If you are an OCC regulated bank, your BSA Officer should be actively working to finish the annual Money Laundering Risk Assessment (MLR). For former OTS clients, this is the first MLR you were required to submit to the OCC. There are some changes to the form, so this article is to help guide you through some common questions we have been asked by our clients.
1. What is the MLR and do I need to file?
If you are an OCC regulated institution, you are expected to prepare this annual risk assessment. The MLR is a data collection tool for the OCC and enhances the ability of examiners and bank management to identify and evaluate Bank Secrecy Act/Money Laundering and OFAC sanctions risks associated with bank's products, services, customers and locations from a statistical standpoint. The data period is from October 1, 2011 through September 30, 2012 and the form asks 70 questions. If you ARE OCC regulated and have NOT received your MLR information, reach out to your OCC contact as soon as possible. The MLR is mandatory for all OCC small community banks this year and the due date is February 1, 2013. The OCC is considering expanding this reporting requirement to include OCC's midsize and large banks. THOMAS COMPLIANCE ASSOCIATES will let you know if this expanded reporting requirement takes effect.
2. What has changed with the 2012 MLR?
There is a new process for submitting the MLRs and there are revised categories for prepaid cards and MSBs. In regards to submitting the form, previously banks would submit it to the local OCC office, who then forwarded it to Washington. This year, filing banks will no longer submit completed Risk Summary Forms to OCC Supervisory Offices. Banks will submit Risk Summary Forms directly to the OCC's MLR System. The simplified process is more fully described in Appendix D of the 2012 Banker Guide.
The MSB category has been updated to represent current regulatory definitions and the prepaid card questions further break out the financial institution's role in providing prepaid access cards to consumers. The new fields collect statistical information on prepaid card transactions, prepaid card programs sponsored by third-parties or the MLR filing bank, prepaid cardholders, and prepaid card managers. Make sure to review the 2012 Banker Guide for additional information. Remember, not all questions might be applicable to your institution.
3. Do I need to maintain documentation to support my MLR submission?
Even though the OCC does not currently €require€ a full audit trail from where the MLR numbers are derived, it never hurts to define your bank's methodology at arriving at your conclusions. By performing this exercise, you make this process €that much stronger€ and it gives your regulator more comfort that you understand not only the risks within your products, services, customers and geographies; but also demonstrates that you understand your bank's aggregate risk. Remember, this information also can be used to enhance your overall AML Risk Assessment.
Today, January 30th, the OCC published additional information clarifying the definition of €issuing bank€ for prepaid PSCs number 14, 16, 17 and 18.
MLR PSC 14, 16, 17, and 18, do not apply unless your bank is a designated €issuing bank€ for the prepaid card program.
Most banks that sell cards are not the €issuer,€ even though their name can appear on the front of the card. Such banks are simply an outlet for selling cards. They acquire an inventory of cards, usually from a third-party participant in a card program; sell the cards; remit the sales proceeds per arrangements with the third party; and have little or no other obligation to, or association with, the card program's operations. Banks should not report information under PSC 14 if they are simply selling cards that are part of another organization's program. And if the bank is simply a seller of cards, it will likewise have nothing to report under PSCs 16, 17, or 18.
According to the OCC, the term €issuing bank€ has a meaning of its own, extending beyond the dictionary definition. The program manager of each prepaid card program contracts with, and designates, one official €issuing€ bank. Merely serving as an outlet for the sale of prepaid cards does not rise to the level of an €issuing bank.€ While €issuing banks€ may join with other outlets to sell the cards they issue, they also participate in such duties as:
- Holding/Safekeeping prepaid funds
- Settling transactions arising from customers use of the cards
- Posting card transactions and maintaining card account balances
- Monitoring and reporting fraud and suspicious activity
- Monitoring the conformity of customer transactions and activities against card features and limits
- Due diligence on customers and third party relationships
- Monitoring third-party processors
Typically, the name of a program's issuing bank appears on the back of the prepaid card. If a bank is not the €issuing€ bank, then it will report nothing under PSCs #14, 16, 17, 18.
If you have already submitted your RSF and find that you need to change the way you reported prepaid items, you can go back into your submitted RSF and change only the data in PSCs 14,16,17 and 18 as applicable ( i.e., do not change any other data in the RSF), then hit €submit€--- this will update the RSF for these specific PSCs and you should receive an automatic system-generated confirmation email.
Our BSA Review and Resource Team has prepared MLRs in prior banking careers and is here to help answer your questions.
With a staff whose professional designations include Certified Regulatory Compliance Manager, Certified Fraud Examiner, Certified Anti-Money Laundering Specialist, and Certified Information Systems Security Professional, THOMAS COMPLIANCE ASSOCIATES has your compliance needs covered.
