Banking on the Border: Managing High Gross Risk Bank Relationships by Testing the Comprehensiveness of the AML Risk Assessment Jaime Verástegui
Index
I). - Executive Summary
  Personal and Commercial Clients
  Products and Services
II). - Risk Assessment
  Customer Risk
  Product Risk
  Employee Risk
III). - Auditing the Risk Assessment: The Third Line of Defense Role
IV). - Points to Consider when Conducting a Branch Audit
V). - Summary
I). - Executive Summary
This paper is intended to provide a set of risk-based recommendations when assessing the
comprehensiveness of the AML risk assessment within the retail banking industry that has in
its portfolio a volatile combination of high-risk customers, high-risk geography and high-risk
products.
The Southwest border is recognized as a hot money laundering area since Mexico is utilized by
drug lords as a gateway to transport their illicit drugs to the U.S. and consequently to move the
funds obtained from trading these substances. According to the State Department, about 95
percent of the cocaine flow to the U.S. is transported through the Mexico-Central America
corridor from South America.1 The Government of Mexico continues to improve its law
framework in order to combat these criminal organizations, e.g., by reinforcing bilateral
intelligence strategies. However, according to the press and the local media, the state and
municipal law enforcement entities have been involved with acts that include the facilitation of
narcotics transportation or contraband. These local authorities are apparently also obstructing
the federal and military operations.
Thus, fragile judicial and police institutions, as well as proximity to the U.S. territory (considered
the largest consumer economy in the world), have made Mexico the center of one of the
world's most complex drug networks.
Therefore, it is undeniable that the ill-gotten proceeds obtained from these criminal activities
are constantly moved through the Mexico–U.S. border. In order to do this, lawbreakers are
always evolving the typologies they use while they keep using the U.S. banking system to
launder their illicit funds throughout the Southwest. A bank with branches in the U.S. and
conveniently located near the border as well as in Mexico could be used to facilitate the
transfer of funds between the drug dealers in the U.S. and these cartels.
U.S. bank branches located near the Southwest border may also be affected by the changes in
the Mexican regulations. On June 15, 2010 the Mexican finance ministry, Secretaría de
Hacienda y Crédito Público de México (SHCP), announced new anti-money laundering (AML)
regulations that restrict the amounts of physical cash (banknotes and coins) denominated in
U.S. dollars that Mexican banks are allowed to receive (MX Restrictions).2
1 Congressional Research Service: Latin America and the Caribbean: Illicit Drug Trafficking and U.S. Counterdrug Programs
2 FinCEN: Newly Released Mexican Regulations Imposing Restrictions on Mexican Banks for Transactions in U.S. Currency, FIN-2013-A007
It is well known that an important portion of the U.S. currency in Mexico is obtained from illegal
activity, specifically the trade of narcotics in the U.S., some of the proceeds of which are
smuggled as bulk cash into Mexico. Much of the U.S. currency within Mexico, regardless of
source, is intermediated through multiple transactions and ultimately makes its way into the
global financial system before being repatriated back to the U.S. This process is similar to that in
most countries with respect to the processing of non-local currency. The Mexican Currency
(MX) Restrictions stipulate the following:
- For legal entities (in Spanish "personas morales") and trusts that are customers, U.S.
  currency transactions will be prohibited, unless such customer is based in or conducts
  most of its business within a tourist area (to be identified by SHCP at a later date),
  within twenty miles of the U.S. border, or within the States of Baja California or South
  Baja California. In these cases the bank may receive an aggregate limit of $7,000 in U.S.
  currency from its customer per calendar month.
- For individuals who are customers, the aggregate limit in U.S. currency that the bank
  may receive from its customer per calendar month shall be $4,000.
That is why it is so important for a bank operating in the states adjacent to the Mexican
border to understand and acknowledge the gross risk (also known as inherent risk) as a result of
an unpredictable combination of high-risk customers, products and geography. Each line of
defense in the financial institution will play a key role when establishing, operating and
reviewing its AML program, which in all its stages should be “risk-based.”
