TECHNOLOGY RELIANCE
NOTE OF CAUTION:
An unverified but illustrative story about technology
limitations involves a global bank that realized it had
an unusually large number of astronauts as customers.
Some digging into the issue uncovered the fact that
astronaut was one of the choices that was visible when
the Occupation drop down box was first shown, and it
turned out to be a favorite choice when front line staff
was in a hurry to open accounts.
KNOW YOUR CUSTOMER:
Get it Right
Getting KYC right requires clear
delineation of roles and responsibilities
across the first and second lines of
defense in a bank.
BY JOHN ATKINSON, CAMS
Contents
NOVEMBER–DECEMBER 2015 | VOL. 36 | NO. 6
“How you think
about your customers
influences how you
respond to them.”
Design & Build Best-in-Class Customer Remediation
Framework Insights
BY JONATHAN SHIERY
Minimize losses from operational breakdown | Protect customer experience | Quickly control root cause of issues
Ensure completeness and accuracy of root
cause identification, impacted customer populations, and remediation approaches?
Take advantage of economies of scale and knowledge
sharing?
Communicate and respond to key senior management, regulator, and compliance stakeholders?
Empower individual lines of business to be responsive and
flexible while ensuring all business and regulatory requirements are satisfied, including incorporating revised forms,
procedures, software processes, additional training, and any
—Marilyn Suttle
Rapid mobilization and response to operational issues
‘Best-In-Class’
Remediation
Capability
GONE ARE THE DAYS when tracking a suspicious set of transactions was straightforward for the experienced anti-money laundering professional. Money was moved from one account and wired into another with clear origin and destination numbers, after which it might be moved
again to other accounts or withdrawn.
What was once relatively simple is now becoming
remarkably complex as banks continue to modernize
with online services and alternative payment systems,
including everything from prepaid cards, to mobile
banking apps, to virtual currencies. This ongoing
process of innovation is dramatically improving
customer access and experience, but, at the same
time, it is also opening new pathways for cyber
criminals to infiltrate, steal, and cover their tracks
on the money trail.
Earlier this year, a gang of hackers was found
to have infiltrated more than 100 banks in over 30
countries. By using a “spear phishing” campaign, the
hackers lured bank employees to unwittingly open
deceptive emails, providing the hackers with access
and the ability to insert malware that manipulated
the banks’ software, accounting, and ATM systems.
Over a two-year period, as much as $1 billion was
siphoned directly from the banks, and the proceeds
were layered into the hackers’ own accounts, in some
cases using the SWIFT network.1
This is one of many examples taking place at the
intersection of bank compliance and cyber security.
It is a tangled web, as cyber criminals are using both
traditional and alternative payment methods to aid
illegal activities and mask identities while completing
scams at light-speed. With this new breed of criminal,
AML teams are facing their greatest challenges to date.
Regulators are keeping steady and aggressive
watch over how well compliance teams are prepared
to handle these new risks. Banks faced record fines
and regulatory scrutiny of compliance programs in
2014, as U.S. and European banks paid nearly $65
billion in fines and penalties. 2 In addition, twenty of
the world’s biggest banks have paid more than $235
billion in fines and compensation in the last seven
years for breaching a variety of financial regulations. 3
Enforcement and investigations are increasingly
challenging for regulators who are grappling with how
to regulate a changing market with growing risks spread
across cyberspace and the financial services industry.
In June 2015, the New York State Department of
Financial Services (NYDFS) issued its long-awaited
BitLicense—new regulations for all entities engaging
in virtual currency business activity. 4 Notably, the
BitLicense rules require such institutions not only to
have designated compliance personnel and the same
kind of AML procedures that apply to institutions
handling fiat currency, but also detailed cybersecurity
procedures. That is a reflection of how intertwined
cyber crimes and the financial system have become.
NYDFS is pioneering this regulation, but other
regulations will follow.
Regulators are poised to take the same rigorous
approach to investigating bank cybersecurity procedures as they have done with AML. At a recent
conference, former New York State NYDFS superintendent Benjamin Lawsky described cyber crime as
a “huge threat to our financial system” and said “You
are going to see a lot of action around cybersecurity
and the regulation in that area.” 5
With these new regulations and risks, how can
AML teams effectively leverage information about
cyber criminals and identify suspicious transactions
that are anonymous, fast, and hidden within a vast
expanse of other data?
Unfortunately, there is no quick fix to managing
these challenges. It requires a new mindset to understand the risks and then restructure and test programs
to meet those risks. As a start, all banks, regardless of
size, need to answer the following questions:
• How do your cyber and AML teams share
information?
• Do you have a robust transaction monitoring system that is independently validated at least once
per year?
• Are you prepared to review volumes of historical
transaction data if regulators require you to do so?
32 | ABA BANK COMPLIANCE | NOVEMBER–DECEMBER 2015
The Convergence of Anti-Money Laundering
and Cyber Security
BY THOMAS BOCK
BY ALLISON TRIPLETT CRCM, CAMS, CFE,
AND KATHERINE MAY, CAMS, CFE
WE ARE ALL FAMILIAR with the requirements under the Bank Secrecy Act (BSA) governing a successful Anti-Money Laundering (AML) program in which financial institutions must have the following elements:
1. A person responsible for compliance;
2. A written program with a system of internal controls;
3. A training program; and
4. Independent testing.
These components are commonly referred to as the
“pillars” of a BSA/AML program. Often referred to as
the “fifth pillar” are the Customer Identification Program
(CIP) requirements, which stemmed from the Uniting and
Strengthening America by Providing Appropriate Tools
Required to Intercept and Obstruct Terrorism Act of 2001
(USA PATRIOT Act) after the events of September 11, 2001.
