Seminar Description and Purpose · Bank Regulatory Agency Role Overview Federal functional (bank) regulatory agencies are charged with conducting on-site BSA examinations to verify

Your State Association Presents

BSA/AMLRecent Developments &

Common Errors Program Materials

Use this document to follow along with the live webinar

presentation. Please test your system before the broadcast.

Be sure to print enough copies for all listeners.

August 19, 2015 Presenter: Ken Golliher

Technical Support (for faster service please submit inquiries via email or online): (Registration & Tech Support): Email- [email protected], Phone- (877)988-7526 FOR ADDITIONAL ASSISTANCE PLEASE REFER TO OUR FAQs

mailto:[email protected]

https://bankers.confedge.com/ap/eSite/?i=faq

Procedures for Submitting Additional Questions

After the program is over, you have until midnight to submitadditional questions to Ken via email

Send your questions to [email protected]

In approximately 3-5 working days (it depends on the number of questions), we will email you a copy of all the questions along with Ken’s answers

This information will also be posted on your Conference Edgeaccount


BSA-AML

Compliance Management

2015

THIS SEMINAR IS… SO…

Not offered as legal advice

Attendees should consult with legal counsel

for advice on specific fact situations.

THIS MANUAL IS… SO…

Copyrighted by Pegasus Educational

Services, LLC, March, 2015

No portion of it, other than any government

forms it contains, can be reproduced

without violating U.S. copyright laws.

Anyone reporting such infringement will be

compensated.

(Blank Page)

Pegasus Educational Services, LLC

Pegasus Seminars

Since 1996 Pegasus Educational Services, LLC, located in Louisville, Kentucky, has worked to provide bankers across the nation with quality programs, presentations and materials. Our goal is your success. The original founders, Laura Wilson and Ken Golliher each have worked for state bankers associations in several states and have a dedicated following of attendees in each of them. Those bankers know they are going to get the best, most current information available delivered in an easy to digest, even humorous fashion. Both prove that participating in a training session, even a compliance training session, does not have to be painful!

Today’s Presenter

Ken Golliher is a principal with Pegasus Educational Services, LLC, a training firm headquartered in Louisville, Kentucky. Prior to becoming a full time trainer, he was a community banker and then the General Counsel for a regional consulting firm for financial institutions. He has presented seminars and compliance schools in more than 25 states. He serves as an administrator for BSA/AML compliance schools sponsored by the Florida, Indiana, Iowa, Kentucky, Louisiana, Tennessee, Texas, Michigan, and Wisconsin bankers associations. Ken has also served as an instructor for both FDIC and OTS examiners at the agencies' residential schools.

Blank Page

TABLE OF CONTENTS

Seminar Description and Purpose

1

Bank Regulatory Agency Role

7

Currency Transaction Reporting

10

FinCEN Currency Transaction Report 11

Exemptions from Currency Transaction Reporting

22

Designation of Exempt Person 24

CTR Backfiling 42

Currency Transaction Report Backfiling of Amendments

Checklist Form (No number)

43

Record Retention

44

Information Sharing 56

Suspicious Activity Reporting 62

FinCEN Suspicious Activity Report 63

NBFIs & MSBs 77

Anti – Money Laundering 81

.Anti – Money Laundering (CIP)

Anti – Money Laundering (Due Diligence)

87

Anti – Money Laundering (Enhanced Due Diligence)

98

Risk Rating Customers

108

Pegasus Educational Services, LLC 1


Introduction

This seminar teaches the bank related reporting, recordkeeping

and program requirements of the Currency and Foreign

Transactions Reporting Act of 1970. This federal statute is a

bank secrecy act, a generic term applied to banking laws in

many countries. Generally, these are laws that deal with

financial privacy issues. However, in the United States, the

generic term is generally used as the proper name, “the Bank

Secrecy Act” (BSA) and that is how it will be described

hereafter.

The BSA’s goal is not secrecy, but financial intelligence.

This program also reviews a bank’s responsibilities for

establishing an anti-money-laundering (AML) program. This

program is a combination of its:

customer identification program,

customer due diligence, and

enhanced customer due diligence.

What constitutes an appropriate AML program varies from

bank to bank and is ascertained through a periodic risk

assessment.

The Bank

Secrecy Act, as

amended

The BSA has been amended several times since its passage in

1970. Among the amending acts were the:

Money Laundering Control Act of 1986,

Annunzio-Wiley Act of 1992,

Money Laundering Suppression Act of 1994, and

USA PATRIOT Act of 2001.

These laws amended BSA, they did not take on a life of their

own. For example, adoption of Customer Identification

Programs or registering to share information with other banks is

for the purpose of complying with BSA, not the USA

PATRIOT Act – the original source of the concepts.



Purpose

This program’s purpose is to explain the key compliance

requirements of a bank’s BSA/AML program so they can be

integrated into daily operations.

Goals

Upon completion of this course, attendees are able to:

explain BSA’s law enforcement purposes,

recognize circumstances which require filing a Currency

Transaction Report (CTR),

administer exemptions from CTR filing ,

understand BSA’s general and specific record retention

requirements,

develop or evaluate a BSA compliance program appropriate

for their institution,

realize how an AML program is a necessary adjunct to a

BSA compliance program,

develop an appropriate AML program,

understand that AML/BSA compliance is the feeder system

for suspicious activity reporting, and

recognize circumstances which require filing a Suspicious

Activity Report (SAR).

Performance

Objectives

During this seminar, you will achieve the seminar goals by;

listening to the discussion,

participating in the discussion and

implementing what you learn when you return to work.

Primary

Audience

This program is designed for financial institution personnel

responsible for administering or evaluating a BSA/AML

compliance program. Information is presented at the basic and

intermediate levels.



BSA

Enforcement

Administration

Congress delegated authority to write implementing regulations

and administrative opinions for BSA to the Department of the

Treasury. That power now belongs to the Financial Crimes

Enforcement Network (FinCEN) a bureau within the

department of the Treasury.

FinCEN has delegated authority to examine for BSA/AML

compliance to the federal functional bank regulatory agencies:

Office of the Comptroller of Currency,

Board of Governors of the Federal Reserve System,

National Credit Union Administration, and

Federal Deposit Insurance Corporation.

FinCEN has also entered into memorandums of understanding

with state chartering authorities to cover BSA/AML

compliance in their on-site examinations.

Internet

Resources

The FinCEN website is the jumping off point for any serious

BSA/AML Research: http://www.fincen.gov/.

Another resource is the "FFIEC InfoBase"

http://www.ffiec.gov/bsa_aml_infobase/default.htm

developed by the FFIEC’s Task Force on Examiner Education

to provide field examiners with an electronic source for training

and distributing needed examination information

Note that the “Red Flags” section on the FFIEC web site

contains helpful examples for training several employee

groups.

http://www.fincen.gov/

http://www.ffiec.gov/bsa_aml_infobase/default.htm



FFIEC

BSA/AML

Examination

Manual

Because BSA is largely a safety and soundness topic, the

examination procedures often include many things not mentioned

in the regulations; i.e. failure to adhere to major philosophies in

the examination procedures may be adjudged to be an “unsafe and

unsound” banking practice. A link to the FFIEC BSA/AML

Examination Manual (the Examination Manual) is found by

clicking “Statutes & Regulations” on the banner of the FinCEN

web site.

The Examination Manual is a compilation of existing regulatory

requirements, supervisory guidance, and sound practices.

Updates do not set new standards. Generally, they simply

incorporate developments which have been published elsewhere

since the previous edition.

The Examination Manual was last updated in the last quarter of

2014. The table of contents draws attention to areas of change

and/or heightened emphasis by noting the year next to the topic:



Interpretive

Regulations

Like most federal banking laws, BSA is interpreted by

regulations. The regulations are written by FinCEN. Effective

March 1, 2011, the regulations were renumbered as 31 CFR

Chapter X. If you are reviewing an older resource that cites the

original regulation, there is a citation translator at

http://www.fincen.gov/statutes_regs/ChapterX/

Note: Appendix A to the Examination Manual contains a very

helpful list of relevant regulations.

BSA Related

E-Mail Services

(Free)

Several agencies will send official announcements or

notifications of changes to their web sites to subscribers:

Federal Deposit Insurance Corporation

http://www.fdic.gov/about/subscriptions/index.html

Federal Reserve Board of Governors

http://www.federalreserve.gov/newsevents/subscribe.htm

Financial Crimes Enforcement Agency (FinCEN) Updates

http://service.govdelivery.com/service/multi_subscribe.html?co

de=USFINCEN

Office of the Comptroller of Currency (OCC):

http://www.occ.treas.gov/listserv.htm

Office of Foreign Assets Control

http://www.ustreas.gov/ofac/

U.S. Immigration and Customs Enforcement (ICE)

http://www.ice.gov/

http://www.fincen.gov/statutes_regs/ChapterX/

http://www.fdic.gov/about/subscriptions/index.html

http://www.federalreserve.gov/newsevents/subscribe.htm

http://service.govdelivery.com/service/multi_subscribe.html?code=USFINCEN

http://service.govdelivery.com/service/multi_subscribe.html?code=USFINCEN

http://www.occ.treas.gov/listserv.htm

http://www.ustreas.gov/ofac/

http://www.ice.gov/



FinCEN

Resource

Center

Financial institutions are encouraged to seek assistance from the

FinCEN Resource Center:

Phone: 800.767.2825

E-mail: [email protected]

Hours: 8:00 AM to 6:00 PM EST

Previously published numbers for FinCEN’s “Helpline” and “Help

Desk” now roll over to this number which offers a more elaborate

“decision tree.”




Overview

Federal functional (bank) regulatory agencies are charged with

conducting on-site BSA examinations to verify regulatory

compliance. They have the authority to impose enforcement

actions for noncompliance. Bank regulatory agencies report

all violations found to the Department of Treasury, generally

as statistics. Major violations are referred in the name of the

bank involved.

BSA Policy

Requirements

Each bank regulatory agency issued regulations requiring the

institutions they supervise to have a BSA compliance program.

Each requires supervised institutions to have a written policy

providing for:

internal controls,

independent testing,

an individual responsible for compliance, and

training for appropriate personnel.

The program regulations also require the existence of a

Customer Identification Program. While the language of the

various “program regulations” is identical, each agency cites

violations of its own regulation:

If the supervisory agency is

the...

Then its BSA program

regulation is found at...

Federal Deposit Insurance

Corporation

12 CFR 326.8

Federal Reserve Board of

Governors

12 CFR 208.63

National Credit Union

Administration

12 CFR 748.2

Office of the Comptroller of

Currency

12 CRF 21.21



On-site

Examinations

Both the Department of the Treasury and the federal functional

regulatory agencies have the power to examine banks for BSA

compliance. State banking departments, at FinCEN’ s request,

also include BSA compliance in their on- site examination

profiles. Generally, the regulatory agencies consider BSA to be

a “safety and soundness” rather than a “compliance” issue. As

such, the results of a BSA examination can affect the bank’s

CAMELS rating. That rating reflects the agency’s overall

evaluation of the institution.

A poor BSA compliance program impacts “M” or “management

ability” component of CAMELS. A poor CAMELS rating (3 -

5) affects the processing of the bank’s applications for branches

and additional powers. It also reduces the interval between

examinations.

Note: Regulatory agencies must report all BSA violations to

FinCEN in statistical communications. Serious compliance

issues which might merit specific attention are brought directly

to FinCEN’ s attention.

Regulatory

Actions

Regulatory agencies have a variety of actions they can take

when they discover BSA violations:

criticism in the written report of examination with attendant

impact on CAMELS rating,

memorandum of understanding,

consent decree

civil money penalties and

referral to Treasury.

Under the terms of 12 USC 1818(s)(2), all violations identified

must be cited in the written report of examination. Also,

according to the statute, being cited for a repeat violation

automatically generates a cease and desist order. There is

Interagency Guidance that describes these provisions more

specifically in Appendix R of the BSA/AML Examination

Manual.



BSA Related

Enforcement

Actions by

Functional

Regulatory

Agencies

Each federal functional regulatory agency publishes formal

enforcement actions on its website. All have search capabilities.

Federal Deposit Insurance Corporation

http://www.fdic.gov/bank/individual/enforcement/index.html#search

form

Federal Reserve Board of Governors

http://www.federalreserve.gov/apps/enforcementactions/search.aspx

Office of the Comptroller of Currency

http://apps.occ.gov/EnforcementActions/

Note: There is much to be learned in reviewing enforcement actions

against other financial institutions. They can also be valuable

training tools for certain audiences; e.g. management, including the

board of directors.

Promoting a

Culture of

Compliance

FinCEN Advisory 2014-A007 stresses “… the importance of a

strong culture of BSA/AML compliance for senior management,

leadership and owners of all financial institutions subject to

FinCEN’s regulations regardless of size or industry sector.”

The author suggests this advisory be incorporated into training for

management, including the board of directors.

http://www.fdic.gov/bank/individual/enforcement/index.html#searchform

http://www.fdic.gov/bank/individual/enforcement/index.html#searchform

http://www.federalreserve.gov/apps/enforcementactions/search.aspx

http://apps.occ.gov/EnforcementActions/



Overview

All businesses - not just banks - are required to report currency

transactions exceeding $10,000. The purpose of the reporting

is to identify unusual flows of currency that may be emblematic

of illegal activity. More than 13 million (down from 15

million) currency transaction reports are filed annually.

Data Entry

Devices

The reports and the types of transactions that are reportable

vary depending on the entity with the reporting responsibility.

If the filer is a ... then the currency

transaction is reported on

the…

depository institution FinCEN CTR

casino, MSB, brokerage firm FinCEN CTR

other business

FinCEN Form 8300 (Report of

Cash Payments Over $10,000

Received in a Trade or

Business)

Note: Anyone shipping or carrying more than $10,000 in

currency into or out of the United States must report on

FinCEN Form 105 (formerly Customs Form 4790), Report of

International Transportation of Currency or Monetary

Instruments (CMIR). Banks do not normally file CMIRs.

CTR FAQ

In May, 2013 FinCEN published a “Frequently Asked

Questions” document that is invaluable in the completion of the

FinCEN CTR:

http://www.fincen.gov/whatsnew/html/ctr_faqs.html

http://www.fincen.gov/whatsnew/html/ctr_faqs.html











When

Reporting is

Required

A currency transaction exceeding $10,000 is reportable. The

currency need not be U.S. dollars, but can be any foreign coin

or currency in an amount that, when converted, exceeds

$10,000. Reportable transactions include:

deposits,

withdrawals,

exchanges, or

other payments or transfers.

Example 1 Matthew makes a $14,000 loan payment in cash.

A CTR must be filed. The transaction falls under the heading

of an “other payment or transfer.”

Example 2 Mark deposits 6 cashier’s checks totaling $41,000.

No CTR filing is needed. There is no cash component to this

transaction.

Aggregating

Transactions

Some currency transactions must be aggregated in determining

whether a CTR filing is required.

