Bank Directors: What the Regulators, and Your Consultants, Aren’t Telling You About How to Satisfy Your AML/CFT Program Responsibilities

Fifteen Directors’ Tips

In a recent LinkedIn post, a consulting firm published a blog titled “The Importance of a Board-level Masterclass in Anti-Money Laundering”[1] It was very well done. For example:

“The Board of Directors of a financial institution has a fiduciary duty to ensure that a robust compliance programme is in place within the firm and that a solid and effective control framework is in place. The Board needs to set the “tone from the top” to ensure that the firm is effectively promoting a “culture of compliance”. Most financial institutions have well established procedures and policies for dealing with credit risk and market risk but the practice of dealing with Know Your Customer (KYC) and Anti-Money Laundering (AML) risk is not nearly so well advanced. As a result, the flow of critical information to risk committees and boards is often not fit for purpose.”

Among other pieces of advice, the blog provided that the “Board of directors must have a solid understanding of its own role in the oversight of the AML programme … Executive Directors and Non-Executive Directors need to know the right questions to ask … Executive Directors and Non-Executive Directors should know what best practice is in terms of AML management information and oversight for Boards.”

This is good advice.

And there are other great resources for boards and directors. All of the big consulting firms specialize in advising and training boards of directors. See, for example, Deloitte’s Global Center for Corporate Governance, “2020 Director’s Alert: Reimagining governance and oversight amid digital disruption”[2] and the Board of Directors Center of Excellence – a “non-profit organization providing business leaders the forum and expertise needed to meet the ever-changing challenges of corporate governance … focused on connecting, educating and enabling our members to: (A) Prepare for and be hired as qualified professional board members, and (B) Learn industry best practices, access best in class content and develop relevant relationships to serve their respective boards.”[3]

And of course the American Bankers Association has some excellent training materials for bank directors. In fact, the ABA’s “board oversight” training for BSA/AML/OFAC is particularly good. Its 4-minute (approximately) online module:

“Explores a bank board’s key responsibility for overseeing the creation and maintenance of a culture of compliance with Bank Secrecy Act/anti-money laundering rules and the Office of Foreign Assets Control trade sanctions. This includes reviewing risk assessment findings, information systems and the resources devoted to compliance, as well as the bank’s BSA/AML/OFAC policies and programs.”

After which, the ABA notes that “[a]fter successfully completing the course, you will be able to: Describe the unique roles of BSA/AML and OFAC rules in ensuring safety and security; Explain the BSA responsibilities assigned to the board of directors; Explore the five components of a strong BSA/AML program.”[4]

The Office of the Comptroller of the Currency (OCC) offers some excellent training for community bank directors.[5] The Compliance Risk session looks particularly compelling. The brochure provides:

“Effective oversight of consumer laws and regulations can reduce the risk of financial loss, ensure quality service for customers, and preserve a sound reputation. Directors must recognize the scope and implications of the legislation and consumer protection regulations, such as the Bank Secrecy Act and the Equal Credit Opportunity Act. This one day workshop focuses on compliance red flags, hot topics, and common OCC examination findings related to compliance risk. Be ready to respond to the rapidly changing financial services industry and to fulfill your responsibilities with confidence …”

And when it comes to compliance risk, the OCC’s brochure describes what directors need to know:

  • Understand the critical elements of an effective compliance risk management program.
  • Review major compliance risks and critical regulations, such as the Bank Secrecy Act and the Equal Credit Opportunity Act.
  • Identify compliance red flags and hot topics.
  • Learn about common OCC examination findings related to compliance risk.

The OCC workshop attendees will “[w]ork with and learn from experienced OCC examiners who lead this one-day workshop, which includes discussions of best practices, lectures, and hands-on exercises designed for directors and senior management of national community banks and federal savings associations.”[6]

In February 2021 the Federal Reserve published a Supervisory Release titled “Supervisory Guidance for Boards of Directors”[7] that laid out five key attributes of an effective board:

(1) Sets clear, aligned, and consistent direction regarding the firm’s strategy and risk tolerance.

