Navigating Four Common Post-Signing Requests for Additional Information

Consolidation in the banking industry is heating up. Regulatory compliance costs, declining economies of scale, tiny net interest margins, shareholder liquidity demands, concerns about possible changes in tax laws and succession planning continue driving acquisitions for strategic growth.

Unlike many industries, where the signing and closing of an acquisition agreement may be nearly simultaneous, the execution of a definitive acquisition agreement in the bank space is really just the beginning of the acquisition process. Once the definitive agreement is executed, the parties begin compiling the information necessary to complete the regulatory applications that must be submitted to the appropriate state and federal bank regulatory agencies. Upon receipt and a quick review of a filed application, the agencies send an acknowledgement letter and likely a request for additional information. The comprehensive review begins under the relevant statutory factors and criteria found in the Bank Merger Act, Bank Holding Company Act or other relevant statutes or regulations. Formal review generally takes 30 to 60 days after an application is “complete.”

The process specifically considers, among other things: (1) competitive factors; (2) the financial and managerial resources and future prospects of the company or companies and the banks concerned; (3) the supervisory records of the financial institutions involved; (4) the convenience and needs of the communities to be served and the banks’ Community Reinvestment Act (CRA) records; (5) the effectiveness of the banks in combating money laundering activities; and (6) the extent to which a proposal would result in greater or more concentrated risks to the stability of the United States banking or financial system.

During this process, the applicant and regulator will exchange questions, answers, and clarifications back and forth in order to satisfy the applicable statutory factors or decision criteria towards final approval of the transaction. Each of the requests for additional information and clarifications are focused on making sure that the application record is complete. Just because information or documents are shared during the course of the supervisory process does not mean that the same information or documents will not be requested during the application process. The discussions and review of materials during the supervisory process is separate from the “application record,” so it helps bank management teams to be prepared to reproduce information already shared with the supervisory teams. A best practice for banks is to document what happens during the supervisory process so they have it handy in case something specific is re-requested as part of an application.

Recently, we consistently received a number of requests for additional information that include questions not otherwise included in the standard application forms. Below, we review four of the more common requests.

1. Impact of the Covid-19 Pandemic. Regulators are requesting additional information focused on the impact of the coronavirus pandemic. Both state and federal regulators are requesting a statement on the impact of the Covid-19 pandemic that discusses the impact on capital, asset quality, earnings, liquidity and the local economy. State and federal agencies are including a request to discuss trends in delinquency loan modifications and problem loans when reviewing the impact on asset quality, and an estimate for the volume of temporary surge deposits when reviewing the impact on liquidity.

2. Additional, Specific Financial Information. Beyond the traditional pro forma balance sheets and income statements that banks are accustomed to providing as part of the application process, we are receiving rather extensive requests for additional financial information and clarifications. Two specific requests are particular noteworthy. First, a request for financial information around potential stress scenarios, which we are receiving for acquirors and transactions of all sizes.

Second, and almost as a bolt-on to the stress scenario discussion, are the requests related to capital planning. These questions focus on the acquiror’s plan where financial targets are not met or the need to raise capital arises due to a stressed environment. While not actually asking for a capital plan, the agencies have not been disappointed to receive one in response to this line of inquiry.

3. List of Shareholders. Regardless of whether the banks indicate potential changes in the ownership structure of an acquiror or whether the consideration is entirely cash from the acquiror, agencies (most commonly the Federal Reserve), are requesting a pro forma shareholder listing for the acquiror. Specifically, this shareholder listing should break out those shareholders acting in concert that will own, control, or hold with power to vote 5% or more of an acquiring BHC. Consider this an opportunity for both the acquiror and the Federal Reserve to make sure control filings related to the acquiror are up to date.

4. Integration. Finally, requests for additional information from acquirors have consistently included a request for a discussion on integration of the target, beyond the traditional due diligence line of inquiry included in the application form. The questions focus on how the acquiror will effectively oversee the integration of the target, given the increase in assets size. Acquirors are expected to include a discussion of plan’s to bolster key risk management functions, internal controls, and policies and procedures. Again, we are receiving this request regardless of the size of the acquiror, target or transaction, even in cases where the target is less than 10% of the size of the acquiror.

These are four of the more common requests for additional information that we have encountered as deal activity heats up. As consolidation advances and more banks file applications, staff at the state and federal agencies may take longer to review and respond to applications matters. We see these common requests above as an opportunity to provide more material in the initial phase of the application process, in order to shorten the review timeframe and back and forth as much as possible. In any event, acquirors should be prepared to respond to these requests as part of navigating the regulatory process post-signing.

