I am a mortgage broker, one-man shop. I have been told that I must have an anti-money laundering program in place and have a test of the program conducted by a third party. Given that my company consists only of me, this requirement seems very onerous and expensive. Must I have such a program in place and, if so, what does it consist of?
Yes, as a mortgage broker, you must have an Anti-Money Laundering Program in place, regardless of whether you are a company employing 100 loan originators or a ‘one-man shop’.
The Bank Secrecy Act of 1970 (BSA, or “Act”) requires financial institutions to assist U.S. government agencies in detecting and preventing money laundering. Among the activities to be performed by a financial institution is the reporting of suspicious activity that might signify money laundering. The Financial Crimes Enforcement Network (FinCEN) is responsible for implementing and enforcing compliance with the BSA.
On February 7, 2012, FinCEN extended the requirement for an Anti-Money Laundering Program to include residential mortgage loan originators (RMLOs) as it was thought that RMLOs could fill a regulatory gap open to exploitation by criminals. RMLOs, as the primary providers of mortgage financing, deal directly with consumers, and are in a unique position to identify and assess money laundering fraud. Under the Act, an RMLO includes a “person who accepts a residential mortgage loan application, or offers or negotiates terms of a residential mortgage loan”, such as a mortgage broker. [31 CFR § 1010.100(lll)(1)(iii)] The requirement became effective August 13, 2012.
An RMLO’s AML Program, at a minimum, should consist of the following four elements: (1) policies, procedures and internal controls; (2) designation of an AML Compliance Officer; (3) on-going training; and, (4) an independent test. A brief overview of each of these elements is set forth below. [CFR: Title 31, Subtitle B, Chapter X, Section 1029.210 (a)-(d)]
First, you must develop and implement policies, procedures and internal controls designed to limit and control risks and achieve compliance with the BSA. The policies and procedures should be based upon a risk assessment of your company, identifying the level of risk posed by your customers. Such an assessment should take into account your products and services, your geographic lending locations, and customer markets served by your company. Additionally, the Program should include sound policies and processes to verify your customer’s identity and information. The Program should also contain methods for identifying suspicious activity, such as a red flags worksheet, and the procedures to be followed upon discovery of such activity.
Second, the company must appoint an AML Compliance Officer, which in the case of your one-man shop, would be you. This individual is responsible for managing AML compliance at the company. The AML Compliance Officer must monitor the compliance of all personnel with your AML Program, update the Program as necessary, and ensure that all affected personnel are trained on the various AML components.
Third, training on at least an annual basis is essential. Any company personnel who handles any aspects of a residential mortgage loan transaction must be kept informed about both the BSA and its regulations and your company’s specific policies, procedures and processes. It is essential that should an employee identify a red flag, the employee must know the procedures to be followed in order to bring the matter to a resolution. Thus, in a small shop, it is most likely that training should be required of all employees.
Fourth, your company’s AML Program should require annual independent testing to verify the effectiveness of the Program. This testing is generally in the form of an audit and can be performed by a third party or a Company employee. If it is performed by a company employee, it cannot be performed by the AML Compliance Officer or anyone reporting to the AML Compliance Officer. The frequency of testing is risk-based. Generally, regulators recommend that the testing be conducted no less than every 12 to 18 months and the scheduling of the audit be done commensurate with the company's size, complexity, and risk profile. The findings of the AML audit may indicate the frequency of testing. A risk assessment and testing should be conducted as loan products, services, or your business changes.
Joyce Wilkins Pollison
Director/Legal & Regulatory Compliance
Lenders Compliance Group