An extensive AML independent review should take into consideration the following: 1) an
assessment of the adequacy of the AML compliance program as well as its assertiveness, 2) a
suitable testing of transactions in order to validate the bank’s capacity to comply with the BSA
record keeping requirements, 3) a deep analysis of the financial institution’s risk assessment
in order to determine if the bank is able to accept and manage the net risk (residual risk), 4) a
review of the bank’s policies and procedures, 5) an evaluation of the training program, and
6) an audit of its AML monitoring systems in order to verify their efficaciousness and
adherence to the BSA requirements, amongst other audit-related considerations.
All the aforementioned audit steps are important in order to determine the financial
institution’s overall risk appetite and how realistic this is in comparison to the actual residual
risk. However, this article will emphasize the third one for segmentation purposes.
Personal and Commercial Clients
Typical customers will be non-resident aliens (NRAs) and/or foreign-based corporations or
entities primarily residing/based in Mexico and some of them might be senior public figures
(SPFs) and/or politically exposed persons (PEPs).
Products and Services
Typical products might include demand deposit accounts (DDAs), time deposit accounts and
credit cards. Services might include wire transfers, ACHs and correspondent banking.
II). - Risk Assessment
The assessment should be focused on three segments:
- Customer (and geography) risk
- Product risk
- Employee risk
Customer Risk
It becomes difficult for a bank to validate and confirm a form of identification coming from an NRA, as well as the source of funds and source of wealth. Also, the fact of having Mexico as the NRA’s home country may increase the account risk due to this country’s profile. Finally, it is also relevant to take into account the assumption that some of these NRAs might be PEPs and/or SPFs, which will add even more risk to the bank relationship due to the current levels of corruption found in the federal and local governments.
The bank’s front-line employees (branch personnel such as tellers, relationship managers, etc.),
being the first line of defense, must understand their roles and responsibilities pertaining to the
bank AML compliance program and its requirements and expectations.
The risk components to take into account when assessing NRAs and SPFs include:
- The purpose of the account as well as the volume of transactions expected;
- The NRA’s home state (see map below)
  (Baja California: The Tijuana Cartel; Chihuahua: The Juarez Cartel; Tamaulipas: The Gulf
  Cartel; Sinaloa: The Sinaloa Cartel; Colima: The Colima Cartel; Michoacán: La Familia and
  the Valencia Cartel; Oaxaca: The Oaxaca Cartel and Nationwide: The Federation Cartel3);
- The forms of identification used by the customer according to the Bank’s CIP
  requirements (e.g., Mexican Passport, Consular Identification Card also known as
  “Matrícula Consular”);
- The source of funds as well as the source of wealth;
- Whether the NRA is considered an SPF or a PEP;
- The sort of products and services to be utilized (e.g., potential velocity,
  involvement of third parties, and the financial institution’s inability to quickly
  distinguish the purposes of small payments);
- Account signers, including any other beneficial owners besides the account
  holder; and
- The presence of gatekeepers or any professional service provider which might
  involve multiple clients (e.g., an attorney conducting transactions on behalf of
  his clients who have no direct relationships with the bank through asset
  transfers, investment services, settlements, etc.), which complicates the process
  of identifying the beneficial owners of these accounts.
3 Brian Haddock: Inside the Mexican drug cartels – how to live rich in a poor country
All these elements are critical, as this is the best opportunity for the bank to gather
information (for all its customers) pertaining to their actual financial capacity, true
beneficiaries, source of funds, etc.
Product Risk
DDAs are the accounts that allow customers to use fund transfer services, and
consequently, the AML risk is more elevated. Special attention should be paid to
funnel accounts, a new money laundering trend that according to FinCEN (May,
2014)4 begins with cartels hiring someone to open a U.S. bank account that can
receive deposits in branches in multiple states.
Once the account has been opened, many individuals working for cartels deposit cash into this
account, usually in places far from where the account was set up, in sums below $10,000 to
evade identification and currency transaction reports (CTRs). A middleman then conducts wire
transfers or writes checks to purchase goods with this money, which are shipped to foreign
countries and sold. The earnings are then transferred back to the Mexican cartels. Although this
irregular activity is generally caught through a transaction monitoring system (TMS) based on
certain preset patterns and thresholds, the branch personnel might be able to identify some of
these erratic behaviors when running transactions at a teller’s window.
4 FinCEN Advisory FIN-2014-A005, Update on U.S. Currency Restrictions in Mexico: Funnel Accounts and TBML, May 28, 2014, http://www.fincen.gov/statutes_regs/guidance/pdf/FIN-2014-A005.pdf
Wires are considered to have a high inherent AML risk, since funds can be moved
rapidly across the border. Therefore, there is the risk that wires may be used in
the layering and placement stages of money laundering.
ACH transfers allow the ability to send high-dollar and international transactions
that may expose the bank to high AML risks. ACH transactions can be used in the
layering and integration phases of money laundering. Therefore, these facts
must be considered when evaluating the ACH transaction risks of a particular
customer. Those ACHs that involve international transfers should be scrutinized
more deeply.
Credit and debit cards can be used internationally, including in some geographies
that are considered high risk for money laundering besides Mexico. Additional
inherent risk factors include the ability of card holders to obtain cash advances
through ATMs globally, and reliance on third parties for payment processing and
settlement cards. Another gross risk is the ability to cover payment of balances
with cash which might allow the client to overpay the current credit card balance
and later receive a refund from the bank for the overpaid amount. With regards
to debit cards, these could be used across the border by individuals that are not
necessarily the actual account signers.
Employee Risk
Generally, the branch personnel authorized to open accounts for NRA customers residing in
Mexico receive commissions, and a relevant part of their salary depends on the volume of
the accounts opened and/or the dollar amount deposited at the account opening stage. The
inherent AML risk rises when considering any potential complicity in order to skip important
steps within the KYC/CIP process that might include document manipulation, the
acceptance of non-approved or non-acceptable pieces of identification for NRAs, etc.
III). Auditing the Risk Assessment: The Third Line of Defense Role
An independent review should carry out an assessment on the bank’s current policies
and procedures as well as its adherence to them, to confirm comprehensive due
diligence and enhanced due diligence (EDD) practices as well as to make sure that risks
for NRAs and SPEs accounts have been appropriately assessed. Ongoing monitoring and
suspicious activity reports should be included in its scope as well.
The examination should also review the bank’s current know your customer (KYC)
program. Special attention should be paid to the Customer Identification Program (CIP)
in order to verify the identification requirements such as valid forms of ID, customer’s
name, DOB, address, etc. Also, a risk-based CIP program should take into consideration
the following:
A set of account opening procedures highlighting the right identification that
should be collected from NRAs and tested to confirm they are being followed.
Examples include but are not limited to Mexican Passports, Consular
Identification Cards, Tax Identification Number Cards, and so on.
If using both documentary and non-documentary methods, the bank should list
in its opening procedures the acceptable hard copies as well as the appropriate
checklist verifying that physical documentation was actually presented when
opening the account as well as addressing the methods used to corroborate the
customer’s identity. If any relevant inconsistency arose during this process, the
resolution of it should be well-documented and kept in the bank files available
for regulators and/or auditors for at least five years.
The non-documentary methods should address situations where: a) the bank
opens an account without having sufficient certainty that the identity documents
presented are the ones required by its CIP (assuming a post verification intent)
or simply opens the account without getting the documents whatsoever, b) the
NRA fails to present a current valid photo identification; c) the bank opens the
account without having the NRA physically present at the branch; or d) the bank
is unable to validate the actual identity of the NRA based on the available
identification.
