Anti-Money Laundering (“AML”)

What is Money Laundering? The concealing or disguising the existence, illegal source, movement, destination or illegal application of illicitly derived property or funds to make them appear legitimate. The three stages of Money Laundering: Placement: The introduction of the funds into the financial system; Layering: Movement of the funds to distance them from the original source; Integration: Funds re-enter the legitimate economy and are used to purchase goods or services, finance other illegal activity or are otherwise spent.

AML’s Impact on Financial Institutions AML has transcended from a compliance requirement to a national security issue. Increased Scrutiny by Regulatory Authorities Deferred prosecution agreements Aggressive regulatory enforcement actions AML compliance is a leading enforcement priority of federal and state agencies Congressional Inquiries FRB – UBS OCC – Riggs, Arab Bank, and Banco de Chile Effects of USA Patriot Act and the Riggs Bank Investigation The USA Patriot Act has created several new AML obligations to the financial industry including Customer Identification Programs (CIP) and Enhanced Due Diligence requirements for Private Banking and Correspondent Banking. The environment has increased legal and regulatory exposure for the industry while the regulatory agencies (Treasury, Federal Reserve, OCC, etc.) have provided little to no guidance. The industry is now a de facto agent of law enforcement. The Riggs Bank Investigation by the Subcommittee Minority Staff1 has recommended regulators to: Require prompt correction of AML deficiencies; Make greater use of formal enforcement tools; Develop a policy requiring mandatory enforcement actions; and Issue final regulations and revised examination guidelines by year end.

AML’s Impact on Financial Institutions (cont’d) Escalation of Fines $10 million fine against U.S. Trust in 2001 $80 million fine against ABN Amro in 2005. Cumulative penalties for the years 2000-2004 have been calculated to be approximately $120 million. Clearly, the regulatory authorities are intolerant of non-compliance and place a greater emphasis on penalties and regulatory actions. Effects of USA Patriot Act and the Riggs Bank Investigation The USA Patriot Act has created several new AML obligations to the financial industry including Customer Identification Programs (CIP) and Enhanced Due Diligence requirements for Private Banking and Correspondent Banking. The environment has increased legal and regulatory exposure for the industry while the regulatory agencies (Treasury, Federal Reserve, OCC, etc.) have provided little to no guidance. The industry is now a de facto agent of law enforcement. The Riggs Bank Investigation by the Subcommittee Minority Staff1 has recommended regulators to: Require prompt correction of AML deficiencies; Make greater use of formal enforcement tools; Develop a policy requiring mandatory enforcement actions; and Issue final regulations and revised examination guidelines by year end.

The Scale of the Problem The International Monetary Fund, for example, has stated that the aggregate size of money laundering in the world could be somewhere between two and five percent of the world’s gross domestic product. Using 1996 statistics, these percentages would indicate that money laundering ranged between US Dollar (USD) 590 billion and USD 1.5 trillion. The lower figure is roughly equivalent to the value of the total output of an economy the size of Spain. In the US, the estimated earning of criminal activity (2000 statistics) is 779 billion or about 8% of the GDP. The figures stated above are speculative at best.

Anti-Money Laundering Compliance An Anti-Money Laundering Compliance Program Designed to assist institutions and businesses in their fight against money laundering and terrorist financing Required since 1987 (roots extend back to the Bank Secrecy Act of 1970) Requirement has been recently (October, 2001) extended to all financial institutions, including securities dealers, money services businesses and many other businesses including jewelers and precious gem dealers.

