Community Bank Compliance

Sunday, January 30, 2022

Banking as a Service

Implications for Community Banks

Part Three Choose Your Partner Wisely

For a community bank that is considering developing banking as s service, there are several issues to consider. While the overall public impression of banks and financial institutions took a major hit during the 2008 financial crisis, in large part, the damage was being slowly repaired. However, it is obvious that the relationship between financial institutions and the public has changed forever. Even before the coronavirus hit the economy, a broad wave of consumer distrust buffeted the banking industry's reputation. Let's face it, the current times are not exactly the best for the image of banks. In addition to the mortgage crisis, there have been several highly publicized scandals involving some of the larger and best-known banks.

As pointed out in Bankshot^{^[1]} banking journal- “What’s at stake? Customers have more choice than ever when it comes to where they do their banking, including from an increasing array of fintech competitors with arguably less cultural and emotional baggage than the traditional banking industry. Now, more than ever before, there are real alternatives to banking.

The need for nontraditional banking services is one of the main drivers of the financial technical “fintech” industry. Many bankers seem to understand that fintech companies present the possibilities for significant change in the industry. According to a survey conducted by PWC:

FinTech is a driver of disruption in the market. Financial Institutions are increasingly likely to lose revenue to innovators, with 88% believing this already is occurring. The perceived business at risk trend has continued to rise, to 24% on average this year among all sectors.
Incumbents are becoming more aware of the disruptive nature of FinTech, shown well by the fact that, in 2017, 82% of North American participants believe that business is at risk, up from 69% in 2016. Insights from PwC’s DeNovo also indicate that 30% of consumers plan to increase usage of non-traditional Financial Services providers and only 39% plan to continue to use only traditional Financial Services provider. In addition, asset backed lenders have largely increased their share of lending (the lending club and other peer-to- peer business).

Fintech companies have been in the business of designing products that address some of the concerns raised by the unbanked or underbanked. For example, speed of delivery, consideration of alternative means for credit underwriting and ease of delivery.

Despite the idea that fintech equals disruption, it doesn’t have to be a negative thing. Disruption often results in improvement in efficient and better service. In fact, there are several places where fintech companies and financial institutions, especially community banks have converging interests.

Community banks and credit unions have overall higher levels of trust and a better public image than their larger brethren. Because community banks are smaller, they are nimbler and making changes to products lines can happen quickly and in response to customer needs. The independent bankers association published the “Fintech strategy Roadmap in 2017” as a guide for the many opportunities that fintech companies can present. A summary of these opportunities includes;

Increased Operational Efficiency and Scale
Increased Access to Customers with a Younger Age Demographic
Increased Access to Loan Customers in New Markets
Enhanced Brand Reputation
Enhanced Customer Experience

Disruption is simply that- it doesn’t necessarily have to be a bad thing. In fact, disruption can result in greater efficiencies and more effective. Some good news, these companies have done all of the research and development work with venture capital funds! They have worked out a lot of the bugs that are usually part of delivery of a new product. Some more good news, these companies are burdened by a regulatory scheme that really limits them. That is that they are considered MSB’s and must get state licenses to operate in each state. Because of this, many FinTechs are looking for a partnership with a bank- in this way they get around the need for licenses.

Successful collaboration means having a risk assessment, strategic plan and most importantly, strong vendor management. The FDIC, the OCC and the FRB have all issued guidance on the proper way to administer vendor management. While the published guidance from each of these regulators its own idiosyncrasies, there are clear basic themes that appear in each. All of the guidance has similar statements that address the types of risk involved with third party relationships and all discuss steps for mitigating risks.

One of the considerations that are necessary is about what level of due diligence is required for a third-party contract. The level of due diligence is heavily impacted by determination of whether the activity being considered is a critical activity. The OCC guidance defines a critical activity as:

• Critical activities—significant bank functions (e.g., payments, clearing, settlements, custody) or significant shared services (e.g., information technology), or other activities that could cause a bank to face significant risk if the third party fails to meet expectations;

• Could have significant customer impacts require significant investment in resources to implement the third-party relationship and manage the risk;

• Could have a major impact on bank operations if the bank has to find an alternate third party or if the outsourced activity has to be brought in-house.^{^[2]}

The steps that are necessary for the proper engagement of a third party for a critical activity are discussed in each of the regulatory guidance documents that have been released. The OCC bulletin provides the most comprehensive list that includes:

• Relationship Plan: Management should develop a full plan for the type of relationship it seeks to engage. The plan should consider the overall potential risks, the manner in which the results will be monitored and a backup plan in case the vendor fails in its duties.

