
The US BSA/AML Regime – Have We Just Gone From Aspiring to be “Effective” to Merely Being “Adequate”?

On April 15, 2020, federal and state banking agencies updated parts of the BSA/AML Examination Manual (“Manual”), a document that was first published in 2005 and has been revised and re-published four times since, with the last full edition published in November 2014. The Manual provides what and how examiners examine banks and other financial institutions (collectively, “banks”) for compliance with BSA/AML laws and regulations. Just as important, the Manual is the blueprint that allows banks to build and maintain their programs, and for bank auditors to audit those programs, with some confidence that they’re meeting regulatory requirements and their regulators’ expectations.

OCC Comptroller Otting’s statement on the release of the revisions to the Manual included the following statement:

Today, the FFIEC agencies published updates to the BSA/AML Examination Manual that represent a significant step forward in our efforts to improve how we ensure banks have effective programs to safeguard the banking system against financial crime, particularly money laundering and terrorist financing.[1] (emphasis added)

Ensuring that banks have effective programs is critical. This “effectiveness” standard is how the United States itself is judged by the Financial Action Task Force, or FATF, which rates its member countries’ technical compliance with its Recommendations as well as how effective their BSA/AML regimes are in fighting financial crime.

“Effectiveness” is a hot topic in financial crimes risk management. Just last December, the Wolfsberg Group issued its statement on effectiveness.[2] The opening paragraphs of that statement are instructive:

The Wolfsberg Group – Statement on Effectiveness

Making AML/CTF Programmes more effective

The Wolfsberg Group (the Group) is an association of thirteen global banks, founded in 2000, which aims to develop frameworks and guidance for the management of financial crime risk in general, with a more recent and strategic focus on enhancing the effectiveness of global Anti-Money Laundering/Counter Terrorist Financing (AML/CTF) programmes. The topic of effectiveness has also been more widely discussed across the AML/CTF community in recent years.

In 2013, the Financial Action Task Force (FATF) determined that jurisdictions simply having reasonable legal frameworks in place for financial crime prevention was no longer sufficient.  FATF stated that “each country must enforce these measures, and ensure that the operational, law enforcement and legal components of an AML/CFT system work together effectively to deliver results: the 11 immediate outcomes.”  As a result, FATF changed the way it conducted mutual evaluations of its member states, no longer focusing solely on technical compliance with its 40 Recommendations, but also evaluating the overall effectiveness of the AML/CTF regime based on evidence that the outcomes were being achieved.

Notwithstanding FATF’s approach, Financial Institutions (FIs) still tend to be examined by national supervisors almost exclusively on the basis of technical compliance rather than focussing on the practical element of whether AML/CTF programmes are really making a difference in the fight against financial crime.  The Group believes that, in practice, there is as yet insufficient consideration of whether an FI’s AML/CTF programme is effective in achieving the overall goals of the AML/CTF regime which go beyond technical compliance. As a result, FIs devote a significant amount of resources to practices designed to maximise technical compliance, while not necessarily optimising the detection or deterrence of illicit activity.  The Group believes that jurisdictions should adopt the FATF’s focus on effective outcomes and therefore, that an FI’s AML/CTF programme should have three key elements:

    1. Comply with AML/CTF laws and regulations
    2. Provide highly useful information to relevant government agencies in defined priority areas
    3. Establish a reasonable and risk-based set of controls to mitigate the risks of an FI being used to facilitate illicit activity

The Group believes that supervisors and/or relevant government agencies should assess the effectiveness of an FI’s AML/CTF programme based on the above criteria, recognising that no two FIs are the same and each FI’s risk mitigation strategy must be tailored to meet its risk appetite.

This certainly seems in line with Comptroller Otting’s statement that these new BSA Exam Manual updates will help “ensure banks have effective programs to safeguard the banking system against financial crime”.

So if these updates are, in fact, a significant step forward to improve how the OCC ensures banks have effective BSA/AML programs, how come the OCC – and the other federal and state examiners – seem to have lowered their examination standards from assessing whether banks have effective programs, to assessing whether banks have adequate programs?

First, since I’m making a stink about the difference between effective and adequate, I’ll pause and offer some definitions. I went to one source only: Merriam-Webster. Here’s what I found:

Effective – producing a decided, decisive, or desired effect: as in an effective policy.

Adequate – sufficient for a specific need or requirement; as in adequate time. Also, good enough, or of a quality that is acceptable but not better than acceptable: as in a machine that does an adequate job[3]

These seem in line with what we expect: effective is a higher standard than adequate. Being an effective leader is better than being an adequate leader. And having an effective program is better than having an adequate program.

The FFIEC BSA/AML Examination Manual

Let’s first take a look at the language from the existing Manual, or rather the parts of the Manual that were just changed. As explained in the “Introduction” section of the 2014 Manual (which is over 440 pages long, by the way):

“… the manual is structured to allow examiners to tailor the BSA/AML examination scope and procedures to the specific risk profile of the banking organization.  The manual consists of the following sections:

    • Introduction
    • Core Examination Overview and Procedures for Assessing the BSA/AML Compliance Program
    • Core Examination Overview and Procedures for Regulatory Requirements and Related Topics
    • Expanded Examination Overview and Procedures for Consolidated and Other Types of BSA/AML Compliance Program Structures
    • Expanded Examination Overview and Procedures for Products and Services
    • Expanded Examination Overview and Procedures for Persons and Entities
    • Appendixes

The core and expanded overview sections provide narrative guidance and background information on each topic; each overview is followed by examination procedures.  The “Core Examination Overview and Procedures for Assessing the BSA/AML Compliance Program” and the “Core Examination Overview and Procedures for Regulatory Requirements and Related Topics” (core) sections serve as a platform for the BSA/AML examination and, for the most part, address legal and regulatory requirements of the BSA/AML compliance program.  The “Scoping and Planning” and the “BSA/AML Risk Assessment” sections help the examiner develop an appropriate examination plan based on the risk profile of the bank.  There may be instances where a topic is covered in both the core and expanded sections (e.g., funds transfers and foreign correspondent banking).  In such instances, the core overview and examination procedures address the BSA requirements while the expanded overview and examination procedures address the AML risks of the specific activity.

At a minimum, examiners should use the following examination procedures included within the “Core Examination Overview and Procedures for Assessing the BSA/AML Compliance Program” section of this manual to ensure that the bank has an adequate BSA/AML compliance program commensurate with its risk profile:

    • Scoping and Planning (refer to page 11)
    • BSA/AML Risk Assessment (refer to page 18)
    • BSA/AML Compliance Program (refer to page 28)
    • Developing Conclusions and Finalizing the Examination (refer to page 40)”

It is these last four bulleted sections that form the basis for all exams of banks’ BSA programs. And it is these four bulleted sections that were updated on April 15, 2020. A side-by-side comparison of the 2014 BSA Exam Manual (partial) table of contents and the April 2020 updates (complete) shows clearly what the regulators have focused on:

The regulatory agencies didn’t touch the 2014 Manual’s Introduction section. What they focused on are the sections on the four “pillars” of a BSA/AML compliance program. Where the 2014 Manual goes through each of the four pillars in a total of five pages, and then includes examination procedures for the overall compliance program at the end, the new 2020 update takes a different approach: it breaks out each of the four pillars, and has objectives and examination procedures for each. It is a more detailed and comprehensive approach.

So the 2014 Introduction section remains in place. That section uses three different adjectives in describing banks’ programs:

  • Page 1: “An effective BSA/AML compliance program requires sound risk management …”
  • Page 2: “… ensure that the bank has an adequate BSA/AML compliance program commensurate with its risk profile”
  • Page 6: “The federal banking agencies work to ensure that the organizations they supervise understand the importance of having an effective BSA/AML compliance program in place.”
  • Page 7: “Banking organizations must develop, implement, and maintain effective AML programs that address the ever-changing strategies of money launderers and terrorists who attempt to gain access to the U.S. financial system.  A sound BSA/AML compliance program is critical in deterring and preventing [money laundering, terrorist financing, and other illicit financial transactions] at, or through, banks and other financial institutions.”

In the four “pillar” sections that were updated in 2020, the words “effective” or “effectiveness” appear four times in forty-three pages. Those words appeared seventeen times in the old 2014 version.

Let’s go through those sections, with a focus on the differences in the use of the words “effective” and “adequate”.

Scoping & Planning

The 2014 “Scoping and Planning” section begins on page 11 with “The BSA/AML examination is intended to assess the effectiveness of the bank’s BSA/AML compliance program and the bank’s compliance with the regulatory requirements pertaining to the BSA, including a review of risk management practices.”

The 2020 “Scoping and Planning” section begins on page 1 with: “Examiners assess whether the bank has developed and implemented adequate processes to identify, measure, monitor, and control those risks and comply with BSA regulatory requirements.”

So the regulators have shifted from effective to adequate.

The 2014 “Scoping and Planning” section then continues with a reference to risk assessment. At page 11: “risk assessment has been given its own section to emphasize its importance in the examination process and in the bank’s design of effective risk-based controls.”

The 2020 update provides, on page 4: “The BSA/AML Risk Assessment section provides information and procedures for examiners in determining whether the bank has developed a risk assessment process that adequately identifies the ML/TF and other illicit financial activity risks within its banking operations.”

So the regulators will determine whether the risk assessment adequately identifies risks: not whether it effectively identifies risks.

The 2014 edition does use the term “adequate” in a few places. At page 12 is a reference to the Examination Plan: “At a minimum, examiners should conduct the examination procedures included in the following sections of this manual to ensure that the bank has an adequate BSA/AML compliance program commensurate with its risk profile.” And in a mixed message, under the heading “Transaction Testing” is: “Examiners perform transaction testing to evaluate the adequacy of the bank’s compliance with regulatory requirements, determine the effectiveness of its policies, procedures, and processes, and evaluate suspicious activity monitoring systems.”

There’s no mixed message in the 2020 update, though. Under the heading “Risk-Focused Testing” on page 6 is: “Examiners perform testing to assess the adequacy of the bank’s BSA/AML compliance program, relative to its risk profile, and the bank’s compliance with BSA regulatory requirements.” And at page 8 is the new objective for risk-focused BSA/AML supervision examination procedures: “Determine the examination activities necessary to assess the adequacy of the bank’s BSA/AML compliance program, relative to its risk profile, and the bank’s compliance with BSA regulatory requirements.”

So again, it’s fair to say (write) that the regulators have shifted from effective/effectiveness to adequate/adequacy.

Page 34 of the 2014 Manual sets out the objectives of the exam procedures: “Assess the adequacy of the bank’s BSA/AML compliance program. Determine whether the bank has developed, administered, and maintained an effective program for compliance with the BSA and all of its implementing regulations.”

Page 18 of the 2020 update sets out the objective when assessing the BSA/AML compliance program: “Assess whether the bank has designed, implemented, and maintains an adequate BSA/AML compliance program that complies with BSA regulatory requirements.” And at page 20: the objective of “assessing the BSA/AML compliance program examination procedures” is to “[d]etermine whether the bank has designed, implemented, and maintains an adequate BSA/AML compliance program that complies with BSA regulatory requirements.”

Internal Controls

There are some interesting differences in the main section on the system of internal controls – one of the four pillars of a BSA/AML compliance program.[4]

The 2014 Manual sets out the objectives for the overall BSA/AML compliance program: “Assess the adequacy of the bank’s BSA/AML compliance program.  Determine whether the bank has developed, administered, and maintained an effective program for compliance with the BSA and all of its implementing regulations.” (page 28). The 2014 Manual then goes through each of the four pillars, and does so in five pages, then includes examination procedures for the overall compliance program. The 2020 update takes a different approach: it breaks out each of the four pillars, and has objectives and examination procedures for each.

The 2020 update doesn’t use the terms effective or adequate in the Internal Controls section. Rather, it refers to “ongoing” compliance (“[t]he board of directors, acting through senior management, is ultimately responsible for ensuring that the bank maintains a system of internal controls to assure ongoing compliance with BSA regulatory requirements.”).

Independent Testing

As to independent testing, the 2020 update includes an Objective: “Assess the adequacy of the bank’s independent testing program” (page 24). The objective of the exam procedures is to “[d]etermine whether the bank has designed, implemented, and maintains an adequate BSA/AML independent testing program for compliance with BSA regulatory requirements”. There isn’t similar language or detail in the 2014 Manual.

BSA Compliance Officer

The changes to the BSA Compliance Officer pillar are extensive. The 2020 update includes an objective: to “[c]onfirm that the bank’s board of directors has designated a qualified individual or individuals (BSA compliance officer) responsible for coordinating and monitoring day-to-day compliance with BSA regulatory requirements. Assess whether the BSA compliance officer has the appropriate authority, independence, access to resources, and competence to effectively execute all duties.” (page 29). In this section is the following: “The board of directors is responsible for ensuring that the BSA compliance officer has appropriate authority, independence, and access to resources to administer an adequate BSA/AML compliance program based on the bank’s ML/TF and other illicit financial activity risk profile.”

The objective of the exam procedures for this pillar is to “[c]onfirm that the bank’s board of directors has designated a qualified individual or individuals (BSA compliance officer) responsible for coordinating and monitoring day-to-day compliance with BSA regulatory requirements.  Determine whether the BSA compliance officer has the appropriate authority, independence, access to resources, and competence to effectively execute all duties”.

The 2014 Manual provides that “[t]he board of directors, acting through senior management, is ultimately responsible for ensuring that the bank maintains an effective BSA/AML internal control structure, including suspicious activity monitoring and reporting.” (page 29). And at page 32: “[t]he board of directors is responsible for ensuring that the BSA compliance officer has sufficient authority and resources (monetary, physical, and personnel) to administer an effective BSA/AML compliance program based on the bank’s risk profile.”

To summarize: the 2014 Manual provided that the board is responsible for ensuring the BSA Compliance Officer has sufficient authority and resources to administer an effective program. The 2020 updates provide that the board is now responsible for ensuring the BSA Compliance Officer has appropriate authority and resources to administer an adequate program. What has not changed, though, with the 2020 update is this: “the board of directors is ultimately responsible for the bank’s BSA/AML compliance.”

