institute of international bankers & conference of state ...€¦ · © 2012 kpmg llp, a...

© 2012 KPMG LLP, a Delaware limited liability partnership and the U.S. member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative (“KPMG International”), a Swiss entity. All rights reserved. 25924NSS

1

November 27, 2012 P

Anti-Money Laundering Internal Controls: Know Your Customer & Suspicious Activity Reporting

Institute of International Bankers & Conference of State Bank Supervisors


2

Key Controls in a BSA/AML Program

Primary Goals of an AML Program:

•Understand who you are (or might be) doing business with so you can prevent bad actors from gaining access to the financial system; and

•Accepting that some will get through, being able to spot those who get do so you can alert law enforcement and give them the opportunity to take action.


3

Key Sections of the USA PATRIOT Act

Section 352: Anti-Money Laundering Programs Requires financial institutions to establish anti-money laundering programs which, at a minimum, must include: the development of internal policies, procedures, and controls; designation of a compliance officer; an ongoing employee training program; and an independent audit function to test programs.

Section 326: Verification of Identification Prescribes regulations establishing minimum standards for financial institutions and their customers regarding the identity of a customer that shall apply with the opening of an account at the financial institution, i.e. the Customer Identification Program requirements.

Section 312: Special Due Diligence for Correspondent Accounts & Private Banking Accounts Imposes due diligence and enhanced due diligence requirements on U.S. financial institutions that maintain correspondent accounts for foreign financial institutions or private banking accounts for non-U.S. persons.


4

Section 352: AML Compliance Programs Pillar 1: Internal Controls

Comprehensive plan and set of internal controls, including, for example:

1. Documented policies and procedures – including board approved policy

2. Established governance and accountability

3. Documented AML/OFAC risk assessment

4. Risk-based customer due diligence

5. Sufficient controls and monitoring systems for timely detection and reporting of suspicious activity

6. Regulatory reporting

7. Record retention requirements

8. Management reports


5

Key Program Elements –

Risk-based Approach


6

Prevention

Detection

Reporting

• Implementation of Customer Identification Program

• Execution of CDD and EDD requirements

Prevention, Detection, and Reporting

• Front Office employees knowing their customers & understanding expected transactional activity

• Employees staying alert to possible suspicious activity

• Back Office employees monitoring and reporting unusual transactions to the Compliance Officer

• Conducting due diligence/investigations

• Reporting of potentially suspicious activity to FinCEN

• Updating customer’s profile, if warranted


7

Customer Identification Program (CIP)

Written Part of the overall AML compliance and KYC program Approved by senior management or a committee thereof (part of board

approved policy) CIP requires you to:

– Identify and verify identity of customer for all new accounts – Notify customer of process – Keep records of identification information – Consult government lists

At a minimum, you must obtain: – Name – Address – Date of birth (for individuals only) – SSN or TIN for U.S. persons, or other Government-issued Identification Number or

equivalent for non-U.S. persons


8

CIP Applies to “Customers”

The CIP rule applies to a “customer.”

• A customer is a “person” (an individual, a corporation, partnership, a trust, an estate, or any other entity recognized as a legal person) who opens a new account, an individual who opens a new account for another individual who lacks legal capacity, and an individual who opens a new account for an entity that is not a legal person (e.g., a civic club). A customer does not include:

• A person who does not receive banking services, such as a person whose loan application is denied.

• An existing customer as long as the bank has a reasonable belief that it knows the customer’s true identity.

• Excluded from the definition of customer are financial institutions regulated by a federal functional regulator*, banks regulated by a state bank regulator, governmental entities, and publicly traded companies (as described in 31 CFR 1020.315(b)).

* Federal functional regulator means: Board of Governors of the Federal Reserve System; Federal Deposit Insurance Corporation; National Credit Union Administration; Office of the Comptroller of the Currency.


9

CIP Applies to Customers who Open Accounts:

An account does not include: Products or services for which a formal banking relationship is not established with

a person, such as check cashing, funds transfer, or the sale of a check or money order.

Any account that the bank acquires. This may include single or multiple accounts as a result of a purchase of assets, acquisition, merger, or assumption of liabilities.

Accounts opened to participate in an employee benefit plan established under the Employee Retirement Income Security Act of 1974.


10

Customer Due Diligence (CDD) / Know Your Customer (KYC)

A primary objective of CDD is to enable the financial institution to understand the customer and the risks associated with the customer: – What are basic attributes of the customer that may set preliminary risk standards for the

collection of information

– What do you learn from collecting that information that may elevate or mitigate risk

CDD policies, procedures, and process are critical to the bank because they can aid in: – Understanding what activity or type of activity the customer is likely to engage in

– Detecting deviations from normal and expected activity for the purpose of reporting unusual or suspicious transactions that potentially expose the bank to financial loss, increased expenses, or reputational risk

– Avoiding criminal exposure from persons who use or attempt to use the bank’s products and services for illicit purposes

– Adhering to safe and sound banking practices


11

Customer Due Diligence (CDD) /Know Your Customer (KYC) (Con’t)

CDD/ KYC is conducted to enable you to form a reasonable belief that you know and understand:

• Who your customer is;

• What your customer does (business activities);

• What your customer can be expected to do through your institution;

• What risks associated with your customer;

• Whether activities are legitimate

Supporting documentation will be gathered

NB – There is no exception for affiliates!


