BSA Success = “Culture of Compliance”

Introduction

On March 3, 2015, the New York Regional Director for the FDIC, John Conneely, conducted a regulatory teleconference along with Special Activities Case Managers Kristi Keating and Rebecca Williams, which focused on BSA hot topics, trends and tips to maintain Bank Secrecy Act/Anti-Money Laundering (BSA/AML) compliance. This article is intended to educate board members, management and BSA Officers on the six principles of promoting a culture of compliance. To read the complete transcript of the call, click here.

Creating a culture of compliance

Creating a culture of compliance benefits the overall financial institution (FI) as a way of mitigating the FI’s BSA/AML risk; however, achieving that culture can be challenging. Many of Keating’s comments referenced a FinCEN advisory released in August 2014, which outlined six principles to “strengthen its BSA/AML compliance culture” because “regardless of its size and business model, a financial institution with a poor culture of compliance is likely to have shortcomings in its BSA/AML program.” (FinCEN, 2014) Here are the six ways FinCEN suggests that you can create a culture of compliance:

  1. Leadership must understand their bank’s BSA/AML risks and how to mitigate those risks through the BSA/AML program, and must receive periodic training to understand the requirements of BSA/AML regulations. It is imperative that leadership is supportive of the BSA/AML staff and their plans. If leadership does not value the importance of BSA/AML compliance, support the BSA/AML budget or allocate the proper staff, there are sure to be shortcomings.
  2. Revenue interests should not limit the authority or autonomy of BSA/AML staff to maintain compliance. It would be irresponsible of a bank to allow revenue interests to jeopardize efforts to “effectively manage and mitigate BSA deficiencies and risks” (Conneely et al, 2015). Further, “it is always better for management to allocate sufficient attention and resources to the BSA/AML program up front rather than face the much higher cost of remediation and possible penalties later” (Conneely et al, 2015).
  3. Create a process of sharing information from one department to another within the FI. If one department of the organization holds information that could have helped prevent an event, the failure to share it is a failure of the institution’s internal communication. “It is important for all business lines to share information with the BSA department.” (Conneely et al, 2015).
  4. Success of the BSA/AML program relies heavily on hiring and/or training the proper BSA/AML staff and providing them the proper technological tools to manage BSA/AML risk. The latter will depend on your risk appetite and transaction volume, but the appropriate staff is imperative to success. And remember, it’s not just about the BSA Officer; depending on your size, the right support staff is also important.
  5. Ensure your BSA/AML program is the right one for your FI. Your BSA/AML program should be reviewed by an independent third party to ensure that the program your staff is following is correct for your risk appetite and working as it is intended. Dare I go out on a limb to include that the program along with the model (technology or spreadsheet), including the data, should be put to the test. “Leadership should ensure that the party testing the program (whether internal or external) is independent, qualified, unbiased and does not have conflicting business interests that may influence the outcome of the compliance program test.” (FinCEN, 2014). The FFIEC Examination Manual emphasizes that “the person performing the independent testing must not be involved in any part of the bank’s BSA/AML compliance program (for example, developing policies and procedures or conducting training).” (FFIEC, 2014). A couple of examples might be that your audit department (internal or external) can’t perform the test because they audit your department annually and, even more so, they may lack the technological experience in dealing with the software; or someone from IT might have the technological experience with the software, but lack the compliance regulation understanding. The beauty of this particular principle is that while it is looking for what may be wrong, it’s really putting your program to the test and allows you to remediate any issues before a visit by your regulator.
  6. Similar to the first principle, it’s important that leadership fully understand the function of reports such as SARs and CTRs and how they are used by law enforcement. These reports provide the basis of new investigations, additional information for existing investigations, and a means of following trends. They can be used to investigate such activity as a terrorist organization, drug trafficking, fraud schemes, insider threats, and cyber-related threats. By bringing any suspicious activity to light, it can also protect your own FI by establishing trends about your customers.

Industry examples of culture of compliance principles

The short answer for what seems to be the growing pressure on BSA/AML compliance is that times have changed, but in some cases the policies, procedures and/or programs have not. With each year, we see new FI products or services, new technology, new regulations to manage the BSA/AML risk and new criminals. Here are just a few of the reasons for the increasing attention on BSA/AML.

