Bank Secrecy Act (BSA)/Anti-Money Laundering (AML) Compliance Update
Kim Stock, CRCM
The Bank Secrecy Act (BSA)
• The Bank Secrecy Act (BSA) requires all financial institutions, casinos, and certain other businesses to:
  • Monitor customer behavior
  • File reports on transactions that meet certain dollar amounts or on transactions that are suspicious
  • Maintain records of certain transactions
• Financial Crimes Enforcement Network (FinCEN):
  • Bureau of the United States Department of the Treasury whose mission is to safeguard the financial system from illicit use and combat money laundering and promote national security through the collection, analysis, and dissemination of financial intelligence and strategic use of financial authorities.
  • Final interpreter of the Bank Secrecy Act
  • https://www.fincen.gov/
Anti-Money Laundering (AML)
• Anti-Money Laundering (AML)
  • A set of procedures, laws or regulations designed to stop the practice of generating income through illegal actions.
  • Requires financial institutions and other regulated entities to prevent, detect, and report money laundering activities.
• Anti-Money Laundering (AML)
  • Financial institutions aid U.S. government agencies and law enforcement by uncovering criminal activities such as money laundering, drug trafficking, tax fraud, human trafficking and possible terrorist financing.
• High Intensity Drug Trafficking Areas
  • Refer to Handout - High Intensity Drug Trafficking Areas Program Counties
  • https://www.whitehouse.gov/ondcp/high-intensity-drug-trafficking-areas-program
• Money Laundering
  • When illegal money is brought into mainstream circulation.
  • Launderers hide the source of these illegal funds by making a series of intricate transactions.
  • The true source of the money is “washed away.”
  • It has been estimated that more than $300 billion is laundered each year in the U.S. alone.
  • More than 81,000 people are convicted of money laundering on some level each year in the U.S.
• Placement
  • First stage in the washing cycle
  • Money laundering involves a “cash intensive” business generating vast amounts of cash from illegal activities (for example, dealing drugs where payment takes the form of cash).
  • The cash is placed into the financial system, and to avoid detection is transformed into other asset forms, such as purchasing monetary instruments like money orders.
  • "Dirty" money is most vulnerable to detection and seizure during placement.
• Layering
  • Middle stage in the washing cycle
  • Separating the illegally obtained money from its source through a series of financial transactions that makes it difficult to trace the origin
  • A few of the many mechanisms that may be misused during layering are currency exchanges, wire transmitting services, prepaid cards that offer global access to cash via automated teller machines and goods at point of sale.
• Integration
  • Final stage in the washing cycle
  • Where illegal funds are converted into a seemingly legitimate form.
  • Integration may include the purchase of businesses, automobiles, real estate and other assets.
  • Integration of the "cleaned" money into the economy is accomplished by the launderer making it appear to have been legally earned.
  • By this stage, it is exceedingly difficult to distinguish legal and illegal funds.
Filing Reports
• The Currency Transaction Report (CTR)
  • Records cash transactions that exceed $10,000.
  • Current CTR Form - User Test System: http://sdtmut.fincen.treas.gov/news/FinCENBCTR.pdf
  • CTR FAQ: http://www.fincen.gov/whatsnew/html/ctrfaqs.html
• The Suspicious Activity Report (SAR)
  • Records any known or suspected federal violation of federal law.
  • Current SAR Form - User Test System: http://sdtmut.fincen.treas.gov/news/FinCENBSAR.pdf
  • SAR FAQ: http://www.fincen.gov/whatsnew/html/sarfaqs.html
• SAR Stats Publication
  • https://www.fincen.gov/news_room/rp/files/SAR02/SAR_Stats_2_FINAL.pdf
Rank State/Territory Filings (Overall) Percentage (Overall)
1 283,295 14.69%
2 188,850 9.79%
3 149,381 7.75%
4 147,171 7.63%
5 119,477 6.20%
Detecting Suspicious Activity
• Detecting Suspicious Activity
  • A SAR must be filed on any known or suspected federal violation of law
  • Criminal violations involving insider abuse in any amount
  • Criminal violations aggregating $5,000 or more when a suspect can be identified
  • Criminal violations aggregating $25,000 or more regardless of a potential suspect
• Detecting Suspicious Activity
  • Activity not consistent with the customer’s business
  • Unusual characteristics or behavior
  • Customer attempts to avoid reporting or record keeping requirements
  • Insufficient information is provided by the customer
• Detecting Suspicious Activity
  • If you receive a subpoena for a SAR, notify FinCEN and your regulatory agency.
  • Whether the action is ultimately fraudulent is up to law enforcement to decide.
