AML Compliance Requirements
Copyright © 2006 Deloitte Development LLC. All rights reserved.
Agenda
Overview
Current Environment
Prevalent Practices for an AML Compliance Program
Questions and Answers
Overview
• “In every war we have fought, bankers have been on the front lines. And you are on the front lines today. Make no mistake about that.”
• “It is clear that what was good enough in the past may not be good enough now. The stakes are much, much higher than ever before.”
• “Clearly, the times have changed--for banks and for regulators--and a ‘business-as-usual’ approach is not going to be sufficient to meet the challenges at hand.”
Daniel P. Stipano
Acting Chief Counsel
Office of the Comptroller of the Currency
Heightened Regulatory Scrutiny
• New rules for enforcement actions
• New interagency Bank Secrecy Act (“BSA”) examination manual
• Newly-articulated supervisory risk focus
• New government initiatives underway
Implications
• Enhanced scrutiny of AML compliance by bank regulators and prosecutors
– Examinations more intense and detailed
• General, targeted and horizontal exams
– Past exams not indicative of future exam rating
• Rating declines from 1 or 2 to 3 or 4
• The trend for FinCEN and bank regulators is monetary penalties as well as informal or formal actions
• Forward Look
• Look Back (Transaction Review, i.e., back-filing CTRs and/or SARs)
– If CTR/SAR systems and controls are deemed deficient, a financial institution can be required to go back in time and reconstruct transactions, typically with the “assistance” of a third party, for reporting purposes
– Can be burdensome and expensive
– Late-filing is useful in theory, but in reality, late-filing appears punitive
Impact
• Well over 100 formal public enforcement and informal actions in the last few years
• Regulatory fines have been assessed, in some public actions, ranging from several million to $50 million
• Pace of recent enforcement actions appears similar to 2004 and 2005
Reasons for Enforcement Actions
• Recent public/non-public enforcement actions are mainly the result of governance, process and testing failures
– Lack of management oversight and accountability
– Failure to meet reporting requirements
– Failure/Absence of key control activities
– Inadequate risk assessment
– Inadequate/Ineffective monitoring functions
– Failure to conduct due diligence on clients
– Inadequate communication of information
– Failure to respond to previous criticism
– Concealing information from examiners
Potential Consequences
– Unsatisfactory management or composite rating jeopardizes status of parent as a “FHC” and conduct of non-banking businesses
– Unsatisfactory rating/enforcement action derails bank acquisitions
• Expansion of current activity/M&A activity is dependent on:
– Being well managed (at least a satisfactory rating)
– Being well capitalized
– Having a satisfactory CRA rating
– Having an effective AML program (Section 327 of USA PATRIOT Act allows regulators to restrict a BHC/financial institution's ability to complete M&A/expand)
• If under an AML enforcement action, generally barred from M&A and/or expansion activities until it is lifted
– Coupled with use of bank by money launderers, compliance inadequacies may be basis for criminal charges against bank
– Involvement in money laundering can trigger the forfeiture of bank charter or FDIC insurance
Additional Thoughts
Do Not Rest on Your Laurels
– A past history of satisfactory BSA exams does not mean your program will be satisfactory today or going forward.
– Examinations are more rigorous; every program element is subject to heightened scrutiny. Consequently, weaknesses that may not have been identified in earlier exams may surface.
– Even if your institution is not subject to regular BSA exams, the expectation of prosecutors must also be taken into account.
• If transactions involving money laundering occur through your institution, prosecutors will take into account whether you have a robust AML/BSA program.
• Where are you in your peer group? Many institutions not yet subject to formal requirements, e.g., SAR filings, have implemented these program elements as a “best practice”.
