Bank Secrecy Act:

De-Risk or Up Your Game?

Jay Postma, CAMS

President

Compliance Conference

September 24, 2014

Industry Participation

Objectives

BSA/AML compliance demands an effective risk-based

approach. FinCEN Director Jennifer Shasky-Calvary has noted

that de-risking is "both healthy and unhealthy at the same time."

Wise banks take corrective action when they have "taken on

more risk than they can control"; and, de-risking is problematic

when a bank "cuts with a machete rather than a scalpel."

Learn about the risks of and best practices for serving: foreign

customers; money services businesses (including those

involved in digital currencies such as bitcoin), and third party

payment processors.

The “4 Pillars”I. Development of Internal Policies, Procedures and Controls

Risk focused policies

Procedures for each area or function

Controls to Ensure Compliance

Monitoring and Reporting Systems

II. Designation of Compliance Officer

Sufficient time, resources and authority

III. Training Program

Content based on current procedures and systems

Relevant to specific audience position and responsibilities

Documentation

IV. Independent Testing

Sufficient scope and testing

Reporting to the Board of Directors

Timely action to address any concerns or weaknesses

Suspicious Activity

• Prevent

• Detect

• Report

• Assist

Human Trafficking

Elder Financial Abuse

Drug Trafficking

Fraud

Terrorist Financing

Sea Change

“As Director, I feel it is important that financial institutions take responsibility when

their actions violate the BSA. And by accepting responsibility, it is not just about admitting

to the facts alleged in FinCEN’s enforcement action. It is also about admitting a

violation of the law. Over the last year, we have changed our practice at FinCEN to one

in which our presumption is that a settlement of an enforcement action will include an

admission to the facts, as well as the violation of law. And, we have begun implementing

this practice in our enforcement actions against all sizes and types of financial institutions.

Integrity and transparency goes a long way. It is a great bestowal of trust that enables

financial institutions to be part of the U.S. financial system, to be part of the global financial

system. And that trust -- that privilege -- comes with obligations. One of those obligations

is a responsibility to put effective AML controls in place so criminals and terrorists are not

able to operate with impunity in the U.S. financial system.

As FinCEN’s recent enforcement actions show, FinCEN will act under such circumstances

to protect the integrity and transparency of the U.S. financial system.”

Jennifer Shasky Calvery, Director, FinCEN

FIBA, Anti-Money Laundering Conference

February 20, 2014

De-risking

De-risking is the purposeful rejection or termination of

financial relationships with groups of customers or lines

of business considered high risk under BSA/AML

standards.

Money Services Businesses (MSBs)

Third Party Payment Processors (TPPPs)

Embassies

Correspondent Banks

Foreign Persons

Medical Marijuana

Gambling / Casinos

Gun / ammo retailers

adult entertainment

Impact of De-Risking

• Reputation and Public Relations Compromised

• Lost Revenue and Profits

• Collateral Damage

• Transfer of Risk - Not Decreased Risk

• Broader financial concerns

AML Regulations NOT meant

to shut legitimate business out

of the financial system

“Recently, we have been hearing about instances of ‘de-risking,’ where money

services businesses (MSBs) are losing access to banking services because of

perceived risks with this category of customer and concerns about regulatory

scrutiny. Some financial institutions also state that the costs associated with

maintaining these accounts outweigh the benefits. But just because a particular

customer may be considered high risk does not mean that it is ‘unbankable’

and it certainly does not make an entire category of customer unbankable.

Banks and other financial institutions have the ability to manage high risk customer

relationships.

It is not the intention of the AML regulations to shut legitimate business out of

the financial system. I think we can all agree that it is not possible for financial

institutions to eliminate all risk. Rather, the goal is to provide banking services to

legitimate businesses by understanding the applicable risks and managing

them appropriately.”

Jennifer Shasky Calvery, Director, FinCENFIBA, Anti-Money Laundering Conference

February 20, 2014

Decisions of Board and

Senior Management“The fact is, when we look at the issues underlying BSA infractions,

they can almost always be traced back to decisions and actions of the

institution’s Board and senior management.”

Deficiencies fall into four (4) areas:

Culture of Compliance

Resources Committed to BSA compliance

Strength of Information Technology and monitoring processes

Quality of risk management

Thomas J. Curry

Comptroller of the CurrencyACAMS, March 17, 2014

Walk the Talk

Board and senior management must send right message AND also

“walk the talk”

by ensuring that there is an alignment between good compliance

practices and the bank’s system of compensation and incentives.

by providing increased resources

by increasing the authority and status of the BSA Officer within

the organization

by ensuring proper incentives are incorporated throughout the

organization

Thomas J. Curry

Comptroller of the CurrencyACAMS, March 17, 2014

IMPROVEMENT

desired over De-Risking

Improving is a trend we want to encourage

“And it’s clearly a better option than simply

abandoning customers in higher risk categories

because a lack of resources makes it difficult to manage

the risk.”