ESG Principles at Work in Diversifying Governance

Before environmental, social, and governance (ESG) matters became commercially and culturally significant, the lack of diversity and inclusion within governance structures was noted by stakeholders but not scrutinized.

The shifting tides now means that organizations lacking diversity in their corporate leadership could be potentially subjected to shareholder lawsuits, increased regulation and directives by state laws, investment bank requirements, and potential industry edicts.

Board and management diversity is undoubtedly a high-priority issue in the banking and financial services sectors. Numerous reports establish minority groups have historically been denied access to capital, which is mirrored by the lack of minority representation on the boards of financial institutions.

Some progress has been made. For example, for the first time in its 107-year history, white men held fewer than half of the board seats at the Federal Reserve’s 12 regional outposts. This was part of an intentional effort, as Fed leaders believe a more representative body of leaders will better understand economic conditions and make better policy decisions. However, further analysis reflects such diversity predominantly among the two-thirds of directors who are not bankers, while the experienced banking directors are mainly white males.

Board Diversity Lawsuits
The current pending shareholder suits have been primarily filed by the same group of firms and targeted many companies listed by a recent Newsweek article as not having a Black director. None of these suits involve financial institutions, but it is not hard to foresee such cases coming in the future. The lawsuits generally assert that the defendants breached their fiduciary duties and made false or misleading public statements regarding a company’s commitment to diversity. The Courts have summarily dismissed at least two suits, but a legal victory may not even be the goal in some cases.

Recently, Google’s parent settled its #MeToo derivative litigation and agreed to create a $310 million diversity, equity, and inclusion fund to support global diversity and inclusion initiatives within Google over the next ten years. The fund will also support various ESG programs outside Google focused on the digital and technology industries.

Regulatory, Industry, and Shareholder Efforts
Federal and state regulatory efforts preceded these recent lawsuits. The U.S. Securities and Exchange Commission has issued compliance interpretations advising companies on the disclosure of diversity characteristics upon which they rely when nominating board members and is expected to push more disclosure in the future. Additionally, the U.S. House of Representatives considered a bill in November 2019 requiring issuers of securities to disclose the racial, ethnic, and gender composition of their boards of directors and executive officers and any plans to promote such diversity.

These efforts will likely filter into boardrooms and may spur additional board regulation at the state level. In 2019, California became the first state to require headquartered public companies to have a minimum number of female directors or face sanctions, increasing 2021. In June 2020, New York began requiring companies to report how many of their directors are women. As other states follow California’s lead regarding board composition, we can expect more claims to be filed across the country.

At the industry level, the Nasdaq stock exchange filed a proposal with the SEC to adopt regulations that would require most listed companies to elect at least one woman director and one director from an underrepresented minority or who identify as LGBTQ+. If adopted, the tiered requirements would force non-compliant companies to disclose such failures in the company’s annual meeting proxy statement or on its website.

In the private sector, institutional investors, such as BlackRock and Vanguard Group, have encouraged companies to pursue ESG goals and disclose their boards’ racial diversity, using proxy votes to advance such efforts. Separately, Institutional Shareholder Services and some non-profit organizations have either encouraged companies to disclose their diversity efforts or signed challenges and pledges to increase the diversity on their boards. Goldman Sachs Group has made clear it will only assist companies to go public if they have at least one diverse board member.

Concrete Plans Can Decrease Director Risk
Successful institutions know their diversity commitment cannot be rhetorical and is measured by the number of their diverse board and management leaders. As pending lawsuits and legislation leverage diversity statements to form the basis of liability or regulatory culpability, financial institutions should ensure that their actions fully support their diversity proclamations. Among other things, boards should:

  • Take the lead from public and private efforts and review and, if necessary, reform board composition to open or create seats for diverse directors.
  • When recruiting new board members, identify and prioritize salient diversity characteristics; if necessary, utilize a diversity-focused search consultant to ensure a diverse pool of candidates.
  • Develop a quantifiable plan for diversity issues by reviewing and augmenting governance guidelines, board committee efforts, and executive compensation criteria.
  • Create and promote diversity and inclusion goals and incorporate training at the board and management levels.
  • Require quarterly board reporting on diversity and inclusion programs to reveal trends and progress towards stated goals.

As companies express their commitment to the board and C-level diversity and other ESG efforts, they should create and follow concrete plans with defined goals and meticulously measure their progress.

Why a Solid Risk Management Framework Helps Manage Change

Who owns risk management at your bank?

If your bank limits that function to the teams that report to the chief risk officer, it’s fumbling on two fronts: It’s failing to drive accountability across every corner of the enterprise, and it’s conceding its edge in a marketplace that’s never been more competitive.

