BSA Risk Assessments-What’s the Point, December 28, 2016



For those of you who have experienced a BSA examination or audit, you know one of the first things you are asked for is your BSA/OFAC risk assessment. It has also likely been your experience that a risk assessment deemed complete and not in need of some sort of enhancement is something of a “unicorn”. In most cases, examinations and audits include a comment discussing the need to expand the risk assessment and to include more detail. The detail required for a complete risk assessment is elusive at best. Often, the right information for the risk assessment fits the famous Supreme Court definition of pornography: “you know it when you see it”.

The FFIEC BSA manual is not exactly helpful when it comes to developing risk assessments. The manual directs that every financial institution should develop a BSA/AML and an OFAC risk assessment. Unfortunately, the form the risk assessment should take and the minimum information required are left as open questions for the financial institution. Thus, many financial institutions end up with a very basic document which has been developed to meet a regulatory requirement, but without much other meaning or use.

As financial institutions continue to change and the number of financial products and type of institutions offering banking services grows, the risk assessment can be something entirely different. Taking the approach that the risk assessment can be used to formulate both the annual budget request and the strategic plan can change the whole process.

The FFIEC BSA examination manual specifically mentions risk assessments in the following section:

“The same risk management principles that the bank uses in traditional operational areas should be applied to assessing and managing BSA/AML risk. A well-developed risk assessment assists in identifying the bank’s BSA/AML risk profile. Understanding the risk profile enables the bank to apply appropriate risk management processes to the BSA/AML compliance program to mitigate risk. This risk assessment process enables management to better identify and mitigate gaps in the bank’s controls. The risk assessment should provide a comprehensive analysis of the BSA/AML risks in a concise and organized presentation, and should be shared and communicated with all business lines across the bank, board of directors, management, and appropriate staff; as such, it is a sound practice that the risk assessment be reduced to writing” 1


This preamble has several important ideas in it. The expectation is that management of an institution can identify:

  • Who its customers are: including the predominant nature of the customer base. Are you a consumer institution or a commercial one at your core? Who are the customers you primarily serve?
  • What is going on in your service area? Is it a high crime area or a high drug trafficking area, both or neither? The expectation is you will know the types of things, both good and bad, going on around you. For example, if you live in an area where real estate is extremely high cost, there might be several “bad guys” buying property for cash as a means of laundering money. The point is you need to know what is going on around you.
  • Where are the outlier customers? Do you know which types of customers require being watched more than others? There are some customers who, by the nature of what they do, require more observation and analysis than others. The question is, have you identified these high-risk customers?
  • How well are you set up to monitor the risks at your institution? Do you have systems in place that are up to the task of discovering “bad things” going on? Does the software you use really help the monitoring process? This analysis should consider whether the staff you have truly understand the business models your customers are using. For example, if your customer base includes Money Service Businesses, do you have staff in place who know how money services businesses work and what to look for? The best software in the world is ineffective if the people reading the output are not familiar with what normal activity at an MSB looks like.
  • Ties to the strategic plan: Does the BSA program have the resources to match changes in products or services planned for the institution? For example, if the institution plans to increase the number of accounts offered to money services businesses, does the BSA department have an increase in staff included in its budget?


Effective Risk Management 

The information and conclusions developed in the risk assessment should be used for planning the year for the BSA/AML compliance program. The areas of greatest risk should also be the areas with the greatest dedicated resources. Independent audits and reviews should be directed to areas of greatest risk. For example, if there are many electronic banking customers at the institution while almost no MSBs, then the audit scope should presumably focus on the electronic banking area and give MSBs a limited review. In addition, training should focus on the BSA/AML risks associated with electronic banking, etc.

Rethinking the Risk Assessment process 

Continued development of new products and processes in finance and technology (“fintech”) and BSA/AML has opened the possibility of a vast array of potential new products for financial institutions. Products such as digital wallets and stored value on smartphones have opened new markets for people who have been traditionally unbanked and underbanked. Financial institutions which are forward thinking should consider the possibility that some of these new products have the potential to enhance income.

The ability to safely and effectively offer new products depends heavily on the ability of the compliance department to fully handle the regulatory requirements of the products. When preparing the risk assessment, consider the resources necessary to offer new (and money-making) products.

