bank secrecy act: de-risk or up your game?

Bank Secrecy Act:De-Risk or Up Your

Game?Jay Postma, CAMSPresident

Compliance ConferenceSeptember 24, 2014

Industry Participation

Objectives

BSA/AML compliance demands an effective risk-based approach. FinCEN Director Jennifer Shasky-Calvary has noted that de-risking is "both healthy and unhealthy at the same time."

Wise banks take corrective action when they have "taken on more risk than they can control"; and, de-risking is problematic when a bank "cuts with a machete rather than a scalpel."

Learn about the risks of and best practices for serving: foreign customers; money services businesses (including those involved in digital currencies such as bitcoin), and third party payment processors.

The “4 Pillars”I. Development of Internal Policies, Procedures and Controls

Risk focused policiesProcedures for each area or functionControls to Ensure ComplianceMonitoring and Reporting Systems

II. Designation of Compliance OfficerSufficient time, resources and authority

III. Training ProgramContent based on current procedures and systemsRelevant to specific audience position and responsibilitiesDocumentation

IV. Independent TestingSufficient scope and testingReporting to the Board of DirectorsTimely action to address any concerns or weaknesses

Suspicious Activity

• Prevent

• Detect

• Report

• Assist

Human Trafficking

Elder Financial Abuse

Drug Trafficking

Terrorist Financing

Sea Change“As Director, I feel it is important that financial institutions take responsibility when their actions violate the BSA. And by accepting responsibility, it is not just about admitting to the facts alleged in FinCEN’s enforcement action. It is also about admitting a violation of the law. Over the last year, we have changed our practice at FinCEN to one in which our presumption is that a settlement of an enforcement action will include an admission to the facts, as well as the violation of law. And, we have begun implementing this practice in our enforcement actions against all sizes and types of financial institutions.

Integrity and transparency goes a long way. It is a great bestowal of trust that enables financial institutions to be part of the U.S. financial system, to be part of the global financial system. And that trust -- that privilege -- comes with obligations. One of those obligations is a responsibility to put effective AML controls in place so criminals and terrorists are not able to operate with impunity in the U.S. financial system.

As FinCEN’s recent enforcement actions show, FinCEN will act under such circumstances to protect the integrity and transparency of the U.S. financial system.”

Jennifer Shasky Calvery, Director, FinCENFIBA, Anti-Money Laundering Conference

February 20, 2014

De-riskingDe-risking is the purposeful rejection or termination of financial relationships with groups of customers or lines of business considered high risk under BSA/AML standards.

Money Services Businesses (MSBs)Third Party Payment Processors (TPPPs)EmbassiesCorrespondent BanksForeign PersonsMedical MarijuanaGambling / CasinosGun / ammo retailersadult entertainment

Impact of De-Risking

• Reputation and Public Relations Compromised

• Lost Revenue and Profits• Collateral Damage• Transfer of Risk - Not Decreased Risk• Broader financial concerns

AML Regulations NOT meantto shut legitimate business out

of the financial system“Recently, we have been hearing about instances of ‘de-risking,’ where money services businesses (MSBs) are losing access to banking services because of perceived risks with this category of customer and concerns about regulatory scrutiny. Some financial institutions also state that the costs associated with maintaining these accounts outweigh the benefits. But just because a particular customer may be considered high risk does not mean that it is ‘unbankable’ and it certainly does not make an entire category of customer unbankable. Banks and other financial institutions have the ability to manage high risk customer relationships.

It is not the intention of the AML regulations to shut legitimate business out of the financial system. I think we can all agree that it is not possible for financial institutions to eliminate all risk. Rather, the goal is to provide banking services to legitimate businesses by understanding the applicable risks and managing them appropriately.”


February 20, 2014

Decisions of Board and Senior Management

“The fact is, when we look at the issues underlying BSA infractions, they can almost always be traced back to decisions and actions of the institution’s Board and senior management.”

Deficiencies fall into four (4) areas:

Culture of ComplianceResources Committed to BSA complianceStrength of Information Technology and monitoring processesQuality of risk management

Thomas J. CurryComptroller of the Currency

ACAMS, March 17, 2014

Walk the TalkBoard and senior management must send right message AND also “walk the talk”

by ensuring that there is an alignment between good compliance practices and the bank’s system of compensation and incentives.by providing increased resourcesby increasing the authority and status of the BSA Officer within the organizationby ensuring proper incentives are incorporated throughout the organization



IMPROVEMENT desired over De-

RiskingImproving is a trend we want to encourage

“And it’s clearly a better option than simply abandoning customers in higher risk categories because a lack of resources makes it difficult to manage the risk.”



