12.07.2015 Views

Bank Secrecy Act / Anti-Money Laundering (BSA/AML) Compliance


BSA/AML BACKGROUND AND PURPOSE

  • Made up of many laws:
      • Money Laundering Control Act - 1986
      • Annunzio-Wylie Anti-Money Laundering Act - 1991
      • Money Laundering Suppression Act - 1994
      • USA PATRIOT Act - 2001
  • Purpose:
      • To help identify the source, volume and movement of currency and other monetary instruments transported or transmitted into or out of the U.S. or deposited into financial institutions.
      • To aid in the investigation of money laundering, tax evasion, international terrorism and other criminal activity.


WHY BSA BOARD TRAINING?

  • FFIEC BSA/AML Manual: “While the board of directors may not require the same degree of training as banking operations personnel, they need to understand the importance of BSA/AML regulatory requirements, the ramifications of noncompliance, and the risks posed” to the credit union.
  • Board training must provide for a general understanding of the BSA.

PRE-EXAM REVIEW

  • Review of BSA database reporting information.
  • Inconsistencies between credit union records and reporting databases.
  • Review of prior exam and management’s responses to previously identified BSA violations.
  • Review of correspondence between the credit union and FinCEN or the IRS Detroit Computing Center.
  • Whether management has taken corrective action.


PRE-EXAM REVIEW

  • Contact management and BSA compliance officer.
  • BSA/AML compliance program, management structure and risk assessment.
  • Suspicious activity monitoring and reporting system.
  • Level and extent of automated BSA/AML systems.

COMPLIANCE PROGRAM

Every credit union must have a written compliance program that is tailored to its level of risk


COMPLIANCE PROGRAM

  • Directors are responsible for ensuring that their credit unions have a written BSA compliance program that is tailored to its level of risk.
  • Written policies, procedures and processes.
  • Must be written, approved by the board of directors and noted in the board minutes.
  • Made up of the following:
      • Risk Assessment
      • Internal Controls
      • Independent Testing
      • Designation of BSA/AML Compliance Officer
      • Training
      • Customer (Member) Identification Program (CIP)


RISK ASSESSMENT

The risk assessment will determine the policies, procedures and processes for BSA/AML compliance


RISK ASSESSMENT

  • The risk assessment, through the use of a Risk Matrix, should identify and measure the degree of risk for each of the following:
      • Products & services;
      • Members; and
      • Geographic locations.
  • Identify steps that have been taken to mitigate risk.
  • Should evolve as new products and services are introduced or changed, expansions occur through mergers, and/or field of membership enlarges.
  • Recommended every 12 to 18 months.

RISK ASSESSMENT – RISK MATRIX

[Product/Service; Members; Geographic Location] | Degree of Risk (low, medium, high) | Areas of Concern | Risk Controls


RISK ASSESSMENT – PRODUCTS AND SERVICES

  • What types of products and services does the credit union offer?
  • Who is using them?
  • Where is the potential exposure to money laundering?
  • What steps have been taken to mitigate risk?

RISK ASSESSMENT – MEMBERS

  • Who does your credit union serve?
  • What services do they use?
  • What is their source of funds?
  • Where are they located?


RISK ASSESSMENT – GEOGRAPHIC LOCATION

  • High-risk locations can be foreign or domestic.
  • Domestic high-risk geographic locations include:
      • High Intensity Drug Trafficking Areas (HIDTAs)
          • http://www.whitehousedrugpolicy.gov/hidta/
      • High Intensity Financial Crime Areas (HIFCAs)
          • www.irs.gov/compliance/enforcement/article/0,,id=107488,00.html#hifca
          • http://www.fincen.gov/le_hifcadesign.html
  • Michigan HIDTA counties: Wayne, Macomb, Oakland, Washtenaw, Genesee, Kent, Kalamazoo, Allegan, Saginaw and Van Buren

INTERNAL CONTROLS

Written policies, procedures and practices must be designed to limit and control risks, and to achieve compliance with the BSA


INTERNAL CONTROLS

  • Made up of the credit union’s:
      • Monitoring
      • Reporting
          • Currency Transaction Reports (CTRs)
          • CTR Exemptions
          • Suspicious Activity Reports (SARs)
      • Recordkeeping
  • Board of directors ultimately responsible for ensuring the credit union has an effective internal control structure.
  • Policies, procedures and processes should be in place to monitor and identify unusual activity.
  • The level of monitoring is dictated by the credit union’s risk assessment, with an emphasis on high-risk products, services, members and geographic locations.


INTERNAL CONTROLS - MONITORING

  • Monitoring systems typically include:
      • Employee identification or referrals;
      • Manual systems;
      • Automated systems; or
      • Any combination.
  • Member Due Diligence Program

INTERNAL CONTROLS – MONITORING: MEMBER DUE DILIGENCE PROGRAM

  • Member Due Diligence (MDD) Program
      • Begins with verifying the member’s identity and assessing the risks associated with that member.
      • Enables the prediction of the types of transactions in which a member is likely to engage.
      • Assists in determining when transactions are potentially suspicious.
      • Should include an enhanced MDD for high-risk members and ongoing due diligence of that member base.
      • Keep current member information.


INTERNAL CONTROLS - REPORTING

  • BSA requires financial institutions to file the following reports with the Financial Crimes Enforcement Network (FinCEN):
      • Currency Transaction Reports (CTRs)
      • CTR Exemption Forms (if applicable)
      • Suspicious Activity Reports (SARs)

CURRENCY TRANSACTION REPORTS

Examiner will assess compliance with the statutory and regulatory requirements for large currency transaction reporting


INTERNAL CONTROLS - REPORTING: CURRENCY TRANSACTION REPORTS

  • Must be filed for each deposit, withdrawal, payment, transfer or other transaction involving currency (cash) of more than $10,000.
  • Multiple transactions by or on behalf of one person in one business day: consolidate the transactions and report them as one if the total exceeds $10,000.
  • Must be filed within 15 days after the date of the transaction.
  • Examples of reportable transactions:
      • Denomination exchanges, IRAs, loan payments, ATM transactions, purchases of certificates of deposit, deposits and withdrawals, funds transfers paid in currency, and monetary instrument purchases.
  • Management should ensure that the credit union has an adequate system to:
      • Aggregate currency transactions throughout the credit union; and
      • Appropriately report currency transactions subject to the BSA requirement.


CURRENCY TRANSACTION REPORT EXEMPTIONS

  • Credit unions may exempt certain types of members from currency transaction reporting.
  • Must file a Designation of Exempt Person form with the Internal Revenue Service (IRS)
  • Two types of exemptions:
      • Phase I
      • Phase II

CURRENCY TRANSACTION REPORTS: PHASE I EXEMPTIONS

  • Categories:
      • A federal, state or local government agency or department.
      • Any entity exercising governmental authority in the U.S.
      • Other financial institutions, to the extent of its domestic operations.
      • Any entity (other than a bank) whose common stock is listed on the New York, American, or Nasdaq stock exchanges (with some exceptions).
      • Any subsidiary (other than a bank) of any “listed entity” that is organized under U.S. law and at least 51% of whose common stock is owned by the listed entity.
  • For entities (other than the first three above):
      • Must file a one-time Designation of Exempt Person form with the IRS within 30 days after the first transaction in currency that the credit union wishes to exempt.
      • The credit union must review and verify the information supporting each designation at least once per year.


CURRENCY TRANSACTION REPORTS: PHASE II EXEMPTIONS

  • Must be either a “non-listed business” or a “payroll customer”
  • “Non-Listed Business” – A business, to the extent of its domestic operations, and only with respect to transactions conducted through its exemptible accounts, that:
      • Has maintained a transaction account at the exempting credit union for at least 2 months;
      • “Frequently engages” in currency transactions with the credit union in excess of $10,000 (meaning 5 or more reportable transactions per year); and
      • Is incorporated or organized under the laws of the U.S. or a state, or is registered as and is eligible to do business within the U.S. or a state.
  • Certain businesses are ineligible for treatment as an exempt non-listed business:
      • Serving as a financial institution or as agents of one (of any type).
      • Purchasing or selling motor vehicles of any kind, vessels, aircraft, farm equipment or mobile homes.
      • Practicing law, accounting or medicine.
      • Auctioning of goods.
      • Chartering or operation of ships, buses or aircraft.
      • Operation of a pawn brokerage.


