Customer Due Diligence: How to bring clarity to screening for OFAC Sanctioned Entities and other High-Risk Entities April 7, 2009 Shaun M. Hassett, CAMS National Risk Specialist Clarity Risk & Compliance Advisors

Presentation Outline OFAC Overview OFAC Enforcement Guidelines FinCEN and OFAC Compared Performing Risk Assessments Developments to Consider (IATs and Cover Payments) Tools, Tips, Tricks to Improve Screening

OFAC Overview

OFAC Enforcement Guidelines

FinCEN and OFAC Compared

Performing Risk Assessments

Developments to Consider (IATs and Cover Payments)

Tools, Tips, Tricks to Improve Screening

OFAC Mission To administer and enforce economic and trade sanctions based on U.S. foreign policy and national security goals against selected targets: Terrorism Narcotics Trafficking WMDs and HEU Foreign governments and regimes Individuals Entities Practices Threats to: National Security Foreign Policy and /or Economy of Unites States

OFAC Mission

To administer and enforce economic and trade sanctions based on U.S. foreign policy and national security goals against selected targets:

Terrorism

Narcotics Trafficking

WMDs and HEU

Foreign governments and regimes

Individuals

Entities

Practices

Threats to:

National Security

Foreign Policy and /or

Economy of Unites States

FinCEN and OFAC Compared Primary Differences: Mission Statutory Authority Compliance Paradigm

Primary Differences:

Mission

Statutory Authority

Compliance Paradigm

FinCEN and OFAC Compared Mission OFAC “ Administer and enforce economic and trade sanctions based on U.S. foreign policy and national security goals.” FinCEN “ Safeguard the financial system from the abuses of financial crime, including terrorist financing, money laundering, and other illicit activity.”

Mission

OFAC

“ Administer and enforce economic and trade sanctions based on U.S. foreign policy and national security goals.”

FinCEN

“ Safeguard the financial system from the abuses of financial crime, including terrorist financing, money laundering, and other illicit activity.”

FinCEN and OFAC Compared Statutory Authority OFAC Trading With the Enemy Act (TWEA), P.L. 65-91, 40 Stat. 411 (Oct. 6, 1917) International Emergency Economic Powers Act (IEEPA), P. L. 95-223, 91 Stat. 1626 (Dec. 28, 1977) Various other statutes FinCEN Bank Secrecy Act, P. L. 91-508, 84 Stat. 1114, 1118 (Oct. 26, 1970) Patriot Act, P.L. 107-56, 115 Stat. 272 (Oct. 26, 2001)

Statutory Authority

OFAC

Trading With the Enemy Act (TWEA), P.L. 65-91, 40 Stat. 411 (Oct. 6, 1917)

International Emergency Economic Powers Act (IEEPA), P. L. 95-223, 91 Stat. 1626 (Dec. 28, 1977)

Various other statutes

FinCEN

Bank Secrecy Act, P. L. 91-508, 84 Stat. 1114, 1118 (Oct. 26, 1970)

Patriot Act, P.L. 107-56, 115 Stat. 272 (Oct. 26, 2001)

FinCEN and OFAC Compared Similarities: Counterterrorism/Anti-Narcotics Purpose Risk Based Compliance Reports as Enforcement Tools Multipurpose Database Public Outreach / Hotline Treasury Department Function

Similarities:

Counterterrorism/Anti-Narcotics Purpose

Risk Based Compliance

Reports as Enforcement Tools

Multipurpose Database

Public Outreach / Hotline

Treasury Department Function

FinCEN and OFAC Compared Differences in Compliance Paradigm: OFAC Strict Liability Block property Avoid transaction File Reports FinCEN Structured compliance Policies, procedures, internal controls Compliance officer Training Independent testing File reports

Differences in Compliance Paradigm:

OFAC

Strict Liability

Block property

Avoid transaction

File Reports

FinCEN

Structured compliance

Policies, procedures,

internal controls

Compliance officer

Training

Independent testing

File reports

OFAC Overview Country-Based Programs Cuba, Iran, Sudan Regime-Based Programs Burma Belarus, North Korea, Iraq I and Iraq II Liberia (former regime ) List Based Programs Narcotics Trafficking, Diamond Trading, Anti-Terrorism, WMD, Balkans, Syria, Lebanon, Congo, Ivory Coast, Zimbabwe Sanctions Program Categories

Comprehensive Programs Regime-Based Programs Cuba Balkans Iran Belarus Sudan Cote D’Ivoire Anti-Terrorism Dem. Republic of the Congo Counter Narcotics Trafficking Former Liberian Regime Non-Proliferation (WMD) of Charles Taylor Zimbabwe Limited Programs Burma (Myanmar) North Korea Syria Diamond Trading http://www.treas.gov/offices/enforcement/ofac/programs/index.shtml OFAC Overview

