On August 13 the federal banking agencies issued a joint statement on updates to their guidance on enforcing BSA/AML requirements. See https://www.fdic.gov/news/press-releases/2020/pr20091a.pdf. There is some new language that may be relevant for most financial institutions.
The FDIC and OCC press releases provided that the joint statement is:
… updating their existing enforcement guidance to enhance transparency regarding how they evaluate enforcement actions that are required by statute when financial institutions fail to meet Bank Secrecy Act/anti-money laundering (BSA/AML) obligations. The statement clarifies that isolated or technical violations or deficiencies are generally not considered the kinds of problems that would result in an enforcement action. The statement also addresses how the agencies evaluate violations of individual components (known as pillars) of the BSA/AML compliance program. It also describes how the agencies incorporate the customer due diligence regulations and recordkeeping requirements issued by the U.S. Department of the Treasury as part of the internal controls pillar of the financial institution’s BSA/AML compliance program. The statement, issued by the Board of Governors of the Federal Reserve System, the Federal Deposit Insurance Corporation, the National Credit Union Administration, and the Office of the Comptroller of the Currency, updates and supersedes the Interagency Statement on Enforcement of BSA/AML Requirements issued on July 19, 2007, to promote a consistent approach to the application of Section 8(s) of the Federal Deposit Insurance Act and Section 206(q) of the Federal Credit Union Act. The Financial Crimes Enforcement Network simultaneously issued a “Statement on Enforcement of the Bank Secrecy Act” that sets forth its approach to enforcement in circumstances of non-compliance with the BSA.
In fact, FinCEN didn’t issue its statement until August 18th. The FinCEN press release provides:
As the primary regulator and administrator of the Bank Secrecy Act (BSA), the Financial Crimes Enforcement Network (FinCEN) today issued a statement that sets forth its approach to enforcing the rules and regulations within the BSA. Through this statement, FinCEN aims to provide clarity and transparency to its approach when contemplating compliance or enforcement actions against covered financial institutions that violate the BSA. Today’s statement outlines the administrative actions available to FinCEN, and provides an overview of the information FinCEN analyzes in order to determine the appropriate outcome to violations of the BSA. FinCEN also encourages financial institutions to voluntarily and promptly report violations, and to candidly and completely cooperate with any investigation. “FinCEN is committed to being transparent about its approach to BSA enforcement. It is not a ‘gotcha’ game,” said FinCEN Director Kenneth A. Blanco. “The information required by the BSA saves lives, and protects our communities and people from harm. It is a national security issue.” The statement describes FinCEN’s enforcement authorities, dispositions, and the factors it evaluates in determining the appropriate response and enforcement of BSA violations.
FinCEN’s statement is very different than the prudential regulators’ statement. FinCEN sets out the six possible actions it can take – from no action, to a civil money penalty, to referring a matter for criminal prosecution – and the ten factors it will take into consideration when assessing possible violations. The key factors are:
- Nature and seriousness of the violations;
- Pervasiveness of wrongdoing within an entity, including management’s complicity in, condoning or enabling of, or knowledge of the conduct underlying the violations;
- History of similar violations, or misconduct in general, including prior criminal, civil, and regulatory enforcement actions;
- Presence or absence of prompt, effective action to terminate the violations upon discovery, including self-initiated remedial measures;
- Timely and voluntary disclosure of the violations to FinCEN;
- Quality and extent of cooperation with FinCEN and other relevant agencies, including as to potential wrongdoing by its directors, officers, employees, agents, and counterparties.
The sixth factor listed above is important: FinCEN expects that institutions’ cooperation includes identifying potential individual wrongdoers. This is consistent with federal criminal prosecution. The Department of Justice Manual includes a lengthy section on the criminal prosecution of companies, which provides that (i) prosecutors should first consider the criminal liability of those involved in or responsible for the criminal activity of the company; and (ii) a company cannot get “cooperation credit” without providing to the DOJ the names and particulars of all those employees (or directors) involved in or responsible for the conduct in question. So here, FinCEN is letting financial institutions know that for those institutions to get cooperation credit they need to provide the names and particulars of the people involved in the regulatory violations.
But back to the prudential regulators’ updated and clarified guidance.
First, the prudential regulators did not include anything about the liability of directors, officers, or employees in their joint statement. They could have, as the statutory provision the agencies rely on – section 8(s) of the FDI Act, codified at 12 USC s. 1818(s) – allows for cease and desist orders, and civil money penalties, against institutions and against institution-affiliated parties.
Second, although the interagency statement indicated that it “updates and supersedes the Interagency Statement on Enforcement of BSA/AML Requirements issued on July 19, 2007”, it did not indicate that the 2007 statement has been part of the FFIEC BSA/AML Exam Manual since 2007. It is the current Appendix R in the 2014 edition of the Exam Manual.
Since the agencies indicated that the August 2020 statement updates and supersedes the 2007 statement, which is set out in Appendix R, I compared the August 2020 joint statement with Appendix R to see what differences there were (it’s pretty common for the agencies to publish a new statement or rule that is purported to simply update or clarify an existing statement or rule, when in fact there are substantive changes). There were many small changes in wording, and the 2020 joint statement incorporates the new customer due diligence and beneficial ownership rules that were issued in May 2016. The 2020 joint statement included two new examples of when a mandatory cease and desist order would issue: both of those are particularly relevant to financial institutions.
