Author: Dave Gowan

Dave brings a unique blend of experience as a former investigator and compliance officer with multi-billion dollar asset financial institutions. Dave has a 15+ years of career experience from the armed forces; to financial crime / fraud investigation; to complete compliance officer responsibilities. Dave brings a pragmatic and practical approach to the industry, grounded in fact and working knowledge of financial regulations. Dave has been with PayLynxs for over 4 years.

What do you do about the new Russian Sanctions?

What do you do about the new Russian Sanctions?

Given the current situation in Eastern Europe, specifically Ukraine, many are questioning what more they should be doing involving OFAC and the various sanctions programs involving the Russian Federation and Belarus. I will take a few minutes and go over the due diligence that is being requested by FinCEN. In my opinion, it is more than sanctions and a direct connection to Russia or Belarus and the various sanctioned entities involved in the situation.

Recently, FinCEN published a new FinCEN Alert (FIN-2022-Alert001) entitled, “FinCEN Advises Increased Vigilance for Potential Russian Sanctions Evasion Attempts.” Some key elements of this publication involve the following:

  • Select Red Flag Indicators of Sanctions Evasion through the U.S. Financial System
  • Select Red Flag Indicators of Sanctions Evasion Using CVC
  • Select Red Flag Indicators of Possible Ransomware Attacks and Other Cybercrime
  • New SAR Key Term “FIN-2022-RUSSIASANCTIONS”

 

Additionally, the bulletin provides distinct ‘Relevant BSA Obligations and Tools for U.S. Financial Institutions,’ specifically calling out the following:

  • Suspicious Activity Reporting involving OFAC Sanctions
  • Placement of key term “FIN-2022-RUSSIASANCTIONS” in SAR field 2
  • Currency Transaction Reporting and other Relevant BSA Reporting Requirements
  • Due Diligence (CDD/EDD)
  • Information Sharing (USA PATRIOT Act 314(b))
  • Executive Order 14024 (This is the specific Sanctions Program regarding the Russian Federation)

 

This seems like quite a bit to go over, but in my opinion, much of this is a reiteration of what a Compliance Department should already be doing. If you have questions or need more confidence, it is always a good move to read through the FinCEN Alert and apply it to your current practices. From there, determine for yourself whether your organization is meeting the ‘spirit of the law.’ Without regurgitating what is already written in the bulletin, I will briefly discuss each topic above and attempt to explain how I might go about establishing confidence in meeting each relative key element.

Select Red Flag Indicators of Sanctions Evasion through the U.S. Financial System

On this topic, there are seven (7) Select Red Flag Indicators that FinCEN is asking Financial Institutions to keep an eye on. In reading through these, I get the following overall feeling that FinCEN is asking that Financial Institutions know their customers. More specific, corporate vehicles and third parties need to be scrutinized to ensure that their use is not to obscure ownership, as well as the origination or destination of funds in a transaction. Regarding EO 14024, scrutinize high-risk areas normally associated with transactional flows to and from the Russian Federation, such as neighboring countries, or high-risk countries known for being tax havens and safe harbors. Pay attention to new account relationships, and always get to the bottom of an entity’s Beneficial Ownership. For established clientele, take exception to unusual foreign exchange activities. If you see something, it’s better to say something than ignore it.

Select Red Flag Indicators of Sanctions Evasion Using CVC

“CVC” is also known as convertible virtual currency, or the more popular term, cryptocurrency. There are three (3) Red Flag Indicators mentioned, but unless you own, operate, or host a cryptocurrency exchange, wallet provider, or host any of these products within your institution, the third one is where most financial institutions need to focus. The overall meaning of the red flag is to know where funds are coming from or going to, specific to cryptocurrency exchange. For most conventional financial institutions, this means scrutinizing transactions specific to crypto exchanges or foreign Money Services Businesses (MSBs) operating in high-risk countries or regions. Also, pay special attention here to volume and frequency of these types of transactions as an additional indicator of risk, as not all CVC transactions are necessarily bad. As previously mentioned in another blog post, more information on the risks and pitfalls to CVC transactions can be found on the FATF website, in a publication labeled “Virtual Assets Red Flag Indicators of Money Laundering and Terrorist Financing,” which can be downloaded and distributed.

Possible Ransomware Attacks and Other Cybercrime

Within this key element are three (3) more Red Flag Indicators. The first involves knowing where customer transactions are initiated or received by means of knowing the geolocation of IP Addresses. This may prove to be more difficult for most small financial institutions, as tools that do this sort of work can be expensive. Check in on your BSA Risk Assessment to determine the right risk-based approach for you organization. Another topic here is customers that use crypto currency mixers or tumblers. Using these services is an indicator of the user’s desire for anonymity.

