The following article is based on a review of the testimony of U.S. Comptroller of the Currency, Thomas J. Curry, before the Committee on Banking, Housing, and Urban Affairs of the U.S. Senate on March 7, 2013. The testimony provides insight into the supervisory approach and the enforcement practices the bank examiners of the Office of the Comptroller of the Currency (OCC) will use in their ongoing efforts to supervise National Banks and Federal Saving Associations (banks) in regards to Bank Secrecy Act (BSA) and anti-money laundering (AML) compliance.
Comptroller Curry stresses that examiners will provide rigorous supervision procedures and will apply strong enforcement actions, but will work with bankers, listen to industry concerns, and continually work to make improvements to the BSA/AML supervisory process.
Observations and background information
Comptroller Curry began his testimony by presenting BSA/AML background information. He made several observations and acknowledged several issues affecting BSA/AML compliance. These included:
- The OCC's goals are to deter money laundering, terrorist financing, and other criminal activity through the misuse of the nation's financial institutions.
- The OCC is committed to ensuring that financial institutions under its supervision have effective controls in place to safeguard them from being used to launder money, fund terrorism, and facilitate criminal activity.
- Banks have been required to report suspicious activity since the 1970s and have been required to have a BSA/AML compliance program since 1987.
- Since the 1970s and 1980s, regulatory requirements and supervisory expectations for BSA/AML compliance have increased, requiring most banks to substantially improve their BSA/AML programs.
- The majority of the 5.6 million SARs in the FinCEN database have been filed by banks supervised by the OCC.
- BSA/AML compliance is difficult, as banks have to review large volumes of transactions to identify suspicious activity.
- The sophistication and determination of money launders, terrorists, and criminals has increased significantly in the past several years.
- The technology, products, and services that banks provide to its customers can and are used by criminals to instantly and anonymously move money throughout the world.
- Money laundering schemes are becoming more complex and more international.
- Banks have had to devote larger amounts of resources to maintain effective BSA/AML programs.
- Regulators have had to significantly increase their supervisory activity for BSA/AML.
Trends and concerns
Comptroller Curry stated that many of the BSA/AML compliance problems banks have had in the past are due to weaknesses in four major areas:
- The organization's culture of compliance.
- The commitment of sufficient and expert resources.
- The strength of information technology and the account monitoring process.
- Risk management practices.
He went on to state that the issues with these four areas have led to weaknesses with basic BSA/AML principles and he pointed out a number of concerns with BSA/AML programs. The weaknesses are in the following areas:
Management — Recent supervisory concerns have shown that some banks have a weak corporate governance philosophy that results in a poor "culture of compliance." Management does not stress the importance of BSA/AML compliance, there is a lack of independence of the compliance function, revenue and growth overshadow proper risk management, and there is a lack of accountability for the BSA/AML function. In short, management does not instill the idea that BSA/AML compliance is important and that they will ensure that BSA/AML laws and regulations will be complied with.
Resources — Numerous BSA/AML weaknesses have been shown to be a direct result of a lack of sufficient and trained staff, a high employee turnover rate, and overall cutbacks in compliance departments.
BSA/AML examinations have also found that due to the financial crisis, several banks have cut the BSA/AML staff and not increased staff even as the bank has grown or developed new products and services.
Services and Products — Banks have increased their use of higher risk services and products without developing appropriate risk management strategies. These services and products include: foreign corresponding banking, cross border funds transfers, bulk cash repatriation, remote deposit capture and embassy banking.
Risks to smaller banks — Some large to midsize banks have taken steps to lower their risk exposure by reducing their level of more risky products, services and higher risk customers. Smaller banks, which sometimes don't have the staff or expertise to appropriately manage the risk from these products and customers, have accepted these products without developing the appropriate risk management systems.
Banks have developed and introduced new services and products without fully understanding the BSA/AML risks
Technology and Electronic Payment Activities — Banks have developed and introduced new services and products without fully understanding the BSA/AML risks. These include: prepaid cards, mobile phone banking, smart cards, mobile wallets, and cloud banking. Bank management needs to ensure that BSA/AML risks associated with these activities are clearly understood, and that bank employees are trained in the compliance issues related to these types of activities.
