BSA-AML Examiner School Case Study eBook
BSA/AML Examiner School Case Study
April 15-19, 2024 San Diego, CA
@ www.csbs.org ♦ @csbsnews
CONFERENCE OF STATE BANK SUPERVISORS 1300 I Street NW / Suite 700 / Washington, DC 20005 / (202) 296-2840
BSA/AML EXAMINER SCHOOL TS&J Bank Case Study Introduction
Over the remainder of the week, you will be completing a case study of TS&J Bank. For most areas, we will discuss exam concepts and you will apply the concepts by reviewing materials related to the case study. The case study is based on an actual examination of an institution; however, the personal identifying information of the customers and the institution was changed. Later in the week, the outcomes from the examination will be shared with you.

The case study is intended to simulate a BSA examination. As such, you will have the opportunity to ask the BSA Officer [your instructors] questions on two occasions. You should write down any questions that you have during the exam planning exercise because the initial BSA Officer interview will occur tomorrow. Later in the week, you will develop your conclusions and conduct a simulated BSA Officer exit meeting (with a group of examiners, lasting 30 minutes). To ensure you have a successful experience, document any potential exceptions, findings, or violations you identify during the transaction testing exercises. These will help you develop your findings and conclusions related to the BSA program at TS&J Bank to discuss with the BSA Officer during the meeting.