• Due Diligence: The bank should conduct a comprehensive search on the background of the vendor, obtain references, information on its principals, financial condition and technical capabilities. It is during this process that a financial institution can ask a vendor for copies of the results of independent audits of the vendor. There has recently been a great deal of attention given to the due diligence process for vendors. Several commenters and several banks have interpreted the guidance to require that bank research a vendor and all of its subcontractors in all cases. We do not believe that this is the intention of the guidance. It is not at all unusual for a third-party provider to use subcontractors. We believe that a financial institution should get a full understanding of how the subcontracting process works and consider that as part of the due diligence, however, it impractical to expect a bank to research the backgrounds of all potential subcontractors before engaging a provider.

• Risk Assessment: Management should prepare a risk assessment based upon the specific information gathered for each potential vendor. The risk assessment should compare the characteristics of the firms in a uniform manner that allows the Board to fully understand the risk associated with each vendor. ^{^[3]}

• Contract Negotiation: The contract should include all of the details of the work to be performed and the expectations of management. The contract should also include a system of reports that will allow the bank to monitor performance with the specifics of the contract. Expectations such as compliance with applicable regulations must be spelled out.

• Ongoing Monitoring: Banks must develop a program for ongoing monitoring of the performance of the vendor. We recommend that the monitoring program should include not only information provided by the vendor, but also internal monitoring including

• Customer complaints: Customer complaints are a direct indication of issues or problems within a program or product offering. A system that tracks complaints and their resolution is a critical component of evaluating the overall effectiveness of a program.

• Oversight and Evaluation: There should be a fixed period for evaluating the overall success and efficacy of the vendor relationship. The Board should, on a regular basis evaluate whether the relationship with the vendor is on balance a relationship with keeping.

[1] https://www.americanbanker.com/bankshot

[2] OCC BULLETIN 2013-29

[3] Ibid.

Sunday, January 23, 2022

Banking as a Service- Implications for Community Banks

Part Two- Technology is the Key

In the first blog in this series, we discussed the overall concept of Banking as a Service (“BaaS”). A recent Cornerstone Advisors survey of bank executives found that one in 10 banks is in the process of developing a BaaS strategy and another 20% are considering pursuing a BaaS strategy. This is only likely the beginning! There are a couple of major factors that are driving the need for BaaS.

First, as we noted in the first blog- cellphones are ubiquitous and as a result mobile banking applications are growing. In addition to that, the number of unbanked and underbanked households presents an opportunity. There is a huge pool of potential customers for financial institutions. This pool represents a large source of potential income that is untapped. The pool we are referring to is the large number of unbanked and underbanked households in the United States.

Who are the Unbanked and Underbanked?

The unbanked have no ties to an insured economic institution. Essentially, they have no checking or savings account and no debit or ATM card. Meanwhile, the underbanked do use some of these services – often a checking account – but they also used alternative financial options within the past year. This population has been estimated to be as many as 30 million people. Around 20 percent of Americans are underbanked, according to the FDIC, which means they have either a checking or savings account, though rarely both. Households are also usually given the underbanked distinction if they've used alternative financing options during the previous year, such as money orders or rent-to-own services. Around 67 million Americans are underbanked, or the equivalent of 24.5 million households, based on 2019 figures from the most up to date FDIC survey.[1]

Just as important as the number of people who are unbanked and underbanked are the reasons that they have limited contact with banks. The most recent FDIC study on the unbanked and underbanked was published in 2019. In the study, the main reasons for not having bank accounts included:

· Do not have enough money to keep in an account”.

· Don’t trust banks”

· Bank account fees are too high

· Bank account fees are unpredictable”

· Higher proportions of unbanked households that were not at all likely or not very likely to open a bank account in the next 12 months cited “Don’t trust banks” (36.2 and 31.5 percent, respectively) in 2019, compared with unbanked households that were somewhat likely or very likely to open a bank account in the next 12 months (24.7 and 21.0 percent, respectively).[2]

When we put this all together there is a huge market opportunity for banking as a service. This is where the FinTechs and banking comes together. And the way they do so is through technology; including API’s and BaaS infrastructure that allows for widespread adaptation of the products and services that are being designed and offered.

API’s

These are software programs called application programming interfaces. This is a fancy word for patches that allow different forms of data to recognize each other. In the real world an API is like the adapter that you put on a three-pronged plug to make it fit into two pronged outlets.

Financial API’s are specifically designed to allow financial data to be shared between entities that naturally would want to share data- for example, your bank account and Turbo Tax.