Thomas J. Curry

Comptroller of the CurrencyACAMS, March 17, 2014

Categories too risky to bank?

“Some argue that, in the current regulatory environment, there are whole categories of businesses that

are too risky to bank. I understand why you would want to be cautious – some types of businesses are

more risky than others and require a higher level of due diligence. And in all candor, BSA is an area of

intense scrutiny, by banking regulators and law enforcement. “

“However, that’s why we support a risk-based approach.”

“Even in areas that traditionally have been viewed as inherently risky, you should be able to

appropriately manage the risk.”

“You shouldn’t feel that you can’t bank a customer just because they fall into a category that on its face

appears to carry an elevated level of risk. Higher-risk categories of customers call for stronger risk

management and controls, not a strategy of total avoidance. “

“Obviously, if the risk posed by a business or an individual is too great to be managed successfully,

then you have to turn that customer away. But you should only make those decisions after appropriate

due diligence.”

Thomas J. Curry

Comptroller of the Currency

ACAMS, March 17, 2014

Step Up Our Game

“It’s clear that we all need to step up our game, both banks and Government

alike, because the challenges are growing by the day. In part, that’s because the

bad guys are stepping up their game. But it’s also because of the impact of

technology. Technology is not only changing the way we live, but it’s

reshaping the payments system, broadening the choices available to businesses

and consumers, and even allowing payment and clearing mechanisms to exist

outside the traditional banking and thrift industries.”

Thomas J. Curry

Comptroller of the CurrencyACAMS, March 17, 2014

Culture of Compliance

FinCEN’s recent Advisory does NOT say anything that you have not heard

before…

It is another tool you can use to influence your organization’s leadership…

to help them live and breathe BSA/AML the same way that you do.

“Based on the enforcement cases I have seen time and time again, both during

my time as a prosecutor at the U.S. Department of Justice and now as Director

of FinCEN, I can say without a doubt that a strong culture of compliance

could have made all the difference. If I were to find myself responsible for

BSA/AML compliance within any financial institution, my first order of business

would be to pay attention to these core, fundamental concepts. Because once

you have a strong culture in place, including the support of your institution’s

leadership, you have a firm foundation on which to build an effective program.”

Jennifer Shasky Calvery, Director, FinCENFIBA, Anti-Money Laundering Conference

February 20, 2014

Compliance - Defined

Fulfillment (n)

Observance

Conformity

Disobedience (antonym)

Obedience (n)

Acquiescence

Agreement

Falling in line

Submission

Resistance (antonym)

Compliance is: Doing it right the first time...Adhering to internal policies

and procedures… Maintaining a standard that is in accordance with laws

and regulations

What’s Your Culture?

Signs of a lax, Non-Compliance Culture?

FinCEN’s Culture guidance – FIN-2014-A007

Advisory to U.S. Financial Institutions on

Promoting a Culture of Compliance

Have you shared the guidance with your Board

and senior management team?

6 Ways to Strengthen

Your ProgramA financial institution can strengthen its BSA/AML compliance program by ensuring:

1. Engaged Leadership

“its leadership actively supports and understands compliance efforts”

2. Compliance not compromised

“efforts to manage and mitigate BSA/AML deficiencies and risks are not

compromised by revenue interests”

3. Lines of Communication

“relevant information from the various departments within the organization is

shared with compliance staff to further BSA/AML efforts”

4. Human and Technological Resources

“the institution devotes adequate resources to its compliance function”

5. Competent Independent Testing

“the compliance program is effective by, among other things, ensuring that it is

tested by an independent and competent party”

6. Purpose

“its leadership and staff understand the purpose of its BSA/AML efforts and how

its reporting is used”

Hard Target

or Soft Pushover?

Do not compromise yourself with

lack of knowledge

lack of necessary information

lack of understanding

exceptions to policies and procedures

poor documentation

lack of focus or willpower

Will you be a wet noodle? A mouse?

Understand Your Markets

Stay on the Safe Side

• Recognize Danger

• Be Cautious and Think

• Staying Safe is the

reward for knowing what

to do and doing it

Money Services Businesses

“MSBs play a vital role in our economy and provide valuable financial services,

especially to individuals who may not have easy access to the formal banking

sector.”

“FinCEN is joined by the Federal Banking Agencies in continuing to support the

applicability of this guidance. Recently, officials from both the Federal Reserve Board

and Office of the Comptroller of the Currency underscored in Congressional

testimony that the joint guidance issued in 2005 remains in effect today. Scott

Alvarez, the Federal Reserve Board’s General Counsel, stated: ‘That [the]

guidance confirms that banking organizations may provide banking services

to MSBs that operate lawfully. The guidance is intended to assist banks in the

decision to open and maintain accounts for legitimate businesses by identifying the

programs and procedures they should have in place to perform customer due

diligence and monitoring of these customers for suspicious activity.’

