Dusting Off Your Asset/Liability Management Policies

Directors reviewing their bank’s asset/liability management policy in the wake of recent bank failures should avoid merely reacting to the latest crisis.

Managing the balance sheet has come under a microscope since a run on deposits brought down Silicon Valley Bank, the banking subsidiary of SVB Financial Group, and Signature Bank, leading regulators to close the two large institutions. While most community banks do not have the same deposit concentrations that caused these banks to fail, bank boards should ask their own questions about their organization’s asset/liability strategies.

A bank’s asset/liability management policy spells out how it will manage a mismatch between its assets and liabilities that could arise from changing interest rates or liquidity requirements. It essentially provides the bank with guidelines for managing interest rate risk and liquidity risk, and it should be reviewed by the board on an annual basis.

“With both Silicon Valley Bank and Signature Bank, you had business models that were totally different from a regular bank, whether it’s a community bank, or a regional or even a super regional, the composition of their asset portfolios, the composition of their funding sources, were really different,” says Frank “Rusty” Conner, a partner at the law firm Covington & Burling. “Anytime you have a semi-crisis or crisis like we’ve had, you’re going to reassess things.”

Conner identifies three key flaws at play today that mirror the savings and loan crisis of the 1980s and 90s: an over-concentration in certain assets, a mismatch between the maturities of assets and liabilities, and waiting too long to recognize losses.

Those are all lessons that directors should consider when they revisit their bank’s asset/liability management policies and programs, he says.“Is there any vulnerability in our policies that relates to concentration or mismatch, or failing to address losses early?”

In order to do that, directors need to understand their bank’s policies well enough to ask intelligent and challenging questions of the bank’s management. The board may or may not have that particular subject matter expertise on its risk, audit or asset/liability committee, or in general, says Brian Nappi, a managing director with Crowe LLP.

“I don’t think there’s a deficiency in policies per se,” he adds. “It’s the execution.”

Nappi recommends that boards seek to “connect the dots” between their company’s business strategy and how that could fare in a changing interest rate environment.

Conner raises a similar point, questioning why some banks had so much money invested in government securities when the Federal Reserve was telegraphing its intent to eventually raise interest rates.

“That whole issue just looks so clear in hindsight now, and maybe that’s unfair,” he says. “But why is it that we didn’t anticipate that, and are we in a better position today to anticipate similar types of developments in the future?”

Boards could consider bringing in an outside expert to review the asset/liability management policy, says Brandon Koeser, a senior analyst with RSM US. A fresh set of eyes, such as an accounting firm, consultant or even a law firm, can help the board understand if its framework is generally in line with other institutions of its size and whether it’s keeping pace with changes in the broader economy.

“You also want to think about the [asset/liability management] program itself, separate from the policy, and how often you’re actually going through and reviewing to make sure that it’s keeping pace with change,” Koeser adds.

Steps to Take: Revisiting the Asset/Liability Management Policy

  • Establish and understand risk limits.
  • Consider how to handle policy exceptions.
  • Define executive authority for interest rate risk management.
  • Outline reports the board needs to monitor interest rate risk.
  • Establish the frequency for receiving those reports.
  • Evaluate liquidity risk exposure to adverse scenarios.
  • Understand key assumptions in liquidity stress testing models.
  • Review guidelines around the composition of assets and liabilities.
  • Monitor investment activities and performance of securities.
  • Review contingency funding plans.

Directors should also ask management about any liquidity stress testing the bank may be engaging in. Do directors fully understand the key assumptions in the bank’s stress testing models, and do they grasp how those key assumptions could change potential outcomes?

And if executives tell the board that the bank’s balance sheet can withstand a 30% run off of deposits in a short period of time, directors shouldn’t be satisfied with that answer, says Matt Pieniazek, CEO of Darling Consulting Group, a firm that specializes in asset/liability management. The board should press management to understand exactly how bad losses would need to be to break the bank.

“Directors don’t know enough to ask the question sometimes. They’re afraid to show their stress testing breaking the bank,” he says. “They need to have the opposite mindset. You need to understand exactly what it would take to break the bank. What would it take to create a liquidity crisis? How bad would it have to get?”

Sometimes policies tend to be too rigid or not descriptive enough, adds Pieniazek.

“The purpose of policies is not to put straighBtjackets around people,” he says. “If you have to look to policies for guidance, you want to make sure that they have an appropriate amount of flexibility and not too much unnecessary restrictiveness.”