Training

The standards for BSA/AML training seem to have dropped, also. The 2014 Manual provided that “[t]he training program should reinforce the importance that the board and senior management place on the bank’s compliance with the BSA and ensure that all employees understand their role in maintaining an effective BSA/AML compliance program.” (page 33).

The 2020 update provides: “The training program may be used to reinforce the importance that the board of directors and senior management place on the bank’s compliance with the BSA and that all employees understand their role in maintaining an adequate BSA/AML compliance program.” (page 32).

Conclusion

The Wolfsberg Group’s December 2019 Statement on Effectiveness ended with this:

The Group believes that jurisdictions should adopt the FATF’s focus on effective outcomes and therefore, that an FI’s AML/CTF programme should have three key elements: (1) Comply with AML/CTF laws and regulations; (2) Provide highly useful information to relevant government agencies in defined priority areas; and (3) Establish a reasonable and risk-based set of controls to mitigate the risks of an FI being used to facilitate illicit activity.

The Group believes that supervisors and/or relevant government agencies should assess the effectiveness of an FI’s AML/CTF programme based on the above criteria, recognising that no two FIs are the same and each FI’s risk mitigation strategy must be tailored to meet its risk appetite.

Starting in 2005 with the first FFIEC BSA/AML Examination Manual, and continuing to the last full publication in 2014, the purpose of a BSA/AML regulatory exam was to determine whether banks had an effective BSA/AML compliance program, and the directors of those banks, who were ultimately responsible for their bank’s BSA/AML compliance, were to ensure the BSA Compliance Officer had sufficient authority and resources to administer an effective program. The 2020 update appears to have lowered those bars: going forward, the purpose of a BSA/AML regulatory exam is to determine whether banks have an adequate BSA/AML compliance program, and the directors of those banks, who remain ultimately responsible for their bank’s BSA/AML compliance, are now to ensure the BSA Compliance Officer has appropriate authority and resources to administer an adequate program.

It will be interesting to see what, if any, differences this new adequate standard will bring as regulatory examiners across America will be walking into banks and credit unions and announcing, “hello, we’re here to determine whether you have an adequate program.” That is a very different greeting, and a very different exam, and possibly a very different result, than if that examiner walked in and announced, “hello, we’re here to determine whether you have an effective BSA/AML compliance program.”

Post Script

In an article I wrote in August 2019 titled “Lessons Learned as a BSA Officer – 1998 to 2018”, one of the nine lessons was that words and punctuation matter. I wrote that one should use adjectives and adverbs sparingly, if at all:

Most modifiers are unnecessary. Whether necessary or not, as a risk professional you should be aware of both your use of adjectives and adverbs, and when reading others’ use of adjectives and adverbs. When confronted with any modifier, ask yourself (i) why is that modifier being used? (ii) is it being used correctly? (iii) does it change the meaning of the sentence in a way that is unintended? (iv) is it being used consistently with other modifiers? And (v) could it limit or prevent us in the future?

In this case the state and federal banking agencies changed the adjective “effective” to “adequate” to describe the quality of the BSA/AML program they will expect to see and will examine to. I hope that this was unintended, or else five to ten years from now, after a long-held standard of effectiveness is replaced by one of mere adequacy, we could be limited in our ability to fight financial crime.

Endnotes

[1] https://www.occ.gov/news-issuances/news-releases/2020/nr-occ-2020-55.html

[2] https://www.wolfsberg-principles.com/sites/default/files/wb/pdfs/Effectiveness%201%20pager%20Wolfsberg%20Group%202019%20FINAL_Publication.pdf

[3] https://www.merriam-webster.com/

[4] The 2014 FFIEC Exam Manual “was a collaborative effort of the federal and state banking agencies” and FinCEN (2014 Manual, page 1). The Interagency Statement accompanying the 2020 update provided “The Board of Governors of the Federal Reserve System, Federal Deposit Insurance Corporation, National Credit Union Administration, Office of the Comptroller of the Currency, and State Liaison Committee (Agencies) revised the sections in close collaboration with Treasury’s Financial Crimes Enforcement Network.” And FinCEN hasn’t (yet) issued a press release or otherwise publicly acknowledged the 2020 updates. Regardless, the agencies’ Title 12 BSA/AML compliance program includes four pillars, and FinCEN’s Title 31 BSA/AML compliance program includes five pillars.

5 + 4 = 6 … Treasury’s New PPP Math Is Creating Unnecessary Confusion, & Here’s a Proposed Solution

I’ve written two articles on the CARES Act’s Paycheck Protection Program (PPP) – the $350 billion, or $350,000,000,000, pot of federal money available for the lucky few hundred thousand or so of the roughly thirty million American small businesses that can navigate the labyrinth of regulatory requirements to apply for and be approved to get a loan that is intended to cover their payroll for 8 weeks or so. See The CARES Act and the PPP – We Know A Surge of Fraud is Coming

On April 13th the Treasury Department issued some guidance intended to clarify how the PPP lenders – mostly banks and credit unions – can satisfy some of their regulatory requirements around identifying the beneficial owners of the small businesses they’ll be lending to. In some of the more creative math I’ve seen in a while, they were somehow able to take the 5 things required under one set of regulations, combine them with the 4 things required under another set of regulations, and come up with 6 things. Instead of speeding up the delivery of the much-needed assistance to small businesses across America, their math may have the opposite effect.

Title 15 Small Business Administration (SBA) requirements

On April 2nd the SBA rolled out its requirements. Among other things, the two-page Borrower Form requires the “authorized representative” of the small business to certify a number of things, notably (for purposes of this labyrinth) five pieces of information – name, SSN/TIN, Address, Title, and Ownership Percentage – of up to five people that own 20 percent or more of the small business. And, according to the Interim Final Rule published on April 2nd, the lender (bank or credit union) can rely on that certification. And the authorized representative has to provide their name, title, and a signature.

So to summarize – for Title 15 SBA purposes, the borrower’s authorized representative needs to certify five pieces of information on as many as five legal owners of the borrower, and the bank lender can rely on that certification.

Title 31 Bank Secrecy Act (BSA) requirements

In May 2018 the federal anti-money laundering regulations were changed to add a requirement that financial institutions collect and verify “beneficial ownership” information of legal entity customers. Beneficial ownership was made up of what is called the “ownership prong” – a natural person owning twenty-five percent or more of the legal entity – and the “control prong” – one person who controlled the legal entity. The regulation also provided a Beneficial Ownership Certification form. The result was that the person opening the account had to certify a number of things, notably (for purposes of this labyrinth) four pieces of information – name, SSN/TIN, address, and Date of Birth (DOB) – of up to five people: up to four that own twenty-five percent or more of the legal entity and the single “control” person. According to the regulation, the bank can rely on that certification “provided that it has no knowledge of facts that would reasonably call into question the reliability of such information.” And the account opener has to provide their name, title, and a signature. And the bank is required to verify that beneficial ownership information: not that the persons are the beneficial owners, because that can’t reasonably be done, but that the persons are … persons. And that verification needs to be done within a reasonable time after the account is opened.

And there are some complications in the BSA rule around existing customers opening new accounts, and whether the bank can rely on existing beneficial ownership information or not. Essentially, a bank needs to document whether and when and how it can rely on existing information, and that documentation is part of what is known as its “risk-based BSA compliance program”.

So to summarize – for Title 31 BSA purposes, the legal entity’s account opener needs to certify four pieces of information on as many as four legal owners and one control person, and the bank can rely on that certification unless it knows of something that calls into question the reliability of the information, and the bank needs to verify that the persons are, in fact, persons.

Title 31 BSA requirements for Title 15 SBA PPP Loans

On April 13 Treasury and the SBA revised previously published FAQs to add a question and answer relating to how the Title 31 BSA requirements relating to collection (and verification) of beneficial ownership information would be applied to the Title 15 SBA PPP loans. And FinCEN issued, for the first time, the same question and answer. These are summarized below:

Treasury FAQ:  Does the information lenders are required to collect from PPP applicants regarding every owner who has a 20% or greater ownership stake in the applicant business (i.e., owner name, title, ownership %, TIN, and address) satisfy a lender’s obligation to collect beneficial ownership information (which has a 25% ownership threshold) under the BSA?

Existing customers:  if the PPP loan is being made to an existing customer and the lender previously verified the necessary information, the lender does not need to re-verify the information.  Furthermore, if federally insured banks and credit unions have not yet collected such beneficial ownership information on existing customers, such institutions do not need to collect and verify beneficial ownership information for those customers applying for new PPP loans, unless otherwise indicated by the lender’s risk-based approach to BSA compliance.

New customers: the lender’s collection of SIX THINGS – owner name, title, ownership %, TIN, address, and date of birth – from as many as 5 natural persons with a 20% or greater ownership stake in the applicant business will be deemed to satisfy applicable BSA requirements and FinCEN regulations governing the collection of beneficial ownership information. Decisions regarding further verification of beneficial ownership information collected from new customers should be made pursuant to the lender’s risk-based approach to BSA compliance.

Leaving aside (for the moment) the vexing issue of what a bank’s risk-based BSA compliance program requires it to do for existing high risk customers applying for PPP loans, the most elaborate labyrinth the government has created is for new customers. For these new-to-the-lender customers, there appears to be a trade-off. Purely for SBA purposes, PPP lenders need to collect but perhaps not verify SIX things – the name, TIN, DOB, address, title, and ownership percentage – one of which (DOB) isn’t on the PPP Form, for up to 5 natural persons as legal owners. The April 13th guidance doesn’t say anything about the BSA “control” person – nor does it say whether the SBA Authorized Representative can be that control person. And because a lender’s risk-based BSA compliance program requires it to verify beneficial owners, the PPP lender still needs to verify that the Beneficial Owners are, in fact, human beings … not that they are, in fact, the Beneficial Owners of the Applicant Borrower. Also, for both the BSA’s “person opening the account” and the SBA’s “Authorized Representative”, the financial institution must collect the person’s name, title, and signature.

A Possible Solution to Treasury’s Math Problem

The likelihood of rampant money laundering through PPP loans is pretty slim. The likelihood of fraud, though, is 100%. How much fraud is dependent on a lot of factors, but banks are adept at lending money and keeping fraud rates down. In normal times. These are not normal times. But everyone involved in this effort wants to get the $350,000,000,000 into the hands of deserving American small businesses as soon as possible, knowing that there will be some abuses, frauds, mistakes, corruption, laziness, willful blindness, etc., etc. in the process.

But making the lenders collect six pieces of information on the owners of small businesses when neither of the applicable regulatory regimes requires them to collect more than five seems to add a layer of unnecessary complexity and can only slow down the lending process.

Having to collect 5 pieces of information (but not DOB) from as many as five legal owners for SBA purposes, and to collect four pieces of information (including DOB) from as many as four legal owners AND one control person for BSA purposes, and now to have to collect SIX pieces of information (including DOB) from five persons for SBA/BSA purposes creates confusion. Treasury needs to take its own risk-based approach: satisfy SBA requirements today, BSA requirements before you forgive the loan.

So here’s my suggestion to Treasury (and the regulatory agencies): PPP lenders can rely on the certifications in the Form 2483 PPP Borrower form. Those lenders can satisfy their BSA-related beneficial ownership requirements by the earlier of (i) September 30, 2020, or (ii) before the PPP loan is forgiven. In other words, focus on the PPP borrowers and requirements today, and worry about the BSA requirements later this summer. Full stop.

The CARES Act of 2020: “Tall, Dark, or Handsome” and “Tall, Dark, and Handsome” in one bill

There is a big difference between someone who is tall, dark, and handsome – he is all three of those things – and a guy who is tall, dark, or handsome – he is one of those things. Unfortunately, the new Special Inspector General for Pandemic Recovery is the Congressional version of tall, dark, or handsome, and their peers – the Executive Director and Deputy Executive Director of the Pandemic Response Accountability Committee – are the Congressional versions of tall, dark, and handsome. Although Congress didn’t take my pre-passage advice to spruce up the SIGPR (there wasn’t time, apparently), we can still hope that they are as polished as their PRAC peers.

In an article I wrote in August 2019 titled “Lessons Learned as a BSA Officer – 1998 to 2018” I covered nine topics:

  1. All the Cooks in the AML Kitchen aka Stakeholders
  2. All the Resources Available to You
  3. The 5 Dimensions of Risk – Up, Down, Across, Out, and Within
  4. FinTech versus Humans
  5. The 7 Cs – What Makes a Good Analyst/Investigator
  6. Tall, Dark and Handsome – Words and Punctuation Matter!
  7. SMEs v SMEs – Subject Matter Experts vs Subject Matter Enthusiasts
  8. Is Transaction Monitoring a Thing of the Past?
  9. The Importance of Courage

I thought of topic 6 – Tall, Dark and Handsome – the morning I read the Coronavirus Aid, Relief, and Economic Security Act (CARES Act) bill that the Senate and House were then negotiating. Back in 2019 I wrote the following:

Tall, Dark, and Handsome – Words (especially adjectives and adverbs) and punctuation matter!

    1. Write simply and clearly

“We know all too well that drugs are killing record numbers of Americans – and almost all of them come from overseas.” Former AG Jeff Sessions, August 2018 speech

This is a good example of a poorly written sentence that is begging for clarity. The phrase “almost all” means very little: at least 51% and less than 100%. Second, do “almost all” drugs come from overseas, or do almost all Americans come from overseas? And finally, Mexico is the source country for 90% – 94% of heroin entering the US, and the final transit country for 90% of the cocaine entering the US. Mexico isn’t actually overseas from the US.

    2. Use Adjectives and Adverbs Sparingly, if at all

Most modifiers are unnecessary. Whether necessary or not, as a risk professional you should be very aware of both your use of adjectives and adverbs, and when reading others’ use of adjectives and adverbs. When confronted with any modifier, ask yourself (i) why is that modifier being used? (ii) is it being used correctly? (iii) does it change the meaning of the sentence in a way that is unintended? (iv) is it being used consistently with other modifiers? And (v) could it limit or prevent us in the future?

