establish a proper AML program #119

Closed
chadwhitacre opened this Issue Dec 29, 2014 · 77 comments

Contributor

chadwhitacre commented Dec 29, 2014

To date, we've drafted off of Balanced for compliance with AML regulations. Now that they're going out of business, we may need to take more control of our processing infrastructure (gratipay/gratipay.com#67), and that means owning AML compliance. Getting turned down by Payoneer (gratipay/gratipay.com#481) and Transpay (gratipay/gratipay.com#417) —update: and Citizens (gratipay/gratipay.com#3366) —indicates that we're not yet mature enough in this area. What are we lacking?

Transpay provided some guidance at gratipay/gratipay.com#417 (comment). Then, over at #118 (comment), I discovered this PDF. I think mostly we need to collect better identity information for our users. Yes?

chrisdev Dec 29, 2014

@whit537 is this not mainly a Balanced Payments responsibility?
They are the ones who enforce Know Your Customer https://support.balancedpayments.com/hc/en-us/articles/201836340-What-is-Merchant-underwriting-or-KYC-
They have the marketplace agreement https://www.balancedpayments.com/terms/marketplaceagreement.

We should try to be helpful to Balanced, but they are the ones who are PCI compliant.
Also, I'm not saying that we can't enforce some of our own moral rules above what Balanced requires. To a certain extent it's in Gratipay's best interest, as our due diligence efforts may eventually result in lower CC chargebacks.
However, maybe we should at this stage adopt a more passive mode when it comes to these issues.
KYC is the fundamental building block of AML compliance, but this thing can quickly become a burden to all concerned. For example, banks in T&T now have to capture if the customer is either a Politician/Judicial/Police or Government official or is a "close" relative of such an individual as part of their KYC obligations?
In a small country this is having a wide-reaching impact with lots of unintended consequences.

chadwhitacre Jan 5, 2015

Contributor

This is probably a subset of #122.

chadwhitacre Apr 27, 2015

Contributor

Ticket description updated. Previously:

Reticketed from #180

digest this:

"International Standards on Combating Money Laundering and the Financing of Terrorism & Proliferation"
http://www.fatf-gafi.org/media/fatf/documents/recommendations/pdfs/FATF_Recommendations.pdf

chadwhitacre May 28, 2015

Contributor

FINRA provides a template for small firms (Word format 164 KB) to assist them in fulfilling their responsibilities to establish the AML compliance program required by the Bank Secrecy Act and its implementing regulations and FINRA Rule 3310. The template provides text examples, instructions, relevant rules and Web sites and other resources that are useful for developing an AML plan for a small firm.

http://www.finra.org/industry/anti-money-laundering-template-small-firms

chadwhitacre May 28, 2015

Contributor

[T]he Financial Industry Regulatory Authority, Inc. (FINRA) is a private corporation that acts as a self-regulatory organization (SRO).

http://en.wikipedia.org/wiki/Financial_Industry_Regulatory_Authority

chadwhitacre May 28, 2015

Contributor

An anti-money laundering (AML) program is a set of procedures designed to guard against someone using the firm to facilitate money laundering or terrorist financing. The main components that must be included are: 1) internal policies, procedures, and controls reasonably designed to assure compliance with the Bank Secrecy Act and implementing regulations; 2) appointment of a designated compliance officer to oversee the program's day-to-day operations; 3) an ongoing training program; and 4) an independent audit.

https://www.nfa.futures.org/NFA-faqs/compliance-faqs/anti-money-laundering/

@chadwhitacre chadwhitacre changed the title from better understand our obligations wrt AML/CFT to write an AML policy May 28, 2015

chadwhitacre May 28, 2015

Contributor

Just got off the horn with @clone1018. He's going to take a first pass at this tonight. The task is to skim the FATF recommendations (130 pp.), and then write an AML program for Gratipay, starting with FINRA's template (51 pp.).

