AuditOne Compliance Advisory: 2018 Q1

AuditOne LLC Advisory

From Bud Genovese, Chairman

The Bank Secrecy Act (BSA) and Anti-Money Laundering (AML) are at the forefront of sweeping changes.  In this edition, we cover recent updates to FinCEN BSA guidance, the launch of FinCEN Exchange, Marijuana Related Business impacts, Cryptocurrency, BSA Examination Trends and more.  Additionally, the Senate has recently stepped up efforts on bipartisan legislation designed to roll back changes made to the lending landscape by the Dodd-Frank Act.  Finally, we will share some information on recent Compliance developments and enforcement actions.  This has been prepared by Celeste Burton, Compliance Practice Director, AuditOne LLC.  We hope you enjoy! – Bud

Economic Growth, Regulatory Relief, and Consumer Protection Act

Earlier this morning, the Senate passed the Economic Growth, Regulatory Relief, and Consumer Protection Act (“the Bill”), a bipartisan bill that effectively amends and relaxes certain acts and requirements to increase access to capital for home purchases.  As stated, the Bill accomplishes the following:

  • Amends the Truth in Lending Act to allow institutions with less than $10 billion in assets to waive “Ability-To-Pay” requirements for certain residential mortgage loans. Other mortgage-lending provisions related to appraisals, mortgage data, employment of loan originators, manufactured homes, and transaction waiting periods are also modified.
  • Amends the United States Housing Act of 1937 to reduce inspection requirements and environmental-review requirements for certain smaller, rural public-housing agencies.
  • Amends the Bank Holding Company Act of 1956 to exempt banks with assets valued at less than $10 billion from the “Volcker Rule,” which prohibits banking agencies from engaging in proprietary trading or entering certain relationships with hedge funds and private-equity funds.
  • Modifies provisions relating to enhanced prudential regulation for financial institutions, including those related to stress testing, leverage requirements, and the use of municipal bonds for purposes of meeting liquidity requirements.  Certain banks are also exempted by the Bill from specified capital and leverage ratios, with federal banking agencies directed to promulgate new requirements.
  • Requires credit reporting agencies to provide credit-freeze alerts and includes consumer-credit provisions related to senior citizens, minors, and veterans.

Relaxed rules are intended to increase lenders’ appetite for consumer lending.  The potential downside is that relaxed standards might create an economic environment equivalent to what we experienced in 2008, a time that had not been seen since the Great Depression of the 1930’s.   The potential upside, however, is that while the same historical alphabet soup of consumer regulations will remain, the modified consumer disclosure rules implemented as a result of Dodd-Frank could be trimmed or removed, thereby cutting costs and potentially making borrowing more accessible and less expensive.  There will likely be changes in the House before the bill becomes law.  Stay tuned.

EconBank Secrecy Act (BSA)/Anti-Money Laundering (AML)


Marijuana Related Businesses (MRBs)

The Department of Justice (DOJ) recently issued a memorandum that encouraged all U.S. Attorneys to prosecute for marijuana-related activities. The memo also addressed the return of the Controlled Substance Act, which prohibits the cultivation, distribution and possession of marijuana, all of which are activities that can lead to charges related to money laundering and BSA. Although the Cole Memo has been rescinded, there has been no further guidance from FinCEN addressing the impact on an institution’s SAR filings or the banking of a MRB. Without further guidance from FinCEN, we encourage financial institutions to continue to file SARs as normal on MRBs and to make sure your Five Pillars are ironclad should you decide to venture into this arena.


On December 4, 2017, FinCEN announced the launch of a new program to enhance information sharing with financial institutions. Participation in FinCEN Exchange is voluntary. However, it is encouraged as it helps Treasury meet their objective to strengthen the anti-money laundering framework. FinCEN Exchange will include regularly scheduled briefings across the nation with law enforcement to obtain information related to illicit finance and national security threats. If the briefings conclude that an institution may have relevant information that law enforcement wants to obtain, 314a and 314b will likely facilitate the information exchange.