Comprehensive Programs Regime-Based Programs

Cuba Balkans

Iran Belarus

Sudan Cote D’Ivoire

Anti-Terrorism Dem. Republic of the Congo

Counter Narcotics Trafficking Former Liberian Regime

Non-Proliferation (WMD) of Charles Taylor

Zimbabwe

Limited Programs

Burma (Myanmar)

North Korea

Syria

Diamond Trading

http://www.treas.gov/offices/enforcement/ofac/programs/index.shtml

So who or what is a ‘SDN’? OFAC “Specially Designated Nationals” Derived from classified and open source evidence Foreign governments and entities owned, controlled by or acting on behalf of those governments Individuals engaged in prohibited activity Narcotics trafficking Terrorism WMD proliferation SDN List changed 52 times in 2008 changed 19 times in 2009* * As of April 20, 2009

OFAC “Specially Designated Nationals”

Derived from classified and open source evidence

Foreign governments and entities owned, controlled by or acting on behalf of those governments

Individuals engaged in prohibited activity

Narcotics trafficking

Terrorism

WMD proliferation

SDN List

changed 52 times in 2008

changed 19 times in 2009*

* As of April 20, 2009

IEEPA Enhancement Act - October 16, 2007 (P.L. 110-96, 121 Stat 1011 ) IEEPA Penalty Increase to Greater of: $250,000.00, or Two times (2X) Transaction Amount, whichever is greater OFAC Enforcement Guidelines

IEEPA Enhancement Act - October 16, 2007

(P.L. 110-96, 121 Stat 1011 )

IEEPA Penalty Increase to Greater of:

$250,000.00, or Two times (2X) Transaction Amount, whichever is greater

Enforcement Guidelines – Structure Definitions Types of Responses to Apparent Violations General Factors Affecting Administrative Action Civil Penalties OFAC Enforcement Guidelines

Enforcement Guidelines – Structure

Definitions

Types of Responses to Apparent Violations

General Factors Affecting Administrative Action

Civil Penalties

OFAC Sanctions Sanctions Enforcement Options No Action Warning or Cautionary Letter Revocation of a License Civil Penalties Criminal Referrals

Sanctions Enforcement Options

Enforcement Guidelines – Definitions Apparent Violation Applicable Schedule Amount Transaction Value Egregious Violation Voluntary Self-Disclosure OFAC Enforcement Guidelines

Enforcement Guidelines – Definitions

Apparent Violation

Applicable Schedule Amount

Transaction Value

Egregious Violation

Voluntary Self-Disclosure

Enforcement Guidelines – OFAC Responses No Action Request Additional Information Cautionary Letter Finding of Violation Civil Monetary Penalty Criminal Referral OFAC Enforcement Guidelines

Enforcement Guidelines – OFAC Responses

No Action

Request Additional Information

Cautionary Letter

Finding of Violation

Civil Monetary Penalty

Criminal Referral

Enforcement Guidelines – General Factors Willful or Reckless Violation Awareness of Conduct Harm to Sanctions Program Objectives Individual Characteristics of Subject Person Compliance Program / Remedial Response Cooperation with OFAC OFAC Enforcement Guidelines

Enforcement Guidelines – General Factors

Willful or Reckless Violation

Awareness of Conduct

Harm to Sanctions Program Objectives

Individual Characteristics of Subject Person

Compliance Program / Remedial Response

Cooperation with OFAC

Voluntary Self-Disclosure Egregious Case (1) One-Half Transaction Value ($125k Cap) No Yes No Yes (3) One-Half Statutory Maximum (2) Applicable Schedule Amount ($250k Cap) (4) Statutory Maximum Base Penalty Calculation OFAC Enforcement Guidelines

Enforcement Guidelines – Civil Penalties Base Category Calculation Adjustment for Relevant General Factors Substantial Cooperation First Violation Other General Factors OFAC Enforcement Guidelines

Enforcement Guidelines – Civil Penalties

Base Category Calculation

Adjustment for Relevant General Factors

Substantial Cooperation

First Violation

Other General Factors

Example of Egregious Violation: Lloyds TSB Bank PLC Dual Deferred Prosecution Agreements entered 1/9/2009 Charges Knowingly and willfully violated IEEPA Intentionally Falsified Records of U.S. correspondent banks $ 350,000,000 forfeiture and penalties Penalties from DOJ and NYCDA – not directly via OFAC International Emergency Economic Powers Act (IEEPA) (Title 50 U.S. Code 1701 – 1707) Prohibits exportation of services to Iran and Sudan w/out authorization Any transaction in US that evaded & avoided sanctions Falsification of Business Records in the First Degree (NY State Penal Law 175.10) False information and omissions

