Join me on Thursday, June 20 at 1:00 PM CST for a discussion on Tax Evasion and Tax Fraud.
What's Being Covered?:
Tax crimes have been hot buttons for the IRS and regulators for years. What is tax evasion and what is tax fraud? Failure to comply, falsifying or withholding information, or not reporting income is a crime. Most comply and pay their taxes, but there are many who try to cheat. What is SAR reportable? We will answer these questions and more in this webinar.
Register here: www.bankerstoolbox.com/taxfraud
Tuesday, June 18, 2013
Tuesday, February 12, 2013
When Was Your Last Checkup?
I hate going to the dentist. So, of course I avoid the annual checkup and ignore the small aches and pains when I eat cold or sweet foods for as long as I can, only to risk ending up rushing to the dentist for an emergency root canal.
Just like avoiding the dentist, we can't put off having a regular checkup of our BSA program if we want to avoid serious problems. It might seem like a waste of time and resources, especially if you feel you have low risk, but the consequences of not being prepared are huge.
Enhanced Scrutiny
I have blogged recently about the enhanced scrutiny financial institutions are currently facing. Banks, credit unions and money service businesses are being reviewed more closely than ever in the area of BSA and anti-money laundering. Dollar fines are at a historical high and are being handed out liberally. Due to ineffective programs at Wachovia, Citibank, Zions, Commerzbank, and HSBC, (to name a few), the examiners are playing a role of taking no prisoners as they do their rounds of BSA exams.
A bank should have an effective process in place to look for criminal activity. After all, that was the purpose of the Bank Secrecy Act to begin with. But, many small and mid-sized institutions are saying they are being taken by surprise. I hear a similar theme: "My last exam was perfect, no problems at all and now I'm being told that I am failing at one or more of the four mandatory pillars of an effective BSA program. How could this happen?"
How Did It Happen
In the case of the giants in the news, it was often a story of years and years of negligence. Many of these institutions were told to improve. They either chose to ignore the mandate, or often did not identify or put any kind of review in place for areas of extreme high risk, such as foreign correspondent activity, bulk cash shipments and remote deposit capture for foreign Casa de Cambio accounts.
Now the justice department is out for blood. Examiners were severely critiqued for not being hard enough and will now have their magnifying glasses out at your next exam. We might not get the benefit of constructive criticism first and then punishment for non-compliance later.
Alert to SAR Ratios
Institutions are reporting to me that they are being told that the volumes of SARs they file have to be a certain ratio to the number of alerts they review. Another concern is that their volumes are out of proportion to what the same size bank across town is filing. Institutions are desperately looking for suspicious activity that doesn't exist in many low risk institutions just so they can make their quotas. In response, they are filing SARs on activity that a larger institution would never bother looking at or on activity they really do not believe is suspicious just to make their numbers.
Ultimate Goal
The ultimate goal of an effective suspicious activity monitoring program is to catch suspicious activity if it is occurring. What if there is very little happening at the institution? The majority of small institutions have no bulk cash shipments, foreign remote deposit capture, foreign correspondent accounts, ACH origination, third party payment processors, prepaid cards, brokers, or politically exposed persons.
Each financial institution should have an effective RISK-BASED BSA/ AML program, that includes the four pillars, (policies & procedures; internal controls; qualified BSA officer; and independent testing), a regularly updated and thorough risk assessment, and a strong balanced suspicious activity program. They should regularly evaluate their program and processes and effectively train their employees on BSA and processes. If automated systems are involved, they should test their data regularly to make sure the data they need to look for suspicious activity is coming into the system.
All these processes can and should be right sized according to the risk at the institution. The important thing, regardless of the size of your institution, is to have regular checkups to identify emerging threats and risks, and to act on the advice and recommendations made during your checkup.
Tuesday, October 30, 2012
Worries in the Trenches — How Much Does a Financial Institution have to do to Detect Suspicious Activity?
HSBC Set the Stage for Increased Scrutiny
HSBC obviously exposed the U.S. financial system to money laundering, drug trafficking and terrorist financing risks due to ineffective anti-money laundering controls. It is also now public knowledge that their violations were egregious and had been going on for years. But, the concern now is that all institutions will have to pay because of HSBC’s past polluted compliance culture.