There are no absolute prohibitions against banking high risk clients  

Per the FFIEC BSA Examination manual higher risk accounts are defined as:

“Certain products and services offered by banks may pose a higher risk of money laundering or terrorist financing depending on the nature of the specific product or service offered. Such products and services may facilitate a higher degree of anonymity, or involve the handling of high volumes of currency or currency equivalents” 2

The Manual goes on to detail several other factors which should be considered when monitoring high risk accounts.  We note the manual does not conclude high risk accounts should be avoided.

The BSA/AML examination manual (“exam manual”) establishes the standard for providing banking services to clients who may have a high risk of potential money laundering.  Financial institutions are expected to:

  1. Conduct a risk assessment on each of these clients;
  2. Consider the risks presented;
  3. Consider the strengthening of internal controls to mitigate risk;
  4. Determine whether the account(s) can be properly monitored and administrated;
  5. Determine if the risk presented fits within the risk tolerance established by the Board of Directors.

Once these steps are followed to open the account for high risk customers, there is also an expectation that there will be ongoing monitoring of the account for potential suspicious activity or account abuse. The exam manual is also clear: once a procedure is in place to determine and properly mitigate and manage risks, there is no prohibition against having high risk customers. The risk assessment section of the exam manual notes the following:

“The existence of BSA/AML risk within the aggregate risk profile should not be criticized as long as the bank’s BSA/AML compliance program adequately identifies, measures, monitors, and controls this risk as part of a deliberate risk strategy.”3

Once an account has been determined to be high risk, and an efficient monitoring plan has been developed, there can be various levels of what high risk can mean. When a customer’s activity is consistent with the parameters which have been established and have not varied for some time, then the account can technically be high risk but not in practice. For example, Money Services Businesses are considered “high-risk” because they fit the definition from the FFIEC manual. However, a financial institution can establish who the customers of the MSB are and what they do. A baseline for remittance activity, check cashing and deposits and wire activity can be established. If the MSB’s activity meets the established baseline, the account remains “high risk” only in the technical meaning of the word. Knowing what the customer’s business line is and understanding what the customer is doing as they continue without much variation reduces the overall risk.

For a more complete discussion of the effective use of the BSA/AML risk assessment, please contact us at

The Beneficial Ownership Rule: Part Two – Due Diligence

In the first part of this series we described the new beneficial ownership rule. We talked about the reasons that the rule was passed and we noted that the central idea of this rule is making sure that financial institutions get complete information when an account is opened for a legal entity. This is especially true when a legal entity has a complex ownership structure. There is a second aspect of the rule that changes the due diligence process for legal entities to a dynamic one. This portion of the rule is being called the “fifth pillar” of BSA/AML compliance programs.

Due Diligence
Under the new Beneficial Ownership rule, the definition of due diligence is essentially changed, especially for accounts that are opened for legal entities. The rule specifically requires institutions to obtain background information on any person that owns or controls the legal entity. For purposes of this rule, ownership is defined as anyone who maintains an ownership stake of 25% or more of the entity. Control means anyone who has a significant responsibility to manage or direct the entity. A controlling person could have zero ownership interest in an entity.

Currently, information about the persons who control or own legal entities is not necessarily required, although as a best practice, this information should often be considered important to the due diligence process. The Beneficial Ownership rule makes obtaining the ownership and control information a requirement of the account opening and due diligence process. The rule also requires that financial institutions write policies and procedures that reflect these requirements. The rule notes that the policies and procedures should be risk based and should detail the various steps taken based upon the risk rating of the account. The types of documentation that can be considered acceptable for meeting the requirements of the rule are described.

Due Diligence as a dynamic process
When developing your compliance program to meet the requirements of the new rule, consider that due diligence for legal entities should become a dynamic process. It won’t be enough to obtain ownership and control information at the time the account is opened and then stop. There must be ongoing monitoring of accounts for changes in the ownership or control and analysis of what those changes mean.
In recent years, one of the tactics that money launderers have employed is to take over legitimate long-standing businesses to hide “dirty money”. For example, in late 2014, the Los Angeles area garment industry was overrun by a scheme known as “Black Market Peso Exchanges”. Drug money was used to purchase goods and then the goods were shipped to other countries where they were resold and converted back to cash. In many cases, the reason that this scheme was able to proceed was that the person or persons that desired to launder the money became a part owner of what was once a legitimate business.