  1. The FI’s growth and risk profile have changed but its program and model haven’t. With the FI’s needs changing, the question is whether the program and model match the new reality. If not, you could be missing important information, and that could lead to a violation or worse. This relates to the fifth principle.
  2. The FI’s leadership does not understand or is not supportive of the BSA/AML requirements, which relates to the first principle.
  3. The FIs are challenged with establishing a qualified BSA/AML department because they are not matching competitive compensation or they lack the experience necessary. Further, they are lacking the on-going training required largely due to an under-staffed department. A larger well-trained department is the investment in BSA/AML compliance for the FI. This relates to the fourth principle.
  4. Some FIs are relying too much on third party consultants. As with many things that can be said, there is a time and a place for everything; in this instance it is no different. Working with experienced consultants specialized in BSA/AML is important and should be utilized when necessary. “It is up to each bank to ensure that the expertise and quality of the third party consultants is appropriate for the risk profile of their bank.” (Conneely et al, 2015).
  5. Some FIs lack adequate customer due diligence (CDD) and enhanced due diligence (EDD) processes and procedures. This deficiency could stem from a lack of experienced personnel or from under-staffed departments short-cutting the process.
  6. Some FIs are not reporting suspicious activity, whether intentionally or not, because they lack the aforementioned CDD/EDD processes and procedures, the monitoring system is insufficient, the staff lack experience, training or numbers, or revenue interests get in the way. This can be associated with a number of the six principles previously mentioned.
  7. Some FIs narrow their transaction monitoring focus too far, including only cash transactions, but BSA/AML monitoring should include transactions of all types. As banking continues to evolve, FIs must create policies and procedures for, and monitor, electronic banking transactions, virtual currencies, etc.
  8. Some FIs lack the experience, understanding or training on their transaction monitoring system needed to fine-tune their alerts and eliminate false positives. The number of false positives can directly affect the ability of the BSA/AML staff to effectively review each one and address them appropriately, resulting in an overworked department.
  9. Lastly, and while this closely relates to the fifth principle, some FIs are utilizing third party vendors that are under-qualified or have inadequate experience with BSA/AML compliance for their institution. “Management should also ensure that appropriate transaction testing is conducted and documented” (Conneely et al, 2015). The appropriate amount of transaction testing will vary at each institution based on your transaction volume, but as previously stated, it is important to test the entire model, including the data.

Conclusion

In summary, the success of a BSA/AML program relies on a number of factors, mostly relating to people, procedures, and technology. The board, management and BSA officer at minimum need to have an equal understanding of the BSA/AML requirements, the program to maintain compliance and the budget to achieve compliance. The BSA/AML staff need to have adequate experience and access to necessary training in order for them to adequately fulfill their duties. More so, the staff needs access to the tools necessary to monitor BSA/AML compliance, and should that be a software system, that it be tested and validated independently annually.

A culture of compliance simply means sharing information and awareness throughout all levels of the organization, support from the top down and communication. From these principles, we believe that it would be in an FI’s best interest to institute an on-going compliance monitoring program that can help them report on the status of their program, what’s working and what isn’t, their staff’s efficiencies or lack thereof, and make changes as necessary. You can read more about a compliance monitoring program here. Further, we believe that working with a specialized BSA/AML company would provide any additional expertise an FI would lack when appropriate. The success of BSA compliance rests on a culture of compliance, and while it is encouraged by leadership, it is maintained with experience and expertise by the BSA/AML staff.

 

References

Advisory to U.S. Financial Institutions on Promoting a Culture of Compliance. (2014, August 11). Retrieved May 20, 2015, from: http://www.fincen.gov/statutes_regs/guidance/pdf/FIN-2014-A007.pdf

Bank Secrecy Act/Anti-Money Laundering Examination Manual. (2014, December 2). Retrieved May 20, 2015, from: https://www.ffiec.gov/bsa_aml_infobase/documents/BSA_AML_Man_2014.pdf

Conneely, J., Keating, K., & Williams, R. (2015, March 3). FDIC New York Regulatory Teleconference: BSA Today – Regulatory Tips, Trends, and Hot Topics. Transcript received from: https://www.fdic.gov/news/conferences/NY/2015-03-03-transcript.pdf.

If you would like to know more about ARC Risk and Compliance, and our Independent Verification and Validation (IVV) or tuning and false positive remediation services, please contact us.
