Drug Trafficking Offences Act 1986

Transcription

- Hi, I'm Kathy Moe, Deputy Regional Director for the San Francisco Region of the Division of Risk Management Supervision. It is my pleasure to welcome you to this presentation on the Bank Secrecy Act or BSA, Anti-Money Laundering or AML, and Office of Foreign Assets Control, or OFAC. This video focuses on what you, as a director, should know about some of the basic risks and responsibilities associated with BSA compliance. This video is one of several that are being developed as part of the FDIC's Community Banking Initiative. Here with me today are: Christy Cornell-Pape, Special Activities Case Manager for the Division of Risk Management Supervision in the San Francisco Region, and Dan McCarthy, Examiner for the Division of Risk Management Supervision in the Orange County Field Office. I would now like to turn over the presentation to Dan. - The Bank Secrecy Act was passed by Congress in 1970, and established requirements for record-keeping and reporting by banks and other financial institutions. The records filed and maintained under the requirements of the Bank Secrecy Act enable law enforcement and regulatory agencies to pursue investigations of criminal, tax, and regulatory violations. Such investigations could include income tax evasion, money laundering, fraud, illegal drug trafficking, and terrorist financing activities. The Financial Crimes Enforcement Network, or FinCEN, is a bureau of the U.S. Treasury, and is the delegated administrator of the Bank Secrecy Act. FinCEN issues regulations and interpretative guidance, provides outreach to regulated industries, supports examination functions performed by federal banking agencies, and pursues civil enforcement actions when necessary. FinCEN relies on the federal banking agencies to examine banks for compliance with the Bank Secrecy Act. The FDIC is responsible for the oversight of state nonmember banks for which it is primary federal regulator. U.S. Code section 1818[s] implemented the Money Laundering Control Act of 1986, augmenting the BSA's effectiveness. The 1986 statute directed banks to establish and maintain procedures reasonably designed to ensure and monitor compliance with the BSA. This is the only area of bank governance where bank policy, and the specific requirements of bank policy, are mandated by statute. BSA statutes also mandate formal corrective programs, such as a Consent Order, for uncorrected BSA problems or unsatisfactory BSA/AML programs. BSA deficiencies can impede a bank's strategic options such as, merger, acquisition, or branching activity. Furthermore, extremely serious or ongoing BSA problems resulting in a criminal conviction related to money laundering, cash transaction reporting offenses, or other criminal violations of the BSA or related regulations may lead to a termination of deposit insurance. Because these potential consequences are so severe, we want to make sure that bank board members have a full understanding of the BSA/AML requirements. - The Bank Secrecy Act is a requirement for all financial institutions, including banks. The BSA requires banks to maintain records and file currency reports for certain transactions involving cash. It also requires banks to file reports when they detect unusual or suspicious activity. These documents filed in association with the Bank Secrecy Act provide law enforcement a method to identify potentially illegal activities and follow the flow of money. Other entities determined to be financial institutions must also comply with the Bank Secrecy Act. One of the largest categories of financial institutions is that of Money Services Businesses, which includes entities such as check cashers and money transmitters. Other financial institutions include securities and commodities firms; casinos and card clubs; insurance companies; precious metals dealers; and loan or finance companies and pawnbrokers. In order to combat money laundering, terrorist financing, and other illicit activities, banks are under a regulatory mandate to maintain a BSA/AML program that provides policies and procedures designed to promote compliance. As a requirement of the law, the bank must develop, administer, and maintain an effective program for compliance with the BSA and all of its implementing regulations. The bank's BSA/AML Program must be written and approved by the bank's board of directors [generally on an annual basis], with appropriate notation in the minutes. The program should be designed to meet regulatory requirements, mitigate the bank's specific BSA/AML risks, and be fully implemented. The BSA/AML program must include the following components: a system of internal controls, independent review, a knowledgeable BSA Officer, and appropriate training of bank personnel. These are commonly referred to as the "Four Pillars." Banks must also have a Customer Identification Program, which is sometimes referred to as the "Fifth Pillar." Now we are going to cover each of the five pillars in more detail. - The first pillar, internal controls, consists of the policies, procedures, and processes designed to manage, monitor, and control BSA risks and