Jennifer Shasky Calvery, Director, FinCENFIBA, Anti-Money Laundering Conference

February 20, 2014

WHY would someone

use an MSB?Convenience and Control

• Hours and locations

• Transaction based, immediacy, price transparency,

value

Funds Availability

• Immediate cash for checks; risk transference / no

NSFs

• Immediate / Guaranteed Prompt payment

Language and Culture

Accessibility

• Simple & easy to understand services

• No special skills required

Anonymity

Challenges faced by

MSBs

Bank service discontinuance; lack of in market services

Decreased transaction volumes and revenues

• minimal commercial checks

• increased check fraud risks- tax returns, mobile capture

Increasing competition for customers

High regulatory and banking compliance expectations

Common Issues identified

MSB Independent ReviewsIndependent Review

• Only performed when notified of impending IRS or GA DBF exam

• Only performed when specifically requested by bank

• Issues previously identified by independent review or regulators not

being corrected - repeat findings License, sign and/or pricing not

posted.

No employee background checks

FinCEN registration

• expired, needing late renewal

• re-registration not filed after change of ownership

Risk assessment not present or no evidence of ongoing review/updates

Compliance program inadequate, incomplete, generic, incorrect

• or no evidence of ongoing review/updating amid changes

Training - lack of documentation, or inadequate

CTRs and SARs - minor form completion errors; late

Bankers’ Concerns

in Serving MSBs

High Degree of Risk and Exposure Associated with MSBs

• Risky Business... unsophisticated, inadequate risk

management

• Tons of cash!

• Unknown, Vague, Shady source of cash

• Criminals can abuse MSBs

• Difficult to understand, monitor and manage the MSB

relationships

Negative Perceptions

Law Enforcement and Banking Regulators often perceive MSBs as

…

• being used by either criminals, shady/bad people, or by

uneducated, uninformed or foolish consumers who would be

better served by a bank

• “The Un-banked” - “The Under-Banked” - “The Self-Banked”

• being insufficiently regulated

• being subject to insufficient examination

• being irresponsible, incompetent, inattentive, reckless...

Challenging / Difficult

• Regulatory rules and issues can be complex

• Bank may not sufficiently understand customer

business or risks

• May result in gaps with bank compliance and risk

management

• May result in bank compliance issues, regulatory risks

Regulatory Expectations

for the Bank

• Effective supervision/monitoring of MSB relationships

• Reasonable understanding of MSB risks

• Meaningful additional action on higher potential risks

Interagency guidance since 2005, FFIEC BSA/AML

Exam manual, and best practices...

• Low Risk? - registration and licensing

• High Risk? - expanded due diligence

• Price appropriately

• Recourse and collateral considerations

• Security considerations

• Ongoing monitoring

Risk of MSBs

• Principal Money Transmitter (high risk areas)

• Principal Money Transmitter (lower risk areas)

• Full Service MSB / Principal Check Casher, multi-store, high dollar, non-natural

persons

• Full Service MSB / Principal Check Casher, multi-store, high dollar

• MSB Agent, money transfer services limited to high risk areas

• Full Service MSB/ Principal Check Casher, multi-store, low dollar

• Full Service MSB/ Principal Check Casher, one store

• Offers MSB services including check cashing, low dollar, limited scope (e.g.

payroll)

• Offers MSB services - agent only, not dedicated to serving high risk areas

Note that higher potential risk MSBs can be lower risk due to mitigation efforts.

Bank Requirements for

Higher Risk MSBs

• Initial & ongoing site visit, inspection, staff interviews

• Negative news monitoring

• Independent Review

• Scope. Reviewer. Reporting. Management

responses.

• 3rd Party review on behalf of bank

• Assessment of foreign government oversight

Core needs of the bank

• Meaningful, complete background - CIP & CDD

• Confirm FinCEN registration

• Confirm State licensing

• Confirm Agent status

• Ability to assess risks

• Ability to monitor

• Address Credit Risk / Exposure

Bank Pricing of MSB Accounts

• Analysis

• Compliance Surcharge

• Set cash limits / require

armored courier service

• Consider additional

collateral

Bank monitoring

of MSBs

• Verify FinCEN registration, state licensing

• Ongoing Extended Due Diligence on higher risk

MSBs

• Independent Reviews

• 3rd party review on behalf of bank

• Large fluctuations / change in volume - reasonable?

