According to the ACAMS CAMS Study Guide, 6th Edition, Chapter 4, Section 4.2, the AML Specialist at a bank should take the following actions upon receiving a confidential alert from law enforcement about suspected money launderers:
Involve the bank’s legal and compliance function to address the gravity of the matter and ensure that the bank’s response is appropriate and lawful. The legal and compliance function can also advise on the bank’s obligations and rights under the relevant laws and regulations, such as the General Data Protection Regulation (GDPR), the Bank Secrecy Act (BSA), and the USA PATRIOT Act.
Perform a search on the bank’s client data platform to determine if the bank has had any business with the named individuals or any related parties. The search should include current and past accounts, transactions, wire transfers, and other relevant records. The AML Specialist should also review any existing customer due diligence (CDD) and enhanced due diligence (EDD) information on the potential suspects and update them as necessary.
The other options are not recommended or required actions for the AML Specialist at a bank in this scenario:
Sending out an email to all of the bank’s client advisors to request information on any of the individuals could compromise the confidentiality of the alert and expose the bank to legal and reputational risks. It could also alert the suspects or their associates and hinder the law enforcement investigation.
Reporting findings back to law enforcement only if they are of any significance is not sufficient or compliant with the bank’s obligations to cooperate with law enforcement and report any suspicious activity. The AML Specialist should report any relevant information or findings to law enforcement as soon as possible, regardless of their significance, and follow the established procedures and protocols for information sharing and reporting.
Responding to law enforcement that their request without a judicial order would breach the bank’s GDPR duty with respect to its clients is not accurate or helpful. The GDPR does not prohibit the bank from sharing personal data with law enforcement for the purposes of preventing, detecting, or investigating money laundering or other criminal activities, as long as the bank has a legal basis and safeguards for doing so. The bank should consult with its legal and compliance function to determine the best way to respond to the law enforcement request and balance its GDPR obligations with its anti-money laundering (AML) duties.
[References:, ACAMS CAMS Study Guide, 6th Edition, Chapter 4, Section 4.2, General Data Protection Regulation (GDPR), Bank Secrecy Act (BSA), USA PATRIOT Act, , , ]
Submit