Institute of International Bankers & Conference of State Supervisors

Anti-Money Laundering: Internal Controls & Suspicious Activity Reporting

November 27, 2012


© 2012 KPMG LLP, a Delaware limited liability partnership and the U.S. member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative (“KPMG International”), a Swiss entity. All rights reserved. 25924NSS

Key Controls in a BSA/AML Program

Primary Goals of an AML Program:

• Understand who you are (or might be) doing business with so you can prevent bad actors from gaining access to the financial system; and

• Accepting that some will get through, being able to spot those who do, so you can alert law enforcement and give them the opportunity to take action.

Key Sections of the USA PATRIOT Act

Section 352: Anti-Money Laundering Programs
Requires financial institutions to establish anti-money laundering programs which, at a minimum, must include: the development of internal policies, procedures, and controls; designation of a compliance officer; an ongoing employee training program; and an independent audit function to test programs.

Section 326: Verification of Identification
Prescribes regulations establishing minimum standards for financial institutions and their customers regarding the identity of a customer that shall apply with the opening of an account at the financial institution, i.e. the Customer Identification Program requirements.

Section 312: Special Due Diligence for Correspondent Accounts & Private Banking Accounts
Imposes due diligence and enhanced due diligence requirements on U.S. financial institutions that maintain correspondent accounts for foreign financial institutions or private banking accounts for non-U.S. persons.

Section 352: AML Compliance Programs – Pillar 1: Internal Controls

• Comprehensive plan and set of internal controls, including, for example:
1. Documented policies and procedures – including board approved policy
2. Established governance and accountability
3. Documented AML/OFAC risk assessment
4. Risk-based customer due diligence
5. Sufficient controls and monitoring systems for timely detection and reporting of suspicious activity
6. Regulatory reporting
7. Record retention requirements
8. Management reports

Key Program Elements – Risk-based Approach

Prevention, Detection, and Reporting

Prevention
• Implementation of Customer Identification Program
• Execution of CDD and EDD requirements

Detection
• Front Office employees knowing their customers & understanding expected transactional activity
• Employees staying alert to possible suspicious activity
• Back Office employees monitoring and reporting unusual transactions to the Compliance Officer

Reporting
• Conducting due diligence/investigations
• Reporting of potentially suspicious activity to FinCEN
• Updating customer’s profile, if warranted

Customer Identification Program (CIP)

• Written
• Part of the overall AML compliance and KYC program
• Approved by senior management or a committee thereof (part of board approved policy)
• CIP requires you to:
– Identify and verify identity of customer for all new accounts
– Notify customer of process
– Keep records of identification information
– Consult government lists
• At a minimum, you must obtain:
– Name
– Address
– Date of birth (for individuals only)
– SSN or TIN for U.S. persons, or other Government-issued Identification Number or equivalent for non-U.S. persons

CIP Applies to “Customers”

The CIP rule applies to a “customer.”
• A customer is a “person” (an individual, a corporation, partnership, a trust, an estate, or any other entity recognized as a legal person) who opens a new account, an individual who opens a new account for another individual who lacks legal capacity, and an individual who opens a new account for an entity that is not a legal person (e.g., a civic club).

A customer does not include:
• A person who does not receive banking services, such as a person whose application is denied.
• An existing customer, as long as the bank has a reasonable belief that it knows the customer’s true identity.
• Excluded from the definition of customer are financial institutions regulated by a federal functional regulator*, regulated by a state bank regulator, governmental entities, and publicly traded companies (as described in 31 CFR 1020.315(b)).

* Federal functional regulator means: Board of Governors of the Federal Reserve System; Federal Deposit Insurance Corporation; National Credit Union Administration; Office of the Comptroller of the Currency.

CIP Applies to Customers who Open Accounts:

An account does not include:
• Products or services for which a formal banking relationship is not established with a person, such as check cashing, funds transfer, or the sale of a check or money order.
• Any account that the bank acquires. This may include single or multiple accounts as a result of a purchase of assets, acquisition, merger, or assumption of liabilities.
• Accounts opened to participate in an employee benefit plan established under the Employee Retirement Income Security Act of 1974.

Customer Due Diligence (CDD) / Know Your Customer (KYC)

• A primary objective of CDD is to enable the financial institution to understand the customer and the risks associated with the customer:
– What are basic attributes of the customer that may set preliminary risk standards for the collection of information
– What do you learn from collecting that information that may elevate or mitigate risk

• CDD policies, procedures, and processes are critical to the bank because they can aid in:
– Understanding what activity or type of activity the customer is likely to engage in
– Detecting deviations from normal and expected activity for the purpose of reporting unusual or suspicious transactions that potentially expose the bank to financial loss, increased expenses, or reputational risk
– Avoiding criminal exposure from persons who use or attempt to use the bank’s products and services for illicit purposes
– Adhering to safe and sound banking practices

Customer Due Diligence (CDD) / Know Your Customer (KYC) (Cont’d)

CDD/KYC is conducted to enable you to form a reasonable belief that you know and understand:
• Who your customer is;
• What your customer does (business activities);
• What your customer can be expected to do through your institution;
• What risks are associated with your customer;
• Whether activities are legitimate

Supporting documentation will be gathered

NB – There is no exception for affiliates!