There are three types of API’s

· Internal – these generally don’t touch activity that is consumer facing. They are designed to help the flow of internal information with an organization

· Partner – these are API’s that connect to distinct businesses-organizations. These are the API’s that are most often used by banks that want to offer specific products and services

· Open- These are the applications that allow financial data to third party service providers. These are the applications that allow a person to be offered direct pay for bills and subscriptions

The development of API’s has made it possible for banks to apply technology that was unavailable in the past.

Infrastructure

These software platforms allow banks to take full advantage of API’s and to offer new and innovative products and services. Reasons why infrastructure is necessary include

· Costs of development

· Resources and organizations that are not designed for software development

· Technology that isn’t compatible

BaaS infrastructure providers have begun to ramp up their services – these will be needed partners as the industry develops. We will discuss the aspects of vendor management in a later blog.

[1] FDIC National Survey of Unbanked and underbanked Households

[2] Unbanked versus underbanked: Who they are and how they differ. Dec, 23, 2017 Waly Wojciechowski

Monday, January 17, 2022

Banking as a Service- What it means for Community Banking

Introduction

One of the hottest topics in the financial service industry todays is the development of the are called “Banking as a Service” (“BaaS”). Put in it most simple terms, BaaS is the combining of a financial services platform with digital access to a banking account. Banking as a Service platforms allow non-bank financial institutions to offer all kinds of financial products. You may have seen some of the products if you recently purchased an airline ticket, or large appliance. When you proceed to check out, you get a notice that you can (on approval), finance the purchase and pay installments rather than paying the whole price right away.

There are several firms that are no providing point of sale financing that allow for short term installment loans to pay for larger purchases. This is a form of BaaS.

For community banks, the growth of BaaS can present both an opportunity and a potential challenge. As an opportunity, BaaS presents the ability to reach out to a much larger number of customers who have been unbanked and underbanked and offer services and products at a reasonable cost.

FinTechs as the Basis for BaaS

We hear a lot about fintech companies financial technology, also known as FinTech, is a line of business based on using software to provide financial services. Financial technology companies are generally, startups founded with the purpose of disrupting incumbent financial systems and corporations that rely less on software.

The overall goal of Fintech companies include:

· Efficient and speedy delivery of funds

· Development of alternate means of solutions for ongoing problems

· Especially in the financial industry there are a lot of naysayers, but the fact of the matter is that there are structural reasons for the potential success of FinTechs. Underbanked and unbanked people represents a huge potential market. The FDIC produces a great deal of information about the unbanked and underbanked every two years. The study is called 2019 FDIC National Survey of Unbanked and Underbanked Households. As of 2019, the combined number of unbanked and underbanked was almost 30 million people.

Fintech companies are pointed directly at the needs of the underbanked and unbanked

· When thinking of a fintech, it is important to note that what they are trying to do is to get money to people is a manner that is both fast and cheap

· FinTechs are also working on ways to meet the needs of a large group of people who are outside of the banking industry

· Fintech companies understand that while not everyone has a banking account, mostly everyone has a cell phone or a similar electronic device

Using this technology, fintech companies are reducing the need for bank accounts. FinTech companies are really going after this population of people who for the most part are potential bank customers by providing solutions to problems that people have with banks. One of the things that Fintech companies have focused on are the many uses of the smartphone. For example, smartphones can be used for stored value. That is, just like a reloadable debit card, the smartphone can be used to reload value repeatedly. Fintech companies such as Zoom, Square and Amazon is making it possible to transfer funds and store funds. Other Fintech companies are changing the way that credit is underwritten. Fintech also has increased a small institutions ability to offer different products and services. As traditional means for profit become scarcer, Fintech opens the possibilities for additional income streams.

The 30 million people in the underbanked and unbanked populations are your potential customers! The statistics show that this group is getting younger and more internet savvy. The more that the customers use their smartphones, the less likely they are to rely on banks

Some examples of the many uses of a smartphone in the fintech industry includes the following:

· Stored Value - A stored-value the card is a payments card with a monetary value stored on the card itself, not in an external account maintained by a financial institution. Stored-value cards differ from debit cards, where the money is on deposit with the issuer, and credit cards which are subject to credit limits set by the issuer.

· APIs - An open API is a publicly available application programming interface that provides developers with programmatic access to a proprietary software application or web service. APIs are sets of requirements that govern how one application can communicate and interact with another.

