Subscribe to our Resources Mailing List

Thanks for submitting!

RISKSCOUT COLLABORATION LEADS TO CHANGE WITH THE FFIEC BSA/AML EXAMINATION MANUAL

Updated: Feb 2



If you are like most bankers, you’ve probably not put much thought into how or why updates to the Federal Financial Institutions Examination Council (FFIEC) Bank Secrecy Act/Anti-Money Laundering (BSA/AML) Examination Manual occur or the process behind those updates. To be honest, neither did we until this past Spring. The amount of effort and collaboration it takes to make impactful and meaningful changes to the manual -- and eventually the banking industry as a whole -- is mind-blowing. Allow me to explain.


In April 2021 RiskScout was invited by the National ATM Council to assist in redlining the “Privately Owned Automated Teller Machine” section of the FFIEC BSA/AML Examination Manual. The proposed redlining would be presented to the FFIEC for consideration with the intention to provide clarity on how the industry truly operates as well as remove damning and misleading language that, whether by design or not, led most bankers to believe the ATM industry is more susceptible to money laundering and fraud than other industries.


Included in the redlining invitation was the opportunity to participate in an open discussion with a panel of FFIEC members that included multiple representatives from each regulatory agency. The discussion included the proposed redline changes along with open dialogue with real-life independent ATM owners that have struggled to find a financial institution to serve them despite the fact they have been operating legal and compliant ATM businesses for decades. The discussion was lively and the FFIEC council members present on the call appeared open to the changes.


On paper this seems like a smooth and fast sequence of events. In reality it took years to get FFIEC key stakeholders on the phone. How could that be since it was just in April 2021 that the redlining took place? Truthfully, it took years of behind-the-scenes work by the National ATM Council: Years of meeting directly with FinCEN on the topic of ATMs, gaining an understanding of their concerns and drafting proposed solutions for ATM operators to adhere to based on their concerns. Years of industry experts advocating for the ATM industry and addressing real concerns voiced by FinCEN and other key decision makers.


After months of deliberation and many discussions later, on December 1, 2021 the FFIEC released four updates to the BSA//AML Examination Manual. The release included our proposed redlining (with a few additional tweaks) for the ATM section of the manual - now titled “Independent Automated Teller Machine Owners or Operators”. To say we are proud of this accomplishment would be an understatement. The opportunity to participate in such a critical update for an industry that is widely misunderstood and woefully underserved was an honor. The profound insight gained into the arduous process of updating core banking guidance was eye opening and provides proof that each BSA/AML manual update is the result of months, if not years, of collaboration between industry experts and regulators.


Below are the highlights of the four December 1, 2021 BSA/AML Examination Manual updates:


  • Introduction - Customers (New)

  • Examiners are reminded that no specific customer type automatically presents a higher risk of ML/TF or other illicit financial activity.


  • The federal banking agencies and FinCEN encourage banks to manage customer relationships and mitigate risks based on those customer relationships rather than declining to provide banking services to entire categories of customers.


  • Examiners should assess how a bank evaluates customers according to their particular characteristics to determine whether the bank can effectively mitigate the risk customers may pose.


  • Charities and Nonprofit Organizations (Updated)

  • The federal banking agencies and FinCEN have recognized that it is vital for legitimate charities and other NPOs to have access to financial services, including the ability to transmit funds in a timely manner.


  • The ML/TF risk for charity and other NPO customers can also vary depending on the operations, activities, leadership, and affiliations of the organization.

  • For example, U.S. charities that operate and provide funds solely to domestic recipients generally present lower ML/TF risk. However, those U.S. charities that operate abroad, or that provide funding to, or have affiliated organizations in conflict regions can face potentially higher ML/TF risks.


  • Based on the customer risk profile, the bank may consider obtaining, at account opening (and throughout the relationship), more customer information in order to understand the nature and purpose of the customer relationship.


  • Independent Automated Teller Machine Owners or Operators (Updated)

  • Automated Teller Machines (ATMs) offer fast and convenient access to cash and are an important channel in providing financial services, including in underserved markets.


  • Not all independent ATM owner or operator customers pose the same risk, and not all independent ATM owner or operator customers are automatically higher risk.

  • The potential risk to a bank depends on the facts and circumstances specific to the customer relationship, such as transaction volume, locations of the ATMs, and the source of funds to replenish the ATMs.


  • Because of the cash-intensive nature of an ATM, the source of funds used to replenish the ATM is a key risk factor.

  • Independent ATM owners or operators that fund their ATM replenishment solely with cash withdrawn from their account at a bank pose a relatively lower ML/TF risk because the bank knows the source of funds and can compare the volume of cash usage to EFT settlements to identify suspicious activity.

  • Conversely, independent ATM owners or operators that replenish ATMs from other or unknown cash sources may present potentially higher ML/TF risks, as the source of cash can be difficult for the bank to verify.


  • Examiners should assess how a bank evaluates independent ATM owner or operator customers according to their particular characteristics to determine whether the bank can effectively mitigate the risk these customers may pose.


  • Additional reviews and information collected by a sponsoring bank or ISO associated with determining compliance with EFT networks’ rules may also assist a bank in developing a customer risk profile.


  • Based on the customer risk profile, the bank may consider obtaining, at account opening (and throughout the relationship), more customer information in order to understand the nature and purpose of the customer relationship.


  • Politically Exposed Persons

  • Bank Secrecy Act/Anti-Money Laundering (BSA/AML) regulations do not define the term Politically Exposed Person (PEP),and the term should not be confused with “senior foreign political figure” (SFPF), a subset of PEP.

  • The term PEP is commonly used in the financial industry to refer to foreign individuals who are or have been entrusted with a prominent public function, as well as to their immediate family members and close associates.


  • Not all bank-identified PEP customers pose the same risk, and not all bank-identified PEP customers are automatically higher risk.


  • The potential risk to the bank depends on the facts and circumstances specific to the customer relationship, such as transaction volume, type of activity, and geographic locations.


  • Bank-identified PEPs with a limited transaction volume, a low-dollar deposit account with the bank, known legitimate sources of funds, access only to products or services subject to specific terms and payment schedules, or a limited number of accounts with which the bank-identified PEP is associated, could reasonably be characterized as having lower customer risk profiles.


  • The CDD rule does not require a bank to screen for or otherwise determine whether a customer or beneficial owner of a legal entity customer may be considered a PEP.


  • Examiners should assess how a bank evaluates bank-identified PEP customers according to their particular characteristics to determine whether the bank can effectively mitigate the potential risk these customers may pose.


  • Based on the customer risk profile, the bank may consider obtaining, at account opening (and throughout the relationship), more customer information in order to understand the nature and purpose of the customer relationship.


  • For a bank-identified PEP who is no longer in active government service, banks may also consider the time that the customer has been out of office and the level of influence he or she may still hold as factors in the customer risk profile.


If you have any questions as to how this new guidance could could affect your BSA/AML program, please feel to contact me, Kristin Parker, at kristin@riskscout.com.


20 views0 comments