Anti-Money Laundering and OFAC Compliance for Financial Institutions


1 Anti-Money Laundering and OFAC Compliance for Financial Institutions
[DATE] [NAME OF PRESENTER] [TITLE OF PRESENTER]

2 Introduction The United Nations Office on Drugs and Crime has estimated that globally $800 billion to $2 trillion are laundered annually, or 2% to 5% of global GDP. US anti-money laundering (AML) laws and regulations apply to a wide range of financial institutions, including [BANK]. Separately, the Office of Foreign Assets Control (OFAC) administers a series of laws that impose economic sanctions against hostile targets to further US foreign policy and national security objectives. [BANK] is also subject to these requirements.

3 Introduction (cont'd) This presentation explains:
The governing US AML and OFAC laws and regulations. The actions that [BANK] must take or refrain from taking to ensure compliance. Enforcement trends, including significant recent enforcement actions.

4 What is Money Laundering?

5 What is Money Laundering?
Money laundering is the process of making illegally-gained proceeds ("dirty money") appear legal ("clean"). Presenter Notes: This is the official definition offered by the U.S. Treasury Department's Financial Crimes Enforcement Network (FinCEN). The US federal bank regulators generally define money laundering as transactions intended to do any of the following: Disguise the true source of the transaction's funds. Disguise the ultimate disposition of the transaction's funds. Eliminate any audit trail and make it appear as though the funds came through legitimate sources. Evade income taxes.

6 Stages of Money Laundering
1. Placement: Illegitimate funds introduced into the financial system. 2. Layering: First attempt at disguising the source of the funds. 3. Integration: Laundered money integrated into the financial system. Presenter Notes: Placement is when illegitimate funds are introduced into the financial system or retail economy by some means. Example: using "dirty money" to purchase high-priced merchandise or traveler's checks. Criminal funds are easiest to detect at this stage. Layering is the first attempt at concealing or disguising the source of the funds. The money launderer creates complex layers of financial transactions to cause confusion and obscure the criminal source of the funds. Examples include: Wiring or transferring money through numerous accounts. Shuffling money between shell companies. Buying merchandise in another person's name. Integration is when the "cleaned" money is integrated into the financial system through additional transactions, often by purchasing stocks, bonds, and insurance. At this point, it is difficult to distinguish legal from illegal funds. These stages may overlap, especially if there is a continuous source of "dirty" money.

7 Money Laundering: Illustration

8 US Anti-Money Laundering and OFAC Laws and Regulations

9 Bank Secrecy Act (BSA) The BSA requires financial institutions to:
Keep records of cash purchases of negotiable instruments. File reports of cash transactions exceeding $10,000 (daily aggregate amount). Report suspicious activity that might signify: Money laundering. Tax evasion. Other criminal activities.

10 USA PATRIOT Act of 2001 (PATRIOT Act)
The PATRIOT Act amended the BSA and requires: Government-institution information sharing and voluntary information sharing among financial institutions. A program for verification of customer identity. Enhanced due diligence programs. AML programs across the financial services industry. Presenter Notes: The PATRIOT Act also requires a bank's AML record to be considered as part of any Bank Merger Act application.

11 Office of Foreign Assets Control
The regulations of the US Treasury's Office of Foreign Assets Control (OFAC) prohibit all US persons from engaging in transactions with certain specified persons and countries. Specifically, [BANK] must: Block accounts and other assets of "Specially Designated Nationals" (SDNs) and "Blocked Persons." Prohibit unlicensed trade and financial transactions with specified countries. Block or reject prohibited transactions with SDNs and Blocked Persons. Presenter Notes: SDNs and Blocked Persons consist of various entities and individuals, and may include certain targeted foreign countries and foreign leaders, terrorists, international drug traffickers, and persons engaging in activities relating to the proliferation of weapons of mass destruction. OFAC administers laws to impose economic and trade sanctions against SDNs and Blocked Persons. Sanctions include: Blocking assets. Trade embargoes. Prohibiting unlicensed trade or financial transactions. Travel bans. Other financial and commercial prohibitions. OFAC regulations apply to all US persons and entities, including financial institutions, their branches and agencies, international banking facilities, and domestic and overseas branches, offices, and subsidiaries. The Treasury Department provides an updated list of OFAC sanctions programs and country information at

12 Office of Foreign Assets Control (cont'd)
Examples of transactions that are subject to blocking or rejection include: Cash deposits. Personal, official, and traveler's checks. Drafts. Loans. Obligations. Letters of credit. Credit cards. Bills of sale. Wire transfers. Investments. Presenter Notes: Other examples include: Warehouse receipts. Evidences of title. Negotiable instruments, such as money orders. Trade acceptances. Contracts. Trust assets. [BANK] must notify OFAC of blocked or rejected transactions within ten days of their occurrence. [BANK] must also report all blocked property to OFAC annually by September 30th.

13 Compliance Requirements for Banks

14 Compliance Requirements for Banks: Overview
The BSA requires covered banking institutions to institute a compliance program. The program must include, at a minimum: Internal controls to ensure ongoing compliance. Procedures for independent testing. Designated persons responsible for coordinating and monitoring the compliance program. Training. A Customer Identification Program (CIP). Presenter Notes: The compliance program must be written, approved by the board of directors, and noted in the board minutes.

15 Internal Controls Requirement
[BANK] should have internal controls in place that: Identify banking operations that are vulnerable to abuse, provide for periodic updates to the bank's risk profile, and provide for a BSA/AML compliance program tailored to manage risks. Inform the board of directors and senior management of compliance initiatives, identified compliance deficiencies, corrective action taken, and any SARs filed. Identify a person responsible for BSA/AML compliance. Provide for program continuity despite changes in management or employee composition or structure. Meet all regulatory recordkeeping and reporting requirements and provide for timely updates in response to changes in regulations. Presenter Notes: "Internal controls" are [BANK]'s policies, procedures, and processes designed to limit and control risks and to achieve compliance with the BSA. The board of directors, acting through senior management, is responsible for ensuring that [BANK] maintains an effective BSA/AML internal control structure.

16 Internal Controls Requirement (cont'd)
Implement risk-based customer due diligence policies, procedures, and processes. Identify reportable transactions and accurately file all required reports. Provide for dual controls and the segregation of duties if possible (for example, employees responsible for completing reporting forms generally should not also be responsible for the decision to file the reports or grant the exemptions). Provide sufficient controls and systems for filing CTRs and CTR exemptions. Provide sufficient controls and monitoring systems for timely detection and reporting of suspicious activity. Presenter Notes: "Dual controls": For example, employees that complete the reporting forms (such as SARs) generally should not also be responsible for the decision to file the reports or grant the exemptions.

17 Internal Controls Requirement (cont'd)
Provide for adequate supervision of employees that handle currency transactions, complete reports, grant exemptions, or monitor for suspicious activity. Incorporate BSA compliance into the job descriptions and performance evaluations of bank personnel, as appropriate. Train employees to be aware of their responsibilities under the BSA regulations and internal policy guidelines.

18 Independent Testing Requirement
[BANK]'s testing for compliance should include, at a minimum: A test of the bank's internal procedures for monitoring compliance with the BSA. A sampling of large currency transactions, followed by a review of currency transaction report filings. A test of the validity and reasonableness of the customer exemptions granted by the financial institution. A test of procedures for identifying suspicious transactions and the filing of suspicious activity reports (SARs). A test of the adequacy of the customer due diligence program and the CIP.

19 Independent Testing Requirement (cont'd)
A review of documentation on transactions that management initially identified as unusual or suspicious, but, after research, determined that SAR filings were not warranted. A test of procedures and information systems to review compliance with the OFAC regulations. A review of management reporting of BSA-related activities and compliance efforts. A test of the financial institution's recordkeeping system for compliance with the BSA. Documentation of the scope of the testing procedures performed and the findings of the testing. Presenter Notes: The testing should be conducted by [BANK]'s internal audit department, outside auditors, qualified consultants, or by employees who are not involved in the currency transaction reporting or suspicious activity reporting functions. Testing must include procedures related to high-risk accounts and activities. Although not required by regulation, the bank regulatory agencies recommend this review be conducted at least annually. All findings from the audit should be provided in a written report and promptly reported to the board of directors or an appropriate board committee. The testing should assist the board of directors and management in identifying areas of weakness or areas where stronger controls are needed.

20 Designated Persons Requirement
[BANK]'s board of directors must designate a senior official (BSA compliance officer) responsible for BSA compliance. The board is responsible for ensuring that the BSA compliance officer has sufficient authority to administer an effective BSA/AML compliance program. The BSA compliance officer should be fully knowledgeable of the BSA and all related regulations. The officer should also understand the bank's products, services, customers, entities, and geographic locations, and the potential money laundering and terrorist financing risks associated with those activities. Other individuals in each office, department, or regional headquarters should be given responsibility for day-to-day compliance.

21 Training Requirement [BANK]'s training program must provide training for all operational personnel whose duties may require knowledge of the BSA, including: Tellers. New accounts personnel. Lending personnel. Bookkeeping personnel. Wire room personnel. International department personnel. Information technology personnel.

22 Training Requirement (cont'd)
The training should cover: The bank's BSA policies and procedures. The three stages of money laundering. Red flags to assist in the identification of money laundering. Identification and examples of suspicious transactions. The purpose and importance of a strong customer due diligence program and CIP requirements. Internal procedures for currency transaction reports and SAR filings. Procedures for reporting BSA matters, including SAR filings, to senior management and the board of directors. Procedures for conveying any new BSA rules, regulations, or internal policy changes to all appropriate personnel in a timely manner. OFAC policies and procedures. Presenter Notes: [BANK] should document its training programs and keep records of training and testing materials, the dates of training sessions, and attendance. These records should be available for examiner review.

23 Customer Identification Program (CIP)
[BANK] must have a written CIP that allows it to form a reasonable belief that it knows the true identity of each customer. The CIP must implement reasonable procedures to: Verify the identity of any person seeking to open an account. Maintain records of the information used to verify the person's identity. Determine whether the person appears on any government-provided lists of known or suspected terrorists or terrorist organizations.

24 Customer Identification Program (CIP) (cont'd)
At a minimum, [BANK] must obtain the following identifying information from each customer before opening an account: Name. Date of birth for individuals. Address. Identification number. Based on its risk assessment, [BANK] may require additional identifying information for certain customers or product lines. Presenter Notes: Verification: The CIP must contain risk-based procedures for verifying the identity of the customer within a reasonable amount of time after the account is opened. If using documentary methods to verify a customer's identity, the identification must provide evidence of a customer's nationality or residence and bear a photo or similar safeguard (for example, a driver's license or passport). [BANK] is encouraged to review more than a single document to ensure that it has a reasonable belief that it knows the customer's true identity. For entities (not individuals), [BANK] should obtain documents showing the legal existence of the entity, such as certified articles of incorporation, a partnership agreement, or a trust instrument. Recordkeeping and Retention Requirements: At a minimum, [BANK] must retain the identifying information obtained at account opening until five years after the account is closed. [BANK] must also keep a description of the following for five years after the record was made: Any document that was relied on to verify identity, noting the type of document, identification number, place of issuance, date of issuance, and expiration date. The method and the results of any measures undertaken to verify identity. The results of any substantive discrepancy discovered when verifying identity. Comparison with Government Lists: [BANK]'s CIP must include procedures for determining whether the customer appears on any federal government list of known or suspected terrorists or terrorist organizations.

25 Customer Identification Program (CIP) (cont'd)
The CIP must include procedures for providing customers with adequate notice that the bank is requesting information to verify their identities. Sample notice language: "Important Information About Procedures for Opening a New Account To help the government fight the funding of terrorism and money laundering activities, Federal law requires all financial institutions to obtain, verify, and record information that identifies each person who opens an account. What this means for you: When you open an account, we will ask for your name, address, date of birth, and other information that will allow us to identify you. We may also ask to see your driver's license or other identifying documents."

26 Customer Identification Program (CIP) (cont'd)
[BANK] may rely on another bank's CIP procedures if these conditions are met: Reliance on the other bank's CIP is reasonable under the circumstances. The other bank is required to maintain a BSA/AML program and is regulated by a federal banking agency. The other bank enters into a contract with [BANK] requiring it to certify annually that: It has implemented its AML program. It will perform the specified requirements of [BANK]'s CIP. Presenter Notes: [BANK] may rely on another bank's CIP procedures where a customer or potential customer is opening or has opened a bank account or established a similar formal banking or business relationship with the other bank. [BANK]'s CIP must have procedures that specify when it will rely on another bank's CIP obligations for its own customers. The CIP Rule requires that, at a minimum, the bank retain for at least five years: After the account is closed, the customer information obtained at account opening. After the record was made, a description of: Any document that was relied on to verify a customer's identity, noting the type of document, the identification number, the place of issuance, and, if any, the date of issuance and expiration date. The method and the results of any measures undertaken to verify the customer's identity. The results of any substantive discrepancy discovered while verifying the customer's identity.

27 Enhanced Due Diligence Procedures
For certain high-risk customers, [BANK] should consider obtaining additional client information, including: Purpose of the account. Source of funds and wealth. Individuals with ownership or control over the account, such as beneficial owners, signatories, or guarantors. Occupation or type of business. Financial statements. Presenter Notes: [BANK] may determine that a customer poses a higher risk because of the customer's: Business activity. Ownership structure. Anticipated or actual volume and types of transactions, including transactions involving higher-risk jurisdictions. [BANK] should consider obtaining the additional information both at account opening and throughout the relationship.

28 Enhanced Due Diligence Procedures (cont'd)
Bank references. Domicile (where the business is organized). Proximity of the customer's residence, place of employment, or place of business to the bank. Description of the customer's primary trade area and whether international transactions are expected to be routine. Description of the business operations, the anticipated volume of currency and total sales, and a list of major customers and suppliers. Explanations for changes in account activity. Presenter Notes: [BANK] must use enhanced due diligence procedures for: Private banking accounts created for non-US persons. Correspondent banking accounts created or maintained for non-US financial institutions. [BANK] may also be required to use these procedures for: Pass-through checking accounts marketed to foreign banks that would not otherwise be able to offer their customers access to the US banking system. Wire transfers. Accounts of nonresident aliens. Senior foreign political figures. Embassies and foreign consulates. Charities that conduct business with non-US persons or entities.

29 Recordkeeping Requirements
[BANK] must maintain specific records related to its BSA and AML requirements. Records must generally be kept for five years. [BANK] must keep records of every funds transfer of $3,000 or more that it originates, receives, or acts as an intermediary for. [BANK] must keep records of every cash sale of between $3,000 and $10,000 of: Checks. Drafts. Cashier's checks. Money orders. Traveler's checks.

30 Recordkeeping Requirements (cont'd)
The information required to be collected and retained depends on [BANK]'s role in the funds transfer. If [BANK] acts as an originator's bank, for example, it must collect and retain the: Name and address of the originator. Amount of the payment order. Date of the payment order. Any payment instructions. Identity of the beneficiary's institution. If available, the beneficiary's name and address, account number, and any other specific identifier. Presenter Notes: For each payment order of $3,000 or more that [BANK] accepts as a beneficiary's bank, [BANK] must retain a record of the payment order.

31 Reporting Requirements
[BANK] must file various reports under the BSA, including: Currency Transaction Reports (IRS Form 4789). Reports of International Transportation of Currency or Monetary Instruments (US Customs Form 4790). Foreign Bank and Financial Accounts Reports (Treasury Department Form ). Suspicious Activity Reports (Treasury Department Form ; OCC Form , ).

32 Currency Transaction Reports
[BANK] must file a currency transaction report each time any of the following transactions of more than $10,000 occurs: Deposit. Withdrawal. Currency exchange. Other payment or transfer. Presenter Notes: For purposes of determining whether the more than $10,000 threshold is met, multiple transactions during any one business day must be treated as a single transaction if [BANK] has knowledge that the transactions are conducted by (or on behalf of) the same person. Transactions at all of [BANK]'s branches must be aggregated for purposes of determining whether they must be reported. Certain exemptions may apply for: US operations of other banks. US, state, or local governmental agencies or departments. Any entity exercising governmental authority within the US. Companies whose common stock is listed on the NYSE, the American Stock Exchange, or NASDAQ.

