"Financial Service Technology America, today's latest financial news now..."
25 May 2011

Don’t let this happen to your institution: Regulators provide BSA guidance through enforcement actions

Wolters Kluwer | www.cchsword.com


Regulatory Guidance on Enforcement Standards

There has been substantial concern in the financial community over the perception that the numerous regulatory agencies have interpreted and enforced the BSA/AML regulations inconsistently. To resolve these concerns, the federal banking regulators recently issued an “Interagency Statement on Enforcement of Bank Secrecy Act/Anti-Money Laundering Requirements” setting out the agencies' policy on the circumstances in which an agency will issue a Cease and Desist Order as a result of noncompliance with certain Bank Secrecy Act/Anti-Money Laundering (BSA/AML) requirements.
The joint statement outlines that an agency will issue a Cease and Desist Order against a banking organization or a credit union for noncompliance with BSA Compliance Program requirements in the following circumstances.

1. Failure to establish and maintain a reasonably designed BSA Compliance Program

This can occur when the institution:

  • Doesn’t have a written BSA Compliance Program, including a customer identification program, that adequately covers the four required program elements (a system of internal controls, independent testing, a designated BSA officer and training); or
  • Fails to implement a BSA Compliance Program that adequately covers the required program elements; or
  • Has defects in its BSA Compliance Program in one or more program elements that indicate that either the written Compliance Program or its implementation is not effective, for example, where the deficiencies are coupled with other aggravating factors, such as (i) highly suspicious activity creating a significant potential for unreported money laundering or terrorist financing, (ii) patterns of structuring to evade reporting requirements, (iii) significant insider complicity, or (iv) systemic failures to file Currency Transaction Reports, Suspicious Activity Reports, or other required BSA reports.

In determining whether an organization has failed to implement a BSA Compliance Program, an agency will also consider the application of the organization's Program across its business lines and activities. In the case of institutions with multiple lines of business, deficiencies affecting only some lines of business or activities would need to be evaluated to determine if the deficiencies are so severe or significant in scope as to result in a conclusion that the institution has not implemented an effective overall program.

2. Failure to correct a previously reported problem with the BSA Compliance Program

A history of deficiencies in an institution's BSA Compliance Program in a variety of different areas, or in the same general areas, may result in a Cease and Desist Order on that basis. An agency will issue a Cease and Desist Order whenever an institution fails to correct a problem with BSA/AML compliance identified during the supervisory process.
In order to be considered a "problem" a deficiency reported to the institution ordinarily would involve a serious defect in one or more of the required components of the institution's BSA Compliance Program or implementation that a report of examination or other written supervisory communication identifies as requiring communication to the institution's board of directors or senior management as a matter that must be corrected. For example, failure to take any action in response to an express criticism in an examination report regarding a failure to appoint a qualified compliance officer could be viewed as an uncorrected problem that would result in a Cease and Desist Order.
An agency will ordinarily not issue a Cease and Desist Order for failure to correct a BSA Compliance Program problem unless the deficiencies subsequently found by the agency are “substantially the same” as those previously reported to the institution.

3. Suspicious Activity Reporting Requirements

The agencies will cite a violation of the SAR regulations, and will take appropriate supervisory action, if the organization's failure to file a SAR (or SARs) evidences a systemic breakdown in its policies, procedures, or processes to identify and research suspicious activity, involves a pattern or practice of noncompliance with the filing requirement, or represents a significant or egregious situation.

Clear Direction from Regulators

The guidance clarifies the regulators' BSA enforcement policy. If a BSA program does not adequately implement a system of internal controls, it may face the possibility of enforcement action, particularly if:

  • It is accompanied by the aggravating factors mentioned above;
  • It has been previously cited as a problem; or
  • It relates to systemic or widespread flaws in the SAR reporting system.

The need for automation should be viewed in light of the financial institution's ability to meet the requirements of regulators in the most efficient and cost-effective manner.

Enforcement Actions

The other way that financial institutions can learn about expectations regarding BSA/AML compliance is through the use of enforcement actions taken against financial institutions that have been deficient in their compliance. Here are a few examples of recent enforcement actions that demonstrate specific needs for BSA/AML compliance programs.

The enforcement actions have impacted all sizes and types of financial institutions, from large national banks to small credit unions and from international financial institutions to regional banks.

National Bank

Earlier this year, the Federal Reserve and the Financial Crimes Enforcement Network (FinCEN) announced this Civil Money Penalty assessment resulting in the payment of $65 million. Among the major problems was that the institution’s account activity monitoring was not risk focused and was not designed to uncover activity with an elevated potential for money laundering. This resulted in a failure to detect suspicious activity, particularly for accounts with high risk relationships. In addition, a wholly-owned subsidiary failed to file over 1,000 SARs in a timely manner.

