If this is, in fact, a new standard for the assessment of U.S. financial institutions’ BSA/AML compliance programs, then I believe it is a positive development.
The April 15, 2020 revision of four of the five introductory sections of the FFIEC BSA/AML Examination Manual is 43 pages long. It begins with “Scoping and Planning” a BSA/AML examination. In the just-replaced section from the 2014 Manual, the objective of scoping and planning was to “identify the bank’s BSA/AML risks”. The new objective is to “develop an understanding of the bank’s money laundering, terrorist financing (ML/TF) and other illicit financial activity risk profile.”
In fact, the phrase “money laundering, terrorist financing and other illicit financial activity risk” or “ML/TF and other illicit financial activity risk” appears fifty-three (53) times in forty-three (43) pages in this April 2020 update.
The phrase “money laundering or terrorist financing risk” appears three (3) times in the current Manual (twice in the CDD section, once in the MSB section), but the phrase “ML/TF and other illicit financial activity” appears exactly zero (0) times in 442 pages of the 2014 BSA/AML Examination Manual.
It appears, then, that the regulatory agencies have replaced the term “BSA/AML risk” and “BSA/AML risk profile” with the phrase “ML/TF risk” and “ML/TF risk profile.”
What are the practical impacts, if any, with the regulators’ shift from examining a bank’s “BSA/AML risk profile” to examining a bank’s “ML/TF risk profile”?
Without guidance from the regulators, without knowing their intent, it’s impossible to say what, if any, practical difference there is.
What the regulators haven’t yet touched is the Introduction section of the Manual, which precedes the four sections they have updated. So, the 2014 Introduction remains. Among other things, the Introduction includes some discussion of money laundering and terrorist financing. At page 7:
Money Laundering and Terrorist Financing
The BSA is intended to safeguard the U.S. financial system and the financial institutions that make up that system from the abuses of financial crime, including money laundering, terrorist financing, and other illicit financial transactions. Money laundering and terrorist financing are financial crimes with potentially devastating social and financial effects. From the profits of the narcotics trafficker to the assets looted from government coffers by dishonest foreign officials, criminal proceeds have the power to corrupt and ultimately destabilize communities or entire economies. Terrorist networks are able to facilitate their activities if they have financial means and access to the financial system. In both money laundering and terrorist financing, criminals can exploit loopholes and other weaknesses in the legitimate financial system to launder criminal proceeds, finance terrorism, or conduct other illegal activities, and, ultimately, hide the actual purpose of their activity.
Banking organizations must develop, implement, and maintain effective AML programs that address the ever-changing strategies of money launderers and terrorists who attempt to gain access to the U.S. financial system. A sound BSA/AML compliance program is critical in deterring and preventing these types of activities at, or through, banks and other financial institutions.
At page 8:
The motivation behind terrorist financing is ideological as opposed to profit-seeking, which is generally the motivation for most crimes associated with money laundering. Terrorism is intended to intimidate a population or to compel a government or an international organization to do or abstain from doing any specific act through the threat of violence. An effective financial infrastructure is critical to terrorist operations. Terrorist groups develop sources of funding that are relatively mobile to ensure that funds can be used to obtain material and other logistical items needed to commit terrorist acts. Thus, money laundering is often a vital component of terrorist financing.
It appears, then, that the 2014 Introduction remains and provides clear direction that a sound BSA/AML compliance program is critical in deterring and preventing money laundering and terrorist financing at, or through, banks and other financial institutions. And it appears also that the 2020 updates have further emphasized the importance of focusing on ML/TF and other illicit financing activity risks as this phrase doesn’t appear at all in the old/existing Manual.
In this article I will make three observations about money laundering and terrorist financing, and all three come from a Congressional hearing that occurred almost seventeen (17) years ago – a year before the first BSA/AML Examination Manual was published – that was held by the House Financial Services Subcommittee on Oversight and Investigations. That hearing was titled “Improving Financial Oversight: A Private Sector View of Anti-Money Laundering Efforts”. It was held on May 18, 2004. The hearing transcript is available at Congressional Hearing May 2004. In full disclosure, I was one of five witnesses to appear before the Sub-Committee. The others were David Aufhauser (then a Senior Counsel, Center for Strategic and International Studies and Counsel, Williams & Connolly LLP, and previously General Counsel at the Treasury Department); John Byrne, at the time the Director of Center for Regulatory Compliance, American Bankers Association; Joe Cachey, then the Vice President, Global Compliance and Chief Compliance Officer and Counsel, Western Union Financial Services; and Steve Emerson, Executive Director, The Investigative Project.