The bank should maintain and retain for at least five years hard copies obtained
of the original identification documents presented by the NRAs and used to open
the account (e.g., photocopies of Mexican Passports, Consular Identification
Cards, Tax Identification Number Cards, signed W-8BEN forms, etc.).
The procedures should address in detail situations when the bank is unable to
positively verify the actual identity of the NRA by providing effective responses
to mitigate the risk. The financial institution is required to have procedures
specifying instances in which the bank should open the account and those in
which the account should not be opened, the restrictions and limitations set on
the account while the bank tries to verify the NRA’s identity, and the timeframe
to make a decision about finally closing the account after several efforts in trying
to validate that identity.
The KYC/CIP part in the procedures should address any exemptions to the KYC/CIP
requirements or any acceptable interim documentation, such as an SS-4 form. It
should also give the risk-based explanation of the rationale applied to support
these exemptions, as well as the subsequent follow-up to finally determine when
the temporary documentation should be replaced by an official/permanent one.
If the NRA is trying to open a commercial account, the financial institution should
be able to confirm that the entity has been legally established through the
verification of business licenses, commercial agreements, board of directors’
minutes, statements from other financial institutions, business referral letters,
articles of incorporation, contracts with third parties, commercial leases, etc.
Also, it is highly recommended to collect identification from the account
signatories, legal representatives and any other individual that might exercise a
relevant control over the commercial entity.
For both commercial entities and individuals, the financial institution should be
able to validate and confirm that the referrals are in compliance with the
institution’s policies and procedures and are authentic. Procedures should
clearly disclose a list of acceptable referral letters or other related documents.
The identification collection process should include the retention of key
demographics such as names, name variations, date of birth, place of birth, tax
identification numbers, lines of business, lists of suppliers and main clientele,
etc. In case the relationship manager suspects that any of the documents might
be false or altered, there should be procedures addressing further steps to
counteract any attempt to open the account at other branches.
The KYC/CIP procedures should also include requirements for identification
updates, the rationale for these updates, the circumstances in which these
updates should be conducted, and the frequencies and terms of updates.
In order to validate the information and documentation provided by the NRA,
the branch personnel might conduct on-site visits to confirm the business
activity stated when opening the account and assess the actual financial capacity
of the business. For example, entities with high income and expectations of high
dollar transactions should be 100 percent able to demonstrate physical assets
that confirm their stated liquidity and annual sales. Appropriate registry and logs
of such visits should be kept available for regulators and external auditors.
Although on-site visits are not a must in EDD, banks should consider working
closely with their partners in Mexico to carry out onsite visits and fully utilize
this critical tool in the post-account opening process.
The KYC should also help to identify any business transactions carried out in
personal accounts. Special attention should be paid to the “account purpose and
customer line of business” fields. The ongoing process for tellers should detect,
for example, customers depositing checks from several individuals with the
memo line containing a sort of commercial activity, a customer receiving wires
from an entity that is not listed as the customer’s employer, and a customer
sending wires regularly to an entity or entities that are not listed in the KYC or
when these transactions are not commensurate with the client’s financial
profile.
The CIP should require an OFAC screening on each of the account signers,
including beneficial owners and/or entity that will ultimately have control over
the account to be opened.
An independent audit should also review the bank procedures specifying when EDD is
required for a more detailed understanding of a customer’s profile and activities and for
more in-depth investigations of the backgrounds of the customer and any affiliated
individuals/businesses. The independent auditor should pay special attention to
businesses that by their nature are considered very high risk and which should
automatically invoke EDD. These businesses include restaurants, travel agencies, retail
stores, convenience stores, legal service providers, accounting services, import/export
businesses, manufacturers, and dealers in cars, boats, airplanes, jewels, gems, and
metals.
EDD should thoroughly identify the purpose of the account, the source of funds and
wealth, NRAs and any beneficial owner occupation and/or line of business, business
references, business location and areas of operation. When the entity has branches
in the U.S. an independent review should test the bank’s capacity to identify
whether these branches are located within a HIFCA.5
EDD should anticipate upcoming transactions in the account in order to establish
patterns that might be considered irregular. Although Mexico as a whole is
considered a high-risk geography, there are certain areas within this country that
might represent higher risks due to the presence of drug cartels. For instance,
special attention should be paid to ATM transactions to identify activity within
jurisdiction(s) unrelated to the NRA transactional profile from the original KYC.
5 FinCEN: HIFCA stands for "High Intensity Financial Crime Area"; these high-risk areas were first announced in the 1999 National Money Laundering Strategy and were conceived in the Money Laundering and Financial Crimes Strategy Act of 1998 as a means of concentrating law enforcement efforts at the federal, state, and local levels in high intensity money laundering zones.
In order to clearly determine the source of funds, the relationship manager should
request bank statements from other financial institutions where the customer has
accounts, as well as reference letters from these banks and/or letters from well-
known current bank customers. Other acceptable documentation to support the
stated source of funds includes title or ownership deeds, time deposit certificates
sealed by the holding bank, etc.
In order to uncover any hidden beneficial ownership, the financial institution should
obtain or share beneficial ownership information across business lines, separate
legal entities within the business and affiliated support units. The branch staff
should cross-check for beneficial ownership information in systems maintained
within the financial institution for other purposes, such as credit underwriting,
private banking, marketing, or fraud detection. Additionally, the bank’s KYC should take
into consideration whether the entity is operating in Mexican territories that are considered
high risk due to the cartel activities carried out within their boundaries.
EDD should also determine if the NRA is an SPF and that person’s status. Historically,
some SPFs have used the financial system to funnel their unlawful activities derived
from bribery and corruption. Mexico is not the exception to this trend as the level of
corruption within the government entities in this country is well-documented. That
is why it is so vital that an independent auditor evaluates if the branch is actually
applying a deeper scrutiny to identify the true source of wealth and funds as well as
the SPF status. The source of funds and wealth should be solidly identified, for all the
account signers and beneficial owners. The purpose of the account and the
anticipated transactions volume, frequency and nature in the account should be
determined as well.
The EDD process should provide guidance to the branch personnel to appropriately
identify a customer as an SPF. The EDD verification assessment should include any
potential family member and close associate linked to the actual SPF who may be
classified within the same category.
Banks should evaluate the net risk of opening an account for an SPF. Policies and
processes should ensure senior management involvement in opening an account for
an SPF.
The documentary proof suggested by the independent reviewer when opening an
account at a branch for an SPF includes, but is not limited to, the following:
- Documents issued by a government agency or a court (including documents
filed at Companies House or foreign equivalent)
- Documents issued by other public sector organizations or local authorities
- Documents issued by businesses regulated by the Financial Services
Authority or foreign equivalent
EDD should be able to positively determine the type of products and services that
the NRA is demanding and assess the inherent risk of each.
EDD should include an OFAC screening not only at the account opening stage but
also as an ongoing process stipulated in the bank AML policies and procedures. The
procedures should also include the steps to be followed when a potential match
with the SDN list occurs including the process to rule out or confirm the match.
As a best practice, an EDD update should be carried out at least once a year due to
the high risk customer portfolio. Also, the EDD process should be reinitiated every
time an ID or other document used during account opening expires or when
someone from the bank AML operations or compliance department requests it.
An independent review should also review the policies and procedures pertaining to
wires and related recordkeeping. A review of the policy and procedures in regards to
this is critical as well as a comprehensive assessment of the filing methods and the
information entered in the documents needed prior to sending a wire.
Special attention should be paid to international wires sent to Mexico or other AML
high-risk geographies.
