The High Cost of the Suspicious Activity Report

Bank boards know all too well about the reputational toll and hefty fines from lapses in regulatory compliance. But governance doesn’t usually drill down into specific practice areas and their finer-grained costs.

An ounce of prevention, though less expensive than the proverbial cure, still runs pretty high in Bank Secrecy Act and anti-money laundering (BSA/AML) compliance programs. Directors might want to ask for a more-detailed picture from their bank’s AML team at the next board meeting. Not just to follow up on the damage-control response to the FinCEN Files media spectacle, but also in terms of profit and loss and team morale issues.

Suspicious activity reports (SARs) can get very expensive. We conservatively estimate that about $180 million in annual BSA/AML analyst salaries in the U.S. goes just to preparing the SAR form. But there’s also a huge opportunity to do better for society.

What are SARs? Some might say they are a headache-inducing form that demands a whole lot of painstaking and tedious detail, and then never quite fulfills its ultimate purpose of stopping criminals. Unfortunately, there’s a lot of truth to that description. What should — and could — SARs be?

  • An essential tool for fighting crime.
  • An effective communication channel for AML collaboration.
  • An invaluable resource for law enforcement to identify, track, and prosecute criminals.

At the risk of overstating the obvious, not every “suspicious” activity leads to criminal activity. Though banks do have the power to block the flow of funds, financial crime regulators (in the U.S., that’s the Financial Crimes Enforcement Network, or FinCEN) and jurisdictional law enforcement (such as district attorneys) hold the authority to go after the criminals. A bank’s primary responsibility in AML is to provide relevant information from the financial vantage point.

The level of detail can make all the difference in the usefulness of these reports. A complete and accurate SAR, filed with ample, highly relevant information, provides texture and nuance for regulators to make strong decisions about which cases deserve the attention of law enforcement. Prosecutors can then use information from SARs to build criminal cases. A future with somewhat fewer illicit arms sales or much less human trafficking could hinge on a few form fields.

The status quo for most bank AML compliance programs entails a substantial amount of manual inputs. Lacking automation, providing more high-quality detail in SARs demands more time. U.S. financial institutions filed 2.3 million SARs in 2019. An AML analyst can command, on average, an annual salary of $75,000. These figures, plus some other industry-specific estimates and general human resources conventions, fed into my calculation above for the total annual SARs tab for U.S. financial institutions. And that $180 million figure doesn’t even account for the nine out of 10 investigations that don’t lead to a SAR filing — yet typically do result in more monitoring.

Manual processes, even with the best intentions of highly skilled AML teams, are inherently prone to human error. I also suspect these professionals would rather focus on the aspects of their work that demand the subtle discernment of human judgement. Some of the lowest-hanging fruit for using technology in AML investigations include automation that can:

  • Populate the SAR form with case information.
  • Organize case data from fragmented sources across the bank and vendors.
  • Visualize trends in the case to spot strange behaviors.
  • Quickly separate false positives from true positives.
  • Capture the insights of investigators as structured data, creating clean data that can be used for analytics and machine learning.
  • Validate and quickly transmit the SAR to expedite information flow.
  • Securely store the case information for future analytics and audits.
  • Keep casework across the team thorough and efficient.

Investigating and reporting suspicious financial activity is both an enormous expense for banks and a systemically important resource for protecting society. It’s worth investing in automation technology that will make a bank’s BSA/AML compliance program more efficient and effective.

How a specific bank might move forward in leveraging compliance automation technology will depend on a wide range of factors. Adopting this sort of technology isn’t an all-or-nothing proposition. A careful analysis of a bank’s AML practice area can identify minor changes that are likely to have an outsize impact in the fight against crime.

FinCEN Files Underline BSA/AML System Mess

On its face, BuzzFeed’s reporting package on the details of 2,100 leaked suspicious activity reports (SARs) it obtained seems bad for many of the big banks mentioned. The articles take institutions to task for processing “trillions of dollars of suspicious transactions despite their own staff’s warnings that they might be related to crime.”

But the biggest scandal from the leaks may not be what it says about big banks — the biggest scandal is what it reveals about the anti-money laundering system at large. The leaks aptly demonstrate the system’s immense flaws.

These would hardly be news to bankers, who have known and complained about the system for years. They are on the cusp of winning reforms that, while not fixing the system as a whole, could lessen the burden on banks to report customers’ beneficial owners.

But the deeper issue is that the system encourages the proliferation of anti-money laundering filings, often without regard to whether they are truly related to any criminal activity.

