Strategic BSA/AML Compliance in a Financial Institution Merger

Mergers of Financial Institutions (FIs) are an increasingly common industry trend. A merger creates a number of challenges for Bank Secrecy Act (BSA) Officers who are tasked with developing an integration plan, while ensuring ongoing compliance with the relevant laws and regulations. A merger impacts all aspects of the FI’s BSA Program, from the Enterprise-Wide Risk Assessment (ERA) through process implementation. When FIs find themselves in the midst of a merger, developing a strategic approach to help facilitate the merging of policies, procedures, and processes, while simultaneously remaining compliant with applicable laws and regulations, can prove highly beneficial. Let’s delve into what such an approach might look like.

Phase 1: Pre-Merger Due Diligence

Prior to the merger, the acquiring institution may engage in preliminary efforts to establish a foundation for the seamless integration of the acquiring and acquired institutions’ BSA programs. Since BSA Officers have the unique ability to identify BSA/AML issues that may arise during the merger, it is wise to include the acquired’s BSA Officer on the team conducting due diligence. The due diligence should commence with a review of the Target’s most recent ERA.

As discussed in a prior article, Risky Business: A Responsible Evaluation of Enterprise-wide AML/OFAC Risk, the ERA is designed to provide critical insight into the acquired’s customer base; existing products, services and channels; geographic footprint; and transactional environment. Moreover, the due diligence team should carefully scrutinize the institution’s risks, potential deficiencies, and areas of concern identified within the acquired FI’s ERA.

If the acquired FI does not have an ERA available for review prior to the merger, then the team should request information pertaining to the acquired FI’s aforementioned inherent risk categories, along with other factors that pose money laundering and terrorism financing risks to the institution. Additional sources for this information include internal and external audit reports and regulatory findings pertaining to the acquired FI’s BSA Department. Performing this due diligence prior to finalizing the merger provides the acquiring institution with the ability to appropriately identify potential risks and challenges that may result from the merger, and help the FI develop a strategic and methodical approach to mitigate them.

Some of the relevant questions that FIs should consider during Phase 1 are:

• What are the primary BSA/AML risk factors for the acquired institution?
• What types of controls does the institution have in place to mitigate the risk?
• How effective are those controls?
• Has the acquired institution undergone a regulatory examination that yielded adverse results?

Phase 2: Integration Process

Once the merger is finalized, the real work begins. A robust BSA program requires three key ingredients: people, processes, and technologies. Each of these ingredients is necessary to ensure adequate compliance with AML laws and regulations. This is a useful framework to guide the integration process and fully comply with the applicable laws and regulations.

People

This ingredient evaluates three components: staffing needs, training of BSA personnel, and the BSA Officer’s qualifications. Each of these components is essential, but it is important to note that adequate training of BSA personnel and having a qualified BSA Officer are required pillars of a BSA program.

Without appropriate staffing levels, a merger may cause a backlog of alerts, cases, and Enhanced Due Diligence (EDDs) efforts, due to an increase in volumes or technology issues. A staffing evaluation performs an analysis of the workload, including alert, case, and suspicious activity report (SAR) volumes, as well as watch list monitoring and frequency of currency transaction reports (CTRs) being filed.

The FI should initially expect a temporary increase in alert, case, and SAR volumes because there are essentially two customer bases involved in a merger – the acquiring institution’s customers and the acquired FI’s customers. As a result, the FI may need to conduct two staffing evaluations – one for temporary use during the integration process and one for the business as usual (BAU) operations for use on a permanent basis after the integration phase is complete.

In order to ensure adequate coverage of the increased workload, the FI may need to utilize an outside vendor or contractors on a temporary basis during the integration phase. However, once the acquired FI’s customers are fully integrated into the BAU operations, the number of full-time employees (FTEs) should scale over time, triggering the use of a second staffing evaluation.

