Compliance Abhors a Vacuum – If the Void Is Filled with Heightened BSA Scrutiny, Would You Be Ready?
While a climate of regulatory relief sweeps across the industry, it is a prudent compliance officer who keeps both feet on the ground and considers what risks such a climate could possibly present. Beyond awareness that regulatory enforcement is cyclical and subject to potentially rapid changes based on external or internal events, there's another, potentially more immediate threat to consider.
Although some areas have been removed from the regulatory playing field by new thresholds, that doesn't mean regulators go away until the pendulum swings the other way. Their regulatory attention will need to flow somewhere. What are the most likely targets?
Near the top of the list of high-value targets would have to be Bank Secrecy Act (BSA) compliance, with increased scrutiny aimed at finding violations that may previously have gone undetected.
For evidence of how high high-value BSA violations can be, one need look no further than two California banks that were handed fines totaling $57 million between them. In 2017, Merchants Bank of Carson, California, was hit with a $7 million civil money penalty for "egregious violations" of anti-money laundering (AML) laws. Then earlier this year, Rabobank, N.A. of Roseville, California was slapped with a $50 million penalty by the Office of the Comptroller of the Treasury (OCC) for issues related to its AML efforts.
If increased BSA scrutiny does begin to fill the regulatory vacuum, a look at where Merchants Bank and Rabobank went wrong can prove a useful exercise to make sure your financial institution stays far away from the lines those two institutions crossed.
Both institutions were called out for deficiencies in their BSA programs. Typically, this is the sort of finding that gets mentioned first in examination reports and press releases but is applied only after the fact, once other specific violations have been identified and the regulator is left to wonder how such things could have occurred unless there were giant holes in the BSA program.
In Rabobank's case, the bank was cited for failure to establish and maintain a compliance program that adequately covers the required BSA/AML elements, as well as failure to develop adequate customer due diligence (CDD) and enhanced due diligence (EDD) processes. In addition, it was cited for failures to investigate questionable activity related to section 314(a) of the USA PATRIOT Act, which requires banks to provide information about customer activities related to law enforcement subpoenas and requests.
For Merchants Bank, regulators found the bank's BSA program lacked a system of internal controls, failed to provide for independent testing for compliance, failed to designate a person responsible for monitoring compliance and failed to provide adequate training for personnel. In other words, out of the four pillars (now, with the inclusion of beneficial ownership rules, five pillars), Merchants struck out on each one.
What led to the biggest failure was Merchants' internal controls. Several bank insiders owned money service businesses (MSBs) that had accounts at Merchants. These insiders reportedly encouraged BSA staff to process transactions without any questions and interfered with any attempts to investigate suspicious activity related to insider-owned accounts.
Merchants was also found to have failed to conduct required due diligence on its foreign correspondent accounts. Under the USA PATRIOT Act, any institution that maintains correspondent accounts in the U.S. for foreign financial institutions is required to subject those accounts to due diligence. Such shortcomings can typically be ascribed to a lack of required policies and procedures. Sound policies and procedures that are in line with the USA PATRIOT Act requirements would ensure that any foreign correspondent account customers receive the appropriate due diligence. Merchants had four banking customers located in high-risk countries but did not identify these customers as foreign correspondent customers. As a result, these four customers sent and received a combined $192 million in high-risk wire transfers that were not included in monthly transactional monitoring. That's a formula for examination pain.
Missed SAR Reporting
An independent consultant reviewed Rabobank’s transaction and account activity between January 2010 and December 2013. The consultant discovered that 472 Suspicious Activity Reports (SARs) had not been filed, and more than $233 million in suspicious activity had not been reported.
At Merchants, examiners found the bank failed to detect and report suspicious activity. BSA regulations are clear about requiring financial institutions to report any transaction of at least $5,000 that the institution “knows, suspects, or has reason to suspect” is suspicious. Regulators charged that, for four years, Merchants Bank failed to monitor billions of dollars of transactions for suspicious activity.
Much of this transaction activity was related to its MSB customers’ activity. For example, one of these customers was a money transmitter in the basement of the MSB owner’s private residence in New York. Despite inquiries from law enforcement and rejected wire transfers from other banks, Merchants determined that the activity was not suspicious and did not file a SAR.
Things Are Never So Bad They Can't Get Worse
One can imagine that when auditors or consultants at Rabobank identified deficiencies, senior officials were none too pleased. However, what happened next, in an effort to minimize damage, ended up making matters so much worse.
OCC examiners requested certain materials that the bank apparently knew would expose its shortcomings. So senior officials made the calculated decision to attempt to deceive the regulators as to the true state of its operations in the hope of avoiding regulatory sanctions.
It didn't work.
The key takeaway from all of this is to take a step back or, better yet, have an independent party with a fresh perspective take a look at the big picture of how your BSA/AML program is organized and what gaps might be identified in an examination setting. Find and fix them before the examiners come knocking. Be transparent with the findings of the internal reviews, then show how your institution took appropriate steps to rectify the matter as part of a healthy BSA program.
What happened at Rabobank and Merchants Bank should be a wake-up call to all financial institutions, even in this era of shifting regulatory scrutiny. Both of these scenarios played out over multi-year timeframes – long enough to accommodate a couple of pendulum swings.
Ken Wolff is President and CEO of AffirmX, LLC, a Frederick, Maryland-based firm that helps financial services institutions reduce compliance and risk management workloads, anxieties and costs through its patented Risk Intel Center platform. Prior to co-founding AffirmX, Ken served as managing partner of Achievence LLC, a management consulting firm in the Washington, DC metro area where he headed up the financial services practice area since 1997.