Recognizing that every employee owns a piece of this responsibility make risk management an equal offensive and defensive pose for your organization. This empowers your employees to move nimbly, strategically and decisively when the bank encounters change, whether it’s an external regulatory pressure or an internal opportunity to launch a new product or service. In either case, your team navigates through change by building on best operational practices, which, in the end, work to your advantage.

Getting the bank into that position doesn’t happen overnight; the vision starts with the actions of your senior leaders. They set the tone and establish expectations, but everyone plays a hands-on role. When management prioritizes an environment where people can work collaboratively and have transparency into related roles, they foster consistency across your change management process that minimizes risk.

The need for a risk-aware culture aligns precisely with the signals coming out of Washington, D.C., that the stakes are getting higher. The Consumer Financial Protection Bureau hinted early at increased regulatory scrutiny, advising that it would tighten the regulatory standards it had relaxed to allow banks to quickly respond to customers’ financial hardship in 2020.

In response to the competitive and regulatory environment, your bank’s risk management framework should incorporate four key elements:

  • Start with setting the ground rules for how the bank will govern its risk. Define its risk strategy, the role the board and management will play and the committees that compose that governance structure — and don’t forget to detail their decision-making authority, approval and escalation process across those bodies. This upfront work also should introduce robust systems for ongoing monitoring and risk reporting, establish standard parameters on how the bank identifies issues and create a basic roadmap to remediate issues when they come along.
  • Operating Model. Distinguish the roles and responsibilities for every associate, with a key focus on how they manage risk generated by the core activities in that business. By taking the time to ensure all individuals, in every line of defense, understand their expected contributions, your bank will be ahead of the game because your people can act quicker and efficiently when a change needs to happen.
  • Standard Framework, Definitions and Taxonomies. In basic terms, everyone across the enterprise needs to speak the same language and assign risk ratings the same way. Calibrating these elements at the onset builds confidence that your bank gives thoughtful attention to categorize risks into the right buckets. Standardization should include assessment scales and definitions of different risks and risk events, leading to easier risk aggregation and risk reporting that enables a holistic view of risk across the enterprise.
  • Risk Appetite. Nothing is more important than establishing how much risk your organization is willing to take on in its daily business. Missing the mark can impact your customers, bottom line and reputation. Optimally, bank leaders will reestablish this risk appetite annually, but black swan events such as the pandemic should prompt more timely reviews.

Too often, banks reinvent the wheel every time a change or demand comes along. As the industry eyes increasing regulatory pressure in the year ahead, driving and promoting a robust risk management culture is no longer a “nice to have” within your organization; it’s a “need to have.”

When you reset the role and ownership of risk management as a strategic pillar in your bank’s future growth and direction you minimize your bank’s risk and actually propel your company forward.

Banks looking to check out best practices and a strategic framework for creating their enterprise risk framework should check out my latest whitepaper, Turning a Solid Risk Framework Into a Competitive Advantage.

Deal Integration Can Transform Finance, Risk and Regulatory Reporting

A number of banks announced mergers and acquisitions in 2020, capitalizing on growth opportunities against a forbidding backdrop of chronically low interest rates and anemic economic growth during the Covid-19 pandemic.

The deals ranged from more moderately sized with a few headline-grabbing mega-mergers —a trend that expected to continue through 2021.

The appeal of M&A for regional and superregional institutions in the United States is that the right transaction could create big benefits from economies of scale, and enhance the proforma company’s ability to gain business. While the number of deals announced in this environment are modest, the stakes involved in contemplating and executing them certainly are not. Nor is the work that banks will face after a combination. Once the transaction has been completed, the hard work begins.

A Closer Look From Regulators
One potential outcome is added scrutiny from the authorities; a new merged entity, with more assets and a broader range of activities, could have more complex risk calculations and reporting obligations to deal with.

Overall, regulators have sharpened their focus on banks during and after the merger process by performing additional audits, more closely scrutinizing key figures and ensuring that the M&A plan is being adhered to. Even if there are no significant changes to a firm’s profile with regulators, or if any needed changes in risk and reporting obligations are manageable, the formidable task of combining the operations of two organizations remains. A single, seamless whole must be assembled from two sets of activities, two work forces with their own culture and two sets of technological assets.

Merging the Parts, Not Just the Wholes
None of these issues is distinct from the others. Consider the technology: The proforma company will have to contend with two data systems — at least. Each company’s data management architecture has staff that makes it run using its own modus operandi developed
over years.

And that is the best-case scenario. Joining so many moving parts is no small feat, but it provides no small opportunity. Deal integration forces the constituent institutions to reassess legacy systems; when handled correctly, it can assemble a comprehensive, fully integrated whole from existing and new tech to meet the combined entity’s compliance and commercial needs.