The “FinCEN Files” are in part built on the premise that when a bank files a suspicious activity report, it truly believes that the transaction is related to financial crime or terrorism. BuzzFeed says the system “contains a crucial loophole” — although banks are required to alert the Financial Crimes Enforcement Network via a SAR, they are not obligated “to halt the suspicious activity or stop serving shadowy clients.”

But as the story later acknowledges and any banker can tell you, filing a SAR doesn’t necessarily mean the bank thinks there’s criminal activity going on. Banks are actively encouraged to file SARs for anything that seems even potentially fishy. The consequences of not filing a SAR can be severe, including extra scrutiny from regulators, an enforcement order or steep fines. Bank officers have been fired for failing to file SARs on activity that later turned out to be criminal.

The result? Banks have filed defensively for well over a decade. It’s so bad that at one point, a former FinCEN director used to tell a story about how a bank had filed a SAR because an employee’s bacon was stolen from the office fridge.

Predictably, this means banks and credit unions file a tremendous number of SARs. There were some 839,000 filed by depository institutions in 2014. That rose to 1.1 million by 2019, a 32% jump. Does anyone think that all those SARs represent real criminal activity? Requiring banks to stop processing all those transactions wouldn’t close a loophole; it would violate due process. In many cases, banks are even told by law enforcement agencies to continue to process suspicious transactions. Such “keep open” letters are a way for law enforcement to continue to track potential criminals.

The “FinCEN Files” do make a great point when they say “the majority of these reports … are never even read, much less investigated.” We’ve built an entire money laundering system around the annual filing of millions of SARs and currency transaction reports (CTRs), the vast majority of which will never be seen by a human being.

If you listen to the way law enforcement agencies tell it, this is a feature, not a bug, of the system. Those agencies want banks to file SARs and CTRs because it creates a virtual warehouse of financial information they can use to track down leads. The more data they have, the better.

This approach assumes there is no cost for banks to do all of this, when the cost is in excess of $25 billion annually, according to some estimates. If banks weren’t spending a huge chunk of resources and time chasing down every potential dodgy transaction, they probably could be using it on other activities, like lending in their communities.

This approach would be acceptable if the current system actually worked, but it’s not clear it does. The amount of money laundered each year is roughly 2% to 5% of global GDP, or between $800 billion and $2 trillion, according to the United Nations Office on Drugs and Crime. Some estimates say law enforcement catches less than 1% of that.

Privately, many banking officials will tell you the vast majority of financial crimes are still going undetected. While the current system is great at catching unsophisticated criminals, the ones who know what they’re doing can find elaborate ways around the system.

Don’t get me wrong. If a bank is knowingly facilitating criminal activity — as has happened in the past and some of these 2,100 SARs show — they should be punished to the fullest extent of the law. But the biggest takeaway of this story is that our system is inefficient, costly and — worst of all — does not seem to work very well.

FinCEN Files: What Community Banks Should Know

Big banks processed transactions on behalf of Ponzi schemes, businesses accused of money laundering and the family of an individual for whose arrest Interpol had issued a notice — all while diligently filing suspicious activity reports, or SARs.

Those are the findings from a cache of 2,000 leaked SARs filed by banks such as JPMorgan Chase & Co, Bank of America Corp., Citibank and American Express Co. to the U.S. Treasury Department’s Financial Crimes Enforcement Network, or FinCEN. These files, which media outlets dubbed the “FinCEN Files,” encompassed more than $2 trillion in transactions between 1999 and 2017.

Community banks, which are also required to file SARs as part of Bank Secrecy Act/anti-money laundering laws, may think they are exempt from the scrutiny and revelations applied to the biggest banks in the FinCEN Files. Not so. Bank Director spoke with two attorneys who work with banks on BSA/AML issues about what community banks should take away from the FinCEN Files.

Greater Curiosity
Community banks should exercise curiosity about transaction trends in their own SARs that may add up to a red flag — whether that’s transaction history, circumstances or similarities to other cases that proved nefarious. Banks should ask themselves if these SARs contain details that indicated the bank should’ve done something more, such as not completing the transaction.

“That is probably the biggest go-forward lesson for banks: Make sure that your policies and procedures are such that — when someone is looking at this in hindsight and evaluating whether you should have done something more — you can demonstrate that you had the proper policies and procedures in place to identify when something more needed to be done,” says James Stevens, a partner at Troutman Pepper.

Although it may be obvious, Stevens says banks should be “vigilantly evaluating” transactions not just for whether they merit a SAR, but whether they should be completed at all.

