**This presentation is not a full analysis and should not be relied upon as legal advice.

Managing Higher Risk Commercial Clients

South Carolina Risk Seminar 2016



Why does it matter?

■ Regulators require a "risk-based" approach to assessing individual customer relationships.

■ Banks must determine:
• The risks presented by a customer relationship, and
• Whether the bank can adequately manage that risk.

■ Regulatory References:
• FDIC, FIL-127-2008 (November 7, 2008).
• FDIC, FIL-3-2012 (January 31, 2012).
• FDIC, FIL-5-2015 (January 28, 2015).
• OCC Bull. No. 2013-29 (Oct. 30, 2013).


Operation Choke Point

■ The investigation that the Department of Justice officials dubbed "Operation Choke Point" was first disclosed in March 2013. The probe aimed to prevent certain individuals and businesses from accessing consumer bank accounts by choking off their access to the payments system. Its effects have been felt by banks, payment processors and companies that make short-term consumer loans over the Internet. (Am. Banker, Timeline: Operation Choke Point).

■ During the same time period, banking regulators (particularly the FDIC) promulgated guidance (informal and formal) regarding "high-risk" account relationships and management of "reputational risks" to banks.

■ Congressional findings indicated that "[a]s a consequence of Operation Choke Point, banks are indiscriminately terminating relationships with legal and legitimate merchants across a variety of business lines." House Comm. on Oversight and Gov't Reform, "Operation Choke Point," (December 18, 2014).

■ Merchants allege that banks were pressured to terminate relationships with "categories" of merchants that regulators felt presented too great of a reputational risk. (Comm. Fin. Serv. Assoc. of Amer. et al. v. FDIC et al. C.A. No. 14-953 (D.C. Cir. 2014)).


Supervisory Insights (Summer 2011)

■ The FDIC identified the following merchant categories as associated with "high risk" activity.


Changes to Treatment

■ Following the filing of the "Operation Choke Point" lawsuit, the FDIC clarified its position in FIL-5-2015.

■ "[T]he FDIC encourages institutions to take a risk-based approach in assessing individual customer relationships rather than declining to provide banking services to entire categories of customers, without regard to the risks presented by an individual customer or the financial institution’s ability to manage the risk. Financial institutions that can properly manage customer relationships and effectively mitigate risks are neither prohibited nor discouraged from providing services to any category of customer accounts or individual customer operating in compliance with applicable state and federal law."

■ In March 2015, FDIC revised policies to expressly prevent examiners from instructing banks to terminate customers solely based on "reputational risks." (Gruenberg Speech, March 24, 2015).


Risk-Based Approach

• Effective Risk Assessment Process
• Identification and Investigation of Customers
• Evaluation of Potential Risks
• Ability of Bank to Manage / Mitigate Potential Risks
• High-Risk Transactions
• Ongoing Due Diligence
• Termination of Customers


(1) Effective Risk Assessment Process

Inherent Risk of the Services Provided by Customer
• Compliance/Legal: Compliance with legal, policy, or regulatory requirements
• Contractual: Inability to meet obligations as they come due
• Operational: Inability of bank to adequately oversee activities or volumes
• Business Continuity: Inability to continue providing services
• BSA/AML/OFAC: Potential of product for use in illegal activity

Risks Unique to the Customer
• Experience: Ability to offer the services and use sophisticated banking products
• External Financial: Factors affecting financial condition beyond customer's control
• Reputation: Issues impacting the bank's brand or reputation
• Strategic: Customer's mission aligned with the bank's strategic goals
• Credit: Inability to pay obligations to Bank
• Quality: Inability to deliver a quality service or product
• Electronic/Cyber: Protection of confidentiality and integrity of third-party information


(2) Identification and Investigation

■ Identification goes beyond your CIP program.

■ Do you understand: (i) the business, (ii) its principals, and (iii) its products and services?

■ Are commercial bankers trained in conducting interviews?

■ Do you have a risk-scoring matrix that includes information on products and services?

■ Are commercial bankers engaging in meaningful investigations into customer activities?


(2) Identification and Investigation

■ Are you using a checklist to investigate new customers?