In a similar manner, when a person who has bad intentions is able to control an entity, then the possibility that suspicious activity might occur goes up exponentially. An important part of ongoing monitoring for suspicious activity must be continuing due diligence on both the ownership and controlling persons of an entity.

Asking the second Question
Once information is obtained about the owners and/or controllers of a legal entity there is an additional review process that should occur. Does the owner or controller of the legal entity increase the likelihood or potential for money laundering? In the alternative, does the information that you have obtained about the owner or controller leave more questions than answers? For example, suppose your corporate customer runs a small flower shop on Main Street. One day, a 30% interest in the flower shop is purchased by a man who is the owner of the local casino. Why would the owner of a casino want a flower shop business? Since a casino is a high cash, high risk business, and people do still buy flowers with cash, there is an increased risk that the new controlling person may try to move some of his money through the deposits of the flower shop. In this case, the best practice would be to find out all that you could about the new owner and why this controlling interest makes sense. Moreover, now is the time to determine whether or not your BSA department still has the capability to monitor the flower shop now that it has a new owner. Do you have the ability to determine whether suspicious activity might be occurring? Not only should due diligence be dynamic, it should also include the analysis necessary to make the most efficient use of the information obtained.

The Beneficial Ownership Rule- A Two Part Series

Part One – What is the rule and What Does it mean to Me?

On May 11, 2016, the Financial Crimes Enforcement Network (FinCEN) announced its final rule strengthening the due diligence requirements for covered financial institutions. This rule is generally known as the beneficial ownership rule. This rule represents a significant change in the overall administration of Bank Secrecy Act/Anti-Money laundering (BSA/AML) compliance programs. The purpose of the change was made clear in FinCEN’s announcement of the final rule.

“Covered financial institutions are not presently required to know the identity of the individuals who own or control their legal entity customers (also known as beneficial owners). This enables criminals, kleptocrats, and others looking to hide ill-gotten proceeds to access the financial system anonymously. The beneficial ownership requirement will address this weakness.”

Put another way, the purpose of this rule is to address one of the biggest weaknesses in the current system for identifying suspicious activity. The fact that financial institutions have been required to obtain information about a legal entity without considering the ownership and/or control of the legal entity has allowed many a “bad guy” to effectively hide his/her illicit activity. The preamble to the rule lists several examples of how legal entities have been taken over by criminals in an effort to launder money. Some of the more interesting examples included:
• A series of shell companies that were used to take over and loot a publicly traded mortgage company.
• Using a series of small legal entities to cover a drug smuggling ring.
• Using a series of companies that were ostensibly for movie production to hide large amounts of cash that was being used for human trafficking.

In all of the cases that were cited, the common feature was that the ownership and control of the legal entities was obscured by a complex holding structure. The beneficial ownership rule is designed to address this practice. The rule requires that a financial institution doing business with a legal entity should know who owns and controls the entity. This is the enumerated requirement. However, it should be understood that simply knowing this information is not enough. Once the due diligence information is obtained, it is critical to ensure that it makes sense in context. For example, does it really make sense that a flower shop owner also owns a casino? These businesses are entirely unrelated except for the fact that they are both often cash intensive businesses.

The Rule Itself
The final rule creates a “fifth pillar” in the standard group of expectations for a comprehensive BSA/AML compliance program. Ongoing and risk based due diligence for customers will now be considered an essential part of the compliance program. The rule makes due diligence a dynamic process rather than the traditional process that essentially ended at the time the account was opened. Financial institutions are expected to stay abreast of who the beneficial owners of a legal entity are and how their ownership might impact ongoing monitoring of the account. As the beneficial owners change, then the manner in which the account is viewed should change accordingly.

