© 2012 KPMG LLP, a Delaware limited liability partnership and the U.S. member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative (“KPMG International”), a Swiss entity. All rights reserved. 25924NSS
November 27, 2012
Anti-Money Laundering Internal Controls: Know Your Customer & Suspicious Activity Reporting
Institute of International Bankers & Conference of State Bank Supervisors
Key Controls in a BSA/AML Program
Primary Goals of an AML Program:
• Understand who you are (or might be) doing business with so you can prevent bad actors from gaining access to the financial system; and
• Accepting that some will get through, being able to spot those who do so you can alert law enforcement and give them the opportunity to take action.
Key Sections of the USA PATRIOT Act
Section 352: Anti-Money Laundering Programs
Requires financial institutions to establish anti-money laundering programs which, at a minimum, must include: the development of internal policies, procedures, and controls; designation of a compliance officer; an ongoing employee training program; and an independent audit function to test programs.
Section 326: Verification of Identification
Prescribes regulations establishing minimum standards for financial institutions and their customers regarding the identity of a customer that shall apply with the opening of an account at the financial institution, i.e. the Customer Identification Program requirements.
Section 312: Special Due Diligence for Correspondent Accounts & Private Banking Accounts
Imposes due diligence and enhanced due diligence requirements on U.S. financial institutions that maintain correspondent accounts for foreign financial institutions or private banking accounts for non-U.S. persons.
Section 352: AML Compliance Programs
Pillar 1: Internal Controls
Comprehensive plan and set of internal controls, including, for example:
1. Documented policies and procedures – including board approved policy
2. Established governance and accountability
3. Documented AML/OFAC risk assessment
4. Risk-based customer due diligence
5. Sufficient controls and monitoring systems for timely detection and reporting of suspicious activity
6. Regulatory reporting
7. Record retention requirements
8. Management reports
Key Program Elements – Risk-based Approach
Prevention, Detection, and Reporting
Prevention
• Implementation of Customer Identification Program
• Execution of CDD and EDD requirements
Detection
• Front Office employees knowing their customers & understanding expected transactional activity
• Employees staying alert to possible suspicious activity
• Back Office employees monitoring and reporting unusual transactions to the Compliance Officer
Reporting
• Conducting due diligence/investigations
• Reporting of potentially suspicious activity to FinCEN
• Updating customer’s profile, if warranted
Customer Identification Program (CIP)
• Written
• Part of the overall AML compliance and KYC program
• Approved by senior management or a committee thereof (part of board approved policy)
CIP requires you to:
– Identify and verify identity of customer for all new accounts
– Notify customer of process
– Keep records of identification information
– Consult government lists
At a minimum, you must obtain:
– Name
– Address
– Date of birth (for individuals only)
– SSN or TIN for U.S. persons, or other Government-issued Identification Number or equivalent for non-U.S. persons
CIP Applies to “Customers”
The CIP rule applies to a “customer.”
• A customer is a “person” (an individual, a corporation, partnership, a trust, an estate, or any other entity recognized as a legal person) who opens a new account, an individual who opens a new account for another individual who lacks legal capacity, and an individual who opens a new account for an entity that is not a legal person (e.g., a civic club).
A customer does not include:
• A person who does not receive banking services, such as a person whose loan application is denied.
• An existing customer as long as the bank has a reasonable belief that it knows the customer’s true identity.
• Excluded from the definition of customer are financial institutions regulated by a federal functional regulator*, banks regulated by a state bank regulator, governmental entities, and publicly traded companies (as described in 31 CFR 1020.315(b)).
* Federal functional regulator means: Board of Governors of the Federal Reserve System; Federal Deposit Insurance Corporation; National Credit Union Administration; Office of the Comptroller of the Currency.
CIP Applies to Customers who Open Accounts:
An account does not include:
• Products or services for which a formal banking relationship is not established with a person, such as check cashing, funds transfer, or the sale of a check or money order.
• Any account that the bank acquires. This may include single or multiple accounts as a result of a purchase of assets, acquisition, merger, or assumption of liabilities.
• Accounts opened to participate in an employee benefit plan established under the Employee Retirement Income Security Act of 1974.
Customer Due Diligence (CDD) / Know Your Customer (KYC)
A primary objective of CDD is to enable the financial institution to understand the customer and the risks associated with the customer:
– What are basic attributes of the customer that may set preliminary risk standards for the collection of information
– What do you learn from collecting that information that may elevate or mitigate risk
CDD policies, procedures, and process are critical to the bank because they can aid in:
– Understanding what activity or type of activity the customer is likely to engage in
– Detecting deviations from normal and expected activity for the purpose of reporting unusual or suspicious transactions that potentially expose the bank to financial loss, increased expenses, or reputational risk
– Avoiding criminal exposure from persons who use or attempt to use the bank’s products and services for illicit purposes
– Adhering to safe and sound banking practices
Customer Due Diligence (CDD) / Know Your Customer (KYC) (Cont’d)
CDD/ KYC is conducted to enable you to form a reasonable belief that you know and understand:
• Who your customer is;
• What your customer does (business activities);
• What your customer can be expected to do through your institution;
• What risks are associated with your customer;
• Whether activities are legitimate
Supporting documentation will be gathered
NB – There is no exception for affiliates!