  • Removal of requirement for depository institutions to file a Designation of Exempt Person form with respect to the transfer of currency to or from any of the 12 Federal Reserve Banks (in accordance with amended 31 CFR 1020.315);
  • Updated guidelines for filing the Designation of Exempt Person form; and,
  • New guidance concerning the types of identifying information financial institutions should obtain when a federal, state or local government official engages in a transaction over a certain amount in an official capacity.



FinCEN changed the type of file format that will be accepted through the e-filing system. By May 2018, all Currency Transaction Reports (CTR)s for batch filers must be uploaded in an XML based file. The format change for Suspicious Activity Reports (SAR)s will take effect in June 2018.

Cryptocurrency is a relatively new concept in the world of banking, best described as a payment technology method that has a direct impact on money laundering efforts.  Two Acts created a path for civil and criminal regulation of cryptocurrency exchanges:

  • The Money Laundering Suppression Act of 1994, which requires Money Service Businesses (MSBs) to register with FinCEN on a biennialbasis.
  • The USA PATRIOT Act (2001), which made it a federal crime to operate a money transmitter business without a money transmitter license in any state that required such a license.

Moreover, the invention of Bitcoin in 2009 and introduction of other virtual currencies have served to increase regulatory concern for illegal behavior.  As a result, FinCEN issued interpretive guidance for virtual currency exchanges “to clarify the applicability of the regulations implementing the BSA to persons creating, obtaining, distributing, exchanging, accepting, or transmitting virtual currencies”. Virtual Currency is defined broadly in the Guidance to include all manner of items used as a medium of exchange … and any currency that “either has an equivalent value in real currency or acts as a substitute
for real currency.”  The guidance also clarified the following:

  • BSA requirements for MSBs apply equally to any cryptocurrency exchange that does business in the United States or with U.S. persons, regardless of the nationality of its ownership or its physical location.
  • Exchangers and administrators are considered money transmitters that must register as MSBs, thereby making them subject to BSA requirements to develop robust anti-money laundering compliance programs.
  • A user of virtual currency is not an MSB under FinCEN’s regulations and therefore is not subject to MSB registration, reporting, and recordkeeping regulations.
  • Money transmitters must comply with the obligations that the BSA and FinCEN place on those types of businesses.
  • For financial institutions with broker dealer subsidiaries, the SEC is responsible for enforcement of current registration, disclosure, and antifraud requirements of the securities laws applicable to those who issue or deal in cryptocurrencies.

Since 2015, there has been an increasing number of criminal complaints regarding the operation of unlicensed MSBs related to cryptocurrencies.  Three notable cases involved the following companies: E-gold, a digital gold currency and alternative payment system that was processing more than $2 billion worth of transactions per year; BTC-e, an Eastern European cryptocurrency exchange that conducted around $300 million in transactions of Bitcoin; and Ripple Labs, a company that builds products utilizing the decentralized cryptocurrency known as XRP, with sales of XRP currency totaling over $1.3 million.   Refer to Enforcement Actions Section of this Advisory for details.

The culmination of guidance on Cryptocurrency points to three primary obligations of money transmitters that we recommend be considered by lending institutions as part of Know Your Customer (KYC) programs:

  • Registered with FinCEN?
  • Have a risk-based AML and KYC program?
  • Filing suspicious activity reports (i.e., for purposefully obscured and anonymized transactions or for individuals associated with the transaction that are “widely reported as associated with criminal or civil violations of U.S. law”)?

Beneficial Ownership

Beginning May 11, 2018, financial institutions will be required to collect CIP on 25% owners of legal entity customers as well as at least one “controlling” person, requiring a drill down through multiple LLC layers as applicable.  FinCEN has not yet issued clarifying guidance on areas addressed in the new rule that suggest procedures should be “risk-based.” FinCEN did, however, recently indicate that they recognized the need for clarification by stating that they may be issuing additional guidance with a release of updated FAQs on the new rule. In addition, the regulators are updating the FFIEC BSA Examination Manual to address the new rule.