Multiple transactions must

be treated as a single

transaction if...

and...

multiple currency transactions

by or on behalf of the same

person exceed $10,000 in any

business day

the bank, or one of its

employees, has knowledge of

them.

Note: FIN-2012-G001 made it clearer that cash transactions for

commonly owned but separately operated entities are not

subject to aggregation.

http://www.fincen.gov/statutes_regs/guidance/pdf/FIN-2012-

G001.pdf

http://www.fincen.gov/statutes_regs/guidance/pdf/FIN-2012-G001.pdf




Aggregating

Transactions

The factors which determine whether transactions should be

aggregated deserve serious attention:

A “person” may be an individual or an entity.

The “bank” is all its offices considered together

Example 3 Two AmCorp. employees make $6,000 currency

deposits to the company’s account during the same business

day. The deposits are made at different branches.

As both deposits are on behalf of the same “person” and made

at the same “bank,” they are subject to aggregation.

A “business day” is whatever a bank normally

communicates to its depositary customers regarding the

routine positing of a transaction.

Example 4 Anywhere Federal has a properly disclosed 2:00

p.m. cut off; i.e. deposits received after then are posted on the

next day’s business. Michele made an $1,100 currency deposit

to her personal account at 11:30 a.m. At 3:00 p.m. the same

day, she makes a deposit for her employer which included

$9,600 in currency.

No CTR is required. The transactions took place on different

business days.

Only “like” transactions, in terms of cash entries, are subject

to aggregation.

Example 5 Diane purchases a $6,000 cashiers check with

currency and, later that same business day, deposits $7,500 in

currency to a friend’s account.

The cash side of each transaction is represented by a debit to

cash or a cash-in. The transactions are subject to aggregation.



Aggregating

Transactions,

continued

A bank “knows” about multiple transactions when a bank

employee or a bank system is aware of them.

Example 6 The same teller sells the official check and accepts

the deposit in Example 5.

Since one person knows about both transactions, a CTR is

required.

Example 7 Anywhere N.A. has a computer system that

aggregates cash-ins and outs affecting the same deposit account.

Arthur deposits $4,000 in cash to his account. Later that same

day, his wife makes a $8,100 cash deposit to the same account.

The computer system will find the two cash-ins. A CTR is

required.

Systems for

Aggregating

Transactions

If a bank has a system that allows it to aggregate multiple

transactions, it is required to use it properly. However, there is

no legal requirement that a bank have a system. Treasury

contemplated such a rule many years ago, but ultimately

withdrew the notice of proposed rulemaking. However,

aggregation systems are an item of “examiner preference” and

have become a practical necessity. Lack of such an internal

control could automatically generate a criticism of the

independent review’s inability to verify that large transactions

are identified and reported.

CTR

Addresses

The permanent street address, including zip code is required. A

P.O. box should not be used and may not be used unless there is

no street address.



CTR

Identification

All individuals (except employees of an armored car service

operating as an agent of the reporting financial institution)

conducting reportable transactions for themselves or for another

person, must be identified by means of an official document.

Acceptable

identification is...

and.. Examples are...

a document or

documents which

contain a name and

preferably an

address and a

photograph

which are normally

acceptable by

financial

institutions as a

means of

identification when

cashing checks for

persons other than

established

customers.

driver’s license,

military and

military

dependent I.D.

cards,

passport,

state issued I.D.

card,

foreign cedula

card and

nonresident

alien

identification

cards.

Note: Acceptable identification obtained previously and

recorded in the financial institution’s records may be used to

complete the report.

Note: In the absence of acceptable identification, banks should

decline the transaction.

Note: There are identification requirements for entities as well;

e.g. the person on whose behalf the transaction was conducted

might be an entity rather than an individual. For it,

identification could include such things as an entity’s business

license or incorporation documents, etc.



NAICS Codes

Enter the North American Industry Classification System (NAICS)

code for the occupation or type of business. Acceptable codes are

those found on a “drop down” list when the appropriate field is

clicked. The complete list of codes available is found here:

http://bsaefiling.fincen.treas.gov/docs/2007NAICS.pdf

Note: The codes listed on the reports’ “drop down” lists are a small

fraction of those currently available. See: http://www.naics.com/

Note: This is not a “critical” field. Also, per the instructions, a filer

may elect to describe the occupation or type of business instead of

using the NAICS code.

CTR

Occupation or

Type of

Business

The person’s profession, occupation or business should be

specifically identified. For example:

Examples of specific

occupations or types of business

are...

Examples of non-

specific occupations are...

doctor,

carpenter,

attorney,

truck driver,

plumber.

used car

dealership,

hardware

store.

businessman,

merchant,

retailer,

retired, or

self-employed.

Note: “If words like self-employed, unemployed, or retired are

used, add the current or former profession if known (e.g. self-

employed building contractor, retired teacher, or unemployed

carpenter).”

http://bsaefiling.fincen.treas.gov/docs/2007NAICS.pdf

http://www.naics.com/



Armored Cars

FinCEN revised its position on CTR completion in connection with

armored cars with the issuance of FIN-2013-R001 in July 2013.

http://www.fincen.gov/news_room/rp/rulings/html/FIN-2013-

R001.html

CTR Filing

Timeframe

FinCEN CTR must be filed by the 15th calendar day after the day

of the transaction.

CTR

Instructions

The instructions for the FinCEN CTR (Rev. March, 2015) are

found at:

http://sdtmut.fincen.treas.gov/docs/FinCENCTRElectronicFilingRe

quirements.pdf

Note: Compare the number of the current version of the

instructions (1.5) to the current version of the report a few pages

before.

http://www.fincen.gov/news_room/rp/rulings/html/FIN-2013-R001.html

http://www.fincen.gov/news_room/rp/rulings/html/FIN-2013-R001.html

http://sdtmut.fincen.treas.gov/docs/FinCENCTRElectronicFilingRequirements.pdf

http://sdtmut.fincen.treas.gov/docs/FinCENCTRElectronicFilingRequirements.pdf



Customer

Guidance on CTR

Filing

FinCEN publishes an English/Spanish pamphlet which can be used to

explain CTR filing and the evasion of CTR filing to customers.

http://www.fincen.gov/whatsnew/pdf/CTRPamphlet.pdf

http://www.fincen.gov/whatsnew/pdf/CTRPamphlet.pdf



Overview

The purpose of identifying a customer as an “exempt person” is

to allow the financial institution to discontinue the filing of

CTRs on that customer. In turn, that reduces Treasury’s receipt

of CTRs that serve no law enforcement purpose. Banks

choosing to use the exemption process should focus on

documenting every required element; i.e. files supporting

exemptions should speak for themselves.

Mandatory vs.

Discretionary

Exemptions

Although the statute describes some exemptions as

“mandatory,” the terminology is not applicable to the

depository’s institution’s use of the exemption process. With

the exception of banks and government entities which are

automatically exempt from currency transaction reporting, use

of the exemption process is a compliance management

decision; i.e. it is voluntary.

Enhanced

Compliance

Risk

Exemptions eliminate some work on the part of the financial

institution by decreasing the number of required CTR filings.

On the other hand, they increase the institution’s compliance

risk by adding an additional compliance element for regulatory

personnel to critique. Many institutions place greater emphasis

on the second point.

FinCEN

Guidance on

Revisions

Updated FinCEN guidance on the exemption process is found

in FIN-2012-G003:

http://www.fincen.gov/statutes_regs/guidance/pdf/FIN-2012-

G003.pdf





Filing

Designation of

Exempt Person

Report

Banks need the DOEP report (See next page) to recognize

some customers as exempt persons.

Note: Banks and government entities are automatically exempt

persons; it is not necessary for banks to file a DOEP report on a

bank or government entity. Banks and government entities are

simply not subject to CTR filing.

Filing is

Retroactive

The DOEP report must be filed within 30 days of the first

reportable transaction that the bank is seeking to exempt.

DOEP

Instructions

The instructions for the FinCEN DOEP (Rev. October 2012)

are found at:

http://sdtmut.fincen.treas.gov/news/FinCENDOEPElectronicFil

ingRequirements.pdf

For questions regarding completion of the discrete report, see

attachment C to those instructions.

http://sdtmut.fincen.treas.gov/news/FinCENDOEPElectronicFilingRequirements.pdf

http://sdtmut.fincen.treas.gov/news/FinCENDOEPElectronicFilingRequirements.pdf









Exempt Person,

as Defined in

Phase I –

Banks,

Government

Entities and

Publicly

Traded

Companies

Listed on a

Major

Exchange

(2) Exempt person. For purposes of this section, an exempt person

is:

(i) A bank, to the extent of such bank's domestic operations;

(ii) A department or agency of the United States, of any State, or

of any political subdivision of any State;

(iii) Any entity established under the laws of the United States, of

any State, or of any political subdivision of any State, or under an

interstate compact between two or more States, that exercises

governmental authority on behalf of the United States or any such

State or political subdivision;

(iv) Any entity, other than a bank, whose common stock or

analogous equity interests are listed on the New York Stock

Exchange or the American Stock Exchange or whose common stock

or analogous equity interests have been designated as a NASDAQ

National Market Security listed on the NASDAQ Stock Market

(except stock or interests listed under the separate “NASDAQ

Capital Markets Companies” heading), provided that, for purposes

of this paragraph (d)(2)(iv), a person that is a financial institution,

other than a bank, is an exempt person only to the extent of its

domestic operations;

(v) Any subsidiary, other than a bank, of any entity described in

paragraph (d)(2)(iv) of this section (a ``listed entity'') that is

organized under the laws of the United States or of any State and at

least 51 percent of whose common stock or analogous equity interest

is owned by the listed entity, provided that, for purposes of this

paragraph (d)(2)(v), a person that is a financial institution, other

than a bank, is an exempt person only to the extent of its domestic

operations;



Non Filing on

Phase I Exempt

Persons –

Government

Entities

Example 8: The Travis County Sheriff’s Department opens a

transaction account. Because it is a government entity, it is not

necessary for the bank to impose its CIP program.

Example 9: The Travis County Sheriff’s Department has an

otherwise reportable cash transaction. Because it is a government

entity, it is not necessary for the bank to file a CTR or a DOEP.

Documenting

Phase I status –

Government

Entities

(5)(ii) Governmental departments and agencies. A bank may

treat a person as a governmental department, agency, or entity if

the name of such person reasonably indicates that it is described

in paragraph (d)(2)(ii) or (d)(2)(iii) of this section, or if such

person is known generally in the community to be a State, the

District of Columbia, a tribal government, a Territory or Insular

Possession of the United States, or a political subdivision or a

wholly- owned agency or instrumentality of any of the foregoing.

An entity generally exercises governmental authority on behalf of

the United States, a State, or a political subdivision, for purposes

of paragraph (d)(2)(iii) of this section, only if its authorities

include one or more of the powers to tax, to exercise the authority

of eminent domain, or to exercise police powers with respect to

matters within its jurisdiction.

Example 10 In its list of exempt persons the bank notes:

Marion County School District (Name indicates it is a

government entity and it has the power to tax)

Regional Office, Federal Bureau of Investigation (Name

indicates it is a government entity)

Five Counties Mental Health Services (Service compact

acting as a joint instrumentality of Jefferson, Oldham,

Shelby, Spencer and Bullitt counties)

SEATAC Regional Airport Authority (Holds the power of

eminent domain)



Non Filing on

Phase I Exempt

Persons –

Banks

Example 11: A respondent bank opens an account with the

Omega National Bank. Because the respondent is a bank, it is

not necessary for Omega National to impose its CIP program.

Example 12: The respondent bank ships cash in a reportable

amount to the Omega National Bank. Because the respondent

is a bank, it is not necessary for either bank to file a CTR or a

DOEP.

Documenting

Phase I Status -

Banks

Banks (that includes thrifts and credit unions) can be most

easily identified through the web sites of the entities that insure

them:

From the FDIC web site:

From the NCUSIF web site:

Note: If you found these pages on the insurers’’ web sites and

printed them rather than taking screen shots, your browser

should print the date across the bottom of the page indicating

the date of your research.



Filing on Phase

I Exempt

Persons –

Listed Publicly

Traded

Companies

Example 13: McDonalds Inc. is a NYSE traded company that

operates a chain of fast food stores across the U.S. It opens a

transaction account with Anystate Bank. Because it is a listed

entity, it is not necessary for the bank to impose its CIP

program. However, Anystate Bank must either file a CTR or a

DOEP if McDonalds Inc. conducts a reportable transaction.

Documenting

Phase I Status –

Publicly

Traded

Companies

Listed on a

Major

Exchange

Proper documentation can come from an approved list of

sources:

(iii) Stock exchange listings. In determining whether a person is

described in paragraph (d)(2)(iv) of this section, a bank may

rely on any New York, American, or NASDAQ Stock Market

listing published in a newspaper of general circulation, on any

commonly accepted or published stock symbol guide, on any

information contained in the Securities and Exchange

Commission “EDGAR” System, or on any information

contained on an Internet site or sites maintained by the New

York Stock Exchange, the American Stock Exchange, or the

NASDAQ.

For example, the NYSE web site:



Filing on Phase

I Exempt

Persons –

Subsidiaries

Example 14: Taco Bell is a subsidiary of a NYSE traded

company, Yum Brands. Taco Bell opens a transaction account

with Anystate Bank. Because it is only a subsidiary of a listed

company, it is necessary for the bank to impose its CIP program.

In addition, Anystate Bank must either file a CTR or a DOEP if

Taco Bell conducts a reportable transaction.

Documenting

Phase I status –

Subsidiaries of

Publicly

Traded

Companies

Listed on a

Major

Exchange

Subsidiaries of publicly traded companies listed on a major

exchange may be identified by:

any reasonably authenticated corporate officer’s certificate,

any reasonably authenticated photocopy of Internal Revenue

Service Form 851 (affiliation schedule) or

an annual report or 10-K filed with the Securities and

Exchange Commission.

From the SEC web site and YUM Brands Form 10K, Exhibit

21.1, Taco Bell is a subsidiary:

Company

Owned

Businesses vs.

Franchises

Many publicly owned companies listed on a major exchange use a

system of franchisees to deliver their products and services. The

documentation used to open a bank account should indicate

whether the bank’s relationship is with a franchisee or the

company. For example, an account opening resolution from

KWG Enterprises, LLC dba McDonalds #1542 indicates the

customer is KWG Enterprises, LLC, not McDonalds Inc.



Exempt Person,

as Defined in

Phase II – Non

Listed

Businesses and

Payroll

Customers

This type of exemption was created second and was thereafter

referred to as “Phase II.”

