Joint Statement on Risk-Focused BSA/AML Supervision Highlights the Importance of Risk Assessments and Independent Testing
On July 22, 2019, the federal bank regulatory agencies and the Financial Crimes Enforcement Network (FinCEN) (collectively, the Agencies) issued a Joint Statement on Risk-Focused Bank Secrecy Act/Anti-Money Laundering Supervision.1 The Joint Statement is the third statement from a working group tasked with improving the effectiveness of the Bank Secrecy Act/anti-money laundering (BSA/AML) regime. While the first two statements were notable for encouraging banks to consider novel approaches to enhancing their BSA/AML compliance programs,2 this Joint Statement primarily reinforces basic concepts of risk-based compliance programs and risk-based supervision. Although the Joint Statement does not establish any new requirements, it does serve as a reminder as to how the federal bank regulatory agencies scope their BSA/AML examinations and, therefore, how banks should design and evaluate their compliance programs in order to meet their BSA requirements and satisfy examiner expectations.
Specifically, the Joint Statement reiterates that the federal bank regulatory agencies "evaluate the adequacy of a bank's BSA/AML compliance program relative to its risk profile, and that bank's compliance with applicable laws and regulations." That is, examiners do not adopt a one-size-fits-all approach to conducting BSA/AML examinations. Rather, the scope of a BSA/AML examination is tailored to each bank's unique risk-profile (e.g., its size, customer base, products and services offered, and geographic location), and each bank will be assessed on its "ability to identify, measure, monitor, and control [those] risks." While this likely is not news to most readers, the Joint Statement is still helpful in two regards. First, as with the working group's October 3, 2018 joint statement on sharing BSA/AML compliance resources, the focus on risk-based approaches in this Joint Statement appears to signal that the Agencies are aware of, and are attempting to address, the burdens of BSA/AML compliance programs on community banks.
Second, the Joint Statement specifies that examiners determine a bank's risk profile based on such inputs as the bank's BSA/AML risk assessment, independent testing, and findings from prior examinations. This Joint Statement therefore serves as a good reminder for banks to:
- Review their BSA/AML risk assessments to ensure they are thorough and reflect the current products and services offered, the bank's customer base, and other risk categories. The risk assessment is often the first and most regularly reviewed bank-created document during a BSA/AML examination, and the quality of the risk assessment can significantly influence the examiners' overall view of the BSA/AML program.
- Ensure that their BSA/AML independent testing (audit), among other things: (a) is performed every 12-18 months (depending on the institution's risk profile) by individuals knowledgeable of the BSA requirements and the bank's risk profile; (b) includes a review of the current risk assessment itself; and (c) considers management's efforts to address BSA/AML deficiencies noted in prior audits.
- Ensure that they have sufficiently addressed (or are reasonably in the process of addressing) prior BSA/AML examination findings.
Finally, the Joint Statement also addresses the concern of de-risking. As regulatory and criminal penalties against financial institutions for BSA/AML compliance deficiencies have increased, financial institutions have responded, at times, with a better-safe-than-sorry approach and exited entire products or entire categories of customers. The Joint Statement reiterates the Agencies' prior statements that "banks are encouraged to manage customer relationships and mitigate risks based on customer relationships rather than declining to provide banking services to entire categories of customers." In other words, the Agencies continue to expect that banks will develop and implement controls commensurate with the risk presented by customer relationships and products offered, and to the extent banks continue banking high-risk customers or onboard new high-risk customers, their BSA/AML compliance programs should be adjusted accordingly.
* * *
Banks interested in assistance with reviewing and enhancing their BSA/AML risk assessments and independent testing, or with BSA/AML examination remediation may contact any of authors of this Advisory or their usual Arnold & Porter contact. The firm's Financial Services team would be pleased to assist with any questions about the Joint Statement or BSA/AML compliance more broadly.
© Arnold & Porter Kaye Scholer LLP 2019 All Rights Reserved. This Advisory is intended to be a general summary of the law and does not constitute legal advice. You should consult with counsel to determine applicable legal requirements in a specific fact situation.
On October 3, 2018, the Agencies issued a joint statement encouraging certain smaller banks to consider sharing BSA/AML compliance resources. The Agencies issued a second joint statement on December 3, 2018, which encouraged banks to consider adopting innovative fintech solutions to combat money laundering and terrorist financing.