Learning from the Citibank order
* * *
I don't typically do a blog so soon after the last one, but the Comptroller of the Currency's April 5 Citibank order made me think that a quick snapshot of themes may be appropriate.
I will leave to others the burden of producing a detailed analysis of what can only be seen as a major action against a major financial institution, but wanted to isolate a few areas and pose some questions.
A reminder here: All enforcement actions are fact-specific, negotiated, and leave much appropriately out of the public eye. With that in mind--where do we go from here?
A touch of the familiar for a start
Overall, the order requires the bank to take comprehensive corrective actions to improve its BSA compliance program. This is typical language and can be found in virtually any BSA action.
Specifically, the Office of the Comptroller of the Currency (OCC) found that "the bank's BSA compliance program had deficiencies with respect to internal controls, customer due diligence, the independent BSA and anti-money laundering audit function, monitoring of its remote deposit capture and international cash letter instrument processing in connection with foreign correspondent banking, and suspicious activity reporting related to that monitoring."
All of these findings are "of statutory and regulatory requirements to maintain an adequate BSA compliance program, file suspicious activity reports, and conduct appropriate due diligence on foreign correspondent accounts."
The announcement makes clear that Citibank is already working on the identified deficiencies.
A warning about the need to target high-risk customers
So what happened? According to OCC:
"The Bank has internal control weaknesses including the incomplete identification of high risk customers in multiple areas of the bank, inability to assess and monitor client relationships on a bank-wide basis, inadequate scope of periodic reviews of customers..."
What this tells me is that if you have high-risk customers, you must determine if they have accounts in various areas of the bank. Further, this order underscores the critical need to have an "enterprise-wide" view of clients. While community banks generally do not have this challenge, mid-size and large banks need to quickly determine if they can and do view customers throughout the institution.
The order insists that the bank's compliance staff have leverage, to give BSA requirements some internal teeth; the latter part of the following quote, which I've italicized for emphasis, is very interesting:
"The Bank shall ensure that compliance staff has the appropriate level of authority to implement the BSA/AML Compliance Program and, as needed, question account relationships and business plans. Compliance staff shall maintain independence from the business line, and not be subject to any form of evaluation or performance input from the business line."
The above is certainly a goal for all compliance officers. For far too long, compliance has not received the same respect at financial institutions as other officer-level bankers--a respect that I believe is clearly deserved. The AML and related compliance teams are not "check the box" staff who relish saying no to new products or delivery mechanisms. Instead, as compliance continues to mature and staffs bring both legal and business backgrounds to institutions, ensuring that compliance has the "appropriate levels of authority" should be easier to accomplish.
The price of respect, and the suitability of measurements
The flip side of obtaining a new respect is that more attention will be paid to quality of effort:
"The Bank shall develop appropriate objectives and means to measure the effectiveness of compliance management officers and compliance management personnel within each line of business and for those with responsibilities across lines of business.
"This evaluation shall include assessments of the function's organizational structure, enterprise-wide effectiveness, the competency of management, accountability, staffing requirements, internal controls, customer due diligence processes, risk assessment processes, suspicious activity monitoring systems, audit/independent testing, and training."
Two key points here, in my view.
First, while most of the above measures of effectiveness seem logical, do we really do an adequate job of reviewing an institution's organizational structure?
Second, how can we best determine the "competency of management," especially in overseeing compliance?
What strikes me as the most important part of this review is the concept of accountability.
All too often we have seen the wrong staff held accountable for problems. How do we address this challenge--a challenge, I might add, in all parts of society?
Again, where do we go from here?
Risk Assessment--the cornerstone of all AML programs
In the Order, OCC also outlined its views on performing a risk assessment. In relevant part, the agency indicated that a comprehensive assessment must include:
"An assessment of the AML risk associated with each line of business, and an enterprise-wide assessment of AML risk for higher risk products, customers, and services. This review shall include, but is not limited to, an assessment of risk associated with foreign correspondent banking, pre-paid cards and mobile banking, cash-intensive businesses, remote deposit capture, private banking, and other higher risk products, services, customers, or geographies."
There is nothing new here, but the Order goes on to direct the development of a comprehensive approach to quantifying BSA/AML risk for new and existing customers:
"The quantification of risk shall encompass a customer's entire relationship with the Bank, include the purpose of the account, actual or anticipated activity in the account (e.g., type and volume (number and dollar) of transaction activity engaged in), nature of the customer's business or occupation, customer location (e.g., customers' geographic location and where they transact business), types of products and services used by the customer, material changes in the customer's relationship with the Bank, as well as other factors discussed within the [Federal Financial Institutions Examination Council] BSA/AML Examination Manual."
What's important here is the reference to the FFIEC Manual. It is clear that the manual is essential reading for all compliance officers--a point you would think obvious but, trust me, bears repeating.
The required assessment must also include:
"The identification of specific lines of business, geographies, products or processes where controls are not commensurate with the level of AML risk exposure."
This line is particularly compelling and needs to be understood and incorporated by institutions of all sizes:
"The risk assessment shall be refreshed periodically, the timeframe for which shall not exceed twelve months, or whenever there is a significant change in AML risk within the bank or line of business. The AML risk assessments shall also be independently reviewed for the adequacy of methodology and accuracy of findings."
The question here is the timeframe for risk assessment--is 12 months a standard, or just required in this situation? I'd recommend that you have conversations with your examiners so you understand their expectations. The point regarding "a significant change in AML risk" forcing a refresh of the risk assessment is an important element that should be spelled out in your policies and procedures.
*Pink Floyd used the line "where do we go from here," but the actual title of the song was "Keep Talking"--something the AML community should do to better understand this Order and its ramifications for everyday compliance.
About John Byrne, CAMS
Byrne is Executive Vice-President of the Association of Certified Anti-Money Laundering Specialists (ACAMS). He has written extensively on AML issues for 25 years, has appeared on television, and has testified before many congressional committees on AML-related policy issues. Prior to joining ACAMS, John was the Global Regulatory Relations Executive at Bank of America. Before that, he worked for the American Bankers Association for 22 years and was responsible for ABA's lobbying, regulatory, and educational efforts on money laundering and other compliance issues. He received the ABA's Distinguished Services Award and was also the first private sector recipient of the "Director's Medal for Exceptional Service" from the Treasury Department's Financial Crimes Enforcement Network (FinCEN). Byrne can be e-mailed at email@example.com.
John also posts updates on Twitter at @jbacams2011.