Risk-Based Audit Approach to MSB Programs for Sellers of Prepaid Cards Elisa Evans, CAMS

1

Table of Contents I. Executive Summary .............................................................................................................................. 2

II. Background ........................................................................................................................................... 2

III. Fraud and Money Laundering Risks of Prepaid Cards ..................................................................... 3

IV. Prepaid Access Final Rule Overview ................................................................................................ 4

A. Open Loop Prepaid Access: .............................................................................................................. 4

B. Closed Loop Prepaid Access: ........................................................................................................... 4

C. Regulatory Requirements for Non-Exempt Sellers of Prepaid Access ............................................. 5

V. Audit Plan Scope and Methodology ..................................................................................................... 5

A. Past Independent Review Reports ..................................................................................................... 6

B. Written AML Compliance Program, Policies and Procedures ......................................................... 6

C. AML Risk Assessment ..................................................................................................................... 7

D. Store Risk Assessment .................................................................................................................... 10

E. AML Compliance Training Program .............................................................................................. 10

F. Systems Controls Testing................................................................................................................ 13

G. Transaction Monitoring System Testing ......................................................................................... 14

VI. Considerations for Drafting Audit Report ......................................................................... 17

V. Conclusion ............................................................................................................................. 19

Sources .......................................................................................................................................... 21

2

I. Executive Summary

This paper provides guidance for a risk-based approach to conducting an audit for large

organizations that are considered both a retailer and a Money Services Business (MSB). The MSB

referenced in this paper has over 4,000 retail stores throughout the U.S., an e-commerce website

and a major publicly traded retailer. The MSB sells a variety of prepaid cards. The MSB sells its

own branded reloadable gift card in addition to a variety of other gift cards, reloadable prepaid gift

cards and prepaid debit cards; it also offers additional financial services such as check cashing,

money orders, wire transfers and bill payments.

A major retailer that also qualifies as a MSB is unique in that its primary mission is to sell

merchandise, not financial service products. It is often challenging to train merchants to think like

compliance officers. Due to equipment and system requirements, the majority of the financial

services such as wire transfers, bill payments and money orders must be processed at specific

registers in a designated location in the store by employees who have had specialized anti-money

laundering (AML) compliance training. However prepaid gift cards, which are also available

online, and prepaid debit cards can be sold at any register, by any cashier. This can create

compliance challenges for large MSBs/retailers.

Conducting a Bank Secrecy Act (BSA) /AML audit on an MSB such as the one described in this

paper can also be challenging for an auditor. There are many unique factors to consider from an

auditing standpoint with a company of this magnitude such as selecting the right sample size for

each of the program elements as well as evaluating risk, effectiveness of training, cross-chain know

your customer (KYC) data collection and evaluating the transaction monitoring system.

II. Background

Towards the end of the 1990s, prepaid cards were introduced into the market as an alternate method

of payment to credit and debit cards.1 This method of payment became attractive to those with

little or no credit or did not have a bank account. By 2015, in the U.S. the number of prepaid debit

card payments reached 9.9 billion with a dollar value of $0.27 trillion2 and it was estimated that

28 percent of American households were either unbanked or under-banked.3

Prepaid debit and gift cards have become very popular among consumers. There are many different

types of prepaid cards. There are private-label gift cards that can only be spent at a specific retail

outlet or location as well as network-branded cards that can be used anywhere the network is

accepted. Some prepaid debit cards even have features similar to debit cards linked to bank

checking accounts.

1 FATF. Draft Guidance for a Risk-Based Approach to Prepaid Cards, Mobile Payments and Internet-Based Payment Services. http://prepaidforum.org/wp-content/uploads/2013/04/Draft-guidance-prepaid-cards-mobile-payments-and-Internet-based-paymen-.pdf 2 The Federal Reserve. (December, 2016) The Federal Reserve Payments Study 2016. https://www.federalreserve.gov/paymentsystems/fr-payments-study.htm 3 Currency Cloud. (August 4, 2015) The Regulation Behind Prepaid Cards. https://www.currencycloud.com/en-us/news/blog/the-regulation-behind-prepaid-cards/

3

On July 26, 2011, FinCEN issued the Prepaid Access Final Rule (the “Rule”) which amended the

BSA. The Rule imposed regulatory requirements on qualified providers and sellers of prepaid

access to register as a MSB and develop an AML program, which includes customer and

transaction information collection as well as suspicious activity reporting for certain types of

prepaid cards.4

III. Fraud and Money Laundering Risks of Prepaid Cards

According to the U.S. Department of Justice, in 2009 an estimated $24 billion in cash and prepaid

cards are smuggled into Mexico each year as a result of drug trafficking and money laundering.5

Most recently, the terrorists who attacked Paris, killing 130 people, used anonymous prepaid cards

to rent hotel rooms the evening before their attack.6

Not only are prepaid cards being used in money laundering schemes but also in consumer fraud

scams. For years perpetrators have been calling elderly victims pretending to be a grandchild or a

relative in need and asking them to send wire transfers to help them. Scam artists have come to

realize that it is quicker and easier to remain anonymous if they trick people into loading prepaid

cards instead of using money transfers. An example of this was when an 82 year-old woman was

contacted by someone pretending to be her granddaughter claiming that she was arrested in a drug

bust and needed money to be bailed out of jail resulting in the elderly victim losing $36,000 in

prepaid card loads to a scammer.7

A major reason prepaid cards are attractive to criminals is due to the easy accessibility to purchase

the cards. Most retailers sell a variety of both open-loop and closed-loop prepaid cards. Criminals

are aware of those retail outlets where they can purchase open-loop prepaid cards and how much

they can load on each card and still remain anonymous. Criminals recognize these stores as easy

targets since cashiers are not usually trained to identify money laundering or how to identify and

report suspicious or unusual behavior.

One way the bad guys are able to remain undetected is by using similar “smurfing” money

laundering techniques to purchase prepaid cards as they use to launder cash.8 Groups of criminals

work together to visit various retailers and convenient stores where prepaid cards can be purchased

and load multiple cards with small amounts of cash. By using “smurfs,” they can easily load

hundreds of cards, remain under the KYC threshold and still remain anonymous.

