Bank Secrecy Act/ Anti-Money Laundering Examination Manual




Bank Secrecy Act/Anti-Money Laundering Examination Manual
Federal Financial Institutions Examination Council: Board of Governors of the Federal Reserve System, Federal Deposit Insurance Corporation, National Credit Union Administration, Office of the Comptroller of the Currency, Office of Thrift Supervision, and State Liaison Committee
2010
~ A Discussion About Key Changes ~
Shaun M. Hassett, CAMS, Vice President, Practice Leader, The LUBRINCO Group, Ltd., Inc., www.lubrinco.com
Copyright 2010, The LUBRINCO Group, Ltd., Inc.

Setting the Stage

On April 29, 2010, the Federal Financial Institutions Examination Council (FFIEC) released the updated 2010 Bank Secrecy Act/Anti-Money Laundering (BSA/AML) Examination Manual. Most of the changes in the revised manual provide new guidance and regulations and greater clarity regarding current supervisory expectations, and include new or enhanced areas of AML risk. The 2010 FFIEC BSA/AML Examination Manual is also better streamlined in certain sections, and it clarifies supervisory expectations since the August 24, 2007 update.
To ensure BSA/AML compliance you should consider the following:
- Review the changes to determine whether any products, services or departments/business lines may be affected
- Update policies, procedures, processes, controls and systems to be in line with new/updated guidance
- Review and revise any arrangements with vendors/third-party service providers, software providers or other parties to meet any changed or increased guidance
- Provide training to appropriate employees
- Incorporate changes, as necessary, into internal audit's BSA/AML approach, scope and testing

Agenda
- Suspicious Activity Reports
- Electronic Banking
  - Remote Deposit Capture
  - Electronic Cash
  - Prepaid Cards (stored value)
- Bulk Currency Shipments
- Funds Transfers and IAT Payments
- Third-Party Payment Processors

Suspicious Activity Reporting

Suspicious Activity Reporting
WHEN TO REPORT: Banks, bank holding companies, and their subsidiaries are required by federal regulations to report suspicious transactions to FinCEN in the following cases:
- Criminal violations involving insider abuse in any amount;
- Criminal violations aggregating $5,000 or more when a suspect can be identified;
- Criminal violations aggregating $25,000 or more regardless of a potential suspect;

Suspicious Activity Reporting
- Transactions conducted or attempted by, at, or through the bank (or an affiliate) and aggregating $5,000 or more, if the bank or affiliate knows, suspects, or has reason to suspect the transaction:
  - May involve potential money laundering or other illegal activity (e.g., terrorism financing);
  - Is designed to evade the BSA or its implementing regulations;

Suspicious Activity Reporting
  - Has no business or apparent lawful purpose or is not the type of transaction that the particular customer would normally be expected to engage in, and the bank knows of no reasonable explanation for the transaction after examining the available facts, including the background and possible purpose of the transaction.
A transaction includes a deposit; withdrawal; transfer between accounts; an exchange of currency; an extension of credit; a purchase or sale of any stock, bond, certificate of deposit, or other monetary instrument or investment security; or any other payment, transfer, or delivery by, through, or to a bank.

Suspicious Activity Reporting
SAR Completion:
- Accurate and complete information is vital to a SAR filing.
- Always include a very descriptive narrative (Page 3, Section V of the SAR form) that includes, at a minimum, Who, What, When, Where, Why, How, and lists supporting documents used to determine/report the suspicious activity.
- Retain all supporting documents related to the SAR report.
- Good reference: PREPARATION GUIDELINES FOR SUSPICIOUS ACTIVITY REPORT FORM (SAR) July 2003 (Revised 11/28/06) http://www.fincen.gov/forms/files/sarguidelinesv4.pdf

Suspicious Activity Reporting
Safe Harbor:
- Federal law (31 USC 5318(g)(3)) provides protection from civil liability for all reports of suspicious transactions made to appropriate authorities.
- Includes supporting documentation, regardless of whether such reports are filed pursuant to the SAR instructions.

Suspicious Activity Reporting
Specific notation in law that a bank, its directors, officers, employees, and agents that make a disclosure to the appropriate authorities of any possible violation of law or regulation, including a disclosure in connection with the preparation of SARs, shall not be liable to any person under any law or regulation of the United States, any constitution, law, or regulation of any State or political subdivision of any State, or under any contract or other legally enforceable agreement (including any arbitration agreement), for such disclosure or for any failure to provide notice of such disclosure to the person who is the subject of such disclosure or any other person identified in the disclosure.

