Bank Secrecy Act

Community Bankers for Compliance School

DEPOSITS

2016

This publication is designed to provide information in regard to the subject matter covered. It is provided with the understanding that the publisher is not engaged in rendering legal, accounting, or other professional service. If legal advice or other expert assistance is required, the services of a professional competent in the area of special need should be sought.

© Copyright 2016 Young & Associates, Inc.

All rights reserved

Young & Associates, Inc. • www.younginc.com • Page i

Table of Contents

Section 1: Introduction

Section 2: Risk Assessment

Section 3: The Four Pillars (Program Requirements)

Section 4: Definitions [31 C.F.R. § 1010.100]

Section 5: Currency Transaction Reports

Section 6: Targeting Orders [31 C.F.R. § 1010.370]

Section 7: CTR Exemptions [31 C.F.R. § 1020.315]

Section 8: Suspicious Activity Reports [31 C.F.R. § 1020.320]

Section 9: Customer Due Diligence [31 C.F.R. § 1020.220]

Section 10: Reports of Transportation of Currency or Monetary Amounts [31 C.F.R. § 1010.340]

Section 11: Foreign Financial Accounts [31 C.F.R. § 1010.350, 1010.360 & 1010.420]

Section 12: Purchases of Monetary Instruments [31 C.F.R. § 1010.415]

Section 13: Wire Transfer Records [31 C.F.R. § 1020.410]

Section 14: Information Sharing With Government [31 C.F.R. § 1010.520]

Section 15: Information Sharing With Other Financial Institutions [31 C.F.R. § 1010.540]

Section 16: Correspondent Accounts [31 C.F.R. § 1010.605, 1010.630]

Section 17: Additional Records Requirements [31 C.F.R. § 1010.410, 1010.430, 1010.440 & 1020.410]

Section 18: Anti-Money Laundering [12 C.F.R. § 1020.210]

Section 19: USA PATRIOT Act

Section 20: Appendix: Customer Due Diligence Requirements for Financial Institutions (Proposal)


Section 1: Introduction

Introduction

The Bank Secrecy Act (BSA) is implemented by a regulation [31 C.F.R. Chapter X] issued by the Department of the Treasury (Treasury). It requires domestic financial institutions to file a report of each single or multiple deposit, withdrawal, exchange of currency, or other payment or transfer by, through, or to such financial institution which involves a transaction in currency of more than $10,000. Financial institutions also must report suspicious activity involving potential losses, generally, that exceed $5,000. In addition to the reporting requirements, the BSA regulations require banks to keep a variety of internal records on designated transactions to provide an audit trail for either Treasury or the Internal Revenue Service (IRS) to use during criminal investigations.

On an annual basis (or thereabouts), the Federal Financial Institutions Examination Council (FFIEC) releases a revised Bank Secrecy Act/Anti-Money Laundering Examination Manual (Exam Manual). The most recent revision was released in November 2014. The revisions generally reflect the efforts of the federal banking agencies and the Financial Crimes Enforcement Network (FinCEN) to provide current and consistent guidance on risk-based policies, procedures, and processes for banking institutions to comply with the BSA. The 2014 version of the Exam Manual may be found at:

http://www.ffiec.gov/bsa_aml_infobase/documents/BSA_AML_Man_2014_v2.pdf

The financial institution regulatory agencies (Federal Reserve Board, Office of the Comptroller of the Currency, Federal Deposit Insurance Corporation, and Office of Thrift Supervision) require banks and thrifts to develop and administer a program to assure compliance with the Bank Secrecy Act and its corresponding regulation.

Organization of the Regulation

Effective March 1, 2011, the Financial Crimes Enforcement Network (FinCEN) reorganized and transferred the BSA regulations to a new chapter in the Code of Federal Regulations (CFR). This rule transferred FinCEN’s regulations from 31 CFR 103 to a new, tenth chapter entitled, “Title 31 Chapter X – Financial Crimes Enforcement Network.” It also assigned a new numbering convention for Title 31 provisions, with each part containing subparts.

FinCEN stated that this new structure is intended to organize BSA regulations by industry, or to identify provisions that are applicable to all regulated industries or covered individuals, thereby making regulatory obligations uniform across industries and more accessible to affected parties. The rule does not alter existing BSA regulatory obligations or impose new obligations.

This manual contains the citations from the newly created Title 31 Chapter X. Therefore, throughout the manual, you will see citations such as [31 C.F.R. § 1020.100]. These citations are provided for your use, should you wish to read the language specifically used in the regulation.


Background

The Exam Manual discusses the background of the regulation as follows:

In 1970, Congress passed the Currency and Foreign Transactions Reporting Act commonly known as the “Bank Secrecy Act,” which established requirements for recordkeeping and reporting by private individuals, banks, and other financial institutions. The BSA was designed to help identify the source, volume, and movement of currency and other monetary instruments transported or transmitted into or out of the United States or deposited in financial institutions. The statute sought to achieve that objective by requiring individuals, banks, and other financial institutions to file currency reports with the U.S. Department of the Treasury (U.S. Treasury), properly identify persons conducting transactions, and maintain a paper trail by keeping appropriate records of financial transactions. These records enable law enforcement and regulatory agencies to pursue investigations of criminal, tax, and regulatory violations, if warranted, and provide evidence useful in prosecuting money laundering and other financial crimes.

Other laws that modified the Bank Secrecy Act include:

The Money Laundering Control Act of 1986.

The 1992 Annunzio-Wylie Anti-Money Laundering Act.

The Money Laundering Suppression Act of 1994 (MLSA).

Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism Act of 2001 (Patriot Act). Title III of the Patriot Act is the International Money Laundering Abatement and Anti-Terrorist Financing Act of 2001.

The Patriot Act is arguably the single most significant AML law that Congress has enacted since the BSA itself. Among other things, the Patriot Act criminalized the financing of terrorism and augmented the existing BSA framework by strengthening customer identification procedures; prohibiting financial institutions from engaging in business with foreign shell banks; requiring financial institutions to have due diligence procedures, and, in some cases, enhanced due diligence procedures for foreign correspondent and private banking accounts; and improving information sharing between financial institutions and the U.S. government. The Patriot Act and its implementing regulations also:

Expanded the AML program requirements to all financial institutions.

Increased the civil and criminal penalties for money laundering.

Provided the Secretary of the Treasury with the authority to impose “special measures” on jurisdictions, institutions, or transactions that are of “primary money laundering concern.”

Facilitated records access and required banks to respond to regulatory requests for information within 120 hours.

Required federal banking agencies to consider a bank’s AML record when reviewing bank mergers, acquisitions, and other applications for business combinations.


Section 2: Risk Assessment

Each bank must have a BSA program. In order to make decisions regarding the specifics of a bank’s program, the regulators have placed a renewed emphasis on the bank’s Risk Assessment. A graphic representation of this interrelationship appeared in the Exam Manual (Appendix I) as follows:

This brief flow chart makes it clear that all banks need to develop an overall BSA process that includes a periodic review of the bank’s risk assessment. This assessment will follow approaches similar to the risk assessment that the Customer Identification Program required. To assist in the risk assessment process, the Exam Manual (Appendix J) set forth 11 criteria, and offered a description of what might be low, moderate, or high risk. This appendix appears below and on the following two pages:


In its “BSA/AML Risk Assessment” core overview section, the Exam Manual discusses a review of the bank’s BSA/AML risk assessment, as follows:

“Evaluating the BSA/AML risk assessment should be part of scoping and planning the examination, and the inclusion of a section on risk assessment in the manual does not mean the two processes are separate. Rather, risk assessment has been given its own section to emphasize its importance in the examination process and in the bank’s design of effective risk-based controls.

The same risk management principles that the bank uses in traditional operational areas should be applied to assessing and managing BSA/AML risk. A well-developed risk assessment will assist in identifying the bank’s BSA/AML risk profile. Understanding the risk profile enables the bank to apply appropriate risk management processes to the BSA/AML compliance program to mitigate risk. This risk assessment process enables management to better identify and mitigate gaps in the bank’s controls. The risk assessment should provide a comprehensive analysis of the BSA/AML risks in a concise and organized presentation, and should be shared and communicated with all business lines across the bank, board of directors, management, and appropriate staff; as such, it is a sound practice that the risk assessment be reduced to writing.

There are many effective methods and formats used in completing a BSA/AML risk assessment; therefore, examiners should not advocate a particular method or format. Bank management should decide the appropriate method or format, based on the bank’s particular risk profile. Whatever format management chooses to use for its risk assessment, it should be easily understood by all appropriate parties.

The development of the BSA/AML risk assessment generally involves two steps: first, identify the specific risk categories (i.e., products, services, customers, entities, transactions, and geographic locations) unique to the bank; and second, conduct a more detailed analysis of the data identified to better assess the risk within these categories. In reviewing the risk assessment during the scoping and planning process, the examiner should determine whether management has considered all products, services, customers, entities, transactions, and geographic locations, and whether management’s detailed analysis within these specific risk categories was adequate. If the bank has not developed a risk assessment, this fact should be discussed with management. For the purposes of the examination, whenever the bank has not completed a risk assessment, or the risk assessment is inadequate, the examiner must complete a risk assessment based on available information.

Evaluating the Bank’s BSA/AML Risk Assessment

An examiner must review the bank’s BSA/AML compliance program with sufficient knowledge of the bank’s BSA/AML risks in order to determine whether the BSA/AML compliance program is adequate and provides the controls necessary to mitigate risks. For example, during the examination scoping and planning process, the examiner may initially determine that the bank has a high-risk profile, but during the examination, the examiner may determine that the bank’s BSA/AML compliance program adequately mitigates these risks. Alternatively, the examiner may initially determine that the bank has a low- or moderate-risk profile; however, during the examination, the examiner may determine that the bank’s BSA/AML compliance program does not adequately mitigate these risks.


In evaluating the risk assessment, an examiner should not necessarily take any single indicator as determinative of the existence of a lower or higher BSA/AML risk. The assessment of risk factors is bank-specific, and a conclusion regarding the risk profile should be based on a consideration of all pertinent information. Banks may determine that some factors should be weighed more heavily than others. For example, the number of funds transfers is certainly one factor to be considered in assessing risk; however, in order to effectively identify and weigh the risks, the examiner should look at other factors associated with those funds transfers, such as whether they are international or domestic, the dollar amounts involved, and the nature of the customer relationships.

Identification of Specific Risk Categories

The first step of the risk assessment process is to identify the specific products, services, customers, entities, and geographic locations unique to the bank. Although attempts to launder money, finance terrorism, or conduct other illegal activities through a bank can emanate from many different sources, certain products, services, customers, entities, and geographic locations may be more vulnerable or have been historically abused by money launderers and criminals. Depending on the specific characteristics of the particular product, service, or customer, the risks are not always the same. Various factors, such as the number and volume of transactions, geographic locations, and nature of the customer relationships, should be considered when the bank prepares its risk assessment. The differences in the way a bank interacts with the customer (face-to-face contact versus electronic banking) also should be considered. Because of these factors, risks will vary from one bank to another. In reviewing the bank’s risk assessment, examiners should determine whether management has developed an accurate risk assessment that identifies the significant risks to the bank.

The expanded sections in this manual provide guidance and discussions on specific lines of business, products, and customers that may present unique challenges and exposures for which banks may need to institute appropriate policies, procedures, and processes. Absent appropriate controls, these lines of business, products, or customers could elevate aggregate BSA/AML risks. The examiner should expect the bank’s ongoing risk assessment process to address the varying degrees of risk associated with its products, services, customers, entities, and geographic locations, as applicable.

Products and Services

Certain products and services offered by banks may pose a higher risk of money laundering or terrorist financing depending on the nature of the specific product or service offered. Such products and services may facilitate a higher degree of anonymity, or involve the handling of high volumes of currency or currency equivalents. Some of these products and services are listed below, but the list is not all inclusive:

Electronic funds payment services — electronic cash (e.g., prepaid and payroll cards), funds transfers (domestic and international), payable upon proper identification (PUPID) transactions, third-party payment processors, remittance activity, automated clearing house (ACH) transactions, and automated teller machines (ATM).

Electronic banking.


Private banking (domestic and international).

Trust and asset management services.

Monetary instruments.

Foreign correspondent accounts (e.g., bulk shipments of currency, pouch activity, payable through accounts (PTA), and U.S. dollar drafts).

Trade finance.

Services provided to third-party payment processors or senders.

Foreign exchange.

Special use or concentration accounts.

Lending activities, particularly loans secured by cash collateral and marketable securities.

Non deposit account services (e.g., non deposit investment products and insurance).

The expanded sections of the manual provide guidance and discussion on specific products and services detailed above.

Customers and Entities

Although any type of account is potentially vulnerable to money laundering or terrorist financing, by the nature of their business, occupation, or anticipated transaction activity, certain customers and entities may pose specific risks. At this stage of the risk assessment process, it is essential that banks exercise judgment and neither define nor treat all members of a specific category of customer as posing the same level of risk. In assessing customer risk, banks should consider other variables, such as services sought and geographic locations. The expanded sections of the manual provide guidance and discussion on specific customers and entities that are detailed below:

Foreign financial institutions, including banks and foreign money services providers (e.g., casas de cambio, currency exchanges, and money transmitters).

Nonbank financial institutions (e.g., money services businesses; casinos and card clubs; brokers/dealers in securities; and dealers in precious metals, stones, or jewels).

Senior foreign political figures and their immediate family members and close associates (collectively known as politically exposed persons (PEP)).

Nonresident alien (NRA) and accounts of foreign individuals.

Foreign corporations and domestic business entities, particularly offshore corporations (such as domestic shell companies and Private Investment Companies (PIC) and international business corporations (IBC)) located in higher-risk geographic locations.

Deposit brokers, particularly foreign deposit brokers.

Cash-intensive businesses (e.g., convenience stores, restaurants, retail stores, liquor stores, cigarette distributors, privately owned ATMs, vending machine operators, and parking garages).


Nongovernmental organizations and charities (foreign and domestic).

Professional service providers (e.g., attorneys, accountants, doctors, or real estate brokers).

Geographic Locations

Identifying geographic locations that may pose a higher risk is essential to a bank’s BSA/AML compliance program. U.S. banks should understand and evaluate the specific risks associated with doing business in, opening accounts for customers from, or facilitating transactions involving certain geographic locations. However, geographic risk alone does not necessarily determine a customer’s or transaction’s risk level, either positively or negatively.

Higher-risk geographic locations can be either international or domestic. International higher-risk geographic locations generally include:

Countries subject to OFAC sanctions, including state sponsors of terrorism.

Countries identified as supporting international terrorism under section 6(j) of the Export Administration Act of 1979, as determined by the Secretary of State.

Jurisdictions determined to be “of primary money laundering concern” by the Secretary of the Treasury, and jurisdictions subject to special measures imposed by the Secretary of the Treasury, through FinCEN, pursuant to section 311 of the USA PATRIOT Act.

Jurisdictions or countries monitored for deficiencies in their regimes to combat money laundering and terrorist financing by international entities such as the Financial Action Task Force (FATF).

Major money laundering countries and jurisdictions identified in the U.S. Department of State’s annual International Narcotics Control Strategy Report (INCSR), in particular, countries which are identified as jurisdictions of primary concern.

Offshore financial centers (OFC).

Other countries identified by the bank as higher-risk because of its prior experiences or other factors (e.g., legal considerations, or allegations of official corruption).

Domestic higher-risk geographic locations may include, but are not limited to, banking offices doing business within, or having customers located within, a U.S. government-designated higher-risk geographic location. Domestic higher-risk geographic locations include:

o High Intensity Drug Trafficking Areas (HIDTA).

o High Intensity Financial Crime Areas (HIFCA).

Analysis of Specific Risk Categories

The second step of the risk assessment process entails a more detailed analysis of the data obtained during the identification stage in order to more accurately assess BSA/AML risk. This step involves evaluating data pertaining to the bank’s activities (e.g., number of: domestic and international funds transfers; private banking customers; foreign correspondent accounts; PTAs; and domestic and international geographic locations of the bank’s business area and customer transactions) in relation to Customer Identification Program (CIP) and customer due diligence (CDD) information. The level and sophistication of analysis may vary by bank. The detailed analysis is important because within any type of product or category of customer there will be accountholders that pose varying levels of risk.

This step in the risk assessment process gives management a better understanding of the bank’s risk profile in order to develop the appropriate policies, procedures, and processes to mitigate the overall risk. Specifically, the analysis of the data pertaining to the bank’s activities should consider, as appropriate, the following factors:

Purpose of the account.

Actual or anticipated activity in the account.

Nature of the customer’s business/occupation.

Customer’s location.

Types of products and services used by the customer.

The value of a two-step risk assessment process is illustrated in the following example. The data collected in the first step of the risk assessment process reflects that a bank sends out 100 international funds transfers per day. Further analysis may show that approximately 90 percent of the funds transfers are recurring well-documented transactions for long-term customers. On the other hand, the analysis may show that 90 percent of these transfers are nonrecurring or are for noncustomers. While the numbers are the same for these two examples, the overall risks are different.”

Other Risk Factors

In addition to the four assessment factors expected by examiners, banks should also focus on some operational areas. One such area would include an assessment of your financial institution’s policies related to account opening procedures and to various transactions conducted for customers only versus non-customers (i.e., wire transfers, monetary instrument sales, safe deposit box rental, etc.).

In developing your risk profile, consider the asset size of your bank as well as its structure. Areas of the bank important to BSA that may be understaffed should be considered and, conversely, a large bank staff may increase BSA/AML risk. Obtain employee turnover statistics, especially in key BSA areas.

Other factors to consider include your bank’s data processing systems and other software tools that assist the bank in complying with the BSA regulatory requirements. It can be inferred that the greater and more sophisticated a bank’s BSA systems, the more likely any evident risks will be mitigated.

When evaluating risk associated with operations, a financial institution should take into consideration staff experience, expertise, and management’s support of providing continuing education and educational resources.


A bank’s risk assessment process should be ongoing. As the customer base expands, mergers occur, geographic areas grow, and the institution offers new products or services, your risk assessment should reflect these factors. On an annual basis, or as changes occur, your BSA/AML risk assessment should be reviewed and updated.

Summarizing Your Risk Assessment

Using and analyzing the data you have obtained is the second phase in the risk assessment. Not only will your risk assessment be evaluated, but the analysis process used to reach a risk conclusion will be assessed. The controls that are in place, and management’s ability and willingness to identify and mitigate risk, will be evaluated. A bank need not necessarily consider itself at higher risk because of a large volume of wire transfers if the analysis of the information proves the majority of the transfers were recurring and took place for well-established customers and that transfers, in fact, are only conducted for existing customers. Compare that same volume of funds transfers for non-customers or nonrecurring customers, many transfers being destined for high risk geographic areas, and the risk analysis outcome will be vastly different.

At the conclusion of completing the risk profile for your institution, the results must be reviewed and analyzed to determine whether the existing policies and procedures remain adequate. In addition, the risk profile should be summarized to inform both management and the board of directors of the bank’s overall BSA/AML risks.

In general, it is recommended that the data you have obtained through the risk profile be summarized into a narrative document that briefly discusses each risk factor. The summary document should be written not only from a perspective where risks are evident but it should also highlight areas of the bank’s operations that are not as prone to risks. Those conducting a risk assessment may not consider for inclusion factors that are not applicable to the bank. Excluding what does not apply may give the appearance that the issues were not taken into consideration. For example, if your institution is not located within or near an HIDTA, the risk profile summary should make note of this fact. In proving the validity of a self-assessed lower risk rating to a high risk area such as funds transfers, the institution could include the fact that wires are conducted for customers only, the majority of wires are for long established customers, any monitoring processes in place, and that all names associated with a wire are compared to the current OFAC list as well as the country and bank when conducting an international transfer.

Consolidated BSA/AML Compliance Risk Assessment

As stated in the Exam Manual, “Banks that implement a consolidated or partially consolidated BSA/AML compliance program should assess risk both individually within business lines and across all activities and legal entities. Aggregating BSA/AML risks on a consolidated basis for larger or more complex organizations may enable an organization to better identify risks and risk exposures within and across specific lines of business or product categories. Consolidated information also assists senior management and the board of directors in understanding and appropriately mitigating risks across the organization. To avoid having an outdated understanding of the BSA/AML risk exposures, the banking organization should continually reassess its BSA/AML risks and communicate with business units, functions, and legal entities. The identification of a BSA/AML risk or deficiency in one area of business may indicate concerns elsewhere in the organization, which management should identify and control.”


Section 3: The Four Pillars (Program Requirements)

There are four minimum requirements of an acceptable Bank Secrecy Act compliance program. To meet the minimum requirements, a bank’s BSA compliance program should include a system of internal controls, provisions for independent testing for compliance with the requirements of the regulation, the designation of an individual or individuals to be responsible for coordinating and monitoring compliance with the BSA, and training for appropriate personnel.

Every compliance program must be in writing, approved by the bank’s board of directors, and noted in the board meeting minutes.

System of Internal Controls

Ultimately, the board of directors is responsible for ensuring that the bank maintains an effective BSA/AML internal control structure, including suspicious activity monitoring and reporting. The board of directors in concert with management is charged with creating a culture of compliance to ensure staff adherence to the bank’s BSA policies, procedures, and processes. Internal controls cover a number of areas, including policies, procedures, and processes designed to limit and control the bank’s risks relative to BSA.

Depending upon the bank’s needs, the level of sophistication of the internal controls should be commensurate with the size, structure, risks, and complexity of the bank. Large complex banks usually have more defined departmental internal controls for BSA compliance. Smaller institutions may have less structure; however, all financial institutions must have a comprehensive BSA compliance program.

The Exam Manual includes these additional internal control features:

Identify banking operations (i.e., products, services, customers, entities, and geographic locations) more vulnerable to abuse by money launderers and criminals; provide for periodic updates to the bank’s risk profile; and provide for a BSA/AML compliance program tailored to manage risks.

Inform the board of directors, or a committee thereof, and senior management, of compliance initiatives, identified compliance deficiencies, and corrective action taken, and notify directors and senior management of SARs filed.

Identify a person or persons responsible for BSA/AML compliance.

Provide for program continuity despite changes in management or employee composition or structure.

Meet all regulatory recordkeeping and reporting requirements, meet recommendations for BSA/AML compliance, and provide for timely updates in response to changes in regulations.

Implement risk-based CDD policies, procedures, and processes.

Identify reportable transactions and accurately file all required reports including SARs, CTRs, and CTR exemptions. (Banks should consider centralizing the review and report-filing functions within the banking organization.)

Provide for dual controls and the segregation of duties to the extent possible. For example, employees that complete the reporting forms (such as SARs, CTRs, and CTR exemptions) generally should not also be responsible for the decision to file the reports or grant the exemptions.

Provide sufficient controls and systems for filing CTRs and CTR exemptions.

Provide sufficient controls and monitoring systems for timely detection and reporting of suspicious activity.

Provide for adequate supervision of employees that handle currency transactions, complete reports, grant exemptions, monitor for suspicious activity, or engage in any other activity covered by the BSA and its implementing regulations.

Incorporate BSA compliance into the job descriptions and performance evaluations of bank personnel, as appropriate.

Train employees to be aware of their responsibilities under the BSA regulations and internal policy guidelines.

The above list is not to be considered all-inclusive and should reflect the bank’s BSA/AML risk profile. Additional policy guidance for specific risk areas is provided in the expanded sections of the Exam Manual.

Independent Testing

Independent testing for compliance with the BSA and its corresponding regulation should be conducted at least annually, preferably by the internal audit department, outside auditors, consultants, or other qualified individuals. Banks that do not employ outside auditors or consultants or that do not operate internal audit departments can comply with this requirement by using employees who are not involved with the BSA function that is under review. In general, it is advised that independent testing be conducted every 12 to 18 months, again commensurate with your bank’s risk profile.

The Exam Manual indicates that the persons or companies conducting the BSA testing should report directly to the board of directors or to a designated board committee comprised primarily or completely of outside directors.

The independent testing should be risk based (see risk assessment, discussed earlier) and evaluate the quality of risk management for every area of banking operations, including departments and subsidiaries. Therefore, risk-based audit programs will vary from bank to bank depending on the bank’s size, complexity, scope of activities, risk profile, quality of control functions, geographic diversity, and use of technology. The risk-based testing should include all banking activities, the results of which will allow the board of directors and auditors to focus on areas of greater concern.

An effective risk-based auditing program will cover all of the bank’s activities. The frequency and depth of each activity’s audit will vary based on the activity’s risk assessment. This risk-based auditing approach enables the board of directors and auditors to use the bank’s risk assessment to focus the audit scope on the areas of greatest concern. The results of testing should assist the board of directors and management in identifying areas of weakness or areas where there appears to be a need for enhancements or stronger controls.

The scope of an independent test has expanded dramatically over the last few years. The Exam Manual sets forth the following list of items that should be subject to review:

Independent testing should, at a minimum, include:

An evaluation of the overall adequacy and effectiveness of the BSA/AML compliance program, including policies, procedures, and processes. Typically, this evaluation will include an explicit statement about the BSA/AML compliance program’s overall adequacy and effectiveness and compliance with applicable regulatory requirements. At the very least, the audit should contain sufficient information for the reviewer (e.g., an examiner, review auditor, or BSA officer) to reach a conclusion about the overall quality of the BSA/AML compliance program.

A review of the bank’s risk assessment for reasonableness given the bank’s risk profile (products, services, customers, entities, and geographic locations).

Appropriate risk-based transaction testing to verify the bank’s adherence to the BSA recordkeeping and reporting requirements (e.g., CIP, SARs, CTRs and CTR exemptions, and information sharing requests).

An evaluation of management’s efforts to resolve violations and deficiencies noted in previous audits and regulatory examinations, including progress in addressing outstanding supervisory actions, if applicable.

A review of staff training for adequacy, accuracy, and completeness.

A review of the effectiveness of the suspicious activity monitoring systems (manual, automated, or a combination) used for BSA/AML compliance. Related reports may include, but are not limited to:

o Suspicious activity monitoring reports.

o Large currency aggregation reports.

o Monetary instrument records.

o Funds transfer records.

o Nonsufficient funds (NSF) reports.

o Large balance fluctuation reports.

o Account relationship reports.

An assessment of the overall process for identifying and reporting suspicious activity, including a review of filed or prepared SARs to determine their accuracy, timeliness, completeness, and effectiveness of the bank’s policy.

An assessment of the integrity and accuracy of MIS used in the BSA/AML compliance program. MIS includes reports used to identify large currency transactions, aggregate daily currency transactions, funds transfer transactions, monetary instrument sales transactions, and analytical and trend reports.

The Exam Manual suggests that auditors document the audit scope, procedures performed, transaction testing completed, and findings of the review. In addition, all audit documentation and work papers should be available for examiner review, upon request. Any violations, policy or procedures exceptions, or other deficiencies noted during the audit should be included in an audit report and reported to the board of directors or a designated committee in a timely manner. The board or designated committee and the audit staff should track audit deficiencies and document corrective actions.

Designation of BSA Officer

Each bank must annually designate, by name, a senior bank official to be responsible for coordinating and monitoring compliance with the BSA. This must be noted in the minutes of the board of directors. This might be the compliance officer, chief auditor, or another officer of similar status. In addition, other individuals in each office, department, or regional headquarters should be given the responsibility for day-to-day compliance so that appropriate controls are in place at all levels of the bank.

The BSA compliance officer must also manage all aspects of the BSA/AML compliance program and manage the bank’s adherence to the BSA and its implementing regulations. Although the board must make this annual appointment, the board of directors is ultimately responsible for the bank’s BSA/AML compliance.

Although the regulation makes no specific requirement regarding the title of the individual responsible for overall BSA compliance, his or her level of authority and responsibility within the bank is critical. In many institutions, the BSA compliance officer delegates some BSA duties to other employees, but the officer is still responsible for overall BSA/AML compliance. The board of directors must assure that the BSA compliance officer has sufficient authority and resources (monetary, physical, and personnel) to administer an effective BSA compliance program based on the bank’s risk assessment.

The person designated as the BSA compliance officer should be fully knowledgeable of the BSA and all related regulations. This individual must also understand the bank’s products, services, customers, and geographic locations, and the potential money laundering and terrorist financing risks associated with those activities.

The Exam Manual makes it clear that the appointment of a BSA compliance officer is not sufficient to meet the regulatory requirement if that person does not have the expertise, authority, or time to satisfactorily complete the job.

The BSA compliance officer must have direct access to the board of directors and senior management regarding the bank’s ongoing compliance with the BSA. Pertinent BSA-related information, including the reporting of SARs filed with FinCEN, should be reported to the board of directors or an appropriate board committee so that these individuals can make informed decisions about overall BSA/AML compliance.

The BSA compliance officer is also responsible for carrying out the direction of the board to ensure that employees adhere to the bank’s BSA policies, procedures, and processes.

Training for Appropriate Personnel

A bank’s training program must provide training for tellers who handle currency transactions. In addition, anyone who is involved in Bank Secrecy Act compliance should be trained in their areas of compliance as well. The training should be tailored to the employee’s specific responsibilities. In addition, an overview of the BSA/AML requirements typically should be given to new staff during employee orientation. Training should encompass information related to applicable business lines, such as trust services, and international and private banking. The BSA compliance officer should receive periodic training that is relevant and appropriate given changes to regulatory requirements as well as the activities and overall BSA/AML risk profile of the bank. Depending on the bank’s needs, training materials can be purchased from banking associations, trade groups, or outside vendors, or they can be developed by the bank. Banks should assure that the training includes not only the regulatory requirements, but also the bank’s specific rules and procedures for compliance. Copies of the training materials must be available in the bank for review by examiners, as well as proof of training (generally sign-in sheets at training sessions, etc.).

Management, including Board members, must also receive periodic updates on the requirements so that adequate resources are allocated to comply with this regulation. Since there is scarcely any area of the bank that is not potentially affected by the Bank Secrecy Act, bank-wide training is recommended. While the board of directors may not require the same detailed level of training as provided to banking operations personnel, they need to understand the importance of BSA/AML regulatory requirements, the ramifications of noncompliance, and the risks posed to the bank. Without this sort of general understanding, the board of directors cannot adequately monitor the program, including their oversight, policy/procedure approvals, and resource allocation.

Training is an ongoing necessity and should incorporate current developments and changes to the BSA and any related regulations. Inclusion of changes to internal policies, procedures, and processes in training coverage is a must to keep staff up-to-date on the bank’s expectations for compliance.

Examples of money laundering activity and suspicious activity monitoring and reporting can and should be tailored to each individual audience. For example, training for tellers should focus on examples involving large currency transactions or other suspicious activities; training for the loan department should provide examples involving money laundering through lending arrangements.

Lastly, banks should document their training programs. Copies of the training materials must be available in the bank for review by examiners. Documentation of attendance is an important step in the process. Signed attendance sheets (with employee job title and recording of completed online training) help ensure the adequacy of the bank’s training program.

Board Responsibilities

First, a bank’s board of directors (“board”) is ultimately responsible for the bank’s BSA compliance program. As noted earlier, this process begins with the board’s approval of its written BSA compliance program. In today’s current examination environment, such approval should follow the board being apprised of the bank’s BSA/AML/OFAC risk profile (discussed earlier). Only after evaluating a bank’s risks may it identify the necessary requirements of the bank’s written program. Communicating these risks to the board on a periodic and regular basis (i.e., annually) allows for such informed decisions. Therefore, the board should expect and demand regular updates on the status of the bank’s program.

The designation of a BSA compliance officer is another key element of an effective BSA compliance program. It is another of the board’s responsibilities to designate the staff member or members to carry out the program. Failure to identify and designate a knowledgeable and effective BSA compliance officer may eventually lead to an ineffective and possibly criticized BSA compliance program. Therefore, such designation of an effective BSA compliance officer is paramount.

As part of the overall responsibility for a bank’s BSA compliance program, the board is also responsible for assuring that risk-based independent audits are performed to assess the effectiveness of the program. While the BSA compliance officer typically coordinates and identifies potential individuals or firms to conduct such reviews, the final word rests with the board. In that light, the board, or a committee thereof, needs to be the catalyst to hire effective internal auditors or engage capable outside auditors. Additionally, the results from these audits need to be communicated directly to the board or indirectly through a committee of the board.

In addition to receiving periodic updates on the bank’s BSA risk profile, as well as results of independent audits, the board should expect to receive regular reports on the status of the bank’s BSA compliance program. Such status reports might include the following, one item of which is a mandatory requirement:

Notification of any suspicious activity reports that have been filed, generally at the next regularly scheduled board meeting (this is a regulatory mandate)

Updates on procedural changes, as appropriate

Education on new and/or amended regulatory requirements

Status of BSA-related training initiatives, including board member training

Changes or trends in the level of required reports, such as currency transaction reports

Industry-related BSA issues, trends, and concerns

Section 4: Definitions [31 C.F.R. § 1010.100]

All regulations have key definitions. These definitions are crucial to understanding each regulation, as a word may have slightly different meanings in different regulations. This section discusses the definitions that are included in Subpart A. There are several locations in the regulation that include another set of definitions. These definitions will be addressed in the sections of the manual in which those definitions are pertinent.

Accept – A receiving financial institution, other than the recipient’s financial institution, accepts a transmittal order by executing the transmittal order. A recipient’s financial institution accepts a transmittal order by paying the recipient, by notifying the recipient of the receipt of the order, or by otherwise becoming obligated to carry out the order.

At One Time – For purposes of the reporting requirements regarding international shipment of currency and monetary instruments [section 1010.340], a person who transports, mails, ships, or receives monetary instruments is deemed to do so “at one time” if that person, either alone, in conjunction with, or on behalf of others, transports, mails, ships, or receives in any manner monetary instruments, into or out of the United States, totaling more than $10,000 on any one calendar day (or, if for the purpose of evading the reporting requirements of section 1010.340, on one or more days).

Attorney General – The Attorney General of the United States.

Bank – Each agent, agency, branch, or office within the United States of any person doing business in one or more of the following capacities:

A commercial bank or trust company organized under the laws of any state or of the United States

A private bank

A savings and loan or building and loan association organized under the laws of any state or of the United States

A federally insured institution

A savings bank, industrial bank, or other thrift institution

A credit union organized under the laws of any state or of the United States

Any other organization chartered under the banking laws of any state and subject to the supervision of bank supervisory authorities of a state

A bank organized under foreign law

Any national banking association/corporation acting under the Federal Reserve Act

Bank Secrecy Act – The Currency and Foreign Transactions Reporting Act, its amendments, and the other statutes relating to the subject matter of that Act, have come to be referred to as the Bank Secrecy Act. These statutes are codified at 12 U.S.C. 1829b, 12 U.S.C. 1951–1959, 18 U.S.C. 1956, 18 U.S.C. 1957, 18 U.S.C. 1960, and 31 U.S.C. 5311–5314 and 5316–5332 and notes thereto.

Beneficiary – The person to be paid by the beneficiary’s bank.

Beneficiary’s Bank – The bank identified in a payment order in which an account of the beneficiary is to be credited pursuant to the order or which otherwise is to make payment to the beneficiary if the order does not provide for payment to an account.

Business Day – That day that is normally communicated to its depository customers on which a bank routinely posts a particular transaction to an account.

Commodity – Any good, article, service, right, or interest described in section 1a(4) of the Commodity Exchange Act (“CEA”), 7 U.S.C. 1a(4).

Common Carrier – Any person engaged in the business of transporting individuals or goods for a fee who holds himself out as ready to engage in such transportation for hire and who undertakes to do so for all persons who are prepared to pay the fee for the particular service offered.

Contract of Sale – Any sale, agreement of sale, or agreement to sell as described in section 1a(7) of the CEA, 7 U.S.C. 1a(7).

Currency – The coin and paper money of the United States or of any other country that is designated as legal tender and is customarily accepted as a medium of exchange in the country of issuance. (Examples: silver certificates, U.S. notes, Federal Reserve notes, and foreign currency that is an accepted medium of exchange.)

Deposit Account – Transaction accounts, savings accounts, and other time deposits.

Domestic – Refers to “doing business within the United States.”

Established Customer – A person with an account with the financial institution, including a loan account or deposit or other asset account, or a person with respect to which the financial institution has obtained and maintains on file the person’s name and address, as well as taxpayer identification number (e.g., Social Security or employer identification number) or, if none, alien identification number or passport number and country of issuance, and to which the financial institution provides financial services relying on that information.

Execution Date – The day on which the receiving financial institution may properly issue a transmittal order in execution of the sender’s order. The execution date may be determined by instruction of the sender but cannot be earlier than the day the order is received and, unless otherwise determined, is the day the order is received. If the sender’s instruction states a payment date, the execution date is the payment date or an earlier date on which execution is reasonably necessary to allow payment to the recipient on the payment date.

Federal functional regulator –

The Board of Governors of the Federal Reserve System;

The Office of the Comptroller of the Currency;

The Board of Directors of the Federal Deposit Insurance Corporation;

The Consumer Financial Protection Bureau;

The National Credit Union Administration;

The Securities and Exchange Commission; or

The Commodity Futures Trading Commission.

FinCEN – The Financial Crimes Enforcement Network, an office within the Office of the Under Secretary (Enforcement) of the Department of the Treasury.

Financial Institution – Each agent, agency, branch, or office within the United States of any person doing business, whether or not on a regular basis or as an organized business concern, in one or more of the following capacities:

A bank (except bank credit card systems)

A broker/dealer in securities

A money service business as defined below

A telegraph company

A casino/gambling casino licensed as a casino or gambling casino by a state or local government and having a gross gaming revenue in excess of $1,000,000 (includes principal headquarters and any branch of the business)

A card club licensed as a card club, gaming club, card room, or similar gaming establishment by a state or local government, and having gross gaming revenue in excess of $1,000,000 (includes principal headquarters and any branch of the business)

A person subject to supervision by any state/federal bank supervisory authority

A futures commission merchant

An introducing broker in commodities

Foreign Bank – A bank organized under foreign law located outside the United States. It does not include an agent, agency, branch, or office organized under foreign law located within the United States.

Foreign Financial Agency – A person acting outside the United States for a person (except for a country, a monetary or financial authority acting as a monetary or financial authority, or an international financial institution of which the United States government is a member) as a financial institution, bailee, depository trustee, or agent, or acting in a similar way related to money, credit, securities, or gold.

Funds Transfer – The series of transactions, beginning with the originator’s payment order, made for the purpose of making payment to the beneficiary of the order. The term includes any payment order issued by the originator’s bank or an intermediary bank intended to carry out the originator’s payment order. A funds transfer is completed by acceptance by the beneficiary’s bank of a payment order for the benefit of the beneficiary of the originator’s payment order. Funds transfers governed by the Electronic Fund Transfer Act of 1978, as well as any other funds transfers that are made through an automated clearinghouse, an automated teller machine, or a point of sale system, are excluded from this definition.

Futures Commission Merchant – Any person registered or required to be registered as a futures commission merchant with the Commodity Futures Trading Commission (“CFTC”) under the CEA, except persons who register pursuant to section 4f(a)(2) of the CEA, 7 U.S.C. 6f(a)(2).

Indian Gaming Regulatory Act – The Indian Gaming Regulatory Act of 1988 codified at 25 U.S.C. 2701–2721 and 18 U.S.C. 1166–68.

Intermediary Bank – A receiving bank other than the originator’s bank or the beneficiary’s bank.

Intermediary Financial Institution – A receiving financial institution, other than the transmitter’s financial institution or the recipient’s financial institution. The term “intermediary financial institution” includes an intermediary bank.

Introducing Broker-Commodities – Any person registered or required to be registered as an introducing broker with the CFTC under the CEA, except persons who register pursuant to section 4f(a)(2) of the CEA, 7 U.S.C. 6f(a)(2).

Investment Security – An instrument that (1) is issued in bearer or registered form; (2) is of a type commonly dealt with by securities exchanges or markets or commonly recognized in any area in which it is issued or dealt in as a medium for investment; (3) is either one of a class or series or by its terms is divisible into a class or series of instruments; and (4) evidences a share, participation, or other interest in property or in an enterprise, or evidences an obligation of the issuer.

Monetary Instruments – Currency; traveler’s checks in any form; negotiable instruments such as personal checks, business checks, official bank checks, cashier’s checks, third-party checks, promissory notes, and/or money orders; incomplete instruments (i.e., all of the instruments noted above signed but with the payee’s name omitted); and securities or stock in bearer form or in such other form that title passes upon delivery. The term does not include warehouse receipts or bills of lading.

Money Services Business – Each agent, agency, branch, or office within the United States of any person doing business, whether or not on a regular basis or as an organized business concern, in one or more of the capacities listed below. Notwithstanding the preceding sentence, the term “money services business” shall not include a bank, nor shall it include a person registered with, and regulated or examined by, the Securities and Exchange Commission or the Commodity Futures Trading Commission.

Dealer in foreign exchange – A person that accepts the currency, or other monetary instruments, funds, or other instruments denominated in the currency, of one or more countries in exchange for the currency, or other monetary instruments, funds, or other instruments denominated in the currency, of one or more other countries in an amount greater than $1,000 for any other person on any day in one or more transactions, whether or not for same-day delivery.

Check casher – A person that accepts checks or monetary instruments in return for currency or a combination of currency and other monetary instruments or other instruments, in an amount greater than $1,000 for any person on any day in one or more transactions. Facts and circumstances; Limitations. Whether a person is a check casher as described in this section is a matter of facts and circumstances. The term “check casher” shall not include:

o A person that sells prepaid access in exchange for a check, monetary instrument or other instrument;

o A person that solely accepts monetary instruments as payment for goods or services other than check cashing services;

o A person that engages in check cashing for the verified maker of the check who is a customer otherwise buying goods and services;

o A person that redeems its own checks; or

o A person that only holds a customer's check as collateral for repayment by the customer of a loan.

Issuer or seller of traveler's checks or money orders – A person that issues traveler's checks or money orders that are sold in an amount greater than $1,000 to any person on any day in one or more transactions or sells traveler's checks or money orders in an amount greater than $1,000 to any person on any day in one or more transactions.

Provider of prepaid access – A provider of prepaid access is the participant within a prepaid program that agrees to serve as the principal conduit for access to information from its fellow program participants. The participants in each prepaid access program must determine a single participant within the prepaid program to serve as the provider of prepaid access.

o Considerations for provider determination – In the absence of registration as the provider of prepaid access for a prepaid program by one of the participants in a prepaid access program, the provider of prepaid access is the person with principal oversight and control over the prepaid program. Which person exercises “principal oversight and control” is a matter of facts and circumstances. Activities that indicate “principal oversight and control” include:

Organizing the prepaid program;

Setting the terms and conditions of the prepaid program and determining that the terms have not been exceeded;

Determining the other businesses that will participate in the prepaid program, which may include the issuing bank, the payment processor, or the distributor;

Controlling or directing the appropriate party to initiate, freeze, or terminate prepaid access; and

Engaging in activity that demonstrates oversight and control of the prepaid program.

o Prepaid program – A prepaid program is an arrangement under which one or more persons acting together provide(s) prepaid access. However, an arrangement is not a prepaid program if:

It provides closed loop prepaid access to funds not to exceed $2,000 maximum value that can be associated with a prepaid access device or vehicle on any day;

It provides prepaid access solely to funds provided by a Federal, State, local, Territory and Insular Possession, or Tribal government agency;

It provides prepaid access solely to funds from pre-tax flexible spending arrangements for health care and dependent care expenses, or from Health Reimbursement Arrangements (as defined in 26 U.S.C. 105(b) and 125) for health care expenses; or

It provides prepaid access solely to:

Employment benefits, incentives, wages or salaries; or

Funds not to exceed $1,000 maximum value and from which no more than $1,000 maximum value can be initially or subsequently loaded, used, or withdrawn on any day through a device or vehicle; and

It does not permit:

o Funds or value to be transmitted internationally;

o Transfers between or among users of prepaid access within a prepaid program; or

o Loading additional funds or the value of funds from non-depository sources.

Money transmitter – A person that provides money transmission services. The term “money transmission services” means the acceptance of currency, funds, or other value that substitutes for currency from one person and the transmission of currency, funds, or other value that substitutes for currency to another location or person by any means. “Any means” includes, but is not limited to, through a financial agency or institution; a Federal Reserve Bank or other facility of one or more Federal Reserve Banks, the Board of Governors of the Federal Reserve System, or both; an electronic funds transfer network; or an informal value transfer system or any other person engaged in the transfer of funds.

Facts and circumstances; Limitations. Whether a person is a money transmitter as described in this section is a matter of facts and circumstances. The term “money transmitter” shall not include a person that only:

o Provides the delivery, communication, or network access services used by a money transmitter to support money transmission services;

o Acts as a payment processor to facilitate the purchase of, or payment of a bill for, a good or service through a clearance and settlement system by agreement with the creditor or seller;

o Operates a clearance and settlement system or otherwise acts as an intermediary solely between BSA regulated institutions. This includes but is not limited to the Fedwire system, electronic funds transfer networks, certain registered clearing agencies regulated by the Securities and Exchange Commission (“SEC”), and derivatives clearing organizations, or other clearinghouse arrangements established by a financial agency or institution;

o Physically transports currency, other monetary instruments, other commercial paper, or other value that substitutes for currency as a person primarily engaged in such business, such as an armored car, from one person to the same person at another location or to an account belonging to the same person at a financial institution, provided that the person engaged in physical transportation has no more than a custodial interest in the currency, other monetary instruments, other commercial paper, or other value at any point during the transportation;

o Provides prepaid access; or

o Accepts and transmits funds only integral to the sale of goods or the provision of services, other than money transmission services, by the person who is accepting and transmitting the funds.

U.S. Postal Service. The United States Postal Service, except with respect to the sale of postage or philatelic products.

Seller of prepaid access. Any person that receives funds or the value of funds in exchange for an initial loading or subsequent loading of prepaid access if that person:

o Sells prepaid access offered under a prepaid program that can be used before verification of customer identification under §1022.210(d)(1)(iv); or

o Sells prepaid access (including closed loop prepaid access) to funds that exceed $10,000 to any person during any one day, and has not implemented policies and procedures reasonably adapted to prevent such a sale.

For the purposes of this section, the term “money services business” shall not include:

o A bank or foreign bank;

o A person registered with, and functionally regulated or examined by, the SEC or the CFTC, or a foreign financial agency that engages in financial activities that, if conducted in the United States, would require the foreign financial agency to be registered with the SEC or CFTC; or

o A natural person who engages in an activity identified in paragraphs (ff)(1) through (ff)(5) of this section on an infrequent basis and not for gain or profit.

Mutual Fund – An “investment company” (as the term is defined in section 3 of the Investment Company Act (15 U.S.C. 80a–3)) that is an “open-end company” (as that term is defined in section 5 of the Investment Company Act (15 U.S.C. 80a–5)) registered or required to register with the Securities and Exchange Commission under section 8 of the Investment Company Act (15 U.S.C. 80a–8).

Option on a Commodity – Any agreement, contract, or transaction described in section 1a(26) of the CEA, 7 U.S.C. 1a(26).

Originator – The sender of the first payment order in a funds transfer.

Originator’s Bank – The receiving bank to which the payment order of the originator is issued if the originator is not a bank, or the originator if the originator is a bank or a foreign bank.

Payment Date – The day on which the amount of the transmittal order is payable to the recipient by the recipient’s financial institution. The payment date may be determined by instruction of the sender, but cannot be earlier than the day the order is received by the recipient’s financial institution and, unless otherwise prescribed by instruction, is the date the order is received by the recipient’s financial institution.

Payment Order – An instruction of a sender to a receiving bank, transmitted orally, electronically, or in writing, to pay, or to cause another bank to pay, a fixed or determinable amount of money to a beneficiary if all of the following conditions are met:

The instruction does not state a condition to payment to the beneficiary other than time of payment.

The receiving bank is to be reimbursed by debiting an account of, or otherwise receiving payment from, the sender.

The instruction is transmitted by the sender directly to the receiving bank or to an agent, funds transfer system, or communication system for transmittal to the receiving bank.

Person – All entities recognized as legal personalities (individuals, corporations, partnerships, trusts or estates, joint stock companies, associations, syndicates, joint ventures, Indian tribes, and other unincorporated groups or organizations).

Receiving Bank – The bank or foreign bank to which the sender’s instruction is addressed.

Receiving Financial Institution – The financial institution or foreign financial agency to which the sender’s instruction is addressed. The term “receiving financial institution” includes a receiving bank.

Recipient – The person to be paid by the recipient’s financial institution. The term “recipient” includes a beneficiary, except where the recipient’s financial institution is a financial institution other than a bank.

Recipient’s Financial Institution – The financial institution identified in a transmittal order in which an account of the recipient is to be credited pursuant to the transmittal order or which otherwise is to make payment to the recipient if the order does not provide for payment to an account. The term “recipient’s financial institution” includes a beneficiary’s bank, except where the beneficiary is a recipient’s financial institution.

Secretary – The Secretary of the Treasury or any other person designated to perform the function mentioned.

Security – Any instrument or interest described in section 3(a)(10) of the Securities Exchange Act of 1934, 15 U.S.C. 78c(a)(10).

Self-regulatory organization – Shall have the same meaning as provided in section 3(a)(26) of the Securities Exchange Act of 1934 (15 U.S.C. 78c(a)(26)); and means a “registered entity” or a “registered futures association” as provided in section 1a(29) or 17, respectively, of the Commodity Exchange Act (7 U.S.C. 1a(29), 21).

Sender – The person giving the instruction to the receiving financial institution.

State – The States of the United States and, wherever necessary to carry out the provisions of this part, the District of Columbia.

Prepaid access – Access to funds or the value of funds that have been paid in advance and can be retrieved or transferred at some point in the future through an electronic device or vehicle, such as a card, code, electronic serial number, mobile identification number, or personal identification number.

Structure (Structuring) – For purposes of section 1010.314, a person structures a transaction if that person, acting alone or in conjunction with, or on behalf of, other persons, conducts or attempts to conduct one or more transactions in currency, in any amount, at one or more financial institutions, on one or more days, in any manner, for the purpose of evading the reporting requirements under sections 1010.311, 1010.313, 1020.315, 1021.311 and 1021.313 of the regulation. “In any manner” includes, but is not limited to, the breaking down of a single sum of currency exceeding $10,000 or the conduct of a transaction, or series of currency transactions, including transactions at or below $10,000. The transaction or transactions need not exceed the $10,000 reporting threshold at any single financial institution on any single day in order to constitute structuring within the meaning of this definition.

Taxpayer Identification Number – Taxpayer Identification Number (“TIN”) is defined by section 6109 of the Internal Revenue Code of 1986 (26 U.S.C. 6109) and the Internal Revenue Service regulations implementing that section (e.g., social security number or employer identification number).

Territories and Insular Possessions – The Commonwealth of Puerto Rico, the United States Virgin Islands, Guam, the Commonwealth of the Northern Mariana Islands, and all other territories and possessions of the United States other than the Indian lands and the District of Columbia.

Transaction Account – Accounts that take deposits and are subject to withdrawal by check or other negotiable order (includes money market accounts).

Transaction in Currency – A transaction that involves the actual physical transfer of currency from one person to another.

Transmittal of Funds – A series of transactions beginning with the transmitter’s transmittal order, made for the purpose of making payment to the recipient of the order. The term includes any transmittal order issued by the transmitter’s financial institution or an intermediary financial institution intended to carry out the transmitter’s transmittal order. The term “transmittal of funds” includes a funds transfer. A transmittal of funds is completed by acceptance by the recipient’s financial institution of a transmittal order for the benefit of the recipient of the transmitter’s transmittal order. Funds transfers governed by the Electronic Fund Transfer Act of 1978, as well as any other funds transfers that are made through an automated clearinghouse, an automated teller machine, or a point of sale system, are excluded from this definition.

Transmittal Order – The term “transmittal order” includes a payment order and is an instruction of a sender to a receiving financial institution, transmitted orally, electronically, or in writing, to pay, or to cause another financial institution to pay, a fixed or determinable amount of money to a recipient if all of the following conditions are met:

The instruction does not state a condition to payment to the recipient other than time of payment.

The receiving financial institution is to be reimbursed by debiting an account of, or otherwise receiving payment from, the sender.

The instruction is transmitted by the sender directly to the receiving financial institution or to an agent or communication system for transmittal to the receiving financial institution.

Transmitter – The sender of the first transmittal order in a transmittal of funds. The term “transmitter” includes an originator, except where the transmitter’s financial institution is a financial institution other than a bank.

Transmitter’s Financial Institution – The receiving financial institution to which the transmittal order of the transmitter is issued if the transmitter is not a financial institution or foreign financial agency, or the transmitter if the transmitter is a financial institution. The term “transmitter’s financial institution” includes an originator’s bank, except where the originator is a transmitter’s financial institution other than a bank.

United States – The states of the United States, the District of Columbia, the Commonwealth of Puerto Rico, the U.S. Virgin Islands, Guam, the Commonwealth of the Northern Mariana Islands, American Samoa, the Trust Territory of the Pacific Islands, and all other territories and possessions of the United States and/or any political subdivision or subdivisions thereof.

U.S. Person – A United States citizen; or a person other than an individual (such as a corporation, partnership or trust), that is established or organized under the laws of a State or the United States. Non-U.S. person means a person that is not a U.S. person.

United States Postal Service – The United States Postal Service, except with respect to the sale of postage or philatelic products.

Closed loop prepaid access – Prepaid access to funds or the value of funds that can be used only for goods or services in transactions involving a defined merchant or location (or set of locations), such as a specific retailer or retail chain, a college campus, or a subway system.

Section 5: Currency Transaction Reports

Over the course of the history of the Bank Secrecy Act, the Secretary of the Treasury has determined that the reports required by the regulation have a high degree of usefulness in the proceedings that surround criminal, tax, or regulatory investigations. Therefore, the regulation outlines very specific guidelines for the submission of the reports deemed useful for this purpose.

Reports of Currency Transactions [31 C.F.R. § 1010.311]

General Rule

Each financial institution must file a report of each deposit, withdrawal, exchange of currency, or other payment or transfer by, through, or to such an institution that involves a transaction of currency of more than $10,000.00.

Types of currency transactions subject to reporting requirements individually or by aggregation include, but are not limited to:

denomination exchanges,

individual retirement accounts (IRAs),

loan payments,

automated teller machine (ATM) transactions,

purchases of certificates of deposit,

deposits,

withdrawals,

funds transfers paid for in currency, and

monetary instrument purchases.

Banks must develop systems necessary to aggregate currency transactions throughout the bank. The BSA officer along with bank management should ensure that an adequate system is implemented that will appropriately report currency transactions subject to the BSA requirement.

Multiple Transactions [31 C.F.R. § 1010.313]

Multiple currency transactions must be treated as a single transaction if the financial institution has knowledge that the transactions are made by or on behalf of any one person and result in cash in or cash out in an amount that exceeds $10,000 during any one business day. Knowledge, in this context, means knowledge on the part of a partner, director, officer, or employee of the financial institution or on the part of any existing automated or manual system at the financial institution that permits it to aggregate transactions.

Holiday, Weekend, or Night Deposits

Deposits made at night, over a weekend, or during a holiday must be treated as if they were received the next business day.

CTR Backfiling

If a bank fails to file CTRs on reportable transactions for a specific customer, the bank should immediately begin filing CTRs for this customer, and should contact the Internal Revenue Service (IRS) Enterprise Computing Center - Detroit at 800-800-2877 to request a determination on whether the back filing of unreported transactions is necessary.

Currency Transaction Reporting Guidelines [31 C.F.R. § 1010.330]

Financial institutions are to use FinCEN Form 104: Currency Transaction Report to report any reportable transaction as defined above. The regulation calls for making reports in a timely manner. The following guidelines should be used when filing this form [31 C.F.R. § 1010.306]:

1. A report must be filed by the financial institution within 15 days following the day on which the reportable transaction occurred.

2. A report must be filed by the financial institution within 15 days after receiving a request for the report.

3. A copy of each report filed must be retained by the financial institution for a period of five years from the date of the report.

4. All reports required to be filed must be filed with the Commissioner of Internal Revenue, unless otherwise specified.

5. The report shall be filed on forms prescribed by the Secretary. All information called for in such forms shall be furnished.

Transactions between Financial Institutions and Exempt Persons [31 CFR § 1020.315]

Reports of transactions are not required from Federal Reserve Banks, Federal Home Loan Banks, transactions that occur between domestic banks, and reports by non-bank banks of transactions with commercial banks. However, commercial banks must report such transactions with non-bank banks.

Reports of transactions between banks and exempt persons are not required. Exempt persons are discussed in Section 6 of this manual.

Identification Required [31 C.F.R. § 1010.312]

Before concluding any transaction in which a report is required, the financial institution must verify and record the required information in the following manner:

1. Record the name and address of the person presenting the transaction.

2. Record the identity, account number, and tax identification number of any person/entity that the transaction will affect.

3. Verification of the identity of an individual who indicates he or she is an alien or is not a resident of the United States must be made by a passport, alien identification card, or other official document evidencing nationality or residence.

4. Verification of identity in any other case must be made by examination of a document (not a financial institution signature card) that is normally accepted within the banking community as a means of cashing checks for nondepositors. A financial institution signature card may be relied upon only if it was issued after examining documents for establishing the identity of the person in question and such note was made on the signature card.

5. In each instance, the identifying information used in verifying the identity of the customer must be recorded on the report. (The notation of “known customer” or “financial institution signature card on file” is not sufficient and is prohibited.)

Elderly/Disabled Exception

Certain elderly or disabled patrons do not possess identification documents that would normally be considered acceptable within the banking community (e.g., driver’s licenses, passports, or state issued identification cards). Accordingly, the procedure set forth below should be followed to fulfill the identification verification requirements of sections 1010.312 and 1010.415.

According to a Treasury Administrative Ruling [FIN-1992-R001], financial institutions may accept as appropriate identification a Social Security, Medicare, Medicaid, or other insurance card presented along with another document that contains both the name and address of the patron (e.g., an organization membership card, voter registration card, utility bill, or real estate tax bill). Such forms of identification shall be specified in the bank’s formal written policy and operating procedures as acceptable identification for transactions involving elderly or disabled patrons who do not possess identification documents normally considered acceptable within the banking community for cashing checks for nondepositors.

This procedure may be applied only if the following circumstances exist:

1. The financial institution must establish that the identification the elderly or disabled patron has is limited to a Social Security or Medicare/Medicaid card plus another document that contains the patron’s name and address.

2. The financial institution must use whatever information it has available, or policies and procedures it has in place, to determine the patron’s identity. If the patron is a deposit account holder, the financial institution should review its internal records to determine if there is information on file to verify the patron’s identity.

3. Only if the financial institution is confident that the elderly or disabled patron is who he (she) says he is may the transaction be concluded.

Failure to identify an elderly or a disabled customer’s identity as required by 31 C.F.R. § 1010.312 and as described herein may result in the imposition of civil and/or criminal penalties.

The financial institution shall establish a formal written policy and shall implement operating procedures for processing reportable currency transactions or recording cash sales of certain monetary instruments to elderly or disabled patrons who do not have forms of identification ordinarily considered “acceptable.” Once implemented, the financial institution shall permit no exceptions to its policy and procedures. In addition, financial institutions are encouraged to record the elderly or disabled patron’s identity and address. When the information has been obtained and verified, the method of identification should be noted on a signature card or other record.

In completing a CTR, if all of the above conditions have been satisfied, the financial institution should enter the words “Elderly” or “Disabled” and the method used to verify the patron’s identity, such as “Social Security and (Organization) Membership Cards Only ID.”

Retention Period [31 C.F.R. § 1010.430]

All records must be retained for a period of five years and will be stored in such a way as to be accessible within a reasonable amount of time, taking into account the nature of the record and the amount of time expired since the record was made.

The CTR

The following pages include the actual CTR report.

Section 6: Targeting Orders [31 C.F.R. § 1010.370]

Introduction

If the Treasury Department determines, or receives a request from an appropriate Federal or State law enforcement official, and concludes that reasonable grounds exist for requiring additional recordkeeping and/or reporting requirements to be imposed, then the Treasury Department may issue a targeting order. These orders are to prevent persons from evading the reporting and/or recordkeeping requirements of the regulation. The order may be issued requiring any domestic financial institution or group of domestic financial institutions in a geographic area and any other person participating in the type of transaction to file a report in the format specified in such order.

When an order is issued to a financial institution, it must be directed to the Chief Executive Officer of the financial institution and must designate one or more of the following categories of information to be reported: each deposit, withdrawal, exchange of currency, or other payment or transfer by, through, or to such financial institution specified in the order, which involves all or any class of transactions in currency and/or monetary instruments equal to or exceeding an amount to be specified in the order.

Targeting Order Content

An issued order must prescribe all of the following:

1. The dollar amount of transactions subject to the reporting requirement in the order

2. The type of transaction(s) subject to or exempt from a reporting requirement in the order

3. The appropriate form for reporting the transactions required in the order

4. The address to which reports required in the order are to be sent or from which they will be picked up

5. The starting and ending dates by which such transactions specified in the order are to be reported

6. The name of a Treasury official to be contacted for any additional information or questions

7. The amount of time the reports and records of reports generated in response to the order will have to be retained by the financial institution

8. Any other information deemed necessary to carry out the purposes of the order

Prohibited Disclosure

No officer, director, employee, or agent of any financial institution subject to a special reporting order can disclose the existence or terms of the order except as authorized by the Treasury Department.

Term of Order

No order issued can prescribe a reporting period of more than 60 days unless renewed pursuant to the requirements of the regulations.

Revised Orders

Any revisions to an order issued under this section will not be effective until made in writing.

Treatment of Exemptions During the Order

Unless otherwise specified in the order, a financial institution receiving an order under this section may continue to use the exemptions granted under section 1020.315 of the regulation prior to receipt of the order, but it may not grant additional exemptions.

Section 7: CTR Exemptions [31 C.F.R. § 1020.315]

Introduction

The Department of the Treasury’s experience in enforcing the Bank Secrecy Act has shown that certain legitimate businesses engage in regular and frequent currency transactions with domestic banks. The routine reporting of these transactions is not likely to be useful to law enforcement agencies. Treasury has, therefore, included in the BSA regulations, provisions that permit banks to exempt certain entities or accounts of certain customers from the Currency Transaction Report (CTR) reporting requirements.

The Money Laundering Suppression Act of 1994 (MLSA) established a two-phase exemption process. Under Phase I exemptions, transactions in currency by banks, governmental departments or agencies, and public or listed companies and their subsidiaries are exempt from reporting. Under Phase II exemptions, transactions in currency by smaller businesses that meet specific criteria laid out in FinCEN’s regulations may be exempted from reporting. The standards for what constitutes eligible Phase I and Phase II Exempt Persons follow below. The definitions changed January 5, 2009.

Phase I Exempt Persons

1. A bank, to the extent of its domestic operations.

2. A department or agency of the United States, of any state, or of any political subdivision of any state.

3. Any entity exercising governmental authority established under the laws of the United States, of any state, of any political subdivision of any state, or under an interstate compact between two or more states.

4. Any entity, other than a bank, whose common stock or other analogous equity interest is listed on the New York Stock Exchange or the American Stock Exchange or whose common stock or analogous equity interest has been designated as a NASDAQ National Market Security listed on the NASDAQ Stock Market (except stock listed under the separate “NASDAQ Capital Markets Companies” heading). Under this heading, a person that is a financial institution other than a bank is exempt only to the extent of its domestic operations.

5. Any subsidiary of any corporation (non-bank entity) described above that is organized under the laws of the United States or of any state and at least 51 percent of whose common stock or analogous equity interest is owned by the listed entity, to the extent of its domestic operations.

Designating Phase I Exempt Persons

The rule imposes one condition on a bank’s exemption of currency transactions of a customer who satisfies the definition of an exempt person. That condition is that a single form be filed designating the exempt person and the bank. FinCEN has a form (FinCEN 110) specifically for this purpose.

The designation form will exempt all transaction accounts of the customer. Transaction accounts include demand deposits, negotiable order of withdrawal accounts, savings deposits subject to automatic transfers, and share draft accounts.

The designation of new customers as exempt persons should be made no later than 30 days following the first transaction in currency in excess of $10,000 between a bank and the new customer. It should be noted, however, that FinCEN wishes financial institutions to file designations whenever they become aware of a qualifying customer who has had currency transactions exceeding $10,000.00.

Banks do not need to file the exemption form, or perform any annual due diligence for:

Federal Reserve Banks and other banks, to the extent of their domestic operations,

Government Departments or Agencies (National, state, or local)

Any entities exercising government control under national, state, or local law

Banks do need to file the form for any other Phase I exemptions with whom they do business.

Phase II Exempt Persons

“Non-listed businesses” are Phase II exemptions. The following businesses are not eligible non-listed businesses. In other words, they may not be exempted.

Non-Exemptible Non-Listed Businesses

A business engaged primarily in one or more of the following activities may not be treated as a non-listed business:

Businesses serving as financial institutions or agents of financial institutions of any type;

Purchase or sale to customers of motor vehicles of any kind, vessels, aircraft, farm equipment or mobile homes;

The practice of law, accountancy, or medicine;

Auctioning of goods;

Chartering or operation of ships, buses, or aircraft;

Gaming of any kind (other than licensed pari-mutuel betting at race tracks);

Investment advisory services or investment banking services;

Real estate brokerage;

Pawn brokerage;

Title insurance and real estate closing;

Trade union activities; and

Any other activities that may be specified by FinCEN.

A business that engages in multiple business activities may be treated as a non-listed business so long as no more than 50 percent of its gross revenue is derived from one or more of the ineligible business activities. Before issuing a Phase II exemption, banks are encouraged to determine if any additions or amendments have been made to the non-exemptible non-listed business list.

Questions often arise in determining the “gross revenue” of gaming activities, such as lottery sales. FinCEN has ruled that for the purpose of determining if a business derives more than 50 percent of its gross revenue from gaming, the term gross revenue is intended to encompass the amount of money that a business actually earns from a particular activity, rather than the sales volume of such activity conducted by the business. For example, if a business engages in lottery sales, the “gross revenue” from this activity would be the amount of money that the business actually earns from lottery sales, rather than the amount of money that the business takes in on behalf of the state lottery system. See FinCEN Ruling 2002-1 at:

http://www.fincen.gov/news_room/rp/rulings/pdf/fincenruling2002-1.pdf

Exemptible Non-Listed Businesses

1. A non-listed business, to the extent of its domestic operations, other than those listed as non-exemptible, that:

a. Has maintained a transaction account at the bank for at least two months;

b. Frequently engages in transactions in currency with the bank in excess of $10,000, defined as at least five transactions per year; and

c. Is incorporated or organized under the laws of the United States or a state, or is registered as and eligible to do business within the United States or a state.

2. A payroll customer, with respect solely to withdrawals for payroll purposes from existing transaction accounts, that:

a. Has maintained a transaction account at the bank for at least two months;

b. Operates a firm that regularly withdraws (at least five times per year) more than $10,000 in order to pay its United States employees in currency; and

c. Is incorporated or organized under the laws of the United States or a state, or is registered as and eligible to do business within the United States or a state.

3. A non-listed business or payroll customer that meets the criteria of 1 or 2 above, and has maintained a money market deposit account (MMDA), used for business purposes, for at least two months (along with a transaction account) is eligible to have the MMDA exempted also.

As noted above, the term “frequently” means five or more times per year. Depending upon the type of business, all five transactions may occur only at certain times of the year. For instance, a golf course in a northern area of the country may only have transactions in excess of $10,000.00 during the summer months. The rules state that seasonality such as this is acceptable for the purposes of this rule. Therefore, if the golf course only has large deposits in the summer, and at least five of them are for amounts in excess of $10,000.00, the golf course may be exempted.

A sole proprietorship may be treated as a non-listed business (Phase II exemption) if the business otherwise meets the definition set forth in items 1 through 3 above. Care should be taken not to confuse the customer’s personal accounts and activities with the customer’s business accounts and activities.

Designating Phase II Exempt Persons

The initial designation of Phase II exempt persons is essentially the same as for Phase I exempt persons. Phase II initial exemptions must be filed designating the exempt person and the bank. FinCEN Form 110 is specifically designed for this purpose.

The designation form will exempt all transaction accounts of the customer. Transaction accounts include demand deposits, negotiable order of withdrawal accounts, savings deposits subject to automatic transfers and share draft accounts. As noted above, the exemption also can extend to MMDAs of Phase II exempt persons.

Risk-Based Analysis to Exempt Non-Listed Businesses

Notwithstanding the above-mentioned criteria, a bank may choose to designate a non-listed business or a payroll customer as an exempt person before the customer has maintained a transaction account for at least two months if the bank conducts and documents a risk-based assessment of the customer and forms a reasonable belief that the customer has a legitimate business purpose for conducting frequent transactions in currency. This permitted risk-based assessment was added to the BSA effective January 5, 2009.

The final rule, as published in the Federal Register, included the following commentary as it relates to conducting a risk-based assessment on non-listed businesses:

“When conducting a risk-based analysis to determine the Phase II exemption eligibility of a customer, the depository institution should form a reasonable belief that the customer has a legitimate business purpose for conducting frequent transactions in currency. Factors the depository institution might consider in order to form a reasonable belief include, but are not limited to: whether the depository institution had a past relationship with the customer, certain specific characteristics of the customer’s business model that may be pertinent, the types of business in which the customer engages, and where the business is operating. Exempting an otherwise eligible Phase II customer prior to two months’ time may be particularly appropriate when, for example: a returning customer reopens a previously maintained exempt transaction account with the institution; a customer that would now be eligible for Phase II exemption but under the current regulations was previously not eligible because the customer had conducted fewer than eight, but at least five, large cash transactions; or, when a customer that was a publicly listed company or a subsidiary becomes ineligible for exemption under Phase I, but may be designated for exemption under Phase II.”

Operating Procedures

In addition to the preceding changes to the exempt person rules, the Treasury has also elected to remove the requirement to conduct an annual review of certain Phase I exempt persons (i.e., those where a FinCEN Form 110 is not necessary). There continues to be, however, an annual review requirement for the remaining Phase I and all Phase II exempt persons.

First, a bank must annually ascertain that a customer continues to qualify as an exempt person. Second, a bank must, at least annually and as necessary, review its monitoring of the currency transactions of its Phase II exempt customers for suspicious activity. A bank should retain documentation of these reviews.

Banks are expected to perform the same degree of due diligence in determining whether a customer is an exempt person (and documenting that determination) that a reasonable and prudent bank would perform to conduct its own business in order to avoid losses from fraud or misstatement. The objective is to allow bankers, who have already designed business procedures and protocols to deal with similar problems, to adapt their present procedures to achieve the results sought. An assessment of compliance will focus not on whether a bank necessarily makes every judgment perfectly, but on whether it takes the steps a reasonable and prudent banker would take to create appropriate systems.

Annual Review – Phase I Exemptions

The rule permits a bank to determine the status of a customer as a government department, agency, or instrumentality based on its name or community knowledge. An entity generally exercises “governmental authority” only if its authorities include one or more of the powers to tax, to exercise the authority of eminent domain or to exercise police powers with respect to matters within its jurisdiction.

To determine whether a customer is a listed corporation, a bank may rely on any:

New York Stock Exchange, American Stock Exchange, or NASDAQ Stock Market listing published in a newspaper of general circulation;

commonly accepted or published stock symbol guide;

information contained in the Securities and Exchange Commission Edgar System; or

information contained on an Internet World Wide Web site or sites maintained by the New York Stock Exchange, the American Stock Exchange, or the National Association of Securities Dealers.

In determining whether a person is a subsidiary of a listed entity, a bank may rely upon the following:

Any reasonably authenticated corporate officer’s certificate;

Any reasonably authenticated photocopy of Internal Revenue Service Form 851 (Affiliation Schedule) or the equivalent thereof for the appropriate tax year; or

A person’s Annual Report or Form 10-K, as filed in each case with the Securities and Exchange Commission.

Annual Review – Phase II Exemptions

Phase II exemptions are non-listed businesses and require a different type of annual review.

The bank must determine that the Phase II exempt customer continues to qualify for exempt status. To qualify, the accounts need to meet all of the original requirements of the initial exemption process, including the requirement that there be at least five transactions in currency in excess of the $10,000 limit during the previous 12 months.

Aggregated Accounts

In determining the qualification of a customer as an exempt person, a bank may treat all transaction accounts of the customer as a single account. If a bank elects to treat all transaction accounts of a customer as a single account, the bank must continue to treat such accounts consistently as a single account for purposes of determining the qualification of the customer as an exempt person.

Limitations on Exemption

The exemption for transactions by an exempt person applies only to transactions involving that person’s own funds and does not apply to situations in which an exempt person is engaging in a transaction as an agent on behalf of another, beneficial owner of currency. In other words, an exempt person cannot lend its status, for a fee or otherwise, to another person’s transactions.

In addition, the provisions of the new rule create an exemption only with respect to the currency transaction reporting requirement. The rule does not create any exemption, and in fact has no effect of any kind, on the requirement that banks file Suspicious Activity Reports on transactions, including currency and non-currency transactions, that meet the Suspicious Activity Report filing requirements.

For example, multiple exchanges of small denominations of currency into large denominations of currency or currency transactions that are not (or whose amounts are not) commensurate with the stated business or other activity of the exempt person may indicate the need to file a Suspicious Activity Report. Similarly, a sudden need for currency by a business that never before had such a need can form a basis for the determination that a Suspicious Activity Report is due.

Limitations on Liability

No bank will be subjected to penalties for failure to file a Currency Transaction Report, unless the bank:

Knowingly files false or incomplete information with respect to the transaction or the customer engaging in the transaction; or

Has reason to believe that the customer does not meet the criteria established for exemptions, or the transaction is not that of an exempt person.

If the bank subsequent to the filing determines that the customer no longer meets the requirements, and had no prior knowledge of this fact, there will be no penalty. However, the bank is required to assure that it does a full and complete analysis and review at the time of the annual review, to assure that the “error” does not continue past that point.

If the bank files a CTR for an exempt customer, it will be subject to the same rules and restrictions as if the customer was not exempt. Therefore, any errors will be treated as exception items, even though the customer was exempt.

Revocations

FinCEN has the authority to revoke the status of any person as an exempt person by written notification published in the Federal Register. In addition, and without any action on the part of the Treasury Department, the status of a corporation as an exempt person ceases once the corporation ceases to be listed on the applicable stock exchange. Likewise, the status of a subsidiary as an exempt person ceases once the subsidiary ceases to be included in a consolidated federal income tax return.

If the bank determines that an exemption is no longer appropriate, the bank may revoke the exemption at any time, without notice.

FinCEN Guidance

On June 11, 2012, FinCEN issued the following guidance. It has been formatted for manual purposes, but the text remains unchanged.

Guidance on Determining Eligibility for Exemption from Currency Transaction Reporting Requirements

FIN-2012-G003

Issued: June 11, 2012

Subject: Guidance on Determining Eligibility for Exemption from Currency Transaction Reporting Requirements

This document revises the guidance originally published on August 31, 2009, to implement the following changes:

Relevant citations have been updated to reflect the final rule transferring FinCEN's regulations from 31 CFR § 103 to 31 C.F.R. Chapter X, effective March 1, 2011, and as published at 75 FR 65806;

The portion of the guidance dealing with exemption eligibility for payroll customers has been amended in accordance with the final rule amending 31 C.F.R. § 1020.315, published at 77 FR 33638 on June 7, 2012.

I. Background:

The Financial Crimes Enforcement Network ("FinCEN") is issuing this guidance to help banks1 determine whether a customer is eligible for exemption from currency transaction reporting requirements.2 This guidance provides examples and answers to commonly asked questions regarding the final rules3 that FinCEN issued in December, 2008 and June, 2012, which amended the currency transaction report ("CTR") exemption requirements ("the final rules").

The Bank Secrecy Act and its implementing regulations require financial institutions to file a CTR on any transaction in currency of more than $10,000.4 The regulations in the Bank Secrecy Act also provide banks with the ability to exempt certain customers from currency transaction reporting. 5

1 Pursuant to the Bank Secrecy Act, the term "bank" includes inter alia each agent, agency, branch, or office within the United States of any person doing business as a commercial bank, a savings and loan association, a thrift institution, a credit union, or a foreign bank, 31 C.F.R. § 1010.100(d).

2 FinCEN consulted with the staffs of the Board of Governors of the Federal Reserve System, the Federal Deposit Insurance Corporation, the National Credit Union Administration, and the Office of the Comptroller of the Currency prior to issuing this guidance.

3 See 73 FR 74010 and 77 FR 33638, respectively.

4 31 CFR § 1010.310.

5 31 C.F.R. § 1020.315.

A. 2008 GAO Report

In 2008, the Government Accountability Office ("GAO") issued a report6 concluding, among other things, that the information provided on CTRs provides unique and reliable information essential to a variety of efforts, including law enforcement investigations, regulatory and counter-terrorism matters. In this same report, the GAO recommended several changes to the exemption requirements, which FinCEN addressed in the final rules. The GAO also concluded that additional web-based guidance was necessary to help banks determine eligibility for exemption, which FinCEN is addressing in this guidance document.

B. The Final Rules - CTR Exemption Changes

Overview of the requirements of the final rules:

The final rules, which went into effect on January 5, 2009 and June 7, 2012, make the following substantive changes to the previous CTR exemption system:

Elimination of designation and annual review for most Phase I customers.7 Banks are no longer required to file a designation of exempt person ("DOEP") report for, or conduct an annual review of, customers who are other depository institutions operating in the United States, U.S. or State governments, or entities acting with governmental authority. The DOEP filing and annual review are still required for businesses listed on a major national stock exchange ("listed businesses"), non-listed businesses, and payroll customers.

"Frequently" decreased to five reportable transactions. Banks may designate an otherwise eligible non-listed business customer or payroll customer8 for exemption after the customer has within a year conducted five or more reportable transactions in currency (previously, eight or more reportable transactions were required).

Waiting time for eligibility decreased. Banks may use a hybrid approach to designate an otherwise eligible customer for a Phase II exemption: The customer may be eligible for exemption after maintaining a transaction account for two months (previously twelve months were required); or, the customer may be eligible for exemption in less than two months if the bank conducts a risk-based analysis to form a reasonable belief that the customer has a legitimate business purpose for conducting frequent or regular large currency transactions.

Biennial renewals eliminated. Banks are no longer required to file a biennial renewal or record and report a change of control for an exempt Phase II customer.

These final rules, along with the existing requirements established by previous rulemakings, have simplified the exemption process by generally authorizing a bank to treat a customer as exempt from currency transaction reporting under the following circumstances:

6 See ''Bank Secrecy Act: Increased Use of Exemption Provisions Could Reduce Currency Transaction Reporting While Maintaining Usefulness to Law Enforcement Efforts'' GAO-08-355 (GAO: Washington, D.C.: Feb. 21, 2008).

7 Entities commonly known as "Phase I" are defined in 31 C.F.R. § 1020.315(b)(1)-(b)(5).

8 Entities commonly known as "Phase II" are defined in 31 C.F.R. § 1020.315(b)(6) and (b)(7).

The chart above indicates that for Phase I customers, a bank may immediately treat as exempt any eligible entity without concern for the time it has been a customer of the bank or the number of reportable transactions it has conducted. Additionally, because the "ineligible businesses" provision applies only to non-listed business exemptions, a Phase I customer may be treated as exempt regardless of their involvement in such activities. For all Phase I customers other than listed businesses and their subsidiaries, no DOEP or annual review is required.

Before treating a non-listed business or payroll customer as exempt, a bank must first determine that the customer has conducted five or more transactions within the previous year, has been a customer of the bank for at least two months (or less time on a risk-assessed basis), and, in the case of non-listed businesses, derives no more than 50% of its gross revenues from any ineligible business activity. 9

Banks must file DOEP reports and conduct annual reviews for all Phase II customers (whether they are non-listed businesses or payroll customers), as well as for listed businesses and their subsidiaries.

9 For additional discussion of the "50% rule" relating to ineligible businesses, see http://www.fincen.gov/statutes_regs/guidance/pdf/fin-2009-g001.pdf.

The final CTR exemption rules do not relieve banks of their separate obligation to conduct suspicious activity monitoring and reporting for both Phase I and Phase II exempt customers.10

II. Frequently asked questions:

Since the publication of the final rules, FinCEN has received questions regarding various provisions. FinCEN is issuing answers to these questions to assist banks in understanding the scope and application of the final rules.

A. Timing

Question: When should a bank make a risk-based determination to exempt an otherwise eligible Phase II customer before they have been a customer for two months?

Answer: The preamble to the 2008 final rule provides some examples of criteria that may be appropriate when making such a risk-based decision. For example, banks could consider the nature of the market the customer serves, the type of services offered, the location of the business, and whether the bank had a past relationship with the customer. In light of such factors, possible examples of customers who may qualify for exemption prior to two months may include the following:

Returning customers that reopen a previously maintained exempt transaction account with the bank;

Customers whose exempt status has changed (for example, when a customer that was a publicly listed company privatizes and is otherwise eligible for Phase II exemption).

The above examples are not intended to be exhaustive, but rather representative of the types of customer relationships where a risk-based determination to exempt prior to two months may be appropriate. Readers should note that for each of the examples provided above, there is some factor contributing to a bank's level of knowledge exceeding what is typical for a new customer being considered for exemption. Such knowledge, or other mitigating factors, could assist the bank in forming a reasonable conclusion that the risk of exempting the customer prior to two months was low.

Banks are not required to use the risk-based approach. FinCEN originally proposed11 removing any prescribed amount of time before a bank could consider a Phase II customer for exemption, enabling a bank to make a risk-based determination of when to exempt in all instances. Due to comments submitted in response to that proposal, however, FinCEN implemented a hybrid approach that allows banks to choose the flexibility of a risk-based approach or the simplicity of the two-month threshold.

10 See 31 CFR § 1020.320.

11 See 73 FR 22101.

Banks should remember that even if using the two month approach, they are required at least annually to conduct a review of the customer to determine continued eligibility for exemption and to monitor for suspicious activity.

B. Frequency

Question: Using the risk-based approach, can a bank exempt a non-listed business or payroll customer prior to the two month mark even if the customer has conducted fewer than five transactions?

Answer: No. The risk-based approach for determining when to exempt a Phase II customer gives latitude with respect to the timeframe only (i.e., allowing for exemption of customers that have been customers for less than two months). None of the other criteria necessary for Phase II exemption can be adjusted as part of that risk-based approach, including the criteria for a non-listed business or payroll customer to engage frequently in reportable transactions. Thus, before a bank may exempt a non-listed business or payroll customer, that customer must have conducted at least five reportable transactions. FinCEN believes that without such a frequent large cash transaction volume, a bank could not reasonably expect to have sufficient knowledge of its customer to justify the risk-based approach.

C. Corporate structure and reorganization

Question: What is the status of an exempt customer that previously was a listed public company but has reorganized as a private company?

Answer: If a Phase I customer no longer is a publicly-traded company, the customer is ineligible for a Phase I exemption. However, the bank could evaluate the customer for potential exemption as a non-listed business customer. If the bank's assessment indicates that the private company does not derive more than 50% of its gross revenues from ineligible lines of business,12 has conducted five or more reportable transactions in the previous year, and otherwise meets all of the exemption criteria, the bank may exempt the company as a non-listed business.

Banks should note that a business's eligibility for exemption under the "listed business" provision may change over time, for example, as it makes an initial public offering or is privatized. This is the primary reason that listed businesses and their subsidiaries are the only Phase I exempt customers under the 2008 final rule for which banks must continue to file DOEP reports and conduct annual reviews. As part of those requirements, banks should have procedures for verifying whether a listed business remains eligible for exemption at least once per year. Annual reports, stock quotes from newspapers, or other information, such as electronic media can be used to document the review.

Question: Does the Phase I exemption available to certain subsidiaries of listed businesses apply to franchises or other affiliated entities when the listed company does not have a 51% or greater ownership stake in the affiliated entity?

12 See 31 CFR § 1020.315(e)(8).

Answer: No. To be eligible for exemption, any affiliated entity must meet the definition of "subsidiary" found at 31 C.F.R. § 1020.315(b)(5), which requires that the listed business own at least 51% of the common stock or analogous equity interest of the entity in question. For example, a privately owned restaurant franchise operating under the corporate name of a listed fast food company would not be eligible for Phase I exemption. A retail business location at least 51% owned by the same listed fast food company and operating under the same corporate name as the franchise, however, would be eligible for Phase I exemption.

Question: What is the exempt status of a Phase II customer who reorganizes his business? For example, what is the recourse for an exempt customer with a doing business as ("DBA") account who forms a limited liability corporation as his business grows?

Answer: Since the restructuring of a business may cause that business to become ineligible for exemption or otherwise make the original DOEP filing inaccurate or incomplete with respect to the newly restructured business, banks should consider evidence of a business restructuring as part of their annual review or ongoing customer due diligence. Potential evidence of such restructuring could include changes in the customer's management, business purpose, operations, customers, ownership, or account relationship with the bank. More specifically, changes to a customer's account relationship with the bank could include the issuance of a new taxpayer identification number,13 modifications to the names on the account, changes in account activity, or the addition or removal of signors or controllers of an account.

Banks should use a risk-based approach when determining which factors to consider to ensure that a customer remains eligible for exemption and that the original DOEP filing continues to identify that customer accurately and completely. To the extent that such changes make the original DOEP filing inaccurate or incomplete with respect to the newly restructured business, a bank should reevaluate the business for exemption. In such cases, the bank may consider using the risk-based approach for exempting the newly restructured business prior to the two-month waiting period. If the restructured business is eligible for exemption and the bank wishes to treat them as such, a new DOEP report must be filed with FinCEN.

In the example used in the question, an unincorporated business that incorporates would likely need reevaluation for the purposes of CTR exemption eligibility.14 Accordingly, after verifying that the newly restructured business was eligible for exemption, a bank wishing to treat that customer as exempt would need to file a new DOEP report.

D. Ineligible businesses

Question: Does FinCEN consider a hospital or doctor’s office to be engaged in the practice of medicine and therefore ineligible for exemption as a non-listed business? 15

Answer: FinCEN interprets the term "the practice of medicine" broadly, rather than focusing on the technicalities of individual state laws governing the licensing of medical practitioners. Accordingly, any entity that derives more than 50% of its gross revenues by offering medical services is ineligible for exemption as a non-listed business. This interpretation would likely exclude most privately owned hospitals, doctors' offices, or other medical practices from being eligible for exemption as non-listed businesses.

13 In some instances, such as the formation of a single member limited liability corporation or certain types of partnerships in some states, a change in corporate structure may not result in the issuance of a new taxpayer identification number.

14 A bank should also consider potential customer identification program obligations under 31 CFR § 1020.220.

15 The practice of medicine is one of several business activities that make a customer ineligible for exemption as a non-listed business. See 31 CFR § 1020.315(e)(8).

E. Customers no longer eligible for exemption

Question: What should a bank do if, during its annual review of a listed business or Phase II customer, it discovers that the customer no longer meets all the criteria for exemption?

Answer: During the annual review of a Phase II exempt customer, a bank may conclude that a customer is no longer eligible for exemption (for example, if an exempt non-listed business customer conducted only four reportable currency transactions during the year under review). At the time the customer's ineligibility is discovered, the bank should document its determination of ineligibility and cease to treat the customer as exempt.16 The bank is not required to back file CTRs with respect to a designated Phase II customer that had met the eligibility requirements in a preceding year, but was subsequently found to be ineligible during the bank's timely completion of its annual review.

F. Suspicious activity of an exempt customer

Question: Is a customer that has been the subject of a Suspicious Activity Report ("SAR") eligible for initial or continued exemption?

Answer: A bank is required to file a SAR, where appropriate, regarding the activities of any of its exempt customers.17 However, if an exempt person is involved in a transaction that has been reported in a SAR, the bank is not required to cease treating the person as exempt. The decision to exempt, or to retain or revoke a customer's exemption, should be made by the bank in accordance with its risk-based anti-money laundering policies, procedures, and controls.

G. Completing the Designation of Exempt Person report

Question: The DOEP report (FinCEN Form 110) and instructions were not updated with the final rules to account for the various changes to the CTR exemption process. How should a bank complete the DOEP when exempting a new customer?

Answer: The preamble to the 2008 final rule clarified that certain elements of the DOEP report should be disregarded by filers since they are no longer applicable under the new exemption requirements. Because the final rule removed several existing requirements but did not add any new requirements, the DOEP report now contains a limited number of extraneous fields but remains fully sufficient to designate any eligible customer as an exempt person. Accordingly, filers should disregard references on the report as well as in the instructions to biennial renewals and to types of Phase I customers that no longer require a DOEP filing.18 FinCEN has disabled the unnecessary fields in the E-filing system as well as in the version of FinCEN Form 110 available on its website.

16 In the event the customer meets the eligibility requirements in the future, the bank must file a new DOEP to begin treating the customer as exempt.

17 31 CFR § 1020.320.

H. Exemptible transaction accounts

Question: The definition of a Phase II "exempt person" in 31 C.F.R. § 1020.315(b)(6) and (7) includes the phrase "only with respect to transactions conducted through its exemptible accounts." Does this mean that certain transactions of Phase II exempt customers require the filing of a CTR?

Answer: Yes. The scope of the exemption for non-listed businesses and payroll customers is limited by several criteria. While the final rules reduced those criteria with respect to the number of transactions and the waiting period before a bank could treat those customers as exempt, they did not alter the remaining criteria for Phase II customers, including the provision that a Phase II customer is exempt "to the extent of its domestic operations and only with respect to transactions conducted through its exemptible accounts."19 For transactions conducted by the customer outside of the criteria for Phase II customers, the customers would not meet the definition of "exempt person" and could not be treated as exempt by the bank.

For example, a bank may have a convenience store as an exempt non-listed business customer. This customer might regularly make deposits into its transaction account exceeding $10,000 in currency, none of which would require the bank to file a CTR. However, if the convenience store presents more than $10,000 in currency in exchange for a cashier's check, whether the bank is required to file a CTR will depend on whether the transaction was processed "through [the] exemptible account." Specifically, the bank would not be required to file a CTR if the bank credited the customer's transaction account as a deposit and then debited the account to fund the cashier's check, or otherwise processed the transaction in such a way that it resulted in a line item entry into the customer's transaction account statement. The bank would be required to file a CTR, however, if the currency was deposited into and the cashier's check was drawn upon the bank's general ledger account(s), or otherwise did not result in a line item entry into the customer's transaction account statement.

Banks may generally use the test of whether a transaction results in a line item entry into a Phase II exempt customer's transaction account statement to determine whether a transaction was "conducted through [the] exemptible account." For any reportable transaction not conducted through the exemptible account, the customer would not meet the definition of "exempt person" only with respect to that transaction and a CTR must be filed.

18 See 73 FR 74015, Section V.

19 See 73 FR 74015, Section V.

I. Revoking an exemption

Question: If a bank ceases to treat a customer as exempt, and begins or intends to begin filing CTRs on that customer for the next reportable transaction, must the bank formally revoke the exemption by filing the DOEP report and selecting the "exemption revoked" box?

Answer: Banks have never been required to formally revoke an exemption using the DOEP report. Generally, examiners or other users of BSA data would be able to rely on a pattern of reporting to know that a customer is no longer being treated as exempt. For purposes of clarity or creating internal documentation, however, many banks voluntarily revoke exemptions using the DOEP report. For example, if during its annual review of an exempt non-listed business customer a bank discovers that the customer conducted no reportable transactions in the previous year, the bank could no longer treat that customer as exempt. If the exemption is not formally revoked using the DOEP report and the customer continues the pattern of not conducting reportable transactions, a law enforcement agent investigating the company would likely conclude incorrectly from the lack of CTR filings that the customer is still being treated as exempt. While revoking an exemption in such instances may benefit both the filing bank and users of BSA data, banks may choose to do so entirely on a voluntary basis.

Questions or comments regarding the contents of this Guidance should be addressed to the FinCEN Regulatory Helpline at 800-949-2732.

Section 8: Suspicious Activity Reports

[31 C.F.R. § 1020.320]

Introduction

Both the Department of the Treasury and the federal financial institution regulatory agencies have rules outlining the reporting requirements for suspicious transactions. The Suspicious Activity Report (SAR) has been developed as the primary method of suspicious activity reporting, and is considered the cornerstone of the BSA reporting system. It is through this system that financial institutions can help the United States fight terrorism and its financing, money laundering and other financial crimes.

The SAR reporting system creates a uniform reporting form for all financial institutions to use when reporting known or suspected criminal offenses and transactions that a bank suspects involve money laundering or violate the Bank Secrecy Act. All completed forms are filed in one central location. This centralized filing will allow the establishment of a data base that will be accessible to federal and state financial institution regulators and law enforcement agencies. FinCEN has been working diligently to improve the filing process to make the central depository retention more meaningful and helpful in the pursuit of illegal activities.

In the Exam Manual, the regulators state: “Within this system, FinCEN and the federal banking agencies recognize that, as a practical matter, it is not possible for a bank to detect and report all potentially illicit transactions that flow through the bank. Examiners should focus on evaluating a bank’s policies, procedures, and processes to identify, evaluate, and report suspicious activity. However, as part of the examination process, examiners should review individual SAR filing decisions to determine the effectiveness of the bank’s suspicious activity identification, evaluation, and reporting process.”

The latest version of the SAR was issued in March 2011. A copy of the form and its instructions appear at the end of this section.

Reporting Thresholds

Even if the filing of an SAR is not required by the regulation, the regulation permits the filing of an SAR any time the bank believes the filing of the SAR for a suspicious transaction would be relevant to the possible violation of any law or regulation.

There are four major categories of activities or transactions that require the filing of a Suspicious Activity Report. The first three categories address the same type of known or suspected criminal violations but have different reporting thresholds based upon the suspected perpetrators of the violation(s). An SAR would be required (assuming the reporting thresholds are met) upon the detection of any known or suspected federal criminal violation(s):

committed or attempted against the bank, or

involving a transaction or transactions conducted through the bank, if the bank knows, suspects, or has reason to suspect:

that it was either an actual or potential victim of a criminal violation(s) or

that the bank was used to facilitate a criminal transaction.

Although the regulation itself limits the filing of an SAR to amounts in excess of $5,000, the instructions for the filing of an SAR and the requirements of the regulators state that an SAR shall be filed in the following situations:

Insider Abuse. Criminal violations involving insider abuse in any amount.

Known Suspect. Criminal violations aggregating $5,000 or more when a suspect can be identified.

Unknown Suspect. Criminal violations aggregating $25,000 or more regardless of a potential suspect.

Money Laundering. The fourth category of activities or transactions that requires the filing of a Suspicious Activity Report is transactions aggregating $5,000 or more that involve potential money laundering or violate the Bank Secrecy Act. This would include any type of a transaction (not just a currency transaction) aggregating $5,000 or more conducted or attempted to be conducted by, at, or through a bank, if the bank knows, suspects, or has reason to suspect that:

o The transaction involves funds derived from illegal activities or is intended or conducted in order to hide or disguise funds or assets derived from illegal activities as part of a plan to violate or evade any law or regulation or to avoid any transaction reporting requirement under federal law,

o The transaction is designed to evade any Bank Secrecy Act regulations, or

o The transaction has no business or apparent lawful purpose or is not the sort in which the particular customer would normally be expected to engage, and the bank knows of no reasonable explanation for the transaction after examining the available facts (including the background and possible purpose of the transaction).

Money Laundering and Terrorist Financing Red Flags

Appendix F of the 2014 Exam Manual (pages F-1 through F-11) contains significant lists of red flags that financial institutions should include in training as well as implement in their daily monitoring process to aid in recognizing potential money laundering or terrorist financing activity. These red flags cover account opening, reporting and recordkeeping, funds transfers, ACH activity, lending, cross border transactions, trade finance, insurance, domestic and foreign customers, as well as unusual employee activity. Appendix F, in its entirety, appears on the next several pages.

Appendix F: Money Laundering and Terrorist Financing “Red Flags”

The following are examples of potentially suspicious activities, or “red flags” for both money laundering and terrorist financing. Although these lists are not all-inclusive, they may help banks and examiners recognize possible money laundering and terrorist financing schemes.

Management’s primary focus should be on reporting suspicious activities, rather than on determining whether the transactions are in fact linked to money laundering, terrorist financing, or a particular crime.

The following examples are red flags that, when encountered, may warrant additional scrutiny. The mere presence of a red flag is not by itself evidence of criminal activity. Closer scrutiny should help to determine whether the activity is suspicious or one for which there does not appear to be a reasonable business or legal purpose.

Potentially Suspicious Activity That May Indicate Money Laundering

Customers Who Provide Insufficient or Suspicious Information

A customer uses unusual or suspicious identification documents that cannot be readily verified.

A customer provides an individual tax identification number after having previously used a Social Security number.

A customer uses different tax identification numbers with variations of his or her name.

A business is reluctant, when establishing a new account, to provide complete information about the nature and purpose of its business, anticipated account activity, prior banking relationships, the names of its officers and directors, or information on its business location.

A customer’s home or business telephone is disconnected.

The customer’s background differs from that which would be expected on the basis of his or her business activities.

A customer makes frequent or large transactions and has no record of past or present employment experience.

A customer is a trust, shell company, or Private Investment Company that is reluctant to provide information on controlling parties and underlying beneficiaries. Beneficial owners may hire nominee incorporation services to establish shell companies and open bank accounts for those shell companies while shielding the owner’s identity.

Efforts to Avoid Reporting or Recordkeeping Requirement

A customer or group tries to persuade a bank employee not to file required reports or maintain required records.

A customer is reluctant to provide information needed to file a mandatory report, to have the report filed, or to proceed with a transaction after being informed that the report must be filed.

A customer is reluctant to furnish identification when purchasing negotiable instruments in recordable amounts.

A business or customer asks to be exempted from reporting or recordkeeping requirements.

A person customarily uses the automated teller machine to make several bank deposits below a specified threshold.

A customer deposits funds into several accounts, usually in amounts of less than $3,000, which are subsequently consolidated into a master account and transferred outside of the country, particularly to or through a location of specific concern (e.g., countries designated by national authorities and Financial Action Task Force on Money Laundering (FATF) as noncooperative countries and territories).

A customer accesses a safe deposit box after completing a transaction involving a large withdrawal of currency, or accesses a safe deposit box before making currency deposits structured at or just under $10,000, to evade CTR filing requirements.

Funds Transfers

Many funds transfers are sent in large, round dollar, hundred dollar, or thousand dollar amounts.

Funds transfer activity occurs to or from a financial secrecy haven, or to or from a higher-risk geographic location without an apparent business reason or when the activity is inconsistent with the customer’s business or history.

Many small, incoming transfers of funds are received, or deposits are made using checks and money orders. Almost immediately, all or most of the transfers or deposits are wired to another city or country in a manner inconsistent with the customer’s business or history.

Large, incoming funds transfers are received on behalf of a foreign client, with little or no explicit reason.

Funds transfer activity is unexplained, repetitive, or shows unusual patterns.

Payments or receipts with no apparent links to legitimate contracts, goods, or services are received.

Funds transfers are sent or received from the same person to or from different accounts.

Funds transfers contain limited content and lack related party information.

Automated Clearing House Transactions

Large-value, automated clearing house (ACH) transactions are frequently initiated through third-party service providers (TPSP) by originators that are not bank customers and for which the bank has no or insufficient due diligence.

TPSPs have a history of violating ACH network rules or generating illegal transactions, or processing manipulated or fraudulent transactions on behalf of their customers.

Multiple layers of TPSPs that appear to be unnecessarily involved in transactions.

Unusually high level of transactions initiated over the Internet or by telephone.

NACHA — The Electronic Payments Association (NACHA) information requests indicate potential concerns with the bank’s usage of the ACH system.

Activity Inconsistent with the Customer’s Business

The currency transaction patterns of a business show a sudden change inconsistent with normal activities.

A large volume of cashier’s checks, money orders, or funds transfers is deposited into, or purchased through, an account when the nature of the accountholder’s business would not appear to justify such activity.

A retail business has dramatically different patterns of currency deposits from similar businesses in the same general location.

Unusual transfers of funds occur among related accounts or among accounts that involve the same or related principals.

The owner of both a retail business and a check-cashing service does not ask for currency when depositing checks, possibly indicating the availability of another source of currency.

Goods or services purchased by the business do not match the customer’s stated line of business.

Payments for goods or services are made by checks, money orders, or bank drafts not drawn from the account of the entity that made the purchase.

Lending Activity

Loans secured by pledged assets held by third parties unrelated to the borrower.

Loan secured by deposits or other readily marketable assets, such as securities, particularly when owned by apparently unrelated third parties.

Borrower defaults on a cash-secured loan or any loan that is secured by assets which are readily convertible into currency.

Loans are made for, or are paid on behalf of, a third party with no reasonable explanation.

To secure a loan, the customer purchases a certificate of deposit using an unknown source of funds, particularly when funds are provided via currency or multiple monetary instruments.

Loans that lack a legitimate business purpose, provide the bank with significant fees for assuming little or no risk, or tend to obscure the movement of funds (e.g., loans made to a borrower and immediately sold to an entity related to the borrower).

Changes in Bank-to-Bank Transactions

The size and frequency of currency deposits increases rapidly with no corresponding increase in noncurrency deposits.

A bank is unable to track the true accountholder of correspondent or concentration account transactions.

The turnover in large-denomination bills is significant and appears uncharacteristic, given the bank’s location.

Changes in currency-shipment patterns between correspondent banks are significant.

Cross-Border Financial Institution Transactions

U.S. bank increases sales or exchanges of large denomination U.S. bank notes to Mexican financial institution(s).

Large volumes of small denomination U.S. banknotes being sent from Mexican casas de cambio to their U.S. accounts via armored transport or sold directly to U.S. banks. These sales or exchanges may involve jurisdictions outside of Mexico.

Casas de cambio direct the remittance of funds via multiple funds transfers to jurisdictions outside of Mexico that bear no apparent business relationship with the casas de cambio. Funds transfer recipients may include individuals, businesses, and other entities in free trade zones.

Casas de cambio deposit numerous third-party items, including sequentially numbered monetary instruments, to their accounts at U.S. banks.

Casas de cambio direct the remittance of funds transfers from their accounts at Mexican financial institutions to accounts at U.S. banks. These funds transfers follow the deposit of currency and third-party items by the casas de cambio into their Mexican financial institution.

Bulk Currency Shipments

An increase in the sale of large denomination U.S. bank notes to foreign financial institutions by U.S. banks.

Large volumes of small denomination U.S. bank notes being sent from foreign nonbank financial institutions to their accounts in the United States via armored transport, or sold directly to U.S. banks.

Multiple wire transfers initiated by foreign nonbank financial institutions that direct U.S. banks to remit funds to other jurisdictions that bear no apparent business relationship with that foreign nonbank financial institution. Recipients may include individuals, businesses, and other entities in free trade zones and other locations.

The exchange of small denomination U.S. bank notes for large denomination U.S. bank notes that may be sent to foreign countries.

Deposits by foreign nonbank financial institutions to their accounts at U.S. banks that include third-party items, including sequentially numbered monetary instruments.

Deposits of currency and third-party items by foreign nonbank financial institutions to their accounts at foreign financial institutions and, thereafter, direct wire transfers to the foreign nonbank financial institution’s accounts at U.S. banks.

Trade Finance

Items shipped that are inconsistent with the nature of the customer’s business (e.g., a steel company that starts dealing in paper products, or an information technology company that starts dealing in bulk pharmaceuticals).

Customers conducting business in higher-risk jurisdictions.

Customers shipping items through higher-risk jurisdictions, including transit through noncooperative countries.

Customers involved in potentially higher-risk activities, including activities that may be subject to export/import restrictions (e.g., equipment for military or police organizations of foreign governments, weapons, ammunition, chemical mixtures, classified defense articles, sensitive technical data, nuclear materials, precious gems, or certain natural resources such as metals, ore, and crude oil).

Obvious over- or underpricing of goods and services.

Obvious misrepresentation of quantity or type of goods imported or exported.

Transaction structure appears unnecessarily complex and designed to obscure the true nature of the transaction.

Customer requests payment of proceeds to an unrelated third party.

Shipment locations or description of goods not consistent with letter of credit.

Significantly amended letters of credit without reasonable justification or changes to the beneficiary or location of payment. Any changes in the names of parties should prompt additional OFAC review.

Privately Owned Automated Teller Machines

Automated teller machine (ATM) activity levels are high in comparison with other privately owned or bank-owned ATMs in comparable geographic and demographic locations.

Sources of currency for the ATM cannot be identified or confirmed through withdrawals from account, armored car contracts, lending arrangements, or other appropriate documentation.

Insurance

A customer purchases products with termination features without concern for the product’s investment performance.

A customer purchases insurance products using a single, large premium payment, particularly when payment is made through unusual methods such as currency or currency equivalents.

A customer purchases a product that appears outside the customer’s normal range of financial wealth or estate planning needs.

A customer borrows against the cash surrender value of permanent life insurance policies, particularly when payments are made to apparently unrelated third parties.

Policies are purchased that allow for the transfer of beneficial ownership interests without the knowledge and consent of the insurance issuer. This would include secondhand endowment and bearer insurance policies.

A customer is known to purchase several insurance products and uses the proceeds from an early policy surrender to purchase other financial assets.

A customer uses multiple currency equivalents (e.g., cashier’s checks and money orders) from different banks and money services businesses to make insurance policy or annuity payments.

Shell Company Activity

A bank is unable to obtain sufficient information or information is unavailable to positively identify originators or beneficiaries of accounts or other banking activity (using Internet, commercial database searches, or direct inquiries to a respondent bank).

Payments to or from the company have no stated purpose, do not reference goods or services, or identify only a contract or invoice number.

Goods or services, if identified, do not match profile of company provided by respondent bank or character of the financial activity; a company references remarkably dissimilar goods and services in related funds transfers; explanation given by foreign respondent bank is inconsistent with observed funds transfer activity.

Transacting businesses share the same address, provide only a registered agent’s address, or have other address inconsistencies.

Unusually large number and variety of beneficiaries are receiving funds transfers from one company.

Frequent involvement of multiple jurisdictions or beneficiaries located in higher-risk offshore financial centers.

A foreign correspondent bank exceeds the expected volume in its client profile for funds transfers, or an individual company exhibits a high volume and pattern of funds transfers that is inconsistent with its normal business activity.

Multiple high-value payments or transfers between shell companies with no apparent legitimate business purpose.

Purpose of the shell company is unknown or unclear.

Embassy and Foreign Consulate Accounts

Official embassy business is conducted through personal accounts.

Account activity is not consistent with the purpose of the account, such as pouch activity or payable upon proper identification transactions.

Accounts are funded through substantial currency transactions.

Accounts directly fund personal expenses of foreign nationals without appropriate controls, including, but not limited to, expenses for college students.

Employees

Employee exhibits a lavish lifestyle that cannot be supported by his or her salary.

Employee fails to conform to recognized policies, procedures, and processes, particularly in private banking.

Employee is reluctant to take a vacation.

Other Unusual or Suspicious Customer Activity

Customer frequently exchanges small-dollar denominations for large-dollar denominations.

Customer frequently deposits currency wrapped in currency straps or currency wrapped in rubber bands that is disorganized and does not balance when counted.

Customer purchases a number of cashier’s checks, money orders, or traveler’s checks for large amounts under a specified threshold.

Customer purchases a number of open-end prepaid cards for large amounts. Purchases of prepaid cards are not commensurate with normal business activities.

Customer receives large and frequent deposits from online payments systems yet has no apparent online or auction business.

Monetary instruments deposited by mail are numbered sequentially or have unusual symbols or stamps on them.

Suspicious movements of funds occur from one bank to another, and then funds are moved back to the first bank.

Deposits are structured through multiple branches of the same bank or by groups of people who enter a single branch at the same time.

Currency is deposited or withdrawn in amounts just below identification or reporting thresholds.

Customer visits a safe deposit box or uses a safe custody account on an unusually frequent basis.

Safe deposit boxes or safe custody accounts opened by individuals who do not reside or work in the institution’s service area, despite the availability of such services at an institution closer to them.

Customer repeatedly uses a bank or branch location that is geographically distant from the customer’s home or office without sufficient business purpose.

Customer exhibits unusual traffic patterns in the safe deposit box area or unusual use of safe custody accounts. For example, several individuals arrive together, enter frequently, or carry bags or other containers that could conceal large amounts of currency, monetary instruments, or small valuable items.

Customer rents multiple safe deposit boxes to store large amounts of currency, monetary instruments, or high-value assets awaiting conversion to currency, for placement into the banking system. Similarly, a customer establishes multiple safe custody accounts to park large amounts of securities awaiting sale and conversion into currency, monetary instruments, outgoing funds transfers, or a combination thereof, for placement into the banking system.

Unusual use of trust funds in business transactions or other financial activity.

Customer uses a personal account for business purposes.

Customer has established multiple accounts in various corporate or individual names that lack sufficient business purpose for the account complexities or appear to be an effort to hide the beneficial ownership from the bank.

Customer makes multiple and frequent currency deposits to various accounts that are purportedly unrelated.

Customer conducts large deposits and withdrawals during a short time period after opening and then subsequently closes the account or the account becomes dormant. Conversely, an account with little activity may suddenly experience large deposit and withdrawal activity.

Customer makes high-value transactions not commensurate with the customer’s known incomes.

Potentially Suspicious Activity That May Indicate Terrorist Financing

The following examples of potentially suspicious activity that may indicate terrorist financing are primarily based on guidance “Guidance for Financial Institutions in Detecting Terrorist Financing” provided by the FATF. FATF is an intergovernmental body whose purpose is the development and promotion of policies, both at national and international levels, to combat money laundering and terrorist financing.

Activity Inconsistent With the Customer’s Business

Funds are generated by a business owned by persons of the same origin or by a business that involves persons of the same origin from higher-risk countries (e.g., countries designated by national authorities and FATF as noncooperative countries and territories).

The stated occupation of the customer is not commensurate with the type or level of activity.

Persons involved in currency transactions share an address or phone number, particularly when the address is also a business location or does not seem to correspond to the stated occupation (e.g., student, unemployed, or self-employed).

Regarding nonprofit or charitable organizations, financial transactions occur for which there appears to be no logical economic purpose or in which there appears to be no link between the stated activity of the organization and the other parties in the transaction.

A safe deposit box opened on behalf of a commercial entity when the business activity of the customer is unknown or such activity does not appear to justify the use of a safe deposit box.

Funds Transfers

A large number of incoming or outgoing funds transfers take place through a business account, and there appears to be no logical business or other economic purpose for the transfers, particularly when this activity involves higher-risk locations.

Funds transfers are ordered in small amounts in an apparent effort to avoid triggering identification or reporting requirements.

Funds transfers do not include information on the originator, or the person on whose behalf the transaction is conducted, when the inclusion of such information would be expected.

Multiple personal and business accounts or the accounts of nonprofit organizations or charities are used to collect and funnel funds to a small number of foreign beneficiaries.

Foreign exchange transactions are performed on behalf of a customer by a third party, followed by funds transfers to locations having no apparent business connection with the customer or to higher-risk countries.

Other Transactions That Appear Unusual or Suspicious

Transactions involving foreign currency exchanges are followed within a short time by funds transfers to higher-risk locations.

Multiple accounts are used to collect and funnel funds to a small number of foreign beneficiaries, both persons and businesses, particularly in higher-risk locations.

A customer obtains a credit instrument or engages in commercial financial transactions involving the movement of funds to or from higher-risk locations when there appear to be no logical business reasons for dealing with those locations.

Banks from higher-risk locations open accounts.

Funds are sent or received via international transfers from or to higher-risk locations.

Insurance policy loans or policy surrender values that are subject to a substantial surrender charge.

Filing Guidelines

The SAR rules require that an SAR be filed no later than 30 calendar days from the date of the initial detection of facts that may constitute a basis for filing an SAR. If no suspect can be identified, the time period for filing an SAR is extended to 60 days. Organizations may need to review transaction or account activity for a customer to determine whether to file an SAR. The need for a review of customer activity or transactions does not necessarily indicate a need to file an SAR. The time period for filing an SAR starts when the organization, during its review or because of other factors, knows or has reason to suspect that the activity or transactions under review meet one or more of the definitions of suspicious activity.

The phrase “initial detection” should not be interpreted as meaning the moment a transaction is highlighted for review. There are a variety of legitimate transactions that could raise a red flag simply because they are inconsistent with an accountholder’s normal account activity. The bank’s automated account monitoring system or initial discovery of information, such as system-generated reports, may flag a transaction; however, this should not be considered initial detection of potential suspicious activity.

Whenever possible, a prompt review of an unusual transaction or account is recommended, which can be of significant assistance to law enforcement. In any event, the review should be completed in a reasonable period of time. What constitutes a “reasonable period of time” will vary according to the facts and circumstances of the particular matter being reviewed and the effectiveness of the SAR monitoring, reporting, and decision-making process of each bank. The key factor is that a bank has established adequate procedures for reviewing and assessing facts and circumstances identified as potentially suspicious, and that those procedures are documented and followed.

For violations requiring immediate attention, in addition to filing a timely SAR, a bank is required to immediately notify, by telephone, an “appropriate law enforcement authority” and, as necessary, the bank’s primary regulator. An “appropriate law enforcement authority” would generally be the local office of the Internal Revenue Service Criminal Investigation Division or the FBI. Notifying law enforcement of a suspicious activity does not relieve a bank of its obligation to file an SAR.

For suspicious activity related to terrorist activity, institutions may also call FinCEN’s Financial Institution’s terrorist hotline at the toll-free number 866-556-3974 (7 days a week, 24 hours a day) to further facilitate the immediate transmittal of relevant information to the appropriate authorities.

Ongoing Suspicious Activity

Should the circumstances that led to a SAR filing continue (such as suspected money laundering issues), banks should re-file a new SAR at least every 90 days, giving an update as to current activity. This notifies law enforcement of continuing activity and serves as a reminder to the institution to continue monitoring account and transaction activity to determine whether other appropriate actions, such as terminating a customer or employee relationship, are required.

Banks should be aware that law enforcement may have an interest in ensuring that certain accounts remain open notwithstanding suspicious or potential criminal activity in connection with those accounts. If a law enforcement agency requests that a bank maintain a particular account, the bank should ask for a written request. The written request should indicate that the agency has requested that the bank maintain the account and the purpose and duration of the request. Ultimately, the decision to maintain or close an account should be made by a bank in accordance with its own standards and guidelines.

The bank should develop policies, procedures, and processes indicating when to escalate issues or problems identified as the result of repeat SAR filings on accounts. The procedures should include:

Review by senior management and legal staff (e.g., BSA compliance officer or SAR committee).

Criteria for when analysis of the overall customer relationship is necessary.

Criteria for when to close the account.

Criteria for when to notify law enforcement, if applicable.

As part of the filing process, financial institutions are required to collect and maintain all supporting information so that it will be available to the appropriate authorities should further action be required.

Exceptions

An SAR is not required for actual or attempted robberies or burglaries that are reported to the appropriate law enforcement authorities. SARs are also not required for lost, missing, counterfeit, or stolen securities that are properly reported to the appropriate regulatory agencies.

Systems to Identify, Research and Report Suspicious Activity

The Suspicious Activity Reporting section of the Exam Manual discusses the systems and procedures that banks are expected to have in place to assure that all possible suspicious transactions are reported, as follows:

“Suspicious activity monitoring and reporting are critical internal controls. Proper monitoring and reporting processes are essential to ensuring that the bank has an adequate and effective BSA compliance program. Appropriate policies, procedures, and processes should be in place to monitor and identify unusual activity. The sophistication of monitoring systems should be dictated by the bank’s risk profile, with particular emphasis on the composition of higher-risk products, services, customers, entities, and geographies. The bank should ensure adequate staff is assigned to the identification, research, and reporting of suspicious activities, taking into account the bank’s overall risk profile and the volume of transactions. Monitoring systems typically include employee identification or referrals, transaction-based (manual) systems, surveillance (automated) systems, or any combination of these.

Generally, effective suspicious activity monitoring and reporting systems include four key components (refer to Appendix S “Key Suspicious Activity Monitoring Components”). The components, listed below, are interdependent, and an effective suspicious activity monitoring and reporting process should include successful implementation of each component. Breakdowns in any one or more of these components may adversely affect SAR reporting and BSA compliance. The four key components to an effective monitoring and reporting system are:

1. Identification or alert of unusual activity (which may include: employee identification, law enforcement inquiries, other referrals, and transaction and surveillance monitoring system output).

2. Managing alerts.

3. SAR decision making.

4. SAR completion and filing.

These four components are present in banks of all sizes. However, the structure and formality of the components may vary. Larger banks will typically have greater differentiation and distinction between functions, and may devote entire departments to the completion of each component. Smaller banks may use one or more employees to complete several tasks (e.g., review of monitoring reports, research activity, and completion of the actual SAR). Policies, procedures, and processes should describe the steps the bank takes to address each component and indicate the person(s) or departments responsible for identifying or producing an alert of unusual activity, managing the alert, deciding whether to file, and SAR completion and filing.”

Identification of Unusual Activity

In this same section of the Exam Manual, the following is provided regarding the identification of unusual activity.

“Banks use a number of methods to identify potentially suspicious activity, including but not limited to activity identified by employees during day-to-day operations, law enforcement inquiries, or requests, such as those typically seen in 314(a) and 314(b) requests, transaction and surveillance monitoring system output, or any combination of these.

Employee Identification

During the course of day-to-day operations, employees may observe unusual or potentially suspicious transaction activity. Banks should implement appropriate training, policies, and procedures to ensure that personnel adhere to the internal processes for identification and referral of potentially suspicious activity. Banks should be aware of all methods of identification and should ensure that their suspicious activity monitoring system includes processes to facilitate the transfer of internal referrals to appropriate personnel for further research.

Law Enforcement Inquiries and Requests

Banks should establish policies, procedures, and processes for identifying subjects of law enforcement requests, monitoring the transaction activity of those subjects, identifying unusual or suspicious activity related to those subjects, and filing, as applicable, SARs related to those subjects. Law enforcement inquiries and requests can include criminal subpoenas, national security letters (NSLs), and section 314(a) requests.

Mere receipt of any law enforcement inquiry does not, by itself, require the filing of an SAR by the bank. Nonetheless, a law enforcement inquiry may be relevant to a bank’s overall risk assessment of its customers and accounts. It is incumbent upon a bank to assess all of the information it knows about its customer, including the receipt of a law enforcement inquiry, in accordance with its risk-based BSA/AML compliance program.

The bank should determine whether an SAR should be filed based on all customer information available. Due to the confidentiality of grand jury proceedings, if a bank files an SAR after receiving a grand jury subpoena, law enforcement discourages banks from including any reference to the receipt or existence of the grand jury subpoena in the SAR. Rather, the SAR should reference only those facts and activities that support a finding of suspicious transactions identified by the bank.

National Security Letters

NSLs are written investigative demands that may be issued by the local Federal Bureau of Investigation (FBI) and other federal governmental authorities in counterintelligence and counterterrorism investigations to obtain the following:

Telephone and electronic communications records from telephone companies and Internet service providers. (Electronic Communications Privacy Act, 18 U.S.C. § 2709)

Information from credit bureaus. (Fair Credit Reporting Act, 15 U.S.C. § 1681u)

Financial records from financial institutions. (Right to Financial Privacy Act of 1978, 12 U.S.C. § 3401 et seq.)

NSLs are highly confidential documents; as such, examiners will not review or sample specific NSLs. Pursuant to 12 U.S.C. § 3414(a)(3) and (5)(D), no bank, or officer, employee or agent of the institution, can disclose to any person that a government authority or the FBI has sought or obtained access to records through a Right to Financial Privacy Act NSL. Banks that receive NSLs must take appropriate measures to ensure the confidentiality of the letters and should have procedures in place for processing and maintaining the confidentiality of NSLs.

If a bank files an SAR after receiving a NSL, the SAR should not contain any reference to the receipt or existence of the NSL. The SAR should reference only those facts and activities that support a finding of unusual or suspicious transactions identified by the bank.

Questions regarding NSLs should be directed to the bank’s local FBI field office. Contact information for the FBI field offices can be found at www.fbi.gov.

Transaction Monitoring (Manual Transaction Monitoring)

A transaction monitoring system, sometimes referred to as a manual transaction monitoring system, typically targets specific types of transactions (e.g., those involving large amounts of cash, those to or from foreign geographies) and includes a manual review of various reports generated by the bank’s MIS or vendor systems in order to identify unusual activity. Examples of MIS reports include currency activity reports, funds transfer reports, monetary instrument sales reports, large item reports, significant balance change reports, and nonsufficient funds (NSF) reports. Many MIS or vendor systems include filtering models for identification of potentially unusual activity. The process may involve review of daily reports, reports that cover a period of time (e.g., rolling 30-day reports, monthly reports), or a combination of both types of reports. The type and frequency of reviews and resulting reports used should be commensurate with the bank’s BSA/AML risk profile and appropriately cover its higher-risk products, services, customers, entities, and geographic locations.

MIS or vendor system-generated reports typically use a discretionary dollar threshold. Thresholds selected by management for the production of transaction reports should enable management to detect unusual activity. Upon identification of unusual activity, assigned personnel should review CDD and other pertinent information to determine whether the activity is suspicious. Management should periodically evaluate the appropriateness of filtering criteria and thresholds used in the monitoring process. Each bank should evaluate and identify filtering criteria most appropriate for their bank. The programming of the bank’s monitoring systems should be independently reviewed for reasonable filtering criteria. Typical transaction monitoring reports are as follows.

Currency Activity Reports. Most vendors offer reports that identify all currency activity or currency activity greater than $10,000. These reports assist bankers with filing CTRs and identifying suspicious currency activity. Most bank information service providers offer currency activity reports that can filter transactions using various parameters, for example:

Currency activity including multiple transactions greater than $10,000.

Currency activity (single and multiple transactions) below the $10,000 reporting requirement (e.g., between $7,000 and $10,000).

Currency transactions involving multiple lower dollar transactions (e.g., $3,000) that over a period of time (e.g., 15 days) aggregate to a substantial sum of money (e.g., $30,000).

Currency transactions aggregated by customer name, tax identification number, or customer information file number.

Such filtering reports, whether implemented through a purchased vendor software system or through requests from information service providers, will significantly enhance a bank’s ability to identify and evaluate unusual currency transactions.

Funds Transfer Records. The BSA requires banks to maintain records of funds transfer in amounts of $3,000 and above. Periodic review of this information can assist banks in identifying patterns of unusual activity. A periodic review of the funds transfer records in banks with low funds transfer activity is usually sufficient to identify unusual activity. For banks with more significant funds transfer activity, use of spreadsheet or vendor software is an efficient way to review funds transfer activity for unusual patterns. Most vendor software systems include standard suspicious activity filter reports. These reports typically focus on identifying certain higher-risk geographic locations and larger dollar funds transfer transactions for individuals and businesses. Each bank should establish its own filtering criteria for both individuals and businesses. Noncustomer funds transfer transactions and payable upon proper identification (PUPID) transactions should be reviewed for unusual activity. Activities identified during these reviews should be subjected to additional research to ensure that identified activity is consistent with the stated account purpose and expected activity. When inconsistencies are identified, banks may need to conduct a global relationship review to determine if a SAR is warranted.

Monetary Instrument Records. Records for monetary instrument sales are required by the BSA. Such records can assist the bank in identifying possible currency structuring through the purchase of cashier’s checks, official bank checks, money orders, or traveler’s checks in amounts of $3,000 to $10,000. A periodic review of these records can also help identify frequent purchasers of monetary instruments and common payees. Reviews for suspicious activity should encompass activity for an extended period of time (30, 60, 90 days) and should focus on, among other things, identification of commonalities, such as common payees and purchasers, or consecutively numbered purchased monetary instruments.

Surveillance Monitoring (Automated Account Monitoring)

A surveillance monitoring system, sometimes referred to as an automated account monitoring system, can cover multiple types of transactions and use various rules to identify potentially suspicious activity. In addition, many can adapt over time based on historical activity, trends, or internal peer comparison. These systems typically use computer programs, developed in-house or purchased from vendors, to identify individual transactions, patterns of unusual activity, or deviations from expected activity. These systems can capture a wide range of account activity, such as deposits, withdrawals, funds transfers, automated clearing house (ACH) transactions, and automated teller machine (ATM) transactions, directly from the bank’s core data processing system. Banks that are large, operate in many locations, or have a large volume of higher-risk customers typically use surveillance monitoring systems.

Surveillance monitoring systems include rule-based and intelligent systems. Rule-based systems detect unusual transactions that are outside of system-developed or management-established “rules.” Such systems can consist of few or many rules, depending on the complexity of the in-house or vendor product. These rules are applied using a series of transaction filters or a rules engine. Rule-based systems are more sophisticated than the basic manual system, which only filters on one rule (e.g., transaction greater than $10,000). Rule-based systems can apply multiple rules, overlapping rules, and filters that are more complex. For example, rule-based systems can initially apply a rule, or set of criteria to all accounts within a bank (e.g., all retail customers), and then apply a more refined set of criteria to a subset of accounts or risk category of accounts (e.g., all retail customers with direct deposits). Rule-based systems can also filter against individual customer-account profiles.

Intelligent systems are adaptive and can filter transactions, based on historical account activity or compare customer activity against a pre-established peer group or other relevant data. Intelligent systems review transactions in context with other transactions and the customer profile. In doing so, these systems increase their information database on the customer, account type, category, or business, as more transactions and data are stored in the system.

Relative to surveillance monitoring, system capabilities and thresholds refer to the parameters or filters used by banks in their monitoring processes. Parameters and filters should be reasonable and tailored to the activity that the bank is trying to identify or control. After parameters and filters have been developed, they should be reviewed before implementation to identify any gaps (common money laundering techniques or frauds) that may not have been addressed. For example, a bank may discover that its filter for cash structuring is triggered only by a daily cash transaction in excess of $10,000. The bank may need to refine this filter in order to avoid missing potentially suspicious activity because common cash structuring techniques often involve transactions that are slightly under the CTR threshold. Once established, the bank should review and test system capabilities and thresholds on a periodic basis. This review should focus on specific parameters or filters in order to ensure that intended information is accurately captured and that the parameter or filter is appropriate for the bank’s particular risk profile.

Understanding the filtering criteria of a surveillance monitoring system is critical to assessing the effectiveness of the system. System filtering criteria should be developed through a review of specific higher-risk products and services, customers and entities, and geographies. System filtering criteria, including specific profiles and rules, should be based on what is reasonable and expected for each type of account. Monitoring accounts purely based on historical activity can be misleading if the activity is not actually consistent with similar types of accounts. For example, an account may have a historical transaction activity that is substantially different from what would normally be expected from that type of account (e.g., a check-cashing business that deposits large sums of currency versus withdrawing currency to fund the cashing of checks).

The authority to establish or change expected activity profiles should be clearly defined and should generally require the approval of the BSA compliance officer or senior management. Controls should ensure limited access to the monitoring system. Management should document or be able to explain filtering criteria, thresholds used, and how both are appropriate for the bank’s risks. Management should also periodically review the filtering criteria and thresholds established to ensure that they are still effective. In addition, the monitoring system’s programming methodology and effectiveness should be independently validated to ensure that the models are detecting potentially suspicious activity.”
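
The currency activity filters listed above, and the gap the Exam Manual describes in a structuring filter that fires only on daily cash above $10,000, can be compared side by side. The following is an added example, not code from the Exam Manual or any vendor system; the transactions are constructed, and the `CashTxn` type, the function names, and the two-hit minimum for the near-threshold band are assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import date

# Parameters taken from the examples in the text above.
CTR_THRESHOLD = 10_000   # currency reporting threshold
NEAR_BAND_LOW = 7_000    # "between $7,000 and $10,000"
WINDOW_DAYS = 15         # "over a period of time (e.g., 15 days)"
WINDOW_TOTAL = 30_000    # "aggregate to a substantial sum (e.g., $30,000)"
MIN_NEAR_HITS = 2        # assumption: repeat count before alerting


@dataclass(frozen=True)
class CashTxn:
    cif: str      # customer information file number, the aggregation key
    day: date
    amount: int   # whole dollars of currency


def naive_filter(txns):
    """The gap: alert only when one customer's daily cash exceeds $10,000."""
    daily = defaultdict(int)
    for t in txns:
        daily[(t.cif, t.day)] += t.amount
    return {cif for (cif, _), total in daily.items() if total > CTR_THRESHOLD}


def near_threshold_filter(txns, min_hits=MIN_NEAR_HITS):
    """Customers with repeated single transactions just under the threshold."""
    hits = defaultdict(int)
    for t in txns:
        if NEAR_BAND_LOW <= t.amount <= CTR_THRESHOLD:
            hits[t.cif] += 1
    return {cif for cif, n in hits.items() if n >= min_hits}


def rolling_aggregate_filter(txns):
    """Sub-threshold transactions that sum to WINDOW_TOTAL within WINDOW_DAYS.

    Returns {cif: (window_start, window_end, total)} for the first hit.
    """
    by_cif = defaultdict(list)
    for t in txns:
        if t.amount <= CTR_THRESHOLD:
            by_cif[t.cif].append(t)
    flagged = {}
    for cif, items in by_cif.items():
        items.sort(key=lambda t: t.day)
        start, running = 0, 0
        for t in items:
            running += t.amount
            # Drop transactions that fall outside the 15-day window.
            while (t.day - items[start].day).days >= WINDOW_DAYS:
                running -= items[start].amount
                start += 1
            if running >= WINDOW_TOTAL and cif not in flagged:
                flagged[cif] = (items[start].day, t.day, running)
    return flagged


def review_queue(txns):
    """Run all three filters and show what the daily-only rule misses."""
    naive = naive_filter(txns)
    near = near_threshold_filter(txns)
    rolling = rolling_aggregate_filter(txns)
    return {"naive": naive, "near": near, "rolling": rolling,
            "missed_by_naive": (near | set(rolling)) - naive}


def _mar(d):
    return date(2016, 3, d)


# Constructed sample data; customers and amounts are illustrative only.
SAMPLE_TXNS = (
    [CashTxn("CIF-1001", _mar(1), 12_500)]
    + [CashTxn("CIF-2002", _mar(d), a)
       for d, a in [(1, 9_500), (3, 9_800), (8, 9_200), (11, 9_900)]]
    + [CashTxn("CIF-3003", _mar(d), 3_000)
       for d in (2, 3, 4, 6, 7, 9, 10, 12, 14, 15)]
    + [CashTxn("CIF-4004", _mar(d), a)
       for d, a in [(1, 2_000), (8, 2_000), (15, 2_000), (20, 8_000), (22, 2_000)]]
    + [CashTxn("CIF-5005", _mar(5), 6_000), CashTxn("CIF-5005", _mar(5), 5_500)]
)

if __name__ == "__main__":
    for name, value in review_queue(SAMPLE_TXNS).items():
        print(name, value)
```

Each entry the filters return is an alert for research against CDD information, not a SAR decision; the thresholds are the page's illustrative figures and would be set to the bank's own risk profile.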

Managing Alerts

The Exam Manual also provides the following valuable information related to managing alerts in the suspicious activity monitoring process.

“Alert management focuses on processes used to investigate and evaluate identified unusual activity. Banks should be aware of all methods of identification and should ensure that their suspicious activity monitoring program includes processes to evaluate any unusual activity identified, regardless of the method of identification. Banks should have policies, procedures, and processes in place for referring unusual activity from all areas of the bank or business lines to the personnel or department responsible for evaluating unusual activity. Within those procedures, management should establish a clear and defined escalation process from the point of initial detection to disposition of the investigation.

The bank should assign adequate staff to the identification, evaluation, and reporting of potentially suspicious activities, taking into account the bank’s overall risk profile and the volume of transactions. Additionally, a bank should ensure that the assigned staff possess the requisite experience levels and are provided with comprehensive and ongoing training to maintain their expertise. Staff should also be provided with sufficient internal and external tools to allow them to properly research activities and formulate conclusions.

Internal research tools include, but are not limited to, access to account systems and account information, including CDD and EDD information. CDD and EDD information will assist banks in evaluating if the unusual activity is considered suspicious. For additional information, refer to the core overview section, “Customer Due Diligence,” pages 63 to 65. External research tools may include widely available Internet media search tools, as well as those accessible by subscription. After thorough research and analysis, investigators should document conclusions including any recommendation regarding whether or not to file a SAR.

When multiple departments are responsible for researching unusual activities (i.e., the BSA department researches BSA-related activity and the Fraud department researches fraud-related activity), the lines of communication between the departments must remain open. This allows banks with bifurcated processes to gain efficiencies by sharing information, reducing redundancies, and ensuring all suspicious activity is identified, evaluated, and reported.

If applicable, reviewing and understanding suspicious activity monitoring across the organizations’ affiliates, subsidiaries, and business lines may enhance a banking organization’s ability to detect suspicious activity, and thus minimize the potential for financial losses, increased legal or compliance expenses, and reputational risk to the organization. Refer to the expanded overview section, “BSA/AML Compliance Program Structures,” pages 160 to 165, for further guidance.

Identifying Underlying Crime

Banks are required to report suspicious activity that may involve money laundering, BSA violations, terrorist financing, and certain other crimes above prescribed dollar thresholds. However, banks are not obligated to investigate or confirm the underlying crime (e.g., terrorist financing, money laundering, tax evasion, identity theft, and various types of fraud). Investigation is the responsibility of law enforcement. When evaluating suspicious activity and completing the SAR, banks should, to the best of their ability, identify the characteristics of the suspicious activity. Part III, section 35, of the SAR provides 20 different characteristics of suspicious activity. Although an “Other” category is available, the use of this category should be limited to situations that cannot be broadly identified within the 20 characteristics provided.”

SAR Decision-Making Process

Related to the SAR decision-making process, the Exam Manual states:

“After thorough research and analysis has been completed, findings are typically forwarded to a final decision maker (individual or committee). The bank should have policies, procedures, and processes for referring unusual activity from all business lines to the personnel or department responsible for evaluating unusual activity. Within those procedures, management should establish a clear and defined escalation process from the point of initial detection to disposition of the investigation.

The decision maker, whether an individual or committee, should have the authority to make the final SAR filing decision. When the bank uses a committee, there should be a clearly defined process to resolve differences of opinion on filing decisions. Banks should document SAR decisions, including the specific reason for filing or not filing a SAR. Thorough documentation provides a record of the SAR decision-making process, including final decisions not to file a SAR. However, due to the variety of systems used to identify, track, and report suspicious activity, as well as the fact that each suspicious activity reporting decision will be based on unique facts and circumstances, no single form of documentation is required when a bank decides not to file.

The decision to file a SAR is an inherently subjective judgment. Examiners should focus on whether the bank has an effective SAR decision-making process, not individual SAR decisions. Examiners may review individual SAR decisions as a means to test the effectiveness of the SAR monitoring, reporting, and decision-making process. In those instances where the bank has an established SAR decision-making process, has followed existing policies, procedures, and processes, and has determined not to file a SAR, the bank should not be criticized for the failure to file a SAR unless the failure is significant or accompanied by evidence of bad faith.

SAR Filing on Continuing Activity

One purpose of filing SARs is to identify violations or potential violations of law to the appropriate law enforcement authorities for criminal investigation. This objective is accomplished by the filing of a SAR that identifies the activity of concern. If this activity continues over a period of time, such information should be made known to law enforcement and the federal banking agencies. FinCEN’s guidelines suggest that banks should report continuing suspicious activity by filing a report at least every 90 days. This practice will notify law enforcement of the continuing nature of the activity in aggregate. In addition, this practice will remind the bank that it should continue to review the suspicious activity to determine whether other actions may be appropriate, such as bank management determining that it is necessary to terminate a relationship with the customer or employee that is the subject of the filing.

Banks should be aware that law enforcement may have an interest in ensuring that certain accounts remain open notwithstanding suspicious or potential criminal activity in connection with those accounts. If a law enforcement agency requests that a bank maintain a particular account, the bank should ask for a written request. The written request should indicate that the agency has requested that the bank maintain the account and the purpose and duration of the request. Ultimately, the decision to maintain or close an account should be made by a bank in accordance with its own standards and guidelines.

The bank should develop policies, procedures, and processes indicating when to escalate issues or problems identified as the result of repeat SAR filings on accounts. The procedures should include:

Review by senior management and legal staff (e.g., BSA compliance officer or SAR committee).

Criteria for when analysis of the overall customer relationship is necessary.

Criteria for whether and, if so, when to close the account.

Criteria for when to notify law enforcement, if appropriate.

SAR Completion and Filing

The following from the Exam Manual contains guidance related to the completion and filing of the SAR:

“SAR completion and filing are a critical part of the SAR monitoring and reporting process. Appropriate policies, procedures, and processes should be in place to ensure SAR forms are filed in a timely manner, are complete and accurate, and that the narrative provides a sufficient description of the activity reported as well as the basis for filing. Beginning on September 12, 2009, banks that file SARs electronically can receive from FinCEN a Document Control Number as an acknowledgement of receipt for a submitted SAR.

Timing of a SAR Filing

The SAR rules require that a SAR be filed no later than 30 calendar days from the date of the initial detection of facts that may constitute a basis for filing a SAR. If no suspect can be identified, the time period for filing a SAR is extended to 60 days. Organizations may need to review transaction or account activity for a customer to determine whether to file a SAR. The need for a review of customer activity or transactions does not necessarily indicate a need to file a SAR. The time period for filing a SAR starts when the organization, during its review or because of other factors, knows or has reason to suspect that the activity or transactions under review meet one or more of the definitions of suspicious activity.

The phrase “initial detection” should not be interpreted as meaning the moment a transaction is highlighted for review. There are a variety of legitimate transactions that could raise a red flag simply because they are inconsistent with an accountholder’s normal account activity. For example, a real estate investment (purchase or sale), the receipt of an inheritance, or a gift, may cause an account to have a significant credit or debit that would be inconsistent with typical account activity. The bank’s automated account monitoring system or initial discovery of information, such as system-generated reports, may flag the transaction; however, this should not be considered initial detection of potential suspicious activity. The 30-day (or 60-day) period does not begin until an appropriate review is conducted and a determination is made that the transaction under review is “suspicious” within the meaning of the SAR regulation.

Whenever possible, an expeditious review of the transaction or the account is recommended and can be of significant assistance to law enforcement. In any event, the review should be completed in a reasonable period of time. What constitutes a “reasonable period of time” will vary according to the facts and circumstances of the particular matter being reviewed and the effectiveness of the SAR monitoring, reporting, and decision-making process of each bank. The key factor is that a bank has established adequate procedures for reviewing and assessing facts and circumstances identified as potentially suspicious, and that those procedures are documented and followed.

For situations requiring immediate attention, in addition to filing a timely SAR, a bank must immediately notify, by telephone, an “appropriate law enforcement authority” and, as necessary, the bank’s primary regulator. For this initial notification, an “appropriate law enforcement authority” would generally be the local office of the IRS Criminal Investigation Division or the FBI. Notifying law enforcement of a suspicious activity does not relieve a bank of its obligation to file a SAR.

SAR Quality

Banks are required to file SAR forms that are complete, thorough, and timely. Banks should include all known subject information on the SAR form. The importance of the accuracy of this information cannot be overstated. Inaccurate information on the SAR form, or an incomplete or disorganized narrative, may make further analysis difficult, if not impossible. However, there may be legitimate reasons why certain information may not be provided in a SAR, such as when the filer does not have the information. A thorough and complete narrative may make the difference in determining whether the described conduct and its possible criminal nature are clearly understood by law enforcement. Because the SAR narrative section is the only area summarizing suspicious activity, the section, as stated on the SAR form, is “critical.” Thus, a failure to adequately describe the factors making a transaction or activity suspicious undermines the purpose of the SAR.

By their nature, SAR narratives are subjective, and examiners generally should not criticize the bank’s interpretation of the facts. Nevertheless, banks should ensure that SAR narratives are complete, thoroughly describe the extent and nature of the suspicious activity, and are included within the SAR form (no attachments to the narrative section can be stored in the BSA-reporting database). More specific guidance is available in Appendix L (“SAR Quality Guidance”) to assist banks in writing, and assist examiners in evaluating, SAR narratives. In addition, comprehensive guidance is available from FinCEN (e.g., “Guidance on Preparing a Complete & Sufficient Suspicious Activity Report Narrative,” November 2003, and “Suggestions for Addressing Common Errors Noted in Suspicious Activity Reporting,” October 2007) at www.fincen.gov/news_room/rp/sar_guidance.html.

Notifying Board of Directors of SAR Filings

Banks are required by the SAR regulations of their federal banking agency to notify the board of directors or an appropriate board committee that SARs have been filed. However, the regulations do not mandate a particular notification format and banks should have flexibility in structuring their format. Therefore, banks may, but are not required to, provide actual copies of SARs to the board of directors or a board committee. Alternatively, banks may opt to provide summaries, tables of SARs filed for specific violation types, or other forms of notification. Regardless of the notification format used by the bank, management should provide sufficient information on its SAR filings to the board of directors or an appropriate committee in order to fulfill its fiduciary duties.

SAR Record Retention and Supporting Documentation

Banks must retain copies of SARs and supporting documentation for five years from the date of filing the SAR. Additionally, banks must provide all documentation supporting the filing of a SAR upon request by FinCEN or an appropriate law enforcement or federal banking agency. “Supporting documentation” refers to all documents or records that assisted a bank in making the determination that certain activity required a SAR filing. No legal process is required for disclosure of supporting documentation to FinCEN or an appropriate law enforcement or federal banking agency.

Prohibition of SAR Disclosure

No bank, and no director, officer, employee, or agent of a bank that reports a suspicious transaction may notify any person involved in the transaction that the transaction has been reported. Thus, any person subpoenaed or otherwise requested to disclose a SAR or the information contained in a SAR, except when such disclosure is requested by FinCEN or an appropriate law enforcement or federal banking agency, shall decline to produce the SAR or to provide any information that would disclose that a SAR has been prepared or filed, citing 31 C.F.R. § 1020.320(e) and 31 U.S.C. § 5318(g)(2). FinCEN and the bank’s federal banking agency should be notified of any such request and of the bank’s response. Furthermore, FinCEN and the federal banking agencies take the position that banks’ internal controls for the filing of SARs should minimize the risks of disclosure.

Sharing SARs With Head Offices and Controlling Companies

Interagency guidance clarifies that banking organizations may share SARs with head offices and controlling companies, whether located in the United States or abroad. A controlling company as defined in the guidance includes:

A bank holding company (BHC), as defined in section 2 of the BHC Act.

A savings and loan holding company, as defined in section 10(a) of the Home Owners’ Loan Act.

A company having the power, directly or indirectly, to direct the management policies of an industrial loan company or a parent company or to vote 25 percent or more of any class of voting shares of an industrial loan company or parent company.

The guidance confirms that:

A U.S. branch or agency of a foreign bank may share a SAR with its head office outside the United States.

A U.S. bank may share a SAR with controlling companies whether domestic or foreign.

Banks should maintain appropriate arrangements to protect the confidentiality of SARs. The guidance does not address whether a bank may share a SAR with an affiliate other than a controlling company or head office. However, in order to manage risk across an organization, banks that file a SAR may disclose to entities within its organization the information underlying a SAR filing.”

Policy Issues

The bank should have policies, procedures, and processes for referring all unusual activity to the personnel or department responsible for evaluating unusual activity. The process should ensure that all applicable information is effectively evaluated.

The regulators are encouraging banks to document SAR decisions. The more documentation there is, the better the record of the SAR decision-making process that is available to all parties. Documentation of decisions not to file an SAR should also be retained by the bank.

The decision to file an SAR is subjective. Examiners have been instructed to focus on whether the bank has an effective SAR decision-making process, not individual SAR decisions. Examiners may review individual SAR decisions as a means to test the effectiveness of the SAR monitoring, reporting, and decision-making process. In those instances where the bank has an established SAR decision-making process, has followed existing policies, procedures, and processes and has determined not to file an SAR, the bank should not be criticized for the failure to file an SAR unless the failure is significant or accompanied by evidence of bad faith.

These particular issues can present implementation issues for banks. The mechanism for the preparation of and for the filing of an SAR should be carefully and completely set forth in the bank’s policy. It should include who is ultimately responsible for the decision to file an SAR, and a mechanism for staff to communicate their concerns and other information to the person or group that makes SAR decisions. Banks should avoid the phrase “the bank,” as this is indefinite and will probably not withstand regulatory scrutiny. At a minimum, the individuals responsible for decision making should be named by title.

Training about SARs and how these situations should be handled by the bank should be an important segment of the bank’s annual training, as any breach of the bank/customer confidentiality may endanger the bank’s protections under the safe harbor provisions of the regulation.

Record Retention

Copies of filed SARs and records of any supporting documentation must be maintained for a period of five years from the date of filing the SAR. The bank should treat the supporting records as if they had been filed with the SAR, and the records should be properly maintained and labeled. Records of the supporting documentation must be available to appropriate law enforcement agencies, FinCEN and bank supervisory agencies upon request.

SAR Confidentiality [31 C.F.R. 1020.320(e)]

A SAR, and any information that would reveal the existence of a SAR, are confidential and shall not be disclosed except as authorized in this section. For purposes of this section, a SAR shall include any suspicious activity report filed with FinCEN pursuant to any regulation in this chapter.

Prohibition on Disclosures by Banks

General. No bank, and no director, officer, employee, or agent of any bank, shall disclose a SAR or any information that would reveal the existence of a SAR. Any bank, and any director, officer, employee, or agent of any bank that is subpoenaed or otherwise requested to disclose a SAR or any information that would reveal the existence of a SAR, shall decline to produce the SAR or such information, citing this section and 31 U.S.C. 5318(g)(2)(A)(i), and shall notify FinCEN of any such request and the response thereto.

Rules of Construction. Provided that no person involved in any reported suspicious transaction is notified that the transaction has been reported, this section shall not be construed as prohibiting:

The disclosure by a bank, or any director, officer, employee, or agent of a bank, of:

o A SAR, or any information that would reveal the existence of a SAR, to FinCEN or any Federal, State, or local law enforcement agency, or any Federal regulatory authority that examines the bank for compliance with the Bank Secrecy Act, or any State regulatory authority administering a State law that requires the bank to comply with the Bank Secrecy Act or otherwise authorizes the State authority to ensure that the bank complies with the Bank Secrecy Act; or

o The underlying facts, transactions, and documents upon which a SAR is based, including but not limited to, disclosures:

To another financial institution, or any director, officer, employee, or agent of a financial institution, for the preparation of a joint SAR; or

In connection with certain employment references or termination notices, to the full extent authorized in 31 U.S.C. 5318(g)(2)(B); or

The sharing by a bank, or any director, officer, employee, or agent of the bank, of a SAR, or any information that would reveal the existence of a SAR, within the bank's corporate organizational structure for purposes consistent with Title II of the Bank Secrecy Act as determined by regulation or in guidance.

Prohibition on disclosures by government authorities. A Federal, State, local, territorial, or Tribal government authority, or any director, officer, employee, or agent of any of the foregoing, shall not disclose a SAR, or any information that would reveal the existence of a SAR, except as necessary to fulfill official duties consistent with Title II of the Bank Secrecy Act. For purposes of this section, “official duties” shall not include the disclosure of a SAR, or any information that would reveal the existence of a SAR, in response to a request for disclosure of non-public information or a request for use in a private legal proceeding, including a request pursuant to 31 CFR 1.11.

Limitation on Liability [31 C.F.R. 1020.320(f)]

A bank, and any director, officer, employee, or agent of any bank, that makes a voluntary disclosure of any possible violation of law or regulation to a government agency or makes a disclosure pursuant to this section or any other authority, including a disclosure made jointly with another institution, shall be protected from liability to any person for any such disclosure, or for failure to provide notice of such disclosure to any person identified in the disclosure, or both, to the full extent provided by 31 U.S.C. 5318(g)(3).

Compliance [31 C.F.R. 1020.320(g)]

Banks shall be examined by FinCEN or its delegatees for compliance with this section. Failure to satisfy the requirements of this section may be a violation of the Bank Secrecy Act and of this chapter. Such failure may also violate provisions of title 12 of the Code of Federal Regulations.

FinCEN Advisory

On March 2, 2012, FinCEN issued the following advisory to financial institutions regarding SAR confidentiality. It has been formatted for manual purposes, but the text remains unchanged.

FIN-2012-A002 Issued: March 2, 2012

Subject: SAR Confidentiality Reminder for Internal and External Counsel of Financial Institutions

The Financial Crimes Enforcement Network (FinCEN) is issuing this Advisory to remind financial institutions, and in particular, the lawyers that advise them, of the requirement to maintain the confidentiality of Suspicious Activity Reports (SARs). FinCEN is concerned that an increasing number of private parties, who are not authorized to know of the existence of filed SARs, are seeking SARs from financial institutions for use in civil litigation and other matters. Financial institutions, and their current and former directors, officers, employees, agents, and contractors, are prohibited from disclosing SARs, or any information that would reveal the existence of a SAR.20 FinCEN recognizes that an escalation in the number of requests for use of SARs in private litigation may increase the likelihood of an unauthorized disclosure of a SAR. This is especially true when external counsel is unfamiliar with the regulations covering SAR confidentiality. Financial institutions, and their current and former directors, officers, employees, agents, and contractors could be subject to civil and criminal penalties for the unauthorized disclosure of a SAR.

20 See 31 CFR §§ 1020.320(e), 1021.320(e), 1022.320(d), 1023.320(e), 1024.320(d), 1025.320(e), and 1026.320(e), see also Pub. L. 112-74: Consolidated Appropriations Bill, Division C, Title I, Section 118 amending 31 U.S.C. § 5318(g)(2)(A)(December 23, 2011).

FinCEN is responsible for both safeguarding the information it collects under its regulations implementing the Bank Secrecy Act, including SARs, and promoting appropriate protection of this by authorized users of the data across the Federal, State and local levels of government. The unauthorized disclosure of SARs could undermine ongoing and future investigations by tipping off suspects, deterring financial institutions from filing SARs, and threatening the safety and security of institutions and individuals who file such reports. Such disclosure of SARs compromises the essential role SARs play in protecting our financial system and in preventing and detecting financial crimes and terrorist financing. The success of the SAR reporting system depends upon the financial sector's confidence that these reports will be appropriately protected.

Possible Civil and Criminal Penalties for Unauthorized SAR Disclosures

The unauthorized disclosure of a SAR is a violation of federal law.21 Both civil and criminal penalties may be imposed for SAR disclosure violations. Violations may be enforced through civil penalties22 of up to $100,000 for each violation and criminal penalties23 of up to $250,000 and/or imprisonment not to exceed five years.24 In addition, financial institutions could be liable for civil money penalties resulting from anti-money laundering program deficiencies (i.e., internal controls, training, etc.) that led to the SAR disclosure. Such penalties could be up to $25,000 per day for each day the violation continues.25 FinCEN is committed to working with regulatory agencies, law enforcement, SROs, and financial institutions to take appropriate action for unauthorized disclosures of SARs. Incidents involving possible unauthorized SAR disclosures are investigated, and appropriate action is taken for violations of the law.

Guidance on Maintaining SAR Confidentiality

FinCEN reminds financial institutions to be vigilant in maintaining the confidentiality of SARs. This includes ensuring all employees, agents, and individuals appropriately entrusted with information in a SAR are informed of the individual obligation to maintain SAR confidentiality. This obligation applies not only to the SAR itself, but also to information that would reveal the existence (or non-existence) of the SAR. Likewise, such persons should be informed of the consequences for failing to maintain such confidentiality, which could include civil and criminal penalties as explained herein.

A financial institution may consider including such information as part of its ongoing training of all employees. Furthermore, financial institutions may want to remind their counsel of the strict requirements of SAR confidentiality. Additional risk-based measures to enhance the confidentiality of SARs could include, among other appropriate security measures, limiting access on a "need-to-know" basis, restricting areas for reviewing SARs, logging of access to SARs, using cover sheets for SARs or information that reveals the existence of a SAR, or providing electronic notices that highlight confidentiality concerns before a person may access or disseminate the information.

If you or your institution becomes aware of an unauthorized disclosure of a SAR, or if your institution receives a subpoena or other request for a SAR from other than an authorized government authority or self-regulatory organization as defined in the applicable SAR regulations, you should immediately contact FinCEN's Office of Chief Counsel at (703) 905-3590.26 Additionally, an institution may be required to contact its primary federal regulator, as may be applicable in a corresponding SAR rule.

21 31 U.S.C. §§ 5318(g)(2), 5321, and 5322.

22 31 U.S.C. § 5321 and 31 CFR § 1010.820.

23 31 U.S.C. § 5322 and 31 CFR § 1010.840.

24 31 U.S.C. § 5322(b) and 31 CFR § 103.59(c) (Criminal penalties may increase if the violation is committed while violating another law of the United States or as part of a pattern of illegal activity).

25 31 U.S.C. § 5321(a)(1).

Questions or comments regarding the contents of this Advisory should be addressed to the FinCEN Regulatory Helpline at 800-949-2732. Financial institutions wanting to report suspicious transactions that may relate to terrorist activity should call the Financial Institutions Toll-Free Hotline at (866) 556-3974 (7 days a week, 24 hours a day). The purpose of the hotline is to expedite the delivery of this information to law enforcement. Financial institutions should immediately report any imminent threat to local-area law enforcement officials.

The SAR Form

The following pages contain the current SAR report.

26 31 CFR §§ 1020.320(e), 1021.320(e), 1022.320(d), 1023.320(e), 1024.320(d), 1025.320(e), and 1026.320(e).

Section 9: Customer Due Diligence [31 C.F.R. § 1020.220]

Introduction

In 1998, the federal banking regulators proposed Know Your Customer (KYC) guidelines. While they were subsequently withdrawn, the elements of KYC serve as a resource for methods by which a financial institution can facilitate its responsibilities to operate under safe and sound banking procedures when opening accounts, and meet its requirements to file Suspicious Activity Reports.

The requirements were set out in general terms, reflecting the view that a program that is appropriate for one institution may not be appropriate for another. Under the proposed regulation, the agencies would expect each financial institution to design a program that is appropriate to that institution, given its size and complexity, the nature and extent of its activities, its customer base, and the levels of risk associated with its various customers and their transactions.

In recent years, the banking regulators have required banks to perform some level of Customer Due Diligence (CDD). The expectations concerning CDD were specified in the Exam Manual. The opening paragraphs of this section of the Exam Manual state:

“The cornerstone of a strong BSA/AML compliance program is the adoption and implementation of comprehensive CDD policies, procedures, and processes for all customers, particularly those that present a high risk for money laundering and terrorist financing. The objective of CDD procedures should be to enable the bank to predict with relative certainty the types of transactions in which a customer is likely to engage. These procedures assist the bank in determining when transactions are potentially suspicious. The concept of CDD begins with verifying the customer’s identity and assessing the risks associated with that customer. Procedures should also include enhanced CDD for high-risk customers and ongoing due diligence of the customer base.

Effective CDD policies, procedures, and processes provide the critical framework that enables the bank to comply with regulatory requirements and to report suspicious activity. An illustration of this concept is provided in Appendix K (“Customer Risk Versus Due Diligence and Suspicious Activity Monitoring”).

CDD policies, procedures, and processes are critical to the bank because they can aid in:

Detecting and reporting unusual or suspicious transactions that potentially expose the bank to financial loss, increased expenses, or reputation risk.

Avoiding criminal exposure from persons who use or attempt to use the bank’s products and services for illicit purposes.

Adhering to safe and sound banking practices.”

Developing a CDD program should not be a “one size fits all” approach. Although many banks have similarities, all banks vary in the level of inherent risk, based on customer base, products, services, and geographies. Therefore, CDD programs will vary from bank to bank.

Customer Due Diligence (CDD) Overview

The foundation of strong BSA/AML programs is the implementation of complete CDD policies, procedures, and controls for all customers, particularly those that present a higher risk for money laundering and terrorist financing. The concept of CDD builds upon the CIP regulatory requirements for identifying and verifying a customer’s identity.

The goal of a CDD program is to develop an awareness of the unique financial details of the institution’s customers and the ability to predict the type and frequency of transactions in which its customers are likely to engage. In this way, institutions can better identify, research, and report suspicious activity as required under BSA. Although customer due diligence is not required by statute or regulation, an effective CDD program is the framework that allows the institution to comply with regulatory requirements.

Benefits of an Effective CDD Program

An effective CDD program protects the reputation of the institution by:

Preventing unusual or suspicious transactions that would expose the bank to loss or expense

Helping the bank avoid criminal exposure by those who would use the bank for illegal activity

Ensuring compliance with BSA regulations and holding to sound banking practices.

Another way to realize the benefits of an effective CDD program is through the following:

Using a customer risk rating system to allocate bank resources for monitoring purposes

Focusing the majority of the bank’s monitoring efforts on those customers that present the greatest risk

Complying with the BSA through a risk-based approach.

CDD Program Guidance

CDD programs should be tailored to each institution’s BSA/AML risk profile; consequently, the scope of any CDD program will vary. Even though a small bank may have more frequent direct contact with its customers than a larger bank does, all financial institutions should adopt a CDD program.

An effective CDD program should:

Be in proportion to a bank’s BSA/AML risk profile,

Be clear in management’s expectations and staff responsibility, and

Establish monitoring systems and procedures to identify activity that is inconsistent with a customer’s normal banking activity.

Elements of a CDD Program

While there is a great deal of flexibility allotted to banks in devising an appropriate CDD program, all Know Your Customer programs should contain certain critical features, which are discussed below. Each program should also delineate acceptable documentation requirements and the due diligence procedures the bank will follow. The delineation of this information in the CDD program will ensure that the same standards are applied throughout the bank and will inform auditors and examiners of the bank’s established standards for review of customer information.

Minimum Steps for Compliance

The following are the minimum steps banks should take in order to comply with the CDD expectations.

Identify the Customer

Section 326 of the USA PATRIOT Act made determining the “true” identity of a customer a requirement of law. The rule for customer identification was discussed earlier in this manual.

Determine the Source of Funds

The CDD program should provide a system for determining the source of a customer’s funds. The amount of information needed to do this can depend on the type of customer in question. As an example, if a retail banking customer maintains demand deposit accounts funded primarily from payroll deposits, it should be a relatively simple task to identify and document the source of funds as payroll deposits. On the other hand, a more detailed analysis, with a more extensive documentation process, would be required for high net worth customers with multiple deposits from a variety of sources.

For these reasons, among others, it may be beneficial for banks to classify customers into varying categories, based on factors such as the types of accounts maintained, the types of transactions conducted, and the potential risk of illicit activities associated with such accounts and transactions. Banks could then develop procedures to obtain necessary information and documentation based on the risk assessment for the various categories or classes established by a bank.

Determine Normal and Expected Transactions

The CDD program should provide a system for determining a customer’s normal and expected transactions involving the bank. Without this information, a bank is unable to identify suspicious transactions. A bank’s understanding of a customer’s normal and expected transactions should be based on information obtained both when an account is opened and during a reasonable period of time afterward. It also should be based on normal transactions for similarly situated customers.

Monitor the Account Transactions

The CDD program should provide a system for monitoring, on an ongoing basis, the transactions conducted by customers and identifying transactions that are inconsistent with the normal and expected transactions for particular customers or for customers in the same or similar categories or classes. The examiners do not require that every transaction of every customer be reviewed. Rather, they do expect a bank to develop a monitoring system that is appropriate for the risks presented by the accounts maintained at that bank.

In designing a monitoring system, a bank may choose to classify accounts into various categories based on factors such as the type and size of account; the types, number, and size of transactions conducted in the account; and the risk of illicit activity associated with the account. For certain classes or categories of accounts, it would be sufficient for an effective monitoring system to establish parameters within which the transactions in these accounts will normally occur. Rather than monitoring each transaction, an effective monitoring system could entail monitoring only for those transactions that exceed the established parameters for that particular class or category of accounts. For other categories or classes of accounts, such as private banking accounts, it may be necessary to monitor each significant transaction.

Determine If the Transaction Should Be Reported

Once a transaction is identified as inconsistent with normal and expected transactions, the bank must determine if the transaction warrants the filing of a Suspicious Activity Report. In identifying reportable transactions, a bank should not conclude that every transaction that falls outside what is expected for a given customer should be reported. Rather, a bank should focus on patterns of inconsistent transactions and isolated transactions that present risk factors that warrant further review.

Customer Risk

As observed in the risk assessment portion of this manual, a bank is expected to identify and understand the money laundering and terrorist financing risks of its customer base. The most efficient method to understand the ongoing risks is to obtain appropriate and relevant information at account opening. Such information should be sufficient to allow the bank to develop an understanding of normal and expected activity for the customer’s occupation or business operations. This is best illustrated in Appendix K of the Exam Manual, which focuses on the relationship between the type of customer and the level of suggested/expected due diligence.

As part of an institution’s BSA/AML risk assessment, many institutions apply a BSA/AML risk rating to their customers. Using this approach, the institution will gather enough information at account opening to develop a customer transaction profile to understand what will be expected activity for that customer’s occupation or business. The following from the Exam Manual addresses the risk-based approach a bank should follow when risk rating and monitoring customer activity:

“This information should allow the bank to differentiate between lower-risk customers and higher-risk customers at account opening. Banks should monitor their lower-risk customers through regular suspicious activity monitoring and customer due diligence processes. If there is indication of a potential change in the customer’s risk profile (e.g., expected account activity, change in employment or business operations), management should reassess the customer risk rating and follow established bank policies and procedures for maintaining or changing customer risk ratings.

Much of the CDD information can be confirmed through an information-reporting agency, banking references (for larger accounts), correspondence and telephone conversations with the customer, and visits to the customer’s place of business. Additional steps may include obtaining third-party references or researching public information (e.g., on the Internet or commercial databases).

CDD processes should include periodic risk-based monitoring of the customer relationship to determine whether there are substantive changes to the original CDD information (e.g., change in employment or business operations).”

Assigning a risk rating to customers may not be appropriate for all banks, but bank management should have a detailed understanding of money laundering and terrorist financing, and should know its customer base, to limit risk.

Assessing Risk

In general, customers may pose low risk, high risk, or something in between.

Examples of low risk (routine or usual accounts) include:

Low aggregate balances

Low volume of activity

Household accounts

Most retail passbook savings/checking accounts

Accounts for minors

Examples of higher-risk accounts or activities include:

Large balances

High volume of activity

Frequent or excessive funds transfers

Frequent or excessive large cash transactions

Personal Accounts. When opening personal accounts, banks may want to consider the following:

Location of residence

Follow-up calls

Source of funds (especially large sums of cash)

For larger accounts, prior bank references are recommended

Checking with service bureaus (i.e., ChexSystems)

Business Accounts: In addition, consider the following when opening business accounts, as applicable:

Evidence of customer’s legal status

Articles of incorporation, partnership agreement, etc.

Certificate of Good Standing with state

Business license

Check with reporting agency (i.e., Dun & Bradstreet, etc.)

Prior bank references

Follow-up calls and on-site visits

Source of funds

Description of line of business

For larger accounts:

Financial statements

Listing of major suppliers, customers, and geographic locations

Description of business’s primary trade area

Whether international transactions are expected

Description of business operations (i.e., retail vs. wholesale)

Anticipated volume of cash activity

High-Risk Products and Services

While a bank may have additional high-risk products and services, three forms of possible high-risk products or services are presented here:

Wire transfer/International Correspondent Bank Accounts

Private Banking Relationships, and

Electronic Banking

Wire Transfer/International Correspondent Bank Accounts. When dealing with wire transfers or international accounts, banks should consider the following factors:

Account purpose

Location of foreign bank, if applicable

Nature of banking license of correspondent bank

Correspondent’s AML program

Prevention controls

Extent of banking regulation enforced in the foreign country

For our typical domestic-based customers, wire transfer activity can pose an issue if the purpose or frequency of the funds transfer activity is not reasonable for the type of customer or the customer’s business. Therefore, it is important to determine the level of any funds transfer activity of a prospective customer at the time of account opening and continually monitor such activity to ensure that it falls in line with the original expectations. One simple method to accomplish this objective is to ask the following at account opening:

Does the customer perform funds transfers?

What will be the expected frequency and amounts of such transfers?

Does the customer deal with international suppliers or customers?

Obtain a list of such suppliers and customers

Ensure that none appear on any sanctioned lists (i.e., OFAC)

Does the customer deposit currency and then subsequently wire funds out of the bank on a regular basis?

Depending on the answers to the above, there may be some initial high-risk concerns by the bank if the customer is dealing in a high level of funds transfer activity, especially on an international basis.

Private Banking Relationships. Private banking is generally considered the personal or discreet offering of a wide variety of financial services and products to the affluent market. It can involve customers as individuals, commercial businesses, law firms, investment advisors, trusts, etc. Proper due diligence when opening private banking accounts goes beyond the normal procedures or controls employed with a bank’s typical retail customer base. Items to consider when opening private banking accounts include:

Confirming references

Background checks

Determining the source of the client’s wealth, needs and expected transactions

Electronic Banking. Electronic banking is a broad term that encompasses a variety of delivery channels: telephone banking, Internet banking, PC-based banking, ATMs and ACHs. In today’s environment, electronic banking is becoming more and more popular given our hectic lifestyles. While most customers that utilize electronic banking channels to conduct transactions do so in a legitimate manner, the mere existence of such channels has raised concerns among the regulators. In general, electronic banking is vulnerable to money laundering and terrorist financing due to user anonymity, rapid transaction speed and its wide geographic availability. When offering electronic banking channels, banks should consider the following:

Customer’s proximity to the bank’s branches

Requirement for the customer to initiate electronic banking services on-site at the bank

Review of customer’s transactions and expected transactions

High-Risk Customers

Financial institutions are expected to develop a high-risk customer list from their customer base. While included in Section 2 of this manual, the following is reproduced as a reminder of those types of entities that are considered as possessing a higher degree of risk:

Cash intensive businesses such as convenience stores, restaurants, retail stores, liquor stores, cigarette distributors, privately owned ATMs, vending machine operators and parking garages

Pawn brokers

Purchasers or sellers of any type of motor vehicle, vessel, aircraft, farm equipment or mobile home

Auctioneering

Chartering or operation of ships, buses or aircraft

Gaming of any kind

Trade unions

Title insurance operations and real estate closing

Professional service providers such as doctors, attorneys, accountants and real estate brokers

Non-governmental organizations and charities

Non-bank financial institutions, which would include money service businesses (MSB), casinos and card clubs, brokers/dealers in securities, and dealers in precious metals, stones and jewels

Senior political figures, their immediate families and close associates (PEPs)

Non-resident aliens and accounts of foreign individuals

Foreign corporations maintaining transaction accounts, offshore corporations, and international business corporations located in high-risk geographic areas

Deposit brokers (including foreign brokers)

Foreign financial institutions, including banks and foreign money service providers

Once identified, the bank can determine which customers are conducting transactions and/or using services of the bank that would warrant remaining on a high-risk list and necessitate further monitoring.

High-Risk Geographic Locations

Identifying high-risk geographic locations is essential to a bank’s anti-money laundering program. A condensed reminder of the available resources for identifying high-risk geographic locations follows:

Jurisdictions identified by intergovernmental organizations (e.g., FATF)

Countries/jurisdictions identified by the US Department of State’s International Narcotics Control Strategy Report (INCSR)

Geographies identified by OFAC

Jurisdictions designated by the Secretary of the Treasury as being of primary money laundering concern, as authorized by the USA Patriot Act

Jurisdictions identified by bank management

Risk Codes

A customer risk rating system should be developed before a bank may begin assigning risk ratings to its customers. Risk rating systems can range from the most simplistic to highly sophisticated. Given the wide variety of bank sizes, types, customer bases and locations, there is no one perfect method for every bank. Below are two different approaches.

The following is a modification to various risk rating systems that have been utilized by banks and regulators alike. On the surface, this rating system is rather simplistic and attempts to limit the number of risk levels. The levels of customer risk range from highest (1) to lowest (4).

1. High

a. Customers where an SAR has been considered in the past

b. Customers that fall into the high-risk categories for all three risk factors (i.e., customer type, products/services used, and location of customer)

2. Moderate High

a. Customers that may not be exempted from CTR filings

b. Customers that fall into the regulator identified high-risk customer and geographic category

c. Non-U.S. citizens

d. Customers that reside outside of a pre-defined radius of the bank’s locations (i.e., 50 mile radius, outside of the county in which the bank operates, etc.)

e. Customers where an SAR was considered or filed in the past and no subsequent suspicious activity has occurred in a pre-defined period of time (i.e., within 6 months following the initial suspicious activity)

3. Moderate

a. Customers that did not provide sufficient information to verify identity at account opening

b. Customers that fall into any one of the three regulator identified high-risk categories

4. Low

a. Any customer that is not rated 1 through 3

Risk Rating Existing Customer Base

Agreeing on a risk rating system or model might be considered simple when compared to the daunting task of assigning a rating to all existing customers. The following will discuss a logical approach to initiate the process and establish benchmarks that can be used for existing and new customers.

It is important to note that, when assigning risk ratings to specific customers, the bank must be cognizant that the various risk factors can interrelate. For example, a customer’s use of a higher-risk service may not result in a high-risk rating for that particular customer. The customer’s profile should be considered in such situations. When assessing the existing customer base, the above risk rating code sample (or similar) should be referenced as ratings are assigned.

Assigning responsibility for risk ratings is integral to a bank’s overall CDD process. An effective risk rating process will have checks and balances, and allow for modification over time. Each institution will need to find a process that works best; however, the following are offered as suggestions in its development:

Initial risk rating options –

o Developing a comprehensive, user-friendly account opening form used by line staff, which guides staff on assigning initial ratings

o Deferring the risk rating process to select individuals within the institution

Risk rating adjustments – allowing for a post-review of risk ratings to assure that the rating system is properly employed

Account closure – allowing for authority to close an account relationship should the risk rating prompt such action

Modifications to system – allowing for adjustments to the risk rating system, as necessary

Step One: High-Risk Types. Begin the process by identifying those existing customers that fall into any of the customer type categories identified by regulators as high-risk. While this process can take time when reviewing a bank’s existing customer database, it can be broken down into manageable pieces to expedite the process. For example, customers can be grouped into account types and assigned to designated staff to complete the assessment. The analysis of customers’ geographic locations may present a problem since it is impractical to assess each and every customer’s address, as compared to the listing of regulator-defined high-risk areas. A more practical approach is to first determine if any of the customer base resides, overlaps, or is adjacent to such areas. If the bank is located nowhere near such areas, then this part of the assessment should be minimal.

As part of the high-risk type analysis, the reviewer should identify any customers that engage in a business that is not eligible for a Phase II exemption.

Step Two: Suspicious Activity. Next, banks should identify any customers where suspicious activity reports (SARs) have been considered or filed in the past. Care should be taken on the final risk rating category assigned for these customers so that the risk rating does not readily highlight the fact that an SAR has been filed, since this information is to remain confidential. When bringing an assessment up-to-date, the reviewer might consider reviewing those instances where an SAR was filed or considered within a predefined time frame, such as during the most recent 12 months. Banks with effective suspicious activity monitoring programs should be able to rely on these procedures to readily identify those individuals of particular concern.

Step Three: High-Risk Products/Services. Based on the bank products or services that have been identified as possessing a higher risk (which will be discussed in the next section), banks should next create a listing of the customers that utilize such products or services. This list of customers should then be cross-referenced with the other high-risk areas (i.e., customer type and geographic location).

Step Four: Customer Activity. Banks are afforded a wealth of customer activity records. These records, including cash activity, can provide a significant amount of information about a customer’s profile. Subject to system limitations, banks should utilize their databases to identify the following:

Cash Activity. Customers that routinely engage in large currency transactions. The minimum thresholds for cash activity should be below the regulatory reporting amount of $10,000. In today’s banking environment, many banks already track cash activity that is above $3,000 (or similar) to assist in their CTR reporting process and suspicious activity monitoring programs. As part of this process, banks need to become familiar with a customer’s usual activity. If a wage earner customer (i.e., someone whose income is reported on a W-2) has frequent cash activity, then the bank needs to determine the source of the funds. While many bankers may be uncomfortable asking for customer explanations, the bank must, by whatever method, determine if the cash activity is normal or unusual.

Monetary Instrument Purchases. The regulations require banks to record any sales of monetary instruments involving currency of $3,000 to $10,000, inclusive. These records, when reviewed periodically, can provide the bank with insight concerning any suspicious activity. Such records should be reviewed during the risk rating process to determine if any customers are frequently purchasing such instruments without any reasonable or legitimate purpose. A subset of this review might include reviewing where the instruments are cashed (i.e., in a foreign country) to determine if the risks need to be elevated.

Funds Transfers. Since banks are required to record certain information about persons that originate or receive funds through the wire system involving amounts of $3,000 or more, these records can be used to identify customers or persons that conduct frequent transactions without any reasonable or legitimate purpose. These records should already be incorporated into an ongoing review by a bank’s BSA officer or designee, which serves to determine whether frequent funds transfers by a particular customer meet his/her risk profile.

Step Five: Customer Location. A review should be performed to identify any customers that reside outside of the bank’s predefined market area. It should be noted that some of these customers may not pose higher risks, but rather have relocated or have family connections to the market area. Customers that do fall into this category with no ascertainable reason to maintain an account at the bank require further evaluation. In addition, customers that are classified as non-U.S. persons will need to be identified.

Step Six: CIP Concerns. Finally, the reviewer shall identify those customers that have recently opened a customer relationship but have not fulfilled the bank’s CIP requirements. Ideally, a designated person or department within the bank should be tracking such customers on an ongoing basis. Any customers that have failed to provide either identity or verification information should be flagged to allow the institution to track the fulfillment of CIP requirements. Depending on the bank’s written CIP, eventually the bank should take appropriate action when CIP requirements are not met.

Monitoring

Once the customer base has been risk rated, the process of ongoing monitoring begins. Depending on each bank’s resources, the level of available reports and/or tools will vary. However, even the smallest of institutions shall have methods employed to assess customer risks on an ongoing basis. In the simplest of examples, higher risk rated customers should be monitored more frequently than the low-risk customers. In addition, the types of monitoring reports for high-risk customers will likely contain transaction or customer profile specific parameters. For example, cash activity for “one” risk rated customers might be monitored for any cash activity of $3,000 and greater each business day. In addition, these same customers might be monitored for cash activity exceeding specific amounts over a designated time period (i.e., cash activity of $15,000 or more in a seven-day period).

When developing such monitoring methods, a bank must first be cognizant of its higher-risk customers and the tools available to effectively monitor the accounts. Not every bank will be expected to spend large sums of money or resources to implement such methods, but the methods should be commensurate with its overall risks.
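The cash-activity parameters described above for “one” risk rated customers ($3,000 and greater in a business day, $15,000 or more in a seven-day period), worked as an added example that is not part of the original manual. The customer IDs, the transactions, and the choice to aggregate cash per customer per calendar day are assumptions constructed for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import date, timedelta
from decimal import Decimal


@dataclass(frozen=True)
class CashRule:
    daily_threshold: Decimal   # alert when one day's cash total reaches this
    window_days: int           # length of the rolling look-back window
    window_threshold: Decimal  # alert when the window's cash total reaches this


# Parameters for risk rating 1 come from the text. The manual gives no
# parameters for ratings 2 through 4, so this example does not evaluate them;
# a bank would set its own.
RULES = {1: CashRule(Decimal("3000"), 7, Decimal("15000"))}


def daily_totals(transactions):
    """Sum cash amounts per (customer, day).

    Aggregating several transactions on one day is an assumption of this
    example; the text only says "any cash activity of $3,000 and greater
    each business day".
    """
    totals = defaultdict(Decimal)
    for customer, day, amount in transactions:
        totals[(customer, day)] += Decimal(amount)
    return totals


def cash_alerts(transactions, risk_ratings, rules=RULES):
    """Return sorted (customer, date, alert_type, total) tuples."""
    totals = daily_totals(transactions)
    alerts = []
    for (customer, day), total in totals.items():
        rule = rules.get(risk_ratings.get(customer))
        if rule is None:
            continue  # no parameters defined for this customer's rating

        # Rule 1: cash activity at or above the daily threshold.
        if total >= rule.daily_threshold:
            alerts.append((customer, day, "DAILY", total))

        # Rule 2: cash activity over the window ending on this day.
        window_total = sum(
            (totals.get((customer, day - timedelta(days=back)), Decimal(0))
             for back in range(rule.window_days)),
            Decimal(0),
        )
        if window_total >= rule.window_threshold:
            alerts.append((customer, day, "WINDOW", window_total))
    return sorted(alerts)


# Constructed sample data (not real customers or transactions).
SAMPLE_RATINGS = {"C-1001": 1, "C-1002": 1, "C-2001": 4}
SAMPLE_TRANSACTIONS = [
    # C-1001: six deposits, each under the daily threshold, inside seven days.
    ("C-1001", date(2016, 3, 1), "2900.00"),
    ("C-1001", date(2016, 3, 2), "2900.00"),
    ("C-1001", date(2016, 3, 3), "2900.00"),
    ("C-1001", date(2016, 3, 4), "2900.00"),
    ("C-1001", date(2016, 3, 5), "2900.00"),
    ("C-1001", date(2016, 3, 6), "2900.00"),
    # C-1002: two deposits on one day that together reach the daily threshold.
    ("C-1002", date(2016, 3, 2), "2000.00"),
    ("C-1002", date(2016, 3, 2), "1500.00"),
    # C-2001: rating 4, outside the parameters this example defines.
    ("C-2001", date(2016, 3, 2), "3200.00"),
]

if __name__ == "__main__":
    for alert in cash_alerts(SAMPLE_TRANSACTIONS, SAMPLE_RATINGS):
        print(alert)
```

The first sample customer never reaches the daily parameter but does reach the seven-day parameter on the sixth day, which is why the text pairs the two checks.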

Other High-Risk Resources

While examiners are frequently targeting a bank’s policy and procedures addressing high-risk customers, activities and services during a BSA examination, there has not been an abundance of information to help guide banks on exactly how to deal with this area. There are a variety of resources available to assist us with high-risk activities.

One such valuable resource can be found in the OCC’s publication Money Laundering: A Banker’s Guide to Avoiding Problems (December 2002). It may be found on the agency’s Web site at www.occ.treas.gov. Additional assistance can be found in the Exam Manual.

Section 10: Reports of Transportation of Currency or Monetary Amounts [31 C.F.R. § 1010.340]

Introduction

Each person who attempts, causes, or physically transports, mails, or ships currency or other monetary instruments in an aggregate amount exceeding $10,000 on any one occasion from the United States to any place outside the United States, or into the United States from any place outside the United States, must file a report of the transaction (Customs Form 105: Report of International Transportation of Currency or Monetary Instruments).

Receipt of Transported Currency or Monetary Instruments

Likewise, if any person receives currency or monetary instruments in an aggregate amount exceeding $10,000 on any one occasion which have been transported, mailed, or shipped to such person from any place outside the United States, and there has been no report filed, then that person must file a report (Customs Form 105) stating the amount, date of receipt, form of monetary instruments received, and the person from whom they were received.

Exceptions

This report is not required of the following:

1. A Federal Reserve Bank;

2. A bank, a foreign bank, or a broker/dealer in securities (with respect to currency or other monetary instruments mailed or shipped through the postal service or common carrier);

3. A commercial bank or trust company organized under the laws of any state of the United States (e.g., overland shipments of currency or monetary instruments shipped or received from an established customer maintaining a deposit relationship with the financial institution and in amounts that reasonably do not exceed amounts that are customary to the conduct of the customer’s business);

4. A person who is not a citizen or resident of the United States when currency or other monetary instruments are mailed or shipped from abroad to a financial institution, broker, or dealer in securities through the postal service or common carrier;

5. A common carrier of passengers whose passengers are in possession of the currency or monetary instruments;

6. A common carrier of goods when the shipper does not declare that the goods are in currency or other monetary instruments;

7. A traveler’s check issuer or agent when the traveler’s checks are being delivered for future sale to the public;

8. A person when an endorsed traveler’s check is in the collection and reconciliation process after the traveler’s check has been negotiated;

9. A person who engages in the business of transportation of currency, monetary instruments, and other commercial paper between established offices of financial institutions, brokers, or dealers in securities

Common Carrier Exemption

Under 31 C.F.R. § 1010.340(c)(2), a financial institution is not required to file a Form 105 in respect to currency or other monetary instruments mailed or shipped through the postal service or by common carrier.

This exemption applies to those situations where the institution ships such currency directly through the common carrier as well as in those instances where an institution utilizes a private courier service to deliver such currency from the institution to the common carrier and international shipment of such currency is made via such common carrier.

The reporting provisions of 31 C.F.R. § 1010.311, the filing of Form 105 for all currency transactions in excess of $10,000, are still applicable to these international transactions, unless exempted by regulation.

Transportation of Currency Reporting Guidelines

In filing reports of transportation of currency or monetary instruments, the financial institution should follow these guidelines:

1. The report must be filed at the time of entry/departure into the United States or mailing/shipping from the United States, unless otherwise specified by the Commissioner of Customs.

2. A report must be filed within 15 days after receipt of the currency or other monetary instruments.

3. All reports must be filed with the Customs Officer in charge at any port of entry or departure or otherwise specified by the Commissioner of Customs.

Reports for currency or other monetary instruments not physically accompanying a person entering or departing the United States may be filed by mail on or before the date of entry, departure, mailing, or shipping. Reports filed by mail must be addressed to:

Commissioner of Customs
Attention: Currency Transportation Reports
Washington, DC 20229

The Treasury has ruled that financial institutions are responsible for filing a Form 105 on behalf of a customer only if the customer informs the bank that a Form 105 was not filed. As long as the bank does not acquire the knowledge within 15 days of the date of the transaction that a Form 105 was not filed, the bank has no obligation to file the Form 105. Moreover, the bank is not obligated to inquire whether a Form 105 was filed.

Section 11: Foreign Financial Accounts [31 C.F.R. § 1010.350, 1010.360 & 1010.420]

Reports of Foreign Financial Accounts [31 C.F.R. § 1010.350]

A continuing problem for the United States has been the hiding of assets in foreign countries. The Bank Secrecy Act and U.S. Treasury regulations attempt to stem the flow of funds by requiring the reporting of any financial interest and/or signature or other authority over one or more bank accounts, securities accounts, or other financial accounts in foreign countries exceeding $10,000 during the previous calendar year. In such instances where the person has more than 25 foreign accounts, the person only needs to note that fact on the form. However, the regulatory agencies may request additional information on each account as they deem necessary.

These reports (Department of the Treasury Report of Foreign Bank and Financial Accounts) must be filed with the Commissioner of Internal Revenue by June 30 of each calendar year. It is form number TD F 90-22.1 (revised 3/2011). A copy of the required form is included at the end of this section.

Reports of Transactions with Foreign Financial Agencies [31 C.F.R. § 1010.360]

The Secretary may amend regulations and require specified financial institutions to file reports of certain transactions with designated foreign financial agencies. If a regulation is issued as a final rule without notice/opportunity for public comment, then a “finding of good cause” for dispensing with the notice must be included in the regulation. If any regulation affecting reporting requirements is not published in the Federal Register, then any financial institution subject to the regulation will be named and personally served. If a financial institution is given notice of a reporting requirement by means other than publication in the Federal Register, then the Secretary may prohibit disclosure of the existence of that reporting requirement to the designated foreign financial agency or agencies.

Information Subject To Reporting

The following information is subject to the reporting requirements:

1. Checks or drafts, including traveler’s checks, received by the respondent financial institution for collection or credit to the account of a foreign financial agency, sent by the respondent financial institution to a foreign country for collection or payment, or drawn by a foreign agency on a respondent financial institution, must include the following information:

a. Name of maker or drawer

b. Name of drawee or drawee financial institution

c. Name of payee

d. Date and amount of instrument

e. Names of all endorsers

2. Funds transfer transmittal orders received by a respondent financial institution from a foreign financial agency or sent by a respondent financial institution to a foreign financial agency must include all information maintained by that institution as required by the funds transfer recordation and record retention guidelines (sections 1010.410 and 1020.410) of the regulation.

3. Loans made by the respondent financial institution to or through a foreign financial agency must include the following information:

a. Name of borrower

b. Name of person acting for borrower

c. Date and amount of loan

d. Terms of repayment

e. Name of guarantor

f. Rate of interest

g. Method of disbursing proceeds

h. Collateral for loan

4. Commercial paper received or shipped by the respondent financial institution must include the following information:

a. Name of maker

b. Date and amount of paper

c. Due date

d. Certificate number

e. Amount of transaction

5. Stocks received or shipped by the respondent financial institution must include the following information:

a. Name of corporation

b. Type of stock

c. Certificate number

d. Number of shares

e. Date of certificate

f. Name of registered holder

g. Amount of transaction

6. Bonds received or shipped by the respondent financial institution must include the following information:

a. Name of issuer

b. Bond number

c. Type of bond series

d. Date issued

e. Due date

f. Rate of interest

g. Amount of transaction

h. Name of registered holder

7. Certificates of deposit received or shipped by the respondent financial institution must include the following:

a. Name and address of issuer

b. Date issued

c. Dollar amount

d. Name of registered holder

e. Due date and rate of interest

f. Certificate number

g. Name and address of issuing agent

Scope of Reports

In issuing the regulations, the Secretary must prescribe the following:

1. A reasonable classification of financial institutions subject to or exempt from a reporting requirement

2. A foreign country to which a reporting requirement applies, if the Secretary decides that applying the requirement to all foreign countries is unnecessary or undesirable

3. The magnitude of the transactions subject to a reporting requirement

4. The kind of transaction subject to or exempt from a reporting requirement

Form of Reports

The form of reporting to the Secretary is specifically outlined in the regulation. However, if the financial institution demonstrates that it will be unnecessarily burdened by the required report, then a different form of report will be satisfactory, as long as it contains all of the information that the Secretary deems necessary and the submission of information will not unduly hinder the effective administration of the regulation.

Limitations

In issuing the regulation, the Secretary…

Must consider the need to avoid impeding or controlling the import or export of monetary instruments and the need to avoid unreasonably burdening a person making a transaction with a foreign financial agency.

Must not issue a regulation for the purpose of obtaining individually identifiable account information concerning a customer where that customer is already the subject of an ongoing investigation for possible violation of the Currency and Foreign Transaction Reporting Act or is known by the Secretary to be the subject of a violation of any other federal law.

May issue a regulation requiring a financial institution to report transactions completed prior to the date it received notice of the reporting requirement; however, with respect to completed transactions, a financial institution may be required to provide information from records required to be retained (records maintained in the regular course of business).

Record Retention for Foreign Financial Accounts [31 C.F.R. § 1010.420]

Each person having a financial interest in or signature or any other authority over any foreign financial account that is required to be reported to the Commissioner of Internal Revenue must retain records of these reports for a period of five years. These records must be kept available for inspection by the appropriate agency.

The following information is required to be retained as part of the record:

1. The name in which each account is maintained

2. The number or other designation of such account

3. The name and address of the foreign financial institution or person with whom such an account is maintained

4. The type of such account

5. The maximum value of each account during the reporting period


Section 12: Purchases of Monetary Instruments [31 C.F.R. § 1010.415]

Purchases of Bank Checks and Drafts, Cashier’s Checks, Money Orders, And Traveler’s Checks [31 C.F.R. § 1010.415]

When a financial institution issues or sells a bank check or draft, cashier’s check, money order, or traveler’s check for $3,000 to $10,000, inclusive, in currency, it must maintain records of certain information regarding the sales of these instruments. The following information must be obtained for each issuance or sale of one or more of these instruments to any individual purchaser that involves currency in amounts of $3,000 to $10,000, inclusive.

Deposit Account Holder

If the purchaser has a deposit account with the financial institution, the following information must be collected:

1. The name of the purchaser

2. The date of the purchase

3. The type(s) of instrument(s) purchased

4. The serial number(s) of each of the instruments purchased

5. The dollar amount(s) of each of the instrument(s) purchased

In addition, the financial institution must verify that the individual is a deposit account holder or must verify the individual’s identity. Verification may be done by one of two methods:

1. Through a signature card or other file or record at the financial institution, if the deposit account holder’s name and address were verified at the time the account was opened or at any subsequent time and if that information was recorded on the signature card or other file or record

2. If the deposit account holder’s identity has not been verified previously, or if the financial institution is unable to determine whether the individual’s identification has been verified previously, then the financial institution must verify the deposit account holder’s identity by examination of a document that contains the name and address of the purchaser and is normally acceptable within the banking community as a means of identification when cashing checks for nondepositors, and the financial institution must record the specific identifying information (e.g., state of issuance and number of driver’s license).

Non-Deposit Account Holder

If the purchaser does not have a deposit account with the financial institution, the following information must be collected:

1. The name and address of the purchaser


2. The Social Security number of the purchaser or, if the purchaser is an alien and does not have a Social Security number, then the alien identification number

3. The date of birth of the purchaser

4. The date of the purchase

5. The type(s) of instrument(s) purchased

6. The serial number(s) of each of the instruments purchased

7. The dollar amount(s) of each of the instrument(s) purchased

In addition, the financial institution must verify the purchaser’s name and address by examination of a document that contains the name and address of the purchaser and is normally acceptable within the banking community as a means of identification when cashing checks for nondepositors, and the financial institution must record the specific identifying information (e.g., state of issuance and number of driver’s license).

Same-Day Transactions

Contemporaneous purchases of the same or different types of instruments totaling $3,000 or more must be treated as one purchase. Multiple purchases during one business day totaling $3,000 or more must be treated as one purchase if an individual employee, director, officer, or partner of the financial institution has knowledge that these purchases have occurred.

Record Retention

Records required to be kept must be retained by the financial institution for a period of five years and must be available to the Secretary of the Treasury upon request at any time.

Impact on Other Areas of BSA

Unusual and/or frequent purchases (without a personal/business need) of monetary instruments with currency generally are considered a “red flag.” In essence, such transactions outside of the customer’s normal behavior are usually indicative of suspicious activity. Following are examples of unusual activity that would warrant the BSA officer’s review:

Frequent cash purchases when it is apparent the customer has no legitimate need for monetary instruments.

Multiple same-day purchases below the recordkeeping dollar amount threshold of $3,000, possibly made at multiple branch locations on the same day.

Deposit of sequentially numbered monetary instruments for the same or similar amounts.

Routine purchases of monetary instruments following large cash deposits.

Each of the above is a warning sign that the purchaser may be engaging in illegal activity and attempting to “layer” illicit funds already “placed” into the financial system.


Section 13: Wire Transfer Records [31 C.F.R. § 1020.410]

Funds Transfer Requirements

On January 3, 1995, the Department of the Treasury and the Board of Governors of the Federal Reserve System issued several final rulings relating to funds transfer documentation and record keeping. These amendments became effective April 1, 1996, and require banks to record, retain, and transmit certain information on funds transfers. The type of information necessary to be recorded, retained, and transmitted depends upon a financial institution’s role in a particular funds transfer, the amount of the wire transfer, and the relationship of the parties to the transfer with the financial institution.

Originator’s Bank

For each payment order in an amount of $3,000 or more that it accepts as an originator’s bank, a financial institution must obtain and retain either the original, microfilm, other copy, or an electronic record of the following information relating to the payment order:

1. The name and address of the originator

2. The amount of the funds transfer

3. The execution date of the payment order

4. Any payment instructions received from the originator with the payment order

5. The identity of the beneficiary’s bank

6. As many of the following items as are received with the payment order:

a. The name and address of the beneficiary

b. The account number of the beneficiary

c. Any other specific identifier of the beneficiary

If the originator is not an established customer (one with a loan, deposit, or other asset account or a person from whom the bank has obtained and maintains on file the person’s name, address, and taxpayer identification number or, if none, an alien identification number or passport number and the country of issuance and to whom the bank provides financial services relying on this information), a financial institution must also do the following:

1. Verify the identity of the person placing the payment order if the order is made in person. This verification must take place prior to accepting the payment order. In addition, the following information must be recorded and retained:

a. The name and address of the person placing the payment order

b. The type of identification reviewed

c. The number of the identification document (e.g., driver’s license)


d. The person’s taxpayer identification number or, if none, the person’s alien identification number or passport number and country of issuance, or a notation of the lack of such a number

e. The originator’s (if different from the person placing the order and the bank has knowledge that the person placing the payment order is not the originator) taxpayer identification number or, if none, the person’s alien identification number or passport number and country of issuance, if known by the person placing the order, or a notation of the lack of such a number

2. Record and retain the following information if the payment order is not made in person:

a. The name and address of the person placing the payment order

b. The person’s taxpayer identification number or, if none, the person’s alien identification number or passport number and country of issuance, or a notation of the lack of such a number

c. A copy or record of the method of payment (e.g., check or credit card transaction) for the funds transfer

d. The originator’s (if different from the person placing the order and the bank has knowledge that the person placing the payment order is not the originator) taxpayer identification number or, if none, the person’s alien identification number or passport number and country of issuance, if known by the person placing the order, or a notation of the lack of such a number

Intermediary Banks

An intermediary bank that accepts a payment order in an amount of $3,000 or more must retain either the original or a microfilm of the original, a copy, or an electronic record of the payment order.

Beneficiary’s Bank

For each payment order in an amount of $3,000 or more that it accepts as a beneficiary’s bank, a financial institution must retain either the original or a microfilm of the original, a copy, or an electronic record of the payment order. If the beneficiary is not an established customer, the financial institution must also do the following:

1. Verify the identity of the person receiving the proceeds if they are delivered in person and record and retain the following:

a. The name and address of the person receiving the proceeds

b. The type of identification reviewed

c. The number of the identification document (e.g., driver’s license)

d. The person’s taxpayer identification number or, if none, the person’s alien identification number or passport number and country of issuance, or a notation of the lack of such a number


e. The beneficiary’s (if different from the person receiving the funds and the bank has knowledge that the person receiving payment is not the beneficiary) taxpayer identification number or, if none, the person’s alien identification number or passport number and country of issuance, if known by the person placing the order, or a notation of the lack of such a number

2. Record and retain the following if the proceeds are delivered other than in person:

a. A copy of the check or other instrument used to effect payment, or the information contained in the method of payment

b. The name and address of the person to whom the payment was sent

Identity Verification

Where verification is required, a bank shall verify a person’s identity by examination of a document (other than a bank signature card), preferably one that contains the person’s name, address, and photograph, that is normally acceptable by financial institutions as a means of identification when cashing checks for persons other than established customers. Verification of the identity of an individual who indicates that he or she is an alien or is not a resident of the United States may be made by passport, alien identification card, or other official document evidencing nationality or residence (e.g., a foreign driver’s license with indication of home address).

Retrievability Requirements

The information that an originator’s bank must retain must be retrievable by the originator’s bank by reference to the name of the originator. If the originator is an established customer of the originator’s bank and has an account used for funds transfers, then the information shall also be retrievable by account number.

The information that a beneficiary’s bank must retain must be retrievable by the beneficiary’s bank by reference to the name of the beneficiary. If the beneficiary is an established customer of the beneficiary’s bank and has an account used for funds transfers, then the information also shall be retrievable by account number.

This information need not be retained in any particular manner, as long as the bank is able to retrieve the required information by accessing funds transfer records directly or through reference to some other record maintained by the bank.

Exemptions from the recordkeeping requirements include funds transfers (1) where both the originator and beneficiary are the same person, and the originator’s bank and the beneficiary’s bank are the same domestic bank and (2) where both the originator and beneficiary are any of the following:

A domestic bank

A wholly owned domestic subsidiary of a domestic bank

A domestic broker or dealer in securities


A wholly owned domestic subsidiary of a domestic broker or dealer in securities

The United States

A state or local government

A federal, state, or local government agency or instrumentality

Transmittal Orders

Actual fund transmittal orders must include much of the information that is required to be recorded and retained. In order to accommodate the transmittal requirements, the Fedwire message format is expanded.

Orders to transmit funds in an amount of $3,000 or more must include the following:

1. The name and account number (if the payment is ordered from an account) of the transmitter

2. The address of the transmitter (If sending the transmittal order through the Fedwire system, the address of the transmitter need not be included until a bank converts to the expanded Fedwire message format.)

3. The amount of the funds transfer

4. The execution date of the transmittal order

5. The identity of the recipient’s financial institution

6. As many of the following items as are received with the transmittal order. If sending the transmittal order through the Fedwire system, a bank need only include one of these items, if received from the sender, until the bank converts to the expanded Fedwire message format:

a. The name and address of the recipient

b. The account number of the recipient

c. Any other specific identifier of the recipient

7. Either the name and address or numerical identifier of the transmitter’s financial institution

A receiving financial institution that acts as an intermediary financial institution must include all of the above received information at the time the transmittal order is sent to the next receiving institution.


Incoming Wire Transfers

For All Beneficiaries

Name:________________________________________________________________________

Receipt Date: ________________________ Transfer Amount:_________________________

Payment Method: (circle one; attach copy of check or deposit ticket if applicable)

Check Cash Credit Account No.:____________________________

Additional Information If Beneficiary Is Not an Established Customer and Proceeds Are Delivered in Person

Name of person receiving proceeds: _______________________________________________

Address of person receiving proceeds: ______________ _______________________________

Taxpayer I.D. number of person receiving proceeds: ___________________________________

Method used to verify identity of person receiving proceeds: (circle one and record issuer and document number)

Driver’s License/State I.D. Passport

Alien Registration Other ____________________________

Issued by: _____________________________ Number:___________________________

Beneficiary’s taxpayer I.D. number (if different from person receiving proceeds):____________

Additional Information If Beneficiary Is Not an Established Customer and Proceeds Are Delivered Other than in Person

Name of person to whom payment sent: _________________________________________

Address of person to whom payment sent: _______________________________________

Date of Receipt: _________________________

Received by: ____________________________ Disbursed by:_______________________

OFAC Check Date: _________________________


Outgoing Wire Transfers

Originator Information

For All Originators

Name:________________________________________________________________________

Address:______________________________________________________________________

Execution Date: _________________________ Transfer Amount:_______________________

Payment Method: (circle one and attach copy of check or withdrawal/debit ticket if applicable)

Check Cash/Debit Authorized Account No.: ________________________

Additional Information If Originator Is Not an Established Customer

Name of person placing transfer order:______________________________________________

Address of person placing transfer order: ____________________________________________

Taxpayer I.D. number of person placing transfer order: _________________________________

Method used to verify identity of person placing transfer order: (circle one and record issuer and document number if order is made in person)

Driver’s License/State I.D. Passport

Alien Registration Other: ________________________

Issued by: ________________________ Number: ______________________

Originator’s taxpayer identification number (if different from person placing transfer order):______

Beneficiary Information

For All Beneficiaries

Name: _______________________________________________________________________

Address: _____________________________________________________________________

Bank Name: ___________________________________________________________________

City/State: ________________________________ ABA Number: _______________________

Account Number: ____________________________ Other Identifier: _____________________

Payment Instructions: ___________________________________________________________

_____________________________________________________________________________

OFAC Check Date: _________________________


Originator Authorization

Originator Signature: _________________________________________________________

Phone Request: _____________________________________________________________

(record name of individual placing phone request)

Date of Request: ________________________ Initiated by: _________________________

Approved by: __________________________

Originator’s ABA Number: _________________ W/T Control Number: _________________

Entered by: ______________________________Verified by: _________________________

Transmitted by: _________________________ Fedline:_________________________

Phone: _______________________________


Section 14: Information Sharing With Government [31 C.F.R. § 1010.520]

Introduction

This rule establishes procedures that encourage information sharing between governmental authorities and financial institutions. The rule establishes a mechanism for law enforcement to communicate names of suspected terrorists and money launderers to financial institutions in return for securing the ability to locate promptly accounts and transactions involving those suspects. Financial institutions receiving the names of those suspects must search their account and transaction records for potential matches.

Definitions

The statute does not define “money laundering” or “terrorist activity.” However, Treasury states that each of these terms has well-established definitions. Accordingly, and consistent with the broad intent underlying section 314(b), these terms are being defined by cross references to existing sections of the United States Code (USC).

“Money laundering” means any activity involving proceeds from unlawful activities or to carry on some unlawful activity (18 U.S.C. § 1956 or 1957).

“Terrorist activity” means an act of domestic terrorism or international terrorism – activities that involve illegal violent acts or acts dangerous to human life and appear to be intended to intimidate or coerce a civilian population or government, or to affect the conduct of a government by assassination or kidnapping (18 U.S.C. § 2331).

Sharing Information with the Government

A federal law enforcement agency investigating terrorist activity or money laundering may request that FinCEN solicit, on the investigating agency’s behalf, certain information from a financial institution or a group of financial institutions. When submitting such a request to FinCEN, the federal law enforcement agency must provide FinCEN with a written certification, in such form and manner as FinCEN may prescribe.

At a minimum, such certification must:

state that each individual, entity, or organization about which the federal law enforcement agency is seeking information is engaged in, or is reasonably suspected based on credible evidence of engaging in, terrorist activity or money laundering;

include enough specific identifiers, such as date of birth, address, and social security number, that would permit a financial institution to differentiate between common or similar names; and

identify one person at the agency who can be contacted with any questions relating to its request.


Upon receiving the requisite certification from the requesting federal law enforcement agency, FinCEN may require any financial institution to search its records to determine whether the financial institution maintains or has maintained accounts for, or has engaged in transactions with, any specified individual, entity, or organization.

In March 2005, FinCEN began posting section 314(a) subject lists through the 314(a) Secure Information Sharing System. The financial institution’s designated point(s) of contact will receive notification from FinCEN that there are new postings to FinCEN’s secure web site. The point of contact will be able to access the current section 314(a) subject list (and one prior) and download the files in various formats for searching. Financial institutions should report all positive matches via the Secure Information Sharing System. Those financial institutions choosing to receive the section 314(a) subject lists by facsimile will continue to receive the lists in that manner. For those financial institutions, positive matches should be indicated on the respective subject information form and faxed to FinCEN.

The obligations of a financial institution receiving an information request are:

Record search: Upon receiving an information request from FinCEN under this section, a financial institution must expeditiously search its records to determine whether it maintains or has maintained any account for, or has engaged in any transaction with, each individual, entity, or organization named in FinCEN’s request. A financial institution may contact the federal law enforcement agency named in the information request provided to the institution by FinCEN with any questions relating to the scope or terms of the request. Except as otherwise provided in the information request, a financial institution will only be required to search its records for the following:

o Any current account maintained for a named suspect

o Any account maintained for a named suspect during the preceding 12 months

o Any transaction conducted by or on behalf of a named suspect, or any transmittal of funds conducted in which a named suspect was either the transmitter or the recipient, during the preceding six months that is required under law or regulation to be recorded by the financial institution or is recorded and maintained electronically by the institution

Report to FinCEN. If a financial institution identifies any account or transaction, it must report to FinCEN that it has a match.

o No details should be provided to FinCEN other than the fact that the financial institution has a match.

o A negative response is not required.

o A financial institution may provide the subject lists to a third-party service provider or vendor to perform or facilitate record searches as long as the institution takes the necessary steps, through the use of an agreement or procedures, to ensure that the third party safeguards and maintains the confidentiality of the information.


Designation of Contact Person

Upon receiving an information request under this section, a financial institution shall designate one or more persons to be the point of contact at the institution regarding the request and to receive similar requests for information from FinCEN in the future. When requested by FinCEN, a financial institution shall provide FinCEN with the name, title, mailing address, e-mail address, telephone number, and facsimile number of such person.

A financial institution that has provided FinCEN with contact information must promptly notify FinCEN of any changes to such information. This is generally accomplished through the financial institution’s primary regulator.

Use and Security of Information Request

The regulation states that a financial institution shall not use information provided by FinCEN for any purpose other than:

Reporting to FinCEN as provided in this section;

Determining whether to establish or maintain an account, or to engage in a transaction; or

Assisting the financial institution in complying with any requirement of this part.

Therefore, a financial institution shall not disclose to any person, other than FinCEN, the institution’s primary banking regulator, or the federal law enforcement agency on whose behalf FinCEN is requesting information, the fact that FinCEN has requested or has obtained information under the information sharing rules, except to the extent necessary to comply with such an information request.

However, a financial institution authorized to share information under the sharing of information among financial institutions (see section 19) may share information, following the financial institution sharing rules, concerning an individual, entity, or organization named in a request from FinCEN. However, such sharing shall not disclose the fact that FinCEN has requested information concerning such individual, entity, or organization.

Each financial institution shall maintain adequate procedures to protect the security and confidentiality of requests from FinCEN for information under this section. This requirement shall be deemed adequate provided that a financial institution applies to such information procedures that the institution has established to satisfy the requirements of section 501 of the Gramm-Leach-Bliley Act with regard to the protection of its customers' nonpublic personal information.

No Other Action Required

The regulation does not require a financial institution to:

take any action, or to decline to take any action, with respect to an account established for, or a transaction engaged in with, an individual, entity, or organization named in a request from FinCEN; or


to decline to establish an account for, or to engage in a transaction with, any such individual, entity, or organization.

Except as otherwise provided in an information request from FinCEN, such a request shall not require a financial institution to report on future account opening activity or transactions or to treat a suspect list received under this section as a government list for purposes of section 326 of the USA PATRIOT Act (Customer Identification Program).

FinCEN advises that inclusion on a section 314(a) list should not be the sole factor used to determine whether to file a Suspicious Activity Report (SAR). Consequently, actions taken due to information provided in a request from FinCEN do not affect a financial institution’s obligations to comply with all of the rules and regulations of OFAC nor do they affect a financial institution’s obligations to respond to any legal process. Additionally, actions taken in response to a request do not relieve a financial institution of its obligation to file an SAR and immediately notify law enforcement, if necessary, in accordance with applicable laws and regulations.

The information that a financial institution is required to report is information required to be reported in accordance with a Federal statute or rule; therefore, it is not a violation of the Right to Financial Privacy Act or the privacy sections of the Gramm-Leach-Bliley Act.

Nothing in this portion of the regulation affects the authority of a Federal agency or officer to obtain information directly from a financial institution through normal channels and under applicable law.


Section 15: Information Sharing With Other Financial Institutions [31 C.F.R. § 1010.540]

Introduction

Financial institutions are encouraged to share information among themselves for the purpose of identifying and reporting suspected terrorism and money laundering once the financial institutions have notified FinCEN. The notice will inform FinCEN that they intend to share such information, and assure the agency that they will take adequate steps to maintain confidentiality.

The intent of this rule, and the statute behind it, is to facilitate financial institutions’ ability to identify and report to the federal government instances of money laundering or terrorism.

Definitions

The statute does not define “money laundering” or “terrorist activity.” However, Treasury states that each of these terms has a well-established definition. Accordingly, and consistent with the broad intent underlying section 314(b), these terms are being defined by cross references to existing sections of the United States Code (USC).

“Money laundering” means any activity involving proceeds from unlawful activities, or to carry on some unlawful activity (18 U.S.C. § 1956 or 1957).

“Terrorist activity” means an act of domestic terrorism or international terrorism – activities that involve illegal violent acts or acts dangerous to human life and appear to be intended to intimidate or coerce a civilian population or government, or to affect the conduct of a government by assassination or kidnapping (18 U.S.C. § 2331).

Sharing of Information

Upon appropriate filing of the prescribed notice, a financial institution may, under the protection of the safe harbor from liability, transmit, receive, or otherwise share information with any other financial institution regarding individuals, entities, organizations, and countries for purposes of identifying and, where appropriate, reporting activities that the financial institution suspects may involve possible terrorist activity or money laundering.

Notice Requirement

A financial institution that intends to share information as permitted by this section of the regulation must submit to FinCEN a notice. Each notice shall be effective for the one-year period beginning on the date of the notice. In order to continue to engage in the sharing of information after the end of the one-year period, a financial institution or association of financial institutions must submit a new notice.

Completed notices may be submitted to FinCEN by accessing FinCEN’s Internet Web site, http://www.treas.gov/fincen, and entering the appropriate information as directed, or, if a financial institution does not have Internet access, by mail to: FinCEN, P.O. Box 39, Vienna, VA 22183.

A copy of the notice appears at the end of this section.

Verification Requirement

Prior to sharing information, a financial institution must take reasonable steps to verify that the other financial institution with which it intends to share information has submitted a notice to FinCEN as well.

A financial institution or an association of financial institutions may satisfy this paragraph by confirming that the other financial institution appears on a list that FinCEN will periodically make available to financial institutions that have filed a notice with it, or by confirming directly with the other financial institution that they have filed the required notice.

Use and Security of Information

Information received by a financial institution using this section shall not be used for any purpose other than:

Identifying and, where appropriate, reporting on money laundering or terrorist activities;

Determining whether to establish or maintain an account, or to engage in a transaction; or

Assisting the financial institution in complying with any requirement of the regulation.

Each financial institution or association of financial institutions that uses these information-sharing rules must maintain adequate procedures to protect the security and confidentiality of such information.

The requirements of this section are satisfied to the extent that a financial institution applies to such information procedures that the institution has established to satisfy the requirements of section 501 of the Gramm-Leach-Bliley Act with regard to the protection of its customers’ nonpublic personal information.

Safe Harbor from Certain Liability

A financial institution that shares information under this section of the regulation shall be protected from liability for such sharing, or for any failure to provide notice of such sharing, to an individual, entity, or organization that is identified in such sharing, to the full extent provided in subsection 314(b) of the USA PATRIOT Act.

This safe harbor does not apply if the financial institution does not comply with all of the requirements of this section of the regulation.

Information Sharing with the Federal Government

If, as a result of information shared under these rules, a financial institution knows, suspects, or has reason to suspect that an individual, entity, or organization is involved in, or may be involved in terrorist activity or money laundering, and the financial institution is subject to a suspicious activity reporting requirement under this part or other applicable regulations, the institution shall file a Suspicious Activity Report in accordance with those regulations.

In situations involving violations requiring immediate attention, such as when a reportable violation involves terrorist activity or is ongoing, the financial institution shall immediately notify, by telephone, an appropriate law enforcement authority and financial institution supervisory authorities in addition to filing, in a timely manner, a Suspicious Activity Report.

No Effect on Financial Institution Reporting Obligations

Nothing in this section of the regulation affects the obligation of a financial institution to file a Suspicious Activity Report pursuant to any other applicable regulation, or to otherwise contact directly a Federal agency concerning individuals or entities suspected of engaging in terrorist activity or money laundering.

Section 16: Correspondent Accounts [31 C.F.R. § 1010.605, 1010.630]

Definitions

A correspondent account is an account established by a covered financial institution for a foreign bank to receive deposits from, to make payments or other disbursements on behalf of, or to handle other financial transactions related to the foreign bank.

The term account means any formal banking or business relationship established to provide regular services, dealings, and other financial transactions; and includes a demand deposit, savings deposit, or other transaction or asset account and a credit account or other extension of credit.

Covered financial institution means:

An insured bank;

A commercial bank or trust company;

A private banker;

An agency or branch of a foreign bank in the United States;

A credit union; or

A thrift institution.

Foreign shell bank means a foreign bank without a physical presence in any country.

The term owner means any person who, directly or indirectly:

Owns, controls, or has power to vote 25 percent or more of any class of voting securities or other voting interests of a foreign bank; or

Controls in any manner the election of a majority of the directors (or individuals exercising similar functions) of a foreign bank.

For purposes of this definition, members of the same family shall be considered to be one person. This includes parents, spouses, children, siblings, uncles, aunts, grandparents, grandchildren, first cousins, stepchildren, stepsiblings, and parents-in-law, and spouses of any of the foregoing.

Each member of the same family who has an ownership interest in a foreign bank must be identified if the family is an owner because of aggregating the ownership interests of the members of the family. In determining the ownership interests of the same family, any voting interest of any family member shall be taken into account.

Physical presence means a place of business that:

1. Is maintained by a foreign bank;

2. Is located at a fixed address (other than solely an electronic address or a post-office box) in a country in which the foreign bank is authorized to conduct banking activities, at which location the foreign bank:

a. Employs one or more individuals on a full-time basis; and

b. Maintains operating records related to its banking activities; and

3. Is subject to inspection by the banking authority that licensed the foreign bank to conduct banking activities.

The term regulated affiliate means a foreign shell bank that:

1. Is an affiliate of a depository institution, credit union, or foreign bank that maintains a physical presence in the United States or a foreign country, as applicable; and

2. Is subject to supervision by a banking authority in the country regulating such affiliated depository institution, credit union, or foreign bank.

For purposes of this definition, affiliate means a foreign bank that is controlled by, or is under common control with, a depository institution, credit union, or foreign bank.

Control means:

A. Ownership, control, or power to vote 50 percent or more of any class of voting securities or other voting interests of another company; or

B. Control in any manner the election of a majority of the directors (or individuals exercising similar functions) of another company.

Prohibition on correspondent accounts for foreign shell banks

A covered financial institution shall not establish, maintain, administer, or manage a correspondent account in the United States for, or on behalf of, a foreign shell bank.

A covered financial institution shall take reasonable steps to ensure that any correspondent account established, maintained, administered, or managed by that covered financial institution in the United States for a foreign bank is not being used by that foreign bank to indirectly provide banking services to a foreign shell bank.

Nothing in this section prohibits a covered financial institution from providing a correspondent account or banking services to a regulated affiliate.

Records of owners and agents

A covered financial institution that maintains a correspondent account in the United States for a foreign bank shall maintain records in the United States identifying the owners of each such foreign bank whose shares are not publicly traded and the name and street address of a person who resides in the United States and is authorized, and has agreed, to be an agent to accept service of legal process for records regarding each such account.

A covered financial institution need not maintain records of the owners of any foreign bank that is required to have on file with the Federal Reserve Board a Form FR Y-7 that identifies the current owners of the foreign bank as required by such form.

A covered financial institution will be deemed to be in compliance with the requirements of this section with respect to a foreign bank if the covered financial institution obtains, at least once every three years, a certification or recertification from the foreign bank. However, if at any time a covered financial institution knows, suspects, or has reason to suspect, that any information contained in a certification or recertification provided by a foreign bank, or otherwise relied upon by the covered financial institution is no longer correct, the covered financial institution shall request that the foreign bank verify or correct such information, or shall take other appropriate measures to ascertain the accuracy of the information or to obtain correct information, as appropriate.

In the case of any correspondent account in existence on October 28, 2002, if the covered financial institution:

Has not obtained a certification (or recertification) from the foreign bank, or

Has not otherwise obtained documentation of the information required by such certification (or recertification), on or before March 31, 2003, and at least once every three years thereafter,

Then the covered financial institution:

Shall close all correspondent accounts with such foreign bank within a commercially reasonable time, and

Shall not permit the foreign bank to establish any new positions or execute any transaction through any such account, other than transactions necessary to close the account.

In the case of any correspondent account established after October 28, 2002, if the covered financial institution:

Has not obtained a certification (or recertification), or has not otherwise obtained documentation of the information required by such certification (or recertification) within 30 calendar days after the date the account is established, and at least once every three years thereafter,

Then the covered financial institution:

Shall close all correspondent accounts with such foreign bank within a commercially reasonable time, and

Shall not permit the foreign bank to establish any new positions or execute any transaction through any such account, other than transactions necessary to close the account.

If the bank wishes to verify information from a foreign bank, and the covered financial institution:

Has not obtained, from the foreign bank or otherwise, verification of the information or corrected information within 90 calendar days after the date of undertaking the verification,

Then the covered financial institution:

Shall close all correspondent accounts with such foreign bank within a commercially reasonable time, and

Shall not permit the foreign bank to establish any new positions or execute any transaction through any such account, other than transactions necessary to close the account.

A covered financial institution may not reestablish any account closed due to a verification issue, and may not establish any other correspondent account with the concerned foreign bank, until it obtains from the foreign bank the certification or the recertification, as appropriate.

A covered financial institution shall not be liable to any person in any court or arbitration proceeding for terminating a correspondent account in accordance with the rules stated above.

A covered financial institution shall retain the original of any document provided by a foreign bank, and the original or a copy of any document otherwise relied upon by the covered financial institution, for purposes of this section, for at least five years after the date that the covered financial institution no longer maintains any correspondent account for such foreign bank. A covered financial institution may have to retain the records for a longer period, if directed to do so by the Department of the Treasury.

Law Enforcement Access to Foreign Bank Records

The Secretary of the Treasury or the Attorney General may issue a summons or subpoena to any foreign bank that maintains a correspondent account in the United States, and may request records related to such correspondent account, including records maintained outside of the United States relating to the deposit of funds into the foreign bank. The summons or subpoena may be served on the foreign bank in the United States if the foreign bank has a representative in the United States, or in a foreign country pursuant to any mutual legal assistance treaty, multilateral agreement, or other request for international law enforcement assistance.

Upon receipt of a written request from a Federal law enforcement officer for information required to be maintained by a covered financial institution under the rules stated above, the covered financial institution shall provide the information to the requesting officer not later than seven days after receipt of the request.

A covered financial institution shall terminate any correspondent relationship with a foreign bank not later than 10 business days after receipt of written notice from the Secretary or the Attorney General (in each case, after consultation with the other) that the foreign bank has failed:

1. To comply with a summons or subpoena issued under this section; or

2. To initiate proceedings in a United States court contesting such summons or subpoena.

A covered financial institution shall not be liable to any person in any court or arbitration proceeding for terminating a correspondent relationship in accordance with these rules. Failure to terminate a correspondent relationship in accordance with this section shall render the covered financial institution liable for a civil penalty of up to $10,000 per day until the correspondent relationship is terminated.

Section 17: Additional Records Requirements [31 C.F.R. § 1010.410, 1010.430, 1010.440 & 1020.410]

Records to Be Retained By Financial Institutions [31 C.F.R. § 1010.410]

Financial institutions must retain either the original or a microfilm of the original, a copy, or another form of reproduction of the following records:

1. A record of each extension of credit in excess of $10,000, except an extension of credit secured by an interest in real property. The record must contain the person’s name and address, the amount of the extension of credit, the purpose of the credit, and the date of the extension of credit.

2. A record of any advice, request or instruction received or given regarding any transaction resulting in the transfer of currency, funds, checks, investment securities, or credit of more than $10,000 to or from any person, account or place outside the United States

3. A record of any advice, request or instruction given to another financial institution or other person located within or outside of the United States regarding a transaction intended to result in the transfer of funds, currency, checks, investment securities, or credit of more than $10,000 to a person, account or place outside of the United States

Additional Records to Be Retained By Financial Institutions [31 C.F.R. § 1020.410(c)]

Each financial institution must retain either the original or a microfilm of the original, a copy, or another form of reproduction of each of the following:

1. Each document granting signature authority over each deposit or share account, including any notations of specific identifying information verifying the identity of the signer, such as a driver’s license, credit card, etc.

2. Each statement, ledger card, or other record on each deposit or share account showing each transaction in or with respect to that account, such as a monthly statement

3. Each check, draft, or money order drawn or issued on the financial institution and payable by it, except for those (a) drawn for $100 or less; (b) drawn on accounts which can be expected to have drawn on them an average of 100 checks per month over the calendar year, such as high-volume business accounts; or (c) special purpose checks which are issued under the normal course of business, such as dividend checks, payroll checks, employee benefit checks, insurance claim checks, medical benefit checks, checks drawn on government agency accounts, checks drawn by brokers or dealers in securities, checks drawn on other financial institutions, or pension or annuity checks

4. Each item in excess of $100, other than financial institution charges or periodic charges made pursuant to an agreement with the customer, comprising a debit to a customer’s deposit or share account, not required to be kept, and not specifically exempted

5. Each item, including checks, drafts, or transfers of credit of more than $10,000 remitted or transferred to a person, account, or place outside the United States

6. A record of each remittance or transfer of funds (currency, monetary instruments, checks, investment securities, or credit) of more than $10,000 to a person, account, or place outside the United States

7. Each check or draft in excess of $10,000 drawn or issued by a foreign financial institution for which the domestic financial institution has paid or presented to a nonbank drawee for payment

8. Each item, including checks, drafts, or transfers of credit of more than $10,000 received directly from (not through) a domestic financial institution by letter, cable, or any other means from a bank, broker, or dealer in foreign exchange outside the United States

9. A record of each receipt of currency, monetary instruments, investment securities, checks, or other transfers of funds or credit of more than $10,000 received on any one occasion directly from a bank, broker, or dealer in foreign exchange outside the United States

10. Records prepared or received in the ordinary course of business which would be needed to reconstruct a transaction and trace a check in excess of $100 deposited into such an account through its domestic processing system or to supply a description of that deposited check (applicable to demand deposit accounts only)

11. A record containing the name, address, and TIN of the purchaser of each certificate of deposit, a description of the instrument, a notation of the method of payment, and the date of the transaction

12. A record containing the name, address, and TIN of the person presenting a certificate of deposit for payment, the description of the instrument, and the date of the transaction

13. Each deposit slip or credit ticket reflecting a transaction in excess of $100 or an equivalent record for direct deposit or wire transfer

Nature of Records and Retention Period [31 C.F.R. § 1010.430]

Wherever it is required to retain the original or a microfilm of the original, a copy, or another form of reproduction of a monetary instrument or document, a copy of both front and back of each instrument or document must be retained, unless the side to be copied is blank or contains only standardized printed information.

Record Creation

The records required by this regulation may be made in the ordinary course of business, unless no record is made during the ordinary course of business, in which case a record must be prepared in writing by the financial institution.

Retention Period

All records must be retained for a period of five years and will be stored in such a way as to be accessible within a reasonable amount of time, taking into account the nature of the record and the amount of time expired since the record was made.

Person Outside the United States [31 C.F.R. § 1010.440]

A remittance, transfer of funds, or other monetary instruments or credit to the domestic account of a person whose address is known by the person making the transfer to be outside the United States must be deemed a transfer outside the United States, unless otherwise directed by the Secretary. This section does not apply to a transaction on the books of a domestic financial institution if the address of a customer of such financial institution is within 50 miles of the location of the financial institution or the customer is known to be out of the United States temporarily.

Section 18: Anti-Money Laundering [12 C.F.R. § 1020.210]

Background

Following the enactment of the USA PATRIOT Act, Treasury established a working group that includes representatives of the federal functional regulators and the Department of Justice to assist in implementing section 352 of the act (requiring anti-money laundering programs) and in determining the appropriate minimum standards for anti-money laundering programs for financial institutions regulated by a federal functional regulator.

Regulation

FinCEN issued a regulation to provide guidance to financial institutions concerning new statutory mandates that financial institutions establish anti-money laundering programs. This provision was added to the Bank Secrecy Act (BSA) by Section 352 of the Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism (USA PATRIOT) Act of 2001.

31 C.F.R. § 1020.210 states that a financial institution will be deemed to be in compliance with the new mandate if it establishes and maintains an anti-money laundering program as required by existing FinCEN regulations (sections 1010.610 and 1010.620), or by its federal regulator.

Certain financial institutions are already required to have anti-money laundering programs. Since 1987, all federally insured depository institutions and credit unions have been required by their federal regulators to have anti-money laundering programs. These programs contain the same elements that are required by the amended BSA. Those elements include:

1. The appointment of a Money Laundering Officer

2. Written policies and procedures

3. Regular training of staff

4. Independent testing

FinCEN expects that examination of banks, savings associations, and credit unions by their federal functional regulators will continue to assure compliance with those regulations.

Money laundering is addressed in the initial portion of the Exam Manual as follows:

Money Laundering

“Money laundering is the criminal practice of processing ill-gotten gains, or “dirty” money, through a series of transactions; in this way the funds are “cleaned” so that they appear to be proceeds from legal activities. Money laundering generally does not involve currency at every stage of the laundering process. Although money laundering is a diverse and often complex process, it basically involves three independent steps that can occur simultaneously:

Placement: The first and most vulnerable stage of laundering money is placement. The goal is to introduce the unlawful proceeds into the financial system without attracting the attention of financial institutions or law enforcement. Placement techniques include structuring currency deposits in amounts to evade reporting requirements or commingling currency deposits of legal and illegal enterprises. An example may include: dividing large amounts of currency into less-conspicuous smaller sums that are deposited directly into a bank account, depositing a refund check from a canceled vacation package or insurance policy, or purchasing a series of monetary instruments (e.g., cashier’s checks or money orders) that are then collected and deposited into accounts at another location or financial institution. (Refer to Appendix G “Structuring” for additional guidance.)

Layering: The second stage of the money laundering process is layering, which involves moving funds around the financial system, often in a complex series of transactions to create confusion and complicate the paper trail. Examples of layering include exchanging monetary instruments for larger or smaller amounts, or wiring or transferring funds to and through numerous accounts in one or more financial institutions.

Integration: The ultimate goal of the money laundering process is integration. Once the funds are in the financial system and insulated through the layering stage, the integration stage is used to create the appearance of legality through additional transactions. These transactions further shield the criminal from a recorded connection to the funds by providing a plausible explanation for the source of the funds. Examples include the purchase and resale of real estate, investment securities, foreign trusts, or other assets.

Terrorist Financing

The motivation behind terrorist financing is ideological as opposed to profit-seeking, which is generally the motivation for most crimes associated with money laundering. Terrorism is intended to intimidate a population or to compel a government or an international organization to do or abstain from doing any specific act through the threat of violence. An effective financial infrastructure is critical to terrorist operations.

Terrorist groups develop sources of funding that are relatively mobile to ensure that funds can be used to obtain material and other logistical items needed to commit terrorist acts. Thus, money laundering is often a vital component of terrorist financing.

Terrorists generally finance their activities through both unlawful and legitimate sources. Unlawful activities, such as extortion, kidnapping, and narcotics trafficking, have been found to be a major source of funding. Other observed activities include smuggling, fraud, theft, robbery, identity theft, use of conflict diamonds, and improper use of charitable or relief funds. In the last case, donors may have no knowledge that their donations have been diverted to support terrorist causes.

Other legitimate sources have also been found to provide terrorist organizations with funding; these legitimate funding sources are a key difference between terrorist financiers and traditional criminal organizations. In addition to charitable donations, legitimate sources include foreign government sponsors, business ownership, and personal employment.

Although the motivation differs between traditional money launderers and terrorist financiers, the actual methods used to fund terrorist operations can be the same as or similar to those methods used by other criminals that launder funds. For example, terrorist financiers use currency smuggling, structured deposits or withdrawals from bank accounts, purchases of various types of monetary instruments, credit/debit or stored value cards, and funds transfers. There is also evidence that some forms of informal banking (e.g., “hawala”) have played a role in moving terrorist funds. Transactions through hawalas are difficult to detect given the lack of documentation, their size, and the nature of the transactions involved. Funding for terrorist attacks does not always require large sums of money, and the associated transactions may not be complex.”

Enforcement Guidance

A joint statement was issued by the Board of Governors of the Federal Reserve System, the FDIC, OCC, the OTS and NCUA to clarify the circumstances in which an agency may issue a cease and desist order for noncompliance with certain requirements of BSA/AML in light of provisions in Section 8(s) of the Federal Deposit Insurance Act (FDIA) and section 206(q) of the Federal Credit Union Act (FCUA).

When the following circumstances and facts exist, an agency may issue a cease and desist order:

Failure to establish and maintain a reasonably designed BSA Compliance Program.

The Agency will issue a cease and desist (C & D) order to an institution that fails to establish and maintain a program that:

Fails to have a written BSA compliance program, including a customer identification program, adequately covering required program elements (i.e., internal controls, independent testing, designating compliance personnel and training); or

Fails to implement a BSA compliance program that adequately covers the required program elements, noting that policy statements alone are not sufficient. The program must be consistent with the institution’s written policies, procedures and processes; or

One or more BSA Compliance Program elements have defects, either in the written Compliance Program or because its implementation is not effective, such as

o Highly suspicious activity that creates a significant potential for unreported money laundering or terrorist financing:

Patterns of structuring to evade reporting requirements,

Significant insider complicity, or

System failure to file Currency Transaction Reports, Suspicious Activity Reports or other required BSA reports.

An institution may have some adequate components in its BSA Compliance Program and still be issued a cease and desist order if other required elements are found deficient. For example, effective training may be provided to appropriate personnel while ineffective CDD internal controls coupled with suspicious activity create the potential for unreported money laundering or terrorist financing.

Failure to Correct Previously Reported BSA Compliance Program Problem.

A history of deficiencies in a BSA compliance program in various areas or in the same general area may result in a cease and desist order. After a careful review of relevant facts, an Agency may issue a C & D for failure to correct previously reported problems. If a serious criticism had been provided to directors or senior management through a written report of examination or other written supervisory communication and no action was taken to remedy the issue, this could be viewed as an uncorrected problem.

An Agency will generally not issue a C & D if cited deficiencies are corrected but a new examination identifies new problems in a different area than was previously noted.

Other Enforcement Actions for BSA Compliance Program Deficiencies. In addition to the situations described in the previous paragraphs, an Agency may issue a cease and desist order or enter into a written formal agreement, or take informal enforcement action for other BSA/AML program concerns. An Agency may pursue enforcement action if an institution is engaged in unsafe or unsound practices or violations of the law, including BSA. This type of action will depend on the severity of the noncompliance, weakness, or deficiency, as well as the capability and willingness of the financial institution to correct the problem(s).

Enforcement Actions for BSA Reporting and Recordkeeping Requirements

Financial institutions and credit unions are subject to reporting and recordkeeping requirements set forth by the Treasury Department. Among other things, this includes requirements applicable to monetary instrument transactions, CTR filing and exemption rules, due diligence, and Suspicious Activity Reports (SAR). Failure to comply with these reporting and recordkeeping requirements could result in enforcement action by an Agency.

Communicating Supervisory Concerns

When an Agency identifies problems within a financial institution or credit union’s BSA Compliance Program during the course of an examination, various means may be used to convey those concerns. These means may include:

Informal discussions by examiners with an institution’s management during the examination process;

Formal discussions by examiners with the board of directors as part of the process;

Supervisory letters and other written communications from examiners or the agency to an institution’s management;

A finding contained in the report of examination or in other formal communications from an Agency to an institution’s board of directors indicating deficiencies or weakness in the BSA Compliance Program; or

A finding contained in the report of examination or other formal communication from the Agency to the directors of a violation of the regulatory requirement to implement and maintain a reasonably designed BSA Compliance Program.

Section 19: USA PATRIOT Act

Other Requirements of the USA PATRIOT Act

Availability of Bank Records (Effective: December 25, 2001)

The Act contains provisions to assist bank regulators and law enforcement authorities in obtaining certain records from covered financial institutions. Generally, requested records must be provided within 120 hours of the request.

Due Diligence for Private Banking and Correspondent Accounts

The Act requires due diligence by all financial institutions that maintain, administer, or manage private banking accounts or correspondent accounts in the United States for non-United States persons.

Private Banking Account Defined

A private banking account is an account (or any combination of accounts) maintained at a bank that satisfies all three of the following criteria:

Requires a minimum aggregate deposit of funds or other assets of not less than $1,000,000.

Is established on behalf of or for the benefit of one or more non-U.S. persons who are direct or beneficial owners of the account.

Is assigned to, or is administered by, in whole or in part, an officer, employee, or agent of a bank acting as a liaison between a financial institution covered by the regulation and the direct or beneficial owner of the account.

With regard to the minimum deposit requirement, a “private banking account” is an account (or combination of accounts) that requires a minimum deposit of not less than $1,000,000. A bank may offer a wide range of services that are generically termed private banking, and even if certain (or any combination, or all) of the bank’s private banking services do not require a minimum deposit of not less than $1,000,000, these relationships should be subject to a greater level of due diligence under the bank’s risk-based BSA/AML compliance program but are not subject to 31 C.F.R. § 1010.620. Refer to the expanded overview section, “Private Banking,” on page 280 of the Exam Manual, for further guidance.

Private Banking Due Diligence

A bank must establish and maintain a due diligence program that includes policies, procedures, and controls that are reasonably designed to detect and report any known or suspected money laundering or suspicious activity conducted through or involving any private banking account for a non-U.S. person that is established, maintained, administered, or managed in the United States by the bank. The due diligence program must ensure that, at a minimum, the bank takes reasonable steps to do each of the following:

Ascertain the identity of all nominal and beneficial owners of a private banking account.

Ascertain whether the nominal or beneficial owner of any private banking account is a senior foreign political figure.

Ascertain the source(s) of funds deposited into a private banking account and the purpose and expected use of the account.

Review the activity of the account to ensure that it is consistent with the information obtained about the client’s source of funds, and with the stated purpose and expected use of the account, and to file a Suspicious Activity Report (SAR), as appropriate, to report any known or suspected money laundering or suspicious activity conducted to, from, or through a private banking account.

Risk Assessment of Private Banking Accounts for Non-U.S. Persons

The nature and extent of due diligence conducted on private banking accounts for non-U.S. persons will likely vary for each client depending on the presence of potential risk. More extensive due diligence, for example, may be appropriate for new clients; clients who operate in, or whose funds are transmitted from or through, jurisdictions with weak AML controls; and clients whose lines of business are primarily currency-based (e.g., casinos or currency exchangers). Due diligence should also be commensurate with the size of the account. Accounts with relatively more deposits and assets should be subject to greater due diligence. In addition, if the bank at any time learns of information that casts doubt on previous information, further due diligence would be appropriate.

Background

The USA PATRIOT Act, in particular Title III of the Act, authorized what Treasury characterizes as bold, new measures to protect our financial system from money laundering and terrorism by taking the following three steps:

Reducing the barriers to the sharing of financial information among governmental entities as well as financial institutions

Systematically targeting known risks to the financial system

Providing Treasury with the ability to identify new risks as they develop and take appropriate action to counter them

Section 314 of the Act bolsters the information exchange regime by enhancing two key channels for sharing information – information exchange between the government and financial institutions, as well as among financial institutions. Section 312 requires certain U.S. financial institutions to take prescribed anti-money laundering measures with respect to correspondent and private banking accounts that they establish or maintain for non-U.S. persons.

Interim Final Rule

The regulation, which was developed by Treasury in consultation with the staffs of the Federal functional regulators, requires covered financial institutions (which for purposes of this provision includes all U.S. financial institutions required under Treasury regulations to establish an anti-money laundering program) to implement programs to ensure that the due diligence requirements of the Act are met.

The regulation sets forth certain minimum requirements and otherwise adopts a risk-based approach, permitting covered financial institutions to tailor their programs to their own lines of business, financial products and services offered, size, customer base, and location. The interim final rule contemplates that covered financial institutions will pay close attention to the risks presented by different foreign financial institution and private banking customers, the jurisdictions in which they operate, and the types of transactions for which the accounts are used.

FinCEN states that a covered financial institution’s program under the proposed rule should include evaluation and consideration of any risks associated with these and other relevant factors. Covered financial institutions are expected to exercise sound business judgment in complying with the interim final rule and in addressing risks presented by foreign financial institution and private banking customers.

Certain U.S. financial institutions are required to establish a due diligence program for correspondent accounts they maintain for certain foreign financial institutions designed to detect and report money laundering, and to conduct enhanced due diligence for accounts maintained for foreign banks from certain jurisdictions considered of higher risk for money laundering.

In addition, these U.S. financial institutions must take reasonable steps to determine the owners of, and source of funds deposited into, private banking accounts they maintain for non-U.S. persons, and conduct enhanced scrutiny of such accounts maintained for senior foreign political figures in order to detect and report transactions involving the proceeds of foreign corruption. Enhanced scrutiny must be reasonably designed to detect and report transactions that may involve the proceeds of foreign corruption.

The rule requires each financial institution or association of financial institutions that engages in the sharing of information to maintain adequate procedures to protect the security and confidentiality of such information.

There is a limited “safe harbor” in the new rule. A financial institution or association of financial institutions that engages in the sharing of information and that complies with the new rule shall not be liable to any person under any federal, state, or local law or regulation of the United States, or under any contract or other legally enforceable agreement (including any arbitration agreement), for such sharing or for any failure to provide notice of such sharing to an individual, entity, or organization that is the subject of such sharing.

The right to share information will be effective for the one-year period beginning on the date of the notice, which is the execution date appearing on the notice form. To continue the sharing of information after the end of the one-year period, a financial institution or association of financial institutions must submit a new notice form.

Other Areas Covered By the Act

Forfeiture of Funds in U.S. Interbank Accounts. The Act expands the circumstances under which funds in a U.S. interbank account may be subject to forfeiture.

Penalties. (Effective for future violations.) The Act amends the Bank Secrecy Act to authorize Treasury to impose penalties of up to $1 million for violations of the new due diligence requirements for private banking and correspondent accounts and for accounts with shell banks. The Act also provides for civil and criminal penalties for violations of geographic targeting orders issued by Treasury.

Anti-Money Laundering Record Considered in Applications. (Effective for applications submitted after December 31, 2001.) The Act requires that, with respect to any application submitted under the Bank Holding Company Act or Federal Deposit Insurance Act, the federal banking regulators must take into consideration the effectiveness of the applicants’ anti-money laundering activities, including in overseas branches.

Section 20: Appendix

Customer Due Diligence Requirements for Financial Institutions (Proposal)

The Financial Crimes Enforcement Network (FinCEN) has proposed rules under the Bank Secrecy Act to clarify and strengthen customer due diligence requirements for banks.

The proposed rules contain explicit customer due diligence requirements and include a new regulatory requirement to identify beneficial owners of legal entity customers, subject to certain exemptions.

Background

FinCEN, in consultation with the staffs of the federal functional regulators and the Department of Justice, has determined that more explicit rules for covered financial institutions with respect to customer due diligence (CDD) are necessary to clarify and strengthen CDD. They believe that these changes will enhance financial transparency and safeguard the financial system against illicit use.

Requiring financial institutions to perform effective CDD so that they know their customers – both who they are and what transactions they conduct – is a critical aspect of combating all forms of illicit financial activity, from terrorist financing and sanctions evasion to more traditional financial crimes, including money laundering, fraud, and tax evasion.

For FinCEN, the key elements of CDD include:

identifying and verifying the identity of customers;

identifying and verifying the identity of beneficial owners of legal entity customers (i.e., the natural persons who own or control legal entities);

understanding the nature and purpose of customer relationships; and

conducting ongoing monitoring to maintain and update customer information and to identify and report suspicious transactions.

Collectively, these elements will comprise the minimum standard of CDD, which FinCEN believes is fundamental to an effective AML program. The Notice of Proposed Rulemaking (NPRM) proposes to amend FinCEN’s existing rules so that each of these pillars is explicitly referenced in a corresponding requirement within FinCEN’s program rules.

The first element, identifying and verifying the identity of customers, is already included in the existing regulatory requirement to have a customer identification program (CIP). Given this fact, FinCEN is adding explicit requirements for the other three remaining elements via two rule changes.

First, FinCEN is addressing the need to collect beneficial owner information on the natural persons behind legal entities by proposing a new separate requirement to identify and verify the beneficial owners of legal entity customers, with some exemptions.

Second, FinCEN is proposing to add explicit CDD requirements to understand the nature and purpose of customer relationships and to conduct ongoing monitoring as components in each covered financial institution’s core AML program requirements.

Third, FinCEN is also updating its regulations to include explicit reference to all four of the pre-existing core requirements of an AML program, sometimes referred to as “pillars,” so that all of these requirements are visible within FinCEN’s rules.

Nothing in the proposal is intended to lower, reduce, or limit the due diligence expectations of the federal functional regulators or in any way limit their existing regulatory discretion. This proposal incorporates the CDD elements on nature and purpose and ongoing monitoring into FinCEN’s existing AML program requirements, which provide that an AML program is adequate if, among other things, the program complies with the regulation of its federal functional regulator governing such programs. The Treasury Department intends for the requirements contained in this proposal to be consistent with any regulations, guidance or authority of any federal banking agency.

Justification

The abuse of legal entities to disguise involvement in illicit financial activity facilitates crime, threatens national security, and jeopardizes the integrity of the financial system. There are numerous examples. Law enforcement officials have found that major drug trafficking organizations use shell companies to launder drug proceeds. A World Bank report highlighted how corrupt actors consistently abuse legal entities to conceal the proceeds of corruption, which the report estimates to aggregate to at least $40 billion per year in illicit activity.

Strong CDD practices that include identifying the natural persons behind a legal entity – i.e., the beneficial owners – help defend against these abuses. Armed with this information, financial institutions can provide law enforcement with details about the legal structures used by suspected criminals. Requiring legal entities seeking access to financial institutions to disclose identifying information, such as the name, date of birth, and social security number of a natural person, will make these entities more transparent, and less attractive to criminals.

The success of such targeted financial measures depends, in part, on the ability of financial institutions, law enforcement, and intelligence agencies to identify a target’s assets and accounts. Effective CDD helps prevent such abuses by requiring information, including beneficial ownership information, which may be helpful.

Express CDD requirements also enable financial institutions to more effectively assess and mitigate risk. It is through CDD that financial institutions are able to develop risk profiles of their customers. Comprehensive risk profiles enable a financial institution to monitor accounts more effectively, and evaluate activity to determine whether it is unusual or suspicious, as required under suspicious activity reporting obligations. If a financial institution files a SAR, information gathered through CDD enhances it, which helps law enforcement, intelligence, national security and tax authorities investigate and pursue illicit financing activity.

CDD also facilitates tax reporting, investigations and compliance. For example, information held by banks and other financial institutions about the ownership of companies can be used to assist law enforcement in identifying the true owners of assets and their true tax liabilities.

Strengthening CDD will also dovetail with other efforts to create greater transparency, such as the new tax reporting provisions under the Foreign Account Tax Compliance Act (FATCA). FATCA requires foreign financial institutions to identify U.S. account holders, including legal entities with substantial U.S. ownership, and to report certain information about those accounts to the IRS. The United States has collaborated with foreign governments to enter into intergovernmental agreements that facilitate the effective and efficient implementation of these requirements. These agreements and the applicable FATCA regulations allow foreign financial institutions to rely on existing AML practices in a number of circumstances, including, in the case of the agreements, for purposes of determining whether certain legal entity customers have substantial owners.

Promoting Clear and Consistent Expectations and Practices

CDD is universally recognized as fundamental to mitigating illicit finance risk. While Treasury understands from its outreach to the private sector that financial institutions broadly accept this principle and implement CDD practices in some form under a risk-based approach, covered financial institutions have expressed disparate views about what precise activity CDD entails.

FinCEN believes that this disparity adversely affects efforts to mitigate risk and can promote an uneven playing field across and within financial sectors. Covered financial institutions have noted that unclear CDD expectations can result in inconsistent regulatory examinations, potentially causing them to devote their limited resources to managing legal risk rather than fundamental illicit finance risk. Greater consistency across the financial system could also facilitate reliance on the CDD efforts of other financial institutions.

Expressly stating CDD requirements in rule or regulation with respect to understanding the nature and purpose of customer relationships and conducting ongoing monitoring to maintain and update customer information and to identify and report suspicious transactions, will facilitate more consistent implementation, supervision and enforcement of these expectations. With respect to the beneficial ownership proposal, requiring all covered financial institutions to identify beneficial owners in the same manner and pursuant to the same definition also promotes consistency across the industry. Requiring covered financial institutions to operate under one clear CDD framework will promote a more level playing field across and within financial sectors.

Scope of and Rationale for the Proposed Rule

This proposal covers only those financial institutions subject to a CIP requirement under FinCEN regulations. FinCEN believes that initially covering only these sectors is an appropriate exercise of its discretion to engage in incremental rulemaking. These sectors represent a primary means by which individuals and businesses maintain accounts with access to the financial system. Because these covered financial institutions have been subject to CIP rules, FinCEN believes that it is logical to commence implementation with those financial institutions already equipped to leverage CIP practices to the extent possible, as the proposal contemplates.

Expressly stating the requirements facilitates the goal that financial institutions, regulators, and law enforcement all operate under the same set of clearly articulated principles. The proposed CDD requirements are intended to set forth a clear framework of minimum expectations that can be broadly applied to varying risk scenarios across multiple financial sectors and can be tailored by financial institutions to account for the risks unique to them. For this reason, many other jurisdictions have already imposed requirements similar to those proposed. These global developments promote a level playing field internationally and mitigate the threat of illicit finance presented by an increasingly interconnected financial system.

A beneficial ownership requirement is best understood in the context of broader due diligence conducted on customers. Beneficial ownership information is only one component of a broader profile that is necessary for financial institutions to develop when assessing a particular customer’s risk. Beneficial ownership information is a means of building a more comprehensive risk profile; it is not an end in and of itself. Thus, in addition to proposing a specific requirement for the collection of the beneficial ownership information, FinCEN is also proposing amendments to its AML program rules to specifically reference the two components of CDD that were not elsewhere explicitly included in its regulations.

Elements of the Proposed Rule

Overview

As described briefly above, CDD consists, at a minimum, of four elements:

Identifying and Verifying the Identity of Customers;

Identifying and Verifying the Identity of Beneficial Owners of Legal Entity Customers;

Understanding the Nature and Purpose of Customer Relationships; and

Conducting Ongoing Monitoring to Maintain and Update Customer Information and to Identify and Report Suspicious Transactions.

Because the first element of CDD is already satisfied by existing CIP requirements, this NPRM proposes to address the remaining three elements of CDD.

Beneficial Ownership

The second element of CDD requires financial institutions to identify and verify the beneficial owners of legal entity customers. In this NPRM, FinCEN proposes a new requirement that financial institutions identify the natural persons who are beneficial owners of legal entity customers, subject to certain exemptions. The definition of “beneficial owner” proposed herein requires that the person identified as a beneficial owner be a natural person (as opposed to another legal entity).

A financial institution must satisfy this requirement by obtaining at the time a new account is opened a standard certification form (attached hereto as Appendix A) directly from the individual opening the new account on behalf of the legal entity customer.

The term “beneficial owner” has been defined differently in different contexts. In the AML context, the Financial Action Task Force (FATF), the global standard setter for combating money laundering and the financing of terrorism and proliferation, defines beneficial owner as “the natural person(s) who ultimately owns or controls a customer and/or the person on whose behalf a transaction is being conducted. It also incorporates those persons who exercise ultimate effective control over a legal person or arrangement.” FinCEN has endeavored to capture both the concept of ownership and of effective control in its proposed definition.

Financial institutions would be required to verify the identity of beneficial owners consistent with their existing CIP practices. However, FinCEN is not proposing to require that financial institutions verify that the natural persons identified on the form are in fact the beneficial owners. The requirement focuses on verifying the identity of the beneficial owners, but does not require the verification of their status as beneficial owners. This proposed requirement states minimum standards.

FinCEN believes that the beneficial ownership requirement is the only new requirement imposed by this rulemaking. Although beneficial ownership identification is but one of four requirements for a comprehensive CDD scheme, the proposed beneficial ownership rule is being proposed as a separate provision in FinCEN’s regulations. Other components of this rulemaking will be addressed via amendments to existing provisions, as described below.

Understanding the Nature and Purpose of Customer Relationships/Monitoring for Suspicious Activity

The NPRM also addresses the third and fourth elements of CDD by proposing amendments to the AML program rule that harmonize these elements of CDD with existing AML obligations.

The third element of CDD requires financial institutions to understand the nature and purpose of customer relationships in order to develop a customer risk profile. This is a necessary and critical step in complying with the existing requirement to identify and report suspicious transactions as required under the BSA.

The fourth element of CDD requires financial institutions to conduct ongoing monitoring. As with the third element, ongoing monitoring is a necessary part of maintaining and updating customer information and identifying and reporting suspicious transactions as required under the BSA.

The third and fourth elements are consistent with, and in fact necessary in order to comply with, the existing requirement to report suspicious activity, as this obligation inherently requires a financial institution to understand expected customer activity in order to develop a customer risk profile and to monitor customer activity so that it can identify transactions that appear unusual or suspicious. As such, the third and fourth elements are intended to explicitly state already existing expectations for the purpose of codifying the baseline standard of due diligence that is fundamental to an effective AML program.

Because these two elements are consistent with existing BSA requirements as adopted in regulations or rules issued by federal functional regulators and SROs, nothing in this proposed rule should be interpreted in a manner inconsistent with previous guidance issued by FinCEN or guidance, regulations, or supervisory expectations of the appropriate federal functional regulator or SRO with respect to these elements.

For example, the FFIEC provided supervisory expectations for examinations related to CDD in the FFIEC BSA/AML Examination Manual. FinCEN believes that, aside from the new beneficial ownership requirement, the other proposed CDD elements are consistent with the regulatory expectations of the federal functional regulators and should be interpreted accordingly. Of course, as the proposed CDD requirements state minimum standards, existing or future guidance, regulations or supervisory expectations may provide for additional requirements or steps that should be taken to mitigate risk.

Identifying and Verifying the Identity of Beneficial Owners of Legal Entity Customers

The ANPRM explored a categorical requirement for financial institutions to identify the beneficial owners of legal entity customers. Unlike the other elements of CDD, this element would impose a new regulatory obligation on financial institutions.

The definition of “beneficial owner” must be clear to employees and customers of financial institutions. To that end, FinCEN proposes the following definition of “beneficial owner” of a legal entity customer, which includes an ownership prong and a control prong:

1. Each individual, if any, who, directly or indirectly, through any contract, arrangement, understanding, relationship or otherwise, owns 25 percent or more of the equity interests of a legal entity customer;

and

2. An individual with significant responsibility to control, manage, or direct a legal entity customer, including:

a. An executive officer or senior manager (e.g., a Chief Executive Officer, Chief Financial Officer, Chief Operating Officer, Managing Member, General Partner, President, Vice President, or Treasurer); or

b. Any other individual who regularly performs similar functions.

Each prong is intended to be an independent test. Under the ownership prong a financial institution must identify each individual who owns 25 percent or more of the equity interests. Accordingly, a financial institution would be required to identify no more than four individuals under this prong, and, if no one individual owns 25 percent or more of the equity interests, then the financial institution may identify no individuals under the ownership prong.

Under the control prong a financial institution must identify one individual. In cases where an individual is both a 25 percent owner and meets the definition for control, that same individual could be identified as a beneficial owner under both prongs.

This definition provides greater flexibility to financial institutions and customers in responding to the control prong of the definition by permitting the identification in clause (ii) of any individual with significant managerial control, which could include a President, Chief Executive Officer or other senior executive, or any other individual acting in a similar capacity. Moreover, this definition does not require a financial institution to comparatively assess individuals to determine who has the greatest equity stake in the legal entity.

The 25 percent equity ownership threshold set forth in the ownership prong of the definition sets a clear standard that can be broadly applied. At the same time, the 25 percent threshold retains the benefits of identifying key individuals with a substantial ownership interest in the legal entity.

The term “equity interests” should be interpreted broadly to apply to a variety of different legal structures and ownership situations. In short, “equity interests” refers to an ownership interest in a business entity. Examples of “equity interests” include shares or stock in a corporation, membership interests in a limited liability company, and other similar ownership interests in a legal entity.

The phrase “directly or indirectly” in the ownership prong of the definition is intended to make clear that where a legal entity customer is owned by (or controlled through) one or more other legal entities, the proposed rule requires customers to look through those other legal entities to determine which natural persons own 25 percent or more of the equity interests of the legal entity customer. FinCEN does not expect financial institutions – or customers – to undergo complex and exhaustive analysis to determine with legal certainty whether an individual is a beneficial owner under the definition. Instead, FinCEN expects financial institutions to be able to rely generally on the representations of the customer when answering the financial institution’s questions about the individual persons behind the legal entity, including whether someone identified as a beneficial owner is in fact a beneficial owner under this definition.

Definition of Legal Entity Customer

FinCEN proposes to define legal entity customers to include corporations, limited liability companies, partnerships or other similar business entities that open a new account after the implementing date of the regulation.

FinCEN would interpret this to include all entities that are formed by a filing with the Secretary of State (or similar office), as well as general partnerships and unincorporated nonprofit associations. It does not include trusts other than those that might be created through a filing with a state (e.g., statutory business trusts).

Exemptions and Exclusion from the Beneficial Ownership Requirement

Customers Exempt from CIP

FinCEN proposes to exempt from the beneficial ownership requirement those types of entities that are exempt from the customer identification requirements under the CIP rules. Those types of entities include, but are not limited to, financial institutions.

The exemption proposed for this rule would not cover all the entities included in the exemption from the CIP requirements. This is because FinCEN does not propose to include an exemption for legal entities with existing accounts that open new accounts after the implementation date of the rule. The inclusion of such an exemption would parallel the exemption in the CIP requirements per the definition of “customer.”

However, FinCEN believes that such an approach would not serve the purposes of the present rule. In situations where a legal entity is opening an account in addition to a previously existing account, the new requirement will apply. If the pre-existing account predates the implementation date of the rule, the financial institution will need to obtain the certification form. If the pre-existing account was established after the implementation date, it may be reasonable to have another approach.

Other exemptions include publicly held companies traded on certain U.S. stock exchanges, domestic government agencies and instrumentalities and certain legal entities that exercise governmental authority. These exemptions are incorporated into the proposed beneficial ownership requirement by excluding these entities from the definition of “legal entity customer,” which corresponds to how these entities are exempted from CIP.

Consequently, the definition of “legal entity customer” for purposes of the beneficial ownership requirement excludes all the same types of entities as the definition of “customer” for purposes of the CIP rules, including exclusions based on guidance issued by FinCEN and the federal functional regulators with regard to the applicability of the CIP rules.

Additional Exemptions for Certain Legal Entity Customers

In addition to incorporating exemptions applicable to the CIP rules, FinCEN proposes that the following entities also be exempt from the beneficial ownership requirement when opening a new account because their beneficial ownership information is generally available from other credible sources:

An issuer of a class of securities registered under Section 12 of the Securities Exchange Act of 1934 or that is required to file reports under Section 15(d) of that Act;

Any majority-owned domestic subsidiary of any entity whose securities are listed on a U.S. stock exchange;

An investment company, as defined in Section 3 of the Investment Company Act of 1940, that is registered with the SEC under that Act;

An investment adviser, as defined in Section 202(a)(11) of the Investment Advisers Act of 1940, that is registered with the SEC under that Act;

An exchange or clearing agency, as defined in Section 3 of the Securities Exchange Act of 1934, that is registered under Section 6 or 17A of that Act;

Any other entity registered with the Securities and Exchange Commission under the Securities and Exchange Act of 1934;

A registered entity, commodity pool operator, commodity trading advisor, retail foreign exchange dealer, swap dealer, or major swap participant, each as defined in section 1a of the Commodity Exchange Act, that is registered with the CFTC;

A public accounting firm registered under section 102 of the Sarbanes-Oxley Act; and

A charity or nonprofit entity that is described in Sections 501(c), 527, or 4947(a)(1) of the Internal Revenue Code of 1986, that has not been denied tax exempt status, and that is required to and has filed the most recently required annual information return with the Internal Revenue Service.

Existing and New Customers

FinCEN proposes that the beneficial ownership requirement will apply only with respect to legal entity customers that open new accounts going forward from the date of implementation. The definition of “legal entity customer” is limited to legal entities that open a new account after the implementation date.


Trusts

Several comments described potential challenges in applying a beneficial ownership requirement to a customer that is a trust. There are many types of trusts. While a small proportion may fall within the scope of the proposed definition of legal entity customer (e.g., statutory trusts), most will not. Unlike the legal entity customers that are subject to the proposed beneficial ownership requirement (corporations, limited liability companies, etc.), a trust is generally a contractual arrangement between the person who provides the funds and specifies the trust terms and the person with control over the funds for the benefit of those who benefit from the trust.

This arrangement does not generally require the approval by or other action of a state to become effective. FinCEN notes that in order to engage in the business of acting as a fiduciary it is necessary for a trust company to be federally- or state-chartered.

Given the variety of possible trust arrangements and the number of persons who may have roles in them, financial institutions are already taking a risk-based approach to collecting information with respect to various persons for the purpose of knowing their customer. FinCEN expects financial institutions to continue these practices as part of their overall efforts to safeguard against money laundering and terrorist financing, and will consider additional rulemaking or guidance to strengthen or clarify this expectation.

Intermediated Account Relationships and Pooled Investment Vehicles

The ANPRM sought comment on whether and how a beneficial ownership requirement should be applied to accounts held by intermediaries on behalf of third parties. An intermediary generally refers to a customer that maintains an account for the primary benefit of others, such as the intermediary’s own underlying clients. For example, certain correspondent banking relationships may involve intermediation whereby the respondent bank of a correspondent bank acts on behalf of its own clients.

FinCEN recognizes that this risk may be more effectively managed through other means. These would include proper customer due diligence conducted by financial institutions on their direct customers who serve as intermediaries, and appropriate regulation of the intermediaries themselves. Therefore, for purposes of the beneficial ownership requirement, if an intermediary is the customer, and the financial institution has no CIP obligation with respect to the intermediary’s underlying clients pursuant to existing guidance, a financial institution should treat the intermediary, and not the intermediary’s underlying clients, as its legal entity customer.

Consistent with other elements of CDD, a financial institution’s AML program should contain risk-based policies, procedures, and controls for assessing the money laundering risk posed by underlying clients of a financial intermediary, for monitoring and mitigating that risk, and for detecting and reporting suspicious activity. While a financial intermediary’s underlying clients may not be subject to the beneficial ownership requirement, a financial institution would be obligated to monitor for and report suspicious activity associated with intermediated accounts, including activity related to underlying clients.


Verification of Beneficial Owners

Standard Certification Form

FinCEN proposes that a financial institution must satisfy the requirement to identify beneficial owners by obtaining, at the time a new account is opened, the standard certification form attached hereto as Appendix A. To promote consistent customer expectations and understanding, the form in Appendix A plainly describes the beneficial ownership requirement and the information sought from the individual opening the account on behalf of the legal entity customer. To facilitate reliance by financial institutions, the form also requires the individual opening the account on behalf of the legal entity customer to certify that the information provided on the form is true and accurate to the best of his or her knowledge. This certification is also helpful for law enforcement purposes in demonstrating unlawful intent in the event the individual completing the form knowingly provides false information.

Verification of Beneficial Owners

FinCEN is not proposing to require that financial institutions verify the status of a beneficial owner. Financial institutions may rely on the beneficial ownership information provided by the customer on the standard certification form.

For verifying the identity of a beneficial owner, FinCEN proposes that financial institutions verify the identity using existing risk-based CIP practices. The proposed rule provides that a financial institution must implement risk-based procedures to verify the identity of each beneficial owner according to procedures that comply with the CIP requirements to verify the identity of customers that are natural persons.

Therefore, a financial institution may verify the identity of a beneficial owner using documentary or non-documentary methods, as it deems appropriate under its procedures for verifying the identity of customers that are natural persons. These procedures should enable the financial institution to form a reasonable belief that it knows the true identity of the beneficial owner of each legal entity customer. A financial institution must also include procedures for responding to circumstances in which it cannot form a reasonable belief that it knows the true identity of the beneficial owner, as described under the CIP rules. Because these practices are already well-established and understood at covered financial institutions, FinCEN expects that these institutions will leverage existing compliance procedures.

Updating Beneficial Ownership Information

FinCEN is not proposing this requirement but notes that, as a general matter, a financial institution should keep CDD information, including beneficial ownership information, as current as possible and update as appropriate on a risk-basis. For example, a financial institution may determine that updating beneficial ownership information is appropriate after a customer has been identified as engaging in suspicious activity or exhibits other red flags, which FinCEN believes is generally consistent with existing practice for updating other customer information.

Each financial institution’s policies and procedures should be based on its assessment of risk and tailored to, among other things, its customer base and products and services offered.

Reliance

In general, a financial institution may rely upon another financial institution to conduct CIP with respect to shared customers, provided that: (i) such reliance is reasonable; (ii) the other financial institution is subject to an AML program rule and is regulated by a federal functional regulator; and (iii) the other financial institution enters into a contract and provides annual certifications regarding its AML program and CIP requirements.

FinCEN proposes to permit such reliance for purposes of complying with the beneficial ownership requirement, including obtaining the certification form required under the proposed rule.

Existing guidance with respect to whether a financial institution can rely on another financial institution to conduct CIP with respect to shared customers also would apply for the purposes of complying with the beneficial ownership requirement. As was the case with the CIP rules, a covered financial institution will not be held responsible for the failure of the relied-upon financial institution to adequately fulfill the covered financial institution’s beneficial ownership responsibilities, provided it can establish that its reliance was reasonable and that it has obtained the requisite contracts and certifications.

Understanding the Nature and Purpose of Customer Relationships

The third element of CDD requires financial institutions to understand the nature and purpose of customer relationships in order to develop a customer risk profile.

FinCEN understands that it is industry practice to gain an understanding of a customer in order to assess the risk associated with that customer to help inform when the customer’s activity might be considered “suspicious.” FinCEN does not intend for this element to necessarily require modifications to existing practice or customer onboarding procedures, and does not expect financial institutions to ask each customer for a statement as to the nature and purpose of the relationship or to collect information not already collected pursuant to existing requirements.

The amendment to the AML program rule that incorporates this element is intended to clarify existing expectations for financial institutions to understand the relationship for purposes of identifying transactions in which the customer would not normally be expected to engage.

FinCEN intends for this amendment to be consistent with existing rules and related guidance. For example, the requirement for financial institutions to report suspicious activity requires that they file a report on a transaction that, among other things, has “no business or apparent lawful purpose or is not the sort in which the particular customer would normally be expected to engage.”

In the context of depository institutions, it is well understood that “a bank should obtain information at account opening sufficient to develop an understanding of normal and expected activity for the customer’s occupation or business operations.” FinCEN intends for this proposed CDD element to be consistent with these types of expectations. FinCEN believes that in some circumstances an understanding of the nature and purpose of a customer relationship can also be developed by inherent or self-evident information about the product or customer type, or basic information about the customer.

FinCEN recognizes that inherent information about a customer relationship, such as the type of customer, the type of account opened, or the service or product offered, may be sufficient to understand the nature and purpose of the relationship. Obtaining basic information about the customer, such as annual income, net worth, domicile, or principal occupation or business, may similarly be relevant depending on the facts and circumstances.

Longstanding customers of a financial institution may have a robust history of activity that could also be highly relevant in understanding future expected activity for purposes of detecting aberrations. At the same time, FinCEN recognizes that certain financial institutions, such as securities and futures firms, often maintain accounts in which expected activity can vary significantly over time based on numerous factors, and that prior transaction history or information obtained from the client upon account opening may not be a reliable indicator of future conduct. Each case depends on the facts and circumstances unique to the financial institution and its customers.

FinCEN believes that financial institutions should already be satisfying this element by complying with the requirement to report suspicious activity, as this element is an essential step in the process of identifying such activity. Because this is a necessary step to identifying and reporting suspicious activities, its scope should not be limited to “customers” for purposes of the CIP rules, but rather should extend more broadly to encompass all accounts established by the institution.

Ongoing Monitoring

The fourth element of CDD requires financial institutions to conduct ongoing monitoring for the purpose of maintaining and updating customer information and identifying and reporting suspicious activity. FinCEN intends for this element to be consistent with a financial institution’s current suspicious activity reporting and AML program requirements.

The BSA/AML Manual notes that the internal controls of a bank’s AML Program should “provide sufficient controls and monitoring systems for timely detection and reporting of suspicious activity.” Codifying this supervisory and regulatory expectation as explicit requirements within FinCEN’s AML program requirements is necessary to make clear that the minimum standards of CDD include ongoing monitoring of all transactions by, at, or through the financial institution appropriately based on such monitoring for the purpose of the identification and reporting of suspicious activity.

The requirement that the financial institution “conduct ongoing monitoring to maintain and update customer information” means that, when in the course of monitoring the financial institution becomes aware of information relevant to assessing the risk posed by a customer, it is expected to update the customer’s relevant information accordingly.

The proposed requirement to update a customer’s profile as a result of ongoing monitoring (including obtaining beneficial ownership information for existing customers on a risk basis), is different and distinct from a categorical requirement to update or refresh the information received from the customer at the outset of the account relationship at prescribed periods.

Because financial institutions are already implicitly required to engage in ongoing monitoring, FinCEN expects that financial institutions would satisfy the fourth element of CDD by continuing their current monitoring practices, consistent with existing guidance and regulatory expectations. All elements of CDD discussed in this proposal are minimum standards and should not be interpreted or construed as lowering, reducing or limiting the expectations established by the appropriate federal functional regulator.

Rule Timing and Effective Date

Financial institutions have requested sufficient time to implement any new CDD requirements. FinCEN believes that the two CDD requirements set forth in this proposal will not in fact require covered financial institutions to perform any additional activities or operations, although it may necessitate revisions to written policies and procedures. FinCEN also recognizes that financial institutions will be required to modify existing customer onboarding processes to incorporate the beneficial ownership requirement, and therefore proposes an effective date of one year from the date the final rule is issued.

Section-by-Section Analysis (Unedited)

Beneficial Ownership Information Collection

Section 1010.230 Beneficial Ownership Requirements for Legal Entity Customers

Section 1010.230(a) General. This section sets forth the general requirement for covered financial institutions to identify the beneficial owners of each legal entity customer (as defined).

Section 1010.230(b) Identification and Verification. In order to identify the beneficial owner, a covered financial institution must obtain a certification from the individual opening the account on behalf of the legal entity customer (at the time of account opening) in the form of Appendix A. The form requires the individual opening the account on behalf of the legal entity customer to identify the beneficial owner(s) of the legal entity customer by providing the beneficial owner’s name, date of birth, address and social security number (for U.S. persons). This information is consistent with the information required under the CIP rules for identifying customers that are natural persons. The form also requires the individual opening the account on behalf of the legal entity customer to certify, to the best of his or her knowledge, that the information provided on the form is complete and correct. Obtaining a signed and completed form from the individual opening the account on behalf of the legal entity customer shall satisfy the requirement to identify the beneficial owners under Section 1010.230(a).

This section also requires financial institutions to verify the identity of the individuals identified as beneficial owners on the certification form. The procedures for verification are to be identical to the procedures applicable to an individual opening an account under the existing CIP rules. Accordingly, the financial institution must verify a beneficial owner’s identity using the information provided on the certification form (name, date of birth, address, and social security number (for U.S. persons), etc.), according to the same documentary and non-documentary methods the financial institution may use in connection with its customer identification program (to the extent applicable to customers that are individuals), within a reasonable time after the account is opened. A financial institution must also include procedures for responding to circumstances in which it cannot form a reasonable belief that it knows the true identity of the beneficial owner, as described under the CIP rules.

Section 1010.230(c) Beneficial Owner. As more fully described above, the proposed definition of “beneficial owner” includes two independent prongs: an ownership prong (clause (1)) and a control prong (clause (2)). A covered financial institution must identify each individual under the ownership prong (i.e., each individual who owns 25 percent or more of the equity interests), in addition to one individual for the control prong (i.e., any individual with significant managerial control). If no individual owns 25 percent or more of the equity interests, then the financial institution may identify a beneficial owner under the control prong only. If appropriate, the same individual(s) may be identified under both criteria.

Section 1010.230(d) Legal Entity Customer. For purposes of the beneficial ownership requirement described under this Section, the proposed rule defines “legal entity customer” to mean a corporation, limited liability company, partnership or similar business entity (whether formed under the laws of a state or of the United States or a foreign jurisdiction), that opens a new account. The reference to “new account” makes clear that the obligation to identify beneficial owners under Section 1010.230 applies to legal entity customers opening new accounts after the date of rule’s implementation, and not retrospectively. Previously issued guidance that clarifies who a customer is under certain circumstances shall be instructive to the extent applicable to the proposed beneficial ownership requirement.

Section 1010.230(e) Covered Financial Institution. This term has the meaning set forth in 31 CFR 1010.605(e)(1), which defines the term for purposes of the regulations implementing Section 312 of the PATRIOT Act.

Section 1010.230(f) Retention of Records. A financial institution must have procedures for maintaining a record of all information obtained in connection with identifying and verifying the beneficial owners under 1010.230(b). These procedures must include retaining the beneficial ownership certification form, and any other related identifying information collected, for a period of five years after the date the account is closed. It must also retain in its records, for a period of five years after such record is made, a description of (i) every document relied on for verification, (ii) any nondocumentary methods and results of measures undertaken for verification, and (iii) the resolution of any substantive discrepancies discovered in verifying the identification information. The proposed rule leverages off of industry familiarity with the recordkeeping requirements relative to identifying and verifying the identity of individual customers under the CIP rules, and proposes an identical recordkeeping standard here. This is with the understanding that identical standards will help relieve implementation burden with respect to the new requirement.

Section 1010.230(g) Reliance on Another Financial Institution. The proposed rule permits reliance on another financial institution under the same conditions set forth in the applicable CIP rules.

Amendments to AML Program Requirements (Unedited)

Overview

FinCEN’s existing AML program requirements applicable to each type of covered financial institution are being amended to ensure alignment between existing AML requirements and CDD minimum standards. As described in Section III above, CDD consists of four fundamental components. The first component, customer identification, is already sufficiently included in the existing Customer Identification Program requirements issued jointly by FinCEN and its regulatory colleagues. The second component, identification of the beneficial ownership of legal entity customers, is proposed as a separate rule in 31 CFR § 1010.230, as outlined above.


The third and fourth components of CDD – understanding the nature and purpose of an account and ongoing monitoring – which have been understood as necessary facets of other regulatory requirements, are now being explicitly included in applicable AML program rules, as described in more detail below. Covered financial institutions are expected to apply these procedures on a risk-based approach with respect to the breadth of their account relationships, consistent with their obligation to identify and report suspicious activities.

FinCEN is incorporating these CDD procedures into the AML program requirements to make clear that CDD is a core element of a financial institution’s policies and procedures to guard against money laundering. Furthermore, incorporating these CDD requirements into the AML program requirements, which require the AML program to also comply with the regulation of its federal functional regulator governing such programs, makes clear that a financial institution’s procedures with respect to these requirements are subject to examination and enforcement by the appropriate federal functional regulator or self-regulatory organization in a manner consistent with current supervisory authorities and expectations. As such, this proposed rule is not intended to limit the federal functional regulators’ supervisory role or, where applicable, its ability to oversee an SRO’s effective examination and enforcement of BSA compliance.

Nothing in this proposal is intended to lower, reduce, or limit the due diligence expectations of the federal functional regulators or in any way limit their existing regulatory discretion. To clarify this point, this proposal incorporates the CDD elements on nature and purpose and ongoing monitoring into FinCEN’s existing AML program requirements, which generally provide that an AML program is adequate if, among other things, the program complies with the regulation of its federal functional regulator (or, where applicable, self-regulatory organization) governing such programs. In addition, the Treasury Department intends for the requirements contained in this customer due diligence and beneficial ownership proposal to be consistent with, and not to supersede, any regulations, guidance or authority of any federal banking agency, the SEC, the CFTC, or of any SRO relating to customer identification, including with respect to the verification of the identities of legal entity customers.

The FinCEN AML Program rules are also being amended to ensure that FinCEN’s regulations explicitly include the existing core requirements that are currently included within the AML program rules issued by the federal functional regulators or their appointed self-regulatory organizations (SROs). These existing core pillars, referenced in 31 U.S.C. § 5318(h) as “minimum” requirements, include: (i) the development of internal policies, procedures and controls; (ii) the designation of a compliance officer; (iii) an ongoing employee training program; and (iv) an independent audit program to test functions. While there are slight differences in the wording of the regulatory requirements across the rules applicable to each industry, FinCEN considers them to all be the same in practice at their core.

FinCEN sees utility for industry in having these rules clearly spelled out in FinCEN’s own regulations and believes that there is further utility in making these rules more uniform, particularly given the number of industry actors that have constituent components subject to multiple rules. FinCEN also acknowledges, however, that the core requirements set forth by SROs, as approved by the federal functional regulator supervising them, sometimes include details deemed warranted with respect to the SROs’ oversight of those industries. While such detail may not be included in FinCEN’s rules, FinCEN and the supervising regulator have coordinated in the past to ensure that such rules are consistent with the purposes of the BSA. There is no intent in this rulemaking to undermine the nuances that currently exist with respect to those rules, and they can be followed in tandem with rules set forth here.


Section 1020.210 Anti-money Laundering Program requirements for financial institutions regulated by a Federal functional regulator, including banks, savings associations and credit unions.

FinCEN is rewriting its existing AML program rule to include the existing core provisions already included in regulations issued by the relevant banking agencies and adding to these core provisions a fifth pillar that includes the components of CDD pertaining to understanding the nature and purpose of customer relationships and ongoing monitoring, as discussed above.

Section 1023.210 Anti-money laundering program requirements for brokers or dealers in securities

Omitted from this presentation.

Section 1024.210 Anti-money laundering program requirements for mutual funds

Omitted from this presentation.

Section 1026.210 Anti-money laundering program requirements for futures commission merchants and introducing brokers in commodities

Omitted from this presentation.