Regulatory Bulletin: March 2017


In this issue

• Do You Offer Mobile Financial Services?

• Have You Performed a Formal Validation of Your OFAC Systems?

• Have You Revised Your Business Continuity Plan and Business Impact Analysis to Meet the Requirements for Outsourced Technology Services?

• Violations of Anti-Money Laundering Laws Can Hit Large and Small Institutions – Do Not Be One!!

• Ongoing…Are You Prepared?

• Contact Our President or Marketing Director for More Information


Do You Offer Mobile Financial Services?


If the answer is yes, regulators expect your bank to have policies, procedures and management controls over such activities, including technical safety features. Requirements for banks in addressing the risks of Mobile Financial Services (“MFS”) have been formalized with the implementation of the FFIEC IT Examination Handbook – Retail Payment Systems Booklet (Appendix E) for MFS, which was added in 2016.  See http://ithandbook.ffiec.gov/it-booklets/retail-payment-systems.aspx

MFS may expose the Bank to legal, compliance, credit, reputation, strategic and transactional/operational risks. Without adequate controls and management oversight for these activities, the Bank may be subject to unsafe and unsound practices and failure to meet regulatory requirements, as well as deterioration of the Bank’s condition. MFS can pose elevated risks related to device security, authentication, data security, mobile malware, data transmission security, compliance, and third-party management.

Banks need to mitigate the risks of MFS activities. This includes developing appropriate practices and processes to mitigate those risks and to effectively monitor MFS transactions for high-risk, unusual or suspicious activity, security risk, and operational or other risks.

If you need help with developing policies, procedures, risk self-assessment and action plans to address issues, FRC can provide expertise to assist in this process.


Have You Performed a Formal Validation of Your OFAC Systems?


If not, now is the time. For many years, the regulators have required banks to provide evidence of BSA monitoring system validation. Their attention has now expanded to enhanced expectations that banks provide documentation showing they have examined their OFAC processes and the effectiveness of their policies, procedures and automated OFAC screening systems. Fines and regulatory actions have been levied against banks that have not properly screened all required parties or have not identified or addressed inadequacies in the bank’s implementation of such systems.

Management oversight requires banks to perform formal validation of their OFAC systems. FRC can provide guidance for an internal audit OFAC validation or can perform an independent formal validation review of your bank’s OFAC systems. This includes analysis of: policies and procedures; the internal OFAC Bank Risk Assessment; the training program; testing of OFAC lists against the bank’s OFAC system; testing of transactional activities; testing of customer accounts; and the provision of findings and recommendations.


Have You Revised Your Business Continuity Plan and Business Impact Analysis to Meet the Requirements for Outsourced Technology Services?


If not, you should be aware of the formal requirements in Appendix J, which was added to the FFIEC IT Examination Booklet for Business Continuity Planning. Appendix J, “Strengthening the Resilience of Outsourced Technology Services,” states the actions to be taken to have systems and controls in place to mitigate the risks associated with outsourced technology services. This includes formalization of bank due diligence for outsourced technology services and the associated third-party technology service providers (TSPs). See http://ithandbook.ffiec.gov/it-booklets/business-continuity-planning.aspx

The bank program should include an ongoing process that evaluates whether such activities are conducted within risk parameters acceptable to the Board of Directors and in compliance with Appendix J.

The four key elements covered in Appendix J include:
1. Third-party management addresses Bank management’s responsibility to control the business continuity risks associated with its TSPs and their subcontractors.
2. Third-party capacity addresses the potential impact of a significant disruption on a third-party servicer’s ability to restore services to multiple clients.
3. Testing with third-party TSPs addresses the importance of validating business continuity plans with TSPs and considerations for a robust third-party testing program.
4. Cyber resilience covers aspects of BCP unique to disruptions caused by cyber events.

Banks need to take a number of steps to mitigate the risks of outsourcing technology services. If you need help developing policies, procedures, risk self-assessment and action plans to address issues, FRC can provide its team of experts to assist in this process.


Violations of Anti-Money Laundering Laws Can Hit Large and Small Institutions – Do Not Be One!!


Notwithstanding years of regulatory pronouncements, a surprising number of financial institutions still fail to take appropriate actions to comply with the Anti-Money Laundering Laws.

For example, in January 2017, the largest money service business in the world, Western Union Company, agreed to pay $586 million in fines over charges that it failed to protect consumers from fraud and permitted its agents to illegally launder money for customers in violation of AML laws. FinCEN civilly fined Western Union Financial Services, Inc. $184 million for willfully violating the Bank Secrecy Act’s provisions by failing to implement and maintain an effective risk-based AML program and by failing to file timely suspicious activity reports. (The $184 million fine was satisfied by the payment of the $586 million.)

Another example involved a smaller institution, Merchants Bank of California, which was penalized for “egregious” violations of AML laws and willful violations of several BSA provisions. FinCEN assessed a civil monetary penalty of $7 million in February 2017, and the OCC assessed $1 million (payment to be credited towards the $7 million). The Bank failed to establish and implement an adequate AML program; did not conduct the required due diligence on its foreign correspondent accounts; and did not detect and report suspicious activity. Many of the transactions were conducted on behalf of money service businesses that were not adequately vetted. The Bank had prior consent orders with the OCC with which it had not fully complied, which contributed to the monetary penalty.

Some cautionary tales – regulators continue to be very serious about ensuring compliance with AML laws; banks need to exercise extra caution relating to money service activities or entities; a bank should go the “extra mile” to ensure it follows the letter and spirit of a consent order; and overall, banks need to have strong compliance programs, management oversight and appropriate controls.

The annual BSA Risk Assessment helps senior bank management and directors assess and address BSA/AML risks, as does a strong independent review. If you need help with the BSA/AML Risk Assessment; would like assistance in developing policies, procedures or action plans to meet all the requirements of any consent order or other regulatory criticism; or would like to know more about our independent BSA review, please contact us.


Ongoing…Are You Prepared?

Reminder – FRC can help you plan for any new compliance or reporting requirements such as:
• HMDA data collection and reporting
• New York State Part 504 Banking Division Transaction Monitoring and Filtering Program Requirements and Certifications
• Federal regulations relating to additional actions to be taken for Customer Due Diligence, including those related to enhanced identification of beneficial owners.
• Any other area for which you would like assistance – just ask.

Contact Our President or Marketing Director for More Information


• Mr. Kevin Kane, President, CEO and Founder of FRC, who has substantial legal, compliance and regulatory experience – (212) 849-6828 ktk@frcconsult.com
• Ms. Shelly Berman, Marketing Director, who has substantial experience in assisting financial institutions obtain the products and services they need to meet their goals – (301) 262-6987 sberman@frcconsult.com

For more information visit www.frcconsult.com

This entry was posted on Wednesday, March 15th, 2017 at 7:22 pm and is filed under Regulatory Bulletins, Regulatory Insights.