Wednesday, October 27, 2004
( 3:50 AM ) Ken - Pegasus
ABA/ABA Money Laundering Enforcement Seminar, Day Three
Juan Carlos Zarate, Assistant Secretary, Executive Office for Terrorist Financing and Financial crime of the Treasury opened the final day of the seminar with a brief keynote presentation. He noted that 9/11 represented a major turning point for both the industry and the Department of Treasury. “We have seen both the broadening and the deepening of regulation, not just in banking, but in the money services and brokerage businesses as well.”
He thanked the industry for its cooperation and assured those present that their efforts had had a demonstrable effect, “It is now more difficult for Al Queda and similar organizations to move money.” He indicated that terrorist organizations may now be forced to use crude methods to transfer funds, for example, cash couriers rather than electronic transfers.
Zarate’s remarks echoed those of previous speakers in one area in particular: “The government has the overriding responsibility in this new paradigm. It needs to share information…”
“Ask the Examiners” was the title of the first general session. Participants included representatives from the FDIC, OCC, FDIC, FRB and the SEC. Panel members were each given the opportunity to make general remarks and then answered questions submitted in advance by the audience. Generally, those responding offered caveats that the opinions they expressed were their own, not those of their employer.
Some questions were answered only by the representatives from a single agency. However all of the agencies responded to a question regarding the expected frequency of independent examinations of BSA compliance. There was a general consensus that the independent examination should be performed annually. However, there was some acknowledgement that a smaller, less complex bank might reasonably extend the frequency to 18 months. (That acknowledgement was not uniform among the agencies.) One panelist noted that a bank with high risk factors might need to have an independent examination done more frequently than annually.
Office of the Comptroller of Currency
Dan Stipano, Deputy Chief Counsel, reminded those present that, “The environment has changed. That’s true for banks and true for regulators.” He noted that most regulation takes place seamlessly and privately; “Ninety-five percent of the problems are fixed as a result of the examination process.” However, he also noted that there are cases where wholesale failures, repeat violations or uncorrected violations require stronger measures.
As he had done the day before, Stipano mentioned the longstanding BSA provision, 12 USC 1818(s), that mandates issuance of a cease and desist order if a bank fails to establish an effective BSA compliance program or has repeat violations in the same area of BSA compliance. He said the OCC expects to publish a matrix originally developed for internal use that shows the circumstances under which an order would be issued.
In response to a question about personal responsibility if a compliance officer is unable to get management to act on needed changes Stipano said, “Compliance officers must try to get the attention of senior management, try to convince them this is a business motivated decision. If those efforts fall on deaf ears, I’m not sure what the compliance officer can do about it.”
When a banker asked about how banks were expected to detect terrorist financing Stipano responded, “It is not the job of banks to identify terrorist financing or money laundering. It is the responsibility of banks to identify suspicious activity and report it. It is law enforcement’s job to figure out if it is money laundering or terrorist financing.” Timothy Leary from the OTS noted that the 314(a) process is a good example of a bank’s efforts to detect terrorist financing, “Past reporting suspicious activity and responding to 314(a) queries, there is not a lot they can do.”
One banker asked about the bank’s responsibility to impose CIP requirements on cardholders if a corporation obtained cards for all of its employees, Stipano indicated that generally, the corporation would be the “customer” for CIP purposes. However, he quickly noted that additional facts would be necessary to offer an informed rather than a “curbside” opinion. Julie Williams from the FRB noted that a bank was still obligated to make its own risk assessment in connection with CIP; i.e. it might conclude that its CIP procedures to incorporate the cardholders themselves.
John Wagner, National Bank Examiner/Compliance Specialist indicated that a reasonable time in which to expect to receive documentation requested from an MSB, such as a written AML program, would be “a week or so.”
On another MSB related question; i.e. whether a bank could continue to do business with an MSB after it realized it was unregistered, Wagner indicated that, “The customer is clearly out of compliance with a federal statute - that would be a very big red flag to me.” Lisa Arquette from the FDIC added that in dealing with an unregistered MSB the bank is “…not violating anything, but the MSB is. Since it’s a violation of law you need to file a SAR and monitor that customer’s activity.”
In response to a question about whether banks should monitor activity for an amount less than that required for currency transaction reporting, Wagner said that, whether the system focused on a single day or several days, any dollar figure used is ultimately a management decision; there is no regulatory suggestion of a specific amount. He noted that examination procedures (expected out next year) will contain guidance regarding monitoring activity and transaction testing.
Federal Reserve Board of Governors
Bridget Neill, Manager Anti-Money Laundering Policy and Compliance, began by explaining that bankers often seek guidance in establishing effective AML programs. She encouraged them to review the Fed’s publicized enforcement actions for suggestions.
She said the FRB’s enforcement actions were more comparable to a compass than a road map; i.e. they do not retain recitations of facts saying exactly what the institution did as a prelude to the action, but they do describe what an effective AML program would look like. She specifically noted that the enforcement actions were a form of public outreach where the agency sought to communicate with all banks, not just the one that is the object of the order.
