With the extensive accumulated knowledge contained in the Federal Financial Institution Examination Council ("FFIEC") Bank Secrecy Act / Anti-Money Laundering Manual ("Manual") (and its recent updates), why is it that we are still seeing a number of Cease and Desist Orders (C&D), and record-breaking Civil Monetary Penalties related to BSA / AML?
Banks / Financial Institutions have not taken the time to step back and perform thorough assessments of their compliance process as identified in the manual. These are:
Can you give specific examples of how a Bank's Compliance Program could be enhanced to ensure compliance?
A system of internal controls to ensure ongoing compliance
The Manual states that "...the Board of Directors and management should create a culture of compliance to ensure staff adherence to the bank's BSA/AML policies, procedures, and processes." This is a strong statement about the "tone from the top" for overall compliance. If you look deeper at the issues noted in the C&Ds given, you can tell that the regulators are finding basic internal control structure weaknesses that any Bank, with proper compliance culture, should have in place. For example, it was noted in one of the recent C&Ds that the "violations and failures were the result of a number of factors including, among others, inadequate procedures to ensure the timely reporting of suspicious activity and inadequate collection and analysis of CDD information, including inadequate monitoring of PEPs". These are basic controls that, due only to the lack of a culture of compliance, led to such failures.
Additionally, the current economic pressures are not conducive to a better BSA/AML compliance environment. The pressure to perform financially is coming from all stakeholders. As such, organizations are willing, more than ever, to take riskier customers for as long as they are deemed profitable.
Designate an individual(s) responsible for managing BSA compliance (BSA Compliance Officer)
We are seeing a lot of qualified and knowledgeable individuals serving as BSA Compliance Officers. However, these officers are challenged by a lack of budgetary resources. In some organizations, the Compliance Officer is tasked with other duties such as CFO, COO, Branch Manager or Risk Officer.
In one recent C&D, it was stated that the violations and failures were "the result of inadequate staffing and procedures in the alert investigations unit that resulted in a significant backlog of alerts and the closure of alerts based on ineffective review".
Training for appropriate personnel
I recently received a question from a small financial institution about whether a new staff member, whose primary responsibilities were regarding back office operations (without customer contact and mostly involving clerical work, including "shredding documents") should be trained in BSA. My answer was an emphatic yes!
In small organizations, individual staff members tend to hold multiple responsibilities. Even shredding documents can reveal a fraudulent activity that requires reporting. The bottom line for training is: personnel should be trained in all applicable aspects of the BSA.
Training should additionally be provided whenever there are changes in policies and procedures, especially in the Bank's monitoring system. For example, as most monitoring systems are now fully integrated with the Bank's core banking, the proper data set-up and entry of transaction codes are essential in capturing correct information.
Independent testing of BSA/AML compliance
As stated by the Manual, independent testing (audit) should be conducted by the Internal Audit Department, outside auditors, consultants, or other qualified independent parties. I would like to emphasize a key word: qualified. This means that the auditor must have the necessary knowledge and experience needed to conduct an effective review to identify areas of weakness, or areas requiring enhancements of internal control. Furthermore, the auditor should be proactive in identifying potential weaknesses. P&G encourages clients to look at, review and ensure that OFAC systems are in place regarding the potential of concatenated words (i.e., three words joined together).
Another critical area that should be covered in the independent testing is the assessment of the integrity and accuracy of the Bank's system to monitor suspicious activity. This should include assessment of the effectiveness of the alerts that are generated to ensure that they do not create "noise" that can drown out real cases.
The financial and reputational risks of non-compliance are higher now than ever before. It is imperative that Banks continuously assess their BSA / AML program to ensure strict adherence to compliance standards.
Director of Internal Audit
Philip Gonzalez, Director, has over 40 years of experience in the financial services industry, holding a wide variety of executive and senior management experience at community banks and financial institutions.