Bank Secrecy Act
Nonbank Financial Institutions—Overview
Objective. Assess the adequacy of the bank's systems to manage the risks associated with accounts of nonbank financial institutions (NBFI), and management's ability to implement effective monitoring and reporting systems.
NBFIs are broadly defined as institutions other than banks that offer financial services. The USA PATRIOT Act has defined a variety of entities as financial institutions. [Footnote 277: Refer to Appendix D ("Statutory Definition of Financial Institution") for guidance.] Common examples of NBFIs include, but are not limited to:
- Casinos and card clubs.
- Securities and commodities firms (e.g., brokers/dealers, investment advisers, mutual funds, hedge funds, or commodity traders).
- Money services businesses (MSB). [Footnote 278: MSBs include five distinct types of financial services providers and the U.S. Postal Service: (1) dealers in foreign exchange; (2) check cashers; (3) issuers or sellers of traveler's checks or money orders; (4) providers or sellers of prepaid access; and (5) money transmitters. FinCEN routinely publishes administrative letter rulings that address inquiries regarding whether persons who engage in certain specific business activities are MSBs.]
- Insurance companies.
- Loan or finance companies. [Footnote 279: 77 Fed. Reg. 8148 (February 14, 2012) defines non-bank residential mortgage lenders and originators as loan or finance companies for the purpose of requiring them to establish anti-money laundering programs and report suspicious activity. FinCEN Guidance FIN-2012-R005, Compliance obligations of certain loan or finance company subsidiaries of Federally regulated banks and other financial institutions (August 13, 2012), confirms that when a subsidiary loan or finance company is obligated to comply with the AML and SAR regulations that are applicable to its parent financial institution and is subject to examination by the parent financial institution's Federal functional regulator, the loan or finance company is deemed to comply with FinCEN's regulation.]
- Operators of credit card systems.
- Other financial institutions (e.g., dealers in precious metals, stones, or jewels; pawnbrokers).
Some NBFIs are currently required to develop an AML program, comply with the reporting and recordkeeping requirements of the BSA, and report suspicious activity, as are banks. [Footnote 280: Refer to 31 CFR Chapter X for specific regulatory requirements.] NBFIs typically need access to banking services in order to operate. Although NBFIs maintain operating accounts at banks, the BSA does not require, and neither FinCEN nor the federal banking agencies expect, banks to serve as the de facto regulator of any NBFI industry or individual NBFI customer. Furthermore, while banks are expected to manage risk associated with all accounts, including NBFI accounts, banks will not be held responsible for their customers’ compliance with the BSA and other applicable federal and state laws and regulations.
NBFI industries are extremely diverse, ranging from large multi-national corporations to small, independent businesses that offer financial services only as an ancillary component to their primary business (e.g., grocery store that offers check cashing). The range of products and services offered, and the customer bases served by NBFIs, are equally diverse. As a result of this diversity, some NBFIs may be lower risk and some may be higher risk for money laundering.
Banks that maintain account relationships with NBFIs may be exposed to a higher risk for potential money laundering activities because many NBFIs:
- Lack ongoing customer relationships and require minimal or no identification from customers.
- Maintain limited or inconsistent recordkeeping on customers and transactions.
- Engage in frequent currency transactions.
- Are subject to varying levels of regulatory requirements and oversight.
- Can quickly change their product mix or location and quickly enter or exit an operation.
- Sometimes operate without proper registration or licensing.
Banks that maintain account relationships with NBFIs should develop policies, procedures, and processes to:
- Identify NBFI relationships.
- Assess the potential risks posed by the NBFI relationships.
- Conduct adequate and ongoing due diligence on the NBFI relationships when necessary.
- Ensure NBFI relationships are appropriately considered within the bank’s suspicious activity monitoring and reporting systems.
Risk Assessment Factors
Banks should assess the risks posed by their NBFI customers and direct their resources most appropriately to those accounts that pose a more significant money laundering risk.
The following factors may be used to help identify the relative risks within the NBFI portfolio. Nevertheless, management should weigh and evaluate each risk assessment factor to arrive at a risk determination for each customer and to prioritize oversight resources. Relevant risk factors include:
- Types of products and services offered by the NBFI.
