Identifying high-risk areas and allocating sufficient resources to manage them is one of the major benefits of a strong risk management program. Failing to prioritize high-risk areas—and then ignoring even higher-risk segments within that area—invites steep regulatory agency penalties, especially when required by federal law.
For proof, look no further than the $4 billion-asset community bank that was just fined $8 million by the Financial Crimes Enforcement Network (FinCEN) for violations of the Bank Secrecy Act (BSA). FinCEN says the bank willfully failed to file at least 17 suspicious activity reports (SARs) for several customers that were ultimately charged with tax evasion and money laundering associated with illegal sports gambling and chemical trafficking.
Let’s take a look at some of the risk management mistakes that could have contributed to this substantial fine as well as the internal controls and how the bank failed to include all four pillars of a strong BSA/AML compliance program.
Insufficient staffing and resources
FinCEN says the bank failed to allocate sufficient resources to BSA. The bank typically had between six and eight BSA staffers, including a BSA officer and BSA analysts. Three of the analysts reviewed cases and provided quality control reviews—but they didn’t have time to dig very deep. FinCEN says the analysts reviewed about 100 alerts per day so they often didn’t have time to review supporting documents even though they were available.
Every banker knows that BSA is a common source of regulatory violations, making BSA compliance a high-risk area. Supplying adequate resources helps mitigate this risk, something that is likely to be obvious to the bank in retrospect. Skimping on talent and resources may have saved the bank a few dollars up front, but ultimately cost it an additional $8 million. It would have been far more cost effective to invest in adequate BSA resources from the beginning.
BSA gone bad: Good design, poor execution
In theory, the bank had a reasonable anti-money laundering (AML) monitoring system. It reviewed transactions and generated alerts of possible suspicious activity based on predetermined criteria. Alerts were sent to an AML analyst to review. If the analyst determined the activity was suspicious, the alert was supposed to be raised to a SAR committee, and, if necessary, a SAR would be filed. In practice, however, the Bank’s AML program failed to operate as designed.
That’s not what happened though. (Where did things break down?)
Unjustifiably raising the alert threshold. BSA staff was overwhelmed and didn’t have enough time to devote to the alerts generated by the AML monitoring system. Casting the concept of risk management aside, the BSA officer decided the best way to manage the workload was to reduce the number of alerts received, FinCEN says.
In a subversion of Know Your Customer rules, the BSA exempted customers whose activities they decided were “well known” and often created system alerts. There was no documentation supporting this decision, which eliminated at least 1,000 case alerts in 2019.
One-and-done SARS. A repeat alert can be a sign of a pattern of suspicious activity, but that’s now how this bank saw it. After filing a SAR, BSA analysts would clear future alerts, giving the reason as “A SAR was previously filed and is not due for review at this time.” For one customer, this happened almost monthly.
Ignoring valuable tools. A smart risk management strategy would have involved placing extra attention on high-risk customers in a high-risk area. The bank’s AML monitoring system was capable of producing “High Risk Reports” and generate monthly worklist items. The bank didn’t do this.
Risk management should be ongoing—including customer due diligence
Risk management never ends. Circumstances are always changing, requiring risk to be risk assessed. This includes customer due diligence (CDD). In a pattern we’ve seen many times, the bank never retroactively examined existing customer due diligence documents when circumstances changed or rules changed—even though it was policy. Meanwhile, account officers were tasked with supplying missing customer information from CDD questionnaires instead of having the BSA officers reach out to the customers.
Back on track
Since FinCEN began its investigation, the bank has increased its AML staffing by hiring experienced BSA managers and a director of financial crimes with substantial experience. These new staffers replaced the ones that retired or resigned. The new team has looked back at previous suspicious activity, filing 17 SARs.
What can we take away from this enforcement action?
Even if your financial institution has a strong BSA program, there are valuable takeaways from this enforcement action. A written BSA/AML compliance program should be built on the following four pillars:
- Internal controls
- The designation of a BSA/AML officer
- A BSA/AML training program
- Independent testing to test programs
Here are the 4 Pillars of a Strong BSA/AML Compliance Program
In In this case, it looks like the bank failed to incorporate two key pillars into its BSA/AML risk assessment: internal controls and independent testing.
- Internal controls. Internal controls like policies and procedures should be based on risk—not convenience. Is it hard to review tons of automated alerts? Absolutely. It’s worthwhile to review whether alert thresholds and parameters are flagging too many irrelevant transactions and make and document adjustments accordingly. It’s not okay to screen out legitimate suspicious activity because of insufficient resources.
- Independent testing. You’re not managing risk if you’re not proactively testing internal controls. Policies, procedures, and other internal controls exist for a reason. Independent testing is important to ensure internal controls are working and policies and procedures are being followed by the frontline. Your institution might have the most thorough BSA risk assessment in the world, but if you’re not proactively testing internal controls and taking action based on those findings, your risk assessment will be inaccurate. It will be based on hypothetical mitigation strategies, not the ones actually in place.
Internal controls and independent testing are an important of any risk management program, including BSA/AML risk assessments. Make sure your institution is proactive with these two key pillars.
Exam Coming Up? Get Risk and Compliance Management Software Now
Creating Reliable Risk Assessments
Subscribe to the Nsight Blog
Share this
Why You Need to Assess the Risk of Russian Sanctions on Your Institution
3 Reasons Why BSA/AML Risk Assessments Are Essential for Compliance
