Title: Anti-Money Laundering Association
Slide 1: The Unique Alternative to the Big Four
Anti-Money Laundering Association
Top 10 BSA Regulatory Trends, Expectations, and Emerging Issues
John Epperson, CAMS, CFE

Slide 2: Agenda
- Overview of BSA Regulatory Environment
- Top 10 Regulatory Trends and Hot Topics
  - Customer Risk Identification and Methodologies
  - Beneficial Ownership
  - Tailored Enhanced Due Diligence
  - Administration of New Products and Services
  - System Validation
  - System Tuning
  - Electronic Banking Services
  - Stored Value Card Programs
  - Correspondent Banking Considerations (Cover Payments and Iranian Sanctions)
  - Independent Testing
- Wrap up and Questions
Slide 3: BSA/AML Regulatory Environment
- Overview of BSA/AML Regulatory Environment
  - Still an area of increased regulatory emphasis
  - Tough economic environment is not deterring examiner focus on BSA program requirements
  - Evaluation less focused on the blocking-and-tackling aspects of BSA compliance
  - Penalties, written agreements, board resolutions, etc. still occurring
  - Requirements that were once a big-bank focus are now being seen in the community bank environment
- Shifting of BSA/AML examination resources
  - Leveraged examination model
- Technology implementation is an industry norm
- Trends in regulatory hot buttons are becoming more apparent
Slide 4: Customer Risk Identification and Methodologies
- General Requirement
  - Financial institutions should have processes and procedures in place to identify accounts that may pose a higher level of BSA/AML risk to the institution
- Regulatory Focus
  - Use of software for identification of high-risk accounts
  - Are the risk scores commensurate with the Bank's BSA/AML Risk Assessment?
    - Products/Services, Customer Types, Geographic Risks, and Product Risks
  - Stratifying customer types and services
    - Peer group considerations (dba, defining peer groups)
  - Adequacy in monitoring deviations from KYC/CDD or historical activity
Slide 5: Customer Risk Identification and Methodologies
- Frequency and dynamics of re-scoring
  - How often are customers risk scored? What if they are reported as high risk during one period and not in another?
  - Ensuring the frequency is consistent with the transactional look-back
  - System cutoffs
  - Transitions from manual to automated monitoring
  - Auto high-risk factors
- Administration of customer risk scoring
  - Changes to customer risk scores
  - Formalized processes and procedures
  - Approval
- Tuning
  - Broader focus to tune the customer risk scoring methodology
  - Qualitative and quantitative analysis to support the reasonableness and adequacy of the customer risk scoring methodology
Slide 6: Customer Risk Identification and Methodologies
- Are customer risk ratings or risk factors utilized in determining whether potential unusual activity is alerted through transaction monitoring systems?
  - Pros
    - May be beneficial to support ongoing and enhanced due diligence for high-risk relationships
    - May assist in tuning the effectiveness of established filtering parameters
  - Cons
    - Often complex; multiple variables to consider
    - Are we missing potential unusual activity?
- Discussion on effective methods
Slide 7: Beneficial Ownership
- On March 5, 2010, interagency guidance (FIN-2010-G001) was issued to clarify and consolidate existing regulatory expectations for obtaining beneficial ownership information for certain accounts and customers
- Heightened risks with respect to beneficial owners of accounts, as nominal account holders can enable individuals and business entities to conceal the identity of the true owner of assets or property
- Establish and maintain CDD procedures to identify and verify the identity of beneficial owners of an account, as appropriate, based on the institution's evaluation of risk pertaining to an account
  - Customers acting as an agent or on behalf of another
  - Private Investment Companies (PICs)
  - Trusts, corporate entities, shell entities
- Expanded and required elements for Private Banking Services and Correspondent Banking Relationships
Slide 8: Tailored Enhanced Due Diligence
- General Requirements
  - Implementation of due diligence procedures, commensurate with the amount of perceived risk, for customers that pose a higher level of BSA/AML risk to the organization
- Increased Area of Regulatory Focus
  - Are the due diligence procedures appropriate for mitigating BSA/AML risk?
    - Frequency
    - Account level versus customer level
    - Information included in the analysis
    - Quality assurance processes
  - Are the due diligence procedures customized/tailored based on the customer type?
    - NGOs/Charities
    - NBFIs
    - MSBs
    - Privately Owned ATM Operators
    - PEPs
    - Third Party Payment Processors
Slide 9: Tailored Enhanced Due Diligence
- Do EDD processes allow for holistic review of transactional activities occurring within an account?
  - Should allow for a formalized and documented conclusion of the processes to mitigate risks associated with a high-risk account
  - Processes should allow for a single customer view
- Reasonableness evaluation
  - Money Service Business cash analysis
  - ATM ownership
  - May need to be supported through requests for additional information such as financial statements and tax returns
- More common to see aspects of EDD leveraged through account officers and lines of business
  - Systems utilized to manage these processes
  - Processes should allow for independent review with the BSA department
Slide 10: Administration of New Products and Services
- Financial institutions are finding themselves under regulatory scrutiny for poor administration of BSA controls related to new products and services
- Framework for evaluation of new services
- Key administration elements
  - BSA/AML Supervisory Committee
  - BSA new product/service representation
  - Strong transaction code management structures
  - Administration of adequate due diligence and CIP
    - Online accounts
    - Stored value card features and programs
    - Non-customer services
    - Unique arrangements with commercial accounts
      - Armored car, sub-accounts, leasing, financing
  - List searching considerations
- More common to see mandated look-backs covering more than just suspicious and unusual activity
  - CIP, CTR, due diligence collection
Slide 11: System Validation
- General Requirements
  - Systems relied upon for BSA/AML compliance should be independently tested to confirm their accuracy and integrity
- Why is this a hot button?
  - Leading attribute of major gaps in monitoring
  - Often noted attribute of look-backs, post-transaction review, etc.
  - Difficult to do during a risk-based examination
- What systems require validation?
  - Cash aggregation systems
  - Transaction monitoring systems
  - Automated customer risk scoring / due diligence
  - List searching functionalities
- Frequency
Slide 12: Transaction Monitoring System Validation
- Outside the Box
  - What are the sources of transactions and customer data defining the testing universe?
  - Gap analysis to identify source systems and transaction points of entry and exit
  - Enterprise-wide monitoring solution
  - Risk-based approach: which data feeds present the greatest level of risk to the institution?
- Inside the Box
  - Are established thresholds functioning as intended?
Slide 13: Gap Analysis
Gap Analysis: Analysis of the information currently captured and analyzed by the transaction monitoring application. This approach is largely accomplished through interviews with the key BSA management team to understand the objectives of the TM software and management's understanding of the software's capabilities.
Slide 14: Testing of Source Transactions
Testing of Source Transactions: Analysis and testing of the interface between the software and a selection of the Bank's core system applications which will serve as source reports. The purpose of these testing procedures is to confirm that the source transaction data reports correctly identify the intended transactions and would serve as appropriate control reports.
Slide 15: Information System Testing
Information System Testing: Determine whether all transactions, as identified in the Bank's core systems, are accurately translated to the transaction monitoring software. Reconcile all key records between the Bank's source system application reports and the transaction monitoring extract reports, and individually review the reconciling items.
Slide 16: Validation of Parameters
Validation of Parameters: Testing of the various system parameters utilized by the transaction monitoring software. This process includes selecting a sample of alert scenarios generated from the Bank's TM application and completing back-testing procedures to confirm that the selected alerts were accurately generated and reported based on the stated rules and parameters.
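As an added example (not from the presentation), the Information System Testing and Validation of Parameters steps above carried out on constructed data: a key-by-key reconciliation of the core system against the TM extract, then an independent recomputation of one stated rule (aggregate cash deposits over $10,000 per account, a constructed threshold) to back-test the alerts the TM application produced. The transaction codes, accounts and amounts are all constructed.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Txn:
    txn_id: str
    account: str
    tcode: str      # core-system transaction code
    amount: float

# Constructed sample data: what the core system reported vs. what reached the TM extract.
CORE_SYSTEM = [
    Txn("T1", "A100", "CASHDEP", 9_500.00),
    Txn("T2", "A100", "CASHDEP", 1_200.00),
    Txn("T3", "A200", "WIREOUT", 25_000.00),
    Txn("T4", "A300", "MICASH", 4_000.00),    # monetary-instrument code never mapped to TM
    Txn("T5", "A200", "WIREOUT", 3_000.00),
    Txn("T6", "A400", "CASHDEP", 6_000.00),
    Txn("T7", "A400", "CASHDEP", 5_000.00),   # dropped by the interface
]
TM_EXTRACT = [
    Txn("T1", "A100", "CASHDEP", 9_500.00),
    Txn("T2", "A100", "CASHDEP", 1_200.00),
    Txn("T3", "A200", "WIREOUT", 2_500.00),   # amount mistranslated (decimal shift)
    Txn("T5", "A200", "WIREOUT", 3_000.00),
    Txn("T6", "A400", "CASHDEP", 6_000.00),
]
CASH_RULE_THRESHOLD = 10_000.00   # stated rule: alert when period cash deposits exceed this
TM_ALERTS = {"A100"}              # alerts the TM application actually generated

def reconcile(core, extract):
    """Information System Testing: reconcile key records and list the reconciling items."""
    core_by_id = {t.txn_id: t for t in core}
    ext_by_id = {t.txn_id: t for t in extract}
    missing = sorted(core_by_id.keys() - ext_by_id.keys())
    extra = sorted(ext_by_id.keys() - core_by_id.keys())
    mismatched = sorted(i for i in core_by_id.keys() & ext_by_id.keys()
                        if core_by_id[i] != ext_by_id[i])
    return {"missing": missing, "extra": extra, "mismatched": mismatched,
            "codes_of_missing_items": sorted({core_by_id[i].tcode for i in missing})}

def expected_cash_alerts(txns, threshold=CASH_RULE_THRESHOLD):
    """Validation of Parameters: recompute the stated rule independently of the TM software."""
    totals = {}
    for t in txns:
        if t.tcode == "CASHDEP":
            totals[t.account] = totals.get(t.account, 0.0) + t.amount
    return {acct for acct, total in totals.items() if total > threshold}

def back_test(produced, expected):
    """Alerts the rule should have raised but did not, and alerts the rule does not support."""
    return {"false_negatives": sorted(expected - produced),
            "unsupported_alerts": sorted(produced - expected)}
```

Running the rule over the TM extract reproduces the TM alerts exactly, so the threshold works "inside the box"; running it over the core system exposes account A400, missed only because the interface dropped T7. Validating parameters alone would have passed this system.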
Slide 17: System Validation Summary
- Not all systems will capture all activities
  - Design limitations
    - Monetary instruments, stored value cards, ACH origination, RDC activities, pouch, US dollar drafts
  - System/processing limitations
    - Information captured through existing processes but not adequately mapped within the TM application
- Quantify risk exposure to known system limitations
  - What are my controls to mitigate the risks of not capturing certain activities?
    - Employee referrals
    - Supplemental manual and ad hoc reports
  - Reasonableness of over-reporting scenarios
  - Limited exposure
- Documenting a system validation risk assessment
Slide 18: Ongoing Administration of System Application
- Balancing/reasonableness test for key transactional data
  - Risk-based approach
  - Establishment of tolerance thresholds based on types and risks of activities
- Transaction code management
  - BSA management apprised of additions, deletions, or consolidation of transaction codes
- New products and services
  - Cited as one of the most common issues
Slide 19: System Tuning
- What systems are subject to tuning?
  - Primarily any automated transaction monitoring system; however, tuning generally applies to all suspicious and unusual activity monitoring techniques as well as customer risk identification processes
- General Requirements
  - No two institutions are the same, and therefore no two filters/monitoring programs should be the same
  - Applications running off-the-shelf reporting scenarios are top on regulators' lists
  - Commonly cited in examination reports
Slide 20: System Tuning and Optimization
- How do I tune my system?
  - Metrics
    - Alerts to qualified investigations
    - Alerting filters to SAR filings
  - Red flag guidance coverage assessment
    - Mapping of monitoring techniques to various money laundering red flag publications
  - Bank's Risk Assessment
    - Mapping of monitoring techniques to risk factors identified in the bank-wide BSA/AML Risk Assessment
  - Peer groups and deviations
  - Systems with self-tuning functionalities and multiple variables
  - Customer-level tuning
Slide 21: Electronic Banking Services
- Increasing number of institutions offering a wide array of innovative e-banking solutions
- Regulatory Focus
  - Recently cited cases whereby e-banking services were utilized as conduits of money laundering and financial crime
  - Substantial losses impact safety and soundness
  - BSA examinations increasingly focused on line-of-business risk management practices
- Increased areas of focus
  - Automated Clearing House (ACH)
    - IAT monitoring
    - List searching
    - Suspicious and unusual activity monitoring
    - Returned item monitoring
      - Excessive returns as revoked and unauthorized
    - Impact on client risk rating
Slide 22: Electronic Banking Services
- Increased areas of focus
  - Third Party Payment Processors and ACH Origination
    - Due diligence on counterparties
    - BSA/AML and OFAC responsibilities
    - SAS 70 review
    - Ongoing site visits
    - Ongoing evaluation of the processor's customers
    - Prohibitions on customer types
  - Key risk factors related to ACH origination should be evaluated during credit exposure review processes
    - If a risk rating is utilized, is it communicated to the BSA Department?
    - Does the credit risk rating impact the BSA risk rating?
    - May leverage this process into ongoing EDD processes
  - Online account opening
    - Evaluation of products, services, and geographies
    - Collection of due diligence information
    - Enhanced monitoring
Slide 23: Electronic Banking Services
- Increased areas of focus
  - Remote Deposit Capture
    - RDC risk assessment
    - Complete and accurate due diligence information
      - Type of business, credit history, and ownership
      - Expected activities (many institutions identify limits)
    - Strong RDC agreement which clearly outlines responsibilities and the guidance set forth by FFIEC
      - Administration of information security and documentation destruction
      - Allowable transaction types
    - Ongoing monitoring
      - Deviations from normal or anticipated activity
      - Transaction monitoring solution may allow institutions to write varying criteria
      - Impact on client risk rating processes
Slide 24: Stored Value Card Programs
- Issuing bank or third party marketer?
  - Bulk of monitoring falls on the issuing bank
    - Usage monitoring
    - Monitoring of loads and purchases
    - Administration and review of reports received from processors
    - Ongoing due diligence and risk rating
      - ISO and program manager
      - Clients (companies or banks)
  - Does not preclude monitoring as a marketing bank
    - Should have processes to evaluate potential unusual activity
      - Frequent purchases
      - Loads and re-loads
    - Due diligence on bulk purchases
    - Payroll card due diligence
Slide 25: Correspondent Banking
- Wire Transfers: Cover Payments
  - Previous standards
    - MT 103: The credit transfer is sent from the ordering customer's financial institution through the correspondents to the beneficiary customer's financial institution.
    - MT 202: Due to the lack of a direct account relationship in the currency of the transfer, a separate covering MT 202 transfer is sent to clear and settle the payment at the inter-bank level. The correspondent banks that process the MT 202 do not receive any information about the ordering and beneficiary customers.
  - New standards
    - MT 202 COV: MT 202 COV allows for the end-to-end inclusion of full information on customers and financial institutions and enables correspondents involved in the clearing and settlement of the transaction to duly screen payments in line with regulations.
  - Impact
    - Allows correspondents to better monitor intermediary wire transactions
    - While beneficial information, it may be difficult to incorporate into existing monitoring functions (transaction monitoring, OFAC, etc.)
Slide 26: Correspondent Banking
- Previous Methods (diagram; source: Swift.com)

Slide 27: Correspondent Banking
- New Standards (diagram; source: Swift.com)
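As an added example (not from the presentation or from SWIFT), the screening difference described on slide 25 made concrete: a plain MT 202 exposes only the institutions in the chain to the correspondent, while an MT 202 COV carries the underlying ordering and beneficiary customers, which the same screening routine can then check. The field tags (:20:, :21:, :32A:, :52A:, :58A:, :50K:, :59:) are real SWIFT MT tags, but the message layout is simplified, and the references, BICs, names and watch list are constructed.

```python
import re

# Constructed, abbreviated cover-payment messages (fictitious BICs and names).
MT202_PLAIN = """\
:20:COVREF001
:21:CUSTREF001
:32A:100805USD250000,
:52A:ORDRBANKXXX
:58A:BENEBANKXXX
"""
# MT 202 COV: the same settlement instruction plus the underlying customer details
# (ordering customer 50a, beneficiary customer 59a) that a plain MT 202 omits.
MT202_COV = MT202_PLAIN + """\
:50K:/12345678
ACME EXPORT TRADING LLC
:59:/98765432
EXAMPLE LISTED ENTITY
"""
WATCH_LIST = {"EXAMPLE LISTED ENTITY"}   # constructed; a real program loads OFAC/BIS lists

CUSTOMER_TAGS = {"50K", "50A", "50F", "59", "59A", "59F"}
INSTITUTION_TAGS = {"52A", "52D", "56A", "56D", "57A", "57D", "58A", "58D"}

def parse_fields(msg):
    """Split the text block into (tag, value) pairs; multi-line values keep their lines."""
    fields = []
    for part in re.split(r"^:(?=[0-9]{2}[A-Z]?:)", msg, flags=re.M):
        if part.strip():
            tag, _, value = part.partition(":")
            fields.append((tag, value.strip()))
    return fields

def screenable_parties(msg):
    """Names a correspondent can screen; customers appear only when the COV sequence is present."""
    parties = {"customers": [], "institutions": []}
    for tag, value in parse_fields(msg):
        lines = value.splitlines()
        if tag in CUSTOMER_TAGS:
            # Option K/F layout: an optional /account line, then the name and address lines.
            parties["customers"].append(" ".join(l for l in lines if not l.startswith("/")))
        elif tag in INSTITUTION_TAGS:
            parties["institutions"].append(lines[0])
    return parties

def screen(msg, watch_list=WATCH_LIST):
    """Exact-match screen over every party the message exposes (real programs fuzzy-match)."""
    parties = screenable_parties(msg)
    return sorted(n for n in parties["customers"] + parties["institutions"]
                  if n.upper() in watch_list)
```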
Slide 28: Correspondent Banking
- Iranian Sanctions
  - Comprehensive Iran Sanctions, Accountability, and Divestment Act of 2010 (CISADA)
  - Impacts financial institutions with foreign correspondent banking activities
  - Awaiting implementing regulations whereby institutions must:
    - Perform an audit of activities carried out by a foreign financial institution
    - Report to the Department of the Treasury with respect to transactions or other financial services provided with respect to any such activity
    - Certify that the foreign financial institution is not knowingly engaged in any such activity, and/or
    - Establish due diligence policies, procedures, and controls to detect whether the Secretary of the Treasury has found the foreign financial institution to knowingly engage in any such activity.
- Discussion of trade finance
  - Monitoring of the reasonableness of goods and services
  - List searching and due diligence of relevant counterparties
    - Bureau of Industry and Security Denied Persons and Entity Lists
Slide 29: Independent Testing
- General Requirements
  - Considered one of the four pillars of compliance
  - All BSA programs must have an independent testing function
  - Identified by several regulators as the number one examination comment, in terms of frequency
- Why is this an area of examination focus?
  - New examination model
  - Correlation of exam findings back to audit results
- What are examiners focusing on?
  - Independence of auditors
  - Qualification of auditors (certification, etc.)
  - Comprehensive test plan (all LOBs, functional units, etc.)
  - Transaction testing, sample sizes, etc.
Slide 30: Questions?

Slide 31: Contact Information
- John Epperson, CFE, CAMS
- Crowe Horwath LLP
- One Mid American Plaza
- PO Box 3697
- Oak Brook, IL 60522-3697
- John.Epperson_at_crowehorwath.com
- www.crowehorwath.com/aml
- O: 630.575.4220
- C: 773.332.9847