Anti-Money Laundering and Economic Sanctions
Meet Your Instructor

Denise Whiting, CAMS
Manager, Risk Advisory, Charlotte Uptown
14 years of experience in the financial services industry
Extensive knowledge of the Bank Secrecy Act (BSA), Anti-Money Laundering (AML), Economic Sanctions (ES) and Operational Risk compliance
Prior to joining DHG, worked for three Fortune 50 financial institutions and a Fortune 300 financial institution
Objectives

How Recent FFIEC Changes Impact BSA / AML Compliance
How to Conduct a BSA / AML Audit
What to Know About Recent Enforcement Actions
How Recent Changes to FFIEC Impact BSA / AML Compliance
Generally, the FFIEC BSA / AML Exam Manual is considered the most complete guide to identifying and mitigating risks of money laundering and terrorist financing. It is used by internal auditors and bank examiners to evaluate a bank's compliance with AML regulations and OFAC requirements.
Virtual Currency
Prepaid Access
Currency Transaction Reporting (CTR)
Suspicious Activity Reporting (SAR)
The use of virtual currency (Bitcoin) is now regulated as a Money Service Business (MSB).
Previously referred to as electronic cash, Prepaid Access is considered an expanded risk.
The U.S. Department of Treasury required any currency transaction for more than $10,000 on a business day be reported using a CTR. Updated guidance requires banks to aggregate large currency transactions of separately incorporated entities with common ownership as if they were one business and to report on those transactions. For example, if one entity owns five businesses and each business account posts a $2,500 currency transaction, the guidance indicates all five transactions should be aggregated and reported.
The updates for SAR filing incorporate the new SAR e-filing requirements and guidance on filing SARs for continuous suspicious activity. The updated guidance allows an additional 30 days to file, allowing a maximum deadline of 120 calendar days for supplemental review and SAR filing.
How to Conduct a BSA / AML Audit
Does the bank have adequate controls in place that allow for a compliance program that is commensurate with its risk profile?
Office of Foreign Assets Control (OFAC)
Planning Fieldwork Exit Meeting Reporting Wrap-Up

Scoping and planning should align to the bank's BSA/AML risk assessment.
Review prior audit reports, related workpapers and management responses to any previously identified BSA findings.
Identify reports, policies, procedures and processes used by the bank to monitor, detect and report unusual activity.
Formulate a request list tailored specifically for the bank's risk profile and the planned audit scope.
Review related correspondence between the bank and its primary regulator.
While OFAC is not a part of the BSA, evaluation of OFAC compliance is frequently included in BSA/AML exams.
As a best practice, an open source internet search should be conducted to search for fines, violations, consent orders, negative media, etc.
Comprehensive BSA/AML Analysis Identify Specific Risk Categories Controls Mitigate Risks Risk Profile
Fieldwork - During Fieldwork, the auditor reviews internal control documentation, such as job descriptions and procedures. They gather and analyze data, and perform other audit tests for documenting observations. In some cases there will be a need for transaction testing.

Test of Design - The auditor should test the design effectiveness of controls by determining whether the controls, if they are operated as prescribed by persons possessing the necessary authority and competence to perform the control effectively, satisfy the company's control objectives.

Test of Operating Effectiveness - The auditor should test the operating effectiveness of a control by determining whether the control is operating as designed and whether the person performing the control possesses the necessary authority and competence to perform the control effectively.
Customer Identification Program
BSA/AML Policies & Procedures
Suspicious Activity Reporting
CDD and EDD
Currency Transaction Reports
Information Sharing
Record Retention
CTR Exemptions
Exit Meeting - At the conclusion of fieldwork, Audit will meet with the client to discuss observations and recommendations. Audit delivers discussion tools prior to this meeting, which are used for documenting observations, related risks, and recommended actions.
Reporting - An audit report is issued at the end of each audit to summarize findings, recommendations, and any responses or action plans from management. An audit report may have an executive summary; a body that includes the specific issues or findings identified and related recommendations or action plans. Each audit finding within the body of the report may contain five elements, sometimes called the "5 C's":

