Anti-Money Laundering Association - PowerPoint PPT Presentation

Slides: 32
Provided by: KatieK154
Transcript and Presenter's Notes

Title: Anti-Money Laundering Association


1
The Unique Alternative to the Big Four
Anti-Money Laundering Association
Top 10 BSA Regulatory Trends, Expectations, and Emerging Issues
John Epperson, CAMS, CFE
2
Agenda
  • Overview of BSA Regulatory Environment
  • Top 10 Regulatory Trends and Hot Topics
  • Customer Risk Identification and Methodologies
  • Beneficial Ownership
  • Tailored Enhanced Due Diligence
  • Administration of New Products and Services
  • System Validation
  • System Tuning
  • Electronic Banking Services
  • Stored Value Card Programs
  • Correspondent Banking Considerations (Cover
    Payments and Iranian Sanctions)
  • Independent Testing
  • Wrap up and Questions

3
BSA/AML Regulatory Environment
  • Overview of BSA/AML Regulatory Environment
  • Still an area of increased regulatory emphasis
  • Tough economic environment is not deterring
    examiner focus on BSA program requirements
  • Evaluation less focused on blocking and
    tackling aspects of BSA compliance
  • Penalties, written agreements, board resolutions,
    etc. still occurring
  • Requirements that were once big bank focus are
    now being seen in the community bank environment
  • Shifting of BSA/AML examination resources
  • Leveraged examination model
  • Technology implementation an industry norm
  • Trends in regulatory hot buttons are becoming
    more apparent

4
Customer Risk Identification and Methodologies
  • General Requirement
  • Financial institutions should have processes and
    procedures in place to identify accounts that may
    pose a higher level of BSA/AML risk to the
    institution
  • Regulatory Focus
  • Use of software for identification of high risk
    accounts
  • Are the risk scores commensurate with the Bank's
    BSA/AML Risk Assessment?
  • Product/Services, Customer Types, Geographic
    Risks, and Product Risks
  • Stratifying customer types and services
  • Peer Group Considerations: dba, defining peer
    groups
  • Adequacy in monitoring deviations from KYC/CDD or
    historical activity

5
Customer Risk Identification and Methodologies
  • Frequency and dynamics of re-scoring
  • How often are customers risk scored? What if they
    are reported as high risk during one period, and
    in another period are not?
  • Ensuring the frequency is consistent with
    transactional look-back
  • System cutoffs
  • Transitions from manual to automated monitoring
  • Auto High Risk Factors
  • Administration of Customer Risk Scoring
  • Changes to customer risk scores
  • Formalized processes and procedures
  • Approval
  • Tuning
  • Broader Focus to Tune customer risk scoring
    methodology
  • Qualitative and quantitative analysis to support
    reasonableness and adequacy of customer risk
    scoring methodology

6
Customer Risk Identification and Methodologies
  • Are customer risk ratings or risk factors
    utilized in determining whether potential unusual
    activity is alerted through transaction
    monitoring systems
  • Pros
  • May be beneficial to support on-going and
    enhanced due diligence for high risk
    relationships
  • May assist in the tuning of the effectiveness of
    established filtering parameters
  • Cons
  • Often complex: multiple variables to consider
  • Are we missing potential unusual activity?
  • Discussion on effective methods

7
Beneficial Ownership
  • On March 5, 2010 interagency guidance
    (FIN-2010-G001) was issued to clarify and
    consolidate existing regulatory expectations for
    obtaining beneficial ownership information for
    certain accounts and customers
  • Heightened risks with respect to beneficial
    owners of accounts as nominal account holders can
    enable individuals and business entities to
    conceal the identity of the true owner of assets
    or property
  • Establish and maintain CDD procedures to identify
    and verify the identity of beneficial owners of
    an account, as appropriate, based on the
    institution's evaluation of risk pertaining to an
    account
  • Customers acting as an agent or on behalf of
    another
  • Private Investment Companies (PIC)
  • Trusts, corporate entities, shell entities
  • Expanded and required elements for Private
    Banking Services and Correspondent Banking
    Relationships

8
Tailored Enhanced Due Diligence
  • General Requirements
  • Implementation of due diligence procedures,
    commensurate with the amount of perceived risk,
    for customers that pose a higher level of BSA/AML
    risk to the organization
  • Increased Area of Regulatory Focus
  • Are the due diligence procedures appropriate for
    mitigating BSA/AML risk
  • Frequency
  • Account level versus Customer level
  • Information included in analysis
  • Quality assurance processes
  • Are the due diligence procedures customized/
    tailored based on the customer type
  • NGOs/ Charities
  • NBFIs
  • MSBs
  • Privately Owned ATM Operators
  • PEPs
  • Third Party Payment Processors

9
Tailored Enhanced Due Diligence
  • Do EDD processes allow for holistic review of
    transactional activities occurring within an
    account?
  • Should allow for formalized and documented
    conclusion of processes to mitigate risks
    associated with a high risk account
  • Processes should allow for single customer view
  • Reasonableness evaluation
  • Money Service Business cash analysis
  • ATM Ownership
  • May need to be supported through request of
    additional information such as financial
    statements and tax returns
  • More common to see aspects of EDD leveraged
    through account officers and lines of business
  • Systems utilized to manage these processes
  • Processes should allow for independent review
    with BSA department

10
Administration of New Products and Services
  • Financial institutions are finding themselves
    under regulatory scrutiny for poor administration
    of BSA controls related to new products and
    services
  • Framework for evaluation of new services
  • Key Administration Elements
  • BSA/AML Supervisory Committee
  • BSA new product service representation
  • Strong transaction code management structures
  • Administration of adequate Due Diligence and CIP
  • Online accounts
  • Stored value card features and programs
  • Non-Customer services
  • Unique arrangements with commercial accounts
  • Armored Car, Sub Accounts, Leasing, Financing
  • List Searching considerations
  • More common to see mandated look-backs other than
    just suspicious and unusual activity
  • CIP, CTR, Due Diligence collection

11
System Validation
  • General Requirements
  • Systems relied upon for BSA/AML compliance should
    be independently tested to confirm their accuracy
    and integrity
  • Why is this a Hot Button?
  • Leading attribute of major gaps in monitoring
  • Often noted attribute of look-backs,
    post-transaction review, etc
  • Difficult to do during a risk-based examination
  • What systems require validation?
  • Cash aggregation systems
  • Transaction monitoring systems
  • Automated customer risk scoring due diligence
  • List Searching Functionalities
  • Frequency

12
Transaction Monitoring System Validation
  • Outside the Box
  • What are the sources of transactions and customer
    data defining the testing universe?
  • Gap analysis to identify source systems,
    transaction points of entry and exit
  • Enterprise-wide monitoring solution
  • Risk Based Approach: What data feeds present the
    greatest level of risk to the institution?
  • Inside the Box
  • Are established thresholds functioning as
    intended?

13
Gap Analysis
Gap Analysis - Analysis of the information
currently captured and analyzed by the
transaction monitoring application. This
approach is largely accomplished through
interviews with the key BSA management team to
understand the objectives of the TM software and
management's understood capabilities of the
software.
14
Testing of Source Transactions
Testing of Source Transactions - Analysis and
testing of the interface between the software
and a selection of the Bank's core system
applications which will serve as source reports.
The purpose of these testing procedures is to
confirm that source transaction data reports were
correctly identifying intended transactions and
would serve as appropriate control reports.
15
Information System Testing
Information System Testing - Determine whether all
transactions, as identified in the Bank's core
systems, are accurately translated to the
transaction monitoring software. Reconcile all
key records between the Bank's source system
application reports and transaction monitoring
extract reports and individually review
reconciling items.
16
Validation of Parameters
Validation of Parameters - Testing of the various
system parameters utilized by the transaction
monitoring software. This process includes
selecting a sample of alert scenarios generated
from the Bank's TM application and completing
back testing procedures to confirm that the
selected alerts were accurately generated and
reported based on the stated rules and
parameters.
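
As an added illustration (not part of the original presentation), the reconciliation and back-testing steps described on slides 15 and 16 can be sketched in Python. The record layout, transaction codes, the same-day cash aggregation threshold and all sample records are constructed assumptions.

```python
from collections import defaultdict
from decimal import Decimal

# Constructed sample for one business day: (txn_id, account, tran_code, amount).
CORE = [  # control report from the core system (source of truth)
    ("T1", "A100", "CASH_DEP", Decimal("9500.00")),
    ("T2", "A100", "CASH_DEP", Decimal("800.00")),
    ("T3", "A200", "WIRE_OUT", Decimal("25000.00")),
    ("T4", "A300", "RDC_DEP", Decimal("4000.00")),   # code never mapped to TM
    ("T5", "A200", "CASH_DEP", Decimal("3000.00")),
    ("T6", "A400", "CASH_DEP", Decimal("12000.00")),
]
TM_EXTRACT = [  # what the transaction monitoring (TM) application received
    ("T1", "A100", "CASH_DEP", Decimal("9500.00")),
    ("T2", "A100", "CASH_DEP", Decimal("800.00")),
    ("T3", "A200", "WIRE_OUT", Decimal("2500.00")),  # amount damaged in the feed
    ("T5", "A200", "CASH_DEP", Decimal("3000.00")),
    ("T6", "A400", "CASH_DEP", Decimal("12000.00")),
]
TM_ALERTS = {"A100", "A200"}        # accounts the TM application alerted on
CASH_THRESHOLD = Decimal("10000")   # hypothetical same-day cash aggregation rule


def reconcile(core, extract):
    """Slide 15: list reconciling items between source report and TM extract."""
    src = {t[0]: t for t in core}
    tm = {t[0]: t for t in extract}
    shared = src.keys() & tm.keys()
    return {
        "missing_in_tm": sorted(src.keys() - tm.keys()),
        "unexpected_in_tm": sorted(tm.keys() - src.keys()),
        "field_mismatch": sorted(k for k in shared if src[k] != tm[k]),
        "control_total_diff": sum(t[3] for t in core) - sum(t[3] for t in extract),
    }


def back_test_cash_rule(core, alerts, threshold):
    """Slide 16: re-derive expected alerts from source data, compare to TM alerts."""
    totals = defaultdict(Decimal)
    for _txn_id, account, code, amount in core:
        if code == "CASH_DEP":
            totals[account] += amount
    expected = {acct for acct, total in totals.items() if total >= threshold}
    return {
        "missed": sorted(expected - alerts),        # rule should have fired
        "unexplained": sorted(alerts - expected),   # alert not supported by rule
    }


if __name__ == "__main__":
    print(reconcile(CORE, TM_EXTRACT))
    print(back_test_cash_rule(CORE, TM_ALERTS, CASH_THRESHOLD))
```

Each reconciling item (the unmapped RDC transaction, the damaged wire amount) and each back-test exception is what the slides call for reviewing individually.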
17
System Validation Summary
  • Not all systems will capture all activities
  • Design Limitations
  • Monetary Instruments, Stored Value Cards, ACH
    Origination, RDC Activities, Pouch, US Dollar
    Drafts
  • System/Processing Limitations
  • Information captured through existing processes
    but not adequately mapped within TM application
  • Quantify Risk Exposure to Known System
    Limitations
  • What are my controls to mitigate the risks of not
    capturing certain activities?
  • Employee referrals
  • Supplemental manual and ad hoc reports
  • Reasonableness of over reporting scenarios
  • Limited exposure
  • Documenting a system validation risk assessment

18
Ongoing Administration of System Application
  • Balancing Reasonableness Test for key
    transactional data
  • Risk Based approach
  • Establishment of tolerance thresholds based on
    types and risks of activities
  • Transaction Code Management
  • BSA Management apprised of additions, deletions,
    or consolidation of transaction codes
  • New Product and Services
  • Cited as one of the most common issues

19
System Tuning
  • What systems are subject to tuning?
  • Primarily, any automated transaction monitoring
    system; however, generally applies to all
    suspicious and unusual monitoring techniques as
    well as customer risk identification processes
  • General Requirements
  • No two institutions are the same and therefore,
    no two filters/ monitoring programs should be the
    same
  • Applications with off the shelf reporting
    scenarios are top on regulators' lists
  • Commonly cited in examination reports

20
System Tuning and Optimization
  • How do I tune my system?
  • Metrics
  • Alerts to qualified investigations
  • Alerting filters to SAR filings
  • Red Flag Guidance Coverage Assessment
  • Mapping of monitoring techniques to various money
    laundering red flag publications
  • Bank's Risk Assessment
  • Mapping of monitoring techniques to risk factors
    identified in bank-wide BSA/AML Risk Assessment
  • Peer groups and deviations
  • Systems with self-tuning functionalities and
    multiple variables
  • Customer level tuning

21
Electronic Banking Services
  • Increasing number of institutions offering wide
    array of innovative e-banking solutions
  • Regulatory Focus
  • Recently cited cases whereby e-banking services
    utilized as conduits of money laundering and
    financial crime
  • Substantial losses impact safety and soundness
  • BSA Examinations increasingly focused on line of
    business risk management practices
  • Increased areas of focus
  • Automated Clearing House (ACH)
  • IAT monitoring
  • List searching
  • Suspicious and Unusual monitoring
  • Returned Item Monitoring
  • Excessive returns as revoked and unauthorized
  • Impact of client risk rating

22
Electronic Banking Services
  • Increased areas of focus
  • Third Party Payment Processors and ACH
    Origination
  • Due Diligence on counterparties
  • BSA/AML and OFAC responsibilities
  • SAS 70 Review
  • On-going site visits
  • Ongoing evaluation of processor's customers
  • Prohibitions on customer types
  • Key risk factors related to ACH Origination
    should be evaluated during credit exposure review
    processes
  • If risk rating is utilized, is it communicated to
    the BSA Department?
  • Does the credit risk rating impact the BSA risk
    rating?
  • May leverage this process into ongoing EDD
    processes
  • Online account opening
  • Evaluation of products, services, and geographies
  • Collection of due diligence information
  • Enhanced monitoring

23
Electronic Banking Services
  • Increased areas of focus
  • Remote Deposit Capture
  • RDC Risk Assessment
  • Complete and accurate due diligence information
  • Type of business, credit history, and ownership
  • Expected activities (many institutions identify
    limits)
  • Strong RDC agreement which clearly outlines
    responsibilities and guidance set forth by FFIEC
  • Administration of information security and
    documentation destruction
  • Allowable transaction types
  • Ongoing monitoring
  • Deviations from normal or anticipated
  • Transaction monitoring solution may allow
    institutions to write varying criteria
  • Impact on client risk rating processes

24
Stored Value Card Programs
  • Issuing Bank or Third Party Marketer?
  • Bulk of monitoring falls on Issuing Bank
  • Usage monitoring
  • Monitoring of loads and purchases
  • Administration and review of reports received
    from processors
  • Ongoing Due Diligence and Risk Rating
  • ISO and Program Manager
  • Clients (Companies or Banks)
  • Does not preclude monitoring as a marketing bank
  • Should have processes to evaluate potential
    unusual activity
  • Frequent Purchases
  • Loads and Re-loads
  • Due Diligence on bulk purchases
  • Payroll card due diligence

25
Correspondent Banking
  • Wire Transfers - Cover Payments
  • Previous standards
  • MT 103 - Credit Transfer is sent from the
    ordering customer's financial institution through
    the correspondents to the beneficiary customer's
    financial institution.
  • MT 202 - Due to the lack of a direct account
    relationship in the currency of the transfer, a
    separate covering MT 202 Transfer is sent to
    clear and settle the payment at the inter-bank
    level. The correspondent banks that process the
    MT 202 do not receive any information about the
    ordering and beneficiary customers
  • New Standards
  • MT 202 COV - MT 202 COV will allow for the
    end-to-end inclusion of full information on
    customers and financial institutions and enables
    correspondents involved in the clearing and
    settlement of the transaction to duly screen
    payments in line with regulations.
  • Impact
  • Allows correspondents to better monitor
    intermediary wire transactions
  • While beneficial information, may be difficult to
    incorporate into existing monitoring functions
    (transaction monitoring, OFAC, etc.)

26
Correspondent Banking
  • Previous Methods
  • Source: Swift.com

27
Correspondent Banking
  • New Standards
  • Source: Swift.com

28
Correspondent Banking
  • Iranian Sanctions
  • Comprehensive Iran Sanctions, Accountability, and
    Divestment Act of 2010 (CISADA)
  • Impacts financial institutions with foreign
    correspondent banking activities
  • Awaiting implementing regulations whereby
    institutions must:
  • Perform an audit of activities carried out by a
    foreign financial institution
  • Report to the Department of the Treasury with
    respect to transactions or other financial
    services provided with respect to any such
    activity
  • Certify that the foreign financial institution is
    not knowingly engaged in any such activity and /
    or
  • Establish due diligence policies, procedures, and
    controls to detect whether the Secretary of the
    Treasury has found the foreign financial
    institution to knowingly engage in any such
    activity.  
  • Discussion of trade finance
  • Monitoring of reasonableness of goods and
    services
  • List searching and due diligence of relative
    counterparties
  • Bureau of Industry and Security Denied Persons
    and Entity Lists

29
Independent Testing
  • General Requirements
  • Considered one of the four pillars of
    compliance
  • All BSA programs must have an independent testing
    function
  • Identified by several regulators as the number
    one, in terms of frequency, examination comment
  • Why is this an area of examination focus?
  • New examination model
  • Correlation of exam findings back to audit
    results
  • What are examiners focusing on?
  • Independence of auditors
  • Qualification of auditors (certification, etc)
  • Comprehensive test plan (all LOBs, functional
    units, etc)
  • Transaction testing, sample sizes, etc

30
Questions?
31
Contact Information
  • John Epperson, CFE, CAMS
  • Crowe Horwath LLP
  • One Mid American Plaza
  • PO Box 3697
  • Oak Brook, IL 60522-3697
  • John.Epperson_at_crowehorwath.com
  • www.crowehorwath.com/aml
  • O 630.575.4220
  • C 773.332.9847