Reiterating recent industry headlines, she noted that every institution must have a system in place to detect and monitor suspicious activity. “We are acutely aware of the subjectivity in SAR filing, but if SAR failures are pervasive and systemic we will help you manage it,” she said.
In response to a question about whether a bank need to actually review an MSB’s written AML program Neill said, “If you are going to request it you are going to need to review it. You might consider asking for a copy of their audit program as well.”
Lisa Arquette, Chief Special Activities Division of Supervision and Consumer Protection, began her remarks by emphasizing that the FDIC’s position was both that of a regulator and an insurer in reviewing problems related to BSA compliance.
Kevin Hutchins, Review Examiner, responded to a question regarding the regulatory agencies’ current interest in documenting SARs that were not filed. He indicated, “If examiners believe there is suspicious activity they will want to discuss it. Our expectation is that they (the bank) would support their decision in writing.” Arquette added, “If it looks peculiar, they evaluate it and determine a SAR is not necessary, if they document it, that’s fine with us.”
One questioner asked about the propriety of “counseling” customer who is structuring cash transactions to avoid reporting requirements, but who is not otherwise believed to be involved in illegal activity. Arquette said interviewing the customer would be appropriate in an attempt to follow trends and determine what is reasonable for that customer. Hutchins added that the conversation should focus on “what’s going on,” not CTR filing or structuring.
Timothy Leary, Counsel, Banking and Finance, pointed out that the consistency of enforcement is particularly critical in the BSA area and that the expected revision of the examination procedures would aid that goal. A member of the group that is currently drafting the interagency procedures, he said, “As far as interagency groups are concerned, this is one of the fastest moving I have participated in. We already have a pretty solid draft of the core procedures together.”
He indicated that the core procedures would address BSA fundamentals such as currency transaction reporting, record retention and SAR filing. He noted that recently published procedures such as those on Sections 314 and 326 of the USA PATRIOT Act would probably be included without revision. It was his expectation that the core procedures would actually be distributed to examiners for field testing prior to year end.
Using the same analogy referenced by a speaker the day before, he described the expanded procedures as a “Chinese Menu.” The expanded procedures will be used selectively based on the particular bank’s activities and other variables; i.e. specific portions will be incorporated in the examination if they are relevant to the particular institution.
Phil Magathan, Compliance Examiner, focused his remarks on the CIP examination procedures issued this summer. He noted that the regulations required banks to perform a risk assessment and that the agency would expect it to be documented (in writing) and available for their review. He noted that independent testing conducted for BSA compliance should include review of the bank’s CIP and that examiners would be sampling account openings to see if stated procedures were followed and to evaluate what actions the bank took when problems were identified.
[Will add some additional information from a couple later sessions tonight.]
Recordings of individual sessions can be purchased through http://www.intelliquestmedia.com/ . Next year, MLES will be held October 30 to November 1 at the Marriott Wardman Park Hotel in D.C.
Monday, October 25, 2004
( 8:30 PM ) Ken - Pegasus
ABA/ABA Money Laundering Enforcement Seminar, Day Two
Sunday, October 24, 2004
( 7:06 PM ) Ken - Pegasus
ABA/ABA Money Laundering Enforcement Seminar Begins
One presenter thought a quote from Lewis Carroll’s Alice in Wonderland might be appropriate for attendees at the opening session of the 2004 ABA/ABA Money Laundering Enforcement seminar.
In its sixteenth year and boasting a record number of participants (nearly 800), the conference began this afternoon at the Hyatt Regency in Arlington, Virginia. It is jointly sponsored by the American Bankers Association and the American Bar Association.
John Atkinson, Assistant Vice President of the Supervision and Regulation Division of the Federal Reserve Bank of Atlanta reminded the audience of the Cheshire Cat’s remonstrance to Alice: If you don't know where you are going, any road will take you there” and asked them to keep it in mind when they are considering adoption of an automated AML system.
Atkinson was a panelist in the session that opened the conference, “Choosing a Product/Service for AML Compliance, What is the Process?” He advised attendees that the decision to seek a technological approach to combatting money laundering is often quickly made and put in place without adequate planning. He said, “Too often, the decision is the hasty result of a critical audit report or a bad examination.”
He encouraged audience members to make their first investment as time, not money, the time it would take to make certain they knew what was already available to them in current software packages. After that information is identified, they can decide exactly what incremental improvements in their information management system are necessary. However, he noted, “A proper MIS is critical to managing risk, whether the risk is credit, interest rate or BSA compliance.”
The well balanced panel was moderated by Alan Abel, Leader Anti-Money Laundering Risk Management Services for Deloitte in Washington, D.C. He began the session by noting the task force a bank used to develop or select an automated AML solution should include those personnel who will be the “stakeholders” in the process as well as the ultimate users. He stressed that the software should do what bank personnel thought was necessary, not vice versa, and observed, “Your people should not be software slaves.”
Like Atkinson, Abel encouraged attendees to pay close attention to integrated financial application systems and platforms already in place. He indicated that current vendors may have related products, versions or features that can be more cheaply or quickly engaged.