Creating the ideal unified finance, risk and reporting system starts with an honest evaluation of the multiple systems of the merging partners. Executives should take particular care to assess whether the equipment and processes of the merged entity are better than the acquirer’s, or have certain features that should be incorporated.

Management also should consider the possibility that both sets of legacy systems are not up to present or future challenges. It could be that the corporate combination provides an opportunity to start over, or nearly so, and build something more suitable from the ground up. Another factor they should consider is whether the asset size of the new unified business warrants an independent verification process to supplement the risk and regulatory reporting program.

Understanding What You Have and What You Need
To get the evaluation process under way for the operational merger, a bank should list and assess its critical systems — not just for their functionality, but with respect to licensing or other contractual obligations with suppliers to determine the costs of breaking agreements.

Managers at the combined entity should look for redundancies in the partners’ systems that can be eliminated. A single organization can have a complicated back-end systems architecture, with intricate workarounds and many manual processes. Bringing together multiple organizations of similar complexity can leave the combined entity with expensive and inflexible infrastructure. A subledger and controlling functions can simplify this for finance, risk and regulatory reporting functions. They can consolidate multiple charts of accounts and general ledgers, relieving pressure on the general ledgers. Organizations in some cases can choose to migrate general ledgers to a cloud environment while retaining detailed data in a fat subledger.

Whatever choices executives make, a finance, risk and reporting system should have the latest technology, preferably based in the cloud to ensure it will be adaptable, flexible and scalable. Systems integration is critical to creating a unified financial institution that operates with optimal productivity in its regulatory compliance, reporting efforts and general business.
Integrating systems helps to assure standardization of processes and the accuracy, consistency,
agility and overall ease of use that result from it.

Best Practices to Achieve True Financial Inclusivity

According to the Federal Reserve’s report on the economic well-being of U.S. households in 2019, 6% of American adults were “unbanked” and 16% of U.S. adults make up the “underbanked” segment.

Source: Federal Reserve

With evolving technological advancements and broader access to digital innovations, financial institutions are better equipped to close the gap on financial inclusivity and reach the underserved consumers. But to do so successfully, banks first need to address a few dimensions.

Information asymmetry
Lack of credit bureau information on the so-called “credit invisible” or “thin file” portions of unbanked/underbanked credit application has been a key challenge to accurately assessing credit risk. Banks can successfully address this information asymmetry with Fair Credit Reporting Act compliant augmented data sources, such as telecom, utility or alternative financing data. Moreover, leveraging the deposits and spend behavior can help institutions understand the needs of the underbanked and unbanked better.

Pairing augmented data with artificial intelligence and machine learning algorithms can further enhance a bank’s ability to identify low risk, underserved consumers. Algorithms powered by machine learning can identify non-linear patterns, otherwise invisible to decision makers, and enhance their ability to screen applications for creditworthiness. Banks could increase loan approvals easily by 15% to 40% without taking on more risk, enhancing lives and reinforcing their commitment towards the financial inclusion.

Financial Inclusion Scope and Regulation
Like the Community Reinvestment Act, acts of law encourage banks to “help meet the credit needs of the communities in which they operate, including low- and moderate-income (LMI) neighborhoods, consistent with safe and sound banking operations.” While legislations like the CRA provide adequate guidance and framework on providing access to credit to the underserved communities, there is still much to be covered in mandating practices around deposit products.

Banks themselves have a role to play in redefining and broadening the lens through which the customer relationship is viewed. A comprehensive approach to financial inclusion cannot rest alone on the credit or lending relationships. Banks must both assess the overall banking, checking and savings needs of the underbanked and unbanked and provide for simple products catering to those needs.

Simplified Products/Processes
“Keep it simple” has generally been a mantra for success in promoting financial inclusion. A simple checking or savings account with effective check cashing facilities and a clear overdraft fee structure would attract “unbanked” who may have avoided formal banking systems due to their complexities and product configurations. Similarly, customized lending solutions with simplified term/loan requirements for customers promotes the formal credit environment.

Technology advancements in processing speed and availability of digital platforms have paved the way for banks to offer these products at a cost structure and speed that benefits everybody.

The benefits of offering more financially inclusive products cannot be overstated. Surveys indicate that consumers who have banking accounts are more likely to save money and are more financially disciplined.

From a bank’s perspective, a commitment to supporting financial inclusivity supports the entire banking ecosystem. It supports future growth through account acquisition — both from the addition of new customers into the banking system and also among millennial and Gen Z consumers with a demonstrated preference for providers that share their commitment to social responsibility initiatives.

