Just a few short years ago, a majority of financial institutions scoured green bar reports of account transactions daily to collect information that was usually manually entered into paper Currency Transaction Reports (“CTR”) and Suspicious Activity Reports (“SAR”). Even earlier, suspicious activity was reported on the Criminal Referral Form, which was replaced with the SAR by the Annunzio-Wylie Anti-Money Laundering Act (1992). For many institutions, the Bank Secrecy Act (“BSA”) compliance process was plagued with inconsistencies, data omissions, and timeliness challenges. Similarly, many institutions’ Office of Foreign Assets Control (“OFAC”) checking system consisted of a hard-copy printout of the OFAC Specially Designated Nationals (“SDN”) list which was circulated among key individuals periodically to manually “review” for matches against customer accounts.
Fast-forward to 2012. Financial institutions operate sophisticated, state-of-the-art BSA programs that, not only demonstrate adherence to the “four pillars” BSA principles – internal policies and procedures for day-to-day compliance; a dedicated BSA compliance officer; independent testing of the program; and on-going BSA training for all personnel – but differentiate and manage levels of risk among various customer, geographic, and product segments. Some significant developments in BSA reporting and recordkeeping technology developed in 2012 and will continue in 2013. Too, as the industry and its methods of meeting regulatory challenges evolve, regulator expectations also evolve and become manifested in evolutionary challenges.
On July 1, 2012, the era of paper filing was, for all practical purposes, extinguished. Financial Crimes Enforcement Network (“FinCEN”) forms must now be electronically filed (E-Filed) through the FinCEN E-filing portal. FinCEN will no longer accept most paper filings and has allowed exceptions and exemptions only in certain circumstances. The E-Filing process dovetails with sweeping movements in the financial services world for increased efficiency and use of automation in both government and private industry. It also provides the appropriate environment for future versions of FinCEN forms and reports. Past the initial upgrades or systems adjustments that some organizations may face, the electronic filing certainly enhances speed, accuracy and recordkeeping consistency for the BSA/AML process.
On March 29, 2012, FinCEN began to accept the new CTR and SAR into FinCEN’s BSA E-Filing System. Together, these two new reports replace FinCEN Form 104 (CTR), FinCEN Form 103 (CTR by Casinos), and all of the industry-specific SARs (TD F 90-22.47, FinCEN Form 101, FinCEN Form 102, and FinCEN Form 109) (collectively, “legacy reports”). The new CTR and SAR reports may only be submitted electronically and coincide with the E-filing mandate. Use of the new CTR and SAR forms is required by March 31, 2013.
While the new CTR and SAR forms do not create any new obligations or otherwise change existing statutory and regulatory expectations of financial institutions, the structure of the forms is revised and fields of data collected are enhanced. FinCEN developed the new forms through dialogue with federal law enforcement and regulatory partners. The modernized information technology (“IT”) system is driven by the data collection instead of form design. Some of the new data elements will trigger third-party data enhancements after the new reports are received by FinCEN, such as postal geographic validation of entries in address fields, which will help ensure consistency in reporting and allow users of FinCEN’s modernized IT system to benefit from the enhanced information. All of these updates to the IT system will allow more advanced and sophisticated querying for law enforcement and regulators. On September 10, 2012, in a related issuance, FinCEN announced the availability of the system for queries by authorized users, who generally consist of FinCEN’s law enforcement and regulatory partners.
Risk assessments have become de rigueur to enterprise risk management (“ERM”) across the board; however, that practice is substantially rooted in BSA compliance. Although the intensity has increased dramatically over the past few years, banks and non-bank financial institutions have been applying the risk assessment process to products and services since 2000 and before. Regulatory scrutiny, too, has escalated, and, in the “risk-based” examination environment, the regulatory agencies depend heavily on the institution’s ability to maintain records of and demonstrate the sufficiency of coverage and adequacy of the BSA compliance management program to shape the scope and depth of examinations – the onus is on financial institutions to conduct detailed risk assessments and demonstrate their validity as a precursor to the context of other elements in the program regimen.
How should a financial institution or MSB determine whether the identified BSA/AML/OFAC risk assessment is adequate to identify, measure, monitor, and control the BSA/AML/OFAC risks before the regulators conduct their next examination? Think enterprise-wide and identify and consider all business lines, this is especially true for companies that oversee and administer the BSA/AML/OFAC compliance program at the holding company level. Identify and consider how the risks of one line of business are interrelated with other lines of business within the organization.
