BSA UPDATE FOR SUPERVISORY COMMITTEE MEMBERS › resources › Documents › 2016Mahalak.pdf · Specific requirements of policy – BSA/AML risk assessment with periodic updates –

BSA UPDATE FOR SUPERVISORY

COMMITTEE MEMBERSPresented by:

Daniel J. Mahalak, CPA, CGMA

Dan is the President & Managing Partner of Cindrich, Mahalak & Co., P.C., a CPA firm specializing in working with credit unionsand their subsidiaries. He joined the firm in 1980 upon graduating from Eastern Michigan University and became apartner in 1988. He is a certified public accountant (CPA), a chartered global management accountant (CGMA), and amember of both the American Institute of Certified Public Accountants (AICPA) and the Michigan Association of CertifiedPublic Accountants (MICPA). Dan has spent his entire professional career with this firm.

Throughout his career Dan has worked in all phases of the practice. He is involved in all audit activities and works closely withthe staff in training and development. He is involved in audit planning and personally reviews all audit files and reportsas part of the firm’s quality control process. His extensive experience allows him to provide clients with unique insightsinto any problems, issues, or challenges they are facing.

Throughout his tenure, Dan has been responsible for hundreds of credit union audits, and worked in fraud/embezzlementinvestigations, including filing bond claims, working with authorities, and testifying in criminal proceedings. He also workswith credit unions in budgeting and forecasting, asset-liability management consulting, strategic planning, mergers andacquisitions, human resources consulting, regulatory consulting, and a variety of other consulting projects. He is afrequent speaker on topics related to the credit union industry on both a local and national level, and has written articlesfor several credit union publications.

Cindrich, Mahalak & Co., P.C. is one of the largest credit union auditing firms in the country. They currently audit credit unionsranging from less than $10 million to well over $2 billion in assets. They have concentrated their practice in credit unionsand their subsidiaries since their inception in 1971.

Daniel J. Mahalak, CPA,CGMA

2June 2016

■ History ■ Background■ Role of Government Agencies■ Compliance Culture■ Abbreviations & Acronyms■ Board of Director Duties Regarding BSA/AML■ BSA/AML Topics■ OFAC■ Penalties & Fines■ Questions

Agenda

June 2016 3

■ In 1970, Congress passed the Currency and Foreign Transactions Reporting Act (Bank Secrecy Act)

■ The Money Laundering Control Act of 1986

■ In 1992 Annunzio-Wylie Anti-Money Laundering Act

■ The Money Laundering Suppression Act of 1994

■ SAR developed in April 1996

■ The Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism Act of 2001(USA PATRIOT Act)

A Little History

June 2016 4

Background

■ The purpose is to help identify the source, volume, and movement of currency and other monetary instruments transported or transmitted into or out of the U.S. or deposited into financial institutions

■ And to aid in the investigation of money laundering, tax evasion, international terrorism, or other illegal activity

June 2016 5

Money Laundering

■ The criminal practice of processing dirty money through a series of transactions in order to clean the funds so they appear to be proceeds from legal activities

■ May not involve currency at every stage of the laundering process

■ Consider unusual electronic transactions, particularly wire transfers and ACH transactions

June 2016 6

■ U.S. Treasury– Requires financial institutions to

■ Establish AML programs■ File certain reports■ Keep records of transactions

– Also covers nonbank financial institutions■ Money services businesses■ Casinos■ Brokers/dealers in securities■ Futures commission merchants■ Mutual funds■ Insurance companies■ Operators of credit card systems

Role of Government Agencies

June 2016 7

■ FinCEN– Delegated administrator of BSA– Issues regulations and interpretative guidance– Provides outreach to regulated industries– Supports examination functions– Pursues civil enforcement actions– Provides investigative case support to law

enforcement– Identifies and communicates financial crime

trends and patterns– Fosters international cooperation worldwide


June 2016 8

FinCEN Guidance

■ FinCEN issued an advisory to highlight how financial institutions and their leadership can improve and strengthen compliance with BSA obligations– It begins with an organization wide compliance

culture

June 2016 9

Elements of Compliance Culture■ Leadership actively supports and understands compliance

efforts

■ Efforts to manage and mitigate BSA/AML deficiencies are not compromised by revenue interests

■ Relevant information from all departments within the organization is shared with compliance staff to further BSA/AML efforts

June 2016 10

Elements of Compliance Culture■ Adequate resources are devoted to the compliance function

of the organization

■ Compliance program is tested by an independent and competent third party

■ Leadership and staff understand the purpose of its BSA/AML efforts and how the reporting is used