Nothing is really new here. But we need to be forward-looking and focus on how the regulators have been enforcing these requirements and what we, as AML
professionals, are expected to have in place at our financial
institutions. We know the “what” and the “why”, but we
need to constantly reevaluate the “how.” Criminals stay
ahead of the curve and the bar keeps rising as examiners
expect us to evolve continuously, strengthen controls, and
determine how the program pillars reinforce each other.
Even if your program has passed examination many times
in the past, it may need some additional attention in
order to withstand more intense scrutiny. A careful
review of recent enforcement actions is a good start
to understand the new “normal” and assess how
our pillars may hold up.
History
In 1970, the U.S. Congress passed the Currency and Foreign
Transactions Reporting Act, which we now commonly know
as the Bank Secrecy Act. This was to ensure banks developed
reporting and recordkeeping procedures and the requirements
to file Currency Transaction Reports (CTRs) that would
assist law enforcement with investigations of crimes. Fast
forward to 1986 when the Money Laundering Control Act
implemented the requirement to monitor
for compliance and imposed criminal liability if persons
structured or avoided the reporting of transactions. And as
previously mentioned, as a reaction to the terrorist actions
of September 11, 2001, the USA PATRIOT Act imposed
requirements to obtain and retain certain information on
customers that open accounts at financial institutions. Roll
all these together with an eye to continuing illegal activities,
including activities in areas not previously used, and we
arrive at the current form of BSA/AML expectations and
efforts in the industry.
As we’ve seen consistently in the past 10+ years, deficiencies of a pillar can result in a Cease and Desist (C&D) order.
A bank can also get a C&D if it fails to correct a previously
reported pillar violation or from other program problems.
Formal written agreements or other enforcement actions
may be used based on the severity of the issues and whether
the financial institution is serious about correcting their
deficiencies appropriately and timely. Through August of
2015 alone, depository institutions were socked with 4
separate enforcement actions specifically for BSA/AML
carrying combined penalties of about $147 Million1. This
figure doesn’t even include the three separate Office of
Foreign Assets Control (OFAC) penalties assessed against
depository institutions during the same period totaling
nearly $259 Million2. Reading these public documents can
identify how breakdowns in any of the pillar requirements
can lead to trouble for management and the bank. It’s never
a bad idea to review enforcement actions for hints that point
to possible weaknesses in the bank’s program.
The Compliance Officer
Let’s look at the first pillar–the BSA/AML Compliance Officer. The BSA/AML Compliance Officer must be approved
by the bank’s Board of Directors, and usually regulators
request to see evidence of this in the minutes. This individual should have a solid AML background and a strong
understanding of BSA/AML and the guidance associated
with it. But it doesn’t stop there; the BSA/AML Compliance Officer should be aware of all lines of business of the
bank and the products and services offered within each
line of business. This will allow the BSA/AML Compli-
BANK SECRECY ACT/ANTI-MONEY LAUNDERING
WILL THE PILLARS SUPPORT THE STRUCTURE?
FEATURES
6 | Know Your Customer: Get it Right
Know Your Customer has been a basic tenet of AML risk
management for a very long time and covers the Customer
Identification Program requirements, Customer Due Diligence
and Enhanced Due Diligence for higher risk customers. This
article explores the facets of Know Your Customer that must
be interconnected to work smoothly and efficiently, and also
looks at the potential impact of the proposed new regulatory
requirements soon to be issued by the FinCEN.
BY JOHN ATKINSON, CAMS
12 | Bank Secrecy Act/ Anti-Money Laundering: Will the
Pillars Support the Structure?
The components of the Bank Secrecy Act are commonly
referred to as the “pillars” of a BSA/AML program. Even if
your program has passed examination many times in the
past, it may need some additional attention in order to
withstand more intense scrutiny. A careful review of recent
enforcement actions is a good start to understand the new
“normal” and assess how our pillars may hold up.
BY ALLISON TRIPLETT CRCM, CAMS, CFE,
AND KATHERINE MAY, CAMS, CFE
18 | Design and Build Best-in-Class Customer Remediation Framework
Insights
Developing a best-in-class remediation process that
effectively responds to operational issues causing consumer
harm, demonstrates how a financial institution thinks
about its customers. This process will be a differentiating
factor in protecting the customer experience and recovering
consumer confidence when issues arise.
BY JONATHAN SHIERY
32 | The Convergence of Anti-Money Laundering and Cyber Security
Cyber criminals are using both traditional and alternative
payment methods to aid illegal activities, and AML teams
are facing their greatest challenges to date. Increasingly,
financial institutions will see the advantages of a strategic,
integrated approach to sharing information among their
cyber and AML teams. Collaboration enhances their value to
the institution, and it makes sense to bring them together in
a coordinated way.
BY THOMAS BOCK
COLUMNS
4 | Compliance
Management
BY CARL G. PRY,
CRCM, CRP
28 | Compliance
Update
BY BRIAN STOECKERT
36 | Regulatory
Insider
BY BONITA JONES
41 | The Other
Side
BY STU LEHR, CRCM
DEPARTMENTS
42 | From the
Hotline
BY LESLIE CALLAWAY,
MA, CRCM, CAMS
MARK KRUHM, CRCM
RHONDA CASTANEDA
44 | Regulatory
Developments
Table
46 | Around the
ABA
48 | Continuing
Education
Quiz