Current Environment
Current Environment - Overall

| Regulatory Requirement | Bank | Broker-Dealer | Insurance Company | Investment Company | Investment Advisor |
|---|---|---|---|---|---|
| OFAC | Applicable | Applicable | Applicable | Applicable | Applicable |
| Cash Activity | Applicable (CTRs) | Applicable (CTRs) | Applicable (Form 8300) | Applicable (Form 8300) | Applicable (Form 8300) |
| AML Program (Section 352) | Applicable | Applicable | Applicable (effective May 2, 2006) | Applicable – Mutual Funds; Proposed – Unreg funds | Proposed |
| SARs | Applicable | Applicable | Applicable (effective May 2, 2006) | Proposed for Mutual Funds; TBD for Unreg funds | TBD |
Current Environment - Overall

| Regulatory Requirement | Bank | Broker-Dealer | Insurance Company | Investment Company | Investment Advisor |
|---|---|---|---|---|---|
| CIP (Section 326) | Applicable | Applicable | TBD | Applicable – Mutual Funds; TBD - Unreg Funds | TBD |
| Information sharing (Section 314(a)) | Applicable | Applicable | TBD | Applicable – Mutual Funds**; Proposed – Unreg Funds | TBD |
| Information sharing (Section 314(b)) | Applicable | Applicable | Applicable (effective May 2, 2006) | Applicable – Mutual Funds; Proposed – Unreg Funds | TBD |
Current Environment - Overall

| Regulatory Requirement | Bank | Broker-Dealer | Insurance Company | Investment Company | Investment Advisor |
|---|---|---|---|---|---|
| Special Measures (Section 311) | Applicable | Applicable | TBD | TBD | TBD |
| EDD for Correspondent/PB Accounts (Section 312) | Applicable: Prospectively for New Accounts – Applicable 4/4/06; Retrospectively for Accts Established Prior to 4/4/06 – 10/2/06 | Applicable: Prospectively for New Accounts – Applicable 4/4/06; Retrospectively for Accts Established Prior to 4/4/06 – 10/2/06 | Applicable: Prospectively for New Accounts – Applicable 4/4/06; Retrospectively for Accts Established Prior to 4/4/06 – 10/2/06 | Applicable - Mutual Funds: Prospectively for New Accounts – Applicable 4/4/06; Retrospectively for Accts Established Prior to 4/4/06 – 10/2/06; Not Currently Applicable - Unreg Funds | Not Currently Applicable |
| Shell Banks (Section 313/319) | Applicable | Applicable | Currently Not Applicable | Currently Not Applicable | Currently Not Applicable |
| AML Record (Section 327) | Applicable | Currently Not Applicable | Currently Not Applicable | Currently Not Applicable | Currently Not Applicable |
Current Environment – Trust Companies

| Regulatory Requirement | Trust Companies that are Federally Functionally Regulated | Trust Companies that are Not Federally Functionally Regulated |
|---|---|---|
| OFAC | Applicable | Applicable |
| Cash Activity | Applicable (CTRs) | Applicable (CTRs) |
| AML Program (Section 352) | Applicable | Not Currently Applicable |
| SARs | Applicable | Not Currently Applicable |
Current Environment – Trust Companies

| Regulatory Requirement | Trust Companies that are Federally Functionally Regulated | Trust Companies that are Not Federally Functionally Regulated |
|---|---|---|
| CIP (Section 326) | Applicable | Applicable |
| Information sharing (Section 314(a)) | Applicable | Not Currently Applicable |
| Information sharing (Section 314(b)) | Applicable | Not Currently Applicable |
Current Environment – Trust Companies

| Regulatory Requirement | Trust Companies that are Federally Functionally Regulated | Trust Companies that are Not Federally Functionally Regulated |
|---|---|---|
| Special Measures (Section 311) | Applicable | Not Currently Applicable |
| EDD for Correspondent/PB Accounts (Section 312) | Applicable: Prospectively for New Accounts – Applicable 4/4/06; Retrospectively for Accts Established Prior to 4/4/06 – 10/2/06 | Not Currently Applicable |
| Shell Banks (Section 313/319) | Applicable | Applicable |
| AML Record (Section 327) | Applicable | Not Currently Applicable |
Current Environment (cont’d)
• Changing Regulatory Approach
– AML risk management plays key role in corporate governance and independent monitoring functions
• Continued shift by regulators to risk based supervisory approach
• More reliance on bank’s own monitoring and senior management assertions
• “Top down” approach to assess compliance and compliance testing
Current AML Environment (cont’d)
• Regulatory scrutiny has led to:
– Defensive filing of Suspicious Activity Reports (“SARs”)
– Need to enhance AML programs
– Increased costs of compliance, including responding to regulatory actions
– Departures from the market
– Difficulties in managing global clients
Risk-Based Expectations for AML
• Industry should adopt sound risk management to:
– Better identify risk
– Better direct resources
– Better safeguard the organization
• Examiners will tailor examination scope to the risk profile of bank
Compliance Risk Management
Enterprise Risk Management Process (diagram)
• POLICY: Risk Definition; Risk Principles; Risk Appetite; Risk Governance Model; Authorities
• PLAN: Risk Strategy; Strategic Planning; Resource Planning; New Product Approvals
• Identify; Assess; Measure & Report; Mitigate
• EVALUATE: Monitor Risk; Management Reporting to Board; Annual Board Assessment
• Aggregation & Performance Objectives
• Information for Decision Making
• Relevant Reporting Entities: FHC; Bank (Retail, Wholesale); Nonbank Subs.
