I'm going to attend the Dallas session this morning and will relay anything mentioned there that I don't think was addressed in the telephone sessions. Please chime in if you attended the SF, Dallas or a later session. The NY session will be simulcast and you can register for it through the FinCEN web site. (Go to "What's New")

Attending the live session isn't feasible for many, many banks. However, the simulcast is. Suggest you have as many senior folks as possible in front of the screen, take attendance and note your participation in your BSA training file. They're not doing this just to entertain themselves.

I went to the SF meeting and it was worth my time. Two things they emphasized: 1. "Customized" Risk Assessment and 2. Transaction Testing.

My boss and I also attended the San Francisco conference. However, we found that we could have easily skipped the first 90 minutes, as it was simply a rehash of the design and structure of the exam manual that was already talked about at length during the nationwide conference calls.

As for the second half: The panel of banking representatives was somewhat frustrating, as the banks represented were so much smaller than our shop that we didn't find much of their experiences to be helpful to us. The 'Ask the Regulator' session was better, but several of the questions asked were so basic (and not really related to the exam updates) that it seemed a waste of our time.

I hope the later sessions will be 'meatier' for those in attendance.

OMG I CAN'T BELIEVE I MISSED SEEING YOU AT THE DALLAS CONFERENCE!!!!!!!!!! Which I thought was pretty good, btw. I got some good info. Some things I have in my notes - and I know there were other BOLers there today too, so feel free to add/correct.....

From the 'canned' presentation -
Bridget from the Fed and Tim from the OTS were really good speakers. The other 2 (Lisa from FDIC and John from OCC) were not.

* Exams should be consistent regardless of the agency.
* Goal is to scale down exams where possible.
* Low risk institution oculd have extremely limited exam.
* Ensure adequate transaction testing is done.
* Response to identfiied risks is key.
* BSA Databases - they're looking for material shifts in patterns, which should trigger a red flag. Database info shouldn't be used as a conclusion in/of itself.
* They don't expect every bank to have the same approach to OFAC.
* The goal is not to find OFAC violations but to determine whether a bank's protections are adequate for it's operations.
* Risk assessment - encouraged putting it in writing and documenting overall process.
* Risk assessment is a process, not a one time action.
* Banks with various departments that run their own computer networks/systems have more challenges that need to be addresed.
* Examiners must do some transaction testing to enusre they understand the reisk assessment and overall program.
* It's examiner judgement on how far transaction testing will go.
* CIP is included perforce in all BSA aspects.
* SARs, esp narratives, should include as much high quality information as possible.
* It is impossible for a bank to catch every illicit transaction that may pass through.
* Examiners should focus on overall SAR process, rather than an individual filing or nonfiling.
* Well trained tellers can go a long way towards identifying suspicious transactions.
* Thresholds and triggers are important and should be reassessed periodically.
* It is NOT the best use of an examiner's time to focus on individual judgement calls but on whether the system is adequate. The best way to ease the examiners' minds is to document, esp cases where SARs weren't filed.
* Examiners will still look at SARs to review the overall function of the process. You can still be criticized if an individual SAR is not filed if the failure is significant or the failure is a bad faith action on the bank's part.

I'll put the regulatory panel notes in another post.

Regulatory Panel Notes - all 4 big agencies represented (NCUA was not.) OFAC and FinCEN were also on board. The OFAC guys are scary smart.

* Fed stated BSA officer CAN be compliance officer as well but CANNOT be auditor or involved in audit in any way. (I know this has been a bone of contention with Fed banks.)
* Non-bank subs - what's required? OCC - BHC owned - no requirements per se, but enterprise wide, should be sure customers are known/understood. Under bank control, follow normal bank procedures. Fed - look over enterprise-wide risks; Reg Y covers SAR requirements. FinCEN - broker/dealer or other subs may have their own BSA requirements to follow. Insurance co rules are proposed.
* ACH Transactions - concerns that monitoring can be done only after the fact - OFAC - clearly, remitter has duty to doublecheck at the time of initiation. If discovered by receiving bank, take action as quickly as possible.
* Is payday lender an MSB if no checkcashing, wires, etc. - FinCEN - refer to rule 2002-2. If exceeds $1,000, possibly an MSB. No blanket or cookie cutter rule that can be applied.
* Prepaid stored value cards - OCC - evolving area. Make sure there are controls re: amount that can be put on any one card (and my own note - how many can be sold to one person/group at a time.) CIP applies. FinCEN - review expanded procedures on electronic cash for additional guidance. Fed: use activity reports to monitor patterns.
* MSBs - FinCEN confirmed - NOT bank's responsibility to montior MSB compliance with BSA/AML rules. MSB registering documentation should be returned to customer within approximately 60 days but MSBs have 180 days to register after starting MSB activity.
* Periodic risk assessment - how often should it be redone? Driven by changes in the bank and its environment. No one size fits all answer. (However, they were leery of anything going beyond about 18 months.) Suggested discussion with Board & sr management annually and then if no changes are warranted to the risk assessment documents, so be it.
* Cashiers checks - do you have to do OFAC on payable to parties? OFAC - YES. Very dangerous to make a blanket policy that you won't check beneficiaries, simply because overall bank is judged low risk.

