Ready, Set, Go: Responding to Enforcement Actions

Sometimes the best way to finish a race on time is to start early. Anti-money laundering (AML) enforcement actions frequently include challenging timelines for assessing weaknesses, planning their remediation and implementing new systems and protocols. For example, major enforcement actions have asked that the institution carry out items like these, with these sorts of timeframes:

  1. Conduct a review of the current AML program within 60 days and produce a report about what you find.
  2. Revise your current program so that it at least meets each of the following 15 criteria (including know your customer, training, governance, etc.) as well as the findings of the report you just created within 30 days thereafter.
  3. Submit to the regulator an action plan outlining the milestones and dates for the proposed remediation.
  4. Change the action plan according to the requirements of the regulator that reviewed it, if the regulator asks for any changes.
  5. Implement the proposed changes within 10 days of the time that the regulator indicates approval of the plan (or the plan as amended).

This is not only a great deal of work (welcome to the world of enforcement actions), but a great deal of work in a timeframe that could seem unrealistic at first blush.  Financial institutions addressing such actions may pose the following questions:

  1. Can a meaningful review of a program be accomplished in 60 days, and can a well-thought-out revision of the program be accomplished 30 days later?
  2. What if the regulator does not respond to the action plan?  How long should we wait for approval? What if the regulator does not approve this for a year, should we wait?
  3. How could we implement big changes to a program in 10 days?

Start Six Months or More Before the Enforcement Action is Issued

These questions become much easier to answer if we consider the starting time for responding to an enforcement action.  It should not be the day that the enforcement action is issued.  Enforcement actions should not be at all surprising to the target financial institution by the time they are issued.  The text of the action has generally been discussed with the institution, drafts exchanged, sometimes even negotiated, before the action itself is issued.  The cause of the action (not always explicitly cited in the action itself) is usually a series of findings or the results of collateral governmental investigations that the institution has been aware of for some time, often for more than a year.  Here is the key point: The content of an enforcement action is highly predictable, especially if you know which regulator you are dealing with and why the action is coming. An institution in this setting should be involved in ongoing and detailed communication with its regulator and gain an understanding of the likely arc of the enforcement action composition. Consequently, it is not necessary to wait for the enforcement action to be published to start working on the tasks that the action brings about.

It is true that you cannot exactly respond to something that is not even written or final, but once the institution knows the gist of the concern motivating the action, the institution can reasonably well predict the kinds of things the action will require. In addition, each regulator has generally followed a fairly consistent structure for its AML enforcement actions, and that structure can be observed from prior actions. Regardless of the origin of the enforcement action, there is a high likelihood that the AML program, including the collection of customer information, monitoring of accounts against expected activity, resourcing, training, independent testing, quality assurance, suspicious activity monitoring escalation and model validation and a handful of other areas are going to be covered. So, setting in motion a review of the overall program (giving emphasis to the area where the criticism is motivating the action, as well as the very commonly included areas) stands a good chance of anticipating what will be needed later.  Enforcement actions sometimes ask the institution to employ a consultant for that purpose, and sometimes an independent consultant, and that can also be anticipated. 

Starting Early Overlaps with Good Practice

Can the action timeframes themselves actually be met starting at the date of the actual issuance?  They can, but sometimes only with what may be greater than necessary disruption and greater than necessary costs. Should the institution wait for the appearance of the actual enforcement action text to be instructed in writing as to what to do? This is a judgment call, but since the actions largely revolve around things that regulations, guidance and industry practice would counsel anyway, waiting for the “official” text, even if permissible, hardly seems required.  Indeed, given the nature of the things ordered, we can fairly infer that a financial institution is expected to be doing these things anyway (like having a robust way to risk rate its customers), so moving forward ahead of the issuance of the action is unlikely to generate regulatory criticism.  In fact, what may seem to be a set of unreasonable timeframes in an enforcement action may reflect a different perspective from regulators. A firm that got started working on the enforcement action six months before the action was issued would not have nearly as much trouble meeting the deadlines imposed.

Do Not Wait for Official Approval Unless There is Something Special

The last topic—do you wait for the official approval to begin implementation—is a little more difficult to answer.  Of course, you must obey the order, and the approval of the regulator may be defined in the action as a key milestone by which timeliness will be judged.  On the other hand, it is hard to construe an enforcement action to require something so difficult—to implement a complex program overhaul at the flip of a switch and having everything change within the 10 or 30 or even 90 days that these orders nominally provide.  Similarly, a long delay in regulatory approval is not necessarily a good occasion for the institution to delay implementation.  Even though the order may not literally require implementation until a formal approval from the regulator, it is prudent to make implementation effective and prompt rather than to use any delay in approval as an occasion to do nothing.  There is no mystery here as to general intent—to improve the institution’s AML program in an effective and prompt manner. Therefore, a result that allows indefinite delay against an approval, even if literally permissible, is problematic to indulge.

If we make the reasonable assumption that we largely know what the regulator expects, most of the time the implementation of the plan should not be something that—if the regulator has a comment—we should expect will require the implementation to be substantially redone. There are some things—special circumstances—such as the selection of one transaction monitoring vendor system over another or the choice of a novel fuzzy logic process, where an institution ought not to move forward blindly. However, even for these matters, the ongoing communications process with the regulator will ordinarily mitigate the risk of “starting over.”  Otherwise, bear in mind that AML programs change all the time, and if there are new conditions, they can be addressed as they are given. Most importantly, if there is a new condition and all the other changes are already finished or in process, satisfying the new condition quickly at that point is much easier.

In the same vein, the fact that implementation takes a while to roll out is generally understood.  So long as the milestones and processes are explicit and discussed throughout the action history, so that the regulators are not surprised, the implementation path can and should be realistic, if brisk. No one, and this includes the regulators, wants an implementation so hurried that it is ineffective or chaotic.


Listen for the starting gun. It is fired long before the enforcement action is written. Start running when you hear it. Communicate to the regulator well, both to understand what will be required, and to indicate what you are doing. This is never an easy process, but it can be better or worse depending on how quickly and how well you mobilize the right resources.

Robert M. Axelrod, managing director, Deloitte Transactions and Business Analytics LLP, Parsippany, NJ, USA,

This publication contains general information only and Deloitte is not, by means of this publication, rendering accounting, business, financial, investment, legal, tax, or other professional advice or services. This publication is not a substitute for such professional advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified professional advisor. Deloitte shall not be responsible for any loss sustained by any person who relies on this publication.

Leave a Reply