By Sven Stumbauer, Senior Advisor, Norton Rose Fulbright
On April 15, 2020, the US Federal Financial Institutions Examination Council (FFIEC) released an updated version of certain portions of its Bank Secrecy Act/Anti-Money Laundering (BSA/AML) Examination Manual (the Manual), which provides guidelines for examiners in assessing the adequacy of a bank’s BSA/AML-compliance program. With financial institutions and regulators focused on responding to the COVID-19 pandemic, these long-awaited revisions to the FFIEC Manual received limited attention. Although the Manual is addressed to examiners, and not all sections carry the weight of the law, it provides a good opportunity for financial institutions to gauge expectations during regulatory examinations.
The main theme of the current update can be summarized with the oft-used term risk-based approach to both BSA/AML compliance and regulatory supervision, as re-emphasized in previous public statements by regulators[i]. This should not be a surprise since money-laundering scandals continued into 2020. As has been the case during the past two decades, financial institutions continue to struggle with anti-money-laundering (AML)-compliance issues and risk-management challenges. While this is certainly not surprising, one must question why sophisticated organizations such as financial institutions continue to grapple with solving the challenges of AML compliance and face ever-increasing regulatory-enforcement actions.
Financial institutions around the globe are largely realizing that risk assessments, as conducted in the past, are not useful anymore if conducted with a “checklist” approach or by completing a simple matrix. A more agile and dynamic risk-assessment model is needed to allow boards and senior management to deploy scarce resources across areas with the highest risk in their particular financial institutions. The key question of “Do we know our true risk?” keeps on emerging, showing that boards and senior management are increasingly seeing less value in a risk assessment that is conducted to “provide updated statistics over the past 12 months, with no change in risk, while business changed significantly”.
Given that a sound AML-risk assessment serves as the baseline for developing and enhancing robust internal controls for AML compliance, the importance of adequately assessing money-laundering risk cannot be overstated. Additionally, by deploying more dynamic risk-assessment models, compliance departments can become more effective and efficient, shifting from “factories” back to their initial goal of achieving an agile oversight function and ultimately decreasing the pressure on the bottom line. Compliance departments and senior management should consider “risk assessment 2.0”.
The need for taking a good look at one’s risk assessment is evident from the recent revisions to the Manual. Among other things, the revisions of the Manual focus on:
Risk-focused BSA/AML supervision
While some financial institutions might be “relieved” and expect more focused and efficient regulatory examinations than in the past, future examinations are likely to be significantly more focused on money laundering and terrorist financing (ML/TF) risks that have been identified by both the financial institutions and the regulatory bodies themselves. The latter presents a greater challenge for financial institutions since the financial institution itself, its transactions and counterparties are not viewed by regulators in a vacuum, and this could potentially create a different risk profile than the one captured by the financial institution as part of its risk assessment. This means a financial institution’s risk assessment might well receive greater scrutiny than it may have during past examinations.
Risk assessment: clarified or “muddied the waters”?
Amongst the most recent revisions, the Manual also clarifies that different “methods and formats”[ii] are permitted to conduct risk assessments and that there is no expectation for a particular method or format. The 2020 update also explains that there are no required risk factors, except pointing out that the “risk assessment should provide a comprehensive analysis of the bank’s ML/TF and other illicit financial activity risks”[iii]. In practice, this also means that regulatory examiners might consider a wider range of risk factors depending on the financial institution’s business, making it necessary for some financial institutions to take a hard look at their internal risk assessments in order to justify to regulators why certain factors were included and others not.
Also of interest is the clarification that there is no periodic requirement to conduct a risk assessment. This is contrary to the previous version of the Manual that described it as a “sound practice” to update risk assessments at least every 12 to 18 months. What remains is the expectation that financial institutions will update their risk assessments to accurately reflect their particular risks. This means that as financial institutions evolve and customer behavior changes, more frequent risk assessments might be required, increasing the regulatory exposure for some financial institutions that kept their risk assessments static for 12 to 18 months and ran the risk that a past assessment did not provide an accurate reflection of the ML/TF and other illicit financial-activity risks.
It is clear that the regulatory approach and the renewed focus on risk and risk-based approaches will necessitate significant changes at some financial institutions.
Individual accountability and liability–a significant risk for senior management and the board
Also of special interest should be the updated section entitled “BSA Compliance Officer”. The Manual indicates that the BSA compliance officer should “regularly” report the status of ongoing BSA compliance to the board of directors (BoD) and senior management so they can make informed decisions about existing risk exposure and the overall BSA/AML-compliance program. If read in context with the advisory issued by the US Department of the Treasury’s Financial Crimes Enforcement Network (FinCEN) in August 2014[iv], a clear message remains: the ultimate responsibility for AML compliance lies with the board of directors of a financial institution.
The FinCEN advisory pinpoints several deficiencies that were identified in recent BSA/AML-enforcement actions that offer important insights for financial institutions and their management and boards. In particular, the advisory reaffirms the notion that a financial institution can improve its BSA/AML-compliance culture by ensuring the following elements exist:
- Leadership is engaged.
- Compliance is not compromised by revenue interests.
- Information is shared throughout the organization.
- Leadership provides adequate human and technological resources.
- The compliance program is effective and has been tested by an independent and competent party.
- Both leadership and staff understand how their BSA reports are used.
The Manual also points out that a regulatory examination will include an evaluation of the resources provided by the board and senior management to the BSA officer, further indicating the focus on holding individuals personally liable for breaches of AML compliance at financial institutions and identifying the root causes of those breaches.
The Manual and the previous FinCEN advisory sent a strong message to financial institutions, namely that an entire organization, from staff to board members, may be held accountable for BSA/AML compliance. Perhaps more importantly, the advisory is a reminder of the importance of institutions reviewing their BSA/AML engagements of senior management and boards of directors to learn whether those engagements adhere to the letter of the law and whether a true culture of compliance is in place.
Time to act is now for financial institutions
Given the timing of the release of the updated Manual in the midst of a global pandemic, the overall message is clear—the United States’ authorities and most likely other regulatory bodies around the world will continue to aggressively enforce AML compliance. Financial institutions are advised to take an immediate look at their individual compliance efforts with a particular focus on how they are identifying, categorizing and measuring their ML/TF and other illicit-financial-activity risks. These organizations need to do so not only from a pure compliance perspective but also from the perspective of operational efficiencies, effectiveness and solutions—how to operate with more smarts and agility—since the updates to the Manual indicate the increased agility of US regulators.
The race to keep up with differing compliance standards has redrawn the competitive landscape for financial institutions, and those banks that can get AML-risk management right will undoubtedly emerge as winners in the ever-increasingly global competitive landscape.
[i] Joint Statement on Risk-Focused Bank Secrecy Act/Anti-Money Laundering Supervision (July 22, 2019), https://www.fdic.gov/news/news/press/2019/pr19065a.pdf
[ii] Bank Secrecy Act/Anti-Money Laundering Examination Manual, https://www.ffiec.gov/press/PDF/FFIEC%20BSA-AML%20Exam%20Manual.pdf