Categories too risky to bank?

“Some argue that, in the current regulatory environment, there are whole categories of businesses that are too risky to bank. I understand why you would want to be cautious – some types of businesses are more risky than others and require a higher level of due diligence. And in all candor, BSA is an area of intense scrutiny, by banking regulators and law enforcement. “

“However, that’s why we support a risk-based approach.”

“Even in areas that traditionally have been viewed as inherently risky, you should be able to appropriately manage the risk.”

“You shouldn’t feel that you can’t bank a customer just because they fall into a category that on its face appears to carry an elevated level of risk. Higher-risk categories of customers call for stronger risk management and controls, not a strategy of total avoidance. “

“Obviously, if the risk posed by a business or an individual is too great to be managed successfully, then you have to turn that customer away. But you should only make those decisions after appropriate due diligence.”



Step Up Our Game

“It’s clear that we all need to step up our game, both banks and Government alike, because the challenges are growing by the day. In part, that’s because the bad guys are stepping up their game. But it’s also because of the impact of technology. Technology is not only changing the way we live, but it’s reshaping the payments system, broadening the choices available to businesses and consumers, and even allowing payment and clearing mechanisms to exist outside the traditional banking and thrift industries.”



Culture of Compliance

FinCEN’s recent Advisory does NOT say anything that you have not heard before…

It is another tool you can use to influence your organization’s leadership…

to help them live and breathe BSA/AML the same way that you do.

“Based on the enforcement cases I have seen time and time again, both during my time as a prosecutor at the U.S. Department of Justice and now as Director of FinCEN, I can say without a doubt that a strong culture of compliance could have made all the difference. If I were to find myself responsible for BSA/AML compliance within any financial institution, my first order of business would be to pay attention to these core, fundamental concepts. Because once you have a strong culture in place, including the support of your institution’s leadership, you have a firm foundation on which to build an effective program.”


February 20, 2014

Compliance - Defined

Fulfillment (n)

ObservanceConformityDisobedience (antonym)

Obedience (n)

AcquiescenceAgreementFalling in lineSubmissionResistance (antonym)

Compliance is: Doing it right the first time...Adhering to internal policies and procedures… Maintaining a standard that is in accordance with laws and regulations

What’s Your Culture?

Signs of a lax, Non-Compliance Culture?

FinCEN’s Culture guidance – FIN-2014-A007Advisory to U.S. Financial Institutions on Promoting a Culture of Compliance

Have you shared the guidance with your Board and senior management team?

6 Ways to Strengthen Your Program

A financial institution can strengthen its BSA/AML compliance program by ensuring:1. Engaged Leadership

“its leadership actively supports and understands compliance efforts”2. Compliance not compromised

“efforts to manage and mitigate BSA/AML deficiencies and risks are not compromised by revenue interests”

3. Lines of Communication“relevant information from the various departments within the organization is shared with compliance staff to further BSA/AML efforts”

4. Human and Technological Resources“the institution devotes adequate resources to its compliance function”

5. Competent Independent Testing“the compliance program is effective by, among other things, ensuring that it is tested by an independent and competent party”

6. Purpose“its leadership and staff understand the purpose of its BSA/AML efforts and how its reporting is used”

Hard Target or Soft Pushover?

Do not compromise yourself withlack of knowledgelack of necessary informationlack of understandingexceptions to policies and procedurespoor documentationlack of focus or willpower

Will you be a wet noodle? A mouse?

Understand Your Markets

Stay on the Safe Side

• Recognize Danger• Be Cautious and Think• Staying Safe is the

reward for knowing what to do and doing it

Money Services Businesses

“MSBs play a vital role in our economy and provide valuable financial services, especially to individuals who may not have easy access to the formal banking sector.”

“FinCEN is joined by the Federal Banking Agencies in continuing to support the applicability of this guidance. Recently, officials from both the Federal Reserve Board and Office of the Comptroller of the Currency underscored in Congressional testimony that the joint guidance issued in 2005 remains in effect today. Scott Alvarez, the Federal Reserve Board’s General Counsel, stated: ‘That [the] guidance confirms that banking organizations may provide banking services to MSBs that operate lawfully. The guidance is intended to assist banks in the decision to open and maintain accounts for legitimate businesses by identifying the programs and procedures they should have in place to perform customer due diligence and monitoring of these customers for suspicious activity.’


