Optimizing Your BSA/AML Program

(1)

Optimizing Your

BSA/AML Program

BCAC Seminar

(2)

The ideas presented in this session and PowerPoint are

for informational purposes only and are not intended

to replace legal advice on any compliance or AML

issues or decisions.

(3)

Agenda



Why do we care so much about this topic?



The four required elements



What’s really “required”



Systems/Rules Validations



High Risk Customer Enhanced Due Diligence



Documenting the Clearing of Alerts



Quarterly Wire Review



Staffing Assessments



Risk Assessment



Other Helpful Hints



Q&A

(4)

Why We Care So Much About This Topic

• Most banks receive some sort of finding or “Matter

Requiring Attention” (MRA) regarding their BSA Program.

• BSA is one of the areas where regulators can go straight to

a C&D if one of the key elements of a BSA Program isn’t

present or isn’t functioning.

• Examiners have done a great job over the past 3 years of

raising BSA awareness among executive management and

the Board. This should be helping BSA Officers.

(5)

The Four Required Elements

•

BSA Officer

•

Internal Policies, Procedures and Controls (e.g., monitoring for suspicious activity)

•

Annual BSA/AML/OFAC Audit

•

Annual BSA/AML/OFAC Training

•

Most Internal Audit programs only focus on the elements above, but not necessarily testing the other “required” elements.

(6)

What’s Really “Required”? (Validations)

•

Systems and Rules Validations

•

Examiners might not always be satisfied with having the system and rules tested as part of the annual internal audit. Why?

–

Might be better to have an independent party perform the systems and rules testing, and then have Internal Audit note/test that this has taken place and that it was sufficient.

–

Examiners are scrutinizing the credentials of the people performing the systems and rules validations and are asking,

“Is XYZ Vendor qualified and competent to be performing this testing?”

(7)

What’s Really “Required”? (validations)

•

Systems and Rules Validation (contd.)

•

What increases the risk here?

–

You have new staff in place who were not in place when the AML monitoring system was installed/implemented. These folks may not have a solid understanding of the tran codes, the mapping between core and other source systems to the AML monitoring system. Perhaps the implementation wasn’t as well documented as it could have been.

–

You haven’t had an independent systems and rules validation performed in 2 years or more.

–

You already know that some transactions aren’t flowing into the AML monitoring system properly, your case notes reflect this or you have a lot of manual entries in your AML software.

(8)

What’s Really “Required”? (Validations)

•

Systems and Rules Validations (contd.)

•

Are there operational/financial benefits to doing this?

–

Typically, any system that’s made more efficient and reliable is going to save time, which in turn saves money. Optimized systems tend to require fewer manual steps.

–

The exercise of having systems and rules validated serves as an educational opportunity for staff, who come out of the project with a keen understanding of how the system functions. So when the bank adds a new product/service and new tran codes are created, existing staff know exactly how to do the mapping and to document same.

(9)

… But What’s Really “Required”? (Validations)

•

Periodic internally‐performed Systems and Rules Validations

•

Examiners might not always be satisfied with having the system and rules tested once per year; they’re often looking for periodic testing as part of regular department monitoring.

–

BSA Officer says: “Even if I look at 1% of all transactions per month, I’d need a small army to get it done.”

–

True, but this is one of those things where you might be better off doing .01% of all transactions per month, than nothing at all.

(10)

What’s Really “Required”? (Internal Validations)

•

Two different types of tests needed for internal validations:

–

Accuracy Test (much easier and quicker to do). •Start by selecting samples from the AML software, and you compare them to the source document to ensure they’re the same.

–

Completeness Test (more difficult and time consuming, but many examiners won’t consider any validation to be done if you don’t test for completeness.) •Start with various source transactions at their source (not from the AML software). Now go see if they show up in the AML software. •A “finding” is when some source transaction is supposed to be in the AML software, but never made it there.

(11)

What’s Really “Required”? (Internal Validations)

•

One Possible Example of a Completeness Test:

–

Consider taking your wire log directly from your wire software system. Select a sample of wires (incoming / outgoing / domestic / foreign).

–

Make sure each one that should show up in your AML software actually does.

–

So you find one incoming wire that didn’t show up in your AML software. You’re perplexed as it looks like all the others. You call the wire department. They say “Oh, Sally was out sick that day, Joe processed that wire and he just does them differently, that’s all.” You ask: Has Joe processed any other wires since January. They reply “Oh lots, I’ll send you the list.”

