On August 20, the OCC issued Bulletin 2014-41, which announces a new “Merchant Processing” booklet of the Comptroller’s Handbook. This booklet replaces the booklet of the same name issued in December 2001 and provides updated guidance to examiners and bankers on assessing and managing the risks associated with merchant processing activities. Specific updates address: (i) the selection of third-party organizations and due diligence; (ii) technology service providers; (iii) on-site inspections, audits, and attestation engagements, including the “Statement on Standards for Attestation Engagement” (SSAE 16) and the “International Standard on Assurance Engagements” (ISAE 3402); (iv) data security standards in the payment card industry for merchants and processors; (v) the Member Alert to Control High-Risk Merchants (MATCH) list; (vi) BSA/AML compliance programs and appropriate policies, procedures, and processes to monitor and identify unusual activity; and (vii) appropriate capital for merchant processing activities.
On August 20, FinCEN announced an action against a casino employee who admitted to violating the Bank Secrecy Act by willfully causing the casino to fail to file certain reports. FinCEN asserted based in part on information obtained from an undercover investigation that the employee helped high-end gamblers avoid detection of large cash transactions by agreeing not to file either Currency Transaction Reports or Suspicious Activity Reports as required under the BSA. FinCEN ordered the employee to pay a $5,000 civil money penalty, and immediately and permanently barred him from participating in the conduct of the affairs of any financial institution located in the U.S. or that does business within the U.S.
On August 11, FinCEN issued Advisory FIN-2014-A007 to provide guidance regarding BSA/AML compliance programs. Specifically, the guidance recommends that institutions create a “culture of compliance” by ensuring that: (i) leadership actively supports and understands compliance efforts; (ii) efforts to manage and mitigate BSA/AML deficiencies and risks are not compromised by revenue interests; (iii) relevant information from the various departments within the organization is shared with compliance staff to further BSA/AML efforts; (iv) the institution devotes adequate resources to its compliance function; (v) the compliance program is effective by, among other things, ensuring that it is tested by an independent and competent party; and (vi) leadership and staff understand the purpose of the institution’s BSA/AML efforts. The guidance follows numerous public remarks by FinCEN Director Jennifer Shasky Calvery and other financial regulators and enforcement authorities calling for stronger compliance cultures, particularly with regard to BSA/AML compliance. Director Shasky Calvery reinforced that message in an August 12, 2014 speech in which she asserted that, in the enforcement matters she has seen, a culture of compliance “could have made all the difference.” In the same speech, Ms. Shasky Calvery criticized—as Comptroller of the Currency Thomas Curry also did earlier this year—financial institutions which may be “de-risking” by preventing certain categories of businesses from accessing banking services. She stressed that “just because a particular customer may be considered high risk does not mean that it is ‘unbankable’,” and called on banks to develop programs to manage high risk customer relationships.
On August 14, Freddie Mac issued Bulletin 2014-15, which reminds seller/servicers subject to the AML requirements of the BSA that they are expected to maintain an AML compliance program and are required to report to Freddie Mac any instances of AML program noncompliance. Effective October 1, 2014, Freddie Mac is also requiring seller/servicers not subject to the AML provisions of the BSA to develop internal controls and policies and procedures to detect and report Suspicious Activity to Freddie Mac (but without the requirement to file SARs). Additionally, the Bulletin notifies seller/servicers that, effective October 15, 2014, Freddie Mac will require wholly-owned subsidiaries of seller/servicers that are federally-regulated depository institutions to obtain separate Freddie Mac seller/servicer approvals. The Bulletin also: (i) provides that seller/servicers can waive the requirement for flood insurance for non-residential detached structures located on the Mortgaged Premises; (ii) clarifies ULDD data points; (iii) updates Freddie Mac’s certificate of incumbency for sellers and warehouse lenders (effective October 1, 2014); and (iv) updates miscellaneous manufactured home requirements.