1. From an operational point of view, money laundering and terrorist financing are different problems
“From a purely operational point of view, money laundering and terrorist financing are two, very, very different problems. Traditional money laundering prevention is a transaction-focused internally sourced issue where transactions lead to relational links. Terrorist financing prevention is very different. It is a relationship-focused, externally sourced issue where relational links lead to transactions.” – written testimony of Jim Richards, Operations Executive for Global Anti-Money Laundering, Bank of America, footnote 10 on page 13.
Seventeen years later, I wish I had taken a page from the FFIEC manual and added something about “money laundering is often a vital component of terrorist financing.” But in the immediate post-9/11 environment, most of our success in finding terrorist financing or the funding of terrorist operations came from getting names or other leads from law enforcement. That said, Sub-Committee Chairwoman Sue Kelly (D. NY) asked me “[c]an you identify any particular case in which your companies worked with law enforcement to stop the flow of funds to a terrorist group or an activity of some sort?” I replied:
“Madam Chairman, off the top of my head, I can think at least two particular cases: One prior to September 11 and one after September 11. In both cases, we identified what we thought was suspicious activity. Again, we are not required to detect money laundering or terrorist financing, we are required to detect and report suspicious activity. We did that. In both cases, we felt it was significant enough that we immediately contacted law enforcement, which we are entitled and indeed perhaps required to do if it is an ongoing, serious matter. And in this case, it was the Boston U.S. Attorney’s Office, and they immediately contacted us and sought the underlying records that were the basis of our suspicious activity reports. Subsequent news events confirmed that what we had reported was indeed tied to potential terrorist financing.”
So I actually contradicted myself: we reported what we thought was money laundering or suspicious activity, and subsequent events revealed that what we had actually reported was terrorist financing or the funding of terrorist activity. The FFIEC is correct: money laundering is often a vital component of terrorist financing.
2. Money laundering and terrorist financing should not just be viewed as problems, but as symptoms of problems
“… from the perspective of a bank’s risk officer, money laundering or terrorist financing is not a problem, but a symptom of an underlying operational or control problem. When looked at from this perspective, the risk officer is able to look at the filing of a SAR or the activity represented in the SAR as a symptom of an underlying problem with account opening procedures, document collection and verification procedures, branch AML training, or the monitoring or surveillance functions. Looking at money laundering or terrorist financing as a symptom rather than a problem can be an effective way to focus on and eliminate or mitigate the underlying causes.” – Written testimony of Jim Richards, page 13, footnote 10.
Seventeen years later, I wish I had written “from the perspective of a bank’s risk officer, money laundering or terrorist financing is not just a problem, but also a symptom of an underlying operational or control problem …”. Obviously, money laundering is a problem. As is terrorist financing. But the important point I was trying to make is that identifying and reporting the suspicious activity – whether related to money laundering or terrorist financing, or both – is not the end-game for the reporting financial institution. It’s equally important to take those reports – to take the problems that you’ve identified and reported – and view them as symptoms of possible problems or issues with your underlying operational controls, or policies and procedures, or training, or even auditing or independent testing, and to correct those problems. Being able to prevent money laundering or terrorist financing is the ultimate goal.
I attempted to explain this notion of symptom versus problem in answering a question from Congressman Jeb Hensarling (R. TX 5th):
Mr. Hensarling. Thank you, Madam Chair. Mr. Richards, I believe in your testimony you stated that money laundering or terrorist financing is not a problem but a symptom of a problem. Could you elaborate and explain that statement?
Mr. Richards. Yes. We believe that within the context of the total issue of operating risk, that the act of filing a suspicious activity report is not the end of your duty but indeed you take the suspicious activity reports and then you go back and look at the commonalities between them to determine whether the money laundering that you have reported or suspicious activity you are reported is caused by issues relating to account opening, failure to collect the proper identification, it might be a branch training issue where you have to train the people in the branch environment, something like that.