Size Doesn’t Matter
When it comes to BSA/AML risk profiles and capabilities, Stevens says size doesn’t matter. Technology has leveled the playing field for many banks, allowing smaller banks to license and access the capabilities that were once the domain of larger banks. Size doesn’t make a difference in a bank’s risk profile; customers are the biggest determinant of a bank’s BSA/AML risk. Higher-risk customers, whether through business line or geography, will pose more risk for a bank, no matter its size.

But banks should know they may always be caught in between serving customers and regulatory activity. Carleton Goss, counsel at Hunton Andrews Kurth, points out that changing state laws mean some financial institutions can serve cannabis businesses that are legal in the state but still need to file SARs at the federal level. Banks may even find themselves being asked by law enforcement agencies to keep a suspicious account open to facilitate greater monitoring and reporting.

“There’s definitely a tension between serving customers and preventing criminal activity,” he says. “You don’t always know the extent of the activities that you’ve reported — the way the SAR reporting obligation is worded, you don’t even have to be definitively sure that a crime has occurred.”

“Front Page of the Newspaper” Test
Reporting in recent years continues to cast a spotlight on BSA/AML laws. Before the FinCEN Files, there was the 2016 Panama Papers. Stevens says that while banks have assumed that SARs would remain confidential and pose only legal or compliance risk, they should still be sensitive to the potential reputational risks of doing business with certain customers — even if the transactions they complete for them are technically compliant with existing law.

“Like everything else we do, you have to be prepared for it to be on the front page of the newspaper,” he says.

Media reports mean that regulatory pressure and public outrage could continue to build, which could heighten regulatory expectations.

“Whenever you see a large event like the FinCEN files, there tends to be pressure on the regulators to ‘up their game’ to avoid giving people the perception that they were somehow asleep at the wheel or missed something,” Goss says. “It would be fair for the industry to expect a little bit more scrutiny than they otherwise would on their next BSA exam.”

How Innovative Banks Capitalize on Cryptocurrency

This summer, three new developments in the relationship between banks and cryptocurrency players signaled a shift in attitudes toward digital assets.

In May, JPMorgan Chase & Co. began providing banking services to leading crypto exchanges Coinbase and Gemini Trust Co. — a notable change given that Chairman and CEO Jamie Dimon called the seminal cryptocurrency Bitcoin “a fraud” just three years ago. In July, the acting comptroller for the Office of the Comptroller of the Currency, Brian Brooks — who served as the chief legal officer for Coinbase prior to his appointment — released an interpretation letter confirming that financial institutions can bank cryptocurrency clients and could even serve as digital asset custodians. And this month, the popular crypto exchange Kraken secured a special purpose banking charter in Wyoming, marking the first time a crypto company gained banking powers, including direct access to payment rails.

Cryptocurrency is gaining wider acceptance as a legitimate commercial enterprise. But, like other money services businesses, these companies still find it difficult to obtain basic banking services. This is despite the fact that crypto is becoming more mainstream among consumers and in the financial markets. The industry is booming with a market capitalization equivalent to over $330 billion, according to CoinMarketCap, but it’s currently served by just a handful of banks.

The best-known institutions playing in the cryptocurrency space are New York-based Signature Bank and Silvergate Capital Corp., the parent company of La Jolla, California-based Silvergate Bank.

Signature’s CEO Joseph DePaolo confirmed in the company’s second-quarter earnings call that $1 billion of the bank’s deposits in the quarter came from digital asset customers. And at just $1.9 billion in total assets, Silvergate Bank earned over $2.3 million in fees in the second quarter from its crypto-related clients. These gains weren’t from the activity taking place on the banks’ respective payment platforms. They came from typical commercial banking services — providing solutions for deposits, cash management and foreign exchange.

One community bank hoping to realize similar benefits from banking crypto businesses is Provident Bancorp. The $1.4 billion asset institution based in Amesbury, Massachusetts, which recently rebranded as BankProv, aims to treat crypto companies as it would any other legal commercial customer. Crypto customers may have heightened technology expectations compared to other clients, and present heightened compliance burdens for their banks. But the way CEO David Mansfield sees it, these are all things BankProv needs to address anyway.

“It really pushes traditional, mainstream corporate banking to the next level,” he explains, “so it fits with some of our other strategic goals being a commercially focused bank.”

Before BankProv launched its digital asset offering, it did a lot of groundwork.

