New BSA Officer Training Community Bankers Webinar Network June 2017

Transcription

1 Community Bankers Webinar Network June 2017 Copyright 2017 Young & Associates, Inc. All rights reserved

2 Table of Contents Section 1: Introduction... 1 Section 2: Risk Assessment... 2 Section 3: Program Requirements Section 4: Definitions [31 C.F.R ] Section 5: Currency Transaction Reports Section 6: Targeting Orders [31 C.F.R ] Section 7: CTR Exemptions [31 C.F.R ] Section 8: Suspicious Activity Reports [31 C.F.R ] Section 9: Customer Due Diligence [31 C.F.R ] Section 10: Foreign Financial Accounts [31 C.F.R. 31 C.F.R , & ] Section 11: Purchases of Monetary Instruments [31 C.F.R ] Section 12: Wire Transfer Records [31 C.F.R ] Section 13: Information Sharing With Government [31 C.F.R ] Section 14: Information Sharing With Other Financial Institutions [31 C.F.R ] Section 15: Correspondent Accounts [31 C.F.R , ] Section 16: Additional Records Requirements [31 C.F.R , , & ]

3 Alabama Bankers Association Arkansas Community Bankers California Community Banking Network Independent Bankers of Colorado Florida Bankers Association Community Bankers Association of Georgia Community Banker Association of Illinois Indiana Bankers Association Community Bankers of Iowa Community Bankers Association of Kansas Kentucky Bankers Association Maine Bankers Association Community Bankers of Michigan Independent Community Bankers of Minnesota Missouri Independent Bankers Association Montana Independent Bankers Association Nebraska Independent Community Bankers Independent Comm. Bankers Assoc. of New Mexico Independent Bankers Assoc. of New York State Independent Community Banks of North Dakota Community Bankers Association of Ohio Community Bankers Association of Oklahoma Pennsylvania Association of Comm. Bankers Independent Banks of South Carolina Independent Comm. Bankers of South Dakota Independent Bankers Association of Texas Vermont Bankers Association Virginia Association of Community Banks Community Bankers of Washington Community Bankers of West Virginia Wisconsin Bankers Association Directed by The Community Bankers Webinar Network Sponsors Young & Associates, Inc. Page ii

4 Presenter Bill Elliott, CRCM, Senior Consultant and Manager of Compliance Bill Elliott has over 35 years of banking experience. As a senior compliance consultant and manager of the compliance division with Young & Associates, Inc., Bill works on a variety of compliance-related issues, including leading compliance seminars, conducting compliance reviews, conducting in-house training, and writing compliance articles and training materials. Bill s career includes 15 years as a compliance officer and CRA officer in a large community bank, as well as working at a large regional bank. He has experience with consumer, commercial, and mortgage loans, and has managed a variety of bank departments, including loan review, consumer/commercial loan processing, mortgage loan processing, loan administration, credit administration, collections, and commercial loan workout. Disclaimer This presentation is designed to provide accurate and authoritative information in regard to the subject matter covered. The handouts, visuals, and verbal information provided are current as of the webinar date. However, due to an evolving regulatory environment, Financial Education & Development, Inc. does not guarantee that this is the most-current information on this subject after that time. Webinar content is provided with the understanding that the publisher is not rendering legal, accounting, or other professional services. Before relying on the material in any important matter, users should carefully evaluate its accuracy, currency, completeness, and relevance for their purposes, and should obtain any appropriate professional advice. The content does not necessarily reflect the views of the publisher or indicate a commitment to a particular course of action. Links to other websites are inserted for convenience and do not constitute endorsement of material at those sites, or any associated organization, product, or service. Young & Associates, Inc. Page i

5 Section 1: Introduction Introduction The Bank Secrecy Act (BSA) is implemented by a regulation [31 C.F.R. Chapter X] issued by the Department of the Treasury (Treasury). It requires domestic financial institutions to file a report of each single or multiple deposits, withdrawal, exchange of currency, or other payment or transfer by, through, or to such financial institution, which involves a transaction in currency of more than $10,000. Financial institutions also must report suspicious activity involving potential losses, generally, that exceed $5,000. In addition to the reporting requirements, the BSA regulations require financial institutions to keep a variety of internal records on designated transactions to provide an audit trail for either Treasury, other law enforcement, or the Internal Revenue Service (IRS) to use during criminal investigations. Young & Associates, Inc. Page 1

6 Section 2: Risk Assessment Each financial institution must have a BSA program. In order to make decisions regarding the specifics of a financial institution s program, the regulators have placed a renewed emphasis on the financial institution s Risk Assessment. A graphic representation of this interrelationship appeared in the Exam Manual (Appendix I) as follows: This brief flow chart makes it clear that all financial institutions need to develop an overall BSA process that includes a periodic review of the financial institution s risk assessment. This assessment will follow approaches similar to the risk assessment that the Customer Identification Program required. To assist in the risk assessment process, the Exam Manual (Appendix J) set forth 11 criteria, and offered a description of what might be low, moderate, or high risk. This appendix appears below and on the following two pages: Young & Associates, Inc. Page 2

7 Young & Associates, Inc. Page 3

8 Young & Associates, Inc. Page 4

9 Young & Associates, Inc. Page 5

10 Identification of Specific Risk Categories The first step of the risk assessment process is to identify the specific products, services, customers, entities, and geographic locations unique to the financial institution. Products and Services Certain products and services offered by financial institutions may pose a higher risk of money laundering or terrorist financing depending on the nature of the specific product or service offered. Such products and services may facilitate a higher degree of anonymity, or involve the handling of high volumes of currency or currency equivalents. Some of these products and services are listed below, but the list is not all inclusive: Electronic funds payment services electronic cash (e.g., prepaid and payroll cards), funds transfers (domestic and international), payable upon proper identification (PUPID) transactions, third-party payment processors, remittance activity, automated clearing house (ACH) transactions, and automated teller machines (ATM). Electronic services. Private banking (domestic and international). Trust and asset management services. Monetary instruments. Foreign correspondent accounts (e.g., bulk shipments of currency, pouch activity, payable through accounts (PTA), and U.S. dollar drafts). Trade finance. Services provided to third-party payment processors or senders. Foreign exchange. Special use or concentration accounts. Lending activities, particularly loans secured by cash collateral and marketable securities. Non-deposit account services (e.g., non-deposit investment products and insurance). The expanded sections of the manual provide guidance and discussion on specific products and services detailed above. Customers and Entities Although any type of account is potentially vulnerable to money laundering or terrorist financing, by the nature of their business, occupation, or anticipated transaction activity, certain customers and entities may pose specific risks. At this stage of the risk assessment process, it is essential that financial institutions exercise judgment and neither define nor treat all members of a specific category of customer as posing the same level of risk. In assessing customer risk, financial institutions should consider other variables, such as services sought and geographic locations. The expanded sections of the manual provide guidance and discussion on specific customers and entities that are detailed as follows: Young & Associates, Inc. Page 6

11 Foreign financial institutions, including banks and foreign money services providers (e.g., casas de cambio, currency exchanges, and money transmitters). Nonbank financial institutions (e.g., money services businesses; casinos and card clubs; brokers/dealers in securities; and dealers in precious metals, stones, or jewels). Senior foreign political figures and their immediate family members and close associates (collectively known as politically exposed persons (PEP)) Nonresident alien (NRA) and accounts of foreign individuals. Foreign corporations and domestic business entities, particularly offshore corporations (such as domestic shell companies and Private Investment Companies (PIC) and international business corporations (IBC)) located in higher-risk geographic locations. Deposit brokers, particularly foreign deposit brokers. Cash-intensive businesses (e.g., convenience stores, restaurants, retail stores, liquor stores, cigarette distributors, privately owned ATMs, vending machine operators, and parking garages). Nongovernmental organizations and charities (foreign and domestic). Professional service providers (e.g., attorneys, accountants, doctors, or real estate brokers). Geographic Locations Identifying geographic locations that may pose a higher risk is essential to a bank s BSA/AML compliance program. U.S. financial institutions should understand and evaluate the specific risks associated with doing business in, opening accounts for customers from, or facilitating transactions involving certain geographic locations. However, geographic risk alone does not necessarily determine a customer s or transaction s risk level, either positively or negatively. Higher-risk geographic locations can be either international or domestic. International higher-risk geographic locations generally include: Countries subject to OFAC sanctions, including state sponsors of terrorism. Countries identified as supporting international terrorism under section 6(j) of the Export Administration Act of 1979, as determined by the Secretary of State. Jurisdictions determined to be of primary money laundering concern by the Secretary of the Treasury, and jurisdictions subject to special measures imposed by the Secretary of the Treasury, through FinCEN, pursuant to section 311 of the USA PATRIOT Act. Jurisdictions or countries monitored for deficiencies in their regimes to combat money laundering and terrorist financing by international entities such as the Financial Action Task Force (FATF). Major money laundering countries and jurisdictions identified in the U.S. Department of State s annual International Narcotics Control Strategy Report (INCSR), in particular, countries, which are identified as jurisdictions of primary concern. Offshore financial centers (OFC). Young & Associates, Inc. Page 7

12 Other countries identified by the financial institution as higher-risk because of its prior experiences or other factors (e.g., legal considerations, or allegations of official corruption). Domestic higher-risk geographic locations may include, but are not limited to, financial institution offices doing business within, or having customers located within, a U.S. government-designated higher-risk geographic location. Domestic higher-risk geographic locations include: o High Intensity Drug Trafficking Areas (HIDTA). o High Intensity Financial Crime Areas (HIFCA). Analysis of Specific Risk Categories The second step of the risk assessment process entails a more detailed analysis of the data obtained during the identification stage in order to more accurately assess BSA/AML risk. This step involves evaluating data pertaining to the financial institution s activities (e.g., number of: domestic and international funds transfers; private banking customers; foreign correspondent accounts; PTAs; and domestic and international geographic locations of the financial institution s business area and customer transactions) in relation to Customer Identification Program (CIP) and customer due diligence (CDD) information. The level and sophistication of analysis may vary by financial institution. The detailed analysis is important because within any type of product or category of customer there will be accountholders that pose varying levels of risk. This step in the risk assessment process gives management a better understanding of the financial institution s risk profile in order to develop the appropriate policies, procedures, and processes to mitigate the overall risk. Specifically, the analysis of the data pertaining to the financial institution s activities should consider, as appropriate, the following factors: Purpose of the account. Actual or anticipated activity in the account. Nature of the customer s business/occupation. Customer s location. Types of products and services used by the customer. The value of a two-step risk assessment process is illustrated in the following example. The data collected in the first step of the risk assessment process reflects that a financial institution sends out 100 international funds transfers per day. Further analysis may show that approximately 90 percent of the funds transfers are recurring well-documented transactions for long-term customers. On the other hand, the analysis may show that 90 percent of these transfers are nonrecurring or are for noncustomers. While the numbers are the same for these two examples, the overall risks are different. Young & Associates, Inc. Page 8

13 Other Risk Factors In addition to the four assessment factors expected by examiners, financial institutions should also focus on some operational areas. One such area would include an assessment of your financial institutions policies related to account opening procedures, various transactions conducted for customers only versus non-customers (i.e., wire transfers, monetary instrument sales, safe deposit box rental, etc.) In developing your risk profile, consider the asset size of your financial institution as well as its structure. Areas of the financial institution important to BSA that may be understaffed should be considered and, conversely, a large financial institution staff may increase BSA/AML risk. Obtain employee turnover statistics especially in key BSA areas. Other factors to consider include your financial institution s data processing systems and other software tools that assist the financial institution in complying with the BSA regulatory requirements. It can be inferred that the greater and more sophisticated a financial institution s BSA systems, the more likely any evident risks will be mitigated. When evaluating risk associated with operations, a financial institution should take into consideration staff experience, expertise, and management s support of providing continuing education and educational resources. A financial institutions risk assessment process should be ongoing. As the customer base expands, mergers occur, geographic areas grow, and as the institution offers new products or services, your risk assessment should reflect these factors. On an annual basis, or as changes occur, your BSA/AML risk assessment should be reviewed and updated. Summarizing Your Risk Assessment Using and analyzing the data you have obtained is the second phase in the risk assessment. Not only will your risk assessment be evaluated, but the analysis process used to reach a risk conclusion will be assessed. Controls that are in place, management s ability and willingness to identify and mitigate risk will be evaluated. A financial institution need not necessarily consider itself at higher risk because of a large volume of wire transfers if the analysis of the information proves the majority of the transfers were recurring and took place for well-established customers and that transfers, in fact, are only conducted for existing customers. Compare that same volume of funds transfers for non-customers or nonrecurring customers, many transfers being destined for high-risk geographic areas, and the risk analysis outcome will be vastly different. At the conclusion of completing the risk profile for your institution, the results must be reviewed and analyzed to determine whether the existing policies and procedures remain adequate. In addition, the risk profile should be summarized to inform both management and the board of directors of the financial institution s overall BSA/AML risks. In general, it is recommended that the data you have obtained through the risk profile be summarized into a narrative document that briefly discusses each risk factor. The summary document should be written not only from a perspective where risks are evident but it should also highlight areas of the financial institution s operations that are not as prone to risks. Those conducting a risk assessment may not consider for inclusion factors that are not applicable to the Young & Associates, Inc. Page 9

14 financial institution. Excluding what does not apply may give the appearance that the issues were not taken into consideration. For example, if your institution is not located within or near an HIDTA, the risk profile summary should make note of this fact. In proving the validity of a selfassessed lower risk rating to a high-risk area such as funds transfers, the institution could include the fact that the that wires are conducted for customers only, the majority of wires are for long established customers, any monitoring processes in place, and that all names associated with a wire are compared to the current OFAC list as well as the country and financial institution when conducting an international transfer. Young & Associates, Inc. Page 10

15 Section 3: Program Requirements There are minimum requirements of an acceptable Bank Secrecy Act compliance program. To meet the minimum requirements, a financial institution s BSA compliance program should include a system of internal controls, provisions for independent testing for compliance with the requirements of the regulation, the designation of an individual or individuals to be responsible for coordinating and monitoring compliance with the BSA, and training for appropriate personnel. Every compliance program must be in writing, approved by the financial institution s board of directors, and noted in the board meeting minutes. System of Internal Controls Ultimately, the board of directors is responsible for ensuring that the financial institution maintains an effective BSA/AML internal control structure, including suspicious activity monitoring and reporting. The board of directors in concert with management is charged with creating a culture of compliance to ensure staff adherence to the financial institution s BSA policies, procedures, and processes. Internal controls cover a number of areas, including: policies, procedures, and processes Designed to limit and control the financial institution s risks relative to BSA. Depending upon the financial institution s needs, the level of sophistication of the internal controls should be commensurate with the size, structure, risks, and complexity of the financial institution. Large complex financial institutions usually have more defined departmental internal controls for BSA compliance. Smaller institutions may have less structure; however, all financial institutions must have a comprehensive BSA compliance program. The Exam Manual includes these additional internal control features: Identify financial institution operations (i.e., products, services, customers, entities, and geographic locations) more vulnerable to abuse by money launderers and criminals; provide for periodic updates to the financial institution s risk profile; and provide for a BSA/AML compliance program tailored to manage risks. Inform the board of directors, or a committee thereof, and senior management, of compliance initiatives, identified compliance deficiencies, and corrective action taken, and notify directors and senior management of SARs filed. Identify a person or persons responsible for BSA/AML compliance. Provide for program continuity despite changes in management or employee composition or structure. Young & Associates, Inc. Page 11

