Understanding the Bank Secrecy Act - NACUSAC · 1 LONG-TERM RELATIONSHIPS ARE ALL ABOUT DEDICATION Understanding the Bank Secrecy Act LONG-TERM RELATIONSHIPS ARE ALL ABOUT DEDICATION

1

LONG-TERM RELATIONSHIPS ARE ALL ABOUT DEDICATION

Understanding the Bank Secrecy Act

LONG-TERM RELATIONSHIPS ARE ALL ABOUT DEDICATION2

What has FinCen been up to?

• 4/4/2015 Lone Star National Bank CMP - $1,000,000• Customer due diligence and enhanced due diligence of high risk

accounts unsatisfactory• Deficiencies in identifying suspicious activities• Weakness with foreign correspondence accounts.

• 1/27/2015 Oppenheim and Company - $20,000,000• Failed to establish effective AML program ( 2005 fined

$2million)• Suspicious trading activity at 5 branches,• Failure to identify and monitor foreign nationals

2



• 12/18/14 Thomas Haider – Chief Compliance Officer MoneyGram $1,000,000• Failure to establish an effective AML program.

• 11/25/14 North Dade community Development Federal Credit Union ( $ 4 million in assets)– $Penalized $300,000 for violation of BSA and USAPatriot Act– 56 Money Service Business as clients,– Over a billion $ in EFT transactions

• 6/26/14 – Associated Bank penalized $500,000– Failed to conduct risk assessments, customer due diligence ,

implement suspicious activity monitoring, and identify high risk customers

3



• 01/14/14 Old National Bank Penalized $500,000– Failed to conduct risk assessments, customer due diligence ,

implement suspicious activity monitoring's, and identify high risk customers

– Internal audit failed to detect deficiencies

• 9/24/2013 Saddle River Valley Bank –– Penalized $4,100,000 failure to conduct due diligence and monitor

Mexican and Dominican casas de cambio– Death penalty to the bank

• 9/23/2013 TD Bank– 37.5 million penalty– Failure to file Suspicious Activity Reports related to a Ponzi scheme

though the automated system flagged the customers account on several occasions.

4

3


History Lesson

• 1970 – Currency and Foreign Transactions Reporting Act

• 1986- The Money Laundering Control Act– Imposed criminal penalties for circumvention of the BSA

• 1992- Annunzio-Wylie Anti-Money Laundering Act

• 1996 The Suspicious Activity Report (SAR) introduced.

Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism Act of 2001.

USA Patriot Act

• Port Security Act of 2006 – Prohibition on Internet Gambling.


– The US Patriot Act

• Criminalized the financing of terrorism and augmented the existing BSA framework by strengthening customer identification procedures;

• Prohibiting financial institutions from engaging in business with foreign shell banks;

• Requiring financial institutions to have due diligence procedures,

• Expanded the AML program requirements to all financial institutions.

4


U.S. Patriot Act

• Increased the civil and criminal penalties for money laundering.

• Provided the Secretary of the Treasury with the authority to impose “special measures” on jurisdictions, institutions, or transactions that are of “primary money-laundering concern.”

• Facilitated records access and required institutions to respond to regulatory requests for information within 120 hours.

• Required federal regulators to consider a credit union’s AML record when reviewing credit union mergers, acquisitions, and other applications for business combinations.


What is Money Laundering

• Money Laundering – The criminal practiced of processing ill-gotten gains, or dirty money through a series of transactions to “ clean it”.

– Placement – introducing funds into the financial system,• Structuring, commingling deposits.

– Layering – moving funds around to create confusion and complicate the trail.

• Wire transfers, multiple accounts

– Integration – adds the appearance of legality through additional transactions

• Purchase and sale of real estate, securities, etc.

5


Terrorist Financing

• Not motivated by profit

• Relies on having an effective financial infrastructure

• Sources of funding which are mobile

• Sources from legal and illegal acts

• Money Laundering a vital component of terrorist financing


BSA IN A NUTSHELL

10

6


Acronyms/Definitions

• BSA – Bank Secrecy Act

• AML- Anti- Money Laundering Act

• FinCen – Financial Crimes Enforcement Network, responsible for BSA enforcement.

• CTR – Currency Transaction Report – filed for transactions involving currency of more than $10,000.

• OFAC – Office of Foreign Asset Control

• SAR – Suspicious Activity Report –– must be filed when if a transaction must be filed is a transaction or

aggregated transactions involve $5,000 or more and the institution knows, suspects or has reason to suspect that the transaction violates BSA or may violation of law.


