A Look at AML Audits - Can you Audit Without a Risk Assessment?

We deal with known risks by establishing a plan to mitigate them. In the case of AML plans for mortgage companies, we face the risk of allowing financial crimes to go undiscovered and enter the financial system through our business. 

We create compliance plans as multi-tiered tools to deal with the risk. The tiers are the four (or five, depending on your business) pillars of an AML plan 

1. the plan itself - which identifies the risks your business encounters and how you mitigate them
2. training - your employees learn how to identify and report red flags
3. compliance officer - the person who implements the procedures, files reports, and ensures the activity, such as training, audits, risk assessments, etc., takes place 
4. an audit or exam - reviews your plan, determines if it is sufficient for the risks you face, and identifies if you are following it
5. ongoing review of accounts - if we are servicing, for instance

Static Plans DO NOT Address the Risks - Make Sure you know what they are

We conduct hundreds of AML audits, and the BIGGEST problem we see is that AML plans don't address the risks the business faces explicitly. Furthermore, the audits or tests we see focus on whether the AML plan contains arcane legal citations or reviews a sampling of closed loan files. This is not where the risk is.  

In the mortgage business, we are experts in looking for fraud - documenting sources of funds and ferreting out suspicious income and transactions. This doesn't mean that fraud and suspicious activity doesn't make it through (CoreLogic reports 1 in 131, or 0.76% of loans, are fraudulent). Still, it does mean that the MAJORITY of incidences probably aren't in the files that make it through to closing. So it makes sense to focus our efforts on loans that don't go through a complete underwriting process. 

None of the AML plans and audits we have reviewed focus on risk assessments. Hawaii is the only state we have encountered where they are requesting a specific AML risk assessment - (Bravo! Mahalo!). New York requires large-scale risk assessments of the entire operation, including AML. 

This leads me to conclude that people don't know what a risk assessment is or even why you do one. The purpose of the Risk Assessment is to look at YOUR business for areas of risk. Only then can you create a strategy to mitigate money laundering activity? 

How to Conduct a Risk Assessment?

Depending on the firm's scope, our risk assessments create a binary decision tree instead of a complex "relative risk rating" approach - e.g., low, medium, and high. We do it this way because the risk increases on an absolute basis. One red flag doesn't necessarily indicate fraud or money laundering activity; however, two levels of risk means that we should, at a minimum, document that we validated there were no red flags. We refer to this as "risk layering," where two or more inherent risks exist in a file. 

• Higher risk components - Company-wide
• Geography
• Business model -
• delegated, non-delegated, 
• retail/wholesale, etc. 
• Origination strategy - 
• direct/indirect
• relationship/transactional
• Higher risk components - Loan Level
• Loan Type
• Gift Letter
• ALT/Non-QM
• Investment
• Borrower Type
• Self-employed
• Real Estate
• Medical
• Cash Business

This allows us to have a methodical elevation of the review of the file. 

We do this because things that don't matter to the underwriter from an approval perspective (the loan meets guidelines) often matter for detecting and reviewing red flags. In our business, we review files for these elements, and it always surprises us how often these are overlooked. Examples include:

Deposits not needed for down payment or closing costs - the underwriter isn't concerned about whether a borrower has a $100,000 CD in one bank if he has the $20,000 he needs for closing seasoned in another account. The money has been there forever, and the account doesn't move. But does it make sense that someone who makes $60,000 a year has $100,000 stashed in an account they don't touch? Especially when they have a lot of debt? No, it doesn't. That's a SAR.

Income and Expenses from a side business - the underwriter doesn't include the borrower's side business which involves cash in the computation. He or she has enough income to qualify for the loan. The side job (documented by frequent small dollar cash deposits) is a compensating factor, and the borrower didn't need to provide tax returns because she was on salary. That makes perfect sense, except that if there is more than $5,000 of this kind of activity in the loan file (e.g., 2 months' bank statements), then that triggers a SAR report for "smurfing."

• Focus on engagements/applications/rate quotes/pre-quals which do not complete
• The greatest risk lies in loans or prospects not reviewed by underwriting/credit.

North Carolina Mortgage Licensing and Examinations - What have we learned?

It should surprise no one that NCCOB - the nation's FIRST state regulator to initiate anti-predatory lending laws, and one of the first to initiate robust pre-licensing training, AND was a leader in pre-Dodd-Frank regulation - has now taken the flag as one of the most detail-oriented examiners. 