• Human Trafficking
  • Use “ADVISORY HUMAN TRAFFICKING” in the Narrative of the SAR
  • There is no specific check box, so must check “Other Box”
  • https://www.fincen.gov/statutes_regs/guidance/pdf/FIN-2014-A008.pdf
  • Refer to Handout - APPENDIX B: Human Trafficking Red Flags
• Human Trafficking
  • Backpage.com, then select your state, then city, then adult
  • Financial institutions are in a unique position to spot red flags in transaction activity and report them to law enforcement.
  • Homeland Security Awareness Training – Blue Campaign
  • https://www.dhs.gov/xlibrary/training/dhs_awareness_training_fy12/hta01/module.htm?refresh=1&
Record Retention
• Maintaining Records
  • The records related to the identity of a customer must be maintained for five years after the account (e.g., loan, deposit, or trust) is closed.
  • Additionally, on a case-by-case basis (e.g., U.S. Treasury Department Order, or law enforcement investigation), a financial institution may be ordered or requested to maintain some of these records for longer periods.
BSA Compliance Program
• BSA Compliance Program
  • Internal controls
  • Independent Testing
  • An individual responsible for BSA/AML compliance
  • Training for appropriate personnel
Internal Controls
• Internal Controls
  • The Board of Directors (BOD) is ultimately responsible for BSA
  • Creating a culture of compliance
  • Depends on size, structure, risks, and complexity of the financial institution
• Internal Controls should:
  • Identify products, services, customers, entities and geographic locations
  • Provide periodic updates to the risk profile
  • Inform the BOD of compliance initiatives, deficiencies, corrective action taken and when SARs are filed
• Internal Controls should:
  • Meet all regulatory recordkeeping and reporting requirements
  • Identify a person or persons responsible for BSA/AML compliance
  • Provide for dual controls and the segregation of duties
  • Train employees to be aware of their responsibilities under the BSA regulations and internal policy guidelines
Independent Testing
• Independent Testing should:
  • Be conducted every 12 to 18 months
  • Evaluate the BSA/AML compliance program
  • Review the financial institution’s risk assessment
  • Verify adherence to the BSA recordkeeping and reporting requirements (e.g., CIP, SARs, CTRs and CTR exemptions)
  • Review staff training for adequacy, accuracy, and completeness
• Independent Testing should:
  • Evaluate efforts to resolve violations and deficiencies noted in previous audits and regulatory examinations
  • Review the effectiveness of the suspicious activity monitoring systems used for BSA/AML compliance
  • Assess the overall process for identifying and reporting suspicious activity
  • Same person should not conduct BSA training
BSA Officer
• Designating a BSA Officer
  • The BOD must designate a qualified individual to serve as the BSA compliance officer to coordinate and monitor day-to-day BSA/AML compliance.
  • The BOD is responsible for ensuring that the BSA compliance officer has sufficient authority and resources to administer an effective BSA/AML compliance program based on the financial institution’s risk profile.
• A BSA Officer should:
  • Be fully knowledgeable of the Bank Secrecy Act and know the bank’s products, services, customers, entities, geographic locations and the related risks involved
  • Receive periodic training that is relevant to changing regulatory requirements
  • Report SARs filed with FinCEN to the BOD so that they can make informed decisions about overall BSA/AML compliance
BSA Training
• BSA Training should:
  • Be conducted annually and include regulatory requirements and the financial institution’s internal BSA/AML policies and procedures
  • Be tailored to the person’s specific responsibilities
  • Be given to new staff during employee orientation
• BSA Training should:
  • Be documented and include training and testing materials, the dates of training sessions, attendance records and be available for examiner review
  • Be provided to the BOD on an annual basis and documented in the board minutes along with a copy of the training material
Customer Identification Program (CIP)
• CIP
  • After September 11th, President Bush signed into law the Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism (USA PATRIOT) Act
  • The minimum standards required under the USA PATRIOT Act for identifying and verifying the identity of persons opening accounts
• CIP
  • Provide customers with adequate notice that information will be requested to verify their identities before the account is opened.
  • IMPORTANT INFORMATION ABOUT PROCEDURES FOR OPENING A NEW ACCOUNT — To help the government fight the funding of terrorism and money laundering activities, federal law requires all financial institutions to obtain, verify, and record information that identifies each person who opens an account. What this means for you: When you open an account, we will ask for your name, address, date of birth, and other information that will allow us to identify you. We may also ask to see your driver’s license or other identifying documents.