@clone1018 I sent you an invite to edit this doc:

Gratipay AML Program

Here's a clean copy of the template for reference:

AML Program Template

Contributor

chadwhitacre commented May 28, 2015

@chadwhitacre chadwhitacre changed the title from write an AML policy to establish a proper AML program May 28, 2015

clone1018 May 29, 2015

Contributor

I took a first look tonight, only got about half way done. I have the
document downloaded and I'll be doing more tomorrow morning. This will be
at least a weekend project.

On Thu, May 28, 2015 at 3:17 PM Chad Whitacre notifications@github.com
wrote:

!m @clone1018 https://github.com/clone1018


chadwhitacre May 29, 2015

Contributor

!m @clone1018

By "the document" you mean FATF, yes?

clone1018 May 29, 2015

Contributor

Yeah, 2/3 done reading it now. It seems more geared to countries implementing their own FATF programs but there's tons of nuggets of information I'm noting down.

@chadwhitacre chadwhitacre referenced this issue May 29, 2015

Closed

Radar 8 #209

chadwhitacre May 29, 2015

Contributor

Had a call with @clone1018; he's going to post some notes he's been taking on FATF. I'm going to try to put something together quickly for Citizens (gratipay/gratipay.com#3366) that captures our current state as well as where we're headed with this ticket.

clone1018 May 29, 2015

Contributor

Posted at: gratipay/gratipay.com#3366 (comment) before I saw this :)

chadwhitacre May 29, 2015

Contributor

From @clone1018 at gratipay/gratipay.com#3366 (comment):

Couple of important notes from: http://www.fatf-gafi.org/media/fatf/documents/recommendations/pdfs/FATF_Recommendations.pdf

P#14D10: No anonymous accounts or fake names? May not apply.

P#63H15: Enhanced CDD measures for "high risk", mentions geographic risk factors?

P#65H17c: countries with effective AML systems are low risk

P#65H20: Enhanced CDD measures

P#65H21: Simplified CDD measures (low risk) what we should be doing

clone1018 May 29, 2015

Contributor

Thanks @whit537 :D

chadwhitacre May 29, 2015

Contributor

:-)

Contributor

chadwhitacre commented May 29, 2015

chadwhitacre May 29, 2015

Contributor

I'm drafting a "Manage Risk" howto for IG, to include a section on AML.

chadwhitacre May 29, 2015

Contributor

Bank Secrecy Act / Anti-Money Laundering Manual (FFIEC, 2014. 442 pp.)

Also in HTML:

This Federal Financial Institutions Examination Council (FFIEC) Bank Secrecy Act (BSA)/Anti-Money Laundering (AML) Examination Manual provides guidance to examiners for carrying out BSA/AML and Office of Foreign Assets Control (OFAC) examinations. An effective BSA/AML compliance program requires sound risk management; therefore, the manual also provides guidance on identifying and controlling risks associated with money laundering and terrorist financing. The manual contains an overview of BSA/AML compliance program requirements, BSA/AML risks and risk management expectations, industry sound practices, and examination procedures. The development of this manual was a collaborative effort of the federal and state banking agencies[1] and the Financial Crimes Enforcement Network (FinCEN), a bureau of the U.S. Department of the Treasury, to ensure consistency in the application of the BSA/AML requirements. In addition, OFAC assisted in the development of the sections of the manual that relate to OFAC reviews. Refer to Appendices A (“BSA Laws and Regulations”), B (“BSA/AML Directives”), and C (“BSA/AML References”) for guidance.

http://www.ffiec.gov/bsa_aml_infobase/pages_manual/OLM_002.htm

chadwhitacre May 29, 2015

Contributor

There's also ...

This Bank Secrecy Act/Anti-Money Laundering Examination Manual for Money Services Businesses provides guidance to examiners for performing Bank Secrecy Act (BSA) examinations.

As the administrator of the BSA, the Financial Crimes Enforcement Network (FinCEN) has delegated authority to the Internal Revenue Service (IRS) to examine the anti-money laundering (AML) program of money services businesses (MSBs).