Hope this helps some people..... the regulatory panel was the best part and I wish they'd done more of that! The examiners were supposed to be getting the same training this afternoon so I hope they got some of the same messages that we did.

We should have had a BOL get together at the ZaZa!

Great job! I have no corrections, but some of the following might reflect different points of emphasis. [I’m intentionally repeating the low risk OFAC question and will limit myself to one editorial remark: Now there is proof positive, OFAC compliance is not risk based, it’s paranoia based.]

The live program was more efficient and focused than the telephone conference; the only conspicuous waste of time was by some of the trade group representatives who padded their introductions of the bankers with their own observations. The regulators prepared remarks were similar to those phone conference I attended, but some focal points had changed. All spoke from a single slide presentation and it was easier to follow. As noted, there was a panel of bankers who had conducted their own risk assessments and that will apparently be a feature at the other sessions as well.

Some nuggets:

• The importance of the bank’s self assessment of BSA risk was stressed repeatedly. One regulatory panelist said, “For a low risk institution, a properly conducted and documented risk assessment could be the start and the end of your examination.”

• In response to a question about when the examination procedures will be in use, the FDIC representative indicated that his agency is using them now, an OCC said that agency would begin using them in September and an OTS representative indicated that current request letters being sent were based on Appendix H and, accordingly, those examinations beginning in the next 30-60 days would be based on these procedures. (I could not understand what the Fed speaker said.)

• The importance of the regulators “scoping” of the exam was emphasized. Previous exam findings, the results of independent testing, the risk assessment and information obtained from the BSA reporting data bases are all to be used to develop an opinion about the breadth of the on-site examination. (Not exactly a change except for the importance of the risk assessment.)

• The appendices reflecting risk matrices in the back of the manual were stressed as an important tool in helping the bank reach defensible conclusions regarding its risk.

• It was noted that if the bank had not prepared a risk assessment or if the examiner did not feel the one offered was adequate, then the examiner would develop a risk assessment for the bank for the purpose of scoping the examination.

• The regulatory panelists noted that there was no established frequency for the review of the risk assessment and that “low” risk institutions might justify longer intervals. The standard time frames discussed ranged from one year to within each examination cycle.

• It was also noted that new products & services as well as mergers and acquisitions could trigger the need for a new risk assessment. In the M&A discussion there was an observation about incompatible systems that I thought was interesting; systems that cannot cross-talk were described as enhancing risk.

• The banker panel included bankers from three banks with asset sizes of 185 million, one billion and eighteen billion. The risk assessment methods varied from questioning employees to computer aided analysis of customer activity through dedicated AML software. Two of the three indicated they used a risk rating system of low, moderate and high and coded accounts as 1, 2 or 3. (There is no model coding system.) Unfortunately, most of the questions they were given to them by the moderator were not about their efforts, but technical compliance questions that should have gone to the regulators.

• A question was asked of the OFAC representative regarding a bank that had conducted a well documented and effective risk assessment that determined that it was at low risk of an OFAC violation. Specifically, could that bank reasonably omit checking the OFAC list for payees on cashiers checks sold and on-us checks cashed. The answer was a lengthy, but emphatic, “No.”

• A conclusion that a business is “high risk,” including MSBs, is one reached by the bank. The concepts set out in the MSB guidance, that there is no presumption that MSBs are high risk, is now applied to all businesses. It is up to the bank to evaluate its customers one at a time and draw conclusions.

• The ABA representative seemed to imply that even an unregistered MSB would not necessarily be classified as “high risk.” (?)

• Transaction testing is very much in vogue. That’s how examiners will determine if the program is in synch with the risk assessment. Transaction testing will not be random, but will be aimed at areas most likely to find problems.

• The information in the procedures regarding privately owned ATMs is not a reference to the convenience store that has an ATM in the back. It refers to relationships where the bank provides an account for the Independent Sales Organization (ISO). In a separate conversation, the FinCEN representative indicated that a convenience store’s ownership of an ATM which it serviced could be a factor in its risk assessment, but reiterated that the guidance was not focused on that circumstance.

• One presenter singled out the following paragraph from the examination procedures:

The decision to file a SAR is an inherently subjective judgment. Examiners should focus on whether the bank has an effective SAR-decision making process, not individual SAR decisions. Examiners may review individual SAR decisions as a means to test the effectiveness of the SAR Monitoring, reporting and decision making process. [Formatting on the following changed to reflect his points of emphasis, but the language is the same.]