Condition: What is the particular problem identified?
Criteria: What is the standard that was not met? The standard may be a company policy or other regulatory benchmark.
Cause: Why did the problem occur?
Consequence: What is the risk/negative outcome (or opportunity foregone) because of the finding?
Corrective action: What should management do about the finding? What have they agreed to do and by when?
Wrap-Up - Audit will request a written Management response that addresses each observation and recommendation made in the final report. The response should indicate any action already taken by Management to correct the condition or the planned action to be taken in the near future. The reply should estimate the date when corrective action will be completed, as well as the names of the individuals who will be responsible for implementing the recommendations. Post issuance of the report, Internal Auditing will follow up with management to ascertain what improvements have been made and, if need be, conduct validation testing to ensure the corrective action is sufficient to mitigate the identified risks of a poorly operating control.
Ensure the bank maintains sufficient OFAC policies, procedures and processes.
Review OFAC training.
Identify potential OFAC matches.
Review blocked accounts for regulatory compliance.
Review block reports for accuracy.
What to Know About Recent Enforcement Actions
Enforcement action details:
First Data Resources, LLC settled with the U.S. Department of Treasury in April 2015 for $23,336.00.
The settlement stems from three violations of the Foreign Narcotics Kingpin Sanctions Regulations (FNKSR).
First Data provided third party data processing services to a Specially Designated Narcotics Trafficker between February and June 2011, which violated the FNKSR.

What led to the enforcement actions:
First Data is a highly sophisticated company that had no prior sanctions violations.
First Data's three violations occurred because of a deficiency in the company's OFAC compliance program.
First Data's OFAC program was incorrectly categorizing individuals on the Specially Designated Nationals and Blocked Persons lists.
Additionally, First Data allowed the sanctioned individual to activate a service account after it had already deactivated access to the individual for compliance with OFAC regulations.
First Data did not maintain minimum standards of compliance when reviewing information pinged by its alert management system.
First Data was providing services to a Specially Designated Narcotics Trafficker even though First Data had reason to believe that this client was a sanctioned individual.
First Data's interdiction software alerted that its customer was potentially the SDNT (which it was), but First Data continued to provide services to that individual beginning in 2011.
The alleged violations caused significant harm to U.S. sanctions program objectives by conveying economic benefit to an SDNT and undermining the policy objectives of U.S. counter narcotics sanctions.

What could they have done:
The most shocking thing First Data did was provide access to services to the sanctioned individual after it had already severed ties with them.
Employee compliance training needed to be conducted to convey the importance of knowing who they are conducting business with.

What could they do now:
Internal Controls and Independent Testing - Keep up-to-date lists of all sanctions lists and conduct appropriate screening of clients.
Invest in better technology/provide training.
Enforcement action details:
PayPal settled with the U.S. Department of Treasury in March 2015 for $7,658,300.00.
The settlement stems from 486 violations involving the following sanctions violations:
Weapons of Mass Destruction Proliferators Sanctions Regulations
Iranian Transactions and Sanctions Regulations
Cuban Assets Control Regulations
Global Terrorism Sanctions Regulations
Sudanese Sanctions Regulations

What led to the enforcement actions:
Prior to 2014, PayPal did not have adequate transaction screening technology or procedures used to identify sanctioned individuals and entities.
Due to the screening deficiencies, PayPal processed transactions that should have been blocked or prohibited according to U.S. economic sanctions requirements.
Additionally, PayPal processed transactions on behalf of a Specially Designated National (SDN) sanctioned individual. Between October 2009 and April 2013, PayPal processed 136 transactions aggregating to $7,091.77 involving an account maintained by the SDN.

What could they have done:
This was a huge lapse in internal controls. 486 violations is a very large number, especially when it comes to the types of violations. As a payment provider, PayPal is obligated to comply with regulations that would have avoided such conduct.
PayPal needed to update their technology (namely their transaction monitoring program) and conduct independent testing of their compliance policies and procedures.

