The Bank Secrecy Act, Essentials

Transcription

1 A presentation on The Bank Secrecy Act, Essentials William G. Berg, M.B.A., CCUE, CUCE, BSACS, CUERME June 17, 2016

2 OMG.BSA Acronyms BSA = Bank Secrecy Act CTR = Currency Transaction Report SAR = Suspicious Activity Report AML = Anti-Money Laundering NCUA = National Credit Union Administration CFR = Code of Federal Regulation, Treasury Rules for BSA Compliance FinCEN = Financial Crimes Enforcement Network NSL = National Security Letter FFIEC = Federal Financial Institutions Examinations Council MIP / CIP = Member or Customer Identification Program USA PATRIOT Act = Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism MDDP = Member Due Diligence Program OFAC = Office of Foreign Assets Control SDN = Specially Designated Nationals HIDTA = High Intensity Drug Trafficking Area M / I = Monetary Instruments 2

3 BSA/AML PURPOSE Purpose: To help identify the source, volume and movement of currency and other monetary instruments transported or transmitted into or out of the U.S. or deposited into financial institutions. Create a paper trail of financial transactions to aid in the investigation of money laundering, tax evasion, international terrorism and other criminal activity. 3

4 MONEY LAUNDERING Money Laundering is: The introduction of illegally obtained currency into the banking system Launders hide the source of these illegal funds by making a series of intricate transactions. The source of the money is washed away It works by: Placement the process of depositing illicit assets into the financial industry through ANY method: wires, cash, checks, money orders, travelers check, etc. Physically placing bulk cash proceeds. Layering separating the proceeds of the criminal activity from their origins through layers of complex financial transactions: wire transfers, CDs, drafts, letters of credit, internal transfers, negotiable instruments, foreign exchange, Integration providing an apparently legitimate explanation for the illicit proceeds; the movement of laundered funds back into the economy as legitimate funds (wire transfers, ACH, checks, Internet, etc.) 4

5 LAWS AND REGULATIONS THAT FORM BSA Bank Secrecy Act of 1970 requires certain financial reporting, records for currency transactions greater than $10,000 (Currency Transaction Reports or CTRs) Anti-Drug Abuse Act of 1986 law to strengthen federal law enforcement struggles with drug problems, domestic and foreign Money Laundering Act of 1986 complementary to 1986 Anti-Drug Abuse Act USA PATRIOT Act signed by President Bush post 9/11 legislation, targets terrorist money laundering 5

6 ENFORCEMENT The Financial Crimes Enforcement Network (FinCEN), along with assistance of the banking regulatory agencies (NCUA) is tasked with administering the Bank Secrecy Act. Created in 1990 to work towards maximizing information shared between law enforcement agencies and financial institutions. 6

7 USA PATRIOT ACT Four basic requirements 1. Verify the identity of anyone opening an account. 2. Maintain records of the verifying information. 3. Check the lists of known or suspected terrorists. 4. Provide member with a notice of the information collection requirements. 7

8 CUSTOMER IDENTIFICATION PROGRAM (CIP) Helps identify potential members. Assist in the detection and prevention of money-laundering and terrorist financing. Credit Unions must verify information of members, joint account holders and co-borrowers CIP should be based on CU s specific risk assessment. CIP must be incorporated in overall BSA program and approved by the Board of Directors. Verify anyone opening an account!! 8

9 CUSTOMER IDENTIFICATION PROGRAM (CIP) The credit union must obtain the following information from members: Name, Date of Birth, Physical Address, Tax Identification Number The credit union must independently verify the information, such as drivers license, passport, work identification, along with credit reports, reference checks, etc. Physical address is absolute; P.O. Box acceptable for mail, etc. Military: if no residential available, then substitute with APO, FPO, or residential address of relative or other contact. Businesses: principal place of business, local office or other physical office address. ID Number: US Persons: Taxpayer Identification Number TIN (usually SSN) Non-US Persons: ITIN, passport or other government-issued document reflecting an identification number, country or origin and photo or similar safeguard 9

10 VERIFICATION OF IDENTITY Credit unions are not required to verify the validity of documents reviewed unless there is evidence to suggest they may be false/altered, etc. but must verify enough of the information to establish a reasonable belief that you know the true identity of the member. Two methods which can be used: documentary (using documents) or non-documentary methods to verify identity. 10

11 DOCUMENTARY METHOD Unexpired government issued identification such as: Individuals Driver s license or state issued ID Passport Military ID (prohibits photocopying Title 18, U.S. Code, Part I, Chapter 33, Section 701) Businesses verify actual existence of business (pose higher risker for money laundering) Articles of incorporation Government-issued business license Partnership agreement Whatever is appropriate 11