16 Meet all regulatory recordkeeping and reporting requirements, meet recommendations for BSA/AML compliance, and provide for timely updates in response to changes in regulations. Implement risk-based CDD policies, procedures, and processes. Identify reportable transactions and accurately file all required reports including SARs, CTRs, and CTR exemptions. (Financial institutions should consider centralizing the review and report-filing functions within the financial institution.) Provide for dual controls and the segregation of duties to the extent possible. For example, employees that complete the reporting forms (such as SARs, CTRs, and CTR exemptions) generally should not also be responsible for the decision to file the reports or grant the exemptions. Provide sufficient controls and systems for filing CTRs and CTR exemptions. Provide sufficient controls and monitoring systems for timely detection and reporting of suspicious activity. Provide for adequate supervision of employees that handle currency transactions, complete reports, grant exemptions, monitor for suspicious activity, or engage in any other activity covered by the BSA and its implementing regulations. Incorporate BSA compliance into the job descriptions and performance evaluations of personnel, as appropriate. Train employees to be aware of their responsibilities under the BSA regulations and internal policy guidelines. The above list is not to be considered all-inclusive and should reflect the financial institution s BSA/AML risk profile. Additional policy guidance for specific risk areas is provided in the expanded sections of the Exam Manual. Independent Testing Independent testing for compliance with the BSA and its corresponding regulation should be conducted at least annually, preferably by the internal audit department, outside auditors, consultants, or other qualified individuals. Financial institutions that do not employ outside auditors or consultants or that do not operate internal audit departments can comply with this requirement by utilizing the use of employees who are not involved with the BSA function that is under review. In general, it is advised that independent testing be conducted every 12 to 18 months, again commensurate with your financial institutions risk profile. The Exam Manual indicates that the persons or companies conducting the BSA testing should report directly to the board of directors or to a designated board committee comprised primarily or completely of outside directors. The independent testing should be risk based (see risk assessment, discussed earlier) and evaluate the quality of risk management for every area of financial institution operations, including departments and subsidiaries. Therefore, risk-based audit programs will vary from financial institution to financial institution depending on the financial institution s size, complexity, scope of activities, risk profile, quality of control functions, geographic diversity, and Young & Associates, Inc. Page 12

17 use of technology. The risk based testing should include all financial institution activities. The results of which will allow the board of directors and auditors to focus on areas of greater concern. An effective risk-based auditing program will cover all of the financial institution s activities. The frequency and depth of each activity s audit will vary based on the activity s risk assessment. This risk-based auditing approach enables the board of directors and auditors to use the financial institution s risk assessment to focus the audit scope on the areas of greatest concern. The results of testing should be to assist the board of directors and management in the identification of areas of weakness or areas where there appears to be a need for enhancements or stronger controls. The scope of an independent test has expanded dramatically over the last few years. The Exam Manual sets forth the following list of items that should be subject to review: Independent testing should, at a minimum, include: An evaluation of the overall adequacy and effectiveness of the BSA/AML compliance program, including policies, procedures, and processes. Typically, this evaluation will include an explicit statement about the BSA/AML compliance program s overall adequacy and effectiveness and compliance with applicable regulatory requirements. At the very least, the audit should contain sufficient information for the reviewer (e.g., an examiner, review auditor, or BSA officer) to reach a conclusion about the overall quality of the BSA/AML compliance program. A review of the financial institution s risk assessment for reasonableness given the financial institution s risk profile (products, services, customers, entities, and geographic locations). Appropriate risk-based transaction testing to verify the financial institution s adherence to the BSA recordkeeping and reporting requirements (e.g., CIP, SARs, CTRs and CTR exemptions, and information sharing requests). An evaluation of management s efforts to resolve violations and deficiencies noted in previous audits and regulatory examinations, including progress in addressing outstanding supervisory actions, if applicable. A review of staff training for adequacy, accuracy, and completeness. A review of the effectiveness of the suspicious activity monitoring systems (manual, automated, or a combination) used for BSA/AML compliance. Related reports may include, but are not limited to: o Suspicious activity monitoring reports. o Large currency aggregation reports. o Monetary instrument records. o Funds transfer records. o Nonsufficient funds (NSF) reports. o Large balance fluctuation reports. o Account relationship reports. Young & Associates, Inc. Page 13

18 An assessment of the overall process for identifying and reporting suspicious activity, including a review of filed or prepared SARs to determine their accuracy, timeliness, completeness, and effectiveness of the financial institution s policy. An assessment of the integrity and accuracy of MIS used in the BSA/AML compliance program. MIS includes reports used to identify large currency transactions, aggregate daily currency transactions, funds transfer transactions, monetary instrument sales transactions, and analytical and trend reports. The Exam Manual suggests that auditors document the audit scope, procedures performed, transaction testing completed, and findings of the review. In addition, all audit documentation and work papers should be available for examiner review, upon request. Any violations, policy or procedures exceptions, or other deficiencies noted during the audit should be included in an audit report and reported to the board of directors or a designated committee in a timely manner. The board or designated committee and the audit staff should track audit deficiencies and document corrective actions. Designation of BSA Officer Each financial institution must annually designate, by name, a senior financial institution official to be responsible for coordinating and monitoring compliance with the BSA. This must be noted in the minutes of the board of directors. This might be the compliance officer, chief auditor, or another officer of similar status. In addition, other individuals in each office, department, or regional headquarters should be given the responsibility for day-to-day compliance so that appropriate controls are in place at all levels of the financial institution. The BSA compliance officer must also manage all aspects of the BSA/AML compliance program and managing the financial institution s adherence to the BSA and its implementing regulations. Although the board must make this annual appointment, the board of directors is ultimately responsible for the financial institution s BSA/AML compliance. The regulation makes no specific requirement regarding the title of the individual responsible for overall BSA compliance, his or her level of authority and responsibility within the financial institution is critical. In many institutions, the BSA compliance officer delegates some BSA duties to other employees, but the officer is still responsible for overall BSA/AML compliance. The board of directors must assure that the BSA compliance officer has sufficient authority and resources (monetary, physical, and personnel) to administer an effective BSA compliance program based on the financial institution s risk assessment. The person designated as the BSA compliance officer should be fully knowledgeable of the BSA and all related regulations. This individual must also understand the financial institution s products, services, customers, and geographic locations, and the potential money laundering and terrorist financing risks associated with those activities. The Exam Manual makes it clear that the appointment of a BSA compliance officer is not sufficient to meet the regulatory requirement if that person does not have the expertise, authority, or time to satisfactorily complete the job. The BSA compliance officer must have direct access to the board of directors and senior management regarding the financial institution s ongoing compliance with the BSA. Pertinent BSA-related information, including the reporting of SARs filed with FinCEN, should be reported Young & Associates, Inc. Page 14

19 to the board of directors or an appropriate board committee so that these individuals can make informed decisions about overall BSA/AML compliance. The BSA compliance officer is also responsible for carrying out the direction of the board to ensure that employees adhere to the financial institution s BSA policies, procedures, and processes. Training for Appropriate Personnel A financial institution s training program must provide training for tellers who handle currency transactions. In addition, anyone who is involved in Bank Secrecy Act compliance should be trained in their areas of compliance as well. The training should be tailored to the employee s specific responsibilities. In addition, an overview of the BSA/AML requirements typically should be given to new staff during employee orientation. Training should encompass information related to applicable business lines, such as trust services, and international and private banking. The BSA compliance officer should receive periodic training that is relevant and appropriate given changes to regulatory requirements as well as the activities and overall BSA/AML risk profile of the financial institution. Depending on the financial institution s needs, training materials can be purchased from financial institution associations, trade groups, or outside vendors, or they can be developed by the financial institution. Financial institutions should assure that the training includes not only the regulatory requirements, but also the financial institution s specific rules and procedures for compliance. Copies of the training materials must be available in the financial institution for review by examiners, as well as proof of training (generally sign-in sheets at training sessions, etc.). Management, including Board members, must also receive periodic updates on the requirements so that adequate resources are allocated to comply with this regulation. Since there is scarcely any area of the financial institution that is not potentially affected by the Bank Secrecy Act, financial institution-wide training is recommended. While the board of directors may not require the same detailed level of training as provided to financial institution operations personnel, they need to understand the importance of BSA/AML regulatory requirements, the ramifications of noncompliance, and the risks posed to the financial institution. Without this sort of general understanding, the board of directors cannot adequately monitor the program, including their oversight, policy/procedure approvals, and resource allocation. Training is an ongoing necessity and should incorporate current developments and changes to the BSA and any related regulations. Inclusion of changes to internal policies, procedures, and processes in training coverage is a must to keep staff up-to-date on the financial institution s expectations for compliance. Examples of money laundering activity and suspicious activity monitoring and reporting can and should be tailored to each individual audience. For example, training for tellers should focus on examples involving large currency transactions or other suspicious activities; training for the loan department should provide examples involving money laundering through lending arrangements. Lastly, financial institutions should document their training programs. Copies of the training materials must be available in the financial institution for review by examiners. Documentation of attendance is an important step in the process. Signed attendance sheets Young & Associates, Inc. Page 15

20 (with employee job title and recording of completed online training), help ensure the adequacy of the financial institution s training program. Board Responsibilities First, a financial institution s board of directors ( board ) is ultimately responsible for the financial institution s BSA compliance program. As noted earlier, this process begins with the board s approval of its written BSA compliance program. In today s current examination environment, such approval should follow the board being apprised of the financial institution s BSA/AML/OFAC risk profile (discussed earlier). Only after evaluating a financial institution s risks may it identify the necessary requirements of the financial institution s written program. Communicating these risks to the board on a periodic and regular basis (i.e., annually) allows for such informed decisions. Therefore, the board should expect and demand regular updates on the status of the financial institution s program. The designation of a BSA compliance officer is another key element of an effective BSA compliance program. It is another of the board s responsibilities to designate the staff member or member to carry out the program. Failure to identify and designate a knowledgeable and effective BSA compliance officer may eventually lead to an ineffective and possibly criticized BSA compliance program. Therefore, such designation of an effective BSA compliance officer is paramount. As part of the overall responsibility for a financial institution s BSA compliance program, the board is also responsible for assuring that risk-based independent audits are performed to assess the effectiveness of the program. While the BSA compliance officer typically coordinates and identifies potential individuals or firms to conduct such reviews, the final word rests with the board. In that light, the board, or a committee thereof, needs to be the catalyst to hire effective internal auditors or engage capable outside auditors. Additionally, the results from these audits need to be communicated directly to the board or indirectly through a committee of the board. In addition to receiving periodic updates on the financial institution s BSA risk profile, as well as results of independent audits, the board should expect to receive regular reports on the status of the financial institution s BSA compliance program. Such status reports might include the following with one certain item a mandatory requirement: Notification of any suspicious activity reports that have been filed, generally at the next regularly scheduled board meeting (this is a regulatory mandate) Updates on procedural changes, as appropriate Education on new and/or amended regulatory requirements Status of BSA-related training initiatives, including board member training Changes or trends in the level of required reports, such as currency transaction reports Industry related BSA issues, trends, and concerns Young & Associates, Inc. Page 16

21 Section 4: Definitions [31 C.F.R ] All regulations have key definitions. These definitions are crucial to understanding each regulation, as a word may have slightly different meanings in different regulations. This section discusses the definitions that are included in Subpart A. There are several locations in the regulation that include another set of definitions. These definitions will be addressed in the sections of the manual in which those definitions are pertinent. Accept A receiving financial institution, other than the recipient s financial institution, accepts a transmittal order by executing the transmittal order. A recipient s financial institution accepts a transmittal order by paying the recipient, by notifying the recipient of the receipt of the order, or by otherwise becoming obligated to carry out the order. At One Time For purposes of the reporting requirements regarding international shipment of currency and monetary instruments [section ], a person who transports, mails, ships, or receives monetary instruments is deemed to do so at one time if that person, either alone, in conjunction with, or on behalf of others, transports, mails, ships, or receives in any manner monetary instruments, into or out of the United States, totaling more than $10,000 on any one calendar day (or, if for the purpose of evading the reporting requirements of section , on one or more days). Attorney General - The Attorney General of the United States. Bank Each agent, agency, branch, or office within the United States of any person doing business in one or more of the following capacities: A commercial bank or trust company organized under the laws of any state or of the United States A private bank A savings and loan or building and loan association organized under the laws of any state or of the United States A federally insured institution A savings bank, industrial bank, or other thrift institution A credit union organized under the laws of any state or of the United States Any other organization chartered under the banking laws of any state and subject to the supervision of bank supervisory authorities of a state A bank organized under foreign law Any national banking association/corporation acting under the Federal Reserve Act Bank Secrecy Act - The Currency and Foreign Transactions Reporting Act, its amendments, and the other statutes relating to the subject matter of that Act, have come to be referred to as the Bank Secrecy Act. These statutes are codified at 12 U.S.C. 1829b, 12 U.S.C , 18 U.S.C. 1956, 18 U.S.C. 1957, 18 U.S.C. 1960, and 31 U.S.C and and notes thereto. Beneficiary The person to be paid by the beneficiary s bank. Young & Associates, Inc. Page 17

22 Beneficiary s Bank The bank identified in a payment order in which an account of the beneficiary is to be credited pursuant to the order or which otherwise is to make payment to the beneficiary if the order does not provide for payment to an account. Business Day That day that is normally communicated to its depository customers on which a bank routinely posts a particular transaction to an account. Commodity Any good, article, service, right, or interest described in section 1a(4) of the Commodity Exchange Act ( CEA ), 7 U.S.C. 1a(4). Common Carrier Any person engaged in the business of transporting individuals or goods for a fee who holds himself out as ready to engage in such transportation for hire and who undertakes to do so for all persons who are prepared to pay the fee for the particular service offered. Contract of Sale Any sale, agreement of sale, or agreement to sell as described in section 1a(7) of the CEA, 7 U.S.C. 1a(7). Currency The coin and paper money of the United States or of any other country that is designated as legal tender and is customarily accepted as a medium of exchange in the country of issuance. (Examples: silver certificates, U.S. notes, Federal Reserve notes, and foreign currency that is an accepted medium of exchange.) Deposit Account Transaction accounts, savings accounts, and other time deposits. Domestic Refers to doing business within the United States. Established Customer A person with an account with the financial institution, including a loan account or deposit or other asset account, or a person with respect to which the financial institution has obtained and maintains on file the person s name and address, as well as taxpayer identification number (e.g., Social Security or employer identification number) or, if none, alien identification number or passport number and country of issuance, and to which the financial institution provides financial services relying on that information. Execution Date The day on which the receiving financial institution may properly issue a transmittal order in execution of the sender s order. The execution date may be determined by instruction of the sender but cannot be earlier than the day the order is received and, unless otherwise determined, is the day the order is received. If the sender s instruction states a payment date, the execution date is the payment date or an earlier date on which execution is reasonably necessary to allow payment to the recipient on the payment date. Federal Functional Regulator The Board of Governors of the Federal Reserve System; The Office of the Comptroller of the Currency; The Board of Directors of the Federal Deposit Insurance Corporation; The Office of Thrift Supervision; The National Credit Union Administration; The Securities and Exchange Commission; or The Commodity Futures Trading Commission. Young & Associates, Inc. Page 18