The bank revamped its entire Bank Secrecy Act program, bringing in experts to help rewrite procedures and new technology partners like CipherTrace to provide blockchain analytics and transaction monitoring. It retooled its ACH offerings, establishing a direct connection with the Federal Reserve and expanding its timeframe for processing transactions to better serve clients on the West Coast. And BankProv’s team met with crypto-related businesses for insights about what they wanted in a bank partner, which led the bank to upgrade its API capabilities. BankProv is working with San Francisco-based fintech Treasury Prime to make it possible for crypto clients to initiate transactions directly, instead of going through an online banking portal.

At the same time, BankProv made plans for handling the new deposits generated by the business line; crypto-related companies often experience more volatility in market fluctuations than typical commercial clients.

“It’s definitely top of the regulator’s mind that they don’t want to see you using these funds to do long-term lending,” Mansfield says.

For BankProv, part of managing these deposits is deploying them toward the bank’s mortgage warehouse lending business; those loans are short-term, maturing within seven to 15 days. “[Y]ou need to find a good match on the asset side,” Mansfield explains, “because just having [deposits] sit in Fed funds at 10 basis points doesn’t do you much [good] right now.”

While BankProv officially announced that it would begin servicing digital asset customers in July 2019, the onset of Covid-19 made it difficult to get the program into full swing until recently. With travel being severely limited, BankProv made it a priority to hire new business development talent earlier this month that came with a pre-existing Rolodex of crypto contacts. The digital asset business hasn’t appeared in the company’s 2020 earnings releases so far.

Banking crypto-related clients will only make sense for some of the most forward-thinking banks; but for those that are successful in the space, the upside is significant. Mansfield believes BankProv has the attributes needed to thrive as a part of the crypto community.

“You have to be open minded and a little innovative. [I]t’s certainly not going to be right for the vast majority of banks,” he says, “and I think that’s why there’s really only two that are dominating the space right now. But I feel there’s at least room for a third.”

On the Radar For the Pandemic’s Next Phase

The banking industry must address and satisfy several competing interests as executives and the workforce adjust to the new normal of life during a pandemic.

Banks across the nation have stepped up as leaders in the fight against the Covid-19 pandemic. Now as the dust settles from the initial shock in mid-March, what are issues that your bank should be prepared to address looking forward?

When and how should we reopen our physical locations?

While banks have continued operations during the pandemic, many limited their services. It is not clear when these services will fully ramp back up. As your bank debates the best course of action for your circumstance, consider the following:

  • Prioritize health and safety by installing physical protection at branches and offices, including sneeze guards at teller windows, medical screening of employees, enhanced cleaning procedures and required use of personal protective equipment.
  • When considering return-to-work policies, be flexible and responsive to employee concerns and location-specific issues.
  • Apply the lessons learned during this period and embrace (or even improve) the technology for working remotely.
  • Task teams with understanding federal, state and local requirements related to the pandemic and the bank’s corresponding compliance obligations. These teams should meet regularly to ensure full compliance at all locations.

The ABA published a free matrix to assist banks in their reopening efforts.

We participated in the Paycheck Protection Program; now what?

There are some important post-lending matters for banks that participated in the Paycheck Protection Program to consider:

Brace for litigation. Some banks have faced lawsuits from applicants that failed to receive PPP funding. While your bank may not be able to avoid a similar lawsuit, it should avoid liability in these suits by following established procedures and demonstrating that your bankers did not deny applicants on a prohibited basis (race, religion, gender, age, among others).

Additionally, banks have encountered complaints filed by agents of borrowers seeking lender fees. You should not face liability in these suits if you did not execute a binding agreement with an agent before loan origination. Your bank’s defense will be even stronger if you mitigated this issue on the front end — for example by requiring borrowers to certify whether they used an agent, and if so, requiring the agent to complete a Form 159.

Stay current on loan forgiveness requirements. The Small Business Administration stated that it would review all PPP loans over $2 million following each loan forgiveness application submission. Thankfully for lenders, banks can rely on borrower certifications on loan forgiveness amounts. Nevertheless, agencies continue to release new guidance, and customers will rely on lenders to help them through the process.

Look for new opportunities to serve your customers and communities. There are rumors that Congress may issue a third round of PPP funding that will apply to more eligible borrowers. The Federal Reserve announced the expansion of its Main Street Lending Program, which can be a valuable source of liquidity as banks seek to meet customer needs. The SBA also released guidance on the sale of participating interests in PPP loans.

What regulatory or supervisory concerns should we be prepared to address?