(2) Exempt person. For purposes of this section, an exempt person

is:

[i – v omitted here]

(vi) To the extent of its domestic operations and only with

respect to transactions conducted through its exemptible accounts,

any other commercial enterprise (for purposes of this paragraph (d),

a “non-listed business”), other than an enterprise specified in

paragraph (d)(5)(viii) of this section, that:

(A) Maintains a transaction account, as defined in paragraph

(d)(5)(ix) of this section, at the bank for at least two months, except

as provided in paragraph (d)(3)(ii)(B) of this section;

(B) Frequently engages in transactions in currency with the bank

in excess of $10,000; and

(C) Is incorporated or organized under the laws of the United

States or a State, or is registered as and eligible to do business within

the United States or a State; or

(vii) With respect solely to withdrawals for payroll purposes from

existing exemptible accounts, any other person (for purposes of this

paragraph (d), a ``payroll customer'') that:

(A) Maintains a transaction account, as defined in paragraph

(d)(5)(ix) of this section, at the bank for at least two months, except

as provided in paragraph (d)(3)(ii)(B) of this section;

(B) Operates a firm that regularly withdraws more than $10,000

in order to pay its United States employees in currency; and

(C) Is incorporated or organized under the laws of the United

States or a State, or is registered as and eligible to do business within

the United States or a State.

Two Options:

Length of

Relationship or

Risk

Assessment

In addition to having conducted at least five or more reportable

cash transactions within a year:

the customer must have maintained a transaction account

for two months, or

the depository institution may conduct a risk based

analysis of the customer’s need for large currency

transactions.



Option A:

Considering the

Length of the

Relationship as

Requirement

for Exemption

Example 15: Alpha Corp. is a publicly traded company, but it is

not listed on a major exchange. It moves its business to Anystate

Federal. Alpha Corp was properly designated as an exempt

person at its previous institution and asks if it will be treated the

same way at Anystate Federal.

As soon as Alpha Corp. has five or more reportable transactions

and has maintained a transaction account with Anystate for at

least two months, Anystate Federal can file a DOEP report on

Alpha Corp.

Documenting

the Length of

the

Relationship

Remember, “the file speaks for itself.” Examples of

documentation that would show how long the customer’s

transaction account has been open could include a copy of a:

signature card showing the date the account was opened,

or

the first page of bank statement that is more than 60 days

old, or

print out from a customer information file that shows the

date the transaction account was opened.

Option B:

Conducting a

Risk

Assessment

Instead of waiting two months before recognizing a Phase II

customer as an exempt person, the regulation allows a bank to

perform a customer risk assessment.

(B) Notwithstanding subparagraphs (d)(2)(vi)(A) and (d)(2)(vii)(A) of

this section, and if the requirements under this paragraph (d) of this

section are otherwise satisfied, a bank may designate a non-listed

business or a payroll customer, as described in paragraphs (d)(2)(vi)

and (vii) of this section, as an exempt person before the customer has

maintained a transaction account at the bank for at least two months

if the bank conducts and documents a risk-based assessment of the

customer and forms a reasonable belief that the customer has a

legitimate business purpose for conducting frequent transactions in

currency.



Using a Risk

Assessment as

Requirement

for Exemption

Example 16: Anystate Federal convinces Alpha Corp, a closely

held corporation that operates 10 convenience stores in Anystate to

transfer all its business to them. Alpha Corp. was properly

designated as an exempt person at its previous institution and asks

if it will be treated the same way at Anystate Federal.

As soon as Alpha Corp. has five or more reportable transactions,

Anystate Federal can conduct a risk assessment on Alpha, Corp. to

determine whether it has a legitimate business purpose in

conducting frequent currency transactions.

Documenting

the Risk

Assessment

The regulation allows a risk based analysis in deciding whether to

treat the customer as an exempt person. The supplementary

information accompanying the final regulation indicates the risk

based approach should consider:

the length of the bank’s current relationship with the

customer,

the length of any past relationship with the customer,

certain specific characteristics of the customer’s business

model that may be pertinent,

the types of business in which the customer engages and,

where the business is operating.

Again, the file speaks for itself. It should be apparent what criteria

the bank used in choosing to evaluate the customer’s risk level for

exemption; the risk based analysis must be in writing.

Note: The author suggests that a bank using this method impose

and enforce a requirement that an existing business provide

evidence of a history of large currency transactions; e.g. prior bank

statements would be supportive.

Example 17: Long term customer Gamma Corp. reestablishes its

relationship with Anystate Bank, N.A. after transferring all of its

business to another institution for two months. Within the next 30

days it has 5 reportable transactions. The bank can use the risk

assessment method rather than waiting for 2 months.



Enhanced

Compliance

Risk

Use of the risk assessment rather than relying on a two month

relationship is a compliance management decision; i.e. it is not

required. There is no official guidance beyond that mentioned

above on what an acceptable risk assessment might entail.

Accordingly, any analysis offered by a bank using this method will

be subject to an unpredictable variety of interpretations by

regulatory field examiners. A regulatory conclusion that a risk

assessment was inadequate would have significant consequences.

Frequency of

Large

Currency

Transactions

“Frequently” was interpreted in supplementary information

accompanying the revised regulation as 5 reportable transactions

per year; i.e. within any period of 12 consecutive months.

Note: Exemption applies to the person or customer, not the

customer’s individual accounts. If all of the customer’s accounts

are included in the review then all of the customer’s transactions in

connection with those accounts are covered by the exemption.

Documenting

Transaction

Frequency

Remember, “the file speaks for itself.” Examples of documentation

that would show that the customer has had at least 5 reportable

transactions in the last 12 months could include:

copies of CTRs filed,

a print-out from the financial institution’s computer system

showing the reportable currency transactions in the

designated time frame, or

a manually compiled list of reportable transactions supported

by copies of the actual documents; e.g. checks or deposit

slips.

Note: Documentation does not have to include evidence of the

actual number of large transactions in the last 12 months, only 5 of

them.



Evidence of

U.S. Existence

Again, the file speaks for itself. The non-listed business must be

incorporated or organized under the laws of the United States or

authorized to do business in the United states. The form of

business organization determines what documentation is

appropriate.

Documenting

Existence

The customer’s existence should have been documented as a

function of the bank’s CIP. On the other hand, the requirement for

an annual review of all Phase II exempt persons indicates the

customer’s continuing existence is an issue. Standard techniques

used in opening new accounts should be used to verify existence.

For “creatures of statute,” verification of existence can generally be

obtained from the Secretary of State’s web site. For example:

For more “casual” business organizations such as general

partnerships and sole proprietorships, banks generally rely on any

evidence of government recognition available. For example:

state tax certificate,

fictitious name registration or occupational license (if

applicable),

city or county occupational license, or

state or local license.



Documenting

Payroll

Withdrawals

The customer must actually pay its employees in cash, not just

cash their checks.

Note: Withdrawals should be on an understandable frequency and

reflect a breakdown of denominations consistent with paying

wages to individuals. The author suggests that use of the payroll

exemption may be inconsistent with a well thought out anti-

money laundering program.

Ineligible

Businesses

Some businesses are not eligible for treatment as a non-listed

business:

(viii) Ineligible businesses. A business engaged primarily in one

or more of the following activities may not be treated as a non-listed

business for purposes of this paragraph (d): serving as financial

institutions or agents of financial institutions of any type; purchase

or sale to customers of motor vehicles of any kind, vessels, aircraft,

farm equipment or mobile homes; the practice of law, accountancy, or

medicine; auctioning of goods; chartering or operation of ships, buses,

or aircraft; gaming of any kind (other than licensed parimutuel betting

at race tracks); investment advisory services or investment banking

services; real estate brokerage; pawn brokerage; title insurance and

real estate closing; trade union activities; and any other activities that

may be specified by FinCEN. A business that engages in multiple

business activities may be treated as a non-listed business so long as

no more than 50% of its gross revenues is derived from one or more of

the ineligible business activities listed in this paragraph (d)(6)(viii).

Note: FinCEN has added marijuana related businesses to this list.

Gross Revenues

FinCEN ruling 2002-1 explains that the term “gross revenue” in

the CTR exemption regulations is intended to encompass the

amount of money that a business actually earns from a particular

activity, not the sales volume of such activity. For example, to

evaluate the eligibility of a convenience store that sells lottery

tickets, the bank would have to know how much income the store

made on those sales, not the value of all the tickets it sold.



Documenting

Gross Revenues

FinCEN regulations and guidance do not prescribe any specific

method for banks to use in documenting what percentage of

revenues a business derives from ineligible activities. In general

there are a few commonly used options including obtaining a:

copy of the customer’s income tax return that breaks down

revenues by type (not likely),

income statement prepared by the customer’s accountant,

or

statement written by the customer stated what percentage

of gross revenues come from ineligible activity.

FinCEN Guidance 2009-G001:

http://www.fincen.gov/statutes_regs/guidance/html/fin-2009-

g001.html provides a little insight, but does not indicate an

objective standard where a bank and its regulatory agency could

be certain to agree that specific documentation was necessary:

In instances where it is apparent – through a bank’s

implementation and application of due diligence policies,

procedures, and processes to all customers – that a non-listed

business customer derives a clear minority of its annual gross

revenues from ineligible business activities, the bank could

reasonably and appropriately exempt that customer from

currency transaction reporting based solely upon materials and

information collected and considered in the ordinary course of

conducting customer due diligence.

However, in those instances where it is less clear whether a non-

listed business customer derives no more than 50 percent of its

annual gross revenues from ineligible activities, a bank should

obtain such additional supporting materials and information that

would allow it to make a reasonable determination that it may

appropriately exempt that customer from currency transaction

reporting.

http://www.fincen.gov/statutes_regs/guidance/html/fin-2009-g001.html




Verification of

Exempt Person

Status and

Record

Retention

The bank must:

verify exempt person status and

retain the records supporting verification.

The steps considered reasonable are those the bank would take

to protect itself from loan or other fraud based on

misidentification of a person’s status.

Supporting documentation is retained for five years. Supporting

documentation might include:

a copy of any original DOEP filed,

copies of each annual review conducted in the last five

years and,

if it is a Phase II exemption, copies of the DOEPs filed

previously as biennial renewals.

Annual Review

At least annually, the bank must verify that exempt persons

other than banks and government entities retain their status.

Example 18: Anywhere State Bank filed a DOEP report on

Alpha Corp., an unlisted business, in January, 2014.

Within 12 months of that filing date Anywhere State Bank must

conduct and document a review of Minor Corp.’s eligibility.

(See sample on following page.)

Note: Documentation for an annual review is generally the

equivalent of the documentation used to support the initial

filing of the DOEP. It varies dramatically based on whether it

is a Phase I or Phase II exempt person.

Revocation of

an Exemption

Banks may, but are not required to file a DOEP report

indicating an exemption has been revoked.



CTR Filing Exemption Review for period ___/___/___ to ___/___/___

Check one Initial Review Annual review

Customer

Physical Address

SSN/EIN

Form of organization

Most Recent DOEP Report Date ___/___/___

Nature of Enterprise NAICS Code

Phase I Exempt Person Bank Government Listed company Subsidiary of listed company

Documentation regarding status indicated above is attached.

Phase II Exempt Person Documentation that customer has maintained a transaction account for 2 months or more is

attached.

Documentation that customer frequently engages in large currency transactions (at least 5 in the

twelve month period under review) is attached.

Documentation that the customer is currently authorized to do business in a state or the United States is

attached.

Yes No Does the customer engage in any activities that are considered ineligible

for exemption from currency transaction reporting:

Financial institution or agent of a financial

institution

Purchaser or seller of:

o motor vehicles,

o vessels,

o aircraft,

o farm equipment, or

o mobile homes.

Engaged in the practice of:

o law

o accountancy or medicine.

Auctions goods

Charters and operates ships, buses or aircraft

Gaming

Investment advisory or investment banking

services

Real estate brokerage

Pawn brokerage

Title insurance and real estate closing

Trade union activities

Marijuana related business

(If yes, documentation is attached that indicates the activities, establishes the percentage of gross

revenues they represent and shows that the aggregate amount shown is less than 51%.)

Yes No Does the customer act as a non bank financial institution (NBFI) by performing

currency exchanges, cashing checks, selling or redeeming checks or selling or redeeming stored value

cards, accepts virtual currencies, etc.? (If yes, documentation is attached that establishes the customer

has registered and obtained licenses if required by state and federal law.)

The bank’s system of monitoring cash transactions has been applied to this customer in this period.

Bank Employee ______________________________

Not A Model Form



List of Exempt

Persons

There is only a practical requirement that the bank keep a list of

persons on whom exempt person designations have been filed.

What a bank includes on its list is a function of judgment and

the needs of the readership. For example:

Phase I Exemptions

Customer

Account(s)

/Transactions

Exempted

Basis For

Exemption

Last DOEP

Filed

Last

Verification

or Review

Amcore Inc.

1522 Kings Highway

Clear Springs, Florida

33123

All NYSE Listed 10/1/97 2/1/15

Clear County

Sheriff’s Office

Room 216 Courthouse

101 N. Main St.


33123

All Government

Entity (police

powers)

10/1/97

2/1/08

(No longer

required)

Clear Springs

National Bank

5420 Main Street


33123

All Bank

10/1/97 2/1/08

(No longer

required)

Omega National

Bank

15111 Champions

Blvd

Miami, Fl 33157

All Bank N/A 2/1/08

(No longer

required)

Phase II Exemptions ABC Supermarket

Inc.

1234 Dixie Highway


33123

Deposits and

withdrawals

to all

transaction

accounts

[list #s]

Non listed

business

3/15/08 2/1/15

Note: This is not a suggestion that banks and government

entities must be listed on the bank’s list of exempt persons or

even a suggestion that the bank must have a list of exempt

persons. It is only a sample of how the information might be

kept.


CTR Backfiling

Overview

Occasionally, errors occur in the exemption process. An

example would be that of a customer recognized as an exempt

person was later found to be ineligible. Backfiling missing

CTRs without consulting with FinCEN first is a significant

compliance error.

Steps in

Obtaining a

Backfiling

Determination

Step Action

1 If the bank finds one or several omitted CTRs or a

repetitive error on CTRs it should call the FinCEN

Resource Center 800.767.2825 and leave a message

indicating that a backfiling determination is requested.

2 Explain the relevant facts to the FinCEN

representative to see if a backfiling determination is

appropriate. If so, the then current version of the

form on the following page will be sent to you.

3 Complete the form including all of the required

information and promptly return it to FinCEN with

the cover letter explaining:

o how the error occurred,

o how it was discovered and

o the measures taken to assure it does not happen

again.

4 Follow the instructions received from the FinCEN in

regard to backfiling. If backfiling is required, the

appropriate notation should be made on the BSA -

CTR.

Note: This process is not designed for required CTRs that were

simply omitted in error.


CTR Backfiling


Record Retention

Overview

BSA contains a long list of records which banks are required to

keep. The BSA requires financial institutions to keep certain

records and make certain reports that have been determined to be

useful in criminal, tax, or regulatory investigations or

proceedings, and for intelligence or counter-intelligence activities

to protect against international terrorism. The record retention

requirements of BSA are substantive; i.e. they are important in

their own right and are not generally focused on evidence of

compliance.

Retention

Period

All records which banks are required to keep under BSA must be

kept for five years.