Suspicious Activity Reporting
The safe harbor applies to SARs filed:
- within the required reporting thresholds; or
- voluntarily on any activity below the threshold.

Suspicious Activity Reporting
- Monitoring/Reporting = Critical internal controls.
- Proper monitoring/reporting processes are essential to ensuring the bank has an adequate and effective BSA compliance program.

Suspicious Activity Reporting
Policies/Procedures must be in place to allow monitoring/identifying of unusual activity. Sophistication of the monitoring system should:
- Be dictated by the bank's risk profile
- Have emphasis on higher-risk products, services, customers, entities, geographies (just like Risk Assessment)
- Have adequately assigned staff members to perform research and reports of suspicious activities, keeping in mind the bank's overall risk profile and volume of transactions.

Suspicious Activity Reporting
Effective suspicious activity monitoring and reporting systems include four key components:
1) Identification or alert of unusual activity
2) Managing alerts
3) SAR decision making
4) SAR completion and filing
The four key components are interdependent. The monitoring and reporting process should include successful implementation of each of the four components.

Suspicious Activity Reporting
Identification of Unusual Activity:
- Appropriate training to ensure personnel adhere to internal processes for identification and referral of potentially suspicious activity.
- Suspicious activity monitoring system includes processes to facilitate the transfer of internal referrals to appropriate personnel for further research.

Suspicious Activity Reporting
Policies/Procedures/Processes should be established for identifying subjects of law enforcement requests.
- Monitor activity of subjects when appropriate
- Identify unusual/potentially suspicious activity related to those subjects
- File SARs if/when appropriate
Note: Mere receipt of any law enforcement inquiry does not, by itself, require the filing of a SAR by the bank. A bank should determine whether a SAR should be filed based on all available customer information.

Suspicious Activity Reporting
Managing Alerts
- Parameters/Filters should be reasonable and tailored to the activity the bank is trying to identify or control.
- Understanding the filtering and criteria of the surveillance monitoring system is critical to assessing the effectiveness of the system.
- Develop filtering criteria through a review of specific higher-risk products, services, customers/entities, and geographies.
- Include specific profiles and rules based on what's reasonable/expected for each type of account.

Suspicious Activity Reporting
Banks should have policies/procedures/processes in place for referring unusual activity from all areas of the bank or business lines to the personnel or department responsible for evaluating unusual activity.
The bank should assign adequate staff to the:
- Identification
- Evaluation
- Reporting
of potentially suspicious activity, taking into account the bank's overall risk profile and volume of transactions.

Suspicious Activity Reporting
- The bank should ensure the assigned staff possess the requisite experience levels and are provided with comprehensive and ongoing training to maintain their expertise.
- Staff should be provided sufficient internal/external tools to assist with proper research activities and to formulate conclusions.
- Investigators should document conclusions to support whether a SAR should be/was filed or not.

Suspicious Activity Reporting
- Policies/procedures/processes should be in place for referring unusual activity from all business lines to the personnel/department responsible for evaluating unusual activity.
- Within procedures, management should establish a clear and defined escalation process from the point of initial detection to disposition of the investigation.

Suspicious Activity Reporting
SAR decision maker (may be an individual or committee)
- Should have authority to make the final SAR filing decision.
- NOTE: If using a committee as decision maker, a clearly defined process to resolve differences of opinion should be in place.
- Document specific reason(s) for all SAR filings or non-filing decisions.
- The decision to file a SAR is an inherently subjective judgment.

Suspicious Activity Reporting
- FinCEN's guidelines suggest banks report continuing suspicious activity by filing a report at least every 90 days.
- Be sure to track via spreadsheet, tickler system, etc.

Suspicious Activity Reporting
Policies/procedures/processes should indicate when to escalate issues/problems identified as the result of repeat SAR filings on accounts, which should include:
- Review by senior management and legal staff (if applicable)
- Criteria for when analysis of the overall customer relationship is necessary
- Criteria for whether and, if so, when to close the account

Suspicious Activity Reporting
Critical parts of the SAR monitoring and reporting process
Policies/procedures/processes should be in place to ensure SAR forms are:
- Filed in a timely manner
- Complete
- Accurate
- The narrative provides a sufficient description of the activity reported as well as the basis for filing

Suspicious Activity Reporting
Timing:
- SAR rules require a SAR be filed no later than 30 calendar days from the date of the initial detection of facts that may constitute a basis for filing.
- If no suspect can be identified, the time period for filing a SAR is extended to 60 days.

