LENDERS COMPLIANCE GROUP®


Thursday, May 9, 2024

Online Data Collection Challenge

QUESTION 

Most of our business is from originating mortgages. Recently, we started originating Buy-Now-Pay-Later loans. I know you specialize in mortgage banking. And these are not mortgage loans. However, they are available online just like we offer our mortgages online. 

Our attorney told us that getting a customer's social security number for online Buy-Now-Pay-Later loans poses consumer privacy and information security risks. She says we could collect partial SSN information directly from the customer and then use a third party source to obtain the full SSN before opening the account. 

This is not a practical solution. As the sales manager, I am trying to find some kind of workaround. We need the SSN when the loan comes in online. Processing begins immediately and includes our CIP filters. However, if we use a third party to handle the BSA requirement, there could be a processing delay. 

Hopefully, you can shed some light on how to resolve this situation. Our attorney reads your articles and often sends them to us. So, I'm sure she will read your view on getting online SSN information. 

Can you explain why our attorney is concerned about our online CIP data collection involving Buy-Now-Pay-Later loans? 

COMPLIANCE SOLUTION 

Website Compliance Review 

Policies and Procedures

ANSWER 

Since 2006, Lenders Compliance Group has offered mortgage banking compliance. We do not provide compliance guidance for Buy-Now-Pay-Later (BNPL) loans. The BNPL loan is an installment loan that typically allows a customer to purchase something immediately with little or no initial payment and pay off the balance over four or fewer payments.[i] 

I will answer your question because you have an online origination platform that is used to originate mortgage loan products, where you have now introduced the origination of BNPL loans. 

You do not state if your company is contemplating partnering with a nonbank third party service provider to facilitate BNPL loan originations. 

Read on to find out why that information is a critical compliance element. 

I think there are more reasons for your attorney's directive than is described in your question. Given that you are marketing mortgage and non-mortgage products online, the online platform should be evaluated for its overall compliance with CIP requirements, among other things. Depending on the online consumer disclosures, product and service array, origination technology, and other factors, I think her concern is warranted. 

Please ask your attorney to contact me here. We'll discuss and resolve the situation. 

Your question comes as FinCEN is evaluating, via a Request for Information (RFI), existing requirements for banks under the Customer Identification Program Rule ("CIP Rule") to collect a taxpayer identification number (TIN) from a customer before opening an account. I'll provide a bird's-eye view of the anticipated plans, which may be responsive to your attorney's concerns. 

Generally, banks and nonbanks ("financial institution(s)" or "institution(s)") must collect a full Social Security Number (SSN) from a customer who is an individual and a U.S. person. The RFI, mentioned above, is being issued in consultation with staff at the OCC, FDIC, NCUA, and the Federal Reserve System (collectively, the "Agencies"). 

FinCEN is looking for feedback to understand the potential risks, benefits, and safeguards that could be established if financial institutions were permitted to collect partial SSN information directly from the customer for U.S. individuals and subsequently use reputable third party sources to obtain the full SSN before account opening. So, FinCEN's inquiry seems to align with your attorney's suggestion. Agencies usually issue an RFI because they want certain information to evaluate practices and, in this case, a better understanding of current industry practices and perspectives related to the CIP Rule's TIN collection requirement. So, their inquiry is based on wanting to assess the potential risks and benefits associated with a change to that requirement. 

From the start of anti-money laundering compliance, financial institutions have collected identifying information from a customer before opening an account. FinCEN, in consultation with staff at the Agencies, seeks information and comments from interested parties regarding the CIP Rule requirement for financial institutions to collect a taxpayer identification number (TIN) and other information from a customer who is a U.S. person before opening an account. 

There are minimum standards[ii] for such information collection, including, among other things, reasonable procedures[iii] for 

(1) verifying the identity of any person seeking to open an account to the extent reasonable and practicable; and 

(2) maintaining records of the information used to verify a person's identity, including name, address, and other identifying information.  

It is, therefore, a given that, to satisfy the CIP Rule's TIN collection requirement for a U.S. individual, a financial institution must collect the full SSN from the customer before opening an account. While an institution's procedures for verifying a customer's identity may be risk-based and may vary among institutions, the CIP Rule makes clear that the collection of certain identifying information is a minimum requirement, and such information must be collected directly from the customer before opening an account, except concerning credit card accounts. 

That said, the CIP Rule generally does not allow a financial institution to collect an individual's SSN from a person other than the customer (i.e., a third party service provider). 

When the CIP Rule was adopted, institutions were exempted from the requirement for credit card accounts to collect identifying information directly from the customer, including an identification number. Rather, financial institutions may collect the customer's identifying information, such as the SSN, for credit card accounts, from a third party source before extending credit to the customer. The agency saw at that time that without this exception, the CIP Rule would change an institution's business practices by mandating information beyond what was already obtained directly from a customer who opened a credit card account at the point of sale or by phone. 

Concerns were raised during the proposed CIP Rule's comment period that, for instance, a person applying for a credit card account would be hesitant to provide their SSN, especially through non-face-to-face means, because of consumer privacy and security concerns. 

It seems clear that FinCEN saw requiring a bank to collect a customer's identifying information from the customer in every case, including over the phone, would likely alter how they do business. Consequently, credit card accounts were exempted from the CIP Rule's information collection requirements, allowing banks and nonbanks to obtain, for these purposes, a customer's identifying information from a third party source, such as a credit bureau, before an extension of credit. In its issuances, FinCEN considered this practice an efficient and effective means of extending credit with little risk that an institution did not know the borrower's identity. 

Since the CIP Rule was adopted in 2003, FinCEN has become aware that there has been significant innovation in how customers interact with financial institutions and receive financial services, and in CIP data collection and verification tools available to financial institutions. 

So, here's the crux of the matter: some banks partner with nonbank third party service providers to facilitate new financial products and services. A Buy-Now-Pay-Later loan product is an example of a nonbank financial institution, a third party service provider, that enables such financial products and services by extending credit to customers at the point of sale. 

These products and services operate in a similar manner to credit cards but may be offered by nonbank financial institutions that may or may not be subject to the Bank Secrecy Act (BSA) and its implementing regulations or other comparable regulatory requirements.[iv] Even so, institutions that do not comply with the CIP Rule may face supervisory action, particularly if a nonbank with which a bank has partnered does not collect the customer's identifying information directly from the customer, as required by the CIP Rule. 

The RFI[v] will presumably inform FinCEN's understanding in this area and help the agency evaluate the risks, benefits, and potential safeguards related to certain CIP Rule requirements applicable to financial institutions. Specifically, FinCEN is seeking input from institutions and other interested parties regarding the Rule's SSN collection requirement. The results may allow financial institutions to collect partial SSN information from the customer and use a third party source to collect the full SSN. Partial SSN collection is when a bank collects a certain part of the SSN from individuals who are customers (i.e., the last four digits of an individual's SSN) and then obtains the full SSN from a reputable third party service provider. 

Jonathan Foxx, Ph.D., MBA
Chairman & Managing Director 
Lenders Compliance Group


[i] What is a Buy Now, Pay Later (BNPL) Loan?, Consumer Financial Protection Bureau, Issuance (Last Reviewed: December 2, 2021), https://www.consumerfinance.gov/ask-cfpb/what-is-a-buy-now-pay-later-bnpl-loan-en-2119/ 

[ii] Section 326 of the USA Patriot Act amended the BSA to require, inter alia, the Secretary to prescribe regulations "setting forth the minimum standards for financial institutions and their customers regarding the identity of the customer that shall apply in connection with the opening of an account at a financial institution." 

[iii] 13 CFR Part 103, Financial Crimes Enforcement Network; Customer Identification Programs for Certain Banks (Credit Unions, Private Banks and Trust Companies) That Do Not Have a Federal Functional Regulator, Department of the Treasury

[iv] An example of a nonbank financial institution that is a third-party service provider used to facilitate new financial products and services would be one that provides BNPL loans that extend credit at the point of sale to customers.

[v] The RFI supports FinCEN's ongoing efforts to implement Section 6216 of the Anti-Money Laundering Act of 2020, which requires the agency to, inter alia, identify regulations and guidance that may be outdated, redundant, or otherwise do not promote a risk-based regime for anti-money laundering (AML) and countering the financing of terrorism (CFT).

Thursday, February 15, 2024

Money Mules: ID Theft and AML Compliance

QUESTION 

Our company is under investigation by the banking department and law enforcement for allowing "money mules" to use our financial services. They managed to use our mortgage and depository services. The crooks targeted people in nursing homes and hospice care facilities. 

The banking department is now determining if we properly implemented an Identity Theft Protection Program and Anti-Money Laundering Program. They're looking back at the procedures as well as the level of testing and training. Our CEO has told us that she expects an administrative action against us. 

We haven't updated our Identity Theft Protection Program and Red Flags Rule in years. We're reviewing it now. Well, better late than never! 

But we do the Anti-Money Laundering Program testing and training as required. The banking department is closely scrutinizing both written policies. Yesterday, we received a notice from FinCEN that they are investigating our SAR filings. 

The news fallout has been devastating. We have been in business for decades and have never had a hit to our reputation, let alone something as shocking as being an unwitting accessory to an identity theft and money-laundering scheme. There's not enough money in the world to reestablish trust! 

How do "money mules" operate? 

How do "money mules" exploit the stealing of identities? 

How do "money mules" undermine anti-money laundering procedures? 

ANSWER 

Your situation reminds me of a recent arrest in California involving money mules. The victims' money is often initially handled by "money mules," individuals who permit their addresses or bank accounts to be used or agree to receive or negotiate cashier's checks. In brief, a money mule moves money obtained illegally on behalf of another individual. Funds are transferred in person, digitally, or through mail or courier. 

I have discussed money mules previously. Here is one about how the COVID pandemic was used by criminals to bilk the public: COVID-19: Imposters and Money Mules. 

Money mules can be – but are not always! – aware they are involved in laundering money obtained illegally. The purpose of this illegal activity is to obscure the source of funds. They are a key element in the money laundering and identity theft process. 

Scheme 

With some variance and nuances here and there, the following are the steps to money mule schemes: 

Step 1: Criminal looking to launder money employs a money mule to layer illicit funds. 

Step 2: Criminal transfers the funds to the money mule in person or electronically. 

Step 3: Money mule either places[i] the money into the financial system or receives money that has already been integrated[ii] into the financial system. 

Step 4: Money mule uses a series of transfers and transactions to layer[iii] the money. 

Step 5: Money mule returns the layered funds to the criminal. 

In the case I have in mind,[iv] the FBI arrested money mules involved in scams that bilked grandparents. This is brutal, wicked, and heartless, of course, but crooks will do what crooks will do! A con is a con. A mark is a mark. As Hamlet observed, "one may smile, and smile, and be a villain!"[v] 

Two money mules were arrested and indicted for their scheme to launder at least $2 million in proceeds obtained from victims of grandparent scams who were defrauded with false claims that their relatives were in distress and urgently needed funds. 

The indictment detailed how perpetrators of grandparent scams convince victims to send money – purportedly to help relatives, frequently their grandchildren, who are typically described as being in legal trouble – "to bank accounts, business entities, and physical addresses specified by the scammers, using interstate wires and cashier's checks…for the supposed purpose of assisting the relatives in distress." 

One of the money mules is said to be a manager of money mules, and the other, thus recruited, recruited his own money mules. Federal prosecutors further assert that the manager created business entities and opened bank accounts using information stolen from identity theft victims. 

Once the money was in the accounts associated with the money mules or identity theft victims, the two money mules allegedly engaged in transactions designed to conceal the true nature of the funds, which, in this case, had been obtained via wire fraud. 

The indictment specifically alleges that the scheme laundered funds obtained from victims of grandparent scams who live in California and Pennsylvania. The bank fraud scheme alleged in the indictment involves fraudulently obtained funds held in suspense in an account set up in the name of an identity theft victim. 

The two money mules and a co-conspirator allegedly worked in concert to contact the bank and impersonate the identity theft victim to secure the issuance of a check for nearly $83,000 that was remaining in the account. 

As I noted above, money mules can be unwittingly involved in a money mule scam. That seems hard to believe. Investigators find that the trail usually ends with the money mule, who might not have realized that they are laundering money for crime gangs. Unfortunately, the process often depends on the unwitting money mule for its execution. The enforcement authorities have found at least three primary types of money mules: (1) unwitting, (2) witting, and (3) complicit. Here's a synopsis of each type. 

Types 

(1) Unwitting: Individuals are unaware they are involved in criminal activity and engage in it thinking it's legal. They are often deceived into doing the activity for someone they believe to be an employer, acquaintance, perhaps a romance scammer, or somebody in a position of some trust. 

(2) Witting: Individuals who should be aware they are involved in suspicious activity but engage in it anyway. While they aren't fully aware of the extent to which they are involved in criminal activity, they typically ignore clear indicators that what they do is illegal or suspicious. 

(3) Complicit: Individuals know they are involved in criminal activity yet still engage in it willfully. This type of money mule ranges from inexperienced individuals unaware of their involvement to experienced and adept fraudsters who run entire money mule rings. 

Identity Theft Prevention Program 

Beyond the legal ramifications of acting as a money mule,[vi] the people who serve as money mules may open themselves up to identity theft. All of their personally identifiable information ("PII") can be stolen by criminals, leading to the theft of their financial assets. Victims often wind up with drained accounts, damaged credit, and deprivation of medical treatment due to loss of cash liquidity. 

Stealing an individual's identity is a fraud committed or attempted using the identifying information of another person without authority.[vii] The "identifying information" of a victim is particularly onerous because such information means "any name or number that may be used, alone or in conjunction with any other information, to identify a specific person."[viii] 

The Red Flags Rule ("Rule") goes back to 2007 under a section in the Fair and Accurate Credit Transaction Act (FACTA), which amended the Fair Credit Reporting Act (FCRA).[ix] The Rule was promulgated in 2010.[x] 

If you haven't reviewed your written Identity Theft Protection Program – which is statutorily required – it is a bit late now, given that the regulators are currently involved in an investigation. In compliance, you cannot simply throw up your hands and, as you do, declare that it is "better late than never." Indeed, that phrase harks all the way back to Geoffrey Chaucer in the 14th century, who said, "For better than never is late; never to succeed would be too long a period."[xi] 

In compliance, virtually everything has a tail, a trace, a remnant, a vestige, some lingering scintilla of activity, a dash of evidence that cannot escape discovery at some point and in some way. Thus, "better late than never" is not functionally good enough in compliance. 

Pay attention to the second half of Chaucer's statement, "never to succeed would be too long a period." There are no viable exceptions to maintaining regulatory vigilance, and if there is a systemic or some other failure, admitting the mistake and fixing it permanently. Regulators are sometimes sympathetic to companies that recognize and willingly fix mistakes. But be assured that most of the time, they will find out about the errors you prefer not to tell them about. To succeed in compliance, you must proactively review, monitor, test, train, and implement regulatory requirements. 

There are notorious correlations between money mules and identity theft. I have been discussing "traditional" money mules, but there are "synthetic identities" used by money mules. Synthetic identities are created using a discrete combination of PII to fabricate a person or entity. Given the availability of stolen data on the dark web, these identities are easy to create on a large scale. 

If you haven't reviewed your Identity Theft Prevention Program in some time, you are quite remiss, and, from a regulatory compliance perspective, you are not only opening yourself to regulator scrutiny but may also be recklessly endangering your customers. 

Anti-Money Laundering Program 

You asked, How do "money mules" undermine anti-money laundering procedures? In our Anti-Money Laundering test audits, we have noted weaknesses in screening for money mules. The results of our findings are provided in our Executive Summary, and we offer our work papers so that you can see how deep we have gone to evaluate your AML program. We provide recommendations to fix the weaknesses. 

Our reviews have uncovered many money mule schemes. However, catching the scams is a never-ending task because the crooks are remarkably inventive in finding ways to undercut even the best AML programs. 

There are telltale elements that might indicate a money mule has landed on your AML radar. We are always adding to our audit list as crooks invent new schemes and scams. You should do the same! These scams come up repeatedly in our AML test audits to the point that we consider them triggers to conducting an investigation to determine if a Suspicious Activity Report (SAR) should be filed with FinCEN[xii]. 

Our organization maintains a list of warning signs that a money mule may be making their way onto a client's AML radar. Our list contains elements provided by CISA[xiii], and we build on these elements continually. In our estimation, AML compliance must include, among other things, periodic testing, employee training, due diligence, transaction monitoring, Identity Theft Protection Program mandates, KYC and KYB[xiv] requirements, CIP[xv], OFAC[xvi], identity theft[xvii] "frozen credit" alerts, and historical SAR filings. 
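As an added illustration, not code from the original post or from the firm's audit tools, the following Python sketch turns the scheme steps above (funds received, then rapidly layered out through several transfers) into a transaction-monitoring check. The ledger is constructed sample data; the account names, counterparties, window and ratio thresholds are assumptions, and a hit is a trigger for an investigation, not a SAR decision by itself.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample ledger (not real data): timestamp, account, direction, amount, counterparty.
# ACC-100 receives a large credit and pushes almost all of it out within a day or two;
# ACC-200 is an ordinary account that spends a payroll credit gradually.
SAMPLE_TRANSACTIONS = [
    ("2024-01-03T10:00", "ACC-100", "in",  9500.00, "CASHIER-CHK-01"),
    ("2024-01-03T14:20", "ACC-100", "out", 4700.00, "WIRE-RECIPIENT-A"),
    ("2024-01-04T09:05", "ACC-100", "out", 4600.00, "CRYPTO-EXCHANGE"),
    ("2024-01-10T11:00", "ACC-100", "in",  8200.00, "CASHIER-CHK-02"),
    ("2024-01-10T16:30", "ACC-100", "out", 8000.00, "WIRE-RECIPIENT-B"),
    ("2024-01-05T08:00", "ACC-200", "in",  3000.00, "PAYROLL-CO"),
    ("2024-01-12T12:00", "ACC-200", "out",  900.00, "LANDLORD"),
    ("2024-01-20T12:00", "ACC-200", "out",  250.00, "GROCERY"),
]


def detect_pass_through(transactions, window_days=3, min_ratio=0.8):
    """Return {account: [episode, ...]} for accounts that re-send most of an
    inbound credit within window_days (placement followed by rapid layering).
    Each outbound transfer is counted against at most one inbound credit."""
    by_account = defaultdict(list)
    for ts, acct, direction, amount, cpty in transactions:
        by_account[acct].append((datetime.fromisoformat(ts), direction, float(amount), cpty))

    findings = {}
    for acct, txs in by_account.items():
        txs.sort(key=lambda t: t[0])
        consumed = set()  # indexes of outbound rows already attributed to a credit
        episodes = []
        for i, (when, direction, amount, cpty) in enumerate(txs):
            if direction != "in" or amount <= 0:
                continue
            deadline = when + timedelta(days=window_days)
            outs = [j for j, t in enumerate(txs)
                    if t[1] == "out" and j not in consumed and when <= t[0] <= deadline]
            out_total = sum(txs[j][2] for j in outs)
            ratio = out_total / amount
            if ratio >= min_ratio:
                consumed.update(outs)
                episodes.append({
                    "received_at": when.isoformat(),
                    "source": cpty,
                    "inbound": amount,
                    "out_total": out_total,
                    "ratio": round(ratio, 3),
                    "destinations": sorted({txs[j][3] for j in outs}),
                })
        if episodes:
            findings[acct] = episodes
    return findings


def accounts_for_sar_review(findings, min_episodes=2):
    """Accounts showing the pattern repeatedly are escalated to an investigation
    to decide whether a SAR is warranted."""
    return sorted(a for a, eps in findings.items() if len(eps) >= min_episodes)


if __name__ == "__main__":
    hits = detect_pass_through(SAMPLE_TRANSACTIONS)
    for acct, eps in hits.items():
        for ep in eps:
            print(acct, ep)
    print("escalate for review:", accounts_for_sar_review(hits))
```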

An example of due diligence is conducting your own investigation. Money mules can contaminate PII. During an investigation, a client of ours discovered that a money mule group used fake websites and social media profiles to trick victims into providing their personal information. It then used that PII to open bank accounts, apply for mortgage loans, and set up cryptocurrency wallets. This criminal group then laundered the stolen funds through a network of money mules, who received and transferred the funds on behalf of the criminals.

Jonathan Foxx, Ph.D., MBA
Chairman & Managing Director 
Lenders Compliance Group


[i] Placement is where illegitimate funds are introduced to the legitimate financial system.

[ii] Integration is where layered funds (which now appear legitimate) are returned to the criminal.

[iii] Layering is where the criminal intentionally moves funds to disguise where the money actually originated.

[iv] Two Indicted in Scheme that Allegedly Laundered over $2 Million Generated by ‘Grandparent Scams’ Targeting Elderly Victims, Press Release, Department of Justice, U.S. Attorney's Office, Central District of California, December 12, 2023

[v] Hamlet, Act 1, Scene 5, Shakespeare

[vi] For instance, among other things, the charge of conspiracy to commit money laundering carries a statutory maximum penalty of 20 years in federal prison, and the charge of conspiracy to commit bank fraud carries a sentence of up to 30 years.

[vii] 16 CFR 603.2(a)

[viii] 16 CFR 603.2(b)

[ix] The Red Flags Rule was issued in 2007 under § 114 of the Fair and Accurate Credit Transaction Act of 2003 (FACT Act), Pub. L. 108-159, amending the Fair Credit Reporting Act (FCRA), 15 USC 1681m(e). The Red Flags Rule is published at 16 CFR 681.1. See also 72 FR, Nov. 9, 2007.

[x] The Rule was amended in 2010 by the Red Flag Program Clarification Act of 2010, 15 U.S.C. 1681m(e)(4), Pub. L. 111-319, 124 Stat. 3457 (December 18, 2010).

[xi] Actually, the phrase is a direct translation from the Latin “potiusque sero quam nunquam” (viz., and better late than never) in Livy’s fourth book Ab Urbe Condita (History of Rome), 27 BC. The full quote in Livy is “Their insolence and recklessness must be opposed, and better late than never.” (My translation.)

[xii] Financial Crimes Enforcement Network (FinCEN), for nonbanks, see Anti-Money Laundering Program and Suspicious Activity Report Filing Requirements for Residential Mortgage Lenders and Originators, Financial Crimes Enforcement Network, 77 FR 8148-8160 (February 14, 2012), as revised from time to time.

[xiii] CISA provides several publications involving money mules and other schemes. One example is Understanding and Protecting Yourself Against Money Mule Schemes, Matthew DeSantis, Chad Dougherty, Mindi McDowell, US-CERT, Cybersecurity & Infrastructure Security Agency

[xiv] Respectively, Know Your Customer (KYC) and Know Your Business (KYB)

[xv] Customer Identification Program (CIP)

[xvi] Office of Foreign Assets Control (OFAC)

[xvii] FCRA Identity Theft Rules, Op. cit. ix

Thursday, February 1, 2024

Identity-Related Suspicious Activity

QUESTION 

We are a large mortgage lender in the West. A hedge fund owns us. Recently, the hedge fund came down hard on our compliance department for allowing the originating of loans that our AML process should have screened out. They were up in arms because our state regulator issued an administrative action against us. 

We didn't file some SARs that were identity-related, but we did document why the SARs were not filed. That didn't satisfy the regulator because they said we did not follow our own AML program guidelines. We may now lose our Safe Harbor because we didn't file the SARs by following our own policy. 

There are other issues, but the biggest one involves not screening for identity-related suspicious activity. That's the regulator's term: "identity-related suspicious activity." 

The auditor we hired to do our annual AML test was fired. Now, to comply with the regulator, we have to find an auditor who will work with us to review the last 36 months to determine if we should have filed more identity-related SARs. This is a massive undertaking. I am one of several operations persons drafted into the compliance department to assist. I want to know more, and I hope you will give us some feedback. 

What is identity-related suspicious activity? 

ANSWER 

We provide Anti-Money Laundering (AML) testing and training. We were the first compliance firm in the country to offer testing, training, and a written AML Program. Also, we handle large AML due diligence projects such as the one you've described. If you want information about our AML compliance support, contact us here. 

For years, the Financial Crimes Enforcement Network (FinCEN) has issued trend analyses showing that identity-related suspicious activity is a huge percentage of filings. For instance, in 2021, approximately 1.6 million SARs (42% of the SARs filed that year) related to identity, which was $212 billion in suspicious activity. 

Just a few weeks ago, FinCEN published its findings as part of its ongoing Identity Project ("Report").[i] The Report outlines how bad actors exploit identity-related processes in processing transactions as well as opening and accessing accounts. 

I will provide a cursory overview of the Report and then move on to an answer to your question. 

TYPOLOGIES 

The Report discusses the existence of significant identity-related exploitations through various schemes. FinCEN identified over fourteen "typologies" commonly indicated in identity-related SARs. 

The most frequently reported were 

(1) fraud,

(2) false records,

(3) identity theft,

(4) third-party money laundering, and

(5) circumvention of verification standards. 

These top five typologies accounted for 88% of identity-related SARs and 74% of the total suspicious activity reported in 2021. 

TRENDS 

Trends found in the BSA reporting include: 

· Although identity-related suspicious activity impacted all types of financial institutions, depository institutions filed the most identity-related BSA reports, which was about 54% of all identity-related filings. 

· The impact of identity-related exploitations by BSA report volumes and cited U.S. dollar values is significant. Attackers most frequently use impersonation tactics, followed by compromise during authentication, and then circumvent verification to evade detection. Compromised credentials have a disproportionately large monetary impact compared to impersonation and circumvention. 

· The Report found that compromised credentials have a disproportionate financial impact compared to other types of identity exploitation. 

SAFE HARBOR 

I will not comment on your company's exposure to losing the Safe Harbor except to point out that the Safe Harbor provision of the Bank Secrecy Act (BSA)[ii], among other things, shields financial institutions, their officers, and employees from civil liability for reporting known or suspected criminal offenses or suspicious activity by filing a SAR. From your question, I can't tell who told you that your company may lose the Safe Harbor. 

The Safe Harbor provides immunity to any "financial institution that makes a voluntary disclosure of any possible violation of law or regulation to a government agency." This protection precludes liability under any federal, state, or local law, or regulation, or under any contract. Nevertheless, courts have disagreed about the scope of the protection it affords. You should be working with competent counsel in responding to the regulatory agency. 

SCREENING PROCEDURES 

It seems to me that your screening procedures failed to identify identity-related suspicious activity. You state that the regulator alleges you did not follow your own AML program procedures. That implies that you have procedures in a ratified AML Program that were not implemented. 

There are three stages to a systemic framework that mitigates identity-related suspicious activity.[iii] These stages are: (1) Validation; (2) Verification; and (3) Authentication. I do not think this framework is failsafe, but it is quite comprehensive. Nonetheless, in the age of Artificial Intelligence, we can expect updates to these stages. 

The following is a brief outline of each stage. 

Validation 

The validation stage begins when a customer presents identity attributes and supporting evidence (e.g., birth certificate, passport, driver's license, and so forth) – in person or remotely – for review by a financial institution. The financial institution then attempts to determine:

a) Whether the presented identity exists (i.e., whether it is tied to a real-life identity);

b) Whether the presented identity is unique (i.e., whether it is claimed by only one entity);

c) Whether the presented information and evidence are authentic and accurate. 

Generally, the financial institution makes these determinations by comparing the presented information and evidence against authoritative government data, such as public records and Social Security Administration data, or third-party data sources, such as credit reporting agency, utility, and employer data (i.e., independent and reliable data sources). 

Verification 

In the verification stage, the financial institution confirms that the previously validated identity evidence belongs to the customer. The financial institution may, for instance, match the customer's appearance in person (or virtually) via photo or video to a photo on the customer's driver's license, passport, or other photo identification. 

Verification tools and techniques can rely on humans or be entirely automated. These tools may also use biometrics like facial recognition and "liveness" detection or verify documents and attributes to determine a match. This process may also use various other technical and risk data from third parties. 

Authentication 

In the authentication stage, a financial institution assesses whether the customer is who they purport to be based on the customer's possession and control of valid "authenticators." Financial institutions may also carry out related transaction-level activities, such as verifying counterparties and monitoring transactions. 

Authentication is intended to provide "risk-based" assurance that the customer is the same customer whose identity was validated and verified during the previous stages of the identity process. 

The authentication process can occur in person or remotely, be manual or digital, rely on humans or machines, and is considered more robust when it depends on multiple authentication factors (i.e., multifactor authentication). 

Common authentication factors include: 

a)     Possession: something the customer has (e.g., a badge, phone, or cryptographic key);

b)     Knowledge: something the customer knows (e.g., a password, passphrase, or PIN);

c)     Inherence: something the customer is (e.g., a fingerprint or other biometric data).

Thursday, October 19, 2023

AML Examinations: Common Audit Findings

QUESTION 

We are a credit union with several branches. Our concern is that we don't believe we have a comprehensive training program for BSA/AML. We are going to have a regulatory examination soon, and I think we will be written up for having an incomplete training program and aids. But that's just one of the weaknesses. 

We need some direction here. First, our compliance manager is contacting your firm to review our written AML program. Second, we need to know the areas of weakness that regulators often find in our AML program. 

What are some areas of weakness we can anticipate being reviewed in an AML examination? 

ANSWER 


We have conducted hundreds of AML risk assessments over the years, and the findings regarding BSA/AML vary depending on the financial institution's risk profile, size, complexity, and products and services. Still, there is a common grouping of weaknesses that tend to recur. 

Before listing the more salient weaknesses, I urge you to segment your responsibility matrix for the personnel involved in the Anti-Money Laundering review process. Regulators take a keen interest in evaluating whether an institution properly allocates responsibilities and authorities along the chain of command in reviewing AML data. 

Segmenting the specific responsibilities will make the written AML program easier to execute. Importantly, the regulators will be able to determine that your institution is complying in a procedurally reliable way. 

I will segment the responsibilities into four groups: (1) Frontline Staff, (2) Operations Staff, (3) Board of Directors, and (4) New Personnel. Now, consider the following brief description of each. You can take these responsibilities as a "starting point." I suggest you broaden them to reflect the way information actually flows through your institution.

Frontline Staff 

Responsibilities 

  • CTR reporting requirements,
  • Recognizing suspicious activity,
  • Completing a SAR,
  • Customer Identification Program due diligence, and
  • Office of Foreign Assets Control (OFAC) requirements (if applicable). 

Operations Staff 

Responsibilities 

  • Wire transfers,
  • ACH transactions,
  • Debit, credit, and gift card transactions,
  • Recognizing and reporting suspicious activity related to applicable financial products and services, and
  • OFAC requirements (if applicable). 

Board of Directors

Responsibilities 

  • Reinforcing the importance of BSA/AML requirements,
  • Consequences and risks of noncompliance, and
  • Changes and new developments in the BSA laws and regulations. 

New Personnel 

Responsibilities

  • Orientation covering a BSA/AML overview, and
  • Thorough training, before starting the position, for anyone whose job requires performing BSA/AML and/or OFAC duties.

There are eight recurring weaknesses we have found through our AML risk assessments. I list them here with the caveat that they are by no means comprehensive. Also, keep in mind that our AML test audits and risk assessments focus on residential mortgage loan origination and servicing compliance. 

My advice is for you to review your written AML program to ensure you cover these areas with respect to policies, descriptions, and procedures. And be sure to test them! 

Some Commonly Recurring Weaknesses in Anti-Money Laundering Programs

  • Customer Identification Program requirements not fully implemented.
  • 314(a) reviews and CTR filings not completed on time.
  • Independent audits that do not address all the issues they identify.
  • BSA policies that do not name both the BSA/AML officer and a backup BSA/AML officer.
  • Risk assessments that do not consider all new products and services.
  • SAR confidentiality not maintained at all levels of the institution.
  • BSA training not kept current and available; examiners scrutinize training records and materials.
  • BSA/AML training not customized to employees' specific responsibilities. 

Jonathan Foxx, Ph.D., MBA
Chairman & Managing Director 
Lenders Compliance Group

Thursday, August 24, 2023

Personally Identifiable Information

QUESTION 

We passed our information security review by our banking department. However, they found that our description of personally identifiable information was too narrow. 

We need to revise our policies and procedures and submit them to the banking department. Hopefully, you can offer a broader understanding of this area of customer privacy. 

What is a good working description of personally identifiable information for our policy? 

ANSWER 

Most people have heard of nonpublic personal information, called “NPI.” To be precise, as it relates to financial institutions, NPI is personally identifiable financial information (a subset of what this post calls “PII”) that:

1.    The consumer provides to a financial institution;

2.    Results from a transaction or service provided for the consumer; or

3.    The financial institution otherwise obtains, and that is not publicly available.[i]

As a practical matter, most information that a financial institution collects from a consumer or customer is NPI. In fact, NPI also includes lists, descriptions or groupings of consumers, even if the data is publicly available, if the financial institution has derived the data from an individual’s nonpublic personal information. 

Personally identifiable financial information, the term used in the GLBA privacy rule, is any information a consumer or customer gives a financial institution in connection with applying for or receiving a financial product or service.[ii] 

To broaden the foregoing description, PII is (1) any information that can be used to distinguish or trace an individual’s identity, such as name, social security number, date and place of birth, mother’s maiden name, or biometric records; and (2) any other information that is linked or linkable to an individual, such as medical, educational, financial, and employment information.[iii] 

Here are a few common examples of PII:

  • Name: full name, maiden name, mother’s maiden name, or alias;
  • Personal identification numbers: social security number (SSN), passport number, driver’s license number, taxpayer identification number, patient identification number, financial account number, or credit card number;
  • Personal address information: street address or email address;
  • Personal telephone numbers;
  • Personal characteristics: photographic images (particularly of the face or other identifying characteristics), fingerprints, or handwriting;
  • Biometric data: retina scans, voice signatures, or facial geometry;
  • Information identifying personally owned property: VIN or title number; and
  • Asset information: Internet Protocol (IP) or Media Access Control (MAC) addresses that consistently link to a particular person.

However, there are examples that, on their own, do not constitute PII, as more than one person could share these traits. But when linked or linkable to one of the above examples, the following could be used to identify a specific person:

  • Date of birth;
  • Place of birth;
  • Business telephone number;
  • Business mailing or email address;
  • Race;
  • Religion;
  • Geographical indicators;
  • Employment information;
  • Criminal history;
  • Medical information;[iv]
  • Education information;[v] and
  • Financial information.

Thus, PII refers to information that can be used to distinguish or trace an individual’s identity, either alone or when combined with other personal or identifying information linked or linkable to a specific individual. 

It is essential to note that the definition of PII is not anchored to any single category of information or technology.[vi] Rather, it requires a case-by-case assessment of the specific risk that an individual can be identified. In performing this assessment, the financial institution should recognize that “non-PII” – non-personally identifiable information – can become PII whenever additional information is made publicly available – in any medium and from any source – that, when combined with other available information, could be used to identify an individual. 

Indeed, there is even PII that is considered high risk, called “High Risk PII.” The Department of Energy describes High Risk PII as PII which, if lost, compromised, or disclosed without authorization, could result in substantial harm, embarrassment, inconvenience, or unfairness to an individual.[vii] Examples of High Risk PII include Social Security Numbers (SSNs), biometric records (e.g., fingerprints or DNA), health and medical information, financial information (e.g., credit card numbers, credit reports, or bank account numbers), and security information (e.g., security clearance information). 

While all PII must be handled and protected appropriately, High Risk PII must be given greater protection and consideration – especially following a breach – because of the increased risk of harm to an individual if it is misused or compromised. 


Jonathan Foxx, Ph.D., MBA
Chairman & Managing Director 
Lenders Compliance Group


[i] 15 USC § 6809(4)

[ii] 16 CFR § 313.3(o)(1)

[iii] Safeguarding Against and Responding to the Breach of Personally Identifiable Information, OMB Memorandum M-07-16, May 22, 2007

[iv] May be subject to HIPAA requirements

[v] May be subject to FERPA requirements

[vi] Op. cit. iii

[vii] Department of Energy Privacy Program, DOE O 206.1 Chg1 (MinChg), January 16, 2009
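As an added example of the point made in the PII post above, that attributes which are not PII on their own become identifying in combination, here is a small re-identification risk check (example code, not part of the original post; the k-anonymity measure it uses is a standard privacy technique, not one the post introduces). The records are constructed, with name and SSN already removed, and `RECORDS`, the field names and the `generalize` rule are hypothetical.

```python
"""Added example: measuring how identifying a combination of quasi-identifiers is.
Constructed data and hypothetical field names; not code from the original post."""
from collections import Counter

# Constructed "de-identified" extract: name and SSN dropped, but date of birth,
# ZIP code and sex kept alongside a sensitive value (account balance).
RECORDS = [
    {"dob": "1984-03-12", "zip": "10001", "sex": "F", "balance": 1200},
    {"dob": "1984-03-12", "zip": "10001", "sex": "F", "balance": 5400},
    {"dob": "1979-11-02", "zip": "10001", "sex": "M", "balance": 9800},
    {"dob": "1979-11-02", "zip": "10002", "sex": "M", "balance": 15},
    {"dob": "1991-07-30", "zip": "94110", "sex": "M", "balance": 2200},
    {"dob": "1991-02-14", "zip": "94112", "sex": "M", "balance": 75},
]
QUASI_IDENTIFIERS = ("dob", "zip", "sex")


def qi_tuple(record, quasi_identifiers):
    """The combination of quasi-identifier values for one record."""
    return tuple(record[q] for q in quasi_identifiers)


def class_sizes(records, quasi_identifiers):
    """How many records share each combination of the quasi-identifiers."""
    return Counter(qi_tuple(r, quasi_identifiers) for r in records)


def k_anonymity(records, quasi_identifiers):
    """Smallest class size. k == 1 means at least one record is uniquely
    identified by the combination, so anyone holding those attributes from an
    outside source (a voter roll, a breached list) can link it to a person and
    learn the sensitive value stored with it."""
    return min(class_sizes(records, quasi_identifiers).values())


def singled_out(records, quasi_identifiers):
    """The records whose quasi-identifier combination is unique in the set."""
    sizes = class_sizes(records, quasi_identifiers)
    return [r for r in records if sizes[qi_tuple(r, quasi_identifiers)] == 1]


def generalize(record, zip_digits=3, dob_year_only=True):
    """Coarsen the quasi-identifiers (hypothetical rule) so more records share
    each combination: keep only a ZIP prefix and only the birth year."""
    out = dict(record)
    out["zip"] = record["zip"][:zip_digits] + "*" * (5 - zip_digits)
    if dob_year_only:
        out["dob"] = record["dob"][:4]
    return out


if __name__ == "__main__":
    print("sex alone, k =", k_anonymity(RECORDS, ("sex",)))
    print("dob + zip + sex, k =", k_anonymity(RECORDS, QUASI_IDENTIFIERS))
    print("singled out:", singled_out(RECORDS, QUASI_IDENTIFIERS))
    coarse = [generalize(r) for r in RECORDS]
    print("after generalization, k =", k_anonymity(coarse, QUASI_IDENTIFIERS))
```

On this sample, sex alone is shared by at least two people, but the combination of date of birth, ZIP code and sex singles out four of the six records; coarsening the ZIP to its first three digits and the date of birth to the year brings every combination back to at least two records. The same check, run over the actual fields a policy proposes to treat as "non-PII", is one concrete way to do the case-by-case identifiability assessment the post calls for.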