An effective AML program requires sound risk management; therefore, the manual also provides guidance on identifying and controlling risks associated with money laundering and terrorist financing. The manual contains an overview of AML program requirements, BSA/AML risks and risk management expectations, sound industry practices, and examination procedures. The development of this manual was a collaborative effort of the IRS, state agencies responsible for MSB regulation, the Money Transmitter Regulators Association (MTRA), the Conference of State Bank Supervisors (CSBS), and FinCEN, a bureau of the U.S. Department of the Treasury. The goal is to ensure consistency in the application of the BSA requirements.

Bank Secrecy Act / Anti-Money Laundering Examination Manual for Money Services Businesses (FinCEN, 2008. 159 pp.)

chadwhitacre May 29, 2015

Contributor

Gold!

Third-Party Payment Processors—Overview

Objective. Assess the adequacy of the bank’s systems to manage the risks associated with its relationships with third-party payment processors, and management’s ability to implement effective monitoring and reporting systems.

Nonbank or third-party payment processors (processors) are bank customers that provide payment-processing services to merchants and other business entities. Traditionally, processors contracted primarily with retailers that had physical locations in order to process the retailers' transactions. These merchant transactions primarily included credit card payments but also covered automated clearing house (ACH) transactions,[221] remotely created checks (RCC),[222] and debit and prepaid cards transactions. With the expansion of the Internet, retail borders have been eliminated. Processors now provide services to a variety of merchant accounts, including conventional retail and Internet-based establishments, prepaid travel, telemarketers, and Internet gaming enterprises.

Third-party payment processors often use their commercial bank accounts to conduct payment processing for their merchant clients. For example, the processor may deposit into its account RCCs generated on behalf of a merchant client, or process ACH transactions on behalf of a merchant client. In either case, the bank does not have a direct relationship with the merchant. The increased use of RCCs by processor customers also raises the risk of fraudulent payments being processed through the processor's bank account. The Federal Deposit Insurance Corporation (FDIC), Office of the Comptroller of the Currency (OCC), and Financial Crimes Enforcement Network (FinCEN) have issued guidance regarding the risks, including the BSA/AML risks, associated with banking third-party processors.

http://www.ffiec.gov/bsa_aml_infobase/pages_manual/olm_063.htm

chadwhitacre May 29, 2015

Contributor

Damn. That is seriously gold. That's the documentation for government regulators conducting examinations of banks regarding their third-party processor risk assessment programs. This is exactly what I've been looking for.

chadwhitacre May 30, 2015

Contributor

Footnote 223:

FDIC Clarifying Supervisory Approach to Institutions Establishing Account Relationships with Third-Party Payment Processors, FDIC FIL-41-2014, July 28, 2014;

Payment Processor Relationships Revised Guidance, FDIC FIL-3-2012, January 31, 2012;

Risk Management Guidance: Payment Processors, OCC Bulletin 2008-12, April 24, 2008;

Risk Management Guidance: Third Party Relationships, OCC Bulletin 2013-29, October 30, 2013; and

Risk Associated with Third-Party Payment Processors, FinCEN Advisory FIN-2012-A010, October 22, 2012.

@copiesofcopies You might be interested in these. ^^^

chadwhitacre May 30, 2015

Contributor

Okay! Here's what I have so far:

http://inside.gratipay.com/howto/manage-risk

I want to add a fourth section on Consumer Protection and then give it another going-over before sending it off to Citizens. Hopefully I can do that this weekend.

chadwhitacre May 30, 2015

Contributor

FinCEN's doc has a 16-page section on anti-money laundering programs (pp. 43-61).

chadwhitacre Jun 15, 2015

Contributor

Zooming back out to here from a vendor evaluation at gratipay/gratipay.com#2449 (comment) ... it looks like fundamentally what we need to do is (a) verify the identity of the people we're doing business with, and (b) ensure that said people are not criminals (and, in particular, terrorists).

chadwhitacre Jun 15, 2015

Contributor

Alright, so we need to collect identity and perform sanction screening. How are we going to do that?

chadwhitacre Jun 15, 2015

Contributor

The third piece is suspicious activity monitoring. What does that mean and how do we do it?

chadwhitacre Jun 15, 2015

Contributor

The criteria to decide when a report must be made varies from country to country but generally is any financial transaction that does not make sense to the financial institution, is unusual for that particular client or appears to be done only for the purpose of hiding or obfuscating a transaction.