4 FinCEN (July 26, 2011) FinCEN Issues Prepaid Access Final Rule Balancing the Needs of Law Enforcement and Industry. https://www.fincen.gov/sites/default/files/news_release/20110726b.pdf 5 Reuters. (2016). Drug Cartels Continue Money Laundering with Prepaid Cards, Amid Industry Pushback. https://www.nbcnews.com/business/business-news/drug-cartels-continue-money-laundering-prepaid-cards-amid-industry-pushback-n627056 6 Mathers, C. (February 4, 2016). Terrorists Used Prepaid Cards to Finance Preparations For Paris Attacks. https://www.linkedin.com/pulse/terrorists-used-prepaid-cards-finance-preparations-paris-mathers 7 Picchi, A. (April 20, 2017). Beware of a new scam involving "relatives" and gift cards. https://www.cbsnews.com/news/beware-of-a-new-scam-involving-relatives-and-gift-cards/ 8 Furst, K. (January 26, 2017). Merchant-Based Money Laundering Part 2: Prepaid Gift Card Smurfing https://www.acfcs.org/news/328136/Merchant-based-money-laundering-part-2-Prepaid-gift-card-smurfing.htm

4

Another reason prepaid cards are an easy target for money laundering and fraud is the multiple

relationships involved in the sale. These relationships involve the card holder (purchaser),

merchant, merchant acquirer (payment processor and clearing) and issuing bank.9 If the

relationships are not orchestrated effectively, the prepaid cards can become an easy avenue for

organized criminals to use for laundering their illicit funds.

IV. Prepaid Access Final Rule Overview

Prepaid access is defined as “access to funds or value of funds that have been paid in advance and

can be retrieved or transferred at some point in the future through an electronic device or vehicle,

such as a card, code, electronic serial number, mobile identification number or personal

identification number.”10 The Rule, issued on July 29, 2011, established regulatory requirements

for both providers and sellers of prepaid access under the regulatory requirements of the BSA.11

The Rule clearly defines the factors that qualify retailers as sellers of prepaid access and are

required to register as a MSB and develop an AML program. The Rule also describes the

qualifications that exempt a retailer from being classified as a MSB.

According to the Rule and the Federal Financial Institutions Examination Council (FFIEC) BSA

Examination Manual, prepaid cards can be categorized as either open or closed-loop based on the

functionality. The description of each is provided below.12

A. Open-Loop Prepaid Access:

Prepaid cards that can be used or described as any of the following characteristics:

1. Branded by a major network, such as VISA or MasterCard, and issued by a bank that

is part of that payment network;

2. Can be used as method of payment for purchases with any merchant that accepts the

major network card;

3. Can be used to access cash from an ATM that accepts the major network card; or

4. Can be reloaded with funds to add value to the card.

B. Closed-Loop Prepaid Access:

Generally, closed-loop prepaid cards are merchant specific and can only be spent with the

merchant issuing the card. Some examples include restaurant gift cards, retail cards, movie

cards, etc.

As mentioned before, the Rule allows for exemptions for some providers, retailers and other

businesses who sell prepaid access cards that meet the following qualifications13:

1. Closed-loop prepaid access cards with load limits that do not exceed $2,000 per day;

2. Cards that can only load funds from a governmental agency;

3. Specific cards, called out by the Rule, related to health care expenses;

4. Open-loop cards that cannot exceed the maximum value of $1,000 per day;

9 Bansal, A. (2012). Challenges & Opportunities for Merchant Acquirers 10 31 CFR 1010.100(ww) 11 FinCEN. (November 2, 2011). Final Rule- Definitions and Other Regulations Relating to Prepaid Access. 12 FFIEC. (2014). Bank Secrecy Act Anti-Money Laundering Examination Manual. Prepaid Access-Overview. 13 FinCEN. (November 2, 2011). Final Rule- Definitions and Other Regulations Relating to Prepaid Access.

5

5. Payroll cards that meet all of the following criteria:

a) Cannot be used internationally;

b) Cannot transfers funds from person to person; and

c) Cannot be reloaded by a non-depository source

C. Regulatory Requirements for Non-Exempt Sellers of Prepaid Access

The BSA considers a company as a “seller” of prepaid access if it sells prepaid access products

that can be spent before verification of the customer; or if it does not have controls in place to

prevent the sale of more than $10,000 in prepaid access (including closed loop) to the same

person on the same day.14 A retailer will fall into the category of a seller if it has not established

controls to limit the amount of money that can be loaded and reloaded on its own branded cards

for each customer in one day.

The Rule also revised MSB regulations to require non-exempt sellers of prepaid access to

establish, maintain and implement an AML program that is reasonably designed to prevent

money laundering and terrorist financing.15 The AML program must include the following four

elements:

1. Policies, procedures and internal controls are established to ensure the following:16

a) A customer verification process is established and specific personal information is

captured for customers who purchase over $10,000 of prepaid cards (including

closed loop) during the same day;17

b) Filing CTR and SAR reports;

c) Responding to law enforcement requests; and

d) Record retention.

2. A designated person responsible for the day-to-day compliance obligation;18

3. An adequate AML training program;19 and

4. An independent review20

V. Audit Plan Scope and Methodology

As previously discussed, this audit will be geared towards a publicly-traded large retailer that is

considered a non-exempt seller of prepaid access cards. The retailer is registered as a MSB and

has over 4,000 stores throughout the U.S. as well as an e-commerce website and offers a variety

of open-loop and closed-loop prepaid cards. The cards sold include prepaid debit VISA cards with

features similar to a bank-issued debit card, non-reloadable VISA gift cards, gaming and restaurant

gift cards, and the company-branded closed-loop reloadable gift card that can hold up to $1,000 in

value. Not only does this company sell prepaid cards, but it also offers other financial services

14 31 CFR 1010.100(ff)(7). 15 31 CFR 1022.210 16 31 CFR 1022.210(d)(1)(i-iv) 17 31 CFR 1022.210(d)(1)(iv) 18 31 CFR 1022.210(d)(2) 19 31 CFR 1022.210(d)(3) 20 31 CFR 1022.210(d)(4)

6

such as check cashing, and is an agent that sells wire transfers, bill payments, credit cards and

money orders.

