A program without staff commitment just won't cut it
* * *
The compliance enforcement action against Wachovia may look like a Bank Secrecy Act case, but it is most significant as an enforcement action based on an inadequate compliance program. FinCEN and the Comptroller's Office jointly took action against Wachovia and imposed a total fine of $160 million (definitely not chump change) because Wachovia's BSA compliance program was not up to the job.
Underlying the charges that Wachovia failed to identify and report suspicious activity is the finding that Wachovia did not commit adequate resources to managing BSA compliance to handle the risk that the institution faced through its size, locations, products, and clients. The case makes clear that simply having a compliance program, or a compliance manager, is not enough. It has to be enough of a program, which means commitment of resources, to do the necessary job.
Compliance: More than a box in an org chart
Too often, a CEO can be heard to say "Compliance manager? I have one of those." And then the CEO assumes everything is fine because he or she has plugged the compliance hole.
But simply attempting to plug the compliance hole, alone, is not enough.
The compliance plug has to be the right plug for the need.
Children are supposed to learn this with those wooden toys where they can only pound the right plug (the square one) into the right hole (the square one). The wrong plug either won't fit or will fall right through.
Wachovia's BSA compliance program fell right through.
What was missing?
Wachovia had a BSA compliance program ("I've got one of those") but it was not a program that could support the needs of the institution. The problem was that Wachovia designed the BSA compliance program to fit its budget, rather than to manage its risk.
Case in point: Wachovia set its BSA monitoring software to produce a level of reports that the staff could manage. Since there wasn't enough staff for the program relative to the risk, the settings were designed to limit the number of flags to investigate. As a result, real problems went undiscovered.
Wachovia's clients include casas de cambio that moved currency across the border. There is general agreement that these clients and their currency transactions present substantial risk. However, Wachovia did not monitor the clients or their activities with an appropriate level of resources. The bank also failed to monitor high volumes of monetary instruments coming through the casas. The bank did not adequately monitor traveler's checks, such as checks with sequential numbers.
Why? Not enough staff.
After the investigators finished, they concluded that Wachovia failed to file over 4,300 Suspicious Activity Reports to advise of suspicious activity. That's a lot of undetected and unreported activity simply to save on the budget.
You've got to keep digging
Suspicious activity should be thoroughly investigated. The investigation should be documented to support a decision to file as well as any decision not to file. Then there was the "one is good enough" approach. Wachovia sometimes ignored suspicious reporting if a CTR had been filed.
Filing a CTR may be easier and less work-intensive than filing a SAR, but it is not sufficient to provide the necessary information to law enforcement.
There were also problems with customer identification. Customer Identification Program information was not always properly documented and was occasionally incomplete. Weaknesses in CIP documentation left the bank unable to establish that the information collected was accurate. Failures in CIP, and in other forms of BSA due diligence, left the bank unable to adequately assess risks presented by customers and activities.
Risk assessment: fundamental to risk control
Risk assessment should lead to a well-documented strategy that defines the acceptable level of risk. Any decision on acceptable risk has to be based on an accurate assessment of risk. Any weaknesses in risk assessment will undermine the entire compliance program.
Financial institutions are responsible for identifying and investigating all suspicious activity, not merely that for which they have available time and staff.
Risk assessment should address what is known to be risky and also consider what could become high risk.
The government's consent order requires Wachovia to address risk of existing client relationships and the risk of new or developing relationships. The order also requires establishment of a protocol for exiting relationships. These concepts require the bank to address risk at a point in time, and also address change in risk as products, services, and clients change.
So what's to be learned from Wachovia's plight?
When they say banks should have a BSA compliance program, they really mean it.
The regulators are looking for a program that establishes clear lines of responsibility and accountability. The resources put into the program should be enough to do the job.
How to figure out what resources are needed? Risk assessment. All that guidance on risk assessment should be used as a starting point for a compliance program. Assess and understand the risk; then develop a compliance program to address and manage the risk.
Then there is the issue of qualified staff.
In enforcement cases, emphasis on compliance skill levels is not new. In recent years, many consent orders involving compliance programs have required that staff be qualified to do the job and receive training to maintain qualifications.
It is not enough to plunk a person into a position. That person must have the skills to do the job and must have the resources to maintain those skills, such as attending schools and conferences. Enforcement orders have contained requirements for compliance training for staff generally and, specifically, for the specialized training that the compliance manager needs.
Finally, the consent order contains an interesting requirement: continual reassessment of the adequacy of resources in the BSA compliance program.
For documentation about the case, check out these links at FinCEN's site: http://www.fincen.gov/bsaviolations.html and http://www.justice.gov/usao/fls/PressReleases/100317-02.html
About Lucy Griffin
"Lucy and Nancy's Common Sense Compliance" is blogged by both Lucy Griffin and Nancy Derr-Castiglione, both longtime ABA Banking Journal contributing editors on compliance.
Lucy, a Certified Regulatory Compliance
Manager, has over 30 years experience in compliance. She began as a
regulator, including stints with the Federal Reserve Board, the Federal
Trade Commission, and the Federal Home Loan Bank Board. For many years
she managed the ABA Compliance Division. Since 1993 she has served as a
compliance consultant as president of Compliance Resources, Inc.,
Reston, Va. She is also editor of Compliance Action newsletter and senior advisor with Paragon Compliance Group, a compliance training firm.
In addition to serving as a Contributing Editor
of ABA Banking Journal, Lucy serves on the faculty of ABA's National
Compliance Schools board. For more than a decade she developed and
administered the case study at ABA's National Graduate School of
Compliance Management. She can be reached at
This e-mail address is being protected from spam bots, you need JavaScript enabled to view it