Bank Secrecy Act Compliance for Experts June 27, 2012 · 2012. 6. 27. · Presenters John Misgen,...


  • Bank Secrecy Act

    Compliance for Experts

    June 27, 2012

  • Presenters

    John Misgen, CPA

    • Senior Compliance Consultant with CliftonLarsonAllen LLP for more

    than six years

    • Has provided regulatory compliance assistance, including

    BSA/AML/OFAC testing, to financial institutions ranging from less

    than $5 million in assets to more than $1 billion in assets.

    Jeffrey Pratt

    • Deputy Assistant Director, Office of Compliance, Financial Crimes

    Enforcement Network

    • The Office works to better ensure industry compliance with

    the Bank Secrecy Act. The Office also tracks the performance of

    financial institutions experiencing significant Bank Secrecy Act

    compliance deficiencies.

  • Overview of the Regulations

    Bank Secrecy Act

    USA Patriot Act

    Office of Foreign Assets Control

  • Staying Current With Changes

    FinCEN provides a Weekly Digest Bulletin

    via email

    – https://public.govdelivery.com/accounts/USFINCEN/subscriber/new?preferences=true

    NAFCU provides a daily compliance blog via

    email

    – http://nafcucomplianceblog.typepad.com/nafcu_weblog/


  • BSA/AML Risk Assessment

    • Many effective methods and formats for

    conducting the risk assessment

    • The development of the BSA/AML risk

    assessment generally involves two steps

    • Business accounts pose more risk;

    additional time and resources are needed

    to perform these assessments

  • BSA Compliance Program

    Management should structure the financial

    institution’s BSA/AML compliance program

    to adequately address its risk profile

    The BSA/AML compliance program must

    provide for at least four requirements at a

    minimum

  • CIP Requirements

    • Each financial institution must implement a

    written CIP

    • The CIP must be incorporated into the

    financial institution’s BSA/AML compliance

    program

  • CIP Requirements

    • Three basic rules

    – Verify

    – Check

    – Maintain

    • Verifying identity requires five important

    pieces of information

    • Notice displayed where accounts are

    opened

    • Obtain information to assess account risk

  • CIP: Lack of Verification

    • CIP must include procedures for when ID

    can’t be verified

    • Examples:

    – Unable to provide ID

    – False/modified ID

    – Online account opening

    – Red Flags

  • CIP: Comparison with Govt Lists

    The CIP must include procedures for

    determining whether the member appears

    on any federal government list of known or

    suspected terrorists or terrorist

    organizations.

    – OFAC Specially Designated Nationals (SDN) List

    – Must be done at time of account opening or earlier

  • CIP: Use of Other Parties

    Permitted to rely on another financial

    institution if addressed in CIP and certain

    criteria are met.

    Permitted to rely on third parties, but credit

    union is ultimately responsible

  • Member Due Diligence

    Must have procedures in place to have a

    “reasonable expectation of the types of

    transactions a member conducts.”

    • At account opening

    • High-risk members and their transactions

    should be reviewed more closely

  • Member Due Diligence

    • Determine which reports currently being

    used will address any of the risks needing

    monitoring

    • Business accounts create additional

    inherent risk and need additional

    monitoring

    • Every institution has specific risks.

    • Member due diligence procedures should

    be documented

  • Suspicious Activity Monitoring

    Most common is money laundering

    Other common types of suspicious activity

    • Check Fraud

    • Check Kiting

    • Counterfeit Check

    • Counterfeit Credit/Debit Card

    • Credit/Debit Card Fraud

    • Loan Fraud

    • Wire Transfer Fraud

    • Identity Theft

  • Detecting Suspicious Activity

    • Examples of Suspicious Activity

    • Credit unions should have a means for

    front line staff to report suspicious activity

    to a supervisor or BSA Officer

    immediately.

  • Detecting Suspicious Activity

    • Need adequate monitoring system

    – Determining whether manual or automated software

    is needed

    – Understanding the filtering criteria of a surveillance

    monitoring system is critical

    • Should establish policies, procedures, and

    processes for identifying and monitoring

    subjects of law enforcement requests

  • Shared Branching

    CTR Requirements

    – “By, through, or to”

    – FinCEN Ruling 2001-1

    Establish written protocols

    Aggregation

  • Shared Branching

    SAR Requirements

    – “By, at, or through”

    – Confidentiality

    Determine Risk

    Importance of Communication

  • Shared Branching

    Agent status

    314(b)

    Money Laundering/Terrorist Financing

    FIN-2009-G002

    “information relating to transactions that may involve the proceeds of one or more specified unlawful activities remain within the protection of the section 314(b) safe harbor from liability”

  • Shared Branching

    SAR Joint Filing

  • Electronic Filing Dates

    Mandatory Electronic Filing – July 1, 2012

    New CTR and New SAR required – March 31, 2013

  • FinCEN’s View on Monitoring

    Manual vs. Automated

  • Reporting Suspicious Activity

    Do you know when a SAR is required to be

    filed?

