In its Summer 2017 issue of Supervisory Insights, published last week, the Federal Deposit Insurance Corporation (“FDIC”) provides some insight into its examination process and outcomes for Bank Secrecy Act (“BSA”)/Anti-Money Laundering (“AML”) compliance in an article entitled The Bank Secrecy Act: A Supervisory Update (“Supervisory Update”). Although the Supervisory Update also summarizes the BSA and its history, we will focus here on the discussion of FDIC examinations.
The Supervisory Update notes that the focus of a BSA/AML exam “is to assess whether the institution has established and maintains a BSA compliance program that is commensurate with the institution’s money laundering and terrorist financing risks.” Fortunately, serious problems are rare: “Although deficiencies may be identified during examinations, the vast majority of FDIC-supervised institutions are able to address any BSA compliance deficiencies identified through the supervisory process in the normal course, without the need for a formal enforcement action.”
Commonly Identified Violations
The Supervisory Update states that BSA compliance deficiencies often are technical recordkeeping or reporting matters which can be addressed readily. The most common apparent violations of the BSA cited by the FDIC relate to deficiencies involving:
Currency Transaction Report (“CTR,” or FinCEN Form 112) filings;
Suspicious Activity Report (“SAR,” or FinCEN Form 111) filings;
Information sharing requirements (referring to information sharing between financial institutions and law enforcement, under Section 314(a) of the Patriot Act); and
Inadequate systems of internal controls.
The Supervisory Update provides this below graphic setting forth the number of these types of apparent violations that were cited over the previous 10 years. It appears that the incidence of violations involving CTRs were relatively high years ago, but that such citations have steadily decreased; conversely, the number of apparent violations involving SARs appears to be slowly increasing over time, albeit with sporadic decreases.
Many BSA/AML enforcement actions, including actions brought by FinCEN, the Department of Justice, the SEC, and the New York Department of Financial Services focus on an alleged failure to file SARs. The Supervisory Update, not surprisingly, states that staff training and the implementation of systems to identify, research, and report unusual activity — all commensurate with an institution’s overall risk profile — can minimize deficiencies related to suspicious activity reporting, and that adequate documentation should support decisions to file or not to file a SAR. The Supervisory Update also acknowledges implicitly the sometimes subjective nature of deciding whether to file a SAR: “Because SAR decision making requires review, analysis, and judgment of transactions, institutions should maintain effective internal control systems that establish appropriate policies, procedures, and processes for suspicious activity monitoring and reporting.”
Formal Enforcement Actions: Rare Cases
According to the Supervisory Update, although “[t]echnical violations alone do not warrant criticism of an institution’s BSA compliance program, [they] may be indicators of more significant deficiencies with BSA compliance program components. For instance, multiple apparent violations for failure to file CTRs may be the result of deficiencies in the institution’s monitoring process and could be indicative of a problem with one or more BSA compliance program components, such as the internal controls and training components.” Further, “[c]ompliance deficiencies often result in citations of apparent violations, but citations of violations do not necessarily result in the issuance of enforcement actions.” In cases in which management fails to take prompt remedial action, corrective actions are not implemented effectively, or there are serious compliance deficiencies, the FDIC also will consider first a range of corrective options (including informal enforcement actions, such as a memorandum of understanding), depending upon the severity of the deficiencies, the willingness and ability of management to correct the deficiencies, and the money laundering and terrorist financing risks at issue.
Section 8(s) of the Federal Deposit Insurance Act, codified as 12 U.S.C. 1818(s), provides that the FDIC shall issue a cease-and-desist order against an institution that has failed to establish and maintain a BSA compliance program or has failed to correct any problem with its BSA compliance program that was previously reported to the institution. How often does the FDIC invoke this power? The Supervisory Update states that approximately one percent of examinations over the last ten years resulted in formal enforcement actions, which would involve cease-and-desist orders or consent orders, and provides the following graphic:
The FDIC states in the Supervisory Update that it will issue a cease-and-desist order when the examined institution:
Fails to have a written BSA compliance program, including a Customer Identification Program (“CIP”) that adequately covers the required program components (i.e., internal controls, independent testing, designated compliance personnel, and training);
Fails to implement a BSA compliance program that adequately covers the required program components;
Has defects in its BSA compliance program in one or more program components that indicate that either the written program or its implementation is not effective; or
Fails to correct a previously-reported problem with its BSA compliance program. Such a deficiency generally would involve a serious defect in one or more of the required BSA compliance program components, and would have been identified in a report of examination or other written supervisory communication as requiring communication to the institution’s board of directors or senior management as a matter that must be corrected.
The Supervisory Update presumably provide some guideposts for outcomes in BSA/AML exams conducted by other regulators, although it is unclear how firmly the numerical information can be extrapolated. Bear in mind that the FDIC conducts only a limited amount of BSA/AML exams, and only for certain types of financial institutions. As the Supervisory Update explains, the FDIC conducts BSA/AML exams only for insured state-chartered institutions that are not members of the Federal Reserve System, and of this population group, only for the minority of States which do not conduct BSA/AML examinations through their own state bank regulatory agencies. Further, the Office of the Comptroller of the Currency examines national banks for BSA/AML compliance; the Federal Reserve examines state-chartered banks that are members of the Federal Reserve System; and the National Credit Union Administration examines federally-insured credit unions.