THOMAS COMPLIANCE ASSOCIATES. Bankers who understand compliance. 800-934-REGS.
1. What is the MLR and do I need to file?
If you are an OCC regulated institution, you are expected to prepare this annual risk assessment. The MLR is a data collection tool for the OCC and enhances the ability of examiners and bank management to identify and evaluate Bank Secrecy Act/Money Laundering and OFAC sanctions risks associated with bank's products, services, customers and locations from a statistical standpoint. The data period is from October 1, 2011 through September 30, 2012 and the form asks 70 questions. If you ARE OCC regulated and have NOT received your MLR information, reach out to your OCC contact as soon as possible. The MLR is mandatory for all OCC small community banks this year and the due date is February 1, 2013. The OCC is considering expanding this reporting requirement to include OCC's midsize and large banks. THOMAS COMPLIANCE ASSOCIATES will let you know if this expanded reporting requirement takes effect.
2. What has changed with the 2012 MLR?
There is a new process for submitting the MLRs and there are revised categories for prepaid cards and MSBs. In regards to submitting the form, previously banks would submit it to the local OCC office, who then forwarded it to Washington. This year, filing banks will no longer submit completed Risk Summary Forms to OCC Supervisory Offices. Banks will submit Risk Summary Forms directly to the OCC's MLR System. The simplified process is more fully described in Appendix D of the 2012 Banker Guide.
The MSB category has been updated to represent current regulatory definitions and the prepaid card questions further break out the financial institution's role in providing prepaid access cards to consumers. The new fields collect statistical information on prepaid card transactions, prepaid card programs sponsored by third-parties or the MLR filing bank, prepaid cardholders, and prepaid card managers. Make sure to review the 2012 Banker Guide for additional information. Remember, not all questions might be applicable to your institution.
3. Do I need to maintain documentation to support my MLR submission?
Even though the OCC does not currently €require€ a full audit trail from where the MLR numbers are derived, it never hurts to define your bank's methodology at arriving at your conclusions. By performing this exercise, you make this process €that much stronger€ and it gives your regulator more comfort that you understand not only the risks within your products, services, customers and geographies; but also demonstrates that you understand your bank's aggregate risk. Remember, this information also can be used to enhance your overall AML Risk Assessment.
Today, January 30th, the OCC published additional information clarifying the definition of €issuing bank€ for prepaid PSCs number 14, 16, 17 and 18.
MLR PSC 14, 16, 17, and 18, do not apply unless your bank is a designated €issuing bank€ for the prepaid card program.
Most banks that sell cards are not the €issuer,€ even though their name can appear on the front of the card. Such banks are simply an outlet for selling cards. They acquire an inventory of cards, usually from a third-party participant in a card program; sell the cards; remit the sales proceeds per arrangements with the third party; and have little or no other obligation to, or association with, the card program's operations. Banks should not report information under PSC 14 if they are simply selling cards that are part of another organization's program. And if the bank is simply a seller of cards, it will likewise have nothing to report under PSCs 16, 17, or 18.
According to the OCC, the term €issuing bank€ has a meaning of its own, extending beyond the dictionary definition. The program manager of each prepaid card program contracts with, and designates, one official €issuing€ bank. Merely serving as an outlet for the sale of prepaid cards does not rise to the level of an €issuing bank.€ While €issuing banks€ may join with other outlets to sell the cards they issue, they also participate in such duties as:
- Holding/Safekeeping prepaid funds
- Settling transactions arising from customers use of the cards
- Posting card transactions and maintaining card account balances
- Monitoring and reporting fraud and suspicious activity
- Monitoring the conformity of customer transactions and activities against card features and limits
- Due diligence on customers and third party relationships
- Monitoring third-party processors
Typically, the name of a program's issuing bank appears on the back of the prepaid card. If a bank is not the €issuing€ bank, then it will report nothing under PSCs #14, 16, 17, 18.
If you have already submitted your RSF and find that you need to change the way you reported prepaid items, you can go back into your submitted RSF and change only the data in PSCs 14,16,17 and 18 as applicable ( i.e., do not change any other data in the RSF), then hit €submit€--- this will update the RSF for these specific PSCs and you should receive an automatic system-generated confirmation email.
Our BSA Review and Resource Team has prepared MLRs in prior banking careers and is here to help answer your questions.
With a staff whose professional designations include Certified Regulatory Compliance Manager, Certified Fraud Examiner, Certified Anti-Money Laundering Specialist, and Certified Information Systems Security Professional, THOMAS COMPLIANCE ASSOCIATES has your compliance needs covered.
THOMAS COMPLIANCE ASSOCIATES. Bankers who understand compliance. 800-934-REGS.