· Nationwide Reach- Using data analytics, fintech companies can have access to customer behavior data and assist with marketing opportunities

For many of the unbanked, fintech companies represent a much-welcomed alternative to the use of high-cost check cashers. In addition, there are companies that are taking on Payday lenders who up to this point have not had a great deal of competition. One of the other things that these companies do is give financial institutions the ability to offer products and services

Information is power and even for a small institution, if you are unaware of what your customers want and are going to want in the future, it is a problem. The regulatory agencies that cover financial institutions have recognized this synergy and have issued guidance and taken steps that are designed to ease the process for relationships between financial institutions and Regtech companies. These included:

· Regulators are encouraging institutions to pool resources when it is feasible

· Joint Statement on Banks and Credit Unions Sharing Resources to Improve Efficiency and Effectiveness of Bank Secrecy Act Compliance was issued in October of 2018

· One of the main points of the statement is that there are ways that financial institutions can leverage what other banks or firms are doing

· Fintech companies have the ability to help in a number of ways. Some of these companies have developed programs that are help with analytics and security

· The Office of the Comptroller of the Currency has initiated the Fintech charter program that was designed to allow Fintech companies to have special banking powers. This charter has been called into question by a decision of a federal court that is now undergoing appeal.

Regardless of the outcome from the appeal of the Fintech charter, the regulatory agencies have noted that fintech and banking are a natural combination that will continue to grow and in scope and activity.

Sunday, August 1, 2021

BSA in a Fintech World

There are two areas that will always be among the “hot topics” when it comes to compliance. The first is an institutions’ system for compliance with the requirements of the Bank Secrecy Act/Anti-Money laundering (“BSA/AML”) laws. Regulated financial institutions have been well aware of the fact that a well-developed system for compliance is a critical component of ongoing operations. A second area that is becoming increasingly important is the use of technology to transact business by financial institutions. This area is often known as “fintech”. Although fintech is often a broadly used term, there are generally accepted definitions such this one offered by Fintech magazine:

Financial technology, also known as FinTech, is a line of business based on using software to provide financial services. Financial technology companies are generally startups founded with the purpose of disrupting incumbent financial systems and corporations that rely less on software.[1]

PayPal, Apple Pay and Venmo are just a few examples of popular software applications that allow consumers to transfer money to one another with a just a few relatively easy steps.

As the number of firms that offer variations of fintech transactions grow, so does the need for a financial institutions’ BSA/AML system to adapt.

The Heart of BSA/AML- CIP and KYC

Although there are numerous components that make up a strong and complete BSA compliance program, the heart of all programs is the ability of the financial institution to know complete information about its customers. The two components of the BSA program that perform this function are the Customer Identification program (“CIP”) and the Know Your Customer (“KYC”) programs. The CIP program is made up of the policies and procedures established by an institution for the purpose of collecting identifying information about their new customers. The FFIEC BSA manual details the requirements of the CIP regulation and notes that at a minimum, a financial institution must obtain the following information before opening an account:

· Name

· Date of birth for individuals.

· Address.

· Identification number.[2]

There are well established rules for the types of identification that are considered acceptable. The goal of the CIP program must be that a financial institution has to establish with a reasonable certainty that the person who is attempting to open an account is who they say they are. For business accounts, the requirements are the same although the form of identification takes on different forms e.g., name would be the legal name of a business and identification number would be the tax identification number.

Once the identity of a customer is established; the KYC portion of a compliance program comes into play. Depending on the types of transactions that the customer says that they will conduct additional information is necessary. For example, if the customer is a flower shop, then information about how long they have been in business, who their customers are, how the flowers are sold and the means for payment, etc. are all pieces of information that are necessary for a financial institution. Using this information, the financial institution can keep transactions conducted by the customer in context. In other words, if the flower shop sells mostly orchids, it is reasonable that there would be wires to regions of the country where orchids are grown.

It is through CIP and KYC that all of the information that gathered on a client is filtered. Individual transactions may or may not be considered suspicious based upon the KYC and CIP obtained about a client. Using the flower shop example above, wires or ACH activity to war-torn regions of the world would seem at least very unusual for orchids.

CIP and Unintended Consequences

The need for complete CIP and KYC has been at the heart of a delicate balancing act for financial institutions and the customers that they serve. The FDIC separates people who do not use banks to fully serve their financial needs into two distinct categories. The unbanked have no ties to an insured economic institution. Essentially, they have no checking or savings account and no debit or ATM card. Meanwhile, the underbanked do use some of these services – often a checking account – but they also used alternative financial options within the past year.

