Evaluating BSA/AML Compliance Programs in the Wake of Recent Government Actions
Although the current administration may signal its intention to exercise a more relaxed regulatory examination environment for financial institutions, industry participants should not make the mistake of expecting a more relaxed enforcement environment, particularly in the area of anti-money laundering. This point has been underscored by numerous criminal and regulatory penalties levied against financial institutions for deficiencies in their Bank Secrecy Act and anti-money laundering (BSA/AML) programs since the beginning of 2017. With these cases, the government has signaled that AML enforcement remains a top priority. Below we discuss several takeaways from recent actions, which should help financial institutions assess the adequacy of their own BSA/AML programs and prevent similar government penalties.
Responding to Supervisory Criticisms of an AML Program Should be a Top Priority
Examination criticisms of the bank's AML program—whether communicated informally during the examination or in the exit meeting, or formally through written examination findings or matters requiring attention (MRAs)—should be properly elevated to senior management and the Board of Directors. Failing to act may subject the bank to continued criticisms and enforcement risk. Under Section 8(s) of the FDI Act, a banking agency is required to issue a cease and desist order if an AML-related MRA has not been corrected by the time of the next examination. A cease and desist order very well may require the bank to engage an independent consultant to conduct a look-back to identify previously unreported suspicious activity. With the benefit of hindsight, a look-back almost always will identify some activity requiring the bank to backfile Suspicious Activity Reports (SARs), and may reveal illicit or bad actors that took advantage of the bank's perceived AML deficiencies. As in the recent cases, the number of missed SARs can be large, attracting scrutiny from law enforcement.
Also, it should go without saying: do not obstruct the examination process. In recent cases, the government faulted banks for concealing information from regulators, even after regulators specifically requested the information. To mitigate these risks, banks should establish and train employees on the communication protocol in place when examiners are on site. For example, the bank should designate a primary point of contact for the lead examiner and all examination inquiries should be directed to such person. In addition, employees should be trained to memorialize any question or request informally made to them throughout the examination, as well as the response provided.
Maintain Adequate Staffing and Technology
Recent government actions have faulted financial institutions for having insufficient staffing and technology to adequately review suspicious activity. It is critical that bank management periodically assess the adequacy of its AML resources to ensure they are commensurate with the AML risk posed to the institution.
With respect to staffing, maintaining the proper number of staff is of course important, but it is not just about head count. Examiners are increasingly citing inadequate experience and training for BSA officers and their staff, and have even faulted banks for paying AML staff below-market wages.
Similarly, with respect to technology, banks have been criticized in recent actions for failing to keep monitoring systems up to date, increasing the risk of missing suspicious transactions or activity. Banks also have been criticized for failing to have their screening software independently validated, notwithstanding regulatory guidance.
These findings do not mean that each financial institution must bolster the number of AML staff, increase AML staff salaries and ensure it always has the latest state-of-the-art screening technology. The key is that a financial institution has adequate staffing and technology that corresponds to the risk profile of its customer base and activity. Recent cases demonstrate that the officers and directors of the institution must thoughtfully evaluate the adequacy of resources available to the AML department. Where requests are made for increases in AML staffing, salary or technology, officers and directors should ensure that such requests are properly evaluated and appropriately documented.
An Orderly Transaction Monitoring System is a Key Element of a Strong AML Program
Common to many AML enforcement actions in the past several years has been the bank's inability to properly align its transaction monitoring systems to the operations and risk profile of the bank. Regulators consistently reprimand banks for either improperly tuning systems to limit the number of flags or not having the bandwidth in the financial intelligence unit (FIU) to resolve the overflow of alerts. In some cases, the government has alleged that banks manipulated their transaction monitoring systems to limit the number of suspicious activity alerts because they did not have the staffing in place to clear them. Other actions have alleged banks were instructing staff to clear suspicious activity alerts at an unreasonably high rate. Such methods inevitably increase the risk of failure to detect suspicious activity, and while regulators do not expect a perfect success rate at identifying suspicious activity, changes made to monitoring systems must be carefully implemented, documented, and tested to ensure that overall effectiveness is not compromised. Regulators may view changes made without such safeguards as nothing more than shortcuts and, possibly, evidence that the financial institution does not take AML compliance seriously. Accordingly, transaction monitoring, and the overall AML program, should be tailored to the risk profile of the bank, not staffing resources. To the extent an institution cannot provide sufficient staffing and related compliance resources to address the institution's risk profile, the institution should seek ways to reduce such risk.
Beware of AML Compliance Taking a Backseat to Attracting New Business and Maintaining Favored Customers
Management and the Board of Directors must consistently promote a culture throughout all lines of business that is focused on compliance with the BSA and other regulatory requirements. In recent cases, prosecutors have accused certain banks of being slow to close the accounts of, and to timely file SARs against, profitable customers, even after receiving notice that the customers' accounts may have been used for illicit activity. To avoid similar scrutiny, banks must ensure effective policies and procedures are in place to properly communicate new information to appropriate departments. For example, such controls should contain explicit procedures for communicating receipt of subpoenas, 314(a) requests, national security letters, or other inquiries to the AML department or FIU, which allow bank staff to evaluate appropriate customer risk ratings and determine whether to exit the relationship. In matters involving important or wealthy customers—or customers strongly suspected to be engaged in illicit activity—a failure to close accounts or file a SAR in spite of obvious red flags increases the risk of being perceived by regulators as prioritizing profit over compliance. Such failures may also attract the attention of prosecutors.
In a similar vein, financial institutions should note that banks have been faulted for soliciting customers whose accounts were recently closed by another bank. An influx of new, high-risk customers that are known to have recently been exited by another bank will invite regulatory scrutiny.
Cases Against Individuals are on the Rise
In the last decade, government agencies have issued criminal penalties and billions of dollars in fines against financial institutions for BSA/AML deficiencies and other similar compliance failures. In the last 14 months alone, DOJ and bank regulators have issued over $2 billion in fines for AML deficiencies at financial institutions, with penalties ranging from $7 million to over $600 million in certain cases. Because BSA/AML deficiencies continue to be identified at financial institutions, prosecutors and regulators have shown an increased willingness to adopt an additional approach to AML enforcement: holding individuals personally liable. Since the beginning of 2017, several bank employees—including compliance officers—have been criminally charged, prohibited from the financial industry, or fined for willful violations of the BSA. We expect this trend to continue. In order to protect themselves from individual liability, AML personnel should continue to diligently perform their function and stay updated on industry developments (e.g., new regulations, guidance and enforcement actions) in order to detect and appropriately address the AML risks at their financial institution, as well as to communicate these risks to the executives and directors of the bank, as appropriate.
Recent actions demonstrate that, despite an easing of regulations, the government will continue to rigorously enforce BSA/AML compliance at financial institutions. If a financial institution is not adequately and timely meeting its obligations under the BSA—or correcting any BSA/AML program deficiencies promptly—it can expect government scrutiny, leading possibly to years-long investigations, costly remediation, significant fines, reputational harm, and potentially even a criminal conviction. Since AML compliance is a top priority for regulators and law enforcement, it should remain a top priority for financial institutions as well.
© Arnold & Porter Kaye Scholer LLP 2018 All Rights Reserved.