On July 30, FinCEN released a proposed rule that would amend BSA regulations to clarify and add customer due diligence (CDD) obligations for banks and other financial institutions, including brokers or dealers in securities, mutual funds, futures commission merchants, and introducing brokers in commodities. The rule would not cover other entities subject to FinCEN regulations that are not already required to have a customer identification program (CIP)—e.g money services businesses—but FinCEN may extend CDD requirements in the future to these, and potentially other types of financial institutions. The proposed rule states that as part of the existing regulatory requirement to have a CIP, covered institutions are already obligated to identify and verify the identity of their customers. The proposed rule would add to that base CDD requirement, new requirements to: (i) understand the nature and purpose of customer relationships; and (ii) conduct ongoing monitoring to maintain and update customer information and to identify and report suspicious transactions. The proposed rule also would add a so-called beneficial ownership requirement, which would require institutions to know and verify the identities of any individual who owns at least 25% of a legal entity, or who controls the legal entity.
FinCEN emphasizes that nothing in the proposal is intended to limit the due diligence expectations of the federal functional regulators or in any way limit their existing regulatory discretion. To that end, the rule would incorporate the CDD elements on nature and purpose and ongoing monitoring into FinCEN’s existing AML program requirements, which generally provide that an AML program is adequate if, among other things, the program complies with the regulation of its federal functional regulator governing such programs. FinCEN does not believe that the new CDD requirements will require covered institutions to perform any additional activities or operations, but acknowledges the rule may necessitate revisions to written policies and procedures. FinCEN also recognizes that financial institutions will be required to modify existing customer onboarding processes to incorporate the beneficial ownership requirement. As such, FinCEN proposes an effective date of one year from the date the final rule is issued. Comments on the proposal are due 60 days from publication of the proposal in the Federal Register.
On July 1,Fannie Mae issued Selling Guide Announcement SEL-2014-09 to remind lenders and originators—as it recently did for servicers—of their obligations to be in compliance with applicable provisions of the Bank Secrecy Act and its implementing regulations and to have internal policies, procedures, and controls in place to identify suspicious activities.
On June 20, Fannie Mae issued Servicing Guide Announcement SVC-2014-11, which reminds servicers that under a recent FinCEN rule, Fannie Mae is considered a financial institution subject to BSA requirements. The announcement advises servicers subject to the AML provisions of the BSA that they are obligated to be in compliance with the BSA, and to report to Fannie Mae: (i) all instances of noncompliance, compliance failures, or sanctions related to BSA/AML requirements; (ii) suspicious activity related to Fannie Mae loans or business activities; and (iii) changes in ownership interest. Servicers may implement these requirements immediately, but are required to do so no later than August 25, 2014.
On June 25, the OCC published its semiannual risk report, which provides an overview of the agency’s supervisory concerns for national banks and federal savings associations, including operational and compliance risks. As in prior reports and as Comptroller Curry has done in speeches over the past year, the report highlights cyber-threats and BSA/AML risks. The OCC believes cyber-threats continue to evolve and require heightened awareness and appropriate resources to identify and mitigate the associated risks. Specifically, the OCC is concerned that cyber-criminals will transition from disruptive attacks to attacks that are intended to cause destruction and corruption. Extending another recent OCC theme, the report notes that the number, nature, and complexity of both foreign and domestic third-party relationships continue to expand, resulting in increased system and process interconnectedness and additional vulnerability to cyber-threats. The report also states that BSA/AML risks “remain prevalent given changing methods of money laundering and growth in the volume and sophistication of electronic banking fraud.” The OCC adds that “BSA programs at some banks have failed to evolve or incorporate appropriate controls into new products and services,” and again cautions that a lack of resources and expertise devoted to BSA/AML risk management can compound these concerns. Finally, the OCC expressed concern that competitive pressures in the indirect auto market are leading to an erosion of underwriting standards. The OCC’s supervisory staff plans to review retail credit underwriting practices at banks, especially for indirect auto.
