Anti-Money Laundering (AML) Program: Compliance and Supervisory Procedures


Scratch Financial, Inc. Anti-Money Laundering (AML) Program: Compliance and Supervisory Procedures

Updated as of May, 2019

1. Firm Policy

It is the policy of the firm to prohibit and actively prevent money laundering and any activity that facilitates money laundering or the funding of terrorist or criminal activities by complying with all applicable requirements under the Bank Secrecy Act (BSA) and its implementing regulations.

Money laundering is generally defined as engaging in acts designed to conceal or disguise the true origins of criminally derived proceeds so that the proceeds appear to have derived from legitimate origins or constitute legitimate assets. Generally, money laundering occurs in three stages. Cash first enters the financial system at the "placement" stage, where the cash generated from criminal activities is converted into monetary instruments, such as money orders or traveler's checks, or deposited into accounts at financial institutions. At the "layering" stage, the funds are transferred or moved into other accounts or other financial institutions to further separate the money from its criminal origin. At the "integration" stage, the funds are reintroduced into the economy and used to purchase legitimate assets or to fund other criminal activities or legitimate businesses.

Terrorist financing may not involve the proceeds of criminal conduct, but rather an attempt to conceal either the origin of the funds or their intended use, which could be for criminal purposes. Legitimate sources of funds are a key difference between terrorist financiers and traditional criminal organizations. In addition to charitable donations, legitimate sources include foreign government sponsors, business ownership and personal employment. Although the motivation differs between traditional money launderers and terrorist financiers, the actual methods used to fund terrorist operations can be the same as or similar to methods used by other criminals to launder funds. Funding for terrorist attacks does not always require large sums of money and the associated transactions may not be complex.

Our AML policies, procedures and internal controls are designed to ensure compliance with all applicable BSA regulations and FINRA rules and will be reviewed and updated on a regular basis to ensure appropriate policies, procedures and internal controls are in place to account for both changes in regulations and changes in our business.

Rules: 31 C.F.R. § 103.120(c).

2. AML Compliance Person Designation and Duties

The firm has designated the Chief Risk Officer as its Anti-Money Laundering Program Compliance Person (AML Compliance Person), with full responsibility for the firm’s AML program. The Chief Risk Officer has a working knowledge of the BSA and its implementing regulations and is qualified by experience, knowledge and training. The duties of the AML Compliance Person will include monitoring the firm’s compliance with AML obligations and overseeing communication and training for employees. The AML Compliance Person will also ensure that the firm keeps and maintains all of the required AML records and will ensure that Suspicious Activity Reports (SAR-SFs) are filed with the Financial Crimes Enforcement Network (FinCEN) when appropriate. The AML Compliance Person is vested with full responsibility and authority to enforce the firm’s AML program.

Rules: 31 C.F.R. § 103.120; FINRA Rule 3310, NASD Rule 1160.

3. Giving AML Information to Federal Law Enforcement Agencies and Other Financial Institutions

a. FinCEN Rqueests Under USA PATRIOT Act Section 314(a)

We will respond to a Financial Crimes Enforcement Network (FinCEN) request concerning accounts and transactions (a 314(a) Request) by immediately searching our records to determine whether we maintain or have maintained any account for, or have engaged in any transaction with, each individual, entity or organization named in the 314(a) Request as outlined in the Frequently Asked Questions (FAQ) located on FinCEN’s secure Web site. We understand that we have 14 days (unless otherwise specified by FinCEN) from the transmission date of the request to respond to a 314(a) Request. Unless otherwise stated in the 314(a) Request or specified by FinCEN, we are required to search those documents outlined in FinCEN’s FAQ. If we find a match, the Chief Risk Officer will report it to FinCEN via FinCEN’s Web-based 314(a) Secure Information Sharing System within 14 days or within the time requested by FinCEN in the request. If the search parameters differ from those mentioned above (for example, if FinCEN limits the search to a geographic location), the Chief Risk Officer will structure our search accordingly.

