The government is warning banks to beef up compliance programs to defend against money laundering and related offenses. The push comes as proposed regulations trigger a shift from a flexible, risk-based approach to customer due diligence to a more prescriptive one that comes with hard-and-fast rules and thresholds.
Earlier this month, the Treasury Department’s Financial Crimes Enforcement Network released a six-page compliance advisory to financial institutions. The guidance urged banks and other financial firms to ensure that leadership supports and understands compliance efforts and that programs to manage AML risks are not compromised by revenue interests. The guidance stressed creating a “culture of compliance,” where relevant information from the various departments within the firm is shared with compliance staff and banks devote adequate resources to their compliance function.
The advisory “does not say anything that you have not heard before,” FinCEN Director Jennifer Shasky Calvery said during a recent speech before AML professionals in Washington, D.C. “But formalizing government expectations for culture and compliance should be viewed as another tool to influence an organization’s leadership and make it easier for them to live and breathe AML the same way that you do.”
The Treasury isn’t the only regulator asking banks to revisit AML compliance programs. Thomas Baxter, general counsel for the Federal Reserve Bank of New York, also stressed the importance of culture and compliance for financial institutions during a recent speech. “In a world where the consequences of rule breaking can lead to fines in the multiple of billions of dollars, lawyers and compliance officers can accurately claim that, in guarding the corporation’s integrity, they are enhancing shareholder value,” he said.
“The AML compliance environment is going to be framed in terms of culture more than it has ever been,” Bob Axelrod, a director in Deloitte’s anti-money laundering consulting practice, says.
Banks also need to ensure that they have the right people in place to deliver the message. “Having a compliance officer who is experienced and knows how to build an AML program can keep up with the regulatory requirements and changes that are happening in this environment on a day-to-day basis,” Sareena Sawhney, a director at professional services firm Marks Paneth, says. Institutionalizing the compliance message underscores the necessity to “develop a robust training program that will touch on every department at every staff level all the way up to senior management, the board of directors, and the audit committee,” she says.
Identifying Beneficial Owners
FinCEN’s message, that not just the largest banks need to take compliance more seriously, may take on a greater urgency in light of proposed rulemaking that preceded the advisory. On July 30, it issued a Notice of Proposed Rulemaking to amend existing Bank Secrecy Act regulations and crack down on anonymous shell companies. The proposed rule would clarify and strengthen the customer due diligence obligations of banks and other financial institutions—including brokers and dealers in securities, mutual funds, futures commission merchants, and introducing brokers in commodities. It adds a new requirement that these entities know and verify the true identities of who owns, controls, and profits from the companies they service.
The proposal clarifies that customer due diligence includes core elements: identifying and verifying the identity of customers; understanding the nature and purpose of customer relationships; and conducting ongoing monitoring to maintain and update customer information and to identify and report suspicious transactions. The rulemaking would also impose new requirements that financial institutions collect beneficial ownership information in a standardized format and that they identify and verify any individual who owns 25 percent or more of an entity they do business with. The proposal is currently in the midst of a 60-day public comment process.
The increased scrutiny on customer due diligence will “create the foundation for a company with the right culture to make good decisions,” Axelrod says. “If you are the board of directors for a broker-dealer and, with this enhanced level of due diligence, you discover that you do business with shell companies whose beneficial owners are all from a high-risk country, you may ask whether you want to do business with these guys. Do you want to change the types of products you offer them?”
The rule signals a shift from the traditional risk-based focus of AML efforts—letting institutions scale due diligence based on internal risk profiles—to more prescriptive rules and thresholds by setting a fixed threshold for vetting beneficial owners. Many banks, especially large ones, already have similar internal policies, Axelrod says. Some, based on risk assessments, go as far as to identify 5-10 percent owners. The proposed rule, however, standardizes an ownership level and will force smaller financial institutions to step up their game.
“As institutions, particularly larger ones, get better at doing things, the regulators have a better understanding of what can be done, sharpen their requirements, and bring them down to smaller institutions, in part because as they push really hard on larger institutions some of the risk gets pushed out and goes to the smaller ones,” Axelrod says.
