|
|
|
Frequently Asked Questions
When must a Money Services Business (MSB) renew its FinCEN registration?
Can a non-citizen without work authorization obtain a Social Security number to get a driver's license?
What type of "due diligence" information should we be gathering from our customers?
How do I risk-rank an individual customer for our anti-money laundering program?
Can you please tell me what an MSB Independent Audit should include?
How often does an institution need to scan their customer database against the OFAC list?
Can you please tell me where I can find country codes ?
How do the requirements of the CIP rule apply to a loan that is renewed, or a certificate of deposit that is rolled over?
Do all these suspicious activity reports (SARs) really help law enforcement?
Is a state-licensed check-cashing business exemptible under the BSA?
Does FinCEN prepare and distribute training materials?
We did not properly file a CTR, what do we need to do?
Provide some examples of suspicious activity that a Bank Teller should look for?
Are social security numbers are being recycled?
What types of financial and non-financial businesses are considered to be a higher risk for laundering money?
How can I confirm if a money services business is registered with the government?
Should a casino be registered as a Money Services Business?
Do currency transactions of exactly $10,000 require a CTR?
If a business only cashes its own employees' payroll checks, is it a money services business?
Can you provide the regulatory definition of "structuring"?
What is the role of an Anti-Money Laundering Compliance Officer?
What is OFAC and what does it do?
What is the difference between Customer Identification Program and Customer Due Diligence?
Does the responsibility to file a SAR rest on whether or not a loss has occurred?
Question: When must a Money Services Business (MSB) renew its FinCEN registration?
Answer: MSBs that were initially required to be registered on or before December 31, 2001, were required to renew their registration for the first time by December 31, 2003. Thereafter, their renewal is required every 2 years.
MSBs that came into existence after December 31, 2001, are initially required to be registered within 180 days beginning on the day after the business is established as an MSB. Their renewal deadline is the end of the 2-calendar year period beginning in the year they initially were required to be registered. For example, if an MSB is required to be registered on October 15, 2007, it must renew by December 31, 2008. Thereafter, renewal is required every 24 months (on or before December 31, 2010, December 31, 2012, etc.).
It is also important to understand there are events that would cause an MSB to re-register with FinCEN. MSBs must re-register if there is:
- Change in ownership or control that requires the business to re-register under State law;
- Transfer of more than 10 percent of the voting power or equity interests;
- A more than 50 percent increase in the number of agents during the registration period.
Question: Can a non-citizen without work authorization obtain a Social Security number to get a driver's license?
Answer: No. The Social Security Administration does not assign an SSN to a non-citizen solely for the purpose of obtaining a driver's license. In general, only non-citizens who have permission to work from the Department of Homeland Security can apply for a Social Security number.
If they do not have permission to work, they may apply for a Social Security number only if the law requires them to provide a Social Security number to get general assistance benefits they already have qualified for.
Lawfully admitted non-citizens can get several benefits and services without a Social Security number. For example, they do not need a number to register for school, apply for educational tests, obtain private health insurance, apply for school lunch programs or apply for subsidized housing.
For more information on social security numbers for non-citizens, visit http://www.ssa.gov/pubs/10096.html.
back to top
Question: What type of "due diligence" information should we be gathering from our customers?
Answer: According to the FFIEC Bank Secrecy Act / Anti-Money Laundering Examination Manual "The objective of Customer Due Diligence (CDD) should be to enable the bank to predict with relative certainty the types of transactions in which a customer is likely to engage."
The manual goes on to state that management should have a thorough understanding of the money laundering or terrorist financing risks of the bank's customer base. Under this approach, the bank should obtain information at account opening sufficient to develop an understanding of normal and expected activity for the customer's occupation or business operations.
This information will allow the bank to differentiate between lower-risk customers and higher-risk customers at account opening. Banks should monitor their lower-risk customers through regular suspicious activity monitoring and customer due diligence processes. Customers that pose high money laundering or terrorist financing risks present increased exposure to banks; due diligence policies, procedures, and processes should be enhanced as a result.
Here are a few examples of questions your institution could ask depending on the level of risk assigned to each customer:
- What is the purpose of the account (e.g. personal, business, other)?
- Please list the source of funds expected to enter this account (e.g. payroll, business income, other).
- What is your occupation or type of business?
- If a business, where the business is organized, number of locations, and number of employees.
- Why did you choose this location (e.g. proximity of the customer's residence, place of employment, or place of business to the bank)?