If the Chief Risk Officer searches our records and does not find a matching account or transaction, then the Chief Risk Officer will not reply to the 314(a) Request. We will maintain documentation that we have performed the required search by maintaining a log showing the date of the request, the number of accounts searched, the name of the individual conducint the search and a notation of whether or not a match was found.

We will not disclose the fact that FinCEN has requested or obtained information from us, except to the extent necessary to comply with the information request. the Chief Risk Officer will review, maintain and implement procedures to protect the security and confidentiality of requests from FinCEN similar to those procedures established to satisfy the requirements of Section 501 of the Gramm-Leach-Bliley Act with regard to the protection of customers’ nonpublic information.

We will direct any questions we have about the 314(a) Request to the requesting federal law enforcement agency as designated in the request.

Unless otherwise stated in the 314(a) Request, we will not be required to treat the information request as continuing in nature, and we will not be required to treat the periodic 314(a) Requests as a government provided list of suspected terrorists for purposes of the customer identification and verification requirements.

Rule: 31 C.F.R. § 103.100.

b. National Security Letters

National Security Letters (NSLs) are written investigative demands that may be issued by the local Federal Bureau of Investigation and other federal government authorities conducting counterintelligence and counterterrorism investigations to obtain, among other things, financial records of broker-dealers. NSLs are highly confidential. No Scratchpay employee can disclose to any person that a government authority or the FBI has sought or obtained access to records. Scratchpay will maintain complete confidentiality regarding the NSL. If a Suspicious Activity Report (SAR-SF) is filed after receiving a NSL, the SAR-SF shall not contain any reference to the receipt or existence of the NSL.

c. Grand Jury Subpoenas

We understand that the receipt of a grand jury subpoena concerning a customer does not in itself require that we file a Suspicious Activity Report (SAR-SF). When we receive a grand jury subpoena, we will conduct a risk assessment of the customer subject to the subpoena as well as review the customer’s account activity. If we uncover suspicious activity during our risk assessment and review, we will elevate that customer’s risk assessment and file a SAR-SF in accordance with the SAR-SF filing requirements. We understand that none of our officers, employees or agents may directly or indirectly disclose to the person who is the subject of the subpoena its existence, its contents or the information we used to respond to it. To maintain the confidentiality of any grand jury subpoena we receive, we will process and maintain the subpoena by limiting its circulation to the Chief Risk Officer, COO, and CEO. If we file a SAR-SF after receiving a grand jury subpoena, the SAR-SF will not contain any reference to the receipt or existence of the subpoena. The SAR-SF will only contain detailed information about the facts and circumstances of the detected suspicious activity.

d. Voluntary Information Sharing With Other Financial Institutions Under USA PATRIOT Act Section 314(b)

We will share information with other financial institutions regarding individuals, entities, organizations and countries for purposes of identifying and, where appropriate, reporting activities that we suspect may involve possible terrorist activity or money laundering. the Chief Risk Officer will ensure that the firm files with FinCEN an initial notice before any sharing occurs and annual notices thereafter. We will use the notice form found at FinCEN’s Web site. Before we share information with another financial institution, we will take reasonable steps to verify that the other financial institution has submitted the requisite notice to FinCEN, either by obtaining confirmation from the financial institution or by consulting a list of such financial institutions that FinCEN will make available. We understand that this requirement applies even to financial institutions with which we are affiliated, and that we will obtain the requisite notices from affiliates and follow all required procedures.

We will employ strict procedures both to ensure that only relevant information is shared and to protect the security and confidentiality of this information, for example, by segregating it from the firm’s other books and records and [describe any other procedures].

We also will employ procedures to ensure that any information received from another financial institution shall not be used for any purpose other than:

  • identifying and, where appropriate, reporting on money laundering or terrorist activities;
  • determining whether to establish or maintain an account, or to engage in a transaction; or
  • assisting the financial institution in complying with performing such activities.

Rule: 31 C.F.R. § 103.110.

4. Customer Identification Program

Rule: 31 C.F.R. §103.122(a)(1)(i)(ii) and 103.122(a)(4)(i)(ii).

