Complying With BSA Need Not Be A Secret
The Bank Secrecy Act/Customer Identification Program (BSA/CIP) requires a risk assessment of each member account. While we can define these requirements, actually implementing the necessary processes in you anti-money laundering (AML) efforts may be easier said than done.
As a quick refresher, you can think of the risk assessment tasks as falling in three groups: member identification; account risk characteristics; and, products/services risks. Together these components make up the risk assessment process.
Under "member identification" we can include two tasks:
Collecting, documenting and verifying identity information, including: name, address, tax ID, date of birth; nationality and country of residence (if not U.S.); searching denied party lists (e.g., OFAC, Politically Exposed Person (PEP), Global Black Lists (GBL)).
Account Risk Characteristics will include considering such factors as: account type (i.e., private or business-including business type risk); whether the account is for an embassy or consulate, international business company, private investment company, or other high-risk entity; deposit of foreign source funds.
Product and services risk should assess the vulnerabilities to money laundering of the various services to be used by the account. These should include: private banking, trusts or asset management, loans, pass-through account; electronic and PC banking should also be considered for its potential anonymity.
Getting Familiar With Risk Factors
If your credit union has studied and developed a program to meet the CIP requirements, then you are familiar with these risk factors. If you have implemented your program, then you have also had to consider the issues involved with performing the risk assessments while also operating an efficient account opening process.
There are a number of ways to implement a new account risk assessment, but in each case several time-consuming and possibly complex tasks must be performed.
The OFAC is a publicly available list with several thousand records that can be checked manually. However, politically exposed persons (PEPs) files that fully satisfy the objectives of the requirement can be much more difficult to check (i.e., to detect: "individuals who have or have had positions of public trust such as government officials, senior executives of government corporations, politicians, important political party officials, etc. and their families and close associates require heightened scrutiny.")
If business accounts are offered, then it will be necessary to assess the AML risk of the business type. One simple way to perform this task may be to refer to the list of exemption-ineligible business types provided on the reverse side of Treasury Form TD F 90-22.53, Designation of Exempt Person. However there are a number of other sources for identifying high risk businesses. These include U.S. Code (?103.22(d)(6)(viii)); the Federal Financial Institution Examination Council (FFIEC); and the Office of the Comptroller of Currency(OCC) Bank Secrecy Act Handbook. These lists are not identical and you may want to be safe and create a consolidated list.
More financial institutions are using the U.S. Census Bureau's, North American Industrial Classification System (NAICS) as a standardized reference for identifying business types consistently. While the data file for the NAICS is easily available on the Census Bureau's website, checking this table might be too time consuming to perform during the member's account opening process.
Similar challenges exist when opening accounts for non-U.S. citizens, when foreign funds are presented and when associations with a foreign banking institution are detected. The risk assessment should include the evaluation of country risk for any alien (resident or not) and for any financial connections outside the U.S.
There is no single authoritative or directed list of country risks produced by any government agency specifically for the use of the banking industry. Rather there are a number of lists from different sources that attempt to address various viewpoints (e.g., narcotics trafficking, corruption, counter-money laundering, etc.) of individual country risks. These include, in part:
* Central Intelligence Agency World Fact Book: an assessment of general country characteristics including illicit drug trade, money laundering and terrorism risks.
* U.S. Department of State, International Narcotics Control Strategy Report (INCSR): an assessment of risk potentials for drug trafficking and other sources of money laundering.
* Financial Crimes Enforcement Network (FINCEN), Section 311-Special Measures, Entities of Primary Money Laundering Concern
* Financial Action Task Force/Non-Cooperative Countries and Territories (NCCT): a list of national entities that do not conform to world anti-money laundering programs.
* OFAC/Sanctions List: a list of U.S. sanctions against high-risk nations.
The Patriot Act, Section 311 list (available on the FINCEN website) provides both financial institutions and nations that are restricted from U.S. banking transactions. Any member relationships with these entities must be detected and reported.
As we can see, there are a number of requirements that might be difficult to fulfill-particularly in those credit unions where new accounts are opened frequently. Stopping to look up a business type, country risk or a Special Measures entity in the middle of a new account opening session may be impractical and inefficient.
While automated services to aid with some or all of these functions can improve the efficiency of the process there are at least four critical considerations that need to be added to your program.
* Research. Regardless of how you look up individuals in any denied party or PEP database, you are bound to have to deal with false positive returns. While some of these may be easy to resolve, some will also be close enough to the name you have entered to require resolution. Researching PEP possibilities may be more involved and can require reviewing a profile of the individual's documented history from an online source like World Check or WorldCompliance.
* Scoring. It's not enough to simply review each account for AML risk, you must also assess and assign a level of risk. While this may be a simple grading like High, Medium and Low, it can also be based on a more definitive method that would incorporate a mathematical process. Each credit union has its individual vulnerabilities depending on its membership, geography, products, services and processes. These should be part of the risk assessment. Individual accounts, will then possess their own degree of risk depending on the factors described above. Both of these factors should be considered in assigning a risk score to the account. Developing, operating and maintaining your risk scoring process must be an integral part of the Customer Identification Program.
* Decision-making. The regulations require that you perform a risk assessment for each account, but they do not prevent you from opening accounts with high risk (except for certain blocked countries or entities). Consequently you need to consider each account for its individual degree of risk for involvement with money laundering or terrorism financing. How these decisions are performed and documented will be another element of your process that must be carefully considered and implemented.
* Integration. The CIP is only one half of the overall requirements in the anti-money laundering program. There must also be an account activity monitoring process that reviews daily transactions, detects high risk activities and produces appropriate cash and suspicious activities reports. While this "back -office" process is focused on the risk associated with an account's activity, the total risk (including CIP-related risk) should be considered. It is important to design your AML program with the ability to include the CIP risk assessment performed on account opening as part of the activity risk assessment.
Implementing a complete AML program is clearly a challenge. Managers must make many critical decisions regarding the risks they face, the costs involved and the processes that best fit their operations. Knowing the requirements and understanding their complexities are essential parts of creating, operating and maintaining a balanced and successful program.
Bob Cofod is president of BankDetect, Churchton, Md. Mr. Coford can be contacted at bob.cofod