- List anticipated volume/amount of domestic and international wire/ACH transactions.
- List anticipated volume/amount of currency (e.g. expected average monthly volume/amount of cash in and out).
- Explanations for changes in account activity.
back to top
Question: How do I risk-rank an individual customer for our anti-money laundering program?
Answer: You may need to do some prep work before you are actually able to risk-rank individual customers. It is important to follow these strategic steps to ensure your program is strong and complies with the FFIEC BSA/AML Examination Manual.
The first step is to conduct a Bank Secrecy Act / Anti-Money Laundering risk assessment to properly identify your bank's risk profile. This risk profile (e.g. Low, Moderate or High) is based on a comprehensive review of the specific risk categories unique to your institution such as products, services, customers, entities, transactions and geographical locations. The goal of this assessment is to measure the institution's overall money laundering exposure and implement the necessary controls to mitigate these risks. These controls may include stronger policies, procedures, monitoring systems, training, and segregation of duties.
Once completed, the risk assessment should become the bank's road map for risk-ranking individual customers. The findings within the risk assessment will isolate those customers which present the greatest risk for potential money laundering based on the type of customer, products/services they are using and the geographical locations they reside in and/or transact with. For example, an institution may identify "Bob's Money Transmitter Shop" as a high risk entity because their risk assessment identified money services businesses as high risk type of business. Additional risk factors identified in the risk assessment may include where Bob's shop is located, the type of customers they service, the products they are using and the individual countries they transact with.
back to top
Question: Can you please tell me what an MSB Independent Audit should include?
Answer: Just like banks have to do, the Bank Secrecy Act requires money services businesses to establish anti-money laundering programs that include "an independent audit function to test programs." The primary purpose of the independent review is to monitor the adequacy of the money services business' anti-money laundering program.
A money services business does not necessarily need to hire an outside auditor or consultant. The review may be conducted by an officer, employee or group of employees, so long as the reviewer is not the designated compliance officer and does not report directly to the compliance officer. The review should include testing of internal controls and transactional systems and procedures to identify problems and weaknesses and, if necessary, recommend to management appropriate corrective actions.
The scope and frequency of the review will depend on the money services business' risk assessment, which should take into account the business' products, services, customers, and geographic locations. For some money services businesses, based on their risk assessments, an annual review may not be necessary; for others, more frequent reviews may be warranted.
The person or persons responsible for conducting the review should document the scope of the review, procedures performed, transaction testing completed, if any, findings of the review, and recommendations to management for corrective actions, if any. After the review, the reviewer or the designated compliance officer should track deficiencies and weaknesses discovered during the review and document corrective actions taken by the money services business.
back to top
Question: How often does an institution need to scan their customer database against the OFAC list?
Answer: The frequency of running an OFAC scan must be guided by your internal bank policy and procedures. Keep in mind, however, that if your bank fails to identify and block a target account (of a terrorist, for example), there could be "real world" consequences such as a transfer of funds or other valuable property to an SDN, an enforcement action against your bank, and negative publicity.
OFAC agrees that financial institutions should take a risk-based approach when considering the likelihood that they may encounter OFAC issues. The functional regulators examine financial institutions to determine the adequacy of each institution's OFAC program and the effectiveness of its risk management. To assist banks with building a risk-based program, OFAC has provided a matrix to assist in identification of low, moderate and high areas (OFAC Risk Matrix: http://www.treas.gov/offices/enforcement/ofac/faq/matrix.pdf)
back to top
Question: Can you please tell me where I can find country codes ?
Answer: There is probably more than one way to find these country codes, but one source is FinCEN's website. They have published a list of two-digit codes for countries, states and territories. See list at http://www.fincen.gov/country_and_state_codes.pdf
back to top
Question: How do the requirements of the CIP rule apply to a loan that is renewed, or a certificate of deposit that is rolled over?
Answer: The CIP rule applies to a "customer," generally, "a person that opens a new account." "Account" means a formal banking relationship established to provide or engage in services, dealings, or other financial transactions including a deposit account, a transaction or asset account, a credit account, or other extension of credit. For purposes of the CIP rule, each time a loan is renewed or a certificate of deposit is rolled over, the bank establishes another formal banking relationship and a new account is established. However, the rule provides that the term "customer" does not include a person that has an existing account with the bank, provided that the bank has a reasonable belief that it knows the true identity of the person.
In each of these cases, the customer has an existing account. Therefore, as long as the bank has a reasonable belief that it knows the person's true identity, the bank need not perform its CIP when a loan is renewed or certificate of deposit is rolled over. However, if a new customer is added to the loan or deposit account, the bank would need to satisfy the CIP rule with respect to that new account relationship.
back to top
Question: Do all these suspicious activity reports (SARs) really help law enforcement?
Answer: According to the Financial Crimes Enforcement Network (FinCEN) the financial data, collected from financial institutions under the Bank Secrecy Act (BSA), has proven to be of considerable value in money laundering, terrorist financing and other financial crimes investigations by law enforcement. When combined with other data collected by law enforcement and the intelligence communities, BSA data assists investigators in connecting the dots in their investigations by allowing for a more complete identification of the respective subjects with information such as personal information; previously unknown addresses, businesses and personal associations; banking patterns; travel patterns; and communication methods.
The value of BSA data relative to counterterrorism matters produces additional information about subject(s) under investigation and their methods of operation. Counterterrorism investigators analyze the data to acquire biographical and descriptive information, to identify previously unknown subject associates and/or co-conspirators, and, in certain instances, to determine the location of subject(s) by time and place. The FBI, using information technology, reviewed approximately 71 million BSA documents for their relevance to counterterrorism investigative and intelligence matters and identified more than 88,000 SARs and Currency Transaction Reports (CTRs) that bore some relationship to subjects of terrorism investigations.
back to top
Question: Is a state-licensed check-cashing business exemptible under the BSA?
Answer: The reformed CTR exemption regulations do not distinguish between a "licensed" or "non-licensed" business. In determining whether any check-cashing business is eligible for exemption from currency transaction reporting requirements, a depository institution must determine whether the business falls into either of two categories (Listed or Non-listed Businesses) identified in the Bank Secrecy Act (BSA) regulation.
If a business engages in money service business activities (e.g., money transmission or check cashing), it may be treated as a non-listed business so long as no more than 50% of its gross revenues is derived from one or more of the ineligible business activities listed in the exemption regulation. One of the ineligible business activities listed in the regulation is serving as a financial institution. Under the BSA, the definition of "Financial Institution" includes money services businesses (MSBs).
So, for example, a check casher (whether licensed or non-licensed) that cashes checks in an amount more than $1,000 in currency or monetary instruments for any one person on any one day and is not involved in any other ineligible business activity, or derives no more than 50% of its gross revenue from any such business or the check cashing, may be exempted from CTR reporting requirements as a non-listed business. However, you must work closely with your institutions BSA or Compliance Officer to make sure they are aware of any potential risks which could occur by exempting this type of company. Some check-cashing businesses are viewed as high risk, required to register on a Federal level with FinCEN and must implement an anti-money laundering program similar to a bank. Failure to comply with these rules could increase the risk to the bank and deter you from exempting them.
back to top
Question: Does FinCEN prepare and distribute training materials?
Answer: FinCEN does not currently prepare or distribute training videos or materials. FinCEN frequently participates in conferences and other forums to discuss BSA reporting and recordkeeping requirements, developments relating to FinCEN's regulations, and counter money laundering efforts.
FinCEN's publications also impart information that may be useful in the preparation of training materials, such as FinCEN Advisories, SAR Bulletins, and The SAR Activity Review: Trends, Tips & Issues, which are available on FinCEN's web site (http://www.fincen.gov), under the tab for "Publications." Other reference materials, including answers to frequently asked questions, can be found on FinCEN's web site under the tab titled "Regulatory."
back to top
Question: We did not properly file a CTR, what do we need to do?
Answer: First you need to make sure your Bank Secrecy Act Officer is aware of the situation so they can properly address it. Typically when banks become aware of transactions that were not properly reported to the government, they will need to take the following steps:
- The bank must make sure they are filing CTRs on all reportable transactions going forward;
- Put the proper controls in place to prevent this event from occurring in the future; and
- Contact the Internal Revenue Service (IRS) to request a determination on whether the backfilling of the unreported transaction(s) is necessary.
back to top
Question: Provide some examples of suspicious activity that a Bank Teller should look for?
Answer: This is a difficult question to answer because there are so many different types of scenarios and situations. However, whenever something appears out of the ordinary or gives you a strange feeling, you should immediately notify your BSA Department. They will review the customer and/or their transactions to determine if it is indeed suspicious.
Here are just a few examples of potentially suspicious activities that you should report:
- A customer presents an unusual or suspicious form of identification that is difficult to verify or appears to be counterfeit.