(12)

… But What’s Really “Required”? (High Risk EDD)

•

High Risk Customer EDD – Three areas of concern: 1) Having way too many “high risk” customers; 2) Having customers that never got risk‐ranked at all; 3) Having a separate “high risk” customer listing in Excel, that doesn’t tie out to the rankings in the system.

•

Although it’s time‐consuming and sometimes expensive to fix this, once it’s fixed it tends to stay fixed.

–

Consider performing an EDD review on all high risk customers to properly risk‐rate them. This can be outsourced. Sometimes examiners will actually require that it be outsourced.

(13)

What’s Really “Required”? (High Risk EDD)

•

High Risk Customer EDD (contd.)

•

What raises risk here?

–

Staff who aren’t confident in the risk‐rating process, so they risk‐rate every customer “High” to be safe. This is usually well‐intentioned.

–

You’re not capturing all the information needed to property risk‐rate the customer.

–

Your bank has acquired other banks and in doing so acquired customers you don’t know, with minimal documentation and scarce account‐opening KYC.

(14)

What’s Really “Required”? (High Risk EDD)

•

High Risk Customer EDD

• –

Optimizing your high risk customer list also optimizes your annual high risk reviews, in that you typically have fewer to do.

–

This can also optimize the number of monthly alerts the AML monitoring system is generating, especially if you have rules that are tied to the risk‐rating of the customer.

(15)

(16)

What’s Really “Required”? (Moderate Risk)

•

So what do we do about moderate risk customers?

–

It depends, but the guidance tells us we have to do something.

–

We risk rate customers for a reason. It’s so that we can do “x” for the lows; “y” for the moderates; and “z” for the highs. That’s directly from the guidance. Most banks simply let the automated software to handle the lows. Most banks have written processes and procedures for the highs. But the moderates are forgotten about, which means they’re treated like the lows.

(17)

What’s Really “Required”? (Moderate Risk)

•

Guidance doesn’t say we have to do full EDD on moderates, but it does say we have to treat them differently from the lows.

•

Possible Option: Consider taking a list of moderates once a year. Add a column for your initials. Add a column for the date. Review 6 to 12 months of transactions visually for each customer. Only do a write‐up and further review if unusual activity is present. Otherwise, simply initial and date to evidence and document your transactional review.

(18)

What’s Really “Required”? (Moderate Risk)

•

Possible Option 2: Once every 2 years, consider performing a limited EDD on your moderates. Take your full EDD methodology and scale it down to do a mini narrative on each. Break your moderates into 24ths and do 1/24th _each month, therefore staggering your review over 24 months. So this is more involved than Option #1, but less involved than full EDD on the high risk customers.

•

The point is to be thoughtful about what works for you. The next slide directly from ACAMS leads me to believe most BSA Officers understand that we have to do something with the moderates.

(19)

(20)

What’s Really “Required”? (Clearing Alerts)

•

Documenting the Clearing of Alerts – Two areas of concern: 1) Not enough documentation; 2) Too much documentation.

•

Some adjustment to process and procedure can help fix this.

–

Not all alerts are the same. Consider writing P&P for how to clear: •The same alerts that keep triggering for the same customer month after month after month. •Alerts that trigger for a customer that’s never alerted before. •Alerts for low‐risk customers vs. alerts for high risk customers. •Determine if there is any other way to stratify the alerts you have set up.

(21)

What’s Really “Required”? (Clearing Alerts)

•

Documenting the Clearing of Alerts (contd.) – Write into your P&P which alerts can be cleared with: •Just a sentence in the system itself, after review. •The above, combined with a notated spreadsheet of transaction review. •The above, combined with a short narrative. •Typically, any more than that and you’re really dealing with a full “case.” – Regarding using just an explanatory sentence in the system for clearing some alerts. The problem arises when, due to time

constraints, the activity isn’t really reviewed and the user simply inserts a canned sentence about the activity not being suspicious. (All it takes is one…)

(22)

What’s Really “Required”? (Clearing Alerts)

•

Documenting the Clearing of Alerts (contd.)

•

What increases risk here?

–

Multiple staff who take a different approach to clearing alerts, not following any specific P&P.

–

Not having written P&P to follow, or having the P&P, but not training on it.

–

Having alerts that aren’t well designed to begin with, so non‐ helpful alerts continue to trigger which take valuable time away from the helpful alerts. (Helpful, meaning they truly identify potentially suspicious activity.)

