CAMS Chapter 3

the final rule establishes eight minimum requirements for TMPs, in addition to specific core components of each program, which a financial organization must establish and maintain under the statute:

1. Identification of all data sources 2. Validation of the integrity, accuracy, and quality of data 3. Data extraction and loading processes to ensure a complete and accurate transfer of data 4. Governance and management oversight 5. Vendor selection process when a third-party vendor is used 6. Funding to design, implement, and maintain a program 7. Qualified personnel or outside consultant 8. Periodic training

FATF recommends that organizations incorporate the following four measures into their CDD programs:

1. Identify the customer and verify the customer's identity using reliable, independent source documents, data, and information. 2. Identify the beneficial owner and take reasonable measures to verify the identity of the beneficial owner. 3. Understand and, as appropriate, obtain information on the purpose and intended nature of the business relationship. 4. Conduct ongoing due diligence on the business relationship and scrutinize transactions undertaken throughout the course of the relationship to ensure that the transactions being conducted are consistent with the organization's knowledge of the customer, their business, risk profile, and, when necessary, the source of funds.

Know Your Employee

A Know Your Employee (KYE) program ensures that an organization has the means to understand an employee's background, conflicts of interest, and susceptibility to money laundering complicity. Policies, procedures, internal controls, job descriptions, levels of authority, compliance with personnel laws and regulations, accountability, monitoring, dual control, and other deterrents should be firmly in place. Additionally, codes of conduct and ethics should specify mandatory requirements to report suspicious activity. The US Federal Deposit Insurance Corporation (FDIC) provides guidance on employee screening in its paper, Pre-Employment Background Screening: Guidance on Developing an Effective Pre-Employment Background Screening Process.

A risk-based approach

A risk-based approach identifies, manages, and analyzes AML/CFT risk in order to design and effectively implement appropriate controls. As such, it is critical that risk ratings accurately reflect the risks present, provide meaningful assessments that lead to practical steps to mitigate the risks, are periodically reviewed, and, when necessary, are regularly updated.

AML/CFT Risk Scoring

A risk-scoring model uses numeric values to determine the category of risk (geography, customer type, and products and services) and the overall customer risk. For example, each category could be given a score between 1 and 10, with 10 being the highest risk. The individual categories could be scored, with 1-3 being standard risk, 4-8 being medium risk, and 9-10 being high risk. Such a model is particularly helpful when analyzing product risk, because it helps determine appropriate controls for the products.

Customer Due Diligence

A sound CDD program is one of the most effective ways to prevent money laundering and other financial crimes. Knowledge is what the entire AML/CFT compliance program is built upon. the US Federal Financial Institutions Examination Council (FFIEC) described the cornerstone of a strong AML compliance program as the adoption and implementation of comprehensive CDD policies, procedures, and processes for all customers, particularly those that present a higher risk for money laundering and terrorist financing.

the objective of CDD

According to the FFIEC, the objective of CDD should be to enable the financial organization to predict with relative certainty the types of transactions in which a customer is likely to engage. These processes assist the financial organization in determining when transactions are potentially suspicious.

European Union sanctions

Article 215 of the Treaty on the Functioning of the European Union provides a legal basis for the interruption or reduction, in part or completely, of the EU's economic and financial relations with one or more third countries (i.e., countries outside the EU), when such restrictive measures are necessary to achieve the objectives of the Common Foreign and Security Policy. In general terms, the EU imposes its restrictive measures to bring about a change in policy or activity by the target country, part of a country, government, entities, or individuals.

Sanctions List Screening

Before a financial organization starts doing business with a new customer or engages in certain transactions (e.g., international wire payments), it should review the various country sanctions program requirements, as well as published lists of known or suspected terrorists, narcotics traffickers, and other criminals, for potential matches.

Recommendation 10 in FATF's updated Recommendations.

CDD is Recommendation 10 in FATF's updated Recommendations. FATF recommends that financial organizations be required to undertake CDD measures when: • Establishing business relationships • Carrying out occasional transactions under certain circumstances • There is a suspicion of money laundering or terrorist financing • The financial organization has doubts about the veracity or adequacy of previously obtained customer identification data

A sound CDD program should include what seven elements

Customer identification Profiles Customer acceptance Risk rating Monitoring Investigation Documentation

Economic Sanctions

Economic sanctions are a way to influence the behavior of a jurisdiction or group by financially isolating it as the "target." Increasingly, countries are using economic sanctions instead of military force as an instrument of foreign policy.

