Risks in Having a Poor Anti-Money Laundering Program

Identifying Gaps and Risks

Valuation and financial forensics professionals and their firms often provide other services. In this article, the author discusses Anti-Money Laundering (AML) actions and which industries are at risk for violating Bank Secrecy Law and AML provisions. Many kinds of businesses are at risk for money laundering and for penalties if AML programs do not meet regulatory standards. Financial institutions—banks, credit card companies, investment brokers, etc.—are under scrutiny to comply with AML requirements as are casinos and dealers in hard goods such as automobile, boat, and airplane dealers, and jewelers. Certain industries, such as insurance and real estate, are also being scrutinized for potential money laundering.

[su_pullquote align=”right”]Resources:

Forensic Accounting Academy©

People, Money & Patterns©

Fraud Prevention through Internal Accounting Controls

Fraud Risk Assessment And The Internal Control Framework

[/su_pullquote]

An escalation in recent investigations suggests that financial and non-financial institutions are increasingly in violation of Bank Secrecy Act (BSA)/Anti-Money Laundering (AML) policies and procedures.  In December of 2016, the Financial Industry Regulatory Authority (FINRA) fined Credit Suisse Securities (USA) LLC $16.5 million for AML supervision and violations.  Specifically, Credit Suisse failed to effectively review trading for AML reporting purposes.  In January of 2017, the Financial Crimes Enforcement Network (FinCEN) assessed a $184 million civil money penalty against Western Union Financial Services, Inc. (WUFSI) for willfully violating the BSA’s AML requirements by failing to implement and maintain an effective, risk-based AML program and by failing to file timely suspicious activity reports (SARs).  US AML rules require money service businesses, like WUFSI, to have an effective AML program in place to prevent the company from being used to facilitate money laundering and the financing of terrorism.  WUFSI’s practice was not to identify agent locations as “subjects” of SARs unless it found the agent location to be complicit.  By rarely filing SARs on its agents’ locations, it unnecessarily delayed reporting that was critical for the U.S. government to detect and prevent illicit finance.

Who is Required to Have an Anti-Money Laundering Program?

Many kinds of businesses are at risk for money laundering and for penalties if AML programs do not meet regulatory standards.  Financial institutions—banks, credit card companies, investment brokers, etc.—are under scrutiny to comply with AML requirements as are casinos and dealers in hard goods such as automobile, boat, and airplane dealers, and jewelers.  Certain industries, such as insurance and real estate, are also being scrutinized for potential money laundering.  As an example, in February of 2017, FinCEN announced the renewal of existing Geographic Targeting Orders (GTOs), which temporarily require U.S. title insurance companies to identify all persons behind shell companies that pay “all cash” for high-end residential real estate in six major metropolitan areas.[1]  FinCEN has found that about 30 percent of the transactions covered by the GTOs involve a beneficial owner or purchaser representative that is also the subject of a previous SAR.  This has corroborated FinCEN’s concerns about the use of shell companies to buy luxury real estate in “all cash” transactions.

The preceding examples are more reason to ensure that adequate AML programs are in place as the U.S. government is increasingly investigating AML/BSA regulatory cases.  Where the programs are in place, what are the steps that compliance officers may be missing?  Are businesses at risk because they are unaware of the threat posed by an AML program that may have inadequate controls?  Are businesses deficient in paying significant attention to the latest compliance rulings?  Are there business owners who are unaware that they should have an AML compliance program in place?

Business entities and individuals suffer consequences when they do not have adequate AML/BSA programs in place.  Often, government agency cases are initiated due to an entity’s insufficient AML compliance program.  Such compliance programs are necessary for both financial[2] and non-financial institutions.

The Pillars of an Anti-Money Laundering Program

Section 352 of the Patriot Act requires all financial institutions to establish AML programs that achieve the following:

• Establish internal policies, procedures, and controls to prevent money laundering;
• Designate a money laundering compliance officer;
• Establish an ongoing training program for awareness of money laundering; and
• Establish an independent audit function to test the programs.

Section 326 of the Patriot Act expands on the BSA by requiring financial institutions to implement Customer Identification Programs (CIPs).  The CIPs are to be incorporated into financial institutions’ money laundering programs and should verify and maintain records of any individual seeking to open an account.

The Patriot Act also prohibits foreign shell banks from maintaining correspondent accounts at any U.S. financial institution.  “Shell banks” lack a physical presence[3] in any country.  U.S. institutions are strongly encouraged to verify all the information provided by the foreign institution at least every two years.  Additionally, financial institutions are required to establish due diligence policies, procedures, and controls that are designed to detect money laundering through private and correspondent bank accounts[4] held by non-U.S. citizens.

