BSA & OFAC Compliance for Directors & Supervisory/Audit Committee October 10, 2012
Presenter
John Misgen, CPA
• Senior Compliance Consultant with CliftonLarsonAllen LLP (CLA) for more than six years
• Has provided regulatory compliance assistance, including BSA/AML/OFAC testing, to financial institutions ranging from less than $5 million in assets to more than $1 billion in assets
• CliftonLarsonAllen is the nation’s largest auditor of credit unions with more than $40 million in assets
• John is part of the regulatory compliance group within CLA. The group focuses 100% of its time and resources on performing compliance testing and providing regulatory compliance assistance to financial institutions
Recent Enforcement Actions
In the news:
• 2010: Wachovia Bank $110,000,000
• 2010: Pamrapo Savings Bank $5,000,000
• 2010: ABN AMRO Bank $500,000,000
• 2011: Zions First Nat’l Bank $8,000,000
• 2011: Ocean Bank $10,900,000
• 2011: Mendoza (individual) $25,000 and 6 months prison
• 2012: Citibank, N.A. Cease and desist
• 2012: ING Bank N.V. $619,000,000
Overview of the Regulations
• Bank Secrecy Act
• USA Patriot Act
• Office of Foreign Assets Control
Board of Directors’ Responsibilities
• Approve the BSA/AML compliance program
• Ensure the credit union maintains an effective BSA/AML internal control structure
• Track audit deficiencies and document corrective action
• Designate a qualified individual to serve as the BSA compliance officer
• Develop policies, procedures, and processes, based on the credit union’s risk assessment, to ensure compliance with OFAC laws and regulations
1) BSA/AML Compliance Program
• Management should structure the financial institution’s BSA/AML compliance program to adequately address its risk profile
• The BSA/AML compliance program must provide for four minimum requirements
• The Board is required to approve the program – MUST BE NOTED IN MINUTES
Program Requirements
• The BSA/AML compliance program must provide for the following minimum requirements:
– A system of internal controls to ensure ongoing compliance
– Independent testing of BSA/AML compliance
– Designation of an individual or individuals responsible for managing BSA compliance (BSA compliance officer)
– Training for appropriate personnel
2) Internal Controls The Board, acting through senior management, is ultimately responsible for ensuring an effective BSA/AML internal control structure, including suspicious activity monitoring and reporting.
Internal Control Requirements
• Risk identification
• Inform the Board of compliance initiatives, deficiencies/corrective action, and SARs filed
• Identify the person(s) responsible for BSA compliance
• Provide for program continuity
• Meet recordkeeping and reporting requirements
• Provide timely updates reflecting changes to the Act
BSA/AML Risk Assessment
• The BSA/AML compliance program must be designed around a risk assessment
• There are many effective methods and formats for conducting the risk assessment
• Business accounts pose more risk; additional time and resources are needed to perform these assessments
• SHOULD BE REPORTED TO THE BOARD
Internal Controls (cont) Internal controls consist of policies, procedures, and processes designed to limit and control risks and to achieve compliance with the BSA. The level of sophistication of the internal controls should be commensurate with the size, structure, risks, and complexity
Internal Controls (cont)
Internal controls should:
– Inform the Board, or a committee, and senior management of compliance initiatives, compliance deficiencies, and corrective action taken
– Notify the Board of SARs filed
Recordkeeping
• Generally five years
– Purchase/sale of monetary instruments
– Funds transfers
– Foreign correspondent accounts (not covered)
• Refer to Appendix P of the 2010 FFIEC BSA/AML Examination Manual for the detailed record retention schedule
Monetary Instruments Recordkeeping
• Recordkeeping is only required if daily purchases aggregate to $3,000 or more
• Requirements apply to member purchases
• Non-members: more information is required
• Need to have a process in place to aggregate multiple purchases of less than $3,000 each at multiple branches when the daily aggregate is $3,000 or more
Funds Transfers Recordkeeping
• Originator responsibilities
• Beneficiary responsibilities
• Must be retrievable by name and account number for five years
• Must have a process to monitor funds transfers for suspicious activity
Reporting Requirements
All should be addressed in policy:
• Suspicious Activity Reporting
• Currency Transaction Reporting
– Exemptions available for certain accounts
• Foreign Bank and Financial Accounts Reporting (not covered)
• International transportation of currency or monetary instruments reporting (not covered)
SAR Reporting Requirements
• Criminal violations involving insider abuse in any amount
• Criminal violations aggregating $5,000 or more when a suspect can be identified
• Criminal violations aggregating $25,000 or more regardless of a potential suspect
• Transactions conducted or attempted by, at, or through the financial institution (or an affiliate) and aggregating $5,000 or more, if the financial institution or affiliate knows, suspects, or has reason to suspect that the transaction:
– May involve potential money laundering or other illegal activity (e.g., terrorism financing)
– Is designed to evade the BSA or its implementing regulations
– Has no business or apparent lawful purpose, or is not the type of transaction that the particular member would normally be expected to engage in, and the financial institution knows of no reasonable explanation for the transaction after examining the available facts, including the background and possible purpose of the transaction
Detecting Suspicious Activity
• Need an adequate monitoring system
– Determine whether manual monitoring or automated software is needed
– Understanding the filtering criteria of a surveillance monitoring system is critical
• Should establish policies, procedures, and processes for identifying and monitoring subjects of law enforcement requests
Member Due Diligence
• Procedures to form a “reasonable expectation of the types of transactions a member conducts”
• Procedures to detect unusual/suspicious activity
• High-risk members and their transactions should be reviewed more closely
• Business accounts create additional inherent risk and need additional monitoring
• Should be documented (part of the program)
CTR Reporting Requirements
• Currency = coin and paper money of the U.S. or any other country designated as legal tender
• Cash transactions > $10,000
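The monetary-instrument slide above requires a process that aggregates a member’s purchases across branches to see whether the daily total reaches $3,000, and the CTR slide sets a $10,000 threshold on cash transactions. The following Python is an added illustration of that daily-aggregation control, not code from the presentation or from CLA; the member IDs, branches and transactions are constructed, and aggregating cash transactions per member per business day for the CTR check is an assumption that mirrors the monetary-instrument rule.

```python
from collections import defaultdict

# Thresholds as stated on the slides
MONETARY_INSTRUMENT_THRESHOLD = 3_000   # recordkeeping when daily purchases aggregate to $3,000 or more
CTR_THRESHOLD = 10_000                  # CTR when daily cash transactions exceed $10,000 (assumed daily aggregation)

# Constructed sample transactions (hypothetical member IDs and branches).
# kind "instrument" = monetary instrument bought with cash; kind "cash" = cash deposit or withdrawal
SAMPLE_TRANSACTIONS = [
    {"member": "M-1001", "date": "2012-10-10", "branch": "Main",  "kind": "instrument", "amount": 1_500},
    {"member": "M-1001", "date": "2012-10-10", "branch": "North", "kind": "instrument", "amount": 1_600},
    {"member": "M-2002", "date": "2012-10-10", "branch": "Main",  "kind": "instrument", "amount": 2_900},
    {"member": "M-3003", "date": "2012-10-10", "branch": "Main",  "kind": "cash",       "amount": 6_000},
    {"member": "M-3003", "date": "2012-10-10", "branch": "East",  "kind": "cash",       "amount": 4_500},
    {"member": "M-3003", "date": "2012-10-11", "branch": "East",  "kind": "cash",       "amount": 9_000},
]


def aggregate_daily(transactions, kind):
    """Sum one member's transactions of the given kind per business day, across all branches."""
    totals = defaultdict(int)
    for t in transactions:
        if t["kind"] == kind:
            totals[(t["member"], t["date"])] += t["amount"]
    return totals


def instrument_recordkeeping_required(transactions):
    """(member, date) pairs whose monetary-instrument purchases reach $3,000 in a day,
    even when every individual purchase (possibly at different branches) was below $3,000."""
    totals = aggregate_daily(transactions, "instrument")
    return sorted(key for key, total in totals.items() if total >= MONETARY_INSTRUMENT_THRESHOLD)


def ctr_required(transactions):
    """(member, date) pairs whose aggregated cash transactions exceed $10,000 in a day."""
    totals = aggregate_daily(transactions, "cash")
    return sorted(key for key, total in totals.items() if total > CTR_THRESHOLD)


if __name__ == "__main__":
    print("Monetary instrument records required:", instrument_recordkeeping_required(SAMPLE_TRANSACTIONS))
    print("CTRs required:", ctr_required(SAMPLE_TRANSACTIONS))
```

In the sample data, member M-1001 buys two instruments of $1,500 and $1,600 at different branches, so only cross-branch aggregation reveals that the $3,000 recordkeeping threshold was reached.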
CIP Requirements
• Each financial institution must implement a written CIP
• The CIP must be incorporated into the financial institution’s BSA/AML compliance program
CIP: Use of Other Parties
• Permitted to rely on another financial institution if this is addressed in the CIP and certain criteria are met
• Permitted to rely on third parties, but the credit union is ultimately responsible
3) Audit Deficiencies
• Auditor must be independent and qualified
• Findings should be reported directly to the Board or audit committee
• Board is responsible for tracking audit deficiencies and documenting corrective action
– Can delegate this responsibility to a committee
– Can perform jointly with audit staff, if applicable
4) BSA Compliance Officer
Board is responsible for designating a qualified individual to serve as the BSA compliance officer
– Do you know who this is in your credit union?
– Officer should have sufficient authority and resources
– Board is ultimately responsible
– Communication between Board and officer
– Specific/detailed training
– Program continuity?
5) OFAC Laws & Regulations
• OFAC regulations are not part of the BSA but are frequently covered in the BSA/AML exam manual
• Board and senior management have the responsibility to develop policies, procedures, and processes, based on their risk assessment, to ensure compliance with OFAC laws and regulations
OFAC
Should conduct an OFAC risk assessment
Should have policies and procedures that:
• Designate an OFAC officer
• Provide for independent testing
• Define screening requirements
• Describe how to determine and document whether an OFAC hit is valid or a false positive
• Set out procedures for reporting blocked funds to OFAC
• Provide for training
BSA Board Reporting
Required:
• Independent testing findings
• SAR filings
Optional but recommended:
• BSA/AML risk assessment
Confidentiality of SARs
• HIGHLY CONFIDENTIAL!
• DO NOT TELL MEMBER
• Only those in the credit union who need to know should be informed of a SAR
Training Requirements
• The Board and senior management should be informed of changes and new developments in the BSA, its implementing regulations and directives, and the federal banking agencies’ regulations
• Examiners look to ensure that the Board and senior management are aware of BSA/AML regulatory requirements, effectively oversee BSA/AML compliance, and commit, as necessary, to corrective actions (e.g., in response to audit and regulatory examinations)