The independent audit should make sure that the following pieces of information were
appropriately included in the wire forms kept in the branch:
Remitter information:
- First and Last Name/Company’s name
- Account Number
- Street Address, City and State
Beneficiary information:
- First and Last Name/Company’s name
- Account Number
- Street Address, City and State
The independent audit should also verify that a beneficiary receiving recurrent wires is
listed in the KYC profile, and that wires being sent to any of the Mexican cartels’
operating territories receive EDD.
The independent test should also verify that a dual control exists when sending a wire.
This control should include an override process to make sure that proper authorization
levels have been involved according to the bank procedures.
Another important element to be assessed is the branch’s acceptance of cash when wiring
funds across the border and whether the CTR requirements are being satisfied accordingly. This
includes the accuracy of the information in the CTR.
When auditing the wire documentation, the independent review should confirm that
the wired amounts, the wire purpose, the frequency of the wires, the geography where
the funds are going, the client’s financial capacity and line of business are consistent
with the client’s KYC information. It is also important to test that the systems in the
branches are properly functioning and that the branch personnel know how to use
them. It is critical to make sure that all parties related to a wire are screened against the
OFAC SDN list.
The independent review should also confirm if the branch is in compliance with other
record keeping requirements highlighted in the Joint Rule6 issued by the Treasury
Secretary and the Federal Reserve Board in 1995 requiring the collection and retention
of information pertaining to international wires for $3,000.00 or higher and any wire
instructions received by the funds originator. This is vital to identify the ultimate
beneficiary of the funds, the wire amount, the originator’s type of identification used
when remitting the funds, etc.
Other relevant items that should be closely reviewed are concentration accounts. The
auditor should review the bank’s policy and procedures in order to verify if the use of
concentration accounts is allowed and, if so, the risk mitigation steps that the branch staff
needs to follow. Concentration accounts are internal accounts set up to ease the
processing and settlement of multiple or single customer transactions within a financial
institution, normally on the same day. The funds transfers to this type of account are
typically done through wires and ACHs.
6 CCH Guide to Anti-Money Laundering and Bank Secrecy, p59
The independent reviewer should obtain account activity reports by sampling a specific
population of concentration accounts used at the branch that involves international
wire transfers. A sound sampling methodology should include high-risk jurisdictions,
high risk customers such as NRAs and/or SPFs, etc.
The auditor should also test the adequacy of the current internal controls established to
mitigate the concentration account risks.
This should include the assessment of the dual control methods and practices,
which could include checking the dual signers on general ledger tickets in order
to identify the personnel involved in the process and verifying the approval
hierarchy is appropriate.
The reconciliation methodology as well as its frequency should also be reviewed
when assessing the risk mitigation related to this sort of account. The auditor
should identify and confirm that an individual who is independent from these
transactions is the one performing the reconciliation of these accounts.
The independent test should also check the type of customer information used
when concentration accounts are utilized as well as the referenced customer
account number and the transactions registered in the concentration accounts. If
the customer-identifying information such as name, transaction amount, and
account number is separated from the financial transaction, the audit trail is lost,
and accounts may be misused or administered improperly.
It is also important to make sure that no customers have direct access to this
type of account, and to make sure that the branch staff has the capacity to
identify recurring customer names.
Due to the MX Restrictions,7 the independent reviewer should exercise a deep scrutiny
on cash transactions that involve credit card payments. A detailed review of the bank’s
policy and procedures as well as the documentary evidence pertaining to this kind of
payment is warranted. Logs and copies of the vouchers issued when conducting these
transactions should be reviewed to rule out any attempt of Mexican nationals to
circumvent these restrictions by crossing the border to make cash payments at the U.S.
bank branches. This practice will also help to identify any credit card overpayment
trend, which is one of the preferred typologies used by money launderers to wash ill-
gotten proceeds through refund checks issued by the target financial institution.
Documentary records pertaining to cash advances should be part of the scrutiny as well.