33 Reports of International Transportation of Currency or Monetary Instruments
[BANK] must file a Report of International Transportation of Currency or Monetary Instruments (CMIR) each time it physically transports, mails, or ships any of the following into or out of the US that, in the aggregate, exceed $10,000: Currency. Traveler's checks. Other monetary instruments. Presenter Notes: A CMIR must be filed with the appropriate Bureau of Customs and Border Protection officer or with the commissioner of Customs at the time of the instrument's entry into or departure from the US. When [BANK] receives currency or monetary instruments exceeding $10,000 that have been shipped from outside the US, it must file a CMIR within 15 days of receipt of the instruments (unless a report has already been filed). However, certain exemptions may apply. For example, [BANK] is not required to report the transfer of currency or monetary instruments if they are mailed or shipped through the postal service or by common carrier. In addition, [BANK] is also not required to report overland shipments of currency or monetary instruments if they are shipped to or received from an established customer maintaining a deposit relationship with [BANK] if it reasonably concludes that the amounts do not exceed what is commensurate with the customary conduct of the business, industry or profession of the particular customer. [BANK] is, however, required to file a CMIR to report shipments of currency or monetary instruments to foreign offices when those shipments are performed directly by bank personnel, such as currency shipments handled by bank employees using bank-owned vehicles. Management should implement applicable policies, procedures, and processes for CMIR filing.

34 Foreign Bank and Financial Accounts Reports
[BANK] must file a Foreign Bank and Financial Accounts Report (FBAR) if it holds in the aggregate at any point in the calendar year more than a $10,000 interest in one or more bank, securities, or other financial accounts in a foreign country. Presenter Notes: "Financial accounts" include, among other things, accounts in which assets are held in a commingled fund and the account owner holds an equity interest in the fund (for example, a mutual fund). [BANK] must file an FBAR on its own accounts that meet this definition. [BANK] may also be obligated to file an FBAR for customer accounts if it has a financial interest in the account, or signature or other authority over the account. An FBAR must be filed on or before June 30 for foreign financial accounts where the aggregate value exceeded $10,000 at any time during the previous calendar year.

35 Suspicious Activity Reports (SARs)
[BANK] must file reports of suspicious transactions that may possibly be involved in a legal or regulatory violation. The report is filed with the Financial Crimes Enforcement Network (FinCEN) and must include: The person or entity involved in the transaction. The amount of money involved in the transaction. The nature of the suspicious activity. The date or date range of the suspicious activity. Presenter Notes: The following types of transactions may require the filing of a SAR if they are suspicious: Deposits. Withdrawals. Inter-account transfers. Exchanging currency. Extensions of credit. Purchases or sales of stock or securities, bonds, certificates of deposits, monetary instruments, or investment securities. Automated clearing house transactions. ATM transactions. Certain activities are not subject to SARs requirements, for example: Robberies and burglaries reported to local authorities. Lost, missing, stolen, or counterfeit securities that are reported through the Lost and Stolen Securities Program Database. [BANK] should file SARs for suspicious transactions even if only a part of the transaction occurred in the US. For example, if a suspicious transaction results in funds originated from, or being distributed to, outside of the US, a SAR should still be filed if it involves [BANK]'s US operations.

36 Mandatory SARs Filings
Transactions of $5,000 or more involving potential BSA violations or money laundering if the bank suspects or has reason to suspect that the transaction either: Involves funds from illegal activities. Is designed to evade BSA requirements. Has no business or apparent lawful purpose or is not the type of transaction the customer would be expected to engage in. Involves the use of the bank to facilitate criminal activity. Known or suspected criminal violations involving at least $5,000 when a suspect is identifiable or at least $25,000 if there is no identifiable suspect. Known or suspected violations involving insider abuse in any amount. Presenter Notes: [BANK] must file SARs in these situations. As discussed on the next slide, [BANK] may also voluntarily report a suspicious transaction, even if reporting is not technically required.

