Bank Secrecy Act Compliance for Experts June 27, 2012
Presenters John Misgen, CPA • Senior Compliance Consultant with CliftonLarsonAllen LLP for more than six years • Has provided regulatory compliance assistance, including BSA/AML/OFAC testing, to financial institutions ranging from less than $5 million in assets to more than $1 billion in assets. Jeffrey Pratt • Deputy Assistant Director, Office of Compliance, Financial Crimes Enforcement Network • The Office works to better ensure industry compliance with the Bank Secrecy Act. The Office also tracks the performance of financial institutions experiencing significant Bank Secrecy Act compliance deficiencies.
Overview of the Regulations Bank Secrecy Act USA Patriot Act Office of Foreign Assets Control
Staying Current With Changes FinCEN provides a Weekly Digest Bulletin via email – https://public.govdelivery.com/accounts/USFINCEN/subscriber/new?preferences=true NAFCU provides a daily compliance blog via email – http://nafcucomplianceblog.typepad.com/nafcu_weblog/
BSA/AML Risk Assessment • Many effective methods and formats for conducting the risk assessment • The development of the BSA/AML risk assessment generally involves two steps • Business accounts pose more risk; additional time and resources are needed to perform these assessments
BSA Compliance Program Management should structure the financial institution’s BSA/AML compliance program to adequately address its risk profile The BSA/AML compliance program must provide for at least four requirements at a minimum
CIP Requirements • Each financial institution must implement a written CIP • The CIP must be incorporated into the financial institution’s BSA/AML compliance program
CIP Requirements • Three basic rules – Verify – Check – Maintain • Verifying identity requires five important pieces of information • Notice displayed where accounts are opened • Obtain information to assess account risk
CIP: Lack of Verification • CIP must include procedures for when ID can’t be verified • Examples: – Unable to provide ID – False/modified ID – Online account opening – Red Flags
CIP: Comparison with Govt Lists The CIP must include procedures for determining whether the member appears on any federal government list of known or suspected terrorists or terrorist organizations. – OFAC Specially Designated Nationals (SDN) List – Must be done at time of account opening or earlier
CIP: Use of Other Parties Permitted to rely on another financial institution if addressed in CIP and certain criteria are met. Permitted to rely on third parties, but credit union is ultimately responsible
Member Due Diligence Must have procedures in place to have a “reasonable expectation of the types of transactions a member conducts.” • At account opening • High-risk members and their transactions should be reviewed more closely
Member Due Diligence • Determine which reports currently being used will address any of the risks needing monitoring • Business accounts create additional inherent risk and need additional monitoring • Every institution has specific risks. • Member due diligence procedures should be documented
Suspicious Activity Monitoring Most common is money laundering Other common types of suspicious activity • Check Fraud • Check Kiting • Counterfeit Check • Counterfeit Credit/Debit Card • Credit/Debit Card Fraud • Loan Fraud • Wire Transfer Fraud • Identity Theft
Detecting Suspicious Activity • Examples of Suspicious Activity • Credit unions should have a means for front line staff to report suspicious activity to a supervisor or BSA Officer immediately.
Detecting Suspicious Activity • Need adequate monitoring system – Determining whether manual or automated software is needed – Understanding the filtering criteria of a surveillance monitoring system is critical • Should establish policies, procedures, and processes for identifying and monitoring subjects of law enforcement requests
Shared Branching CTR Requirements - “By, through, or to” -FinCEN Ruling 2001-1 Establish written protocols Aggregation
Shared Branching SAR Requirements - “By, at, or through” -Confidentiality Determine Risk Importance of Communication
Shared Branching Agent status 314(b) Money Laundering/Terrorist Financing FIN-2009-G002 “information relating to transactions that may involve the proceeds of one or more specified unlawful activities remain within the protection of the section 314(b) safe harbor from liability”
Shared Branching SAR Joint Filing
Electronic Filing Dates Mandatory Electronic Filing July 1, 2012 New CTR and New SAR required March 31, 2013
FinCEN’s View on Monitoring Manual vs. Automated
Reporting Suspicious Activity Do you know when a SAR is required to be filed? Do you know there is a safe harbor for SARs filed?
