Priorities in an Environment with Increased Enforcement of AML Compliance

Federal regulators are cracking down on financial institutions and individuals who fail to comply with Bank Secrecy Act and anti-money laundering regulations. Over the past two years, there has been a sharp increase in both the number of enforcement actions and the severity of penalties. More than 130 enforcement actions, accounting for over $5 billion in monetary penalties, have been brought against financial institutions and individuals for BSA/AML violations since 2002, and 80 percent of those penalties ($4.1 billion) have been levied since 2012, according to a March 2014 report released by NERA Economic Consulting.

Legislation proposed in Congress would reinforce the Bank Secrecy Act (BSA) by promoting individual accountability, broadening government reach and expanding penalties for individuals in the financial services industry, including bank leaders, compliance officers and independent contractors. The bill, “Holding Individuals Accountable and Deterring Money Laundering Act” (H.R. 3317), is designed to strengthen global enforcement of anti-money laundering (AML) legislation.

Even if H.R. 3317 does not become law, the financial services industry appears to be experiencing a trend toward individual accountability.

The Financial Crimes Enforcement Network (FinCEN) recently notified the former compliance chief at MoneyGram International, Inc., that he may face a $5 million fine over widespread BSA/AML compliance failures. FinCEN’s notice clearly reflects the government’s intention to hold individuals accountable for widespread BSA/AML deficiencies.

Proponents of H.R. 3317, including many in the financial industry, say that it would more effectively enforce the BSA by cracking down on money laundering violations by major financial institutions. Opponents fear that the bill’s penalties carry career-ending implications for compliance officers and may limit the interest in top compliance officer positions.

My firm, Kaufman Rossin, recently surveyed Florida bankers and broker-dealers on AML compliance. When asked what effect they believed H.R. 3317 would have on their financial institutions if it were passed, 55 percent of the respondents said they believed the law would have a positive impact. Fewer than five percent of respondents believed the impact would be negative.

Regardless of what happens with the bill, federal regulators’ increased scrutiny and enforcement of BSA/AML compliance is a trend that is expected to continue (102 BBR 743, 4/22/14). Financial institutions should be mindful of the four pillars of a BSA/AML compliance program discussed in the 2010 Federal Financial Institutions Examination Council (FFIEC) Examination Manual and summarized below.

1. Maintain a system of internal controls

A bank’s board of directors is ultimately responsible for ensuring that an effective BSA/AML internal control structure is maintained. Internal controls can include the policies, procedures and processes designed to mitigate risks and comply with regulatory requirements. The level of sophistication of a bank’s internal controls should be commensurate with the size, structure, risks and complexity of the bank.

The FFIEC Examination Manual outlines several guidelines for internal controls as part of a BSA/AML compliance program. For a full listing of those guidelines, please consult the manual. Following are some of those guidelines:

  • Identify banking operations that are more vulnerable to abuse by money launderers, provide for periodic updates to the bank’s risk profile and provide for a compliance program tailored to manage risks.
  • Inform the board of directors and senior management of compliance initiatives, deficiencies and necessary corrective action.
  • Identify a person or persons responsible for BSA/AML compliance.
  • Meet all regulatory recordkeeping and reporting requirements, provide recommendations for AML compliance and update internal programs in response to regulation changes.
  • Implement risk-based customer due-diligence policies and procedures.
  • Provide sufficient controls and monitoring systems for timely detection and reporting of suspicious activity.
  • Identify reportable transactions and accurately file all required reports, including Suspicious Activity Reports and Currency Transaction Reports.
  • Provide a system for program continuity.

Banks should document BSA/AML internal controls related to the bank’s products, services, customers, entities, geographic location and distribution channels.

This process may help a bank identify internal control gaps that could expose the bank to BSA/AML risk. If gaps are identified, internal controls may need to be revised to address any deficiencies.

For example, if a bank adds new products or services or significant customer accounts through acquisition of another financial institution, the bank should consider assessing its current internal control structure to determine if the current structure can withstand the additional products, services and workload that may arise as the bank expands.

2. Designate a BSA compliance officer

The BSA compliance officer, who is typically designated by the board of directors, is charged with managing all aspects of the bank’s AML compliance program and is responsible for monitoring and coordinating day-to-day BSA/AML compliance.

The designated BSA compliance officer should have sufficient authority and resources to administer an effective compliance program based on the bank’s risk assessment and profile. He or she should have knowledge of relevant regulations and a sufficient understanding of the bank’s products, services, customers and geographic locations, as well as potential BSA/AML risks associated with those activities. There should be a line of communication between the BSA compliance officer and the bank’s board of directors and senior management.

3. Train the appropriate personnel

Banks should ensure that the appropriate personnel receive training on applicable aspects of the BSA rules and regulations. This training should be ongoing, should include regulatory requirements and information about the bank’s internal AML policies, procedures and processes and, to the extent possible, should be tailored to job-specific duties. The BSA compliance officer should receive periodic training that is relevant and appropriate given changes to regulatory requirements and the bank’s BSA/AML risk profile.

The board of directors should also receive periodic training to help them understand the BSA/AML regulatory requirements, risks posed to the bank and potential penalties for non-compliance. Without an understanding of the bank’s general BSA/AML regulatory requirements, the board of directors may not be able to effectively provide oversight of the BSA/AML compliance program.

In many cases, weaknesses that are identified in an anti-money laundering compliance program can be tied back to a lack of training in that area. Many enforcement actions that I have seen require enhancements to the BSA/AML training program.

Banks may want to consider including a section on BSA/AML-specific training in the bank’s BSA/AML risk assessment. The bank’s training plan and calendar, training and testing materials, the dates of training sessions, and attendance records should be retained by the bank.

Appropriate BSA/AML training can help bank employees, senior management and directors understand BSA/AML regulatory requirements as well as the bank’s policies, procedures and processes for compliance.

4. Independently test BSA compliance

The BSA/AML compliance program should be tested periodically by an independent party such as the internal audit department, outside auditors, consultants or other qualified independent parties. The timing of the program testing should be commensurate with the AML risk profile of the bank. Many of my clients have their BSA/AML compliance programs tested on at least an annual basis. Testing should be a risk-based evaluation of the effectiveness of the Bank Secrecy Act compliance program.

In Kaufman Rossin’s 2014 AML compliance survey of Florida bankers and broker-dealers, 66 percent of respondents said that their financial institution had a specialized independent BSA/AML testing team. When asked about their confidence that the testing would identify any existing material problems, 92 percent said they were confident in their independent testing program.

Smaller institutions typically don’t have internal audit departments and often outsource independent testing of BSA compliance. However, banks of any size can benefit from expertise that third-party service providers have to offer. Service providers with the right qualifications can offer information and recommendations about best practices from across the industry.

Surviving a Changing Regulatory Environment

In November 2013, I attended the ABA Money Laundering Enforcement Conference where FinCEN Director Jennifer Shasky Calvery emphasized individual and corporate responsibility for BSA/AML compliance. “As director, I feel it is imperative that not only should those who violate the BSA be held accountable, but those who violate the BSA must take responsibility,” she said (101 BBR 850, 11/26/13).

Director Calvery also said FinCEN established a stand-alone Enforcement Division, and “. . . strong enforcement efforts may be needed. Not only do such actions correct the bad behavior of those on the receiving end, they also ensure that financial institutions that have been diligent in their efforts do not lose business to competitors seeking to cut corners with respect to AML.”

H.R. 3317 would empower FinCEN to independently pursue legal action against individuals in BSA/AML cases. Under the bill, individuals deemed to have willfully evaded an institution’s BSA program or controls may be subjected to compensation claw-backs and could also face imprisonment of up to 20 years.

In an environment of increased regulatory enforcement, it is more important than ever for financial institutions to be mindful of the four pillars of BSA/AML compliance. Implementing a strong internal controls system, designating a BSA compliance officer, investing in periodic and ongoing BSA/AML training, and engaging a qualified independent party to conduct periodic independent testing of the BSA/AML compliance program are steps that can help banks properly evaluate and monitor risks and vulnerabilities that could potentially lead to BSA/AML violations. Continued education for board members, senior management, compliance officers and other banking employees is also important in an evolving regulatory landscape.

_____

Jason Chorlins, CPA, CFE, CAMS, CITP, is a risk advisory services manager in Kaufman Rossin’s Miami office. Kaufman Rossin is one of the top accounting firms in the U.S. Jason can be reached at jchorlins@kaufmanrossin.com.


Jason Chorlins, CPA, CFE, CAMS, CITP, is a Risk Advisory Services Principal at Kaufman Rossin, one of the Top 100 CPA and advisory firms in the U.S.