Patriot Act - 12/30/2002

Are You Ready For the Patriot Act
Are You Ready For The Patriot Act?

Unfortunately, we are not talking about our Super Bowl Champion New England Patriots. No, this is the USA Patriot Act of 2001. This act requires all financial institutions to establish due diligence policies, procedures, and controls that are reasonably designed to detect and report money laundering through correspondent banking accounts established or maintained for non-U.S. persons.

No one will ever forget the grim events of September 11, 2001. Those scenes are etched in our minds forever, and our world will never be the same. In the aftermath of 9/11, Congress enacted the Patriot Act. In a nutshell, the Patriot act is really an amendment to the Bank Secrecy Act (BSA). So, dealing with the detection and reporting of suspected money laundering activities is nothing new for you. Banks and credit unions have been dealing with Currency Transaction Reporting (CTR) and Suspicious Activity Reporting (SAR) for years. The Patriot Act just adds a new wrinkle.

The Patriot Act requires the following actions:

You must develop an Anti-Money Laundering Program (AML) which includes:

The designation of an AML Compliance Officer.
The development of internal policies, procedures and controls. The written Patriot Act policies are, for most financial institutions, being incorporated into the BSA policy.
Ongoing AML training for employees.
An independent audit function to test the effectiveness of the program. Most audit firms do a BSA audit as part of their annual audit procedures. We certainly do. We plan to incorporate the Patriot Act compliance audit into our normal BSA review.

You must develop a Customer Identification Program (CIP). This is the difficult part of Patriot Act compliance.
You must take reasonable steps to ascertain the identity of the person(s) opening the account (including any beneficiaries).
You must also take reasonable steps to ascertain the source of the funds being deposited to guard against money laundering.
You must maintain records of the information used for verification of an account holder's identity (license, SSN, passport, etc.).
And you must make a reasonable effort to determine if a person appears on a government terrorist list.
The CIP must:

Be a written program approved by Board of Directors.
Be part of the Bank Secrecy Act Policy.
Establish or revise Identity Verification Procedures, which are to be risk based, for new accounts or signers. These procedures must apply to all new account openings. Procedures must consider the types of accounts provided, the account opening methods, the types of identification data available, and must result in a reasonable belief as to the person's true identity.
Specify documentary and non-documentary verification methods. Your policies should identify the kind of documentation that will be required for each type of account. The minimum data requirements, and when and what kind of additional data may be required. Minimum data information would include the person's name, address (no PO boxes), date of birth, and identifying numbers. For individuals that would be a SSN, if a U.S. citizen. Non U.S. citizens would require additional data. For businesses or non individuals, an employer TIN would be required. Additional documentation may also be needed.
Meet record keeping requirements. Record keeping must identify the information provided by the person. Copies must be kept of all documents used. If non documentary methods were used, they must be recorded along with the results. Non documentary methods would be some of the real high tech stuff like fingerprint identification image scanning, signature capture identification screening, or even facial or retina scanning.
Identify any discrepancies and how they were resolved. And, all records must be retained for five years after the account is closed.
Provide for OFAC Screening (terrorists lists). New accounts have to be checked against terrorist/suspected terrorist lists, against OFAC lists, and against non cooperative countries and territories lists, as provided by the government.
Specify procedures to deal with "Hits". Reporting to appropriate agencies must be timely and/or as demanded.

Some of these requirements may already have been met within your existing "BSA and OFAC
Policies and Procedures". These policies need to be updated to be Patriot compliant.
Don't assume compliance. While the record keeping and the cost of compliance may be a burden, this is a good thing you are doing. In addition to meeting the new requirements and maybe helping to stop terrorism, these changes should also help to defer fraud in your institution.

What could happen if you don't follow these rules? The "USA Patriot Act" provides for
fines of $ 25,000.00 per day, in some cases of failure to comply. Fines of
$250,000.00 per day and five years of imprisonment, or both, could be assessed for intentional violations.

In summation, you need to do the following:

Assess the impact of the new regulations and determine where you are right now, and what you have to do to become compliant.
Update policies and procedures. Basically your BSA policy needs to be updated to address Patriot Act requirements.
Ensure training and understanding of these regulations with staff. Everyone in the
institution needs to be on board with this.
Support the program with appropriate technologies. Check with your data processing
vendor to see what technological advances and programs they have developed, or are
developing, that will facilitate Patriot Act compliance.
Test and Audit. As we stated earlier, don't assume compliance.