In order to begin auditing such a large company that offers so many different financial services it

is important to determine the time period and program components that will be audited. As the

topic of the paper describes, the audit will cover an assessment of the AML program and will

address the BSA requirements for a seller of prepaid access and the audit will assess the previous

six months of activities of the MSB’s AML program. The program elements that will be audited

are detailed below.

A. Past Independent Review Reports

It is important to review the previous independent audit reports and remediation plans before

beginning an audit. This will help the auditor understand the frequency of independent reviews;

the strengths and weaknesses of the program; and if remediation plans were developed and

tested to address the exceptions identified. Since this audit is focused on prepaid cards, the

auditor should look for any issues previously identified regarding the sale of prepaid cards.

Depending upon the level of proof of remediation and testing of the previous audits, additional

testing may be required to ensure the issues were in fact resolved.

B. Written AML Compliance Program, Policies and Procedures

“MSBs are required by 31 CFR 103.125 to implement an effective AML Program that is

reasonably designed to prevent the MSB from being used to facilitate money laundering and

terrorist financing. The anti-money laundering program must be written and must

commensurate with the MSB’s risk profile. Furthermore, the program must be fully

implemented and reasonable designed to meet the BSA requirements.”21

The AML compliance program “Program” should at a minimum include the four pillars and

should be customized to include all of the MSB’s financial services products and its legal

obligation to comply with the AML/BSA regulations and any other state and federal laws

pertaining to its products. The elements of the program should be reviewed and tested to

determine if the program is adequate and reasonably designed.

To effectively test the program, the auditor must test both the procedures and processes at the

store level where the cashiers have direct contact with customers and in the back-end at the

Financial Intelligence Unit (FIU) level. Considering the scope, it is reasonable to expect the

MSB to maintain two sets of procedures, one for each of the groups mentioned.

At the store level, the written policies and procedures should contain at a minimum, the

following:

a) Customer identification requirements and expectations;

b) Financial services product transaction limits;

c) KYC and Currency Transactions Reporting (CTR) dollar thresholds;

d) Red flag indicators of suspicious activity; and

e) Procedures explaining how to report suspicious activity to the FIU.

21 Bank Secrecy Act/Anti-Money Laundering Examination Manual for Money Services Businesses. (2008). p. 43

7

At the FIU level, the written policies and procedures should contain at a minimum, the

following:

a) Procedures for responding to transaction alerts generated from the transaction

monitoring system;

b) Case investigation tools and procedures;

c) Case escalation protocol requirements;

d) SAR and CTR reporting procedures;

e) Responding to subpoenas, law enforcement and 314(b) requests.

The program, policies and procedures should be utilized throughout the audit to verify the

effectiveness of the program. The audit should also identify any discrepancies or gaps of

information provided in the policies and procedures compared to the program.

C. AML Risk Assessment

The purpose of an AML risk assessment for an MSB is to evaluate the money laundering risks

associated with the types of financial products and services offered in conjunction with the

customer risks, operational risks and geographic locations where the company facilitates

transactions.22 An effective AML risk assessment will expose the weaknesses or vulnerabilities

within the program and should be used when establishing internal controls, procedures and

processes.

In order to determine the soundness of the overall program, the auditor should review and

evaluate the company’s AML risk assessment to gauge whether or not management

sufficiently considered all of the risk elements. The risk assessment should be tailored to the

size of the company and the products and services it offers. Unlike banks, this MSB does not

have customer accounts. In order to gather KYC on a customer, it must be collected at the time

of the transaction. This should be considered when reviewing the AML risk assessment. The

audit of the AML risk assessment should include assessing the following categories:

1. Financial Products and Services Risk

This MSB offers a variety of financial services. Each product should be included in the

AML risk assessment and should be individually evaluated to determine the product’s level

of inherent risk to money laundering and terrorist financing.23 This assessment should take

into consideration each financial service product’s susceptibility to anonymity based on the

regulatory record keeping threshold requirements and program controls. The risk

assessment should also factor in the current procedures and controls to determine the

residual risk per product.

Additionally, each financial service should be evaluated and risk rated against the other

financial services that were sold during the evaluation period. The following factors should

be individually calculated by product and then compared against the total number and face

value of all products combined:

a) Total transaction volume compared to all products;

b) Total and average transaction face value compared to all products;

22 Bank Secrecy Act/Anti-Money Laundering Examination Manual for Money Services Businesses. (2008). p. 23 23 Bank Secrecy Act/Anti-Money Laundering Examination Manual for Money Services Businesses. (2008). p. 20

8

c) Percentage of transactions compared to all products;

Other considerations:

d) Channels where the products are offered such as bricks-and-mortar and e-commerce;

e) A comparison of the number of SARs and CTRs filed per product to other products;

f) Effectiveness of the AML compliance training program; and

g) The number of consumer fraud complaints reported per product.

Open-Loop and Non-Exempt Prepaid Access Risk Factors

In addition to the factors mentioned above, the MSB should consider other elements that

impact risk for open-loop and non-exempt prepaid cards. The risk factors below are also

described in the memorandum issued on April 27, 2017 by the Department of Treasury

Director of Examination-Specialty Policy, Alfredo Valdespino.24 According the

memorandum, the level of risk increases when:

a) There are no controls in place to prevent an individual from purchasing multiple cards

or allowing multiple users per card;

b) There are no geographic restrictions that limit the jurisdictions where the cards may be

used, including internet use (This should be considered when evaluating the geographic

risks.);

c) The cards may be used to make person-to-person money transfers;

d) There are no load and reload limits or restrictions in place;

e) Non-face-to-face prepaid access loads are allowed without KYC controls; and

f) The cards may be used at ATMs or POS to withdrawal cash.