June 2016 11

■ Federal Banking Agencies– Chartering (NCUA & OCC)– Insuring (NCUA & FDIC)– Regulating and supervising– Responsible for oversight of banking entities– Required to review BSA compliance at

examinations


June 2016 12

■ Establish and maintain a BSA compliance program

■ AML compliance program that guards against money laundering and terrorist financing

■ Management needs to be vigilant to ensure BSA/AML compliance

■ Policies, procedures, and processes to identify and report suspicious transactions to law enforcement

What is Required

June 2016 13

■ OFAC– Administers and enforces economic and trade sanctions– Based on US foreign policy and national security goals– Against targeted foreign countries, terrorists,

international narcotics traffickers, and those engaged in activities related to weapons of mass destruction

– Acts under the President’s wartime and national emergency powers to impose controls on transactions and freeze assets under US jurisdiction


June 2016 14

■ CCACU\2015\FFIEC-BSA Aconyms.pdf

BSA Abbreviations & Acronyms

June 2016 15

■ Appoint a BSA Compliance Officer

■ Review and approve Risk Assessments on an annual basis– Institution wide BSA/AML– Member BSA/AML– CIP/MIP– OFAC

Board of Director Duties

June 2016 16

■ Approve BSA Policy Annually

■ Acknowledge filing of SARs on a monthly basis

■ Receive annual training

■ Be aware of all other related compliance issues

Board of Directors Duties (continued)

June 2016 17

■ Designed to aid the federal government in detecting illegal activity by tracking certain cash-based transactions

■ Establishes specific record keeping and reporting requirements

■ Defines compliance requirements and standards

■ Imposes civil and criminal penalties for non-compliance. Can result in criminal proceedings against credit union and employee

BSA/AML Compliance

June 2016 18

■ Specific requirements of policy– BSA/AML risk assessment with periodic

updates– How to keep up with periodic updates to

regulatory requirements– Dual controls over filing and processing of

SARs, CTRs, and CTREs– Establish annual training program– When independent reviews of BSA compliance

will be completed (every 12 to 18 months)– Record retention requirement (5 years)

BSA/AML Compliance(continued)

June 2016 19

■ Enable CU to form reasonable belief that it knows true identity of member

■ Must include account procedures that specify the identifying information obtained

■ Include reasonable and practical risk-based procedures for verifying identity of member

■ Compare identity to government lists

Member Identification Program

June 2016 20

■ Risk assessment should include– Types of accounts offered– Methods for opening accounts– Types of identifying information available– Credit union size– Locations– Membership base– CIP training

Member Identification Program(continued)

June 2016 21

■ The cornerstone of a strong BSA/AML compliance program is comprehensive CDD policies, procedures, and processes for all members, particularly those that present a higher risk for money laundering and terrorist financing

■ The objective is to predict with relative certainty the types of transactions a member is likely to engage in

Member Due Diligence

June 2016 22

■ Policies, procedures, and processes can aid in– Detecting and reporting unusual or suspicious

transactions– Avoid criminal exposure from persons who use

or attempt to use CU products and services for elicit purposes

– Adhering to safe and sound practices

Member Due Diligence(continued)

June 2016 23

■ Should include guidelines that:– Are commensurate with the CU’s risk profile– Contain a clear statement of management’s overall

expectations and specific staff responsibilities– Ensure CU has enough information to implement

an effective suspicious monitoring system– Provide guidance for documenting analysis

associated with due diligence process– Ensure CU maintains current member information

Member Due Diligence(continued)

June 2016 24

■ SAR reporting forms the cornerstone of the BSA reporting system.

■ There should be procedures in place to ensure that suspicious financial transactions are reported on a SAR to FinCEN.

■ Key components– Identification or alert of unusual activity– Managing alerts– SAR decision making– SAR completion and filing– Monitoring and SAR filing on continuing activity

Suspicious Activity Reporting

June 2016 25

■ SARs required for– Criminal violations involving insider abuse in

any amount– Criminal violations aggregating $5,000 or

more when suspect can be identified– Criminal violations aggregating $25,000 or

more regardless of a potential suspect

Suspicious Activity Reporting(continued)

June 2016 26

■ SARs required for

– Transactions conducted or attempted, aggregating $5,000 or more, if it is suspected that■ Involvement in potential money laundering or other

illegal activity

■ Designed to evade BSA or its implementing regulations

■ Has no business purpose or is not the type of transaction the member would normally engage in, and there is no reasonable explanation

■ SARs required to be electronically filed within 30 days

– If no identified suspect, extended to 60 days

Suspicious Activity Reporting(continued)

June 2016 27

■ Whenever a non-exempt member deposits or withdraws currency in excess of $10,000 the credit union will submit a CTR, FinCEN Form 104, electronically by the 15th day following the date of the transaction

■ Multiple currency transactions totaling more than $10,000 are treated as one (aggregated)

Currency Transaction Reporting

June 2016 28

■ The CU may exempt a member from CTR reporting if certain criteria are met. No CTR will be filed for a transaction involving an exempt person acting within the scope of his/her/its exemption. The CU must exercise due diligence in ascertaining whether any member that requests an exemption is eligible.

