SIMPLIFIED GUIDE TO AN EFFECTIVE AML AUDIT UNDER THE BSA
GUYCHRISTIAN AGBOR
This simplified guide begins by summarizing the basic principles of money laundering and terrorist financing in the Fundamental section, with short parts addressing specific requirements of the Bank Secrecy Act (BSA), the USA PATRIOT Act and the Office of Foreign Assets Control (OFAC). This is followed by practical considerations for achieving an effective AML/CFT compliance program, such as Risk Assessment, Know Your Customer, and Transaction Monitoring and Investigations.
Measuring the current scale of money laundering is extremely difficult. The World Bank (WB) and the International Monetary Fund (IMF) have estimated the volume of money laundering to be between 3 and 5 percent of global gross domestic product (GDP), equivalent to approximately $2.2 trillion to $3.7 trillion annually.
One has to keep in mind that selecting the right AML tools and assessment can be difficult unless more specific factual scenarios are available to learn from and apply. This has led to subjective, challengeable assessments of what exactly is an effective AML program, depending on who is reviewing the material and what exactly is being looked at. The assessment is frequently executed as a subjective standard based on an examiner’s or auditor’s “opinion” of what is “adequate” and “effective.” However, money laundering and AML programs are governed by federal law, and the law must be an objective standard. That objective standard is ultimately measured by those in the federal court system.
A- “Ineffective” According to the Department of Justice
As an institution required to have an “effective AML program,” one must take a two-pronged approach to “effectiveness”: (1) self-test your institution internally and (2) test your institution using an independent auditor. The BSA/AML officer, the BSA/AML investigators and senior/executive level management should support the BSA/AML component or risk their line of business being “de-risked.” BSA/AML investigators should have all readily available information and systems at their disposal and should have sufficient education, experience and intellect to perform proper analysis and document that analysis. The BSA/AML program should be flexible and proactive. As new or unique risk situations develop, the BSA/AML program should analyze, adapt and modify detection processes as appropriate. The transaction monitoring process should cover all banking transactions. It is also recommended that the BSA/AML officer be of senior or executive status and maintain direct lines of communication with the board of directors and other senior/executive level management.
Higher risk customers pose unique challenges and must be monitored with unique tools and unique skillsets. Red flag detection processes utilize an unlimited array of incoming information, from computer systems, to commercial negative news databases, to manual monitoring, to human intelligence. All of these processes should function in a way that effectively flows the information and produces useable results. Qualitative and quantitative testing coupled together produces the most reliable results. This also allows for testing of potential future red flag detection methods for effectiveness before actual implementation. Reviewing trends, both of customers and the industry, in light of the BSA/AML program’s current resources will indicate whether the BSA/AML program has sufficient staffing and resources to be effective.
Acting proactively in preventing money laundering and financial crime will not prevent all criminal acts. However, it can increase the odds of detection and assist in protecting the U.S. financial system and the general public of the U.S. as mandated by federal law. Gap assessment and remediation are mission critical. Unanticipated scenarios are certain to arise; how your BSA/AML program deals with new information and uncharted territory will determine whether your BSA/AML program remains dynamically effective or becomes formerly effective. BSA/AML program essentials include customer identification (beneficial ownership), source of funds analysis, expected transactions of the account, transaction monitoring, out-of-pattern transaction identification, due diligence on out-of-pattern transactions, and filing on unusual or suspicious transactions. Failure on any of these matters risks civil and criminal liability, both for the bank and for the individuals involved.
Risk assessments of the overall BSA/AML function and of the major components of the function will act as a guide to determine if one’s program is effective. Review and comment on the audit plan is an effective way to ensure that one has obtained adequate independent audit coverage.
B- Legal Basis
United States Code Title 31, Chapter 53, Commonly Referred to as the “Bank Secrecy Act”
The Bank Secrecy Act and its implementing regulations are the legal basis. Enacted by Congress to address an increase in criminal money laundering activities utilizing financial institutions, the Act requires domestic banks, insured banks and other financial institutions to maintain programs designed to detect and report suspicious activity that might be indicative of money laundering and other financial crimes, and to maintain certain records and file reports related thereto that are especially useful in criminal, tax, or regulatory proceedings.[1]
31 U.S.C. § 5318: Delegation of Authority to Treasury Department
The “Bank Secrecy Act” provides the Treasury Department with the ability to implement many of the anti-money laundering standards. 31 U.S.C. § 5318(h), titled “Compliance, Exemptions, and Summons Authority,” subtitled “Anti-Money Laundering Programs,” and sub-subtitled “Regulations,” states: “The Secretary of the Treasury . . . may prescribe minimum standards for [AML] programs.”
