5/5/2016

Bank Secrecy Act

GBA Compliance School
Athens, GA

Thomas Williams, CRCM, CCBIA
SVP, Senior Compliance Manager
United Bank
May 5, 2016

Definition of Risk

“Risk comes from not knowing what you are doing.”

- Warren Buffett

Background

What is Money Laundering?


Background

October 1970

• Congress enacted the Currency and Foreign Transactions Reporting Act, which is now what we know as the Bank Secrecy Act.
• Granted the Secretary of the Treasury authority to impose regulations on insured banks.
• Required U.S. financial institutions to assist U.S. government agencies to detect and prevent money laundering.

Background

Money Laundering Control Act (1986)

o Established money laundering as a federal crime
o Prohibited structuring transactions to evade CTR filings
o Introduced civil and criminal forfeiture for BSA violations
o Directed banks to establish and maintain procedures to ensure and monitor compliance with the reporting and recordkeeping requirements of the BSA

Background

Anti-Drug Abuse Act of 1988

o Expanded the definition of financial institution to include businesses such as car dealers and real estate closing personnel and required them to file reports on large currency transactions
o Required the verification of identity of purchasers of monetary instruments over $3,000

Background

Annunzio-Wylie Anti-Money Laundering Act (1992)

o Strengthened the sanctions for BSA violations
o Required Suspicious Activity Reports and eliminated previously used Criminal Referral Forms
o Required verification and recordkeeping for wire transfers

Background

Money Laundering Suppression Act (1994)

o Required banking agencies to review and enhance training, and develop anti-money laundering examination procedures
o Required banking agencies to review and enhance procedures for referring cases to appropriate law enforcement agencies
o Streamlined CTR exemption process
o Required each Money Services Business (MSB) to be registered by an owner or controlling person of the MSB
o Required every MSB to maintain a list of businesses authorized to act as agents in connection with the financial services offered by the MSB
o Made operating an unregistered MSB a federal crime
o Recommended that states adopt uniform laws applicable to MSBs

Background

Money Laundering and Financial Crimes Strategy Act (1998)

o Required banking agencies to develop anti-money laundering training for examiners
o Required the Department of the Treasury and other agencies to develop a National Money Laundering Strategy
o Created the High Intensity Money Laundering and Related Financial Crime Area (HIFCA) Task Forces to concentrate law enforcement efforts at the federal, state and local levels in zones where money laundering is prevalent. HIFCAs may be defined geographically or they can also be created to address money laundering in an industry sector, a financial institution, or group of financial institutions.

Background

Other Major AML Laws:

• USA Patriot Act (2001)
• Intelligence Reform and Terrorism Prevention Act of 2004
  o Required certain financial institutions to report cross-border electronic transmittals of funds
• USA Freedom Act (2015)

Background

OFAC

• Beginnings can be traced back to the early 1800s.
• Officially renamed Office of Foreign Assets Control in 1962.
• Administers and enforces targeted country- and regime-based sanctions programs against hostile countries such as Iran, Syria, etc.
• Maintains a watchlist of well over 5,000 individuals and entities with which no U.S. person or entity can do business.

Background

FinCEN

• Established in 1990 as a bureau of the US Treasury.
• Initial goal was to analyze data and track financial criminals.
• Played a key role in establishing the joint examination manual first released by the FFIEC in 2005.
• Today works closely with federal and state law enforcement authorities as BSA Administrator.

Background

Purpose

• Assist in criminal, tax, and regulatory investigations.
• Established requirements for recordkeeping and reporting by private individuals, banks, and other financial institutions.
• Designed to help identify the source, volume, and movement of currency and other monetary instruments transported or transmitted into or out of the US.

Impact to Financial Institutions

FIs must put systems in place to assist with:

• Prevention

• Detection

• Prosecution


Money Laundering Defined

Money Laundering

• At the time, mafias in the U.S. used laundromats as fronts to facilitate and disguise their illegal activity.
• Due to the cash-intensive nature of the business, these criminals were able to easily avoid taxation as well as mix illicit earnings with legitimate ones from the laundry business.

Money Laundering Defined

Three primary means:

• Placement

• Layering

• Integration


Money Laundering Defined

How to Launder Money


Money Laundering Defined


USA PATRIOT ACT

Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism Act


USA PATRIOT ACT

• The single most significant AML law that Congress has enacted since BSA itself.

• Signed into law by President George W. Bush October 26, 2001.

• Reaction to the September 11, 2001 attack (filed 45 days after the attack on the World Trade Center).

USA PATRIOT ACT

Significance

• Allowed law enforcement and financial institutions the ability to more freely share information.

• Allows law enforcement agencies greater freedom in the searching of communications; specifically telephone and email communications.


The Facts

• Cost an estimated $400,000 to $500,000 to plan and execute the 9/11 attacks.

• $300,000 of these funds passed through the hijackers' bank accounts in the US.

• Money used in the attacks went towards travel, flight training, and living expenses.

• The 9/11 hijackers returned $26,000 to a facilitator in the UAE days prior to the attacks.

The Facts

• None of the 9/11 attackers received any domestic financial support.

• The financial transactions were not complex in nature.


Funding

3 Primary Methods:

• Wire transfers,

• Physical transport of cash and travelers checks into the US, and

• Debit cards.


USA FREEDOM ACT

Uniting and Strengthening America by Fulfilling Rights and Ending Eavesdropping, Dragnet-collection and Online Monitoring Act

USA FREEDOM ACT

• Signed into law by President Obama June 2, 2015 and extends Patriot Act through 2019.

• Reauthorizes parts of the USA Patriot Act but dissolves its notorious bulk data collection of Americans’ phone records and Internet metadata.

• Increases the maximum penalty for material support to terrorism from 15 years to 20 years.


USA FREEDOM ACT


Bank Secrecy Act

Applicability

• Banks;
• Money Services Businesses (including check cashers and money transmitters);
• Casinos;
• Insurance companies;
• Precious metals dealers; and
• Loan or finance companies and pawnbrokers.

Bank Secrecy Act

• System of Internal Controls
• Independent Audit
• Training for Appropriate Personnel
• Customer Identification Program
• Board Appointed BSA Officer

Bank Secrecy Act

System of Internal Controls

• Policies, procedures, and processes to manage, monitor, and control risks;
• Ensures compliance with BSA regulations;
• Establishes controls commensurate with BSA risk profile; and
• Includes recordkeeping and reporting requirements.

Bank Secrecy Act

Bank Secrecy Act Officer

• Must be approved annually by the Board of Directors;
• Must be qualified;
• Must have significant authority, knowledge, and resources; and
• Responsible for ensuring overall BSA compliance.

Bank Secrecy Act

Independent Audit

• Must be completed by a qualified party;
• Must be independent (in-house or external);
• Conducted every 12 to 18 months (based on risk profile); and
• Can be a risk-based process.

Bank Secrecy Act

Training for Appropriate Personnel

• Should be documented;
• Be tailored to specific job duties;
• Address regulatory requirements;
• Reference bank policies, procedures, and processes;
• Be on-going;
• Reiterate employee responsibilities.

Bank Secrecy Act

Customer Identification Program

• Must form a reasonable belief of customer identity;
• Must include account opening procedure and verification methods;
• Must ensure collection of minimum data elements; and
• May use risk-based procedures for additional documentation and verification of customer identity.

Bank Secrecy Act

ABA Money Laundering Enforcement Conference, November 16, 2015

“A bank will want to know about an MSB’s geographic and demographic focus, the nature of its products and services, and its anticipated volume of activity, among other things. But this does not mean that a bank is responsible for knowing its customers’ customers. Understanding a customer’s customer base is one thing, but knowing a customer’s customer is another, and we have repeatedly confirmed that the latter is not an obligation under the BSA.”

- Jennifer Shasky Calvery, FinCEN Director

Bank Secrecy Act

Importance

• Enables law enforcement and regulatory agencies to pursue investigations of criminal, tax and regulatory violations.

• Provides evidence useful in prosecuting money laundering and other financial crimes.


Regulatory Requirements

• Record

• Report

• Identify


Regulatory Requirements

Recordkeeping and Reporting:

• Currency Transaction Reports (CTRs);
• Designation of Exempt Persons; and
• Suspicious Activity Reports (SARs)

Regulatory Requirements

Retention of Records:

• Transaction Data – 5 years from transaction; and
• Customer ID information – 5 years from account closure.

Currency Transaction Reports

Filing Requirements:

• Currency transactions that exceed $10,000 conducted by, or on behalf of, one person.
• Must be filed for multiple currency transactions that in aggregate exceed $10,000 in a single business day.
• Obtain personal identifying information for the person conducting the transaction (i.e., SSN, driver's license, government-issued ID).

Designation of Exempt Person

Filing Requirements:

• Phase I
  o Bank (Domestic Operations)
  o Federal, state, local government agency or department
  o Entity (other than a bank) listed on the NYSE, ASE, NASDAQ
• Phase II
  o Non-listed businesses
    i. Maintained a transaction account for at least two months or prior to the passing of two months;
    ii. Frequently engages in transactions in currency with the bank in excess of $10,000; and
    iii. Is incorporated or organized under the laws of the US or a state, or is eligible to do business in the US.

Designation of Exempt Person

Ineligible Businesses (engaged primarily in):

• Serving as a financial institution or as agents of a financial institution.
• Purchasing or selling motor vehicles of any kind.
• Practicing law, accounting, or medicine.
• Auctioning of goods.
• Chartering or operation of ships, buses, or aircraft.
• Pawn brokerages.

Designation of Exempt Person

Ineligible Businesses (engaged primarily in):

• Engaging in gaming of any kind.
• Engaging in investment advisory services or investment banking services.
• Operating a real estate brokerage.
• Operating in title insurance activities and real estate closings.
• Engaging in trade union activities.
• Engaging in any other activity that may, from time to time, be specified by FinCEN, such as a marijuana-related business.

Suspicious Activity Reports

Filing Requirements:

• Transactions involving insider abuse in any amount;
• Transactions aggregating $5,000 or more when a suspect can be identified;
• Transactions aggregating $25,000 or more regardless of a potential suspect.

Suspicious Activity Reports

Filing Requirements:

• Transactions conducted or attempted by, at, or through the bank (or affiliate) aggregating $5,000 or more, if the bank knows, suspects, or has reason to suspect:

  o Money laundering or other illegal activity,
  o Transaction is designed to evade BSA,
  o No business or apparent lawful purpose, or
  o Not the type of activity a customer would normally conduct.

Management of Risk

An effective BSA program also includes:

• BSA/AML/OFAC Risk Assessment
• Customer Due Diligence
• Enhanced Due Diligence

Management of Risk

[Diagram: Risk Management, with the elements Assess, Measure, Evaluate, and Manage]

Management of Risk

Risk assessments:

• Are the foundation of a solid BSA/AML Program.

• Identify the bank’s risk profile and allow for the appropriate controls to be put in place to mitigate the risks.

Management of Risk

Identifying the Risk:

• Specific risk categories.
  o Customers
  o Products
  o Services
  o Geographies

• Quantify the specific risk categories.

Management of Risk

Sample CIP Risk Assessment

Sample BSA Risk Assessment


FDIC Enforcement by the Numbers

Bryan Cave Consumer Banking Blog – 11/3/2015

• As of November 2, 2015, the FDIC has publicly announced 39 bank enforcement actions for the year.

• Most frequent basis for Consent Orders in 2015 has been BSA violations or program weaknesses, accounting for 13 of the 39 enforcement actions.

FDIC Enforcement by the Numbers

Bryan Cave Consumer Banking Blog – 11/3/2015

• “I expect this trend to continue unless we experience a significant economic downturn or other disaster that redirects the FDIC’s resources.” - John Reveal


Enforcement Actions

First National Community Bank, Dunmore, PA. - $1.5 Million (2/27/2015)

Asset size: $970 Million

Regulatory Authority Amount

FinCEN $1 Million

OCC $500,000


Enforcement Actions

First National Community Bank, Dunmore, PA. - $1.5 Million (2/27/2015)

• The bank willfully violated the Bank Secrecy Act by failing to detect or adequately report suspicious transactions involving millions of dollars in illicit proceeds from a judicial corruption scheme perpetrated by a former Pennsylvania state judge, among other violations.

• The bank failed to file SARs on a timely basis in connection with certain suspicious transactions.


Enforcement Actions

Lone Star National Bank, Pharr, TX - $1 Million (4/1/2015)

Asset Size: $2.2 Million

Regulatory Authority Amount

OCC $1 Million


Enforcement Actions

Lone Star National Bank, Pharr, TX - $1 Million (4/1/2015)

• Critical deficiencies with suspicious activity identification, monitoring, and reporting.

• Two of the four minimum elements for the BSA program were not satisfied.

• The bank’s customer due diligence (CDD) and enhanced due diligence (EDD) for high-risk accounts were unsatisfactory.

Enforcement Actions

Lone Star National Bank, Pharr, TX - $1 Million (4/1/2015)

• There were a number of deficiencies with the Bank’s foreign correspondent relationship.


Enforcement Actions

Bank of Mingo, Williamson, WV - $8 Million (6/15/2015)

Asset size: $94 Million

Regulatory Authority Amount

FinCEN $4.5 Million

FDIC $3.5 Million


Enforcement Actions

Bank of Mingo, Williamson, WV - $8 Million (6/15/2015)

• The bank serviced high-risk customers without effectively monitoring their accounts for suspicious activity.

• Significant deficiencies in all aspects of its AML program, including internal controls, independent testing, training of personnel, and designation of a BSA Officer with sufficient resources to adequately oversee its BSA compliance program.


Enforcement Actions

Bank of Mingo, Williamson, WV - $8 Million (6/15/2015)

• Failed to properly assess the money laundering risk associated with its customers.

• Failed to properly designate many customers and their accounts as high risk.

• Failed to adequately monitor and detect the unusual currency transactions or suspicious activities in which these customers engaged.


Enforcement Actions

Bank of Mingo, Williamson, WV - $8 Million (6/15/2015)

• Bank failed to implement an effective BSA/AML Compliance Program over an extended period of time.

• Failed to file multiple currency transaction reports and suspicious activity reports associated with this risk.


Enforcement Actions

Banamex USA, Century City, CA - $140 Million (7/22/2015)

Asset size: $1.1 Billion

Regulatory Authority Amount

FDIC $140 Million


Enforcement Actions

Banamex USA, Century City, CA - $140 Million (7/22/2015)

• Failed to implement an effective BSA/AML compliance program over an extended period of time.

• Failed to retain a qualified and knowledgeable BSA officer and sufficient staff.

• Failed to maintain adequate internal controls reasonably designed to detect and report illicit financial transactions and other suspicious activities.


Enforcement Actions

Banamex USA, Century City, CA - $140 Million (7/22/2015)

• Failed to provide sufficient BSA training.

• Failed to conduct effective independent testing.


Enforcement Actions

Gibraltar Bank & Trust Co, Coral Gables, FL - $6.5 Million (2/25/2016)

Asset size: $1.529 Billion

Regulatory Authority Amount

FinCEN $4 Million

OCC $2.5 Million


Enforcement Actions

Gibraltar Bank & Trust Co, Coral Gables, FL - $6.5 Million (2/25/2016)

• Failed to implement and maintain an adequate AML program.

• Failed to develop and implement an adequate customer identification program.

• Failed to detect and adequately report suspicious transactions.

Enforcement Actions

Gibraltar Bank & Trust Co, Coral Gables, FL - $6.5 Million (2/25/2016)

• Program deficiencies led to the bank’s failure to monitor and detect suspicious activity despite red flags.

• Deficiencies resulted in the bank failing to timely file at least 120 suspicious activity reports.

• Previous deficiencies resulted in an Order in 2010; the bank had failed to achieve compliance with its requirements during examinations of the bank in 2011, 2012, and 2013.

Real World Scenarios

1) Structured Cash Transactions

2) Multiple Monetary Instruments to Same Payee

3) Elder Abuse via Wire

4) Elder Abuse via Checks Written to Cash

5) Domestic Cash Deposits and ATM Withdrawals in Countries of Concern


Monitoring of BSA Activity

• OFAC

• FinCEN 314(a) lists

• Suspicious Activity

• Wire Activity

• ACH Activity


The Obvious Challenge


Additional Challenges

Marijuana Related Businesses

o Legalized for medical use in some states

o Legalized for recreational use in a few states

o Controlled Substances Act

Additional Challenges

Bitcoin

o Enables the user to remain essentially anonymous.
o Simple for the user to navigate.
o May have low fees associated with the transactions.
o Worldwide accessibility with Internet connection.
o Can store value, as well as make international transfers of value.

Questions


Contact Information

Thomas Williams, CRCM, CCBIA
SVP, Senior Compliance Manager
United Bank
(770) 412-4909 Office
(678) 972-2095 Cell

TriComply Financial Compliance Journal

The BSA Issue

April/May 2012 | BSA Issue
What Is The TriComply Financial Compliance Journal?

We’re excited about the third issue of our TriComply Financial Compliance Journal for financial institution compliance professionals. The journal is written and edited by TriComply Compliance Services, a part of TriNovus, LLC. TriComply provides expert compliance advice to financial institutions around the country. We decided to compile some of our expertise on timely compliance topics, and the result is the TriComply Financial Compliance Journal. For more information on TriNovus and TriComply, call 205.991.5636 or visit www.trinovus.com. You can also subscribe to our free weekly compliance newsletter on our website.

From the Editor

Dear Reader:

Welcome to the third edition of the TRICOMPLY FINANCIAL COMPLIANCE JOURNAL. In this issue, we have focused on the Bank Secrecy Act and its related requirements. It seems like every regulation hits a zenith. Then, it fades into its place with all of the other regulations. The Bank Secrecy Act is somewhat the same.

I can remember several years ago when it was the hottest topic in banking. It seemed like every compliance consulting group was holding a seminar every day on BSA. Now its importance has somewhat faded --- unless your institution was just tagged with a BSA violation. If that happens, you will quickly find out how important BSA compliance is. We hope that the articles in this issue will assist you in strengthening and implementing your BSA program. You can also use this edition of the journal as part of your annual BSA training program.

We are very grateful for all of the financial institutions that have subscribed to our TriComply service, and we appreciate that they have placed their confidence in us. Our commitment is to provide a service that exceeds the expectations of our customers. Our growth has been much more rapid than we anticipated and that has caused us to have a few hiccups. We realize that and have taken the steps necessary to assure that our service is the best in the industry. We continue to add to our staff the best compliance professionals that we can find to support your growing needs. If your institution does not presently subscribe to TriComply, we hope you will give us a try.

Compliance Q&A

Every issue features actual questions asked by real compliance officers just like you from across the nation.

You do not have to police your system for this as many systems do not provide for a means to matching of the names and account numbers before accepting the transaction. However, if you notice this type of activity, then you should monitor the account(s) to watch for suspicious activity. Typically, your tellers are going to notice this when the funds are withdrawn. The institutions that have mentioned this activity seem to be noticing different postings coming into the same account and are unable to link the tax payer to the account holder in any way. If you see or your teller reports this activity, I recommend adding the account(s) to your high risk monitoring list, and if necessary, complete a SAR.

Q. If a new customer opens a loan account and this customer is a corporation, we CIP the corporation. Correct? What if there is also a personal guarantee by the owners of the corporation to secure a loan? For example, John and Sam Doe are the principals for Doe & Doe Enterprises, Inc. If John and Sam both personally endorse the loan as well, we would need to CIP those individuals, correct?

A. Correct, your “customer” is the corporation. Your bank should have written CIP procedures to address situations where the “customer” is not an individual and through your documentary and non-documentary verification methods you cannot reasonably verify the identity of the “customer.” In those cases, your procedures should reference obtaining information on those individuals with authority or control over the account, including signatories. Many institutions complete the CIP process on all signers of closely held corporations, such as the one you mentioned. In these cases, institutions may find verifying the true identity of the corporation difficult and, in turn, verify those with authority or control over the account.

In cases where the account is a loan with a personal guarantee, the guarantors are not considered your “customer” for purposes of CIP; they do not have an “account” with you as you are not offering them a product or service. However, you may have a tough time during your safety and soundness exam explaining why you didn’t verify your guarantor. In many cases where the loan must be supported by a personal guarantee, it is typical that the bank’s CIP procedures required it as well due to the difficulty in identifying the “corporation” as mentioned above.

Q. Under the wire transfer regulations related to BSA/AML, is there a requirement to keep a paper record or any record for that matter of any in-house transfer (inside the institution, i.e. from account to account at the same bank) of $3,000 or more where ownership of the funds is lost or transferred to another individual or […] held only in the husband’s name. Is there a requirement under BSA to maintain a record (specifically a manual paper record) of said transfer, since ownership of funds was lost by the joint account?

How about if the transfer involves a transfer of funds from one business account to another business account at the Bank, with the owner of both accounts being the same person?

A. These would both meet the description for the exception under 31 CFR 103.33(e)(6).

Funds transfers where both the originator and the beneficiary are the same person and the originator’s bank and the beneficiary’s bank are the same bank are not subject to the record keeping requirements for funds transfers.

There is also an exception for the record keeping requirements for the funds transfer when the originating bank is also the beneficiary bank.

Q. How would we document a customer identity on our CIP form if our borrower (VA on active duty in Afghanistan now) is not here? His wife has POA documentation and will be signing documentation on his behalf and we will do an “Alive and Well” statement at closing.

A. This will actually go back to your institution’s specific procedures, so check your BSA policy. As you know, the customer is actually the owner of the account. Therefore, you may have to do some of this long distance (via phone or email). You will likely have to use non-documentary methods. BSA says:

(B) Verification through non-documentary methods. For a bank relying on non-documentary methods, the CIP must contain procedures that describe the non-documentary methods the bank will use.
(1) These methods may include contacting a customer; independently verifying the customer’s identity through the comparison of information provided by the customer with information obtained from a consumer reporting agency, public database, or other source; checking references with other financial institutions; and obtaining a financial statement.
(2) The bank’s non-documentary procedures must address situations where an individual is unable to present an unexpired government-issued identification document that bears a photograph or similar safeguard; the bank is not familiar with the documents presented; the account is opened without obtaining documents; the customer opens the account with-

(C) Additional verification for certain customers. The CIP must address situations where, based on the bank’s risk assessment of a new account opened by a customer that is not an individual, the bank will obtain information about individuals with authority or control over such account, including signatories, in order to verify the customer’s identity. This verification method applies only when the bank cannot verify the customer’s true identity using the verification methods described in paragraphs (b)(2)(ii)(A) and (B) of this section.
(iii) Lack of verification. The CIP must include procedures for responding to circumstances in which the bank cannot form a reasonable belief that it knows the true identity of a customer.

Q. What are the requirements that are necessary to become a BSA officer?

A. There are no hard and fast rules for becoming a BSA officer, and there is no required credential to become a BSA officer. I have included an excerpt detailing the responsibilities and duties of the BSA officer from the online BSA Manual located at the FFIEC.gov website. It will give you a good idea of what is required to become a BSA officer.

BSA Compliance Officer

The bank’s board of directors must designate a qualified individual to serve as the BSA compliance officer. The BSA compliance officer is responsible for coordinating and monitoring day-to-day BSA/AML compliance. The BSA compliance officer is also charged with managing all aspects of the BSA/AML compliance program and with managing the bank’s adherence to the BSA and its implementing regulations; however, the board of directors is ultimately responsible for the bank’s BSA/AML compliance.

While the title of the individual responsible for overall BSA/AML compliance is not important, his or her level of authority and responsibility within the bank is critical. The BSA compliance officer may delegate BSA/AML duties to other employees, but the officer should be responsible for overall BSA/AML compliance. The board of directors is responsible for ensuring that the BSA compliance officer has sufficient authority and resources (monetary, physical, and personnel) to administer an effective BSA/AML compliance program based on the bank’s risk profile.

The BSA compliance officer should be fully knowledgeable of the BSA and all related regulations. The BSA compliance officer should also understand the bank’s products, services, customers, entities, and geographic locations, and the potential money laundering and terrorist financing risks associated with those activities. The appointment of a BSA compliance officer is not sufficient to meet the regulatory requirement if that person does not have the expertise, authority, or time to satisfactorily complete the job.

The line of communication should allow the BSA compliance officer to regularly apprise the board of directors and senior management of ongoing compliance with the BSA. Pertinent BSA-related information, including the reporting of SARs filed with FinCEN, should be reported to the board of directors or an appropriate board committee so that these individuals can make informed decisions about overall BSA/AML compliance. The BSA compliance officer is responsible for carrying out the direction of the board and ensuring that employees adhere to the bank’s BSA/AML policies, procedures, and processes.

The information contained in this TriComply Financial Compliance Journal is not intended to constitute, and should not be received as, legal advice. Please consult with your counsel for more detailed information applicable to your institution.

The TriComply Financial Compliance Journal is published by TriNovus, LLC, PO BOX 380305, Birmingham, AL 35238. All content herein is the sole property of TriNovus. Please submit all correspondence to the address above or via email at [email protected].
Please consult with where the loan must be supported by a personal by the customer with information obtained from a appreciate that they have placed their confidence in your counsel for more detailed guarantee, it is typical that the bank’s CIP procedures consumer reporting agency, public database, or us. Our commitment is to provide a service that exceeds information applicable to your required it as well due to the difficulty in identifying the other source; checking references with other finan- the expectations of our customers. Our growth has institution. “corporation” as mentioned above. cial institutions; and obtaining a financial statement. been much more rapid than we anticipated and that ( 2 ) The bank’s non-documentary procedures must has caused us to have a few hiccups. We realize that The TriComply Financial Compliance Under the wire transfer regulations related to BSA/ address situations where an individual is unable and have taken the steps necessary to assure that our Journal is published by TriNovus, LLC, Q. AML, is there a requirement to keep a paper re- to present an unexpired government-issued identifi- service is the best in the industry. We continue to add PO BOX 380305, Birmingham, AL 35238. cord or any record for that matter of any in-house trans- cation document that bears a photograph or similar to our staff the best compliance professionals that we All content herein is the sole property fer (inside the institution-i.e. from account to account at safeguard; the bank is not familiar with the documents can find to support your growing needs. If your institution of TriNovus. Please submit all the same bank) of $3,000 or more where ownership of presented; the account is opened without obtaining does not presently subscribe to TriComply, we hope you correspondence to the address above the funds is lost or transferred to another individual or documents; the customer opens the account with- will give us a try. or via email at [email protected]. 
entity (business)? out appearing in person at the bank; and where the Sincerely, bank is otherwise presented with circumstances that Advertising inquiries may be made by For example, if a husband and wife own a joint ac- increase the risk that the bank will be unable to veri- calling 205.991.5636 or emailing count and funds are transferred on-line to an account fy the true identity of a customer through documents. [email protected]. Blair Rugh TriNovus For more information on TriNovus visit TriComply Financial Compliance Journal | Pg www.trinovus.com. 21 COMPLIANCE Every issue features actual questions Let’s Explore asked by real compliance officers just BSA: When Are Two Customers One? Q A like you from across the nation. Aggregating Transactions for CTRs by Blair Rugh Can you& provide some guidance as to exactly related to MSBs. (specifically page 43591 footnote 46) Q. what topics need to be discussed in a BSA AML OFAC risk assessment? I have one but I am having FDIC We have a convenience store customer that has a examiners and want to be sure it’s correct/complete. Q. tax id number for his corporation and another tax id number for his dba. When completing a SAR which A basic model can be found in the 2010 FFIEC tax id number should I use? This is a repetitive SAR (ev- A.BSA Exam Manual for BSA and OFAC (Appen- ery 90 days) and I just realized the dba had it’s own TIN. dix J and M). You will want to address your institution’s The past 3 SAR’s I have used the corporation TIN. Can I high risk areas with respect to those areas and any put the dba’s TIN in the narrative? high risk customer types and/or products and services You may need to complete two different Part II Is our bank responsible for the OFAC screening A. forms. You would need one for the Q. for the originator of an domestic ACH or does that corporation and another for the dba. fall to the originating institution? 
We have a member who has provided their ac- sometimes under separately incorporated businesses Corporation A owns a hamburger With respect to domestic ACH transactions, the count number to individuals that are not signers Q. the BSA rules, an with separate taxpayer identification stand, Corporation B owns an ODFI is responsible for verifying that the Origina- on the account for them to be able to e-file and have A. institution must numbers. The aggregation question automobile dealership and tor is not a blocked party and making a good faith ef- their tax return funds come into our member’s account. aggregate the cash depends on whether the businesses Corporation C owns a dairy farm. fort to ascertain that the Originator is not transmitting Since they are not signers, we do not have any infor- transactions of two are run independently of one Each business is run totally blocked funds. The RDFI similarly is responsible for veri- mation on these individuals. Can our member give their separately another or whether in fact they are independent of the others. Each has fying that the Receiver is not a blocked party. In this account number out and does the IRS allow them to incorporated operated as a single business. There its own employees and payroll. way, the ODFI and the RDFI are relying on each other place the funds in an account for which they are not a S customers for the purpose of CTR is a presumption that separately There is no transfer of funds between for compliance with OFAC regulations. signer? Doesn’t the originator have some liability there? reporting if the separate customers incorporated entities are the three corporations. Even though have common ownership and a independent persons, but that the three corporations are all owned If we have an MSB that is a loan customer only, No, the IRS does not allow this type of activity. level of joint operations. In 2001, presumption is rebuttable. by Mr. 
Jones, they operate are we still required to adhere to the same due This also poses great risk on your institution with re- Q. A. FinCEN issued FinCEN Ruling 2001-2 independently and their transactions diligence requirements that apply to MSBs that have a spect to fraud and BSA requirements. You should check describing one circumstance when For example, assume that your should not be aggregated. deposit relationship with us? the name against the OFAC list, inform your member transactions of separate customers customer Mr. Jones owns three Unfortunately, most cases are not as that your institution does not allow this type of activ- should be aggregated. Recently, separate corporations, corporations clear cut as these two. Yes, you should follow your MSB requirements for ity nor does the IRS. You should also review the activity FinCEN issued a guidance A, B and C, and each corporation all account types. The guidance available for in- and consider a SAR. A similar scenario was included in A. expanding upon its prior direction owns a hamburger stand in your There is no single issue that is stitutions servicing MSBs refers to “accounts”. This would an IRS FAQ document. http://www.irs.gov/individuals/ (FIN-2012-G001). community. Corporation A orders determinative of whether two or include both loan and deposit relationships. Also con- article/0,,id=164570,00.html all of the supplies for all three more separate businesses are being sider the fact that the loan account could be used for FinCEN’s regulations implementing corporations and pays the payroll operated in a manner that makes operational funding and keep a check on what items Regarding direct deposit of someone’s tax refund the Bank Secrecy Act (“BSA”) require for all three corporations. Employees them something other than separate are being provided in their monthly payments. If your into an account that does not bear their name, we Q. 
financial institutions to aggregate of one of the corporations often and independent. The following are MSB isn’t registered and in compliance with the BSA re- don’t really know there is a name/acct# discrepancy multiple currency transactions “if work at the hamburger stand owned factors that should be considered in quirements, your credit could be at risk with respect to unless the account number is incorrect and unposts or the financial institution has by one of the other corporations. making a determination: repayment. rejects. Are we still responsible for the funds coming knowledge that [the multiple Frequently, funds are transferred •Do the corporations have joint into a valid account number and posting? Do we have transactions] are by or on behalf of between the accounts of the three employees? If our deposit customer is a property management to police every deposit coming in to ensure the name any person and result in either cash corporations and the account of •Do the corporations have separate company and they routinely accept rental pay- and account number match? Q. in or cash out totaling more than each acts as overdraft protection payroll accounts? ments in the form of traveler’s checks or money orders $10,000 during any one business for the other two. They jointly •Are the two corporations in the (sometimes in excess of $1,000 from one tenant in one The taxpayer should follow the IRS rules regarding day.” The issue, therefore, is when advertise the three hamburger same business? day), is the company considered to be a Money Ser- the direct deposit of their refund check. How- transactions are conducted through stands. Clearly, in this case, the three •Are there fund transfers between vice Business, as far as BSA is concerned? A. ever, many of them don’t know the rules or don’t care. 
the accounts of separate corporations are being operated as the accounts of the two Therefore, the bank should implement prudent proce- corporations by or on behalf of one one business and the BSA rules corporations? No, they would not be considered an MSB if dures to discourage or prohibit this activity. As stated in person. Frequently, an institution require that their transactions be •Do the corporations operate out of they are only accepting the items as rental pay- A. the previous Q&A, implement your suspicious activity may have an individual or a group aggregated for CTR filing purposes. the same premises? ments. This was mentioned in the section analysis of the monitoring process for these types of situations. of individuals that are the owners of On the other hand, assume that Final Rule issued on 7/21/2011 clarifying the definitions continued on page 19

When Two Are One

continued from page 5

by Blair Rugh

• Does one corporation supply goods or services to the other?
• Does one corporation make payments to third parties on behalf of the other?

Again, no single factor is determinative. The fact that both corporations are in the same business does not, in and of itself, mean that they are not being operated separately and independently. It is the intensity of the mutual relationships that is the determining factor; unfortunately, that is a subjective decision. Because of that, we recommend that institutions be somewhat aggressive in aggregation determinations. In this circumstance, you will not be criticized for filing a CTR when it was not required, but you will be criticized if the examiner thinks that the transactions should have been aggregated and you did not file.

The new guidance reiterated the requirement to aggregate transactions when they are done by the same person. Thus, if an employee of Company A makes a deposit for Company A and a deposit for Company B, they must be aggregated to determine whether or not a CTR should be filed. Also, if a customer owns several businesses that are not incorporated, then, their accounts are the accounts of the customer, and their transactions must be aggregated.

One final interesting issue that the new guidance raises is when a corporation owned by a customer pays a significant number of personal expenses of the customer. For example, the corporation may own the home the owner lives in, the car that the owner drives and may pay some of the owner’s personal expenses. In those circumstances, the owner of the corporation and the corporation may not be operating separately and independently and the owner’s cash transactions should be aggregated with that of the corporation.

A Formal CDD Rule on Its Way?

Despite the obligation of customer due diligence (CDD) implicit in BSA requirements, FinCEN believes that issuing an express CDD rule that requires financial institutions to perform CDD, including an obligation to categorically obtain beneficial ownership information, may be necessary to protect the US financial system from criminal abuse and to guard against terrorist financing, money laundering and other financial crimes. The initial rules would cover banks, brokers or dealers in securities, mutual funds, futures commission merchants, and introducing brokers in commodities. Consideration will be given for extending such a rule to other financial institutions in the future. Accordingly, FinCEN issued an Advance Notice of Proposed Rule Making (ANPRM), with a comment closing period of May 5, 2012.

Meet TriComply

Alison Hawkins is Vice President of TriComply Services. During her 16 plus years in banking, Alison has served as a Compliance Officer, BSA Officer, and a Certified Bank Auditor for large financial institutions as well as community banks, including a de novo where she developed and implemented the compliance program. As a compliance consultant, she has served as the lead consultant for a $9 billion bank fair lending review and has successfully assisted institutions with BSA remediation efforts resulting in releases from regulatory agency orders. Alison received her Bachelor of Science in Commerce and Business Administration at the University of Alabama, Tuscaloosa.

SAR: When Is An Activity Suspicious?

by Blair Rugh

It seems like every regulatory requirement has its season: 20 years ago, it was CRA; 10 years ago, it was the Bank Secrecy Act; today, it is Dodd Frank or one of its offspring. BSA compliance is no less important today than it was 10 years ago, but because it is no longer a front burner item, some financial institutions are not as diligent in detecting suspicious activity as they once were.

Under the Bank Secrecy Act, financial institutions are required to report:

• Criminal violations involving insider abuse in any amount;
• Criminal violations aggregating $25,000 or more when a suspect can be identified;
• Criminal violations aggregating $25,000 or more regardless of a potential suspect; and
• Transactions conducted or attempted by, at, or through the institution and aggregating $5,000 or more, if the institution or affiliate knows, suspects, or has reason to suspect that the transaction:
  o May involve potential money laundering or other illegal activity;
  o Is designed to evade the BSA or its implementing regulations; or
  o Has no business or apparent lawful purpose or is not the type of transaction that the particular customer would normally be expected to engage in, and the bank knows of no reasonable explanation for the transaction after examining the available facts, including the background and possible purpose of the transaction.

One of the most frequent violations is the customer who is aware of the CTR reporting requirements but not SAR reporting. To avoid having a CTR filed, the customer makes one or frequent cash deposits under the $10,000 CTR reporting level. Most banking automation systems will detect that pattern. The more difficult situation is a transaction or a series of transactions that are not of the type that the customer would normally be expected to engage in and for which the bank is not aware of any business purpose. For example, if I were to deposit a significant amount of cash into my account at my bank, it would certainly be out of the ordinary and one that I would not normally be expected to engage in. I have had my account for probably 40 years, and I don’t believe that I have ever made a cash deposit. The first time I do it, it probably does not rise to the level of something that should be reported. If I continue to do it, then either the bank would have to ask me where the money was coming from and determine a legitimate purpose for it or file a suspicious activity report.

I don’t know how many times a banker has called me, described an activity or a pattern of activity on the part of a customer, and asked whether or not I thought it was suspicious. My response normally is that I don’t know the customer or the situation, but if the activity was sufficient for the banker to call me to get my opinion, then, obviously the banker was suspicious, which means a SAR probably should be filed.

The first problem with filing SARs under suspicious circumstances is that what is suspicious is very subjective. What one person thinks is suspicious another may not. The second problem is that the examiners can look at it in perfect hindsight. An institution determined that the activity was not suspicious and did not file a SAR. The customer was subsequently arrested for money laundering. Also, just because law enforcement is aware of the criminal activity is no reason for not filing a SAR. There was a case in Alabama where a person was embezzling money from the company for which he worked. He was arrested and committed suicide. The bank where he was depositing the embezzled funds felt that because law enforcement was already involved and the person was dead there was no reason to file a SAR. Bad decision.

The BSA requires employee training. Part of that should be for front line personnel regarding the types of transactions that might be suspicious. There should be a person or a committee of people in each institution who determine whether a SAR should be reported. All employees should be trained to report to that person or committee all transactions or conduct that have any potential of being suspicious. Then, the person or the committee can investigate and make the correct decision regarding filing.

Are You Ready For The New e-Filing Requirements?

by Andrea Gullion

FinCEN has taken a leap into the 21st Century by requiring e-filing on most of its prevalent forms. In the interest of saving all involved time and money, the two most common forms—the Suspicious Activity Reports (SARs) and the Currency Transaction Reports (CTRs)—are required to be submitted by e-filing, rather than paper, starting July 1, 2012.

Institutions are also encouraged to file other forms, such as the Reports of Foreign Bank and Financial Accounts (FBARs), electronically as soon as possible; however, this form may still be submitted by paper until June 30, 2013. Additionally, special exceptions have been made for the Currency and Money Instrument Reports (CMIRs) and Form 8300 (Reports of Cash Payment Over $10,000 Received in a Trade or Business). Due to the nature of those reports, e-filing will not be mandated for them at this time. So, where does that leave your institution? Alas, don’t fret, there is some saving grace (or should we say “was”) for some institutions.

FinCEN issued notification of three categories for possible exemption from these requirements on February 24, 2012; institutions had 30 days from that date to apply for an exemption. The categories for hardship exemptions given were Money Services Businesses (MSBs) and/or small credit unions that lack internet access and file a limited number of reports, and financial institutions who utilize batch software requiring a major system conversion or other extraordinary circumstances.

If extra time is needed by these institutions to prepare for the change, they were required to affirmatively request an extension and await a response. Unfortunately, if your institution hasn’t done so by now, it is too late; so, get cracking!

If your institution is not currently registered for e-filing through FinCEN, it can do so by applying for a user ID and password on the BSA E-Filing System website: http://bsaefiling.fincen.treas.gov/main.html. After receipt of these items, the system can be securely accessed and e-filing can begin—please contain your excitement. Detailed instructions for e-filing are available through the FAQs at http://bsaefiling.fincen.treas.gov/FAQs.html.

In addition to the forms listed above, the following forms are currently eligible for electronic filing:

• Designation of Exempt Person (FinCEN Form 110)
• SAR by the Securities and Futures Industries (FinCEN Form 101)
• SAR by MSBs (FinCEN Form 109)
• SAR by Casinos and Card Clubs (FinCEN Form 102)
• CTR by Casinos (FinCEN Form 103)
• Registration of MSBs (FinCEN Form 107)

Meet TriComply

Andrea Gullion is a Senior Compliance Advisor at TriComply Services. With more than 12 years of experience in banking, Andrea is a former Compliance and CRA Officer for a large community bank. She has advised on fair lending matters referred to the DOJ and assisted in compliance remediation efforts. Andrea is also a licensed attorney in the state of Alabama, where she has practiced real estate law at a large firm in Huntsville, Alabama. She has extensive compliance experience as well as vast legal knowledge of the compliance industry. Andrea received both her Juris Doctor of Law and Bachelor of Science in Commerce and Business Administration from the University of Alabama, Tuscaloosa.


To Report or Not to Report? That is the Question

by Alison Hawkins

We have all been there: you have completed your investigation from the teller’s report of suspicious activity; yet, you are still completely puzzled as to what in the world this customer could be doing. The activity looks suspicious at a quick glance, but you have at least three ideas for situations that would justify the activity. You have spoken with the relationship officer and received the standard, “Oh, no way, he is a good customer.” Or “I have banked him for 25 years. He is a good business man and we go to church together.” And my personal favorite, “He brings donuts in every Friday morning for everyone.” So now what? Do I file or not?

Unfortunately, providing an endless supply of donuts does not make someone a good customer. Donuts tend to make hungry employees look the other way. Most of us have seen stable, even highly profitable, long term customer relationships take a turn for the worse in this economy. Business owners you would not have worried about in a million years are considering the unthinkable to keep their business alive another quarter. It happens on both sides of the fence, the deposit side and the lending side alike. A few donuts to hide some kiting or to stop the loan officer from asking “how’s business” could be well worth it for a customer in trouble.

So, what do you do when you are faced with a situation where you are unsure of whether or not to report? When in doubt, fill it out. That is my motto for suspicious or unusual activity. (Of course, with the mandatory e-filing deadline of July 1st for BSA forms fast approaching, I will have to change that to type it out.) We tend to think of a parade of red flags with alarms going off when we think of SARs. The trouble we have is when the activity is only sounding that alarm in the pit of our stomach.

What you thought was just a little indigestion after lunch may actually be the missing piece in an FBI investigation.

No one wants to file a SAR on someone that is completely innocent, but how far must you go to prove your case? Sometimes we misinterpret our responsibility to investigate when determining whether or not to file a SAR. Keep in mind, the SAR is merely a report of suspicious activity. As much as I think I would enjoy being a criminal investigator, that isn’t our job. We are not the police, and we do not have to solve the case in order to determine the activity is reportable.

In performing your investigation, keep in mind to watch for the little things. Search the internet for the names of companies to which checks or wires are sent. Ask the question that no one wants to hear the answer to: when was the last time you checked out the collateral? Verify signatures when lending documents are allowed to be signed outside of the bank. (Come on... we all know it happens, you don’t have to allow it, but put a control in place to protect your institution just in case.) Have someone investigate the store front; are they functioning as an unlicensed MSB? Are they kiting or structuring? Are there signs of identity theft or fraud?

In some cases, you may want to flag the account and continue to watch it closely for another week or two. But, in most cases, if you have that little feeling in the pit of your stomach that something just doesn’t feel right, file the SAR. You can certainly amend it later to add additional facts that appeared after submission. And, sometimes it helps to talk it out. It always seems there is more to the story when you start discussing it, strictly confidential, of course. For our members, our team of experts is here to help you with those quirky situations.

Oh, and the donut guy took the institution for a half a million in a sticky lending scam.

RMLOs No Longer Exempt from Mandatory BSA Requirements

by Leah M. Hamilton

The 10-year reprieve from mandatory Anti-money Laundering (AML) Programs and suspicious activity reporting (SAR) is soon to end for certain loan and finance companies. Generally, the final rule is intended to cover initial purchase money loans and traditional refinancing transactions facilitated by residential mortgage lenders (RMLOs). Non-bank RMLOs, which are generally known as “mortgage companies” and “mortgage brokers” in the residential mortgage business sector, are a significant subset of the “loan or finance company” category, in terms of the number of businesses and the aggregate volume and value of transactions they facilitate.

A closer look at the definition of a residential mortgage originator is essential as it changed significantly

residential mortgage loan. In addition, the rule will apply to residential mortgage originators, regardless of whether they receive compensation or gain for acting in that capacity. FinCEN deliberately expanded the definition with just a few simple word changes in order to cast a wide net, with few exceptions.

Exempt from the definition of RMLO is any government sponsored enterprise (GSE) regulated by the Federal Housing Finance Agency. GSEs have an established procedure for reporting suspicious activity to the FHFA, which then reports the suspicious activity to FinCEN. Additionally, as long as a mortgage servicer does not extend residential mortgage loans or offer or negotiate the terms of a residential mortgage loan application, it will not fall under

for individuals financing the sale of their own real estate. For example, individuals employed by a loan or finance company that would not be subject to the rule include administrative assistants and office clerks who gather documents, review land records and complete forms on behalf of a lender or originator.

RMLOs will be required to have a senior management approved AML Program in place, which must include, at a minimum, the four pillars: (1) the development of internal policies, procedures, and controls; (2) the designation of a compliance officer; (3) an ongoing employee training program; and (4) an independent audit function to test programs. Each loan or finance company is required to develop and implement an anti-money laundering program reasonably designed to prevent the loan or finance company from being used to facilitate money laundering or the financing of terrorist activities.

The new SAR form has been designed with loan and finance companies in mind. Although most have voluntarily filed SARs in the past, RMLOs will now be subject to mandatory reporting requirements.

With an effective date of April 16, 2012, and a mandatory compliance date of August 13, 2012, RMLOs will surely be in a scurry to ensure their operational policies, procedures and processes will pass muster under the new regulatory requirements for an AML Program and SAR reporting. A loan or finance company will be required to make a copy of its AML Program available to FinCEN or its designee upon request.

Meet TriComply

Leah M. Hamilton is the Director of TriComply Services with TriNovus. She has more than 17 years of experience in the financial services industry. Leah is one of the nation’s sought after compliance instructors and consultants. She brings her passion for compliance and real world stories to engage the audience and offer levity to very tough topics. As a compliance expert, Leah has served as the lead compliance consultant and advisor on several consent

Who Are You Required To Identify?

by Blair Rugh

Section 326 of the USA PATRIOT Act mandates that the federal bank regulatory agencies establish regulations requiring all U.S. financial institutions subject to their control to have formal programs for verifying the identity of their customers. The rules became mandatory on October 1, 2003. The customer identification program (CIP) must be a component of the institution’s overall Bank Secrecy Act program and must be approved by the institution’s Board of Directors. The CIP is intended to enable the institution to form a reasonable belief that it knows the true identity of each customer.

For the purpose of CIP, a customer is a person who is the owner of an account with the institution. An account is a formal relationship that is anticipated to have a duration in time, such as a deposit account, a credit arrangement, a safe deposit box lease or the provision of cash management, custodian or trust services. Single isolated transactions such as cashing a check, the sale of a money order or cashier’s check, a wire transfer or the use of an ATM, do not create a customer relationship, although their use by a person may be frequent. An institution’s CIP should be completed on a customer before an account relationship is opened; however, it may be completed after the account is opened provided that all transactions in the account are restricted until the identification process is completed.

You are not required to identify the owners of accounts that you acquire by either merger or acquisition as your relationship was not initiated by the customer. If, however, you open an additional account for a customer whose relationship you acquired and have not previously identified, then, you must identify the customer at that time. There is an exemption from identification for financial institutions regulated by federal or state agencies and for publicly traded companies listed on the New York or American stock exchanges, or in the NASDAQ National Market System (except for small-capitalization segment).

Often the question arises, “Who is your customer?” Your customer is the account owner. If there are multiple owners of an account, then, all of the owners are your customer, and all must be identified. If the person who applies to open an account with you is an individual, the determination is easy. The individual is or will become your customer. On the other hand, if your customer is a juridical entity, that is an organization created by law, sometimes the determination of who is your customer is more difficult.

If the account owner is a corporation, the corporation is your customer. You are required to identify the corporation, but you are not required to identify persons that are associated with the corporation such as the stockholders, directors, officers or the signers on the account. Some institutions require the identification of the stockholders or other persons affiliated in some way with closely held corporations that are their customers. That is certainly permissible, but it is not required. Similarly, if the owner of your account is a limited liability company or a limited partnership, the limited liability company or limited partnership is your customer and is the only entity or person that must be identified.

If your customer is a partnership, it is the entity that must be identified. Frequently, two or more persons may form a partnership where there is no written partnership agreement; therefore, no way to identify the partnership. In that event, you identify the individual partners.

If your account owner is a trust, you identify the trust. The settlor of the trust, the trustees and the beneficiaries are not your customers, and there is no requirement that you identify them. In my opinion, there is an exception to that when your customer is a revocable trust. In that case, there is such a close relationship between the settlors of the trust and the trust because the settlors may revoke the trust at any time and become the account owners. I believe that the better policy is to also identify the settlors of the trust. If the owner of your account is an unincorporated association

community member, but neither has been a customer of your institution. You must still apply your CIP to these individuals when they become your customer.

Once you have put a customer through your Customer Identification Program and have identified the customer, if the customer opens additional accounts, there is no requirement that you identify the customer again as long as you have a reasonable belief that you know the true identity of your customer.

CIP should not be confused with obtaining identification for other BSA purposes such as wires, monetary instruments, CTRs, SARs, and other required transaction reporting. In those transactions, you must obtain, verify or maintain the necessary identification of the conductor, beneficiary, originator, etc. as applicable to the account or transaction.

Meet TriComply

Blair Rugh is one of the preeminent experts on United States banking laws and regulations. He has authored compliance manuals recognized by the banking industry as the definitive treatise on banking law and regulation. He has extensive experience as a speaker to bankers’ associations and has written numerous articles published in banking journals. With more than 20 years experience in commercial and investment banking, Mr. Rugh’s background includes a Bachelor of Science degree in chemical engineering from the University of Kansas as well as a juris doctor degree from Southern Methodist University Law School.
Compli- such as the Thursday Night Guy’s Bowling, Beer and order remediation engagements, focusing on Consumer Compliance from the proposed definition which of the definition of residential mort- ance will be examined by FinCEN Belch club, then, you identify the person opening the and BSA/AML. A licensed attorney for more than 10 years, Leah initially corresponded with the SAFE gage loan originator. The final rule or its delegates in accordance with account. received her Juris Doctorate from Northern Illinois University Col- Act. A residential mortgage origina- does not contemplate coverage of the BSA. lege of Law, and her Bachelor of Arts in General Studies degree tor is a person who accepts a resi- an individual employed by a loan Lastly, there is the scenario where you have known an from the University of Texas at Dallas where she majored in law dential mortgage loan application or finance company or financial in- individual forever, such as a relative or long standing and minored in business management. or offers or negotiates terms of a stitution and provides an exception

16 TriComply Financial Compliance Journal | Pg 9

The Four Pillars of BSA

by Leah M. Hamilton

To ensure compliance with the Bank Secrecy Act (BSA) and its implementing regulations, a financial institution must have a BSA Program that consists of:

• Internal controls;
• Independent testing;
• A specifically designated BSA officer; and
• Ongoing training for appropriate staff.

These are often referred to as the four pillars. To support these pillars, a foundation is also required - a customer identification program (CIP).

Internal controls are those policies, procedures and processes that an institution implements to control and mitigate its risk and to achieve compliance with the BSA. Internal controls should be commensurate with the size, structure, risks, and complexity of the institution.

Independent testing does not mean you have to hire a third-party to audit your BSA/AML program areas. What it does mean is that it must be performed by a person (or persons) who are not involved with the institution’s BSA/AML compliance staff. Additionally, independent refers to whether or not such persons report directly to the Board of Directors or its designated committee that consists primarily of outside directors, if at all. Most community institutions do not have a separate audit staff, and thus, farm out the work to third parties. The audit should be comprehensive, accurate, adequate and timely. Best practice is an annual independent audit, but in no event should the review cycle exceed 18 months. If you are under any type of a BSA order, a more frequent review may be appropriate.

The BSA Officer must be appointed by the Board of Directors and is responsible for the overall BSA/AML program. That does not mean such person does all of the work, but like any other manager, is responsible to ensure all of it gets done. The BSA officer must be empowered with the necessary authority and resources to effectively execute all applicable duties. When designating the BSA Officer and staff, the Board of Directors is responsible for ensuring that they have the necessary competency and have no conflicts of interest.

Training is the fourth pillar of an effective BSA Program. Training need not be formal conference training, but it must be comprehensive to adequately train staff at employment and annually thereafter. Ongoing training should also be provided, which may occur during staff meetings, webinars, brown bag lunches, or one-on-one situations. The key is to use appropriate training as may be necessary and conducive to your audience to keep staff informed of ongoing regulatory changes and any issued bulletins. Federal record-keeping of BSA training must be maintained, including attendance records and copies of materials.

The Customer Identification Program (CIP), often referred to as the fifth pillar, is the foundation for any effective BSA Program as a customer or member may pose a great risk for BSA violations. All financial institutions are required to have a board approved, written CIP to enable staff to form a reasonable belief that the institution knows the true identity of its customer or member. Never more than today, with the increase in identity theft, has it been so essential that an institution know its customer or member. At a minimum, generally, the institution must obtain from each customer or member before opening the account, the name, date of birth (for individual), address, and an identification number. The CIP must include risk-based procedures for verifying identity. Although it need not establish the accuracy of every element of the identification information, identity must be verified with enough information to form a reasonable belief that you know the true identity of your customer or member.

This is a very high-level overview of the key components of the BSA Program. To ensure compliance with the regulations and examiner expectations, each institution should perform its own thorough BSA Program review.

A BSA Program Review template based on the 2010 FFIEC BSA Examination Manual is available to TriComply Members at no additional cost. For non-members, it is available for $99. Please call 205.991.5636 or email [email protected] for details.

TriComply Financial Compliance Journal | Pg 15

The New Suspicious Activity Reporting Form

by Katherine E. Timon

The long anticipated new suspicious activity form (SAR) has finally arrived! The new SAR was initially expected to go-live July 1, 2012 along with the new mandatory e-filing. However, it wasn’t ready, and a reprieve to use the new form was granted. Although not required until March 31, 2013, institutions are encouraged to use the new form effective immediately. Until that date, either form may be used for e-filing only. The form warns that you may not use the new form for paper filing.

Although FinCEN did not hit the “Ask 100 questions,” it came close with 98 questions on the new suspicious activity reporting form. FinCEN provided a break on the narrative by reducing the number of available characters from 39,000 to 17,000 characters. In other words, do not regurgitate all of the information you just checked off in the prior 98 data fields; tell FinCEN clearly and concisely why you think the activity is suspicious. And, there is more hope. The new SAR form is designed to accommodate multiple types of industries. So, once you pick your industry, non-applicable sections will automatically grey-out.

What is new?

First, you have not unlearned how to count. FinCEN reorganized the new e-filing SAR form to facilitate auto populating certain other data, but they did not re-order the numbering for either the questions or the Part sections. For example, you still start with question #1, but then immediately jump to Part IV, question #82. Once you enter the Filing Institution Contact Information, additional data throughout the form will also auto populate. The new organizational order of the form is:

• Part IV - Filing Institution Contact Information (formerly Reporting Business);
• Part III - Information About Financial Institution Where Activity Occurred (formerly Transaction Location);
• Part I - Subject information;
• Part II - Suspicious Activity Information; and
• Part V - The Narrative.

The SAR data fields are sometimes referred to as “questions.” Certain questions are considered critical fields which must be answered and are identified by an asterisk (*). The first entry on the new SAR form, Type of Filing, will identify the kind of report that is being filed, whether it is an initial report or one to correct or amend a prior report, or is a continuing activity report. This is a critical information field.

Part IV is the section for the Filing Institution’s Contact Information. Information requested includes the institution’s primary regulator, the institution’s TIN, the type of institution, address, city, state and zip code, designated contact office information and law enforcement contact information.

Part III of the new SAR form is for information concerning the financial institution where the suspicious activity occurred. If the activity occurred at multiple branches or institutions, you must complete a Part III section for each branch or institution. Information requested includes the type of financial institution, the institution’s primary regulator, identification number, legal name, any alternate names, TINs, address, city, state and country. This data will automatically generate GEO codes, High Intensity Financial Crimes Area (“HIFCA”) codes, and High Intensity Drug Trafficking Area (“HIDTA”) codes for law enforcement use.

Part II Subject Information, like the old form, requires critical identifying information such as the Last and First names, the Middle names and any Suffixes, such as Sr. or Jr. for the subject of the suspicious activity report. However, new fields have been added. For example, if gender and alternate names are known, such information should be provided in the question section instead of the Narrative. Multiple entries for alternate names like a/k/a or a D/B/A information are allowed where the person or entity has more than one alternate name.

The new SAR form also asks for occupation or type of business using the North American Industry Classification System code (NAICS code), long used by businesses and government to standardize the classification of businesses, industries and entities. The new electronic SAR form will provide for a drop down menu to assist in completing this section.

The critical information for address, city, state and zip code are required. This information will generate data for law enforcement’s use by generating a GEO code based on the address and identifying the address as being in a HIFCA or HIDTA location.

Under Suspicious Activity Information, like the old form, the new form asks for the amount of money involved in this report and date or range of dates of the suspicious activity. A list of products and instrument types and a listing of categories of various suspicious activities is provided, and you are asked to check all that apply.

Part V is still allocated for the narrative description of the suspicious activity. This is a critical section of the SAR form and deserves the institution’s appropriate attention. Space is limited to 17,000 characters or approximately (5) single-spaced pages. FinCEN expects this space to be used by financial institutions to give an analytical explanation of the reasons for its suspicions, not just a recitation of facts.

FinCEN found that institutions often attach tabular data to the SAR narrative to assist in explaining the basis for their conclusion of suspicious activity. These attachments are not captured on the old electronic SAR form in a manner that can be easily accessed. Accordingly, on the new electronic SAR form, FinCEN will enable a reporting institution to attach one such tabular format document (Excel-type spreadsheets limited to 1 MB) to the narrative section of the new form. Attachments of this type are purely voluntary and for the purpose of assisting filers in their analytical presentation of the reasons for their suspicions. This ability to attach a spreadsheet type file is not intended to permit filers to add “supporting documentation,” as defined by the regulation, to the narrative. Indeed, FinCEN’s position on SARs is that the SAR is a lead-generating document only and is not intended to be direct evidence of the underlying events described in the SAR.

New Guidance

On March 29, 2012, FinCEN issued guidance with respect to the new SAR and CTR forms in response to several industry inquiries. Additionally, it recognized that it may need to develop further guidance as well as educational webinars. TriComply’s Compliance Calendar will also incorporate such information as it becomes available.

Characterizations of Suspicious Activity

To facilitate a more effective use of the information collected in SARs, additional data elements were added to the form. The intent is not to increase the burden on financial institutions or to change existing requirements or expectations. The additional data is to enable law enforcement to more quickly analyze the tens of thousands of filings received and to make filings for institutions easier, less time consuming and less costly. As always, institutions are expected to complete what they know (or later learn) and not to try to solve the case.

Critical fields

In a paper filing, if you didn’t know the information, you could leave the space on the form blank. Not so with data captured in an electronic filing; if something is unknown, you must check the box marked unknown. Similarly, where you could write out information on a paper form, electronic data capture now requires you to check off the appropriate information or complete the required field. So, if it has an *, be prepared to complete the information.

SAR Narrative

The SAR narrative will remain a critical component of the SAR filing. However, with the new suspicious activity reporting categories and the ability to attach a relevant spreadsheet, fewer characters were deemed necessary in the narrative section.

“Gender” Field

Item 4 in Part I of Subject Information of the new SAR asks for the gender of the suspect. Law enforcement feedback said gender information of the subject could be an important characteristic when inquiries are made. Due to potential conflicts with other regulations, FinCEN offered guidance. The use of the gender field is not mandatory; it is recommended if you know the gender of the suspect(s). In no event is the use of the gender field meant to impose a new requirement on financial institutions to manually or electronically collect gender information. FinCEN reminds financial institutions that the collection of gender information should not conflict with the financial institution’s obligations under any other applicable law.

NAICS Code

FinCEN reemphasized that financial institutions are only expected to provide that information for which they have direct knowledge and that an institution should not search or otherwise investigate for additional information when the occupation or business type is unknown, just because there is a NAICS code field.

Fields Related to Internet Presence

Certain new data elements related to the Internet presence of subjects and suspicious activity have been added. In particular, the e-mail, websites and/or URL address fields under Subject Information and IP address under suspicious activity are new. If you know the Internet presence of the subject or the suspicious activity, such information should be entered into the applicable fields, instead of written in the Narrative section.

Spreadsheet attachments

As previously mentioned, the new SAR form will accept a single, comma-separated value (CSV) spreadsheet-like attachment as part of the report. Such attachments will be considered part of the narrative and reference to the attachment should be made in the Narrative. But, in no event will the attachment serve as a substitute for the Narrative. No other document may be attached to the suspicious activity report form. All other supporting documentation must be retained at the financial institution in the supporting documentation file.

Meet TriComply

Katherine E. Timon is a Senior Compliance Advisor with the TriComply team. In these times of UDAAP scrutiny, Katherine brings to the team her expertise in prosecuting cases under Florida’s Unfair and Deceptive Trade Practices Act while serving as an Assistant Attorney General. She has 40 trial victories to her credit where she successfully defended clients, including the New York State Banking Department, the Department of Labor and the Department of Housing and Community Renewal, among others, in matters in state and federal court. For the past few years, Katherine has advised over 1,000 financial institutions on compliance related matters. Admitted to practice law in New York and Florida as well as before the US Supreme Court, Katherine received her Juris Doctorate degree from Brooklyn Law School and her Bachelor of Arts from Stony Brook University, NY.

On the Job

by Ryan Loftis

Katie Garlington | Compliance Officer | Calera, AL | Est 1916 | www.centralstatebank.com | Member FDIC

Since graduating from Auburn University with a degree in finance in December of 2003, Katie Garlington has dedicated her career to regulatory compliance in Alabama banking. Her experience includes 4 years as an auditor with Regions Financial Corporation in Birmingham and a stint as vice president and senior compliance officer at West Alabama Bank & Trust in Reform. In February of 2011, she joined Central State Bank in Calera as a compliance officer for the second time. Among her certifications are one from the ABA National Compliance School in 2006 and one from the ABA Graduate School of Compliance Risk Management in 2008.

In a recent conversation with Garlington, she discussed important facts about banking compliance, the skills and qualities necessary for a successful compliance officer and how stricter regulations have changed the way banks operate.

Q: Why did you start working in banking compliance?

A: I guess you could say that I lucked into banking compliance. I think most people that are in the compliance field would probably say the same. In my case, my entire career has been in banking compliance. When I graduated Auburn University, my first job was at Regions Financial Corporation in their Internal Audit Department. Regions is so large that the audit department is divided into specialized audit groups. I was placed in the compliance audit group.

Q: What skills and qualities do you feel are necessary for a successful compliance officer?

A: A successful compliance officer most importantly has to have and maintain a working knowledge of the regulations. In addition, they should have an understanding of the products and services offered and the regulatory impact. I think it is also being able to identify the risks and implement controls to mitigate the risk to the level management has set.

Q: What is your overall biggest challenge?

A: I would say juggling the time it takes to keep up with a constant stream of regulatory changes and the amount of work that goes with updating policies and procedures, implementing regulatory changes, training, etc. while also trying to maintain the appropriate amount of monitoring reviews.

Q: What tools do you use to help you accomplish your job?

A: There are a lot of tools out there. The regulatory agency websites (Federal Reserve, FDIC, OCC, FFIEC, CFPB), Federal Reserve Consumer Compliance Handbook, interagency guidelines, Consumer Compliance Outlook (FRB), Bankers Online, American Bankers Association (ABA). I am registered for free email notifications from most of these sites as well. TriComply is a great resource for a really reasonable price.

Q: How would you describe the greatest resource a compliance officer provides?

A: Providing management with the knowledge of what the risks are and helping to maintain the level of risk that management has set for the bank. A lot of it is damage control and being able to effectively implement regulatory requirements with the least amount of operational impact.

Q: What changes have you seen in the industry since you started?

A: The biggest change that I have seen in the industry with respect to banking compliance would be the level of importance the compliance officer role has become over time due to the amount of increased banking regulations. For a long time compliance was just a cost center for the larger banks and another “hat” at community banks, but now there are not enough of us out there to fill the demand.

Q: If you were in charge of the regulatory agencies, what changes would you make?

A: I would hire more bankers or ex-bankers to work within the agencies. These people know how a bank runs and how regulatory changes impact banking. You can know the regulations backwards and forwards, but if you have never worked in a bank, it is impossible to know the true impact of regulatory changes on a bank operational level.

implement regulatory requirements with the least Item 4 in Part I of Subject Information of the new SAR When I graduated Auburn University, my first job was at amount of operational impact. asks for the gender of the suspect. Law enforcement Regions Financial Corporation in their Internal Audit feedback said gender information of the subject could Department. Regions is so large that the audit Q: What changes have you seen in the industry since be an important characteristic when inquiries are department is divided into specialized audit groups. I you started? made. Due to potential conflicts with other regulations, was placed in the compliance audit group. FinCEN offered guidance. The use of the gender field is A: The biggest change that I have seen in the industry not mandatory; it is recommended if you know the Q: What skills and qualities do you feel are necessary with respect to banking compliance would be the level gender of the suspect(s). In no event is the use of the for a successful compliance officer? of importance the compliance officer role has become gender field meant to impose a new requirement on over time due to the amount of increased banking reg- financial institutions to manually or electronically collect A: A successful compliance officer most importantly ulations. For a long time compliance was just a cost Meet TriComply has to have and maintain a working knowledge of the gender information. FinCEN reminds financial institutions Katherine E. Timon is a Senior center for the larger banks and another “hat” at com- regulations. In addition, they should have an that the collection of gender information should not Compliance Advisor with the munity banks, but now there are not enough of us out understanding of the products and services offered conflict with the financial institution’s obligations under TriComply team. In these times there to fill the demand. and the regulatory impact. I think it is also being able to any other applicable law. 
of UDAAP scrutiny, Katherine identify the risks and implement controls to mitigate the brings to the team her expertise Q: If you were in charge of the regulatory agencies, risk to the level management has set. NAICS Code in prosecuting cases under Flori- what changes would you make? FinCEN reemphasized that financial institutions are only da’s Unfair and Deceptive Trade Q: What is your overall biggest challenge? expected to provide that information for which they Practices Act while serving as an A: I would hire more bankers or ex-bankers to work have direct knowledge and that an institution should Assistant Attorney General. She within the agencies. These people know how a bank A: I would say juggling the time it takes to keep up with not search or otherwise investigate for additional has 40 trial victories to her credit runs and how regulatory changes impact banking. You a constant stream of regulatory changes and the information when the occupation or business type is where she successfully defended clients, including the New York can know the regulations backwards and forwards, but amount of work that goes with updating policies and unknown, just because there is a NAICS code field. State Banking Department, the Department of Labor and the De- if you have never worked in a bank, it is impossible to procedures, implementing regulatory changes, training, partment of Housing and Community Renewal, among others, in know the true impact of regulatory changes on a bank etc. while also trying to maintain the appropriate Fields Related to Internet Presence matters in state and federal court. For the past few years, Katherine operational level. amount of monitoring reviews. Certain new data elements related to the Internet has advised over 1,000 financial institutions on compliance related presence of subjects and suspicious activity have been matters. Admitted to practice law in New York and Florida as well Q: What tools do you use to help you accomplish your added. 
In particular, the e-mail, websites and/or URL as before the US Supreme Court, Katherine received her Juris Doc- job? address fields under Subject Information and IP address torate degree from Brooklyn Law School and her Bachelor of Arts under suspicious activity are new. If you know the from Stony Brook University, NY. Internet presence of the subject or the suspicious A: There are a lot of tools out there. The regulatory

The Four Pillars of BSA
by Leah M. Hamilton

To ensure compliance with the Bank Secrecy Act (BSA) and its implementing regulations, a financial institution must have a BSA Program that consists of:
• Internal controls;
• Independent testing;
• A specifically designated BSA officer; and
• Ongoing training for appropriate staff.

These are often referred to as the four pillars. To support these pillars, a foundation is also required - a customer identification program (CIP).

Internal controls are those policies, procedures and processes that an institution implements to control and mitigate its risk and to achieve compliance with the BSA. Internal controls should be commensurate with the size, structure, risks, and complexity of the institution.

Independent testing does not mean you have to hire a third-party to audit your BSA/AML program areas. What it does mean is that it must be performed by a person (or persons) who are not involved with the institution’s BSA/AML compliance staff. Additionally, independent refers to whether or not such persons report directly to the Board of Directors or its designated committee that consists primarily of outside directors, if at all. Most community institutions do not have a separate audit staff, and thus, farm out the work to third parties. The audit should be comprehensive, accurate, adequate and timely. Best practice is an annual independent audit, but in no event should the review cycle exceed 18 months. If you are under any type of a BSA order, a more frequent review may be appropriate.

The BSA Officer must be appointed by the Board of Directors and is responsible for the overall BSA/AML program. That does not mean such person does all of the work, but like any other manager, is responsible to ensure all of it gets done. The BSA officer must be empowered with the necessary authority and resources to effectively execute all applicable duties. When designating the BSA Officer and staff, the Board of Directors is responsible for ensuring that they have the necessary competency and have no conflicts of interest.

Training is the fourth pillar of an effective BSA Program. Training need not be formal conference training, but it must be comprehensive to adequately train staff at employment and annually thereafter. Ongoing training should also be provided, which may occur during staff meetings, webinars, brown bag lunches, or one-on-one situations. The key is to use appropriate training as may be necessary and conducive to your audience to keep staff informed of ongoing regulatory changes and any issued bulletins. Federal record-keeping of BSA training must be maintained, including attendance records and copies of materials.

The Customer Identification Program (CIP), often referred to as the fifth pillar, is the foundation for any effective BSA Program as a customer or member may pose a great risk for BSA violations. All financial institutions are required to have a board approved, written CIP to enable staff to form a reasonable belief that the institution knows the true identity of its customer or member. With the increase of identity theft, it has never been more essential that an institution know its customer or member. At a minimum, generally, the institution must obtain from each customer or member before opening the account, the name, date of birth (for individual), address, and an identification number. The CIP must include risk-based procedures for verifying identity. Although it need not establish the accuracy of every element of the identification information, identity must be verified with enough information to form a reasonable belief that you know the true identity of your customer or member.

This is a very high-level view of the key components of the BSA Program. To ensure compliance with the regulations and examiner expectations, each institution should perform its own thorough BSA Program review.

A BSA Program Review template based on the 2010 FFIEC BSA Examination Manual is available to TriComply Members at no additional cost. For non-members, it is available for $99. Please call 205.991.5636 or email [email protected] for details.

RMLOs No Longer Exempt from Mandatory BSA Requirements
by Leah M. Hamilton

The 10-year reprieve from mandatory Anti-money Laundering (AML) Programs and suspicious activity reporting (SAR) is soon to end for certain loan and finance companies. Generally, the final rule is intended to cover initial purchase money loans and traditional refinancing transactions facilitated by residential mortgage lenders (RMLOs). Non-bank RMLOs, which are generally known as “mortgage companies” and “mortgage brokers” in the residential mortgage business sector, are a significant subset of the “loan or finance company” category, in terms of the number of businesses and the aggregate volume and value of transactions they facilitate.

A closer look at the definition of a residential mortgage originator is essential as it changed significantly from the proposed definition which initially corresponded with the SAFE Act. A residential mortgage originator is a person who accepts a residential mortgage loan application or offers or negotiates terms of a residential mortgage loan. In addition, the rule will apply to residential mortgage originators, regardless of whether they receive compensation or gain for acting in that capacity. FinCEN deliberately expanded the definition with just a few simple word changes in order to cast a wide net, with few exceptions.

Exempt from the definition of RMLO is any government sponsored enterprise (GSE) regulated by the Federal Housing Finance Agency. GSEs have an established procedure for reporting suspicious activity to the FHFA, which then reports the suspicious activity to FinCEN. Additionally, as long as a mortgage servicer does not extend residential mortgage loans or offer or negotiate the terms of a residential mortgage loan application, it will not fall under the definition of residential mortgage loan originator. The final rule does not contemplate coverage of an individual employed by a loan or finance company or financial institution and provides an exception for individuals financing the sale of their own real estate. For example, individuals employed by a loan or finance company that would not be subject to the rule include administrative assistants and office clerks who gather documents, review land records and complete forms on behalf of a lender or originator.

RMLOs will be required to have a senior management approved AML Program in place, which must include, at a minimum, the four pillars: (1) the development of internal policies, procedures, and controls; (2) the designation of a compliance officer; (3) an ongoing employee training program; and (4) an independent audit function to test programs. Each loan or finance company is required to develop and implement an anti-money laundering program reasonably designed to prevent the loan or finance company from being used to facilitate money laundering or the financing of terrorist activities.

The new SAR form has been designed with loan and finance companies in mind. Although most have voluntarily filed SARs in the past, RMLOs will now be subject to mandatory reporting requirements.

With an effective date of April 16, 2012, and a mandatory compliance date of August 13, 2012, RMLOs will surely be in a scurry to ensure their operational policies, procedures and processes will pass muster under the new regulatory requirements for an AML Program and SAR reporting. A loan or finance company will be required to make a copy of its AML Program available to FinCEN or its designee upon request. Compliance will be examined by FinCEN or its delegates in accordance with the BSA.

Meet TriComply
Leah M. Hamilton is the Director of TriComply Services with TriNovus. She has more than 17 years of experience in the financial services industry. Leah is one of the nation’s sought after compliance instructors and consultants. She brings her passion for compliance and real world stories to engage the audience and offer levity to very tough topics. As a compliance expert, Leah has served as the lead compliance consultant and advisor on several consent order remediation engagements, focusing on Consumer Compliance and BSA/AML. A licensed attorney for more than 10 years, Leah received her Juris Doctorate from Northern Illinois University College of Law, and her Bachelor of Arts in General Studies degree from the University of Texas at Dallas where she majored in law and minored in business management.

Who Are You Required To Identify?
by Blair Rugh

Section 326 of the USA PATRIOT Act mandates that the federal bank regulatory agencies establish regulations requiring all U.S. financial institutions subject to their control have formal programs for verifying the identity of their customers. The rules became mandatory on October 1, 2003. The customer identification program (CIP) must be a component of the institution’s overall Bank Secrecy Act program and must be approved by the institution’s Board of Directors. The CIP is intended to enable the institution to form a reasonable belief that it knows the true identity of each customer.

For the purpose of CIP, a customer is a person who is the owner of an account with the institution. An account is a formal relationship that is anticipated to have a duration in time, such as a deposit account, a credit arrangement, a safe deposit box lease or the provision of cash management, custodian or trust services. Single isolated transactions such as cashing a check, the sale of a money order or cashier’s check, a wire transfer or the use of an ATM, do not create a customer relationship, although their use by a person may be frequent. An institution’s CIP should be completed on a customer before an account relationship is opened; however, it may be completed after the account is opened provided that all transactions in the account are restricted until the identification process is completed.

You are not required to identify the owners of accounts that you acquire by either merger or acquisition as your relationship was not initiated by the customer. If, however, you open an additional account for a customer whose relationship you acquired and have not previously identified, then, you must identify the customer at that time. There is an exemption from identification for financial institutions regulated by federal or state agencies and for publicly traded companies listed on the New York or American stock exchanges, or in the NASDAQ National Market System (except for small-capitalization segment).

Often the question arises, “Who is your customer?” Your customer is the account owner. If there are multiple owners of an account, then, all of the owners are your customer, and all must be identified. If the person who applies to open an account with you is an individual, the determination is easy. The individual is or will become your customer. On the other hand, if your customer is a juridical entity, that is an organization created by law, sometimes the determination of who is your customer is more difficult.

If the account owner is a corporation, the corporation is your customer. You are required to identify the corporation, but you are not required to identify persons that are associated with the corporation such as the stockholders, directors, officers or the signers on the account. Some institutions require the identification of the stockholders or other persons affiliated in some way with closely held corporations that are their customers. That is certainly permissible, but it is not required. Similarly, if the owner of your account is a limited liability company or a limited partnership, the limited liability company or limited partnership is your customer and is the only entity or person that must be identified.

If your customer is a partnership, it is the entity that must be identified. Frequently, two or more persons may form a partnership where there is no written partnership agreement; therefore, no way to identify the partnership. In that event, you identify the individual partners.

If your account owner is a trust, you identify the trust. The settlor of the trust, the trustees and the beneficiaries are not your customers, and there is no requirement that you identify them. In my opinion, there is an exception to that when your customer is a revocable trust. In that case, there is such a close relationship between the settlors of the trust and the trust because the settlors may revoke the trust at any time and become the account owners. I believe that the better policy is to also identify the settlors of the trust. If the owner of your account is an unincorporated association such as the Thursday Night Guy’s Bowling, Beer and Belch club, then, you identify the person opening the account.

Lastly, there is the scenario where you have known an individual forever, such as a relative or long standing community member, but neither has been a customer of your institution. You must still apply your CIP to these individuals when they become your customer.

Once you have put a customer through your Customer Identification Program and have identified the customer, if the customer opens additional accounts, there is no requirement that you identify the customer again as long as you have a reasonable belief that you know the true identity of your customer.

CIP should not be confused with obtaining identification for other BSA purposes such as wires, monetary instruments, CTRs, SARs, and other required transaction reporting. In those transactions, you must obtain, verify or maintain the necessary identification of the conductor, beneficiary, originator, etc. as applicable to the account or transaction.

Meet TriComply
Blair Rugh is one of the preeminent experts on United States banking laws and regulations. He has authored compliance manuals recognized by the banking industry as the definitive treatise on banking law and regulation. He has extensive experience as a speaker to bankers’ associations and has written numerous articles published in banking journals. With more than 20 years experience in commercial and investment banking, Mr. Rugh’s background includes a Bachelor of Science degree in chemical engineering from the University of Kansas as well as a juris doctor degree from Southern Methodist University Law School.

To Report or Not to Report? That is the Question
by Alison Hawkins

We have all been there, you have completed your investigation from the teller’s report of suspicious activity; yet, you are still completely puzzled as to what in the world this customer could be doing. The activity looks suspicious at a quick glance, but you have at least three ideas for situations that would justify the activity. You have spoken with the relationship officer and received the standard, “Oh, no way, he is a good customer.” Or “I have banked him for 25 years. He is a good business man and we go to church together.” And my personal favorite, “He brings donuts in every Friday morning for everyone.” So now what? Do I file or not?

Unfortunately, providing an endless supply of donuts does not make someone a good customer. Donuts tend to make hungry employees look the other way. Most of us have seen stable, even highly profitable, long term customer relationships take a turn for the worse in this economy. Business owners you would not have worried about in a million years are considering the unthinkable to keep their business alive another quarter. It happens on both sides of the fence, the deposit side and the lending side alike. A few donuts to hide some kiting or to stop the loan officer from asking “how’s business” could be well worth it for a customer in trouble.

So, what do you do when you are faced with a situation where you are unsure of whether or not to report? When in doubt, fill it out. That is my motto for suspicious or unusual activity. (Of course, with the mandatory e-filing deadline of July 1st for BSA forms fast approaching, I will have to change that to type it out.) We tend to think of a parade of red flags with alarms going off when we think of SARs. The trouble we have is when the activity is only sounding that alarm in the pit of our stomach. What you thought was just a little indigestion after lunch, may actually be the missing piece in an FBI investigation.

No one wants to file a SAR on someone that is completely innocent, but how far must you go to prove your case? Sometimes we misinterpret our responsibility to investigate when determining whether or not to file a SAR. Keep in mind, the SAR is merely a report of suspicious activity. As much as I think I would enjoy being a criminal investigator, that isn’t our job. We are not the police, and we do not have to solve the case in order to determine the activity is reportable.

In performing your investigation, keep in mind to watch for the little things. Search the internet for the names of companies to which checks or wires are sent. Ask the question that no one wants to hear the answer to: when was the last time you checked out the collateral? Verify signatures when lending documents are allowed to be signed outside of the bank. (Come on... we all know it happens, you don’t have to allow it, but put a control in place to protect your institution just in case.) Have someone investigate the store front; are they functioning as an unlicensed MSB? Are they kiting or structuring? Are there signs of identity theft or fraud?

In some cases, you may want to flag the account and continue to watch it closely for another week or two. But, in most cases, if you have that little feeling in the pit of your stomach that something just doesn’t feel right - file the SAR. You can certainly amend it later to add additional facts that appeared after submission. And, sometimes it helps to talk it out. It always seems there is more to the story when you start discussing it, strictly confidential, of course. For our members, our team of experts is here to help you with those quirky situations.

Oh, and the donut guy took the institution for a half a million in a sticky lending scam.

8 TriComply Financial Compliance Journal | Pg 17 Are You Ready For The New e-Filing by Andrea Guillon one that I would not normally be The first problem with filing SARs under suspicious Requirements? expected to engage in. I have had circumstances is that what is suspicious is very subjective. FinCEN has taken a leap into the them at this time. So, where does response. Unfortunately, if your insti- my account for probably 40 years, What one person thinks is suspicious another may not. 21st Century by requiring e-filing on that leave your institution? Alas, tution hasn’t done so by now, it is and I don’t believe that I have ever The second problem is that the examiners can look at it most of its prevalent forms. In the in- don’t fret, there is some saving too late; so, get cracking! made a cash deposit. The first time I in perfect hindsight. An institution determined that the terest of saving all involved time grace (or should we say “was”) for do it, it probably does not rise to the activity was not suspicious and did not file a SAR. The and money, the two most common some institutions. If your institution is not currently regis- level of something that should be customer was subsequently arrested for money forms—the Suspicious Activity Re- tered for e-filing through FinCEN, it reported. If I continue to do it, then laundering. Also, just because law enforcement is aware ports (SARs) and the Currency Trans- FinCEN issued notification of three can do so by applying for a user ID either the bank would have to ask of the criminal activity is no reason for not filing a SAR. action Reports (CTRs)—are required categories for possible exemption and password on the BSA E-Filing me where the money was coming There was a case in Alabama where a person was to be submitted by e-filing, rather from these requirements on Febru- System website: http://bsaefiling.fin- from and determine a legitimate embezzling money from the company for which he than paper, starting July 1, 2012. 
ary 24, 2012; institutions had 30 days cen.treas.gov/main.html. After re- purpose for it or file a suspicious worked. He was arrested and committed suicide. The from that date to apply for an ex- ceipt of these items, the system can activity report. bank where he was depositing the embezzled funds felt Institutions are also encouraged to emption. The categories for hard- be securely accessed and e-filing that because law enforcement was already involved file other forms, such as the Reports ship exemptions given were Money can begin—please contain your ex- I don’t know how many times a and the person was dead there was no reason to file a of Foreign Bank and Financial Ac- Services Businesses (MSBs) and/or citement. Detailed instructions for e- banker has called me, described an SAR. Bad decision. counts (FBARs) electronically as small credit unions that lack internet filing are available through the FAQs activity or a pattern of activity on soon as possible; however, this form access and file a limited number of at http://bsaefiling.fincen.treas.gov/ the part of a customer, and asked The BSA requires employee training. Part of that should may still be submitted by paper until reports, and financial institutions FAQs.html. whether or not I thought it was be for front line personnel regarding the types of June 30, 2013. Additionally, special who utilize batch software requiring suspicious. My response normally is transactions that might be suspicious. There should be a exceptions have been made for the a major system conversion or other In addition to the forms listed above, that I don’t know the customer or person or a committee of people in each institution who Currency and Money Instrument Re- extraordinary circumstances. the following forms are currently eli- the situation, but if the activity was determine whether a SAR should be reported. 
All ports (CMIRs) and Form 8300 (Re- gible for electronic filing: sufficient for the banker to call me to employees should be trained to report to that person or ports of Cash Payment Over $10,000 If extra time is needed by these insti- get my opinion, then, obviously the committee all transactions or conduct that have any Received in a Trade or Business.) tutions to prepare for the change, •Designation of Exempt Person (Fin- banker was suspicious, which means potential of being suspicious. Then, the person or the Due to the nature of those reports, they were required to affirmatively CEN Form 110) a SAR probably should be filed. committee can investigate and make the correct e-filing will not be mandated for request an extension and await a •SAR by the Securities and Futures decision regarding filing.


SAR: When Is An Activity Suspicious?
by Blair Rugh

It seems like every regulatory requirement has its season: 20 years ago, it was CRA; 10 years ago, it was the Bank Secrecy Act; today, it is Dodd Frank or one of its offspring. BSA compliance is no less important today than it was 10 years ago, but because it is no longer a front burner item, some financial institutions are not as diligent in detecting suspicious activity as they once were.

Under the Bank Secrecy Act, financial institutions are required to report:

* Criminal violations involving insider abuse in any amount;
* Criminal violations aggregating $25,000 or more when a suspect can be identified;
* Criminal violations aggregating $25,000 or more regardless of a potential suspect; and
* Transactions conducted or attempted by, at, or through the institution and aggregating $5000 or more, if the institution or affiliate knows, suspects, or has reason to suspect that the transaction:
** May involve potential money laundering or other illegal activity;
** Is designed to evade the BSA or its implementing regulations; or
** Has no business or apparent lawful purpose or is not the type of transaction that the particular customer would normally be expected to engage in, and the bank knows of no reasonable explanation for the transaction after examining the available facts, including the background and possible purpose of the transaction.

One of the most frequent violations is the customer who is aware of the CTR reporting requirements but not SAR reporting. To avoid having a CTR filed, the customer makes one or frequent cash deposits under the $10,000 CTR reporting level. Most banking automation systems will detect that pattern. The more difficult situation is a transaction or a series of transactions that are not of the type that the customer would normally be expected to engage in and for which the bank is not aware of any business purpose. For example, if I were to deposit a significant amount of cash into my account at my bank, it would certainly be out of the ordinary and

Industries (FinCEN Form 101)
•SAR by MSBs (FinCEN Form 109)
•SAR by Casinos and Card Clubs (FinCEN Form 102)
•CTR by Casinos (FinCEN Form 103)
•Registration of MSBs (FinCEN Form 107)

Meet TriComply
Andrea Gullion is a Senior Compliance Advisor at TriComply Services. With more than 12 years of experience in banking, Andrea is a former Compliance and CRA Officer for a large community bank. She has advised on fair lending matters referred to the DOJ and assisted in compliance remediation efforts. Andrea is also a licensed attorney in the state of Alabama, where she has practiced real estate law at a large firm in Huntsville, Alabama. She has extensive compliance experience as well as vast legal knowledge of the compliance industry. Andrea received both her Juris Doctor of Law and Bachelor of Science in Commerce and Business Administration from the University of Alabama, Tuscaloosa.

When Two Are One
continued from page 5

•Does one corporation supply goods or services to the other?
•Does one corporation make payments to third parties on behalf of the other?

Again, no single factor is determinative. The fact that both corporations are in the same business does not, in and of itself, mean that they are not being operated separately and independently. It is the intensity of the mutual relationships that is the determining factor; unfortunately, that is a subjective decision. Because of that, we recommend that institutions be somewhat aggressive in aggregation determinations. In this circumstance, you will not be criticized for filing a CTR when it was not required, but you will be criticized if the examiner thinks that the transactions should have been aggregated and you did not file.

The new guidance reiterated the requirement to aggregate transactions when they are done by the same person. Thus, if an employee of Company A makes a deposit for Company A and a deposit for Company B, they must be aggregated to determine whether or not a CTR should be filed. Also, if a customer owns several businesses that are not incorporated, then, their accounts are the accounts of the customer, and their transactions must be aggregated.

One final interesting issue that the new guidance raises is when a corporation owned by a customer pays a significant number of personal expenses of the customer. For example, the corporation may own the home the owner lives in, the car that the owner drives and may pay some of the owner’s personal expenses. In those circumstances, the owner of the corporation and the corporation may not be operating separately and independently and the owner’s cash transactions should be aggregated with that of the corporation.

A Formal CDD Rule on Its Way?

Despite the obligation of customer due diligence (CDD) implicit in BSA requirements, FinCEN believes that issuing an express CDD rule that requires financial institutions to perform CDD, including an obligation to categorically obtain beneficial ownership information, may be necessary to protect the US financial system from criminal abuse and to guard against terrorist financing, money laundering and other financial crimes. The initial rules would cover banks, brokers or dealers in securities, mutual funds, futures commission merchants, and introducing brokers in commodities. Consideration will be given for extending such a rule to other financial institutions in the future. Accordingly, FinCEN issued an Advance Notice of Proposed Rule Making (ANPRM), with a comment closing period of May 5, 2012.

Meet TriComply
Alison Hawkins is Vice President of TriComply Services. During her 16 plus years in banking, Alison has served as a Compliance Officer, BSA Officer, and a Certified Bank Auditor for large financial institutions as well as community banks, including a de novo where she developed and implemented the compliance program. As a compliance consultant, she has served as the lead consultant for a $9 billion bank fair lending review and has successfully assisted institutions with BSA remediation efforts resulting in releases from regulatory agency orders. Alison received her Bachelor of Science in Commerce and Business Administration at the University of Alabama, Tuscaloosa.

Let’s Explore
BSA: When Are Two Customers One?
Aggregating Transactions for CTRs
by Blair Rugh

Sometimes under the BSA rules, an institution must aggregate the cash transactions of two separately incorporated customers for the purpose of CTR reporting if the separate customers have common ownership and a level of joint operations. In 2001, FinCEN issued FinCEN Ruling 2001-2 describing one circumstance when transactions of separate customers should be aggregated. Recently, FinCEN issued a guidance expanding upon its prior direction (FIN-2012-G001).

FinCEN’s regulations implementing the Bank Secrecy Act (“BSA”) require financial institutions to aggregate multiple currency transactions “if the financial institution has knowledge that [the multiple transactions] are by or on behalf of any person and result in either cash in or cash out totaling more than $10,000 during any one business day.” The issue, therefore, is when transactions are conducted through the accounts of separate corporations by or on behalf of one person. Frequently, an institution may have an individual or a group of individuals that are the owners of separately incorporated businesses with separate taxpayer identification numbers. The aggregation question depends on whether the businesses are run independently of one another or whether in fact they are operated as a single business. There is a presumption that separately incorporated entities are independent persons, but that presumption is rebuttable.

For example, assume that your customer Mr. Jones owns three separate corporations, corporations A, B and C, and each corporation owns a hamburger stand in your community. Corporation A orders all of the supplies for all three corporations and pays the payroll for all three corporations. Employees of one of the corporations often work at the hamburger stand owned by one of the other corporations. Frequently, funds are transferred between the accounts of the three corporations and the account of each acts as overdraft protection for the other two. They jointly advertise the three hamburger stands. Clearly, in this case, the three corporations are being operated as one business and the BSA rules require that their transactions be aggregated for CTR filing purposes.

On the other hand, assume that Corporation A owns a hamburger stand, Corporation B owns an automobile dealership and Corporation C owns a dairy farm. Each business is run totally independent of the others. Each has its own employees and payroll. There is no transfer of funds between the three corporations. Even though the three corporations are all owned by Mr. Jones, they operate independently and their transactions should not be aggregated. Unfortunately, most cases are not as clear cut as these two.

There is no single issue that is determinative of whether two or more separate businesses are being operated in a manner that makes them something other than separate and independent. The following are factors that should be considered in making a determination:

•Do the corporations have joint employees?
•Do the corporations have separate payroll accounts?
•Are the two corporations in the same business?
•Are there fund transfers between the accounts of the two corporations?
•Do the corporations operate out of the same premises?

continued on page 19

COMPLIANCE Q&A
Every issue features actual questions asked by real compliance officers just like you from across the nation.

Q. Can you provide some guidance as to exactly what topics need to be discussed in a BSA AML OFAC risk assessment? I have one but I am having FDIC examiners and want to be sure it’s correct/complete.

A. A basic model can be found in the 2010 FFIEC BSA Exam Manual for BSA and OFAC (Appendix J and M). You will want to address your institution’s high risk areas with respect to those areas and any high risk customer types and/or products and services

Q. Is our bank responsible for the OFAC screening for the originator of a domestic ACH or does that fall to the originating institution?

A. With respect to domestic ACH transactions, the ODFI is responsible for verifying that the Originator is not a blocked party and making a good faith effort to ascertain that the Originator is not transmitting blocked funds. The RDFI similarly is responsible for verifying that the Receiver is not a blocked party. In this way, the ODFI and the RDFI are relying on each other for compliance with OFAC regulations.

Q. If we have an MSB that is a loan customer only, are we still required to adhere to the same due diligence requirements that apply to MSBs that have a deposit relationship with us?

A. Yes, you should follow your MSB requirements for all account types. The guidance available for institutions servicing MSBs refers to “accounts”. This would include both loan and deposit relationships. Also consider the fact that the loan account could be used for operational funding and keep a check on what items are being provided in their monthly payments. If your MSB isn’t registered and in compliance with the BSA requirements, your credit could be at risk with respect to repayment.

Q. If our deposit customer is a property management company and they routinely accept rental payments in the form of traveler’s checks or money orders (sometimes in excess of $1,000 from one tenant in one day), is the company considered to be a Money Service Business, as far as BSA is concerned?

A. No, they would not be considered an MSB if they are only accepting the items as rental payments. This was mentioned in the section analysis of the Final Rule issued on 7/21/2011 clarifying the definitions related to MSBs. (specifically page 43591 footnote 46)

Q. We have a convenience store customer that has a tax id number for his corporation and another tax id number for his dba. When completing a SAR which tax id number should I use? This is a repetitive SAR (every 90 days) and I just realized the dba had its own TIN. The past 3 SARs I have used the corporation TIN. Can I put the dba’s TIN in the narrative?

A. You may need to complete two different Part II forms. You would need one for the corporation and another for the dba.

Q. We have a member who has provided their account number to individuals that are not signers on the account for them to be able to e-file and have their tax return funds come into our member’s account. Since they are not signers, we do not have any information on these individuals. Can our member give their account number out and does the IRS allow them to place the funds in an account for which they are not a signer? Doesn’t the originator have some liability there?

A. No, the IRS does not allow this type of activity. This also poses great risk on your institution with respect to fraud and BSA requirements. You should check the name against the OFAC list, inform your member that your institution does not allow this type of activity nor does the IRS. You should also review the activity and consider a SAR. A similar scenario was included in an IRS FAQ document. http://www.irs.gov/individuals/article/0,,id=164570,00.html

Q. Regarding direct deposit of someone’s tax refund into an account that does not bear their name, we don’t really know there is a name/acct# discrepancy unless the account number is incorrect and unposts or rejects. Are we still responsible for the funds coming into a valid account number and posting? Do we have to police every deposit coming in to ensure the name and account number match?

A. The taxpayer should follow the IRS rules regarding the direct deposit of their refund check. However, many of them don’t know the rules or don’t care. Therefore, the bank should implement prudent procedures to discourage or prohibit this activity. As stated in the previous Q&A, implement your suspicious activity monitoring process for these types of situations.

You do not have to police your system for this as many systems do not provide for a means of matching the names and account numbers before accepting the transaction. However, if you notice this type of activity, then, you should monitor the account(s) to watch for suspicious activity. Typically, your tellers are going to notice this when the funds are withdrawn. The institutions that have mentioned this activity seem to be noticing 4 different postings coming into the same account and are unable to link the tax payer to the account holder in any way. If you see or your teller reports this activity, I recommend adding the account(s) to your high risk monitoring list, and, if necessary, complete a SAR.

Q. If a new customer opens a loan account and this customer is a corporation, we CIP the corporation. Correct? What if there is also a personal guarantee by the owners of the corporation to secure a loan? For example, John and Sam Doe are the principals for Doe & Doe Enterprises, Inc. If John and Sam both personally endorse the loan as well, we would need to CIP those individuals, correct?

A. Correct, your “customer” is the corporation. Your bank should have written CIP procedures to address situations where the “customer” is not an individual and through your documentary and non-documentary verification methods you cannot reasonably verify the identity of the “customer.” In those cases, your procedures should reference obtaining information on those individuals with authority or control over the account, including signatories. Many institutions complete the CIP process on all signers of closely held corporations, such as the one you mentioned. In these cases, institutions may find verifying the true identity of the corporation difficult and, in turn, verify those with authority or control over the account.

In cases where the account is a loan with a personal guarantee, the guarantors are not considered your “customer” for purposes of CIP; they do not have an “account” with you as you are not offering them a product or service. However, you may have a tough time during your safety and soundness exam explaining why you didn’t verify your guarantor. In many cases where the loan must be supported by a personal guarantee, it is typical that the bank’s CIP procedures required it as well due to the difficulty in identifying the “corporation” as mentioned above.

Q. Under the wire transfer regulations related to BSA/AML, is there a requirement to keep a paper record or any record for that matter of any in-house transfer (inside the institution, i.e. from account to account at the same bank) of $3,000 or more where ownership of the funds is lost or transferred to another individual or entity (business)?

For example, if a husband and wife own a joint account and funds are transferred on-line to an account held only in the husband’s name. Is there a requirement under BSA to maintain a record (specifically a manual paper record) of said transfer, since ownership of funds was lost by the joint account?

How about if the transfer involves a transfer of funds from one business account to another business account at the Bank, with the owner of both accounts being the same person?

A. These would both meet the description for the exception under 31 CFR 103.33(e)(6).

Funds transfers where both the originator and the beneficiary are the same person and the originator’s bank and the beneficiary’s bank are the same bank are not subject to the record keeping requirements for funds transfers.

There is also an exception for the record keeping requirements for the funds transfer when the originating bank is also the beneficiary bank.

Q. How would we document a customer identity on our CIP form if our borrower (VA on active duty in Afghanistan now) is not here? His wife has POA documentation and will be signing documentation on his behalf and we will do an “Alive and Well” statement at closing.

A. This will actually go back to your institution’s specific procedures, so check your BSA policy. As you know, the customer is actually the owner of the account. Therefore, you may have to do some of this long distance (via phone or email). You will likely have to use non-documentary methods. BSA says:

(B) Verification through non-documentary methods. For a bank relying on non-documentary methods, the CIP must contain procedures that describe the non-documentary methods the bank will use.
(1) These methods may include contacting a customer; independently verifying the customer’s identity through the comparison of information provided by the customer with information obtained from a consumer reporting agency, public database, or other source; checking references with other financial institutions; and obtaining a financial statement.
(2) The bank’s non-documentary procedures must address situations where an individual is unable to present an unexpired government-issued identification document that bears a photograph or similar safeguard; the bank is not familiar with the documents presented; the account is opened without obtaining documents; the customer opens the account without appearing in person at the bank; and where the bank is otherwise presented with circumstances that increase the risk that the bank will be unable to verify the true identity of a customer through documents.
(C) Additional verification for certain customers. The CIP must address situations where, based on the bank’s risk assessment of a new account opened by a customer that is not an individual, the bank will obtain information about individuals with authority or control over such account, including signatories, in order to verify the customer’s identity. This verification method applies only when the bank cannot verify the customer’s true identity using the verification methods described in paragraphs (b)(2)(ii)(A) and (B) of this section.
(iii) Lack of verification. The CIP must include procedures for responding to circumstances in which the bank cannot form a reasonable belief that it knows the true identity of a customer.

Q. What are the requirements that are necessary to become a BSA officer?

A. There are no hard and fast rules for becoming a BSA officer, and there is no required credential to become a BSA officer. I have included an excerpt detailing the responsibilities and duties of the BSA officer from the online BSA Manual located at the FFIEC.gov website. It will give you a good idea of what is required to become a BSA officer.

BSA Compliance Officer

The bank’s board of directors must designate a qualified individual to serve as the BSA compliance officer. The BSA compliance officer is responsible for coordinating and monitoring day-to-day BSA/AML compliance. The BSA compliance officer is also charged with managing all aspects of the BSA/AML compliance program and with managing the bank’s adherence to the BSA and its implementing regulations; however, the board of directors is ultimately responsible for the bank’s BSA/AML compliance.

While the title of the individual responsible for overall BSA/AML compliance is not important, his or her level of authority and responsibility within the bank is critical. The BSA compliance officer may delegate BSA/AML duties to other employees, but the officer should be responsible for overall BSA/AML compliance. The board of directors is responsible for ensuring that the BSA compliance officer has sufficient authority and resources (monetary, physical, and personnel) to administer an effective BSA/AML compliance program based on the bank’s risk profile.

The BSA compliance officer should be fully knowledgeable of the BSA and all related regulations. The BSA compliance officer should also understand the bank’s products, services, customers, entities, and geographic locations, and the potential money laundering and terrorist financing risks associated with those activities. The appointment of a BSA compliance officer is not sufficient to meet the regulatory requirement if that person does not have the expertise, authority, or time to satisfactorily complete the job.

The line of communication should allow the BSA compliance officer to regularly apprise the board of directors and senior management of ongoing compliance with the BSA. Pertinent BSA-related information, including the reporting of SARs filed with FinCEN, should be reported to the board of directors or an appropriate board committee so that these individuals can make informed decisions about overall BSA/AML compliance. The BSA compliance officer is responsible for carrying out the direction of the board and ensuring that employees adhere to the bank’s BSA/AML policies, procedures, and processes.

Every day the TriComply staff answers hundreds of questions just like these from people just like you! If you are interested in subscribing to TriComply, visit www.trinovus.com/tricomply, email [email protected] or call 205.9915636.

Meet TriComply
Cindy LeBlanc is a Senior Compliance Advisor with TriNovus’ TriComply Services team. Her 29-year career has focused on Compliance and Risk Management, Audit, Training and Consulting. Cindy has successfully managed compliance programs and exams for institutions supervised by the OCC, FDIC, State of Missouri and NCUA. She is a CRCM (Certified Regulatory Compliance Manager), a CUCE (Credit Union Compliance Expert) and a former OCC Compliance Examiner. Cindy has provided compliance services to community banks across Louisiana, Mississippi, Missouri and Alabama and credit unions in Louisiana. She has provided training for bank and credit union Boards of Directors, various community outreach programs, and high school financial education seminars.

From the EDITOR

Dear Reader:

Welcome to the third edition of the TRICOMPLY FINANCIAL COMPLIANCE JOURNAL. In this issue, we have focused on the Bank Secrecy Act and its related requirements. It seems like every regulation hits a zenith. Then, it fades into its place with all of the other regulations. The Bank Secrecy Act is somewhat the same.

I can remember several years ago when it was the hottest topic in banking. It seemed like every compliance consulting group was holding a seminar every day on BSA. Now its importance has somewhat faded, unless your institution was just tagged with a BSA violation. If that happens, you will quickly find out how important BSA compliance is. We hope that the articles in this issue will assist you in strengthening and implementing your BSA program. You can also use this edition of the journal as part of your annual BSA training program.

We are very grateful for all of the financial institutions that have subscribed to our TriComply service, and we appreciate that they have placed their confidence in us. Our commitment is to provide a service that exceeds the expectations of our customers. Our growth has been much more rapid than we anticipated and that has caused us to have a few hiccups. We realize that and have taken the steps necessary to assure that our service is the best in the industry. We continue to add to our staff the best compliance professionals that we can find to support your growing needs. If your institution does not presently subscribe to TriComply, we hope you will give us a try.

Sincerely,
Blair Rugh
TriNovus

TRICOMPLY Financial Compliance Journal STAFF

EDITORIAL & PRODUCTION
Karly Field

TRICOMPLY STAFF
Miller Gunn
Andrea Gullion
Cindy LeBlanc
Leah M. Hamilton
Alison M. Hawkins
Blair Rugh
Katherine E. Timon
Kenny Vickers

The information contained in this TriComply Financial Compliance Journal is not intended to constitute, and should not be received as, legal advice. Please consult with your counsel for more detailed information applicable to your institution.

The TriComply Financial Compliance Journal is published by TriNovus, LLC, PO BOX 380305, Birmingham, AL 35238. All content herein is the sole property of TriNovus. Please submit all correspondence to the address above or via email at [email protected]. Advertising inquiries may be made by calling 205.991.5636 or emailing [email protected]. For more information on TriNovus visit www.trinovus.com.

Table of CONTENTS

Let’s Explore...
When Are Two Customers One?... pg 5
When Is An Activity Suspicious... pg 6
Who Are You Required To Identify... pg 8
On The Job With Katie Garlington.. pg 11
The New Suspicious Activity Reporting Form... pg 12
The Four Pillars of BSA.. pg 15
RMLOs No Longer Exempt From BSA.. pg 16
To Report or Not to Report.. pg 17
Are You Ready For The New e-Filing Requirements?.. pg 15
COMPLIANCE Q&A pg 20

What Is The TriComply Financial Compliance Journal?

We’re excited about the third issue of our TriComply Financial Compliance Journal for financial institution compliance professionals. The journal is written and edited by TriComply Compliance Services, a part of TriNovus, LLC. TriComply provides expert compliance advice to financial institutions around the country. We decided to compile some of our expertise on timely compliance topics, and the result is the TriComply Financial Compliance Journal. For more information on TriNovus and TriComply, call 205.991.5636 or visit www.trinovus.com. You can also subscribe to our free weekly compliance newsletter on our website.

The BSA Issue

Breaking Down BSA
April/May 2012 | BSA Issue $5.95

Let’s Explore
•SAR: When Is An Activity Suspicious?
•Who Are You Required to Identify?
•When Are Two Customers One?
•Are You Ready For New e-Filing Requirements?
•The New SAR Form
•RMLOS No Longer Exempt From BSA
•To Report or Not To Report?

COMPLIANCE Q&A

Department of Financial Services Superintendent’s Regulations

Part 504 BANKING DIVISION TRANSACTION MONITORING AND FILTERING PROGRAM REQUIREMENTS AND CERTIFICATIONS (Statutory authority: Banking Law §§37(3)(4) & 672; Financial Services Law §302)

Sec.

§ 504.1 Background
§ 504.2 Definitions
§ 504.3 Transaction Monitoring and Filtering Program Requirements
§ 504.4 Annual Certifications
§ 504.5 Penalties/Enforcement Actions
§ 504.6 Effective Date

§ 504.1 Background.

The Department of Financial Services (the “Department”) has recently been involved in a number of investigations into compliance by Regulated Institutions, as defined below, with applicable Bank Secrecy Act/Anti‐Money Laundering laws and regulations1 (“BSA/AML”) and Office of Foreign Assets Control (“OFAC”)2 requirements implementing federal economic and trade sanctions.3

As a result of these investigations, the Department has become aware of the shortcomings in the transaction monitoring and filtering programs of these institutions and that a lack of robust governance, oversight, and accountability at senior levels of these institutions has contributed to these shortcomings. The Department believes that other financial institutions may also have shortcomings in their transaction monitoring programs for monitoring transactions for suspicious activities, and watch list filtering programs, for “real‐time” interdiction or stopping of transactions on the basis of watch lists, including OFAC or other sanctions lists, politically exposed persons lists, and internal watch lists.

1 With respect to federal laws and regulations, see 31 U.S.C. 5311, et seq and 31 CFR Chapter X. For New York State regulations, see Part 115 (3 NYCRR 115), Part 116 (3 NYCRR 116), Part 416 (3 NYCRR 416) and Part 417 (3 NYCRR 417).

2 31 CFR part 501 et seq.

3 For information regarding the United States Code, the Code of Federal Regulations and the Federal Register, see Supervisory Policy G‐1.

To address these deficiencies, the Department has determined to clarify the required attributes of a Transaction Monitoring and Filtering Program and to require a Certifying Senior Officer, as defined below, of Regulated Institutions, to file Annual Certifications, in the form set forth herein, regarding compliance by their institutions with the standards described in this Part.

This regulation implements these requirements.

§ 504.2 Definitions.

The following definitions apply in this Part:

(a) “Annual Certification” means a certification in the form set forth in Attachment A.

(b) “Bank Regulated Institutions” means all banks, trust companies, private bankers, savings banks, and savings and loan associations chartered pursuant to the New York Banking Law (the “Banking Law”) and all branches and agencies of foreign banking corporations licensed pursuant to the Banking Law to conduct banking operations in New York.

(c) “Certifying Senior Officer” means the institution’s chief compliance officer or their functional equivalent.

(d) “Nonbank Regulated Institutions” shall mean all check cashers and money transmitters licensed pursuant to the Banking Law.

(e) “Regulated Institutions” means all Bank Regulated Institutions and all Nonbank Regulated Institutions.

(f) “Risk Assessment” means an on‐going comprehensive risk assessment, including an enterprise wide BSA/AML risk assessment, that takes into account the institution’s size, businesses, services, products, operations, customers/ counterparties/ other relations and their locations, as well as the geographies and locations of its operations and business relations;

(g) “Suspicious Activity Reporting” means a report required pursuant to 31 U.S.C. § 5311 et seq that identifies suspicious or potentially suspicious or illegal activities.

(h) “Transaction Monitoring Program” means a program that includes the attributes specified in Subdivisions (a), (c) and (d) of Section 504.3.

(i) “Watch List Filtering Program” means a program that includes the attributes specified in Subdivisions (b), (c) and (d) of Section 504.3.

(k) “Transaction Monitoring and Filtering Program” means a Transaction Monitoring Program, and a Watch List Filtering Program, collectively.

§ 504.3 Transaction Monitoring and Filtering Program Requirements.

(a) Each Regulated Institution shall maintain a Transaction Monitoring Program for the purpose of monitoring transactions after their execution for potential BSA/AML violations and Suspicious Activity Reporting, which system may be manual or automated, and which shall, at a minimum include the following attributes:

1. be based on the Risk Assessment of the institution;

2. reflect all current BSA/AML laws, regulations and alerts, as well as any relevant information available from the institution’s related programs and initiatives, such as "know your customer due diligence", "enhanced customer due diligence" or other relevant areas, such as security, investigations and fraud prevention;

3. map BSA/AML risks to the institution’s businesses, products, services, and customers/counterparties;

4. utilize BSA/AML detection scenarios that are based on the institution’s Risk Assessment with threshold values and amounts set to detect potential money laundering or other suspicious activities;

5. include an end‐to‐end, pre‐and post‐implementation testing of the Transaction Monitoring Program, including governance, data mapping, transaction coding, detection scenario logic, model validation, data input and Program output, as well as periodic testing;

6. include easily understandable documentation that articulates the institution’s current detection scenarios and the underlying assumptions, parameters, and thresholds;

7. include investigative protocols detailing how alerts generated by the Transaction Monitoring Program will be investigated, the process for deciding which alerts will result in a filing or other action, who is responsible for making such a decision, and how investigative and decision‐making process will be documented; and

8. be subject to an on‐going analysis to assess the continued relevancy of the detection scenarios, the underlying rules, threshold values, parameters, and assumptions.

(b) Each Regulated Institution shall maintain a Watch List Filtering Program for the purpose of interdicting transactions, before their execution, that are prohibited by applicable sanctions, including OFAC and other sanctions lists, and internal watch lists, which system may be manual or automated, and which shall, at a minimum, include the following attributes:

1. be based on the Risk Assessment of the institution;

2. be based on technology or tools for matching names and accounts4, in each case based on the institution’s particular risks, transaction and product profiles;

3. include an end‐to‐end, pre‐ and post‐implementation testing of the Watch List Filtering Program, including data mapping, an evaluation of whether the watch lists and threshold settings map to the risks of the institution, the logic of matching technology or tools, model validation, and data input and Watch List Filtering Program output;

4. utilizes watch lists that reflect current legal or regulatory requirements;

5. be subject to on‐going analysis to assess the logic and performance of the technology or tools for matching names and accounts, as well as the watch lists and the threshold settings to see if they continue to map to the risks of the institution; and

6. include easily understandable documentation that articulates the intent and the design of the Program tools or technology.

(c) Each Transaction Monitoring and Filtering Program shall, at a minimum, require the following:

1. identification of all data sources that contain relevant data;

2. validation of the integrity, accuracy and quality of data to ensure that accurate and complete data flows through the Transaction Monitoring and Filtering Program;

3. data extraction and loading processes to ensure a complete and accurate transfer of data from its source to automated monitoring and filtering systems, if automated systems are used;

4. governance and management oversight, including policies and procedures governing changes to the Transaction Monitoring and Filtering Program to ensure that changes are defined, managed, controlled, reported, and audited;

5. vendor selection process if a third party vendor is used to acquire, install, implement, or test the Transaction Monitoring and Filtering Program or any aspect of it;

6. funding to design, implement and maintain a Transaction Monitoring and Filtering Program that complies with the requirements of this Part;

4 The technology used in this area by some firms is based on automated tools that develop matching algorithms, such as those that use various forms of so‐called “fuzzy logic” and culture‐based name conventions to match names. This regulation does not mandate the use of any particular technology, only that the system or technology used must be adequate to capture prohibited transactions.

7. qualified personnel or outside consultant responsible for the design, planning, implementation, operation, testing, validation, and on‐going analysis, of the Transaction Monitoring and Filtering Program, including automated systems if applicable, as well as case management, review and decision making with respect to generated alerts and potential filings; and

8. periodic training of all stakeholders with respect to the Transaction Monitoring and Filtering Program.

(d) No Regulated Institution may make changes or alterations to the Transaction Monitoring and Filtering Program to avoid or minimize filing suspicious activity reports, or because the institution does not have the resources to review the number of alerts generated by a Program established pursuant to the requirements of this Part, or to otherwise avoid complying with regulatory requirements.

§ 504.4 Annual Certification.

To ensure compliance with the requirements of this Part, each Regulated Institution shall submit to the Department by April 15th of each year Certifications duly executed by its Certifying Senior Officer in the form set forth in Attachment A.

§ 504.5 Penalties/Enforcement Actions.

All Regulated Institutions shall be subject to all applicable penalties provided for by the Banking Law and the Financial Services Law for failure to maintain a Transaction Monitoring Program, or a Watch List Filtering Program complying with the requirements of this Part and for failure to file the Certifications required under Section 504.4 hereof. A Certifying Senior Officer who files an incorrect or false Annual Certification also may be subject to criminal penalties for such filing.

§ 504.6 Effective Date.

This Part shall be effective immediately. It shall apply to all State fiscal years beginning with the Fiscal Year starting on April 1, 2017.

ATTACHMENT A

______(Regulated Institution Name)

APRIL 15, 20____

Annual Certification For Bank Secrecy Act/Anti‐Money Laundering and Office of Foreign Asset Control Transaction Monitoring and Filtering Programs

to

New York State Department of Financial Services

In compliance with the requirements of the New York State Department of Financial Services (the “Department”) that each Regulated Institution maintain a Transaction Monitoring and Filtering Program satisfying all the requirements of Section 504.3 and that a Certifying Senior Officer of a Regulated Institution sign an annual certification attesting to the compliance by such institution with the requirements of Section 504.3, each of the undersigned hereby certifies that they have reviewed, or caused to be reviewed, the Transaction Monitoring Program and the Watch List Filtering Program (the “Programs”) of (name of Regulated Institution) as of ______(date of the Certification) for the year ended______(year for which certification is provided) and hereby certifies that the Transaction Monitoring and Filtering Program complies with all the requirements of Section 504.3.

By signing below, the undersigned hereby certifies that, to the best of their knowledge, the above statements are accurate and complete.

Signed:

Name: ______Date: ______Chief Compliance Officer or equivalent

Rob Nichols
President and CEO
202-663-5111
[email protected]

March 31, 2016

By electronic delivery to: [email protected]

Mr. Gene C. Brooks First Assistant Counsel New York State Department of Financial Services One State Street New York, NY 10004-1511

Re: Proposed Addition of Part 504 to Title 3 of the Superintendent's Regulations, Banking Division Transaction Monitoring and Filtering Program Requirements and Certifications (I.D. No. DFS-50-15-00004-P)

Dear Mr. Brooks:

The American Bankers Association (ABA)1 appreciates the opportunity to comment on the transaction monitoring, filtering and certification regulations proposed by the New York Department of Financial Services (DFS).2 The proposal was announced on December 1, 2015, by Governor Andrew Cuomo, as “[A] new anti-terrorism and anti-money laundering regulation that includes – among other important provisions – a requirement modeled on Sarbanes-Oxley that senior financial executive[s] certify that their institutions have sufficient systems in place to detect, weed out, and prevent illicit transactions.”3 The proposal was prompted, in part, by recent enforcement actions targeting transaction monitoring and screening processes deemed inadequate in a few cases.

The proposal purports not to alter existing federal Bank Secrecy Act (BSA)4 and anti-money laundering (AML) requirements, but rather provide “more granular guidance.” However, it would substantively change current requirements and conflict with existing federal regulations. For example, the proposal would establish a number of highly prescriptive transaction monitoring and watch list filtering program requirements for DFS-regulated institutions—requirements that are unnecessary and likely to cause confusion and that are inconsistent with existing federal BSA/AML and Office of Foreign Asset Control (OFAC)5 rules. In addition, the proposed rule would require annual certification by an institution’s chief compliance officer that the institution’s transaction monitoring and filtering program “complies with all the requirements of the rule.” And, the certification requirement would impose significant liability, since an “incorrect or false” certification could lead to criminal prosecution.

1 The American Bankers Association is the voice of the nation’s $16 trillion banking industry, which is composed of small, regional and large banks that together employ more than 2 million people, safeguard $12 trillion in deposits and extend more than $8 trillion in loans.

2 See 2015 N.Y. Reg. 25854 (Dec. 1, 2015) available at: http://www.dfs.ny.gov/legal/regulations/proposed/banking/prop_banking_archive.htm.

3 NEW YORK DEPARTMENT OF FINANCIAL SERVICES PRESS RELEASE, GOVERNOR CUOMO ANNOUNCES ANTI-TERRORISM REGULATION REQUIRING SENIOR FINANCIAL EXECUTIVES TO CERTIFY EFFECTIVENESS OF ANTI-MONEY LAUNDERING SYSTEMS, (2015), available at http://dfs.my.gov/about/press/pr1512011.htm.

4 Formally, the Currency and Foreign Transactions Reporting Act of 1970. (31 U.S.C. 5311 et seq.), the Bank Secrecy Act was originally adopted as part of the war on drugs but has been amended numerous times, most significantly by the USA PATRIOT Act of 2001, which added expectations for monitoring for terrorist activity.

ABA and the banking industry are long-standing partners with federal and state law enforcement agencies in the battle against money laundering and terrorist financing. Recognizing that commitment, federal officials have remarked on the important support and commendable efforts of the financial sector to maintain BSA/AML compliance programs, systems, and controls.6 Very recently, the Comptroller of the Currency, Thomas Curry, stated that, “…suffice it to say that the vast majority of the institutions we supervise have solid programs in place to manage and control BSA/AML risk.”7 Therefore, while the lapses of a few parties may have drawn Governor Cuomo’s attention, the vast majority of financial institutions have strong and effective transaction monitoring and filtering programs in place.

Combating money laundering and terrorist financing is critical, especially considering the current threat posed by the Islamic State of Iraq and the Levant (ISIL) and other terrorist groups. We appreciate New York’s desire to take steps that further that goal. However, ABA believes that the proposal would undermine, not enhance, the country’s efforts to combat money laundering and the financing of terrorism.

First, the proposal would add new compliance requirements for financial institutions in an area that is already extensively governed by a federal framework that has been developed and refined over many decades. Congress entrusted the federal government with the responsibility to implement the BSA to combat financial crime and protect the financial sector. Overlapping state regulations threaten to introduce confusion as well as disparate and contradictory requirements.

Second, international authorities and the federal government have long advocated a flexible, risk-based approach to AML, which enables banks to adapt to ever-changing threats.8 In contrast, the proposal would implement a highly prescriptive and static set of rules that could not be amended quickly, hindering the ability of institutions to design and calibrate their monitoring and filtering systems in a flexible, risk-sensitive manner designed to react to the dynamic nature of criminal and terrorist threats.

5 OFAC is a division of the US Department of the Treasury that administers and enforces U.S. economic and trade sanctions. https://www.treasury.gov/about/organizational-structure/offices/Pages/Office-of-Foreign-Assets-Control.aspx.

6 Jennifer Shasky Calvery, Director, Financial Crimes Enforcement Network (FinCEN), American Bankers Association/American Bar Association Money Laundering Enforcement Conference (Nov. 16, 2015), available at: https://www.fincen.gov/news_room/speech/html/20151116.html.

7 Thomas J. Curry, Comptroller of the Currency, Office of the Comptroller of the Currency, Remarks before the Institute of International Bankers (March 7, 2016) (Comptroller Curry’s Remarks) available at: http://www.occ.treas.gov/news-issuances/speeches/2016/pub-speech-2016-25.pdf.

8 See Financial Action Task Force. Guidance on the Risk-Based Approach to Combating Money Laundering and Terrorist Financing – High Level Principles and Procedures (2007), available at: http://www.fatf-gafi.org/documents/documents/fatfguidanceontherisk-basedapproachtocombatingmoneylaunderingandterroristfinancing-highlevelprinciplesandprocedures.html; see also Bank Secrecy Act/Anti-Money Laundering Examination Manual (BSA Manual)(2014), p. 18, available at: https://www.ffiec.gov/bsa_aml_infobase/pages_manual/manual_online.htm.

Third, the proposal would introduce a certification process that requires a chief compliance officer to accept liability for actions outside of his or her control. Moreover, as drafted, the proposed certification would require the compliance officer to certify to an imprecise and subjective definition of “actual compliance” with transaction monitoring and watch list filtering programs, not merely that the company has implemented and tested risk-based programs reasonably designed to detect money laundering and sanctioned transactions. Imprecise and subjective standards in the proposed monitoring and watch list requirements will render certification of complete compliance all but impossible.

Beyond the challenge of attesting to compliance, the proposed rule does not require an “intent” standard for the imposition of criminal penalties. If the underlying objective for the certification requirement is to encourage financial institutions to develop and implement effective programs to detect and prevent money laundering and terrorist financing, ABA strongly believes the proposal will not achieve its objective. Rather, as proposed, the severe legal liability for poorly defined standards will deter experienced and qualified individuals from accepting chief compliance officer positions, which in turn will undermine the BSA/AML programs of regulated institutions.

Overall, the proposal would set the bar so high that it would greatly diminish the risk appetite of financial institutions, leading them to close or not open marginal accounts. This would aggravate the so-called “de-risking” that is already a significant concern of federal and state officials.9 With any new regulatory mandate, financial institutions must factor a number of elements into the risk equation, such as costs for compliance, challenges with updating systems, re-calibrating audit programs, and re-training staff. Against these factors, the company also must weigh the volume of business that will be impacted and income from these accounts. Unfortunately, all too frequently in marginal business lines or accounts, the calculation produces a negative result. If the regulatory costs and risks exceed the income and benefits from any relationship, the most efficient and effective step for a financial institution, particularly in the context of safety-and-soundness, is to terminate or not enter into affected account relationships.

While ABA agrees that transaction monitoring and filtering programs are critical to bank compliance, the proposal goes well beyond what is necessary and will result in serious unintended and counterproductive consequences. We therefore urge DFS to withdraw the proposal, and instead reinforce participation in the existing and long-standing federal regime, that unites government authorities, law enforcement, and bank and nonbank financial institutions in the effort to fight crime and terrorist financing.

9 See for example, Adam Szubin, Acting Under Secretary. U.S. Department of the Treasury, Remarks at The ABA/ABA Money Laundering Enforcement Conference (Nov. 16, 2015), available at: https://www.treasury.gov/press-center/press- RELEASES/Pages/jl0275.aspx; see also Comptroller Curry’s Remarks, supra, note 6

1. ABA and the banking industry actively support robust AML/CFT Programs.

ABA shares New York’s goal to ensure that financial institutions implement and maintain robust and effective AML and countering of terrorism (CFT) programs. However, we are concerned that creation of a separate, parallel state system could divert resources from efforts to prevent money laundering and terrorist financing and frustrate the efforts to have a coordinated national approach— and even international approach.

For the last few years, the Financial Crimes Enforcement Network (FinCEN) has been working diligently to ensure that the gap, or “delta,” between regulatory mandates and illicit financing risk is narrowed.10 The fundamental goal for the special task force that FinCEN created to address this concern, the Delta Team, is to ensure that regulatory mandates are designed to provide the necessary information and support for law enforcement but avoid rules that do not meet that goal. Creation of a separate state system that overlaps the federal system is only likely to expand the delta, not diminish it.

It is important to realize that any new regulation is not adopted in a vacuum; rather, it is part of a long-standing federal framework that has been updated and refined over nearly 50 years as risks have changed and law enforcement programs have evolved. FinCEN and the federal banking agencies, working with national law enforcement and intelligence agencies, have the expertise and access to information necessary to design comprehensive national standards for effectively combatting financial crimes and terrorist financing. That recognition informed the close cooperation of the federal banking agencies when they created uniform examination procedures, the FFIEC Bank Secrecy Act/Anti-Money Laundering Manual (BSA Manual).11 When the manual, last updated in November 2014, was introduced, it was hailed as a model of cooperation between regulatory agencies and as a step that would further the fight against money laundering.

International cooperation is also critical to combating money laundering and terrorist financing. That is why the Financial Action Task Force was created in 198912 and why a number of countries banded together as the Egmont Group to ensure mutual cooperation to combat money laundering and terrorist financing.13 Fundamentally, coordination with other countries must be at the federal level. To that end, it is logical to have a federal AML/CFT compliance regime. Independent state regulations, by introducing inconsistencies in interpretations, application, and enforcement, will undermine the efficacy of the federal framework.

10 Jennifer Shasky Calvery, Director, Financial Crimes Enforcement Network, Remarks at the American Bankers Association/American Bar Association Money Laundering Enforcement Conference (November 2012), available at: https://www.fincen.gov/news_room/speech/html/20121113.html.

11 Comptroller Curry’s Remarks, supra note 6.

12 Currently, there are 35 countries, including the United States, serving as members of the Financial Action Task Force (FATF). See http://www.fatf-gafi.org/home/. FATF is an inter-governmental body established in 1989 by the Ministers of its Member jurisdictions. The objectives of the FATF are to set standards and promote effective implementation of legal, regulatory, and operational measures for combating money laundering, terrorist financing, and other related threats to the integrity of the international financial system.

13 The Egmont Group provides a mechanism at the federal level to combat illicit finance. FinCEN is the United States representative to the Egmont Group. See http://www.egmontgroup.org/

2. The proposed rule creates a series of explicit and implicit requirements that are inconsistent with the risk-based approach to BSA/AML/OFAC monitoring and filtering programs.

The proposal would impose a prescriptive set of transaction monitoring and watch list filtering program requirements that would apply to all DFS-regulated institutions but that is at odds with the federal risk-based approach. Under the existing federal regime, each bank identifies the risks it faces and then, within the context of federal standards, designs its own AML/CFT program to manage those risks. As stated in the BSA Manual, “There are many effective methods and formats used in completing a BSA/AML risk assessment; therefore, examiners should not advocate a particular method or format.”14 The goal, as set forth in the BSA Manual, is to have each bank assess the risks it faces, based on the products and services it offers, the customers it serves, the geographies where it is located, and its own unique capacities. Then each bank must be able to create policies, procedures, and controls to mitigate the risk. Imposition of a one-size-fits-all transaction monitoring and filtering program frustrates that.

The emphasis on flexible standards is not limited to the United States. International efforts to combat money laundering and terrorist financing also emphasize the need to develop flexible standards that let individual financial institutions identify risks and adopt controls to manage those risks.15 This ensures the most effective use of resources to combat money laundering and terrorist financing. Prescriptive mandates do not.

Another danger inherent in a prescriptive requirement is that it encourages banks to manage to the regulation and not the risk. Where examiners and auditors have specific requirements against which to check compliance, they look to see if each individual element of the statutory mandate is satisfied without evaluating the overall process or its effectiveness. When examiners and auditors check the box, the most efficient way for a bank to demonstrate compliance is to show that each element of the rule has been met without regard to whether it has addressed risk. Compliance then becomes a mechanical, and all too often less effective, exercise. Since criminals are constantly seeking to find new ways to access the payment system without detection, law enforcement and financial institutions must be equally adept in order to identify and control AML/CFT risks, but that dynamic is lost when compliance becomes a mechanical exercise.

a. Proposed section 504.3(b)’s requirement for maintaining a watch list filtering program is imprecise and inconsistent with federal requirements.

Section 504.3(b) would require institutions to maintain a watch list filtering program “for the purposes of interdicting transactions, before their execution, that are prohibited by applicable sanctions, including OFAC and other sanction lists, and internal watch lists.” Note 4 to the proposal also states, in relevant part, “This regulation does not mandate the use of any particular technology, only that the system or technology used must be adequate to capture prohibited transactions” (emphasis added).

14 BSA manual, supra note 7, at 18.

15 See Financial Action Task Force, The FATF Recommendations – International Standards on Combating Money Laundering and the Financing of Terrorism & Proliferation (2012), available at: http://www.fatf-gafi.org/media/fatf/documents/recommendations/pdfs/FATF_Recommendations.pdf; see also, Financial Action Task Force’s series of publications on the application of the risk-based approach, available at: http://www.fatf-gafi.org/documents/riskbasedapproach/?hf=10&b=0&s=desc(fatf_releasedate)

This language appears to suggest a zero tolerance for OFAC screening, which is inconsistent with the current expectations that appropriately recognize that no filtering system can guarantee that it will capture all prohibited transactions.

Moreover, section 504.3(b) appears to require OFAC monitoring systems that screen all transactions against the lists, which is overbroad and inconsistent with current expectations that banks implement risk-based transaction monitoring.16 Indeed, the federal approach accords individual institutions flexibility in setting thresholds for OFAC filtering, recognizing that there is always a trade-off between a system’s ability to identify all transactions potentially covered and the need to avoid a significant number of false positives that demand time and syphon off resources to resolve.

At the same time, it is important to recognize that screening every party in every transaction, as the proposal seems to mandate, would be a severe impediment to the normal course of business for the vast body of legitimate transactions by law-abiding parties. For example, there currently is no automated system that can screen the payee on every check or card transaction. Constructing such a system would be prohibitively expensive and impractical. And, it fails to recognize that screening is conducted by different parties at different points in the system, as appropriate; as a result, not every processor needs to monitor every party at every step in the process.

In addition, neither “other sanction lists” nor “internal watch lists” is defined, leaving it open to interpretation—interpretation that could be criticized later by an examiner. Indeed, the number of sanctions lists that could be included is extensive. Not only are there multiple OFAC lists, there are lists published by the Department of Commerce Bureau of Industry and Security, the Departments of State and Homeland Security, and there are a series of Executive Orders issued by the White House. Similarly, the term “internal watch list” is vague; the proposal offers no parameters for which internal lists should be included or guidance as to whether and how internal watch lists should be developed.17

In other words, the proposal would impose rules that are vague, overbroad, and inconsistent with current expectations for risk-based transaction monitoring. We urge DFS to withdraw the proposal and defer to the existing federal screening regime.

16 BSA Manual, supra note 7, at 142 to 151.

17 Although DFS removed the reference to “politically exposed persons (PEPs) lists” from the proposed rule text published in the New York State Register on December 16, 2015, the preamble to the proposal states, “The Department believes that other financial institutions may also have shortcomings in their transaction monitoring programs for monitoring transactions for suspicious activities, and watch list filtering programs, for ‘real-time’ interdiction or stopping of transactions on the basis of watch lists, including OFAC or other sanctions lists, politically exposed persons lists, and internal watch lists.” ABA supports the decision to remove reference to PEP lists but urges DFS to remove any reference to PEPs from the preamble. We note that there is no federal requirement to interdict payments to PEPs, and a requirement to screen transactions involving PEPs would have significant, negative consequences for the payment system. Federal regulations focus on PEPs at the account relationship level, not at the transaction level, as the most effective way to address potential risks with PEPs.

b. Proposed section 504.3(a)’s requirement on the transaction monitoring program also is imprecise and inconsistent with federal requirements.

Section 504.3(a) would require a transaction monitoring program to “reflect all current BSA/AML laws, regulations and alerts, as well as any relevant information from the institution’s related programs and initiatives such as ‘know your customer due diligence,’ ‘enhanced customer due diligence,’ or other relevant areas such as security, investigations, and fraud prevention.” This requirement is exceedingly broad and would impose monitoring requirements far beyond those of the federal risk-based framework. FinCEN and the federal banking agencies recognize that not all BSA/AML laws, regulations, or alerts are necessary or appropriate for incorporation into a transaction monitoring program, and individual banks should exercise discretion as to those elements that are appropriately incorporated based on that bank’s risk assessment.

The federal risk-based framework recognizes that BSA officers are best positioned to make judgments about the information used to sustain and improve the efficacy of their transaction monitoring programs. A requirement for monitoring “all BSA/AML laws, regulations, and alerts” is extremely broad and disregards an individual institution’s specific risks. In addition, such an expansive approach will produce more transactions that are unnecessarily categorized as “suspicious” and that will therefore need to be investigated, stretching and distracting investigative resources, resulting in less effective information for law enforcement purposes.

The proposed rule’s requirement for an “ongoing comprehensive risk assessment” also appears to require that an institution continuously revise its BSA/AML risk assessment. This contradicts the federal requirements outlined in the BSA Manual, which state, “[I]t is a sound practice for banks to periodically reassess their BSA/AML risks at least every 12 to 18 months,” unless there are changes to an institution’s risk profile such as a merger or the introduction of new products or services.18

Overall, the proposal lays forth a prescriptive mandate for transaction monitoring. As with the elements of sanctions screening, the preferable approach, consistent with federal and international guidance, is to set forth guidelines for financial institutions and then allow each institution, within those guidelines, to develop its own compliance program tailored to its unique circumstances and the nature of the risks faced.

c. Proposed section 504.3(d) is overly broad and appears to conflict with federal guidelines.

As proposed, section 504.3(d) would forbid banks from making changes to their transaction monitoring and filtering programs “to avoid or minimize filing suspicious activity reports, or because the institution does not have the resources to review the number of alerts generated by a Program established under the proposal, or to otherwise avoid complying with regulatory requirements.” While ABA agrees that banks should not set program thresholds for alerts simply to reduce the number of alerts that need to be addressed, we believe that the proposed language conflicts with federal guidelines and will result in a significant increase in BSA filings that are not helpful or useful to law enforcement.

18 BSA Manual, supra note 7 at 24.

One critical element of the federal transaction monitoring expectations is that the alert system be risk-based and that, “Parameters and filters should be reasonable and tailored to the activity that the bank is trying to identify or control.”19 The federal guidelines go on to state that, “System filtering criteria, including specific profiles and rules, should be based on what is reasonable and expected for each type of account.” In calibrating their systems, banks are expected to take steps to reduce alerts that would result in unhelpful filings.

Accordingly, bank BSA personnel make risk-based decisions about transaction monitoring and filtering system settings that determine the volume of alerts generated. It is an iterative process that seeks to minimize the number of false alerts and maximize the number of “true” alerts that generate SAR filings. In fact, FinCEN and federal law enforcement agencies encourage these ongoing efforts to optimize filters, so that they are not overwhelmed by unnecessary suspicious activity report (SAR) filings.20 This process ensures that bank and law enforcement resources are maximized in the fight against money laundering and terrorist financing.

Therefore, while a financial institution should not adjust its transaction monitoring system to eliminate alerts simply because there are insufficient resources to handle that level of alerts, a financial institution must have the flexibility to adjust the alert system to eliminate false positives and to calibrate the program to produce the most effective level of alerts possible.

d. Proposed section 504.3(a)(5)’s mandates for system validation are unworkable.

Proposed section 504.3(a)(5) would require an “end-to-end, pre- and post-implementation testing of the Transaction Monitoring Program.” ABA agrees that it is important for financial institutions to adopt procedures to ensure that the systems they use work properly and in accordance with regulatory expectations. In fact, the basic elements of the proposal reflect two of the four pillars of a bank BSA compliance program that have been in place since 1986—the implementation of internal controls and an audit program.

However, the proposal appears to mandate an evaluation that departs from standard audit practice and good risk management. It would be extremely expensive, costing in the tens of thousands of dollars for even a small institution, and could draw resources into a perennial audit better used for fighting crime and providing customer service. The prohibitive costs associated with this alone would cause many community banks to exit lines of business, leading to financial exclusion instead of financial inclusion, as discussed more fully below. Here, as with other elements of the proposed rule, the language departs from an approach focused on risk, an approach that makes the best use of resources for testing and evaluating systems as a means to validate that the programs are appropriate and working as intended.

19 BSA Manual, supra note 7 at 66.

20 Recently, the Director of FinCEN, commenting on the utility of suspicious activity filings, noted that law enforcement used approximately 62% of the reports filed, meaning that 38% were not used. Under the proposed rule, it is likely that the percentage of SARs that are not used would increase. See Jennifer Shasky Calvery, Director, Financial Crimes Enforcement Network, Remarks at the 2014 Mid-Atlantic AML Conference, (August 2014), available at https://www.fincen.gov/news_room/speech/html/20140812.html.

Perhaps more significant, although the proposal suggests that a bank could use an automated or a manual system, the elements of the proposal are so detailed that they seem to undermine the ability for even a small community bank to use anything other than an automated system to comply.

ABA believes that the proposed rule would fail to achieve its intended purpose. Instead, the prescriptive nature of the transaction monitoring and watch list filtering program requirements threatens to undermine the effectiveness and flexibility of the federal approach to AML/CFT compliance, while hampering the unity of approach needed for an effective national and international effort. ABA urges DFS to withdraw the proposal.

3. The certification requirement will undermine financial institutions’ AML/CFT compliance programs.

Proposed section 504.4 would require each regulated institution to submit an annual certification that is duly executed by its “Senior Certifying Officer” (SCO), defined as the institution’s chief compliance officer or functional equivalent, attesting that the institution’s transaction monitoring and watch list filtering programs comply with all of the requirements set forth in the proposed rule. However, at the outset it is not entirely clear who would be the appropriate signatory. As compliance responsibilities have ballooned, especially after the adoption of the Dodd–Frank Wall Street Reform and Consumer Protection Act (Dodd-Frank), compliance responsibilities have been diffused among different individuals within an organization. At the same time, existing federal regulations require financial institutions to appoint a designated individual as the BSA Officer, and it is that individual who is most likely to be familiar with the expectations set forth in the proposal, but the BSA Officer may be a different person than the chief compliance officer. In short, the proposal needs greater clarity to determine where the expected responsibility lies and who should execute the certification.

Even so, ABA opposes this certification requirement. Although the proposal purports to model the certification required by the Sarbanes-Oxley Act of 2002 (Sarbanes-Oxley),21 there is a significant distinction. The certification required under Sarbanes-Oxley is not an absolute attestation. Rather, Sarbanes-Oxley allows the certifying officer to attest to the information based on his or her knowledge and belief as well as incorporating a reasonableness standard. Under Sarbanes-Oxley, the certifying officer certifies that the company has in place a system of controls reasonably designed to achieve compliance. Here, in contrast, the SCO must certify to actual compliance with all of the requirements of the proposed rule, an impossible standard. And an attestation made in good faith that is later found to be “incorrect or false” can result in criminal prosecution. These certifications, in the terms proposed, are statistically prone to be found inaccurate in some respect that has little bearing on the genuine effectiveness of the AML program but that is bound to hang liability around the neck of the SCO.

21 Sarbanes–Oxley Act of 2002, Pub. L. No. 107–204, 116 Stat 745 (2002), 2002 Enacted H.R. 3763, 107 Enacted H.R. 3763

No one individual should, or can, be expected to assume responsibility for the activities of his or her colleagues or associates. A corporation, by its very nature, acts through the efforts of many individuals. Each one contributes to the overall action of the company, and the sum of their collective actions is what constitutes the actions of the corporation. At the same time, while a SCO can direct, supervise, correct, guide, monitor, and conduct the many other elements of his or her duties with great skill, competence, and integrity, he or she does not have sufficient authority to control the actual conduct of others in the company, no more than a police officer can assure that there will be no traffic violations on the highways he or she patrols.

Nor does the SCO have ultimate control over the resources allocated to the institution’s BSA/AML program. He or she can recommend a budget, but senior management and the board will make the final decision about the allocation of finite resources across many programs to meet the many legal obligations of the firm and provide expected services to its customers. Yet the proposed rule’s requirement that an institution adequately fund its BSA/AML/OFAC monitoring systems would pull this decision into the certification, requiring budgeting discussions and decisions to be thoroughly documented in light of the possibility of civil or criminal prosecution.

Successful BSA/AML compliance is a company-wide endeavor, dependent on the actions of employees throughout the organization, including frontline personnel responsible for customer identification program compliance, business line employees that feed data into the transaction monitoring and filtering programs, technology experts that build and manage the monitoring and screening systems, and BSA/AML compliance employees who investigate suspicious activity, file required reports, and oversee the entire BSA/AML program. With so many individuals contributing to compliance it would be fundamentally unfair to hold one individual responsible for all of those efforts. Moreover, doing so would undermine the goal of creating a culture of compliance throughout the firm that is essential to a program’s success.

In addition, and as discussed previously, the proposed rule contains a number of unclear standards that would make certification of compliance very difficult, if not impossible. As also explained above, the requirement to certify that an institution’s transaction monitoring and filtering programs comply with all the requirements of the proposed rule establishes an unrealistic standard that is at odds with the federal risk-based framework for BSA compliance.

ABA believes that the certification requirement will not encourage the development and implementation of effective programs designed to detect and prevent money laundering and terrorist financing. Instead, it will deter experienced and qualified individuals from accepting chief compliance officer positions, which will undermine the BSA/AML programs of regulated institutions.

For many years, federal regulators have had the authority to charge individuals with malfeasance when appropriate. The bar for charging an individual is set high, recognizing that the company acts through a series of steps by individuals. However, it is an authority that is and can be used when appropriate. That authority exists without a certification requirement. ABA urges DFS to remove the certification requirement.

4. The Proposal is likely to inhibit efforts to increase financial inclusion.

As has been noted, one of the key elements for a bank AML/CFT compliance program is the risk-assessment process. When there are prescriptive mandates to follow or where a compliance officer must accept an elevated level of responsibility for managing risks associated with customers, it not only raises the bar for compliance, it simultaneously lowers the tolerance for risk. The fundamental goal of a risk management program is to identify and define the risks, determine steps that can manage or minimize those risks, and monitor and audit to be sure that the risks do not change and that the risk mitigation is working properly.

When there is a risk that cannot be controlled or cannot be defined, the logical solution is to minimize or even avoid the risk. In this context, that means that a bank will close or not open a particular account or process a difficult transaction at the margin. Such actions, to be consistent with regulatory expectations, are also likely to leave customers without ready access to some banking services. That does not eliminate customer needs; customers may then turn to alternate providers, perhaps including “informal” providers in the underground economy. The more that legitimate customers go that route to meet their financial needs, the more fertile environment there is for bad actors to conduct transactions. And, when transactions are moved outside the mainstream, they are less transparent to law enforcement and regulatory authorities. That is a cost that bankers, law enforcement, and policymakers should seek to avoid.22

5. Conclusion

ABA firmly believes that the efforts to combat money laundering and terrorist financing require a partnership between the banking industry and law enforcement. For nearly 50 years, the federal government has instituted, refined and, where appropriate, expanded the compliance expectations needed to carry out those efforts. Since combating money laundering and especially terrorist activity is an international effort requiring global cooperation, the most effective process is one that is managed at the federal level where it can be applied consistently nationwide and can best be integrated into an essential international effort.

22 E.g., “Government cooperation in setting and enforcing international standards for anti-money laundering and transparency in the financial system is essential if banks’ efforts to detect and report potential money laundering are to be effective.” U.S. DEP’T OF THE TREAS., NATIONAL MONEY LAUNDERING RISK ASSESSMENT (2015) p. 52, available at: https://www.treasury.gov/resource-center/terrorist-illicit-finance/Documents/National%20Money%20Laundering%20Risk%20Assessment%20%E2%80%93%2006-12-2015.pdf, and, “This framework aids financial institutions in identifying and managing risk, provides valuable information to law enforcement, and creates the foundation of financial transparency required to apply targeted financial measures against the various national security threats that seek to operate within the U.S. financial system.” U.S. DEP’T OF THE TREAS., NATIONAL TERRORIST FINANCING RISK ASSESSMENT (2015), p. 48, available at: https://www.treasury.gov/resource-center/terrorist-illicit-finance/Documents/National%20Terrorist%20Financing%20Risk%20Assessment%20%E2%80%93%2006-12-2015.pdf.

ABA appreciates the opportunity to comment on the proposal. Clearly, we share the same goals of an effective program to protect the nation’s financial sector from criminals and terrorists. We believe that this can best be achieved by working together within the federal program, and we therefore urge withdrawal of the proposal.

Sincerely,

Rob Nichols President and CEO

Personal Liability Issues for Compliance Professionals

By Ralph E. Sharpe, Esquire

ABA Bank Compliance | March–April 2016

On December 1, 2015, the New York Department of Financial Services (“DFS”) proposed “…a new anti-terrorism and anti-money laundering regulation that includes—among other important provisions—a requirement modeled on Sarbanes-Oxley that senior financial executive[s] certify that their institutions has sufficient systems in place to detect, weed out, and prevent illicit transactions.”1 The proposed regulation, if adopted, would require that DFS-supervised institutions maintain a transaction monitoring program designed to identify potential BSA/AML violations and ensure timely Suspicious Activity Reporting, as well as a watch list filtering program for the purpose of interdicting transactions before their execution that are prohibited by applicable sanctions, including OFAC and other sanctions lists, politically exposed persons lists, and internal watch lists.2 Under the proposed regulation, on or before April 15 of each year, each covered institution would also be required to submit to the DFS a certification of compliance with the above requirement duly executed by its chief compliance officer or functional equivalent.3 Section 504.5 of the proposed regulation provides that:

All Regulated Institutions shall be subject to all applicable penalties provided for by the Banking Law and the Financial Services Law for failure to maintain a Transaction Monitoring Program, or a Watch List Filtering Program complying with the requirements of this Part and for failure to file the Certifications required under Section 504.4 hereof. A Certifying Senior Officer who files an incorrect or false Annual Certification also may be subject to criminal penalties for such filing.4

This pronouncement follows a long series of recent policy pronouncements and enforcement actions initiated by the DFS and other financial services regulators where the focus has included not only corporate but individual responsibility, with a particular focus on compliance professionals.

The purpose of this article is to discuss the implications of this shift in focus for compliance professionals, to offer suggestions on how such professionals can better protect themselves from potential liability, and to raise a cautionary note that in their effort to ensure that financial services firms maintain a high level of regulatory compliance with all AML-related laws and regulations, the financial service regulators do not make it increasingly difficult for firms to find and retain those best qualified to lead this effort, i.e., well-qualified compliance professionals.

How we got here—Governmental Policies and Statements

As history instructs, the 2007-2008 financial downturn mostly took banks and regulators by surprise—and both have been running hard since to “catch up.” Regulators reacted in a number of ways. They ratcheted up their rhetoric regarding their supervisory expectations; issued policy statements signaling increased supervisory scrutiny and took a series of high-profile enforcement actions intended to reinforce a “no more Mr. nice guy” message. Most of these were directed at the financial institutions themselves, but as legislators, commentators and the public began to clamor for actions against individuals, the regulators began to turn their focus more in that direction. In March of 2013, David S. Cohen, Under Secretary for Terrorism and Financial Intelligence, testifying before the Senate Committee on Banking, Housing, and Urban Affairs on Patterns of Abuse: Assessing Bank Secrecy Act Compliance and Enforcement, stated:

[T]he BSA allows FinCEN to impose civil penalties not only against domestic financial institutions and non-financial trades or businesses that willfully violate the BSA, but also against partners, directors, officers and employees of such entities who themselves actively participate in misconduct. Although FinCEN has employed these tools only occasionally in the past, in the future FinCEN will look for more opportunities to impose these types of remedies in appropriate cases (https://www.treasury.gov/press-center/press-releases/Pages/jl1871.aspx).

In March of 2014, Comptroller of the Currency Thomas Curry offered the following remarks before the Association of Certified Anti-Money Laundering Specialists: “The question I would pose from a risk management and corporate governance standpoint is whether it’s time to require large complex banks to establish clear lines of accountability that make it possible to hold senior executives responsible for serious compliance breakdowns that lead to BSA program violations.” (See http://www.sec.gov/news/statement/supporting-role-of-chief-compliance-officers.html.)

In June of this year, SEC Commissioner Luis A. Aguilar offered a defense of two SEC enforcement actions taken to discipline Chief Compliance Officers (“CCOs”), stating in part, that:

“In my experience, the Commission has approached CCO cases very carefully, making sure that it strikes the right balance between encouraging CCOs to do their jobs competently, diligently, and in good faith, and bringing actions to punish and deter those that engage in egregious misconduct. In making this determination, the Commission cautiously evaluates the facts and circumstances of each case, and considers many important factors such as fairness and equity.”

Commissioner Aguilar’s view that the SEC’s actions against compliance officers have been balanced is not shared by all of his fellow commissioners, however. Commissioner Daniel Gallagher, commenting on the same two cases referred to by Commissioner Aguilar, offered a more cautionary view:

“Both settlements illustrate a Commission trend toward strict liability for CCOs under Rule 206(4)-7. Actions like these are undoubtedly sending a troubling message that CCOs should not take ownership of their firm’s compliance policies and procedures, lest they be held accountable for conduct that, under Rule 206(4)-7, is the responsibility of the adviser itself. Or worse, that CCOs should opt for less comprehensive policies and procedures with fewer specified compliance duties and responsibilities to avoid liability when the government plays Monday morning quarterback.” (See http://www.sec.gov/news/statement/sec-cco-settlements-iaa-rule-206-4-7.html.)

In September of 2015, the U.S. Department of Justice also weighed in on the issue of individual accountability by noting that “[o]ne of the most effective ways to combat corporate misconduct is by seeking accountability from the individuals who perpetrated the wrongdoing.” DOJ’s memo on Individual Accountability for Corporate Wrongdoing (otherwise known as the “Yates” memo) articulates the rationale for this statement thusly:

Both criminal and civil attorneys should focus on individual wrongdoing from the very beginning of any investigation of corporate misconduct. By focusing on building cases against individual wrongdoers from the inception of an investigation, we accomplish multiple goals. First, we maximize our ability to ferret out the full extent of corporate misconduct. Because a corporation only acts through individuals, investigating the conduct of individuals is the most efficient and effective way to determine the facts and extent of any corporate misconduct. Second, by focusing our investigation on individuals, we can increase the likelihood that individuals with knowledge of the corporate misconduct will cooperate with the investigation and provide information against individuals higher up the corporate hierarchy. Third, by focusing on individuals from the very beginning of an investigation, we maximize the chances that the final resolution of an investigation uncovering the misconduct will include civil or criminal charges against not just the corporation but against culpable individuals as well. (See http://www.justice.gov/dag/file/769036/download at 4.)

Finally, as noted in the introduction to this article, the DFS has now weighed in with an unprecedented proposal that, if adopted, would require annual certifications by compliance officers that their DFS-regulated institutions were maintaining an effective transaction monitoring program to detect potential BSA violations, maintaining watch list filtering programs to identify and interdict prohibited transactions and filing SARs when suspicious activities are identified.

Collectively, these statements evince a growing, and increasingly uniform articulation of governmental policies reflecting a willingness and determination to visit personal liability on individuals as well as corporate entities. As discussed in the next section, this willingness and determination has manifested itself in a number of recent enforcement actions taken by financial services regulators against individuals.

Recent Enforcement Actions—Policy Becomes Reality

The most well-known enforcement action aimed at a compliance professional is, of course, the action being taken by FinCEN against Thomas Haider, former Chief Compliance Officer of MoneyGram International Inc.5 In a complaint filed on FinCEN’s behalf by the United States Attorney for the Southern District of New York on December 18, 2014, the government seeks an order enforcing a $1,000,000 civil money penalty (“CMP”) against Mr. Haider for failing to ensure that MoneyGram “(1) implemented and maintained an effective AML program and (2) fulfilled its obligation to file timely SARs.”6 This Complaint also seeks an injunction barring Mr. Haider from participating directly or indirectly in the conduct of the affairs of any financial institution located in or conducting business in the United States for a term of years to be defined at trial.7 More specifically, FinCEN alleged that Mr. Haider failed to ensure that MoneyGram:

■ Implemented a policy for disciplining agents and outlets that MoneyGram personnel knew or suspected were involved in fraud and/or money laundering;
■ Terminated agents and outlets that MoneyGram personnel understood were involved in fraud and/or money laundering, including outlets that Haider himself was on notice posed an unreasonable risk of fraud and/or money laundering;
■ Fulfilled its obligation to file timely SARs, because Haider maintained MoneyGram’s AML program so that the individuals responsible for filing SARs were not provided with information possessed by MoneyGram’s Fraud Department that should have resulted in the filing of SARs on specific agents or outlets;
■ Conducted effective audits of agents and outlets, including outlets that MoneyGram personnel knew or suspected were involved in fraud and/or money laundering; and
■ Conducted adequate due diligence on prospective agents, or existing agents seeking to open additional outlets, which resulted in, among other things, MoneyGram (1) granting outlets to agents who had previously been terminated by other money transmission companies and (2) granting additional outlets to agents who MoneyGram personnel knew or suspected were involved in fraud and/or money laundering.8

In 2014, the New York Department of Financial Services (“DFS”) took a pair of actions against financial institutions that, while not directly seeking to penalize individuals, nevertheless resulted in adverse actions being taken against individuals currently or formerly working for the institutions involved. In June of 2014, DFS entered into a Consent Order with BNP Paribas, S.A., New York Branch directing BNP to pay an $8.9 billion civil money penalty, restrict its U.S. dollar clearing operations going forward and terminate certain senior executive officers.9 As to the latter, DFS directed the termination of twelve officers and officials of the Bank involved in the illegal clearing operations, including the former Group Head of Compliance and directed that the Bank shall not in the future, directly or indirectly, retain any of the named officials as an “officer, employee, agent, consultant or contractor of the Bank or any of its affiliates.”10 The Consent Order alleges that these officials either ignored or overrode numerous compliance-related warnings raised by more junior compliance personnel and not only deferred to business managers who pressed to maintain a profitable line of business, but actively worked to support serious illegal conduct by the Bank and conceal it from their regulators and other authorities.11

In December of 2014, In the Matter of Bank Leumi, USA, Bank Leumi Le-Israel, B.M., DFS entered into a Consent Order that included provisions requiring the Bank to terminate and/or ban certain specific employees from further involvement in compliance-related activities, including the former Chief Compliance Officer, who the DFS alleged was complicit in perpetuating violations of law for conducting an illegal cross-border scheme to assist U.S. clients in evading federal and state taxes (http://www.dfs.ny.gov/about/press/pr1412222.htm). Under the Consent Order, the Compliance Officer was effectively banned from being involved “in any duties, responsibilities, or activities while employed at the Bank that involved compliance in any way.” The Bank also agreed to payment of a $130 million civil money penalty and appointment of an independent monitor to review the Bank’s compliance programs, policies and procedures.

Also in 2014, FINRA not only took action against the firm of Brown Harriman by fining the firm $8 million for numerous AML compliance failures; it also took action against the firm’s former AML compliance officer, Harold Crawford, by fining him $25,000 and suspending him for one month for his role in those failings, which FINRA alleged included failure to have an adequate anti-money laundering program in place to monitor and detect suspicious penny stock transactions, failure to sufficiently investigate potentially suspicious penny stock activity brought to the firm’s attention, and failure to meet SAR filing requirements.

What this all means for Compliance Professionals

Collectively, the above cases paint a sobering picture for compliance officers, particularly those in larger, more complex, financial institutions. Clearly, on an increasing basis, regulators are looking for ways to underscore the importance of AML compliance by sending a very strong message to compliance professionals that not only may the institution they serve be at risk, they may also be found personally liable. This raises a number of serious questions, including how do compliance professionals protect themselves from this kind of risk, and what are the implications of the current approach for the institutions they serve?

“…but one thing is certain, compliance professionals subject to DFS jurisdiction (and those who may become subject to some variation of the proposal should other financial service regulators follow suit) may understandably see this measure as one more means of targeting compliance professionals at a time when their services are needed most”

There are also a number of fundamental questions that all compliance professionals should be asking themselves in the current environment, and if they are not able to answer these questions in a satisfactory manner, they should consider themselves as being exposed to elevated risks of personal liability if/when something goes wrong.

■ Are you working in a healthy compliance environment? Is there a strong compliance culture that emanates from the top of the organization? If not, you may be personally at risk.
■ Is compliance receiving adequate staffing, resources and systems commensurate with the risks faced by the organization? If not, are you making those needs known to senior management and the Board and doing all you can to see that they are being met? If not, you may be personally at risk.
■ Does the organization have adequate controls in place that serve to identify risks, including those presented by third-party relationships, before they rise to unmanageable levels and ensure that risks are properly addressed once recognized? If not, you may be personally at risk.
■ When problems need to be elevated, does the organization have a good system in place for alerting senior management and the Board and getting their support for any corrective actions that need to be taken? If not, you may be personally at risk.

■■ Is the Compliance function keeping meticulous records that enable it to fully document issues and corrective measures taken? If not, you may be personally at risk.

While the cases discussed in this article are relatively few in number, the current environment suggests that we will see more to come. No one questions the need for strong remedial measures being taken against a compliance officer who knowingly fails to discharge his or her responsibilities or who looks the other way in the face of strong push-back from business lines in the organization focused exclusively on revenues and agnostic with respect to whether or not the organization is satisfying its compliance responsibilities. That said, there is certainly room for discussion as to when a compliance officer’s failures should rise to that level. As in all things, it’s a question of balance and when that balance tips too far one way or the other, the result can work a disservice to sound public policy. A recent SEC action illustrates the dilemma.

In August of 2015, the SEC issued a decision In the Matter of Judy K. Wolf, a compliance professional working with Wells Fargo (https://www.sec.gov/alj/aljdec/2015/id851ce.pdf). The SEC found clear violations on the part of Ms. Wolf, but ultimately declined to sanction her, citing, among other considerations, the following:

There is one additional consideration: the fact that Wolf worked in compliance. Obviously, compliance professionals are subject to the securities laws like everyone else. But Wolf is correct to complain that in compliance, “the risk is much too high for the compensation.” Tr. 439. In my experience, firms tend to compensate compliance personnel relatively poorly, especially compared to other associated persons possessing the supervisory securities licenses compliance personnel typically have, likely because their work does not generate profits directly. But because of their responsibilities, compliance personnel receive a great deal of attention in investigations, and every time a violation is detected there is, quite naturally, a tendency for investigators to inquire into the reasons that compliance did not detect the violation first, or prevent it from happening at all. The temptation to look to compliance for the “low hanging fruit,” however, should be resisted. There is a real risk that excessive focus on violations by compliance personnel will discourage competent persons from going into compliance, and thereby undermine the purpose of compliance programs in general. That is, “we should strive to avoid the perverse incentives that will naturally flow from targeting compliance personnel who are willing to run into the fires that so often occur at regulated entities.” Commissioner Daniel M. Gallagher, Statement on Recent SEC Settlements Charging Chief Compliance Officers With Violations of Investment Advisers Act Rule 206(4)-7 (June 18, 2015), available at http://www.sec.gov/news/statement/sec-cco-settlements-iaa-rule-206-4-7.html.

The SEC’s statement suggests that the public policy objectives of ensuring that organizations maintain high levels of compliance while also attracting and retaining highly-qualified and dedicated compliance professionals need not be at odds. The statement also suggests that when a balance is struck between the two, that the scales should arguably tip in favor of the latter objective. There is a finite number of well-qualified compliance professionals available to financial service organizations, particularly in the AML arena. However, as the above cases illustrate, in today’s environment, assuming a position as a compliance professional carries with it increasing risk of ever closer regulatory scrutiny and the potential for personal liability when things go wrong.

This article opened with a brief discussion of the DFS’ recent regulatory proposal to require that compliance officers certify to their organization’s compliance with requirements to maintain transaction monitoring and filtering program designed to detect potential violations of the Bank Secrecy Act and other AML laws and to identify and report suspicious activity. As noted above, under the proposal, failure to so certify, or the filing of an incorrect or false certification could expose the officer making the certification (i.e., the compliance officer) to criminal and other penalties. It remains to be seen whether the DFS’s regulation will be adopted as proposed, but one thing is certain, compliance professionals subject to DFS jurisdiction (and those who may become subject to some variation of the proposal should other financial service regulators follow suit) may understandably see this measure as one more means of targeting compliance professionals at a time when their services are needed most. ■

ABOUT THE AUTHOR

RALPH SHARPE, Counsel at Venable LLP, is head of Venable’s Financial Services Group Risk Management and Compliance Team. Mr. Sharpe draws upon his 26 years of experience in key positions with the Office of the Comptroller of the Currency (OCC), including Director of Enforcement and Compliance, Deputy Comptroller for Bank Technology, and Deputy Comptroller for Community and Consumer Compliance. In addition, Mr. Sharpe served as the Deputy Comptroller for Multinational Banking at the OCC, where he was responsible for the supervision of the ten largest national banks. His full bio can be found at: https://www.venable.com/ralph-e-sharpe/. He can be reached at [email protected].

ENDNOTES

1 See http://www.dfs.ny.gov/about/press/pr1512011.htm
2 Id.
3 Id.
4 Id.
5 FinCEN’s action against Mr. Haider follows on the heels of a Deferred Prosecution Agreement (“DPA”) entered into by MoneyGram on November 9, 2012 with the U.S. Attorney’s Office for the Middle District of Pennsylvania on various charges, including a charge of willfully failing to implement an effective AML program. MoneyGram agreed to forfeit $100 million as part of the DPA and to retain an independent compliance monitor approved by the DOJ.
6 A copy of FinCEN’s Press Release and the Complaint filed by the USA’s Office can be found at https://www.fincen.gov/news_room/ea/files/Haider_Assessment.pdf and https://www.fincen.gov/news_room/ea/files/USAO_SDNY_Complaint.pdf respectively.
7 By Order dated March 17, 2015, the case was transferred to the U.S. District Court for the District of Minnesota. As of the submission of this article, no dispositive actions have been taken in the matter.
8 Supra, fn 5, Complaint at 3-4.
9 See http://www.dfs.ny.gov/about/press/pr1406301.htm
10 Id.
11 Id., See Paragraph 47 of the Order


April 2015

Key Trends in BSA/AML Compliance: Heightened Regulatory Expectations as Industry Growth Presents New Challenges

BY THE GLOBAL BANKING AND PAYMENT SYSTEMS PRACTICE

As the Federal Banking Agencies (“FBAs”)1 continue to sharpen and focus supervisory attention on enforcement of the Bank Secrecy Act (“BSA”) and U.S. anti-money laundering (“AML”) laws, banks are facing new and difficult regulatory, supervisory, and compliance challenges. Importantly, these developments have been accompanied by a marked uptick in BSA/AML enforcement activity by the FBAs and the Financial Crimes Enforcement Network (“FinCEN”). Highlighting this renewed emphasis, in August 2014, FinCEN issued an advisory emphasizing its expectations for financial institutions’ BSA/AML compliance programs, including: engagement and accountability of financial institution management and directors; allocation of sufficient compliance staffing and related resources; sharing of relevant compliance related information across business units; competent and independent testing of an institution’s BSA/AML compliance program, as well as periodic updates to address emerging issues and trends; and an enterprise-wide understanding of the critical role of BSA/AML reporting requirements.2

Perhaps more significantly, since 2012, the FBAs and FinCEN have brought a number of high profile supervisory and enforcement actions involving BSA/AML compliance issues against financial institutions, including banks and nonbanks.3 A closer review of the enforcement activity since the beginning of 2014 reveals that the FBAs have not only increased their attention on and heightened their expectations for BSA/AML compliance for banks and thrifts, but have also expanded their focus to impose enforcement actions against a broader range of institutions, as well as individual officers of financial institutions. There is no reason to think that this activity will stop at the boardroom; in fact, the regulators have made clear their expectations for director accountability of the bank’s critical compliance programs.

The emphasis on BSA/AML compliance is continuing into 2015, with a notable focus on certain hot-button issues including cryptocurrency, cybersecurity, and innovative payment technologies, such as mobile payments. The regulatory focus on these areas raises new issues for banks, including how to balance increased BSA/AML compliance obligations with monetary costs to the bank, as well as for nonbank institutions—specifically, with respect to the increasingly important role nonbank BSA/AML service providers play in the rapidly expanding footprint of the banking and financial services industry both domestically and internationally.


Recent BSA/AML Enforcement Activity

In 2014, the FBAs continued to emphasize their expectation that financial institutions establish and implement robust BSA/AML compliance programs.4 The FBAs’ heightened focus on identifying and addressing deficiencies in BSA/AML compliance programs has resulted in significant enforcement actions, including the imposition of substantial civil money penalties (“CMPs”) by the FBAs and FinCEN. Among the more notable enforcement actions highlighting the FBAs’ interest in and attention to BSA/AML issues, the FBAs pursued the following actions against national banks:

• In June 2014, the Office of the Comptroller of the Currency (“OCC”) entered a consent order for a $500,000 CMP with a national bank based on deficiencies identified in its BSA/AML compliance program.5 According to the OCC, during the period from 2010 to 2012 the bank, among other things, failed to (1) conduct adequate risk assessments and customer due diligence; (2) establish and implement an adequate suspicious activity monitoring system; (3) conduct adequate independent testing of its BSA/AML compliance program; and (4) provide the necessary resources and training to its BSA staff. In particular, the OCC alleged that the bank had failed to identify compliance program deficiencies and properly identify high-risk customers, resulting in the failure to timely file approximately 670 suspicious activity reports (“SARs”).

• In a January 2014 agreement with FinCEN, the U.S. Attorney’s Office for the Southern District of New York, and the OCC, a large national bank paid $2.05 billion to settle civil liability claims based on alleged willful violations of the BSA and the failure to report suspicious transactions arising out of a long-standing multi-billion dollar fraudulent investment scheme.6 Under the terms of the settlement, for a number of years, bank employees had identified suspicious repeated round-dollar transactions between two prominent clients but did not file any SARs with law enforcement, even after another bank involved in the transactions filed a SAR and closed down an account owned by one of the clients. Exacerbating the situation, between 2006 and 2008, the bank conducted due diligence reviews on an investment fund and several feeder funds and identified several red flags for fraud, including: (1) investment performances that appeared too good to be true, (2) lack of transparency in investment and trading activity, (3) use of a small, unknown auditor, and (4) repeated refusal by the investment fund to fully comply with due diligence review requests. Despite the red flags, the bank failed to report its concerns to its AML personnel or to notify FinCEN, as required by law, even though employees at a foreign branch had filed suspicious activity reports with their host country’s regulator, a filing known to the bank’s U.S.-based AML compliance officers. FinCEN criticized the bank’s failure to report these suspicious activities in light of the bank’s redemption of its own investments in the suspicious funds.

• In a similar settlement with the OCC in January 2014, another bank agreed to pay a $500,000 CMP to the OCC as a result of BSA/AML compliance program deficiencies.7 The OCC alleged that the bank’s compliance department lacked resources and expertise, failed to provide for independent testing for BSA compliance, conducted inadequate risk assessments, and failed to implement an adequate suspicious activity monitoring system. The OCC also criticized the bank’s internal audit review for its failure to identify the compliance program’s deficiencies; a subsequent look back resulted in the filing of 110 new SARs and 172 supplemental SARs.


The level of interest and enforcement activity has not abated in 2015, with the following action already noted:

• In February 2015, the OCC and FinCEN entered a consent order for a $1.5 million CMP with a community bank based on BSA violations as a result of failure to detect and adequately report suspicious transactions—the transactions involved millions of dollars in illicit proceeds from a judicial corruption scheme.8 According to FinCEN, the bank failed to identify significant red flags, including: (1) a 2007 law enforcement subpoena submitted against individuals and entities involved in the transactions, (2) repeated round-dollar transactions, often occurring on a single day, and (3) abnormal activity volume compared to account balances. FinCEN specifically criticized the bank’s failure to review for risk the accounts and documents of the individuals and entities identified in the subpoena. Another critical factor was that the bank waited two years—after the leaders of the fraud had pled guilty to criminal offenses—before filing SARs regarding the suspicious activity that totaled approximately $6.3 million.

In addition to these more typical actions involving banks, the FBAs also imposed CMPs for BSA/AML violations against a number of nonbank financial institutions, as well as individual officers. These include:

• In March 2015, the OCC and FinCEN entered a consent order for a $75,000 CMP against a money service business (“MSB”) and its owner and AML compliance officer based, among other things, on willful violations of the BSA’s compliance program and reporting requirements.9 The MSB conducted check cashing services, but failed to implement an adequate AML program. The agencies alleged that the MSB lacked adequate internal controls, failed to conduct independent compliance reviews, and failed to adequately train appropriate personnel. Specifically, the company’s AML compliance program lacked procedures for employees to follow when customers presented checks to be cashed for greater than $10,000 as well as procedures for verifying the accuracy of currency transaction reports (“CTRs”). Moreover, the MSB’s employee training failed to address procedures related to check cashing and was conducted infrequently, with new employees not receiving training for many years. Additionally, the company and its AML officer filed CTRs late, and not at all for a period of more than two years.

• In January 2015, FinCEN and the U.S. Securities and Exchange Commission (“SEC”) assessed a $20 million CMP against a securities broker-dealer for BSA violations.10 The agencies alleged that, during the period from 2008 through May 2014, the securities broker-dealer failed to establish and implement an adequate AML program, conduct adequate due diligence on customers, and comply with requirements under Section 311 of the USA PATRIOT Act. In particular, FinCEN identified 16 customers who had engaged in suspicious patterns of trading involving penny stocks, which the securities broker-dealer failed to report. The securities broker-dealer also failed to conduct adequate due diligence and monitor a foreign financial institution customer that it had deemed “high risk.”

• In December 2014, FinCEN assessed a $1 million CMP against the former Chief Compliance Officer (“CCO”) of an MSB for his failure to ensure the MSB complied with the AML provisions of the BSA.11 Additionally, the U.S. Attorney’s Office for the Southern District of New York, acting as FinCEN’s representative, filed a complaint seeking to enforce the CMP and to ban the CCO from employment in the financial industry. According to FinCEN, the CCO willfully violated the BSA requirements to implement an effective AML compliance program and to report suspicious activity. While serving as CCO, the individual oversaw the MSB’s fraud department, which received thousands of complaints from consumers who had been defrauded by agents of the MSB. FinCEN specifically alleged that the CCO failed to: (1) establish a policy for disciplining agents suspected of involvement in fraud or money laundering, (2) terminate agents known by the MSB to be engaged in fraud or money laundering, (3) ensure timely filing of SARs, (4) ensure effective audits of suspected agents were conducted, and (5) ensure the MSB performed adequate due diligence. According to FinCEN, the CCO violated his obligations as CCO, which allowed criminals to defraud thousands of innocent customers—many of whom were elderly—and launder the proceeds of such funds.

• A month earlier, in November 2014, FinCEN assessed a $300,000 CMP against a small credit union based on alleged BSA violations.12 Notably, the credit union had only five employees and $4 million in assets. However, the credit union contracted with a third party vendor and MSB to provide services and subaccounts to 56 MSBs during the period 2009 to 2014. The 56 MSBs were not members of the credit union, were located in high-risk jurisdictions, and produced over $1 billion in transaction volume through outgoing wire transfers. During the period, the credit union failed to implement an adequate BSA compliance program and, instead, relied on the third-party vendor to conduct its required due diligence on MSBs. FinCEN cited the credit union’s deficient BSA compliance program—inadequate internal controls, lack of independent testing, insufficient training, failure to designate an appropriate BSA compliance officer, and systemic reporting failures—as exposing the U.S. financial system to significant risks of money laundering and terrorist financing.

• In another settlement several months earlier, an MSB and its president/owner agreed to pay a $10,000 CMP to FinCEN for alleged violations of the BSA.13 The president/owner served as the MSB’s compliance officer, despite her lack of knowledge and experience with respect to the BSA. As a result, the MSB failed to develop an effective compliance program. Of particular concern, FinCEN noted that the MSB’s inadequate policies, procedures, and internal controls failed to confirm the identities of consumers, monitor for suspicious transactions, identify currency transactions exceeding certain monetary values, provide sufficient training, or create adequate records. Additionally, the president/owner never conducted a BSA/AML risk assessment of the MSB and failed to conduct independent testing of the MSB’s compliance program for a period of over six years.

Key Trends Emerging in BSA/AML Enforcement and Compliance

These recent enforcement actions highlight the ongoing expectation of the FBAs, FinCEN, and state regulators that financial institutions implement and maintain robust BSA/AML compliance programs that are appropriately tailored to the institution’s risk profile. This high level of regulatory scrutiny is likely to continue for the foreseeable future, with key developments emerging to reflect the growth of—and significant changes to—the financial services industry in areas such as mobile and other emerging payment systems, continued reliance and dependence on service providers, and rapidly increasing cybersecurity risks. Based on last year’s actions, financial institutions should understand and remain current on the following enforcement trends:


Increased Focus on MSBs, Including Cryptocurrency Companies

Although the FBAs have always had the authority, for purposes of the BSA and FinCEN’s implementing regulations, to regulate and bring enforcement actions against a broad range of financial institutions, historical enforcement actions typically focused on banks and, occasionally, their third party service providers. Notably, 2014 marked an expansion in the regulators’ increasing focus on nonbank financial institutions, such as MSBs and securities broker-dealers. Although the enforcement actions taken against MSBs in 2014 generally involved system due diligence, risk monitoring, and reporting failures, the actions also highlight the increased risks and heightened regulatory scrutiny surrounding MSBs.

Since the enactment of the USA PATRIOT Act in 2001, regulatory supervision and enforcement actions have increasingly scrutinized potential money laundering activities, and MSBs have been perceived as higher-risk customers in the wake of these developments. Due to concerns with regulatory scrutiny, uncertainty of regulatory expectations, the risks presented by various types of MSB accounts, and the costs and burdens associated with maintaining MSB accounts,14 many banks have limited MSBs’ access to banking products and services. In response to this “de-risking” of bank MSB operations, the FBAs have recently taken steps to clarify that banks should not be discouraged from working with and serving MSBs, but should have appropriate risk mitigation measures in place to do so.15

A similar approach may be taking shape with respect to the cryptocurrency industry. With the continued expansion of the industry, cryptocurrency companies and financial institutions providing products and services to those in the industry are likely to face increased regulatory scrutiny. For example, in July 2014, the New York State Department of Financial Services (“NYDFS”) proposed to develop a regulatory licensing framework for virtual currency businesses.16 Under the proposed framework, licenses would be required for businesses engaged in: (1) receiving or transmitting virtual currency on behalf of consumers; (2) securing, storing, or maintaining custody or control of such virtual currency on the behalf of customers; (3) performing retail conversion services; (4) buying and selling virtual currency as a customer business; or (5) controlling, administering, or issuing a virtual currency.17 Such licensees would be required, among other things, to maintain robust AML compliance programs that, at a minimum, provide internal controls to ensure ongoing compliance with applicable BSA/AML laws and regulations, provide for independent testing, designate a qualified individual for coordinating and monitoring day-to-day compliance, and provide ongoing training to appropriate personnel.18 To date, four other states—Hawaii, Idaho, Vermont, and Washington—actively license, regulate, and oversee the transmission of virtual currency. Two additional states—California and North Carolina—are in the process of or considering doing so.

As the cryptocurrency industry grows, state and federal banking regulators will be certain to increase their scrutiny of bank practices related to cryptocurrency customers, and/or follow New York’s efforts to impose licensure and industry-specific BSA/AML requirements on the cryptocurrency industry.

Innovative Payment Technologies May Present a Challenge to the FBAs

As the payment systems industry continues its rapid growth, innovative and emerging payment technologies and new market participants will present new regulatory challenges and issues for the FBAs, FinCEN, state regulators, and law enforcement.

In particular, as nonbank companies such as telecommunications providers begin to offer new payment systems to their consumers, the FBAs and other regulators will not only need to understand these technologies, but also grapple with their role as regulators to the financial services industry. In most cases, the FBAs have supervisory and examination authority over industry participants pursuant to the Bank Service Company Act; however, in some cases the FBAs’ regulatory jurisdiction may be unclear. Innovations in payment technologies, like the development of mobile wallets and other mobile payment systems, have resulted in an overlap of financial and telecommunication regulatory schemes. Mobile payment services, in particular, are currently subject to oversight by the FCC with respect to mobile carrier standards and competition, the FTC with respect to consumer protection and identity fraud, and the FBAs with respect to consumer protection and banking regulations, including BSA/AML compliance.19 Although it is generally understood that the FBAs’ regulations and laws applicable to payment methods (credit, debit, prepaid, and ACH) govern these mobile payments, uncertainty remains with respect to coverage and liability responsibilities.20 Unlike traditional banking products that allow financial institutions to control much of a transaction, “mobile payments require the coordinated and secure exchange of payment information over several unrelated entities,”21 many of which have not previously been subject to the FBA’s oversight and supervision.

In addition to the challenge of converging telecommunication and financial regulatory schemes, mobile payments present increased risks of money laundering and financing of terrorism activities. For example, criminals have increased access to a consumer’s banking account by stealing a mobile phone with inadequate security or hacking a wireless network that transfers the financial data for such account. The continued growth of the mobile payments industry is requiring the FBAs to determine which technologies to supervise, how to supervise such technologies, and which technologies are more appropriately and effectively regulated by other agencies (i.e., the FCC or FTC).

Implications for Community Banks

As highlighted by FinCEN’s imposition of a CMP on a small credit union in April 2014, every financial institution is expected to establish a BSA/AML compliance program commensurate with the institution’s risk level, regardless of the institution’s size or staffing. Financial institutions must carefully consider the risks associated with their customers and lines of business to determine what resources are required to adequately monitor BSA/AML risks. Importantly, smaller financial institutions must walk a fine line between heightened regulatory expectations requiring robust compliance programs, and managing the typically higher costs of such compliance programs. And this is not only a financial resources issue; some banks have faced regulatory criticism due to skyrocketing compliance costs. It is not uncommon for a small community bank’s earnings to suffer as a result of such costs. The enhanced scrutiny on BSA/AML compliance for small financial institutions and increased regulatory expectations present the very real risk that small financial institutions may effectively be supervised out of the market. This is an issue of which the FBAs and other regulators are aware and which they are continuously trying to address, but for which there are no ready solutions.

Oversight of Third Party Vendors

The FBAs have made clear that reliance on third party service providers for due diligence will not be sufficient to satisfy regulatory expectations. While financial institutions may appropriately outsource aspects of their BSA/AML compliance programs to third party compliance vendors, financial institutions and their officers will ultimately be held responsible for the institution’s BSA/AML compliance program. It is critical that institutions using third party vendors take appropriate measures to oversee vendors’ ongoing activities and operations on behalf of the bank, as well as to implement additional checks and controls within the institution to oversee and ensure compliance on a real-time basis.


Cybersecurity

FBAs are increasingly considering a financial institution’s cybersecurity measures as part of the institution’s BSA/AML compliance obligations. In a March 2, 2015 speech before the Institute of International Bankers, OCC Comptroller Curry noted that “the goals of BSA/AML and cybersecurity are increasingly converging. Terrorists, drug cartels, and cybercriminals all have a need to generate cash and move money, and it would seem that many of them would share some of the same goals. There are lessons to be learned from our decades-long experience in BSA enforcement that can be applied to the cybersecurity area, and vice versa.”22 Clearly, this is a time in which financial institutions of all sizes should be expecting increased FBA supervision of their cybersecurity measures, including as an ongoing part of both their supervisory safety and soundness and regulatory compliance examinations.

Focus on Individual Accountability23

Financial institutions and their staff must also be aware of and vigilant with respect to understanding the scope and nature of enforcement actions that could be brought directly against individual officers and directors for institutional BSA/AML compliance failures. As highlighted in several of the enforcement actions discussed above, the FBAs may hold individual officers accountable for compliance program deficiencies, regardless of whether the officers serve at national banks with significant experience and compliance resources, at small insured institutions, or at relatively new MSBs or other nonbank entities.

In addition to these enforcement actions, the Comptroller raised the issue of senior management “oversight accountability” for BSA/AML compliance, suggesting that financial institutions should be required to establish “clear lines of accountability that make it possible to hold senior executives responsible for serious compliance breakdowns that lead to BSA program violations.”24 State regulators appear to be adopting a similar approach. For example, NYDFS Superintendent Benjamin Lawsky has stated that “fines—while often necessary—are not sufficient to deter misconduct on Wall Street … We must also work to impose individual accountability, where appropriate, and clearly proven, on specific bank employees that engaged in wrongdoing.”25 NYDFS put its theory into action last year, requiring a bank, as part of a settlement agreement for violating U.S. sanctions and anti-money laundering rules, to terminate 13 officers and discipline 45 employees found responsible for or complicit with the bank’s alleged misconduct.26

Action Plan for Financial Institutions

Given the increasingly complex BSA/AML compliance landscape, it is critical for banks and nonbank financial firms to develop and implement an action plan to address the heightened regulatory scrutiny and program risks presented with BSA/AML compliance. This requires an enterprise-wide review and assessment of BSA/AML risk, regardless of the size and complexity (or lack thereof) of a financial institution’s operations. At a minimum, an action plan should include the following:

• Ensure a Strong Top-Down Compliance Culture. Involvement by bank senior officers and directors in understanding and overseeing a financial institution’s BSA/AML compliance program is a key element of an effective program. Directors must be active participants in reviewing and overseeing an institution’s compliance function and activities. Boards of directors should consider building BSA/AML compliance measures into the performance criteria for senior bank and business unit managers, ensuring that responsibility for oversight is assumed at the highest levels of the organization. This should include implementing clearly defined channels for reporting compliance deficiencies, and conducting thorough board reviews of BSA/AML compliance lapses to assess program weaknesses and determine whether additional board action may be warranted to address compliance program deficiencies. Implementing a strong compliance culture at all levels of the organization will help to ensure that employees recognize that compliance is a top priority.

• Committing Sufficient Personnel and Technological Resources, While Avoiding Excessive Overhead Costs. As discussed above, there has been increased tension between financial institutions’ BSA/AML compliance obligations and the need to keep overhead costs appropriate for the size of the institution. A financial institution must be able to demonstrate to regulators that it has committed the necessary resources—and is willing and able to invest additional resources, as appropriate—to establish and maintain a robust BSA/AML compliance program, including investments in technology, staff, training, and monitoring capabilities. The cost of committing adequate resources up-front will produce benefits in terms of reduced risk exposure and potential remedial costs and fines for failing to take the necessary actions to achieve and maintain BSA/AML compliance.

• Focus on Cybersecurity. In addition to maintaining updated information technology (“IT”) software and programs, management and boards should ensure adequately trained staffing to monitor and supervise these processes and programs. Examiners will typically probe IT systems and back-end analytical departments to ensure that case management processes for unique or unusual transactions are supported by reasonable financial intelligence.

• Risk Management. Regulators will continue to examine financial institutions with a focus on ensuring that senior management and boards of directors have taken the time to identify the particular risks posed by a financial institution’s business model and designed a BSA/AML compliance program that addresses such risks. Institutions should consider reviewing and updating their internal controls as necessary to address new and increased risks associated with particular industries and customers.

• Effective Detection and Reporting. Effective transaction monitoring and detection systems should be deployed and sufficiently staffed by trained personnel. While the particulars of a financial institution’s detection and reporting system will be based on its size and BSA/AML risk profile, senior management should ensure that a financial institution’s BSA and SARs policies are clear, precise and leave limited discretion to lower-level employees, which will promote consistent and timely filing. In addition to general BSA/AML training provided to all employees, financial institutions should consider additional training targeted at certain business units that pose higher risks and should make sure that such units are appropriately designed and equipped to detect and report suspicious activities related to heightened BSA/AML risks.

• Smaller Financial Institution Risks. Smaller financial institutions should identify particular lines of business or geographic regions that pose higher risks, and ensure such risks are specifically reflected and addressed in their BSA/AML compliance program, policies, and procedures. For example, an institution may not have a significant foreign presence, but may engage in issuing prepaid cards, supporting cash intensive businesses, have significant mobile banking platforms, and/or may serve particular groups of high-risk customers, all of which increase the institution’s overall BSA/AML risk profile.


1 The FBAs are the Office of the Comptroller of the Currency (“OCC”), the Federal Deposit Insurance Corporation (“FDIC”), and the Board of Governors of the Federal Reserve System (“FRB”).
2 See Financial Crimes Enforcement Network, FIN-2014-A007, Advisory to U.S. Financial Institutions on Promoting a Culture of Corporate Compliance (August 11, 2014) (“Advisory”), available at http://fincen.gov/statutes_regs/guidance/pdf/FIN-2014-A007.pdf.
3 For purposes of the BSA and FinCEN implementing regulations, a “financial institution” includes: banks, trust companies, U.S. agencies or branches of foreign banks, credit unions, and thrifts; brokers or dealers in securities or commodities and investment companies; currency exchangers, issuers, redeemers, or cashiers of travelers checks, checks, money orders, or similar instruments; insurance companies; dealers in precious metals, stones, or jewels; pawnbrokers and loan or finance companies; money transmitters; and certain casinos or gaming establishments. See 31 U.S.C. § 5312(a)(2); 31 C.F.R. § 1010.100(t).
4 Paul Hastings previously detailed the rise in BSA/AML and OFAC enforcement activity targeted at depository institutions in the Paul Hastings Client Alert titled AML/BSA and OFAC Compliance—Higher Stakes and Greater Consequences for Banks (March 2013), available at http://www.paulhastings.com/docs/default-source/PDFs/stay-current---bsaaml-and-ofac-compliance-higher-stakes-and-greater-consequences-for-banksdf36df6923346428811cff00004cbded.pdf.
5 See OCC EA 2014-094, AA-EC-2014-60 (June 26, 2014), available at http://www.occ.gov/static/enforcement-actions/ea2014-094.pdf.
6 See FinCEN Matter No. 2014-1 (January 7, 2014), available at http://www.fincen.gov/news_room/ea/files/JPMorgan_ASSESSMENT_01072014.pdf.
7 See OCC EA 2014-006, AA-EC-2013-11 (January 14, 2014), available at http://www.occ.gov/static/enforcement-actions/ea2014-006.pdf.
8 See FinCEN number 2015-03 (February 27, 2015), available at http://www.fincen.gov/news_room/ea/files/FNCB_Assessment.pdf.
9 See FinCEN number 2015-03 (February 27, 2015), available at http://www.fincen.gov/news_room/ea/files/FNCB_Assessment.pdf.
10 See Press Release, FinCEN (January 27, 2015), available at http://www.fincen.gov/news_room/nr/html/20150127.html.
11 See Press Release, FinCEN (December 18, 2014), available at http://www.fincen.gov/news_room/nr/pdf/20141218.pdf.
12 See Press Release, FinCEN (November 25, 2014), available at http://www.fincen.gov/news_room/nr/html/20141125.html.
13 See FinCEN Matter No. 2014-03 (April 23, 2014), available at http://www.fincen.gov/news_room/ea/files/NMCE%20Assessment.pdf.
14 See OCC Acting Comptroller Julie L. Williams, Testimony before Committee on Banking, Housing, and Urban Affairs of the U.S. Senate at 12 (April 26, 2005).
15 See Cohen Speech; see also FinCEN Statement.
16 See Press Release, NYDFS (July 17, 2014), available at http://www.dfs.ny.gov/about/press2014/pr1407171.html.
17 See Press Release, NYDFS (July 17, 2014), available at http://www.dfs.ny.gov/about/press2014/pr1407171.html.
18 See Section 200.15 of proposed BitLicense Regulatory Framework (February 25, 2014), available at http://www.dfs.ny.gov/legal/regulations/revised_vc_regulation.pdf; see also Press Release, NYDFS (July 17, 2014), available at http://www.dfs.ny.gov/about/press2014/pr1407171.html.
19 See Federal Reserve Bank of Atlanta, The U.S. Regulatory Landscape for Mobile Payments (July 25, 2012).
20 See Federal Reserve Bank of Atlanta, The U.S. Regulatory Landscape for Mobile Payments (July 25, 2012).
21 See FDIC, Supervisory Insights—Winter 2012—Mobile Payments: An Evolving Landscape (January 3, 2013), available at https://www.fdic.gov/regulations/examinations/supervisory/insights/siwin12/mobile.html.
22 Remarks by Thomas J. Curry, Comptroller of the Currency, Before the Institute of International Bankers (Mar. 2, 2015), available at http://www.occ.gov/news-issuances/speeches/2015/pub-speech-2015-32.pdf.
23 For additional detail on the growing threat of enforcement actions targeted at individual financial institution officers and directors for institutional violations of law, please see the recently issued Paul Hastings Client Alert titled Getting Personal—Financial Regulators Warn of New Era of Individual Responsibility (April 2014), available at http://www.paulhastings.com/docs/default-source/PDFs/getting-personal-financial-regulators-warn-of-new-era-of-individual-responsibility.pdf.
24 Thomas J. Curry, Remarks Before the Association of Certified Anti-Money Laundering Specialists (March 17, 2014), available at http://www.occ.gov/news-issuances/speeches/2014/pub-speech-2014-39.pdf.
25 Press Release, New York Department of Financial Services (November 18, 2014), available at http://www.dfs.ny.gov/about/press2014/pr1411181.htm.
26 Press Release, New York Department of Financial Services (June 30, 2014), available at http://www.dfs.ny.gov/about/press2014/pr1406301.htm.

Paul Hastings LLP StayCurrent is published solely for the interests of friends and clients of Paul Hastings LLP and should in no way be relied upon or construed as legal advice. The views expressed in this publication reflect those of the authors and not necessarily the views of Paul Hastings. For specific information on recent developments or particular factual situations, the opinion of legal counsel should be sought. These materials may be considered ATTORNEY ADVERTISING in some jurisdictions. Paul Hastings is a limited liability partnership. Copyright © 2015 Paul Hastings LLP.

REGULATORY FRAUD REPORTING LOST IN A SEA OF CHANGE?

BY BRIDGET BERG

SUMMARY

In 2012, the Bank Secrecy Act expanded its requirements for reporting of mortgage loan fraud to include nonbank residential mortgage loan originating companies. This expansion was expected, over time, to help the ability of regulators and the mortgage industry to have greater transparency in and awareness of mortgage fraud trends. However, more than three years after the effective date of the regulation, reporting levels are a fraction of estimates. Has this regulatory change been lost in the shadow of other changes, such as TRID?

This article provides insight into the history of Suspicious Activity Reporting and Anti-Money Laundering requirements and identifies potential discrepancies and complexities in deciding how to approach reporting as potential fraudulent trends continue to evolve.

BACKGROUND AND TIMELINE

The Currency and Foreign Transactions Reporting Act of 1970 (which legislative framework is commonly referred to as the Bank Secrecy Act or BSA) requires U.S. financial institutions to assist U.S. government agencies to detect and prevent money laundering. Specifically, the act requires financial institutions to keep records of cash purchases of negotiable instruments, file reports of cash transactions exceeding $10,000 (daily aggregate amount), and to report suspicious activity that might signify money laundering, tax evasion, or other criminal activities. It was passed by the Congress of the United States in 1970. The BSA is sometimes referred to as an anti-money laundering law (AML) or jointly as BSA/AML. Several AML acts, including provisions in Title III of the USA PATRIOT Act of 2001, have been enacted up to the present to amend the BSA. (See 31 USC 5311-5330 and 31 CFR Chapter X [formerly 31 CFR Part 103]).

Beginning in 2002, mortgage loan fraud has been called out as a specific area of interest for the Bank Secrecy Act Suspicious Activity Reporting.

From 2002 to 2012, Suspicious Activity Reports (SARs) for mortgage loan fraud were filed primarily by depository institutions, and reporting volumes increased significantly from 2002 to 2011. Because much of the reported activity was found during review of defaulted loans years after the actual suspicious activity, the reporting peak (Figure 1: red line) shows a five- to six-year delay versus the start of suspicious activity peak (Figure 1: blue line). Regardless of “delayed discoveries,” the increase in the volume of actual reports was definitely signaling a very large rise in mortgage loan fraud in the years before the financial crisis.

Figure 1: FinCEN 2012 SAR Data

Beginning in 2012, nonbank lenders were included in the responsibility to maintain anti-money laundering programs and file Suspicious Activity Reports. Prior to this, they did not file SARs.

KEY DATES:

February 14, 2012 – Final Rule published requiring nonbanks to comply with AML and SAR requirements.

“The SAR regulation requires reporting of suspicious activity, including but not limited to fraudulent attempts to obtain a mortgage or launder money by use of the proceeds of other crimes to purchase residential real estate.” (Federal Register Vol 77 Feb 14, 2012)

August 13, 2012 – Effective date for compliance with the Final Rule.

April, 2013 – Electronic filing standard became effective; therefore, Suspicious Activity Reports were required to be filed electronically.

August, 2014 – A separate designation of financial institutions for “Loan or Finance Company” was effective within the FinCEN electronic reporting system.

Today, the Financial Crimes Enforcement Network (FinCEN) makes summary data publicly available for SAR filings filed through the electronic system. In 2012 and 2013, SAR summary data compilation and availability had multiple changes and inconsistencies. Therefore, the 2014 and 2015 filing levels from the FinCEN SAR Stats site were used for this article.

MARKET SHARE INCREASE FOR NONBANK LENDERS

Originations in the industry moved away from nonbanks after the financial crisis, but nonbanks are now making a strong comeback. In the fourth quarter of 2015, nonbank lenders accounted for 48.7 percent of GSE-securitized single-family mortgages, up from 12 percent in 2010 and 31 percent in 2013. Given the trend, it is likely that 2016 originations will be evenly split between banks and nonbanks. From a SAR perspective, half of the suspicious mortgage origination activity is likely occurring in nonbanks—the newly included institutions in the 2012 SAR reporting expansion.

RELATIVELY LOW FILINGS

It is evident that nonbank SAR reporting is understated given nonbank percentage of overall mortgage originations:

• Mortgage loan fraud SAR filings for depository institutions averaged 2,731 per month in 2014 and 2,134 per month in 2015.
• To estimate filing for nonbanks, institution categories of “other” and “Loan/Finance Companies” were combined. The combined estimates averaged 294 per month in 2014 and 390 per month in 2015.
• The estimate in the 2012 Final Rule for purposes of calculating the SAR reporting burden for nonbanks was 31,000 annually or 2,583 SAR reports per month.

Comparing nonbank filing levels to depository institution filing levels and to the estimates in 2012, suggests that the nonbank SAR filing rates are much lower than expected. The impact of delayed discoveries may account for a portion of the difference, but lack of awareness of requirements and immature programs in nonbanks are likely larger factors.

COMPLEXITIES IN REPORTING – SHOULD YOU OR SHOULD YOU NOT?

Nonbanks range in size from very small sole proprietorships to large corporations. Although most nonbanks may have employees with prior experience in depository institutions, most are unlikely to have experience in SAR reporting.

Even depository institutions with mature SAR policies and years of feedback from BSA examinations may struggle when determining whether a situation of mortgage fraud or suspected mortgage fraud should be reported. Misrepresentation and fraud can occur over the life of the loan, from origination through servicing, loss mitigation, and REO dispositions, and the schemes and trends can change over time. The mortgage industry does not have a single authoritative definition of what constitutes actual or attempted misrepresentation or fraud.

Most origination-type misrepresentations are based on false statements or omissions regarding the borrower’s ability to qualify for the loan or misrepresentation of the terms of the transaction or settlement details. Often, the intent behind misrepresentation appears clear, such as the case of a fabricated or altered paystub or bank statement. But sometimes it is uncertain whether discrepancies are due to misunderstanding, incomplete documentation, or a true intent to defraud.

An example of a less clear situation is where a borrower refinances a home they currently occupy for cash out prior to purchasing another home. On the standard loan application, the occupancy question is phrased: “Do you intend to occupy the property as your primary residence?” The application question does not specify for how long the applicant intends to occupy. However, at closing, the mortgage document includes a covenant that the borrower intends to occupy the property within 60 days and for a period of 12 months.

If the borrower uses the cash out from the first property to purchase a new primary residence and moves to the new property, is this a case of intentional fraud, incomplete documentation, or a misunderstanding?

Was there a single mortgage loan officer on both transactions? What was the timing between the transactions? Did the borrower have a prior application on the refinance that was counter-offered as an investment property and withdrawn?

If these other factors influence the SAR filing decision, it is likely that situations which appear similar initially may result in different decisions. Therefore, it is prudent to have policies, guidance, and/or documentation to support each decision.

The financial regulators’ 2014 Bank Secrecy Act/Anti-Money Laundering Examination Manual acknowledges: “The decision to file a SAR is an inherently subjective judgment.” It then emphasizes the institution’s process to escalate and evaluate situations rather than individual decisions.

BEST PRACTICES

Given the ambiguity involved in making the decision to report or not, the following guidelines are suggested:

• Work with your legal or compliance experts for guidance on AML and SAR compliance.
• Create and execute on a policy regarding employee training for identification and escalation of suspicious situations to promote consistency in filing.
• Include auditable fraud prevention and detection processes in your transaction and quality control workflows.
• Determine if a formal decision process for filing is prudent for your organization. If you have a process, adhere to it consistently.

CONCLUSION

Mortgage loan fraud Suspicious Activity Reports in the years before the financial crisis indicated a sharp trend of increased problematic activities. The expansion of Suspicious Activity Reporting and anti-money laundering requirements to nonbanks was a positive step in closing gaps that could be exploited by criminals, and makes lending employees in all lending institutions accountable for controlling and reporting fraud. Successful execution of the expansion will provide FinCEN, regulators, law enforcement, and most importantly, the mortgage industry with a more complete and possibly timelier view of fraud activity. As we enter an era of increased credit availability, the more robust SAR requirements and resulting filing levels may be an even better warning if these changes are accompanied by unacceptable fraud risk.

Bridget Berg is Senior Director, Fraud Solutions Strategy, for CoreLogic, where she leads the delivery of fraud risk management solutions to the mortgage industry. She can be reached at [email protected].

March 2016

March Enforcement Actions

| Agency/Bureau | Violation | Type of Penalty for Violation | Bank | Bank Asset Size ($K) | Date | Restitution Fine | CMP Fine | Link to enforcement action | Summary of enforcement action |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| CFPB | CMP | UDAAP | Student Aid Institute | N/A | 3/30/2016 | N/A | $50,000 | Consent Order | 2016-CFPB-0008 - Student Aid Institute Inc. charged illegal advance fees; deceived borrowers about the benefits and terms of its services; failed to provide required privacy notices; falsely represented an affiliation with the Department of Education. |
| FRB | CMP | BSA/AML | National Bank of Pakistan and Federal Reserve Bank of New York | N/A | 3/24/2016 | N/A | N/A | Written Agreement | 15-037-WA/RB-FB; 15-037-WA/RB-FBR - The bank had deficiencies relating to the Branch’s risk management and compliance with applicable federal and state laws, rules, and regulations relating to anti-money laundering (“AML”) compliance. |
| FRB | CMP | BSA/AML | Hazard Bancorp; Peoples Bank and Trust Company and the Federal Reserve Bank of Cleveland | $281,405 | 3/3/2016 | N/A | N/A | Written Agreement | 16-003-WA/RB-HC; 16-003-WA/RB-SM - BSA violations. |
| FRB | CMP | BSA/AML | Industrial Bank of Korea and Federal Reserve Bank of New York; New York, New York | N/A | 3/1/2016 | N/A | N/A | Written Agreement | 16-002-WA/RB-FB; 16-002-WA/RB-FBR - The bank had deficiencies relating to the Branch’s risk management and compliance with applicable federal and state laws, rules, and regulations relating to anti-money laundering (“AML”) compliance. |

1120 Connecticut Ave NW, Washington, DC 20036 1-800-BANKERS | aba.com

BSA-AML

Agency/Bureau Violation Type of Penalty Bank Bank Asset Size Date Restitution Fine CMP Fine Link to enforcement Summary of enforcement action for Violation ($K) action FRB CMP BSA/AML National Bank of N/A 3/24/2016 N/A N/A Written Agreement 15-037-WA/RB-FB; 15-037-WA/RB-FBR -The bank had deficiencies Pakistan and relating to the Branch’s risk management and compliance with Federal Reserve applicable federal and state laws, rules, and regulations relating to Bank of New York anti-money laundering (“AML”) compliance.

FRB CMP BSA/AML Hazard Bancorp; $281,405 3/3/2016 N/A N/A Written Agreement 16-003-WA/RB-HC; 16-003-WA/RB-SM - BSA violations Peoples Bank and Trust Company and the Federal Reserve Bank of Cleveland

FRB CMP BSA/AML Industrial Bank of N/A 3/1/2016 N/A N/A Written Agreement 16-002-WA/RB-FB; 16-002-WA/RB-FBR - The bank had Korea and Federal deficiencies relating to the Branch’s risk management and Reserve Bank of compliance with applicable federal and state laws, rules, and New York; regulations relating to anti-money laundering (“AML”) compliance New York, New York

FinCEN BSA/AML CMP Gibraltar Private $1,529,412 2/25/2016 None $4,000,000 of https://www.fincen.gov/news_ro Number 2016-01 - The bank failed to (a) implement and Bank and Trust which $2.5 million om/nr/pdf/Gibraltar_%20Assessm maintain an adequate anti-money laundering program, (b) ent.pdf Company; will be concurrent develop and implement an adequate customer identification Coral Gables, Fl with the penalty program, and (c) detect and adequately report suspicious imposed by the transactions. Gibraltar’s substantial program deficiencies led OCC to its failure to monitor and detect suspicious activity despite red flags. These deficiencies ultimately caused Gibraltar to fail to timely file at least 120 suspicious activity reports (“SARs”). OCC BSA/AML CMP Gibraltar Private $1,529,412 2/25/2016 None $2,500,000 http://www.occ.gov/static/enforc AA-EC-2015-104 - During the 2011, 2012 and 2013 Bank and Trust ement-actions/ea2016-018.pdf examinations of the Bank, examiners assessed the Bank’s Company; progress in obtaining compliance with the 2010 Order and Coral Gables, Fl determined that the Bank failed to achieve compliance with its requirements. During the 2013 examination, examiners also determined that the Bank had a repeat violation of 12 C.F.R. § 163.180 for failure to ensure timely SAR filings. FDIC BSA/AML CMP Banamex USA; $1,082,200 7/22/2015 None $140,000,000 https://www5.fdic.gov/ FDIC-14-0259k - The bank committed violations of law including but Century City, CA EDOBlob/Mediator.aspx?U not limited to violations of the Bank Secrecy Act. 
niqueID=8448b456-ccfe- 4626-8df4-a7501107a493 FinCen BSA/AML CMP Bank of Mingo; $93,879 6/15/2015 None $4,500,000 http://www.fincen.gov Number 2015-08 - The bank serviced high-risk customers without Williamson, WV /news_room/ea/files/Min effectively monitoring their accounts for suspicious activity, had go_Assessment.pdf significant deficiencies in all aspects of its AML program, including its internal controls, independent testing, training of personnel, and designation of a BSA officer with sufficient resources to adequately oversee its BSA compliance program, failed to properly assess the money laundering risk associated with its customers, failed to properly designate many customers and their accounts as high risk, and failed to adequately monitor and detect the unusual currency transactions or suspicious activities in which these customers engaged.

FDIC BSA/AML CMP Bank of Mingo; $93,879 6/15/2015 None $3,500,000 https://www.fdic.gov/ne FDIC-14-0071k - The bank failed to implement an effective Williamson, WV ws/news/press/2015/PR- BSA/AML Compliance Program over an extended period of time 49-2015a.pdf and failed to file multiple currency transaction reports and suspicious activity reports associated with this risk.

1120 Connecticut Ave NW, Washington, DC 20036 1-800-BANKERS | aba.com BSA-AML

Agency/Bureau: OCC
Violation: BSA/AML
Type of Penalty: CMP
Bank: Lone Star, National Bank; Pharr, TX
Bank Asset Size ($K): $2,155,074
Date: 4/1/2015
Restitution Fine: None
CMP Fine: $1,000,000
Link to enforcement action: http://www.occ.gov/static/enforcement-actions/ea2015-028.pdf
Summary of enforcement action for Violation: AA-EC-2015-20 - The bank had critical deficiencies with suspicious activity identification, monitoring, and reporting; two of the four minimum elements for the BSA program were not satisfied; the bank’s customer due diligence (“CDD”) and enhanced due diligence (“EDD”) for high-risk accounts was unsatisfactory; and there were a number of deficiencies with the Bank’s foreign correspondent relationship.

Agency/Bureau: FRB
Violation: BSA/AML
Type of Penalty: CMP
Bank: Commerzbank AG; Frankfurt am Main, Germany
Bank Asset Size ($K): N/A
Date: 3/12/2015
Restitution Fine: None
CMP Fine: $200,000,000
Link to enforcement action: http://www.federalreserve.gov/newsevents/press/enforcement/enf20150312a1.pdf
Summary of enforcement action for Violation: 15-001-B-FB & 15-001-CMP-FB - The bank lacked adequate risk management and legal review policies; failed to provide effective oversight to ensure the New York Branch’s compliance with BSA/AML requirements; and failed to provide timely and accurate information about transactions of Commerzbank’s foreign-based customers conducted through the New York Branch.

Agency/Bureau: FinCEN
Violation: BSA/AML
Type of Penalty: CMP
Bank: First National Community Bank; Dunmore, PA
Bank Asset Size ($K): $969,655
Date: 2/27/2015
Restitution Fine: None
CMP Fine: $1,500,000 ($500,000 will be concurrent with the penalty imposed by the OCC)
Link to enforcement action: http://www.fincen.gov/news_room/ea/files/FNCB_Assessment.pdf
Summary of enforcement action for Violation: Number 2015-03 - The bank willfully violated the Bank Secrecy Act by failing to detect or adequately report suspicious transactions involving millions of dollars in illicit proceeds from a judicial corruption scheme perpetrated by a former Pennsylvania state judge, among other violations.

Agency/Bureau: OCC
Violation: BSA/AML
Type of Penalty: CMP
Bank: First National Community Bank; Dunmore, PA
Bank Asset Size ($K): $969,655
Date: 2/27/2015
Restitution Fine: None
CMP Fine: $500,000
Link to enforcement action: http://www.occ.gov/static/enforcement-actions/ea2015-016.pdf
Summary of enforcement action for Violation: AA-EC-2015-16 - The bank failed to file SARs on a timely basis in connection with certain suspicious transactions.

Agency/Bureau: FinCEN
Violation: BSA/AML
Type of Penalty: CMP
Bank: North Dade Community Development Federal Credit Union; Miami Gardens, FL
Bank Asset Size ($K): N/A
Date: 11/25/2014
Restitution Fine: None
CMP Fine: $300,000
Link to enforcement action: http://www.fincen.gov/news_room/ea/files/NorthDade_Assessment.pdf
Summary of enforcement action for Violation: Number 2014-07 - The bank failed to implement an adequate anti-money laundering program, failed to develop and implement an adequate customer identification program, failed to detect and adequately report suspicious transactions, and failed to access or review FinCEN’s 314(a) lists.

Agency/Bureau: OCC
Violation: BSA/AML
Type of Penalty: CMP
Bank: Associated Bank; Green Bay, WI
Bank Asset Size ($K): $26,653,631
Date: 6/26/2014
Restitution Fine: None
CMP Fine: $500,000
Link to enforcement action: http://www.occ.gov/static/enforcement-actions/ea2014-094.pdf
Summary of enforcement action for Violation: AA-EC-2014-60 - The bank failed to conduct adequate risk assessments, conduct sufficient customer due diligence, properly identify high-risk customers, and implement an adequate suspicious activity monitoring system; the Bank’s independent testing of the Bank’s BSA/AML compliance program was inadequate; the Bank’s BSA officer and staff lacked the necessary resources and expertise, including knowledge of regulatory requirements; the Bank’s BSA training efforts for staff were inadequate; and after conducting a lookback, the Bank filed 670 new Suspicious Activity Reports (“SARs”).

Agency/Bureau: OCC
Violation: BSA/AML
Type of Penalty: CMP
Bank: Old National Bank; Evansville IN
Bank Asset Size ($K): $11,501,951
Date: 1/14/2014
Restitution Fine: None
CMP Fine: $500,000
Link to enforcement action: http://apps.occ.gov/EnforcementActions/EnforcementActions.aspx
Summary of enforcement action for Violation: AA-EC-2013-112 - The bank failed to conduct adequate risk assessments, obtain more than the minimum information required for customer identification program purposes, implement an adequate suspicious activity monitoring system, and properly identify high-risk customers; the bank’s internal audit review failed to identify the deficiencies in the Bank’s BSA/AML compliance program; the Bank’s BSA officer and staff lacked the necessary resources and expertise, including knowledge of regulatory requirements; and after conducting a lookback, the Bank filed 110 new Suspicious Activity Reports (“SARs”) and 172 supplemental SARs.

1120 Connecticut Ave NW, Washington, DC 20036 1-800-BANKERS | aba.com BSA-AML

Agency/Bureau: OCC
Violation: BSA/AML
Type of Penalty: CMP
Bank: Chase Bank USA, N.A.; Wilmington, DE
Bank Asset Size ($K): $130,662,639
Date: 1/7/2014
Restitution Fine: None
CMP Fine: $350,000,000
Link to enforcement action: http://www.occ.gov/static/enforcement-actions/ea2014-001.pdf
Summary of enforcement action for Violation: AA-EC-13-109 - The bank had deficiencies in its BSA/AML compliance program, failed to adopt and implement a compliance program that adequately covers the required BSA/AML program elements due to an inadequate system of internal controls and ineffective independent testing, failed to correct previously identified systemic weaknesses in the adequacy of customer due diligence and the effectiveness of monitoring in light of the customers’ cash activity and business type, and failed to identify significant volumes of suspicious activity and file the required SARs concerning suspicious customer activities among several other things.

Agency/Bureau: OCC
Violation: BSA/AML
Type of Penalty: CMP
Bank: JPMorgan Bank and Trust Company, N.A.; San Francisco, CA
Bank Asset Size ($K): $1,547,717,929
Date: 1/7/2014
Restitution Fine: None
CMP Fine: $350,000,000
Link to enforcement action: http://www.occ.gov/static/enforcement-actions/ea2014-001.pdf
Summary of enforcement action for Violation: AA-EC-13-109 - The bank had deficiencies in its BSA/AML compliance program, failed to adopt and implement a compliance program that adequately covers the required BSA/AML program elements due to an inadequate system of internal controls and ineffective independent testing, failed to correct previously identified systemic weaknesses in the adequacy of customer due diligence and the effectiveness of monitoring in light of the customers’ cash activity and business type, and failed to identify significant volumes of suspicious activity and file the required SARs concerning suspicious customer activities among several other things.

Agency/Bureau: OCC
Violation: BSA/AML
Type of Penalty: CMP
Bank: JPMorgan Chase Bank N.A.; Columbus, OH
Bank Asset Size ($K): $1,410,851,000
Date: 1/7/2014
Restitution Fine: None
CMP Fine: $350,000,000
Link to enforcement action: http://www.occ.gov/static/enforcement-actions/ea2014-001.pdf
Summary of enforcement action for Violation: AA-EC-13-109 - The bank had deficiencies in its BSA/AML compliance program, failed to adopt and implement a compliance program that adequately covers the required BSA/AML program elements due to an inadequate system of internal controls and ineffective independent testing, failed to correct previously identified systemic weaknesses in the adequacy of customer due diligence and the effectiveness of monitoring in light of the customers’ cash activity and business type, and failed to identify significant volumes of suspicious activity and file the required SARs concerning suspicious customer activities among several other things.

Agency/Bureau: FinCEN
Violation: BSA/AML
Type of Penalty: CMP
Bank: JPMorgan Chase Bank N.A.; Columbus, OH
Bank Asset Size ($K): $1,410,851,000
Date: 1/7/2014
Restitution Fine: None
CMP Fine: $461,000,000
Link to enforcement action: http://www.fincen.gov/news_room/ea/files/JPMorgan_ASSESSMENT_01072014.pdf
Summary of enforcement action for Violation: Number 2014-1 - The bank failed to file any SARs and failed to report its concerns regarding their client's potential fraud to the Financial Crimes Enforcement Network.

Agency/Bureau: FinCEN
Violation: BSA/AML
Type of Penalty: CMP
Bank: Saddle River Valley Bank; Montclair, NJ
Bank Asset Size ($K): N/A
Date: 9/24/2013
Restitution Fine: None
CMP Fine: $4,100,000
Link to enforcement action: http://www.fincen.gov/financial_institutions/nr.html?short=1
Summary of enforcement action for Violation: Number 2013-02 - The bank failed to conduct adequate due diligence on foreign correspondent accounts, failed to detect and adequately report in a timely manner suspicious activities in the accounts of foreign money exchange houses, and executed $1.5 billion worth of inadequately monitored transactions on behalf of Mexican and Dominican casas de cambio despite publicly available information that provided ample notice of the heightened risks of dealing with these institutions.

Agency/Bureau: OCC
Violation: BSA/AML
Type of Penalty: CMP
Bank: Saddle River Valley Bank; Montclair, NJ
Bank Asset Size ($K): N/A
Date: 9/23/2013
Restitution Fine: None
CMP Fine: $4,100,000
Link to enforcement action: http://www.occ.gov/static/enforcement-actions/ea2013-143.pdf
Summary of enforcement action for Violation: AA-EC-13-70 - The bank failed to adequately monitor over $1.5 billion of activity in CDC accounts, including wire transfer and remote deposit capture (“RDC”) activity; failed to conduct adequate monitoring of high volumes of wires flowing through CDC accounts; failed to comply with statutory requirements regarding customer due diligence (“CDD”) and enhanced due diligence (“EDD”) for its former foreign correspondent customers, the CDCs; and had inadequate processes for reviewing and reporting suspicious activity occurring in CDC accounts and failed to file Suspicious Activity Reports (“SARs”) on a timely basis with respect to its CDC customers, among other things.


Agency/Bureau: FinCEN
Violation: BSA/AML
Type of Penalty: CMP
Bank: TD Bank, N.A.; Wilmington, DE
Bank Asset Size ($K): $230,280,000
Date: 9/23/2013
Restitution Fine: None
CMP Fine: $37,500,000
Link to enforcement action: http://www.fincen.gov/pdf/TD_ASSESSMENT_09222013.pdf
Summary of enforcement action for Violation: Number 2013-1 - The bank failed to detect and adequately report suspicious activities in a timely manner.

Agency/Bureau: OCC
Violation: BSA/AML
Type of Penalty: CMP
Bank: TD Bank, N.A.; Wilmington, DE
Bank Asset Size ($K): $230,280,000
Date: 9/20/2013
Restitution Fine: None
CMP Fine: $37,500,000
Link to enforcement action: http://www.occ.gov/static/enforcement-actions/ea2013-142.pdf
Summary of enforcement action for Violation: AA-EC-2013-67 - The bank's violations were related to failures to file suspicious activity reports.

Agency/Bureau: OCC
Violation: BSA/AML
Type of Penalty: CMP
Bank: TCF National Bank; Sioux Falls, SD
Bank Asset Size ($K): $19,379,587
Date: 1/25/2013
Restitution Fine: None
CMP Fine: $10,000,000
Link to enforcement action: http://www.occ.gov/static/enforcement-actions/ea2013-003.pdf
Summary of enforcement action for Violation: AA-EC-2012-155 - SAR and BSA compliance program violations.

Agency/Bureau: OCC
Violation: BSA/AML
Type of Penalty: CMP
Bank: HSBC Bank USA, N.A.; McLean, VA
Bank Asset Size ($K): $190,499,714
Date: 12/11/2012
Restitution Fine: None
CMP Fine: $500,000,000
Link to enforcement action: http://www.occ.gov/static/enforcement-actions/ea2012-262.pdf
Summary of enforcement action for Violation: AA-EC-2012-112 - The bank failed to adopt and implement a compliance program that adequately covers the required BSA/AML program elements, including, in particular, internal controls for customer due diligence, procedures for monitoring suspicious activity, and independent testing; did not perform BSA/AML monitoring for banknote (or “bulk cash”) transactions with Group Entities; did not collect or maintain customer due diligence (“CDD”) or enhanced due diligence (“EDD”) information for Group Entities; and the bank failed to disposition its alerts appropriately or to comply fully with its obligation to report suspicious activity on time, among other things.

Agency/Bureau: FRB
Violation: BSA/AML
Type of Penalty: CMP
Bank: HSBC Holdings PLC (London) and HSBC North America Holdings, Inc.; New York, NY
Bank Asset Size ($K): $174,706,058
Date: 12/11/2012
Restitution Fine: None
CMP Fine: $165,000,000
Link to enforcement action: http://www.federalreserve.gov/newsevents/press/enforcement/enf20121211a1.pdf
Summary of enforcement action for Violation: Docket Nos. 12-062-CMP-FB & 12-062-CMP-HC - The bank lacked adequate risk management and legal review policies and procedures to ensure compliance and failed to maintain internal controls, staffing and resources sufficient to adequately identify and mitigate the risks associated with high risk transactions conducted through the bank’s foreign correspondent accounts, especially those relating to the bank’s Mexican affiliate.

Agency/Bureau: FRB
Violation: BSA/AML
Type of Penalty: CMP
Bank: Standard Chartered PLC (London); Standard Chartered Bank (London); Standard Chartered Bank; New York, NY
Bank Asset Size ($K): N/A
Date: 12/10/2012
Restitution Fine: None
CMP Fine: $100,000,000
Link to enforcement action: http://www.federalreserve.gov/newsevents/press/enforcement/enf20122012a2.pdf
Summary of enforcement action for Violation: Docket No. 12-069-CMP-FB - The bank provided inadequate and incomplete responses to examiner inquiries relating to the transmission of funds to and from parties subject to OFAC Regulations and by providing incomplete and misleading information to examiners regarding the scale of and practices for processing Standard Chartered's and the Branch's U.S. dollar clearing transactions, particularly with regard to Iranian customers and developed policies and procedures that deleted information from payment messages that was necessary for the Branch to determine whether these transactions were carried out in a manner consistent with U.S. law and to properly conduct the transaction review required under the 2004 Written Agreement.

Agency/Bureau: FinCEN & FDIC
Violation: BSA/AML
Type of Penalty: CMP
Bank: First Bank of Delaware; Wilmington, DE
Bank Asset Size ($K): $177,986,000
Date: 11/19/2012
Restitution Fine: None
CMP Fine: $15,000,000
Link to enforcement action: http://www.fincen.gov/news_room/nr/pdf/First_Bank_of_Delaware_11-15-2012_Assessment.pdf
Summary of enforcement action for Violation: Number 2012-1 - The bank failed to adequately oversee third-party payment processor relationships and related products and services in a manner commensurate with associated risks.

NEW ACCOUNT INFORMATION WORKSHEET FOR BSA

Name:
Date:
Account Number:
Type of Business (if applicable):

Trade Area: Where do you conduct the majority of your business?
Skagit Cty | WA State | National | International

Is your business a legal entity that is publicly traded within the US?
Yes | No

What is your estimated annual business revenue?
$0-$50,000 | $50,000-$100,000 | $100,001-$500,000 | $500,001-$1M | Over $1M

Does your business routinely conduct trans w/ foreign companies or countries? Y/N :

How often will you be making deposits of cash or checks into this account?
No cash or check deposits | Daily | Weekly | Monthly or Less Often

Estimated amount of deposits (based on frequency selected above)
Under $3000 | $3000-$10,000 | Over $10,000

How often will you be making withdrawals of cash or checks from this account?
No cash or check withdrawals | Daily | Weekly | Monthly or Less Often

Estimated amount of withdrawals (based on frequency selected above)
Under $3000 | $3000-$10,000 | Over $10,000

How often do you plan on accepting electronic deposits (i.e. Direct Deposit, ACH) in this account?
Not expecting electronic deposits | Daily | Weekly | Monthly or Less Often

How often do you plan to initiate automatic withdrawals from this account?
Not expecting electronic withdrawals | Daily | Weekly | Monthly or Less Often

How often do you plan to conduct wire transfers from this account?
Not expecting to conduct wire transfers | Daily | Weekly | Monthly or Less Often

If sending wire transfers, wire transfers are
Domestic | Foreign | Both

Will you be using an issued debit card? Yes | No
Will you be using Online Banking? Yes | No
Will you be using Online Bill Payment? Yes | No

Please check all appropriate boxes that apply to your business:

Performs or will perform wire/money transfer services in amounts greater than $1000 for any person or any day in one transaction

Cashed checks for YOUR customer in amounts greater than $1000 for any person on any day on one or more transactions

Issues or will issue Travelers Checks, Money Orders, or Stored Value Cards for your customers in amounts greater than $1000 for any person on any day in one or more transactions

Redeems/Will Redeem Travelers Checks, Money Orders, or Stored Value Cards for your customers in amounts greater than $1000 for any person on any day in one or more transactions

Acts or will act as a coin/currency exchange dealer for your customer in amounts greater than $1000 for any person on any day in one or more transactions.

Is your business related to the marijuana industry?
Is your business related to online gambling?

New Market Bank Customer Risk Rating

Customer Name:
TIN/EIN:
Account Title (if different than above):
Account #:

Columns: Description | 1 | 3 | 5

Customer Type:
1 - Current Customer - stable & known customer
2 - Current Customer - unknown but current activity
3 - New customer, but business or owner known by bank officer or staff member
4 - Current Customer - unknown & inactive or dormant accounts
5 - New customer, not known by any bank officer or staff member

Funds Transfer: (Money Wire Transfers)
0 - If no wires ever
1 - Low volume of funds transfers-< 1 per month
3 - Moderate amount of funds transfers, including transfers to low risk countries-2-5/mo
5 - High volume of funds transfers (internal and external), numerous transfers from personal to business account or vice versa, numerous transfers to foreign countries->5/mo

Type of Account:
1 - Certificates of Deposit, Savings Account, IRA
3 - Checking Account, Loans: Consumer, Real Estate & Agriculture, Safe Deposit Box
5 - Commercial Loan

International Connections:
N/A - No International Connections
3 - Moderate amount of international connections (2 times per month or less)
5 - High volume of international connections (more than 2 per month)

Geographic Location:
1 - Located within the State of Minnesota
3 - Located outside the State of Minnesota but within United States
5 - Located outside of United States or in HIDTA (High Intensity Drug Targeting Areas) or HIFCA (High Intensity Financial Crimes Areas)

High Risk Business:
1 - Business customer but not identified as a High Risk Business
3 - Moderate Risk Business - includes check cashers, convenience stores, high check volume restaurants
5 - High Risk Business - Money Service Business (check cashing only), foreign business, nonresident alien or foreign individual owners

Internet Banking:
0 if no Internet Banking
1 - Low (Normal) Use (inquiry, internal account transfers, E-Statements)
3 - Moderate Use - uses Bill Pay for normal monthly bills (utility, telephone, cable, etc.)
5 - Excessive Use (has OBM, remote capture and/or uses Bill Pay for many bills (more than 10 per month)

Currency Transactions:
1 - Low volume of currency activity
3 - Moderate volume (obtains cash 5-10 times/mo, CTR's filed 2-5 times in the last yr)
5 - High volume (obtained more than 10/mo, more than 5 CTR's filed in the last yr, any Suspicious Activity Form filed)

Total of columns: (document will automatically calculate if done online)
If total # for column equals:
01-15 - Risk Rate (CIF Field #) is Low then risk rate on System should be Low
16-25 - Risk Rate is Moderate then rate on System should be Medium (** see below)
26-40 - Risk Rate is High then Risk Rate on System s/b High (** see below)
CIRCLE / HIGHLIGHT CORRECT RISK RATING: L M H

**System Input: Input system instructions on how to code customer.

CIP Completed? Y N
Documents Waiting for:
Comments/Exceptions to Policy:

Risk Rating Completed By:
Date of Review:
Officer: ** (Officer Signature Required if Rating is higher than 25)

New Market Bank Customer Risk Rating

Customer Name:
TIN/EIN:
Account Title (if different than above):
Account #:

Columns: Description | 1 | 3 | 5

Customer Type:
1 - Current Customer - stable & known customer
2 - Current Customer - unknown but current activity
3 - New customer, but known by bank officer or staff member
4 - Current Customer - unknown & inactive or dormant accounts
5 - New customer, not known by any bank officer or staff member

Funds Transfer: (Money Wire Transfers)
0 - If no wires ever
1 - Low volume of funds transfers-< 1 per month
3 - Moderate amount of funds transfers, including transfers to low risk countries-2-5/mo
5 - High volume of funds transfers (internal and external), numerous transfers from personal to business account or vice versa, numerous transfers to foreign countries->5/mo

Type of Account:
1 - Certificates of Deposit, Savings Account, IRA
3 - Checking Account, Loans: Consumer, Real Estate & Agriculture, Safe Deposit Box
5 - Commercial Loan

International Connections:
0 - No International Connections
3 - Moderate amount of international connections (2 times per month or less)
5 - High volume of international connections (more than 2 per month)

Geographic Location:
1 - Located within the State of Minnesota
3 - Located outside the State of Minnesota but within United States
5 - Located outside of United States or in HIDTA (High Intensity Drug Targeting Areas) or HIFCA (High Intensity Financial Crimes Areas)

High Risk Consumer:
1 - US Person with no CIP problems
3 - Nonresident alien or foreign individual (foreign exchange students) with no CIP problems
5 - US Person, nonresident alien or foreign individual with CIP verification problems or Politically Exposed Person

Internet Banking:
0 if no Internet Banking
1 - Low (Normal) Use (inquiry, internal account transfers, E-Statements)
3 - Moderate Use - uses Bill Pay for normal monthly bills (utility, telephone, cable, etc.)
5 - Excessive Use (has OBM, remote capture and/or uses Bill Pay for many bills (more than 10 per month)

Consumer Credit Report:
1 - FICO Score Above 660
3 - FICO Scores between 601 and 659
5 - FICO Score below 600

Type of Deposits:
1 - On us transfers or checks, payroll checks, government checks
3 - Cash, cashier's checks from other banks, wire transfers
5 - Foreign Funds

Total of columns: (document will automatically calculate if done online)
Total = 1-17.99 - Risk Rate Low on System**
Total = 18-30.99 - Risk Rate Moderate on System**
Total = > 31 - Risk Rate High on System**
CIRCLE / HIGHLIGHT CORRECT RISK RATING TO THE RIGHT: L M H

**System Input: Insert instructions on how to code customer on Core System

CIP Completed? Y N
Documents Waiting for:
Comments/Exceptions to Policy:

Risk Rating Completed & Inputted By:
Date of Review & System Verification:
Officer: ** (Officer Signature Required if Rating is higher than 25)

BSA/AML Risk Assessment 2015
Anywhere Bank (Prepared January 2015)
Information as of December 31, 2014

Overall Bank Risk Assessment

Columns: Risk Factor | High (3) | Moderate (2) | Low (1) | Bank Score | Comments from Federal Safety and Soundness Exams and/or Annual Independent Exam

Number of Branches (>4= H, 2-3= M, 1= L)

Number of foreign correspondent accounts in high risk geographies or offering high risk services such as pouch services and payable through accounts. (Many = H, Few accounts of this type= M, No services of this type= L)

Commercial customers with international businesses, including foreign wires (Large number of international accounts with unexplained currency activity= H, Moderate level of international accounts with unexplained currency activity= M, Very low or no international accounts or very low volumes of currency activity in the accounts= L)

Commercial customers with high cash activity (Many business customers with high cash activity= H, Limited number but some business customers with high cash activity= M, Very Few or No business customers with high cash activity= L)

Customers identified as High Risk Money Service Businesses (Many= H, Limited number but some= M, Very Few or None= L)

Nonlisted entities exempt from cash reporting (>10= H, 5-9= M, <5= L)

Customer Base (Fast growing customer base in a wide and diverse geographic area= H, Recent Merger or increasing customer base due to acquisition or branching= M, Stable customer base over several years or known customer base= L)

Stability of Employee Base (Frequent and High turnover especially in key positions= H, Low turnover of key personnel but frontline personnel in branches has changed= M, Low turnover in key positions and frontline personnel= L)

Domestic retail banking customers/accounts: savings, checking, time deposits

Domestic retail consumer loans/Domestic commercial loans

Commercial and consumer deposits, loans, and funds transfers for international customers including PEP’s (politically exposed persons) and non-resident aliens (Frequent funds transfers from personal or business accounts to or from personal or business accounts in high risk areas= H, Moderate number of funds transfers with a few international transfers from personal or business accounts in low risk areas= M, Limited number of funds transfers for customers/noncustomers, limited third party transactions and no foreign fund transfers= L)

Private Banking Accounts or Trust and asset management accounts with payable through accounts and pouch activity (The bank offers significant domestic and international private bank or trust and asset management products or services, which are growing= H, The bank offers limited domestic private banking services or trust and asset management products or services over which the bank has investment discretion= M, The bank offers limited or no private banking services or trust and asset management products or services= L)

Volume of transactions with high risk geographic locations (Significant volume of transactions with high risk geographic locations compared to overall transactions= H, Minimal transactions with high risk geographic locations= M, No transactions with high risk geographic locations= L)

Internet/e-banking (Wide array of e-banking products and services including account transfers, bill payment, ACH origination with high customer activity= H, Limited e-banking products and services with moderate customer activity= M, No electronic banking or the bank’s web-site is non-transactional= L)

Predominant method of delivery system for opening new account (Accounts opened via Internet without prior relationship= H, Some mail and telephone opening of new accounts in addition to in-person account opening= M, In-person account opening= L)

Bank/Branch Locations (Bank/branches located in money center or on U.S. border= H, Highly diverse metropolitan area= M, Rural homogenous community bank= L)

Bank/Branch Geographic Locations: HIDTA/HIFCA (The Bank is located in an HIDTA and an HIFCA. A large number of fund transfers or account relationships involve HIDTAs or HIFCAs= H, The bank is located in an HIDTA or an HIFCA. The bank has some fund transfers or account relationships that involve HIDTAs or HIFCAs= M, The bank is not located in a HIDTA or HIFCA. No fund transfers or account relationships involve HIDTAs or HIFCAs= L)

Risk Rating High risk Business Customers (The bank identified a large number of high risk business customers= H, The bank identified a moderate number of high risk business customers= M, The bank identified very few high risk business customers= L)

Cash Reporting Systems (No aggregate cash reporting system or AML monitoring software= H, Automated aggregate cash reporting system but no AML monitoring software= M, Aggregated cash reporting system and AML monitoring software= L)

SAR Reporting Systems (No centralized SAR reporting or monitoring system= H, Centralized SAR reporting/monitoring system with informal internal referral system= M, Centralized SAR monitoring/reporting with formalized internal referral system= L)

Number of SAR’s per year (>20 suspicious activity reports (SAR’s) filed per year= H, 10 to 19 SAR’s filed per year= M, <10 SAR’s filed per year= L)

OFAC (Large number of accounts have been blocked or rejected due to OFAC matching= H, Limited number of accounts have been blocked or rejected due to OFAC matching= M, No accounts have been blocked or rejected due to OFAC matching= L)

314(a) Requests (Large amount of positive matches from 314(a) search= H, Limited number of positive matches from 314(a) search= M, No positive matches from 314(a) searches= L)

Large Currency or Structured Transactions (Significant volume of large currency or structured transactions= H, Moderate volume of large currency or structured transactions= M, Few or no large currency or structured transactions= L)

BSA/AML Training (Inadequate BSA/AML training program on less than an annual basis= H, Adequate BSA/AML training program on at least an annual basis= M, extensive BSA/AML training program with regular updates throughout the year= L)

Policies/Procedures (Policies/procedures are not effective to appropriately manage the bank’s BSA program= H, Policies/procedures are adequate to manage the bank’s BSA program but should be reviewed and/or updated on a more regular basis= M, Policies/procedures are effective in managing the bank’s BSA program and, policies are adhered to as well as reviewed and updated regularly= L)

Independent Testing (Independent Testing is not completed on an annual basis= H, Independent Testing is completed and reported to the Board of Directors on an annual basis= L)

TOTAL SCORE 00

Level of Risk | Risk Score
High | 64-81
Moderate | 46-63
Low | 27-45

When determining the risk factor score High Risk =3, Moderate Risk= 2 and Low Risk =1. The highest possible score is 81 with the lowest possible score being 27. To determine total level of risk score ranges, the highest possible score of 81 was divided into thirds. This methodology provides the overall level of risk score for Anywhere Bank’s BSA program.

TREND LINE

[Six charts, each plotting the yearly total for 2012, 2013 and 2014: SAR’s filed; CTR’s Filed; Applications to Purchase filed; OFAC Matches; FinCEN 314(a) Matches; Exempt Customers]


Attachment A

Risk Assessment as of 12/31/12

Columns: PRODUCTS AND SERVICES | OFFERED (YES / NO) | INHERENT RISK | MITIGATING CONTROLS | RESIDUAL RISK

Correspondent Banking
Domestic ✓
International ✓

U.S. Dollar Drafts ✓
Payable Through Accounts ✓
Pouch Activities ✓
Foreign Branches/Offices of U.S. Banks ✓
Parallel Banking ✓

Electronic Banking ✓
Products: Internet Banking. Consumer: Account inquiry, Account transfers, Bill Pay. Commercial: Account inquiry, Account transfers, Bill Pay, Merchant Remote Deposit Capture, Wires, ACH
Inherent risk: High. Offer wide variety of e-banking products & services
Mitigating controls: BSA Policy-Procedures: CIP, New Account, Internet Banking, Merchant Remote Deposit Capture. Anti-Money Laundering Manager module in use. Commercial Accts: Risk Assessment prior to opening; Quarterly risk assessment of accounts that originate pre-approved ACH debits; Daily monitoring ACH/Tax Limits; Daily monitoring Wires (Funds Transfers). ¹ Customer Base stable and long term. Online account opening NOT offered
Residual risk: Medium
Comments: Significant controls exist to open and/or monitor ebanking use. Higher level controls exist for wires & ACH origination. Less than 10% of the customer base are commercial customers using wire & ACH services.

Electronic Funds Payment Services

Automated Teller Machines (ATMs) ✓
Inherent risk: Medium. Offer moderate # of ATM/Debit Card services with low cash available per account
Mitigating controls: Visa Check Card Procedure-Anti-Money Laundering Manager module in use. XX ATMs. XXXX Debit Cardholders. YTD Average $ per Card $30.00. ¹ Customer Base stable and long term.
Residual risk: Low
Comments: The maximum amount of cash that can be obtained from an ATM is $500 and POS limit is $1,500

Automated Clearing House (ACH) ✓
Inherent risk: Medium. Offer moderate # of ATM/Debit Card services with low cash available per account
Mitigating controls: BSA Policy-CIP Procedures-New Account Procedures-Anti-Money Laundering Manager module in use-FRB/RDFI Daily Batch Alerts
Receiving DFI (% Return): Debits - $XXXXXXXX .24%; Credits - $ XXXXXXX .03%
Originating DFI: Debits Originated $ XXXXXXXX .753%; Credits Originated $XXXXXXXX .016%
¹ Customer Base stable and long term
Residual risk: Low
Comments: ACH return rates for both receiving and originating files is less than industry standard. Significant controls exist for originating ACH files and monitoring originating and receiving files.

Funds Transfers
Domestic ✓
Inherent risk: Medium. Moderate # of funds transfers for customers
Mitigating controls: BSA Policy-CIP Procedures-New Account Procedures-Funds Transfers Procedures-Anti-Money Laundering Manager module in use
Wires $3,000. or more: Incoming Wires XX for XXX Customers $XXXXXXX; Outgoing Wires XX for XXX Customers $XXXXXXX
¹ Customer Base stable and long term
Residual risk: Low
Comments: Significant controls exist to monitor outgoing and incoming wires.

Columns: PRODUCTS AND SERVICES | OFFERED (YES / NO) | INHERENT RISK | MITIGATING CONTROLS | RESIDUAL RISK

Pay Upon Proper Identification (PUPID) ✓
Electronic Cash (Stored Value and Payroll cards) ✓
Third-Party Payment Processors ✓

Monetary Instruments ✓
Products: Cashier’s Checks
Inherent risk: Low. Cashier’s checks only sold to customers
Mitigating controls: BSA Policy-Monetary Instruments Procedures-Anti-Money Laundering Manager module in use. Monitoring of Cash Sales. XXX Checks Sold with Cash Involvement. Average $XXXXXXXX. ¹ Customer Base stable and long term
Residual risk: Low

Deposit Account Type Services

Domestic Retail ✓
Inherent risk: Low. Few, if any, non-resident or foreign individuals
Mitigating controls: BSA Policy-CIP Procedures-New Account Procedures-Anti-Money Laundering Manager module in use. XXXXXX Accounts. ¹ Customer Base stable and long term
Residual risk: Low
Comments: Significant controls exist for opening new accounts. The majority of customers (over 50%) have a long term relationship with the bank of 10 years or more.

Domestic Commercial ✓
Inherent risk: Medium. Moderate number of high-risk business accounts
Mitigating controls: BSA Policy-CIP Procedures-New Account Procedures-Anti-Money Laundering Manager module in use. XXXXX Accounts. ¹ Customer Base stable and long term
Residual risk: Low
Comments: Significant controls exist for opening new accounts. The majority of customers (over 50%) have had a long term relationship with the bank of 10 years or more.

Domestic Payable Through Account ✓

Brokered Deposits

Domestic ✓
Inherent risk: Low. No open brokered deposits
Mitigating controls: Funds Management Policy-Board approval of Broker required - Due diligence performed-Anti-Money Laundering Certification received. No deposits in 2012
Residual risk: Low

International ✓

Privately-Owned Automated Teller Machines ✓

Non-deposit Account Services

Non-deposit Investment Products ✓
Inherent risk: Medium. Offer minimum number of investment services
Mitigating controls: Policy – CIP Procedure – Due diligence performed annually. Dual employee arrangement-clients do not manage own portfolios-Investment products limited. XXX customers/ XXX accounts. ¹ Customer Base stable and long term.
Residual risk: Low
Comments: Small number of customers.

Insurance ✓

Safe Deposit Boxes ✓
Inherent risk: Low. Rent only to customers
Mitigating controls: BSA Policy-CIP Procedures-New Account Procedures-Safe Deposit Procedures. Total boxes available – XXXXX. Total boxes rented - XXX. ¹ Customer Base stable and long term
Residual risk: Low
Comments: Less than 40% of available boxes are currently in use.

Special Use or Concentration or Accounts ✓

Lending Activities

General ✓
Inherent risk: Low. Traditional lending activities secured by non-cash collateral
Mitigating controls: BSA Policy-CIP Procedures-Loan Policy-New Loan Procedures. Strong knowledge of customer base. XXXXX Loans $XXXXXXXXXXXXX
Residual risk: Low
Comments: Monitoring procedures in place and low loan volume

Secured by cash collateral ✓
Inherent risk: Medium. Traditional lending activities including secured by cash
Mitigating controls: BSA Policy-CIP Procedures-Loan Policy-New Loan Procedures. Limited Activity-strong knowledge of borrowers. XXX Loans
Residual risk: Low
Comments: Minimum number of loans secured by cash collateral

Secured by marketable securities ✓
Inherent risk: Medium. Traditional lending activities including secured by cash/securities
Mitigating controls: BSA Policy-CIP Procedures-Loan Policy-New Loan Procedures. Limited Activity-strong knowledge of borrowers. XX Loans
Residual risk: Low
Comments: Minor number of loans secured by securities

Credit Card lending ✓

Trade Finance Activities

Domestic – Standby Letters of Credit ✓
Inherent risk: Low. Traditional lending activities secured by non-cash collateral
Mitigating controls: BSA Policy-CIP Procedures-Loan Policy-New Loan Procedures. Limited Activity-strong knowledge of borrowers. XX Loans
Residual risk: Low
Comments: Significant controls exist for a minor number of loans.

International – Import/Export Letters of Credit ✓

Private Banking (Domestic and International) ✓

Trust and Asset Management Services ✓

PERSONS AND ENTITIES

Domestic – Individual or business  Low BSA Policy-CIP Procedures-New Account Procedures- Low Well known- Anti-Money Laundering Manager module in use stable customer XXXXX Domestic Retail Accounts base XXXXXX Domestic Commercial Accounts

¹ Customer Base stable and long term Significant controls exist for opening and monitoring accounts. The majority of accounts (over 50%) have a long term relationship. Nonresident Aliens and Foreign Individuals  Low BSA Policy-CIP Procedures-New Account Procedures- Low Few non- Anti-Money Laundering Manager module in use resident or Very limited activity foreign individuals XX Domestic Retail Accounts with ITIN numbers XX Domestic Retail Accounts with Foreign identification numbers Minor number of open accounts. PERSONS AND ENTITIES OFFERED INHERENT MITIGATING CONTROLS RESIDUAL YES NO RISK RISK Politically Exposed Persons  Embassy and Foreign Consulate Accounts  Non-Bank Financial Institutions NBFI) Money Service Businesses (MSB)  Medium BSA Policy-CIP Procedures-New Account Procedures- Low Moderate MSB Procedures-Anti-Money Laundering Manager number of CTR module in use activity XXX Customers-an average number, per month, of CTR activity = XX Casinos and card clubs  Low BSA Policy-CIP Procedures-New Account Procedures- Low No CTR activity Anti-Money Laundering Manager module in use 1 Account – Bingo - Account Inactive for over 1 year Insurance Companies  Brokers/dealers in securities  Dealers in precious metals, stones or jewels  Professional Services Providers  Medium BSA Policy-CIP Procedures-New Account Procedures- Low Moderate Anti-Money Laundering Manager module in use number of XXX Accounts accounts Customer base is stable and long term Only 3% of open accounts are professional services providers Non-Government Organizations and Charities  Medium BSA Policy-CIP Procedures-New Account Procedures- Low Moderate Anti-Money Laundering Manager module in use number of XXX Accounts accounts Customer base is stable and long term Only 4% of open accounts are professional services providers Corporate Entities (Domestic and Foreign) Domestic – Shell corporations  International – Trusts, IBCs, PICs, OFCs  Cash-Intensive Businesses  Medium BSA Policy-CIP Procedures-New 
Account Procedures- Low Moderate CTR Anti-Money Laundering Manager module in use & SAR activities XXX Accounts Customer base stable and long term Only 1% of open accounts are cash-intensive businesses PERSONS AND ENTITIES OFFERED INHERENT MITIGATING CONTROLS RESIDUAL YES NO RISK RISK Unlawful Internet Gambling Businesses  Unlawful Internet Gambling Enforcement Act (Regulation GG) Policy - New Business Account Profile Worksheet

Office of Foreign Assets Control Persons &  Office of Foreign Assets Control Policy/Procedure- Entities OFAC Reporting Module (ORM)

GEOGRAPHIC LOCATIONS YES NO INHERENT RISK

Domestic (San Joaquin, Stanislaus & Contra Costa Counties)
High Intensity Drug Trafficking Areas (HIDTA)  *Medium
High Intensity Financial Crime Areas (HIFCA)  *Medium

International
Countries subject to OFAC sanctions
Countries supporting international terrorism 
Jurisdictions “of primary money laundering concern” by FinCEN 
Jurisdictions/countries identified as non-cooperative by (FATF) 
Major money laundering countries and jurisdictions identified by International Narcotics Control Strategy Report (INCSR) 
Offshore financial centers (OFCs) 
Other countries identified by the bank as high-risk 

*Bank has branches located in HIDTA or HIFCA but has no account relationships and few, if any, transactions with higher-risk geographic locations

¹ Customer Base as of 12/31/12
Number Total Portfolios – XXXX
Portfolios open less than 1 year—XXX
Portfolios open 1 to 5 years—XXXX
Portfolios open 5 to 10 years—XXXX
Portfolios open 10 years or longer—XXX

The following is the summary conclusion of the BSA risk rating.

Description of Category: Electronic Banking
Residual Rating: Medium
Rating Score Assigned: 2
Discussion of Rating: The Bank offers consumers the ability to use ebanking for account transfers & bill payments. Commercial customers have access to account transfers, bill payments, funds transfers (wire), and ACH origination. Significant controls exist to open and/or monitor ebanking usage. Higher level controls exist for wires and ACH origination. Less than 10% of the customer base is commercial customers using wire and ACH services.

Description of Category: Electronic Funds Payment Services
Residual Rating: Low
Rating Score Assigned: 1
Discussion of Rating: The bank has only XX owned ATMs and the average Debit Card transaction is $30. The ACH return rates for both receiving and originating ACH files is less than the industry average. Significant controls exist for originating ACH files and monitoring originating and receiving files.

Description of Category: Funds Transfers
Residual Rating: Low
Rating Score Assigned: 1
Discussion of Rating: The Bank offers wire transfer service with significant controls in place to monitor outgoing and incoming wires.

Description of Category: Monetary Instruments
Residual Rating: Low
Rating Score Assigned: 1
Discussion of Rating: Cashier checks are only sold to bank customers. Less than XXX were sold with cash involvement during the year and the average amount of each check was less than $1,800.

Description of Category: Deposit Account Type Services
Residual Rating: Low
Rating Score Assigned: 1
Discussion of Rating: Significant controls exist for opening new accounts and monitoring customer transactions. The majority of customers (over 50%) have had a long term relationship with the bank of 10 years or more.

Description of Category: Non-Deposit Services
Residual Rating: Low
Rating Score Assigned: 1
Discussion of Rating: A dual employee arrangement exists, clients do not manage their own investments and investment products are limited for non-insured products. Only a small number of accounts exist. Safe Deposit Boxes are only rented to customers and less than 40% of available boxes are currently in use.

Description of Category: Lending Activities
Residual Rating: Low
Rating Score Assigned: 1
Discussion of Rating: Significant controls exist for all lending activities and only a minor number of loans are secured by cash collateral or marketable securities.

Description of Category: Trade Finance Activities
Residual Rating: Low
Rating Score Assigned: 1
Discussion of Rating: Significant controls exist for the XX outstanding Standby Letters of Credit and no Import/Export Letters of Credit are offered.

Description of Category: Persons and Entities
Residual Rating: Low
Rating Score Assigned: 1
Discussion of Rating: Significant controls exist for opening new accounts and monitoring customer transactions. The majority of accounts are domestic consumer or business with the majority (over 50%) having a long term relationship with the bank of 10 years or more.

Description of Category: Non-Bank Financial Institutions
Residual Rating: Low
Rating Score Assigned: 1
Discussion of Rating: Significant controls exist over MSB accounts with only XX open accounts. Only 1 account is classified as Casino or Card Club.

Description of Category: Professional Service Providers
Residual Rating: Low
Rating Score Assigned: 1
Discussion of Rating: Significant controls exist for opening new accounts and monitoring customer transactions. Only 3% of the total open accounts are professional service providers.

Description of Category: Non-Government Organizations & Charities
Residual Rating: Low
Rating Score Assigned: 1
Discussion of Rating: Significant controls exist for opening new accounts and monitoring customer transactions. Only 4% of the total open accounts are in this category.

Description of Category: Cash-Intensive Businesses
Residual Rating: Low
Rating Score Assigned: 1
Discussion of Rating: Significant controls exist for opening new accounts and monitoring customer transactions. Only .7% of the total open accounts are in this category.

Description of Category: Geographic Locations
Residual Rating: Medium
Rating Score Assigned: 2
Discussion of Rating: BAC has branches located in HIDTA or HIFCA but has no account relationships and few, if any, transactions with higher-risk geographic locations.

Total Score = 16

Rating Scoring: 1 = LOW, 2 = MEDIUM, 3 = HIGH

Overall Rating Score: LOW (14-22), MEDIUM (23-34), HIGH (35-42)

Overall Rating: LOW

4/21/2016

Financial Crimes Involving At-Risk Adults

GBA Compliance School Athens, GA

Thomas Williams, CRCM, CCBIA SVP, Senior Compliance Manager United Bank May 5, 2016


What is an “At-Risk Adult?”

• Disabled Adult – Person 18 years of age or older who is mentally or physically incapacitated, has Alzheimer’s Disease, or dementia.

• Elder Person – Person 65 years of age or older.

• Resident – Any person receiving treatment care in any long-term care facility.

O.C.G.A. 16-5-100 Definitions


What is Financial Exploitation?

“Illegally or improperly using a disabled adult or elder person or that person's resources through undue influence, coercion, harassment, duress, deception, false representation, false pretense, or other similar means for one's own or another person's profit or advantage.”


Financial Exploitation: The Facts

• Number one crime against individuals aged 65 or older.

• Only 1 in 25 cases of financial exploitation is reported.

• May be at least 5 million financial abuse victims each year.


Financial Exploitation: The Facts

• 2050 – anticipated that Americans aged 65 or older will number nearly 89 million people, or more than double the number of older adults in the United States in 2010.

• Estimated that 75% of all elder abuse perpetrators are family members; most often the victim’s adult child.

• Transactional behavior of seniors has not changed; careful analysis can lead to identification.


Financial Exploitation: The Facts

Two general categories:

1. Financial exploitation committed by strangers (sometimes called fraud).

o Generally involves deliberately deceiving the victim with the promise of goods, services or other benefits that are non-existent, unnecessary, never intended to be provided or misrepresented.

2. Financial exploitation committed by relatives, friends and caregivers.


Fighting Elder Abuse


Why At-Risk Adults are Targeted

• Wealth

• Social Security Check

• Easy to Find


Vulnerabilities

• Physical/Mental

• Trust

• Faith


Types of Schemes

• Gypsies & Crooked Contractors

• Sweetheart/Lonely Heart Swindle

• Investment Fraud –

• Lottery

• Telemarketing


Types of Schemes

• Internet

• Charitable Contributions
o www.charitywatch.org
o (773) 529-2300
o Better Business Bureau (BBB)

• Health, Funeral and Life Insurance

• IRS Payments


It’s Their Money


Financial Exploitation Red Flags

• Unusual Banking Activity
o Incoming Wires/Outgoing Wires
o Debit Card/Credit Card Activity
o ATM Withdrawals (Maximum Daily Limit)
o Newly established online account access
o Always escorted to bank by a second party

• No Control or Unaware of Finances
o Sudden NSF Activity
o Customer is unaware/does not understand financial arrangements

• Large Checks/Cash withdrawals
o Checks made out to “cash” or “gift”
o Frequent gifts from elder to caregiver


Financial Exploitation Red Flags

• Abrupt Changes to Documents
o Changes to Will
o New names on signature card(s)
o Moving money from CDs into the name of a new acquaintance

• Power of Attorney Abuse
o Frequent or random changes to POA documents

• Escalated Customer Calls on Account
o Requesting balance
o Requesting miscellaneous information
o Changing passcodes/Other information


Prevention


Undue Influence

IDEAL (Dr. Bennett Blum)

• Isolation

• Dependence on the perpetrator

• Emotional exploitation/exploitation of vulnerability

• Acquiescence

• Loss


The Law

O.C.G.A 16-5-102

a) Any person who knowingly and willfully exploits a disabled adult, elder person, or resident, willfully inflicts physical pain, physical injury, sexual abuse, mental anguish, or unreasonable confinement upon a disabled adult, elder person, or resident, or willfully deprives of essential services a disabled adult, elder person, or resident shall be guilty of a felony and, upon conviction, shall be punished by imprisonment for not less than one nor more than 20 years, a fine of not more than $50,000.00, or both.


The Law

O.C.G.A. 16-5-100

• Exploit – Illegally or improperly using a disabled adult or elder person or that person’s resources through undue influence, coercion, harassment, duress, deception, false representation, false pretense, or other similar means for another’s profit or advantage.


The Law

O.C.G.A. 30-5-4 – Mandated Reporters

o Child welfare agency personnel
o Child-counseling personnel
o Physicians licensed to practice medicine, interns, or residents
o Law enforcement personnel
o Hospital or medical personnel
o Reproductive healthcare facility or pregnancy resource center personnel and volunteers
o Dentists
o Licensed psychologists and persons participating in internships to obtain licensing
o Physical therapists/Occupational therapists
o Daycare personnel
o Podiatrists
o Coroners/Medical Examiners
o Registered professional nurses or licensed practical nurses or nurse’s aides
o EMS personnel/EMT/Paramedics, Cardiac Techs or First Responder
o Professional counselors, social workers, or marriage and family therapists
o Employees of a public/private agency in professional health related service
o School teachers
o School guidance counselors, visiting teachers, school social workers, or school psychologists
o Clergy members


The Law

O.C.G.A. 30-5-4 – Mandated Reporters

ANY EMPLOYEE OF A FINANCIAL INSTITUTION


The Law

O.C.G.A. 30-5-4 – Mandated Reporters

• B) Any employee of a financial institution, as defined in Code Section 7-1-4, having reasonable cause to believe that a disabled adult or elder person has been exploited shall report or cause reports to be made in accordance with the provisions of this Code section; provided, however, that this obligation shall not apply to any employee of a financial institution while that employee is acting as a fiduciary, as defined in Code Section 7-1-4, but only for such assets that the employee is holding or managing in a fiduciary capacity.


Immunity In Reporting

O.C.G.A 30-5-4 – Immunity

• (c) Anyone who makes a report, testifies, provides protective services, or participates in a required investigation shall be immune from any civil or criminal liability unless such person acted in bad faith, with malicious purpose, or was a party to such crime or fraud.


Failure to Report

O.C.G.A 30-5-8 – Criminal Offenses and Penalties

• (b) (1) It shall be unlawful for any person or official required by paragraph (1) of subsection (a) of Code Section 30-5-4 to report a case of disabled adult or elder person abuse to fail knowingly and willfully to make such report.

• (2) Any person violating the provisions of this Code section shall be guilty of a misdemeanor.

• (b) Any violation of this Code section shall constitute a separate offense.


Reporting the Event

• Adult Protective Services (APS)
o 1-866-552-4464
o http://aging.dhs.georgia.gov/adult-protective-services

• Healthcare Facility Regulation (HFR)
o http://dch.georgia.gov/find-facilityfile-complaint

• Contact Law Enforcement

• File Appropriate Suspicious Activity Report


Reporting the Event

Victim

• May feel shame/fear of losing caretaker services.

• May not want suspect punished (family).


Mental Capacity

Ability to perform mental tasks:

• Remembering

• Reasoning

• Understanding repercussions of actions

• When impaired, that person becomes extremely vulnerable to financial crimes


Mental Capacity

• Assessing consent

• Must have knowledge of the true nature of transaction

• Act freely & voluntarily, not under influence of threats, force, or duress

• Merely going along and not objecting does not amount to a valid consent


Wrapping Up

Follow the Money Trail

• Very important, if possible, to follow the money trail

• Leaving victim’s possession going to suspect’s

• Difficult or impossible if cash is used


Wrapping Up

GBI Financial Investigation Unit

• GBI Financial Crimes Unit (FIU)

• Forensic auditors

• Provide financial analysis

• Certified Fraud Examiners


Wrapping Up

Prosecutor’s Office

• District Attorney/Solicitor General

• Assist with investigation/obtaining arrest & search warrants/court orders/subpoenas

• Grand Jury


The Impact of Financial Exploitation


ACT CERTIFICATION

Department of Aging Services - ACT Certification


Questions


Contact Information

Thomas Williams, CRCM, CCBIA
SVP, Senior Compliance Manager
United Bank
(770) 412-4909 Office
(678) 972-2095 Cell


Board of Governors of the Federal Reserve System
Commodity Futures Trading Commission
Consumer Financial Protection Bureau
Federal Deposit Insurance Corporation
Federal Trade Commission
National Credit Union Administration
Office of the Comptroller of the Currency
Securities and Exchange Commission

Interagency Guidance on Privacy Laws and Reporting Financial Abuse of Older Adults

PURPOSE

The Board of Governors of the Federal Reserve System (Federal Reserve), Commodity Futures Trading Commission (CFTC),1 Consumer Financial Protection Bureau (CFPB), Federal Deposit Insurance Corporation (FDIC), Federal Trade Commission (FTC), National Credit Union Administration (NCUA), Office of the Comptroller of the Currency (OCC), and Securities and Exchange Commission (SEC) are issuing this guidance to financial institutions to clarify the applicability of privacy provisions of the Gramm-Leach-Bliley Act (GLBA) to reporting suspected financial exploitation of older adults.

Employees of depository institutions and other financial service providers that constitute “financial institutions” for purposes of the GLBA may observe signs of possible financial exploitation of an older adult. Various federal and state authorities either require or encourage reporting of this type of information to the appropriate agency. This guidance clarifies that reporting suspected financial abuse of older adults to appropriate local, state, or federal agencies does not, in general, violate the privacy provisions of the GLBA or its implementing regulations.2 In fact, specific privacy provisions of the GLBA and its implementing regulations permit the sharing of this type of information under appropriate circumstances without complying with notice and opt-out requirements.3

1 The CFTC is issuing this document as staff guidance.

2 While this guidance discusses when reporting is allowed under the GLBA, it does not address any other federal or state laws that may regulate such reporting. Also, the guidance does not specifically address risk management expectations for financial institutions related to the reporting of elder abuse.

3 This guidance’s analysis of the GLBA’s privacy provisions builds on joint guidance issued by several federal agencies in 2002 that specifically addressed disclosures to the Michigan Family Independence Agency. See Letter to Hon. Debbie Stabenow, July 3, 2002, available at http://www.americanbar.org/content/dam/aba/administrative/law_aging/2011/2011_aging_ea_bank_rptg_op_ltr.authcheckdam.pdf.

BACKGROUND

Elder abuse includes the illegal or improper use of an older adult’s funds, property, or assets.4 Recent studies suggest that financial exploitation is the most common form of elder abuse and that only a small fraction of incidents are reported.5 Older adults can become targets of financial exploitation by family members, caregivers, scam artists, financial advisers, home repair contractors, fiduciaries (such as agents under power of attorney and guardians), and others. Older adults are attractive targets because they may have significant assets or equity in their homes. They may be especially vulnerable due to isolation, cognitive decline, physical disability, health problems, and/or the recent loss of a partner, family member, or friend. Financial institutions can play a key role in preventing and detecting elder financial exploitation. A financial institution’s familiarity with older adults it encounters may enable it to spot irregular transactions, account activity, or behavior.6 Prompt reporting of suspected financial exploitation to adult protective services, law enforcement,7 and/or long-term care ombudsmen8 can trigger appropriate intervention, prevention of financial losses, and other remedies.

4 See the National Center on Elder Abuse definitions available at http://www.ncea.aoa.gov/FAQ/Type_Abuse/index.aspx. The Older Americans Act, as amended by the Elder Justice Act of 2009, defines exploitation as “the fraudulent or otherwise illegal, unauthorized, or improper act or process of an individual, including a caregiver or fiduciary, that uses the resources of an elder for monetary or personal benefit, profit, or gain, or that results in depriving an elder of rightful access to, or use of, benefits, resources, belongings, or assets.” 42 U.S.C. 1397j(8).

5 Acierno, R., M. A. Hernandez, A. B. Amstadter, H. S. Resnick, K. Steve, W. Muzzy, and D. G. Kilpatrick, “Prevalence and Correlates of Emotional, Physical, Sexual and Financial Abuse and Potential Neglect in the United States: The National Elder Mistreatment Study,” American Journal of Public Health 100(2): 292–97; Lifespan of Greater Rochester, Inc., et al., Under the Radar: New York State Elder Abuse Prevention Study, (Rochester, NY: Lifespan of Greater Rochester, Inc., May 2011).

6 Treasury Department rules require recipients of federal nontax payments to receive payment by electronic funds transfer, with an allowance for certain waivers from the requirement. The rule applies to recipients of Social Security, Veterans Affairs, Supplemental Security Income, Railroad Retirement Board, Department of Labor, and Office of Personnel Management benefit payments. Benefit recipients may have payments directly deposited to an account at a financial institution or to a Direct Express debit card account. See 75 Fed. Reg. 80315 (Dec. 22, 2010). Financial institutions should be mindful that this change may result in additional electronic funds transfer activity involving the accounts of older adults.

7 Financial institutions file “Suspicious Activity Reports” with the Financial Crimes Enforcement Network (FinCEN), a Bureau of the U.S. Department of the Treasury, involving money laundering and terrorist financing as well as activities related to elder abuse and other consumer fraud. The reports assist law enforcement in identifying individuals and organizations involved in financial crime. See FinCEN, Advisory to Financial Institutions on Filing Suspicious Activity Reports Regarding Elder Financial Exploitation, FIN-2011-A003 (Feb. 22, 2011), available at http://www.fincen.gov/statutes_regs/guidance/pdf/fin-2011-a003.pdf.

8 Long-Term Care Ombudsmen are advocates for residents of nursing homes, board and care homes, assisted living facilities and similar adult care facilities. Under the federal Older Americans Act, each state has an Office of the State Long-Term Care Ombudsman that addresses complaints and advocates for improvements in the long-term care system. Local ombudsman staff and volunteers work to resolve problems of individual residents. For more information, see http://www.aoa.gov/AoARoot/AoA_Programs/Elder_Rights/Ombudsman/index.aspx. To find your local ombudsman program, search by location at www.eldercare.gov.

DISCUSSION OF PRIVACY PROTECTIONS

The GLBA establishes a general rule that a financial institution may not disclose any nonpublic personal information about a consumer to any nonaffiliated third party unless the financial institution first provides the consumer with a notice that describes the disclosure (as well as other aspects of its privacy policies and practices) and a reasonable opportunity to opt out of the disclosure, and the consumer does not opt out. However, section 502(e) of the GLBA provides a variety of exceptions to this general rule that permit a financial institution to disclose information to nonaffiliated third parties without first complying with notice and opt-out requirements. Generally, disclosure of nonpublic personal information about consumers to local, state, or federal agencies for the purpose of reporting suspected financial abuse of older adults will fall within one or more of the exceptions.9 These disclosures of information may be made either at the agency’s request or on the financial institution’s initiative.

The following are specific exceptions to the GLBA’s notice and opt-out requirement that, to the extent applicable, would permit sharing of nonpublic personal information about consumers with local, state, or federal agencies for the purpose of reporting suspected financial abuse of older adults without the consumer’s authorization and without violating the GLBA:

• A financial institution may disclose nonpublic personal information to comply with federal, state, or local laws, rules and other applicable legal requirements, such as state laws that require reporting by financial institutions of suspected abuse. (15 U.S.C. 6802(e)(8) and implementing regulations at ___.15(a)(7)(i)). 10

• A financial institution may disclose nonpublic personal information to respond to a properly authorized civil, criminal, or regulatory investigation, or subpoena or summons by federal, state, or local authorities or to respond to judicial process or government regulatory authorities having jurisdiction for examination, compliance, or other purposes as authorized by law. (15 U.S.C. 6802(e)(8) and implementing regulations at ___.15(a)(7)(ii)-(iii)).

• A financial institution may disclose nonpublic personal information to protect against or prevent actual or potential fraud, unauthorized transactions, claims, or other liability. (15 U.S.C. 6802(e)(3)(B) and implementing regulations at ___.15(a)(2)(ii)). For example, this exception generally would allow a financial institution to disclose to appropriate authorities nonpublic personal information in order to:

o report incidents that result in taking an older adult’s funds without actual consent, or o report incidents of obtaining an older adult’s consent to sign over assets through misrepresentation of the intent of the transaction.

9 See Section 502(e) of the GLBA (15 U.S.C. 6802(e)).

10 The CFPB’s, FTC’s, CFTC’s, and SEC’s implementing regulations are contained in 12 CFR part 1016, 16 CFR part 313, 17 CFR part 160, and 17 CFR part 248, respectively. For ease of reference, this discussion uses the shared numerical suffix of each of these agencies’ regulations.

• To the extent specifically permitted or required under other provisions of law and in accordance with the Right to Financial Privacy Act of 1978 (12 U.S.C. 3401 et seq.), a financial institution may disclose nonpublic personal information to law enforcement agencies (including the CFPB, the federal functional regulators, and the FTC), self-regulatory organizations, or for an investigation on a matter related to public safety. (15 U.S.C. 6802(e)(5) and implementing regulations at ___.15(a)(4)).

In addition, a financial institution may disclose nonpublic personal information with the consumer’s consent or consent of the consumer’s legal representative. (15 U.S.C. 6802(e)(2) and implementing regulations at ___.15(a)(1)).

POSSIBLE SIGNS OF FINANCIAL ABUSE OF OLDER ADULTS

The Department of the Treasury’s Financial Crimes Enforcement Network (FinCEN) published an advisory in February 2011 that describes potential signs of elder financial exploitation that might trigger the filing of a Suspicious Activity Report (SAR).11 As described in the advisory, among the possible signs of abuse are:

• Erratic or unusual banking transactions, or changes in banking patterns:
o Frequent large withdrawals, including daily maximum currency withdrawals from an ATM;
o Sudden non-sufficient fund activity;
o Uncharacteristic nonpayment for services, which may indicate a loss of funds or access to funds;
o Debit transactions that are inconsistent for the older adult;
o Uncharacteristic attempts to wire large sums of money; or
o Closing of CDs or accounts without regard to penalties.

• Interactions with older adults or caregivers:12
o A caregiver or other individual shows excessive interest in the older adult's finances or assets, does not allow the older adult to speak for himself, or is reluctant to leave the older adult's side during conversations;
o The older adult shows an unusual degree of fear or submissiveness toward a caregiver, or expresses a fear of eviction or nursing home placement if money is not given to a caretaker;
o The financial institution is unable to speak directly with the older adult, despite repeated attempts to contact him or her;
o A new caretaker, relative, or friend suddenly begins conducting financial transactions on behalf of the older adult without proper documentation;
o The older adult moves away from existing relationships and toward new associations with other “friends” or strangers;
o The older adult's financial management changes suddenly, such as through a change of power of attorney to a different family member or a new individual; or
o The older adult lacks knowledge about his or her financial status, or shows a sudden reluctance to discuss financial matters.

11 See footnote 6 above.

12 References to “caregiver” or “caretaker” also may apply to other individuals who may be involved in transactions of the type described in the FinCEN advisory.

Further information about the use of Suspicious Activity Reports to report suspected elder financial exploitation is available in FinCEN’s “The SAR Activity Review” published in May 2013.13 In addition, if financial institutions or other organizations are interested in raising public awareness among older adults and their caregivers about preventing, identifying, and responding to elder financial exploitation, Money Smart for Older Adults, a financial resource tool, serves as a helpful source of training and information.14

13 See “The SAR Activity Review: Trends Tips & Issues,” Issue 23, May 2013, available at http://www.fincen.gov/news_room/rp/files/sar_tti_23.pdf.

14 Money Smart for Older Adults (June 2013), available at www.fdic.gov or www.consumerfinance.gov.

March 2016

Advisory for financial institutions on preventing and responding to elder financial exploitation

Introduction

The Consumer Financial Protection Bureau (CFPB or the Bureau) provides broad recommendations in this advisory for banks and credit unions to help them prevent and respond quickly to elder financial exploitation.1 The CFPB has identified the benchmarks provided in this advisory to help financial institutions assess and strengthen their current practices for preventing, detecting, and responding to the financial exploitation of older people.2

Elder financial exploitation has been called the crime of the 21st century. Deploying effective interventions has never been more important. Recent studies suggest that financial exploitation—the illegal or improper use of an older person’s funds, property or assets—is the most common form of elder abuse and yet only a small fraction of incidents are reported. Older people are attractive targets because they often have assets and a regular source of income. These consumers may be especially vulnerable due to isolation, cognitive decline, physical disability, health problems, and/or bereavement. Elder financial exploitation robs victims of their resources, dignity and quality of life—and they may never recover from it.

Financial institutions play a vital role in preventing and responding to this type of elder abuse. Banks and credit unions are uniquely positioned to detect that an elder account holder has been targeted or victimized, and to take action.

1 The advisory is not an interpretation of federal consumer financial law or any other statute or rule. It is not designed to implement or prescribe any law or Bureau policy. It is not binding on the Bureau or on financial institutions.

2 Accompanying this advisory, the CFPB is releasing Recommendations and Report to Financial Institutions on Preventing and Responding to Elder Financial Exploitation (hereinafter Recommendations and Report), which provides, among other things, additional background and greater detail on the recommendations contained in this advisory.

CONSUMER FINANCIAL PROTECTION BUREAU

Recommendations

The CFPB makes the following recommendations to banks and credit unions:

1. Develop, implement and maintain internal protocols and procedures for protecting account holders from elder financial exploitation. The protocols for management and staff should include training requirements, procedures for making reports, compliance with the Electronic Fund Transfer Act (EFTA) as implemented by Regulation E, means of consent for information-sharing with trusted third parties, and procedures for collaborating with key stakeholders. Protocols likely will vary depending on the institution’s size and risks.

2. Train management and staff to prevent, detect, and respond to elder financial exploitation.

Financial institutions should train employees regularly and frequently, and should tailor training to specific staff roles. Key topics for training include:

§ Clear and nuanced definition of elder financial exploitation

§ Warning signs that may signal financial exploitation, including behavioral and transactional indicators of risk, and

§ Action steps to prevent exploitation and respond to suspicious events, including actionable tips for interacting with account holders, steps for reporting to authorities, and communication with trusted third parties.

3. Detect elder financial exploitation by harnessing technology.

The CFPB encourages financial institutions to ensure that their fraud detection systems include analyses of the types of products and account activity that may be associated with elder financial exploitation risk. Some indicators of elder fraud risk may not match conventionally accepted patterns of suspicious activity, but nevertheless may be unusual in light of a particular account holder’s regular pattern of behavior. The CFPB encourages financial institutions using predictive analytics to review their filtering criteria against individual account holders’ patterns and explore additional risk factors that may be associated with elder financial exploitation.3

4. Report all cases of suspected exploitation to relevant federal, state and local authorities.

§ Be aware of state reporting mandates. Financial institutions should be aware of state reporting mandates including to whom and when they must report. Reasonable suspicion rather than certainty or proof can trigger the duty to report to state Adult Protective Services, law enforcement, or both.

§ File Suspicious Activity Reports (SARs). The Financial Crimes Enforcement Network (FinCEN) issued an Advisory in 2011 noting that SARs are a valuable reporting avenue for elder financial exploitation cases. FinCEN now provides a designated category of suspicious activity, “elder financial exploitation,” on the electronic SAR form. Although the electronic SAR form includes a checkbox for elder financial exploitation, the narrative remains critical and FinCEN instructs filers to provide a clear, complete, and concise description of the suspicious activity.

§ Understand that the Gramm-Leach-Bliley Act (GLBA) is not a barrier to reporting suspected elder financial exploitation. Financial institutions should be aware of the 2013 Interagency Guidance (the Guidance) from eight federal financial regulators that clarifies that reporting financial abuse of older adults to appropriate local, state and federal authorities does not, in general, violate the privacy provisions of GLBA. The Guidance details the relevant exceptions to the GLBA notice and opt out requirements. Several state regulators issued similar guidance.

3 The CFPB’s Recommendations and Report provides a sample of these types of account activity.

§ Understand the roles of first responders. Financial institutions should understand how Adult Protective Services (APS), law enforcement and the long-term care ombudsmen work, and the actions that they will and will not take.

§ Include core components in reports to state and local authorities. A list of basic components of a complete report can help financial institutions support the allegation and assist responders.4

§ Expedite documentation requests. When APS, law enforcement and other government entities investigate reports of financial exploitation and request documentation, providing records in a timely manner is essential. FinCEN Guidance clarifies that financial institutions must provide documentation that supports a SAR to certain law enforcement or supervisory agencies when requested, and that service of legal process on the financial institution is not required in such cases. Financial institutions should provide documents to investigatory agencies at no charge.

5. Protect older account holders.

§ Comply with EFTA and Regulation E. Many older consumers experience financial exploitation involving unauthorized electronic fund transfers (EFTs). EFTA and Regulation E offer important protections to these consumers. Under EFTA and Regulation E, financial institutions are obligated to:

¨ Follow rules for extending time limits for consumers for extenuating circumstances such as extended travel or hospitalization.

¨ Follow rules for accepting notices of unauthorized EFTs. These rules specify consumer rights regarding the method of providing notice, who provides notice, and the specificity of the notice.

4 A sample list of reporting elements is in the CFPB’s Recommendations and Report.

¨ Confirm that all relevant conditions are met before imposing any liability on a consumer for an unauthorized EFT. For example, older consumers with cognitive challenges may write PINs on or near debit cards. Under Regulation E, such behavior may not be used as a basis for imposing greater liability on a consumer.

§ Offer account holders the opportunity to consent to disclosure of account information to trusted third parties when the financial institution suspects financial exploitation. The CFPB recommends that financial institutions establish procedures for enabling consumers to provide advance consent to sharing account information with a designated trusted third party when the financial institution reasonably believes that elder financial exploitation is occurring, has occurred, has been attempted or will be attempted. GLBA permits disclosure of nonpublic personal information with the consent of the consumer. The CFPB recommends developing a plain language consent form as well as procedures for offering consumers the opportunity to consent at account opening and periodically thereafter.

§ Offer age-friendly services that can enhance protections against financial exploitation. There are certain services that institutions can offer to their general client base that may be particularly useful to older customers. The CFPB recommends that financial institutions:

¨ Provide information about planning for incapacity. Advance planning for the possibility of diminished capacity and illness—by, e.g., naming a trusted person to serve as an agent under a power of attorney or other fiduciary—increases the odds that the person managing finances will act in the best interests of the account holder.

¨ Honor powers of attorney. A financial institution’s refusal to honor a valid power of attorney can create hardships for account holders who need designated surrogates to act on their behalf. Financial institutions should establish procedures to ensure that the institution makes prompt decisions on whether to accept the power of attorney, that qualified staff make decisions based only on state law and other appropriate considerations and that frontline staff recognize red flags for power of attorney abuse.

¨ Offer protective opt-in account features. Examples of opt-in features that could reduce the risk of elder financial exploitation include cash withdrawal limits, alerts for specified account activity and read-only access to accounts for authorized third parties. A third-party monitoring feature can enable a designated family member or friend to monitor an account for irregularities without having access to funds or transactions.

¨ Offer convenience accounts as an alternative to traditional joint accounts. Traditional joint accounts, often used to enable a helper to pay bills, pose several risks. To avoid risks such as the joint owner withdrawing money for his or her own use, exposing account funds to creditors of the joint owner, and subverting an intended estate plan, financial institutions should provide information to consumers about these risks. When implemented properly, convenience accounts can mitigate these risks. The CFPB recommends routinely offering such convenience accounts as an alternative.

6. Collaborate with other stakeholders.

The CFPB recommends that financial institutions collaborate with the array of organizations on the local, regional and state level that play a critical role in preventing, detecting, and responding to elder financial exploitation.

§ Work with law enforcement and APS. Financial institutions should work with law enforcement and APS to: share policies and procedures for detecting, assessing and reporting cases; develop relationships with specific personnel to facilitate timely response to reports and have a point of contact when questions arise; and provide expert consultation and document review to assist law enforcement and APS with case investigations.

§ Participate in and support coordinated efforts to educate older account holders, caregivers and the public. Financial institutions should work with an array of agencies and service organizations to offer educational programs and distribute materials.

§ Participate in and support local or regional multidisciplinary network initiatives. Financial institution personnel can be valuable members of or contributors to local multidisciplinary networks focusing on elder financial exploitation, some of which engage in case review to assist APS and law enforcement. They can assist investigators with identifying and analyzing financial documents and can educate responders on the nuances of banking policy and procedures. Multidisciplinary team members can educate one another and can send representatives to train staff of the other stakeholder organizations.

Conclusion

Financial institutions have a tremendous opportunity to serve older consumers by vigorously protecting them from financial exploitation. The CFPB looks forward to continuing to work with financial institutions and seeing a broad spectrum of financial institutions implement its recommendations so that a greater number of older Americans can have later life economic security.

At-Risk Adults Mandated Reporter’s Resource Guide

Georgia Law

Georgia law requires the reporting of abuse, neglect and exploitation (A/N/E) of at-risk adults (elder persons and adults with disabilities) by mandated reporters. The legal definitions of A/N/E can be found in O.C.G.A. § 16-5-100. Requirements for mandatory reporters can be found in O.C.G.A. § 30-5-4 (for individuals living in the community) and O.C.G.A. § 31-8-82 (for individuals living in a long-term care facility).

You can access the Official Code of Georgia Annotated at: http://www.lexisnexis.com/hottopics/gacode/

Mandated Reporters

Mandatory reporters play a key role in protecting elder persons and adults with disabilities. The list of mandatory reporters is as follows:

• Physicians licensed to practice medicine, interns, or residents
• Hospital or Medical Personnel
• Dentists
• Licensed Psychologists and Persons Participating in Internships to Obtain Licensing
• Podiatrists
• Registered Professional Nurses or Licensed Practical Nurses or Nurse's Aides
• Professional Counselors, Social Workers, or Marriage and Family Therapists
• School Teachers
• School Administrators
• School Guidance Counselors, Visiting Teachers, School Social Workers, or School Psychologists
• Child Welfare Agency Personnel
• Child-Counseling Personnel
• Child Service Organization Personnel
• Law Enforcement Personnel
• Reproductive Health Care Facility or Pregnancy Resource Center Personnel and Volunteers
• Physical Therapists/Occupational Therapists
• Day-Care personnel
• Coroners/Medical Examiners
• EMS Personnel/EMT/Paramedics, Cardiac Techs or First Responder
• Employees of a Public or Private Agency Engaged in Professional Health Related Services (to this population)
• Clergy Members
• Any Employee of a Financial Institution

Responsibility of Mandatory Reporters

Mandated reporters are required to report abuse, neglect, and exploitation when they have a reasonable cause to believe.

Reasonable cause to believe means you have knowledge of facts that do not have to amount to direct knowledge but would cause a reasonable person, knowing the same facts, to reasonably conclude the same thing. A report of suspected abuse, neglect and exploitation of an at-risk adult is a request for an investigation and not an accusation. The person reporting does not have to be absolutely certain that abuse, neglect or exploitation has occurred.

Reporting Obligations

When the potential victim lives in the community:

• Mandated reporters are required to report to Adult Protective Services (APS) AND an appropriate law enforcement agency or prosecuting attorney.
• The report can be made by oral or written communication.
• The report shall include the name, address, and age of the at-risk adult, the name and address of their caretaker, the nature and extent of the injury or condition resulting from abuse, exploitation, or neglect, and other pertinent information. If you do not have all of this information, you should still report with what you have.

When the potential victim lives in a long-term care facility:

• Mandated reporters are required to report to Healthcare Facility Regulation (HFR) AND an appropriate law enforcement agency or prosecuting attorney.
• The report can be made by telephone or in person. A written report should be provided to HFR within 24 hours of making the initial report.
• The report should include the name and address of the person making the report, the name and address of the resident or former resident, the name and address of the long-term care facility, the nature and extent of any injuries or the condition resulting from the suspected abuse or exploitation, the suspected cause of the abuse or exploitation and any other information which the reporter believes might be helpful in determining the cause of the resident’s injuries or condition and in determining the identity of the person or persons responsible. If you do not have all of this information, you should still report with what you have.

Contact Information

Adult Protective Services (APS)

• Call: 1-866-552-4464; Follow Prompts
• Online: www.aging.ga.gov
  o Go to: “Report Elder Abuse”
• Fax: 770-408-3001

Healthcare Facility Regulation (HFR)

• Call: 1-800-878-6442
• Online: www.dch.georgia.gov
  o Go to: “Healthcare Facility Regulation”
  o Go to: “File A Complaint”

Immunity

Mandated reporters are immune from any civil or criminal liability on account of their report or testimony or participation unless that person acted in bad faith, with a malicious purpose or was a party to such crime or fraud.

What If I Don’t Report

It is unlawful for any person or official required to report abuse, neglect, and exploitation to fail knowingly and willfully to make such a report. Any person violating the provisions of this code section shall be guilty of a misdemeanor.

Notice: Even though every effort has been made to ensure the information presented in this document is correct and current, the material should be used only for general guidance. This is not a legal document, nor is it intended to fully explain all of the provisions or exclusions of relevant laws.

Definitions

The definitions provided below are those found in the Official Code of Georgia Annotated (O.C.G.A.).

Abuse: The willful infliction of physical pain, physical injury, sexual abuse, mental anguish, unreasonable confinement, or willful deprivation of essential services.

Alzheimer’s Disease: means a progressive, degenerative disease or condition that attacks the brain and results in impaired memory, thinking, and behavior.

Caretaker: A person who has the responsibility for the care of a disabled adult or elder person as a result of family relationship, contract, voluntary assumption of responsibility or by operation of law.

Dementia: (A) An irreversible global loss of cognitive function causing evident intellectual impairment which always includes memory loss, without alteration of state of consciousness, as diagnosed by a physician, and is severe enough to interfere with work or social activities, or both, and to require at least intermittent care or supervision; or (B) The comatose state of an adult resulting from any head injury.

Disabled Adult: A person 18 years of age or older who is mentally or physically incapacitated or has Alzheimer's disease or dementia. The law uses the term disabled adult but adults with disabilities is used in this publication to encourage the use of person-first language.

Elder Person: A person 65 years of age or older.

Essential Services: Social, medical, psychiatric, or legal services necessary to safeguard a disabled adult's, elder person's, or resident's rights and resources and to maintain the physical and mental well-being of such person. Such services may include, but not be limited to, the provision of medical care for physical and mental health needs, assistance in personal hygiene, food, clothing, adequately heated and ventilated shelter, and protection from health and safety hazards.

Exploit: Illegally or improperly using a disabled adult or elder person or that person's resources through undue influence, coercion, harassment, duress, deception, false representation, false pretense, or other similar means for one's own or another person's profit or advantage.

Long-Term Care Facility: Any skilled nursing facility, intermediate care home, assisted living community, community living arrangement, or personal care home subject to regulation and licensure by the Department of Community Health.

Neglect: Willful deprivation of a disabled adult, elder person, or resident of health care, shelter, or necessary sustenance to the extent that the health or well-being of such person is jeopardized.

Resident: Any person who is receiving treatment or care in any long-term care facility.

Sexual Abuse: The coercion for the purpose of self-gratification by a guardian or other person supervising the welfare or having immediate charge, control, or custody of a disabled adult, elder person, or resident to engage in any of the following conduct: (A) Lewd exhibition of the genitals or pubic area of any person; (B) Flagellation or torture by or upon a person who is unclothed or partially unclothed; (C) Condition of being fettered, bound, or otherwise physically restrained on the part of a person who is unclothed or partially clothed unless physical restraint is medically indicated; (D) Physical contact in an act of sexual stimulation or gratification with any person's unclothed genitals, pubic area, or buttocks or with a female's nude breasts; (E) Defecation or urination for the purpose of sexual stimulation of the viewer; or (F) Penetration of the vagina or rectum by any object except when done as part of a recognized medical or nursing procedure.

Indicators of Possible A/N/E

Type: Signs/Symptoms

Abuse
• Bruises, black eyes, welts, lacerations, and rope marks
• Bone fractures, broken bones, and skull fractures
• Open wounds, cuts, punctures, untreated injuries in various stages of healing
• Sprains, dislocations, and internal injuries/bleeding
• Broken eyeglasses/frames, physical signs of being subjected to punishment, and signs of being restrained
• Laboratory findings of medication overdose or underutilization of prescribed drugs
• An at-risk adult’s report
• An at-risk adult’s sudden change in behavior
• The caregiver's refusal to allow visitors to see an at-risk adult alone

Sexual Abuse
• Bruises around the breasts or genital area
• Unexplained venereal disease or genital infections
• Unexplained vaginal or anal bleeding
• Torn, stained, or bloody underclothing and
• An at-risk adult’s report

Neglect
• Dehydration, malnutrition, untreated bed sores, and poor personal hygiene
• Unattended or untreated health problems
• Hazardous or unsafe living condition/arrangements (e.g., improper wiring, no heat, or no running water)
• Unsanitary and unclean living conditions (e.g. dirt, fleas, lice on person, soiled bedding, fecal/urine smell, inadequate clothing)
• An at-risk adult’s report

Exploitation
• Sudden changes in bank account or banking practice
• The inclusion of additional names on an at-risk adult’s bank signature card
• Unauthorized withdrawal of the at-risk adult’s funds using the at-risk adult’s ATM card
• Abrupt changes in a will or other financial documents
• Unexplained disappearance of funds or valuable possessions
• Substandard care being provided or bills unpaid despite the availability of adequate financial resources
• Discovery of an at-risk adult’s signature being forged for financial transactions or for the titles of his/her possessions
• Sudden appearance of previously uninvolved relatives claiming their rights to an at-risk adult’s affairs and possessions
• Unexplained sudden transfer of assets to a family member or someone outside the family
• The provision of services that are not necessary and
• An at-risk adult’s report

What Happens after a Report is made to APS

Reports are made to APS Central Intake.

APS Central Intake makes the determination as to whether the report meets criteria.

If a report does not meet criteria, APS may provide limited telephone intervention services and/or referrals to other services.

If criteria are met and accepted for investigation, APS requires initial face-to-face contact with the client within 10 business days and the investigation completed within 30 business days.

The APS Investigator investigates whether A/N/E occurred and concurrently conducts a comprehensive assessment to determine risk and further endangerment.

APS may offer brief, limited case management for clients who remain at risk, with their consent.

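VULNERABLE ADULTS/ELDER ABUSE LAWS IN GEORGIA*

Columns: Prohibits (makes unlawful) A/N/E and provides felony penalties? | Title 30 DAEPPA (APS statute) | Title 31 LTCFRARA (reporting statute only) | Title 16 Criminal Code, cruelty to a person 65+ | Title 16 Criminal Code, breach of fiduciary, person 65+ | Comments

Mentally Incapacitated
• Title 30 DAEPPA: Yes, § 30-5-1, et seq.
• Title 31 LTCFRARA: No*, § 31-8-80, et seq.
• Title 16, cruelty to a person 65+: 65 and over if deprived of healthcare, shelter and sustenance, w/exceptions; no (A/E) § 16-5-100
• Title 16, breach of fiduciary, person 65+: 65 and over, if fiduciary in breach of fiduciary obligation - Exploitation (E) § 16-9-6.

Physically Incapacitated
• Title 30 DAEPPA: Yes
• Title 31 LTCFRARA: No**
• Title 16, cruelty to a person 65+: 65 and over. . .
• Title 16, breach of fiduciary, person 65+: 65 and over…(E)

Diagnosed Cognitively Incapacitated
• Title 30 DAEPPA: Yes
• Title 31 LTCFRARA: No**
• Title 16, cruelty to a person 65+: 65 and over. . .
• Title 16, breach of fiduciary, person 65+: 65 and over…(E)

Undiagnosed Cognitively Incapacitated
• Title 30 DAEPPA: Yes
• Title 31 LTCFRARA: No**
• Title 16, cruelty to a person 65+: 65 and over. . .
• Title 16, breach of fiduciary, person 65+: 65 and over… (E)

Long-term care Facility Residents
• Title 30 DAEPPA: Yes* (Criminal penalty applies to disabled adults in LTCFs)
• Title 31 LTCFRARA: No**
• Title 16, cruelty to a person 65+: 65 and over. . .
• Title 16, breach of fiduciary, person 65+: 65 and over…(E)

Non-residents of Long-term Care Facilities
• Title 30 DAEPPA: Yes
• Title 31 LTCFRARA: No
• Title 16, cruelty to a person 65+: 65 and over. . .
• Title 16, breach of fiduciary, person 65+: 65 and over (E)

Exemptions against who can be prosecuted for other than good faith concerning LTCF resident)
• Title 30 DAEPPA: No (no exemptions for abusers); issue of “specific intent” for violation of
• Title 31 LTCFRARA: No
• Title 16, cruelty to a person 65+: No
• Title 16, breach of fiduciary, person 65+: No
• Comments: Exemption from criminal liability owner, administrator, officer, board member of LTCF for actions of a person convicted under DAEPPA.

All victims covered equally protected against A/N/E
• Title 30 DAEPPA: Yes
• Title 31 LTCFRARA: No
• Title 16, cruelty to a person 65+: Yes (A/N) – (There is no provision for financial exploitation)
• Title 16, breach of fiduciary, person 65+: Yes (E) – There is no A/N

Available Penalty
• Title 30 DAEPPA: Felony 1-5 years for A/N/E of disabled adults and elder persons in the community or LTCFs. Misdemeanor for failure to report A/N/E
• Title 31 LTCFRARA: Misdemeanor for failure to report A/E; “broader definition of neglect” is not part of LTCFRARA***.
• Title 16, cruelty to a person 65+: Felony 1-20 years
• Title 16, breach of fiduciary, person 65+: Felony 1-15 years and/or a fine not to exceed the amount provided by Code Section 17-10-8, or both

*Chart does not include O.C.G.A. § 10-1-850, the Unfair or Deceptive Practices Toward the Elderly Act, as it includes civil penalties for violations (disabled or elderly)
**LTCFRARA covers this population, but does not make A/N/E against population unlawful, except to not report.
***LTCFRARA includes “failure of care and treatment” within the definition of “abuse”

The True Link Report on Elder Financial Abuse 2015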

January 2015

About True Link Financial

True Link Financial is a San Francisco, California-based financial services firm that helps seniors and their families protect themselves from fraud, exploitation, and financial abuse. The company offers tools to detect suspicious activity and block unwanted transactions, preserving seniors’ independence and keeping their money safe. True Link’s data science team is dedicated to building world-class tools that prevent elder financial abuse and sharing its research to aid others also working toward that vision.

The survey research underlying this report was produced as a collaboration between the True Link data science team and Laurie Orlov. Orlov spent nine years as a leading industry analyst at Forrester Research before founding an independent research and analysis firm focused on aging. She has produced numerous research studies related to aging on behalf of clients such as Philips and AARP.

For more information about True Link Financial, please visit: www.truelinkfinancial.com.

© 2015 True Link Financial

Table of Contents

Executive Summary
Research Goals
Reconcile discrepancies among previous studies
Align research with accepted definitions of elder financial abuse
Gain a deeper understanding of sources of vulnerability
Methodology
Findings
Magnitude of elder financial abuse
Criminal Fraud
Caregiver Abuse
Financial Exploitation
The financial exploitation progression
Non-financial effects of financial abuse
Risk factors
Reporting and underreporting
Conclusion
Appendix A: Common Examples
Appendix B: Significant Risk Factors
Endnotes

Executive Summary

Prior to this report, the most frequently cited estimate of the amount of money lost to elder financial abuse was $2.9 billion. In the fraud research community, we have long suspected that this was an underestimate. In fact, it is a dramatic underestimate: our research reveals that seniors lose $36.48 billion each year to elder financial abuse. This is more than twelve times what was previously reported. Approximately 36.9% of seniors are affected by financial abuse in any five-year period.

Breakdown of the problem

• Financial exploitation: $16.99 billion is lost annually to financial exploitation, defined as when misleading or confusing language is used—often combined with social pressure and tactics that take advantage of cognitive decline and memory loss—to obtain a senior’s consent to take his or her money.

• Criminal fraud: $12.76 billion is lost annually to explicitly illegal activity, such as the grandparent scam, the Nigerian prince scam, or identity theft.

• Caregiver abuse: $6.67 billion is lost annually to deceit or theft enabled by a trusting relationship—typically a family member but sometimes a paid helper, friend, lawyer, accountant, or financial manager.

Sources of risk

• People often assume that those perceived as most vulnerable—widows, the very old, people with severe memory loss—are at greatest risk. In fact, risk equals vulnerability plus exposure. Seniors who are young, urban, and college-educated lose more money than those who are not.

• Some sources of exposure were surprising. Seniors described as extremely friendly lose four times as much to elder financial abuse, perhaps because they are approachable and may give strangers the benefit of the doubt. Financially sophisticated seniors lose more to fraud, likely because they are comfortable moving larger amounts of money around. Thrifty seniors lose five times as much to fraud, perhaps because they are enticed by bargains.

The exploitation progression

• Small losses are evidence of an underlying vulnerability. What seems like an isolated incident is often the first step in a financial exploitation progression. A senior who lost as little as $20 in a year to exploitation could be expected to lose $2,000 a year to other types of fraud.

• A person who receives just one telemarketing phone call per day is likely to experience three times as much financial loss as someone who receives no or only occasional telemarketing calls.

Non-financial effects

• Financial abuse frequently results in reduced emotional and physical health for seniors. We estimate that 954,000 seniors are currently skipping meals as a result of financial abuse.

Research methodology

The primary source of data analyzed in this report is the 2015 True Link Senior Vulnerability Survey, a survey of family caregivers for older Americans that includes 2,335 cumulative years of data on incidents of financial abuse. The design of this survey was guided by the recommendations of an expert panel of fraud researchers convened by the Financial Fraud Research Center at the Stanford Center on Longevity.

Summary findings

Columns: Category | Annual cost to seniors | Avg. five year loss | Defining feature | Examples

Exploitation
• Annual cost to seniors: $16.99 billion
• Avg. five year loss: $2,617
• Defining feature: Operating openly claiming consent of the victim
• Examples: Hidden shipping and handling or subscriptions; Work-from-home schemes; Quack weight loss or dietary products; Excessive gifts; Misleading financial advice1

Criminal fraud
• Annual cost to seniors: $12.76 billion
• Avg. five year loss: $13,107
• Defining feature: Anonymous illegal activity

Con artists
• Annual cost to seniors: $9.85 billion
• Avg. five year loss: $13,225
• Defining feature: Attempt to get you to give them money
• Examples: Grandparent scam; Nigerian prince emails; Fake lottery winnings or government grants; Sweetheart scam

Identity theft
• Annual cost to seniors: $2.91 billion
• Avg. five year loss: $7,633
• Defining feature: Opening or using accounts without authorization
• Examples: Opening new credit cards, bank accounts, or payday loans; Car title or home equity loans on your property; Using card data gained by , in data breach, or from the mail

Caregiver abuse
• Annual cost to seniors: $6.67 billion
• Avg. five year loss: $26,879
• Defining feature: Abuse of trusting relationship
• Examples: Theft by family members or caregivers; Rewritten wills or powers of attorney; Borrowing money hoping senior will forget; Sometimes combined with physical abuse or neglect

Total losses
• Annual cost to seniors: $36.48 billion2
• Avg. five year loss: $11,583

Research Goals

Elder financial abuse3 is no longer the “silent epidemic” it used to be. This once-ignored issue is beginning to get the attention it deserves, everywhere from the Senate Floor to the Nightly News. Yet we still know so little about it. How many people are affected? How much money is lost? Who is most likely to be a victim? To be a perpetrator? Why?

Although the answers to those questions are the subject of spirited debate in the elder abuse prevention community, we can all agree that to begin to solve this problem we need to understand it better. This report and the data herein represent our contribution to that endeavor. We hope that our report aids all of us in protecting ourselves and our families, and that it informs and inspires all of those working to protect our society’s most vulnerable, whether through policy, the press, or practice.

Reconcile discrepancies among previous studies

Our first goal in publishing this study is to reconcile discrepancies in a set of known facts about elder financial abuse. On the one hand, across studies by the Federal Trade Commission and others, it is reported that approximately fifteen percent of Americans fall victim to fraud every year.4 Older adults have been shown to be more vulnerable than the general population to almost every type of financial abuse.5 It is also known that changes in the brain that occur during the aging process create extra sources of vulnerability.6

On the other hand, the most frequently cited estimate of the cost of elder financial abuse is surprisingly low—$2.9 billion, from a 2011 study by the MetLife Institute.7 To develop that estimate, the MetLife study added up the financial losses reported in three months of published news stories, despite research consistently finding that more than 90% of financial exploitation of seniors goes unreported.8 While the MetLife study was based on an estimate of approximately two thousand instances of fraud every year, other research indicates that closer to six million seniors fall victim to fraud every year.9 Clearly, we have not been getting the complete picture.

Furthermore, when you look closely at any specific category of fraud, the numbers start to balloon. In the 1990s, a Congressional panel found that alone cost as much as $15 billion a year, primarily targeting seniors.10 Likewise, the Investor Protection Trust found that one in five seniors had been affected by a financial swindle.11 Individual states alone estimate that their residents face a considerable share of the abuse that MetLife reports at a national level.12 Our own experience at True Link with our customers and their families made it clear to us that the numbers must be much greater than previously reported.

Align research with accepted definitions of elder financial abuse

Second, we wanted to capture mass-market financial exploitation. So often, the ways older adults are defrauded appear to be legal because of a disclaimer or . Maybe the salesperson didn’t actually lie, but just said something confusing that led to an unexpected, unwanted, or unnecessary charge. It is clear that deceptive practices like these should be included in any definition of elder financial abuse.

The law varies from jurisdiction to jurisdiction, but across the board it is illegal to deceptively profit from the infirmity of an elderly person13—and the relationship between aging and vulnerability is now an established medical fact. We also know that the public agrees with this broad legal definition. In the 2014 True Link Financial Abuse Perceptions Survey, we surveyed over seven thousand American adults about their perspectives on what constitutes elder financial abuse. Our results conclusively showed that, whether you technically lied or not, if a senior misunderstood something and gave you money as a result, it is exploitation and abuse in the public’s view.

In summary, the law and the public both define deceptive marketing and sales tactics as abuse, yet these are so rarely reported in the press or pursued by law enforcement that no one is looking into this as a systematic problem. Adding deceptive marketing to our understanding of elder financial abuse is critically important to ensuring that the public is prepared to fight back against the “crime of the 21st century.”14

Consistent with both public opinion and the law, for the purposes of this study, we defined elder financial abuse as any time someone took financial advantage of an older adult in a way that would not have been possible when the senior was younger. Previous research has demonstrated that many individuals who report losing money in specific incidents of fraud do not label their experience as “fraud.”15 Instead of asking people if they were impacted by financial abuse, we asked multiple questions about whether a very specific set of occurrences had happened to them.

Gain a deeper understanding of sources of vulnerability

Third, we sought to identify specific factors that affect vulnerability. Previous studies have often failed to point to such factors.16 Key studies even disagree about whether older adults are more vulnerable to financial abuse than middle-aged and young adults.17 This appears to be because factors—often countervailing ones—point in different directions. For example, the AARP found that lottery fraud victims were more likely to be women over 70 living alone, with lower education, lower income, and less financial literacy, while victims of investment fraud were more likely to be men between the ages of 55 and 62 who were married, with higher incomes and greater financial literacy.18 We sought to identify specific factors that may indicate increased risk, which is something we’ve heard is critical time and time again from those working to prevent elder financial abuse.

Methodology

In the course of operating its core fraud protection business for seniors, True Link employs a data science and research team that maintains a database of known types of fraud, including how they operate, how prevalent they are, what the warning signs are, and who is likely to be at risk.

The primary source of data presented in this report is the 2015 True Link Senior Vulnerability Survey. This was a survey of Americans aged 50–70 that used the SurveyMonkey Audience panel in October 2014. Among other things, SurveyMonkey is a survey research and polling partner of NBC News. We contacted 2,096 respondents and asked them to describe the financial issues they experienced in caring for an older adult over the last five years. Filtering to the 467 respondents who identified themselves as having “any responsibility for an older adult,” we collected 2,335 cumulative years of data.19

The survey asked experiential questions—questions like, “Has the person you care for been asked to send money or provide personal information to help someone posing as a relative or other acquaintance?” and “Has this person been asked to spend money on ‘free’ trials that weren’t free or were hard to cancel?” For “yes” answers, data was collected on how many times the fraud was attempted, whether money was lost, and how much was lost over the five-year survey period.

This methodology was influenced most heavily by two sources: the guidance of an expert panel convened by the Financial Fraud Research Center at the Stanford Center on Longevity, and prior research and internal data about the specific nature of this problem from the True Link data science team and True Link’s customers.

Among the conclusions drawn from their panel of experts, Martha Deevy and Michaela Beals of the Financial Fraud Research Center recommended using survey estimates instead of complaint data, and classifying fraud based on experiential questions (“Did X happen to you?”) rather than questions based on self-identification (“Were you the victim of fraud?”).

They also recommended experimenting with proxy respondents for vulnerable populations with diminished capacity. We believe that by adopting these key expert recommendations, we were able to develop a much more accurate estimate than previous studies, like those conducted by MetLife (2011) or Allianz (2014). For an excellent and thorough discussion of the pros and cons of various survey designs, see Martha Deevy and Michaela Beals, “The Scope of the Problem: An Overview of Fraud Prevalence Measurement” (2013) and “The True Impact of Fraud: A Roundtable of Experts” (2014), both from the Financial Fraud Research Center at Stanford University.20

The True Link data science team has conducted four other research activities that informed the methodological approach of this analysis. Critically, each of these data sources provided or clarified specific examples of criminal fraud, exploitation, and caregiver abuse in a way that enabled the development of experiential questions. This research is referenced throughout the report, and more detail will be provided in future reports.

• The 2014 True Link Financial Abuse Perceptions Survey. We surveyed 7,422 Americans about their perceptions of financial fraud and exploitation targeting seniors. We used a representative sample of American adults drawn from Google Surveys. We presented participants with various scenarios involving an interaction between a senior and an individual or organization engaging in deceptive or predatory practices. The survey asked respondents to characterize the interaction with questions like, “Was this an example of fraud?”; “Was this an example of financial vulnerability?”; “Was this an example of exploitation?”

• An anonymized sample of 9,008 Visa card transactions from seniors over 65, provided by True Link’s internal processing.21 Of these transactions, 3,541 represented spending by older adults whose family members were closely monitoring their finances.

• A set of surreptitious interactions with merchants we believed were engaged in abusive, fraudulent, and exploitive behavior. We spoke with sales representatives from 208 telemarketers, mail-order and TV merchants, and organizations posing as charities in solicitation activities. Typically, we went through an entire sales process, classifying which tactics they used, which products they cross-sold, how many times they charged card numbers they were given, and which additional organizations they permitted to charge the cards.

• A set of interviews with 67 True Link customers. We conducted interviews with both older adults and family members about the types of fraud or financial exploitation they have experienced in the past and are currently facing. We found that for these customers, using True Link protects them from an average of $2,340 per year of unwanted transactions.

To estimate the total amount of elder financial abuse affecting the U.S. population each year, we calculated the mean annual financial loss per person over 65 implied by our sample and multiplied it by the U.S. population over 65.22 Because the demographically representative panel we used to calculate national average losses was selected for having a family member or other adult with some level of responsibility, we looked carefully for robustness against extrapolation bias. In particular, we looked at possible bias introduced by age and gender deviations against national averages. We found that demographic corrections for age and gender did not substantially affect the results. These were within 15% of the raw figures, with the corrected numbers slightly higher than raw, uncorrected figures. Out of conservatism, we reported the lower, uncorrected number rather than the higher, corrected number.

Second, we looked at bias resulting from adverse selection on family member involvement—the plausible hypothesis being that greater family member involvement might be correlated with the unobserved hidden variable of underlying vulnerability. We found that within our panel, level of family member involvement was unrelated to financial losses. For example, people who have a family member who reviews their finances at least once a month suffered greater financial losses than people whose family members only rarely or never review their finances. It is likely that we introduced underreporting effects by including family members who reported never reviewing seniors’ finances, as especially with small-dollar exploitation, they might not be aware of the abuse taking place. However, we could not devise a better way to limit underreporting without introducing bias.

We used linear regression to model the relationship between financial losses and the independent variables (e.g., age, education level, friendliness throughout the course of one’s life) and logistic regression to model the likelihood of losses.

Findings

Magnitude of elder financial abuse

We estimate that financial abuse costs American seniors a total of $36.48 billion per year. We also found that approximately 36.9% of seniors are affected by financial abuse in a given five year period.

[Figure: Annual Cost of Elder Financial Abuse, in billions of dollars (axis from $0 to $20), by category: Financial Exploitation, Criminal Fraud, Caregiver Abuse]

Criminal fraud

We divided our assessment of abuse into several categories. Criminal fraud is defined as any money-taking activity perpetrated by a criminal who is concealing his or her identity to avoid getting caught.23

The key signal we used to classify an event as fraud was that the perpetrator had clearly embraced the fact that the activity was illegal. Such perpetrators operate anonymously; they make statements in writing that are overt lies; they are often from foreign jurisdictions with low levels of law enforcement. These are not people who assume that if they ended up in a courtroom, they could get off the hook. They are people who are diligently avoiding the courtroom altogether.

We further broke down criminal fraud into two subcategories. The first subcategory is traditional Scams, in which a stranger uses deception to trick someone out of his or her money. It might be the “grandparent scam,” where an older adult receives a late-night phone call from a caller who says, “Grandma? It’s me, your favorite grandson. I need your help. I’m traveling, and I was arrested. I need you to wire money to help me post bail. Please don’t tell mom or dad—they would be really upset!” Typically these requests are for a few thousand dollars, but we’ve seen people lose as much as $70,000 over a series of increasingly high-pressure calls. It might be the “Nigerian prince” emails, or another con that requires an individual to make a payment to collect a lottery winning, insurance claim, government benefit, or grant. One “Australian lottery” victim lost three-quarters of his life savings before mentioning the windfall he expected to receive to his daughter, who helped him realize he’d been conned. Or perhaps an offer to buy a senior’s car comes in the form of a cashier’s check that is $2,000 over the agreed upon price. “No problem,” says the buyer. “Just send me back a check for the difference.”

We estimate that these scams cost American seniors $9.85 billion per year. 43.9% of our sample indicated that an example of this type of fraud had been attempted over the last five years,24 and 8.4% lost money to it. The mean five-year financial loss for someone who lost money to con artistry was $13,225, with half of all victims losing $2,500 or more.

The second subcategory of criminal fraud is Identity theft, which includes when someone takes out a credit card or other financial instrument in someone else’s name, using misappropriated information about his or her identity, or uses an existing financial product, such as a stolen credit card number or checkbook, without authorization.

Only 4.3% of our respondents lost money to identity theft, losing an average of $7,633 over the five-year study period. We estimate that identity theft costs seniors $2.91 billion per year, of which approximately $773 million is lost to card fraud and check forgery. The remaining $2.14 billion is lost to people opening new accounts or taking out new loans using stolen personal information.

Criminal Fraud Examples

Con Artists
• Grandparent scam
• Nigerian prince emails
• Fake lottery winnings or government grants
• Sweetheart scam

Identity Theft
• Opening new credit cards, bank accounts, or payday loans
• Car title or home equity loans on your property
• Using card data gained by phishing, in data breach, or from the mail

Caregiver abuse

We included Caregiver abuse as a second category separate from fraud. Both kinds of abuse are illegal, but while fraud is enabled by anonymity, caregiver abuse is enabled by a trusting relationship with the victim.

The perpetrator is often a family member but can also be a paid caregiver, longtime friend, lawyer, accountant, financial manager, or someone else with an obligation of good faith to the victim. This cast of characters could range from the “helpful” son who visits every morning and asks to borrow $100, knowing that by the next morning his mother with memory loss will have forgotten, to a paid caregiver who removes family heirlooms from the home for months before anyone notices, to the “friend” who just needs a “small loan” to get back on his feet.25 Sometimes it occurs as hybrid financial abuse, a recently named category defined as financial abuse coupled with physical abuse or neglect that creates a fear or power dynamic that enables the abuse.26

Other studies have reported that the majority of fraud is perpetrated by family members or paid caregivers.27 At $6.67 billion, the amount of money our study identifies as lost each year to caregiver abuse is even larger than the amount identified by prior research. Importantly, the amount lost due to family member or trusted party theft is on average larger than losses incurred through other types of abuse. The amount stolen by an errant nephew taking out an unauthorized mortgage is necessarily larger than the amount added as a shipping-and-handling charge for a TV purchase.

However, incidents involving family or other trusted parties occur in a much smaller percentage of respondents than incidents involving strangers or businesses. Focusing exclusively on caregiver abuse can obscure issues related to parties not in a position of trust.

It’s important to recognize this because when attempting to resolve a situation of financial vulnerability, the solution is almost always either to “empower the caregiver” or to “disempower the caregiver.” In other words, if a person is engaging in activity that is causing financial self-harm, he or she may need support to address the problem; the appropriate response is to find a trusted party and ask for his or her help. By contrast, if a caregiver is causing financial harm, the solution is to get him or her out of the picture.

Our public policy in situations of elder financial abuse often results in removing sources of support, rather than adding them. We believe that this can be damaging—that our public policy needs to acknowledge, honor, and empower the family caregiver. We estimate, for example, that merely by reviewing their parents’ finances every few months, caregivers prevent 24,500 instances a year of financial fraud and exploitation that would have resulted in $465 million of financial losses.28

Caregiver Abuse Examples

• Theft by family members or caregivers
• Rewritten wills or powers of attorney
• Borrowing money hoping senior will forget
• Sometimes combined with physical abuse or neglect

Financial exploitation

In contrast to criminal fraud and caregiver abuse, our third category, Exploitation, is defined as someone engaging in abusive action openly, expecting to avoid law enforcement actions on technicalities. This is behavior that relies on misrepresentations that are just within the bounds of the law and takes advantage of a person’s vulnerability or confusion.29 Such exploitation might be perpetrated by a U.S. corporation with a listed address and identifiable brand. Rather than operating under the radar, these organizations advertise on TV, bank at mainstream financial institutions, raise capital from legitimate financial markets, hire sales performance consultants to maximize their revenue, and so on.30

Exploitation is frequently connected to products sold on TV, by phone, or in the mail. Typical examples might be a product that has an unexpected shipping-and-handling charge, includes a free trial that is hard to cancel, or is unexpectedly bundled with a subscription service.31 Another category includes services that are misrepresented in their marketing with small-font disclaimers, such as creams that purport to help you lose weight, credit score improvement services, or work-from-home kits that require an upfront payment of several thousand dollars to help you set up your own “online store” to sell secondhand jewelry on eBay.

We believe it is critical to highlight this predatory activity, particularly when law enforcement is hesitant to bring ambiguous cases to court and journalists fall silent about crime that occurs in these gray areas. If a person reports a Nigerian phishing email in the press, the fraudster is not going to demand a correction or sue for libel. Nevertheless, we found that many people shied away from reporting the illegal practices of established, U.S.-based businesses. Put simply, they are getting away with it.

We estimate that financial exploitation costs seniors a startling $16.99 billion a year. Victims in our study lost an average of $2,716 over the course of five years to exploitative practices, with over half losing $500 or more. 11% reported losing over $5,000, and 4% reported losing over $10,000. One survey respondent reported, “Mom exhausted her savings. Now there is nothing to steal.” Often, this was the result of a piling-up of small things—“death by a thousand cuts,” as another respondent put it.

These cases involved varying degrees of entrapment. Although the victim acted “voluntarily”—giving out a credit card number or sending a check—he or she was being deliberately set up to make a spending mistake. Typically, the closer we looked, the more obvious it became that the set-up was deliberate. For example, a company that sells a subscription service might use scoring techniques when buying lists of prospective customers from another subscription service vendor. While this kind of company might claim ignorance that the list it purchased primarily includes people with memory loss who forgot to cancel previous subscriptions, our interviews with call center representatives and reviews of sales scripts and training materials debunk such claims of ignorance. Based on our investigation of the industry, what’s going on within these organizations is an open secret, and it is clear they are systematically engaging in fraud.

Imagine this: A third-party marketing firm sends a senior with memory loss three free issues of a popular national magazine. The firm calls the senior and says, “You’ve been receiving [this magazine], and you have not yet paid for your subscription. According to the terms of your offer, today is the final deadline to make a required payment, so please give me your credit card number now.” The key phrase is “according to the terms of your offer”—the senior believes he has agreed to these terms, perhaps due to trust, confusion, pressure, or memory loss, and so believes he owes money when in fact he does not. Typically these subscriptions will be for terms as long as three to five years and will be at prices that are far above market rates for the magazine in question.

Here’s another common example: When a senior donates $10 to a new charity, it may seem innocuous—hardly deserving of the term “fraud.” But imagine a company operating a massive call center that has bought a “” of people who are known to always donate—perhaps because of memory loss or cognitive impairment. This company calls the same senior multiple times a day, substituting in one rent-a-charity after another, taking a 90% cut and giving 10% to the charitable cause. Suddenly, a charitable solicitation begins to look more clearly like exploitation. As one survey respondent put it, “If non-profits are allowed to harass seniors, they should at least pay full postage.”

Financial Exploitation Examples

• Hidden shipping and handling or subscriptions
• Work-from-home schemes
• Quack weight loss or dietary products
• Excessive gifts
• Misleading financial advice

The financial exploitation progression

We also found that financial exploitation is rarely an isolated incident. Although the losses were small relative to other types of abuse—on average $2,617 over a five-year period—we found that a senior who loses as little as $100 over five years to petty exploitation is expected to lose $9,660 to other types of fraud over the same five-year period. In other words, the loss of around $20 a year can be seen as an indicator of an expected loss of around $2,000 a year.33

The takeaway is that any financial loss at all should be taken as a sign of an underlying vulnerability. An important message in media, nonprofit, and government awareness campaigns must be that no loss is small enough that it’s safe to ignore.

Summary: Categories of Abuse

Category | Who they are | What they do | How they hope to get away with it
Criminal fraud | Criminals | Trick seniors into sending money or providing personal information | Try not to get caught by operating anonymously
Exploitation | Businesses, charities, or individuals | Use pressure tactics or misleading language to lead seniors into financial mistakes | Because they technically did not lie or steal, they claim the senior acted voluntarily
Caregiver abuse | Family, friends, or paid helpers | Take advantage of the trust relationship to get money from the senior | Conceal the activity, or use intimidation or neglect to keep the senior silent

Non-financial effects of financial abuse

While the financial effects of elder abuse grab headlines, the non-financial effects are important as well.34 Of the seniors who experienced fraud, 1.8% lost their home or other major assets as a result. 6.7% skipped medical care, and 4.2% reduced their nutritional intake for budgetary reasons. We estimate that 954,000 seniors are currently skipping meals as a result of financial abuse. Many suffered depression, anxiety, or loss of independence. Overall, 41.2% reported that financial abuse had non-financial costs as well.

For the caregivers, the costs were also significant. Of all caregivers whose family member or care recipient experienced loss due to financial abuse, 27.9% reported depression, stress, or anxiety stemming from dealing with the financial loss; 18.2% reported increased conflict with family and friends; and 13.9% reported a sense of hopelessness. Additionally, 7.3% experienced loss of career advancement or decreased hours at work, and 9.1% experienced damage to their marriage or romantic partnership.

Given that 44 million Americans care for older adults,35 these figures imply that 1.4 million marriages were damaged by the effects of dealing with fraud targeting parents or other loved ones over the study period, and 1.1 million caregivers’ careers were set back because of hours away from work.36

Risk factors

Our analysis revealed relationships between vulnerability and certain personal, medical, and socio-economic factors. Cognitive conditions that one would expect increase vulnerability do just that, while other factors that increase vulnerability are quite surprising. Perhaps most surprising are the factors that don’t enhance vulnerability, especially where popular perception has previously suggested that they do.

Unsurprisingly, memory loss is significantly associated with financial loss37—both in likelihood of occurrence and in the amount lost. People with a below-average memory38 are 78% more likely to suffer financial abuse and lose over twice as much.39 Likewise, cognitive conditions such as dementia and Alzheimer’s disease increase vulnerability.40 People with one cognitive condition experience more financial loss from financial abuse than those with two or more conditions, presumably due to the fact that those with multiple conditions experience reduced independence. Stroke victims experience the greatest amount of financial loss, perhaps because the change is sudden and so there is less time to prepare for altered cognitive capabilities than in cases of dementia or Alzheimer’s.

[Figure: 5-Year Financial Loss by Cognitive Conditions (axis from $0 to $8,000); categories: no conditions, one condition, two conditions, three conditions]

More unexpectedly, we found a significant relationship between how friendly a person was over the course of his or her life, and the amount of money lost. We call it “friendly grandma syndrome.” You tell mom to hang up on telemarketers, but she is just too polite to hang up on anyone, and before you know it, she’s ready to bake them cookies. In fact, someone described as “extremely friendly” over the course of his or her life is likely to experience four times the financial losses of someone with a more typical level of friendliness. One explanation for why friendliness leads to this kind of financial loss is that it increases exposure to more actors with abusive intentions. This theory is consistent with research that shows that age-related changes in cognition may increase vulnerability to fraud in a range of ways. Compared with younger adults, older adults don’t perceive cues of untrustworthiness as clearly;41 are more likely to be persuaded by information in advertisements;42 and experience subtle declines in judgment.43 The research suggests that as you grow older your natural alarm bells aren’t set off as easily, and because friendly people are more outgoing, they may be exposed to more situations where alarm bells are needed.

[Figure: 5-Year Financial Loss by Education Level (axis from $0 to $12,000); categories: Less than High School, High School Diploma, Some or all College, Some or all Graduate]

Our study found education to be positively correlated with incidence of financial abuse. People with more education are more likely to be defrauded and tend to lose more money than others when this occurs. Financial sophistication had a more complex relationship to incidence of financial abuse. People who are very financially sophisticated are likely to avoid certain types of financial loss, but the losses are bigger when they do fall victim, perhaps because they are more confident in their decision-making or more comfortable moving large amounts of money.44 Ironically, these factors—being financially sophisticated and well educated—might give seniors a sense of complacency that actually increases their vulnerability. Previous research has shown that overconfidence in your own ability to manage money was as dangerous as memory loss in enabling fraud, and that even something as simple as whether or not you believe that seniors are often targeted by con artists is a predictor of whether you yourself will be targeted.45 Additionally, people who live in urban areas experience more fraud and lose more money than people who reported living in rural areas.

[Figure: 5-Year Financial Loss by Telemarketing Calls Received (axis from $0 to $8,000); categories: No or occasional calls, One or more calls per day]

People who receive calls from telemarketers are substantially more likely to experience fraud. A person who receives one phone call or more per day from a telemarketer is likely to experience three times as much financial loss as someone who receives no or only occasional telemarketing calls.46

We did not find a relationship between gender and vulnerability. 36% of the women in our study and 35% of the men in our study lost money to elder financial abuse, with men losing slightly more in total.47 Likewise, we did not find that people who are widowed are more vulnerable than people who are married or living with a partner. In fact, widowed people experienced about 8% less fraud. We did not find any support for the common stereotype that women are more vulnerable to making bad financial decisions. We also did not find that people who live farther away from their loved ones are exposed to greater risk of elder financial abuse.48

We did not find a relationship between current household income or peak (i.e., pre-retirement) household income and probability of financial loss; however, the lowest-income people lose more on average due to slightly higher losses per incident.49

We found that scam victimization followed a bimodal distribution with respect to age, with incidence peaking first around 60–65 and then again around 85 years old. This result is consistent with other studies, which find that among the types of fraud that affect older adults, the younger people within that category are most vulnerable to some types and the older people are most vulnerable to others.50 For example, people under 70 lose over five times what the rest of the population lose to exploitation that revolves around the “fine print,” such as unexpected recurring billing or unwanted magazine subscriptions. People aged 85–90 lose almost five times as much as the rest of the population to problems stemming from too much generosity, such as unaffordable charitable contributions or gifts to family members or caretakers. We did find a positive but not significant relationship between having no children and experiencing financial abuse, and similarly between watching large amounts of television and experiencing financial abuse.

A history of thrift helps, but only within limits. People who disregard budgeting—“not thrifty at all”—are more likely to lose money than those who don’t. But in some categories, extremely thrifty people see greater financial losses, perhaps because bargain-hunting is a behavior that scammers prey upon. An ideal disposition seems to be “spend what you can afford”—that is, being neither a shopaholic nor an extreme bargain-hunter.

These factors together tell a complex story about what makes an older adult susceptible. We can start by throwing out the stereotypes. Rich or poor, male or female, widowed or married, we are all vulnerable.51 So what does cause vulnerability? On the one hand, people with memory loss or other “signs of aging” are more susceptible based on our findings. On the other hand, people who are younger, better educated, and more financially sophisticated are also vulnerable.

Risk equals vulnerability plus exposure.

We conclude that increased risk arises at the intersection of the two sets of factors: risk equals vulnerability plus exposure. Older adults with independent, active lifestyles have more to be concerned about because they inadvertently provide perpetrators with more ways to target them.

Factors that increase risk

Examples

• Cognitive conditions including dementia and Alzheimer’s disease
• College or graduate-level education
• Financial sophistication
• Friendliness
• Urban dwelling
• Poor memory
• Calls from telemarketers

Reporting and underreporting

The 2010 National Public Survey on White Collar Crime found that half of fraud victims reported the fraud, but only one in five reported it to law enforcement. The other four out of five cases were typically reported to banks and credit card companies to try to recoup the loss, or to the Better Business Bureau.52 Likewise, a Financial Fraud Research Center study estimated that only one in thirty incidents of scams end up in a government database.53

Typically, victims do not know to whom they should report the fraud, feel that reporting is likely to be useless, or are ashamed about having been duped.54 Other victims may not report incidents because they hold onto hope that they’ll get their money back (or what they were promised), or they fear retaliation.55 Other research has shown that older adults are less likely both to acknowledge and to report that they’ve been taken advantage of.56 The exceptions are illustrative: card fraud, check fraud, and identity theft are reported 80% of the time, because in such cases it’s clear exactly whom to call, and that if you successfully make your case you’ll get your money back. Other types of abuse are typically reported only 30% of the time.57

Among our respondents, 29% of people who lost money to financial abuse stated that they had reported it to banks, police, or another government authority, while 71% stated that they had not made a report. The likelihood of reporting increased with the amount in question: 33% of people who lost over $1,000 and 58% of people who lost over $10,000 reported the losses.

Conclusion

The data about elder financial abuse speaks loudly. Criminal fraud, financial exploitation, and caregiver abuse cost older Americans more than $36 billion a year, and that doesn’t account for the profound emotional and physical costs to seniors and their families that we’re just beginning to quantify.

This once-silent issue is beginning to get the attention it deserves. We hope these findings are a resource for the practitioners, policymakers, and press working to prevent elder financial abuse. We also hope this research can help us all to see the problem more clearly, in all its complexity. This is another step on the path to debunking the notion that the victims or the perpetrators of elder financial abuse fall into neat definitions that allow for simplistic solutions.

Whether by showing that those with more education are more likely to fall victim, or that mainstream corporations are as guilty of exploitation as illegal actors, or that the sheer size of the problem dwarfs previous estimates, what the data proves is that this is an issue we can’t afford to ignore.

Appendix A: Common Examples

The Australian Lottery

A senior receives a phone call or email telling him that he’s won the Australian lottery. In order to collect the winnings, he needs to pay import duties to clear customs, pay to insure the envelope containing the winnings, or pay a travel agent to arrange transportation so that he can collect the winnings in person. The senior is instructed to wire money or send Green Dot cards to the scammers.

The Blessing Scam

The Blessing Scam, also called the Ghost Scam or the Jewelry Scam, is typically perpetrated against elderly women in Chinatowns and overseas Chinese communities. The object of the scam is to persuade the victim to put valuables into a bag so that they can be blessed. Once this is done, the perpetrator secretly swaps the bag for a look-alike, thereby stealing the valuables. This scam takes advantage of Chinese and Chinese-American cultural traditions.

The Buyer’s Club

A senior is offered an extremely low-priced cruise, but told she must enroll in a free trial of a buyer’s club to qualify for the cruise and other offers. She believes that the free trial will end automatically, but in fact, her credit card number has been shared with the buyer’s club, which begins billing her almost immediately. The senior is then charged a monthly membership fee, regardless of whether she uses any of the offers.

The Deathbed Scam

A terminally ill patient with life insurance is persuaded to sell the benefit of his policy for pennies on the dollar. Technically, this “viatical settlement” can be a legitimate transaction, as when a person uses the funds to pay for medical expenses he wouldn’t otherwise be able to afford. However, individuals peddling this type of settlement often take advantage of seniors who may feel like they have no other options or are led to believe they are getting a good deal. The payout amount is often far below the true value of the policy, and once the individual passes away, relatives and loved ones are unable to collect benefits and are left without recourse.

The Cemetery Scam

A senior preemptively pays for a cemetery plot in order to lift this responsibility from her family. When the senior passes away, it turns out that the plot doesn’t actually exist or is worth much less than the senior paid. Alternatively, the family isn’t made aware of the prior arrangement and buys an additional cemetery plot.

Counterfeit Prescription Drugs

Prescription drugs are often expensive. To find a better deal for medications, seniors may shop online, or via phone or mail. In the Counterfeit Prescription Drug Scam, the drugs sold are old or expired, or simply not what they are said to be. Fake botox and sexual aids are especially common, given some seniors’ reluctance to request these items from their doctors.

The Disaster Scam

Immediately after disaster strikes, scammers set up fake websites or send out charity mailings to collect donations. For example, salvationarmyonline.org is not the real site of the Salvation Army, but in the days after Hurricane Katrina, it collected almost $50,000 in donations before it was shut down. In the Disaster Scam, scammers not only take advantage of the generosity of seniors, but they also deprive those who are needy from receiving assistance.

The Fake Insurance Policy

An insurance broker collects monthly premiums for a fake policy and provides forged documents to the purchaser. When a problem arises and the insured individual attempts to collect benefits, the policy—and the broker—evaporate, leaving the victim financially unprotected. Insurance policies are complex and difficult to verify, making this scam all the more tricky.

The “Four For the Price of One” Scam

A senior citizen sees a TV commercial for a new kind of vacuum cleaner and calls the 1-800 number provided. The salesperson offers her four for the price of one, and fails to remind her of the fine print—the $30 shipping-and-handling fee per item. The senior ends up being charged $120 in shipping-and-handling alone, which is much more than she expected to pay for the $40 vacuum cleaner. This scam operates under the assumption that the person buying the product will see the “four for the price of one” tagline and miss the fine print, including shipping-and-handling costs that are rarely refundable.

“Skimming” Scams

An employee at a retail store asks a senior for her credit card, and then “skims” the card to receive payment. What the senior doesn’t realize is that the employee has used a device to illegally copy the card’s information. This information can then be used to make unauthorized purchases. Skimming can occur at insecure ATM machines, gas pumps, and cash registers.

The Gift Basket Scam

The doorbell rings and a senior is presented with a lovely gift basket including a bottle of wine. Because the package contains alcohol, the senior needs to show a photo ID and pay $2.50 to confirm receipt of the package. The delivery person then requires payment by credit or debit card, thereby collecting personal account information. Within a few hours, the scammers have racked up thousands of dollars of charges online.

Grandparent Scam

A scammer calls pretending to be a grandchild in need of immediate funds. He states that he has “been arrested” while traveling. The caller asks for the money to be sent via wire and begs the grandparent not to tell his parents. The Grandparent Scam often happens late at night when a senior is groggy and easily confused. Increasingly, scammers are following actual grandchildren on social media so that they can provide real names and details to unknowing victims.

Hearing Aid Scam

A hearing aid vendor sets up at a mall or distributes a mailer offering a free hearing evaluation. Because everyone has technically suffered at least some level of hearing loss—nobody’s hearing is perfect—the salesperson, who appears to be a doctor or nurse, can truthfully say that a given senior has limited hearing ability. The vendor then says that a specific type of expensive hearing aid—often costing five to ten thousand dollars—is necessary to improve the condition. If the hearing aid is custom made, a no-returns policy will apply.

Helpful Nephew Scam

A senior’s family member or paid caregiver visits every morning to help with basic needs. Each day, he asks to borrow $100, knowing that by the next morning the senior will have forgotten. A senior with memory loss will trust this individual, given that he is familiar and appears to be acting in good faith.

Home Improvement Scam

A scam home repair or improvement contractor contacts a senior and says he is ready to come and install a new air conditioner. He just needs credit card information to run the payment and then the installation can be scheduled. Not remembering whether she ordered an air conditioner or not, the senior goes ahead and pays for it. In other cases, a senior may have a genuine repair need, and an unscrupulous vendor will either overcharge, charge multiple times for the same work, or charge for work that isn’t actually completed. In other variations of this scam, a person might go door-to-door offering to re-pave driveways for a low price, and then spend a half-hour dumping a bucket of concrete on the driveway or disappear without ever doing the work.

Immigration Scam

An “immigration lawyer” contacts a senior offering to adjust his immigration status and requests a fee that is required by a government agency in order to complete the documentation. The “lawyer” tells the senior that he will be in violation of the new status rules without this payment. While details may vary, all versions of the Immigration Scam involve a short or rushed deadline. Additionally, scammers follow major news stories about changes in immigration rules, in order to add legitimacy to their claims.

The Investment Scam

An ad or a salesman convinces a senior that some unusual asset—commemorative gold coins, a horse rescue farm, penny stocks—is a great investment vehicle, and the senior then transfers substantial savings to the vendor or advisor to complete the purchase. Often, the investments are peddled door-to-door or through seminars in which co-conspirators are planted in the audience to talk about “how amazing” the deal has been for them.

Magazine Subscription Renewal Scam

A company sends three free issues of a magazine to a senior and then calls to say that according to the terms of the offer, today is the final deadline to pay for the subscription. What the caller says is true—it is the final deadline to extend the subscription—but the senior incorrectly believes he is required to pay or that he already owes money.

Medicare Card Scam

A caller tells a senior that he needs to renew his Medicare card, and asks the senior to provide the number on the front of his card. The caller then uses this information, which is the senior’s Social Security number, to steal the senior’s identity and open a credit card under his name. Government services—and especially those that primarily serve seniors—often have impostor callers requesting either information or money from unknowing victims.

Medicare Billing Scam

A senior is persuaded to undergo unnecessary medical treatment, and then Medicare is billed for the expense. Inappropriate Medicare billing costs the government billions in tax dollars, but more important, victims of this scam endure unwarranted medical treatments that may have other risks or cause health problems.

Missing Children Scam

A caller tells a senior that if she donates money to an organization supporting families of missing children, every dollar will go directly to the families in need. The scam here is in the word “directly;” if the senior donates over the phone, the funds will go through a paid telemarketing firm that takes as much as a 90% cut.

The Obituary Scam

Scammers troll the obituary sections of small-town newspapers looking for recent deaths that leave behind surviving partners. They will then call a widow and claim that her deceased husband actually owes thousands of dollars in unpaid debt. They will threaten financial ruin, eviction, and public shaming unless the debt is quickly paid. Often, a steeply discounted “settlement offer” is proposed if the debt is paid within a narrow time period.

Online Dating Con

Scammers contact a recently widowed senior online and quickly become a new “friend.” The scammer will generally play along for a while before he starts asking for money. Maybe he wants to come visit but cannot afford the flight; maybe he needs to clear a debt; or maybe he wants to help out a dear relative. The money is often requested in untraceable ways, like a money order or a single-use prepaid card.

Pump and Dump Scams

A scammer buys inexpensive stock in a company (called “penny stocks”) and then artificially “pumps” up the value of the company by distributing false or misleading information—often via online banner ads promising investing tips. An internet campaign spreads false information across multiple sites making it difficult to verify the underlying details. At the peak stock price, the scammer then “dumps” the shares, selling them and leaving everyone else owning now worthless junk shares.

Religious Organization Scams

A suspect religious organization or scammer pretending to be a reputable place of worship will convince a senior to donate money to its cause. Later, the organization will quietly pressure the senior to rewrite his will. The rewritten will is often left undiscovered until after the senior’s death.

Sweepstakes Scam

A senior is told he has won a sweepstakes and needs to pay a small shipping-and-handling fee to collect his winnings. While the prize is visually represented as a new car or a cruise, the fine print indicates that prizes may vary. After paying a hefty fee, it turns out the senior has won a worthless trinket. The scam uses high-pressure language that preys on a senior’s desire to help his family. “How will you feel,” the solicitation asks, “when you have to explain to your family that you could have won $50,000 but you passed up your chance?”

Sweetheart Scam

A younger man or woman befriends an older adult and creates a very close relationship with the senior. The goal of this scheme is to be written into the senior’s will, or to be given money directly. This scam targets lonely seniors who have become isolated due to health issues or the loss of their friends and loved ones.

Telemarketing Scams

Predatory telemarketers contact vulnerable seniors to access their personal or financial information. They may use emotional appeals like guilt, friendliness, or scapegoating to encourage the senior to provide information. The scripts used by these telemarketers are data-driven and designed to be extremely persuasive. The companies then sell the information to other telemarketers using the same tactics, leading to an unstoppable onslaught of telemarketing calls.

The Veterans Scam

A senior citizen gets a call asking for money to help families of military veterans. The senior is told that she has supported this cause in the past. While this may be true in a more general sense, the caller leads the senior to believe that she has supported that specific organization. The senior then feels more comfortable donating “again.”

Weight Loss Magnets

It sounds too strange to be true, but magnets that allegedly lead to weight loss are one of the top scams reported by the FTC. All sorts of anti-aging, beauty, or weight-loss treatments are hawked on TV, often as subscriptions or “free” trials. There is no evidence that any of these treatments—including magnets—help with weight loss.

Work-From-Home Scams

A senior purchases a kit to start a small business, such as an online store to sell vintage jewelry or health supplements. After an expensive set-up fee, hosting fee, and initial stock of jewelry, few buyers visit the online store. The senior is then told she isn’t promoting the store hard enough and is encouraged to pay money for “business coaching.” Even worse, Work-From-Home Scams are often pyramid schemes, where victims get paid to recruit others into the scheme.

Appendix B: Significant Risk Factors

Vulnerability factors and results

Factor | Value | Impact | Comparison values
Condition that could limit decision-making capacity | At least 1 | 59% more likely | Less than 1
Education | College study or degree; Graduate study or degree | Lose 3 to 5 times as much | Less than high school; High school
Financial sophistication | Very sophisticated; Extremely sophisticated | Lose twice as much | Moderately sophisticated; Slightly sophisticated; Not sophisticated
Friendliness | Extremely friendly | Lose 4 times as much | Very friendly; Moderately friendly; Slightly friendly; Not friendly at all
Gender | Female | <2% more likely | Male
Location type | Urban | 47% more likely; Lose 4 times as much | Rural
Marital status | Widowed | <8% more likely | Divorced; Never married; Married or living with a partner
Memory | Poor or fair | 78% more likely; Lose 2 times as much | Good; Very good; Excellent
Receives calls | One or more telemarketing calls per day | Lose 4 times as much | No calls from telemarketers; Only occasional
Stroke | Had a stroke | Lose 5 times as much | Have not had a stroke
Thrift | Extremely thrifty | Lose 5 times as much | Very thrifty; Moderately thrifty; Slightly thrifty; Not thrifty at all
Thrift | Not thrifty at all; Slightly thrifty | 70% more likely | Extremely thrifty; Very thrifty; Moderately thrifty

Endnotes

1. We did not consider inappropriate financial products within the scope of this study, although they pose another increasingly prevalent problem. Commission-based sales reps might recommend, for example, a high-fees investment vehicle or a high-interest personal loan or home equity line of credit. We did not include these products because they were difficult to measure: one would need a detailed picture of an individual’s financial situation in order to determine which financial products are, in fact, appropriate, and even then in many cases this would remain a judgment call.

2. This total includes $60 million of reported financial losses for which we could not determine the appropriate subcategory.

3. This report uses the terms “senior” and “older adult” interchangeably to refer to people over 65 years of age. “Elder financial abuse” and “senior financial abuse” are also used interchangeably to refer to any time someone took financial advantage of an older adult in a way that would not have been possible when the person was younger.

4. See the U.S. Federal Trade Commission report by Deborah Platt Majoras et al., The FTC in 2007: A Champion for Consumers and Competition (Washington, DC: FTC, 2007), http://www.ftc.gov/sites/default/files/documents/reports_annual/annual-report-2007/chairmansreport2007_0.pdf; and Richard M. Titus et al., “Victimization of Persons by Fraud,” Crime & Delinquency 41.1 (1995): 54–72; John Kane et al., The 2005 National Public Survey on White Collar Crime (National White Collar Crime Center 2006), http://fraudresearchcenter.org/wp-content/uploads/2012/02/NWCCC-2005-national-public-household-survey.pdf, and Rodney Huff et al., The 2010 National Public Survey on White Collar Crime (National White Collar Crime Center 2006), http://www.nw3c.org/docs/publications/2010-national-public-survey-on-white-collar-crime.pdf?sfvrsn=8; Jan van Dijk et al., Criminal Victimisation in International Perspective (The Hague: United Nations International Crime Victims Survey 2007), http://www.unicri.it/services/library_documentation/publications/icvs/publications/ICVS2004_05report.pdf. For a review of this research, see Martha Deevy, et al., “Scams, Schemes & Swindles: A Review of Consumer Financial Fraud Research” (Financial Fraud Research Center, 2012), http://fraudresearchcenter.org/wp-content/uploads/2012/11/Scams-Schemes-Swindles-FINAL.pdf, and Kristy Holtfreter, et al., “Financial Exploitation of the Elderly in a Consumer Context” (2014), https://www.ncjrs.gov/pdffiles1/nij/grants/245388.pdf, a report submitted to the US Department of Justice.

5. Two AARP studies found that adults over 50 accounted for 57% of all fraud victims and that the 50–64-year-old age cohort was the most likely group to report having been victimized by a major fraud. See AARP Telemarketing Fraud Victimization of Older Americans: An AARP Survey (Washington, DC: Princeton Survey Research Associates, 1996) and Consumer Behavior, Experiences and Attitudes: A Comparison by Age Groups (Washington, DC: Princeton Survey Research Associates, 1999). Older adults are less likely to be internet users, and the FTC found that just over half of incidents of fraud occur online. For almost every type of fraud that occurs offline, though, seniors are more likely to be victimized. See Keith B. Anderson, Consumer Fraud in the United States, 2011: The Third FTC Survey (Washington, DC: Federal Trade Commission, 2013).

6. Shelley Taylor et al., “Neural and Behavioral Bases of Age Differences in Perceptions of Trust,” Proceedings of the National Academy of Sciences 109.51 (2012): 20848–20852. See also Larry Jacoby, “Aging, Subjective Experience and Cognitive Control: Dramatic False Remembering by Older Adults,” Journal of Experimental Psychology 134.2 (2005): 131–148, summarized in Beth Azar, “Memory Loss May Be Behind Older People’s Susceptibility to Scams,” Monitor on Psychology 32.11 (2001): 30. See also Zachary Urbina, “Neuroscience Team Explains Why Old People Get Scammed,” United Academics (December 4, 2012), http://www.united-academics.org/magazine/mind-brain/neuroscience-team-explains-why-old-people-get-scammed/, and Richard C. Lewis, “Why Are Elderly Duped? Area in Brain Where Doubt Arises Changes With Age,” ScienceDaily (August 16, 2012), http://www.sciencedaily.com/releases/2012/08/120816121836.htm.

7. See especially The MetLife Study of Elder Financial Abuse: Crimes of Occasion, Desperation, and Predation Against America’s Elders (New York: Mature MetLife Market Institute, 2011), https://www.metlife.com/assets/cao/mmi/publications/studies/2011/mmi-elder-financial-abuse.pdf, but also Broken Trust: Elders, Family, and Finances (New York: MetLife Market Institute, 2009), https://www.metlife.com/assets/cao/mmi/publications/studies/mmi-study-broken-trust-elders-family-finances.pdf.

8. According to Lifespan of Greater Rochester, Inc. et al., Under the Radar: New York State Elder Abuse Prevalence Study (2011), http://www.ocfs.state.ny.us/main/reports/Under%20the%20Radar%2005%2012%2011%20final%20report.pdf, elder financial abuse in New York State occurs at a rate nearly 44 times greater than is reported.

9. Please see note 4 above for the relevant research.

10. House Committee on Government Operations, The Nature and Extent of Telemarketing Fraud and Federal and State Law Enforcement Efforts to Combat It: Hearings Before the Commerce, Consumer and Monetary Affairs Subcommittee of the House Committee on Government Operations, 101st Cong., 2d sess. July 11 and 12, 1990. See also the testimony of Charles L. Owens, then Chief of the FBI’s Financial Crimes Section, and others in the Senate Special Committee on Aging, Telescams Exposed: How Telemarketers Target the Elderly: Hearing Before the Special Committee on Aging, 104th Cong., 2d sess., March 6, 1996. In the hearing, the consensus was that telemarketing fraud was a $40-billion problem. See Ultrascan’s finding (2008) that $4.3 billion were lost to advance fee fraud in 2006, reported in Stuart Ross and Russell G. Smith, “Risk Factors for Advance Fee Fraud Victimisation,” Trends & Issues in Crime and Criminal Justice 420 (2011), http://www.aic.gov.au/media_library/publications/tandi_pdf/tandi420.pdf.

11. Also, according to the 2010 Investor Protection Trust (IPT) Elder Fraud Survey, “more than seven million older Americans—one out of every five citizens over the age of 65—already have been victimized by a financial swindle.” See http://www.investorprotection.org/protect-yourself/?fa=protect-seniors.

12. Rebecca Fetters, The Financial Exploitation Data Book: A Retrospective Look At Community Based Financial Exploitation in Oregon in 2013 (OOAPI and Oregon Department of Human Services, 2014), http://www.oregon.gov/dhs/spwpd/adult-abuse/Documents/Financial-Exploitation-Oregon.pdf, 27, estimates that financial exploitation could cost older Oregonians $439,257,487 per year.

13. Richard J. Bonnie and Robert B. Wallace, Elder Mistreatment: Abuse, Neglect, and Exploitation in an Aging America (Washington, DC: National Academies Press, 2003). The relevant appendix (“Analysis of Elder Abuse and Neglect Definitions Under State Law”) is available at the NIH website at http://www.ncbi.nlm.nih.gov/books/NBK98799/.

14. This is an increasingly common description of elder financial abuse. One notable source of this characterization is the testimony of Sandra Timmermann, then Executive Director of the MetLife Mature Market Institute, before the Senate Special Committee on Aging, Protecting Our Seniors: Supporting Efforts to End Elder Abuse: Field Hearing Before the Special Committee on Aging, 112th Cong., 1st sess., August 23, 2011, http://www.gpo.gov/fdsys/pkg/CHRG-112shrg70551/html/CHRG-112shrg70551.htm.

15. Applied Research & Consulting LLC for FINRA, Financial Fraud and Fraud Susceptibility in the United States: Research Report from a 2012 National Survey (New York: FINRA Investor Education Foundation, 2013), http://www.finrafoundation.org/web/groups/sai/@sai/documents/sai_original_content/p337731.pdf?utm_source=MM&utm_medium=email&utm_campaign=Foundation_News_091213_FINAL. See also Michaela Beals, “The Impact of Survey Context on Self-Reported Rates of Fraud Victimization” (Fraud Research Center, 2014), http://fraudresearchcenter.org/wp-content/uploads/2014/10/Fraud-Issue-Brief-FINAL-10.14.14.pdf, for a discussion of how study context (e.g., “crime” or “fraud”) impacts self-reporting of fraud victimization.

16. See Peter A. Lichtenberg et al., “Is Psychological Vulnerability Related to the Experience of Fraud in Older Adults?” Clinical Gerontologist 36.2 (2013): 132–146, for a helpful counterexample.

17. See Michael Ross et al., “Contrary to Psychological and Popular Opinion, There Is No Compelling Evidence That Older Adults Are Disproportionately Victimized by Consumer Fraud,” Perspectives on Psychological Science 9.4 (2014): 427–442.

18. See “Off the Hook: Reducing Participation in Telemarketing Fraud” (Washington, DC: 2003), http://assets.aarp.org/rgcenter/consume/d17812_fraud.pdf. Research that focuses on overwhelmingly finds that younger people are more vulnerable than elderly people, while research that focuses on abuse by family members and caregivers—unsurprisingly—finds that vulnerability increases steadily with age.

19. The respondents were 44% male and 56% female. Of the seniors whose finances they described, 31% had peak household income under $50,000; 46% had peak household income between $50,000 and $100,000; and 23% had peak household income over $100,000. 91% were high school graduates, and 30% had completed college.

20. See Martha Deevy and Michaela Beals, “The Scope of the Problem: An Overview of Fraud Prevalence Measurement” (2013), http://fraudresearchcenter.org/wp-content/uploads/2013/11/Scope-of-the-Problem-FINAL_corrected2.pdf and “The True Impact of Fraud: A Roundtable of Experts” (2014), http://fraudresearchcenter.org/wp-content/uploads/2014/06/The-True-Impact-of-Fraud-Proceedings-Final.pdf.

21. We did not regard these transactions as representative of the general public, and so did not include this data in our statistical analysis. Likewise, we did not extrapolate from the experiences of the customers we interviewed to draw conclusions about the general public.

22. We used 44,574,166 as the number of people over 65 in the United States based on the Census QuickFacts July 1 2013 estimated total population and percent over 65. The American FactFinder estimate is 44,704,074, with the QuickFacts percentage likely calculated from this estimate and then rounded.

A more detailed discussion is beyond the scope of this study, but it would be natural to assume that fraud—like the costs of natural disasters—follows a Pareto or truncated Pareto distribution. This means that estimates of the size of the problem drawn from samples—even with samples of tens of thousands of individuals—will typically underestimate the population statistic. Within our data, exploration of “peaks over threshold” analysis and bootstrapped subsamples provided initial confirmation of this hypothesis.

For a more thorough treatment of this topic, see David Giles et al., “Bias-Corrected Maximum Likelihood Estimation of the Parameters of the Generalized Pareto Distribution,” (University of Victoria Department of Economics, Econometrics Working Paper EWP0902), http://web.uvic.ca/~dgiles/downloads/working_papers/ewp0902_revised.pdf. A fitting of our data put the alpha shape parameter less than one. In other words, the population total fraud loss is bounded in practice by the finite wealth of Americans (a finite sample of an unbounded-mean distribution), rather than by a property of the shape distribution. Our data are not extensive enough to justify exploration of the domain of support for fitting a Pareto distribution. Such data would be nearly impossible to gather.

23. Under the leadership of Senators Bill Nelson and Susan M. Collins, the United States Senate Special Committee on Aging has focused on addressing what they refer to as an “epidemic of fraud perpetrated against seniors.” In particular, in November 2013 they launched a fraud hotline that collected 1,900 complaints in its first year. See Fighting Fraud: Lessons Learned from the Senate Aging Committee’s Consumer Hotline (2014), http://www.aging.senate.gov/imo/media/doc/Fraud%20Hotline%20Report%20Final%20Version.pdf, for information about the most common kinds of fraud, including computer repair scams, the grandparent scam, health scams, lottery scams, social security fraud, timeshare scams, and guardianship abuse.

24. We asked each respondent to provide data about five years of financial impact. Please see the methodology section for further details.

25. There is some room for interpretation here. A gift to a friend or family member could be labeled as predatory exploitation or it might be labeled as caregiver abuse depending on the circumstance.

26. Shelly L. Jackson and Thomas L. Hafemeister, Financial Abuse of Elderly People vs. Other Forms of Elder Abuse: Assessing Their Dynamics, Risk Factors, and Society’s Response (2010), https://www.ncjrs.gov/pdffiles1/nij/grants/233613.pdf, a report to the National Institute of Justice, summarized in “Financial Exploitation of the Elderly,” on the National Institute of Justice website, http://www.nij.gov/topics/crime/elder-abuse/pages/financial-exploitation.aspx.

27. The most recent study is “New Allianz Life Study Confirms Elder Financial Abuse Under-reported and Misunderstood Problem Likely to Grow” (October 15, 2014), https://www.allianzlife.com/about/news-and-events/news-releases/Press-Release-October-15-2014. We were unable to find a copy of the 2014 Safeguarding Our Seniors Study that the Allianz Life Study’s authors reference. The finding that most fraud is perpetrated by family and paid caregivers is typical of many other studies.

28. I.e., fraud resulting in a loss of $25,000 or more. We looked only at major fraud here because caregivers who reported having never reviewed their parent’s financial statements typically also did not report having noticed small unwanted charges, for obvious reasons.

29. In the survey data, there were some cases where the inappropriate spending was in the form of gifts. It was often difficult to classify whether this constituted caregiver abuse or exploitative sales. We distinguished between a voluntary action driven by confusion or vulnerability—a poor decision to make the gift—on the one hand, versus a power relationship, coercion, or deception used to extract the gift, on the other.

30. The New York Times has provided seminal coverage of the way mainstream financial institutions and publicly traded companies enable financial exploitation of the elderly. See Charles Duhigg, “Bilking the Elderly, with a Corporate Assist,” The New York Times (May 20, 2007), http://www.nytimes.com/2007/05/20/business/20tele.html, and Jessica Silver-Greenberg, “Banks Seen as Aid in Fraud Against Older Consumers,” The New York Times (June 10, 2013), http://www.nytimes.com/2013/06/11/business/fraud-against-seniors-often-is-routed-through-banks.html.

31. See Ron Shevlin, “The Economic Impact of Grey Charges on Debit and Credit Cardholders and Issuers: 2013 Industry Report on Grey Charges” (New York: BillGuard, 2013), https://s3.amazonaws.com/static.billguard.com/report/BillGuard_-_2013_Grey_Charge_Report.pdf, for an estimate of $14.3 billion in grey charges. The sample population comprises users of the BillGuard mobile app, which may overestimate the extent of grey charges in that the audience has self-selected for concern about grey charges. On the other hand, this population may underestimate grey charges in that selecting for users of a mobile app may eliminate parts of the population with the highest levels of vulnerability.

32. See Duhigg, “Bilking the Elderly,” for description of “sucker lists”: “InfoUSA advertised lists of ‘Elderly Opportunity Seekers,’ 3.3 million older people ‘looking for ways to make money,’ and ‘Suffering Seniors,’ 4.7 million people with cancer or Alzheimer’s disease. ‘Oldies but Goodies’ contained 500,000 gamblers over 55 years old, for 8.5 cents apiece. One list said: ‘These people are gullible. They want to believe that their luck can change.’” As one of the nation’s leading experts on fraud, Doug Shadel of the AARP put it on Dan Rather Reports, “Never get started with it. When you get a piece of mail, for example, that says you might have won something, it isn’t a benign act to respond to that. Because what you’re doing when you respond to it, even if it’s sending $5 in, is you’re telling the bad guy, I’m someone who does this. And you’re separating yourself out from someone who does this, from someone who doesn’t do this. That gets a big, red X on your back. And now, you’re being targeted by the really bad guys.” “Just Hang Up the Phone,” Dan Rather Reports, Season 8 Episode 9, (March 12, 2013). In Marguerite DeLiema et al., “Tricks of the Trade: Motivating Sales Agents to Con Older Adults,” The Gerontologist (2014): 1–11, researchers show how common mass market sales tactics were tweaked and amplified to target and deceive vulnerable older adults via door-to-door sales by the Alliance for Mature Americans, which sold $200 million in living trusts and annuities to Californians in the 1990s before being shut down for deceptive sales practices.

33. Keith Jacks Gamble et al. in “The Causes and Consequences of Financial Fraud Among Older Americans,” Center for Retirement Research at Boston College Working Papers (November 2014), http://crr.bc.edu/working-papers/the-causes-and-consequences-of-financial-fraud-among-older-americans/, infer a causal relationship here using propensity-matched multi-year panel data. In particular, people who experience fraud become more risk-accepting than they were previously. This is an effect commonly seen in gambling or investing where after taking losses the decision maker shows increased willingness to take on risk in an effort to break even.

34. We are especially grateful to Martha Deevy and her coauthors for urging further study of this topic.

35. National Alliance for Caregiving and AARP, Caregiving in the U.S. (New York: MetLife Foundation, 2009), http://www.caregiving.org/data/Caregiving_in_the_US_2009_full_report.pdf. See also the summaries on the Family Caregiver Alliance homepage, e.g. https://www.caregiver.org/selected-caregiver-statistics.

36. Also notable, though outside the scope of the research covered in this report, are the financial and non-financial costs to society. When older adults lose their nest eggs or all their assets, they rely more heavily on public services. As Shawna Reeves, Director of Elder Abuse Prevention at the Institute on Aging, puts it, “taxpayers often have to foot the bill when a senior’s life falls apart due to elder financial abuse.” See Norma Paz García et al., Examining Faulty Foundations in Today’s Reverse Mortgages (Consumers Union, CANHR, and Council on Aging Silicon Valley, 2010), http://consumersunion.org/wp-content/uploads/2013/02/reverse-mortgage-report-2010.pdf, for an example of this collateral cost to taxpayers resulting from the Reverse Mortgage industry.

37. We use “significant” in this section to indicate 95% confidence. Most of the data here was categorical rather than numeric. We used three statistical measures where appropriate: linear regression for ordinal variables, regression with indicator variables for categorical variables lacking an ordinal interpretation, and difference-of-means t tests where the category values could logically be grouped. In drawing a conclusion, we generally looked both at the magnitude of losses and the probability of losses, and looked for monotonic effects, robustness across multiple formulations of the model, similar effects on variables that were substantively related, and extra sources of inference based on the types of fraud that occurred.

38. More precisely, the 43% of the sample whose memory was rated “Fair” or “Poor” rather than “Good,” “Very Good,” or “Excellent.”

39. We looked at change in memory function, but did not find that this had a stronger predictive relationship than the state of memory function. One might guess that the most vulnerability occurs when memory issues are creeping up on an older adult, but we did not find evidence that this was the case. A declining memory was significantly related to incidence of fraud, but this washed out when current memory was included in the regression.

40. Kristen Triebel and Daniel Marson have also shown that declines in financial decision-making are an early sign of cognitive impairment. K. L. Triebel and D. C. Marson, “The Warning Signs of Diminished Financial Capacity in Older Adults,” Generations 36.2 (2012): 39–45, http://generations.metapress.com/content/4174t21up3804772.

41. Shelley Taylor, “Neural and Behavioral Bases of Age Differences in Perceptions of Trust.”

42. Diane M. Phillips and John L. Stanton, “Age-Related Differences in Advertising: Recall and Persuasion,” Journal of Targeting, Measurement and Analysis for Marketing 13 (2004): 7–20, http://www.palgrave-journals.com/jt/journal/v13/n1/abs/5740128a.html.

43. P.A. Boyle, et al., “Poor Decision-Making Is a Consequence of Cognitive Decline Among Older Persons without Alzheimer’s Disease or Mild Cognitive Impairment,” PLoS ONE 7.8 (2012): e43647, http://www.ncbi.nlm.nih.gov/pubmed/22916287; Natalie L. Denburg et al., “The Orbitofrontal Cortex, Real-World Decision Making, and Normal Aging,” Annals of the New York Academy of Sciences 1121 (2007): 480–498, http://www.ncbi.nlm.nih.gov/pmc/articles/PMC2246008/.

44. This finding is consistent with the FINRA Investor Education Foundation’s finding that willingness to take risk with investments is positively correlated with education, household income and susceptibility to fraud. See FINRA, Financial Fraud and Fraud Susceptibility in the United States, and with Gamble et al., “The Causes and Consequences of Financial Fraud Among Older Americans,” which we believe has not yet gotten the attention it deserves. The latter study looks carefully at these questions and concludes: “We find that overconfidence is a significant risk factor for becoming a victim of financial fraud. A one standard deviation increase in overconfidence increases the odds of falling victim to fraud by 26 percent. Financial knowledge, not just general knowledge, protects against fraud: years of education is not a significant predictor of the likelihood of being victimized by fraud.”

45. Keith Jacks Gamble et al., “The Causes and Consequences of Financial Fraud Among Older Americans.”

46. Holtfreter, Reisig, and Pratt have shown that “remote-purchasing activities” (making a purchase from a telemarketer, TV infomercial, mailing or from someone with whom they have not previously done business) increase the likelihood of fraud victimization, given that these activities indicate greater “exposure to potential motivated offenders.” See Kristy Holtfreter et al., “Low Self-Control, Routine Activities, and Fraud Victimization,” Criminology 46.1 (2008): 189–220, http://www.academia.edu/738038/Low_self-control_routine_activities_and_fraud_victimization. Likewise, according to Holtfreter, Reisig, Mears and Wolfe, on self-report survey data, “Making a telemarketing purchase substantially increased targeting. Respondents who purchased something in response to a telemarketing call from a company with whom they had not previously done business during the previous year increased their risk of becoming a fraud target by over 200% compared to those who had not made such purchases.” See Kristy Holtfreter et al., “Financial Exploitation of the Elderly in a Consumer Context” (2014), 12, https://www.ncjrs.gov/pdffiles1/nij/grants/245388.pdf.

47. This is not to ignore the gender dimension. Any issue relating to aging is a gender equality issue because of the predominance of women among the older population—and this population’s caregivers.

48. In fact, seniors who lived more than an hour away from their caregivers experienced significantly less fraud than those who lived close by. It’s unclear how to draw a cause and effect relationship here. It may be that when parents start to falter they move closer to their children, or their children move closer to them.

49. The FTC’s Consumer Fraud in the United States reports similar findings about income, gender, and marital status.

50. Keith B. Anderson, Consumer Fraud in the United States, 2011: The Third FTC Survey.

51. AARP Foundation’s Off the Hook: Reducing Participation in Telemarketing Fraud, and Karla Pak and Doug Shadel, National Fraud Victim Study (Washington, DC: AARP, 2011), http://assets.aarp.org/rgcenter/general/fraud-victims-11.pdf, showed that the victims of different kinds of scams had dramatically different profiles. For example, investment fraud victims were more likely to be male, younger, and with relatively higher income, while victims were more likely to be female (in 2003 study, not 2011), older, and relatively lower income.

52. Rodney Huff et al., The 2010 National Public Survey On White Collar Crime.

53. They note that fraud is under-reported to authorities by a factor of thirty. This means there are one million complaints for almost forty million incidents. See Deevy et al., “Scams, Schemes, & Swindles,” comparing two FTC studies. The article offers a number of useful ways to respond to underreporting.

54. FINRA, Financial Fraud and Fraud Susceptibility in the United States.

55. Debbie L. Deem, “Notes from the Field: Observations in Working with the Forgotten Victims of Personal Financial Crimes,” Journal of Elder Abuse & Neglect, 12.2 (2000). Experts often encourage an altruistic appeal when trying to encourage a senior to report fraud. See Sid Kirchheimer, “Protect Your Parents From Scams: Here’s How to Talk to Mom and Dad About Steering Clear of Fraudsters,” AARP (August 20, 2013), http://www.aarp.org/money/scams-fraud/info-08-2013/protect-your-parents-from-scams.html.

56. Karla Pak and Doug Shadel, National Fraud Victim Study.

57. Rodney Huff et al., The 2010 National Public Survey On White Collar Crime.

True Link Financial www.truelinkfinancial.com

© 2015 True Link Financial

FINANCIAL EXPLOITATION OF AT-RISK ADULTS RED FLAGS

• Frequent large withdrawals, including daily maximum currency ATM withdrawals.
• Sudden non-sufficient funds activity.
• Sudden uncharacteristic changes in banking practices (Ex. Large Wire Request).
• Large credit card/check withdrawals.
• Checks made out to “cash” or “gift.”
• Checks and withdrawals that cannot be explained.
• Abrupt changes in will and other legal documents.
• Elder is always being escorted to the bank by a second party.
• Unauthorized withdrawals, especially with large penalties.
• New name(s) on signature card(s).
• Suspicious/Forged signatures.
• Client is unaware/does not understand financial arrangements.
• A recent acquaintance interested in the victim’s finances/ingratiating themselves to the victim.
• Redirected Social Security benefit payments.
• Frequent unsolicited phone calls.
• Difficulty covering basic expenses such as food, utilities, etc.
• A relative or caregiver with no means of support takes an interest.
• Isolation.
• Mail directed to a different address.
• Stacks of unsolicited mail.
• Older or disabled adult no longer receives checking account and credit card statements.
• Escalated customer calls on account requesting balances, information, online account access, or requesting to change account information, etc.

Financial Exploitation of At-Risk Adults Questions to Consider

• Is the elder conducting a transaction that is unusual for the account?
• What factors influenced the elder’s decision to make this unusual transaction?
• Is the elder making more frequent withdrawals than previously?
• Is the elder beginning to use alternative forms of transactions?
• Does the elder live alone?
• Are there any concerns that the elder is of diminished mental and physical capacity?
• Does the elder appear nervous, afraid, or confused?
• Did the elder recently meet a stranger who is requesting a favor from him/her for which he/she will be paid a fee? (Ex. Cashing or depositing a check for a stranger)
• Did the elder just meet a stranger who claims to have found some money that he or she is willing to share, but first the elder must put up some “good faith” money?
• Is there a second person claiming to be a relative or close friend of the elder who appears to have more than a casual interest in the transaction?
• Is there a stranger lingering in the lobby that leaves when the elderly client leaves the financial institution?

Elder Abuse Reporting Procedures

• When an elder abuse referral is made by a Bank employee, Compliance researches the customer’s account and if warranted, completes an elder abuse report
• After completion of the elder abuse report, Compliance transmits the elder abuse report to DHS in the county in which the customer lives and sends a copy to Legal
• Legal reviews the report and transmits a copy to the District Attorney in the county in which the customer lives
• Legal maintains an internal bank file on all elder abuse reports which contains the initial report, a copy of the transmittal to the District Attorney, and any subsequent communications, including but not limited to a request for production of documents
• Legal responds to the request for production of documents and may seek assistance from Compliance if needed

October 2013