TS&J Bank is a community bank located in a rural area with total assets of $189 million. The bank is locally owned with four locations (Eagle, Lincoln, Omaha, and Fremont) in Nebraska. In 2022, the bank decided to venture into Banking as a Service (BaaS). In November 2023 the bank onboarded its first FinTech client, Azul. The bank then onboarded a second client, Lemon, in December 2023. The ratings from the Fed examination in 9/2022 were 2-2-2-2-3-2/2, with loan problems noted. There was a Matter Requiring Board Attention for Operational Risk Management regarding internal control practices. The prior exam report stated that the BSA program was satisfactory and that the institution satisfactorily complies with OFAC requirements.
For Training Purposes Only
REQUEST LIST
Financial Institution - AML/CFT DOCUMENT REQUEST LIST
The list below includes materials that examiners request to be provided (P) for offsite review. Items marked (*P) indicate that the bank may need to provide initial information, after which the Examiner will contact the bank with requests for additional material or transaction samples.
ITEM # AML 1 - AML/CFT Compliance Program
a. NAME & TITLE OF OFFICER (P): Provide name and title of the designated AML/CFT (formerly BSA/AML) compliance officer and, if different, the name and title of the person responsible for monitoring AML/CFT compliance.
b. [item title not legible in source] (P): Provide copies of resumes and qualifications of person(s) new to the program serving in AML/CFT program oversight capacities.
c. ALL AML/CFT, CIP, AND OFAC RELATED POLICIES AND PROCEDURES (P): Provide copies of the policy and procedures relating to all reporting and recordkeeping requirements, including suspicious activity reporting. Please provide the dates the policy/procedures, risk assessment, and SARs were approved by the Board.
AML 2 - Independent Testing
a. INTERNAL & EXTERNAL AUDIT WORK PAPERS (*P): *AML Examiner will contact bank if access is needed to the audit workpapers.
AML 3 - AML Training
a. AML TRAINING REPORTS (P): Provide AML/CFT training schedule with dates, attendees, and topics, and a list of persons in positions for which the bank typically requires AML/CFT training, and those who do not require training (since the last regulatory examination).
b. TRAINING WORKPAPERS-EXTERNAL (P): Provide training documentation (e.g., materials for external training) since the previous AML/CFT regulatory examination.
c. TRAINING WORKPAPERS-INTERNAL (P): Provide training documentation (e.g., materials used for internal training) since the previous AML/CFT regulatory examination.
AML 4 - Regulation GG - Unlawful Internet Gambling Enforcement Act (UIGEA)
a. REGULATION GG POLICY (P): Provide a copy of the current Reg GG policy.
b. NOTICE (P): Provide the disclosure process on commercial accounts.
AML 5 - Risk Assessment
a. AML BOARD AGENDAS (P): Provide AML documentation given to the Board of Directors since the last examination, if not included in the Board minutes.
AML 6 - Customer Identification Program (CIP) and CDD (Beneficial Ownership)
a. TAX IDENTIFICATION NUMBERS (P): Provide a list of accounts without Taxpayer Identification Numbers (TINs) or Employer Identification Numbers (EINs).
b. ACCOUNT OPENING FORMS (P): Provide a sample copy of all account opening forms (e.g., for loans, deposits or other accounts) used to document Customer Identification Information, Beneficial Ownership, and Customer Due Diligence information.
c. CIP & BENEFICIAL OWNERSHIP EXCEPTIONS (P): Provide tracking reports with a written description of the bank’s rationale for exceptions.
d. LIST OF NEW ACCOUNTS (P): Provide a list of new accounts (including legal entity accounts) covering all product lines (including accounts opened by third parties) and segregating existing customer accounts from new customers, for the prior two months. *After new account documents are posted, the AML Examiner will contact the bank with the selected sample for CIP/CDD, Beneficial Ownership, and OFAC.
e. CIP CUSTOMER NOTICE (P): Provide a copy of the customer notice and a description of the timing and delivery, by product.
f. USE OF RELIANCE PROVISION (P): Provide a list of the financial institutions on which the bank is relying, if the bank is using the “reliance provision.” The list should note whether the relied-upon financial institutions are subject to a rule implementing the AML/CFT compliance program requirements of 31 USC 5318(h) and are regulated by a federal functional regulator. Provide copies of contracts with financial institutions and with third parties that perform all or any part of the bank’s CIP.
AML 7 - Customer Due Diligence (CDD)
a. ENHANCED CDD (*P): *After review of the initial list of higher-risk customers provided, the AML Examiner will contact the bank with the higher-risk accounts to be sampled, to include CIP, CDD, account statements, and the last formal review.
AML 8 - Suspicious Activity Reporting
a. SUSPICIOUS ACTIVITY REPORTS (SARs) (*P): *AML Examiner will contact the bank on SARs to be uploaded. Please password protect.
b. NON-FILED SARs (P): Provide analysis/documentation of any activity for which a SAR was considered but not filed, or for which the bank is actively considering filing a SAR, since the prior examination. Please password protect.
c. SUSPICIOUS ACTIVITY MONITORING SYSTEMS (P): Provide information on whether the bank uses a manual or an automated account monitoring system, or a combination of the two. If an automated system is used, is the system proprietary or vendor supplied? If the system is provided by an outside vendor, provide (i) a list that includes the vendor, (ii) application names, and (iii) installation dates of any automated account monitoring system provided by an outside vendor. Additionally, provide a list of the algorithms or rules used by the systems.
d. SUSPICIOUS ACTIVITY MONITORING REPORTS (P): Provide a list of reports used for identification of and monitoring for suspicious transactions. These reports include, but are not limited to, suspected kiting reports, currency activity reports, monetary instrument records, and funds transfer reports. These reports can be generated from specialized AML/CFT software, the bank’s general data processing systems, or both. *Upon review of the list provided, the Examiner will contact the bank for the date ranges for review of the various reports.
AML 9 - Currency Transaction Reporting
a. CTRs FILED (P): Provide copies of CTRs filed in December 2023.
b. CURRENCY AGGREGATION REPORTS (P): Provide currency aggregation reports for the weeks of December 18, 2023 - January 5, 2024.
AML 10 - Currency Transaction Reporting Exemptions
a. LIST OF EXEMPT CUSTOMERS (P): Provide a list of new/existing customers exempted from CTR filing and the documentation to support the exemption (e.g., currency transaction history or, as applicable, risk-based analysis) and dates exempted.
b. ANNUAL EXEMPTION REVIEWS (P): Provide documentation on required annual reviews of CTR exemptions.
AML 11 - Information Sharing
a. POSITIVE 314(a) MATCHES (P): Provide documentation of any positive match(es) for a section 314(a) request.
b. SEARCH REQUESTS (P): Provide documentation demonstrating that required searches have been performed since the last regulatory examination.
c. 314(b) (P): If applicable, provide a copy of the bank’s most recent notification form to voluntarily share information with other financial institutions under 31 CFR 1010.540 (Voluntary Information Sharing Among Financial Institutions), or a copy of the most recent correspondence received from FinCEN that acknowledges FinCEN’s receipt of the bank’s notice to voluntarily share information with other financial institutions.
AML 12 - Purchase and Sale of Monetary Instruments
a. SALES MONETARY INSTRUMENTS (P): Provide records of currency sales of monetary instruments in amounts between $3,000 and $10,000 since the last regulatory examination.
AML 13 - Funds Transfers Recordkeeping
a. FUNDS TRANSFERS/WIRES (P): Provide an Excel document of funds transfers, including incoming and outgoing (foreign and domestic) transfers of $3,000 or more for the last two months (*November 2023 and December 2023). Please provide it as an Excel document with all the required 'travel rule' fields.
AML 14 - Office of Foreign Asset Control (OFAC)
a. OFAC (P): Provide the name and title of the designated OFAC compliance officer and, if different, the name and title of the person responsible for monitoring OFAC compliance.
b. OFAC FULL CUSTOMER REVIEW (P): Provide the last full file scrub report on the full customer database and, if exceptions were noted, comments or reasoning.
AML 15 - E-banking Services - Automated Clearing House Transactions/Remote Deposit Capture/Online Account Opening
a. LIST OF ACH ORIGINATORS (if not provided with IT request list) (P): AML Examiner will request additional information if needed.
b. LIST OF RDC CUSTOMERS (if not provided with IT request list; do not include mobile banking customers) (P): AML Examiner will request additional information if needed.
c. International ACH Transactions (IATs) (P): Provide transcripts of IATs (originated/received by the bank) in the last two months.
d. INTERNAL CONTROLS (P): Make available copies of any policies and procedures related directly to electronic banking (e-banking) that are not already included in the AML/CFT policies.
e. REPORTS (P): Provide management reports that indicate the monthly volume of e-banking activity.
AML 16 - BaaS Services (AML/CFT)
a. INTERNAL CONTROLS (P): Provide AML/CFT policies, procedures, and processes for BaaS.
b. GUIDELINES (P): Provide BaaS procedures and guidelines used to determine when EDD is appropriate for higher-risk accounts and parties to the relationship. These should include methods for identifying account interested parties.
c. LISTS (P): Provide a list of politically exposed persons (PEP), export or import business owners, money transmitters, Private Investment Companies (PIC), financial advisers, offshore entities, or money managers (when an intermediary is acting on behalf of customers). Provide a list of the bank’s BaaS clients whose clients meet the following criteria:
   § Customers who were introduced to the bank by individuals previously employed by other financial institutions.
   § Customers who were introduced to the bank by a third-party investment adviser.
   § Customers who use nominee names.
   § Customers who are from, or do business with, a higher-risk geographic location.
   § Customers who are involved in cash-intensive businesses.
   § Customers who were granted exceptions to policies, procedures, and controls.
   § Customers who frequently appear on unusual activity monitoring reports.
d. BOARD REPORTS (P): Provide reports and minutes submitted to the board of directors or its designated committee relating to AML/CFT matters pertaining to BaaS business lines and activities.
e. ORG CHART (P): Provide an organizational chart for the AML/CFT compliance function as it relates to BaaS services.
f. RISK ASSESSMENT (P): Provide a risk assessment of BaaS customers that identifies those customers, prospective customers, or products the bank has determined to be higher risk.
g. ACTIVITY (P): Provide management reports covering the largest, most active, or most profitable BaaS customers.
h. INDEPENDENT REVIEW (P): Provide an AML/CFT independent review or audit of BaaS, with workpapers. Include internal audits performed on BaaS and their work papers.
i. TRAINING (P): Provide a copy of the AML/CFT training materials for management and employees involved in BaaS activities.
j. SYSTEMS (P): Identify the BaaS systems used. Briefly explain how they accommodate and assist compliance with AML/CFT regulations and guidelines.
k. CLIENTS (P): Provide a list of newly opened BaaS clients since 1/1/2023.
l. 314A (P): Provide procedures for checking section 314(a) requests relating to BaaS services.
m. HIGH RISK (P): Provide a list of all BaaS customers designated as higher risk.
n. SARS (P): Provide copies of SARs associated with BaaS.
o. SUBPOENAS (P): Provide a list of subpoenas, particularly AML/CFT-related, relating to BaaS activities.
From: EIC@Statebankingagency.org
Sent: February 15, 2024
To: Allexamstaff@Statebankingagency.org
Subject: TS&J Bank Examination
Examination Team,
Good afternoon team.
A few items before the examination. Please read the INTERNAL MEMO REGARDING RECENT VISITATION that was just completed.
Please note your concerns.
INTERNAL MEMO REGARDING RECENT VISITATION ON THE BANK’S BaaS PROGRAM:

The Fed conducted an offsite visitation of TS&J Bank, Eagle, Nebraska, which commenced December 4, 2023, and focused on the bank’s implementation of a novel Banking as a Service (BaaS) strategy, including relationships with the designated service provider, Unit Finance Inc. (Unit), and Onyx Card, LLC (Onyx). Examiners’ review was limited in scope and primarily centered on the bank’s third-party risk management; cybersecurity/information security; and the Bank Secrecy Act (BSA)/Anti-Money Laundering (AML) program. In addition, financial implications such as capital planning, earnings impact, and liquidity risk were considered.

Following the visitation, FED and STATE examiners met with representatives of the board of directors (board) and senior management on January 16, 2024, to discuss the observations made during the visitation, which are included in this correspondence for your review. Representing the bank were Chief Executive Officer Lynn Love, President Todd Tallon, Vice President of Finance Seth Simmons, and Chief Compliance Officer/BSA Officer Ruby Rose. Members of both the FED and STATE were present.

As was discussed during the visitation and the subsequent meeting to discuss observations, to ensure safe and sound banking practices, a bank’s risk management program must be commensurate with the level of risk present in a bank’s activities. In particular, BaaS activities are complex and present high inherent risks. A bank should ensure it has in place adequate systems, risk management, and controls to conduct such activities in a safe, sound, and compliant manner. We recognize the board’s commitment and intention to implement a risk management framework that effectively mitigates risk associated with the BaaS strategy and program. Such intention was demonstrated through the establishment of a board risk committee and chief risk officer, hiring of knowledgeable and competent staff, such as Chief Compliance Officer/BSA Officer Rose who is well-versed in BaaS strategies, and a third-party risk management program that captures key principles of Supervision and Regulation Letter (SR Letter) 23-4, Interagency Guidance on Third-Party Relationships: Risk Management (SR Letter 23-4). We also acknowledge several adequate qualities of the bank’s risk management program that are in the process of being fully developed and were unavailable to be reviewed. In addition, due to the limited scope of the review, not all areas were assessed for appropriateness or adequacy.