achieve compliance with BSA regulations. The level of sophistication should be commensurate with the bank's overall risk profile, including factors such as customer type, location, size, structure, and complexity of products and services offered. Violations of the internal control pillar commonly result when control systems are seriously lacking, ineffective, or insufficient in relation to the risk profile of the bank. - The second pillar, independent review, should be conducted by qualified independent parties, generally every 12 to 18 months, commensurate with the bank's BSA risk profile. The review itself should be a risk-based process, and may be performed by in-house or external personnel as long as they are both qualified and independent of the BSA function. For example, the BSA review could be completed by the bank's consumer compliance officer as long as the individual has sufficient BSA knowledge and is independent of the BSA function. Review or audit findings should be provided directly to the board. Violations of the independent review pillar commonly result when no review was completed, the review was not independent, or the review was incomplete, ineffective, or conducted by unqualified individuals. - The third pillar is that of the BSA Officer. Even though the Board of Directors retains ultimate responsibility for compliance with the BSA, the board must designate a qualified individual to serve as BSA officer and take responsibility for overall BSA/AML compliance. The BSA officer must have sufficient authority, as granted by the Board, knowledge of the BSA, and appropriate resources to effectively administer the BSA program. Violations of the BSA Officer pillar commonly result when the bank has no BSA Officer, the BSA Officer lacks the necessary authority, or the individual acting as the BSA Officer lacks the expertise, effectiveness, or resources to adequately perform the job. - The fourth pillar, training, should be tailored to a bank employee's job duties. Training should address regulatory requirements as well as the bank's own policies, procedures, and processes. The board of directors and senior management should be informed of changes and new developments in the Bank Secrecy Act and implementing regulations and guidelines. Although the board of directors may not require the same degree of training as bank personnel, the directors need to understand the importance of BSA regulations, the ramifications of noncompliance, and the risks posed to the bank. Training should be ongoing and incorporate current developments and changes to the regulations or guidelines. Training should be documented, reinforce the importance of BSA/AML compliance, and reiterate everyone's roles and responsibilities in ensuring an effective program. Effective training programs should allow the trainees the opportunity to ask questions and provide sufficient accessibility to ensure all employees have a better understanding of their roles and responsibilities in relation to the BSA. Face-to-face training is an effective method to ensure such interaction. Violations of the training pillar commonly result when a bank lacks sufficient training records, the training is inadequate in relation to the employees' job duties, or the training has not been effective, resulting in significant weaknesses in internal controls. - The final pillar is the Customer Identification Program. This pillar implements regulations adopted by Treasury to implement provisions of the USA PATRIOT Act. These regulations were established to ensure that bank personnel collect information sufficient to form a reasonable belief of each customer's true identity. The Customer Identification Program must include account opening procedures and customer verification methods. Procedures must include collection of minimum requirements, but additional documentation and verification methods may be risk-based. - The Bank Secrecy Act also establishes other basic requirements, including recordkeeping responsibilities, BSA reporting, and suspicious activity monitoring. Effective BSA/AML compliance programs include controls designed to highlight unusual or suspicious activities and transactions that may indicate potential money laundering, terrorist financing, and other schemes designed for illicit purposes. Often, individuals involved in suspicious activity will use a combination of several types of unusual transactions in an effort to confuse or mislead anyone attempting to identify the true nature of their activities. - Banks are required to submit reports to the Financial Crimes Enforcement Network, or FinCEN, including Currency Transaction Reports, the Designation of Exempt Persons, and Suspicious Activity Reports. Currency Transaction Reports, or CTRs, and Suspicious Activity Reports, or SARs, are the primary means used by banks to provide information on financial transactions for review by law enforcement. Through these reports, and the related supporting documentation, a paper and audit trail is maintained. Since these reports and records have a high degree of usefulness in criminal, tax, and regulatory investigations and proceedings, the recordkeeping