During the recent Senate Permanent Subcommittee on Investigations probe, Sen. Carl Levin, subcommittee Chairman said, “The OCC tolerated HSBC’s weak AML system for years. If an international bank won’t police its own affiliates to stop illicit money, the regulatory agencies should consider whether to revoke the charter of the U.S. bank being used to aid and abet that illicit money.”
The report severely criticized the OCC’s AML oversight and recommended that the OCC follow the lead of other regulators and treat money laundering as a threat to a bank’s safety and soundness, rather than a consumer compliance concern. The report further recommended that the OCC change its practice of refraining from statutory violations when a bank’s program does not effectively meet one of the four required statutory BSA pillars and that the OCC should take stronger action when a bank hits a threshold number of BSA/AML statutory violations.
On October 17th, American Banker published an article with comments from HSBC’s Irene Dorner about how banks must do a lot more to repair their image and also while being “battered from within and without, the banking industry must work much harder and wait much longer to restore its reputation.”
The Justice Department is Catching On
And then to top it off, Forbes published an article last week that said, “The Department of Justice is taking a new tack in its efforts to track and prosecute money laundering that occurs through financial institutions.” Instead of focusing on money laundering that results from criminal violations to prevent money laundering, they are instead looking at financial institutions for weaknesses in their internal controls and procedures.
In the past, regulators have cited many institutions, big and small, for BSA violations calling them “compliance shortcomings” which are sometimes resolved by deferred prosecution agreements as in the case of Wachovia, where the government agrees to dismiss the charges and in return the financial institution promises implementation of additional anti-money laundering measures, along with an agreement in which the bank neither admits nor denies wrongdoing. The Justice Department is now expressing an end to this leniency and has made no secret of its intentions to more aggressively prosecute future violations against financial institutions and even the board of directors or individual bankers.
So the Justice Department is now placing more emphasis on identifying financial institutions with weak AML programs. They are also charging financial institutions for overall failure to implement effective programs to combat money laundering. All financial institutions are at risk. In June of this year, the Justice Department charged several check cashers and their owners for violations of AML laws.
All Asset Sizes are at Risk
The Southern California ACAMs Chapter recently hosted a BSA Roundtable meeting for local financial institutions to share knowledge and tips for BSA compliance, but also allowed them to vent their concerns about the recent regulatory environment. (ACAMs is an international organization dedicated to enhancing knowledge of BSA/AML professionals.) The message from the trenches was clear. “It doesn’t matter how big or small you are, or the level of risk at your institution, and it definitely doesn’t matter how your past exams have gone. Every financial has to take a good hard look at their current BSA/AML programs, policies and procedures to make sure they still pass muster.”
What They're Looking For
Financial institutions are being taken to task for nine common weaknesses. It is not enough to just have policies and procedures, and it also is not enough to have software to help you identify suspicious activity. Examiners are looking to see that the institution has strong due diligence of their customer base, and is conducting enhanced due diligence of higher risk accounts, and when suspicious activity is identified are filing complete and detailed suspicious activity reports (SARs) on a timely basis. They are also looking to see that your policies and procedures thoroughly document each of these processes. And when the decision is made not to file a SAR, the justification must be sound and well documented. Examiners are also looking for financial institutions to justify their suspicious activity monitoring program, including, (if they have automation), why and how did they pick the parameters and filters that they are using to find potential suspicious activity.
The Forbes article stated that financial institutions already spend in excess of $100 million annually to comply with the BSA and it is likely that much more will have to be spent to beef up their AML programs to meet the new increased expectations. The concern in the trenches (by BSA/AML professionals charged with this compliance), is how much is enough, especially in this environment of “do more with less.”
Tuesday, October 9, 2012
Beat 9 Common BSA/AML Weaknesses
Is something missing from your bank's BSA/AML program?
Over the last several months, there have been headlines warning of increased scrutiny by examiners on BSA/AML and dire consequences for banks unprepared for their exams. Many financial institutions, both big and small, are being hit with enforcement actions and severe penalties.
Over the last few years, regulators and examiners had been concentrating their efforts on problems stemming from the recent financial crisis. But now the trend has turned back to money laundering and the Bank Secrecy Act. So be warned that even if your last exam went well or was even a non-event, don't have the same expectations for the upcoming BSA/AML exams.
Remember to evaluate and review your program for any weaknesses on a periodic basis.