12 NON DOCUMENTARY METHOD Information obtained from a credit bureau or against fraud and bad check databases References from other FI or information available from other trusted third-party source Confirm information such as telephone numbers and address by contacting member Tax return or a financial statement Online verification system Public databases (telephone book or local telephone number) 12

13 VERIFICATION OF IDENTITY At a minimum your CIP/MIP should address these four specific situations: When should the credit union not open an account at all? When will the credit union open an account while it attempts to verify ID? When should the credit union close an account after attempts to verify the identity of the person fails? When should the credit union file a suspicious activity report (SAR)? How do you handle situations that fall outside the minimum challenges? 13

14 VERIFICATION OF IDENTITY Must be done before or within a reasonable time after the account is opened. This depends on the location, products and services and the credit union. Must verify enough information to form a reasonable belief that you know the member, any joint owners and co-borrowers. 14

15 CUSTOMER IDENTIFICATION PROGRAM RECORDS RETENTION Record Keeping Requirements Maintain identification information for five years after account is CLOSED. Maintained as either a copy of the actual document or a description of the document Type of document Identifying number on the document The location issued (country, state) The date of issuance, expiration date 15

16 TERRORIST LIST USA Patriot ACT Does your member appear on any federal government list of known or suspected terrorist organizations? 16

17 NOTICE TO MEMBERS You must provide your members and potential members with a notice describing the information collection requirements of the BSA. You must ensure that every member will see the notice before account opening. Do not have to give each member a notice. Notice can be placed on website, applications, posted in the credit union. This is a federal requirement. 17

18 CIP EXAMINER REVIEW Popular CIP accounts to review: Accounts with incomplete verification or where member is applying for a TIN Documentary and non documentary methods used for verification High Risk accounts Any accounts opened with exceptions Accounts opened by third parties Examiners may review the board minutes to verify approval of the CIP 18

19 PRE-EXAM REVIEW Regulators have access to filed reports. Review of filed reports and comparison to internal reports of transactions. Review of policies and procedures, internal reports, staff training documentation, Board training documentation Transaction testing New accounts, anti-money laundering monitoring processes, reportable transaction monitoring process, OFAC. Review risk assessment, internal controls and audit findings. 19

20 PRE-EXAM REVIEW Review of BSA database reporting information Inconsistencies between credit union records and reporting databases Review of prior exam and management s responses to previously identified BSA violations Review of correspondence between the credit union and FinCEN or the IRS Detroit Computing Center Whether management has taken corrective action 20

21 WHAT EXAMINERS WILL BE LOOKING FOR? Development of policies and procedures Promotes executive awareness and understanding of the credit union s AML responsibilities and activities Mandatory ongoing training of all employees in AML laws, regulations and requirements, including BSA and USA Patriot Act 21

22 CUSTOMER DUE DILIGENCE (CDD) Requirements are found in the FFIEC BSA/AML Examination Manual located at Obtain information at account opening to understand normal activity for all members; Collection of this information allows credit unions to distinguish low and high risk members. Member s normal and expected transactions activity Changes in the member s risk profile Periodically monitor information to ensure it s up to date Collect from all members-not just high risk 22

23 CUSTOMER DUE DILIGENCE (CDD) For high risk members consider obtaining: Purpose of account; Source of funds and wealth; Individuals with ownership or control over the account Occupation or type of business Financial statements Financial institution references Where the business is organized Member s place of employment Are international transactions routine? Business operations, volume of currency and sales, major customers and supplies Change in account activity 23

24 CDD GUIDELINES Commensurate with the credit union s BSA/AML risk profile Clear statement of management's overall expectations Sufficient information for suspicious activity monitoring Guidance for documentation analysis associated with the due diligence process Maintain current member information. 24

25 COMPLIANCE PROGRAM Board approved written BSA/AML compliance program to ensure it contains the following required elements: A system of internal controls to ensure ongoing compliance. Independent testing of BSA/AML compliance. Designate an individual or individuals responsible for managing BSA compliance (BSA compliance officer). Training for appropriate personnel. Customer Identification Program (CIP). Document approval of written policies, procedures and processes in the minutes of the meeting 25

26 RISK ASSESSMENT The credit union s BSA/AML Compliance program is based on the credit union s Risk Assessment There are two steps: 1. Identify the specific risk categories unique to your credit union 2. Provide a detailed analysis of the data gathered in Step 1 26

27 RISK ASSESSMENT Some factors to consider during Step 2: Purpose of the account Actual or anticipated activity in the account Nature of member s business or occupation Member s location Type of products and services used by the member 27

28 RISK ASSESSMENT What types of products and services does the credit union offer? Who is using them? Where is the potential exposure to money laundering? What steps have been taken to mitigate risk? 28

