Category: AML Regulations and Enforcement Actions

A review by the UK’s Solicitors Regulation Authority (SRA) results in 44% of solicitor firms tested will be subject to disciplinary process. That’s bad, but what is worse is that US lawyers performing the same type of work are not subject to equivalent regulations

There are 7,000 regulated law firms in England and Wales that are subject to the anti-money laundering program and reporting regulations promulgated as a result of the Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Act 2017. Among other things, those firms are required to have a risk-based ML/TF compliance program, including customer due diligence and suspicious activity reporting requirements.

Note 1: not all “lawyers” are subject to these regulations. In the UK (and Canada) lawyers are either barristers – representing clients in criminal and civil proceedings in court – or solicitors – acting for clients in all other legal matters. The ML/TF regulations apply, generally, to solicitors, or “independent legal professionals and trust of company service providers” that provide “legal or notorial services to other persons, when participating in financial or real property transactions concerning” the buying or selling of real property and businesses, managing client money or asserts, opening and management of bank, savings, or securities accounts, and creating companies, trusts, and foundations. Put simply, financial, company, or property transactional work outside the court systems is covered by the ML/TF program and reporting requirements.

Note 2: the money laundering and terrorist financing compliance program requirements address at least (or only) three (3) of the enumerated thirty-eight (38) risks identified by the SRA in its Regulatory Risks Index. Ten (10) of the risks relate to the market and are not given a “severity” score: twenty-eight (28) of the risks relate to individual firms and are given a severity risk. Those risks range from a low of 4% for geographical or jurisdictional conflicts to a high of 96% for misuse of money or assets. The mean (average) risk is 43%, and the median (middle) risk is 38%. The second highest severity score was for criminal association (77%), the third highest was for money laundering (73%), and the fourth highest was for bribery and corruption (67%). Other than stealing clients’ money, the Solicitors Regulation Authority considers financial crimes – associating with criminals, money laundering, and bribery and corruption – to be the risks with the greatest severity. So with such severe risk, one would assume that firms would be serious about their compliance requirements: the results of the SRA’s review suggest otherwise.

In 2018 the SRA reviewed the programs of 59 law firms. On May 7, 2019 the SRA published the results. The actual report is at Go to the review. The press release is at https://www.sra.org.uk/sra/news/press/aml-tcsp-review-2019.page.

The SRA’s press release provided as follows:

A review has shown that a significant minority of law firms are not doing enough to prevent money laundering, with some falling seriously short.

The review did not find evidence of actual money laundering or that firms had any intention of becoming involved in criminal activities. However, it did find a range of breaches of the 2017 Money Laundering Regulations, as well as poor training and processes.

One of the biggest areas of concern was firms’ risk assessments. A firm risk assessment is required in legislation and should be the backbone of a firm’s anti-money laundering approach. We found that more than a third (24) of firms reviewed fell short in this area, including four that had no risk assessment at all.

There were also issues around appropriate customer due diligence. This included inadequate processes in almost a quarter (14) of firms to manage risks around Politically Exposed Persons, known as PEPs. However, in some instances effective customer due diligence did result in firms turning down work. Fifteen firms had done this, with one of the main reasons being evasive clients.

As a result of the review we have put 26 firms [out of 59] into our disciplinary processes. We have also published a warning notice reminding the profession of their obligations, particularly in relation to firm risk assessments. And we have begun a further review of 400 other law firms to check compliance with the Governments 2017 Money Laundering Regulations. This review will be led by a new dedicated anti-money laundering unit, being set up to bolster resources to prevent and detect money laundering.

But as important as what the press release did include is what it did not include. According to the actual report:

“Firms had raised low numbers of internal suspicious activity reports (ISARs).” The actual data, represented by the graphic below, suggests an even bleaker picture: only three (3) of fifty-nine (59) firms  – or one out of twenty – averaged more than one internal report on potential suspicious activity per year.  And the report noted that “only 10 firms had submitted SARs in the last 24 months”, but like the ISAR data, the actual SAR data was even more bleak, with only two (2) of the fifty-nine (59) firms filing more than one SAR a year over the last two years. 

Other results are worth highlighting:

• two firms failed to consider the countries that they operate in and failed to have a PEP process in place
• two firms failed to consider the geographical location of their clients or the nature of their firm’s work
• five firms failed to consider the types of transactions that they undertake. They also failed to provide information and procedures in their AML policy about scrutinising complex and/or unusual transaction or transactions that have no apparent economic or legal purpose
• one firm failed to address how they deliver legal services and also acknowledged that they do not see 5% of their clients
• five firms that did not have a file [client] risk assessment process in place. This is concerning and suggests that some firms are not systematically addressing money laundering issues. This undermines the ability of fee earners to detect issues, report concerns and mitigate risks.
• nine firms that had a [client risk assessment] process in place, but the fee earner was unable to provide an adequate risk assessment for each file. These failures suggest some firms struggle to monitor the compliance levels of fee earners and/or fail to implement the process/policy
• We made eight referrals into our disciplinary processes about inadequate AML policies. This included one referral for a complete lack of written policies
• of the 59 firms we visited, the fee earner we spoke to at 10 of the firms (17%) was unable to provide the relevant CDD for each of their files
• eight files did not contain adequate information and/or recorded evidence about beneficial owners of the relevant trust or company
• eight firms had no PEP process. These firms were referred into our disciplinary process

These same firms are advising financial institutions on how to comply with UK AML laws and regulations. It is inconceivable that these firms would ignore their own advice – assuming it is good advice – by having programs that have inadequate risk assessments, missing or inadequate customer due diligence files, no or inadequate internal processes for escalating unusual or potentially suspicious activity, and missing SARs. In fairness, though, where five firms have no programs, fifty-four have programs; where eight firms have no PEP process, fifty-one have a PEP process. And, as the headline indicates, at least the UK solicitors are equal partners with their financial institution clients in the global fight against money laundering and terrorist financing … unlike their American counterparts.

Sed quis custodiet ipsos Custodes

But who will guard the guards themselves? – Roman poet and satirist Juvenal, c. 100 AD

On May 15, 2019 the Senate Banking Committee held a hearing on “Oversight of Financial Regulators”. The link to the hearing is:

https://www.banking.senate.gov/hearings/oversight-of-financial-regulators

The heads of the OCC, FDIC, and NCUA, and the head of regulatory supervision of the Board of Governors of the Federal Reserve, submitted written statements and testified. Anti-money laundering (AML) and its regulatory regime under the Bank Secrecy Act (BSA) were touched on by three of the four witnesses in their written statements.

The OCC’s Comptroller, Joseph Otting, had the following:

“Compliance risk remains elevated as banks seek to manage money-laundering risks in a complex, dynamic operating and regulatory environment.”

“My priorities also include improving the efficiency and effectiveness of Bank Secrecy Act (BSA) and Anti-Money Laundering (AML) regulations, supervision, and examination, while continuing to support law enforcement, protect the financial system from those who seek to exploit it for illicit and illegal purposes, and reduce the burden of BSA/AML compliance.”

And under the heading “Bank Secrecy Act and Anti-Money Laundering”, the Comptroller wrote:

The BSA and AML laws and regulations exist to protect our financial system from criminals who would exploit that system for their own illegal purposes or use that system to finance terrorism. While regulators and the industry share a commitment to fighting money laundering and other illegal activities, the process for complying with current BSA/AML laws and regulations has become inefficient and costly. It is critical that the BSA/AML regime be updated and enhanced to address today’s threats and better use the capabilities of modern technology to protect the financial system from illicit activity.

The OCC has taken a leadership role in coordinating discussions with the FDIC, Board of Governors of the Federal Reserve System, National Credit Union Administration, Treasury’s Office of Financial Intelligence, and FinCEN to identify and implement ways to improve the efficiency and effectiveness of BSA/AML regulations, supervision, and examinations, while continuing to meet the requirements of the statute and regulations, support law enforcement, and reduce BSA/AML compliance burden. In October 2018, these agencies released a joint statement clarifying ways in which community banks with a lower BSA risk profile may be able to increase efficiency and reduce burden in their BSA/AML compliance programs by sharing BSA resources. The statement describes how these banks can effectively use collaborative arrangements to share human, technology, or other resources related to BSA compliance to reduce costs, increase operational efficiency, and leverage specialized expertise.

More recently, in December 2018, these agencies issued a joint statement encouraging banks to take innovative approaches to meet their BSA/AML compliance obligations. The statement recognizes significant potential for technological innovation to transform BSA/AML compliance. In addition to assisting banks’ efforts to control their costs, innovation is increasingly necessary to counter constantly changing threats, as illicit financing methods evolve to exploit vulnerabilities in existing systems. The statement makes clear the agencies are committed to continued engagement with the private sector to modernize and innovate in their BSA/AML compliance programs. The OCC is actively engaged in discussions with banks and other stakeholders regarding ways to explore enhanced technology usage while maintaining the current strong protections for the financial system.

