No Result
View All Result
SUBSCRIBE | NO FEES, NO PAYWALLS
MANAGE MY SUBSCRIPTION
NEWSLETTER
Corporate Compliance Insights
  • Home
  • About
    • About CCI
    • Writing for CCI
    • NEW: CCI Press – Book Publishing
    • Advertise With Us
  • Explore Topics
    • See All Articles
    • Compliance
    • Ethics
    • Risk
    • FCPA
    • Governance
    • Fraud
    • Internal Audit
    • HR Compliance
    • Cybersecurity
    • Data Privacy
    • Financial Services
    • Well-Being at Work
    • Leadership and Career
    • Opinion
  • Vendor News
  • Career Connection
  • Events
    • Calendar
    • Submit an Event
  • Library
    • Whitepapers & Reports
    • eBooks
    • CCI Press & Compliance Bookshelf
  • Podcasts
  • Videos
  • Subscribe
  • Home
  • About
    • About CCI
    • Writing for CCI
    • NEW: CCI Press – Book Publishing
    • Advertise With Us
  • Explore Topics
    • See All Articles
    • Compliance
    • Ethics
    • Risk
    • FCPA
    • Governance
    • Fraud
    • Internal Audit
    • HR Compliance
    • Cybersecurity
    • Data Privacy
    • Financial Services
    • Well-Being at Work
    • Leadership and Career
    • Opinion
  • Vendor News
  • Career Connection
  • Events
    • Calendar
    • Submit an Event
  • Library
    • Whitepapers & Reports
    • eBooks
    • CCI Press & Compliance Bookshelf
  • Podcasts
  • Videos
  • Subscribe
No Result
View All Result
Corporate Compliance Insights
Home Compliance

Five Things to Consider For Non-Bank AML Policies

Some Measures Require Customization to Fit Specific Non-Bank Financial Institutions

by Matthew Bisanz and Brad Resnikoff
March 9, 2022
in Compliance, Financial Services
ladders are mismatched to reach certain clouds

Many AML frameworks are designed specifically for banks. If your non-bank organization is required to conduct AML compliance, but follows a bank-tailored policy, it can lead to numerous missteps and potential regulator scrutiny. 

For many years, the US Financial Crimes Enforcement Network (FinCEN) has imposed anti-money laundering compliance obligations on certain financial institutions. For these purposes, covered financial institutions include a range of non-banking entities, such as residential mortgage originators and lenders, money services businesses (MSBs), securities broker-dealers, and dealers in previous metals and gems.

We are often asked to review the policies and procedures that are used by non-bank financial institutions to comply with AML obligations. These reviews may be in relation to an investment by a third-party, an examination by state regulators, a secondary market transaction or a licensing application, and may be used to assess or enhance compliance efforts. 

Over the years, we have noticed recurring themes in AML policies at nonbank financial institutions. Five of the most notable themes are:

1. Choose the Right Starting Point

Financial institutions are required to maintain an AML compliance program comprised of written policies, procedures and processes. A quick internet search will reveal many templates and models of AML policies. Many non-bank institutions will download or purchase an AML template without considering whether it is appropriate for their particular business. This can lead to policies that describe products the financial institution does not and cannot offer and refer to requirements and forms that are irrelevant to the institution’s business. For example, MSB and residential mortgage loan originators offer entirely different products and services and are subject to different AML obligations, but may purchase the same AML template. This quickly becomes evident if a loan originator has an AML policy that discusses how it files “Form SAR-MSB” for suspicious money services activity. 

FinCEN regulates almost a dozen different types of financial institutions, each with its own AML requirements. State regulators also may examine nonbank financial institutions for compliance with FinCEN’s regulations. Therefore, financial institutions should ensure that they start with an AML template that is relevant for their business.

2. Tailor a Risk-Based Compliance Program

Financial institutions are required to adopt risk-based programs to satisfy their AML compliance obligations. In part, this means that AML compliance activities should be tailored to the specific characteristics of an institution’s business. For example, manual monitoring processes to identify suspicious activity may be sufficient for a smaller institution with “lumpy” transactions that are manually executed by individuals, such as with some residential mortgage loan originators. However, as an institution grows its business and begins to automate parts of transactions, it becomes harder to justify manual monitoring. This is particularly true if transaction volume is large and mostly automated, such as with some money services businesses.

AML policies should be tailored to reflect an appropriate risk-based compliance program. This may mean starting with a policy that describes manual monitoring activities and revising it over time as the institution adopts automated compliance controls. 

3. Understand What You Are Including and Why

Sometimes a non-bank institution will engage in AML compliance activities even if it is not legally required to do so. For example, an investor may require a MSB to adopt a bank-like AML compliance program as a condition of its investment. Or a residential mortgage lender may comply with the customer identification program requirements to make it easier to sell mortgages to a bank partner or in the secondary market. 

However, a financial institution should understand which compliance activities are legally required versus those that it has contractually agreed to perform, and should document that understanding. If an AML policy says that a financial institution does X, independent testers and government examiners will expect it to always do X, even if it is not legally required to do so. This can transform a breach of contract into an exam finding or enforcement penalty.