• CIP
  • Name
  • Date of Birth (for individuals)
  • Residential or business street address
  • Tax Identification Number
• CIP Procedures to Verify Identity
  • A list of documents acceptable as primary identification such as driver’s license, valid passport, military ID, valid state I.D. card or U.S. alien registration
  • A list of secondary identification such as an insurance card, social security card, utility bill or voter’s registration card
• CIP Procedures of Non-Documentary Verification
  • Chex Systems
  • Telecheck
  • Credit Reporting Agencies
  • Secretary of State web site for businesses
  • Site visit
• CIP – Three Basic Rules
  • Verify the identity of the person opening the account
  • Maintain records for 5 years after the account is closed
  • Check government lists (Office of Foreign Assets Control) (OFAC)
• CIP FAQs
  • http://www.ffiec.gov/bsa_aml_infobase/documents/BSA_AML_FAQ.pdf
314 (a)
• 314 (a) of the USA Patriot Act
  • Law enforcement submits a formal request to FinCEN naming individuals and businesses that are persons of interest.
  • FinCEN compiles a list, assigns tracking numbers and emails points of contact designated by financial institutions every other Tuesday notifying them that a new request list is available on the Secure Information Sharing System (SISS).
  • https://www.fincen.gov/statutes_regs/patriot/pdf/leinfosharing.pdf
• 314 (a)
  • Required to search records within 14 days
  • Deposit records, loan records, trust department account records, safe deposit records, securities transactions, remitters of monetary instrument sales, funds transfer records (originators and incoming recipients)
  • Document searches
  • Appoint back-up point of contact
314 (b)
• 314 (b)
  • Enables financial institutions to share information with each other if they are registered
  • Must verify the registration of the other institution involved
  • Only if both institutions believe terrorist activity, money laundering or unlawful activity is involved
  • Add to policy and procedures before you register
  • Effective for one year
  • FinCEN provides participating financial institutions with access to a list of other participating financial institutions and their related contact information
BSA/AML Resource
• FFIEC BSA/AML Examination Manual
  • Provides overview of BSA/AML compliance program requirements, risk management expectations, industry sound practices, and examination procedures.
  • This manual was a collaborative effort of the federal and state banking agencies.
  • The Federal Financial Institutions Examination Council (FFIEC) was established in March 1979 to prescribe uniform principles, standards, and report forms and to promote uniformity in the supervision of financial institutions.
  • https://www.ffiec.gov/bsa_aml_infobase/pages_manual/manual_online.htm
Common BSA Findings
• Common BSA Findings
  • Inadequately monitoring suspicious activity
  • Failure to identify and monitor high risk customers
  • Failure to conduct adequate risk assessments
  • APPENDIX J: QUANTITY OF RISK MATRIX https://www.ffiec.gov/bsa_aml_infobase/pages_manual/OLM_110.htm
  • BSA/AML Risk Assessment - Overview https://www.ffiec.gov/bsa_aml_infobase/pages_manual/OLM_005.htm
• Common BSA Findings
  • Inadequate BSA/AML training for the employees and the BOD
  • Failure to obtain independent testing
  • Failure to file a CTR
  • Failure to search records for 314(a) in a timely manner
  • Failure to identify and monitor Money Service Business (MSB) customers
• Common BSA Findings
  • Failure to obtain minimum CIP information
  • Failure to file a timely SAR
  • Failure to monitor wire transfers
  • Failure to monitor monetary instrument sales
  • BSA officer lacks expertise and knowledge of the regulations
Penalties for Noncompliance
• Violations of BSA requirements may hold the following penalties:
  • Civil penalties of $1,000 per day for each day of noncompliance
  • A penalty of $500 per violation of the recordkeeping requirements of the BSA
  • Willful violations may cause civil penalties in an amount equivalent to that of the transaction or $25,000, whichever is greater
• Violations of BSA requirements may hold the following penalties:
  • If a required CTR is not filed within 15 calendar days, a $10,000-per-day civil penalty may be imposed until it is filed
  • Continued noncompliance can result in the issuance of a “Cease & Desist” order from the FDIC
  • BSA/AML is a safety and soundness issue which affects your CAMEL rating and the growth of your institution
• Penalties for Noncompliance:
  • Any individual who willfully violates the structuring provisions may be fined $250,000 and/or imprisoned for five years.
  • Any individual who willfully violates the structuring provisions while violating another federal law may be fined $500,000 or imprisoned for ten years.
• Penalties for Noncompliance:
  • It is extremely important for financial institutions to inform their employees that it is not necessarily the financial institution that will suffer the penalty for non-compliance, but it could actually be the employee paying the fine and going to jail.
• Penalties for Noncompliance:
  • Most recently in March of this year, the Office of the Comptroller of the Currency (OCC) issued a consent order for the payment of a $2,500 civil money penalty and order to cease and desist to the former chief compliance/risk officer of Gibraltar Private Bank and Trust Company in Florida.
  • The OCC previously issued a $4 million civil money penalty order to Gibraltar Private Bank and Trust Company for willful anti-money laundering compliance violations.
