordered or requested to maintain some of these records for longer periods.

Maintaining Records

Source

• Financial institutions are required to have a written policy which provide for: Internal controls Independent testing An individual responsible for

BSA/AML compliance Training for appropriate personnel

BSA Compliance Program

Source

• The board of directors, acting through senior management, is ultimately responsible for ensuring that the financial institution maintains an effective BSA/AML internal control structure, including suspicious activity monitoring and reporting.

• The board of directors and senior management should create a culture of compliance to ensure staff adherence to the financial institution’s BSA/AML policies, procedures, and processes.

• The level of sophistication of the internal controls should depend on the size, structure, risks, and complexity of the financial institution.

Internal Controls

Source

• Internal controls should:

Identify products, services, customers, entities, and geographic locations more vulnerable to abuse by money launderers and criminals

Provide for periodic updates to the financial institution’s risk profile and provide for a BSA/AML compliance program tailored to manage risks

Inform the board of directors and senior management of compliance initiatives, identified compliance deficiencies, corrective action taken and when SARs are filed

Internal Controls

Source

• Internal controls should:

Meet all regulatory recordkeeping and reporting requirements

Identify a person or persons responsible for BSA/AML compliance

Provide for dual controls and the segregation of duties Train employees to be aware of their responsibilities

under the BSA regulations and internal policy guidelines

Internal Controls

Source

• Independent testing (audit) should be conducted by the internal audit department, outside auditors, consultants, or other qualified independent parties every 12 to 18 months.

• Evaluate the overall adequacy and effectiveness of the BSA/AML compliance program

• Review the financial institution’s risk assessment • Perform risk-based transaction testing to verify the

financial institution’s adherence to the BSA recordkeeping and reporting requirements (e.g., CIP, SARs, CTRs and CTR exemptions)

• Review staff training for adequacy, accuracy, and completeness

Independent Testing

Source

• Evaluate senior management’s efforts to resolve violations and deficiencies noted in previous audits and regulatory examinations

• Review the effectiveness of the suspicious activity monitoring systems used for BSA/AML compliance (for example, suspicious activity monitoring report, large currency aggregation report, monetary instrument records, funds transfer records, NSF reports, large balance fluctuation reports and kiting reports)

• Assess the overall process for identifying and reporting suspicious activity, including reviewing filed or prepared SARs to determine their accuracy and timeliness

Independent Testing

Source

• The board of directors must designate a qualified individual to serve as the BSA compliance officer to coordinate and monitor day-to-day BSA/AML compliance. However, the board of directors is ultimately responsible for the financial institution’s BSA/AML compliance.

• The board of directors is responsible for ensuring that the BSA compliance officer has sufficient authority and resources (monetary, physical, and personnel) to administer an effective BSA/AML compliance program based on the financial institution’s risk profile.

BSA Officer

Source

• The BSA compliance officer should be fully knowledgeable of the Bank Secrecy Act and all related regulations. The BSA compliance officer should also understand the financial institution’s products, services, customers, entities, and geographic locations, and the potential money laundering and terrorist financing risks associated with those activities.

• Pertinent BSA-related information, including the reporting of SARs filed with FinCEN, should be reported to the board of directors or an appropriate board committee so that these individuals can make informed decisions about overall BSA/AML compliance.

BSA Officer

Source

• Include regulatory requirements and the financial institution’s internal BSA/AML policies, procedures, and processes

• Should be tailored to the person’s specific responsibilities• An overview of the BSA/AML requirements typically should

be given to new staff during employee orientation• Teller training, for example, would focus on large currency

transactions or other suspicious activities• The BSA compliance officer should receive periodic training

that is relevant to changing regulatory requirements

BSA Training

Source

• Lender training, for example, would provide scenarios involving money laundering through lending arrangements

• Training programs which include training and testing materials, the dates of training sessions, and attendance records should be documented and maintained and be available for examiner review

• Board of directors training should explain the importance of BSA/AML regulatory requirements, the ramifications of noncompliance, and the risks posed to the financial institution.

BSA Training

Source

• Customer Identification Program (CIP) is the minimum standards required under the USA PATRIOT ACT for identifying and verifying the identity of persons opening accounts

• After September 11th, President Bush signed into law the Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism (USA PATRIOT) Act

• One way to combat money laundering is for financial institutions to know their customers.

• CIP must be applied to all new customers who open accounts. It does not apply to existing customers.