We have established, documented and maintained a written Customer Identification Program (CIP). We will collect certain minimum customer identification information from each customer who opens an account; utilize risk-based measures to verify the identity of each customer who opens an account; record customer identification information and the verification methods and results; provide the required adequate CIP notice to customers that we will seek identification information to verify their identities; and compare customer identification information with government-provided lists of suspected terrorists, once such lists have been issued by the government. See Section 5.g. (Notice to Customers) for additional information.

Rule: 31 C.F.R. §103.122.

a. Required Customer Information - Merchants

Prior to establishing a relationship with Scratchpay, new merchants are required to provide the following information:

  1. name of the clinic;
  2. name of contact person;
  3. email address of contact person;
  4. phone number of contact person;
  5. email address for payment authorizations (may be the same as email address above);
  6. bank account routing number and account number;
  7. clinic address

b. Required Customer Information - Borrowers

Prior to establishing a relationship with Scratchpay, borrowers are required to provide the following information into Scratchpay’s web-based application form:

  1. name;
  2. date of birth (for an individual);
  3. a mailing address, which will be a residential street address;
  4. a social security number; and
  5. a mobile telephone number

Rule: 31 C.F.R. §103.122(b)(2)(i)(A) & § 103.122(b)(2)(i)(B).

c. Customers Who Refuse to Provide Information

If a potential or existing customer either refuses to provide the information described above when requested, or appears to have intentionally provided misleading information, our firm will not open a new account and, after considering the risks involved, consider closing any existing account. In either case, our AML Compliance Person will be notified so that we can determine whether we should report the situation to FinCEN on a SAR-SF. Customers who fail to complete any required part of the application form will not be able to advance to the next step in the process.

d. Verification process - merchants

Scratchpay takes several steps to ensure that we can verify the existence of new merchant (clinic) partners and that we are comfortable with the inherent risk associated with these partners.

  1. Find the clinic’s web site and verify that it appears to be a legitimate veterinary business.
  2. Verify that web site contains the clinic’s name.
  3. Verify that contact person’s email address contains the clinic’s name.

If any of the above steps yields an unsatisfactory result, we contact the clinic via telephone (either the number provided during signup or the number obtained from the web site) and conduct further investigation. This step may involve gathering the business’ taxpayer identification number, financial statements, articles of incorporation, or similar documentation.

Based upon the results of this process, VP of Business Development will make a determination as to whether or not to launch the new merchant partner. The Chief Risk Officer reviews these decisions on a regular basis.

e. Verification process - borrowers

Scratchpay takes several steps to verify the identity of new borrowers. These include:

  1. Verifying the customer’s mobile telephone number via SMS text verification.
  2. Obtaining a credit report and a credit score for each applicant via Experian. Experian returns a score that indicates their confidence level regarding the applicant’s identity.
  3. Evaluation of any previous interactions between applicant and Scratchpay, including previous applications by applicant or applicant’s family members.

The company has developed algorithms that make an automated decision as to whether or not the information provided allows us to form a reasonable belief that we know the true identity of the customer (e.g. whether the information is logical or contains inconsistencies). These algorithms are reviewed and revised on an ongoing basis to ensure that the approval process is sufficient.

f. Recordkeeping

We will document our verification, including all identifying information provided by a customer, the methods used and results of verification, and the resolution of any discrepancies identified in the verification process. We will keep records containing a description of any document that we relied on to verify a customer’s identity, noting the type of document, any identification number contained in the document, the place of issuance, and if any, the date of issuance and expiration date. With respect to non-documentary verification, we will retain documents that describe the methods and the results of any measures we took to verify the identity of a customer. We will also keep records containing a description of the resolution of each substantive discrepancy discovered when verifying the identifying information obtained. We will retain records of all identification information for five years after the account has been closed; we will retain records made about verification of the customer's identity for five years after the record is made.

Rule: 31 C.F.R. §103.122(b)(3).

g. Notice to Customers

We will provide notice to customers that the firm is requesting information from them to verify their identities, as required by federal law. We post messages to this effect on our web site that customers must acknowledge in order to advance through the application process.

5. General Customer Due Diligence

It is important to our AML and SAR-SF reporting program that we obtain sufficient information about each customer to allow us to evaluate the risk presented by that customer and to detect and report suspicious activity. When we open an account for a customer, the due diligence we perform may be in addition to customer information obtained for purposes of our CIP.

