Evolving regulation from the Bank Secrecy Act through the USA Patriot Act: who are your customers, what are they doing, and why should you care?
Michael I. Frachioni
The din of publicity and commentary surrounding the Patriot Act over the past three years should not cause one to lose sight of the fact that this three-year-old Act has been over three decades in the making and, with respect to customer information and activities, merely augments existing statutes and regulations.
The Bank Secrecy Act (BSA) was enacted in 1970 to fight money laundering and other financial crimes. To keep pace with evolving and increasingly sophisticated financial crimes, and to strengthen law enforcement’s ability to combat them, the BSA has been amended a number of times–by the Money Laundering Control Act of 1986, by the Money Laundering Suppression Act of 1994, and, most recently (and most publicly), by the USA Patriot Act of 2001.
Given the increasingly intense scrutiny paid to BSA compliance by both regulators and the public, we would expect financial institutions to be increasingly vigilant in their strict compliance with the Acts. Sadly, that’s not always the case.
Bank Secrecy Act
Financial institutions are required to adopt a written internal compliance program, approved by the board of directors and noted as such in the board minutes. It is startling to discover the number of institutions that have yet to comply with these fundamental elements. In the large scheme of compliance examination, this may be a small point, but it sets the tone for the regulators as to how comprehensive an institution’s BSA program may be.
In addition, a qualified bank employee must be designated as the BSA compliance officer with day-to-day responsibility for all aspects of the program, oversight of employee training, and compliance with all BSA regulations.
Under the BSA, financial institutions also are subject to a number of reporting and record-keeping requirements, most notably Currency Transaction Reports (CTRs) and Suspicious Activity Reports (SARs). They also must retain a record of each cash sale of bank checks, cashier’s checks, money orders, and traveler’s checks ranging from $3,000 to $10,000, and they must maintain a record of each funds transfer of $3,000 or more that they originate, for which they act as intermediary, or receive.
Finally, institutions must provide for periodic, independent audit and testing of transaction and record-keeping activities. FDIC and OCC personnel have made it clear, both in public pronouncements and in conversations with this author, that BSA compliance, record keeping, and testing will remain a priority of examiners for the foreseeable future.
Training. Comprehensive training of all appropriate personnel is the cornerstone of any institution’s BSA and anti-money-laundering program. The BSA requires that the bank ensure appropriate personnel are trained in all elements of the BSA and the bank’s internal compliance programs. Fundamentally, such training programs must cover three basic areas:
1. Appropriate personnel. All bank personnel, including senior management, who have any type of customer interaction (including in person, by telephone, or electronically), who oversee any customer activity, or who handle cash in any way must be appropriately trained in the Act, its associated regulations, and the institution’s internal compliance programs. Such personnel include, but are not limited to, branch administration, customer service, private banking, correspondent banking, trust, brokerage, safe deposit, and vault personnel.
2. Ongoing and up-to-date. Training must be ongoing and incorporate developments in or changes to the BSA, anti-money-laundering laws, and OCC and the Treasury Department’s Financial Crimes Enforcement Network (FinCEN) regulations. Examples of laundering schemes should be provided, and the training should address ways in which money laundering or other violations may be detected and eliminated.
3. Penalties. The training should address potential penalties for failure to comply with applicable statutes, regulations, or the institution’s internal programs. These may include fines, termination, or criminal prosecution. Finally, programs should identify resources able to provide additional guidance to personnel. These may include contact information for compliance personnel and written copies of the institution’s compliance programs or handbooks.
CTR. A CTR (IRS Form 4789) must be filed for each deposit, withdrawal, exchange of currency, or other payment or transfer by, through, or to a financial institution involving a currency transaction of more than $10,000. Multiple transactions must be treated as a single transaction if the institution has knowledge that they are conducted by or on behalf of the same person and the transfers of currency in aggregate total more than $10,000. Note that such institutional knowledge is attributable to officers, directors, employees, and any automated or manual systems employed in an effort to detect multiple transactions. Filings must be made with the IRS Detroit computing center within 25 days after the reportable transaction if filing magnetically and 15 days if a paper filing is made.