When customers are the “unbanked” and “underbanked” communities, the issue of complete documentation of identification can be tricky. These customers may not have complete or traditional documentation available. For many institutions, the clash between the desire to serve underbanked and unbanked and the need for complete documentation has created an unintended consequence. The law of unintended consequences is defined as:

The law of unintended consequences is the outgrowth of many theories, but was probably best defined by sociologist Robert K. Merton in 1936. Merton wrote …a treatise which covers five different ways that actions, particularly those taken on a large scale as by governments, may have unexpected consequences. These “reactions,” may be positive, negative or merely neutral, but they veer off from the intent of the initial action.”

In the case of BSA, the desire to monitor and mitigate risk had the unintended consequence of shutting out entire industries that often are critical to unbanked or underbanked communities. MSB’s such as combination grocery stores and check cashers often serve as the bank and remittance service for migrant workers and expatriates of other countries. When the local bank makes a decision to stop proving services to these entities, the customers of the MSB are forced into transactions with entities that are completely underground.

Fintech to the Rescue?

Fintech companies have developed many products that allow customers to have many of the same services and abilities as a bank account. Digital wallets for example, allow customers to receive payroll, reload debit cards, payment bills and purchase gift cards among other things. These platforms also allow customers to send wires, ACH’s or other transfers.

The very nature of fintech relationship is often that the customer and the provider are not in physical contact with one another. The identification process is completed through various means such as texts to telephones, IP address verification and scanned copies of documents. The ability of fintech companies to discern fraud and detect unauthorized use of an account has become increasingly adept.

The development of fintech products gives financial institutions that opportunity to reach out to customers that have been largely overlooked due to BSA/AML concerns. The time has come to reconsider the possibilities.

For a detailed review of how Fintech can improve overall Community Reinvestment Act performance, non-interest income and BSA/AML compliance please go to www.vcm4you.com and fill out the “Contact Us” form

[1] FinTech – A definition by FinTech Weekly https://www.fintechweekly.com/fintech-definition

[2] See FFIEC BSA examination manual – Customer Identification Program- Overview

Wednesday, July 28, 2021

Why ARE There BSA/AML Regulations?

As anyone in compliance can attest, there are myriad consumer compliance regulations. For financial institutions, these regulations are regarded as anything from a nuisance, to the very bane of the existence of banks. However, in point of fact, there are no bank consumer regulations that were not earned by misbehavior in the past. Like it or not these regulations exist to prevent bad behavior and/or to encourage certain practices. We believe that one of the keys to strengthening a compliance program is to encourage your staff to understand why these regulations exist and what it is the regulations are designed to accomplish. To further this cause, we have designed a series of blogs that from time to time throughout the year, will address these questions about various banking regulations. We call this series “Why is there….”

BSA- the Early Years-

Since the beginning of crime, there has been a need to hide the ill-gotten gains of criminal activity. Early bad guys held their loot in caves. Later, treasure chests provided a means of hiding criminal wealth. However, despite the form that ancient loot took, the goal was and has always been to reduce assets to currency so that it can be used in exchange for other goods and services. The need to take illicit assets or money and hide its source is known commonly as “money laundering”. Criminals of all sorts engage in money laundering and have become exceedingly sophisticated in their pursuit of hiding the sources and uses of their money.

Because the “bad guys’ continue to evolve, the history of the Bank Secrecy Act (“BSA”) and Anti-Money Laundering laws (“AML”) is one of ongoing change. The laws that make money laundering illegal can be traced back to the Bank Secrecy Act of 1970. Since the time the BSA was passed, there have been seven major legislative changes to the overall legislative scheme that covers this area. These changes are;

· Money Laundering Control Act (1986)

· Anti-Drug Abuse Act of 1988

· Annunzio-Wylie Anti-Money Laundering Act (1992)

· Money Laundering Suppression Act (1994)

· Money Laundering and Financial Crimes Strategy Act (1998)

· Intelligence Reform & Terrorism Prevention Act of 2004

· Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct terrorism

As technology has changed, so have the goals of many of the criminals that want to launder money. In addition to drug dealers, there are terrorists, human traffickers, politicians and embezzlers, all of whom are developing ways to hide their cash.