    Do you know there is a safe harbor for SARs

    filed?

  • Reporting Suspicious Activity

    • A SAR must be filed within 30 days after

    the initial detection if the suspect is known.

    • You have up to 60 days, if suspect is not known.

    • Narrative—Be complete!

    • Keep but do not file supporting documents

    • Account should be monitored for

    continuing activity

  • Reporting Suspicious Activity

    • All investigations should be documented

    • Required reporting to the board

    – Board or an appropriate board committee

    – Regulations do not mandate a particular notification format

  • Confidentiality of SARs

    • Highly confidential!

    • Only those in the credit union who need to

    know should be informed of a SAR

    • DO NOT TELL MEMBER

    • This should be included with each training

    session (employees and board)

  • Currency Transaction Reporting

    • Currency = coin and paper money of the

    U.S. or any other country designated as

    legal tender

    • Cash Transactions > $10,000

    • CTRs must be filed with FinCEN within 15

    days after the date of the transaction

    – You have up to 25 calendar days if you are E-Filing

    (until March 31, 2013)

  • CTR Reporting

    All beneficiaries must be reported – Gets

    confusing!

    • For deposits, all those who are known to

    benefit from the transaction must be

    identified on the CTR.

    • For withdrawals, only person conducting

    transaction unless…

    • Examples

  • CTR Reporting

    For businesses:

    • sole proprietorships

    • separate legal entity with a TIN - general

    rule

    • Separately incorporated entities are

    presumed to be independent persons,

    unless information shows otherwise

    • Examples

  • CTR Exemptions

    • Not required to exempt

    • 2 phases – Phase I and Phase II

    – Phase I

    – Phase II

  • Currency Purchases of

    Monetary Instruments

    • Recordkeeping only required if daily

    purchases aggregate to $3,000 or more

    • Requirements for member purchases

    • Non-members = need more

    • Need to have a process in place to

    aggregate multiple purchases at multiple

    branches < $3,000 if daily aggregation is

    $3,000 or more

  • Funds Transfers Recordkeeping

    • Originator responsibilities

    • Beneficiary responsibilities

    • Must be retrievable by name and account

    number for five years

    • Must have a process to monitor funds

    transfers for suspicious activity

  • OFAC

    Should conduct an OFAC risk assessment

    Should have policy and procedures

    • Designate an OFAC officer

    • Independent testing

    • Screening requirements

    • How to determine and document whether OFAC hit is

    valid or false-positive

    • Procedures for reporting blocked funds to OFAC

    • Training

  • Commonly Cited Violations

    In the news:

    • 2010: Wachovia Bank $110,000,000

    • 2010: Pamrapo Savings Bank $5,000,000

    • 2010: ABN AMRO Bank $500,000,000

    • 2011: Zions First Nat’l Bank $8,000,000

    • 2011: Ocean Bank $10,900,000

    • 2011: Mendoza (individual) $25,000 and 6

    months prison

    • 2012: Citibank, N.A. Cease and desist

    • 2012: ING Bank N.V. $619,000,000

  • Commonly Cited Violations

    What we see:

    • BSA/AML risk assessment not detailed

    • MDD procedures not specifically documented

    • Inadequate MDD on MSBs

    • Inadequate MDD on shared branching/3rd party

    • SARs not completed correctly (narrative)

    • CTRs not listing all those benefiting

    • No specific OFAC risk assessment

    • Weak or undocumented OFAC policy/procedures

    • No procedures for reviewing law enforcement requests

    • Training deficiencies

  • Penalties for Non-Compliance

    Failure to comply with the BSA can have

    serious consequences for you and for your

    institution.

    • BSA violations involve civil, criminal, and intangible

    penalties

    • The federal banking agencies and FinCEN can bring civil

    money penalty actions

    In addition to above, individuals may be

    removed from banking

  • Changes in Next 12 Months

    Known:

    • Exemption changes for payroll members – Immediate

    • E-filing requirements – July 1, 2012

    • BSA implications on non-bank mortgage lenders –

    August 13, 2012

    • New CTR, SAR, and DOEP forms – March 31, 2013

    – Testing site: http://sdtmut.fincen.treas.gov/main.html


  • Changes in Next 12 Months

    Expected:

    • Member Due Diligence Requirements

  • Available Resources

    The SAR Activity Review, Trends, Tips, and Issues

    SAR reporting guidance

    Advisories/Bulletins/FAQs/Fact Sheets

    Analytic Assessments – Mortgage Loan Fraud, Commercial Real Estate Fraud, Identity Theft

    FinCEN web site – Law Enforcement Cases and Success Stories

  • Contact Information

    FinCEN Regulatory Helpline

    1-800-949-2732

    Financial Institutions Hotline

    1-866-556-3974

    www.fincen.gov

    E-Filing Service Desk Number

    1-866-346-9478 (Option 1)

    [email protected]

  • Questions?

    John Misgen, CPA

    Senior Compliance Consultant

    CliftonLarsonAllen LLP

    507-434-7032

    [email protected]
