Preparing for Your BSA Compliance Exams
Ted Dreyer, Senior Attorney, Wolters Kluwer

Scoping And Planning of Exam
- BSA/AML Examination Manual
- Overview
- Examination procedures

First thing on list: Previous Criticism
- Review prior reports
- Review management response to identified issues

Risk Assessment
- Should form basis of program
- Does it include all products, services, customers and areas?
- Update for new risk areas
- Process for updating
- Detailed information in Risk Assessment section of Manual
- New CSBS Tool

Compliance Program
- Four pillars or is it five now?
- Pillar violations are treated more severely
- Manual has detailed information on each pillar
- Documentation appropriate and updated
- System of reporting to Board on BSA Compliance

Avoiding Systemic or Recurring Problems
- Treated more harshly
- Systemic violations involve a substantial number of issues and are the result of ineffective systems or controls
- Recurring violations involve repeated failures to correct same or similar issues
- Isolated or Technical Violations
- Difference is pattern or practice of noncompliance

Avoiding Systemic or Recurring Problems
- Recent FinCEN Enforcement Action Number 2017-02
- $7 million CMP on Community Bank with $64 million in assets
- Violations of previous consent orders
- Failed to have adequate AML Program, conduct due diligence on foreign correspondent accounts and detect and report suspicious activity

Trend Towards Personal Liability
- FDIC Enforcement Action
- President/CEO/BSA Officer of $37 Million Bank
- Failed to file timely SARs
- CMP $35,000 with no indemnification
- Periodic Training requirements
- Guidance on Payment Processors: FIL-41-2014, July 28, 2014

CDD as New Fifth Pillar
- Four Core Elements of CDD Should be Explicit Requirements of Program:
  - Customer Identification and Verification;
  - Beneficial Ownership Identification and Verification;
  - Understanding Nature and Purpose of Customer Relationships to Develop a Customer Risk Profile; and
  - Ongoing Monitoring for Reporting Suspicious Transactions and Risk-Based Maintaining and Updating of Customer Information

CDD on Beneficial Owners
The Financial Crimes Enforcement Network (FinCEN) has issued a final regulation to require financial institutions to do due diligence on the beneficial owners of legal entities. The rule covers financial institutions subject to Customer Identification Program (CIP) requirements.

CDD on Beneficial Owners
An Account means a formal banking relationship established to provide or engage in services, dealings, or other financial transactions including:
- a deposit account,
- a safety deposit box lease,
- a credit account,
- loans, or other extensions of credit.
It does not include check-cashing, wire transfer, or sale of a check or money order; or an account opened for participating in an employee benefit plan established under ERISA.

CDD on Beneficial Owners
The term Legal entity customer would include:
- corporations and limited liability companies,
- limited partnerships,
- business trusts that are created by a filing with a state office,
- any other entity created in this manner, and
- general partnerships.
It would also include similar entities formed under the laws of other countries.

CDD on Beneficial Owners
A Legal entity customer would not include:
- sole proprietorships or unincorporated associations, even if they file with the Secretary of State in order to, for example, register a trade name or establish a tax account;
- natural persons opening accounts on their own behalf; or
- non-business trusts.
These requirements are triggered whenever a new Account is opened on behalf of a Legal entity customer.

CDD on Beneficial Owners
When the requirements are triggered, the institution must collect CIP information for each beneficial owner: name, physical address, date of birth, and social security number (for US persons) or other ID number (for non-US persons).

CDD on Beneficial Owners
The definition of beneficial owner is:
- each individual, if any, who directly or indirectly owns 25 percent of the equity interests of a legal entity customer (the ownership prong); and
- a single individual with significant responsibility to control, manage, or direct a legal entity customer, including an executive officer or senior manager or any other individual who regularly performs similar functions (the control prong).

CDD on Beneficial Owners
Financial institutions can satisfy this requirement through either:
- the use of FinCEN's Certification Form;
- the use of the financial institution's own forms, so long as they meet the requirements of the regulation; or
- any other means that satisfy the substantive requirements of the regulation.

CDD on Beneficial Owners
The certification of accuracy by the individual submitting the information may be obtained without use of the Certification Form in the same way the financial institution obtains other information from its customers in connection with its account opening procedures.
The new regulations become effective July 11, 2016, but compliance is not mandatory until May 11, 2018.

Certification of Beneficial Owners
I. GENERAL INSTRUCTIONS
What is this form?
To help the government fight financial crime, Federal regulation requires certain financial institutions to obtain, verify, and record information about the beneficial owners of legal entity customers. Legal entities can be abused to disguise involvement in terrorist financing, money laundering, tax evasion, corruption, fraud, and other financial crimes. Requiring the disclosure of key individuals who own or control a legal entity (i.e., the beneficial owners) helps law enforcement investigate and prosecute these crimes.
Who has to complete this form?
This form must be completed by the person opening a new account on behalf of a legal entity with any of the following U.S. financial institutions: (i) a bank or credit union; (ii) a broker or dealer in securities; (iii) a mutual fund; (iv) a futures commission merchant; or (v) an introducing broker in commodities.

FinCEN Website as a Resource
- Check for New Issuances
- FAQs on BSA Generally
- SARs
- CTRs
- Reporting Cyber-Events
- E-Filing

Guidance on Cyber-Events
- FAQs on Reporting of Cyber Events issued 10/25/16
- These supersede previous guidance from 2001 on computer intrusion
- Include cyber information even if not truly a cyber event
- Example: include available Internet Protocol (IP) addresses and accompanying time stamps associated with fraudulent wire transfers

Guidance on Cyber-Events
- When truly a cyber event, include all relevant and available information:
  - Type, magnitude and methodology of cyber event; and
  - Signatures and facts on network or system
- Specific SAR fields for IP Addresses (#44), website/URL addresses (19a) and Email addresses (#19)
- If no field, include in Narrative

Guidance on Cyber-Events
- Can use single cumulative SAR for numerous events, if:
  - Similar in nature and share common identifiers; or
  - Are believed to be related, connected or part of a scheme
- Report cyber event even if unsuccessful
- No new requirements for personnel, systems or knowledge
- Can use 314(b) to exchange information on cyber events

Guidance on Prepaid Cards
The banking regulators jointly issued final interagency guidance on March 21st clarifying how CIP requirements should be applied to prepaid cards. Since CIP only applies to accounts (meaning formal banking relationships similar to deposit accounts) and not to less formal relationships like the sale of a check or money order, the first step is determining whether a prepaid card is an account.

Guidance on Prepaid Cards
The guidance says that an account is created if a Customer has the ability to reload funds onto the prepaid card, or can access the prepaid card's credit or overdraft features. The next step is determining who the customer is. Depending on the nature of the prepaid card program, the Customer could be either the cardholder or a third party.

Guidance on Prepaid Cards
The guidance also addresses specialized cards:
- government benefit cards, in which the beneficiary is not a customer if only the government can add value;
- HSA accounts, in which the employee is considered the customer since they establish the account; and
- Flexible Spending accounts, in which the employer is the customer since they establish the account and add the value.

Guidance on Prepaid Cards
If you are involved with prepaid cards, you should review your CIP program in light of this guidance. The FDIC issued FIL-21-2016 and the OCC issued Bulletin 2016-10 to implement this guidance.

Questions?