When it comes to successfully executing financial inclusion outreach, community banks are ideally positioned to meet the need — much more so than their larger competitors. While large institutions may take a broader strategy to address financial inclusion, community banks can personalize their offerings to be more relevant to underserved consumers within their own local markets.

The concept of financial inclusion has evolved in recent years. With the technological advancements in the use of alternative data and machine learning algorithms, banks are now positioned to market to and acquire new customers in a way that supports long-term profitability without adding undue risk.

Solve the Right Problem: The Path to Remediation Success

At some point, your bank will find an operation or process isn’t working or failing on intent. When that happens, don’t fall prey to the impulse to fix the wrong problem without looking below the surface for the root cause.

No matter the scenario, your best position is always to self-identify an issue and kick off remediation before a customer or regulator reports a problem. Once external forces step in, the stakes run even higher; you really can’t afford a misstep. Without question, the most common way that banks err is by starting on the wrong foot.

In my front-line experiences, I’ve seen financial institutions work ambitiously on remediating issues only to have regulators assign a failing grade. While no bank wants to be under a regulatory finding’s shadow, working smart and rejecting shortcuts is the only way to deliver the right solution and minimize future risk. With compliance costs expected to more than double and reach 10% of revenue spend by 2022, banks can’t afford to get it wrong.

Here are the steps for an effective remediation:

1.Take a breath — then dive into the deep end
Too often, companies fix what they think is the problem, only to learn that they’ve missed the mark and broken other things along the way. Not understanding the crux of the issue wastes a bank’s time, energy and resources.

If you’re dealing with a regulatory finding, be sure to engage your legal and compliance teams to ensure you understand the issue and solve for exactly what’s at risk, especially for issues with broader scope and breadth. Those leading your remediation plan should dig deeper into root problems by asking “why?” up to five times, peeling off another layer each time as you strive toward the core issue. Apply those questions to your business problem until you’ve identified the precise thing that needs to be fixed.

2. Know how to get from Point A to Point Z
Develop a roadmap to move effectively and efficiently from understanding the issue and identifying root causes to implementing solutions. From aligning on stakeholder engagement to technology resources, no solution happens overnight. Some regulatory remediation activities can take 12 to 18 months to resolve.

3. Make sure everyone’s on the same journey
Nothing derails remediation more than missed consensus on its direction and end goal. Remain focused on actions to fix your root issue, ease regulator or auditor concerns  and reduce customer complaints. Engage the right people in the right roles. Involving too many people can water down intent, while involving too few means you might miss capturing relevant insights from key parts of your business.

4. Document your journey
A comprehensive action plan can take time to execute. During that time, people in key roles might leave and business processes, and objectives, technology or regulations could change. Thorough and complete documentation keeps a record of execution activities, action plan or intent changes, and provides evidence of key decisions.

5. You’re not finished until you get an official pat on the back
Did your action plan include time to validate your work? Whether you have a third-line audit, loan review finding or a regulatory ruling, the issuer will return to confirm you solved the right problem completely. Build in solid testing to validate your solution fulfills on its intent, with no side effects that disrupt other processes. Also, if possible, check in with third-line partners regularly or when hitting major milestones to prevent surprises.

Remediation success comes with both the assessor’s endorsement, as well as sustained results from your action plan as evidenced by reporting and monitoring put into place. More importantly, don’t overlook this moment to repurpose your team’s learnings and experiences as the foundation for a repeatable remediation framework. When the next issue arises — and it will — your bank will already have a strategy and blueprint for smart action with minimal risk.

How the Edges of Financial Technology Could Change Regulation

Financial regulation in the United States follows a longstanding pattern: The presidential administration changes, the other political party takes power and the financial regulation pendulum swings. Those working in compliance inevitably need to recalibrate.

President Joe Biden’s messaging so far has aimed to minimize polarization. This bodes well for moving beyond the typical “financial deregulation” versus “more regulation” dynamic. It gives the industry an opportunity to turn our attention towards pulling the overall framework out of an old, slow, manual and paper-based reality. What the U.S. financial regulatory framework really needs are large, fundamental overhauls and modernizations that will support a healthy, ever-changing financial services marketplace — not just through the next presidential administration, but further beyond, through the next several decades.

The incoming leadership could make regulation smarter and more effective with reforms that:

  • Measure success by outcomes and evidence, as opposed to procedural adherence.
  • Leverage technology to streamline compliance for agencies as well as providers.
  • Catch up and keep up with the ongoing advancements in financial technology.

The time for these sorts of changes just so happens to be ripe.