Dual Deferred Prosecution Agreements entered 1/9/2009

Charges

Knowingly and willfully violated IEEPA

Intentionally Falsified Records of U.S. correspondent banks

$ 350,000,000 forfeiture and penalties

Penalties from DOJ and NYCDA – not directly via OFAC

International Emergency Economic Powers Act (IEEPA) (Title 50 U.S. Code 1701 – 1707)

Prohibits exportation of services to Iran and Sudan w/out authorization

Any transaction in US that evaded & avoided sanctions

Falsification of Business Records in the First Degree (NY State Penal Law 175.10)

False information and omissions

Lloyds TSB Bank Issue: Stripping / Modifying Data in Payment Messages Conduct began in mid-1990’s – Ended in April 2004 for Iran & September 2007 for Sudan Stripped relevant info from payment messages to avoid OFAC sanctions for countries, banks & persons – Countries included Iran, Libya and Sudan Criminal conduct was designed to assist clients in avoiding detection by OFAC filters at US banks Caused US banks to provide prohibited services Specific written policy & payment processors for manually handling (“stripping”) US-Dollar Iranian payments

Conduct began in mid-1990’s

– Ended in April 2004 for Iran & September 2007 for Sudan

Stripped relevant info from payment messages to avoid OFAC sanctions for countries, banks & persons

– Countries included Iran, Libya and Sudan

Criminal conduct was designed to assist clients in avoiding detection by OFAC filters at US banks

Caused US banks to provide prohibited services

Specific written policy & payment processors for manually handling (“stripping”) US-Dollar Iranian payments

Identify Compliance Program Objectives AML Objectives -- Identify Risks -- Know Your Customer -- Sanctions Compliance Where Do We Start ?

Identify Compliance Program Objectives

AML Objectives

-- Identify Risks

-- Know Your Customer

-- Sanctions Compliance

Comprehensive Process Sanctions Program & AML/BSA Compliance Designate specific person(s) as BSA/AMLO and Sanctions Compliance Officer(s) AML Officer must understand the company’s business Effective Compliance requires operational and business understanding Need for senior management champions Institutionalize board and executive management audiences Evangelization on part of Compliance

Sanctions Program & AML/BSA Compliance

Designate specific person(s) as BSA/AMLO and Sanctions Compliance Officer(s)

AML Officer must understand the company’s business

Effective Compliance requires operational and business understanding

Need for senior management champions

Institutionalize board and executive management audiences

Evangelization on part of Compliance

Implementation Sanctions Program & AML/BSA Compliance Risk Assessment of your Business ( For both OFAC / Sanctions and for AML / BSA Risks) Types of Customers Types of Products/Services Offered Types of Transactions Volume of Transactions to be screened Account and Transaction Parties Geographies Served

Sanctions Program & AML/BSA Compliance

Risk Assessment of your Business

( For both OFAC / Sanctions and for AML / BSA Risks)

Types of Customers

Types of Products/Services Offered

Types of Transactions

Volume of Transactions to be screened

Account and Transaction Parties

Geographies Served

Implementation Importance of partners/relationships Within the company: Operations / Lines of Business Compliance Audit Information Technology Law enforcement Vendors (systems, data, third party providers) What systems/applications are screening data Uniformity of search methodologies used Centralized or decentralized review of matches?

Importance of partners/relationships

Within the company:

Operations / Lines of Business

Compliance

Audit

Information Technology

Law enforcement

Vendors (systems, data, third party providers)

What systems/applications are screening data

Uniformity of search methodologies used

Centralized or decentralized review of matches?

Implementation: Know what is on the Sanctions or Caution List(s) that are applicable to your Business OFAC SDN List is comprised of Multiple Sanctioned Countries, Organizations, Groups, and Individuals, representing Multiple Types of Entities Approximately 2/3 of entities located on OFAC SDN list are comprised of Hispanic Entity Surnames * * multiple factors contribute to this event OFAC Sanctioned Entities in US, plus entities in over 100 countries/territories

Know what is on the Sanctions or Caution List(s) that are applicable to your Business

OFAC SDN List is comprised of Multiple Sanctioned Countries, Organizations, Groups, and Individuals, representing Multiple Types of Entities

Approximately 2/3 of entities located on OFAC SDN list are comprised of Hispanic Entity Surnames * * multiple factors contribute to this event

OFAC Sanctioned Entities in US, plus entities in over 100 countries/territories

Know what kinds of entity data is on the various Sanctions or Caution List(s) that are applicable to your Business OFAC SDN List is not complete “ A non-exhaustive list of their names is published in the Federal Register, an official publication of the U.S. Government. This list may be obtained by calling the Office of Foreign Assets Control at 202/622-2490, or by going to OFAC Web site…” (Foreign Asset Control Regulations for the Financial Community, SDN Definition, pps. 5, 33) Implementation: OFAC and other ‘List Data’

