Remote Deposit Capture Money Laundering Risks - Weebly


Remote deposit capture money laundering risks

#1308862 - 12/17/09 11:02 PM How Remote Repository Capture Affects AML Concern
Power Poster Joined: June 2001 Posts: 8,272 Where the heart is

BTW - can anyone outline exactly how catching remote deposits has an increased risk of money laundering versus having their customer support in the merchant window with 500 checks to deposit? And I'm talking about money laundering risks – not the risks of fraud (i.e. fake checks and double dipping) since you're going to find out about fraudulent deposits very quickly while true money laundering takes time to detect.

#1308884 - 12/17/09 11:41 PM Re: Updated exam manual BSA / AML? [Re: Princess Romeo]
10K Club Joined: Jul 2001 Posts: 74,836 Galveston, TX

Because you don't have an ATM flipping and checking the items deposited.

#1308898 PPDocs.com [Re: rlcarey]
Power Poster Joined: June 2001 Posts: 8,272 Where the heart is

Right - (and big whop-de-do) I understand that from a fraud perspective, but how would DRC afford real money laundering that would be different from having items deposited in the merchant cage or drop at night? Again – I'm not talking about the risk that someone may perpetrate a fraud – that is fraud prevention that is a different animal than seeking money laundering from, say, trading maryjane. How can someone set up an effective anti-money laundering program for DRC if there is no measurable difference in what a whitener can do if they were in their lobby. It's not like they can deposit cash through DRC - is it? Just saying'

#1308936 - 12/18/09 03:58 Re: Updated BSA / AML exam manual? [Re: Princess Romeo]
10K Club Joined: Jul 2001 Posts: 74,836 Galveston, TX

For example, if no one is looking at deposits, they could be laundering checks for other depositors or money order laundering, etc. While the risk may not be greater, you'd be surprised at the number of banks I visit that have never reviewed a DRC deposit since its launch.

#1309429 PPDocs.com PM How Does AML Remote Deposit Capture Affects [Re: rlcarey]
Power Poster Joined: June 2001 Posts: 8,272 Where the Heart Is

Right – which makes more sense to me and just means that banks need to treat a DRC deposit like any other deposit activity would. Would a DRC capture routing numbers so someone could quickly see if an extraordinary number of items were being deposited with the same routing number? As for the bleaching controls of other depositors, I'm not sure if the actual risk would be greater with DRC than it would be with bulk deposits made nightfall or the merchant's ATM. For me, the biggest risk with DRC is the potential for fraud.

#1309520 - 12/18/09 07:30 PM Re: How it affects the capture of remote AML deposits concern [Re: Princess Romeo]
10K Club Joined: Jul 2001 Posts: 74,836 Galveston, TX

I disagree with this statement (fraud) at all and I strongly agree. However, even with the fall of the night and the cashier trading, it must physically pass through someone's hands. As I said before, you'd be surprised how many banks don't routinely review DRC deposits.

#1310062 PPDocs.com PM Re: How capturing remote repositories affect AML concern [Re: rlcarey]
Diamond Poster Joined: June 2004 Posts: 1,927 New York

To mitigate ML and DRC fraud risks someone must review all items deposited in the same way as they would if they were received in person.

#1377011 - 04/20/10 01:31 PM Re: How remote deposit capture affects AML concern [Re: devsfan]
Gold Star Joined: September 2009 Posts: 296

Kiting through DRC can also easily go unnoticed if there is no routine deposit check. It happened here.

#1377434 - 04/20/10 06:45 PM Re: How it affects the capture of remote repositories AML concern [Re: drewella]
Member Joined: Nov 2005 Posts: 85

Although I would agree that fraud appears to be the greatest risk, there is some risk of ML with DRC deposits.
For example, it would be very easy for a company to deposit a stack of consecutively numbered monetary instruments through DRC and avoid detection. As noted in Wachovia's recent action, when non-US financial institutions may use DRC, ML risks are similar to those of stock market activity.