–

Alert systems that don’t have enough options or that don’t provide enough information.

(23)

What’s Really “Required”? (Clearing Alerts)

•

• –

Yes, to the extent everyone on staff is approaching similar alerts in the same fashion. This can ensure that you’re not performing a full EDD review on each and every customer that generates an alert. Or, if you do end up having to do extensive research on an alert that rises to the level of an EDD review, that you utilize the information when the annual EDD review comes around, meaning, you don’t reinvent the wheel.

(24)

What’s Really “Required”? (Clearing Alerts)

• –

Of all the topics addressed in this session, the clearing of alerts is the most difficult because: •It’s the most subjective. One examiner will feel your documentation is fine, another one will say there isn’t enough documentation. Write robust P&P, follow the P&P, and you’ll be on firmer ground with this one. •Every system handles alerts differently. With many systems, when an alert comes into your queue, you can’t discern quickly if it’s for a low risk or high risk customer, you can’t discern if it’s an alert that hits continually, especially in large banks with thousands of alerts each month.

(25)

What’s Really “Required”? (Wire Review)

•

Quarterly International Wire Review – Two areas of concern: 1) Not doing it. 2) Doing wire review, but not over a long enough period of time.

•

Can’t just rely on your alerts that trigger for high wire activity or for a large wire. This Quarterly International Wire Review addresses different patterns, such as:

–

Wires that tend to come in from one country around the same time, followed by wires (in aggregate) to a different country.

–

Seemingly non‐related customers who might be acting in unison.

–

Because it’s pattern‐based, need to review at least a quarter of activity at a time.

(26)

What’s Really “Required”? (Wire Review)

•

Quarterly International Wire Review (contd.)

• –

The biggest risk is that you’re simply not doing it. (If you’re doing it, but perhaps not doing exactly what an examiner wants you to be doing, you might get a comment instead of an MRA, but this is one topic where doing something is the most important.)

–

International wire activity is so voluminous for the quarter, that you max out the Row limitation on Excel. You’ll need to have a database designed for you for this.

–

Difficulty extracting international wire activity out of your systems.

–

International wires that look like they’re domestic in your systems because they went through a correspondent bank.

(27)

What’s Really “Required”? (Wire Review)

•

Quarterly International Wire Review (contd.)

• –

It helps you to understand your customers better in terms of their international wire activity patterns.

–

It can help you spot patterns of potentially fraudulent activity, and that helps in all areas.

(28)

What’s Really “Required”? (Staffing Assessments)

•

Staffing Assessments – This finding tends to arise in exams where multiple other findings are present. In other words, the examiner has reason to believe the bank has a resource issue in BSA. I’ve never seen this finding arise in BSA exams where everything was peachy.

•

These take time, but methodology and documentation are key. These can also be outsourced.

–

This is an assessment of the staffing levels and functions in the department, not necessarily an assessment of Johnny and Sally’s abilities, but that can also be done.

–

Consider creating an Excel sheet of every task performed in the department, by job function, along with the amount of time it takes per month.

(29)

What’s Really “Required”? (Staffing Assessments)

•

Staffing Assessments (contd.)

–

Include the tasks that you should be doing, but are not doing because you don’t have the staffing.

–

Include the BSA/AML tasks performed by people in other departments that should be done in the BSA/AML department. (This is subjective, but be all‐inclusive on the staffing assessment so you get the whole picture.)

–

Include sick/vacation/holiday time, time in meetings, time presenting to board, time prepping for exams and audits, be granular on the Excel sheet, but stick with facts. For it to be believable, it needs to be defendable.

(30)

What’s Really “Required”? (Staffing Assessments)

• –

Some things you do daily, some weekly, some monthly, some quarterly, and some annually, so note the correct time, then do the multiplication or division to bring all time to a monthly standard.

–

Example: I do something 1 hour per week. I’d indicate 4.3 hours per month. Or, I do something 80 hours a year, like the annual Risk Assessment. That’s 6.66 hours/month. Add up all of your monthly time. Divide by 173 hours, and you should end up with how many FTEs you need in your department.

(31)

What’s Really “Required”? (Staffing Assessments)

• –

Undoubtedly, you included some number of hours for clearing alerts. You’ll need to document how you came up with that number and whether it’s reasonable or not.