Furthermore, some AML provisions are not amenable to voluntary compliance. For example, the customer information program requirements require certain financial institutions to provide customers with adequate notice and include model language that states: “Federal law requires all financial institutions …” That language would be inappropriate for an institution to give to customers if it is complying with the customer information program requirements solely to enhance the secondary market for the product. 

Therefore, it is important for financial institutions to understand which items actually belong in its AML policy and avoid the tendency toward over-inclusion. 

4. Include Recordkeeping and Confidentiality Provisions

Two key items that can be easily overlooked in the AML compliance policy of a non-bank financial institution are recordkeeping and confidentiality requirements. FinCEN has established detailed recordkeeping requirements for non-bank financial institutions and generally requires institutions to maintain required records for at least five years. States also may impose recordkeeping requirements for AML-related records. Compliance with these requirements can be a challenge for smaller, nonbank financial institutions that may lack dedicated recordkeeping systems for AML compliance, particularly if these requirements are not mentioned in its AML policy.

FinCEN also requires financial institutions to maintain the confidentiality of suspicious activity reports. This has been one of its highest priority issues for many years, yet it can be easily overlooked in AML policies, particularly by nonbank financial institutions that infrequently file suspicious activity reports. However, it can quickly become a significant problem if a non-bank’s partner or counter party requests such reports or a non-bank files a report regarding insider misconduct and the insider becomes aware of the filing.

Therefore, AML policies should clearly describe all of the recordkeeping obligations that apply to a non-bank financial institution. Further, they should explain how the institution will maintain the confidentiality of any suspicious activity reports that it may file. 

5. Ensure Sufficient Prominence

FinCEN and state regulators generally expect the AML compliance function to have a prominent role within a financial institution. This means that senior management and the board of directors generally should be involved in the initial approval of an AML policy and should receive periodic or annual reports on significant AML issues, including compliance failures, corrective actions and policy revisions. 

Non-bank financial institutions may fail to give the AML compliance function sufficient prominence, particularly if escalation paths and reporting cadence are not defined in an AML policy. For example, an examiner may criticize an AML policy that designates a junior compliance officer as the (statutorily-mandated) AML compliance officer because that individual cannot escalate matters to the board’s attention. Similarly, an examiner may criticize a smaller, non-bank financial institution for dual-hatting an individual as the AML compliance officer if the person’s other role precludes them from devoting sufficient time to AML compliance. Without the compliance rails of an AML policy, it is easy to overlook annual reporting obligations.

Therefore, AML policies should define appropriate escalation paths to ensure that senior management and the board are made aware of significant AML compliance issues. The specific path and content will vary based on the institution’s risk profile (e.g., smaller institutions may have the board review every suspicious activity report, while larger institutions may provide quarterly reports of highlights or trends). However, it is important that the policy both empowers the AML compliance officer to report significant issues and assigns them with responsibility for reporting at appropriately defined intervals.

Conclusion

AML compliance is not easy, particularly for non-bank financial institutions that typically have fewer resources to devote to it. It may seem appealing to purchase a policy from the internet and slap a logo on the cover. However, FinCEN and state regulators are increasingly focusing on AML compliance at non-bank financial institutions. Therefore, compliance officers should periodically review their existing AML policies for the issues described in this article, tune their risk assessments to identify new gaps and new issues, and consider retaining external counsel to review the sufficiency of that policy.


Tags: AMLFinancial Crimes Enforcement Network (FinCEN)
Previous Post

How Criminal Actors Learned the Art of Cyber Warfare from Nation State Hackers

Next Post

How Corporate Malfeasance Takes Root, According to Whistleblower and Embezzler Mark Whitacre

Matthew Bisanz and Brad Resnikoff

Matthew Bisanz and Brad Resnikoff

BisanzMatthew Bisanz is a partner in Mayer Brown’s Financial Services Regulatory & Enforcement practice. He advises financial institutions on all major aspects of the operations of an insured depository institution, its affiliates, and its partners. He also counsels financial institutions on complex risk management and compliance issues, including anti-money laundering requirements and the OCC’s Heightened Standards. Matt is a certified public accountant and vice-chair of the American Bar Association’s subcommittee on banking legislation and regulation.
resnikoffBrad Resnikoff is a partner in Mayer Brown’s Financial Services Regulatory & Enforcement practice. He represents non-US and domestic financial institutions in significant multi-jurisdictional civil, criminal, and regulatory proceedings.  Brad has extensive knowledge of financial crimes law and regulation, including anti-money laundering, economic sanctions, criminal tax evasion, and anti-bribery and corruption.  Brad also develops investigation strategy and manages internal investigations to assess allegations of misconduct, manage risk, and advise on legal strategies with regulators, law enforcement, and partner institutions.

Related Posts

Phaxis 100 dollars

AML & KYC: Addressing Key Challenges for 2023 and Beyond

by Alex Roberto
March 16, 2023

(Sponsored) In today’s world, financial criminals are often a step ahead of regulators and financial institutions who struggle to effectively...

