Anti-Money Laundering Program: Testing

I learned recently some rather extraordinary news: my firm is currently the only mortgage risk management firm in the country offering testing of a Residential Mortgage Lenders and Originator’s (RMLO’s) Anti-Money Laundering Program.* This situation struck me as exceedingly odd, inasmuch as testing is a statutory requirement.

Visit our Anti-Money Laundering Program website.

Testing annually is recommended, but not later than every eighteen months. In this first year, most companies are testing prior to the Financial Crimes and Enforcement Network’s (FinCEN’s)statute’s anniversary date in August. An audit of the procedures detailed in an RMLO’s policy and procedures must be conducted either an internal auditor, in accordance with FinCEN guidelines, or, in accordance with FinCEN guidelines, by an independent external auditor.

How is it that we are the first mortgage risk management firm to offer the independent auditing requirement? Maybe, even at this late date, the industry itself is still trying to absorb the AML compliance implementation, while struggling to integrate a multitude of other new regulations.

Many residential mortgage industry participants have run the Elizabeth Kubler Ross spectrum of denial to acceptance at a pace that leaves in its wake the sentiments of high dudgeon, middling dudgeon, intermediate dudgeon, towering dudgeon, lofty dudgeon - and, finally, recognition that the tide of change is actually upon us!

I have tried to make it clear in previous articles, that the AML program is quite different than other policy statements and procedures!

For two of my analyses on this matter, read my articles entitled Anti-Money Laundering Program - Preparation is Protection (8/2012), or Anti-Money Laundering Debuts for Nonbank Mortgage Companies (3/2012).

Over the years, we have conducted AML audits for banks. Now we conduct them for nonbanks and their Suspicious Activity Report (SAR) filing compliance. Soon enough, I expect another cottage industry to arise, chock full of firms that will promote such external auditing, bringing about yet another feeding frenzy!

In this article, I will offer some of the basics to AML testing for RMLOs, so that you have a high-level set of bullets that may offer some insight into the audit process. There are many moving features to such an audit. In constructing your own procedures, be aware that the time to learn about how to properly test and report audit results is most certainly not during an examination.

Visit our Anti-Money Laundering Program website.

_____________________________________________________

IN THIS ARTICLE

Elements of Testing

Internal or External Auditing

Library

_____________________________________________________

We recommend that an AML audit for RMLOs should contain, at the least, the following elements:

Entrance Interview
We require an entrance interview for all AML program audits. The meeting is held with company’s officials, compliance personnel, and support staff is conducted to (1) discuss the company’s lender profile, (2) specify procedures to be followed by the company in the course of the engagement, (3) answer any questions regarding the auditor’s evaluation process.

Audit responses to Prior Year Consulting and Regulatory Examination Reports (if applicable) We are in the first year of the AML program. However, each year afterward, the review will ask for the prior year's reports, including any regulatory reports. This part of the review cannot be side-stepped, because it acts as a baseline, further enhanced by an evaluation of corrective action responses. The reviewer's first actions may include back-testing to see if corrective actions were implemented. Any continuation of a compliance failure that previously was subject to corrective action should cause the review to mark down the results.

Issue and Review Document Request
Every audit must contain a document request. The extent that a company can comply with the document request is in itself a sign of the company's ability to implement the AML program's requirements. It is expected that a company will provide the documents needed promptly, in legible condition, and in their entirety. Failure to provide certain documents causes an adverse finding.

Conduct Anti-Money Laundering (AML) Risk Assessment
The review must go through a series of risk assessment analytics in order to determine that the company is fulfilling its AML program requirements. These series can be quite extensive, depending on the company's size, complexity, and risk profile.

Social Media and Networking Compliance

When you think of advertising, do you include social media? These days, most of you do!

However, social media compliance - which I shall call "SMC" - is a considerable undertaking, far more involved than just issuing a policy and procedure. Often, implementing SMC includes working with internet technology and information security professionals, collaborating with sales, compliance, legal, marketing, and human resources personnel, and ensuring that virtually all employees understand their own obligations with respect to using internet communications.

We have drafted SMC policy statements that call for constant vigilance by management and appointed staff to monitor for and find the appropriate remedies to transgressions relating to use of a company's name, logo, products, and services, in casual and even formal social media interactions.

Recently, Federal Financial Institutions Examination Council (FFIEC) issued a request for comments, entitled Social Media: Consumer Compliance Risk Management Guidance ("Notice"). FFIEC issued this notice on behalf of its six members, Office of the Comptroller of the Currency (OCC); the Board of Governors of the Federal Reserve System (Board); the Federal Deposit Insurance Corporation (FDIC); the National Credit Union Administration (NCUA); the CFPB (collectively, the "Agencies"); and the State Liaison Committee (SLC). Succinctly put, whatever the federal agencies eventually adopt, the states will issue the final guidance as a supervisory guidance not only to the institutions that are, by extension, under its supervision but also through the State Liaison Committee, thereby encouraging state regulators to adopt the guidance.