- Locations and markets served by the NBFI.
- Anticipated account activity.
- Purpose of the account.
A bank’s due diligence should be commensurate with the level of risk of the NBFI customer identified through its risk assessment. If a bank’s risk assessment indicates potential for a heightened risk of money laundering or terrorist financing, it will be expected to conduct further due diligence in a manner commensurate with the heightened risk.
Providing Banking Services to Money Services Businesses
FinCEN and the federal banking agencies issued interpretive guidance on April 26, 2005, to clarify the BSA requirements and supervisory expectations as applied to accounts opened or maintained for MSBs. [Footnote 281: Refer to Interagency Interpretive Guidance on Providing Banking Services to Money Services Businesses Operating in the United States, April 26, 2005.] With limited exceptions, many MSBs are subject to the full range of BSA regulatory requirements, including the anti-money laundering program rule, suspicious activity and currency transaction reporting rules, and various other identification and recordkeeping rules. [Footnote 282: Refer to 31 CFR 1022.210 (requirement for MSBs to establish and maintain an anti-money laundering program); 31 CFR 1022.310 (requirement for MSBs to file Currency Transaction Reports); 31 CFR 1022.320 (requirement for MSBs to file Suspicious Activity Reports, other than for check cashing); 31 CFR 1010.415 (requirement for MSBs that sell monetary instruments for currency to verify the identity of the customer and create and maintain a record of each currency purchase between $3,000 and $10,000, inclusive); 31 CFR 1010.410(e) and (f) (rules applicable to certain transmittals of funds); and 1022.410 (additional recordkeeping requirement for dealers in foreign exchange including the requirement to create and maintain a record of each exchange of currency in excess of $1,000); 1022.420 (additional recordkeeping requirements for providers or sellers of prepaid access).] Existing FinCEN regulations require certain MSBs to register with FinCEN. [Footnote 283: Refer to 31 CFR 1022.380. All MSBs must register with FinCEN (whether or not licensed as an MSB by any state) except: a business that is an MSB solely because it serves as an agent of another MSB; a business that is an MSB solely as a seller of prepaid access; the U.S. Postal Service; and agencies of the United States, of any state, or of any political subdivision of any state. A business that acts as an agent for a principal or principals engaged in MSB activities, and that does not on its own behalf perform any other services of a nature or value that would cause it to qualify as an MSB, is not required to register with FinCEN. FinCEN has issued guidance on MSB registration and de-registration. Refer to Registration and De-Registration of Money Services Businesses, FIN-2006-G006, February 3, 2006.] Finally, many states have established supervisory requirements, often including the requirement that an MSB be licensed with the state(s) in which it is incorporated or does business.
FinCEN defines MSBs as doing business in one or more of the following capacities:
- Dealer in foreign exchange
- Check casher
- Issuer or seller of traveler's checks or money orders
- Money transmitter
- Provider of prepaid access
- Seller of prepaid access
- U.S. Postal Service
There is a threshold requirement for dealers in foreign exchange, check cashers and issuers or sellers of traveler's checks or money orders. A business that engages in such transactions will not be considered an MSB if it does not engage in such transactions in an amount greater than $1,000 for any person on any day in one or more transactions (31 CFR 1010.100(ff)). An entity that engages in money transmission in any amount is considered an MSB. Thresholds for providers and sellers of prepaid access are discussed below.
FinCEN's regulation for MSBs excluded certain prepaid access arrangements from the definition of prepaid programs. Providers and sellers of prepaid access will not be considered an MSB if they engage in prepaid arrangements excluded from the definition of a prepaid program under 31 CFR 1010.100(ff)(4)(iii). [Footnote 284: Frequently Asked Questions Final Rule-Definitions and Other Regulations Relating to Prepaid Access (11/2/2011).] The exclusions include arrangements that:
- Provide closed loop prepaid access to funds (such as store gift cards) in amounts not to exceed $2,000 maximum value per device on any day.
- Provide prepaid access solely to funds provided by a government agency.
- Provide prepaid access to funds for pre-tax flexible spending for health and dependent care, or from Health Reimbursement Arrangements for health care expenses.
