28
New Jersey Bankers Association Senior Management Conference 2016 Engineering an Effective BSA/AML Program Asaad Faquir Director, RSK Compliance Solutions Reliability - Service - Knowledge
New Jersey Bankers Association Senior Management Conference 2016
Engineering an Effective BSA/AML Program
Asaad FaquirDirector, RSK Compliance Solutions
Reliability - Service - Knowledge
• The Office of the Comptroller of the Currency has issued a Consent Order for a Civil Money Penalty of $1 millionagainst Stearns Bank, N.A., St. Cloud, Minnesota. The Comptroller found: – Beginning in March 2010, the Bank became aware of suspicious
transactions associated with the manipulation and fabrication of accounts receivables and factoring invoices.
– The Bank failed to adhere to its internal policies and procedures governing the monitoring and reporting of suspicious activity, including the maintenance of appropriate documentation to support its Suspicious Activity Report (“SAR”) determinations, and failed to file timely SARs.
– By reason of the failure to file timely SARs, the Bank violated 12 C.F.R. § 21.11
Reliability - Service - Knowledge
Recent Enforcement Actions
• Bank of Mingo ($95.7 Million in Assets) – $4.5 Million Penalty– FinCEN states that "Mingo had systemic BSA violations that
derived from its failure to establish and maintain an adequate anti-money laundering program and customer due diligence program. Mingo's program deficiencies led to its failure to monitor, detect and report suspicious activity and to timely file currency transaction reports. Consequently, from 2008 through 2012, Mingo allowed more than $9.2 million in structured and otherwise suspicious cash transactions to flow through the institution unreported.”
Reliability - Service - Knowledge
Recent Enforcement Actions
• Mingo has admitted that "a particular corporate customer structured hundreds of currency transactions through its accounts at Mingo's Williamson Branch. The Williamson Branch Manager facilitated the corporate customers structured transactions to evade the filing of currency transaction reports (CTRs). Mingo was aware of the Branch Manager's structuring scheme, yet failed to file the requisite CTRs and suspicious activity reports related to the high volume of unusual cash transactions conducted by the corporate customer.“
Reliability - Service - Knowledge
Bank of Mingo
• The FDIC issued a Consent Order on 11/1/2013 requiring the Bank to improve its BSA compliance. That order remains in effect. According to the FinCEN Order, "although Mingo designated a BSA Officer, it did not provide the BSA Officer with sufficient resources and time to adequately oversee Mingo's BSA compliance program. Specifically, Mingo assigned the BSA Officer multiple non-BSA responsibilities that left him unable to adequately fulfill his BSA obligations. Mingo was aware of this situation but failed to designate an additional person to support the BSA Officer or otherwise remedy the situation.”
• That customer has pleaded guilty to conspiring to structure currency transactions, and the Mingo Branch Manager pleaded guilty to lying to federal agents about his knowledge of the customer's cash transactions, and separately agreed with the FDIC to be barred permanently from involvement with any federally insured institution.
Reliability - Service - Knowledge
Bank of Mingo
• First National Community Bank (FNCB)– The Bank admitted that it knowingly failed to file
suspicious activity reports on transactions involving illicit proceeds from a judicial corruption scheme spanning over five years, in which two former Pennsylvania judges misused their positions to profit from, among other things, sending thousands of juveniles to detention facilities in which they had a financial interest. One of the judges was on FNCB's Board of Directors and controlled accounts at the Bank through which he processed the proceeds of his illegal activity. Despite several red flags indicating suspicious activity, FNCB did not file a single suspicious activity report related to these accounts until after the judge's first guilty plea in 2009.
Reliability - Service - Knowledge
Recent Enforcement Actions
• August 11, 2014 – Advisory Letter (FIN-2014-A007)– “Shortcomings identified in recent Anti-Money
Laundering (AML) enforcement actions confirm that the culture of an organization is critical to its organization.”
– “Regardless of its size and business model, a financial institution with a poor culture of compliance is likely to have shortcomings in its BSA/AML program.”
