All financial institutions are subject to the Bank Secrecy Act, the primary anti-money laundering law in the U.S., but compliance programs vary widely depending on a particular bank’s size and complexity. Boards in particular are responsible for overseeing their bank’s BSA/AML compliance program and ensuring a culture of compliance throughout the organization, says Ashley Farrell, director in the risk advisory practice at Baker Tilly. And weak compliance can have serious implications for a bank.
Regulators have worked on a variety of anti-redlining proposals in recent months, including a joint initiative by the Department of Justice, the Consumer Financial Protection Bureau, and the Office of the Comptroller of the Currency.
These proposals come in tandem with recent initiatives from the Securities and Exchange Commission to increase the emphasis on ESG factors, a set of non-financial environmental, social and governance factors that publicly filed companies can use to identify material risks and growth opportunities.
Though anti-redlining legislation initially came into law when Congress enacted the Community Reinvestment Act in 1977, it has recently seen a refocus in the Combatting Redlining Initiative led by the DOJ Civil Rights Division’s Housing and Civil Enforcement Section. During Acting Comptroller Michael Hsu’s initial unveiling of this initiative, he highlighted the importance of providing “fair and equitable access to credit — to everyone” in order to build wealth among minority and underrepresented groups. He emphasized that modern redlining, as compared to its 20th century predecessor, is “often more subtle, harder to detect, and resource-intensive to find.”
Initial reactions to the initiative expected it to focus on the redlining seen in the Trustmark Corp. settlement, where the Jackson, Mississippi-based bank discriminated against Black and Hispanic neighborhoods by “deliberately not marketing, offering, or originating home loans to consumers in majority Black and Hispanic neighborhoods in the Memphis metropolitan area,” according to the CFPB. The $17.6 billion bank settled for a $5 million penalty.
But in recent weeks, though a final rule is not yet in place, the acting comptroller made it clear the focus is not only on direct discrimination, but also on indirect discrimination through climate redlining. Climate redlining occurs when certain minority communities are subject to heightened climate change risks based on where they are located; those heightened risks pose a disproportionate impact on minority groups.
Though official rules have yet to be proposed related to the policies, banks can take the following actions in preparation:
1. Review any neutral algorithms used in the lending process. Redlining is not always overt; it may be a byproduct of algorithms that appear neutral on the surface but disproportionately target minority communities based on targeting certain income brackets, risk factors or the demographic compensation of the surrounding area. Bankers should make time to carefully review the factors being input into their institution’s algorithms and consider whether those factors might create inadvertent bias.
2. Review any policies related to geographic filtering. Minority groups are disproportionately impacted by the effects of climate change; this disparate impact is expected to grow as the frequency of climate events increases. Rising water, more frequent fires and extreme weather events are all examples of events some banks might choose to geographically exclude in order to keep lending risk portfolios low. But by filtering out these events and impacts, banks may be inadvertently redlining. Banks should take the time to carefully examine any exclusions they make based on geography or weather history in preparation of any final rules, and compare them to demographic information on the bank’s lending practices.
3. Review branch locations. One of the reasons regulators found Trustmark to have engaged in redlining practices was its lack of branch locations in majority Black and Hispanic communities. This meant that not only were those residents not able to receive banking services, they also were not being marketed to when it came to potential lending opportunities. Banks should review the footprints of their branches relative to the demographics in the cities in which they are located to determine whether they are over- or under-represented in certain demographics.
4. Public bank holding companies should review ESG factors. With both proxy season and annual filing season upon publicly traded companies, now is a good time for publicly traded bank holding companies to evaluate their current treatment of environmental, social and governance risks. If a bank identifies that it may be inadvertently engaging in redlining, the affiliated bank holding company should carefully think through potential disclosures.
Among a bank board of directors’ many obligations is the responsibility to assure the bank complies with Bank Secrecy Act and other anti-money laundering laws and regulations.
This includes providing oversight for senior management and the BSA compliance officer, staying abreast of internal AML developments and reporting within the bank, and considering external market factors and regulatory developments. But even in a regulatory environment where penalties for BSA/AML violations have increased in amount, frequency and reputational importance, some boards are slowly reacting to recent Congressional legislation designed to further incentivize bank employees to blow the whistle on perceived or actual AML lapses. Here are five things bank boards need to know one year after the implementation of the Anti-Money Laundering Act of 2020 (AMLA).
