Regulators Provide Greater Transparency into BSA/AML Enforcement Process

On August 13, 2020 the Federal Reserve System, Federal Deposit Insurance Corporation, National Credit Union Administration, and Office of the Comptroller of the Currency (the “Agency” or collectively the “Agencies”) issued a joint statement updating and clarifying their 2007 guidance regarding how they evaluate enforcement actions when financial institutions violate or fail to meet BSA/AML requirements. The Financial Crimes Enforcement Network (“FinCEN”) followed with its own statement on August 18, 2020, setting forth its approach when considering enforcement actions against financial institutions that violate the BSA.

Below are a few highlights from the two sets of guidance:

• The joint statement repeatedly emphasizes that isolated or technical deficiencies in BSA/AML compliance programs will not generally result in cease and desist orders.
• The joint statement provides specific categories and examples of BSA/AML program failures that typically would (or would not) result in a cease and desist order. Certain of these examples are discussed below.
• Compared to the 2007 guidance, the joint statement provides more detailed descriptions and examples of the pillars of BSA/AML compliance programs, such as designated BSA/AML personnel, independent testing, internal controls, and training.
• FinCEN explains in its statement that it will base enforcement actions on violations of law, not standards of conduct contained solely in guidance documents.
• The FinCEN statement lays out the factors FinCEN considers when determining the disposition of a BSA violation. Unsurprisingly, these factors include the pervasiveness and seriousness of the conduct and the violator’s cooperation and history of wrongdoing.

All in all, the two statements, particularly the joint statement, succeed in providing greater transparency into the regulators’ decision-making processes with regards to pursuing enforcement actions for violations of the BSA and for AML program deficiencies.

Joint Statement on Enforcement of Bank Secrecy Act/Anti-Money Laundering Requirements

The guidance interprets section 8(s) of the Federal Deposit Insurance Act which mandates the Agencies issue cease and desist orders when financial institutions (“FIs”) fail to: (i) establish and maintain appropriate AML programs, or (ii) correct problems with their BSA/AML compliance programs previously identified by their regulators. It also addresses when an Agency may take other formal or informal enforcement action for additional types of BSA/AML program concerns or deficiencies, including for violations of the individual components or pillars of BSA/AML compliance programs.

When an Agency “Shall” Issue a Cease and Desist Order

An Agency “shall” issue a cease and desist order for failure to establish and maintain an adequate BSA/AML program. The joint statement lists three categories of such failures.

The first is where the FI “fails to have a written BSA/AML compliance program, including a customer identification program, that adequately covers the required program components or pillars (internal controls, independent testing, designated BSA/AML personnel, and training).” For example, a FI would be subject to a cease and desist order if (1) its system of internal controls is inadequate with respect to either a high risk part of its business or multiple lines of business that significantly impact its BSA/AML compliance program; or (2) it has deficiencies in one key component, such as testing, coupled with other issues, such as evidence of highly suspicious activity.

The second category is where the FI “fails to implement a BSA/AML compliance program that adequately covers the required program components or pillars. . . .” This would be the case where an FI rapidly grew its business relationships through its foreign affiliates and businesses (1) before conducting an appropriate AML risk assessment; (2) without implementing the internal controls necessary to verify customer identities, conduct customer due diligence or to identify and monitor suspicious activity; (3) without giving its BSA officer the authority, resources and staffing required for proper oversight of the BSA/AML program; (4) despite its failure to identify problems due to inadequate independent testing; and (5) with relevant employees failing to understand their BSA/AML responsibilities because they had not been properly trained.

The third, and final category is where the FI “has defects in its BSA/AML compliance program in one or more program components or pillars that indicate that either the written BSA/AML compliance program or its implementation is not effective, for example, where the deficiencies are coupled with other aggravating factors, such as (i) highly suspicious activity creating a potential for significant money laundering, terrorist financing, or other illicit financial transactions, (ii) patterns of structuring to evade reporting requirements, (iii) significant insider complicity, or (iv) systemic failures to file currency transaction reports (‘CTRs’), suspicious activity reports (‘SARs’), or other required BSA reports.” For a cease and desist order to issue, the deficiencies must be significant enough to render the entire BSA/AML compliance program ineffective when viewed as a whole, across all lines of business and activities.