regulations also require that management maintain financial records, which must be provided upon request for specified time periods. - Banks are required to file CTRs for transactions of over $10,000 in cash received, paid out, or exchanged. CTRs provide several data elements of personal information on each party involved in a transaction. The information required in the CTR form is forwarded electronically by the bank to FinCEN, for inclusion in a searchable data base. As such, the validity of each data element is essential to the investigation process. - Some customers may be exempted from the filing of CTRs under specific conditions and circumstances detailed in the Designation of Exempt Persons section of the underlying BSA regulations. When a bank chooses to exempt a customer from CTR filings, the bank must file a "Designation of Exempt Persons" form in accordance with the regulatory requirements and instructions. Businesses may be determined to be eligible for exemption after they have conducted five or more reportable transactions within a year, and have maintained a relationship with the bank for at least two months. An annual review is required for businesses listed on a national stock exchange, other businesses determined to be eligible, and payroll customers. Exemption forms are not required for bank customers who are other domestic banks or are U.S. or state government entities. - Banks are required to file Suspicious Activity Reports, or SARs, when illicit or suspicious activity over a certain dollar amount is identified. If the suspicious activity is conducted by a bank insider, there is no dollar minimum. The information required in SAR filings is extremely important to law enforcement because SARs may link suspect relationships by any of the data elements. These forms also provide the ability to report specific personal data on more than one suspect, including suspects which may not be directly known to the bank but might be identified through known business relationships or the sources or uses of funds. - Generally, all reports filed under the Bank Secrecy Act and the related financial records must be maintained for a period of five years, typically from the date of the transaction or the date of account closure. - The process of monitoring, identifying, investigating, and reporting unusual or suspicious activity is the cornerstone of BSA/AML compliance. This process involves the integration of all aspects of the bank's program and requires satisfactory implementation of all of the components we have previously discussed. Suspicious activity reports are not just filed for potential money laundering, but are also filed on a variety of other potential criminal activity including terrorist financing; tax evasion; various types of fraud, including loan fraud and check kiting schemes, and computer intrusion. The bank is not responsible for finding evidence of or proving an underlying crime, but must file SARs when they determine that the activity is unusual or suspicious, or has no business or apparent lawful purpose. Management should provide regular reports to the board that include a summary of SAR filing data. Management should also provide sufficient information to allow the Board to understand the suspicious activity that is conducted against and through the bank. SARs are highly confidential, and cannot be shared outside of the bank or disclosed to the suspect. Disclosure of a SAR or its existence to an outside party, or to the suspect, violates Federal regulations. External requests for SARs, including subpoenas, should be reported to your regulatory agency and FinCEN. Your SARs, combined with SARs filed by other financial institutions, can possibly link together complex criminal activities and assist law enforcement in both active and new cases. - As part of a strong monitoring program and an effective BSA/AML risk management process, the board should provide guidelines on managing and limiting risk from ongoing suspicious activities. As part of this process, management should establish procedures that outline how the bank will address recurring SAR filings. These procedures should include an escalation process for reviewing of these accounts, including a determination if such accounts should be closed. When activity is unusual and the need is determined to be immediate, management should contact local law enforcement before filing the SAR. An effective BSA program also includes additional components, such as a BSA/AML risk assessment, Customer Due Diligence, and Enhanced Due Diligence. We will discuss each of these areas in more detail. Risk Assessments provide a key link in developing appropriate policies, procedures, and processes in relation to the bank's risk profile. Without an effective assessment of BSA risk, controls may be too constrictive, resulting in excessive costs, or too lax, resulting in insufficient control structures. The bank's overall risk assessment should include all areas of the bank. - A well-developed BSA/AML risk assessment is critical in identifying the bank's higher-risk activities and customers, and determining related risks. The risk assessment