1. Congress uncapped whistleblower awards
Congress enacted the AMLA in January 2021, which significantly revised the existing whistleblower provisions of the BSA and sought to bolster AML enforcement. Prior to the AMLA, the BSA’s whistleblower provisions were sparse and rarely invoked. The prior law allowed whistleblower rewards for information relating to a violation of the BSA, but capped the award amount at $150,000, which contributed to the law being underutilized. The new law removed that cap; now, whistleblowers who voluntarily provide original information to their employer or the departments of Treasury or Justice could collect up to 30% of amounts collected in actions where over $1 million in sanctions are ordered. As the industry knows, 30% of recent fines is substantial. If a whistleblower qualified in connection with the three 2021 actions from the Financial Crimes Enforcement Network, or FinCEN, their awards could have amounted up to $2.4 million, $30 million and $117 million, respectively.
2. Looking to prior precedent.
The new AML whistleblower program is largely modeled on the Securities and Exchange Commission’s successful program established under the Dodd-Frank Act, which may provide a window into the future of AML enforcement. The SEC’s program has been a resounding success over the past 10 years, resulting in more than 52,400 tips as well as $1.2 billion awarded to 238 individuals. According to the SEC’s recent Annual Report to Congress, fiscal year 2021 was a record-breaking year for the program in terms of tips received and amounts awarded to whistleblowers: $564 million was awarded to 108 individuals.
3. Employees can blow the whistle to their managers
Unlike the SEC’s program, a “whistleblower” under the new AML program includes employees who provide information to an employer — including as a part of their job duties — in addition to those who report to Treasury or DOJ. This means employees can blow the whistle if they observe compliance failures, and everyday interactions between management and financial intelligence unit investigators could be deemed whistleblower tips that trigger anti-retaliation protections and a possible award.
4. Tips are already being filed
Even though FinCEN has not issued rules implementing this new whistleblower law, tipsters do not need to wait to file a complaint with their employer or the government. Banks should react accordingly. In fact, it was recently reported that a tip has already been made to FinCEN detailing a wide-ranging money laundering scheme, and one lawyer has reported several inquiries received from internal compliance personnel interested in blowing the whistle. There is also recent precedent that the government does not need to wait until regulations are written to provide awards: In November 2021, the National Highway Traffic Safety Administration announced a $24 million award — its first ever — even though the agency is still writing its rules. In other words, the doors are open to AML whistleblowers now.
Number of SEC Whistleblower Tips
5. Boards should not wait to act
Boards should consider the implications and the expanded legal risk of the AMLA whistleblower law on their existing whistleblower programs. Among other steps that can be taken now, boards should provide oversight to senior management in:
Developing enterprise-wide training tailored to specific positions within the bank, including for directors, that covers how to identify a tip for purposes of the new AML law, how to respond to an internal whistleblower and best practices to protect the bank from retaliation lawsuits.
Reviewing and updating policies and procedures for internal whistleblowers.
Assessing internal reporting structures, including hotlines and other channels.
And triaging recent internal tips and conducting reviews of the response, where appropriate.
This year has been a significant and active one in the world of anti-money laundering (AML) compliance. Digital payments are taking the world by storm, regulators are cracking down on new types of fraud and the U.S. government has pledged to be more proactive in enforcing AML laws.
Regulators have not been idle, issuing fines to banks around the globe totalling $10.6 billion in 2020. But it hasn’t been enough to deter fraud rates. What can banks expect for AML regulations for the remainder of 2021, and how can they prepare? Here are the main trends in AML compliance of 2021, and their impact on financial institutions.
1. Much-Needed Updates From Anti-Money Laundering Act of 2020 The Anti-Money Laundering Act of 2020 (AMLA) is arguably the most transformative AML law in a generation. AMLA amends the Bank Secrecy Act (BSA) for the first time since 2001 and modernize it for today’s money-laundering and fraud climate. For several years, regulators have focused on modernizing AML compliance programs at banks, encouraging innovation and improving the coordination and transfer of information between financial institutions. AMLA could have a significant impact toward these goals when coupled with regulators’ ongoing efforts.