■ The CU may elect not to grant CTREs. If so, the BSA/AML Policy should so state.

Currency Transaction Reporting Exemptions

June 2016 29

■ Phase I CTR exemptions– Financial institution (domestic operations)– Federal, state, or local government agency or

department– Any entity exercising governmental authority

within the US– Any entity whose common stock are listed on

NYSE, ASE, or NASDAQ– Any subsidiary of any “listed entity” at least

51% owned by listed entity

Currency Transaction Reporting Exemptions (continued)

June 2016 30

■ Phase II CTR exemptions– Entity has maintained transaction account at

CU for at least 2 months– Frequently engages in currency transactions in

excess of $10,000– Is incorporated or organized under US or State

law– Payroll customer


June 2016 31

■ Ineligible for exemption

– Serving as a financial institution or agent of one– Purchasing or selling motor vehicles, vessels, aircraft,

farm equipment, or mobile homes– Practicing law, accounting, or medicine– Auctioning of goods– Chartering or operation of ships, buses, or aircraft– Operating a pawn brokerage– Engaging in gaming– Engaging in investment advisory or investment banking

services


June 2016 32

■ Ineligible for exemption– Operating a real estate brokerage– Operating in title insurance activities and real

estate closings– Engaging in trade union activities– Engaging in any other activity specified by

FinCEN (marijuana-related businesses)


June 2016 33

■ Must file Designation of Exempt Person (DOEP) one time within 30 days of transaction wishing to exempt

■ Review information at least once per year and document that review


June 2016 34

■ The Patriot Act requires CU to provide information about specific accounts or transactions in response to requests from FinCEN

■ Search for– Current accounts– Accounts maintained in preceding 12 months– Transactions conducted outside of or on behalf

of account in preceding 6 months– Must search within 14 days– Requests generally every 2 weeks

Information Sharing – 314(a)

June 2016 35

■ Report to FinCEN if a match

■ No negative reporting

■ Cannot disclose request to any person, other than FinCEN, the regulator, or law enforcement agency on whose behalf FinCEN has requested

■ Must maintain adequate procedures to protect security and confidentiality of request

■ Maintain documentation of search

Information Sharing – 314(a)(continued)

June 2016 36

■ Encouraged to share with other financial institutions and associations of them

■ Protected from civil liability

■ Must notify FinCEN if going to participate– Effective for one year– Designate point of contact– Be sure other FI also has submitted required

notice– Maintain security and confidentiality of

information

Information Sharing – 314(b))

June 2016 37

■ Can only use info to – identify and report on money laundering and

terrorist activities– Determine whether to establish an account– Assist in BSA compliance– Can be used to determine whether to file a SAR– SAR info cannot be shared

Information Sharing – 314(b))

(continued)

June 2016 38

■ If CU purchases and/or sells monetary instruments, they are to track and record information when the currency portion of transaction or aggregation of transactions is between $3,000 and $10,000, inclusive.

– Monetary instruments are travelers checks, cashiers checks, money orders, bonds, etc.

■ Specific requirements– Must document name and account number, date,

type of instrument, serial numbers of instruments, and dollar amount of transaction

Purchase and Sale of Monetary Instruments

June 2016 39

■ Specific requirements– If non-member involved, must also include

address, social security number or alien ID number, date of birth, and date of purchase.

– If CU does not allow non-member transactions, policy should so state.

– A log should be maintained by each office unless reporting is centralized.

– BSA Compliance Officer should review logs monthly.

Purchase and Sale of Monetary Instruments (continued)

June 2016 40

■ Credit unions are required to comply with the recordkeeping requirements issued by the U.S. Treasury and the Board of Governors of the Federal Reserve System. This requires collection and retention of certain information for transactions of $3,000 or more.