CIP

Source

• Provide customers with adequate notice that the bank is requesting information to verify their identities before the account is opened. Examples include posting a notice in the lobby, on a Web site, or within loan application documents.

• IMPORTANT INFORMATION ABOUT PROCEDURES FOR OPENING A NEW ACCOUNT — To help the government fight the funding of terrorism and money laundering activities, federal law requires all financial institutions to obtain, verify, and record information that identifies each person who opens an account. What this means for you: When you open an account, we will ask for your name, address, date of birth, and other information that will allow us to identify you. We may also ask to see your driver’s license or other identifying documents.

CIP

Source

• At a minimum, the following identifying information must be obtained from each customer before an account is opened: Name Date of Birth (for individuals) Residential or business street address Tax Identification Number

CIP

Source

• Procedures to be used to verify a customer’s identity A list of documents acceptable as primary

identification such as drivers license, valid passport, military ID, valid state I.D. Card or U.S. alien registration

A list of secondary identification such as an insurance card, social security card, utility bill or voters registration card

Allowed to make copies of drivers licenses. Not permitted to make copies of military ID’s, this is a federal crime. Can write the information down. Should not make copies of credit cards. Can write the last 4 numbers down. Secretary of State website – look to see if business is active and in good standing.

CIP

Source

• Procedures of non-documentary methods to be used Chex Systems Telecheck Credit Reporting Agencies Secretary of State Web Site for

Businesses

Subject to Fair Credit Reporting Act . Must have a permissible purpose to pull report or obtain written permission from the consumer in advance. If pull report on account owner, no written authorization is required. But need it if pull report on authorized signers on consumer & business accounts or if the consumer is acting as a fiduciary on any account.

CIP

Source

• Three Basic Rules Verify the identity of the person opening the

account Maintain records for 5 years after the account

is closed Check government lists (Office of Foreign

Assets and Control) (OFAC)

• CIP FAQ’shttp://www.ffiec.gov/bsa_aml_infobase/documents/BSA_AML_FAQ.pdf

CIP

Source

• 314 of the USA Patriot Act allows financial institutions to share customer information to assist law enforcement agencies. Law enforcement submits a formal request to FinCEN

naming individuals and businesses that are persons of interest.

FinCEN compiles a list, assigns tracking numbers and emails points of contact designated by financial institutions every other Tuesday notifying them that a new request list is available on the Secure Information Sharing System (SISS).

314 (a)

Source

• Searching customer records within 14 calendar days Transactions linked to an account must be searched for

the preceding 12 months Transactions not linked to an account should be

searched for the preceding 6 months Deposit records, loan records, trust department

account records, safe deposit records, securities transactions, remitters of monetary instrument sales, funds transfer records (originators and incoming recipients)

Document the searches

314 (a)

Source

• 314 (b) enables financial institutions to share information with each other if they are registered Must verify the registration of the other

institution involved Only if both institutions believe terrorist

activity, money laundering or unlawful activity is involved

Add to policy and procedures before you register

314 (b)

Source

• FFIEC BSA/AML Examination Manual Contains an overview of BSA/AML compliance program

requirements, risk management expectations, industry sound practices, and examination procedures. The development of this manual was a collaborative effort of the federal and state banking agencies. The Federal Financial Institutions Examination Council (FFIEC) was established in March 1979 to prescribe uniform principles, standards, and report forms and to promote uniformity in the supervision of financial institutions.

https://www.ffiec.gov/bsa_aml_infobase/pages_manual/manual_online.htm

BSA/AML Resource

Source

• Inadequately monitoring suspicious activity• Failure to identify and monitor high risk

customers• Failure to conduct adequate risk

assessments

APPENDIX J: QUANTITY OF RISK MATRIXhttps://www.ffiec.gov/bsa_aml_infobase/pages_manual/OLM_110.htm

Common BSA Findings

Source

• Inadequate BSA/AML training for the employees and the board

• Failure to obtain independent testing• Failure to file a CTR• Failure to search records for 314(a) in a

timely manner• Failure to identify and monitor Money

Service Business (MSB) customers

• Instead of asking customer if they are a MSB, ask them if they ever cash 1 or more checks totaling $1,000 or more for one customer in a single day

Common BSA Findings

Source

• Failure to obtain minimum CIP information

• Failure to file a timely SAR• Failure to monitor wire transfers• Failure to monitor monetary

instrument sales• BSA Officer lacks expertise and

knowledge of the regulations

Common BSA Findings

Source

• Violations of BSA requirements may hold the following penalties: Civil penalties of $1000 per day for each day of

noncompliance A penalty of $500 per violation of the recordkeeping

requirements of the BSA Willful violations may cause civil penalties in an amount

equivalent to that of the transaction or $25,000, whichever is greater

If a required CTR is not filed within 15 days, a $10,000-per-day civil penalty may be imposed until it is filed