• Penalties for Noncompliance:
  • The chief compliance/risk officer was found to have failed to timely file suspicious activity reports after being informed by the BSA officer of suspicious activity of a customer who was later convicted of operating an illegal Ponzi scheme.
  • The OCC also found that the chief compliance/risk officer’s failure to file the SARs was part of a pattern of misconduct that caused more than a minimal loss to the bank. He was ordered to share a copy of the Consent Order with the BOD of any financial institution with which he becomes affiliated.
• Penalties for Noncompliance:
  • The Federal Deposit Insurance Corporation (FDIC) determined the Bank of Mingo in West Virginia failed to implement an effective BSA/AML Compliance Program over an extended period of time
  • $4.5 million civil money penalty assessed on June 15, 2015, against the financial institution with only $96 million in assets
• Penalties for Noncompliance:
  • Inadequate internal controls resulted in unacceptable risk to the financial institution
  • Financial institution failed to file multiple currency transaction reports and suspicious activity reports associated with this risk
  • The branch manager pled guilty to making false statements to federal agents regarding suspicious banking activity conducted by a business customer and was sentenced to three years’ probation and fined $5,000.
• Cease and Desist:
  • The Federal Reserve recently issued a Cease and Desist Order on April 12, 2016 to CommerceWest Bank in Irvine, California.
  • Examiners identified significant deficiencies in risk management and compliance relating to anti-money laundering including the Bank Secrecy Act, resulting in a compliance program violation.
• The plan shall address:
  • Strengthen board oversight of the bank’s compliance with BSA/AML requirements
  • Submit an enhanced written BSA/AML compliance program which contains enhanced internal controls, independent testing, effective training and a risk assessment that identifies and considers all products, services, customer types and geographic locations
  • Submit a revised program for conducting appropriate levels of customer due diligence
• The plan shall address:
  • Submit an enhanced program for monitoring and reporting suspicious activity
  • Conduct a review of account and transaction activity associated with high risk customers
  • Submit a written program for review of new products, services and business lines and assess potential compliance, reputational, fraud and credit risks including approval by the BOD
  • Submit an enhanced program for accurately filing CTRs
What’s Next?
Changes to Currency Transaction Report (CTR)
• FinCEN is proposing changes to the CTR
  • A new part of the CTR to record separate locations for where the report is filed and where the transaction took place
  • Rename “courier service” to “common carrier”
  • Facilitate reporting dollar values of multiple transactions without filing multiple CTRs
• FinCEN is proposing changes to the CTR
  • Indicate shared branching transactions
  • Clarify which employees count as a teller
  • Comments were due April 4, 2016
  • https://www.federalregister.gov/articles/2016/02/02/2016-01825/proposed-collection-comment-request-bank-secrecy-act-currency-transaction-report-bctr-revised-layout
Customer Due Diligence
• Customer Due Diligence
  • Effective Date Unknown
  • Still a proposal, comments were due last October 3, 2014
  • Will become effective one year from the date the final rule is issued
  • It is expected that FinCEN will move forward and require the identification of beneficial owners
• Enhanced Requirements
  • Establishing and verifying the identity of customers
  • Establishing and verifying the identity of beneficial owners
  • Understanding the nature and purpose of customer relationships
  • Monitoring to maintain and update customer information and to identify and report suspicious transactions
• Collection of Beneficial Ownership
  • Facilitates tax reporting
  • Increases the transparency of U.S. legal entities
  • Facilitates global implementation of international standards
  • Increases efficiency in monitoring accounts for suspicious activity
• Beneficial Owner
  • Definition is two-pronged – focusing on ownership and control
  • Ownership – any individual who directly or indirectly owns 25% or more of the equity interests of a legal entity customer (no more than four individuals)
  • Control – one individual with significant responsibility to control, manage or direct a legal entity, including an executive officer, senior manager or anyone who performs similar functions
• Standard Certification Form
  • Requires an individual at account opening to provide each beneficial owner’s name, date of birth, address and social security number (for U.S. persons or other similar identification for foreign persons)
  • Requires an individual to certify the genuineness of the information provided
• Standard Certification Form
  • Financial institutions should retain this form and any related identifying information collected for five years after the date an account is closed
  • Located on pg. 22 at the following link: http://www.fincen.gov/statutes_regs/files/CDD-NPRM-Final.pdf
  • Refer to Handout
• Amendments to the “Pillars” of the AML Program
  • Add a Fifth Pillar: Appropriate risk-based procedures for conducting ongoing CDD that include:
    • Understanding the nature and purpose of the customer relationship in order to develop a customer risk assessment
    • Conducting ongoing monitoring to maintain and update customer information and to identify and report suspicious transactions
Questions?