https://en.wikipedia.org/wiki/Suspicious_activity_report

chadwhitacre Jun 15, 2015

Contributor

We're not an MSB, but since we're subregulated by MSBs, the law for MSB AML programs is a useful starting point for us. An abbreviation of the regulations, to which the examination manual overview maps pretty directly:

An effective anti-money laundering program is one that is reasonably designed to prevent the money services business from being used to facilitate money laundering and the financing of terrorist activities. The program shall be commensurate with the risks posed by the location and size of, and the nature and volume of the financial services provided by, the money services business. The program shall be in writing, and a money services business shall make copies of the anti-money laundering program available for inspection to the Department of the Treasury upon request. At a minimum, the program shall:

  1. Incorporate policies, procedures, and internal controls reasonably designed to assure compliance with this chapter.
  2. Designate a person to assure day to day compliance with the program and this chapter.
  3. Provide education and/or training of appropriate personnel concerning their responsibilities under the program, including training in the detection of suspicious transactions to the extent that the money services business is required to report such transactions under this chapter.
  4. Provide for independent review to monitor and maintain an adequate program.

http://www.ecfr.gov/cgi-bin/text-idx?node=se31.3.1022_1210

chadwhitacre Jun 15, 2015

Contributor

Hey @clone1018, wanna be our designated person to assure day to day compliance with the program and this chapter? :]

chadwhitacre Jun 15, 2015

Contributor

Alright, so we need to collect identity and perform sanction screening.

We also need to verify business identity, aaaaand that's more complicated. Reticketed as gratipay/gratipay.com#3557.

chadwhitacre Jun 15, 2015

Contributor

Learnings from sales call with ID Checker over on gratipay/gratipay.com#2449: document verification is different from identity verification. KYC refers to the latter(?), which involves checking provided information (name, address, dob) against government databases, "or a consumer credit bureau, most likely." Sanction screening is the third step in the process.

chadwhitacre Jun 20, 2015

Contributor

Context: http://www.moneylaunderingconference.com/2015/. Discovered by googling the name of the SVP for AML and Sanctions Compliance at Citizens, who didn't personally sign the letter we received from them on gratipay/gratipay.com#3366. ;-)

chadwhitacre Jun 20, 2015

Contributor

My favorite part of the René Bruelhart video was his answer at about 29:30 to the question, "What have you learned? What is the template for turning around these troubled situations?" tl;dr—(1) What are the real issues? Don't rush. (2) Who are your partners? Bring them in. (3) Really go for it.

First, sit back, and think about, "What are we talking about? What are the real issues here?" Don't try to make a quick fix. Sometimes it's appropriate, but, most often—especially when you have, let's say, more fundamental issues—sit back. "What are we talking about?"

And, then, who are your partners? Who are the players involved? Which are the different relevant factors you have to respect? Because quite often you're just looking to your department. You do that the whole day. You don't even know what is going on outside of the door or somewhere else within the bank or within the financial institution. So, what are the factors of a success story? What are the players you have to bring in? And then, bring them in. Because once you start a process, and you have the process to be changed two or three or four times, you will fail.

So, it's better to invest a little bit more time to set up a proper process, to really pave the path forward, and then to go for it. And there are always hurdles coming. But if you're convinced, go for it. Really go for it. And don't go into too many compromises there, because, again, if you're gonna change your game plan, you're gonna lose.

mattbk Sep 20, 2015

Contributor

Just to keep on top of this because it's blocking gratipay/gratipay.com/issues/3671, what are the next steps?

mattbk referenced this issue Sep 20, 2015: payout via dwolla masspay #726 (Closed, 0 of 1 task complete)

chadwhitacre Sep 21, 2015

Contributor

Next step is building a vault, so we can store personally identifying information, so we can verify identity.

webmaven Sep 24, 2015

@whit537 Do you actually have to build a vault? Isn't there some sort of document vault-as-a-service or open source app you could use?

chadwhitacre Sep 25, 2015

Contributor

@webmaven Check out gratipay/gratipay.com#3504, some options surfaced on there.
