ABA Money Laundering Enforcement Conference -- Days 2 & 3 by Ken Golliher Principal, Pegasus Educational Services, LLC
Day two of the largest MLEC in history began with a general session, "Keeping Customers and Complying with the USA PATRIOT Act: Understanding Your Customer's AML Obligations." The session focused on how to deal with bank customers such as pawnbrokers, jewelers and insurance companies -- all examples of customers who have BSA-related compliance responsibilities of their own.
William Langford, Jr. from FinCEN noted that it was critical that bankers understand their customers' regulatory obligations. However, he then noted the importance of avoiding a situation similar to the circumstance where many banks refused to open or retain accounts for Money Service Businesses (MSBs). He said, "Merely because an industry is described as vulnerable to money laundering, there is no intention to send banks a message not to deal with them." He encouraged banks to utilize the tools they use every day in the operation of their business, their skills in assessing and mitigating risks, to find ways to make their services available to other businesses with BSA compliance responsibilities.
Noting that many bankers' perceptions of pawnbrokers might be based wholly on their depiction in the television serial "Law & Order," Sarah Jane Hughes of Indiana University explained that pawnbrokers per se are not MSBs: "They do not have an MSB's specific legal responsibilities, nor do they share their business profile." She said, "The average pawn loan in the U.S. is $60 and the proceeds are generally paid in cash - the opposite of what the money launderer wants." Ms. Hughes is the author of an article that appeared in the March/April issue of the ABA Bank Compliance magazine, "Banks Should Keep Pawnbrokers as Commercial Loan Customers." Additional information on pawnbrokers can be found at http://www.nationalpawnbrokers.org/
Stressing the diversity found in the jewelry industry, Cecilia L. Gardner of the Jewelers Vigilance Committee distinguished between wholesalers and suppliers and observed that retailers run the gamut from large chain stores and publicly traded companies to small "Mom and Pop" organizations. She observed that, although jewelers may be "financial institutions" according to the law, their operations do not reflect that label and the business models they operate under vary greatly among them.
Gardner encouraged banks not to assume that their own BSA requirements were applicable to jewelers. While the AML program required for jewelers incorporates the same structural elements required for banks (e.g., an individual responsible for compliance, a risk assessment, etc.), there are significant differences. She indicated that her organization has developed a "JVC Compliance Kit" and that bankers should refer jewelers to http://www.jvclegal.org for additional information on developing their compliance programs.
Monday's second and third general sessions focused on banks' BSA/AML risk assessment. Part 1 was on "Assessing Risk" and part 2, the afternoon session, focused on a "Blueprint for Managing the Risk."
The "risk assessment" is widely perceived as the linchpin of the recently-revised BSA/AML Examination Procedures. That 330-page document mentions the "risk assessment" no less than 143 times. The bank's written risk assessment is expected to serve as the foundation for its BSA/AML compliance program. Examiners will request copies as a prelude to on-site examinations.
Regulators repeatedly say the idea of a risk assessment isn't "new"; banks have always been expected to do a BSA/AML risk assessment. However, they do acknowledge that the emphasis the new procedures place on the effort, coupled with the clear expectation that it be "in writing," is new. Clearly many banks are struggling to establish a methodology for conducting the risk assessment and then documenting their analysis (in devoting two consecutive general sessions to the subject, the conference planners are clearly aware of the bankers' desire for assistance). The risk assessment is to focus on the individual bank's products, services, geography and customers.
John Atkinson from the Federal Reserve Bank of Atlanta began the session with a discussion of the need for holding companies to conduct an "enterprise wide" risk assessment. He noted that holding companies should assess the BSA/AML risks posed by all of their products, services, customers and geographies, not just those connected to their banks. As most of the following speakers would do, he referred attendees to Appendix J of the examination procedures as a template for organizing their efforts and their results. He indicated that holding companies should begin with a depiction of their organizational structure -- a simple list of the legal entities and a chart showing their relationships. The end result would be a uniform evaluation of the entire enterprise.
