Banking on the Border: Managing High Gross Risk Bank ... · The bank’s front-line employees (branch personnel such as tellers, relationship managers, etc.), being the first line

Banking on the Border: Managing High Gross Risk Bank Relationships by Testing the Comprehensiveness of the AML Risk Assessment Jaime Verástegui

2

Index

I). - Executive Summary ......................................................................3

Personal and Commercial Clients .....................................................5

Products and Services ......................................................................5

II). - Risk Assessment ..........................................................................5

Customer Risk .................................................................................5

Product Risk ....................................................................................7

Employee Risk .................................................................................8

III). - Auditing the Risk Assessment: The Third Line of Defense Role ....8

IV). - Points to Consider when Conducting a Branch Audit ................ 16

V). - Summary .................................................................................. 17

3

I). - Executive Summary

This paper is intended to provide a set of risk-based recommendations when assessing the

comprehensiveness of the AML risk assessment within the retail banking industry that has in

its portfolio a volatile combination of high-risk customers, high-risk geography and high-risk

products.

The Southwest border is recognized as a hot money laundering area since Mexico is utilized by

drug lords as a gateway to transport their illicit drugs to the U.S. and consequently to move the

funds obtained for trading these substances. According to the State Department, about 95

percent of the cocaine flow to the U.S. is transported through the Mexico-Central America

corridor from South America.1 The Government of Mexico continues to improve its law

framework in order to combat these criminal organizations, e.g., by reinforcing bilateral

intelligence strategies. However, according to the press and the local media, the state and

municipal law enforcement entities have been involved with acts that include the facilitation of

narcotics transportation or contraband. These local authorities are apparently also obstructing

the federal and military operations.

Thus, fragile judicial and police institutions, as well as proximity to the U.S. territory (considered

the largest consumer economy in the world), have made Mexico the center of one of the

world's most complex drug networks.

Therefore, it is undeniable that the ill-gotten proceeds obtained from these criminal activities

are constantly moved through the Mexico–U.S. border. In order to do this, lawbreakers are

always evolving the typologies they use while they keep using the U.S. banking system to

launder their illicit funds throughout the Southwest. A bank with branches in the U.S. and

conveniently located near the border as well as in Mexico could be used to facilitate the

transfer of funds between the drug dealers in the U.S. and these cartels.

U.S. bank branches located near the Southwest border may be also affected by the changes in

the Mexican regulations. On June 15, 2010 the Mexican finance ministry, Secretaría de

Hacienda y Crédito Público de México (SHCP), announced new anti-money laundering (AML)

regulations that restrict the amounts of physical cash (banknotes and coins) denominated in

U.S. dollars that Mexican banks are allowed to receive (MX Restrictions).2

1 Congressional Research Service: Latin America and the Caribbean: Illicit Drug Trafficking and U.S. Counterdrug Programs 2 FinCEN: Newly Released Mexican Regulations Imposing Restrictions on Mexican Banks for Transactions in U.S. Currency , FIN-2013-A007

4

It is well known that an important portion of the U.S. currency in Mexico is obtained from illegal

activity, specifically the trade of narcotics in the U.S., some of the proceeds of which are

smuggled as bulk cash into Mexico. Much of the U.S. currency within Mexico, regardless of

source, is intermediated through multiple transactions and ultimately makes its way into the

global financial system before being repatriated back to the U.S. This process is similar to that in

most countries with respect to the processing of non-local currency. The Mexican Currency

(MX) Restrictions stipulate the following:

For legal entities (in Spanish "personas morales") and trusts that are customers, U.S.

currency transactions will be prohibited, unless such customer is based in or conducts

most of its business within a tourist area (to be identified by SHCP at a later date),

within twenty miles of the U.S. border, or within the States of Baja California or South

Baja California. In these cases the bank may receive an aggregate limit of $7,000 in U.S.

currency from its customer per calendar month.

For individuals who are customers, the aggregate limit in U.S. currency that the bank

may receive from its customer per calendar month shall be $4,000.