On June 5, the FDIC and a Delaware bank entered a consent order that prohibits the bank from entering into any new relationships with third-party prepaid card processors or prepaid card program managers until the FDIC approves a written report from the bank that details the steps taken by the bank to (i) implement new BSA compliance policies and procedures; (ii) improve staff training; (iii) implement controls sufficient to mitigate BSA and safety and soundness risk associated with prepaid card, credit card merchant acquiring, and ACH activities; and (iv) perform a BSA risk assessment. The order similarly restricts the bank’s activities related to credit card merchant acquiring and ACH merchant payment processing. The order does not prohibit the bank from issuing prepaid cards through existing distribution channels under existing contracts with third-parties, but does restrict certain activities related to existing credit card and ACH processing activities. In addition, the bank must (i) retain and designate BSA and OFAC officers; (ii) conduct a suspicious activity reporting look-back review; and (iii) submit periodic progress reports. Finally, the order requires increased board supervision of the bank’s BSA compliance program and mandates the creation of a board-level BSA committee.
On April 29, FinCEN issued five rulings in response to companies who sought clarification regarding whether their company is a money service business under the BSA. In FIN-2014-R006, FinCEN determined that a company that operates an online real-time deposit, settlement, and payment services platform for banks, businesses, and consumers is considered a money transmitter, not a provider of prepaid access, and should be registered as a money services business under BSA regulations. In two other rulings—FIN-2014-R004 and FIN-2014-R005— FinCEN clarified the exemption from the money transmitter definition for persons that accept and transmit funds “only integral to the sale of goods or the provision of services, other than money transmission services.” FinCEN determined that the escrow services at issue in FIN-2014-R004 and the transaction management services at issue in FIN-2014-R005 fit within that exemption because the acceptance and transmission of funds in these cases is not a separate and discrete service in addition to the underlying service, but instead is a necessary and integral part of the service itself. Therefore, these companies are not considered to be money transmitters subject to registration. FinCEN determined in FIN-2014-R007 that a company that rents computer systems used to mine virtual currencies is not a money transmitter. Finally, in FIN-2014-R008, FinCEN determined that although the company, which uses armored cars to facilitate the exchange of coins and cash, does not qualify for the “armored car” exemption in the money transmitter definition, it is still not considered a money transmitter. FinCEN stated that the transportation of currency and/or coin of certain denominations from the company’s vault to the customer’s location and the return transportation of currency and/or coin in the exact amount of the change provided to the company’s own vault does not constitute the acceptance of value from one person and the transportation of such value to another person or location.
Comptroller Curry Addresses Senior Management’s AML Compliance Responsibilities, Criticizes “De-Risking”
On March 17, Comptroller of the Currency Thomas Curry reaffirmed his agency’s views with regard to BSA/AML compliance and the responsibilities of senior bank managers and boards of directors. Mr. Curry asserted that BSA infractions “can almost always be traced back to decisions and actions of the institution’s Board and senior management” and that the deficiencies underlying those infractions tend to involve failures in four areas: (i) the culture of compliance at the organization; (ii) the resources committed to BSA compliance; (iii) the strength of information technology and monitoring process; and (iv) the quality of risk management. Mr. Curry reported a recent positive trend, particularly at OCC-regulated large banks, which have increased spending and added BSA/AML compliance staff. He stated that such actions are one aspect of banks’ efforts to align “good compliance practices and the bank’s system of compensation and incentives.” The Comptroller criticized a separate trend of “de-risking”, in which banks avoid or end relationships with types of businesses deemed too risky. He warned that any business can be used for illicit purposes and “de-risking” is not a shortcut to circumvent a bank’s obligation to evaluate risk on an individual basis. He encouraged banks not to avoid high-risk businesses, but rather to apply stronger risk management and controls as necessary.