37 Voluntary SARs Filings
Even if reporting is not required, [BANK] may file a report of any suspicious transaction it believes is relevant to the possible violation of any law or regulation. The decision of whether to file a SAR should be made by [[BANK]'s compliance department/[OTHER DEPARTMENT]]. If in doubt, [BANK] should generally elect to file a SAR. Presenter Notes: Where [BANK] decides not to file a SAR, it should maintain strong documentation backing its decision. This documentation should include a clear summary of the reasons for not filing any supporting documents. The board of directors and senior management are not required to be involved in SARs filing decisions. However, the board of directors must be kept notified of the financial institution's SARs filings. Filings must generally be made within 30 days of the bank's discovery of the facts requiring the SAR filing. If the suspicious activity requires immediate attention from the law enforcement agencies, such as suspected financing of terrorist activities, [BANK] should call them right away, even before the SAR is filed. Notifying law enforcement directly does not relieve [BANK] of the duty to file the SAR. If a transaction triggers a SAR filing requirement, [BANK] is not required to halt execution of the transaction or close a customer's account after filing a SAR. The decision of whether to maintain or terminate a business relationship with a customer that is the subject of a SAR filing is a business decision of [BANK].

38 OFAC Compliance Program Requirements
OFAC rules do not require any specific compliance program requirements. However, an effective OFAC program should: Implement and maintain written policies and procedures for screening transactions and new customers. Have a compliance officer to monitor compliance and oversee blocked funds. Conduct OFAC risk assessments for various products and departments. Maintain guidelines and internal controls to ensure the periodic screening of all existing customer accounts. Presenter Notes: Although OFAC rules do not require any specific compliance program requirements, OFAC will consider the relevant federal banking regulator's most recent assessment of [BANK]'s OFAC compliance program as one of the mitigating factors should there ever be any penalty.

39 OFAC Compliance Program Requirements (cont'd)
Implement and maintain procedures for obtaining and maintaining up-to-date OFAC lists. Ensure methods are in place for conveying timely OFAC updates. Establish procedures for handling and reporting prohibited OFAC transactions. Issue guidance for SAR filings on OFAC matches. Conduct an annual internal review or audit of the OFAC processes in each affected department. Conduct training for all appropriate employees. Presenter Notes: [BANK] should establish and maintain effective OFAC programs and screening capabilities in order to facilitate safe and sound banking practices. The FDIC recommends that each financial institution adopt a risk-focused, written OFAC program designed to ensure compliance with OFAC regulations. [BANK] is not permitted to transfer responsibility for OFAC compliance to correspondent banks or a contracted third party. [BANK] is responsible for every transaction occurring by or through its systems.

40 Enforcement Trends

41 Common Compliance Program Failures
For regulated financial institutions, the most common compliance program failures include: Failing to have a written program that adequately covers the required elements. Failing to properly implement and maintain the program. Defective programs allowing suspicious activity to go unreported. Structuring transactions to avoid reporting requirements or cases of insider complicity. Failing to file required BSA reports, such as SARs or customer transaction reports. Presenter Notes: In the lending context in particular, financial institutions may be required to follow CIP and other reporting requirements. Relevant covenants and warranties may also be negotiated in loan agreements.

42 Significant Recent Enforcement Actions
Commerzbank AG (2015): $1.45 billion fine and cease and desist order for failing to provide: Sufficient risk management and legal review policies and procedures to ensure that activities conducted at its offices outside the US complied with applicable OFAC regulations. Effective oversight to ensure Commerz New York's compliance with AML regulations. Timely and accurate information about transactions of Commerzbank's foreign-based customers conducted through Commerz New York, resulting in Commerz New York's processing of hundreds of millions of dollars in transactions without adequate due diligence or suspicious activity reporting.

43 Significant Recent Enforcement Actions (cont'd)
BNP Paribas (2014): $8.9 billion fine for falsifying business records, conspiracy, and violating US sanctions against Cuba, Iran, and Sudan. HSBC Bank USA (2012): $1.92 billion fine and five-year deferred prosecution agreement (DPA) for violations including: Failing to maintain an effective AML compliance program. Failing to address or report alerts to possible BSA/AML violations properly. Failing to designate high-risk customers.

44 Significant Recent Enforcement Actions (cont'd)
Standard Chartered Bank (2012, 2014): $967 million in fines for insufficient oversight of its compliance program for US economic sanctions, BSA and AML requirements, and failure to adhere to SAR requirements.

45 Questions

46 For Further Information or Questions Contact:
[LEGAL DEPARTMENT CONTACT INFORMATION]

