If you think your company doesn’t have to worry all that much about money laundering because you are not a big bank, think again.

While regulators have traditionally gone after big banks for anti-money laundering compliance deficiencies, their watchful eyes are shifting to smaller depository institutions and a wide variety of non-banks.

Growing regulatory scrutiny of transactions by casinos, money transmitters, and even the fashion industry is increasing the need for non-banks to get more serious about AML programs. “Regulators are moving beyond traditional banks to look for potential financial crime activities,” says Micah Willbrand, director of global AML product marketing for NICE Actimize, a provider of compliance and risk management products for the financial services industry.

Recent enforcement efforts against non-banks include:

In September 2014, more than 1,000 federal, state, and local law enforcement officials swept through Los Angeles’ Fashion District, armed with search and arrest warrants for businesses suspected of money laundering.  Investigators found evidence that many businesses routinely accepted bulk cash on behalf of drug trafficking organizations based in Mexico and Colombia.

In August 2014, Las Vegas Sands, an international casino operator, surrendered $47 million to the government as part of a non-prosecution agreement after it failed to report suspicious transactions made by an alleged drug kingpin.

In 2013, the owners of Woody Toys received jail time and forfeited nearly $2 million after federal investigators uncovered their involvement in a so-called “black market peso exchange.” In the scam, foreign toy retailers and U.S. toymakers conspired to help convert illicit pesos into clean U.S. dollars.

The warning from U.S. Attorney André Birotte following the Sands settlement: “All companies, especially casinos, are now on notice that America’s anti-money laundering laws apply to all people and every corporation, even if that company risks losing its most profitable customer.”

“Regulators are moving beyond traditional banks for potential financial crime activities. They are increasingly coming under the cross hairs of regulators as governments spread the net to prevent illegally gained money from entering the financial system.”
Micah Willbrand, Director of Global AML Product Marketing, NICE Actimize

Companies are listening. Earlier this year, Walmart bolstered existing AML efforts by increasing AML compliance staff, enhancing customer receipts for international remittances, and revising training modules for 70,000 field associates to educate them about money laundering risks.

Long Time Coming

The crackdown on non-banks shouldn’t be much of a surprise. Enacted in 1970, the Bank Secrecy Act was always intended to reach beyond federally insured depository banks if needed. Over the years, other efforts to strike against money laundering emerged, including the Money Laundering Control Act of 1986. The aftermath of the 9/11 attack on the World Trade Center in 2001 and the passage of the Patriot Act as a tool to curb terrorist financing set the stage for an uptick in investigations and enforcement of anti-money laundering laws.

The new focus on non-banks is largely a matter of regulatory evolution, Jonathan Lopez, a partner at the law firm Orrick, Herrington & Sutcliffe, says. Lopez, a former Department of Justice prosecutor, compares AML regulations to the Foreign Corrupt Practices Act, another law dating back to the 1970s that has become more vigorously invoked in recent years.

“Regulators are just moving down the chain with the focus on following the money,” Willbrand adds. Because the traditional banking system “has a pretty good handle” on AML controls and most banks have the needed systems and internal controls in place, regulators now “want to go to the weaker points in the financial system.”

A backdrop to all this is that what constitutes a “bank” is rapidly changing. In the United Kingdom, for example, retailer Tesco is the third largest savings institution. Sweden’s IKEA has its own banks. Domestically, Amazon, Facebook, Walmart, and Apple dabble with financial products and services. “Money is going to fundamentally change over the next decade and it is going to be tough for the current regulatory regimes to keep up with that,” Willbrand says.

While regulatory demands were once a barrier to plunging into the financial world, the potential for profitability is enticing and more companies are willing to take on the cost of compliance. Amazon and Facebook are currently registered with the federal government as money transmitters; Uber and Airbnb have applied for that status in California. 

AML, ASAP

Given their increased odds for regulatory enforcement, non-banks would be well-served to re-evaluate their AML compliance programs, say compliance experts. To aid that task, FinCEN and other regulators issue regular guidance updates, the most recent ones addressing armored car companies and money services businesses.