Retention

Method

BSA allows banks to keep records in any fashion, using any

medium, e.g., originals, photocopies, microfilm, electronic

storage, etc. Regulations require banks to be able to produce

required records within a reasonable period of time.

Required

Records

Each Currency Transaction Report filed;

Each exemption granted;

Each extension of credit in an amount over $10,000 including,

borrower’s name and address,

amount of the credit,

nature and purpose of the credit and

the date of the credit.

Note: This does not apply to loans secured by real estate.

Each advice, request, or instruction received or given

regarding a transaction resulting in the transfer of currency or

other monetary instruments, funds, checks, investment

securities, or credit, of more than $10,000, to or from any

person, account or place outside the United States;


Record Retention

Required

Records,

continued

A list of deposit accounts opened without a TIN before

October 1, 2003.

Note: The bank is expected to maintain a list of accounts

opened without a TIN prior to October 1, 2003. CIP

requirements should make it impossible for a bank to open an

account for a U. S. person without a TIN after that date.

Current examination procedures emphasize TIN

compliance.

Each document granting signature authority over each deposit

account;

Each statement, ledger card or other record of each deposit

account showing each transaction involving the account,

Each check, clean draft or money order drawn on the bank for

more than $100 except those drawn on certain high volume

accounts,

Each debit in excess of $100 to a customer’s account other

than bank charges or charges pursuant to an agreement with

the customer,

Each document relating to a transaction of more than $10,000

remitted or transferred to a person, account or place outside

the United States,

Each check or draft in excess of $10,000 drawn on or issued

by a foreign bank which the domestic bank has paid or

presented to a nonbank drawee for payment,


Record Retention

Required

records,

continued

Each item relating to any transaction of more than $10,000

received on any one occasion directly and not through a

domestic financial institution, from a bank, broker or dealer in

foreign exchange outside the United States,

Records prepared or received by a bank in the ordinary course

of business which would be needed to reconstruct a demand

deposit account and to trace a check in excess of $100

deposited in a demand deposit account,

A record of each certificate of deposit sold including the

description of the instrument, a notation of the method of

payment, the date of the transaction and the following

information regarding the purchaser:

name,

address, and

taxpayer identification number,

A record of each certificate of deposit presented for payment

including the description of the instrument and the date of the

transaction and the following information regarding the person

presenting the certificate for payment:

name,

address, and

taxpayer identification number,

Each deposit slip or credit ticket reflecting a transaction in

excess of $100 or the equivalent record for direct deposit or

other wire transfer deposit transactions,

Note: The slip or ticket must show the amount of any currency

involved.

Information regarding official checks sold for cash (explained

in detail below), and

Information regarding wire transfers of $3,000 or more.


Record Retention

Monetary

Instruments

Issued for

Cash

When a financial institution issues monetary instruments for cash

between $3,000 and $10,000 inclusive, it must retain certain

information. The information required varies depending on

whether the purchaser is a deposit account holder. Official checks

include:

Bank checks or drafts,

Cashiers checks,

Money orders and

Travelers checks.

Prohibition vs.

Record

Retention

Requirement

Although it is routinely discussed as a record retention

requirement the regulation is actually written a prohibiting the

sale if the information is not obtained. If the information cannot

be obtained, the transaction should be refused.

General

Information

Required

Some information must be kept for all covered sales:

Name of purchaser

Date of purchase

Type of instrument

Instrument(s) serial number

Amount of instrument(s)


Record Retention

Purchases

by Deposit

Account

Holders

If the

purchaser…

then the financial institution must also

document that it has verified…

is a deposit

account holder

that the purchaser is a deposit account

holder whose identity was previously

verified and the information was recorded

on the signature card or file record or

the purchaser’s name and address through

examination of identification and recording

specific identifying information.

Purchases

by Non-

Deposit

Account

Holders

If the

purchaser…

then the financial institution must also

obtain the purchaser’s…

is not a deposit

account holder

address,

SSN or alien I.D. number, and

date of birth.

Note: A non deposit account holder’s name and address must be

verified through examination of identification and recording

specific identifying information.

Aggregation

Triggering

Record

Retention

Contemporaneous purchases of the same or different types of

instruments totaling $3,000 or more are treated as one purchase. If

the financial institution is aware of multiple purchases during one

business day totaling $3,000 or more, they are treated as one

purchase.

Monetary

Instrument

Sales Log

There is no specific method required for retaining information on

monetary instrument sales. A requirement that the information be

maintained on a log in a centralized place was removed from the

regulation several years ago. Nevertheless, many banks still

maintain the information using this method.


Record Retention

“Indirect”

Purchases with

Cash

Banks may implement a policy requiring customers who are

deposit accountholders and who want to purchase monetary

instruments in amounts between $3,000 and $10,000 with

currency to first deposit the currency into their deposit accounts.

Nothing within the BSA or its implementing regulations prohibits

a bank from instituting such a policy.

However, FinCEN takes the position that when a customer

purchases a monetary instrument in amounts between $3,000 and

$10,000 using currency that the customer first deposits into the

customer’s account, the transaction is still subject to the

recordkeeping requirements of 31 CFR 1010.415. This

requirement applies whether the transaction is conducted in

accordance with a bank’s established policy or at the request of

the customer. Generally, when a bank sells monetary instruments

to deposit accountholders, the bank already maintains most of the

information required by 31 CFR 1010.415 in the normal course of

its business. (Examination Manual, December, 2014)

Note: A bank would need to be able to identify monetary

instrument sales subject to the record retention requirement for

reviewers to demonstrate they could be made available to law

enforcement upon request.

Consider: If your financial institution sold a cashiers check to a

deposit account holder and retains a “register copy” of the check,

how much additional information would you need to meet the

record retention requirements? What if it was a non deposit

account holder? What if it was a money order or travelers checks

instead of a cashiers check? Not all financial institutions will

have the same answers.

Relevant

Policies and

Procedures

Financial institutions are expected to have policies and procedures

in connection with monetary instrument sales. They are also

expected to monitor these sales for suspicious activity.


Record Retention

Funds

Transfers

Of $3,000

Or More

When a bank originates or receives a funds transfer of $3,000 or

more it must retain certain information. (Responsibilities of

intermediary banks are not discussed here.)

Established

Customer

An “established customer” includes a person with a loan, deposit

or other asset account or one for whom the institution has on file

the person’s name; address; taxpayer identification number or

passport number and country of issuance; and to which the

institution provides financial services in reliance on that

information.

General

Information

Required by

Originating

Banks

Certain information must be kept for all covered funds transfers:

name and address of the originator

the amount of the funds transfer

the date of the funds transfer,

any payment instructions received from the originator with the

payment order,

the identity of the beneficiary bank, and

as many of the following items as are received with the

payment order:

name and address of the beneficiary,

account number of the beneficiary, and

any other specific identifier of the beneficiary.

Note: There is no requirement that the originating bank request or

record the “purpose” of the wire transfer. However, many banks

do so as a part of their customer due diligence program.


Record Retention

Additional

Information

Required

Additional information must be kept when the originator is not an

established customer:

if payment order received in person, identification is verified

and recorded

if person placing order is not originator, the originator’s U.S.

taxpayer identification, passport identification number

(including country of issuance). If this information is not

available, a note of the inquiry must be made.

if payment order not made in person, a record of the

originator’s name and address; U.S. taxpayer identification,

alien registration or passport number (including country of

issuance). If this information is not available, a note of the

inquiry must be made. A copy of or record of the method of

payment is also required.

Note: A bank is not obligated to send a wire transfer for anyone,

particularly someone who is not an established customer. A bank

is not obligated to receive a wire transfer for anyone, particularly

someone who not is an established customer.


Record Retention

Information

Includable in

Transmittal

Order

(aka, Travel

Rule)

The following must be included in the transmittal order for

covered transfers:

the name and, if payment is made from an account, account

number of the transmitter

the address of the transmitter

amount of transmittal order

date of transmittal order

identity of recipient’s financial institution

as many of the following as are received with transmittal

order

name and address of recipient

account number of recipient

any other specific identifier of recipient and

either the name, address or numeric identifier

of the transmitter’s financial institution.

Note: FinCEN Guidance 2010-G004 issued November

9, 2010, provides a Q & A on the requirements of the

“travel rule.”

http://www.fincen.gov/statutes_regs/guidance/pdf/fin-

2010-g004.pdf

http://www.fincen.gov/statutes_regs/guidance/pdf/fin-2010-g004.pdf

http://www.fincen.gov/statutes_regs/guidance/pdf/fin-2010-g004.pdf


Record Retention

General

Information

Required by

Beneficiary

Bank

Certain information must be kept for all covered funds

transfers:

an original or reproduction of the payment order

Additional

Information

Required

Additional information must be kept when the beneficiary is

not an established customer:

If payment is delivered in person, identification is verified

and recorded

if person receiving proceeds is not the beneficiary, the

beneficiary’s U.S. taxpayer identification, passport

identification, or alien registration number (including

country of issuance). If this information is not available, a

note of the inquiry must be made.

if proceeds not delivered in person, a copy or record of the

method of payment and the name and address of the person

to whom it was sent.

Retrievability

Originating banks must keep records so they can be retrieved

either by reference to the originator’s name or account number.

Beneficiary banks must keep records so they can be retrieved

by reference to the beneficiary’s name or account number.

(Obviously, in both cases, if there is no account, retrieval is by

name only.)


Record Retention

Proposed Rule

on Cross-

Border

Electronic

Transmittal of

Funds

On September 27, 2010 FinCEN issued a notice of proposed

rulemaking regarding requiring MSBs & banks to report, not

just keep records of, certain cross border transmissions of

funds.

http://www.fincen.gov/news_room/nr/html/20100927.html

No final regulation has been published.

Production of

Records

As noted, banks are generally required to produce records

“within a reasonable period of time.” Federally supervised

financial institutions to provide records related to anti-money

laundering compliance to their regulatory agency within 120

hours of the request. The requirement includes: …information

and account documentation for any account opened,

maintained, administered or managed in the United States by

the covered financial institution.

Note: It is clear that the time frame only applies to requests

from the regulatory agencies. It is not clear which records relate

to anti-money laundering compliance.



Record Retention

Legal

Compulsion

for Production

of Records

BSA establishes a bank’s responsibility to keep certain records.

It does not discuss a bank’s duty or ability to provide records

requested by a third party, whether the request is from law

enforcement, a grand jury, an administrative agency, the Internal

Revenue Service, etc. (It does provide specific guidance

regarding disclosure of records which the bank used in the

preparation of a SAR.)

Requests for records from the federal government are generally

covered by the Right to Financial Privacy Act (RFPA).

Generally, it indicates that banks are to receive a summons,

subpoena, or search warrant before they are compelled to turn

over information to agencies of the federal government. Even

then, they are generally entitled to receive a certificate of

compliance before delivering the information.

Section 3414 of the RFPA recognizes very limited

circumstances where law enforcement may require customer

information from a bank in the absence of legal compulsion; e.g.

a subpoena. They must relate to espionage, the "protective" role

of the Secret Service or terrorism. (Generalizing, there must be

an overwhelming concern and time must be of the essence.)

That same section of RFPA includes the procedures that must be

followed.

http://www.bankersonline.com/regs/rfpa/3414.html


Information Sharing

Overview

Section 314 of the USA PATRIOT Act created a mechanism

that allows law enforcement agencies to query banks indirectly

about their possible relationships with persons of interest in

money laundering and terrorist financing investigations. It

also allows banks to communicate with one another

concerning suspicious activity involving customers they may

have in common.

Financial

Institutions

Hotline

FinCEN provides a Financial Institution’s Hotline, 1-866-556-

3974, for financial institutions to voluntarily report to law

enforcement suspicious transactions that may relate to terrorist

activity against the United States. The hotline is operational

24 hours a day, 7 days a week.

Note: According to Treasury, the “safe harbor” provision

applies even if the report of suspicious activity is made orally

or in some form other than the use of the Treasury’s SAR

form. However, the author notes that substantial internal

controls should still be in place before such phone calls are

made.

Information

Sharing

Between Federal

LEA’s and

Financial

Institutions:

314(a)

Section 314(a) required Treasury to issue regulations

encouraging greater cooperation between financial institutions,

regulators and law enforcement agencies. The regulations

establish a mechanism where law enforcement agencies can

funnel requests for information on named individuals through

FinCEN which, in turn, notifies the financial institutions that

the names are available for download from a secure web site.


Information Sharing

Registration

Financial institutions are required to register a point of contact

with their primary federal regulatory agency. The bank’s

Consolidated Report of Condition and Income facilitates

registration:

General

Instructions for

Processing

314(a) Queries

It is exceptionally important that banks follow published

instructions in conducting searches required by 314(a). There

are two publications on the secure web site:

“FinCEN’s 314(a) Fact Sheet” and the

“Instructions for Responding to Section 314(a) Requests

Using the Secure Information Sharing System and FAQs.”

It is essential that each bank obtain copies of these documents

and design its search procedures around them.


Information Sharing

Instructions

Accompanying

Queries

It is exceptionally important to note that the instructions

accompanying a particular query may vary. For example, they

may require the institution to research its records for a different

time frame or to use the list on an ongoing basis to compare to

all new accounts opened. Read the instructions accompanying

the query carefully each time one is received.

Processing

Queries will be available every two weeks. The financial

institution must begin searching its records immediately. If it

identifies a positive match, it must respond within 14 calendar

days. This is to be a “one time” search; no secondary use is to

be made of the names provided. The queries are confidential.

Records to be

Searched

In general, the financial institution must search for its

customers in:

deposit records,

funds transfer records subject to mandatory record retention

(originators and incoming recipients only),

monetary instrument sales subject to mandatory record

retention (remitters only),

loan records,

trust department account records,

records of securities transactions,

records of transactions in commodities futures, options or

other derivatives, and

safe deposit records.

Length of

Search

Transactions linked to an account should be searched for the

preceding 12 months. Transactions not linked to an account

should be researched for the preceding 6 months.


Information Sharing

Positive Matches

The query incorporates a “Subject Information Form.” All the

respondent needs to do is put an “X” next to the particular named

subject for which a match was found and to provide point of

contact information. The form is to be sent to FinCEN. If no

positive matches are found, no response is necessary.

Procedures

Required

As suggested by its inclusion here, 314(a) queries are a part of

BSA just like CTR and SAR filing – they should be addressed in

the financial institution’s BSA policies and procedures. At a

minimum, the procedures should:

Designate a point of contact for receiving information

requests.

Ensure that the confidentiality of requested information is

safeguarded.

Establish a process for responding to FinCEN’s requests.

Linking a “positive” response to the bank’s mechanism

for considering the filing of a SAR.

Documentation

Documentation of 314(a) requests could include the following

methods:

Copies of the requests,

a log that records the tracking numbers and includes a

sign-off column, or

copies of the cover page of the requests, with a financial

institution sign-off, that the records were checked, the

date of the search and search results (e.g.,

positive/negative) or

self verification (there is a publication on the secure web

site, “314(a) Search Self-Verification Users Guide” that

explains the self verification process.