Acronyms/Definitions

• CTR – Currency Transaction Report ( Form 104)

• Currency –– The coin and paper money of the United States or of any other

country that is designated as legal tender and that circulates and is customarily used and accepted as a medium of exchange in the country of issuance. Currency includes U.S. silver certificates, U.S. notes and Federal Reserve notes. Currency also includes official foreign bank notes that are customarily used and accepted as a medium of exchange in a foreign country.

• Monetary Instrument– Currency, traveler’s checks, negotiable instruments in bearer form,

securities in bearer form.

7


BSA in a Nutshell

• Risk Assessment– Comprehensive profile of the institutions risk profile and

exposure

• Compliance Program– Policies, procedures, processes to ensure compliance with

regulations

• BSA Activities– Currency Transaction Reporting– CIP/Customer Due Diligence– –Monetary Instruments– Wire/Fund Transfers– Suspicious Activity Reporting – Section 314(a) information sharing requests


BSA Activities

• Currency Transaction Reporting -Must report exchanges of currency of more than $10,000 on one day.

• CIP/ – forming a reasonable belief as to true identity of each customer

• Customer Due Diligence – should enable the institution to predict with relative certainty the types of transactions in which a customer is likely to engage.

• Monetary Instruments – must maintain information regarding sales of monetary instruments of $3,000 to $10,000.

• Wire/Fund Transfers- must maintain information regarding fund transfers in/out of $3,000 or more.

• Suspicious Activity Reporting – must design programs to detect suspicious activity

• Section 314(a) information sharing requests

8


Risk Based Focus and the Risk Assessment Process


Risk Based Focus

• A well developed risk assessment will assist in identifying the institution’s BSA/AML profile.

• The risk assessment process enables management to better identify and mitigate gaps in internal controls.

• Identifies specific risk categories and identifies risks within each category

9


Risk Assessment


Risk Assessment Process Identifying Specific Risk Categories

• Products– Transaction volumes/amounts– Monetary Instruments– Lending activities ( collateral)– Non-deposit activities ( investment and insurance)

– Stored value cards– ATM– Special use accounts

• Services– Electronic Banking– ACH– Third party payment processors– ATMs– Trust/Private Banking Services

10


Risk Assessment Process Identifying Specific Risk Categories -

• Geography– Risk of opening accounts/ doing business in certain

geographic areas– Countries subject to sanctions/terrorist sponsors– Offshore financial centers– High Intensity Drug Trafficking Areas– High Intensity Financial Crime Areas

• Customer Base– Non-bank financial institutions/ Cash intensive businesses– Nonresident Aliens and accounts of foreign individuals– Charitable Organizations– Professional Service Providers


Risk Assessment BSA/AML

• Customer Base

• Products/Services

• Volume of CTRs filed

• High Risk Customers

• Foreign Correspondent Accounts

• International Accounts

• Funds Transfer

• Geography– Location of Branches – High Intensity Drug Trafficking Area– High Intensity Financial Crime Area

• Employee Turnover

11


High Intensity Drug Trafficking Areas ( HIDTAs)

• Areas that exhibit serious drug trafficking problems, so serious as to cause harm to the local area and other areas of the country.

• 28 Regions through out the United States, encompassing 45 states, US Virgin Islands, Puerto Rico and the District of Columbia

• How do I know if I am in a HIDTA

http://www.whitehousedrugpolicy.gov/hidta/index.html


High Intensity Financial Crime Areas (HIFCA)

• California Northern District– Monterey, Humboldt, Mendocino, Lake, Sonoma, Napa, Marin,

Contra Costa, San Francisco, San Mateo, Alameda, Santa Cruz, San Benito, Monterey, Del Norte California Southern District Los Angeles, Orange, Riverside, San Bernardino, San Luis Obispo, Santa Barbara, Ventura Southwest Border Arizona - All Counties

• Texas - Counties Bordering, and adjacent to those bordering, the US and Mexico Boundary

• Chicago- Cook, McHenry, Dupage, Lake, Will, Kane • New York - All Counties• New Jersey - All Counties• Puerto Rico - All Areas• U.S. Virgin Isles - All Areas • South Florida Broward, Miami-Dade, Indian River, Martin, Monroe,

Okeechobee, Palm Beach and St Lucie

12


BSA/AML Compliance Program


Requirements

• BSA/AML compliance program must be in writing and approved by the Board of Directors

• It must provide for the following:

A. A system of internal controls to ensure ongoing compliance.

B. Independent testing of BSA/AML compliance.

C. Designate an individual or individuals responsible for managing BSA compliance (BSA compliance officer)

D. Training for appropriate personnel.

13


INTERNAL CONTROLS


Internal Controls

• Policies, procedures, and processes designed to limit and control risks and to achieve compliance with the BSA.