Performing Additional Due Diligence

AML Compliance programs should include comprehensive customer due diligence (CDD) policies, procedures, and processes for all customers, especially those that present a higher risk for money laundering and terrorist financing.  The goal of CDD is to enable a financial institution to predict the types of transactions in which a customer is likely to engage.  These processes can then assist a financial institution in determining which transactions are potentially suspicious.  CDD begins with verifying the customer’s identity and assessing the risks associated with that particular customer.  Processes should also include enhanced CDD for higher-risk customers and ongoing due diligence of the customer base.

High-risk customers present increased exposure to financial institutions; therefore, these customers and their transactions should be closely scrutinized at the initial account opening and throughout the term of their relationship with the bank.  Financial institutions determine that a customer poses a higher risk because of the customer’s business activity, ownership structure, anticipated or actual volume and types of transactions, inclusive of transactions in high-risk jurisdictions.  Consequently, a financial institution should initially and periodically request the following information:[5]

• Purpose of the account;
• Source of funds and wealth;
• Identification of individuals with ownership or control over the account such as beneficial owners;
• Occupation or type of business;
• Financial statements;
• Banking references;
• Location of where the business is organized;
• Proximity of the customer’s residence, place of employment, or place of business to the bank;
• Description of the customer’s primary trade area and expected frequency of international transactions;
• Description of the business operations, the anticipated volume of currency and total sales, and a list of major customers and suppliers; and
• Explanations of account activity.

Recently, FinCEN issued guidance on AML compliance obligations for Money Service Businesses (MSBs) and has been targeting MSBs such as Western Union Financial Services, Inc. and MoneyGram International, Inc. for violating AML rules and regulations.  Specifically, FinCEN has issued guidance on AML program obligations imposed on the principals of MSBs to understand and account for the risks associated with their agents.

All MSBs, both principals and agents, are required to maintain an effective written AML program that will prevent the MSB from being used to facilitate money laundering and the financing of terrorist activities.  Although principals and agents may allocate responsibility for developing policies, procedures, and internal controls, both the principal and its agents remain liable under the rules for the existence of these policies, procedures, and controls.

An MSB principal is exposed to risk when an agent engages in transactions that create a risk for money laundering, terrorist financing, or other financial crime.  To reduce exposure, the MSB principal should have procedures in place to identify agents conducting activities that appear to lack commercial purpose or justification, or are otherwise not supported by verifiable documentation.  Risk-based procedures must be implemented to monitor the agents’ transactions to ensure their legitimacy.  The MSB principal should also implement procedures for handling non-compliant agents, including agent contract terminations.  Principals should also develop and implement risk-based policies, procedures, and internal controls that can ensure acceptable ongoing monitoring of agent activity, as part of the principal’s implementation of its AML program.  When monitoring their agents, principals must, at a minimum, conduct the following:[6]

• Identify the owners of the MSB’s agents;
• Evaluate the operations of the agents on an ongoing basis and monitor for fluctuations in those operations; and
• Evaluate agents’ implementation of policies, procedures, and controls.

Risk factors that principals should consider when conducting agent monitoring include, but are not limited to:

• Whether the owners are known or suspected to be associated with criminal conduct or terrorism;
• Whether the agent has an established and adhered-to AML program;
• The nature of the markets the agents serve and the extent to which the market presents an increased risk for money laundering or terrorist financing;
• The services an agent is expected to provide and the agent’s level of activity; and
• The nature and the duration of the relationship.

No different than any other industry FinCen regulates, MSB principals and agents are expected to structure their AML programs to reflect risks associated with their business services, clients, size, locations, and circumstances.  AML risks can be jurisdictional, product-related, service-related, or client-related.  Principals should periodically reassess risks associated with their agents and update their AML programs to address any changing or additional related risks.  Principals should also take corrective measures as soon as they become aware of any weaknesses or deficiencies in their AML programs.  Principals and agents are required to perform reviews with a scope and frequency proportionate to the risks of money laundering or other illegal activity such principal or agent faces.  A principal should conduct internal and/or external independent testing to ensure there are no material flaws (i.e., inadequate training) or internal control deficiencies.  Additionally, the testing must consider products and services provided to determine if the procedures are sufficient to detect and report suspicious activity.