Many banks’ policy limits concerning the use of wholesale funding — such as Federal Home Loan Bank advances and brokered deposits — are too strict and unnecessarily constrained, Pieniazek says. “A lot of them will have limits, but they’re inadequate or the limits are not sufficient, both individually and in the aggregate.”

An example of this might be a policy that stipulates the bank can tap FHLB funding for up to 25% of its assets and the Federal Reserve discount window for up to 15% but restricts the bank from going above 35% in the aggregate.

Along those lines, directors should make sure management can identify all qualifying collateral the bank might use to borrow from the Federal Reserve or FHLB, taking into account collateral that may have been pledged elsewhere. And directors should revisit any overly rigid policies that could tie executives’ arms in a liquidity crunch. A policy stipulating that a bank will sell securities first may prove too inflexible if it means having to sell those securities at a loss, for instance.

A board will also want to understand whether its asset/liability management plan considers the life cycle of a possible bank run. In that kind of scenario, how much would the bank depend upon selling assets in order to meet those liquidity needs? And what’s the plan if some of its securities are underwater when that happens?

While the most recent banking crisis doesn’t necessarily mean bank boards need to overhaul their asset/liability management policies, they should at least review those policies with some key questions and lessons in mind.

“If your regulator comes in, and they see dust on the cover of the ALM policy,” says Koeser, “and they see that the liquidity stress test or scenario analysis aren’t appropriately incorporating shocks or stressors, it could be a difficult conversation to have with your regulator on why there weren’t changes.”

Additional Resources
Bank Director’s Board Structure Guidelines include a resource focused on ALCO Committee Structure. The Online Training Series includes units on managing interest rate risk and model validation. For more about stress testing to incorporate liquidity, read “Bank Failures Reveal Stress Testing Gaps.”

Current Compliance Priorities in Bank Regulatory Exams

Updated examination practices, published guidance and public statements from federal banking agencies can provide insights for banks into where regulators are likely to focus their efforts in coming months. Of particular focus are safety and soundness concerns and consumer protection compliance priorities.

Safety and Soundness Concerns
Although they are familiar topics to most bank leaders, several safety and soundness matters merit particular attention.

  • Bank Secrecy Act/anti-money laundering (BSA/AML) laws. After the Federal Financial Institutions Examination Council updated its BSA/AML examination manual in 2021, recent subsequent enforcement actions issued by regulators clearly indicate that BSA/AML compliance remains a high supervisory priority. Banks should expect continued pressure to modernize their compliance programs to counteract increasingly sophisticated financial crime and money laundering schemes.
  • In November 2021, banking agencies issued new rules requiring prompt reporting of cyberattacks; compliance was required by May 2022. Regulators also continue to press for multifactor authentication for online account access, increased vigilance against ransomware payments and greater attention to risk management in cloud environments.
  • Third-party risk management. The industry recently completed its first cycle of exams after regulators issued new interagency guidance last fall on how banks should conduct due diligence for fintech relationships. This remains a high supervisory priority, given the widespread use of fintechs as technology providers. Final interagency guidance on third-party risk, expected before the end of 2022, likely will ramp up regulatory activities in this area even further.
  • Commercial real estate loan concentrations. In summer 2022, the Federal Deposit Insurance Corp. observed in its “Supervisory Insights” that CRE asset quality remains high, but it cautioned that shifts in demand and the end of pandemic-related assistance could affect the segment’s performance. Executives should anticipate a continued focus on CRE concentrations in coming exams.

In addition to those perennial concerns, several other current priorities are attracting regulatory scrutiny.

  • Crypto and digital assets. The Federal Reserve, the Office of the Comptroller of the Currency, and the FDIC have each issued requirements that banks notify their primary regulator prior to engaging in any crypto and digital asset-related activities. The agencies have also indicated they plan to issue further coordinated guidance on the rapidly emerging crypto and digital asset sector.
  • Climate-related risk. After the Financial Stability Oversight Council identified climate change as an emerging threat to financial stability in October 2021, banking agencies began developing climate-related risk management standards. The OCC and FDIC have issued draft principles for public comment that would initially apply to banks over $100 billion in assets. All agencies have indicated climate financial risk will remain a supervisory priority.
  • Merger review. In response to congressional pressure and a July 2021 presidential executive order, banking agencies are expected to begin reviewing the regulatory framework governing bank mergers soon.