As a reminder, it is important that controls are in place prior to the bank engaging in any new products and service activities, and the bank’s risk management framework should keep pace with any growth, expansion, or change in the BaaS strategy. The BaaS strategy is active; therefore, it is imperative that the board and senior management demonstrate that the enhancements below are being substantially addressed prior to the upcoming safety and soundness examination, dated February 12, 2024. Failure to demonstrate progress increases the likelihood of rating changes and examination findings, as well as pausing additional onboarding of new BaaS partners or clients until risk management gaps are addressed, which may impede further growth of the bank’s BaaS strategy going forward.

Enhancements to Risk Management Framework of BaaS Program

The following are enhancements related to gaps in third-party risk management, dual controls, and liquidity risk management. The bank’s efforts in strengthening the respective areas will be assessed at the upcoming joint safety and soundness examination.

• With consideration to effective third-party risk management, the bank should incorporate BaaS-related activities within its business continuity planning (BCP) and business impact analysis (BIA) framework. Consideration should also be given to BCPs and BIAs of current (i.e., Unit and Onyx) and future BaaS partners as well as the decommissioning of or transferring aspects of the program to new vendors. Third-party risk management procedures should also delineate the criticality risk rating methodology and documentation requirements used for potential BaaS partners and specify the use of alternatives when the requested information is not available for due diligence and ongoing monitoring. Additionally, Unit and all BaaS partners should be tracked on the bank’s vendor management risk assessment and classified as either a critical or non-critical vendor. All critical vendors should be incorporated into quarterly monitoring in accordance with internal policies. Refer to SR Letter 23-4 for additional information.

• With consideration to managing operational risk, the bank should develop dual control practices and written procedures related to the daily reconciliation of BaaS activities.

• With consideration to liquidity risk management, the bank should clearly delineate the current on-balance sheet deposit strategies and key performance indicators pursuant to the BaaS Deposit Phase 1 strategy in its written policies and procedures. On a forward-looking basis, policies and procedures should also delineate limits and restrictions on the deployment of BaaS deposits for bank activity and include them as part of annual liquidity stress testing processes. In addition, policies and procedures should delineate the operational process for the placement of BaaS deposits and ensuring insurance coverage is in effect. We understand that in Deposit Phase 1, the bank intends to sell deposits received through the BaaS program to the Intra-fi network. Although Phase 1 is documented in the BaaS business strategy presentation, this strategy and the post-Phase 1 strategy, the placement of BaaS deposits, and the insurance coverage mechanism should be formalized in the bank’s current liquidity policy.

Other Areas to be Reviewed at Upcoming Examination:

While examiners held discussions in the following areas, a thorough review was not completed during the visitation. Examiners will review the corresponding areas as part of the upcoming examination.

• Capital planning will be reviewed. The 2023 capital plan was not requested as part of this review; however, we understand the 2024 capital plan was in the process of development at the time of the visitation and will include an assessment of operational risks presented by the BaaS program. In addition, it was unclear how frequently the capital plan will be reviewed and modified to incorporate the dynamic operational risks present as the BaaS program expands. In addition, the bank’s dividend plans regarding providing a return to shareholders and/or investors of the BaaS strategy will be monitored and reviewed.

• The bank’s monitoring and testing of Unit’s BSA/AML program will be reviewed, as these controls were not established at the time of the visit.

• The bank’s internal audit program and control environment will be reviewed, as it is unclear whether the bank’s audit plans incorporate audits of BaaS-related activities, BaaS vendors and partners, or prospective partners.

• The license agreement between the bank and Love Bancshares, Inc., will be reviewed to ensure compliance with Regulation W, Section 23B.

We appreciate senior management’s cooperation during the visitation and acknowledge the board’s stated intention to build a risk management framework that supports the bank’s business initiatives in a safe and sound manner. While many risk management factors are noted above, this is not an exhaustive list of risk management factors to consider in the establishment of a strong risk management framework that supports the BaaS program and growth initiatives.

Finally, the consumer compliance examination that commenced on December 4, 2023, remains open, and final conclusions from that examination will be provided separately, including any assessment of the impact of the bank’s BaaS strategy on its compliance management system. As such, senior management should continue to be proactive and agile in the identification of risk and implementation of commensurate controls to manage the dynamic risk that is introduced by the BaaS program.
For Training Purposes Only
From: EIC@Statebankingagency.org
Sent: February 16, 2024
To: BSAexamstaff@Statebankingagency.org
Subject: TS&J Bank Examination
BSA/AML Team,
I hope you had a chance to read the visitation memo.
I know this is the first time we have seen this type of program (BaaS) in our State, so I have talked to the scheduler and, instead of three days for the BSA/AML examination, he has extended it to five days; hopefully this will allow ample time to complete your review of the area. Please let the scheduler know if more time is needed.