Continued noncompliance can result in the issuance of a “Cease & Desist” order from the FDIC

BSA/AML is not a compliance issue but a safety and soundness issue which affects your camel rating and the growth of your institution, for example, an application to open a new branch could be denied

Penalties for Noncompliance

Source

• Any individual who willfully violates the structuring provisions may be fined $250,000 and/or imprisoned for five years.

• Any individual who willfully violates the structuring provisions while violating another federal law, may be fined $500,000 or imprisoned for ten years.

Penalties for Noncompliance

Source

• It is extremely important for financial institutions to inform their employees that it is not necessarily the financial institution that will suffer the penalty for non-compliance, but it could actually be the employee paying the fine and going to jail.

Penalties for Noncompliance

Source

• Federal Deposit Insurance Corporation (FDIC) determined that a financial institution in West Virginia failed to implement an effective BSA/AML Compliance Program over an extended period of time

• $4.5 million civil money penalty assessed on June 15, 2015, against the financial institution with $96 million in assets

• Inadequate internal controls resulted in unacceptable risk to the financial institution in terms of unlawful financial transactions

• Financial institution failed to file multiple currency transaction reports and suspicious activity reports associated with this risk

Civil Money Penalties

Source

• FDIC determined that a financial institution in California failed to implement an effective BSA/AML Compliance Program over an extended period of time

• $140 million civil money penalty assessed on July 22, 2015, against the financial institution with $500 million in assets

• Failure to retain a qualified and knowledgeable BSA officer • Failure to maintain adequate internal controls reasonably

designed to detect and report unlawful financial transactions and other suspicious activities

• Failure to provide sufficient BSA training and conduct effective independent testing

• Citigroup Inc. in October was planning to close its three-branch Banamex USA subsidiary in San Jose, Los Angeles and Houston

Civil Money Penalties

What’s Next?

Source

• Effective Date Unknown Still a proposal, comments were due last

October 3, 2014 Will become effective one year from the

date the final rule is issued It is expected that FinCEN will move

forward and require the identification of beneficial owners

Customer Due Diligence (CDD)

Source

• Enhanced Requirements Establishing and verifying the identity of

customers Establishing and verifying the identity of

beneficial owners Understanding the nature and purpose of

customer relationships Monitoring to maintain and update customer

information and to identify and report suspicious transactions

Develop understanding of normal expected activity to differentiate between low and high risk customers. For example, lawyers have erratic payments so they pose a higher risk

Customer Due Diligence (CDD)

Source

• Collection of Beneficial Ownership Facilitates tax reporting Increases the transparency of U.S. legal

entities Facilitates global implementation of

international standards Increases efficiency in monitoring

accounts for suspicious activity

Customer Due Diligence (CDD)

Source

• Beneficial Owner Definition is two-pronged – focusing on ownership and

control Ownership – any individual who directly or indirectly

owns 25% or more of the equity interests of a legal entity customer (no more than four individuals)

Control – one individual with significant responsibility to control, manage or direct a legal entity, including an executive officer, senior manager or anyone who performs similar functions

Customer Due Diligence (CDD)

Source

• Standard Certification Form Requires an individual at account opening

to provide each beneficial owner’s name, date of birth, address and social security number (for U.S. persons or other similar identification for foreign persons)

Requires an individual to certify the genuineness of the information provided

Customer Due Diligence (CDD)

Source

• Standard Certification Form Financial institutions should retain this

form and any related identifying information collected for five years after the date an account is closed

Located on pg. 22 at the following link-http://www.fincen.gov/statutes_regs/files/CDD-NPRM-Final.pdf

Customer Due Diligence (CDD)

Source

• Amendments to the “Pillars” of the AML Program Add a Fifth Pillar: Appropriate risk-based procedures

for conducting ongoing CDD that include:• Understanding the nature and purpose of the

customer relationship in order to develop a customer risk assessment

• Conducting ongoing monitoring to maintain and update customer information and to identify and report suspicious transactions

Customer Due Diligence (CDD)

Questions?

Contact InformationKim Stock, CRCM

Senior Compliance Analystkstock@shazam.net

(800) 537-5427 Ext. 2971