There are two types of prepaid access arrangements that have a qualified exclusion.
- Open loop prepaid access that does not exceed $1,000 maximum value on any day.
- Prepaid access to employment benefits, incentives, wages or salaries ("payroll").
These arrangements are not prepaid programs subject to BSA regulatory requirements unless they can:
- Be used internationally.
- Allow transfers of value from person to person within the arrangement, or
- Be reloaded from a non-depository source.
If any one of these features is part of the arrangement, it will be a covered prepaid program under 31 CFR 1010.100.
Administrators and Exchangers of Virtual Currency
FinCEN's regulations define currency as "the coin and paper money of the United States or of any other country that is designated as legal tender; and that circulates; and is customarily used and accepted as a medium of exchange in the country of issuance." In contrast, "virtual" currency is a medium of exchange that operates like a currency in some environments, but does not have legal tender status in any jurisdiction. Virtual currency must be converted into U.S. dollars through the services of an administrator or exchanger prior to deposit into the banking system. An administrator or exchanger of virtual currency is an MSB under FinCEN's regulations, specifically, a money transmitter, unless a limitation to or exemption from the definition applies to the person. [Footnote 285: Application of FinCEN's Regulations to Persons Administering, Exchanging, or Using Virtual Currencies, FIN-2013-G001, March 18, 2013.] BSA requirements and supervisory expectations for providing banking services to administrators or exchangers of virtual currencies are the same as for money transmitters. [Footnote 286: Refer to the Financial Action Task Force Guidance on Virtual Currencies, Key Definitions and Potential AML/CFT Risks, June 2014.]
The following regulatory expectations apply to banks with MSB customers:
- The BSA does not require, and neither FinCEN nor the federal banking agencies expect, banks to serve as the de facto regulator of any type of NBFI industry or individual NBFI customer, including MSBs.
- While banks are expected to manage risk associated with all accounts, including MSB accounts, banks will not be held responsible for the MSB's BSA/AML program.
- Not all MSBs pose the same level of risk, and not all MSBs will require the same level of due diligence. Accordingly, if a bank's assessment of the risks of a particular MSB relationship indicates a lower risk of money laundering or other illicit activity, a bank is not routinely expected to perform further due diligence (such as reviewing information about an MSB's BSA/AML program) beyond the minimum due diligence expectations. Unless indicated by the risk assessment of the MSB, banks are not expected to routinely review an MSB's BSA/AML program.
MSB Risk Assessment
An effective risk assessment should be a composite of multiple factors, and depending upon the circumstances, certain factors may be given more weight than others. The following factors may be used to help identify the level of risk presented by each MSB customer:
- Purpose of the account.
- Anticipated account activity (type and volume).
- Types of products and services offered by the MSB.
- Locations and markets served by the MSB.
Bank management may tailor these factors based on their customer base or the geographic locations in which the bank operates. Management should weigh and evaluate each risk assessment factor to arrive at a risk determination for each customer. A bank’s due diligence should be commensurate with the level of risk assigned to the MSB customer, after consideration of these factors. If a bank’s risk assessment indicates potential for a heightened risk of money laundering or terrorist financing, the bank will be expected to conduct further due diligence in a manner commensurate with the heightened risk.
MSB Risk Mitigation
A bank’s policies, procedures, and processes should provide for sound due diligence and verification practices, adequate risk assessment of MSB accounts, and ongoing monitoring and reporting of unusual or suspicious activities. A bank that establishes and maintains accounts for MSBs should apply appropriate, specific, risk-based, and where necessary, EDD policies, procedures, and controls.
The factors below, while not all inclusive, may reduce or mitigate the risk in some MSB accounts:
- MSB is registered with FinCEN and licensed with the appropriate state(s), if required.
- MSB confirms it is subject to examination for AML compliance by the IRS or the state(s), if applicable. [Footnote 287: On December 9, 2008, FinCEN and the Internal Revenue Service released the Bank Secrecy Act/Anti-Money Laundering Examination Manual for Money Services Businesses (MSB Exam Manual) which was developed in collaboration with the Conference of State Bank Supervisors, the Money Transmitter Regulators Association, and state agencies responsible for MSB regulation. Refer to the MSB Exam Manual.]