Financial institutions are now required to have AML officers who can quickly incorporate reports into their transaction monitoring programs. It brings even more pressure for banks to modernize their operations through better technology. AMLA also allows the U.S. to subpoena records related to any account at foreign banks that maintain correspondent accounts in the United States, enabling the regulators and the government to fight money launderers who seek to take advantage of the lack of communication between countries to commit international crimes.
2. Tightening UBO Laws
Under the AMLA, the Financial Crimes Enforcement Network (FinCEN) requires certain companies to file information on the beneficial owner of the reporting company, along with the identity of the person who has applied to form or register the company. This is part of the overarching trend of gathering more information on your customers.
Customer due diligence is now a more complex and lengthy process to gather the right types of information. This goes hand in hand with the Corporate Transparency Act (CTA), which requires financial institutions to verify customer information against FinCEN’s Ultimate Business Owner (UBO) registries. Verifying UBO information can be costly and time-consuming, especially since most countries have not published public ownership registers.
3. Better Software, Better Tech Regulators around the world are pushing banks to use better software and incorporate emerging technologies. As financial fraudsters get more intelligent with their approaches, the only way for banks to fight back is with technology that matches those capabilities and can adapt to new threats. Compliance teams are increasing in size and expense. The benefit of better software is that many of these processes can become automated, which helps keep costs down.
4. Crypto Regulation The novelty of virtual currencies allows fraudsters use them to their advantage while escaping regulators’ purview. According to Chainanalysis’ 2021 Crypto Crime Report, 270 cryptocurrency addresses received $1.3 billion in illicit digital coins in 2020.
How is the U.S. approaching the regulation of cryptocurrencies? Several agencies have been involved with the regulation of virtual assets, including the U.S. Securities and Exchange Commission, Commodity Futures Trading Commission and FinCEN. From an AML perspective, the biggest change has been to require cryptocurrency exchanges to complete a Know-Your-Customer (KYC) process for every customer.
5. SAFE Banking Act The SAFE Banking Act aims to normalize cannabis banking and reduce the risk of liability for banks that offer services or loans to MRBs (marijuana-related businesses). To date, the SAFE Act has not been passed into law, and payment processing remains a confusing space for banks and MRBs alike. Under the administration of President Joseph Biden, however, there is hope that the industry will see a marijuana policy that reduces confusion at the federal level.
What are the overarching trends this year? AML laws are encouraging financial institutions to be more transparent, implement better technology and build more comprehensive customer profiles. Banks that want to be proactive will need to ensure their policies are up-to-date with the new regulations, their infrastructure can integrate more data sources and their KYC processes are automated, while also offering a great customer experience.
Bank boards know all too well about the reputational toll and hefty fines from lapses in regulatory compliance. But governance usually doesn’t tend to drill down into specific practice areas and their finer-grained costs.
An ounce of prevention, though less expensive than the proverbial cure, still runs pretty high in Bank Secrecy Act and anti-money laundering (BSA/AML) compliance programs. Directors might want to ask for a more-detailed picture from their bank’s AML team at the next board meeting. Not just to follow up on the damage-control response to the FinCEN Files media spectacle, but also in terms of profit and loss and team morale issues.
Suspicious activity reports (SARs) can get very expensive. We conservatively estimate that about $180 million in annual BSA/AML analyst salaries in the U.S. goes just to preparing the SAR form. But there’s also a huge opportunity to do better for society.
What are SARs? Some might say they are a headache-inducing form that demands a whole lot of painstaking and tedious detail, and then never quite fulfills its ultimate purpose of stopping criminals. Unfortunately, there’s a lot of truth to that description. What should — and could — SARs be?
An essential tool for fighting crime.
An effective communication channel for AML collaboration.
An invaluable resource for law enforcement to identify, track, and prosecute criminals.
At the risk of overstating the obvious, not every “suspicious” activity leads to criminal activity. Though banks do have the power to block the flow of funds, financial crime regulators (in the U.S., that’s the Financial Crimes Enforcement Network, or FinCEN) and jurisdictional law enforcement (such as district attorneys) hold the authority to go after the criminals. A bank’s primary responsibility in AML is to provide relevant information from the financial vantage point.