Receipt of a governmental subpoena or search warrant

Financial organizations often initiate investigations upon receipt of a governmental subpoena or search warrant. In either situation, the organization has two independent obligations: (1) legally fulfill the requirements of the subpoena or warrant, and (2) determine whether the activity of its customer identified in the subpoena or warrant requires the filing of a SAR.

New York State Department of Financial Services (DFS) issued Final Rule Part 504 on June 30, 2016

Further emphasizing the need for a culture of compliance, the New York State Department of Financial Services (DFS) issued Final Rule Part 504 on June 30, 2016, requiring regulated organizations to maintain transaction monitoring and filtering programs (TMPs) reasonably designed to: • Monitor transactions after their execution for compliance with the BSA and AML laws and regulations, including suspicious activity reporting requirements • Prevent unlawful transactions with targets of economic sanctions administered by OFAC

An AML/CFT compliance program should be in writing and include policies, procedures, and controls that are designed to prevent, detect, and deter money laundering and terrorist financing, including how the organization will:

Identify high risk customer and operations inform the board of compliance initiatives, known compliance deficiencies, SARs filed, and corrective actions taken Meet all regulatory requirements and recommendations for AML/CFT compliance others

Recommendation 10 interpretive note

In its interpretive note to Recommendation 10, FATF acknowledges that there are circumstances in which the risk of money laundering or terrorist financing is higher and EDD measures must be taken.

United States Sanctions

One of the most widely known sanctions lists is OFAC's Specially Designated Nationals and Blocked Persons (SDN) list. Updated often, the SDN list includes thousands of names of individuals and businesses, as well as aircraft and ships (vessels) from more than 150 countries, which the US government considers to be terrorists, international narcotics traffickers, and other criminals covered by US foreign policy and trade sanctions. Similar to the UN and EU, OFAC applies sanctions to deter nonconstitutional changes, constrain and deter terrorism, and protect human rights.

Consolidated Customer Due Diligence

One way to ensure that financial organizations implement a strong CDD program is to consolidate and streamline account opening and ongoing monitoring processes across the organization, both domestically and globally, when applicable.

new acquisitions

Organizations must integrate the AML/CTF and KYC frameworks of new acquisitions immediately with a thorough risk assessment.

The Final Rule

The Final Rule, which went into effect on January 1, 2017, also requires boards of directors or senior officer(s) of regulated organizations to make annual certifications to the DFS, confirming that they have taken all steps necessary to comply with the TMP requirements. Although the law may seem specific to New York, numerous foreign banks are subject to the law because they operate in New York. Specifically, the law covers banks, trust companies, private bankers, savings banks and savings and loan associations chartered pursuant to the New York Banking Law, and all branches and agencies of foreign banking corporations licensed pursuant to the Banking Law to conduct banking operations in New York. The law also applies to nonbank financial institutions with a Banking Law license, such as check cashers and money transmitters. Penalties for noncompliance are consistent with those under the Banking Law.

Independent Audit

The audit must be independent (i.e., performed by people not involved with the organization's AML/CFT compliance staff), and individuals conducting the audit should report directly to the board of directors or to a designated board committee composed primarily or completely of outside directors. The individuals performing the audit must be sufficiently qualified to ensure that their findings and conclusions are reliable, including having knowledge and expertise of AML/CFT.

Politically Exposed Persons Screening

The problem is the lack of available and useful information about the identity of PEPs around the world. There are many private providers that offer PEP databases; however, the information contained in them and the ability to positively match customers with PEPs on a database can be challenging. Because it is difficult to identify these parties, it is important to have strong CDD and monitoring controls. It is also important to continually review and update customer screening and sanctions programs. This includes updating procedures, tuning, and testing screening tools and training staff.

The Basel Committee provided guidelines for account opening and customer identification in Annex IV General Guide to Account Opening.

This document does not address every eventuality; rather, it focuses on some methods banks can use to develop effective customer identification and verification programs. The annex divides customers into two groups—natural people seeking to open an account and legal people and legal arrangements—and addresses what types of information should be collected and verified for each.