Digital or cryptocurrencies and charters for financial technologies have an awkward fit within the existing regulatory framework. Cannabis, another fringe area of finance, poses extra layers of legal and regulatory challenge, but its status could change on a dime if the new administration resolves the state and federal disconnect. All three of these peripheral business opportunities have gained significant momentum recently and may force regulators to adapt. To support these new use cases, which would otherwise break existing bank infrastructure, technology providers would have to modernize in ways that would benefit financial service compliance across the board.

As the emerging regulatory lineup takes shape from the legacies of the outgoing agency heads, the swing from the past administration to the present may not be all that dramatic. There are strange bedfellows in fintech. In the last six months of Donald Trump’s administration, there was already a balance between Acting Comptroller of the Currency Brian Brooks and U.S. Treasury Secretary Steven Mnuchin.

Brooks was indeed very active in his short tenure. Under him, the Office of the Comptroller of the Currency issued full-service national bank charters for fintech companies, published interpretive letters supporting digital currencies and published a working paper from its chief economist, Chartering the FinTech Future,” that lent support to the use of stablecoins.

In contrast, Mnuchin spent his last month in office encouraging  Financial Crimes Enforcement Network, or FinCEN, to issue a controversial proposed rulemaking that would affect crypto wallets and transactions. Critics argue this would make compliance impossible for decentralized technologies.

The Biden administration may have a similar dynamic between these two regulatory roles, albeit less dramatic. The confirmation of Treasury Secretary Janet Yellen, with her experience and moderate stance, conveys a great deal of stability. Still, she may not champion stablecoins, given her public statements on cryptocurrency.

At writing, Michael Barr is the anticipated pick for comptroller. His extensive and diverse résumé shows a long history of supporting fintech. We anticipate that he would continue the momentum towards modernization that Brooks started.

Gary Gensler, the nominated chair of the Securities and Exchange Commission, has a great deal of expertise and enthusiasm for digital currencies. Since his tenure as chair of the Commodity Futures Trading Commission during Barack Obama’s administration, he has served on faculty at MIT Sloan School of Management, teaching courses on blockchain, digital currencies and other financial technologies. Chris Brummer, the Biden administration’s anticipated choice for the CFTC, currently serves as faculty director at Georgetown University’s Institute of International Economic Law, has written books on the regulation of financial technologies and founded D.C. Fintech Week to help promote discussion of fintech innovation among policymakers.

When we get to the outer edges of finance — to crypto, charters and cannabis — the divide between political camps starts to disappear. But there’s still quite a bit of rigidity in the traditional financial industry and regulatory framework. Combining the slate of steady, open-minded regulators with the building pressures of technology yields reasonable hope for regulatory overhauls that will pull compliance along into the future.

The High Cost of the Suspicious Activity Report

Bank boards know all too well about the reputational toll and hefty fines from lapses in regulatory compliance. But governance usually doesn’t tend to drill down into specific practice areas and their finer-grained costs.

An ounce of prevention, though less expensive than the proverbial cure, still runs pretty high in Bank Secrecy Act and anti-money laundering (BSA/AML) compliance programs. Directors might want to ask for a more-detailed picture from their bank’s AML team at the next board meeting. Not just to follow up on the damage-control response to the FinCEN Files media spectacle, but also in terms of profit and loss and team morale issues.

Suspicious activity reports (SARs) can get very expensive. We conservatively estimate that about $180 million in annual BSA/AML analyst salaries in the U.S. goes just to preparing the SAR form. But there’s also a huge opportunity to do better for society.

What are SARs? Some might say they are a headache-inducing form that demands a whole lot of painstaking and tedious detail, and then never quite fulfills its ultimate purpose of stopping criminals. Unfortunately, there’s a lot of truth to that description. What should — and could — SARs be?

  • An essential tool for fighting crime.
  • An effective communication channel for AML collaboration.
  • An invaluable resource for law enforcement to identify, track, and prosecute criminals.

At the risk of overstating the obvious, not every “suspicious” activity leads to criminal activity. Though banks do have the power to block the flow of funds, financial crime regulators (in the U.S., that’s the Financial Crimes Enforcement Network, or FinCEN) and jurisdictional law enforcement (such as district attorneys) hold the authority to go after the criminals. A bank’s primary responsibility in AML is to provide relevant information from the financial vantage point.

The level of detail can make all the difference in the usefulness of these reports. A complete and accurate SAR, filed with ample, highly relevant information, provides texture and nuance for regulators to make strong decisions about which cases deserve the attention of law enforcement. Prosecutors can then use information from SARs to build criminal cases. A future with somewhat fewer illicit arms sales or much less human trafficking could hinge on a few form fields.

