Over the past year, we have seen at least 27 Bank Secrecy Act (BSA) enforcement actions from an array of financial institution supervisory agencies. Banks of all sizes, including community banks, continue to be hit with cease and desist (C&D) orders, formal agreements, consent orders and even civil money penalties (CMP). Five of these actions involved monetary penalties of some sort totaling nearly $4 billion — all but about $109 million coming from one case with four federal agency actions against one bank, and one $100,000 CMP imposed against an individual for BSA noncompliance. These enforcement actions remind us that even community banks and thrifts must have thorough and well-managed BSA compliance programs.
The enforcement actions do not spell out specifics of what the agencies found at each institution, but they do give us important insights into what the regulators will expect during your next BSA compliance exam.
Community banks should evaluate their BSA compliance programs in light of the corrective actions that these institutions are required to take.
Another important issue that financial institution management should remember is that the USA PATRIOT Act made BSA compliance as important as Community Reinvestment Act (CRA) compliance in getting an application approved. The Act adds BSA as a factor for consideration in merger transactions. The agency must take into consideration “the effectiveness of any insured depository institution involved in the proposed merger transaction in combating money laundering activities.” This means that banks and thrifts must have more than a written BSA program. They must be able to demonstrate that the program works.
BSA Compliance Programs
All insured banks and thrifts are required to develop, administer and maintain a program that assures and monitors compliance with the BSA and its implementing regulations, including recordkeeping and reporting requirements. Such a program can help protect a bank against possible criminal and civil penalties and asset forfeitures.
At a minimum, a bank’s internal compliance program must be written, approved by the board of directors and noted as such in the board meeting minutes. The program must include at least the following elements:
- A system of internal controls to assure ongoing compliance.
- Independent testing of compliance.
- Daily coordination and monitoring of compliance by a designated person.
- Training for appropriate personnel.
- Risk-based customer due diligence/beneficial ownership procedures.
Internal Controls
Senior management is responsible for assuring an effective system of internal controls for the BSA, including suspicious activity reporting, and must demonstrate its commitment to compliance by:
- Establishing a comprehensive program and set of controls, including account opening, monitoring and currency reporting procedures.
- Requiring that senior management be kept informed of compliance efforts, audit reports, identified compliance deficiencies and corrective action taken — to assure ongoing compliance.
- Making BSA compliance a condition of employment.
- Incorporating compliance with the BSA and its implementing regulations into job descriptions and performance evaluations of bank personnel.
Independent Testing of Compliance
The bank’s internal or external auditors should be able to:
- Attest to the overall integrity and effectiveness of management systems and controls, and BSA technical compliance.
- Test transactions in all areas of the bank with emphasis on high-risk areas, products and services to ensure the bank is following prescribed regulations.
- Assess employees’ knowledge of regulations and procedures.
- Assess the adequacy, accuracy and completeness of training programs.
- Assess the adequacy of the bank’s process for identifying suspicious activity.
Internal review or audit findings should be incorporated after each assessment into a board and senior management report and reviewed promptly. Appropriate follow-up should be ensured.
Regulators increasingly expect the BSA audit or testing program to also include these elements:
- Confirmation of the integrity and accuracy of management information reports used in the anti-money laundering (AML) compliance program.
- Overall integrity and effectiveness of the program.
- Evaluation of management’s efforts to resolve violations and deficiencies.
- Evaluation of the effectiveness of the suspicious activity monitoring systems.
- Review of the BSA risk assessment for reasonableness given the bank’s risk profile.
BSA Compliance Officer
A bank or thrift must designate a qualified bank employee as its BSA compliance officer, who has day-to-day responsibility for managing all aspects of the BSA compliance program and compliance with all BSA regulations. The BSA compliance officer may delegate certain BSA compliance duties to other employees but not compliance responsibility.
The bank’s board of directors and senior management must ensure that the BSA compliance officer has sufficient authority and resources — time, funding, staffing — to administer effectively a comprehensive BSA compliance program. And, the BSA officer must have a direct reporting channel to the board of directors.
Board of Directors
The board must ensure that it exercises supervision and direction of the BSA/AML program. This involves making sure that the institution develops sound BSA/AML policies, procedures and processes that are approved by the board and implemented by management. The board also has to ensure that the bank maintains a designated BSA officer with qualifications commensurate with the bank’s situation. As noted above, the BSA officer must report directly to the board and be vested with sufficient authority, time and resources. The board must provide for adequate independent testing of BSA/AML compliance. The board should bear in mind that it has the ultimate responsibility for the institution’s BSA compliance.
