(January, 2005) – At the core of the Anti Money Laundering legislation are the BSA act and more recently, the USA Patriot Act. This newsletter talks about the importance of assessing your Anti Money Laundering Program.

Conducting an Anti-Money Laundering Program Assessment
Criminals have consistently found ways to conceal or disguise the origins of illegal funds attained through criminal activity from financial institutions since the latter began managing money. The rise of terrorism through recent years has placed even more importance on combating money laundering. Unfortunately, the ever increasing reach and speed of modern technology has made the fight against money laundering even more difficult. The global reach of banking poses yet another challenge with an infinite number of transactions, traveling at incredible speeds, with numerous financial instruments that are continuously changing. Money laundering is no longer an issue that affects the financial industry alone. Now money laundering is a matter of national security.Financial institutions have more laws and regulations that they must comply with that are aimed at exposing the perpetrators of money laundering.

At the core of money laundering legislation is the Bank Secrecy Act (BSA) which has been amended by Congress several times over the years to include such acts as the Anti-Drug Abuse Act of 1986. The BSA lists over 170 crimes ranging from drug trafficking, gunrunning, murder for hire, fraud, acts of terrorism, and the illegal use of wetlands.*

A more recent act is the USA Patriot Act. This Act established severe penalties for financial services organizations that do not demonstrate comprehensive anti-money laundering policies and procedures. Not only do these policies and procedures need to exist, they also need to be followed closely and independently reviewed by a third party.

Government mandated legislation requires compliance reporting. Compliance reporting may help meet regulatory requirements, but failure to take the necessary steps to detect and prevent financial transactions supporting criminal or terrorist activity may result in stiff fines, criminal charges, and negative publicity that can cause irreparable damage to the institution’s reputation.

At the surface, an effective Anti-Money Laundering Program should include BSA compliance and know your customer (due diligence) programs, OFAC compliance, suspicious activity monitoring and reporting systems, and risk-based Anti-Money Laundering Programs. A closer look reveals that certain elements of security play a vital role in compliance with BSA.

At a minimum, a bank’s Anti-Money Laundering (internal compliance) Program must be formalized in writing and approved by the institution’s board of directors. The Program must include:

• A system of internal controls (administrative, physical and logical) to ensure ongoing compliance
• Independent testing of compliance with the Program
• Ongoing coordination and monitoring of compliance by a designated person (Compliance Officer)
• BSA and anti-money laundering training for appropriate personnel

The development and implementation of a system of internal controls must ensure that certain elements of security are considered. Computer systems must reside in a physically secure environment and systems must be secured at both the application and supporting infrastructure levels. The development, implementation, and/or testing of these controls may require specialized skills by information security professionals that have the ability to:

• Attest to the overall integrity and effectiveness of management systems and controls, and BSA technical compliance
• Test transactions in all areas of the bank with emphasis on high-risk areas, products, and services to ensure the bank is compliant. High risk transactions would include wire transfers, electronic transactions that allow the rapid movement of currency and Internet banking transactions
• Review evidence of training for employees to assess their knowledge of regulations and procedures as part of the security awareness and compliance program
• Assess the adequacy of the bank’s process for identifying and reporting suspicious activity including activity related to computer related crimes (18 U.S.C. Sec. 1030)
• Senior management and the Board of Directors should review the findings and approve an action plan

An assessment of a financial institution’s Anti-Money Laundering Program would include the performance of all of the tests listed above. The assessment should be scoped to include the areas that are most critical for the Anti-Money Laundering Program. For example, an Internet banking server could handle a large volume of transactions on a daily basis. These transactions need to be secured from unauthorized access and manipulation. Internet banking provides money launderers with an anonymous means of transferring funds anywhere in the world. Additionally, controls should be in place to detect certain types of suspicious transactions such as those that exceed $10,000, or multiple deposits that fall below a certain threshold, etc.

As long as financial institutions manage funds, criminals will continue to find ways to launder money through the system. Financial institutions face several issues when attempting to combat money laundering.The first is complying with legislation in terms of reporting and creating an Anti-Money Laundering Program. Many institutions feel that having a Program in place is more than enough. In reality, it is just the beginning. The Program needs to be robust and flexible enough to account for changes in products or the banking environment. Suspicious activity needs to be properly investigated and reported. Personnel need to be adequately trained and senior management needs to be involved in the process. The only way to ensure that all of these areas are addressed by the Anti-Money Laundering Program is to conduct an assessment that tests all aspects of the Program. The Existence of an Anti-Money Laundering Program that meets federal guidelines does not assure that it will be effective. To be truly effective, the Progam must prevent and detect money laundering activities. The biggest threat to financial institutions is not the stiff penalties the government will assess for non-compliance. The biggest threat comes from the affect on the institution’s reputation if a criminal and/or terrorist successfully launders money through their institution. Has your Anti-Money Laundering Program been assessed lately?

Let Enterprise Risk Management (ERM) help you ensure compliance with Bank Secrecy Act and Anti-Money Laundering legislation such as the USA Patriot Act. ERM specializes in providing risk assessment, information systems audit, and security-related services for financial institutions in the U.S. and abroad. Some of our clients include: Banco Popular de Puerto Rico, The International Bank of Miami, Euro Bank, Uni Bank, Banco Internacional de Costa Rica, Atlantic Security Bank, International Finance Bank, Commercebank, and Caja Madrid Bank. ERM professionals have a unique combination of technical and financial backgrounds, supplemented by multiple certifications in the information systems, accounting, and auditing professions; and specialized knowledge of the banking industry. Our professionals have held high-level IT management and audit positions at numerous prominent organizations in the South Florida area and have worked for the Big Four public accounting firms.