Transcript 2014 BSA Manual Updates

The 2014 Revised FFIEC BSA/AML Examination Manual
ACAMS
April 30, 2015
Agenda
• Overview
• Updates to the Manual
• Sections Not Updated
• Areas of Regulatory Focus
• Questions
1
Overview

Manual updates primarily incorporate regulatory guidance and
changes since the 2010 update

No significant new regulatory requirements

Most changes are to Overview section and not the Examination
Procedures

There are some areas of regulatory focus that are not included or
expanded upon.

The manual is a helpful guide but not all-inclusive
2
Updated Sections
•
Suspicious Activity Reporting
•
Currency Transaction Reporting
•
Currency Transaction Reporting Exemptions
•
Foreign Correspondent Account Recordkeeping and Due Diligence
•
Foreign Bank and Financial Accounts Reporting
•
International Transportation of Currency or Monetary Instruments Reporting
•
Correspondent Accounts (Foreign)
•
Bulk Shipments of Currency
•
Automated Clearing House Transactions
•
Prepaid Access
•
Third-Party Payment Processors
•
Embassy, Foreign Consulate and Foreign Mission Accounts
•
Non-Bank Financial Institutions
3
Suspicious Activity Reporting
 SAR E-Filing Requirements – Also in Appendix T
 Deadline for SAR Filing for Continuing Activity
 Clarifies prohibition on SAR disclosure
 Sharing SARs with Affiliates
 All changes are in Overview; no changes to Examination
Procedures
4
Suspicious Activity Reporting
•
No updates for the following:
– Expectations related to the 2011 OCC Model Risk
Management Guidance
– Language regarding SAR Decision Making process
5
Currency Transaction Reporting
 New E-Filing Requirements – Also in Appendix T
 Contact FinCEN Instead of IRS for Backfiling Determination
 Armored Car Guidance FIN-2013-R001
 Guidance for Aggregating Activity for Businesses with Common
Ownership
 Separately incorporated businesses can be aggregated
separately
 Exception if businesses are do not operate independently
and/or intermingling of funds
 Banks should have a process to identify these relationships
6
CTR Exemptions
• Updates to Phase II Exemption Ineligible Businesses:
– Incorporates guidance clarifying definition of dealers of
motor vehicles
– Marijuana businesses are ineligible
7
Foreign Correspondent Account
Recordkeeping, Reporting and Due
Diligence
 Added Requirements Related to Comprehensive Iran Sanctions
Accountability and Divestment Act (CISADA)
 Banks Must Provide Information on Foreign Correspondent Customer
Upon Written Request from FinCEN within 45 days
 Must Report to FinCEN Regardless of Whether Foreign Correspondent
Customer Responds
 Bank Must Request that Foreign Correspondent Provide Notification of
Subsequent Accounts Opened for Designated Entities
 Should Have Process to Reevaluate Customer Profile and Risk Rating
8
Foreign Correspondent Account
Recordkeeping, Reporting and Due
Diligence
 Required Information:

Whether the foreign bank maintains a correspondent account for an Iranianlinked financial institution designated under the International Emergency
Economic Powers Act (EEPA);

Whether the foreign bank has processed one or more transfers of funds
within the preceding 90 calendar days for or on behalf of, directly or
indirectly, an Iranian-linked financial institution designated under IEEPA, other
than through a correspondent account; and