For positive matches, copies of the form returned to FinCEN and

the supporting documentation should be retained.


Information Sharing

Voluntary

Information

Sharing

Among

Financial

instutions:

314(b)

Section 314(b) required Treasury to issue regulations encouraging

greater cooperation between financial institutions. The regulations

establish a mechanism where financial institutions are allowed to

register to share information with other financial institutions that

they believe may relate to terrorist activity or money laundering.

Registration

Institutions volunteering to share information can provide notice at

the FinCEN web site: http://www.fincen.gov/fi_infoappb.html (See

the following page.) The notice is valid for one year. FinCEN

publishes a list of registered institutions in order to allow

verification by other institutions prior to sharing information.

Scope

Per the regulation, sharing is possible only if both institutions

believe terrorist activity or money laundering is involved. Each

institution involved in sharing must be registered and it is

responsible for verifying the registration of the other institutions

involved.

Note: FinCEN issued FIN-2009-G002 which it described as a

“clarification” on 314(b) information sharing:

http://www.fincen.gov/news_room/nr/pdf/20090616.pdf

It greatly expands the scope of circumstances under which

information can be shared.

Procedures

Required

Financial institutions should address registration in their BSA

policy; e.g. the BSA officer should be instructed to register or

empowered to register if necessary. Those that are registered

should establish procedures for:

sending and receiving information sharing requests.

verifying that any financial institution with whom they

intend to share information is registered, and

establishing security measures which are adequate to use and

protect information obtained from other financial

institutions.

http://www.fincen.gov/fi_infoappb.html



Information Sharing

I hereby notify, on behalf of

(name of financial institution, or association of financial institutions), that:

(1) (i) The financial institution specified above is a "financial institution" as such term is defined in 31 CFR 103.110(a)(2), which means any financial institution defined in 31

U.S.C. 5312(a)(2) that is required to establish and maintain an anti-money laundering program, or is treated under this part as having satisfied the requirements of 31 U.S.C.

5318(h)(1); or, (ii) The association specified above is an "association of financial institutions" as such

term is defined in 31 CFR 103.110(a)(3).

(2) The financial institution or association specified above intends, for a period of one (1) year beginning on the date of this Notification, to engage in the sharing of information

with other financial institutions or associations of financial institutions regarding individuals, entities, organizations, and countries, as permitted by section 314(b) of the USA PATRIOT Act of 2001 (Public Law 107-56) and the implementing regulations of the Department of the Treasury, Financial Crimes Enforcement Network (31 CFR 103.110).

(3) The financial institution or association of financial institutions specified above has established and will maintain adequate procedures to safeguard the security and

confidentiality of such information.

(4) Information received by the above named financial institution or association pursuant to section 314(b) and 31 CFR 103.110 will not be used for any purpose other than

identifying and reporting on activities that may involve terrorist or money laundering activities.

(5) The following person may be contacted in connection with inquiries related to the information sharing under section 314(b) and 31 CFR 103.110:

Financial Institution Tax Payer Identification Number:

Primary Federal Regulator: Please select a federal regulator . . .

Financial Institution Mailing Address:

(Address)

(City)

None(State)

(Zip; no dashes)

Contact Name:

Contact Title:

E-Mail Address of Contact:

Telephone Number of Contact:

FAX Number of Contact:


Suspicious Activity Reporting

Overview

Federally supervised and insured depositary institutions are

required to file FinCEN Suspicious Activity Reports (SARs). A

filing requirement can be prompted by a wide variety of

circumstances in addition to BSA violations.

Filing Triggers

If… then...

the amount involved is $5000 or

more in the aggregate and involves

money laundering or violations of

BSA. or

filing a SAR is required.

there is insider abuse involving any

amount, or


more and a suspect can be

identified, or


more regardless of whether a

suspect can be identified, or

the transaction has no apparent

lawful purpose or is not the sort in

which the particular customer would

be likely to engage or there is no

reasonable explanation for the

transaction.

SAR FAQ

In May, 2013 FinCEN published a “Frequently Asked

Questions” document that is invaluable in the completion of the

FinCEN SAR:

http://www.fincen.gov/whatsnew/html/sar_faqs.html

http://www.fincen.gov/whatsnew/html/sar_faqs.html

















Filing

SAR filing is required by BSA regulations. Each regulatory

agency also has its own regulation requiring SAR filings.

Financial institutions should be familiar with their primary

federal regulatory agency’s regulations, but they are virtually

identical.

If the supervisory agency is

the...

Then its SAR regulation is

found at...

Federal Deposit Insurance

Corporation

12 CFR 353

Federal Reserve Board of

Governors

12 CFR 208.62

National Credit Union

Administration

12 CFR 748.1(c)

Office of the Comptroller of

Currency

12 CRF 21.11

SAR

Instructions

The current version of the FinCEN SAR instructions (Rev.

March, 2015) is found at:

http://sdtmut.fincen.treas.gov/news/FinCENSARElectronicFilin

gRequirements.pdf

Note: Compare the number of the current version of the

instructions (1.4) to the current version of the report a few pages

before.

http://sdtmut.fincen.treas.gov/news/FinCENSARElectronicFilingRequirements.pdf

http://sdtmut.fincen.treas.gov/news/FinCENSARElectronicFilingRequirements.pdf



Time Frames

From the Examination Manual (December 2014):

The SAR rules require that a SAR be electronically filed through the

BSA E-Filing System no later than 30 calendar days from the date of the

initial detection of facts that may constitute a basis for filing a SAR. If

no suspect can be identified, the time period for filing a SAR is extended

to 60 days. Organizations may need to review transaction or account

activity for a customer to determine whether to file a SAR. The need for

a review of customer activity or transactions does not necessarily

indicate a need to file a SAR. The time period for filing a SAR starts

when the organization, during its review or because of other factors,

knows or has reason to suspect that the activity or transactions under

review meet one or more of the definitions of suspicious activity.

Continuation

SARs

Financial institutions may file SARs for continuing activity after a

90-day review with the filing deadline being 120 days after the

date of the previously related SAR filing.

SAR

Preparation

Although it has not been updated since the FinCEN SAR was

published, there is a guide to assist banks in SAR training and in

writing the SAR narrative:

http://www.fincen.gov/narrativeguidance_webintro.pdf

Identifying

Supporting

Documentation

Identifying supporting documentation is one of the most critical

aspects of report completion. In short, what records did the bank

rely on when it completed the report; i.e. where did each fact come

from? Those who prepare and review the report should track

every piece of information given back to its source and make

certain that source is specifically listed on the report. References

to sources should be specific. For example, do not list “cancelled

checks” as a source. Instead: “cancelled checks on account

#100676008 paid between 03/01/20XX and 04/30/20XX.

http://www.fincen.gov/narrativeguidance_webintro.pdf



Record

Retention

The bank must keep a copy of the SAR and the supporting

documentation for five years. The bank must identify and

maintain the supporting documentation in its files.

Production of

Supporting

Documentation

Supporting documentation for an SAR is treated as if it was part of

the original filing; it is to be made available to law enforcement

agencies on request. FinCEN has issued guidance regarding

supporting documentation:

http://www.fincen.gov/Supporting_Documentation_Guidance.pdf

SAR

Confidentiality

in General

The statute that requires SAR filing prohibits both banks and the

government from notifying “…any person involved in the

transaction…” that the SAR was filed. Disclosure is a crime. That

portion of the statute is interpreted by FinCEN, OCC, FDIC, FRB

and NCUA regulations that require SAR filing.

FinCEN regulations clarify SAR confidentiality rules. (The OCC

regulations are parallel to FinCEN’s, all being revised in 2010.

The FDIC, NCUA, and FRB use earlier versions.) As revised, the

FinCEN regulation expands the prohibition on disclosure:

31 CFR 103.18(e) Confidentiality of SARs. A SAR, and any information

that would reveal the existence of a SAR, are confidential and shall not

be disclosed except as authorized in this paragraph (e). For purposes of

this paragraph (e) only, a SAR shall include any suspicious activity

report filed with FinCEN pursuant to any regulation in this part.

(1) Prohibition on disclosures by banks. (i) General rule. No bank, and

no director, officer, employee, or agent of any bank, shall disclose a

SAR or any information that would reveal the existence of a SAR. Any

bank, and any director, officer, employee, or agent of any bank that is

subpoenaed or otherwise requested to disclose a SAR or any

information that would reveal the existence of a SAR, shall decline to

produce the SAR or such information, citing this section and 31 U.S.C.

5318(g)(2)(A)(i), and shall notify FinCEN of any such request and the

response thereto.

http://www.fincen.gov/Supporting_Documentation_Guidance.pdf



“Rules of

Construction”

Regarding SAR

Confidentiality

The revised FinCEN prohibition against disclosure by a bank is to

be interpreted as not prohibiting disclosure of:

a SAR or the existence of a SAR to a law enforcement

agency, federal functional regulatory agency, or a state

regulatory agency authorized under state law to examine for

BSA compliance,

the underlying facts, transactions, and documents on which

a SAR is based, including but not limited to disclosures in

connection with:

o the joint filing of a SAR, or

o certain employment references or termination notices

as authorized by statute.

sharing by a bank within its corporate structure for

purposes consistent with BSA compliance.

Note: Governmental agencies are also prohibited by regulation

from disclosing a SAR or any information that would reveal the

existence of a SAR except as consistent with their BSA

compliance responsibilities.

SAR Related

Subpoenas

If information is subpoenaed

that would…

then the bank must notify…

disclose a SAR or the existence

of a SAR

its federal functional regulatory

agency and FinCEN.

Note: A subpoena requesting specific documents, not a SAR or

evidence of the existence of a SAR, does not violate the disclosure

prohibition or trigger a notice requirement. For example, a bank

files a SAR listing its supporting documentation. It later receives a

subpoena listing that same supporting documentation, but making

no mention of the SAR. Prompt compliance is appropriate. (This

is actually the way things are supposed to work!)



Official Advice

Regarding SAR

Confidentiality,

FIN-2010-A014

FinCEN encourages organizations and authorities, both governmental

and non-governmental, to be vigilant in ensuring SAR confidentiality is

maintained. This includes making certain all employees, agents, and

individuals appropriately entrusted with information in a SAR are

informed of the individual obligation to maintain SAR confidentiality.

This obligation applies not only to the SAR itself but also to information

that would reveal the existence of the SAR. Likewise, such persons

should also be informed of the consequences for failing to maintain such

confidentiality, which could include civil and criminal penalties as

explained herein.

A financial institution may want to consider including such information

as part of its ongoing training of all employees. Additional risk-based

measures to ensure the confidentiality of SARs could include, among

other appropriate security measures, limited access on a "need-to

-know" basis, restricted areas for reviewing SARs, logging of access to

SARs, the use of cover sheets for SARs, or supporting documentation

that indicates the filing of a SAR, or electronic notices that highlight

confidentiality concerns before a person may access or disseminate the

information.

Reporting SAR

Filings to the

Board of

Directors

Functional federal regulatory agencies’ regulations require that all

SAR filings be reported to the institution’s Board of Directors or

an appropriate committee “promptly.” (FinCEN’s regulations

contain no parallel reporting requirement.) The Examination

Manual (December, 2014) indicates there is great discretion in the

amount of specific information reported to the board:

Banks are required by the SAR regulations of their federal banking

agency to notify the board of directors or an appropriate board

committee that SARs have been filed. However, the regulations do not

mandate a particular notification format and banks should have

flexibility in structuring their format. Therefore, banks may, but are not

required to, provide actual copies of SARs to the board of directors or a

board committee. Alternatively, banks may opt to provide summaries,

tables of SARs filed for specific violation types, or other forms of

notification. Regardless of the notification format used by the bank,

management should provide sufficient information on its SAR filings to

the board of directors or an appropriate committee in order to fulfill its

fiduciary duties, while being mindful of the confidential nature of the

SAR



SAR Policies

and Procedures

In March, 1998 all the bank regulatory agencies issued an

Interagency Advisory which noted:

It is vitally important that banks set up an internal process to handle the

filing of SARs and any requests from law enforcement agencies.

An Interagency Advisory issued in May, 2004 all the bank

regulatory agencies reiterated the observation in another

Interagency Advisory:

The staffs of the agencies want to emphasize that all financial

institutions covered by the agencies’ SAR reporting rules should have

internal processes to handle the filing of SARs as well as requests for

sensitive information from law enforcement authorities and from

litigants in private lawsuits regarding suspicious activities and

reporting to law enforcement.

The presence of a policy and procedure demonstrates that the

financial institution understands its responsibility. Adherence to

policy and procedure assures that choices are not being made in the

heat of the moment.

Safe Harbor

Federal law creates a so-called “safe harbor” which protects the

institution from liability in connection with all SAR filings

regardless of whether the SAR is voluntary or mandatory. In

recent years, there has been a consistent string of federal court

decisions affirming that protection. The majority of federal courts

have ruled that the safe harbor provision provides unqualified

protection to financial institutions and their employees from civil

liability for filing a SAR.



Training

Training on identifying and reporting suspicious activity must be

institution wide. It is not essential that all employees understand the

SAR filing process, but they m understand that reporting suspicious

activity is an essential part of their job responsibilities.

Independent

Examinations

or Audits of

SAR Filing

Program regulations require that banks conduct an independent

review of their BSA compliance program annually. Obviously, SAR

filing is an essential element of that review and every aspect of SAR

filing ranging from training, the effectiveness of monitoring

programs and the actual reports filed should be evaluated. Also

obviously, third party reviewer’s practices in reviewing SAR filing

should reflect a full measure of respect for SAR confidentiality.

Regulatory

Review of SAR

Filing

Decisions

The BSA/AML Examination Manual (December, 2014) :

The decision maker, whether an individual or committee, should have the

authority to make the final SAR filing decision. When the bank uses a

committee, there should be a clearly defined process to resolve differences

of opinion on filing decisions. Banks should document SAR decisions,

including the specific reason for filing or not filing a SAR. Thorough

documentation provides a record of the SAR decision-making process,

including final decisions not to file a SAR. However, due to the variety of

systems used to identify, track, and report suspicious activity, as well as

the fact that each suspicious activity reporting decision is based on unique

facts and circumstances, no single form of documentation is required

when a bank decides not to file.

The decision to file a SAR is an inherently subjective judgment. Examiners

should focus on whether the bank has an effective SAR decision-making

process, not individual SAR decisions. Examiners may review individual

SAR decisions as a means to test the effectiveness of the SAR monitoring,

reporting, and decision-making process. In those instances where the

bank has an established SAR decision-making process, has followed

existing policies, procedures, and processes, and has determined not to

file a SAR, the bank should not be criticized for the failure to file a SAR

unless the failure is significant or accompanied by evidence of bad faith.


