Changes in Store for the Anti-Money Laundering Framework

The anti-money laundering framework hasn’t seen any meaningful revisions in the decades since the passage of the 2001 USA Patriot Act, but that’s about to change.

Revisions to the U.S. anti-money laundering framework could roll out as early as next year, following the passage of major modernization bills in 2021 that are intended to align the AML regime to better match the capabilities that criminal actors employ.

The Anti-Money Laundering Act of 2020, sometimes shortened to AMLA, and the Corporate Transparency Act both passed in January 2021 as part of the National Defense Authorization Act. These pieces of legislation are an attempt to comprehensively modernize the government’s regulatory infrastructure when it comes to combatting money laundering, terrorism financing and other financial crimes, says Bradley Wallace, director of compliance at bank technology provider CSI.

The acts will spur the creation of roughly 40 rules or mandates for various actors, Wallace says, most of them coming from or impacting FinCEN, the financial intelligence unit of the U.S. Department of the Treasury.

The updates acknowledge that the AML framework needed to be more efficient in combatting money laundering, while still responding to new challenges and threats, says Rhonda Thomas-Whitley, SVP and senior regulatory counsel for the Independent Community Bankers of America. It remains to be seen what these rules or requirements will look like and how they will impact banks’ reporting requirements.

One change that is already in the works is a beneficial ownership database, which fulfills a component of the Corporate Transparency Act. Next year, companies in the U.S. will need to report their beneficial ownership information to FinCEN directly in addition to reporting the information to their financial institutions.

ICBA advocated for the government to collect and verify this information at the time of account opening and to share collected information with banks to avoid duplicative efforts, explains Thomas-Whitley. She notes that financial institutions are still required to separately collect this information as part of their customer due diligence.

ICBA has also raised concerns with FinCEN’s proposed form for business use and that community banks may be obligated to furnish missing information to FinCEN to help fulfill these obligations of the Corporate Transparency Act, Thomas-Whitley said.

It is difficult to overstate how much change has happened in banking since 2001, when the USA PATRIOT Act passed: Digital channels and innovation have created opportunities for banks to reach new customers. New channels create vulnerabilities for criminals to exploit. FinCEN intends to issue a notice of proposed rulemaking pursuant to the AML Act of 2020 that incorporates a risk assessment requirement for financial institutions. Although currently not required, most community banks do conduct risk assessments. As they continue to evolve from a technology, capability, business line or products perspective, they should continue to think about conducting risk assessments to ensure their AML programs respond to those changes in the meantime, Thomas-Whitley says.

But even without a mandate, Wallace sees one potential outcome of the act being more banks using technology to break down information silos to better monitor and connect customer behavior. Adopting modern technology to update AML compliance should help banks with two important tasks: monitoring and interrupting fraud and complying with anti-money laundering rules. The digitization of the banking industry, coupled with the pandemic’s shift away from physical spaces, accelerated fraudulent behavior. Holly Sais Phillippi, CEO of fraud and AML solutions provider Alessa, says criminals may have laundered some fraudulently obtained money as they moved it around.

“The main impact on banks is going to be a shift on focus from simple reporting requirements … to a holistic, rich risk management process system within the bank,” Wallace says. “It’s going to be identifying, sharing, managing and reporting. Banks need to review and grow their risk management program in relation to the acts and all of the subsequent FinCEN rules that will come down.”

Overview of the AML Act of 2020, Corporate Transparency Act:

  • Mandates beneficial ownership disclosure and transparency requirements.
  • Creates a beneficial ownership database that reporting entities, including banks, can use.
  • Mandates changes to the regulatory frameworks for anti-money laundering and combatting the financing of terrorism (CFT).
  • Promotes public and private partnership and engagement opportunities and introduces new staff and programs for AML expertise.
  • Promotes international cooperation on financial crime matters, while protecting U.S. financial intelligence.
  • Strengthens enforcement tools to deter money laundering and other financial crimes.
  • Invigorates BSA whistleblower provisions.
  • Expands BSA’s regulatory scope to include businesses like service centers for valuable substitutes of currency, such as cryptocurrency and digital assets.

Source: Bradley Wallace, CSI

The High Cost of the Suspicious Activity Report

Bank boards know all too well about the reputational toll and hefty fines from lapses in regulatory compliance. But governance usually doesn’t tend to drill down into specific practice areas and their finer-grained costs.

An ounce of prevention, though less expensive than the proverbial cure, still runs pretty high in Bank Secrecy Act and anti-money laundering (BSA/AML) compliance programs. Directors might want to ask for a more-detailed picture from their bank’s AML team at the next board meeting. Not just to follow up on the damage-control response to the FinCEN Files media spectacle, but also in terms of profit and loss and team morale issues.

Suspicious activity reports (SARs) can get very expensive. We conservatively estimate that about $180 million in annual BSA/AML analyst salaries in the U.S. goes just to preparing the SAR form. But there’s also a huge opportunity to do better for society.