That is why is so important for a bank operating along the states adjacent to the Mexican

border to understand and acknowledge the gross risk (also known as inherent risk) as a result of

an unpredictable combination of high-risk customers, products and geography. Each line of

defense in the financial institution will play a key role when establishing, operating and

reviewing its AML program, which in all its stages should be “risk-based.”

An extensive AML independent review should take into consideration the following: 1) an

assessment of the adequacy of the AML compliance program as well as its assertiveness, 2) a

suitable testing of transactions in order to validate the bank’s capacity to comply with the BSA

record keeping requirements, 3) a deep analysis of the financial institution’s risk assessment

in order to determine if the bank is able to accept and manage the net risk (residual risk), 4) a

review of the bank’s policies and procedures, 5) an evaluation of the training program as well

as, 6) an audit on its AML monitoring systems in order to verify its efficaciousness and

adherence to the BSA requirements amongst other audit-related considerations.

All the aforementioned audit steps are important in order to determine the financial

institution’s overall risk appetite and how realistic this is in comparison to the actual residual

risk. However, this article will emphasize the third one for segmentation purposes.

5

Personal and Commercial Clients

Typical customers will be non-resident aliens (NRAs) and/or foreign-based corporations or

entities primarily residing/based in Mexico and some of them might be senior public figures

(SPFs) and/or politically exposed persons (PEPs).

Products and Services

Typical products might include demand deposit accounts (DDAs), time deposit accounts and

credit cards. Services might include wire transfers, ACHs and correspondent banking.

II). - Risk Assessment

The assessment should be focused on three segments:

Customer (and geography) risk

Product risk

Employee risk

Customer Risk

It becomes difficult for a bank to validate and confirm a form of identification coming from an NRA, as well as the source of funds and source of wealth. Also the fact of having Mexico as the NRA’s home country may increase the account risk due this country’s profile. Finally, it is also relevant to take into account the assumption that some of these NRAs might be PEPs and/or SPFs which; will aggregate even more risk to the bank relationship due to the current levels of corruption found in the Federal and Local governments.

The bank’s front-line employees (branch personnel such as tellers, relationship managers, etc.),

being the first line of defense, must understand their roles and responsibilities pertaining to the

bank AML compliance program and its requirements and expectations.

6

The risk components to take into account when assessing NRAs and SPFs include:

The purpose of the account as well as the volume of transactions expected.

The NRA’s home state (see map below)

(Baja California: The Tijuana Cartel; Chihuahua: The Juarez Cartel; Tamaulipas: The Gulf

Cartel; Sinaloa: The Sinaloa Cartel; Colima: The Colima Cartel; Michoacán: La Familia and

the Valencia Cartel; Oaxaca: The Oaxaca Cartel and Nationwide: The Federation Cartel3)

The forms of identification used by the customer according to the Bank’s CIP

requirements (e.g., Mexican Passport, Consular Identification Card also known as

“Matrícula Consular”);

The source of funds as well as the source of wealth;

Whether the NRA is considered an SPF or a PEP;

3 Brian Haddock : Inside the Mexican drug cartels – how to live rich in a poor country

7

The sort of products and services to be utilized (e.g., potential velocity,

involvement of third parties, and the financial institution’s inability to quickly

distinguish the purposes of small payments);

Account signers, including any other beneficial owners besides the account

holder; and

The presence of gatekeepers or any professional service provider which might

involve multiple clients (e.g., an attorney conducting transactions on behalf of

his clients who have no direct relationships with the bank throughout assets

transfers, investments services, settlements, etc.) which complicates the process

of identifying the beneficial owners of these accounts.

All these elements are critical, as this is the best opportunity for the bank to gather

information (for all its customers) pertaining to their actual financial capacity, true

beneficiaries, source of funds, etc.

