Copyright © 2007 Deloitte Development LLC. All rights reserved. BSA/AML Update Peter Fitzgerald Principal Deloitte & Touche LLP

Copyright © 2007 Deloitte Development LLC. All rights reserved. Evolving Regulatory Approach Risk-based supervisory approach Establish a “culture of compliance” –Set tone at the top Top management is ultimately responsible for compliance –Business is responsible for day-to-day compliance –Compliance management plays a key role in corporate governance, monitoring and advisory functions

Copyright © 2007 Deloitte Development LLC. All rights reserved. Evolving Regulatory Approach (cont.) Greater reliance on institution’s own monitoring Focus on systems, procedures and controls Compliance with “letter and spirit” of the law Enforcement actions are mainly being driven by failure of institutions to adequately design and/or implement their BSA/AML programs, e.g., –Failure to effectively file SARs –Insufficient resources/oversight –Inadequate testing –Missing the risks

Copyright © 2007 Deloitte Development LLC. All rights reserved. Evolving Regulatory Approach (cont.) “Examiners expect to find certain core principles of risk management including, top level involvement, clear responsibilities at each level of management, independence of risk controls, strong well- developed systems and effective monitoring and reporting.” Mary Ann Gadziala, Associate Director, OCIE, Securities and Exchange Commission “A culture of compliance should establish – from the top of the organization – the proper ethical tone that will govern the conduct of business. In many instances, senior management must move from thinking about compliance as a cost center to considering the benefits of compliance in protecting against legal and reputational risks that can have an impact on the bottom line.” Former Governor Susan Schmidt Bies, Board of Governors of the Federal Reserve System

Copyright © 2007 Deloitte Development LLC. All rights reserved. BSA/AML Program Should Be Based A Risk-Based One Process People Technology Threads Policy & Procedures Account / Transaction Monitoring Record Keeping / Retention AML Regulatory Requirements Risk Profile Testing Governance Risk Assessment P&P / Structure CIP/CDD/EDD Reporting Organization & Controls Maintenance Training / Testing

Copyright © 2007 Deloitte Development LLC. All rights reserved. Characteristics of a BSA/AML Program Provide adequate human and financial resources Provide compliance staff with appropriate authority and independence Link compliance objectives to Senior Management’s goals (and compensation) Identify and assess compliance risk across the entire organization Maintain understanding of applicable laws and regulations Establish policies, procedures and internal controls

Copyright © 2007 Deloitte Development LLC. All rights reserved. Characteristics of a BSA/AML Program (cont.) Develop risk measurement, monitoring and MIS to provide timely reports Establish internal controls for analyzing new business activities and products Establish an escalation process for reporting identified risks or breaches Take corrective actions/interim controls to address breaches and track exceptions until resolved Ensure compliance staff objectivity and independence from business lines

Copyright © 2007 Deloitte Development LLC. All rights reserved. Readiness Level Risk AssessmentCompliance Organization MonitoringReportingIndependent Testing 1 No Risk AssessmentA Written Program Board Approval Manual Efforts, No Standards Set Manual Efforts, Inconsistent Standards across business units No Independent Testing or testing is not effective 2 Risk Assessment Completed at the BU Level for High Risk Businesses based on products and services but not quantity of risk assessment Policies and Procedures are defined but not adequate to address the risks defined to the BU Level Standards Set at the BU level. Technology is in place but not effectively implemented Some Automation, Inconsistent Standards across Business Units results in incomplete or inconsistent reporting Testing takes place but is not risk based, does not cover assessment of the business compliance unit and is not effective 3 Risk Assessment Completed at the BU level for all LOBS Policies and Procedures are defined and are adequate to address the risks defined to the BU Level Standards Set at the BU Level. Technology is in place at BU and effectively implemented Automation and Consistent BU standards are in place however inability to aggregate at the enterprise level results in unclear reporting Testing takes place, is somewhat effective and is aligned with Enterprise Risk Assessment 4 High Level Risk Assessment completed for the enterprise Policies and Procedures are defined and are adequate to address the risks defined to the enterprise Standards are set at the Enterprise Level. Supporting Technology is in place at the enterprise level but not effectively implemented Automated Reporting and enterprise standards are in place Testing is effective and aligned with the enterprise 5 Detailed Enterprise Risk Assessment for all lines of business and is communicated to the Board as well as key business owners Culture of Compliance is imbedded into the corporate DNA and is embedded into operational process of all of the business units Ongoing refinement of policies and procedures is way of life Technology is in place at the enterprise level and the organization has the ability to monitor accounts for suspicious activity based on the total relationship and transaction life cycle SAR Reporting threshold is consistently applied across business units Sr Management and Board Level reporting is consistent and effective in a culture of compliance Attests to overall integrity/effectivenes s of management and controls Where is Your Organization? A method to project, manage and monitor progress

Copyright © 2007 Deloitte Development LLC. All rights reserved. 9 Motivation for Compliance Privileged and Confidential Fulfilling a social responsibility for the companies and a moral imperative for the individuals. Guarding your employment, good name, professional integrity, and the good name of your company. Avoiding criminal and civil liability under the BSA as well as money laundering laws, regulatory enforcement actions, and related shareholder suits. Avoiding aggressive scrutiny by regulators and a loss of confidence in your company by the regulators. Trust and good will lost are hard to regain.

Copyright © 2007 Deloitte Development LLC. All rights reserved. Contact Information Peter Fitzgerald Principal Deloitte & Touche LLP

Copyright © 2007 Deloitte Development LLC. All rights reserved. About Deloitte Deloitte refers to one or more of Deloitte Touche Tohmatsu, a Swiss Verein, its member firms and their respective subsidiaries and affiliates. Deloitte Touche Tohmatsu is an organization of member firms around the world devoted to excellence in providing professional services and advice, focused on client service through a global strategy executed locally in nearly 150 countries. With access to the deep intellectual capital of 120,000 people worldwide, Deloitte delivers services in four professional areas, audit, tax, consulting and financial advisory services, and serves more than one-half of the world’s largest companies, as well as large national enterprises, public institutions, locally important clients, and successful, fast-growing global growth companies. Services are not provided by the Deloitte Touche Tohmatsu Verein and, for regulatory and other reasons, certain member firms do not provide services in all four professional areas. As a Swiss Verein (association), neither Deloitte Touche Tohmatsu nor any of its member firms has any liability for each other’s acts or omissions. Each of the member firms is a separate and independent legal entity operating under the names “Deloitte”, “Deloitte & Touche”, “Deloitte Touche Tohmatsu” or other related names. In the US, Deloitte & Touche USA LLP is the US member firm of Deloitte Touche Tohmatsu and services are provided by the subsidiaries of Deloitte & Touche USA LLP (Deloitte & Touche LLP, Deloitte Consulting LLP, Deloitte Financial Advisory Services LLP, Deloitte Tax LLP and their subsidiaries), and not by Deloitte & Touche USA LLP. The subsidiaries of the US member firm are among the nation's leading professional services firms, providing audit, tax, consulting and financial advisory services through nearly 30,000 people in more than 80 cities. Known as employers of choice for innovative human resources programs, they are dedicated to helping their clients and their people excel. For more information, please visit the US member firm’s web site at This presentation contains general information only, including the results of an informal survey conducted by Deloitte & Touche LLP. Deloitte & Touche LLP is not, by means of this presentation, rendering accounting, business, financial, investment, legal, tax, or other professional advice or services. This presentation is not a substitute for such professional advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified professional advisor. Deloitte & Touche LLP, its affiliates and related entities shall not be responsible for any loss sustained by any person who relies on this publication.