Also, I just finished our pre-examination call with TS&J Bank President Todd Tallon, who brought up some important information regarding the upcoming BSA/AML examination. In June 2023 the bank hired a new BSA Officer, Ruby Rose. They also just hired a BSA Assistant, Nellie Newark. BSA Officer Rose has prior FinTech experience and heads up the BaaS program, and BSA Assistant Newark does some work on the community bank side for BSA. He also stated the Fed just completed a visitation of the program at the end of 2023, and there were a few concerns about the program, but the bank is on top of it and there shouldn’t be any concerns. He went on to say that in 2022 the bank hired a consulting group to help set up the program. The Board spent over $6 million on the statements of work (SOW); in fact they had seven SOWs completed to help set up the BaaS program. He reiterated that the new program would generate some good fee income for the bank and that things were in order.

Side notes/History after my discussion with President Tallon:
The President did not seem concerned with the visitation findings. The visitation did not do an in-depth review of the BaaS program for BSA/AML. CEO Love’s great-great grandfather ran the bank, and now she is the owner. She is known for having a higher risk appetite. The bank lost a lot of money in 2021 due to a loan fraud case: the bank took an investment statement as collateral, the investment statement was fraudulent, and the bank lost $2.1 million, and ROAA was less than stellar. CEO Love had mentioned she needed to find a way to make some additional income.

Examiners have also found that in the past she has delayed the correction of deficiencies identified by both regulators and external auditors. She will commit to remediating items, however with no timeline. The Board has one strong member, Kathy Karton, who seems engaged at prior Board meetings; however, we do not know the extent to which the Board members are apprised of the new BaaS activity or concerned with the new activity. Be aware that as examiners have discussions with management, they should always have another examiner present.
Internal Use Only
Please review the prior exam comment below.
The following will give you a little history with this institution and their BSA program.
The Bank has remained an overall composite 2 rating for the last 3 examinations. Prior BSA examinations have been Satisfactory. The most recent examination dated 7/11/2022 ratings were 2-2-2-2-2-2/2. Prior MRBAs noted at the 2020 examination were considered closed; however, three new MRBAs were outlined in the 2022 Report. The MRBAs were due to Credit Risk – Commercial Real Estate Portfolio Management, Liquidity Risk Management – Contingency Funding Plan, and Operational Risk Management – Internal Controls Practices. The Operational Risk Management MRBA is detailed below.

Operational Risk Management – Internal Controls Practices
• The board and senior management are required to formalize the current schedule for internal control testing to enhance oversight and independent review by the board with an overall emphasis placed on fully documenting routine testing of current internal control practices, findings and resolution tracking, and periodic independent reporting to the board. Consideration should be given to the sound risk management principles outlined in SR Letter 03-5, Amended Interagency Guidance on the Internal Audit Function and its Outsourcing, to assist with this matter.

Bank Secrecy Act/Anti-Money Laundering (AML) Compliance Program
The BSA/AML compliance program is satisfactory and is designed to adequately mitigate and manage risks associated with money laundering, terrorist financing, and other illicit activity. The bank satisfactorily maintains the four pillars of a sound BSA compliance program, which includes an adequate Customer Identification Program. The program also includes an established customer due diligence and Beneficial Ownership function. BSA Officer Donna Dewitt possesses a satisfactory level of knowledge, experience, and authority to effectively manage the BSA/AML program. The training program is adequate and includes continual training for employees, including new hires, and annual training for board members. An independent test is conducted every 12-18 months, with the most recent test conducted in February 2022 by Compliance Compliance, Mitchell, South Dakota. The scope of the review and testing performance is adequate and aligns with guidelines outlined in the FFIEC’s BSA/AML Examination Manual. No violations noted.

Again, thank you for helping out with this examination. With the departure of the former BSA Officer Dewitt, BSA Officer Rose currently oversees the BSA/AML compliance program for the community bank side and the BaaS program. The new BSA Officer’s resume noted that she was from a bank on the east coast. I am a little concerned because upon some research I learned that in May of 2023 the bank she listed on her resume went under a Consent Order due to its BaaS program (for its lending, IT, and BSA programs). She was Director of FinTech for that bank.
TS&J Bank Banking as a Service Team (organizational chart; only the names, titles, and function boxes are recoverable from the chart)

Leadership: CEO Lynn Love; President Todd Tallon; Seth Simmons, VP Finance; Ruby Rose, Compliance Officer/BSA Officer; Board

Function boxes shown on the chart: Unit Liaison; Lead Product Manager; Lead Compliance Liaison; Chief Risk Officer; New FinTech Client Review; Lead Client DD; Product Success Monitor; FinTech Liaison Spokesperson; Lead Audit, Reporting; Division Strategy; Accounting; Testing & Monitoring; Product Development Lifecycle; BSA/AML/OFAC
TS&J BANK BSA/AML/OFAC Policy and Program
Document Version: Initial
Document Type: Policy, Tier 1
Policy Owner: Ruby Rose, Chief Compliance Officer
Business Function: Compliance
Approval Date: January 2024
Effective Date: January 2024
Next Review Date: August 2024
BSA/AML Policy and Program
Table of Contents
1. INTRODUCTION ... 3
2. POLICY OBJECTIVES ... 3
3. SCOPE ... 4
4. KEY TERMS ... 4
5. GOVERNANCE, ROLES, AND RESPONSIBILITIES ... 6
6. THE POLICY ... 10
   A. DESIGNATION OF A BSA/AML OFFICER ... 11
   B. INTERNAL CONTROLS ... 11
   C. MECHANISMS DESIGNED TO MONITOR ONGOING COMPLIANCE ... 26
7. MONITORING AND REPORTING ... 29
8. COMMUNICATIONS AND TRAINING ... 29
9. POLICY EXCEPTIONS ... 29
10. REVIEW AND APPROVAL ... 30
11. RELATED INFORMATION ... 30
   A. RELATED POLICIES, PROCEDURES, AND OTHER RESOURCES ... 30
   B. RELATED LAWS, REGULATIONS, AND REGULATORY GUIDANCE ... 30
12. CHANGE HISTORY ... 31
Confidential
1. INTRODUCTION