Relevant BSA Obligations and Tools for U.S. Financial Institutions

The last section goes over much of what a compliance department already does. If you are to file a SAR on activity you believe to be related to the sanction program, enter the key term “FIN-2022-RUSSIASANCTIONS” in SAR field 2, which is on the first page. You can also contact FinCEN and advise them of the SAR by calling the FinCEN Financial Institutions Toll-Free Hotline at (866) 556-3974.

In my opinion, for smaller institutions, the last piece of the bulletin is the most important. This is the Customer Due Diligence reminder, and it is just as strong of a tool as OFAC scanning or transaction monitoring. Refine your process if necessary to get to the beneficial owner of each entity in your portfolio. Ensure that back-shop operations involving foreign transactions get special one-on-one guidance involving what they might look for as they process foreign transactions involving IAT and SWIFT, or any other foreign transaction vehicle your institution uses.

Lastly, one thing I do want to cover briefly is Charitable Organizations. As things progress in Ukraine, many are going to be looking for ways to help. Unfortunately, we also know that many scams out there will be taking advantage of customer interest in assisting those in need. Vigilance here is important as well, and as you field calls of charity fraud, make note of these transactions, and attempt to template them and find others who may not even know they were deceived. Look for common recipients or other patterns of activity to build your case.

In closing, often our premonitions are enough to draw light on something strange that may be occurring. As with most things OFAC, it’s better to be cautious than to let something slip through. Best of luck to everyone out there!

 

BSA/AML Program Fundamentals: An Introduction to the Five Requirements of a BSA/AML Program

Well-built structures have many things in common, and most structures start with a good foundation. The foundation is critical as it supports the building of the rest of the structure. Quality materials, well-trained construction professionals, prudent leadership, sound construction practices, and routine inspections all contribute to the optimal performance of a structure’s foundation. Understanding the geography of the building site often determines the methods, expertise and materials needed to establish the foundation, which ultimately influences the rest of the building’s structure.

Similarly, a BSA/AML Risk Assessment provides the details, or blueprint, specific to the financial institution’s understanding of its risk and provides a basis for how and where to mitigate said risk. Consequently, the foundation of a financial institution’s BSA/AML Risk Management Program is dependent on the health of its pillars. While not called out specifically as pillars, the BSA/AML Manual located within the FFIEC BSA/AML InfoBase calls out the following requirements for an adequate BSA/AML compliance program directly:

    • A system of internal controls to assure ongoing compliance.
    • Independent testing for compliance to be conducted by bank personnel or by an outside party.
    • Designation of an individual or individuals responsible for coordinating and monitoring day-to-day compliance (BSA compliance officer).
    • Training for appropriate personnel.
    • …(A) customer identification program (CIP) with risk-based procedures that enable the bank to form a reasonable belief that it knows the true identity of its customers.

It is these five requirements that constitute the often-cited “Five Pillars of a BSA/AML Program.” Considering these as requirements, it is a fair assessment of your program to consider each of these when determining the health and strength of your institution’s BSA/AML program. From a holistic standpoint, any weakness in one area affects the health of the entire foundation. For example, having a good training program without a good system of internal controls makes the training program less effective. Similarly, having an inadequate internal audit function only sets up the compliance officer and financial institution for failure down the road. Having stagnant policies without periodic review may point to further compliance gaps that are unanticipated by the institution.

On the other hand, maintaining a strong independent audit program only makes the internal controls and CIP program stronger, which in turn can lead to a well-versed BSA compliance officer with adequately trained staff that confidently affect the entire financial institution’s culture of compliance. A healthy culture of compliance reflects well on the safety and soundness of a financial institution, which in turn provides opportunities for growth and results in a positive reputation.

Over the next few months, we will begin discussing in the blog the various details of each of these five requirements. It is our hope that the reader takes away from this effort the overall goal of BSA/AML Compliance so that strategizing how best to use BSA/AML software systems, such as our own SimpliRisk application, lines up with their own institution’s needs and aspirations, while giving all readers an equal understanding of how PayLynxs interprets and views the “five pillars” of a sound BSA/AML Risk Management Program.

High Risk Transactions: Understanding Virtual Currencies & Associated Proposed Legislative Action

In recent months, virtual currency has seen an influx in interest from various directions. While in some circles, these currencies have always maintained their status, recent events have given rise to mainstream popularity, especially from those who may not fully understand how crypto and other means of virtual currencies work. Most prices have seen volatility, with wild swings in the exchange rate for many, and progressive record-breaking climbs for mainstays such as Bitcoin and to a lesser extent, Ethereum. Noting the growing popularity of virtual currencies, financial institutions need to continually adjust their own knowledge and understanding of virtual currencies and their respective markets to maintain a handle on the risks associated with their corresponding transactions.