UN sanctions

UN sanctions are managed by the UN Security Council committees. The UN Security Council can take actions to maintain and restore international peace and security under Chapter VII of the United Nations Charter. Sanctions measures, under Article 41, encompass a broad range of enforcement options that do not involve the use of armed force. Security Council sanctions take several different forms in pursuit of a variety of goals. The measures range from comprehensive economic and trade sanctions to more targeted measures, such as arms embargoes, travel bans, and financial or commodity restrictions.

What is the fifth pillar of an effective AML/CFT program?

Under a 2016 rule, FinCEN established a fifth pillar that requires appropriate, risk-based procedures for conducting ongoing CDD, raising the prominence of this critical aspect of AML/CFT programs to its own pillar.

The Basel Committee's Sound Management of Risks Related to Money Laundering and Financing of Terrorism states that a bank should establish

a systematic procedure for identifying and verifying its customers and, when applicable, any person acting on their behalf and any beneficial owners. Although the committee focused on banks, its recommendations can apply to any financial organization that opens accounts.

A risk management model should

also take into account whether a country is a member of FATF or an FSRB and has AML/CFT requirements equivalent to international best practices.

FinCEN can investigate and impose civil money penalties on

current and former employees of MSBs that participate in willfully violating BSA regulations.

The core of a risk-based approach includes the assessment of risk of a financial organization's

customers, geographical locations/jurisdictions, and products and services.

MSBs are required to

develop, implement, and maintain an effective AML program, including establishing a system of internal controls, designating a qualified compliance officer, implementing an appropriate training program, and providing an independent review for the program.

The Basel Committee, in its Sound Management of Risks Related to Money Laundering and Terrorist Financing states

hat EDD may be essential for individuals planning to maintain a large account balance and conduct regular, cross-border wire transfers and individuals who are PEPs.

An organization's compliance function

is commonly referred to as the second line of defense. It is responsible for monitoring the controls of the business, which is the first line of defense.

For high-risk customers, both Wolfsberg's Correspondent Banking Principles and FATF recommend

obtaining the approval of senior management to commence or continue the business relationship, as well as requiring the first payment to be carried out through an account in the customer's name with a bank subject to similar CDD standards.

An AML/CFT program should be

risk-based. Certain aspects of a financial organization's business pose greater money laundering risks than others and therefore require additional controls to mitigate those risks.

The Wolfsberg Group noted in its Statement on Monitoring, Screening, and Searching

that an organization's transaction monitoring framework should be aligned to the risk of its business model, the products and services offered, and its customer base, and it should be embedded in the organization's AML program. The document additionally discusses types of monitoring, typology reviews, and staff training.

ultimate responsibility for executing the AML/CFT program

ultimate responsibility lies with the board of directors and not the compliance officer

The responsibilities of a compliance offer include:

· Communication · Delegation of AML duties · Program management · Transaction monitoring · KYC · Sanctions screening · Financial Investigations

Commonly referred to as the four pillars, the basic elements of an effective AML/CFT program are:

• A system of internal policies, procedures, and controls (first line of defense) • A designated compliance function with a compliance officer (second line of defense) • An ongoing employee training program • An independent audit function to test the overall effectiveness of the AML program (third line of defense)

Training best practices published in the FCA guidance included the following:

• Appropriate training tailored to the individual's specific roles. Roles lacking specific training included the following areas: offshore centers, mortgage lending, areas servicing PEPs and other high-risk clients, investment banks, and trade finance. Generic training is considered to be acceptable, provided it is supplemented with specific training with a practical application to the specific line of business or role within the organization. • Periodic refresher training—usually annually—is important for existing employees. • Banks should assess whether third parties and employees working in outsourced functions need to attend specific AML training.

Appropriately functioning technology can equip financial organizations with improved defenses in the fight against financial crime by providing the following:

• Automated customer verification: Using third-party databases to compare information provided by a customer with source data • Watch list filtering: Screening new accounts, existing customers, beneficiaries, and transaction counterparties against terrorist, criminal, and other blocked-persons sanctions and/or watch lists • Transaction monitoring: Scanning and analyzing transactional data for potential money laundering activity • Automation of regulatory reporting: Filing SARs, CTRs, and other regulatory reports with the government • Case management: Providing a dashboard feature to view customer KYC, transaction history, investigations undertaken, and regulatory filings filed on a customer • Audit trail: Documenting steps taken to demonstrate compliance efforts to auditors and supervisory authorities