Customer Due Diligence (CDD) aka Know Your Customer (KYC) (Cont’d)
Processes are risk based
Will generally begin with a preliminary risk assessment of the customer, assessing factors indicative of risk:
Factors may include:
– Whether the customer is publicly traded or privately held
– If privately held, whether beneficial owners present increased risk (e.g. Politically Exposed Persons)
– Where the customer is registered or has its principal place of business
– Whether the client is in a high risk industry
– Whether the client is engaged in high risk transactions/using high risk products
Customer Due Diligence (CDD) / Enhanced Due Diligence (EDD)
Information, in addition to CIP, should be collected from customers to assist in determining if the risk level should be elevated and Enhanced Due Diligence (EDD) collected.
Customer Information Data Element Examples
Basic Information (all risk levels)
• Purpose of the account
• Domicile (where the business is organized)
• Primary place of business
• Description of the customer’s primary trade area and whether international transactions are expected to be routine
• Description of the business operations
• Negative news and other list searches on the client, e.g. PEP screening
If not publicly traded
• Individuals with ownership or control over the account, such as beneficial owners, principals, guarantors, trustees
• Negative news and other list searches on the related parties (UBOs, etc.)
When risk is elevated, either based on due diligence, enhanced due diligence must be performed
Enhanced Due Diligence (EDD)
A more comprehensive form of KYC
For those customers where there may be increased risk associated with the account
Increased risk may include:
– High-risk geographies
– High-risk type of persons or entities
– High-risk products or services
Accounts for which EDD should be conducted include:
– High-risk foreign correspondent banks, pursuant to Section 312 of the USA PATRIOT Act
– Foreign Private Banking customers
– PEPs
– Customers with an AML risk rating of High
Enhanced Due Diligence (EDD) (Continued)
Customer Information Examples (Cont’d)
• Source of funds and wealth
• Enhanced background checks
• Financial statements
• Banking references
• If the higher risk client is subject to an AML Program requirement (e.g., MSBs, Casinos, Precious Metals Merchant), assess that the client’s AML program addresses:
– Internal controls designed to assure compliance with the Bank Secrecy Act (BSA)
– Employee Training
– Independent compliance testing
– Designated Compliance Officer, responsible for day-to-day compliance with the BSA AML Program
– Procedures for filing and reporting Currency Transaction Reports (CTRs) and Suspicious Activity Reports (SARs)
• Site visits to assess their operations and AML or other controls
Enhanced approvals should be obtained for high risk clients - Business must own their risk
Enhanced Due Diligence (EDD) – Cont’d
Special Due Diligence Program for Foreign Correspondent Accounts
Section 312 requires U.S. financial institutions to establish a due diligence program that includes appropriate, specific, risk based and, where necessary, enhanced policies, procedures and controls reasonably designed to detect and report money laundering through correspondent accounts and private banking accounts established or maintained by U.S. financial institutions for non-U.S. persons.
Due diligence policies, procedures and controls must include the following:
– Determining whether EDD is required;
– Assessing the money laundering risks presented by the bank;
– Applying risk-based procedures and controls, including a periodic review of the correspondent account activity to determine if the activity is consistent with what is expected
Factors to be considered in assessing the risks of a Correspondent Bank include:
– Nature of the Correspondent’s business and the markets served
– Type, purposes and anticipated activity
– Nature and duration of the relationship
– AML and supervisory regime of the licensing jurisdiction
– AML record
Enhanced Due Diligence (EDD) – Cont’d
Special Due Diligence Program for Foreign Correspondent Accounts
Enhanced due diligence must be applied to correspondent accounts maintained in the U.S. for a foreign bank operating under:
– An offshore banking license;
– A banking license issued by a country that has been designated as being non-cooperative with international anti-money laundering principles or procedures by an intergovernmental organization of which the U.S. is a member and with which designation the U.S. concurs; or
– A license issued by a country designated by the Secretary of the Treasury as warranting special measures due to money laundering concerns.
Financial institutions are also required to determine if the correspondent maintains correspondent accounts for other foreign institutions and the identity of each owner of a foreign bank whose shares are not traded publicly. (An “owner” is a person who directly or indirectly owns, controls or has the power to vote 10 percent or more of any class of the foreign bank’s securities.)
