June 17, 2020
Steven Dietz, Financial Crimes Advisory Lead
Bank Executives, AML Officers and AML management staff often deal with many stresses in their day-to-day activities. Among the many stresses Executives and AML professionals face, whether it be designing adequate programs, whether risk scoring and transaction monitoring tools are capturing optimal levels of risk and activity, managing and answering to increasing costs, or business lines that implement processes or standards that cause some form of regulatory impact, etc., regulator relationships become an added stress – but they don’t have to be that stressful. Regulatory relationships are inherently more difficult in the AML space because AML is a more subjective compliance/risk management discipline – most requirements and regulatory expectations are not specifically set out – so different examiners can and do interpret the adequacy of a bank’s AML program differently. Sure, having to meet regulatory expectations and trying to meet the various nuances of regulator expectations is stressful. However, the direct relationship with regulators does not have to be combative or negative. In our experience and in observing the industry, we have noticed 3 myths about relationships between banks and regulators.
Myth 1: Regulator relationships are always difficult battles
Myth 2: Regulators do not care about rising AML compliance costs
Myth 3: Regulators are not willing to deviate from the old way of doing things
REGULATOR RELATIONSHIPS ARE ALWAYS DIFFICULT BATTLES
What is the Underlying Sentiment of the Myth?
Regulators are looking to punish banks and examiners have ulterior motives or agendas.
Why is it a Myth?
- The majority of AML fines and/or enforcement actions were truly caused by egregious failures in AML Programs
- Establishing credibility and proactivity with regulatory representatives provides a foundation for open and collaborative communication
- Not trying to do the bare minimum as a strategy goes a long way
US Bank and HSBC failures resulted from some of the most egregious and deliberate actions to minimize obligations from an AML Program perspective. US Bank’s enforcement action even culminated in the Financial Crimes Enforcement Network (“FinCEN”) levying a fine against one of its former executives. The Federal Deposit Insurance Corporation (“FDIC”) issued a civil money penalty to the Bancorp Bank in December 2019 resulting from its failure to comply with a consent order issued back in 2014. There are too many enforcement actions to highlight in this white paper, however, as you read through the past enforcement actions, there was some action, or lack of action, whether deliberate or inadvertent that occurred. Each of the enforcement actions detailed aspects of egregious failures when looking at them in hindsight. It may seem that regulators are looking to punish banks, however, by choosing to be proactive, learning from other failures and establishing a culture of compliance, the chances of engaging in a more meaningful relationship with regulators increase. That’s a big way banks can establish credibility with the regulatory authority. Former US Attorney General Brent Snyder said, “If senior management does not actively support and cultivate a culture of compliance, the company will have a paper compliance program, not an effective one.”
Often times it’s easy to fall into a defensive strategy in approaching conversations with regulators. Maintaining a professional demeanor, respectfully showcasing technical BSA/AML knowledge, and proactively reaching out to examiners-in-charge on new initiatives or ideas naturally lead to establishing that credibility. The proactivity naturally leads to a collaborative tone among all parties. In our experience, lead officials will provide some things to consider when approaching an initiative or idea. Additionally, a bank is able to gauge the initial reaction of the regulators and determine whether implementing an initiative would meet severe scrutiny later on. Regulators are willing and committed to engagement with the private sector – “Early engagement can promote a better understanding of these approaches…as well as provide a means to discuss expectations regarding compliance and risk management.” Below are some additional ways to establish credibility:
- The BSA/AML Officer is perceived as knowledgeable and experienced enough – with strong day-to-day oversight of the AML program and having sufficient stature within the organization and ability to challenge
- Your bank is perceived as meeting or exceeding rules, laws, regulations and industry standards for AML compliance
- Addressing MRAs, regulatory, and audit findings as soon as possible – before examiners return
Lastly, effective exam management is effective in establishing credibility coupled with domain knowledge. Simply put, organization and attentiveness during the examination is key. That can be done by doing the following:
- Maintaining well documented AML Programs including policies, procedures, processes, methodologies and strategies – a strong AML program can nonetheless be criticized by examiners because of a lack of appropriate, detailed documentation
- Having a single or small group serving as the point(s)-of-contact to disseminate requests and communications, etc.
- Providing request items and responses to questions timely – don’t take weeks to provide data or answers
- Being honest with regulators about problems or issues – transparency goes a long way
- Checking in with regulators regularly depending on how they like to approach updates
We have been in an eternal state of increasing costs within the financial crimes industry for many years now. Therefore, it is natural for senior and executive level management to figure out ways to contain or even reduce costs. It is a natural business reaction that occurs even without malicious intent. In each of the AML Program failures, there was a presence of a deliberate minimalist approach. Obviously, if regulators feel risks are not covered as a result of minimalism as a strategy, there can be tensions within the relationship. Wanting to contain costs or even reduce costs is not bad. That’s how for-profit organizations work. Reducing costs by deliberately minimizing risk controls is where the issues arise. There are effective ways of managing risks while containing costs. We live in a world of tremendous technological advances including robotics process automation and other efficiency tools like machine learning.