• The level of sophistication of the internal controls should be commensurate with the size, structure, risks and complexity of the credit union. Internal Controls should”

1) Identify credit union operations (products, services, customers, and geographic locations) more vulnerable to abuse by money launderers and criminals;

2) Provide for periodic updates to the credit union’s risk profile; and provide for a BSA/AML compliance program tailored to manage risks

3) Inform the board of directors, or a committee thereof, and senior management, of compliance initiatives, identified compliance deficiencies, and corrective action taken, and notify directors and senior management of Suspicious Activity Reports (SARs) filed.

14


Internal Controls ( Cont.)

4) Identify a person or persons responsible for BSA/AML compliance.

5) Provide for program continuity despite changes in management or employee composition or structure.

6) Meet all regulatory recordkeeping and reporting requirements, meet recommendations for BSA/AML compliance and provide for timely updates in response to changes in regulations.

7) Implement risk-based customer due diligence (CDD) policies, procedures, and processes.


Internal Controls (Cont.)

8. Identify reportable transactions and accurately file all required reports including SARs, Currency Transaction Reports (CTRs), and CTR exemptions. (Institutions should consider centralizing the review and report-filing functions within the credit union organization.)

9. Provide for dual controls and segregation of duties. (Employees that complete the reporting forms (e.g., SARs, CTRs, and CTR exemptions) should not also be responsible for filing the reports or granting the exemptions).

15


Internal Controls ( Continued)

10) Provide sufficient controls and monitoring systems for timely detection and reporting of suspicious activity.

11) Provide for adequate supervision of employees that handle currency transactions, complete reports, grant exemptions, monitor for suspicious activity, or engage in any other activity covered by the BSA and its implementing regulations

12) Incorporate BSA compliance into the job descriptions and performance evaluations of appropriate personnel.


Independent Testing

• Independent testing (audit) must be conducted– by the internal audit department, outside auditors,

consultants, or other qualified independent parties.

• Institutions that do not employ outside auditors or consultants or have internal audit departments may comply with this requirement by using qualified persons who are not involved in the function being tested.

– Frequency – not specifically defined in the statutes (Federal Reserve indicates a sound practice would be at 12 to 18

mos. depending on risk assessment and previous audit findings)

– The persons conducting the BSA/AML testing should report directly to the board of directors or to a designated board committee comprised primarily or completely of outside directors.

16


Independent testing should, at a minimum, include:

1) An evaluation of the overall integrity and effectiveness of the BSA/AML compliance program, including policies, procedures, and processes.

2) A review of the institution’s risk assessment for reasonableness given the credit union’s risk profile (products, services, customers, and geographic locations).

3) Appropriate transaction testing to verify the credit union’s adherence to the BSA recordkeeping and reporting requirements (e.g., CIP, SARs, CTRs, and CTR exemptions, information sharing requests).

4) An evaluation of management’s efforts to resolve violations and deficiencies noted in previous audits and regulatory examinations, including progress in addressing outstanding supervisory actions, if applicable.


Testing Continued

5) A review of staff training for adequacy, accuracy, and completeness.

6) A review of the effectiveness of the suspicious activity monitoring systems (manual, automated, or a combination) used for BSA/AML compliance.

7) Deficiencies noted during the audit should be included in an audit report and reported to the board of directors or a designated committee in a timely manner

8) The board or designated committee and the audit staff should track audit deficiencies and document corrective actions.

17


BSA Compliance Officer

• The credit union’s board of directors must designate a qualified employee to serve as the BSA compliance officer.

• The BSA compliance officer is responsible for coordinating and monitoring day-to-day BSA/AML compliance.

• The BSA compliance officer is also charged with managing all aspects of the BSA/AML compliance program and with managing the credit union’s adherence to the BSA and its implementing regulations

– however, the board of directors is ultimately responsible for the credit union’s BSA/AML compliance.


Who Should be the Compliance Officer

• Increasing demand in the market place for AML experts– Certified Anti-Money Laundering Specialist ( ACAMS)

• Specialists are commanding six figure salaries– Why?