Expect an initial examination within the first 12 months of licensing. Existing licensees who have never been examined should expect one, and this normally coincides with a complaint or other inconsistency.

For those licensed in the state, NCCOB (North Carolina Commissioner of Banks) has clearly and transparently posted its expectations. Yet over and over we see brokers and lenders alike responding with surprise to examination findings and questionnaires. When we review the findings to help licensees comply we aren't surprised, just a little disappointed at what some might call willful blindness.

We have a great deal of respect for the rational approach that the regulator has taken. Nothing in the findings represent anything that brokers or lenders shouldn't be responsible for. If anything, our concern is that these problems exist elsewhere and propagate because of a lack of oversight.

Broker Fee Agreements

It's illegal to collect a fee without the customer's explicit agreement. These files show missing or incorrect broker fee agreements, or incorrectly completed lender financing agreements. The common response or argument is that the LE or CD provides the customer's tacit agreement. However, it's usually too late at that point; the information on the LE/CD should come from the financing or broker agreement.

For our customers, we devote a section of our quality control plan for correct completion and retention of financing or fee agreements.

BSA/Anti-Money Laundering Plans

We sell both stand-alone anti-money laundering plans, or better yet, QC (Quality Control) plans that identify the full set of FinCEN (FINancial Crimes Enforcement Network) identified Red Flags. Our BSA/AML (Bank Secrecy Act/Anti-Money Laundering) plans use these to identify potential SARs (Suspicious Activity Reports) for reporting.

Most people don't read them.

Otherwise, they would know that they include:

• A SAR Reporting Workflow
• A Compliance Officer (You have to put the person's name where it says "Insert Compliance Officer here")
• Initial and Periodic Training (We give this away here, or provide a checklist to ensure you have taken AML specific training as part of your Continuing Education)
• Both FinCEN and Industry Specific Red Flags

When we see a finding related to "deficient AML plans" these all fall under that category.

Missing Documents in Audit Files

Inexcusably, many files reflect missing exhibits or data reflected in reporting doesn't match loan files. THIS IS JOB ONE of a quality control plan! Time spent retrieving documents from investors, closing agents or even borrowers represents lost loan production time; wouldn't you rather spend time originating than chasing old loan file exhibits? 

This is the reason our QC Plan has a closed loan checklist. Click to download NCCOB's version here. We find it interesting that the checklist they provide bears some resemblance to the one in your plan:

1099's - Beware EVERYONE

We recently wrote an article on 1099 compensation of originators. NCCOB takes the position that originators are employees. Unless you follow the recommendations in our article, expect an issue with 1099 payments. Further, BRANCH MANAGERS ARE EMPLOYEES by definition; you can't be a contract manager. No Branch Manager 1099s. Also, you can't have branches in homes.

Contract Processors and other unlicensed entities

As above, compensating 3rd parties for work normally done by employees, such as processing, should automatically prompt you to require licensing of that individual or service.

State Examinations - AML/BSA Compliance - Self-Audit Checklist to Ensure Compliance

The Anti-Money Laundering rule (AML) implemented by the Bank Secrecy Act (BSA) creates many questions for lenders and brokers. We know that state examiners focus on a number of specific issues. A recent spate of calls reveals that New York, Indiana, Texas and Pennsylvania have questionnaires and examiners that ask pointed questions about the AML/BSA compliance program for mortgage originators.  To ensure that you are hitting all of the requirements we have compiled a self-audit checklist for you to use to evaluate and collect data.  You should run through this checklist annually.

Use the BSA/AML Self-Audit Checklist for mortgage originators, to ensure you keep all of the information needed for an examination.  Members may download the original form for customization from http://www.mortgagepolicymanual.com/updates-and-downloads.html or mortgagemanuals.com/updatesanddownloads.htm

Compliance Officer Training

New York's examination findings sometimes cite a recommendation for the compliance officer to have training.  The FinCEN rule requires training, but does not say that it must come from a certified 3rd party.  FinCEN offers training on its website, and many compliance providers provide training for a fee. Familiarity with the rule - actually reading your policy - also counts as training.

Here is a video that instructs the Compliance Officer how to register for the FinCEN portal to report SARs

Quality Control and AML

We do not recommend that firms maintain a separate Anti-Money Laundering Plan, but rather that they integrate the AML process with their Quality Control function.  After all, FinCEN wrote the AML rule as a fraud detection/reporting requirement, and that is exactly what the quality control plan should do.  As a consequence, make sure your quality control plan has a robust red flag feature.