CDD is a Continuous Effort
Critical to ensuring you understand the risk in your customer base is periodically reviewing customers, using a risk based approach:
Periodic Reviews
Using a risk-based time table, conduct regular reviews of customers in order to:
• Ensure that core client reference data remains accurate
• Update due diligence/EDD information so that it remains current
• Validate that the client’s risk rating remains accurate
• Assess that the client is engaging in transactions consistent with expected activity
• Review client to assess whether there is any recent negative news/reputational concerns
• If the client relationship has been dormant, use the periodic review as an opportunity to purge inactive accounts, and
• Ensure that the business/senior management remains comfortable maintaining the relationship
Transaction Monitoring/Surveillance
Leverage the various customer risk factors (risk rating, industry, geography, etc.), in support of:
• Automated transaction monitoring, and
• Targeted transaction reviews in order to identify potential suspicious activity based upon known typologies associated with a particular industry or customer type (e.g., unregistered MSBs)
Monitoring
Transaction Monitoring Process
Use of manual and/or electronic monitoring systems
• Understand manual and electronic systems
• Need for transparency
Consider customer’s usual activity
• Customers
• Products
• Transactions
• Countries
Review unusual activity
• Transactions that just don’t make sense
• Unusual not necessarily suspicious
Determine if unusual activity is suspicious
• Investigate
• No plausible explanation
• Compliance determination
Update customer profile
• Legitimate changes in behavior
• New media and public database information
Transaction Monitoring Systems/Processes
Transaction monitoring systems/processes must identify transactions that may be:
• Elevated risk
• Appear unusual or indicative of suspicious activity
Transaction monitoring systems assist with the identification and analysis of potentially suspicious activity by considering factors such as:
• Transactions to specific geographies
• Risk level of a customer
• Velocity and frequency of transactions
• Transaction routing
• Changes in profile transactional behavior
• Transaction unusual for peer group profile
• Specialized risk scenarios
Other Monitoring Efforts
Monitoring efforts used in addition to routine transaction monitoring, including:
• Review of customers/parties appearing on 314(a)/(b) requests;
• Customers associated with PEPs identified during batch screening;
• Customers/parties named in subpoenas or other government requests received by the bank;
• Customers with ties to OFAC program lists identified during batch screening (to be discussed in more detail later);
• Reviews of customers with previous SAR history
• Targeted reviews of activity identified as indicative of money laundering by law enforcement
• Customers associated with negative media stories
Business is the first line of defense:
• Front office must be alert to and trained to identify unusual behavior during all stages of a customer relationship from on-boarding and beyond
SAR Reporting Requirements
Executing AML Requirements
• Customer Information
• Transaction Monitoring
• Reporting of Suspicious Activity
SAR Filing Conditions
When to File a SAR:
• Transactions involving insider abuse - Any dollar amount;
• Criminal violations aggregating $5,000 or more when a suspect can be identified;
• Criminal violations aggregating $25,000 or more regardless of the identification of a potential suspect
• Transactions conducted / attempted through the bank aggregating $5,000 or more if the bank knows, suspects, or has reason to suspect that the transaction:
– May involve money laundering or other illegal activity (e.g. terrorist financing)
– Is designed to evade BSA requirements
– Has no business or apparent lawful purpose or is not the type of transaction in which the customer would be expected to engage without reasonable explanation.
SAR Filing Criteria
When to file:
• If ongoing criminal activity is detected, file immediately, alert law enforcement;
• Otherwise:
– If a suspect has been identified, file no later than 30 days from detection of the facts that form the basis for the filing;
– If no suspect has been identified, then filing should be no later than 60 days from detection of the facts that form the basis for the filing.
Other SAR Requirements
Confidentiality is Critical: A SAR, or any information that would reveal the filing of a SAR, must not be disclosed, with limited exceptions:
• Banking organizations may share SARs with head offices and controlling companies; thus, a US branch or agency of a foreign bank may share a SAR with its head office outside the US, providing that appropriate arrangements are made to protect the confidentiality of the SAR.
• This does not apply to affiliate organizations
• If subpoenaed, do not provide – notify FinCEN
Records must be retained:
• SARs and supporting documentation must be retained for five years from filing
Safe Harbor Laws:
• 31 USC 5381(g)(3) offers safe harbor from civil liability for all reports of suspicious activity and supporting documentation
Questions?
Presenter’s Contact Details Teresa A. Pesce,
Principal, AML Services Leader
KPMG, LLP
32 5 Park Avenue
New York, NY 10154
212-872-6272
[email protected]
The information contained herein is of a general nature and is not intended to address the circumstances of any particular individual or entity. Although we endeavor to provide accurate and timely information, there can be no guarantee that such information is accurate as of the date it is received or that it will continue to be accurate in the future. No one should act on such information without appropriate professional advice after a thorough examination of the particular situation.