What should you be looking for? What can you do to shore up your BSA/AML program to ensure you don't fall under the regulator's lash? Let's address nine of the most common weaknesses.
Read the full article on the ABA Banking Journal website.
Over the last several months, there have been headlines warning of increased scrutiny by examiners on BSA/AML and dire consequences for banks unprepared for their exams. Many financial institutions, both big and small, are being hit with enforcement actions and severe penalties.
Over the last few years, regulators and examiners had been concentrating their efforts on problems stemming from the recent financial crisis. But now the trend has turned back to money laundering and the Bank Secrecy Act. So be warned that even if your last exam went well or was even a non-event, don't have the same expectations for the upcoming BSA/AML exams.
Remember to evaluate and review your program for any weaknesses on a periodic basis.
What should you be looking for? What can you do to shore up your BSA/AML program to ensure you don't fall under the regulator's lash? Let's address nine of the most common weaknesses.
Read the full article on the ABA Banking Journal website.
Monday, September 24, 2012
Partnership between Banks, Examiners and Law Enforcement
FDIC Works to Mend Relationship
The article relayed the message that Martin Gruenberg, acting chairman of the FDIC, sent Sept.14 to community bankers who have complained about the tense relationship they have with their examiners in this "post-crisis" environment.
Gruenberg said better communication will go a long way in mending the fences between examiners and community bankers. The FDIC is taking these steps to help bankers prepare better for their exams:
- Better communication before the exam so bankers can provide sufficient and adequate information in advance, and examiners can be more efficient when they arrive onsite.
- Better communication at the start of the exam with bank management to clearly layout the focus and the goals.
- Better communication after the exam with "timely" post-exam reports that focus on the same issues identified during the onsite discussions with the bank, so there are no surprises.
There are More Parties Involved
Here is where I get on my soapbox. While I know the FDIC wasn't just specifically talking about the BSA exam, it made me think about the relationship that occurs during the BSA exam between the examiner and the BSA department. While I do not disagree that a better partnership between examiners and bank management is a great goal, I do think there is an important player that needs to be considered when it comes to a better partnership.
What about the partnership between examiners, bankers and law enforcement?!
The BSA was created to assist law enforcement in tracking down and putting away criminals by providing much needed financial records. Suspicious activity reports (SARs) provide financial institutions with a method of reporting possible criminal activity so law enforcement can investigate and catch the criminal.
Differing Needs of Examiners and Law Enforcement
For years, a great relationship has been built and nurtured between law enforcement and bankers, especially with the BSA and fraud investigators. Many different local and regional chapter groups and associations were created to provide much needed education and guidance on both sides. At many of these gatherings, law enforcement express to financial institutions what they like and don't like about the thousands of SARs they weed through in pursuit of catching the bad guys. Often the structure and content of what law enforcement would like to see in the narrative of these reports differs from what examiners want. More details on what law enforcement would like to see in a SAR will have to be the topic of one of my future blogs.
The ultimate goal of the BSA has gotten lost in the shuffle. According to law enforcement, financial institutions filing defensive SARs flood the system. They advise financial institutions to have good "know your customer" policies and procedures, be thorough in suspicious activity reviews and SAR documentation and go with your gut instincts. Don't file a SAR if you have a good reasonable explanation that the activity is not suspicious and you have no reason (including that gut feeling) to doubt the explanation.
When to File a SAR
The decision to file a SAR is subjective. Examiners are instructed by the FFIEC BSA exam manual that they are not supposed to question individual decisions made by financial institutions to file or not file a SAR, unless the failure is significant or accompanied by evidence of bad faith. Instead, examiners are asked to concentrate on ensuring the institution has a good decision making process and follows that process.
Many institutions have told me about situations where they have been criticized for failing to file a SAR, even though the bank had a reasonable explanation and did not feel it was suspicious. One bank told me they have filed SARs even when they did not feel a situation was suspicious simply because their examiner told them they had to.
A couple of other BSA officers have told me they have had examiners tell them the ratio between how many accounts they have, how many alerts they have reviewed and how many SARs they file is too low or too high. Does the identification of possible BSA and criminal/suspicious activity have anything to do with a ratio at your institution?
SARs are a tool to help law enforcement catch the crook. If SARs are also being filed defensively because financial institutions are afraid of poor exams, then law enforcement will have trouble seeing through the forest because of all the trees. Why do financial institutions listen to examiners when it contradicts what law enforcement is requesting? They want and need to pass their exam.