29 RISK ASSESSMENT Who does your credit union serve? What services do they use? What is their source of funds? Where are they located? 29

30 RISK ASSESSMENT Develop appropriate policies and procedures to monitor and control the credit union s BSA risks with more emphasis on higher risk products, services, members and branches. Identify steps that have been taken to mitigate risk. Should evolve as new products and services are introduced or changed, expansions occur through mergers, and/or field of membership enlarges. Recommend reassessing the BSA Risk every 12 to 18 months. 30

31 RISK ASSESSMENT Credit Unions should refer to the FFIEC BSA/AML Manual Appendices I and J to assist in developing a risk assessment and use these as starting point. 31

32 RISK ASSESSMENT (APPENDIX I) The risk assessment will determine the policies, procedures and processes for BSA/AML compliance 32

33 RISK ASSESSMENT (APPENDIX J) 33

34 RISK ASSESSMENT (APPENDIX J) 34

35 RISK ASSESSMENT Develop appropriate polices and procedures to monitor and control the credit union s BSA risks, with more emphasis on higher risk products, services, members and branches. Risk assessment is an ongoing process not a one-time exercise. Recommend reassessing the BSA risk ever months. Refer to the FFIEC BSA/AML examination manual- Appendices I and J to assist in developing their risk assessment. These appendences should be considered a starting point for your risk assessments. 35

36 HIGH INTENSITY DRUG TRAFFICKING AREA Florida South Florida: Broward, Miami-Dade, Monroe and Palm Beach Counties Central Florida: Pinellas, Hillsborough, Polk, Osceola, Orange, Seminole and Volusia Counties North Florida: Alachua, Baker, Clay, Columbia, Duval, Flagler, Marion, Nassau, Putnam and St. Johns Counties

37 HIGH INTENSITY DRUG TRAFFICKING AREA Gulf Coast Alabama: Baldwin, Jefferson, Madison, Mobile, Montgomery and Morgan Counties Arkansas: Benton, Jefferson, Pulaski and Washington Counties Louisiana: Bossier, Caddo, Calcasieu, East Baton Rouge, Jefferson, Lafayette, Orleans and Ouachita Parishes Mississippi: Hancock, Harrison, Hinds, Jackson, Lafayette, Madison and Rankin Counties 37

38 INTERNAL CONTROLS The Board of Director s is ultimately responsible for ensuring the credit union has an effective internal control structure. Policies, procedures and processes should be in place to monitor and identify unusual activity. The level of monitoring is dictated by the credit union s risk assessment, with an emphasis on high-risk products, services, members and geographic locations. 38

39 INTERNAL CONTROLS (CONT.) Internal controls should: Identify credit unions products, services, members, branches and geographic locations which are vulnerable to abuse Inform the board of directors and senior management of compliance initiatives, deficiencies and corrective actions Identify individual(s) responsible for BSA/AML compliance Program continuity despite changes in management structure. Recordkeeping and reporting requirements Train employees of their responsibilities 39

40 INTERNAL CONTROLS (CONT.) Customer Due Diligence (CDD) policies and procedures Identify reportable transactions and file reports Segregation of duties where possible Sufficient controls and monitoring systems Supervision of employees Those who that handle CTRs, SARs, complete reports, grant exemptions, or engage in any activity covered by the BSA 40

41 INTERNAL CONTROLS - REPORTING BSA requires financial institutions to file the following reports with the Financial Crimes Enforcement Network (FinCEN): Currency Transaction Reports (CTRs) CTR Exemption Forms (if applicable) Suspicious Activity Reports (SARs) 41

42 CURRENCY TRANSACTION REPORTS These forms are FinCEN Report 112 Must be filed for each deposit, withdrawal, payment, transfer or other transaction involving currency (cash) of more than $10,000. Multiple transactions by or on behalf of one person in one business day: consolidate the transactions and report them as one if the total exceeds $10,000. Must be filed within 15 days after the date of the transaction May be fined up to $10,000 per day for each CTR not filed 42

43 CURRENCY TRANSACTION REPORTS Examples of reportable transactions: Denomination exchanges, IRAs, loan payments, ATM transactions, purchases of certificates of deposit, deposits and withdrawals, funds transfers paid in currency, and monetary instrument purchases Management should ensure the credit union has an adequate system to: Aggregate currency transactions throughout the credit union; and Appropriately report 43

44 CURRENCY TRANSACTION REPORTS Joint account owners- CTRs should list all joint owners on the account for deposits. For account withdrawals, list only the individual who is making the withdrawal unless you have facts to suggest that all or additional joint owners are benefiting from the transaction. 44