Cautioning that the risk assessment "is not a product and it's not a report; it's a process," Lisa Arquette from the FDIC stressed that it is not a one-time effort. She noted that the addition of new services and products would obviously require revisions, but that banks should be aware of changes in their customer demographics as well.
As an example, she noted that a growing contingent of "ITIN customers" (nonresident aliens) could have a significant effect on a bank's risk assessment. Funds would be originating from and be transferred to different locations than the bank had seen historically. The bank's remittances for customers and non-customers might increase significantly in response to the new clientele. In the same circumstance, it might also be necessary to revise the bank's customer identification program (CIP) to include differing types of identification.
Using an example taken from the front page, she talked about the effect that evacuees from the recent Gulf Coast hurricanes could have if they moved into a bank's market area. In particular, she discussed the potential need for modification of the bank's CIP, "You want to be humane, but you want to be certain you know whom you are dealing with." Again, she noted that a significant shift in the bank's customer base should trigger a reassessment.
Noting that the risk assessment has never been more important, John Wagner of the Office of the Comptroller of the Currency also mentioned that there is "No one size fits all" methodology for conducting or documenting the risk assessment. He did indicate that it was essential that banks identify their "high risk" customers as a prelude to the risk assessment (there is no longer a tacit regulatory understanding that certain businesses are automatically "high risk"; banks are directly responsible for identifying their own high risk customers).
Wagner noted that the assessment process requires banks to identify and measure risk. He also noted that the existence of risk is not necessarily a concern; the issue is whether the risks are identified and how they are managed. He explained that banks should look at the four areas to be included in the risk assessment and then "drill" down to identify the risk in each. He emphasized that "the value of the risk assessment is in its impact on the compliance program."
Robert Curry of Fifth Third Bank presented a synopsis of his bank's risk assessment methodology, breaking it down into two major components:
- enterprise self assessment and
- line of business (LOB) self assessment.
The bank's LOB self assessment resulted in a surveillance risk assessment, a 600-page document describing the bank's methodologies for monitoring customer activity. Curry described several aspects of his bank's analysis, including issues regarding "inherent risk" (e.g., SAR volume, 314(a) and (b) referrals, subpoena volume, etc.). He also discussed a method for analyzing the effectiveness of the bank's employee "alerts" vs. its SAR filing, a concept he described as the "SAR precision rate."
The final session on day two offered attendees a choice between four breakout sessions. The session on "AML Compliance Assessment and Auditing" was popular.
John Atkinson from the Federal Reserve Bank of Atlanta kicked off the session with a discussion of regulatory expectations regarding the program requirement for an independent BSA examination. He explained that "independence" generally focuses on the expectation that the independent examiner 1) has no connection to the design or operation of the BSA compliance program and 2) reports directly to the board of directors. He noted the general expectation that the independent examination would be conducted annually. However, he also mentioned that in a large, sophisticated operation, the audit might be conducted continuously, moving from one BSA compliance responsibility to another.
He listed common deficiencies in BSA audits as including:
- lack of independence,
- lack of qualifications,
- limited transaction testing,
- compliance focus rather than risk management focus, and
- insufficient conclusions.
On the latter point, he noted that the report should explain and characterize the seriousness of the exceptions noted, not just enumerate them.
Addressing another BSA/AML program requirement, monitoring, Michael D. Kelsey from PNC Bank distinguished monitoring from auditing. He noted that, "Monitoring enables AML compliance and management to understand emerging risks and weaknesses in an AML program before they become audit issues." He gave several examples of where monitoring could be critical to the quality of BSA compliance and noted that issues recognized through monitoring efforts could be handled differently than issues recognized in audits or regulatory examinations. He encouraged banks to make monitoring risk based, not to spend scarce resources on low risk portions of their operations.
Tuesday, November 2
The final day of the conference began with "side by side" general sessions on the new BSA/AML examination procedures. The sessions were divided depending on whether the bank's assets were more or less than $5 billion.