What are SARs? Some might say they are a headache-inducing form that demands a whole lot of painstaking and tedious detail, and then never quite fulfills its ultimate purpose of stopping criminals. Unfortunately, there’s a lot of truth to that description. What should — and could — SARs be?

  • An essential tool for fighting crime.
  • An effective communication channel for AML collaboration.
  • An invaluable resource for law enforcement to identify, track, and prosecute criminals.

At the risk of overstating the obvious, not every “suspicious” activity leads to criminal activity. Though banks do have the power to block the flow of funds, financial crime regulators (in the U.S., that’s the Financial Crimes Enforcement Network, or FinCEN) and jurisdictional law enforcement (such as district attorneys) hold the authority to go after the criminals. A bank’s primary responsibility in AML is to provide relevant information from the financial vantage point.

The level of detail can make all the difference in the usefulness of these reports. A complete and accurate SAR, filed with ample, highly relevant information, provides texture and nuance for regulators to make strong decisions about which cases deserve the attention of law enforcement. Prosecutors can then use information from SARs to build criminal cases. A future with somewhat fewer illicit arms sales or much less human trafficking could hinge on a few form fields.

The status quo for most bank AML compliance programs entails a substantial amount of manual inputs. Lacking automation, providing more high quality detail in SARs demands more time. U.S. financial institutions filed 2.3 million SARs in 2019. An AML analyst can command, on average, an annual salary of $75,000. These figures, plus some other industry-specific estimates and general human resources conventions, fed into my calculation above for the total annual SARs tab for U.S. financial institutions. And that $180 million figure doesn’t even account for the nine out of 10 investigations that don’t lead to a SAR filing — yet typically do result in more monitoring.

Manual processes, even with the best intentions of highly skilled AML teams, are inherently prone to human error. I also suspect these professionals would rather focus on the aspects of their work that demand the subtle discernment of human judgement. Some of the lowest-hanging fruit for using technology in AML investigations include automation that can:

  • Populate the SAR form with case information.
  • Organize case data from fragmented sources across the bank and vendors.
  • Visualize trends in the case to spot strange behaviors.
  • Quickly separate false positives from true positives.
  • Capture the insights of investigators as structured data, creating clean data that can be used for analytics and machine learning.
  • Validate and quickly transmit the SAR to expedite information flow.
  • Securely store the case information for future analytics and audits.
  • Keep casework across the team thorough and efficient.

Investigating and reporting suspicious financial activity is both an enormous expense for banks and a systemically important resource for protecting society. It’s worth investing in automation technology that will make a bank’s BSA/AML compliance program more efficient and effective.

How a specific bank might move forward in leveraging compliance automation technology will vary on a wide range of factors. Adopting this sort of technology isn’t an all-or-nothing proposition. A careful analysis of a bank’s AML practice area can identify minor changes that are likely to have an outsize impact in the fight against crime.

FinCEN Files Underline BSA/AML System Mess

On its face, BuzzFeed’s reporting package on the details of 2,100 leaked suspicious activity reports (SARs) it obtained seems bad for many of the big banks mentioned. The articles take institutions to task for processing “trillions of dollars of suspicious transactions despite their own staff’s warnings that they might be related to crime.”

But the biggest scandal from the leaks may not be what it says about big banks — the biggest scandal is what it reveals about the anti-money laundering system at large. The leaks aptly demonstrate the system’s immense flaws.

These would hardly be news to bankers, who have known and complained about the system for years. They are on the cusp of winning reforms that, while not fixing the system as a whole, could lessen the burden on banks to report customers’ beneficial owners.

But the deeper issue is that the system encourages the proliferation of anti-money laundering filings, often without regard to whether they are truly related to any criminal activity.

The “FinCEN Files” are in part built on the premise that when a bank files a suspicious activity report, it truly believes that the transaction is related to financial crime or terrorism. BuzzFeed says the system “contains a crucial loophole” — although banks are required to alert the Financial Crimes Enforcement Network via a SAR, they are not obligated “to halt the suspicious activity or stop serving shadowy clients.”

But as the story later acknowledges and any banker can tell you, filing a SAR doesn’t necessarily mean the bank thinks there’s criminal activity going on. Banks are actively encouraged to file SARs for anything that seems even potentially fishy. The consequences of not filing a SAR can be severe, including extra scrutiny from regulators, an enforcement order or steep fines. Bank officers have been fired for failing to file SARs on activity that later turned out to be criminal.

The result? Banks have filed defensively for well over a decade. It’s so bad that at one point, a former FinCEN director used to tell a story about how a bank had filed a SAR because an employee’s bacon was stolen from the office fridge.

Predictably, this means banks and credit unions file a tremendous amount of SARs. There were some 839,000 filed by depository institutions in 2014. That rose to 1.1 million by 2019, a 32% jump. Does anyone think that all those SARs represent real criminal activity? Requiring banks to stop processing all those transactions wouldn’t close a loophole, it would violate due process. In many cases, banks are even told by law enforcement agencies to continue to process suspicious transactions. Such “keep open” letters are a way for law enforcement to continue to track potential criminals.

The “FinCEN Files” do make a great point when it says “the majority of these reports … are never even read, much less investigated.” We’ve built an entire money laundering system around the annual filing of millions of SARs and currency transaction reports (CTRs), the vast majority of which will never be seen by a human being.

If you listen to the way law enforcement agencies tell it, this is a feature, not a bug, of the system. Those agencies want banks to file SARs and CTRs because it creates a virtual warehouse of financial information they can use to track down leads. The more data they have, the better.

This approach assumes there is no cost for banks to do all of this, when the cost is in excess of $25 billion annually, according to some estimates. If banks weren’t spending a huge chunk of resources and time chasing down every potential dodgy transaction, they probably could be using it on other activities, like lending in their communities.

This approach would be acceptable if the current system actually worked, but it’s not clear it does. The amount of money laundered each year is roughly 2% to 5% of global GDP, or between $800 billion to $2 trillion, according to the United Nations Office on Drugs and Crime. Some estimates say law enforcement catches less than 1% of that.

Privately, many banking officials will tell you the vast majority of financial crimes are still going undetected. While the current system is great at catching unsophisticated criminals, the ones who know what they’re doing can find elaborate ways around the system.

Don’t get me wrong. If a bank is knowingly facilitating criminal activity — as has happened in the past and some of these 2,100 SARs show — they should be punished to the fullest extent of the law. But the biggest takeaway of this story is that our system is inefficient, costly and — worst of all — does not seem to work very well.

FinCEN Files: What Community Banks Should Know

Big banks processed transactions on the behalf of Ponzi schemes, businesses accused of money laundering and a family of an individual for whom Interpol had issued a notice for his arrest — all while diligently filing suspicious activity reports, or SARs.

That’s the findings from a cache of 2,000 leaked SARs filed by banks such as JPMorgan Chase & Co, Bank of America Corp., Citibank and American Express Co. to the U.S. Treasury Department’s Financial Crimes Enforcement Network, or FinCEN. These files, which media outlets dubbed the “FinCEN Files,” encompassed more than $2 trillion in transactions between 1999 and 2017.

Community banks, which are also required to file SARs as part of Bank Secrecy Act/anti-money laundering laws, may think they are exempt from the scrutiny and revelations applied to the biggest banks in the FinCEN Files. Not so. Bank Director spoke with two attorneys that work with banks on BSA/AML issues for what community banks should take away from the FinCEN Files.

Greater Curiosity
Community banks should exercise curiosity about transaction trends in their own SARs that may add up to a red flag — whether that’s transaction history, circumstances and similarities to other cases that proved nefarious. Banks should ask themselves if these SARs contain details that indicated the bank should’ve done something more, such as not complete the transaction.

“That is probably the biggest go-forward lesson for banks: Make sure that your policies and procedures are such that — when someone is looking at this in hindsight and evaluating whether you should have done something more — you can demonstrate that you had the proper policies and procedures in place to identify when something more needed to be done,” says James Stevens, a partner at Troutman Pepper.

Although it may be obvious, Stevens says banks should be “vigilantly evaluating” transactions not just for whether they merit a SAR, but whether they should be completed at all.

Size Doesn’t Matter
When it comes to BSA/AML risk profiles and capabilities, Stevens says size doesn’t matter. Technology has leveled the playing field for many banks, allowing smaller banks to license and access the capabilities that were once the domain of larger banks. It doesn’t make a difference in a bank’s risk profile; customers are its biggest determinant of a bank’s BSA/AML risk. Higher-risk customers, whether through business line or geography, will pose more risk for a bank, no matter its size.

But banks should know they may always be caught in between serving customers and regulatory activity. Carleton Goss, counsel at Hunton Andrews Kurth, points out that changing state laws mean some financial institutions can serve cannabis businesses that are legal in the state but still need to file SARs at the federal level. Banks may even find themselves being asked by law enforcement agencies to keep a suspicious account open to facilitate greater monitoring and reporting.

“There’s definitely a tension between serving customers and preventing criminal activity,” he says. “You don’t always know the extent of the activities that you’ve reported — the way the SAR reporting obligation is worded, you don’t even have to be definitively sure that a crime has occurred.”

“Front Page of the Newspaper” Test
Reporting in recent years continues to cast a spotlight on BSA/AML laws. Before the FinCEN Files, there was the 2016 Panama Papers. Stevens says that while banks have assumed that SARs would remain confidential and posed only legal or compliance risk, they should still be sensitive to the potential reputational risks of doing business with certain customers — even if the transactions they complete for them are technically compliant with existing law.

Like everything else we do, you have to be prepared for it to be on the front page of the newspaper,” he says.

Media reports mean that regulatory pressure and public outrage could continue to build, which could heighten regulatory expectations.

“Whenever you see a large event like the FinCEN files, there tends to be pressure on the regulators to ‘up their game’ to avoid giving people the perception that they were somehow asleep at the wheel or missed something,” Goss says. “It would be fair for the industry to expect a little bit more scrutiny than they otherwise would on their next BSA exam.”

How And Where Blockchain Fits in Traditional Banking


blockchain-12-26-18.pngMany banks haven’t found an efficient way to deal with issues like payment clearing inefficiencies, consumer fraud, and the general limitations of fiat currencies.

Blockchain, however, may be the go-to solution for many of these challenges.

Issues Traditional Banks Face Today
Traditional banks and financial institutions have faced some challenges for decades, but we have yet to see the technical innovations to mitigate or eliminate them, including inefficient payment clearing processes, fraud and currency options.

Inefficient Payment Clearing Processes
One of the biggest roadblocks that banks face today is how to quickly clear payments while complying with regulatory procedures. The number of payment clearing options available in 2018, is not different from the options available in 2008 – a decade ago.

In the U.S., for example, same-day ACH is likely considered to be the biggest improvement during this decade. Only in recent years have cross-border fintech applications emerged that reduce payment clearing costs and wait times. For the most part, we are still stuck with old architectures that lack innovation, efficiency and the data to make a meaningful impact on money laundering and fraud reduction.

Inability to Stop Fraud
Fraud has always been notoriously difficult to stop. Unfortunately, this remains the case even today. Fraud costs are so high in the US, that interchange fees paid by merchants are some of the highest in the world. Despite an increase of available identity fraud detection systems, banks are still unable to make a material improvement in fraud reduction.

For banks, this leads to financial losses in cases where funds are paid to the fraud victim. For customers, this can reduce trust in the bank. For merchants, it means higher fees for facilities, which creates higher costs for customers. Additionally, customers often wait to receive a new bank card. In 2017 alone, the cost the data lost to identity theft totaled $16.8 billion.

Limited Number of Currency Options
Fiat currencies are limited by geography and slim competition.

When we think about fiat currency around the globe, we have seen a steady move towards standardization. This presents risks for banks and consumers. For example, a heavy reliance upon a single national currency relies upon factors like economic growth and monetary policy.

Twenty-eight nations have experienced hyperinflation during the past 25 years. Not only did banks fail in some cases, but entire economies collapsed. Because there were no currency choices, the problem could not be easily avoided.

This process continues to happen in many locations globally.

Benefits of Blockchain Over Traditional Systems
There are ways blockchain can reduce or eliminate these issues for financial institutions.

More Efficient Approval Systems
When compared to traditional payment approval processes, many blockchains are already more efficient. Instead of waiting days for payments to go through clearinghouses, a well-designed blockchain can complete the verification process in minutes or seconds. More importantly, blockchain also offers a more transparent and immutable option.

With innovations like KYC (Know Your Customer) and KYT (Know Your Transaction) transactions conducted via blockchain, banks can be more capable of preventing finance-related crimes. This means traditional finance can more effectively comply with laws for AML (Anti-Money Laundering), ATF and more.

In addition, legitimate transactions can be approved at a lower cost.

No More Fraud
While fraud seems like a pervasive issue in society, this can be reduced using technology. Blockchain can change how people prove identity and access services.

Instead of having to wait to stop a case of fraud, blockchain can stop transactions before they ever occur. The Ivy Network will have smart contracts which will allow banks and financial institutions to review a transaction and supporting KYC and KYT before accepting the deposit. Because blockchain transactions are immutable, we could see a reduction in counterfeiting of paper currency and consumer products.

Increased Digital Payment Options
While blockchain has many use cases, this is one example of how technology can change finance and the global economy. In the early days of cryptocurrency, there was really only bitcoin. Now, there is a range of coins and tokens like Ivy that serve important purposes within existing regulatory and legislative frameworks.

One of the biggest misconceptions is crypto and fiat payment systems have to be direct competitors. By creating a blockchain protocol that links fiat and cryptocurrency, businesses and consumers can have more, better market choices and use cases for cryptocurrency.

At the same time, financial institutions can serve an important role in the future of digital payments and fiat-crypto currency conversions.

As financial institutions look to solve many challenges they face around payment clearing inefficiencies, consumer fraud, and the limitations of fiat currencies, blockchain is a viable solution. Financial institutions that fail to embrace blockchain’s potential will face heightened monetary and reputational risks, and miss opportunities for growth and innovation.