The level of detail can make all the difference in the usefulness of these reports. A complete and accurate SAR, filed with ample, highly relevant information, provides texture and nuance for regulators to make strong decisions about which cases deserve the attention of law enforcement. Prosecutors can then use information from SARs to build criminal cases. A future with somewhat fewer illicit arms sales or much less human trafficking could hinge on a few form fields.
The status quo for most bank AML compliance programs entails a substantial amount of manual inputs. Lacking automation, providing more high quality detail in SARs demands more time. U.S. financial institutions filed 2.3 million SARs in 2019. An AML analyst can command, on average, an annual salary of $75,000. These figures, plus some other industry-specific estimates and general human resources conventions, fed into my calculation above for the total annual SARs tab for U.S. financial institutions. And that $180 million figure doesn’t even account for the nine out of 10 investigations that don’t lead to a SAR filing — yet typically do result in more monitoring.
Manual processes, even with the best intentions of highly skilled AML teams, are inherently prone to human error. I also suspect these professionals would rather focus on the aspects of their work that demand the subtle discernment of human judgement. Some of the lowest-hanging fruit for using technology in AML investigations include automation that can:
Populate the SAR form with case information.
Organize case data from fragmented sources across the bank and vendors.
Visualize trends in the case to spot strange behaviors.
Quickly separate false positives from true positives.
Capture the insights of investigators as structured data, creating clean data that can be used for analytics and machine learning.
Validate and quickly transmit the SAR to expedite information flow.
Securely store the case information for future analytics and audits.
Keep casework across the team thorough and efficient.
Investigating and reporting suspicious financial activity is both an enormous expense for banks and a systemically important resource for protecting society. It’s worth investing in automation technology that will make a bank’s BSA/AML compliance program more efficient and effective.
How a specific bank might move forward in leveraging compliance automation technology will vary on a wide range of factors. Adopting this sort of technology isn’t an all-or-nothing proposition. A careful analysis of a bank’s AML practice area can identify minor changes that are likely to have an outsize impact in the fight against crime.
On its face, BuzzFeed’s reporting package on the details of 2,100 leaked suspicious activity reports (SARs) it obtained seems bad for many of the big banks mentioned. The articles take institutions to task for processing “trillions of dollars of suspicious transactions despite their own staff’s warnings that they might be related to crime.”
But the biggest scandal from the leaks may not be what it says about big banks — the biggest scandal is what it reveals about the anti-money laundering system at large. The leaks aptly demonstrate the system’s immense flaws.
These would hardly be news to bankers, who have known and complained about the system for years. They are on the cusp of winning reforms that, while not fixing the system as a whole, could lessen the burden on banks to report customers’ beneficial owners.
But the deeper issue is that the system encourages the proliferation of anti-money laundering filings, often without regard to whether they are truly related to any criminal activity.
The “FinCEN Files” are in part built on the premise that when a bank files a suspicious activity report, it truly believes that the transaction is related to financial crime or terrorism. BuzzFeed says the system “contains a crucial loophole” — although banks are required to alert the Financial Crimes Enforcement Network via a SAR, they are not obligated “to halt the suspicious activity or stop serving shadowy clients.”
But as the story later acknowledges and any banker can tell you, filing a SAR doesn’t necessarily mean the bank thinks there’s criminal activity going on. Banks are actively encouraged to file SARs for anything that seems even potentially fishy. The consequences of not filing a SAR can be severe, including extra scrutiny from regulators, an enforcement order or steep fines. Bank officers have been fired for failing to file SARs on activity that later turned out to be criminal.
The result? Banks have filed defensively for well over a decade. It’s so bad that at one point, a former FinCEN director used to tell a story about how a bank had filed a SAR because an employee’s bacon was stolen from the office fridge.
Predictably, this means banks and credit unions file a tremendous amount of SARs. There were some 839,000 filed by depository institutions in 2014. That rose to 1.1 million by 2019, a 32% jump. Does anyone think that all those SARs represent real criminal activity? Requiring banks to stop processing all those transactions wouldn’t close a loophole, it would violate due process. In many cases, banks are even told by law enforcement agencies to continue to process suspicious transactions. Such “keep open” letters are a way for law enforcement to continue to track potential criminals.
