The federal banking agencies have issued a joint statement updating their existing enforcement guidance to enhance transparency about how they evaluate enforcement actions when financial institutions fail to meet Bank Secrecy Act/anti-money laundering (BSA/AML) obligations.
The statement from the Federal Reserve, Federal Deposit Insurance Corp. (FDIC), National Credit Union Administration (NCUA) and the Office of the Comptroller of the Currency (OCC) clarifies that isolated or technical violations or deficiencies are generally not considered the kinds of problems that would result in an enforcement action.
The statement also addresses how the agencies evaluate violations of individual components (known as pillars) of the BSA/AML compliance program. It also describes how the agencies incorporate the customer due diligence regulations and recordkeeping requirements issued by the Department of the Treasury as part of the internal controls pillar of the financial institution’s BSA/AML compliance program.
Enforcement actions for compliance program failures
The appropriate agency shall issue a cease-and-desist order based on a violation of the requirement in sections 8(s) and 206(q) to establish and maintain a reasonably designed BSA/AML compliance program where the institution:
- Fails to have a written BSA/AML compliance program, including a customer identification program, that adequately covers the required program components or pillars (internal controls, independent testing, designated BSA/AML personnel, and training); or
- Fails to implement a BSA/AML compliance program that adequately covers the required program components or pillars (institution-issued policy statements alone are not sufficient; the program as implemented must be consistent with the institution’s written policies, procedures, and processes); or
- Has defects in its BSA/AML compliance program in one or more program components or pillars that indicate that either the written BSA/AML compliance program or its implementation is not effective, for example, where the deficiencies are coupled with other aggravating factors, such as:
  - (i) Highly suspicious activity creating a potential for significant money laundering, terrorist financing, or other illicit financial transactions,
  - (ii) Patterns of structuring to evade reporting requirements,
  - (iii) Significant insider complicity, or
  - (iv) Systemic failures to file currency transaction reports (“CTRs”), suspicious activity reports (“SARs”), or other required BSA reports.
“For example, an institution would be subject to a cease-and-desist order if its system of internal controls (such as customer due diligence, procedures for monitoring suspicious activity or an appropriate risk assessment) fails with respect to either a high-risk area or multiple lines of business that significantly impact the institution’s overall BSA/AML compliance program, even if the other components or pillars are satisfactory,” the regulators said. “Similarly, a cease-and-desist order would be warranted if, for example, an institution has deficiencies in the required independent testing component or pillar of the BSA/AML compliance program and those deficiencies are coupled with evidence of highly suspicious activity, creating a potential for significant money laundering, terrorist financing, or other illicit financial transactions in the institution.”
An institution also would be subject to a cease-and-desist order if the institution fails to implement a BSA/AML compliance program that adequately covers the required program components or pillars.
“For example, an institution rapidly expands its business relationships through its foreign affiliates and businesses without identifying its money laundering and other illicit financial transaction risks; without an appropriate system of internal controls to verify customers’ identities, conduct customer due diligence, or monitor for suspicious activity related to its products and services; without providing sufficient authority, resources, or staffing to its designated BSA officer to properly oversee its BSA/AML compliance program; with deficiencies in independent testing that caused it to fail to identify problems; and with inadequate training exemplified by relevant personnel not understanding their BSA/AML responsibilities,” the guidance stated.
“However, other types of deficiencies in an institution’s BSA/AML compliance program or in implementation of one or more of the required BSA/AML compliance program components or pillars, including violations of the individual component or pillar requirements, will not necessarily result in the issuance of a cease-and-desist order, unless the deficiencies are so severe or significant as to render the BSA/AML compliance program ineffective when viewed as a whole.”
An agency also will consider the application of the institution’s BSA/AML compliance program across its business lines and activities. In the case of institutions with multiple lines of business, deficiencies affecting only some lines of business or activities would need to be evaluated to determine if the deficiencies are so severe or significant in scope as to result in a conclusion that the institution has not implemented an effective overall BSA/AML compliance program.
Failure to correct a previously reported problem
An agency shall issue a cease-and-desist order whenever an institution fails to correct a previously reported problem with its BSA/AML compliance program identified during the supervisory process.
However, to be considered a “problem” within the meaning of sections 8(s)(3)(B) and 206(q)(3)(B), a problem reported to the institution ordinarily would involve substantive deficiencies in one or more of the required components or pillars of the institution’s BSA/AML compliance program.
“For example, failure to take any action in response to an express criticism in a report of examination regarding a failure to appoint a qualified and effective BSA compliance officer could be viewed as an uncorrected previously reported problem that would result in a cease-and-desist order,” the regulators said. “Violations or deficiencies in an institution’s BSA/AML compliance program communicated to the institution in a report of examination or through other written means that are determined to be isolated or technical are generally not considered problems that would result in a mandatory cease and desist order. An agency will ordinarily not issue a cease-and-desist order under sections 8(s) or 206(q) for failure to correct a BSA/AML compliance program problem unless the problems subsequently found by the agency are substantially the same as those previously reported to the institution.”
Other enforcement actions
An agency also might take formal or informal enforcement actions against an institution based on individual component or pillar violations or BSA-related unsafe or unsound practices that might impact individual components or pillars.
“The form and content of the enforcement action in a particular case will depend on the severity of the concerns or deficiencies, the capability and cooperation of the institution’s management, and the agency’s confidence that the institution’s management will take appropriate and timely corrective action,” according to the guidance.
In appropriate circumstances, an agency may take formal or informal enforcement actions to address violations of BSA/AML requirements other than the BSA compliance program or the individual component or pillar requirements.
These other requirements include, for example, customer due diligence, beneficial ownership, foreign correspondent banking, and suspicious activity reporting and currency transaction reporting requirements. Violations of non-program requirements that are determined by the agency to be isolated or technical generally are not considered the kinds of problems that would result in an enforcement action, the regulators said.
SAR requirements
Under regulations of the agencies and the Treasury Department, institutions subject to the agencies’ supervision are required to file a SAR when they detect certain known or suspected criminal violations or suspicious transactions.
The regulations require institutions to file SARs for:
- Known or suspected criminal violations involving insider activity in any amount;
- Known or suspected criminal violations aggregating $5,000 or more when a suspect can be identified;
- Known or suspected criminal violations aggregating $25,000 or more, regardless of potential suspects; or
- Suspicious transactions of $5,000 or more that involve potential money laundering or BSA violations.
The SAR must be filed within 30 days of detecting facts that may constitute a basis for filing a SAR (or within 60 days if there is no subject).
“The agencies will cite a violation of the SAR regulations, and will take appropriate supervisory action, if the institution’s failure to file a SAR evidences a systemic breakdown in its policies, procedures, or processes to identify and research suspicious activity, involves a pattern or practice of noncompliance with the filing requirement, or represents a significant or egregious situation,” the regulators said.
Other BSA requirements
Institutions also are subject to other BSA reporting and recordkeeping requirements set forth in regulations issued by the Treasury Department.
Those requirements are reviewed in detail in the Federal Financial Institutions Exam Council (FFIEC) BSA/AML Examination Manual and include: requirements applicable to cash and monetary instrument transactions and funds transfers, CTR filing and exemption rules, due diligence, certification, and other requirements that might be applicable to customer accounts and foreign correspondent and private banking accounts.