Regulatory Issues to Watch In 2018


regulation-5-22-18.pngAs 2018 unfolds, all eyes in the financial services industry continue to look to Washington,D.C. In addition to monitoring legislative moves toward regulatory reform and leadership changes at federal regulatory agencies, bank executives also are looking for indications of expected areas of regulatory focus in the near term.

Regulatory Relief and Leadership Changes
Both the U.S. House of Representatives and the Senate began 2018 with a renewed focus on regulatory reform, which includes rollbacks of some of the more controversial provisions of the Dodd-Frank Wall Street Reform and Consumer Protection Act, the sweeping reform passed after the 2008 financial crisis. These legislative actions are ongoing, and the final outcomes remain uncertain. Moreover, even after a final bill is signed, regulatory agencies will need time to incorporate the results into their supervisory efforts and exam processes.

Meanwhile, the federal financial institution regulatory agencies are adjusting to recent leadership changes. The Federal Reserve (Fed), Office of the Comptroller of the Currency (OCC), Federal Deposit Insurance Corporation (FDIC), National Credit Union Administration (NCUA), and Consumer Financial Protection Bureau (CFPB) have new leaders in place or forthcoming, some of whom have been vocal supporters of a more “common sense” approach to financial regulation and who generally are supportive of regulatory relief. In the case of the CFPB, the ultimate direction of the agency could remain uncertain until a permanent director is appointed later in 2018.

Regulators’ Priorities in 2018
Notwithstanding the regulatory reform efforts, following are some areas likely to draw the most intense scrutiny from regulatory agencies during 2018 examination cycles:

Credit-related issues. While asset quality continues to be generally sound industrywide, concerns over deteriorating underwriting standards and credit concentrations continue to attract significant regulatory attention, accounting for the largest share of matters requiring attention (MRAs) and matters requiring board attention (MRBAs).

The federal banking regulators have encouraged banks in recent months to maintain sound credit standards within risk tolerances, understand the potential credit risks that might be exposed if the economy weakens, and generally strengthen their credit risk management systems by incorporating forward-looking risk indicators and establishing a sound governance framework. At the portfolio level, regulators are particularly alert to high concentrations in commercial real estate, commercial and industrial, agriculture, and auto loans, according to the FDIC.

Information technology and cybersecurity risk. The Federal Financial Institutions Examination Council (FFIEC) updated its Cybersecurity Assessment Tool in May 2017. Although its use is voluntary, federal and state banking regulators typically consider a bank’s use of the FFIEC tool or some other recognized assessment or framework as part of their assessment of an organization’s cybersecurity risk management, controls, and resilience.

On a broader scale, in February 2018, the Department of Justice announced a new cybersecurity task force. Although the task force is not directed specifically at the financial services industry, its first report, expected to be released this summer, could provide useful insight into the scope of the task force’s activities and potential guidance into what types of regulatory actions and controls to expect in the coming years.

Bank Secrecy Act and anti-money laundering (BSA/AML) compliance. The industry has seen a steady increase in enforcement actions—some of which have included severe sanctions— when regulators perceived banks had pared back resources in this area too severely. Compliance with Office of Foreign Assets Controls (OFAC) requirements and efforts to prevent terrorist financing are also continuing to draw regulatory scrutiny.

Consumer lending practices. Regulatory priorities in this area are likely to remain somewhat fluid given the leadership changes occurring at the CFPB, where a permanent director is to be appointed by September. Additionally, legislative efforts that could affect the structure and authority of the bureau also are underway.

Third-party and vendor risk management. It has been nearly five years since the OCC released OCC Bulletin 2013-29, which expanded the scope of banks’ third-party risk management responsibilities and established the expectation for a formal, enterprise-wide third-party risk management effort. Since then, regulatory agencies have issued several follow-up publications, such as OCC Bulletin 2017-7, which spells out supplemental exam procedures. Also in 2017, the FDIC’s Office of Inspector General issued a report with guidance regarding third-party contract terms, business continuity planning, and incident response provisions, and the Fed published an article, “The Importance of Third-Party Vendor Risk Management Programs,” which includes a useful overview of third-party risk issues.

Despite the industry’s hopes for regulatory relief in some areas, all financial services organizations should continue to focus on maintaining sound risk management policies and practices that reflect today’s environment of continuing change and growing competitive pressures.

RegTech: A New Name for an Old Friend


regtech-3-20-18.pngWith all of the buzz around regtech, it’s easy to forget that banks have leveraged technology for compliance and reporting for decades. But thanks to recent developments in data architecture, artificial intelligence and more, regtech is on the rise, and it’s evolving into something a lot more sophisticated.

The definition of regtech is simple. According to New-York-based analytics firm CB Insights, regtech is “technology that addresses regulatory challenges and facilitates the delivery of compliance requirements.” Regtech can be as simple as using an Excel spreadsheet for financial reporting or as complex as using adaptive algorithms to monitor markets. By studying the evolution of regtech, banks can begin to decipher which technologies are aspirational and which ones are crucial to navigating today’s demanding regulatory regime.