2. Customer Risk

Since MSBs typically do not maintain accounts for customers, there are other elements that

should be considered when evaluating risks for non-account customer. As mentioned in the

MSB exam manual,25 other factors are:

a) The geographic locations of the stores where the customers conduct transactions. Take

into account the stores located in the southern region of the U.S. border or if it is in a

high drug trafficking or financial crimes area;

b) The average dollar amount of transaction for each financial service;

c) The general method of payment. Often the customers using the MSB services are

unbanked customers who use cash rather than credit or debit cards linked to a banking

account; and

d) The general reason why a customer would purchase the product.

In addition to these factors, many of the risks associated with customers may be reduced

by establishing dollar threshold KYC controls at the point of sale compared to the

regulatory requirements as well as limiting the types of government-issued photo

identification that may be accepted. When establishing the KYC dollar threshold limits,

the MSB should consider the risks associated with its customer base, the transaction

24 Alfredo Valdespino, Director, Examination-Specialty Policy, Department of Treasury. Memorandum dated April 27, 2017. Addressing Prepaid Access Issues in Bank Secrecy Act Examination Cases. https://www.irs.gov/pub/foia/ig/spder/sbse-04-0417-0010.pdf 25 Bank Secrecy Act/Anti-Money Laundering Examination Manual for Money Services Businesses. (2008). pp. 20-21

9

volume, number of locations and how it does not maintain customer accounts.

3. Operational Risk

The MSB must evaluate its systems and internal controls to determine if they are adequate

enough to detect or prevent money laundering or terrorist financing.26 The MSB

Examination Manual provides a list of the factors that should be considered when

evaluating operational risks.

There are potentially significant operational risks for a large MSB that operates both in the

e-commerce space and bricks-and-mortar, and offers a variety of financial services in

addition to retail goods. It is imperative that the MSB evaluate the level of controls and

dollar thresholds required at POS and online to ensure it is able to capture the KYC and

detect suspicious activity. As a seller of open-loop and non-exempt prepaid cards, the MSB

must take into account the $10,000 KYC requirement and evaluate its systems to ensure it

captures and connects the same customer’s activity across the chain and on-line.

4. Geographic Risk

Geographic risks occur in various locations, both domestic and international, from which

transactions are being conducted, sent, or received by the MSB. For example, money

transfers may be sent to receivers outside of the U.S. as well as received in the U. S. from

senders from other countries. This poses a higher risk for money laundering and fraud

considering the countries from which the money may be sent or received. On the other

hand, many prepaid open loop cards are limited to transactions in the U.S. only. Although

the cards have limited geographic use, they still pose a high risk for money laundering

since they can be used as anonymous instruments.

Provided below are sources used by MSBs to identify high risk domestic and international

locations.

High Risk Domestic Locations

Domestic high risk locations include those listed in the High Intensity Drug Trafficking

Areas (“HIDTA”)27 and the High Intensity Financial Crimes Areas (“HIFCA”)28. In

addition to the HIDTA and HIFCA locations, special attention should be given to the

southwest border locations and those locations near seaside ports.

High Risk International Locations

International high risk geographic locations include those countries, jurisdictions or

governments that are recognized on any of the following websites:

Office of Foreign Asset Control (“OFAC”)29

Countries identified by the Secretary of State as supporting international terrorism30

26 Bank Secrecy Act/Anti-Money Laundering Examination Manual for Money Services Businesses. (2008). p. 22 27 https://www.dea.gov/ops/hidta.shtml 28 https://www.fincen.gov/hifca-regional-map 29Includes a list of countries, jurisdictions, and governments. OFAC website: https://www.treasury.gov/resource-center/sanctions/Pages/default.aspx 30 https://www.state.gov/j/ct/rls/crt/

10

Jurisdictions determined by the Secretary of Treasury through FinCEN as Primary

money laundering concern (Section 311 of the USA PATRIOT Act)31

Financial Action Task Force (“FATF”)32

Money laundering countries and jurisdictions identified by the US Department of

State’s annual International Narcotics Control Strategy Report (“INCSR”)33

D. Store Risk Assessment

Since the MSB has so many bricks-and-mortar locations, it should maintain a separate store

risk assessment that evaluates each store based on the following criteria:

1. Geographic location (refer to the Geographic Risk section of the AML Risk Assessment);

2. Transaction volume per product;

3. Average face value per product;

4. Number of SARs and CTRs filed; and

5. Reported Fraud

All of the above factors should be considered when identifying the stores that fall into the high,

medium, and low-risk categories. The store risk assessment will be important for the auditor

during the review of the AML training program as well as during the store selection for testing

and sampling the prepaid card transactions and procedures.

E. AML Compliance Training Program

The third element required of an AML program is training of appropriate personnel.34 It is

essential for the MSB to hire qualified, experienced staff to manage and oversee the AML/BSA

Compliance Department and the FIU. The job descriptions and resumes of the key staff

members should be reviewed to verify they have the appropriate level of experience, skills and

education necessary to meet the requirements of their individual job responsibilities.

In a retail environment with over 4,000 locations, it is impractical to expect the cashiers and

store management to be AML/BSA compliance experts. However, it is practical and expected

that managers and cashiers who oversee and sell financial service products to receive

AML/BSA compliance training and have a basic understanding of their roles and

responsibilities in regards to the regulation.35 This must be considered when developing the

training program.