FINCEN: DON’T DROP IT LIKE IT’S HOT

The following, issued on Nov. 10 by the Financial Crimes Enforcement Network, responds to the increasing practice of “de-risking” by banks. Despite the current regulatory and enforcement climate, FinCEN urges financial institutions to treat business relationships on a case-by-case basis and not arbitrarily sever relationships.
Money services businesses, including money transmitters important to the global flow of remittances, are losing access to banking services, which may in part be a result of concerns about regulatory scrutiny, the perceived risks presented by money services business accounts, and the costs and burdens associated with maintaining such accounts.
MSBs play an important role in a transparent financial system, particularly because they often provide financial services to people less likely to use traditional banking services and because of their prominent role in providing remittance services. FinCEN believes it is important to reiterate the fact that banking organizations can serve the MSB industry while meeting their Bank Secrecy Act obligations.
Currently, there is concern that banks are indiscriminately terminating the accounts of all MSBs, or refusing to open accounts for any MSBs, thereby eliminating them as a category of customers. Such a wholesale approach runs counter to the expectation that financial institutions can and should assess the risks of customers on a case-by-case basis. Similarly, a blanket direction by U.S. banks to their foreign correspondents not to process fund transfers of any foreign MSBs, simply because they are MSBs, also runs counter to the risk-based approach. Refusing financial services to an entire segment of the industry can lead to an overall reduction in financial sector transparency that is critical to making the sector resistant to the efforts of illicit actors. This is particularly important with MSB remittance operations.
FinCEN does not support the wholesale termination of MSB accounts without regard to the risks presented or the bank’s ability to manage the risk.
Source: Treasury Department.

Concerns about incomplete or inaccurate reports filed by armored car services, for example, recently led FinCEN to issue a Geographic Targeting Order that requires enhanced reporting by armored car services operating near the Mexican border. It clarified that Currency and Monetary Instruments Reports must be filed when $10,000 or more in currency is moved across the U.S. border. These reports must provide: the identity of those handling the currency, its origination and destination, and a full description of the type and U.S. dollar equivalent of all currency on-hand.

Recent guidance for casinos clarified that gaming at slot machines and video lottery terminals, although exempted from currency transaction reports, is not exempt from the filing of Suspicious Activity Reports. Casinos are required to “establish risk-based internal controls” to ensure compliance with that requirement. Another advisory clarifies that casinos are required to retain all records of a customer's gaming activity for five years.

Guidance alone, however, may not be enough. Banks, for example, are struggling with contradictory guidance and enforcement. Last month, FinCEN responded to the practice of “de-risking” by warning banks to not arbitrarily sever business relationships as a blanket response to increased risk and regulation.  “Such a wholesale approach runs counter to the expectation that financial institutions can and should assess the risks of customers on a case-by-case basis,” it wrote.

But word and deed don’t mesh very well. If risk assessments are best left for banks to consider on a case-by-case basis, then why did the Justice Department’s “Operation Choke Point” initiative this year pressure them to sever high-risk business relationships and close the accounts of firearms dealers, porn stars and strip club workers, marijuana dispensaries, and others?  “Regulators are telling banks they can’t dump e-cigarette retailers, but then coming in and asking, ‘Why do you have this business; it is very risky and could bring down your entire bank.’ You have these public/private conversations that don’t make any sense and are frustrating,” Willbrand says.

“It’s playing both sides,” John Byrne, executive vice president of the Association of Certified Anti-Money Laundering Specialists, says. “Compliance officers will have to rethink the firm’s risk assessments and risk appetite.”

The confusion over bank guidance should inspire non-banks to look elsewhere for additional help. Byrne’s advice for best practices in AML compliance is to study enforcement actions, as many provide insight into the controls and training regulators demand. “It is fundamental for anyone hoping their AML program passes muster to know exactly what regulators will look for during an investigation,” he says.

Creating Effective AML Programs

“Enforcement actions speak for themselves,” Lopez says.  While the laws focus on intangibles like having a program that is “reasonable” and “effective,” the responses to criminal activity are clear cut. “One can take lessons learned from them without too much trouble,” he says.

Vague legislative terms, like “effective,” can vary greatly among business types and will continue to evolve, Lopez adds. “Because technology has enabled financial institutions to do more with the information they have, it is very unclear where the goal post is on reasonableness given the advancements in information technology,” he says.

Setting aside that confusion, there are a variety of factors investigators will rely upon when assessing whether a company or its employees aided money laundering. Among them are indications of reckless disregard and widespread knowledge of the activity. Components of an effective compliance program include: having a designated compliance officer; adequate training for employees; developing a customer acceptance and maintenance program; ongoing risk assessments; monitoring for large or suspicious transactions; verifying customer information; and compiling customer risk ratings. 

When considering a potentially risky business endeavor, banks and non-banks alike “have to be very careful and make sure your programs and policies are all up-to-date,” Byrne says. “You should also have conversations with your regulator prior to creating those relationships.”

Companies may want to break down the barrier between Big Data efforts and compliance screens. “Businesses collect tons of user data for marketing purposes, while the exact same data is collected by banks, but for compliance purposes,” Willbrand says.

Does a product line have money laundering risk? If so, how should we address it? “If you ask those two questions, no matter what answer you come up with, as long as it is thoughtful and can be supported, it will be difficult for regulators to make a criminal case based on willfulness,” Lopez says. If your program to mitigate risk should fail, the ability to identify that failure and address it will likely be a great defense, he says.

“Plan for the inevitable,” is Willbrand’s advice. “At least have a plan on what you are going to do,” he says. “Regulators very rarely fine you for a single transaction. They fine you because you don’t have a process in place, or don’t have a plan to have a process. That’s where most companies get in trouble.”