Credit Decisions. Your bank must continue to balance meeting customer needs and making prudent credit decisions in the current economic environment. Many banks have started tightening credit standards, but this comes with a potential uptick in complaints about harmful lending practices. Regulators have indicated that they will scrutinize lending activity to ensure banks comply with applicable laws and meet customer needs in a safe and sound manner. The Office of the Comptroller of the Currency urged banks to “prudently document” their PPP lending decisions. The Consumer Financial Protection Bureau instructed small business owners “who believe they were discriminated against based on race, sex, or other protected category” to file complaints. Your decisions on credit parameters must be well thought out and applied uniformly.

Bank Secrecy Act/Anti-Money Laundering Focus. Banks may face heightened risks from new customers or new activities from existing customers. For the first time since 2014, the Federal Financial Institutions Examination Council released updates to the Bank Secrecy Act/Anti-Money Laundering (BSA/AML) examination manual. While these updates are not directly related to the pandemic, regulators may scrutinize BSA/AML efforts at your next examination. Use this updated guidance as a springboard to assess your BSA/AML compliance program now.

IT and Security Concerns. Banks used technology enabling virtual or remote interactions during the pandemic, increasing risks associated with IT security. The regulators issued a joint statement addressing security risk management, noting that bank management cannot rely on third-party service providers and must actively ensure technological security. Expect this to be an area of focus at your next examination.

Should You Buy, Sell Or Do Neither?


Should you acquire or be acquired? Some community banks are electing to do neither, and instead are attempting to forge a different path – pursuing niche business models. Each of these business models comes with its own execution and business risks. All of them, however, come with the same regulatory risk – whether the bank’s regulators will challenge or be supportive of the changes in the business model.

Some community banks are developing partnerships with non-bank financial services, or fintech, companies – companies that may have created an innovative financial product or delivery method but need a bank partner to avoid spending millions of dollars and years of time to comply with state licensing requirements. These partnerships not only drive revenue for the bank, but can also – if properly structured – drive customers as well. WebBank is a prime example of the change this model can bring. As of the close of 2007, WebBank had only $23 million in assets and $1 million in annual net income. Ten years later, WebBank had grown to $628 million in assets and $27.5 million in annual net income, a 39 percent annualized growth in both metrics.

Following the recession, bank regulators have generally been supportive of community banks developing new business models, either on their own or through the use of third-party technology. As the OCC notes, technological changes and rapidly evolving consumer preferences are reshaping the financial services industry at an unprecedented rate, creating new opportunities to provide customers with more access to new product options and services. The OCC has outlined the principles to prudently manage risks associated with offering new products and services, noting that banks are motivated to implement operational efficiencies and pursue innovations to grow income.

Even though the new business model may not involve an acquisition, the opening of a new branch, a change in control, or another action that requires formal regulatory approval, a bank should never forge ahead without consulting with its regulators well before launching, or even announcing, its plan. The last thing your board will want is a lawsuit from unhappy investors if regulators shut down or curb the projected growth contemplated by a new business model.

Before introducing new activities, management and the board need to understand the risks and costs and should establish policies, procedures and controls for mitigating these risks. They should address matters such as adequate protection of customer data and compliance with consumer protection, Bank Secrecy Act, and anti-money laundering laws. Unique risks exist when a bank engages in new activities through third-party relationships, and these risks may be elevated when using turnkey and white-label products or services designed for minimal involvement by the bank in administering the new activities.

The bank should implement “speed bumps” – early warning indicators to alert the board to issues before they become problems. These speed bumps – whether voluntary by the bank or involuntary at the prompting of regulators – may slow the bank’s growth. If the new business model requires additional capital, the bank should pay close attention to whether the projected growth necessary to attract the new investors can still be achieved with these speed bumps.

Bank management should never tell their examiners that they don’t understand the bank’s new business model. Regardless of how innovative the new business model may be, the FDIC and other bank regulators will still review the bank’s performance under their standard examination methods and metrics. The FDIC has noted that modifying these standards to account for a bank’s “unique” business plan would undermine supervisory consistency, concluding that if a bank effectively manages the strategic risks, the FDIC’s standard examination methods and metrics will properly reflect that result.

Banks also need to be particularly wary of using third-party products or services that have the effect of helping the bank to generate deposits. Even if the deposits are stable and low-cost, and even if the bank does not pay fees tied to the generation of the deposits, the FDIC may say they are brokered deposits. Although the FDIC plans to review its brokered deposit regulations, it interprets the current regulations very broadly. Under the current regulations, even minor actions taken by a third party that help connect customers to a bank which offers a product the customer wants can cause any deposits generated through that product to be deemed brokered deposits.

Community banks definitely can be successful without acquiring or being acquired. However, before choosing an innovative path a bank should know how its regulators will react, and the board should recognize that although regulators may generally be supportive, they do not like to be surprised.

