Common sense plus hard work makes a beginning.
By Steve Cocheo, executive editor,
Better BSA exams start by giving your existing program a tough once-over
How seriously does your bank’s workforce take Bank Secrecy Act and anti-money-laundering duties? As an indicator of the compliance atmosphere in your shop, when was the last time one of your employees failed a Bank Secrecy Act test?
Not a real-life test, such as someone attempting to structure deposits. But rather, when was the last time a new employee, or an experienced employee receiving refresher training, failed one of the bank’s own BSA/AML quizzes?
Chances are, suggested Brian J. Wimpling, everyone who takes your bank’s tests passes.
While this may send employees back to the front lines with some confidence in their ability to detect potential laundering or terrorist activity, it should give a compliance officer pause, said the former law enforcement agent who is currently senior vice-president, BSA Department for $2.6 billion-assets Capital City Bank, Tallahassee, Fla. Is the bank’s training so ironclad and foolproof that everyone is passing simply because they really know all about this arcane area absolutely cold? asked Wimpling. Or, more typically, was the test pitched to produce passing grades?
Hold them accountable
“You’ve got to think of what your bank is trying to accomplish” with its training, Wimpling told listeners at the ABA Regulatory Compliance Conference earlier this year. If everyone is passing with flying colors, the bank may not be testing them hard enough. In the end, it may not be training them hard enough.
What caused Wimpling to begin thinking this way was a personal review of the last 30 major government enforcement actions dealing with BSA/AML problems. He said he noted that lack of adequate training surfaced in every one of the cases.
Training, whether for staff, officers, or directors, is only a piece of a bank’s BSA/AML compliance effort, said Wimpling, but it’s a major piece. He believes that it must be backed up to protect the bank from gaps that may be there from the start, or that develop over time. One means of providing that backup is to show employees where in their organization they can find additional help and answers when confronted with BSA/AML challenges. Another is to backstop employees in high-turnover positions, such as the teller line, with automation that can make up for areas where they lack sufficient practical experience or didn’t “get it” when they received their training.
Wimpling’s fellow panelist Anna M. Rentschler suggested that employees ought to be held accountable for poor compliance performance. “If you are going to have the carrot, you have to have the stick,” said Rentschler, vice-president and BSA officer, at Central Bancompany, an $8.5 billion-assets, 13-bank holding company headquartered in Jefferson City, Mo. She suggested that customer service representatives who earn sales incentives should be denied that extra pay if their compliance record is poor. Rentschler said they shouldn’t be rewarded if the compliance department must later “clean up their messes.”
Taking a fresh, hard look at the bank’s BSA/AML program, and acting on the answers to the questions asked and answered, was the theme of a conference session that Wimpling and Rentschler presented. They were joined by Dan D. Soto, compliance managing director for anti-money-laundering and Bank Secrecy Act compliance, at Wachovia, Charlotte, N.C. The trio’s theme was “AML Program Tuneup.”
Does what you have work?
Rentschler pointed out that one of the basics of BSA compliance is whether the bank’s program fits its situation, in terms of client base, market conditions, and local knowledge. In small towns, she noted, where everyone knows everyone, there is a natural awareness of what’s going on in town—and who’s going through town—that staffs at larger institutions don’t enjoy. On the other hand, she pointed out that sometimes smaller communities are surprised to find out that they have a drug problem and the corresponding money laundering challenges attached.
So understanding the risks in a bank’s market is critical, and coming up with a BSA risk assessment that fits that market is the challenge.
“It needn’t be 100 pages long,” said Rentschler, “but it should have enough detail to document what you are doing.”
The bigger the institution, the greater the challenge is to have all players working on the basis of the same risk assessments and working from a common perspective of what constitutes this or that level of risk. One source of help that many bankers don’t avail themselves of is law enforcement. Rentschler noted that the filing of Suspicious Activity Reports is a good example of how law enforcement agencies can help. Banks can ask both enforcers and examiners two key questions: “What do you think is important?” and “What do you see going on in our market?”
The answers “can be really enlightening,” said Rentschler and a bank with cooperative local agencies may be able to persuade them to pass their thoughts on to employees. “Law enforcement can do a lot of training of your folks at zip cost,” she advised.
Much emphasis is put on automation in the BSA area, and while that is important, speakers noted that people represent the most expensive element in the compliance process. Much of the BSA/AML compliance process, whether it involves data collection up front or personal “radar” when dealing with customers, hinges on personal execution. Frequently this is not recognized, said Wimpling, when banks look at costs of BSA/AML compliance.
“My management team had a stroke when they found out how much we were spending on filing SARs,” said Rentschler.
Handling the bank’s risk assessment
More and more of the BSA/AML examination process revolves around the bank’s risk assessment. In a sense, the bank scripts its own examination, in that examiners will use the risk assessment as one of the yardsticks for determining how well the bank is discharging its BSA/AML compliance duties.
Capital City Bank’s first risk assessment was actually put together by a consultant. This was helpful because it meant that the bank’s risk assessment process had a strong starting point. However, the latest round was handled by Wimpling on his own. “I feel I know the bank a lot better than a consultant does,” said Wimpling. Taking charge of the risk assessment process also creates opportunities for Wimpling, as the bank’s BSA/AML officer, to speak with functional parts of the bank about issues they are seeing in their areas and about the potential risks that their lines of business pose. Wimpling said he’s learned a great deal more about banking in the process of these meetings. He feels such knowledge is important to doing his job properly. He said he has also decided, in the course of the process, that BSA officers ought to be included in the product design process, to eliminate unnecessary risks at the outset.
“It’s always easier to mitigate a risk at the front end than at the back end,” said Wimpling.
Panelists stressed the need for a heavy dose of reality in structuring risk assessments. One example concerned creation of the bank’s “watch list” of customers rating special monitoring. In theory, if a group of firms all exhibit x, y, and z behaviors and patterns, it would suggest that they be put on the watch list. However, “it is possible to have too many accounts on a watch list,” said Wachovia’s Dan Soto. If too many customers are getting special scrutiny, no one is getting special scrutiny.
“You have to triage” the list of candidates for special monitoring, said Soto. Over time, some watch-list accounts can be culled from that list.
Another example concerned geography. Government agencies may designate an area with a special priority identifier rating, such as “High Intensity Drug Trafficking Area” (HIDTA) or “High Intensity Financial Crime Area” (HIFCA). However, the bank must still assess the risks posed by its own sub-markets and customer groups.
“I don’t believe that all HIDTAs are created equal,” said Wimpling. He noted that one of his market areas is designated as a HIDTA, just as Miami, Fla., is. Yet, “the risk in Miami is a whole lot different than the risks in Palatka, Fla.,” said Wimpling, even though they both carry the same designation. “You have to dedicate your resources to your actual risks.”
Monitoring software considerations
Software does more and more of the rote detection and evaluation of BSA/AML compliance, but, again, thought has to be applied in how it is used and how much faith is put in it. Communication is also important, from the purchase of the software through to discussions with examiners about the software.
Rentschler stressed the importance of knowing for certain the monitoring system will fit with the bank’s core system.
“It’s a little late to ask that when you’ve written the check,” said Rentschler. “Do your homework.” She advised not only checking out the bank references provided by the vendor, but also trying to find users not recommended by the vendor.
Examiners should be clear on the capabilities of the system the bank has adopted, and be told up front which release the bank is using. Rentschler told of a case where the exam team asked why the bank wasn’t using a particular package to do a series of checks that the bank knew it couldn’t do. The examiner insisted it could. After discussion, it turned out the examiner had seen a demonstration by the vendor of the very latest version of the package. That version had not yet been released to banks. BJ