Training
Financial institutions must ensure that appropriate bank personnel are trained in all aspects of the regulatory requirements of the BSA and the bank’s internal BSA compliance and AML policies and procedures.
An effective training program includes provisions to ensure that all bank personnel, including senior management, those who have contact with customers (whether in person or by phone), those who see customer transaction activity or those who handle cash in any way, receive appropriate training. Board members also need to receive regular BSA/AML training, though at a much higher level with less detail than institution-line employees.
The training needs to be ongoing and incorporate current developments and changes to the BSA, AML laws and agency regulations. New and different money laundering schemes involving customers and financial institutions should be addressed. It also should include examples of money laundering schemes and cases tailored to the audience and the ways in which such activities can be detected or resolved.
Another focus of the training should be on the consequences of an employee’s failure to comply with established policies and procedures (e.g., fines or termination). These programs also should provide personnel with guidance and direction in terms of bank policies and available resources.
Beneficial Ownership Procedures
The beneficial ownership rule contains three core requirements:
- Identifying and verifying the identity of the beneficial owners of companies opening accounts;
- Understanding the nature and purpose of customer relationships to develop customer risk profiles; and
- Conducting ongoing monitoring to identify and report suspicious transactions and, on a risk basis, to maintain and update customer information.
A beneficial owner is an individual who owns more than 25% of the equity interest in a company or is the single individual who exercises control. Also subject to these requirements is the one person who has control of each legal entity customer.
Beyond the Basics
BSA enforcement actions continue to raise the bar for all financial institutions. BSA compliance programs must meet additional standards in order to be considered adequate to meet the ever-evolving challenges that arise over time:
- Customer Due Diligence (CDD): Verifying a customer’s name, address, date of birth and identification number will satisfy the basic BSA customer identification requirements. However, these four pieces of information will not be enough to help an institution determine a customer’s typical account activity. The recent C&D orders make clear that regulators expect community bank managers to use information collected as part of the institution’s CDD process to predict the type, dollar amount and volume of transactions that a customer is likely to conduct. This expectation goes beyond the new beneficial ownership rule to extend CDD expectations to the broader customer base.
Several institutions subject to the recent round of enforcement actions were directed to develop specific procedures to describe how the institution will conduct customer due diligence. As computer and software technology has improved, regulators have come to expect small and large banks to gather and review information about the normal range of a customer’s banking activities. They view the CDD processes and analysis as providing the framework that enables institutions to comply with suspicious activity reporting requirements.
- Account and Transaction Monitoring: A number of institutions that received the most recent orders did not have adequate, or any, procedures for detecting and reporting suspicious activities. The enforcement actions make clear that community banks must specify in writing how the institution will analyze and use customer information to detect suspicious activities. As this area gets more complex, it becomes more difficult to try to maintain an adequate suspicious activity monitoring regimen without some form of automated monitoring.
Conclusion
The costs of being subject to an enforcement action go beyond extra regulatory scrutiny in subsequent examinations. Institutions under the latest round of actions must report the enforcement action in communications with their shareholders and spend significant sums of money to hire outside consultants to train employees, audit the revised BSA programs and backfile required reports. They also must submit planned actions to the regulators involved for prior approval, as well as report regularly (usually quarterly) on their progress in remediating the deficiencies that led to their particular enforcement action.
An interagency BSA enforcement policy statement clarifies that formal enforcement actions will not be issued for minor BSA infractions. These enforcement actions are levied against financial institutions — including community banks — with significant breakdowns in their BSA compliance systems. The consent and other orders illustrate that all banks are expected to have very specific procedures for how they will collect customer information, predict customer account activity, utilize transaction monitoring reports, and train and manage employees with BSA-related responsibilities.
Be sure that you are not an object lesson for your banking fellows. If we can help, contact us.
William J. Showalter, CRCM, CRP, is a senior consultant with Young & Associates Inc. (www.younginc.com) with over 35 years of experience in compliance consulting, advising and assisting financial institutions on consumer compliance and compliance management issues. He also has developed and conducted compliance training programs for individual banks and their trade associations and has authored or co-authored numerous compliance publications and articles. Bill can be reached at (330) 678-0524 or wshowalter@younginc.com.