How AML Compliance Could Soon Change


Despite major changes in compliance obligations starting with the Dodd-Frank Act through the more recent Economic Growth, Regulatory Relief, and Consumer Protection Act, requirements related to anti-money laundering (AML) compliance have remained largely unchanged.

The last major revision of AML compliance requirements was in 2001 with the U.S.A. PATRIOT Act amendments to the Bank Secrecy Act. This era may be coming to an end with the reintroduction earlier this summer of H.R. 6068, Counter Terrorism and Illicit Finance Act (CTIFA), and the convergence of market developments.

Although the reintroduced CTIFA bill removes a prior provision that would have required beneficial ownership information for new corporations to be collected and provided to FinCEN, the revised CTIFA would make a number of other significant changes to AML compliance requirements:

  • Increase the filing thresholds for currency transaction reports from $10,000 to $30,000 and for suspicious activity reports (SARs) from $5,000 to $10,000;
  • Require the Secretary of the Treasury to undertake a formal review of the information reporting requirements in the BSA to ensure the information is “of a high degree of usefulness” to law enforcement, and to propose changes to reduce regulatory burden;
  • Reduce impediments to the sharing of SAR information within a financial group, including with foreign branches, subsidiaries, and affiliates;
  • Create a process for FinCEN to issue no-action letters concerning the application of the BSA or any other AML law to specific conduct, including a statement whether FinCEN has any intention of taking an enforcement action with respect to such conduct;
  • Encourage the use of technological innovations such as artificial intelligence in AML compliance;
  • Establish an 18-month safe harbor from enforcement of FinCEN’s beneficial ownership and customer due diligence rule, which became effective in May 2018; and
  • Commission studies on the effectiveness of current beneficial ownership reporting regimes and cost-benefit analyses of AML requirements.

Although the CTIFA’s prospects for passage are uncertain, several of its provisions track market developments that are already bringing about change. First, innovative technologies such as artificial intelligence and blockchain increasingly are being leveraged for AML compliance solutions.

Artificial intelligence has the potential to transform terabytes of customer information into actionable AML insights including, for example, customizable pre-drafted suspicious activity report templates or customer risk profiles. These risk profiles update in real time in support of the new customer due diligence “pillar” of AML compliance. Blockchain and other distributed ledger technologies may be deployed to create standardized digital identities for customers to expedite and safeguard KYC and authentication processes.

Second, banks already are taking a hard look at their CTR and SAR processes to determine the ratio of meaningful information to noise that has been included in these reports. This augmented reporting will result in a direct benefit to the network of federal government agencies tasked with analyzing reports to find information with a high degree of usefulness in law enforcement investigations.

Third, banks are increasingly providing services to new types of high-risk businesses, such as marijuana-related businesses (“MRBs”) and cryptocurrency companies. FinCEN has for each of these industries been a pioneer in issuing guidance relatively early in the industry’s lifecycle to explain how AML compliance obligations apply, but this guidance requires updating. As just one example, FinCEN’s three-tiered system for filing SARs applies when a bank provides banking services directly to an MRB, but there are less clear SAR filing guidelines when a bank provides services to a customer that provides services to MRBs or owns shares of an MRB.

Banks continue to use FinCEN’s administrative ruling request process or the supervisory process to obtain guidance for high-risk customers, albeit in an ad hoc, non-public way. This request process is less effective than the no-action letter process contemplated in the CTIFA.

The CTIFA, if enacted, would significantly change AML compliance. At the same time, innovation and new business opportunities, among other market developments, are already contributing to AML compliance enhancements. Regardless of whether the legislation passes, the industry appears to be entering an era of change.

Advice for New Bank Directors


If you have recently been appointed to a bank board, chances are you’re like most new directors in that you came from outside the industry and have little knowledge of banking other than what you might have learned as a customer. If, for example, you’re the owner of a local business that relies heavily on its banking relationships to keep the enterprise going (as most small businesses do), you will certainly have an opinion about what constitutes good customer service. You also bring your own judgment and life experience outside of banking to the task, which will no doubt be very valuable to the board. But to be an effective bank director, you’re going to have to broaden your knowledge base considerably when it comes to banking. Good judgment isn’t enough. There are certain things that you will need to know.

Learning is a life-long exercise, and for as long as you serve on a bank board there will always be new things to learn. But here are four areas that I think new directors should give extra attention to:

Learn About Regulation.
Banking is a complicated and highly regulated industry, and banks can pay a steep price for their compliance sins. Take the time to understand the industry’s regulatory structure and the expectations of your bank’s primary regulators, which will vary depending on the size of your institution and whether it has a state or national charter. Also, zero in on the regulations that can have the greatest impact on your bank (for example, the Bank Secrecy Act and the various consumer protection rules). The regulators will hold your board accountable for any serious compliance violations, so it’s not a responsibility to be taken lightly.

