Regulators issue guidance on AML enforcement actions
WASHINGTON — Federal banking regulators on Thursday clarified that they generally do not issue cease-and-desist orders for minor deficiencies in a bank's anti-money-laundering program or isolated violations of Bank Secrecy Act rules.
In a joint statement, the Federal Reserve, Federal Deposit Insurance Corp., Office of the Comptroller of the Currency and National Credit Union Administration updated their guidance on how they evaluate violations of AML rules.
"Violations or deficiencies in an institution’s BSA/AML compliance program communicated to the institution in a report of examination or through other written means that are determined to be isolated or technical are generally not considered problems that would result in a mandatory cease and desist order," the agencies said.
The agencies also listed four pillars for an institution’s AML compliance program. They include internal controls for ongoing AML compliance, independent testing, designating individuals to coordinate AML compliance and proper training for personnel involved AML compliance.
The agencies said financial institutions’ AML compliance programs must include customer identification programs that ensure firms “form a reasonable belief” that they know the identity of their customers.
The guidance highlighted scenarios in which regulators will issue cease-and-desist orders for AML violations.
Financial institutions that lack a "reasonably designed" AML program or do not address previously reported AML problems could face the threat of such an order, the guidance said.
For example, an institution will be issued a cease-and-desist order if it has deficiencies in the required independent testing component of the AML compliance program that are combined with signs of highly suspicious activity.
The agencies said an institution that fails to take any action in response to criticism from an exam regarding a failure to appoint a qualified and effective AML compliance officer would also likely receive a cease-and-desist order.
But the regulators said they won’t issue cease-and-desist orders unless deficiencies in an AML compliance program are “so severe or significant as to render the BSA/AML compliance program ineffective when viewed as a whole.”
In cases where an institution fails to address a previously reported problem, the agencies said they won’t issue a cease-and-desist order “unless the problems subsequently found by the Agency are substantially the same as those previously reported to the institution.”
When the agencies don’t issue cease-and-desist orders for violations of AML rules, they said that they could still take other formal or informal enforcement actions that will “depend on the severity of the concerns or deficiencies, the capability and cooperation of the institution’s management, and the Agency’s confidence that the institution’s management will take appropriate and timely corrective action.”