Product Risk

DDAs are the accounts that allow customers to use fund transfer services, and

consequently, the AML risk is more elevated. Special attention should be paid on

funnel accounts, a new money laundering trend that according to FinCEN (May,

2014)4 begins with cartels hiring someone to open a U.S. bank account that can

receive deposits in branches in multiple states.

Once the account has been opened, many individuals working for cartels deposit cash into this

account, usually in places far from where the account was set up, in sums below $10,000 to

evade identification and currency transaction reports (CTRs). A middleman then conducts wire

transfers or writes checks to purchase goods with this money, which are shipped to foreign

countries and sold. The earnings are then transferred back to the Mexican cartels. Although this

irregular activity is generally caught through a transaction monitoring system (TMS) based on

certain preset patterns and thresholds, the branch personnel might be able to identify some of

these erratic behaviors when running transactions at a teller’s window.

4 FinCEN Advisory FIN-2014-A005, Update on U.S. Currency Restrictions in Mexico: Funnel Accounts and TBML, May 28, 2014, http://www.fincen.gov/statutes_regs/guidance/pdf/FIN-2014-A005.pdf

8

Wires are considered to have a high inherent AML risk, since funds can be moved

rapidly across the border. Therefore, there is the risk that wires may be used in

the layering and placement stages of money laundering.

ACH transfers allow the ability to send high-dollar and international transactions

that may expose the bank to high AML risks. ACH transactions can be used in the

layering and integration phases of money laundering. Therefore, these facts

must be considered when evaluating the ACH transaction risks of a particular

customer. Those ACHs that involve international transfers should be scrutinized

more deeply.

Credit and debit cards can be used internationally, including in some geographies

that are considered high risk for money laundering besides Mexico. Additional

inherent risk factors include the ability of card holders to obtain cash advances

though ATMs globally, and reliance on third parties for payment processing and

settlement cards. Another gross risk is the ability to cover payment of balances

with cash which might allow the client to overpay the current credit card balance

and later receive a refund from the bank for the overpaid amount. With regards

to debit cards, these could be used across the border by individuals that are not

necessarily the actual account signers.

Employee Risk

Generally the branch personnel authorized to open accounts for NRAs customers residing in

Mexico, receive commissions and a relevant part of their salary depends on the volume of

the accounts opened and/or the dollar amount deposited at the account opening stage. The

inherent AML risk rises when considering any potential complicity in order to skip important

steps within the KYC/CIP process that might include document manipulation, the

acceptance of non-approved or non-acceptable pieces of identification for NRAs, etc.

III). Auditing the Risk Assessment: The Third Line of Defense Role

An independent review should carry out an assessment on the bank’s current policies

and procedures as well as its adherence to them, to confirm comprehensive due

diligence and enhanced due diligence (EDD) practices as well as to make sure that risks

for NRAs and SPEs accounts have been appropriately assessed. Ongoing monitoring and

suspicious activity reports should be included in its scope as well.

9

The examination should also review the bank’s current know your customer (KYC)

program. Special attention should be paid to the Customer Identification Program (CIP)

in order to verify the identification requirements such as valid forms of ID, customer’s

name, DOB, address, etc. Also, a risk-based CIP program should take into consideration

the following:

A set of account opening procedures highlighting the right identification that

should be collected from NRAs and tested to confirm they are being followed.

Examples include but are not limited to Mexican Passports, Consular

Identification Cards, Tax Identification Number Cards, and so on.

If using both documentary and non-documentary methods, the bank should list

in its opening procedures the acceptable hard copies as well as the appropriate

checklist verifying that physical documentation was actually presented when

opening the account as well addressing the methods used to corroborate the

customer’s identity. If any relevant inconsistency arose during this process, the

resolution of it should be well-documented and kept in the bank files available

for regulators and/or auditors for at least five years.

The non-documentary methods should address situations where: a) the bank

opens an account without having sufficient certainty that the identity documents

presented are the ones required by its CIP (assuming a post verification intent)

or simply opens the account without getting the documents whatsoever, b) the

NRA fails to present a current valid photo identification; c) the bank opens the

account without having the NRA physically present at the branch; or d) the bank

is unable to validate the actual identity of the NRA based on the available

identification.