    3. Watch out for Red Flag Words and Phrases

Intended, Primarily, Pilot, Agile Development, shall versus may, Artificial Intelligence, Machine Learning

Special Inspector General for Pandemic Recovery

Section 4018 of the CARES Act calls for the appointment of a new Special Inspector General for Pandemic Recovery. This appears to be a position similar to the TARP (Troubled Assets Relief Program) Inspector General position created after the 2007-2009 economic crisis to manage the TARP monies distributed to banks, the auto companies, and other businesses.

(I’ll point out that, just as the DMV’s vanity license department checks that proposed vanity license plates aren’t offensive, I’m sure someone in the Congressional Research Acronym Program Office checked the title for possible embarrassments. In this case, SIGPaR is much preferable to, say, Pandemic Inspector General.)

What is the federal government looking for in its new Special Inspector General for Pandemic Recovery? As seen from the screen shot of the section in the bill, “the nomination of the Special Inspector General  shall be made on the basis of integrity and demonstrated ability in accounting, auditing, financial analysis, law, management analysis, public administration, or investigations.”

To put it another way, the nomination shall be made on the basis of two things: (i) integrity, and (ii) demonstrated ability in either accounting or auditing or financial analysis or law or management analysis or public administration or investigations.

Prior to the passage of the Act, I suggested that Congress change “or” to “and” on line 8 of section 4018(b). As I wrote in my original article (published March 26th, the day before the bill was signed into law), “It would be great if we had a Special Inspector General for Pandemic Recovery who exhibited integrity and demonstrated ability in accounting, auditing, financial analysis, law, management analysis, public administration, and investigations. She’ll need all of those attributes to do her job, I expect.”

Unfortunately, Congress didn’t take up my suggestion.

And oddly enough, pursuant to section 15010(c)(3)(B)(ii) of the CARES Act, two other critical oversight positions created by the Act – the Executive Director and Deputy Executive Director of the Pandemic Response Accountability Committee – shall:

“(I) have demonstrated ability in accounting, auditing, and financial analysis;

(II) have experience managing oversight of large organizations and expenditures; and

(III) be full-time employees of the Committee.”

There you have it: the legislative equivalent of “tall, dark, or handsome” (the Special Inspector General) and “tall, dark, and handsome” (the Executive Director and Deputy Executive Director of the Pandemic Response Accountability Committee) in one Bill. Yikes!

When it comes to BSA/AML compliance programs, success has a hundred fathers, but failure is, apparently, an orphan

“FinCEN Penalizes U.S. Bank Official for Corporate Anti-Money Laundering Failures”

In 1961 President John F. Kennedy commented on the failed Bay of Pigs invasion: “victory has a hundred fathers and defeat is an orphan”. This statement came to mind as I read the Treasury Department’s March 4, 2020 assessment of a $450,000 penalty against the former Chief Operational Risk Officer of US Bank for the bank’s failures to implement and maintain an effective anti-money laundering (AML) program. And although the bank itself, and its holding company US Bancorp, were sanctioned and paid hundreds of millions of dollars in penalties, it appears that no other officers or directors of US Bank were personally sanctioned.

I have previously written that running an AML program in an American financial institution is like Winston Churchill’s description of Russia in 1939: a riddle, wrapped in a mystery, inside an enigma. The riddle is how to meet your obligations to provide law enforcement with actionable, effective intelligence (the stated purpose of the US AML laws set out in Title 31 of the US Code). That riddle is wrapped in the mystery of how to satisfy the multiple regulatory agencies’ “safety and soundness” requirements set out in Title 12 of the US Code. And the enigma is the personal liability you face for failing to satisfy either or both of those things.

And that enigma of personal liability was recently brought front and center with the March 4, 2020, announcement from FinCEN that the former Chief Operational Risk Officer of US Bank, Michael LaFontaine, was hit with a $450,000 penalty for his failure to prevent BSA/AML violations during his seven to ten year tenure.

Before going further, keep this in mind: it is inconceivable that a single person could run an AML program in one of the largest banks in the United States. They would need hundreds if not thousands of others to help design, implement, modify, test, audit, oversee, and examine that program. Everyone from a first-year analyst to the Board of Directors. But it is equally inconceivable – with all the checks and balances built into the US financial sector regulatory regime, with the three lines of defense, and all the auditors, examiners, and directors – that a single person could single-handedly screw up that same AML program over a period of five years. Yet that is the conclusion that seems to have been made: no matter how many people were responsible for US Bank’s AML program over a five year period, only one was held accountable for it.

“FinCEN Penalizes U.S. Bank Official for Corporate Anti-Money Laundering Failures” – FinCEN Press Release

March 04, 2020

WASHINGTON—The Financial Crimes Enforcement Network (FinCEN) has assessed a $450,000 civil money penalty against Michael LaFontaine, former Chief Operational Risk Officer at U.S. Bank National Association (U.S. Bank), for his failure to prevent violations of the Bank Secrecy Act (BSA) during his tenure.  U.S. Bank used automated transaction monitoring software to spot potentially suspicious activity, but it improperly capped the number of alerts generated, limiting the ability of law enforcement to target criminal activity.  In addition, the bank failed to staff the BSA compliance function with enough people to review even the reduced number of alerts enabling criminals to escape detection.

“Mr. LaFontaine was warned by his subordinates and by regulators that capping the number of alerts was dangerous and ill-advised.  His actions prevented the proper filing of many, many SARs, which hindered law enforcement’s ability to fully combat crimes and protect people,” said FinCEN Director Kenneth A. Blanco.  “FinCEN encourages technological innovations to help fight money laundering, but technology must be used properly.”

In February 2018, FinCEN, in coordination with the Office of the Comptroller of the Currency (OCC) and the U.S. Department of Justice, issued a $185 million civil money penalty against U.S. Bank for, among other things, willfully violating the BSA’s requirements to implement and maintain an effective anti-money laundering (AML) program and to file Suspicious Activity Reports (SARs) in a timely manner.

Mr. LaFontaine was advised by two subordinates that they believed the existing automated system was inadequate because caps were set to limit the number of alerts.  The OCC warned U.S. Bank on several occasions that using numerical caps to limit the Bank’s monitoring programs based on the size of its staff and available resources could result in a potential enforcement action, and FinCEN had taken previous public actions against banks for the same activity.

Mr. LaFontaine received internal memos from staff claiming that significant increases in SAR volumes, law enforcement inquiries, and closure recommendations, created a situation where the AML staff “is stretched dangerously thin.”  Mr. LaFontaine failed to take sufficient action when presented with significant AML program deficiencies in the Bank’s SAR-monitoring system and the number of staff to fulfill the AML compliance role.  The Bank had maintained inappropriate alert caps for at least five years.

FinCEN has coordinated this action with the OCC and appreciates the assistance it provided.

FinCEN’s March 2020 action against Mr. LaFontaine was the third of a series of actions in the last five years against US Bank, its parent US Bancorp, and now, one of its former officers.

The US Bank Cases – 2015, 2018, and 2020

In October 2015 the OCC and US Bank entered into a Cease & Desist Order (on consent) for longstanding and extensive BSA/AML program failures and failures relating to suspicious activity monitoring and reporting. US Bank was compelled to perform a lengthy list of remedial actions, including a “look-back” of activity. Apparently, US Bank eventually satisfied the OCC, and in November 2018 that Order was lifted or terminated. But no individuals were singled out.

In February 2018 US Bank was hit with a series of orders and actions relating to (1) those aforementioned BSA/AML program and SAR failures, and (2) a multi-billion dollar, multi-year payday lending fraud that was effectuated, in part, through the fraudster’s accounts at US Bank (the so-called “Scott Tucker” fraud). Among other orders and penalties, US Bank and/or its parent US Bancorp paid a $75 million fine to the OCC, a $70 million fine to FinCEN, a $15 million fine to the Federal Reserve, and forfeited $453 million to the Department of Justice (and those forfeited funds were later distributed to the victims of the Scott Tucker fraud) in a federal civil case filed in the Southern District of New York (civil case no. 18CV01357). US Bank also consented to a one-count criminal charge and entered into a two-year Deferred Prosecution Agreement (DPA) with the US Attorney for the Southern District of New York. Finally, the Treasury Department brought a civil case against US Bank, also in the Southern District, to “reduce” the FinCEN $70 million penalty to a civil judgment: that was civil case no. 18CV01358. Again, no individuals were singled out.

The (former) Chief Operational Risk Officer was held personally accountable: but who is actually responsible for a bank’s BSA/AML compliance program?

US Bank – the 5th Largest Bank in the United States

Based on all the orders and civil and criminal complaints, it appears that the core period of time the government was concerned about was the years 2010 through 2014. Based on the Annual Reports of US Bank, during that period the bank had:

  • Between thirteen and fifteen directors each year. Eleven of those directors served from at least 2009 through 2014
  • A Managing Committee made up of:
    • 1 Chairman and CEO (the same person for the entire period);
    • Eight to ten Vice-Chairmen each year, one of whom was the Chief Risk Officer in 2014; and
    • Four to six Executive Vice-Presidents each year, one of whom was the Chief Risk Officer from 2005 through 2013, and one of whom was Michael LaFontaine as Chief Operational Risk Officer in the 2012 and 2013 annual reports

It’s fair to say that since US Bank listed these people – the Board of Directors and the Managing Committee – in its Annual Reports, these people were seen as being collectively responsible for overseeing and managing the affairs of US Bank.

OCC’s Regulations for BSA/AML Compliance – Title 12 of the Code of Federal Regulations

US Bank’s primary regulator is the OCC. The OCC’s regulations for a BSA/AML compliance program are set out at 12 CFR § 21.21. Subsection (a) describes the “purpose” for the section: “to assure that all national banks and savings associations establish and maintain procedures reasonably designed to assure and monitor their compliance with the requirements of subchapter II of chapter 53 of title 31, United States Code, and the implementing regulations promulgated thereunder by the Department of the Treasury at 31 CFR Chapter X.” So the purpose of the OCC’s BSA/AML program requirement is to assure that banks meet their requirements under FinCEN’s legislation and regulations.

12 CFR § 21.21 continues. Subsection (c) goes beyond mere procedures and compels banks to “develop and provide for the continued administration of a program reasonably designed to assure and monitor compliance with the recordkeeping and reporting requirements set forth in subchapter II of chapter 53 of title 31, United States Code and the implementing regulations issued by the Department of the Treasury at 31 CFR Chapter X. The compliance program must be written, approved by the national bank’s or savings association’s board of directors, and reflected in the minutes of the national bank or savings association.”

And then subsection (d) sets out the minimum contents that the program shall have. It shall:

(1) Provide for a system of internal controls to assure ongoing compliance;

(2) Provide for independent testing for compliance to be conducted by national bank or savings association personnel or by an outside party;

(3) Designate an individual or individuals responsible for coordinating and monitoring day-to-day compliance; and

(4) Provide training for appropriate personnel.

So the OCC’s regulations tell us how a bank’s program is documented, who approves it (the board of directors), and what it must contain (at a minimum, the four “pillars” from subsection (d) – internal controls, independent testing, a BSA compliance officer, and training). Those OCC regulations don’t specifically set out who is responsible for the program. But they do refer to subchapter II of chapter 53 of title 31, United States Code and the implementing regulations issued by the Department of the Treasury at 31 CFR Chapter X. What do those provide? Do those laws and regulations set out who is responsible for a bank’s BSA/AML program?

FinCEN’s Regulations for BSA/AML Compliance – Title 31 of the Code of Federal Regulations

31 CFR Part X, specifically § 1010.210, provides that “each financial institution (as defined in 31 U.S.C. 5312(a)(2) or (c)(1)) should refer to subpart B of its chapter X part for any additional anti-money laundering program requirements.” The subpart B for national banks, like US Bank, provides as follows:

31 CFR § 1020.210

Anti-money laundering program requirements for financial institutions regulated only by a Federal functional regulator, including banks, savings associations, and credit unions. A financial institution regulated by a Federal functional regulator that is not subject to the regulations of a self-regulatory organization shall be deemed to satisfy the requirements of 31 U.S.C. 5318(h)(1) if the financial institution implements and maintains an anti-money laundering program that:

(a) Complies with the requirements of §§1010.610 and 1010.620 of this chapter;

(b) Includes, at a minimum:

(1) A system of internal controls to assure ongoing compliance;

(2) Independent testing for compliance to be conducted by bank personnel or by an outside party;

(3) Designation of an individual or individuals responsible for coordinating and monitoring day-to-day compliance;

(4) Training for appropriate personnel; and

(5) Appropriate risk-based procedures for conducting ongoing customer due diligence, to include, but not be limited to:

(i) Understanding the nature and purpose of customer relationships for the purpose of developing a customer risk profile; and

(ii) Conducting ongoing monitoring to identify and report suspicious transactions and, on a risk basis, to maintain and update customer information. For purposes of this paragraph (b)(5)(ii), customer information shall include information regarding the beneficial owners of legal entity customers (as defined in §1010.230 of this chapter); and

(c) Complies with the regulation of its Federal functional regulator governing such programs.

So, other than the OCC regulation having only four pillars while the FinCEN regulation has five, neither the OCC nor the FinCEN BSA/AML program regulations specifically describe who, if anyone, in a bank, is actually responsible for the BSA/AML program. But we know from the Michael LaFontaine case that the Chief Operational Risk Officer was found personally accountable for the failures of the program.

Regulatory Guidance – the FFIEC BSA/AML Examination Manual

So if the answer isn’t in the regulation, perhaps it can be found in regulatory guidance. For BSA/AML purposes, the golden source for regulatory guidance is set out in the Federal Financial Institutions Examination Council (FFIEC) BSA/AML Examination Manual. All five editions of the Manual (from 2005 through 2014) provide: “The board of directors, acting through senior management, is ultimately responsible for ensuring that the bank maintains an effective BSA/AML internal control structure, including suspicious activity monitoring and reporting.” (At page 29 of the most recent (2014) edition).