Beneficial Ownership is a broad definition that includes both ownership and control.
Ownership – is defined as any person who directly or indirectly owns more than 25 percent of the equity of a legal entity.
Control – The term “beneficial owner” means a single individual with significant responsibility to control, manage, or direct the legal entity customer (e.g., a Chief Executive Officer, Vice President, or Treasurer).

These two prongs are critical because there are many times when a person or persons could actually have a minimal ownership stake in a firm or even no actual legal ownership, but still have the ability to control the firm. The rule requires all covered institutions to obtain information on all people who own or control a legal entity.

Financial institutions are expected to design policies and procedures that detail how staff will use their best efforts to establish and maintain written procedures that are reasonably designed to identify and verify beneficial owners of a legal entity customer. The procedures must allow the financial institution to identify all beneficial owners of each legal entity customer at the time of account opening unless an exclusion or exemption applies to the customer or account.

Why Wait?
The rule requires all covered institutions to be in compliance by May of 2018. Covered institutions in this case means:
“For purposes of the CDD Rule, covered financial institutions are federally regulated banks and federally insured credit unions, mutual funds, brokers or dealers in securities, futures commission merchants, and introducing brokers in commodities”

Though this rule technically applies only to covered institutions, it will be prudent for all financial institutions to become familiar with the requirements of the regulations and to apply the standards enumerated therein. Financial institutions will expect that their Money Service Businesses meet the same standards because the risk of undetected suspicious activity is the same.

There is absolutely no reason to wait to implement the principles detailed in the rule. By developing policies and procedures that are able to determine beneficial ownership, a financial entity can have more effective risk mitigation of its customer base. At the end of the regulatory day, knowing your customers and what it is that they do is the heart of any strong AML compliance program.

In Part Two- we will discuss the details of a strong beneficial ownership program.

It’s so Hard to Say Goodbye-When it’s time to De-risk

High risk customers present myriad concerns for a BSA Officer. What is the proper amount of due diligence, how much monitoring is appropriate, and whether or not SARs should be filed are all questions that go with the administration of a high risk client. Of course, the ultimate question is whether or not the customer should be kept or “de-risked” (the relatively new nomenclature for closing the account). For many BSA Officers this last step is elusive. In many cases, high risk customers continue to be a burden on the overall compliance apparatus. Year after year, SARs, enhanced due diligence, and sometimes hopes and prayers are employed while administrating high risk customers. These customers often become the target of examiners during their reviews and very often become the reasons for a finding at an institution. On the other hand, high risk customers are often the source of substantial fee income. For the BSA Officer, convincing senior management that the right thing to do is to sacrifice earnings in the name of compliance is a very tough sale, to say the least. To paraphrase a very popular song, sometimes “It’s So Hard to Say Goodbye”.

High Risk Doesn’t mean Undesirable
According to the FFIEC BSA Examination manual higher risk accounts are defined as:
“Certain products and services offered by banks may pose a higher risk of money laundering or terrorist financing depending on the nature of the specific product or service offered. Such products and services may facilitate a higher degree of anonymity, or involve the handling of high volumes of currency or currency equivalents”

The Manual goes on to detail several other factors that should be considered when monitoring accounts that are high risk. We note that the manual does not conclude that high risk accounts should be avoided. Instead, the manual suggests that when a bank has recognized that an account is high risk, proper monitoring is required. The best practices for high risk accounts include:
• Complete customer identification: Your institution must be able to establish that the customer is who they say they are. Are they a real person or a legal person in good standing? The goal of CIP must be to establish a basic identification.
• Enhanced due diligence: For a higher risk customer the best practice is to find out all you can about the reputation of the person or the company that is opening the account. During this process, it is important to find out how the customer is perceived by the community.
• Know Your Customer: This area is the most critical when dealing with a high risk customer. Understanding the particular business and how it operates is critical to being able to properly monitor transactions. In addition to knowing how your customer operates, knowledge of how the industry operates is key, because it provides context for your customer.
• Baseline monitoring: Using the information that has been obtained in the previous steps, setting up a monitoring plan for a customer allows the BSA Officer and BSA staff to develop a plan for review of a customer’s transactions. If the customer uses wires to pay vendors, then there should be a baseline for monthly wires and the vendors who receive the wires should match the types of vendors that deal in the particular industry.