The bank should maintain and retain for at least five years hard copies obtained

of the original identification documents presented by the NRAs and used to open

the account (e.g., photocopies of Mexican Passports, Consular Identification

Cards, Tax Identification Number Cards, signed W-8BEN forms, etc.).

The procedures should address in detail situations when the bank is unable to

positively verify the actual identity of the NRA by providing effective responses

to mitigate the risk. The financial institution is required to have procedures

specifying instances in which the bank should open the account and those in

which the account should not be opened, the restrictions and limitations set on

the account while the bank tries to verify the NRAs identity, and the timeframe

to make a decision about finally closing the account after several efforts in trying

to validate that identity.

10

The KYC/CIP part in the procedures should address any exemptions or any

acceptable interim documentation such as an SS-4 form to the KYC/CIP

requirements. The risk-based explanation of the rationale applied to support

these exemptions, as well the subsequent follow-up to finally determine when

the temporary documentation should be replaced by an official/permanent one.

If the NRA is trying to open a commercial account, the financial institution should

be able to confirm that the entity has been legally established throughout the

verification of business licenses, commercial agreements, board of directors’

minutes, statements from other financial institutions, business referral letters,

articles of incorporation, contract with third parties, commercial leases, etc.

Also, it is highly recommended to collect identification from the account

signatories, legal representatives and any other individual that might exercise a

relevant control over the commercial entity.

For both commercial entities and individuals, the financial institution should be

able to validate and confirm that the referrals are in compliance with the

institution’s policies and procedures and are authentic. Procedures should

clearly disclose a list of acceptable referral letters or other related documents.

The identification collection process should include the retention of key

demographics such as names, name variations, date of birth, place of birth, tax

identification numbers, lines of business, lists of suppliers and main clientele,

etc. In case the relationship manager suspects that any of the documents might

be false or altered, there should be procedures addressing further steps to

counteract any attempt to open the account at other branches

The KYC/CIP procedures should also include requirements for identification

updates, the rationale for these updates, the circumstances in which these

updates should be conducted, and the frequencies and terms of updates.

In order to validate the information and documentation provided by the NRA,

the branch personnel might conduct on-site visits to confirm the business

activity stated when opening the account and assess the actual financial capacity

of the business. For example, entities with high income and expectations of high

dollar transactions should be 100 percent able to demonstrate physical assets

that confirm their stated liquidity and annual sales. Appropriate registry and logs

of such visits should be kept available for regulators and external auditors.

Although on-site visits are not a must in EDD, banks should consider working

closely with their partners in Mexico to carry out onsite visits and fully utilized

this critical tool in the post-account opening process.

The KYC should also help to identify any business transactions carried out in

personal accounts. Special attention should be paid to the “account purpose and

11

customer line of business” fields. The ongoing process for tellers should detect

for example customers depositing checks from several individuals with the

memo line containing a sort of commercial activity, a customer receiving wires

from an entity that is not listed as the customer’s employer, and a customer

sending wires regularly to an entity or entities that are not listed in the KYC or

when these transactions are not commensurate with the client’s financial

profile.

The CIP should require an OFAC screening on each of the account signers,

including beneficial owners and/or entity that will ultimately have control over

the account to be opened.

An independent audit should also review the bank procedures specifying when EDD is

required for a more detailed understanding of a customer’s profile and activities and for

more in-depth investigations of the backgrounds of the customer and any affiliated

individuals/businesses. The independent auditor should pay special attention to

businesses that by their nature are considered very high risk and which should

automatically invoke EDD. These businesses include restaurants, travel agencies, retail

stores, convenience stores, legal service providers, accounting services, import/export

businesses, manufacturers, and dealers in cars, boats, airplanes, jewels, gems, and

metals.

