Effective AML Programs? How About Effective AML Laws and Regulations!

Demonstrating AML/CTF Effectiveness in the private sector requires (1) compliance with laws and regulations, (2) providing highly useful information to law enforcement, and (3) mitigating the bank’s AML/CTF risks. But what if an AML/CFT law or regulation requires activity that does not produce highly useful information for law enforcement or help the private financial sector mitigate AML/CFT risk? Section 6216 of the AML Act of 2020 may provide the means to answer that question.

On June 30, 2021, the Wolfsberg Group, an association of thirteen global banks which aims to develop frameworks and guidance for the management of financial crime risks, published the third of three statements on defining, developing, and demonstrating an effective Anti-Money Laundering (AML) and Combating Terrorist Financing (CTF) compliance program for financial institutions (FIs).

In the first statement, the Wolfsberg member banks defined what an effective AML/CFT compliance program looked like. They concluded that an effective AML/CTF program has three key elements (what they call “the Wolfsberg Factors”):

1. Complying with AML/CTF laws and regulations;
2. Providing highly useful information to relevant government agencies in defined priority areas; and
3. Establishing a reasonable and risk-based set of controls to mitigate the risks of an FI being used to facilitate illicit activity.

In the second statement, the Wolfsberg banks suggested five steps FIs could take to develop and evolve their AML/CTF programs, with a goal of focusing less on inputs and “check the box” compliance, and more on effective outcomes:

1. Assess Risk in Defined Priority Areas
2. Implement/Enhance Controls
3. Prioritize Resources
4. Engage with Law Enforcement
5. Demonstrate AML/CTF Programme Effectiveness

The third Statement on Demonstrating Effectiveness, published on June 30, 2021, was introduced as follows:

The Wolfsberg Group is pleased to publish its statement setting out how Financial Institutions (FIs) can assess risk in defined priority areas and demonstrate their Anti-Money Laundering/Combatting Terrorist Financing (AML/CTF) programme effectiveness. The document builds on the Group’s prior effectiveness statements to underline that the starting point for an effective AML/CTF programme should be an understanding of the priority risks identified by countries or supra-national bodies in their own assessments of AML/CTF risks and the applicability of those risks to the FI.

The Group believes that an FI’s effectiveness related to designated priorities or the AML/CTF programme overall should be measured based on its compliance with law and regulations, how it is designed to provide highly useful information to government authorities in defined priority areas, and how the FI builds and maintains a reasonable and risk-based set of controls to mitigate the risks of the FI being used to facilitate illicit activity.

The Group remains committed to further dialogue with policy makers, supervisors, law enforcement agencies and other stakeholders on effectiveness in AML/CTF in order to achieve our shared goal of fostering the increased effectiveness of the global financial crime risk management framework.

In this third statement, the Wolfsberg banks went through the three key elements or Wolfsberg Factors, and suggested ways that FIs could evaluate and then demonstrate – presumably to their directors and regulators and supervisors – that their AML/CFT programs were effective.

The Wolfsberg Factors are on YouTube!

Deloitte Risk & Financial Advisory’s Clint Stinger, Principal and AML & Sanctions Services Leader, and Bank of America’s Craig Timm, Managing Director of Financial Crimes Compliance, have filmed a three-part series of conversations on strategic AML priorities. These well-done, roughly 90-second videos are available on YouTube. In Part 3, titled “how banks can reallocate resources to higher-value AML activities”, Craig sets out these three Wolfsberg Factors as a series of questions to ask when self-evaluating an FI’s AML/CFT program: (1) is it the law? (2) Is it producing highly useful information for law enforcement? (3) Is it helping me mitigate my risks? Craig then goes on to say that “for everything that’s not actually required by law, is it producing one of those other two outcomes … and if it’s not, that’s exactly the stuff I would think about stopping, and reallocating those resources to other areas.”

I agree. And Craig’s views are consistent with what Wolfsberg has written (Bank of America is a member of Wolfsberg). In its third statement, Wolfsberg wrote:

“Where an FI can demonstrate, for a specific threat or for the AML/CTF programme overall, that it has complied with applicable AML/CTF laws and regulations, designed its programme to provide highly useful information to government authorities, and implemented a reasonable and risk-based set of controls to prevent and detect financial crime, this should be considered as strong evidence of the FI’s effectiveness.”