High risk customers need bank accounts too and just because there is a higher risk of money laundering doesn’t mean that an efficient plan for monitoring can’t be developed.

Degrees of High Risk
Once an account has been determined to be high risk, and an efficient monitoring plan has been developed, there can be various levels of what high risk can mean. When a customer’s activity is consistent with the parameters that have been established and have not varied for some time, then the account can technically be high risk by definition, but not in practice. For example, Money Services Businesses are considered “high-risk” because they fit the definition from the FFIEC manual. However, a financial institution can establish who the customers of the MSB are and what they do. A baseline for remittance activity, check cashing and deposits and wire activity can be established. As long as the MSB’s activity meets the established baseline, the account remains “high risk” only in the technical meaning of the word. Knowing what the customer’s business line is and understanding that the customer continues on in that line without much variation reduces the overall risk.

On the other hand, when transactions are conducted that don’t match the business profile of the customer, concern should follow. For example, if the MSB above started showing remittances to a new country, it is time for a discussion with the managers. Does this represent a new business line? To whom? Why now? Do the answers match with what you know about the customer and the surrounding community? The customer should be more than willing to give information on changes to their business. Generally, small business owners are proud and happy to discuss growth of their businesses. A new business line or new set of customers is the type of news that is readily discussed. Moreover, discovering changes in business often leads to new opportunities for additional products and services from the bank. The more reluctant the customer is to discuss the reasons for a variation in the business, the more likely that there might be a problem. Information is the key to effectively administering a high risk customer.

Explain it to Me Like I am an Eighth Grader
In the movie “Philadelphia” Denzel Washington plays an attorney who has a habit of saying “explain it to me like I am an eighth grader”. His point was that if you truly understood a concept, you could make it plain for all. This is a good rule of thumb for monitoring high risk customers. Can you explain how the business works to a friend or acquaintance? Can you see in your mind’s eye how money flows through the business and feel comfortable that this makes sense? More than any other area of compliance, BSA/AML administration requires a good amount of “gut feel”. If a customer comes to you and says that they are a local flower shop, does it make sense that they would need to send remittances? Can the customer explain to you his/her business in a way that you understand and feel comfortable? If the answer is no, then the whole relationship should be reconsidered. There is no right or wrong answer, but if you can’t explain the business to someone who is an eighth grader, then you most likely cannot effectively monitor it.

Suspicion is in the Eye of the Beholder
When it comes to BSA, suspicious activity is often treated as a vague and hardly knowable concept. In point of fact, suspicious activity is in the eye of the BSA administrator. The FFIEC BSA examination manual doesn’t specifically define suspicious, but instead lists examples of suspicious activity. The list includes things like unwillingness to give information, incorrect information, or transactions that don’t match the information about the customer (e.g., unemployed with large cash deposits).
For accounts that are already opened and are high risk, suspicious activity should be transactions that don’t fit the known fact pattern of the customer. Are there suddenly much larger cash deposits than there have been in the past? Perhaps wires are going to new vendors or new locations? These are the sort of transactions that demand an explanation from the customer. Moreover, the explanation should be accompanied by documentation. For example, if the customer says that they have opened a new line of business, then they should be able to show documentation on how this new line came to be. Whether or not the explanation rings true is a matter of both documentation and gut feel.

The decision to file a suspicious activity report (“SAR”) should not be a default. If the activity is truly suspicious, then like any other relationship, there are trust issues. The SAR is really a report that is saying that we do not feel comfortable with what the customer is doing. If the activity rises to the level of a SAR, then the process should begin to consider whether the relationship is worth keeping.

De-Risking- a Mitigation Tool
One of the compliance areas that most burdens BSA compliance resources is the follow up and administration of SARs.

The decision to file a SAR is a balancing act. For the BSA Officer at most financial institutions there remains the fear that the decision not to file a SAR might result in heavy regulatory criticism. It is sometimes the case that institutions will file a SAR even when they feel that they are totally informed about the transactions and do not feel it is suspicious. Filing a SAR to avoid regulatory criticism is commonly called “defensive SAR filing”. While almost no institution will admit to doing so, a large number have actually filed defensively.