12

Customer Due Diligence (CDD) aka Know Your Customer (KYC) (Con’t)

Processes are risk based

Will generally begin with a preliminary risk assessment of the customer, assessing factors indicative of risk:

Factors may include:

– Whether the customer is publicly traded or privately held

– If privately held, whether beneficial owners present increased risk (e.g. Politically Exposed Persons)?

– Where the customer is registered or has its principal place of business

– Whether the client is a high risk industry

– Whether the client is engaged in high risk transactions/using high risk products


13

Customer Due Diligence (CD) /Enhanced Due Diligence (EDD)

Information, in addition to CIP, should be collected from customers to assist in determining if the risk level should be elevated and Enhanced Due Diligence (EDD) collected.

Customer Information Data Element Examples Basic Information (all risk levels) • Purpose of the account • Domicile (where the business is organized) • Primary place of business • Description of the customer’s primary trade area and whether international transactions are

expected to be routine • Description of the business operations • Negative news and other list searches on the client, e.g. PEP screening If not publicly traded • Individuals with ownership or control over the account, such as beneficial owners, principals,

guarantors, trustees • Negative news and other list searches on the related parties (UBOs, etc.) When risk is elevated, either based on due diligence, enhanced due diligence must be performed


14

Enhanced Due Diligence (EDD)

A more comprehensive form of KYC For those customers where there may be increased risk associated with the account Increased risk may include: High-risk geographies High-risk type of persons or entities High-risk products or services Accounts for which EDD should be conducted include: High-risk foreign correspondent banks, pursuant to Section 312 of the USA PATRIOT Act Foreign Private Banking customers PEPs Customers with an AML risk rating of High


15

Enhanced Due Diligence (EDD)(Continued)

Customer Information Examples (Cont’d) • Source of funds and wealth • Enhanced background checks • Financial statements • Banking references • If the higher risk client is subject to an AML Program requirement (e.g., MSBs, Casinos, Precious

Metals Merchant), assess that the client’s AML program addresses: • Internal controls designed to assure compliance with the Bank Secrecy Act (BSA) • Employee Training • Independent compliance testing • Designated Compliance Officer, responsible for day-to-day compliance with the BSA AML

Program • Procedures for filing and reporting Currency Transaction Reports (CTRs) and Suspicious Activity

Report (SARs) • Site visits to assess their operations and AML or other controls

Enhanced approvals should be obtained for high risk clients - Business must own their risk


16

Enhanced Due Diligence (EDD) – Cont’d

Special Due Diligence Program for Foreign Correspondent Accounts Section 312 requires U.S. financial institutions to establish a due diligence

program that includes appropriate, specific, risk based and, where necessary, enhanced policies, procedures and controls reasonably designed to detect and report money laundering through correspondent accounts and private banking accounts established or maintained by U.S. financial institutions for non-U.S. persons.

Due diligence policies, procedures and controls must include the following: – Determining whether EDD is required; – Assessing the money laundering risks presented by the bank; – Applying risk-based procedures and controls, including a periodic review of the

correspondent account activity to determine if the activity is consistent with what is expected

Factors to be considered in assessing the risks of a Correspondent Bank Include: – Nature of the Correspondent’s business and the markets served – Type, purposes and anticipated activity – Nature and duration of the relationship – AML and supervisory regime of the licensing jurisdiction – AML record


17

Enhanced Due Diligence (EDD) – Cont’d

Special Due Diligence Program for Foreign Correspondent Accounts Enhanced due diligence must be applied to correspondent accounts maintained

in the U.S. for a foreign bank operating under: – An offshore banking license; – A banking license issued by a country that has been designated as being non-

cooperative with international anti-money laundering principles or procedures by an intergovernmental organization of which the U.S. is a member and with which designation the U.S. concurs; or

– A license issued by a country designated by the Secretary of the Treasury as warranting special measures due to money laundering concerns.

Financial institutions are also required to determine if the correspondent maintains correspondent accounts for other foreign institutions and the identity of each owner of a foreign bank whose shares are not traded publicly. (An “owner” is a person who directly or indirectly owns, controls or has the power to vote 10 percent or more of any class of the foreign bank’s securities.)


