For the first time in five years, financial institutions have a new examination manual to pore through as they evaluate the effectiveness of their anti-money laundering compliance programs.
The Federal Financial Institutions Examination Council has released a revised Bank Secrecy Act/Anti-Money Laundering Examination Manual, incorporating regulatory changes made since the last update in 2010 and clarifying bank supervisors’ expectations when conducting reviews. By knowing what examiners are looking for, financial institutions can better assess risks and gaps that could prove problematic.
“It shouldn’t hold a lot of surprises,” says Shirley Inscoe, a senior analyst at bank consulting firm Aite Group. “Most of this has been discussed openly, but it takes quite some time for all the regulators to reach consensus on exam procedures. Every financial institution has to spend numerous hours scouring over this document to ensure their program is in compliance and to prepare for exams.”
“If you are a compliance officer, you have a shiny new manual to show to everyone,” says Robert Axelrod, director of Deloitte’s anti-money laundering group. “What’s important isn’t just what’s new in the manual, but that it drives home, once again, what is important. It is an opportunity to broadcast the important aspects of AML compliance and the expectations of regulators.”
Axelrod lists some of the more important subjects to read up on: virtual currencies, prepaid cards, rules for Suspicious Activity Reports, aggregating currency transaction reports … “These are areas where there is just more going on,” he says.
Among the revisions in the new 400-page manual is its approach to embassy, foreign consulate, and foreign mission accounts. The changes are intended to clarify the process institutions should use when deciding whether or not to accept these accounts. “It is suggesting that banks should be more flexible with embassy accounts” and rely less on “black and white” assessments on whether to accept these accounts, Axelrod says.
“The bigger changes are in areas where things have moved forward—virtual currency, a bigger section on prepaid cards, changes in the SAR rules, aggregation for currency transaction reports ... These are areas where there is just more going on.”
Robert Axelrod, Director of the Anti-Money Laundering Group, Deloitte
That black-and-white approach has been on financial regulators’ minds lately. In recent months, regulators have expressed concern about “de-risking”—that is, banks being so fearful of regulatory costs and hefty fines for AML missteps that they rid themselves of customers and accounts that might have even the slightest whiff of risk. Regulators, with guidance from the Treasury Department’s Financial Crimes Enforcement Network (FinCEN), have pushed back against this strategy, stressing their expectation that risk mitigation must be on a case-by-case basis and decisions should not be made arbitrarily.
“This is an area that remains controversial, and maybe that’s why they haven’t done more than dip their toe in it with embassy banking in the new manual,” Axelrod says.
The new manual completes the move away from paper filings for Suspicious Activity Reports (SARs) and Currency Transaction Reporting. Both must be filed electronically, and those forms have been updated. A notable update to SAR forms is that for the first time filers can upload documents (a spreadsheet, for example) that may be informative. The manual also clarifies when a bank can share SARs with controlling parties and affiliates.
The guide avoids most direct mentions of government sanctions, leaving those matters in the hands of the Treasury Department’s Office of Foreign Assets Control. It does, however, for the first time, address requirements in the Comprehensive Iran Sanctions, Accountability, and Divestment Act, and how the law relates to foreign correspondent account recordkeeping.
When banks deal with foreign correspondent accounts, certain screens and reporting obligations should be triggered. Among the required documentation is whether the foreign bank has processed transfers of funds within the preceding 90 days on behalf of Iran’s Islamic Revolutionary Guard Corps or any of its agents or affiliates. U.S. banks must report to FinCEN within 45 days regardless of the foreign bank’s response. U.S. banks must also request that the foreign bank agree to notify it if the foreign bank establishes a new correspondent account for an Iranian-linked financial institution. FinCEN has developed an optional certification form to provide to the foreign bank when making these inquiries. Any alternative form must request the same information as the FinCEN version.
These obligations are in addition to requirements that a bank should assess all of the information it knows about its customer in accordance with its risk-based BSA/AML compliance program, to determine whether additional actions should be taken or an SAR be filed.