Money Laundering

What exactly is money laundering? Well, FinCEN, which is the federal agency that is specifically charged with monitoring and preventing money laundering defines it this way;

Money laundering is the process of making illegally-gained proceeds (i.e. "dirty money") appear legal (i.e. "clean"). Typically, it involves three steps: placement, layering and integration. First, the illegitimate funds are furtively introduced into the legitimate financial system. Then, the money is moved around to create confusion, sometimes by wiring or transferring through numerous accounts. Finally, it is integrated into the financial system through additional transactions until the "dirty money" appears "clean." Money laundering can facilitate crimes such as drug trafficking and terrorism, and can adversely impact the global economy.[1]

Put another way, when criminals conduct their business, they almost always do so in cash, for what should be obvious reasons. As early as the 1970’s federal regulators realized that without some regulatory help, financial institutions would be used as tools for disposing of the cash received from crimes. Criminals would simply deposit their money in the bank, wait a few days and then make legitimate withdrawals. Once the cash was co-mingled with other deposits, there would be no way to tell which money came from real legitimate effort and which was the result of crime.

Popular Schemes

Some of the more popular schemes for changing criminal cash into legitimate money include;

· Black Market Foreign Exchange: In this enterprise, all of the participants are breaking one law or another. On one end are importers of goods who do not want to pay the government rate for exchanging currency from US Dollars to the home currency (e.g. Peso’s). These importers make a deal with a broker who is willing to import goods illegally. The importer makes a deal with a criminal who has “dirty” US dollars. The importer uses the “dirty” money to buy US goods and ships them to his own country. The goods are then sold to the importers who pay the broker in local currency. The criminal gets his money back in Pesos that are now “clean”

· Investing in Legitimate Businesses: Here a criminal buys all or part of a legitimate business and simply mixes his cash in with the earnings of that business. This only works for business that already deal extensively in cash. This is why gas stations, casinos, bars and check cashing stores are considered “high risk” for money laundering. Because many professional service providers such as doctors and lawyers often take cash for payments, they are also considered “high risk”.

· Smurfing: Sometimes a criminal will get a number of people working together to break up his cash deposits into small amounts. This is called smurfing

· Structuring: This is by far and away the most frequent form of attempted laundering. Most people realize these days that a cash deposit above $10,000 has to be reported to the IRS. Criminals have for years, tried to get around this limit by making deposits of smaller amounts on subsequent days. This is called structuring

Over the years there have been many different schemes for trying to avoid detecting of money laundering. In fact, there are simply too many to list here. Suffice to say that there are criminal groups with nothing but money and time to try to figure out new and different ways to make “dirty” money clean.

What is the Money Used For?

There are many different uses for money once it has been laundered. Some of the more onerous uses include:

· Drug Dealing Activity

· Human Trafficking

· Terrorist financing

· Tax evasion

· Embezzlement

As you can see, money that is laundered is used to fund extreme criminal enterprises. This is why it critically important is that financial institutions do all that they can to lend a hand to legal authorities to stop money laundering.

Each of the changes in BSA/AML laws were designed to improve the overall monitoring of cash and cash equivalent transactions. For small financial institutions, the changes have been ongoing and significant. As the regulations changed, the expectations of the regulatory bodies evolved. Today, no self-respecting banker would consider operating without a full BSA/AML compliance program. Moreover, very few banks can get away with a manual system for tracking and aggregating the transactions of their customers. Today, a sound BSA/AML program includes software that helps bank staff aggregate and monitor transactions of its customers.

BSA/AML laws are really financial institution’s way of helping to keep the world a better, safer place.

[1] https://www.fincen.gov/news_room/aml_history.html “History of Money Laundering Laws”

Monday, June 8, 2020

BSA Risk Assessments-What’s the Point

For those of you who have experienced a BSA examination or audit, you know one of the first things you are asked for is your BSA/OFAC risk assessment. It has also likely been your experience to find a risk assessment deemed complete and not in need of some sort of enhancement is something of a “unicorn”. In most cases, examinations and audits include a comment discussing the need to expand the risk assessment and to include more detail. The detail required for a complete risk assessment is elusive at best. Often, the right information for the risk assessment fits the famous Supreme Court definition of pornography- “you know it when you see it”.

The FFIEC BSA manual is not exactly helpful when it comes to developing risk assessments. The manual directs every financial institution should develop a BSA/AML and an OFAC risk assessment. Unfortunately, the form the risk assessment should take, or the minimum information required are left as open questions for the financial institution. Thus, many financial institutions end up with a very basic document which has been developed to meet a regulatory requirement, but without much other meaning or use.

As financial institutions continue to change and the number of financial products and type of institutions offering banking services grows, the risk assessment can be something entirely different. Taking the approach that the risk assessment can be used to formulate both the annual budget request and the strategic plan can change the whole process.