To sum up, in order to prevent businesses and individuals from suffering penalties for not having an adequate AML and/or BSA compliance program in place, the following must be incorporated into every financial and non-financial institution’s compliance programs:

Monitoring AML Programs

1. Ongoing AML program monitoring: Once an AML program has been implemented, it is important that an ongoing monitoring process be put in place as well.  Monitoring account activity and transactions flowing through an institution is one means of ensuring that appropriate processes are in place that allow for the identification of unusual activity and unusual patterns of activity or transactions.  Institutions must have the ability to analyze and determine if the activity, patterns, or transactions are suspicious in nature with regard to potential money laundering.  Financial institutions, in particular, should have the ability to review payment instructions and compare them against lists provided by governmental authorities in order to identify potential terrorists or terrorist financing.
2. Due diligence when accounts are opened: Similarly, due diligence needs to be performed at the account opening stage as well.  Testing should occur to determine whether institutions are verifying the identities of new account holders, comparing their names against lists provided by government agencies, and maintaining adequate records of the information used to verify an individual’s identity.  This initial step is crucial as it involves the profiling of potential client activity to aid in future monitoring.
3. Monitor customers and activity with highest risk: An enhanced due diligence and ongoing monitoring process should be developed in order to assess activity for all customers, placing emphasis on the customers and activity with the highest risk.  The ongoing monitoring process should be used to identify suspicious activity that may ultimately result in the filing of a SAR.
4. Consider an independent assessment: Institutions that already have an AML transaction monitoring system should consider having an independent consultant test their system in order to determine the adequacy of the monitoring, evaluate whether changes need to be made to the system and policies, and test the sufficiency of the institution’s efforts to have ongoing effectiveness and integrity.  For this reason, it is extremely important that institutions have a program in place to continually review the performance of their transaction monitoring system and make enhancements to address any deficiencies.

As an example, an institution may learn that their AML transaction monitoring system is not capturing important patterns of suspicious behavior and, therefore, that the activity is not being flagged and will not be reported to the appropriate government agency.  Performing a detailed, expert review of a sample of customer transaction data can help to identify these additional patterns and types of behavior that are not being monitored.

Additionally, it is also important that once AML activity has been flagged, AML analysts at the institution perform adequate due diligence to assess whether a SAR needs to be filed or a client profile needs to be updated.  Often, institutions run the risk of inadequately allocating resources to review cases of suspicious activity, which can result in the institution being deemed as having a deficient AML monitoring system and result in hefty fines.

An independent review of an AML transaction monitoring system may also help determine whether the system is effective in comparing the customer’s account/transaction history to the customer’s specific profile information and a relevant peer group, and/or in comparing the customer’s transaction history against established money laundering scenarios to help identify potentially suspicious transactions.

Having an AML transaction monitoring system in place, supplemented with employee training, compliance oversight, internal controls, and independent testing, should form a strong foundation for a complete AML compliance program.

[1] The GTOs renewed today include the following U.S. geographic areas: (1) all boroughs of New York City; (2) Miami-Dade County and the two counties immediately north (Broward and Palm Beach); (3) Los Angeles County; (4) three counties comprising part of the San Francisco area; (5) San Diego County; and (6) the county that includes San Antonio, Texas (Bexar County).

[2] Financial institutions include banks, investment firms, money service businesses, credit card issuers or operators, mutual funds, broker-dealers, currency exchanges, casinos, insurance companies, dealers involved in precious metals, stones, or jewels, travel agencies, loan companies, auto, boat, and airplane dealers, and individuals involved in real estate closings and settlements.

[3] “Physical presence” requires more than a post office box, e-mail address, or physical location housing a server.  The bank must be an actual place of business at a fixed address where a bank regulatory authority has licensed the operation of the bank.

[4] A private account is an account that requires a minimum of one million dollars in deposit of funds or other assets.  A correspondent account is defined as an account established to receive deposits from or make payments on behalf of a foreign financial institution.

[5] https://www.ffiec.gov/bsa_aml_infobase/pages_manual/olm_013.htm

[6] See FinCen Guidance (FIN-2016-G001) issued March 11, 2016.

Sareena M. Sawhney, MBA, CFE, CAMS, MAFF, is a Director in the Financial Advisory Services Group at Marks Paneth LLP. Ms. Sawhney focuses on providing services in the areas of complex fraud investigations and forensic accounting examinations as well as services related to commercial litigation and comprehensive damage analyses.

Ms. Sawhney can be reached at (212) 503-6372 or by e-mail to ssawhney@markspaneth.com.