In those instances where the bank:
*has an established SAR decision making process,
*has followed existing policies, procedures and processes and
*has determined not to file a SAR,
the bank should not be criticized for the failure to file a SAR unless the failure is significant or accompanied by evidence of bad faith.

I would like to editorialize on how the SAR filing issue reflects a much needed change in the perspective of at least one of the agencies, but I’ll save that for another thread.

I know that there is a separate thread about technical problems accessing today's web cast from NY. Did anyone actually attend the NY session or successfully view the web cast that would like to share any comments?

Due to a scheduling conflict, I was unable to attend the first 1.5 hours but did tune in at 10:30. I didn't find the last hour and a half particularly enlightening. Was the first 1.5 hours better?

I left a note in that other thread. We could see and hear the presenters at the webcast, but did not see the slides. If they were different from the overview deck at the FFIEC site, then, oh well.

Questions asked (as best I could make them out) at the New York presentation:

• SAR Filings:Do your colleagues at the Dept. of Justice share this new view of SAR review policies (ie, not punishing for failure to file). Answer:they take some comfort from the ruling that prosecutions of banks under BSA have to have top level approval.
  
• Re: section that states "OFAC compliance is based on the ability to catch misspellings (incl. fuzzy logic and natural language processing). Does this carry over to CDD and transaction monitoring as well? "Yes"
  
• Can SAR information be shared across legal entities within a holding company? "No. SAR information can be shared up, but not across."
  
• Qestion on frequency of background checks of key staff. No one addressed question.
  
• Question to explain rationale behind examples of high risk categories of loan products. Bridgette Spaniel of the Fed explained how that section was written, and how banking feedback had been incorporated.
  
• What is the best way to tell a customer (after a couple of SAR filings) that a customer's business is no longer welcome at the bank? Carefully. In very general business-line, risk management, industry sorts of terms, possibly have legal counsel draft the letter.
  
• Why was FinCEN involved in the assessment of fines against Arab Bank? Answer: they partner with the primary regulator at all times, and are involved, though not always publicly, in most letters, penalties and other enforcement actions.
  
• Given that the new manual just came out in June, given the time required to create new policies, train people, get board approval, etc. what it is the real reasonable expectation for using the new manual in exams? Answer, the new manual isn't really new. It's the aggregation of best and recommended practices that are already "out there".
  
• Small state bank question on being examined in alternate years (I didn't get the whole question)
  
• What level of cash transaction monitoring (under $10,000) is expected for small banks who do mostly 'manual' monitoring? A: about $7,000, given variable circumstances. Most systems will facilitate at least that level of monitoring.
  
• If you deny credit because of SARs filed, how do you respond to a request for information about why the credit was denied without disclosing the existence of the SAR? Carefully, and by couching the response in pure terms of business or creditworthiness.
  
• question of business formation vehicles. missed this question, and hope someone else can tell me what it was.
  
• Question about a SAR for a wire txn relating to internet fraud. The wire was going from a NY bank to a foreign bene bank, and a branch office received a 'help desk' sort of a call on the wire. If the NY bank files a SAR, does the branch need to file as well?(Note, I actually think the panel misunderstood the question. But, then I could have as well...) They seemed to be answering the question, "should the foreign bank file a SAR?" and their answer was "Are they subject to the BSA?"
  
• When will the 312 final rule be issued? It's closer to being issued than it has ever been.
  
• Will the Ombudsman program still be in effect? Yes.
  
• How will you ensure the training and consistency of all the examiners? ,,,
  
• Do all customers need to be risk rated? and how frequently? That's a risk-based decision for the bank.
  
• When will AML rules for investment advisers come out? Sometime soon.
  
• What regulations apply to a bank branch in a foreign country? Depends on if it's really a branch or not. If it's a branch both US and local regulatory requirements apply.
  
• "Our customers are almost entirely municipalities, and hence low risk. How do we convince examiners that we don't have any 'high-risk' customers?" Simply document your rationale, and assessment. (as the guy next said, Sure, they say that now. What will they say in real life.)
  
• When will the next revision of the examination manual come out? Don't know, but they are working on updates.
  

Corrections and amplifications gratefully accepted, these are just from the notes I took.

Yesterday’s Miami session, the last in the series, was described as the most well attended. The regulatory panel at the beginning was identical in content to the session I heard earlier. Clearly the four panelists were the “core” of the road show and telephone seminars. They did an excellent job of making certain that the central message received by all attendees was the same. (Bridget Neill from the Fed is a personal favorite in terms of her clarity and candor, but I particularly admired her ability to feign rapt attention while she was hearing another panelist’s BSA quiz and anecdotes for the umpteenth time. The other panelists did not show the same level of skill in that arena. )

William Langford and John Byrne were also on the dais. Both made critical comments, but neither had a major speaking role, so some major resources were not fully utilized. The regulatory Q & A session at the end was apparently similar to all its predecessors in that most of the questions focused on BSA in general, not on the revised examination procedures. It was also similar to its predecessors in the fact that many questions were submitted that did not receive a response due to time pressures.

