“Cause you know sometimes words have two meanings” [i]
As the AML community clearly knows, the Federal Financial Examination Council (FFIEC) has been working for quite some time on the updates to the last iteration from 2014. Now we have the first in what promises to be a series of updates, released on tax day. The changes in wording and other modifications are encouraging, but only time will tell regarding their impact in practice.
Having been involved in the 2005 (and first) rollout of the FFIEC’s work, and a strong supporter of their transparency and commitment to outreach to the regulated, it has been frustrating to see the manual become the proverbial “bible” used by examiners and internal auditors. Too many times, examiners (and auditors) have defaulted to “it’s in the manual” instead of dialogue and “risk-focused” review - a message this version emphasizes.
Since I remain old school (and yes old), I thought I would review this version; covering the wording with the hope that exams will improve through clarity on regulatory expectations versus mandates.
The Interagency Statement
The “cover note” to the 2020 changes stresses that these updates do not establish new requirements. Reminding the public that these updates are “instructions” to examiners, it importantly states to examiners that “banks have flexibility in the design of their BSA/AML compliance programs” and in a comment that should be welcomed in the event of this being the case, “minor weaknesses, deficiencies, and technical violations alone are not indicative of an inadequate program.”
In the somewhat controversial area of risk assessment, the statement allows for “no particular method or format” of the assessment (at this point, no sense in mentioning there actually is no requirement because that ship has sailed), and instructs examiners that “there is no requirement” for assessments on a continuous or specified periodic basis” - even though if there is a “significant change in a bank’s risk profile” updates may be necessary.
We will see…
The revisions in this edition are designed to “emphasize and enhance the Agencies’ risk-focused approach” to supervision; a veiled response to some examples of what others have bemoaned as a “check the box” mentality.
In the “scoping and planning” section, the manual points out that OFAC reviews are not part of every exam cycle, but when they are, the examiners should review the bank’s OFAC risk assessment and related independent testing.
In the risk assessment portion, building on the interagency statement, examiners are told to review the bank’s assessment and if none was developed, they are to discuss that fact with management. If the assessment is incomplete or inadequate, the examiners then must develop the risk assessment for the bank.
One interesting part of these updates is the section on SARs. I can recite many examples of banks complaining for years that examiners have questioned the number of SARs filed relative to other banks in the region. Here is the language now:
“Examiners should not criticize a bank solely because the number of SARs or CTRs filed is lower than the number of SARs or CTRs filed by “peer” banks. However, as part of the examination, examiners should consider significant changes in the volume or nature of BSA filings and assess potential reasons for these changes.”
Not sure what that means? Same, but we’ll see…
In what I see as a reference to private-public partnership as a positive exam consideration, there is a section that directs examiners to consider communications such as:
- Law enforcement letters acknowledging that the bank provided highly useful information, as necessary and relevant, and
- Participation in law enforcement-related information exchanges, as necessary and relevant.
The AML community has always wanted active consideration of the proactive work that we all know happens regularly.
In the same regard, our community has struggled over the years in gaining the appropriate internal independence and authority regarding our AML programs. The updates continue the regulators’ call for BSA officers (however titled) to be competent in the subject matter, having access to adequate resources, there being no undue influence from business lines, and there being appropriate independence.
In the last section of the updates regarding finalizing the exam conclusion, there is a reference to systemic or repeat violations that may be considered. Those indicators are logical but they add a reference to a previously issued statement that says in part:
“The Agencies will cite a violation of the SAR regulations, and will take appropriate supervisory action, if the organization's failure to file a SAR (or SARs) evidences a systemic breakdown in its policies, procedures, or processes to identify and research suspicious activity, involves a pattern or practice of noncompliance with the filing requirement, or represents a significant or egregious situation.”
So does that mean no more arguing with a bank that did not file a SAR, documented why no filing, but the examiner rejected the decision?
More to come…
All in all, the FFIEC is trying to get it right. The training of the examiners will be key to ensuring that words don’t have two meanings in these cases.