Third-Party Relationships — Numerous enforcement actions mentioned third-party relationships. Bank management needs to ensure that policies, practices, and processes are developed and in place to mitigate the BSA/AML risks associated with these types of relationships.
Supervisory Policies and Practices
The Money Laundering Control Act of 1986 requires bank regulators to:
- Prescribe regulations to require banks to establish procedures to assure and monitor compliance with BSA/AML.
- Review the bank's BSA/AML procedures at every examination.
- Report problems to the bank.
- Issue an enforcement action if the bank fails to establish BSA/AML procedures or fails to correct a problem previously noted.
In January 1987, the OCC developed regulations to implement the requirement of the Money Laundering Control Act of 1986. The 12 C.F.R. 21.21, requires a bank to have a written BSA/AML program that must contain:
- A system of BSA/AML internal controls.
- A system of BSA/AML independent testing.
- A designated person responsible for monitoring BSA/AML compliance.
- A program for training related to BSA/AML.
The subsequent USA PATRIOT Act passed in 2001 also requires that every bank adopt a customer identification program as part of the BSA/AML program.
In 2005, the Federal Financial Institutions Examination Council (FFIEC) developed and implemented the Interagency BSA/AML Examination Manual. This manual standardized examination procedures for all banking regulatory agencies and provided for consistency in the examination process for the different types of financial institutions. The manual has been revised three times since the initial publication so that it remains current.
The OCC supervises and monitors a bank's compliance with BSA/AML by following the examination procedures in the manual during an examination. The procedures are risk-based and focus on the high-risk areas of a bank. However, every examination includes:
- Reviewing a bank's risk assessment.
- Reviewing a bank's program to ensure it includes:
- Internal controls
- Independent testing
- BSA/AML officer abilities and independence
- Reviewing the effectiveness of the bank's Office of Foreign Assets Control compliance program.
To prepare for an examination, examiners analyze BSA/AML data to include CTRs and SARs, in order to scope and plan upcoming examinations. An examination can always be expanded to include areas with higher BSA/AML risks. Another tool the examiners use is the Money Laundering Risk System, an analytical tool that analyzes high-risk banks and high-risk activities.
The OCC provides BSA/AML training for its examiners, organizes BSA conferences on a regular basis, and works with the FFIEC, other regulators, and the law enforcement community to develop external seminars, conferences, and teleconferences for the financial community. These seminars and conferences are designed to address emerging money laundering and terrorist financing issues, and to provide a forum for the discussion of the latest trends in money laundering, criminal typologies, cybercrime, fraud, terrorist financing, and other criminal schemes.
The OCC works with other regulators, the FFIEC, and the U.S. Treasury to coordinate BSA/AML efforts and to address BSA/AML issues through working groups and various task forces. These include:
- The Task Force on the U.S. AML Framework, a Treasury led group that reviews BSA/AML legislation and ensures that it is up-to-date and still relevant.
- The Bank Secrecy Act Advisory Group, a FinCEN chaired group that coordinates and discusses AML issues among the regulators and law enforcement.
- The BSAAG Delta Group, a newly formed group chaired by FinCEN and a financial industry representative. The group consists of regulators, industry members, and law enforcement with the goal of reducing the variance between compliance risk and illicit financing risks while promoting a smarter and cost effective regulatory framework.
- The FFIEC BSA Working Group, a group consisting of representatives from all regulatory agencies designed to coordinate BSA/AML examination consistency and address emerging BSA/AML issues.
- The National Interagency Bank Fraud Working Group, a Department of Justice chaired group composed of members of law enforcement and regulators designed to address bank fraud.
In addition to working with these groups, the OCC participates with the U.S. Treasury's Office of Terrorism and Financial Intelligence, FinCEN, and the Office of Foreign Assets Control, in efforts to address BSA/AML issues at the international level. The OCC hosts BSA/AML schools for foreign regulators and has participated in efforts in foreign countries to address their BSA/AML issues. The OCC also assists the U. S. delegation to FATF with specific BSA/AML concerns.