(2) Actively manages information flow and board discussions by directing senior management to provide directors with information that is sufficient in scope, detail, and analysis to enable sound, well-informed decisions and consider potential risks.

(3) Oversees and holds senior management accountable for effectively implementing the firm’s strategy, consistent with its risk appetite, while maintaining an effective risk management framework and system of internal controls.

(4) Assesses and supports, through its risk and audit committees, the independence and stature of independent risk management and internal audit functions.

(5) Maintains a capable Board composition, governance structure, and practices that support the firm’s safety and soundness and the ability to promote compliance with laws and regulations consistent with the firm’s size, complexity, scope of operations, and risk profile.

All of these guidance documents, online and in-person director training workshops, and other publications are valuable resources for bank directors, who are responsible for setting or approving their bank’s overall strategy and overseeing, and sometimes approving, much of what management does. In the case of BSA/AML, the duties of the directors are spelled out in some detail in the FFIEC BSA/AML Examination Manual. For example, up until changes to the Manual made in April 15, 2020, the bank regulators had these expectations for bank directors:

“The board of directors, acting through senior management, is ultimately responsible for ensuring that the bank maintains an effective BSA/AML internal control structure, including suspicious activity monitoring and reporting.  The board of directors and management should create a culture of compliance to ensure staff adherence to the bank’s BSA/AML policies, procedures, and processes.” – 2014 Exam Manual, page 29 (emphasis added).

“The board of directors is responsible for ensuring that the BSA compliance officer has sufficient authority and resources (monetary, physical, and personnel) to administer an effective BSA/AML compliance program based on the bank’s risk profile …” – 2014 BSA Exam Manual, page 32 (emphasis added).

The April 15, 2020 update to the Manual changed that language to:

“The board of directors is ultimately responsible for the bank’s BSA/AML compliance and should provide oversight for senior management and the BSA compliance officer in the implementation of the bank’s board-approved BSA/AML compliance program … The board of directors is responsible for ensuring that the BSA compliance officer has appropriate authority, independence, and access to resources to administer an adequate BSA/AML compliance program based on the bank’s ML/TF and other illicit financial activity risk profile.  The BSA compliance officer should regularly report the status of ongoing compliance with the BSA to the board of directors and senior management so that they can make informed decisions about existing risk exposure and the overall BSA/AML compliance program.” – 2020 BSA Exam Manual Update, page 29 (emphasis added)

Whether the regulators expect an effective program (2014 language) or an adequate program (2020 language), these are immense responsibilities, and of course directors cannot meet those responsibilities without going through training (whether it be by a global, first-class consulting firm like Deloitte, a bespoke, specialized firm like The Board of Directors Center of Excellence or The Lysis Group, or even the ABA and OCC). Director training is not only critical, it is required. The updated BSA Exam Manual provides, in part:

“The board of directors and senior management should receive foundational training and be informed of changes and new developments in the BSA, including its implementing regulations, the federal banking agencies’ regulations, and supervisory guidance. While the board of directors may not require the same degree of training as banking operations personnel, the training should provide board members with sufficient understanding of the bank’s risk profile and BSA regulatory requirements. Without a general understanding of the BSA, it is more difficult for the board of directors to provide adequate oversight of the BSA/AML compliance program, including approving the written BSA/AML compliance program, establishing appropriate independence for the BSA/AML compliance function, and providing sufficient BSA/AML resources.” – 2020 BSA Exam Manual Update, page 32.

So it appears from all of this that bank directors have detailed, onerous responsibilities when it comes to BSA/AML; they need to be trained and aware of the risks; they need to be able to make effective judgments about whether their bank’s BSA/AML program is adequate (or, perhaps, effective). But directors are not day-to-day managers of their banks, and they rely on materials presented to them on a monthly, quarterly, or even annual basis by auditors, BSA compliance officers, and other senior management in the bank. But as we all know, reality can be different from theory, and as all directors will tell you, the boardroom is different from the classroom. And as the great American philosopher Yogi Berra said, “in theory there is no difference between theory and practice: in practice there is.”