23 FinCEN The Financial Crimes Enforcement Network, an office within the Office of the Under Secretary (Enforcement) of the Department of the Treasury. Financial Institution Each agent, agency, branch, or office within the United States of any person doing business, whether or not on a regular basis or as an organized business concern, in one or more of the following capacities: A bank (except bank credit card systems) A broker/dealer in securities A money service business as defined below A telegraph company A casino/gambling casino licensed as a casino or gambling casino by a state or local government and having a gross gaming revenue in excess of $1,000,000 (includes principal headquarters and any branch of the business) A card club licensed as a card club, gaming club, card room, or similar gaming establishment by a state or local government, and having gross gaming revenue in excess of $1,000,000 (includes principal headquarters and any branch of the business) A person subject to supervision by any state/federal supervisory authority A futures commission merchant An introducing broker in commodities Foreign Bank A bank organized under foreign law located outside the United States. It does not include an agent, agency, branch, or office organized under foreign law located within the United States. Foreign Financial Agency A person acting outside the United States for a person (except for a country, a monetary or financial authority acting as a monetary or financial authority, or an international financial institution of which the United States government is a member) as a financial institution, bailee, depository trustee, or agent, or acting in a similar way related to money, credit, securities, or gold. Funds Transfer The series of transactions, beginning with the originator s payment order, made for the purpose of making payment to the beneficiary of the order. The term includes any payment order issued by the originator s bank or an intermediary bank intended to carry out the originator s payment order. A funds transfer is completed by acceptance by the beneficiary s bank of a payment order for the benefit of the beneficiary of the originator s payment order. Funds transfers governed by the Electronic Fund Transfer Act of 1978, as well as any other funds transfers that are made through an automated clearinghouse, an automated teller machine, or a point of sale system, are excluded from this definition. Futures Commission Merchant Any person registered or required to be registered as a futures commission merchant with the Commodity Futures Trading Commission ( CFTC ) under the CEA, except persons who register pursuant to section 4f(a)(2) of the CEA, 7 U.S.C. 6f(a)(2). Indian Gaming Regulatory Act The Indian Gaming Regulatory Act of 1988 codified at 25 U.S.C and 18 U.S.C Young & Associates, Inc. Page 19

24 Intermediary Bank A receiving bank other than the originator s bank or the beneficiary s bank. Intermediary Financial Institution A receiving financial institution, other than the transmitter s financial institution or the recipient s financial institution. The term intermediary financial institution includes an intermediary bank. Introducing Broker-Commodities Any person registered or required to be registered as an introducing broker with the CFTC under the CEA, except persons who register pursuant to section 4f(a)(2) of the CEA, 7 U.S.C. 6f(a)(2). Investment Security An instrument that (1) is issued in bearer or registered form; (2) is of a type commonly dealt with by securities exchanges or markets or commonly recognized in any area in which it is issued or dealt in as a medium for investment; (3) is either one of a class or series or by its terms is divisible into a class or series of instruments; and (4) evidences a share, participation, or other interest in property or in an enterprise, or evidences an obligation of the issuer. Monetary Instruments Currency; traveler s checks in any form; negotiable instruments such as personal checks, business checks, official bank checks, cashier s checks, third-party checks, promissory notes, and/or money orders; incomplete instruments (i.e., all of the instruments noted above signed but with the payee s name omitted); and securities or stock in bearer form or in such other form that title passes upon delivery. The term does not include warehouse receipts or bills of lading. Money Services Business Each agent, agency, branch, or office within the United States of any person doing business, whether or not on a regular basis or as an organized business concern, in one or more of the capacities listed below. Notwithstanding the preceding sentence, the term money services business shall not include a bank, nor shall it include a person registered with, and regulated or examined by, the Securities and Exchange Commission or the Commodity Futures Trading Commission. Dealer in foreign exchange A person that accepts the currency, or other monetary instruments, funds, or other instruments denominated in the currency, of one or more countries in exchange for the currency, or other monetary instruments, funds, or other instruments denominated in the currency, of one or more other countries in an amount greater than $1,000 for any other person on any day in one or more transactions, whether or not for same-day delivery. Check casher A person that accepts checks or monetary instruments in return for currency or a combination of currency and other monetary instruments or other instruments, in an amount greater than $1,000 for any person on any day in one or more transactions. Facts and circumstances; Limitations. Whether a person is a check casher as described in this section is a matter of facts and circumstances. The term check casher shall not include: o A person that sells prepaid access in exchange for a check, monetary instrument or other instrument; o A person that solely accepts monetary instruments as payment for goods or services other than check cashing services; Young & Associates, Inc. Page 20

25 o A person that engages in check cashing for the verified maker of the check who is a customer otherwise buying goods and services; o A person that redeems its own checks; or o A person that only holds a customer's check as collateral for repayment by the customer of a loan. Issuer or seller of traveler's checks or money orders A person that issues traveler's checks or money orders that are sold in an amount greater than $1,000 to any person on any day in one or more transactions or sells traveler's checks or money orders in an amount greater than $1,000 to any person on any day in one or more transactions. Provider of prepaid access A provider of prepaid access is the participant within a prepaid program that agrees to serve as the principal conduit for access to information from its fellow program participants. The participants in each prepaid access program must determine a single participant within the prepaid program to serve as the provider of prepaid access. o Considerations for provider determination In the absence of registration as the provider of prepaid access for a prepaid program by one of the participants in a prepaid access program, the provider of prepaid access is the person with principal oversight and control over the prepaid program. Which person exercises principal oversight and control is a matter of facts and circumstances. Activities that indicate principal oversight and control include: Organizing the prepaid program; Setting the terms and conditions of the prepaid program and determining that the terms have not been exceeded; Determining the other businesses that will participate in the prepaid program, which may include the issuing bank, the payment processor, or the distributor; Controlling or directing the appropriate party to initiate, freeze, or terminate prepaid access; and Engaging in activity that demonstrates oversight and control of the prepaid program. o Prepaid program A prepaid program is an arrangement under which one or more persons acting together provide(s) prepaid access. However, an arrangement is not a prepaid program if: It provides closed loop prepaid access to funds not to exceed $2,000 maximum value that can be associated with a prepaid access device or vehicle on any day; It provides prepaid access solely to funds provided by a Federal, State, local, Territory and Insular Possession, or Tribal government agency; It provides prepaid access solely to funds from pre-tax flexible spending arrangements for health care and dependent care expenses, or from Health Reimbursement Arrangements (as defined in 26 U.S.C. 105(b) and 125) for health care expenses; or It provides prepaid access solely to: Employment benefits, incentives, wages or salaries; or Young & Associates, Inc. Page 21

26 Funds not to exceed $1,000 maximum value and from which no more than $1,000 maximum value can be initially or subsequently loaded, used, or withdrawn on any day through a device or vehicle; and It does not permit: o o o Funds or value to be transmitted internationally; Transfers between or among users of prepaid access within a prepaid program; or Loading additional funds or the value of funds from non-depository sources. Money transmitter A person that provides money transmission services. The term money transmission services means the acceptance of currency, funds, or other value that substitutes for currency from one person and the transmission of currency, funds, or other value that substitutes for currency to another location or person by any means. Any means includes, but is not limited to, through a financial agency or institution; a Federal Reserve Bank or other facility of one or more Federal Reserve Banks, the Board of Governors of the Federal Reserve System, or both; an electronic funds transfer network; or an informal value transfer system or any other person engaged in the transfer of funds. Facts and circumstances; Limitations. Whether a person is a money transmitter as described in this section is a matter of facts and circumstances. The term money transmitter shall not include a person that only: o Provides the delivery, communication, or network access services used by a money transmitter to support money transmission services; o Acts as a payment processor to facilitate the purchase of, or payment of a bill for, a good or service through a clearance and settlement system by agreement with the creditor or seller; o Operates a clearance and settlement system or otherwise acts as an intermediary solely between BSA regulated institutions. This includes but is not limited to the Fedwire system, electronic funds transfer networks, certain registered clearing agencies regulated by the Securities and Exchange Commission ( SEC ), and derivatives clearing organizations, or other clearinghouse arrangements established by a financial agency or institution; o Physically transports currency, other monetary instruments, other commercial paper, or other value that substitutes for currency as a person primarily engaged in such business, such as an armored car, from one person to the same person at another location or to an account belonging to the same person at a financial institution, provided that the person engaged in physical transportation has no more than a custodial interest in the currency, other monetary instruments, other commercial paper, or other value at any point during the transportation; o Provides prepaid access; or o Accepts and transmits funds only integral to the sale of goods or the provision of services, other than money transmission services, by the person who is accepting and transmitting the funds. Young & Associates, Inc. Page 22

27 U.S. Postal Service. The United States Postal Service, except with respect to the sale of postage or philatelic products. Seller of prepaid access. Any person that receives funds or the value of funds in exchange for an initial loading or subsequent loading of prepaid access if that person: o Sells prepaid access offered under a prepaid program that can be used before verification of customer identification under (d)(1)(iv); or o Sells prepaid access (including closed loop prepaid access) to funds that exceed $10,000 to any person during any one day, and has not implemented policies and procedures reasonably adapted to prevent such a sale. For the purposes of this section, the term money services business shall not include: o A bank or foreign bank; o A person registered with, and functionally regulated or examined by, the SEC or the CFTC, or a foreign financial agency that engages in financial activities that, if conducted in the United States, would require the foreign financial agency to be registered with the SEC or CFTC; or o A natural person who engages in an activity identified in paragraphs (ff)(1) through (ff)(5) of this section on an infrequent basis and not for gain or profit. Mutual Fund An investment company (as the term is defined in section 3 of the Investment Company Act (15 U.S.C. 80a 3)) that is an open-end company (as that term is defined in section 5 of the Investment Company Act (15 U.S.C. 80a 5)) registered or required to register with the Securities and Exchange Commission under section 8 of the Investment Company Act (15 U.S.C. 80a 8). Option on a Commodity Any agreement, contract, or transaction described in section 1a(26) of the CEA, 7 U.S.C. 1a(26). Originator The sender of the first payment order in a funds transfer. Originator s Bank The receiving bank to which the payment order of the originator is issued if the originator is not a bank, or the originator if the originator is a bank or a foreign bank. Payment Date The day on which the amount of the transmittal order is payable to the recipient by the recipient s financial institution. The payment date may be determined by instruction of the sender, but cannot be earlier than the day the order is received by the recipient s financial institution and, unless otherwise prescribed by instruction, is the date the order is received by the recipient s financial institution. Payment Order An instruction of a sender to a receiving bank, transmitted orally, electronically, or in writing, to pay, or to cause another bank to pay, a fixed or determinable amount of money to a beneficiary if all of the following conditions are met: The instruction does not state a condition to payment to the beneficiary other than time of payment. The receiving bank is to be reimbursed by debiting an account of, or otherwise receiving payment from, the sender. Young & Associates, Inc. Page 23

28 The instruction is transmitted by the sender directly to the receiving bank or to an agent, funds transfer system, or communication system for transmittal to the receiving bank. Person All entities recognized as legal personalities (individuals, corporations, partnerships, trusts or estates, joint stock companies, associations, syndicates, joint ventures, Indian tribes, and other unincorporated groups or organizations). Receiving Bank The bank or foreign bank to which the sender s instruction is addressed. Receiving Financial Institution The financial institution or foreign financial agency to which the sender s instruction is addressed. The term receiving financial institution includes a receiving bank. Recipient The person to be paid by the recipient s financial institution. The term recipient includes a beneficiary, except where the recipient s financial institution is a financial institution other than a bank. Recipient s Financial Institution The financial institution identified in a transmittal order in which an account of the recipient is to be credited pursuant to the transmittal order or which otherwise is to make payment to the recipient if the order does not provide for payment to an account. The term recipient s financial institution includes a beneficiary s bank, except where the beneficiary is a recipient s financial institution. Secretary The Secretary of the Treasury or any other person designated to perform the function mentioned. Security Any instrument or interest described in section 3(a)(10) of the Securities Exchange Act of 1934, 15 U.S.C. 78c(a)(10). Self-regulatory organization Shall have the same meaning as provided in section 3(a)(26) of the Securities Exchange Act of 1934 (15 U.S.C. 78c(a)(26)); and means a registered entity or a registered futures association as provided in section 1a(29) or 17, respectively, of the Commodity Exchange Act (7 U.S.C. 1a(29), 21). Sender The person giving the instruction to the receiving financial institution. State The States of the United States and, wherever necessary to carry out the provisions of this part, the District of Columbia. Prepaid access Access to funds or the value of funds that have been paid in advance and can be retrieved or transferred at some point in the future through an electronic device or vehicle, such as a card, code, electronic serial number, mobile identification number, or personal identification number. Structure (Structuring) For purposes of section , a person structures a transaction if that person, acting alone or in conjunction with, or on behalf of, other persons, conducts or attempts to conduct one or more transactions in currency, in any amount, at one or more financial institutions, on one or more days, in any manner, for the purpose of evading the reporting requirements under sections , , , and of the regulation. In any manner includes, but is not limited to, the breaking down of a single sum of currency exceeding $10,000 or the conduct of a transaction, or series of currency transactions, including transactions at or below $10,000. The transaction or transactions need not exceed the $10,000 reporting threshold at any single financial institution on any single day in order to constitute structuring within the meaning of this definition. Young & Associates, Inc. Page 24

29 Taxpayer Identification Number Taxpayer Identification Number ( TIN ) is defined by section 6109 of the Internal Revenue Code of 1986 (26 U.S.C. 6109) and the Internal Revenue Service regulations implementing that section (e.g., social security number or employer identification number). Territories and Insular Possessions The Commonwealth of Puerto Rico, the United States Virgin Islands, Guam, the Commonwealth of the Northern Mariana Islands, and all other territories and possessions of the United States other than the Indian lands and the District of Columbia. Transaction Account Accounts that take deposits and are subject to withdrawal by check or other negotiable order (includes money market accounts). Transaction in Currency A transaction that involves the actual physical transfer of currency from one person to another. Transmittal of Funds A series of transactions beginning with the transmitter s transmittal order, made for the purpose of making payment to the recipient of the order. The term includes any transmittal order issued by the transmitter s financial institution or an intermediary financial institution intended to carry out the transmitter s transmittal order. The term transmittal of funds includes a funds transfer. A transmittal of funds is completed by acceptance by the recipient s financial institution of a transmittal order for the benefit of the recipient of the transmitter s transmittal order. Funds transfers governed by the Electronic Fund Transfer Act of 1978, as well as any other funds transfers that are made through an automated clearinghouse, an automated teller machine, or a point of sale system, are excluded from this definition. Transmittal Order The term transmittal order includes a payment order and is an instruction of a sender to a receiving financial institution, transmitted orally, electronically, or in writing, to pay, or to cause another financial institution to pay, a fixed or determinable amount of money to a recipient if all of the following conditions are met: The instruction does not state a condition to payment to the recipient other than time of payment. The receiving financial institution is to be reimbursed by debiting an account of, or otherwise receiving payment from, the sender. The instruction is transmitted by the sender directly to the receiving financial institution or to an agent or communication system for transmittal to the receiving financial institution. Transmitter The sender of the first transmittal order in a transmittal of funds. The term transmitter includes an originator, except where the transmitter s financial institution is a financial institution other than a bank. Transmitter s Financial Institution The receiving financial institution to which the transmittal order of the transmitter is issued if the transmitter is not a financial institution or foreign financial agency, or the transmitter if the transmitter is a financial institution. The term transmitter s financial institution includes an originator s bank, except where the originator is a transmitter s financial institution other than a bank. Young & Associates, Inc. Page 25