Whether the foreign bank has processed one or more transfers of funds
within the preceding 90 calendar days for or on behalf of, directly or
indirectly, Iran’s Islamic Revolutionary Guard Corps (IRGC) or any of its agents
or affiliates designated under IEEPA.
9
Foreign Bank and Financial Account
Reporting (FBAR)
 Updated to Address Electronic Filing Requirements
 Banks are Required to File on Accounts they Own or Control
 Also Must File on Accounts Owned by Others Where Bank has
Signature Authority - FinCEN Notice 2014-1
 Deadline Extended to June 30, 2016
 Does not Mention Exemption for Correspondent and Bank
Use/Nostro Accounts (but are)
10
International Transportation of Currency or
Monetary Instruments Reporting
• Overview Updated to state that CMIR filing or
exemptions from filing do not relieve banks of other BSA
monitoring, reporting and recordkeeping requirements:
– CTRs
– SAR Monitoring and Reporting
11
OFAC
 Minor Change to Overview Section to Include Enhanced Iran
Sanctions
12
Correspondent Banking (Foreign) –
Expanded Section
 Several Additions to Examination Procedures:
 Determine whether the foreign correspondent financial
institution has in place acceptable AML compliance processes
and controls.
 Ensure that appropriate due diligence standards are applied to
those accounts determined to be higher risk.
 Follow up on account activity and transactions that do not fit
the foreign financial institution customer’s strategic profile (i.e.,
transactions involving customers, industries or products that are
not generally part of that foreign financial institution’s customer
base or market).
13
Bulk Shipments of Currency
 Incorporates 2014 CMIR Guidance on Common Carriers FIN2014-G002 and Guidance on Armored Cars FIN-2013-R001
 Common Carrier Definition Includes Armored Car
 Contractual Arrangements with Armored Cars should
include BSA/AML Considerations
 Details Roles of Key Parties: Common Carrier, Shipper,
Consignee, Currency Originator, Currency Recipient
 Emphasizes Need to File CTRs on Direct and Indirect Cash
Shipments
14
Bulk Shipments of Currency

Additional Risk Factors and Red Flags:
 Adds Remote Deposit Capture as means to repatriate smuggled cash
 Banks should have a clear understanding of the appropriate volumes of
currency shipments that are commensurate with the currency
originator’s or shipper’s profile (size, location, strategic focus, customer
base, geographic footprint) and the economic activity that generates the
cash.
 Structuring of currency deposits into an account in one geographic area,
with the funds subsequently withdrawn in a different geographic region
with little time elapsing between deposit and withdrawal.

Additional Risk Mitigant: Ensure that shipments involving the foreign
correspondent relationships are covered by the bank’s due diligence program
for correspondent accounts for foreign financial institutions.
15
Automated Clearing House Transactions
• Updated for NACHA requirements for IATs:
• Effective March 14, 2014, a Gateway must identify within an inbound
IAT entry:
• The ultimate foreign beneficiary of the funds transfer when the
proceeds from a debit inbound IAT entry are “for further credit to” an
ultimate foreign beneficiary that is other than the Originator of the
debit IAT entry, or
• The foreign party funding a credit inbound IAT entry when that party is
not the Originator of the credit IAT entry.
• Expanded discussion of role of Third Party Service Providers, Third Party
Senders and Sending Points
16
Automated Clearing House Transactions
• A third-party service provider (TPSP) is an entity other than an Originator,
ODFI, or RDFI that performs any functions on behalf of the Originator, the
ODFI, or the RDFI with respect to the processing of ACH entries Effective.
• A third-party sender is a type of service provider that acts on behalf of an
Originator (i.e., an intermediary between the Originator and the ODFI).
• A sending point is defined as an entity that transmits entries to an ACH
Operator on behalf of an ODFI.
17
Prepaid Access
 Formerly Known as Electronic Cash - Entirely New Overview Section
Acknowledges New Technologies in Addition to Prepaid Cards
 More Detailed Discussion of Prepaid Access Participants: Program
Manager, Network, Distributor, Provider, Payment Processor, Issuing
Bank, Seller/Retailer
 Criteria for MSB Status for Program Managers and Providers
 Expectation that Contractual Agreements include BSA
Considerations
 Reference to Network Branded Prepaid Card Association for
Additional Guidance
18
Prepaid Access
 Additional Risk Factors – Particular Emphasis on Transparency and 3rd
Party Relationships:
 Verification of cardholder identity may be done entirely remotely,
relying on third-party program managers, processors or distributors.
 Data in underlying pooled accounts may be held or managed by third
parties, separate from the issuing bank.
 Marketing of payment products, customer service, and onboarding of
new customers (both consumer and business customers) may be
handled primarily by third parties separate from the issuing bank.
 Source of payroll funding may come through an intermediary bank and
may not be transparent.
19
Prepaid Access
 Risk Mitigation Focuses on Four Areas:
 Conducting appropriate due diligence on any third-party service
provider.
 Conducting a risk assessment of the prepaid access product
itself including product features and how it is distributed and
loaded.
 Monitoring transactions conducted or attempted by, at or
through the bank for unusual or suspicious activity.
 Product features and limits on usage.
20
Prepaid Access
 New Examination Procedures:
 Review the due diligence undertaken by the bank regarding thirdparty service providers such as program managers, processors,
marketers, merchants and distributors.
 Determine whether the bank’s prepaid access program is
governed by an agreement or a contract describing each party’s
responsibilities and other relationship details, such as the
products and services provided. At a minimum, the contract
should consider each party’s: BSA/AML and OFAC compliance
requirements; customer base; due diligence procedures; and
network obligations.
 Review the prepaid access product configuration(s), including
features, how it is distributed, source of funds, and what
BSA/AML risk mitigants apply.
21
Third Party Payment Processors