–

You’ll want a separate Excel sheet that indicates the number and type of alerts you get each month. Why? Because all alerts are not created equal. Some take 20 minutes to clear, some can take 2 days. Only by listing each type and the number of each that generate each month, and how long it takes to clear each type, can you really support the number of hours you spend clearing alerts.

(32)

What’s Really “Required”? (Staffing Assessments)

• –

The excel sheet and alert‐clearing support is only part of it. Next consider writing a narrative report describing your methodology and the change in staffing that you’ll make in response to the results.

–

Example: “We will be creating a position for an AML Analyst to take responsibility for the clearing of alerts and new account reviews. This will allow the BSA Officer to focus on more strategic items.” (This is more complex in larger departments with multiple positions.) “Additionally, to analyze the 1,900 High Risk customers, we will be hiring XYZ firm to manage the project along with 3 temporary analysts who will assist with preparing the 1,900 files for review by the firm.” New org chart depictions are helpful in this section.

(33)

What’s Really “Required”? (Staffing Assessments)

• –

Another example: “We’ve decided to no longer have 1 individual responsible for both compliance and BSA. We’ve split out the BSA Officer function and have started a search. Attached is the new job description.”

–

Always include a description of your Bank in the beginning of your narrative, similar to what you do in your BSA Risk Assessment.

(34)

What’s Really “Required”? (Staffing Assessments)

• –

If you’ve had multiple BSA findings from your exams, make sure your narrative addresses how the new staffing levels will address and remediate the findings.

–

Although the purpose of the assessment isn’t necessarily to assess the performance of each staff member, it’s a good idea to provide full resumes of each staff member and job descriptions for any new position noted. Be sure to map it out for your reader how each person’s skills and strengths are mapped to the positions.

–

Last, write a 1‐paragraph executive summary at the very top of your report. Remember, your audience is the examiners.

(35)

What’s Really “Required”? (Staffing Assessments)

•

• –

You leave some key aspects of a BSA Program off of the ‘tasks’ list. If the ‘tasks’ list is found to be missing some key aspect of what a BSA department should be doing, such as periodic EDD, or reviewing new customers, or clearing alerts, then examiners will wonder if you’re really doing it at all.

–

If the results of the assessment aren’t well received by executive management or the Board, they might have to explain why a staffing assessment revealed that you needed 3 FTEs, but you continue to have 2.

(36)

What’s Really “Required”? (Staffing Assessments)

•

• –

All the tools and plans cannot bring about success if you don’t have the people to execute. If you don’t have the people to bring about success, the exam/audit findings could keep ratcheting up and you could end up with a Formal Agreement or a C&D. That $65,000 you would have spent on an additional Analyst is dwarfed by what you’ll spend to get out of an FA or a C&D.

–

The formal staffing assessment ends the conjecture of “we need more people” and helps explain why you need more people.

(37)

What’s Really “Required”? (Risk Assessment)

•

Assessing Inherent Risk – Biggest area of concern: BSA Officer involvement in new product review.

–

Evidenced in the BSA Risk Assessment.

(38)

(39)

What’s Really “Required”? (Risk Assessments)

•

Risk Assessments (contd.)

•

What increases the risk here?

–

You have new staff in place who aren’t familiar with customers, products, services, geographies.

–

BSA Officers aren’t informed about new initiatives at the bank that impact BSA/AML/Sanctions risk.

–

Examiners have found issues in certain areas. When that happens, they tend to scrutinize the risk assessment even more.

–

A ‘stagnant’ BSA Program that hasn’t kept pace with the changing environment.

–

Difficulty obtaining data to prepare the risk assessment.

(40)

What’s Really “Required”? (Risk Assessments)

•

• –

I’m a big fan of the adage “You can’t manage risk that you don’t know about.”

–

If examiners find issues, and you had correctly identified the risk on your risk assessment, that’s one thing. BUT… if examiners find issues, and your risk assessment was silent about the risk, now you have 2 different MRAs – the issue itself, and an inadequate risk assessment.

(41)

Importance of the Risk Assessment

January 2014 CMP March 2014 CMP

(42)

What’s Really “Required”? (Risk Assessments)

•

How to enhance?

–

Be sure there’s a section in the “Products” part of the risk assessment that discusses the impact of new products and services (and new ways of doing business) on BSA risk.

–

Be sure the BSA Officer reviews all New Product/Service Risk Assessment report and opines on BSA Risk – even if the

Compliance Officer is also doing so and even if there is no BSA risk. (When no risk, BSA Officers simply indicate that you’ve reviewed it and note no BSA risk because of “x”, “y”, and “z.”)

(43)

What’s Really “Required”? (Risk Assessments)

•

How to enhance?

–

Discuss your bank’s “Culture of Compliance”

–

Analyze all products and services with an eye on whether they obscure financial transparency.

–

Be sure you show the reader of your Risk Assessment that you truly understand payment systems. •The payments products/services your bank offers. •The payment systems your customers are using, such as your convenience stores.

(44)

What’s Really “Required”? (Risk Assessments)

•

See “Assessing Inherent BSA/AML Risk at Community Banks”, Federal Reserve Bank of San Francisco, Third Quarter 2013 http://www.communitybankingconnections.org/articles/2013/Q3/Assessing-Inherent-BSA-AML-Risk-at-Community-Banks.cfm

•

Always conclude on the level of risk, the change in risk compared to the prior year (and why), and the direction of risk over the next 12 months (and why.)

•

For merged banks, discuss any risks from disparate systems and be sure to show the reader that you understand the merged banks’ customers, products, services, and geographies.

(45)

Other Helpful Hints

•

Formal Training Plans for New Hires

–

So you finally got that new FTE approved (or someone resigned) and the new person is arriving on Monday. You got yourself a great candidate with a wonderful can‐do attitude, plenty of aptitude, some relevant experience, but this person hasn’t done this exact job before.

–

Examiners might expect to see a full formal training program for this individual, and the program should be scaled to reflect the position/responsibility. It should be written, and should go beyond the typical online BSA training required of bank staff.

–

Recommend a mixture of topics and venues over the first 6 months.

(46)

Other Helpful Hints

•

Formal Training Plans for New Hires

–

Examples: The annual state Bankers Association 1‐ to 2‐day BSA conference, a handful of BSA webinars by reputable vendors, targeted webinars on Prepaids or Elder Abuse, etc.

–

You’re trying to show proactive risk management with developing new staff.

–

In general (not just for new staff) examiners seem to frown on the canned online BSA training.

–

Have your written training program ready for day #1 of the exam.

–

Always a good idea to do written performance evaluations at the 90 and 180 day mark for new BSA staff.

(47)

Other Helpful Hints

•

KYC for high wealth customers

–

A number of banks are getting into Private Banking, serving high wealth customers.

–

Issues: 1) On‐Boarding; 2) Transaction Monitoring Why?

–

Estates, Formal Trusts, and In‐Trust‐For accounts tend to follow high wealth customers. Does the BSA staff have the proper knowledge of these account types to risk‐rate them?

–

Increased size of wires and ACHs tend to follow high wealth customers. Does the BSA staff have the proper training to understand what these transactions are. In other words, the difference between “wealthy‐people‐activity” and money laundering? Wealthy people tend to move their money with wires and ACH transfers.

(48)

Other Helpful Hints

• –

Watch for common referral source ‐‐ that is one particular attorney or wealth advisor or CPA who refers many customers to you. Without you knowing it, the referral source isn’t on the up‐and‐up and is sending to you customers (customer #1 through #6) through which he/she can launder money. Looking at each customer’s activity alone reveals no unusual activity. But when all 6 customers’ activity is reviewed, you start to see patterns that concern you.

–

Or…worse… the referral source starts to embezzle or commit some other crime against his/her “subjects”, see next slide:

(49)

Other Helpful Hints – Note Local News

• September 2014: A Waterbury man convicted of participating in a drug‐

trafficking ring has testified that a Seymour lawyer was laundering money. Bruce Yazdzik said in U.S. District Court in New Haven Tuesday that Ralph Crozier knew Yazdzik’s money came from drug sales and that he helped Yazdzik establish

businesses and make investments to make the money seem legitimate. • September 2014: Several managers and employees of two Providence, Rhode Island, stores convicted of food stamp fraud and money laundering and sentenced to prison terms. • August 2014: John Rice of Windsor, CT sentenced to 18 months in prison. On April 25, 2014, Rice pleaded guilty to one count of criminal copyright infringement and one count of money laundering. Rice also structured cash deposits into his bank account. In November 2012, Rice withdrew from his account $39,237 in cash derived from his criminal activity (selling bootlegged merchandise) in order to purchase a cashier’s check payable to BMW of West Springfield.