should, at a minimum, identify and analyze the specific risk categories, such as products, services, geographies, customers, entities, and transactions that are unique to the bank. The bank should review its internal control structure to ensure BSA risks are adequately mitigated to an acceptable level. If a risk for a product or service is considered excessive, then management should develop an action plan for strengthening controls or exiting the business line. - The concept of Customer Due Diligence is a basic tenet of BSA/AML controls and should be incorporated for all customers of the bank. Customer Due Diligence and Enhanced Due Diligence procedures ensure that the bank gathers and maintains an appropriate level of information about its customer. Customer Due Diligence is used to develop a customer risk profile, with the objective to enable the bank to predict, with relative certainty, the types of transactions the customer will conduct. Customer Due Diligence information should be sufficient to develop an understanding of normal and expected activity for the customer's occupation or business operations. This due diligence information can assist in effectively identifying unusual and suspicious activity. Such information assists the bank in assessing baseline customer risk and developing expectations about customer behavior. Some customers pose a high risk of potential illicit activity and present increased BSA/AML risks. These customers should be subjected to "enhanced" due diligence, or a deeper level of review and understanding of their account activity. - In addition to complying with the BSA, banks must also comply with the Office of Foreign Assets Control, or OFAC. This office of the U.S. Treasury administers and enforces economic and trade sanctions based on U.S. foreign policy objectives and national security goals. Sanctions can be issued against targeted foreign countries and regimes, individuals, entities, and practices. These include: terrorists; international narcotics traffickers; transnational organizations, such as cartels, and those engaged in activities related to the proliferation of weapons of mass destruction. All U.S. persons, including U.S. banks, bank holding companies, and non-bank subsidiaries must comply with OFAC regulations. This applies not only to U.S. banks and their domestic entities, but also to their foreign branches and often overseas offices and subsidiaries. - The sanctions programs administered by OFAC require that the institution either block accounts and other property, or prohibit or reject unlicensed trade and financial transactions, depending on the specifics of the OFAC sanction. The Office of Foreign Assets Control has the ability to assess Civil Money Penalties for processing or engaging in an apparent violation of a U.S. sanctions program. - OFAC operates under a clause of strict liability. This means that the processing of a sanctioned transaction will result in an apparent violation of law. Such a violation can subject the bank to Civil Money Penalties. When determining whether a CMP is appropriate, or in calculating the CMP amount, OFAC's Economic Sanctions Enforcement Guidelines recommends the review of the existence, nature, and adequacy of the bank's OFAC compliance program, including the views of the institution's regulator. While not required by specific regulation, but as a matter of sound banking practice and in order to ensure compliance, banks should establish and maintain an effective, written OFAC compliance program commensurate with their OFAC risk profile. Just as with the BSA compliance program, a risk assessment is also a fundamental element for a sound OFAC compliance program. The OFAC program should identify high-risk areas, provide for appropriate internal controls for screening and reporting transactions and account information, establish independent testing for compliance, designate a bank employee as responsible for OFAC compliance, and create training programs for appropriate personnel. - In order to comply with sanctions, banks need to complete comparisons or reviews of the customer base and transaction activity against current OFAC lists. Lists include OFAC's Specially Designated Nationals and Blocked Persons List as well as broader prohibitions outlined in country-based sanctions programs. Scans of products and services, including accounts and transactions, for possible OFAC "matches," are an essential OFAC control. New scans should be completed every time the OFAC lists are updated. When OFAC adds new information to its sanctions listings, management should ensure that its software contains the appropriate updates and then rescan the existing database. The frequency, method, and scope of scans should also be commensurate with the OFAC risk of the product, service, geographic location, and customer base. For example, wire transfers, particularly international wires, are considered to have a high OFAC risk and all outgoing wires should be checked prior to transmission. - BSA risks are subject to ongoing change. Emerging risks include new products, services, transactions, and off-book items, which can be encountered by