As a best practice, the SAR process should also be tied to the “de-risking” consideration process at your institution. There are many times when a customer engages in a suspicious transaction that is a one-time thing. Perhaps there is a large cash transaction and the explanation from the customer is somewhat sketchy. A SAR is filed and the account is closely monitored for the next 180 days. There is no other unusual or suspicious activity.

However, there are cases when a customer engages in suspicious activity and continues to do so. For many institutions, the process has become a continuous string of monitoring account activity and filing SARs. However, in the event that a customer is engaging in activity that the institution finds suspicious, the prudent course is to act on that information. In the event that there are numerous SARs filed on a customer for the same type of activity, it is necessary to make one of two determinations:
• The activity can be fully explained and vetted and is therefore not suspicious.
• The institution does not have the information necessary to properly monitor and manage the risk presented by the customer and therefore must terminate the relationship (“de-risk”).

Continuously filing SARs on a customer without considering the customer for de-risking is a red flag for regulators. This is an indication that the BSA staff of your institution does not fully understand what the customer is doing. Once activity of a customer has been determined to be suspicious, the process for gathering additional information should begin. Ultimately, if the BSA staff is unclear about a customer’s activity or business, he/she presents an unacceptable level of risk and the process of de-risking should begin.

What’s Hot in BSA

Compliance with the requirements of the Bank Secrecy Act and Anti Money Laundering (“BSA/AML”) laws will likely always be a “hot topic” when it comes to the ongoing operation of a financial institution. The fact is that our world is filled with people who are willing to do bad things and who must use financial institutions to move the cash that they receive for their activities. Because financial institutions are the nexus point for most criminal activities, the role that compliance plays in BSA/AML enforcement will continue to be large and will likely continue to grow.

Developments in technology, continuing world events, expectations of regulators and political events all come together to impact expectations for BSA/AML compliance. The goal of BSA/AML compliance is to detect activity that is suspicious and does not fit with what one might expect from a particular customer. Why would a flower shop in downtown Los Angeles need to wire money to Serbia (or for that matter Miami)? Of course there may be a legitimate reason for this, but the idea is that your financial institution must have a system in place that allows for such a transaction to be flagged and for staff to document the legitimate reason.

With the basic principle of knowing your customer in mind, there have been recent developments that have or will soon change BSA/AML expectations for your institution. Here are a few recent developments that will impact BSA/AML:

Financial technology, also known as Fintech, is a line of business based on using software to provide financial services. Financial technology companies are generally startups founded with the purpose of disrupting incumbent financial systems and corporations that rely less on software.
Fintech companies have developed many products that allow customers to have many of the same services and abilities as a bank account. Digital wallets, for example, allow customers to receive payroll, reload debit cards, pay bills and purchase gift cards, among other things. These platforms also allow customers to send wires, ACHs or other transfers.

The very nature of fintech relationships is often that the customer and the provider are not in physical contact with one another. The identification process is completed through various means such as texts to telephones, IP address verification and scanned copies of documents. The ability of fintech companies to discern fraud and detect unauthorized use of an account has become increasingly adept.
In response to developments in fintech, the FFIEC BSA manual has been updated to include more information about expectations for electronic banking customers. In addition, FFIEC issued Interagency Guidance to Issuing Banks on Applying Customer Identification Program Requirements to Holders of Prepaid Cards on March 21, 2016. This guidance defines when the opening of a reloadable card account becomes subject to the CIP rules. The guidance recognizes that with fintech, many times accounts are opened without an actual face-to-face meeting. However, the basic concept remains: the account issuer must be able to establish that the person who is trying to open the account is who they say they are. Developments in fintech will continue to push and change the contours of BSA/AML requirements.

Beneficial Ownership
Probably the most talked about impending change in the BSA/AML area is the set of new rules that cover beneficial ownership. It is our intention to write an entire blog series on these new rules, so we will simply summarize here.