30 United States The states of the United States, the District of Columbia, the Commonwealth of Puerto Rico, the U.S. Virgin Islands, Guam, the Commonwealth of the Northern Mariana Islands, American Samoa, the Trust Territory of the Pacific Islands, and all other territories and possessions of the United States and/or any political subdivision or subdivisions thereof. U.S. Person A United States citizen, or a person other than an individual (such as a corporation, partnership or trust), that is established or organized under the laws of a State or the United States. Non-U.S. person means a person that is not a U.S. person. United States Postal Service The United States Postal Service, except with respect to the sale of postage or philatelic products. Closed loop prepaid access Prepaid access to funds or the value of funds that can be used only for goods or services in transactions involving a defined merchant or location (or set of locations), such as a specific retailer or retail chain, a college campus, or a subway system. Young & Associates, Inc. Page 26

31 Section 5: Currency Transaction Reports Over the course of the history of the Bank Secrecy Act, the Secretary of the Treasury has determined that the reports required by the regulation have a high degree of usefulness in the proceedings that surround criminal, tax, or regulatory investigations. Therefore, the regulation outlines very specific guidelines for the submission of the reports deemed useful for this purpose. Reports of Currency Transactions [31 C.F.R ] General Rule Each financial institution must file a report of each deposit, withdrawal, exchange of currency, or other payment or transfer by, through, or to such an institution that involves a transaction of currency of more than $10, Types of currency transactions subject to reporting requirements individually or by aggregation include, but are not limited to: denomination exchanges, individual retirement accounts (IRAs), loan payments, automated teller machine (ATM) transactions, purchases of certificates of deposit, deposits, withdrawals, funds transfers paid for in currency, and monetary instrument purchases. Financial institutions must develop systems necessary to aggregate currency transactions throughout the financial institution. The BSA officer along with financial institution management should ensure that an adequate system is implemented that will appropriately report currency transactions subject to the BSA requirement. Multiple Transactions [31 C.F.R ] Multiple currency transactions must be treated as a single transaction if the financial institution has knowledge that the transactions are made by or on behalf of any one person and result in cash in or cash out in an amount that exceeds $10,000 during any one-business day. Knowledge, in this context, means knowledge on the part of a partner, director, officer, or employee of the financial institution or on the part of any existing automated or manual system at the financial institution that permits it to aggregate transactions. Young & Associates, Inc. Page 27

32 Holiday, Weekend, or Night Deposits Deposits made at night, over a weekend, or during a holiday must be treated as if they were received the next business day. CTR Backfiling If a financial institution fails to file CTRs on reportable transactions for a specific customer, the financial institution should immediately begin filing CTRs for this customer, and should contact the Internal Revenue Service (IRS) Enterprise Computing Center - Detroit at to request a determination on whether the back filing of unreported transactions is necessary. Currency Transaction Reporting Guidelines [31 C.F.R ] Financial institutions are to use FinCEN Form 104: Currency Transaction Report to report any reportable transaction as defined above. The regulation calls for making reports in a timely manner. The following guidelines should be used when filing this form: [31 C.F.R ]: 1. A report must be filed by the financial institution within 15 days following the day on which the reportable transaction occurred. 2. A report must be filed by the financial institution within 15 days after receiving a request for the report. 3. A copy of each report filed must be retained by the financial institution for a period of five years from the date of the report. 4. All reports must be required to be filed with the Commissioner of Internal Revenue, unless otherwise specified. 5. The report shall be filed on forms prescribed by the Secretary. All information called for in such forms shall be furnished. Transactions between Financial Institutions and Exempt Persons [31 CFR ] Reports of transactions are not required from Federal Reserve Banks, Federal Home Loan Banks, transactions that occur between domestic financial institutions, and reports by non-bank banks of transactions with commercial banks. However, commercial banks must report such transactions with non-bank banks. Reports of transactions between financial institutions and exempt persons are not required. Exempt persons are discussed in Section 6 of this manual. Young & Associates, Inc. Page 28

33 Identification Required [31 C.F.R ] Before concluding any transaction in which a report is required, the financial institution must verify and record the required information in the following manner: 1. Record the name and address of the person presenting the transaction. 2. Record the identity, account number, and tax identification number of any person/entity that the transaction will affect. 3. Verification of the identity of an individual who indicates he or she is an alien or is not a resident of the United States must be made by a passport, alien identification card, or other official document evidencing nationality or residence. 4. Verification of identity in any other case must be made by examination of a document (not a financial institution signature card) that is normally accepted within the financial institution community as a means of cashing checks for nondepositors. A financial institution signature card may be relied upon only if it was issued after examining documents for establishing the identity of the person in question and such note was made on the signature card. 5. In each instance, the identifying information used in verifying the identity of the customer must be recorded on the report. (The notation of known customer or financial institution signature card on file is not sufficient and is prohibited.) Elderly/Disabled Exception Certain elderly or disabled patrons do not possess identification documents that would normally be considered acceptable within the financial institution community (e.g., driver s licenses, passports, or state issued identification cards). Accordingly, the procedure set forth below should be followed to fulfill the identification verification requirements of sections and According to a Treasury Administrative Ruling [FIN-1992-R001], financial institutions may accept as appropriate identification a Social Security, Medicare, Medicaid, or other insurance card presented along with another document that contains both the name and address of the patron (e.g., an organization membership card, voter registration card, utility bill, or real estate tax bill). Such forms of identification shall be specified in the financial institution s formal written policy and operating procedures as acceptable identification for transactions involving elderly or disabled patrons who do not possess identification documents normally considered acceptable within the financial institution community for cashing checks for nondepositors. This procedure may be applied only if the following circumstances exist: 1. The financial institution must establish that the identification the elderly or disabled patron has is limited to a Social Security or Medicare/Medicaid card plus another document that contains the patron s name and address. 2. The financial institution must use whatever information it has available, or policies and procedures it has in place, to determine the patron s identity. If the patron is a deposit accountholder, the financial institution should review its internal records to determine if there is information on file to verify the patron s identity. Young & Associates, Inc. Page 29

34 3. Only if the financial institution is confident that the elderly or disabled patron is who he (she) says he is may the transaction be concluded. Failure to identify an elderly or a disabled customer s identity as required by 31 C.F.R and as described herein may result in the imposition of civil and/or criminal penalties. The financial institution shall establish a formal written policy and shall implement operating procedures for processing reportable currency transactions or recording cash sales of certain monetary instruments to elderly or disabled patrons who do not have forms of identification ordinarily considered acceptable. Once implemented, the financial institution shall permit no exceptions to its policy and procedures. In addition, financial institutions are encouraged to record the elderly or disabled patron s identity and address. When the information has been obtained and verified, the method of identification should be noted on a signature card or other record. In completing a CTR, if all of the above conditions have been satisfied, the financial institution should enter the words Elderly or Disabled and the method used to verify the patron s identity, such as Social Security and (Organization) Membership Cards Only ID. Retention Period [31 C.F.R ] All records must be retained for a period of five years and will be stored in such a way as to be accessible within a reasonable amount of time, taking into account the nature of the record and the amount of time expired since the record was made. The CTR The following pages include the actual CTR report. Young & Associates, Inc. Page 30

35 Young & Associates, Inc. Page 31

36 Young & Associates, Inc. Page 32

37 Young & Associates, Inc. Page 33

38 Young & Associates, Inc. Page 34

39 Section 6: Targeting Orders [31 C.F.R ] Introduction If the Treasury Department determines, or receives a request from an appropriate Federal or State law enforcement official, and concludes that reasonable grounds exist for requiring additional recordkeeping and/or reporting requirements to be imposed, then the Treasury Department may issue a targeting order. These orders are to prevent persons from evading the reporting and/or recordkeeping requirements of the regulation. The order may be issued requiring any domestic financial institution or group of domestic financial institutions in a geographic area and any other person participating in the type of transaction to file a report in the format specified in such order. When an order is issued to a financial institution, it must be directed to the Chief Executive Officer of the financial institution and must designate one or more of the following categories of information to be reported: each deposit, withdrawal, exchange of currency, or other payment or transfer by, through, or to such financial institution specified in the order, which involves all or any class of transactions in currency and/or monetary instruments equal to or exceeding an amount to be specified in the order. Targeting Order Content An issued order must prescribe all of the following: 1. The dollar amount of transactions subject to the reporting requirement in the order 2. The type of transaction(s) subject to or exempt from a reporting requirement in the order 3. The appropriate form for reporting the transactions required in the order 4. The address to which reports required in the order are to be sent or from which they will be picked up 5. The starting and ending dates by which such transactions specified in the order are to be reported 6. The name of a Treasury official to be contacted for any additional information or questions 7. The amount of time the reports and records of reports generated in response to the order will have to be retained by the financial institution 8. Any other information deemed necessary to carry out the purposes of the order Prohibited Disclosure No officer, director, employee, or agent of any financial institution subject to a special reporting order can disclose the existence or terms of the order except as authorized by the Treasury Department. Young & Associates, Inc. Page 35

40 Term of Order No order issued can prescribe a reporting period of more than 60 days unless renewed pursuant to the requirements of the regulations. Revised Orders Any revisions to an order issued under this section will not be effective until made in writing. Treatment of Exemptions During the Order Unless otherwise specified in the order, a financial institution receiving an order under this section may continue to use the exemptions granted under section of the regulation prior to receipt of the order, but it may not grant additional exemptions. Young & Associates, Inc. Page 36

41 Section 7: CTR Exemptions [31 C.F.R ] Introduction The Department of the Treasury s experience in enforcing the Bank Secrecy Act has shown that certain legitimate businesses engage in regular and frequent currency transactions with domestic financial institutions. The routine reporting of these transactions is not likely to be useful to law enforcement agencies. Treasury has, therefore, included in the BSA regulations, provisions that permit financial institutions to exempt certain entities or accounts of certain customers from the Currency Transaction Report (CTR) reporting requirements. The Money Laundering Suppression Act of 1994 (MLSA) established a two-phase exemption process. Under Phase I exemptions, transactions in currency by financial institutions, governmental departments or agencies, and public or listed companies and their subsidiaries are exempt from reporting. Under Phase II exemptions, transactions in currency by smaller businesses that meet specific criteria laid out in FinCEN s regulations may be exempted from reporting. The standards for what constitutes eligible Phase I and Phase II Exempt Persons follow below. The definitions changed January 5, Phase I Exempt Persons 1. A bank, to the extent of its domestic operations. 2. A department or agency of the United States, of any state, or of any political subdivision of any state. 3. Any entity exercising governmental authority established under the laws of the United States, of any state, of any political subdivision of any state, or under an interstate compact between two or more states. 4. Any entity, other than a bank, whose common stock or other analogous equity interest is listed on the New York Stock Exchange or the American Stock Exchange or whose common stock or analogous equity interest have been designated as a NASDAQ National Market Security listed on the NASDAQ Stock Market (except stock listed under the separate NASDAQ Capital Markets Companies heading). Under this heading, a person that is a financial institution other than a bank, is exempt only to the extent of its domestic operations. 5. Any subsidiary of any corporation (non-bank entity) described above that is organized under the laws of the United States or of any state and at least 51 percent of whose common stock or analogous equity interest is owned by the listed entity, to the extent of its domestic operations. Young & Associates, Inc. Page 37

42 Designating Phase I Exempt Persons The rule imposes one condition on a bank s exemption of currency transactions of a customer who satisfies the definition of an exempt person. That condition is that a single form be filed designating the exempt person and the financial institution. FinCEN has a form (FinCEN 110) specifically for this purpose. The designation form will exempt all transaction accounts of the customer. Transaction accounts include demand deposits, negotiable order of withdrawal accounts, savings deposits subject to automatic transfers, and share draft accounts. The designation of new customers as exempt persons should be made no later than 30 days following the first transaction in currency in excess of $10,000 between a financial institution and the new customer. It should be noted, however, that FinCEN wishes financial institutions to file designations whenever they become aware of a qualifying customer who has had currency transactions exceeding $10, Financial institutions do not need to file the exemption form, or perform any annual due diligence for: Federal Reserve Banks and other banks, to the extent of their domestic operations, Government Departments or Agencies (National, state, or local) Any entities exercising government control under national, state, or local law Financial institutions do need to file the form for any other Phase I exemptions with whom they do business. Phase II Exempt Persons Non-listed businesses are Phase II exemptions. The following businesses are not eligible non-listed businesses. In other words, they may not be exempted. Non-Exemptible Non-Listed Businesses A business engaged primarily in one or more of the following activities may not be treated as a non-listed business: Businesses serving as financial institutions or agents of financial institutions of any type; purchase or sale to customers of motor vehicles of any kind, vessels, aircraft, farm equipment or mobile homes; The practice of law, accountancy, or medicine; Auctioning of goods; Chartering or operation of ships, buses, or aircraft; Gaming of any kind (other than licensed pari-mutuel betting at race tracks); Investment advisory services or investment banking services; Young & Associates, Inc. Page 38

43 Real estate brokerage; Pawn brokerage; Title insurance and real estate closing; Trade union activities; and Any other activities that may be specified by FinCEN. A business that engages in multiple business activities may be treated as a non-listed business so long as no more than 50 percent of its gross revenue is derived from one or more of the ineligible business activities. Before issuing a Phase II exemption, banks are encouraged to determine if any additions or amendments have been made to the non-exemptible non-listed business list. Questions often arise in determining the gross revenue of gaming activities, such as lottery sales. FinCEN has ruled that for the purpose of determining if a business derives more than 50 percent of its gross revenue from gaming, the term gross revenue is intended to encompass the amount of money that a business actually earns from a particular activity, rather than the sales volume of such activity conducted by the business. For example, if a business engages in lottery sales, the gross revenue from this activity would be the amount of money that the business actually earns from lottery sales, rather than the amount of money that the business takes in on behalf of the state lottery system. See FinCEN Ruling at: Exemptible Non-Listed Businesses 1. A non-listed business, to the extent of its domestic operations, other than those listed as non-exemptible, that: a. Has maintained a transaction account at the financial institution for at least two months; b. Frequently engages in transactions in currency with the financial institution in excess of $10,000, defined as at least five transactions per year; and c. Is incorporated or organized under the laws of the United States or a state, or is registered as and eligible to do business within the United States or a state. 2. A payroll customer, with respect solely to withdrawals for payroll purposes from existing transaction accounts, that: a. Has maintained a transaction account at the financial institution for at least two months; b. Operates a firm that regularly withdraws (at least five times per year) more than $10,000 in order to pay its United States employees in currency; and c. Is incorporated or organized under the laws of the United States or a state, or is registered as and eligible to do business within the United States or a state. 3. A non-listed business or payroll customer that meets the criteria of 1 or 2 above, and has maintained a money market deposit account (MMDA), used for business purposes, for at least two months (along with a transaction account) is eligible to have the MMDA exempted also. Young & Associates, Inc. Page 39