45 CTR STRUCTURING Member deposits $4,000 at Branch #1, $4,000 later that day at Branch #2 and $3,000 ATM deposit. Rule states if aware of all deposits such as this file a CTR. Member deposits $12,000 in savings (Cash In), withdraws $3,000 from checking (Cash Out) and withdraws $4,000 from ATM (Cash Out) $11,000 Cash in reportable complete CTR $7,000 Cash out not reportable do not complete CTR 45

46 AGGREGATING WEEKEND NCUA s Weekend Example: A member places one deposit bag into the night depository at a credit union on Friday night, two bags on Saturday and two on Sunday. Then on Monday morning, a teller processes all five deposit bags and deposit slips at the same time, but posts each individual deposit separately. Because these deposits occurred at night and over the weekend they should be treated as a single transaction for reporting purposes, having been received on Monday, the following business day POS Example: According to FinCEN a point of sale transaction does not trigger a CTR 46

47 CURRENCY TRANSACTION REPORTS CTR s must be filed within 15 calendar days. If a credit union misses the filing deadline begin the process of completing the forms and contact BSA Helpline for assistance immediately. FinCEN Regulatory Helpline: or Keep all copies of CTRs for 5 years 47

48 CTR EXEMPTIONS Credit unions may exempt certain types of members from currency transaction reporting Must file a Designation of Exempt Person form with the Internal Revenue Service (IRS) Two types of exemptions (Phase I and Phase II) 48

49 SUSPICIOUS ACTIVITY REPORTING Suspicious activity reporting forms the cornerstone of the BSA reporting system. It is critical to the United States ability to utilize financial information to combat terrorism, terrorist financing, money laundering, and other financial crimes. FFIEC Bank Secrecy Act/Anti-Money Laundering Examination Manual 49

50 SUSPICIOUS ACTIVITY REPORTING Examiner will assess policies, procedures, processes, internal controls and overall compliance with statutory and regulatory requirements for monitoring, detecting and reporting suspicious activities. The four key components to an effective monitoring and reporting system are: 1. Identification/alert of unusual activity 2. Managing alerts (i.e. investigate & evaluate unusual activity) 3. Suspicious Activity Report (SAR) decision making 4. SAR completion and filing 50

51 SUSPICIOUS ACTIVITY MONITORING 51

52 SUSPICIOUS ACTIVITY REPORTING The reporting forms are FinCEN Report 111 Credit unions are required to file a SAR with respect to the following: Criminal violations involving insider abuse in any amount Criminal violations aggregating $5,000 or more when a suspect can be identified Criminal violations aggregating $25,000 or more regardless of a potential suspect 52

53 SUSPICIOUS ACTIVITY REPORTING Transactions conducted or attempted by, at or through a credit union aggregating $5,000 or more, of the credit union knows, suspects or has reason to suspect that the transaction: May involve potential money laundering or other illegal activity Is designed to evade the BSA or its implementing regulations Has no business or apparent lawful purpose, or is not the type of transaction that the particular member would normally be expected to engage in, and the credit union knows of no reasonable explanation for the transaction 53

54 SUSPICIOUS ACTIVITY REPORTING The term transaction includes: Deposits Withdrawals Transfers between accounts Exchanges of currency Extensions of credit Sales of monetary instrument Any other payments by, through, or to a financial institution 54

55 SAR SAFE HARBOR Credit union directors, officers, employees and agents that report a suspicious transaction to the appropriate authorities are granted a safe harbor from any civil liability under any law or regulation, regardless of whether such reports are filed pursuant to the SAR instructions. This safe harbor applies to SARs filed within the required reporting thresholds as well as those filed voluntarily on any activity below the threshold. 55

56 APPROPRIATE AUTHORITIES Criminal investigative services of the armed forces Bureau of Alcohol, Tobacco, and Firearms (ATF) Drug Enforcement Administration (DEA) Federal Bureau of Investigation (FBI) IRS or tax enforcement agencies at the state level Office of Foreign Assets Control (OFAC) Immigration and Customs Enforcement (ICE) State or local police department; an attorney general, district attorney, or state s attorney at the state or local level; U.S. Attorney s Office U.S. Postal Inspection Service U.S. Secret Service 56

57 WHAT S SUSPICIOUS ACTIVITY? Many activities can raise a red flag as possibly facilitating money laundering, terrorist financing or other illicit activity. Red Flags warrant closer scrutiny and possibly filing a SAR. The first question you ask is if the activity is reasonable for that member. If not, then that rises to the level of suspicious activity. Whether the action is ultimately a fraud is up to law enforcement to decide. 57

