A -MONEY LAUNDERING IN A I - macmember.org Laundering and the... · 1970 Bank Secrecy Act ... transactions have exhibited red flags for money laundering in the past, ... High risk

Presented byLaura H. Goldzung, CAMS, CCFE, CFCF, CCRP

AML Audit Services, LLC

ANTI-MONEY LAUNDERING INTHE ACQUIRING INDUSTRY

March 8, 2016

AGENDA

AML Regulatory Overview OFAC Regulatory Overview AML & OFAC Risks Customer Risk: Merchant Types Due Diligence & Enhanced Due Diligence Independent Review / Gap Analysis Key Takeaways

3© 2016 AML Audit Services, LLC

AML REGULATORY OVERVIEW

International AML-Related RegulationsUN Convention Against Illicit Traffic in Narcotics and Psych. Drugs 1988Financial Action Task Force 1989Wolfsberg GroupEgmont Group of Financial Intelligence Units

U.S. AML-Related RegulationsBank Secrecy Act (BSA)USA PATRIOT ActMoney Laundering Control ActOffice of Foreign Assets Control (OFAC)State Licensing Requirements


HISTORY OF U.S. MONEY LAUNDERING LEGISLATION 1970 Bank Secrecy Act 1986 Money Laundering Control Act 1990 Financial Crimes Enforcement Network (FinCEN) 1992 Annunzio-Wylie AML Act 1994 Money Laundering Suppression Act 1996 Mandatory Suspicious Activity Reports (banks) 1998 Money Laundering and Financial Crimes Strategy Act 2001 USA PATRIOT Act; Title III International Money

Laundering Abatement & Anti-Terrorist Financing Act of 2001

2004 Intelligence Reform & Terrorism Prevention Act of 2004

2006 Regulation K Enacted (for foreign banks with US branches)

© 2016 AML Audit Services, LLC

MONEY LAUNDERING CONTROL ACT OF 1986

Title 18, US Code, Section 1956(a)(1) Four Elements of the Crime:

Conduct, or Attempt to Conduct, a Financial TransactionWith the Proceeds of a “Specified Unlawful Activity”Knowing, Suspecting or being “Willfully Blind” to the Fact that Funds were from Unlawful ActivityWith an Objective to:

Promote a Specified Unlawful ActivityEvade US TaxesConceal or Disguise the Source Ownership / Nature of the FundsAvoid Federal or State Transaction Reporting Requirements

Penalties: Up to 20 Years Incarceration and/or Fine of the Larger of Twice Amount of Funds Involved or $500,000


POLLING QUESTION

What is your greatest OFAC challenge?1. Not taken seriously in the organization2. Understanding the requirements /insufficient

training3. Inconsistent processes4. Unreliable tools for screening5. Too many false-positives (potential matches)

to clear out


OFFICE OF FOREIGN ASSETS & CONTROLOFAC OVERVIEW

OFACFinancial intelligence and enforcement agency of the U.S. Department of the Treasury charged with planning and execution of economic and trade sanction in support of US national security and foreign policy objectives.

OFAC’s RoleAdministers and enforces economic and trade sanctions against foreign governments and government officials and persons and entities identified on the SDN List as terrorists, drug traffickers, etc.

SDN List“Specially Designated Nationals and Blocked Persons List”identifies more than 6,000 foreign nationals with whom transactionsare prohibited; more than 50 in U.S.

© 2016 AML Audit Services, LLC 8

OFAC: ECONOMIC SANCTIONSSanctions are a government’s legislative measures against designated persons, certain transactions, and countries to achieve policy objectives: Sanctions were incorporated as a tool of enforcement Economic sanctions are used by the U.S. government to

prevent targeted countries, entities, and individuals from, among other things, accessing the U.S. financial system for purposes that are contrary to U.S. foreign policy and national security objectives

Economic sanctions encompasses the deliberate, government-inspired withdrawal, or threat of withdrawal, of customary trade or financial relations


OFAC SANCTIONS PENALTIES & ENFORCEMENT:ENFORCEMENT RESPONSES

Criminal Referral

Civil Penalty

Finding of Violation

Cautionary Letter

No Action

Types of Responses


RECENT PENALTY ACTION: PAYPAL

March 2015 – Self-Disclosed Violations Settlement Agreement $7M

• Failing to implement an effective compliance program “to identify, interdict, and prevent transactions in apparent violation of the sanctions programs administered by OFAC

• 2009-2013 processed over 100 transactions ($7,000) to/from account registered to subject on SDN list

• Automated interdiction filter did not identify subject• When it did, the Operations Agents dismissed alerts

on 6 occasions without properly clearing


POLLING QUESTION

What is the most important AML risk factor to consider when assessing risk?

