Financial Crime Risk Management and the Current Pandemic

Given the current situation worldwide, I thought it might be appropriate to discuss how the current coronavirus pandemic is affecting all financial institutions, whether international bank or community credit union. A few days ago, FinCEN posted a news release regarding the pandemic and its potential effects on financial crime. Within this news release, several key points are made.

These key points highlight trends that we can expect to see in the upcoming months. A majority of these financial crime trends rely not only on the front line to report unusual activity, but on all back-office functions to scrutinize the following:

  1. Imposter scams involving the impersonation of non-profit and government agencies; this is expected to be specific to healthcare and disaster outreach and recovery
  2. Investment activities involving the investment in companies in the healthcare and biosciences industries, such as those that may appear to conduct research on behalf of efforts involving the prevention, detection or curing of the coronavirus
  3. Entities involved in the promotion or sale of products, services, or information involving the prevention, detection, or the curing of the coronavirus
  4. Potential insider trading due to stock market volatility and instability

It is also important to be wary of fraudulent activities that may arise during widespread emergency situations. Several of these activities involve the illicit gain of disaster relief or emergency assistance benefits and payments, as well as rapid flows of funds in which these funds are pooled and then transferred onward to seemingly unrelated parties. Additionally, it may be necessary to conduct enhanced due diligence on small or newly established charitable organizations, or on transactions involving charitable organizations that appear out of pattern, such as the use of money orders, cashier’s checks, and money transfers or remittances. For more information, please see FinCEN Advisory FIN-2017-A007.

Lastly, please be aware of potential exploitation as regulations involving compliance functions in other areas of the financial industry are eased. Efforts to relax Regulation D limits or Regulation CC holds on negotiable instruments carry their own risk. It is imperative that as a financial institution explores loosening these controls, it considers the situations for which these controls were originally established. A loosening of controls can create a gap in risk coverage. For more information, please see NCUA Letter 20-CU-02.

If you have any questions at this time, please contact us.

High-Risk Customers: Where to Begin

As a state or federally regulated financial institution, it’s important to have a grasp of what constitutes a high-risk customer as it pertains to BSA and financial crime risk. Additionally, determining what high-risk activities or traits might elevate the risk of a customer is also critical. For this reason, being aware of the standards prescribed by your financial institution’s respective regulatory agency can assist in determining whether your financial institution meets the standards set by its assigned agency.

Whether your institution’s BSA compliance program is regulated by the National Credit Union Administration (NCUA), the Federal Deposit Insurance Corporation (FDIC), or the Board of Governors of the Federal Reserve System (FRB), the guidance regarding examinations is a concerted effort. This effort is evidenced by the Federal Financial Institutions Examination Council’s (FFIEC) BSA/AML Examination Manual. As such, guidance on determining your high-risk customers begins with the BSA/AML Risk Assessment – Overview section of the aforementioned manual.

This section breaks the Risk Assessment process into two parts: Identification and Analysis. However, as important as the Risk Assessment process is, we will focus on determining high-risk customers. Within the Identification portion of the Risk Assessment process is the section on Customers and Entities, with detailed explanation on the following customer types:

  • Foreign financial institutions, including banks and foreign money services providers (e.g., casas de cambio, currency exchanges, and money transmitters)
  • Nonbank financial institutions (e.g., money services businesses; casinos and card clubs; brokers/dealers in securities; and dealers in precious metals, stones, or jewels)
  • Senior foreign political figures and their immediate family members and close associates (collectively known as politically exposed persons (PEP))
  • Nonresident alien (NRA)
  • Foreign corporations and domestic business entities, particularly offshore corporations (such as domestic shell companies and Private Investment Companies (PIC) and international business corporations (IBC)) located in higher-risk geographic locations
  • Deposit brokers, particularly foreign deposit brokers
  • Cash-intensive businesses (e.g., convenience stores, restaurants, retail stores, liquor stores, cigarette distributors, privately owned ATMs, vending machine operators, and parking garages)
  • Nongovernmental organizations and charities (foreign and domestic)
  • Professional service providers (e.g., attorneys, accountants, doctors, or real estate brokers)

This list of business types and occupations provides a good framework against which to assess your institution’s client base. Balancing this list against other risk factors using a risk-based approach is imperative to keeping the workload at a reasonable level. Ensuring that data involving these and other risk factors is accurate and complete further ensures that the risk-based approach taken is appropriate.

The Analysis portion of the Risk Assessment process provides the basic building blocks for a financial institution’s Customer Identification Program (CIP) and Customer Due Diligence (CDD) program. Per the FFIEC Manual, determining the following factors for each potential high-risk customer will help the financial institution determine the customer’s actual risk:

  • Purpose of the account
  • Actual or anticipated activity in the account
  • Nature of the customer’s business/occupation
  • Customer’s location
  • Types of products and services used by the customer

These types of questions provide answers that assist the financial institution in building risk profiles. They also provide data for determining which customers may be outside of normal patterns when compared to similar customer types. This data underpins the primary function of conducting CDD: determining which customers, those deemed statistically different from the norm, need follow-on Enhanced Due Diligence (EDD).

In conclusion, the Risk Assessment process and the customer onboarding processes (CIP, CDD and EDD) are all integral to determining an effective risk mitigation strategy, and consequently to finding out who the high-risk customers are as it pertains to your financial institution. Developing a proper risk-based approach to managing customer risk is not a one-size-fits-all process; it should be a customized, organic approach to mitigating risk based on the institution’s risk appetite, human capital, and financial soundness.

If you’re looking for help evaluating and managing risk at your institution, contact us to request a complimentary demo.

FinCEN’s New CDD Rule: Significant and Unexplained Changes

FinCEN’s Final Rule regarding Customer Due Diligence (CDD) Requirements for Financial Institutions[1] (the New CDD Rule on Beneficial Ownership) is built around CDD requirements for beneficial owners and controlling parties of legal entities. In addition to specific rules outlining a financial institution’s handling of legal entity customers, this final rule codifies a new “fifth pillar” of Bank Secrecy Act[2] compliance. Regulatory bodies, such as the National Credit Union Administration (NCUA), specifically call out the third and fourth core elements of CDD as “ongoing customer due diligence[3],” which primarily comprises this new fifth pillar.

Outside of codifying the requirement to conduct ongoing CDD and implementing enhanced Customer Identification Program[4] (CIP) rules for legal entity customers, most of these new requirements have been implied for a long time. This is evident in the implementation of the old “four pillars” in a financial institution’s BSA compliance program, as seen within the Federal Financial Institutions Examination Council’s (FFIEC) examination procedures[5] specific to Internal Controls. What is explicitly different in the new rule is the reference to trigger events, such as the implication that a significant and unexplained change in the customer’s activity could require a review and update of the customer’s risk profile, as well as trigger a CIP review. This can be viewed by many as a change from FinCEN’s previous “periodic review” suggestion.

‘Trigger’ Events and Updating Records

The term “a significant and unexplained change…” is not necessarily new language but is a variation of what has always been implied, specifically as it pertains to transaction monitoring and Suspicious Activity Reporting (SAR) “Red Flags[6].” However, the new CDD Requirements force the language to be restated to include the term “beneficial ownership information,” and imply that if a change in activity is seen, the institution should check the CDD information and update the customer record “to include beneficial ownership information” if anything has changed.

The language is buried within the rule[7]:

When a financial institution detects information (including a change in beneficial ownership information) about the customer in the course of its normal monitoring that is relevant to assessing or reevaluating the risk posed by the customer, it must update the customer information, including beneficial ownership information. Such information could include, e.g., a significant and unexplained change in the customer’s activity, such as executing cross-border wire transfers for no apparent reason or a significant change in the volume of activity without explanation. It could also include information indicating a possible change in the customer’s beneficial ownership, because such information could also be relevant to assessing the risk posed by the customer. This applies to all legal entity customers, including those existing on the Applicability Date. This provision does not impose a categorical requirement that financial institutions must update customer information, including beneficial ownership information, on a continuous or periodic basis. Rather, the updating requirement is event-driven, and occurs as a result of normal monitoring.

And later here:

We believe that this change to the ongoing monitoring clause better encapsulates current practice in the AML/CFT area, and therefore, the nature of the obligation—that is, financial institutions are presently expected to conduct a monitoring triggered update of customer information when they detect information during the course of their normal monitoring relevant to assessing or reevaluating the risk of a customer relationship. Such information could include, e.g., a significant and unexplained change in customer activity. It could also include information indicating a possible change in beneficial ownership, when such change might be relevant to assessing the risk posed by the customer.

In summary, “a significant and unexplained change” is merely a trigger to investigate the customer by conducting Enhanced Due Diligence, updating CDD and CIP information, and filing a SAR if needed. It is a small but significant implied task in maintaining a robust BSA Program. This term may be new, but the spirit of this term has existed prior to the new rule.
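The following is an added illustration, not code from this article or from FinCEN, of the event-driven logic quoted above: a monitoring routine compares a legal-entity customer's latest month against its own earlier months and reports the two kinds of change the rule names (a significant volume shift and cross-border wires with no prior history), suppressing the trigger when the institution already has a documented explanation on file. The Txn record shape, the z-score threshold and the sample activity are assumptions constructed for the example.

```python
from dataclasses import dataclass
from statistics import mean, pstdev

@dataclass(frozen=True)
class Txn:
    customer_id: str
    month: str                  # "YYYY-MM"
    amount: float
    cross_border: bool = False  # True for a cross-border wire

def monthly_volume(own):
    """Total volume per month for one customer's transactions, in month order."""
    totals = {}
    for t in own:
        totals[t.month] = totals.get(t.month, 0.0) + t.amount
    return [totals[m] for m in sorted(totals)]

def cdd_triggers(txns, customer_id, explanations=(), z_threshold=3.0, min_history=3):
    """Reasons the customer's CDD/beneficial-ownership record must be refreshed.
    Latest month vs the customer's own earlier months; a change the institution has
    already documented (customer_id in explanations) is 'explained', so no trigger.
    Thresholds are illustrative assumptions, not regulatory values."""
    own = [t for t in txns if t.customer_id == customer_id]
    volumes = monthly_volume(own)
    if len(volumes) <= max(min_history, 1):
        return []                     # too little history to call anything a change
    latest = max(t.month for t in own)
    baseline, current = volumes[:-1], volumes[-1]
    mu, sigma = mean(baseline), pstdev(baseline)
    if sigma > 0:
        significant = abs(current - mu) / sigma >= z_threshold
    else:                             # flat history: fall back to a relative change
        significant = mu > 0 and abs(current - mu) / mu >= 1.0
    reasons = []
    if significant:
        reasons.append(f"volume change in {latest}: {current:.0f} vs baseline mean {mu:.0f}")
    had_xb = any(t.cross_border for t in own if t.month != latest)
    new_xb = sum(1 for t in own if t.month == latest and t.cross_border)
    if new_xb and not had_xb:
        reasons.append(f"{new_xb} cross-border wire(s) in {latest}, none in prior history")
    return [] if customer_id in explanations else reasons

# Constructed sample: LE-001 spikes and starts cross-border wires in 2020-06; LE-002 is steady
SAMPLE = [Txn("LE-001", m, a) for m, a in [("2020-01", 10000), ("2020-02", 10500),
          ("2020-03", 9800), ("2020-04", 10200), ("2020-05", 10000)]]
SAMPLE += [Txn("LE-001", "2020-06", 60000, cross_border=True)]
SAMPLE += [Txn("LE-002", f"2020-0{i}", 5000) for i in range(1, 7)]

if __name__ == "__main__":
    print({cid: cdd_triggers(SAMPLE, cid) for cid in ("LE-001", "LE-002")})
```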

[1] https://www.federalregister.gov/documents/2016/05/11/2016-10567/customer-due-diligence-requirements-for-financial-institutions

[2] https://www.acamstoday.org/fifth-pillar-of-bsa-role-of-third-line-of-defense/

[3] https://www.ncua.gov/newsroom/Pages/ncua-report/2017/second-quarter/fincen-adds-fifth-bsa-compliance-pillar.aspx

[4] https://www.ffiec.gov/bsa_aml_infobase/pages_manual/olm_011.htm

[5] https://www.ffiec.gov/bsa_aml_infobase/pages_manual/OLM_008.htm

[6] https://www.ffiec.gov/bsa_aml_infobase/pages_manual/olm_106.htm

[7] https://www.federalregister.gov/documents/2016/05/11/2016-10567/customer-due-diligence-requirements-for-financial-institutions

Financial Crimes Compliance Efforts are tied to Data Integrity and Quality

Do you understand your own data?

This is something to consider when undertaking various due diligence efforts such as Third-Party Risk Management and core integration projects. While the software ecosystem your core banking software participates in may not be fully controlled by your financial institution, the quality of this data is vital to understanding gaps in your own AML and financial crimes monitoring regime. This includes other third-party services, which may send data back and forth with the core. Knowing the gaps in your data will assist you in determining how to address them; it may be possible to cover gaps in data by looking to the native systems whose records are merely summarized in your core’s database.

For example, many core banking software systems receive data from various system providers that are then summarized as statement entries, without any rich detail as to what occurred. This is seen in various ways with Card, Wire, ACH, Bill Pay, Teller and Shared Branch (credit union network) and other network transactions, and greatly depends on the core system. This gap in understanding can be covered by your financial institution’s insistence on data maps and an institution-wide data management strategy. It is imperative that the financial institution document and validate any changes to the data schema so that dependent systems continue to work.

Best practices for implementing an institution-wide data management strategy start with appointing a qualified professional as a ‘data steward’ to gain an understanding of your financial institution’s various data streams, and then outline a data management strategy to keep all systems in sync. A good concept for data management is often called data governance, but there are a variety of concepts out there for your financial institution to emulate. Ensure your understanding of the concept is in sync with the technology department of your organization.

By treating the task of data integrity as essential to the organization’s overall health, the financial institution will have a better grasp of how it interacts with various systems, the gaps in the data exchanged, and the risks involved with summarized data in the risk management process. The topic of data integrity and quality is covered in greater detail from a variety of sources; do not hesitate to bring up the subject with your IT or IS Staff for more information.

Below are a few resources that may help you gain a further understanding of the topic from a regulatory framework perspective: