March 2010 - Volume 5, Issue 64
Are Conditions Ripe for a Surge in BSA/AML Enforcement Guidelines?
Reading the Signs and Taking Cover
by Lori Moore, Director of Compliance, ATTUS Technologies Inc.

Complimentary Webinar

Compare and Contrast: Reg E and NACHA Rules

The Electronic Funds Transfer Act, implemented by Regulation E (Reg E), establishes the basic rights, liabilities and responsibilities of consumers who use electronic funds transfer (EFT) services and of the financial institutions that offer these services. It is one of the most complex consumer compliance laws in effect, and the introduction of new payment products has further blurred the lines of applicability and liability. This webinar will clear the confusion as we discuss the requirements set forth under Reg E, and how compliance compares and often conflicts with other legal and contractual obligations such as the Uniform Commercial Code, NACHA Rules and card network rules.

3/25/2010 3:00PM to 4:00PM ET


Sebastian Junger’s 1997 book, The Perfect Storm, is a cautionary, real-life tale of what happens when separate, yet related, events combine to create a perilous problem for those in its wake. In October 1991, three different weather systems, all potentially troublesome on their own, consolidated into one much fiercer and more massive storm that earned it its famous name. After the last two years, it’s understandable that financial institutions would like to breathe a sigh of relief as the credit crisis abates and the economy begins to recover.  Unfortunately, now is not the time to rest. There are several forces at work that have the potential to create a perfect storm of their own, a surge in the number of Bank Secrecy Act (BSA) and Anti-Money Laundering (AML) related enforcement actions (EAs) by federal regulators.

Trouble in the Air
First, the 2008 financial crisis and its aftershocks had the natural effect of focusing regulators’ examination attention squarely on safety and soundness issues over the past eighteen months. It wasn’t that they didn’t address compliance issues, such as BSA and AML, because they did in fact issue a significant number of EAs related to those laws. However, the extent of the crisis and its potential consequences for the entire economy gave them little choice but to make issues like bank capitalization and asset quality their top priority. Now, as the financial industry returns to some sense of normalcy, regulators are well aware of the need to recalibrate their focus on all areas of risk, not just safety and soundness.

Second, if the financial crisis taught regulators anything, it is the importance of identifying, addressing and resolving issues through exam findings before they present serious problems for an individual institution or become an industry-wide phenomenon that threatens all.  As a result, they are adding staff to bolster their ability to prevent a repeat or distinct crisis in the future.  At the same time, examiners themselves have shown over the last year that they are fully capable of and likely to use their authority to issue EAs where they deem appropriate.

Third, criminals, terrorists and others looking to launder money and commit fraud watch the news just like the rest of us.  They are well aware that financial institutions have their hands full trying to 1) stay solvent, 2) assist consumers in modifying mortgages, 3) deal with an unprecedented number of foreclosures and 4) respond to mounting pressure from Congress to rein in bonuses and executive pay.  What better time to slip in the back door than while the people inside are distracted and short on staff themselves?

Each of these forces alone has the potential to cause a rise in BSA and AML related EAs, but together they could result in a historic number for 2010.

Understanding the Danger
In July of 2007, the various federal agencies that regulate financial institutions joined together to clarify their stance on BSA and AML related EAs.  Their interagency statement spells out the authority granted examiners, “The applicable statute provides that if a regulated institution fails to establish and maintain a BSA compliance program or fails to correct a previously identified problem within its BSA compliance program, the appropriate agency shall issue a formal cease and desist order.”

Along with Cease and Desist (C&D) orders, regulators have other types of formal EAs available to them, such as Written Agreements (WAs) and Prompt Corrective Action Directives (PCADs).  All of these EAs require the violating institution to remediate the issue within a specific time period.  In addition, regulators can use another type of formal EA, the Civil Money Penalty (CMP), which can either be the result of an institution’s failure to comply with a previous C&D, WA or PCAD or it can be issued on its own.  Regardless, the violating institution is required to pay a monetary penalty assessed via the CMP by the regulatory agency.  All formal EAs are publicized. 

Examiners can also issue an informal EA in order to bring attention to gaps in an institution’s BSA/AML program. These are not published and therefore are considered less severe. The most common type is the Memorandum of Understanding (MOU). Financial institutions should be wary of falling into the trap of not taking informal EAs seriously. Regulators do not look kindly on institutions that fail to correct a situation originally cited, and the result can be a more damaging formal EA, including a harsh CMP.