Customer Risk Assessment
• Biographical
• Ownership / Principals
• Time in business
• Market-reach (state, regional, national)
• Customer demographics (HIDTA/HIFCA)
• Number of locations / Internet only
• Existing relationship with bank
• Subsidiaries or franchises
• International offices
• Valid licenses to conduct business
• Past regulatory violations / Criminal history
• Subject to regulatory oversight
• Experience with complex bank products
• Financial condition
• ACH return data / Card return data
• Net-worth / Average balance
• Review of past transaction activity
• Number of banking relationships
• High cash volumes

Product Risk Assessment
• Products or services offered
• Products or services regulated by a governmental agency
• Products or services regulated as MSBs
• Products or services sold interstate
• Products or services sold internationally
• Products or services prohibited / banned in some locations
• Products or services sold on the internet / ability to anonymize transactions / card-not-present transactions
• Customer identification program for products and services (if regulated)
• Size and volume of monetary instruments, cash, or checks
• International money movement transactions (IATs, wires)
• Higher risk ACH transactions (WEB, TEL)
• Non-verified senders of funds
• Products or services carry the potential to create negative public sentiment towards the bank
• Confidential customer data used in business


(2) Identification and Investigation

■ Top Tip: Be thorough in your investigation. Train bank employees to "keep digging" until the bank has a thorough understanding of the customer. This process requires people, not machines.


(3) Evaluation of Potential Risks

Risk Factor: Evaluation

• International transactions: Who will identify recipients / sources and ensure OFAC compliance?
• Money Services Businesses: Will the bank have to provide additional BSA/AML/OFAC screening?
• Limited Experience with Banking Products: Who will educate the customer and monitor proper use?
• Limited Financial Resources: How can the bank effectively set limits to minimize credit exposure?
• Substantial Volume or Value of Transactions (in aggregate or individually): Does the bank have the resources to screen transactions and file necessary SARs?
• High-Cash Business: Does the bank have the resources to process large cash deposits and file CTRs?
• Confidential Customer Data: Does the business have a data security and data recovery program?


(3) Evaluation of Potential Risks

■ United States v. Four Oaks Fincorp, Inc. (E.D.N.C.)

• Four Oaks failed to have an "effective compliance program to prevent illegal use of the banking system by the Bank's customers."
• Four Oaks allowed a payment processor to directly submit ACH files to the Atlanta Federal Reserve.
• 97% of payments were for payday lenders.
• The other merchants included internet gambling and a Ponzi scheme.
• The processor originated fraudulent ACHs.
• Compared to the national ACH return average of 1.38%, Four Oaks allowed return rates of up to 30%, if corrected within 30 days. The processor had a consistent return rate of 25%.
• Four Oaks did not confirm that payday lenders were licensed or even in the U.S. (tribal and international lenders)
• Four Oaks was notified that payday lenders were offering illegal APRs.
• Four Oaks ($690MM Bank) paid a $1.2MM settlement.


(3) Evaluation of Potential Risks

■ Top Tip: Realistically assess each identified risk factor and determine what steps (if any) the bank will need to take to minimize or eliminate the risk. Document your file.


(4) How Can Banks Minimize Risks?

■ What ongoing monitoring will be needed?
■ Who will be in charge of balance, float, or exposure reviews?
■ Does the bank have adequate BSA/AML/OFAC resources and software?
■ Can the bank limit the type, frequency, amount, or volume of transactions?
■ Will the customer provide funds to "back-stop" credit or financial risks?
■ Will the customer share customer satisfaction data or reports about its business?
■ Will the customer actively manage returned checks, returned ACHs, and returned card transactions?
■ Will the customer integrate an E-Sign compliant authentication platform to identify its customers?
■ Will the customer provide data security audits to the bank?
■ Will principals of the customer guarantee its obligations?
■ Does the customer have a robust and active compliance program (if applicable)?


How Can Banks Minimize Risks?

■ The most effective risk mitigation strategy is a pro-active banker: onsite, working with the customer to understand the business and its operations.

■ Risk is not always as it seems:
• An MSB may be cleanly run with a bank-level AML/BSA department acting in full compliance with SAR reporting, OFAC screenings, and CTR filing requirements.
• A "mom and pop" local business may be secretly used as a front for Ponzi schemes or money laundering activity.
• A small pawn shop may be running a "fake gold" multi-state scheme.
• A firearms retailer may be making fully documented, face-to-face, legal sales of registered firearms in jurisdictions where such sales are legal.
• A used textile equipment company may be legitimately moving millions of dollars in overseas wires.
• A local attorney may be mis-using an IOLTA account for high-volume, low value fraudulent checks.


(4) How Can Banks Minimize Risks?

■ Top Tip: Remember, you do not have to open the account, allow the new service, or expand the relationship. If the bank cannot properly manage the risks of the relationship, it does not have to move forward.


(4) How Can Banks Minimize Risks?