Smaller institutions often forget to include mortgage, broker-dealer or trust in their risk assessment. MSBs often forget to include all their products lines including agents check cashing, remote deposit capture for their agents, and prepaid card sales. No matter how the company is structured, management must show cross-organizational awareness and reassess the BSA/AML/OFAC risks periodically to keep current with the changing business environment.
Once all lines of business are included in the risk assessment and all products, services, customers and geographic locations that are unique to the institution should be documented. Things to consider when assessing the BSA/AML/OFAC risks are risks within each risk category as well as certain products, services, customers and geographic locations that are more susceptible to BSA/AML/OFAC risks or have been used historically for illicit means. Remember to consider how the institution conducts business with its customers. Is it face-to-face or online?
The more detailed the information provided in the risk assessment the better the quality of the overall risk assessment. After all risk categories have been identified, the institution should quantify the risk for each category using actual numbers. The final step in the risk assessment should be to make an overall evaluation of the institution’s BSA/AML/OFAC level of risk (low, moderate, or high). The overall risk profile and level of risk should lead the institution in establishing risk mitigants when designing an appropriate BSA/AML/OFAC compliance program. The BSA/AML/OFAC risk assessment should be updated and approved by the Board of Directors (or similar management group) at least every 12 to 18 months. The BSA/AML/OFAC risk assessment is a living document and should be updated on an-ongoing basis, especially when introducing new products or services.
Enterprise Risk Management – The Big Picture
The financial services industry has transformed risk management models many times from the time the first deposit accounts were entrusted to financial institutions to our current state of instantaneous movement of funds. Financial institutions have traditionally played the role of a trusted community partner because of their fiduciary responsibilities, and the business has been founded on taking measured risks. As the products and services get more creative, the disciplines employed to prevent, detect, and respond to BSA and anti-money laundering (“AML”) issues are applicable across many types of financial crimes risk management.
The face of banking has changed significantly over the past 25 years and regulators place increased emphasis on managing BSA risk as a part of a larger plan. Incumbent with benefits of building global commerce and offering competitive products, financial institutions have experienced increased financial crimes risk management challenges, not only for tracking the source and movement of funds, but customer bases that have expanded to a globally-remote population.
Financial institutions have begun to maximize their financial crimes resources by implementing the investigative approach to the policies, procedures, programs, and people who are involved in risk management disciplines across the organization. The investigative approach pulls together sources of information and expertise that may be dispersed across the organization. For instance, parallels exist across various types of financial crime – methods, intent, and results – and the transactional or account information available about activities conducted through the financial institution can be used more productively when the investigative approach is employed.
Risk management, compliance, loss prevention, a financial intelligence unit, fraud prevention, internal audit – they go by many names in various organizations, but they all have similar interests – to prevent, detect, or mitigate financial crime and its effects. Your organization may not have all of these positions, but, think of who has parallel responsibilities – Operations Officers, Head Tellers, and the like. The data that the investigation team considers comes from many sources – reports aggregated or submitted to government agencies, transaction monitoring, records review, audits, external reviews or examinations. The key is to share the information and develop a method of finding associations among the data.
There’s a balance to compliance and operational costs and the costs of repairing damage done – financial, reputational, operational – all these risks can affect the organization negatively or positively. The old saying goes, an ounce of prevention is worth a pound of cure – you either pay for BSA risk management on the front end, or pay for it on the back end – and generally, the costs are much greater the later the price is paid. When things are going well, it’s easy to fall into a false sense of security. As we will present later, we are still seeing the evidence of systemic and internal control breakdowns in violations and orders issued against financial institutions.
There are good reasons to approach financial crimes mitigation “loaded for bear” for form and for function. Certainly, it is our wish to successfully navigate the rigors of regulatory exams and to thwart real risk to the organization and its customers. As diligent as bank and non-bank institutions have become, we still see gaps that are evidenced by public results of examinations and investigations, and, that are, no doubt, reflected further in non-public results of the same.