EDD should thoroughly identify the purpose of the account, the source of funds and

wealth, NRAs and any beneficial owner occupation and/or line of business, business

references, business location and areas of operation. When the entity has branches

in the U.S. an independent review should test the bank’s capacity to identify

whether these branches are located within a HIFCA.5

EDD should anticipate upcoming transactions in the account in order to establish

patterns that might be considered irregular. Although Mexico as a whole is

considered a high-risk geography, there are certain areas within this country that

might represent higher risks due to the presence of drug cartels. For instance,

special attention should be paid to ATM transactions to identify activity within

jurisdiction(s) unrelated to the NRA transactional profile from the original KYC

5 FinCEN: HIFCA stands for High Intensity Financial Crime Area," these high risk areas were first announced in the 1999 National Money Laundering Strategy and were conceived in the Money Laundering and Financial Crimes Strategy Act of 1998 as a means of concentrating law enforcement efforts at the federal, state, and local levels in high intensity money laundering zones.

12

In order to clearly determine the source of funds, the relationship manager should

request bank statements from other financial institutions where the customer has

accounts, as well as reference letters from these banks and/or letters from well-

known current bank customers. Other acceptable documentation to support the

stated source of funds includes title or ownership deeds, time deposit certificates

sealed by the holding bank, etc.

In order to uncover any hidden beneficial ownership, the financial institution should

obtain or share beneficial ownership information across business lines, separate

legal entities within the business and affiliated support units. The branch staff

should cross-check for beneficial ownership information in systems maintained

within the financial institution for other purposes, such as credit underwriting,

private banking, marketing, or fraud detection. Additionally, bank’s KYC should take

into consideration if the entity is operating in Mexican territories that are considered

high risk due to the cartel activities carried within their boundaries.

EDD should also determine if the NRA is an SPF and that person’s status. Historically,

some SPFs have used the financial system to funnel their unlawful activities derived

from bribery and corruption. Mexico is not the exception to this trend as the level of

corruption within the government entities in this country is well-documented. That

is why it is so vital that an independent auditor evaluates if the branch is actually

applying a deeper scrutiny to identify the true source of wealth and funds as well as

the SPF status. The source of funds and wealth should be solidly identified, for all the

account signers and beneficial owners. The purpose of the account and the

anticipated transactions volume, frequency and nature in the account should be

determined as well.

The EDD process should provide guidance to the branch personnel to appropriately

identify a customer as an SPF. The EDD verification assessment should include any

potential family member and close associate linked to the actual SPF who may be

classified within the same category.

Banks should evaluate the net risk of opening an account for an SPF. Policies and

processes should ensure senior management involvement in opening an account for

an SPF.

The documentary proof suggested by the independent reviewer when opening an

account at a branch for a SPF includes and is not limited to the following:

13

- Documents issued by a government agency or a court (including documents

filed at Companies House or foreign equivalent)

- Documents issued by other public sector organizations or local authorities

- Documents issued by businesses regulated by the Financial Services

Authority or foreign equivalent

EDD should be able to positively determine the type of products and services that

the NRA is demanding and assess the inherent risk of each.

EDD should include an OFAC screening not only at the account opening stage but

also as an ongoing process stipulated in the bank AML policies and procedures. The

procedures should also include the steps to be followed when a potential match

with the SDN list occurs including the process to rule out or confirm the match.

As a best practice, an EDD update should be carried out at least one a year due to

the high risk customer portfolio. Also, the EDD process should be reinitiated every

time an ID or other document used during account opening expires or when

someone from the bank AML operations or compliance department requests it.

An independent review should also review the policies and procedures pertaining to

wires and related recordkeeping. A review of the policy and procedures in regards to

this is critical as well as a comprehensive assessment of the filing methods and the

information entered in the documents needed prior to sending a wire.

Special attention should be paid to international wires sent to Mexico or other AML

high-risk geographies.

