Just a few short years ago, a majority of financial institutions scoured green bar reports of account transactions daily to collect information that was usually manually entered into paper Currency Transaction Reports (“CTR”) and Suspicious Activity Reports (“SAR”). Even earlier, suspicious activity was reported on the Criminal Referral Form, which was replaced with the SAR by the Annunzio-Wylie Anti-Money Laundering Act (1992). For many institutions, the Bank Secrecy Act (“BSA”) compliance process was plagued with inconsistencies, data omissions, and timeliness challenges. Similarly, many institutions’ Office of Foreign Assets Control (“OFAC”) checking system consisted of a hard-copy printout of the OFAC Specially Designated Nationals (“SDN”) list which was circulated among key individuals periodically to manually “review” for matches against customer accounts.

Fast-forward to 2012. Financial institutions operate sophisticated, state-of-the-art BSA programs that, not only demonstrate adherence to the “four pillars” BSA principles – internal policies and procedures for day-to-day compliance; a dedicated BSA compliance officer; independent testing of the program; and on-going BSA training for all personnel –  but differentiate and manage levels of risk among various customer, geographic, and product segments. Some significant developments in BSA reporting and recordkeeping technology developed in 2012 and will continue in 2013. Too, as the industry and its methods of meeting regulatory challenges evolve, regulator expectations also evolve and become manifested in evolutionary challenges.

E-Filing – The Diminishing “Paper” Trail

On July 1, 2012, the era of paper filing was, for all practical purposes, extinguished. Financial Crimes Enforcement Network (“FinCEN”) forms must now be electronically filed (E-Filed) through the FinCEN E-filing portal. FinCEN will no longer accept most paper filings and has allowed exceptions and exemptions only in certain circumstances. The E-Filing process dovetails with sweeping movements in the financial services world for increased efficiency and use of automation in both government and private industry. It also provides the appropriate environment for future versions of FinCEN forms and reports. Past the initial upgrades or systems adjustments that some organizations may face, the electronic filing certainly enhances speed, accuracy and recordkeeping consistency for the BSA/AML process.

FinCEN’s New Currency Transaction Report and Suspicious Activity Report

On March 29, 2012, FinCEN began to accept the new CTR and SAR into FinCEN’s BSA E-Filing System. Together, these two new reports replace FinCEN Form 104 (CTR), FinCEN Form 103 (CTR by Casinos), and all of the industry-specific SARs (TD F 90-22.47, FinCEN Form 101, FinCEN Form 102, and FinCEN Form 109) (collectively, “legacy reports”). The new CTR and SAR reports may only be submitted electronically and coincide with the E-filing mandate. Use of the new CTR and SAR forms is required by March 31, 2013.

While the new CTR and SAR forms do not create any new obligations or otherwise change existing statutory and regulatory expectations of financial institutions, the structure of the forms is revised and fields of data collected are enhanced. FinCEN developed the new forms through dialogue with federal law enforcement and regulatory partners. The modernized information technology (“IT”) system is driven by the data collection instead of form design. Some of the new data elements will trigger third-party data enhancements after the new reports are received by FinCEN, such as postal geographic validation of entries in address fields, which will help ensure consistency in reporting and allow users of FinCEN’s modernized IT system to benefit from the enhanced information. All of these updates to the IT system will allow more advanced and sophisticated querying for law enforcement and regulators. On September 10, 2012, in a related issuance, FinCEN announced the availability of the system for queries by authorized users, who generally consist of FinCEN’s law enforcement and regulatory partners.

Trends – Risk Assessments and Enterprise Risk Management

Risk Assessments

Risk assessments have become de rigueur to enterprise risk management (“ERM”) across the board; however, that practice is substantially rooted in BSA compliance. Although the intensity has increased dramatically over the past few years, banks and non-bank financial institutions have been applying the risk assessment process to products and services since 2000 and before. Regulatory scrutiny, too, has escalated, and, in the “risk-based” examination environment, the regulatory agencies depend heavily on the institution’s ability to maintain records of and demonstrate the sufficiency of coverage and adequacy of the BSA compliance management program to shape the scope and depth of examinations – the onus is on financial institutions to conduct detailed risk assessments and demonstrate their validity as a precursor to the context of other elements in the program regimen.

How should a financial institution or MSB determine whether the identified BSA/AML/OFAC risk assessment is adequate to identify, measure, monitor, and control the BSA/AML/OFAC risks before the regulators conduct their next examination?  Think enterprise-wide and identify and consider all business lines, this is especially true for companies that oversee and administer the BSA/AML/OFAC compliance program at the holding company level.  Identify and consider how the risks of one line of business are interrelated with other lines of business within the organization.

