Q&A: Understanding Wire Transfers and their Money Laundering and Fraud Risks

Questions and answers from the webinar Understanding Wire Transfers and their Money Laundering and Fraud Risks featuring Laurie Kelly.

Laurie is an expert in the field with a 35-year career spanning the fields of accounting, finance, risk management, and regulatory compliance. Most recently, she served as the Director of Compliance for CoBank ACB, a $136B Farm Credit System institution, where she developed and managed the bank’s anti-money laundering, fraud, and economic sanctions compliance programs.

 

Q:  You discussed the differences between wire funds and ACH, can you summarize how risks vary between the two?

A: In terms of money laundering risks, I think wire transfers present a greater money laundering risk because they are more effective and they are more popular with money launderers for the reasons I talked about. Not to say that ACH could not be used in money laundering or fraud because I have seen it used in both, but it takes more effort to set up an ACH batch and get it into the payment processing network and then there is the timing involved.

One thing I have always felt though is ACH is constantly competing with wire transfers – they want to take over the whole payments industry, so when same-day ACH came out, that was the big concern of many AML professionals because now you have eliminated the factor that made wires more desirable as well because wires were same day, ACH was, at a minimum next day.

And the fact that ACHs have more controls in them – they are not irrevocable, per se. That makes them less amenable to money laundering, but I would say they are popular with fraud. Frequently we would see fraudulent ACH debits where a customer’s account would be debited fraudulently.

Oftentimes it was people who got a hold of their number. All you need is that account number, which is on the checks that they issue. You already have all that information, so sometimes somebody who was, say, behind on their Visa bill or their phone bill would go into an online banking payment application and put in a customer’s account number as theirs – and then the phone company would tap our customer’s account to pay that person’s bill. Now it is going to be caught, obviously, but it gives them another month before that happens. ACH is used more for fraud; wire transfer is more for money laundering.

 

Q: Is a wire transfer considered an EFT for regulatory purposes?

A: It is one type of EFT.

 

Q: If a bank is a Fed member, they can use Fed wire, correct?

A: There are different levels of Fed membership. Every bank needs to be a member of the Fed if they are going to clear checks, clear ACH and, if they choose to, use Fed wire.

 

Q: So if they are not Fed member, they can still use Fed wire by going through a correspondent bank, right?

A: Right. So they can still get their customer’s wire transfer processed; it is just that someone else has to help them, another bank has to help them by putting it into the system for them.

 

Q: If a bank uses a correspondent, should we ask their frequency of settlement with the correspondent, or is it always monthly?

A: That really depends on the correspondent relationship and agreement that has been established between the two banks. And I have seen anywhere from weekly or even daily settlement.

It probably depends as well on the risk assessment by the bank that is providing the correspondent services to the bank that does not have that wire access: what is their risk assessment of that bank?

So, if they consider them a little bit more risky, they may say, we want you to settle up with us once a week or twice a month or something like that.

It just all depends on that specific relationship that’s been established with that correspondent.

 

Q: CHIPS – is it like an escrow in a way that it settles accounts?

A: I would not really call it escrow. All the banks enter their transactions during the day, and it’s beginning of the day, and the system sort of queues them all up and starts netting them.

As they initiate more outgoing payments to other banks and the system, the system is going to take down that credit balance and increase the credit balance of the other banks.

And then at the end of the day, we have closed off wires for today. Let us look at where every bank’s position is and if one bank is in the hole, then they have to bring that money in. They could use some of their security deposits. And if that is not enough to cover it, then they need to go to Fed or into CHIPS to cover the rest of it. Or if they don’t do that, then they have to say they still owe one bank still a certain amount.

And then at the end of the day, they say, OK, let’s settle up.

 

Q: Can banks only have one single correspondent bank?

A: I suppose so.  If they are doing global transfers, they would need relationships in different countries with different banks.

 

Q: If each bank has a responsibility to adhere to the travel rule, how do you avoid having the information stripped in the process?

A: So the responsibility to populate the wire transfer with all of the travel rule required information is on the originator bank.

The receiving bank has no responsibility to say if something is missing, go back to the originator bank and say, you left off the originators address or something like that.

That is not their responsibility. The receiving bank is only supposed to just keep a record of what information they got from the originating bank.

 

Q:  What kind of transaction testing would you recommend for BSE examinations? A financial institution, when reviewing wire fund transfers beyond reviewing the policies?

A: You could do a sample that would definitely be something you would want to do as a random sample of outgoing and incoming wire transfers. Especially, on the outgoing side, looking to see if the bank is complying with the travel rule and what fields they are populating.

Then, on the incoming side, looking at how they are processing and what their process is. Are they posting appropriately? Are they OFAC screening? Many different things that they could certainly examine.

So ensure travel rule compliance on outgoing wires; then on incoming wires, the posting processes; and on both sides, OFAC screening and any other sanctions screening that you would need to do.

You could even get into the verification processes that are taking place. So if it was a freeform wire transfer, meaning not based on a template, is a process followed to ensure two-step verification on that transaction?

And what are the processes around customers creating new wire transfer templates, and is there a two-step verification process around that as well.

 

Q: Should financial institutions still complete an OFAC check on domestic customers when receiving and or sending a wire transfer?

A: Well, if it is your customer, best practices suggest you should be screening your customer base on a regular basis, so that way you already know whether or not your customer is a sanctioned party. Even if they are a U.S. party.

I think that’s just safe to assume you should be screening the beneficiary on an outgoing wire, if it’s an incoming wire to your customer, again, you should already be screening your customer both during onboarding as part of the CIP, but then on an ongoing basis.

 

Q: Is the original bank the only bank that conducts a KYC review of the customer, or do all related banks in the transaction conduct KYC reviews on the originator?

A: No, it would just be the originating bank that would be the customer’s bank.

 

Q: If the other banks do not conduct KYC reviews on the originator, how do these banks know that they are not sustaining an illegal activity?

A: They would need to look at it from the perspective of their customer who is receiving it.

In other words, is it suspicious on the receiving end? Is this an unusual payment that your customer has never received before? Is it a wire transfer from Latvia? Each bank has that responsibility on their side and should be monitoring the activity of their customers.

 

Q:  What do you say to a financial institution that does not include a very good description narrative for the purpose of the wire?

A: That is always a struggle. Because per the travel rule, that is optional. If the customer doesn’t give you anything to put in that field, or gives you something cryptic, it’s not your obligation under the travel rule to go back to the customer and say this doesn’t make sense, or, give me something to put in that field, because it’s only if the originator provides you with that information do you have to include it.

It is something that comes back to customer education. So when customers understand why it is important to include that information, especially all the beneficiary information, their address, and so forth. Then putting additional things into the freeform text fields about what the purpose of this is, such as invoice numbers. Anything that can help the recipient of that transaction understand what you are paying them.

 

Q: Would you raise any red flags if it does not contain good descriptive information if it is common practice at the bank?

A: Not necessarily, no, because again, that is driven by the originator. So, for example, if I know customers who are routinely paying the same entity by wire transfer on a regular basis, they don’t necessarily need to put anything in that explanatory field.

I have mentioned, several times, wire transfer templates. They are more common on the commercial side, where it’s basically if you have a repeating wire transfer that you’re going to make to a particular business or other entity, you can actually set up all the wire instructions, including the bank, the beneficiary, all the address information, anything you want to put in that field.

Then the only thing you need when you go to initiate the transaction is the dollar amount. So that way, you do not need to do that two-step verification. They can simply pull up the template and change the dollar amount, or whatever they need to pay that other party on that day, and then a two-step confirmation of the legitimacy of that transaction does not need to happen because everything is set in stone other than the amount.

 

Q: When you process a wire in a correspondent relationship, is it valid to request a copy of the KYC information of the customer sending and receiving the transactions since this is not my customer and I don’t know them?

A: That is a good question and it speaks to the risks involved in correspondent banking, especially foreign correspondent banking, which has a section of the Patriot Act entirely devoted to it.

So, you have a risk when you are the correspondent, because you are processing transactions on behalf of somebody else’s customer, another bank’s customer. How do you detect suspicious activity? How do you know that enough vetting has been performed on that customer?

So I guess, depending on how, again, this is a risk-based approach that each financial institution that is a correspondent bank would need to make.

Banks want to know all about their anti-money laundering programs. There are detailed questionnaires and documentation that each bank wants to know about the other bank: do they have a robust AML program in place? Banks will rely on that information in order to not have to look at the KYC of every single customer that they are processing a transaction for.

 

Q: What questions would you ask an FI if there are many return wires, whether from a single customer or multiple customers?

A: I guess they are looking to maybe understand what their process is, because if they have to be returned, then there is something inaccurate on the message itself.

It could be the wrong account number. It could be that they are leaving off information that does not allow that receiving bank to be able to automatically process that transaction all the way through to the customer’s account.

 

Q: Is a Post Office box address considered a valid address?

A:  Actually, it is. A lot of debate about that over the years, back and forth.  Nowadays, it is generally accepted that a P.O. Box is OK. Often you may have with your customers a mailing address and a physical address. You should probably have both those records.  When we would pre-populate our customer’s name and address on an outgoing wire in the originator fields, we would pull from their physical address record, not their mailing address.

So that way we were closer to ensuring that we avoided the P.O. Box as much as possible, but that’s not always possible.

 

Q: Do you request a source of funds from the originator?

A: Usually the source of funds is their account. I suppose an MSB might be if someone brings in cash and wants to send a wire using that cash. That is again, another risk-based question. Do you know this customer already? Is this transaction unusual for that customer? If so, then you may ask, what is the source of funds? They do not necessarily have to tell you, but you could certainly ask if there are other suspicious elements to the transaction of any kind.

 

Q: What happens if many incoming wires are coming with no originator account number?

A: That could be something that the receiving institution may want to have a conversation with the sending institution about. There is a possibility that one particular type of institution is doing a lot of non-customer wire transfers, especially with large unbanked populations. Then they may not be providing anything. They do not have an account number because they do not have an account.

Even if they do not have an account, in that originator identification field they should have something, such as a driver’s license or some other form of identification.

 

Q: Do you request the profession or nature of business of the sender, detailed information on the major shareholders owning 10% or more, and the relationship between sender and recipients, as documentary evidence of the sender’s source of funds?

A: Not typically, at least not in my practice or my history because we have already done that KYC on our customer. Now that’s not to say that, we do our initial KYC and establish a risk rating for our customer and, then, once we see their transaction activity over time, if there’s odd stuff going on, we may actually pursue that information with them to get more details from them. And in other words, enhanced due diligence.

 

Q: What is the IBAN number versus a SWIFT code?

A: So an IBAN number is like an account number. It’s a very long number, I think it is like 36 numbers and letters, and that is used in Europe, predominantly, to identify any recipient of funds. So it is a way of identifying the person and the account number and the institution where that account number resides, all in one big long number, whereas the SWIFT BIC is the identification of the financial institution in the SWIFT system.

 

Q: Is the purpose of transaction not mandatory for fed wire transfer? And if not mandatory, can the fund be returned?

A: To my knowledge, no, it is not mandatory. The Fed is not looking for that field, the purpose of the wire, to be completed. I have never been requested to provide that. And also from the travel rule perspective, it does not have to be provided unless your originator gives it to you.

 

Q: So, if not mandatory, can the funds be returned?

A:  I don’t think so. The only reason that a bank would want to return funds is if they could not post it in some way. And then you get into sanctions issues as well if they are rejecting a wire transfer if it had an OFAC match on it that they consider to be legitimate, but that’s outside of this subject.

 

Q: Will you provide some guidelines on OFAC screening on wire transfers? For example, is it required to OFAC screen domestic banks?

A: There are no regulatory requirements for screening. There is no regulatory requirement that you screen anything, and so, that’s why it becomes a risk-based approach. Therefore, OFAC describes screening as a tool that you can use to make sure that you comply with the economic sanctions. So, it’s screening as a tool, you decide how you want to use that tool to protect yourself, and make sure that you are complying with the sanctions, so that there is no legal requirement.

That, being said, in my opinion, you should be screening the banks because there are banks that are sanctioned parties. I know the OFAC screening tool we used had sort of added-value lists that had major banks in sanctioned countries, for example. So those would be flagged so we could take a look at it more closely.

So, my opinion, absolutely, you should be including banks in your screening process.

 

Q: If a U.S. bank has a foreign branch and others in another country and it is the originator bank for a wire transfer from an OFAC standard, is it required to OFAC screen the Foreign Branch?

A: We saw a number of years ago where a bank was doing something called payments stripping, where they were getting a SWIFT payment message from their counterpart banks in Iran that included names of sanctioned parties that were bringing funds to the U.S.

And they had people modifying the SWIFT payment message before it went to their U.S. branch to take out the sanctioned parties so that their U.S. branch wouldn’t flag anything from an OFAC perspective.

So I think absolutely you should be screening anything that comes to you.

 

Q: Is it true to say that all U.S. dollar transactions have to transit the fed wire system, even if SWIFT is being used?

A: No, they would not have to. So they can either be through CHIPS where those 50 or so banks that are members of CHIPS are basically processing transactions amongst themselves all within the system.

And then, if you are a member of SWIFT in the U.S. and you have correspondent relationships with banks in foreign countries, through SWIFT, you can absolutely do your foreign wire transfers that way and bypass the Fed completely.

 

Q: If an outgoing wire receipt and the transaction does not make sense with the customer profile, at what point do you reach out to the customer for clarification? And if it does not satisfy the response or continued behavior, at what point do you reject a payment?

A: My opinion is unless there is a legal reason, like an OFAC match or some other sanctions match that requires you to block an outgoing payment, you have to let it go. And that is when you file a suspicious activity report (SAR).

Now there could be in this scenario that your customer may be being defrauded. And so then you want to talk to them and try to convince them that they need to make sure, and corroborate with somebody else that this is a legitimate transaction.

Now if it isn’t flagged by your fraud monitoring system, but it comes up later as suspicious activity from a money laundering perspective, then you have to decide when you’re looking at that and looking at the alert and actual payment or looking more closely at that wire transfer and deciding whether this is something you should approach your customer about.

Like in the example I gave with the Sony home theater system that was just so bizarre that we asked our customer about it. They could clearly see the Latvian bank and the Sony theatre system explanation.

So at that point, we said, OK, time to file a SAR and not even push it any further with the customer. Because we don’t want to take that risk of tipping them off.

What ended up happening with that customer was the kickoff to a pattern that we started to see with wires coming from these shell companies in different countries all through banks and one of the two major banks in Latvia.

And, when we finally approached the customer about this activity, we asked them about a couple of other ones. We asked them in the same way as we did the first wire about the Sony home theater system. We asked them, what is the business purpose of this? And then, after a couple of inquiries, what we started noticing was they were still getting payments from all these shell companies, but the explanation for the purpose of the payment on the wire had changed.

And all of them said the exact same thing “for fruits and vegetables.”

It’s like you could just picture somebody’s picking up the phone and saying, hey, you guys quit using all these funny explanations, you have to just say it’s for fruit. We had a kind of a laugh about that, but, they obviously changed their behavior for some reason, and we could observe that, and obviously, report it.

 

Q: So, if the wire was conducted on the fraudulently opened account, using an identity theft victim’s information, is this still reported? The victim had never authorized the use of his information. And so the follow-up is, if you report it, wouldn’t it be misleading, as we would be reporting using the victims themselves?

A: What we would do on all of our SARs that related to fraud that had been perpetrated against our customer, is that you do not list the customer anywhere as a subject on the SAR. You can describe it in the narrative. But the only subject on the SAR would be if we had any details about somebody involved in the fraud.

So let’s say they were fooled into sending a fraudulent wire transfer to some third party. The subjects on our SAR would be that third party.

If it were a fraud instance where we had no information about the sender, then we would just check that box on the side that said: no subject information.

But with a wire, you usually have somebody’s name that this money is going to or coming from, so that’s what goes on the SAR, and you leave your customer out of it.

And you just explain in your narrative that this was your customer who was impacted by this. So that’s what you would do in that particular case. And you would report it because law enforcement again needs to know about these instances. That is the whole purpose of SARs is to let law enforcement know what is going on.

And so for that same wire transfer, the person getting the money could be getting this from banks all over the place through other victims. And so that name, if it’s used in the subject field on the SAR, is going to pop up in our database with FinCEN.

 

Q: How do you handle PEP wires?

A: So, that really is a know-your-customer issue. So if your customer is a PEP you could look at that from both directions. So what wire transfers are they doing, that goes into what is your monitoring process for that individual.

What do you know is normal activity and expected activity for that particular PEP customer? And then what would be out of pattern?

In other words, PEPs are just red flags. So a customer getting a wire transfer from Maduro in Venezuela would probably raise a big red flag. Why are they getting money from this individual?

So, it becomes out-of-pattern activity. And then, you would do some due diligence to figure out why. But it’s not something that you unnecessarily block; you could certainly report it if it ended up being suspicious.

 

Q: Would the quantity, like how much is being sent, be a consideration?

A:  It can, or it can’t. Actually, in the majority of my SAR cases, the dollar amounts of the wire transfers were rarely over $100,000 at a time.

And I think that’s deliberate, because you would just assume that a huge $1-million wire transfer is going to raise a lot of red flags just because of the dollar amount. But something from $10,000, $25,000, $50,000, that establishes a sort of ordinary pattern. And again, it depends on the customer.

If we’re talking about a consumer account, that may be, because any wire transfer could be potentially suspicious, but on a business account, it may be they’re looking to establish a pattern. If they’re laundering money, what we did see, way back when we initially experienced that at my bank, was that our customers were getting malware where the fraudster could actually come in secretly and stay online.

In the online banking system, for example, even if the customer thought that they had logged out, the fraudster was still in the system and could look at everything that they had done. They look at what’s a normal wire transfer for them dollar-wise.

And then they started initiating wire transfers of those similar dollar amounts to see if they could get away with that. So, monitoring systems wouldn’t necessarily pick it up.

 

Q:  Can a person remit funds with an ABA for one institution and a SWIFT code for another in the same transaction?

A: So say both are U.S. banks, and you’re using fed wire and you try to use the routing number of your bank as the sender. And for the receiver, you try to use their SWIFT code. You still need to populate that receiver depository institution Fed routing number; the Fed cannot process a wire transfer without the sender DI’s and receiver DI’s Fed account, Fed routing number.

So they’re going to kick it back if it doesn’t have those two fields populated.

But the beneficiary bank could certainly be a SWIFT number, because really, what the Fed is looking for, mostly, are those two, the sender DI and the receiver DI, because that’s how they’re going to post the transaction.

 

Q: Is the beneficiary date of birth and place of birth necessary to be on the wire transfer template?

A: Not in the United States. I’ve seen thousands of incoming wire transfers from other countries where that information is always provided in the OBI field.  I’m thinking that it probably is required in many other countries.

A large proportion of these were in Asia, India, Asia, and sometimes the Middle East, but not very much from Europe. So, it could just be that there are regulations in those countries that require that, but definitely not in the United States.

 

Q:  What laws in the U.S. protect the consumer for bank fraud or phishing? And is it mandatory for the banks to reimburse the customer, if phishing or fraud was determined in the wire transfer of funds?

A: There are several programs. But it’s very true that consumer accounts have far more protections than commercial accounts do.

In fact, commercial accounts have to protect themselves with additional products and services, especially on the check side and the ACH side, to make sure that they’re not experiencing fraud.

So, the regulations are different and there are several of them that apply based on, for instance, what type of events, what type of transfer it is. And this could be in federal regulations that could be in for ACH, but most of the time, consumers are absolutely protected with wire transfers.

It is a little bit different than with checks and ACH because just the nature of wire transfers; they are not a negotiable instrument in other words. It’s a little tougher for a consumer to have if the consumer was the one who was defrauded and the consumer had initiated the wire transfer, they’re going to have a hard time getting money back from their bank. But if this was a hacker and impersonation, then definitely the bank is going to be on the hook for that.

 

Q: So if a wire transfer arrived from a bank account which previously had a suspicious activity, do you consider this as a suspicious activity?

A: I could see that going two ways. One might be you have a customer who is receiving a wire transfer, and you’ve previously been monitoring this customer’s account for suspicious activity of the nature of wire transfers, or maybe it’s something else that they’re doing. Again, you are looking for out of pattern, right? So if you’re already monitoring a customer’s account for suspicious activity, then pretty much any transaction that’s going on with them should be looked at more closely.

They could be asking the question that if the sender of the wire transfer, the originator, has been flagged as something suspicious through a payment to a customer – to one customer. And then the same suspicious party makes a payment to another customer.

We actually had that happen on a couple of occasions. And now, both of the customers who received payments from this one suspicious party, which we had identified as a shell company, they were both in the same business.

So again, the fact that it was a shell company that we could pretty much clearly identify was a foreign shell company, that’s a red flag. It doesn’t necessarily mean that it was illegal activity. Both of these companies are exporters. And a lot of times, payments for foreign exports come through third parties, sometimes that are set up as a shell company. So we were able to flag that in our monitoring systems and point it out.

So, then, because we had flagged that as a suspicious party on one customer, we flagged it again and would file a SAR on the other customer as well for receiving that payment.

And then we mentioned in our SAR that corroboration between the two. And even referred in our SAR narrative to the SAR identification number of the original SAR on customer number one where we had seen this activity. So that way, law enforcement, as they are reading the SAR, can say, I can see what you’re talking about here and I can go and look up this particular file and see the connection between them.

 

Q: Is this where you would document this information in the case report, just so you can track all this information?

A: Obviously yes. A case report is a tool we talk about in the webinar we did on SARs, too.

When you get these really complex cases, which wire transfers can often involve because you are dealing with layering for the most part, layering processes in the money laundering process, these can get really complicated.

So being able to write out everything that you have investigated, every connection that you have made, that is not just obvious from the alert itself, that may or may not have been generated by your system, is important. And that is something that then you can provide to law enforcement to see how you have justified the SAR and give them more information than just your summary.

 

Q:  What are key elements regarding wire transfers that are scrutinized for either internal or external auditors?

A:  For your external CPAs or your internal audit, is, I think, number one, they’re going to be looking for compliance with the travel rule.

So on your outgoing wires, just where the travel rule would apply to outgoing wires, are you capturing all the mandatory information, and then what are you doing, if anything, to validate that?

Are you allowing an originator’s name to be changed? Processes like that.

And then on the incoming wire side, obviously they will be looking for you to be retaining all of the information you receive for the mandatory five-year period. And per the FinCEN travel rule, how are you retaining it? Is it easy to retrieve? Because there are rules in the travel rule about how quickly you have to retrieve information once it’s been asked for. How are you storing it? Is it easy to find, and how is it being analyzed by your AML system?

Also, what are the parameters and rules and models that your AML system is using to look for suspicious activity within wire transfers?

 

Q: Here at your institution when investigating a transaction involving your correspondent would you request supporting documents like invoice, bill of lading, or just a profile of your customer?

A: I guess that would depend on the nature of the transaction.

Let’s just say it’s a wire transfer where the underlying transaction was done through open account trading, meaning the banks aren’t involved in issuing a letter of credit or anything like that. It’s just the parties making payments directly. If there is something suspicious, we would go to the correspondent bank and say, there is something about this transaction and we would like more information.

Do you have supporting documentation from your customer that verifies this as an export transaction, like a bill of lading or commercial invoice, something like that?

 

Q:  Do they require a financial institution to call every client that does an online wire to confirm it, even though it’s the same page and they’re sending often?

A: So our policy, and this is probably the case with most banks, is that we distinguish freeform wire transfers versus template wire transfers.  Let’s talk about templates first. So our customers were able to create a wire transfer template that has the payee name and address and the bank account information.

Even anything that they would want to regularly include in that OBI field.

And then, that template would get set up, and it would require two-touch approval to set up that template to begin with. And then, when that template is used, they’re going to routinely make payments to that particular vendor.  Then the employee whose job it is to make those payments can pull up that template, change the dollar amount to whatever they owe the vendor, and then just initiate the wire, and you don’t need a second authorization, because they can’t change anything except for the dollar amount.

Now a freeform wire is where there is no template. So they’re setting up wire transfer instructions, or a payment order, with someone, let’s say, they have never paid before and they don’t have a template for. So anytime one of these came through, it was stopped by the wire transfer system and we did a callback to the customer to confirm; we did a callback actually to a second party at that customer.

So I guess to answer the question, even if that customer does not understand that they can create a template so that they do not have to go through the secondary approval process all the time, they may be sending a freeform wire every single time to the same party repeatedly. And so then, yes, every single time you should be authenticating or verifying that if it’s freeform or if it’s through online banking, then a second person ticket user on their system should have to approve it.

And so, then, if you start to see a lot more of this, somebody should reach out to their customer and say we’ve got this feature here, so that you don’t have to do this all the time if you set up a template.
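The template versus freeform control described in this answer can be expressed as a release check. The sketch below is an added example, not code from the webinar or from any bank's wire system; the field names, the modelling of "two-touch" as two distinct setup approvers, the repeat threshold of three, and all sample data are assumptions.

```python
from collections import Counter
from dataclasses import dataclass, replace
from typing import Optional

# Fields a template fixes; only the dollar amount may vary per payment.
LOCKED = ("beneficiary_name", "beneficiary_account", "beneficiary_bank", "obi")


@dataclass(frozen=True)
class Template:
    beneficiary_name: str
    beneficiary_account: str
    beneficiary_bank: str
    obi: str
    setup_approvers: frozenset  # users who approved creating the template


@dataclass(frozen=True)
class Wire:
    initiated_by: str
    amount: float
    beneficiary_name: str
    beneficiary_account: str
    beneficiary_bank: str
    obi: str = ""
    template_id: Optional[str] = None
    second_approver: Optional[str] = None  # callback contact or second online user


def release_decision(wire, templates):
    """Return ("RELEASE" or "HOLD", reason) for one payment order."""
    if wire.amount <= 0:
        return "HOLD", "invalid amount"
    if wire.template_id is not None:
        tpl = templates.get(wire.template_id)
        if tpl is None:
            return "HOLD", "unknown template"
        if len(tpl.setup_approvers) < 2:
            return "HOLD", "template lacks two-touch setup approval"
        changed = [f for f in LOCKED if getattr(wire, f) != getattr(tpl, f)]
        if changed:
            return "HOLD", "template fields altered: " + ", ".join(changed)
        return "RELEASE", "template wire, amount-only change"
    # Freeform: a second person must confirm, and it cannot be the initiator.
    if wire.second_approver is None:
        return "HOLD", "freeform wire needs callback or second approval"
    if wire.second_approver == wire.initiated_by:
        return "HOLD", "second approver is the initiator"
    return "RELEASE", "freeform wire confirmed by second party"


def template_candidates(wires, threshold=3):
    """Beneficiary accounts paid by freeform wire at least `threshold` times,
    i.e. customers worth contacting about setting up a template."""
    counts = Counter(w.beneficiary_account for w in wires if w.template_id is None)
    return sorted(acct for acct, n in counts.items() if n >= threshold)


# Constructed sample data (not real accounts or customers).
TEMPLATES = {
    "T1": Template("Acme Feed Supply", "000111222", "EXAMPLE BANK",
                   "INV PAYMENT", frozenset({"alice", "bob"})),
}
TPL_OK = Wire("carol", 1200.0, "Acme Feed Supply", "000111222",
              "EXAMPLE BANK", "INV PAYMENT", template_id="T1")
TPL_TAMPERED = replace(TPL_OK, beneficiary_account="999888777")
FREE_UNCONFIRMED = Wire("carol", 5000.0, "New Vendor LLC", "555000111", "OTHER BANK")
FREE_SELF = replace(FREE_UNCONFIRMED, second_approver="carol")
FREE_CONFIRMED = replace(FREE_UNCONFIRMED, second_approver="dave")

if __name__ == "__main__":
    for w in (TPL_OK, TPL_TAMPERED, FREE_UNCONFIRMED, FREE_SELF, FREE_CONFIRMED):
        print(release_decision(w, TEMPLATES))
    print(template_candidates([FREE_CONFIRMED] * 3 + [TPL_OK]))
```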

 

Q:  Given most foreign wires have serious data issues, so, partial jurisdiction info, named accounts, what was your bank’s policy regarding fixing or interpreting geo data for risk by for risk facing each wire?

A:  Actually, my experience was different from what this participant is enquiring about.

I always found that foreign wire transfers had way more information than domestic ones did.

Now, given the fact, however, all my customers were commercial clients. But the problem that we had was that we did not use SWIFT for payment messages. So we were always receiving foreign payments incoming through a U.S. intermediary who had received a SWIFT message for that payment from the foreign bank and then they had to convert it into a Fed wire. And so we had the issues around addresses. And it would end up being all kind of jumbled together and we had the purpose of the payment in several places where it would be entered in one or more fields on the Fed wire.

Another issue would be when information is being translated from the language of the country where it’s coming from into English. Foreign wires coming from Asian countries would convert names and so forth into English; they were using sort of a phonetic spelling on names, addresses, city names, street names.

In certain Southeast Asian countries, the addresses are really complicated, so there was this translation that was going on as well, language translation, that made it a little challenging. But in terms of missing information, I honestly rarely saw that. That was more on the U.S. side, the Fed wire, because the Fed doesn’t require pretty much anything except for that sender DI and receiver DI, and then the dollar amount and the date.

Live Q&A Forum: Money Laundering and Fraud Risks for Wire Transfers

July 7, 2020  |  12 pm ET

Do you have questions about how wire transfers in the U.S. work or how to manage their money laundering or fraud risks? AML expert Laurie Kelly, CAMS will follow up with any answered questions during her recent webinar on Understanding Money Laundering and Fraud Risks of Wire Transfers and answer any new attendee questions. Come hear the questions from your peers and learn how you can improve your own AML program.

Understanding Money Laundering and Fraud Risks of Wire Transfers

Wire transfers have long been the tool of choice for money launderers and fraudsters. To mitigate these risks to the financial institutions they serve, AML compliance and fraud professionals must understand how wire transfers work, both in the U.S. and globally, as well as be able to recognize the red flags in wire transfer transactions that may indicate money laundering or fraud is taking place through a customer’s account.

In this webinar, Laurie Kelly, CAMS shares her knowledge and experiences gained from 20 years in leading the AML, fraud, and sanctions compliance functions for a $130 billion U.S. financial institution that processed 12,000 to 15,000 wire transfers per day. Attendees will learn about the mechanics of wire transfers, both in the U.S. and globally, and how wire transfers differ from other types of money movement methods. She will then discuss the FinCEN “Travel Rule”, as well as sanctions screening best practices for wire transfers. Finally, Laurie will explore the money laundering and fraud risks and red flags associated with wire transfers and ways to mitigate them.

 

Using Corruption Perception Index for AML Risk Scoring

Transparency International’s Corruption Perceptions Index (CPI) shows Canada is the top ranked country in the Americas.

However, the bad news is that its ranking in the annual measurement of corruption has dropped for the last few years.

Canada scores 77/100, which puts it down at 12th out of the 180 countries measured.

While Canada is consistently a top performer, the country dropped four points since last year and seven points since 2012. The index ranks countries out of a score of 100, where 100 is the least corrupt and one is the most corrupt.

 

U.S. continues downward slide

 

The U.S. scores 69/100 and ranks 23rd out of 180 countries. Its score has also dropped two points since last year, its lowest score on the CPI in eight years.

This comes at a time when Americans’ trust in government is at an historic low of 17 per cent, according to the Pew Research Center.

The U.S. score drop is a seven-point slide over the last four years.  Therefore, there are still some challenges and anti-corruption perceptions under the country’s current framework.

Mexico was listed at 29/100, showing some improvement in its annual ranking.

The lowest in the Americas was Venezuela, which only scored 16, which is also one of the bottom five scores globally.

 

Corruption, democracy and human rights

 

When you look at the world map in the CPI, it uses colors to chart how well countries are doing in terms of democracy or human rights.

Blue is to show that a country is doing really well. Green also indicates that they are generally doing well. Then, there is the red zone in areas of the highest corruption perceptions. This map shows that no country is in the green or blue color range.

There are many dark reds in Africa, Asia and Latin America, and there are still corruption challenges in Western Europe, Canada, the U.S., Australia, Japan and other countries. No country is free from corruption.

Transparency International says the map also suggests corruption and bribes do not stay within borders.

They say the money that is gained through illegal actions or through bribes does not always stay in those deep red countries.

It often goes to the lighter yellows and orange countries where they are seen as less corrupt, but may be willing to hide the money of the corrupt regimes or countries.

 

Top countries hold rankings

 

In the last year, top performers Denmark and New Zealand have held their ranks as the least corrupt countries on the CPI.

When we talk about countries that are at the top of the corruption perception index also being an entryway for illicit funds, we see Switzerland there at No. 6, as it is a well-known secrecy jurisdiction.

Countries at the bottom of the index include Venezuela in the Americas and Syria in the Middle East and the African nations of Yemen, Sudan and Somalia.

Taking a regional view of the corruption perception index, Western Europe and the EU are still amongst the highest ranked regions along with sub-Saharan Africa, and North Africa.

 

How CPI is calculated

 

The index ranks 180 countries and territories by their perceived levels of public sector corruption.

The CPI aggregates data from a number of different sources that provide perceptions by business leaders and country experts. They rank the level of corruption in the public sector.

It is a composite index of 13 other indices such as the World Economic Forum, the World Bank, the Economist Intelligence Unit and the Ibrahim Index of African Governance.

For a country to be on the CPI report, it needs to have had at least three of those indices rank them in the past three years.

A country’s CPI score is then calculated as the average of all standardized scores available for that country. Scores are rounded to whole numbers.

 

How compliance officers can use CPI

 

The corruption index is also used by compliance officers to help them conduct country risk assessments.

The CPI, along with the Basel AML Index and the TRACE matrix, is among the tools that can help compliance compile and document geographic risk scores for regulators. Remember this index measures “perceived” public sector corruption. It does not measure the private sector.

One of the keys is to keep the risk score as simple as possible and to document the way your model works.  If you use the CPI index, remember its scoring system is the opposite of some others – the higher the score, the lower the risk.

One way around this would be to bucket the CPI from a range of scores into risk level labels, such as high, medium high, medium, low and very low. Determine each country’s risk level based on where its score falls in the range. Then assign point values to each risk level (e.g. 20 for a risky country, 0 for a low-risk country).

This would allow you to use the CPI risk alongside other indices that measure risk scores differently.

You also need to include the reasons why you chose your methods and what existing models you used in your calculations.
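The bucketing approach described above, as an added example that is not CaseWare's or Transparency International's own model. The CPI scores are the ones quoted in this article; the cut points, the intermediate point values, the second "higher is riskier" index and its scores, and the worst-case default for unrated countries are all assumptions.

```python
from dataclasses import dataclass

# Risk level -> points. Labels follow the article; only 20 (risky) and 0 (low
# risk) are given there, the intermediate values are assumptions.
POINTS = {"high": 20, "medium high": 15, "medium": 10, "low": 5, "very low": 0}
LEVELS = list(POINTS)  # ordered from riskiest to least risky


@dataclass(frozen=True)
class Index:
    name: str
    higher_is_riskier: bool
    cuts: tuple  # four ascending cut points -> five buckets (assumed values)

    def level(self, score):
        """Map a raw score to a shared risk label, or None if unrated."""
        if score is None:
            return None
        bucket = sum(score >= c for c in self.cuts)  # 0 (lowest) .. 4 (highest)
        # On the CPI a LOW score is the riskiest bucket; on the other index
        # a HIGH score is, so the bucket order is flipped.
        return LEVELS[4 - bucket] if self.higher_is_riskier else LEVELS[bucket]


CPI = Index("CPI", higher_is_riskier=False, cuts=(30, 45, 60, 75))
# Hypothetical second index on a 0-10 scale where 10 is the riskiest.
OTHER = Index("EXAMPLE_INDEX", higher_is_riskier=True, cuts=(3.0, 5.0, 6.5, 8.0))


def country_risk(country, scores, indices=(CPI, OTHER)):
    """Return (average points, audit trail) for one country.

    The trail records every input and bucket decision so the model can be
    documented for a regulator.
    """
    trail, total = [], 0
    for idx in indices:
        score = scores.get(idx.name)
        level = idx.level(score) or "high"  # unrated: assume worst case
        reason = "no score, defaulted" if score is None else f"score {score}"
        trail.append(f"{country}: {idx.name} {reason} -> {level} ({POINTS[level]} pts)")
        total += POINTS[level]
    return total / len(indices), trail


# CPI values are from the article; EXAMPLE_INDEX values are constructed.
SAMPLE = {
    "Canada": {"CPI": 77, "EXAMPLE_INDEX": 4.0},
    "United States": {"CPI": 69, "EXAMPLE_INDEX": 4.5},
    "Mexico": {"CPI": 29, "EXAMPLE_INDEX": 5.8},
    "Venezuela": {"CPI": 16},  # second index deliberately missing
}

if __name__ == "__main__":
    for name, scores in SAMPLE.items():
        points, trail = country_risk(name, scores)
        print(f"{name}: {points} points")
        for line in trail:
            print("   ", line)
```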

To learn more about how to use CPI and other indices to calculate a geographic risk score, watch our recent webinar on Assessing AML Geographic Risk.

 

Trade-Based Money Laundering: What Compliance Professionals Need to Know (CAMS)

July 14, 2020  |  12 pm ET

July 16, 2020  |  9 am ET

CAMS Credit: 2

Hundreds of billions of dollars are laundered every year through trade-based money laundering (TBML). Its sophisticated techniques allow criminals to use legitimate trade to disguise the source of illegal proceeds and transfer value across borders without the use of traditional money movement methods.

In this webinar, Laurie Kelly, CAMS will share her knowledge and experiences gained from 20 years in leading the AML, fraud, and sanctions compliance functions for a $130 billion U.S. financial institution that provided extensive trade finance services for global exports of U.S. agricultural products. Attendees will learn the fundamentals of foreign trade and trade finance, and why these long-established processes make it so vulnerable to TBML.

We will break down the most common TBML techniques, including the Black Market Peso Exchange, over & under invoicing, and others, using real world case studies. Finally, we will review the red flags for these activities and how to incorporate transaction monitoring, sanctioned/restricted party screening, and enhanced customer due diligence to mitigate TBML risks.

 

Dispelling Myths about Cloud Computing for AML and CCM

As we move toward creating faster and more secure ways of doing business and fighting financial crimes, we at CaseWare RCM have been asking ourselves some critical questions about what our clients need in order to have an AML compliance and continuous controls monitoring (CCM) system that will take them into the future.

A key hurdle that many customers face is the availability and scalability of IT resources and infrastructure. Keeping compliance and audit systems upgraded, secure and scaled to meet their growing needs is not always a top priority for businesses. To make the issue worse, IT problems are often discovered only when there is an interruption in service or a much-needed upgrade is delayed or fails.

We have been very bullish in our recommendation for customers to migrate their Alessa deployments to the cloud. While the use of the cloud by businesses has grown extensively, there remain many preconceptions or myths about the use of this technology. Everything from security to location of data are critical questions asked by IT, risk officers and the C-suite.

Here are some common misconceptions about the cloud, facts that dispel the myths and the reasons that CaseWare RCM is now collaborating with Microsoft to migrate and expand our Alessa solution in the Azure cloud.

 

Myth #1: The public cloud is less secure

 

Global public cloud providers like Microsoft are able to invest massive amounts of resources that exceed what any individual organization can realistically invest. It is estimated that Microsoft has more than 3,500 security professionals and spends over US$1Bn on cloud security annually.  This is what allows them to use state-of-the-art technology, and employ the world’s leaders in cybersecurity.

Public cloud providers also invest heavily in monitoring of their infrastructure since it is one of their core value propositions and a cornerstone of their business. The constant monitoring along with their massive scale and geographic presence enables public cloud providers to detect emerging threats quickly and address issues before they gain traction.

Beyond security, ensuring compliance with global, local, and industry regulations is also a significant burden to individual companies. When organizations turn to a global cloud provider, they are inheriting the compliance and security certifications and standards of work already put in place for organizations around the globe. In this case, Azure has over 92 global, regional and industry specific certifications.

 

Myth #2: Your data will be stored internationally

 

Many organizations, including financial services businesses, require their data be stored in specific jurisdictions. It is for this reason that many public cloud providers have regional data centers.

In the case of Microsoft Azure, it has 58 worldwide regions and is available in 140 countries. There are multiple data centers in the U.S., Canada, UK, India, Africa, Australia, China, etc.

These offer the scale needed to bring applications closer to users around the world, preserving data residency, and offering comprehensive compliance and resiliency options for customers.

 

Myth #3: Cloud computing will cost more

 

When thinking about costs, there are many aspects to consider. There are the actual capital and operational expenses of hardware, virtual machines, software and staff to deploy, secure, upgrade and maintain IT equipment and services.

Another consideration is time. How much time does it take to deploy new services and products? What is the lead-time to purchase new equipment and services?

Finally, utilization is a consideration. Do you have to purchase extra capacity in advance to plan for future needs? Are resources being spent for underutilized equipment for the “just in case” or upgrade scenarios?

When you consider all these costs, the total cost of ownership is comparable, but with the added benefit of greater security and redundancy along with an improved end-user experience. Organizations also have the added benefit of being able to purchase capacity as and when they require, so capital investment is not locked in underutilized equipment.

 

Myth #4: Cloud service providers will have access to my data

 

Encrypting client data at rest and in transit ensures that there is no potential for cloud providers to access confidential information without an encryption key. In the end, the clients have the final say over who does and does not have access to their data.

 

Myth #5: Working in the cloud is complex

 

While the theory behind how the cloud works may be complex, the end-user experience is quite the opposite.

When it comes to setting up or migrating to the cloud, your service provider does all the heavy lifting in the back-end, which results in a seamless transition that limits downtime and creates the same, if not a better, experience as an on-premise environment.

 

Fact: Faster deployments and software upgrades

 

It is without a doubt that cloud deployments have made life easier for our customers. Initial implementations and software upgrades are much faster for Alessa customers in the cloud than those who opted for on-premise installation.

Internally, our decision to use Microsoft Azure has been a boon. Alessa developers are able to spend more time developing compliance and fraud prevention functionality rather than writing IT infrastructure and deployment code. This has translated to more integrations with other service providers and features that help our clients with their day-to-day operations.

 

Fact: Greater capacity for fraud detection and prevention

 

With the increased data storage and computing power offered by the cloud, deploying AI-based techniques in Alessa becomes a reality for many more organizations.

In the case of Microsoft Azure, the platform offers advanced machine learning capabilities, which allows companies to quickly and easily build, train, and deploy machine-learning models.

At Alessa, we have been helping our customers to migrate to the cloud so they can spend less time worrying about infrastructure to support their AML compliance and CCM systems. We invite you to learn more about how the cloud can help you, too.

 

Q&A: Writing Effective FinCEN SARs (Suspicious Activity Reports)

Updated  June 11, 2020
 

Recently we had a chance to have Question and Answer sessions with Laurie Kelly following CaseWare RCM’s webinar on writing SARs.

Laurie is an expert in the field with a 35-year career spanning the fields of accounting, finance, risk management, and regulatory compliance. Most recently, she served as the Director of Compliance for CoBank ACB, a $136B Farm Credit System institution, where she developed and managed the bank’s anti-money laundering, fraud, and economic sanctions compliance programs.

 

 

Q: If the bank is in one state, but pre-paid accounts are located in another state, in fact across the U.S., where would the SAR be filed?

A: Where the SAR is filed from is the state you would file. We had one central location, but our SARs were filed where the suspicious activity was taking place. For example, we were in Colorado, but we would have a customer in California. Let’s say that we had suspicious activity, we still would contact the SAR review team that was for our Colorado regional area, and let them know about it, and they would look at it and then they would refer it to another site review team in California, if they so choose to.

 

 

 

Q: The main question from junior team members relates to the level of detail to provide. Another challenge is the level of review internally until a SAR is actually issued, what would be a good period between identification and issuance of the report?

A: So your clock starts ticking for SAR filing once you make the official decision to file the SAR. So you have an alert, a junior associate looks at it and says they think it is SAR worthy. They raise it to their supervisor and whatever processes you have for who approves that final SAR filing decision. It is at that point that the SAR filing clock starts. So you have time ahead of that to investigate before you make a decision on whether you’re going to file a SAR or not.

It depends on your organization and what your hierarchies are for approvals. In my organization, things would come through a supervisor and then to me, and then I would make a decision on whether or not this was SAR worthy. I would speak to the chief compliance officer and tell him about the case. And he would say yes or no.

So it’s kind of a balance there. Whom do you decide has that authority to say yes or no? And if you’re a large organization with a lot of SARs, then you probably have intermediary level management that could be able to make that decision.

But just keep in mind that the SAR filing clock starts at the date that you make the decision to file.

 

Q: Do you run into any problems if it takes you a little while to start investigating a transaction?

A: Not necessarily, because I think law enforcement does not want you to file an unnecessary SAR that you have not thought about or investigated.  They want the good stuff. They do not want the stuff you are not sure about.

Obviously, if you wait months to make a decision, that is not acceptable.

But if it is typically within the timeframe of 30 days or so. We did not generate alerts daily. We generated them twice a month.

So a transaction could have occurred at the beginning of the month that we wouldn’t see for two weeks as an alert, and then we would investigate that and determine whether we needed to file a SAR. So, that was a two-week period. But, I think that is a reasonable amount of time as long as you can justify it in order to file a good quality SAR.

 

Q:  How do you handle cumulative dollar amounts in a SAR?  Would you choose continuing if it was a SAR follow-up review and only include the cumulative amount for SARs?

A: In the form itself, if you have checked the box for continuing activity, then it’s going to ask you for a cumulative total in the section of the report. Then it will ask you for the amount of this particular SAR. There is a place at the form to guide you as to what information or dollar amounts to use.

 

Q: Do MSBs file SARs?

A: Absolutely, Yes.

 

Q: Do you get 150 days for continuing activity?

A: It’s 120 days. The due date of your continuing activities SAR is 120 days from the date of your last SAR. So, that’s the maximum amount of time. You could certainly file it before then.

So, even if we were coming up on preparing our SAR and the 120-day due date was coming up, if it was a big case or a critical case, oftentimes, we would go in ourselves and look for more activity within our transaction systems and not even wait for the alerts to see what came up. And stick anything in there that we could enter in that current SAR.

 

Q: I agree that we are filing a SAR for the benefit of law enforcement; however, regulating bodies frequently recommend that we add verbiage that clutters the SAR. Ultimately, they do not regulate us, so I think that is where the case report is helpful. Would you agree?

A: Yes. I feel your pain there. That is a long-standing dilemma, and so I personally took a hard stance on what I was providing in my SARs.

Once the attachment feature came out, I had far fewer issues because prior to the attachment feature our regulator wanted every single transaction crammed into that narrative. I could show them conversations that I had had with law enforcement about how they do not want this. But it was a longstanding agree to disagree kind of thing.

It is up to you to decide how much you want to go into battle.

 

Q: How do you handle complying with subpoenas for SAR information, including your case report, for complex or significant cases? Do you turn over the SAR case report?

A:  Yes, because they could probably access the SAR themselves, but we would, if they asked for the SAR form, we would provide it along with a case report.

 

Q: Do you have a suggestion on the number of transactions that would trigger using an attachment, or should you always use an attachment, even if it is just one transaction to keep it from being in the narrative?

A: Well, I guess it depends on the transaction, but if it was just one, I think I would put it in the narrative.  If it was the verbiage and the freeform text field of a wire, you could highlight that, and then just give them what they need to know to understand why this is suspicious.

Maybe if it is two transactions and it’s not cluttering up your narrative, then find a way to reflect those concisely. Because, remember, they are going to come back to you anyway for this information.

I have never had anyone from law enforcement just take what was on the SAR verbatim, and then run with it. They are going to contact you, and they are going to want to see all these details anyway. So file enough to get their attention, but three or four are probably worth doing the attachment.

I had some that were very lengthy. Especially, like in counterfeit check cases where there were sometimes hundreds of transactions.

 

Q: After filing a SAR, should we continue to make transactions for the customer?

A: That is completely at the bank’s discretion. In addition, every bank should have its own policy about what it does when a customer has had suspicious activity reported on them. Some banks have a three strikes and you are out kind of thing.  Others may say you have had a SAR filed on you; we want to close your account.

And in the case of my institution, we were a lender, predominantly with customers who had multi-million dollar revolving lines of credit that they used for their operating capital. In addition, these loans had, you know, five- or 10-year terms on them.

So our manager was not going to call a loan and say goodbye just because of something compliance has noted, it would have to be serious for them to do that. An actual indictment maybe.

The bank should have its own policy on how it addresses customers who have suspicious activity reports filed on them.

And sometimes I would think even just one might not be, that might be a little extreme. But that is just, kind of my general opinion. If it keeps happening obviously, yes.

 

Q:  For SAR reports conducted on a customer’s correspondent bank, should I include the bank in my report?

A: You would definitely want to say in your narrative that these were transactions processed for your correspondent.

 

Q: Can you provide more information on SAR committees? I have been looking and cannot find anything. Where should I look? Or, who should I reach out to?

A:  Some banks choose to have a SAR review committee. It is internal, and so, maybe, it is made up of the head of compliance, the head of audit, and the head of legal.

On a periodic basis, they look at and give the final approval to file a SAR.

I think this is more common in smaller institutions, because just from a process perspective in a larger institution, there would just be too much, it would be a full-time job for people.

And you do not want to unnecessarily delay the filing of that SAR.

Typically, the decision to file a SAR is made by a compliance team. Then these committees sort of give their blessing to it.

It is an extra internal control that I think smaller institutions probably find more useful, especially if they do not file many SARs.

Because then they would want to be more aware of what was going on.

 

Q: Should the compliance committee comment on SARs with the directors of the banks? In many cases, some customers are related in some ways to the director.

A: So that’s the confidentiality aspect of it, the need to know kind of thing. So we always took the approach that we did not let any person on the sales side, or the relationship managers, know that a SAR has been filed. There is a distinction between the knowledge that a SAR has been filed, and the knowledge that a suspicious activity has occurred. So knowing that suspicious activity has occurred is OK internally. It is just that the formal filing of the report has to remain confidential.

You don’t say that you file a SAR, but you can ask them to even help you review that activity and ask them, Does this make any sense to you? Is there some underlying reason why they’re doing this?

 

Q: A decision to escalate by monitoring analysts for further investigation to the investigation team doesn’t start the six-day clock, is that correct?

A: No, it should not. The clock for filing starts when the formal decision to file has been made. Not just the flag of suspicious activity. You may investigate it, and then, for whatever reason, decide that you are not going to file a SAR.  And it is important to keep track of those decisions as well, from a regulatory perspective.

 

Q: In an instance where an analyst has a strong reason that an account warrants a SAR based on suspicious transactions, but the BSA officer does not think a filing is justified in this instance, what do you suggest the analyst do?

A: Whoever has the final say, I guess, is what should happen. This is another reason where a case report comes in, as it is very handy because you can document the analyst’s opinion.

Then, the BSA officer’s opinion would be included as to why they did not think it was SAR worthy.

And then that record is kept where you have both opinions. And regulators come back later and want to see a sample of cases where you decided not to file a SAR. And they can see that and determine if they think that the right judgment was made.

Just documenting both people’s opinion I think, is important.

 

Q: What do you suggest regarding lengthy, unlicensed MSB cases involving many transactions? Should we just mention we identified the activity, and say information is available upon request, or should we detail each transaction in the narrative?

A: Well, you would definitely not want to detail each transaction in the narrative. This is where the attachment feature would come in helpful. And if it is like thousands of transactions, maybe just describe in your narrative that there were over one thousand transactions, and so on. We can provide these details to you upon request.

 

Q:  Because of the pandemic, is there any way to justify the delay in SAR reports?

A: I have not seen the latest, but the last FinCEN guidance I saw was, they were kind of wishy washy about it. They did not provide extra time. I would just check with FinCEN and maybe even call them if you are experiencing a legitimate reason why you need extra time.

 

Q: So as an MSB, would you file SARs on recipients in a foreign country?

A: Yes. Sure, if it was actively flowing through your institution.

 

Q: If during an investigation, what do we do if it becomes public, before we are able to report it?

A: You still report it.  In fact, it reminds me of a case I had one time where it was public information on some illegal activity of a former customer that prompted us to go back.

We went back several years and looked for anything suspicious that might have been related to that case and reported it. At the time that it occurred, it did not look suspicious. But once this case came to light, and they were talking about all these things they had done, then looking at that activity in a different light, we filed a SAR just to provide that information.

We were never contacted by law enforcement on it, but we felt that it was our responsibility to report it.

 

Q: We are a broker dealer and have numerous relationships with clearing firms. Is that relationship something that we should identify in our narrative?

A: Only if it relates to the transactions.

 

Q: How would we explain identifying an account number with the clearing firm to specifically identify the account as opposed to our internal identifying number, which corresponds to a customer, not specifically an individual account?

A: You could add, if there isn’t a place on the form, where you’re actually reflecting the account number of that customer. I would mention that number in the narrative.

 

Previous SAR Writing Q&A

 

Q: Upon writing a SAR, who is supposed to review it before filing, in the case of a large institution? The head of compliance can certainly not review them all.  What is the best practice before filing?

A: That definitely depends on the size of the institution and the size of your staff. The best practice I can give you is that at least one other person with more experience should review it.

I think every institution has to approach it based on their individual situation. Therefore, it does not always have to be the head of compliance, but at least somebody else who is knowledgeable on filing SARs.

 

Q: Here is a question around balance. How should you determine whether you should file a SAR that “may be suspicious”?

A: It would be helpful if you can present it to several people in your compliance department to see what their opinion is about whether this is really SAR-worthy or not.

In some cases, I felt that a SAR was not necessary because we had no information to provide to law enforcement. I personally felt that if we had no names, no telephone numbers, no information to provide to law enforcement, then there is no point in filing a SAR.

 

Q:  When we file a SAR, can we include multiple different subjects in the SAR? For example, if I have 10 unrelated incidents in one week should I actually be submitting 10 different SARs?

A: I guess I would expand on that question … if it were all related to say one customer, then yes; you can certainly include multiple subjects. The SAR form can accommodate an unlimited number of subjects.

However, I would consider this from a law enforcement perspective: What is it that you are trying to tell them about the case? And even though you may have multiple subjects, if it’s all related to one customer or the same flavor of activities, then you could certainly include those all in one.

 

Q: After you have created a continuous SAR and still have the same activity, do you create a new or continuous file?

A: If it is the exact same thing going on – you have the same players, you have the same nature of activity, that is when you want to check the continuing activity box. Then, in your narrative, say this is a continuing activity, summarize why this is suspicious and add the new details.

 

Q: If within the 90 days, the suspect opens a new account and conducts the same activity, would we do a continuing or a new report?

A: I would call that continuing because it is the same characterization of activity. The fact they opened a new account and started doing it out of a new account is even more suspicious.

 

Q: So if you have a continuous SAR report, should the narrative from the original SAR be included?

A: No, and that is a very good question. In your first sentence, say this is a report of continuing activity and describe that activity briefly. Have the BSA ID number, date and amount of your original SAR, so law enforcement readers can see that information.

 

Q: In the case of identity theft, what should we register for subject information, since the data is from the victim?

A: If you do not have any information, you do not list any information. In the case of fraud where your customer is the victim, you do not list your customer as a subject.

The subject section is intended to be only for participants in the illegal activity. In money laundering cases, typically, your customer is an active participant in that activity, so you would list your customer as well as any other parties.

 

Q:  Do you create case reports for unusual activity where you decide not to produce a SAR?

A: Yes. That is a very good question because it is important to document. If your alert system or something else came up that is unusual and you ultimately decide not to file a SAR, you need to document the reason why.

It could be something as simple as there is no information of value to provide to law enforcement. Sometimes a case report may not be necessary, so simply document that in your case management system.

However, if there was sufficient detail, you need to document why you chose not to file this SAR. Typically, examiners will ask you for a list of all incidents where you actually decided not to file a SAR.

 

Q: How do you keep your case reports confidential?

A: It really all comes down to good data security practices. We restricted access to our network to compliance staff only as well as our government. If we were going to provide a case report to someone outside of compliance, but within the organization, we would make that document read-only with password protection.

We sent the document through internal email only, and we provided the recipient with the document password by phone. We kept hard copies as well in a locked cabinet.

And if we had any external auditors or examiners that wanted to review the report, we typically made them read it on site in hard copy only and not take it away from our area. So we had very tight security around anything to do with SARs. And that’s really a definite best practice for any compliance group.

 

Q: Do you have any recommendations or practices for sharing actionable information with local law enforcement outside of SARs? Some local law enforcement offices do not have direct access to the FinCEN database, but we may want to inform them directly of certain situations?

A: Actually, it is a very good practice for compliance people at banks to make a connection with your local law enforcement. This would include the local field office of the FBI, or even Homeland Security. I think law enforcement does appreciate when we as compliance professionals actually reach out to them directly.

 

Q: Is there a limit on how many SARs you can write and submit especially in a closing quarter of the year?

A: You can submit as many as you need to but you want to avoid the defensive filing.

 

Q: Should the FI or listed business be notified by the law enforcement agencies that their SAR was received?

A: If you file electronically, FinCEN sends back something that acknowledges that they received it and then usually within a couple of days FinCEN sends another message that they have processed it and it has been accepted. You know it has been accepted when the BSA ID number is assigned.

 

Q: How many days should you watch a suspicious customer before creating a SAR?

A: The key date from FinCEN’s perspective is the day that you decide to file the SAR. The date that decision to file is made is when the clock starts for your filing. But depending on what kind of suspicious activity you noted with your customer, you may want to file the SAR immediately.

 

Q: If you had a suspicious activity that goes over the 90-day review, or a similar incident occurs a year later, would you reference that previous SAR that has been filed or begin a new series?

A: I still personally believe that if it is exactly the same, it is a continuing activity report even though it has been a year and that law enforcement want to know that. However, if you feel more comfortable filing it as new, then definitely state that in your narrative.

 

Q: So another question that came in was is it OK to use the form, section five, in a SAR log?

A: You can really organize these case reports however you would like to. It is not a regulatory form, it is purely an internal form, and you want to design it in a way that is most useful to you. Now we did have a previous section that was I believe the SAR narrative is section five. Then we have a separate section where we do use it as a SAR filing log.

In addition, I will say that that is incredibly helpful, especially when you are providing that report to law enforcement, because if you do include the BSA IDs for each one of the SARs, that is how agents would go and look up previous SARs or related SARs.

 

Q: So how can you tell who actually filled out the SAR?  Some forms seem to come from a corporate office, so you cannot tell which branch filed a SAR.

A: There is a place at the beginning of the SAR form where you indicate the financial institution contact. That is up to the bank or institution to decide whose name you want to provide there. That way, if law enforcement did reach out and contact that person, they would be the best person to talk to you as they were in charge of that case.

However, other banks may use a general number for compliance, or maybe the director of compliance or whatever that they prefer to do.

 

Q: Would I contact the IRS criminal investigation field office to reach the SAR review team even if the SAR being referenced is not related to any IRS fraud?

A: Absolutely, yes. IRS criminal investigation actually investigates more than just fraud and more than just tax fraud or tax evasion. They investigate structuring cases, money laundering, and all kinds of different types of activities.

In addition, because IRS is a division of the Treasury Department, which is what FinCEN is a division of, that is kind of why I believe they take the lead when it comes to SAR filings.

The SAR review teams include representatives from many other federal law enforcement agencies. So they will decide if they need to investigate or whether it is worth pursuing, then they will decide as a team who should this go to. Maybe it will be something they want to give to Homeland Security, or maybe to the Secret Service.

So, yes, the IRS, criminal investigations does a lot more than just tax fraud.

 

Q:  There is a question on the number of transactions that would trigger a SAR.  Is it just one that might trigger a SAR? Or do you need to see a pattern of transactions before you file a SAR?

A: It really does not matter as long as it is suspicious. There are some dollar amount guidelines for SAR filings, which are just guidelines. There is a $25,000 threshold and a $5,000 threshold and it has to do with whether or not a subject, or a suspect, has been identified or not.  But one transaction can certainly be SAR worthy.

 

Q: Is the person filing a SAR kept anonymous each time, and if not, are they contacted anytime during the investigation?

A: There is an assumed confidentiality surrounding SAR filings between the filing institution and law enforcement.

Really, it is the bank or institution that is filing the SAR that is kept out of public records. It is actually a federal offense to disclose that a SAR has been filed.

And so that anonymity, if you will, is protected. But as far as dealing with individuals within the institution who have prepared the SAR, work the case and so forth, there is not really any anonymity that’s needed because you’re partnering with law enforcement.

A law enforcement officer may contact you about one of your SARs because they want to work with you in the end. So you may have multiple conversations with them after you provide information. They may have some more questions. It becomes a dialog.

 

Q: What is the general rule for a local entity to share a SAR with their parent company? In addition, is there a restriction, if the parent is internationally located?

A: There would not be any international restriction that I am aware of. You want to consider things on a need-to-know kind of basis.

So, for example, you should be advising your Board of Directors of your SAR activity. But you don’t need to tell those members of the board the names of the customers, for example, on whom these SARs have been filed.

You can describe the suspicious activity and talk about it.

However, where you need to be really careful is in that indicator that a SAR has been filed.

Where the federal offense comes in is in disclosing publicly that a SAR report has been filed.

How much detail does your parent company really need to know? They probably want to know the volume and nature of the SARs you are filing, so maybe consider reporting that.

I would do a quarterly report to our board, where I would describe all the new SARs we filed on our major cases and continuing activities. But I never used any customer names. I just switch, say, customer A, customer B, and so forth.

Where I did provide customer names, though, was when our customer was a victim of fraud.

That way they would want to know when fraud occurred and what types of fraud. But on the AML side, we never revealed any customer names.

 

Q: What is a civil penalty for tipping off someone about a SAR?

A: According to FinCEN, both civil and criminal penalties may be imposed for SAR disclosure violations. So, you’re looking at up to $200,000 for each violation and criminal penalties of up to $250,000 and/or imprisonment not to exceed five years. So, I think that’s what the individual financial institutions could be liable for in civil money penalties, and they could be as much as $25,000 per day for each day that the violation continues.

 

Q:  What do you do if the person on which the SAR has been filed is a PEP?

A: If the suspect or subject is a PEP, you certainly want to highlight that in your narrative. In that very first paragraph, I would repeat their name and who they are because obviously their name is going to be shown in the subjects section of the report. But the fact that they are a PEP is not going to be unless they’re very famous.

Now, whether or not you choose to notify local law enforcement, again, depends on the nature of the case. But it is OK to notify local law enforcement. You just wouldn’t send them the SAR. You would file a SAR through FinCEN.  Then the SAR review teams are the ones who are reviewing them.

But in something I would consider to be a hot SAR, you could get in touch with IRS CI, or even call Homeland Security.

I should emphasize here, instead of going to your SAR review team, you can go directly to a law enforcement, federal law enforcement agency in your area to tell them about it.

I have even asked whether they thought something was SAR worthy or not.  I had made law enforcement contacts through networking meetings. Those are great connections to have where you can actually reach out to them and say, I have this weird situation going on, do you think this is SAR worthy?

Because in one case, it was related to the beneficial owner of our customer and I was seeing there could be potentially an immigration issue.

That’s when I reached out and contacted them and asked whether I should file a SAR because there weren’t any actual dollar transactions involved. This person could have been in the country illegally. So, we did file a SAR at their suggestion.

 

Q: What happens if the entity files a SAR which, according to the IRS regulators is not a suspicious activity? Is there some action taken on entity if they report something that is not suspicious?

A: No. Not to my knowledge. I don’t think there have ever been any particular penalties assessed.

But sometimes there’s been talk of when this comes back to data quality, which is where there’s a term called defensive filing. This is where an institution files a SAR on anything that has the remotest potential suspicion, but without investigating it.

Sometimes it may be a slap on the wrist, or a warning might come down if a regulator says I think you’re overdoing it a little bit with your SAR filings.

But as far as I know, there is no particular penalty. If you really think it’s suspicious, and then it turns out not to be, it’s not our job as AML professionals to investigate.

Our job is to look at something a little bit and say, yes this is suspicious. This doesn’t smell right to me, because of these reasons. Here’s my report, and now law enforcement makes that decision how to proceed. Are we going to investigate this? Or, No, I don’t think we’re investigating this. It’s not our job to really figure out if something illegal is actually happening.

 

 

 

Q&A from What AML Teams Need to Know about Working in the Cloud

Questions and answers from the webinar featuring Corie Murray, Software Architect at CaseWare RCM, James Poulin, Technical Operations Manager at CaseWare RCM and Ben Cheng, Cloud Solution Architect at Microsoft.

In this webinar, the trio discuss some of the myths around cloud adoption as well as real-life stories about why financial institutions moved their compliance solution to the cloud.

Q: Do I need to buy additional hardware or software to move to the cloud?

A: Murray: No, there’s absolutely no need for new hardware or software to use Alessa. However, you might have specific business requirements that warrant additional resources. For example, let’s say you’re trying to implement transaction monitoring, where you want to integrate with our APIs, to make sure that you can detect when a transaction should be blocked.

Then you might have to invest in some middleware technology if you don’t already have it. In general, I would say no. You do not need any new hardware or software.

Cheng: It is situational. So, no, especially for customers who are potentially looking to extend their on-premise network. There may be a need to acquire some of those network devices, but, again, that’s on a situational basis.

 

Q: Do I need additional IT resources to manage cloud infrastructure?

A: Murray: Absolutely not.  Our DevOps and engineering team will manage everything in the cloud for you. That’s pretty much what they do. You might require some IT help to get integration and security configurations implemented. But outside of that, we handle everything 100% on the DevOps side.

 

Q: What is the uptime of the cloud?

A: Murray: It depends on the resource, to be honest. In general, I think you’re going to see an SLA from between, 99.9 to 99.99999, and it all depends on what components you have implemented.

So, in general, though, Azure will have different SLAs for different types of components. For example, if we’re using Databricks for your analytic platform, then its SLA is 99.95.

And in general what we do is we will give you the minimum SLA out of all the resources that we use in an implementation. So we might be using VMs, we might be using APIs, or you might be using Databricks and cognitive services. So we’ll pick the lowest one. We put the SLA for the lowest one and that will be our SLA to the customer.

Cheng: The SLAs that are posted for those Azure components are actually backed by service credit. Therefore, in the event that Microsoft doesn’t meet those SLAs for those particular components, service credits are given back to the customers.

 

Q: What kind of data is stored in the cloud?

A: Murray: It differs from implementation to implementation, obviously, but for a fully hosted deployment, you will have, possibly customer data, accounts, transaction data, or any other type of line of business data would be stored in Azure.

Now, it depends on the implementation, because if you have a hybrid deployment, then you may also have a situation where all the data is stored on premises. Then it is passed to the cloud just for compute purposes.

So, you won’t necessarily have the data being in the cloud. However, it depends on the type of implementation that particular customer needs.

 

Q: What’s the process to move from on premise to the cloud?

A: Poulin:  Hopefully, as minimal as possible, but it does change a little bit from client to client.

So, there are changes in how data moves into the cloud as we leverage the Azure infrastructure in place, as well as how client connectivity occurs and how clients are connecting back to the application itself.

 

Q: What processes are done in the cloud?

A: Murray:  We have generalized processing and I’m including, continuous monitoring, which can go across pretty much any business space.

But we also have specialized processing specifically for AML, which includes things like transaction monitoring, sanctions screening, risk profiling and regulator reporting, those are the main processing that we do in Azure.

 

Q:  What kind of security features does the cloud have?

A: Poulin: It may actually be easier to answer what it doesn’t have. Leveraging the Azure platform gives us a lot of features available to ensure security. From Alessa’s perspective, we are implementing end-to-end encryption of all of our client connections. And we also use encryption on all of our infrastructure, from virtual machine to data being held. So, there’s lots available there.

Cheng: Just to add onto the security features, within Azure, we have a number of what we call first class services that are essentially just native to Azure. But in addition to that, we have a plethora of third-party offerings where Microsoft has partnered with some major security companies. So, for customers used to other types of security software, typically, you can find it within the Azure Marketplace, and if they’re more comfortable using that, they can just acquire it through the marketplace as part of their offerings.

 

Q: What about ISO certifications?

A: Poulin: So the Azure infrastructure itself, like Ben shared earlier, has the broadest certification coverage available in the cloud, which is fantastic. So we build off that, and with the Alessa application include our own ISO 27001 certification as part of that.

Cheng: Just to add on to that, we actually have a Service Trust Portal, that’s available to you.  It’s a repository that contains our latest audits or certifications across all clouds. All the certifications can be found and downloaded.

 

Q: How do I make sure they don’t lose my existing data?

A: Poulin: Good question. From Alessa’s standpoint the Alessa Cloud Ops team is responsible for deploying our applications in a fault tolerant manner. In doing that, we leverage Azure infrastructure technologies available to us like replication and backups to ensure that data isn’t lost in the event of any disasters or failures.

 

Q: If I have a branch in the U.S. and another in Canada, how is our data managed?

A: Murray: I see this one a lot. Basically, this is a typical scenario that you’ll see with our AML implementations. But to answer the question, we can replicate our assets in each region. We don’t have to move the data or we could just move the implementation to suit the needs of the customer. So, this will allow us to respect the data sovereignty requirements of the customer by applying it to the nearest available data center.

Cheng: Typically, we have at least two regions within the same country, and this is to have customers meet their data residency requirements, so that if one region does fail-over, it fails over to another region bound by the same country.

 

Q:  What is the fault tolerance of the system?

A: Murray: I get this question all the time, but the truth is, before, migrating to Azure, we would have to write a lot of code to satisfy this requirement in terms of just being able to deal with failures, whether, you know, persistent or a transient type failures. But, luckily, it’s basically built into the Azure platform.

Alessa takes full advantage of these features in terms of just making things available with high availability using geo replication.

Also, we have the ability to deploy multiple instances of each component that we use for a particular implementation. So, all of the tools are there, and we take advantage of them. So, no, this is not really a problem when you use the public cloud.

 

Q:  What about a financial institution’s customer identification program, that must now include additional legal entity screening capability with regard to beneficial owners and control persons. This is a question around integration of data.

A: Murray: Normally, what would happen is that if we have to integrate a particular customer with the screening and APIs, we would have a workshop where we kind of work through what, exactly you’re trying to do.

We will explain to you, how we think things will work, touch on all the different data points that you’re trying to integrate, and come up with a plan. So, part of going to the cloud is that we can react to the different requirements, different customers. So, it’s not that it’s never going to be a one size fits all, but we have the ability to react quickly and get you to where you need to be.

Note: Alessa is also integrated with a number of third-party list providers, our risk intelligence provider, companies like World Check.

 

Q: Will I have to set up my own Azure account for Alessa to work?

A: Murray: No, you would not. So, that’s where our DevOps teams come in. We would set up the infrastructure.

At the end of the day, we will give you a URL or a connection string to upload data if that’s a requirement. Or we’ll give you the API URL, so that you can make calls out to that API to get a response about sanctions screening, or transaction monitoring, or something like that. So, you absolutely do not need any DevOps experience or anything like that to be able to implement the Alessa platform.

It takes some of the IT infrastructure work off your hands and passes it on to us, as well as the Microsoft team.

 

Q: Should a SOC 2 report be provided before usage?

A: Cheng: That’s one of the reports that I mentioned is available in the Service Trust Portal for all the underlying components within Azure.

 

Q: Have third parties conducted application validation of services on the cloud?

A: Murray: More than one organization or one provider does assessments on whatever we offer.

And this is a part of our business strategy. So we often make sure that we can provide our customers with the guarantee that their information and their environment is secure, and that we’re taking steps to make sure that it remains that way.

So we do have a policy that says we have to do things to get the environment assessed and report it to our customers on a periodic basis.

Cheng:  We actually have tools that help customers like CaseWare RCM track that and monitor it and make sure everything is compliant.

But based on what compliance needs you’re targeting, it would actually adhere to and keep tracking and monitoring and eventually signal when compliance is met or not met. So it gives customers the sort of line of sight to make sure that the compliance is at the highest level.

 

Q: The next question I have is really around security, and specifically, cyber security. What is the risk of a business being subjected to ransomware attacks?

A: Poulin: Unfortunately, in today’s day and age, that’s something that is there all the time. Our responsibility is to make sure that we protect against that risk within all of our deployments.

So, there’s a lot of different ways that we do that. And one of those ways is the replication and backups, to ensure that we have something to fall back to and maintaining encryption across all the channels we use. And then really stringent security policy on what is allowed in and out of our services to really minimize those attacks.

 

 

What AML Teams Need to Know about Working in the Cloud

With the advent of COVID-19, more AML compliance teams are looking at how they can leverage the cloud for better access to data and compliance systems, as well as increased fraud detection capabilities.

In this webinar, Ben Cheng, Cloud Solution Architect at Microsoft, Corie Murray, Software Architect at CaseWare RCM, and James Poulin, Technical Operations Manager at CaseWare RCM bust some of the myths around cloud adoption as well as share real-life stories of why financial institutions moved their compliance solution to the cloud.

Topics covered during the webinar include:

  • Answers to your questions around data location, security and privacy
  • How cloud deployments improve sanctions screening and transaction monitoring processes
  • The role of cloud in suspicious activity and fraud detection (think AI!)
  • Steps for the most efficient migration to the cloud
  • Answers to your AML compliance and Microsoft Azure questions

Tips for Testing Your Sanctions and Watch List Screening Software

As part of an effective Financial Crime Compliance (FCC) program, banks and other financial institutions (FIs) need to have a sanctions and watch list screening solution in place to assist with the identification of sanctioned individuals and organizations (entities).

For those FIs that have had a screening program in place for many years or for those looking to implement a new one, it is important to test its effectiveness during the initial implementation, as well as periodically.

What does testing a sanctions and watch list screening solution entail? In this white paper we review key areas that every financial institution should review to ensure that their sanctions screening software is working at its best.