The independent audit should make sure that the following pieces of information were

appropriately included in the wires forms kept in the branch:

Remitter information:

- First and Last Name/Company’s name

- Account Number

- Street Address, City and State

Beneficiary information:

14

- First and Last Name/Company’s name

- Account Number

- Street Address, City and State

The independent audit should also verify that a beneficiary receiving recurrent wires is

listed in the KYC profile, and that wires being sent to any of the Mexican cartels’

operating territories receive EDD.

The independent test should also verify that a dual control exists when sending a wire.

This control should include an override process to make sure that proper authorization

levels have been involved according to the bank procedures.

Another important element to be assessed is the cash branch acceptance when wiring

funds across the border and if the CTR requirements are being satisfied accordingly. This

includes, the accuracy of the information in the CTR.

When auditing the wire documentation, the independent review should confirm that

the wired amounts, the wire purpose, the frequency of the wires, the geography where

the funds are going, the client’s financial capacity and line of business are consistent

with the client’s KYC information. It is also important to test that the systems in the

branches are properly functioning and that the branch personnel know how to use

them. It is critical to make sure that all parties related to a wire are screened against the

OFAC SDN list.

The independent review should also confirm if the branch is in compliance with other

record keeping requirements highlighted in the Joint Rule6 issued by the Treasury

Secretary and the Federal Reserve Board in 1995 requiring the collection and retention

of information pertaining to international wires for $3,000.00 or higher and any wire

instructions received by the funds originator. This is vital to identify the ultimate

beneficiary of the funds, the wire amount, the originator’s type of identification used

when remitting the funds, etc.

Other relevant items that should be closely reviewed are Concentration Accounts. The

auditor should review the bank’s policy and procedures in order to verify if the use of

concentration accounts is allowed and if the risk mitigation steps that the branch staff

needs to follow. Concentration accounts are internal accounts set up to ease the

processing and settlement of multiple or single customer transactions within a financial

6 CCH Guide to Anti-Money Laundering and Bank Secrecy, p59

15

institution, normally on the same day. The funds transfers to this type of account are

typically done through wires and ACHs.

The independent reviewer should obtain account activity reports by sampling a specific

population of concentration accounts used at the branch that involves international

wire transfers. A sound sampling methodology should include high-risk jurisdictions,

high risk customers such as NRAs and/or SPFs, etc.

The auditor should also test the adequacy of the current internal controls established to

mitigate the concentration account risks.

This should include the assessment of the dual control methods and practices,

which could include checking the dual signers on general ledger tickets in order

to identify the personnel involved in the process and verifying the approval

hierarchy is appropriate.

The reconciliation methodology as well as its frequency should also be reviewed

when assessing the risk mitigation related to this sort of account. The auditor

should identify and confirm that an individual who is independent from these

transactions is the one performing the reconciliation of these accounts

The independent test should also check the type of customer information used

when concentration accounts are utilized as well as the referenced customer

account number and the transactions registered in the concentration accounts. If

the customer-identifying information such as name, transaction amount, and

account number is separated from the financial transaction, the audit trail is lost,

and accounts may be misused or administered improperly.

It is also important to make sure that no customers have direct access to this

type of account, and to make sure that the branch staff has the capacity to

identify recurring customer names.

Due to the MX Restrictions,7 the independent reviewer should exercise a deep scrutiny

on cash transactions that involve credit card payments. A detailed review of the bank’s

Policy and procedures as well as the documentary evidence pertaining to this kind of

payments is warranted. Logs and copies of the vouchers issued when conducting these

transactions should be reviewed to rule out any attempt of Mexican nationals to

circumvent these restrictions by crossing the border to make cash payments at the U.S.

7 FinCEN: Supplement on U.S. Currency Restrictions on Banks in Mexico

16

bank branches. This practice will also help to identify any credit card overpayment

trend, which is one of the preferred typologies used by money launders to wash ill-

gotten proceeds through refund checks issued by the target financial institution.