Reliability - Service - Knowledge
Culture of Compliance
1. Leadership should be engaged2. Compliance should not be compromised by revenue
interests3. Information should be shared throughout the
organization4. Leadership should provide adequate Human and
Technological resources5. The program should be effective and tested by an
independent and competent third party6. Leadership and staff should understand how their BSA
reports are used
Reliability - Service - Knowledge
Culture of Compliance
• Leaders are responsible for providing direction– Setting a Path of Intended Motion
• Based on assets available• Based on perceived risks• Based on broader bank strategy
– Leaders must be knowledgeable about BSA/AML• Training about BSA/AML• Understanding your BSA/AML program’s obligations• Briefings about the success and failures of your BSA/AML
resources at meeting those obligations– How much do you “know” about your Bank’s
BSA/AML program?
Reliability - Service - Knowledge
Leadership Should be Engaged
• Nothing interferes with the BSA Officer carrying out their duties– A customer’s personal relationships to Board
Members or Senior Executives don’t matter• Fishing buddies• Golfing buddies
• Risk is all that matters…– Risk can be mitigated or deemed acceptable
• Never without your BSA Officer’s input or help – or blessing
Reliability - Service - Knowledge
Compliance Should Not be Compromised by Revenue Interests
• Board and Senior Executives are all-knowing– At least they should be at a high level…
• But communication is often heavily filtered• Compliance should also be all-knowing, but only with
your help– You need to know what they need to know so that
when you know what you know, you can let them know and then they will know what you know and why it is important and why they needed to know it
• Knowing is half the battle– Letting others know is the other half
Reliability - Service - Knowledge
Information Should be Shared Throughout the Organization
• Human = Money– A “qualified” BSA Officer– $78,000+ on Average in New Jersey (salaryexpert.com)
• Technological = Money2
– With great BSA technology comes even greater expenditures
• More things to ensure are working properly– Validation
• More things needed to keep up with “efficiency” of the technology
– People» $72,000+ National Average for BSA Analyst
(glassdoor.com)
Reliability - Service - Knowledge
Leadership Should Provide Adequate Resources
Reliability - Service - Knowledge
AML System Flow
OFACPEP
314A
Anti-Money Laundering Monitoring
Anti-Fraud Monitoring
Customer Activity
(Transactions)
Core System
Funds Transfers
ATM/Debit
Electronic Banking
Trade
Remittance
Customer Risk
Assessment
Case Management
ALERTS
• BSA Risk Assessment• Conceptual Soundness• BSA Staff Training• Employee Training• Policies & Procedures• Culture• Funding
Cash Aggregation & Reporting
Transactions Type “Mapping”
Copyright © 2015 GRC Solutions
• Data Validation– Does the AML system receive good data?– Does the AML system receive all the data?– Does the AML system process all of the good data?
• Model Validation (includes Data Validation)– Are the outcomes/outputs of data processing accurate?– Are the outcomes/outputs being used appropriately?– Are better outcomes/outputs possible?
Reliability - Service - Knowledge
Validations
• How often should we validate our system?– Periodically based on risk.
• Could you be a little more helpful?– Yes. The Bank can determine from its risk profile
how often a validation should occur based on the type of validation (data or model).
Reliability - Service - Knowledge
Validations
• That is more helpful, but can you explain further?– An institution should have a minimum frequency for
validation (by type), established by policy, based on the institution’s risk profile. However, it should be noted that the minimum frequency is a guide mark, and there are numerous events which can happen between validation periods which will impact the risk profile of the institution and trigger an out of cycle validation of either type.