31 U.S.C. § 5321: Civil Penalties
The “Bank Secrecy Act” provides for civil penalties. 31 U.S.C. § 5321, titled “Civil Penalties,” Subsection (a)(1) states: “A domestic financial institution . . . partner, director, officer, or employee . . . willfully violating [the AML program legal and regulatory provisions] is liable to the United States Government for a civil penalty.”[2] Subsection (a)(5)(C), titled “Willful Violations,” states: “In the case of any person willfully violating, or willfully causing any violation of any provision of section 5314 [the maximum penalty shall be . . .]”[3]
Subsection (a)(6), titled “Negligence,” states: “Treasury may impose a civil money penalty on any financial institution . . . which negligently violates any provision.”[4] In addition, a “financial institution . . . [may] engage in a pattern of negligent violations.”[5]
31 U.S.C. § 5322: Criminal Penalties
The Bank Secrecy Act provides for criminal penalties as well. 31 U.S.C. § 5322, titled “Criminal Penalties,” provides that a person who commits a willful violation can be sentenced to up to five years of prison.[6] Violating the Bank Secrecy Act while committing another federal crime can result in up to 10 years of prison.[7] In addition, the criminal fine can be up to two times the amount of the transaction, up to $1 million.[8]
Considerations for a Civil Action:
The federal civil lawsuits to support this paper were extremely limited. From the two covered, one included a parallel criminal proceeding, leaving only a single dedicated civil action for analysis. The differences between the civil and criminal system can be very important. For instance, the civil system has a “two-way discovery” or discovery processes that allow opponents to request documentation from each other and take the testimony of witnesses and opposing parties before the trial actually occurs. In addition, the usual remedies involve money or forcing or preventing a future action. While a criminal charge generally has a one-way discovery where the criminal defendant gets information from the government, the primary remedy of a criminal charge is punishment, either by prison time or by fine. A significant second punishment of a criminal charge is the stigma associated with the allegation or conviction. A logical deduction from the heavily favored criminal process over the civil process is likely the reduced cost to the U.S. (civil discovery can be very expensive and time consuming) and the threat of criminal conviction.
1) Validation of the BSA/AML Officer, the Officer Is Individually Liable under United States v. Haider, 2014.
In 2014, the U.S. filed a civil suit against Haider in connection with his duties as chief compliance officer of MoneyGram[9]. The U.S. alleged the following failures:
Failure to implement a policy to discipline agents and outlets known or suspected to be involved in fraud and/or money laundering[10].
Failure to terminate agents and outlets understood to be involved in fraud and/or money laundering[11].
Failure to file SARs because Haider did not provide fraud department information to the AML program[12].
Failure to conduct effective audits of agents/outlets, including ones suspected to be involved in fraud and/or money laundering[13].
Failure to conduct adequate due diligence on agents/outlets by (1) granting outlets to agents previously terminated by other money transmission companies and (2) granting additional outlets to agents suspected to be involved in fraud and/or money laundering[14].
These AML failures resulted in known or suspected fraud and/or money laundering outlets continuing to use MoneyGram’s money transfer system to facilitate their as well as fraudulent schemes[15]. Haider’s AML failures were willful within the meaning of the civil enforcement provisions of the “Bank Secrecy Act.”[16]
United States v. CommerceWest Bank, 2015 (civil).
In 2015, the U.S. filed a civil complaint against CommerceWest Bank alleging that the bank, knowingly or with deliberate ignorance, allowed the theft of tens of millions of dollars from customers’ bank accounts.[17] The U.S. alleged the following failures: For over a year, the bank ignored red flags of return rates over 50 percent, thousands of consumer complaints, and multiple complaints from other banks whose customers had been victims of the fraud scheme. Ultimately, the bank permitted hundreds of thousands of unauthorized charges from consumer bank accounts.[18] The civil suit then goes on to detail BSA/AML program requirements:
An effective BSA/AML program requires knowing the identity of its customer and understanding the customer’s business.[19] This Customer Identification Program was designed to prevent access to the banking system by entities engaged in illegal activity.[20]
2) The Necessity To Use Quantitative Testing, Such as Published Industry Standards
The civil suit also gives great weight to banking regulators’ published guidance on risks associated with payment processor customers. Years before this suit, “bank regulators urged banks to take particular precautions when dealing with payment processor customers. These steps have included:
Monitoring all transaction returns (unauthorized returns total returns);
Reviewing the third-party payment processor’s promotional materials to determine its target clientele;
Determining whether the third-party payment processor re-sells its services to other entities;
Reviewing the third-party payment processor’s policies and procedures to determine the adequacy of merchant due diligence;
Reviewing main lines of business and return volumes for the third-party payment processor’s merchants; and
Requiring . . . the third-party payment processor provide the bank with information about its merchants to enable the bank to assure that the merchants are operating lawful businesses.”[21]
A “bank accepting large volumes of demand drafts for deposit must analyze rates of return transactions for the demand drafts it submits into the national banking system.”[22]