Reporting Suspicious Activity • A SAR must be filed within 30 days after the initial detection if the suspect is known. • You have up to 60 days, if suspect is not known. • Narrative — Be complete! • Keep but do not file supporting documents • Account should be monitored for continuing activity
Reporting Suspicious Activity • All investigations should be documented • Required reporting to the board – Board or an appropriate board committee – Regulations do not mandate a particular notification format
Confidentiality of SARs • Highly confidential! • Only those in the credit union who need to know should be informed of a SAR • DO NOT TELL MEMBER • This should be included with each training session (employees and board)
Currency Transaction Reporting • Currency = coin and paper money of the U.S. or any other country designated as legal tender • Cash Transactions > $10,000 • CTRs must be filed with FinCEN within 15 days after the date of the transaction – You have up to 25 calendar days if you are E-Filing (until March 31, 2013)
CTR Reporting All beneficiaries must be reported – Gets confusing! • For deposits, all those who are known to benefit from the transaction must be identified on the CTR. • For withdrawals, only person conducting transaction unless… • Examples
CTR Reporting For businesses: • sole proprietorships • separate legal entity with a TIN - general rule • Separately incorporated entities are presumed to be independent persons, unless information shows otherwise • Examples
CTR Exemptions • Not required to exempt • 2 phases – Phase I and Phase II – Phase I – Phase II
Currency Purchases of Monetary Instruments • Recordkeeping only required if daily purchases aggregate to $3,000 or more • Requirements for member purchases • Non-members = need more • Need to have a process in place to aggregate multiple purchases at multiple branches < $3,000 if daily aggregation is $3,000 or more
Funds Transfers Recordkeeping • Originator responsibilities • Beneficiary responsibilities • Must be retrievable by name and account number for five years • Must have a process to monitor funds transfers for suspicious activity
OFAC Should conduct an OFAC risk assessment Should have policy and procedures • Designate an OFAC officer • Independent testing • Screening requirements • How to determine and document whether OFAC hit is valid or false-positive • Procedures for reporting blocked funds to OFAC • Training
Commonly Cited Violations In the news: • 2010: Wachovia Bank $110,000,000 • 2010: Pamrapo Savings Bank $5,000,000 • 2010: ABN AMRO Bank $500,000,000 • 2011: Zions First Nat’l Bank $8,000,000 • 2011: Oceans Bank $10,900,000 • 2011: Mendoza (individual) $25,000 and 6 months prison • 2012: Citibank, N.A. Cease and desist • 2012: ING Bank N.V. $619,000,000
Commonly Cited Violations What we see: • BSA/AML risk assessment not detailed • MDD procedures not specifically documented • Inadequate MDD on MSBs • Inadequate MDD on shared branching/3rd party • SARs not completed correctly (narrative) • CTRs not listing all those benefiting • No specific OFAC risk assessment • Weak or undocumented OFAC policy/procedures • No procedures for reviewing law enforcement requests • Training deficiencies
Penalties for Non-Compliance Failure to comply with the BSA can have serious consequences for you and for your institution. • BSA violations involve civil, criminal, and intangible penalties • The federal banking agencies and FinCEN can bring civil money penalty actions In addition to the above, individuals may be removed from banking
Changes in Next 12 Months Known: • Exemption changes for payroll members – Immediate • E-filing requirements – July 1, 2012 • BSA implications on non-bank mortgage lenders – August 13, 2012 • New CTR, SAR, and DOEP forms – March 31, 2013 – Testing site: http://sdtmut.fincen.treas.gov/main.html
Changes in Next 12 Months Expected: • Member Due Diligence Requirements