Customer Due Diligence (CDD) aka Know Your Customer (KYC) (Cont’d)

Processes are risk based

Will generally begin with a preliminary risk assessment of the customer, assessing factors indicative of risk:
• Factors may include:
– Whether the customer is publicly traded or privately held
– If privately held, whether beneficial owners present increased risk (e.g. Politically Exposed Persons)
– Where the customer is registered or has its principal place of business
– Whether the client is in a high risk industry
– Whether the client is engaged in high risk transactions/using high risk products

Customer Due Diligence (CDD) / Enhanced Due Diligence (EDD)

• Information, in addition to CIP, should be collected from customers to assist in determining if the risk level should be elevated and Enhanced Due Diligence (EDD) collected.

Customer Information Data Element Examples

Basic Information (all risk levels)
• Purpose of the account
• Domicile (where the business is organized)
• Primary place of business
• Description of the customer’s primary trade area and whether international transactions are expected to be routine
• Description of the business operations
• Negative news and other list searches on the client, e.g. PEP screening

If not publicly traded
• Individuals with ownership or control over the account, such as beneficial owners, principals, guarantors, trustees
• Negative news and other list searches on the related parties (UBOs, etc.)

When risk is elevated, either based on due diligence, enhanced due diligence must be performed

Enhanced Due Diligence (EDD)

A more comprehensive form of KYC
• For those customers where there may be increased risk associated with the account

Increased risk may include:
• High-risk geographies
• High-risk type of persons or entities
• High-risk products or services

Accounts for which EDD should be conducted include:
• High-risk foreign correspondent banks, pursuant to Section 312 of the USA PATRIOT Act
• Foreign Private Banking customers
• PEPs
• Customers with an AML risk rating of High

Enhanced Due Diligence (EDD) (Continued)

Customer Information Examples (Cont’d)
• Source of funds and wealth
• Enhanced background checks
• Financial statements
• Banking references
• If the higher risk client is subject to an AML Program requirement (e.g., MSBs, Casinos, Precious Metals Merchant), assess that the client’s AML program addresses:
– Internal controls designed to assure compliance with the Bank Secrecy Act (BSA)
– Employee Training
– Independent compliance testing
– Designated Compliance Officer, responsible for day-to-day compliance with the BSA AML Program
– Procedures for filing and reporting Currency Transaction Reports (CTRs) and Suspicious Activity Reports (SARs)
• Site visits to assess their operations and AML or other controls

Enhanced approvals should be obtained for high risk clients – Business must own their risk

Enhanced Due Diligence (EDD) – Cont’d

Special Due Diligence Program for Foreign Correspondent Accounts
• Section 312 requires U.S. financial institutions to establish a due diligence program that includes appropriate, specific, risk based and, where necessary, enhanced policies, procedures and controls reasonably designed to detect and report money laundering through correspondent accounts and private banking accounts established or maintained by U.S. financial institutions for non-U.S. persons.
• Due diligence policies, procedures and controls must include the following:
– Determining whether EDD is required;
– Assessing the money laundering risks presented by the bank;
– Applying risk-based procedures and controls, including a periodic review of the correspondent account activity to determine if the activity is consistent with what is expected
• Factors to be considered in assessing the risks of a Correspondent Bank include:
– Nature of the Correspondent’s business and the markets served
– Type, purposes and anticipated activity
– Nature and duration of the relationship
– AML and supervisory regime of the licensing jurisdiction
– AML record

Enhanced Due Diligence (EDD) – Cont’d

Special Due Diligence Program for Foreign Correspondent Accounts
• Enhanced due diligence must be applied to correspondent accounts maintained in the U.S. for a foreign bank operating under:
– An offshore banking license;
– A banking license issued by a country that has been designated as being non-cooperative with international anti-money laundering principles or procedures by an intergovernmental organization of which the U.S. is a member and with which designation the U.S. concurs; or
– A license issued by a country designated by the Secretary of the Treasury as warranting special measures due to money laundering concerns.
• Financial institutions are also required to determine if the correspondent maintains correspondent accounts for other foreign institutions and the identity of each owner of a foreign bank whose shares are not traded publicly. (An “owner” is a person who directly or indirectly owns, controls or has the power to vote 10 percent or more of any class of the foreign bank’s securities.)