One law enforcement friend said to me last week, "Why can't they let representatives from all three of these groups (law enforcement, bankers and examiners) get in a room and duke it out?" Well, I for one would not want to be the one to duke it out with law enforcement.
Reaching the Perfect Partnership
To give credit where it is due, FinCEN does listen to law enforcement. The new SAR form that will be mandatory in March 2013 includes many new optional fields of information that has been requested by law enforcement to help them with their investigations. I highly recommend to institutions that even though they are optional fields, please try and provide as much additional information as possible. It will be of great assistance to law enforcement. I may sound overly critical of examiners. This is not true. They have the very difficult job of ensuring that our nation's financial institutions comply with laws, sanctions and a whole alphabet soup of regulations. I have met many great individuals, bankers, examiners and law enforcement, who are all passionate about doing the right thing; but, until we can come up with a happy medium between what the examiners want to see, what law enforcement needs and what bankers are actually doing, we have a ways to go to reach that perfect partnership.
Monday, September 17, 2012
Money-Laundering Inquiry is Said to Aim at U.S. Banks
Over the last few years regulators and examiners concentrated their efforts on problems stemming from the recent financial crisis. The trend has now turned back to money laundering and the Bank Secrecy Act. Authorities are now investigating several banks for failure to monitor cash transactions and thereby allowing drug dealers and terrorists to use financial institutions to assist in furthering their criminal activities. The New York Times released an article on Friday to demonstrate how this new sting by our regulators is affecting U.S. financial institutions.
HSBC, Citi, Zions Bank, The Royal Bank of Scotland, Wachovia and Standard Chartered, to name a few, have all fallen under the regulators’ lash for not implementing sufficient BSA/AML/OFAC monitoring programs. Since adequate programs were not in place, it created lapses that allowed criminal activity to flow through their institutions. Millions of dollars in penalties are being assessed!
An important thing to keep in mind is that this is NOT just a big bank problem. I have been to many institutions of various sizes over the last couple of months where examiners have severely criticized and written up institutions for not doing enough to look for and track suspicious activity. In many of these situations, the organizations were small, low risk institutions with NO evidence of suspicious activity. The examiners’ concerns were that if there had been suspicious activity, it wouldn't have been caught because the institutions were not looking for it.
What Examiners Want to See
Even if you have the same examiner as previous years, you are not in the clear. I spoke to a few institutions who had the same examiner as their previous exam, and they still had their programs ripped apart, analyzed and criticized.Examiners are putting emphasis on the last time you evaluated your program to make sure it is still sufficient for "current" risk. Are you validating the data is coming into your AML system accurately? Are you conducting an independent evaluation on a regular basis?
Maleka
BSAGenie
Wednesday, September 12, 2012
FinCen Asks For Help in identifying and Tracking Account Take Over Fraud
Identifying Account Takeover Activity-New FinCEN Advisory FIN-2011-A016 (December 19, 2011)
Fincen issued a new advisory yesterday (Dec. 18, 2011) to help them identify account takeover activity through the filing of SARs.
Account takeover activity differs from other forms of computer intrusion, as the customer, rather than the financial institution maintaining the account, is the primary target.
"Computer intrusion may be defined as gaining access to a computer system of a financial institution to: a) remove, steal, procure or otherwise affect funds of the financial institution or the institution's customers; b) remove, steal, procure or otherwise affect critical information of the financial institution including customer account information; or c) damage, disable, disrupt, impair or otherwise affect critical systems of the financial institution."
In an account takeover, at least one of the targets is the customer holding an account at a financial institution and the ultimate goal is to remove, steal, or otherwise affect funds of the targeted customer.
What is required of you........FinCEN wants to track this activity via the use of Suspicious Activity Reporting.
"If a financial institution knows, suspects, or has reason to suspect that a transaction conducted or attempted by, at, or through the financial institution involves funds derived from illegal activity or an attempt to disguise funds derived from illegal activity, is designed to evade requirements under the Bank Secrecy Act ("BSA"), or lacks a business or apparent lawful purpose, the financial institution may be required to file a SAR."