- MSB affirms the existence of a written BSA/AML program and provides the BSA officer’s name and contact information.
- MSB has an established banking relationship and/or account activity consistent with expectations.
- MSB is an established business with an operating history.
- MSB is a principal with one or a few agents, or is acting as an agent for one principal.
- MSB provides services only to local residents.
- Most of the MSB’s customers conduct routine transactions in low dollar amounts.
- The expected (lower-risk) transaction activity for the MSB’s business operations is consistent with information obtained by the bank at account opening. Examples include the following:
  - Check cashing activity is limited to payroll or government checks (any dollar amount).
  - Check cashing service is not offered for third-party or out-of-state checks.
  - Money-transmitting activities are limited to domestic entities (e.g., domestic bill payments) or limited to lower dollar amounts (domestic or international).
MSB Due Diligence Expectations
Registration with FinCEN, if required, and compliance with any state-based licensing requirements represent the most basic of compliance obligations for MSBs. As a result, it is reasonable and appropriate for a bank to require an MSB to provide evidence of compliance with such requirements, or to demonstrate that it is not subject to such requirements due to the nature of its financial services or status exclusively as an agent of another MSB(s).
FinCEN issued a final rule clarifying that certain foreign-located persons engaging in MSB activities within the United States fall within FinCEN's definition of an MSB and are required to register with FinCEN. [Footnote 288: 31 CFR 1010.100(ff).]
Given the importance of licensing and registration requirements, a bank should file a SAR if it becomes aware that a customer is operating in violation of the registration or state licensing requirement. There is no requirement in the BSA regulations for a bank to close an account that is the subject of a SAR. The decision to maintain or close an account should be made by bank management under standards and guidelines approved by its board of directors.
The extent to which the bank should perform further due diligence beyond the minimum due diligence obligations set forth below will be dictated by the level of risk posed by the individual MSB customer. Because not all MSBs present the same level of risk, not all MSBs will require further due diligence. For example, a local grocer that also cashes payroll checks for customers purchasing groceries may not present the same level of risk as a money transmitter specializing in cross-border funds transfers. Therefore, the customer due diligence requirements will differ based on the risk posed by each MSB customer. Based on existing BSA requirements applicable to banks, the minimum due diligence expectations associated with opening and maintaining accounts for any MSB [Footnote 289: Refer to Interagency Interpretive Guidance on Providing Banking Services to Money Services Businesses Operating in the United States, April 26, 2005.] are:
- Apply the bank’s CIP. [Footnote 290: Refer to 31 CFR 1020.100 (FinCEN); 12 CFR 21.21 (Office of the Comptroller of the Currency); 12 CFR 208.63(b), 211.5(m), 211.24(j) (Board of Governors of the Federal Reserve System); 12 CFR 326.8(b)(2) (Federal Deposit Insurance Corporation); 12 CFR 748.2(b) (National Credit Union Administration).]
- Confirm FinCEN registration, if required. (Note: registration must be renewed every two years.)
- Confirm compliance with state or local licensing requirements, if applicable.
- Confirm agent status, if applicable.
- Conduct a basic BSA/AML risk assessment to determine the level of risk associated with the account and whether further due diligence is necessary.
If the bank determines that the MSB customer presents a higher level of money laundering or terrorist financing risk, EDD measures should be conducted in addition to the minimum due diligence procedures. Depending on the level of perceived risk, and the size and sophistication of the particular MSB, banking organizations may pursue some or all of the following actions as part of an appropriate EDD review:
- Review the MSB’s BSA/AML program.
- Review results of the MSB’s independent testing of its AML program.
- Review written procedures for the operation of the MSB.
- Conduct on-site visits.
- Review list of agents, including locations, within or outside the United States, which will be receiving services directly or indirectly through the MSB account.
- Determine whether the MSB has performed due diligence on any third-party servicers or paying agents.
- Review written agent management and termination practices for the MSB.
- Review written employee screening practices for the MSB.
FinCEN and the federal banking agencies do not expect banks to uniformly require any or all of the actions identified above for all MSBs.