QUESTION
I am a mortgage broker, one-man shop. I have been
told that I must have an anti-money laundering program in place and have a test
of the program conducted by a third party. Given that my company consists only
of me, this requirement seems very onerous and expensive. Must I have such a
program in place and, if so, what does it consist of?
ANSWER
Yes, as a mortgage broker, you must have an Anti-Money
Laundering Program in place, regardless of whether you are a company employing
100 loan originators or a ‘one-man shop’.
The Bank Secrecy Act of 1970 (BSA, or “Act”) requires
financial institutions to assist U.S. government agencies in detecting and
preventing money laundering. Among the activities to be performed by a
financial institution is the reporting of suspicious activity that might
signify money laundering. The Financial Crimes Enforcement Network (FinCEN) is
responsible for implementing and enforcing compliance with the BSA.
On February 7, 2012, FinCEN extended the
requirement for an Anti-Money Laundering Program to include residential
mortgage loan originators (RMLOs) as it was thought that RMLOs could fill a
regulatory gap open to exploitation by criminals. RMLOs, as the primary providers
of mortgage financing, deal directly with consumers, and are in a unique
position to identify and assess money laundering fraud. Under the Act, an RMLO
includes a “person who accepts a residential mortgage loan application, or
offers or negotiates terms of a residential mortgage loan”, such as a mortgage
broker. [31 CFR § 1010.100(lll)(1)(iii)]
The requirement became effective August 13, 2012.
An RMLO’s AML Program, at a minimum, should consist
of the following four elements: (1) policies, procedures and internal controls;
(2) designation of an AML Compliance Officer; (3) on-going training; and, (4)
an independent test. A brief overview of
each of these elements is set forth below. [CFR: Title 31, Subtitle B, Chapter X, Section
1029.210 (a)-(d)]
First, you must develop and implement policies,
procedures and internal controls designed to limit and control risks and achieve
compliance with the BSA. The policies and procedures should be based upon a
risk assessment of your company, identifying the level of risk posed by your
customers. Such an assessment should take into account your products and
services, your geographic lending locations, and customer markets served by
your company. Additionally, the Program should include sound policies and
processes to verify your customer’s identity and information. The Program
should also contain methods for identifying suspicious activity, such as a red
flags worksheet, and the procedures to be followed upon discovery of such
activity.
Second, the company must appoint an AML Compliance
Officer, which in the case of your one-man shop, would be you. This individual
is responsible for managing AML compliance at the company. The AML Compliance Officer
must monitor the compliance of all personnel with your AML Program, update the
Program as necessary, and ensure that all affected personnel are trained on the
various AML components.
Third, training on at least an annual basis is
essential. Any company personnel who handles any aspects of a residential
mortgage loan transaction must be kept informed about both the BSA and its regulations
and your company’s specific policies, procedures and processes. It is essential
that should an employee identify a red flag, the employee must know the
procedures to be followed in order to bring the matter to a resolution. Thus,
in a small shop, it is most likely that training should be required of all
employees.
Fourth, your company’s AML Program should require
annual independent testing to verify the effectiveness of the Program. This
testing is generally in the form of an audit and can be performed by a third
party or a Company employee. If it is performed by a company employee, it
cannot be performed by the AML Compliance Officer or anyone reporting to the
AML Compliance Officer. The frequency of testing is risk-based. Generally, regulators
recommend that the testing be conducted no less than every 12 to 18 months and the
scheduling of the audit be done commensurate with the company's size,
complexity, and risk profile. The findings of the AML audit may indicate the frequency
of testing. A risk assessment and testing should be conducted as loan products,
services, or your business changes.
Joyce Wilkins Pollison
Director/Legal & Regulatory Compliance
Lenders Compliance Group
