
Chapter 3: Legislative Examples of Anti-Money Laundering and Counter-Terrorist Financing

Section 1: New Trends in U.S. Supervision of Anti-Money Laundering and Counter-Terrorist Financing

National Chengchi University


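The United States supervises banks under a dual system: a bank must comply with both federal law and the law of each state. At the federal level, banks must chiefly comply with the Bank Secrecy Act of 1970 (BSA), the Money Laundering Control Act of 1986, the PATRIOT Act of 2001[73], and the Foreign Account Tax Compliance Act (FATCA). The rules of the Financial Crimes Enforcement Network (FinCEN) and the Bank Secrecy Act/Anti-Money Laundering Examination Manual issued by the Federal Financial Institutions Examination Council are likewise rules that banks must follow. At the state level, examples include New York State's recently issued cybersecurity regulation (part500) and its transaction monitoring and filtering program rule (part504); requirements also differ according to the supervisory intensity each state's regulator demands. Because Taiwan's Mega International Commercial Bank was fined US$180 million by the New York State Department of Financial Services, and so that other banks can learn from the Mega case and understand New York State's supervisory attitude, this thesis introduces only New York State's supervisory attitude and its recent part504 rule relating to anti-money laundering.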

Subsection 1: Enforcement Direction of the New York State Department of Financial Services toward Foreign Banks

Item 1: Supervisory Direction of the New York State Department of Financial Services

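In 2011 the New York State government merged two of its agencies, the Banking Department and the Insurance Department, to form the New York State Department of Financial Services, and positioned it as a regulator that may exercise its authority on its own initiative. In 2013, with regard to the Department's enforcement framework, its newly added statutory authority, and its enforcement direction, foreign banks needed to pay attention to the Department's regulatory mandate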

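[73] "Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism Act of 2001," which in Chinese means "a law to unite and strengthen America by using appropriate means to stop or avoid terrorism." It is abbreviated "USA PATRIOT Act," and "patriot" is rendered in Chinese as 愛國者.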

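Lawsky)'s policy statements, the Department's high-profile conduct between 2011 and 2013, and the fact that many of the Department's senior officials had previously served in the New York Office of the Attorney General (OAG). The New York State Department of Financial Services is therefore an aggressive financial regulator[75].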

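Between 2011 and 2015, the New York State Department of Financial Services (NYDFS) collected a total of 6 billion … Lawsky's directive on "new and creative corporate penalties"[77], revoking the licences of two consulting firms that do business with financial institutions regulated by the Department, in one case for as long as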

[75] Debevoise & Plimpton (D&P), Client Update (June 16, 2016), The Outlook in Enforcement Actions against Foreign Banks at the New NYDFS. See http://www.debevoise.com/~/media/files/insights/publications/2016/06/20160616c_the_outlook_in_enforcement_actions_against_foreign_banks_at_the_new_nydfs.pdf (visited March 5, 2017).

[76] Greg Farrell, Vullo Nomination Signals Shift at N.Y. Dept. of Financial Services, BLOOMBERG NEWS, Jan. 25, 2016. See http://www.insurancejournal.com/news/east/2016/01/25/396152.htm (visited March 5, 2017).

[77] Remarks of Superintendent Benjamin M. Lawsky on Fin. Regulatory Enforcement at the Exchequer Club, Washington, D.C. (Mar. 19, 2014). See note 2 of the source cited in note 75 above.

[78] See Karen Freifeld & Aruna Viswanatha, Cuomo Intervened in BNP Deal to get $1 Billion More for NY State Fund, REUTERS, July 30, 2014. See


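NYDFS has also substantially revised its regulations and examination standards to demonstrate its resolve for reform. In 2014, to bring financial-industry cybersecurity into that reform, it added several cybersecurity questions to its examination process. Under the new questions, a financial institution must give examiners the following information: (1) details of the security officers the institution employs; (2) the institution's background due-diligence process for selecting third-party service providers; (3) any material changes to the institution's IT portfolio in the past 24 months, along with a number of other topics. These are all new issues that institutions face under the added cybersecurity examination. The trouble, however, is that the Department has substantially lengthened the examination process and duration for the larger foreign banks operating in New York City. In addition, in 2015 NYDFS announced new rules for a bank transaction monitoring and filtering program, requiring all banks licensed and registered under the New York Banking Law to establish anti-money-laundering transaction monitoring procedures and watch-list filtering procedures in order to meet compliance requirements, and requiring banks to submit an annual certification confirming that their compliance procedures meet the requirements of law and regulation. Under the new rules, if the annual certification an institution submits is in any way "incorrect or false," the institution's compliance officer even bears criminal liability[79], which reflects the Department's inclination to push individual accountability for banks' BSA/AML compliance.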

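In sum, the New York State Department of Financial Services conducts compliance examinations of regulated financial institutions under the Bank Secrecy Act/anti-money-laundering laws and under the federal economic and trade sanctions administered by the Office of Foreign Assets Control. Its investigations found that regulated institutions had numerous deficiencies in their transaction monitoring and filtering programs, owing to problems such as unsound governance mechanisms, weak oversight, and unclear accountability among senior management. The Department considered it necessary to further clarify the requirements for transaction monitoring and filtering programs. It also requires the board of directors or senior officers of each regulated institution, starting April 15, 2018 (ROC year 107), to submit each year to the financial regulator a board resolution or compliance review report that conforms to this Part, confirming that they have followed the steps set out in section 3 of New York's Part 504 to meet the requirements of this Part.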

http://www.reuters.com/article/us-bnp-cuomo-exclusive-idUSKBN0FZ2L720140731 (visited March 5, 2017).

[79] See NYDFS Proposed Part 504 of the Superintendent's Regulations (Banking Division Transaction Monitoring and Filtering Program Requirements and Certifications), December 01, 2015, http://www.dfs.ny.gov/legal/regulations/emergency/banking/part504_txt.pdf, which expressly provides that an incorrect or false certification carries criminal liability ("A Certifying Senior Officer who files an incorrect or false Annual Certification also may be subject to criminal penalties for such filing."), visited April 3, 2017.

Using cover payments or other procedures through SWIFT on behalf of countries under economic sanctions, such as 蘇

CCO (Chief Compliance Officer) 提

2.15

[81] See note 28 above: DFS's investigation of Intesa's New York branch uncovered AML/BSA violations.


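a lawyer with any compliance background serving at the same time as the Moscow branch's head of compliance, head of legal, and head of anti-money laundering[82]

Source: compiled by the author of this thesis.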

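Subsection 2: Requirements of the New York State Department of Financial Services for Bank Transaction Monitoring and Filtering Programs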

Item 1: Background and Legal Basis

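The New York State Department of Financial Services (DFS) has recently carried out compliance examinations of several regulated institutions to confirm that they comply with the Bank Secrecy Act/anti-money-laundering laws (BSA/AML) and with the federal economic and trade sanctions administered by the Treasury Department's Office of Foreign Assets Control (OFAC). From the results of those examinations, DFS identified deficiencies in these institutions' transaction monitoring and filtering programs, arising mainly from the lack of a sound governance framework, oversight, and senior-management accountability. On the basis of its experience and its regular safety examinations, DFS is convinced that financial institutions have shortcomings in their transaction monitoring and filtering programs. Accordingly, under section 37(3) and (4) of the U.S. Banking Law and section 302 of the Financial Services Law, it issued Part 504 of the Department's regulations, the final rule on transaction monitoring and filtering programs (Banking Division Transaction Monitoring and Filtering Program Requirements and Certifications, hereinafter Part504[83]). The rule sets out the attributes a transaction monitoring and filtering program should have, and requires the board of directors or senior officers of each regulated institution to submit to the regulator each year a board resolution or a compliance statement as defined in this Part, as an undertaking and proof that the institution has in fact implemented compliance in accordance with this Part. To strengthen banks' implementation of anti-money laundering, Taiwan's Financial Supervisory Commission specifically forwarded the final rule on anti-money-laundering transaction monitoring and filtering programs recently issued by the New York State Department of Financial Services, the Department's new supervisory thinking toward foreign banks, and 網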

[82] See note 30 above: DFS's investigation uncovered violations.

[83] See NYDFS Proposed Part 504 of the Superintendent's Regulations (Banking Division Transaction Monitoring and Filtering Program Requirements and Certifications), December 01, 2015, http://www.dfs.ny.gov/legal/regulations/emergency/banking/part504_txt.pdf

[85] DFS ISSUES FINAL ANTI-TERRORISM TRANSACTION MONITORING AND FILTERING PROGRAM REGULATION (The final regulation). See Department of Financial Services Press Release, June 30, 2016, http://www.dfs.ny.gov/about/press/pr1606301.htm, visited April 3, 2017.

[86] See note 85 above, Part 504.3(a), Transaction Monitoring and Filtering Program requirements.

(a) Each regulated institution shall maintain a Transaction Monitoring Program reasonably designed for the purpose of monitoring transactions after their execution for potential BSA/AML violations and suspicious activity reporting, which system may be manual or automated, and which shall include the following attributes, to the extent they are applicable:

(1) be based on the risk assessment of the institution;

(2) be reviewed and periodically updated at risk-based intervals to take into account and reflect changes to applicable BSA/AML laws, regulations and regulatory warnings, as well as any other information determined by the institution to be relevant from the institution’s related programs and initiatives;

(3) appropriately match BSA/AML risks to the institution’s businesses, products, services, and customers/counterparties;

(4) BSA/AML detection scenarios with threshold values and amounts designed to detect potential money laundering or other suspicious or illegal activities;

(5) end-to-end, pre-and post-implementation testing of the Transaction Monitoring Program, including, as relevant, a review of governance, data mapping, transaction coding, detection scenario logic, model validation, data input and program output;

(6) documentation that articulates the institution’s current detection scenarios and the underlying assumptions, parameters, and thresholds;

(7) protocols setting forth how alerts generated by the Transaction Monitoring Program will be investigated, the process for deciding which alerts will result in a filing or other action, the operating areas and individuals responsible for making such a decision, and how the investigative and decision-making process will be documented; and

(8) be subject to an on-going analysis to assess the continued relevancy of the detection scenarios, the underlying rules, threshold values, parameters, and assumptions.

[87] See note 85 above, Part 504.3(b): Each regulated institution shall maintain a Filtering Program, which may be manual or automated, reasonably designed for the purpose of interdicting transactions that are prohibited by OFAC, and which shall include the following attributes, to the extent applicable:

(1) be based on the risk assessment of the institution;

(2) be based on technology, processes or tools for matching names and accounts4, in each case based on the institution’s particular risks, transaction and product profiles;

(3) end-to-end, pre- and post-implementation testing of the Filtering Program, including, as relevant, a review of data matching, an evaluation of whether the OFAC sanctions list and threshold settings map to the risks of the institution, the logic of matching technology or tools, model validation, and data input and program output;

(4) be subject to on-going analysis to assess the logic and performance of the technology or tools for matching names and accounts, as well as the OFAC sanctions list and the threshold settings to see if they continue to map to the risks of the institution; and

(5) documentation that articulates the intent and design of the Filtering Program tools, processes or

[88] See note 85 above, Part 504.3(c): Each Transaction Monitoring and Filtering Program shall require the following, to the extent applicable:

(1) identification of all data sources that contain relevant data;

(2) validation of the integrity, accuracy and quality of data to ensure that accurate and complete data flows through the Transaction Monitoring and Filtering Program;

(3) data extraction and loading processes to ensure a complete and accurate transfer of data from its source to automated monitoring and filtering systems, if automated systems are used;

(4) governance and management oversight, including policies and procedures governing changes to the Transaction Monitoring and Filtering Program to ensure that changes are defined, managed, controlled, reported, and audited;

(5) vendor selection process if a third party vendor is used to acquire, install, implement, or test the Transaction Monitoring and Filtering Program or any aspect of it;

(6) funding to design, implement and maintain a Transaction Monitoring and Filtering Program that complies with the requirements of this Part;

(7) qualified personnel or outside consultant(s) responsible for the design, planning, implementation, operation, testing, validation, and on-going analysis of the Transaction Monitoring and Filtering Program, including automated systems if applicable, as well as case management, review and decision making with respect to generated alerts and potential filings; and

(8) periodic training of all stakeholders with respect to the Transaction Monitoring and Filtering Program.


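and filtering program scanning;

(3) If automated systems are used, the data extraction and loading processes must ensure that data is transferred completely and accurately from its source to the automated monitoring and filtering systems;

(4) Governance and management oversight, including ensuring, when policies or procedures are revised, that changes relating to the transaction monitoring and filtering program are defined, managed, controlled, reported, and reviewed;

(5) If the transaction monitoring and filtering program is provided, installed, implemented, or tested by a third party, a vendor selection process must be established;

(6) Funding must be budgeted for the design, implementation, and maintenance of the transaction monitoring and filtering program, so as to comply with this Part;

(7) The design, planning, implementation, operation, testing, validation, and subsequent analysis of the transaction monitoring and filtering program must all be carried out by qualified personnel or outside consultants, including for automated systems (if applicable); the foregoing also applies to the management, review, and decision-making procedures for alerts and potential filings, which must be carried out by qualified personnel or outside consultants;

(8) Periodic training for those involved in the transaction monitoring and filtering program.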

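4. Relevant records must be retained for inspection: under Part 504.3(d)[89], where a regulated institution finds that its monitoring areas, system build, or operating processes materially need improvement, upgrading, or redesign, it shall document in writing the corresponding improvement plans or remedial measures that are planned or under way. The records shall be retained for examination by the regulator.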

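5. A compliance review report must be issued: under Part 504.4[90] and 504.6, starting April 15, 2018 (ROC year 107), every regulated institution must submit to the regulator, by April 15 of each year, a board resolution (all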