58 RED FLAGS EXAMPLES A member: uses unusual or suspicious identification documents that can not be readily verified. makes frequent or large transactions and has no record of past of present employment experience tries to persuade a credit union employee not fill out a CTR or maintain required records. separates a cash transaction over $10,000 in to several transactions in an attempt to avoid the CTR reporting threshold Funds transfer activity occurs to or from a financial institution located in a higher risk jurisdiction distant from the member s operations. Many small, incoming wires are received or deposits are made using checks and money orders. Almost immediately all or most of the transfers or deposits are wired to another city or country in a manner inconsistent with the member's transaction history. 58

59 RED FLAGS EXAMPLES Wire or EFT activity is unexplained repetitive or shows unusual patterns. When establishing a new account a member is reluctant to provide complete information about the nature and purpose of his business, and anticipated account activity, prior relationships with financial institutions, location of the business, or the names of its officers and directors. 59

60 WHEN TO FILE A SAR BSA structuring Check fraud Unauthorized electronic/computer intrusion Embezzlement Identify theft Credit/debit card fraud Mortgage loan fraud Terrorist financing Wire transfer fraud A credit union is not required to file a SAR for a robbery or burglary as long as it is reported to the appropriate law enforcement. 60

61 SAR EXEMPTIONS When NOT to file a SAR: Robberies and Burglaries: A SAR does NOT need to be filed for those robberies and burglaries that are reported in writing to local authorities. Lost, missing, counterfeit, or stolen securities reported to the SEC and FBI when criminal activity is involved. 61

62 SAR FILING When to file a SAR? Any suspicious transactions relevant to a possible violation of federal law or regulations. 30-day filing deadline from initial detection, but can be extended based upon date of detection In the case no suspect has been identified the time period is extended to 60 days. For filings where a subject has been identified, the timeline is as follows: Identification of suspicious activity and subject: Day 0. Deadline for initial SAR filing: Day 30. End of 90 day review: Day 120. Deadline for continuing activity SAR with subject information: Day 150 (120 days from the date of the initial filing on Day 30). If the activity continues, this timeframe will result in three SARs filed over a 12-month period (FinCEN SAR FAQs, Q&A #16) Old rule was to file every 90 days 62

63 DOCUMENT EVERYTHING Document your decision making process regardless if the credit union files a SAR. Maintain a copy of the SAR and supporting documents for 5 years from the date of filing the SAR. Be ready to respond to law enforcement requests should they occur. If it is not written it didn t happen!! 63

64 SAR CONFIDENTIALITY The unauthorized disclosure of a SAR is a violation of federal law: Civil and criminal penalties can be imposed for SAR disclosures No credit union, director, officer, employee or agent of the credit union that reports a suspicious transaction may notify any person involved in the transaction that the transaction has been reported. 64

65 FinCEN ASSESSES CIVIL MONEY PENALTY FOR SAR DISCLOSURE VIENNA, Va. - The Financial Crimes Enforcement Network (FinCEN) today announced the assessment of a $25,000 civil money penalty against Frank Mendoza of Garden Grove, California, for violating Bank Secrecy Act (BSA) prohibitions against disclosing suspicious activity reports ("SARs"). FinCEN determined that Mendoza violated the BSA and its implementing regulations by willfully disclosing the existence of a SAR to a person involved in the reported transaction. Mendoza was convicted in a criminal case of bribery and unlawful SAR disclosure in the U.S. District Court for the Central District of California. Frank E. Mendoza 65

66 NOTIFYING THE BOARD OF SAR FILINGS Management must promptly notify the Board of Directors (or designated committee) of any SAR filings. Promptly means at least monthly (monthly board meetings) There s no required format for sharing the information with the board 66

67 LAW ENFORCEMENT REQUEST The decision to comply with a request from law enforcement to maintain certain accounts to aid in their investigation is left to the credit union. Pros and cons for complying should be weighed by the credit union. Get the request in writing. Ensure the request is issued by a supervisory agent or an attorney representing federal, state, or local law enforcement Maintain documentation of such requests for at least 5 years after the requests have expired. If a credit union maintains an account that reflects suspicious activity would still be expected to complete and file a SAR on the account. 67

68 LAW ENFORCEMENT REQUEST Complying with a LE request does not relieve a credit union of its recordkeeping and reporting responsibilities under BSA. For example, a CI that opts to maintain an account that reflects suspicious activity would still be expected to complete and file SARs on the account. 68

69 MONETARY INSTRUMENTS Records must be maintained for purchase of a cashiers check, travelers check or money between $3,000 and $10,000 in cash. Record Keeping: Purchases during one business day totaling $3,000 or more are treated as one purchase. Purchases of different types of instruments totaling $3,000 or more as one purchase. 69

70 MONETARY INSTRUMENTS For members credit unions must keep a record of: Name of purchaser Date of purchase Type of instrument purchased Serial numbers of each instrument Verify ID of purchaser For non-members Name and address of the purchaser Social Security or alien identification number of the purchaser Date of birth of the purchaser Date of purchase Retain all records for 5 years 70