An Agency also “shall” issue a cease and desist order where a FI fails to correct a problem regulators previously identified during the supervisory process. The identified problem would need to be quite substantial, involving substantive deficiencies in one or more pillars. Moreover, the problems would have been reported to the FI’s board of directors or senior management in a supervisory communication as a violation of law or regulation that must be corrected. Failure to correct isolated or technical violations, less serious issues, or items noted as “areas for improvement” generally will not result in the issuance of a cease and desist order.

Further, an Agency usually will not issue a cease and desist order for failure to correct a previously identified problem unless the Agency subsequently finds a problem that is substantially the same as what was previously reported to the FI. For instance, if an Agency notes in a report of examination that the FI’s training program was inadequate because it failed to reflect changes in the law, and at the next examination, the training had been updated, but the Agency finds unrelated deficiencies, such as with the FI’s internal controls, the Agency would not issue a cease and desist order (but it “will consider the full range of potential supervisory responses.”)

The Agencies recognize that certain identified problems may not be fully correctable before the next examination. In that situation, so long as the FI has made “substantial progress toward correcting the problem,” a cease and desist order is not required.

When an Agency May Pursue Other Formal or Informal Enforcement Actions

The Agencies may pursue formal (public) or informal (private) enforcement actions for deficiencies in individual components of a FI’s BSA/AML compliance program or for BSA-related safe and sound practices that may impact individual components. “The form and content of the enforcement action in a particular case will depend on the severity of the concerns or deficiencies, the capability and cooperation of the institution’s management, and the Agency’s confidence that the institution’s management will take appropriate and timely corrective action.”

An Agency also may take formal or informal enforcement action to address other violations of BSA/AML requirements, such as suspicious activity and currency transaction reporting, beneficial ownership, customer due diligence, and foreign correspondent banking requirements. Once again, isolated or technical violations of these non-program requirements generally will not result in an enforcement action.

An Agency “will cite a violation and take appropriate supervisory action” if a FI’s failure to file a SAR or SARs (1) is evidence of a systemic breakdown in it policies and procedures covering suspicious activity identification, monitoring or investigation; (2) relates to a “a pattern or practice of noncompliance with the filing requirement;” or (3) results from even a single egregious or substantial situation.

FinCEN Statement on Enforcement of the Bank Secrecy Act

FinCEN’s statement describes its approach to enforcing the BSA. First, in keeping with other agencies’ positions on the role of guidance, FinCEN explains that in pursuing an enforcement action, it “will seek to establish a violation of law based on applicable statutes and regulations” and will not “treat noncompliance with a standard of conduct announced solely in a guidance document as itself a violation of law.”

The statement then lists the types of actions it may take in light of an identified violation of the BSA. These actions include: (1) taking no action; (2) issuing an informal warning letter; (3) seeking equitable remedies such as an injunction; (4) settling a matter, with the settlement possibly including corrective actions and civil money penalties; (5) assessing civil money penalties; and (6) referring the matter for criminal investigation and/or prosecution.

Finally, the statement identifies the factors FinCEN considers in determining the appropriate disposition of a BSA violation.  Those factors include: (1) the nature and seriousness of the violations; (2) the effects of the violations; (3) the pervasiveness of the wrongdoing; (4) the FI’s history of prior violations; (5) the benefit to the FI attributable to the violations; (6) whether the FI terminated and remediated the violations upon discovery; (7) voluntary disclosure; (8) cooperation with FinCEN and other relevant agencies; (9) whether the violations are evidence of a systemic breakdown; and (10) actions taken by other agencies with overlapping jurisdiction, including bank regulators.