And Outside the Financial Sector …
Non-banks should give the revised manual a read too. Expectations for money services businesses and armored car services clarify their monitoring and reporting obligations. Replacing the traditional section on “Electronic Cash,” the new manual offers an expanded discussion of risk factors and risk mitigation related to prepaid access. Guidance regarding virtual currency administrators and exchangers makes its first appearance in this year’s edition.
Past guidance on third-party payment processors has also made its way into the document. The manual adds an expectation that banks should check available databases to ensure they are not subject to enforcement actions.
COMPLIANCE PROGRAMS BASED ON RISK ASSESSMENTS
The following is an excerpt from the Federal Financial Institutions Examination Council’s new Bank Secrecy Act/Anti-Money Laundering Examination Manual, an update to its 2010 edition.
Management should structure the bank’s BSA/AML compliance program to adequately address its risk profile, as identified by the risk assessment. Management should understand the bank’s BSA/AML risk exposure and develop the appropriate policies, procedures, and processes to monitor and control BSA/AML risks. For example, the bank’s monitoring systems to identify, research, and report suspicious activity should be risk-based, with particular emphasis on higher-risk products, services, customers, entities, and geographic locations as identified by the bank’s BSA/AML risk assessment.
Independent testing (audit) should review the bank’s risk assessment for reasonableness. Additionally, management should consider the staffing resources and the level of training necessary to promote adherence with these policies, procedures, and processes. For those banks that assume a higher-risk BSA/AML profile, management should provide a more robust BSA/AML compliance program that specifically monitors and controls the higher risks that management and the board have accepted. Refer to Appendix I (“Risk Assessment Link to the BSA/AML Compliance Program”) for a chart depicting the risk assessment’s link to the BSA/AML compliance program.
Bank’s Updating of the Risk Assessment
An effective BSA/AML compliance program controls risks associated with the bank’s products, services, customers, entities, and geographic locations; therefore, an effective risk assessment should be an ongoing process, not a one-time exercise. Management should update its risk assessment to identify changes in the bank’s risk profile, as necessary (e.g., when new products and services are introduced, existing products and services change, higher-risk customers open and close accounts, or the bank expands through mergers and acquisitions). Even in the absence of such changes, it is a sound practice for banks to periodically reassess their BSA/AML risks at least every 12 to 18 months.
Source: Federal Financial Institutions Examination Council.
A surprising omission is the lack of an update related to the Foreign Account Tax Compliance Act, even though FATCA’s required disclosures on beneficial ownership affect the way banks collect information about their customers, Axelrod says. Also absent is a recommended approach for statements about AML risk appetites, views on the use of independent consultants and monitors, and discussion of personal liability for executives and directors.
“Whether that should be in a banking examination model, I don’t know, but it is certainly a very topical subject and one they could have set the stage for if they wanted to,” Axelrod says of personal liability for executives.
The new manual is a reminder to financial institutions that compliance with the universe of bank regulations will continue to be costly. “It is not surprising that compliance costs will lead to more mergers in coming months and years for small institutions that just cannot afford to maintain the compliance infrastructure,” Inscoe says.
Nevertheless, Inscoe does view the new document as important, given the global focus placed on money laundering and corruption. “In some areas of the world, regulators are finally more serious about money laundering compliance,” she says. “It is good to get updated procedures out to U.S. banks now that the rest of the world is taking this issue seriously.”
Times have changed since the first manual was introduced in 2005, says Carol Van Cleef, partner at law firm Manatt, Phelps & Phillips. That first edition sent the industry into “a state of shock” and “compliance officers complained it would take months, even years to do everything in the manual.” Updates became less and less onerous as banks’ AML programs matured, she says. “Institutions are much better positioned today than they were even four years ago for taking regulatory guidance when it comes out and putting it into their compliance program.”
The prod to reassess AML programs is an important part of each manual’s release, Axelrod says. “It’s a very good framework to evaluate a program with,” he says. “It is an elaborate blueprint for all the things you need to do in an AML program.”