I agree with Wolfsberg. They continue:

“FIs must comply with AML/CTF laws and regulations. This is the foundation for AML/CTF programmes … Supervisors, for their part, should clearly differentiate between legal or regulatory requirements that must be met and other areas where FIs are permitted to take a risk-based approach. Today, FIs spend significant time and resources on activities that are considered ‘expectations’ of an AML/CTF programme but are not required by law or regulation. These ‘expectations’ are sometimes written in non-binding guidance, sometimes unwritten, or can be a reflection of the views of an individual examiner or auditor. However, unless these activities lead to highly useful information for government authorities or help the FI materially prevent, detect, or deter actual crime, these ‘expectations’ are often counterproductive to an effective AML/CTF programme.”

Once again, I agree. In part. But there are some fundamental issues that get in the way. An example is helpful.

Low-Dollar, One-off, Low-risk, Simple Structuring SARs Are Required by Law: But Are They Providing Useful Information to Law Enforcement or Helping to Mitigate Risk?

In the United States, it is the law – set out at 31 USC s. 1956 and detailed in regulations set out in 31 CFR s. 1010.320 – that financial institutions report certain suspicious activity or suspicious transactions by way of a Suspicious Activity Report, or SAR. The suspicious transactions that must be reported under this law and these regulations include what are known as “structuring” SARs, where a customer or customers “structure” their cash deposits or withdrawals to avoid the $10,000 threshold for mandatory currency (cash) transaction reporting. Many of these structuring SARs will report single transactions, or even multiple transactions, that are, or aggregate to, less than $20,000. And many of these will be filed on customers that are inherently low- or lower-risk, and often have never been the subject of a SAR before this filing, and will never be the subject of a future SAR. But these one-time, low-dollar, simple structuring SARs reporting first-time, low-risk suspects must be filed: it’s the law.

And law enforcement rarely, if ever, shows an interest in these low-dollar, simple structuring SARs filed on low-risk customers. And the only real, substantive risk to the filing bank of this type of activity is regulatory risk if the bank fails to meet the regulatory requirements on whether and how it is identifying, investigating, reporting, and documenting this activity.

With this, financial institutions couldn’t satisfy the Wolfsberg test for effectiveness. Wolfsberg writes that “where an FI can demonstrate, for a specific threat or for the AML/CTF programme overall, that it has complied with applicable AML/CTF laws and regulations, designed its programme to provide highly useful information to government authorities, and implemented a reasonable and risk-based set of controls to prevent and detect financial crime, this should be considered as strong evidence of the FI’s effectiveness.”

In the case of our simple structuring SARs – which for some institutions can be 10 percent to 20 percent of all their SARs – a financial institution cannot demonstrate effectiveness. Yes, it is complying with applicable AML/CTF laws and regulations. But no, it is not providing any useful information to law enforcement, and there’s no indication that it is mitigating true AML/CTF risk.

So I would add something to the Wolfsberg statement, and turn Craig’s statement around. In the video Craig said “for everything that’s not actually required by law, is it producing one of those other two outcomes … and if it’s not, that’s exactly the stuff I would think about stopping, and reallocating those resources to other areas.”

I’ll turn Craig’s statement around:

If an AML/CTF law or regulation requires financial institutions to do something that is not producing highly useful information for law enforcement and is not helping financial institutions mitigate their AML/CFT risks, Congress and the supervisory agencies need to eliminate or change that law or regulation so that financial institutions can reallocate those resources to other laws and regulations that are providing value.

But There’s a Problem: Regulators’ Expectations ARE the Law

Wolfsberg rightly points out that many of the “required” program elements are not required by law or regulation, but are merely regulatory expectations, whether written in guidance documents or as a reflection of the views of an individual auditor or regulator. These expectations do not have the force of law, and are, technically, unenforceable. But they drive much of what FIs do in designing and maintaining their AML/CTF programs. As Wolfsberg writes, “FIs spend significant time and resources on activities that are considered ‘expectations’ of an AML/CTF programme but are not required by law or regulation. These ‘expectations’ are sometimes written in non-binding guidance, sometimes unwritten, or can be a reflection of the views of an individual examiner or auditor. However, unless these activities lead to highly useful information for government authorities or help the FI materially prevent, detect, or deter actual crime, these ‘expectations’ are often counterproductive to an effective AML/CTF programme.”

But regulators’ expectations are the law, at least for banks in the United States. How can that be, if regulatory guidance and expectations do not have the force of law? The three main bank regulators in the US – the Federal Reserve, the FDIC, and the OCC – all follow a “safety and soundness” standard when regulating and supervising their respective bank populations. See, for example, the OCC’s 12 CFR Part 30 – Safety and Soundness Standards. Indeed, the mission statement of the OCC is “to ensure that national banks and federal savings associations operate in a safe and sound manner, provide fair access to financial services, treat customers fairly, and comply with applicable laws and regulations” (OCC Mission Statement).

So even if those agencies can’t find an AML or CTF law or regulation that has been violated, they can simply turn to their “safety and soundness” regulations, and conclude that the bank’s actions or inactions render it unsafe or unsound. Two examples are useful: SAR filing on continuing activity, and exiting relationships because of suspicious activity.

In September 2000, the Financial Crimes Enforcement Network (FinCEN) published its first SAR Activity Review. Section 5, “Issues & Guidance”, set out “current issues of common interest with regard to the preparation and filing of SARs” and “the collective opinions of the government agencies”. Note that these were issues and guidance, not laws and regulations. Two of the four issues and guidance were:

Repeated SAR Filings on the Same Activity – One of the purposes of filing SARs is to identify violations or potential violations of law to the appropriate law enforcement authorities for criminal investigation. This is accomplished by the filing of a SAR that identifies the activity of concern. Should this activity continue over a period of time, it is useful for such information to be made known to law enforcement (and the bank supervisors). As a general rule of thumb, organizations should report continuing suspicious activity with a report being filed at least every 90 days. This will serve the purposes of notifying law enforcement of the continuing nature of the activity, as well as provide a reminder to the organization that it must continue to review the suspicious activity to determine if other actions may be appropriate, such as terminating its relationship with the customer or employee that is the subject of the filing.

Cessation of Relationship/Closure of Account – The closure of a customer account as the result of the identification of suspicious activity is a determination for an organization to make in light of the information available to the organization. A filing of a SAR, on its own, should not be the basis for terminating a customer relationship. Rather, a determination should be made with the knowledge of the facts and circumstances giving rise to the SAR filing, as well as other available information that could tend to impact on such a decision. It may be advisable to include the organization’s counsel, as well as other senior staff, in such determinations.

There are no laws or regulations that specifically address either of these. Neither section or paragraph suggests there are any laws or regulations requiring repeated SAR filings on the same activity or closing an account that is the subject of a SAR. But these have survived (in two other FinCEN SAR Activity Reviews), and the regulatory agencies now see both as potentially impacting the safety and soundness of a bank. The Federal Financial Institutions Examination Council (FFIEC), of which all the US banking and credit union federal functional regulators are part, has published a BSA/AML Examination Manual that provides the roadmap for how bank examiners are to judge an AML/CTF program. The last full version, published in 2014, includes an entire section on “SAR Filing on Continuous Activity” (beginning on page 68). As described, one of the five “key components of an effective monitoring and reporting system” is “monitoring and SAR filing on continuous activity”.

So if a bank decides that it is not going to have processes, procedures, and controls to review whether that one-time, low-risk, low-dollar SAR suspect has continued their activity (because there’s no law or regulation that says they have to, it doesn’t provide highly useful information to law enforcement, and it doesn’t help mitigate any special risks), or if a bank decides that it isn’t going to have written policies and procedures on closing accounts (because there is nothing in the law that says they have to), then that bank is exposing itself to significant regulatory risk. The OCC will likely find a violation of 12 CFR Part 30 – a safety and soundness violation for failing to have a reasonably designed BSA/AML program. After all, a program that is missing one of five key components of an effective monitoring and reporting system can be neither safe nor sound.

What Can We Do About Ineffective Laws and Regulations? Section 6216 of the AML Act of 2020 May Hold The Answer

Laws are proposed and written by Congress and, in the case of the AML Act of 2020, passed by Congress (over the veto of the President). When it comes to AML/CTF laws, Congress doesn’t appear to have much interest in making any bold changes (although that door is left slightly ajar, as explained below). But Congress clearly has an interest in reviewing, and advocating for changes to, the regulatory agencies’ regulations and guidance.