At its core, the beneficial ownership rule requires that when an account is opened for a legal entity, information must be collected on the persons who either own or control the entity. Both the concepts of “own” and “control” the company are defined in the regulation. The final rule creates a new section in the BSA regulations at 31 C.F.R. § 1010.230 setting forth the beneficial ownership identification requirements for covered financial institutions, as well as a number of exclusions for specific types of customers and accounts. As a result, the beneficial ownership rule is widely being referred to as the “fifth pillar” of the BSA/AML program. The goal of this rule is to allow enforcement agencies such as FinCEN to track the flow of funds through commonly owned businesses and entities.

This fifth pillar of the BSA/AML program is expected to do more than simply collect information on the beneficial owners of entities. Once the information is collected, the nature of the relationship between the owner and the entity should be considered. The idea here is that the entity should not be a conduit through which an individual can funnel transactions that would otherwise be considered suspicious. The beneficial ownership rule will most definitely add an additional layer of customer due diligence for legal entities.

Geographic Targeting Orders
As the behavior of suspected money launderers continues to change and evolve, so do the tactics employed by the enforcement agencies. One area that FinCEN has been watching is money launderers’ practice of buying high end real estate for cash. In many cases, the purchases are made through legal entities such as limited liability companies. This is the very type of transaction that made the beneficial ownership rules necessary.

To combat this practice, FinCEN issues geographic targeting orders (“GTOs”), which require title companies to identify all of the individuals involved in shell companies that purchase real estate for all cash. For some time, the GTOs issued only applied to the Miami and Manhattan areas. In July of 2016, FinCEN expanded GTOs to include six metropolitan areas:
• (1) all boroughs of New York City;
• (2) Miami-Dade County and the two counties immediately north (Broward and Palm Beach);
• (3) Los Angeles County, California;
• (4) three counties comprising part of the San Francisco area (San Francisco, San Mateo, and Santa Clara counties);
• (5) San Diego County, California;
• (6) the county that includes San Antonio, Texas (Bexar County)
Although the GTOs apply directly to title companies, the cash purchase of real estate is the type of transaction against which financial institutions must be vigilant.

MSB’s with Agents
Yet another area that will be getting the attention of regulators is the ability of Money Service Businesses (“MSBs”) to monitor and administer the agents that they engage. FinCEN has issued guidance that specifies the BSA/AML standards for MSBs. The guidance focuses on the need to establish standards for monitoring and review and to insist on proper independent testing.

Model Validation
It is not enough to simply test whether or not the data in your BSA/AML software has been properly mapped. You must also determine that the software is doing what the bank needs it to do to monitor suspicious activity.

OCC guidance points out that the use of models in any banking environment must fit within a risk framework. This framework has essentially four elements:
• Business and regulatory alignment – the model must fit the bank’s risk profile and regulatory requirements
• Project management – a proper and appropriate implementation is an ongoing project that is as dynamic as the bank’s operation
• Enabling technology – the use of the technology should facilitate the bank’s ability to meet its regulatory requirements
• Supporting documentation – as a best practice, documentation of the rationale for using the model should be maintained

For BSA/AML monitoring software, the risk framework means that regulators expect financial institutions to know how their software works as well as the “blind spots” for transactions that may not be completely covered by the way the software operates. The expectations are that your staff will use monitoring software as a tool that is constantly being sharpened and improved. The model validation process is the means to ensure that the software is improving.
BSA and AML programs for financial institutions have to be nimble and flexible as technology, world politics and the schemes of people who launder money continue to change.

The Nexus of BSA & Fintech

Two areas will always be among the “hot topics” when it comes to compliance. The first is an institution’s system for compliance with the requirements of the Bank Secrecy Act/Anti-Money Laundering (“BSA/AML”) laws. Regulated financial institutions have been well aware of the fact that a well-developed system for compliance is a critical component of ongoing operations. A second area that is becoming increasingly important is the use of technology to transact business by financial institutions. This area is often known as “fintech”. Although fintech is often a broadly used term, there are generally accepted definitions such as this one offered by Fintech magazine:
Financial technology, also known as Fintech, is a line of business based on using software to provide financial services. Financial technology companies are generally startups founded with the purpose of disrupting incumbent financial systems and corporations that rely less on software.
PayPal, Apple Pay and Venmo are just a few examples of popular software applications that allow consumers to transfer money to one another with just a few relatively easy steps.
As the number of firms that offer variations of fintech transactions grows, so does the need for a financial institution’s BSA/AML system to adapt.