Learn How Your Bank Works.
Banking is very different from most other businesses like, say, manufacturing and retailing, or professional services like accounting and lawyering. Yours is a governance rather than an operating role, but you should still learn how your bank works inside and out so you can engage fruitfully with management. Learn how your bank makes most of its money and where its greatest risks lie. Service on the board’s audit committee would provide a very powerful introduction to the workings of your bank, because there’s very little that the audit committee doesn’t get involved in.

Learn About Technology and Try to Embrace It.
Technology tends to be a black hole for most boards. Most people in their 60s and 70s, which fits the profile of many directors who serve on bank boards, don’t understand or use technology as comfortably as those who are 20 or 30 years younger. The problem is that banking is undergoing a technological revolution that goes well beyond mobile (which gets most of the attention these days) and touches almost every area of the bank. Directors need to understand how these trends are likely to impact their institution. Some banks try to recruit at least one tech-savvy director to their board, but these people are hard to find—and even if you find one, you can’t delegate the responsibility to understand technology to that person. Regular board-level briefings from your bank’s chief technology officer, attendance at industry conferences and a commitment to read up on the topic can all help educate you. Also, experiment with some of the consumer technology that has come into financial services in recent years. If you have an iPhone, activate its wallet feature. Open a Venmo account and use it. And if you don’t use your own bank’s mobile banking app, shame on you!

Learn About Cybersecurity.
As banks become more digital, their cyber risk profile will increase ipso facto. Trying to lessen the risk by resisting the push toward digital banking isn’t a rational strategy because your institution will be left behind. The U.S. economy and our national culture are all being profoundly impacted by the digital phenomenon, and it’s a game that all banks simply have to play. Your role as a director is to make sure your bank has a good cybersecurity program and team in place, that the program conforms to the latest industry standards and regulatory expectations, and that the board is being briefed regularly.

These are not the only critical areas that new directors need to understand, of course, but they would be on my short list of things to go to school on if I had just joined a bank board. Congratulations and good luck!

Regulatory Issues to Watch In 2018


As 2018 unfolds, all eyes in the financial services industry continue to look to Washington, D.C. In addition to monitoring legislative moves toward regulatory reform and leadership changes at federal regulatory agencies, bank executives also are looking for indications of expected areas of regulatory focus in the near term.

Regulatory Relief and Leadership Changes
Both the U.S. House of Representatives and the Senate began 2018 with a renewed focus on regulatory reform, which includes rollbacks of some of the more controversial provisions of the Dodd-Frank Wall Street Reform and Consumer Protection Act, the sweeping reform passed after the 2008 financial crisis. These legislative actions are ongoing, and the final outcomes remain uncertain. Moreover, even after a final bill is signed, regulatory agencies will need time to incorporate the results into their supervisory efforts and exam processes.

Meanwhile, the federal financial institution regulatory agencies are adjusting to recent leadership changes. The Federal Reserve (Fed), Office of the Comptroller of the Currency (OCC), Federal Deposit Insurance Corporation (FDIC), National Credit Union Administration (NCUA), and Consumer Financial Protection Bureau (CFPB) have new leaders in place or forthcoming, some of whom have been vocal supporters of a more “common sense” approach to financial regulation and who generally are supportive of regulatory relief. In the case of the CFPB, the ultimate direction of the agency could remain uncertain until a permanent director is appointed later in 2018.

Regulators’ Priorities in 2018
Notwithstanding the regulatory reform efforts, following are some areas likely to draw the most intense scrutiny from regulatory agencies during 2018 examination cycles:

Credit-related issues. While asset quality continues to be generally sound industrywide, concerns over deteriorating underwriting standards and credit concentrations continue to attract significant regulatory attention, accounting for the largest share of matters requiring attention (MRAs) and matters requiring board attention (MRBAs).

The federal banking regulators have encouraged banks in recent months to maintain sound credit standards within risk tolerances, understand the potential credit risks that might be exposed if the economy weakens, and generally strengthen their credit risk management systems by incorporating forward-looking risk indicators and establishing a sound governance framework. At the portfolio level, regulators are particularly alert to high concentrations in commercial real estate, commercial and industrial, agriculture, and auto loans, according to the FDIC.