The “FinCEN Files” do make a great point when it says “the majority of these reports … are never even read, much less investigated.” We’ve built an entire money laundering system around the annual filing of millions of SARs and currency transaction reports (CTRs), the vast majority of which will never be seen by a human being.
If you listen to the way law enforcement agencies tell it, this is a feature, not a bug, of the system. Those agencies want banks to file SARs and CTRs because it creates a virtual warehouse of financial information they can use to track down leads. The more data they have, the better.
This approach assumes there is no cost for banks to do all of this, when the cost is in excess of $25 billion annually, according to some estimates. If banks weren’t spending a huge chunk of resources and time chasing down every potential dodgy transaction, they probably could be using it on other activities, like lending in their communities.
This approach would be acceptable if the current system actually worked, but it’s not clear it does. The amount of money laundered each year is roughly 2% to 5% of global GDP, or between $800 billion to $2 trillion, according to the United Nations Office on Drugs and Crime. Some estimates say law enforcement catches less than 1% of that.
Privately, many banking officials will tell you the vast majority of financial crimes are still going undetected. While the current system is great at catching unsophisticated criminals, the ones who know what they’re doing can find elaborate ways around the system.
Don’t get me wrong. If a bank is knowingly facilitating criminal activity — as has happened in the past and some of these 2,100 SARs show — they should be punished to the fullest extent of the law. But the biggest takeaway of this story is that our system is inefficient, costly and — worst of all — does not seem to work very well.
Big banks processed transactions on the behalf of Ponzi schemes, businesses accused of money laundering and a family of an individual for whom Interpol had issued a notice for his arrest — all while diligently filing suspicious activity reports, or SARs.
That’s the findings from a cache of 2,000 leaked SARs filed by banks such as JPMorgan Chase & Co, Bank of America Corp., Citibank and American Express Co. to the U.S. Treasury Department’s Financial Crimes Enforcement Network, or FinCEN. These files, which media outlets dubbed the “FinCEN Files,” encompassed more than $2 trillion in transactions between 1999 and 2017.
Community banks, which are also required to file SARs as part of Bank Secrecy Act/anti-money laundering laws, may think they are exempt from the scrutiny and revelations applied to the biggest banks in the FinCEN Files. Not so. Bank Director spoke with two attorneys that work with banks on BSA/AML issues for what community banks should take away from the FinCEN Files.
Greater Curiosity Community banks should exercise curiosity about transaction trends in their own SARs that may add up to a red flag — whether that’s transaction history, circumstances and similarities to other cases that proved nefarious. Banks should ask themselves if these SARs contain details that indicated the bank should’ve done something more, such as not complete the transaction.
“That is probably the biggest go-forward lesson for banks: Make sure that your policies and procedures are such that — when someone is looking at this in hindsight and evaluating whether you should have done something more — you can demonstrate that you had the proper policies and procedures in place to identify when something more needed to be done,” says James Stevens, a partner at Troutman Pepper.
Although it may be obvious, Stevens says banks should be “vigilantly evaluating” transactions not just for whether they merit a SAR, but whether they should be completed at all.
Size Doesn’t Matter When it comes to BSA/AML risk profiles and capabilities, Stevens says size doesn’t matter. Technology has leveled the playing field for many banks, allowing smaller banks to license and access the capabilities that were once the domain of larger banks. It doesn’t make a difference in a bank’s risk profile; customers are its biggest determinant of a bank’s BSA/AML risk. Higher-risk customers, whether through business line or geography, will pose more risk for a bank, no matter its size.
But banks should know they may always be caught in between serving customers and regulatory activity. Carleton Goss, counsel at Hunton Andrews Kurth, points out that changing state laws mean some financial institutions can serve cannabis businesses that are legal in the state but still need to file SARs at the federal level. Banks may even find themselves being asked by law enforcement agencies to keep a suspicious account open to facilitate greater monitoring and reporting.
“There’s definitely a tension between serving customers and preventing criminal activity,” he says. “You don’t always know the extent of the activities that you’ve reported — the way the SAR reporting obligation is worded, you don’t even have to be definitively sure that a crime has occurred.”