This enforcement action illustrates a need for improved customer transaction monitoring, risk scoring customer accounts to determine high risk customers and putting systems in place to ensure that SARs are filed accurately and on time.

Credit Unions

NCUA issued two Cease and Desist Orders in February and June of 2007, respectively. The institutions were ordered to develop a comprehensive BSA risk assessment and then to “develop and maintain a list of high and moderate risk members based on the results of the risk assessment”. In one case the credit union was required to produce the list within 90 days of the date of the order. The account activities for high risk members were required to be reviewed and analyzed monthly and moderate risk members reviewed and analyzed quarterly.

The key deficiency in these cases had to do with lack of Customer Due Diligence (CDD). The regulations require that financial institutions determine the amount of BSA risk for each account. These institutions didn’t have adequate procedures in place to risk rate their member base. In the absence of performing such risk assessments they had no ability to determine members that had a higher risk of money laundering or terrorist financing.

International Bank

This written enforcement agreement with the Federal Reserve and New York State Banking Department from March of 2007 required the financial institution to:

  • Have procedures to ensure that the program has adequate resources, “including sufficient staff levels and systems infrastructure” to implement and maintain an effective AML program;
  • Have procedures to ensure that customer due diligence ratings for existing accounts were periodically assessed and other information obtained following the initial risk rating of the customer; and
  • Install, test and activate “improved transaction monitoring software appropriate for the customer accounts and transactions”.

This case indicates a need for BSA/AML automation due to insufficient staff levels and a need to perform risk rating of the customer base and Customer Due Diligence.

Regional Bank

The FDIC and the Hawaii Division of Financial Institutions issued this Cease and Desist Order in November 2006 requiring the following:

  • A written Customer Due Diligence program;
  • The selection, testing and implementation of an automated suspicious activity monitoring system. The system, at a minimum, needed to analyze large cash transactions, wire transfers, foreign exchange services and cash purchases of monetary instruments.
  • Collection of sufficient Customer Due Diligence information for proper operation of the suspicious activity monitoring system.

This indicates a need for both Customer Due Diligence and improved customer account monitoring to detect suspicious activity.

The Need for BSA Automation

While few of the Cease and Desist Orders and assessments of Civil Money Penalties specifically require the financial institutions to automate their BSA compliance process, the depth of customer transaction monitoring and customer due diligence make it almost impossible to remain compliant in the absence of BSA automation.

Here are some of the areas where automation can make your BSA compliance program more efficient and effective:

Automated Verification and List Checking

Verification of personal information may be achieved in three ways:

  • Positive verification ensures that information provided by an applicant matches information available from trusted third party sources. You can verify a potential customer's identity by comparing the applicant's answers to application questions against information in a trusted database to see if the information supplied by the applicant matches information in the database. Correct answers give you a level of confidence that the applicant is who they say they are.
  • Negative verification ensures that information provided has not previously been associated with fraudulent activity. For example, applicant information can be compared against fraud databases to determine whether any of the information is associated with known incidents of fraud. Lack of a negative match doesn’t mean the situation is not fraudulent, but a match of a name to such a list puts you on notice that there may be further investigation required.
  • Logical verification ensures that information provided is logically consistent (e.g., do the telephone number and street address match). This is very significant, particularly in cases of identity theft since the person attempting the fraud will often provide some correct information on the victim, but will provide false address or phone number information so that the victim will not be contacted.

Each of these three approaches supports a Customer Identification Program (CIP), and a combination of the three presents a very effective tool for financial institutions.

Automated verification has many different aspects:

  • Data Collection – some identifying information on the prospective customer is absolutely required, other information is useful. Having uniform data input is important for verification.
  • Automated Nondocumentary Verification – There are two types of verification: documentary and nondocumentary. Financial institutions are accustomed to seeing drivers’ licenses, passports or other documents. But what about non face-to-face situations? What about a person with no ID or an unfamiliar ID? What if there are questions about whether the ID presented is real? You can use a system with the positive, negative and logical verification described above, either by itself or in addition to documents, for verification.
  • Record Retention – It isn’t a good idea to have ID data in account files. A uniform CIP retention system promotes better information security, better ability to retrieve data, and represents a more organized approach. Some information must be retained for five years after the account is closed, which can represent a very long period of time for some accounts.
  • The OFAC list includes terrorists, money launderers and drug traffickers. In addition to guarding against the possibility of being fined for OFAC violations, a system for detecting such persons represents protection for your institution.
  • Politically exposed persons, or PEPs, are at high risk for using the proceeds of foreign corruption. These are considered very high-risk customers. They are also difficult to detect since there isn’t one specified list, as is the case with OFAC. Automated tools can check a large range of databases to find not only foreign officials, but those persons or entities related to them that pose risk and also meet the definition of PEPs.
  • Finally, the 314(a) list, which is issued every two weeks by FinCEN, is composed of individuals and entities that are under active investigation by law enforcement. You need to be aware of any such customers and their transactions to protect your institution as well as for compliance purposes.