3) Use Qualitative Testing, Such as the BSA/AML Program’s Use of All Readily Available Resources
After conducting due diligence of the third-party payment processor, the customer was categorized as high risk.[23] The due diligence revealed that the third-party payment processor specialized in demand drafts for merchants that had been prohibited from accepting other forms of payments,[24] including obtaining information of a special “Terminated Merchant File” for merchants that had been banned from processing credit card payments.[25] However, the bank did not conduct separate due diligence on this special “Terminated Merchant File” product.[26] In contrast to performing additional due diligence and mitigating or eliminating risks, the bank’s account officer for the third-party payment processor reported to the bank’s CEO “that ‘[w]e have hit gold with this relationship, it will expanding. The [payment processor] founder . . . would like to meet you and take you flying in his Russian fighter jet.’”[27]
Additional red flags appeared early in the banking relationship as many merchants stopped processing payments through the third-party payment processor.[28] Of particular importance are the reasons for stopping the business and the bank’s actual knowledge of the reasons. The reasons included claims of fraudulent charges by the third-party payment processor.[29] The bank due diligence file contained copies of the complaints, including for fraudulent charges.[30] Very shortly after the relationship creation and expansion (about six months), nearly all transactions were on behalf of three merchants.[31] Each of these three merchants was engaged in a multimillion dollar consumer fraud scheme.[32]
4) Third Party Payment Processor Due Diligence
The permanent injunction places due diligence requirements on the bank and provides a roadmap for how to conduct due diligence on any third-party payment processor.[33] These items include:
Certify, before the start of banking activity[34] and then every six months,[35] licensure status as a money transmitter in each state of business and registration with FinCEN, or provide documentation to the bank stating that no registration is required.[36]
The bank should conduct due diligence on the third-party payment processor’s merchants and not delegate that responsibility to the third-party payment processor.[37]
The bank should monitor the merchants as if they were direct customers of the bank itself.[38]
Conduct reasonable, good faith due diligence, to the best of the bank’s ability and knowledge, regarding a merchant’s business practices for fraudulent, unfair, deceptive, or abusive business practices against consumers, both in the federal sphere and in each state where the business or consumers are located.[39]
Conduct reasonable, good faith due diligence, to the best of the bank’s ability and knowledge, of the merchant’s licensing requirements, registration requirements, and legal standards in both the federal sphere and in each state where the business or consumers are located.[40]
All of the due diligence should be documented and maintained for inspection.[41]
Criminal Aspects Considerations
Each of the criminal cases researched for this article resulted in a Deferred Prosecution Agreement. A Deferred Prosecution Agreement typically gives a criminal defendant an opportunity to comply with certain conditions that will result in the dismissal of the criminal charges if respected. In each of the cases reviewed, the U.S. DOJ obtained an agreement to increase the quality of the BSA/AML program’s effectiveness in very specific and measurable ways. This research will review some of the failures and how the U.S. may determine if a BSA/AML program is “effective” going forward.
5) For Higher Risk Customers or Products, Validate Staffing Analysis in United States v. CommerceWest (2015) (criminal).
Parallel with the CommerceWest civil suit, the U.S. pursued a criminal case by filing a criminal information against CommerceWest Bank.[42] The criminal case states the bank willfully failed to report suspicious transactions.[43] The criminal case uses a regulatory guidance letter as a basis to form the bank’s knowledge of red flags of merchant fraud.[44] The criminal allegations also state the bank’s need to hire temporary workers to process the large volume of returned transactions coupled with repeated warnings, letters and phone calls warning of fraud.[45] Even after the bank “attempted, but was unable, to obtain evidence that the processor processed legitimate transactions,” no SAR was filed.[46]
6) Validation of the “Tone at the Top” Regarding BSA/AML
Avoid Red Flags: An international affiliate of Commerzbank declined to provide false documents to a bank customer, but then provided options on how to refuse to disclose information critical to an audit.[47] Later the bank had senior and executive level individuals discuss suspicions, fraud, asset stripping, market manipulation, tax offenses, lack of reasonable explanation, and bank executives turning a “blind eye” or intentionally remaining ignorant of concerning information.[48]
Detect Suspicious Wires. When two wires of $455 million and $67 million were processed by the bank, the bank’s AML system alerted and triggered due diligence requests to the bank’s international affiliate.[49] The international affiliate responded and did not convey any of the concerns about the structures and transactions.[50] Ultimately, the bank did not file a SAR until more than two years after the fraud was revealed.[51]
7) Validation of the “Request for Information” Escalation Process must be Proactive
