Agenda
- Definitions
- AML/BSA Risks
- Assess Your Risks
- Identify the Risks
- Mitigate the Risks
- Scenario
- Questions?

BSA: Bank Secrecy Act
Also known as the Currency and Foreign Transactions Reporting Act, the BSA is legislation passed by the United States Congress in 1970 that requires U.S. financial institutions to collaborate with the U.S. government in cases of suspected money laundering and fraud. The purpose of the BSA, aside from making money laundering more difficult to propagate, is to prevent banks from becoming unknowing intermediaries in illicit activity.

AML: Anti-Money Laundering
Legal controls that require financial institutions and other regulated entities to prevent or report money laundering activities. Anti-money laundering guidelines came into prominence globally after the September 11, 2001 attacks and the subsequent enactment of the USA Patriot Act.

Money Laundering
The practice of processing ill-gotten gains, or dirty money, through a series of transactions.

Money is cleaned through a series of transactions
This is generally accomplished through three steps:
- Placement: Introducing unlawful proceeds into the financial system without attracting attention
  - Structuring deposits by dividing large amounts of currency into small amounts in an effort to avoid detection
- Layering: Moving funds around the financial system to create confusion and complicate the paper trail
  - Wiring funds through numerous accounts through one or more financial institutions
- Integration: Creating the appearance of legality through additional transactions
  - Purchasing real estate or other assets with the funds

- The best of the bad guys are often sophisticated in their knowledge of the financial system and the regulations put in place for anti-money laundering
- Money laundering often occurs within the context of a legitimate business front, putting the dirty money into the payment system to clean it

Payment System
- Can be any system that facilitates payments between individuals or businesses
- Electronic payment systems
  - ACH
  - Wire Transfers
  - Third-Party Processors

The use of the ACH network has grown substantially over the last several years due to the increased volume of electronic check conversion and one-time ACH debits. The ACH network was designed to transfer high-volume, low-dollar domestic transactions, which overall pose lower AML/BSA risks. Today, however, the ACH system has become a robust payment mechanism with the ability to facilitate high-dollar and international transactions, in addition to traditional domestic ACH transactions.

Due to the increase in ACH activity as well as the increased BSA/AML risk, the FFIEC BSA/AML Examination Manual has outlined several risk factors of which financial institutions should be aware:
- Accounts opened without face-to-face contact (i.e. internet) which allow immediate ACH transaction capabilities
- ACH transactions that are originated through a third-party service provider when the originator is not a direct customer of the ODFI
- Certain transactions initiated electronically (i.e. WEB, TEL) may be susceptible to manipulation and fraudulent use

Certain transactions initiated electronically (i.e. WEB, TEL) may be susceptible to manipulation and fraudulent use
- Potential for misrepresenting identity and anonymity
- Higher transaction volume, types, and sizes may be easier to hide

Certain practices associated with how the financial industry processes ACH transactions may expose financial institutions to BSA/AML risks:
- An ODFI authorizing an originator or third-party sender to send ACH files directly to the ACH Operator (Direct Access), in essence bypassing the ODFI
- ODFIs and RDFIs relying on each other to perform adequate due diligence on their customers
- Batch processing that obscures the identities of originators
- Lack of sharing of information on or about originators and receivers, therefore inhibiting a financial institution's ability to appropriately assess and manage the risk associated with the correspondent and ACH processing operations, monitor for suspicious activity, and screen for OFAC compliance

Conduct a formal risk assessment (as part of your BSA Risk Assessment and ACH Risk Assessment)
- Consider Your Risks
  - Assess each product offered
  - Assess each service offered
  - Types of customers served
  - Geographic location
- Know your Customers
  - Gain sufficient knowledge of your customers to establish expectations
  - Know your customers' lines of business
  - Compare similar customers' activity

- Identify the higher risk transaction types (WEB, TEL, IAT)
- Identify the higher risk activities (online payment processors, certain credit-repair services, third-party telemarketing companies, offshore businesses, payday lending, and adult entertainment)
- Identify any perceived risks
- Include all business lines and their input

- Electronic Funds Payment Services
  - Prepaid cards or payroll cards
- Funds Transfers
  - Domestic and international
- Third-Party Payment Processor Transactions
- Automated Clearing House (ACH) Transactions
- Automated Teller Machines (ATM)
  - Privately owned ATMs
  - Nearly any individual or business can utilize an ATM connected to a financial system
  - Bank should scrutinize activity, volume, type, trends, etc.
- Money Services Businesses (MSBs)
  - Check cashers
  - Money transmitters

ODFIs must also be aware of IAT activity and evaluate the activity using a risk-based approach. There is a potentially higher risk exposure in IATs, which should be considered at length by banks through ACH policies, procedures, and processes. As noted in the FFIEC BSA/AML Exam Manual, financial institutions should consider the following when processing IATs:

- Customers and transaction types and volumes
- Third-party payment processor relationships
- Responsibilities, obligations, and risk of becoming a Gateway Operator
- CIP, CDD, and EDD standards and practices
- Suspicious activity monitoring and reporting practices
- Appropriate MIS, including the potential necessity for systems upgrades or changes
- Processing procedures (i.e. identifying and handling IATs, resolving OFAC hits, and handling noncompliant and rejected messages)
- Training programs for appropriate bank personnel
- Legal agreements with customers, third-party processors, and vendors, and whether those agreements need to be upgraded or modified

The broad answer is to implement appropriate BSA/AML policies, procedures, and processes to monitor and identify unusual activity associated with ACH transactions
- Adopt a strong CDD program for traditional ACH customers
- Review ACH reports or logs
- Analyze origination trends and volumes
- Consider whether activity is consistent with the Originator's line of business in comparison to other similarly situated Originators

- Perform CDD on all third-party service providers (TPSP), and consider CDD on the principals associated with the TPSP and its originators
- If heavy reliance is placed on a TPSP to report suspicious activity, periodic reviews of the TPSP's AML monitoring program might be warranted
- A comprehensive contract should be in place with the TPSP addressing and delineating the BSA/AML responsibilities of all parties to the contract
- Implement a procedure to cease or restrict the facilitation of ACH transactions for originators with unexplained and/or unusual ACH activity

Educate Customers
- Consider periodic visits with your ACH Originators to make certain they have adopted safeguarding techniques for their login/password and authentication information.

The final documentation of your assessment can take many forms
- Narrative
- Matrix
- Narrative and matrix combination (preferred)
Determine a periodic review process
- Annually
- Semi-annually
- As changes within the program are recognized

- Structuring
- High ACH or funds transfer volume
- Significant changes
- High activity with low account balances
- Activity inconsistent with normal activity
- Difficulty verifying ID or other account opening issues

Corporate Account Takeover
The login credentials of a small business customer at a community bank were compromised, most likely by a hacker using malware. The fraudster logged into the account on Day #1 and got oriented with the account and ACH privileges; the fraudster even modified a pending ACH transaction. On Day #2, the fraudster executed 16 separate ACH debits, all under $9,000, to stay undetected. The total withdrawal was over $142,000.

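The scenario above, with many same-day debits each kept under $9,000 on an account whose normal volume is far lower, is a pattern that a review of ACH origination logs can surface. The following Python is an added example, not part of the original presentation; the log layout, account names, amounts, and every threshold (ceiling, band, minimum count, volume multiple) are assumptions chosen for illustration.

```python
from collections import defaultdict
from datetime import date
from decimal import Decimal

# Constructed ACH origination log: (settlement date, originator account, debit amount).
# Account names, dates and amounts are invented; 16 x $8,900 mirrors the scenario's shape.
SAMPLE_LOG = (
    [(date(2024, 3, 4), "ACME-OPS", Decimal("1250.00")),
     (date(2024, 3, 5), "ACME-OPS", Decimal("980.00")),
     (date(2024, 3, 6), "ACME-OPS", Decimal("1100.00")),
     (date(2024, 3, 7), "BAKERY-01", Decimal("400.00"))]
    + [(date(2024, 3, 7), "ACME-OPS", Decimal("8900.00"))] * 16
)


def flag_structured_bursts(log, ceiling=Decimal("9000"), band=Decimal("0.25"),
                           min_count=5, volume_multiple=5):
    """Flag account-days with many debits just under `ceiling` whose total
    is far above that account's earlier daily average (all thresholds assumed)."""
    daily = defaultdict(list)
    for day, account, amount in log:
        daily[(account, day)].append(amount)

    floor = ceiling * (1 - band)  # lower edge of the "just under the ceiling" band
    alerts = []
    for (account, day), amounts in sorted(daily.items()):
        near = [a for a in amounts if floor <= a < ceiling]
        if len(near) < min_count:
            continue  # too few just-under-ceiling items to look like structuring
        # Baseline: average daily total for this account on earlier days.
        prior = [sum(v) for (acct, d), v in daily.items()
                 if acct == account and d < day]
        baseline = sum(prior) / len(prior) if prior else Decimal("0")
        total = sum(amounts)
        # An account with no history is flagged too, in line with the risk of
        # newly opened accounts that have immediate ACH capability.
        if not prior or total >= baseline * volume_multiple:
            alerts.append({"account": account, "day": day, "count": len(near),
                           "total": total, "baseline": baseline})
    return alerts


if __name__ == "__main__":
    for alert in flag_structured_bursts(SAMPLE_LOG):
        print(alert)
```

An originator that legitimately sends the same batch every day is flagged only on its first day in the log, because later days match its own baseline; that is the comparison against expected activity that the CDD steps above call for.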