You Better Think Twice[i]
One of the continuing challenges for AML professionals is how to explain to boards, senior management and all staff the regulatory and legal expectations for financial institutions under all of the various AML requirements. We still hear complaints from business lines on compliance processes and the need for proper allocation of resources that are not designed for revenue enhancement. (Although I strongly disagree with that assessment and will explain in detail in a future post.) The federal banking agencies and NCUA have released an update to a previous statement from 2007 (yes, not a typo) and while they indicate that this announcement does not create “new expectations or standards,” let’s take a look at the areas of focus in how the FBAs will assess C&D’s and other actions.
Assessing a BSA Program
We are very familiar with the overall BSA program requirements or “pillars” that regulators will assess such as training, independent testing, designated officer and internal controls. The “new” reference in this interagency statement is that now internal controls will also include customer due diligence (e.g beneficial ownership) and the various recordkeeping and reporting requirements.
The agencies reference what can result in a cease and desist order for BSA program deficiencies and make an age-old point that there needs to be a written program covering all of the pillars and accompanying components but that “institution-issued policy statements alone are not sufficient; the program as implemented must be consistent with the institution’s written policies, procedures, and processes.” In other words, have the program map to the policy. Simple hortatory language is not sufficient.
Another example of a potential C&D would be deficiency of independent testing that, coupled with evidence of highly suspicious activity creates the possibility of a major money laundering or terrorist financing event. Clearly the agencies are casting about to ensure we recognize there needs to be a reasonable aspect to fines, penalties and other criticisms.
In the case of actions that are less than the more dramatic C&D’s, the statement goes to some length to outline problems that need addressing, but do not rise to a higher level of exposure. Specifically, they reference a gap in training that warrants criticism but is not so severe to harm the overall effectiveness of the BSA/AML program. Again, reasonable language.
Correcting Previous Problems
Having the privilege of conducting AML training for many years, one of the obvious points that must be made is that failure to “fix” a problem or delays in responding to examiner criticism is never acceptable. You always want to alert the regulators to any unforeseen delays and treat timelines with respect.
Once again, the agencies distinguish between delays that cannot be corrected within certain planned timeframes or are as important. For example, the failure to designate a qualified BSA officer is clearly an essential pillar but if the officer is qualified by examiner oversight but additional training is recommended and not completed by next review, it will not be considered a deficiency.
An interesting part of the statement on correction uses the example of failure to develop customer risk profiles. Where this deficiency has been identified to both the Board of Directors and senior management it is ripe for a C&D. This is considered a violation of the internal controls pillar and makes clear what the agencies think about mandatory risk assessments (we can argue semantics but seems we need risk profiles…).
Communication Remains Key
An old debate covers what examiners want from an institution and whether it matters how it is communicated. There are many frustrated compliance professionals that when “told” about a possible change, have found scarce clarity in whether the change was a recommendation or a requirement. I realize non-compliance folks would say, “why don’t you ask them?”, but in reality, it just hasn’t been that simple - trust me.
The interagency statement addresses communications, whether formal and informal, as well as written to the board, or as findings in an examination report. The agencies make clear that “the deficiencies in the compliance program must be identified in a report of examination or other written document reported to an institution’s board of directors or senior management as a violation of law or a matter that must be corrected.” They do allow for “isolated or technical violations of law and other issues or suggestions for improvement may be communicated through other means.” With all of that, in 2020 if it isn’t in writing, ask them….
The interagency statement should be carefully read, analyzed and communicated to all appropriate parties.
When you are considering a potential C&D, there is quite a bit here to digest - before you act on any BSA/AML issues, you better think twice.