Bank Secrecy Act
Nonbank Financial Institutions—Overview
Objective. Assess the adequacy of the bank’s systems to manage the risks associated with accounts of nonbank financial institutions (NBFI), and management’s ability to implement effective monitoring and reporting systems.
NBFIs are broadly defined as institutions other than banks that offer financial services. The USA PATRIOT Act has defined a variety of entities as financial institutions. Common examples of NBFIs include, but are not limited to:
- Casinos and card clubs.
- Securities and commodities firms (e.g., brokers/dealers, investment advisers, mutual funds, hedge funds, or commodity traders).
- Money services businesses (MSB).
- Insurance companies.
- Other financial institutions (e.g., dealers in precious metals, stones, or jewels; pawnbrokers; loan or finance companies).
Some NBFIs are currently required to develop an AML program, comply with the reporting and recordkeeping requirements of the BSA, and report suspicious activity, as are banks. NBFIs typically need access to banking services in order to operate. Although NBFIs maintain operating accounts at banks, the BSA does not require, and neither FinCEN nor the federal banking agencies expect, banks to serve as the de facto regulator of any NBFI industry or individual NBFI customer. Furthermore, while banks are expected to manage risk associated with all accounts, including NBFI accounts, banks will not be held responsible for their customers’ compliance with the BSA and other applicable federal and state laws and regulations.
NBFI industries are extremely diverse, ranging from large multi-national corporations to small, independent businesses that offer financial services only as an ancillary component to their primary business (e.g., grocery store that offers check cashing). The range of products and services offered, and the customer bases served by NBFIs, are equally diverse. As a result of this diversity, some NBFIs may be lower risk and some may be higher risk for money laundering.
Banks that maintain account relationships with NBFIs may be exposed to a higher risk for potential money laundering activities because many NBFIs:
- Lack ongoing customer relationships and require minimal or no identification by customers.
- Maintain limited or inconsistent recordkeeping on customers and transactions.
- Engage in frequent currency transactions.
- Are subject to varying levels of regulatory requirements and oversight.
- Can quickly change their product mix or location and quickly enter or exit an operation.
- Sometimes operate without proper registration or licensing.
Banks that maintain account relationships with NBFIs should develop policies, procedures, and processes to:
- Identify NBFI relationships.
- Assess the potential risks posed by the NBFI relationships.
- Conduct adequate and ongoing due diligence on the NBFI relationships when necessary.
- Ensure NBFI relationships are appropriately considered within the bank’s suspicious activity monitoring and reporting systems.
Risk Assessment Factors
Banks should assess the risks posed by their NBFI customers and direct their resources most appropriately to those accounts that pose a more significant money laundering risk.
The following factors may be used to help identify the relative risks within the NBFI portfolio. Nevertheless, management should weigh and evaluate each risk assessment factor to arrive at a risk determination for each customer and to prioritize oversight resources. Relevant risk factors include:
- Types of products and services offered by the NBFI.
- Locations and markets served by the NBFI.
- Anticipated account activity.
- Purpose of the account.
A bank’s due diligence should be commensurate with the level of risk of the NBFI customer identified through its risk assessment. If a bank’s risk assessment indicates potential for a heightened risk of money laundering or terrorist financing, it will be expected to conduct further due diligence in a manner commensurate with the heightened risk.
Providing Banking Services to Money Services Businesses
FinCEN and the federal banking agencies issued interpretive guidance on April 26, 2005, to clarify the BSA requirements and supervisory expectations as applied to accounts opened or maintained for MSBs. With limited exceptions, many MSBs are subject to the full range of BSA regulatory requirements, including the anti-money laundering program rule, suspicious activity and currency transaction reporting rules, and various other identification and recordkeeping rules. Existing FinCEN regulations require certain MSBs to register with FinCEN. Finally, many states have established supervisory requirements, often including the requirement that an MSB be licensed with the state(s) in which it is incorporated or does business.
The following regulatory expectations apply to banks with MSB customers:
- The BSA does not require, and neither FinCEN nor the federal banking agencies expect, banks to serve as the de facto regulator of any type of NBFI industry or individual NBFI customer, including MSBs.
- While banks are expected to manage risk associated with all accounts, including MSB accounts, banks will not be held responsible for the MSB’s BSA/AML program.
- Not all MSBs pose the same level of risk, and not all MSBs will require the same level of due diligence. Accordingly, if a bank’s assessment of the risks of a particular MSB relationship indicates a lower risk of money laundering or other illicit activity, a bank is not routinely expected to perform further due diligence (such as reviewing information about an MSB’s BSA/AML program) beyond the minimum due diligence expectations. Unless indicated by the risk assessment of the MSB, banks are not expected to routinely review an MSB’s BSA/AML program.
