Risk-Based Audit Approach to MSB Programs for Sellers of Prepaid Cards
Elisa Evans, CAMS
Table of Contents
I. Executive Summary
II. Background
III. Fraud and Money Laundering Risks of Prepaid Cards
IV. Prepaid Access Final Rule Overview
A. Open Loop Prepaid Access:
B. Closed Loop Prepaid Access:
C. Regulatory Requirements for Non-Exempt Sellers of Prepaid Access
V. Audit Plan Scope and Methodology
A. Past Independent Review Reports
B. Written AML Compliance Program, Policies and Procedures
C. AML Risk Assessment
D. Store Risk Assessment
E. AML Compliance Training Program
F. Systems Controls Testing
G. Transaction Monitoring System Testing
VI. Considerations for Drafting Audit Report
V. Conclusion
Sources
I. Executive Summary
This paper provides guidance for a risk-based approach to conducting an audit for large
organizations that are considered both a retailer and a Money Services Business (MSB). The MSB
referenced in this paper is a major publicly traded retailer with over 4,000 retail stores throughout
the U.S. and an e-commerce website. The MSB sells a variety of prepaid cards: its own branded
reloadable gift card in addition to a variety of other gift cards, reloadable prepaid gift cards and
prepaid debit cards. It also offers additional financial services such as check cashing, money
orders, wire transfers and bill payments.
A major retailer that also qualifies as an MSB is unique in that its primary mission is to sell
merchandise, not financial service products. It is often challenging to train merchants to think like
compliance officers. Due to equipment and system requirements, the majority of the financial
services such as wire transfers, bill payments and money orders must be processed at specific
registers in a designated location in the store by employees who have had specialized anti-money
laundering (AML) compliance training. However, prepaid gift cards, which are also available
online, and prepaid debit cards can be sold at any register, by any cashier. This can create
compliance challenges for large MSBs/retailers.
Conducting a Bank Secrecy Act (BSA)/AML audit on an MSB such as the one described in this
paper can also be challenging for an auditor. There are many unique factors to consider from an
auditing standpoint with a company of this magnitude such as selecting the right sample size for
each of the program elements as well as evaluating risk, effectiveness of training, cross-chain know
your customer (KYC) data collection and evaluating the transaction monitoring system.
II. Background
Towards the end of the 1990s, prepaid cards were introduced into the market as an alternate method
of payment to credit and debit cards.1 This method of payment became attractive to those with
little or no credit or who did not have a bank account. By 2015, in the U.S. the number of prepaid debit
card payments reached 9.9 billion with a dollar value of $0.27 trillion2 and it was estimated that
28 percent of American households were either unbanked or under-banked.3
Prepaid debit and gift cards have become very popular among consumers. There are many different
types of prepaid cards. There are private-label gift cards that can only be spent at a specific retail
outlet or location as well as network-branded cards that can be used anywhere the network is
accepted. Some prepaid debit cards even have features similar to debit cards linked to bank
checking accounts.
1 FATF. Draft Guidance for a Risk-Based Approach to Prepaid Cards, Mobile Payments and Internet-Based Payment Services. http://prepaidforum.org/wp-content/uploads/2013/04/Draft-guidance-prepaid-cards-mobile-payments-and-Internet-based-paymen-.pdf
2 The Federal Reserve. (December, 2016) The Federal Reserve Payments Study 2016. https://www.federalreserve.gov/paymentsystems/fr-payments-study.htm
3 Currency Cloud. (August 4, 2015) The Regulation Behind Prepaid Cards. https://www.currencycloud.com/en-us/news/blog/the-regulation-behind-prepaid-cards/
On July 26, 2011, FinCEN issued the Prepaid Access Final Rule (the “Rule”) which amended the
BSA. The Rule imposed regulatory requirements on qualified providers and sellers of prepaid
access, requiring them to register as an MSB and develop an AML program, which includes customer and
transaction information collection as well as suspicious activity reporting for certain types of
prepaid cards.4
III. Fraud and Money Laundering Risks of Prepaid Cards
According to the U.S. Department of Justice, in 2009 an estimated $24 billion in cash and prepaid
cards are smuggled into Mexico each year as a result of drug trafficking and money laundering.5
Most recently, the terrorists who attacked Paris, killing 130 people, used anonymous prepaid cards
to rent hotel rooms the evening before their attack.6
Not only are prepaid cards being used in money laundering schemes but also in consumer fraud
scams. For years perpetrators have been calling elderly victims pretending to be a grandchild or a
relative in need and asking them to send wire transfers to help them. Scam artists have come to
realize that it is quicker and easier to remain anonymous if they trick people into loading prepaid
cards instead of using money transfers. In one example, an 82-year-old woman was contacted by
someone pretending to be her granddaughter, who claimed that she had been arrested in a drug
bust and needed money to be bailed out of jail; the elderly victim lost $36,000 in prepaid card
loads to the scammer.7
A major reason prepaid cards are attractive to criminals is how easily the cards can be purchased.
Most retailers sell a variety of both open-loop and closed-loop prepaid cards. Criminals
are aware of those retail outlets where they can purchase open-loop prepaid cards and how much
they can load on each card and still remain anonymous. Criminals recognize these stores as easy
targets since cashiers are not usually trained to identify money laundering or how to identify and
report suspicious or unusual behavior.
One way the bad guys are able to remain undetected is by purchasing prepaid cards with “smurfing”
techniques similar to those they use to launder cash.8 Groups of criminals
work together to visit various retailers and convenience stores where prepaid cards can be purchased
and load multiple cards with small amounts of cash. By using “smurfs,” they can easily load
hundreds of cards, remain under the KYC threshold and still remain anonymous.
4 FinCEN (July 26, 2011) FinCEN Issues Prepaid Access Final Rule Balancing the Needs of Law Enforcement and Industry. https://www.fincen.gov/sites/default/files/news_release/20110726b.pdf
5 Reuters. (2016). Drug Cartels Continue Money Laundering with Prepaid Cards, Amid Industry Pushback. https://www.nbcnews.com/business/business-news/drug-cartels-continue-money-laundering-prepaid-cards-amid-industry-pushback-n627056
6 Mathers, C. (February 4, 2016). Terrorists Used Prepaid Cards to Finance Preparations For Paris Attacks. https://www.linkedin.com/pulse/terrorists-used-prepaid-cards-finance-preparations-paris-mathers
7 Picchi, A. (April 20, 2017). Beware of a new scam involving "relatives" and gift cards. https://www.cbsnews.com/news/beware-of-a-new-scam-involving-relatives-and-gift-cards/
8 Furst, K. (January 26, 2017). Merchant-Based Money Laundering Part 2: Prepaid Gift Card Smurfing https://www.acfcs.org/news/328136/Merchant-based-money-laundering-part-2-Prepaid-gift-card-smurfing.htm
Another reason prepaid cards are an easy target for money laundering and fraud is the multiple
relationships involved in the sale. These relationships involve the card holder (purchaser),
merchant, merchant acquirer (payment processor and clearing) and issuing bank.9 If the
relationships are not orchestrated effectively, the prepaid cards can become an easy avenue for
organized criminals to use for laundering their illicit funds.
IV. Prepaid Access Final Rule Overview
Prepaid access is defined as “access to funds or value of funds that have been paid in advance and
can be retrieved or transferred at some point in the future through an electronic device or vehicle,
such as a card, code, electronic serial number, mobile identification number or personal
identification number.”10 The Rule, issued on July 29, 2011, established regulatory requirements
for both providers and sellers of prepaid access under the regulatory requirements of the BSA.11
The Rule clearly defines the factors that qualify retailers as sellers of prepaid access that are
required to register as an MSB and develop an AML program. The Rule also describes the
qualifications that exempt a retailer from being classified as an MSB.
According to the Rule and the Federal Financial Institutions Examination Council (FFIEC) BSA
Examination Manual, prepaid cards can be categorized as either open or closed-loop based on the
functionality. The description of each is provided below.12
A. Open-Loop Prepaid Access:
Prepaid cards that have any of the following characteristics:
1. Branded by a major network, such as VISA or MasterCard, and issued by a bank that
is part of that payment network;
2. Can be used as a method of payment for purchases with any merchant that accepts the
major network card;
3. Can be used to access cash from an ATM that accepts the major network card; or
4. Can be reloaded with funds to add value to the card.
B. Closed-Loop Prepaid Access:
Generally, closed-loop prepaid cards are merchant specific and can only be spent with the
merchant issuing the card. Some examples include restaurant gift cards, retail cards, movie
cards, etc.
As mentioned before, the Rule allows for exemptions for some providers, retailers and other
businesses who sell prepaid access cards that meet the following qualifications13:
1. Closed-loop prepaid access cards with load limits that do not exceed $2,000 per day;
2. Cards that can only load funds from a governmental agency;
3. Specific cards, called out by the Rule, related to health care expenses;
4. Open-loop cards that cannot exceed the maximum value of $1,000 per day;
5. Payroll cards that meet all of the following criteria:
a) Cannot be used internationally;
b) Cannot transfer funds from person to person; and
c) Cannot be reloaded by a non-depository source.
9 Bansal, A. (2012). Challenges & Opportunities for Merchant Acquirers
10 31 CFR 1010.100(ww)
11 FinCEN. (November 2, 2011). Final Rule- Definitions and Other Regulations Relating to Prepaid Access.
12 FFIEC. (2014). Bank Secrecy Act Anti-Money Laundering Examination Manual. Prepaid Access-Overview.
13 FinCEN. (November 2, 2011). Final Rule- Definitions and Other Regulations Relating to Prepaid Access.
C. Regulatory Requirements for Non-Exempt Sellers of Prepaid Access
The BSA considers a company as a “seller” of prepaid access if it sells prepaid access products
that can be spent before verification of the customer; or if it does not have controls in place to
prevent the sale of more than $10,000 in prepaid access (including closed loop) to the same
person on the same day.14 A retailer will fall into the category of a seller if it has not established
controls to limit the amount of money that can be loaded and reloaded on its own branded cards
for each customer in one day.
The Rule also revised MSB regulations to require non-exempt sellers of prepaid access to
establish, maintain and implement an AML program that is reasonably designed to prevent
money laundering and terrorist financing.15 The AML program must include the following four
elements:
1. Policies, procedures and internal controls are established to ensure the following:16
a) A customer verification process is established and specific personal information is
captured for customers who purchase over $10,000 of prepaid cards (including
closed loop) during the same day;17
b) Filing CTR and SAR reports;
c) Responding to law enforcement requests; and
d) Record retention.
2. A designated person responsible for the day-to-day compliance obligation;18
3. An adequate AML training program;19 and
4. An independent review20
V. Audit Plan Scope and Methodology
As previously discussed, this audit will be geared towards a publicly-traded large retailer that is
considered a non-exempt seller of prepaid access cards. The retailer is registered as an MSB and
has over 4,000 stores throughout the U.S. as well as an e-commerce website and offers a variety
of open-loop and closed-loop prepaid cards. The cards sold include prepaid debit VISA cards with
features similar to a bank-issued debit card, non-reloadable VISA gift cards, gaming and restaurant
gift cards, and the company-branded closed-loop reloadable gift card that can hold up to $1,000 in
value. Not only does this company sell prepaid cards, but it also offers other financial services
such as check cashing, and is an agent that sells wire transfers, bill payments, credit cards and
money orders.
14 31 CFR 1010.100(ff)(7).
15 31 CFR 1022.210
16 31 CFR 1022.210(d)(1)(i-iv)
17 31 CFR 1022.210(d)(1)(iv)
18 31 CFR 1022.210(d)(2)
19 31 CFR 1022.210(d)(3)
20 31 CFR 1022.210(d)(4)
In order to begin auditing such a large company that offers so many different financial services, it
is important to determine the time period and program components that will be audited. As the
topic of the paper indicates, the audit will cover an assessment of the AML program and will
address the BSA requirements for a seller of prepaid access. The audit will assess the previous
six months of activities of the MSB’s AML program. The program elements that will be audited
are detailed below.
A. Past Independent Review Reports
It is important to review the previous independent audit reports and remediation plans before
beginning an audit. This will help the auditor understand the frequency of independent reviews;
the strengths and weaknesses of the program; and if remediation plans were developed and
tested to address the exceptions identified. Since this audit is focused on prepaid cards, the
auditor should look for any issues previously identified regarding the sale of prepaid cards.
Depending upon the level of proof of remediation and testing of the previous audits, additional
testing may be required to ensure the issues were in fact resolved.
B. Written AML Compliance Program, Policies and Procedures
“MSBs are required by 31 CFR 103.125 to implement an effective AML Program that is
reasonably designed to prevent the MSB from being used to facilitate money laundering and
terrorist financing. The anti-money laundering program must be written and must be
commensurate with the MSB’s risk profile. Furthermore, the program must be fully
implemented and reasonably designed to meet the BSA requirements.”21
The AML compliance program (“Program”) should at a minimum include the four pillars and
should be customized to include all of the MSB’s financial services products and its legal
obligation to comply with the AML/BSA regulations and any other state and federal laws
pertaining to its products. The elements of the program should be reviewed and tested to
determine if the program is adequate and reasonably designed.
To effectively test the program, the auditor must test both the procedures and processes at the
store level where the cashiers have direct contact with customers and in the back-end at the
Financial Intelligence Unit (FIU) level. Considering the scope, it is reasonable to expect the
MSB to maintain two sets of procedures, one for each of the groups mentioned.
At the store level, the written policies and procedures should contain at a minimum, the
following:
a) Customer identification requirements and expectations;
b) Financial services product transaction limits;
c) KYC and Currency Transactions Reporting (CTR) dollar thresholds;
d) Red flag indicators of suspicious activity; and
e) Procedures explaining how to report suspicious activity to the FIU.
21 Bank Secrecy Act/Anti-Money Laundering Examination Manual for Money Services Businesses. (2008). p. 43
At the FIU level, the written policies and procedures should contain at a minimum, the
following:
a) Procedures for responding to transaction alerts generated from the transaction
monitoring system;
b) Case investigation tools and procedures;
c) Case escalation protocol requirements;
d) SAR and CTR reporting procedures;
e) Responding to subpoenas, law enforcement and 314(b) requests.
The program, policies and procedures should be utilized throughout the audit to verify the
effectiveness of the program. The audit should also identify any discrepancies or gaps between
the information provided in the policies and procedures and the program.
C. AML Risk Assessment
The purpose of an AML risk assessment for an MSB is to evaluate the money laundering risks
associated with the types of financial products and services offered in conjunction with the
customer risks, operational risks and geographic locations where the company facilitates
transactions.22 An effective AML risk assessment will expose the weaknesses or vulnerabilities
within the program and should be used when establishing internal controls, procedures and
processes.
In order to determine the soundness of the overall program, the auditor should review and
evaluate the company’s AML risk assessment to gauge whether or not management
sufficiently considered all of the risk elements. The risk assessment should be tailored to the
size of the company and the products and services it offers. Unlike banks, this MSB does not
have customer accounts. In order to gather KYC on a customer, it must be collected at the time
of the transaction. This should be considered when reviewing the AML risk assessment. The
audit of the AML risk assessment should include assessing the following categories:
1. Financial Products and Services Risk
This MSB offers a variety of financial services. Each product should be included in the
AML risk assessment and should be individually evaluated to determine the product’s level
of inherent risk to money laundering and terrorist financing.23 This assessment should take
into consideration each financial service product’s susceptibility to anonymity based on the
regulatory record keeping threshold requirements and program controls. The risk
assessment should also factor in the current procedures and controls to determine the
residual risk per product.
Additionally, each financial service should be evaluated and risk rated against the other
financial services that were sold during the evaluation period. The following factors should
be individually calculated by product and then compared against the total number and face
value of all products combined:
a) Total transaction volume compared to all products;
b) Total and average transaction face value compared to all products;
c) Percentage of transactions compared to all products;
Other considerations:
d) Channels where the products are offered such as bricks-and-mortar and e-commerce;
e) A comparison of the number of SARs and CTRs filed per product to other products;
f) Effectiveness of the AML compliance training program; and
g) The number of consumer fraud complaints reported per product.
22 Bank Secrecy Act/Anti-Money Laundering Examination Manual for Money Services Businesses. (2008). p. 23
23 Bank Secrecy Act/Anti-Money Laundering Examination Manual for Money Services Businesses. (2008). p. 20
Open-Loop and Non-Exempt Prepaid Access Risk Factors
In addition to the factors mentioned above, the MSB should consider other elements that
impact risk for open-loop and non-exempt prepaid cards. The risk factors below are also
described in the memorandum issued on April 27, 2017 by the Department of Treasury
Director of Examination-Specialty Policy, Alfredo Valdespino.24 According to the
memorandum, the level of risk increases when:
a) There are no controls in place to prevent an individual from purchasing multiple cards
or allowing multiple users per card;
b) There are no geographic restrictions that limit the jurisdictions where the cards may be
used, including internet use (This should be considered when evaluating the geographic
risks.);
c) The cards may be used to make person-to-person money transfers;
d) There are no load and reload limits or restrictions in place;
e) Non-face-to-face prepaid access loads are allowed without KYC controls; and
f) The cards may be used at ATMs or POS to withdraw cash.
2. Customer Risk
Since MSBs typically do not maintain accounts for customers, there are other elements that
should be considered when evaluating risks for non-account customers. As mentioned in the
MSB exam manual,25 other factors are:
a) The geographic locations of the stores where the customers conduct transactions. Take
into account whether a store is located in the southern region of the U.S. border or in a
high drug trafficking or financial crimes area;
b) The average dollar amount of transaction for each financial service;
c) The general method of payment. Often the customers using the MSB services are
unbanked customers who use cash rather than credit or debit cards linked to a banking
account; and
d) The general reason why a customer would purchase the product.
In addition to these factors, many of the risks associated with customers may be reduced
by establishing dollar threshold KYC controls at the point of sale compared to the
regulatory requirements as well as limiting the types of government-issued photo
identification that may be accepted. When establishing the KYC dollar threshold limits,
the MSB should consider the risks associated with its customer base, the transaction
volume, the number of locations and the fact that it does not maintain customer accounts.
24 Alfredo Valdespino, Director, Examination-Specialty Policy, Department of Treasury. Memorandum dated April 27, 2017. Addressing Prepaid Access Issues in Bank Secrecy Act Examination Cases. https://www.irs.gov/pub/foia/ig/spder/sbse-04-0417-0010.pdf
25 Bank Secrecy Act/Anti-Money Laundering Examination Manual for Money Services Businesses. (2008). pp. 20-21
3. Operational Risk
The MSB must evaluate its systems and internal controls to determine if they are adequate
enough to detect or prevent money laundering or terrorist financing.26 The MSB
Examination Manual provides a list of the factors that should be considered when
evaluating operational risks.
There are potentially significant operational risks for a large MSB that operates both in the
e-commerce space and bricks-and-mortar, and offers a variety of financial services in
addition to retail goods. It is imperative that the MSB evaluate the level of controls and
dollar thresholds required at POS and online to ensure it is able to capture the KYC and
detect suspicious activity. As a seller of open-loop and non-exempt prepaid cards, the MSB
must take into account the $10,000 KYC requirement and evaluate its systems to ensure it
captures and connects the same customer’s activity across the chain and on-line.
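An added example, not part of the original paper, of how an auditor could re-perform the same-day aggregation described above on a transaction extract that spans stores and the e-commerce site. The field names, the `customer_key` linking value and the sample records are assumptions constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime
from decimal import Decimal

# Same-person, same-day aggregate above which KYC must be captured (per the paper).
KYC_THRESHOLD = Decimal("10000")

# Constructed sample extract of prepaid access sales. Field names and the
# customer_key linking value are assumptions made for this example.
SAMPLE_TXNS = [
    {"id": "T1", "ts": "2017-03-01T09:15:00", "channel": "store-0012",
     "customer_key": "CK-A", "amount": "4000.00", "kyc_captured": False},
    {"id": "T2", "ts": "2017-03-01T11:40:00", "channel": "store-0457",
     "customer_key": "CK-A", "amount": "3500.00", "kyc_captured": False},
    {"id": "T3", "ts": "2017-03-01T20:05:00", "channel": "ecom",
     "customer_key": "CK-A", "amount": "3000.00", "kyc_captured": False},
    {"id": "T4", "ts": "2017-03-01T10:00:00", "channel": "store-0012",
     "customer_key": "CK-B", "amount": "6000.00", "kyc_captured": False},
    {"id": "T5", "ts": "2017-03-01T15:30:00", "channel": "store-0012",
     "customer_key": "CK-B", "amount": "5000.00", "kyc_captured": True},
    {"id": "T6", "ts": "2017-03-01T23:50:00", "channel": "store-0300",
     "customer_key": "CK-C", "amount": "6000.00", "kyc_captured": False},
    {"id": "T7", "ts": "2017-03-02T00:10:00", "channel": "store-0300",
     "customer_key": "CK-C", "amount": "6000.00", "kyc_captured": False},
    {"id": "T8", "ts": "2017-03-01T08:00:00", "channel": "store-0999",
     "customer_key": "CK-D", "amount": "5000.00", "kyc_captured": False},
    {"id": "T9", "ts": "2017-03-01T18:00:00", "channel": "ecom",
     "customer_key": "CK-D", "amount": "5000.00", "kyc_captured": False},
    {"id": "T10", "ts": "2017-03-01T12:00:00", "channel": "store-0012",
     "customer_key": None, "amount": "900.00", "kyc_captured": False},
]


def audit_same_day_aggregation(txns, threshold=KYC_THRESHOLD):
    """Re-perform the same-day aggregation across all channels.

    Returns (exceptions, unlinked_ids). An exception is a customer/day where a
    sale took the running total over the threshold without KYC being captured.
    Records with no linking key cannot be aggregated and are returned
    separately so the auditor can size that blind spot.
    """
    by_customer_day = defaultdict(list)
    unlinked_ids = []
    for txn in txns:
        if not txn.get("customer_key"):
            unlinked_ids.append(txn["id"])
            continue
        ts = datetime.fromisoformat(txn["ts"])
        by_customer_day[(txn["customer_key"], ts.date())].append((ts, txn))

    exceptions = []
    for (customer_key, day), items in sorted(by_customer_day.items(),
                                             key=lambda kv: kv[0]):
        items.sort(key=lambda pair: pair[0])  # evaluate sales in time order
        running_total = Decimal("0")
        missed = []
        for _, txn in items:
            running_total += Decimal(txn["amount"])
            # "Over $10,000": strictly greater than the threshold.
            if running_total > threshold and not txn["kyc_captured"]:
                missed.append(txn["id"])
        if missed:
            exceptions.append({
                "customer_key": customer_key,
                "date": day.isoformat(),
                "total": running_total,
                "channels": sorted({txn["channel"] for _, txn in items}),
                "sales_without_kyc": missed,
            })
    return exceptions, unlinked_ids


if __name__ == "__main__":
    found, unlinked = audit_same_day_aggregation(SAMPLE_TXNS)
    for exc in found:
        print(exc)
    print("unlinked sales:", unlinked)
```

The share of sales that arrive without any linking key is itself a finding, since those records can never be aggregated to the same customer.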
4. Geographic Risk
Geographic risks occur in various locations, both domestic and international, from which
transactions are being conducted, sent, or received by the MSB. For example, money
transfers may be sent to receivers outside of the U.S. as well as received in the U.S. from
senders from other countries. This poses a higher risk for money laundering and fraud
considering the countries from which the money may be sent or received. On the other
hand, many prepaid open loop cards are limited to transactions in the U.S. only. Although
the cards have limited geographic use, they still pose a high risk for money laundering
since they can be used as anonymous instruments.
Provided below are sources used by MSBs to identify high risk domestic and international
locations.
High Risk Domestic Locations
Domestic high risk locations include those listed in the High Intensity Drug Trafficking
Areas (“HIDTA”)27 and the High Intensity Financial Crimes Areas (“HIFCA”)28. In
addition to the HIDTA and HIFCA locations, special attention should be given to the
southwest border locations and those locations near seaside ports.
High Risk International Locations
International high risk geographic locations include those countries, jurisdictions or
governments that are recognized on any of the following websites:
• Office of Foreign Assets Control (“OFAC”)29
• Countries identified by the Secretary of State as supporting international terrorism30
• Jurisdictions determined by the Secretary of Treasury through FinCEN as being of primary money laundering concern (Section 311 of the USA PATRIOT Act)31
• Financial Action Task Force (“FATF”)32
• Money laundering countries and jurisdictions identified by the US Department of State’s annual International Narcotics Control Strategy Report (“INCSR”)33
26 Bank Secrecy Act/Anti-Money Laundering Examination Manual for Money Services Businesses. (2008). p. 22
27 https://www.dea.gov/ops/hidta.shtml
28 https://www.fincen.gov/hifca-regional-map
29 Includes a list of countries, jurisdictions, and governments. OFAC website: https://www.treasury.gov/resource-center/sanctions/Pages/default.aspx
30 https://www.state.gov/j/ct/rls/crt/
D. Store Risk Assessment
Since the MSB has so many bricks-and-mortar locations, it should maintain a separate store
risk assessment that evaluates each store based on the following criteria:
1. Geographic location (refer to the Geographic Risk section of the AML Risk Assessment);
2. Transaction volume per product;
3. Average face value per product;
4. Number of SARs and CTRs filed; and
5. Reported Fraud
All of the above factors should be considered when identifying the stores that fall into the high,
medium, and low-risk categories. The store risk assessment will be important for the auditor
during the review of the AML training program as well as during the store selection for testing
and sampling the prepaid card transactions and procedures.
E. AML Compliance Training Program
The third element required of an AML program is training of appropriate personnel.34 It is
essential for the MSB to hire qualified, experienced staff to manage and oversee the AML/BSA
Compliance Department and the FIU. The job descriptions and resumes of the key staff
members should be reviewed to verify they have the appropriate level of experience, skills and
education necessary to meet the requirements of their individual job responsibilities.
In a retail environment with over 4,000 locations, it is impractical to expect the cashiers and
store management to be AML/BSA compliance experts. However, it is practical and expected
that managers and cashiers who oversee and sell financial service products receive
AML/BSA compliance training and have a basic understanding of their roles and
responsibilities with regard to the regulation.35 This must be considered when developing the
training program.
In order to have an effective training program, the MSB must consider the audience, content,
frequency and method of delivery. The training program and its elements should align with the
AML risk assessment and store risk assessment. The following should be verified:
31 https://www.fincen.gov/regsection311.html
32 http://www.fatf-gafi.org/
33 https://www.state.gov/j/inl/rls/nrcrpt/
34 Bank Secrecy Act/Anti-Money Laundering Examination Manual for Money Services Businesses. (2008). p. 54
35 31 CFR 1022.210 (d)(3)
1. Audience
The MSB’s organizational chart should be reviewed to determine who should be trained in
accordance with roles and responsibilities. The training logs, material and records should
be evaluated to determine if the select audience has completed their training as required by
the AML training program. For this type of MSB, the following roles require AML
training.
a) Cashiers
b) Store Management
c) AML / BSA Compliance Department (includes AML/BSA Compliance Officer,
Compliance Management Team and FIU)
d) Financial Services Business Leaders
e) Internal Audit Department
f) Compliance Sr. Leadership and Board of Directors (or other executive leadership
group reporting to the Board)
2. Content
As explained in the MSB Exam Manual, the training content should be tailored to the job
responsibilities of the employees and managers. When reviewing the training material for
each group, consider the level of accountability and responsibility the role contributes to
the overall success of the program. For example, the training delivered to the cashiers who
have face-to-face interaction with the customers should be different from training delivered
to the executive leadership.
The cashier AML training content should coincide with the cashier compliance policies,
processes and procedures. There should be no discrepancies between the AML training
content and the day-to-day operations. The training content should include AML
compliance information related to all of the financial services products, including prepaid
cards. The training content should at a minimum include:
a) Employee responsibility and accountability to follow the BSA compliance
requirements;36
b) The MSB’s KYC requirements and transaction limits;
c) How financial service products are used to facilitate fraud, terrorist financing and
money laundering; and
d) How to identify and report suspicious activity.
For the store management personnel, the training should include an overview of the BSA
compliance requirements in conjunction with the policies and procedures, as well as their
responsibility and level of accountability in overseeing the BSA program at their store.
On the other hand, the AML/BSA Compliance Department should receive ongoing AML
training, staying apprised of industry trends, money laundering schemes, new regulation,
enforcement actions, etc. The financial services business leaders should also receive basic
AML/BSA training in addition to training about how compliance and regulatory changes
impact their business.
36 Bank Secrecy Act/Anti-Money Laundering Examination Manual for Money Services Businesses. (2008). p. 60
As a best practice, all training materials developed by the MSB should be reviewed and
approved by an AML expert in the legal department and retained for five years.
3. Training Delivery Channel, Record Retention and Frequency
An MSB should consider the following factors when determining the channel from which
the training will be delivered as well as frequency:
a) Size of the organization;
b) Size of the audience(s);
c) Timeliness of training;
d) Accountability;
e) Proof of training completion with a passing grade; and
f) Record retention.
Delivery Channel and Record Retention:
For an MSB of this size with a vast number of store employees who require training, the
organization should have an electronic means of training delivery and tracking. However,
for the smaller groups, the training delivery and tracking is not as complicated and may be
delivered via other methods such as web video or classroom training. Whichever method
is selected, it is important to keep in mind that the training delivery method and tracking
go hand in hand. There must be a way to track and maintain records proving training
knowledge and completion.
Proof of knowledge can be obtained through testing on the content presented and requiring
a passing grade in order to complete the training. If the individual does not pass the training
the first time, it must be retaken until a passing grade is achieved.
Proof of training completion includes signatures or electronic records containing the
training date and a unique personal identifier such as a name, username or unique user ID.
If the only tool used to track the training is a spreadsheet with training dates and a typed
list of names without signatures, the records do not prove the training actually occurred.
Additional proof would be required in this instance. AML training completion records must
be maintained for five years.
Training Frequency:
The initial AML/BSA compliance training should be completed before the cashier sells
any financial services products. The same training completion requirement is expected of
the store management before supervising the employees who perform these job functions.
The frequency of future and ongoing training is dependent upon the MSB’s level of risk.
It also depends upon the level of accountability and responsibility for the AML compliance
program. Therefore, the training frequency, just like the content, cannot be considered as a
“one size fits all.”
For the store employees in a large MSB, the training should be required at least annually
for all employees. However, the MSB should factor in the store risk assessment when
evaluating the frequency for stores rated as high risk. The frequency of training should be
evaluated and treated differently for high-risk stores than those stores with a low-risk
rating. Supplemental or targeted training in addition to the other required training should
be provided to those employees in high-risk locations.
F. Systems Controls Testing
The established POS controls should be aligned with the MSB’s overall AML risk assessment.
The stringency of controls should be based on the size of the organization and its ability to
systematically capture KYC for aggregating prepaid card purchases totaling over $10,000 for
a single customer in one day. For an MSB this large, there is great risk of individuals
recognizing an opportunity to structure their prepaid purchases and avoiding the KYC
requirements if the controls are too relaxed. Considering the level of risk, the expectation for
an MSB of this size is that the dollar threshold for capturing KYC is low enough to make it
difficult for an individual to make large purchases of prepaid cards, at a location or online, and
remain anonymous. Additionally, the KYC captured at any dollar threshold should be
aggregated on the back-end through the transaction monitoring system.
Before beginning the field testing, the auditor should have a general understanding about the
overall operation of the MSB’s BSA/AML compliance program as well as the processes,
policies and procedures. In order to validate the quality and stability of the prepaid access
program, the KYC and dollar threshold controls should be tested at the point of sale, e-
commerce channels and the transaction monitoring system.
Point of Sale (“POS”) and Field Testing
The purpose of performing POS and field testing is twofold:
1. To assess the effectiveness of the BSA/AML training program through employee
interviews; and
2. To validate the system controls are established, functioning and reliable in accordance with
the internal processes and procedures.
Before conducting the assessment, the stores that will be part of the test must be selected. Since
the MSB is part of the large retail corporation, the POS controls should be centralized and
managed from the corporate headquarters, rather than separately at each individual store.
Therefore, in theory, the POS controls should perform the same at every location. The auditor
should confirm this theory by selecting five to six stores ranging from low to high risk and
located in different regions of the U.S. The number of stores initially selected may increase
depending on the consistency of the test results. Since the audit includes e-commerce, the
controls from the e-commerce channels should be tested as well. Once the store selection has
been established, the next task is to begin interviews and testing.
1. On-Site Employee Interviews
Before conducting the POS controls test, the written AML procedures for processing
prepaid card transactions should be reviewed and understood. Then, the next step is
conducting on-site interviews with a select number of cashiers and managers to confirm
the employees have a basic understanding of BSA/AML and the MSB’s prepaid card
compliance program policies and procedures. It is not necessary to interview every cashier
and manager at the test site; however, the interview sample should contain more than one
individual per job category. In addition to verifying the effectiveness of the AML training
program, the interviews help the auditor gain a good understanding of the store level
processes and procedures.
2. On-Site POS Controls Testing
As a best practice, the auditor should create a checklist of controls that are required to be
tested in accordance with the regulation and the written processes and procedures. For
open-loop and non-exempt prepaid cards, there should be specific controls at POS that
ensure the MSB is capturing the required KYC for aggregate prepaid access transactions
totaling over $10,000 during the same day for the same customer.37 As mentioned
previously, the KYC dollar threshold for an MSB of this size should be reasonably low
enough to ensure the KYC can be captured on all qualifying prepaid cards and aggregated
across the organization.
A variety of POS systems tests should be performed including all qualifying prepaid cards
to prove the following to be true:
a) POS is triggering and capturing KYC at the MSB’s lower dollar threshold;
b) Number of cards per person limits cannot be exceeded;
c) Maximum dollar thresholds per card cannot be exceeded;
d) KYC is captured when a variety of prepaid cards are purchased in a single transaction
totaling the POS dollar threshold;
e) KYC is captured when a number of the retailer’s branded reloadable gift cards are
purchased in a single transaction totaling the POS dollar threshold;
f) POS has mandatory system prompts that capture the required KYC (name, address,
date of birth and identification number);38
g) POS mandatory prompts are programmed to prevent the cashier from entering a single
letter or number in order to skip the KYC requirements; and
h) POS mandatory prompt controls cannot be bypassed or overridden.
3. E-Commerce POS Controls Testing
The assessment of e-commerce controls can be conducted similarly to the store level POS
assessment, except that the testing is performed by ordering online and verifying the
controls are in place.
G. Transaction Monitoring System Testing
The purpose for evaluating the transaction monitoring system is to verify its effectiveness and
reliability and that it is in accordance with the MSB’s risk profile.39
1. Data Reconciliation Reports
The purpose of the data reconciliation reports is to validate the transactional data and KYC
captured at POS is being transferred to the AML transaction monitoring system. These
reports should be reviewed before testing the transaction monitoring system. The MSB’s
technology team responsible for systems and data management should maintain
documented policies and procedures to perform and report results of data reconciliation.
37 31 CFR 1022.210(d)(1)(iv)
38 31 CFR 1022.210(d)(1)(iv)
39 Bank Secrecy Act/Anti-Money Laundering Examination Manual for Money Services Businesses. (2008). p. 92
The procedures should be reviewed to determine the frequency data reconciliation tests are
performed and then the reconciliation reports for the audit period should be reviewed.
From those reports the auditor will be able to identify failure rates, corrective action plans
and post-corrective action plan reports.
2. Transaction Sample Testing
The size of the transaction sample is dependent upon the MSB’s risk profile and the results
of previous independent review.40 As explained in the MSB Examination Manual, if the
independent review results are favorable for transaction testing, a minimal sample of
transactions may be adequate enough to ensure the system and the overall program is
operating efficiently.41 On the other hand, if the independent testing did not show favorable
results, the transaction sample should be increased based on the judgment of the auditor
and the results from the initial sample tests.
The MSB’s store risk assessment is a valuable tool when determining the transaction
sample. The selection should contain a mixture of transactions from high, medium, and
low-risk stores. The number of stores selected per risk level will be determined by the
previous independent review results. Since the high-risk stores pose the greatest threat for
money laundering, fraud, and terrorist financing, the majority of the transactions tested
should be from stores in the high risk category. The second largest sample should come
from stores in the medium risk category; and finally, a smaller sample from low risk stores.
Once the stores have been identified, the transaction dates and dollar thresholds must be
selected for the review. To obtain an adequate sample, the dates selected should be
scattered throughout the examination period and should not be isolated to just one day or a
consecutive 7 day period. Additionally, the transaction dollar threshold should be
reasonable and an amount that is high enough to detect patterns of possible structuring.
Selecting at least one day per week, per month throughout the exam period will gauge the
level of consistency of the program. Again, the number of days will vary depending upon
the previous independent reviews and the initial sample test results.
The tests that should be performed with the sample transaction data are as follows:
a) Data Transmission Testing
The data transmission testing is used to validate that the prepaid card transactions
containing KYC were transmitted from POS into the transaction monitoring
system along with the KYC that was captured at the time of the sale.
The testing should begin by first selecting from the raw data sample containing only
those transactions that meet KYC requirements and should have been fed into the
transaction monitoring system as required by the program and procedure. The second
step is to gather data from the transaction monitoring system matching the same dates
and locations. Each POS transaction should be compared to the data contained in the
monitoring system to verify that all of the required transactions and KYC were
transferred into the system.
40 Bank Secrecy Act/Anti-Money Laundering Examination Manual for Money Services Businesses. (2008). p. 33
41 Bank Secrecy Act/Anti-Money Laundering Examination Manual for Money Services Businesses. (2008). p. 33
b) Transaction Pattern Testing
Testing transaction patterns identifies sequences of prepaid card transactions occurring
back-to-back by the same cashier. The purpose is to identify those transactions from
which the MSB should have captured KYC as required by its policies and procedures.
The transaction pattern testing is an analysis of the transactions within the sample that
occurred consecutively by the same cashier but individually did not meet the dollar
threshold for KYC and were not fed into the transaction monitoring system. The purpose
of this test is to identify patterns of individual transactions for which, had they been
combined into a single transaction, the KYC should have been captured. When these
patterns are detected, this may indicate lack of knowledge and understanding of the
written policies and procedures or possible collusion to help someone avoid detection.
c) Regulatory Reporting Transaction Testing
Similar to transaction pattern testing, this is the analysis of prepaid card data to identify
transactions requiring additional investigation that may have required a CTR filing or
further investigation for a possible SAR filing.
This analysis is a combination of both the data transmission testing and the transaction
pattern testing. The purpose for the analysis of the data is to identify unusual transaction
patterns, as well as individual or patterns of large cash transactions that exceed the
$10,000 currency transaction reporting threshold. Once these groups of transactions
have been identified, the auditor should compare the raw data with the same records in
the transaction monitoring system to verify an investigation occurred or a SAR or CTR
was filed.
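The data transmission test and the transaction pattern test described above can be scripted against the sample extracts. The following is an added example, not part of the original paper or of any MSB's system; the record layout, the $500 POS KYC threshold and the 10-minute back-to-back window are assumptions chosen for illustration, and all records are constructed.

```python
from collections import namedtuple
from datetime import datetime, timedelta
from itertools import groupby

# Assumptions, not values from the paper: the MSB's POS KYC threshold,
# the gap that counts as "back-to-back", and all field names.
KYC_THRESHOLD = 500.00
BACK_TO_BACK = timedelta(minutes=10)
KYC_FIELDS = ("name", "address", "dob", "id_number")

Sale = namedtuple("Sale", "txn_id store cashier ts amount kyc")

def kyc(name):
    """Constructed KYC record carrying the four required fields."""
    return {"name": name, "address": "1 Example St", "dob": "1980-01-01", "id_number": "X000"}

def sale(txn_id, store, cashier, ts, amount, kyc_rec=None):
    return Sale(txn_id, store, cashier, datetime.strptime(ts, "%Y-%m-%d %H:%M"), amount, kyc_rec)

# Constructed raw POS sample for two stores and two sample dates.
POS = [
    sale("T1", "S01", "C7", "2017-03-06 10:01", 600.00, kyc("A. Sample")),
    sale("T2", "S01", "C7", "2017-03-06 14:00", 200.00),
    sale("T3", "S01", "C7", "2017-03-06 14:03", 200.00),
    sale("T4", "S01", "C7", "2017-03-06 14:05", 200.00),
    sale("T5", "S01", "C9", "2017-03-06 14:04", 450.00),
    sale("T6", "S02", "C2", "2017-03-13 09:30", 900.00, kyc("B. Sample")),
    sale("T7", "S02", "C2", "2017-03-13 16:00", 750.00, kyc("C. Sample")),
]
# Constructed monitoring-system extract for the same dates and stores.
TMS = {
    "T1": {"amount": 600.00, "kyc": kyc("A. Sample")},
    "T6": {"amount": 900.00, "kyc": {**kyc("B. Sample"), "dob": ""}},  # field lost in transfer
}   # T7 never arrived

def data_transmission_test(pos, tms):
    """Test a): every KYC-qualifying POS sale must exist in monitoring with identical KYC."""
    findings = []
    for s in pos:
        if s.amount < KYC_THRESHOLD:
            continue  # below the trigger, not required in the monitoring feed
        rec = tms.get(s.txn_id)
        if rec is None:
            findings.append((s.txn_id, "missing from monitoring system"))
            continue
        expected = s.kyc or {}
        bad = [f for f in KYC_FIELDS if not rec["kyc"].get(f) or rec["kyc"][f] != expected.get(f)]
        if rec["amount"] != s.amount:
            findings.append((s.txn_id, "amount mismatch"))
        if bad:
            findings.append((s.txn_id, "KYC not transferred: " + ", ".join(bad)))
    return findings

def _runs(sales):
    """Split one cashier's time-ordered sales into runs of back-to-back sub-threshold sales."""
    run = []
    for s in sales:
        gap = bool(run) and s.ts - run[-1].ts > BACK_TO_BACK
        if run and (gap or s.amount >= KYC_THRESHOLD):
            yield run
            run = []
        if s.amount < KYC_THRESHOLD:
            run.append(s)
    if run:
        yield run

def transaction_pattern_test(pos):
    """Test b): runs that individually skipped KYC but together reach the threshold."""
    by_cashier = lambda s: (s.store, s.cashier)
    ordered = sorted(pos, key=lambda s: (by_cashier(s), s.ts))
    flagged = []
    for (store, cashier), sales in groupby(ordered, key=by_cashier):
        for run in _runs(sales):
            total = sum(s.amount for s in run)
            if len(run) > 1 and total >= KYC_THRESHOLD:
                flagged.append({"store": store, "cashier": cashier,
                                "txns": [s.txn_id for s in run], "total": total})
    return flagged

if __name__ == "__main__":
    print(data_transmission_test(POS, TMS))
    print(transaction_pattern_test(POS))
```

Each finding is a lead for the regulatory reporting test in c): the auditor looks up the same records in the monitoring system to see whether an investigation, SAR or CTR followed.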
3. Transaction Monitoring Rules, Alerts, and Cases
Generally, transaction monitoring systems are automated computer programs that are
developed specifically to meet the needs of the MSB through algorithms, rules, and
parameters and are developed to compare normal customer behavior with abnormal or
unexplained behavior.42 The monitoring system should have the capacity to accept and
monitor all of the MSB’s financial service products as well as the volume of transactions.
Effective monitoring systems are rules-driven, adaptive to rule adjustments and use
artificial intelligence to identify specific patterns of transactions based on the complexity
of the rules.43
42 Murton, R. (2015) Keeping an Eye on Suspicious Activity- The Importance of Maintaining Human Analytics. ACAMS. files.acams.org/pdfs/2016/Keeping-an-Eye-on-Suspicious-Activity.pdf
43 Bank Secrecy Act/Anti-Money Laundering Examination Manual for Money Services Businesses. (2008). p. 85
In order to effectively audit the MSB’s transaction monitoring system, the auditor should
refer to both the store risk assessment and the AML risk assessment which will provide
insight into the store risks, types of financial service products, high-risk geographic
locations and high-risk customers. There should be an assessment of the set of rules, logic
and flow behind the design of each rule. The design of the rules should be established to
detect abnormal customer activity and should be designed to identify unusual transaction
patterns that include the use of multiple financial services products across the entire MSB
chain. The rules should also consider the span of transactions occurring over a number of
days or weeks, transaction volumes and dollar thresholds. In addition to tracking unusual
activity, the rules should be designed to alert for cash transaction reporting over $10,000.
The MSB should maintain records or reports pertaining to any rules testing that has been
performed to validate the accuracy of the transaction monitoring system. The FIU or
technology team should have procedures in place that describe the system testing
requirements as well as the dates recorded when the testing occurred. It is recommended
that systems be tested within six months of the initial installation and then at least annually
thereafter.44
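One way to exercise monitoring rules of the kind described above with seeded test data, shown as an added example that is not from the original paper or from any vendor's product. It aggregates cash purchases per customer across stores for the over-$10,000 daily alert and for a multi-day span; the 7-day lookback, the customer key and the sample records are assumptions.

```python
from collections import defaultdict
from datetime import date, timedelta

CTR_THRESHOLD = 10_000.00   # the paper's cash reporting figure: over $10,000
LOOKBACK_DAYS = 7           # assumed span for the multi-day rule

# Constructed cash purchases: (customer_id, day, store, amount).
# customer_id stands for the identification number captured as KYC (assumed key).
TXNS = [
    ("ID-1", date(2017, 3, 6), "S01", 6000.00),
    ("ID-1", date(2017, 3, 6), "S14", 4500.00),    # same day, second store
    ("ID-2", date(2017, 3, 6), "S02", 4000.00),
    ("ID-2", date(2017, 3, 8), "S21", 3500.00),
    ("ID-2", date(2017, 3, 10), "S09", 3000.00),   # 10,500 within five days
    ("ID-3", date(2017, 3, 6), "S01", 9000.00),
    ("ID-3", date(2017, 3, 20), "S01", 9000.00),   # two weeks apart
]

def daily_totals(txns):
    """Aggregate per customer and day across every store in the chain."""
    totals = defaultdict(float)
    for customer, day, _store, amount in txns:
        totals[(customer, day)] += amount
    return dict(totals)

def ctr_rule(txns):
    """Alert when one customer's cash total for a single day is over $10,000."""
    return sorted(k for k, total in daily_totals(txns).items() if total > CTR_THRESHOLD)

def multi_day_rule(txns):
    """Alert when days at or under the threshold add up to more within the lookback."""
    per_customer = defaultdict(list)
    for (customer, day), total in daily_totals(txns).items():
        if total <= CTR_THRESHOLD:          # days over the threshold belong to ctr_rule
            per_customer[customer].append((day, total))
    alerts = []
    for customer, days in sorted(per_customer.items()):
        days.sort()
        for i, (start, _) in enumerate(days):
            window = [t for d, t in days[i:] if d - start < timedelta(days=LOOKBACK_DAYS)]
            if sum(window) > CTR_THRESHOLD:
                alerts.append((customer, start, sum(window)))
                break                       # one alert per customer is enough for review
    return alerts

if __name__ == "__main__":
    print(ctr_rule(TXNS))
    print(multi_day_rule(TXNS))
```

Comparing the alerts a rule produces on seeded records like these with the alerts the auditor expects gives a dated, repeatable record of rules testing.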
The effectiveness of the rules can be verified by selecting a sample of each alert and case
type related to prepaid card transactions that triggered or was investigated during the audit
period. The sample should contain all alerts and cases that were created for prepaid card
transactions occurring across the chain, including e-commerce, rather than just store
specific ones. The sample should include both suspicious and not suspicious alerts and
cases. In order to narrow down the sample, the alerts and cases should be selected for
random days throughout the exam period. When reviewing the alerts and cases, the auditor
should verify the following for each:
a) The FIU investigator clearly documented the investigation by describing the outcome
of the decision.
b) The SAR or CTR (when applicable) was attached to the case along with any supporting
investigation notes, documentation and attachments.
After an alert generates, the FIU should have written procedures that provide guidance to
the investigators about responding to alerts and the factors that justify turning the alert into
a case for further investigation and potentially a SAR filing. The FIU procedures should be
reviewed to ensure they contain guidance on conducting investigations as well as
regulatory requirements and time frames for filing initial SARs as well as consecutive
reports.45
VI. Considerations for Drafting Audit Report
The audit report is a detailed assessment describing the program’s strengths and weaknesses as
well as recognizing those areas posing the highest risk to the MSB.46 The report should also
provide regulatory guidance and recommendations to the MSB regarding any corrective actions
that should be taken to remediate any findings. Additionally, the report should indicate whether or
not the MSB is compliant with the requirements of the BSA and following its own policies and
procedures.
44 Kentouris, C. (August 6, 2015) AML Transaction Monitoring: Five Steps to Getting it Right http://finops.co/operations/aml-transaction-monitoring-five-steps-to-getting-it-right/
45 FinCEN requires initial SAR filing to be submitted 30 days after activity is deemed suspicious and continuing activity within 120 days of the previously related SAR filing. https://www.fincen.gov/frequently-asked-questions-regarding-fincen-suspicious-activity-report-sar
46 FinCEN (September 22, 2006) Frequently Asked Questions Conducting Independent Reviews of Money Services Business Anti-Money Laundering Programs https://www.fincen.gov/resources/statutes-regulations/guidance/frequently-asked-questions-conducting-independent-reviews
The auditor’s observations regarding the level of compliance relating to the major elements of the
program should be contained in the final audit report. Levels of compliance should be evaluated
by using the following criteria:
Satisfactory- In compliance with the regulatory requirements and there are no major
discrepancies identified.
Improvement Needed- In compliance with the regulatory requirements with some
discrepancies identified.
Unsatisfactory- Little or no compliance with regulatory requirements with major
discrepancies identified.
Although the audit covers more areas of the program, the outline below highlights some of the key
elements that should be evaluated and rated in the final audit report.
A. Written AML Compliance Program
1. The program is designed to satisfy the risk profile of the MSB;
2. The program outlines the implementation and design requirements of the four pillars of the
BSA;
3. The AML policies, procedures and internal controls are aligned with the program;47 and
4. The program includes policies, procedures and internal controls related to all financial
services products offered by the MSB.
B. Risk Assessments
1. The AML risk assessment incorporates an evaluation of all of the major risk categories:
Financial services product risks, geographic risks, operational risks, and customer risks.
2. The risk assessment pertaining to open-loop and non-exempt prepaid cards factors in the
variety of cards offered, the locations where the cards are sold (bricks-and-mortar and
online), how and where the cards may be used, as well as anonymity risks.
3. The store risk assessment contained all of the elements which reasonably assessed the
level of risk per location.
C. AML Training Program
1. All required employees and levels of management received AML training as required by
the AML training program.
2. The training content was sufficient and tailored to the intended audience. There was
sufficient content regarding the regulatory requirements for sellers of open-loop and non-
exempt prepaid cards.
3. The frequency and the method in which the AML training is delivered satisfied the level
of risk by location and job function.
4. During interviews, the cashiers and FIU employees were knowledgeable about AML/BSA
compliance including prepaid access requirements.
47 31 CFR 1022.210
D. Independent Audit
1. The frequency of independent audits is aligned with the MSB’s risk level.
2. The MSB remediated any deficiencies identified in previous audits.
E. KYC and Systems Controls
1. The results from the online and POS controls testing for open-loop and non-exempt prepaid
cards indicate the POS systems are reliable and capture KYC from individuals purchasing
prepaid cards at the established per transaction threshold, regardless of the type of card.
2. The KYC register prompts are mandatory and cannot be overridden or bypassed.
3. The KYC register prompts at POS and mandatory fields for customers online capture all
of the required customer information.
4. The KYC transaction thresholds established for open-loop and non-exempt prepaid cards
are aligned with the level of risk reported on the AML risk assessment.
F. Transaction Monitoring Systems and Regulatory Reporting
1. The technology team routinely performs data reconciliation tests, tracks failure rates and
develops and executes corrective action plans.
2. The results from the data transmission test verified the data and KYC collected at POS and
online is transmitting into the transaction monitoring system.
3. The test verified the transaction monitoring rules are designed in a way to capture abnormal
patterns of prepaid card transactions across the enterprise.
4. The test verified the transaction monitoring rules identify large cash transactions requiring
a CTR.
5. The transaction monitoring system and regulatory reporting test validated the FIU are
trained to identify unusual transaction patterns and are knowledgeable about red flags that
indicate suspicious activity.
6. The FIU investigators included documentation, reports and investigation notes to alerts and
cases that were either deemed as suspicious, not suspicious or requiring a CTR.
VII. Conclusion
Hopefully this information will provide guidance to auditors who may be faced with an audit of a
BSA program for a seller of prepaid access or an MSB that is part of a large retailer. The magnitude
of the audit can be overwhelming with a large MSB. However, effectively testing all of the major
program elements and providing solutions is extremely beneficial to the MSB and ultimately, the
retailer. The goal of the audit is to identify the weaknesses in the program and provide guidance
to the MSB as it develops plans of action to ensure its program is strong and has reasonable controls
in place to prevent or deter money laundering and terrorist financing. An insufficient
audit can result in reputational, civil liability or even criminal risk to an MSB.
Sources
Bansal, A. (2012). Challenges & Opportunities for Merchant Acquirers. Retrieved from http://www.lansholdings.com/r_d/Challenges___Opportunities_for_Merchant_Acquirers.pdf
Currency Cloud. (August 4, 2015) The Regulation Behind Prepaid Cards. Retrieved from https://www.currencycloud.com/en-us/news/blog/the-regulation-behind-prepaid-cards/
FATF. (2013). Draft Guidance for a Risk-Based Approach to Prepaid Cards, Mobile Payments and Internet-Based Payment Services. Retrieved from http://prepaidforum.org/wp-content/uploads/2013/04/Draft-guidance-prepaid-cards-mobile-payments-and-Internet-based-paymen-.pdf
The Federal Reserve. (December, 2016) The Federal Reserve Payments Study 2016. https://www.federalreserve.gov/paymentsystems/fr-payments-study.htm
FFIEC. (2014). Bank Secrecy Act Anti-Money Laundering Examination Manual: Prepaid Access- Overview. Retrieved from https://www.ffiec.gov/bsa_aml_infobase/pages_manual/olm_061.htm
FinCEN. (2011, July 26) FinCEN Issues Prepaid Access Final Rule Balancing the Needs of Law Enforcement and Industry. https://www.fincen.gov/sites/default/files/news_release/20110726b.pdf
FinCEN. (2011, November 2). Final Rule- Definitions and Other Regulations Relating to Prepaid Access. Retrieved from https://www.fincen.gov/resources/statutes-regulations/guidance/final-rule-definitions-and-other-regulations-relating
FinCEN, IRS (2008). Bank Secrecy Act/Anti-Money Laundering Examination Manual for Money Services Businesses.
Furst, K. (2017, January 26). Merchant-Based Money Laundering part 2: Prepaid Gift Card Smurfing. Retrieved from https://www.acfcs.org/news/328136/Merchant-based-money-laundering-part-2-Prepaid-gift-card-smurfing.htm
Kentouris, C. (August 6, 2015) AML Transaction Monitoring: Five Steps to Getting it Right http://finops.co/operations/aml-transaction-monitoring-five-steps-to-getting-it-right/
Mathers, C. (2016, February 4). Terrorists Used Prepaid Cards to Finance Preparations For Paris Attacks. Retrieved from https://www.linkedin.com/pulse/terrorists-used-prepaid-cards-finance-preparations-paris-mathers
Murton, R. (2015) Keeping an Eye on Suspicious Activity- The Importance of Maintaining Human Analytics. ACAMS. files.acams.org/pdfs/2016/Keeping-an-Eye-on-Suspicious-Activity.pdf
Picchi, A. (2017, April 20). Beware of a new scam involving "relatives" and gift cards. Retrieved from https://www.cbsnews.com/news/beware-of-a-new-scam-involving-relatives-and-gift-cards/
Valdespino, A. (2017, April 27). Addressing Prepaid Access Issues in Bank Secrecy Act Examination Cases. Retrieved from https://www.irs.gov/pub/foia/ig/spder/sbse-04-0417-0010.pdf
Reuters. (2016). Drug Cartels Continue Money Laundering with Prepaid Cards, Amid Industry Pushback. Retrieved from https://www.nbcnews.com/business/business-news/drug-cartels-continue-money-laundering-prepaid-cards-amid-industry-pushback-n627056