Among the questions that the FI should ask to determine staffing needs are:

• How long does it take, on average, for one FTE to complete specific operational activities, tasks and/or processes, and how does this compare to the industry standard run time?
• What are the FI’s current operational volumes?
• What are the annual hours required to complete the FI’s operational activities, tasks and/or processes?

One of the pillars of a BSA program is a comprehensive training program for the institution’s personnel. There are two components to a strong BSA training program—training for all FI employees and training specifically designed for BSA personnel. The first step is to develop the curriculum for enterprise-wide BSA training. This curriculum should include an overview of the BSA/AML laws and regulations that enable employees to understand the significance of the rules and requirements that mandate compliance.

The curriculum should also provide BSA/AML red flags training, focusing on red flags specific to the respective business lines. In doing so, the curriculum is tailored to the money laundering and terrorism financing red flags that each respective business unit is expected to encounter. A process for referring potentially suspicious activity for further investigation to the FI’s BSA department should also be established and implemented. The FI’s front-line staff can be an invaluable resource for BSA department to appropriately identify unusual customer behavior observed in the FI’s branches.

The second step is to develop the curriculum for BSA personnel. The FI’s BSA department requires a specialized training program that provides more in-depth and targeted training on assessing customer transactions, writing well-reasoned narratives, and compliance with the FI’s BSA policies and procedures. The training program may also need to include remedial training if the acquired institution did not provide its staff with adequate training opportunities.

Beyond the curriculum, the timing of training is also critical. BSA training should be conducted enterprise-wide as soon as is practical. Moreover, the Bank’s training policy must include ongoing training opportunities on a periodic basis and incorporate emerging BSA/AML trends. Without a strong training program, regulators may determine that the FI is in violation of a BSA pillar, resulting in regulatory penalties.

The FI should consider the following questions when developing a training program for the merged entity:

• How often will training be conducted?
• Who will conduct the training, and who will receive the training?
• Does the FI need specialized training based on the acquired institution’s customer base?

The third component to the people ingredient is maintaining a BSA Officer. Like the training program, regulators identify maintaining a knowledgeable BSA Officer as a required pillar of the FI’s BSA program. The BSA Officer is responsible for oversight of the FI’s BSA program and must possess the requisite knowledge, skills, and abilities to successfully carry out this function. At a minimum, the BSA Officer should have an adequate understanding of the factors that promote enterprise-wide inherent risk and common money laundering and terrorism financing typologies.

Regulators tend to pay special attention to the BSA Officer’s authority, which should include the ability to unilaterally override decisions related to report suspicious activity, if necessary. As a merger inevitably impacts enterprise-wide risk, the acquiring institution’s BSA Officer should be prepared to conduct a new ERA in an effort to reevaluate the risks inherited as a result of the merger.

To evaluate the BSA Officer’s qualifications, the FI should consider the following questions:

• What is the level of the BSA Officer’s prior experience related to BSA/AML?
• How familiar is the BSA Officer with applicable BSA/AML laws and regulations?
• Does the BSA Officer have an adequate understanding of BSA/AML laws and regulations?
• How extensive is the BSA Officer’s knowledge of money laundering and terrorism financing typologies, risks, and mitigation strategies?
• Does the BSA Officer have an understanding of current and emerging trends within the BSA/AML landscape and how they can potentially impact FIs?

Processes

The primary processes for the BSA/AML department involve its Know Your Customer (KYC) program and transaction monitoring strategy. The acquiring institution will need to reevaluate its existing processes to ensure compliance with these two elements.

Let’s first discuss the KYC aspect. The FI must establish processes for its KYC program, which includes maintaining a Customer Identification Program (CIP), Customer Due Diligence (CDD) policies and procedures, a Customer Risk Rating (CRR) methodology, and Enhanced Due Diligence (EDD) policies and procedures. The KYC process may be exceptionally difficult during a merger due to two major areas of concern. First, the acquiring institution and acquired institution may not collect the same amount and/or type of customer information at account opening and for CDD/EDD. Essentially, the KYC process during the merger requires an inventory of the available information about each customer to determine whether the FI collected the necessary documentation to verify the customer’s identity and understand the customer’s anticipated activity.