1. Customers2. Products / Services3. Geographies4. Operational


WHO PRESENTS THE GREATEST RISKS?

Who’s in your portfolio? Are you one step removed from money laundering? Merchant types that present risk Are they limited to real estate industry, gems traders and

jewelers, professional services, limos, charities & NFPs, FX Dealers, MSBs?

Other Industries Beneficial Owners Counterparties / Intermediaries


RISK CHARACTERISTICS

Customer CharacteristicsCustomers’ characteristics provide useful information to identify who poses higher risks to your institution

• Politically exposed persons• Customers who conduct non face-to-face transactions• Customers associated with organizations having complex legal structures

and/or their economic purpose is not understood• Customers associated with source of funds from high risk geographic centers

Geographic characteristicsCountries differ in the level of corruption seen as acceptable, in criminal activity, maturity of markets, and attractiveness for terrorists

• Customers may reside in these markets, transfer money to/from these markets and/or do business in these markets

• Business may be conducted through countries identified as corrupt or tax havens

• Countries that are non-compliant with international AML efforts and are more likely to pose a risk to the institution

Product, services and market characteristicsSize and types of transactions that we typically complete will help identify that is unusual or higher risk activity

• The different types of products, services and channels offered by your institution have differing likelihoods of being used to generate or launder illegal funds or to channel terrorist finances

• Products and services providing more anonymity to customers should be reviewed for higher risk

Relationship characteristicsYour institutions’ relationship with the customer is critical to controlling risks

• Factors such as length of time they have been a customer, or if their transactions have exhibited red flags for money laundering in the past, or if identification records are out of date, are important in evaluating risks

• Customer due diligence activities are important mitigating controls


POLLING QUESTION

Who is your highest risk customer type?1. Precious gems traders / jewelers2. Charitable organizations 3. Money Services Businesses4. Cash intensive businesses


PITFALLS IN ASSESSING RISK

Insufficient mitigating controls Inadequate coverage of risk factors Inadequate coverage of high risk customers Inability to assess and monitor on a program-

wide basis Systemic risk may not be apparent in risk

assessment approach


ANATOMY OF AN AML PROGRAM

INDEPENDENT TESTING AML TRAINING

COMPLIANCE OFFICERAML POLICIES, PROCEDURES & CONTROLS

RISK ASSESSMENT

Know Your Customer Transaction Monitoring Report & AuditCIP/CDD & Verification

Risk Rating & EDD

Behavioral Analytics

Watch Lists & EDD

360° View of Customer and Relationships

Transaction Analysis

Trend Analysis

Pattern Analysis

Investigative Support &Case Management

Threshold Optimization

Government Reporting

Management Reporting

Regulatory Guidance

Transaction Testing

Program Administration and Improvement


–

AML COMPLIANCE PROGRAM ELEMENTS

Four elements ( 4 Pillars) of a risk-based AML Program:

Written AML policies and procedures• Senior management’s approval• Tailored to risk presented by client base, nature of business, and

geographic locations• Customer Identification Requirements/Program

Designation of AML Compliance Officer• Qualifications and training• Authority to enforce AML Program

Ongoing Employee Training• Minimal level of training to all employees• Specific training for employees directly involved in high risk areas• Document training provided (e.g., tracking, agendas, sign-in list)

Independent Testing• Frequency• Qualified service provider


CUSTOMER DUE DILIGENCE (CDD)

BSA/AML policies, procedures, and processes should include CDD guidelines that: Are commensurate with the FI’s BSA/AML risk profile, paying

particular attention to higher-risk customers. Contain a clear statement of management’s overall expectations

and establish specific staff responsibilities, including who is responsible for reviewing or approving changes to a customer’s risk rating or profile, as applicable.

Ensure that the FI possesses sufficient customer information to implement an effective suspicious activity monitoring system.

Provide guidance for documenting analysis associated with the due diligence process, including guidance for resolving issues when insufficient or inaccurate information is obtained.

Ensure the FI maintains current customer information.