Information technology and cybersecurity risk. The Federal Financial Institutions Examination Council (FFIEC) updated its Cybersecurity Assessment Tool in May 2017. Although its use is voluntary, federal and state banking regulators typically consider a bank’s use of the FFIEC tool or some other recognized assessment or framework as part of their assessment of an organization’s cybersecurity risk management, controls, and resilience.

On a broader scale, in February 2018, the Department of Justice announced a new cybersecurity task force. Although the task force is not directed specifically at the financial services industry, its first report, expected to be released this summer, could provide useful insight into the scope of the task force’s activities and potential guidance into what types of regulatory actions and controls to expect in the coming years.

Bank Secrecy Act and anti-money laundering (BSA/AML) compliance. The industry has seen a steady increase in enforcement actions—some of which have included severe sanctions—when regulators perceived banks had pared back resources in this area too severely. Compliance with Office of Foreign Assets Control (OFAC) requirements and efforts to prevent terrorist financing are also continuing to draw regulatory scrutiny.

Consumer lending practices. Regulatory priorities in this area are likely to remain somewhat fluid given the leadership changes occurring at the CFPB, where a permanent director is to be appointed by September. Additionally, legislative efforts that could affect the structure and authority of the bureau also are underway.

Third-party and vendor risk management. It has been nearly five years since the OCC released OCC Bulletin 2013-29, which expanded the scope of banks’ third-party risk management responsibilities and established the expectation for a formal, enterprise-wide third-party risk management effort. Since then, regulatory agencies have issued several follow-up publications, such as OCC Bulletin 2017-7, which spells out supplemental exam procedures. Also in 2017, the FDIC’s Office of Inspector General issued a report with guidance regarding third-party contract terms, business continuity planning, and incident response provisions, and the Fed published an article, “The Importance of Third-Party Vendor Risk Management Programs,” which includes a useful overview of third-party risk issues.

Despite the industry’s hopes for regulatory relief in some areas, all financial services organizations should continue to focus on maintaining sound risk management policies and practices that reflect today’s environment of continuing change and growing competitive pressures.

How Technology Alters the Reality of Regulatory Compliance


In case you haven’t noticed, regulatory compliance is expensive. The banking industry spends an estimated $60-$70 billion a year on compliance, and many banks complain they have been forced to expand their compliance staffs in recent years just to keep up with the increase in regulations. Indeed, compliance-related activities can account for nearly 20 percent of a bank’s overhead.

The compliance function is also critically important. The three federal prudential bank regulators consider a poor compliance track record to be an indictment of a bank’s overall management capability, and they will severely punish any bank that has a significant compliance violation, especially of the Bank Secrecy Act (BSA) and related anti-money laundering (AML) regulations. Among the negative ramifications of a serious BSA violation is the inability to consummate an acquisition or execute a major business expansion. The poster child for this nightmare scenario is probably M&T Bank Corp., which acquired Hudson City Bancorp in July 2012 but was prevented by the Federal Reserve from completing the acquisition until November 2015 after the Fed uncovered deficiencies in M&T’s BSA program after the deal had been announced.

These and other issues will be topics of discussion at Bank Director’s 2018 The Reality of RegTech event, which takes place at the Nasdaq MarketSite April 18 in New York’s Times Square. Presentations focusing on regtech include an examination of some of the technologies impacting AML and know-your-customer (KYC) rules, and how artificial intelligence can be incorporated into a bank’s compliance program.

Compliance requirements like BSA, the Community Reinvestment Act, the Fair Lending Act, the Home Mortgage Disclosure Act and vendor management lend themselves well to the use of technology because they often involve large amounts of data and repetitive tasks, and the application of regtech solutions to these activities can lead to improvements in accuracy, efficiency and costs.

However, the promise of lower compliance costs may take longer to materialize, since the initial investment in new technology and the time needed to train the compliance staff until they become proficient with it could actually raise a bank’s compliance costs in the short run. In fact, in Bank Director’s 2018 Risk Survey, 55 percent of the participating directors and senior bank executives say their compliance budget actually increased after the introduction of new technology, while 27 percent say it had no effect and just 5 percent say it decreased.

The compliance function is not the only area where technology is increasingly being used to improve bank performance. Advanced tools also help senior executive teams and boards of directors improve their management and oversight of a variety of risk exposures. The risk management challenge is not unlike the compliance challenge in that there are often large amounts of data to manage and analyze—particularly in an area like credit risk—and technology can both accelerate and improve data aggregation and analysis. The Reality of RegTech event will also offer presentations on the integration of solutions to manage credit risk, emerging enterprise risk management solutions, and advancements in operational risk management.