The US BSA/AML Regime – Have We Just Gone From Aspiring to be “Effective” to Merely Being “Adequate”?

On April 15, 2020, federal and state banking agencies updated parts of the BSA/AML Examination Manual (“Manual”), a document that was first published in 2005 and has been revised and re-published four times since, with the last full edition published in November 2014. The Manual provides what and how examiners examine banks and other financial institutions (collectively, “banks”) for compliance with BSA/AML laws and regulations. Just as important, the Manual is the blueprint that allows banks to build and maintain their programs, and for bank auditors to audit those programs, with some confidence that they’re meeting regulatory requirements and their regulators’ expectations.

OCC Comptroller Otting’s statement on the release of the revisions to the Manual included the following statement:

Today, the FFIEC agencies published updates to the BSA/AML Examination Manual that represent a significant step forward in our efforts to improve how we ensure banks have effective programs to safeguard the banking system against financial crime, particularly money laundering and terrorist financing.[1](emphasis added)

Ensuring that banks have effective programs is critical. This “effectiveness” standard is how the United States itself is judged by the Financial Action Task Force, or FATF, which rates its member countries’ technical compliance with its Recommendations as well as how effective their BSA/AML regimes are in fighting financial crime.

“Effectiveness” is a hot topic in financial crimes risk management. Just last December, the Wolfsberg Group issued its statement on effectiveness.[2] The opening paragraphs of that statement are instructive:

The Wolfsberg Group – Statement on Effectiveness

Making AML/CTF Programmes more effective

The Wolfsberg Group (the Group) is an association of thirteen global banks, founded in 2000, which aims to develop frameworks and guidance for the management of financial crime risk in general, with a more recent and strategic focus on enhancing the effectiveness of global Anti-Money Laundering/Counter Terrorist Financing (AML/CTF) programmes. The topic of effectiveness has also been more widely discussed across the AML/CTF community in recent years.

In 2013, the Financial Action Task Force (FATF) determined that jurisdictions simply having reasonable legal frameworks in place for financial crime prevention was no longer sufficient.  FATF stated that “each country must enforce these measures, and ensure that the operational, law enforcement and legal components of an AML/CFT system work together effectively to deliver results: the 11 immediate outcomes.”  As a result, FATF changed the way it conducted mutual evaluations of its member states, no longer focusing solely on technical compliance with its 40 Recommendations, but also evaluating the overall effectiveness of the AML/CTF regime based on evidence that the outcomes were being achieved.

Notwithstanding FATF’s approach, Financial Institutions (FIs) still tend to be examined by national supervisors almost exclusively on the basis of technical compliance rather than focussing on the practical element of whether AML/CTF programmes are really making a difference in the fight against financial crime.  The Group believes that, in practice, there is as yet insufficient consideration of whether an FI’s AML/CTF programme is effective in achieving the overall goals of the AML/CTF regime which go beyond technical compliance. As a result, FIs devote a significant amount of resources to practices designed to maximise technical compliance, while not necessarily optimising the detection or deterrence of illicit activity.  The Group believes that jurisdictions should adopt the FATF’s focus on effective outcomes and therefore, that an FI’s AML/CTF programme should have three key elements:

    1. Comply with AML/CTF laws and regulations
    2. Provide highly useful information to relevant government agencies in defined priority areas
    3. Establish a reasonable and risk-based set of controls to mitigate the risks of an FI being used to facilitate illicit activity

The Group believes that supervisors and/or relevant government agencies should assess the effectiveness of an FI’s AML/CTF programme based on the above criteria, recognising that no two FIs are the same and each FI’s risk mitigation strategy must be tailored to meet its risk appetite.

This certainly seems in line with Comptroller Otting’s statement that these new BSA Exam Manual updates will help “ensure banks have effective programs to safeguard the banking system against financial crime”.

So if these updates are, in fact, a significant step forward to improve how the OCC ensures banks have effective BSA/AML programs, how come the OCC – and the other federal and state examiners – seem to have lowered their examination standards from assessing whether banks have effective programs, to assessing whether banks have adequate programs?

First, since I’m making a stink about the difference between effective and adequate, I’ll pause and offer some definitions. I went to one source only: Merriam-Webster. Here’s what I found:

Effective – producing a decided, decisive, or desired effect: as in an effective policy.

Adequate – sufficient for a specific need or requirement; as in adequate time. Also, good enough, or of a quality that is acceptable but not better than acceptable: as in a machine that does an adequate job[3]

These seem in line with what we expect: effective is a higher standard than adequate. Being an effective leader is better than being an adequate leader. And having an effective program is better than having an adequate program.

The FFIEC BSA/AML Examination Manual

Let’s first take a look at the language from the existing Manual, or rather the parts of the Manual that were just changed. As explained in the “Introduction” section of the 2014 Manual (which is over 440 pages long, by the way):

“… the manual is structured to allow examiners to tailor the BSA/AML examination scope and procedures to the specific risk profile of the banking organization.  The manual consists of the following sections:

    • Introduction
    • Core Examination Overview and Procedures for Assessing the BSA/AML Compliance Program
    • Core Examination Overview and Procedures for Regulatory Requirements and Related Topics
    • Expanded Examination Overview and Procedures for Consolidated and Other Types of BSA/AML Compliance Program Structures
    • Expanded Examination Overview and Procedures for Products and Services
    • Expanded Examination Overview and Procedures for Persons and Entities
    • Appendixes

The core and expanded overview sections provide narrative guidance and background information on each topic; each overview is followed by examination procedures.  The “Core Examination Overview and Procedures for Assessing the BSA/AML Compliance Program” and the “Core Examination Overview and Procedures for Regulatory Requirements and Related Topics” (core) sections serve as a platform for the BSA/AML examination and, for the most part, address legal and regulatory requirements of the BSA/AML compliance program.  The “Scoping and Planning” and the “BSA/AML Risk Assessment” sections help the examiner develop an appropriate examination plan based on the risk profile of the bank.  There may be instances where a topic is covered in both the core and expanded sections (e.g., funds transfers and foreign correspondent banking).  In such instances, the core overview and examination procedures address the BSA requirements while the expanded overview and examination procedures address the AML risks of the specific activity.

At a minimum, examiners should use the following examination procedures included within the “Core Examination Overview and Procedures for Assessing the BSA/AML Compliance Program” section of this manual to ensure that the bank has an adequate BSA/AML compliance program commensurate with its risk profile:

    • Scoping and Planning (refer to page 11)
    • BSA/AML Risk Assessment (refer to page 18)
    • BSA/AML Compliance Program (refer to page 28)
    • Developing Conclusions and Finalizing the Examination (refer to page 40)”

It is these last four bulleted sections that form the basis for all exams of banks’ BSA programs. And it is these four bulleted sections that were updated on April 15, 2020. A side-by-side comparison of the 2014 BSA Exam Manual (partial) table of contents and the April 2020 updates (complete) shows clearly what the regulators have focused on:

The regulatory agencies didn’t touch the 2014 Manual’s Introduction section. What they focused on are the sections on the four “pillars” of a BSA/AML compliance program. Where the 2014 Manual goes through each of the four pillars in a total of five pages, and then includes examination procedures for the overall compliance program at the end, the new 2020 update takes a different approach: it breaks out each of the four pillars, and has objectives and examination procedures for each. It is a more detailed and comprehensive approach.

So the 2014 Introduction section remains in place. That section uses three different adjectives in describing bank’s programs:

  • Page 1: “An effective BSA/AML compliance program requires sound risk management …”
  • Page 2: “… ensure that the bank has an adequate BSA/AML compliance program commensurate with its risk profile”
  • Page 6: “The federal banking agencies work to ensure that the organizations they supervise understand the importance of having an effective BSA/AML compliance program in place.”
  • Page 7: “Banking organizations must develop, implement, and maintain effective AML programs that address the ever-changing strategies of money launderers and terrorists who attempt to gain access to the U.S. financial system.  A sound BSA/AML compliance program is critical in deterring and preventing [money laundering, terrorist financing, and other illicit financial transactions] at, or through, banks and other financial institutions.”

In the four “pillar” sections that were updated in 2020, the words “effective” or “effectiveness” appear four times in forty-three pages. Those words appeared seventeen times in the old 2014 version.

Let’s go through those sections, with a focus on the differences in the use of the words “effective” and “adequate”.

Scoping & Planning

The 2014 “Scoping and Planning” section begins on page 11 with “The BSA/AML examination is intended to assess the effectiveness of the bank’s BSA/AML compliance program and the bank’s compliance with the regulatory requirements pertaining to the BSA, including a review of risk management practices.”

The 2020 “Scoping and Planning” section begins on page 1 with: “Examiners assess whether the bank has developed and implemented adequate processes to identify, measure, monitor, and control those risks and comply with BSA regulatory requirements.”

So the regulators have shifted from effective to adequate.

The 2014 “Scoping and Planning” section then continues with a reference to risk assessment. At page 11: “risk assessment has been given its own section to emphasize its importance in the examination process and in the bank’s design of effective risk-based controls.”

The 2020 update provides, on page 4: “The BSA/AML Risk Assessment section provides information and procedures for examiners in determining whether the bank has developed a risk assessment process that adequately identifies the ML/TF and other illicit financial activity risks within its banking operations.”