This means that institutions will be expected to use the forthcoming guidance in their efforts to ensure that their policies and procedures provide oversight and controls commensurate with the risks posed by their social media activities. State agencies that adopt the guidance will expect the entities that they regulate to use the guidance in their efforts to ensure that their risk management and consumer protection practices adequately address the compliance and reputation risks raised by activities conducted via social media.

In this article, I will consider certain features of FFIEC's social media Notice as well as some important subjects to be addressed in constructing an SMC policy and procedure.*

_______________________________________________________

IN THIS ARTICLE

Defining Social Media

Use of Social Media

Risks of Social Media

Risk Management

Risk Areas

Laws and Regulations

Major Risks

Policy and Procedures

_______________________________________________________

Defining Social Media

Social media has been defined in a number of ways. For purposes of the proposed guidance, the Agencies consider social media to be a form of interactive online communication in which users can generate and share content through text, images, audio, and/or video.

Social media can take many forms, including, but not limited to, micro-blogging sites (i.e., Facebook, Google Plus, MySpace, and Twitter); forums, blogs, customer review Websites and bulletin boards (i.e., Yelp); photo and video sites (i.e., Flickr and YouTube); sites that enable professional networking (i.e., LinkedIn); virtual worlds (i.e., Second Life); and social games (i.e., FarmVille and CityVille).

A simple test to distinguish social media from other online media in that the social media communication tends to be more interactive.

_______________________________________________________

Use of Social Media

Financial institutions use social media in a variety of ways, including marketing, providing incentives, facilitating applications for new accounts, inviting feedback from the public, and engaging with existing and potential customers.

For instance, social media has been used to receive and respond to complaints. They have been used to provide loan pricing. Since this form of customer interaction tends to be informal and occurs in a less secure environment, it presents some unique challenges to financial institutions.

Anti-Money Laundering Program–Preparation is Protection

The Financial Crimes Enforcement Network (FinCEN), a bureau of the Department of the Treasury, recently finalized regulations (Final Rule) requiring non-bank Residential Mortgage Lenders and Originators (RMLOs) to establish an Anti-Money Laundering Program (AML Program) and file Suspicious Activity Reports (SARs), as FinCEN requires of other types of financial institutions.[i]

FinCEN issued these regulations defining non-bank residential mortgage lenders and originators as loan or finance companies for the purpose of requiring them to establish AML Programs and report suspicious activities under the Bank Secrecy Act (BSA).

The effective compliance date for the Final Rule is August 13, 2012.[ii]

For additional background information, this article may be read in conjunction with my March 2012 article in this publication, entitled Anti-Money Laundering Debuts for Nonbanks.[iii]

FinCEN may impose civil monetary penalties for non-compliance with its regulations, including a penalty for each suspicious activity reporting violation, so compliance with the SAR regulations should be considered mandatory on the part of responsible management.[iv]

BSA authorizes the Treasury to issue regulations requiring financial institutions, including any “loan or finance company” to keep records and file reports that are deemed to have “a high degree of usefulness in criminal, tax, or regulatory investigations or proceedings, or in the conduct of intelligence or counterintelligence activities, including analysis, to protect against international terrorism.”

In the supplementary information to the Final Rule, the term loan or finance company “can reasonably be construed to extend to any business entity that makes loans to or finances purchases on behalf of consumers and businesses. Some loan and finance companies extend personal loans and loans secured by real estate, mortgages and deeds of trust, including home equity loans.”

The following constitutes these categorical definitions recognized by FinCEN:

Loan or Finance Company – A person engaged in activities that take place wholly or in substantial part within the United States in one or more of the capacities listed below, whether or not on a regular basis or as an organized business concern. This includes but is not limited to maintenance of any agent, agency, branch or office within the United States. The term “loan or finance company” shall include a sole proprietor acting as a loan or finance company, and shall not include: a bank, a person registered with and functionally regulated or examined by the SEC or the CFTC, any GSE regulated by the FHFA, any federal or state agency or authority administering mortgage or housing assistance, fraud prevention or foreclosure prevention programs, or an individual employed by a loan or finance company or financial institution. A loan or finance company is not a financial institution as defined in these regulations.

Residential Mortgage Lender – The person to whom the debt arising from a residential mortgage loan is initially payable on the face of the evidence of indebtedness or, if there is no such evidence of indebtedness, by agreement, or to whom the obligation is initially assigned at or immediately after settlement. The term “residential mortgage lender” shall not include an individual who finances the sale of the individual’s own dwelling or real property.

Residential Mortgage Originator – The person accepting a residential mortgage loan application, or offers or negotiates terms of a residential mortgage loan.

Residential Mortgage Loan – The loan that is secured by a mortgage, deed of trust or other equivalent consensual security interest on:

· A residential structure that contains 1-4 units, including (if used as a residence) an individual condominium unit, cooperative unit, mobile home or trailer; or

· Residential real estate upon which such a structure is constructed or intended to be constructed.

FinCEN interprets the term “loan or finance company” under the BSA to include any non-bank residential mortgage lenders and originators (i.e., “mortgage companies,” mortgage bankers or lenders,” and “mortgage brokers”) in the residential mortgage business sector.