Regtech has and is evolving in three key phases, according to the CFA Institute Research Foundation, a nonprofit research group in Charlottesville, Virginia. The first phase was focused on quantifying and monitoring credit and market risks. A powerful illustration of the forces driving this initial phase can be seen in the Basel II accord, which was published in 2004. Basel II focused on three pillars: minimum capital requirements, supervisory review by regulators and disclosure requirements meant to enhance market discipline.

Despite the enhanced regulatory requirements of Basel II, the global financial crisis of 2008 exposed serious deficiencies in capital requirements that spurred the second and current phase of regtech’s evolution. New anti-money laundering (AML) and Know Your Customer (KYC) laws have drastically increased compliance costs. According to Medici, a financial media company, financial institutions spend more than $70 billion annually on compliance. In addition, increased fines for banks, new capital requirements and stress testing have resulted in a heavily burdened banking system. With increased regulatory requirements, we have seen a corresponding increase in technology solutions poised to meet them. The following are a few key areas banks should explore:

  • Modeling and Forecasting: Even if your bank is not subject to the Dodd-Frank Act Stress Test (DFAST) or Comprehensive Capital Analysis and Review (CCAR), it should still be able to leverage modeling and forecasting tools to manage liquidity, meet CECL (current expected credit loss) accounting standards and monitor important trends.
  • KYC/AML: Regulatory requirements that require your financial institution to “know your customer” when you onboard them often rely heavily on paper-based processes and duplicative tasks. In addition, the Bank Secrecy Act requires banks to perform intense transaction monitoring to help prevent fraud. Both of these obligations can be curtailed through the use of technology, and solutions are available to digitize client onboarding and use AI to monitor transactions.
  • Monitoring Regulations: Rules and regulations are being promulgated and revised at a rapid pace. Instead of hiring a cadre of attorneys to keep up, banks can use regtech to monitor requirements and recommend actions to keep the bank in compliance.

Banking is, by necessity, a risk-averse industry. As such, taking a leap with companies that will touch bank data, gather information from back-office software or deploy AI can seem like a scary proposition. Some regtech providers on the marketplace today are new, but some were forged through the fires of the financial crisis, and others are time-tested vendors that have been around for decades. Whether a regtech partner is established or emerging, banks can (and should) hedge their bets by communicating with their regulators and forming a plan to monitor the new technology.

The CFA Institute Research Foundation posits that we are on the precipice of phase three in the evolution of regtech. This future state will be marked by a need for regulators to develop a means of processing the large amounts of data that regtech solutions generate. In addition, regtech has the potential to enable real-time monitoring. Both advancements will require a rethinking of the regulatory framework, and more openness between banks and regulators.

Despite the portmanteau (which is usually reserved for new or unfamiliar concepts), regtech is an old friend to the banking industry. Its future may hold the keys to a new conceptualization of what oversight means. For now, though, regtech represents an opportunity for banks to leverage technology for what it was intended to do: Save humans time, labor and money.

New Anti-Money Laundering Rules Will Impact Banks


anti-money-laundering-6-8-16.pngFueled by the leak of the Panama Papers, the Financial Crimes Enforcement Network (FinCEN) has published a final regulation requiring banks to identify beneficial owners of their legal entity customers. Heralding the new regulation as a critical step in its effort to prevent criminals from using companies to hide their identity and launder criminal proceeds, the Treasury Department, buttressed by new Justice Department initiatives, is amplifying the momentum building within the anti-money laundering (AML) enforcement community to achieve unprecedented transparency across the corporate spectrum.

What the Regulation Does
In writing the regulation, FinCEN has built upon the customer due diligence mandated by existing Customer Identification Program (CIP) regulations, adding a provision requiring banks to identify and verify natural persons who are beneficial owners of legal entity customers together with one individual who has significant management responsibility. To give adequate time for retooling of CIP programs, compliance with the final regulation becomes mandatory by May 11, 2018. Once in force, it will apply to all new accounts, but will only apply to existing accounts when the bank detects information relevant to reevaluating a customer’s risk profile.

FinCEN defines “legal entity customer” to mean a corporation, LLC, or other entity created by filing a public document with the secretary of state or similar office. General partnerships and other entities formed under foreign laws are also covered, but most trusts are excluded.

The regulation permits, but does not require, the use of an official Certification Form. Information must be provided to the best knowledge of the person opening an account. A bank may rely on the information supplied by its legal entity customer so long as it knows no facts causing it to question its reliability.

Beneficial ownership is measured by an “ownership prong” requiring identification of individuals owning 25 percent equity in the legal entity customer and a “control prong” requiring identification of a single individual having significant management responsibility. FinCEN makes clear that only the identity—not the status—of beneficial owners must be verified, and verification procedures should address elements in a bank’s CIP. Updating of beneficial ownership information would be triggered only if normal monitoring detects heightened risk in the profile or activities of a legal entity customer.