Hmmm … that appears to indicate that the board of directors is ultimately responsible, but the “acting through senior management” interjection is confusing. But the details that follow (again, the same language since 2005) provide clarity:

BSA Compliance Officer

The bank’s board of directors must designate a qualified individual to serve as the BSA compliance officer.[1] The BSA compliance officer is responsible for coordinating and monitoring day-to-day BSA/AML compliance. The BSA compliance officer is also charged with managing all aspects of the BSA/AML compliance program and with managing the bank’s adherence to the BSA and its implementing regulations; however, the board of directors is ultimately responsible for the bank’s BSA/AML compliance.

While the title of the individual responsible for overall BSA/AML compliance is not important, his or her level of authority and responsibility within the bank is critical. The BSA compliance officer may delegate BSA/AML duties to other employees, but the officer should be responsible for overall BSA/AML compliance.  The board of directors is responsible for ensuring that the BSA compliance officer has sufficient authority and resources (monetary, physical, and personnel) to administer an effective BSA/AML compliance program based on the bank’s risk profile.

This seems pretty clear: the board of directors is ultimately responsible for the bank’s BSA/AML compliance program, and for ensuring that the BSA compliance officer has the tools to do their job.

In addition, the Manual makes it clear that the BSA Officer cannot be “layered”: the BSA Officer must directly report to and take direction from the Board. The Manual provides:

“The line of communication should allow the BSA compliance officer to regularly apprise the board of directors and senior management of ongoing compliance with the BSA.  Pertinent BSA-related information, including the reporting of SARs filed with FinCEN, should be reported to the board of directors or an appropriate board committee so that these individuals can make informed decisions about overall BSA/AML compliance.  The BSA compliance officer is responsible for carrying out the direction of the board and ensuring that employees adhere to the bank’s BSA/AML policies, procedures, and processes.”

Although banking and financial crimes regulations don’t specifically spell out who is responsible for a bank’s BSA/AML program, written guidance makes it clear that the Board of Directors is responsible for ensuring that a bank implements and maintains an effective BSA/AML program.

But that isn’t what has happened in this case. The former Chief Operational Risk Officer – not the Board of Directors, nor the BSA compliance officer(s) that should have reported directly to the Board, nor anyone on the Managing Committee of the bank – was held accountable. Why was that? The answer may lie in FinCEN’s assessment against Mr. LaFontaine.

The March 4, 2020 FinCEN Assessment of Civil Money Penalty

What were the allegations against Mr. LaFontaine?

Page 2 – “Mr. LaFontaine at various times had responsibility for overseeing U.S. Bank’s compliance program and therefore shares responsibility for the Bank’s violations of the requirements to implement and maintain an effective AML program and file SARs in a timely manner.”

So it appears from this that Mr. LaFontaine shared responsibility for the program violations. Who did he share that responsibility with? Some detail is provided on page 3:

Page 3 – “Beginning in or about January 2005, and continuing through his separation from U.S. Bank in or about June 2014, Mr. LaFontaine held senior positions within the Bank’s AML hierarchy, involving oversight of the Bank’s AML compliance functions, from approximately 2008 through April 2011, and then from October 2012 through June 2014. He was the Chief Compliance Officer (CCO) of the Bank from 2005 through 2010, at which time he was promoted to Senior Vice President and Deputy Risk Officer. Thereafter, in October 2012, Mr. LaFontaine was promoted again to Executive Vice President and Chief Operational Risk Officer. In this latter position, which Mr. LaFontaine held throughout the remainder of his employment at the Bank, he reported directly to the Bank’s Chief Executive Officer (CEO) [Footnote: From early 2014 to the end of his tenure, Mr. LaFontaine reported to the Bank’s new Chief Risk Officer and had direct communications with the Bank’s Board of Directors.] As Chief Operational Risk Officer, Mr. LaFontaine oversaw the Bank’s AML compliance department (which was referred to internally as Corporate AML), and he supervised the Bank’s CCO, AML Officer (AMLO), [Footnote: The AMLO did not report directly to Mr. LaFontaine following the hiring of new Chief AML and BSA officers in the spring and summer of 2012. After these hirings, the AMLO reported to the Bank’s CCO, who reported to Mr. LaFontaine] and AML staff.”

We don’t know why the Board of Directors, any one or more of the directors (and there were at least eleven of them that were directors during the entire period in question), or any other senior officers of US Bank (and there were about a dozen of them every year), weren’t held accountable. And in this case, in at least six (6) regulatory, civil, and criminal orders running to hundreds of pages filed over a five (5) year period, we didn’t find out who the government felt was responsible for this bank’s BSA/AML compliance program. Other than Mr. LaFontaine, who was held accountable.

But one of those documents had an interesting take on responsibility. Paragraph 18 of the Treasury Department’s civil complaint against US Bank (Case No 18CV01357, filed February 15, 2018) referenced the FFIEC BSA/AML Manual. The paragraph provided:

“18. Under the BSA/AML Manual, a bank’s risk profile informs the steps it must take to comply with each of the BSA’s requirements. To develop appropriate policies and controls, banks must identify “banking operations . . . more vulnerable to abuse by money launderers and criminals . . . and provide for a BSA/AML compliance program tailored to manage risks. Similarly, while banks must designate an individual officer responsible for ensuring compliance with the BSA, such designation is not alone sufficient. Instead, the BSA/AML Manual notes that banks are responsible for ensuring that their compliance functions have ‘resources (monetary, physical, and personnel) [necessary] to administer an effective BSA/AML compliance program based on the bank’s risk profile.’”

In fact, as set out above, that is not what the Manual provides: according to the Manual, published by the OCC and FinCEN, among many other FFIEC agencies, the board of directors is responsible for ensuring that the bank implements and maintains an effective AML program. Not the “bank”, nor, in this case, the Chief Operational Risk Officer.

Paragraph 31 of the February 15, 2018 civil complaint provided that “US Bank delegated the responsibility for ensuring that it met its obligations under the BSA to its AML compliance department, which it referred to internally as Corporate AML.”

It would have been more accurate to write “US Bank attempted to delegate the responsibility for ensuring that it met its obligations under the BSA to its AML compliance department, which it referred to internally as Corporate AML; but the Board of Directors retained ultimate responsibility.” As the Manual provides, the board of directors maintains ultimate responsibility for the bank’s BSA/AML compliance, with their board-appointed BSA compliance officer “charged with managing all aspects of the BSA/AML compliance program and with managing the bank’s adherence to the BSA and its implementing regulations.”

Based on everything that is in the various pleadings, orders, and press releases, it appears that Mr. LaFontaine didn’t do that part of his job that involved managing Corporate AML. As one of the senior officers in the chain of command of US Bank’s risk organization, and as a member of the Managing Committee in 2012 and 2013, he had some responsibility and accountability: he appears to have organizationally been positioned somewhere between the BSA officers and the Board, and apparently thwarted or ignored the warnings of the AML Officer and/or BSA Officer(s) – who should have been reporting to the Board.

There is much we don’t know about this case. No one person – not even a CEO or Chairman of the Board – has the ability to run an AML program, let alone screw up that program. But apparently the Government has concluded that one person alone can be found accountable for the failures of a mega-bank’s AML program. Which begs a few questions …

Question 1 – Did the OCC inform the Board of Directors that BSA/AML risks weren’t being managed?

Paragraph 58 of the February 2018 civil complaint provided that “… despite recommendations and warnings from the OCC dating back to 2008, the Bank failed to have [the transaction monitoring system] independently validated.”

The phrase “warnings from the OCC dating back to 2008” could be explored. In the section in the Manual titled “Examiner Determination of the Bank’s BSA/AML Aggregate Risk Profile” is the following: “when the risks are not appropriately controlled, examiners must communicate to management and the board of directors the need to mitigate BSA/AML risk.” At this point, we don’t know what the OCC told the board, or when. We do know that the OCC issued a public Cease & Desist Order (on consent) in 2015.

Question 2 – Where was Internal Audit?

Independent testing, or internal audit, is one of the four (Title 12) or five (Title 31) required (minimum) pillars of a BSA/AML compliance program. And the Exam Manual provides that “the persons conducting the BSA/AML testing should report directly to the board of directors or to a designated board committee comprised primarily or completely of outside directors.” (see page 30 of the 2006 Manual, page 12 of the 2014 Manual). Which begs the question: where was US Bank’s audit team during the six+ years that there was capping of alerts and staffing issues? Shouldn’t the audit function have reported to the Board that there were long-standing issues with the transaction monitoring system and AML staffing, and that the OCC had made recommendations and warnings that went unheeded?

Question 3 – Where were the BSA Officers?

As a former BSA Officer, this was the question that was most on my mind as I read the March 4, 2020 FinCEN Assessment, and re-read the 2015 OCC order and the orders and complaints from February 2018. Indeed, I was relieved when the March Assessment came out and it was not against any of the former BSA Officers. The 2015 and 2018 documents showed an organization that appeared to organizationally bury its BSA officers, didn’t empower them, didn’t give them the required access to the Board, and certainly didn’t provide sufficient resources to allow for an effective program (all of which has been corrected with US Bank’s current BSA Officer and organization). And the March 2020 FinCEN Assessment describes two AML Officers and one Chief Compliance Officer, all reporting directly or indirectly into Mr. LaFontaine, who raised serious concerns over a number of years. At page 10 of the Assessment is this:

“In or about November 2013, a meeting was scheduled, at the request of the Bank’s CEO, so that the AMLO and CCO could update the CEO on the Bank’s AML program. In advance of that meeting, the AMLO and CCO prepared a PowerPoint presentation that began with an “Overview of Significant AML Issues,” the first of which was “Alert volumes capped for both [Security Blanket] and [Q]uery detection methods.” The AMLO and CCO put the alert caps issue first because, from their perspective, it was the most pressing of the Bank’s AML issues.  The PowerPoint identified the alert caps as a “[c]overage gap” that “could potentially result in missed Suspicious Activity Reports.” It also said that the “[s]ystem configuration and use could be deemed a program weakness, with potential formal actions including fines, orders, and historical review of transactions.” Prior to the meeting with the CEO, Mr. LaFontaine reviewed the PowerPoint, yet failed to raise the issue of the alert caps with the CEO during the meeting, choosing instead to prioritize other compliance-related issues.”

This suggests that the CEO wanted to meet with the AMLO and CCO, yet eventually met only with their boss, Mr. LaFontaine, who took the opportunity to bury the primary message that his BSA Officer wanted the CEO to hear: that they were capping the number of alerts coming from the transaction monitoring system.

A financial institution must not organizationally “bury” its BSA Officer (AML officer): their organizational reporting line must be no more than “two-down” from the CEO and within an independent risk organization (e.g., the BSA Officer reports to the Chief Risk Officer, who reports to the CEO) and – critically – the BSA Officer must personally and directly report to the Board.[2]

It appears from the US Bank documents that neither the organizational structure nor the lines of communication allowed the BSA Officer(s) to “apprise the board of directors and senior management of ongoing compliance with the BSA … so that these individuals can make informed decisions about overall BSA/AML compliance”, as the Exam Manual requires. And it wasn’t the Chief Operational Risk Officer that was “responsible for carrying out the direction of the board and ensuring that employees adhere to the bank’s BSA/AML policies, procedures, and processes” … it was the BSA Officer(s). But it appears those BSA Officer(s) were organizationally and/or culturally stymied from directly communicating to the Board. In fact, the paragraph immediately after the description of the CEO meeting provides that “[t]he above-described conduct by Mr. LaFontaine continued until May 2014 when the AMLO bypassed Mr. LaFontaine and sent an email to the Bank’s then-Chief Risk Officer referencing the alert caps issue.” A BSA officer must not be forced to bypass or do end-runs around a blocking boss in order to raise issues.

But whose responsibility is it to ensure that the BSA officer has the organizational stature and resources to do their job, and to ensure that the BSA officer has direct access to senior management and the board? It is the responsibility of the Board of Directors. The Manual is clear: “The board of directors is responsible for ensuring that the BSA compliance officer has sufficient authority and resources (monetary, physical, and personnel) to administer an effective BSA/AML compliance program based on the bank’s risk profile.” It shouldn’t take the regulators and, perhaps, a whistle blower to get the bank to act (page 11 of the 2020 Assessment includes: “The Bank did not begin to address its deficient policies and procedures for monitoring transactions and generating alerts until June 2014, when questions from the OCC and reports from an internal complainant caused the Bank’s Chief Risk Officer to retain outside counsel to investigate the Bank’s practices.”).

But maybe the directors weren’t aware that they were responsible for ensuring that the bank implemented and maintained an effective AML program. Which then begs the question …

Question 4 – Where was the Law Department?

Boards rely heavily on in-house counsel. Among other duties, in-house counsel must ensure that the directors understand their legal and regulatory obligations. In the case of BSA/AML, as the Exam Manual clearly sets out, the BSA program must be in writing and approved by the Board. The Board must designate a qualified individual to serve as the BSA compliance officer. The Board is responsible for ensuring that the BSA compliance officer has sufficient authority and resources (monetary, physical, and personnel) to administer an effective BSA/AML compliance program.

The first and last thing in-house counsel should leave the Board with when they are conducting their annual board training and awareness is this: “folks, if you remember one thing, remember this: as directors, you are ultimately responsible for the bank’s BSA/AML compliance.”

Question 5 – Where were the other senior managers of the bank?

The most vexing thing about this is not what is written in the FinCEN assessment or accompanying press release, but what is not written. Anyone who has spent any time in AML compliance in a mid-size to large financial institution knows that there are hundreds to thousands of people involved in designing, implementing, testing, maintaining, auditing, overseeing, and examining an AML program. Nothing happens – or doesn’t happen – without the involvement of modelers, testers, auditors, examiners, and committees; without endless finance meetings, HR meetings, “credible challenge” meetings; without senior management buy-in and support; and without the monthly or quarterly meetings with the board of directors (or a committee of the board) and the annual review and approval of the program and appointment, or re-appointment, of the BSA compliance officer.

