As President of Associated Risk Group, Ryan is responsible for corporate administration and the management of sales, marketing and business development. ARG is an affiliate of Associated Banc-Corp ($22 billion bank holding company) that provides compliance consulting to small and mid size financial institutions. Prior to joining ARG, Ryan was employed with the U.S. Secret Service and lived in the Washington DC metropolitan area. His banking career started at E*TRADE Bank where he assumed the role of Bank Secrecy Act and Anti-Money Laundering Officer. In 2003, Ryan was employed at Associated Banc-Corp in Green Bay Wisconsin as Vice President, BSA/AML Director. In that capacity, he was responsible for the bank's Anti-Money Laundering, Bank Secrecy Act and OFAC compliance programs. He conducted several training programs throughout the year specializing in CIP, Identity Theft, Risk Assessment, Detecting and Reporting Suspicious Activity.
Ryan is currently a board member of the ABA National Compliance School and actively participates in the ABA Money Laundering Issues Group. He was a speaker at the 2004 ABA Regulatory Compliance Conference in Chicago, frequently conducts web seminars for Money Laundering Alert and also a member of ACAMS.
We have been notified by VISA Fraud that 23 of our customers debit cards may have been compromised. We have notified each affected customers. To date we have not identified any loss. Do we need to: 1) file a SAR?, 2) notify law enforcement? or 3) notify the FDIC?
Our bank operates an insurance agency. Do we have to check these clients against the OFAC list? We merely write policies and forward premium checks on to the larger insurance providers.
I understand a SAR is required when there are violations aggregating $5,000 or more and a suspect can be identified. What constitutes suspect identification? If the customer thinks but is not sure someone committed the fraud would that be considered suspect identification? What about family fraud situations where a customer thinks their son/daughter used the credit card without authorization?
Can you provide some guidance regarding CTR Exempt Account Reviews? What is the time period expected to be covered for the annual and biennial review (i.e. 6, 9, 12 months) for suspicious activity and what supporting documentation is expected to be in the file (i.e., copies of monthly statements, deposit detail -cash in, checks, checks reviewed to determine if unusual for the business)?
Is the bank required to have 2 forms of identification to open an account? Our Compliance Officer says it is the legal requirement of the Patriot Act, however I cannot find where it is required, only recommended.
Do we need to have an actual risk assessment for CIP and if so, where can I find a sample to be used for guidance?
Per the BSA, an MSB does not include a bank, nor shall it include a person registered with, and regulated by the SEC or the Commodity Futures Trading Commission. Does this mean that I do not have to perform any enhanced due diligence on an MSB that is a 34 Act company? By enhanced due diligence, I mean determining whether the business has procedures to comply with applicable BSA requirements, whether the company has proper controls to monitor for suspicious activity and whether the company has procedures to ensure compliance with OFAC regulations
Automatic Rollovers and IRAs - CIP implications. There's a footnote on page 5 of the guidance issued under IRS Notice 2005-5 regarding automatic rollovers. CIP compliance on the IRA seems not to be immediately required at establishment when it is an automatic rollover, and says that institution will not be required to implement its CIP until the former employee first contacts such institution to assert ownership or exercise control over the account. Industry wide - any guidelines on what to do if the "account owner" never asserts ownership or whether within a certain timeframe after account establishment you become responsible to find them to secure CIP requirements? (I don't exactly trust the footnote) I envision accounts established for "lost participants" who I will be hard pressed to fulfill my CIP requirements.
What are the compliant steps to prove a suspicious account for check kiting?
If a customer manipulates his SSN/TIN in an effort to hide a record on ChexSystems, does a SAR need to be filed? Would it matter if the SSN/TIN was corrected and the account kept?