Smaller institutions often forget to include mortgage, broker-dealer or trust in their risk assessment.  MSBs often forget to include all their products lines including agents check cashing, remote deposit capture for their agents, and prepaid card sales.  No matter how the company is structured, management must show cross-organizational awareness and reassess the BSA/AML/OFAC risks periodically to keep current with the changing business environment.

Once all lines of business are included in the risk assessment and all products, services, customers and geographic locations that are unique to the institution should be documented.  Things to consider when assessing the BSA/AML/OFAC risks are risks within each risk category as well as certain products, services, customers and geographic locations that are more susceptible to BSA/AML/OFAC risks or have been used historically for illicit means.  Remember to consider how the institution conducts business with its customers. Is it face-to-face or online?

The more detailed the information provided in the risk assessment the better the quality of the overall risk assessment.  After all risk categories have been identified, the institution should quantify the risk for each category using actual numbers.  The final step in the risk assessment should be to make an overall evaluation of the institution’s BSA/AML/OFAC level of risk (low, moderate, or high).  The overall risk profile and level of risk should lead the institution in establishing risk mitigants when designing an appropriate BSA/AML/OFAC compliance program.  The BSA/AML/OFAC risk assessment should be updated and approved by the Board of Directors (or similar management group) at least every 12 to 18 months.  The BSA/AML/OFAC risk assessment is a living document and should be updated on an-ongoing basis, especially when introducing new products or services.

Enterprise Risk Management – The Big Picture

The financial services industry has transformed risk management models many times from the time the first deposit accounts were entrusted to financial institutions to our current state of instantaneous movement of funds.  Financial institutions have traditionally played the role of a trusted community partner because of their fiduciary responsibilities, and the business has been founded on taking measured risks. As the products and services get more creative, the disciplines employed to prevent, detect, and respond to BSA and anti-money laundering (“AML”) issues are applicable across many types of financial crimes risk management.

The face of banking has changed significantly over the past 25 years and regulators place increased emphasis on managing BSA risk as a part of a larger plan.  Incumbent with benefits of building global commerce and offering competitive products, financial institutions have experienced increased financial crimes risk management challenges, not only for tracking the source and movement of funds, but customer bases that have expanded to a globally-remote population.

Financial institutions have begun to maximize their financial crimes resources by implementing the investigative approach to the policies, procedures, programs, and people who are involved in risk management disciplines across the organization.  The investigative approach pulls together sources of information and expertise that may be dispersed across the organization.  For instance, parallels exist across various types of financial crime – methods, intent, and results – and the transactional or account information available about activities conducted through the financial institution can be used more productively when the investigative approach is employed.

Risk management, compliance, loss prevention, a financial intelligence unit, fraud prevention, internal audit – they go by many names in various organizations, but they all have similar interests – to prevent, detect, or mitigate financial crime and its effects. Your organization may not have all of these positions, but, think of who has parallel responsibilities – Operations Officers, Head Tellers, and the like. The data that the investigation team considers comes from many sources – reports aggregated or submitted to government agencies, transaction monitoring, records review, audits, external reviews or examinations.  The key is to share the information and develop a method of finding associations among the data.

There’s a balance to compliance and operational costs and the costs of repairing damage done – financial, reputational, operational – all these risks can affect the organization negatively or positively. The old saying goes, an ounce of prevention is worth a pound of cure –  you either pay for BSA risk management on the front end, or pay for it on the back end – and generally, the costs are much greater the later the price is paid. When things are going well, it’s easy to fall into a false sense of security. As we will present later, we are still seeing the evidence of systemic and internal control breakdowns in violations and orders issued against financial institutions.

There are good reasons to approach financial crimes mitigation “loaded for bear” for form and for function. Certainly, it is our wish to successfully navigate the rigors of regulatory exams and to thwart real risk to the organization and its customers. As diligent as bank and non-bank institutions have become, we still see gaps that are evidenced by public results of examinations and investigations, and, that are, no doubt, reflected further in non-public results of the same.