“Front Page of the Newspaper” Test Reporting in recent years continues to cast a spotlight on BSA/AML laws. Before the FinCEN Files, there was the 2016 Panama Papers. Stevens says that while banks have assumed that SARs would remain confidential and posed only legal or compliance risk, they should still be sensitive to the potential reputational risks of doing business with certain customers — even if the transactions they complete for them are technically compliant with existing law.
“Like everything else we do, you have to be prepared for it to be on the front page of the newspaper,” he says.
Media reports mean that regulatory pressure and public outrage could continue to build, which could heighten regulatory expectations.
“Whenever you see a large event like the FinCEN files, there tends to be pressure on the regulators to ‘up their game’ to avoid giving people the perception that they were somehow asleep at the wheel or missed something,” Goss says. “It would be fair for the industry to expect a little bit more scrutiny than they otherwise would on their next BSA exam.”
This summer, three new developments in the relationship between banks and cryptocurrency players signaled a shift in attitudes toward digital assets.
In May, JPMorgan Chase & Co. began providing banking services to leading crypto exchanges Coinbase and Gemini Trust Co., — a notable change given that Chairman and CEO Jamie Dimon called the seminal cryptocurrency Bitcoin “a fraud” just three years ago. In July, the acting comptroller for the Office of the Comptroller of the Currency, Brian Brooks — who served as the chief legal officer for Coinbase prior to his appointment — released an interpretation letter confirming that financial institutions can bank cryptocurrency clients and could even serve as digital asset custodians. And this month, the popular crypto exchange Kraken secured a special purpose banking charter in Wyoming, marking the first time a crypto company gained banking powers, including direct access to payment rails.
Cryptocurrency is gaining wider acceptance as a legitimate commercial enterprise. But, like other money services businesses, these companies still find it difficult to obtain basic banking services. This is despite the fact that crypto is becoming more mainstream among consumers and in the financial markets. The industry is booming with a market capitalization equivalent to over $330 billion, according to CoinMarketCap, but it’s currently served by just a handful of banks.
The best-known institutions playing in the cryptocurrency space are New York-based Signature Bank and Silvergate Capital Corp., the parent company of La Jolla, California-based Silvergate Bank.
Signature’s CEO Joseph DePaolo confirmed in the company’s second-quarter earnings call that $1 billion of the bank’s deposits in quarter came from digital asset customers. And at just $1.9 billion in total assets, Silvergate Bank earned over $2.3 million in fees in the second quarter from its crypto-related clients. These gains weren’t from the activity taking place on the banks’ respective payment platforms. They came from typical commercial banking services — providing solutions for deposits, cash management and foreign exchange.
One community bank hoping to realize similar benefits from banking crypto businesses is Provident Bancorp. The $1.4 billion asset institution based in Amesbury, Massachusetts, which recently rebranded as BankProv, aims to treat crypto companies as it would any other legal commercial customer. Crypto customers may have heightened technology expectations compared to other clients, and present heightened compliance burdens for their banks. But the way CEO David Mansfield sees it, these are all things BankProv needs to address anyway.
“It really pushes traditional, mainstream corporate banking to the next level,” he explains, “so it fits with some of our other strategic goals being a commercially focused bank.”
Before BankProv launched its digital asset offering, it did a lot of groundwork.
The bank revamped its entire Bank Secrecy Act program, bringing in experts to help rewrite procedures and new technology partners like CipherTrace to provide blockchain analytics and transaction monitoring. It retooled its ACH offerings, establishing a direct connection with the Federal Reserve and expanding its timeframe for processing transactions to better serve clients on the West coast. And BankProv’s team met with crypto-related businesses for insights about what they wanted in a bank partner, which led the bank to upgrade its API capabilities. BankProv is working with San-Francisco-based fintech Treasury Prime to make it possible for crypto clients to initiate transactions directly, instead of going through an online banking portal.
At the same time, BankProv made plans for handling the new deposits generated by the business line; crypto-related companies often experience more volatility in market fluctuations than typical commercial clients.
“It’s definitely top of the regulator’s mind that they don’t want to see you using these funds to do long-term lending,” Mansfield says.