Overview updated to include FDIC, OCC and FinCEN Guidance on Payment Processors since
2010
 FDIC Clarifying Supervisory Approach to Institutions
Establishing Account Relationships with Third-Party
Payment Processors, FDIC FIL-41-2014, July 28, 2014;
 Payment Processor Relationships Revised Guidance, FDIC
FIL-3-2012, January 31, 2012

Risk Management Guidance: Third Party Relationships, OCC Bulletin 2013-29, October 30,
2013
 Risk Associated with Third-Party Payment Processors,
FinCEN Advisory FIN-2012-A010, October 22, 2012
22
Third Party Payment Processors
 New Risk Mitigants:
 Reviewing appropriate databases to ensure that the processor and its
principal owners and operators have not been subject to law enforcement
actions.
 Conduct periodic audits of payment processor customers, review
merchant client lists and confirm contractual obligations to verify
legitimacy of clients
 Contractual agreements should provide for timely response to inquiries
 NACHA and NMLS are recommended sources for initial due diligence on
processor
23
Third Party Payment Processors
 Transaction Monitoring
 Should not be limited to review of unauthorized returns – should include
other reasons such as insufficient funds
 Monitoring should include attempts to evade NACHA limitations on
returned entries – resubmitting returned transaction with slight changes
to amount or other information
 Be sure to include the term “Payment Processor” in SAR narratives and
Subject Occupation fields
24
Embassy, Foreign Consulate, and Foreign
Mission Accounts
• Added Discussion of Foreign Missions
• Updated to include Interagency Guidance on Accepting
Accounts from Foreign Embassies, Consulates and Missions
(March 24, 2011)
– Risk may be mitigated through contractual agreements on
use of account and/or limited purpose accounts such as
payroll
– Monitoring should ensure that actual activity is consistent
with limitations on account
25
Non-Bank Financial Institutions
•
Updated Categories of NBFIs:
– Non-bank loan or finance companies per FinCEN Guidance FIN-2012-R005
– Operators of Credit Card Systems
•
MSB Definitions Updated to Include Prepaid Access Definitions and Exclusions;
Foreign Located Persons Engaging in MSB Activity within US
•
New Section Under MSBs for Administrators & Exchangers of Virtual Currency
– Defined as Money Transmitters
•
No Changes to Regulatory Expectations:
– Banks are not De Facto Regulators of MSBs
– Banks are not held responsible for MSBs BSA Program
– Banks are not expected to perform routine ongoing due diligence for “Low
Risk” MSBs
26
What Wasn’t Updated?
 Risk Assessment
 Culture of Compliance Guidance
 Customer Risk Rating Methodology
 OCC Model Risk Management Guidance
 Marijuana Businesses
 Many Operation Choke Point Target Industries
27
Questions?
Contact Information:
Rory Flynn, CCBCO, CBAP, AAP
515.729.3782
[email protected]
28