BSA/AML Program Deficiencies. The bank’s BSA/AML program had difficulties obtaining responses to requests for information; many of these investigations were closed without obtaining information and based on limited publicly available information.[52] This led to the conclusion that the bank’s BSA/AML program was inadequate with regard to know your customer information from its own foreign branches and affiliates.[53] The exact language of the criminal offense charged is as follows:
-Willfully “failed to adequately conduct investigations of transactions that were deemed potentially suspicious or that ‘alerted’ in [the bank’s] automated AML software, instead of closing investigations of potentially suspicious transactions based on no or insufficient information received in response to requests for information;”[54]
-Willfully “failed to support suspicious activity including wire transfers through [the bank] that ultimately furthered the [securities fraud scheme of a bank customer];”[55]
-Willfully “failed to adequately monitor billions of dollars in correspondent banking transactions, including by failing to conduct any due diligence on [the bank’s] branches and inadequate due diligence on [the bank’s] affiliates.”[56]
9) Due Diligence of Correspondent Banking
Correspondent Banking. “Correspondent accounts are generally considered to be higher risk than other banking accounts, because the bank does not have a direct relationship with, and therefore has no [due] diligence information on the correspondent financial institution’s customers who initiated the wire transfers. To mitigate this risk…U.S. law requires financial institution to conduct due diligence on all non-U.S. entities…for which it maintains correspondent accounts. There is no exception for foreign financial institutions within the same parent company,…branches and affiliates of the same bank.”[57] This due diligence includes:
Transaction monitoring;[58]
Identity of ultimate sender of funds;[59]
Identity of ultimate recipient of funds;[60] and
Risk assessment of the foreign correspondent account, including market served, type, purpose and the activity of the account, the nature and duration of relationship, AML and supervision regime of the banking jurisdiction of the account holder, and information readily available about the account holder’s AML record. There is no exception for foreign branches or affiliates.[61]
BSA/AML Independence is required. The bank’s foreign business unit “did not permit the U.S. AML compliance program to act independent from [the bank’s business line], by, for example, insisting on the restoration of correspondent accounts that had been blocked for AML reasons by U.S. AML compliance personnel.”[62]
United States v. HSBC Bank USA, 2012.
In 2012, the U.S. filed criminal charges against HSBC Bank USA for Bank Secrecy Act violations.[63] The criminal acts alleged were:
Ineffective due diligence or “know your customer” information on bank affiliates;[64]
The bank “increased its AML staffing from 92 full time employees and 25 consultants…to approximately 880 full time employees and 267 consultants;”[65]
The bank “reorganized its AML department to strengthen its reporting lines and elevate its status within the institution…providing…the AML Director report directly to the Board and senior management about [the bank’s] Bank Secrecy Act (‘BSA’) and anti-money laundering (AML) program;”[66]
The bank “revamped its KYC program and now treats…[a]ffiliates as third parties that are subject to the same due diligence as all other customers”;[67]
The bank “implemented a new customer risk-rating methodology based on a multifaceted approach that weighs the following factors: 1) the country where the customer is located, 2) the products and services utilized by the customer, 3) the customer’s legal entity structure, and 4) the customer and business type;”
The bank “exited 109 correspondent relationships for risk reasons;”[68]
The bank “has a new automated monitoring system. The new system monitors every wire transaction that moves through [the bank]. The system also tracks the originator, sender and beneficiary of a wire transfer, allowing [the bank] to look at its customer’s customer;”[69]
The bank “made significant progress in remediating all customer KYC files in order to ensure they adhere to the new AML policies;”
The bank “exited the Banknotes business;”[70]
The bank “spent over $290 million on remedial measures”;[71]
The bank is implementing a “single global standard shaped by the highest or most effective anti-money laundering standards available in any location where [the bank] operates. This new policy will require that all [bank] Affiliates will, at a minimum, adhere to U.S. anti-money laundering standards;”[72]
The bank “elevated” the compliance position to “one of the…most senior employees at [the bank] globally;”[73]
The compliance position “has been given direct oversight over every compliance officer globally, so that both accountability and escalation now flow directly to and from…Compliance”;[74]
“Material or systemic AML control weaknesses at any affiliate…are reported with all other [line of business] heads facilitating horizontal information sharing;”[75]
The bank “restructured its senior executive bonus system so that the extent to which the senior executive meets compliance standards and values has a significant impact on the amount of the senior executive’s bonus, and failure to meet those compliance standards and values could result in voiding of the senior executive’s entire year-end bonus;”[76]
The bank “commenced a review of all customer KYC files across the entire [bank]. The first phase of this remediation will cost an estimated $700 million to complete over five years”;[77]
The bank “will defer a portion of the bonus compensation for its most senior officers…during the deferred prosecution agreement;”[78]
The bank “adopted a set of guidelines to be taken into account when considering whether [the bank] should do business in countries posing a particularly high corruption/rule of law risk as well as limiting business in those countries that pose a high financial crime risk;”[79]