On February 20, in remarks to the Florida International Bankers Association Anti-Money Laundering Conference, FinCEN Director Jennifer Shasky Calvery reviewed FinCEN’s key initiatives over the past year and outlined priorities going forward. She discussed FinCEN’s efforts with regard to virtual currency risks and stated that it is important for financial institutions that deal in virtual currency to put effective AML/CFT controls in place. She noted that it is also important for all stakeholders to keep virtual currency concerns in perspective given the relatively small size of the market. FinCEN is growing increasingly concerned with third party money launderers who layer transactions, create or use shell or shelf corporations, use political influence to facilitate financial activity, or engage in other schemes to infiltrate financial institutions and circumvent AML controls. FinCEN intends to pursue such actors regardless of where they are located. Director Shasky Calvery also reiterated concerns about securities firms that offer services similar to banks, and promised continued focus on threats posed by trade-based money laundering. With regard to its policy initiatives, FinCEN intends to engage stakeholders in a discussion of “balancing the policy motivations behind data privacy and secrecy laws in different jurisdictions with the need for an appropriate level of transparency to combat money laundering and terrorist financing.” The Director noted that this issue is particularly critical in the area of correspondent banking.
On February 20, FinCEN finalized a rule that will require Fannie Mae, Freddie Mac, and the Federal Home Loan Banks (the GSEs) to develop AML programs and to file SARs directly with FinCEN. Under the current system, the GSEs file fraud reports with the FHFA, which then files SARs with FinCEN when warranted under FinCEN’s reporting standards. The new regulations are substantially similar to the version proposed in November 2011, and are intended to streamline the reporting process and provide more timely access to data about potential fraud. The AML provisions of the new regulations implement the BSA’s four minimum requirements: (i) the development of internal policies, procedures, and controls; (ii) the designation of a compliance officer; (iii) an ongoing employee training program; and (iv) an independent audit function to test programs. The SAR regulation requires reporting of suspicious activity in accordance with standards and procedures contained in all of FinCEN’s SAR regulations. In addition, under the streamlined system, the GSEs and their directors, officers, and employees will qualify for the BSA’s “safe harbor” provisions, which are intended to encourage covered institutions to report suspicious activities without fear of liability. The final rule does not require the GSEs to comply with any other BSA reporting or recordkeeping regulations, such as currency transaction reporting. The rule takes effect 60 days after publication in the Federal Register and the GSEs will have 180 days from publication to comply.
On February 14, FinCEN issued guidance to clarify BSA expectations for financial institutions seeking to provide services to marijuana-related businesses in states that have legalized certain marijuana-related activity. The guidance was issued in coordination with the DOJ, which provided updated guidance to all U.S. Attorneys. The FinCEN guidance reiterates the general principle that the decision to open, close, or refuse any particular account or relationship should be made by each financial institution based on its particular business objectives, an evaluation of the risks associated with offering a particular product or service, its ability to conduct thorough customer due diligence, and its capacity to manage those risks effectively. The guidance details the necessary elements of a customer due diligence program, including consideration of whether a marijuana-related business implicates one of the priorities in the DOJ memorandum or violates state law. FinCEN notes that the obligation to file a SAR is unaffected by any state law that legalizes marijuana-related activity and restates the SAR triggers. The guidance identifies the types of SARs applicable to marijuana-related businesses and describes the conditions under which each type should be filed.
On January 30, in remarks to SIFMA’s AML and Financial Crimes Conference, FinCEN Director Jennifer Shasky Calvery stressed the importance of establishing a “culture of compliance” at financial institutions to support effective AML safeguards. The Director’s comments reinforce similar remarks made in recent months by both the Deputy U.S. Attorney General and Comptroller Curry. And like Comptroller Curry, Ms. Shasky Calvery highlighted the need for better information sharing not only within institutions but between institutions. FinCEN agrees with industry feedback that the agency needs to improve its own ability to share information. Also part of a broader theme among enforcement authorities, the Director explained that financial institutions should take responsibility when their actions violate the BSA, not only by admitting to the facts alleged by FinCEN but also by acknowledging a violation of the law. She highlighted specific risks in the securities sector including those related to the use of cash, and explained that securities firms that provide bank-like services need to consider the vulnerabilities associated with engaging in such services and must ensure that their compliance programs are commensurate with those risks.