AML Regulations Bank Secrecy Act (1970) - legal principle under which banks are allowed to protect personal information about their customers. The Bank Secrecy Act sets out the four minimum requirements for an AML compliance program: Written internal policies, procedures and controls A duly-designated AML Compliance Officer On-going employee training program Independent audit function to test the AML programs USA Patriot Act (2001) – combined the BSA AML requirements with the trade sanctions imposed by OFAC (Office of Foreign Assets Control). The USA Patriot Act delivers four primary directives to financial institutions: Identify clients and account holders, both private and commercial Block transactions with entities identified on the OFAC and other interdiction lists Determine and report suspicious activities with out blocking them Share information with other Financial Service Providers (FSPs) to aid in determining suspicious activity

AML Regulations The United States became the first country to criminalize money laundering through a 1986 law that is considered the most powerful in the world. The law, Title 18, USC Sec. 1956, applies to the proceeds of more than 200 crimes. The most powerful of the three laws, Sec. 1956, imposes heavy penalties – up to 20 years in prison – and it has broad reach. It also includes a unique provision that permits undercover stings with funds “represented to be the proceeds of specified unlawful activity.” The Laundering of Monetary Instruments - Title 18, USC Sec. 1956 Monetary Transactions in Property Derived from Specified Unlawful Activity Law- Title 18, USC Sec. 1957 Prohibition of Unlicensed Money Transmitting Businesses Law - Title 18, USC Sec. 1960

AML Regulations USA Patriot Act – Title III Section 311 Secretary of the Treasury (Secretary) the authority to designate a foreign jurisdiction, institution(s), class(es) of transactions, or type(s) of account(s) as a “primary money laundering concern” and to impose certain “special measures” Section 312 Special Due Diligence Programs for certain foreign correspondent and private banking accounts Section 313 Prohibition on US Correspondent Accounts with Shell Banks Section 319 (b) Availability of Records – Correspondent Bank Certifications 120 hour rule Section 314 (a) Cooperation Among Financial Institutions, Their Regulatory Authorities and Law Enforcement Authorities Section 314 (b) Voluntary Information Sharing Among Financial Institutions Section 326 Customer Identification Program (CIP) Section 327 Consideration of an Anti-Money Laundering Record

Key AML Regulators Office of Foreign Assets Control (OFAC) An office of the U.S. Department of the Treasury. Administers and enforces economic and trade sanctions based on U.S. foreign policy and national security goals against targeted foreign countries, terrorists, international narcotics traffickers, and those engaged in activities related to the unapproved proliferation of weapons of mass destruction Financial Crimes Enforcement Network (FinCEN) Created in 1990 to administrator the Bank Secrecy Act. FinCEN role is issue regulations and to impose civil penalties for violations. FinCEN has delegated examination authority to each Federal Banking Agencies. Originally a department of the U.S. Department of Treasury it was elevated to bureau status in of the U.S. Department of the Treasury to combat money laundering

Key AML Regulators (cont’d) Federal Banking Agencies (FBAs) Office of the Comptroller of the Currency (OCC) Federal Reserve Office of Thrift Supervision (OTS) Federal Deposit Insurance Corporation (FDIC) Securities and Exchange Commission (SEC) Internal Revenue Service (IRS) OCC - Established in 1863 and serves to charter, regulate, and supervise all national banks and the federal branches and agencies of foreign banks in the U.S. Federal Reserve - A quasi-governmental, decentralized central bank. It is composed of a central Board of Governors in Washington, D.C., twelve regional Federal Reserve Banks located in major cities throughout the nation, numerous member banks and other entities.

A Little More on OFAC OFAC’s Focus: Compliance with OFAC: Identifies persons for designation; Assists U.S. persons in complying with the sanctions prohibitions through its compliance and licensing efforts Penalizes U.S. persons violating the prohibitions Works with other U.S. Government agencies Coordinates and works with other nations to implement similar strategies Compliance with OFAC: A bank’s main compliance responsibility is to ensure that suspect items are interdicted. In developing OFAC compliance program, focus should be on providing enough information to key staff in all areas of operations to enable them to recognize and stop suspect transactions.

Who is Liable Under OFAC? Any bank organized or located in the United States is responsible by law to block virtually all property that comes within the bank’s possession or control in which there is an interest of a blocked individual or entity. Over the past several years, OFAC has had to impose millions of dollars in civil penalties involving U.S. Banks. The majority of the fines resulted from bank’s failure to block illicit transfers when there was a reference to a targeted country Main difference between OFAC and BSA compliance is OFAC tends to “freeze” rather than “seize” assets. OFAC will often block transactions in an attempt to apply political pressure on hostile governments.