NBFIs and MSBs

Overview

Non bank financial institutions (NBFIs) provide financial services

such as check cashing, currency exchanges and check purchasing to

their clientele. In those circumstances, they can be involved in

terrorist financing or money laundering just as a bank can. Banks

must identify NBFIs because they are “subject to expanded

examination overview.” Once a customer has been identified as an

NBFI, their potential status as a Money Service Business (MSB)

should be established.

MSB Website

A portion of the FinCEN web site is devoted to MSBs:

http://www.fincen.gov/financial_institutions/msb/

Money Service

Businesses

(MSBs)

A non bank financial institution is an MSB and must register if it

conducts more than $1,000 in business with one person in one or

more transactions (in any category of activity listed below) on the

same day in one or more of the following services:

money orders

traveler’s checks

check cashing

currency dealing or exchange or

the business provides money transfer services in any amount.

Prepaid Access

Devices

Sellers and providers of prepaid access devices may have specific

BSA reporting and recordkeeping requirements depending on the

specific characteristics of their program. The regulations spelling

out those characteristics are unusually complex. FinCEN has

issued a Q & A on the subject that is very helpful:


Banks should identify customers selling or providing prepaid

access devices and analyze their business practices in light of that

guidance.

http://www.fincen.gov/financial_institutions/msb/



NBFIs and MSBs

Virtual

Currencies

FinCEN rulings indicate a “user” of virtual currencies is not and

MSB under BSA regulations, but an “exchanger” of virtual

currencies and an “administrator” of a virtual currency system

would be money transmitters and, thus, MSBs.

Bank Due

Diligence on

MSB

Customers

In Interagency Guidance issued April 26, 2005,

http://www.fincen.gov/guidance04262005.pdf,

the agencies indicated the minimum due diligence requirements

for every MSB client are:

Apply the banking organization’s Customer Identification

Program;

Confirm FinCEN registration, if required;

Confirm compliance with state or local licensing requirements,

if applicable;

Confirm agent status, if applicable; and

Conduct a basic Bank Secrecy Act/Anti-Money Laundering risk

assessment to determine the level of risk associated with the

account and whether further due diligence is necessary.

Note: A considerable portion of the Guidance is out of date; e.g.

the understanding of what is an MSB has been expanded, MSB’s

no longer receive a paper certificate evidencing registration, etc.

Agents for

MSB’s

A person that is an MSB solely because that person serves as an

agent of another MSB is not required to register. However, a

person that is an MSB both because it engages in MSB activities on

its own behalf and as an agent of another MSB must register.

Example 19: A supermarket corporation that acts as an agent (as a

seller of money orders) for an issuer of money orders, and performs

no other services of a nature and amount that would cause the

supermarket corporation to be a money services business, is not

required to register. The result is the same if the supermarket

corporation serves as an agent for two or more MSBs. Thus, if the

supermarket corporation serves as an agent both of a money order

issuer and of a money transmitter, it is not required to register.

http://www.fincen.gov/guidance04262005.pdf


NBFIs and MSBs

MSB

Registration

Web Site

All MSB registrations must be completed electronically through

the BSA E-Filing System.


Verifying

MSB

Registration

Interested parties (including those providing banking services to

MSBs) can rely on the web site for proof of registration:

http://www.fincen.gov/financial_institutions/msb/msbstateselect

or.html

Unregistered

MSBs

From the 2005 Interagency Guidance referenced earlier:

One recurring question has been the obligation of a banking

organization to file a suspicious activity report on a money

services business that has failed to register with FinCEN or

failed to obtain a license under applicable state law. Given the

importance of the licensing and registration requirement, a

banking organization should file a suspicious activity report if it

becomes aware that a customer is operating in violation of the

registration or state licensing requirement.


http://www.fincen.gov/financial_institutions/msb/msbstateselector.html

http://www.fincen.gov/financial_institutions/msb/msbstateselector.html


NBFIs and MSBs

BSA/AML

Manual for

MSBs

Noting an important quote from the 2005 Interagency

Guidance reference earlier:

The Bank Secrecy Act does not require, and neither FinCEN

nor the Federal Banking Agencies expect, banking

organizations to serve as the de facto regulators of the money

services businesses for which they maintain accounts.

Banks will find the “Bank Secrecy Act/Anti-Money

Laundering Examination Manual for Money Service

Businesses”


It is a helpful resource to recommend to MSB customers.

De-risking

MSBs

FinCEN issued a statement on providing banking services to

MSB’s in November 2014:


Two of the federal functional regulatory agencies offer similar

guidance.

OCC, http://www.occ.gov/news-

issuances/bulletins/2014/bulletin-2014-58.html

FDIC, FIL – 2015 - 5:

https://www.fdic.gov/news/news/financial/2015/fil15005.html

Note: The FDIC guidance is certainly applicable to MSBs, but

it approaches “de-risking” on a much broader basis; it could be

applied to any customer whom an FDIC supervised bank was

declining services based on “status.”



http://www.occ.gov/news-issuances/bulletins/2014/bulletin-2014-58.html

http://www.occ.gov/news-issuances/bulletins/2014/bulletin-2014-58.html

https://www.fdic.gov/news/news/financial/2015/fil15005.html


Anti-Money Laundering

Overview

Full compliance with the requirements of BSA does not assure

that customers cannot use the institution’s products and services

to launder money. A financial institution must surround its BSA

compliance effort with an anti-money laundering program.

That program involves three elements:

customer identification,

due diligence, and

enhanced due diligence.

CIP only applies at account inception and, according to regulatory

guidance, when new owners are added to an account. Due

diligence and enhanced due diligence apply at account inception

and over the life of an account. They replace the now outmoded

phrase, “know your customer.”

Stair step

Hierarchy of

CIP and Due

Diligence at

Account

Inception

Enhanced due diligence (EDD)

includes extraordinary questions

because the person or entity has

been identified as subject to

expanded review procedures.

Information sought is needed to

more specifically predict account

activity and increase the bank’s

comfort level with the relationship.

Customer due diligence (CDD) consists of routine

questions which broadly predict account activity,

but specifically identify persons and entities subject

to enhanced due diligence.

Customer identification program (CIP) describes routine

requirements for specific information which identifies the person

or entity. Verification by documentary or non documentary

methods is required by law.


Anti-Money Laundering

Stair step

Hierarchy of

CDD and EDD

During Life of

Account

Enhanced due diligence (EDD) applies to higher

risk customers and incorporates monitoring

specific to that customer; i.e. transactions are

analyzed via comparison to a profile for that

specific customer or similar customers. For

customers identified as “high risk,” the monitoring

is routine. However, an anomalous transaction

may prompt analysis of a customer not previously

recognized as high risk. In either case, anomalies

that are not resolved are referred for SAR

consideration.

Customer due diligence (CDD) consists of reviewing routine

reports looking for activity that does not fit normal consumer or

business account activity. Anomalies are investigated.

The goal of an AML program is to intelligently allocate limited

resources. Identifying higher risk customers is the first priority.

Identifying

High Risk

Customers

Persons and entities subject

to expanded examination

reviews should be

identified…

and then…

at account inception or

o assigned an appropriate

risk level and

o monitored according to

that risk level.

during the life of the account

The “given” is that as risk increases documentation and monitoring

requirements increase. It is not enough for a bank to simply

identify its high risk customers, it must focus greater than normal

attention (enhanced due diligence) on their activities.


Anti – Money Laundering (CIP)

Overview

Banks are required to have a board approved Customer

Identification Program (CIP). It is the foundation for the

bank’s anti-money laundering program.

CIP Q & A’s

FinCEN and the bank regulatory agencies jointly issued Q &

A’s on CIP: http://www.fincen.gov/faqsfinalciprule.pdf

Customer

The definition of “customer” generally describes a person (an

individual or an entity) opening an account. If more than one

person is opening an account it includes all of them. However,

it does not include a mere signatory. Financial institutions may

exclude customers with existing accounts from their CIP

process, provided that they have a reasonable belief that they

know the person’s true identity.

Note: CIP regulations exclude some entities from the

“customer” definition:

banks,

government entities, and

publicly traded companies listed on a major exchange.

Account

“Account” includes all formal banking relationships including:

deposit account,

transaction or asset

account,

credit account or other

extension of credit,

safe deposit box or other

safekeeping services,

cash management,

custodian or trust services

Note: Sending a wire transfer, cashing a check, using an ATM

or purchasing an official check, regardless of frequency, does

not create an “account” and the person is not a “customer.”

http://www.fincen.gov/faqsfinalciprule.pdf



Customer

Information

Required

Prior to opening an account, the bank must obtain the following

information from the customer:

name,

date of birth (individuals only),

physical address (there is flexibility for using military

addresses or even the address of another party),

identification number (for a U.S. citizen, a SSN or EIN).

Note: A bank cannot waive any element of the required

information – obtaining it is a condition of opening the account.

A bank may include a provision in its CIP that allows it to open

an account without a TIN if it documents the fact that the

customer has applied for the number.

Verifying

Customer

Information

Within a reasonable time after opening the account, the bank

most verify the information received based on:

documentary verification,

nondocumentary verification or

a combination of the two.

The bank is not required to verify all four pieces of information

only enough to form a reasonable belief that it knows the

customer’s true identity.

CIP Content

The bank’s CIP should identify acceptable kinds of

identification based on the type of customer; e.g. individual,

corporation, partnership, etc. It should also spell out the

acceptable methods and time frames for verifying information,

the steps to be taken if information cannot be verified, and

establish a link to the bank’s suspicious activity reporting

mechanism. A bank’s CIP may provide varying requirements

for different products or services.



Variety in CIP

Design

There was never a requirement that banks apply the same

standards to all products or account types in their CIP. For

example:

A deposit customer might

need

…while a loan customer

might need

two forms of documentary

identification, one of which

must be primary

one form of primary

documentary identification and

a consumer report.

CIP Risk

Assessment

Prior to establishing its CIP (2003) the bank was to perform a

risk assessment based on the various:

types of accounts it maintained,

methods of account opening available,

types of identifying information available, and

the bank’s size, location, and customer base.

The implementing regulation did not require that the risk

assessment be updated periodically. Yet, it is not the nature of

risk to remain at a constant level. Some banks update this risk

assessment in their overall BSA/AML risk assessment.

CIP Revisions

Per the implementing regulation, the CIP was to be adopted by

the bank’s board of directors. Accordingly, any change in CIP

would require an amendment approved by the board of

directors.



CIP Record

Retention

Banks must retain… for five years after the…

the four pieces of information

required at account opening

account is closed.

a description of the:

documents it used to verify

identity,

the methods and results of

any measures undertaken to

verify identity, and

the resolution of any

substantive discrepancy

discovered when verifying

the information it received.

information is obtained.

Comparison to

Section 326

List

The requirement to consult a government list of “known or

suspected terrorists…” as a part of CIP is not a reference to the

OFAC list. It contemplates a list that has yet to be published or

even described by FinCEN.

Customer

Notice

The regulation requires that the customer be given a notice prior to

opening the account. The notice can be given orally or by a

method which gives the customer an opportunity to read it. (There

is no requirement that the customer receive a copy he can keep.)

The regulation contains sample language:

IMPORTANT INFORMATION ABOUT PROCEDURES FOR

OPENING A NEW ACCOUNT

To help the government fight the funding of terrorism and money

laundering activities, Federal law requires all financial institutions to

obtain, verify, and record information that identifies each person who

opens an account. What this means for you: When you open an account,

we will ask for your name, address, date of birth, and other information

that will allow us to identify you. We may also ask to see your driver’s

license or other identifying documents.



Overview

“Due diligence” is the label applied to the process of obtaining

information at account opening and during the life of the account

that will help the bank in identifying higher risk customers, those

deserving of enhanced due diligence. The simplest goals of due

diligence are to:

identify customers subject to expanded examination

overview, and

identify beneficial owners for higher risk customers, and

project future financial activity for higher risk customers, and

decide where enhanced due diligence is required.

Note: An intelligently designed AML program allocates a financial

institution’s finite resources where they will do the most good, to the

customers whom it classifies as higher risk. To illustrate, but not

state a rule of thumb, a bank might reasonably allocate 95% of its

AML resources to 5% of its customers.

Customers

Subject to

Expanded

Examination

Overview

The Examination Manual does not list what were once described as

“high risk businesses.” Each financial institution is required to

identify the customers it regards as “high risk.” However, The

Examination Manual does contain a list of persons and entities

subject to expanded examination overview. Each customer type

listed as being subject to expanded examination overview is

followed by examination procedures specific to that customer type.

Note: Examination procedures clearly indicate banks may be asked

for lists of customers included in each group. For example, banks

should be able to produce lists of non resident aliens or non bank

financial institution customers on request.

Individual

Customers

Subject to

Expanded

Examination

Overview

Individual or consumer customers included on the list of customers

subject to expanded examination overview are:

Nonresident Aliens and Foreign Individuals

Politically Exposed Persons

.



Entity

Customers

Subject to

Expanded

Examination

Overview

Entity customers subject to expanded examination overview are:

Embassy and Foreign Consulate Accounts

Non-Bank Financial Institutions

Professional Services Providers

Non-Governmental Organizations and Charities

Business Entities (Domestic and Foreign)

Cash intensive Businesses

Note: Only a few customer types subject to expanded examination

overview are individuals; most of the candidate pool for “high risk”

customers is made up of entities.

Identifying

Customers

Subject To

Expanded

Examination

Overview

Example 20: In response to standard requests for documentation at

account inception, it becomes apparent that a new customer, “Jack’s

Fast Check,” is a corporation established in Delaware, but registered

to do business in Illinois. It is a domestic business entity.

Example 21: In response to standard query at account inception, the

owner of “Jack’s Fast Check” indicates that the business cashes

checks for its customers and also sells stored value cards. It is a non

bank financial institution.

Example 22: Again in response to a standard query at account

inception, the owner of “Jack’s Fast Check” indicates the business

will be withdrawing significant amounts of cash daily to facilitate

check cashing. It is a cash intensive business.

Summary: Due diligence establishes that “Jack’s Fast Check” is a

customer subject to expanded examination overview 3 times over.

Nothing says it is a high risk customer; there is only a suggestion

that it must be evaluated as a potentially high risk customer. If an

examiner asks for a list of business entities, non bank financial

institutions, or cash intensive businesses “Jack’s Fast Check” will be

on each list, but it may not be on the bank’s high risk customer list.



Identifying

Customers

Subject To

Expanded

Examination

Overview,

continued

Example 23: An existing customer, Miram Laughlin, is matched to

a name on a vendor produced list of politically exposed persons.

Further investigation establishes that she actually is the person

named on the list; i.e. she is a politically exposed person.

Summary: Due diligence and enhanced due diligence have

established that Miram Laughlin qualifies as a customer subject to

expanded examination overview. Nothing says she is a high risk

customer; there is only a suggestion that she must be evaluated as a

potentially high risk customer. If an examiner asks for a list of its

politically exposed persons, Miram Laughlin will be on the list, but

she may not be on the bank’s high risk customer list.