In this article, I will provide a brief overview of but a few of the many salient features that should be expected in every AML Program.* To give you an idea of the size and complexity of a well-constructed AML Program, my firm’s AML Program is well over fifty pages – which consists of a policy statement and numerous appendices for applicable procedures. This should give you some idea of the depth and detail needed for properly implementing AML compliance. The absence of or any inaccuracies in required program components may indicate a defective policy and procedures – the very tools needed to assist in detecting and preventing money laundering or other illegal activities conducted through mortgage banking conduits.

Anti-Money Laundering Debuts for Nonbank Mortgage Companies

A new era in filing requirements is about to begin.* For the first time, the Financial Crimes Enforcement Network, known as “FinCEN,” will require nonbank mortgage lenders and originators to implement an Anti-Money Laundering program (“AML Program”) and file Suspicious Activity Reports (“SARs”) for certain loan transactions.[i] FinCEN is establishing this AML program in accordance with the Bank Secrecy Act (“BSA”).[ii] The guidelines relating to the AML requirement become effective on April 16, 2012, and the AML Program’s effective compliance date is August 13, 2012.[iii] The AML program and SAR filing regulations, which I will refer to as “FinCEN’s rule,” are considered to be “the first step in an incremental approach to implementation of regulations for the broad loan or finance company category of financial institutions.”[iv]

The Bank Secrecy Act defines the term "financial institution" to include, in part, a loan or finance company. This terminology, however, can reasonably be construed to extend to any business entity that makes loans to or finances purchases on behalf of consumers and businesses. Thus, nonbank residential mortgage lenders and originators, and mortgage brokers, are grouped into the "loan or finance company" category.[v] However, the term ‘‘loan or finance company’’ is actually not concisely defined in any FinCEN regulation, and there is no legislative history on the term itself. Nevertheless, FinCEN is applying this term to extend to any business entity that makes loans to or finances purchases on behalf of consumers and businesses. [vi] Therefore, residential mortgage lenders and originators (“RMLOs”) are covered by the scope of the ‘‘loan or finance company’’ term. I will use the acronym “RMLO” in this article, inasmuch as my principal focus herein relates to residential mortgage lenders and originators.

FinCEN can issue regulations requiring financial institutions to keep records and file reports that are determined to have a high degree of usefulness in criminal, tax, or regulatory investigations or proceedings, or in the conduct of intelligence or counterintelligence activities, including analysis, to protect against international terrorism. Federally regulated depository institutions have been required to have AML Programs,[vii] and now, as of the aforementioned effective compliance date, RMLOs must also comply with FinCEN’s regulations relating to implementing an AML Program and the filing of SARs.

Over the last few years,[viii] FinCEN has issued studies and analyses that used SARs to discover suspected mortgage fraud and money laundering that involved both banks and residential mortgage lenders and originators.[ix] According to FinCEN, these reports “underscore[d] the potential benefits of AML and SAR regulations for a variety of businesses in the primary and secondary residential mortgage markets.”[x]

Residential mortgage lenders and originators, the RMLOs, are considered to be the primary providers of mortgage finance, and have a unique position with respect to direct contact with the consumer. Thus, they are presumably able to assess and identify money laundering risks and fraud.[xi] At this time, FinCEN is not proposing a definition of “loan or finance company’’ that would encompass other types of consumer or commercial finance companies, or real estate agents and other entities involved in real estate closings and settlements.

In this article, I am going to unpack the AML Program for you in a way that will give you some familiarity with its scope, while perhaps also making its implementation a bit less daunting than it might otherwise seem to be. Nevertheless, many RMLOs will find that setting up the AML Program will be a challenging endeavor. Information, issuances, and relevant documentation are available in the FinCEN section of my firm’s website Library.

Please keep in mind that, as is the case with many applications of legal and regulatory compliance, there are aspects and nuances that will require recourse to a competent risk management professional to obtain comprehensive guidance and reliable information.[xii]

AML Program

Residential mortgage lenders and originators, the RMLOs, are required to establish an AML Program that includes, at a minimum:

(1) Development of internal policies, procedures, and controls.

(2) Designation of a compliance officer.

(3) Ongoing employee training program.

(4) Independent audit function to test for compliance.

To effectuate the AML Program, FinCEN has given a definition of an RMLO that is broad in scope and covers most nonbank residential mortgage originators.

The AML Program covers any business that, on behalf of one or more lenders, accepts a completed mortgage loan application, even if the business does not in any manner engage in negotiating the terms of a loan. Also covered are businesses that offer or negotiate specific loan terms on behalf of either a lender or borrower, regardless of whether they also accept a mortgage loan application.

Note that the word “accept” is intended to differentiate the FinCEN rule from the SAFE Act. FinCEN is ensuring that persons who either accept an application or offer or negotiate the terms of a loan are covered. Furthermore, the AML rule applies to residential mortgage originators, regardless of whether they receive compensation or gain for acting in that capacity.