BSA & OFAC Compliance for Directors & Supervisory/Audit ...
TRANSCRIPT
Presenter
John Misgen, CPA
• Senior Compliance Consultant with CliftonLarsonAllen LLP (CLA) for more than six years
• Has provided regulatory compliance assistance, including
BSA/AML/OFAC testing, to financial institutions ranging from less
than $5 million in assets to more than $1 billion in assets.
• CliftonLarsonAllen is the nation’s largest auditor of credit unions with
more than $40 million in assets
• John is part of the regulatory compliance group within CLA. The
group focuses 100% of its time and resources performing
compliance testing and providing regulatory compliance assistance
to financial institutions
Recent Enforcement Actions
In the news:
• 2010: Wachovia Bank $110,000,000
• 2010: Pamrapo Savings Bank $5,000,000
• 2010: ABN AMRO Bank $500,000,000
• 2011: Zions First Nat’l Bank $8,000,000
• 2011: Ocean Bank $10,900,000
• 2011: Mendoza (individual) $25,000 and 6 months prison
• 2012: Citibank, N.A. Cease and desist
• 2012: ING Bank N.V. $619,000,000
Board of Directors’ Responsibilities
• Approve the BSA/AML compliance program
• Ensure the credit union maintains an effective BSA/AML
internal control structure
• Track audit deficiencies and document corrective action
• Designate a qualified individual to serve as the BSA
compliance officer.
• Develop policies, procedures, and processes, based on the credit union’s risk assessment, to ensure compliance with OFAC laws and regulations.
1) BSA/AML Compliance Program
Management should structure the financial
institution’s BSA/AML compliance program to
adequately address its risk profile
The BSA/AML compliance program must provide for at least four minimum requirements
The Board is required to approve the program –
MUST BE NOTED IN MINUTES
Program Requirements
• The BSA/AML compliance program must
provide for the following minimum
requirements:
– A system of internal controls to ensure
ongoing compliance
– Independent testing of BSA/AML compliance
– Designate an individual or individuals
responsible for managing BSA compliance
(BSA compliance officer)
– Training for appropriate personnel
2) Internal Controls
The Board, acting through senior
management, is ultimately responsible for
ensuring an effective BSA/AML internal
control structure, including suspicious
activity monitoring and reporting.
Internal Control Requirements
• Risk Identification
• Inform Board of compliance initiatives,
deficiencies/corrective action, SARs filed
• Identify person(s) responsible for BSA
compliance
• Provide for program continuity
• Meet recordkeeping & reporting
requirements
• Provide timely updates in response to changes in the Act
BSA/AML Risk Assessment
• BSA/AML Compliance Program must be designed
around a risk assessment
• Many effective methods and formats for conducting the
risk assessment
• Business accounts pose more risk; additional time and
resources are needed to perform these assessments
• SHOULD BE REPORTED TO THE BOARD
Internal Controls (cont.)
Internal controls consist of policies,
procedures, and processes designed to
limit and control risks and to achieve
compliance with the BSA.
The level of sophistication of the internal controls should be commensurate with the size, structure, risks, and complexity of the institution
Internal Controls (cont.)
Internal controls should:
– Inform the Board, or a committee, and
senior management of compliance
initiatives, compliance deficiencies and
corrective action taken
– Notify the Board of SARs filed
Recordkeeping
• Generally five years
– Purchase/sale of monetary instruments
– Funds transfers
– Foreign correspondent accounts (not
covered)
• Refer to Appendix P of the 2010 FFIEC
BSA/AML Examination Manual for detailed
record retention schedule
Monetary Instruments Recordkeeping
• Recordkeeping is only required if daily purchases aggregate to $3,000 or more
• Requirements for member purchases
• Non-members: additional information required
• Need a process in place to aggregate multiple purchases under $3,000 made at multiple branches, because recordkeeping applies once the daily aggregate is $3,000 or more
Funds Transfers Recordkeeping
• Originator responsibilities
• Beneficiary responsibilities
• Must be retrievable by name and account
number for five years
• Must have a process to monitor funds
transfers for suspicious activity
Reporting Requirements
Should all be in policy
• Suspicious Activity Reporting
• Currency Transaction Reporting
– Exemptions available for certain accounts
• Foreign Bank and Financial Accounts
Reporting (not covered)
• International transportation of currency or
monetary instruments reporting (not
covered)
SAR Reporting Requirements
• Criminal violations involving insider abuse in any amount
• Criminal violations aggregating $5,000 or more when a suspect can
be identified
• Criminal violations aggregating $25,000 or more regardless of a
potential suspect
• Transactions conducted or attempted by, at, or through the financial
institution (or an affiliate) and aggregating $5,000 or more, if the
financial institution or affiliate knows, suspects, or has reason to
suspect that the transaction:
– May involve potential money laundering or other illegal activity (e.g., terrorism financing)
– Is designed to evade the BSA or its implementing regulations
– Has no business or apparent lawful purpose or is not the type of transaction that
the particular member would normally be expected to engage in, and the
financial institution knows of no reasonable explanation for the transaction after
examining the available facts, including the background and possible purpose of
the transaction
Detecting Suspicious Activity
• Need an adequate monitoring system
– Determining whether manual or automated software is needed
– Understanding the filtering criteria of a surveillance
monitoring system is critical
• Should establish policies, procedures, and
processes for identifying and monitoring
subjects of law enforcement requests
Member Due Diligence
• Procedures to form a “reasonable expectation of
the types of transactions a member conducts.”
• Procedures to detect unusual/suspicious activity
• High-risk members and their transactions should
be reviewed more closely
• Business accounts create additional inherent
risk and need additional monitoring
• Should be documented (part of the program)
CTR Reporting Requirements
• Currency = coin and paper money of the
U.S. or any other country designated as
legal tender
• Cash Transactions > $10,000
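As an added illustration of the two aggregation rules in the recordkeeping and CTR slides above (this is example code, not the presenter’s material), the following Python sums each member’s transactions per business day across all branches and flags the monetary-instrument recordkeeping trigger at a $3,000 daily aggregate and the CTR trigger for cash transactions over $10,000. Member ids, branch names and the transaction list are constructed sample data; the tuple layout is an assumption.

```python
from collections import defaultdict

# Thresholds as stated in the presentation. How they are applied in code
# (per member, per business day, across branches) is this example's assumption.
MONETARY_INSTRUMENT_RECORD_THRESHOLD = 3_000   # daily aggregate of $3,000 or more
CTR_THRESHOLD = 10_000                          # cash transactions of more than $10,000

# Constructed sample transactions: (member_id, business_day, branch, kind, amount).
# kind is "instrument" (cash purchase of a monetary instrument) or "cash".
SAMPLE_TRANSACTIONS = [
    ("M100", "2012-06-04", "Main",  "instrument", 1_800),
    ("M100", "2012-06-04", "North", "instrument", 1_500),  # aggregate 3,300 -> record required
    ("M200", "2012-06-04", "Main",  "instrument", 2_900),  # single purchase below threshold
    ("M300", "2012-06-04", "Main",  "cash",       6_000),
    ("M300", "2012-06-04", "South", "cash",       4_500),  # aggregate 10,500 -> CTR required
    ("M400", "2012-06-04", "Main",  "cash",      10_000),  # exactly 10,000 -> no CTR
    ("M100", "2012-06-05", "Main",  "instrument", 1_200),  # new business day, below threshold
]


def daily_aggregates(transactions, kind):
    """Sum amounts per (member, business day) across every branch for one kind."""
    totals = defaultdict(int)
    for member, day, _branch, tx_kind, amount in transactions:
        if tx_kind == kind:
            totals[(member, day)] += amount
    return dict(totals)


def monetary_instrument_records_required(transactions):
    """(member, day) pairs whose aggregated instrument purchases reach $3,000 or more."""
    totals = daily_aggregates(transactions, "instrument")
    return sorted(k for k, v in totals.items() if v >= MONETARY_INSTRUMENT_RECORD_THRESHOLD)


def ctrs_required(transactions):
    """(member, day) pairs whose aggregated cash transactions exceed $10,000."""
    totals = daily_aggregates(transactions, "cash")
    return sorted(k for k, v in totals.items() if v > CTR_THRESHOLD)


if __name__ == "__main__":
    print("Monetary instrument records:", monetary_instrument_records_required(SAMPLE_TRANSACTIONS))
    print("CTRs:", ctrs_required(SAMPLE_TRANSACTIONS))
```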
CIP Requirements
• Each financial institution must implement a
written CIP
• The CIP must be incorporated into the
financial institution’s BSA/AML compliance
program
CIP: Use of Other Parties
Permitted to rely on another financial institution if this is addressed in the CIP and certain criteria are met.
Permitted to rely on third parties, but the credit union is ultimately responsible
3) Audit Deficiencies
• Auditor must be independent and qualified
• Findings should be reported directly to the
Board, or audit committee
• Board is responsible for tracking audit
deficiencies and documenting corrective action
– Can designate this responsibility to a committee
– Can perform jointly with audit staff, if applicable
4) BSA Compliance Officer
Board is responsible for designating a
qualified individual to serve as the BSA
compliance officer
– Do you know who this is in your credit union?
– Officer should have sufficient authority and
resources
– Board is ultimately responsible
– Communication between Board and officer
– Specific/detailed training
– Program continuity?
5) OFAC Laws & Regulations
• OFAC regulations are not part of the BSA but are frequently included in the BSA/AML exam manual.
• The Board and senior management have responsibility to develop policies, procedures, and processes, based on their risk assessment, to ensure compliance with OFAC laws and regulations.
OFAC
Should conduct an OFAC risk assessment
Should have policies and procedures covering:
• Designate an OFAC officer
• Independent testing
• Screening requirements
• How to determine and document whether OFAC hit is
valid or false-positive
• Procedures for reporting blocked funds to OFAC
• Training
BSA Board Reporting
Required:
• Independent testing findings
• SAR Filings
Optional but Recommended
• BSA/AML risk assessment
Confidentiality of SARs
• HIGHLY CONFIDENTIAL!
• DO NOT TELL MEMBER
• Only those in the credit union who need to
know should be informed of a SAR
Training Requirements
• The Board and senior management should be
informed of changes and new developments in
the BSA, its implementing regulations and
directives, and the federal banking agencies’
regulations.
• Examiners are looking to ensure the Board and
senior management are aware of BSA/AML
regulatory requirements; effectively oversee
BSA/AML compliance, and commit, as
necessary, to corrective actions (e.g., audit and
regulatory examinations).
Commonly Cited Violations
What we see:
• BSA/AML risk assessment not detailed
• MDD procedures not specifically documented
• Inadequate MDD on MSBs
• Inadequate MDD on share branching/3rd party
• SARs not completed correctly (narrative)
• CTRs not listing all those benefiting
• No specific OFAC risk assessment
• Weak or undocumented OFAC policy/procedures
• Training deficiencies
Penalties for Non-Compliance
Failure to comply with the BSA can have serious consequences for you and for your institution.
• BSA violations involve civil, criminal, and intangible penalties
• The federal banking agencies and FinCEN can bring civil
money penalty actions
In addition to the above, individuals may be removed from banking
Changes in Next 12 Months
Known:
• Exemption changes for payroll members – Immediate
• E-filing requirements – July 1, 2012
• BSA implications on non-bank mortgage lenders –
August 13, 2012
• New CTR, SAR, and DOEP forms – March 31, 2013
– Testing site: http://sdtmut.fincen.treas.gov/main.html
– FinCEN recorded webinars www.fincen.gov
Staying Current With Changes
The BSA Compliance Officer should stay current with changes.
• FinCEN provides a Weekly Digest Bulletin via email
– https://public.govdelivery.com/accounts/USFINCEN/subscriber/new?preferences=true
• NAFCU provides a daily compliance blog via email
– http://nafcucomplianceblog.typepad.com/nafcu_weblog/
Questions?
John Misgen, CPA
Senior Compliance Consultant
CliftonLarsonAllen LLP
507-434-7032