04/15/12 Citibank N.A. – C & D Order
|08/22/12||Grand Resources USA Inc.||$402,000|
|07/10/12||Great Western Malting Co||$1,347,750|
|06/14/12||National Bank of Abu Dhabi||$855,000|
|06/12/12||ING Bank N.V.||$619,000,000|
|05/21/12||Genesis Asset Managers, LLP||$112,500|
|04/25/12||Sandhill Scientific Inc.||$126,000|
|04/10/12||Essie Cosmetics Ltd and Individual Corporate Officer||$450,000|
|02/24/12||Online Micro LLC||$1,054,388|
|02/21/12||Richland Trace Homeowners Association, Inc.||$9,000|
|07/07/12||Teledyne Technologies, Inc.||$30,385|
In March 2012 the Financial Crimes Enforcement Network (“FinCEN”) released Guidance FIN-2012-G001 “Currency Transaction Report Aggregation for Businesses with Common Ownership” (“Guidance”). This new Guidance expands on the requirements that a financial institution must file a Currency Transaction Report (“CTR”) when it has knowledge that the same person has conducted multiple transactions that total more than $10,000 in currency in one business day or when it has knowledge that multiple transactions that total more than $10,000 in currency in one business day are on behalf of the same person.This new Guidance expands on the requirement that a financial institution must file a currency transaction report (“CTR”) when it has knowledge that the same person has conducted multiple transactions that total more than $10,000 in currency in one business day or when it has knowledge that multiple transactions that total more than $10,000 in currency in one business day are on behalf of the same person. The Guidance gives, as an example and reminder, that a financial institution is considered to have knowledge that the same person deposited $11,000 in cash transactions in a single business day if it is aware that the same individual made both a $5,000 cash deposit into his personal account and, later that same business day, a $6,000 cash deposit into his employer’s business account, i.e., the financial institution is required to file a CTR.
The Guidance also explains that although multiple businesses may share a common owner, the presumption is that separately incorporated entities are independent persons, but that the presumption that the entities are separate is rebuttable. FinCEN explained that it is ultimately up to the financial institution to determine, based on information obtained in the ordinary course of business, whether multiple businesses that share a common owner are, in fact, being operated independently depending on all the facts and circumstances. Financial institutions may determine that aggregating the businesses’ transactions is appropriate because the transactions were made on behalf of a single person. Thus, it is explained that when determining whether to aggregate transactions as being on behalf of the same person, a financial institution must use its knowledge of relevant facts and circumstances. There are no universal rules applicable to any situation. Alternatively, once a financial institution determines that the businesses are not independent of each other or their common owner, then the transactions of these businesses should be aggregated going forward.
Aggregation continues to be a difficult process. It is important to establish appropriate controls and properly document compliance involving more than one entity and the required CTR filing. Each financial institution should review its current procedures and controls and determine if the current efforts to aggregate cash transactions are sufficient or should be enhanced based on the Guidance.
Customer Due Diligence and Enhanced Due Diligence
As stated in The FFIEC Bank Secrecy Act / Anti-Money Laundering Examination Manual issued in 2010:
“The cornerstone of a strong BSA/AML compliance program is the adoption and implementation of comprehensive CDD policies, procedures, and processes for all customers, particularly those that present a higher risk for money laundering and terrorist financing. The objective of CDD should be to enable the bank to predict with relative certainty the types of transactions in which a customer is likely to engage. These processes assist the bank in determining when transactions are potentially suspicious. The concept of CDD begins with verifying the customer’s identity and assessing the risks associated with that customer. Processes should also include enhanced CDD for higher-risk customers and ongoing due diligence of the customer base.”
The objective of Customer Due Diligence (“CDD”) is to make sure that a financial services business knows its customers, and can predict with relative certainty the type of monetary transactions a customer is likely to be involved in. The process begins with verifying the customer’s identity and evaluating the risks associated with that specific customer. For higher risk customers, an Enhanced Customer Due Diligence (“EDD”) process needs to be implemented.
Over the past ten years, FinCEN and the Treasury Department have continued to engage the federal financial regulatory agencies, financial institutions, and Congress to combat various risks associated with the criminal abuse of legal entities, such as shell companies, and the associated exploitation of the financial system to facilitate financial crime, including money laundering, financing of terrorism and proliferation, and tax evasion. Despite efforts to highlight and clarify CDD and beneficial ownership expectations over this time, FinCEN is concerned that there is a lack of uniformity and consistency in the way financial institutions address these implicit CDD obligations and collect beneficial ownership information within and across industries.
An express CDD program rule is one key element of a broader U.S. Department of the Treasury strategy to enhance financial transparency in order to strengthen efforts to combat financial crime. Enhancing financial transparency to address such ongoing abuse of legal entities requires a broad approach. Other key elements of this strategy include: (i) improving the availability of beneficial ownership information of legal entities created in the United States; and (ii) facilitating global implementation of international standards regarding CDD and beneficial ownership of legal entities.
On March 5, 2012, FinCEN issued an advance notice of proposed rulemaking (“ANPRM”) to solicit public comment on a wide range of questions pertaining to the possible application of an explicit customer due diligence (CDD) obligation on financial institutions, including a requirement for financial institutions to identify beneficial ownership of their accountholders. FinCEN has held numerous roundtable sessions specifically seeking clarification, including examples, where appropriate, on the following issues: