Compliance Professional Resources
David DeMartino, 212.257.6500 ext. 1, ddemartino@compliancepros.net

July 2010

This issue's articles:
The Revised Bank Secrecy Act/Anti-Money Laundering (BSA/AML) FFIEC Examination Manual
AML Diligence: A Never-Ending Process for FIs
Risk Assessment 101
AIBA Announcement: New Risk Committee
The AIBA is pleased to announce the creation of a new Risk and Compliance committee as part of the AIBA. The committee will be chaired by David DeMartino, Managing Partner of Compliance Professional Resources, LLC. We have seen a critical need in the international banking community for a structured Risk and Compliance committee, and the AIBA is responding to that void by creating what we believe will be the foremost risk and compliance committee in the marketplace. Membership in the committee will be open to all AIBA members at no extra charge. David was co-founder of Prime Associates, Inc., the AML technology company that helped pioneer the industry. He has been an industry leader in the compliance space as chair of both the IFSA Technology and IFSA Risk and Compliance committees, and has contributed to the industry through his involvement with key regulators, law enforcement agencies, and trade associations. Dave brings a wealth of knowledge and experience to the newly formed committee.
Some of the objectives of the committee will be:
About the AIBA
The AIBA membership consists of the internal audit and compliance professionals of nearly 100 US branches and agencies of foreign banks. The mission of the AIBA is to foster the professional standing of its members by increasing their knowledge, skills, and capacities to carry out their responsibilities with respect to international banking.
The Revised Bank Secrecy Act/Anti-Money Laundering (BSA/AML) FFIEC Examination Manual
by Alfred Madrid, Senior Compliance Consultant, Compliance Professional Resources, LLC

The 2010 version of the BSA/AML Examination Manual was released by the Federal Financial Institutions Examination Council (FFIEC) on April 29, 2010. The revised manual reflects the ongoing commitment of the federal and state banking agencies to provide current and consistent guidance on risk-based policies, procedures, and processes for banking organizations to comply with the BSA and safeguard their operations against money laundering and terrorist financing. The 2010 version further clarifies supervisory expectations since the August 24, 2007 update.

The FFIEC is comprised of the Board of Governors of the Federal Reserve System, the Federal Deposit Insurance Corporation, the National Credit Union Administration, the Office of the Comptroller of the Currency, the Office of Thrift Supervision, and the State Liaison Committee (the Agencies). The Financial Crimes Enforcement Network (FinCEN), the administrator of the BSA, and the Office of Foreign Assets Control (OFAC) collaborated with the FFIEC on the revisions to the sections that address compliance with the regulations and sanctions programs that FinCEN and OFAC administer and enforce.

Revisions were made throughout the manual; the sections with more significant updates include:

Bulk Currency Shipments
A new section on bulk currency shipments was added. Its objective is to assess the adequacy of the U.S. bank's systems to manage the risks associated with receiving bulk shipments of currency, and management's implementation of effective monitoring and reporting systems.

BSA/AML Compliance Program Structures
The section on enterprise-wide BSA/AML compliance programs was substantially reworked to discuss the variety of compliance program structures that exist, allowing a banking organization discretion as to how to structure and manage its BSA/AML compliance program. A small institution may choose to combine BSA/AML compliance with other functions and use the same personnel in several roles; in those circumstances there should still be adequate senior-level attention to BSA/AML compliance and sufficient dedicated resources. A larger, more complex institution may establish a corporate BSA/AML compliance function to coordinate some or all BSA/AML responsibilities.

Core Examination Procedures for Assessing the BSA/AML Compliance Program
The core examination procedures for assessing the BSA/AML compliance program were streamlined and reorganized to make them more logical.

Developing Conclusions and Finalizing the Examination
The section was revised to include guidance to examiners on how to determine whether a violation is systemic or recurring, as opposed to technical or isolated.

Currency Transaction Reporting Exemptions
The section was updated to reflect the changes in the regulation and FinCEN guidance in this area, including removal of the initial designation and annual review requirements for certain Phase I customers, the biennial filing requirement for Phase II exempt customers, and elimination of the waiting period for exempting otherwise eligible Phase II customers by adopting a risk-based approach to exempting those customers.

Funds Transfers
The section was updated to reflect the introduction of the SWIFT MT 202 COV message format, which contains mandatory fields for originator and beneficiary information. The mandatory fields give intermediary banks the information they need to perform sanctions screening and suspicious activity monitoring. Effective 11/21/2009, the MT 202 COV is required for any bank-to-bank cover payment for which there is an associated MT 103.
Suspicious Activity Reporting
The discussion of methods to identify, research, and report suspicious activity was enhanced. The section was reorganized to reflect current supervisory expectations and to make the discussion easier to follow and more user-friendly (e.g., managing alerts, SAR decision making, SAR completion, and notifying the board of directors of SAR filings). A new Appendix S was added to illustrate the interaction between the different components of a suspicious activity monitoring program.

Automated Clearing House Transactions
The section was updated to reflect the recent changes to international Automated Clearing House (IAT) transactions, with corresponding changes to the OFAC section. The Electronic Payments Association (NACHA) issued IAT operating rules and formats that became effective 09/18/2009. The IAT is a new Standard Entry Class code for ACH payments that enables financial institutions to identify and monitor international ACH payments and perform sanctions screening as required by OFAC. Due diligence for an inbound or outbound IAT includes reviewing the payment field information for any indication of a sanctions violation, investigating hits, if any, and blocking or rejecting the transaction.

Electronic Cash
The section was revised to include a more in-depth discussion of prepaid cards. Risk factors include initial purchase using false identification, funding through stolen credit cards, purchase of multiple cards, unregulated loading points, and cross-border bulk cash movement. Risk mitigation in prepaid card programs may include limits or prohibitions on cash loads, access, or redemption; the velocity of fund use; the number of cards purchased; dollar thresholds on ATM withdrawals; geographic usage; and aggregate card values.
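The MT 202 COV and IAT changes above come down to the same control: the intermediary must be able to find the underlying originator and beneficiary in the message and screen them before the payment is released. The following Python is an added example, not code from the newsletter, from SWIFT, or from NACHA, showing that check for an MT 202 COV: it parses the text block, verifies that sequence B carries the mandatory 50a (originator) and 59a (beneficiary) party fields, and screens the party names against a sanctions list. The sample message, the sanctions list, the rule that sequence B starts at the first field 50a, and the REJECT/BLOCK/RELEASE policy are all assumptions made for the example; the same screen_name step applies unchanged to the name fields of an IAT addenda record.

```python
"""Added example: mandatory-field check and sanctions screening for a SWIFT
MT 202 COV. Not SWIFT's or any vendor's code; the message, the sanctions list
and the decision policy are constructed. Simplifying assumptions: only block 4
(':TAG:value' lines, continuation lines, closing '-') is parsed; sequence B is
taken to start at the first field 50a; a name matches a list entry when the
normalized strings are equal or the name contains every token of the entry."""
import re

TAG_RE = re.compile(r"^:(\d{2}[A-Z]?):(.*)$")
MANDATORY_B = ("50", "59")                              # originator, beneficiary
SANCTIONS_LIST = ["ACME SHIPPING LTD", "IVAN PETROV"]   # constructed list

def parse_block4(text):
    """Return the block-4 fields as an ordered list of (tag, value)."""
    fields = []
    for line in text.strip().splitlines():
        line = line.rstrip("\r")
        if line == "-":                      # end-of-text marker
            break
        m = TAG_RE.match(line)
        if m:
            fields.append([m.group(1), m.group(2)])
        elif fields:                         # continuation of the previous field
            fields[-1][1] += "\n" + line
        else:
            raise ValueError("text before first tag: %r" % line)
    return [(tag, value) for tag, value in fields]

def split_sequences(fields):
    """Sequence A (bank-to-bank) and sequence B (underlying parties), no separator tag."""
    for i, (tag, _) in enumerate(fields):
        if tag.startswith("50"):
            return fields[:i], fields[i:]
    return fields, []

def party_name(value):
    """Name line of a 50a/59a value: skip '/account' lines; option F puts the name on '1/'."""
    for ln in value.split("\n"):
        if ln.startswith("/"):
            continue
        if re.match(r"^\d/", ln):
            if ln.startswith("1/"):
                return ln[2:]
            continue
        return ln
    return ""

def normalize(s):
    return " ".join(re.sub(r"[^A-Z0-9 ]", " ", s.upper()).split())

def screen_name(name, listed=SANCTIONS_LIST):
    """List entries the name matches; token-subset makes it order-insensitive."""
    n = normalize(name)
    tokens = set(n.split())
    return [e for e in listed if normalize(e) == n or set(normalize(e).split()) <= tokens]

def check_cov(text, listed=SANCTIONS_LIST):
    """What the intermediary does with the cover payment: REJECT, BLOCK or RELEASE."""
    _, seq_b = split_sequences(parse_block4(text))
    present = {tag[:2] for tag, _ in seq_b}
    missing = [t for t in MANDATORY_B if t not in present]
    hits = {}
    for tag, value in seq_b:
        if tag[:2] in MANDATORY_B:
            found = screen_name(party_name(value), listed)
            if found:
                hits[tag] = found
    if missing:
        decision = "REJECT"      # parties absent: cannot be screened (policy assumption)
    elif hits:
        decision = "BLOCK"       # hold for OFAC review (policy assumption)
    else:
        decision = "RELEASE"
    return {"missing": missing, "hits": hits, "decision": decision}

# Constructed block-4 text: sequence A, then sequence B starting at 50K.
SAMPLE_COV = """:20:COV20100701001
:21:REF20100701001
:32A:100701USD250000,
:52A:BANKUS33XXX
:58A:BANKDEFFXXX
:50K:/12345678
ACME SHIPPING LTD
1 HARBOUR ROAD
:59:/87654321
BLUE WATER TRADING GMBH
HAMBURG
:70:INV 4471
-"""
# Same message with the beneficiary field dropped from sequence B.
SAMPLE_COV_NO_59 = SAMPLE_COV.replace(":59:/87654321\nBLUE WATER TRADING GMBH\nHAMBURG\n", "")

if __name__ == "__main__":
    print(check_cov(SAMPLE_COV))         # BLOCK: 50K matches the list
    print(check_cov(SAMPLE_COV_NO_59))   # REJECT: 59a missing
```

A message with an incomplete sequence B is treated as worse than a clean one with no hits, because a cover payment that cannot be screened is exactly what the MT 202 COV mandate exists to prevent.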
Trade Finance Activities
The definition was updated to more closely reflect actual usage in the industry, and a reference was added to recent Wolfsberg Group guidance for banks that provide trade finance services (Ref: The Wolfsberg Trade Finance Principles, January 2009, at www.wolfsberg-principles.com). So, in addition to OFAC filtering, the monitoring process should give greater scrutiny to obvious over- or under-pricing of goods and services, obvious misrepresentation of the quantity or type of goods, transaction structures that appear unnecessarily complex, significantly amended letters of credit (L/Cs), items that are inconsistent with the nature of the customer's business, and customers conducting business or shipping through higher-risk jurisdictions.

Electronic Banking
The section was updated, specifically on Remote Deposit Capture (RDC), to reflect the FFIEC guidance Risk Management of Remote Deposit Capture (11/14/2009). The guidance addresses the essential components of RDC risk management: the identification, assessment, and mitigation of risk.

Third-Party Payment Processors
The section was updated to reflect recent agency guidance: Guidance on Payment Processor Relationships, FDIC FIL-127-2008 (November 7, 2008), and Risk Management Guidance: Payment Processors, OCC Bulletin 2008-12 (April 24, 2008). Processors are bank customers that provide payment-processing services to merchants and other business entities, primarily credit card payments, automated clearing house transactions, remotely created checks (RCC), and debit and prepaid card transactions. With the expansion of the Internet, retail borders have been eliminated, and processors now serve a variety of merchant accounts, including conventional retail and Internet-based establishments, prepaid travel, telemarketers, and Internet gaming enterprises.

Processors generally are not subject to BSA/AML regulatory requirements; hence they may be vulnerable to money laundering, identity theft, fraud schemes, and illicit transactions or transactions prohibited by OFAC. If a bank has not implemented an adequate processor-approval program that goes beyond credit risk management, it could be vulnerable to processing illicit or OFAC-sanctioned transactions. The bank's BSA/AML risks when dealing with a processor account are similar to the risks from other activities in which a bank customer conducts transactions through the bank on behalf of the customer's own clients. Think KYCC (know your customer's customer)!

While most, if not all, of these changes may affect your banking institution, the reorganized 2010 version is a logical, simplified, and user-friendly manual that provides a clearer understanding of the regulatory expectations for an effective BSA/AML compliance program. For more information about BSA/AML and OFAC training courses customized to your particular bank's operations, contact Alfred Madrid at 212-257-6500 (ext. 5) or amadrid@compliancepros.net.
AML Diligence: A Never-Ending Process for FIs
by David DeMartino, CPC, Managing Partner, Compliance Professional Resources, LLC

Many financial institutions believe that they simply need to install an AML system and that is all that is needed to safeguard their organization from the threats of fraud, money laundering, and terrorist financing. The reality is that protecting a firm against the perils of criminal activity requires constant vigilance and ongoing diligence. The trend clearly points to this:

AML technology has only been around as a mainstream technology since the mid-nineties. While some would say that, a decade and a half later, the technology should be mature, the simple fact is that early-generation AML solutions focused only on BSA requirements. The theory in the early years of AML technology was that any FI that invested in this technology was head and shoulders ahead of most other FIs. The belief was that regulators would be pleased and give the institution a free pass. As a result of the USA PATRIOT Act, the stakes have been raised. The technology has continued to evolve from simple profiling, to rules-based engines, to peer modeling and predictive modeling. The challenge for compliance professionals is keeping up with these ever-changing technology advances. Compliance professionals need to work closely with their IT departments to coordinate upgrades and install the latest features. They must work with either their own compliance staff or operational/departmental resources to ensure that the most up-to-date features are actually being used. Budgeting for these items is of paramount importance; a compliance organization must be involved in planning for the ongoing costs of continual diligence. Additionally, compliance should consider using a consulting services vendor to help with the installation of new features and functionality. Simply "spinning" a CD and installing the latest version will not be enough: the functionality must be used. Consulting organizations are well versed not only in understanding the new capabilities but in applying them in a client's environment according to industry best practices.

The regulators expect increasing capabilities on the technology front. Regulators understand that technology is changing and improving; they have come to expect that these new capabilities will be introduced into the marketplace and adopted by FIs. A clear example of this is the ongoing regulatory focus on correspondent banking wire transfers. Regulators now understand that this high-risk area needs specialized attention. They know that industry best-practice rules have been created specifically for wire transfers, and they require the use of these rules for international money transfers. The regulators themselves are being educated on the functionality provided in AML solutions; as a result, the expectation level has increased dramatically. Peer FIs that utilize all the capabilities contained in their AML solutions are viewed as "setting the bar" for the rest of the industry. Those FIs that do not make use of the capabilities will be viewed in a negative light by the regulators.

Criminals are pushing the envelope when it comes to testing the defenses of FIs. This statement cannot be taken lightly. Criminals are not sending up the "white flag" because detection technology is now available in the marketplace; they are constantly probing the system looking for vulnerabilities. This is a predicament for FIs, because it means they must keep up with the latest advances being brought to market. Those that are not using the full capabilities of their existing AML system face a double whammy: first they must get their system running with its existing capabilities maximized, then they must upgrade the application to the latest version to keep the institution from falling prey to criminals who have detected a weakness in its defenses.

Shareholders and clients will not tolerate reputational problems. History does repeat itself; we have seen the problems at many FIs. A lax approach to compliance could turn a conservative, reputable firm into a "poster child" for poor compliance practices. What might start out as minor violations could easily turn into a catastrophe for the firm. Clients tend to lose faith in an institution that has been identified by the regulators as having weak compliance capabilities, or worse. Once that trust has been broken, it is extremely difficult to win the relationship back. Shareholders who see their investment diminish are quick to blame both the executive team and the board of directors.

My suggestion is to immediately look at the technology in use at your company and get an expert opinion from an AML consulting firm. They will determine whether you are truly compliant and are using the technology to its fullest capabilities. These "Vulnerability Assessments" will do that and more.
Risk Assessment 101
by Omer Hussein, CCO, ICICI Bank, New York

Banks are in the business of assuming risk. Therefore, they can do business with high-risk customers, offer high-risk products, operate in high-risk geographies, or any combination of the three. However, risks taken also need to be managed: credit risk, market risk, operational risk, etc. have been managed (or at least we thought they were!) for quite some time. For foreign banks operating in the US, BSA, OFAC, compliance, customer, and product risk assessments are relatively new phenomena, especially since risk management became the focal point of interest of US bank regulatory authorities. So it was not surprising that regulatory expectations and industry best practices gravitated towards risk-based audits, risk-based compliance programs, and even risk-based regulatory examinations.

There continues to be a lot of discussion about risk assessments spanning multiple dimensions: risk assessments of customers, products, controls, entire business units, etc. To a non-US banker who is not required to assess such risks and use the results in a meaningful manner, this can seem like an exercise in futility. US units of foreign financial institutions that are required to conduct such risk assessments need to justify requisitioning the extra resources (to remain compliant) from their head offices. Explanations such as these can be very tricky; it can be useful to work backwards, explaining the end result first and then the steps that lead to it. Given below are a few simple examples of such end results. Assuming a risk assessment matrix is suitable to an institution, is the output it produces useful on a standalone basis? The answer is "yes" and "no".
The output (either a risk score or a risk level, depending on the institution's preference) of a risk assessment alone could be useful to determine whether an institution chooses to offer a certain product at all, restricts it to certain classes of customers or geographies, or modifies it to lower its risk profile altogether. A risk score or risk level could also determine the frequency of compliance/audit testing of a control or process. In the context of an overall compliance risk assessment of a business/operations unit or the entire institution, a risk score or risk level can be used by senior management to price a product or service.

By contrast, for the output of customer, BSA, or OFAC risk assessments to be useful, it needs to be applied to downstream tools and processes that generate alerts. For example, the outputs could be used to apply different tolerances in transaction monitoring or suspicious activity monitoring systems, which would produce the red flags or warning signs that the institution has to review in order to fulfill its regulatory requirement of screening transactions for possible suspicious activity.

Last, but certainly not least, a risk assessment can identify control gaps in a financial institution's operations before an auditor or examiner does. If the institution can close the gap before the audit or examination, the potential savings from this alone could justify allocating resources toward building a solid risk assessment program.
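To make the standalone and downstream uses of the output concrete, here is an added Python example (not part of the article, and not any institution's actual matrix) of a small customer risk-assessment matrix whose score and level feed two consumers: a testing cycle for the relationship, and the transaction-monitoring tolerances that produce alerts. The factor weights, level cut-offs, tolerance table, customers, and transactions are all constructed for illustration; a real program calibrates them to the institution's own risk appetite and documents the rationale for examiners.

```python
"""Added example (not from the article): a customer risk-assessment matrix whose
output (score and level) is consumed downstream. Every weight, cut-off, tolerance,
customer and transaction below is constructed for illustration."""
from collections import defaultdict

# Factor scores, 1 (lowest risk) to 5 (highest); constructed values.
CUSTOMER_TYPE = {"retail": 1, "sme": 2, "msb": 4, "payment_processor": 4, "pep": 5}
GEOGRAPHY = {"US": 1, "DE": 1, "PA": 3, "IR": 5}
PRODUCT = {"checking": 1, "intl_wire": 3, "trade_finance": 3, "prepaid_card": 4}
WEIGHTS = {"customer_type": 0.40, "geography": 0.35, "product": 0.25}

def risk_score(customer):
    """Weighted 1..5 score; geography and product take the riskiest value held."""
    ct = CUSTOMER_TYPE[customer["type"]]
    geo = max(GEOGRAPHY[c] for c in customer["countries"])
    prod = max(PRODUCT[p] for p in customer["products"])
    score = (WEIGHTS["customer_type"] * ct + WEIGHTS["geography"] * geo
             + WEIGHTS["product"] * prod)
    return round(score, 2)

def risk_level(score):
    """Map a score to the level that drives the controls (cut-offs are assumptions)."""
    if score >= 3.5:
        return "HIGH"
    if score >= 2.0:
        return "MEDIUM"
    return "LOW"

# Standalone use of the level: how often compliance/audit tests the relationship.
TESTING_CYCLE_MONTHS = {"HIGH": 6, "MEDIUM": 12, "LOW": 24}

# Downstream use of the level: transaction-monitoring tolerances.
TOLERANCES = {
    "LOW":    {"daily_cash_total": 9_000, "wires_out_per_day": 5},
    "MEDIUM": {"daily_cash_total": 5_000, "wires_out_per_day": 3},
    "HIGH":   {"daily_cash_total": 2_000, "wires_out_per_day": 1},
}

def monitor(customers, transactions):
    """Aggregate per customer and day; alert against that customer's own tolerances."""
    level = {c["id"]: risk_level(risk_score(c)) for c in customers}
    cash = defaultdict(float)      # (customer, day) -> cash deposited
    wires = defaultdict(int)       # (customer, day) -> outgoing wire count
    for t in transactions:
        key = (t["cust"], t["date"])
        if t["kind"] == "cash_in":
            cash[key] += t["amount"]
        elif t["kind"] == "wire_out":
            wires[key] += 1
    alerts = []
    for (cust, day), total in cash.items():
        if total > TOLERANCES[level[cust]]["daily_cash_total"]:
            alerts.append((cust, day, "CASH_AGGREGATE", total))
    for (cust, day), n in wires.items():
        if n > TOLERANCES[level[cust]]["wires_out_per_day"]:
            alerts.append((cust, day, "WIRE_VELOCITY", n))
    return sorted(alerts)

# Constructed customers and constructed activity.
CUSTOMERS = [
    {"id": "C1", "type": "retail", "countries": ["US"], "products": ["checking"]},
    {"id": "C2", "type": "payment_processor", "countries": ["US", "PA"],
     "products": ["checking", "intl_wire", "prepaid_card"]},
    {"id": "C3", "type": "sme", "countries": ["DE", "PA"], "products": ["trade_finance"]},
]
TRANSACTIONS = [
    {"cust": "C1", "date": "2010-07-01", "kind": "cash_in", "amount": 6000.0},
    {"cust": "C2", "date": "2010-07-01", "kind": "cash_in", "amount": 2500.0},
    {"cust": "C2", "date": "2010-07-02", "kind": "wire_out", "amount": 40000.0},
    {"cust": "C2", "date": "2010-07-02", "kind": "wire_out", "amount": 35000.0},
    {"cust": "C3", "date": "2010-07-01", "kind": "cash_in", "amount": 3000.0},
    {"cust": "C3", "date": "2010-07-01", "kind": "cash_in", "amount": 2500.0},
    {"cust": "C3", "date": "2010-07-01", "kind": "wire_out", "amount": 12000.0},
    {"cust": "C3", "date": "2010-07-01", "kind": "wire_out", "amount": 9000.0},
    {"cust": "C3", "date": "2010-07-01", "kind": "wire_out", "amount": 7000.0},
]

if __name__ == "__main__":
    for c in CUSTOMERS:
        s = risk_score(c)
        print(c["id"], s, risk_level(s), "tested every", TESTING_CYCLE_MONTHS[risk_level(s)], "months")
    for a in monitor(CUSTOMERS, TRANSACTIONS):
        print("ALERT", a)
```

The point the example makes is the one the article makes: the same 2,500 cash deposit is silent for the low-risk retail customer and an alert for the high-risk processor, because the tolerance is a function of the assessment output rather than a single institution-wide number.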
About CPR
CPR is a unique regulatory compliance services firm: a blend of compliance recruiting services (executive, permanent, and temporary) and compliance consulting services. Add managing partners who essentially pioneered the industry, and CPR is clearly a leader in the regulatory compliance services space. Our commitment to excellence in all phases of our business is unparalleled. In recruiting, we provide you with the best, most skilled candidates; we work tirelessly to find the right person once we completely understand your needs. Our compliance consulting services are surgically focused on getting the job done as expeditiously as possible, without crippling your budget. We provide only seasoned and experienced consultants, always with the correct skill sets. Our goal is to get it right the first time.
www.compliancepros.net