Thursday, July 13, 2023

AML Compliance: Violations Bait and Land Mines

QUESTION 

I am updating our Anti-Money Laundering Program. It was last updated three years ago. We had an AML test last year, and the report showed problems with the written program, yet we did not update it even then. This delay has happened because of staff turnover. 

My concern is what areas I should emphasize in this new update. I would like to know what kinds of issues and challenges are critical, so I can identify them in the program and provide procedures for resolving them. Since your firm is known for conducting AML tests for mortgage companies, I thought you would list important AML issues. 

What challenges do you see occurring in your AML audit tests? 

ANSWER 

If you do not review your Anti-Money Laundering Program (Program) for updates, as needed, and at least annually, you are not complying with Bank Secrecy Act (BSA) guidelines. You are violating the applicable statute if you are not conducting an Anti-Money Laundering (AML) test annually but no later than eighteen months from the previous test. 

If you are not implementing AML training annually, including, when needed, for new hires, you have caused a statutory violation. 

And, if you do not have a responsible, designated, and ratified AML Officer, you have not complied with the BSA mandates. 

The Program is the written structure on which the four pillars of AML compliance rest. Those pillars are (1) ratifying the Program itself, (2) establishing an AML Officer, (3) conducting the AML test, and (4) implementing AML training. 

Lenders Compliance Group was the first compliance firm in the country to provide AML audit tests for Residential Mortgage Lenders and Originators (RMLOs), the specific term used in the BSA. RMLOs were required to develop and implement a Program and begin filing Suspicious Activity Reports (SARs) by August 13, 2012. If you want LCG to conduct an AML test or provide other AML Compliance support, please contact us. 

The test may be conducted internally, following FinCEN guidelines, or by an external auditor entirely independent of the AML Officer. If the findings report recommends that you go further by conducting an AML Risk Assessment, do it. 

In using the term RMLOs, I am referring to two types of entities that are considered loan or finance companies: the mortgage lender, the entity that is explicitly stated in the note as being the initial payee in connection with a mortgage transaction, and the mortgage originator, the party that accepts a mortgage loan application or offers or negotiates the terms of a residential mortgage loan. 

Each RMLO must adopt a policy and procedure for AML compliance in recognition of its obligations under BSA, other related money laundering regulations, the Financial Crimes Enforcement Network requirements, and federal and state licensing agencies. 

That you are not revising policies and procedures pursuant to a competent AML test may put your firm at considerable regulatory risk. The audit results must be reported to the audit committee of the RMLO's management and the BSA/AML Officer. It is the responsibility of the AML Officer to take appropriate action to correct any problems found as a result of the audit and promptly respond to the RMLO's audit committee or appropriate senior management. 

Crooks and bandits continue changing tactics, and your organization must adjust your AML program accordingly. Several "land mines" can be anticipated in BSA/AML examinations. 

We keep a record of evolving money laundering schemes. At this point, our due diligence auditors avail themselves of an extensive database that keeps us alert to the nefarious money laundering tactics the crooks have developed and, unfortunately, continue to develop. 

I will provide several actions and non-actions – what some organizations do or don't do – that trigger regulatory violations. My focus is on RMLOs. 

Violations Bait and Land Mines 

1.     314(a) searches aren't completed promptly. RMLOs should make certain that the U.S. Patriot Act contacts listed in their online profiles are current and that they certify these profiles when contacts are updated. Moreover, companies must ensure that their policies and procedures name a point of contact. 

They should also provide the following: 

 a.     steps for when the primary contact is unavailable; 

 b.     ways to ensure information confidentiality; 

 c.     how to respond to FinCEN requests; 

 d.     how to determine if and when to file a SAR; and 

 e.     the process for independent testing of 314(a) compliance. 

2.     Inadequate AML training for appropriate personnel. Board members and the AML Officer do not always receive the appropriate BSA/AML training for their roles. Organizations also fail to educate staff on illicit financial activities, which is needed to keep members safe and the organization compliant. We believe financial institutions should train new staff as soon as possible. 

To prevent staff-related issues, AML functions and responsibilities should encompass adequate resources, a sufficient level of aggregate AML expertise, and an appropriate allocation of time to AML tasks. 

3.     An AML Officer must be designated to own the system and ensure that processes are followed and updated, reports are filed, training is robust, and the entire system is running effectively. The board should grant the AML Officer the duties and authority to implement AML processes and policies. 

4.     AML training should include examples of money laundering and suspicious activity monitoring relevant to each operational area. This training also should provide officials with a sufficient understanding of the institution's risk profile and BSA/AML regulatory requirements. 

Additionally, companies must document all training, including the following: 

 a.     testing materials; 

 b.     attendance records; 

 c.     employees that fail to participate; and 

 d.     corrective actions taken concerning employees who fail to attend training. 

5.     A lack of independent testing. Avoid utilizing in-house staff that does not satisfy the "qualified" and "independent" criteria for independent testing. If staff is not qualified and independent, the work product is worthless and will likely be rejected by regulators. Not using an external resource to conduct the independent review causes delays in the required testing. 

6.     No written and approved Program. BSA/AML compliance programs must be in writing, approved by the board, and documented in board meeting minutes. It should be comprehensive. Off-the-shelf AML policies are notoriously defective. 

Additionally, the Program must set forth requirements for internal controls, independent testing, a designated AML Officer, training for appropriate personnel, member due diligence, and customer identification data. AML policies and procedures should be documented, comprehensive, consistent with best practices, approved by stakeholders, and regularly updated. 

7.     Stay alert to sanctions issued by the Office of Foreign Assets Control (OFAC). To be compliant with OFAC-governed sanctions regulations, your firm must ensure it is not engaging in trade or transaction activities that violate the rules behind OFAC's country-based sanctions programs or engaging in trade or transaction activities with sanctions targets named on OFAC's list of Specially Designated Nationals and Blocked Persons. 

The linkage to AML compliance requires an organization's policies and procedures to address aspects of OFAC compliance and controls, including customer onboarding, screening, and even specialized training. 

Customer Identification Program (CIP) requirements should be applied to all customers opening a new account as that term is defined in the Bank Secrecy Act and implementing regulations. The CIP must include procedures for making and maintaining a record of all information obtained to verify a customer's identity. At a minimum, the record must include all the identifying information gathered by the firm about a customer. 

8.     Noncompliant SARs. SARs are not filed within 30 or 60 days and are not complete or accurate, particularly SAR narratives. Organizations fail to promptly detect, escalate, investigate, and file SARs. Include appropriate risk-based procedures for conducting ongoing customer due diligence, including (i) understanding the nature and purpose of customer relationships to develop a customer risk profile and (ii) conducting ongoing monitoring to identify and report suspicious transactions and, on a risk basis, to maintain and update customer information. 

9.     Know Your Customer (KYC) practices do not clearly define and align with customer attributes and risks (i.e., customer identification programs, customer due diligence, enhanced due diligence, and special circumstances due diligence). 

10.  Certain loan products pose a higher risk of criminal activity than others and attract money laundering criminality. You must document processes for monitoring your high-risk products and services for potential money-laundering activity. A "best practice" is to ensure that the AML Officer and compliance department are part of product plans at your institution.

Jonathan Foxx, Ph.D., MBA
Chairman & Managing Director 
Lenders Compliance Group