Ten years ago, Bank Secrecy Act (BSA)/anti-money laundering (AML) compliance was one of the biggest areas of concern for banks and their regulators. Following September 11 and the heightened regulatory focus on BSA matters, most banks found it necessary to expend significant resources to enhance or even rebuild their BSA/AML programs.
In the past few years, bank regulators have had to focus on other matters, including residential and commercial loan concentrations, adequate capitalization, and even bank failures. Banks also wisely have focused on these matters during these difficult economic times.
It is important, however, that these other matters do not push BSA/AML compliance aside. This article summarizes some of the top BSA-related issues that the Board of Directors of every bank should keep in mind.
Best Practices for the Board
It is easy in difficult financial times for the Board and management to push aside compliance matters, including BSA/AML compliance. Compliance matters can seem less important when one is worried about the bank’s very survival.
Nevertheless, compliance continues to be important. It is critical that the Board stay informed, devote adequate resources to compliance, and set the proper tone for compliance within the organization.
The following are four best practices for Boards of Directors.
1. Require Periodic and Thorough BSA Reports
One of the most important things for the Board to understand about the BSA and AML requirements is that the Board is expected to stay abreast of the institution’s progress and what is working and not working. That means that the Board needs to receive at least annual BSA/AML training, and also needs to receive regular reports on BSA/AML compliance matters from its BSA officer, including on suspicious activity report (SAR) filings and trends.
As a director, be sure to ask any questions you might have and make sure you are really understanding the institution’s full BSA/AML compliance picture. It is important that you are comfortable that these reports are thorough and accurate.
2. Devote Adequate Resources
Banks must dedicate adequate and appropriate resources to BSA/AML compliance. By this we mean all resources – adequate compliance staffing, training, computer and software systems, as well as financial resources generally. This is clearly an expense, but it is part of what all banks must face. In addition, keep in mind that the underlying reason for these laws and corresponding expenses is to protect the institution, and the US financial system generally, from abuse by money launderers, terrorist financiers, and other criminals.
If you encounter compliance weaknesses in examinations, you will find that it costs much more to fix the problem under the tight deadlines imposed by your regulator than it would have cost by addressing the issues before any regulatory criticism, and this is before the possibility of hefty fines.
3. Conduct Appropriate BSA/AML Risk Assessments
Banks are always looking for new and better ways to do business — new technology, new delivery methods, new products and services, and new geographic locations to offer products and services. It is always important to be sure that the bank’s money laundering risk assessment is updated to include all such new products and processes.
Sometimes a bank will find that the BSA/AML-related risks of a new delivery method or product are simply too great. More often, however, the bank will conclude that it simply needs to develop controls and modify its compliance systems to address the changes. If you do not include both pieces — perform a risk assessment and adjust the bank’s processes and systems as necessary to address the risks — you could be creating significant exposure for the bank in the future.
4. Set the Proper Tone
For all compliance matters it is important the Board of Directors clearly convey its expectations that the institution comply with applicable requirements. Regulators often refer to this as establishing a “culture of compliance.” As part of this culture, performance evaluations of all relevant employees should include a BSA/AML compliance component. Those employees who are not taking their training or who otherwise are performing poorly on BSA/AML compliance matters should suffer negative consequences, including with respect to salary, promotion and, for worst cases, even termination.
Some Common Mistakes
One might expect that BSA/AML weaknesses found in banks highly varied and unique to each institutions, but there actually are some clear patterns. Three common failures are summarized below.
1. Failure to Monitor Trends
The money launderers, terrorist financiers and other criminals that the BSA/AML rules are designed to protect against are always devising new ways to beat the system. Banks need to stay on top of those changes so that they are not caught off guard.
In the worst case, you find about the gaps in your system when your examiner discovers them or after your bank is publicly exposed as having facilitated money laundering or terrorist financing. That is not where a bank wants to be.
Every bank should strive to identify (and correct) its potential weaknesses before others do. There are a number of ways to do this. A first step is to conduct internal BSA/AML monitoring on an ongoing basis, in addition to formal periodic independent testing. Such monitoring does not necessarily need to be performed by an independent party, and in fact the BSA officer may be best suited to ensure on an ongoing basis that the bank’s BSA/AML compliance program is functioning properly. It also can be useful to monitor news reports and regulatory notices and guidelines, and to attend BSA conferences and networking events where bankers talk about their experiences. In this way, the institution can learn from others and take the appropriate steps before it is too late.
2. Failure to Assess New Product and Client Risks
There can be a tendency to look at a new line of business or new type of client and decide that the bank must engage in that business or pursue those clients for business reasons, but then to overlook the BSA/AML-related risks involved. This impulse may be particularly strong when it appears that all of your competitors are capturing the business opportunities. All new products, services, and lines of business need a formal risk assessment prior to implementation. This is important not only for BSA/AML reasons, but for all compliance purposes.
The regulators clearly expect each bank to perform risk assessments of their products and services, business lines, geographies and customers in a formal and documented way. This area is a particularly good illustration of the importance of good documentation. It is not enough to do a risk assessment – your records must show that you did it and that you considered appropriate factors. Based on the results of the risk assessment, you must develop and implement appropriate controls related to those products and services, business lines, geographies and customers, as well as perform monitoring that is appropriate given the risks presented.
Bank examiners expect to find a formal, documented risk assessment, and we believe that a well documented and thoughtful risk assessment can facilitate a more thoughtful examination. If your risk assessment or BSA/AML program looks weak or “thin,” the examiners will have to dig deeper. They will be irritated and they will look for things to be wrong. And they usually will find what they want to find.
3. Failure to Monitor System Effectiveness
Sometimes the systems that a bank has set up so carefully do not really do what the bank thinks they are doing. To make a BSA/AML automated monitoring system works, we need to input data and designate parameters for the types and volume (based on quantity and dollar values) of transactions/activity to flag for review. Only then does the review for potentially suspicious activity begin.
Sometimes, however, the systems do not work as intended. The system might be flagging so many transactions that it becomes difficult or impossible for the bank’s BSA team to identify the truly important transactions. Other times it appears at first that the system is working properly but transactions are being missed because of issues with the data fields that are fed into the system or timing of certain transactions.
The only way to identify these weaknesses is through careful audits on an annual or more frequent basis, where the auditor reviews in detail what the bank expects the monitoring system to be doing, and compares it to what is actually being done, culminating in a review of transactions to confirm that the system is flagging the issues that it should be.
BSA compliance, like all compliance efforts, necessarily requires focus, proper resources, and dedication by the institution. This begins and ends with the Board of Directors. Consider the Best Practices and Common Mistakes described above and judge where your institution stands today.