So to try to bridge that gap between theory and reality, and classroom and boardroom, here are fifteen practical tips for bank directors that I have gleaned from personally reporting to a bank board for over thirteen years and from speaking with many of my peers who have done the same in other banks around the country and around the world. You won’t see these tips in traditional director training manuals or in the Federal Reserve’s guidance on what makes an effective board.

Director Tip #1 – Ask Yourself Whether You Can Critically Read Board Reports Loaded Onto a Tablet

This may be a generational thing, but is there anyone out there who can critically read a complex and detailed financial risk report, in whatever format, on a tablet device? Tablet technology allows you to key in notes and comments … but not really and you rarely do. You can use electronic “stickies” … but not really, and you rarely do. And you certainly can’t be halfway through a report and ask yourself, “hold it, didn’t they write something different a few pages ago?” and then actually scroll back and find that something different. Even if you can scroll back and find what you’re looking for, you certainly can’t easily find your way back from whence you came. Face it, paper reports are much simpler: you take a pen or pencil in hand, make margin notes, draw arrows, underline, pose written questions and reminders to yourself. You sometimes take a highlighter for emphasis. And it’s easy to flip back and forth. And of course, those brilliant half-clear, half-colored margin Post-it NotesTM that “flag” important sections don’t work on tablets (other than to remind you what your log in password is).

So if your bank has gone to tablets (or even laptops), and you really aren’t as effective as you could be because you can’t scroll back and forth, can’t easily take notes, can’t flag important passages, etc., then insist on printed materials. Which takes you to the second reason not to fall for the tablet trick …

Director Tip #2 – Always Compare This Period’s Report with Last Period’s Report

This is the second reason why tablets (or laptops) aren’t the best when it comes to board reports: you can’t (easily) compare what management has sent you this quarter against what they sent you last quarter. Now, many (all?) board reports will have period-over-period (whether monthly, quarterly, yearly periods) charts and graphs and tables, showing the progression of whatever has or has not progressed. But the narrative often changes from period to period. A good example could be the section on “Top AML Risks Facing Our Bank” which may list four or five risks. Are they the same four or five risks, month after month? This may not be easy to determine, unless you have last month’s report (and even the month prior to that) on your desk, side by side by side.

Which leads to the third tip …

Director Tip #3 – How is the Material Being Presented, and is that Presentation Changing Over Time?

Every bank, and every board, has its own style and set of expectations when it comes to the length and format of board reports. But look very closely at how information is being presented. Charts, tables, graphs, narratives all can take the same basic information and present it so the message is different. Every time you see a chart/table/graph, ask yourself two questions: (1) what information are they trying to convey? And (2) is there anything they are trying to hide? And pay close attention to the narrative that accompanies a chart, table, or graph: does the narrative match what is in the graphic?

Director Tip #4 – Does the Body of the Report Conform to the Executive Summary?

When it comes to board reports, executive summaries can be as dangerous as they are helpful. Directors may have a board “package” of material that runs into hundreds of pages, with seven to ten (or more) sections or topics in that package. Each section may have a one-page executive summary that purports to – obviously – provide the executive (the director) with a summary of the ten, twenty, or thirty page body of the report. Some directors won’t have time to read anything but the executive summary for many of the topics; instead, they’ll focus their time on the one or two topics that are of greatest interest or have the thorniest issues. But – and here’s a warning – if something eventually goes wrong, a regulator or prosecutor or plaintiff’s attorney can say that you had the materials and therefore knew about [whatever]: after all, it was right there in the body of the board report, on page 32, even if it wasn’t in the Executive Summary.