Consumer Protection Compliance Priorities
Banks can expect the Consumer Financial Protection Bureau (CFPB) to sharpen its focus in several high-profile consumer protection areas.

  • Fair lending and unfair, deceptive, or abusive acts and practices (UDAAP). In March 2022, the CFPB updated its UDAAP exam manual and announced supervisory changes that focus on banks’ decision-making in advertising, pricing, and other activities. Expect further scrutiny — and possible complications if fintech partners resist sharing information that might reveal proprietary underwriting and pricing models.
  • Overdraft fees. Recent public statements suggest the CFPB is intensifying its scrutiny of overdraft and other fees, with an eye toward evaluating whether they might be unlawful. Banks should be prepared for additional CFPB statements, initiatives and monitoring in this area.
  • Community Reinvestment Act (CRA) reform. In May 2022, the Fed, FDIC, and OCC announced a proposed update of CRA regulations, with the goal of expanding access to banking services in underserved communities while updating the 1970s-era rules to reflect today’s mobile and online banking models. For its part, the CFPB has proposed new Section 1071 data collection rules for lenders, with the intention of tracking and improving small businesses’ access to credit.
  • Regulation E issues. A recurring issue in recent examinations involves noncompliance with notification and provisional credit requirements when customers dispute credit or debit card transactions. The Electronic Fund Transfer Act and Regulation E rules are detailed and explicit, so banks would be wise to review their disputed transaction practices carefully to avoid inadvertently falling short.

As regulator priorities continue to evolve, boards and executive teams should monitor developments closely in order to stay informed and respond effectively as new issues arise.

5 Things to Know About the New AML Whistleblower Law

Among a bank board of directors’ many obligations is the responsibility to assure the bank complies with Bank Secrecy Act and other anti-money laundering laws and regulations.

This includes providing oversight for senior management and the BSA compliance officer, staying abreast of internal AML developments and reporting within the bank, and considering external market factors and regulatory developments. But even in a regulatory environment where penalties for BSA/AML violations have increased in amount, frequency and reputational importance, some boards are slowly reacting to recent Congressional legislation designed to further incentivize bank employees to blow the whistle on perceived or actual AML lapses. Here are five things bank boards need to know one year after the implementation of the Anti-Money Laundering Act of 2020 (AMLA).

1. Congress uncapped whistleblower awards
Congress enacted the AMLA in January 2021, which significantly revised the existing whistleblower provisions of the BSA and sought to bolster AML enforcement. Prior to the AMLA, the BSA’s whistleblower provisions were sparse and rarely invoked. The prior law allowed whistleblower rewards for information relating to a violation of the BSA, but capped the award amount at $150,000, which contributed to the law being underutilized. The new law removed that cap; now, whistleblowers who voluntarily provide original information to their employer or the departments of Treasury or Justice could collect up to 30% of amounts collected in actions where over $1 million in sanctions are ordered. As the industry knows, 30% of recent fines is substantial. If a whistleblower qualified in connection with the three 2021 actions from the Financial Crimes Enforcement Network, or FinCEN, their awards could have amounted up to $2.4 million, $30 million and $117 million, respectively.

2. Looking to prior precedent.
The new AML whistleblower program is largely modeled on the Securities and Exchange Commission’s successful program established under the Dodd-Frank Act, which may provide a window into the future of AML enforcement. The SEC’s program has been a resounding success over the past 10 years, resulting in more than 52,400 tips as well as $1.2 billion awarded to 238 individuals. According to the SEC’s recent Annual Report to Congress, fiscal year 2021 was a record-breaking year for the program in terms of tips received and amounts awarded to whistleblowers: $564 million was awarded to 108 individuals.

3. Employees can blow the whistle to their managers
Unlike the SEC’s program, a “whistleblower” under the new AML program includes employees who provide information to an employer — including as a part of their job duties — in addition to those who report to Treasury or DOJ. This means employees can blow the whistle if they observe compliance failures, and everyday interactions between management and financial intelligence unit investigators could be deemed whistleblower tips that trigger anti-retaliation protections and a possible award.

