
Institute of International Bankers & Conference of State Bank Supervisors

Anti-Money Laundering Internal Controls: Know Your Customer & Suspicious Activity Reporting

November 27, 2012

© 2012 KPMG LLP, a Delaware limited liability partnership and the U.S. member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative (“KPMG International”), a Swiss entity. All rights reserved.

Key Controls in a BSA/AML Program

Primary Goals of an AML Program:
• Understand who you are (or might be) doing business with so you can prevent bad actors from gaining access to the financial system; and
• Accepting that some will get through, being able to spot those who do, so you can alert law enforcement and give them the opportunity to take action.

Key Sections of the USA PATRIOT Act

Section 352: Anti-Money Laundering Programs
Requires financial institutions to establish anti-money laundering programs which, at a minimum, must include: the development of internal policies, procedures, and controls; designation of a compliance officer; an ongoing employee training program; and an independent audit function to test programs.

Section 326: Verification of Identification
Prescribes regulations establishing minimum standards for financial institutions and their customers regarding the identity of a customer that shall apply with the opening of an account at the financial institution, i.e. the Customer Identification Program requirements.

Section 312: Special Due Diligence for Correspondent Accounts & Private Banking Accounts
Imposes due diligence and enhanced due diligence requirements on U.S. financial institutions that maintain correspondent accounts for foreign financial institutions or private banking accounts for non-U.S. persons.

Section 352: AML Compliance Programs

Pillar 1: Internal Controls
• Comprehensive plan and set of internal controls, including, for example:
1. Documented policies and procedures – including board approved policy
2. Established governance and accountability
3. Documented AML/OFAC risk assessment
4. Risk-based customer due diligence
5. Sufficient controls and monitoring systems for timely detection and reporting of suspicious activity
6. Regulatory reporting
7. Record retention requirements
8. Management reports

Key Program Elements – Risk-based Approach

Prevention, Detection, and Reporting

Prevention
• Implementation of Customer Identification Program
• Execution of CDD and EDD requirements
• Front Office employees knowing their customers & understanding expected transactional activity

Detection
• Employees staying alert to possible suspicious activity
• Back Office employees monitoring and reporting unusual transactions to the Compliance Officer

Reporting
• Conducting due diligence/investigations
• Reporting of potentially suspicious activity to FinCEN
• Updating customer’s profile, if warranted

Customer Identification Program (CIP)

• Written
• Part of the overall AML compliance and KYC program
• Approved by senior management or a committee thereof (part of board approved policy)
• CIP requires you to:
– Identify and verify identity of customer for all new accounts
– Notify customer of process
– Keep records of identification information
– Consult government lists
• At a minimum, you must obtain:
– Name
– Address
– Date of birth (for individuals only)
– SSN or TIN for U.S. persons, or other Government-issued Identification Number or equivalent for non-U.S. persons

CIP Applies to “Customers”

The CIP rule applies to a “customer.”
• A customer is a “person” (an individual, a corporation, partnership, a trust, an estate, or any other entity recognized as a legal person) who opens a new account, an individual who opens a new account for another individual who lacks legal capacity, and an individual who opens a new account for an entity that is not a legal person (e.g., a civic club).

A customer does not include:
• A person who does not receive banking services, such as a person whose loan application is denied.
• An existing customer as long as the bank has a reasonable belief that it knows the customer’s true identity.
• Excluded from the definition of customer are financial institutions regulated by a federal functional regulator*, banks regulated by a state bank regulator, governmental entities, and publicly traded companies (as described in 31 CFR 1020.315(b)).

* Federal functional regulator means: Board of Governors of the Federal Reserve System; Federal Deposit Insurance Corporation; National Credit Union Administration; Office of the Comptroller of the Currency.

CIP Applies to Customers who Open Accounts

An account does not include:
• Products or services for which a formal banking relationship is not established with a person, such as check cashing, funds transfer, or the sale of a check or money order.
• Any account that the bank acquires. This may include single or multiple accounts as a result of a purchase of assets, acquisition, merger, or assumption of liabilities.
• Accounts opened to participate in an employee benefit plan established under the Employee Retirement Income Security Act of 1974.

Customer Due Diligence (CDD) / Know Your Customer (KYC)

A primary objective of CDD is to enable the financial institution to understand the customer and the risks associated with the customer:
– What are basic attributes of the customer that may set preliminary risk standards for the collection of information
– What do you learn from collecting that information that may elevate or mitigate risk

CDD policies, procedures, and processes are critical to the bank because they can aid in:
– Understanding what activity or type of activity the customer is likely to engage in
– Detecting deviations from normal and expected activity for the purpose of reporting unusual or suspicious transactions that potentially expose the bank to financial loss, increased expenses, or reputational risk
– Avoiding criminal exposure from persons who use or attempt to use the bank’s products and services for illicit purposes
– Adhering to safe and sound banking practices

Customer Due Diligence (CDD) / Know Your Customer (KYC) (Cont’d)

CDD/KYC is conducted to enable you to form a reasonable belief that you know and understand:
• Who your customer is;
• What your customer does (business activities);
• What your customer can be expected to do through your institution;
• What risks are associated with your customer;
• Whether activities are legitimate

Supporting documentation will be gathered

NB – There is no exception for affiliates!

Customer Due Diligence (CDD) aka Know Your Customer (KYC) (Cont’d)

• Processes are risk based
• Will generally begin with a preliminary risk assessment of the customer, assessing factors indicative of risk

Factors may include:
– Whether the customer is publicly traded or privately held
– If privately held, whether beneficial owners present increased risk (e.g. Politically Exposed Persons)
– Where the customer is registered or has its principal place of business
– Whether the client is in a high-risk industry
– Whether