Your financial institution’s board or senior management has decided that it is time to offer services to a money services business (MSB), or maybe more than one.
As the Bank Secrecy Act (BSA) officer, you are now tasked with making it happen.
What do you do? Where do you start?
All money services businesses are not created equal
MSBs are defined in the regulation and are a subset of the much broader group of businesses known as non-bank financial institutions (NBFI). The BSA, the current Federal Financial Institutions Examination Council’s (FFIEC) Examination Manual and your regulators generally consider MSBs and NBFIs as higher-risk businesses requiring ongoing review and management.
All MSBs do not pose the same level of risk and thus should not all be treated with a broad-brush approach.
There are significant differences among MSBs with regard to risk and compliance with the BSA.
It is important to understand whether an MSB is operating as an agent for another company (such as Western Union or Money Gram), which is lower risk, or independently (higher risk). Also, consider whether the services they offer are domestic only or international money transfers and whether they involve countries known to be of heightened concern for money laundering or terrorist financing.
Maybe they only perform check cashing services, currency exchanges or issue stored value cards, and the volume is not high but does occasionally exceed the $1,000 threshold in sales to a single person on a single day. Internally risk rate your MSBs to identify those that pose a higher risk than others and ensure your risk assessment and monitoring activities support those decisions.
A different wave of MSBs recently surfacing at financial institutions are virtual currency exchangers, which bring a new level of risk that has yet to be fully understood by many regulatory examiners.
Examination guidance for institutions is slim; however, the Financial Crimes Enforcement Network (FinCEN) issued FIN-2019-G001, Application of FinCEN’s Regulations to Certain Business Models Involving Convertible Virtual Currencies (CVCs),on May 9, 2019.
The guidance was intended to help financial institutions comply with their obligations under the BSA as they relate to current and emerging business models involving CVC. FinCEN’s regulatory approach to the issues most frequently raised by industry, law enforcement and other regulatory bodies within this evolving financial environment is described in the guidance. This is a must read if your institution is going to bank these types of businesses.
Understanding your MSBs’ business models is critical in determining the risks they pose to your institution.
Benefits for banking MSBs
While it may seem that there is nothing but risks involved in banking MSBs, there are certain financial and community benefits. Institutions can and do generate fee income for check, wire and deposit processing, management of a vault delivery service, origination of loans and general management of MSB relationships. And by banking MSBs, institutions are enriching the communities they operate in by helping that entity provide financial services to many unbanked and underbanked individuals.
Policy, procedure, risk assessment, written board acknowledgement
To ensure board involvement, review board minutes where MSBs were discussed or attend the next board meeting to hear directly from the board what its wishes are for strategic plans, growth expectations and risk tolerances related to banking MSBs. It may require some training of the board to help them understand the different types of MSBs and what the regulator’s expectations are for ongoing monitoring of these higher-risk businesses.
Remember that there are more risks than just compliance. Ensure you and your board have thought through the credit, operational, reputational and legal risks as well. Reaching out to your regulator to talk through opportunities like this is always a good idea, but if you are already under regulatory scrutiny, it should be one of your first steps.
Ensure that your institution’s BSA/AML policy, procedure and risk assessment are in alignment and updated to address that MSBs are not prohibited. You may want to carve out certain categories of businesses that your institution will bank versus an open door to all types of MSBs.
Customer Identification Program/Customer Due Diligence/Enhanced Due Diligence (CIP/CDD/EDD)
Review your existing new account and enhanced due diligence worksheets.
Are they detailed enough to allow for a clear identification of the type of MSB it is, the services it offers and its expected account activity? What expectation do you have for your front-line staff?
Will they be expected to gather all the necessary documentation and open the account at their desks, or will it be escalated to the BSA department for gathering documentation and performing a review prior to opening an account?
Go beyond the standard customer identification information and customer due diligence gathering by obtaining enough information to understand the business structure, its purpose, business locations and markets served. Also, identify the beneficial owners, control person, related entities, source and use of funds, as well as the nature of credits and debits that will flow through your financial institution.
Front-line staff training
Whatever operational method you determine fits your institution, train your front-line employees to understand what MSBs the institution wants to bank and those it is not ready to bank. The tellers need to understand how their branch traffic or cash volume needs may change. Will the cash come through the branch directly or via a virtual vault, or even be left at the night drop for processing?
Information package request to MSBs
Get to know the business. If they are local, set up a face-to-face meeting. Be upfront and discuss what the compliance expectations will be both initially while your institution is learning about them, as well as later when patterns become normal, expected and understood.
Legitimate, well-run (often larger and higher-risk) MSBs understand their requirements under the BSA and are often prepared to provide a package of information showing their compliance with registration, licensing (if applicable), assignment of a BSA officer, written programs, risk assessments, hiring and training practices, suspicious activity reporting, currency transaction reporting, record keeping requirements for monetary instrument sales, currency exchanges, independent testing, agent practices (if applicable) and OFAC compliance.
They also are generally prepared to provide all applicable customer identification information and beneficial ownership documentation.
Sound familiar? That’s right, MSBs must have a BSA program similar to that of financial institutions.
That does not mean that smaller less sophisticated MSBs should get a pass because they don’t know or understand what is needed.
Help them become better MSBs by talking with the principals of the business or those in the compliance or operational roles who will be your direct contacts. Let them know what the regulatory expectations are and don’t be shy about explaining the circumstances under which your institution may need to terminate the relationship.
Expected periodic monitoring (transactional and globally)
It shouldn’t need to be said — since it is often the first thought for a BSA officer but may be the last thought for the board — that it is important to consider whether existing resources are enough to take on these new MSBs. The regulatory expectations to monitor MSBs on a periodic basis are high, so be sure resources are adequate to manage these ongoing requirements.
When possible, try to have an MSB’s entire banking relationship with you. It will make understanding its operations, lending activities and overall business much easier. It will also increase transparency of the MSB’s operations, allowing a clearer view of the entire portfolio risk.
Whether your policy indicates you are to monitor these accounts monthly or quarterly (or perhaps some other frequency), follow that plan because your examiners are likely to hold you accountable to it.
At least annually, perform a full corporate review of MSBs: confirm current corporate ownership and the BSA officer status, determine whether locations or operations have significantly increased or changed and whether new services are being offered, obtain the annual independently performed compliance review, ask to see the compliance program, risk assessment, and training records and verify the registration and licensing requirements, as applicable, are current.
Also, be sure to perform online negative media searches (if you don’t have software that does this more frequently) and consider site visits, although if you have a lending relationship with the MSB, these may already be performed by a lender. If so, provide them with a checklist of the things that you would like them to review (as listed above in the Information package request to MSBs section).
You will need to document all your efforts in a clear and organized manner so your regulators can see the steps you have taken to ensure you know your MSBs and their businesses.
All in all, the decision on what types of businesses you bank is a management and board decision; however, knowing the appropriate questions to ask and steps to take is key for ensuring compliance with regulator expectations.