Remote Deposit Capture (DRC), the digital processing of paper checks and monetary instruments in remote locations for deposit and clearing through the check (image) or ACH networks, has expanded rapidly in recent years and is being used in financial institutions and customer locations. Although taking deposits remotely is not a new activity, DRC should be seen as a new delivery system and not simply as a new service. Before implementing DRC, senior management must identify and evaluate the legal, compliance, reputation and operational risks associated with the new system. They must ensure that DRC is compatible with the bank's business strategies and understand the return on investment and management's capacity to manage the risks inherent in DRC. Management must incorporate its assessments of DRC systems, including products and services, into existing risk assessment processes.

With DRC, the depository and collecting financial institutions can choose to send or accept a substitute check or participate in electronic check presentment (ECP), where the data and images captured from the original checks are used to complete payment transactions. DRC includes the capture of deposits at the financial institution's ATM line and in back-room processing, at ATMs and in customer locations. DRC in customer locations allows the customer to make deposits by scanning items in their own facilities and sending the image of the deposit item for processing through check clearing networks, or simply sending deposit data for processing and clearing through the ACH network.
RDC may also include electronically capturing deposit information made up of cash or other items such as electronic deposits made through a remote custody agreement at the customer's location or through another intermediary.

Financial institutions have greater control over DRC activities deployed in fully owned or controlled locations. Depending on the DRC configuration used and customer operations, DRC in a client location increases the legal, compliance and operational risks of the financial institution to varying degrees. The legal and compliance risks could be significant depending on the effectiveness of the controls and the legal agreements being deed. The use of DRC by clients of international correspondents is increasing. DRC is effectively replacing the activity of the correspondent cash card bag. BSA/AML controls on DRC bag activity must also cover DRC and should be commensurate with increased volumes.

Operational risks to the customer's location include unauthorized access to technological systems and electronic data images, inability to maintain system compatibility with financial institution systems, ineffective controls on physical deposit management and storage procedures, inadequate record retention programs, and exposure to money laundering and fraud. The TD Manual Management Brochure and the FFIEC Bank Secrecy Act/Anti-Money Laundering (BSA/AML) Examination Manual provide additional descriptions of risk management processes.

Goal. Evaluate the adequacy of the bank's systems to manage the risks associated with electronic banking customers, including remote deposit capture (DRC) activity, and the management capacity to implement effective monitoring and reporting systems.

Electronic banking systems, which provide electronic delivery of banking products to customers, include automated teller machine (ATM) operations; opening of online accounts; Internet banking operations; telephone banking.
For example, credit cards, deposit accounts, mortgage loans, and fund transfers can be started online, without face-to-face contact. Management must recognise this as a potentially higher risk area and develop appropriate policies and procedures for the identification and monitoring of customers for specific areas of banking. See the basic examination procedures, Customer Identification Program (CIP), page 53, for further guidance. Additional information on electronic banking is available in the FFIEC's information technology examination manual. 197 Refers to FFIEC Information Technologies Manual.

Risk factors

Banks must ensure that their monitoring systems properly capture electronic transactions. As with any account, they should be alert to anomalies in account behavior. Red flags can include the speed of funds in the account or, for ATMs, the number of debit cards associated with the account. Accounts that are opened without face-to-face contact may carry an increased risk of money laundering and terrorist financing for the following reasons:
- It is harder to positively verify the identity of the individual.
- The customer may be outside the bank's geographical area or target country.
- The customer may perceive transactions as less transparent.
- Transactions are snapshots.
- It can be used by an unknown front or third company.