So the regulators will determine whether the risk assessment adequately identifies risks: not whether it effectively identifies risks.

The 2014 edition does use the term “adequate in a few places. At page 12 is a reference to the Examination Plan: “At a minimum, examiners should conduct the examination procedures included in the following sections of this manual to ensure that the bank has an adequate BSA/AML compliance program commensurate with its risk profile.” And in a mixed message, under the heading “Transaction Testing” is: “Examiners perform transaction testing to evaluate the adequacy of the bank’s compliance with regulatory requirements, determine the effectiveness of its policies, procedures, and processes, and evaluate suspicious activity monitoring systems.”

There’s no mixed message in the 2020 update, though. Under the heading “Risk-Focused Testing” on page 6 is: “Examiners perform testing to assess the adequacy of the bank’s BSA/AML compliance program, relative to its risk profile, and the bank’s compliance with BSA regulatory requirements.” And at page 8 is the new objective for risk-focused BSA/AML supervision examination procedures: “Determine the examination activities necessary to assess the adequacy of the bank’s BSA/AML compliance program, relative to its risk profile, and the bank’s compliance with BSA regulatory requirements.”

So again, it’s fair to say (write) that the regulators have shifted from effective/effectiveness to adequate/adequacy.

Page 34 of the 2014 Manual sets out the objectives of the exam procedures: “Assess the adequacy of the bank’s BSA/AML compliance program. Determine whether the bank has developed, administered, and maintained an effective program for compliance with the BSA and all of its implementing regulations.”

Page 18 of the 2020 update sets out the objective when assessing the BSA/AML compliance program: “Assess whether the bank has designed, implemented, and maintains an adequate BSA/AML compliance program that complies with BSA regulatory requirements.” And at page 20: the objective of “assessing the BSA/AML compliance program examination procedures” is to “[d]etermine whether the bank has designed, implemented, and maintains an adequate BSA/AML compliance program that complies with BSA regulatory requirements.”

Internal Controls

There are some interesting differences in the main section on the system of internal controls – one of the four pillars of a BSA/AML compliance program.[4]

The 2014 Manual sets out the objectives for the overall BSA/AML compliance program: “Assess the adequacy of the bank’s BSA/AML compliance program.  Determine whether the bank has developed, administered, and maintained an effective program for compliance with the BSA and all of its implementing regulations.” (page 28). The 2014 Manual then goes through each of the four pillars, and does so in five pages, then includes examination procedures for the overall compliance program. The 2020 update takes a different approach: it breaks out each of the four pillars, and has objectives and examination procedures for each.

The 2020 update doesn’t use the terms effective or adequate in the Internal Controls section. Rather, it refers to “ongoing” compliance (“[t]he board of directors, acting through senior management, is ultimately responsible for ensuring that the bank maintains a system of internal controls to assure ongoing compliance with BSA regulatory requirements.”).

Independent Testing

As to independent testing, the 2020 update includes an Objective: “Assess the adequacy of the bank’s independent testing program” (page 24). The objective of the exam procedures is to “[d]etermine whether the bank has designed, implemented, and maintains an adequate BSA/AML independent testing program for compliance with BSA regulatory requirements”. There isn’t similar language or detail in the 2014 Manual.

BSA Compliance Officer

The changes to the BSA Compliance Officer pillar are extensive. The 2020 update includes an objective: to “[c]onfirm that the bank’s board of directors has designated a qualified individual or individuals (BSA compliance officer) responsible for coordinating and monitoring day-to-day compliance with BSA regulatory requirements. Assess whether the BSA compliance officer has the appropriate authority, independence, access to resources, and competence to effectively execute all duties.” (page 29). In this section is the following: ” The board of directors is responsible for ensuring that the BSA compliance officer has appropriate authority, independence, and access to resources to administer an adequate BSA/AML compliance program based on the bank’s ML/TF and other illicit financial activity risk profile.”

The objective of the exam procedures for this pillar is to “[c]onfirm that the bank’s board of directors has designated a qualified individual or individuals (BSA compliance officer) responsible for coordinating and monitoring day-to-day compliance with BSA regulatory requirements.  Determine whether the BSA compliance officer has the appropriate authority, independence, access to resources, and competence to effectively execute all duties”.

The 2014 Manual provides that “[t]he board of directors, acting through senior management, is ultimately responsible for ensuring that the bank maintains an effective BSA/AML internal control structure, including suspicious activity monitoring and reporting.” (page 29). And at page 32: “[t]he board of directors is responsible for ensuring that the BSA compliance officer has sufficient authority and resources (monetary, physical, and personnel) to administer an effective BSA/AML compliance program based on the bank’s risk profile.”

