Several recent anti-money-laundering enforcement actions required the targeted banks to establish board-level compliance committees, including the recent consent order involving JPMorgan Chase. As we begin a new cycle of meetings, bank board members should reexamine what they need to know about anti-money-laundering and sanctions compliance.
At a statutory level, the board of directors is required to approve an enterprise-wide AML compliance program that includes the development of internal policies, procedures and controls; designation of a compliance officer; an ongoing employee training program; and independent testing.
Additionally, regulations require that boards, or a designated committee of directors or executive officers, receive information regarding suspicious activity reports.
Regulatory guidance, including the Federal Financial Institutions Examination Council's Bank Secrecy Act/AML Examination Manual, conveys additional expectations. Boards of directors should:
- understand they are ultimately responsible for the bank's BSA/AML compliance
- help establish a culture of compliance generally, and with respect to AML compliance in particular
- establish an AML compliance risk tolerance
- review the enterprise-wide AML risk assessment to ensure that the AML program is allocating resources to bring AML risks within tolerance
- ensure that senior management has established appropriate incentives to integrate BSA/AML compliance objectives into management goals and compensation structures across the organization
- ensure that corrective actions, including disciplinary measures, if appropriate, are taken when serious BSA/AML compliance failures are identified.
AML enforcement actions that required banks to establish or maintain compliance committees typically also expect these committees to meet at least monthly and submit a written quarterly progress report to the board.
Historically, regulators have afforded banks and their boards wide latitude in how they meet these requirements and expectations. My colleagues and I know of a small bank that sought to satisfy the requirement to provide its board with information on suspicious activity reporting by depositing a stack of reports on the boardroom table and affording directors the opportunity to review them. More often, compliance functions provide summary statistics, including trend analysis, to their boards along with qualitative information regarding some of the more serious suspicious activity reports.
That latitude may be changing. For example, the $10 million penalty levied against TCF Bank on January 25 tells us that it is particularly important for compliance staff to provide boards with information regarding any SAR that could involve terrorist financing – in part to ensure that management is identifying and reporting such activity.
Another example concerns risk assessments. The current FFIEC examination manual contains only high-level guidance for how to conduct a risk assessment. Instead, it notes that bank management should decide what is appropriate based on the bank's particular risk profile, so long as the format is easily understood by all appropriate parties. However, there are some indications that regulators are becoming more prescriptive. For example, the provisions of some recent enforcement actions included detailed requirements regarding risk assessments.
As expectations for board-level oversight of AML and sanctions risk rise, board members may wonder: What can we do, beyond the usual measures, to stay ahead of the curve? The following best practices cost little more than time and effort, but can make a big difference:
Leave the boardroom and visit the factory floor. Only in a few rare instances have we seen board committees observe the compliance function at work. If more board members saw firsthand how a low-level analyst has literally a matter of seconds to determine whether a false positive constitutes a sanctions violation, they would have a more informed understanding of compliance resourcing and the limitations of automated systems. In addition, such direct interest by the board in the mechanics has the added benefit of reinforcing the "tone at the top" regarding the importance of compliance.
Align compensation with compliance. Some boards include compliance objectives, along with other risk management objectives, in compensation plans. A smaller number ensure that the corporate function has direct, independent input into these ratings, at least for senior business leaders. These incentives reinforce the role of business management as the first line of defense.
Expect business management lines to self-identify compliance issues. We have observed some boards that have this expectation. When the business lines fail to self-identify potential problems, these boards want to know why. Receiving reports on AML compliance lapses and whether they were self-identifiable is a fundamental step in board oversight.
Michael Dawson is a managing director at Promontory Financial Group and coordinator of its global compliance practice, which advises banks on anti-money laundering, sanctions and mortgage foreclosure issues. He served in the George W. Bush administration as a deputy assistant secretary of the Treasury.