Section 6216 of the AML Act of 2020 calls for a “review of regulations and guidance”. The full text of the section is: 

SEC. 6216. REVIEW OF REGULATIONS AND GUIDANCE.
(a) IN GENERAL.—The Secretary, in consultation with the Federal functional regulators, the Financial Institutions Examination Council, the Attorney General, Federal law enforcement agencies, the Director of National Intelligence, the Secretary of Homeland Security, and the Commissioner of Internal Revenue, shall –
(1) undertake a formal review of the regulations implementing the Bank Secrecy Act and guidance related to that Act –
(A) to ensure the Department of the Treasury provides, on a continuing basis, for appropriate safeguards to protect the financial system from threats, including money laundering and the financing of terrorism and proliferation, to national security posed by various forms of financial crime;
(B) to ensure that those provisions will continue to require certain reports or records that are highly useful in countering financial crime; and
(C) to identify those regulations and guidance that –
(i) may be outdated, redundant, or otherwise do not promote a risk-based anti-money laundering compliance and countering the financing of terrorism regime for financial institutions; or
(ii) do not conform with the commitments of the United States to meet international standards to combat money laundering, financing of terrorism, serious tax fraud, or other financial crimes; and
(2) make appropriate changes to the regulations and guidance described in paragraph (1) to improve, as appropriate, the efficiency of those provisions.
(b) PUBLIC COMMENT.—The Secretary shall solicit public comment as part of the review required under subsection (a).
(c) REPORT.—Not later than 1 year after the date of enactment of this Act, the Secretary, in consultation with the Financial Institutions Examination Council, the Federal functional regulators, the Attorney General, Federal law enforcement agencies, the Director of National Intelligence, the Secretary of Homeland Security, and the Commissioner of Internal Revenue, shall submit to Congress a report that contains all findings and determinations made in carrying out the review required under subsection (a), including administrative or legislative recommendations.

Let’s unpack that section that calls for a review of regulations and guidance.

First, the reviewers are federal public-sector agencies. No state, local, or tribal public sector agencies, and not the private sector that bears so much responsibility for AML/CTF efforts. But the public, which includes the private financial sector, shall be given an opportunity to comment. Fair enough.

Second, (a)(1)(A) and (B) call for those agencies to look at the positive things the regulations and guidance are providing – protecting the financial system and providing highly useful information.

Third, and the key subsection for this purpose, is (a)(1)(C) – a call for those agencies to conduct a review to identify the negative things that those regulations and guidance are causing or encouraging. This subsection instructs the agencies to identify regulations or guidance that may be one or more of four things: (1) outdated; (2) redundant; (3) not promoting a risk-based AML/CTF regime; or (4) not conforming to international standards.

Fourth (and fifth) – those agencies must report their findings and administrative or legislative recommendations to Congress no later than January 1, 2021. So although the section is titled “regulations and guidance”, and the review and comments are on regulations and guidance, it appears that Congress intended that if the agencies believe any laws need changing, they should include those recommendations in their report.

Conclusion – Turning the Tables on Demonstrating Effectiveness

The Wolfsberg Group’s three AML/CTF effectiveness elements (complying with laws, providing highly useful information, and protecting the financial institution from AML/CTF risks) can and should be used as the criteria through which a financial institution’s program can be assessed for effectiveness. But they can equally be used as the criteria through which a country’s AML/CTF laws and regulations are assessed for effectiveness. For if a law or regulation that imposes obligations, costs, and significant penalties on financial institutions isn’t itself effective – if it doesn’t lead to highly useful information for law enforcement or doesn’t protect the financial system from significant AML/CTF risk – then that law or regulation needs to be scrapped. And with section 6216 of the AML Act of 2020, Congress appears to have given federal public sector agencies that are responsible for AML/CTF, with input from the private sector, an opportunity to make recommendations on which laws, regulations, and guidance need to be changed or deleted. As they conduct this review, and make recommendations, they should be guided by one simple principle: 

If a federal law, regulation, or guidance requires financial institutions to do something that is not producing highly useful information for law enforcement and is not helping financial institutions mitigate their AML/CFT risks, Congress and the supervisory agencies need to eliminate or change that law, regulation, or guidance so that financial institutions can better allocate resources toward higher risk customers and activities.