February 20, 2014

WHY would someone use an MSB?

Convenience and Control• Hours and locations• Transaction based, immediacy, price

transparency, valueFunds Availability• Immediate cash for checks; risk transference /

no NSFs• Immediate / Guaranteed Prompt payment

Language and CultureAccessibility• Simple & easy to understand services• No special skills required

Anonymity

Challenges faced by MSBs

Bank service discontinuance; lack of in market services

Decreased transaction volumes and revenues

• minimal commercial checks

• increased check fraud risks- tax returns, mobile capture

Increasing competition for customers

High regulatory and banking compliance expectations

Common Issues identified MSB Independent Reviews

Independent Review• Only performed when notified of impending IRS or GA DBF

exam• Only performed when specifically requested by bank• Issues previously identified by independent review or

regulators not being corrected - repeat findings License, sign and/or pricing not posted.

No employee background checksFinCEN registration• expired, needing late renewal• re-registration not filed after change of ownershipRisk assessment not present or no evidence of ongoing review/updatesCompliance program inadequate, incomplete, generic, incorrect• or no evidence of ongoing review/updating amid changesTraining - lack of documentation, or inadequateCTRs and SARs - minor form completion errors; late

Bankers’ Concernsin Serving MSBs

High Degree of Risk and Exposure Associated with MSBs

• Risky Business... unsophisticated, inadequate risk management

• Tons of cash!• Unknown, Vague, Shady source of cash• Criminals can abuse MSBs• Difficult to understand, monitor and manage the

MSB relationships

Negative Perceptions

Law Enforcement and Banking Regulators often perceive MSBs as …• being used by either criminals, shady/bad people, or by

uneducated, uninformed or foolish consumers who would be better served by a bank• “The Un-banked” - “The Under-Banked” - “The Self-

Banked”• being insufficiently regulated• being subject to insufficient examination• being irresponsible, incompetent, inattentive, reckless...

Challenging / Difficult

• Regulatory rules and issues can be complex• Bank may not sufficiently understand customer

business or risks• May result in gaps with bank compliance and

risk management• May result in bank compliance issues, regulatory

risks

Regulatory Expectations for the Bank

• Effective supervision/monitoring of MSB relationships

• Reasonable understanding of MSB risks• Meaningful additional action on higher

potential risks

Interagency guidance since 2005, FFIEC BSA/AML Exam manual, and best practices...

• Low Risk? - registration and licensing• High Risk? - expanded due diligence• Price appropriately• Recourse and collateral considerations• Security considerations• Ongoing monitoring

Risk of MSBs•Principal Money Transmitter (high risk areas)•Principal Money Transmitter (lower risk areas)•Full Service MSB / Principal Check Casher, multi-store, high dollar,

non-natural persons•Full Service MSB / Principal Check Casher, multi-store, high dollar•MSB Agent, money transfer services limited to high risk areas•Full Service MSB/ Principal Check Casher, multi-store, low dollar•Full Service MSB/ Principal Check Casher, one store•Offers MSB services including check cashing, low dollar, limited

scope (e.g. payroll)•Offers MSB services - agent only, not dedicated to serving high risk

areas

Note that higher potential risk MSBs can be lower risk due to mitigation efforts.

Bank Requirements for Higher Risk MSBs

• Initial & ongoing site visit, inspection, staff interviews

• Negative news monitoring• Independent Review

• Scope. Reviewer. Reporting. Management responses.

• 3rd Party review on behalf of bank• Assessment of foreign government oversight

Core needs of the bank

• Meaningful, complete background - CIP & CDD• Confirm FinCEN registration• Confirm State licensing• Confirm Agent status• Ability to assess risks• Ability to monitor• Address Credit Risk / Exposure

Bank Pricing of MSB Accounts

• Analysis

• Compliance Surcharge

• Set cash limits / require armored courier service

• Consider additional collateral

Bank monitoring of MSBs

• Verify FinCEN registration, state licensing• Ongoing Extended Due Diligence on higher

risk MSBs• Independent Reviews• 3rd party review on behalf of bank

• Large fluctuations / change in volume - reasonable?

