Lawsky AML Proposal May Scare Off Compliance Talent, Industry Warns

WASHINGTON — An idea to use public accounting rules as a model for grading certain bank anti-money-laundering procedures is drawing groans from critics who say the costs could outweigh the benefits.

Benjamin Lawsky, New York State banking superintendent, recently proposed subjecting AML compliance to a similar level of accountability that top managers who verify financial statements face in the Sarbanes-Oxley Act. The 2002 law imposes criminal penalties for executives who knowingly certify false information in quarterly or annual reports.

But industry representatives warn such a move would complicate AML procedures by adding steps that could slow down the response to money-laundering threats. Critics also say heightening the personal accountability for executives involved in Bank Secrecy Act compliance could further thin the field of AML specialists.

"Purely from the perspective of the market, it is going to make those jobs far more risky and make it more difficult to attract folks who perhaps do not want to be put in that position and have other options," said Kevin Petrasic, a partner at Paul Hastings.

Lawsky has pointed to cases where filtering systems, which banks rely on to automate monitoring of suspicious transactions, became flawed when the sensitivity of filtering was suppressed. Reiterating steps he discussed last month, Lawsky told a Washington audience this past week his office is planning "random audits" of filtering systems, but he added that there also needs to be greater accountability for the quality of monitoring.

"Since we can't audit every institution, we are thinking about a Sarbanes-Oxley type model where at least we have some responsible executives in the institution who can certify that this filtering system … is operating well," Lawsky said at a March 2 conference sponsored by the Institute of International Bankers. His comments echoed those made last year by Comptroller of Currency Thomas Curry, who suggested that enforcement actions for AML mistakes should name individuals responsible for mishaps rather than just the institution as a whole.

Under Sarbanes-Oxley, the responsibility to certify financial statements for accuracy falls on the chief executive officer and chief financial officer. But in many cases, executives rely on "sub-certifications" from other managers, although such approval from lower-level staff is not required by the law.

Observers said it is still not clear if a similar model for BSA/AML compliance would require certification from a bank's top brass or from the compliance officer responsible for AML. A spokesperson for Lawsky said his office is "still in the process of considering and determining those issues."

But some warned that even requiring the sign-off from the CEO could apply pressure that trickles down to lower level compliance officers. Such scrutiny could make the already difficult search for qualified AML officers even more so.

"Banks are having trouble finding people that are compliance specialists — especially in BSA — and when you add this to the mix, … as a compliance officer you have to think, 'Do I want to put myself on the line?'" said Robert Rowe, vice president and associate chief counsel at the American Bankers Association.

However, some AML experts suggested that a Sarbanes-Oxley model for ensuring the quality of AML programs may have advantages too.

John Byrne, executive vice president at the Association of Certified Anti-Money Laundering Specialists, said stricter consequences for a poor system could give AML officers a louder voice within an institution.

"There should be more authority for the AML officer to oversee everything related to compliance," he said. But he agreed that, without such authority, "to hold them personally responsible is a very broad threat that is a tad bit unfair in this environment without looking at the governance structure."

Daniel R. Alonso, managing director and general counsel at the consulting firm Exiger, said if the DFS moves forward with the plan he would hope that the people certifying a program would be at the highest levels of the bank.

"Compliance officers are in a very difficult situation," Alonso said. "I would not favor putting these certifications at the compliance officer or even compliance chief level."

Michael McDonald, of Michael McDonald & Associates, said the ultimate responsibility for certifying a strong AML system should fall on the corporate suite. He pointed to cases of top executives pressuring AML officers to cut corners.

"I have got a problem … if they are looking at affixing personal liability to a compliance officer when there seems to be no effort to holding top management responsible for policies, procedures and direction of an institution," he said.

In his Washington speech, Lawsky suggested the audits of banks' filtering systems would involve the New York regulator monitoring transactions independently and then comparing the results to that of the bank.

"Hopefully, when we compare a firm's system and a system we know is operating well, we will see very little difference," Lawsky said. He added, "This is not supposed to be a game of gotcha. This is supposed to be a way to ensure that some of our most important systems are working well."

Observers said the state's proposal would intensify pressure on banks to have effective AML systems, regardless of who within the bank is ultimately liable for mishaps.

"All of these developments raise the stakes for getting this right and having an AML program that survives the regulatory scrutiny that is common in this industry," said John Caruso, a principal in KPMG LLP's Regulatory Enforcement and Compliance services network.

Alonso pointed out that adopting the Sarbanes-Oxley model for certifying AML systems would be a huge administrative undertaking.

"Sarbanes-Oxley tells CEOs that they have to set up processes to deal with the certification. A lot of them have committees and there are sub-certifications within a company, so it is a whole new bureaucracy," he said.

Rowe said imposing such certification requirements could complicate banks' efforts to make their BSA/AML programs run smoothly. "While having that certification … sounds good in theory, it slows things down because you have to have all kinds of audits, verification, double checking," he said.

Others said aggressive rules on personal liability for AML compliance from a state regulator could also conflict with federal supervision.

"It would make sense if they were coordinated with other regulators, because having multiple reviews sometimes can result in inconsistent requirements," Byrne said.

For reprint and licensing requests for this article, click here.
Law and regulation Enforcement Compliance AML Bank technology
MORE FROM AMERICAN BANKER