The OCC also has identified areas in which legislative changes could increase the impact and efficiency of BSA/AML regulation and compliance programs. The OCC generally supports legislative changes that would reduce unnecessary industry burden and compliance costs and allow for more effective information sharing related to illicit finance. These include requiring a regular review of BSA/AML regulations to identify those that could be strengthened, refined or to reduce unnecessary burden, and providing safe harbors to promote sharing of information.

The written statements of Jelena Williams, Chair of the FDIC, and Randal K. Quarles, Vice Chair for Supervision for the Federal Reserve, did not include anything on BSA/AML.

The written statement of Rodney E. Hood, Chairman of the National Credit Union Administration (NCUA), included the following on BSA/AML (footnotes omitted):

Ensuring Compliance with the Bank Secrecy Act The NCUA takes seriously its obligations to supervise federal credit unions for compliance with the various BSA and AML laws and regulations. As technology has become embedded in financial systems, even small financial institutions like credit unions can be vulnerable to illicit finance activity. The NCUA examines federal credit union compliance with BSA during every examination that we conduct. Additionally, the NCUA assists state regulators by conducting BSA examinations in federally insured, state-chartered credit unions where state resources are limited. In 2018, the NCUA conducted 3,308 BSA examinations in federal credit unions.

The NCUA’s BSA reviews are risk-focused and include a set of core procedures that cover an institution’s compliance with the pillars of the BSA. These core procedures are based on the FFIEC examination procedures we issue jointly with the other federal financial regulatory agencies. In addition to the core procedures, examiners are trained and directed to tailor examinations based on the unique risk characteristics of each federal credit union. Federal credit unions that have diverse platforms with higher risk activities will receive an expanded review tailored to the unique risk characteristics they present. Conversely, examinations of smaller, low-risk credit unions are appropriately scaled to minimal necessary procedures consistent with their risk characteristics and our obligations under the FCU Act.

The NCUA coordinates regularly with our counterparts as the other federal financial regulatory agencies, as well as the Financial Crimes Enforcement Network (FinCEN). The NCUA actively participates in the Bank Secrecy Act Advisory Group (BSAAG) and the FFIEC BSA Working Group. Additionally, the NCUA is part of a recently established interagency working group to improve effectiveness and streamline, where possible, our regulations and supervisory processes. The working group recently issued a Joint Statement on Innovative Efforts to Combat Money Laundering and Terrorist Financing, as well as an Interagency Statement on Shared BSA Resources. Both joint statements provide appropriate information for institutions to leverage resources and new technologies to improve and streamline their BSA compliance obligations. The NCUA intends to continue to foster collaborative working relationships with our regulatory counterparts, including FinCEN. I believe that this is especially important in addressing substantial concerns related to the proliferation of cash-based businesses, which further necessitates reforming and modernizing the BSA regime.

Finally, the NCUA also communicates with the credit union industry through numerous channels, including: BSAAG participation and outreach; assistance and participation in national events applicable to the BSA attended by credit union industry professionals and leaders; and through periodic and ongoing training via webinars. The NCUA continues to maintain transparency in its policy positions. To that end, the agency publishes our examination and policy manuals, as well as nearly all guidance and directives provided to examiners related to the supervisory process or examinations.

I’ve highlighted three excerpts from Comptroller’s Otting’s statement:

It is critical that the BSA/AML regime be updated and enhanced to address today’s threats and better use the capabilities of modern technology to protect the financial system from illicit activity.

The agencies issued a joint statement encouraging banks to take innovative approaches to meet their BSA/AML compliance obligations. The statement recognizes significant potential for technological innovation to transform BSA/AML compliance.

The OCC generally supports legislative changes that would reduce unnecessary industry burden and compliance costs and allow for more effective information sharing related to illicit finance. These include requiring a regular review of BSA/AML regulations to identify those that could be strengthened, refined or to reduce unnecessary burden, and providing safe harbors to promote sharing of information.

Comptroller Otting’s testimony – and indeed the actions of the OCC and the other regulators – around the encouragement of innovative uses of technology is a very positive for all financial institutions struggling to balance the competing and sometimes conflicting interests and perspectives of their regulators, their customers, and law enforcement. The promotion of sharing information is also very positive: financial institutions working individually will never fulfill their regulatory obligations effectively or efficiently, and can only do so by sharing information with other institutions. Big data intelligence and collaborative investigations are the future of BSA/AML.

US-based AML practitioners are familiar with FinCEN Guidance and Advisories. Most are probably not sure what the differences are between a Guidance document and an Advisory. But both seem to have something called “persuasive precedential effect”. What is persuasive precedential effect? Is it different from non-persuasive precedential effect? My spell check doesn’t recognize the word “precedential”, and Googling the phrase only brings back 74 hits.

Just what is “persuasive precedential effect”? Having just glanced at the title of the first search result – “Legitimacy Model for the Interpretation of Plurality Decisions” – I couldn’t bear to try to answer that question myself, so … could a financial institution subject to the BSA please seek an Administrative Ruling from FinCEN to get an answer to the question “what does the phrase ‘persuasive precedential effect’ actually mean?”

FinCEN’s Regulatory Releases – Regulations, Guidance, Statements of Policy, Advisories, and Enforcement Rulings

On May 9, 2019, the U.S. Treasury Department’s Financial Crimes Enforcement Network (FinCEN), which has responsibility for the administration of the Bank Secrecy Act (BSA) under Treasury Order 180-01 (1992), issued formal Guidance (FIN-2019-G001) titled “Application of FinCEN’s Regulations to Certain Business Models Involving Convertible Virtual Currencies.”

https://www.fincen.gov/sites/default/files/2019-05/FinCEN%20Guidance%20CVC%20FINAL%20508.pdf

Also on May 9th, FinCEN issued an Advisory (FIN-2019-A003) titled “Advisory on Illicit Activity Involving Convertible Virtual Currency”.

https://www.fincen.gov/sites/default/files/advisory/2019-05-09/FinCEN%20Advisory%20CVC%20FINAL%20508_0.pdf

Why two documents? Why was one labeled “Guidance” and the other “Advisory”? The answers, in part, can be found at FinCEN’s “Regulatory Releases” page: FinCEN Regulatory Releases

According to FinCEN, it has authority to issue regulations, regulatory interpretations and guidance, advisories, and enforcement assessments/consent assessments. As explained by FinCEN:

I. Regulations

Regulations implementing the Bank Secrecy Act codified in title 31 of the Code of Federal Regulations, Chapter X (31 CFR Chapter X). Related publications include:

• Final rules
• Interim final rules
• Notices of proposed rulemakings (known as “NPRM”)
• Advance notices of proposed rulemakings (known as “ANPRM”)
• Corrections

Final rules, interim final rules, and any subsequent corrections to these rules, are binding obligations on individuals and entities within the scope of such rules.

II. Regulatory Interpretations and Guidance

According to FinCEN, it “routinely issue[s] interpretations of BSA regulations as well as guidance to financial institutions on complying with our regulations.” There are three categories that fall into this bucket:

1. Administrative Rulings

The authority, process, and effect of Administrative Rulings is contained in subpart G of Part X of Title 31 of the code of Federal regulations – 31 CFR § 1010.710-717. Although FinCEN’s website provides that “published letter rulings often express an opinion about a new issue, apply an established theory or analysis to a set of facts that differs materially from facts or circumstances that have been previously considered, or provide a new interpretation of Title 31 of the United States Code, or any other statute granting FinCEN authority”, the regulation itself is somewhat more direct. It provides:

The result? If FinCEN publishes an Administrative Ruling, it shall have precedential value and may be relied upon by financial institutions “similarly situated” as the requestor.

2. Interpretive Guidance

FinCEN provides three examples of interpretive guidance:

• Interpretive releases, including written responses to informal inquires on the application of 31 CFR Chapter X that are not made and submitted to the Financial Crimes Enforcement Network consistent with the procedures outlined at 31 CFR § 1010.711
• Frequently Asked Questions
• Staff commentaries

Notably, interpretations of BSA regulations that are published on FinCEN’s public web site under the heading “Guidance” shall have persuasive precedential effect and, to that extent, may be relied upon by those financial institutions subject to the specific provision of the BSA regulation being interpreted until such interpretation is superseded, revoked, or amended.

FinCEN notes that “if written guidance is not published on FinCEN’s public web site under the heading “Guidance”, although not binding, such guidance provides useful insight into our view of the application of the Bank Secrecy Act and its implementing regulations at the time that the guidance is issued.”

3. Statements of Policy

This appears to cover guidance not published as “Guidance”, as well as “statements outlining or describing our policy with respect to specific issues arising under the Bank Secrecy Act.” According to FinCEN, “these statements provide useful insight into our view of the application of the Bank Secrecy Act and its implementing regulations at the time the statement is issued.”