The Bank Secrecy Act/Anti-Money Laundering and Sanctions Policy (the “Policy”) and Program (“BSA/AML/OFAC Policy/Program” or “Policy/Program”) establishes the fundamental principles and core processes that TS&J Bank (“TS&J” or “the Bank”) uses to identify, measure, monitor and control financial crime risk. It also sets how TS&J complies with the laws, regulations, and guidelines designed to prevent, detect, and report money laundering, financial crimes, sanctions evasion, and terrorist financing. TS&J and its Board are committed to deterring customers and outside parties from using the Bank and its Third Parties as a conduit for illegal activity and to identify and report, as appropriate, those customers and card holders who may be engaging in such activity. The Bank recognizes that the banking services TS&J offers, which include its TS&J BaaS Solutions Platform, could pose the risk of money laundering and other financial crimes, and will therefore maintain controls commensurate with the risks of the services it offers.

2. POLICY OBJECTIVES

This Policy / Program seeks to establish the core elements of a sound BSA / AML / OFAC Program for TS&J, aligned with the Bank’s broader Enterprise Risk Management Policy. Specifically, this Policy/Program:
● Defines roles and responsibilities for TS&J’s BSA / AML / OFAC program;
● Creates an AML risk assessment process;
● Outlines TS&J’s BSA / AML / OFAC internal control processes;
● Creates a Know Your Customer (“KYC”) framework that provides for risk-based customer identification, verification and due diligence;
● Ensures an appropriate level of ongoing Customer Due Diligence (“CDD”) and Enhanced Due Diligence (“EDD”) for customers and others using Bank services;
● Creates a risk-based transaction monitoring and suspicious activity reporting program including both automated transaction monitoring and staff reviews and referrals;
● Establishes controls to ensure compliance with Office of Foreign Asset Control (“OFAC”) requirements;
● Establishes a process to ensure adherence to all government requirements, including filing of suspicious activity reports, responding to information requests, and maintenance of records;
3
Confidential
Internal Use Only
BSA/AML Policy and Program
● Ensures the Bank documents efforts to meet its legal and regulatory obligations; ● Provides a training program for Bank employees; ● Requires independent testing of its BSA/AML/OFAC program; ● Requires periodic reporting to TS&J’s Risk and Compliance management committee and Board on the Bank’s BSA/AML/OFAC efforts; and ● Specifies how the Bank will oversee the AML programs of its Third Parties. 3. SCOPE This Policy / Program applies to all Bank employees. To the extent the Bank outsources any activities related to this Policy / Program to a third party, including an affiliate, independent contractor, vendor, or Fintech Partner, this Policy / Program also applies to the third party. 4. KEY TERMS
TERM: DEFINITION

BaaS Solutions Platform: The BaaS Solutions Platform is the Bank’s BaaS platform that will offer partner bank capabilities and strategic partnerships with Fintech Partners to deliver banking products and services to businesses and consumers across the United States.

Beneficial Owner: Each individual, if any, who, directly or indirectly, through any contract, arrangement, understanding, relationship, or otherwise, owns 25 percent or more of the equity interests of a legal entity customer; and a single individual with significant responsibility to control, manage, or direct a legal entity customer, including:
● An executive officer or senior manager (e.g., a chief executive officer, chief financial officer, chief operating officer, managing member, general partner, president, vice president, or treasurer); or
● Any other individual who regularly performs similar functions.

BSA/AML/OFAC: The BSA, other AML laws and regulations, and sanctions law and regulations. See Section 10.B for additional information.

BSA/AML/OFAC Risk: The risk of legal or regulatory sanctions, material financial loss, or loss to reputation that the Bank may suffer as a result of the Bank’s failure to comply with the BSA and other AML-related laws, rules, and regulatory guidance, as well as OFAC requirements. BSA/AML/OFAC Risk is a subset of Regulatory and Compliance risk as outlined in the Bank’s Enterprise Risk Management Policy.

Critical Third Party: Generally, a vendor or partner, including a Fintech Partner, that supports critical Bank activities related to the Bank’s compliance with this Policy/Program and that would cause the Bank to face significant risk if the third party failed to meet expectations.

Fintech Partner: A financial technology company that utilizes the Bank’s services to support the provision of products or services to Bank customers. A Fintech Partner is a Critical Third Party.