Suspicious Activity Reporting
The timeframe begins when the organization, during its review or because of other factors, knows or has reason to suspect the activity or transactions under review meet one or more of the definitions of suspicious activity.
- NOTE: Initial detection does not mean the moment a transaction is highlighted for review.
- NOTE: The 30-60 day period does not begin until an appropriate review is conducted and a determination is made that the transaction under review is suspicious.

Suspicious Activity Reporting
SAR Quality:
- Accuracy of information is critical.
- Forms should be complete, thorough, and timely.
- All known subject information should be included on the SAR.

Suspicious Activity Reporting
Notifying Board of Directors: Banks are required by the SAR regulations to notify the board of directors or an appropriate board committee that SARs have been filed.
- Regulations do not mandate any particular notification format
- No requirement to provide actual copies of SARs
- May opt to provide summaries, tables of SARs filed for specific violation types, etc.

Suspicious Activity Reporting
Record Retention/Supporting Documentation: Banks must:
- Retain copies of SARs and supporting documentation for five years from the date of filing the SAR.
- Provide all documentation supporting the filing upon request by FinCEN or an appropriate law enforcement or federal banking agency.
Supporting documentation refers to all documents and records that assisted a bank in making the determination to file a SAR.

Suspicious Activity Reporting
Prohibition of SAR Disclosure:
- No bank, and no director, officer, employee, or agent of a bank that reports a suspicious transaction, may notify any person involved in a SAR reportable transaction that the transaction has been reported.
- Persons subpoenaed or otherwise requested to disclose a SAR or the information contained in a SAR, except when such disclosure is requested by FinCEN or an appropriate law enforcement or federal banking agency, shall decline to produce the SAR or provide information that would disclose that a SAR has been prepared or filed.

Electronic Banking

Remote Deposit Capture
- 2010 FFIEC BSA/AML Exam Manual under Electronic Banking contains the examination guidelines for Remote Deposit Capture (RDC) activity
- Updated to eliminate reference to the fact that expensive hardware restricts the program
- Reference to FFIEC guidance issued on Jan. 14, 2009: http://www.ffiec.gov/pdf/pr011409_rdc_guidance.pdf
- Expanded to provide more details, particularly on increased use by foreign correspondents
- Risk mitigation section expanded

RDC - Defined
- RDC is a deposit transaction delivery system that has made check and monetary instrument processing more efficient.
- In broad terms, RDC allows a bank's customers to scan a check or monetary instrument and then transmit the scanned or digitized image to the institution for settlement.

RDC - Process
Scanning and transmission activities occur at remote locations that include:
- Bank branches
- ATMs
- Domestic and foreign correspondents
- Locations owned or controlled by:
  - Commercial customers
  - Retail customers

RDC - Benefits
- Reduces volume of paper
- Reduces transportation and mailing costs
- Supports new and existing banking products
- Improves customers' access to their deposits

RDC Risk Factors
Exposure to risk may increase:
- Money laundering: controlling or knowing the location and who is using the RDC equipment
- Fraud: fraudulent, sequentially numbered or physically altered documents, particularly money orders and traveler's checks, may be more difficult to detect
- Information security: recordkeeping, data safety and integrity issues may increase

RDC Potential Losses

RDC Higher-risk Customers
Higher-risk RDC customers can be defined by industry, incidence of fraud or other criteria. Examples:
- Online payment processors
- Credit-repair services
- Mail order and telephone order companies
- Online gambling operations
- Businesses located offshore
- Adult entertainment businesses

RDC Risk Mitigation
- Appropriate product and vendor vetting
- Risk-based customer parameters
- CDD and EDD
- List of acceptable industries, underwriting criteria, ownership structure, geographic locations
- Developing contracts clearly identifying each party's role, responsibilities and liabilities
- Implementing additional monitoring or review when significant changes occur in the type or volume of transactions
- Customer training
- Documentation that addresses issues including routine operations, procedures, duplicate presentment and problem resolution

RDC - Recommendations
- Create an RDC Risk Policy
- Assign a risk level to customers using RDC
  - Low risk: annual notice on risk mitigation
  - Moderate risk: annual notice, annual on-site visit
  - High risk: annual notice, annual on-site visit, adjust limits
- Risk Assessment criteria based on locations, average deposit, number of checks, number of returns, type of business, how long been a customer, credit history and relationship
- ACH Exposure and RDC Deposit Limit Approval Form

Electronic Cash
Transactions using e-cash may pose the following unique risks to the bank:
- Funds may be transferred to or from an unknown third party.
- Customers may be able to avoid border restrictions as the transactions can become mobile and may not be subject to jurisdictional restrictions.
- Transactions may be instantaneous.
- Specific cardholder activity may be difficult to determine by reviewing activity through a pooled account.
- The customer may perceive the transactions as less transparent.