III. Advisories

Advisories are published to financial institutions “concerning money laundering or terrorist financing threats and vulnerabilities for the purpose of enabling financial institutions to guard against such threats.”  If published on the FinCEN web site under the heading “Advisories” and to the extent they interpret BSA regulations , Advisories shall have persuasive precedential effect and may be relied upon by those financial institutions subject to the specific provision of the BSA regulation being interpreted until such interpretation is superseded, revoked, or amended.

And, like guidance not published under the heading “Guidance”, advisories not published under the heading “Advisory”, are not binding but provides “useful insight into [FinCEN’s] view of the application of the BSA and BSA regulations at the time that the advisory/guidance is issued.

IV. Enforcement Assessments and Consent Assessments

Public enforcement actions, often referred to as “Consent Orders” by the OCC and Federal Reserve and “Consent Assessments” by FinCEN because they are entered into with the (grudging) consent of the sanctioned entity, are binding on and apply exclusively to the sanctioned entity. However, as FinCEN notes, any “regulatory interpretations contained in such assessments shall have persuasive precedential effect and, to that extent, may be relied upon by those financial institutions subject to the specific provision of 31 CFR Chapter X being interpreted until such interpretation is superseded, revoked, or amended.”

FINRA Provides Guidance to Firms Regarding Suspicious Activity Monitoring and Reporting Obligations

http://www.finra.org/sites/default/files/notice_doc_file_ref/Regulatory-Notice-19-18.pdf

May 9, 2019

FINRA issued the Notice to provide guidance to member firms regarding suspicious activity monitoring and reporting obligations under FINRA Rule 3310 (Anti-Money Laundering Compliance Program). The guidance included ninety-seven (97) red flags organized into six sections:

1. Potential Red Flags in Customer Due Diligence and Interactions With Customers (19 red flags, 10 are new)
2. Potential Red Flags in Deposits of Securities (8 red flags, all are new)
3. Potential Red Flags in Securities Trading (20 red flags, 18 are new)
4. Potential Red Flags in Money Movements (31 red flags, 20 are new)
5. Potential Red Flags in Insurance Products (5 red flags, all are new)
6. Other Potential Red Flags (14 red flags, 10 are new)

The Notice provided that these red flags were in addition to the money laundering red flags that appeared in Notice to Members 02-21 (NTM 02-21) published in April 2002:

“Since NTM 02-21 was published [in April 2002], guidance detailing additional red flags that may be applicable to the securities industry have been published by a number of U.S. government agencies and international organizations. FINRA is issuing this Notice to provide examples of these additional money laundering red flags for firms to consider incorporating into their AML programs, as may be appropriate in implementing a risk-based approach to BSA/AML compliance.”

“This Notice is intended to assist broker-dealers in complying with their existing obligations under BSA/AML requirements and does not create any new requirements or expectations. In addition, this Notice incorporates the red flags listed in NTM 02-21 so that firms can refer to this Notice only for examples of potential red flags.”

So the twenty-five 2002 red flags are included, but not identified, within the ninety-seven 2019 red flags. To assist compliance professionals, I have gone through the 2002 red flags and inserted them into the 2019 red flags so that those professionals can more easily determine whether their current programs are covering off the “new” red flags.

2002 Red Flags

1. The customer exhibits unusual concern regarding the firm’s compliance with government reporting requirements and the firm’s AML policies, particularly with respect to his or her identity, type of business and assets, or is reluctant or refuses to reveal any information concerning business activities, or furnishes unusual or suspect identification or business documents.
2. The customer wishes to engage in transactions that lack business sense or apparent investment strategy, or are inconsistent with the customer’s stated business strategy.
3. The information provided by the customer that identifies a legitimate source for funds is false, misleading, or substantially incorrect.
4. Upon request, the customer refuses to identify or fails to indicate any legitimate source for his or her funds and other assets.
5. The customer (or a person publicly associated with the customer) has a questionable background or is the subject of news reports indicating possible criminal, civil, or regulatory violations.
6. The customer exhibits a lack of concern regarding risks, commissions, or other transaction costs.
7. The customer appears to be acting as an agent for an undisclosed principal, but declines or is reluctant, without legitimate commercial reasons, to provide information or is otherwise evasive regarding that person or entity.
8. The customer has difficulty describing the nature of his or her business or lacks general knowledge of his or her industry.
9. The customer attempts to make frequent or large deposits of currency, insists on dealing only in cash equivalents, or asks for exemptions from the firm’s policies relating to the deposit of cash and cash equivalents.
10. The customer engages in transactions involving cash or cash equivalents or other monetary instruments that appear to be structured to avoid the $10,000 government reporting requirements, especially if the cash or monetary instruments are in an amount just below reporting or recording thresholds.
11. For no apparent reason, the customer has multiple accounts under a single name or multiple names, with a large number of inter-account or third-party transfers.
12. The customer is from, or has accounts in, a country identified as a non-cooperative country or territory by the Financial Action Task Force (FATF).
13. The customer’s account has unexplained or sudden extensive wire activity, especially in accounts that had little or no previous activity.
14. The customer’s account shows numerous currency or cashiers check transactions aggregating to significant sums.
15. The customer’s account has a large number of wire transfers to unrelated third parties inconsistent with the customer’s legitimate business purpose.
16. The customer’s account has wire transfers that have no apparent business purpose to or from a country identified as a money laundering risk or a bank secrecy haven.
17. The customer’s account indicates large or frequent wire transfers, immediately withdrawn by check or debit card without any apparent business purpose.
18. The customer makes a funds deposit followed by an immediate request that the money be wired out or transferred to a third party, or to another firm, without any apparent business purpose.
19. The customer makes a funds deposit for the purpose of purchasing a long-term investment followed shortly thereafter by a request to liquidate the position and transfer of the proceeds out of the account.
20. The customer engages in excessive journal entries between unrelated accounts without any apparent business purpose.
21. The customer requests that a transaction be processed in such a manner to avoid the firm’s normal documentation requirements.
22. The customer, for no apparent reason or in conjunction with other “red flags,” engages in transactions involving certain types of securities, such as penny stocks, Regulation “S” (Reg S) stocks, and bearer bonds, which although legitimate, have been used in connection with fraudulent schemes and money laundering activity. (Such transactions may warrant further due diligence to ensure the legitimacy of the customer’s activity.)
23. The customer’s account shows an unexplained high level of account activity with very low levels of securities transactions.
24. The customer maintains multiple accounts, or maintains accounts in the names of family members or corporate entities, for no apparent business purpose or other purpose.
25. The customer’s account has inflows of funds or other assets well beyond the known income or resources of the customer.

2019 Red Flags (with references to 2002 red flags)

I. Potential Red Flags in Customer Due Diligence and Interactions With Customers

1. The customer provides the firm with unusual or suspicious identification documents that cannot be readily verified or are inconsistent with other statements or documents that the customer has provided. Or, the customer provides information that is inconsistent with other available information about the customer. This indicator may apply to account openings and to interaction subsequent to account opening. (2002 red flag # 1 – The customer exhibits unusual concern regarding the firm’s compliance with government reporting requirements and the firm’s AML policies, particularly with respect to his or her identity, type of business and assets, or is reluctant or refuses to reveal any information concerning business activities, or furnishes unusual or suspect identification or business documents.)
2. The customer is reluctant or refuses to provide the firm with complete customer due diligence information as required by the firm’s procedures, which may include information regarding the nature and purpose of the customer’s business, prior financial relationships, anticipated account activity, business location and, if applicable, the entity’s officers and directors. (2002 red flag # 1 – The customer exhibits unusual concern regarding the firm’s compliance with government reporting requirements and the firm’s AML policies, particularly with respect to his or her identity, type of business and assets, or is reluctant or refuses to reveal any information concerning business activities, or furnishes unusual or suspect identification or business documents.)
3. The customer refuses to identify a legitimate source of funds or information is false, misleading or substantially incorrect. (2002 Red Flag #4 – Upon request, the customer refuses to identify or fails to indicate any legitimate source for his or her funds and other assets. Also, 2002 red flag #3 – The information provided by the customer that identifies a legitimate source for funds is false, misleading, or substantially incorrect.)
4. The customer is domiciled in, doing business in or regularly transacting with counterparties in a jurisdiction that is known as a bank secrecy haven, tax shelter, high-risk geographic location (e.g., known as a narcotics producing jurisdiction, known to have ineffective AML/Combating the Financing of Terrorism systems) or conflict zone, including those with an established threat of terrorism.
5. The customer has difficulty describing the nature of his or her business or lacks general knowledge of his or her industry. (2002 red flag # 8 – The customer has difficulty describing the nature of his or her business or lacks general knowledge of his or her industry.)
6. The customer has no discernable reason for using the firm’s service or the firm’s location (e.g., the customer lacks roots to the local community or has gone out of his or her way to use the firm).
7. The customer has been rejected or has had its relationship terminated as a customer by other financial services firms.
8. The customer’s legal or mailing address is associated with multiple other accounts or businesses that do not appear related.
9. The customer appears to be acting as an agent for an undisclosed principal, but is reluctant to provide information. (2002 red flag # 7 – The customer appears to be acting as an agent for an undisclosed principal, but declines or is reluctant, without legitimate commercial reasons, to provide information or is otherwise evasive regarding that person or entity.)
10. The customer is a trust, shell company or private investment company that is reluctant to provide information on controlling parties and underlying beneficiaries.
11. The customer is publicly known or known to the firm to have criminal, civil or regulatory proceedings against him or her for crime, corruption or misuse of public funds, or is known to associate with such persons. Sources for this information could include news items, the Internet or commercial database searches. (2002 red flag #5 – The customer (or a person publicly associated with the customer) has a questionable background or is the subject of news reports indicating possible criminal, civil, or regulatory violations.)
12. The customer’s background is questionable or differs from expectations based on business activities.
13. The customer maintains multiple accounts, or maintains accounts in the names of family members or corporate entities, with no apparent business or other purpose. (2002 red flag # 11 – For no apparent reason, the customer has multiple accounts under a single name or multiple names, with a large number of inter-account or third-party transfers. Also 2002 red flag #24 – The customer maintains multiple accounts, or maintains accounts in the names of family members or corporate entities, for no apparent business purpose or other purpose.)
14. An account is opened by a politically exposed person (PEP), particularly in conjunction with one or more additional risk factors, such as the account being opened by a shell company beneficially owned or controlled by the PEP, the PEP is from a country which has been identified by FATF as having strategic AML regime deficiencies, or the PEP is from a country known to have a high level of corruption. (similar to 2002 red flag # 12 – The customer is from, or has accounts in, a country identified as a non-cooperative country or territory by the Financial Action Task Force (FATF).)
15. An account is opened by a non-profit organization that provides services in geographic locations known to be at higher risk for being an active terrorist threat.
16. An account is opened in the name of a legal entity that is involved in the activities of an association, organization or foundation whose aims are related to the claims or demands of a known terrorist entity.
17. An account is opened for a purported stock loan company, which may hold the restricted securities of corporate insiders who have pledged the securities as collateral for, and then defaulted on, purported loans, after which the securities are sold on an unregistered basis.
18. An account is opened in the name of a foreign financial institution, such as an offshore bank or broker-dealer, that sells shares of stock on an unregistered basis on behalf of customers.
19. An account is opened for a foreign financial institution that is affiliated with a U.S. broker-dealer, bypassing its U.S. affiliate, for no apparent business purpose. An apparent business purpose could include access to products or services the U.S. affiliate does not provide.

