AML Guidance From FIUs During COVID-19

Posted April 15. Updated July 10: FinCEN issues advisory

 

Financial intelligence units (FIUs) have responded to the current pandemic with warnings about an increase in COVID-19-related crime or guidance to help AML compliance teams focus their priorities to keep business flowing.

Although each has specific roles to play, most agencies have issued similar notices calling for businesses to concentrate on the basics to combat illicit financing and maintain AML obligations during the coronavirus pandemic.

In the U.S., the Financial Crimes Enforcement Network (FinCEN) issued a notice on April 3 cautioning that the situation is fluid. FinCEN said banks should check back regularly for updates to help comply with the American Bank Secrecy Act (BSA) and the Coronavirus Aid, Relief, and Economic Security Act (CARES Act).

“Compliance with the Bank Secrecy Act (BSA) remains crucial to protecting our national security by combating money laundering and related crimes, including terrorism and its financing,” FinCEN said in a statement.

“FinCEN expects financial institutions to continue following a risk-based approach, and to diligently adhere to their BSA obligations.”

 

Regulatory relief from FinCEN

 

The FinCEN BSA notice provides some relief to BSA compliance. One of the changes allows exempting from beneficial ownership requirements any new loans extended to existing customers under the CARES Act Paycheck Protection Program (PPP).

“If the PPP loan is being made to an existing customer and the necessary information was previously verified, you do not need to re-verify the information,” FinCEN said in a statement on April 13.

Meanwhile, FinCEN has created a COVID-19-specific online contact mechanism, via a specific drop-down category, for financial institutions to communicate to FinCEN any COVID-19-related concerns while adhering to their BSA obligations.

FinCEN is also relaxing Currency Transaction Report (CTR) filing obligations during the pandemic.

“FinCEN will issue further information on these types of CTR filings at an appropriate time with reasonable implementation periods.”

 

FinCEN issues red flags

 

FinCEN issued an advisory May 18th to alert financial institutions to rising medical scams related to the COVID-19 pandemic. This advisory contains red flags, descriptions of COVID-19-related medical scams, case studies, and information on reporting suspicious activity.

BSA data, as well as information from other federal agencies, foreign government partners, and public sources indicate possible illicit activities related to the COVID-19 pandemic regarding fraudulent cures, tests, vaccines, and services; non-delivery scams; and price gouging and hoarding of medical-related items, such as face masks and hand sanitizer.

Red flags include:

  • The merchant is requesting payments that are unusual for the type of transaction or unusual for the industry’s pattern of behavior. For example, the merchant requires a pre-paid card, the use of a money services business, convertible virtual currency, or that the buyer send funds via an electronic funds transfer to a high-risk jurisdiction.
  • Financial institutions might detect patterns of high chargebacks and return rates in their customer’s accounts.
  • The merchant does not appear to have a lengthy corporate history, lacks physical presence or address, or lacks an Employer Identification Number. Additionally, if the merchant has an address, there are noticeable discrepancies between the address and a public record search for the company or the street address. Searches in corporate databases reveal that the merchant’s listing contains a vague or inappropriate company name, multiple unrelated names, a suspicious number of name variations, multiple “doing business as” (DBA) names, or does not align with its business model.
  • The merchant claims several last minute and suspicious delays in shipment or receipt of goods. For example, the merchant claims that the equipment was seized at port or by authorities, that customs has not released the shipment, or that the shipment is delayed on a vessel and cannot provide any additional information about the vessel to the customer or their financial institution.
  • Domestic or foreign governments have identified the merchant or its owners as being associated with fraudulent and criminal activities.
  • A newly opened account receives a large wire transaction that the account holder failed to mention during the account opening process.

For more red flags, read the medical scam advisory here.

Read the reference notice here.

FinCEN advisory on scams

The Financial Crimes Enforcement Network (FinCEN) issued a new advisory July 7 to alert financial institutions to potential indicators of imposter scams and money mule schemes, which are prevalent during the COVID-19 pandemic.

FinCEN’s advisory contains descriptions of the schemes, financial red flag indicators for both, and information on reporting suspicious activity.

In imposter scams, criminals impersonate organizations such as governments or charities to offer services or otherwise defraud consumers.

Money mule schemes can involve either unwitting money mules or people who are complicit in illegal activities.

Read the full advisory here.

OFAC to consider pandemic effect on enforcement

 

The U.S. Treasury Department says it will consider the effects of the pandemic on the ability of companies to comply with sanctions as it evaluates possible enforcement actions.

The Treasury’s Office of Foreign Assets Control (OFAC) issued a notice April 20 acknowledging that some companies may need to temporarily reassign sanctions compliance resources due to the pandemic.

The reallocation of those resources could weaken a company’s sanctions compliance efforts, such as its ability to vet business partners or customers and conduct in-person audits.

OFAC has encouraged FIs to tell the agency about pandemic-related compliance concerns, including delays in meeting deadlines.  OFAC said it would evaluate resource issues on a case-by-case basis, but noted companies and individuals are still expected to meet their regulatory requirements.

“This includes requirements related to filing blocking and reject reports within 10 business days as required … and responses to administrative subpoenas, … reports required by general or specific licenses, or any other required reports or submissions,” OFAC stated.

 

Canadian regulator sets up email hotline

 

Canadian regulator FINTRAC issued guidance saying reporting entities are expected to meet all of their obligations, including those in relation to reporting.

“However, FINTRAC understands that some reporting entities may find themselves in a situation where they are required to reassign and reprioritize their internal resources in response to COVID-19, which may affect their ability to meet certain obligations,” they said in a statement.

FINTRAC said when it comes to reporting, priority should be given to submitting suspicious transaction reports (STRs). In exceptional circumstances, such as terrorist financing, FINTRAC has published a new email hotline where reporting entities can reach out and have an analyst contact them immediately.

FINTRAC has updated its guidance on What is a suspicious transaction report? and Reporting suspicious transactions to FINTRAC. The update includes amendments to the Proceeds of Crime (Money Laundering) and Terrorist Financing Regulations that come into force June 1, 2020 and the feedback FINTRAC received from businesses.

The change to the regulations concerns the timeline to submit a Suspicious Transaction Report (STR). Businesses now have 30 days to report a suspicious transaction from the day they detect something that makes them suspect it. As of June 1, they will need to submit a report as soon as practicable after they have completed the measures that allow them to establish reasonable grounds to suspect a suspicious transaction.

The change should not significantly alter businesses’ current practices leading to the submission of suspicious transaction reports, FINTRAC said.

 

Europe calls for financial safeguards

 

Meanwhile, the European Banking Authority issued a statement saying it is important to safeguard the integrity of financial markets as a shared objective of the EU’s anti-money laundering and countering the financing of terrorism (AML/CFT) frameworks.

“It remains important to continue to put in place and maintain effective systems and controls to ensure that the EU’s financial system is not abused for money laundering or terrorist financing (ML/TF) purposes,” EBA said in a statement March 31.

It called on financial institutions to ensure the following:

  • Making clear that financial crime remains unacceptable, even in times of crisis such as the COVID-19 outbreak;
  • Continuing to share information on emerging ML/TF risks and setting clear expectations of the steps credit and financial institutions should take to mitigate those risks; and
  • Considering how to adapt the use of their supervisory tools temporarily to ensure ongoing compliance by credit and financial institutions with their AML/CFT obligations.

 

UK financial services firms get COVID reprieve

 

The Financial Conduct Authority (FCA) is giving financial services firms in the UK an additional six months to implement strong customer authentication (SCA) for e-commerce. This is to reduce disruption to consumers and merchants due to the COVID crisis.

Firms are required to take all necessary steps to comply with the revised detailed phased implementation plan and critical path to avoid the risk of enforcement action.

FCA said it expects UK Finance, as coordinator for the industry, to discuss the detailed phased implementation plan soon. In the meantime, the regulator says firms should continue with the necessary preparatory activities such as robust end-to-end testing.

The new timeline of September 14, 2021 replaces the March 14, 2021 date.

 

FATF says fraud schemes on the rise

 

The Financial Action Task Force (FATF), the global money laundering and terrorist financing watchdog, warned April 1 that fraudulent schemes are on the rise and that financial institutions need to ensure due diligence procedures are followed, in particular because in-person banking has been shifting to online banking.

“Use of financial technology (Fintech) provides significant opportunities to manage some of the issues presented by COVID-19. In line with the FATF Standards, the FATF encourages the use of technology, including Fintech, Regtech and Suptech to the fullest extent possible,” FATF president Xiangmin Liu said in a statement.

In addition, the International Monetary Fund (IMF) came out with additional bad news on April 14, warning of a major recession that will affect the world economy. They are predicting the worst year since the Depression.

In May, FATF issued a new paper in response to an increase in COVID-19 related crimes, including fraud, cybercrime, misuse of government funds and international financial aid.

The FATF said COVID-19 and the new remote methods of working create new sources and methods of finding funds for criminals. At the same time, it is hurting the ability of governments and the private sector to fulfil their AML/CFT obligations.

This could create new risks and ways to bypass customer due diligence measures, FATF said.

The FATF said criminals use the unregulated financial sector to launder illicit funds and exploit financial aid and emergency funding. The organization is also concerned that COVID-19 and the global economic downturn could see a move to new cash-intensive businesses in developing countries.

The paper describes the ways in which AML/CFT policy responses can help support the swift and effective implementation of measures to respond to COVID-19.

 

Australia offers pointers for KYC and fraud

 

Australia issued guidance for dealing with customers at a time when face-to-face procedures are not always available.

“We recognize that some ‘know your customer’ processes cannot be used,” AUSTRAC said in a statement.

The AML/CTF Rules support flexible KYC processes and procedures, it said. AUSTRAC said other ways that you could verify your customers’ identity and fulfil your KYC requirements include:

  • using alternative proof of identity processes
  • using electronic copies (scans or photographs) of reliable and independent documentation, in accordance with your AML/CTF program, to verify the identity of individual customers or companies
  • relying on disclosure certificates to verify certain types of information about customers who are not individuals, where measures put in place by industry as part of their response to the COVID-19 pandemic mean that such information is not otherwise reasonably available from other sources

The Australian FIU stated that if institutions choose to verify a customer’s identity using these options, they should still apply the risk-based systems and controls in their AML/CTF program.

AUSTRAC also encouraged FIs to monitor for new and emerging threats and submit suspicious matter reports (SMRs).

The FIU has also identified areas of criminal exploitation where the financial system may be more vulnerable during the COVID-19 pandemic:

  • Targeting of government assistance programs through fraudulent applications and phishing scams.
  • Movement of large amounts of cash following the purchase or sale of illegal or stockpiled goods.
  • Out-of-character purchases of precious metals and gold bullion.
  • Exploitation of workers or trafficking of vulnerable persons in the community.
  • An increase in the risk of online child exploitation following restrictions on travel.
  • A rise in extremist views either against members of the community or the government.

Movement on Beneficial Ownership

 

While FIUs are busy with COVID-19 related issues, countries are pressing ahead with regulations for shining a light on ultimate beneficial ownership.

In Europe, there has been some movement on implementing AMLD5 – the latest directive for anti-money laundering.

The Dutch lower house of Parliament accepted in April a bill for consideration to implement the EU directive on the ultimate beneficial owner (UBO) register.

The bill in the Netherlands includes measures to oblige companies and legal entities to register their beneficial owners; and require specified beneficial owner details, including the nature and extent of the beneficial owner’s economic interest.

At the end of March, Luxembourg brought in its law to implement the EU directive to enhance the beneficial ownership registry.

 

US to push ahead on BO Registry

 

Turning to North America, CaseWare RCM has learned that officials in the U.S. are confident the delays due to COVID will not prevent legislation from passing before the November elections.

“The bill has strong bipartisan support in the Senate, as it did in the House,” an insider connected to the legislation told CaseWare RCM. “Before the coronavirus pandemic, the bill was expected to be considered in the Senate Banking Committee and once … we return to regular order in the Congress, we will be able to get the Corporate Transparency Act through the Senate.”

Canada is still a long way away from a central registry for beneficial ownership, but the province of British Columbia has a new registry available online to allow for searches of ultimate beneficial owners of property.

However, the COVID crisis has caused the province to delay its full beneficial ownership transparency register until October 1, 2020. Previously, the register was to come into effect on May 1.

 


 

Latest News from FinCEN

Keep on top of the latest advisories and guidance from FinCEN. This blog will be updated with any new information from the regulator as it becomes available.

July 7, 2020 Advisory

The Financial Crimes Enforcement Network (FinCEN) issued a new advisory July 7 to alert financial institutions to potential indicators of imposter scams and money mule schemes, which are prevalent during the COVID-19 pandemic.

FinCEN’s advisory contains descriptions of the schemes, financial red flag indicators for both, and information on reporting suspicious activity.

In imposter scams, criminals impersonate organizations such as governments or charities to offer services or otherwise defraud consumers.

Money mule schemes can involve either unwitting money mules or people who are complicit in illegal activities.

The full advisory is intended to aid financial institutions in detecting, preventing, and reporting potential COVID-19-related criminal activity.

This advisory is based on FinCEN’s analysis of COVID-19-related information obtained from Bank Secrecy Act (BSA) data, open source reporting, and law enforcement partners.

Read full July 13 2020 advisory here.

May 18, 2020 Advisory

 

FinCEN issued an advisory that contains red flags, descriptions of COVID-19-related medical scams, case studies, and information on reporting suspicious activity.

Bank Secrecy Act (BSA) data, as well as information from other federal agencies, foreign government partners, and public sources indicate possible illicit activities related to the coronavirus pandemic regarding fraudulent cures, tests, vaccines, and services; non-delivery scams; and price gouging and hoarding of medical-related items, such as face masks and hand sanitizer.

Some of these red flags are common indicators of fraudulent merchant activity committed by shell or fraudulent retail or wholesale business operators. Additionally, some of the red flag indicators outlined below may apply to multiple COVID-19-related fraudulent activities.

 

SAR filing instructions

FinCEN also addressed some changes it has seen in SAR filings in light of the COVID-19 pandemic.

“Some financial institutions have added COVID-19 statements to their disclaimers or are using SAR narratives to address COVID-19’s impact on their SAR filing abilities.”

Financial institutions should not include in the SAR narrative their challenges during the pandemic; the SAR narrative should include COVID-19 when it is tied to suspicious activity only.

FinCEN goes on to say that filers who have already included references to COVID-19 in matters not related to the pandemic do not need to file corrected reports.

Read full May 18, 2020 advisory here.

 

Q&A: Understanding Wire Transfers and their Money Laundering and Fraud Risks

Questions and answers from the webinar Understanding Wire Transfers and their Money Laundering and Fraud Risks featuring Laurie Kelly.

Laurie is an expert in the field with a 35-year career spanning the fields of accounting, finance, risk management, and regulatory compliance. Most recently, she served as the Director of Compliance for CoBank ACB, a $136B Farm Credit System institution, where she developed and managed the bank’s anti-money laundering, fraud, and economic sanctions compliance programs.

 

Q:  You discussed the differences between wire funds and ACH, can you summarize how risks vary between the two?

A: In terms of money laundering risks, I think wire transfers present a greater money laundering risk because they are more effective and they are more popular with money launderers for the reasons I talked about. Not to say that ACH could not be used in money laundering or fraud because I have seen it used in both, but it takes more effort to set up an ACH batch and get it into the payment processing network and then there is the timing involved.

One thing I have always felt though is ACH is constantly competing with wire transfers – they want to take over the whole payments industry, so when same-day ACH came out, that was the big concern of many AML professionals because now you have eliminated the factor that made wires more desirable as well because wires were same day, ACH was, at a minimum next day.

And the fact that ACHs have more controls in them – they are not irrevocable, per se. That makes them less amenable to money laundering, but I would say they are popular with fraud. Frequently we would see fraudulent ACH debits where a customer’s account would be debited fraudulently.

Oftentimes it was people who got a hold of their number. All you need is that account number which is on the checks that they issue. You already have all that information, so sometimes somebody would, say, be behind on their Visa bill or their phone bill and they would go in an online banking payment application and they would put in a customer’s account number as theirs – and then the phone company would tap our customer’s account to pay that person’s bill. Now it is going to be caught, obviously, but it gives them another month before that happens. ACH is used more for fraud; wire transfer is more for money laundering.

 

Q: Is a wire transfer considered an EFT for regulatory purposes?

A: It is one type of EFT.

 

Q: If a bank is a Fed member, they can use Fed wire, correct?

A: There are different levels of Fed membership. Every bank needs to be a member of the Fed if they are going to clear checks, clear ACH and if they choose to, to use Fed wire.

 

Q: So if they are not Fed member, they can still use Fed wire by going through a correspondent bank, right?

A: Right. So they can still get their customer’s wire transfer processed, it is just someone else has to help them, another bank has to help them by putting it into the system for them.

 

Q: If a bank uses a correspondent, should we ask their frequency of settlement with the correspondent, or is it always monthly?

A: That really depends on the correspondent relationship and agreement that has been established between the two banks. And I have seen anywhere from weekly or even daily settlement.

It just depends on probably as well the risk assessment that the bank that is providing the correspondent services to the bank that does not have that wire access, for instance, what is their risk assessment of that bank.

So, if they consider them a little bit more risky, they may say, we want you to settle up with us once a week or twice a month or something like that.

It just all depends on that specific relationship that’s been established with that correspondent.

 

Q: CHIPS – is it like an escrow in a way that it settles accounts?

A: I would not really call it escrow. All the banks enter their transactions during the day and it’s beginning of the day and the system sort of queues them all up and starts netting them.

As they initiate more outgoing payments to other banks and the system, the system is going to take down that credit balance and increase the credit balance of the other banks.

And then at the end of the day, we have closed off wires for today. Let us look at where every bank’s position is and if one bank is in the hole, then they have to bring that money in. They could use some of their security deposits. And if that is not enough to cover it, then they need to go to Fed or into CHIPS to cover the rest of it. Or if they don’t do that, then they have to say they still owe one bank still a certain amount.

And then at the end of the day, they say, OK, let’s settle up.

 

Q: Can banks only have one single correspondent bank?

A: I suppose so.  If they are doing global transfers, they would need relationships in different countries with different banks.

 

Q: If each bank has a responsibility to adhere to the travel rule, how do you avoid having the information stripped in the process?

A: So the responsibility to populate the wire transfer with all of the travel rule required information is on the originator bank.

The receiving bank has no responsibility to say if something is missing, go back to the originator bank and say, you left off the originator’s address or something like that.

That is not their responsibility. The receiving bank is only supposed to just keep a record of what information they got from the originating bank.

 

Q: What kind of transaction testing would you recommend for BSA examinations? A financial institution, when reviewing wire fund transfers beyond reviewing the policies?

A: You could do a sample that would definitely be something you would want to do as a random sample of outgoing and incoming wire transfers. Especially, on the outgoing side, looking to see if the bank is complying with the travel rule and what fields they are populating.

Then, on the incoming side, looking at how they are processing and what their process is. Are they posting appropriately or are they OFAC screening? Many different things that they could certainly examine.

So ensure travel rule compliance on outgoing wires, then on incoming wires it is the posting processes, and on both sides OFAC screening and any other sanctions screening that you would need to do.

Whether you could even get into the verification processes that are taking place. So if it was a freeform wire transfer, meaning not based on a template or a process is followed to ensure two-step verification on that transaction.

And what are the processes around customers creating new wire transfer templates, and is there a two-step verification process around that as well.

 

Q: Should financial institutions still complete an OFAC check on domestic customers when receiving and or sending a wire transfer?

A: Well, if it is your customer, best practices suggest you should be screening your customer base on a regular basis, so that way you already know whether or not your customer is a sanctioned party or not. Even if they are a U.S. party.

I think that’s just safe to assume you should be screening the beneficiary on an outgoing wire, if it’s an incoming wire to your customer, again, you should already be screening your customer both during onboarding as part of the CIP, but then on an ongoing basis.

 

Q: Is the original bank the only bank that conducts a KYC review of the customer, or do all related banks in the transaction conduct KYC reviews on the originator?

A: No, it would just be the originating bank that would be the customer’s bank.

 

Q: If the other banks do not conduct KYC reviews on the originator, how do these banks know that they are not sustaining an illegal activity?

A: They would need to look at it from the perspective of their customer who is receiving it.

In other words, is it suspicious on the receiving end? Is this an unusual payment that your customer has never received before? Is it a wire transfer from Latvia? Each bank has that responsibility on their side and should be monitoring the activity of their customers.

 

Q:  What do you say to a financial institution that does not include a very good description narrative for the purpose of the wire?

A: That is always a struggle. Because per the travel rule, that is optional. If the customer doesn’t give you anything to put in that field, or gives you something cryptic, it’s not your obligation under the travel rule to go back to the customer and say this doesn’t make sense, or, give me something to put in that field, because it’s only if the originator provides you with that information do you have to include it.

It is something that comes back to customer education. So when customers understand why it is important to include that information, especially all the beneficiary information, their address, and so forth. Then putting additional things into the freeform text fields about what the purpose of this is, such as invoice numbers. Anything that can help the recipient of that transaction understand what you are paying them.

 

Q: Would you raise any red flags if it does not contain good descriptive information if it is common practice at the bank?

A: Not necessarily, no, because again, that is driven by the originator. So, for example, if I know customers who are routinely paying the same entity by wire transfer on a regular basis, they don’t necessarily need to put anything in that explanatory field.

I have mentioned, several times, wire transfer templates. They are more common on the commercial side, where it’s basically if you have a repeating wire transfer that you’re going to make to a particular business or other entity, you can actually set up all the wire instructions, including the bank, the beneficiary, all the address information, anything you want to put in that field.

Then the only thing you need when you go to initiate the transaction is the dollar amount. So that way, you do not need to do that two-step verification. They can simply pull up the template and change the dollar amounts, or whatever they need to pay that other party on that day, and then a two-step confirmation of that. The legitimacy of that transaction does not need to happen because everything is set in stone other than the amount.

 

Q: When you process a wire in a correspondent relationship, is it valid to request a copy of the KYC information of the customer sending and receiving the transactions since this is not my customer and I don’t know them?

A: That is a good question and it speaks to the risks involved in correspondent banking, especially foreign correspondent banking, which has a section of the Patriot Act entirely devoted to it.

So, you have a risk when you are the correspondent because you are processing transactions on behalf of somebody else’s customer, another bank’s customer. How do you detect suspicious activity? How do you know that enough vetting has been performed on that customer?

So I guess, depending on how, again, this is a risk-based approach that each financial institution that is a correspondent bank would need to make.

Banks want to know all about their anti-money laundering programs. There are detailed questionnaires and documentation that each bank wants to know about the other bank to do. Do they have a robust AML program in place? Banks will rely on that information in order to not have to look at the KYC of every single customer that they are processing a transaction for.

 

Q: What questions would you ask an FI if there are many return wires, whether from a single customer or multiple customers?

A: I guess they are looking to maybe understand maybe what their process is because if they have to be returned, then there is something inaccurate on the message itself.

It could be the wrong account number. It could be that they are leaving off information that does not allow that receiving bank to be able to automatically process that transaction all the way through to the customer’s account.

 

Q: Is a Post Office box address considered a valid address?

A: Actually, it is. A lot of debate about that over the years, back and forth. Nowadays, it is generally accepted that a P.O. Box is OK. Often you may have with your customers a mailing address and a physical address. You should probably have both those records. When we would pre-populate our customer’s name and address on an outgoing wire in the originator fields, we would pull from their physical address record, not their mailing address.

So that way we were closer to ensuring that we avoided the P.O. Box as much as possible, but that’s not always possible.

 

Q: Do you request a source of funds from the originator?

A: Usually the source of funds is their account. I suppose an MSB might be if someone brings in cash and wants to send a wire using that cash. That is again, another risk-based question. Do you know this customer already? Is this transaction unusual for that customer? If so, then you may ask, what is the source of funds? They do not necessarily have to tell you, but you could certainly ask if there are other suspicious elements to the transaction of any kind.

 

Q: What happens if many incoming wires are coming with no originator account number?

A: That could be something that the receiving institution may want to have a conversation with the sending institution. There is a possibility that one particular type of institution is doing a lot of non-customer wire transfers, especially with large unbanked populations. Then they may not be providing anything. They do not have an account number because they do not have an account.

Even if they do not have an account in that originator identification field, they should have something, such as a driver’s license or some other form of identification.

 

Q: Do you request professional or nature business for the sender and detailed information on the major shareholders owning 10% or more relationship between sender recipients as documentary evidence of the sender’s source of funds?

A: Not typically, at least not in my practice or my history because we have already done that KYC on our customer. Now that’s not to say that, we do our initial KYC and establish a risk rating for our customer and, then, once we see their transaction activity over time, if there’s odd stuff going on, we may actually pursue that information with them to get more details from them. And in other words, enhanced due diligence.

 

Q: What is the IBAN number versus a SWIFT code?

A: So an IBAN number is like an account number. It’s a very long number, I think it is like 36 numbers and letters and that is used in Europe, predominantly to identify any recipient of funds. So it is as a way of identifying the person and the account number. And the institution where that account number resides all in one big long number whereas the SWIFT BIC is the identification of the financial institution in the SWIFT system.

 

Q: Is the purpose of transaction not mandatory for fed wire transfer? And if not mandatory, can the fund be returned?

A: To my knowledge, no, it is not mandatory. The Fed is not looking for that field, the purpose of the wire, to be completed. I have never been requested to provide that. And also from the travel rule perspective, it does not have to be provided unless your originator gives it to you.

 

Q: So, if not mandatory, can the funds be returned?

A:  I don’t think so. The only reason that a bank would want to return funds is if they could not post it in some way. And then you get into sanctions issues as well if they are rejecting a wire transfer if it had an OFAC match on it that they consider to be legitimate, but that’s outside of this subject.

 

Q: Will you provide some guidelines on OFAC screening on wire transfers? For example, is it required to OFAC screen domestic banks?

A: There are no regulatory requirements for screening. There is no regulatory requirement that you screen anything, and so, that’s why it becomes a risk-based approach. Therefore, OFAC describes screening as a tool that you can use to make sure that you comply with the economic sanctions. So, it’s screening as a tool, you decide how you want to use that tool to protect yourself, and make sure that you are complying with the sanctions, so that there is no legal requirement.

That, being said, in my opinion, you should be screening the banks because there are banks that are sanctioned parties. I know the OFAC screening tool we used had sort of added-value lists that had major banks in sanctioned countries, for example. So those would be flagged so we could take a look at it more closely.

So, my opinion, absolutely, you should be including banks in your screening process.

 

Q: If a U.S. bank has a foreign branch and others in another country and it is the originator bank for a wire transfer from an OFAC standard, is it required to OFAC screen the Foreign Branch?

A: We saw a number of years ago where a bank was doing something called payments stripping, where they were getting a SWIFT payment message from their counterpart banks in Iran that included names of sanctioned parties that were bringing funds to the U.S.

And they had people modifying the SWIFT payment message before it went to their U.S. branch to take out the sanctioned parties so that their U.S. branch wouldn’t flag anything from an OFAC perspective.

So I think absolutely you should be screening anything that comes to you.

 

Q: Is it true to say that all U.S. dollar transactions have to transit the fed wire system?

Even if SWIFT is being used?

A: No, they would not have to. So they can either be through CHIPS where those 50 or so banks that are members of CHIPS are basically processing transactions amongst themselves all within the system.

And then, if you are a member of SWIFT in the U.S. and you have correspondent relationships with banks in foreign countries, through SWIFT, you can absolutely do your foreign wire transfers that way and bypass the Fed completely.

 

Q: If an outgoing wire receipt and the transaction does not make sense with the customer profile, at what point do you reach out to the customer for clarification? And if it does not satisfy the response or continued behavior, at what point do you reject a payment?

A: My opinion is unless there is a legal reason, like an OFAC match or some other sanctions match that requires you to block an outgoing payment, you have to let it go. And that is when you file a suspicious activity report (SAR).

Now there could be in this scenario that your customer may be being defrauded. And so then you want to talk to them and try to convince them that they need to make sure, and corroborate with somebody else that this is a legitimate transaction.

Now if it isn’t flagged by your fraud monitoring system, but it comes up later as suspicious activity from a money laundering perspective, then you have to decide when you’re looking at that and looking at the alert and actual payment or looking more closely at that wire transfer and deciding whether this is something you should approach your customer about.

Like in the example I gave with the Sony home theater system that was just so bizarre that we asked our customer about it. They could clearly see the Latvian bank and the Sony theatre system explanation.

So at that point, we said, OK, time to file a SAR and not even push it any further with the customer. Because we don’t want to take that risk of tipping them off.

What ended up happening with that customer was the kickoff to a pattern that we started to see with wires coming from these shell companies in different countries all through banks and one of the two major banks in Latvia.

And, when we finally approached the customer about this activity, we asked them about a couple of other ones. We asked them in the same way as we did the first wire about the Sony home theater system. We asked them what is the business purpose of this? And then, after a couple of inquiries, what we started noticing was they were still getting payments from all these shell companies, but the explanation for the purpose of the payment on the wire had changed.

And all of them said the exact same thing “for fruits and vegetables.”

It’s like you could just picture somebody picking up the phone and saying, hey, you guys quit using all these funny explanations, you have to just say it’s for fruit. We had kind of a laugh about that, but they obviously changed their behavior for some reason, and we could observe that, and obviously, report it.

 

Q: So, if the wire was conducted on the fraudulently opened account, using an identity theft victim’s information, is this still reported? The victim had never authorized the use of his information. And so the follow-up is, if you report it, wouldn’t it be misleading, as we would be reporting using the victims themselves?

A: What we would do on all of our SARs that related to fraud that had been perpetrated against our customer, is that you do not list the customer anywhere as a subject on the SAR. You can describe it in the narrative. But the only subject on the SAR would be if we had any details about somebody involved in the fraud.

So let’s say they were fooled into sending a fraudulent wire transfer to some third party. The subjects on our SAR would be that third party.

If it were a fraud instance where we had no information about the sender, then we would just check that box on the side that said: no subject information.

But with a wire, you usually have somebody’s name that this money is going to or coming from, so that’s what goes on the SAR, and you leave your customer out of it.

And you just explain in your narrative that this was your customer who was impacted by this. So that’s what you would do in that particular case. And you would report it because law enforcement again needs to know about these instances. That is the whole purpose of SARs is to let law enforcement know what is going on.

And so for that same wire transfer, the person getting the money could be getting this from banks all over the place through other victims. And so that name, if it’s used in the subject field on the SAR, is going to pop up in our database with FinCEN.

 

Q: How do you handle PEP wires?

A: So, that really is a know-your-customer issue. So if your customer is a PEP you could look at that from both directions. So what wire transfers are they doing, that goes into what is your monitoring process for that individual.

What do you know is normal activity and expected activity for that particular PEP customer? And then what would be out of pattern?

In other words, PEPs are just red flags. So a customer getting a wire transfer from Maduro in Venezuela would probably raise a big red flag. Why are they getting money from this individual?

So, it becomes out of pattern activity. And then, you would do some due diligence to figure out why. But it’s not something that you unnecessarily block; you could certainly report it if it ended up being suspicious.

 

Q: Would the quantity, like how much is being sent, be a consideration?

A:  It can, or it can’t. Actually, in the majority of my SAR cases, the dollar amounts of the wire transfers were rarely over $100,000 at a time.

And I think that’s deliberate, because you would just assume that a huge $1-million wire transfer is going to raise a lot of red flags just because of the dollar amount. But something from $10,000, $25,000, $50,000, that establishes a sort of ordinary pattern. And again, it depends on the customer.

If we’re talking about a consumer account that may be because any wire transfer could be potentially suspicious, but on a business account, it may be they’re looking to establish a pattern. If they’re laundering money, what we did see, way back when we had that we initially at my bank experienced our customers were getting malware where the fraudster could actually come in secretly and stay online.

In the online banking system, for example, even if the customer thought that they had logged out; the fraudster was still in the system and could look at everything that they had done. They look at what’s a normal wire transfer for them dollar wise.

And then they started initiating wire transfers of those similar dollar amounts to see if they could get away with that. So, monitoring systems wouldn’t necessarily pick it up.

 

Q:  Can a person remit funds with an ABA for one institution and a SWIFT code for another in the same transaction?

A: So say both are U.S. banks, and you’re using fed wire and you try to use the routing number of your bank as the sender. And for the receiver, you try to use their SWIFT code that you still need to populate that receiver depository institution, fed routing number, the Fed cannot process a wire transfer without that sender DI, and receiver DIs Fed Account, fed routing number.

So they’re going to kick it back if it doesn’t have those two fields populated.

But the beneficiary bank could certainly be a SWIFT number because really, what the Fed is looking for, mostly, are those two, the sender DI and the receiver DI, because that’s how they’re going to post the transaction.

 

Q: Is the beneficiary date of birth and place of birth necessary to be on the wire transfer template?

A: Not in the United States. I’ve seen thousands of incoming wire transfers from other countries where that information is always provided in the OBI field.  I’m thinking that it probably is required in many other countries.

A large proportion of these were in Asia, India, Asia, and sometimes the Middle East, but not very much from Europe. So, it could just be that there are regulations in those countries that require that, but definitely not in the United States.

 

Q:  What laws in the U.S. protect the consumer for bank fraud or phishing? And is it mandatory for the banks to reimburse the customer, if phishing or fraud was determined in the wire transfer of funds?

A: There are several programs. But it’s very true that consumer accounts have far more protections than commercial accounts do.

In fact, commercial accounts have to protect themselves with additional products and services, especially on the check side and the ACH side, to make sure that they’re not experiencing fraud.

So, the regulations are different and there are several of them that apply based on, for instance, what type of events, what type of transfer it is. And this could be in federal regulations that could be in for ACH, but most of the time, consumers are absolutely protected with wire transfers.

It is a little bit different than with checks and ACH because just the nature of wire transfers; they are not a negotiable instrument in other words. It’s a little tougher for a consumer to have if the consumer was the one who was defrauded and the consumer had initiated the wire transfer, they’re going to have a hard time getting money back from their bank. But if this was a hacker and impersonation, then definitely the bank is going to be on the hook for that.

 

Q: So if a wire transfer arrived from a bank account, which previously had a suspicious activity, do you consider this as a suspicious activity?

A: I could see that going two ways. One might be you have a customer who is receiving a wire transfer, and you’ve previously been monitoring this customer’s account for suspicious activity of the nature of wire transfers, or maybe it’s something else that they’re doing. Again, that is you are looking for out of pattern, right? So if you’re already monitoring a customer’s account for suspicious activity then pretty much any transaction that’s going on with them should be looked at more closely.

They could be asking the question that if the sender of the wire transfer, the originator, has been flagged as something suspicious through a payment to a customer – to one customer. And then the same suspicious party makes a payment to another customer.

We actually had that happen on a couple of occasions. And now, both of the customers who received payments from this one suspicious party, which we had identified as a shell company, they were both in the same business.

So again, the fact that it was a shell company that we could pretty much clearly identify was a foreign shell company, that’s a red flag. It doesn’t necessarily mean that it was illegal activity. Both of these companies are exporters. And a lot of times, foreign exports come through payments for foreign exports. Exports come through third parties, sometimes that are set up as a shell company. So we were able to flag that in our monitoring systems and point it out.

So, then, because we had flagged that as a suspicious party on one customer, we flagged it again and would file a SAR on the other customer as well for receiving that payment.

And then we mentioned in our SAR, that corroboration between the two. And even referred in our SAR narrative to the SAR identification number of the original SAR on customer number one where we had seen this activity. So that way, law enforcement as they are reading the SAR  can say I can see what you’re talking about here and I can go and look up this particular file and see the connection between them.

 

Q: Is this where you would document this information in the case report, just so you can track all this information?

A: Obviously yes. A case report is a tool we talk about in the webinar we did on SARs, too.

When you get these really complex cases, which wire transfers can often involve because you are dealing with layering for the most part of layering processes in the money laundering process. So this can get, these can get really complicated.

So being able to write out everything that you have investigated, every connection so that you have made, that are not just obvious from the alerts itself, that may or may not have been generated by your system, is important. And that is something that then you can provide to law enforcement to see how you have justified the SAR and give them more information than just your summary.

 

Q:  What are key elements regarding wire transfers that are scrutinized for either internal or external auditors?

A:  For your external CPAs or your internal audit, is, I think, number one, they’re going to be looking for compliance with the travel rule.

So are you, on your outgoing wires, just where the travel rule would apply to our outgoing wires? Are you capturing all the mandatory information and then what are you doing if anything to validate that?

Are you allowing an originator’s name to be changed? Processes like that.

And then on the incoming wire side, obviously they will be looking for you to be retaining all of the information you receive for the mandatory five year period. And per the FinCEN travel rule, how are you retaining it? Is it easy to retrieve because there are rules in the travel rule about how quickly you have to retrieve information, once it’s been asked for how are you storing it. Is it easy to find and how is it being analyzed by your AML system?

Also, what are the parameters and rules and models that your AML system is using to look for suspicious activity within wire transfers?

 

Q: Here at your institution when investigating a transaction involving your correspondent would you request supporting documents like invoice, bill of lading, or just a profile of your customer?

A: I guess that would depend on the nature of the transaction.

Let’s just say it’s a wire transfer where the underlying transaction was done through open account trading, meaning the banks aren’t involved in issuing a letter of credit or anything like that. It’s just the parties are making payments directly. If there is something suspicious, we would go to the correspondent bank and say, there is something about this transaction and we would like more information.

Do you have supporting documentation from your customer that verifies this as an export transaction like a bill of lading or commercial invoice, something like that?

 

Q:  Do they require a financial institution to call every client that does an online wire to confirm it, even though it’s the same page and they’re sending often.

A: So our policy, and this is probably the case with most banks, is that we distinguish freeform wire transfers, versus template wire transfers.  Let’s talk about templates at first. So our customers were able to create a wire transfer template that has the payee name and address the bank account information.

Even anything that they would want to regularly include in that OBI field.

And then, that template would get set up, and it would require two-touch approval to set up that template to begin with. And then, when that template is used, they’re going to routinely make payments to that particular vendor.  Then the employee, whose job it is to make those payments, can pull up that template, change the dollar amount for whatever they are owed the vendor and then just initiate the wire, and you don’t need a second authorization. Because they can’t change anything, except for the dollar amount.

Now a freeform wire is where there is no template. So they’re setting up a wire, transfer instructions, or a payment order, with someone they’ll say they have never paid before and they don’t have a template for. So anytime one of these came through, it was stopped by a wire transfer system, we did a call back to the customer to confirm, we did a callback actually to a second party at that customer.

So I guess to answer the question, even if that customer does not understand that they can create a template. So that they do not have to go through the secondary approval process all the time. They may be sending a freeform wire every single time to the same party repeatedly. And so then, yes, every single time you should be authenticating or verifying that if it’s free form or if it’s through online banking, then a second person ticket user on their system should be able to, should have to approve it.

And so, then, if you start to see a lot more of this, somebody should reach out to their customer and say we’ve got this feature here, that you don’t have to do this all the time if you set up a template.

 

Q:  Given most foreign wires have serious data issues, so, partial jurisdiction info, named accounts, what was your bank’s policy regarding fixing or interpreting geo data for risk by for risk facing each wire?

A:  Actually, my experience was different from what this participant is enquiring about.

I always found that foreign wire transfers had way more information than domestic ones did.

Now, given the fact, however, all my customers were commercial clients. But the problem that we had was that we did not use SWIFT for payment messages. So we were always receiving foreign payments incoming through a U.S. intermediary who had received a SWIFT message for that payment from the foreign bank and then they had to convert it into a Fed wire. And so we had the issues around addresses. And it would end up being all kind of jumbled together and we had the purpose of the payment in several places where it would be entered in one or more fields on the Fed wire.

Another issue would be when information is being translated from the language of that country where it’s coming from into English. Foreign wires coming from Asian countries would convert names and so forth into English; they were using sort of a phonetic spelling on names, addresses, city names, street names.

In certain Southeast Asian countries, the addresses are really complicated, so there was this translation that was going on as well language translation, that made it a little challenging as well. But in terms of missing information, I honestly rarely saw that. That was more on the U.S. side, the fed wire, because the Fed doesn’t require pretty much anything except for that sender DI and receiver DI, and then the dollar amount and the date.

Understanding Money Laundering and Fraud Risks of Wire Transfers

Wire transfers have long been the tool of choice for money launderers and fraudsters. To mitigate these risks to the financial institutions they serve, AML compliance and fraud professionals must understand how wire transfers work, both in the U.S. and globally, as well as be able to recognize the red flags in wire transfer transactions that may indicate money laundering or fraud is taking place through a customer’s account.

In this webinar, Laurie Kelly, CAMS shares her knowledge and experiences gained from 20 years in leading the AML, fraud, and sanctions compliance functions for a $130 billion U.S. financial institution that processed 12,000 to 15,000 wire transfers per day. Attendees will learn about the mechanics of wire transfers, both in the U.S. and globally, and how wire transfers differ from other types of money movement methods. She will then discuss the FinCEN “Travel Rule”, as well as sanctions screening best practices for wire transfers. Finally, Laurie will explore the money laundering and fraud risks and red flags associated with wire transfers and ways to mitigate them.

 

Using Corruption Perception Index for AML Risk Scoring

Transparency International’s Corruption Perceptions Index (CPI) shows Canada is the top ranked country in the Americas.

However, the bad news is that its ranking in the annual measurement of corruption has dropped for the last few years.

Canada scores a 77/100, a rating that is down to 12th out of 180 countries measured.

While Canada is consistently a top performer, the country dropped four points since last year and seven points since 2012. The index ranks countries out of a score of 100, where 100 is the least corrupt and one is the most corrupt.

 

U.S. continues downward slide

 

The U.S. ranks at 69/100, but is 23rd out of 180 countries. The U.S. ranking has also dropped two points since last year to earn its lowest score on the CPI in eight years.

This comes at a time when Americans’ trust in government is at an historic low of 17 per cent, according to the Pew Research Center.

The U.S. score drop is a seven-point slide over the last four years.  Therefore, there are still some challenges and anti-corruption perceptions under the country’s current framework.

Mexico was listed at 29/100, showing some improvement in its annual ranking.

The lowest in the Americas was Venezuela, which only scored 16, which is also one of the bottom five scores globally.

 

Corruption, democracy and human rights

 

When you look at the world map in the CPI, it uses colors to chart how well countries are doing in terms of democracy or human rights.

Blue is to show that a country is doing really well. Green also indicates that they are generally doing well. Then, there is the red zone in areas of the highest corruption perceptions. This map shows that no country is in the green or blue color range.

There are many dark reds in Africa, Asia or Latin America, and there are still corruption challenges in Western Europe, Canada, the U.S., Australia, Japan and other countries. No country is free from corruption.

Transparency International says the map also suggests corruption and bribes do not stay within borders.

They say the money that is gained through illegal actions or through bribes does not always stay in those deep red countries.

It often goes to the lighter yellows and orange countries where they are seen as less corrupt, but may be willing to hide the money of the corrupt regimes or countries.

 

Top countries hold rankings

 

In the last year, top performers Denmark and New Zealand have held their ranks as the least corrupt countries on the CPI.

When we talk about countries that are at the top of the corruption perception index also being an entryway for illicit funds, we see Switzerland there at No. 6, as it is a well-known secrecy jurisdiction.

Countries at the bottom of the index include Venezuela in the Americas and Syria in the Middle East and the African nations of Yemen, Sudan and Somalia.

Taking a regional view of the corruption perception index, Western Europe and the EU are still amongst the highest ranked regions along with sub-Saharan Africa, and North Africa.

 

How CPI is calculated

 

The index ranks 180 countries and territories by their perceived levels of public sector corruption.

The CPI aggregates data from a number of different sources that provide perceptions by business leaders and country experts. They rank the level of corruption in the public sector.

It is a composite index of 13 other indices such as the World Economic Forum, the World Bank, the Economist Intelligence Unit and the Ibrahim Index of African Governance.

For a country to be on the CPI report, it needs to have had at least three of those indices rank them in the past three years.

A country’s CPI score is then calculated as the average of all standardized scores available for that country. Scores are rounded to whole numbers.

 

How compliance officers can use CPI

 

The corruption index is also used by compliance officers to help them conduct country risk assessments.

The CPI, along with the Basel AML Index and the TRACE matrix, is among the tools that can help compliance compile and document geographic risk scores for regulators. Remember this index measures “perceived” public sector corruption. It does not measure the private sector.

One of the keys is to keep the risk score as simple as possible and to document the way your model works.  If you use the CPI index, remember its scoring system is the opposite of some others – the higher the score, the lower the risk.

One way around this would be to bucket the CPI from a range of scores into risk level labels, such as high, medium high, medium, low and very low. Determine each country’s risk level based on where its score falls in the range. Then assign point values to each risk level (e.g., 20 for a risky country, 0 for a low-risk country).

This would allow you to use the CPI risk alongside other indices that measure risk scores differently.

You also need to include the reasons why you chose your methods and what existing models you used in your calculations.
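The bucketing approach described above, as an added Python example (not CaseWare's or Transparency International's code). The CPI scores are the ones quoted in this article; the band boundaries, the intermediate point values, the second "higher is riskier" index with its constructed scores, the rule that a missing score counts as high risk, and taking the worst result across indices are all assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

MISSING_POINTS = 20  # ASSUMPTION: no published score is scored as high risk


@dataclass(frozen=True)
class Index:
    name: str
    low: float
    high: float
    higher_is_riskier: bool
    # (floor, label, points), highest floor first. A raw score belongs to the
    # first band whose floor it reaches.
    bands: Tuple[Tuple[float, str, int], ...]

    def validate(self) -> None:
        floors = [b[0] for b in self.bands]
        points = [b[2] for b in self.bands]
        if floors != sorted(floors, reverse=True) or floors[-1] != self.low:
            raise ValueError(f"{self.name}: bands must descend to {self.low}")
        # Walking down the floors, risk points must rise when a high score
        # means low risk (CPI) and fall when a high score means high risk.
        if points != sorted(points, reverse=self.higher_is_riskier):
            raise ValueError(f"{self.name}: points run against the index scale")

    def classify(self, raw: Optional[float]) -> Tuple[str, int, str]:
        """Return (label, points, rationale) for one raw index score."""
        if raw is None:
            return ("high", MISSING_POINTS,
                    f"{self.name}: no score published, treated as high risk")
        if not self.low <= raw <= self.high:
            raise ValueError(f"{self.name}: {raw} is outside {self.low}-{self.high}")
        for floor, label, points in self.bands:
            if raw >= floor:
                return (label, points,
                        f"{self.name}: score {raw} is in the band from {floor} ({label})")
        raise ValueError(f"{self.name}: no band covers {raw}")


# ASSUMPTION: band boundaries and the 5/10/15 steps. The article gives only the
# five labels and the 20 (risky) / 0 (low risk) end points.
CPI = Index("CPI", 0, 100, False, (
    (80, "very low", 0), (60, "low", 5), (40, "medium", 10),
    (20, "medium high", 15), (0, "high", 20)))

# Hypothetical second index on a 0-10 scale where a higher score is riskier.
INDEX_B = Index("Index B (hypothetical)", 0, 10, True, (
    (8, "high", 20), (6, "medium high", 15), (4, "medium", 10),
    (2, "low", 5), (0, "very low", 0)))

for _index in (CPI, INDEX_B):
    _index.validate()

# CPI scores quoted in the article.
CPI_SCORES: Dict[str, float] = {
    "Canada": 77, "United States": 69, "Mexico": 29, "Venezuela": 16}
# Constructed sample values for the hypothetical index. "Exampleland" stands
# for a country that is not ranked on the CPI.
INDEX_B_SCORES: Dict[str, float] = {
    "Canada": 4.5, "United States": 4.0, "Mexico": 5.5,
    "Venezuela": 7.0, "Exampleland": 3.0}

SOURCES: List[Tuple[Index, Dict[str, float]]] = [
    (CPI, CPI_SCORES), (INDEX_B, INDEX_B_SCORES)]


def geographic_risk(country: str, sources=SOURCES) -> dict:
    """Score a country on every index and keep the worst result.

    ASSUMPTION: combining by the highest point value. The rationale list is
    the documentation trail for how the label was reached.
    """
    results = [index.classify(scores.get(country)) for index, scores in sources]
    worst = max(results, key=lambda result: result[1])
    return {"country": country, "label": worst[0], "points": worst[1],
            "rationale": [result[2] for result in results]}


if __name__ == "__main__":
    for name in ("Canada", "United States", "Mexico", "Venezuela", "Exampleland"):
        risk = geographic_risk(name)
        print(f"{risk['country']:<14} {risk['label']:<12} {risk['points']:>2}")
        for line in risk["rationale"]:
            print("    " + line)
```

Because each index carries its own band table and direction flag, `validate()` rejects a table whose points were entered as if a high CPI score meant high risk.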


 

Trade-Based Money Laundering: What Compliance Professionals Need to Know (CAMS)

July 14, 2020  |  12 pm ET

July 16, 2020  |  9 am ET

CAMS Credit: 2

Hundreds of billions of dollars are laundered every year through trade-based money laundering (TBML). Its sophisticated techniques allow criminals to use legitimate trade to disguise the source of illegal proceeds and transfer value across borders without the use of traditional money movement methods.

In this webinar, Laurie Kelly, CAMS will share her knowledge and experiences gained from 20 years in leading the AML, fraud, and sanctions compliance functions for a $130 billion U.S. financial institution that provided extensive trade finance services for global exports of U.S. agricultural products. Attendees will learn the fundamentals of foreign trade and trade finance, and why these long-established processes make it so vulnerable to TBML.

We will break down the most common TBML techniques, including the Black Market Peso Exchange, over & under invoicing, and others, using real world case studies. Finally, we will review the red flags for these activities and how to incorporate transaction monitoring, sanctioned/restricted party screening, and enhanced customer due diligence to mitigate TBML risks.

 


Dispelling Myths about Cloud Computing for AML and CCM

As we move toward creating faster and more secure ways of doing business and fighting financial crimes, we at CaseWare RCM have been asking ourselves some critical questions about what our clients need in order to have an AML compliance and continuous controls monitoring (CCM) system that will take them into the future.

A key hurdle that many customers face is the availability and scalability of IT resources and infrastructure. Keeping compliance and audit systems upgraded, secure and scaled to meet their growing needs is not always a top priority for businesses. To make the issue worse, IT problems are often only discovered when there is an interruption in service or a much-needed upgrade is delayed or fails.

We have been very bullish in our recommendation for customers to migrate their Alessa deployments to the cloud. While the use of the cloud by businesses has grown extensively, there remain many pre-conceptions or myths about the use of this technology. Everything from security to location of data are critical questions asked by IT, risk officers and the C-suite.

Here are some common misconceptions about the cloud, facts that dispel the myths and the reasons that CaseWare RCM is now collaborating with Microsoft to migrate and expand our Alessa solution in the Azure cloud.

 

Myth #1: The public cloud is less secure

 

Global public cloud providers like Microsoft are able to invest massive amounts of resources that exceed what any individual organization can realistically invest. It is estimated that Microsoft has more than 3,500 security professionals and spends over US$1Bn on cloud security annually. This is what allows them to use state-of-the-art technology and employ the world’s leaders in cybersecurity.

Public cloud providers also invest heavily in monitoring of their infrastructure since it is one of their core value propositions and a cornerstone of their business. The constant monitoring along with their massive scale and geographic presence enables public cloud providers to detect emerging threats quickly and address issues before they gain traction.

Beyond security, ensuring compliance with global, local, and industry regulations is also a significant burden to individual companies. When organizations turn to a global cloud provider, they are inheriting the compliance and security certifications and standards of work already put in place for organizations around the globe. In this case, Azure has over 92 global, regional and industry specific certifications.

 

Myth #2: Your data will be stored internationally

 

Many organizations, including financial services businesses, require their data be stored in specific jurisdictions. It is for this reason that many public cloud providers have regional data centers.

In the case of Microsoft Azure, it has 58 worldwide regions and is available in 140 countries. There are multiple data centers in the U.S., Canada, UK, India, Africa, Australia, China, etc.

These offer the scale needed to bring applications closer to users around the world, preserving data residency, and offering comprehensive compliance and resiliency options for customers.

 

Myth #3: Cloud computing will cost more

 

When thinking about costs, there are many aspects to consider. There are the actual capital and operational expenses of hardware, virtual machines, software and staff to deploy, secure, upgrade and maintain IT equipment and services.

Another consideration is time. How much time does it take to deploy new services and products? What is the lead-time to purchase new equipment and services?

Finally, utilization is a consideration. Do you have to purchase extra capacity in advance to plan for future needs? Are resources being spent for underutilized equipment for the “just in case” or upgrade scenarios?

When you consider all these costs, the total cost of ownership is comparable, but with the added benefit of greater security and redundancy along with an improved end-user experience. Organizations also have the added benefit of being able to purchase capacity as and when they require, so capital investment is not locked in underutilized equipment.

 

Myth #4: Cloud service providers will have access to my data

 

Encrypting client data at rest and in transit ensures that there is no potential for cloud providers to access confidential information without an encryption key. In the end, the clients have the final say over who does and does not have access to their data.

 

Myth #5: Working in the cloud is complex

 

While the theory behind how the cloud works may be complex, the end-user experience is quite the opposite.

When it comes to setting up or migrating to the cloud, your service provider does all the heavy lifting in the back-end, which results in a seamless transition that limits downtime and creates the same, if not a better, experience as an on-premise environment.

 

Fact: Faster deployments and software upgrades

 

Without a doubt, cloud deployments have made life easier for our customers. Initial implementations and software upgrades are much faster for Alessa customers in the cloud than for those who opted for on-premise installation.

Internally, our decision to use Microsoft Azure has been a boon. Alessa developers are able to spend more time developing compliance and fraud prevention functionality rather than writing code for IT infrastructure and deployment. This has translated to more integrations with other service providers and features that help our clients with their day-to-day operations.

 

Fact: Greater capacity for fraud detection and prevention

 

With the increased data storage and computing power offered by the cloud, deploying AI-based techniques in Alessa becomes a reality for many more organizations.

In the case of Microsoft Azure, the platform offers advanced machine learning capabilities, which allow companies to quickly and easily build, train, and deploy machine-learning models.

At Alessa, we have been helping our customers to migrate to the cloud so they can spend less time worrying about infrastructure to support their AML compliance and CCM systems. We invite you to learn more about how the cloud can help you, too.

 

Q&A: Writing Effective FinCEN SARs (Suspicious Activity Reports)

Updated June 11, 2020
 

Recently we had a chance to have Question and Answer sessions with Laurie Kelly following CaseWare RCM’s webinar on writing SARs.

Laurie is an expert in the field with a 35-year career spanning the fields of accounting, finance, risk management, and regulatory compliance. Most recently, she served as the Director of Compliance for CoBank ACB, a $136B Farm Credit System institution, where she developed and managed the bank’s anti-money laundering, fraud, and economic sanctions compliance programs.

 

 

Q: If the bank is in one state, but pre-paid accounts are located in another state, in fact across the U.S., where would the SAR be filed?

A: Where the SAR is filed from is the state you would file. We had one central location, but our SARs were filed where the suspicious activity was taking place. For example, we were in Colorado, but we would have a customer in California. Let’s say that we had suspicious activity, we still would contact the SAR review team that was for our Colorado regional area, and let them know about it, and they would look at it and then they would refer it to another site review team in California, if they so choose to.

 

 

 

Q: The main question from junior team members relates to the level of detail to provide. Another challenge is the level of review internally until a SAR is actually issued. What would be a good period between identification and issuance of the report?

A: So your clock starts ticking for SAR filing once you make the official decision to file the SAR. So you have an alert, a junior associate looks at it and says they think it is SAR worthy. They raise it to their supervisor and whatever processes you have for who approves that final SAR filing decision. It is at that point that the SAR filing clock starts. So you have time ahead of that to investigate before you make a decision on whether you’re going to file a SAR or not.

It depends on your organization and what your hierarchies are for approvals. In my organization, things would come through a supervisor and then to me, and then I would make a decision on whether or not this was SAR worthy. I would speak to the chief compliance officer and tell him about the case. And he would say yes or no.

So it’s kind of a balance there. Whom do you decide has that authority to say yes or no? And if you’re a large organization with a lot of SARs, then you probably have intermediary level management that could be able to make that decision.

But just keep in mind that the SAR filing clock starts at the date that you make the decision to file.

 

Q: Do you run into any problems if it takes you a little while to start investigating a transaction?

A: Not necessarily, because I think law enforcement does not want you to file an unnecessary SAR that you have not thought about or investigated. They want the good stuff. They do not want the stuff you are not sure about.

Obviously, if you wait months to make a decision, that is not acceptable.

But if it is typically within the timeframe of 30 days or so. We did not generate alerts daily. We generated them twice a month.

So a transaction could have occurred at the beginning of the month that we wouldn’t see for two weeks as an alert, and then we would investigate that and determine whether we needed to file a SAR. So, that was a two-week period. But, I think that is a reasonable amount of time as long as you can justify it in order to file a good quality SAR.

 

Q: How do you handle cumulative dollar amounts in a SAR? Would you choose continuing if it was a SAR follow-up review and only include the cumulative amount for SARs?

A: In the form itself, if you have checked the box for continuing activity, then it’s going to ask you for a cumulative total in the section of the report. Then it will ask you for the amount of this particular SAR. There is a place on the form to guide you as to what information or dollar amounts to use.

 

Q: Do MSBs file SARs?

A: Absolutely, yes.

 

Q: Do you get 150 days for continuing activity?

A: It’s 120 days. The due date of your continuing activities SAR is 120 days from the date of your last SAR. So, that’s the maximum amount of time. You could certainly file it before then.

So, even if we were coming up on preparing our SAR and the 120-day due date was coming up, if it was a big case or a critical case, oftentimes, we go in ourselves and look for more activity within our transaction systems and not even wait for the alerts to see what came up. And stick anything in there that we could enter in that current SAR.

 

Q: I agree that we are filing a SAR for the benefit of law enforcement; however, regulating bodies frequently recommend that we add verbiage that clutters the SAR. Ultimately, they do not regulate us, so I think that is where the case report is helpful. Would you agree?

A: Yes. I feel your pain there. That is a long-standing dilemma, and so I personally took a hard stance on what I was providing in my SARs.

Once the attachment feature came out, I had far fewer issues because prior to the attachment feature our regulator wanted every single transaction crammed into that narrative. I could show them conversations that I had had with law enforcement about how they do not want this. But it was a longstanding agree to disagree kind of thing.

It is up to you to decide how much you want to go into battle.

 

Q: How do you handle complying with subpoenas for SAR information, including your case report, for complex or significant cases? Do you turn over the SAR case report?

A: Yes, because they could probably access the SAR themselves, but we would, if they asked for the SAR form, we would provide it along with a case report.

 

Q: Do you have a suggestion on the number of transactions that would trigger using an attachment, or should you always use an attachment, even if it is just one transaction to keep it from being in the narrative?

A: Well, I guess it depends on the transaction, but if it was just one, I think I would put that in the narrative. If it was the verbiage and the freeform text field of a wire, you could highlight that, and then just give them what they need to know to understand why this is suspicious.

Maybe if it is two transactions and it’s not cluttering up your narrative, then find a way to reflect those concisely. Because, remember, they are going to come back to you anyway for this information.

I have never had anyone from law enforcement just take what was on the SAR verbatim, and then run with it. They are going to contact you, and they are going to want to see all these details anyway. So file enough to get their attention, but three or four are probably worth doing the attachment.

I had some that were very lengthy. Especially, like in counterfeit check cases where there were sometimes hundreds of transactions.

 

Q: After filing a SAR, should we continue to make transactions for the customer?

A: That is completely at the bank’s discretion. In addition, every bank should have its own policy about what it does when a customer has had suspicious activity reported on them. Some banks have a three strikes and you are out kind of thing. Others may say you have had a SAR filed on you; we want to close your account.

And in the case with my institution, we were a lender, predominantly with customers who had multi-million dollar revolving lines of credit that they used for their operating capital. In addition, these loans had, you know, five- or 10-year terms on them.

So our manager was not going to call a loan and say goodbye just because of something compliance has noted, it would have to be serious for them to do that. An actual indictment maybe.

The bank should have its own policy on how it addresses customers who have suspicious activity reports filed on them.

And sometimes I would think even just one might not be, that might be a little extreme. But that is just, kind of my general opinion. If it keeps happening obviously, yes.

 

Q: For SAR reports conducted on a customer’s correspondent bank, should I include the bank in my report?

A: You would definitely want to say in your narrative that these were transactions processed for your correspondent.

 

Q: Can you provide more information on SAR committees? I have been looking and cannot find anything. Where should I look? Or, who should I reach out to?

A: Some banks choose to have a SAR review committee. It is internal, and so, maybe, it is made up of the head of compliance, the head of audit, and the head of legal.

On a periodic basis, they look at and give the final approval to file a SAR.

I think this is more common in smaller institutions, because just from a process perspective in a larger institution, there would just be too much, it would be a full-time job for people.

And you do not want to unnecessarily delay the filing of that SAR.

Typically, the decision to file a SAR is made by a compliance team. Then these committees sort of give their blessing to it.

It is an extra internal control that I think smaller institutions probably find more useful, especially if they do not file many SARs.

Because then they would want to be more aware of what was going on.

 

Q: Should the compliance committee comment on SARs with the directors of the banks? In many cases, some customers are related in some ways to the director.

A: So that’s the confidentiality aspect of it, the need to know kind of thing. So we always took the approach that we did not let any person on the sales side, or the relationship managers, know that a SAR has been filed. There is a distinction between the knowledge that a SAR has been filed, and the knowledge that a suspicious activity has occurred. So knowing that suspicious activity has occurred is OK internally. It is just that the formal filing of the report has to remain confidential.

You don’t say that you file a SAR, but you can ask them to even help you review that activity and ask them, Does this make any sense to you? Is there some underlying reason why they’re doing this?

 

Q: A decision to escalate by monitoring analysts for further investigation to the investigation team doesn’t start the six-day clock, is that correct?

A: No, it should not. The clock for filing starts when the formal decision to file has been made. Not just the flag of suspicious activity. You may investigate it, and then, for whatever reason, decide that you are not going to file a SAR. And it is important to keep track of those decisions as well, from a regulatory perspective.

 

Q: In an instance where an analyst has a strong reason that an account warrants a SAR based on suspicious transactions, but the BSA officer does not think a filing is justified in this instance, what do you suggest the analyst do?

A: Whoever has the final say, I guess, is what should happen. This is another reason where a case report comes in, as it is very handy because you can document the analyst’s opinion.

Then, the BSA officer’s opinion would be included as to why they did not think it was SAR worthy.

And then that record is kept where you have both opinions. And regulators come back later and want to see a sample of cases where you decided not to file a SAR. And they can see that and determine if they think that the right judgment was made.

Just documenting both people’s opinion I think, is important.

 

Q: What do you suggest regarding lengthy, unlicensed MSB cases involving many transactions? Should we just mention we identified the activity, and say information is available upon request, or should we detail each transaction in the narrative?

A: Well, you would definitely not want to detail each transaction in the narrative. This is where the attachment feature would come in helpful. And if it is like thousands of transactions. And maybe just describe in your narrative that there were over one thousand transactions, and so on. We can provide these details to you upon request.

 

Q: Because of the pandemic, is there any way to justify the delay in SAR reports?

A: I have not seen the latest, but the last FinCEN guidance I saw was, they were kind of wishy-washy about it. They did not provide extra time. I would just check with FinCEN and maybe even call them if you are experiencing a legitimate reason why you need extra time.

 

Q: So as an MSB, would you file SARs on recipients in a foreign country?

A: Yes. Sure, if it was actively flowing through your institution.

 

Q: During an investigation, what do we do if it becomes public before we are able to report it?

A: You still report it. In fact, it reminds me of a case I had one time where it was public information on some illegal activity of a former customer that prompted us to go back.

We went back several years and looked for anything suspicious that might have been related to that case and reported it. At the time that it occurred, it did not look suspicious. But once this case came to light, and they were talking about all these things they had done, then looking at that activity in a different light, we filed a SAR just to provide that information.

We were never contacted by law enforcement on it, but we felt that it was our responsibility to report it.

 

Q: We are a broker dealer and have numerous relationships with clearing firms. Is that relationship something that we should identify in our narrative?

A: Only if it relates to the transactions.

 

Q: How would we explain identifying an account number with the clearing firm to specifically identify the account as opposed to our internal identifying number, which corresponds to a customer, not specifically an individual account?

A: You could add, if there isn’t a place on the form, where you’re actually reflecting the account number of that customer. I would mention that number in the narrative.

 

Previous SAR Writing Q&A

 

Q: Upon writing a SAR, who is supposed to review it before filing, in the case of a large institution? The head of compliance can certainly not review them all. What is the best practice before filing?

A: That definitely depends on the size of the institution and the size of your staff. The best practice I can give you is that at least one other person with more experience should review it.

I think every institution has to approach it based on their individual situation. Therefore, it does not always have to be the head of compliance, but at least somebody else who is knowledgeable on filing SARs.

 

Q: Here is a question around balance. How should you determine whether you should file a SAR that “may be suspicious”?

A: It would be helpful if you can present it to several people in your compliance department to see what their opinion is about whether this is really SAR-worthy or not.

In some cases, I felt that a SAR was not necessary because we had no information to provide to law enforcement. I personally felt that if we had no names, no telephone numbers, no information to provide to law enforcement, then there is no point in filing a SAR.

 

Q: When we file a SAR, can we include multiple different subjects in the SAR? For example, if I have 10 unrelated incidents in one week should I actually be submitting 10 different SARs?

A: I guess I would expand on that question … if it were all related to say one customer, then yes; you can certainly include multiple subjects. The SAR form can accommodate an unlimited number of subjects.

However, I would consider this from a law enforcement perspective: What is it that you are trying to tell them about the case? And even though you may have multiple subjects, if it’s all related to one customer or the same flavor of activities, then you could certainly include those all in one.

 

Q: After you have created a continuous SAR and still have the same activity, do you create a new or continuous file?

A: If it is the exact same thing going on – you have the same players, you have the same nature of activity, that is when you want to check the continuing activity box. Then, in your narrative, say this is a continuing activity, summarize why this is suspicious and add the new details.

 

Q: If within the 90 days, the suspect opens a new account and conducts the same activity, would we do a continuing or a new report?

A: I would call that continuing because it is the same characterization of activity. The fact they opened a new account and started doing it out of a new account is even more suspicious.

 

Q: So if you have a continuous SAR report, should the narrative from the original SAR be included?

A: No, and that is a very good question. In your first sentence, say this is a report of continuing activity and describe that activity briefly. Have the BSA ID number, date and amount of your original SAR, so law enforcement readers can see that information.

 

Q: In the case of identity theft, what should we register for subject information, since the data is from the victim?

A: If you do not have any information, you do not list any information. In the case of fraud where your customer is the victim, you do not list your customer as a subject.

The subject section is intended to be only for participants in the illegal activity. In money laundering cases, typically, your customer is an active participant in that activity, so you would list your customer as well as any other parties.

 

Q: Do you create case reports for unusual activity where you decide not to produce a SAR?

A: Yes. That is a very good question because it is important to document. If your alert system or something else came up that is unusual and you ultimately decide not to file a SAR, you need to document the reason why.

It could be something as simple as there is no information of value to provide to law enforcement. Sometimes a case report may not be necessary, so simply document that in your case management system.

However, if there was sufficient detail, you need to document why you chose not to file this SAR. Typically, examiners will ask you for a list of all incidents where you actually decided not to file a SAR.

 

Q: How do you keep your case reports confidential?

A: It really all comes down to good data security practices. We restricted access to our network to compliance staff only as well as our government. If we were going to provide a case report to someone outside of compliance, but within the organization, we would make that document read-only with password protection.

We sent the document through internal email only, and we provided the recipient with the document password by phone. We kept hard copies as well in a locked cabinet.

And if we had any external auditors or examiners that wanted to review the report, we typically made them read it on site in hard copy only and not take it away from our area. So we had very tight security around anything to do with SARs. And that’s really a definite best practice for any compliance group.

 

Q: Do you have any recommendations or practices for sharing actionable information with local law enforcement outside of SARs? Some local law enforcement offices do not have direct access to FinCEN database, but we may want to inform them directly of certain situations?

A: Actually, it is a very good practice for compliance people at banks to make a connection with your local law enforcement. This would include the local field office of the FBI, or even Homeland Security. I think law enforcement does appreciate when we as compliance professionals actually reach out to them directly.

 

Q: Is there a limit on how many SARs you can write and submit especially in a closing quarter of the year?

A: You can submit as many as you need to but you want to avoid the defensive filing.

 

Q: Should the FI or listed business be notified by the law enforcement agencies that their SAR was received?

A: If you file electronically, FinCEN sends back something that acknowledges that they received it and then usually within a couple of days FinCEN sends another message that they have processed it and it has been accepted. You know it has been accepted when the BSA ID number is assigned.

 

Q: How many days should you watch a suspicious customer before creating a SAR?

A: The key date from FinCEN’s perspective is the day that you decide to file the SAR. The date that decision to file is made is when the clock starts for your filing. But depending on what kind of suspicious activity you noted with your customer, you may want to file the SAR immediately.

 

Q: If you had a suspicious activity that goes over the 90-day review, or a similar incident occurs a year later, would you reference that previous SAR that has been filed or begin a new series?

A: I still personally believe that if it is exactly the same, it is a continuing activity report even though it has been a year and that law enforcement want to know that. However, if you feel more comfortable filing it as new, then definitely state that in your narrative.

 

Q: So another question that came in was is it OK to use the form, section five, in a SAR log?

A: You can really organize these case reports however you would like to. It is not a regulatory form, it is purely an internal form, and you want to design it in a way that is most useful to you. Now we did have a previous section that was I believe the SAR narrative is section five. Then we have a separate section where we do use it as a SAR filing log.

In addition, I will say that that is incredibly helpful, especially when you are providing that report to law enforcement, because if you do include the BSA IDs for each one of the SARs, that is how agents would go and look up previous SARs or related SARs.

 

Q: So how can you tell who actually filled out the SAR?  Some forms seem to come from a corporate office, so you cannot tell which branch filed a SAR.

A: There is a place at the beginning of the SAR form where you indicate the financial institution contact. That is up to the bank or institution to decide whose name you want to provide there. That way, if law enforcement did reach out and contact that person, they would be the best person to talk to you as they were in charge of that case.

However, other banks may use a general number for compliance, or maybe the director of compliance or whatever that they prefer to do.

 

Q: Would I contact the IRS criminal investigation field office to reach the SAR review team even if the SAR being referenced is not related to any IRS fraud?

A: Absolutely, yes. IRS criminal investigation actually investigates more than just fraud and more than just tax fraud or tax evasion. They investigate structuring cases, money laundering, and all kinds of different types of activities.

In addition, because IRS is a division of the Treasury Department, which is what FinCEN is a division of, that is kind of why I believe they take the lead when it comes to SAR filings.

The SAR review teams include representatives from many other federal law enforcement agencies. So they will decide if they need to investigate or whether it is worth pursuing, then they will decide as a team who should this go to. Maybe it will be something they want to give to Homeland Security, or maybe to the Secret Service.

So, yes, IRS criminal investigations does a lot more than just tax fraud.

 

Q: There is a question on the number of transactions that would trigger a SAR. Is it just one that might trigger a SAR? Or do you need to see a pattern of transactions before you file a SAR?

A: It really does not matter as long as it is suspicious. There are some dollar amount guidelines for SAR filings, which are just guidelines. There is a $25,000 threshold and a $5,000 threshold and it has to do with whether or not a subject, or a suspect, has been identified or not. But one transaction can certainly be SAR worthy.

 

Q: Is the person filing a SAR kept anonymous each time, and if not, are they contacted anytime during the investigation?

A: There is an assumed confidentiality surrounding SAR filings between the filing institution and law enforcement.

Really, it is the bank or institution that is filing the SAR that is kept out of public records. It is actually a federal offense to disclose that a SAR has been filed.

And so that anonymity, if you will, is protected. But as far as dealing with individuals within the institution who have prepared the SAR, work the case and so forth, there is not really any anonymity that’s needed because you’re partnering with law enforcement.

A law enforcement officer may contact you about one of your SARs because they want to work with you in the end. So you may have multiple conversations with them after you provide information. They may have some more questions. It becomes a dialog.

 

Q: What is the general rule for a local entity to share a SAR with their parent company? In addition, is there a restriction, if the parent is internationally located?

A: There would not be any international restriction that I am aware of. You want to consider things on a need-to-know kind of basis.

So, for example, you should be advising your Board of Directors of your SAR activity. But you don’t need to tell those members of the board the names of the customers, for example, on whom these SARs have been filed.

You can describe the suspicious activity and talk about it.

However, where you need to be really careful is in that indicator that a SAR has been filed.

Where the federal offense comes in is in disclosing publicly that a SAR report has been filed.

How much detail does your parent company really need to know? They probably want to know the volume and nature of the SARs you are filing, so maybe consider reporting that.

I would do a quarterly report to our board, where I would describe all the new SARs we filed on our major cases and continuing activities. But I never used any customer names. I just switch, say, customer A, customer B, and so forth.

Where I did provide customer names, though, was when our customer was a victim of fraud.

That way they would want to know when fraud occurred and what types of fraud. But on the AML side, we never revealed any customer names.

 

Q: What is a civil penalty for tipping off someone about a SAR?

A: According to FinCEN, both civil and criminal penalties may be imposed for SAR disclosure violations. So, you’re looking at up to $200,000 for each violation and criminal penalties of up to $250,000, and/or imprisonment not to exceed five years. So, I think that’s what the individual financial institutions could be liable for in civil money penalties, and they could be as much as $25,000 per day for each day that the violation continues.

 

Q:  What do you do if the person on which the SAR has been filed is a PEP?

A: If the suspect or subject is a PEP, you certainly want to highlight that in your narrative. In that very first paragraph, I would repeat their name and who they are because obviously their name is going to be shown in the subjects section of the report. But the fact that they are at PEP is not going to be unless they’re very famous.

Now, whether or not you choose to notify local law enforcement, again, depends on the nature of the case. But it is OK to notify local law enforcement. You just wouldn’t send them the SAR. You would file a SAR through FinCEN. Then the SAR review teams are the ones who are reviewing them.

But in something I would consider to be a hot SAR, you could get in touch with IRS CI, or even call Homeland Security.

I should emphasize here, instead of going to your SAR review team, you can go directly to a law enforcement, federal law enforcement agency in your area to tell them about it.

I have even asked whether they thought something was SAR-worthy or not. I had made law enforcement contacts through networking meetings. Those are great connections to have where you can actually reach out to them and say, I have this weird situation going on, do you think this is SAR-worthy?

Because in one case, it was related to the beneficial owner of our customer and I was seeing there could be potentially an immigration issue.

That’s when I reached out and contacted them and asked whether I should file a SAR because there weren’t any actual dollar transactions involved. This person could have been in the country illegally. So, we did file a SAR at their suggestion.

 

Q: What happens if the entity files a SAR which, according to the IRS regulators, is not a suspicious activity? Is there some action taken on the entity if they report something that is not suspicious?

A: No. Not to my knowledge. I don’t think there have ever been any particular penalties assessed.

But sometimes there’s been talk of when this comes back to data quality, which is where there’s a term called defensive filing. This is where an institution files a SAR on anything that has the remotest potential suspicion, but without investigating it.

Sometimes it may be a slap on the wrist, or a warning might come down if a regulator says I think you’re overdoing it a little bit with your SAR filings.

But as far as I know, there is no particular penalty. If you really think it’s suspicious, and then it turns out not to be, it’s not our job as AML professionals to investigate.

Our job is to look at something a little bit and say, yes, this is suspicious. This doesn’t smell right to me, because of these reasons. Here’s my report, and now law enforcement makes that decision how to proceed. Are we going to investigate this? Or, no, I don’t think we’re investigating this. It’s not our job to really figure out if something illegal is actually happening.