• Core system conversion• Merger or acquisition• New products or services offered
Reliability - Service - Knowledge
Validations
Reliability - Service - Knowledge
AML System Flow
OFACPEP
314A
Anti-Money Laundering Monitoring
Anti-Fraud Monitoring
Customer Activity
(Transactions)
Core System
Funds Transfers
ATM/Debit
Electronic Banking
Trade
Remittance
Customer Risk
Assessment
Case Management
ALERTS
• BSA Risk Assessment• Conceptual Soundness• BSA Staff Training• Employee Training• Policies & Procedures• Culture• Funding
Cash Aggregation & Reporting
Transactions Type “Mapping”
Copyright © 2015 GRC Solutions
• The automated AML system has only one job– Review the entire universe of transactions conducted on a
daily basis at the Bank and generate a list of alerts with details about customers who conducted transactions which seem “interesting” based on a set of prescriptive rules built into the system or behavioral patterns detected based on “logic” built into the system
• 24/7/365 – No sick days and no vacations
• The BSA Officer has many other BSA jobs besides working Alerts and filing SARs– Technically, none more or less important than the next
• 8/5/240
Reliability - Service - Knowledge
Additional People
• Monitoring systems generate numerous alerts per day which need to be reviewed by humans– Average time it takes a human to clear an alert is
about 15-20 minutes• Based on examiner expectation for thorough alert review,
clearing and documentation
• It can take only 32 daily alerts to “exceed” a full day’s worth of work for an average employee– How many alerts are being generated by your system?– How are they keeping up with work?
Reliability - Service - Knowledge
Additional People
• Even more people involved in your BSA/AML program– The one job related to BSA/AML Compliance that
cannot be completed by your BSA Officer• Internal Auditors (Bank staff)• Internal Auditors (external company)• Specialized BSA consulting companies
Reliability - Service - Knowledge
The Program Should be Effective and Tested by an Independent and Competent Party
• Evaluating the skills of the specific people who will be involved in the testing– “Our internal auditor (Bank staff) has been doing BSA
testing for years.”• How independent are they?
– Lunch buddy with the BSA Officer
• How current are they?– Do they receive dedicated BSA/AML training?
• Are they “qualified?”– CAMS or other certifications for BSA/AML
Reliability - Service - Knowledge
BSA/AML Testing Competence
• Skills Evaluation (cont.)– Outsourced auditor or BSA compliance consultant
• Independence – Rarely an issue in most cases• Have they performed testing similar in risk and complexity
before?• Resume or background of the specific individuals who will be
testing your program– Will your bank get the skilled “BSA” team? or the less BSA-specific
“staff” team?» Are they “certified?”
– How current are they on trends and issues?» How do they stay current?
• Do they have knowledge of the systems you use– Core banking and AML
Reliability - Service - Knowledge
BSA/AML Testing Competence
• How do we know our program is effective?– Results of independent testing– Results of examinations
• Is there a better question to ask?– Yes.
• What is the goal of our program?– “Pass our audits and exams”– “Prevent financial crimes from happening through our institution”
» Quality of SAR investigations» Efficiency of AML alert and case reviews
Reliability - Service - Knowledge
Effective BSA/AML Program
• Do you know what reports are filed with FinCEN?– SARs– CTRs– CTR Exemptions– FBARs
• 314(a) Information Sharing Acknowledgements• Are there internal forms used by the Bank?
– Customer Risk forms?– Suspicious Activity Alert forms?– Others?
Reliability - Service - Knowledge
Leadership and Staff Should Understand How Their BSA Reports are Used
• There are 124.6 Million households in the U.S.– 115.9 Million households are “banked” in the U.S.
• Using the traditional “insured” banking system
– Almost 28 Million businesses in the U.S.• Most using a Bank account
– $1,200,000,000,000 in currency in circulation (as of 2013)
– Estimates of $14,000,000,000,000 in daily monetary flows in U.S. Financial Institutions
Reliability - Service - Knowledge
Understanding How Reports are Used
• Local law enforcement• Regional law enforcement• National (Federal) law enforcement• Global cooperation and law enforcement
Reliability - Service - Knowledge
Understanding How Reports are Used
• Knowing how BSA reports are used demonstrates why internal communication is critical to helping us achieve our BSA program goals, demonstrating the effectiveness of our process, which is further verified through testing and validation, which we know is being done by independent and competent people, confirming that we are not compromised by our revenue interests and are appropriately resourced as we attempt to meet our program goals – further evidencing the engagement of our senior leaders with the BSA process and proving that we indeed have a strong Culture of Compliance.
Reliability - Service - Knowledge
Summary
Reliability - Service - Knowledge
Questions