• Check cashing concentration, non-natural persons

• Out of market deposits

Reasonable Considerations for

MSBs wanting to keep and establish

banking relationships

• Communication, transparency, responsiveness

• Don’t assume your bank understands what you

do and want makes sense

• Help the bank accurately understand risks

• Provide documented evidence of compliance

• Be sure your relationship is beneficial to the

bank

• Maintain sound credit and security practices

Common Bank Issues

re MSBs• Not understanding MSB customers and that each have different risks

• Failure to reasonably risk rate MSBs, distinguish between higher and lower risk MSB customers, identify changes in risk exposure over time

• Poorly defined policies and procedures regarding MSB relationships

• Incorrectly identifying all MSBs as high risk then not following FinCEN guidance or Board approved policies regarding monitoring

• Not setting and maintaining reasonable standards for performance

• Not extending bank culture of compliance to MSB relationships

• Not charging MSBs appropriately for services rendered

• Missing security implications of large cash deposits or withdrawals

• Not considering credit risks of MSB relationships

• Accepting poor quality independent reviews

• Lack of documented customer visitation

• Lack of 3rd party review on behalf of bank for high risk entities

Third Party Payment Processors

Money Transmitter

moves money on behalf of sender to receiver

Third Party Payment Processor

moves money on behalf of receiver from sender for settlement of

a transaction other than the funds transfer itself

• NOT currently directly subject to Bank Secrecy Act

compliance

• provides gateway to banking system

• State money transmitter licensing may be required

• subject to examination by state(s) where licensed

• 3rd party review on behalf of servicing bank(s)

TPPP Overview

• A bank’s business customer that uses its deposit

relationship to process payments on behalf of other

businesses.

• Bank provides channel for clearing and settlement a

variety of payment types: ACH, checks, payment cards,

digital currencies, etc.

• May include electronic checks created through

Remote Deposit Capture, or

• Remotely Created Checks (RCCs) that never existed

in paper form.

• Differs from traditional business banking relationships

where payment transactions (e.g., ACH, checks, etc.)

are made on behalf of the business customer.

TPPP Merchant Clients

• What type of merchants? Risk level?

• How are merchants qualified and accepted?

• Who is served under what conditions?

• How and when are merchant relationships

terminated?

Higher Potential Risk

Merchants / Activities

Ammunition Sales

“As Seen on TV”

Coin Dealers

Credit Card Schemes

Credit Repair Services

Dating Services

Drug Paraphernalia

Escort Services

Firearms/Fireworks Sales

Gambling

Get Rich Quick Products

Government Grants

Home Based Charities/Businesses

Life Time Guarantees

Membership/Purchasing Clubs

Pyramid Type Sales

Pay Day Loans

Pharmaceutical Sales

Pornography

Ponzi Schemes

Racist materials

Raffles/Sweepstakes

Surveillance equipment

Telemarketing

Tobacco Sales

Travel Clubs

TPPP Red Flags

• Significant Consumer Complaints

• unauthorized, misrepresented, intimidated,

threatened into providing account information

• High level of unauthorized returns/charge-backs

• Unverifiable merchant information (e.g., website,

business registration, etc.)

• Unexpected volume/value activity or change

• Prior civil, criminal and regulatory actions against

processor or its principals

• Law enforcement inquiries

Bank’s Minimum

Responsibilities• Comprehensive Policies and Procedures

• Assess risk of TPPPs (including review of merchant clients)

• Review Contracts with Processors and Sub-Processors

• Establish sound and enforceable contractual requirements for

all parties

• In-Depth Enhanced Due Diligence

• Evaluate Due Diligence Performed by Processors on Merchants

they work with

• Perform Ongoing Monitoring

• Consumer complaints

• High rates of returns or charge backs

• Establish and Maintain Adequate Reserve Accounts

• Ongoing Training- staff can effectively monitor/identify problems

Reliance on TPPPs

• Banks must not rely entirely on TPPP systems

for merchant approval and monitoring.

• Cursory merchant reviews without ensuring

appropriate ongoing monitoring of the TPPP and

transaction activity is inappropriate.

• Any reliance placed on TPPP for initial or

ongoing tasks need to be verified periodically by

external and/or bank review of TPPP policies,

procedures, and processes

TPPP Best Practices

• Require TPPP to provide documented analysis /

legal opinion regarding potential state licensing

issues

• Require TPPP to have written risk-based BSA/AML

program

• independent review; 3rd party review

• Periodic bank review and/or 3rd party examination

• Negative news monitoring of TPPP, merchant

clients

Remember!

• Bank retains ultimate responsibility for all

transactions flowing through the bank.

• Must file SARs on unusual or suspicious activities

• Bank must have sufficient understanding of each

TPPP and its merchant processing to identify

unusual activity.

Questions?

Jay Postma, CAMS

President

MSB Compliance Inc.

Jay.Postma@MSBComplianceInc.com

(678) 389-9068

www.LinkedIn.com/in/jaypostma

www.MSBComplianceInc.com

www.Twitter.com/MSBCompliance

Weekly newsletter:paper.MSBComplianceInc.com