The bank’s “new global sanctions policy…will be utilizing key Office of Foreign Assets Control (OFAC) and other sanctions lists to conduct screening in all jurisdictions, in all currencies.”[80]
10) Development of a BSA/AML Program
Compliance Monitor.[81] The Deferred Prosecution Agreement specifically requires an “independent compliance monitor.”[82] The program’s qualifications “shall have, at a minimum, the following qualifications:
Demonstrated expertise with respect to the BSA and other applicable U.S. and U.K. anti-money laundering laws;
Experience designing and/or reviewing corporate compliance policies, procedures and internal controls, including BSA and anti-money laundering policies, procedures and internal controls;
The ability to access and deploy resources as necessary to discharge the program’s duties as described in the Agreement;
Sufficient independence from [the bank] to ensure effective and impartial performance of the program’s duties.”[83]
The Department of Justice may reject any proposed monitor and may propose its own.[84]
As part of the corporate anti-money laundering program, the bank shall:
Cooperate fully with the program;
Facilitate the program’s access to the bank’s documents and resources;
Provide the program with access to all information, documents, records, facilities and/or employees, as reasonably requested by the program, that fall within the scope of the Mandate of the program;
Not form an attorney client privilege with the program;
Adopt within 90 calendar days after receiving the program’s report, the program’s recommendations, except for items the bank objects to in writing as unduly burdensome, inconsistent with law or regulation, impractical, costly, or otherwise inadvisable;
Report to the bank’s chief legal officer any questionable, improper, or illegal practices with respect to anti-money laundering discovered;
Meet at least annually with the Department of Justice for comments or anti-money laundering improvements the bank may wish to discuss or propose.[85]
In addition, the program:
Shall have the authority to take such reasonable steps as may be necessary to be fully informed about the bank’s compliance program;
Shall conduct an initial review, followed by at least four follow-up reviews;
Shall prepare a written work plan 60 days prior to each review;
Shall coordinate with bank personnel;
Shall, to the extent the monitor deems appropriate, rely on the results of studies, reviews, audits and analyses conducted by the bank;
Shall not be expected to conduct a comprehensive review of all business lines, activities, or markets;
Shall make an assessment of the AML program;
Shall make recommendations reasonably designed to improve the AML program effectiveness;
Shall consult with the bank on an ongoing basis concerning his/her findings and recommendations;
Shall consider the bank’s comments and input to the extent the Monitor deems appropriate;
May focus on those areas with respect to which the Monitor wishes to make recommendations for improvement or which the Monitor determines particular attention is needed; and
Shall provide the report to the Board of Directors and the Department of Justice.
11) Validation of the BSA/AML Staffing and Resources
Staffing. “In the face of known AML deficiencies and high risk lines of business, [the bank] further reduced the resources available to its AML program in order to cut costs and increase its profits.”[86] “[A] year after the written agreement had been lifted, [the bank] had fewer AML employees than required by its own internal plans. Moreover…senior business executives instructed the AML department to ‘freeze’ staffing levels as part of a bank-wide initiative to cut costs and increase the bank’s return on equity. This goal was accomplished by not replacing departing employees, combining the functions of multiple positions into one, and not creating new positions.”[87] “Even senior compliance officers were not replaced after they left [the bank].”[88] Bank senior level employees “confirmed . . . the desire to save costs was the primary justification for merging the two roles.”[89] The bank’s “Chief Operating Officer for Compliance conducted an internal review of the Bank’s AML program [and] found…the AML program…was ‘behind the times’ and needed to be fundamentally changed to meet regulators’ expectations and to achieve parity with other banks.”[90] “Specifically, the…AML review noted that AML monitoring…was significantly under-resourced. At the time, only four employees reviewed the 13,000 to 15,000 suspicious wire alerts generated per month. In contrast, following remedial measures undertaken by [the bank], [the bank] currently has approximately 430 employees reviewing suspicious wire alerts.”[91] “Despite the findings of the…AML Review, [the bank] failed to address the lack of AML resources.”[92]
12) Robust Account Procedures Post SAR Filing
Failure to Terminate Suspicious Accounts. “When suspicious activity was identified, [the Mexico affiliate] repeatedly failed to take action to close the accounts.”[93] “Senior business executives at [the bank’s Mexico affiliate] repeatedly overruled recommendations from its own AML committee to close accounts with documented suspicious activity.”[94] A “senior compliance officer told [the bank’s Mexico affiliate’s] Chief Compliance Officer that ‘the AML committee just can’t keep rubber-stamping unacceptable risks merely because someone on the business side writes a nice letter.’”[95] “Even when [the Mexico affiliate] determined a relationship should be terminated, it often took years for the account to actually be closed.”[96]
Red Flags. The bank’s Mexico affiliate met with the Central Bank of Mexico and was informed by the Central Bank that Mexico and U.S. law enforcement were seriously concerned that U.S. dollars being deposited at the Mexico affiliate might represent drug trafficking proceeds.[97] The Mexico affiliate “CEO was also told that Mexican law enforcement possessed a recording of a Mexican drug lord saying that [the bank’s Mexico affiliate] was the place to launder money.”[98] An internal investigation following this meeting revealed a very small number of customers accounted for a large percentage of the physical U.S. dollar deposits.[99]