In order to have an effective training program, the MSB must consider the audience, content,

frequency and method of delivery. The training program and its elements should align with the

AML risk assessment and store risk assessment. The following should be verified:

1. Audience

31 https://www.fincen.gov/regsection311.html 32 http://www.fatf-gafi.org/ 33 ttps://www.state.gov/j/inl/rls/nrcrpt/ 34 Bank Secrecy Act/Anti-Money Laundering Examination Manual for Money Services Businesses. (2008). p. 54 35 31 CFR 1022.210 (d)(3)

11

The MSB’s organizational chart should be reviewed to determine who should be trained in

accordance with roles and responsibilities. The training logs, material and records should

be evaluated to determine if the select audience has completed their training as required by

the AML training program. For this type of MSB, the following roles require AML

training.

a) Cashiers

b) Store Management

c) AML / BSA Compliance Department (includes AML/BSA Compliance Officer,

Compliance Management Team and FIU)

d) Financial Services Business Leaders

e) Internal Audit Department

f) Compliance Sr. Leadership and Board of Directors (or other executive leadership

group reporting to the Board)

2. Content As explained in the MSB Exam Manual, the training content should be tailored to the job

responsibilities of the employees and managers. When reviewing the training material for

each group, consider the level of accountability and responsibility the role contributes to

the overall success of the program. For example, the training delivered to the cashiers who

have face-to-face interaction with the customers should be different from training delivered

to the executive leadership.

The cashier AML training content should coincide with the cashier compliance policies,

processes and procedures. There should be no discrepancies between the AML training

content and the day-to-day operations. The training content should include AML

compliance information related to all of the financial services products, including prepaid

cards. The training content should at a minimum include:

a) Employee responsibility and accountability to follow the BSA compliance

requirements;36

b) The MSB’s KYC requirements and transaction limits;

c) How financial service products are used to facilitate fraud, terrorist financing and

laundering money; and

d) How to identify and report suspicious activity.

For the store management personnel, the training should include an overview of the BSA

compliance requirements in conjunction with the policies and procedures, as well as their

responsibility and level of accountability in overseeing the BSA program at their store.

On the other hand, the AML/BSA Compliance Department should receive ongoing AML

training, staying apprised of industry trends, money laundering schemes, new regulation,

enforcement actions, etc. The financial services business leaders should also receive basic

AML/BSA training in addition to training about how compliance and regulatory changes

impact their business.

36 Bank Secrecy Act/Anti-Money Laundering Examination Manual for Money Services Businesses. (2008). p. 60

12

As a best practice, all training materials developed by the MSB should be reviewed and

approved by an AML expert in the legal department and retained for five years.

3. Training Delivery Channel, Record Retention and Frequency

An MSB should consider the following factors when determining the channel from which

the training will be delivered as well as frequency:

a) Size of the organization;

b) Size of the audience(s);

c) Timeliness of training;

d) Accountability;

e) Proof of training completion with a passing grade; and

f) Record retention.

Delivery Channel and Record Retention:

For an MSB of this size with a vast number of store employees who require training, the

organization should have an electronic means of training delivery and tracking. However,

for the smaller groups, the training delivery and tracking is not as complicated and may be

delivered via other methods such as web video or classroom training. Whichever method

is selected, it is important to keep in mind that the training delivery method and tracking

go hand in hand. There must be a way to track and maintain records proving training

knowledge and completion.

Proof of knowledge can be obtained through testing on the content presented and requiring

a passing grade in order to complete the training. If the individual does not pass the training

the first time, it must be retaken until a passing grade is achieved.

Proof of training completion includes signatures or electronic records containing the

training date and a unique personal identifier such as a name, username or unique user ID.

If the only tool used to track the training is a spreadsheet with training dates and a typed

list of names without signatures, the records do not prove the training actually occurred.

Additional proof would be required in this instance. AML training completion records must

be maintained for five years.

Training Frequency:

The initial AML/BSA compliance training should be completed before the cashier sells

any financial services products. The same training completion requirement is expected of

the store management before supervising the employees who perform these job functions.

The frequency of future and ongoing training is dependent upon the MSB’s level of risk.

It also depends upon the level of accountability and responsibility for the AML compliance

program. Therefore, the training frequency, just like the content, cannot be considered as a

“one size fits all.”

For the store employees in a large MSB, the training should be required at least annually

for all employees. However, the MSB should factor in the store risk assessment when

evaluating the frequency for stores rated as high risk. The frequency of training should be

evaluated and treated differently for high-risk stores than those stores with a low-risk

13

rating. Supplemental or targeted training in addition to the other required training should

be provided to those employees in high-risk locations.

F. Systems Controls Testing

The established POS controls should be aligned with the MSB’s overall AML risk assessment.

The stringency of controls should be based on the size of the organization and its ability to

systematically capture KYC for aggregating prepaid card purchases totaling over $10,000 for

a single customer in one day. For an MSB this large, there is great risk of individuals

recognizing an opportunity to structure their prepaid purchases and avoiding the KYC

requirements if the controls are too relaxed. Considering the level of risk, the expectation for

a MSB of this size is that the dollar threshold for capturing KYC is low enough to make it

difficult for an individual to make large purchases of prepaid cards, at a location or online, and

remain anonymous. Additionally, the KYC captured at any dollar threshold should be

aggregated on the back-end through the transaction monitoring system.

Before beginning the field testing, the auditor should have a general understanding about the

overall operation of the MSB’s BSA/AML compliance program as well as the processes,

policies and procedures. In order to validate the quality and stability of the prepaid access

program, the KYC and dollar threshold controls should be tested at the point of sale, e-

commerce channels and the transaction monitoring system.

Point of Sale (“POS”) and Field Testing

The purpose for performing a POS and field testing is twofold.

1. To assess the effectiveness of the BSA/AML training program through employee

interviews; and

2. To validate the system controls are established, functioning and reliable in accordance with

the internal processes and procedures.

Before conducting the assessment, the stores that will be part of the test must be selected. Since

the MSB is part of the large retail corporation, the POS controls should be centralized and

managed from the corporate headquarters, rather than separately at each individual store.

Therefore, in theory, the POS controls should perform the same at every location. The auditor

should confirm this theory by selecting five to six stores ranging from low to high risk and

located in different regions of the U.S. The number of stores initially selected may increase

depending on the consistency of the test results. Since the audit includes e-commerce, the

controls from the e-commerce channels should be tested as well. Once the store selection has

been established, the next task is to begin interviews and testing.