• Relevant Risk Categories: Credit; Interest Rate; Market; Liquidity; Operational; Compliance; Legal; Strategic; Reputation
• Compliance Function: Corporate Compliance; Regional Compliance; Business Unit Compliance; Relationship with Internal Audit
• Compliance Elements: Roles and Responsibilities; Organizational Structure; Policies and Procedures; Training; Testing; Management Reporting
• External Factors: Banking Laws and Regs; Examination Handbooks; Regulatory Bulletins; Enforcement Actions; Industry Practices
Prevalent Practices for an AML Compliance Program
Overview
(diagram)
• Reputation: The Most Valuable Intangible Asset
• Compliance: Acting According to Regulatory Requirements and Expectations
• Reporting: CTRs; SARs; 314(a); Board/Sr Mgt
• Training
• CIP/CDD/EDD and Risk Assessment
• OFAC
• USA PATRIOT Act Requirements
• BSA Requirements
• Spirit of the Law
• Foundation of the Organization
• Formal Policy Statements: Mission, Vision, Values
• Governance/Culture of Compliance
• Organizational Structure
• Independent Testing
• Processes and Procedures
Eight Key AML Requirements
1. Governance
– Board and senior management are responsible for ensuring effectiveness of the compliance program (“Culture of Compliance”)
• Need to be actively involved; set “tone at the top”
• Participate in setting AML risk tolerances
• Approve policy and assist in establishing appropriate controls
• Receive AML awareness training/education
• Receive and review reports (e.g., AML risk trends and how risk is managed) to increase transparency
• Establish AML Committee to provide guidance and leadership on significant AML compliance issues
• Increasingly held to a higher standard
“A culture of compliance should establish – from the top of the organization – the proper ethical tone that will govern the conduct of business. In many instances, senior management must move from thinking about compliance as a cost center to considering the benefits of compliance in protecting against legal and reputational risks that can have an impact on the bottom line.”
Governor Susan Schmidt Bies
Board of Governors of the Federal Reserve System
Mary Ann Gadziala
Associate Director, OCIE
• “Examiners expect to find certain core principles of risk management including, top level involvement, clear responsibilities at each level of management, independence of risk controls, strong well-developed systems and effective monitoring and reporting.”
Eight Key AML Requirements
2. Risk Assessment
– Risk identification, measurement and monitoring
– Assess at a business and customer level the degree of money laundering and/or terrorist financing risk.
– Stratify the customer base in an effort to identify and monitor those customers that pose a heightened money laundering risk.
Eight Key AML Requirements
3. Comprehensive Program
– Policies, procedures and internal controls
• Clearly delineate AML roles and responsibilities of management, staff as well as functions (e.g., internal audit, compliance, etc.)
• Define regulatory requirements (inventory of applicable laws/regulations)
• Communication/Roll-out/Employee sign-off
• Annual review and update
– Organizational Structure and Staffing
• Designation of an AML officer; senior person with requisite skills and direct access to Board of Directors
• Independent Structure/Reporting lines
• Designate an adequate staff
• Focus on business accountability
Eight Key AML Requirements
4. Comprehensive Program
– Training
• Establish general/customized (specialized) AML training
• Identify affected employees and establish mechanism to track participation
• Train all “affected employees” at a minimum
• “Train the Trainers”
– Testing
• Regulators looking for three-pronged approach:
1) Business unit self-assessment
2) Compliance testing
3) Internal audit
• Risk based monitoring, surveillance and testing
• Testing of automated systems
• Reporting and tracking of deficiencies
Eight Key AML Requirements
5. Know Your Customer (KYC)
– KYC
• Determine the nature and level of expected transaction activity, source of funds, purpose of account, etc.