71 MONETARY INSTRUMENTS Yes, credit unions are permitted to implement a policy requiring members to deposit their currency before purchasing a monetary instrument but the transaction is still subject to recordkeeping requirements. 71

72 FUNDS TRANSFER Credit unions must retain records in connection with funds transfers of $3,000 or more. The term funds transfer mean any payment order issued by the originators financial institution or an intermediary institution intended to carry our the originator s payment order (e.g. wire transfers). Records must be maintained for 5 years. Funds transfer rule does not cover: Transfers less than $$3,000 Electronic funds transfer ACH transactions 72

73 FUNDS TRANSFER Funds transfer of $3,000 or more the credit union must collect: Transmitter s name and address Amount, date and payment order and any payment instructions received Beneficiary bank identification Beneficiary s name, address and the account number if it was provided to the credit union Travel Rule: the information must travel with the payment order to the receiving financial institution. 73

74 INFORMATION SHARING USA PATRIOT Act Two types of information sharing: Between the law enforcement and financial institutions [314(a)]; and Between financial institutions [314(b)] 74

75 INFORMATION SHARING - 314(A) REQUESTS Between the Credit Union and Law Enforcement FinCEN may require a credit union to search its records to determine whether it maintains or has maintained accounts for, or engaged in transactions with a specified person, entity or organization during the past 12 months (or 6 months if there is a transaction where no account is involved) Must report to FinCEN within 14 days, unless the request specifies otherwise Sent out once every 2 weeks via secure website Must be kept confidential Report matches to FiCEN 75

76 INFORMATION SHARING - 314(B) REQUESTS Permits sharing of information with another FI to help identify and report activities that are suspected to involve possible money laundering or terrorist activity. Financial institutions must notify FinCEN of its intent to engage in information sharing, and that it has established and will maintain adequate procedures to protect the information A notice to share information is effective for one year Should ensure that the other FI or association has filed its required FinCEN notice Cannot share SARs or SAR filing information If request relates to a transaction subject to a SAR, disclose only the transaction and member information requested 76

77 POSSIBLE RAMIFICATIONS OF NON-COMPLIANCE: > DOR (Document of Resolution Findings) > LUA (Letter of Understanding and Agreement) > Cease and Desist Orders Fines North Dade Community Federal Credit Union 78

78 OFFICE OF FOREIGN ASSETS CONTROL (OFAC) COMPLIANCE OFAC is a division of the U.S. Treasury Department. Administer and enforces economic and trade sanctions against targeted countries and their agents, terrorist sponsoring agencies and organizations and international narcotics traffickers. 79

79 OFAC COMPLIANCE PROGRAM Designate an OFAC compliance officer Identify high risk areas Provide for appropriate internal controls for OFAC screening and reporting Establish independent testing for compliance Create training programs for appropriate personnel in al relevant areas of the credit union 80

80 OFAC Requirements are separate and distinct from the BSA, but they share a common national security goal. OFAC regulations require the following: Block (freeze) accounts and other property of specified countries, entities and individuals appearing on the Specially Designated Nationals (SDN) and Blocked Persons List. Prohibit or reject unlicensed trade and financial transactions with specified countries, entities and individuals Report blocked and prohibited transactions to OFAC 81

81 WHAT S THE SDN LIST? OFAC s primary list of U.S. sanction targets which includes: Individuals and entities owned or controlled by or acting for or on behalf or targeted countries and Individuals groups and entities such as terrorists and narcotics traffickers designated under programs that are not country-specific. Examples are Cuba, Syria, Libya and Russia, Iran, individuals etc. Sanctions for Cuba are still in place following President Obama s announcement on December 17, Check treasury.gov for more information. 82

82 WHAT IS PROPERTY? Property is anything of value. Examples of property include: Money, checks, drafts, debts, obligations, notes, warehouse receipts, bills of sale, evidences of title, negotiable instruments, trade acceptance, contracts and anything else real, personal or mixed tangible or intangible or interest or interests therein, present, future, or contingent. Just about everything the credit unions do every day involves property within the meaning of OFAC regulations. Likewise, property interest is defined as any inerest whatsoever, direct or indirect. 83

83 OFAC COVERS EVERYTHING Opening new accounts Wire transfers ACH transfers Electronic Fund Transfers Cashing/Depositing share drafts/checks Dispensing loan proceeds/accepting loan payments 84

84 TRANSACTION PARTIES Based on the credit union s risk profile for each area of the its operations and available technology, the credit union should establish policies, procedures and processes for reviewing transactions and transaction parties. (FFIEC BSA/AML Exam Manual) Transaction parties include primary members, joint account holders, check payees, beneficiaries, cosigners, parties on the other end of wire, etc ANYONE!! 85