REGULATORS DO NOT CARE ABOUT RISING AML COMPLIANCE COSTS
What is the Underlying Sentiment of the Myth?
The increase in expectations leads to higher AML cost, and the expectations keep rising causing costs to rise.
Why is it a Myth?
Lately, regulatory agencies have been making comments supporting responsible innovation due to a need to manage costs. FDIC Chairman Jelena McWilliams addressed the Committee on Banking, Housing, and Urban Development in the U.S. Senate on December 5, 2019. Chairman McWilliams said, “BSA/AML laws and regulations impose significant compliance costs on the entire system and on the individual institutions that shoulder the reporting burdens…the government also must continue to examine the rules it imposes to ensure that the system is effective and the obligations imposed on institutions are not unduly burdensome.” Each of the senior banking regulators has emphasized recently the need to “identify and implement ways to improve the efficiency and effectiveness of BSA/AML regulations, supervision, and examinations, while continuing to meet the requirements of the statute and regulations.” This is another way of their saying that they recognize the need to support cost efficiency in an AML program.
In October 2018, the agencies issued a joint statement that clarifies the permissibility of sharing BSA resources among banks with a community focus, less complex operations, and with lower risk profiles for money laundering or terrorist financing. While this is not directly helpful for large banks, it does demonstrate regulatory concern about costs. Josh Otting, the former head of the Officer of the Comptroller of the Currency (“OCC”) said in January of this year that the OCC “generally supports changes that would reduce unnecessary industry burden and compliance costs…” Lastly, FinCEN and the agencies issued a joint statement as part of interagency efforts to encourage banks to consider the use of innovative technologies for achieving AML compliance, one goal of which was to enhance productivity and cost efficiency .
REGULATORS ARE NOT WILLING TO DEVIATE FROM OLD WAY OF DOING THINGS
What is the Underlying Sentiment of the Myth?
Regulators only want you to do things in the old proven ways and deviation from that is too risky to try.
Why is it a Myth?
- Regulators issued a joint statement on responsibly implementing innovative efforts to combat money laundering and terrorist financing
- Banks are successfully implementing managed services approaches
- Providing the right oversight and controls ensures effective risk management of new and innovative processes
In general, deviating from the norm can be a scary thing, and yes, can be risky. However, taking calculated risks can prove to be successful. There are many next generation technologies that are providing great insights to risk within financial institutions. Regulators just want banks to be responsible in taking those risks. FinCEN and the regulatory agencies have recognized that innovation can serve to increase abilities in risk identification, transaction monitoring, and suspicious activity reporting and stated that they welcome this innovation. The key message from the regulators is that innovation needs to be performed responsibly and that banks continue to meet its BSA/AML compliance obligations, which is a fair expectation. New technologies could mean looking at how AML operations are managed within financial institutions.
Senior leadership within AML Programs are having to spend time performing production management-based activities or mitigating production issues. Having to manage from a production-based perspective rather than from a risk management perspective is rather costly and risk management activities can suffer. Establishing a framework by which AML senior leadership can effectively manage risks encompasses potentially engaging in managed services to perform production-based activities. This can be done effectively by:
- Hiring the right critical thinkers with robust AML experience to oversee elements of the managed service relationship
- Implementing a quality control framework that details both strategic and tactical activities and includes real-time feedback loops
- Establishing effective escalation with the managed services firm
- Developing the right blend of reporting metrics and reporting activities (e.g. daily, weekly, monthly) to position bank AML staff to identify potential operational or risk threats
- Hiring analysts, not box checkers, to serve as final decision makers
While there are many successful AML managed service operations within financial institutions, there have been multiple issues where regulators have essentially mandated to that institution to pull aspects of operations in house. In each of these situations it is important to note that those institutions received heavy scrutiny and in some cases an enforcement action due to lapses in controls. Proactively communicating and documenting new strategies with regulators shows that you have a plan and have thought through it methodically. These approaches can be successful by proving that you can perform these activities and manage risk with effective controls in place.
The key message in the discussion of implementing innovation and taking new approaches to fulfilling BSA/AML compliance obligations is crawl, walk, run. Regulators want to know a financial institution can manage risk and operations themselves before taking the next steps in developing innovative and alternative approaches to managing operations. In our experience, showcasing an ability to approach these initiatives in a safe manner with effective oversight and objective support for how they are successful, regulators obtain a level of comfort. Regulatory agencies in April of this year announced revisions to the FFIEC Manual that emphasize a risk-based approach for examiners. The Manual reminds examiners that banks have flexibility in the design of their BSA/AML compliance programs, and minor weaknesses, deficiencies, and technical violations alone are not indicative of an inadequate program.”