What happened

On August 13, the Board of Governors of the Federal Reserve System, the Federal Deposit Insurance Corporation, the National Credit Union Administration and the Office of the Comptroller of the Currency (collectively, the Agencies) issued a joint statement to clarify Bank Secrecy Act/anti-money laundering (BSA/AML) obligations. The joint statement contains the caveat that the Agencies are not creating new expectations or standards, but does set forth clarifying guidance on incorporating the customer due diligence regulations issued by the Department of Treasury into a financial institution’s BSA/AML compliance program.

The joint statement provides a brief overview of the four pillars of BSA/AML compliance before discussing how the customer due diligence regulations, which went into effect in 2018, should be integrated into the internal controls pillar. A BSA/AML compliance program must also include, in addition to a Customer Identification Program, appropriate risk-based procedures for conducting ongoing customer due diligence including, but not limited to, (1) developing a customer risk profile, (2) conducting ongoing monitoring to identify and report suspicious transactions, and (3) maintaining and updating customer information, including the beneficial ownership of customers. The BSA/AML compliance program must also address the additional reporting and recordkeeping requirements from the Treasury Department’s 2016 regulations.

The other sections of the joint statement closely mirror the language in a 2007 interagency statement issued by the Agencies along with the former Office of Thrift Supervision. This includes the discussion of how supervisory concerns will be communicated by the Agencies and when enforcement authority must or may be exercised.

The Agencies explain that they will issue a mandatory cease and desist order for (1) failing to establish and maintain a reasonably designed BSA/AML compliance program, (2) failing to implement an adequate BSA/AML program, and (3) failing to correct a previously reported problem with a BSA/AML compliance program. The joint statement also explains when discretion may be used to issue formal or informal enforcement actions for nonprogram violations of reporting and recordkeeping requirements.

The Agencies also provide specific examples of failures that may result in a cease and desist order or enforcement action, such as:

• Rapid expansion of relationships with foreign affiliates or third parties without proper controls
• An inadequate system of internal controls to confirm customers’ identities
• Failing to identify risks relating to money laundering or other illicit financial transactions
• Insufficient resources to effectively implement a BSA/AML compliance program
• Failing to resolve deficiencies uncovered during independent audits and testing
• Failing to train staff adequately
• Failing to rectify deficiencies previously reported to the board of directors or senior management following an Agency examination

On August 18, the Financial Crimes Enforcement Network (FinCEN) issued a statement describing its approach to BSA enforcement. The statement includes the restriction that FinCEN will not treat the failure to comply with a standard announced only in guidance as a violation of law and will instead seek to establish violations of law based only on applicable statutes and regulations. The statement provides a list of the different types of enforcement action that it may take and some of the range of factors that it considers when determining the appropriate disposition after identifying actual or possible violations of the BSA.

Why it matters

One notable distinction between the new joint statement and the 2007 statement is the addition of language that violations of the nonprogram requirements that are isolated or technical are generally not the kinds of problems that would result in an enforcement action. This seems to represent a further shift in enforcement focus to the four pillars of the BSA/AML compliance program.