1. On-Site Employee Interviews

Before conducting the POS controls test, the written AML procedures for processing

prepaid card transactions should be reviewed and understood. Then, the next step is

conducting on-site interviews with a select number of cashiers and managers to confirm

the employees have a basic understanding of BSA/AML and the MSB’s prepaid card

compliance program policies and procedures. It is not necessary to interview every cashier

and manager at the test site; however, the interview sample should contain more than one

individual per job category. In addition to verifying the effectiveness of the AML training

14

program, the interviews help the auditor gain a good understanding of the store level

processes and procedures.

2. On-Site POS Controls Testing

As a best practice, the auditor should create a checklist of controls that are required to be

tested in accordance with the regulation and the written processes and procedures. For

open-loop and non-exempt prepaid cards, there should be specific controls at POS that

ensures the MSB is capturing the required KYC for aggregate prepaid access transactions

totaling over $10,000 during the same day for the same customer.37 As mentioned

previously, the KYC dollar threshold for an MSB of this size should be reasonably low

enough to ensure the KYC can be captured on all qualifying prepaid cards and aggregated

across the organization.

A variety of POS systems tests should be performed including all qualifying prepaid cards

to prove the following to be true:

a) POS is triggering and capturing KYC at the MSB’s lower dollar threshold;

b) Number of cards per person limits cannot be exceeded;

c) Maximum dollar thresholds per card cannot be exceeded;

d) KYC is captured when a variety of prepaid cards are purchased in a single totaling the

POS dollar threshold;

e) KYC is captured when a number of the retailer’s branded reloadable gift cards are

purchased in a single transaction totaling the POS dollar threshold;

f) POS has mandatory system prompts that capture the required KYC (name, address,

date of birth and identification number);38

g) POS mandatory prompts are programmed to prevent the cashier from entering a single

letter or number in order to skip the KYC requirements; and

h) POS mandatory prompt controls cannot be bypassed or overridden.

3. E-Commerce POS Controls Testing

The assessment of e-commerce controls can be conducted similarly to the store level POS

assessment with the exception of testing by ordering online and verifying the controls are

in place.

G. Transaction Monitoring System Testing

The purpose for evaluating the transaction monitoring system is to verify its effectiveness and

reliability and that it is within accordance of the MSB’s risk profile.39

1. Data Reconciliation Reports

The purpose of the data reconciliation reports is to validate the transactional data and KYC

captured at POS is being transferred to the AML transaction monitoring system. These

reports should be reviewed before testing the transaction monitoring system. The MSB’s

technology team responsible for systems and data management should maintain

documented policies and procedures to perform and report results of data reconciliation.

37 31 CFR 1022.210(d)(1)(iv) 38 31 CFR 1022.210(d)(1)(iv) 39 Bank Secrecy Act/Anti-Money Laundering Examination Manual for Money Services Businesses. (2008). p. 92

15

The procedures should be reviewed to determine the frequency data reconciliation tests are

performed and then the reconciliation reports for the audit period should be reviewed.

From those reports the auditor will be able to identify failure rates, corrective action plans

and post-corrective action plan reports.

2. Transaction Sample Testing

The size of the transaction sample is dependent upon the MSB’s risk profile and the results

of previous independent review.40 As explained in the MSB Examination Manual, if the

independent review results are favorable for transaction testing, a minimal sample of

transactions may be adequate enough to ensure the system and the overall program is

operating efficiently.41 On the other hand, if the independent testing did not show favorable

results, the transaction sample should be increased based on the judgment of the auditor

and the results from the initial sample tests.

The MSB’s store risk assessment is a valuable tool when determining the transaction

sample. The selection should contain a mixture of transactions from high, medium, and

low-risk stores. The number of stores selected per risk level will be determined by the

previous independent review results. Since the high-risk stores pose the greatest threat for

money laundering, fraud, and terrorist financing, the majority of the transactions tested

should be from stores in the high risk category. The second largest sample should come

from stores in the medium risk category; and finally, a smaller sample from low risk stores.

Once the stores have been identified, the transaction dates and dollar thresholds must be

selected for the review. To obtain an adequate sample, the dates selected should be

scattered throughout the examination period and should not be isolated to just one day or a

consecutive 7 day period. Additionally, the transaction dollar threshold should be

reasonable and an amount that is high enough to detect patterns of possible structuring.

Selecting at least one day per week, per month throughout the exam period will gage the

level of consistency of the program. Again, the number of days will vary depending upon

the previous independent reviews and the initial sample test results.

The tests that should be performed with the sample transaction data are as follows:

a) Data Transmission Testing

The data transmission testing is used to validate the prepaid card transactions

containing KYC which were transmitted from POS into the transaction monitoring

system along with the KYC that was captured at the time of the sale.

The testing should begin by first selecting from the raw data sample containing only

those transactions that meet KYC requirements and should have been fed into the

transaction monitoring system as required by the program and procedure. The second

step is to gather data from the transaction monitoring system matching the same dates

and locations. Each POS transaction should be compared to the data contained in the

40 Bank Secrecy Act/Anti-Money Laundering Examination Manual for Money Services Businesses. (2008). p. 33 41 Bank Secrecy Act/Anti-Money Laundering Examination Manual for Money Services Businesses. (2008). p. 33

16

monitoring system to verify that all of the required transactions and KYC were

transferred into the system.

b) Transaction Pattern Testing Testing transaction patterns identifies sequences of prepaid card transactions occurring

back-to-back by the same cashier. The purpose is to identify those transactions from

which the MSB should have captured KYC as required by its policies and procedures.

The transaction pattern testing is an analysis of the transactions within the sample that

occurred consecutively by the same cashier but individually did not meet the dollar

threshold for KYC and was not fed into the transaction monitoring system. The purpose

of this test is to identify patterns of individual transactions that if combined into a single

transaction, the KYC should have been captured. When these patterns are detected, this

may indicate lack of knowledge and understanding of the written policies and

procedures or possible collusion to help someone avoid detection.

c) Regulatory Reporting Transaction Testing Similar to transaction pattern testing, this is the analysis of prepaid card data to identify

transactions requiring additional investigation that may have required a CTR filing or

further investigation for a possible SAR filing.