Risk mitigation

Banks must establish BSA/AML monitoring, identification and reports for unusual and suspicious activities that occur through electronic banking systems. Useful MIS for detecting unusual activity instead of higher risk include ATM activity reports, fund transfer reports, new account activity reports, changing Internet address reports, Internet Protocol (IP) address reports, and reports to identify related or linked accounts (e.g., common addresses, phone numbers, email addresses, and taxpayer identification numbers). When determining the level of follow-up required for an account, banks must include how the account was opened as a factor.
Banks involved in internet transactional banking must have effective and reliable methods to authenticate a customer's identity when opening online accounts and must set policies for when a customer should be required to open accounts in person. 198 For additional information, see Authentication in an Internet banking environment, issued by the FFIEC, October 13, 2005. Banks can also institute other controls, such as setting transaction dollar limits for large items, requiring manual intervention to exceed the preset limit.

Remote Deposit Capture

Remote Deposit Capture (DRC) is a deposit transaction delivery system that has made processing checks and monetary instruments (e.g. traveler checks or monetary orders) more efficient. Generally speaking, DRC allows customers of a bank to scan a check or monetary instrument, and then transmit the scanned or digitized image to the entity. Scanning and streaming activities occur in remote locations including branches, ATMs, domestic and foreign correspondents, and locations owned or controlled by commercial or retail customers. By eliminating in-person transactions, DRC reduces the cost and volume of paper associated with the physical shipment or deposit of items. DRC also supports new and existing banking products and improves customers' access to their deposits.

On January 14, 2009, the FFIEC published a guide entitled Remote Deposit Risk Management. The orientation addresses the essential components of DRC risk management: the risk assessment and mitigation. It includes a full discussion on DRC risk factors and mitigants. See the FFIEC website.

DRC risk factors can expose banks to various risks, including money laundering, fraud and information security. Fraudulent documents, sequentially numbered or physically altered, especially money orders and traveler checks, may be harder to detect when sent by DRC and not inspected by a qualified person.
Banks can face challenges in controlling or understanding the location of DRC equipment, as equipment can be easily transported from one jurisdiction to another. This challenge increases as foreign correspondents and foreign money services companies are increasingly using DRC services to replace the bag and certain instrument processing and compensation activities. Inappropriate controls could result in intentional or unintentional alterations to deposit item data, referral of a data file or duplicate presentation of checks and images at one or more financial institutions. In addition, original deposit items are not usually sent to banks, but the customer or customer service provider retains them. As a result, logging, data security and integrity issues may increase.

Higher risk customers can be defined by industry, incidence of fraud or other criteria. Examples of higher-risk parts include online payment processors, certain credit repair services, certain mail ordering and phone ordering companies, online gambling operations, offshore businesses and adult entertainment companies.

Risk mitigation

Management must develop appropriate policies, procedures and processes to mitigate the risks associated with DRC services and effectively monitor unusual or suspicious activity. Examples of risk mitigating are:
- Comprehensively identify and evaluate DRC risk before implementation. Senior management must identify BSA/AML, operational, information security, compliance, legal and reputational risks. Depending on the size and complexity of the bank, this comprehensive risk assessment process should include BSA/AML personnel, information and security technologies, deposit operations, treasury or treasury sales, business continuity, auditing, compliance, accounting and legal.
- CDD and EDD of the appropriate client.
- Creation of risk-based parameters that can be used to perform DRC client eligibility reviews. Parameters can include a list of acceptable industries, standardized subscription criteria (e.g. credit history, financial statements and business ownership structure), and other risk factors (customer risk management processes, geographical and customer base). When the risk level warrants it, bank staff should consider visiting the customer's physical location as part of the suitability review. During these visits, the operational controls and risk management processes of the client must be evaluated.
- The provider is in action when banks use a service provider for DRC activities. Management must ensure the implementation of solid supplier management processes.
- Get expected DRC customer account activity, such as expected DRC transaction volume, dollar volume, and type (e.g., payroll checks, third-party checks, or traveler checks), compare it with actual activity, and resolve significant deviations. Compare the expected activity with the type of business to make sure they are reasonable and consistent.
- Set or modify the customer's DRC transaction limits.
- Develop well-built contracts that clearly identify the role, responsibilities and liabilities of each party, and detail record retention procedures for DRC data. These procedures must include physical and logical security expectations for the access, transmission, storage and definitive disposal of the original documents. The contract must also address the customer's responsibility to properly secure DRC equipment and prevent improper use, including establishing effective computer security controls (e.g., passwords, dual-control access). In addition, contracts must detail the obligation of the DRC customer to provide original documents to the bank to facilitate investigations related to unusual transactions or poor quality transmissions, or to resolve disputes. The contracts must clearly detail the bank's authority to order specific internal controls, conduct audits or terminate the DRC relationship.
- Implement additional monitoring or review when significant changes occur in the type or volume of operations, or when significant changes occur in the subscription criteria, customer base, customer risk management processes or geographic location on which the bank was based when establishing DRC services.
- Ensure that DRC customers receive adequate training. The training should include documentation addressing issues such as routine operations and procedures, duplication and problem solving.
- Use improved aggregation and monitoring capabilities as provided by digitized data.
- If applicable, use technology to minimize errors (e.g., using postage to seal or identify a deposit as processed). 199 Franking consists of printing or stamping phrases such as Electronically Processed or Processed on the front of the original check. This process is used as an indicator that paper verification has already been processed electronically and therefore should not be physically deposited later.

