How compliance software helps stop criminals in their tracks

Criminals view community banks as easier targets for their money-laundering activities. What are the warning signs, and how can community banks protect themselves?

By Karen Epper Hoffman

There is no shortage of crooks using their legitimate bank to launder cash earned from illegal pursuits. According to PwC, money-laundering transactions account for an estimated $1 trillion to $2 trillion, or 2 to 5 percent, of global GDP every year. Community banks are a preferred transaction channel for money launderers due to their smaller size and limited fraud-detection budgets, and a perception that their employees are less adept at spotting suspicious activity.

“The biggest challenge is in the monitoring for Bank Secrecy Act [BSA] and anti-money-laundering [AML] activity,” says Chris Cook, executive vice president for Farmers Bank & Trust, based in Marion, Ky. He notes that his $185 million-asset institution lacks the same compliance budget and staff of larger banks. “A larger bank can just buy any software they need.”

But considering its size and rural locale, Farmers Bank & Trust is arguably better staffed than similar community banks; it boasts one BSA officer, who is responsible for the community bank’s overall policies and procedures, and two assistant BSA officers, one who oversees Currency Transaction Reports and exemptions, and another who monitors customer activity, including Office of Foreign Assets Control (OFAC) reporting. All three are full-time employees but also hold duties outside of compliance, says Cook.

“This is a challenging area for institutions of all sizes, particularly for community banks,” says Daniel P. Stipano, partner at Buckley Sandler LLP and former deputy chief counsel at the Office of the Comptroller of the Currency. “Money launderers, drug traffickers and bad actors will look for weak links, and in many cases, community banks simply don’t have the same resources and the same expertise as larger institutions.”

While that does not necessarily mean that community banks face a greater threat than their bigger bank rivals, some of them have taken the “de-risking” route: terminating certain high-risk categories of customer accounts, services or businesses to avoid the AML risk by these accounts, Stipano says.

“A BSA/AML risk assessment is critical to establishing an effective AML program,” he adds. “All institutions should do a satisfactory risk review. Once they have done that, the bank is in a better position to understand and mitigate its AML risk.”

Red flags
Understanding what constitutes potential illicit activity can be a challenge. From the acquiring bank perspective, signs of trafficking or money laundering by merchants include “multiple payment vehicles within one website, multiple encrypted or password-protected website areas, foreign-based hosting, and cryptocurrency connections and acceptance vehicles,” according to Darrel Anderson, president of Conformance Technologies, whose InConRadar monitors for suspicious activity.

For example, Anderson’s company’s solution might scan merchant websites for suspicious words and, if found, validate their use with the registered merchant category code specified during underwriting. For example, he says, if the business is a bar and grill, finding the terms “FDA” and “bitcoin” on its website would throw up a red flag, because there’s no legitimate reason for them to be there. “These conditions, along with thousands of others, trigger alerts, which lets the bank know they need to review a merchant and its business practices,” he says.

Dan Stitt, director of financial crime analysis for QuantaVerse, an AI for financial crime software company, has worked in federal law enforcement and banking for more than two decades. Over the years, he says, law enforcement has seen “both great and horrible compliance programs.”

“Typically, the smaller the bank, the more interaction they have with the customer,” Stitt says. But with smaller budgets and staff in place, “their systems are not as advanced. And criminals can be pretty sophisticated.” Some savvy money launderers or criminal rings might also move from bank to bank, opening multiple accounts to avoid detection.

While effective BSA/AML compliance software options have been available for many years, Stipano says these generally effective solutions often come with challenges, including generating “a lot of false positives, and requiring a lot of human monitoring. This whole area is ripe for disruptive technology,” he adds, referencing the growing application of machine learning, data analytics and emerging artificial intelligence.

“A BSA/AML risk assessment is critical to establishing an effective AML program. All institutions should do a satisfactory risk review. Once they have done that, the bank is in a better position to understand and mitigate its AML risk.”
—Daniel P. Stipano, Buckley Sandler LLP

Sticking to the rules
Compliance is a key area to consider. Community banks may be wary of using tools and solutions that regulators have not officially approved or endorsed. “The consequences of getting it wrong can be severe,” Stipano says. “Enforcement actions have been particularly harsh in the BSA area over the past five or six years…. These cases capture headlines.”

Farmers Bank & Trust has hired Computer Services, Inc. (CSI) for several years to provide a monitoring program and an annual review of the community bank’s BSA practices. Cook says that the cost of CSI’s monitoring service represents less than 10 percent of the bank’s BSA budget, and its review costs less than 5 percent of the budget.

While there is no regulatory requirement that a financial institution obtain a BSA/AML automated transaction-monitoring system, Ledra Finley, risk and compliance services manager for CSI, says there are definite benefits. An automated system uses analytics to help a financial institution identify customer activity that does not fall within “normal” activity for that customer. It may also pinpoint suspicious transaction-level activity based on specific parameters.

Some challenges community banks face in implementing and running an effective BSA/AML program include finding employees with the skills and knowledge to develop and maintain the program, and having sufficient financial and personnel resources devoted to management of the program, she says. “It is also important to implement a strong compliance culture,” Finley adds, “that starts with the board and senior management.”

Once all staff members are on board, Finley advises training employees to watch for several potential indicators of money laundering (see sidebar). “The first line of defense at a financial institution is the employee,” she says. “It is important to train them to be alert to something that just doesn’t seem right for a customer and to report such activity to their supervisor or the BSA officer for investigation.”

Compliance calendar

A quick look at upcoming regulatory changes
Jan. 1, 2018
Effective date for final rule implementing changes to the Home Mortgage Disclosure Act (HMDA)
April 1, 2018
Effective date for final rule implementing requirements for prepaid accounts (Regulation E)
April 1, 2018
Effective date for Mortgage Servicing Amendment (Regulations X and Z and FDCPA)
May 11, 2018
Effective date for customer due diligence requirements (beneficial owner rule)
July 1, 2018
Effective date for final rule amending Regulation CC

For compliance deadlines
further into the future, you can see ICBA’s online regulatory calendar at

Two red flags

Community banks’ closer customer relationships can help identify suspicious activity—if employees know what to look for. Here are two warning signs.

  1. Information that doesn’t add up, whether it’s multiple tax ID numbers, sizeable transaction activity yet a slim resume, or insufficient information about the business or its owners.
  2. Unpredictable business activity. Unexpected transactions, or transactions that seem out of character for a particular type of business, could be a sign that something is afoot.

If employees spot these or other warning signs, they should file a suspicious activity report (SAR) so the matter can be investigated further.

Karen Epper Hoffman is a financial writer in Washington state.