II. Potential Red Flags in Deposits of Securities

1. A customer opens a new account and deposits physical certificates, or delivers in shares electronically, representing a large block of thinly traded or low-priced securities.
2. A customer has a pattern of depositing physical share certificates, or a pattern of delivering in shares electronically, immediately selling the shares and then wiring, or otherwise transferring out the proceeds of the sale(s).
3. A customer deposits into an account physical share certificates or electronically deposits or transfers shares that:

• • were recently issued or represent a large percentage of the float for the security;
  • reference a company or customer name that has been changed or that does not match the name on the account;
  • were issued by a shell company;
  • were issued by a company that has no apparent business, revenues or products;
  • were issued by a company whose SEC filings are not current, are incomplete, or nonexistent;
  • were issued by a company that has been through several recent name changes or business combinations or recapitalizations;
  • were issued by a company that has been the subject of a prior trading suspension; or
  • were issued by a company whose officers or insiders have a history of regulatory or criminal violations, or are associated with multiple low-priced stock issuers.

4. The lack of a restrictive legend on deposited shares seems inconsistent with the date the customer acquired the securities, the nature of the transaction in which the securities were acquired, the history of the stock or the volume of shares trading.
5. A customer with limited or no other assets at the firm receives an electronic transfer or journal transfer of large amounts of low-priced, non-exchange-listed securities.
6. The customer’s explanation or documents purporting to evidence how the customer acquired the shares does not make sense or changes upon questioning by the firm or other parties. Such documents could include questionable legal opinions or securities purchase agreements.
7. The customer deposits physical securities or delivers in shares electronically, and within a short time-frame, requests to journal the shares into multiple accounts that do not appear to be related, or to sell or otherwise transfer ownership of the shares.
8. Seemingly unrelated clients open accounts on or at about the same time, deposit the same low-priced security and subsequently liquidate the security in a manner that suggests coordination.

III. Potential Red Flags in Securities Trading

1. The customer, for no apparent reason or in conjunction with other “red flags,” engages in transactions involving certain types of securities, such as penny stocks, Regulation “S” stocks and bearer bonds, which although legitimate, have been used in connection with fraudulent schemes and money laundering activity. (Such transactions may warrant further due diligence to ensure the legitimacy of the customer’s activity.) (2002 red flag # 22 – The customer, for no apparent reason or in conjunction with other “red flags,” engages in transactions involving certain types of securities, such as penny stocks, Regulation “S” (Reg S) stocks, and bearer bonds, which although legitimate, have been used in connection with fraudulent schemes and money laundering activity. (Such transactions may warrant further due diligence to ensure the legitimacy of the customer’s activity.)).
2. There is a sudden spike in investor demand for, coupled with a rising price in, a thinly traded or low-priced security.
3. The customer’s activity represents a significant proportion of the daily trading volume in a thinly traded or low-priced security.
4. A customer buys and sells securities with no discernable purpose or circumstances that appear unusual. (2002 red flag #2 – The customer wishes to engage in transactions that lack business sense or apparent investment strategy, or are inconsistent with the customer’s stated business strategy.)
5. Individuals known throughout the industry to be stock promoters sell securities through the broker-dealer.
6. A customer accumulates stock in small increments throughout the trading day to increase price.
7. A customer engages in pre-arranged or other non-competitive securities trading, including wash or cross trades, with no apparent business purpose.
8. A customer attempts to influence the closing price of a stock by executing purchase or sale orders at or near the close of the market.
9. A customer engages in transactions suspected to be associated with cyber breaches of customer accounts, including potentially unauthorized disbursements of funds or trades.
10. A customer engages in a frequent pattern of placing orders on one side of the market, usually inside the existing National Best Bid or Offer (NBBO), followed by the customer entering orders on the other side of the market that execute against other market participants that joined the market at the improved NBBO (activity indicative of “spoofing”).
11. A customer engages in a frequent pattern of placing multiple limit orders on one side of the market at various price levels, followed by the customer entering orders on the opposite side of the market that are executed and the customer cancelling the original limit orders (activity indicative of “layering”).
12. Two or more unrelated customer accounts at the firm trade an illiquid or low priced security suddenly and simultaneously.
13. The customer makes a large purchase or sale of a security, or option on a security, shortly before news or a significant announcement is issued that affects the price of the security.
14. The customer is known to have friends or family who work at or for the securities issuer, which may be a red flag for potential insider trading or unlawful sales of unregistered securities.
15. The customer’s purchase of a security does not correspond to the customer’s investment profile or history of transactions (e.g., the customer may never have invested in equity securities or may have never invested in a given industry, but does so at an opportune time) and there is no reasonable explanation for the change.
16. The account is using a master/sub structure, which enables trading anonymity with respect to the sub-accounts’ activity, and engages in trading activity that raises red flags, such as the liquidation of microcap issuers or potentially manipulative trading activity.
17. The firm receives regulatory inquiries or grand jury or other subpoenas concerning the firm’s customers’ trading.
18. The customer engages in a pattern of transactions in securities indicating the customer is using securities to engage in currency conversion. For example, the customer delivers in and subsequently liquidates American Depository Receipts (ADRs) or dual currency bonds for U.S. dollar proceeds, where the securities were originally purchased in a different currency.
19. The customer engages in mirror trades or transactions involving securities used for currency conversions, potentially through the use of offsetting trades.
20. The customer appears to buy or sell securities based on advanced knowledge of pending customer orders.