Prepaid Access
June 21, 2010: FinCEN Proposed Rule Seeking Greater Transparency for Prepaid Access to Help Curb Money Laundering and Terrorist Financing
In a Notice of Proposed Rulemaking (NPRM) entitled "Amendment to the Bank Secrecy Act Regulations: Definitions and Other Regulations Relating to Prepaid Access," the Financial Crimes Enforcement Network (FinCEN) proposed new rules that would establish a more comprehensive regulatory framework for non-bank prepaid access. The proposed rule, which focuses on prepaid programs that pose the greatest potential risks of money laundering and terrorist financing, was developed in close cooperation with law enforcement and regulatory authorities.

Prepaid Access
The proposal is mandated under the Credit Card Accountability, Responsibility and Disclosure Act of 2009, and covers prepaid devices such as plastic cards, mobile phones, electronic serial numbers, key fobs and/or other mechanisms that provide a portal to funds that have been paid for in advance and are retrievable and transferable. The proposed changes are intended to address regulatory gaps that have resulted from the proliferation of prepaid innovations over the last 10 years and their increasing use as accepted payment methods.

Prepaid Access
Major features of the proposal:
- Renaming "stored value" as "prepaid access"
- Deleting the terms "issuer" and "redeemer" of stored value and adding the terms "provider" and "seller"
- Registration requirements on providers of prepaid access and suspicious activity reporting, customer information recordkeeping, and new transactional recordkeeping requirements on both providers and sellers of prepaid access
- Exempting certain categories of prepaid access products and services posing lower risks of money laundering and terrorist financing from certain requirements

How the System Works
[Diagram. Labels: Card Distribution Center (Bank, Post Office, Retailer); Card Holder/Payment Sender; Internet Registration; Card Distribution Company; Bank; ATM Network; ATM Locations; Recipient]

Types of Prepaid Cards
There are two types of Prepaid Cards, also known as Stored Value Cards:
- Closed system cards: restrict the user to purchasing goods and services from any merchant accepting electronic form of payment
- Open system cards: usable anywhere without restrictions, connected to the global automated teller machine (ATM) networks, easy to use across the world

Types of Prepaid Cards Closed End Open End Gift Card Incentive Prepaid Telephone Prepaid Franchise Mall Retail Payroll/Benefits HSA Accounts Use Anywhere Refunds Loyalty Programs Transit Agencies Services Cards

Closed System Cards
- Not re-loadable
- No ATM access
- Issued by merchants and service providers for specific goods and services (mass transit systems, retail stores, long distance prepaid cards)

Open System Cards
- Transactions processed on a payment network branded (i.e. Visa, Mastercard)
- Alternative to credit cards/cash
- ATM functionality
- Re-loadable
- Transferable
- No cross border reporting requirement

Risks
Money Laundering Vulnerabilities
- Funds can be loaded anywhere in the world
- Often no maximum load limit
- Used at ATMs or as credit cards
- No bank account needed
- Can be activated online
- Bank Secrecy Act (BSA) Know Your Customer (KYC) Policy and other BSA regulations often do not apply
- Bulk cash smuggling operations

Risks Low Risk Moderate Risk High Risk Fixed load amount per transaction Limit on total load amount Purchaser is existing customer of Issuing Bank Some limits Some limits Unlimited load amount Unlimited total load amount No Account relationship to Issuing Bank Known card holder Anonymous card holder One Time Load Known source of funds Source of Funds credit card Reloadable Source of Funds: Cash, Other, Prepaid Fund

Mitigating Factors
- Strong customer due diligence program
- Understand the market for the card
- Unusual activity monitoring
- Understand the channels
- Understand usage
- Understand data collected

Electronic Cash: Risk Mitigation
- Know the identity & location of all third parties involved in the prepaid card program, including any subagents.
- Obtain corporate documentation, licenses, references (including independent reporting services), and, if appropriate, documentation on principal owners.
- Understand the nature of the third parties' businesses and the markets and customer bases served.
- Information collected to identify and verify cardholder identity (KYC)
- Understand the type, purpose, and anticipated activity of the prepaid card program
- Obtain info to fully understand the nature & duration of the bank's relationship with third parties in the card program