Documentary records pertaining to cash advances should be part of the scrutiny as well

Lastly, another item that should be part of an independent review in a bank branch

located near the Mexican border is the employee risk. The independent auditor should

consider the following:

The auditor should look for any relevant certification and or license relevant to

the position as well as for any sort of files or logs validating the employee’s

references, past jobs and positions, etc.

The bank’s policy and procedures regarding the specific due diligence

recommended for the review of the branch employee accounts, especially new

employees, high performers, those with high compensations, etc.

The AML and OFAC knowledge of the branch personnel at all levels, which can be

confirmed by checking training attendance logs and through short on-site

interviews.

Any procedures put in place to detect and report unusual employee behavior

(for instance, an employee lifestyle that is not commensurate with his/her

income level, is unwilling to take vacations, etc.)

Identification of any potential hidden “exclusive relationship” between

employees and customers. These could be found through review of

documentation or recordkeeping such as account opening logs, wire forms, etc.

The revision of dual controls and separation of duties logs. Dual control (also

known as segregation of duties) reduces the probability of any potential money

laundering and/or fraud attempt by providing for separate processing by

different individuals at various stages of a transaction and for independent

reviews of the work performed. Dual control provides four main benefits: 1) the

risk of a deliberate money laundering act and or fraud is mitigated as the

complicity of two or more persons would be required in order to evade controls;

2) the risk of actual errors is mitigated as the likelihood of detection is increased;

3) the cost of remedial actions is mitigated since errors are generally detected

somewhat earlier in their lifespan; and 4) the organization’s reputation for

integrity and quality is enhanced through a system of validations and balances.

IV). Points to consider when conducting a branch audit

Before starting the audit, the independent reviewer should make a list of the

information, documents, records, policies and procedures to be reviewed. Also, it would

17

be critical to understand the intrinsic geographical components and facts within this

peculiar banking segment (please, refer to the Mexican cartel map above).

When planning the audit, it will be important as well to determine the scope of the

audit in order to establish audit limits and to be in compliance with the financial

institution standards. However, this must never interfere with the independence of the

audit.

The audit planning should address both the documents (e.g., policy and procedures,

branch manuals, etc.) and the records (e.g., KYC files, signed wire forms, transaction

logs, general ledgers, etc.) to be reviewed prior to conducting the audit.

Interviews might be considered in order to verify branch personnel’s AML knowledge as

well as to their adherence to best AML practices, such as recognizing someone at the

teller window when trying to circumvent the MX Restrictions, identifying the ultimate

beneficiary of wired funds by paying close attention to any notes the originator is trying

to plug in the originator to beneficiary information (OBI) field (names of individual or

entities that are not listed in the original KYC file as beneficiaries and or recurrent

supplier, for instance).

Parameters and plans for following up all tentative corrective action plans, including

terms and phases to remediate the issues found during the audit should be clearly

established and registered right after the branch audit has been carried out.

V). Summary

Financial institutions that have branches in Mexico and near the Southwest border are more

exposed to money laundering risk due to a unique, dangerous and volatile combination of high-

risk elements such as the drug cartels operating within Mexico and across the border, the

current customer portfolio (NRAs and SPFs) and the products and services offered to these

customers.

Money launders are using new and more sophisticated techniques to get their cash clean.

Therefore, it is vital to be aware that new financial products and technology bring new

opportunities to launder money. By testing the adequacy, efficacy and occurrence of the AML

risk assessment, the bank will be able to reduce the marginal likelihood of having criminals

using its resources to launder their ill-gotten proceeds. An independent review also probes

processes for CDD and EDD and whether they are being carried out appropriately every time an

account is opened and/or a current customer KYC profile is updated. Through the third line of

defense it is possible to demonstrate if the bank is being operated in conformity with laws and

regulations. The independent review also evaluates the bank’s staff AML knowledge and the

degree to which the employees are consistently applying the systems.

18

By designing and carrying out an appropriate independent audit of their AML risk assessment,

banks dealing with high-risk geographies, as well as with high-risk clients and products will be

furnishing reassurance on the effectiveness of their current risk management and controls.