Goal. Evaluate the adequacy of the bank's systems to manage the risks associated with electronic banking customers, including remote deposit capture (DRC) activity, and the management capacity to implement effective monitoring and reporting systems.

1. Review the policies, procedures and processes related to electronic banking, including the activity of the DRC as appropriate. Evaluate the adequacy of policies, procedures and processes given the activities and risks presented. Assess whether the controls are adequate to reasonably protect the bank from money laundering and terrorist financing.
2. Based on a review of MIS and internal risk rating factors, determine whether the bank effectively identifies and monitors higher-risk electronic banking activities.
3. Determine whether the bank's electronic banking supervisory system, including DRC activity as appropriate, for suspicious activities and reporting suspicious activities, is appropriate given the size, complexity, location and types of customer relations at the bank.
4. If applicable, consult the basic examination procedures, Foreign Assets Control Office, page 152, for guidance.

Transaction Tests

5. Based on the bank's risk assessment of its electronic banking activities, as well as preliminary examination and audit reports, select a sample of electronic banking accounts. For the selected sample, perform the following procedures:
- Review the account opening documentation, including CIP, ongoing CDD, and transaction history.
- Compare the expected activity with the actual activity.
- Determine whether the activity is consistent with the nature of the customer's business.
- Identify any unusual or suspicious activity.
6. Based on completed examination procedures, including proofs of operation, form a conclusion on the adequacy of policies, procedures and processes associated with electronic banking relationships.

Goal. Evaluate the adequacy of the entity's systems to manage the risks associated with fund transfers and the management capacity to implement effective monitoring and reporting systems. This section extends the fundamental review of the legal and regulatory requirements of fund transfers to provide a broader assessment of the risks of AML associated with this activity.

Payment systems in the United States consist of numerous financial intermediaries, financial services companies and non-bank companies that create, process and distribute payments. The national and international expansion of the banking and non-bank financial services sector has increased the importance of electronic fund transfers, including transfers of funds made through wholesale payment systems.
Additional information about the types of wholesale payment systems is available in the FFIEC's information technology examination manual. 200 Consult the FFIEC's information technology examination manual.

Fund transfer services

The vast majority of the value of U.S. dollar payments, or transfers, in the United States is ultimately processed through wholesale payment systems, which generally handle high-value transactions between banks. Banks carry out these transfers on their own behalf as well as for the benefit of other financial service providers and banking customers, both corporate and consumer.

Related retail transfer systems facilitate transactions such as automated clearing houses (ACH); automated teller machines (ATM); point of sale (POS); telephone bill for payment; home banking systems; and debit and prepaid cards. Most of these retail transactions are initiated by customers rather than by banks or corporate users. These individual transactions can be batched to form larger wholesale transfers, which are the focus of this section.