Know what kinds of entity data is on the various Sanctions or Caution List(s) that are applicable to your Business

OFAC SDN List is not complete

“ A non-exhaustive list of their names is published in the Federal Register, an official publication of the U.S. Government. This list may be obtained by calling the Office of Foreign Assets Control at 202/622-2490, or by going to OFAC Web site…”

(Foreign Asset Control Regulations for the Financial Community, SDN Definition, pps. 5, 33)

OFAC and The Palestinian Authority Representatives of the Hamas currently form the majority party within the Palestinian Legislative Council (PLC) and hold high level offices within the Palestinian Authority (PA) including the Prime Minister Hamas is targeted under 3 OFAC Terrorism sanction programs Global Terrorism Sanctions Regulations, 31 C.F.R. Part 594 Terrorism Sanctions Regulations, 31 C.F.R. Part 595 Foreign Terrorist Organizations Sanctions Regulations, 31 C.F.R. Part 597 http://www.treas.gov/offices/enforcement/ofac/programs/terror/pa.shtml Refer to General License #4 for do’s and don’ts re: Palestinian Entities Implementation: OFAC Data

OFAC and The Palestinian Authority

Representatives of the Hamas currently form the majority party within the Palestinian Legislative Council (PLC) and hold high level offices within the Palestinian Authority (PA) including the Prime Minister

Hamas is targeted under 3 OFAC Terrorism sanction programs

Global Terrorism Sanctions Regulations, 31 C.F.R. Part 594

Terrorism Sanctions Regulations, 31 C.F.R. Part 595

Foreign Terrorist Organizations Sanctions Regulations, 31 C.F.R. Part 597

http://www.treas.gov/offices/enforcement/ofac/programs/terror/pa.shtml

Refer to General License #4 for do’s and don’ts re: Palestinian Entities

OFAC and The Palestinian Authority General License #4 includes (a) definition of parts of the Palestinian Authority that U.S. persons can deal with, and (b) definition of parts of the Palestinian Authority that U.S. persons can not deal with NS-PLC List includes individuals who are PLC members who were elected on the party slate of an FTO, SDT, or SDGT. NS-PLC Listed individuals do not appear on the SDN List. Transactions involving these individuals must be rejected . Keep it simple: If you get a hit on suspected PLC entities, call OFAC… Implementation: OFAC Data

OFAC and The Palestinian Authority

General License #4 includes

(a) definition of parts of the Palestinian Authority that U.S. persons can deal with, and

(b) definition of parts of the Palestinian Authority that U.S. persons can not deal with

NS-PLC List includes individuals who are PLC members who

were elected on the party slate of an FTO, SDT, or SDGT.

NS-PLC Listed individuals do not appear on the SDN List.

Transactions involving these individuals must be rejected .

Keep it simple: If you get a hit on suspected PLC entities, call OFAC…

Other sanctions programs may be applicable to your business, depending on results of your risk assessment. There are more than 60 other sanction-like lists issued by various jurisdictions around the world. Screen against those lists that are directly applicable to your business from a regulatory or risk management perspective. Regulatory requirement versus customer suitability The following also may be applicable to your firm: Section 311 Special Measures Entities (six entities) Section 314(a) Entities* *provided you receive the list from FinCEN Import/Export: BIS, DTC, others PEPs, Criminals (financial crimes or others) and/or Negative News Implementation: What about other lists ?

Other sanctions programs may be applicable to your business, depending on results of your risk assessment.

There are more than 60 other sanction-like lists issued by various jurisdictions around the world.

Screen against those lists that are directly applicable to your business from a regulatory or risk management perspective.

Regulatory requirement versus customer suitability

The following also may be applicable to your firm:

Section 311 Special Measures Entities (six entities)

Section 314(a) Entities*

*provided you receive the list from FinCEN

Import/Export:

BIS, DTC, others

PEPs, Criminals (financial crimes or others) and/or Negative News

Identify Where Risk Factors Exist Existing Customer Records Should be screened on regular, frequent ongoing basis Monthly or quarterly screening may not be enough Screening as part of policy issuance only is insufficient New Customer / New Account May be screened in real time or batch (end of day) Also confirm/validate customer identity for new customers and customer suitability Documentary or non-documentary means Customer Due Diligence and Enhanced Due Diligence where required Due Diligence should go beyond basic CIP Program requirements Implementation: Risk Assessment

Identify Where Risk Factors Exist

Existing Customer Records

Should be screened on regular, frequent ongoing basis

Monthly or quarterly screening may not be enough

Screening as part of policy issuance only is insufficient

New Customer / New Account

May be screened in real time or batch (end of day)

Also confirm/validate customer identity for new customers and customer suitability

Documentary or non-documentary means

Customer Due Diligence and Enhanced Due Diligence where required

Due Diligence should go beyond basic CIP Program requirements

Identify Where Risk Factors Exist Payment Transactions (Inbound) with submission of policy application Renewal premium of party who subsequently becomes specially designated Payments Transactions (Outbound) Screen both policyholder (customer) and beneficiary information prior to claim payment Determine nuances for various payment transaction types ( check, ACH, Fedwire, SWIFT, IATs, etc.) Other transactions Loans, Monetary Instruments, Credit Cards, e-Banking, Trust, Wealth Management, Vendors, Third Party Service Providers, etc. Implementation: Risk Assessment

Identify Where Risk Factors Exist

Payment Transactions (Inbound)

with submission of policy application

Renewal premium of party who subsequently becomes specially designated

Payments Transactions (Outbound)

Screen both policyholder (customer) and beneficiary information prior to claim payment

Determine nuances for various payment transaction types ( check, ACH, Fedwire, SWIFT, IATs, etc.)

Other transactions

Loans, Monetary Instruments, Credit Cards, e-Banking, Trust, Wealth Management, Vendors, Third Party Service Providers, etc.

Evaluate and Rate each Risk Document, Document, Document Specifically document the risk for each exposure to OFAC or other sanctions lists Specifically document AML/BSA risk Include complete information in SARs narrative as appropriate Implementation: Risk Assessment

Evaluate and Rate each Risk

Document, Document, Document

Specifically document the risk for each exposure to OFAC or other sanctions lists

Specifically document AML/BSA risk

Include complete information in SARs narrative as appropriate

Risk Management Matrix Courtesy of SightSpan - Used with Permission

Implementation: Risk Assessment Evaluate and Rate Each Risk Date: Person Submitting Request: OFAC/BSA Issue: Line(s) of Business Affected: Decision Made: Persons Involved in Decision-making Process: Associated Risk(s): Justification for Decision: Sign off from OFAC/BSA Officer: Operations / Lines of Business

Evaluate and Rate Each Risk

Date:

Person Submitting Request:

OFAC/BSA Issue:

Line(s) of Business Affected:

Decision Made:

Persons Involved in Decision-making Process:

Associated Risk(s):

Justification for Decision:

Sign off from OFAC/BSA Officer: Operations / Lines of Business

What areas should be considered? Example operational areas in Banking & Securities: Wires (EFT) Customer Accounts SWIFT messages Securities transactions ACH transactions Domestic IATs Credit cards Loans Letters of Credit Standby LC’s Documentary Collections Trust operations Vendor contracts Safe Deposit, CDs, Monetary Instruments Non-customer transactions Securities/Mutual Funds Trades Securities Instruments

Wires (EFT)

Customer Accounts

SWIFT messages

Securities transactions

ACH transactions

Domestic

IATs

Credit cards

Loans

Letters of Credit

Standby LC’s

Documentary Collections

Trust operations

Vendor contracts

Safe Deposit, CDs, Monetary Instruments

Non-customer transactions

Securities/Mutual Funds

Trades

Securities Instruments

All insurance transactions and customer relationships involving persons or companies or entities subject to US Laws/Regulations: Life Property & Casualty Commercial Lines Personal Lines Workers’ Compensation What areas should be considered? Example operational areas: Insurance

All insurance transactions and customer relationships involving persons or companies or entities subject to US Laws/Regulations:

Life

Property & Casualty

Commercial Lines

Personal Lines

Workers’ Compensation

All securities transactions and customer relationships involving persons, companies or entities that are subject to US Laws/Regulations: Parties to Trades Counterparties Clients Intermediaries Securities Instruments themselves Is the stock, bond, fund, etc. associated with a sanctioned entity? What areas should be considered? Example operational areas: Securities

All securities transactions and customer relationships involving persons, companies or entities that are subject to US Laws/Regulations:

Parties to Trades

Counterparties

Clients

Intermediaries

Securities Instruments themselves

Is the stock, bond, fund, etc. associated with a sanctioned entity?