Customer Due Diligence

The theory of Customer Due Diligence is that recognizing suspicious account activity requires knowledge on your part of what is expected and usual for a specific customer account.

Obviously different customers will have different needs and different transaction patterns. Some customers may have occupations or businesses that pose unusual patterns such as seasonal activities. Some have a need for higher risk services, such as cash-intensive businesses, or may be users of wire transfer services or those with foreign activities. You need to recognize those issues and focus on those that represent higher risk.

According to recent enforcement actions, you need a methodology for assigning risk levels to your customer base and a risk focused assessment of your customer base to better know your customers as well as to identify those customers with unusual needs and those representing higher risk. Then you need to focus on understanding and monitoring higher risk customers for suspicious activity.

As mentioned earlier, recent enforcement decisions have also required some institutions to have a means of producing lists of not only their high-risk customers, but their medium risk customers as well. This can be a challenging task.

Standardization in this area is difficult, but automated tools can provide a system tailored to your needs that will enable you to determine the risk associated with each customer account. By understanding what are normal and expected transactions for each customer, you are better able to determine which activities are suspicious and which require more in-depth analysis.

Customer Due Diligence is a recurring area of concern in recent enforcement actions and one that is particularly challenging to those financial institutions that haven’t automated this part of their BSA compliance.

The SAR Investigation and Filing Process

Here is a telling quote from the BSA Examination Manual regarding the requirement to file suspicious activity reports with the government:

“The decision to file a SAR is an inherently subjective judgment. Examiners should focus on whether the bank has an effective SAR decision-making process, not individual SAR decisions. Examiners may review individual SAR decisions as a means to test the effectiveness of the SAR monitoring, reporting, and decision-making process. In those instances where the bank has an established SAR decision-making process, has followed existing policies, procedures, and processes, and has determined not to file a SAR, the bank should not be criticized for the failure to file a SAR unless the failure is significant or accompanied by evidence of bad faith.” – BSA/AML Examination Manual

This acknowledges that the decision of whether to file a SAR or not is an inherently subjective decision. This is something that has always concerned those faced with these difficult decisions – but at least it is recognized as such by the government. Note, however, that the focus is on having an effective process, not on the individual decisions made at your institution.

This relieves some of the pressure over making mistakes and being second guessed, but emphasizes the quality of the SAR decision-making process and the tools that you use for this purpose. Automation of such a process reduces the potential for variance from your established process and gives confidence that you have an established system to rely upon. Your individual decisions are primarily used as a test of the system.

Perhaps the most important language is found at the end of the quote: if you have a good SAR process, only significant or bad faith failures should be subject to criticism. This is important in a regulatory environment in which failure to file SARs can subject financial institutions to large penalties and unwanted negative publicity.

So, how can automating the SAR process help?

  • First, it can help in “connecting the dots”. Frequently suspicious activity is not one event but a pattern of activity that must be recognized. Assembling such information in one place is valuable.
  • It can help by automating case assignment, that is, in getting the case investigation assigned to the appropriate person at your institution.
  • It can help with workflow, making the investigation and decision-making process more uniform and efficient.
  • It can help with deadline control. As you know, there is a fixed regulatory deadline for filing SARs, and untimely filings are frequently cited in enforcement actions. An automated system can flag the cases that get close to the deadline and help in avoiding late filing.
  • It can help with approval – in many places the decision to file or not file a SAR must follow a designated approval process, and automation can ease that process.
  • It can help with policy maintenance – consistency in your approach is a virtue, particularly in light of the emphasis on the effectiveness of the SAR process.
  • In the end, the system will either enable you to file a SAR electronically, if that is the decision, or it will document the reasons why a SAR was not filed in a particular case.
  • You can also use a dashboard-type system so that links to other relevant information, such as imaged checks or other stored documents, can be in a convenient place for reference in the course of investigation.

Conclusion

According to the report SAR by the Numbers produced by FinCEN in June of 2007, there were 162,720 SARs filed by depository institutions in the year 2000. By 2006, that number had ballooned to 567,080 – or about 3 ½ SARs for every one that was filed as recently as 2000!

Obviously, the systems that may have been effective a few years ago should be re-examined to verify that they meet the needs of this changed BSA environment. The additional emphasis in the BSA/AML Examination manual on the quality of systems, as opposed to individual decisions, provides an additional rationale for keeping up with developments in automation.

Finally, some of the enforcement actions mentioned above contain requirements that may not have been considered just a few years ago. Use these enforcement actions as valuable guidance when reviewing the needs of your compliance program and learn from their mistakes.