The Government has singled out one senior manager in the 5th largest bank in the country for failures in a critical risk program that occurred over a five or six year period: where were the other senior managers?

Which takes us back full circle to the Board of Directors …

Question 6 – If the Board of Directors is responsible for a BSA compliance program, how come the Directors were not held accountable for its failures?

We simply don’t know what the US Bank board of directors knew or didn’t know when it came to the five or six years that the bank’s AML program was, apparently, not meeting regulatory requirements. We don’t know what they approved (or didn’t approve) annually. We don’t know what management, or audit, was reporting (or not reporting) to them. We don’t know whether they understood their responsibilities under the BSA regulations and regulatory guidance. We don’t know whether their annual approval of the AML program and appointment of the BSA Officer was a rubber-stamp or a fair and credible challenge of the program, the BSA Officer, and whether the BSA Officer had the monetary, physical, and personnel resources necessary to administer an effective BSA/AML compliance program based on the bank’s risk profile (paraphrasing the Manual). But it’s fair to assume that the Government found it difficult to find anyone liable where they simply failed to do their appointed task well. “We didn’t know the AML transaction monitoring system had been capped”, or “no one told us that the AML investigations team was grossly under-staffed”, or “none of the audit reports that came to the board indicated there were any problems with the AML program” become reasonably solid defenses when someone is looking to assign blame. It is much easier to find someone liable when they were presented with a problem and failed to address it, or even worse, took actions to hide it.  That said, it may simply go back to this:

“Success has many fathers; failure is an orphan”

Michael LaFontaine was considered a rising star in the banking world. The Minneapolis/St. Paul Business Journal included him in its “40 under 40 – 2014” class. In a March 21, 2014 video clip for the “40 Under 40” program he said “success doesn’t happen alone”. Unfortunately, it appears that the opposite is true: he appears to have been singled out and left alone when it comes to finding one person responsible for something that many were accountable for. As President Kennedy said, “victory has a hundred fathers and defeat is an orphan”. More than a dozen directors had responsibility for US Bank’s AML program; eleven served from 2009-2014; and four of those are still directors. But none were held accountable.

Conclusion

The point of this article is not to encourage the Government to impose fines on all the directors, senior management, auditors, and BSA Officers involved in a program that has failures and regulatory violations. Rather, it is to point out to all the Boards of Directors out there that they are responsible for their bank’s AML program, and with that responsibility comes accountability. Knowing that, those Boards will push the management of those banks to implement and maintain effective AML programs … and hopefully prevent another individual from the horrors of personal liability.

[1] Footnote 34 in 2014 Manual: “The bank must designate one or more persons to coordinate and monitor day-to-day compliance.  This requirement is detailed in the federal banking agencies’ BSA compliance program regulations: 12 CFR 208.63, 12 CFR 211.5(m), and 12 CFR 211.24(j) (Federal Reserve); 12 CFR 326.8 (FDIC); 12 CFR 748.2 (NCUA); 12 CFR 21.21 (OCC).”

[2] There is a third question. It doesn’t involve responsibility and accountability for a BSA program, but is important nonetheless. And that is … how do you get SAR filing rates of 30% to 80% from below-the-Line testing? Both the 2018 civil complaint and March 2020 FinCEN Assessment describe the results of a look-back conducted in 2011. Paragraph 41 of the February 2018 civil complaint provides, in part: “… in November 2011, the Bank’s AML staff concluded that, during the past year, the SAR filing rates for below threshold testing averaged between 30% and 80%. In other words, between 30% and 80% of the transactions that were reviewed during the below-threshold testing resulted in the filing of a SAR.” The most efficient transaction monitoring systems have alert-to-SAR rates of 20% – 30%. In fact, the industry laments that the “false positive” rate for most transaction monitoring systems is 95% or more, for a true positive rate of 5% or less. So having a false negative rate (which is a below-the-line testing rate) of 30% to 80% makes no sense at all. Particularly since paragraph 64 of the complaint provides that 2,121 SARs were filed as a result of a six-month look back of 24,179 alerts: an alert-to-SAR rate of about 9%. [NOTE: the average value of these “look-back” SARs was over $339,000].

Chinese Money Brokers – The First US Case Involving An Identified Threat to the US Financial System?

February 6, 2020 – US Warns of Chinese Money Brokers Integrating Illicit Cash Proceeds through Trade Based Money Laundering, or TBML

On February 6, 2020, the Treasury Department released its 2020 National Strategy for Combating Terrorist and Other Illicit Financing (the 2020 National Strategy). Among the threats to the US financial system it identified were Chinese money laundering networks, or money brokers, described at pages 24 and 25 of the Strategy …

“U.S. law enforcement has seen an increase in complex schemes to launder proceeds from the sale of illegal narcotics in the United States by facilitating the exchange of cash proceeds from Mexican drug trafficking organizations to Chinese citizens residing in the United States. These money laundering schemes, run by Professional Money Laundering Networks, or PMLNs, are designed to sidestep two separate obstacles: Drug Trafficking Organizations’ (DTOs’) inability to repatriate drug proceeds into the Mexican banking system due to dollar deposit restrictions imposed by Mexico in 2010 [of $4,000 a month per individual and $1,500 a month for U.S. currency exchanges by non-accountholders] and Chinese capital flight law restrictions on Chinese citizens located in the United States that prevent them from transferring the equivalent of US$50,000 held in Chinese bank accounts for use abroad. Chinese money laundering networks facilitate the transfer of cash between these two groups.

As described in the graphic from the Strategy [below], a variety of Chinese money brokers, processors and money couriers facilitate these PMLNs. Brokers in Mexico coordinate with DTOs in order for the DTOs to receive pesos in exchange for drug profits earned in the United States. The DTO instructs a courier in the United States to provide U.S. currency to the broker’s U.S. processor. The processor then launders the cash and identifies U.S.-based buyers. In exchange for U.S. currency, the buyer will transfer renminbi (RMB) through their Chinese bank account to a Chinese account controlled by the money broker. The broker then uses the RMB to buy commodities from a Chinese manufacturer for export to Mexico. Once the goods arrive in Mexico, the broker or the DTO completes the cycle by selling the goods locally for pesos.”

 

February 3, 2020 – Owners of Underground, International Financial Institutions Plead Guilty to Operating Unlicensed Money Transmitting Business

The First Chinese Money Broker Prosecution? On February 3, 2020, three days before the 2020 National Strategy was released, the US Attorney for the Southern District of California issued a press release that announced that Bing Han and Lei Zhang pleaded guilty in federal court to operating unlicensed money transmitting businesses. The US Attorney noted that the guilty pleas “are believed to be the first in the United States for a developing form of unlawful underground financial institution that transfers money between the United States and China, thereby circumventing domestic and foreign laws regarding monetary transfers and reporting, including United States anti-money laundering scrutiny and Chinese capital flight controls.”

The press release described the scheme as admitted in the plea agreements (which are not available online) as follows:

“Han and Zhang would collect U.S. dollars (in cash) from various third-parties in the United States and deliver that cash to a customer, typically a gambler from China who could not readily access cash in the United States due to capital controls that limit the amount of Chinese yuan an individual can convert to foreign currency at $50,000 per year. Upon receipt of the U.S. dollars, the customer (i.e., the gambler) would transfer the equivalent value of yuan (using banking apps on their cell phones in the United States) from the customer’s Chinese bank account to a Chinese bank account designated by defendant Han or Zhang. For facilitating these transactions, Zhang and Han were paid a commission based on the monetary value illegally transferred … Han and Zhang further admitted that they were regularly introduced to customers by casino hosts, who sought to increase the gambling play of the casino’s customers. By connecting cash-starved gamblers in the United States with illicit money transmitting businesses, like those operated by Han and Zhang, the casinos increased the domestic cash play of their China-based customers. All a gambler needed was a mobile device that had remote access to a China-based bank account. As a result, Han and Zhang managed to transmit and convert electronic funds in China into hard currency in the United States; all while circumventing the obstacles imposed both by China’s capital controls, and the anti-money laundering scrutiny imposed on all United States financial institutions. For their efforts, the casino hosts often received a cut of Han’s or Zhang’s commission.”

This sounds very similar to what was described in the 2020 National Strategy document. AML professionals should put a reminder in their calendars for the sentencing hearings of Han and Zhang in order to learn more about these “Chinese Money Broker” crimes that pose a threat to the US financial system.

US v. Bing Han, SD CA Case 20CR00369 is scheduled for sentencing on May 1, 2020.

US v. Lei Zhang, SD CA Case 20CR00370 is scheduled for sentencing on May 4, 2020.

A Bank’s Bid for Innovative AML Solutions: Innovation Remains A Perilous Endeavor

One Bank Asked the OCC to Have an “Agile Approach to Supervisory Oversight”

On September 27, 2019 the OCC published an Interpretive Letter answering an unknown bank’s request to make some innovative changes to how it files cash structuring SARs. Tacked onto its three technical questions was a request by the bank to do this innovation along with the OCC itself through something the bank called an “agile approach to supervisory oversight.” After qualified “yes” answers to the three technical questions, the OCC’s Senior Deputy Comptroller and Chief Counsel indicated that the OCC was open to “an agile and transparent supervisory approach while the Bank is building this automated solution” but he didn’t actually write that the OCC would, in fact, adopt an agile approach. This decision provides some insight, and perhaps the first public test, of (i) the regulators’ December 2018 statement on using innovative efforts to fight money laundering, and (ii) the OCC’s April 2019 proposal around innovation pilot programs. Whether the OCC passed the test is open to discussion: what appears settled, though, is that AML innovation in the regulated financial sector remains a perilous endeavor.

Regulators’ December 2018 Joint Statement on Innovative AML Efforts

On December 3, 2018 the five main US Bank Secrecy Act (BSA) regulators issued a joint statement titled “Innovative Efforts to Combat Money Laundering and Terrorist Financing”.[1] The intent of the statement was to encourage banks to use modern-era technologies to bolster their BSA/AML compliance programs. The agencies asked banks “to consider, evaluate, and, where appropriate, responsibly implement innovative approaches to meet their Bank Secrecy Act/anti-money laundering (BSA/AML) compliance obligations, in order to further strengthen the financial system against illicit financial activity” and “[t]he Agencies recognize[d] that private sector innovation, including new ways of using existing tools or adopting new technologies, can help banks” to do so.

The statement was a very positive step to encourage private sector innovation in fighting financial crime by testing new ways of using existing tools as well as adopting new technologies.

But it wasn’t the “green light to innovate” that some people have said it is. There was some language in the statement that made it, at best, a cautionary yellow light. And the September 27th OCC letter seems to clarify that banks can innovate, but the usual regulatory oversight and potential sanctions still apply.

The Agencies’ December 2018 statement included five things that bear repeating:

  1. “The Agencies recognize that private sector innovation, including new ways of using existing tools or adopting new technologies, can help banks identify and report money laundering, terrorist financing, and other illicit financial activity by enhancing the effectiveness and efficiency of banks’ BSA/AML compliance programs. To assist banks in this effort, the Agencies are committed to continued engagement with the private sector and other interested parties.”
  2. “The Agencies will not penalize or criticize banks that maintain effective BSA/AML compliance programs commensurate with their risk profiles but choose not to pursue innovative approaches.”
  3. “While banks are expected to maintain effective BSA/AML compliance programs, the Agencies will not advocate a particular method or technology for banks to comply with BSA/AML requirements.”
  4. Where test or implemented “artificial intelligence-based transaction monitoring systems … identify suspicious activity that would not otherwise have been identified under existing processes, the Agencies will assess the adequacy of banks’ existing suspicious activity monitoring processes independent of the results of the pilot program”
  5. “… the implementation of innovative approaches in banks’ BSA/AML compliance programs will not result in additional regulatory expectations.”

Note the strong, unqualified language: “the Agencies are committed to continued engagement”, “the Agencies will not penalize or criticize”, “the Agencies will not advocate …”, “the Agencies will assess”, and “the implementation of innovative approaches will not result in additional regulatory expectations”.

The qualified “assurances” come in the paragraph about pilot programs (with emphasis added):

“Pilot programs undertaken by banks, in conjunction with existing BSA/AML processes, are an important means of testing and validating the effectiveness of innovative approaches.  While the Agencies may provide feedback, pilot programs in and of themselves should not subject banks to supervisory criticism even if the pilot programs ultimately prove unsuccessful.  Likewise, pilot programs that expose gaps in a BSA/AML compliance program will not necessarily result in supervisory action with respect to that program.  For example, when banks test or implement artificial intelligence-based transaction monitoring systems and identify suspicious activity that would not otherwise have been identified under existing processes, the Agencies will not automatically assume that the banks’ existing processes are deficient.  In these instances, the Agencies will assess the adequacy of banks’ existing suspicious activity monitoring processes independent of the results of the pilot program.  Further, the implementation of innovative approaches in banks’ BSA/AML compliance programs will not result in additional regulatory expectations.”

Here are the qualified assurances (a qualified assurance is not an assurance, by the way): “should not” is different than “will not”; “will not necessarily” is very different than “will not”; and “not automatically assume” isn’t the same as “not assume”. These are important distinctions. The agencies could have written something very different:

“… pilot programs in and of themselves will not subject banks to supervisory criticism even if the pilot programs ultimately prove unsuccessful.  Likewise, pilot programs that expose gaps in a BSA/AML compliance program will not result in supervisory action with respect to that program.  For example, when banks test or implement artificial intelligence-based transaction monitoring systems and identify suspicious activity that would not otherwise have been identified under existing processes, the Agencies will not assume that the banks’ existing processes are deficient …”

The OCC’s April 2019 Innovation Pilot Program

On April 30, 2019 the OCC sought public comment on its proposed Innovation Pilot Program, a voluntary program designed to provide fintech providers and financial institutions “with regulatory input early in the testing of innovative activities that could present significant opportunities or benefits to consumers, businesses, financial institutions, and communities.” See OCC Innovation Pilot Program. As the OCC has written, the Innovation Pilot Program clearly notes that the agency would not provide “statutory or regulatory waivers and does not absolve entities participating in the program from complying with applicable laws and regulations.”