NEW IAT RULES Expansion of International ACH Payments & Requirements Effective Sept. 18, 2009 Likely impact on all US Financial Institutions that do ACH transactions Mandatory capture of additional information for covered transactions OFAC screening Takes time to change systems

Expansion of International ACH Payments & Requirements

Effective Sept. 18, 2009

Likely impact on all US Financial Institutions that do ACH transactions

Mandatory capture of additional information for covered transactions

OFAC screening

Takes time to change systems

What is an IAT, and what is all the fuss about ? An IAT, or International ACH Transaction, is a credit or debit involving a bank office located outside the United States Covers all ACH transactions originating from or transmitted to an office of a financial agency outside US territorial jurisdiction Focus on whether there is a foreign financial agency involved Changes to ACH cross-border formats made in response OFAC requests and FATF Special Recommendation VII OFAC penalties for non-compliance Screening responsibilities

An IAT, or International ACH Transaction, is a credit or debit involving a bank office located outside the United States

Covers all ACH transactions originating from or transmitted to an office of a financial agency outside US territorial jurisdiction

Focus on whether there is a foreign financial agency involved

Changes to ACH cross-border formats made in response OFAC requests and FATF Special Recommendation VII

OFAC penalties for non-compliance

Screening responsibilities

Travel Rule Requirements The following information must be captured and included in IAT: Originator name Originator physical address Name of receiver (beneficiary) Physical address of receiver Account # of receiver New Record Keeping Requirements for IATs

Travel Rule Requirements

The following information must be captured and included in IAT:

Originator name

Originator physical address

Name of receiver (beneficiary)

Physical address of receiver

Account # of receiver

New Record Keeping Requirements for IATs Travel Rule Requirements (cont’d) The following information must be captured and included in IAT: Identity of Receiver’s Bank Correspondent Bank(s) me, Bank ID #, and Bank Branch Country Code Reason for the payment Unlike Travel Rule, applies for IAT transaction of any amount (not just $3,000 and up)

Travel Rule Requirements (cont’d)

The following information must be captured and included in IAT:

Identity of Receiver’s Bank

Correspondent Bank(s) me, Bank ID #, and Bank Branch Country Code

Reason for the payment

Unlike Travel Rule, applies for IAT transaction of any amount (not just $3,000 and up)

OFAC Screening Indicators for IATs The Fed, in its capacity as Gateway Operator, intends to screen inbound IAT entries for OFAC compliance It will advise the RDFI, through an OFAC screening indicator, of potential issues It may use Fedline Web to advise the RDFI of Inbound IAT transactions that contain data appearing on the OFAC SDN List The Electronic Payments Network, a private sector ACH Operator, will make an OFAC screening function available to its customer FIs as a value added services Inbound transactions that don’t run thru Fed or EPN will still be covered ODFI and Gateway Operator still have obligations to identify as IAT for Outbound transactions too

The Fed, in its capacity as Gateway Operator, intends to screen inbound IAT entries for OFAC compliance

It will advise the RDFI, through an OFAC screening indicator, of potential issues

It may use Fedline Web to advise the RDFI of Inbound IAT transactions that contain data appearing on the OFAC SDN List

The Electronic Payments Network, a private sector ACH Operator, will make an OFAC screening function available to its customer FIs as a value added services

Inbound transactions that don’t run thru Fed or EPN will still be covered

ODFI and Gateway Operator still have obligations to identify as IAT for Outbound transactions too

Optional Fields for OFAC Indicators IAT format will include 2 optional fields to convey the results of voluntary OFAC screening on the transaction Value of “0” indicates the party doing the screening did not find a potential blocked party Value of “1” indicates potential presence of a blocked party These indicators assist RDFIs and Correspondent banks processing Int’l payment by identifying entries that are highly suspect FI cannot rely on Int’l counterparts for compliance with US law

IAT format will include 2 optional fields to convey the results of voluntary OFAC screening on the transaction

Value of “0” indicates the party doing the screening did not find a potential blocked party

Value of “1” indicates potential presence of a blocked party

These indicators assist RDFIs and Correspondent banks processing Int’l payment by identifying entries that are highly suspect

FI cannot rely on Int’l counterparts for compliance with US law

OFAC Issues (cont’d) US RDFI’s and beneficiaries continue to: Ensure all aspects of inbound, cross-border transactions comply with OFAC and Need to take appropriate steps to investigate, suspend, reject, block and report on transactions For Outbound IATs the US ODFI and their Originators continue to be responsible for: Ensuring all parties to the transactions, as well as the underlying purpose, comply with OFAC regulations Need to take appropriate steps to investigate, suspend, reject, block and report on transactions

US RDFI’s and beneficiaries continue to:

Ensure all aspects of inbound, cross-border transactions comply with OFAC and

Need to take appropriate steps to investigate, suspend, reject, block and report on transactions

For Outbound IATs the US ODFI and their

Originators continue to be responsible for:

Ensuring all parties to the transactions, as well as the underlying purpose, comply with OFAC regulations

Need to take appropriate steps to investigate, suspend, reject, block and report on transactions