The status quo for most bank AML compliance programs entails a substantial amount of manual inputs. Lacking automation, providing more high quality detail in SARs demands more time. U.S. financial institutions filed 2.3 million SARs in 2019. An AML analyst can command, on average, an annual salary of $75,000. These figures, plus some other industry-specific estimates and general human resources conventions, fed into my calculation above for the total annual SARs tab for U.S. financial institutions. And that $180 million figure doesn’t even account for the nine out of 10 investigations that don’t lead to a SAR filing — yet typically do result in more monitoring.

Manual processes, even with the best intentions of highly skilled AML teams, are inherently prone to human error. I also suspect these professionals would rather focus on the aspects of their work that demand the subtle discernment of human judgement. Some of the lowest-hanging fruit for using technology in AML investigations include automation that can:

  • Populate the SAR form with case information.
  • Organize case data from fragmented sources across the bank and vendors.
  • Visualize trends in the case to spot strange behaviors.
  • Quickly separate false positives from true positives.
  • Capture the insights of investigators as structured data, creating clean data that can be used for analytics and machine learning.
  • Validate and quickly transmit the SAR to expedite information flow.
  • Securely store the case information for future analytics and audits.
  • Keep casework across the team thorough and efficient.

Investigating and reporting suspicious financial activity is both an enormous expense for banks and a systemically important resource for protecting society. It’s worth investing in automation technology that will make a bank’s BSA/AML compliance program more efficient and effective.

How a specific bank might move forward in leveraging compliance automation technology will vary on a wide range of factors. Adopting this sort of technology isn’t an all-or-nothing proposition. A careful analysis of a bank’s AML practice area can identify minor changes that are likely to have an outsize impact in the fight against crime.

FinCEN Files: What Community Banks Should Know

Big banks processed transactions on the behalf of Ponzi schemes, businesses accused of money laundering and a family of an individual for whom Interpol had issued a notice for his arrest — all while diligently filing suspicious activity reports, or SARs.

That’s the findings from a cache of 2,000 leaked SARs filed by banks such as JPMorgan Chase & Co, Bank of America Corp., Citibank and American Express Co. to the U.S. Treasury Department’s Financial Crimes Enforcement Network, or FinCEN. These files, which media outlets dubbed the “FinCEN Files,” encompassed more than $2 trillion in transactions between 1999 and 2017.

Community banks, which are also required to file SARs as part of Bank Secrecy Act/anti-money laundering laws, may think they are exempt from the scrutiny and revelations applied to the biggest banks in the FinCEN Files. Not so. Bank Director spoke with two attorneys that work with banks on BSA/AML issues for what community banks should take away from the FinCEN Files.

Greater Curiosity
Community banks should exercise curiosity about transaction trends in their own SARs that may add up to a red flag — whether that’s transaction history, circumstances and similarities to other cases that proved nefarious. Banks should ask themselves if these SARs contain details that indicated the bank should’ve done something more, such as not complete the transaction.

“That is probably the biggest go-forward lesson for banks: Make sure that your policies and procedures are such that — when someone is looking at this in hindsight and evaluating whether you should have done something more — you can demonstrate that you had the proper policies and procedures in place to identify when something more needed to be done,” says James Stevens, a partner at Troutman Pepper.

Although it may be obvious, Stevens says banks should be “vigilantly evaluating” transactions not just for whether they merit a SAR, but whether they should be completed at all.

Size Doesn’t Matter
When it comes to BSA/AML risk profiles and capabilities, Stevens says size doesn’t matter. Technology has leveled the playing field for many banks, allowing smaller banks to license and access the capabilities that were once the domain of larger banks. It doesn’t make a difference in a bank’s risk profile; customers are its biggest determinant of a bank’s BSA/AML risk. Higher-risk customers, whether through business line or geography, will pose more risk for a bank, no matter its size.

But banks should know they may always be caught in between serving customers and regulatory activity. Carleton Goss, counsel at Hunton Andrews Kurth, points out that changing state laws mean some financial institutions can serve cannabis businesses that are legal in the state but still need to file SARs at the federal level. Banks may even find themselves being asked by law enforcement agencies to keep a suspicious account open to facilitate greater monitoring and reporting.

“There’s definitely a tension between serving customers and preventing criminal activity,” he says. “You don’t always know the extent of the activities that you’ve reported — the way the SAR reporting obligation is worded, you don’t even have to be definitively sure that a crime has occurred.”

“Front Page of the Newspaper” Test
Reporting in recent years continues to cast a spotlight on BSA/AML laws. Before the FinCEN Files, there was the 2016 Panama Papers. Stevens says that while banks have assumed that SARs would remain confidential and posed only legal or compliance risk, they should still be sensitive to the potential reputational risks of doing business with certain customers — even if the transactions they complete for them are technically compliant with existing law.