For BankProv, part of managing these deposits is deploying them toward the bank’s mortgage warehouse lending business; those loans are short-term, maturing within seven to 15 days. “[Y]ou need to find a good match on the asset side,” Mansfield explains, “because just having [deposits] sit in Fed funds at 10 basis points doesn’t do you much [good] right now.”
While BankProv officially announced that it would begin servicing digital asset customers in July 2019, the onset of Covid-19 made it difficult to get the program into full swing until recently. With travel being severely limited, BankProv made it a priority to hire new business development talent earlier this month that came with a pre-existing Rolodex of crypto contacts. The digital asset business hasn’t appeared in the company’s 2020 earnings releases so far.
Banking crypto-related clients will only make sense for some of the most forward-thinking banks; but for those that are successful in the space, the upside is significant. Mansfield believes BankProv has the attributes needed to thrive as a part of the crypto community.
“You have to be open minded and a little innovative. [I]t’s certainly not going to be right for the vast majority of banks,” he says, “and I think that’s why there’s really only two that are dominating the space right now. But I feel there’s at least room for a third.”
The banking industry must address and satisfy several competing interests as executives and the workforce adjust to the new normal of life during a pandemic.
Banks across the nation have stepped up as leaders in the fight against the Covid-19 pandemic. Now as the dust settles from the initial shock in mid-March, what are issues that your bank should be prepared to address looking forward?
When and how should we reopen our physical locations?
While banks have continued operations during the pandemic, many limited their services. It is not clear when these services will fully ramp back up. As your bank debates the best course of action for your circumstance, consider the following:
Prioritize health and safety by installing physical protection at branches and offices, including sneeze guards at teller windows, medical screening of employees, enhanced cleaning procedures and required use of personal protective equipment.
When considering return-to-work policies, be flexible and responsive to employee concerns and location-specific issues.
Apply the lessons learned during this period and embrace (or even improve) the technology for working remotely.
Task teams with understanding federal, state and local requirements related to the pandemic and the bank’s corresponding compliance obligations. These teams should meet regularly to ensure full compliance at all locations.
The ABA published a free matrix to assist banks in their reopening efforts.
We participated in the Paycheck Protection Program; now what?
There are some important post-lending matters for banks that participated in the Paycheck Protection Program to consider:
Brace for litigation. Some banks have faced lawsuits from applicants that failed to receive PPP funding. While your bank may not be able to avoid a similar lawsuit, it should avoid liability in these suits by following established procedures and demonstrating that your bankers did not deny applicants on a prohibited basis (race, religion, gender, age, among others).
Additionally, banks have encountered complaints filed by agents of borrowers seeking lender fees. You should not face liability in these suits if you did not execute a binding agreement with an agent before loan origination. Your bank’s defense will be even stronger if you mitigated this issue on the front end —for example by requiring borrowers to certify whether they used an agent, and if so, requiring the agent to complete a Form 159.
Stay current on loan forgiveness requirements. The Small Business Administration stated that it would review all PPP loans over $2 million following each loan forgiveness application submission. Thankfully for lenders, banks can rely on borrower certifications on loan forgiveness amounts. Nevertheless, agencies continue to release new guidance, and customers will rely on lenders to help them through the process.
Look for new opportunities to serve your customers and communities. There are rumors that Congress may issue a third round of PPP funding that will apply to more eligible borrowers. The Federal Reserve announced the expansion of its Main Street Lending Program, which can be a valuable source of liquidity as banks seek to meet customer needs. The SBA also released guidance on the sale of participating interests in PPP loans.
What regulatory or supervisory concerns should we be prepared to address?
Credit Decisions. Your bank must continue to balance meeting customer needs and making prudent credit decisions in the current economic environment. Many banks have started tightening credit standards, but this comes with a potential uptick in complaints about harmful lending practices. Regulators have indicated that they will scrutinize lending activity to ensure banks comply with applicable laws and meet customer needs in a safe and sound manner. The Office of the Comptroller of the Currency urged banks to “prudently document” their PPP lending decisions. The Consumer Financial Protection Bureau instructed small business owners “who believe they were discriminated against based on race, sex, or other protected category” to file complaints. Your decisions on credit parameters must be well thought out and applied uniformly.