Supervision and enforcement
Comptroller Curry then discussed the OCC's supervision and enforcement process. The OCC has two broad enforcement actions that can be applied to banks that have weak or non-compliant BSA/AML programs; informal actions and formal actions.
An informal enforcement action is used when the BSA/AML problems are limited in scope and bank management commits to and is capable of correcting the problems. These actions are generally not public and include commitment letters, memoranda of understanding, and matters requiring board attention.
A formal enforcement action is more severe, authorized by BSA/AML laws, and is disclosed to the public. These consist of Cease & Desist (C&D) orders, formal written agreements, and civil money penalties. Formal agreements and C&D orders require the bank to take specific actions to correct deficiencies with the BSA/AML program. Civil money penalties are fines that can be levied against a bank, its officers or directors, and other individuals associated with the bank for non-compliance with BSA/AML laws and regulations.
Examiners will be fair, they will listen to and discuss issues with bankers, and they will follow the stated mission of the OCC
Although the severity of an enforcement action is generally left to the discretion of the supervisory office, there are certain instances where a BSA/AML violation is required to be raised to the level of a formal enforcement action, typically a C&D order. The Interagency Statement of Enforcement of BSA/AML Requirements, 2007 (Interagency Statement), states that a C&D order will be issued when a bank has a compliance program violation or when a bank has failed to correct a previously identified problem in the BSA/AML program. Compliance program violations include:
- A bank fails to adopt or implement a written BSA/AML compliance program that adequately covers the required four program elements: internal controls. independent testing, training, and the designation of a BSA/AML officer.
- A bank has defects in its BSA/AML program in one or more program elements indicating that the program or its implementation is not effective.
Indicators of a non-effective program can consist of:
- A weak customer due diligence program.
- Ineffective suspicious activity identification, monitoring, and reporting process.
- A poor risk assessment process.
- A weak internal controls process for high-risk areas.
Comptroller Curry acknowledged that in the case where a bank has failed to correct a previously identified problem, regulators realize that corrective action can take a considerable period of time. Therefore the Interagency Statement and the regulators do not require that an automatic C&D be issued if at the next subsequent examination the bank has shown "acceptable substantial progress" in correcting the problem.
In regards to bank supervision, the OCC has a process in place to ensure that enforcement actions are measured, fair, and consistent. The process can include the following stages:
- During the onsite examination, there is a preliminary discussion between the examiners and bank management regarding the examination findings.
- The findings are discussed with the BSA/AML compliance specialist at the district supervisory office.
- The findings are discussed with the assistant deputy comptroller of the local supervisory office.
- The findings are discussed with the District Supervision Review Committee.
- The findings are discussed the Washington Supervision Review Committee.
Improvements to the supervision process
Comptroller Curry closed his testimony by discussing the OCC's planned improvements to the BSA/AML supervision process. He stated that the OCC is committed to a fair but thorough and detailed supervisory approach to BSA/AML compliance, and to a continuous and ongoing evaluation of the BSA/AML supervision process. Enhancements to the process include:
- Senior level review of high profile and complex BSA/AML enforcement actions.
- Including the BSA/AML findings as a component in the management rating in the CAMELS rating.
- Improving the review process to provide different perspectives and a faster response to problems.
- Providing for more flexibility for citing violations.
- Adopting a more overall view of a bank's BSA/AML compliance.
Comptroller Curry and the examination staff of the OCC recognize the importance of effective BSA/AML compliance programs at U. S. financial institutions, and the role the OCC plays in ensuring that these institutions are not used to facilitate money laundering, terrorist financing, and other criminal activity. Examiners will be fair, they will listen to and discuss issues with bankers, and they will follow the stated mission of the OCC. This mission since 1863 has been in part to "regulate and supervise banks to ensure that they operate in a safe and sound manner."
Thomas E. Nollner, director, Alvarez & Marsal Financial Industry Advisory Services, Houston, TX, USA, firstname.lastname@example.org