85 REPORTING OFAC HITS Blocked and rejected transactions must be reported to OFAC within 10 days from the date that property becomes blocked. Property is anything of value: money, checks, drafts, debts, obligations, notes everything credit unions do everyday involves property within the meaning of OFAC Call OFAC and ask for instructions when you have a hit on the list or questions regarding a potential match OFAC (6322) or

86 BLOCKED ACCOUNT Interest-bearing account on the books. Only OFAC authorized debits may be made. Funds must earn interest at a commercially reasonable rate (i.e. a rate currently offered to other members on deposits or instruments of comparable sixe and maturity). What about normal service charges? Generally allowable but check sanction program before charging any service charges. 87

87 ANNUAL OFAC REPORT All holders of blocked property must file a comprehensive annual report on blocked property held as of June 30 by September 30 each year. The Blocked Properties Reporting form is available at website under resource-center sanctions pages. 88

88 OFAC Record Retention All OFAC records must be retained for 5 years Rejected items: 5 years from the date of the transaction. Blocked accounts: 5 years after the date the account was blocked Maintain a complete and accurate record of the blocked account for as long as the credit union is holding the blocked property. 89

89 BSA PROGRAM BSA Compliance Officer appointed by the board Internal controls Independent testing conducted by credit union personnel or outside parties Training BSA Compliance Program must be: In writings Approved by the board of directors and Reflected in the minutes of the meeting. 90

90 CULTURE OF COMPLIANCE ADVISORY Shortcomings in compliance due to a lack of involvement from senior management and providing guidance on creating a culture of compliance within the credit union. FinCEN provided guidelines to strengthen a credit union s BSA compliance culture including: Board of Directors, executive and senior management should actively support, understand and be engaged in compliance efforts. Managing and mitigating BSA deficiencies and risks should not be compromised by revenue interests. Relevant information should be shared throughout the credit union. Adequate resources for compliance. Credit union leadership and staff should understand the purpose of BSA efforts and reporting. Independent testing FinCEN Advisory FIN-2014-A007 91

91 WHAT MUST THE BOARD DO? Have a basic understanding of BSA and OFAC Approve the BSA, Member Identification Program and OFAC policies Appoint a knowledgeable BSA compliance officer Ensure adequate financing of BSA-related programs Promote due diligence and annual training for all credit union staff Monitor compliance through reports from the BSA compliance officer and annual BSA audit reports 92

92 WHAT SHOULD THE SUPERVISORY COMMITTEE DO? Verify that the Board has approved a BSA, Member ID Program and OFAC policy Verify that above are reviewed and revised as necessary Verify that knowledgeable BSA compliance officer(s) have been appointed and are regularly monitoring the program for compliance Confirm that adequate BSA tools have been implemented at the credit union and are appropriate for the credit union s level of risk Ensure that an independent audit and staff training are conducted at least annually 93

93 BSA COMPLIANCE OFFICER Board designated qualified individual fully knowledgeable of the BSA and all related regulations, as well as understand the credit union s products, services, members and geographic locations. Responsible for coordinating and monitoring day-to-day compliance. Manages all aspects of the BSA compliance program Must have sufficient authority and resources to perform duties Must regularly apprise board of directors and senior management of ongoing compliance with the BSA 94

94 BSA INTERNAL CONTROLS Consist of policies and procedures which are commensurate with the size, structure, risks and complexity of your credit union. Identify credit union products, services, members, branches that are more vulnerable to abuse. Inform the board and senior management of compliance initiatives, deficiencies, corrective actions, and SARs Program continuity Recordkeeping and reporting requirements 95

95 BSA INTERNAL CONTROLS Customer Due Diligence Identify reportable transactions and file reports Segregation of duties where possible Sufficient controls and monitoring systems Supervision of employees BSA training for employee 96

96 INDEPENDENT TESTING Performed by parties who are not involved in BSA functions. Audit results should be reported directly to the Board of Directors. Independent testing should be performed generally every months, depending on the credit union s risk assessment. Testing should include: Evaluation of the overall adequacy and effectiveness of the BSA/AML compliance program, including policies, procedures, and processes Risk Assessment Transaction testing Resolved previous violations and deficiencies Staff training Review of suspicious activity monitoring systems 97

97 BSA TRAINING All personnel whose duties require knowledge of BSA Tailored to the person s specific responsibilities New employee orientation Periodic training for BSA Compliance Officer Board of Directors should receive sufficient training to gain a general understanding to provide adequate oversight NCUA recommends BSA Training every months but should be ongoing Document training programs 98