Institutions may avoid a substantial amount of such filing by taking advantage of the available exemptions from CTR filing requirements. Banks are not required to file CTRs on large-currency transactions conducted by certain “exempt persons,” including 1) “Phase 1 persons” such as domestic depository institutions; federal, state, and local departments and agencies, or entities exercising authority on their behalf; NYSE, AMEX, or NASDAQ-listed entities or their majority-owned subsidiaries and 2) “Phase 2 persons” such as an established depositor who is a U.S. resident operating a retail business that is substantially paid in currency or an established depositor and U.S. resident who regularly withdraws in excess of $10,000 to pay employees.
A Designation of Exempt Person Form (Form TDF 90-22.53) must be filed within 30 days after the first otherwise reportable transaction. A holding company or one of its subsidiaries may make a single designation of exemption on behalf of all the subsidiaries if it lists each subsidiary to which the designation applies. Only a single filing is required for Phase 1 persons. Filings are required every two years for Phase 2 persons. CTR records must be maintained by the institution for five years.
Simply failing to file or failing to provide all information required by the CTR is a common error in these reports. Institutions should take steps to ensure that filings are made for those customers who were once exempt but for whom the exemption has expired or been revoked.
SAR. While federal regulators have noted that banks generally have good CTR programs in place, they have found SAR programs to be lacking in a number of respects. Institutions must file an SAR (Treasury Form 90-22.47 and OCC Forms 8010-9, 8010-1) for any suspicious transaction that may entail a possible violation of a law or regulation occurring in any bank department. Such reports must be filed with FinCEN within 30 days of discovering the facts leading to the filing. The difficulty, of course, lies in determining what is “suspicious.”
The regulations specifically require SARs to be filed upon the discovery of insider abuse involving any amounts of funds, violations of federal law aggregating to at least $5,000 where a suspect can be identified, and violations of federal law aggregating to at least $25,000 even if a suspect cannot be identified. In addition, SARs must be filed for any transactions aggregating to at least $5,000 that involve potential money laundering or BSA violations of which the bank knows or suspects, or has reason to suspect, that 1) involve funds from illegal activities or are intended to disguise illicit funds or assets, 2) are in an effort to evade any law or reporting requirement, 3) are designed to evade any BSA regulations, or 4) have no business or apparent lawful purpose.
Beyond these examples, the regulations offer little further guidance, and institutions and their compliance personnel must look elsewhere in divining what constitutes suspicious activity. Two good resources are the Bank Secrecy Act Examination Manual, published by the Board of Governors of the Federal Reserve System, and “Bank Secrecy Act/Anti-Money Laundering Handbook” published by the OCC.
In particular, the OCC handbook provides examples of potentially suspicious activities that should alert institutions to the need for further investigation. These are broken into several categories:
1. Activities inconsistent with the customer’s business.
* Numerous accounts opened for a particular business with frequent transactions among the accounts.
* Numerous cash deposits or withdrawals inconsistent with the customer’s business.
* Numerous cash purchases of traveler’s checks, money orders, cashier’s checks or wire transfers, or deposits of same into customer’s accounts, inconsistent with the customer’s business.
* Sudden and inconsistent changes in transaction patterns from the customer’s normal activities.
Obviously, it is important to be familiar with customers’ business and banking practices.
2. Avoiding reporting or record-keeping requirements.
* A business or new customer that asks to be exempted.
* A customer who is reluctant to provide necessary report information, or to proceed with the transaction after being informed that a report must be filed.
* Numerous currency deposits or withdrawals in teller or ATM transactions that appear to be intended to keep such transactions under reporting thresholds.
3. Wire transfers.
* International wire transfer activity, particularly to or from financial-secrecy haven countries, without an apparent business reason or that are inconsistent with customer history.
* Large, round-dollar amounts.
* Funds transferred in and out of an account on the same day or within a short period.
The above examples of efforts to avoid reporting requirements and suspicious wire activity demonstrate the need for comprehensive and continuing training of all bank personnel involved in any way with such activities.