• Check cashing concentration, non-natural persons

• Out of market deposits

Reasonable Considerations for MSBs wanting to keep and establish

banking relationships• Communication, transparency, responsiveness

• Don’t assume your bank understands what you do and want makes sense

• Help the bank accurately understand risks• Provide documented evidence of

compliance• Be sure your relationship is beneficial to

the bank• Maintain sound credit and security

practices

Common Bank Issuesre MSBs

• Not understanding MSB customers and that each have different risks

• Failure to reasonably risk rate MSBs, distinguish between higher and lower risk MSB customers, identify changes in risk exposure over time

• Poorly defined policies and procedures regarding MSB relationships

• Incorrectly identifying all MSBs as high risk then not following FinCEN guidance or Board approved policies regarding monitoring

• Not setting and maintaining reasonable standards for performance• Not extending bank culture of compliance to MSB relationships

• Not charging MSBs appropriately for services rendered• Missing security implications of large cash deposits or withdrawals• Not considering credit risks of MSB relationships• Accepting poor quality independent reviews• Lack of documented customer visitation• Lack of 3rd party review on behalf of bank for high risk entities

Third Party Payment Processors

Money Transmittermoves money on behalf of sender to receiver

Third Party Payment Processormoves money on behalf of receiver from sender for settlement of a transaction other than the funds transfer itself

• NOT currently directly subject to Bank Secrecy Act compliance

• provides gateway to banking system• State money transmitter licensing may be required• subject to examination by state(s) where licensed• 3rd party review on behalf of servicing bank(s)

TPPP Overview• A bank’s business customer that uses its deposit

relationship to process payments on behalf of other businesses.

• Bank provides channel for clearing and settlement a variety of payment types: ACH, checks, payment cards, digital currencies, etc.• May include electronic checks created through

Remote Deposit Capture, or• Remotely Created Checks (RCCs) that never

existed in paper form.• Differs from traditional business banking

relationships where payment transactions (e.g., ACH, checks, etc.) are made on behalf of the business customer.

TPPP Merchant Clients

• What type of merchants? Risk level?• How are merchants qualified and accepted?

• Who is served under what conditions?• How and when are merchant relationships terminated?

Higher Potential RiskMerchants / Activities

Ammunition Sales“As Seen on TV”Coin DealersCredit Card SchemesCredit Repair ServicesDating ServicesDrug ParaphernaliaEscort ServicesFirearms/Fireworks SalesGamblingGet Rich Quick ProductsGovernment GrantsHome Based

Charities/Businesses

Life Time GuaranteesMembership/Purchasing ClubsPyramid Type SalesPay Day LoansPharmaceutical SalesPornographyPonzi SchemesRacist materialsRaffles/SweepstakesSurveillance equipmentTelemarketingTobacco SalesTravel Clubs

TPPP Red Flags• Significant Consumer Complaints

• unauthorized, misrepresented, intimidated, threatened into providing account information

• High level of unauthorized returns/charge-backs• Unverifiable merchant information (e.g.,

website, business registration, etc.)• Unexpected volume/value activity or change• Prior civil, criminal and regulatory actions

against processor or its principals• Law enforcement inquiries

Bank’s MinimumResponsibilities

• Comprehensive Policies and Procedures• Assess risk of TPPPs (including review of merchant

clients)• Review Contracts with Processors and Sub-Processors• Establish sound and enforceable contractual

requirements for all parties• In-Depth Enhanced Due Diligence• Evaluate Due Diligence Performed by Processors on

Merchants they work with • Perform Ongoing Monitoring

• Consumer complaints• High rates of returns or charge backs

• Establish and Maintain Adequate Reserve Accounts• Ongoing Training- staff can effectively monitor/identify

problems

Reliance on TPPPs• Banks must not rely entirely on TPPP

systems for merchant approval and monitoring.

• Cursory merchant reviews without ensuring appropriate ongoing monitoring of the TPPP and transaction activity is inappropriate.

• Any reliance placed on TPPP for initial or ongoing tasks need to be verified periodically by external and/or bank review of TPPP policies, procedures, and processes

TPPP Best Practices

• Require TPPP to provide documented analysis / legal opinion regarding potential state licensing issues

• Require TPPP to have written risk-based BSA/AML program

• independent review; 3rd party review• Periodic bank review and/or 3rd party examination

• Negative news monitoring of TPPP, merchant clients

Remember!

• Bank retains ultimate responsibility for all transactions flowing through the bank.

• Must file SARs on unusual or suspicious activities

• Bank must have sufficient understanding of each TPPP and its merchant processing to identify unusual activity.

Questions?Jay Postma, CAMSPresidentMSB Compliance [email protected](678) 389-9068

www.LinkedIn.com/in/jaypostmawww.MSBComplianceInc.comwww.Twitter.com/MSBCompliance

Weekly newsletter: paper.MSBComplianceInc.com