13) Robust Horizontal Information Sharing or “Internal Referral” System
Ineffective Information Sharing. The bank “failed to have a formal mechanism for sharing information horizontally among . . . Affiliates.”[100] The bank’s Mexico affiliate’s AML problems were not discussed in detail at the meetings attended by the Bank’s U.S. CEO “and did not indicate . . . the problems [that] affected [the U.S. bank’s AML program] or involved the potential laundering of U.S. dollar drug trafficking proceeds.”[101] The bank’s global holding company “failed to adequately inform the [U.S. bank] about the problems at [the bank’s Mexico affiliate].”[102] “Senior [global holding company] executives, including the CEO, Head of Compliance, Head of Audit, and Head of Legal, were all aware . . . the problems at [the Mexico affiliate] involved U.S. dollars and U.S. dollar accounts, but did not contact their counterparts at [the U.S. bank] to explain the significance of the problems or the potential effect on [the U.S. bank’s] business.”[103] The U.S. bank’s AML program director did not learn of the Mexico affiliate problems until years later.[104]
“The investigation [of the money laundering at the Mexico affiliate] further revealed that drug traffickers were depositing hundreds of thousands of dollars in bulk U.S. currency each day into HSBC Mexico accounts. In order to efficiently move this volume of cash through the teller windows at HSBC Mexico branches, drug traffickers designed specially shaped boxes that fit the precise dimensions of the teller windows. The drug traffickers would send numerous boxes filled with cash through the teller windows for deposit into HSBC Mexico accounts.”[105]
“The investigation [of the money laundering at the Mexico affiliate] further revealed that, because of its lax AML controls, [the Mexico affiliate] was the preferred financial institution for drug cartels and money launderers. The drug trafficking proceeds (in physical U.S. dollars) deposited at [the Mexico affiliate] [passed] through [the] Banknotes [line of business]. In addition, many of the . . . wire transfers to exporters in the United States passed through [the Mexico affiliate’s] correspondent account with [the U.S. bank]. As discussed above, [for years the U.S. bank] did not monitor [the] Banknotes transactions or wire transfers from [the Mexico affiliate] and did not detect the drug trafficking proceeds as they flowed into the United States.”[106]
United States v. JP Morgan Chase, 2014.
In 2014, the U.S. filed criminal charges against JPMorgan Chase bank for failure to maintain an adequate anti-money laundering program and failing to file a SAR.[107] The bank failed to have effective information sharing for anti-money laundering personnel.[108] This predominately revolves around the Madoff Ponzi scheme and the relevant items are as follows:
The bank failed “to ensure that information about the Bank’s clients obtained outside the United States was shared with United States compliance and anti-money laundering personnel.”[109]
The bank “failed to file a Suspicious Activity Report in the United States with respect to transactions in bank accounts maintained by Madoff Securities.”[110]
The bank maintained the primary Madoff Ponzi scheme accounts from 1986 to 2008 without filing a SAR.[111] The bank had knowledge of several instances of serious red flags, well before the public reveal of the Ponzi scheme allegations, such as: An analyst from this Equity Exotics Desk wrote an email/memo on October 16, 2008 about: the “inability to validate Madoff’s trading activity or even custody of assets;” “questioned Madoff’s ‘odd choice’ of a small, unknown accounting firm;” the bank “‘seemed to be relying on Madoff’s integrity’ with little to verify that such reliance was well-placed;” “‘there are various elements in the story that could make us nervous,’ including the ‘feeder’ funds manager’s ‘apparent fear of Madoff.’”[112]
“[A]t various times between the late 1990s and 2008, employees of various divisions of [the bank] raised questions about Madoff . . . , including questions about the validity of Madoff’s . . . investment returns. At no time during the period did [the bank’s] personnel communicate their concerns about Madoff . . . to [anti-money laundering compliance] personnel in the United States responsible for [the bank’s] banking relationship with Madoff . . . . Nor did [the bank] file any [suspicious activity report] in the United States relating to Madoff . . . until after Madoff’s arrest.”[113]
The bank “served as Madoff’s primary banker for more than 20 years, and continued to do business with Madoff even as individuals within various segments of the Bank developed serious and well-articulated suspicions that Madoff was perpetrating a fraud.”[114]
The bank filed a SAR in the United Kingdom, but failed to do so in the United States.[115]
As a result of the suspicions, the bank withdrew more than $300 million of its own funds, from Madoff related funds.”[116]