Bank Secrecy Act/Anti-Money laundering Focus. Banks may face heightened risks from new customers or new activities from existing customers. For the first time since 2014, the Federal Financial Institutions Examination Council released updates to the Bank Secrecy Act/Anti-Money Laundering (BSA/AML) examination manual. While these updates are not directly related to the pandemic, regulators may scrutinize BSA/AML efforts at your next examination. Use this updated guidance as a springboard to assess your BSA/AML compliance program now.
IT and Security Concerns. Banks used technology enabling virtual or remote interactions during the pandemic, increasing risks associated with IT security. The regulators issued a joint statement addressing security risk management, noting that bank management cannot rely on third-party service providers and must actively ensure technological security. Expect this to be an area of focus at your next examination.
Should you acquire or be acquired? Some community banks are electing to do neither, and instead are attempting to forge a different path – pursuing niche business models. Each of these business models comes with its own execution and business risks. All of them, however, come with the same regulatory risk – whether the bank’s regulators will challenge or be supportive of the changes in the business model.
Some community banks are developing partnerships with non-bank financial services, orfintech, companies – companies that may have created an innovative financial product or delivery method but need a bank partner to avoid spending millions of dollars and years of time to comply with state licensing requirements. These partnerships not only drive revenue for the bank, but can also – if properly structured – drive customers as well. WebBank is a prime example of the change this model can bring. As of the close of 2007, WebBank had only $23 million in assets and $1 million in annual net income. Ten years later, WebBank had grown to $628 million in assets and $27.5 million in annual net income, a 39 percent annualized growth in both metrics.
Following the recession, bank regulators have generally been supportive of community banks developing new business models, either on their own or through the use of third party technology. As the OCC notes, technological changes and rapidly evolving consumer preferences are reshaping the financial services industry at an unprecedented rate, creating new opportunities to provide customers with more access to new product options and services. The OCC has outlined the principles to prudently manage risks associated with offering new products and services, noting that banks are motivated to implement operational efficiencies and pursue innovations to grow income.
Even though the new business model may not involve an acquisition, the opening of a new branch, a change in control, or another action that requires formal regulatory approval, a bank should never forge ahead without consulting with its regulators well before launching, or even announcing, its plan. The last thing your board will want is a lawsuit from unhappy investors if regulators shut down or curb the projected growth contemplated by a new business model.
Before introducing new activities, management and the board need to understand the risks and costs and should establish policies, procedures and controls for mitigating these risks. They should address matters such as adequate protection of customer data and compliance with consumer protection, Bank Secrecy Act, and anti-money laundering laws. Unique risks exist when a bank engages in new activities through third-party relationships, and these risks may be elevated when using turnkey and white-label products or services designed for minimal involvement by the bank in administering the new activities.
The bank should implement “speed bumps” – early warning indicators to alert the board to issues before they become problems. These speed bumps – whether voluntary by the bank or involuntary at the prompting of regulators – may slow the bank’s growth. If the new business model requires additional capital, the bank should pay close attention to whether the projected growth necessary to attract the new investors can still be achieved with these speed bumps.
Bank management should never tell their examiners that they don’t understand the bank’s new business model. Regardless of how innovative the new business model may be, the FDIC and other bank regulators will still review the bank’s performance under their standard examination methods and metrics. The FDIC has noted that modifying these standards to account for a bank’s “unique” business plan would undermine supervisory consistency, concluding that if a bank effectively manages the strategic risks, the FDIC’s standard examination methods and metrics will properly reflect that result.
Banks also need to be particularly wary of using third-party products or services that have the effect of helping the bank to generate deposits. Even if the deposits are stable and low-cost, and even if the bank does not pay fees tied to the generation of the deposits, the FDIC may say they are brokered deposits. Although the FDIC plans to review its brokered deposit regulations, it interprets the current regulations very broadly. Under the current regulations, even minor actions taken by a third party that help connect customers to a bank which offers a product the customer wants can cause any deposits generated through that product to be deemed brokered deposits.
Community banks definitely can be successful without acquiring or being acquired. However, before choosing an innovative path a bank should know how its regulators will react, and the board should recognize that although regulators may generally be supportive, they do not like to be surprised.