44 As noted above, the term frequently means five or more times per year. Depending upon the type of business, all of the five times per year may only occur at certain times of the year. For instance, a golf course in a northern area of the country may only have transactions in excess of $10, during the summer months. The rules state that seasonality such as this is acceptable for the purposes of this rule. Therefore, if the golf course only has large deposits in the summer, and at least five of them are for amounts in excess of $10,000.00, the golf course may be exempted. A sole proprietorship may be treated as a non-listed business (Phase II exemption) if the business otherwise meets the definition set forth in items 1 through 3 above. Care should be taken not to permit confusion between the customer s personal accounts and activities from the customer s business accounts and activities. Designating Phase II Exempt Persons The initial designation of exempt persons for Phase II exempt persons is essentially the same as for Phase I exempt persons. Phase II initial exemptions must be filed designating the exempt person and the financial institution. FinCEN Form 110 is specifically designed for this purpose. The designation form will exempt all transaction accounts of the customer. Transaction accounts include demand deposits, negotiable order of withdrawal accounts, savings deposits subject to automatic transfers and share draft accounts. As noted above, the exemption also can extend to MMDAs of Phase II exempt persons. Risk-Based Analysis to Exempt Non-Listed Businesses Notwithstanding the above mentioned criteria, a financial institution may choose to designate a non-listed business or a payroll customer as an exempt person before the customer has maintained a transaction account for at least two months if the financial institution conducts and documents a risk-based assessment of the customer and forms a reasonable belief that the customer has a legitimate business purpose for conducting frequent transactions in currency. This permitted risk-based assessment was added to the BSA effective January 5, The final rule, as published in the Federal Register included the following commentary as it relates to conducting a risk-based assessment on non-listed businesses: When conducting a risk-based analysis to determine the Phase II exemption eligibility of a customer, the depository institution should form a reasonable belief that the customer has a legitimate business purpose for conducting frequent transactions in currency. Factors the depository institution might consider in order to form a reasonable belief include, but are not limited to: whether the depository institution had a past relationship with the customer, certain specific characteristics of the customer s business model that may be pertinent, the types of business in which the customer engages, and where the business is operating. Exempting an otherwise eligible Phase II customer prior to two months time may be particularly appropriate when, for example: a returning customer reopens a previously maintained exempt transaction account with the institution; a customer that would now be eligible for Phase II exemption but under the current regulations was previously not eligible because the customer had conducted fewer than eight, but at least five, large cash transactions; or, when a customer that was a publicly listed company or a subsidiary becomes ineligible for exemption under Phase I, but may be designated for exemption under Phase II. Young & Associates, Inc. Page 40

45 Operating Procedures In addition to the preceding changes to the exempt person rules, the Treasury has also elected to remove the requirement to conduct an annual review of certain Phase I exempt persons (i.e., those where a FinCEN Form 110 is not necessary.) There continues to be, however, an annual review requirement for the remaining Phase I and all Phase II exempt persons. First, a financial institution must annually ascertain that a customer continues to qualify as an exempt person. Second, a financial institution must, at least annually and as necessary, review its monitoring of the currency transactions of its Phase II exempt customers for suspicious activity. A financial institution should retain documentation of these reviews. Financial institutions are expected to perform the same degree of due diligence in determining whether a customer is an exempt person (and documenting that determination) that a reasonable and prudent financial institution would perform to conduct its own business in order to avoid losses from fraud or misstatement. The objective is to allow financial institutions, who have already designed business procedures and protocols to deal with similar problems, to adapt their present procedures to achieve the results sought. An assessment of compliance will focus not on whether a bank necessarily makes every judgment perfectly, but on whether it takes the steps a reasonable and prudent banker would take to create appropriate systems. Annual Review Phase I Exemptions The rule permits a bank to determine the status of a customer as a government department, agency, or instrumentality based on its name or community knowledge. An entity generally exercises governmental authority only if its authorities include one or more of the powers to tax, to exercise the authority of eminent domain or to exercise police powers with respect to matters within its jurisdiction. To determine whether a customer is a listed corporation, a bank may rely on any: New York Stock Exchange, American Stock Exchange, or NASDAQ Stock Market listing published in a newspaper of general circulation; commonly accepted or published stock symbol guide; information contained in the Securities and Exchange Commission Edgar System; or information contained on an Internet World Wide Web site or sites maintained by the New York Stock Exchange, the American Stock Exchange, or the National Association of Securities Dealers. In determining whether a person is a subsidiary of a listed entity, a financial institution may rely upon the following: Any reasonably authenticated corporate officer s certificate; Any reasonably authenticated photocopy of Internal Revenue Service Form 851 (Affiliation Schedule) or the equivalent thereof for the appropriate tax year; or A person s Annual Report or Form 10 K, as filed in each case with the Securities and Exchange Commission. Young & Associates, Inc. Page 41

46 Annual Review Phase II Exemptions Phase II exemptions are non-listed businesses and require a different type of annual review. The financial institution must determine that the Phase II exempt customer continues to qualify for exempt status. To qualify, the accounts need to meet all of the original requirements of the initial exemption process, including the requirement that there be at least five transactions in currency in excess of the $10,000 limit during the previous 12 months. Aggregated Accounts In determining the qualification of a customer as an exempt person, a financial institution may treat all transaction accounts of the customer as a single account. If a financial institution elects to treat all transaction accounts of a customer as a single account, the financial institution must continue to treat such accounts consistently as a single account for purposes of determining the qualification of the customer as an exempt person. Limitations on Exemption The exemption for transactions by an exempt person applies only to transactions involving that person s own funds and does not apply to situations in which an exempt person is engaging in a transaction as an agent on behalf of another, beneficial owner of currency. In other words, an exempt person cannot lend its status, for a fee or otherwise, to another person s transactions. In addition, the provisions of the new rule create an exemption only with respect to the currency transaction reporting requirement. The rule does not create any exemption, and in fact has no effect of any kind, on the requirement that financial institutions file Suspicious Activity Reports on transactions, including currency and non-currency transactions, that meet the Suspicious Activity Report filing requirements. For example, multiple exchanges of small denominations of currency into large denominations of currency or currency transactions that are not (or whose amounts are not) commensurate with the stated business or other activity of the exempt person may indicate the need to file a Suspicious Activity Report. Similarly, a sudden need for currency by a business that never before had such a need can form a basis for the determination that a Suspicious Activity Report is due. Limitations on Liability No financial institution will be subjected to penalties for failure to file a Currency Transaction Report, unless the financial institution: Knowingly files false or incomplete information with respect to the transaction or the customer engaging in the transaction; or Young & Associates, Inc. Page 42

47 Has reason to believe that the customer does not meet the criteria established for exemptions, or the transaction is not that of an exempt person. If the financial institution subsequent to the filing determines that the customer no longer meets the requirements, and had no prior knowledge of this fact, there will be no penalty. However, the financial institution is required to assure that it does a full and complete analysis and review at the time of the annual review, to assure that the error does not continue past that point. If the financial institution files a CTR for an exempt customer, it will be subject to the same rules and restrictions as if the customer was not exempt. Therefore, any errors will be treated as exception items, even though the customer was exempt. Revocations FinCEN has the authority to revoke the status of any person as an exempt person by written notification published in the Federal Register. In addition, and without any action on the part of the Treasury Department, the status of a corporation as an exempt person ceases once the corporation ceases to be listed on the applicable stock exchange. Likewise, the status of a subsidiary as an exempt person ceases once the subsidiary ceases to be included in a consolidated federal income tax return. If the financial institution determines that an exemption is no longer appropriate, the financial institution may revoke the exemption at any time, without notice. Young & Associates, Inc. Page 43

48 Young & Associates, Inc. Page 44

49 Young & Associates, Inc. Page 45

50 Young & Associates, Inc. Page 46

51 Section 8: Suspicious Activity Reports [31 C.F.R ] Introduction Both the Department of the Treasury and the federal financial institution regulatory agencies have rules outlining the reporting requirements for suspicious transactions. The Suspicious Activity Report (SAR) has been developed as the primary method of suspicious activity reporting, and is considered the cornerstone of the BSA reporting system. It is through this system that financial institutions can help the United States fight terrorism and its financing, money laundering and other financial crimes. The SAR reporting system creates a uniform reporting form for all financial institutions to use when reporting known or suspected criminal offenses and transactions that a financial institution suspects involve money laundering or violate the Bank Secrecy Act. All completed forms are filed in one central location. This centralized filing will allow the establishment of a database that will be accessible to federal and state financial institution regulators and law enforcement agencies. FinCEN has been working diligently to improve the filing process to make the central depository retention more meaningful and helpful in the pursuit of illegal activities. In the Exam Manual, the regulators state Within this system, FinCEN and the federal banking agencies recognize that, as a practical matter, it is not possible for a financial institution to detect and report all potentially illicit transactions that flow through the financial institution. Examiners should focus on evaluating a financial institution s policies, procedures, and processes to identify, evaluate, and report suspicious activity. However, as part of the examination process, examiners should review individual SAR filing decisions to determine the effectiveness of the financial institution s suspicious activity identification, evaluation, and reporting process. The latest version of the SAR was issued in March A copy of the form and its instructions appear at the end of this section. Reporting Thresholds Even if the filing of an SAR is not required by the regulation, the regulation permits the filing of an SAR any time the financial institution believes the filing of the SAR for a suspicious transaction would be relevant to the possible violation of any law or regulation. There are four major categories of activities or transactions that require the filing of a Suspicious Activity report. The first three categories address the same type of known or suspected criminal violations but have different reporting thresholds based upon the suspected perpetrators of the violation(s). An SAR would be required (assuming the reporting thresholds are met) upon the detection of any known or suspected federal criminal violation(s): committed or attempted against the financial institution, or involving a transaction or transactions conducted through the financial institution, if the financial institution knows, suspects, or has reason to suspect: Young & Associates, Inc. Page 47

52 that it was either an actual or potential victim of a criminal violation(s) or that the financial institution was used to facilitate a criminal transaction. Although the regulation itself limits the filing of an SAR to amounts in excess of $5,000, the instructions for the filing of an SAR and the requirements of the regulators state that an SAR shall be filed in the following situations: Insider Abuse. Criminal violations involving insider abuse in any amount. Known Suspect. Criminal violations aggregating $5,000 or more when a suspect can be identified. Unknown Suspect. Criminal violations aggregating $25,000 or more regardless of a potential suspect. Money Laundering. The fourth category of activities or transactions that requires the filing of a Suspicious Activity Report is transactions aggregating $5,000 or more that involve potential money laundering or violate the Bank Secrecy Act. This would include any type of a transaction (not just a currency transaction) aggregating $5,000 or more conducted or attempted to be conducted by, at, or through a financial institution, if the financial institution knows, suspects, or has reason to suspect that: o The transaction involves funds derived from illegal activities or is intended or conducted in order to hide or disguise funds or assets derived from illegal activities as part of a plan to violate or evade any law or regulation or to avoid any transaction reporting requirement under federal law, o The transaction is designed to evade any Bank Secrecy Act regulations, or o The transaction has no business or apparent lawful purpose or is not the sort in which the particular customer would normally be expected to engage, and the financial institution knows of no reasonable explanation for the transaction after examining the available facts (including the background and possible purpose of the transaction). Money Laundering and Terrorist Financing Red Flags Appendix F of the 2010 (pages F-1 through F-11) Exam Manual contains significant lists of red flags that financial institutions should include in training as well as implement in their daily monitoring process that would aid in recognizing potential money laundering or terrorist financing activity. These red flags cover account opening, reporting and recordkeeping, funds transfers, ACH activity, lending, cross border transactions, trade finance, insurance, domestic and foreign customers, as well as unusual employee activity. Appendix F, in its entirety, appears on the next several pages. Appendix F: Money Laundering and Terrorist Financing Red Flags The following are examples of potentially suspicious activities, or red flags for both money laundering and terrorist financing. Although these lists are not all-inclusive, they may help Young & Associates, Inc. Page 48

53 financial institutions and examiners recognize possible money laundering and terrorist financing schemes. Management s primary focus should be on reporting suspicious activities, rather than on determining whether the transactions are in fact linked to money laundering, terrorist financing, or a particular crime. The following examples are red flags that, when encountered, may warrant additional scrutiny. The mere presence of a red flag is not by itself evidence of criminal activity. Closer scrutiny should help to determine whether the activity is suspicious or one for which there does not appear to be a reasonable business or legal purpose. Potentially Suspicious Activity That May Indicate Money Laundering Customers Who Provide Insufficient or Suspicious Information A customer uses unusual or suspicious identification documents that cannot be readily verified. A customer provides an individual tax identification number after having previously used a Social Security number. A customer uses different tax identification numbers with variations of his or her name. A business is reluctant, when establishing a new account, to provide complete information about the nature and purpose of its business, anticipated account activity, prior financial institution relationships, the names of its officers and directors, or information on its business location. A customer s home or business telephone is disconnected. The customer s background differs from that which would be expected on the basis of his or her business activities. A customer makes frequent or large transactions and has no record of past or present employment experience. A customer is a trust, shell company, or Private Investment Company that is reluctant to provide information on controlling parties and underlying beneficiaries. Beneficial owners may hire nominee incorporation services to establish shell companies and open financial institution accounts for those shell companies while shielding the owner s identity. Efforts to Avoid Reporting or Recordkeeping Requirement A customer or group tries to persuade a financial institution employee not to file required reports or maintain required records. A customer is reluctant to provide information needed to file a mandatory report, to have the report filed, or to proceed with a transaction after being informed that the report must be filed. A customer is reluctant to furnish identification when purchasing negotiable instruments in recordable amounts. A business or customer asks to be exempted from reporting or recordkeeping requirements. A person customarily uses the automated teller machine to make several financial institution deposits below a specified threshold. Young & Associates, Inc. Page 49