Compliance with OFAC Regulations require the following: Block accounts and other property of specified countries, entities, and individuals. Prohibit or reject unlicensed trade and financial transactions with specified countries, entities and individuals. Unlike the BSA, the laws and OFAC-issued regulations apply not only to the U.S. banks, their domestic branches, agencies, and international banking facilities, but also their foreign branches, and often overseas offices and subsidiaries. The Specially Designated Nationals (SDNs) list is comprised of thousands of individuals and entities that are primarily located outside of the blocked countries. Blocked countries currently include Cuba, Iran, Libya, North Korea, Sudan, and Syria.

Compliance with OFAC Blocked Transactions Prohibited Transactions U.S. law requires that assets and accounts be blocked when such property is located in the United States, is held by U. S. individuals or entities, or comes into the possession or control of U.S. individuals or entities. Transactions with anyone on the SDN list are required to by law to be blocked and reported to OFAC. Banks must block transactions that: Are by or on behalf of a blocked individual or entity Are to or through a blocked entity Are in connection with a transaction in which a blocked individual or entity as an interest Prohibited Transactions In some cases, and underlying transaction may be prohibited but there is no blockable interest in the transaction. In these cases, the transaction is simply rejected and not processed. Blocked Transactions: If a US bank receives instructions to make a funds transfer payment that falls into on e of these categories, it must execute the payment order and place the funds into a blocked account. A blocked account is a segregated interest bearing account (at a commercially reasonable rate), which holds the customers property until the target is delisted, the sanctions program is rescinded, or the customer obtains an OFAC license authorizing the release of the property. A payment order cannot be canceled or amended after it is received by a U. S. bank in the absence of an authorization from OFAC. Prohibited Transactions: Ex: The Sudanese Sanctions Regulations prohibit transactions in support of commercial activitites in Sudan. Therefore a US bank would have to reject the funds transfer between two companies, which are not SDNs involving an export to a company in Sudan that also is not an SDN. Because Sudanese Sanctions would only require blocking transactions with the Government of Sudan or SDNs, there would be no blockable interest in the funds between the two companies. However, because the transactions would constitute support of Sudanese commercial activity, which is prohibited, the US bank cannot process the transaction and would just reject it.

OFAC Licenses OFAC has the authority, through a licensing process, to permit certain transactions that would otherwise be prohibited under it regulations. Specific licenses are issued on a case-by-case basis and require an application to OFAC. If the transactions conforms with U.S. foreign policy under a particular program, the license will be issued. When a customer claims to hold a specific license, the bank should still verify the transactions conforms to the terms of the license and retain a copy.

OFAC Reporting Banks must report all blocking to OFAC within ten days of the occurrence and annually on September 30th concerning assets blocked as of June 30th. Prohibited transactions that are rejected must also be reported with in ten days of occurrence. Banks must keep a full and accurate record of each blocked or rejected transaction for at least five years after the date of the transaction.

OFAC Risk Assessment Fundamental Elements of a sound OFAC program include assessment of: Specific product lines Customer Base Nature of Transactions Identification of high-risk areas for OFAC transactions Account and Transaction Parties Based on the bank’s risk profile, they should establish policies, procedures and processes for reviewing transactions and transactions parties.

OFAC Internal Controls An effective OFAC program should include internal controls for identifying suspect accounts and transactions and reporting to OFAC. Internal controls should include the following elements: Flag and review suspect transactions – manually, interdiction software, or both. Updating OFAC lists – timely updating as the list as OFAC updates the list frequently. Reporting – OFAC should be notified as soon as possible in the case of narcotics or terrorism. However, most other items should be reported within ten day of occurrence. Maintaining License Information – OFAC recommends that banks consider maintaining copies of customers’ OFAC licenses on file for at least five years.