Register for the Portal

Your plan loses credibility if your compliance officer isn't even registered with the FinCEN portal.  It implies that you have no intention of participating in the program.  This simple fix will eliminate many citations.

State Examinations - AML/BSA Compliance - Self-Audit Checklist to Ensure Compliance

We know that state examiners focus on a number of specific issues. A recent spate of calls reveals that New York, Indiana, Texas and Pennsylvania have questionnaires and examiners that ask pointed questions about the AML/BSA compliance program for mortgage originators.  To ensure that you are hitting all of the requirements we have compiled a self-audit checklist for you to use to evaluate and collect data.  You should run through this checklist annually.

Use the BSA/AML Self-Audit Checklist for mortgage originators, to ensure you keep all of the information needed for an examination.  Members may download the original form for customization from http://www.mortgagepolicymanual.com/updates-and-downloads.html or mortgagemanuals.com/updatesanddownloads.htm

Compliance Officer Training

New York's examination findings sometimes cite a recommendation for the compliance officer to have training.  The FinCEN rule requires training, but does not say that it must come from a certified 3rd party.  FinCEN offers training on its website, and many compliance providers provide training for a fee. Familiarity with the rule - actually reading your policy - also counts as training.

Quality Control and AML

We do not recommend that firms maintain a separate Anti-Money Laundering Plan, but rather that they integrate the AML process with their Quality Control function.  After all, FinCEN wrote the AML rule as a fraud detection/reporting requirement, and that is exactly what the quality control plan should do.  As a consequence, make sure your quality control plan has a robust red flag feature.

Register for the Portal

Your plan loses credibility if your compliance officer isn't even registered with the FinCEN portal.  It implies that you have no intention of participating in the program.  This simple fix will eliminate many citations.

Updated: As AML/SAR Rule Anniversary Approaches, Little or No SAR Reporting Activity for Mortgage Brokers

Anti-Money Laundering (AML) and Suspicious Activity Reporting (SAR) for Non-Depository Mortgage Brokers and Correspondents became mandatory in August of 2012.  Two years later, we see little activity. Why?

7/18/14 Updated - New SAR Analysis from FinCEN?

It seems that FinCEN, after requiring so much input from the mortgage industry, but yet not releasing data, felt compelled to release a report.  That analysis is available here:

Click here to download FinCEN SAR Reporting Data 7/2014

Mortgage News Digest began requesting information from FinCEN's press office for statistics at the end of May.  Calls went unreturned, but this data satisfies the request.

From Mortgage News Digest June 2014 "Threats were made, and the industry scrambled to make sense of the procedures required and implement them.  Systems were automated to allow easier online reporting. Yet FinCEN still hasn't released any new data since Q2 of 2012 - almost 2 years later. How does this help us in the field?  Several calls to FinCEN went unreturned, so while there may be information in the works, we haven't seen it yet. (June 2014)

At last we have the data, but it shows anemic reporting data.  No wonder this became a low priority.

Of all product types resulting in filings, Mortgages rank #2 behind only credit cards for incidence rate.  In 2013 there were over 2500 mortgage related reports

Overall, mortgage fraud ranks behind Identity Theft and Credit Card Fraud as reported by Other Financial Institutions.  This is reflective of similar statistics by other regulated institutions, but the scale is much smaller.

Hotspots Revisited

While we knew Southern California, New York and Florida were hotspots, it may come as a surprise that Utah leads the nation in SAR reports.  Why is this?  Tribal Casinos report many transactions where chips are cashed in.  That would not be the case for the other states. 

Reviewing Closed Loans - Wrong Selection Criteria

Although the FinCEN guidelines suggest a strategy of annual audits and loan level audits, such as those conducted for quality control by most lenders, from the perspective of the initiative that spawned this requirement, the audits come too late to have any real benefit.  We have found that most mortgage brokers don't understand their role in this process.  "We haven't had any SARs!" comes the report at the audit.

These words are spoken with pride, but the revelation of NO findings may actually be a trigger for a regulator to look MORE closely, and then discover that the only loans included in the sampling are those which have already passed underwriting muster.  In today's environment brokers and small lenders alike should take the approach that the government has assigned them the role of "watchdog."  Embrace it.  File a SAR today! It's your PATRIOTic duty!

NO SAR may actually trigger an audit.  If your production staff isn't identifying red flags, you can't report.

