Bank Secrecy Act Internal Controls/Fraud


1 Bank Secrecy Act Internal Controls/Fraud
Sarah Bush, CFE, Supervision Analyst
Region III Division of Supervision
Bank Secrecy Act Internal Controls/Fraud
League of Southeast Credit Unions Meeting
July 19, 2017

2 Bank Secrecy Act (BSA) Bank Secrecy Act and Internal Controls/Fraud

3 Bank Secrecy Act REGULATIONS
12 USC 1786(q)(2) requires NCUA to conduct a review of the BSA compliance program at each examination of a federally insured credit union.
12 CFR requires every federally insured credit union to establish a BSA compliance program that, at a minimum:
- Establishes a customer identification program;
- Provides for a system of internal controls to assure ongoing compliance;
- Provides for independent testing for compliance to be conducted by the credit union personnel or outside parties;
- Designates an individual responsible for coordinating and monitoring day-to-day compliance; and
- Provides for training for appropriate personnel.
Title 12 of the U.S. Code, Subchapter 1786 requires… (Read Screen). Part 748 of the NCUA Regulations… (Read Screen).

4 Bank Secrecy Act REGULATIONS
NEW - FinCEN Adds 5th BSA Pillar - Customer Due Diligence (CDD) Rule
- Effective Date – July 2016
- Compliance Date – May 11, 2018
- Requirement – BSA/AML program must include appropriate risk-based procedures for conducting ongoing CDD to understand the nature and purpose of customer relationships and to conduct ongoing monitoring to identify and report suspicious transactions, and, on a risk basis, to maintain and update customer information.
- Intent – FinCEN intends that the legal entity customer identify its ultimate beneficial owner or owners and not “nominees” or “straw men.”
In case you are not aware, FinCEN is issuing a “5th Pillar” called the Customer Due Diligence Rule to amend existing BSA regulation in order to clarify and strengthen customer due diligence requirements.
Requirements:
- To establish and maintain written procedures reasonably designed to identify and verify the beneficial owners of legal entity customers/members.
- These procedures must enable the credit union to identify the beneficial owners of each member at the time a new account is opened, with a few exceptions.
- The procedures must establish risk-based practices for verifying the identity of each beneficial owner identified to the credit union.
ETC….

5 Bank Secrecy Act FEDERAL CREDIT UNIONS
Significant BSA Violations – Administrative Action Progression
- Initial Action – DOR. Resolution within 90 days or less from first identification date.
- Second Action – Preliminary Warning Letter (PWL) or Letter of Understanding and Agreement (LUA). Resolution within 180 days or less from first identification date.
- Third Action – Cease and Desist Order (C&D). Resolution within 270 days or less from first identification date.
- Fourth Action – Civil Money Penalty (CMP). Resolution within 360 days or less from first identification date.
NCUA has an aggressive administrative action progression schedule for the resolution of significant BSA violations in federal credit unions. READ SCREEN
NCUA BSA Instruction No (Rev. 1)

6 Bank Secrecy Act FEDERALLY INSURED, STATE CHARTERED CREDIT UNIONS
State Supervisory Authorities (SSA)
- Examiners-in-Charge: Establish prompt deadlines for state chartered credit unions to comply and correct BSA violations.
- Daily Supervision: Responsible for the daily supervision of state chartered credit unions.
State supervisory authorities act as examiners-in-charge to establish prompt deadlines for state chartered credit union compliance and correction of BSA violations. They are also responsible for the daily supervision of state chartered credit unions. DON’T READ SCREEN

7 Bank Secrecy Act FEDERALLY INSURED, STATE CHARTERED CREDIT UNIONS
State Supervisory Authorities and NCUA work together in enforcing BSA compliance in state chartered credit unions:
- Developing corrective action agreements.
- Monitoring progress in resolution of significant BSA violations.
- Following up on outstanding significant BSA violations.
However, NCUA insures state chartered credit unions and has enforcement authority for state credit unions it examines, so NCUA works closely with SSAs to ensure state credit unions comply with BSA. NCUA examiners work with SSAs to:
- Ensure adequate agreements for corrective action are documented in the examination reports,
- Remain aware of progress made in the resolution of significant BSA violations,
- Follow up to assess the status of corrective action if the significant BSA violations have been outstanding for an unreasonable length of time.
DON’T READ SCREEN
(NOTE: “examined” refers specifically to WCC 11s)

8 Bank Secrecy Act Most Common Significant BSA Violations Cited
Internal Controls
- Outdated BSA risk assessments
- Inadequate suspicious activity monitoring
Training
- Not recent
- Not documented
- Does not cover credit union’s policies/procedures
- No training for board of directors
Mention agency wide – READ SCREEN

9 Bank Secrecy Act Most Common Significant BSA Violations Cited
Customer Identification Program
- No enhanced member due diligence on high-risk members and accounts
Independent Testing
- Does not include all credit union operations
- Not recent (12 to 18 months)
- Not independent

10 Bank Secrecy Act FinCEN ENFORCEMENT FINES
FinCEN has assessed civil money penalties to credit unions for violating Bank Secrecy Act and Anti-Money Laundering program and reporting requirements.
- Bethex FCU - $500,000 (2016)
- North Dade Community Development FCU - $300,000 (2014)
Failure to comply can result in fines ranging from $500 to as much as $1,000,000. Penalties for negligent violation range from $500 - $50,000.
Though we normally hear about banks being fined by FinCEN for BSA violations, credit unions are not immune. If you are not aware, in the last few years, FinCEN has assessed hefty fines to credit unions for significant BSA violations and weaknesses. According to the IRS’ website*, BSA penalties can be staggering. They range from:
- $500 for any negligent BSA violation (or the violation of any regulation prescribed under BSA);
- $50,000 for a pattern of negligent violations; to
- $1,000,000 for willful violations failing to comply with any special measures.
In many cases, the potential fees and penalties are far in excess of a credit union’s net worth. They literally cannot afford to be out of compliance. DON’T READ SCREEN
*Source:

11 Bank Secrecy Act MONEY SERVICES BUSINESSES (MSBs) ACCOUNTS
MSBs offer one or more of the following services:
- Money Orders (issuer, seller, redeemer)
- Traveler’s Checks (issuer, seller, redeemer)
- Check Cashing
- Currency Dealing and/or Exchange
-AND- Conducts greater than $1,000 in the MSB activity for any person on the same day in one or more transactions.
-OR- Provides money transmission and prepaid access services in any amount.
Both of the credit unions fined by FinCEN had significant BSA violations related to MSB activities. As a result, one credit union was conserved (ultimately a P&A) and the other was liquidated.
- Bethex and North Dade – Assets were less than $20 million
- Bethex – Between established relationships with over 70 money transmitters and check cashing companies. This resulted in an increase in volume from $657 million in domestic transactions in 2010 to over $4 billion in domestic and international transactions in 2012
Credit unions often have MSB member accounts and are not aware of it. However, some credit unions make it a critical part of their strategic plan because of the fee income these types of accounts generate. Offering MSB accounts requires a significant investment of a credit union’s time and resources. MSB accounts are typically priced to compensate for this additional time and risk. MSBs are most commonly seen in credit unions as convenience stores, gas stations, and check cashing stores.
Many financial institutions opted to stop serving MSB accounts due to the high risk associated with the volume of transactions, increased risk of money laundering, requirements to monitor activity, and international exposure. So, MSBs may often have a difficult time finding a financial institution that is willing to open accounts or even accept their business. As a result, MSB business owners may or may not opt to disclose the true nature of their business at account opening. So, it is important for credit unions to know what type of daily activities would deem a business an MSB.
DON’T READ SCREEN

12 Bank Secrecy Act MONEY SERVICES BUSINESSES (MSBs) ACCOUNTS MSBs must*:
- Register with FinCEN.
- Renew their FinCEN registration every 24 months.
- Complete additional registrations required at the state level.
- Prepare & maintain a list of their agents every January 1st.
- File Currency Transaction Reports and Suspicious Activity Reports.
- Develop & implement a BSA/AML compliance program.
- Maintain a Monetary Instrument Log to keep adequate records/reports for currency exchanges & funds transfers.
*Requirements can vary by MSB type (i.e. money transmitters must file SARs, but check cashiers currently do not)
READ SCREEN
*Source: Money Laundering Prevention, A Money Services Business Guide Power Point from FinCEN

13 Bank Secrecy Act MONEY SERVICES BUSINESSES (MSBs) ACCOUNTS
Risk Factors Within MSBs:
- Diverse products, services and customer base
- Lack ongoing customer relationships
- Minimal or no identification requirements
- Limited recordkeeping
- Frequent currency transactions
- Various levels of oversight
- Frequent change of product mix, location, operations
In addition to understanding the definition of an MSB, credit unions also need to understand the risks associated with maintaining these accounts. We are not saying MSBs are bad accounts to maintain; we are just saying credit unions need to understand the businesses and the risks associated with maintaining the accounts. FinCEN has developed a BSA/AML Examination Manual specifically for MSBs to deal with their unique risks. READ SCREEN
Source:

14 Bank Secrecy Act MONEY SERVICES BUSINESSES (MSBs) ACCOUNTS
Risk Mitigation Factors:
- Proper identification of MSB relationships
- Adequate assessment of potential risks
- Adequate understanding of the business model and activity of the MSB
- Adequate and ongoing due diligence relative to the risk assessed
- Adequate and ongoing suspicious activity monitoring
- Adequate staffing, expertise, and resources
There are several controls credit unions can implement in risk mitigation. READ SCREEN

15 Bank Secrecy Act MONEY SERVICES BUSINESSES (MSBs) ACCOUNTS
Credit Union Due Diligence Expectations:
- Perform the required Customer Identification Program procedures.
- Confirm that member MSBs register with FinCEN, if applicable.
- Confirm that member MSBs comply with state or local licensing requirements, if applicable.
- Confirm the member MSB’s agent status, if applicable.
FinCEN, NCUA, and the other federal banking agencies have established minimum expectations that banking organizations should meet when providing banking services to MSBs. Based on existing BSA requirements applicable to credit unions, the minimum due diligence expectations associated with opening and maintaining accounts for MSBs are on the screen. READ SCREEN
[Individual states may or may not have their own licensing requirements for MSBs. The credit union should be familiar with the particular requirements in their state.]
[An entity that is an MSB solely because that entity serves as an agent of another MSB is not required to register. However, an entity that is an MSB both because it engages in MSB activities on its own behalf and as an agent of another MSB must register. For example, a supermarket corporation that serves as an agent both of a money order issuer and of a money transmitter is not required to register. However, registration is required if the supermarket corporation – in addition to acting as an agent of a money order issuer – cashed checks or exchanged currency (other than as an agent for another MSB) in an amount greater than $1,000 for any person on any day in one or more transactions. (31 CFR (a)(2).)]

16 Bank Secrecy Act MONEY SERVICES BUSINESSES (MSBs) ACCOUNTS
Credit Union Due Diligence Expectations:
Conduct a BSA/AML risk assessment
- Types of products and services offered by the MSB
- Location(s) and market(s) served by the MSB
- Anticipated account activity and volume
- Purpose of the account
Credit unions should also conduct a BSA/AML risk assessment to document the level of risk associated with the account and whether greater due diligence is necessary. As with any business account, in determining how much, if any, further due diligence would be required for any MSB member, the credit union should consider the following basic information. READ SCREEN

17 Bank Secrecy Act MONEY SERVICES BUSINESSES (MSBs) ACCOUNTS
Credit Union Enhanced Due Diligence:
- Review MSB’s BSA/AML program
- Review results of MSB’s independent testing
- Review written procedures for the operation of MSB
- Conduct on-site visits of MSB
- Review MSB’s written employee screening practices
If a credit union determines that a member MSB presents a higher level of money laundering or terrorist-financing risk, enhanced due diligence measures should be conducted in addition to minimum due diligence procedures. Depending on the level of potential risk, as well as the size and sophistication of a particular MSB, a credit union may pursue some or all of the following actions as part of an appropriate enhanced due diligence review:
Not all money services businesses pose the same level of risk. Each will require a different level of due diligence based on the credit union’s review and assessment. DON’T READ SCREEN

18 Bank Secrecy Act MONEY SERVICES BUSINESSES (MSBs) ACCOUNTS
Identify high-risk members/accounts
- Criteria must be clearly defined by credit union management
- Sample high-risk criteria might include:
  - Members with suspicious activity reports filed in the last 12 months
  - Members requiring 3 currency transaction reports in 2 months during the last year
  - Members who join the credit union online (for the first 6 months)
  - Cash-intensive businesses
  - Members who use high-risk services (wires, electronic transfers)
  - Members who live in high-risk geographic locations (HIDTA, HIFCA)
  - New credit union members
  - Other criteria as defined by management
Once initial account due diligence is complete, the credit union should determine if an account is high-risk (or not) based on their own high-risk account criteria. Each credit union’s criteria should be clearly defined and documented by senior management and the board of directors. Once an account is identified as high-risk, it should be tracked through coding within the credit union’s data processing system or other processes, such as maintenance of a list. In addition to developing, defining, and documenting high-risk account criteria, the credit union must also:
- Define how they will monitor and document the review of these high-risk accounts; and
- Define and document how names can be removed from the list.
DON’T READ SCREEN

19 Bank Secrecy Act MONEY SERVICES BUSINESSES (MSBs) ACCOUNTS
What do examiners look for in credit unions?
- Understanding of risk
- MSB policies, procedures, and risk assessments
- Enhanced member due diligence on MSBs at account opening
- Required MSB documentation
- Annual MSB reviews, site visits, etc.
- Monitoring of the risks associated with large cash transactions, armored car deliveries, international transactions, and remote deposit capture
- Staffing and expertise
- Monitoring of MSBs for CTRs/SARs
- Procedures to suspend or close MSB accounts as needed
- MSB Pricing
READ SCREEN

20 Helpful Resources Bank Secrecy Act www.ncua.gov www.fincen.gov

21 Internal Controls/Fraud

22 Internal Controls/Fraud
Internal Control – Objectives
Should be designed to provide a reasonable assurance of:
- Effectiveness and efficiency of operations
- Reliability of financial reporting
- Compliance with applicable laws and regulations
A credit union’s internal control process should be developed by the board of directors, management, and other personnel and should be designed to provide a reasonable assurance regarding the achievement of three internal control objectives. READ SCREEN

23 Internal Controls/Fraud
Internal Control – Component
Control system formality depends largely on:
- Credit union size
- Sophistication of operations
- Number of employees
- Risk profile
The formality of any control system depends largely on a credit union’s size, the sophistication of its operations, the number of employees, and its risk profile. Small credit unions can design less structured control systems that can achieve similar effectiveness as more formal and structured control systems at larger or more sophisticated credit unions. Credit unions’ risks are different, so there are no “one-size-fits-all” control records or ways to mitigate internal control risk. However…NEXT SLIDE
DON’T READ SCREEN

24 Internal Controls/Fraud
Internal Control – Component
Effective control systems should have:
- Control environment
- Risk assessment
- Control activities
- Accounting, information, and communication systems
- Self-assessment or monitoring
READ SCREEN……
- Control environment – Sort of “tone at the top” – Reflect the commitment of the board and management to internal control.
- Risk assessment – The identification, measurement, and analysis of risks (internal and external), controllable and uncontrollable….
- Control activities – Policies, procedures, and practices…
- Accounting, information, and communication systems – capture and distribute pertinent and timely information in a form that enables the board, management, and employees to carry out their responsibilities.
- Self-assessment or monitoring – the credit union’s own oversight of the control system’s performance…

25 Internal Controls/Fraud
What rising internal control weakness is NCUA seeing in credit unions?

26 Internal Controls/Fraud
Automated Clearing House (ACH) Transactions
Credit unions are experiencing increased losses due to ACH transactions.
Primary causes:
- Poor internal controls
- Insider fraud

27 Internal Controls/Fraud
Automated Clearing House (ACH) Transactions
Payment Processing Risks to Credit Unions
- Credit – Exposure Risk (insufficient funds)
- Operational Risk (e.g. hardware failure, human error)
- Fraud Risk (e.g. unauthorized access)
- Systemic Risk (e.g. cross system failure)
- 3rd Party Processing Risk (e.g. system access, processing failure)
There are risks associated with ACH transactions. The amount of risk associated with processing ACH payments varies. Credit unions must understand payment processing risks and implement detailed written policies and procedures to control the risks. READ SCREEN

28 Internal Controls/Fraud
Automated Clearing House (ACH) Transactions
Fraud Risk – Insider Theft
Adequate Controls
- Personnel practices
- Physical security
- Data security and integrity
- Software and data changes controls
- Access restriction
- Processing dollar and file limit controls
We are focusing on fraud risk with insider theft today because this is the risk area in which we are seeing increasing losses. Fraud risk is the danger that an employee or interlopers who gain unauthorized access to the system will initiate or alter a payment transaction in an attempt to misdirect or misappropriate funds. Credit unions can mitigate this risk with adequate controls. The controls should include: READ SCREEN…self explanatory
Don’t read below
- Personnel practices: Management must write personnel policies that enhance internal controls within the ACH operation.
- Physical security: Management must (1) limit access to computer and communications equipment sites to authorized personnel, (2) protect sensitive equipment within the secured area using access controls or device locks, and (3) secure and limit access to all data on portable media.
- Data security and integrity: Management should (1) purchase commercially available software products to access production data files; (2) limit access to specified programs or user IDs by setting up each file for read-only or read-and-write access; and (3) employ encryption, authentication, and dial back data protection techniques when accessing data-in-transit from one participant to another.
- Software and data changes controls: Management must maintain detailed written development and change policies.
- Access restriction: Management must restrict access on software products using (1) operator passwords to prohibit entry by unauthorized personnel; (2) automatic features to control the number of unsuccessful password attempts, password expiration, or designated periods of inactivity; (3) multilevel functions by password to require dual control and ensure that no single employee can create and send transactions (e.g., restricting one operator to file creation and a second operator to file approval or transmission); and (4) system administration level procedures that require secondary approval to assign, initiate, and maintain passwords.
- Processing dollar and file limit controls: Management must require use and enforcement of exposure limits (1) at the time of entry, batch, or file creation; (2) at the time of transmission; or (3) both (1) and (2).

29 Internal Controls/Fraud
Automated Clearing House (ACH) Transactions
Operational Controls
File controls to ensure staff –
- Accounts for all files at each step in ACH processing.
- Only processes current files.
- Does not accidentally or intentionally duplicate or omit files from processing.
Dollar controls to –
- Confirm dollar totals at each step in ACH processing.
- Ensure in-balance ACH files, accurately posted accounts, and properly settled ACHs.
Date controls to –
- Monitor that staff processes the files within the time frames established by the various regulations (file creation date, effective entry date, and settlement date).
Management must also develop procedures to implement operational controls in mitigating fraud risk. Operational controls must include… READ SCREEN

30 Internal Controls/Fraud
Automated Clearing House (ACH) Transactions
Operational Controls
Exception reporting to monitor –
- Circumstances such as over limit activity.
- Anticipated files not received.
- File inconsistencies that may suggest error, intrusion, or duplication.
Audit trails including procedures to –
- Maintain a record of all ACH transaction data and all changes to static data.
- Respond to member inquiries.
- Reconstruct a sequence of events if a problem occurs.
- Comply with NACHA rules.
READ SCREEN
NACHA – National Automated Clearing House Association
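Added example (not part of the original presentation): a sketch of how the file, dollar, date, dual-control and exception-reporting controls from slides 28-30 can be automated as one daily check. The `AchFile` record is a simplified, hypothetical stand-in for an ACH file header and control record rather than the NACHA layout, and all names, limits and sample files are constructed.

```python
import hashlib
from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass(frozen=True)
class AchFile:                       # hypothetical record, not the NACHA format
    file_id: str
    created: date                    # file creation date
    effective: date                  # effective entry date
    created_by: str                  # operator who built the file
    approved_by: Optional[str]       # operator who approved/transmitted it
    control_total: int               # cents, as stated by the originator
    entries: tuple                   # entry amounts in cents

    def digest(self) -> str:
        """Fingerprint of the payload, to catch a file re-sent under a new id."""
        body = f"{self.effective.isoformat()}|" + ",".join(map(str, self.entries))
        return hashlib.sha256(body.encode()).hexdigest()


def review_ach_files(files, anticipated, today, file_limit, max_age_days=1):
    """Return (file_id, exception_code) pairs for the daily exception report."""
    exceptions, seen_ids, seen_digests = [], set(), set()
    for f in files:
        def flag(code, fid=f.file_id):
            exceptions.append((fid, code))

        # File controls: no file processed twice, by id or by content.
        if f.file_id in seen_ids:
            flag("DUPLICATE_FILE_ID")
        elif f.digest() in seen_digests:
            flag("DUPLICATE_CONTENT")
        seen_ids.add(f.file_id)
        seen_digests.add(f.digest())

        # Date controls: only current files, with consistent dates.
        age = (today - f.created).days
        if age < 0 or age > max_age_days:
            flag("NOT_CURRENT")
        if f.effective < f.created:
            flag("DATE_INCONSISTENT")

        # Dollar controls: entries must foot to the control total and stay
        # under the exposure limit (checked on the larger of the two figures
        # so an understated control total cannot hide an over-limit file).
        actual = sum(f.entries)
        if actual != f.control_total:
            flag("OUT_OF_BALANCE")
        if max(actual, f.control_total) > file_limit:
            flag("OVER_LIMIT")

        # Access restriction: creation and approval by different operators.
        if not f.approved_by or f.approved_by == f.created_by:
            flag("NO_DUAL_CONTROL")

    # Exception reporting: anticipated files that never arrived.
    for missing in sorted(set(anticipated) - seen_ids):
        exceptions.append((missing, "NOT_RECEIVED"))
    return exceptions


def demo():
    """Run the review over four constructed files and one missing file."""
    today = date(2017, 7, 19)
    d19, d20 = date(2017, 7, 19), date(2017, 7, 20)
    files = [
        AchFile("PAYROLL-0719", d19, d20, "alice", "bob", 150000, (100000, 50000)),
        AchFile("VENDOR-0719", d19, d20, "carol", "carol", 900000, (900000,)),
        AchFile("PAYROLL-0719B", d19, d20, "alice", "bob", 150000, (100000, 50000)),
        AchFile("LOAN-0712", date(2017, 7, 12), date(2017, 7, 13),
                "dave", "erin", 20000, (15000,)),
    ]
    anticipated = {"PAYROLL-0719", "VENDOR-0719", "UTILITY-0719"}
    return review_ach_files(files, anticipated, today, file_limit=500000)


if __name__ == "__main__":
    for file_id, code in demo():
        print(f"{file_id}: {code}")
```

The reviewer of this report should be someone who neither creates nor approves ACH files, so the check itself stays under segregation of duties.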

31 Internal Controls/Fraud
Automated Clearing House (ACH) Transactions
Operational Controls
Reconciliation of the actual entries (Very Important)
- Verify that the ACH work settled as anticipated
- Proper segregation of duties requires that the staff member responsible for reconciling ACH transactions should not be otherwise involved in the ACH processing
- ACH transactions should be reconciled frequently/daily using various control reports and tracing each transaction.
- Sample control reports – daily activity report, settlement advice reports, exception reports
One of the most important operational controls is the reconciliation of the actual entries. READ SCREEN

32 Internal Controls/Fraud
Automated Clearing House (ACH) Transactions
Operational Controls
Internal audits of the ACH process
- NACHA rules require credit unions to complete an internal audit of its ACH operations at least once every year.
- Completion of the audit reinforces compliance with the ACH rules and improves the overall quality of the ACH network.
READ SCREEN

33 Internal Controls/Fraud
Automated Clearing House (ACH) Transactions
NACHA Operating Rules Changes
- Phase 1 – Same Day ACH – Credits (e.g. payroll direct deposits) – End of RDFI Processing Day (September 2016)
- Phase 2 – Same Day ACH – Debits and Credits – End of RDFI Processing Day (September 2017)
- Phase 3 – Same Day ACH – Debits and Credits – 5pm RDFI Local Time (March 2018)
NACHA rules have recently changed with same-day ACH credits and soon with same-day debits so the need for frequent reconciliations is increasing.
ACH Network – Credit (“push”) payment
ACH Network – Debit (“pull”) payment

34 Internal Controls/Fraud
What to expect from examiners?
Evaluation of internal controls including:
- Identifying credit union internal control objectives
- Reviewing pertinent policies, procedures, and documentation
- Discussing controls with appropriate personnel
- Observing the control environment

35 Internal Controls/Fraud
What to expect from examiners?
Evaluation of internal controls including:
- Testing transactions – level of risk
- Sharing findings, concerns, and recommendations with the board of directors and senior management
- Determining prompt correction of deficiencies
READ SCREEN FIRST
Examiners generally base the scope, type, and depth of an internal control review on the credit union’s size, complexity, scope of activities, and risk profile. An assessment of the credit union’s audit function plays an important part in this determination. It is important for the credit union to take immediate action to correct internal control deficiencies.

36 Helpful Resources Internal Controls/Fraud www.ncua.gov
- NCUA Supervisory Committee Guide for Federal Credit Unions
- NCUA Examiner’s Guide
- NCUA YouTube Fraud Series

37 Office Contact Page
Feel free to contact our office with questions or comments.
Primary Staff: Sarah Bush, CFE, Supervision Analyst
Office Phone:

