The world of FinCrime is more dynamic than ever, with fraud escalating thanks to an increase in mobile payments precipitated by the pandemic and security concerns rising over the Russian conflict in Ukraine. The anti-money laundering (AML) industry waits patiently for further regulations and guidance on the Anti-Money Laundering Act of 2020 (AMLA), specifically expectations for aligning with the eight FinCEN priorities. What does this mean for the current regulatory focus for financial institutions? A panel of experts from top regulatory and supervisory agencies recently spoke at the Hawaii Bankers Association (HBA) BSA/AML Symposium to give insight into what they will be looking for in the 2022 examinations. Below are the top ten regulatory hot topics, in no order of importance.
Sanctions are fast becoming the most crucial focus of the year. Be assured that your regulators will look at your sanctions program more closely than at prior exams, and rightly so. Office of Foreign Assets Control (OFAC) compliance should be a high focus as sanctions become more complex and require constant diligence. Pay close attention to added Russian entities and individuals and understand your scanning logic. If your institution does not have automated OFAC scanning, now may be the time to invest in reputable software. Consider adding an enhanced section on Russian sanctions to your OFAC policy to show your regulators that you understand the magnitude of this situation. The reputational risk alone is significant to your institution if you let a sanctioned Russian transaction fall through the cracks. If your institution needs assistance enhancing your sanctions program, a downloadable “Key Components of a Strong Sanctions Compliance Program” may help.
2. AMLA Preparation
With the passing of AMLA on Jan. 1, 2021, the most sweeping regulatory changes since the USA PATRIOT Act were put into motion. The AML industry is waiting for guidance from FinCEN on regulatory expectations around the requirements, particularly associated with the eight FinCEN priorities. A joint interagency statement issued June 2021 made it clear there were no immediate expectations from the regulators for financial institutions to act until rules and guidance were released. However, the panel suggested thinking and planning around AMLA requirements and informing executive management of expected changes. According to the panel, financial institutions should be prepared to answer the “how are you planning” questions during their 2022 exams.
3. Beneficial Ownership Information
As part of AMLA, the Corporate Transparency Act (CTA) includes enhanced requirements around beneficial ownership information and establishes the beneficial owner database for legal entity customers. There have been three stages of implementation so far, with a final rule and changes to the 2018 customer due diligence (CDD) legislation still forthcoming. Financial institutions must continue to comply with the CDD rule today but should carefully follow all future changes and be ready to implement them. There will likely be a grace period for implementing any changes, as was given with the 2018 rule, and banks and credit unions must be fully informed when that time comes. It should be noted that CDD is one of the most common regulatory findings and is further discussed in the common deficiencies later in this article.
In general, traditional financial institutions have a low-risk tolerance for banking cryptocurrency. Few banks and credit unions are settling cryptocurrency accounts, posing a higher risk for illicit activity. At the most, banks and credit unions may knowingly or unknowingly provide services for cryptocurrency exchanges, such as Coinbase or Binance. The COVID-19 pandemic increased the need to move funds virtually, and cryptocurrency usage filled this need. Regulators advise financial institutions to have risk-based cryptocurrency policies and procedures for their enterprise-wide risk assessment. Once the risk is assessed, create procedures around the residual risk. After all, there is a big difference between financial institutions that purchase cryptocurrency or hold it as a fiduciary and those that process cryptocurrency for customers or act as a clearinghouse for cryptocurrency exchanges. Each scenario has different risks and different due diligence expectations. A financial institution must understand the nature and purpose of each account associated with cryptocurrency and its expected activity and know their customer’s customers. Consider this one of the higher risk areas of BSA, and make sure your financial institution’s cryptocurrency policies are included in your risk assessment.
Speakers on the HBA panel predict that we may not see legislative clarity on the cannabis industry at the federal level for a while due to partisan disagreements. Therefore, continued due diligence is necessary for financial institutions, whether they are knowingly providing traditional services to cannabis-related businesses (CRBs) or not. The Secure and Fair Enforcement Banking Act of 2021 (SAFE Act) will undoubtedly help the AML industry and the regulators by authorizing safe harbor to financial institutions providing services to the cannabis industry and has passed the House for the third time. But with priorities shifting due to current global threats, the cannabis banking topic is not likely to move in Congress anytime soon. Regardless, financial institutions should continue to shore up policies and procedures around CRBs.
6. Non-Bank Financial Institutions
Non-Bank Financial Institutions (NBFIs) are under increased regulatory scrutiny. Financial institutions should know which types of NBFIs they provide services to and conduct a thorough risk assessment on each NBFI category. Regulators want to see enhanced due diligence (EDD) on those NBFIs that present a higher risk to the institution, such as money services businesses and other non-depository institutions requiring AML/BSA programs. Banks and credit unions may be asked to provide copies of their NBFI customer’s AML program during their exam, so being proactive in obtaining a copy from each customer at onboarding and updating it throughout the life of the account would be prudent. An NBFI AML program can be lighter than a full-service traditional bank or credit union program. Still, it should address the five BSA pillars and the enhanced due diligence suggestions laid out in the FFIEC BSA Examination Manual. Noted deficiencies for NBFI AML programs include not being robust, not securing an independent audit, failing to do customer due diligence (CDD) on mortgages, and appointing a BSA Officer with no training or expertise. The panel suggests paying close attention to mortgage companies and money transmitters.
7. Innovation and Technology
Another regulatory focus coming out of AMLA is the innovation and technology needs of financial institutions, regardless of asset size. The financial market is rapidly changing regarding payment methods, and AMLA requires financial institutions to modernize their technology to handle new emerging threats. Further rules and guidance will determine the expectations and requirements, but these will undoubtedly be risk-focused. For financial institutions using artificial intelligence (AI), regulators will want to see best practices in place. There should be model validations to ensure AI is working as it should be. After all, AI is developed by humans, and mistakes can happen. Manage with caution and have a good quality assurance process in place.
8. Partnerships with FinTechs
The increased demand and competition for immediate digital payment methods have created opportunities for FinTech firms to partner with traditional financial institutions generally more conservative in developing innovative technologies, or lack expertise and resources for development. From a regulatory perspective, these partnerships can be cloudy at best, which is a new focus during exams. FinTech partners and any third-party vendor management must have an appropriate AML program, including proper CDD, adequate controls and audit function, and suspicious activity referral procedures. Financial institutions should obtain a copy of their partner’s AML program and test to be sure they comply with program requirements.
9. Change management
Change management has been critical during the last two years as the pandemic caused a shift to remote working. Enhanced controls are needed to ensure data security and processes align with expectations, and regulators may ask what steps a financial institution has taken to adapt during the pandemic. Added quality assurance measures may be needed to address the challenges of managing a remote work team. Regulators will also consider how financial institutions have handled the “great resignation.” Retaining talent has proven difficult for some traditional institutions as remote work in the industry has become more acceptable. AML professionals have opportunities nationwide, which include those outside of traditional banking. Experienced BSA professionals have long been in high demand, and this shift has caused a significant strain on financial institutions’ ability to staff their BSA teams with experienced, qualified officers and investigators. Regulators will not want to know why a BSA team is understaffed or underqualified; they want the deficiency corrected. Staffing issues must be addressed, and according to the HBA panel, you may be asked how your institution is attracting and retaining talent within your BSA team. The great resignation has also affected technology talent, which has a significant crossover effect for BSA.
10. Revisiting Common Deficiencies
Wrapping up the top ten hot topics are common deficiencies cited by regulators during recent exams. Be assured that regulatory bodies share information and stay updated on other consent orders. As money laundering and fraud appear to be on the rise in many areas, financial institutions should review these common deficiencies of AML programs and fill in any identified gaps before their next audit or exam.
- Backlogs in BSA related processes, such as processing alerts, cases, and EDD high-risk reviews
- Changes in transaction monitoring systems leading to the backlog described above
- Staffing turnover leads to inadequate or inexperienced staffing
- Lack of adequate controls, either an independent audit function or internal quality assurance processes
- Risk Assessment is not updated with current products/services or markets
- Alerts closed with inadequate or no documentation
- No SAR decision with cut and paste templates – while templates are acceptable, they should always include and support reasons why the activity is not suspicious
- Inadequate analysis for No SAR decisions. Using “known customer” to justify these decisions is insufficient. Each potentially suspicious transaction must be analyzed.
Although there have been drops in regulatory BSA findings for 2020 and into 2021, the panel believes this was primarily due to pandemic restrictions, increased off-site examinations, and a focus shift away from BSA to asset quality and liquidity. Regulators have seen an increase in BSA focus during the first quarter of 2022, and with the Russian invasion of Ukraine, OFAC will be in the spotlight more than ever. Keeping these top ten hot topics in mind will assist your financial institution in passing your next exam with flying colors.
- Planning now around AMLA requirements and informing executive management of expected changes will put your financial institution in a position to move forward with anticipated rules and guidance.
- Financial institutions should review the common deficiencies in AML programs that regulators cite and fill gaps identified before their next audit or exam.
- Regulators have seen an increase in BSA focus during the first quarter of 2022, and now with the crisis with the Russian invasion of Ukraine, OFAC will be in the spotlight more than ever.
Terri Luttrell, Abrigo’s Compliance & Engagement Director, is CAMS-Audit certified and has over 20 years in the banking industry. She has worked in both medium and large community banks in compliance/fraud, commercial lending, and deposit operations. As an AML consultant, Terri has helped institutions develop BSA/OFAC programs to ensure all regulatory requirements are met and successfully managed a team of AML investigators for a large cross-border institution, among other engagements.