On January 19, 2017, Western Union Financial Services, Inc. agreed to pay civil penalties and restitution to victims of fraud totaling $586 million to resolve actions brought by the U.S. Treasury Department’s Financial Crimes Enforcement Network (FinCEN), Department of Justice (DOJ), and Federal Trade Commission (FTC) for violations of the Bank Secrecy Act’s (BSA) anti-money laundering (AML) requirements. The actions arose from allegations that Western Union violated the BSA by failing to (1) implement and maintain an effective, risk-based AML program to properly vet and monitor third-party agents, and (2) file timely suspicious activity reports (SARs). Significantly, regulators determined that Western Union, which is classified as a money services business for purposes of the BSA, failed to properly monitor third-party agents to ensure that these agents were not utilizing Western Union to facilitate money laundering and other illicit, fraudulent transactions.
In addition to the monetary sanctions, regulators also required that Western Union implement procedures and training aimed at increasing scrutiny and periodic reporting regarding SAR reporting and disclose corrective actions taken against third-party agents who fail to comply with AML requirements. In addition, Western Union agreed to the appointment of an independent compliance auditor who will monitor whether Western Union is conducting thorough and ongoing due diligence on all prospective and existing Western Union agents. In making the enhanced monitoring part of the consent order, regulators are clearly signaling their expectation that financial institutions in the money services business (MSBs) implement AML programs which effectively account for and mitigate the risks of illicit activity posed by money transfers facilitated by third-party agents. Financial institutions that offer money services products, such as domestic and international money transfers, should review their AML compliance program to ensure proper monitoring of any third-party agents used to facilitate these transactions.
What is an AML compliance program?
The BSA, among other things, requires certain regulated entities, including financial institutions, to develop and implement AML compliance programs reasonably designed to assure and monitor compliance with the BSA and its implementing regulations. In recent years, regulators have also made it clear that the AML compliance programs must be tailored to the products offered, customer demographics, and the transaction history. Due to the unique regulatory risks faced by each financial institution, there are no shortcuts for developing a proper AML program. That said, at a minimum, a financial institution’s AML compliance program must include:
- A system of internal controls to ensure ongoing compliance;
- Independent testing of AML compliance;
- Designation of an individual or individuals responsible for managing BSA compliance;
- A comprehensive training program for appropriate personnel; and
- A customer identification program.
In sum, financial institutions must take a hard look at their individual characteristics and develop an AML program that is reasonably designed to prevent parties from using financial systems for illicit purposes.
What additional measures are required for MSBs partnering with third-party agents to facilitate transactions?
The BSA requires all MSBs, both principals and their agents, to establish and maintain an effective written AML program reasonably designed to prevent the MSB from being used to facilitate illicit financial activities. Although responsibility for developing AML policies, procedures, and internal controls can be allocated between a principal and agent, both parties remain liable for failing to implement an appropriate AML program. Moreover, each MSB remains independently liable and wholly responsible for implementing an adequate AML program. Accordingly, MSBs that do business through foreign and domestic third-party agents must implement risk-based policies, procedures, and controls that are reasonably designed to identify and minimize money laundering and other illicit financing risks associated with money transfers.
Regulators also expect MSBs to tailor their AML programs to reflect the risks associated with their particular business services, clients, size, locations, and circumstances. The risk factors that should be considered in monitoring third-party agents include, but are not limited to:
- Whether the owners are known or suspected to be associated with criminal conduct or terrorism;
- Whether the agent has established, and adheres to, an AML program;
- The nature of the markets the agent serves and the extent to which the market presents an increased risk for money laundering or terrorist financing;
- The services an agent is expected to provide and the agent’s anticipated level of activity; and
- The nature and duration of the relationship.
Furthermore, FinCEN has made it clear that AML programs for MSBs involving foreign third-party agents must include:
- Procedures for conducting reasonable, risk-based due diligence on potential and existing foreign agents and counterparties to help ensure that these entities and individuals are not complicit in illegal activity involving the financial institutions’ services, including reasonable procedures to evaluate, on an ongoing basis, the operations of those foreign agents and counterparties;
- Procedures for risk-based monitoring and review of transactions from, to, or through the United States that are conducted through foreign agents and counterparties sufficient to enable the financial institutions to identify and properly report suspicious activities; and
- Procedures for responding to foreign agents or counterparties that present unreasonable risks of money laundering or the financing of terrorism, including procedures that provide for the implementation of corrective action by the foreign agent or counterparty or termination of the relationship where corrective action will not adequately address the unacceptable risk of money laundering.
In sum, an effective AML program must comprehensively evaluate the risks posed by third-party agents, after thorough consideration of the location, background, and circumstances of each agent.
Lessons from the Western Union Enforcement Action
The latest set of government enforcement actions against Western Union is a continuation of regulators’ focus on institution-specific, comprehensive AML compliance programs, and highlights the importance of implementing policies and procedures that effectively monitor third-party agents and mitigate the risk of illicit activity. Financial institutions must have policies and procedures in place that reflect the reality of the risks posed by certain transactions or third-party vendors. In light of the deficiencies regulators identified in Western Union’s AML program, financial institutions offering money services products must carefully scrutinize their relationships with third-party agents and other parties involved in all financial transactions and implement procedures tailored to their business environment. To be sure, the Western Union enforcement action should serve as a potent cautionary tale for financial institutions to continually evaluate their AML programs to account for the risks posed by both foreign and domestic third-party agents.
Finally, these actions follow a trend in enforcement actions by federal and state regulators that all regulated entities should understand. Regulators continue to bring enforcement actions against financial services providers that do not have adequate third-party risk management policies in place because these regulators, including FinCEN, the DOJ, FTC, and Consumer Financial Protection Bureau, continue to rely on the principles behind Operation Choke Point to protect consumers and businesses from financial harm. Given this significant regulatory trend, any time a financial institution considers contracting with a third party, service provider, or agent to perform a service related to its core business functions, it should conduct due diligence on that provider and, if that provider is hired, continue to monitor whether that business is complying with applicable laws in carrying out its services.