The two main domestic wholesale payment systems for interbank fund transfers are the Fedwire Fund Service (Fedwire) and the Interbank Payment System of the Clearing House (CHIPS). 201 Fedwire Services is a registered service mark of Federal Reserve Banks. 202 CHIPS is a private multilateral settlement system owned and operated by The Clearing House Payments Co., LLC. Most of the dollar value of these payments originates electronically to make large-value, time-critical payments such as interbank purchase settlement and federal fund sales, settlement of currency transactions, disbursement or loan repayment; settlement of real estate transactions or other financial market transactions; purchase, sale or financing of securities transactions. Fedwire and CHIPS participants facilitate these transactions on their behalf and on behalf of their customers, including non-bank financial institutions, commercial companies and correspondent banks that do not have direct access.

Structurally, there are two components for fund transfers: instructions, containing information about the sender and recipient of funds, and actual movement or transfer of funds. Instructions can be sent in various ways, including by electronic access to networks operated by the Fedwire or CHIPS payment systems; through access to financial telecommunication systems, such as Society for Worldwide Interbank Financial Telecommunication (SWIFT); or email, facsimile, telephone or telex. Fedwire and CHIPS are used to facilitate U.S. dollar transfers between two national extremes or the U.S. dollar segment of international transactions. SWIFT is an international messaging service that is used to transmit payment instructions for the vast majority of international interbank transactions, which can be denominated in numerous currencies.

Fedwire

Fedwire is operated by Federal Reserve Banks and allows a participant to transfer funds from their master account at Federal Reserve banks to the master account of any other bank. 203 An entity entitled to maintain a master account with the Federal Reserve is generally eligible to participate in the Fedwire Fund Service. These participants include:
- Depositary entities.
- American agencies and branches of foreign banks.
- Member banks of the Federal Reserve System.
- The U.S. Treasury and any entity specifically authorized by the federal statute to use Federal Reserve Banks as tax agents or depositories.
- Entities appointed by the Treasury Secretary.
- Foreign central banks, foreign monetary authorities, foreign governments and certain international organizations.
- Any other entity authorized by a Federal Reserve Bank to use the Fedwire Fund Service.

The payment on Fedwire is final and irrevocable when the Federal Reserve Bank credits the amount of the payment order to the receiving bank's Federal Reserve Bank master account or sends a notice to the receiving bank, whichever is earlier. While there is no risk of settlement for Fedwire participants, they may be exposed to other risks, such as errors, omissions and fraud.

Participants can access Fedwire by three methods:
- Mainframe-to-mainframe direct (Fedline Direct).
- Internet access through a virtual private network to Web-based applications (FedLine Advantage).
- Offline or telephone access to a Federal Reserve Bank operations site.

CHIPS

CHIPS is a real-time multilateral payments system that is typically used for large dollar payments. CHIPS is owned by banks, and any banking organization with a regulated U.S. presence can become a participant in the system. Banks use CHIPS to settle interbank and customer transactions, including, for example, payments associated with business transactions, bank loans and securities transactions. CHIPS also plays an important role in the settlement of USD payments related to international transactions, such as currencies, international trade transactions and offshore investments.

Continuous Linked Settlement (CLS) Bank

CLS Bank is a special purpose private bank that simultaneously settles the two payment obligations arising from a single currency exchange operation.
The payment versus payment settlement form ensures that a payment segment of an exchange transaction is settled if and only if the corresponding payment segment is settled, eliminating the currency settlement risk that arises when each segment of the exchange operation is settled separately. CLS is owned by global financial institutions through stakes in CLS Group Holdings AG, a Swiss company that is the latest holding company of CLS Bank. CLS Bank currently settles payment instructions for currency transactions in 17 currencies and is expected to add more currencies over time.