the bank including Third-Party Payment processors, remote deposit capture, and stored value card relationships. Third-party payment processors are bank customers that provide payment-processing services, typically to merchants and other business entities. These processors can serve a variety of merchants, including international merchants and higher-risk businesses such as prepaid travel, Internet gaming, dietary supplements, and more. Since the processors are generally not subject to BSA/AML regulatory requirements, they may expose the bank to money laundering, identity theft, illegal or illicit transactions [such as non-taxed tobacco products or sales of medication without a prescription]. The bank is the ultimate processing entity for these transactions. As such, the bank retains responsibility for monitoring, identifying, and reporting unusual or suspicious activities on the underlying transaction activity, even though the processors' customers may not be direct customers of the bank. - Remote deposit capture is a means of depositing checks into bank accounts by scanning and transmitting the digital image to a bank. Remote deposit capture can expose the bank to increased risks of money laundering, fraud, and compromised transmission of financial data. It is imperative to develop effective policies, procedures, and processes to establish sound controls for this area, including creating customer parameters and establishing effective monitoring methodologies. Risk in stored value card relationships can vary depending on the nature and customer base of the prepaid activity, as well as the bank's role in that activity. For example, if the bank is the card issuer and processor, its risks and responsibilities would be greater than it is only processing the transactions. Some card programs, such as government benefit cards or payroll cards, can have relatively low-risk profiles; however, since the bank is ultimately processing the transactions, efforts must be made to ensure that the activity is within the expected purpose and parameters of the program. Higher-risk stored value cards can pose an extreme money laundering risk to the bank and must be closely monitored for unusual or suspicious activities. For instance, a reloadable card purchased at a retail location that includes high dollar limits and no spending restrictions would be considered an extremely high-risk product. Many stored value products can allow reloading of cards anywhere and can be used for any type of purchase or funds transmission, both domestically and internationally. - Enforcement actions can be issued by your regulator for BSA/AML and OFAC program deficiencies. Informal actions, such as a Board Resolution or Memorandum of Understanding, can be used when there are a limited number of violations or deficiencies, which do not compromise the overall BSA program. Severe violations or deficiencies, even if previously unidentified, may rise to a level of severity for the regulator to issue a formal enforcement action. In compliance with statute, as discussed in the July 19, 2007 Interagency Statement on Enforcement of BSA/AML Requirements, formal enforcement actions, such as Consent Orders, are required for BSA/AML deficiencies when the overall program is considered to be deficient or a BSA/AML program violation is cited. Formal actions are also required when repeat problems indicate that management has failed to take corrective action in a timely and cohesive manner. In addition, depending on the nature and duration of the deficiencies or inappropriate activity, the bank, its board members, and key employees could be subject to Civil Money Penalties. - Additional information on BSA/AML and OFAC can be found at www.fdic.gov. You can also learn more from the Financial Crimes Enforcement Network, or FinCEN, at www.fincen.gov and, the Office of Foreign Assets Control at www.treasury.gov/ofac. Other guidance is located at the FDIC Directors Resource Center at www.fdic.gov/ resourcecenter. If you have questions or comments, please email the FDIC at: [email protected]. - We have reviewed the basic tenets of a sound BSA program and many of the issues currently impacting BSA/AML compliance. To enhance the Board's understanding of their responsibilities and provide for the oversight of a strong BSA/AML program, we have discussed the following key concepts: The applicability of BSA/AML requirements to your bank, components of a strong and effective BSA/AML program, BSA recordkeeping and reporting requirements, the process for monitoring, identifying, investigating and reporting unusual or potentially suspicious activity, the importance of understanding the risk profile of your bank in order to develop appropriate policies and procedures, the application of appropriate customer due diligence to existing and emerging customer activity; and finally, understanding the risks and controls necessary for OFAC compliance. In closing, we want to thank you for viewing this video, and we hope that the information presented, as well as information provided in the referenced guidance, will assist you and your bank in managing a satisfactory BSA/AML program.