Let’s say, per doctor’s orders, a patient dutifully chooses a diet and exercise regime in an effort to lose weight. But a month later, when the patient weighs in, the needle hasn’t budged a whit. Some patients might swear that they’ve been doing everything right. The doctors would just point out that scales don’t lie.
Other than getting a strong talking to, the patient would pretty much be on his own to decide what to do. The doctor isn’t going to go to the house to see what a patient is really doing.
Bank examiners, however, do make house calls. And in a roundup of input from bankers, consultants, and others, the word is your next BSA/AML exam will be more exacting than ever. First, examiners want to see how well-equipped the bank is with systems and procedures—a longstanding basic. Second, they want to see how well those tools are working. Third, they are stressing impact.
Harder-nosed attitude—for a reason
Consultant Nancy Derr-Castiglione, one of ababj.com’s “Common Sense Compliance” bloggers, says exam teams want to see more than efficient form-filling. Yes, that’s important, she says, but it’s a given. Today, they are emphasizing efficacy—is the BSA/AML program accomplishing anything beyond stacking up forms? And is the assortment of tools and procedures being used properly and with an eye toward current events? The days of “buy the box and forget it” are over.
“It’s getting at the intent, rather than just the going through the motions and checking off the boxes,” says Derr-Castiglione. At smaller banks, especially, where compliance staff may be juggling everything from the new mortgage rules to UDAAP concerns, they are facing scrutiny to be sure they are keeping their BSA/AML efforts on target and current.
“I’ve heard that these days, they are checking everything very closely and that they are checking everything in the manual,” says Rob Rowe, vice-president and senior counsel, and BSA/AML expert at ABA’s Center for Regulatory Compliance.
Overall, experts say if you haven’t had a BSA/AML exam for a while, when you do, expect examiners to perform a “deeper dive” and to “suggest” that the bank consider bringing in outsiders to ensure that systems perform adequately. Attention will not only be paid to direct BSA/AML issues, but also to sanctions, as enforced by the Treasury’s Office of Foreign Asset Control.
While new issues, such as concerns about money laundering via bitcoin and other virtual currencies, have increasingly come on the radar, concern over what’s going on with plain-old American dollars has been rising.
Rowe points out that regulators are under pressure to improve the BSA/AML regime. This follows hearings held in March in the Senate Banking Committee that examined the state of affairs following a string of large-bank BSA violations. Notably, Senator Elizabeth Warren (D-Mass.) took institutions and agencies to task. And Senate Banking Chairman Tim Johnson (D-S.D.), looking back at large-bank enforcement actions, stated: “This pattern of violations is disturbing. . . . To address this threat we must understand how banks’ safeguards malfunction and assess the way the government enforces our AML rules.”
Beyond just tough talk
As usual, scrutiny not only starts at the top, but rolls downhill. So now banks of all sizes face pressure to up their game.
“All the regulators are being tougher,” says John Atkinson, director at Protiviti, Inc.
Indeed, John Byrne, executive vice-president at the Association of Certified Anti-Money Laundering Specialists, says that more bankers have been receiving “MRAs” from regulators post examination. These “matters requiring attention” go into exam reports with higher priority than simple written or oral recommendations, and indicate the rising level of concern from the agencies.
“There are more criticisms of AML programs than ever,” says Byrne, who has been involved in this area for decades and also is a blogger on ababj.com. He says bankers increasingly tell him that BSA/AML compliance has become a “moving target.” While the regulators point out that they aren’t filing unusual numbers of enforcement actions, Byrne says that formal exam criticisms are, in fact, growing.
Byrne says a banker he knows, who is not only a veteran in this area, but a former examiner, told him that he’s never seen scrutiny so intense.
The key to improving matters, says Byrne, is more increased communication between regulators and the regulated. He’s concerned because he says bankers tell him that it has become harder to have a frank exchange of views with regulators.
Due diligence, the sequel
Due diligence at the front end of a customer relationship, even enhanced due diligence procedures for higher-risk customers, has long been a basic of BSA/AML compliance. However, Atkinson, formerly of the Atlanta Federal Reserve Bank, says the regulators now expect more. They are looking for what he calls “dynamic due diligence.”
By “dynamic,” Atkinson means ongoing, periodic due diligence on existing customers, after they are already doing business with the bank. Customer companies can go through many changes over time, and regulators want to see that the bank has a process in place for keeping on top of such changes, explains Atkinson. In today’s market, companies shift gears quickly, and their business plans change. Institutions need to be sure that they continue to “know their customer.”
Atkinson says his clients are stepping up their reviews of customers—pulling out each file more often to assess what’s changed in transaction volume, business activity, and any other indication that may warrant further delving.
In a related vein, Atkinson recommends that banks take a wider view of a customer company and all its relationships with the bank. Focusing too narrowly, he says, may keep the bank from watching everything a company is doing.
Higher focus on higher risks
While there is more scrutiny overall, reports are that regulators are looking deeper into higher-risk customers, as classified by banks themselves, and specifically into certain categories of business customers.
Among these are third-party payment processors, private nonbank ATM operators, and ACH originators, such as PayPal, according to Anna Rentschler, vice-president and BSA officer for $10.4 billion-assets Central Bancompany, Jefferson City, Mo. Many of these kinds of companies aren’t officially money service businesses, according to Rentschler, but they may have sufficient characteristics in common with them to warrant closer inspection.
Rentschler says examiners also will be looking at how a bank determines to risk-categorize such businesses. She takes pains, when a new higher-risk customer is brought to the board for approval, to quantify what makes the firm riskier than others and where the risks arise. “It’s my job to bring product pitfalls to the surface, so the directors know the risks are there,” says Rentschler.
Derr-Castiglione notes that another category regulators have been examining more closely is prepaid and payroll card services. She reports that in this area, some clients have seen examiners venturing into business units—going beyond dealing with compliance staff. Instead of getting information on bank activities through compliance, they choose to get it directly from the source.
Does it work? And how well?
An area of growing attention—and expense for banks—is BSA/AML data validation. Many examiners have been suggesting to institutions that they bring in outside firms to perform audits of BSA/AML activity monitoring systems to be sure that they are performing correctly—producing reliable alerts and accurate reports of potential illicit activity.
Data integrity from end to end is one concern of the audits, according to Protiviti’s Atkinson, but there’s more to the validation process.
“The data audit is combined with a qualitative analysis of the algorithms used to target results for the banks,” Atkinson says. He says many of the firm’s clients have been proactively having reviews of systems done before exams to catch issues before examiners visit the bank.
Related to this, experts say that examiners want to see what banks have done with the systems they purchased. A vendor’s software may have powerful features, but are they all turned on? And if they have been, have the rules of the system been kept up-to-date in recognition of evolving money-laundering patterns?
Clearly, BSA/AML exams are growing more exacting. But Rentschler’s organization has found a way to ease the burden, at least organizationally. It’s been using this approach for five or six years.
Due to the geographic spread of its 13 affiliate banks, Central Bancompany’s BSA/AML exams would normally fall under two Fed district bank staffs, FDIC and multiple other federal and state regulators. In other words, an administrative nightmare, potentially.
Recognizing that all BSA/AML activity is centralized at the company, Rentschler says the bank was gradually able to convince the regulators to review all 13 banks at once, at headquarters.
One of the benefits of taking this approach is that when questions or issues come up, no regulatory ping pong becomes necessary. With representatives of every relevant agency present, says Rentschler, “the agencies decide on an answer, on site.”