The BSA Laundry Room
By: Erik Berggren, Review Examiner
Authoring an article focused on the Bank Secrecy Act (BSA) leaves the field pretty much wide open. And because this is basically the maiden voyage for the topic of BSA to be included as an occasional focal point in future Quarterly Interest publications, a very brief history of the OSBC's involvement may prove informative.
As you most certainly know by now, the mandate for financial institutions to undergo the extensive BSA/Anti-Money Laundering (AML) examinations we now have was largely, if not primarily, the result of the events surrounding September 11, 2001. A congressional mandate was handed down for federal banking agencies and regulators to conduct BSA/AML examinations on the financial institutions subject to their oversight. Sensing increased pressure and concerned with their ability to fully satisfy the mandate with their existing workforce, federal regulators solicited the assistance of state financial regulatory agencies to conduct these examinations. The FDIC and FRB willingly and significantly assisted OSBC personnel in riding the BSA/AML learning curve. Our examiners "shadowed" numerous examinations they conducted, and both formal and informal training opportunities were made available. The combination of these things resulted in the OSBC conducting its first independent BSA/AML examination in August of 2004, and we have at least one experienced BSA/AML examiner in each of our four regional offices.
Because the Federal banking agencies have statutory responsibility for enforcement of the BSA/AML regulations in Federally-insured financial institutions, the appropriate Federal agencies will become involved should examination results or other monitoring procedures of the OSBC deem it necessary to pursue some type of enforcement action. In addition to our cooperation with the Federal banking agencies, the OSBC has (as have 39 other state banking agencies as of August 14, 2006) entered into a written agreement with the Financial Crimes Enforcement Network (FinCEN) outlining obligations of each agency to the other. Most notable is the OSBC's requirement to monitor the frequency and nature of apparent BSA/AML violations, and to file quarterly and annual reports with FinCEN concerning this information. Additionally, even though somewhat limited, the OSBC's access to the highly sensitive and confidential information maintained by FinCEN subjects us to oversight and examination by FinCEN. Rest assured, safeguarding the information and ensuring proper use thereof is equally paramount to us.
Knowing full well that there are a seemingly infinite number of resources available aimed at staying abreast of BSA/AML related issues, OSBC personnel have embraced and utilized many to help prepare for whatever the BSA/AML area may present. One such resource is an Interagency AML meeting held on a quarterly basis in Kansas City. These meetings are a combined effort of regulatory agencies for regulatory agencies. The duration of these meetings is usually confined to a single morning, and their purpose is to exchange knowledge and experience concerning current issues, situations, or questions that may have surfaced on a broader range of BSA/AML issues. The meetings are usually organized and/or hosted by the FRB and FDIC, and the attendees run the full spectrum of regulatory agencies (IRS, FBI, FRB, FDIC, OCC, OTS, U.S. Immigration Customs Enforcement (ICE), Department of Homeland Security (DHS), Department of Justice (DOJ), local law enforcement, various state agencies, etc.). Thus far, OSBC General Counsel Sonya Allen and/or I have been fortunate enough to attend these meetings.
The most recent of these meetings centered on a tour of the Heart of America Regional Computer Forensics Laboratory (HARCFL) in Kansas City, Missouri. Being entirely new to this aspect of law enforcement, the mere existence of such a facility was quite interesting. According to a brochure made available during the tour,
"The RCFL Program is a national network of FBI sponsored, full-service digital forensics laboratories and training centers. The FBI provides start-up and operational funding, training, and equipment, while state, local, and other federal law enforcement agencies assign personnel to work as Examiners. An RCFL is devoted entirely to the examination of digital evidence in support of criminal investigations, such as, but not limited to- terrorism, crimes of violence, child pornography, theft or destruction of intellectual property, Internet crimes, fraud, and murder."
The brochure also reveals there are presently ten Regional Computer Forensics Laboratories (RCFL) operating throughout the country, with four future locations. A visit to www.rcfl.gov will provide more information concerning the Program as a whole, and visiting www.harcfl.org will provide information specific to the HARCFL. According to the RCFL Annual Report for 2005, the HARCFL was established in 2003 and services the State of Kansas and the western two-thirds of Missouri; a total of 171 counties. The Annual Report also lists 16 law enforcement agencies in HARCFL's service area that participate with HARCFL.
