Don’t Stop – Monitoring for BSA/AML

Bank Secrecy Act / Anti-Money Laundering monitoring is key to a financial institution’s safety and soundness, risk mitigation, and more. Elizabeth Greene, CRCM, NCCO, discusses updates to the FFIEC’s BSA / AML Examination Manual monitoring guidance.

Elizabeth Greene – Senior Compliance Advisor

We have always known that BSA / AML monitoring is key to a financial institution’s safety and soundness, risk mitigation, and more. Changes to these areas of an institution will not go away; they will only be updated as time goes on. In this article we will discuss updates to the FFIEC’s BSA / AML Examination Manual that apply when an institution is conducting its monitoring.

We all know that the FFIEC is never big on setting the “requirements” for an institution’s monitoring program. What they do is provide specific guidance on how our banks should be developing full scope, thorough programs under BSA / AML to ensure sound practices are in place. Under the new updates, which provide additional transparency, certain areas have been addressed to indicate a need for financial institution policies, procedures, and processes to be reviewed, ensuring they address potential money laundering, terrorist financing, and other illicit financial activity risks.

Our first category delves into the importance of knowing each customer and a reminder that a specific type of customer does not automatically mean the customer is considered high risk.  The FFIEC has stated that it is the responsibility of the institution to ensure there are appropriate risk-based procedures to understand the nature and purpose of the customer relationship and to develop customer risk profiles.  The review is expected to include customer identification, customer due diligence, beneficial ownership, and suspicious activity reporting.  They also encourage the institution to mitigate risks related to the unique characteristics of the customer relationship and not discourage or prohibit a specific type of customer from banking with them.

The next category we will look at is Charities and Non-Profit Organizations (NPOs). Based on the type of organization, the transactions that will be conducted, and the overall risk associated with this customer type, the FFIEC is setting expectations for financial institutions regarding proper customer identification, customer due diligence (CDD), beneficial ownership, and suspicious activity reporting (SAR). As there is no defined CDD approach from the regulators, the expectation is that a consistent risk-based approach should be in place, with the level and type of CDD matched to the risks presented by the customer relationship. Items that have been highlighted by the FFIEC are:

  • Purpose and nature of the charity and NPO, including mission(s), stated objectives, programs, activities, and services.
  • Organizational structure, including key principals and management.
  • Geographic locations served, including headquarters and operational areas, particularly in higher-risk areas where terrorist groups are most active.
  • Information pertaining to the operating policies, procedures, and internal controls of the charity and NPO.
  • State incorporation or registration, and tax-exempt status by the Internal Revenue Service (IRS) and required reports with regulatory authorities.
  • Voluntary participation in self-regulatory programs to enhance governance, management, and operational practice.
  • Financial statements, audits, and any self-assessment evaluations.
  • General information about the donor base, funding sources, and fundraising methods, and, for public charities, the level of support from the general public.
  • General information about beneficiaries and criteria for disbursement of funds, including guidelines/standards for qualifying beneficiaries and any intermediaries that may be involved.
  • Affiliation with other charities and NPOs, governments, or groups.

ATM owners and operators have always been a high-risk topic for an institution when conducting risk ratings and reviews, which brings us to our third point. Due to the cash-intensive nature of an ATM, the source of funds used to replenish the machines is a key risk factor. I imagine the first question to come to mind is: “Well, aren’t they getting their cash from a bank?” Sure. They usually are, but what if they aren’t? Financial institutions are still on the hook for knowing where their customer received the funds. Even if your ATM owner receives their money from Major Bank USA, which poses a lower risk to your financial institution, you still have to know where they got it from. Similarly, if your ATM owner gets their cash from a Money Service Business (MSB), which may pose a much higher risk, then, you guessed it, you’re still responsible for knowing that the replenishment cash is coming from that MSB.

Again, the regulators are not setting the requirements for monitoring this category of customer, but setting an expectation that your institution has proper monitoring in place to mitigate risk and conduct proper CDD, including necessary wider scope enhanced due diligence (EDD), for your customers. These are consistent practices that fall in line with necessary risk mitigation. Here are some topics to consider:

  • Organizational structure, including key principals and management.
  • Information pertaining to the operating policies, procedures, and internal controls of the ATM owner or operator.
  • ATM currency servicing arrangements, contracts, and responsibilities (e.g., cash vault services, third-party providers, and self-service).
  • Information regarding the source of funds if the bank account is not used to replenish the ATM. Sources of cash may include proceeds generated by the core retail business of the owner, proceeds from a loan or revolving credit line, or cash originating from an account maintained at another bank.
  • Location where the independent ATM owner or operator customer is organized, and where they maintain their places of business, including locations of owned or operated ATMs.
  • Description of expected and actual ATM activity levels, including currency transactions.
  • Information to better understand whether ATM operations are generally ancillary to other retail operations or the primary business of the independent ATM owner or operator customer.  

Our last category to look at will be an institution’s identified politically exposed person (PEP).  You may be thinking: “How would a politically exposed person ever be a higher risk to our bank?  They are public servants and are here to do good.”  While this may be true, by virtue of their public position or relationships, some bank-identified PEPs may present a risk higher than other customers by having access to funds that may be the proceeds of corruption or other illicit activity. Some foreign individuals who are bank-identified PEPs have used banks as conduits for their illegal activities, including corruption, bribery, money laundering, and other illicit financial activity.  As such, our regulators are expecting institutions to have proper CDD and EDD practices in place to ensure our programs meet the needs of risk mitigation in this category.  Here is some information that can be useful for an institution in understanding the nature and purpose of the customer relationship and, therefore, in determining a risk profile of bank-identified PEP customers:

  • The type of products and services used.
  • The volume and nature of transactions.
  • Geographies associated with the customer’s activity and domicile.
  • The customer’s official government responsibilities.
  • The level and nature of the customer’s authority or influence over government activities or officials.
  • The customer’s access to significant government assets or funds.

In the end, the main point is the same as it has been – know your customer, know your customer’s customer, and ensure your institution has the proper BSA / AML guidelines within its program to cover this monitoring. Financial institution practices should be consistent among customers and thorough enough to show they meet the regulator’s expectation for risk monitoring processes and to meet examination procedures, which depend on the bank’s risk profile, size, and / or complexity, adoption of new innovations or technologies, changes to the bank’s BSA / AML compliance officer or department, the quality of the bank’s independent testing, and other relevant factors.

Take the guesswork out of compliance and gain unlimited access to experts, guides, and other resources to help you navigate today’s complex regulatory environment. If interested in becoming a Temenos Compliance Services member, contact us today to learn how to begin taking advantage of these perks and more!