So, make sure to read the executive summary and then read the body of the report. Make sure the two conform. If not, raise it as an issue or, better yet, insist that future reports are conforming. But what if the body of the report is so long that it’s not practical to get through it and understand it? That leads to the fifth tip …

Director Tip #5 – Put A Page Limit on the Board Reports

If the package of materials lands on your desk or in your In Box or on your iPad, and it’s ten reports and a total of hundreds and hundreds of pages of materials, and there’s no practical way you can get through all the material (and understand it), then sit down with your other directors and decide what is manageable. Then hold management to that. Honestly, if management can’t provide a periodic report on a single subject in a 15-page or less Word document, you need to re-prioritize what is going to the board.

Which takes us to the sixth tip …

Director Tip #6 – Consider adopting the Bezos Plan: No PowerPoints!

PowerPoint “decks” are a staple of most corporate meetings and many board meetings. Instead, follow the Amazon/Bezos rule, where it/he has banned PowerPoints for executive meetings and uses narrative-styled, 6-page maximum memos. In his 2017 Annual Report shareholders’ letter, Bezos writes “We don’t do PowerPoint (or any other slide-oriented) presentations at Amazon. Instead, we write narratively structured six-page memos. We silently read one at the beginning of each meeting in a kind of “study hall.” Not surprisingly, the quality of these memos varies widely. Some have the clarity of angels singing. They are brilliant and thoughtful and set up the meeting for high-quality discussion. Sometimes they come in at the other end of the spectrum.”[8]

Director Tip #7 – No Appendices, No Endnotes

Appendices are for academic papers and annual BSA/AML Program documents. Not for board reports. Nothing but mischief or way too much detail for a director is buried in an appendix. Ban them.

Footnotes are OK.[9] Endnotes are not OK. Nobody reads endnotes; in fact, nobody can read endnotes on a tablet.

Have YOU actually read the endnotes I’ve inserted in this article? No, I didn’t think so. I think I’ve made my point. So while you’re banning appendices, ban endnotes.

Director Tip #8 – Don’t Focus Solely On What Is In The Board Report

Look at not only what is in the report that should be in the report, but (i) what is in the report that should not be in the report, and (ii) what is not in the report that should be in the report.

Director Tip #9 – Hold Actual People Responsible and Accountable

Don’t allow a senior manager to present a report they didn’t author (in whole or in part) or that deals with something they are not accountable for. Some large financial institutions “bury” their BSA Officer in the Risk group or Compliance group, and the Chief Risk Officer or Chief Compliance Officer may include the BSA Officer’s report as part of their general risk or compliance report. If the BSA Officer is responsible for BSA risk – and they are – then the BSA Officer needs to write their own report and, as important, present it to the board. Understand the cycle of ownership and accountability: the board needs to know who is responsible for something, and whoever owns it, writes about it; whoever writes it, speaks to it; whoever speaks to it, owns it. And is accountable for it. And hold them accountable.

Director Tip #10 – Know What Is Being Asked Of You – And Do It

If you’re in the once-a-year board meeting where you’re being asked to “review and approve” the bank’s BSA/AML compliance program, and to reappoint the BSA compliance officer, make sure you do both of those things – review, and approve:

  1. Actually review the program document. Make sure it contains what it is supposed to contain. Compare it to the previous year’s program. Do the work needed to understand it.
  2. Ask any needed questions. Get the right answers (see Tip #12). Only approve it if you should approve it. Or approve part of it if needed.
  3. Talk to the presumptive BSA compliance officer. Make sure they have the requisite experience, training, stature, and resources to do their job. Make sure they understand the company and the BSA/AML risks the company is facing. Check their performance review(s). Ask the general auditor, general counsel, Chief Risk Officer, and CEO about the person. And then only appoint or reappoint if you’re satisfied that this person has the ability, stature, and resources to run your program (remember the Manual: “the board of directors is ultimately responsible for the bank’s BSA/AML compliance …”).