CUSTOMER DUE DILIGENCE (CDD)

Source: FFIEC Manual

POLLING QUESTION

What constitutes “periodic” for purposes of performing EDD reviews?

1. Monthly2. Quarterly3. Semi-annually4. Annually5. As risk dictates


CUSTOMER DUE DILIGENCE (CDD) VS. ENHANCED DUE DILIGENCE (EDD)

CDD:Verifies and validates the identifying information by corroborating information that would likely be known only by the person supplying the informationSets anticipated/expected activity levels based on information collectedAssigns initial risk rating to customer

EDD:Performed periodically for higher risk customer types and/or activities and/or geographies of where transactions take placeMay advance the risk rating based on actual activity or validate the risk scoreAugments automated transaction monitoring, i.e. flagged activity results in assessing customer



Monitors transactions for changes in patterns and behavior Interview customer Purpose of transaction(s) Source of funds / use of funds documentation Internet Searches, website, social media Verify recipient with counterparties Engaging a third party to uncover additional information Gaining

insights in the customer’s customers Other banking relationships the customer maintains Identification of nominal and beneficial owners of accounts (private

banking and/or international businesses) Other personal or business relationships the customer maintains Expected origination and destination of funds

ENHANCED DUE DILIGENCE (EDD)

MONITORING TRANSACTIONS All transactions should be subject to monitoring, but the

extent, nature and frequency should be risk-based Ensure new products and services are incorporated into the

monitoring process A one-size-fits-all approach is usually insufficient to identify

unusual or suspicious activity Different levels of monitoring are applicable:

• Transaction level: type, code, date, amount• Account level: account type such as checking, loan• Customer level: aggregate transactions, TIN profile, unique customer

number• Household level: similar to customer level but for household• Geographic level: driven by higher risk locations or unusual patterns in

particular locations


MANAGING & FINE TUNING ALERTSAlerts Management: Time frames for conducting reviews (e.g., within 30 days of alert

generation Prioritization and escalation of cases Documentation standards (supported reasoning of cleared alerts,

use of case management system, etc.) Appropriate case management narratives includes the “Five Ws”

Who conducted the activity? What instruments were used? Where did the activity occur? When did the activity occur? Why is the activity suspicious or not suspicious?

Quality assurance procedures (secondary review of (% of) alerts/ cases, escalations to bank are tracked in log)


POLLING QUESTION

What purpose does an independent review serve if we are not required to have one?

1. Gauges the effectiveness of the Program2. Gives bank partners sense of overall risk3. Provides independent view of effectiveness4. Helps us to manage risk


ESCALATION PROCEDURESEscalating red flags and concerns of unusual activity should be spelled out in procedures: Analysts escalate to supervisor or compliance officer

promptly and efficiently Compliance officer escalates significant and meaningful

findings to management and/or committee Bank escalations are promptly referred according to

agreed time frames and procedures Document all reviews, escalations, referrals


INDEPENDENT REVIEW / GAP ANALYSISKey areas: Policies, procedures and controls (PPC) Risk assessment / risk models and scoring Governance & Oversight Compliance Officer and Compliance/Risk department Training (basic & tailored) Previous Independent testing report results Customer Due Diligence / Enhanced Due Diligence Transaction monitoring systems, alerts management Suspicious activity monitoring processes High risk customers/transactions – definition, EDD, monitoring,

escalations to bank partners OFAC SDN/Sanctions screening, tools, alerts management, reporting

processes


KEY TAKEAWAYS1. Ensure policies, procedures and processes provide effective

controls to manage money laundering risk 2. Risk assessments: address any changes in customer

activities including locations where they transact; utilize information about your customers / suppliers / partners; address OFAC risk factors

3. Test your OFAC screening process for gaps; test screening match escalation; address tools provide timely feed; ensure policy for persistent screening

4. Consider periodic independent risk model validation to verify effectiveness of detection alerts, prevention and identification of suspicious activity

5. Address suspicious activity with bank partners quickly6. Consider independent review or gap analysis to ensure your

program is effective


CONTACT INFORMATION

Laura H. Goldzung, President & CEOAML Audit Services, LLCToll Free: 800-870-8076

Office: [email protected]

AMLAudits


Documents

A -MONEY LAUNDERING IN A I - macmember.org Laundering and the... · 1970 Bank Secrecy Act ... transactions have exhibited red flags for money laundering in the past, ... High risk