Even More Regulations May Be Coming Down the Pike
Treasury also proposes to issue regulations targeting U.S.-based, foreign-owned, single-member limited liability companies, to require taxpayer identification numbers and eliminate exemption from U.S. reporting requirements.

Treasury also has asked Congress to pass legislation requiring a company to disclose owner names at the time it is formed. If enacted, the legislation would enable the capture of critical information when a company commences business and would give U.S. enforcement authorities access to a central registry of beneficial ownership data. Treasury officials have not indicated whether the registry would be made available to banks. Treasury is also recommending legislation requiring U.S. banks to provide foreign jurisdictions with the same information that foreign banks must provide to the IRS.

Aligning itself with Treasury, the Justice Department also is proposing legislation to combat illegal proceeds of transnational corruption. If enacted, the legislation would allow prosecutors to pursue cases directly against corrupt foreign regimes, authorize administrative subpoenas and expand substantive corruption offenses.

How to Prepare
Even though mandatory compliance with the beneficial ownership regulation is two years away, the board should have compliance personnel begin the process of amending their bank’s CIP to satisfy the requirements of the new regulation, paying particular attention to the account opening process.

With regard to account opening, banks should:

  • Determine whether and to what extent the CIP already captures beneficial ownership information.
  • Develop beneficial owner identity verification procedures for legal entity customers that meet the new regulatory definition, and determine to what extent existing CIP verification procedures should be incorporated.

With regard to account maintenance, banks should:

  • Establish criteria and “red flags” that will trigger beneficial ownership reviews and updates of legal entity customers.
  • Identify legal entity customers that meet the new regulatory definition so that the institution will be able to act when triggering events occur.
  • Consider the need, despite no regulatory requirement, for conducting standardized periodic updates of beneficial ownership information.

With two powerful agencies combining to tighten risk-based controls on money laundering and foreign corruption, it is clear that banks will need to devote increased resources to AML compliance. Board members must remain mindful that the functional regulators will continue to require the global enterprise to maintain safety and soundness by appropriately managing risk and minimizing susceptibility to illegal financial activity.

 

Do You Need an Anti-Money Laundering Dashboard?


1-9-15-Crowe.pngAnti-money laundering (AML) has been a focus of regulatory and enforcement activities for several years, and, with heightened concerns about the financing of terrorist organizations like Islamic State group, AML likely will continue to be the subject of close scrutiny. Merely establishing an AML program is not nearly enough—banks also must verify that their programs are operating effectively and efficiently. AML analytics dashboards can help bank directors and compliance officers do just that, acting as an early warning system when a program isn’t operating at desired levels.

An AML analytics dashboard is rapidly becoming a necessary tool for bank directors and compliance officers to take a proactive stance toward changes to their institutions’ AML risks and AML system and model performance. Banks can use AML analytics dashboards to improve the agility, efficiency and effectiveness of their AML programs and reduce the risk of fines and other government actions. In particular, dashboards can help banks to accomplish the following critical compliance activities.

  1. Monitor for and Raise Alerts About Risk Profile Changes
    A bank’s AML risks change in response to new regulations as well as to changes in customer base, product and service offerings, and money launderer and terrorist group behaviors. With the rapid pace of such changes, it’s no longer sufficient to examine an AML monitoring system annually—bank directors and compliance officers need the ability to view their AML risks on an ongoing basis.

    An AML analytics dashboard provides bank executives up-to-date information on the bank’s current risks in a format that is easy to digest and further analyze. By continually monitoring the firm’s AML risk indicators, executives can proactively alert management when an indicator reflects a significant change to a component of the bank’s risk profile. The dashboard then allows directors and compliance officers to examine the details of the change so they can determine what triggered it and take appropriate action to mitigate any increased AML risks. For example, an AML analytics dashboard can raise an alert if the number of customer wires to or from high-risk countries increases by a predetermined percentage within a certain period of time.

  2. Monitor AML System Performance
    Banks typically have multiple systems for AML monitoring and compliance, including transaction monitoring systems, customer due diligence and risk scoring systems, and sanctions screening systems. These systems sometimes fail due to technical issues or human errors. In addition, these systems must be periodically tuned and optimized to maintain their effectiveness.

    An AML analytics dashboard can monitor the health and performance indicators of these systems and alert bank directors and compliance managers when potential issues are identified. For example, a spike in suspicious activity alerts produced by a transaction monitoring system could indicate a system issue or an increase in money laundering activity. An AML analytics dashboard also can monitor and send notification about issues related to use of the system and compliance workflows—for example, if suspicious activity reports are not being filed in a timely fashion.

