After dealing with it for nearly 40 years, you would think bankers would understand by now how to navigate the Bank Secrecy Act, which requires them to report all suspicious transactions to the government as a way of clamping down on money laundering and other illicit activity. And yet according to results from the American Bankers Association’s 2006 Community Bank Competitiveness Survey, 87% of respondents fingered BSA as the regulation giving them the most griefu00e2u20ac”more even than the Sarbanes-Oxley Act.
However, the finding does not come as a surprise to bank compliance experts. They point to the September 11, 2001 terrorist attacks, the advent of terrorist financing, the increasing complexity of technology-driven schemesu00e2u20ac”and most of all, bank examinersu00e2u20ac”as driving forces behind the increased burden of BSA compliance.
“It’s not so much that the rules have changed,” says Rodney Biehl, vice president of audit and compliance at St. Louis-based Pulaski Bank. “The regulators have intensified the exam process.”
Any community bank guessing that it’s off the hook for closely monitoring its transaction volume under BSA given its small, mostly familiar customer base should guess again. In recent months federal banking regulators have cited a number of small institutions for BSA infractions. In May, they imposed a $600,000 fine on Liberty Bank of New York, a $60 million New York-based institution serving mostly Korean-Americans (since acquired by Wilshire Bancorp Inc. of Los Angeles), for failing to implement controls to detect and report suspicious activity. In April, $6 billion BankAtlantic Bancorp of Fort Lauderdale was slapped with a $10 million fine for similar transgressions. A good half-dozen or so other community banks have also received consent orders in 2006 obliging them to improve their BSA programs.
“It’s zero tolerance,” Biehl says.
In this new era of BSA compliance, there are four minimum requirements, as laid out in the Bank Secrecy Act/Anti-Money Laundering Examination Manual, released in June 2005. Institutions must designate an individual to coordinate compliance, conduct an independent review of the program at least annually, provide BSA training, and implement internal controls to detect, monitor, and report suspicious activity. More often than not, technology is needed to address this last requirement.
In the past, banks could be assured of being mostly in compliance with BSA by reporting transactions of more than $10,000 in the form of currency transaction reports, or CTRs. Now, “that’s the least of your concerns with BSA,” says Sue Burt, senior attorney at Wolters Kluwer Financial Services in Minneapolis, a provider of compliance software. Today’s fraudulent schemes are far more complicated, involving multiple parties, a wide range of delivery channels, and layered activities. Financial terrorist activity, for example, is difficult to detect because it generally consists of low-value, nondescript deposits and withdrawals that go to and from conventional checking and savings accounts.
Institutions should first conduct a risk assessment to help determine just how much automation they need to bring to bear on the problem. For example, offering an extensive array of Internet banking services, such as electronic bill pay, account transfers, and online account opening, increases an institution’s risk, as does having a large number of high-risk entities as customers, such as convenience stores, check cashers, import/export companies, and offshore corporations.
Software to detect suspicious transactions typically covers a range of activities. It generally compares new and existing customers against people identified as having a high potential for money laundering, a list usually supplied by the U.S. Treasury Department’s Office of Foreign Asset Control. It also monitors transactions to identify suspicious activity, generates alerts, and facilitates follow-up research and report filing.
In a May report, Aite Group, a Boston-based research firm, calculated the average cost of an anti-money-laundering system from a low of $125,000 to a high of $1.5 million. At these prices, finding an affordable solution may be a problem for the average community bank. “This is an issue small banks have to contend with,” says Eva Weber, the Aite analyst who authored the report.
A resolution appears to be emerging in the form of core processors that acquire or partner with anti-money-laundering software providers. In February 2005, Metavante Corp., the Milwaukee-based data processor, acquired Prime Associates, a provider of compliance software. “It’s a good opportunity for core processors to approach vendors and get more competitively priced solutions for smaller institutions,” Weber says.
For more than a year, Naples-based Bancshares of Florida Inc. has been using transaction monitoring software provided through its item processing vendor, says John James, an executive vice president and the bank’s director of corporate risk management. Some training was required to make sure employees were effectively watching for deviations, James says. Now the process is routine. “It all becomes part of the overall monitoring of the relationship,” he explains.
The $620 million multibank holding company has taken other steps as well to tackle BSA compliance. About a year ago, it centralized BSA activities in its corporate office and hired a full-time executive to oversee them. This person works with officers in the company’s three subsidiary banks who spend only part of their time on BSA compliance.
Under the centralized approach, the head office develops compliance policies and procedures, which saves the subsidiary banks the trouble of doing so. The board and the appropriate committee at each of the three banks approve the policies. “It’s more efficient that way,” James says.
Another, more recent change has been the formation of a compliance committee in addition to the bank’s audit committee, which was getting overly burdened with increasing regulatory requirements. “Compliance is getting so much scrutiny, we thought we should have a separate area looking at it,” James says.
Pulaski Bank, with $700 million in assets, is considering installing software from a third-party vendor to detect suspicious transactions as part of a possible move to a new core processing system, Biehl says. About a year ago, Pulaski assigned an officer of the bank to spend 85% to 90% of his time on BSA matters, such as reviewing account activity and overseeing the filing of CTRs and suspicious activity reports (SARs). The problem is that typical reports of account activity can be dozens of pages long, so software helps filter out the routine, nonsuspicious transactions. That way, “we could spend more time analyzing the data than reviewing it,” Biehl says.
But Hoi Luk, director of risk management at Bloomington, Minnesota-based RSM McGladrey, a tax and business consulting firm, warns against the notion that software would automatically lessen workloads. “Systems help summarize data, but people still need to look at it,” he says. “A system doesn’t remove the human analysis.” Luk also stresses the need to customize the software to fit the bank’s activity. “Don’t just take it off the shelf.”
In addition to identifying a BSA officer, about a year ago Pulaski formed a BSA management committee that meets monthly to review the work of the BSA officer. The board approved the formation of the management committee, whose purpose was to ensure the independence of the BSA process, and receives copies of its minutes. In addition, the board receives annual reviews of the BSA process. “I think we’ve made them aware BSA is a high priority,” Biehl says.
Pulaski also has placed emphasis on training all its employees on BSA. About a year ago it made online training available, enabling employee access 24 hours a day, seven days a week. Not doing the training is a cause for demerits in employee evaluations, Biehl says.
Richard Riese, director of the ABA center for regulatory compliance, says directors themselves should be willing to accept more BSA training. Directors “ultimately need to approve BSA programs. So it behooves them to get a better understanding and more training in this area than in the past,” he says.
Certainly, there is a lot to learn. One of the basic characteristics of BSA compliance is that judgment calls are part of the process, says Tom Vartanian, a Washington-based partner at the law firm Fried, Frank, Harris, Shriver & Jacobson LLP. A bank could spend hours evaluating a transaction, only to decide not to file an SAR, and later be chastised by regulators for not doing so. “With BSA, it’s a different design everyday,” Vartanian says. “You’re always starting from square one.”
He advises directors to be proactive, given that ultimately they are responsible for BSA compliance programs. “If something happens, don’t put your head in the sand,” Vartanian advises. “Get on it as quickly as possible. Talk to your regulators, and talk to customers to make sure that whatever the problem is, it doesn’t become your problem.”