The FFIEC BSA examination manual specifically mentions risk assessments in the following section:

“The same risk management principles that the bank uses in traditional operational areas should be applied to assessing and managing BSA/AML risk. A well-developed risk assessment assists in identifying the bank’s BSA/AML risk profile. Understanding the risk profile enables the bank to apply appropriate risk management processes to the BSA/AML compliance program to mitigate risk. This risk assessment process enables management to better identify and mitigate gaps in the bank’s controls. The risk assessment should provide a comprehensive analysis of the BSA/AML risks in a concise and organized presentation, and should be shared and communicated with all business lines across the bank, board of directors, management, and appropriate staff; as such, it is a sound practice that the risk assessment be reduced to writing” [1]

This preamble has several important ideas in it. The expectation is, management of an institution can identify:

Who its customers are: including the predominant nature of the customer base- are you a consumer institution or a commercial at your core? Who are the customers you primarily serve?

What is going on in your service area: Is it a high crime area or a high drug-trafficking area, both or neither? The expectation is you will know the types of things, both good and bad going on around you. For example, if you live in an area where real estate is extremely high cost, there might be several “bad guys” buying property for cash as a means of laundering money. The point is you need to know what is going on around you at all times.

Where are the outlier customers: Do you know which types of customers who require being watched more than others? There are some customers who, by the nature of what they do, require more observation and analysis than others. The question is, have you identified these high-risk customers?

How well are you set up to monitor the risks at your institution: Do you have systems in place are up to the task to discover “bad things” going? Does the software you use really help the monitoring process? This analysis should consider whether the staff you have truly understand the business models your customers are using. For example, if your customer base includes Money Service Businesses, do you have staff in place who know how money services business work and what to look for? The best software in the world is ineffective if the people reading the output are not familiar with what normal activity at an MSB.

Ties to the strategic plan: Does the BSA program have the resources to match changes in products or services planned for the institution? For example, if the institution plans to increase the number of accounts offered to the money services business, does the BSA department have an increase in staff included in its budget?

Effective Risk Management

The information and conclusions developed in the risk assessment should be used for planning the year for the BSA/AML compliance program. The areas with the greatest areas of risk should also be the same areas with the greatest dedicated resources. Independent audits and reviews should be directed to areas of greatest risk. For example, if there are many electronic banking customers at the institutions while almost no MSB’s, then the audit scope should presumably focus on the electronic banking area and give MSB’s a limited review. In addition, training should focus on the BSA/AML risks associated with electronic banking, etc.

Rethinking the Risk Assessment Process

Continued development of new products and processes in finance and technology (“fintech”) and BSA/AML have opened the possibility of a vast array of potential new products for financial institutions. Products such as digital wallets and stored value on smartphones have opened new markets for people who have been traditionally unbanked and underbanked. Financial institutions which are forward thinking should consider the possibility some of these new products have the potential to enhance income.

The ability to safely and effectively offer new products depends heavily on the ability of the compliance department to fully handle the regulatory requirements of the products. When preparing the risk assessment, consider the resources necessary to offer new and (money making products).

There are no absolute prohibitions against banking high risk clients

Per the FFIEC BSA Examination manual higher risk accounts are defined as:

“Certain products and services offered by banks may pose a higher risk of money laundering or terrorist financing depending on the nature of the specific product or service offered. Such products and services may facilitate a higher degree of anonymity, or involve the handling of high volumes of currency or currency equivalents” ^[2]

The Manual goes on to detail several other factors which should be considered when monitoring high risk accounts. We note the manual does not conclude high risk accounts should be avoided.

The BSA/AML examination manual (“exam manual”) establishes the standard for providing banking services to clients who may have a high risk of potential money laundering. Financial institutions are expected to:

1. Conduct a risk assessment on each of these clients,

2. Consider the risks presented

3. Consider the strengthening of internal controls to mitigate risk

4. Determine whether the account(s) can be properly monitored and administrated;

5. Determine if the risk presented fits within the risk tolerance established by the Board of Directors.

Once these steps are followed to open the account, for high risk customers, there is also an expectation there will be ongoing monitoring of the account for potential suspicious activity or account abuse. The exam manual is also clear; once a procedure is in place to determine and properly mitigate and manage risks, there is no prohibition against having high risk customers. The risk assessment section of the exam manual notes the following:

“The existence of BSA/AML risk within the aggregate risk profile should not be criticized as long as the bank’s BSA/AML compliance program adequately identifies, measures, monitors, and controls this risk as part of a deliberate risk strategy.”^[3]

Once an account has been determined to be high risk, and an efficient monitoring plan has been developed, there can be various levels of what high risk can mean. When a customer’s activity is consistent with the parameters which have been established and have not varied for some time, then account can technically be high risk but not in practice. For example, Money Services Businesses are considered “high-risk” because they fit the definition from the FFIEC manual. However, a financial institution can establish who the customers of the MSB are and what they do. A baseline for remittance activity, check cashing and deposits and wire activity can be established. If the MSB’s activity meets the established baseline, the account remains “high risk” only in the technical meaning of the word. Knowing what the customers’ business line is and understanding what the customer is doing as they continue without much variation reduces the overall risk.