54 A customer deposits funds into several accounts, usually in amounts of less than $3,000, which are subsequently consolidated into a master account and transferred outside of the country, particularly to or through a location of specific concern (e.g., countries designated by national authorities and Financial Action Task Force on Money Laundering (FATF) as noncooperative countries and territories). A customer accesses a safe deposit box after completing a transaction involving a large withdrawal of currency, or accesses a safe deposit box before making currency deposits structured at or just under $10,000, to evade CTR filing requirements. Funds Transfers Many funds transfers are sent in large, round dollar, hundred dollar, or thousand dollar amounts. Funds transfer activity occurs to or from a financial secrecy haven, or to or from a higherrisk geographic location without an apparent business reason or when the activity is inconsistent with the customer s business or history. Many small, incoming transfers of funds are received, or deposits are made using checks and money orders. Almost immediately, all or most of the transfers or deposits are wired to another city or country in a manner inconsistent with the customer s business or history. Large, incoming funds transfers are received on behalf of a foreign client, with little or no explicit reason. Funds transfer activity is unexplained, repetitive, or shows unusual patterns. Payments or receipts with no apparent links to legitimate contracts, goods, or services are received. Funds transfers are sent or received from the same person to or from different accounts. Funds transfers contain limited content and lack related party information. Automated Clearing House Transactions Large-value, automated clearinghouse (ACH) transactions are frequently initiated through third-party service providers (TPSP) by originators that are not financial institution customers and for which the financial institution has no or insufficient due diligence. TPSPs have a history of violating ACH network rules or generating illegal transactions, or processing manipulated or fraudulent transactions on behalf of their customers. Multiple layers of TPSPs that appear to be unnecessarily involved in transactions. Unusually high level of transactions initiated over the Internet or by telephone. NACHA The Electronic Payments Association (NACHA) information requests indicate potential concerns with the financial institution s usage of the ACH system. Activity Inconsistent with the Customer s Business The currency transaction patterns of a business show a sudden change inconsistent with normal activities. Young & Associates, Inc. Page 50

55 A large volume of cashier s checks, money orders, or funds transfers is deposited into, or purchased through, an account when the nature of the accountholder s business would not appear to justify such activity. A retail business has dramatically different patterns of currency deposits from similar businesses in the same general location. Unusual transfers of funds occur among related accounts or among accounts that involve the same or related principals. The owner of both a retail business and a check-cashing service does not ask for currency when depositing checks, possibly indicating the availability of another source of currency. Goods or services purchased by the business do not match the customer s stated line of business. Payments for goods or services are made by checks, money orders, or financial institution drafts not drawn from the account of the entity that made the purchase. Lending Activity Loans secured by pledged assets held by third parties unrelated to the borrower. Loan secured by deposits or other readily marketable assets, such as securities, particularly when owned by apparently unrelated third parties. Borrower defaults on a cash-secured loan or any loan that is secured by assets, which are readily convertible into currency. Loans are made for, or are paid on behalf of, a third party with no reasonable explanation. To secure a loan, the customer purchases a certificate of deposit using an unknown source of funds, particularly when funds are provided via currency or multiple monetary instruments. Loans that lack a legitimate business purpose, provide the financial institution with significant fees for assuming little or no risk, or tend to obscure the movement of funds (e.g., loans made to a borrower and immediately sold to an entity related to the borrower). Changes in Bank-to-Bank Transactions The size and frequency of currency deposits increases rapidly with no corresponding increase in noncurrency deposits. A financial institution is unable to track the true accountholder of correspondent or concentration account transactions. The turnover in large-denomination bills is significant and appears uncharacteristic, given the financial institution s location. Changes in currency-shipment patterns between correspondent financial institutions are significant. Cross-Border Financial Institution Transactions U.S. financial institution increases sales or exchanges of large denomination U.S. financial institution notes to Mexican financial institution(s). Young & Associates, Inc. Page 51

56 Large volumes of small denomination U.S. banknotes being sent from Mexican casas de cambio to their U.S. accounts via armored transport or sold directly to U.S. financial institutions. These sales or exchanges may involve jurisdictions outside of Mexico. Casas de cambio direct the remittance of funds via multiple funds transfers to jurisdictions outside of Mexico that bear no apparent business relationship with the casas de cambio. Funds transfer recipients may include individuals, businesses, and other entities in free trade zones. Casas de cambio deposit numerous third-party items, including sequentially numbered monetary instruments, to their accounts at U.S. financial institutions. Casas de cambio direct the remittance of funds transfers from their accounts at Mexican financial institutions to accounts at U.S. financial institutions. These funds transfers follow the deposit of currency and third-party items by the casas de cambio into their Mexican financial institution. Bulk Currency Shipments An increase in the sale of large denomination U.S. financial institution notes to foreign financial institutions by U.S. financial institutions. Large volumes of small denomination U.S. financial institution notes being sent from foreign nonfinancial institution financial institutions to their accounts in the United States via armored transport, or sold directly to U.S. financial institutions. Multiple wire transfers initiated by foreign nonbank financial institutions that direct U.S. financial institutions to remit funds to other jurisdictions that bear no apparent business relationship with that foreign nonbank financial institution. Recipients may include individuals, businesses, and other entities in free trade zones and other locations. The exchange of small denomination U.S. bank notes for large denomination U.S. bank notes that may be sent to foreign countries. Deposits by foreign nonbank financial institutions to their accounts at U.S. financial institutions that include third-party items, including sequentially numbered monetary instruments. Deposits of currency and third-party items by foreign nonbank financial institutions to their accounts at foreign financial institutions and, thereafter, direct wire transfers to the foreign nonbank financial institution s accounts at U.S. banks. Trade Finance Items shipped that are inconsistent with the nature of the customer s business (e.g., a steel company that starts dealing in paper products, or an information technology company that starts dealing in bulk pharmaceuticals). Customers conducting business in higher-risk jurisdictions. Customers shipping items through higher-risk jurisdictions, including transit through noncooperative countries. Customers involved in potentially higher-risk activities, including activities that may be subject to export/import restrictions (e.g., equipment for military or police organizations of foreign governments, weapons, ammunition, chemical mixtures, classified defense articles, sensitive technical data, nuclear materials, precious gems, or certain natural resources such as metals, ore, and crude oil). Young & Associates, Inc. Page 52

57 Obvious over- or underpricing of goods and services. Obvious misrepresentation of quantity or type of goods imported or exported. Transaction structure appears unnecessarily complex and designed to obscure the true nature of the transaction. Customer requests payment of proceeds to an unrelated third party. Shipment locations or description of goods not consistent with letter of credit. Significantly amended letters of credit without reasonable justification or changes to the beneficiary or location of payment. Any changes in the names of parties should prompt additional OFAC review. Privately Owned Automated Teller Machines Automated teller machine (ATM) activity levels are high in comparison with other privately owned or bank-owned ATMs in comparable geographic and demographic locations. Sources of currency for the ATM cannot be identified or confirmed through withdrawals from account, armored car contracts, lending arrangements, or other appropriate documentation. Insurance A customer purchases products with termination features without concern for the product s investment performance. A customer purchases insurance products using a single, large premium payment, particularly when payment is made through unusual methods such as currency or currency equivalents. A customer purchases a product that appears outside the customer s normal range of financial wealth or estate planning needs. A customer borrows against the cash surrender value of permanent life insurance policies, particularly when payments are made to apparently unrelated third parties. Policies are purchased that allow for the transfer of beneficial ownership interests without the knowledge and consent of the insurance issuer. This would include secondhand endowment and bearer insurance policies. A customer is known to purchase several insurance products and uses the proceeds from an early policy surrender to purchase other financial assets. A customer uses multiple currency equivalents (e.g., cashier s checks and money orders) from different financial institutions and money services businesses to make insurance policy or annuity payments. Shell Company Activity A financial institution is unable to obtain sufficient information or information is unavailable to positively identify originators or beneficiaries of accounts or other financial institution activity (using Internet, commercial database searches, or direct inquiries to a respondent financial institution). Payments to or from the company have no stated purpose, do not reference goods or services, or identify only a contract or invoice number. Young & Associates, Inc. Page 53

58 Goods or services, if identified, do not match profile of company provided by respondent financial institution or character of the financial activity; a company references remarkably dissimilar goods and services in related funds transfers; explanation given by foreign respondent financial institution is inconsistent with observed funds transfer activity. Transacting businesses share the same address, provide only a registered agent s address, or have other address inconsistencies. Unusually large number and variety of beneficiaries are receiving funds transfers from one company. Frequent involvement of multiple jurisdictions or beneficiaries located in higher-risk offshore financial centers. A foreign correspondent financial institution exceeds the expected volume in its client profile for funds transfers, or an individual company exhibits a high volume and pattern of funds transfers that is inconsistent with its normal business activity. Multiple high-value payments or transfers between shell companies with no apparent legitimate business purpose. Purpose of the shell company is unknown or unclear. Embassy and Foreign Consulate Accounts Official embassy business is conducted through personal accounts. Account activity is not consistent with the purpose of the account, such as pouch activity or payable upon proper identification transactions. Accounts are funded through substantial currency transactions. Accounts directly fund personal expenses of foreign nationals without appropriate controls, including, but not limited to, expenses for college students. Employees Employee exhibits a lavish lifestyle that cannot be supported by his or her salary. Employee fails to conform to recognized policies, procedures, and processes, particularly in private financial institution. Employee is reluctant to take a vacation. Other Unusual or Suspicious Customer Activity Customer frequently exchanges small-dollar denominations for large-dollar denominations. Customer frequently deposits currency wrapped in currency straps or currency wrapped in rubber bands that is disorganized and does not balance when counted. Customer purchases a number of cashier s checks, money orders, or traveler s checks for large amounts under a specified threshold. Customer purchases a number of open-end prepaid cards for large amounts. Purchases of prepaid cards are not commensurate with normal business activities. Customer receives large and frequent deposits from online payments systems yet has no apparent online or auction business. Young & Associates, Inc. Page 54

59 Monetary instruments deposited by mail are numbered sequentially or have unusual symbols or stamps on them. Suspicious movements of funds occur from one financial institution to another, and then funds are moved back to the first financial institution. Deposits are structured through multiple branches of the same financial institution or by groups of people who enter a single branch at the same time. Currency is deposited or withdrawn in amounts just below identification or reporting thresholds. Customer visits a safe deposit box or uses a safe custody account on an unusually frequent basis. Safe deposit boxes or safe custody accounts opened by individuals who do not reside or work in the institution s service area, despite the availability of such services at an institution closer to them. Customer repeatedly uses a financial institution or branch location that is geographically distant from the customer s home or office without sufficient business purpose. Customer exhibits unusual traffic patterns in the safe deposit box area or unusual use of safe custody accounts. For example, several individuals arrive together, enter frequently, or carry bags or other containers that could conceal large amounts of currency, monetary instruments, or small valuable items. Customer rents multiple safe deposit boxes to store large amounts of currency, monetary instruments, or high-value assets awaiting conversion to currency, for placement into the financial institution system. Similarly, a customer establishes multiple safe custody accounts to park large amounts of securities awaiting sale and conversion into currency, monetary instruments, outgoing funds transfers, or a combination thereof, for placement into the financial institution system. Unusual use of trust funds in business transactions or other financial activity. Customer uses a personal account for business purposes. Customer has established multiple accounts in various corporate or individual names that lack sufficient business purpose for the account complexities or appear to be an effort to hide the beneficial ownership from the financial institution. Customer makes multiple and frequent currency deposits to various accounts that are purportedly unrelated. Customer conducts large deposits and withdrawals during a short time period after opening and then subsequently closes the account or the account becomes dormant. Conversely, an account with little activity may suddenly experience large deposit and withdrawal activity. Customer makes high-value transactions not commensurate with the customer s known incomes. Young & Associates, Inc. Page 55

60 Potentially Suspicious Activity That May Indicate Terrorist Financing The following examples of potentially suspicious activity that may indicate terrorist financing are primarily based on guidance Guidance for Financial Institutions in Detecting Terrorist Financing provided by the FATF. FATF is an intergovernmental body whose purpose is the development and promotion of policies, both at national and international levels, to combat money laundering and terrorist financing. Activity Inconsistent With the Customer s Business Funds are generated by a business owned by persons of the same origin or by a business that involves persons of the same origin from higher-risk countries (e.g., countries designated by national authorities and FATF as noncooperative countries and territories). The stated occupation of the customer is not commensurate with the type or level of activity. Persons involved in currency transactions share an address or phone number, particularly when the address is also a business location or does not seem to correspond to the stated occupation (e.g., student, unemployed, or self-employed). Regarding nonprofit or charitable organizations, financial transactions occur for which there appears to be no logical economic purpose or in which there appears to be no link between the stated activity of the organization and the other parties in the transaction. A safe deposit box opened on behalf of a commercial entity when the business activity of the customer is unknown or such activity does not appear to justify the use of a safe deposit box. Funds Transfers A large number of incoming or outgoing funds transfers take place through a business account, and there appears to be no logical business or other economic purpose for the transfers, particularly when this activity involves higher-risk locations. Funds transfers are ordered in small amounts in an apparent effort to avoid triggering identification or reporting requirements. Funds transfers do not include information on the originator, or the person on whose behalf the transaction is conducted, when the inclusion of such information would be expected. Multiple personal and business accounts or the accounts of nonprofit organizations or charities are used to collect and funnel funds to a small number of foreign beneficiaries. Foreign exchange transactions are performed on behalf of a customer by a third party, followed by funds transfers to locations having no apparent business connection with the customer or to higher-risk countries. Other Transactions That Appear Unusual or Suspicious Transactions involving foreign currency exchanges are followed within a short time by funds transfers to higher-risk locations. Multiple accounts are used to collect and funnel funds to a small number of foreign beneficiaries, both persons and businesses, particularly in higher-risk locations. Young & Associates, Inc. Page 56

61 A customer obtains a credit instrument or engages in commercial financial transactions involving the movement of funds to or from higher-risk locations when there appear to be no logical business reasons for dealing with those locations. Financial institutions from higher-risk locations open accounts. Funds are sent or received via international transfers from or to higher-risk locations. Insurance policy loans or policy surrender values that are subject to a substantial surrender charge. Filing Guidelines The SAR rules require that an SAR be filed no later than 30 calendar days from the date of the initial detection of facts that may constitute a basis for filing an SAR. If no suspect can be identified, the time period for filing an SAR is extended to 60 days. Organizations may need to review transaction or account activity for a customer to determine whether to file an SAR. The need for a review of customer activity or transactions does not necessarily indicate a need to file an SAR. The time period for filing an SAR starts when the organization, during its review or because of other factors, knows or has reason to suspect that the activity or transactions under review meet one or more of the definitions of suspicious activity. The phrase initial detection should not be interpreted as meaning the moment a transaction is highlighted for review. There are a variety of legitimate transactions that could raise a red flag simply because they are inconsistent with an accountholder s normal account activity. The financial institution s automated account monitoring system or initial discovery of information, such as system-generated reports, may flag a transaction; however, this should not be considered initial detection of potential suspicious activity. Whenever possible, a prompt review of an unusual transaction or account is recommended, which can be of significant assistance to law enforcement. In any event, the review should be completed in a reasonable period of time. What constitutes a reasonable period of time will vary according to the facts and circumstances of the particular matter being reviewed and the effectiveness of the SAR monitoring, reporting, and decision-making process of each financial institution. The key factor is that a financial institution has established adequate procedures for reviewing and assessing facts and circumstances identified as potentially suspicious, and that those procedures are documented and followed. For violations requiring immediate attention, in addition to filing a timely SAR, a financial institution is required to immediately notify, by telephone, an appropriate law enforcement authority and, as necessary, the financial institution s primary regulator. An appropriate law enforcement authority would generally be the local office of the Internal Revenue Service Criminal Investigation Division or the FBI. Notifying law enforcement of a suspicious activity does not relieve a financial institution of its obligation to file an SAR. For suspicious activity related to terrorist activity, institutions may also call FinCEN s Financial Institution s terrorist hotline at the toll free number (7 days a week, 24 hours a day) to further facilitate the immediate transmittal of relevant information to the appropriate authorities. Young & Associates, Inc. Page 57