IV. Potential Red Flags in Money Movements

1. The customer attempts or makes frequent or large deposits of currency, insists on dealing only in cash equivalents, or asks for exemptions from the firm’s policies and procedures relating to the deposit of cash and cash equivalents. (2002 red flag # 9 – The customer attempts to make frequent or large deposits of currency, insists on dealing only in cash equivalents, or asks for exemptions from the firm’s policies relating to the deposit of cash and cash equivalents.)
2. The customer “structures” deposits, withdrawals or purchases of monetary instruments below a certain amount to avoid reporting or recordkeeping requirements, and may state directly that they are trying to avoid triggering a reporting obligation or to evade taxing authorities. (2002 red flag # 10 – The customer engages in transactions involving cash or cash equivalents or other monetary instruments that appear to be structured to avoid the $10,000 government reporting requirements, especially if the cash or monetary instruments are in an amount just below reporting or recording thresholds.)
3. The customer seemingly breaks funds transfers into smaller transfers to avoid raising attention to a larger funds transfer. The smaller funds transfers do not appear to be based on payroll cycles, retirement needs, or other legitimate regular deposit and withdrawal strategies.
4. The customer’s account shows numerous currency, money order (particularly sequentially numbered money orders) or cashier’s check transactions aggregating to significant sums without any apparent business or lawful purpose. (2002 red flag # 14 – The customer’s account shows numerous currency or cashiers check transactions aggregating to significant sums.)
5. The customer frequently changes bank account details or information for redemption proceeds, in particular when followed by redemption requests.
6. The customer makes a funds deposit followed by an immediate request that the money be wired out or transferred to a third party, or to another firm, without any apparent business purpose. (2002 red flag # 18 – The customer makes a funds deposit followed by an immediate request that the money be wired out or transferred to a third party, or to another firm, without any apparent business purpose.)
7. Wire transfers are made in small amounts in an apparent effort to avoid triggering identification or reporting requirements. (this is similar to 2002 red flag # 21 – The customer requests that a transaction be processed in such a manner to avoid the firm’s normal documentation requirements.)
8. Incoming payments are made by third-party checks or checks with multiple endorsements.
9. Outgoing checks to third parties coincide with, or are close in time to, incoming checks from other third parties.
10. Payments are made by third party check or money transfer from a source that has no apparent connection to the customer.
11. Wire transfers are made to or from financial secrecy havens, tax havens, high risk geographic locations or conflict zones, including those with an established presence of terrorism. (2002 red flag #16 – The customer’s account has wire transfers that have no apparent business purpose to or from a country identified as a money laundering risk or a bank secrecy haven.)
12. Wire transfers originate from jurisdictions that have been highlighted in relation to black market peso exchange activities.
13. The customer engages in transactions involving foreign currency exchanges that are followed within a short time by wire transfers to locations of specific concern (e.g., countries designated by national authorities, such as FATF, as non-cooperative countries and territories).
14. The parties to the transaction (e.g., originator or beneficiary) are from countries that are known to support terrorist activities and organizations.
15. Wire transfers or payments are made to or from unrelated third parties (foreign or domestic), or where the name or account number of the beneficiary or remitter has not been supplied. (2002 red flag # 15 – The customer’s account has a large number of wire transfers to unrelated third parties inconsistent with the customer’s legitimate business purpose.)
16. There is wire transfer activity that is unexplained, repetitive, unusually large, shows unusual patterns or has no apparent business purpose.
17. The securities account is used for payments or outgoing wire transfers with little or no securities activities (i.e., account appears to be used as a depository account or a conduit for transfers, which may be purported to be for business operating needs). (similar to 2002 red flag # 23 – The customer’s account shows an unexplained high level of account activity with very low levels of securities transactions.).
18. Funds are transferred to financial or depository institutions other than those from which the funds were initially received, specifically when different countries are involved.
19. The customer engages in excessive journal entries of funds between related or unrelated accounts without any apparent business purpose. (2002 red flag #20 – The customer engages in excessive journal entries between unrelated accounts without any apparent business purpose.)
20. The customer uses a personal/individual account for business purposes or vice versa.
21. A foreign import business with U.S. accounts receives payments from outside the area of its customer base.
22. There are frequent transactions involving round or whole dollar amounts purported to involve payments for goods or services.
23. Upon request, a customer is unable or unwilling to produce appropriate documentation (e.g., invoices) to support a transaction, or documentation appears doctored or fake (e.g., documents contain significant discrepancies between the descriptions on the transport document or bill of lading, the invoice, or other documents such as the certificate of origin or packing list).
24. The customer requests that certain payments be routed through nostro or correspondent accounts held by the financial intermediary instead of its own accounts, for no apparent business purpose.
25. Funds are transferred into an account and are subsequently transferred out of the account in the same or nearly the same amounts, especially when the origin and destination locations are high-risk jurisdictions.
26. A dormant account suddenly becomes active without a plausible explanation (e.g., large deposits that are suddenly wired out). (similar to 2002 red flag # 13 – The customer’s account has unexplained or sudden extensive wire activity, especially in accounts that had little or no previous activity.)
27. Nonprofit or charitable organizations engage in financial transactions for which there appears to be no logical economic purpose or in which there appears to be no link between the stated activity of the organization and the other parties in the transaction.
28. There is unusually frequent domestic and international automated teller machine (ATM) activity.
29. A person customarily uses the ATM to make several deposits into a brokerage account below a specified BSA/AML reporting threshold.
30. Many small, incoming wire transfers or deposits are made using checks and money orders that are almost immediately withdrawn or wired out in a manner inconsistent with the customer’s business or history; the checks or money orders may reference in a memo section “investment” or “for purchase of stock.” This may be an indicator of a Ponzi scheme or potential funneling activity. (2002 red flag # 17. The customer’s account indicates large or frequent wire transfers, immediately withdrawn by check or debit card without any apparent business purpose.)
31. Wire transfer activity, when viewed over a period of time, reveals suspicious or unusual patterns, which could include round dollar, repetitive transactions or circuitous money movements.

V. Potential Red Flags in Insurance Products

1. The customer cancels an insurance contract and directs that the funds be sent to a third party.
2. The customer deposits an insurance annuity check from a cancelled policy and immediately requests a withdrawal or transfer of funds.
3. The customer cancels an annuity product within the free-look period. This could be a red flag if accompanied with suspicious indicators, such as purchasing the annuity with several sequentially numbered money orders or having a history of cancelling annuity products during the free-look period.
4. The customer opens and closes accounts with one insurance company, then reopens a new account shortly thereafter with the same insurance company, each time with new ownership information.
5. The customer purchases an insurance product with no concern for the investment objective or performance.

VI. Other Potential Red Flags

1. The customer is reluctant to provide information needed to file reports to proceed with the transaction.
2. The customer exhibits unusual concern with the firm’s compliance with government reporting requirements and the firm’s AML policies. (similar to part of 2002 red flag #1 – The customer exhibits unusual concern regarding the firm’s compliance with government reporting requirements and the firm’s AML policies, particularly with respect to his or her identity, type of business and assets, or is reluctant or refuses to reveal any information concerning business activities, or furnishes unusual or suspect identification or business documents.)
3. The customer tries to persuade an employee not to file required reports or not to maintain the required records.
4. Notifications received from the broker-dealer’s clearing firm that the clearing firm had identified potentially suspicious activity in customer accounts. Such notifications can take the form of alerts or other concern regarding negative news, money movements or activity involving certain securities.
5. Law enforcement has issued subpoenas or freeze letters regarding a customer or account at the securities firm.
6. The customer makes high-value transactions not commensurate with the customer’s known income or financial resources. (2002 red flag #25 – The customer’s account has inflows of funds or other assets well beyond the known income or resources of the customer.)
7. The customer wishes to engage in transactions that lack business sense or an apparent investment strategy, or are inconsistent with the customer’s stated business strategy.
8. The stated business, occupation or financial resources of the customer are not commensurate with the type or level of activity of the customer.
9. The customer engages in transactions that show the customer is acting on behalf of third parties with no apparent business or lawful purpose.
10. The customer engages in transactions that show a sudden change inconsistent with normal activities of the customer.
11. Securities transactions are unwound before maturity, absent volatile market conditions or other logical or apparent reason. (similar to 2002 red flag # 19 – The customer makes a funds deposit for the purpose of purchasing a long-term investment followed shortly thereafter by a request to liquidate the position and transfer of the proceeds out of the account.)
12. The customer does not exhibit a concern with the cost of the transaction or fees (e.g., surrender fees, or higher than necessary commissions). (2002 red flag # 6 – The customer exhibits a lack of concern regarding risks, commissions, or other transaction costs.)
13. A borrower defaults on a cash-secured loan or any loan that is secured by assets that are readily convertible into currency.
14. There is an unusual use of trust funds in business transactions or other financial activity.

The size of an NHL ice surface – 200 feet by 85 feet – hasn’t changed in 100 years.  Yet professional hockey players are getting bigger and faster – for example, the 1965-1966 Boston Bruins roster averaged 5’10” and 180 pounds and the 2018-2019 Bruins roster averages 6’1” and 200 pounds, an increase of about 22%. And the game has become more international over the years, bringing in new styles, new languages, and new strategies. In 1978-1979, Canadian- and American-born players made up 95% of NHL rosters, and there were only 25 players from 6 other countries: in 2018-2019, Canadians and Americans make up 71% of the rosters, and there are 261 players from 15 other countries.[1]

Notwithstanding a number of rule changes, and the addition of a second referee in 2000-2001, NHL league officials have become increasingly concerned over the number of penalties that the referees have been missing. Faster, stronger players; not being able to clearly communicate with all players in all languages; a new “full ice” style of play; and greater stakes with bigger endorsement opportunities and higher salaries, have all contributed to more missed penalties.  And these missed calls are seen as contributing to dirtier play, as the rules-abiding (and often more skillful) players become frustrated, and those contributing the infractions don’t fear the sanction of a penalty. There have been a number of rule changes over the years, and others have been contemplated, all meant to encourage and promote fair play. And like other professional sports leagues, the NHL has been looking at using more video replay and off-ice officials. One notable fintech company has developed a machine learning, artificial intelligence-based system that relies on 120 micro-sensors embedded in the players’ equipment and 7 video cameras on helmets, jerseys, and skates to monitor the game and, when infractions occur but are not called, inform the on-ice referees in real time that a penalty occurred but was not seen or called.