CURRENCY TRANSACTION REPORTS: PHASE II EXEMPTIONS

      • Engaging in gaming (other than licensed pari-mutuel betting at race tracks).
      • Engaging in investment advisory services or investment banking services.
      • Operating a real estate brokerage.
      • Operating in title insurance activities and real estate closings.
      • Engaging in trade union activities.
      • Engaging in any other activity that may, from time to time, be specified by FinCEN.
  • A business that engages in multiple business activities may qualify for an exemption as a non-listed business as long as no more than 50% of its gross revenues per year are derived from one or more of the ineligible activities listed.
  • “Payroll Customer” – A person who:
      • Has maintained a transaction account at the credit union for at least 2 months;
      • Operates a firm that regularly withdraws more than $10,000 in order to pay its U.S. employees in currency; and
      • Is incorporated or organized under the laws of the U.S. or a state, or is registered as and is eligible to do business within the U.S. or a state.
  • Must file a one-time Designation of Exempt Person form with the IRS within 30 days after the first transaction in currency that the credit union wishes to exempt.
  • As part of that process, the Designation of Exempt Person form must be re-filed every two years, on or before March 15.


CURRENCY TRANSACTION REPORTS: EXEMPTION SAFE HARBOR

  • Safe harbor from civil penalties for the failure to file a CTR for transactions in currency by an exempt person, unless the credit union knowingly provides false or incomplete information, or has reason to believe that the member does not qualify as an exempt member.
  • Safe harbor does NOT apply to the filing of suspicious activity reports (SARs).
  • The credit union must still retain records of funds transferred, or records in connection with the sale of monetary instruments to that person.

SUSPICIOUS ACTIVITY REPORTS (SARS)

Examiner will assess policies, procedures, processes and overall compliance with statutory and regulatory requirements for monitoring, detecting and reporting suspicious activities


INTERNAL CONTROLS - REPORTING: SUSPICIOUS ACTIVITY REPORTS

  • Credit unions are required to file a SAR with respect to the following:
      • Criminal violations involving insider abuse in any amount.
      • Criminal violations aggregating $5,000 or more when a suspect can be identified.
      • Criminal violations aggregating $25,000 or more regardless of a potential suspect.
      • Transactions conducted or attempted by, at or through a credit union aggregating $5,000 or more, if the credit union knows, suspects or has reason to suspect that the transaction:
          • May involve potential money laundering or other illegal activity.
          • Is designed to evade the BSA or its implementing regulations.
          • Has no business or apparent lawful purpose, or is not the type of transaction that the particular member would normally be expected to engage in, and the credit union knows of no reasonable explanation for the transaction.


INTERNAL CONTROLS - REPORTING: SUSPICIOUS ACTIVITY REPORTS

  • Policies, procedures and processes should include procedures for:
      • Designating the person responsible for the identification, research and reporting of suspicious activities;
      • The monitoring and identification of unusual activity;
      • The referral of unusual activity to the appropriate person or department responsible for evaluating unusual activity;
      • Documenting the decision whether to file a SAR;
      • Considering closing accounts as a result of continuous suspicious activity;
      • Completing, filing and retaining SARs and their supporting documentation;
      • Reviewing and evaluating the transaction activity of subjects included in law enforcement requests; and
          • Subpoenas, section 314(a) requests and National Security Letters (NSLs).
      • Reporting SARs to the board of directors, or a committee thereof, and senior management.


INTERNAL CONTROLS - REPORTING: SUSPICIOUS ACTIVITY REPORTS

  • SARs must be filed no later than 30 calendar days from the date of the initial detection of the suspicious activity.
      • 60 calendar days if no suspect can be identified.
  • Board of directors must be notified that SARs have been filed.
  • Examiners will look to the credit union’s overall decision-making process, not individual SAR decisions.
  • Individual SARs may be reviewed to determine the overall effectiveness of the SAR monitoring, reporting and decision-making process.
  • Failure to file a SAR will not be criticized unless the failure is significant or accompanied by evidence of bad faith.
  • Documenting SAR decisions is recommended.


INTERNAL CONTROLS - REPORTING: SUSPICIOUS ACTIVITY REPORTS

  • Must retain copies of SARs and supporting documentation for 5 years from the date of the report.
  • NO disclosure to anyone involved in the transaction that a SAR has been filed.
  • May ONLY inform FinCEN, law enforcement or federal banking agencies.