• Understand customer and expected activity in order to identify and monitor for unusual activity
• Establish electronic KYC databases for business and personal customers and automate “call reports”
– Customer Identification Program (CIP)
• Develop and maintain for each business unit written procedures tailored to the AML risks presented by the products, services, customers, delivery channels, etc.
– Enhanced Due Diligence (EDD)
• Identify circumstances when it becomes necessary to perform EDD as well as the level of review to be undertaken by customer category and/or risk level
Eight Key AML Requirements
6. Reporting
– CTR
• Ability to identify, aggregate and report in a timely fashion cash activity on bank-wide basis
– SAR
• Ability to detect, escalate, monitor, report (as necessary) and document ultimate resolution of unusual activity
• Assess cash, wires, monetary instruments, at a minimum
– OFAC
• Adopt an internal “watch list”
• Screen customers, wires, charitable contributions, vendors and employees against SDN List at initiation/when list is updated
– Section 314(a) Requests
– General
• Periodic reporting to the Board
• Well defined escalation process
• Corrective action tracking
Eight Key AML Requirements
7. Human Resources
– Incorporate AML Compliance into Employee Performance Measurement
– Consider establishing a “Whistleblower” process
– Require Employees to sign-off that they have read, understood and will comply with the AML Policy
“We must all hang together, or assuredly we shall all hang separately.”
— Benjamin Franklin
Eight Key AML Requirements
8. Continuous Maintenance, Assessment and Refinement
“An enterprise-wide compliance-risk management program should be dynamic and proactive, meaning it constantly assesses evolving risks when new business lines or activities are added or when existing activities are altered. To avoid having a program that operates on “autopilot,” an organization must continuously reassess its risks and controls and communicate with its business lines. An integrated approach to compliance-risk management can be particularly effective for Bank Secrecy Act and anti-money-laundering (BSA/AML) compliance. … Controlling BSA/AML risk continues to be a primary concern for banking organizations.”
Governor Susan Schmidt Bies
Board of Governors of the Federal Reserve System
Contact Information
Peter Fitzgerald
Principal
Deloitte & Touche [email protected]
www.deloitte.com/aml
About Deloitte
Deloitte refers to one or more of Deloitte Touche Tohmatsu, a Swiss Verein, its member firms and their respective subsidiaries and affiliates. Deloitte Touche Tohmatsu is an organization of member firms around the world devoted to excellence in providing professional services and advice, focused on client service through a global strategy executed locally in nearly 150 countries. With access to the deep intellectual capital of 120,000 people worldwide, Deloitte delivers services in four professional areas, audit, tax, consulting and financial advisory services, and serves more than one-half of the world’s largest companies, as well as large national enterprises, public institutions, locally important clients, and successful, fast-growing global growth companies. Services are not provided by the Deloitte Touche Tohmatsu Verein and, for regulatory and other reasons, certain member firms do not provide services in all four professional areas.
As a Swiss Verein (association), neither Deloitte Touche Tohmatsu nor any of its member firms has any liability for each other’s acts or omissions. Each of the member firms is a separate and independent legal entity operating under the names “Deloitte”, “Deloitte & Touche”, “Deloitte Touche Tohmatsu” or other related names.
In the US, Deloitte & Touche USA LLP is the US member firm of Deloitte Touche Tohmatsu and services are provided by the subsidiaries of Deloitte & Touche USA LLP (Deloitte & Touche LLP, Deloitte Consulting LLP, Deloitte Financial Advisory Services LLP, Deloitte Tax LLP and their subsidiaries), and not by Deloitte & Touche USA LLP. The subsidiaries of the US member firm are among the nation's leading professional services firms, providing audit, tax, consulting and financial advisory services through nearly 30,000 people in more than 80 cities. Known as employers of choice for innovative human resources programs, they are dedicated to helping their clients and their people excel. For more information, please visit the US member firm’s web site at www.deloitte.com/us.
© 2006 Deloitte Development LLC. All rights reserved.
This presentation and related discussion hereon are intended to provide general information on the particular subject and is not an exhaustive treatment of the subject. Accordingly, the information in this document is not intended to constitute professional advice or services. Before making any decision or taking any action that might affect your personal or professional interests, you should consult a qualified professional advisor.