OFAC Internal Controls Independent Testing Every bank should conduct an independent test of it’s OFAC program that is performed by internal audit, outside auditors or other independent parties. An in-depth audit should be conducted at least once a year. For larger banks, frequency and are of testing should be based on the perceived risk of a specific area of business. Responsible Individual Every bank should designate a qualified individual to monitor day-to-day compliance of the OFAC program. Training The bank should provide adequate training for all appropriate employees. This training should be consistent with the bank’s risk and employee responsibility.

Internal Audit Considerations Evaluating AML Risks and Compliance with U.S. AML Regulations

Enterprise Wide BSA/AML Compliance Program Risk Considerations The ability to assess BSA/AML risk on a consolidated basis across all activities, business lines, and legal entities allows the holding company to view its risks and worldwide exposure inside a larger risk management framework. Audit Objective Evaluate the adequacy of the enterprise-wide BSA/AML compliance program. Determine reporting lines and how effectively the program manages risk in an integrated fashion across affiliates, business lines, and risk types.

Entity Risk Profile Risk Considerations Audit Objective The bank’s BSA/AML compliance program is not tailored to its specific risks The bank does not have a consolidated understanding of its risk exposure across all activities, business units and legal entities Entity risks related to products, services, customers and geographic locations are not properly identified, updated and incorporated into the BSA/AML compliance program. Audit Objective Assess the adequacy of the Entity Risk Profile development and updating process

Entity Risk Profile (cont’d) AML Programs must be implemented on a risk-based approach. This means that the following factors need to be taken in into consideration with policies and procedures to support the AML program are implemented. Risk rate the following: Clients Examples: High net worth individuals Financial Institutions Non-traditional banking businesses Money Services Business Charitable Organizations/Not for Profits Any type of business identified by Government Authorities as high risk for Money Laundering Products & Services Examples: Correspondent Banking Private Banking Payable Through Wire Transfers Official Items Geographic Regions Examples: Areas listed by the Financial Action Task Force (FATF) Middle East Latin America

Internal Controls Risk Considerations Audit Objective The level of sophistication of the internal controls should be commensurate with the size, structure, risks and complexity of the financial institution. If internal controls are inadequate, the financial institution may not be able to detect, report and monitor suspicious activity in compliance with the BSA. Audit Objective To determine whether internal controls ensure compliance with the BSA and provide sufficient risk management, especially for high-risk operations (products, services, customers, and geographic locations).

Governance and Oversight Risk Considerations The board, acting through senior management, is ultimately responsible for ensuring that the financial institution maintains an effective BSA/AML internal control structure, including suspicious activity monitoring and reporting. Their oversight is a crucial element of a sound risk management and control environment. Audit Objective To determine whether the board and senior management’s oversight of the bank’s BSA /AML Compliance program is sufficient to effectively monitor and address identified risks. The board and senior management should create a culture of compliance to ensure staff adherence to the Bank’s BSA/AML policies, procedures, and processes.

Training Risk Considerations Audit Objective A failure to sufficiently train such personnel in applicable aspects of the BSA may result in the bank’s failure to prevent, detect and/or monitor suspicious activity. The board of directors must also receive adequate training in BSA. Without a general understanding of the BSA, the board of directors cannot adequately provide BSA/AML oversight; approve BSA/AML policies, procedures, and processes; or provide sufficient BSA/AML resources. Audit Objective Evaluate the adequacy of the entity’s training program. Assess the currentness, completeness, accuracy and presentation effectiveness of the training program.

Customer Identification Program (“CIP”) Risk Considerations Accounts are opened without verification of owner identity Identification documentation is not reliable or adequately safeguarded Customer identification is relaxed because of certain external or certain internal referrals, including new accounts opened for existing relationships Audit Objective Assess the entity’s compliance with the statutory and regulatory requirements for the CIP

Customer Due Diligence (“CDD”) Risk Considerations Accounts are opened without review of customer background Due diligence is: ineffective or lacks appropriate checks and balances not robust enough for high risk accounts relaxed because of certain internal or certain external referrals Audit Objective Assess the appropriateness and comprehensiveness of the entity’s CDD policies, procedures, and processes for obtaining customer information and assess the value of this information in monitoring, detecting and reporting suspicious activity.