“There is a continuing emphasis on institutions having real data and a real basis for knowing what their customers are doing,” he adds. “These institutions are putting forth a lot of effort and having some success, but probably not the success regulators are hoping for. There is a growing sense that simply setting a large agenda for the fines and other tools regulators and the prosecutors have may not be enough to get the kind of change they want.”
A COMPLIANCE COMMITMENT
The following is from an anti-money laundering compliance advisory issued recently by the Treasury Department’s Financial Crimes Enforcement Network.
A required element of any BSA/AML compliance program is the designation of an individual responsible for coordinating and monitoring day-to-day compliance with the BSA. The individual should be knowledgeable of the BSA and have sufficient authority to administer the program. For the program to be effective, the institution should devote appropriate support staff to its BSA/AML compliance program based on its risk profile.
The failure of an institution’s leaders to devote sufficient staff to the BSA/AML compliance function may lead to other failures. For example, depository institutions, as well as other types of financial institutions, generally have staff that review alerts generated by transaction monitoring systems. Devoting insufficient staff or other resources to this function may result in alerts not being reasonably designed to capture appropriate risks or being dismissed improperly, or create a backlog of alerts that may result in the untimely reporting of suspicious activity.
Appropriate technological resources should also be allocated to BSA/AML compliance. Institutions with higher risk profiles, including those with substantially higher volumes of activity, may need to utilize automated systems for identifying and monitoring suspicious activity.
Appropriate involvement of a financial institution’s leadership should be, at a minimum, commensurate with the institution’s level of BSA/AML risk exposure. Appropriate leadership involvement allows the BSA/AML function to implement an effective compliance program. Components of an effective BSA/AML compliance program additionally include a proper ongoing risk assessment, sound risk-based customer due diligence, appropriate detection and reporting of suspicious activity and independent program testing.
While recognizing that all the components of an effective compliance program are important, FinCEN stresses the independence that the testing of a compliance program should have.
A financial institution’s leadership should ensure that the party testing the program (whether internal or external) is independent, qualified, unbiased and does not have conflicting business interests that may influence the outcome of the compliance program test. Safeguarding the integrity and independence of the compliance program testing enables an institution to locate and take appropriate corrective actions to address BSA/AML deficiencies.
Source: The Treasury Dept.
The new rules will likely lead to even more enforcement of AML violations and larger fines. “The gathering of customer information was always something that was implicit in the rules and regulations,” Axelrod says. “Now, regulators are asking it as part of the rules, which means you are much more likely to see regulatory enforcement in regard to missing customer information than you would have found before.”
Under the proposed rule, a pre-existing customer with a shell company does not have to have its beneficial ownership determined. But, once the company opens another account—for payroll, cash management, or to take out a loan, for example—the due diligence requirement is triggered. “Over the course of several years, many banks are going to find that their existing clientele have to be vetted,” Axelrod says.
If a company refuses to comply with requests to provide ownership data, FinCEN says it will step in to offer guidance. “What it probably means is that FinCEN may push these companies to make disclosures or be pushed out of the banking system,” Axelrod says. “But there has been ambivalence in the government about pushing even risky customers out of the banking system entirely. So, it remains to be seen how that will be worked out. But there will be a very strong incentive not to bank these customers or to provide some extraordinary reasons why you do.”
FinCEN’s compliance advisory and proposed rule may apply to the financial industry, but other types of businesses would be wise to follow these developments, Sawhney says, adding that “money laundering doesn’t have to just take place in banks.” Businesses that need to have money-laundering monitoring and compliance programs in place include casinos and dealers in “hard goods” such as jewelry, automobiles, boats, and airplanes. Insurance companies also need to be on guard, as some bad actors overfund policies, or cancel new ones during a “free-look” period, gladly paying any penalty imposed in order to clean their cash.
“Anti-money laundering compliance is difficult, but with enforcement on the increase, at-risk businesses cannot afford anything less than strict compliance,” Sawhney says. “Any cash-intensive business needs to understand its compliance responsibilities and hold itself to the highest standards.”