(50)

Other Helpful Hints – Note Local News

• July 2014: Bangor, Maine: Mei Ya Zhang, of Waterville, was sentenced to 15 months in prison, three years of supervised release and ordered to pay more than $88,000 in restitution to the IRS. Zhang was the manager of a Chinese buffet restaurant that brought undocumented aliens into Maine to work. Among other actions, Zhang paid the undocumented aliens under the table with cash generated illegally by their employment. Zhang filed numerous false quarterly employment tax returns in which the undocumented aliens were not disclosed and employment taxes were not properly withheld or paid.

(51)

Other Helpful Hints

• –

It goes without saying that high net worth customers could be targets of wrongdoing more often than others. Although this may be more fraud‐related than AML‐related, know that trusts and other wealth‐type accounts are easy pickings for fraud. Trustees have authority to move money and if the instructions to the trustee are spoofed, an unwitting trustee could erroneously wire money out of the country to a fraudster.

–

From a risk perspective, be sure you are reviewing Trusts and other fiduciary accounts regularly. Yes, they tend to have low activity, but that activity still needs to be reviewed.

(52)

Other Helpful Hints

• –

Be aware of the risks associated with trusts and estates – they can be used to mask beneficial ownership.

–

Be aware of “referral sources”, and patterns of activity in all of the accounts referred to a bank by one referral source. •For banks that have Private Banking or “Relationship Banking for High Net Worth Customers,” consider adding the review of referral sources’ entire fiefdom (in aggregate) to your monitoring program.

(53)

Other Helpful Hints

• –

Be sure you document extra training for the BSA staff on Trusts, Estates, and other fiduciary accounts.

–

Be sure your BSA risk assessment touches on the risks associated with high wealth customers.

–

Be sure to run ‘negative news’ on referral sources, even if they’re not customers.

(54)

Other Helpful Hints

•

BSA in Lending

–

I’m aware of exams where the BSA Officer has actually been asked for all BSA‐related suspicious activity referrals from the lending departments, all lending‐related cases, and all lending‐related SARs.

–

Might not be the best situation if your answer is “There haven’t been any.” Even in the smallest of banks, there is surely something that’s been suspicious in the lending world.

–

If you file a lot of SARs, you don’t want to be going through each one looking for the lending‐related ones. Consider having some way to flag them as such.

(55)

Other Helpful Hints

•

Marijuana

–

Other than the issue of marijuana companies being illegal from a Federal perspective (which is a big concern), we have an issue similar of banking an extremely risky entity, much like an MSB. (Do we really understand the full extent of the risk, yet, though?)

–

If you can become a bank that has this as a specialty, and you bank a lot of them so that you develop expertise, then consider putting your risk program together much the same way you put it together for MSBs.

–

Obtain all the information on the entire industry that you possibly can. Get to know who in your state (or region) serves as a SME or think‐tank for this.

(56)

Other Helpful Hints

•

Marijuana

–

Let’s assume you choose to not willingly bank marijuana companies… how do you ensure one of your existing customers isn’t becoming a dispensary?

–

There are lists that indicate who has applied for a license.

–

Many entities are names something like “holistic health”, etc. If you have customers that are likely to be interested in dispensing marijuana, you’ll want to watch the lists.

–

You’ll need P&P to show that you’re are monitoring this risk.

(57)

Other Helpful Hints

•

Marijuana

–

Update the following documents before making the final decision to bank marijuana companies: •BSA Risk Assessment •BSA written Policy and Program •Staffing Assessment

–

Do this to show what your BSA department will look and function like if you do bank marijuana companies. Then use the documents in the decision‐making process. If executive management decides not to move forward, just archive the documents.

(58)

DEA: COLOMBIANS LAUNDER FUNDS THROUGH

COLORADO TO OPERATE MARIJUANA BUSINESS

•

Money was being wired from bank accounts in Colombia to bank accounts in Colorado for purchase of marijuana grow facility. – The defendants affected the international transfer of funds from the Republic of Colombia into the United States to facilitate the purchase of real property, with existing physical structures, located at 5200 East Smith Road, in Denver, Colorado. – The defendants intended to permit the use of the Smith Road property to cultivate, manufacture, and/or distribute marijuana. – In 2013, Gerardo Uribe filed documents with the Colorado Secretary of State to incorporate a company known as Colorado West Metal, LLC. Attorney David Furtado was the registered agent. Hector Diaz was listed as the person responsible for forming the corporation. – Furtado opened a bank account at Wells Fargo in the name of Colorado West Metal, LLC, and was the sole signor on that account. – Furtado used his attorney trust account, held in the name of his law firm, to facilitate the purchase of the property.