Suspicious Activity Reports (“SARs”) In April 1996, a Suspicious Activity Report (SAR) was developed to be used by all banking organizations in the United States. A banking organization is required to file a SAR whenever it detects a known or suspected criminal violation of federal law or a suspicious transaction related to money laundering activity or a violation of the BSA. Suspicious activity reporting forms the cornerstone of the BSA reporting system.

When Must A SAR Be Filed? A national bank shall file a SAR with the appropriate Federal law enforcement agencies and the Department of the Treasury in accordance with the following circumstances: Insider abuse involving any amount Violations aggregating $5,000 or more where a suspect can be identified Violations aggregating $25,000or more regardless of potential suspects Transactions aggregating $5,000 or more that involve potential money laundering or violate the Bank Secrecy Act.

The Importance of Filing a SAR 1. Identifies potential and actual illegal activity: Money Laundering Terrorist financing Other financial fraud and abuse 2. Detects and prevents flow of illicit funds 3. Establishes emerging threats through analysis of patterns and trends 4. It’s the law.

Financial Institutions Required to file SARs Banks Savings Association Savings Association Service Corporations Credit Unions Bank Holding Companies Non-bank subsidiaries of bank holding companies Edge & Agreement Corporations U.S. branches & agencies of foreign banks

SAR Reporting Deadlines A financial institution is required to file a SAR: No later than 30 calendar days after the date of initial detection of facts that may constitute a basis for the filing No later than 60 calendar days if no suspect was identified on the date of detection of the incident requiring the filing

SARs from an Audit Perspective Risk Considerations Suspicious activity is not properly defined or communicated SARs are incomplete or not filed timely SARs activity is not monitored for trends or those trends are not investigated Decisions not to file SARs are not appropriate or adequately supported Audit Objective Assess the entity’s policies, procedures, and processes, and overall compliance with statutory and regulatory requirements for monitoring, detecting, and reporting suspicious activities

Other Risk Areas Currency Transaction Reporting Information Sharing Purchase and Sale of Monetary Instruments Funds Transfers Foreign Correspondent Account Recordkeeping and Due Diligence Private Banking Due Diligence Program Special Measures Foreign Bank and Financial Accounts Reporting International Transportation of Currency or Monetary Instruments Reporting

Other Risk Areas Office of Foreign Assets Control Correspondent Accounts U.S. Dollar Drafts Payable Through Accounts Pouch Activities Foreign Branches and Offices of U.S. Banks Parallel Banking Electronic Banking Electronic Cash

Other Risk Areas Third-Party Payment Processors Brokered Deposit Referral Agents Privately-Owned Automated Teller Machine Non-deposit Investment Products Insurance Concentration Accounts Lending Activities Trade Finance Activities

Other Risk Areas Trust and Asset Management Services Nonresident Aliens and Foreign Individuals Politically Exposed Persons Embassy and Foreign Consulate Accounts Non-Bank Financial Institutions Professional Services Providers Non-Governmental Organizations and Charities Corporate Entities Cash-Intensive Businesses

Appendices

APPENDIX A: Key Terms BSA Bank Secrecy Act CIP Customer Identification Program CTR Currency Transaction Report DCN Document Control Number EFT Electronic Funds Transfer FBO Foreign Bank Organization FinCEN Financial Crimes Enforcement Network

APPENDIX A: Key Terms MLSA Money Laundering Suppression Act of 1994 OCC Office of the Comptroller of the Currency OFAC Office of Foreign Assets Control ROE Report of Examination SAR Suspicious Activity Report SEC Securities and Exchange Commission SDN Specially Designated Nationals (or Blocked Persons) TDF Treasury Department Form