98 MONEY SERVICE BUSINESSES (MSBS) Money Services Businesses are: Currency dealers or exchangers Check cashers Issuers or sellers of traveler s checks or money orders Money transmitters US Postal Service (low risk) Credit Unions are not MSBs 99

99 MONEY SERVICE BUSINESS Properly identify member accounts as MSBs; Assess the potential risk posed by the member relationship; Conduct adequate and ongoing due diligence of the MSB relationship and; Ensure the MSB member accounts are appropriately included in the credit union s suspicious activity monitoring and reporting system. Credit unions are expected to apply their risk based BSA standards to MSBs MSBs should produce the following: Basic information State licensing, if applicable FinCEN registration Additional helpful information 100

100 MONEY SERVICE BUSINESS If a MSB: Can not provide appropriate registration/licensing documentation and There is no reasonable explanation for this lack of documentation The credit union should file a SAR MSB due diligence minimum expectations: Apply CIP Confirm FinCEN registration; Confirm state and local license Risk assessment 101

101 MONEY SERVICE BUSINESS To determine the level of risk for MSB consider: Types of product/services offered by the MSB; Location and market served by MSB; Anticipated account activity; Purpose of the account. MSBs are subject to BSA regulatory controls: Anti-money laundering Suspicious Activity Reports Currency Transactions Reporting Customer Identification Programs Cigarette Smuggling Operation 102

102 BSA AND MARIJUANA Washington and Colorado have legalized marijuana for recreational use. First cannabis credit union The Fourth Corner Credit Union/ Since the medical marijuana movement began, 21 states and the District of Columbia, starting with California in 1996, have legalized medical cannabis or effectively decriminalized it: Alaska, Arizona, California, Colorado, Connecticut, Delaware, Hawaii, Illinois, Maine, Massachusetts, Maryland, Michigan, Montana, Nevada, New Hampshire, New Jersey, New Mexico, Oregon, Rhode Island, Vermont, Washington; Maryland allows for reduced or no penalties if cannabis use has a medical basis. Florida or Alabama could be next. 103

103 ELDERLY ABUSE The credit union s priority is to protect its members but credit unions also want to make sure they are protected and not violating any laws or regulations. NCUA, in conjunction with other regulators, provided interagency guidance regarding privacy laws and the reporting of financial abuse. The NCUA issued letter (13-CU-08) regarding the Reporting of Elder Abuse or Financial Exploitation. If the credit union suspects that a member may be a victim, they can report the suspected abuse without violating that member s privacy. The guidance clarifies that not only does the reporting of suspected abuse to the appropriate local, state or federal agencies not violate the privacy provisions of the Gramm-Leach-Bliley Act (GLBA) or its implementing regulations, sharing this type of information under the appropriate circumstances is permitted without the notice and opt-out requirements governed under Regulation P. 104

104 ELDERLY ABUSE According to the National Center on Elder Abuse, elder abuse includes the illegal or improper use of an older adult s funds, property or assets. Since credit unions are in a unique position to detect and prevent elder financial abuse PolicyPro Model Policy 2245: Protecting the Elderly and Vulnerable from Fraud, can be used to adopt guidelines for the credit union to consider when implementing their program and related procedures to protect its members. Not sure who to contact to report suspected abuse? Elder Abuse hotline at (800) Reporting can be anonymous 105

105 ELDERLY ABUSE Examples of elder financial abuse: Are there unusual transactions on a member s account? Did the member recently add an authorized signer who is not a family member? Is a fiduciary or joint owner making unusually large withdrawals? Is the member requesting wire transfers to non-family members? While a single transaction of these types may not be suspicious, if the credit union staff typically knows that the only activity consists of small checks or withdrawals, an unusually large transaction may need to be investigated further. 106

106 ELDERLY ABUSE Train staff to be especially alert to suspicious activities and transactions involving older members and continue to ask the fundamental question, Does it make sense for this member to be conducting this transaction? They should also look for signs that senior members have been threatened or unduly influenced. What policies and procedures does your credit union have in place to detect and prevent elder abuse and/or the financial exploitation of your members? 107

107 Resources NCUA: CUNA: NASCUS: FinCEN: FinCEN s BSA/AML Examination Manual: _online.htm FBI: OFAC: LSCU: PolicyPro and ComplySight Elder Care Locator: 108

108 Thank You! Please feel free to contact me with questions using the below information: William G. Berg, M.B.A., CCUE, CUCE, BSACS Vice President, Compliance Training and Information x

109 Additional Contacts Bill Berg, VP, Compliance and Training Information , ext or Laura Lee Vann, Vice President, Cooperative Initiatives (CI) , ext or April N. Ales, Member Relations Consultant (MRC), CI , ext or Juli Lewis, MRC, CI ext or Judy Scott, Member Relations Consultant, Cooperative Initiatives , ext or 110