Electronic Cash: Risk Mitigation
Card features can provide important mitigation to the BSA/AML risks inherent in prepaid card relationships and transactions and may include:
- Limits or prohibitions on cash loads, access, or redemption.
- Limits or prohibitions on amounts of loads and number of loads/reloads within a specific time frame (velocity or speed of fund use).
- Controls on the number of cards purchased by one individual.
- Maximum dollar thresholds on ATM withdrawals and on the number of withdrawals within a specific time frame (velocity or speed of fund use).
- Limits or prohibitions on certain usage (e.g., merchant type) and on geographic usage, such as outside the United States.
- Limits on aggregate card values.
FFIEC BSA/AML Examination

Bulk Currency Shipments

Bulk Currency Shipments
- Increase in Bulk Currency Shipments
- Required to report shipments in excess of USD$10,000
  - Exempt from shipment via USPS or Overland Carrier
  - Not Exempt for shipment via Air Courier or Airlines
- Issue: Cash leaves US and returns via FT or via Cash Letter Instrument
- Note: Currency Shipments, in and of themselves, do not necessarily indicate criminal or terrorism related activity

New Mexican Bank Regulations
- Regulations Imposing Restrictions on Mexican Banks for Transactions in US Currency
- Change in amount of cash (banknotes and coins) denominated in US Dollars that Mexican Banks May Receive
- Curb Flow of US Dollars from Criminal or Terrorist Activities

New Mexican Bank Regulations
The regulations provide that Mexican banks shall be prohibited from receiving U.S. currency for transactions involving currency exchange, and for receipt of payment for services, or transfers or remittances of funds, subject to the following conditions:
- For legal entities (in Spanish "personas morales") and trusts that are customers, U.S. currency transactions will be prohibited, unless such customer is based or conducts most of its business within a tourist area (to be identified by SHCP at a later date), within twenty miles of the U.S. border, or within the States of Baja California or South Baja California; in which cases the bank may receive an aggregate limit of USD$7,000 from its customer per calendar month.
- For legal entities and trusts that are non-customers, all U.S. currency transactions will be prohibited.
- For individuals who are customers, the aggregate limit in U.S. currency that the bank may receive from its customer per calendar month shall be $4000.
- For individuals who are non-customers, the aggregate limits in U.S. currency that the bank may receive from the individual shall be $300 per day, and $1500 per month. Only the monthly threshold of $1500 per person will apply to non-Mexicans (e.g., foreign tourists); the daily threshold will not apply.
- For all transactions for individuals who are non-customers, the Bank will be required to receive certain identification information from the transacting person.

New Mexican Bank Regulations
Examples of possible effects helpful in assessing risks and in ongoing monitoring of financial transactions:
- The overall amount of U.S. currency repatriated by Mexican banks to the United States will decline, with a possible further consolidation of the Mexican entities seeking currency repatriation services
- Individuals and businesses no longer able to deposit U.S. currency into Mexican banks may instead look directly to U.S. financial institutions to deposit U.S. currency
- US based financial institutions in the region of the Mexican border or near frequently used ports of entry for travel to and from Mexico by land, sea or air, should consider whether significant changes in their U.S. currency activity might be related to the changes in Mexico
- May lead to increased demand by Mexican persons, and non-Mexican persons doing business with Mexico, for other types of payment services or products to settle debts that might previously have been paid in U.S. currency. This could include increased demand for Mexican peso banknotes; debit cards, credit cards and prepaid products presented in Mexico to access funds in U.S. accounts; increased use of wire transfers; ACH; money orders, checks or other paper instruments; etc.
- May cause criminals in the United States to attempt to launder more U.S. currency within the United States

Funds Transfer
- Regulations change the way Cover Payments are handled
- SWIFT 202 COV Message
  - Requires all data concerning parties of interest to be included in message
  - Designed to streamline and improve transparency of all parties to the transaction

Cover Payment Basics
Pre November 2009 Funds Transfer
- U.S. intermediary banks are subject to increased risk of unknowingly facilitating illicit activities.
- U.S. intermediary banks previously did not receive all the details about the customer payment (MT103) to which the cover payment (MT202) relates, because the MT202 format does not require detailed information on the original Originator and Beneficiary.
Post November 2009
- MT202COV, MT203COV and MT205COV were implemented by SWIFT in November 2009 to address the lack of transparency in cover payments (additional data requirements to identify parties to the transaction).