Some things mentioned that were not emphasized previously in this thread were:

• OFAC is planning some outreach sessions of its own. Details will be publicized soon.
• The examination procedures were described as a “living document” and it was indicated they will be updated, revised and corrected as necessary. The industry was credited with providing the impetus for the homogenization of the exam process and attendees were encouraged to continue to comment on their content and application in the field.
• The bankers’ panel discussion regarding the risk assessment reflected significant emphasis on international banking issues. (The panelists slide presentations from all of the sessions are here.)
• The core procedures were described as explaining the fundamentals of BSA compliance, while the expanded procedures were described as focusing on flagging potential risks and describing risk mitigants.
• It was noted that a small, low risk community bank would probably not be exposed to anything but the core procedures.
• It was also noted that, the small, low risk community bank would not be devoting the same amount of resources to BSA compliance as a larger bank with more exposure to risk. In addition, examiners would not be devoting the same amount of resources to reviewing BSA compliance in the small, low risk bank.
• The risk assessment was noted as being a standard industry tool for bankers; “the risk assessment process is something you are already doing.” As foreign as the application of the term to BSA compliance might sound, it is a matter of taking a highly familiar practice and applying it to a different situation.
• It was stressed that risk assessment was a process, not a goal and that it would be an ongoing effort. The parties conducting the risk assessment today should consider those who would hold their positions in the future in designing and implementing the process in order to assure it reflected continuity.
• It was acknowledged that no system or process for preventing OFAC violations was infallible. As an example of increased cooperation between OFAC and the regulatory agencies, OFAC plans to consult with a bank’s primary federal regulatory agency before assessing any penalties against a bank for OFAC compliance violations. In essence, a favorable previous evaluation from the agency could mean OFAC would assess a lesser penalty against the bank.
• In terms of risk rating customers, it was noted that a consumer account opened with U.S. identification and expected to receive only routine deposits of payroll checks would pose low risk of being used for illegal activity. In that circumstance, only unexpected activity noted in routine monitoring would elevate the account’s risk level.
• Again, it was stated that the bank itself would have to design its own customer rating system. One banker panelist (small bank) mentioned that her bank only identified “high risk” customers. Another said low, moderate and high risk customers were identified at the CIF level with as 3, 6 or 9 respectively based on documentation and activity. She also indicated that, “If we rate you as a “10,” you’re gone.”
• One of the regulators noted that the proverbial low risk community bank could rely on customer monitoring via standard reports; dedicated monitoring software would not be necessary.
• SAR filing does not lend itself to a checklist. Examiners are instructed not to focus on “close call” SAR decisions, but instead they are to evaluate the SAR filing process.
• There was an interesting discussion about how much information regarding SAR filing should be communicated to contact personnel. Specifically, the question was not about frontline personnel, but about managers who might be dealing with a customer routinely, but might not realize that the bank had filed a SAR and was closely monitoring the customer’s activity. A FinCEN representative noted that there was no legal prohibition on making bank employees aware that a SAR had been filed. The rest of the discussion focused on the fact that it was desirable that bank employees be made aware of the bank’s concerns and that the monitoring would be more effective if employees were well informed. However, it was noted that the bank’s concerns and information regarding the customer’s activity could (and perhaps should) be communicated to employees without ever saying a SAR had been filed
• Asked if there were any known plans for the government to publish a list of PEPs, it was noted that when the section 312 regulations are published the PEP issue will be clarified, but there were no known plans for the government to publish a list.
• In regard to the possibility that the dollar threshold for filing CTRs might be reduced from its historic (if not prehistoric) $10,000 level, John Byrne noted that a bill has been introduce in the House that will generate an active debate on the issue and that a similar bill might be introduced in the Senate.

Thanks for the great report.

Very good information. Thank you!

Thanks, Ken, that's very helpful!

Ken/EGB - thanks so much for your synopsis. I attended the Chicago event last Friday & heard essentially the same information. A couple of points that weren't addressed in your summaries:

Bill Fox from FinCEN took a very active role in the Q&A session. In response to one question, he acknowledged that the exemption process is broken and he's looking for solutions. He also revealed (this was news to me) that the Detroit Computing Center "will go away very soon", and be replaced by electronic access. First priority is law enforcement - but the net result will be summary reporting similar to what the examiners receive (CTR / SAR counts) that we'll be able to tap into.

And Jamar El-Hindi from OFAC also highlighted the importance of checking cashier's check payees.