So, the BSA layperson might ask, “What exactly are virtual currencies, and how do I determine and manage the risks associated with them?” While a bit dated, a good frame of reference for virtual currencies begins with The Financial Action Task Force (FATF). Back in June of 2014, FATF published a report, Virtual Currencies: Key Definitions and Potential AML/CFT Risks. It provides a great overview of virtual currency in its various forms, such as convertible versus non-convertible, centralized versus decentralized, altcoins, cryptocurrency, and others. The report also explains the various mechanisms involved with creating and exchanging said currencies using wallets, exchanges, mining, and torrents.

Groups such as FATF provide common basis behind much of the regulatory workspace. This is seen when looking at recent FinCEN actions, such as the request for comment recently extended by the Biden Administration. The Pending Notice of Proposed Rulemaking involving convertible virtual currencies proposes BSA requirements on certain Money Services Businesses (MSBs), exchanges and wallet administrators that are in line with Currency Transaction Reporting requirements in place today.

It is imperative that the AML and Risk professional have a basic understanding of the underlying gaps that these proposals are trying to fill and how they may or may not affect their institutions and their members and customers. Gaining a broader perspective on virtual currency provides a better understanding for the risk professional and allows for a more succinct risk-based approach.

AML Program Effectiveness: Policy and Automation

When many compliance professionals make plans for determining a strategy for managing your financial institution’s AML program, the use of software, such as SimpliRisk, may be at the forefront of planning. There are many situations for which software can be the proper tool for alleviating some of the risks. Developing risk models for measuring your member or customer base as a business segment is one such mitigation strategy where software can easily assist in making the job easier to manage. Developing
specific rules to catch outliers within your portfolio is another step many take regarding the use of software.

As effective as software is in crunching large volumes of numbers to determine hot spots for review, there are times where the use of software is better meant to assess a policy’s effectiveness, as opposed to
being that front line of defense. Often, when establishing AML monitoring rules, a compliance professional is left wondering, “How do I establish a threshold to gain insight on what is worthy of review?” Often, the answer lies within the financial institution’s already established policies.

For example, all financial institutions have a good grasp on the basic patterns of structuring and Currency Transaction Report (CTR) evasion. This goes beyond industry-wide best practices, as the rules for situations involving cash transactions is very clear, as seen in FinCEN’s Notice to Customers: A CTR Reference Guide. It is common knowledge that the thresholds for monitoring CTR evasion involves aggregating transactions involving cash at a threshold above $10,000. Similarly, Monetary Instrument Log (MIL) evasion is established by monitoring the cash purchases or exchanges of monetary instruments within aggregated thresholds of $3,000 and $10,000. Both instances require looking at the results of both queries and comparing those results against the daily paperwork at the branch level.

However, as simple as this might seem, there are gaps. One of the most common gaps involve transactions that appear outside of the system. For instance, a person walks in with $5,000 in cash and wishes to procure a monetary instrument for an equal or lesser amount. This request may appear to
be commonplace and inconsequential, until the AML professional realizes that these transactions are not being easily captured. In essence, these transactions often do not trigger a rule because the transactions are not tied to a distinct account.

To alleviate this monitoring gap, a common practice by many financial institutions involves policy. While not all people conducting such transactions are necessarily doing so with the intent to obfuscate the source of funds, it is well known that bad actors do employ such a tactic, and as such, a policy of
deposit prior to purchase is commonplace. Similarly, a policy of not executing non-customer cash purchase transactions may be put into place as well.

One last point on this topic involves persons negotiating checks for cash. It is important that a financial institution, specifically smaller ones, gain an in-depth knowledge of Regulation CC, which governs ‘funds availability’ for various deposits. While many transactions require immediate or next-day funds availability, checks not deemed ‘on-us’ allow for longer delays of full funds availability to ensure the funds guaranteed by the instrument are available within the account at the other financial institution.

Becoming knowledgeable on Regulation CC and other regulations will greatly assist in tightening your policies on higher risk transactions. As is always the case involving policies affecting consumers,
publishing all changes, such as changes to your Regulation CC policy, in accordance with all rules and regulations is mandatory. Managing and understanding various controls through policy gives the AML professional better insight into establishing risk-based thresholds for monitoring compliance, both inside and outside of your financial institution.