International ACH (IATs) Travel Rule Requirements
The following information must be captured and included in IAT:
- Originator name
- Originator physical address
- Name of receiver (beneficiary)
- Physical address of receiver
- Account # of receiver

International ACH (IATs) Travel Rule Requirements (cont'd)
The following information must be captured and included in IAT:
- Identity of Receiver's Bank
- Correspondent Bank(s) Name, Bank ID #, and Bank Branch Country Code
- Reason for the payment
Unlike the Travel Rule, applies for IAT transactions of any amount (not just USD$3,000 and up like wire transfers).

Third Party Processors
- Nonbank or third-party payment processors (processors) are bank customers that provide payment-processing services to merchants and other business entities.
- These merchant transactions primarily include credit card payments as well as covered automated clearing house (ACH) transactions, remotely created checks (RCC), and debit and prepaid card transactions.
- Processors now provide services to a variety of merchant accounts, including conventional retail and Internet-based establishments, prepaid travel, telemarketers, and Internet gaming enterprises.
- Processors generally are not subject to BSA/AML regulatory requirements. As a result, some processors may be vulnerable to money laundering, identity theft, fraud schemes, and illicit transactions or transactions prohibited by OFAC.

Third Party Processors
Banks with third party payment processor customers should be aware of the heightened risk of unauthorized returns and use of services by higher-risk merchants. These entities might include:
- certain mail order and/or telephone order companies
- telemarketing companies
- illegal online gambling operations
- online payday lenders
- businesses that are located offshore
- adult entertainment businesses
Payment processors pose greater money laundering and fraud risk if they do not have an effective means of verifying their merchant clients' identities and business practices. Risks are heightened when adequate CDD/EDD on the merchants for which they are originating payments is not performed.

Third Party Processors Risk Mitigation
Banks offering account services to processors should develop and maintain adequate policies, procedures, and processes to address risks related to these relationships. A bank may assess the risks associated with payment processors by considering the following:
- Implementing a policy that requires an initial background check of the processor (using, for example, the Federal Trade Commission website, Better Business Bureau, state incorporation departments, Internet searches, OFAC and legal background checks and other investigative processes) and of the processor's underlying merchants, on a risk-adjusted basis, in order to verify their creditworthiness and general business practices.

Third Party Processors Risk Mitigation (cont'd)
- Reviewing the processor's promotional materials, including its website, to determine the target clientele.
- A bank may develop policies, procedures, and processes that restrict the types of entities for which it will allow processing services, such as:
  - offshore companies
  - online gambling-related operations
  - telemarketers
  - online payday lenders
- Such restrictions should be clearly communicated to the processor at account opening.
- Does the processor re-sell its services to a third party who may be referred to as an agent or provider of Independent Sales Organization (ISO) opportunities or gateway arrangements?

Third Party Processors Risk Mitigation (cont'd)
- Reviewing the processor's policies, procedures, and processes to determine the adequacy of its due diligence standards for new merchants.
- Requiring the processor to identify its major customers by providing information such as the merchant's name, principal business activity, and geographic location.
- Verifying directly, or through the processor, that the merchant is operating a legitimate business by comparing the merchant's identifying information against public record databases, and fraud and bank check databases.
- Reviewing corporate documentation including independent reporting services and, if applicable, documentation on principal owners.

Third Party Processors Risk Mitigation (cont'd)
- Visiting the processor's business operations center.
- Monitor their processor relationships for any significant changes in the third party processor's business strategies that may affect their risk profile.
- Periodically re-verify and update the processors' profiles to ensure the risk assessment is appropriate.

Third Party Processors Risk Mitigation (cont'd)
In addition to adequate and effective account opening and due diligence procedures for processor accounts, management should monitor these relationships for unusual and suspicious activities. To effectively monitor these accounts, the bank should have an understanding of the following processor information:
- Merchant base
- Merchant activities
- Average dollar volume and number of transactions
- Swiping versus keying volume for credit card transactions
- Charge-back history, including rates of return for ACH debit transactions and RCCs
- Consumer complaints that suggest a payment processor's merchant clients are inappropriately obtaining personal account information and using it to create unauthorized RCCs or ACH debits

Shaun M. Hassett, CAMS Vice President, Practice Leader The LUBRINCO Group, Ltd., Inc. +1 847 458 8670 shassett@lubrinco.com