Like everything else we do, you have to be prepared for it to be on the front page of the newspaper,” he says.

Media reports mean that regulatory pressure and public outrage could continue to build, which could heighten regulatory expectations.

“Whenever you see a large event like the FinCEN files, there tends to be pressure on the regulators to ‘up their game’ to avoid giving people the perception that they were somehow asleep at the wheel or missed something,” Goss says. “It would be fair for the industry to expect a little bit more scrutiny than they otherwise would on their next BSA exam.”

How Innovative Banks Manage Cannabis-Related Businesses

The number of banks providing financial services to cannabis-related businesses (CRBs) has doubled in the last two years according to filings from the Financial Crimes Enforcement Network.

But, once a bank answers the philosophical question of whether it wants to participate in the cannabis industry, it must consider the more difficult question of how. Technology firms have sprung up to help banks fill this need, but assessing the value propositions of these solutions in such a nascent, complex industry can be a challenge.

Alan Hanson helped establish one of the first cannabis banking programs in the nation as the general counsel of Salem, Oregon-based Maps Credit Union back in 2014. In his experience, software “can gather the data, but really can’t evaluate the data” needed to manage CRB risk.

Many new compliance solutions gather data by tying into the point-of-sale systems used by CRBs and the seed-to-sale tracking systems run by the states. Hanson, now a Portland, Oregon-based attorney at Gleam Law, says these tools can typically match CRB sales to the deposits that come into the bank. However, they can’t always assess vital information, like where that money goes when it leaves a CRB account. For that, it’s important to have compliance staff that has a handle on their cannabis clients’ operations and vendor networks.

For example, if a CRB client misallocated funds from their dispensary to their grow operation, a well-trained banker could spot the discrepancy based on the use of funds to purchase special lights or tubing that aren’t required for a dispensary operation. Those types of distinctions can be harder for technology platforms to detect.

Technology is most helpful for managing the processes associated with onboarding, ongoing document collection, case management and reporting.

Some institutions, like Narragansett Financial Corp. bank unit BayCoast Bank, leverage their existing Bank Secrecy Act (BSA) solution — Verafin — for reviewing suspicious, flagged activities. The Swansea, Massachusetts-based bank supplements the BSA process with quarterly audits and support from employees with experience in both compliance and customer service. For more specialized monitoring tasks, the $1.9 billion bank uses spreadsheets and other traditional methods. As BayCoast’s number of CRB clients grows, so does its team. Chief Risk Officer Gary Vierra oversees the CRB program and estimates the bank needs one full-time employee for every eight to 10 CRB clients.

Other banks are looking to CRB-specific tools to help them get into cannabis banking without materially growing headcount. That was one of the goals for Marlborough, Massachusetts-based Main Street Bank, which has just over $1 billion in assets. It selected technology from Shield Compliance to help manage its CRB program.

Potential clients told the bank they needed a simple, single place to manage documentation requests and other communication with the bank. This led Main Street to select Shield, which provides automated compliance and document collection workflows in addition to BSA functions. Main Street’s team liked that the Shield interface mirrored Verafin, which the BSA team was already using, and estimated that the platform enabled it to launch its CRB program with about a third of the staff they would have needed otherwise.

CRB-specific compliance tools are gaining traction within banks, but there are other “silver bullet” solutions financial institutions should be wary of. The biggest one is companies that claim to help CRBs accept credit and debit card payments.

Currently major card brands do not allow CRBs to participate in their networks; forcing them to rely on cash causes significant, practical issues for these businesses and their banks. To address that pain point, some companies circumvent the prohibition by coding transactions in such a way that the networks do not recognize them as being linked to cannabis purchases — essentially masking the transactions as something else. “That’s not the way we do business,” Vierra says, “and most of the cannabis companies don’t want to do business that way either.”

Cannabis banking presents opportunities for banks to increase fee income and broaden their deposit base among a profitable niche. But with those opportunities comes the challenge of creating a compliant program for serving complex businesses. Technology can help, but banks need a solid understanding of the industry to succeed.

Potential Technology Partners:

Shield Compliance

Built by a former banker, Shield Compliance helps financial institutions manage CRB operations in a format that’s familiar to compliance officers.

Abaca

This company’s compliance specialists follow up on suspicious activity for the bank, and assist with identifying and vetting potential CRB clients.

Green Check Verified

This compliance platform provides a wealth of information to help banks understand the cannabis banking landscape nationally and within local markets.

Learn more about the technology providers in this piece by accessing their profiles in Bank Director’s FinXTech Connect platform.