BSA & OFAC Compliance for Directors & Supervisory/Audit Committee October 10, 2012



Presenter

John Misgen, CPA

• Senior Compliance Consultant with CliftonLarsonAllen LLP (CLA) for more than six years
• Has provided regulatory compliance assistance, including BSA/AML/OFAC testing, to financial institutions ranging from less than $5 million in assets to more than $1 billion in assets.
• CliftonLarsonAllen is the nation’s largest auditor of credit unions with more than $40 million in assets
• John is part of the regulatory compliance group within CLA. The group focuses 100% of its time and resources performing compliance testing and providing regulatory compliance assistance to financial institutions

Recent Enforcement Actions

In the news:

• 2010: Wachovia Bank $110,000,000
• 2010: Pamrapo Savings Bank $5,000,000
• 2010: ABN AMRO Bank $500,000,000
• 2011: Zions First Nat’l Bank $8,000,000
• 2011: Ocean Bank $10,900,000
• 2011: Mendoza (individual) $25,000 and 6 months prison
• 2012: Citibank, N.A. Cease and desist
• 2012: ING Bank N.V. $619,000,000

Overview of the Regulations

Bank Secrecy Act

USA Patriot Act

Office of Foreign Assets Control

Board of Directors’ Responsibilities

• Approve the BSA/AML compliance program
• Ensure the credit union maintains an effective BSA/AML internal control structure
• Track audit deficiencies and document corrective action
• Designate a qualified individual to serve as the BSA compliance officer
• Develop policies, procedures, and processes, based on the credit union’s risk assessment, to ensure compliance with OFAC laws and regulations

1) BSA/AML Compliance Program

Management should structure the financial institution’s BSA/AML compliance program to adequately address its risk profile.

The BSA/AML compliance program must provide for at least four requirements at a minimum.

The Board is required to approve the program – MUST BE NOTED IN MINUTES.

Program Requirements

• The BSA/AML compliance program must provide for the following minimum requirements:
– A system of internal controls to ensure ongoing compliance
– Independent testing of BSA/AML compliance
– Designate an individual or individuals responsible for managing BSA compliance (BSA compliance officer)
– Training for appropriate personnel

2) Internal Controls

The Board, acting through senior management, is ultimately responsible for ensuring an effective BSA/AML internal control structure, including suspicious activity monitoring and reporting.

Internal Control Requirements

• Risk identification
• Inform the Board of compliance initiatives, deficiencies/corrective action, and SARs filed
• Identify the person(s) responsible for BSA compliance
• Provide for program continuity
• Meet recordkeeping and reporting requirements
• Provide timely updates on changes to the Act

BSA/AML Risk Assessment

• The BSA/AML compliance program must be designed around a risk assessment
• There are many effective methods and formats for conducting the risk assessment
• Business accounts pose more risk; additional time and resources are needed to perform these assessments
• SHOULD BE REPORTED TO THE BOARD

Internal Controls (cont)

Internal controls consist of policies, procedures, and processes designed to limit and control risks and to achieve compliance with the BSA.

The level of sophistication of the internal controls should be commensurate with the size, structure, risks, and complexity of the institution.

Internal Controls (cont)

Internal controls should:
– Inform the Board, or a committee, and senior management of compliance initiatives, compliance deficiencies, and corrective action taken
– Notify the Board of SARs filed

Recordkeeping

• Generally five years
– Purchase/sale of monetary instruments
– Funds transfers
– Foreign correspondent accounts (not covered)
• Refer to Appendix P of the 2010 FFIEC BSA/AML Examination Manual for the detailed record retention schedule

Monetary Instruments Recordkeeping

• Recordkeeping is only required if daily purchases aggregate to $3,000 or more
• Requirements apply to member purchases
• Non-member purchases require additional information to be recorded
• Need to have a process in place to aggregate multiple purchases of less than $3,000 each, made at multiple branches, when the daily aggregate is $3,000 or more

Funds Transfers Recordkeeping

• Originator responsibilities
• Beneficiary responsibilities
• Records must be retrievable by name and account number for five years
• Must have a process to monitor funds transfers for suspicious activity

Reporting Requirements

Should all be in policy:

• Suspicious Activity Reporting
• Currency Transaction Reporting
– Exemptions available for certain accounts
• Foreign Bank and Financial Accounts Reporting (not covered)
• International transportation of currency or monetary instruments reporting (not covered)

SAR Reporting Requirements

• Criminal violations involving insider abuse in any amount
• Criminal violations aggregating $5,000 or more when a suspect can be identified
• Criminal violations aggregating $25,000 or more regardless of a potential suspect
• Transactions conducted or attempted by, at, or through the financial institution (or an affiliate) and aggregating $5,000 or more, if the financial institution or affiliate knows, suspects, or has reason to suspect that the transaction:
– May involve potential money laundering or other illegal activity (e.g., terrorism financing)
– Is designed to evade the BSA or its implementing regulations
– Has no business or apparent lawful purpose or is not the type of transaction that the particular member would normally be expected to engage in, and the financial institution knows of no reasonable explanation for the transaction after examining the available facts, including the background and possible purpose of the transaction

Detecting Suspicious Activity

• Need an adequate monitoring system
– Determine whether manual review or automated software is needed
– Understanding the filtering criteria of a surveillance monitoring system is critical
• Should establish policies, procedures, and processes for identifying and monitoring subjects of law enforcement requests

Member Due Diligence

• Procedures to form a “reasonable expectation of the types of transactions a member conducts.”
• Procedures to detect unusual/suspicious activity
• High-risk members and their transactions should be reviewed more closely
• Business accounts create additional inherent risk and need additional monitoring
• Should be documented (part of the program)

CTR Reporting Requirements

• Currency = coin and paper money of the U.S. or any other country designated as legal tender
• Cash transactions > $10,000
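The two daily-aggregation rules above (monetary instrument recordkeeping when same-day purchases across branches reach $3,000 or more, and a CTR when same-day cash transactions exceed $10,000) are the kind of check an automated monitoring system applies. The following is an added example, not from the presentation or from CLA; the record layout, member IDs, branch names and amounts are constructed for illustration, and the thresholds are the ones stated on the slides.

```python
from collections import defaultdict
from datetime import date

# Constructed sample records: (member_id, transaction_date, branch, kind, amount_usd).
# kind is "instrument" (a monetary instrument purchased with cash) or "cash"
# (a cash deposit or withdrawal). Real systems keep cash-in and cash-out
# totals separately; this illustration treats all cash as one bucket.
SAMPLE_RECORDS = [
    ("M100", date(2012, 10, 10), "Main",  "instrument", 1500.00),
    ("M100", date(2012, 10, 10), "North", "instrument", 1600.00),  # 3,100 across branches -> record
    ("M200", date(2012, 10, 10), "Main",  "instrument", 2900.00),  # single purchase below 3,000
    ("M300", date(2012, 10, 10), "Main",  "cash",       6000.00),
    ("M300", date(2012, 10, 10), "East",  "cash",       4500.00),  # 10,500 in one day -> CTR
    ("M400", date(2012, 10, 10), "Main",  "cash",      10000.00),  # exactly 10,000 -> no CTR
    ("M100", date(2012, 10, 11), "Main",  "instrument", 1000.00),  # next day, aggregated separately
]

MONETARY_INSTRUMENT_THRESHOLD = 3000.00  # recordkeeping at $3,000 or more per day
CTR_THRESHOLD = 10000.00                 # CTR when daily cash exceeds $10,000


def aggregate_daily(records, kind):
    """Sum amounts of the given kind per (member, day) across all branches.

    Returns {(member, day): (total, [branches])}. Aggregating by member and
    calendar day, not by branch, is the whole point: several sub-threshold
    transactions at different branches still roll up to one daily total.
    """
    totals = defaultdict(float)
    branches = defaultdict(set)
    for member, day, branch, rec_kind, amount in records:
        if rec_kind != kind:
            continue
        totals[(member, day)] += amount
        branches[(member, day)].add(branch)
    return {key: (round(total, 2), sorted(branches[key])) for key, total in totals.items()}


def monetary_instrument_records_required(records):
    """(member, day, total, branches) for days where instrument purchases reach >= $3,000."""
    return sorted(
        (member, day, total, branches)
        for (member, day), (total, branches) in aggregate_daily(records, "instrument").items()
        if total >= MONETARY_INSTRUMENT_THRESHOLD
    )


def ctr_required(records):
    """(member, day, total, branches) for days where cash transactions exceed $10,000."""
    return sorted(
        (member, day, total, branches)
        for (member, day), (total, branches) in aggregate_daily(records, "cash").items()
        if total > CTR_THRESHOLD
    )


if __name__ == "__main__":
    for member, day, total, branches in monetary_instrument_records_required(SAMPLE_RECORDS):
        print(f"Monetary instrument record required: {member} on {day}: ${total:,.2f} at {branches}")
    for member, day, total, branches in ctr_required(SAMPLE_RECORDS):
        print(f"CTR required: {member} on {day}: ${total:,.2f} at {branches}")
```

Note the two comparisons differ deliberately: the slides state the recordkeeping trigger as "$3,000 or more" (inclusive) and the CTR trigger as "> $10,000" (exclusive), so member M400's single $10,000 cash transaction is not flagged while M100's two purchases of $1,500 and $1,600 at different branches are.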

CIP Requirements

• Each financial institution must implement a written CIP
• The CIP must be incorporated into the financial institution’s BSA/AML compliance program

CIP: Use of Other Parties

Permitted to rely on another financial institution if this is addressed in the CIP and certain criteria are met.

Permitted to rely on third parties, but the credit union is ultimately responsible.

3) Audit Deficiencies

• Auditor must be independent and qualified
• Findings should be reported directly to the Board or audit committee
• Board is responsible for tracking audit deficiencies and documenting corrective action
– Can designate this responsibility to a committee
– Can perform jointly with audit staff, if applicable

4) BSA Compliance Officer

The Board is responsible for designating a qualified individual to serve as the BSA compliance officer.
– Do you know who this is in your credit union?
– Officer should have sufficient authority and resources
– Board is ultimately responsible
– Communication between Board and officer
– Specific/detailed training
– Program continuity?

5) OFAC Laws & Regulations

• OFAC regulations are not part of the BSA but are frequently included in the BSA/AML exam manual.
• The Board and senior management have responsibility to develop policies, procedures, and processes, based on their risk assessment, to ensure compliance with OFAC laws and regulations.

OFAC

Should conduct an OFAC risk assessment.

Should have policy and procedures:

• Designate an OFAC officer
• Independent testing
• Screening requirements
• How to determine and document whether an OFAC hit is valid or a false positive
• Procedures for reporting blocked funds to OFAC
• Training

BSA Board Reporting

Required:
• Independent testing findings
• SAR filings

Optional but recommended:
• BSA/AML risk assessment

Confidentiality of SARs

• HIGHLY CONFIDENTIAL!
• DO NOT TELL MEMBER
• Only those in the credit union who need to know should be informed of a SAR

Training Requirements

• The Board and senior management should be informed of changes and new developments in the BSA, its implementing regulations and directives, and the federal banking agencies’ regulations.
• Examiners are looking to ensure the Board and senior management are aware of BSA/AML regulatory requirements, effectively oversee BSA/AML compliance, and commit, as necessary, to corrective actions (e.g., from audits and regulatory examinations).

Commonly Cited Violations

What we see:

• BSA/AML risk assessment not detailed
• MDD procedures not specifically documented
• Inadequate MDD on MSBs
• Inadequate MDD on share branching/3rd party
• SARs not completed correctly (narrative)
• CTRs not listing all those benefiting
• No specific OFAC risk assessment
• Weak or undocumented OFAC policy/procedures
• Training deficiencies

Penalties for Non-Compliance

Failure to comply with the BSA can have serious consequences for you and for your institution.

• BSA violations involve civil, criminal, and intangible penalties
• The federal banking agencies and FinCEN can bring civil money penalty actions

In addition to the above, individuals may be removed from banking.

Changes in Next 12 Months

Known:

• Exemption changes for payroll members – Immediate
• E-filing requirements – July 1, 2012
• BSA implications on non-bank mortgage lenders – August 13, 2012
• New CTR, SAR, and DOEP forms – March 31, 2013
– Testing site: http://sdtmut.fincen.treas.gov/main.html
– FinCEN recorded webinars: www.fincen.gov

Changes in Next 12 Months

Expected:

• Member Due Diligence Requirements

Staying Current With Changes

The BSA Compliance Officer should stay current with changes.

• FinCEN provides a Weekly Digest Bulletin via email
– https://public.govdelivery.com/accounts/USFINCEN/subscriber/new?preferences=true
• NAFCU provides a daily compliance blog via email
– http://nafcucomplianceblog.typepad.com/nafcu_weblog/

Questions?

John Misgen, CPA

Senior Compliance Consultant

CliftonLarsonAllen LLP

507-434-7032

[email protected]