This repository has been archived by the owner on Nov 16, 2022. It is now read-only.

establish a proper AML program #119

Closed
chadwhitacre opened this issue Dec 29, 2014 · 77 comments

@chadwhitacre
Contributor

To date, we've drafted off of Balanced for compliance with AML regulations. Now that they're going out of business, we may need to take more control of our processing infrastructure (gratipay/gratipay.com#67), and that means owning AML compliance. Getting turned down by Payoneer (gratipay/gratipay.com#481) and Transpay (gratipay/gratipay.com#417)—update: and Citizens (gratipay/gratipay.com#3366)—indicates that we're not yet mature enough in this area. What are we lacking?

Transpay provided some guidance at gratipay/gratipay.com#417 (comment). Then, over at #118 (comment), I discovered this PDF. I think mostly we need to collect better identity information for our users. Yes?

@chrisdev

@whit537 is this not mainly a balancedpayment responsibility?
They are the ones who enforce Know Your Customer https://support.balancedpayments.com/hc/en-us/articles/201836340-What-is-Merchant-underwriting-or-KYC-
They have the marketplace agreement https://www.balancedpayments.com/terms/marketplaceagreement.

We should try to be helpful to Balanced, but they are the ones who are PCI compliant.
Also, I'm not saying that we can't enforce some of our own moral rules above what Balanced requires. To a certain extent it's in Gratipay's best interest, as our due diligence efforts may eventually result in lower CC charge-backs.
However, maybe we should at this stage adopt a more passive mode when it comes to these issues.
KYC is the fundamental building block of AML compliance, but this thing can quickly become a burden to all concerned. For example, banks in T&T now have to capture if the customer is either a Politician/Judicial/Police or Government official or is a "close" relative of such an individual as part of their KYC obligations.
In a small country this is having wide-reaching impact with lots of unintended consequences.

@chadwhitacre
Contributor Author

This is probably a subset of #122.

@chadwhitacre
Contributor Author

Ticket description updated. Previously:

Reticketed from #180

digest this:

"International Standards on Combating Money Laundering and the Financing of Terrorism & Proliferation"
http://www.fatf-gafi.org/media/fatf/documents/recommendations/pdfs/FATF_Recommendations.pdf

@chadwhitacre
Contributor Author

FINRA provides a template for small firms (Word format 164 KB) to assist them in fulfilling their responsibilities to establish the AML compliance program required by the Bank Secrecy Act and its implementing regulations and FINRA Rule 3310. The template provides text examples, instructions, relevant rules and Web sites and other resources that are useful for developing an AML plan for a small firm.

http://www.finra.org/industry/anti-money-laundering-template-small-firms

@chadwhitacre
Contributor Author

[T]he Financial Industry Regulatory Authority, Inc. (FINRA) is a private corporation that acts as a self-regulatory organization (SRO).

http://en.wikipedia.org/wiki/Financial_Industry_Regulatory_Authority

@chadwhitacre
Contributor Author

An anti-money laundering (AML) program is a set of procedures designed to guard against someone using the firm to facilitate money laundering or terrorist financing. The main components that must be included are: 1) internal policies, procedures, and controls reasonably designed to assure compliance with the Bank Secrecy Act and implementing regulations; 2) appointment of a designated compliance officer to oversee the program's day-to-day operations; 3) an ongoing training program; and 4) an independent audit.

https://www.nfa.futures.org/NFA-faqs/compliance-faqs/anti-money-laundering/

@chadwhitacre changed the title from "better understand our obligations wrt AML/CFT" to "write an AML policy" on May 28, 2015
@chadwhitacre
Contributor Author

Just got off the horn with @clone1018. He's going to take a first pass at this tonight. The task is to skim the FATF recommendations (130 pp.), and then write an AML program for Gratipay, starting with FINRA's template (51 pp.).

@clone1018 I sent you an invite to edit this doc:

Gratipay AML Program

Here's a clean copy of the template for reference:

AML Program Template

@chadwhitacre
Contributor Author

!m @clone1018

@chadwhitacre changed the title from "write an AML policy" to "establish a proper AML program" on May 28, 2015
@clone1018
Contributor

I took a first look tonight, only got about halfway done. I have the document downloaded and I'll be doing more tomorrow morning. This will be at least a weekend project.


@chadwhitacre
Contributor Author

!m @clone1018

By "the document" you mean FATF, yes?

@clone1018
Contributor

Yeah, 2/3 done reading it now. It seems more geared to countries implementing their own FATF programs but there's tons of nuggets of information I'm noting down.

@chadwhitacre
Contributor Author

Had a call with @clone1018; he's going to post some notes he's been taking on FATF. I'm going to try to put something together quickly for Citizens (gratipay/gratipay.com#3366) that captures our current state as well as where we're headed with this ticket.

@clone1018
Contributor

Posted at: gratipay/gratipay.com#3366 (comment) before I saw this :)

@chadwhitacre
Contributor Author

From @clone1018 at gratipay/gratipay.com#3366 (comment):

Couple of important notes from: http://www.fatf-gafi.org/media/fatf/documents/recommendations/pdfs/FATF_Recommendations.pdf

P#14D10: No anonymous accounts or fake names? May not apply.

P#63H15: Enhanced CDD measures for "high risk", mentions geographic risk factors?

P#65H17c: countries with effective AML systems are low risk

P#65H20: Enhanced CDD measures

P#65H21: Simplified CDD measures (low risk) what we should be doing

@clone1018
Contributor

Thanks @whit537 :D

@chadwhitacre
Contributor Author

:-)

@chadwhitacre
Contributor Author

!m @clone1018

@chadwhitacre
Contributor Author

I'm drafting a "Manage Risk" howto for IG, to include a section on AML.

@chadwhitacre
Contributor Author

Context: http://www.moneylaunderingconference.com/2015/. Discovered by googling the name of the SVP for AML and Sanctions Compliance at Citizens, who didn't personally sign the letter we received from them on gratipay/gratipay.com#3366. ;-)

@chadwhitacre
Contributor Author

My favorite part of the René Bruelhart video was his answer at about 29:30 to the question, "What have you learned? What is the template for turning around these troubled situations?" tl;dr—(1) What are the real issues? Don't rush. (2) Who are your partners? Bring them in. (3) Really go for it.

First, sit back, and think about, "What are we talking about? What are the real issues here?" Don't try to make a quick fix. Sometimes it's appropriate, but, most often—especially when you have, let's say, more fundamental issues—sit back. "What are we talking about?"

And, then, who are your partners? Who are the players involved? Which are the different relevant factors you have to respect? Because quite often you're just looking to your department. You do that the whole day. You don't even know what is going on outside of the door or somewhere else within the bank or within the financial institution. So, what are the factors of a success story? What are the players you have to bring in? And then, bring them in. Because once you start a process, and you have the process to be changed two or three or four times, you will fail.

So, it's better to invest a little bit more time to set up a proper process, to really pave the path forward, and then to go for it. And there are always hurdles coming. But if you're convinced, go for it. Really go for it. And don't go into too many compromises there, because, again, if you're gonna change your game plan, you're gonna lose.

@mattbk
Contributor

mattbk commented Sep 20, 2015

Just to keep on top of this because it's blocking gratipay/gratipay.com/issues/3671, what are the next steps?

@chadwhitacre
Contributor Author

Next step is building a vault, so we can store personally identifying information, so we can verify identity.

@webmaven

@whit537 Do you actually have to build a vault? Isn't there some sort of document vault-as-a-service or open source app you could use?

@chadwhitacre
Contributor Author

@webmaven Check out gratipay/gratipay.com#3504, some options surfaced on there.
