The regulatory expectations surrounding the banking of money service businesses (MSBs) are a frequent source of confusion for financial institutions. Many financial institutions are surprised to receive deficiencies and matters requiring attention in examinations, even though they believe they have followed the regulatory guidance. Because of this confusion, the National Credit Union Administration (NCUA) has announced that it intends to make providing services to MSBs or other types of high-risk businesses a supervisory priority this year, with field staff tasked with targeting this area. This article will discuss potential problem areas for credit unions with MSB customers.
MSBs and Regulation
MSBs are defined generally as businesses transacting largely with cash: currency dealers, check cashers, issuers and redeemers of traveler’s checks, money orders, stored value, money transmitters, and the U.S. Postal Service. MSBs are regulated by the Internal Revenue Service, and with just a few exceptions, all MSBs must register with the Department of the Treasury. In addition to the IRS, most states have Money Transmitter requirements, regulated by their DFIs (development finance institution or equivalent), that certain types of MSBs must follow.
The FFIEC guidance regarding MSBs clearly states that the Bank Secrecy Act (BSA) does not require, and neither FinCEN nor the federal banking agencies expect, financial institutions to serve as the de facto regulator of their MSB customers. Specifically, the guidance states:
“While banks are expected to manage risk associated with all accounts, including MSB accounts, banks will not be held responsible for the MSB’s BSA/AML program.”
It is the expectation that the risk assessment of a particular MSB will determine the level of due diligence required. In a low risk environment, “a bank is not routinely expected to perform further due diligence beyond the minimum due diligence expectations.” Additionally, “unless indicated by the risk assessment of the MSB, banks are not expected to routinely review an MSB’s BSA/AML program.” The initial due diligence expectations are clearly stated by the FFIEC, with the NCUA providing additional guidance in documents such as 14-CU-10 referencing SL No. 14-05.
Understandably, many institutions take the written guidance at face value. They perform a risk assessment, obtain and review the due diligence information commensurate with the risk of the MSB, board the merchant, and enjoy the deposits and revenue associated with the banking of MSB accounts, believing that they are not responsible for the MSB’s BSA/AML program. This sounds too good to be true, and unfortunately does not hold up well in reality.
Regulatory Guidance in the Real World
In the real world, credit unions are often cited for problems in their MSB programs. Because of this, the NCUA now expects heightened due diligence and monitoring. Significant civil money penalties have been levied in more extreme circumstances involving multiple violations of consent orders. Just this past month, a California financial institution was fined $7 million for failure to adequately monitor the activity of its MSB customers.
So the question becomes: how do credit unions reconcile the written regulatory guidance with the real-life experience of banking MSBs? The key to this answer rests in the fact that financial institutions are responsible for managing the risks associated with all accounts. In order to accurately determine the risks of a particular account, credit unions must perform risk assessment on an ongoing basis.
This risk assessment includes having sufficient insight into the activities of your MSB customers to determine if their risk profile has changed after boarding. Some warning signs to monitor might include:
- Changes in transaction volumes, products offered, locations or markets;
- Changes in management or beneficial ownership;
- Changes in their BSA/AML policies and procedures;
- Changes in the types or volume of CTRs and SARs being filed;
- Changes in transactional risk indicators.
Only by continuously asking these questions can banks ensure that they have the appropriate checks in place to account for the risk profile of their MSB customers.
How Data Automation Can Help
In discussions with a number of third-party bank auditors, as well as banks servicing MSB clients, the problem areas seem to be across the board:
- Poor and/or missing documentation,
- Insufficient baseline and transactional analysis,
- Inability to monitor reputational risk,
- Deficiencies in determining unusual activity and AML,
- Inconsistency in obtaining information necessary to perform proper risk analysis.
One common theme is that virtually all institutions with these deficiency characteristics rely upon manual processes to monitor their MSB customers. But the traditional concept of adding FTEs as the solution to the problem often yields poor results. Examiners today increasingly expect automation, as technology is recognized as the key to banking MSBs in a responsible, sustainable, and profitable manner.
Our MSB clients receive numerous data points from a number of third parties. These sources go well beyond a core API or extract, and can include wire files, ACH files, ATM records, cardholder and merchant transactional files, and image cash letters, for example. These files also arrive in differing formats.
Utilizing new tools and solutions developed specifically for MSBs and other cash-intensive businesses is critical to the successful banking of these industries. It is these advanced technologies that will enable credit unions to parse and analyze volumes of data that otherwise go unnoticed or are spot checked at best. They also assist with documentation and the other common areas of deficiency. Technology is the great equalizer that enables institutions of all sizes to service industries that were previously limited to only the largest of banks. Leverage these solutions to help your institution successfully bank MSBs.
This article was originally published on NWCUA.org.