• Expertise• Risk of penalties high• Management wants to protect themselves

• Requires combination of skills and personality traits– Investigative mentality, persistence, attention to detail, big

picture ( patterns of activity, and familiarity with financial transactions, transaction flows and information systems.

18


Training

• Credit unions must ensure that appropriate personnel are trained in applicable aspects of the BSA

• Training should include regulatory requirements and the credit union’s internal BSA/AML policies, procedures, and processes.

• At a minimum, the credit union’s training program must provide training for all personnel whose duties require knowledge of the BSA.

• The training should be tailored to the person’s specific responsibilities. (Front line, lending, EFT, etc. ) – Should include examples of money laundering and

suspicious activity monitoring


BSA Activities

19


Currency Transaction Reporting

• Must File a currency transaction report ( CTR) when currency is exchanged totaling more than $10,000 on a single business day– 15 days

• Must be able to aggregate transactions from different branches, ATMs, etc.– Monitoring systems, typically set at $10,000 (

suggestion lower > $2,500.– Include ATM transactions.– Shared branching

• Forms are filed with IRS

• Exempt Persons


Exempt Persons

• Exempt Persons– Type I

• Bank; federal, state, local gov’t.; publicly traded companies and listed entities.

– Type II• Everyone else except agents of financial institutions• Sellers of vehicles, boats, mobile homes, aircrafts• Law firms, Accounting Firms, Medical Practices• Pawn Shops, • Investment advisory services, insurance cos., title

insurance cos., real estate brokerage firms.• Trade unions.

20


Customer Identification Program

• REQUIRED CUSTOMER INFORMATION– Name, address, id # date of birth

• CUSTOMER VERIFICATION– Verification Through Documents– Verification Through Nondocumentary Methods – Additional Verification for Certain Customers– Lack of Verification

• RECORDKEEPING REQUIREMENTS AND RETENTION

• COMPARISON WITH GOVERNMENT LISTS

• ADEQUATE CUSTOMER NOTICE

• IDENTIFYING HIGH RISK CUSTOMERS


Customer Due Diligence

• CDD policies, procedures and processes are critical to the Credit Union because they can aid in:

– Detecting and reporting unusual or suspicious activities that potentially expose the credit union to financial loss, increased expenses or reputation risk.

– Avoiding criminal exposure from persons who use the credit union’s services for illicit purposes

– Adhering to safe and sound practices

21


Member/Customer Due Diligence

• “Predicts with relative certainty the types of transactions in which a member is likely to engage” – FFIEC

• Provides guidance on when transactions are considered suspicious

• Begins with the CIP process and assessing the risk of the member/relationship at account opening.

• “ Enhanced” for high risk accounts

• Member information and risk rating updated through out the life of the account.

• How realistic are regulatory expectations ?– Resources, IT Systems


CDD Guidance

• Commensurate with BSA/AML Risk profile– Emphasis on high risk customers

• Clearly state management’s overall expectations and establish specific staff responsibilities.– Who reviews and approves changes to customer risk ratings or

profiles

• Ensure the Credit Union possesses sufficient customer information to implement an effective suspicious activity monitoring system.

• Document analysis associated with due diligence process

• Maintain current customer information.

22


Customer Risk

• Management must have a thorough understanding of money laundering or terrorist financing risks of the credit union’s customer/member base.

• Information gathered at account opening should allow the credit union to differentiate between lower-risk customers and high risk customers.

– Lower risk customers monitored via regular suspicious activity monitoring and CDD processes.

– High Risk Customers require additional monitoring procedures.


23


Customer Due Diligence

• Critical Frame Work for determining suspicious activity– How was the account opened?– Purpose of the account– Sources of funds and wealth– Occupation or Business– Proximity of residence or employer to Credit Union– Expected international transactions– Expected cash flows

• Revise account opening information

• Flagging member files


Nonbank Financial Institutions

• Casinos • Securities firms• Money service businesses ( MSB)

– Check cashers– US Postal service – Issuers of traveler’s checks or money orders– Money transmitters– Certain prepaid access programs

• Insurance companies• Loan/finance companies• Operators of credit card systems• Pawnbrokers, dealers in precious metals, jewels, etc.