■ Banks need to be careful how they decline to bank certain customers. Recently, customers have been going to the media regarding supposed "targeting" of unwanted relationships. Often these customers will ask for detailed denial reasons. Bankers need to understand that, under the new regulations, there are no "prohibited classes" of merchants.


(5) High Risk Transactions

■ What are the riskiest transactions for banks?

• International Wires
• Wire Transactions >$25,000; Large Bill Payments
• Monetary Instruments Sales
• Stored Value or Gift Cards
• High Cash Volumes / ATMs / Check Cashing
• High-Volume, Low-Dollar Check Deposits
• Card-Not-Present or International Credit Transactions
• Internet or Non Face-to-Face Transactions
• Payments for Financial Products
• Remote Deposit Capture
• Online ACH File Creation
• Telephone Wire Instructions


(6) Ongoing Due Diligence

■ The evaluation of customers does not end at account opening or when a new service is activated.

■ Ongoing monitoring is key. Your relationship banker must act as a partner to your BSA/AML department.

■ BSA/AML does not end with computer software. "Red Flags" must be pursued and general, suspicious activity reviewed.


(6) Ongoing Due Diligence

■ Ongoing due diligence should also follow a risk-based approach.

■ Based on the initial evaluation, "how" and "how often" will you follow up and review customer activity?

■ The bank needs to respond to the customer's changing risk profile and change products, limits, and services to appropriately manage the risk.


(7) Termination of Customers

■ Remember, your highest risk customers may be the most profitable.

■ The bank may terminate any banking relationship (so long as not based on a discriminatory or illegal basis).

■ Attorneys, federal agencies, and law enforcement have increasingly held banks accountable for lapses in due diligence.

■ If you are not sure, it is better to close the account than risk the compliance or assets of the bank.


(7) Termination of Customers

■ For customers with recurring SARs, you have options.

■ Simply filing the SAR may not be enough.

■ A decision should be reached and documented regarding whether to continue doing business with a customer, or when and how to terminate the relationship.

■ If you keep the account, you should increase monitoring and diligence of the customer. If under investigation, work closely with law enforcement.


(7) Termination of Customers

■ Do not be hesitant to involve upper management or the bank's legal counsel.

■ The decision to terminate may be filed as a SAR or may be used to supplement previous SARs.

■ If active criminal activity is suspected, you may need to contact appropriate law enforcement with jurisdiction over the issue.

■ Law enforcement may ask you to "hold open" the account. If so, you need to obtain these instructions in writing from a senior agent to show a regulator if questioned.


When Should You Seek Help?

■ Review of BSA/AML policies

■ Consultation on potentially suspicious activity by customer and complex SAR filing narratives

■ Working with law enforcement and criminal investigators

■ Development of policies as regulations change or interpretations evolve.

■ Selection of external compliance tools, software, products, or systems

■ Assistance in dealing with customer relations issues involving limitations on accounts or refusal to open accounts

■ Developing risk-rating criteria for unique customer cases

■ BSA/AML/OFAC training for bank employees, officers, and board members

■ SAR backfiling requests

■ Don't be afraid to seek outside assistance. A BSA/AML officer does not have to know everything!


Questions?


Brad Rustin is a partner of Nelson Mullins Riley & Scarborough LLP who practices in Greenville, South Carolina. His career began as a litigator focusing on consumer financial services litigation and defense of regulatory claims against chartered and non-chartered financial institutions, finance entities, and money services business. Following in the wake of the fiscal crisis, he began working with financial institutions, money transmitters, non-traditional lenders, check cashers, and mortgage brokers on issues of regulatory compliance. As the regulatory environment facing financial institutions has changed and increased, he now spends most of his time counseling financial institutions in regulatory matters, including strategic agreements, product development, and operational compliance. Mr. Rustin regularly works with clients on issues relating to: state and federal consumer protection laws, fraud monitoring, anti-money laundering and Bank Secrecy Act compliance, state and federal regulation of money transmission, stored value strategies, ACH compliance and traditional and non-traditional lending. Along with the firm's technology group, Mr. Rustin regularly works with FinTech companies on state and federal regulatory compliance as well as issues relating to data integrity and E-Sign Act compliance.

Mr. Rustin works with a number of industry organizations focusing on financial institutions and regularly speaks on topics involving regulatory compliance for chartered and non-chartered financial institutions. His speaking engagements have, in particular, focused on changing federal regulation of the money transmission and lending space in the post-Dodd Frank environment.

Thank You!