An Autumn 2005 issue of Kansas Peace Officer contains an article that focuses on the HARCFL and conveys the following:
"The idea that computers and other forms of electronic communications are limited to white collar crime matters is now outdated. Any criminal investigation is likely to involve an examination of some type of electronic communication or storage device."
This same article highlights the HARCFL's involvement in some of the more high-profile criminal investigations in the country; namely the "BTK" serial killer, the murder of a young pregnant woman in Missouri whose unborn fetus was cut from her body, and a homicide investigation involving former KSU professor Thomas Murray, who received a life sentence for murdering his estranged wife. HARCFL Director Kevin Steck, who actually conducted the tour, made us all pause for thought when he reiterated the fact that almost every crime committed in today's world involves some type of electronic communication or storage device; phones (all types), cameras, calculators, flash/thumb drives, surveillance cameras, ATMs, magnetic strip card readers, etc., etc., AND computers. Should you come upon an opportunity to tour such a facility, do not pass it up!
The agendas for the previously mentioned Interagency AML meetings include a time segment for a fraud update from FDIC. At the most recent of these meetings, FDIC Case Manager (Special Activities) Rick Gross made mention of an increased frequency of insider fraud, as referenced in the Association of Certified Fraud Examiners (visit: http://www.acfe.com/home.asp) "Report to the Nation" (RTTN) (visit: http://www.acfe.com/documents/2006-rttn.pdf). Not to get you paranoid or anything, but Rick's summary comments of this aspect of the RTTN conveyed that the most trusted, most respected, longest employed, best educated, and best compensated are common characteristics of those committing insider fraud. So, by all means, do not sidestep dual control, cross-training, and independent review procedures in the daily operation and audit steps of your institution!
While not making any kind of endorsement of the Association of Certified Fraud Examiners, further review of that website revealed a Fraud Prevention Checklist at http://www.acfe.com/documents/Fraud_Prev_Checkup_IA.pdf. The checklist is not necessarily geared specifically toward banks, but the approach presented does appear valuable and worth considering. The seven-question process suggests consideration of: 1) Fraud risk oversight; 2) Fraud risk ownership; 3) Fraud risk assessment; 4) Fraud risk tolerance and risk management policy; 5) Process level anti-fraud controls/re-engineering; 6) Environment level anti-fraud controls; and 7) Proactive fraud detection. Take a few moments and see how you score.
I would be remiss if somewhere within this article I did not remind you of the July 28, 2006 release of the revised FFIEC BSA/AML Examination Manual. It was officially announced by way of FIL-71-2006 dated Aug. 2, 2006, which is accessible via the web at www.fdic.gov/news/news/financial/2006/fil06071.html. The revised manual is accessible via the web at www.ffiec.gov/bsa_aml_infobase/default.htm. It contains a wealth of information, and outlines most everything that might be touched upon during a BSA examination conducted by your designated regulatory agencies. The Interagency Transmittal Letter is accessible at www.fdic.gov/news/news/financial/2006/fil06071a.pdf, and outlines the significant revisions and updates to the manual. CSBS has also made available a PodCast entitled "Recent Revisions to the FFIEC's BSA/AML Examination Manual" at http://innovativelearning.blogs.com/. This 12-minute interview between CSBS's SVP Roger Stromberg and Carol Van Cleef, partner in the Washington, DC office of the law firm of Bryan Cave LLP, provides highlights regarding the additions to (risk assessment and ACH) and changes in (foreign correspondent banking, private banking, SARs, trade finance activities, OFAC, red flags, and CIP) the newly revised FFIEC BSA/AML Examination Manual. Ms. Van Cleef leads the firm's MSB and AML Compliance teams. The PodCast is well worth a listen. In the PodCast, Ms. Van Cleef notes the "beefed up" version of "red flags." These are listed in Appendix F of the manual, which is entitled "Appendix F: Money Laundering and Terrorist Financing 'Red Flags.'" It spans nine pages of the manual, but is a good refresher for what is the emphasis of BSA/AML: recognizing and taking appropriate action concerning suspicious or unusual activity.