The Heart of BSA/AML- CIP and KYC
Although there are numerous components that make up a strong and complete BSA compliance program, the heart of all programs is the ability of the financial institution to know complete information about its customers. The two components of the BSA program that perform this function are the Customer Identification program (“CIP”) and the Know Your Customer (“KYC”) programs. The CIP program is made up of the policies and procedures established by an institution for the purpose of collecting identifying information about their new customers. The FFIEC BSA manual details the requirements of the CIP regulation and notes that at a minimum, a financial institution must obtain the following information before opening an account:
• Name
• Date of birth for individuals.
• Address.
• Identification number.

There are well established rules for the types of identification that are considered acceptable. The goal of the CIP program must be that a financial institution establishes with reasonable certainty that the person who is attempting to open an account is who they say they are. For business accounts, the requirements are the same, although the identification takes different forms, e.g., name would be the legal name of a business and identification number would be the tax identification number.
Once the identity of a customer is established; the KYC portion of a compliance program comes into play. Depending on the types of transactions that the customer says that they will conduct, additional information is necessary. For example, if the customer is a flower shop, then information about how long they have been in business, who their customers are, how the flowers are sold and the means for payment, etc. are all pieces of information that are necessary for a financial institution. Using this information, the financial institution can keep transactions conducted by the customer in context. In other words, if the flower shop sells mostly orchids, it is reasonable that there would be wires to regions of the country where orchids are grown.

It is through CIP and KYC that all of the information that is gathered on a client is filtered. Individual transactions may or may not be considered suspicious based upon the KYC and CIP obtained about a client. Using the flower shop example above, wires or ACH activity to war-torn regions of the world would seem at least very unusual for orchids.
CIP and Unintended Consequences
The need for complete CIP and KYC has been at the heart of a delicate balancing act for financial institutions and the customers that they serve. The FDIC separates people who do not use banks to fully serve their financial needs into two distinct categories. The unbanked have no ties to an insured economic institution. Essentially, they have no checking or savings account and no debit or ATM card. Meanwhile, the underbanked do use some of these services – often a checking account – but they also used alternative financial options within the past year.

When customers are from the “unbanked” and “underbanked” communities, the issue of complete documentation of identification can be tricky. These customers may not have complete or traditional documentation available. For many institutions, the clash between the desire to serve underbanked and unbanked and the need for complete documentation has created an unintended consequence. The law of unintended consequences is defined as:
“The law of unintended consequences is the outgrowth of many theories, but was probably best defined by sociologist Robert K. Merton in 1936. Merton wrote …a treatise which covers five different ways that actions, particularly those taken on a large scale as by governments, may have unexpected consequences. These “reactions,” may be positive, negative or merely neutral, but they veer off from the intent of the initial action.”

In the case of BSA, the desire to monitor and mitigate risk had the unintended consequence of shutting out entire industries that often are critical to unbanked or underbanked communities. MSBs such as combination grocery stores and check cashers often serve as the bank and remittance service for migrant workers and expatriates of other countries. When the local bank makes a decision to stop providing services to these entities, the customers of the MSB are forced into transactions with entities that are completely underground.

Fintech to the Rescue?
Fintech companies have developed many products that allow customers to have many of the same services and abilities as a bank account. Digital wallets, for example, allow customers to receive payroll, reload debit cards, pay bills and purchase gift cards, among other things. These platforms also allow customers to send wires, ACHs or other transfers.
The very nature of fintech relationships is often that the customer and the provider are not in physical contact with one another. The identification process is completed through various means such as texts to telephones, IP address verification and scanned copies of documents. The ability of fintech companies to discern fraud and detect unauthorized use of an account has become increasingly adept.
The development of fintech products gives financial institutions the opportunity to reach out to customers that have been largely overlooked due to BSA/AML concerns. The time has come to reconsider the possibilities.

For a detailed review of how Fintech can improve overall Community Reinvestment Act performance, non-interest income and BSA/AML compliance please go to and fill out the “Contact Us” form.

Your Partner in Balancing Compliance