Cover Payment Basics… In a cover payment, the intermediary bank receiving the payment order related to the MT 202 does not receive the payment order related to the MT 103 Only the bank originating the cover payment can monitor and filter both legs of the cover payment (MT 103 & MT 202) The intermediary bank can only monitor & filter the MT202 The intermediary bank cannot distinguish MT 202’s which are cover payments from MT202’s used for other bank to bank payments (settlement of FX trades, overnight deposits, etc)

In a cover payment, the intermediary bank receiving the payment order related to the MT 202 does not receive the payment order related to the MT 103

Only the bank originating the cover payment can monitor and filter both legs of the cover payment (MT 103 & MT 202)

The intermediary bank can only monitor & filter the MT202

The intermediary bank cannot distinguish MT 202’s which are cover payments from MT202’s used for other bank to bank payments (settlement of FX trades, overnight deposits, etc)

The cover payment Ordering customer’s bank Beneficiary Bank Sender’s USD Correspondent MT 202 Receiver's USD Correspondent CHIPS/Fed MT 910/950 Ordering Customer Beneficiary * Example in USD Also valid for other currencies that apply cover (mainly GBP) MT 103 in USD*

The issue MT 103 in USD Ordering customer’s bank Bene’s bank Sender’s USD Correspondent MT 202 Receiver's USD Correspondent CHIPS/Fed MT 910/950 Ordering Customer UNKNOWN PARTIES IN THE COVER PAYMENT Beneficiary

Cover Payment Basics… US intermediary banks are subject to increased risk of unknowingly facilitating illicit activities US intermediary banks do not receive all the details about the customer payment (MT103) to which the cover payment (MT202) relates because the MT 202 format does not require detailed info for the original Originator and Beneficiary Info MT202COV, MT203COV and MT205COV to be implemented by SWIFT in November 2009 to address lack of transparency in cover payments. (add’l data requirements to identify parties to the transaction)

US intermediary banks are subject to increased risk of unknowingly facilitating illicit activities

US intermediary banks do not receive all the details about the customer payment (MT103) to which the cover payment (MT202) relates because the MT 202 format does not require detailed info for the original Originator and Beneficiary Info

MT202COV, MT203COV and MT205COV to be implemented by SWIFT in November 2009 to address lack of transparency in cover payments.

(add’l data requirements to identify parties to the transaction)

Implementation of Message Format Changes Both SWIFT and FRB are holding workshops and teleconferences about how changes are handled in SWIFT and in the FedWire / Fedline message processing environments  All member banks need to amend systems to populate and receive the MT202COV. Majority of SWIFT member banks will be covered by maintenance contracts with their solution provider, which usually cover changes in SWIFT Standards. May be one-off costs if not covered by maintenance contract. Check with your payment system vendor(s) to insure that you understand the processes they are undertaking to address this prior to November 2009

Both SWIFT and FRB are holding workshops and teleconferences about how changes are handled in SWIFT and in the FedWire / Fedline message processing environments



All member banks need to amend systems to populate

and receive the MT202COV.

Majority of SWIFT member banks will be covered by maintenance contracts with their solution provider, which usually cover changes in SWIFT Standards. May be one-off costs if not covered by maintenance contract.

Check with your payment system vendor(s) to insure that you understand the processes they are undertaking to address this prior to November 2009

Our Dilemma: Screening the Data Gotta Find the Bad Guys, but… Bad Guys are people, too They may not use their full names They share names with Good Guys Organizations use Acronyms Is the Cure is Worse than the Disease? We need smaller haystacks “ Find the bad guys, stop the money flow” is much easier said than done.

Gotta Find the Bad Guys, but…

Bad Guys are people, too

They may not use their full names

They share names with Good Guys

Organizations use Acronyms

Is the Cure is Worse than the Disease?

We need smaller haystacks

Understanding Our Own Data Factors to Consider in Understanding Your Data Customer Data What kind of information do you have? How complete and accurate is your customer data? Do different systems facilitate alternate information about the same customer? What kind of information is missing? Does customer information vary by customer type? How do different systems provide data for screening or review? What data elements are available in various types of transaction messages? Data preparation is an investment… not an expense

Factors to Consider in Understanding Your Data

Customer Data

What kind of information do you have?

How complete and accurate is your customer data?

Do different systems facilitate alternate information about the same customer?

What kind of information is missing?

Does customer information vary by customer type?

How do different systems provide data for screening or review?

What data elements are available in various types of transaction messages?

