First Post in a Two-Part Series

How do financial institutions get in trouble with their regulators? Recent AML enforcement actions suggest that the following two failures are at the heart of most of these actions: (1) inadequately identifying, monitoring and/or reporting suspicious activity; and (2) failing to implement adequate internal controls. And these same issues crop up year after year.

In this post, we’ll discuss these failures and their root causes and provide practical tips for ensuring that your AML program will withstand the scrutiny of regulators. In our next post, we will discuss how these practical tips apply in a specific AML enforcement action: the recent consent order between the New York Department of Financial Services and Mashreqbank. 

The U.S. financial institutions that recently found themselves in the government’s crosshairs allegedly engaged in the following behavior:

• Failing to investigate alerts on high-risk accounts where those accounts had been investigated previously, even when the new suspicious activity to which the bank had been alerted differed from the activity that it previously had investigated.
• Having a policy of not investigating or filing SARs on cash withdrawals from branches near the Mexican border if the customer said they were withdrawing cash in the U.S., rather than carrying cash into the U.S. from Mexico, in order to avoid having to file a Report of International Transportation of Currency or Monetary Instruments (CMIR).
• Capping the number of alerts from its transaction monitoring systems based on the number of staff available to review the alerts rather than on the risks posed by the transactions (and lying to regulators about it).
• Failing to report the suspicious activities of a longtime customer despite having been warned that the customer was laundering the proceeds of an illegal and fraudulent scheme through accounts at the bank.
• Failing to conduct necessary due diligence on foreign correspondent accounts.
• A brokerage company failing to file SARs on transactions that showed signs of market manipulation.
• A MSB’s failing to implement proper controls and discipline crooked agents because those agents were so profitable for the MSB, thereby enabling illegal schemes such as money laundering.

Although the behavior of these financial institutions may differ, the root causes of their failures do not. They include the following:

• An inadequate, ineffective or non-existent risk assessment.
• Elevating the business line over the compliance function.
• Offering products or using new technologies without adequate controls in place.
• Compliance programs that are not commensurate with the risks, often due to under investment in AML technology or other resources and/or lack of awareness of AML risks or controls.
• Corporate silos, both human and technological, that prevent or hinder information sharing.
• Insufficient screening of parties and relationships and lack of effective processes and controls around EDD.

So how can you ensure that your AML program is adequate? Here are some practical tips.

Promote a Culture of BSA/AML Compliance

The “Tone at the Top” matters. Management and the board must take an active role in compliance and lead by example. You should create and improve committee and reporting structures to bring senior management into a methodical and well-supported decisional role. Management should review resources and communications throughout the institution for structural credibility. Compliance should be an element of compensation and performance.

Revenue concerns must not lead to compromises on compliance. It should go without saying, but do not turn a blind eye to obvious red flags just because someone is a good or long-time customer or because the account is generating enormous fees. Do not overlook the risks attendant with a potential customer because that customer will be profitable.

Focus on Transaction Monitoring

The complete cycle of transaction monitoring is a high priority for exams. You must have adequate technical and human resources to identify and detect suspicious activity; this involves both automated monitoring and human detection of problems.

Your selection and documentation of monitoring rules and thresholds needs to be comprehensive and transparent. You cannot simply rely on your vendor telling you, “this is what others do.” Your alerts and thresholds must be risk-based and specific to you. In addition, you should analyze your SARs based on human referrals to help determine if your monitoring rules are adequate, e.g. did your staff discover suspicious activity that your monitoring system did not, or did the receipt of a subpoena trigger a SAR when it should have been the other way around?

Once you receive an alert, your investigation process should be well-documented, comprehensive and timely. And your decision as to whether or not to file a SAR should be properly documented, consistent and reasonable. After all, you may have to defend that decision to a regulator.

Your SAR decisions should be shared with senior management for trends and responses. Always think about how your regulators will view you continuing to do business with the subjects of the SARs. You also should use the SARs to help validate the risks identified in your AML risk assessment.

Improve Your Information Sharing

Corporate silos hinder information sharing. Your compliance department needs to be informed of risks and processes throughout the organization – if it is not, there is an increased risk that violations will go undetected and unreported. Further, your AML and fraud departments must communicate and share information – they should not have different case management systems that aren’t integrated.

Often customers’ profiles and customers’ transaction activity are in separate and unconnected systems – they need to be integrated so that you have a complete understanding of your customers. You need to correlate data that is spread over different product-specific transactional systems so that you can readily see trends and understand what is suspicious.

Identify and Handle High Risk Accounts Appropriately

You first have to be able to identify high risk accounts. Do you have adequate procedures in place to do so, and do you consistently follow those procedures? Regulators will closely scrutinize high risk accounts and the process of identifying them. And always keep in mind that you may have to defend your decision to onboard a high risk customer to regulators. Will you be able to do so?

Once you’ve identified high risk accounts, you should perform enhanced due diligence (EDD), update and document the Know Your Customer (KYC) information, and utilize the KYC information for risk rating, monitoring, and for periodic reviews. Of course, you should conduct enhanced monitoring of high risk accounts.

You must document the due diligence you perform, including beneficial owner due diligence and any other enhanced due diligence, as required by internal policy and regulation.

Know Your Risks and Continually Improve Your AML Program to Control Those Risks

AML Programs should be dynamic – if you are not continually enhancing your AML program to keep up with your changing risk profile, then you are bound to, at best, disappoint your regulator, and, at worst, face an enforcement action. To do this, you have to first know the risks you are facing. Do you perform regular risk assessments, including when you offer new services or products or enter new markets? Are you continually improving and implementing your customer risk rating approach? Your risk ratings should be based on a defensible calculation reflecting a balancing of risk characteristics against due diligence, monitoring and other AML Program controls.

You must regularly update your AML policies and procedures, including customer due diligence and suspicious activity monitoring. As part of this process, create and/or document procedures for handling alerts and employee reporting of potential suspicious activity. And make sure your policies and procedures require detailed documentation and consistent client due diligence requirements across all banking clients.

Regulators increasingly rely on independent (either internal or external) annual testing for reasonable assurance that major AML Program requirements have not been missed. If done internally, effective testing requires well-trained staff with appropriate experience. When used appropriately, testing will provide early warnings of deficiencies and give you credibility in the eyes of your regulator. But for that to happen, your auditors must test all areas and identify material deficiencies.

Moreover, if testing uncovers risky behavior or material deficiencies, you must escalate those findings to senior management so that they can be addressed in a timely, systemic fashion. Regulators will see a failure to address any such deficiencies as management disregarding their responsibilities, and regulators who do not trust an institution are more likely to punish gaps that might otherwise have been forgiven.Remember that most, if not all of the time AML enforcement actions are brought, it is rarely because just one thing went wrong. Generally, there were systemic issues relating to compliance. If you follow these tips, you should be able to withstand the scrutiny of your regulator.

Finally, if your examiner makes a finding, correct it, and update your procedures and processes so that you don’t receive the same finding. Repeat findings are sure to annoy your regulator. If you can’t fully correct the issue, you must be able to at least show improvement along with a plan and a timeline for completion.