Gearing up for New Anti-Money Laundering Requirements

The end-of-summer proposal by FinCEN to remove the anti-money laundering exemption for smaller financial institutions, including privately insured credit unions, private banks and certain trust companies, first raises the question: Why are regulators proposing to include all banks, without exceptions, despite the obvious regulatory burden?

With regard to AML, regulators scrutinize larger institutions more closely than credit unions and small to midsize banks. One reason is that regulators have discerned a spectrum of risk to which various types of institutions are subject. To date, larger institutions have typically been more relevant at the macroeconomic level, and have called for more scrutiny from an AML point of view. While midsize and small institutions are important to any regional or local economy, the level of risk exposure on a macro level, when it comes to money laundering and terrorist financing, has not been considered as high as that of the larger banks.

Recently, though, regulators have been seeing that the large-scale de-risking activities conducted by large banks have ousted some customers of these institutions (those who either are high-risk or lack a proper way for banks to assess their risk) and pushed them downstream to smaller institutions, which have not yet made the investment necessary to give them the level of controls that large institutions have already adopted. I believe this is the source of these recent proposals.

Now that the larger financial institutions are more closely controlled and have the necessary compliance mechanisms in place, regulators are addressing the smaller and more local financial services segment as a way to promote a similar level of control.

More than 600 FIs that currently don't have a federal regulator will be required to comply with AML standards. Of these, 265 are privately insured state-chartered credit unions, and another 347 are state-chartered nondepository trust companies. How will one-size-fits-all regulations affect these smaller entities? And what must they do to prepare for the expected changes?

Smaller banks and credit unions will need to get their infrastructure ready not only from a technological standpoint but also organizationally. They will need to reshape their organizations to implement the same compliance standards, practices and environment that large institutions already have in place. It will start by creating a "culture of compliance" that in larger institutions is already very evolved.

To date, smaller financial institutions have focused on how to grow their business, and not as much on how to avoid regulatory exposure. Now they will have to put in place operations and compliance strategies that fall into distinct buckets. For many organizations, a cultural change will need to take place to achieve this, and it will have to start from the top.

Compliance, operations and technology functions will have to be separated in such a way that everyone is accountable only for their area of specialty. Compliance will—and should—only manage policy. Organizationally this will mean that compliance dictates policy, while operations implements that policy in a separate arm of the organization. Finally, technology will provide the tools needed to execute on policy.

Another change that smaller institutions are going to see is a need to invest heavily in technology to ensure their compliance is refocused on Know Your Customer controls. Credit unions and banks will have to start combing their customer portfolios for politically exposed persons, as well as those who may have adverse media postings. These factors will help highlight the financial risk or reputational risk to which the organization is exposed. The scope of compliance programs will thus be extended significantly for these smaller organizations.

Smaller banks and credit unions will also have to pay attention to the level of screening they're doing. Are they trying to run screening to generate alerts only on perfect matches, for example? If yes, chances are they are accepting a level of risk that they should not accept. Other institutions may be more conservative and may employ a level of screening that creates a considerable number of alerts. Neither extreme is good—institutions have to balance their processes in a way that is effective in finding and identifying what needs to be alerted and investigated, and efficient enough to address those investigations quickly and affordably. To do this, they will need to clean up their data, adopt solid compliance technology and on-board properly trained and experienced personnel to implement the changes.

If these smaller institutions fail to comply, consequences may include defining corrective action plans that will be monitored by the regulators on an ongoing basis. On the extreme end of the spectrum, it can go all the way to a cease-and-desist order and a total shutdown of business operations.

How can small organizations afford all this change, and the technology that makes it possible to comply at this greatly heightened level? Probably the only way they can get what they need is to come together and use utilities: shared capabilities that can create the economies of scale that make solutions available at an affordable level. These capabilities may reside in cloud-based technology for many of them, or in shared utilities for others.

It's worth noting that credit unions have an advantage in their cooperative structure, compared to community banks that tend to be siloed in their approach—they do their own thing, and rarely work together in associations to make joint decisions.

In sum, there will be a lot of work ahead for credit unions and smaller banks to come up to speed on anti-money laundering compliance. But if credit unions keep talking to one another and working in associations and partnerships, getting up to date with compliance will be a lot less painful.

 

Carlos Garcia-Pavia is Director of Anti-Money Laundering (AML) Compliance at LexisNexis Risk Solutions, a data, technology and analytics company. He can be reached at Carlos.Garcia-Pavia@lexisnexis.com.