However, instead of implementing more rule changes or adding off-ice officials – both of which were deemed to have too much of a negative impact on the game – and until any technologies can be deployed in real-game situations (notwithstanding the fintech company’s promotional materials, they have only deployed their system in a beta environment using a Finnish 12-and-under roller hockey team, and none of the equipment lasted longer than 1½ periods of play), the NHL has decided to require each NHL team to designate one player on the roster as the “In-Team Referee”. In addition to having his normal responsibilities as a center, forward, or defenseman (goalies are not eligible to be IRTs given they are often almost 200 feet from the play), the In-Team Referee, or IRT, will be required to call penalties on his own team. In order to ensure that the teams’ IRT programs are sound, and the IRT’s penalty-calling performance is up to the league’s expectations, each IRT will be examined and judged by NHL team examiners and, if found lacking, the NHL can impose penalties, fines, and suspensions against the IRT.

The NHL recognizes that the day-to-day life of the IRTs can become somewhat awkward. For example, if an IRT calls a penalty on one of the team’s highest performing, or highest paid, players that affects the game’s outcome or impacts that player’s bonus, the team could accuse the IRT of “not being a team player” or “being too close to the referees”. The NHL will watch for any possible retaliation, including overall situations where IRTs could find themselves changing teams every 2-3 years.

Pause.

Absurd? Yes. Real? No. The NHL is not contemplating such an absurd situation. Yet calling penalties on your own team is what the Bank Secrecy Act regulations require of BSA Compliance Officers: BSA Compliance Officers are “charged with … managing the bank’s adherence to the BSA and its implementing regulations” and they are “responsible for … ensuring that employees adhere to the bank’s BSA/AML policies, procedures, and processes” (quoting the 2014 BSA Exam Manual, page 32). And how does the BSA Officer do that? He or she should “regularly apprise the board of director and senior management of ongoing compliance with the BSA.”

BSA Compliance Officers are like In-Team Referees: they are required to “call penalties” on their own team mates when those team mates don’t follow the rules. It’s an incredibly tough situation to be in, and it takes tact and skill to be effective. But like the fictitious In-Team Referee, the dual-role of a BSA Officer – designing, building and running the BSA/AML program and calling penalties on his or her own colleagues when they fail to adhere to that program – make that BSA Officer’s life within his or her financial institution very difficult. Perhaps that’s why the average tenure of a BSA Officer is less than three years. My respect and admiration go out to all BSA Officers (and AML Officers and Money Laundering Reporting Officers in other jurisdictions): bravo for doing an impossible job!

[1] Yes, I did the research. For the Bruins 1965 roster, see https://www.NHL.com/bruins/roster/1965. For the Bruins 2019 roster, see https://www.hockey-reference.com/teams/BOS/2019.html#all_roster. For the nationality breakdown of NHL players for the last 50 years, see https://www.quanthockey.com/NHL/nationality-totals/NHL-players-2018-19-stats.html. Also, I’d appreciate it if the NHL’s lawyers have a sense of humor and don’t threaten any legal action against me for using the good name of the NHL: I’m originally from Canada and played hockey growing up … I can still hum the Hockey Night in Canada theme song, and love Don Cherry!

On December 20th the Treasury Department released its National Illicit Finance Strategy (something required under the Countering America’s Adversaries Through Sanctions Act of 2017 (CAATSA). That Strategy was based on three risk assessments that were released simultaneously, but to little or no fanfare:

1. 2018 National Proliferation Financing Risk Assessment
2. 2018 National Terrorist Financing Risk Assessment
3. 2018 National Money Laundering Risk Assessment

The 2018 National Money Laundering Risk Assessment (2018 NMLRA) is available at https://home.treasury.gov/system/files/136/2018NMLRA_12-18.pdf. It follows the June 2015 NMLRA, available at https://www.treasury.gov/resource-center/terrorist-illicit-finance/Documents/National%20Money%20Laundering%20Risk%20Assessment%20%E2%80%93%2006-12-2015.pdf.

What threats, vulnerabilities, and risks have changed or been added in the last 3 1/2 years since the 2015 NMLRA? Oddly … not much.

The 2018 NMLRA begins with an estimate of the size of the AML problem:

“The United States continues to estimate that domestic financial crime, excluding tax evasion, generated approximately $300 billion of proceeds for potential laundering, based on the sources and analysis cited in the 2015 NMLRA.”

So over the last 2 1/2 years, the size of the AML problem in the US hasn’t changed – it remains $300 billion of proceeds for potential laundering. In other words, not all of the proceeds of criminal activity make it into the financial system for potential laundering. But for arguments sake, let’s assume that all of the proceeds of criminal activity in the US make it into the financial system (and of course the NMLRA notes that proceeds of criminal activity from outside the United States are laundered through financial institutions based in the United States, and much of that simply passes through US-based financial institutions that are facilitating US DOllar-based transactions). Three hundred billion dollars is a lot of dirty money to go into, pass through, and/or end up in US financial institutions … but how much total money flows through those institutions? The 2015 NMLRA gives a clue: at page 35 is a reference to the volume of funds flowing through Fedwire, CHIPS, and ACH. The Fedwire and CHIPS numbers are daily volumes: $3.5 trillion per day and $1.5 trillion per day, respectively (ACH is measly $10 trillion per year). By my math, the three main US-based financial payments systems move ~two quintillion dollars a year, which means that criminal proceeds make up about $3 for every $20,000 that flow through US based financial institutions.  To put that in perspective, $300 billion in criminal proceeds out of $2 quintillion in total proceeds is equivalent to 1 drunk fan at a Yankees game every other game. OR to put it another way, 99.999985% of dollars moving through US financial institutions are “clean”. This is different than the other anecdotes and axioms we hear about the volume of dirty money in (or flowing through?) the financial system. Regardless, we can all agree that $300 billion is too much … and I digress …

What is particularly interesting about the 2018 NMLRA is that the sources of criminal proceeds, and how those proceeds are laundered, didn’t materially change from 2015 to 2018.

Both the 2015 and 2018 NMLRAs conclude that the biggest sources of criminal proceeds are the common frauds – bank fraud, consumer fraud, healthcare fraud, securities fraud, and tax refund fraud – drug trafficking, human smuggling and human trafficking (correctly noted as two very different crimes), organized crime, and corruption. Health care fraud and drug trafficking each account for the bulk of the $300 billion in criminal proceeds – $1oo billion each. Human trafficking is a large and growing source at an estimated $36 billion a year.

Notably, the most significant money laundering risks in the United States in 2018 are essentially the same risks found in 2015: the misuse of cash (pages 4, 20), complicit individuals and financial services employees, and lax compliance at financial institutions (pages 40-45). And the “main risk that facilitates money laundering”? Anonymity in transactions and funds transfers (pages 4, 46). Much of the 2015 and 2018 NMLRAs deal with the misuse of cash – bulk cash smuggling, structuring, and funnel accounts are detailed in both assessments. And according to the 2018 NMLRA, cash structuring is a predominate activity reported in Suspicious Activity Reports: at page 24 is a table of SARs filed in 2015, 2016, and 2017. At a high level, over those three years the ratio of “structuring” SARs didn’t change much: about one in seven SARs had structuring as the sole category of reported activity, and about four in ten SARs had structuring as one of the categories of reported activity.

I highly recommend that every AML professional download and read the 2018 National Money Laundering Risk Assessment. It is well-written, well-organized, and provides links to excellent resources. It refers to and provides a link to the 2015 NMLRA, which, in some respects, is a more comprehensive (and still relevant) source.  Many of us still have the 2005 United States Money Laundering Threat Assessment on our book shelves: for those that don’t …

https://www.treasury.gov/resource-center/terrorist-illicit-finance/documents/mlta.pdf

The only time the public (and Congress) hears about a bank’s BSA program is when the program has failed and a regulator issues a public censure. These public censures are rare, but drive the narrative that banks are doing a poor job when it comes to BSA compliance. In the last 12 months we’ve read about Rabobank California’s February $50 million OCC and $369 million forfeiture, US Bank’s February $613 million in penalties from multiple agencies, Danske Bank’s September €775 million in penalties, Société Générale’s November “stripping” penalty of $1.34 billion, UBS’s December $15 million penalty, and Morgan Stanley’s December $10 million penalty. With those as the only narrative, one could imagine an industry out of control.  Which isn’t the case: 99% of financial institutions are doing a pretty good job with their BSA/AML and sanctions programs.  So … why not use a CRA-like approach and publish the evaluations of all bank’s BSA compliance programs?