SUSPICIOUS ACTIVITY REPORTS: SAFE HARBOR

  • Credit union directors, officers, employees and agents that report a suspicious transaction to the appropriate authorities are granted a safe harbor from any civil liability under any law or regulation, regardless of whether such reports are filed pursuant to the SAR instructions.
  • This safe harbor applies to SARs filed within the required reporting thresholds as well as those filed voluntarily on any activity below the threshold.


INTERNAL CONTROLS – RECORDKEEPING

  • Funds Transfers of $3,000 or above
      • Originating credit union
      • Intermediary institution
      • Beneficiary’s institution
  • Money instrument sales between $3,000 and $10,000.
  • Records of both must be retained for 5 years.

INDEPENDENT TESTING

Examiner will obtain and evaluate the supporting documents of the independent testing of the credit union’s BSA/AML compliance program


INDEPENDENT TESTING

  • Should be conducted by the internal audit department, outside auditors, or other qualified independent parties – at least every 12 to 18 months.
  • Results reported to the board.
  • Risk-based, covering all of the credit union’s activities.
  • Program effectiveness
  • Risk assessment evaluation
  • Personnel knowledge and adherence

BSA COMPLIANCE OFFICER(S)

Board of Directors must designate a qualified employee(s) to serve as the BSA compliance officer


BSA COMPLIANCE OFFICER(S)

  • Must be appointed (NCUA Part 748.2)
  • Responsible for management of the credit union’s BSA compliance program
  • Board must ensure the BSA compliance officer(s) has the sufficient authority and resources to administer the compliance program.
  • Line of communication should allow the BSA compliance officer(s) to regularly apprise the board and senior management of ongoing BSA compliance.

TRAINING

All appropriate personnel must be trained in the applicable aspects of the BSA


TRAINING

  • All staff whose duties require knowledge of the BSA, tailored to their specific responsibilities.
  • Should be ongoing, as regulations and staff change.
  • Should include regulatory requirements and the credit union’s internal policies, procedures and processes.
  • Inform board and senior management of changes to the BSA and the implementing regulations.
  • Document training program.
      • Materials, dates and attendance records.
  • The following elements should be included in the training program and materials:
      • The importance the board of directors and senior management place on ongoing education, training and compliance.
      • Employee accountability for ensuring BSA compliance.
      • Comprehensiveness of training, considering specific risks of individual business lines.
      • Training of personnel from all applicable areas of the credit union.
      • Penalties for non-compliance


CUSTOMER/MEMBER IDENTIFICATION PROGRAM (CIP/MIP)

The compliance program must include a written CIP/MIP for all members who open an account after October 1, 2003

CUSTOMER IDENTIFICATION PROGRAM

  • Must be written, approved by the board and incorporated in the compliance program.
  • Must include:
      • Account opening procedures that specify the identifying information obtained from each member; and
      • Reasonable and practical risk-based procedures for verifying the identity of each member.
  • Comparison of identity with government lists.
  • Must retain the identifying information for 5 years after the account is closed.
  • Not required to make and retain copies of photocopies, but if this is done, security must be ensured.


INFORMATION SHARING

Examiner will assess compliance with the statutory and regulatory requirements for information sharing

  • Sections 314(a) and (b) of the USA PATRIOT Act.
  • Two types of information sharing:
      • Between law enforcement and financial institutions [314(a)]; and
      • Between financial institutions [314(b)].


INFORMATION SHARING: 314(A) REQUESTS

  • Between the Credit Union and Law Enforcement
      • FinCEN may require a credit union to search its records to determine whether it maintains or has maintained accounts for, or engaged in transactions with a specified person, entity or organization during the past 12 months (or 6 months if there is a transaction where no account is involved).
      • Must report to FinCEN within 14 days, unless the request specifies otherwise.
      • Must be kept confidential.

INFORMATION SHARING: 314(B) REQUESTS

  • Between Financial Institutions
      • A financial institution must notify FinCEN of its intent to engage in information sharing, and that it has established and will maintain adequate procedures to protect the information.
      • A notice to share information is effective for one year.
      • Should ensure that the other financial institution or association has filed its required FinCEN notice.
      • Cannot share SARs or SAR filing information.
      • If request relates to a transaction subject to a SAR, disclose only the transaction and member information requested.


