Thursday, February 14, 2013

Anti-Money Laundering–Red Flags and the SAR Narrative

Even though AML compliance for nonbanks has been in effect since August 13, 2012, many Residential Mortgage Lenders and Originators (RMLO) still seem to have considerable difficulty in two specific areas: how to determine when a Suspicious Activity Report (SAR) should be filed, and which suspicious activity events or features may trigger the SAR filing requirement.
In one article, entitled Anti-Money Laundering Debuts for Nonbanks, I unpack the AML Program in a way that will provides some familiarity with the AML Compliance scope, while perhaps also making its implementation a bit less daunting than it might otherwise seem to be.
In another article, entitled Anti-Money Laundering Program: Preparation is Protection, I outlined many of the so-called Red Flags and other triggering events. In addition, I offered a way to construct a SAR narrative - the description to FinCEN about the alleged suspicious activity - that, based on years of experience auditing and implement AML compliance on behalf of our clients, best meets FinCEN's expectations of an informative statement.
To give you an idea of the size and complexity of a well-constructed AML Program, my firm’s AML Program is well over fifty pages – which consists of a policy statement and numerous appendices for applicable procedures. This should give you some idea of the depth and detail needed for properly implementing AML compliance. The absence of or any inaccuracies in required program components may indicate a defective policy and procedures – the very tools needed to assist in detecting and preventing money laundering or other illegal activities conducted through mortgage banking conduits.
So, a word of caution is due: do not take the chance of buying an abbreviated or defective AML Program, in the hope of merely satisfying the “basic” FinCEN requirements. Obtaining a boilerplate document with your company’s name on it is regressive, and it is a tactic that Examiners are now regularly criticizing in adverse findings.
These days, regulators are fully aware of this ‘short cut’ to compliance. An insufficient AML Program may cause adverse examination findings. Indeed, in some cases, template-driven policy and procedures may cause Examiners to escalate their regulatory review of an RMLO’s anti-money laundering implementation.
AML compliance is a specialized area of mortgage compliance, necessitating genuine, practical, hands-on, regulatory compliance and experiential knowledge, and an AML Program must reflect precise policies and procedures that not only implement the SAR regulations but also conform to a company’s way of doing business.
Therefore, an AML Program is one policy statement and set of procedures where the purchase price should not be an operative consideration. Caveat Emptor!
This is why I want to further outline the descriptive process of completing the SAR narrative, emphasizing a simple method I call The 5 W's and the How, and I will also provide details regarding both so-called Red Flags and triggering events. So, even if a company has a skimpy or defective AML policy and procedures, at least those who implement AML Compliance may be offered some rudimentary guidelines to consider in the practical experience of actually filing a SAR.
The 5 W's and the How
Triggering Events
Documentation Red Flags
Applicant Red Flags
RMLO's Employee Red Flags
Library Resources
The 5 W's and the How
If I were to choose the central feature of the SAR, I would select the SAR narrative.
Each SAR requires a narrative to be provided by the SAR filer.
Over time, my firm has compiled numerous examples of common patterns of suspicious activities from our audit and due diligence reviews. Based on our experience and FinCEN’s own stated guidance, we believe that there are five interrogative categories to be considered when writing a SAR narrative: who? what? when? where? and why?

Tuesday, February 5, 2013

Social Media and Networking Compliance

When you think of advertising, do you include social media? These days, most of you do!
However, social media compliance - which I shall call "SMC" - is a considerable undertaking, far more involved than just issuing a policy and procedure. Often, implementing SMC includes working with internet technology and information security professionals, collaborating with sales, compliance, legal, marketing, and human resources personnel, and ensuring that virtually all employees understand their own obligations with respect to using internet communications.
We have drafted SMC policy statements that call for constant vigilance by management and appointed staff to monitor for and find the appropriate remedies to transgressions relating to use of a company's name, logo, products, and services, in casual and even formal social media interactions.
Recently, Federal Financial Institutions Examination Council (FFIEC) issued a request for comments, entitled Social Media: Consumer Compliance Risk Management Guidance ("Notice"). FFIEC issued this notice on behalf of its six members, Office of the Comptroller of the Currency (OCC); the Board of Governors of the Federal Reserve System (Board); the Federal Deposit Insurance Corporation (FDIC); the National Credit Union Administration (NCUA); the CFPB (collectively, the "Agencies"); and the State Liaison Committee (SLC). Succinctly put, whatever the federal agencies eventually adopt, the states will issue the final guidance as a supervisory guidance not only to the institutions that are, by extension, under its supervision but also through the State Liaison Committee, thereby encouraging state regulators to adopt the guidance.
This means that institutions will be expected to use the forthcoming guidance in their efforts to ensure that their policies and procedures provide oversight and controls commensurate with the risks posed by their social media activities. State agencies that adopt the guidance will expect the entities that they regulate to use the guidance in their efforts to ensure that their risk management and consumer protection practices adequately address the compliance and reputation risks raised by activities conducted via social media.
In this article, I will consider certain features of FFIEC's social media Notice as well as some important subjects to be addressed in constructing an SMC policy and procedure.*
Defining Social Media
Use of Social Media
Risks of Social Media
Risk Management
Risk Areas
Laws and Regulations
Major Risks
Policy and Procedures
Defining Social Media
Social media has been defined in a number of ways. For purposes of the proposed guidance, the Agencies consider social media to be a form of interactive online communication in which users can generate and share content through text, images, audio, and/or video.
Social media can take many forms, including, but not limited to, micro-blogging sites (i.e., Facebook, Google Plus, MySpace, and Twitter); forums, blogs, customer review Websites and bulletin boards (i.e., Yelp); photo and video sites (i.e., Flickr and YouTube); sites that enable professional networking (i.e., LinkedIn); virtual worlds (i.e., Second Life); and social games (i.e., FarmVille and CityVille).
A simple test to distinguish social media from other online media in that the social media communication tends to be more interactive.
Use of Social Media
Financial institutions use social media in a variety of ways, including marketing, providing incentives, facilitating applications for new accounts, inviting feedback from the public, and engaging with existing and potential customers.
For instance, social media has been used to receive and respond to complaints. They have been used to provide loan pricing. Since this form of customer interaction tends to be informal and occurs in a less secure environment, it presents some unique challenges to financial institutions.