(59)

Washington State Dept of Financial Institutions

June 2014.

http://www.dfi.wa.gov/banks/pdf/marijuana‐faqs.pdf

Five‐page discussion of the risks associated with banking licensed marijuana companies and/or lending to them.

(60)

Other Helpful Hints

•

Both High Wealth Customers and Marijuana Companies

–

Consider the Internal Audit. Ensure that the auditors also understand the nuances of the above customers.

(61)

Other Helpful Hints

•

Convenience Stores & other retail

–

Since the whole payments landscape is changing, and MSBs are such high risk, pay extra attention to convenience stores. Although having MSBs is ‘risky’, it’s much more risky to have one and not know it.

–

Be sure in your write‐ups on convenience stores, that you acknowledge what payments vendors they are using. This should be done during the initial account risk‐rating process. This will only help you document that your convenience store customer is not an MSB.

–

Even if your customer isn’t an MSB, if your examiner does a thorough review on a customer and notes that they’re dealing with ECS Prepaid or even Pay Spot, if this fact doesn’t appear anywhere in your due diligence, a finding could result.

(62)

Other Helpful Hints

•

Convenience Stores and other retail

–

The risk is that the convenience store adds a payments partner and you miss it during your review (be it your annual review or your clearing of alerts). Every time you review a convenience store, document the payments partners and take a screen shot of their website.

–

The above holds true for all retail establishments, but convenience stores are higher risk.

–

You will soon become experts in the hundreds of payments providers there are out there.

(63)

Other Helpful Hints

•

Convenience Stores and other retail

–

How do you determine the likelihood that a customer has an ATM onsite if they don’t tell you, such as an existing customer installs an ATM and no one knows about it?

–

Consider screening ACH transactions for certain keywords that would indicate ATM activity.

(64)

Other Helpful Hints

•

Closing Accounts

–

This topic has risen in importance over the past few years. How do you go about recommending that an account be closed for AML purposes, and how do you document this? Consider a form that addresses the following:

–

Severity of activity; Duration of activity; Number of alerts, cases SARs; The cost/benefit analysis; The likelihood of the activity being interpreted as “Tipping Off” the customer.

–

Consider making these discussions part of the SAR Committee or BSA Committee meetings if you have them.

(65)

Other Helpful Hints

•

Financial Statements

–

Although I could have put this into the EDD section, it’s so important that it should stand on its own. It’s the concept of asking your deposit customers for their financial statements when: •Performing EDD •Clearing an alert that turns into a serious case and you need to prove that you did a thorough review and truly Know Your Customer.

–

Relatively easy to obtain financials on customers who also have a current loan with the bank, not so easy otherwise.

–

What are BSA Officers currently doing for this?

(66)

Other Helpful Hints

•

Two Recent Topics

–

Beneficial Ownership

(67)

Conclusion – Where We Are

June 2014 – Supervisory Spotlight – Federal Reserve Bank of San Francisco

Over the past year, examiners have observed that many community bankers are devoting more attention to BSA/AML compliance. But we are still identifying BSA/AML internal control weaknesses in community banks, which indicates that continued diligence is needed. Some areas that may require additional attention include considering the BSA/AML risk of new products and services; better identifying potentially high‐risk customer activities, such as operating private ATMs, money service businesses, and marijuana‐related businesses; ensuring job‐specific BSA/AML training for staff; and providing meaningful reporting to the board of directors or its appointed committee.

(68)

Conclusion – Where We Are

August 2014 ‐ FinCEN ‐Advisory Promoting a Culture of Compliance

• According to FinCEN, recent enforcement actions have highlighted a pattern of deficient leadership and organizational focus when it comes to AML/BSA compliance. The advisory states that a financial institution can strengthen its BSA/AML compliance culture by ensuring that: – its leadership actively supports and understands compliance efforts; – BSA/AML compliance is not compromised by revenue interests; – information is shared within relevant departments to further BSA/AML efforts; – adequate resources are devoted to its compliance function; – the compliance program is tested by an independent and competent party; and – its leadership and staff understand the purpose of its BSA/AML efforts.

(69)

Q&A

(70)

Thank You

Sharon Blanchette, CPA, CIA, CRCM, CAMS, MBA Director, Special Projects Enterprise, Governance, Risk and Compliance (EGRC) Solutions [email protected] 860.466.0563