Twenty comments were posted to the OCC’s website. A number of them argued that innovators needed some formalized regulatory forbearance to encourage them to innovate. The Bank Policy Institute’s letter (BPI Comment), submitted by Greg Baer (a long-standing and articulate proponent of reasonable and responsible regulation), provided that:

“… the OCC should clarify publicly that a bank is not required to seek the review and approval of its examination team prior to developing or implementing a new product, process, or service; that unsuccessful pilots will not warrant an MRA or other sanction unless they constitute an unsafe and unsound practice or a violation of law; and that innovations undertaken without seeking prior OCC approval will not be subject to stricter scrutiny or a ‘strict liability’ regime. We also recommend that the OCC revisit and clarify all existing guidance on innovation to reduce the current uncertainty regarding the development of products, processes and services; outdated or unnecessary supervisory expectations should be rescinded.”

The American Bankers Association comment (ABA Comment) also asks for similar guidance:

“For institutions to participate confidently in a pilot, there must be internal agreement that OCC supervision and enforcement will not pursue punitive actions. In other words, the program should produce decisions that have the full support of the OCC and bind the agency to those conclusions going forward … One way for the OCC to accomplish this is to clarify that a participating bank will not be assigned Matters Requiring Attention (MRAs) if it acts in good faith as part of a Pilot Program. The nature of technological innovation means that banks must try new things, experiment, and sometimes make mistakes. The Pilot Program has been designed as a short-term limited-scale test to ensure that any mistakes made are unlikely to have an impact on the safety and soundness of an institution. Clarifying that MRAs will not be issued for mistakes made in good faith may help give banks the certainty they need to participate in a Pilot Program.”

And the Securities Industry and Financial Markets Association (SIFMA) comment letter (SIFMA Comment Letter) included the following:

“Relief from strict regulatory compliance is a vital prerequisite to draw firms into the test environment, precisely so that those areas of noncompliance may be identified and remediated and avoid harm to the consumers. Without offering this regulatory relief, the regulatory uncertainty associated with participating in the Pilot Program could, by itself, deter banks from participating. Similarly, the lack of meaningful regulatory relief could limit the opportunity the program provides for firms to experiment and innovate.”

So where did that leave banks that were thinking of innovative approaches to AML?  For those that choose not to pursue innovative pilot programs, it is clear that they will not be penalized or criticized, but for those that try innovative pilot programs that ultimately expose gaps in their BSA/AML compliance program, the agencies will not automatically assume that the banks’ existing processes are deficient. In response to this choice – do not innovate and not be penalized, or innovate and risk being penalized – many banks have chosen the former. As a result, advocates for those banks – the BPI and ABA, for example – have asked the OCC to clarify that it will not pursue punitive actions against banks that unsuccessfully innovate.

How has the OCC replied? It hasn’t yet finalized its Innovation Program, but it has responded to a bank’s request for guidance on some innovative approaches to monitoring for, alerting on, and filing suspicious activity reports on activity and customers that are structuring cash transactions.

A Bank’s Request to Have the OCC Help It Innovate

The OCC published an Interpretive Letter on September 27, 2019 that sheds some light on how it looks at its commitments under the December 2018 innovation statement.[2]  According to the Interpretive Letter, on February 22, 2019 an OCC-regulated bank submitted a request to streamline SARs for potential structuring activity (the Bank also sought the same or a similar ruling from FinCEN: as of this writing, FinCEN has not published a ruling). The bank asked three questions (and the OCC responded):

  1. Whether the Bank could file a structuring SAR based solely on an alert, without performing a manual investigation, and if so, under what circumstances (yes, but with some significant limitations);
  2. Whether the proposed automated generation of SAR narratives for structuring SARs was consistent with the OCC’s SAR regulations (yes, but with some significant limitations);
  3. Whether the proposed automation of SAR filings was consistent with the OCC’s BSA program regulations (yes, but with some significant limitations).

The most interesting request by the Bank, though, was its request that the OCC take an “agile approach to supervisory oversight” for the bank’s “regulatory sandbox” initiative. Pages 6 and 7 of the OCC letter provide the particulars of this request. There, the OCC writes:

“Your letter also requested regulatory relief to conduct this initiative within a “regulatory sandbox.” Your regulatory sandbox request states ‘This relief would be in the form of an agile approach to supervisory oversight, which would include the OCC’s full access, evaluation, and participation in the initiative development, but would not include regulatory outcomes such as matters requiring attention, violations of law or financial penalties. [The Bank] welcomes the OCC to consider ways to participate in reviewing the initiative outcomes outside of its standard examination processes to ensure effectiveness and provide feedback about the initiative development.’”

NOTE: I had to read the key sentence a few times to settle on its intent and meaning. That sentence is “This relief would be in the form of an agile approach to supervisory oversight, which would include the OCC’s full access, evaluation, and participation in the initiative development, but would not include regulatory outcomes such as matters requiring attention, violations of law or financial penalties.”

Was the bank saying the relief sought was an agile approach to supervisory oversight that included the OCC’s full participation in the process and no adverse regulatory outcomes? Or was the bank saying the relief sought was an agile approach to supervisory oversight that included the OCC’s full participation in the process, but did not include anything to do with adverse regulatory outcomes?

I settled on the latter meaning: that the bank was seeking the OCC’s full participation, but did not expect any regulatory forbearance.

The OCC first reiterated its position from the December 2018 joint statement by writing that it “supports responsible innovation in the national banking system that enhances the safety and soundness of the federal banking system, including responsibly implemented innovative approaches to meeting the compliance obligations under the Bank Secrecy Act.” It then wrote that it “is also open to an agile and transparent supervisory approach while the Bank is building this automated solution for filing Structuring SARs and conducting user acceptance testing.” This language is a bit different than what the OCC wrote at the top of page 2 of the letter: “the OCC is open to engaging in regular discussions between the Bank and appropriate OCC personnel, including providing proactive and timely feedback relating to this automation proposal.”

Notably, the OCC wrote that it is “open to an agile and transparent supervisory approach”, and “open to engaging in regular discussions between the Bank and appropriate OCC personnel”, but being open to something doesn’t mean you approve of it or agree to it. In fact, the OCC didn’t appear to grant the bank’s request. In the penultimate sentence the OCC wrote: “The OCC will monitor any such changes through its ordinary supervisory processes.”

How About Forbearance to Innovate Without Fear of Regulatory Sanctions?

As set out above, in June 2019 the BPI and ABA (and eighteen others) commented on the OCC’s proposal for an innovation pilot program. The BPI commented that “the OCC should clarify publicly that … unsuccessful pilots will not warrant an MRA or other sanction unless they constitute an unsafe and unsound practice or a violation of law”, and the ABA commented that the OCC should “clarify that a participating bank will not be assigned Matters Requiring Attention (MRAs) if it acts in good faith as part of a Pilot Program”.

The OCC seems to have obliquely responded to both of those comments. In its September 2019 Interpretive Letter, the OCC took the time to write that it “will not approve a regulatory sandbox that includes forbearance on regulatory issues for the Bank’s initiative for the automation of Structuring SAR filings.” Note that the OCC made this statement even though the bank appears to have specifically indicated that the requested relief did not include forbearance from “regulatory outcomes such as matters requiring attention, violations of law or financial penalties”. And the OCC letter includes a reference to both the Interagency statement on responsible innovation and the OCC’s April 2019 Innovation Pilot Program (see footnote 25 on page 7): “banks must continue to meet their BSA/AML compliance obligations, as well as ensure the ongoing safety and soundness of the bank, when developing pilot programs and other innovative approaches.”

So although the OCC hasn’t formally responded to the comments to its June 2019 innovation program to allow banks to innovate without fear of regulatory sanction if that innovation doesn’t go well, it has made it clearer that a bank still has the choice to not innovate and not be penalized, or to innovate and risk being penalized.

(In fairness, in its Spring 2019 Semiannual Risk Perspective Report, the OCC noted that a bank’s inability to innovate is “a source of significant strategic risk.” See OCC Semiannual Risk Perspective, 2019-49 (May 20, 2019)).

Timely Feedback – Is Seven Months Timely?

As set out above, the OCC wrote that it “is open to engaging in regular discussions between the Bank and appropriate OCC personnel, including providing proactive and timely feedback …”.  The bank’s request was submitted on February 22, 2019. The OCC’s feedback was sent on September 27, 2019. So it took the OCC seven months to respond to the bank’s request for an interpretive letter. In this age of high-speed fintech disruption, seven months should not be considered “timely.” What would be timely? I would aim for 90 days.

Conclusion

This unnamed OCC-regulated bank appears to have a flashing green or cautionary yellow light from the OCC to deploy some technology and process enhancements to streamline a small percentage of its SAR monitoring, alerting, and filing. The OCC will remain vigilant, however, warning the bank that it “must ensure that it has developed and deployed appropriate risk governance to enable the bank to identify, measure, monitor, and control for the risks associated with the automated process. The bank also has a continuing obligation to employ appropriate oversight of the automated process.”

So the message to the 1,700 or so OCC banks appears to be this: there’s no peril in not innovating, but if you decide to innovate, do so at your peril.

[1] The Board of Governors of the Federal Reserve System, the Federal Deposit Insurance Corporation (FDIC), the Financial Crimes Enforcement Network (FinCEN), the National Credit Union Administration, and the Office of the Comptroller of the Currency. The statement is available at https://www.occ.gov/news-issuances/news-releases/2018/nr-occ-2018-130a.pdf

[2] https://www.occ.gov/topics/charters-and-licensing/interpretations-and-actions/2019/int1166.pdf

The Current BSA/AML Regime is a Classic Fixer-Upper … and Here’s Seven Things to Fix

A 1970 Holden “Belmont” … built the same year as the first BSA-related Act was passed in the United States: the Currency and Foreign Transactions Reporting Act, PL 91-508

There is a lot of media attention around the need for a new way to tackle financial crimes risk management. Apparently the current regime is “broken” (I disagree) or in desperate need of repair (what government-run programs are not in some sort of state of disrepair?), or, at the very least, not particularly effective nor efficient. And there are a lot of suggestions from the private and public sectors on how to make the regime more effective and more efficient.  I’ll offer seven things to consider as we all work towards renovating our BSA/AML regime, to take it from its tired, dated (the last legislative change to the three statutes we call the Bank Secrecy Act was made in 2004) state to something that provides a more balanced, effective, and efficient regime.

I. Transaction Monitoring Systems

Apparently, current customer- and account-based transaction monitoring systems are highly inefficient, because for every 100 alerts they produce, five or fewer actually end up being reported to the government in a Suspicious Activity Report. The transaction monitoring software is often blamed (although bad data is the more likely culprit), and machine learning and artificial intelligence are often touted (by providers of machine learning and artificial intelligence) as the solutions. Consider the following when it comes to transaction monitoring and false positives:

  1. If a 95% false positive rate is bad … what is good? Human-generated referrals will result in SARs about 50% of the time: that might be a good standard.
  2. We have to stop tuning our transaction monitoring systems against SARs filed with law enforcement, and start tuning them against SARs used by law enforcement. I’ve written about this on many occasions, and have offered up something called the “TSV” SAR – a SAR that law enforcement indicates has Tactical or Strategic Value.
  3. High false positive rates may not be caused by bad data or poor technology at all, but by regulatory expectations – real or imagined – that financial institutions can’t afford the audit, regulatory, legal, and reputational costs of failing to identify (alert on) something unusual or anomalous that could eventually be found to have been suspicious.

(I’ve written about this on a few occasions: see, for example, RegTech Consulting Article).

It may be that transaction monitoring itself is the culprit (and not bad data, outmoded technology, or unreasonable regulatory expectations). My experience is that customer- and account-based transaction monitoring is not nearly as effective as relationship-based interaction surveillance. Let’s parse this out:

  • Customer versus relationship – focusing on a single customer is less efficient than looking at the entire relationship that customer is or could be part of. Banks’ marketing departments think in terms of households as the key relationship; credit departments think in terms of parent and subsidiary entities and guarantors as the needed relationship in determining creditworthiness. Financial crimes departments also need to think in the same terms. It is simply more encompassing and more efficient.
  • Transaction versus interaction – customers may interact with a bank many times, through a phone call, an online session, a balance inquiry, or a mobile look-up, before they will perform an actual transaction or movement of value. Ignoring those interactions, and only focusing on transactions, doesn’t provide the full picture of that customer’s relationship with the bank.
  • Monitoring versus surveillance – monitoring is not contextual: it is simply looking at specific transaction types, in certain amounts or ranges, performed by certain customers or customer classes. Surveillance, on the other hand, is contextual: it looks at the context of certain activity compared against all activity of that customer over time, and/or of certain activity of that customer compared to other customers within its class (whatever that class may be).

So the public sector needs to encourage the private sector to shift from a customer-based transaction monitoring regime to a relationship-based interaction surveillance regime.

II. Information Sharing

Crime and criminal organizations don’t operate in a single financial institution or even in a single jurisdiction. Yet our BSA/AML regime still encourages single entity SAR filers and doesn’t promote cross-jurisdictional information sharing.  The tools are available to better share information across a financial institution, and between financial institutions. Laws, regulations, and regulatory guidance all need to change to specifically and easily allow a single financial institution operating in multiple jurisdictions to (safely) share more information with itself, to allow multiple institutions in a single and multiple jurisdictions to (safely) share more information between them, and to allow those institutions to jointly investigate and report together. Greater encouragement and use of Section 314(b) associations and joint SAR filings are critical.