A recent example of non-compliance. In April 2004, the Wall Street Journal reported that Riggs Bank of Washington, DC, failed to properly report dozens of substantial withdrawals from the personal accounts of the Saudi Arabian ambassador to the U.S., totaling more than $20 million in cash. The bank acknowledged that it failed to file SARs on the withdrawals, which were made with sequentially numbered checks. In addition, the bank has been classified as a “troubled institution” by the OCC for failing to adequately strengthen its controls against money laundering, despite a 2003 OCC order to do so.
Finally, the bank apparently failed to report deposits of more than $300 million by Exxon Mobil Corporation into accounts of Equatorial Guinea that were controlled by that country’s president.
At the very least, such failures are acts of nonfeasance that evidence a lack of appropriate compliance policies and procedures, training, and oversight. At worst, such acts are examples of intentional malfeasance, which should be dealt with even more harshly.
In this case, regulatory action was swift and severe. On May 13, the OCC announced the assessment of a $25 million civil money penalty against the bank for BSA violations, then further directed it to assess the competence of management and staff and to implement an audit program to determine its level of compliance with applicable laws and regulations and detect irregularities in operation.
USA Patriot Act
Among other things, the Patriot Act requires that financial institutions develop a Customer Identification Program (CIP), and the four federal banking regulators issued a final rule (the Rule), effective October 1, 2003, setting forth the general requirements of a CIP.
Under the Rule, “customer” includes any person who opens a new account, any signatory on the account at the time it is opened, and any new signatory added thereafter.
The Rule permits institutions to develop their own CIP appropriate for their size, locations, and business, with a minimum of specific requirements.
1. Customer identification. The program must provide for verified identification of new customers. In so doing, it must obtain the name, date of birth, residence, mailing address, and taxpayer identification number (or Social Security number for individuals). For customers who are not U.S. citizens, the institution must obtain a U.S. taxpayer identification number, a passport number, alien identification card number, or any other government-issued document evidencing nationality or residence.
2. Record keeping. The CIP must require the institution to maintain all documents used in customer identification for no fewer than five years after the account has been closed.
3. Terrorist lists. The CIP must require the institution to compare customer information against any government lists of known or suspected terrorists, including the list of such entities published and periodically updated by the Office of Foreign Assets Control (OFAC).
4. Notice to customers. The CIP must provide methods by which institutions can inform customers of these new identification procedures. A sample notice is included as part of the program.
5. Recent investigations. JPMorgan Chase & Co. recently came under scrutiny for potential “know your customer” violations as reported in the Wall Street Journal in March 2004. A former customer of the institution was convicted in February 2004 for acting as an unlicensed money transmitter. According to the report, the customer took deposits and transmitted money on behalf of Central and South American clients. The financial institution acted as the customer’s bank and accepted deposits until February 2003. The customer had a number of customers in a “pooled” account that shielded their identity. Thus, the financial institution had no idea who the customers were or, in many cases, where the funds were being transferred to or from.
The question posed by the New York district attorney to banking regulators is whether the financial institution should have provided services to an unlicensed money transmitter. Other questions, of course, include whether the institution violated any BSA or CIP requirements.
Although no such accusations have yet been made, the institution’s head of compliance has apparently resigned or been removed. In addition, according to the report, the bank’s spokeswoman has stated that the institution no longer deals with wholesale money remitters and has tightened its money-laundering controls and monitoring systems.
In short, the Bank Secrecy Act and USA Patriot Act require institutions to adopt and implement comprehensive, written compliance programs to address money laundering and other financial crimes. These programs must include comprehensive, ongoing, and up-to-date training for all relevant personnel, provisions for periodic internal or external audits of activities under the program, and complete and thorough record keeping of all currency transactions, suspicious activities, and other required reports.
The scrutiny of such programs and the activities they are meant to prevent will not soon wane. Bankers should take all necessary steps to avoid the harsh regulatory penalties and risk to reputation that may follow noncompliance.
Michael Frachioni may be contacted by e-mail at firstname.lastname@example.org.
© 2004 by RMA. Michael Frachioni, a member of the Pennsylvania and New York bars, is a member of DKW Law Group, LLC, and a principal of FiCap Strategic Partners, LLC, consultants to financial institutions nationwide.
COPYRIGHT 2004 The Risk Management Association