Regulators Gearing up for New Bank Secrecy Push
The Office of the Comptroller of the Currency issued a cease and desist order against Citibank Thursday for violations of the Bank Secrecy Act dating back to 2006.
A compliance checklist for CEOs? That almost sounds like an oxymoron. Traditionally, bank CEOs did not give much thought to regulatory compliance unless something went wrong. However, as the regulatory environment continues to be enforcement-focused, bank CEOs must scan not only the economic landscape, but the regulatory one as well.
Bankers may have addressed most credit and capital issues, but regulators are getting ready to ramp up oversight in other areas.
Regulators are taking a fresh look at old compliance standards, including the Bank Secrecy Act, bankers say. The act, often known as BSA, has long been a common area for compliance violations and ever-evolving rules.
"You still have banks that did very little 'know your customer' work so they didn't get three forms of ID, a drop of blood and two fingerprints," says Greg Mitchell, the president and chief executive of First PacTrust Bancorp (BANC). Banks that were "not ahead of the curve have to get in compliance and it's painful."
BSA and Anti-Money Laundering (AML) violations dropped off from double digits in 2006 to just seven citations last year, according to BankersOnline.com, a website developed by bank consultants. Still, observers expect violations to rise as regulators have more time to focus on banks' risk management and compliance functions.
"Once we get past the worst of the crisis, compliance issues are going to come to the forefront," says Ann Graham, director of the Business Law Institute at Hamline University in St. Paul, Minn. "There's no area of the bank that this doesn't cover."
In early April, the largest bank BSA/AML violation in more than a year came against Citigroup's Citibank. It was the only citation so far this year, but the 29-page cease-and-desist order highlighted more than five years of compliance violations and showed that regulators are taking an extensive look at operations.
"When it touches BSA, [regulators] are nothing short of tough," says Walter Moeling 4th, a partner at Bryan Cave. "It's not just the Citi folks that are getting it."
Bankers mostly worry that the thrifts that were transferred to the Office of the Comptroller of the Currency last July may find that they, too, do not meet their new regulator's standards.
"We've been telling our people to get ready for heavy seas once the OCC comes in," Mitchell says. Some thrifts "are going to be surprised."
An OCC spokesman declined to comment on thrifts but agreed that BSA/AML compliance was "an important part" of a bank's responsibility. "The OCC takes it very seriously, as evidenced by the recent Citibank enforcement action," he says.
Regulators are also looking for a more holistic approach to risk management, observers say.
"What we're seeing in the realm of BSA is that so much hinges on risk management," says Mary Beth Guard, outside general counsel at the Oklahoma Bankers Association and a co-founder of BankersOnline.com.
"Instead of the cookie cutter approach" regulators "want to look at [BSA] based on your product mix, your geographical location, size," Guard says. "All those factors play into where are those risks and how are we controlling those risks."
Enterprise risk management is a fairly new concept for many banks and not one that they can easily afford coming out of the recession. Industry observers fear many banks are ill-prepared for a new regulatory focus on old compliance policies, not to mention new policies coming into force.
"The number of rules, technical or otherwise, and subject to interpretation that bankers have to live with is astronomical," Moeling says. "I don't believe I have a single client anywhere out of 400 banks that's totally in compliance with everything."
Another concern is that many banks have been cutting costs, which likely included cuts in compliance departments.
"As institutions looked at opportunities for cutting costs, certainly compliance was a victim," says John Soffronoff, president of the compliance practice at ICS Risk Advisors. "You have this swirl of change and not as many resources" when factoring in new rules.
Guard says there are bankers who have had BSA/AML software in place for five years but never used it because the bank lacked a qualified person to review reports. "A lot of banks are at the point where they can no longer do it manually," she says. "Making that culture shift from a manual process" is challenging.
The BSA has slowly evolved into more complex reporting requirements. One of the biggest changes came after Sept. 11 when the USA Patriot Act required banks to detect and report suspicious terrorist financing through a new identification program.
In 2010, the Federal Financial Institutions Examination Council issued a 439-page manual on policies and procedures. Since then, suspicious activity reports, or SARs, have picked up. Such reports jumped 14% last year, marking the biggest one-year increase since the financial crisis, according to Fincen. The spike is partly because of a pick-up in depository transactions as the economy improves, says Fincen spokesman Steve Hudak. He says banks have improved reporting, especially those that combined anti-fraud and anti-money laundering systems. It's unknown how much the jump in SARs last year was tied to heightened regulatory oversight.
"Bankers are continuously getting better at spotting suspicious activity," Hudak says. "Banks are continuing to be diligent and we continue to be diligent in watching them."