Heeding the Storm Warnings
There is significant evidence to suggest that compliance programs that previously passed muster during examinations will face much more scrutiny going forward, thus raising the possibility of an EA.  A recent study conducted by Adam Shapiro and Jeanine Catalano for ABA Bank Compliance and published in the November/December 2009 issue revealed several cautionary trends. During the time studied, January 1, 2008 through June 30, 2009, they found the following:

  • Formal EAs more than tripled from first quarter 2008 to the second quarter 2009 
  • Informal EAs also rose
  • BSA and AML issues accounted for 40% of the compliance related EAs
  • The FDIC issued the most overall EAs, the most compliance related EAs and the most CMPs
  • Unlike the FDIC and FRB, the OCC issued significantly more formal EAs than informal ones
  • CMPs related to prior enforcement actions, as well as standalone CMPs, were on the rise

ATTUS itself studied a group of formal EAs from 2009 and found that the language used by regulators showed their rising level of concern about BSA and AML issues.  Given the forces and trends described above along with the sample consequences below, financial institutions have plenty of forewarning about the coming year.

Example 1: A bank receiving a C&D due to an unsatisfactory BSA and AML compliance program was given only 90 days to “implement all BSA/AML related modules with its existing or new software system.”  This included testing, policy and procedure revisions and complete employee training.   

Example 2:  A bank receiving a C&D because it was deemed to have an ineffective BSA compliance training program for its employees was ordered to develop and implement comprehensive BSA training that included the board and all staff.  It went so far as to require the bank to document employee attendance at training, provide written explanations for absences and notate when the absent employee(s) would be trained.

Example 3:  A bank receiving a C&D was compelled to assess its vulnerability to money laundering and fraud.  In short, they were ordered to perform a BSA risk assessment.

Example 4:  The chairman of the board of a bank was ordered to personally pay a CMP because of multiple BSA violations cited in previous C&Ds that were not resolved.

Charting Your Evacuation Route
Even if you believe your institution has an adequate BSA compliance program, would an examiner agree with you?  If you want to ensure that your institution doesn’t get caught up in the EA whirlwind, now is the time to take an objective look at your compliance program.  Your best bet is to review it with the same set of precepts that an examiner will use. 

  1. Is your BSA compliance program built on a solid foundation?  This includes a board approved and well qualified BSA officer; a comprehensive BSA risk assessment; and a BSA committee that regularly meets and reviews all BSA/AML issues.
  2. Do you have effective BSA policies and procedures?  They should accurately reflect the specifics of your institution, and there should be a process in place for regularly reviewing the program and getting annual approval from your board of directors.
  3. Do you have a comprehensive BSA training program?  It must encompass training for new hires, existing employees and your board of directors, including frequent updates; a curriculum that ensures all employees understand your institution’s current BSA policies and procedures and its specific pertinence to their individual jobs; and, documentation that proves your employees actually reference and use your program.
  4. Does your program meet the BSA’s strict “Know Your Customer” standard?  This means a comprehensive customer due diligence process that provides thorough knowledge of your customer base.  It also includes documentation of the risks posed by your customers.
  5. Do you have an effective process for detecting, monitoring and documenting suspicious activity through Suspicious Activity Reports (SARs)?  This includes documenting all decisions to file or not to file; communication with the board of directors and senior management about all suspicious activity; and fulfilling the narrative “critical” standard for completing SARs, which details the “who, where, when and why” of the situation.
  6. Does your institution make documentation a key element of your program?  Regardless of whether or not you have complied with all BSA and AML requirements, if your institution does not have complete documentation to prove that adherence, it won’t matter.  
  7. Does your institution arrange for an independent audit by a reputable third party?  Coordinating such timely audits allows your institution to proactively deal with weaknesses long before the examiner walks in your door.

There is Safety in Preparedness
BSA and AML play a vital part in protecting the U.S., its economy and its citizens. Given that role, as well as the evidence presented above, it is almost certain that regulators will return their full attention to these critical laws during their examinations in the coming year. Your safest bet to avoid a formal or informal EA is to thoroughly inspect your BSA and AML compliance program. If you had an independent audit conducted within the last year, use its findings and recommendations as your starting point. And if you didn’t conduct such an audit, now is the time to seriously consider one. 


Lori Moore is a Certified Regulatory Compliance Manager. She is currently the director of compliance for ATTUS Technologies Inc., and has more than 25 years of experience in the financial services industry. During her career, she has gained in-depth knowledge and practical experience within all areas of community banking and has served in key positions, including vice president of operations, BSA officer, compliance officer, internal auditor and vice president of risk management. Moore was also designated as the Outstanding Graduate of the Texas Bankers Association Operations School.




© 2010 ATTUS Technologies. All rights reserved.
15800 John J. Delaney Drive, Suite 250, Charlotte, NC 28277.