Director Tip #11 – Effort and Commitment are Great, But …

Does anyone really care which team in the 2021 Super Bowl had the hardest-working, most dedicated team? Effort and commitment are critical, and without both, any effort in a bank will fail. But from the board’s perspective, effort and commitment are table stakes. The result is the only thing that truly matters. Which leads to the next tip …

Director Tip #12 – Never Accept a “Process” Answer to a “Results” Question

An example of a “results” question and “process” answer is this exchange:

Director: “The table on page 3 of your report indicates that the group met its previous quarter’s SAR filing KPIs and it is on track to meet this quarter’s target. Is the group going to meet this quarter’s target?”

Risk Manager: “Great question, thanks for asking it! The team is fully committed to do so and they’re working non-stop to meet their goals.”

Here, the Risk Manager has avoided answering the results question (“are you going to meet your target?”) by giving what sounds like an earnest and certainly upbeat and positive answer that deals with the process (“we’re trying our hardest!”). See Tip #13 – effort and commitment is great, but in this case the Director should reply with “I didn’t ask if your team was trying hard, I asked if it was going to meet this quarter’s target, which is a ‘yes’ or ‘no’ answer, and if ‘no’, why and what are you doing about it.” Be firm. These process answers seem to crop up most often in the months preceding a regulatory action.

Director Tip #13 – Words and Punctuation Matter!

Words and punctuation matter! If you receive board reports that are poorly written and are replete with syntax and spelling errors, insist that changes be made. There is much attention being placed on machine learning and artificial intelligence, both of which require computer coding that is precise. We must have the same attention paid to precise language and precise punctuation. There is a difference between a gentleman who is “tall, dark, and handsome” (he possesses all three of those attributes) and a gentleman who is “tall, dark, or handsome” (he, unfortunately, is either tall, or dark, or handsome, but not all three).

“We know all too well that drugs are killing record numbers of Americans – and almost all of them come from overseas.” – (then) US Attorney General Jeff Sessions, August 31, 2018 speech.

This is a good example of a poorly written sentence that is begging for clarity. The phrase “almost all” means very little: at least 51% and less than 100%. Second, do “almost all” drugs come from overseas, or do almost all Americans come from overseas? And finally, Mexico is the source country for 90% – 94% of heroin entering the US, and the final transit country for 90% of the cocaine entering the US. Mexico isn’t overseas from the US (any more than Canada was the first overseas country visited by First Lady Melania Trump).

Director Tip #14 – Watch Out For Modifiers – Most Adverbs and Adjectives Have No Place in a Board Report

One of the greatest clear language culprits is the modifier: an adjective or adverb that modifies a noun or verb, respectively. As Colonel Jessup (Jack Nicholson) in “A Few Good Men” famously replied “is there any other kind?” to Lieutenant McCaffrey’s (Tom Cruise’s) questions “were the men in danger? Grave danger?”, we know that modifiers are often unnecessary. Whether necessary or not, when reading board reports a bank director should be very aware of adjectives and adverbs. When confronted with any modifier, ask yourself (i) why is that modifier being used? (ii) is it being used correctly? (iii) does it change the meaning of the sentence in a way that is unintended? (iv) is it being used consistently with other modifiers? And (v) could it limit or harm the bank (or expose me to harm) in the future?

A more practical and topical example of the use of precise language than “tall, dark, or handsome” is an interagency joint statement on “Innovative Efforts to Combat Money Laundering and Terrorist Financing” (December 3, 2018) (see https://www.occ.gov/news-issuances/news-releases/2018/nr-occ-2018-130a.pdf). In that statement, the four banking regulatory agencies and FinCEN wrote, in part:

“… pilot programs that expose gaps in a BSA/AML compliance program will not necessarily result in supervisory action with respect to that program. For example, when banks test or implement artificial intelligence-based transaction monitoring systems and identify suspicious activity that would not otherwise have been identified under existing processes, the Agencies will not automatically assume that the banks’ existing processes are deficient. In these instances, the Agencies will assess the adequacy of banks’ existing suspicious activity monitoring processes independent of the results of the pilot program. Further, the implementation of innovative approaches in banks’ BSA/AML compliance programs will not result in additional regulatory expectations.”