According to the OCC, “the Community Reinvestment Act of 1977 (CRA) provides a framework for financial institutions, state and local governments, and community organizations to jointly promote banking services to all members of a community. In a nutshell, the CRA: prohibits redlining (denying or increasing the cost of banking to residents of racially defined neighborhoods); and encourages efforts to meet the credit needs of all community members, including residents of low- and moderate-income neighborhoods.” https://www.occ.gov/topics/compliance-bsa/cra/index-cra.html

Again, according to the OCC, the CRA requires each federal financial supervisory agency, when examining financial institutions subject to its supervision, to use its authority to assess the institution’s record of meeting the credit needs of its entire community, including low- and moderate-income neighborhoods, consistent with safe and sound operation of the institution. Upon the examination’s conclusion, the agency must prepare a written evaluation of the institution’s record of meeting the credit needs of its community. This document is an evaluation of the CRA performance of the bank as of the date of the evaluation. The agency rates the CRA performance of an institution consistent with appendix A to 12 CFR part 25 across lending, investment, and servicing using a scale of Outstanding, Satisfactory, Needs to Improve, and Substantial Noncompliance.  There is also a narrative summarize the major factors supporting the bank’s rating. And when illegal discrimination or discouragement has been discovered (substantive violations, not merely technical) and has affected the rating, the summary should state that the rating was influenced by those violations.

These CRA evaluations are made public. For example, on December 4, 2018 the OCC released CRA Evaluations for 28 National Banks and Federal Savings Associations that became public during the period of November 1, 2018 through November 30, 2018. Of the 28 evaluations, 25 were rated satisfactory and three were rated outstanding. In the last six monthly releases of the OCC’s CRA evaluations, 30 banks received an Outstanding grade, 139 received a Satisfactory grade, 1 received a Needs to Improve grade, and 1 received a “Substantial Needs to Improve” grade. If these were BSA results, and the Needs to Improve and Substantial Needs to Improve results were the equivalent of Consent Orders, the public (and Congress) would only have read about the 2 banks, not the 169 that had satisfactory or outstanding programs.  Not only is this context critical (169 of 171 banks had satisfactory or outstanding programs), but it encourages the regulated banks to strive to build and maintain an outstanding program.  This is important, because currently the only opportunity a BSA Officer has to get his or her program mentioned publicly is in a negative context of a Cease & Desist or Consent Order. There is no upside.  So perhaps the regulators can take a page from the CRA Handbook and publish their results of BSA evaluations. My guess is that 169 of 171 will be satisfactory or outstanding.  And BSA Officers everywhere would have hope …

I know many of you will immediately react that this is a bad idea. But as Arthur Clarke (is alleged to have) said: “New ideas pass through three phases: it’s a bad idea; it may be a good idea, but it’s not worth doing; and … I knew it was a good idea all along!”

The most recent AML-related public censure comes in the form of a FINRA “AWC” or Letter of Acceptance, Waiver and Consent voluntarily submitted by Morgan Stanley to its self-regulatory organization, FINRA, on December 12, 2018. The AWC is a reasonably typical example of a public settlement (in the case of FINRA) or consent order or assessment of a money penalty (in the case of bank regulators and FinCEN) in that it uses colorful but vague adjectives and adverbs to describe the impugned activity – words such as willful, insufficient, appropriate, adequate, extraordinary (describing workloads) frequent, and sufficient – as well as to describe the actions taken after getting caught or self-reporting the impugned activity  – words such as extraordinary, substantial, and sufficient. We can guess or imagine what Morgan Stanley and FINRA mean by “extraordinary workloads” (bad) and “extraordinary steps” (good), but it would be much more instructive to all industry participants if the adjectives, adverbs, and phrases used in all public AML documents were more precise and instructive. I give a few examples below. But …

Perhaps the most interesting thing about this AWC is what is NOT written! There is nothing in it that suggests that Morgan Stanley did a review or look-back of the almost 500,000 wires for almost $100 billion over a 5 year period that didn’t make it into its AML transaction monitoring system … was there any undetected and thus unreported suspicious activity? We don’t know. But back to what WAS written in the AWC …

http://www.finra.org/sites/default/files/Morgan_Stanley_AWC_122618.pdf

There is quite a bit of detail on Morgan Stanley’s failure to feed at least four wire transfer and foreign currency transfer systems to its main transaction monitoring system, some for as long as 5+ years (January 2011 to at least April 2016):

• from 2011 through 2016 two main wire systems failed to feed 140,000 wire transfers for $43 billion, including $3.2 billion to or from high risk countries;
• from December 2014 through April 2016 an incoming wire system failed to feed 267,000 incoming wires for $30.4 billion, including $1.8 billion from high risk countries; and
• from January 2014 through August 2015 an outgoing wire system failed to feed 91,000 outgoing wires for $25.5 billion, including $1.2 billion to high risk countries.

That’s almost 500,000 wires over a 5+ year period totaling almost $100 billion ($100,000,000,000), including $6,200,000,000 to or from high risk countries.

It would be instructive if the AWC included the total number and dollar amount of all Morgan Stanley wires during this period, and to/from which high risk countries they came from or went to.  Was 500,000 wires 10% of the total? 50%? 90%?  If $6.2 billion in wires to/from high risk countries went un-monitored, how much WAS monitored? And how much of that monitored activity was alerted on? Knowing the answers to these questions would be instructive. In addition, there is nothing about WHY these systems weren’t connected to the transaction monitoring system: that information would also be instructive for the industry.  What did FINRA and Morgan Stanley learn that could be used by the industry to prevent another $6.2 billion in wires to and from high risk countries?

In addition, the AWC notes that 24 AML analysts and contractors “had extraordinary workloads that likely contributed to their unreasonable reviews” of those wire transfers that did alert on the transaction monitoring system.

What is “extraordinary”? To answer that, FINRA needs to explain what it considers “ordinary”: how many Analysts should Morgan Stanley have had to handle the number of alerts produced? There is nothing in the AWC that provides something like “the AML analysts were required to clear 50 alerts per day yet received between 70 and 100 each day.

The AML team and senior management at Morgan Stanley deserve credit for taking “extraordinary steps” and devoting “substantial resources” and investing “substantial additional financial resources in the AML program”, and they “greatly increased” the AML staffing. But, like the vague words to describe the impugned behavior, these vague words to describe the remediation efforts are simply not helpful to anyone trying to learn from this case and make their own institution’s program better. Just what were those extraordinary steps? What resources were added? And they greatly increased the AML staffing … but from 24 to what?

To conclude, it would be extraordinarily helpful if FINRA, FinCEN, and others devoted substantial resources and greatly decreased their use of descriptive but vague adjectives and adverbs, and instead invested substantial additional resources in providing actionable, specific information.

https://www.banking.senate.gov/hearings/10/24/2018/combating-money-laundering-and-other-forms-of-illicit-finance-regulator-and-law-enforcement-perspectives-on-reform

From obvious tension between FinCEN and the OCC, to patiently waiting for marijuana guidance, to missteps on CTR filings and thresholds, to grocery stores in Bucksnort, Louisiana, and ending with a statement from a Senator that “I don’t think you’re ever going to get the safety and soundness regulator to make this a priority”, this hearing was worth watching.

To lay the groundwork, some of the more salient features of the written submissions:

FinCEN Director Ken Blanco’s written testimony began with FinCEN’s mission:

“FinCEN’s mission is to safeguard the financial system from illicit use and to promote national security through the collection, analysis, and dissemination of financial intelligence.” And he further testified that FinCEN accomplishes that mission by: “(1) aggressively investigating and pursuing illicit activity; (2) ensuring that we collect the financial intelligence necessary to support these investigations; (3) understanding the evolving trends and typologies of illicit activity; and (4) closing any regulatory gaps that expose our financial system to money laundering and the other underlying illicit activity that threaten our financial system and put our nation, communities, and families in harm’s way.”

Director Blanco then commented on the importance of the BSA information:

“nearly 500 federal, state, and local law enforcement and regulatory agencies with direct access to FinCEN’s database of BSA records. Within these agencies, there are an estimated 11,000 active users of BSA data. This consists of 149 SAR Review Teams and Financial Crimes Task Forces located all around the country, covering all 94 federal judicial districts, including one in each state, the District of Columbia, and Puerto Rico. In the last five years, FinCEN query users have made more than ten million queries of the FinCEN database.”

“Internal Revenue Service Criminal Investigation alone conducts more than 126,000 BSA database inquiries each year. And, 24 percent of its investigations begin with a BSA source. As my colleague from the Federal Bureau of Investigation (FBI) will discuss, financial intelligence is a key tool for FBI criminal investigations. All FBI subjects have their names run against the BSA database. More than 21 percent of FBI investigations use BSA data, and for some types of crime, like organized crime, nearly 60 percent of FBI investigations use BSA data. Roughly, 20 percent of FBI international terrorism cases contain BSA data.”

“We are getting better at this every day, but we believe we can do much more. Part of getting better and doing more includes providing both our financial institutions and delegated examiners better and more consistent feedback on how we use BSA data so they understand our priorities and how to better use their resources more effectively and efficiently in a more targeted and focused way.”