46

24


MSBs and High Risk Customers

• Risk Factors– Types of products and services– Locations and markets– Level of account activity– MSB lack ongoing customer relationships/minimal customer

identification– MSB change product mix and locations quickly

• What FinCen expects– Must have a process for identifying high risk customers– Conduct adequate and ongoing due diligence regarding the

relationship– Make sure the relationships are appropriately considered in

SAR activity monitoring and reporting.

47


Suspicious Activity Reporting

• Why have they become important to enforcement agencies?

– Tip off terrorist financing

– Connect otherwise apparently unrelated incidents

– Force system abusers to alternate methods, prevents cleaning of funds.

25


Suspicious Activity – When to File a SAR

• Criminal violations involving insider abuse any $ amount

• Criminal violations aggregating $5,000 or more when a suspect can be identified

• Criminal violations aggregating $25,000 or more regardless of a potential suspect

• Transactions conducted or attempted by at or through the Credit Union aggregating $5,000 or more, if the institution knows, suspects, or has reason to suspect:

– Illegal activity or money laundering

– May involve illegal activity or money laundering

– Designed to evade the BSA

– Has no lawful purpose or reasonable explanation


SARS - Process

• Must have a documented processes to

– Monitor and identify unusual activity.– Research and investigate unusual activity

– Evaluate and determine whether to file a SAR

– Document procedures performed and supporting information supporting decision to file OR NOT file a SAR

26


RED FLAGS – Signs of Money Laundering

• Customer uses unusual identification documents to open an account, which are not readily verifiable.

• Customer uses different names and tax id #’s

• Business reluctant to provide complete information about the nature and purpose of his business or names of owners, officers, etc.

• Frequent or large transactions without inconsistent with employment history or experience

• Customer tries to persuade employee not to file required reports

• Deposits into several accounts, swept into one and wired out


More Red Flags

• Customer accesses safe deposit box after several large cash transactions.

• Unusually high level of ACH/Debit card transactions over the phone or web.

• Sudden change in currency deposit patterns.

• Goods and services purchased through a business account do not match the customers stated line of business.

• Loans collateralized by the assets of a third party

• Loans taken out on behalf of a third party

• The List Goes On and On.

27


Challenges in filing SARs

• What is unusual activity for a particular member?– CIP and Customer Due Diligence Processes

• How do we detect unusual activity?– What are we looking for and why

• What reports are being reviewed– Large transactions– Wires– Currency transactions <= $10,000 ( aggregating )– New accounts– Monetary instruments– Kiting reports– EFT/ACH– Others


The Critical Question

IS THE ACTIVITY SUSPICIOUS OR NOT?

Is there evidence of intent to evade or violate law or of underlying possible financial crime?

Dennis Hastert

28


Still More Challenges

• Is manual monitoring sufficient or do we need to enhance IT systems? – Rules based systems vs. intelligent systems

• Can patterns of activity be discerned?

• How do we coordinate different operational areas– Can we see relationships between currency reports and wires?

• Do we have adequate staff and time to monitor all of this?

• What does this all cost?


FinCen – 314(a) Requests

• Fall under requirements of BSA

• Bi-weekly requests from FinCen to search members / transactions Searches initiated by domestic law enforcement

• Each bi-weekly request is separate from previous (not running list)

• No specific requirement to block or freeze matches –must notify law enforcement

29


Office of Foreign Asset Control - OFAC

• Part of the U.S. Treasury Department ( not technically part of BSA)

• Administers and enforces U.S. foreign trade sanctions.

• All U.S. persons including U.S. banks, bank holding companies, and non-bank subsidiaries must comply with OFAC’s regulations.

• Can not conduct business with person on blocked list.

• No requirement that OFAC procedures be in writing,( but best practices tells us they should.


Blocking Transactions

• Credit Unions must block transactions that:

– Are by or on behalf of a blocked individual or entity

– Are to or through a blocked entity; or

– Are in connection with a transaction in which a blocked individual or entity has an interest

If you receive a payment order that falls into one of the categories above, you must execute the order and

place the funds into a blocked account. The payment order can not be canceled or amended without OFAC

approval.

30


OFAC Reporting

• 10 days - each occurrence

• Annually by 9/30

• Maintain funds in the blocked account

• Keep a record of each transaction for five years.


Resources

• F.F.I.E.C.– Bank Secrecy Act Anti-Money Laundering Examination

Manual, June 2005– ffiec.gov

• Federal Reserve– federalreserve.gov

• NCUA ( ncua.gov)– Credit Union Resources

31


DISCUSSION/QUESTIONS

61