III. Classical Music, or Jazz?

Auditors, regulators, and even a lot of FinTech companies, would prefer that AML continue to be like classical music, where every note (risk assessments and policies) is carefully written, the music is perfectly orchestrated (transaction monitoring models are static and documented), and the resulting music (SAR filings) sounds the same time and time again regardless of who plays it. This allows the auditors and regulators to have perfectly-written test scripts to audit and examine the programs, and allows the FinTech companies to produce a “solution” to a defined problem. This approach may work for fraud, where an objective event (a theft or compromise) produces a defined result (a monetary loss). But from a financial institution’s perspective, AML is neither an objective event nor a defined result, but is a subjective feeling that it is more likely than not that something anomalous or different has occurred and needs to be reported. So AML is less like classical music and more like jazz: defining, designing, tuning, and running effective anti-money laundering interaction monitoring and customer surveillance systems is like writing jazz music … the composer/arranger (FinTech) provides the artist (analyst) a foundation to freely improvise (investigate) within established and consistent frameworks, and no two investigations are ever the same, and similar facts can be interpreted a different way by different people … and a SAR may or may not be filed. AML drives auditors and examiners mad, and vexes all but a few FinTechs. So be it. Let’s acknowledge it, and encourage it.

IV. Before Creating New Tools, Let’s Use the Ones We Have

The federal government has lots of AML tools in its arsenal: it simply needs to use them in more courageous and imaginative ways. Tools such as section 311 Special Measures and 314 Information Sharing are grossly under-utilized. Information sharing is discussed above: section 311 Special Measures are reserved for the most egregious bad actors in the system, and are rarely invoked. But the reality is that financial institutions will kick out a customer or not (knowingly) provide services to entire classes of customers or in certain jurisdictions for fear of not being able to economically manage the perceived risk/reward equation of that customer or class of customer or jurisdiction. But that customer or class or jurisdiction simply goes to another financial institution in the regulated sector, or to an institution in an un- or under-regulated sector (the notion of “de-risking”). The entire financial system would be better off if, instead of de-risking a suspected bad customer or class of customer or jurisdiction, financial institutions were not encouraged to exit at all, but encouraged to keep that customer or class, and monitor for and report any suspicious activity. Then, if the government determined that the customer or class of customers was too systemically risky to be banked at all, it could use section 314 to effectively blacklist that customer or class of customers. Imposing “special measures” shouldn’t be a responsibility of private sector financial institutions guessing at whether a customer or class of customers is a bad actor: it is and should be the responsibility of the federal government using the tool it currently has available to it: Section 311.

V. … and Let’s Restore The Tool We Started With

The reporting of large cash transactions was the first AML tool the US government came up with (in 1970 as part of the Currency & Foreign Transactions Reporting Act). Those reports, called Currency Transaction Reports, or CTRs, started out as single cash transactions on behalf of an accountholder, for more than $10,000. They have since morphed to one or more cash transactions aggregating to more than $10,000 in a 24-hour period, by or on behalf of one or more beneficiaries. There will be more than 18 million CTRs filed this year, and apparently law enforcement finds them an effective tool. But there is nothing more inefficient: simply put, CTRs are now the biggest resource drain in BSA/AML. Because of regulatory drift, CTRs are de facto SAR-lites … we need to get back to basic CTRs and redeploy the resources used to wrestle with the ever-expanding aggregation and “by or on behalf of” requirements, and deploy them against potential suspicious activity. And forget about increasing the threshold amount from the current “more than $10,000” standard: $10,000 is almost 5,000 times the amount of the average cash transaction in the United States today (which is $22, according to multiple reports from the Federal Reserve), and no one can argue that having a requirement to report a transaction or transactions that are 5,000 times the average is unreasonable. And it isn’t the amount that causes inefficiencies, it is the requirements to (i) aggregate multiple transactions totaling more than $10,000 in a 24-hour period, (ii) identify and aggregate transactions “by or on behalf of” multiple parties and accountholders, and (iii) exempt, on a bank-by-bank basis, certain entities that can be exempted (but rarely are) from the CTR filing regime. If anything, we could save and redeploy resources if the CTR threshold was the same as the SAR threshold – $5,000.

VI. The Clash of the Titles

And remember the “Clash of the Titles” … the protect-the-financial-system (filing great SARs) requirements of Title 31 (Money & Finance … the BSA) are trumped by the safety and soundness (program hygiene) requirements of Title 12 (Banks & Banking), and financial institutions act defensively because of the punitive measures in Title 18 (Crimes & Criminal Procedure) and Title 50 (War … OFAC’s statutes and regulations). There is a need to harmonize the Four Titles – or at least Titles 12 and 31 – and how financial institutions are examined against them. BSA/AML people are judged on whether they avoid bad TARP results (from being Tested, Audited, Regulated, and Prosecuted) rather than  on whether they provide actionable, timely intelligence to law enforcement. Today, most BSA Officers live in fear of not being able to balance all their commitments under the four titles: the great Hugh MacLeod was probably thinking of BSA Officers when he wrote: “I do the work for free. I get paid to be afraid …”

VII. A Central Registry for Beneficial Ownership Information

At the root of almost all large money laundering cases are legal entities with opaque ownership, or shell companies, where kleptocrats, fraudsters, tax evaders, and other miscreants can hide, move, and use their assets with near impunity. Greater corporate transparency has long been seen as one of the keys to fighting financial crime (the FATF’s Recommendation 24 on corporate transparency was first published in 1993), and accessible central registries of beneficial ownership information have been proven to be the key to that greater transparency. Yet the United States is one of the few major financial centers that does not have a centralized registry of beneficial ownership information. I’ve written that without such a centralized registry, the current beneficial ownership requirements are ineffective. See Beneficial Ownership Registry Article. Two bills currently before Congress – the Senate’s ILLICIT Cash Act (S2563) and the House’s Corporate Transparency Act (HR2513) – both contemplate a centralized registry of beneficial ownership maintained by FinCEN. But both of those bills – and FATF recommendations and guidance on the same issue – fall short in that they only allow law enforcement (or “competent authorities” using the FATF term) to freely access that database. The bills before Congress allow financial institutions to access the database but only with the consent of the customer they’re asking about and only for the purposes of performing due diligence on that customer. I have proposed that those bills be changed to also allow financial institutions to query the database without the consent of the entity they’re asking about for the purposes of satisfying their suspicious activity reporting requirements.

Conclusion – Seven Fixer-Upper Projects for the BSA/AML Regime

  1. Shift from customer-centric transaction monitoring systems to relationship-based interaction surveillance systems
  2. Encourage cross-institutional and cross-jurisdictional information sharing
  3. Encourage the private sector to be more creative and innovative in its approach to AML – AML is like jazz music, not classical music
  4. Address de-risking through aggressive use of Section 311 Special Measures
  5. Simplify the CTR regime. Please. And forget about increasing the $10,000 threshold – in fact, reduce it to $5,000
  6. As long as financial institutions are judged on US Code Titles 12, 18, 31, and 50, expect them to be both ineffective and inefficient. Can Titles 12 and 31 try to get along?
  7. A central registry of beneficial ownership information that is freely accessible to financial institutions is a must have

FinCEN’s FY2020 Report to Congress Reveals its Priorities and Performance

FinCEN Needs More Resources – and a TSV SAR Feedback Loop – To Really Make a Difference in the Fight Against Crime & Corruption

Every year each US federal government department and agency submits its Congressional budget justification and annual performance report and plan: essentially a document that says to Congress “here’s our mission, here’s how we did last year, here’s what we need for next year.” FinCEN’s fiscal year 2020 (October 1, 2019 through September 30, 2020) Congressional Budget Justification and Annual Performance Report and Plan is available at

https://home.treasury.gov/system/files/266/12.-FINCEN-FY-2020-CJ.pdf

My notes on the 14-page document summarize some of the key aspects of the report.

First is a summary of what FinCEN does: its areas of responsibility. Of note is the seventh area – “bringing together the disparate interests of law enforcement, [158 foreign] FIUs, regulatory partners, and industry”. This is also an admission that the interests of the various public and private sector participants are, in fact, disparate. Which begs the questions “should there be disparate interests?” and “what can we do to bring all these participants together and forge a single, unified interest of safeguarding the financial system from illicit use, combating money laundering, and promoting national security through the strategic use of financial authorities and the collection, analysis, and dissemination of financial intelligence?” (quoting FinCEN’s mission statement).  When it comes to fighting human trafficking, drug trafficking, etc., different perspectives are healthy and expected … competing or disparate interests are counterproductive.

Second, many people will be surprised at just how small FinCEN is – from the number of people to its overall budget – given the importance of its mission. The FY2019 budget called for 332 people and a budget of $115 million. The FY2020 budget proposes an increase to 359 people and a budget of $124.7 million, with the increase in people split between two priority programs: 13 for cybercrime, and 14 for “special measures”, which includes the actual special measures section (section 311) of the Patriot Act, requests to financial institutions for data on foreign financial institution wire transfers, and Geographic Targeting Orders.  As a “participant” for 20+ years, I would like to see what FinCEN could do if it had 659 people and a budget of $224.7 million: perhaps the $100 million to fund FinCEN’s efforts to combat human trafficking, narcotics trafficking, and foreign corruption could come from a 2.8% reduction in the “new drone procurement” budget request of the Department of Defense …

Third, the data on SARs filed, total BSA reports filed, and BSA Database Users is interesting. From FY2014 through FY2018 (actuals) and through FY2020 (estimates), the number of SARs filed has gone from 1.9 million to 2.7 million, an increase of 41.5%. But in the same period, the total number of BSA reports filed – including SARs – has gone from 19.2 million to 20.9 million, an increase of only 9.2%. That tells us two things: SARs are estimated to make up about 1 out of every 8 BSA reports filed in FY2020 compared to 1 out of every 10 BSA reports filed in FY2014 (a positive trend); and the total number of non-SAR BSA filings has essentially been the same for the last 7 years. In other words, the number of CTRs, CMIRs, and FBARs is not going up.

Fourth, there is the axiomatic, reflexive gripe that the SAR database is a black-hole: that financial institutions file SARs then never hear anything back from FinCEN or law enforcement as to whether those SARs are meaningful, effective, useful.  But look at the following from page 12:

FinCEN monitors the percentage of domestic law enforcement and regulators who assert queried BSA data led to detection and deterrence of illicit activity. This performance measure looks at the value of BSA data, such as whether the data provided unknown information, supplemented or expanded known information, verified information, helped identify new leads, opened a new investigation or examination, supported an existing investigation or examination, or provided information for an investigative or examination report. In FY 2018, FinCEN narrowly missed its target of 86 percent with 85 percent of users finding value from the data. FinCEN will work toward increasing its FinCEN Portal/FinCEN Query training efforts to provide more users with the knowledge needed in order to better utilize both FinCEN Portal and FinCEN Query. In FY 2019, the target is set at 86 percent and 87 percent in FY 2020.

Looking at this in a positive light, there appears to be a feedback loop between the users of BSA data – law enforcement and the regulators – and FinCEN, where law enforcement and regulators can assert – therefore they can determine – whether BSA data (mostly SARs and CTRs) led to detection and deterrence of illicit activity: whether the data provided unknown information, supplemented or expanded known information, verified information, helped identify new leads, opened a new investigation or examination, supported an existing investigation or examination, or provided information for an investigative or examination report.

The feedback loop between the users of BSA data (law enforcement, regulators, and FinCEN) must be expanded to include the producers (financial institutions) of BSA data

I have written previously about the need to provide financial institutions with more feedback on the 20 million+ BSA reports they produce every year. See, for example: https://regtechconsulting.net/uncategorized/rules-based-monitoring-alert-to-sar-ratios-and-false-positive-rates-are-we-having-the-right-conversations/

In that article, I introduced something I call the “TSV” SAR, or “Tactical or Strategic Value” SAR. I wrote:

How do you determine whether a SAR provides value to Law Enforcement? One way would be to ask Law Enforcement, and hope you get an answer. That could prove to be difficult.  Can you somehow measure Law Enforcement interest in a SAR?  Many banks do that by tracking grand jury subpoenas received to prior SAR suspects, Law Enforcement requests for supporting documentation, and other formal and informal requests for SARs and SAR-related information. As I write above, an Alert-to-SAR rate may not be a good measure of whether an alert is, in fact, “positive”. What may be relevant is an Alert-to-TSV SAR rate.  What is a “TSV SAR”? A SAR that has Tactical or Strategic Value to Law Enforcement, where the value is determined by Law Enforcement providing a response or feedback to the filing financial institution within five years of the filing of the SAR that the SAR provided tactical (it led to or supported a particular case) or strategic (it contributed to or confirmed a typology) value. If the filing financial institution does not receive a TSV SAR response or feedback from law enforcement or FinCEN within five years of filing a SAR, it can conclude that the SAR had no tactical or strategic value to law enforcement or FinCEN, and may factor that into decisions whether to change or maintain the underlying alerting methodology. Over time, the financial institution could eliminate those alerts that were not providing timely, actionable intelligence to law enforcement, and when that information is shared across the industry, others could also reduce their false positive rates.

Tactical or Strategic Value (TSV) SAR Feedback Loop

It appears that there are already mechanisms in place for law enforcement and the regulators to determine whether the 20 million CTRs and SARs that are being filed every year provide unknown information, supplement or expand known information, verify information, help identify new leads, open a new investigation or examination, support an existing investigation or examination, or provide information for an investigative or examination report. There is a way – there is always a way if there is the will – to provide that information to the private sector filers of the CTRs and SARs. Perhaps there is a member of Congress out there that could tweak FinCEN’s Fiscal Year 2020 budget request a little bit to give it the people power and monetary resources to begin developing a TSV SAR Feedback loop. We’d all benefit.

“Get off the Pot on Pot!” – A Panel of (Two of) Three Judges of the 2nd Circuit Court of Appeals Suggests the Administration Needs to Act on Marijuana Rescheduling

Patients, Veterans, and an African‐American Businessman Challenge the DOJ and DEA on Marijuana Scheduling

“This is the latest in a series of cases that stretch back decades and which have long sought to strike down the federal government’s classification of marijuana as a Schedule I drug under the Controlled Substances Act (CSA) … The current case is, however, unusual in one significant respect: among the Plaintiffs are individuals who plausibly allege that the current scheduling of marijuana poses a serious, life‐or‐death threat to exhaust their administrative remedies before seeking relief from us, but we are troubled by the Drug Enforcement Administration (DEA)’s history of dilatory proceedings. Accordingly, while we concur with the District Court’s ruling, we do not dismiss the case, but rather hold it in abeyance and retain jurisdiction in this panel to take whatever action might become appropriate if the DEA does not act with adequate dispatch.”

