Written AML program based on five pillars of BSA
Establish a written AML program: Yes, those five pillars of BSA apply to NBFIs. Here's a recap:
- An NBFI must have effective internal controls appropriate for the business's risk profile. Controls will include written policy and procedures, which include a definition of the roles and responsibilities for each stakeholder in the financial institution.
- A qualified and experienced BSA/AML compliance officer must be designated to manage the AML program. The designee must have the appropriate authority to carry out all aspects of managing an effective program.
- Periodic BSA training must be given to all employees of the NBFI. The training should be tailored to each role within the institution.
- Independent testing should be performed for the program to ensure that policies and procedures are working as expected and followed in actual practice. An internal audit function can perform the testing if it does not report through the BSA chain of command, or an outside third-party auditor may be used.
- Ongoing risk-based customer due diligence (CDD) must be conducted at account opening and throughout the duration of the customer account(s). The NBFI must understand the nature and purpose of the customer relationship. Enhanced due diligence will be required on any business or individual customer that poses a higher risk of money laundering or terrorist financing.
To implement a risk-focused AML program, an NBFI should first conduct a risk assessment. In addition to AML and sanctions risks, consider a fraud risk assessment since fraud is one of the eight FinCEN priorities.
Each NBFI will have state or federal registration and licensing requirements which must be adhered to and kept up to date. Agents of money services businesses generally do not have to register.
NBFIs have specific reporting requirements under the BSA, just as traditional financial institutions do. These include currency transaction reporting, monetary instrument recording, and suspicious activity reporting. Each industry must understand the unique requirements and thresholds of its FinCEN filing obligations, as they vary among the different types of services offered by the NBFI.
Sanctions apply to everyone in the United States, even individuals. NBFIs are expected to understand and comply with all Office of Foreign Assets Control (OFAC) sanctions and understand the requirements of each sanction.
NBFIs are subject to the BSA's data retention requirements, so no mass deleting or cleaning out of files before the mandated period is allowed.
Customer risk rating
Like their traditional financial institution counterparts, NBFIs should risk rate their customers, taking deeper dives into potentially higher-risk clients, such as cannabis-related businesses. These higher-risk customers will require ongoing enhanced due diligence.
Suspicious activity monitoring
This is the cornerstone of a robust AML program, and NBFIs must have strong processes in place to detect and report illicit activity.
If an NBFI has a foreign presence, a person who resides in the U.S. must be designated as an agent of the NBFI, including for matters of BSA compliance.
Communication with regulators
NBFIs should establish an open dialogue with their primary regulatory agency. With increased scrutiny, this relationship should not be avoided. Get in front of any questions before becoming the next headline story of what not to do in an AML program.