Fintech Partner-Sourced Customers: Customers sourced through a Fintech Partner. In this model, TS&J establishes a customer relationship with the end-user, while the Fintech Partner principally acts as a third-party service provider or program manager to the Bank (services may include marketing, provision of the front-end technology layer, and customer service).

TS&J Sourced Customers: Customers sourced by TS&J and its existing community banking activities.

Know Your Customer (“KYC”): Standards used in the banking industry to verify customers and understand their risk and financial profiles.

Money Laundering: The process by which persons attempt to conceal and disguise the true origin and ownership of illegal funds. Money laundering is generally viewed as a three-stage process consisting of placement, layering, and integration:
● Placement involves the introduction of unlawful proceeds into the financial system without attracting the attention of financial institutions or law enforcement;
● Layering involves the moving of funds around the financial system to create confusion and complicate the paper trail; and
● Integration is the end goal of money laundering, involving the incorporation of unlawful proceeds into the financial system to convert illicit funds into apparently legitimate business earnings.

Program: Procedures and controls by which TS&J will comply with its BSA/AML/OFAC obligations.

Sanctions: Commercial and financial penalties applied by one or more countries against a targeted country, regime, or individual(s) for national security or foreign policy reasons. For purposes of this Policy/Program, Sanctions refers to such measures imposed by the United States government and implemented and enforced by the Office of Foreign Assets Control (“OFAC”). Sanctions often include prohibitions against U.S. persons engaging in certain trade or financial transactions and other dealings.

Willful Blindness: Knowingly “turning a blind eye” to a potential money laundering violation.
5. GOVERNANCE, ROLES, AND RESPONSIBILITIES
PARTY: ROLES AND RESPONSIBILITIES

BSA/AML Officer [1]
The BSA/AML Officer is the Policy Owner and is responsible for:
● Drafting, implementing, and maintaining this Policy/Program;
● Reviewing the Policy/Program, procedures, and risk assessment at least annually, and more frequently as circumstances require, and making changes as needed with appropriate reporting;
● Overseeing the implementation of the BSA/AML/OFAC Policy/Program, including providing guidance and direction to Bank employees and Fintech Partners about the steps they need to take to help ensure the success of the Bank’s BSA/AML/OFAC program in their areas of responsibility;
● Conducting BSA/AML/OFAC oversight of third-party service providers, which includes Fintech Partners;
● Maintaining sufficient staffing, both in numbers and qualifications, and appropriate technological resources to implement TS&J’s BSA/AML/OFAC program effectively;
● Ensuring Bank employees and relevant Critical Third Parties, including Fintech Partners, receive BSA/AML/OFAC training and that the Company documents training and attendance;
● Monitoring BSA/AML/OFAC compliance and taking corrective action to remedy any deficiencies found;
● Reviewing changes to BSA/AML/OFAC-related laws, regulations, and guidance, and ensuring that TS&J implements processes to remain fully in compliance with its BSA/AML/OFAC obligations;
● Reviewing the BSA/AML/OFAC implications of new or changed products, services, initiatives, or distribution channels offered by the Bank or its Fintech Partners and advising the management Risk and Compliance Committee and Board on the necessary steps to mitigate BSA/AML/OFAC risk;
● Communicating responsibilities for requirements attributed to the Bank in this Policy/Program to relevant employees and third parties; [2]
● Promptly alerting the Management Risk and Compliance Committee and Board to any material issues of BSA/AML/OFAC non-compliance, and instituting and monitoring corrective actions; and
● Periodically reporting to the management Risk and Compliance Committee and Board on the state of BSA/AML/OFAC compliance, key AML-related metrics (e.g., Suspicious Activity Reports), and any significant ongoing or emerging issues.

Board of Directors (“Board”) [3]
The Board is responsible for:
● Reviewing and approving this Policy/Program at least annually;
● Promoting a strong culture of BSA/AML/OFAC compliance;
● Overseeing the Bank’s BSA/AML/OFAC program and assessing its effectiveness;
● Reviewing the Bank’s BSA/AML/OFAC risk assessment at least annually;
● Assigning responsibility and accountability for coordinating and monitoring day-to-day compliance with the BSA/AML Officer;
● Reviewing BSA/AML/OFAC compliance reports, including the annual independent testing of the BSA/AML/OFAC program;
● Reviewing the scope and results of regulatory examinations or correspondence relating to the Bank’s BSA/AML/OFAC program and addressing any key issues resulting from such examinations or letters;
● Reviewing a summary of the Bank’s suspicious activity reporting and other AML-related metrics quarterly; and
● Reviewing reporting on the comprehensive state of BSA/AML/OFAC compliance and any significant emerging issues at least annually and receiving updates on significant issues as needed.

Management Risk and Compliance Committee (MRCC)
The Management Risk and Compliance Committee is responsible for:
● Promoting and implementing a strong culture of BSA/AML/OFAC compliance;
● Receiving reporting from the BSA/AML Officer;
● Reviewing this Policy/Program and recommending approval to the Board;
● Reviewing the Bank’s BSA/AML/OFAC risk assessment at least annually;
● Reviewing periodic compliance reports, including the state of compliance, risk assessment, testing and monitoring reports;
● Reviewing, approving, and overseeing Bank-wide BSA/AML/OFAC compliance initiatives;
● Monitoring corrective action on BSA/AML/OFAC matters and resolving escalated issues; and
● Supporting the BSA/AML Officer on matters relating to audits and examinations.

