Skip to content
This repository has been archived by the owner on Nov 16, 2022. It is now read-only.

establish a proper AML program #119

Closed
chadwhitacre opened this issue Dec 29, 2014 · 77 comments
Closed

establish a proper AML program #119

chadwhitacre opened this issue Dec 29, 2014 · 77 comments

Comments

@chadwhitacre
Copy link
Contributor

To date, we've drafted off of Balanced for compliance with AML regulations. Now that they're going out of business, we may need to take more control of our processing infrastructure (gratipay/gratipay.com#67), and that means owning AML compliance. Getting turned down by Payoneer (gratipay/gratipay.com#481) and Transpay (gratipay/gratipay.com#417) —update: and Citizens (gratipay/gratipay.com#3366) —indicates that we're not yet mature enough in this area. What are we lacking?

Transpay provided some guidance at gratipay/gratipay.com#417 (comment). Then, over at #118 (comment), I discovered this PDF. I think mostly we need to collect better identity information for our users. Yes?

@chrisdev
Copy link

@whit537 is this not mainly a balancedpayment responsibility?
They are the one who enforce Know Your Customer https://support.balancedpayments.com/hc/en-us/articles/201836340-What-is-Merchant-underwriting-or-KYC-
They have the market place agreement https://www.balancedpayments.com/terms/marketplaceagreement.

We should try to be helpful to Balanced, but they are the ones who are PCI compliant.
Also I'm not saying that we can't enforce some of our own moral rules above what Balanced requires. To a certain extent Its in gratipay's best interest as our due diligence efforts may eventually result In lower CC charge-backs.
However, maybe we should at this stage adapt a more passive mode when it comes to these issues.
KYC is the fundamental building block of AML compliance but this thing can quickly become a burden to all concerned. For example, Banks in T&T now have to capture if the customer is either a Politician/Judicial/Police or Government official or is a "close" relative of such individual as part of their KYC obligations?
In a small country this is having wide reaching impact with lots of unintended consequences

@chadwhitacre
Copy link
Contributor Author

This is probably a subset of #122.

@chadwhitacre
Copy link
Contributor Author

Ticket description updated. Previously:

Reticketed from #180

digest this:

"International Standards on Combating Money Laundering and the Financing of Terrorism & Proliferation"
http://www.fatf-gafi.org/media/fatf/documents/recommendations/pdfs/FATF_Recommendations.pdf

@chadwhitacre
Copy link
Contributor Author

FINRA provides a template for small firms (Word format 164 KB) to assist them in fulfilling their responsibilities to establish the AML compliance program required by the Bank Secrecy Act and its implementing regulations and FINRA Rule 3310. The template provides text examples, instructions, relevant rules and Web sites and other resources that are useful for developing an AML plan for a small firm.

http://www.finra.org/industry/anti-money-laundering-template-small-firms

@chadwhitacre
Copy link
Contributor Author

[T]he Financial Industry Regulatory Authority, Inc. (FINRA) is a private corporation that acts as a self-regulatory organization (SRO).

http://en.wikipedia.org/wiki/Financial_Industry_Regulatory_Authority

@chadwhitacre
Copy link
Contributor Author

An anti-money laundering (AML) program is a set of procedures designed to guard against someone using the firm to facilitate money laundering or terrorist financing. The main components that must be included are: 1) internal policies, procedures, and controls reasonably designed to assure compliance with the Bank Secrecy Act and implementing regulations; 2) appointment of a designated compliance officer to oversee the program's day-to-day operations; 3) an ongoing training program; and 4) an independent audit.

https://www.nfa.futures.org/NFA-faqs/compliance-faqs/anti-money-laundering/

@chadwhitacre chadwhitacre changed the title better understand our obligations wrt AML/CFT write an AML policy May 28, 2015
@chadwhitacre
Copy link
Contributor Author

@chadwhitacre
Copy link
Contributor Author

Just got off the horn with @clone1018. He's going to take a first pass at this tonight. The task is to skim the FATF recommendations (130 pp.), and then write an AML program for Gratipay, starting with FINRA's template (51 pp.).