"Don't Worry - Be SAR-ry!"

As lenders and brokers we also experience the mixed message: "Keep your customer's information private at all costs."  This trust is the foundation of our business.  "If I report this information about my customer to the Federal authorities, am I not breaching that trust? Won't it come back to me through my referral sources?" These concerns have a reasonable basis, but understand this:

1. There is no direct line from the reporting activity to the investigation and prosecution.  In fact, if it is an isolated incident, it likely will not draw attention to the authorities given the number of enforcement priorities already occupying their attention.  
2. You are not allowed to disclose the fact that a SAR is in process.  
3. Your potential criminal and legal liability for being perceived as participating or assisting in perpetrating fraud is far greater if it turns out you did not report something that later gets revealed.

July 4th - PATRIOT Act

The BSA/SAR reporting requirement is based on information derived from the mandatory requirements of the PATRIOT Act (Providing Appropriate Tools Required to Intercept and Obstruct Terrorism). Your prospect may not seem to be a terrorist, but terrorist funding is commonly sourced through illegal activity like real estate investment, cash businesses, medical companies and many self-employed businessmen.  After 9-11, your company mantra - regardless of whether you are a one-man shop or a large lender - should include "If you see something, say something."

Oh, By the Way, Your Annual AML Audit Deadline is Just Around the Corner

If you initiated your AML plan in August, 2012 with everyone else who became subject to the FinCEN rule at that time, you were required to review your AML procedures annually.  Your audit would be due in August. Let us help you with that.  Call or e-mail today.

You can also receive a free, simple self-audit checklist by requesting it here:

A Wave of Compliance Manager Duties Crashing Down On You?

Compliance Manager - Mission Impossible?

Of all of the groups benefiting from the wave of regulation, one has created the hottest job in the industry today -  the "Compliance Manager."  If you wear the "Compliance Hat" you know that this is just the industry looking for another panacea - a silver bullet to manage the seemingly overwhelming task of keeping up with the rules and regs tsunami.  If you are a company owner or manager, you WANT a silver bullet (if not to just shoot yourself with!)

Reading the job descriptions in association with the Compliance Manager job posting, you would think the job is kind of amorphous; alot of "and other duties as may be assigned in order to comply with regulations..", or "and other regulatory requirements..." To me that is an anathema to the position.  We want to be as specific as possible about the job duties.  We need to specify WHAT that individual needs to do AND when.

A Simple and Practical Approach

What are the duties of the Compliance Manager?  This rubric attempts to manage the responsibilities in a finite way. Click here to add comments and suggestions to the sheet. 

We have seen a substantial growth in "Compliance Management Software", too.  This is a reaction to that same search for panacea.  Even with automation of data management, audit and reporting there still must be someone to parse the data and verify its timing and accuracy.

Since it's the human process that makes the program effective, we have upgraded our compliance manager position description to include these elements.  This also ties in with all of the requirements of the CFPB audit guidance, so that if you are anticipating a CFPB examination ensuring you have implemented.  If you are a subscriber to the updates you can get them on our Document Management Website.

AML/SAR Updates now available

AML/SAR Policy and Procedures

We have posted a draft AML/SARs policy to be included in your policies and procedures.  It cover the enhanced file review for money-laundering, self-employed businesses and the SAR reporting matrix and procedure.  Remember that our procedures already covered reviewing for fraud - this expands that review to cover the new mandate.  


Go to Mortgage Manuals Download Site to check your subscription status and download the policy. 


We have provided an update to the Quality Control Plan which addresses enhanced guidance for review of deposits and self-employed borrowers in money businesses, and provides the reporting procedures for ALL suspicious activity. 

Fraud Red Flags

It is important to note that the mortgage industry already reviews for Fraud Red Flags, and if you are a Mortgage Manuals customer, you have 95% of this in place.  This update enhances guidance for reviewing deposit Red Flags (by adding several items to the production quality control checklist).  It enhances the review of Self-Employed borrowers for transactions and structures that lend themselves to Money Laundering. 

SAR Procedures

Non-currency businesses were not previously required to report. This policy updates the QC plan by memorializing

• The process for identifying Reportable Events

• The process for reporting SARs

• Using FINCEN Reports in your own reporting

Training Programs

We were developing an AML SAR Reporting Training Program, until we realized that many of our customers already have this in place, either through the Bank AML procedures or through Continuing Education programs.  If you require a generic AML Program, please do not hesitate to contact us directly at 202-550-5626.