Example 24: An existing sole proprietorship customer, “Angel’s

Taqueria,” is identified as having cross border ACH debits from an

international wire transfer company. Further investigation

establishes that the business is an agent for a money service

business.

Summary: Due diligence and enhanced due diligence have

established that “Angel’s Taqueria” qualifies as a customer subject

to expanded examination overview. Nothing says it is a high risk

customer; there is only a suggestion that it must be evaluated as a

potentially high risk customer. If examiners ask the bank for a list of

its non bank financial institutions “Angel’s Taqueria” will be on the

list, but it may not be may not be on the bank’s high risk customer

list.

Note: In general, due diligence at account inception is the least

expensive method for identifying customers subject to expanded

examination overview.



Interagency

Guidance on

Identifying

Beneficial

Owners

Interagency guidance issued in March 2010

http://www.fincen.gov/statutes_regs/guidance/html/fin-2010-

g001.html indicates banks are expected to identify beneficial

owners for customers whom they identify as having higher risk

levels. (It does not suggest financial institutions are required to

identify beneficial owners for all accounts.) It indicates:

“…nominal account holders can enable individuals and business

entities to conceal the identity of the true owner of assets or

property derived from or associated with criminal activity.”

Beneficial

Owner

Examples

Business entities may be the most convenient, and thus the most

common, method for obscuring ownership. The first level of

queries would focus on the type of entity involved.

If the customer is a… then the beneficial owner(s)

are…

corporation shareholders

partnership partners

limited liability company members

NPRM on

Beneficial

Ownership

FinCEN published a Notice of Proposed Rulemaking regarding

the establishment of customer due diligence requirements on

August 4, 2014. The comment period ended on October 3, 2014.

In essence, the proposal would require banks to identify beneficial

owners at the time an account is opened. The proposal

incorporated the model form on the following page.

At the time of this publication, the form on the following page

has no legal status whatsoever. Its use is neither required,

suggested, nor approved. It may be changed in or even

eliminated from the final regulation.




Anti-Money Laundering (Due Diligence) APPENDIX A—CERTIFICATION REGARDING BENEFICIAL OWNERS OF LEGAL ENTITY

CUSTOMERS

I. GENERAL INSTRUCTIONS

What is this form?

To help the government fight financial crime, federal regulation requires certain financial institutions to obtain, verify, and record information about the beneficial owners of legal entity customers. Legal entities can be abused to disguise involvement in terrorist financing, money laundering, tax evasion, corruption, fraud, and other financial crimes. Requiring the disclosure of key individuals who ultimately own or control a legal entity (i.e., the beneficial owners) helps law enforcement investigate and prosecute these crimes.

Who has to complete this form?

This form must be completed by the person opening a new account on behalf of a legal entity with any of the following U.S. financial institutions: (i) A bank or credit union; (ii) a broker or dealer in securities; (iii) a mutual fund; (iv) a futures commission merchant; or (v) an introducing broker in commodities. For the purposes of this form, a legal entity includes a corporation, limited liability company, partnership, and any other similar business entity formed in the United States or a foreign country.

What information do I have to provide?

This form requires you to provide the name, address, date of birth and social security number (or passport number or other similar information, in the case of foreign persons) for the following individuals (i.e., the beneficial owners): (i) Each individual, if any, who owns, directly or indirectly, 25 percent or more of the equity interests of the legal entity customer (e.g., each natural person that owns 25 percent or more of the shares of a corporation); and (ii) An individual with significant responsibility for managing the legal entity customer (e.g., a Chief Executive Officer, Chief Financial Officer, Chief Operating Officer, Managing Member, General Partner, President, Vice President or Treasurer).


Anti-Money Laundering (Due Diligence)

The financial institution may also ask to see a copy of a driver’s license or other identifying document for each beneficial owner listed on this form. II. CERTIFICATION OF BENEFICIAL OWNER(S) Persons opening an account on behalf of a legal entity must provide the following information: a. Name of Person Opening Account: ____________________________________________________________________________ b. Name of Legal Entity for Which the Account is Being Opened: ____________________________________________________________________________ c. The following information for each individual, if any, who, directly or indirectly, through any contract, arrangement, understanding, relationship or otherwise, owns 25 percent or more of the equity interests of the legal entity listed above:

(If no individual meets this definition, please write "Not Applicable.")

Name Date of Birth Address For U.S. Persons

Social Security Number

For Foreign Persons: Passport

Number and Country of Issuance or

Similar Identification

Number1



d. The following information for one individual with significant responsibility for managing the legal entity listed above, such as: • An executive officer or senior manager (e.g., Chief Executive Officer, Chief Financial Officer, Chief Operating Officer, Managing Member, General Partner, President, Vice President, Treasurer); or • Any other individual who regularly performs similar functions. (If appropriate, an individual listed under section (c) above may also be listed in this section (d)).

Name Date of Birth Address For U.S. Persons

Social Security Number

For Foreign Persons: Passport

Number and Country of Issuance or

Similar Identification

Number1

I, _________________________________________ (name of person opening account), hereby certify, to the best of my knowledge, that the information provided above is complete and correct. Signature:__________________________________ Date: ____________ _________________ 1 In lieu of a passport number, foreign persons may also provide an alien identification card number, or number and country of issuance of any other government-issued document evidencing nationality or residence and bearing a photograph or similar safeguard.



Anticipated

Transaction

Activity vs.

Review

After

Account is

Opened.

The FFIEC Manual mentions the importance of projecting

account activity. Such projections are now a regulatory

expectation. These materials acknowledge that expectation

several times.

Initial projections for a new business are inherently unreliable; i.e.

how would the business owner know what their actual activity

will be? When opening an account for an existing business the

author suggests it is advisable to use recent bank statements to

forecast activity rather than rely on an owner or signatory’s recall.

While banks could still obtain the information for reference in the

near term, it is probably wise to replace guesses made based on

initial information with judgments based actual activity after the

account has been open for two or three months.

Note: Acknowledging the regulatory expectation, the concept of

due diligence can be applied to individual, organizational, and

entity customers at account opening alike. See the forms on the

following pages.

Note: Again, the author notes that consumer accounts (other than

those belonging to a person subject to expanded examination

overview) are at a fairly low risk level for being involved in

money laundering. Moreover, it is highly likely that any unusual

behavior in a consumer account would be noted in routine

monitoring activities. The amount of due diligence conducted on

generic consumer accounts should be driven by the bank’s risk

assessment.

laundering.



Field Five

Customer Due Diligence (Consumer)

In what country are you a citizen?_____________________________

If you are not a U.S. citizen, how long do you expect to remain in the

U.S.?____________________________________________________

If you are not a U.S. citizen, do you have permission to work in the

U.S.?____________________________________________________

Are you or any of your relatives or associates connected to the government of a country

other than the United States?______ If yes, please

explain__________________________________________________

Field Six

Why did you choose this bank? ________________________________

_________________________________________________________

What other banks do you have accounts with? ____________________

_________________________________________________________

What types of items to you expect to be deposited to the

account; e.g. cash, checks, direct deposit, wires, etc.________________

__________________________________________________________

How frequently will deposits be made? __________________________

What methods do you expect to use to remove funds from the account; e.g. checks,

ATM, debit card, automated bill payments,

etc._______________________________________________________

__________________________________________________________

What is the purpose for this account?____________________________

Will any proceeds from business activities be deposited to this account?

_________

What do you anticipate maintaining as the average balance in this

account?___________________________________________________

Will any financial transactions affecting this account originate or have a destination

outside the U.S.?______ If yes, please explain.

Field Seven

Where are you currently employed?_____________________________

Which of these ranges includes your annual household income?

__________Less than $50,000

__________$50,001 to $100,000

_______$100,001 - $150,000

_______More than $150,000

Describe initial deposit

_____________________________________________________________________

Field Eight

Comments

____________________________________________________________________

____________________________________________________________________

____________________________________________________________________

Not a model form; reflects individual bank’s customer due diligence requirements.



Name of entity or

individual______________________________DBA_______________________________

Registered under assumed name statute? Y or N

OMEGA STATE BANK

NEW BUSINESS ACCOUNT SERVICE PROFILE

Form of Organization ___Corporation State where incorporated_______________ date_________

___Limited liability company State where organized_________________ date_________

___Limited partnership State where agreement filed____________ date_________

___Joint Venture Written agreement? Y or N If yes, date_________

___General partnership Written agreement? Y or N If yes, date_________

Employer Identification Number_______________________________

___Sole Proprietor

Social Security Number (Sole proprietor or one person LLC only)____________________

Business Address

(No P.O. Box)

Phone Fax

Website

NAICS Code Risk Rating: 4 or 5 (reviewed after 90 days)

Description of

business

Non bank FI; e.g.

check casher?

Reasons for

choosing Omega

State Bank

Make up of first

deposit

Please check the

services you expect

to use, their

frequency (daily,

weekly, etc.) and

their average

dollar amounts

where requested

Deposits Frequency_______ Avg. amount $_______

% in cash_____

Cash Withdrawals Frequency ______ Avg. amount $_______

Wire transfers Frequency _______

Outgoing to________________________________________

Incoming from

Loans

Safe Deposit

Trust

Private Banking



Due Diligence

During the

Life of the

Account

Due diligence does not end after the account is opened. It

continues to be found in the bank’s routine, non focused

monitoring of customer activity in general; i.e. it does not focus on

an individual customer, it looks for transactions that are anomalous

for customers as a particular class. It looks for situations that

make one customer stand out from other customers of the same

type. Here is where due diligence is at its most effective with

consumer accounts.

Customer

Monitoring

After Account

is Opened

Due diligence procedures for existing accounts involves the review

of standard reports looking for telltale activities such as the

presence of large amounts of currency, wire transfers to foreign

countries etc. Those are facts that might suggest membership in

one of the groups subject to expanded examination overview.

Possible sources of information are:

conventional reports, which may include:

o accounts listed by risk or classification code or both,

o average balance change,

o check/debit volume change,

o kiting suspects,

o large dollar transactions,

o loans with early pay off,

o loans secured by cash equivalents,

o many deposits, few checks,

o significant balance changes,

o account analysis,

o electronic banking & electronic payment activity and

o accounts with multiple alerts.

cash tracking reports which aggregate cash transactions

affecting an entire CIF or related CIFs over long periods of

time; e.g. weeks, months, etc.

rules based anti-money laundering software, or

intelligent anti-money laundering software.



Overview

Enhanced due diligence is the label applied to the bank’s

investigation when prompted by:

o information provided by the customer at account

inception or

o customer activities or transactions, or

o queries made by third parties or

o any combination of the above.

Information

Offered as a

Trigger for

Enhanced Due

Diligence

A customer that indicates it provides financial services and then

goes on to say that those services include check cashing might

be asked several additional questions as depicted on the

following page. If in responding to those questions the

customer indicates it is a money service business and is, thus,

required to register with Treasury a great deal more information

may be required. See the following page.



OMEGA STATE BANK

NBFI Detail Form

Name of entity or

individual______________________________DBA_______________________________

Type of organization; e.g. corporation, LLC etc.

State or country of organization

Financial Services

Provided

Maximum

daily amount

per person

Licensed by

Anystate

(Date or No)

Registered with

FinCEN as MSB

(Date or No)

Comment

Check cashing

*

Currency sale or

exchange

**

Check sales or

redemption

***

Stored value cards ***

Money Transmission ***

Other

* Required by [citation] if fees exceed X% of gross revenues for the business

** Required by [citation]

***Required by [citation]

Copy of any license required by state law and noted above is attached.

If you are acting as an agent for another company in providing these services, what company is it? (e.g.

Western Union, Sigue, Travelers Express, .etc.)

_______________________

Copy of any agency agreement with the licensed party is attached.

If your business is required to register with the Department of the Treasury as an MSB:

A printout from the MSB website verifying registration is attached.

The reverse side of this form is completed accurately and completely.

I understand that the Omega State Bank is required to obtain this information. I hereby confirm, under

penalties of perjury, that my statements are on both sides of this form are accurate. I also agree to

notify Omega State Bank if any of the above information changes and provide additional documentation

as requested.

___________________________Signature ____________________Name _____________________Title

[Notarization]



OMEGA STATE BANK

NBFI Detail Form (MSB Portion) Owners’ Name and

Address. List all

owning 25% or more.

TIN

Ownership

Percentage

Years of

Experience in

MSB Activities

Banks

Currently

Used

(personally)

Comments

Location of Any

Other Bank

Accounts

Types of Products

& Services Offered

Locations and

Markets Served

Anticipated

Account Activity

Purpose of this

Account

Comments

(Bank use only)



Documentary

& Activity

Reviews

A decision that a customer represents a higher level of risk must be

followed by a greater allocation of resources. High risk customers

are the focus of more frequent, more detailed reviews of their

transactions and their documentation than other customers.

Obviously, timing the “review” of high risk accounts involves

various considerations, but

there will be at least one annually and

the review should include a review of documentation as well

as activity.

January April July October

update

profile

review

activity

verify

registration

current

review

activity

review

activity

verify state

licensure

current

review activity

For discussion:

There isn’t anything official that dictates the frequency of

reviews. More to the point, there isn’t anything that says a

review of any frequency is adequate.

The suggestion that the profile be updated annually is

intentional – it will make it apparent if the activity has

increased significantly in the last several months.

On MSBs, one review should be shortly after year end to

assure that any FinCEN registration has been renewed.

On licensed NBFIs, one review should be shortly after any

standard time frame in which a state license must be

renewed.



Activity

Inconsistent

with

Consumers in

General

Activity which is inconsistent with a consumer account should

generate enhanced due diligence for a consumer’s accounts.

Examples are:

o frequent cash deposits,

o frequent cash withdrawals,

o regular use of wire transfers,

o deposits on a frequency greater than explained by wage

earners depositing pay checks,

o high account velocity, etc.

Again, what would be the justification for the bank’s maintenance

of a consumer account which the bank actually believed was at

high risk for money laundering or terrorist financing?

This Business

Customer’s

Activity vs.

Other

Customers in

the Same

Business

For a business customer, certain activity may be suspicious because

it was not like that of other customers involved in the same

business.

Example 25 – The Bank of Anywhere has the accounts for five

retail liquor stores. The compliance officer notes that only one,

State Street Spirits, does not make large withdrawals of cash. On

investigation, she discovers the store’s deposits rarely include cash.

All the other stores routinely deposit and withdraw cash.

By itself, the absence of cash in a particular business might not

indicate anything. However, when cash is normal for that

business, its absence may be critical.

Activity

Profiles for

High Risk

Customers

When a bank has established a profile for every high risk customer

it can readily identify circumstances where the activity may not be

representative of the normal course of the customer’s activity.

Such activity should prompt an investigation; i.e. additional

enhanced due diligence. Unless a bank has AML software that

creates and maintains such profiles, the process is labor intensive.



Customer

Profile

The underlying concept is simple: you cannot tell what’s

unusual or suspicious if you have no idea what is normal.