@clone1018 I sent you an invite to edit this doc:

Gratipay AML Program

Here's a clean copy of the template for reference:

AML Program Template

@chadwhitacre
Copy link
Contributor Author

!m @clone1018

@chadwhitacre chadwhitacre changed the title write an AML policy establish a proper AML program May 28, 2015
@clone1018
Copy link
Contributor

I took a first look tonight, only got about half way done. I have the
document downloaded and I'll be doing more tomorrow morning. This will be
at least a weekend project.

On Thu, May 28, 2015 at 3:17 PM Chad Whitacre [email protected]
wrote:

!m @clone1018 https://github.com/clone1018


Reply to this email directly or view it on GitHub
#119 (comment)
.

@chadwhitacre
Copy link
Contributor Author

!m @clone1018

By "the document" you mean FATF, yes?

@clone1018
Copy link
Contributor

Yeah, 2/3 done reading it now. It seems more geared to countries implementing their own FAFT programs but there's tons of nuggets of information I'm noting down.

@chadwhitacre
Copy link
Contributor Author

Had a call with @clone1018, he's going to post some notes he's been taking on FAFT. I'm going to try to put something together quickly for Citizens (gratipay/gratipay.com#3366) that captures our current state as well as where we're headed with this ticket.

@clone1018
Copy link
Contributor

Posted at: gratipay/gratipay.com#3366 (comment) before I saw this :)

@chadwhitacre
Copy link
Contributor Author

From @clone1018 at gratipay/gratipay.com#3366 (comment):

Couple of important notes from: http://www.fatf-gafi.org/media/fatf/documents/recommendations/pdfs/FATF_Recommendations.pdf

P#14D10: No anonymous accounts or fake names? May not apply.

P#63H15: Enhanced CDD measures for "high risk", mentions geographic risk factors?

P#65H17c: countries with effective AML systems are low risk

P#65H20: Enhanced CDD measures

P#65H21: Simplified CDD measures (low risk) what we should be doing

@clone1018
Copy link
Contributor

Thanks @whit537 :D

@chadwhitacre
Copy link
Contributor Author

:-)

@chadwhitacre
Copy link
Contributor Author

!m @clone1018

@chadwhitacre
Copy link
Contributor Author

I'm drafting a "Manage Risk" howto for IG, to include a section on AML.

@chadwhitacre
Copy link
Contributor Author

@chadwhitacre
Copy link
Contributor Author

Context: http://www.moneylaunderingconference.com/2015/. Discovered by googling the name of the SVP for AML and Sanctions Compliance at Citizens, who didn't personally sign the letter we received from them on gratipay/gratipay.com#3366. ;-)

@chadwhitacre
Copy link
Contributor Author

My favorite part of the René Bruelhart video was his answer at about 29:30 to the question, "What have you learned? What is the template for turning around these troubled situations?" tl;dr—(1) What are the real issues? Don't rush. (2) Who are your partners? Bring them in. (3) Really go for it.

First, sit back, and think about, "What are we talking about? What are the real issues here?" Don't try to make a quick fix. Sometimes it's appropriate, but, most often—especially when you have, let's say, more fundamental issues—sit back. "What are we talking about?"

And, then, who are your partners? Who are the players involved? Which are the different relevant factors you have to respect? Because quite often you're just looking to your department. You do that the whole day. You don't even know what is going on outside of the door or somewhere else within the bank or within the financial institution. So, what are the factors of a success story? What are the players you have to bring in? And then, bring them in. Because once you start a process, and you have the process to be changed two or three or four times, you will fail.

So, it's better to invest a little bit more time to set up a proper process, to really pave the path forward, and then to go for it. And there are always hurdles coming. But if you're convinced, go for it. Really go for it. And don't go into too many compromises there, because, again, if you're gonna change your game plan, you're gonna lose.

@mattbk
Copy link
Contributor

mattbk commented Sep 20, 2015

Just to keep on top of this because it's blocking gratipay/gratipay.com/issues/3671, what are the next steps?

@chadwhitacre
Copy link
Contributor Author

Next step is building a vault, so we can store personally identifying information, so we can verify identity.

@webmaven
Copy link

@whit537 Do you actually have to build a vault? Isn't there some sort of document vault-as-a-service or open source app you could use?

@chadwhitacre
Copy link
Contributor Author

@webmaven Check out gratipay/gratipay.com#3504, some options surfaced on there.

Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Projects
None yet
Development

No branches or pull requests

6 participants
@chadwhitacre @clone1018 @webmaven @chrisdev @mattbk and others