For accounts that we have deemed to be higher risk (either due to high loan volume, high anticipated loan volume, or potential suspicious activity), we will obtain additional information to ensure a reasonable level of comfort with the customer’s business activity. This information may include:

  • the customer’s (or beneficial owner’s) occupation or type of business;
  • financial statements;
  • banking references;
  • domicile (where the customer’s business is organized);
  • description of customer’s primary trade area and whether international transactions are expected to be routine;
  • description of the business operations and anticipated transaction volume;
  • explanations for any changes in account activity.

We will also ensure that the customer information for high risk customers remains accurate by updating this information on an ongoing basis of at least once per year.

6. Compliance with FinCEN’s Issuance of Special Measures Against Foreign Jurisdictions, Financial Institutions or International Transactions of Primary Money Laundering Concern

We do not maintain any accounts (including correspondent accounts) with any foreign jurisdiction or financial institution. However, if FinCEN issues a final rule imposing a special measure against one or more foreign jurisdictions or financial institutions, classes of international transactions or types of accounts deeming them to be of primary money laundering concern, we understand that we must read FinCEN’s final rule and follow any prescriptions or prohibitions contained in that rule.

7. Monitoring Accounts for Suspicious Activity

We will monitor account activity for unusual size, volume, pattern or type of transactions, taking into account risk factors and red flags that are appropriate to our business. (Red flags are identified in Section 7.b. below.) Monitoring will be conducted primarily by evaluating the activity and loan volume of individual merchants on a monthly basis. The AML Compliance Person or his or her designee will be responsible for this monitoring, will review any activity that our monitoring system detects, will determine whether any additional steps are required, will document when and how this monitoring is carried out, and will report suspicious activities to the appropriate authorities.

The AML Compliance Person or his or her designee will conduct an appropriate investigation and review relevant information from internal or third-party sources before a SAR-SF is filed.

a. Emergency Notification to Law Enforcement by Telephone In situations involving violations that require immediate attention, such as terrorist financing or ongoing money laundering schemes, we will contact our relevant bank partner and discuss next steps for involving law enforcement.

b. Red Flags Red flags that signal possible money laundering or terrorist financing include, but are not limited to:

Customers – Insufficient or Suspicious Information

  • Customer with no discernable reason for using the firm’s service.

  • No business web site or web site that does not contain the stated name of the business.

  • Customer with email address that does not contain the name of the business.

Activity Inconsistent With Business

  • Transactions patterns show a sudden change inconsistent with normal activities.

  • Maintains multiple accounts, or maintains accounts in the names of family members or corporate entities with no apparent business or other purpose.

  • Appears to be acting as an agent for an undisclosed principal, but is reluctant to provide information.

Other Suspicious Customer Activity

  • Unexplained high level of transaction volume.

  • Law enforcement subpoenas.

  • Payment by third-party check or money transfer without an apparent connection to the customer.

c. Responding to Red Flags and Suspicious Activity

When an employee of the firm detects any red flag, or other activity that may be suspicious, he or she will notify the CEO. Under the direction of the AML Compliance Person, the firm will determine whether or not and how to further investigate the matter. This may include gathering additional information internally or from third-party sources, freezing the account, and contacting our bank partners to discuss involving appropriate authorities.

8. Suspicious Transactions and BSA Reporting

a. Potential SAR-SF filings

We will contact our banking partners to discuss the filing of SAR-SFs with FinCEN for any transactions (including deposits and transfers) conducted or attempted by, at or through our firm involving $5,000 or more of funds or assets (either individually or in the aggregate) where we know, suspect or have reason to suspect:

  1. the transaction involves funds derived from illegal activity or is intended or conducted in order to hide or disguise funds or assets derived from illegal activity as part of a plan to violate or evade federal law or regulation or to avoid any transaction reporting requirement under federal law or regulation;
  2. the transaction is designed, whether through structuring or otherwise, to evade any requirements of the BSA regulations;
  3. the transaction has no business or apparent lawful purpose or is not the sort in which the customer would normally be expected to engage, and after examining the background, possible purpose of the transaction and other facts, we know of no reasonable explanation for the transaction; or
  4. the transaction involves the use of the firm to facilitate criminal activity.