- Customer refuses to explain the purpose of their transactions, source of funds or appears nervous.
- The transactions in the account do not appear consistent with the lifestyle of a particular individual or normal for a certain type of business.
- Sudden change in account activity, such as a large cash deposit or sending an international wire.
- Customer frequently accesses a safe deposit box before or after a large cash transaction.
- Asking to exchange small bills for large-dollar denominations.
- Appears to be conducting cash transactions just below the Currency Transaction Reporting (CTR) or Monetary Instrument Log limits.
back to top
Question: Are social security numbers are being recycled?
Answer: We went to the Social Security Administration with your question, and it says social security numbers are not recycled after the number holder's death. Even though the SSA has issued more than 400 million social security numbers and assigns about five and a half million new numbers a year, there are enough new numbers for several future generations to come without having to change the numbering system.
If you have a customer saying this, I would encourage you to contact your Corporate Security or the BSA/AML Department to investigate and determine if they are trying to use a false identity.
back to top
Question: What types of financial and non-financial businesses are considered to be a higher risk for laundering money?
Answer: There are several types of businesses or services that are considered to have greater vulnerability to money laundering schemes. Most of these allow the quick movement of funds or the ability to convert and disguise the source of illegitimate cash. Some of the higher risk banking services include, but are not limited to, international wires, foreign correspondent banking and payable through accounts, ACH transfers, debit cards and online banking.
Non-bank financial institutions that are viewed by criminals as attractive vehicles for money laundering include money service businesses (e.g. check cashiers), money remitters, insurance companies and securities broker-dealers. There are also several other businesses, such as pawn shops, jewelers or precious metals dealers, or automobile, boat and plane dealers, that could be considered at risk for money laundering schemes.
back to top
Question: How can I confirm if a money services business is registered with the government?
Answer: The U.S. Treasury Department's Financial Crimes Enforcement Network (FinCEN) has posted on its Website a list of all money services businesses (MSBs) in the U.S. and its territories that have registered under the mandatory registration provisions of the Bank Secrecy Act. The list even includes some Canadian registrants in Ontario and British Columbia.
The list includes over 20,000 businesses that have registered with FinCEN as an MSB since December 2001, when the registration rules took effect. The rule is designed to provide banks and the U.S. law enforcement community with a virtual telephone book of MSBs, which include a wide variety of businesses that include money transmitters, check cashers and businesses that sell stored value products. The list is arranged alphabetically - first by state, then by city, and finally by registrant name within each city.
To take advantage of the FinCEN registered MSB list, go to http://www.fincen.gov/msbstateselector.html and select a state, territory or province name from the drop-down box. Click the OK button, and this will take you to the complete MSB listing for the area of your choice.
back to top
Question: Should a casino be registered as a Money Services Business?
Answer: It depends. If the casino meets the regulatory definition established by FinCEN for "casinos" they would not be required to comply with money services business (MSB) rules. However, casinos that do not meet this definition and provide MSB services must comply with MSB requirements. For example, casinos that have gaming revenue of $1 million or less do not meet FinCEN's definition of a casino and would be subject to MSB regulations. Also, if a tribal casino leases space to a third-party business providing check cashing or fund transfer services, that business would be required to comply with MSB rules. Be sure to contact your BSA/AML Department to discuss these types of scenarios in order to make sure our customer and the bank are complying.
back to top
Question: Do currency transactions of exactly $10,000 require a CTR?
Answer: No. Currency transactions that aggregate to $10,000 or less do not require a Currency Transaction Report (CTR). Financial institutions are obligated to file CTRs for currency transactions over $10,000.
back to top
Question: If a business only cashes its own employees' payroll checks, is it a money services business?
Answer: If a business only cashes their employee's payroll checks, they would not be considered a money service business. However, if the business cashed checks other than its own business checks in an amount exceeding $1,000 for any person in one day in one or more transactions, the business would be defined as a check casher under the Bank Secrecy Act and be required to register as a money services business and be obligated to comply with all applicable Bank Secrecy Act programmatic, recordkeeping, and reporting requirements.
back to top
Question: Can you provide the regulatory definition of "structuring"?
Answer: The definition of structuring (which was implemented before the Patriot Act) states, "a person structures a transaction if that person, acting alone or in conjunction with, or on behalf of, other persons, conducts or attempts to conduct one or more transactions in currency in any amount, at one or more financial institutions, on one or more days, in any manner, for the purpose of evading the CTR filing requirements."