What could they do now:
Internal controls! Keep up-to-date transaction monitoring systems and procedures; conduct internal testing on these systems, especially as they are updated.
Conduct transaction look-backs to try to identify any further deficiencies.
Compliance training - employees were concluding that sanctioned individuals were false positives and allowing them to conduct transactions through PayPal.
Enforcement action details:
HSBC Bank USA settled with the U.S. Department of Treasury in December 2013 for $32,400.00. The settlement stems from three violations of the Global Terrorism Sanctions Regulations occurring from 2010 to 2011.
HSBC Bank USA settled with the U.S. Department of Treasury in December 2012 for $375,000,000.00. The settlement stems from violations of the Global Terrorism Sanctions Regulations.
The settlement stems from 486 violations involving the following sanctions violations:
Iranian Transactions and Sanctions Regulations
Burmese Sanctions Regulations
Cuban Assets Control Regulations
Sudanese Sanctions Regulations
Libyan Sanctions Regulations
HSBC is facing a possible criminal indictment due to tax evasion allegations against its Swiss Private Bank. HSBC has admitted wrongdoing that was conducted prior to 2007, which consisted of tax evasion practices.
Belgium charges HSBC with money laundering
Argentina charges HSBC with tax evasion
France initiates a criminal trial and investigations against HSBC

What led to the enforcement actions:
HSBC failed to identify OFAC-sanctioned individuals and processed wire transactions on their behalf; the individuals had ties with Hezbollah.
HSBC faced OFAC violations relating to payment practices that interfered with the implementation of U.S. economic sanctions by financial institutions in the United States. The referenced payment practices consisted of obscured SWIFT code payment messages, removal of SWIFT code information, and falsely stating HSBC as the ordering institution on forwarded payment messages. These violations consisted of approximately 2,300 transactions totaling $430,000,000.
HSBC Swiss Private Bank helped wealthy customers to conceal large amounts of funds. These practices also included allowing customers to withdraw bricks of cash, establishing black accounts (unknown concealed accounts), and banking with known criminals or very high risk individuals.
Global banking giant HSBC for years catered to a motley crew of weapons dealers, tax evaders, tin-pot dictators and celebrities, using its private Swiss arm to shield accounts worth more than $100 billion.

What could they have done:
Implement U.S. compliance standards across all affiliates and regions. HSBC uses the U.S. for dollar clearing, and these funds are subject to the rules and regulations of the U.S. as they pass through the system.
Bolstered internal controls at HSBC Mexico, HSBC Swiss Bank, etc., would help alleviate violations.
Employee training on policy and ethics, as well as quality assurance and manager reviews/sign offs.
Establish an internal monitor/auditor to review the policies and work conducted at each affiliate.

What have they done:
Created a Global Standard for financial crime compliance. This keeps all affiliates on the same page as there is a minimum level of expected compliance across the board.
HSBC Private Bank developed a tax transparency policy in 2012. The policy claims that HSBC PB will close accounts or refuse business to clients if they have reason to believe that the client is not compliant with tax obligations.
Existing accounts were also reviewed, which led to a large decrease in clients and accounts due to eliminating risks.
Enforcement action details: BNP Paribas 2014/2015
Fined $8.9 Billion for illegally processing financial transactions for countries subject to U.S. Economic Sanctions
Went to elaborate lengths to conceal prohibited transactions
Did not cooperate with law enforcement when contacted
Provided dollar-clearing services for individuals and entities in Sudan, Iran, and Cuba
Moved more than $8.8 billion through the U.S. financial system on behalf of sanctioned entities over the course of 8 years
Conducted business with Sudanese banks which played a pivotal role in support of the Sudanese government which hosted Osama Bin Laden and refuses intervention for human rights abuses
Ignored internal warnings from compliance officers regarding transactions

What Could Have Been Done to Prevent This?
Proper internal controls such as:
Internal Audit
QA/QC
Internal review of employees who ignored warnings from compliance officers
Multi-level reviews of transactions testing to identify false tags for transaction repairs on sanctioned entities.
Proper CDD of high-risk geography clients/correspondent banks.
Education and training of key employees and remediation projects to ensure compliance.
Hiring an independent firm to conduct an extensive audit examination
Questions
For More Information

Denise Whiting
Charlotte - Uptown
704.452.8053
denise.whiting@dhgllp.com