INFORMATION SHARING – NATIONAL SECURITY LETTERS (NSLS)

  • Written investigative demands that may be issued by the local Federal Bureau of Investigation (FBI) and other federal government authorities to obtain financial records from financial institutions.
  • Highly confidential – examiners will not review.
  • Policies and procedures should be in place to process and maintain confidentiality of NSLs.
  • SARs should not include their existence.
  • Questions regarding NSLs should be directed to the local FBI office.

PENALTIES FOR BSA VIOLATIONS

  • Credit unions
      • Cease and Desist Order (see “Interagency Guidance”)
      • Loss of charter (criminal and civil).
      • Criminal money penalties up to the greater of $1 million or twice the value of the transaction.
      • Civil money penalties.


PENALTIES FOR BSA VIOLATIONS

  • Individuals
      • Removal and bar from banking (criminal and civil).
      • Criminal fine of up to $250,000, five years in prison, or both for willful violations of the BSA and for structuring transactions to evade BSA reporting requirements.
      • Criminal fine of up to $500,000, ten years in prison, or both for violating BSA and any other U.S. law or engaging in a pattern of criminal activity.
      • Civil money penalties.

OFFICE OF FOREIGN ASSETS CONTROL (OFAC) COMPLIANCE

Examiner will review the credit union’s OFAC risk assessment and audit to determine the extent to which an OFAC review is necessary during the BSA examination.


OFAC

  • Requirements are separate and distinct from the BSA, but they share a common national security goal.
  • OFAC regulations require the following:
      • Block accounts and other property of specified countries, entities and individuals.
      • Prohibit or reject unlicensed trade and financial transactions with specified countries, entities and individuals.
      • Reporting blocked and prohibited transactions to OFAC.

OFAC – BLOCKED TRANSACTIONS

  • Must block those that are:
      • By or on behalf of a blocked individual or entity;
      • Are to or through a blocked entity; or
      • Are in connection with a transaction in which a blocked individual or entity has an interest.
  • When requested to make a funds transfer that falls into one of these categories, execute the order and place the funds into a blocked account.
  • Cannot be canceled or amended after it is received by a U.S. financial institution unless authorized by OFAC.


OFAC – PROHIBITED TRANSACTIONS

  • Prohibited transactions with no blockable interest in the transaction (i.e., transaction should not even be accepted).
  • In these cases, the transaction is simply rejected.
  • Examples: transfers between Specially Designated Nationals or Blocked Persons (SDNs).

OFAC - REPORTING

  • Blocked transactions – within 10 days of the occurrence, and annually by September 30 (for those blocked as of June 30).
  • Prohibited transactions – within 10 days of the occurrence.
  • Must keep full and accurate record of each blocked and rejected transaction for 5 years after the date of the transaction.
  • For blocked property, records must be retained for 5 years after the property is unblocked.


OFAC PROGRAM (RECOMMENDED)

  • Risk assessment
  • Internal controls
      • How transactions will be flagged and reviewed.
      • Defining criteria for comparing names to OFAC list.
      • How it will be determined which hits are valid or false (investigation).
      • Reassessment of OFAC filtering system.
      • Prevention of transactions until comparison is made.
      • Updating the OFAC list.
      • Process used to block and reject transactions.
      • Managing blocked accounts.
      • Reporting transactions, blocked accounts and prohibited transactions.
      • Maintaining licensing information.
  • Independent testing (at least annually)
  • Responsible individual
  • Training


RESOURCES

  • MCUL: www.mcul.org (InfoSight)
  • NCUA: www.ncua.gov
  • CUNA: www.cuna.org
  • NASCUS: www.nascus.org
  • FinCEN: www.fincen.gov
  • IRS Detroit Computing Center: (800) 800-2877
  • FinCEN’s Financial Institutions Terrorist Hotline to report terrorist activity against the U.S.: 1-866-556-3974
  • FinCEN’s BSA/AML Examination Manual: www.ffiec.gov/bsa_aml_infobase/pages_manual/manual_online.htm
  • FBI: www.fbi.gov
  • OFAC: www.treas.gov/ofac