7 FinCEN: Supplement on U.S. Currency Restrictions on Banks in Mexico
Lastly, another item that should be part of an independent review in a bank branch
located near the Mexican border is the employee risk. The independent auditor should
consider the following:
The auditor should look for any relevant certification and/or license relevant to
the position as well as for any sort of files or logs validating the employee’s
references, past jobs and positions, etc.
The bank’s policy and procedures regarding the specific due diligence
recommended for the review of the branch employee accounts, especially new
employees, high performers, those with high compensations, etc.
The AML and OFAC knowledge of the branch personnel at all levels, which can be
confirmed by checking training attendance logs and through short on-site
interviews.
Any procedures put in place to detect and report unusual employee behavior
(for instance, an employee lifestyle that is not commensurate with his/her
income level, unwillingness to take vacations, etc.)
Identification of any potential hidden “exclusive relationship” between
employees and customers. These could be found through review of
documentation or recordkeeping such as account opening logs, wire forms, etc.
The revision of dual controls and separation of duties logs. Dual control (also
known as segregation of duties) reduces the probability of any potential money
laundering and/or fraud attempt by providing for separate processing by
different individuals at various stages of a transaction and for independent
reviews of the work performed. Dual control provides four main benefits: 1) the
risk of a deliberate money laundering act and/or fraud is mitigated as the
complicity of two or more persons would be required in order to evade controls;
2) the risk of actual errors is mitigated as the likelihood of detection is increased;
3) the cost of remedial actions is mitigated since errors are generally detected
somewhat earlier in their lifespan; and 4) the organization’s reputation for
integrity and quality is enhanced through a system of validations and balances.
IV). Points to consider when conducting a branch audit
Before starting the audit, the independent reviewer should make a list of the
information, documents, records, policies and procedures to be reviewed. Also, it would
be critical to understand the intrinsic geographical components and facts within this
peculiar banking segment (please, refer to the Mexican cartel map above).
When planning the audit, it will be important as well to determine the scope of the
audit in order to establish audit limits and to be in compliance with the financial
institution standards. However, this must never interfere with the independence of the
audit.
The audit planning should address both the documents (e.g., policy and procedures,
branch manuals, etc.) and the records (e.g., KYC files, signed wire forms, transaction
logs, general ledgers, etc.) to be reviewed prior to conducting the audit.
Interviews might be considered in order to verify branch personnel’s AML knowledge as
well as their adherence to best AML practices, such as recognizing someone at the
teller window when trying to circumvent the MX Restrictions, or identifying the ultimate
beneficiary of wired funds by paying close attention to any notes the originator is trying
to plug into the originator to beneficiary information (OBI) field (names of individuals or
entities that are not listed in the original KYC file as beneficiaries and/or recurrent
suppliers, for instance).
Parameters and plans for following up all tentative corrective action plans, including
terms and phases to remediate the issues found during the audit should be clearly
established and registered right after the branch audit has been carried out.
V). Summary
Financial institutions that have branches in Mexico and near the Southwest border are more
exposed to money laundering risk due to a unique, dangerous and volatile combination of high-
risk elements such as the drug cartels operating within Mexico and across the border, the
current customer portfolio (NRAs and SPFs) and the products and services offered to these
customers.
Money launderers are using new and more sophisticated techniques to get their cash clean.
Therefore, it is vital to be aware that new financial products and technology bring new
opportunities to launder money. By testing the adequacy, efficacy and occurrence of the AML
risk assessment, the bank will be able to reduce the marginal likelihood of having criminals
using its resources to launder their ill-gotten proceeds. An independent review also probes
processes for CDD and EDD and whether they are being carried out appropriately every time an
account is opened and/or a current customer KYC profile is updated. Through the third line of
defense it is possible to demonstrate if the bank is being operated in conformity with laws and
regulations. The independent review also evaluates the bank’s staff AML knowledge and the
degree to which the employees are consistently applying the systems.