62 Ongoing Suspicious Activity Should the circumstances that led to a SAR filing continue (such as suspected money laundering issues), financial institutions should re-file a new SAR at least every 90 days, giving an update as to current activity. This notifies law enforcement of continuing activity and serves as a reminder to the institution to continue monitoring account and transaction activity to determine whether other appropriate actions, such as terminating a customer or employee relationship, is required. Financial institutions should be aware that law enforcement may have an interest in ensuring that certain accounts remain open notwithstanding suspicious or potential criminal activity in connection with those accounts. If a law enforcement agency requests that a financial institution maintain a particular account, the financial institution should ask for a written request. The written request should indicate that the agency has requested that the financial institution maintain the account and the purpose and duration of the request. Ultimately, the decision to maintain or close an account should be made by a financial institution in accordance with its own standards and guidelines. The financial institution should develop policies, procedures, and processes indicating when to escalate issues or problems identified as the result of repeat SAR filings on accounts. The procedures should include: Review by senior management and legal staff (e.g., BSA compliance officer or SAR committee). Criteria for when analysis of the overall customer relationship is necessary. Criteria for when to close the account, Criteria for when to notify law enforcement, if applicable. As part of the filing process, financial institutions are required to collect and maintain all supporting information so that it will be available to the appropriate authorities should further action be required. Exceptions An SAR is not required for actual or attempted robberies or burglaries that are reported to the appropriate law enforcement authorities. SARs are also not required for lost, missing, counterfeit, or stolen securities that are properly reported to the appropriate regulatory agencies. Systems to Identify, Research and Report Suspicious Activity The Suspicious Activity Reporting section of the Exam Manual discuss the systems and procedures that financial institutions are expected to have in place to assure that all possible suspicious transactions are reported, as follows: Young & Associates, Inc. Page 58

63 Suspicious activity monitoring and reporting are critical internal controls. Proper monitoring and reporting processes are essential to ensuring that the financial institution has an adequate and effective BSA compliance program. Appropriate policies, procedures, and processes should be in place to monitor and identify unusual activity. The sophistication of monitoring systems should be dictated by the financial institution s risk profile, with particular emphasis on the composition of higher-risk products, services, customers, entities, and geographies. The financial institution should ensure adequate staff is assigned to the identification, research, and reporting of suspicious activities, taking into account the financial institution s overall risk profile and the volume of transactions. Monitoring systems typically include employee identification or referrals, transaction-based (manual) systems, surveillance (automated) systems, or any combination of these. Generally, effective suspicious activity monitoring and reporting systems include four key components (refer to Appendix S Key Suspicious Activity Monitoring Components ). The components, listed below, are interdependent, and an effective suspicious activity monitoring and reporting process should include successful implementation of each component. Breakdowns in any one or more of these components may adversely affect SAR reporting and BSA compliance. The four key components to an effective monitoring and reporting system are: 1. Identification or alert of unusual activity (which may include employee identification, law enforcement inquiries, other referrals, and transaction and surveillance monitoring system output). 2. Managing alerts. 3. SAR decision making. 4. SAR completion and filing. These four components are present in financial institutions of all sizes. However, the structure and formality of the components may vary. Larger financial institutions will typically have greater differentiation and distinction between functions, and may devote entire departments to the completion of each component. Smaller financial institutions may use one or more employees to complete several tasks (e.g., review of monitoring reports, research activity, and completion of the actual SAR). Policies, procedures, and processes should describe the steps the financial institution takes to address each component and indicate the person(s) or departments responsible for identifying or producing an alert of unusual activity, managing the alert, deciding whether to file, and SAR completion and filing. Record Retention Copies of filed SARs and records of any supporting documentation must be maintained for a period of five years from the date of filing the SAR. The financial institution should treat the supporting records as if they had been filed with the SAR, and should be properly maintained and labeled. Records of the supporting documentation must be available to appropriate law enforcement agencies, FinCEN and financial institution supervisory agencies upon request. Young & Associates, Inc. Page 59

64 SAR Confidentiality [31 C.F.R (e)] A SAR, and any information that would reveal the existence of a SAR, are confidential and shall not be disclosed except as authorized in this section. For purposes of this section, a SAR shall include any suspicious activity report filed with FinCEN pursuant to any regulation in this chapter. Prohibition on Disclosures by Financial institutions: General. No financial institution, and no director, officer, employee, or agent of any financial institution, shall disclose a SAR or any information that would reveal the existence of a SAR. Any financial institution, and any director, officer, employee, or agent of any financial institution that is subpoenaed or otherwise requested to disclose a SAR or any information that would reveal the existence of a SAR, shall decline to produce the SAR or such information, citing this section and 31 U.S.C. 5318(g)(2)(A)(i), and shall notify FinCEN of any such request and the response thereto. Rules of Construction. Provided that no person involved in any reported suspicious transaction is notified that the transaction has been reported, this section shall not be construed as prohibiting: The disclosure by a financial institution, or any director, officer, employee, or agent of a financial institution, of: o A SAR, or any information that would reveal the existence of a SAR, to FinCEN or any Federal, State, or local law enforcement agency, or any Federal regulatory authority that examines the financial institution for compliance with the Bank Secrecy Act, or any State regulatory authority administering a State law that requires the financial institution to comply with the Bank Secrecy Act or otherwise authorizes the State authority to ensure that the financial institution complies with the Bank Secrecy Act; or o The underlying facts, transactions, and documents upon which a SAR is based, including but not limited to, disclosures: To another financial institution, or any director, officer, employee, or agent of a financial institution, for the preparation of a joint SAR; or In connection with certain employment references or termination notices, to the full extent authorized in 31 U.S.C. 5318(g)(2)(B); or The sharing by a financial institution, or any director, officer, employee, or agent of the financial institution, of a SAR, or any information that would reveal the existence of a SAR, within the financial institution's corporate organizational structure for purposes consistent with Title II of the Bank Secrecy Act as determined by regulation or in guidance. Prohibition on disclosures by government authorities. A Federal, State, local, territorial, or Tribal government authority, or any director, officer, employee, or agent of any of the foregoing, shall not disclose a SAR, or any information that would reveal the existence of a SAR, except as necessary to fulfill official duties consistent with Title II of the Bank Secrecy Act. For purposes of this section, official duties shall not include the disclosure of a SAR, or any Young & Associates, Inc. Page 60

65 information that would reveal the existence of a SAR, in response to a request for disclosure of non-public information or a request for use in a private legal proceeding, including a request pursuant to 31 CFR Limitation on Liability [31 C.F.R (f)] A bank, and any director, officer, employee, or agent of any financial institution, that makes a voluntary disclosure of any possible violation of law or regulation to a government agency or makes a disclosure pursuant to this section or any other authority, including a disclosure made jointly with another institution, shall be protected from liability to any person for any such disclosure, or for failure to provide notice of such disclosure to any person identified in the disclosure, or both, to the full extent provided by 31 U.S.C. 5318(g)(3). Compliance [31 C.F.R (g)] Financial institutions shall be examined by FinCEN or its delegatees for compliance with this section. Failure to satisfy the requirements of this section may be a violation of the Bank Secrecy Act and of this chapter. Such failure may also violate provisions of title 12 of the Code of Federal Regulations. FinCEN Advisory On March 2, 2012, FinCEN issued the following advisory to financial institutions regarding SAR confidentiality. It has been formatted for manual purposes, but the text remains unchanged. FIN-2012-A002 Issued: March 2, 2012 Subject: SAR Confidentiality Reminder for Internal and External Counsel of Financial Institutions The Financial Crimes Enforcement Network (FinCEN) is issuing this Advisory to remind financial institutions, and in particular, the lawyers that advise them, of the requirement to maintain the confidentiality of Suspicious Activity Reports (SARs). FinCEN is concerned that an increasing number of private parties, who are not authorized to know of the existence of filed SARs, are seeking SARs from financial institutions for use in civil litigation and other matters. Financial institutions, and their current and former directors, officers, employees, agents, and contractors, are prohibited from disclosing SARs, or any information that would reveal the existence of a SAR. 1 FinCEN recognizes that an escalation in the number of requests for use of SARs in private litigation may increase the likelihood of an unauthorized disclosure of a SAR. This is especially true when external counsel is unfamiliar with the regulations covering SAR 1 See 31 CFR (e), (e), (d), (e), (d), (e), and (e), see also Pub. L : Consolidated Appropriations Bill, Division C, Title I, Section 118 amending 31 U.S.C. 5318(g)(2)(A)(December 23, 2011). Young & Associates, Inc. Page 61

66 confidentiality. Financial institutions, and their current and former directors, officers, employees, agents, and contractors could be subject to civil and criminal penalties for the unauthorized disclosure of a SAR. FinCEN is responsible for both safeguarding the information it collects under its regulations implementing the Bank Secrecy Act, including SARs, and promoting appropriate protection of this by authorized users of the data across the Federal, State and local levels of government. The unauthorized disclosure of SARs could undermine ongoing and future investigations by tipping off suspects, deterring financial institutions from filing SARs, and threatening the safety and security of institutions and individuals who file such reports. Such disclosure of SARs compromises the essential role SARs play in protecting our financial system and in preventing and detecting financial crimes and terrorist financing. The success of the SAR reporting system depends upon the financial sector's confidence that these reports will be appropriately protected. Possible Civil and Criminal Penalties for Unauthorized SAR Disclosures The unauthorized disclosure of a SAR is a violation of federal law. 2 Both civil and criminal penalties may be imposed for SAR disclosure violations. Violations may be enforced through civil penalties 3 of up to $100,000 for each violation and criminal penalties 4 of up to $250,000 and/or imprisonment not to exceed five years. 5 In addition, financial institutions could be liable for civil money penalties resulting from anti-money laundering program deficiencies (i.e., internal controls, training, etc.) that led to the SAR disclosure. Such penalties could be up to $25,000 per day for each day the violation continues. 6 FinCEN is committed to working with regulatory agencies, law enforcement, SROs, and financial institutions to take appropriate action for unauthorized disclosures of SARs. Incidents involving possible unauthorized SAR disclosures are investigated, and appropriate action is taken for violations of the law. Guidance on Maintaining SAR Confidentiality FinCEN reminds financial institutions to be vigilant in maintaining the confidentiality of SARs. This includes ensuring all employees, agents, and individuals appropriately entrusted with information in a SAR are informed of the individual obligation to maintain SAR confidentiality. This obligation applies not only to the SAR itself, but also to information that would reveal the existence (or non-existence) of the SAR. Likewise, such persons should be informed of the consequences for failing to maintain such confidentiality, which could include civil and criminal penalties as explained herein. A financial institution may consider including such information as part of its ongoing training of all employees. Furthermore, financial institutions may want to remind their counsel of the strict requirements of SAR confidentiality. Additional risk-based measures to enhance the confidentiality of SARs could include, among other appropriate security measures, limiting access on a "need-to-know" basis, restricting areas for reviewing SARs, logging of access to SARs, using cover sheets for SARs or information that reveals the existence of a SAR, or providing electronic notices that highlight confidentiality concerns before a person may access or disseminate the information U.S.C. 5318(g)(2), 5321, and U.S.C and 31 CFR U.S.C and 31 CFR U.S.C. 5322(b) and 31 CFR (c) (Criminal penalties may increase if the violation is committed while violating another law of the United States or as part of a pattern of illegal activity) U.S.C. 5321(a)(1). Young & Associates, Inc. Page 62

67 If you or your institution becomes aware of an unauthorized disclosure of a SAR, or if your institution receives a subpoena or other request for a SAR from other than an authorized government authority or self-regulatory organization as defined in the applicable SAR regulations, you should immediately contact FinCEN's Office of Chief Counsel at (703) Additionally, an institution may be required to contact its primary federal regulator, as may be applicable in a corresponding SAR rule. Questions or comments regarding the contents of this Advisory should be addressed to the FinCEN Regulatory Helpline at Financial institutions wanting to report suspicious transactions that may relate to terrorist activity should call the Financial Institutions Toll-Free Hotline at (866) (7 days a week, 24 hours a day). The purpose of the hotline is to expedite the delivery of this information to law enforcement. Financial institutions should immediately report any imminent threat to local-area law enforcement officials. The SAR Form The following pages contain the current SAR report CFR (e), (e), (d), (e), (d), (e), and (e). Young & Associates, Inc. Page 63

68 Young & Associates, Inc. Page 64

69 Young & Associates, Inc. Page 65

70 Young & Associates, Inc. Page 66

71 Young & Associates, Inc. Page 67

72 Young & Associates, Inc. Page 68

73 Young & Associates, Inc. Page 69

74 Young & Associates, Inc. Page 70

75 Section 9: Customer Due Diligence [31 C.F.R ] Customer Due Diligence (CDD) Overview The foundation of strong BSA/AML programs is the implementation of complete CDD policies, procedures, and controls for all customers, particularly those that present a higher risk for money laundering and terrorist financing. The concept of CDD builds upon the CIP regulatory requirements for identifying and verifying a customer s identity. The goal of a CDD program is to develop an awareness of the unique financial details of the institution s customers and the ability to predict the type and frequency of transactions in which its customers are likely to engage. In this way, institutions can better identify, research, and report suspicious activity as required under BSA. Although customer due diligence is not required by statute or regulation, an effective CDD program is the framework that allows the institution to comply with regulatory requirements. Benefits of an Effective CDD Program An effective CDD program protects the reputation of the institution by: Preventing unusual or suspicious transactions that would expose the financial institution to loss or expense Helps the financial institution avoid criminal exposure by those who would use the financial institution for illegal activity Ensuring compliance with BSA regulations and holding to sound financial institution practices. Another way to realize the benefits of an effective CDD program is through the following: Using a customer risk rating system to allocate financial institution resources for monitoring purposes Focusing the majority of the financial institution s monitoring efforts on those customers that present the greatest risk Compliance with the BSA through a risk-based approach. CDD Program Guidance CDD programs should be tailored to each institution s BSA/AML risk profile; consequently, the scope of any CDD program will vary. Even though a small financial institution may have more frequent direct contact with customers than those at larger financial institutions, all financial institutions should adopt a CDD program. An effective CDD program should: Be in proportion to a financial institutions BSA/AML risk profile, Be clear in management s expectations and staff responsibility, and Young & Associates, Inc. Page 71

76 Establish monitoring systems and procedures to identify activity that is inconsistent for a customer s normal financial institution activity. Elements of a CDD Program While there is a great deal of flexibility allotted to financial institutions in devising an appropriate CDD program, all Know Your Customer programs should contain certain critical features, which are discussed below. Each program should also delineate acceptable documentation requirements and the due diligence procedures the financial institution will follow. The delineation of this information in the CDD program will ensure that the same standards are applied throughout the financial institution and will inform auditors and examiners of the financial institution s established standards for review of customer information. Minimum Steps for Compliance The following are the minimum steps the financial institutions should take in order to comply with the CDD expectations. Identify the Customer The USA PATRIOT Act, Section 326 made a provision part of the law to identify the true identity of a customer. The rule for customer identification was discussed earlier in this manual. Determine the Source of Funds The CDD program should provide a system for determining the source of a customer s funds. The amount of information needed to do this can depend on the type of customer in question. As an example, if a retail financial institution customer maintains demand deposit accounts funded primarily from payroll deposits, it should be a relatively simple task to identify and document the source of funds as payroll deposits. On the other hand, a more detailed analysis, with a more extensive documentation process, would be required for high net worth customers with multiple deposits from a variety of sources. For these reasons, among others, it may be beneficial for financial institutions to classify customers into varying categories, based on factors such as the types of accounts maintained, the types of transactions conducted, and the potential risk of illicit activities associated with such accounts and transactions. Financial institutions could then develop procedures to obtain necessary information and documentation based on the risk assessment for the various categories or classes established by a financial institution. Determine Normal and Expected Transactions The CDD program should provide a system for determining a customer s normal and expected transactions involving the financial institution. Without this information, a financial Young & Associates, Inc. Page 72

