Amid intensified regulatory scrutiny and enforcement in the financial services industry, prudent risk and compliance professionals in banks of all sizes will want to check out two new reports that will help them gauge the effectiveness of their Bank Secrecy Act compliance programs.

The Bank Secrecy Act (BSA) refers to a series of laws and regulations that have been enacted in the United States to combat money laundering and terrorism financing. By law, financial institutions must monitor for suspicious activities and identify and report them to law enforcement.

To assess the current state of BSA compliance programs, the Federal Deposit Insurance Corporation (FDIC) has issued a Supervisory Update that provides an overview of the BSA/Anti-Money Laundering (AML) examination process, discusses trends in supervision and enforcement, and includes examples of rare, but significant, failures identified by FDIC examiners in BSA/AML compliance programs.

Secondly, RSM, a provider of audit, tax, and consulting services, conducted a benchmark report in which it assessed the BSA/AML compliance departments of over 100 U.S.-based commercial banks nationwide, ranging between $500 million to $20 billion in assets. The results were based on the responses of 132 senior-level officers and managers responsible for oversight of the BSA program at their respective institutions. The survey assessed several key areas, including AML functional structures, budgets, risk tolerance, staffing levels and certifications, training, and technology investments.

Examined together, both the FDIC report and RSM’s benchmark report help risk and compliance professionals take the pulse of their BSA/AML compliance programs and how they stack up against their peers—not to mention how they are perceived in the eyes of financial regulatory agencies.

For example, in RSM’s benchmark report, 95 percent of respondents said they are generally “satisfied” with the effectiveness of their BSA/AML function, as well as the quality of the risk assessments that drive their BSA compliance programs.

This sentiment appears to be supported by the FDIC’s findings. “In the vast majority of examinations, the FDIC finds that institutions generally comply with the BSA,” the FDIC said in its Supervisory Update. “When examiners find BSA compliance deficiencies, they are often technical recordkeeping or reporting matters that can be addressed in the normal course of business.”

The FDIC report went on to say that common violations of BSA regulations cited during the FDIC’s BSA/AML examinations relate to currency-transaction report filings and information-sharing requirements. Many of these violations “relate to suspicious activity report filing deficiencies and inadequate systems of internal controls,” the FDIC stated.

“Most BSA compliance program deficiencies are corrected during the normal course of the supervisory process without the need for a formal enforcement action.”
FDIC

The Supervisory Update says how banks can prevent such common violations. “For example, information-sharing compliance deficiencies may be corrected by designating persons responsible for conducting searches, keeping contact information up to date with FinCEN, and establishing policies, procedures, and processes that clearly outline methods for conducting and documenting information-sharing request searches, as well as reporting the results of those searches, as necessary.”

Compliance staffing and outsourcing. In the RSM survey, 53 percent of respondents said their financial institution has an AML officer or director function. Other commonly cited roles with AML responsibility included a compliance officer or chief risk officer.

RSM’s report also found that 76 percent of large banks have at least one certified AML professional, compared to 54 percent of small banks. Additionally, 48 percent of large banks said they employ a certified fraud professional, compared to 26 percent of small banks. And nearly all, except for one percent, have a centralized BSA/AML department.

Many banks, however, appear to have a limited number of staff who are fully dedicated to BSA/AML compliance. The RSM survey found, for example, that 70 percent of respondents said they have five or fewer full-time employees (FTEs) dedicated to BSA/AML compliance. Forty-two percent have fewer than three FTEs; 29 percent have between three and five; and 13 percent have between six and ten FTEs.

Small banks generally have less than half the number of FTEs responsible for BSA/AML compliance compared to large banks. Specifically, 87 percent of small banks have fewer than five FTEs, compared to 53 percent of large banks. And 70 percent of respondents said they do not foresee adding more FTEs in the next year.

Many times, financial institutions turn to outside resources to both increase efficiencies and leverage skillsets that they don’t have internally—in particular, BSA/AML internal audits (62 percent) and AML model validation testing (53 percent).

