On August 13, 2020, the Board of Governors of the Federal Reserve System (FRB), the Office of the Comptroller of the Currency (OCC), the Federal Deposit Insurance Corporation (FDIC), and the National Credit Union Administration (NCUA) issued a joint statement on “Enforcement of Bank Secrecy Act/Anti-Money Laundering Requirements”. This statement supersedes the original inter-agency statement on the subject issued in July 2007.
A Long Time Coming …
It is interesting to note that it took these Agencies 13 years to issue a clarification on the original statement and to set forth general policy guidelines. In particular, the statement says that it is intended to clarify the Agencies’ enforcement of the Bank Secrecy Act and the conditions that will require the issuance of a mandatory cease and desist order. It also states that whenever the Agency undertakes an enforcement action, it will tailor that action to address the deficiencies that are specific to the institution as identified during the supervisory process. The inter-agency statement also describes the circumstances in which an Agency may use its discretion to issue formal or informal enforcement actions to address BSA-related violations or unsafe or unsound banking practices or deficiencies.
Highlights of the Changes and Clarifications:
In addition to the minimum required components or pillars, the BSA compliance program must “be reasonably designed to assure and monitor the institution’s compliance with the requirements of the BSA and its implementing regulations.”
- The BSA/AML compliance program must also include appropriate risk-based procedures for conducting ongoing customer due diligence as set forth in regulations issued by the U.S. Department of the Treasury including, but not limited to:
  - understanding the nature and purpose of customer relationships for the purpose of developing a customer risk profile; and
  - conducting ongoing monitoring to identify and report suspicious transactions and, on a risk basis, to maintain and update customer information, including information regarding the beneficial owner(s) of legal entity customers.
- An institution would also be subject to a cease and desist order if the institution fails to implement a BSA/AML compliance program that adequately covers the required program components or pillars. For example, an institution rapidly expands its business relationships through its foreign affiliates and businesses:
  - without identifying its money laundering and other illicit financial transaction risks;
  - without an appropriate system of internal controls to verify customers’ identities, conduct customer due diligence, or monitor for suspicious activity related to its products and services;
  - without providing sufficient authority, resources, or staffing to its designated BSA officer to properly oversee its BSA/AML compliance program;
  - with deficiencies in independent testing that caused it to fail to identify problems; and
  - with inadequate training exemplified by relevant personnel not understanding their BSA/AML responsibilities.
- Violations or deficiencies in an institution’s BSA/AML compliance program communicated to the institution in a report of examination or through other written means that are determined to be isolated or technical are generally not considered problems that would result in a mandatory cease and desist order.
- Also, consistent with the treatment of violations of isolated or technical compliance program requirements, violations of non-program-related requirements that are determined by the Agency to be isolated or technical are generally not considered the kinds of problems that would result in an enforcement action.
- An Agency may pursue enforcement actions based on individual component or pillar violations or BSA-related unsafe or unsound practices that may impact individual components or pillars.