The modifiers “necessarily” and “automatically” are important: the agencies did not write that “pilot programs that expose gaps in a BSA/AML compliance program will not result in supervisory action with respect to that program” or “the Agencies will not assume that the banks’ existing processes are deficient”. They left the door (wide) open for taking regulatory action against institutions where innovative pilot programs reveal gaps in their existing anti-money laundering programs.

And, of course, the ultimate BSA/AML-related example of modifiers is the FFIEC Exam Manual shift from examining to a standard of effectiveness to managing to a standard of adequate. I have written about what this change means and the possible long-term effects.[10]

Director Tip #15 – Watch Out for “Red Flag” Words and Phrases

In addition to punctuation and modifiers, there are words and phrases that compliance and risk management professionals tend to use that should be a red flag for a director. Two examples are:

  • “Intended”, as in “this product is intended to be sold only to medium-sized businesses” – read critically, this phrase also means “although this product is intended to be sold only to medium-sized businesses, there are no controls stopping us from selling it to whatever customer class we want …”. Intent is only that: intent.
  • “Primarily”, as in “this product is primarily sold to mid-size businesses”. With “primarily” comes “secondarily”: “this product is primarily sold to mid-size businesses, but we’re also selling it to whoever will buy it.”

And make sure you understand words and phrases that are now commonly used but may not be commonly understood or are intentionally (or unintentionally) so vague as to be meaningless or incapable of being measured. Examples include “implement”, “solution”, “agile development”, and “paradigm shift”.

Conclusion

Directors – and aspiring directors – have a plethora of training and awareness courses available to them, taught by some of the most brilliant and experienced consulting minds available. From these, directors will learn how to “set the ‘tone from the top’ to ensure that the firm is effectively promoting a ‘culture of compliance’”, and master “compliance red flags, hot topics, and common OCC examination findings related to compliance risk … [b]e ready to respond to the rapidly changing financial services industry, and to fulfill your responsibilities with confidence”.

But what I haven’t seen in any of these materials are some more fundamental things, or tips. Tips such as not falling for the tablet trick, or insisting on a page limit on the written materials, or holding actual people responsible and accountable. Tips such as comparing this period’s report with last period’s report, or never accepting a “process” answer to a “results” question. But if you adopt some of these tips – professionally, carefully, and in a respectful and measured way – you may be able to influence your company in a positive way by setting a tone from the very top of the company that you’re serious about being the very best director for the company and all of its stakeholders.

[1] https://www.lysisgroup.com/post/the-importance-of-a-board-level-masterclass-in-anti-money-laundering-aml

[2] https://www2.deloitte.com/content/dam/Deloitte/global/Documents/Risk/gx-risk-2020-directors-alert.pdf

[3] https://www.boardseats.org/

[4] https://www.aba.com/training-events/online-training/board-oversight-bsa-aml-ofac

[5] https://www.occ.gov/publications-and-resources/information-for/bankers/community-bank-director-workshops/index-community-bank-director-workshops.html

[6] https://www.occ.gov/publications-and-resources/information-for/bankers/community-bank-director-workshops/workshop-brochure-compliance-risk.pdf

[7] SR 21-3 / CA 21-1 attachment: Supervisory Guidance for Boards of Directors of Domestic Bank and Savings and Loan Holding Companies with Total Consolidated Assets of $100 Billion or More (Excluding Intermediate Holding Companies of Foreign Banking Organizations Established Pursuant to the Federal Reserve’s Regulation YY) and Systemically Important Nonbank Financial Companies Designated by the Financial Stability Oversight Council for Supervision by the Federal Reserve

[8] https://ir.aboutamazon.com/static-files/1bfd8929-81a0-46d7-a378-6aff9a203093

[9] My copy of the Bible, the New American Bible, Saint Joseph Edition (1991) has footnotes. So I’m not going to argue that board reports shouldn’t have footnotes.

[10] https://regtechconsulting.net/uncategorized/the-us-bsa-aml-regime-have-we-just-gone-from-aspiring-to-be-effective-to-merely-being-adequate/