SWIFT

The SWIFT network is a messaging infrastructure, not a payments system, that provides users with a private international communications link between them. Real fund movements (payments) are completed through correspondent banking relationships, Fedwire or CHIPS. The movement of payments denominated in different currencies occurs through correspondent banking relationships or on fund transfer systems in the corresponding country. In addition to customer and bank fund transfers, SWIFT is used to transmit currency confirmations, debit and credit entry confirmations, statements, collections and letters of credit.

Cover payments

A typical fund transfer implies that an originator instructs its bank (the originator's bank) to make the payment to the account of a beneficiary (the beneficiary) with the beneficiary's bank. A cover payment occurs when the originator's bank and the beneficiary's bank do not have a relationship that allows them to settle the payment directly. In this case, the originator's bank instructs the beneficiary's bank to make the payment and advises that the transfer of funds to cover the obligation created by the payment order has been arranged through correspondent accounts at one or more intermediary entities.

Cross-border coverage payments typically involve several banks in various jurisdictions. For transactions in U.S. dollars, intermediary banks are generally U.S. banks that maintain correspondent banking relationships with non-U.S. banks and the banks of the beneficiaries. In the past, SWIFT message protocols allowed cross-border coverage payments to be made through the use of separate and simultaneous message formats:
- MT 103 - the originator's bank payment order to the beneficiary's bank with information identifying the originator and the beneficiary; and
- MT 202 - bank-to-bank payment orders directing intermediary banks to cover the obligation of the originator's bank to pay the beneficiary's bank.

To address transparency concerns, SWIFT adopted a new message format for cover payments (the MT 202 COV) containing mandatory fields for source and beneficiary information. Effective November 21, 2009, the MT 202 COV is required for any bank payment for which there is an associated MT 103. The MT 202 COV provides intermediary banks with additional source and beneficiary information to carry out sanction screening and monitoring of suspicious activity. The introduction of the MT 202 COV does not alter the OFAC or BSA/AML obligations of a U.S. bank. The MT 202 format remains available for bank-to-bank fund transfers that have no MT 103 message associated with them. For more information about transparency in cover payments, see Transparency and Compliance for U.S. Banking Organizations That Carry Out Cross-Border Fund Transfers (December 18, 2009), which can be found on the website of each of the federal banking agencies.

Informal Value Transfer Systems

An informal value transfer system (IVTS) (for example, hawalas) is a term used to describe a currency transfer or value system that operates informally to transfer money as a business. 204 IVTS information sources include:
- FinCEN Advisory FIN-2010-A011, Informal Value Transfer Systems, September 2010.
- FinCEN Advisory 33, Informal Value Transfer Systems, March 2003.
- Report on informal value transfer systems from the U.S. Treasury to Congress in accordance with Section 359 of the Patriot Act, November 2002.
- Working Group on Financial Action on Money Laundering (FATF), Interpretative Note to Special Recommendation VI: Alternative, June 2003.
- FATF, Fight against the abuse of alternative remittance systems, Good International Practices, October 2002.

In countries that do not have a stable financial sector or large areas not served by formal banks, IVTS may be the only method for carrying out financial operations. Financial. living in the United States can also use IVTS to transfer funds to their home countries. IVTS can operate legally in the United States as a money services business, and specifically as a type of money transmitter as long as they comply with applicable state and federal laws. This includes signing up for FinCEN and complying with the BSA/AML provisions applicable to all money transfers. A more sophisticated form of IVTS operating in the United States often interacts with other financial institutions in foreign exchange storage, check compensation, referral and receipt of funds, and obtaining other routine financial services, rather than acting independently of the formal financial system.

Pay in suitable identification operations

A type of fund transfer transaction that entails a particular risk is what is paid in the appropriate identification service (PUPID). PUPID transactions are transfers of funds for which there is no specific account to deposit the funds and the beneficiary of the funds is not a bank customer. For example, a person can transfer funds to a family member