b. Currency Transaction Reports

Our firm prohibits transactions involving currency and has the following procedures to prevent such transactions: (1) we do not allow cash repayments for loans, and (2) we remit payment to our merchant partners via ACH only.

c. Currency and Monetary Instrument Transportation Reports

Our firm prohibits both the receipt of currency or other monetary instruments that have been transported, mailed or shipped to us from outside of the United States, and the physical transportation, mailing or shipment of currency or other monetary instruments by any means other than through the postal service or by common carrier.

Rules: 31 C.F.R. §§103.11, 103.23.

9. AML Recordkeeping

a. Responsibility for Required AML Records Our AML Compliance Person and his or her designee will be responsible for ensuring that AML records are maintained properly.

b. Additional Records We shall retain either the original or a microfilm or other copy or reproduction of each of the following:

  • A record of each extension of credit in an amount in excess of $10,000, except an extension of credit secured by an interest in real property. (Note: Scratchpay does not currently approve loans in excess of $10,000 and has no intentions of doing this in the future) The record shall contain the name and address of the person to whom the extension of credit is made, the amount thereof, the nature or purpose thereof and the date thereof;

  • A record of each advice, request or instruction received or given regarding any transaction resulting (or intended to result and later canceled if such a record is normally made) in the transfer of currency or other monetary instruments, funds, checks, investment securities or credit, of more than $10,000 to or from any person, account or place outside the U.S.;

  • A record of each advice, request or instruction given to another financial institution (which includes broker-dealers) or other person located within or without the U.S., regarding a transaction intended to result in the transfer of funds, or of currency, other monetary instruments, checks, investment securities or credit, of more than $10,000 to a person, account or place outside the U.S.;

  • Each document granting signature or trading authority over each customer's account;

  • Each record described in Exchange Act Rule 17a-3(a): (1) (blotters), (2) (ledgers for assets and liabilities, income, and expense and capital accounts), (3) (ledgers for cash and margin accounts), (4) (securities log), (5) (ledgers for securities in transfer, dividends and interest received, and securities borrowed and loaned), (6) (order tickets), (7) (purchase and sale tickets), (8) (confirms), and (9) (identity of owners of cash and margin accounts);

  • A record of each remittance or transfer of funds, or of currency, checks, other monetary instruments, investment securities or credit, of more than $10,000 to a person, account or place, outside the U.S.; and

  • A record of each receipt of currency, other monetary instruments, checks or investment securities and of each transfer of funds or credit, of more than $10,000 received on any one occasion directly and not through a domestic financial institution, from any person, account or place outside the U.S.

10. Training Programs

We will develop ongoing employee training under the leadership of the AML Compliance Person and senior management. Our training will occur on at least an annual basis. It will be based on our firm’s size, its customer base, and its resources and be updated as necessary to reflect any new developments in the law.

Our training will include, at a minimum: (1) how to identify red flags and signs of money laundering that arise during the course of the employees’ duties; (2) what to do once the risk is identified (including how, when and to whom to escalate unusual customer activity or other red flags for analysis and, where appropriate, the filing of SAR-SFs); (3) what employees' roles are in the firm's compliance efforts and how to perform them; (4) the firm's record retention policy; and (5) the disciplinary consequences (including civil and criminal penalties) for non-compliance with the BSA.

We will develop training in our firm, or contract for it. Delivery of the training may include educational pamphlets, videos, intranet systems, in-person lectures and explanatory memos. Currently our training program includes viewing a video within 2 months of hire. We will maintain records to show the persons trained, the dates of training and the subject matter of their training.

We will review our operations to see if certain employees, such as those in compliance, margin and corporate security, require specialized additional training. Our written procedures will be updated to reflect any such changes.

11. Senior Manager Approval

Senior management has approved this AML compliance program in writing as reasonably designed to achieve and monitor our firm’s ongoing compliance with the requirements of the BSA and the implementing regulations under it.