The U.S. Federal Reserve and the New York Department of Financial Services in an enforcement action this week ordered the Bank of Nova Scotia and its New York agency to significantly improve their anti-money laundering operations.
According to the agreement, the bank and the branch have 60 days to jointly submit a written progress report “detailing the form and manner of all actions taken” to secure compliance with the provisions of the agreement, addressing corporate governance, Bank Secrecy Act and anti-money laundering compliance, customer due diligence, suspicious activity reporting and monitoring, and OFAC compliance.
The details of that agreement are discussed below.
At a minimum, the governance program must “address, consider, and include” the following elements:
Actions the board of directors will take to maintain effective control over, and oversight of, management’s compliance with the BSA/AML requirements, OFAC regulations, and state regulations;
Measures to improve the management information systems reporting of its compliance with these requirements and regulations;
Clearly defined roles, responsibilities, and accountability regarding compliance with these requirements and regulations;
Measures to ensure that BSA/AML and OFAC compliance issues are appropriately tracked, escalated, and reviewed by senior management; and
Measures to ensure that those charged with responsibility for overseeing compliance possess appropriate subject-matter expertise and are actively involved in carrying out such responsibilities.
At a minimum, the bank’s revised compliance program should provide for:
A system of internal controls designed to ensure compliance with all applicable BSA/AML requirements and state regulations;
Controls designed to ensure compliance with all applicable requirements relating to correspondent accounts for foreign financial institutions;
A comprehensive BSA/AML risk assessment that identifies and considers all products and services of the branch, customer types, and geographic locations, as appropriate, in determining inherent and residual risks;
Identification of the management information systems used to achieve compliance with the BSA/AML requirements and a timeline to review key systems to ensure they are configured to mitigate BSA/AML risks; and
Enhanced independent testing to ensure that comprehensive and timely reviews of the agency’s BSA/AML compliance program are performed on a regular basis.
Customer Due Diligence
At a minimum, the bank’s revised program should include:
Policies, procedures, and controls to ensure that the agency collects, analyzes, and retains complete and accurate customer information for all account holders;
A revised methodology for assigning risk ratings to account holders that considers factors such as type of customer, type of products and services, and geographic locations;
A risk-focused assessment of the customer base;
Policies, procedures, and controls to ensure that foreign correspondent accounts are given the appropriate due diligence; and
Procedures to ensure that periodic reviews and evaluations are conducted and documented for all account holders.
Suspicious Activity Monitoring
At a minimum, the program should include:
A well-documented methodology for establishing monitoring rules and thresholds that consider the branch's risk profile, customer base, products, services, geographic locations, and foreign correspondent account activity;
Policies and procedures for analyzing, testing, and documenting changes to monitoring rules and thresholds; and
Enhanced monitoring and investigation criteria and procedures to ensure the timely detection, investigation, and reporting of all known or suspected violations of law and suspicious transactions.
At a minimum, the OFAC plan should include:
A methodology for assessing OFAC risks presented by the specific product lines, customer base, and nature of transactions conducted at, by, or through the branch;
Appropriate screening procedures for identified high-risk areas;
Procedures to ensure that customer files contain complete documentation of all OFAC checks performed, including the resolution and escalation of concerns;
Procedures to ensure that the processes used to suppress repetitive false positives are periodically reviewed and updated to ensure appropriateness and relevance;
Procedures to ensure the timely and appropriate reporting of inadvertent sanctions violations, including respective timeframes, responsible individuals, implementation control measures, and documentation protocol;
Procedures for the adequate escalation of information about potential sanction violations;
Effective training for all appropriate branch personnel that perform OFAC compliance-related functions in all aspects of the OFAC regulations and updating training on a regular basis; and
Independent testing of compliance with OFAC regulations.
Within 30 days after the end of each month following the date of this agreement, the bank and its branch must jointly submit a written progress report, detailing the form and manner of all actions taken to secure compliance with the provisions of this agreement and the results.