Recent trends in Bank Secrecy Act/Anti-Money Laundering (BSA/AML) enforcement demonstrate how important it is for a bank to maintain a BSA/AML compliance program that’s commensurate with its risk. In a January 2018 report, the Congressional Research Service (CRS) observed that, in recent years, the frequency and size of penalties for BSA/AML violations have increased. At the same time, the risk of individual liability (of bank officers and directors, for example) for those violations also has grown.
To help detect and deter money laundering and terrorist financing, the BSA and related regulations require banks to develop and implement a comprehensive BSA/AML program. To maintain an effective compliance program, your bank needs to take steps including:
- Appointing a BSA compliance officer,
- Setting up a written customer-identification program (CIP), which, under rules that recently took effect, must include procedures for identifying and verifying the identity of beneficial owners of legal entity customers,
- Generating a system for monitoring transactions for suspicious activity and filing suspicious activity reports (SARs) when appropriate,
- Implementing procedures for filing currency transaction reports (CTRs) for cash transactions exceeding $10,000, for related transactions exceeding $10,000 in the aggregate and for transactions that have been structured to avoid reporting,
- Putting procedures in place for comparing your customer database and certain transactions against lists of known or suspected terrorists or terrorist organizations maintained by the Office of Foreign Assets Control (OFAC),
- Having a process for responding to Financial Crimes Enforcement Network (FinCEN) requests for information about persons suspected of involvement in terrorism or money laundering,
- Creating an ongoing employee training program. The extent and intensity of the training should vary according to the responsibilities of the employee,
- Setting up independent compliance testing,
- Ensuring you have a system of internal controls designed to ensure ongoing compliance with the BSA, and,
- Complying with the new CDD Rule.
Federal regulators expect banks to take a risk-based approach to BSA/AML compliance — that is, a bank should tailor its policies, procedures, processes and controls to its specific risk profile. (See “Risk matters.”)
According to studies cited by the CRS, penalties for BSA/AML violations have been increasingly frequent: From 2012 to 2015, nearly 90% of enforcement actions involved monetary penalties, compared to less than 50% from 2002 through 2011. Penalties have also grown in size, both in absolute terms and as a percentage of capital. Nearly one-third of the penalties assessed in recent years topped 10% of an institution’s capital.
In addition, on December 17, 2018, FINRA announced that it had issued parallel fines against UBS Financial Services Inc. totaling $14.5 million for willful failures to comply with the Bank Secrecy Act. The U.S. Department of Justice also announced a criminal charge and a $400,000 fine two days later against Central States Capital Markets, LLC for willful BSA violations. The charge against CSCM represents the first criminal BSA charge ever brought against a U.S. broker-dealer. Finally, on December 26, 2018, FINRA announced a $10 million fine against Morgan Stanley Smith Barney LLC for AML program and supervisory failures. Also, in October 2018 Capital One CMP was fined $100 million for BSA/AML deficiencies, and in March 2018 Aegis Capital was assessed $1.3 million for SAR filing failures.
One notable example is HSBC, which was assessed a $665 million penalty and forfeited approximately $1.2 billion in 2012 related to its failure to maintain an effective AML program and to conduct appropriate due diligence on foreign correspondent account holders. In another noteworthy example, in 2014, JPMorgan Chase was hit with more than $800 million in penalties and forfeited $1.7 billion for its role in the Madoff Ponzi scheme.
Also in 2014, MoneyGram’s chief compliance officer was assessed a $1 million penalty in his individual capacity for willful violations of the BSA program requirements as well as failure to file SARs on a timely basis to report fraudulent telemarketing operations and other schemes.
According to the FDIC (one of several federal agencies that conduct BSA/AML examinations), the most common compliance deficiencies involve failure to meet reporting (CTRs and SARs) and information-sharing obligations, and failure to maintain adequate internal controls. In a recent publication (“The Bank Secrecy Act: A Supervisory Update,” Supervisory Insights, Summer 2017), the FDIC offered guidance on how banks can prevent these deficiencies. Often, it’s possible to prevent the most commonly cited violations by maintaining effective internal control structures. For example, to prevent information sharing deficiencies, a bank should designate a person or persons responsible for information sharing and establish policies, procedures, and processes for conducting, documenting, and reporting on information sharing request searches.
Further, to prevent SAR deficiencies, a bank should ensure its staff is properly trained; implement systems to monitor, identify, research and report unusual activity; and maintain effective, documented decision-making processes regarding whether to file SARs.
The FDIC notes that technical violations, such as failure to file timely CTRs, don’t necessarily warrant criticism of a bank’s BSA/AML program. But they may be red flags signaling more significant deficiencies, such as problems with internal controls or training.
It’s impossible to design and implement an effective BSA/AML compliance program without first assessing your bank’s money-laundering and terrorist-financing risk. Examiners will determine whether your program is adequate through the lens of your bank’s particular risk profile.
To understand your bank’s BSA/AML compliance obligations, the first step is to conduct a risk assessment. Examiners expect your bank to develop policies, procedures, processes and controls that are adequate in light of your bank’s size, location, customer base, and mix of products and services.
For example, a bank with a significant percentage of high-risk customers (such as nonresident aliens or money service businesses) or transactions (such as international wire transfers) might need more rigorous account-opening or transaction-verification procedures — or more sophisticated technology. But for a community bank with fewer risky customers and activities, less stringent measures may suffice.
In evaluating your bank’s compliance program, it’s important to understand that your BSA/AML obligations are based on the bank’s risks, not its resources. For example, in a recent enforcement action against USB, the bank was assessed more than $500 million in penalties for willfully failing to maintain an adequate AML program and file SARs. Among its many deficiencies, the bank capped the number of alerts generated by its transaction-monitoring system based on staffing levels and resources, rather than transaction risk level.
Compliance and regulatory issues regarding Bank Secrecy Act/Anti-Money Laundering activities for banks can be complex. If you would like to benefit from our expertise in these areas or if you have further questions on this Advisory, do not hesitate to contact Heidy Duarte at: email@example.com (786) 477-5443.