To summarize: the 2014 Manual provided that the board is responsible for ensuring the BSA Compliance Officer has sufficient authority and resources to administer an effective program. The 2020 updates provide that the board is now responsible for ensuring the BSA Compliance Officer has appropriate authority and resources to administer an adequate program. What has not changed, though, with the 2020 update is this: “the board of directors is ultimately responsible for the bank’s BSA/AML compliance.”

Training

The standards for BSA/AML training seem to have dropped, also. The 2014 Manual provided that “[t]he training program should reinforce the importance that the board and senior management place on the bank’s compliance with the BSA and ensure that all employees understand their role in maintaining an effective BSA/AML compliance program.” (page 33).

The 2020 update provides: “The training program may be used to reinforce the importance that the board of directors and senior management place on the bank’s compliance with the BSA and that all employees understand their role in maintaining an adequate BSA/AML compliance program.” (page 32).

Conclusion

The Wolfsberg Group’s December 2019 Statement on Effectiveness ended with this:

The Group believes that jurisdictions should adopt the FATF’s focus on effective outcomes and therefore, that an FI’s AML/CTF programme should have three key elements: (1) Comply with AML/CTF laws and regulations; (2) Provide highly useful information to relevant government agencies in defined priority areas; and (3) Establish a reasonable and risk-based set of controls to mitigate the risks of an FI being used to facilitate illicit activity

The Group believes that supervisors and/or relevant government agencies should assess the effectiveness of an FI’s AML/CTF programme based on the above criteria, recognising that no two FIs are the same and each FI’s risk mitigation strategy must be tailored to meet its risk appetite.

Starting in 2005 with the first FFIEC BSA/AML Examination Manual, and continuing to the last full publication in 2014, the purpose of a BSA/AML regulatory exam was to determine whether banks had an effective BSA/AML compliance program, and the directors of those banks, who were ultimately responsible for their bank’s BSA/AML compliance, were to ensure the BSA Compliance Officer had sufficient authority and resources to administer an effective program. The 2020 update appears to have lowered those bars: going forward, the purpose of a BSA/AML regulatory exam is to determine whether banks have an adequate BSA/AML compliance program, and the directors of those banks, who remain ultimately responsible for their bank’s BSA/AML compliance, are now to ensure the BSA Compliance Officer has appropriate authority and resources to administer an adequate program.

It will be interesting to see what, if any, differences this new adequate standard will bring as regulatory examiners across America will be walking into banks and credit unions and announcing, “hello, we’re here to determine whether you have an adequate program.” That is a very different greeting, and a very different exam, and possibly a very different result, than if that examiner walked in and announced, “hello, we’re here to determine whether you have an effective BSA/AML compliance program.”

Post Script

In an article I wrote in August 2019 titled  “Lessons Learned as a BSA Officer – 1998 to 2018” one of the nine lessons was that words and punctuation matter. I wrote that one should use adjectives and adverbs sparingly, if at all:

Most modifiers are unnecessary. Whether necessary or not, as a risk professional you should be aware of both your use of adjectives and adverbs, and when reading others’ use of adjectives and adverbs. When confronted with any modifier, ask yourself (i) why is that modifier being used? (ii) is it being used correctly? (iii) does it change the meaning of the sentence in a way that is unintended? (iv) is it being used consistently with other modifiers? And (v) could it limit or prevent us in the future?

In this case the state and federal banking agencies changed the adjective “effective” to “adequate” to describe the quality of the BSA/AML program they will expect to see and will examine to. I hope that this was unintended, or else five to ten years from now, after a long-held standard of effectiveness is replaced by one of mere adequacy, we could be limited in our ability to fight financial crime.

Endnotes

[1] https://www.occ.gov/news-issuances/news-releases/2020/nr-occ-2020-55.html

[2] https://www.wolfsberg-principles.com/sites/default/files/wb/pdfs/Effectiveness%201%20pager%20Wolfsberg%20Group%202019%20FINAL_Publication.pdf

[3] https://www.merriam-webster.com/

[4] The 2014 FFIEC Exam Manual “was a collaborative effort of the federal and state banking agencies” and FinCEN (2014 Manual, page 1). The Interagency Statement accompanying the 2020 update provided “The Board of Governors of the Federal Reserve System, Federal Deposit Insurance Corporation, National Credit Union Administration, Office of the Comptroller of the Currency, and State Liaison Committee (Agencies) revised the sections in close collaboration with Treasury’s Financial Crimes Enforcement Network.” And FinCEN hasn’t (yet) issued a press release or otherwise publicly acknowledged the 2020 updates. Regardless, the agencies’ Title 12 BSA/AML compliance program includes four pillars, and FinCEN’s Title 31 BSA/AML compliance program includes five pillars.