Paul Weiss Economic Sanctions and AML Developments 2022_f

Economic Sanctions and AML Developments

by Corporate Compliance Insights
March 15, 2023

Sanctions start high and stay high 2022 Year in Review Economic Sanctions and AML Developments What’s in this report from...

money laundering concept

It Takes a Village: Preventing FinCrime Means Everybody Needs Skin in the Game

by Samar Pratt
March 15, 2023

Banks bear the brunt of consequences for financial crimes amid a huge increase in anti-money laundering fines in 2022, making...

russia sanctions

Why Russian Sanctions Require Compliance Teams to Take a Fresh Look at KYC Procedures

by Rory Doyle
February 15, 2023

The Russian invasion of Ukraine continues with no signs of a resolution, and along with the protracted conflict, the U.S....

Next Post
Roots extend from the office chair in which a shadowy man sits.

How Corporate Malfeasance Takes Root, According to Whistleblower and Embezzler Mark Whitacre

Compliance Job Interview Q&A

Jump to a Topic

AML Anti-Bribery Anti-Corruption Artificial Intelligence (AI) Automation Banking Board of Directors Board Risk Oversight Business Continuity Planning California Consumer Privacy Act (CCPA) Code of Conduct Communications Management Corporate Culture COVID-19 Cryptocurrency Culture of Ethics Cybercrime Cyber Risk Data Analytics Data Breach Data Governance DOJ Download Due Diligence Enterprise Risk Management (ERM) ESG FCPA Enforcement Actions Financial Crime Financial Crimes Enforcement Network (FinCEN) GDPR HIPAA Know Your Customer (KYC) Machine Learning Monitoring RegTech Reputation Risk Risk Assessment SEC Social Media Risk Supply Chain Technology Third Party Risk Management Tone at the Top Training Whistleblowing
No Result
View All Result

Privacy Policy

Founded in 2010, CCI is the web’s premier global independent news source for compliance, ethics, risk and information security. 

Got a news tip? Get in touch. Want a weekly round-up in your inbox? Sign up for free. No subscription fees, no paywalls. 

Follow Us

Browse Topics:

  • CCI Press
  • Compliance
  • Compliance Podcasts
  • Cybersecurity
  • Data Privacy
  • eBooks Published by CCI
  • Ethics
  • FCPA
  • Featured
  • Financial Services
  • Fraud
  • Governance
  • GRC Vendor News
  • HR Compliance
  • Internal Audit
  • Leadership and Career
  • On Demand Webinars
  • Opinion
  • Resource Library
  • Risk
  • Uncategorized
  • Videos
  • Webinars
  • Well-Being
  • Whitepapers

© 2022 Corporate Compliance Insights

No Result
View All Result
  • Home
  • About
    • About CCI
    • Writing for CCI
    • NEW: CCI Press – Book Publishing
    • Advertise With Us
  • Explore Topics
    • See All Articles
    • Compliance
    • Ethics
    • Risk
    • FCPA
    • Governance
    • Fraud
    • Internal Audit
    • HR Compliance
    • Cybersecurity
    • Data Privacy
    • Financial Services
    • Well-Being at Work
    • Leadership and Career
    • Opinion
  • Vendor News
  • Career Connection
  • Events
    • Calendar
    • Submit an Event
  • Library
    • Whitepapers & Reports
    • eBooks
    • CCI Press & Compliance Bookshelf
  • Podcasts
  • Videos
  • Subscribe

© 2022 Corporate Compliance Insights

Welcome to CCI. This site uses cookies. Please click OK to accept. Privacy Policy
Cookie settingsACCEPT
Manage consent

Privacy Overview

This website uses cookies to improve your experience while you navigate through the website. Out of these, the cookies that are categorized as necessary are stored on your browser as they are essential for the working of basic functionalities of the website. We also use third-party cookies that help us analyze and understand how you use this website. These cookies will be stored in your browser only with your consent. You also have the option to opt-out of these cookies. But opting out of some of these cookies may affect your browsing experience.
Necessary
Always Enabled
Necessary cookies are absolutely essential for the website to function properly. These cookies ensure basic functionalities and security features of the website, anonymously.
CookieDurationDescription
cookielawinfo-checbox-analytics11 monthsThis cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checbox-functional11 monthsThe cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checbox-others11 monthsThis cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-necessary11 monthsThis cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-performance11 monthsThis cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
viewed_cookie_policy11 monthsThe cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.
Functional
Functional cookies help to perform certain functionalities like sharing the content of the website on social media platforms, collect feedbacks, and other third-party features.
Performance
Performance cookies are used to understand and analyze the key performance indexes of the website which helps in delivering a better user experience for the visitors.
Analytics
Analytical cookies are used to understand how visitors interact with the website. These cookies help provide information on metrics the number of visitors, bounce rate, traffic source, etc.
Advertisement
Advertisement cookies are used to provide visitors with relevant ads and marketing campaigns. These cookies track visitors across websites and collect information to provide customized ads.
Others
Other uncategorized cookies are those that are being analyzed and have not been classified into a category as yet.
SAVE & ACCEPT