Director Blanco then turned to regulatory reform:

“Our goal is to ensure that financial institutions are devoting their resources to identify and report activity that relates to the highest priority national security and law enforcement interests. This effort requires a multi-prong approach with three key priorities: (1) understanding BSA value; (2) promoting responsible innovation; and (3) fostering information sharing, including through public-private partnerships.”

The OCC’s Senior Deputy Comptroller for Compliance & Community Affairs, Grovetta Gardineer, testified that: “We at the Office of the Comptroller of the Currency (OCC) support the purpose of the BSA to combat money laundering and terrorist financing (illicit finance). Toward this end, the OCC is committed to ensuring that the institutions under its supervision have robust controls in place to safeguard them from being used as vehicles to launder money for drug traffickers and other criminal organizations, or to facilitate the financing of terrorist acts. Together, with the other federal banking agencies and the law enforcement community, our goal is to prevent the misuse of our nation’s financial institutions.”

She also stated:

“New technologies such as artificial intelligence (AI) and machine learning offer banks opportunities to better manage their costs and increase the ability of their monitoring systems to identify suspicious activity, while reducing the number of false positive alerts and investigations.”

I disagree with this statement, to a degree. There is nothing wrong with the existing technologies: it is their misapplication that is the primary problem, and the secondary problem is the fear of banks – brought on by regulatory expectations and published sanctions – that they cannot afford to miss any potential suspicious activity. AI and Machine Learning are great technologies, and have been effectively deployed for 10 years by some vendors (Verafin is one), but they are not the sole answer. For a BSA Officer to blame false positives on his or her technology is like a carpenter blaming his tools … you should look first to the carpenter …

Deputy Comptroller Gardineer then testified on proposed legislative reforms, using the Economic Growth & Regulatory Paperwork Reduction Act (EGRPRA, or “Eegrippa”) process.

This is where things got interesting during the question and answer session. Chairman Crapo (R. IL) opened with a question to Director Blanco whether the OCC’s proposed EGRPRA process was the right way to make BSA changes. Director Blanco said it wasn’t necessary and was, in fact, “another layer of bureaucracy”. Ms. Gardineer disagreed. The back and forth got so intense that Senator Crapo called it “a little bit of tension” and moved on.

Senator Sherrod Brown (D. OH), the Ranking Member, chastised the OCC for calling for regulatory relief at a time when the bigger banks’ misconduct seems to continue.

There was testimony and many questions on the CTR threshold. In his written testimony, Director Blanco noted that raising the CTR threshold to $20,000 would eliminate 60% of CTRs, and raising it to $30,000 would eliminate 80%. Senator Moran asked FBI Agent Steve D’Antuono about that: Agent D’Antuono made an excellent point that it isn’t simply the amount that is important, but all the other information reported in a CTR, such as addresses, telephone numbers, etc.

The exchange with Senator Toomey was interesting for many reasons. He noted that the $10,000 threshold has been in place since 1970, and has not been adjusted for inflation. He referred to a 1994 GAO study that found that 30% – 40% of CTRs were filed by large, well-known cash intensive companies that should have been depositing large volumes of cash, and that those reports offered little value to law enforcement.

Senator Toomey – or his staff or others he and they are relying on – appear misinformed and misguided. First, the Money Laundering Suppression Act of 1994 addressed the issue of large-dollar, well-known cash businesses by providing for the CTR exemption process. That problem has (partially) been solved. Second, the “inflation” argument ignores other more relevant factors: (i) in 1970 the CTR process was entirely manual, without the aid of desk-top computer systems, with forms copied with carbon paper and mailed in envelopes; (ii) in 1970 there were no ATMs, no debit cards, no ACH, no Internet, no mobile, certainly no peer-to-peer electronic (Venmo) transactions … the world has changed, and I would argue that $10,000 in cash today is just as unusual or anomalous as $10,000 in 1970.

A recent study conducted by the Federal Reserve Bank of Boston (a study titled “the Diary of Consumer Payment Choice”) found that the average cash transaction is $22: surely a reporting threshold that requires banks to report cash deposits that are almost 500 times the average cash transaction is a reasonable threshold.

Approximately 50 minutes into the hearing (at the 1:07:10 mark), Senator Menendez (D. NY) asked Director Blanco “does FinCEN have any plans to clarify how financial institutions can provide services to marijuana related businesses …?”. Director Blanco replied “we’re still having those [interagency] conversations … the 2014 guidelines are still the guidelines.” So no help there to those banks and credit unions considering whether to provide, and which, banking services to direct, indirect, or ancillary cannabis businesses and persons.

Senator Cortez Masto (D. NV) made two important points about possible changes to FinCEN’s mandate: giving FinCEN the authority to work with tribal police, and allowing FinCEN to investigate domestic terrorism. Director Blanco agreed with both.

The exchange with Senator Kennedy (R. LA) was particularly interesting. Like Senator Toomey, Senator Kennedy – or his staff or others he and they are relying on – appear misinformed and misguided. The Senator began his questions of Director Blanco with a scenario of a well known local grocery store in a small town that deposits $15,000 in cash every day into its account at a small bank. He asked Director Blanco if a CTR would have to be filed. Unfortunately, Director Blanco replied that yes, a CTR would have to be filed. In fact, in that scenario, the bank could exempt that well-known, cash-intensive business from the CTR filing requirement. It would be good to have that corrected for the record. Senator Kennedy actually gave a name to that small town – he called it “Bucksnort, Louisiana”. I Google Mapped (is that a verb?) “Bucksnort” … there appears to be one in Tennessee and another in Alabama. I couldn’t find the Louisiana Bucksnort.

Senator Kennedy then asked about the questions that needed to be asked of customers at account opening. He asked Director Blanco “does the bank have to ask if my company is a shell company?”. Again, unfortunately, Director Blanco answered “yes”, when in fact that is NOT a question that needs to be asked. Nor can it be reasonably answered: the only answer you’ll get is “no”. Rather, the new Beneficial Owner rule simply requires banks to ask the person opening the account to provide the names and identifying information of any natural person owning at least 25% of the entity (up to four legal owners) and the name of one controlling person, and the bank can rely on that information unless it has reason to believe it is false. Neither the Rule, nor any regulatory expectation I am aware of requires a bank to ask “is your company a shell company?”

Senator Warner (D.VA) had arguably the most interesting observation of the entire ninety minute hearing. At 1:33:17 of the hearing, after some discussion about the different missions of the OCC and FinCEN, he stated “I don’t think you’re ever going to get the safety and soundness regulator to make this a priority.”

This last statement may be getting to the crux of the matter. Depending on your perspective, do FinCEN and the safety and soundness regulators have different perspectives of the same problem, or are they competing interests? As Director Blanco put it, FinCEN has a dual mission: to safeguard the financial system from illicit use, and to promote national security through the collection, analysis, and dissemination of financial intelligence. Deputy Comptroller Gardineer testified that the OCC is committed to ensuring that the institutions under its supervision have robust controls in place to safeguard them from being used as vehicles to launder money. So FinCEN – and law enforcement – are focused on the actionable intelligence that financial institutions can provide: the OCC is focused on whether those institutions have robust controls in place. In my White Paper titled “50 Years of the Bank Secrecy Act: It’s Time to Renew the Purpose of Providing Actionable Intelligence to Law Enforcement” (https://verafin.com/resource/50-years-bank-secrecy-act/) I conclude with the following:

“I, and many others, believe that providing timely and actionable intelligence to law enforcement is critical to the successful prevention of illicit activity. Of course, as outlined in the FFIEC manual, a sound BSA/AML compliance program provides the necessary foundation for providing that intelligence. With that in mind, a first step in reforming the BSA/AML regime in the United States may be changing the language of the Manual itself. I propose that the language is changed from ‘a sound BSA/AML compliance program is critical in deterring and preventing these types of activities at, or through, banks and other financial institutions…’ to ‘providing timely and actionable intelligence to law enforcement is critical in deterring and preventing these types of activities at, or through, banks and other financial institutions, and a sound BSA/AML compliance program provides the foundation for the ability to provide that intelligence.’ The change is subtle but important as it strengthens and focuses the very purpose of the BSA. Providing actionable, timely intelligence to law enforcement, while maintaining sound but rational programs, should be the new goal.”

I believe that the safety and soundness regulators and FinCEN have different perspectives, not competing interests. But I would stress that a financial institution be supervised, examined, and judged first and foremost on whether it is providing actionable intelligence to law enforcement over whether the hundreds or even thousands of BSA compliance program requirements are ticked and tied and documented.

To conclude, testifying before Congress is a nerve-wracking and difficult thing to do (I’ve done it once, in 2004) and Director Blanco, Deputy Comptroller Gardineer, and Agent D’Antuono are to be commended for jobs well done. The public/private partnerships are better than they’ve ever been, and with courage, commitment, collaboration, and compromise, we can make them even better.