The difference in information collected by the acquiring institution and the acquired institution may result in CIP exceptions. The FI should establish a process that identifies CIP exceptions for the acquired institution’s customers and a process to remediate those exceptions. If there is missing information, the FI may not be abel to establish an accurate risk rating for the customer, which is the second major area of concern with respect to the KYC process. Moreover, the risk rating model FIs use to assess customer risk varies substantially. As a result, the acquiring institution may need to establish a single streamlined process for assignation of an accurate CRR to the acquired institution’s customers.

The FI should consider the following questions when evaluating its KYC program during a merger:

• What are the gaps, if any, within the KYC information available about customers?
• How can the FI remediate CIP exceptions most efficiently?
• Which customer types does the FI consider to be high-risk, and which customer types are prohibited by the FI per bank policy?
• Should the merged entity continue the banking relationship with prohibited customer types under a “grandfather” policy?
• Does the acquired FI have an established CRR methodology to assign customer risk?

Having a well-thought out transaction monitoring strategy can also impact a merger. The transaction monitoring process generally includes alert remediation, case investigation, and SAR filings. The key to a sound transaction monitoring strategy during a merger is identifying methods to ensure that operational processes are not disrupted at any point. Disruptions may result in a operational backlogs, creating additional challenges to the merger.

The strategy should also include procedures for how FIs should address technological limitations. Oftentimes, the acquiring institution and the acquired institution employ different transaction monitoring software platforms, which harbor different rules and thresholds for the identification of suspicious activity. FIs often have different transaction monitoring processes and procedures, resulting in distinct degrees of tolerance for particular types of activity. As a result, the merged FI must develop guidance for its BSA personnel in order to establish standards for the identification of suspicious activity. The FI should also develop procedures for BSA personnel to perform outreach to front-line staff when additional information is required about a customer’s transactional activity.

The following questions may help guide the FIs in their transaction monitoring efforts:

• What systems are the institutions using?
• What circumstances or events will trigger a relationship disengagement with a customer?
• Does the FI need to modify or completely alter its transaction monitoring strategy?
• How can the acquiring and acquired institutions align their alert remediation, case investigation, and SAR filing standards and procedures?
• Are there clearly defined escalation procedures for alerts and cases?

Technologies

The technology component requires FIs to merge their systems, which oftentimes includes core databases, alert and case management systems, and transaction monitoring platforms. Merging systems requires close collaboration between the FI’s IT department and the BSA department to ensure the BSA department has the resources required to perform its responsibilities. The BSA department should leverage IT tools and resources throughout all stages of the merger. The FI’s IT department should be involved with extracting data from the acquired institution’s systems and migrating the data to the acquiring institution’s systems. The sooner this happens, the easier it is to identify solutions to technological issues that may surface during the merger.

One of the challenges associated with this component includes potential data integrity issues. Data should be validated to ensure accurate data identification in the transaction monitoring platform. The FI may also use a merger as an opportunity to reevaluate its systems and transition to a new platform.

Some of the factors pertaining to technology that the FI should consider are:

• Are transaction types accurately coded and identified in the transaction monitoring software?
• Can BSA personnel use a single system for transaction monitoring or do multiple systems need to be accessed?

Mapping out a strategy for a merger can be a lengthy process. Remaining proactive by performing appropriate due diligence prior to a merger and taking the necessary steps to assess potential problems and additional risk during integration can be extremely beneficial at effectively mitigating risk. Having the appropriate people, processes, and technologies situated, as well as maintaining a comprehensive ERA, will set both institutions up for a successful relationship and will ensure compliance with relevant BSA laws and regulations.

Is your financial institution well-prepared for a potential merger? Our Financial Crimes Advisory practice at AML RightSource has helped multiple institutions establish unified policies, procedures, and processes for a sound BSA program, all while maintaining the integrity of both institutions during a merger. Let us help you with your upcoming merger and/or acquisition.