In the 1990s, two different bank lines of business attempted to perform due diligence into Madoff’s investments for red flags and improbably highly consistent returns. Neither bank line of business was able to answer their questions; however, none of the bank’s AML personnel were informed.[117] From 1986 to 2008, the Madoff related accounts received deposits and transfers of approximately $150 billion, yet the funds were not used for the purchase and sale of stocks, corporate bonds, or options, as Madoff had promised his customers he would invest their money.[118] Nor were the funds deposited into the [deposit and related] account transferred to other broker-dealers for the purchase and sale of securities.[119] The account manager originally assigned to the Madoff account did not understand the nature of the account (tens of millions versus billions, small operations expense account versus primary broker-dealer account).[120] “The Madoff . . . banking relationship with [the bank] was handled by [the bank’s] Investment Bank’s Broker-Dealer Banking Group. [However,] “[f]ollowing a restructuring, …client financial statements, regulatory filings, credit reviews, and other documents that had been reviewed by the relationship manager were no longer regularly reviewed.”[121]
The bank’s “AML investigations team . . . did not have immediate access to computerized information providing the identity of the relationship manager in the event . . . the AML officer deemed it appropriate to contact the relationship manager.”[122]
The bank’s “efforts to electronically store KYC materials were behind schedule and . . . on some occasions AML investigations teams . . . were unable to access the computerized KYC material.”[123] “On two occasions . . . [the computerized AML] system generated ‘alerts’ . . . [for activity amounting to] 27 times the average daily [activity] over the prior 90 days of activity. . . . In both cases, the AML investigators, closed the alerts with a notation . . . the transactions did not appear to be unusual, . . . but in both cases, the investigators attempted to review the KYC file for Madoff . . . [received] error messages [when trying to review the KYC documents] that no file was available, and did not conduct further investigation.”[124] “Beginning in the mid-1990s, . . . [bank employees] identified a series of transactions . . . which consisted of ‘round trip’ [check] transactions . . . [and] because of the delay between when the transactions were credited and when they were cleared (referred to as the ‘float’), . . . these transactions [made] Madoff’s balances at [the bank] appear larger than they [were].”[125] About 1994, a bank employee drafted a memo in which the employee informed Madoff, the bank, and the third party in the transaction of the “float.”[126] Then about 1996, another bank investigated the round-trip “float” transactions.[127] As a result of its 1996 investigation, that other bank “concluded that there was no legitimate business purpose for these transactions, which appeared to be a ‘check kiting’ scheme, and terminated its banking relationship with Madoff.”[128] Further, the bank was notified of the other bank’s closure of the Madoff relationship.[129] Unknown to the bank, the other bank filed a suspicious activity report for transactions with no apparent business purpose.[130] Following this series of events, the bank did not file a suspicious activity report, nor exit the Madoff relationship.[131] After Madoff’s 2008 arrest, the bank’s AML personnel reviewed the round-trip “float” transactions and filed a SAR.[132]
Discussion
5+ Years of Significant Federal Legal Action
While the “Bank Secrecy Act,” or varying parts of it, has been in effect since 1970, the real teeth of the federal legal remedies came into effect with the USA PATRIOT Act of 2001. Even after 2001, the U.S. used the federal courthouse very few times to force U.S. financial institutions to comply. That is, until the law had been in effect for about 10 years. Now we see federal civil and criminal cases for “BSA violations” filed on a regular basis since 2010. With five years of significant BSA civil actions and criminal prosecutions, we do have concrete examples beyond the general guidance provided by the FFIEC BSA/AML Exam Manual and the various agency general guidance publications. Here are some of the lessons that should be learned…
Individual Responsibility & Competence
Business Line. Individual responsibility, competence, qualifications, background, education, and continuing education is the starting point for all anti-money laundering program effectiveness measures. The business line should be responsible for customer contact, knowing their customer’s line of business and expected banking activities, ensuring information is available to AML personnel, identifying specifically relevant information for AML personnel to review (internal referrals), and for terminating banking relationships with a significant risk of financial crime, fraud, or other money laundering risks.
Senior/Executive Management. The senior and executive level management should support an effective AML program, ensure the AML program functions independent of income or profit concerns, ensure the quantity and quality of information available is everything that is readily available, provide for escalation of AML program concerns (such as unanswered documentation requests, staffing needs, resource needs, education needs), and ensure the AML program has senior or executive level authority.
AML Investigators. The AML program investigators should have readily available know your customer information, process all transaction alerts timely, document the analysis of the alert and cite to the information obtained, escalate for further attention unanswered requests for documentation, and be of sufficient education, experience, and intellect to enable proper financial crime, fraud, and anti-money laundering and financial due diligence analysis.
AML Program. The AML program function should be responsible for reviewing readily available due diligence and seeking further information as the situation requires, perform additional due diligence on higher risk customers, markets, and products (often called enhanced due diligence), conduct ongoing periodic due diligence as risk dictates, conduct appropriate risk assessments, and perform adequate due diligence investigations for beneficial ownership, customer documentation, public source information, licensing documentation, red flag analysis, and verify information is correct.