Below, the FDIC explains the circumstances, and cites an example, of a situation that will warrant a cease and desist order.
To be considered a problem within the meaning of Section 8(s), a deficiency would generally involve a serious defect in one or more of the required BSA compliance program components, and would have been identified in a report of examination or other written supervisory communication as requiring communication to the institution’s board of directors or senior management as a matter that must be corrected.
The FDIC does not ordinarily issue a cease and desist order under Section 8(s) unless the deficiencies identified during a subsequent examination or visitation are substantially the same as those previously reported to the institution.
For example:
During an examination, the institution’s system of internal controls was considered inadequate as a result of compliance failures related to customer due diligence and suspicious activity monitoring processes. Specifically, the institution had not developed customer risk profiles to identify, monitor, and report suspicious activities related to the institution’s business customers. Additionally, the institution had not implemented an effective system to identify, research, and report suspicious activity. Notably, there was a significant number of suspicious activity monitoring system alerts that had not been properly researched and resolved.
Apparent violations were cited as a result of the institution’s inadequate system of internal controls and numerous instances where the institution failed to meet suspicious activity reporting requirements. The report of examination identified a problem with the internal controls component of the institution’s BSA compliance program, which required board attention and management’s correction. The issue was explained in the report of examination, which was reviewed by the institution’s senior management and board of directors. After the examination, an informal enforcement action was issued to address the problem.
Subsequent examination findings determined that management had not satisfactorily addressed the previously reported problem with its BSA compliance program. Customer risk profiles remained undeveloped for the institution’s business customers and suspicious activity identification, monitoring, and reporting processes remained inadequate. The number of outstanding suspicious activity monitoring system alerts had increased substantially, resulting in additional instances where the institution failed to meet suspicious activity reporting requirements. As a result, a cease and desist order was issued pursuant to Section 8(s) of the FDIC Act because of the institution’s failure to correct the previously identified problem with its BSA compliance program.
Source: FDIC

“Typically, for model validation the technical expertise is one that is hard to come by. Therefore, it’s extremely expensive and significantly time consuming to acquire that talent to bring in-house,” says Patricio Perez, partner and Southeast financial institutions leader at RSM. “It’s extremely important for banks to understand that there is a solution out there in outsourcing these kinds of activities.”

By bank size, 65 percent of large banks outsourced BSA/AML internal audits, compared to 59 percent of small banks. Furthermore, 58 percent of larger banks outsourced AML model verification testing, compared to 48 percent of small banks.

Other activities that banks sometimes outsource, as cited by respondents, include quality control reviews (8 percent); AML risk assessments (5 percent); and regulation interpretations (2 percent).

Training programs and investments. Ongoing training is a regulatory requirement for BSA/AML compliance to keep up with a rapidly evolving regulatory risk environment. As the FDIC Supervisory Update states, compliance deficiencies related to suspicious activity reporting can be prevented with trained staff and by implementing systems to identify, research, and report unusual activity. “Training and systems should be commensurate with an institution’s overall risk profile and include effective decision-making processes,” the FDIC stated.

In the RSM survey, 94 percent of respondents said their banks use Web-based BSA/AML training for employees, while 68 percent perform in-person BSA/AML training, and 43 percent leverage external training and seminars. “Regulators expect employees to stay abreast of trends and threats, and external training can provide a new perspective on risks,” the RSM report stated.

Furthermore, banks should tailor their training to the specific functions of the employee. “The more sophisticated institutions tend to have a more tailored approach to the training,” Perez says.

Training budgets may also need to be adjusted. RSM’s survey data showed that the median annual budget for BSA/ AML training is $5,000. Twenty-six percent of respondents spend between $5,000-$10,000 per year, while 19 percent spend between $10,000-$20,000, and another 19 percent have a budget between $1,000-$2,000.

When it comes to BSA/AML training budgets, 70 percent think their budget will stay the same, while 29 percent of large-bank respondents said they expect a training budget increase in the coming year. Among small financial institutions, 86 percent expect a stagnant training budget, while 12 percent projected an increase.

Due diligence and suspicious activity reports. RSM’s report found that banks file an average of 16.3 suspicious activity reports a month, with 118.6 complete investigations, 39.5 complete due diligence reviews, and 2.7 model or system validations.

“Effective decision-making processes should be supported by adequate documentation regarding decisions to file or not to file a suspicious activity report (SAR),” the FDIC stated. “Because SAR decision-making requires review, analysis, and judgment of transactions, institutions should maintain effective internal control systems that establish appropriate policies, procedures, and processes for suspicious activity monitoring and reporting.”

Most large banks (96 percent) leverage technology to identify suspicious activity, compared to 77 percent of small banks, the RSM report found. It also found that the median annual budget for suspicious activity monitoring software was $30,000, followed by case management ($20,000); customer risk scoring ($19,000); and SAR reporting ($18,000).

The good news, overall, as stated by the FDIC: “Most BSA compliance program deficiencies are corrected during the normal course of the supervisory process without the need for a formal enforcement action.” And this is important, given that BSA/AML compliance programs play an integral role in deterring and detecting bad actors who seek to misuse the U.S. financial system to launder criminal proceeds, finance terrorist acts, or move funds for other illicit purposes.

Beyond just providing benefits external to financial institutions, however, a robust BSA/AML compliance program fosters improvements in other areas, as well. For example, RSM’s analysis found that 85 percent of respondents expressed overall satisfaction with the extent of their board of director’s involvement in their BSA/AML compliance function.

“Board involvement in community banking … has evolved,” Perez says. Fifteen years ago, many board members did not understand or pay attention to BSA/AML compliance, he says, but emerging risks like terrorist financing and increased regulatory enforcement have brought with it heighted scrutiny, including board oversight.

With the BSA/AML regulatory environment for financial institutions as fluid as it is, greater involvement by the board of directors should be a welcome development, translating into more effective and efficient oversight moving forward.