Ask the AFC Guru: Lindsay Lindmier—Audit Preparation, Protecting Against Fraud and More


This month’s anti-financial crime (AFC) guru, Lindsay Lindmier, CAMS, CAFP, is the director of Financial Crimes and Bank Secrecy Act/Office of Foreign Assets Control (BSA/OFAC) officer at Security National Bank in Omaha, Nebraska. Security National Bank, which is a privately owned bank with an asset size of $1.4 billion, has locations in Omaha, Nebraska; Des Moines, Iowa and Dallas, Texas. Lindmier has over 20 years of traditional banking experience starting in a branch and moving to AFC roles in 2005. She has worked at multiple banks ranging in asset size from $1 billion to $94.5 billion. Lindmier is a subject-matter expert in enhanced due diligence (EDD) and is currently focused on educating Security National Bank’s customers and its community on identifying potential fraud and avoiding becoming victims of financial crime. She holds a bachelor’s degree in organizational communication from Creighton University.

Question 1: What tips would you give to financial institutions (FIs) as they prepare for an audit?

Lindsay Lindmier (LL): The very first tip I would give is to relax. I consider every audit as an opportunity for improving our program. Taking this perspective allows me to view an audit as a partnership and a tool to prepare for the next exam. Keep in mind that while having audit findings isn’t ideal, having the audit team find them and having an opportunity to correct the findings or at least have an action plan in place is better than exam findings. At least 4-5 months prior to the start of any audit I review our internal controls to ensure they have been reviewed and updated within the previous 12 months. If any changes are necessary, it allows time for implementation in our operational areas within the business lines. Additionally, I determine if there are any areas I’d like the auditors to concentrate on. Again, this is an opportunity to gain an independent review of your program. Maintaining that partnership mentality can be extremely beneficial when viewing the overall health of your program, especially if you are outsourcing to an external partner; they will have a wider view of what peer FIs are doing and how your programs align. After that, remain organized. Have a single point of contact to organize meetings, collect request list items and act as a liaison between audit and the business lines.

Question 2: What particular type of scam is on the rise and what should people do to protect against it?

LL: At our FI we continue to see check fraud due to mail theft (altered checks) and business email compromise. Depending on the size of your FI and monitoring software available, it can be very hard to monitor proactively against both types of fraud.

Overall, our success in fraud/scam prevention has been additional training, collaboration between the first and second lines of defense, and customer education. We meet multiple times a month with our customer-facing staff to ensure they are aware of local trends and to maintain an open line of communication between the first and second lines of defense. Our front-line staff are empowered to pause, ask additional questions and refuse transactions as necessary with the full support of leadership. This has led to multiple check fraud attempts being stopped at the front line. Those instances are then escalated, and we can assist our customers in protecting their accounts and identities against any potential loss.

Regarding business email compromise, we have been working with wire operations and deposit operations staff to identify red flags when repeat wire or automated clearing house (ACH) information is changed. We have provided them with red flags of potential wire fraud, and we encourage them to reach out with any potential concerns.

Lastly, and what we are particularly proud of as an institution, is our partnership with our marketing team. We have developed a yearlong anti-fraud campaign to run through social media, statement notifications and online banking messages, assisting in educating our customers on red flags to be aware of and how to protect themselves and their information from bad actors.

Question 3: What advice would you give FIs for performing EDD on higher risk customers or money services businesses?

LL: An EDD review should be summarized by why and what was reviewed and if the activity is expected and reasonable for the customer. The summary should include a comparison to the previously reviewed activity. Is the activity consistent over time? Are there changes that may have significantly impacted the business? Lastly, is the risk presented by the customer acceptable? Does the reviewer recommend retaining at the current risk level?

The focal point for EDD review is the critical analysis and documentation of the results. I always like to remind my team, “I know it makes sense in your mind. But if you don’t record it, there is no way to know what you were thinking.” The critical analysis should include at least:

  • Why the customer presents a higher risk, whether it is transactional, inherent to the business/customer type, cash flow, geographical location, etc.;
  • An explanation of why those risk factors or transactions are expected; and
  • A discussion and explanation of anomalies. Anomalies would include spikes in volume surrounding cash, wires or international activity, seasonality in volume, or miscellaneous transactions not necessarily expected but explainable.

Regarding money services businesses (MSBs), the key element for a thorough EDD review is balancing the cash in/out and documenting it appropriately. When reviewing a check casher, is the dollar volume of the third-party checks being deposited commensurate with the change orders from the business? If change orders are not occurring, where is the cash coming from to supplement the check cashing? Are they supplementing from cash sales in a retail location? If so, do the foot traffic, inventory purchases and site visit support that statement? If the cash is being supplemented by providing MSB services as an agent to Western Union or another principal MSB, do the ACH debit transactions balance to the third-party checks being deposited?

Question 4: Was there an increase in de-risking by FIs in 2023?

LL: While I can’t speak to the overall trend of de-risking by all FIs, I know it continues to be a hot topic of discussion. As BSA officers, we are constantly striving to ensure we are managing strong anti-money laundering/BSA programs, and we know that higher risk customer types are scrutinized heavily by regulators. Historically, the guidance surrounding de-risking has been to remove a specific customer type solely based on the type of product or service they provide in a sweeping generalization. This should be avoided. Each FI must make the decision to onboard or maintain a certain customer risk segment based on local, state and federal laws, as well as the FI’s ability to mitigate the risk presented. The ability to mitigate the risk involves a lot of variables including resources, the ability to obtain strong due diligence, the ability to complete ongoing monitoring and the overall risk appetite set by senior leadership and/or the board of directors.

When deciding to offer a new product or service, I encourage completing a risk assessment and suggest the same process when determining to exit a product, service or customer type. Not only will this address where there are gaps in your controls, but when an auditor or examiner questions why the decision was made to “de-risk,” you are able to provide the supporting documentation explaining why it is outside of the institution’s risk appetite.

Lindsay Lindmier, CAMS, CAFP, director of Financial Crimes and BSA/OFAC officer, Security National Bank, Omaha, NE, USA
