ANTI-MONEY LAUNDERING IN THE ACQUIRING INDUSTRY Presented by Laura H. Goldzung, CAMS, CCFE, CFCF, CCRP AML Audit Services, LLC March 8, 2016
AGENDA AML Regulatory Overview OFAC Regulatory Overview AML & OFAC Risks Customer Risk: Merchant Types Due Diligence & Enhanced Due Diligence Independent Review / Gap Analysis Key Takeaways 3
AML REGULATORY OVERVIEW International AML-Related Regulations UN Convention Against Illicit Traffic in Narcotics and Psych. Drugs 1988 Financial Action Task Force 1989 Wolfsberg Group Egmont Group of Financial Intelligence Units U.S. AML-Related Regulations Bank Secrecy Act (BSA) USA PATRIOT Act Money Laundering Control Act Office of Foreign Assets Control (OFAC) State Licensing Requirements 4
HISTORY OF U.S. MONEY LAUNDERING LEGISLATION 1970 Bank Secrecy Act 1986 Money Laundering Control Act 1990 Financial Crimes Enforcement Network (FinCEN) 1992 Annunzio-Wylie AML Act 1994 Money Laundering Suppression Act 1996 Mandatory Suspicious Activity Reports (banks) 1998 Money Laundering and Financial Crimes Strategy Act 2001 USA PATRIOT Act; Title III International Money Laundering Abatement & Anti-Terrorist Financing Act of 2001 2004 Intelligence Reform & Terrorism Prevention Act of 2004 2006 Regulation K Enacted (for foreign banks with US branches)
MONEY LAUNDERING CONTROL ACT OF 1986 Title 18, US Code, Section 1956(a)(1) Four Elements of the Crime: Conduct, or Attempt to Conduct, a Financial Transaction With the Proceeds of a Specified Unlawful Activity Knowing, Suspecting or being Willfully Blind to the Fact that Funds were from Unlawful Activity With an Objective to: Promote a Specified Unlawful Activity Evade US Taxes Conceal or Disguise the Source Ownership / Nature of the Funds Avoid Federal or State Transaction Reporting Requirements Penalties: Up to 20 Years Incarceration and/or Fine of the Larger of Twice Amount of Funds Involved or $500,000 6
POLLING QUESTION What is your greatest OFAC challenge? 1. Not taken seriously in the organization 2. Understanding the requirements /insufficient training 3. Inconsistent processes 4. Unreliable tools for screening 5. Too many false-positives (potential matches) to clear out 7
OFFICE OF FOREIGN ASSETS & CONTROL OFAC OVERVIEW OFAC Financial intelligence and enforcement agency of the U.S. Department of the Treasury charged with planning and execution of economic and trade sanction in support of US national security and foreign policy objectives. OFAC s Role Administers and enforces economic and trade sanctions against foreign governments and government officials and persons and entities identified on the SDN List as terrorists, drug traffickers, etc. SDN List Specially Designated Nationals and Blocked Persons List identifies more than 6,000 foreign nationals with whom transactions are prohibited; more than 50 in U.S. 8
OFAC: ECONOMIC SANCTIONS Sanctions are a government s legislative measures against designated persons, certain transactions, and countries to achieve policy objectives: Sanctions were incorporated as a tool of enforcement Economic sanctions are used by the U.S. government to prevent targeted countries, entities, and individuals from, among other things, accessing the U.S. financial system for purposes that are contrary to U.S. foreign policy and national security objectives Economic sanctions encompasses the deliberate, government-inspired withdrawal, or threat of withdrawal, of customary trade or financial relations 9
OFAC SANCTIONS PENALTIES & ENFORCEMENT: ENFORCEMENT RESPONSES Criminal Referral Civil Penalty Types of Responses Finding of Violation Cautionary Letter No Action 10
RECENT PENALTY ACTION: PAYPAL March 2015 Self-Disclosed Violations Settlement Agreement $7M Failing to implement an effective compliance program to identify, interdict, and prevent transactions in apparent violation of the sanctions programs administered by OFAC 2009-2013 processed over 100 transactions ($7,000) to/from account registered to subject on SDN list Automated interdiction filter did not identify subject When it did, the Operations Agents dismissed alerts on 6 occasions without properly clearing 11
POLLING QUESTION What is the most important AML risk factor to consider when assessing risk? 1. Customers 2. Products / Services 3. Geographies 4. Operational 12
WHO PRESENTS THE GREATEST RISKS? Who s in your portfolio? Are you one step removed from money laundering? Merchant types that present risk Are they limited to real estate industry, gems traders and jewelers, professional services, limos, charities & NFPs, FX Dealers, MSBs? Other Industries Beneficial Owners Counterparties / Intermediaries 13
RISK CHARACTERISTICS Customer Characteristics Customers characteristics provide useful information to identify who poses higher risks to your institution Geographic characteristics Countries differ in the level of corruption seen as acceptable, in criminal activity, maturity of markets, and attractiveness for terrorists Product, services and market characteristics Size and types of transactions that we typically complete will help identify that is unusual or higher risk activity Relationship characteristics Your institutions relationship with the customer is critical to controlling risks Politically exposed persons Customers who conduct non face-to-face transactions Customers associated with organizations having complex legal structures and/or their economic purpose is not understood Customers associated with source of funds from high risk geographic centers Customers may reside in these markets, transfer money to/from these markets and/or do business in these markets Business may be conducted through countries identified as corrupt or tax havens Countries that are non-compliant with international AML efforts and are more likely to pose a risk to the institution The different types of products, services and channels offered by your institution have differing likelihoods of being used to generate or launder illegal funds or to channel terrorist finances Products and services providing more anonymity to customers should be reviewed for higher risk Factors such as length of time they have been a customer, or if their transactions have exhibited red flags for money laundering in the past, or if identification records are out of date, are important in evaluating risks Customer due diligence activities are important mitigating controls 14
POLLING QUESTION Who is your highest risk customer type? 1. Precious gems traders / jewelers 2. Charitable organizations 3. Money Services Businesses 4. Cash intensive businesses 15
PITFALLS IN ASSESSING RISK Insufficient mitigating controls Inadequate coverage of risk factors Inadequate coverage of high risk customers Inability to assess and monitor on a programwide basis Systemic risk may not be apparent in risk assessment approach 16
ANATOMY OF AN AML PROGRAM INDEPENDENT TESTING AML TRAINING COMPLIANCE OFFICER AML POLICIES, PROCEDURES & CONTROLS Know Your Customer Transaction Monitoring Report & Audit CIP/CDD & Verification Risk Rating & EDD Behavioral Analytics Watch Lists & EDD 360 View of Customer and Relationships Transaction Analysis Trend Analysis Pattern Analysis Investigative Support & Case Management Threshold Optimization RISK ASSESSMENT Government Reporting Management Reporting Regulatory Guidance Transaction Testing Program Administration and Improvement 17
AML COMPLIANCE PROGRAM ELEMENTS Four elements ( 4 Pillars) of a risk-based AML Program: Written AML policies and procedures Senior management s approval Tailored to risk presented by client base, nature of business, and geographic locations Customer Identification Requirements/Program Designation of AML Compliance Officer Qualifications and training Authority to enforce AML Program Ongoing Employee Training Minimal level of training to all employees Specific training for employees directly involved in high risk areas Document training provided (e.g., tracking, agendas, sign-in list) Independent Testing Frequency Qualified service provider 18
CUSTOMER DUE DILIGENCE (CDD) BSA/AML policies, procedures, and processes should include CDD guidelines that: Are commensurate with the FI s BSA/AML risk profile, paying particular attention to higher-risk customers. Contain a clear statement of management s overall expectations and establish specific staff responsibilities, including who is responsible for reviewing or approving changes to a customer s risk rating or profile, as applicable. Ensure that the FI possesses sufficient customer information to implement an effective suspicious activity monitoring system. Provide guidance for documenting analysis associated with the due diligence process, including guidance for resolving issues when insufficient or inaccurate information is obtained. Ensure the FI maintains current customer information. 19
CUSTOMER DUE DILIGENCE (CDD) Source: FFIEC Manual 20
POLLING QUESTION What constitutes periodic for purposes of performing EDD reviews? 1. Monthly 2. Quarterly 3. Semi-annually 4. Annually 5. As risk dictates 21
CDD: EDD: CUSTOMER DUE DILIGENCE (CDD) VS. ENHANCED DUE DILIGENCE (EDD) Verifies and validates the identifying information by corroborating information that would likely be known only by the person supplying the information Sets anticipated/expected activity levels based on information collected Assigns initial risk rating to customer Performed periodically for higher risk customer types and/or activities and/or geographies of where transactions take place May advance the risk rating based on actual activity or validate the risk score Augments automated transaction monitoring, i.e. flagged activity results in assessing customer 22
ENHANCED DUE DILIGENCE (EDD) Monitors transactions for changes in patterns and behavior Interview customer Purpose of transaction(s) Source of funds / use of funds documentation Internet Searches, website, social media Verify recipient with counterparties Engaging a third party to uncover additional information Gaining insights in the customer s customers Other banking relationships the customer maintains Identification of nominal and beneficial owners of accounts (private banking and/or international businesses) Other personal or business relationships the customer maintains Expected origination and destination of funds 23
MONITORING TRANSACTIONS All transactions should be subject to monitoring, but the extent, nature and frequency should be risk-based Ensure new products and services are incorporated into the monitoring process A one-size-fits-all approach is usually insufficient to identify unusual or suspicious activity Different levels of monitoring are applicable: Transaction level: type, code, date, amount Account level: account type such as checking, loan Customer level: aggregate transactions, TIN profile, unique customer number Household level: similar to customer level but for household Geographic level: driven by higher risk locations or unusual patterns in particular locations 24
MANAGING & FINE TUNING ALERTS Alerts Management: Time frames for conducting reviews (e.g., within 30 days of alert generation Prioritization and escalation of cases Documentation standards (supported reasoning of cleared alerts, use of case management system, etc.) Appropriate case management narratives includes the Five Ws Who conducted the activity? What instruments were used? Where did the activity occur? When did the activity occur? Why is the activity suspicious or not suspicious? Quality assurance procedures (secondary review of (% of) alerts/ cases, escalations to bank are tracked in log) 25
POLLING QUESTION What purpose does an independent review serve if we are not required to have one? 1. Gauges the effectiveness of the Program 2. Gives bank partners sense of overall risk 3. Provides independent view of effectiveness 4. Helps us to manage risk 26
ESCALATION PROCEDURES Escalating red flags and concerns of unusual activity should be spelled out in procedures: Analysts escalate to supervisor or compliance officer promptly and efficiently Compliance officer escalates significant and meaningful findings to management and/or committee Bank escalations are promptly referred according to agreed time frames and procedures Document all reviews, escalations, referrals 27
INDEPENDENT REVIEW / GAP ANALYSIS Key areas: Policies, procedures and controls (PPC) Risk assessment / risk models and scoring Governance & Oversight Compliance Officer and Compliance/Risk department Training (basic & tailored) Previous Independent testing report results Customer Due Diligence / Enhanced Due Diligence Transaction monitoring systems, alerts management Suspicious activity monitoring processes High risk customers/transactions definition, EDD, monitoring, escalations to bank partners OFAC SDN/Sanctions screening, tools, alerts management, reporting processes 28
KEY TAKEAWAYS 1. Ensure policies, procedures and processes provide effective controls to manage money laundering risk 2. Risk assessments: address any changes in customer activities including locations where they transact; utilize information about your customers / suppliers / partners; address OFAC risk factors 3. Test your OFAC screening process for gaps; test screening match escalation; address tools provide timely feed; ensure policy for persistent screening 4. Consider periodic independent risk model validation to verify effectiveness of detection alerts, prevention and identification of suspicious activity 5. Address suspicious activity with bank partners quickly 6. Consider independent review or gap analysis to ensure your program is effective 29
CONTACT INFORMATION Laura H. Goldzung, President & CEO AML Audit Services, LLC Toll Free: 800-870-8076 Office: 973-993-1843 info@amlauditservices.com AMLAudits 30