OMEGA STATE BANK

Customer Profile

Based on Averages from 4 Months in 20XX Name of entity or

individual______________________________DBA_______________________________

CIF# Date Opened NAICS # Risk Rating

NBFI (Attach Detail form) Lottery Ticket Sales

Comments

Incoming Funds

High $ Average $ Comment Cash deposits Checks Credit Card Wire Transfers

(Domestic)

Wire Transfers

(International)

ACH

Outgoing Funds

High $ Average $ Comment Cash Withdrawals Cash Shipments Checks Wire Transfers

(Domestic)

Wire Transfers

(International)

ACH


Anti – Money Laundering ( Enhanced Due Diligence)

High Risk

Customer

Review

Obviously, there is a strong connection between this form and the

customer profile.

OMEGA STATE BANK

Customer Profile 20XX

Name of entity or

individual______________________________DBA_______________________________

Review periods are those covered by a specific periodic statement and _____/_____ = High/Average for

period covered by statement. Comments on reverse side.

Dates covered* ______to______

______to______

______to______

______to______

Cash Deposits

______/______

______/______

______/______

______/______

Cash Withdrawals

______/______

______/______

______/______

______/______

Checks Deposited

______/______

______/______

______/______

______/______

Checks Written

______/______

______/______

______/______

______/______

Credit Card

Receipts

______/______

______/______

______/______

______/______

Wire Transfers

Incoming

(Domestic)

______/______

#

______/______

#

______/______

#

______/______

#

Wire Transfers

Outgoing

(Domestic)

______/______

#

______/______

#

______/______

#

______/______

#

Wire Transfers

Outgoing

(International)

______/______

#

______/______

#

______/______

#

______/______

#

Wire Transfers

Incoming

(International)

______/______

#

______/______

#

______/______

#

______/______

#

ACH Credits

______/______

#

______/______

#

______/______

#

______/______

#

ACH Debits

______/______

#

______/______

#

______/______

#

______/______

#



High Risk U.S.

Geographies

Just as a bank needs to be cognizant of its surrounding geography, it

also needs to aware of where its customer and its customer’s

customer is located. A customer with ties to U.S. or foreign

geographies that are classified as “high risk” could deserve a higher

risk rating.

Monitoring

Connections to

International

High Risk

Geographic

Locations

Again, a customer with ties to foreign geographies that are

classified as “high risk” would deserve a higher risk rating The

current term is "high risk geographic locations." Included are:

Countries subject to sanctions on the OFAC web site at:

http://www.treasury.gov/resource-

center/sanctions/Pages/default.aspx

Countries identified by the Secretary of State as supporting

international terrorism. See “Country Reports on Terrorism.”

http://www.state.gov/j/ct/rls/crt/

Jurisdictions of “primary money laundering concern:”

http://www.fincen.gov/reg_section311.html

Jurisdictions identified as non cooperative by FATF:

http://www.fatf-gafi.org/

Countries and jurisdictions identified in the annual International

Narcotics Control Strategy Report as jurisdictions of primary

concern:

http://www.state.gov/j/inl/rls/nrcrpt/2012/vol2/184115.htm

Offshore Financial Centers:

http://www.imf.org/external/ns/cs.aspx?id=55

Other countries identified by the bank as high-risk because of its

prior experiences or other factors (e.g. legal considerations, or

allegations of official corruption.)

http://www.treasury.gov/resource-center/sanctions/Pages/default.aspx

http://www.treasury.gov/resource-center/sanctions/Pages/default.aspx

http://www.state.gov/j/ct/rls/crt/

http://www.fincen.gov/reg_section311.html

http://www.fatf-gafi.org/

http://www.state.gov/j/inl/rls/nrcrpt/2012/vol2/184115.htm

http://www.imf.org/external/ns/cs.aspx?id=55



Section 311

Special

Measures

Section 311 of the USA PATRIOT authorizes the Secretary of the

Treasury to require domestic financial institutions and domestic

financial agencies to take certain special measures against foreign

jurisdictions, foreign financial institutions, classes of international

transactions, or types of accounts of primary money laundering

concern. The listing of current “special measures” is found on the

FinCEN web site.

http://www.fincen.gov/statutes_regs/patriot/section311.html

Note: Bank policies and procedures should reflect efforts to detect

and evaluate transactions with persons, entities, or jurisdictions

subject to special measures.

EDD

Prompted by

External

Events

Enhanced due diligence is prompted by uncommon facts. Just as a

customer’s surprise appearance on a standard internal report can

prompt a reevaluation of that customer’s risk level, an outside

communication can do the same thing. A number of

communications could cause a bank to reevaluate a customer’s

potential risk:

o newspaper stories,

o IRS levies,

o IRS summons,

o subpoenas from civil courts,

o grand jury subpoenas,

o National Security letters,

o positive response to a 314(a) query,

o positive response to an OFAC query, and

o informal queries from law enforcement personnel

can all make a bank launch a possible SAR filing investigation and

reconsider whether the customer’s status is appropriate. There is no

suggestion here that a SAR should automatically be filed in any of

these circumstances. The investigation suggested will determine if

a SAR filing is necessary.

http://www.fincen.gov/statutes_regs/patriot/section311.html



Monitoring vs.

Closing High

Risk Accounts

In some instances, a determination that a customer, particularly a

consumer customer, is “high risk” should yield account closure, not

additional monitoring. The Examination Manual notes that

examiners should determine whether the bank has:

*Procedures for considering closing accounts as a result of

continuous suspicious activity.

The Q & A portion of the Interagency Guidance on MSBs offers

clear direction:

The decision to maintain or close an account should be made by a

banking organization’s management under standards and

guidelines approved by its board of directors.

LEA Requests

to Keep

Accounts Open

FinCEN guidance encourages financial institutions to ask for a

written request if a law enforcement agency requests them to keep

an account open to facilitate an investigation. The request should

be specific in asking the institution to keep the account opened and

stay in effect for no more than six months.

http://www.fincen.gov/Maintaining_Accounts_Guidance.pdf

http://www.fincen.gov/Maintaining_Accounts_Guidance.pdf



Overview

The FFIEC’s BSA/AML Manual makes it abundantly clear that

banks must develop a:

list of high risk customers and

risk assessment that indicates whether their customer

base includes a low, moderate, or high number of high

risk customers.

High Risk of

What?

The potential risk is that the customer could be used to launder

money. (There is no realistic expectation that banks can do risk

based analysis regarding terrorist financing in the absence of

direct government support.) A “high risk” conclusion is not a

suggestion that the customer is involved in money laundering or

that the customer ever will be involved in money laundering. It is

an indicator that the nature of the customer’s operations could

facilitate money laundering, nothing more.

Declining or

Terminating

Customer

Relationships

Based on

Status

If it is possible that a customer risk assessment could result in a

refusal to open an account, the author suggests that the risk

assessment be well documented. It should support the conclusion

that the customer is not being denied banking services based on a

“status” such as being an MSB; embassy or foreign consulate; non

U.S. person, etc, but on the specific level of risk represented by

the potential customer. There is no legal prohibition against

charging a fee for taking an application to open an account. There

is no legal requirement that a decision on an application be made

while the customer waits. As with a loan application, a bank may

require any relevant documentation it wants in support of the

application.



Identifying

High Risk

Customers at

Account

Inception

Step Action

1 Via due diligence and enhanced due diligence at

account inception, identify bank customers who are

subject to expanded examination overview.

Note: The bank may supplement list of customers

subject to expanded examination overview with its

own selections based on other criteria.

2 Objectively evaluate each customer’s potential as a

“high risk” customer based on the customer’s

projected activity.

3 Objectively assign a risk rating. The risk rating

must direct higher levels of required documentation

and monitoring with each incremental level of risk.

The BSA officer may increase, but may not

decrease, the level of risk assigned by the bank’s

system.

Note: An alternative method is to automatically

assign a new customer a “high” risk rating and

review actual account activity 3 to 6 months after

the account is established to determine if the

customer is actually high risk.

4 Continuously or at least periodically review

customers subject to expanded examination

overview, including those previously classified as

high risk, and revise their risk level as

circumstances indicate necessary.



Risk Rating

Individual

Customers at

Account

Inception

From the author’s perspective, status as a foreign citizen or a

politically exposed person are the only facts determinable at

account opening on which a consumer customer might be

reasonably be rated something other than “low” risk. Obviously,

if foreign citizenship is in a high risk country that would further

increase that risk rating as would a disclosure that the customer

intends to conduct international transactions, particularly those

with high risk countries.. If the bank actually concludes an

individual’s account is “high risk” due to the individual’s

expected activity would it be prudent to retain the account; would

the necessary monitoring be cost justified?

Risk Rating

System Based

on Assumption

that Most

Individuals are

Low Risk

The sample risk rating matrix on the following page is just that, a

sample. It is designed around the premise that high risk consumer

or individual accounts would not be accepted or retained if they

were identified as such.



Rating/

Risk Level

Description CIP Customer Due

Diligence

Unique

Transaction

Profile

Monitoring

(Daily Reports

Indicate

Risk Code)

1/Low Consumer accounts, U.S.

Persons

Standard Source of funds

requested if initial

deposit not payroll

check or check drawn

on consumer’s account

at another bank.

No Conventional

daily reports

2/Average Consumer accounts,

non U.S. or Politically

Exposed Persons*

Standard, but

passport required

Source of funds

requested if initial

deposit not payroll

check or check drawn

on consumer’s account

at another bank.

Yes,

questions

regarding

presence in

U.S. &

expected

activity

Conventional

daily reports

3/Average Established business accounts

not subject to expanded

examination overview

This rating is not

assigned at

account

inception.

N/A Only

required at

account

inception

Conventional

daily reports

4/Above

average

All new businesses, ** and

businesses subject to expanded

examination overview not

classified as high risk. The

bank does not open accounts

for non U.S. entities.

Standard. CIP

performed on all

signatories. HR

worksheet

updated annually.

Recent (less than 60

days) bank statement

required for

established businesses

opening new accounts

Yes, updated

annually

Conventional

daily reports

and annual

monitoring

covering 60

days of activity

5/High Rating of 15 or higher on HR

worksheet

Standard. CIP

performed on all

signatories. HR

worksheet

updated annually.

Recent bank statement

required for

established businesses

opening new accounts.

Principals must be

identified at account

opening. Copy of

annual audit. Annual

site visit.

Yes, updated

quarterly

Conventional

daily reports

and quarterly

monitoring

cover 30 days

of activity

* The bank does not retain accounts for consumers that might, due to activity or connections to high risk

jurisdictions, theoretically merit a rating higher than “2.”

**New businesses with are rated a “4” at account inception and then reviewed after 90 days for re-rating.

Most are then rated as a 3. All businesses subject to expanded examination overview are rated as a “4” or a

“5.”

Note: This is not a model or even a suggested rating system. It

is supplied for discussion purposes only.

Risk Rating

Entity and

Organizational

Customers at

Account

Inception

A financial institution’s ability to identify high risk entity and

organizational customers at account inception is dependent on

their status and their self-disclosed future activity. The system

illustrated here relies on an automatic assignment of “high risk”

status to all new entity and organizational customers followed

by an objective analysis once an account history is established.



High Risk Worksheet

Objectively

Identifying

High Risk

Entity

Customers

If customer… then… Points

is subject to expanded examination overview or bank

believes customer is potentially high risk.

add 5

is an MSB rated as “low” risk add 3.

is an MSB rated as “moderate” risk add 6.

is an MSB rated as “high” risk add 10.

has been the subject of a legal order compelling the

bank to turn over information in the last 24 months

add 3 for each.

has relationships with other banks add 2 for each

relationship with this bank is less than 1 year old add 2.

is not eligible for exemption from CTR filing add 1.

makes routine use of wire transfers add 1.

sends wire transfers to destinations outside the U.S. or

receives from non U.S. points of origin

add 5.

is an originator of ACH activity add 3.

is a recipient of ACH credits or debits add 1.

is located in a HIFCA or HIDTA add 1.

has one or more significant customer or vendor

relationships in a HIFCA or HIDTA

add 1.

loans secured by cash equivalents add 1

place of business was not the object of a documented

on-site visit within the last 12 months.

add 1.

[Intentionally left blank]

SUBTOTAL

business activity does not involve significant amounts of

currency

subtract 1

place of business was the object of a documented on-

site visit within the last 12 months.

subtract 1.

has provided a current list of shareholders or principals subtract 1

has no relationships with other banks subtract 2.

is publicly traded on a major exchange subtract 5.

relationship with this bank is more than 2 years old subtract 1 for

each year over 2

lending relationship with this bank is more than 2 years

old and “paid as agreed”

subtract 2.

provided extensive financial information adequate to

support a lending relationship.

subtract 2.

business activities are readily comparable to those of

other bank customers in the same business

subtract 1.

[Intentionally left blank]

TOTAL

Risk Rating

3 4 5

0 - 5 5 - 15 More than 15

Note: How should previous SAR filings be factored into a customer

risk rating?



Identifying

High Risk

Customers

During the

Life of the

Account

Clearly, a bank may already have many existing customers when it

implements a rating system. The high risk customers among them

will have to be identified using labor intensive methods. In

addition, some customers may offer projections that are inaccurate

or their actual activity may not be recognized until it appears on

the bank’s daily reports and it is discovered through due diligence

or enhanced due diligence.

What if We

Get it Wrong?

Customer rated too low – While the bank may have a good AML

system, it is not using it effectively on this particular customer.

Suspicious activity may go undiscovered.

Customer rated too high – The bank is squandering limited

resources by monitoring activity that is not likely to be productive.

No amount of monitoring is going to uncover suspicious activity

where there is none.


To Do

Notes


We hope you enjoy this seminar and believe your time and your

institution’s money were well spent. The manual you received today is

an excellent desk-top reference on this topic. If your financial

institution would like to order additional copies of this manual, you

may do so by completing the order form below. Please mail the order

form with payment to Pegasus Educational Services, LLC at the

address provided below.

Please mail completed order form with payment to Pegasus Educational Services, LLC

PO Box 6305 Louisville, KY 40206-0305

BSA – AML Compliance Management Manual Order Form

Ship to Financial Institution ____________________________________________________________

Attention of ___________________________________________________________________

Address ______________________________________________________________________

City/State/Zip _________________________________________________________________

Telephone ____________________________________________________________________

Personnel from our institution attended this program and we are enclosing a check for

$65 each (includes sales tax) for ________ additional copies of the manual. Every

fifth copy of the manual is free. Total amount enclosed $ ____________.

Personnel from our institution did not attend this program and we are enclosing a

check for $85 each (includes sales tax) for ________ copies of the manual. Every

fifth copy of the manual is free. Total amount enclosed $ ____________.

BSA –AML Compliance

Management

Seminar Attendees . . .


(Blank Page)

Documents

Seminar Description and Purpose · Bank Regulatory Agency Role Overview Federal functional (bank) regulatory agencies are charged with conducting on-site BSA examinations to verify