77 institution is unable to identify suspicious transactions. A financial institution s understanding of a customer s normal and expected transactions should be based on information obtained both when an account is opened and during a reasonable period of time afterward. It also should be based on normal transactions for similarly situated customers. Monitor the Account Transactions The CDD program should provide a system for monitoring, on an ongoing basis, the transactions conducted by customers and identifying transactions that are inconsistent with the normal and expected transactions for particular customers or for customers in the same or similar categories or classes. The examiners do not require that every transaction of every customer be reviewed. Rather, they do expect a financial institution to develop a monitoring system that is appropriate for the risks presented by the accounts maintained at that financial institution. In designing a monitoring system, a financial institution may choose to classify accounts into various categories based on factors such as the type and size of account; the types, number, and size of transactions conducted in the account; and the risk of illicit activity associated with the account. For certain classes or categories of accounts, it would be sufficient for an effective monitoring system to establish parameters for which the transactions within these accounts will normally occur. Rather than monitoring each transaction, an effective monitoring system could entail monitoring only for those transactions that exceed the established parameters for that particular class or category of accounts. For other categories or classes of accounts, such as private banking accounts, it may be necessary to monitor each significant transaction. Determine If the Transaction Should Be Reported Once a transaction is identified as inconsistent with normal and expected transactions, the financial institution must determine if the transaction warrants the filing of a Suspicious Activity Report. In identifying reportable transactions, a financial institution should not conclude that every transaction that falls outside what is expected for a given customer should be reported. Rather, a financial institution should focus on patterns of inconsistent transactions and isolated transactions that present risk factors that warrant further review. Customer Risk As observed in the risk assessment portion of this manual, a financial institution is expected to identify and understand its money laundering and terrorist financing risks of the financial institution s customer base. The most efficient method to understand the ongoing risks is to obtain appropriate and relevant information at account opening. Such information should be sufficient enough to allow the financial institution to develop an understanding of normal and expected activity for the customer s occupation or business operations. This is best illustrated in Appendix K of the Exam Manual, which focuses on the relationship between the type of customer and the level of suggested/expected due diligence. Young & Associates, Inc. Page 73

78 Assessing Risk In general, customers may pose low-risk or high-risk or some combination in between. Examples of low risk (routine or usual accounts) include: Low aggregate balances Low volume of activity Household accounts Most retail passbook savings/checking accounts Accounts for minors Examples of higher-risk accounts or activities includes: Large balances High volume of activity Frequent or excessive funds transfers Frequent or excessive large cash transactions Personal Accounts. When opening personal accounts, financial institutions may want to consider the following: Location of residence Follow-up calls Source of funds (especially large sums of cash) For larger accounts, prior financial institution references are recommended Checking with service bureaus (i.e., ChexSystems) Business Accounts: In addition, consider the following when opening business accounts, as applicable: Evidence of customer s legal status Article of incorporation, partnership agreement, etc. Certificate of Good Standing with state Business license Check with reporting agency (i.e., Dunn & Bradstreet, etc.) Prior financial institution references Follow-up calls and on-site visits Source of funds Description of line of business Young & Associates, Inc. Page 74

79 For larger accounts: Financial statements Listing of major suppliers, customers, and geographic locations Description of business s primary trade area Whether international transactions are expected Description of business operations (i.e., retail vs. wholesale) Anticipated volume of cash activity High-Risk Products and Services While a financial institution may have additional high risk products and services, three forms of possible high-risk products or services are presented here: Wire transfer/international Correspondent Bank Accounts Private Banking Relationships, and Electronic Banking Wire Transfer/International Correspondent Bank Accounts. When dealing with wire transfers or international accounts, financial institutions should consider the following factors: Account purpose Location of foreign bank, if applicable Nature of banking license of correspondent bank Correspondent s AML program Prevention controls Extent of banking regulation enforced in the foreign country For our typical domestic based customers, wire transfer activity can pose an issue if the purpose or frequency of the funds transfer activity is not reasonable for the type of customer or the customer s business. Therefore, it is important to determine the level of any funds transfer activity of a prospective customer at the time of account opening and continually monitor such activity to ensure that it falls in line with the original expectations. One simple method to accomplish this objective is to inquire at account opening the following: Does the customer perform funds transfers? What will be the expected frequency and amounts of such transfers? Does the customer deal with international suppliers or customers? Obtain a list of such suppliers and customers Ensure that none appear on any sanctioned lists (i.e., OFAC) Young & Associates, Inc. Page 75

80 Does the customer deposit currency and then subsequently wire funds out of the financial institution on a regular basis? Depending on the answers to the above, there may be some initial high-risk concerns by the financial institution if the customer is dealing in a high level of funds transfer activity, especially on an international basis. Private Banking Relationships. Private banking is generally considered the personal or discreet offering of a wide variety of financial services and products to the affluent market. It can involve customers as individuals, commercial businesses, law firms, investment advisors, trusts, etc. Proper due diligence when opening private banking accounts goes beyond the normal procedures or controls employed with a financial institution s typical retail customer base. Items to consider when opening private banking accounts includes: Confirming references Background checks Determining the source of the client s wealth, needs and expected transactions Electronic Banking. Electronic banking is a broad term that encompasses a variety of delivery channels: telephone banking, Internet banking, PC-base banking, ATMs and ACHs. In today s environment, electronic banking is becoming more and more popular given our hectic lifestyles. While most customers that utilize electronic banking channels to conduct transactions do so in a legitimate manner, the mere existence of such channels has raised concerns by the regulators. In general, electronic banking is vulnerable to money laundering and terrorist financing due to user anonymity, rapid transaction speed and its wide geographic availability. When offering electronic banking channels, financial institutions should consider the following: Customer s proximity to the financial institution s branches Requirement for the customer to initiate electronic banking services on-site at the financial institution Review of customer s transactions and expected transactions High-Risk Customers Financial institutions are expected to develop a high-risk customer list from their customer base. While included in Section 2 of this manual, the following is reproduced as a reminder of those types of entities that are considered as possessing a higher degree of risk: Cash intensive businesses such as convenience stores, restaurants, retail stores, liquor stores, cigarette distributors, privately owned ATMs, vending machine operators and parking garages Pawn brokers Purchasers or sellers of any type of motor vehicle, vessel, aircraft, farm equipment or mobile home Auctioneering Chartering or operation of ships, buses or aircraft Young & Associates, Inc. Page 76

81 Gaming of any kind Trade unions Title insurance operations and real estate closing Professional service providers such as doctors, attorneys, accounts and real estate brokers Non-governmental organizations and charities Non-bank financial institutions, which would include money service businesses (MSB), casino and card clubs, brokers/dealers in securities, and dealers in precious metals, stones and jewels Senior political figures, their immediate families and close associates (PEPs) Non-resident aliens and accounts of foreign individuals Foreign corporations maintaining transactions accounts, offshore corporations, and international business corporations located in high-risk geographic areas Deposit brokers (including foreign brokers) Foreign financial institutions, including financial institutions and foreign money service providers Once identified, the financial institution can determine which customers are conducting transactions and/or using services of the financial institution that would warrant remaining on a high-risk list and necessitate further monitoring. High-Risk Geographic Locations Identifying high-risk geographic locations is essential to a financial institution s anti-money laundering program. A condensed reminder of those available resources of high-risk geographic locations is as follows: Jurisdiction identified by intergovernmental organizations (e.g., FATF) Countries/jurisdictions identified by the US Department of State s International Narcotics Control Strategy Report (INCSR) Geographies identified by OFAC Jurisdictions designated by the Secretary of the Treasury as being primary money concern as authorized by the USA Patriot Act Jurisdictions identified by financial institution management Risk Codes A customer risk rating system should be developed before a financial institution may begin assigning risk ratings to its customers. Risk rating systems can range from the most simplistic Young & Associates, Inc. Page 77

82 to highly sophisticated. Given the wide variety of financial institution sizes, types, customer bases and locations, there is no one perfect method for every financial institution. Agreeing on a risk rating system or model might be considered simple when compared to the daunting task of assigning a rating to all existing customers. The following will discuss a logical approach to initiate the process and establish benchmarks that can be used for existing and new customers. It is important to note that, when assigning risk ratings to specific customers, the financial institution must be cognizant that the various risk factors can interrelate. For example, a customer that might utilize a higher risk service may not result in a high-risk rating for that particular customer. The customer s profile should be considered in such situations. When assessing the existing customer base, the above risk rating code sample (or similar) should be referenced as ratings are assigned. The assignment of responsibility to assign risk ratings is integral in a financial institution s overall CDD process. An effective risk rating process will have checks and balances, and allow for modification over time. Each institution will need to find a process that works best; however, the following are offered as suggestions in its development: Initial risk rating options o Developing a comprehensive, user-friendly account opening form used by line staff, which guides staff on assigning initial ratings o Deferring the risk rating process to select individuals within the institution Risk rating adjustments allowing for a post-review of risk ratings to assure that the rating system is properly employed Account closure allowing for authority to close an account relationship should the risk rating prompt such action Modifications to system allowing for adjustments to the risk rating system, as necessary Step One: High-Risk Types. Begin the process by identifying those existing customers that fall into any of the customer type categories identified by regulators as high-risk. While this process can take time when reviewing a financial institution s existing customer database, it can be broken down into manageable pieces to expedite the process. For example, customers can be grouped into account types and assigned to designated staff to complete the assessment. The analysis of customers geographic locations may present a problem since it is impractical to assess each and every customer s address, as compared to the listing of regulator-defined highrisk areas. A more practical approach is to first determine if any of the customer base resides, overlaps, or is adjacent to such areas. If the financial institution is located nowhere near such areas, then this part of the assessment should be minimal. As part of the high-risk type analysis, the reviewer should identify any customers that engage in a business that is not eligible for a Phase II exemption. Step Two: Suspicious Activity. Next, financial institutions should identify any customers where suspicious activity reports (SARs) have been considered or filed in the past. Care should be taken on the final risk rating category assigned for these customers so that the risk rating does not readily highlight the fact that an SAR has been filed, since this information is to remain confidential. When bringing an assessment up-to-date, the reviewer might consider reviewing those instances where an SAR was filed or considered within a predefined time frame, Young & Associates, Inc. Page 78

83 such as during the most recent 12 months. Financial institutions with effective suspicious activity monitoring programs should be able to rely on these procedures to readily identify those individuals of particular concern. Step Three: High-Risk Products/Services. As a result of the financial institution products or services that have been identified as possessing a higher risk (which will be discussed in the next section,) financial institutions should next create a listing of the customers that utilize such products or services. This list of customers should then be cross-referenced with the other high-risk areas (i.e., customer type and geographic location). Step Four: Customer Activity. Financial institutions are afforded with a wealth of customer activity records. These records, including cash activity, can provide a significant amount of information about a customer s profile. Subject to system limitations, financial institutions should utilize their databases to identify the following: Cash Activity. Customers that routinely engage in large currency transactions. The minimum thresholds for cash activity should be below the regulatory reporting amount of $10,000. In today s financial institution environment, many financial institutions already track cash activity that is above $3,000 (or similar) to assist in their CTR reporting process and suspicious activity monitoring programs. As part of this process, financial institutions need to become familiar with a customer s usual activity. If a wage earner customer (i.e., someone whose income is reported on a W-2) has frequent cash activity, then the financial institution needs to determine the source of the funds. While many financial institutioners may be uncomfortable asking for customer explanations, the financial institution must, by whatever method, determine if the cash activity is normal or unusual. Monetary Instrument Purchases. The regulations require financial institutions to record any sales of monetary instruments involving currency of $3,000 to $10,000, inclusive. These records, when reviewed periodically, can provide the financial institution with insight concerning any suspicious activity. Such records should be reviewed during the risk rating process to determine if any customers are frequently purchasing such instruments without any reasonable or legitimate purpose. A subset of this review might include reviewing where the instruments are cashed (i.e., in a foreign country) to determine if the risks need to be elevated. Funds Transfers. Since financial institutions are required to record certain information about persons that originate or receive funds through the wire system involving amounts of $3,000 or more, these records can be used to identify customers or persons that conduct frequent transactions without any reasonable or legitimate purpose. These records should already be incorporated into an ongoing review by a financial institution s BSA officer or designee, which serves to determine whether frequent funds transfers by a particular customer meet his/her risk profile. Step Five: Customer Location. A review should be performed to identify any customers that reside outside of the financial institution s predefined market area. It should be noted that some of these customers may not pose higher risks, but rather have relocated or have family connections to the market area. Customers that do fall into this category with no ascertainable reason to maintain an account at the financial institution require further evaluation. In addition, customers that are classified as non-u.s. persons will need to be identified. Young & Associates, Inc. Page 79

84 Step Six: CIP Concerns. Finally, the reviewer shall identify those customers that have recently opened a customer relationship but have not fulfilled the financial institution s CIP requirements. Ideally, a designated person or department within the financial institution should be tracking such customers on an ongoing basis. Any customers that have failed to provide either identity or verification information should be flagged to allow the institution to track the fulfillment of CIP requirements. Depending on the financial institution s written CIP, eventually the financial institution should take appropriate action when CIP requirements are not met. Monitoring Once the customer base has been risk rated, the process of ongoing monitoring begins. Depending on each financial institution s resources, the level of available reports and/or tools will vary. However, even the smallest of institutions shall have methods employed to assess customer risks on an ongoing basis. In the simplest of examples, higher risk rated customers should be monitored more frequently than the low-risk customers. In addition, the types of monitoring reports for high-risk customers will likely contain transaction or customer profile specific parameters. For example, cash activity for one risk rated customers might be monitored for any cash activity of $3,000 and greater each business day. In addition, these same customers might be monitored for cash activity exceeding specific amounts over a designated time period (i.e., cash activity of $15,000 or more in a seven-day period). When developing such monitoring methods, financial institutions must first be cognizant of its higher risk customers and the tools available to effectively monitor the accounts. Not every financial institution will be expected to spend large sums of money or resources to implement such methods, but the methods should be commensurate with its overall risks. Young & Associates, Inc. Page 80

85 Section 10: Foreign Financial Accounts [31 C.F.R. 31 C.F.R , & ] Young & Associates, Inc. Page 81

86 Young & Associates, Inc. Page 82

87 Young & Associates, Inc. Page 83

88 Young & Associates, Inc. Page 84

89 Young & Associates, Inc. Page 85

90 Young & Associates, Inc. Page 86

91 Young & Associates, Inc. Page 87