Supervisory authorities in various countries have identified some types of customers are inherently high risk for money laundering, including:

• Banks • Casinos • Offshore corporations and banks located in tax/banking havens • Embassies • MSBs, including currency exchange houses, money remitters, and check cashers • Virtual currency exchanges • Car, boat, and airplane dealerships • Used car and truck dealers and machine parts manufacturers • Professional service providers (e.g., attorneys, accountants, investment brokers, and other third parties who act as financial liaisons for their clients) • Travel agencies • Broker-dealers in securities • Jewel, gem, and precious metals dealers • Import and export companies • Cash-intensive businesses (e.g., restaurants, retail stores, parking)

When presented with a search warrant, an organization should consider taking the following steps:

• Call the financial organization's in-house or outside legal counsel and/or designated officer in charge of security, risk management, or a similar business area. • Review the warrant to understand its scope. • Ask for and obtain a copy of the warrant. • Ask for a copy of the affidavit that supports the search warrant. The agents are not obligated to provide a copy of the affidavit; however, when a financial organization is allowed to review the affidavit, it can learn more about the purpose of the investigation. • Remain present while the agents make an inventory of all items they seize and remove from the premises and keep track of the records taken by the agents. • Ask for a copy of law enforcement's inventory of what it has seized. • Document the names and agency affiliations of the agents who conduct the search.

Nondocumentary customer verification procedures include:

• Contacting the customer by telephone or letter to confirm the information supplied after an account has been opened • Checking references provided by other financial organizations • Using an independent information verification process, such as by accessing public registers, private databases, and other reliable independent sources

Country or geographic risk factors

• Countries identified by credible sources, such as FATF's mutual evaluations and detailed assessment reports, as not having adequate AML/CFT systems • Countries subject to sanctions, embargoes, and similar measures issued by, for example, the United Nations • Countries identified by credible sources as having significant levels of drug trafficking, corruption, financial crimes, or other criminal activity • Countries or geographic areas identified by credible sources as providing funding or support for terrorist activities, or that have designated terrorist organizations operating within them • Countries that share a common border and are known to have physical cross-border transactional activity • Geographic areas identified as having a higher risk of money laundering or financial crimes, such HIFCAs and HIDTAs in the United States

When assessing risk, FATF recommends considering:

• Customer risk factors, such as nonresident customers, cash-intensive businesses, complex ownership structures, and companies with bearer shares • Country or geographic/jurisdictional risks, such as countries with inadequate AML/CFT systems, countries subject to sanctions or embargos, countries involved with funding or supporting terrorist activities, and countries with significant levels of corruption • Product, service, transaction, and delivery channel risk factors, such as private banking, anonymous transactions, and payments received from unknown third parties

Scope of Training

• Customer-facing staff: 1st line of defense • Operations personnel: 1st line of defense • AML/CFT compliance staff: 2nd line of defense • Independent testing staff: 3rd line of defense • Senior management and board of directors:

Internal reports that are useful for discovering possible money laundering and terrorist financing include:

• Daily cash activity exceeding the country's reporting threshold • Daily cash activity just below the country's reporting threshold (to identify possible structuring) • Cash activity aggregated over a period of time (e.g., individual transactions over a certain amount or totaling more than a certain amount over a 30-day period, to identify possible structuring); • Wire transfer reports/logs with filters using amounts and geographical factors • Monetary instrument logs/reports • Check kiting/drawing on uncollected funds with significant debit/credit flows • Significant change reports • New account activity reports

When assessing the AML/CFT risks of products and services, consider whether they:

• Enable significant volumes of transactions to occur rapidly • Allow the customer to engage in transactions with minimal oversight by the organization • Afford significant levels of anonymity to the users • Have an especially high transaction or investment value • Allow payments to third parties • Have unusual complexity • Require government verification of customer eligibility

Product, service, transaction, and delivery channel risk factors

• Private banking • Anonymous transactions (which might include cash) • Non-face-to-face business relationships and transactions • Payment received from unknown or unassociated third parties

In addition, certain banking functions and products are considered high risk, including:

• Private banking • Offshore international activity • Deposit-taking facilities • Wire transfer and cash-management functions • Transactions in which the primary beneficiary is undisclosed • Loan guarantee schemes • Travelers checks • Official bank checks • Money orders • Foreign exchange transactions • International remittances • Payment services such as payment processors, prepaid products, automatic clearing house • Remote deposit capture • Trade-financing transactions with unusual pricing features • Payable through accounts

AML/CFT risk categories can be categorized by the following levels:

• Prohibited: The organization will not tolerate any dealings of any kind, given the risk. This category could include transactions with countries subject to economic sanctions or designated as state sponsors of terrorism, such as those on the UN and OFAC lists. • High risk: The risks are significant, but they are not necessarily prohibited. • Medium Risk: Medium risks merit additional scrutiny, but they do not rise to the level of high risk, such as a retail business that accepts low to moderate levels of cash but is not considered cash-intensive. • Low Risk: This represents the baseline risk of money laundering. Typically, low risk indicates normal, expected activity.

Common investigation initiators include:

• Regulatory recommendations and official findings • Transaction monitoring rules designed to detect and trigger alerts on potentially suspicious activity • Referrals from customer-facing employees regarding potentially suspicious activity • Information obtained from internal hotlines • Negative media information • Receipt of a governmental subpoena, search warrant, or other law enforcement request

A financial organization should consider obtaining additional information from high-risk customers, such as:

• Source of funds and wealth • Identifying information on individuals with control over the account, such as signatories and guarantors • Occupation or type of business • Financial statements • Banking references • Domicile • Proximity of the customer's residence, place of employment, and place of business to the bank • Description of the customer's primary trade area and whether international transactions are expected to be routine • Description of the business operations, the anticipated volume of currency and total sales, and a list of major customers and suppliers • Explanations for changes in account activity

Sanctions can generally fall into one of the following categories:

• Targeted sanctions: Aimed at specific, named individuals, such as key leaders in a country or territory; named terrorists; significant narcotics traffickers; and proliferators of WMD. These sanctions often include the freezing of assets and travel bans, when possible. • Sectoral sanctions: Aimed at key sectors of an economy to prohibit a very specific subset of financial dealings within those sectors to impede future growth • Comprehensive sanctions: Generally prohibit all direct and indirect import/export, trade brokering, financing, and facilitating of most goods, technology, and services. Comprehensive sanctions are often aimed at regimes that are responsible for gross human rights violations and nuclear proliferation.

How can an organization identify high-risk countries?

• The US Department of State issues an annual International Narcotics Control Strategy Report, which rates more than 100 countries on their money laundering controls. • Transparency International publishes a yearly Corruption Perceptions Index, which rates more than 100 countries on perceived corruption. • FATF identifies jurisdictions with weak AML/CFT regimes and issues country-specific mutual evaluation reports. • In the US, certain domestic jurisdictions are evaluated based on whether they fall within government-identified higher risk geographic locations, such as high-intensity drug trafficking areas (HIDTAs) and high-intensity financial crime areas (HIFCAs).

The 5th pillar procedures include:

• Understanding the nature and purpose of customer relationships for the purpose of developing a customer risk profile • Conducting ongoing monitoring to identify and report suspicious transactions • Maintaining and updating customer information

As every financial organization develops transaction history with customers, it should consider modifying the risk rating of the customer, based on:

• Unusual activity, such as alerts, cases, and SAR filings • Receipt of law enforcement inquiries, such as subpoenas • Transactions that violate economic sanctions programs • Other considerations, such as significant volumes of activity where it would not be expected, such as a domestic charity receiving multiple deposits (e.g., cash and electronic transfers) and then engaging in large international transactions, or businesses engaged in large volumes of cash when this would not typically be expected

Customer risk factors

• Unusual circumstances regarding how the business relationship is conducted, such as significant, unexplained geographic distance between the financial organization and the customer • Nonresident customers • Legal persons or arrangements that are personal asset-holding vehicles • Companies that have nominee shareholders or shares in bearer form • Cash-intensive businesses • Unusual or excessively complex appearance of the ownership structure of the company, given the nature of the company's business

Westpac Case Study

• Westpac did not apply the correct typologies or monitoring tools to detect payments linked to child exploitation, even when the risks had been identified. • Westpac did not have a consistent and clear understanding of its AML/CFT risk and how it should be managed and mitigated. • Westpac's control failures extended to other high-risk areas such as correspondent banking.