Money Laundering and FCPA Compliance

Saturday, July 24, 2010

Michael Volkov


Week after week, the Justice Department and the SEC have been announcing that corporation after corporation has agreed to pay multi-million dollar criminal fines to settle FCPA or export control violations.

Without as much fanfare, the government has been increasing enforcement of anti-money laundering (AML) laws and Office of Foreign Assets Control (OFAC) regulations against financial institutions. For example, Lloyds TSB Bank recently agreed to pay $350 million for laundering funds related to sanctioned countries and entities.

The compliance risks are even greater for financial institutions operating in the international sphere. As with most compliance issues, AML compliance requires close knowledge of the risk profile of the company.

This requires the identification of specific risk categories (products, customers, transactions, and geographic locations) that are likely to create risks, and the analysis of the risk within each of these categories.

Key compliance best practices when creating internal controls include:

• Creating a formal risk profile that identifies the products, services, customers, and geographic factors that have been identified as creating higher risk to facilitate the creation of a compliance program that is tailored to address these risks.

• Establishing a control structure for the proper implementation of an AML compliance program that includes a single person or committee in charge of implementing the program, monitoring its effectiveness, and notifying directors and senior management of issues that arise, including those that might require the filing of Suspicious Activity Reports (SARs).

• Putting in place a mechanism to identify suspicious activity and to determine when it needs to be reported.

• Identifying all reportable transactions, including currency transaction reports and other regulatory reports.

• Creating training programs for employees who handle currency transactions, oversee or handle high-risk activities, or for other reasons need detailed knowledge of AML requirements.

• Establishing a program that meets all required recordkeeping requirements.

• Incorporating AML compliance into performance evaluations.

As with all compliance programs, training is a key topic. Training should focus on both AML regulatory requirements and the financial institution’s own internal policies and procedures.

Most compliance programs rely on a mix of automated and manual systems, with computer scrutiny resulting in the referral of out-of-character transactions to compliance personnel, based upon pre-defined parameters for the type of account at issue.

The breadth of such monitoring should be as wide as possible, to include suspicious activity ranging across deposits, withdrawals, funds transfers, automated clearing house transactions, electronic funds transactions, ATM transactions, and other financial activity.

The SAR rules require that a SAR be filed within thirty days of identification of the suspicious activity, with the time period being extended to sixty days where no suspect can be identified (to allow additional inquiry into the nebulous state of facts).

To meet this standard, financial institutions need to inquire into red flags immediately, so that they can determine whether the responsibility to file a SAR has been triggered or whether there is a reasonable explanation for any deviation from an account-holder’s norms.

The final key component is recordkeeping. The compliance program should specify that all documents used to establish identity will be kept for five years after the relationship/account ends, including any documents used to verify identity, any investigation made, and how any discrepancies discovered during identity verification were resolved.

All checks to determine that the customer does not appear on lists of known or suspected terrorists also should be maintained for the same length of time.

AML audits are intended to test a financial institution’s adherence to the promises of its compliance program and to its regulatory responsibilities. Audits should use a risk-based approach that focuses more heavily on areas where issues are likely to arise.

There are nearly twenty current sanctions programs. Even changes to lists of SDNs need to be taken into account. The quickness with which financial transactions can occur also makes speedy compliance especially important when dealing with asset-control regulations.

Needless to say, these heightened risks make risk assessment and compliance extremely important in the sanctions realm.

Traditionally, many financial institutions assumed that sanctions compliance was for large banks and securities firms. OFAC, however, has expanded its scrutiny in recent years far beyond banks and securities firms to include numerous other financial institutions, such as clearing houses, insurance companies, title insurers, and many other institutions that could serve as an indirect conduit for forbidden transactions.

Although OFAC regulations always covered these types of institutions, OFAC now is putting increasing enforcement attention on them. This expands the need for compliance well beyond banks and securities firms.

As with AML compliance, implementation requires an assessment of potential risk areas and the resources available to mitigate them. Many financial institutions integrate OFAC compliance into their AML know-your-customer guidelines and BSA compliance programs.

Institutions, however, need to be certain that they have implemented all necessary OFAC-specific requirements into their compliance programs, because OFAC in some cases requires a more searching inquiry than is required under banking regulations.

Because of the quickness of financial transactions, regulators recommend quarterly reviews of compliance. The topics to be covered in these reviews vary depending upon the program and institution. As part of an audit or review, sample transaction testing should occur.


The U.S. government is devoting increasing enforcement resources to AML and sanctions enforcement, and there is no sign that this trend is going to abate. In this environment, there is no prudent alternative to devoting significant resources to compliance.

Although compliance can be expensive, the cost pales compared to the costs of dealing with a government investigation or government fines and sanctions. For multinational corporations that operate in the Middle East, compliance with anti-boycott regulations maintained by the U.S. government is essential.

With the U.S. government maintaining two sets of anti-boycott measures (under the oversight of both the Department of Commerce and the Internal Revenue Service), there are multiple avenues of exposure for the unwary multinational corporation.

Jon Stout Hopefully these steps will increase our national security.
The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.