This analysis is a combination of both the data transmission testing and the transaction

pattern testing. The purpose for the analysis of the data is to identify unusual transaction

patterns, as well as individual or patterns of large cash transactions that exceed the

$10,000 currency transaction reporting threshold. Once these groups of transactions

have been identified, the auditor should compare the raw data with the same records in

the transaction monitoring system to verify an investigation occurred or a SAR or CTR

was filed.

3. Transaction Monitoring Rules, Alerts, and Cases

Generally, transaction monitoring systems are automated computer programs that are

developed specifically to meet the needs of the MSB through algorithms, rules, and

parameters and are developed to compare normal customer behavior with abnormal or

unexplained behavior.42 The monitoring system should have the capacity to accept and

monitor all of the MSB’s financial service products as well as the volume of transactions.

Effective monitoring systems are rules-driven, adaptive to rule adjustments and use

artificial intelligence to identify specific patterns of transactions based on the complexity

of the rules.43

In order to effectively audit the MSB’s transaction monitoring system, the auditor should

refer to both the store risk assessment and the AML risk assessment which will provide

insight into the store risks, types of financial service products, high-risk geographic

locations and high-risk customers. There should be an assessment of the set of rules, logic

42 Murton, R. (2015) Keeping an Eye on Suspicious Activity- The Importance of Maintaining Human Analytics. ACAMS. files.acams.org/pdfs/2016/Keeping-an-Eye-on-Suspicious-Activity.pdf 43 Bank Secrecy Act/Anti-Money Laundering Examination Manual for Money Services Businesses. (2008). p. 85

17

and flow behind the design of each rule. The design of the rules should be established to

detect abnormal customer activity and should be designed to identify unusual transaction

patterns that include the use of multiple financial services products across the entire MSB

chain. The rules should also consider the span of transactions occurring over a number of

days or weeks, transaction volumes and dollar thresholds. In addition to tracking unusual

activity, the rules should be designed to alert for cash transaction reporting over $10,000.

The MSB should maintain records or reports pertaining to any rules testing that has been

performed to validate the accuracy of the transaction monitoring system. The FIU or

technology team should have procedures in place that describes the system testing

requirements as well as the dates recorded when the testing occurred. It is recommended

that systems be tested within six months of the initial installation and then at least annually

thereafter.44

The effectiveness of the rules can be verified by selecting a sample of each alert and case

type related to prepaid card transactions that triggered or was investigated during the audit

period. The sample should contain all alerts and cases that were created for prepaid card

transactions occurring across the chain, including e-commerce, rather than just store

specific ones. The sample should include both suspicious and not suspicious alerts and

cases. In order to narrow down the sample, the alerts and cases should be selected for

random days throughout the exam period. When reviewing the alerts and cases, the auditor

should verify the following for each:

a) The FIU investigator clearly documented the investigation by describing the outcome

of the decision.

b) The SAR or CTR (when applicable) was attached to the case along with any supporting

investigation notes, documentation and attachments.

After an alert generates, the FIU should have written procedures that provide guidance to

the investigators about responding to alerts and the factors that justify turning the alert into

a case for further investigation and potentially a SAR filing. The FIU procedures should be

reviewed to ensure they contain guidance on conducting investigations as well as

regulatory requirements and time frames for filing initial SARs as well as consecutive

reports.45

VI. Considerations for Drafting Audit Report

The audit report is a detailed assessment describing the program’s strengths and weaknesses as

well as recognizing those areas posing the highest risk to the MSB.46 The report should also

44 Kentouris, C. (August 6, 2015) AML Transaction Monitoring: Five Steps to Getting it Right http://finops.co/operations/aml-transaction-monitoring-five-steps-to-getting-it-right/ 45FinCEN requires initial SAR filing to be submitted 30 days after activity is deemed suspicious and continuing activity within 120 days of the previously related SAR filing. https://www.fincen.gov/frequently-asked-questions-regarding-fincen-suspicious-activity-report-sar 46 FinCEN (September 22,2006) Frequently Asked Questions Conducting Independent Reviews of Money Services Business Anti-Money Laundering Programs https://www.fincen.gov/resources/statutes-regulations/guidance/frequently-asked-questions-conducting-independent-reviews

18

provide regulatory guidance and recommendations to the MSB regarding any corrective actions

that should be taken to remediate any findings. Additionally, the report should indicate whether or

not the MSB is compliant with the requirements of the BSA and following its own policies and

procedures.

The auditor’s observations regarding the level of compliance relating to the major elements of the

program should be contained in the final audit report. Levels of compliance should be evaluated

by using the following criteria:

Satisfactory- In compliance with the regulatory requirements and there are no major

discrepancies identified.

Improvement Needed- In compliance with the regulatory requirements with some

discrepancies identified.

Unsatisfactory- Little or no compliance with regulatory requirements with major

discrepancies identified.

Although the audit covers more areas of the program, the outline below highlights some of the key

elements that should be evaluated and rated in the final audit report.

A. Written AML Compliance Program

1. The program is designed to satisfy the risk profile of the MSB;

2. The program outlines the implementation and design requirements of the four pillars of the

BSA;

3. The AML policies, procedures and internal controls are aligned with the program;47and

4. The program includes policies, procedures and internal controls related to all financial

services products offered by the MSB.

B. Risk Assessments

1. The AML risk assessment incorporates an evaluation of all of the major risk categories:

Financial services product risks, geographic risks, operational risks, and customer risks.

2. The risk assessment pertaining open-loop and non-exempt prepaid cards factor in the

variety of cards offered, the locations where the cards are sold (bricks-and-mortar and

online), how and where the cards may be used, as well as anonymity risks.

3. The store risk assessment contained all of the elements which reasonably assessed the

level of risk per location.

C. AML Training Program

1. All required employees and levels of management received AML training as required by

the AML training program.