MSB Risk Assessment
An effective risk assessment should be a composite of multiple factors, and depending upon the circumstances, certain factors may be given more weight than others. The following factors may be used to help identify the level of risk presented by each MSB customer:
- Purpose of the account.
- Anticipated account activity (type and volume).
- Types of products and services offered by the MSB.
- Locations and markets served by the MSB.
Bank management may tailor these factors based on their customer base or the geographic locations in which the bank operates. Management should weigh and evaluate each risk assessment factor to arrive at a risk determination for each customer. A bank’s due diligence should be commensurate with the level of risk assigned to the MSB customer, after consideration of these factors. If a bank’s risk assessment indicates potential for a heightened risk of money laundering or terrorist financing, the bank will be expected to conduct further due diligence in a manner commensurate with the heightened risk.
MSB Risk Mitigation
A bank’s policies, procedures, and processes should provide for sound due diligence and verification practices, adequate risk assessment of MSB accounts, and ongoing monitoring and reporting of unusual or suspicious activities. A bank that establishes and maintains accounts for MSBs should apply appropriate, specific, risk-based, and where necessary, EDD policies, procedures, and controls.
The factors below, while not all-inclusive, may reduce or mitigate the risk in some MSB accounts:
- MSB is registered with FinCEN and licensed with the appropriate state(s), if required.
- MSB confirms it is subject to examination for AML compliance by the IRS or the state(s), if applicable.
- MSB affirms the existence of a written BSA/AML program and provides the BSA officer’s name and contact information.
- MSB has an established banking relationship and/or account activity consistent with expectations.
- MSB is an established business with an operating history.
- MSB is a principal with one or a few agents, or is acting as an agent for one principal.
- MSB provides services only to local residents.
- Most of the MSB’s customers conduct routine transactions in low dollar amounts.
- The expected (lower-risk) transaction activity for the MSB’s business operations is consistent with information obtained by the bank at account opening. Examples include the following:
  - Check cashing activity is limited to payroll or government checks (any dollar amount).
  - Check cashing service is not offered for third-party or out-of-state checks.
  - Money-transmitting activities are limited to domestic entities (e.g., domestic bill payments) or limited to lower dollar amounts (domestic or international).
MSB Due Diligence Expectations
Registration with FinCEN, if required, and compliance with any state-based licensing requirements represent the most basic of compliance obligations for MSBs. As a result, it is reasonable and appropriate for a bank to require an MSB to provide evidence of compliance with such requirements, or to demonstrate that it is not subject to such requirements due to the nature of its financial services or status exclusively as an agent of another MSB(s).
Given the importance of licensing and registration requirements, a bank should file a SAR if it becomes aware that a customer is operating in violation of the registration or state licensing requirement. There is no requirement in the BSA regulations for a bank to close an account that is the subject of a SAR. The decision to maintain or close an account should be made by bank management under standards and guidelines approved by its board of directors.
The extent to which the bank should perform further due diligence beyond the minimum due diligence obligations set forth below will be dictated by the level of risk posed by the individual MSB customer. Because not all MSBs present the same level of risk, not all MSBs will require further due diligence. For example, a local grocer that also cashes payroll checks for customers purchasing groceries may not present the same level of risk as a money transmitter specializing in cross-border funds transfers. Therefore, the customer due diligence requirements will differ based on the risk posed by each MSB customer. Based on existing BSA requirements applicable to banks, the minimum due diligence expectations associated with opening and maintaining accounts for any MSB are:
- Apply the bank’s CIP.
- Confirm FinCEN registration, if required. (Note: registration must be renewed every two years.)
- Confirm compliance with state or local licensing requirements, if applicable.
- Confirm agent status, if applicable.
- Conduct a basic BSA/AML risk assessment to determine the level of risk associated with the account and whether further due diligence is necessary.
If the bank determines that the MSB customer presents a higher level of money laundering or terrorist financing risk, EDD measures should be conducted in addition to the minimum due diligence procedures. Depending on the level of perceived risk, and the size and sophistication of the particular MSB, banking organizations may pursue some or all of the following actions as part of an appropriate EDD review:
- Review the MSB’s BSA/AML program.
- Review results of the MSB’s independent testing of its AML program.
- Review written procedures for the operation of the MSB.
- Conduct on-site visits.
- Review list of agents, including locations, within or outside the United States, which will be receiving services directly or indirectly through the MSB account.
- Review written agent management and termination practices for the MSB.
- Review written employee screening practices for the MSB.
FinCEN and the federal banking agencies do not expect banks to uniformly require any or all of the actions identified above for all MSBs.