When completing SARs on suspected account takeover activity, financial institutions should use the term "account takeover fraud" in the narrative section of the SAR and provide a detailed description of the activity. Financial institutions may wish to take the following examples into account when filling out the Suspicious Activity Information section to further enhance the usefulness of their filings:
If the account takeover involves computer intrusion, check the box for "computer intrusion." In addition, financial institutions can check the "other" box and note "account takeover fraud" in the space provided.
If the account takeover involved other delivery channels such as telephone banking or fraudulent activities such as social engineering, financial institutions can check the "other" box, note "account takeover fraud," and include a short description of the additional information in the space provided.
If the account takeover involves a wire transfer, then in addition to selecting the "other" box and noting "account takeover fraud," the box for "wire transfer fraud" should be checked.
If the account takeover involves an ACH transfer, financial institutions can check the "other" box and note "account takeover fraud - ACH."
Account takeovers often involve unauthorized access to PINs, account numbers, and other identifying information. Financial institutions may need to check the box for "identity theft," in addition to selecting the "other" box and noting "account takeover fraud." Additional boxes should be checked if appropriate (e.g. "terrorist financing").
Questions or comments regarding the contents of this Advisory should be addressed to the FinCEN Regulatory Helpline at 800-949-2732. Financial institutions wanting to report suspicious transactions that may relate to terrorist activity should call the Financial Institutions Toll-Free Hotline at (866) 556-3974 (7 days a week, 24 hours a day). The purpose of the hotline is to expedite the delivery of this information to law enforcement. Financial institutions should immediately report any imminent threat to local-area law enforcement officials.
Fincen issued a new advisory yesterday (Dec. 18, 2011) to help them identify account takeover activity through the filing of SARs.
Account takeover activity differs from other forms of computer intrusion, as the customer, rather than the financial institution maintaining the account, is the primary target.
"Computer intrusion may be defined as gaining access to a computer system of a financial institution to: a) remove, steal, procure or otherwise affect funds of the financial institution or the institution's customers; b) remove, steal, procure or otherwise affect critical information of the financial institution including customer account information; or c) damage, disable, disrupt, impair or otherwise affect critical systems of the financial institution."
In an account takeover, at least one of the targets is the customer holding an account at a financial institution and the ultimate goal is to remove, steal, or otherwise affect funds of the targeted customer.
What is required of you........FinCEN wants to track this activity via the use of Suspicious Activity Reporting.
"If a financial institution knows, suspects, or has reason to suspect that a transaction conducted or attempted by, at, or through the financial institution involves funds derived from illegal activity or an attempt to disguise funds derived from illegal activity, is designed to evade requirements under the Bank Secrecy Act ("BSA"), or lacks a business or apparent lawful purpose, the financial institution may be required to file a SAR."
When completing SARs on suspected account takeover activity, financial institutions should use the term "account takeover fraud" in the narrative section of the SAR and provide a detailed description of the activity. Financial institutions may wish to take the following examples into account when filling out the Suspicious Activity Information section to further enhance the usefulness of their filings:
If the account takeover involves computer intrusion, check the box for "computer intrusion." In addition, financial institutions can check the "other" box and note "account takeover fraud" in the space provided.
If the account takeover involved other delivery channels such as telephone banking or fraudulent activities such as social engineering, financial institutions can check the "other" box, note "account takeover fraud," and include a short description of the additional information in the space provided.
If the account takeover involves a wire transfer, then in addition to selecting the "other" box and noting "account takeover fraud," the box for "wire transfer fraud" should be checked.
If the account takeover involves an ACH transfer, financial institutions can check the "other" box and note "account takeover fraud - ACH."
Account takeovers often involve unauthorized access to PINs, account numbers, and other identifying information. Financial institutions may need to check the box for "identity theft," in addition to selecting the "other" box and noting "account takeover fraud." Additional boxes should be checked if appropriate (e.g. "terrorist financing").
Questions or comments regarding the contents of this Advisory should be addressed to the FinCEN Regulatory Helpline at 800-949-2732. Financial institutions wanting to report suspicious transactions that may relate to terrorist activity should call the Financial Institutions Toll-Free Hotline at (866) 556-3974 (7 days a week, 24 hours a day). The purpose of the hotline is to expedite the delivery of this information to law enforcement. Financial institutions should immediately report any imminent threat to local-area law enforcement officials.
Subscribe to:
Posts (Atom)