2012 BSA/AML Penalties

04/15/12 Citibank N.A. – C & D Order

2012 OFAC Penalties

Hot Buttons

Aggregation Aggravation

In March 2012 the Financial Crimes Enforcement Network (“FinCEN”) released Guidance FIN-2012-G001 “Currency Transaction Report Aggregation for Businesses with Common Ownership” (“Guidance”).  This new Guidance expands on the requirements that a financial institution must file a Currency Transaction Report (“CTR”) when it has knowledge that the same person has conducted multiple transactions that total more than $10,000 in currency in one business day or when it has knowledge that multiple transactions that total more than $10,000 in currency in one business day are on behalf of the same person.This new Guidance expands on the requirement that a financial institution must file a currency transaction report (“CTR”) when it has knowledge that the same person has conducted multiple transactions that total more than $10,000 in currency in one business day or when it has knowledge that multiple transactions that total more than $10,000 in currency in one business day are on behalf of the same person. The Guidance gives, as an example and reminder, that a financial institution is considered to have knowledge that the same person deposited $11,000 in cash transactions in a single business day if it is aware that the same individual made both a $5,000 cash deposit into his personal account and, later that same business day, a $6,000 cash deposit into his employer’s business account, i.e., the financial institution is required to file a CTR.

The Guidance also explains that although multiple businesses may share a common owner, the presumption is that separately incorporated entities are independent persons, but that the presumption that the entities are separate is rebuttable. FinCEN explained that it is ultimately up to the financial institution to determine, based on information obtained in the ordinary course of business, whether multiple businesses that share a common owner are, in fact, being operated independently depending on all the facts and circumstances. Financial institutions may determine that aggregating the businesses’ transactions is appropriate because the transactions were made on behalf of a single person. Thus, it is explained that when determining whether to aggregate transactions as being on behalf of the same person, a financial institution must use its knowledge of relevant facts and circumstances. There are no universal rules applicable to any situation. Alternatively, once a financial institution determines that the businesses are not independent of each other or their common owner, then the transactions of these businesses should be aggregated going forward.

Aggregation continues to be a difficult process.  It is important to establish appropriate controls and properly document compliance involving more than one entity and the required CTR filing.  Each financial institution should review its current procedures and controls and determine if the current efforts to aggregate cash transactions are sufficient or should be enhanced based on the Guidance.

Customer Due Diligence and Enhanced Due Diligence

As stated in The FFIEC Bank Secrecy Act / Anti-Money Laundering Examination Manual issued in 2010:

“The cornerstone of a strong BSA/AML compliance program is the adoption and implementation of comprehensive CDD policies, procedures, and processes for all customers, particularly those that present a higher risk for money laundering and terrorist financing. The objective of CDD should be to enable the bank to predict with relative certainty the types of transactions in which a customer is likely to engage. These processes assist the bank in determining when transactions are potentially suspicious. The concept of CDD begins with verifying the customer’s identity and assessing the risks associated with that customer. Processes should also include enhanced CDD for higher-risk customers and ongoing due diligence of the customer base.”

The objective of Customer Due Diligence (“CDD”) is to make sure that a financial services business knows its customers, and can predict with relative certainty the type of monetary transactions a customer is likely to be involved in.  The process begins with verifying the customer’s identity and evaluating the risks associated with that specific customer.  For higher risk customers, an Enhanced Customer Due Diligence (“EDD”) process needs to be implemented.

Over the past ten years, FinCEN and the Treasury Department have continued to engage the federal financial regulatory agencies, financial institutions, and Congress to combat various risks associated with the criminal abuse of legal entities, such as shell companies, and the associated exploitation of the financial system to facilitate financial crime, including money laundering, financing of terrorism and proliferation, and tax evasion. Despite efforts to highlight and clarify CDD and beneficial ownership expectations over this time, FinCEN is concerned that there is a lack of uniformity and consistency in the way financial institutions address these implicit CDD obligations and collect beneficial ownership information within and across industries.

An express CDD program rule is one key element of a broader U.S. Department of the Treasury strategy to enhance financial transparency in order to strengthen efforts to combat financial crime. Enhancing financial transparency to address such ongoing abuse of legal entities requires a broad approach. Other key elements of this strategy include: (i) improving the availability of beneficial ownership information of legal entities created in the United States; and (ii) facilitating global implementation of international standards regarding CDD and beneficial ownership of legal entities.

On March 5, 2012, FinCEN issued an advance notice of proposed rulemaking (“ANPRM”) to solicit public comment on a wide range of questions pertaining to the possible application of an explicit customer due diligence (CDD) obligation on financial institutions, including a requirement for financial institutions to identify beneficial ownership of their accountholders.  FinCEN has held numerous roundtable sessions specifically seeking clarification, including examples, where appropriate, on the following issues:

1. Multiple comment letters indicated that some financial institutions already identify beneficial ownership of their customers in certain circumstances. FinCEN seeks detailed information as to how and when those financial institutions currently obtain beneficial ownership information, including, but not limited to: (i) the circumstances in which financial institutions obtain beneficial ownership information other than in connection with the regulations implementing Section 312 of the USA PATRIOT ACT, (ii) the basis for determining that such circumstances warrant the collection of beneficial ownership information, (iii) the specific procedures financial institutions currently use to obtain beneficial ownership information in such circumstances, including the definition of “beneficial owner” used, and (iv) how those circumstances and procedures vary across different lines of business, product type, customer profile and geographic location.
2. FinCEN seeks detailed information as to whether and how financial institutions currently verify beneficial ownership information obtained from their customers. The information sought includes, but is not limited to, whether and how financial institutions verify: (i) the identity of the individual identified by the customer as the beneficial owner of the customer, and (ii) that the individual identified by the customer as the beneficial owner, is indeed the beneficial owner of the customer (i.e., the status of the identified individual).
3. FinCEN seeks detailed information as to the costs associated with obtaining beneficial ownership information under current practices, and the expected costs associated with obtaining beneficial ownership information as discussed in the ANPRM.
4. FinCEN seeks detailed information as to the costs associated with verifying beneficial ownership information to the extent this is done under current practices, and the expected costs associated with verifying beneficial ownership information as discussed in the ANPRM.
5. Multiple comment letters expressed concern regarding the definition of “beneficial owner” in connection with a categorical requirement for financial institutions to identify beneficial ownership of their customers, as discussed in the ANPRM. FinCEN seeks detailed information about potential alternative definitions, and why such alternatives would be preferable from a financial institution’s perspective.
6. As reflected in multiple comment letters, certain financial institutions already identify beneficial ownership of their customers in certain circumstances in order to manage risk more effectively. FinCEN seeks detailed information about how identifying beneficial owners enhances a financial institution’s ability to manage risk. FinCEN also seeks detailed information as to the circumstances and account relationships in which beneficial ownership information may not be relevant for financial institutions in managing risk.
7. Many commenters have suggested FinCEN consider requiring financial institutions to obtain beneficial ownership information of their customers on a risk basis. FinCEN seeks detailed information as to (i) how financial institutions would expect to assess risk in determining whether to obtain beneficial ownership information (e.g., what specific factors would a financial institution consider), (ii) specific examples of any customer or account relationships or red flags that would be considered of higher risk for purposes of obtaining and verifying beneficial ownership information, and similarly any such relationships that would be considered of lower risk for purposes of obtaining and verifying beneficial ownership information, and (iii) how financial institutions would obtain and verify beneficial ownership information on a risk basis. For those financial institutions that already obtain beneficial ownership information on a risk basis, FinCEN seeks detailed information as to when they obtain it – during the on boarding process, or after a review of the account activity? If the latter, would the review of the account activity be a part of a periodic/routine review conducted by the financial institution or based upon the identification of red flags? Do financial institutions reassess risk presented periodically or based upon red flags identified? What steps do financial institutions take when new risks have been identified?
8. FinCEN seeks additional detailed information as to the abilities and limitations of a financial institution in mitigating risk associated with its customer’s underlying clients in the context of intermediated accounts. The information sought includes, but is not limited to: (i) the factors a financial institution considers when conducting diligence on its customer (i.e., the intermediary) to assess the risk of the account (e.g., whether the customer is (1) a domestic or foreign entity, (2) regulated or unregulated for anti-money laundering purposes, etc.), (ii) whether, and if so, in what circumstances and what type of information does a financial institution obtain from its customer (i.e., the intermediary) about the customer’s underlying clients, and (iii) any monitoring or other procedures applied to the customer’s account to identify suspicious activity and mitigate risks that may be associated with the customer’s underlying clients.
9. FinCEN seeks detailed information as to how financial institutions currently conduct due diligence on trust accounts. The information sought includes, but is not limited to: (i) how financial institutions assess risk with respect to trust accounts, as opposed to accounts held by natural persons or legal entities, and (ii) what information a financial institution obtains about the trust, including identifying information about the trustee.
10. FinCEN seeks detailed information as to the differences, if any, in obtaining beneficial ownership information from foreign legal entity customers compared to domestic legal entity customers.
11. Lack of transparency in the formation and operation of “shell companies” may be a desired characteristic for certain legitimate business activity, but it is also a vulnerability that allows these companies to disguise their ownership and purpose. FinCEN seeks detailed information as to whether and how financial institutions identify whether legal entity customers are “shell companies.”