The case is available at http://www.ca2.uscourts.gov/:

Court of Appeals Docket #: 18-859 Docketed: 03/29/2018
Nature of Suit: 2440 CIVIL RIGHTS-Other
Washington v. Barr
Appeal From: SDNY (NEW YORK CITY)
Fee Status: Paid
Case Type Information:
     1) Civil
     2) United States
     3) –
Originating Court Information:
     District: 0208-1 : 17-cv-5625
     Trial Judge: Alvin Hellerstein, U.S. District Judge

As the Court indicates, the plaintiffs all have compelling reasons to have the Government act. The plaintiffs are:

  1. An African‐American businessman working in the medical marijuana space. He would like to expand his business into whole‐plant cannabis products and take advantage of the federal Minority Business Enterprise Program, but, he alleges, he is impeded from so doing by the drug’s scheduling.
  2. The Cannabis Cultural Association, Inc. (CCA) is a not‐for‐profit organization dedicated to assisting people of color develop a presence in the cannabis industry. CCA is particularly focused on the way past convictions for possession, cultivation, distribution, and use of marijuana have disproportionately affected people of color and prevented minorities from participating in the new state‐legal marijuana industry.
  3. Two children with dreadful medical problems. [One] suffers from chronic and intractable seizures; [the other] from Leigh’s disease. They allege that they exhausted traditional treatment options before finding success medicating with cannabis. They claim that marijuana has saved their lives. Because of its Schedule I classification, however, they cannot bring their life‐saving medicine with them when they travel onto federal lands or into states where marijuana is illegal. For [one], these travel limitations also mean that she cannot take full advantage of the veteran’s benefits to which she is entitled through her father. In addition, both live in constant fear that their parents might be subject to arrest and prosecution for their involvement in their children’s medical treatment.
  4. One is a veteran of the war in Iraq and suffers from post‐traumatic stress disorder. After his honorable discharge, he became suicidal and was adjudged 70% disabled. He alleges that he pursued conventional therapies unsuccessfully. In despair, he turned to medical marijuana. This, he claims, has allowed him to manage his symptoms. He further asserts, like [another plaintiff], that marijuana’s Schedule I classification restricts his ability to travel and to take full advantage of his veteran’s benefits.
  5. Defendants are the United States, the Attorney General, the Department of Justice, the Acting Administrator of the DEA, and the DEA itself. They are responsible for implementing the CSA and, more particularly, for updating the classification of controlled substances.

The CSA Scheduling Process

The Court describes the process used to schedule, reschedule, or deschedule drugs in footnote 3 on page 8 of its May 30th order:

The CSA places in the Attorney General the power to schedule, reschedule, or deschedule drugs. See 21 U.S.C. § 811(a). The Attorney General has promulgated rules delegating this power to the head of the DEA. See 28 C.F.R. § 0.100(b). The CSA further requires that, before scheduling, rescheduling, or descheduling a drug, the Attorney General “shall . . . request from the Secretary [of Health and Human Services] a scientific and medical evaluation[ of the drug], and [the Secretary’s] recommendations, as to whether such drug or other substance should be so controlled or removed,” which “shall be binding on the Attorney General as to such scientific and medical matters.” 21 U.S.C. § 811(b). The process for reviewing a drug’s scheduling can be initiated by the Attorney General, the Secretary of Health and Human Services, or “on the petition of any interested party.” Id. § 811(a).

And then at page 13:

When Congress enacted the CSA, it put, by legislative fiat, certain drugs directly into schedules. See Controlled Substances Act, Pub. L. No. 91‐513, § 202, 84 Stat. 1236, 1247‐52 (1970) (codified at 21 U.S.C. § 812); see also Gonzales v. Raich, 545 U.S. 1, 14 (2005). But the statute contemplated that these initial lists would be regularly revised and updated by the Attorney General, in consultation with the Secretary of Health and Human Services, and that this would be done according to a specific procedure and set of standards.

It is Health & Human Services, not the DOJ or the DEA, that will decide whether to reschedule marijuana

The Court considered the plaintiffs’ arguments that the former Attorney General and Administrator of the DEA were biased against marijuana, and thus would not act appropriately. But the Court concludes that any bias by the AG or DEA is not relevant, because “on the medical and scientific claims central to Plaintiffs’ argument, it is the opinion of the Secretary of Health and Human Services that matters, not the judgment of the Attorney General or the head of the DEA.”

How long does it take to decide petitions to reschedule drugs? Nine years.

“Plaintiffs argue that the administrative process will prolong their ordeal intolerably. And their argument is not without force. Plaintiffs document that the average delay in deciding petitions to reclassify drugs under the CSA is approximately nine years.”

Rescheduling marijuana requires action by the Administration

At page 16:

A sensible response to our evolving understanding about the effects of marijuana might require creating new policies just as much as changing old ones. This kind of constructive governmental work, mixing adjudication and program‐design, creating policy through the balancing of competing legitimate interests, is not generally best accomplished by federal courts on their own; it is, however, the stock‐in‐trade of administration. See, e.g., James M. Landis, The Administrative Process (1938). Assuming, of course, that one can get the administrative agency to act.

It is this last sentence – assuming, of course, that one can get the administrative agency to act – that is the key aspect of this decision, and how the Court left it.

Conclusion: The Court warns the Administration to get off the pot on pot, or it will step in

At pages 25-26:

Unless the Plaintiffs seek agency review and so inform us within six months, we will affirm the District Court’s judgment dismissing this case. (And if only some Plaintiffs seek agency review, we will dismiss the complaint as to those who do not.) But if Plaintiffs do seek agency review, and the agency fails to act with alacrity, Plaintiffs may return directly to us, under our retained jurisdiction. To be clear, we repeat that this case remains in our purview only to the extent that the agency does not respond to Plaintiffs with adequate, if deliberate, speed. In other words, we retain jurisdiction exclusively for the purpose of inducing the agency to act promptly.

Artificial Intelligence – Who Is On The Hook When Things Go Wrong With Your AI System? You Are!

“Organisations and individuals developing, deploying or operating AI systems should be held accountable for their proper functioning”

For all the upstart fintechs out there that are trumpeting their innovative Artificial Intelligence-based solutions that can solve a financial institution’s financial crimes problems: note that you may be held accountable when that AI system doesn’t quite turn out like your marketing materials suggested. Legal responsibility for something you design, build, and deploy is not a new concept, but how that “something” – in this case, the AI system you developed and installed at a client bank – actually works, and reacts, and adapts, over time could very well be new ground that hasn’t been explored before. But many smart people are thinking about AI developers’ accountability, and other AI-related issues, and many of them have produced principles to guide us as we develop and implement AI-based systems.

On May 22, 2019, the OECD published a Council Recommendation on Artificial Intelligence. At its core, the recommendation is for the adoption of five complementary “value-based principles for responsible stewardship of trustworthy artificial intelligence.” The link is “Artificial intelligence” and the actual recommendation is at https://legalinstruments.oecd.org/en/instruments/OECD-LEGAL-0449#_ga=2.200835047.853048335.1559167756-681244095.1559167756

What’s the big deal about artificial intelligence?

The OECD recognized a number of things about AI that are worth including:

  • AI has pervasive, far-reaching and global implications that are transforming societies, economic sectors and the world of work, and are likely to increasingly do so in the future;
  • AI has the potential to improve the welfare and well-being of people, to contribute to positive sustainable global economic activity, to increase innovation and productivity, and to help respond to key global challenges;
  • At the same time, these transformations may have disparate effects within, and between societies and economies, notably regarding economic shifts, competition, transitions in the labour market, inequalities, and implications for democracy and human rights, privacy and data protection, and digital security;
  • Trust is a key enabler of digital transformation; that, although the nature of future AI applications and their implications may be hard to foresee, the trustworthiness of AI systems is a key factor for the diffusion and adoption of AI; and that a well-informed whole-of-society public debate is necessary for capturing the beneficial potential of the technology, while limiting the risks associated with it;
  • Given the rapid development and implementation of AI, there is a need for a stable policy environment that promotes a human-centric approach to trustworthy AI, that fosters research, preserves economic incentives to innovate, and that applies to all stakeholders according to their role and the context;
  • Certain existing national and international legal, regulatory and policy frameworks already have relevance to AI, including those related to human rights, consumer and personal data protection, intellectual property rights, responsible business conduct, and competition, while noting that the appropriateness of some frameworks may need to be assessed and new approaches developed; and
  • Embracing the opportunities offered, and addressing the challenges raised, by AI applications, and empowering stakeholders to engage is essential to fostering adoption of trustworthy AI in society, and to turning AI trustworthiness into a competitive parameter in the global marketplace.

What is “Artificial Intelligence”?

The recommendation includes some helpful definitions of the major terms:

Artificial Intelligence System: a machine-based system that can, for a given set of human-defined objectives, make predictions, recommendations, or decisions influencing real or virtual environments. AI systems are designed to operate with varying levels of autonomy.

Artificial Intelligence System Lifecycle: four phases which can be sequential but may be iterative:

(i) design, data and models – a context-dependent sequence encompassing planning and design, data collection and processing, as well as model building;

(ii) verification and validation;

(iii) deployment; and

(iv) operation and monitoring

Artificial Intelligence Actors: AI actors are those who play an active role in the AI system lifecycle, including organisations and individuals that deploy or operate AI.

Is an OECD Recommendation binding on a country that has adopted it?

OECD Recommendations are not legally binding but they are highly influential and have many times formed the basis of international standards and helped governments design national legislation. For example, the OECD Privacy Guidelines adopted in 1980 and stating that there should be limits to the collection of personal data underlie many privacy laws and frameworks in the United States, Europe and Asia.

So the AI Principles are not binding, but the OECD provided five recommendations to governments:

  1. Facilitate public and private investment in research & development to spur innovation in trustworthy AI.
  2. Foster accessible AI ecosystems with digital infrastructure and technologies and mechanisms to share data and knowledge.
  3. Ensure a policy environment that will open the way to deployment of trustworthy AI systems.
  4. Empower people with the skills for AI and support workers for a fair transition.
  5. Co-operate across borders and sectors to progress on responsible stewardship of trustworthy AI.

Who developed the OECD AI Principles?

The OECD set up a 70+ member expert group on AI to scope a set of principles. The group consisted of representatives of 20 governments as well as leaders from the business (Google, Facebook, Microsoft, Apple, but not any financial institutions), labor, civil society, academic and science communities. The experts’ proposals were taken on by the OECD and developed into the OECD AI Principles.

What is the Purpose of the OECD Principles on AI?

The OECD Principles on Artificial Intelligence promote artificial intelligence (AI) that is innovative and trustworthy and that respects human rights and democratic values. The OECD AI Principles set standards for AI that are practical and flexible enough to stand the test of time in a rapidly evolving field. They complement existing OECD standards in areas such as privacy, digital security risk management and responsible business conduct.

What are the OECD AI Principles?

The Recommendation identifies five complementary values-based principles for the responsible stewardship of trustworthy AI:

1. Inclusive growth, sustainable development and well-being: AI systems should be designed in a way that respects the rule of law, human rights, democratic values and diversity, and they should include appropriate safeguards – for example, enabling human intervention where necessary – to ensure a fair and just society. And AI should benefit people and the planet by driving inclusive growth, sustainable development and well-being.

The actual text reads: “Stakeholders should proactively engage in responsible stewardship of trustworthy AI in pursuit of beneficial outcomes for people and the planet, such as augmenting human capabilities and enhancing creativity, advancing inclusion of underrepresented populations, reducing economic, social, gender and other inequalities, and protecting natural environments, thus invigorating inclusive growth, sustainable development and well-being.”

2. Human-centred values and fairness: AI actors should respect the rule of law, human rights and democratic values, throughout the AI system lifecycle. These include freedom, dignity and autonomy, privacy and data protection, non-discrimination and equality, diversity, fairness, social justice, and internationally recognized labor rights. To this end, AI actors should implement mechanisms and safeguards, such as capacity for human determination, that are appropriate to the context and consistent with the state of art.

3. Transparency and explainability: AI actors should commit to transparency and responsible disclosure regarding AI systems. To this end, they should provide meaningful information, appropriate to the context, and consistent with the state of art to foster a general understanding of AI systems, to make stakeholders aware of their interactions with AI systems, including in the workplace, to enable those affected by an AI system to understand the outcome, and, to enable those adversely affected by an AI system to challenge its outcome based on plain and easy-to-understand information on the factors, and the logic that served as the basis for the prediction, recommendation or decision.

4. Robustness, security and safety: AI systems should be robust, secure and safe throughout their entire lifecycle so that, in conditions of normal use, foreseeable use or misuse, or other adverse conditions, they function appropriately and do not pose unreasonable safety risk. To this end, AI actors should ensure traceability, including in relation to datasets, processes and decisions made during the AI system lifecycle, to enable analysis of the AI system’s outcomes and responses to inquiry, appropriate to the context and consistent with the state of art. And AI actors should, based on their roles, the context, and their ability to act, apply a systematic risk management approach to each phase of the AI system lifecycle on a continuous basis to address risks related to AI systems, including privacy, digital security, safety and bias.

5. Accountability: AI actors should be accountable for the proper functioning of AI systems and for the respect of the above principles, based on their roles, the context, and consistent with the state of art. Organisations and individuals developing, deploying or operating AI systems should be held accountable for their proper functioning in line with the above principles.

What countries belong to the OECD?

Australia, Austria, Belgium, Canada, Chile, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Iceland, Ireland, Israel, Italy, Japan, Korea, Latvia, Lithuania, Luxembourg, Mexico, Netherlands, New Zealand, Norway, Poland, Portugal, Slovak Republic, Slovenia, Spain, Sweden, Switzerland, Turkey, United Kingdom, United States