Transaction Monitoring. The transaction monitoring function should cover all banking transactions, be appropriately risk based (more attention to higher risk areas, but not ignore those less than higher risk), be tuned to alert for unusual activity, not be tuned based on the amount of available staff or time resources, and should be supplemented by human intelligence (such as horizontal information sharing or “Internal Referral” processes).
BSA/AML Officer. The BSA/AML officer should hold a senior or executive position, maintain a direct line of reporting to the board of directors, senior/executive management, lines of business, and AML investigators, maintain independence to terminate customers, markets, and products that pose unacceptable risks of financial crime, fraud, and money laundering, and be acutely aware of his/her personal accountability for the entire AML program’s function.
Higher Risk Customers
Foreign correspondent banking has unique elevated risks. Products should not be offered that allow essentially anonymous transactions to occur. All transactions flowing through a financial institution should have identified parties and counterparties. Coupling a higher risk customer in a higher risk market with a higher risk product is either unacceptable requiring termination or of such significance that specialized, enhanced, and ongoing due diligence should occur. Money service businesses and Mexican Casa de Cambios with high transaction and dollar volumes are higher risk requiring ongoing, additional due diligence. Certain higher risk customers or products may require a certain level of know your customer’s customer.
Red Flag Detection Processes
The AML program function should utilize all readily available sources of red flag identification, such as automated transaction monitoring, manual monitoring, government guidance, law enforcement investigations, public news sources, industry concerns, internal referral of concerning information, actual versus expected account usage, ACH debit transaction return percentages, fraud detection methods, cash monitoring, bearer share due diligence and geographic risk analysis.
Measurable Validation, both Qualitative and Quantitative
Not all testing is created equal, so multiple testing methods are needed. An AML program should test itself versus known or published industry “what could be done” as a qualitative testing measure. Both methods should be internal testing and independent audit testing.
The BSA/AML officer, senior/executive management, and board of directors should review staffing and resource trends. If a particular customer, product, or transaction type increases, the AML program should be assessed for ability to effectively review that increase. If the business trend is down, then those AML program resources can be reviewed for re-assignment to the other significant customers, products, or transactions. Be acutely aware of AML staffing and resource declining trends and ensure they correspond to a trend of reduced risk. Increasing business volumes, numbers of customers, markets, and products, requires a corresponding AML program staffing and resources analysis and risk mitigation associated with the increased risk.
Act Proactively, Validate Retrospectively, but Not in a Vacuum
The AML program function is designed to prevent money laundering — a crime. Thus it is a proactive measure against crime. This means the program cannot be stable or unchanged. The AML program must remain dynamic and continuously educated of new money laundering methods and indicators. However, rarely can a proactive crime prevention program ever document the crimes it prevented. So the only thing left to do is to review past situations and see how the proactive AML program can best attempt to prevent that crime in the future. Remember, a crime free utopia only exists in fiction.
Issue Remediation
When issues are identified, be proactive. Make a list of the issues, brainstorm resolutions, pick a straightforward and effective solution, implement the solution, and maintain the solution going forward. Do not make the same mistake again. If possible, automate the proactive monitoring for that issue that arose. If automation is not possible, schedule the review and testing on a calendar.
BSA/AML Program Essentials
An effective AML program should have risk-based approaches to obtain true customer identification, customer’s source of funds, normal and expected transactions, customer transaction monitoring, identify out-of-pattern transactions, perform due diligence on those out-of-pattern transactions, and file unusual or suspicious transactions.
Regular Risk Assessments
The effective AML and OFAC function each have regular and ongoing risk assessments. This means an overall risk assessment for the financial institution, but also individualized risk assessments within the financial institution (such as transactions, customers, products, geography, etc.).
Validate the Audit Plan
Grading your own work is a good start and it is necessary to improve the quality of your work and to learn from your mistakes. So an effective audit plan involves some aspects of quality control or self-auditing. However, a financial institution needs an independent auditor to examine your work. This means having appropriately timed and scoped audits. Generally, each AML program function should be checked periodically by this independent auditor and more frequently by means of quality control or self-auditing. Each of these self and independent audits should cover the lessons learned from the federal civil and criminal actions regarding effective BSA/AML programs. In other words, the process should flow as follows: Red Flag → BSA/AML Analyst Performs Work → BSA/AML Quality Control Review Performed → Work Product Finalized → Work Product Self Audit Sample Selected and Reviewed → Issue Remediation → Independent Audit Sample Selected and Reviewed → Issue Remediation.
Conclusion
A financial institution should have the education, experience, knowledge, and resources to review the four separate sources of information (FFIEC BSA/AML Exam Manual, various federal agency guidance, Consent Orders, and the civil and criminal legal actions) and use that information to determine the effectiveness of the AML program as a whole and the effectiveness or ineffectiveness of each individual AML program process. After this, the financial institution should implement ongoing quality control or self-audit processes and ongoing independent audits, both of which
Published at Wed, 07 Aug 2019 00:47:25 +0000