4. Tips are already being filed
Even though FinCEN has not issued rules implementing this new whistleblower law, tipsters do not need to wait to file a complaint with their employer or the government. Banks should react accordingly. In fact, it was recently reported that a tip has already been made to FinCEN detailing a wide-ranging money laundering scheme, and one lawyer has reported several inquiries received from internal compliance personnel interested in blowing the whistle. There is also recent precedent that the government does not need to wait until regulations are written to provide awards: In November 2021, the National Highway Traffic Safety Administration announced a $24 million award — its first ever — even though the agency is still writing its rules. In other words, the doors are open to AML whistleblowers now.

Number of SEC Whistleblower Tips

The table below shows the number of whistleblower tips received by the SEC on a yearly basis since the inception of the whistleblower program. (Source: SEC 2021 Annual Report to Congress, Whistleblower Program)

5. Boards should not wait to act
Boards should consider the implications and the expanded legal risk of the AMLA whistleblower law on their existing whistleblower programs. Among other steps that can be taken now, boards should provide oversight to senior management in:

  • Developing enterprise-wide training tailored to specific positions within the bank, including for directors, that covers how to identify a tip for purposes of the new AML law, how to respond to an internal whistleblower and best practices to protect the bank from retaliation lawsuits.
  • Reviewing and updating policies and procedures for internal whistleblowers.
  • Assessing internal reporting structures, including hotlines and other channels.
  • And triaging recent internal tips and conducting reviews of the response, where appropriate.

Five Trends in AML Compliance in 2021

This year has been a significant and active one in the world of anti-money laundering (AML) compliance. Digital payments are taking the world by storm, regulators are cracking down on new types of fraud and the U.S. government has pledged to be more proactive in enforcing AML laws.

Regulators have not been idle, issuing fines to banks around the globe totalling $10.6 billion in 2020. But it hasn’t been enough to deter fraud rates. What can banks expect for AML regulations for the remainder of 2021, and how can they prepare? Here are the main trends in AML compliance of 2021, and their impact on financial institutions.

1. Much-Needed Updates From Anti-Money Laundering Act of 2020
The Anti-Money Laundering Act of 2020 (AMLA) is arguably the most transformative AML law in a generation. AMLA amends the Bank Secrecy Act (BSA) for the first time since 2001 and modernize it for today’s money-laundering and fraud climate. For several years, regulators have focused on modernizing AML compliance programs at banks, encouraging innovation and improving the coordination and transfer of information between financial institutions. AMLA could have a significant impact toward these goals when coupled with regulators’ ongoing efforts.

Financial institutions are now required to have AML officers who can quickly incorporate reports into their transaction monitoring programs. It brings even more pressure for banks to modernize their operations through better technology. AMLA also allows the U.S. to subpoena records related to any account at foreign banks that maintain correspondent accounts in the United States, enabling the regulators and the government to fight money launderers who seek to take advantage of the lack of communication between countries to commit international crimes.

2. Tightening UBO Laws
Under the AMLA, the Financial Crimes Enforcement Network (FinCEN) requires certain companies to file information on the beneficial owner of the reporting company, along with the identity of the person who has applied to form or register the company. This is part of the overarching trend of gathering more information on your customers.

Customer due diligence is now a more complex and lengthy process to gather the right types of information. This goes hand in hand with the Corporate Transparency Act (CTA), which requires financial institutions to verify customer information against FinCEN’s Ultimate Business Owner (UBO) registries. Verifying UBO information can be costly and time-consuming, especially since most countries have not published public ownership registers.

3. Better Software, Better Tech
Regulators around the world are pushing banks to use better software and incorporate emerging technologies. As financial fraudsters get more intelligent with their approaches, the only way for banks to fight back is with technology that matches those capabilities and can adapt to new threats. Compliance teams are increasing in size and expense. The benefit of better software is that many of these processes can become automated, which helps keep costs down.

4. Crypto Regulation
The novelty of virtual currencies allows fraudsters use them to their advantage while escaping regulators’ purview. According to Chainanalysis’ 2021 Crypto Crime Report, 270 cryptocurrency addresses received $1.3 billion in illicit digital coins in 2020.

How is the U.S. approaching the regulation of cryptocurrencies? Several agencies have been involved with the regulation of virtual assets, including the U.S. Securities and Exchange Commission, Commodity Futures Trading Commission and FinCEN. From an AML perspective, the biggest change has been to require cryptocurrency exchanges to complete a Know-Your-Customer (KYC) process for every customer.