2. The training content was sufficient and tailored to the intended audience. There was

sufficient content regarding the regulatory requirements for sellers of open-loop and non-

exempt prepaid cards.

3. The frequency and the method in which the AML training is delivered satisfied the level

of risk by location and job function.

47 31 CFR 1022.210

19

4. During interviews, the cashiers and FIU employees were knowledgeable about AML

/BSA compliance including prepaid access requirements.

D. Independent Audit

1. The frequency of independent audits is aligned with the MSB’s risk level.

2. The MSB remediated any deficiencies identified in previous audits.

E. KYC and Systems Controls

1. The results from the online and POS controls testing for open-loop and non-exempt prepaid

cards indicate the POS systems are reliable and capture KYC from individuals purchasing

prepaid cards at the established per transaction threshold, regardless of the type of card.

2. The KYC register prompts are mandatory and cannot be overridden or bypassed.

3. The KYC register prompts at POS and mandatory fields for customers online capture all

of the required customer information.

4. The KYC transaction thresholds established for open-loop and non-exempt prepaid cards

are aligned with the level of risk reported on the AML risk assessment.

F. Transaction Monitoring Systems and Regulatory Reporting

1. The technology team routinely performs data reconciliation tests, tracks failure rates and

develops and executes corrective action plans.

2. The results from the data transmission test verified the data and KYC collected at POS and

online is transmitting into the transaction monitoring system.

3. The test verified the transaction monitoring rules are designed in a way to capture abnormal

patterns of prepaid card transactions across the enterprise.

4. The test verified the transaction monitoring rules identify large cash transactions requiring

a CTR.

5. The transaction monitoring system and regulatory reporting test validated the FIU are

trained to identify unusual transaction patterns and are knowledgeable about red flags that

indicate suspicious activity.

6. The FIU investigators included documentation, reports and investigation notes to alerts and

cases that were either deemed as suspicious, not suspicious or requiring a CTR.

V. Conclusion

Hopefully this information will provide guidance to auditors who may be faced with an audit of a

BSA program for a seller for prepaid access or a MSB that is part of a large retailer. The magnitude

of the audit can be overwhelming with a large MSB. However, effectively testing all of the major

program elements and providing solutions is extremely beneficial to the MSB and ultimately, the

retailer. The goal of the audit is to identify the weaknesses in the program and provide guidance

to the MSB as it develops plans of action to ensure its program is strong and has reasonable controls

in place to prevent or deter money laundering and terrorist financing. Consequences of an

insufficient audit can result in reputation, civil liability or even criminal risk to a MSB.

20

21

Sources

Bansal, A. (2012). Challenges & Opportunities for Merchant Acquirers. Retrieved from http://www.lansholdings.com/r_d/Challenges___Opportunities_for_Merchant_Acquirers.pdf

Currency Cloud. (August 4, 2015) The Regulation Behind Prepaid Cards. Retrieved from

https://www.currencycloud.com/en-us/news/blog/the-regulation-behind-prepaid-cards/

FATF. (2013). Draft Guidance for a Risk-Based Approach to Prepaid Cards, Mobile Payments and

Internet-Based Payment Services. Retrieved from http://prepaidforum.org/wp-

content/uploads/2013/04/Draft-guidance-prepaid-cards-mobile-payments-and-Internet-based-paymen-.pdf

The Federal Reserve. (December, 2016) The Federal Reserve Payments Study 2016.

https://www.federalreserve.gov/paymentsystems/fr-payments-study.htm

FFIC. (2014). Bank Secrecy Act Anti-Money Laundering Examination Manual: Prepaid Access-

Overview. Retrieved from https://www.ffiec.gov/bsa_aml_infobase/pages_manual/olm_061.htm

FinCEN. (2011, July 26) FinCEN Issues Prepaid Access Final Rule Balancing the Needs of Law

Enforcement and Industry. https://www.fincen.gov/sites/default/files/news_release/20110726b.pdf

FinCEN. (2011, November 2). Final Rule- Definitions and Other Regulations Relating to Prepaid Access.

Retrieved from https://www.fincen.gov/resources/statutes-regulations/guidance/final-rule-definitions-and-

other-regulations-relating

FinCEN, IRS (2008). Bank Secrecy Act/Anti-Money Laundering Examination Manual for Money

Services Businesses.

Furst, K. (2017, January 26). Merchant-Based Money Laundering part 2: Prepaid Gift Card Smurfing.

Retrieved from https://www.acfcs.org/news/328136/Merchant-based-money-laundering-part-2-Prepaid-

gift-card-smurfing.htm

Kentouris, C. (August 6, 2015) AML Transaction Monitoring: Five Steps to Getting it Right

http://finops.co/operations/aml-transaction-monitoring-five-steps-to-getting-it-right/

Mathers, C. (2016, February 4). Terrorists Used Prepaid Cards to Finance Preparations For Paris Attacks.

Retrieved from https://www.linkedin.com/pulse/terrorists-used-prepaid-cards-finance-preparations-paris-

mathers

Murton, R. (2015) Keeping an Eye on Suspicious Activity- The Importance of Maintaining Human

Analytics. ACAMS. files.acams.org/pdfs/2016/Keeping-an-Eye-on-Suspicious-Activity.pdf

Picchi, A. (2017, April 20). Beware of a new scam involving "relatives" and gift cards. Retrieved from

https://www.cbsnews.com/news/beware-of-a-new-scam-involving-relatives-and-gift-cards/

Valdespino, A. (2017, April 27). Addressing Prepaid Access Issues in Bank Secrecy Act Examination

Cases. Retrieved from https://www.irs.gov/pub/foia/ig/spder/sbse-04-0417-0010.pdf

22

Reuters. (2016). Drug Cartels Continue Money Laundering with Prepaid Cards, Amid Industry Pushback.

Retrieved from https://www.nbcnews.com/business/business-news/drug-cartels-continue-money-

laundering-prepaid-cards-amid-industry-pushback-n627056