CDD is a Continuous Effort

• Critical to ensuring you understand the risk in your customer base is periodically reviewing customers, using a risk based approach:

Periodic Reviews
Using a risk-based time table, conduct regular reviews of customers in order to:
• Ensure that core client reference data remains accurate
• Update due diligence/EDD information so that it remains current
• Validate that the client’s risk rating remains accurate
• Assess that the client is engaging in transactions consistent with expected activity
• Review client to assess whether there is any recent negative news/reputational concerns
• If the client relationship has been dormant, use the periodic review as an opportunity to purge inactive accounts, and
• Ensure that the business/senior management remains comfortable maintaining the relationship

Transaction Monitoring/Surveillance
Leverage the various customer risk factors (risk rating, industry, geography, etc.), in support of:
• Automated transaction monitoring, and
• Targeted transaction reviews in order to identify potential suspicious activity based upon known typologies associated with a particular industry or customer type (e.g., unregistered MSBs)

Monitoring

Transaction Monitoring Process

1. Use of manual and/or electronic monitoring systems
• Understand manual and electronic systems

2. Consider customer’s usual activity
• Customers
• Products
• Transactions
• Countries

3. Review unusual activity
• Transactions that just don’t make sense
• Investigate
• Need for transparency

4. Determine if unusual activity is suspicious
• Unusual not necessarily suspicious
• No plausible explanation
• Compliance determination

5. Update customer profile
• Legitimate changes in behavior
• New media and public database information

Transaction Monitoring Systems/Processes

Transaction monitoring systems/processes must identify transactions that may be:
• Elevated risk
• Appear unusual or indicative of suspicious activity

Transaction monitoring systems assist with the identification and analysis of potentially suspicious activity by considering factors such as:
• Transactions to specific geographies
• Risk level of a customer
• Velocity and frequency of transactions
• Transaction routing
• Changes in profile transactional behavior
• Transaction unusual for peer group profile
• Specialized risk scenarios

Other Monitoring Efforts

Monitoring efforts used in addition to routine transaction monitoring, including:
• Review of customers/parties appearing on 314(a)/(b) requests;
• Customers associated with PEPs identified during batch screening;
• Customers/parties named in subpoenas or other government requests received by the bank;
• Customers with ties to OFAC program lists identified during batch screening (to be discussed in more detail later);
• Reviews of customers with previous SAR history
• Targeted reviews of activity identified as indicative of money laundering by law enforcement
• Customers associated with negative media stories

Business is the first line of defense:
• Front office must be alert to and trained to identify unusual behavior during all stages of a customer relationship from on-boarding and beyond

SAR Reporting Requirements

Executing AML Requirements

• Customer Information
• Transaction Monitoring
• Reporting of Suspicious Activity

SAR Filing Conditions

When to File a SAR:
• Transactions involving insider abuse – any dollar amount;
• Criminal violations aggregating $5,000 or more when a suspect can be identified;
• Criminal violations aggregating $25,000 or more regardless of the identification of a potential suspect
• Transactions conducted / attempted through the bank aggregating $5,000 or more if the bank knows, suspects, or has reason to suspect that the transaction:
– May involve money laundering or other illegal activity (e.g. terrorist financing)
– Is designed to evade BSA requirements
– Has no business or apparent lawful purpose or is not the type of transaction in which the customer would be expected to engage without reasonable explanation.

SAR Filing Criteria

When to file:
• If ongoing criminal activity is detected, file immediately, alert law enforcement;
• Otherwise:
– If a suspect has been identified, file no later than 30 days from detection of the facts that form the basis for the filing;
– If no suspect has been identified, then filing should be no later than 60 days from detection of the facts that form the basis for the filing.

Other SAR Requirements

Confidentiality is Critical:

• A SAR, or any information that would reveal the filing of a SAR, must not be disclosed, with limited exceptions:
– Banking organizations may share SARs with head offices and controlling companies; thus, a US branch or agency of a foreign bank may share a SAR with its head office outside the US, providing that appropriate arrangements are made to protect the confidentiality of the SAR.
– This does not apply to affiliate organizations
• If subpoenaed, do not provide – notify FinCEN

Records must be retained:
• SARs and supporting documentation must be retained for five years from filing

Safe Harbor Laws:
• 31 USC 5381(g)(3) offers safe harbor from civil liability for all reports of suspicious activity and supporting documentation

Questions?

Presenter’s Contact Details

Teresa A. Pesce, Principal, AML Services Leader
KPMG, LLP
32 5 Park Avenue
New York, NY 10154
212-872-6272

The information contained herein is of a general nature and is not intended to address the circumstances of any particular individual or entity. Although we endeavor to provide accurate and timely information, there can be no guarantee that such information is accurate as of the date it is received or that it will continue to be accurate in the future. No one should act on such information without appropriate professional advice after a thorough examination of the particular situation.