5. SAFE Banking Act
The SAFE Banking Act aims to normalize cannabis banking and reduce the risk of liability for banks that offer services or loans to MRBs (marijuana-related businesses). To date, the SAFE Act has not been passed into law, and payment processing remains a confusing space for banks and MRBs alike. Under the administration of President Joseph Biden, however, there is hope that the industry will see a marijuana policy that reduces confusion at the federal level.

What are the overarching trends this year? AML laws are encouraging financial institutions to be more transparent, implement better technology and build more comprehensive customer profiles. Banks that want to be proactive will need to ensure their policies are up-to-date with the new regulations, their infrastructure can integrate more data sources and their KYC processes are automated, while also offering a great customer experience.

How AML Compliance Could Soon Change


AML-9-21-18.pngDespite major changes in compliance obligations starting with the Dodd-Frank Act through the more recent Economic Growth, Regulatory Relief, and Consumer Protection Act, requirements related to anti-money laundering (AML) compliance have remained largely unchanged.

The last major revision of AML compliance requirements was in 2001 with the U.S.A. PATRIOT Act amendments to the Bank Secrecy Act. This era may be coming to an end with the reintroduction earlier this summer of H.R. 6068, Counter Terrorism and Illicit Finance Act (CTIFA), and the convergence of market developments.

Although the reintroduced CTIFA bill removes a prior provision that would have required beneficial ownership information for new corporations to be collected and provided to FinCEN, the revised CTIFA would make a number of other significant changes to AML compliance requirements:

  • Increase the filing thresholds for currency transaction reports from $10,000 to $30,000 and for suspicious activity reports (SARs) from $5,000 to $10,000;
  • Require the Secretary of the Treasury to undertake a formal review of the information reporting requirements in the BSA to ensure the information is “of a high degree of usefulness” to law enforcement, and to propose changes to reduce regulatory burden;
  • Reduce impediments to the sharing of SAR information within a financial group, including with foreign branches, subsidiaries, and affiliates;
  • Create a process for FinCEN to issue no-action letters concerning the application of the BSA or any other AML law to specific conduct, including a statement whether FinCEN has any intention of taking an enforcement action with respect to such conduct;
  • Encourage the use of technological innovations such as artificial intelligence in AML compliance;
  • Establish an 18-month safe harbor from enforcement of FinCEN’s beneficial ownership and customer due diligence rule, which became effective in May 2018; and
  • Commission studies on the effectiveness of current beneficial ownership reporting regimes and cost-benefit analyses of AML requirements.

Although the CTIFA’s prospects for passage are uncertain, several of its provisions track market developments that are already bringing about change. First, innovative technologies such as artificial intelligence and blockchain increasingly are being leveraged for AML compliance solutions.

Artificial intelligence has the potential to transform terabytes of customer information into actionable AML insights including, for example, customizable pre-drafted suspicious activity report templates or customer risk profiles. These risk profiles update in real time in support of the new customer due diligence “pillar” of AML compliance. Blockchain and other distributed ledger technologies may be deployed to create standardized digital identities for customers to expedite and safeguard KYC and authentication processes.

Second, banks already are taking a hard look at their CTR and SAR processes to determine the ratio of meaningful information to noise that has been included in these reports. This augmented reporting will result in a direct benefit to the network of federal government agencies tasked with analyzing reports to find information with a high degree of usefulness in law enforcement investigations.

Third, banks are increasingly providing services to new types of high-risk businesses, such as marijuana-related businesses (“MRBs”) and cryptocurrency companies. FinCEN has for each of these industries been a pioneer in issuing guidance relatively early in the industry’s lifecycle to explain how AML compliance obligations apply, but this guidance requires updating. As just one example, FinCEN’s three-tiered system for filing SARs applies when a bank provides banking services directly to an MRB, but there are less clear SAR filing guidelines when a bank provides services to a customer that provides services to MRBs or owns shares of an MRB.

Banks continue to use FinCEN’s administrative ruling request process or the supervisory process to obtain guidance for high-risk customers, albeit in an ad hoc, non-public way. This request process is less effective than the no-action letter process contemplated in the CTIFA.

The CTIFA, if enacted, would significantly change AML compliances. At the same time, innovation and new business opportunities, among other market developments, are already contributing to AML compliance enhancements. Regardless of whether the legislation passes, the industry appears to be entering an era of change.