For example, a customer may structure currency deposit or withdrawal transactions, so that each is less than the $10,000 CTR filing threshold. An individual may also use currency to purchase official bank checks, money orders, or traveler's checks with currency in amounts less than $10,000 or exchange small bank notes for large ones in amounts less than $10,000.
However, two transactions slightly under the $10,000 threshold conducted days or weeks apart may not necessarily be structuring. For example, if a customer deposits $9,900 in currency on Monday and deposits $9,900 in currency on Wednesday, it should not be assumed that structuring has occurred. Instead, further review and research may be necessary to determine the nature of the transactions, prior account history, and other relevant customer information to assess whether the activity is suspicious. Be sure to contact the Bank Secrecy Act Officer if you feel someone might be structuring their transactions.
back to top
Question: What is the role of an Anti-Money Laundering Compliance Officer?
Answer: The Anti-Money Laundering (AML) Officer is responsible for the overall development and implementation of the banks AML program. This position is appointed by the board of directors and the program must be approved by them annually.
The AML Officer is expected to monitor changes in the AML regulations, notify employees of those changes and make the necessary changes to the AML program. In order to have a good AML program, the AML Officer must develop and maintain adequate policies and procedures, oversee the transactional monitoring function to detect suspicious activity, ensure timely and accurate filing of required reports, conduct training and work closely with regulators.
back to top
Question: What is OFAC and what does it do?
Answer: The Office of Foreign Assets Control (OFAC) was formally created in December 1950, following the entry of China into the Korean War, when President Truman declared a national emergency and blocked all Chinese and North Korean assets subject to U.S. jurisdiction. Today, OFAC has expanded its role by administering and enforcing economic sanction programs primarily against countries and groups of individuals, such as terrorists and narcotics traffickers. OFAC administers a number of U.S. economic sanctions and embargoes that target geographic regions and governments (such as Cuba, Cote d'Ivoire, Iran, Iraq, Libya, North Korea, Sudan, Liberia, Zimbabwe, Sierra Leone, Syria and Burma [Myanmar]). In addition to targeted countries, it is very important to note that OFAC publishes a list of Specially Designated Nationals and Blocked Persons ("SDN list") which includes over 3,500 names of companies and individuals who are connected with terrorists and narcotics dealers throughout the world.
All U.S. persons must comply with OFAC regulations, including all U.S. citizens and permanent resident aliens regardless of where they are located within the United States. This also includes all U.S. businesses and their foreign branches. The fines for violations can be substantial. Depending on the program, criminal penalties can include fines ranging from $50,000 to $10,000,000 and imprisonment ranging from 10 to 30 years for willful violations. If you have any questions or concerns about OFAC or a possible OFAC "hit" on a customer, please contact your Bank Secrecy / Anti-Money Laundering Officer.
back to top
Question: What is the difference between Customer Identification Program and Customer Due Diligence?
Answer: The Customer Identification Program (CIP) is a regulatory requirement that requires certain financial institutions to identify and verify the identity of customers who open accounts. The bank must gather enough information to form a reasonable belief that it knows the true identity of each customer. The CIP program must include account opening procedures that specify the identifying information that will be obtained from each customer.
The concept of Customer Due Diligence (CDD) begins with verifying the customer's identity (i.e., by means of the CIP) and then assessing the risks associated with that customer or account. CDD often includes obtaining additional customer information which enables a bank to predict with relative certainty the types of transactions in which a customer is likely to engage and assists the bank in determining when transactions are suspicious. Some common CDD questions for customers include: "Can you please tell me how much cash you expect to deposit into your account each month?" or "How many international wires will you receive and why?"
CDD aids the bank in detecting and reporting unusual or suspicious transactions that potentially expose the banking organization to financial loss, increased expenses, or reputational risk. Please contact your BSA/AML Officer if you have any questions or concerns about CIP or CDD procedures.
back to top
Question: Does the responsibility to file a SAR rest on whether or not a loss has occurred?
Answer: When filing a suspicious activity report (SAR), it does not matter if your institution suffered a financial loss or not. The law requires a SAR filing if the suspicious transaction involves at least $5000 and you know or suspect that the transaction involves funds derived from illegal activities or is intended to hide or disguise funds; is intended to evade BSA requirements; or, has no apparent lawful purpose or is not the type of transaction one would expect from the particular customer conducting the transaction. Additionally, the enforcement action against AmSouth Bank specifically stated that SAR filings are not contingent on bank losses.
back to top