  3. Perform “What-If” Analyses for Changes to Systems, Programs, and Models
    When performing an optimization exercise on an AML system, or implementing a new system or monitoring rule, bank directors and compliance officers must know the cost implications in advance. An AML analytics dashboard allows management to examine the implications of implementing specific system configuration changes and to perform “what-if” analyses. This is particularly valuable when conducting model tuning exercises. For example, compliance managers can evaluate in real time the staffing impact of setting a threshold for an AML monitoring rule to a particular value as compared with an alternative value.
  4. Demonstrate AML Compliance and System Effectiveness
    AML monitoring systems and models must be validated and audited on a regular basis. Regulators will conduct periodic examinations to confirm that the AML systems have been properly configured and optimized to execute the bank’s AML processes. An AML analytics dashboard can be used as part of a conversation with auditors and regulators to demonstrate how the bank’s AML models, systems, and processes are performing in real time. It also can be used to demonstrate effective oversight of the bank’s AML models.

Act Now
Implementing an AML analytics dashboard can prove time-consuming, so banks without a dashboard should start gathering the requirements now so they can reap the benefits as soon as possible. Regulators likely will begin to expect banks to have these systems in place in the relatively near future, and bank directors who want to stay ahead of the curve will make implementation a priority.

Safeguarding Your Institution’s Anti-Money Laundering Compliance Program


12-5-14-Covington.jpgThe Financial Crimes Enforcement Network (FinCEN) earlier this year issued an advisory, FinCEN Bulletin 2014-A007, “Advisory to U.S. Financial Institutions on Promoting a Culture of Compliance,” stressing the need for financial institutions to have a strong culture of anti-money laundering (AML) compliance. A financial institution without such a culture, FinCEN asserts, is likely to have shortcomings in its Bank Secrecy Act/AML compliance program.

FinCEN’s advisory is just one of the latest governmental developments that places tremendous pressure on a bank’s board of directors to focus on AML compliance. The advisory attributes a strong compliance culture to, among other factors, the board of directors’ active support and understanding of the bank’s AML compliance efforts.

The need for a bank’s board of directors to be involved with AML compliance has been emphasized repeatedly in the past year. Recent enforcement actions against all types of banks, from multinational banking organizations to small community banks, have required boards of directors to play a prominent role in understanding and ultimately executing the enforcement action. Many actions have imposed remedial requirements on the board of directors itself to strengthen board oversight of the bank’s AML compliance program.

However, significant fines, compliance costs, and reputational damage from an enforcement action are not the only risks from a deficient AML compliance program. The federal banking agencies have delayed approval of several mergers, acquisitions, and other corporate transactions due to deficiencies in one of the parties’ AML compliance program. If a federal banking agency withholds its approval for a corporate transaction due to AML compliance, the closing for the transaction can be substantially delayed, thereby having the potential to make public in a highly visible fashion the compliance deficiencies as well as any remedial measures being taken by the bank.

All of these reasons demonstrate the importance of AML compliance to a bank and the imperative that the board of directors plays a significant role in overseeing the AML compliance program.

An effective AML compliance program requires significant resources and consists of several key components. The federal banking agencies’ enforcement actions and guidance have emphasized the following components:

  • Tone at the top—FinCEN Bulletin 2014-A007 stresses the need for a culture of compliance, and this culture starts with a clear expression from the bank’s board of directors that the bank does not engage in money laundering and terrorist financing and will not tolerate deficiencies in its compliance program.
  • Risk assessment—The cornerstone of an AML compliance program is a detailed risk assessment that identifies and measures the various areas of AML risk at the bank. The risk assessment provides insight into the areas of potential exposure to the bank, prioritizes ways to reduce risk within the compliance program, and enables the board of directors to track over time areas of risk and senior management’s implementation of internal controls to reduce risk. An AML risk assessment should be sufficiently detailed, updated periodically, and accessible to functions and business units in the bank with responsibility for AML compliance.
  • Monitoring and reporting—Day-to-day AML compliance requires extensive monitoring of transactions for suspicious activity and compliance with reporting obligations. Aside from compliance with these legal requirements, however, daily monitoring and internal reporting help ensure that bank employees not only react appropriately to overtly suspicious activity but also proactively identify circumstances that, although not facially suspicious, warrant further review.
  • Independent review—An AML compliance program is required to contain a mechanism for an independent review of the program. Independent review is an essential check on the program and those employees who are responsible for its administration.
  • Training—AML training for employees has evolved substantially from its earliest forms as a single presentation made available to all employees on a company intranet page. Training can be customized to the business line or function, include frequent team updates to pass along information quickly and directly, and culminate with a mandatory test that employees must successfully pass.

Boards of directors should have confidence that senior management has taken the necessary steps to implement an effective AML compliance program that includes these components. The potential consequences for AML compliance deficiencies are simply too severe and far-reaching for a board of directors to be passive and not actively engaged with the program.