Peter Janczak, Director of Compliance for Marshall & Ilsley Corporation in Milwaukee, noted that banks had no resources to waste and might need to phase in their response. For example, they might need to begin with an interim solution focused on the greatest areas of risk and then evolve it into a more intuitive system involving all major product lines. Noting that the goal is to: “get the data review and analysis out of the silos,” he encouraged the audience to “do the basics well” and prioritize other areas.
Janczak emphasized that the end result of the automated system has to be usable data. He said any system requires fine tuning in order to make it fully functional; i.e. the alerts generated must be connected to the correct areas and be usable in volume. He also noted, “There are few things worse than producing alerts and not effectively researching and resolving them.”
Another banker on the panel, Thomas Martin, BSA Officer and Financial Intelligence Unit Manager for SunTrust, listed the six steps his bank had taken in selecting a vendor for AML software:
· assembling a project team,
· defining requirements,
· designing the project concept,
· developing a request for vendor proposal,
· evaluating vendors and
· vendor selection.
Martin also acknowledge the long term desire to establish a “neural model;” i.e. an enterprise wide system capable of connecting activity from unrelated areas of bank operations. He also noted the importance of using data produced by the system to revise the system, “We have found more interesting information and that information adjusts what you see as the area of risk.”
In reviewing his bank’s experience in installing an automated AML system, Dennis Algiere, Chief Compliance Officer for the Wilmington Trust Company in Westerley, Rhode Island emphasized the critical support he received from his institution’s management. He said, “It was easier for us to get because we did a risk assessment. We could demonstrate that the ability to identify suspicious activity and report fraud was financially critical.” He added that it is probably easier than it has ever been to demonstrate to a CEO that the cost justification for an automated AML system exists.
Algiere emphasized the importance that bank personnel would continue to have in the detection of suspicious activity saying, “These systems are not a replacement for personal observation.” He emphasized that initial and continued training are critical with the inception and maintenance of an automated AML system.
In response to a question from the audience, the bankers uniformly noted that the number of Suspicious Activity reports their institution filed had increased significantly after they put the automated system in place. They also noted that much of the increase was related to reporting the “structuring” of currency transactions.
There was general applause when John Byrne, Director of the ABA’s Center for Compliance in Washington, D.C. observed that it might be appropriate to investigate “…whether we are wasting a lot of good people’s time and energy in filing SARs on structuring that have no value.”
The seminar will run through Tuesday of this week. Recordings of individual session can be purchased through http://www.intelliquestmedia.com after the seminar is over.
Tuesday, October 19, 2004
( 6:44 AM ) John Burnett
Treasury's Fiscal Management Service has issued in today's (10/19/04) Federal Register (69 FR 61563) an interim final rule restating its regulation on Indorsement and Payment of Checks Drawn on the United States Treasury.
The interim rule, effective October 28, 2004, restates the Service's regulation at 31 CFR Part 240, to adapt the rule to the check processing environment that will become effective with the implementation of Check 21 rules on the same date.
In addition to adding provisions to the regulation addressing the presentment of substitute checks and images of Treasury checks (which create indemnities paralleling those created under Check 21 for substitute checks), Treasury proposes requirements that would mandate security over original Treasury checks that have been truncated such that the information on those checks would not be available to third parties for data mining or other purposes.
The interim rule also makes some technical tweaks to the regulation, last revised just last spring. For example, the current rule mandates a review of original Treasury checks for the existence of Treasury's security watermark as a minimum standard for a bank's having verified the authenticity of the check. That standard is removed if the check being reviewed is an image check or substitute check, since the watermark will not survive imaging.
The interim rule can be found at http://a257.g.akamaitech.net/7/257/2422/06jun20041800/edocket.access.gpo.gov/2004/pdf/04-23279.pdf
Sunday, October 17, 2004
( 9:17 AM ) Andy
Software Piracy, Not In Your Bank, Right
The Business Software Alliance recently released a study indicating that 23% of businesses use software without a license. Coincidentally, in a survey of 1,500 business professionals, 89% agreed this is a risk not worth taking.
Copyright owners may sue for statutory damages of up to $150,000. Criminal penalties go up to $250,000, 5 years in jail, or both. This is a worst case. The BSA (troubling initials in more ways than one) usually settles for between $10,000 and $50,000. This will depend on the software and violations. You can also expect a huge cost as you inventory all your computers and match up your licenses to each. You do have your licenses and a list of what programs are on what computers, don't you?
The BSA is a watchdog group representing software companies including Adobe, Apple, Autodesk, Cisco, Microsoft, and Symantec. They don't necessarily have the ability to walk in and audit your computer software, but they do work closely with the software manufacturers and law enforcement, when necessary. They do in fact have clout. The Loss Angeles Police Federal Credit Union has paid a $60,000 settlement to the BSA. More than $70 million in settlements has been collected by the BSA.
Disgruntled employees is one common way the alarm is sounded. Organizations may be purposely copying software or installing it on a network and allowing more users access than they are supposed to. Another common fault is when replacing a PC and installing existing software on the new one, handing the old down to another user without taking off the duplicate programs. Businesses must also ensure that the software they purchase has a valid license, and is used in accordance with that.
Software management is important. Have a system in place. Training and management tools are available from the BSA. #