Always helpful to pause and take stock of how well your institution fares when it comes to BSA examination “hot topics” and trends.  Some best practices that we recommend follow:

  • BSA Policy
    • Ensure written procedures address all customers and products.
  • Suspicious Activity Monitoring
    • Continually ensure software settings and rules address the Bank’s specific BSA/AML risk profile, making adjustments as warranted.
  • Risk Assessment (RA)
    • Provide meaningful historical data to support management’s analysis, including risk trends, mitigating controls, and residual risk for each product, service and customer.
    • Update the RA to include information on countries with which the Bank conducts international transactions, to provide a more accurate assessment of the inherent risk in those transactions.
    • Incorporate level and trend analysis on SARs and CTRs filed, including exempt customers to assess the risk changes within the Bank’s customer base from year to year.
  • Customer Identification Program/Customer Due Diligence/Enhanced Due Diligence
    • Ensure CIP forms contain complete information on primary identification, including a written description of the Bank’s primary method of positive identification such as government-issued driver’s license, ID Card, or passport.  Clearly evidence date of birth and OFAC checks conducted.
    • Perform enhanced due diligence on high-risk customers, including politically exposed persons, non-resident aliens, cash-intensive businesses, non-government organizations, charities, and money transmitters. Those with complex cash flows are potentially more susceptible to money laundering and terrorist financing.

Other Compliance Developments


The FFIEC issued the 2018 HMDA Getting It Right Guide.  This edition reflects changes to Regulation C taking effect January 1, 2018. While the Guide serves as a valuable resource for HMDA reporting requirements, please note that it does not include guidelines about the HMDA e-filing process.  This information is separately maintained on the FFIEC website and can be found at www. and


With the federal government shutdown on January 19, 2018, the authority of the Federal Emergency Management Agency (FEMA) to issue flood insurance policies under the National Flood Insurance Program (NFIP) lapsed.  Subsequently, on January 22, 2018, the NFIP was reauthorized (by legislation passed by Congress and signed by the President) to February 8, 2018.  After a brief government shutdown, Congress passed a $400 billion budget deal that was signed into law by the President that extended the NFIP to March 23, 2018.

FEMA guidance related to lapses can be found at  Moreover, guidance issued by the banking agencies, during the 2010 lapse, may also be useful and can be found on each agency’s website at:

Automated Clearing House (ACH) Rules

ACH Rules go into effect four times per year.  NACHA has adopted a Rule to provide a new capability for moving virtually any ACH payment faster.  The rules were implemented in three phases, commencing in September 2016.  The third and last phase will become effective March 16, 2018.  Ensure that your institution is prepared to comply, with a focus on key topics such as:

  • Origination obligations
  • Receipt posting and availability
  • Credits vs. debits
  • Implementation

Notable Enforcement Actions

  • Regulators assessed the following civil money penalties (CMP) against US Bancorp for failure to maintain satisfactory risk management and oversight of the corporation’s and its subsidiary bank’s BSA/ anti-money laundering (AML) program:
  • The  OCC imposed a $50 million CMP against Rabobank, NA (Roseville, CA) for deficiencies in its BSA/AML program.
  • Flood enforcement actions have continued.  The financial institutions recently impacted are:
    • Hantz Bank (Southfield, MI), FDIC, $14,000
    • Bank of Lake Mills (Lake Mills, WI), FDIC, $5,000
    • Goldman Sachs Bank USA (New York, NY), FRB, $90,000
    • Clear Mountain Bank (Bruceton Mills, WV), FRB, $14,000
  • The Department of Justice brought a 21-count indictment against BTC-e and a Russian National international money laundering scheme, for laundering funds from the hacking of another cryptocurrency exchange.  FinCEN also assessed a $110 million CMP against BTC-e for willfully violating AML laws, and the head of Operations and Finance was individually assessed a $12 million penalty for his role in the violations.  Initially reported in July 2017, the case has current relevance as a baseline for future enforcement activity.

AuditOne LLC – Company Overview

AuditOne LLC provides independent risk management services to financial institutions. Our sole focus is providing internal audit and credit review services to the financial institution industry. We have experience with all regulatory authorities and offer a full selection of audit services comprising Credit Review/ALLL, BSA/Compliance, IT/Information Security, ACH rules Compliance, Operations, Network Tests, Asset/Liability Management and various specialty areas. Our expertise is your edge. For more information on this article, please contact Jeremy Taylor, Co-CEO at: Contact Us or Kevin Watson, Co-CEO at: Contact Us and for information about all of our audit services see