Business Line Management
Business Line Management is responsible for:
● Promoting a strong culture of BSA/AML/OFAC compliance within their departments;
● Implementing the Policy/Program within their areas of responsibility, including any necessary control activities;
● Notifying the BSA/AML Officer of proposals for new or modified products, services, initiatives, or distribution channels that might affect BSA/AML/OFAC risks;
● Identifying BSA/AML/OFAC compliance weaknesses through monitoring activities, and promptly alerting and working with the BSA/AML Officer to take corrective action;
● Ensuring that their staff receive appropriate BSA/AML/OFAC compliance training; and
● Maintaining systems, controls, and reports used to support BSA/AML/OFAC compliance efforts.

All Employees
All Bank employees are responsible for:
● Complying with and implementing this Policy/Program within their areas of responsibility, including any necessary control activities;
● Completing assigned training related to this Policy/Program;
● Reporting unusual activity to the BSA/AML Officer;
● Escalating potential issues of noncompliance with this Policy/Program;
● Identifying BSA/AML/OFAC compliance weaknesses in their areas of responsibility, and alerting and working with the BSA/AML Officer to take corrective action;
● Notifying the BSA/AML Officer of proposals for new or modified products, services, initiatives, or distribution channels;
● Responding to all information requests from the BSA/AML Officer; and
● Allowing the BSA/AML Officer, or designee, unrestricted access to any business records, systems, or locations necessary to fulfill the duties described in this Policy/Program.

Critical Third Parties
Critical Third Parties, including Fintech Partners, are responsible for:
● Maintaining appropriate BSA/AML/OFAC programs, including policies and procedures;
● Complying with contractual requirements; and
● Allowing the Bank access to monitor data, transactions, and documents as contractually obligated.

Legal [4]
Legal is responsible for:
● Interpreting BSA/AML/OFAC laws and regulations; and
● Providing legal and strategic advice on BSA/AML/OFAC issues and management of risks to the BSA/AML Officer, the management Risk and Compliance Committee, and Board as needed.

[1] The BSA/AML Officer may also be the Chief Compliance Officer.
[2] The BSA/AML Officer may communicate responsibilities for third parties, such as Fintech Partners, through their contracts or program agreements.
[3] The Board may execute its responsibilities through a Board committee, such as the Board Risk and Audit Committee, with delegated authority pursuant to the committee’s charter.
6. THE POLICY
The Bank’s BSA/AML/OFAC program will consist of the following core components and controls, which are described in more detail in the following subsections:
● Designation of a BSA/AML Officer;
● Internal controls, which include:
○ BSA/AML/OFAC risk assessment;
○ KYC program;
○ OFAC compliance;
○ Transaction monitoring;
○ Suspicious activity detection and reporting;
○ Regulatory reporting and recordkeeping; and
○ Information sharing.
● Mechanisms designed to monitor ongoing compliance, which include:
○ Staffing;
○ Reviewing new products and services;
○ Ongoing monitoring and testing;
○ Training;
○ Reporting; and
○ Independent testing of the BSA/AML/OFAC program.

[4] The Bank may outsource the Legal function.

A. DESIGNATION OF A BSA/AML OFFICER
The Bank’s Board will designate a qualified BSA/AML Officer to have responsibility for day-to-day oversight of the Bank’s BSA/AML/OFAC compliance. The Chief Compliance Officer will act as the BSA/AML Officer and report directly to the Chief Risk Officer. The CCO will be responsible for periodic reporting to the Management Risk and Compliance Committee and the Board. All Bank employees are responsible for executing their responsibilities under the BSA/AML/OFAC program. The BSA/AML Officer may rely on Critical Third Parties, including Fintech Partners, to manage key processes and operations necessary to implement this BSA/AML/OFAC program. In all such cases, the BSA/AML Officer will retain responsibility for the implementation of the Policy/Program, ensure that all Bank employees and relevant Critical Third Party employees receive appropriate training, and closely monitor the effectiveness of the processes and operations. Similarly, the Bank may require each Fintech Partner to designate a dedicated AML Officer who will also serve as its primary liaison with TS&J’s BSA/AML Officer.

B. INTERNAL CONTROLS
The BSA/AML Officer will maintain and oversee a system of risk-based internal controls designed to limit and control financial crime risks and maintain compliance with applicable BSA/AML/OFAC laws and regulations. This section provides more details on TS&J’s internal control standards and oversight of Critical Third Parties, including Fintech Partners. Unless otherwise specified, the Bank will expect Fintech Partners to adopt similar internal controls for their AML programs and to be subject to oversight by TS&J’s BSA/AML Officer and Compliance function.

1. BSA/AML/OFAC RISK ASSESSMENT
The BSA/AML Officer will assess the Bank’s BSA/AML/OFAC compliance risk no less than annually through a formal risk assessment process. The BSA/AML