■ Specific requirements– Dual controls over incoming and outgoing wires– OFAC verifications on all non-members, financial

institutions, and foreign countries– Logs should be kept and reviewed of wire activity

Funds (Wire) Transfers

June 2016 41

■ If originator, must obtain and retain– Name and address– Amount– Date– Payment instructions– Beneficiary’s institution– Name and address of beneficiary– Account number of beneficiary– Any other specific identifier of beneficiary

Funds (Wire) Transfers (continued)

June 2016 42

■ Applies to all financial institutions

■ Specific requirements– All new accounts should be scanned prior to

establishing the account– All current member accounts should be

scanned regularly – OFAC lists

■ SDN-Specially Designated Nationals■ Consolidated Non-SDN

– Software generally used for scans

Office of Foreign Assets Control

June 2016 43

■ Specific requirements– Any matches are not permitted to engage in

financial transactions in the U.S.– Sometimes there are false positives, which can

be resolved by calling OFAC Hotline.– Obligated to block or freeze funds if matches

and report to OFAC within 10 business days– Blocked account should be segregated into an

interest bearing account until delisted, rescinded or released by OFAC.

Office of Foreign Assets Control(continued)

June 2016 44

■ Specific requirements– In some cases there is no blockable interest in

transaction; if so it should be rejected.– All blocked transactions or property must be

reported within 10 business days and annually to OFAC (by Sep 30 as of Jun 30).

– Full and accurate records of each rejected transaction must be retained for 5 years

– Records of blocked property must be retained while blocked and five years after unblocked


June 2016 45

■ Specific requirements– Credit unions should maintain an effective,

written OFAC program commensurate with risk profile

– This will help identify high risk areas, provide for appropriate internal controls, establish independent testing for compliance, designate an employee to be responsible, create a training program for employees and board of directors


June 2016 46

■ Specific requirements– Risk assessment

■ Should be completed annually, reviewed and approved by Board

■ Should address all areas in which OFAC compliance is needed and how it is to be implemented

■ Once high risk areas are identified, appropriate policies, procedures and processes should be developed to address the risks


June 2016 47

■ Specific requirements– Internal controls

■ If OFAC scan is after account is opened, procedures should be in place to prevent transactions until after it occurs

■ Account should be frozen until scanned■ Assign responsibility to update OFAC information and

how■ All parties to an ACH transaction are subject to OFAC

– For domestic ACH transactions, ODFI is responsible for verifying originator

– RDFI is responsible for verifying receiver– ODFIs are not responsible for unbatching; if they

do, they become responsible as though it had batched them originally

– All non-members need to be checked on IATs


June 2016 48

■ Specific requirements– Independent testing

■ Required to have independent test of their program

■ Should be conducted by someone qualified and independent of the BSA and OFAC programs

– Responsible individual■ Should assign qualified individual to be

responsible for day-to-day compliance– Training

■ All employees and board of directors required to be trained annually


June 2016 49

■ Specific requirements– Items requiring OFAC verification

■ On-us checks cashed for non-members■ Sales of stamps, amusement park tickets,

etc. to non-members■ Credit card cash advances to non-members■ Wire transfers for non-members■ Loans with non-member as co-signer or

owner of collateral■ ACH


June 2016 50

■ Specific requirements– Items requiring OFAC verification

■ Payees of corporate drafts or money orders issued to non-members

■ New employees■ New members■ Joint owners■ Beneficiaries■ Powers of attorney■ Any non-member the CU does business with


June 2016 51

■ Money laundering– 20 years in prison– Up to $500,000 fine– Property involved subject to forfeiture– Banks/CUs can lose charters– Employees can be removed/barred

Penalties & Fines

June 2016 52

■ Willful violations of BSA

– Fine up to $250,000– 5 years in prison– Or both

■ For pattern of criminal activity

– Fine up to $500,000– 10 years in prison– Or both

■ Institution violations

– Up to $1 million– Or twice value of transaction

■ Plus civil penalties

Penalties & Fines

June 2016 53

■ Significant BSA violations

■ November 25, 2014

■ North Dade Community Development FCU

■ $300,000 civil money penalty

■ $4 million in assets

■ 5 employees

■ Provided services to 56 MSBs outside of its FOM – Central America, Middle East, Mexico

■ Accounted for 90% of CU revenue

– Over $1 billion in outgoing wires– $984 million in remotely captured deposits

Credit Union Fines

June 2016 54

June 2016 55

Daniel J. Mahalak, CPA, CGMAPresident & Managing Partner

[email protected]

My Contact Information…..

586.296.1155 ext 231877.998.CMCO Toll Free586.296.5325 Fax

31215 Jefferson Avenue, St. Clair Shores, MI 48082

www.cm-co.com [email protected]

June 2016 56