The first addition relates to rapid foreign expansion. The second addition relates to a failure to resolve issues relating to customer risk rating. What is important is that these are additions to the existing language, which means they are key or at least current concerns of the regulators.
Rapid Foreign Expansion
“An institution would also be subject to a cease and desist order if the institution fails to implement a BSA/AML compliance program that adequately covers the required program components or pillars. For example, an institution rapidly expands its business relationships through its foreign affiliates and businesses:
- without identifying its money laundering and other illicit financial transaction risks;
- without an appropriate system of internal controls to verify customers’ identities, conduct customer due diligence, or monitor for suspicious activity related to its products and services;
- without providing sufficient authority, resources, or staffing to its designated BSA officer to properly oversee its BSA/AML compliance program;
- with deficiencies in independent testing that caused it to fail to identify problems; and
- with inadequate training exemplified by relevant personnel not understanding their BSA/AML responsibilities.”
Although these bullets are framed as failures (in the negative), they can be turned around and framed positively to provide a roadmap or checklist for an institution’s foreign expansion plans:
“For BANK NAME to continue to expand its business relationships through its foreign affiliates and businesses, it must implement a BSA/AML compliance program that adequately covers the required program components or pillars, including:
- identifying its money laundering and other illicit financial transaction risks;
- implementing an appropriate system of internal controls to verify customers’ identities, conduct customer due diligence, and monitor for suspicious activity related to the products and services;
- providing sufficient authority, resources, and staffing to its designated BSA officer to properly oversee BANK NAME’s in-country and in-region BSA/AML compliance programs;
- independent testing; and
- adequate training exemplified by relevant personnel understanding their BSA/AML responsibilities.”
Failure to Resolve Issues Relating to Customer Risk Profiles
The joint statement provides:
“An Agency will ordinarily not issue a cease and desist order under sections 8(s) or 206(q) for failure to correct a BSA/AML compliance program problem unless the problems subsequently found by the Agency are substantially the same as those previously reported to the institution. For example, during a previous examination, an institution’s system of internal controls was considered inadequate as a result of substantive deficiencies related to customer due diligence and suspicious activity monitoring processes. Specifically, the institution had not developed customer risk profiles to identify, monitor, and report suspicious activities related to the institution’s higher-risk businesses lines. These substantive deficiencies were identified in the previous report of examination as a problem requiring board attention and management’s correction. The subsequent report of examination determined that management had not addressed the previously reported problem with the institution’s BSA/AML compliance program. Customer risk profiles remained undeveloped to identify, monitor, and report suspicious activity related to the institution’s higher-risk business lines. As a result, the institution would be subject to a cease and desist order for failure to correct a previously reported problem with its BSA/AML compliance program.”
This is important language for any financial institution: a financial institution’s end-to-end high risk customer management program must address the importance of having “customer risk profiles to identify, monitor, and report suspicious activities related to the institution’s higher-risk businesses lines”.
Other Changes
There was some curious language, or changes in language, in the section on when a mandatory C&D will issue. Note that this August 2020 Joint Statement was signed by the top lawyers at each of the regulatory agencies: lawyers choose their words very carefully, and any changes in wording are deliberate and thought out.
A mandatory cease and desist order will be issued in three situations: (1) where the institution fails to have a written program that adequately covers the pillars; (2) where the institution fails to implement that program; or (3) where there are defects in one or more pillars of the program and those deficiencies are coupled with other aggravating factors (both the 2020 joint statement and the 2014 Appendix R have four aggravating factors). The first aggravating factor was about suspicious activity creating a potential for money laundering or terrorist financing:
2014 Appendix R – “highly suspicious activity creating a significant potential for unreported money laundering or terrorist financing …”.
2020 Joint Statement – “highly suspicious activity creating a potential for significant money laundering, terrorist financing, or other illicit financial transactions …”.
Two points.
First, the modifier “highly” suggests that the regulators aren’t concerned about run-of-the-mill cases and SARs (or failure to open cases or file SARs) on low-end, low-dollar activity.
Second is the shift in what I’ll call the “likelihood and severity” of the activity. The old standard (2014 Appendix R) was a high likelihood but low severity: “significant potential for unreported money laundering”, while the new standard (2020 Joint Statement) is a low likelihood but high severity: “a potential for significant money laundering”. It is unlikely that this difference in language will create a different regulatory experience and outcome, either for any one institution or all institutions, but it is interesting nonetheless, and seems to support the agencies’ statement “that isolated or technical violations or deficiencies are generally not considered the kinds of problems that would result in an enforcement action.”
Summary & Conclusion
No substantive or immediate changes are needed to most institutions’ programs. All institutions must remain vigilant around foreign expansion, and ensure AML/CFT controls “keep pace” with any foreign expansion. “Expansion” includes new products and services in existing jurisdictions, not just expansion into new jurisdictions. Also, don’t forget that in order to get cooperation credit from FinCEN or the Department of Justice, an institution will need to provide authorities with the names and particulars of all persons involved in or responsible for the impugned conduct. And that includes MLROs and BSA Officers.