BLOG VIEW: The U.S. Department of the Treasury, through the Financial Crimes Enforcement Network (FinCEN), issued a final rule in February 2012 requiring nonbank residential mortgage lenders and originators to establish anti-money laundering (AML) programs and to report suspicious activities under the Bank Secrecy Act (BSA). The BSA is designed to alert law enforcement of criminal and terrorist activity. The BSA requires U.S. financial institutions (including non-bank residential mortgage lenders/brokers) to assist U.S. government agencies in detecting and preventing money laundering.
Despite the issuance of this final rule more than six years ago, many nonbank mortgage lenders/brokers are not complying with the requirements of the BSA and, as a result, regulators are beginning to take note in their examinations.
A compliant AML program for a residential mortgage lender/broker includes: 1) designating a competent individual to serve as the company’s BSA/AML compliance officer; 2) conducting an AML Risk Assessment; 3) drafting and implementing written internal policies and procedures; 4) establishing an ongoing training program; and 5) conducting an independent audit of the company’s AML program every 12 to 18 months. An AML program must also include the maintenance of a “red flags” program and a customer identification program, the filing of suspicious activity reports (SARs), when required, and compliance with Section 314 of the U.S. Patriot Act and Office of Foreign Assets Control (OFAC) regulations.
Most mortgage companies have designated a BSA/AML compliance officer and have an AML policy and procedure in place; however, many mortgage companies do not comply with one or more of the other AML requirements.
For example, more often than not, mortgage companies are not conducting an AML risk assessment. This needs to be completed at least every 12 to 18 months, and lenders should be modifying identified activities based on the company’s operations and growth. The risk assessment should consider the current and future state of items such as the company’s size, products, customer base and geographic area of operation. The Conference for State Bank Supervisors (CSBS) has issued a tool to assist mortgage companies in completing such risk assessments. This tool can be found at https://www.csbs.org/bsa-aml-self-assessment-tool.
Another BSA requirement that is frequently lacking or unfulfilled is ongoing training. Mortgage companies must train their personnel at least annually in all applicable aspects of AML regulations. A best practice for lenders is to provide AML training to all new employees within 30 days of hire.
Additionally, the BSA/AML compliance officer must receive periodic training that is relevant and appropriate given changes to regulatory requirements, as well as the activities and overall AML risk profile of the company. All AML training needs to be adequately tailored to a company’s operations. For example, mortgage companies should specifically train their personnel on the types of suspicious activity and “red flags” they are likely to come across, such as mortgage fraud related items.
Finally, mortgage companies must document their training programs by maintaining training and testing materials, the dates of training sessions and attendance records. Lenders that are not conducting this annual training should immediately do so, and there are a host of vendors that can assist in providing AML training and tracking tools at a fairly reasonable cost.
Another aspect lenders seem to be overlooking is independent testing/audits. Although the specific nature of the testing will be somewhat dependent on the company’s size and risk profile, the AML audit can be performed by an independent third party or an employee of the company, provided the employee has no role whatsoever in the AML functions being tested (including reporting to the BSA/AML officer), and possesses enough knowledge of BSA regulations to be qualified to perform the audit.
By far, the area of most noncompliance by mortgage companies pertaining to AML requirements is with regard to the filing of SARs. FinCEN highlights the importance of SAR filing by mortgage companies indicating that mortgage companies are the, “primary providers of mortgage finance … and are in a unique position to assess and identify money laundering risks and fraud.”
The BSA lists several situations where a mortgage company must file a SAR. A SAR requires basic company information, information about the individuals involved and information about the suspicious activity or transaction. FinCEN requires all filings to be submitted electronically through its website.
Many mortgage companies take the view that transactions are only reportable only if they involve currency. Not only is this view incorrect, it’s also quite risky. While many of the requirements for the filing of a SAR involve currency, there is also a requirement for a transaction to be reported if a mortgage company knows, suspects or has reason to suspect that a transaction involves the use of the loan or company to facilitate criminal activity.
Given this, mortgage companies must file a SAR every time they suspect fraud – whether it is income, employment, occupancy or some other type of fraud. If a mortgage company has not filed any SARs, or only a few, in the past six years, it could be a sign that the company does not have a compliant AML program or a weak one for that matter.
As such, it is not uncommon for an examiner to ask to review any adverse action notices for the past several years or to speak with the underwriting department to discuss whether they have denied any transactions for suspected or known fraud. In most instances, such fraudulent or suspicious situations are reported to an employee’s manager and not the BSA/AML compliance officer.
It is not surprising that these companies are often the ones that either do not conduct AML training or do not customize their AML training to specifically discuss mortgage fraud, rather than just situations involving large money laundering schemes and currency. Furthermore, it is a best practice for the BSA/AML compliance officer to review all QC reports in an effort to identify any activity that could require the filing of a SAR.
There are many mortgage companies with strong AML programs in place. These companies expend the resources, time and money to ensure they comply with all the BSA requirements. Given the substantial civil and criminal penalties set forth in the statute and the significant increase in state examination questions related to AML items, it is recommended that lenders take a long, hard look at their AML programs and ensure all requirements are properly satisfied.
Michael Barone is executive director of compliance for MQMR, where he oversees all compliance and regulatory guidance with clients and prospective clients.