So that rather than looking at the end game being the filing of a suspicious activity report, you look at it as just the beginning of trying to see if there is an underlying operational issue in the bank. If you address the underlying operational issue, you may resolve the suspicious activity that is occurring in your bank. So, again, if you look at it as not a problem but a symptom, you can then drill down and see what the real underlying operational problem may be.
Mr. Hensarling. Thank you.
3. Managing money laundering and terrorist financing risks can only be done with creative, committed, and courageous professionals in the public and private sectors, working together
“The success of the financial sector’s anti-money laundering and terrorist financing prevention efforts is entirely dependent on two things: First, cooperation between and coordination by all of the parties involved: the law enforcement and intelligence communities, the regulatory community, the private sector, our trade associations, such as the ABA, and others; and, second, creative, committed professionals dedicated to this task. In my experience, Madam Chairman, the American financial sector has both.” – written testimony of Jim Richards
Just as I wish I had written “money laundering or terrorist financing is not just a problem, but also a symptom …”, seventeen years later I wish I had added “courageous” to my description of the type of professional that are dedicated to fighting money laundering, terrorist financing, and other illicit financial activity.
Since my Congressional testimony in 2004, I’ve come to realize that Winston Churchill was right when it comes to courage: “Courage is the single attribute upon which all other attributes depend”.
In an article I published in December 2018 titled “Rules-Based Monitoring, Alert-to-SAR Ratios, and False Positive Rates: Are We Having the Right Conversations?” I wrote this about the importance of courage:
“After 20+ years in the AML/CTF field – designing, building, running, tuning, and revising programs in multiple global banks – I am convinced that rules-based interaction monitoring and customer surveillance systems, running against all of the data and information available to a financial institution, managed and tuned by innovative, creative, courageous financial crimes subject matter experts, can result in an effective, efficient, proactive program that both provides timely, actionable intelligence to law enforcement and meets and exceeds all regulatory obligations. Can cloud-based, cross-institutional, machine learning-based technologies assist in those efforts? Yes! If properly deployed and if running against all of the data and information available to a financial institution, managed and tuned by innovative, creative, courageous financial crimes subject matter experts.”
And in a March 2019 article titled “Lessons Learned as a BSA Officer 1998-2018” , one of the nine lessons I described was on the importance of courage. After quoting Winston Churchill (“Courage is the single attribute upon which all other attributes depend”), I wrote:
“After the September 2001 terrorist attacks, the 9/11 Commission was set up to look at what happened, and why. In its final report issued in 2004, they concluded that the US government’s failures could be grouped into four major categories: failure of policy, failure of capabilities, failure of management, and failure of imagination. And they concluded that the “most important failure” was a lack of imagination. I believe that all four of those failures – of policy, of capabilities, of management, and of imagination – have one thing in common. A failure of courage. What do I mean by courage? Courage to speak freely – but respectfully and fairly. Courage to walk away when your principles are compromised. Courage to change. Courage to listen. Courage to compromise.”
Finally, I apparently used the word “courage” six times in a podcast I did with the esteemed Jo Ann Barefoot in April 2018, just weeks after I retired from Wells Fargo. In the show notes, Jo Ann wrote, in part, that “executing the transformation [to digitally-enabled regulation] will take imagination, vision, wisdom and even courage, which is why I invited today’s guest to join us. He is Jim Richards, founder of the new firm, RegTech Consulting, and I think he used the word “courage” six times, in our talk.”
I don’t believe there are any practical differences between BSA/AML risks, on the one hand, and money laundering, terrorist financing (ML/TF) and other illicit financial activity risks, on the other hand. But if there are differences, then a greater focus on managing – and being examined on how financial institutions manage – ML/TF and other illicit financial activity risks is a positive thing.
It will take cooperation between, coordination by, and the courage of all of the parties involved in the fight against money laundering and terrorist financing: the law enforcement and intelligence communities, the regulatory communities, private sector financial institutions, fintech disrupters and vendors of financial crimes systems, trade associations, and others. In my experience, the American financial sector has what it takes to effectively manage money laundering and terrorist financing and other illicit financial activity risks.
 In fairness, the phrase “money laundering, terrorist financing, and other illicit financial transactions” appears in the current Introduction section (page 7).