18

CDD is a Continuous Effort

Critical to ensuring you understand the risk in your customer base is periodically reviewing customers, using a risk based approach:

Periodic Reviews Using a risk-based time table, conduct regular reviews of customers in order to:

• Ensure that core client reference data remains accurate • Update due diligence/EDD information so that it remains current • Validate that that the client’s risk rating remains accurate • Assess that the client is engaging in transactions consistent with expected activity • Review client to assess whether there is any recent negative news/reputational concerns • If the client relationship has been dormant, use the periodic review as an opportunity to

purge inactive accounts, and • Ensure that the business/senior management remains comfortable maintaining the

relationship

Transaction Monitoring/Surveillance

Leverage the various customer risk factors (risk rating, industry, geography, etc…), in support of: • Automated transaction monitoring, and • Targeted transaction reviews in order to identify potential suspicious activity based upon

known typologies associated with a particular industry or customer type (e.g., unregistered MSBs)


19

Monitoring


20

Consider customer’s usual activity

Review unusual activity

Determine if unusual activity is suspicious

Update customer profile

•Understand manual and electronic systems •Need for

transparency

• Customers • Products • Transactions • Countries

•Transactions that just don’t make sense

• Unusual not necessarily suspicious

• Investigate • No plausible

explanation • Compliance

determination

• Legitimate changes in behavior

• New media and public database information

Use of manual and/or

electronic monitoring systems

Transaction Monitoring Process


21

Transaction Monitoring Systems/Processes

Transaction monitoring systems/processes must identify transactions that may be: Elevated risk

Appear unusual or indicative of suspicious activity

Transaction monitoring systems assist with the identification and analysis of potentially suspicious activity by considering factors such as : Transactions to specific geographies

Risk level of a customer

Velocity and frequency of transactions

Transaction routing

Changes in profile transactional behavior

Transaction unusual for peer group profile

Specialized risk scenarios


22

Other Monitoring Efforts

Monitoring efforts used in addition to routine transaction monitoring, including: Review of customers/parties appearing on 314(a)/(b) requests;

Customers associated with PEPs identified during batch screening;

Customers/parties named in subpoenas or other government requests received by the bank;

Customers with ties to OFAC program lists identified during batch screening (to be discussed in more detail later);

Reviews of customers with previous SAR history

Targeted reviews of activity identified as indicative of money laundering by law enforcement

Customers associated with negative media stories

Business is the first line of defense:

Front office must be alert to and trained to identify unusual behavior during all stages of a customer relationship from on-boarding and beyond


23

SAR Reporting Requirements


24

Customer Information

Transaction Monitoring

Reporting of Suspicious Activity

Executing AML Requirements


25

SAR Filing Conditions

When to File a SAR:

Transactions involving insider abuse - Any dollar amount;

Criminal violations aggregating $5,000 or more when a suspect can be identified;

Criminal violations aggregating $25,000 or more regardless of the identification of a potential suspect

Transactions conducted / attempted through the bank aggregating $5,000 or more if the bank knows, suspects, or has reason to suspect that the transaction:

May involve money laundering or other illegal activity (e.g. terrorist financing)

Is designed to evade BSA requirements

Has no business or apparent lawful purpose or is not the type of transaction in which the customer would be expected to engage without reasonable explanation.


26

SAR Filing Criteria

When to file: If ongoing criminal activity is detected, file immediately, alert law enforcement;

Otherwise:

If a suspect has been identified, file no later than 30 days from detection of the facts that form the basis for the filing;

If no suspect has been identified, then filing should be no later than 60 days from detection of the facts that form the basis for the filing.


27

Other SAR Requirements

Confidentiality is Critical: A SAR, or any information that would reveal the filing of a SAR must not be disclosed with limited exceptions:

Banking organizations may share SARs with head offices and controlling companies, thus, a US branch or agency of a foreign bank may share a SAR with its head office outside the US, providing that appropriate arrangements are made to protect the confidentiality of the SAR.

This does not apply to affiliate organizations

If subpoenaed do not provide – notify FinCEN

Records must be retained: •SARS and supporting documentation must be retained for five years from filing

Safe Harbor Laws: 31 USC 5381(g)(3) offers safe harbor from civil liability for all reports of suspicious activity

and supporting documentation


28

Questions?


29

Presenter’s Contact Details Teresa A. Pesce,

Principal, AML Services Leader

KPMG, LLP

32 5 Park Avenue

New York, NY 10154

212-872-6272

[email protected] The information contained herein is of a general nature and is not intended to address the circumstances of any particular individual or entity. Although we endeavor to provide accurate and timely information, there can be no guarantee that such information is accurate as of the date it is received or that it will continue to be accurate in the future. No one should act on such information without appropriate professional advice after a thorough examination of the particular situation.

mailto:[email protected]�

institute of international bankers & conference of state ...€¦ · © 2012 kpmg llp, a...

Documents