The new BSA/AML examination procedures were the subject of a nationwide "rollout," an unprecedented effort by FinCEN, OFAC and the functional bank regulatory agencies to assist bankers in anticipating and preparing for the revised processes. Reportedly, more than 20,000 bankers participated in the three nationwide telephone seminars and the five "live" meetings held in major U.S. cities. (A recording of the "live" meeting held in New York http://www.visualwebcaster.com/FFIEC/30018/_reg.html is still available for viewing.) Banks that participated in the telephone seminars, attended the public programs, or watched the video of the New York program should note that in their BSA training files.
Bridget M. Spaniel of the Federal Reserve in Washington was the first presenter in the "smaller" bank session. She gave some insight into the process the regulatory agencies went through and noted that, for the first time, FinCEN and OFAC had been active participants in developing BSA examination procedures for the agencies to follow. She indicated that, from her perspective, the only two aspects of the examination procedures that were actually "new" were the concept of an "enterprise wide" risk management program being advocated at the holding company level and the fact that the OFAC examination procedures had been homogenized among the agencies (previously, each agency had its own OFAC-related procedures).
Joanne Haakinson from the Office of Thrift Supervision indicated the primary goals in implementing the new examination procedures were to ensure that supervised institutions establish and maintain compliance programs; establish consistency in the review of those programs; and to minimize the regulatory burden. She indicated that, "Generally, examinations under the new procedures are going very well," and added that the risk assessment, although more heavily emphasized under the new processes, was not really "new."
Describing the new examination procedures as a valuable tool for bankers as well as examiners, Kevin Hutchison of the FDIC encouraged bankers to specifically review the new procedures regarding references to risk assessment, due diligence and transaction testing. He emphasized that, "The FDIC will expect some form of a documented risk assessment from its supervised institutions." He added that risk assessment in general was a process, not a goal - it would be an ongoing effort for any bank.
In the area of monitoring, Hutchinson pointed out that it would be very difficult to recognize unusual customer activity if a bank did not maintain a profile of the customer's routine activity. He also noted that every FDIC examination incorporating a review of BSA/AML compliance programs will include transaction testing.
For bankers anticipating their next on-site examination, John Wagner from the Comptroller of the Currency had some practical suggestions that were not wholly dependent on the new examination procedures:
- Review their prior examination to ensure that all deficiencies had been remedied and all commitments had been met. Failure to do so could affect the bank's credibility and expose it to liability for repeat violations.
- Go over their risk assessment again to ensure accuracy and documentation of findings. He said there was no need for a "highfalutin" process in smaller institutions, just basic analysis.
- Analyze their SAR-related monitoring processes, auditing them for their overall effectiveness in identifying suspicious transactions.
- Review their most recent independent examination knowing that bank examiners will leverage the audit, using it as the starting point for their own examination.
Presenting the view from the other end of the microscope was Don Ledet of Iberia Bank. Ledet's bank had recently been examined under the new procedures and he offered several observations:
- The request for information received prior to the examination was daunting. There was a clear expectation that the bank would have the ability to identify customers by type; e.g. attorneys, brokers, etc.
- Examiners expected the bank to be able to review a written risk analysis prepared by the bank as a part of their efforts to scope the examination prior to their arrival at the bank.
- Examiners came very well prepared; it was abundantly clear that they had gone through the information provided by the bank in great detail.
- SARs were reviewed in detail, with more attention paid to written narratives than in prior examinations. There was more emphasis on telling the bank how the SAR should be written; e.g. the narrative should focus on explaining the suspicious rather than the routine.
Ledet also offered the observation that it would be impossible for any bank to tell exactly how much of the variation in its next examination compared to the last comes from the new procedures as opposed to changes in the examination staff: "Examiners are not robots."
The final agenda includes detailed information on the schedule as well as biographical information on the presenters. Recordings of individual sessions can be purchased through IntelliQuest Media. Next year's MLEC will be held October 8-10 at the Marriott Wardman Park Hotel in Washington, D.C.
First published on BankersOnline.com 11/7/05