In the last year, several Bank Secrecy Act or anti-money laundering problems have made headlines involving the large, globally connected banks: HSBC and Standard Chartered are examples. Smaller banks also get hit with fines on such issues as well. New York-based ICS Consulting Partners’ John White and Steven Lewis talked to Bank Director magazine about the current enforcement environment and what bank boards can do to protect their institutions.
What is BSA/AML?
Steven Lewis: It refers to the Bank Secrecy Act of 1970 and related anti-money laundering (AML) laws. They are designed to thwart criminal and terrorist access to the banking system. One of the best ways to cut off crime is to make it difficult to spend the money. The USA Patriot Act of 2001 was one of many laws over the years that have ratcheted up BSA/AML requirements.
Do you think regulators have gotten tougher in enforcing BSA/AML rules?
John White: I think the regulators have expanded their examinations and are drilling deeper into issues. It is no longer enough to know your customer. You have to know your customer’s customer. If the customer is engaged in international trade, for example, who is receiving the goods? They are insisting that banks have adequate management expertise, strong processes (systems) and good internal controls. However, it can be difficult for a community bank to invest the needed resources in BSA/AML personnel and systems. It requires significant effort to maintain the program at a level that will meet regulatory scrutiny. Community banks are held to the same standards as the larger banks and often supplement their resources by contracting with consulting firms to assist in implementing their programs.
What is the role of the board in all of this?
John White: The board must understand the BSA program and risk profile. Board members who have responsibility for directly interacting with BSA compliance management must have a deeper understanding of AML laws. The board must interact with BSA compliance management and determine whether the bank has adequate and sufficient expertise to manage its program. The bank must have a BSA training program for all board members. Board members have been personally fined by regulators for negligence in their oversight of the BSA program. Bank boards cannot defend themselves by claiming they have a broad knowledge base when, in fact, there wasn’t adequate corporate governance over the BSA program.
What are some best practices in terms of operations?
John White: Management must have sound policies and procedures that are approved by the board. Management must prepare a BSA risk assessment to properly understand the underlying risks, use a BSA computer system that is validated on a periodic basis and have adequate resources and a strong internal control system, including a robust training program. The bank’s compliance committee must meet regularly and understand any trends that are occurring. In addition, the committee must ascertain that suspicious activities are recognized and reported on a timely basis. Branch personnel must be well trained in properly scrutinizing new customers, noting whether they are a potential high risk. When appropriate, staff must explain to a customer that his or her profile or transaction type is not acceptable to the bank.
How should you deal with regulators on this?
John White: It is critical that the board has ongoing communication and a good relationship with the regulators. The board should also encourage management to maintain an ongoing dialogue with the regulators and proactively reach out with any questions. The key is to avoid uncertainty. If the regulators are uncomfortable with the BSA/AML program, then good communication can help to rectify the situation. A significant deficiency in this area can result in an enforcement action, which would then require remediation of the issue and subsequent validation. This can be a huge distraction to management, as working through corrective action is very time consuming and costly. A professional rapport with regulators is important as it tends to avoid confrontation and frustration.
Steven Lewis: Also, it’s not enough to say you passed the exam last year. You have to keep up with the changing environment and regulatory expectations. Regulators are raising the bar all the time and they expect you to keep up with it. One of the ways to keep up with increased regulatory expectations is to read and understand other banks’ enforcement actions and take your own preventive measures. In addition, an independent review from a third party to make sure your program is up to par can prove invaluable.