Sunday, May 3, 2020

Using Fintech to Offer New Products- a Three-Part series

Part Two- Fintech is Here to Stay

While the overall public impression of banks and financial institutions took a major hit during the 2008 financial crisis, in large part, the damage was being slowly repaired. However, it is obvious that the relationship between financial institutions and the public has changed forever. Even before the coronavirus hit the economy, a broad wave of consumer distrust buffeted the banking industry's reputation over the past year, bringing an end to a run of positive change in public perception in the years after the financial crisis, according to the annual American Banker/Reputation Institute. Let's face it, the current times are not exactly the best for the image of banks. In addition to the mortgage crisis, there have been several highly publicized scandals involving some of the larger and best-known banks. The rollout of the current economic stimulus plan has had mixed results at best. Even though many of these things go through cycles and the conventional wisdom is that “it will all blow over”, the current times are somewhat different

As pointed out in Bankshot[1] banking journal- “What’s at stake? Customers have more choice than ever when it comes to where they do their banking, including from an increasing array of fintech competitors with arguably less cultural and emotional baggage than the traditional banking industry. Now, more than ever before, there are real alternatives to banking.

Most of these alternatives are being provided by financial technology companies AKA FinTechs. As we noteddin the first part of this series, there is a huge potential pool of customers that FinTechs have been designed to meet; the unbanked and underbanked.

The FDIC conducts a study of the number of households that are underbanked and unbanked in the Us every two years. The most recent study was conducted in 2017. The highlights from this study are as follows:

· In 2017, 6.5 percent of U.S. households were “unbanked,” meaning that no one in the household had a checking or savings account. Approximately 8.4 million U.S. households, made up of 14.1 million adults and 6.4 million children, were unbanked in 2017.2 An additional 18.7 percent of U.S. households were “underbanked” in 2017, meaning that the household had an account at an insured institution but also obtained financial products or services outside of the banking system.

· Specifically, a household is categorized as underbanked if it had a checking or savings account and used one of the following products or services from an alternative financial services (AFS) provider in the past 12 months: money orders, check cashing, international remittances, payday loans, refund anticipation loans, rent-to-own services, pawn shop loans, or auto title loans. Approximately 24.2 million U.S. households, composed of 48.9 million adults and 15.4 million children, were underbanked in 2017.

The survey points out that a large portion of the population in this survey are turning to alternative financial institutions for their banking need. The need for nontraditional banking services is one of the main drivers of the financial technical “fintech” industry. Many bakers seem to understand that fintech companies present the possibilities for significant change in the industry. According to a survey conducted by PWC:

· FinTech is a driver of disruption in the market. Financial Institutions are increasingly likely to lose revenue to innovators, with 88% believing this already is occurring. The perceived business at risk trend has continued to rise, to 24% on average this year among all sectors.

· Incumbents are becoming more aware of the disruptive nature of FinTech, shown well by the fact that, in 2017, 82% of North American participants believe that business is at risk, up from 69% in 2016. Insights from PwC’s DeNovo also indicate that 30% of consumers plan to increase usage of non-traditional Financial Services providers and only 39% plan to continue to use only traditional Financial Services provider. In addition, asset backed lenders have largely increased their share of lending (the lending club and other peer-to- peer business).

Community banks and credit unions have overall higher levels of trust and a better public image than their larger brethren. Because community banks are smaller, they are more nimble and making changes to products lines can happen quickly and in response to customer needs. The independent bankers association published the “Fintech strategy Roadmap in 2017” as a guide for the many opportunities that fintech companies can present. A summary of these opportunities includes;

o Increased Operational Efficiency and Scale

o Increased Access to Customers with a Younger Age Demographic

o Increased Access to Loan Customers in New Markets

o Enhanced Brand Reputation

o Enhanced Customer Experience

In Part Three, we will discuss best practices for partnering with Fintech Companies

***For More Information on FinTech’s and Financial Institutions visit www.VCM4you.com***

[1] https://www.americanbanker.com/bankshot