Screen separate data separately View data in logical fields of information – separate Names from locations ANDY GROVE in NEW YORK ESPERANZA GOMEZ in PUERTO PLATA Separate Accounts in Logical Grouping Separate corporate accounts from personal accounts Certain account record types may have different screening requirements Understand what specific data is in various fields of your transaction data Do all fields need to be screened? Do all message types need to be screened? Determine how to remove or ignore prefixes in messages: /D/, /C/, //FW, //CH, etc. Mining Your Data

Screen separate data separately

View data in logical fields of information – separate Names from locations

ANDY GROVE in NEW YORK

ESPERANZA GOMEZ in PUERTO PLATA

Separate Accounts in Logical Grouping

Separate corporate accounts from personal accounts

Certain account record types may have different screening requirements

Understand what specific data is in various fields of your transaction data

Do all fields need to be screened?

Do all message types need to be screened?

Determine how to remove or ignore prefixes in messages:

/D/, /C/,

//FW, //CH, etc.

What kinds of entities are on the list? Persons, Countries/Places, Organizations, Vessels, etc. What’s in a listing? Names and Addresses Dates of Birth Passports and Other IDs Affiliations and Roles But not comprehensive, up-to-date Isn’t ABU MUSAB AL-ZARQAWI dead? Mining OFAC or other Caution List Data

What kinds of entities are on the list?

Persons, Countries/Places, Organizations, Vessels, etc.

What’s in a listing?

Names and Addresses

Dates of Birth

Passports and Other IDs

Affiliations and Roles

But not comprehensive, up-to-date

Isn’t ABU MUSAB AL-ZARQAWI dead?

Mining Names Names have components MARIA ELDA RODRIGUEZ PULIDO ABD EL-WAHAB JUAN M. DE LA CRUZ Names have structure Names follow rules Issues with cultural naming conventions

Names have components

MARIA ELDA RODRIGUEZ PULIDO

ABD EL-WAHAB

JUAN M. DE LA CRUZ

Names have structure

Names follow rules

Issues with cultural naming conventions

Addresses and IDs not very useful for sanctions Listings missing address, ID info Info less reliable if you don’t see the ID Anyone can “move” for a large enough payday For PEPs, addresses and Locations and IDs can be useful Exclude matches across borders Exceptions: National officials, Diplomats Exceptions: Addresses for relatives, Associates Dates of Birth Generally not useful in ruling out matches on transactions When screening customer data DOB can be useful to cull out false hits or false matches on clients Excluding Listed Dates of Birth, Years of Birth Single date excludes 99+% of matches Approximate Dates of Birth Mining Addresses, IDs and/or Dates of Birth

Addresses and IDs not very useful for sanctions

Listings missing address, ID info

Info less reliable if you don’t see the ID

Anyone can “move” for a large enough payday

For PEPs, addresses and Locations and IDs can be useful

Exclude matches across borders

Exceptions: National officials, Diplomats

Exceptions: Addresses for relatives, Associates

Dates of Birth

Generally not useful in ruling out matches on transactions

When screening customer data DOB can be useful to cull out false hits or false matches on clients

Excluding Listed Dates of Birth, Years of Birth

Single date excludes 99+% of matches

Approximate Dates of Birth

Summary Issues to Consider in Effective Screening Data Quality Considerations - both client data and vendor-provided data Analysis and Management of False Positives Must have analytic information available on hits Multiple ways to address false positives (check-box approach is often insufficient) Train all appropriate employees in process of developing rules to fit your particular business Training should be customized to your particular policies, procedures, internal processes and to your business

Issues to Consider in Effective Screening

Data Quality Considerations - both client data and vendor-provided data

Analysis and Management of False Positives

Must have analytic information available on hits

Multiple ways to address false positives (check-box approach is often insufficient)

Train all appropriate employees in process of developing rules to fit your particular business

Training should be customized to your particular policies, procedures, internal processes and to your business

Summary Enable better understanding of enterprise wide risks as well as specific risks Useful inn developing/implementing your policies/ procedures Perform and document Risk Analyses Gather enough information to really Know Your Customer Validate customer information against sanctions and other data and information sources Aid to your compliance efforts Better enable additional business opportunities with the customer

Enable better understanding of enterprise wide risks as well as specific risks

Useful inn developing/implementing your policies/ procedures

Perform and document Risk Analyses

Gather enough information to really Know Your Customer

Validate customer information against sanctions and other data and information sources

Aid to your compliance efforts

Better enable additional business opportunities with the customer

Have Questions or Need Additional Information ? Shaun M. Hassett, CAMS Clarity Risk & Compliance Advisors “ a passion for developing Compliance Excellence” +1.847.458.8670 (office) +1.847.652.2370 (mobile) [email_address]

Shaun M. Hassett, CAMS

Clarity Risk & Compliance Advisors

“ a passion for developing Compliance Excellence”

+1.847.458.8670 (office)

+1.847.652.2370 (mobile)

[email_address]