Regulators to Squeeze Banks on Anti-Laundering Policies
Lawmakers savaged the Treasury Department and banking regulators on Wednesday over their enforcement of anti-money laundering laws and the lack of criminal prosecutions against big banks for violating those provisions.March 7
Regulators have uncovered "surprising deficiencies" in anti-money laundering compliance at some of the nation's largest banks, Comptroller of the Currency Thomas Curry said Monday.March 4
WASHINGTON — Bankers are bracing for the start of more severe anti-money laundering exams as regulators rework their standards and prepare to issue another round of guidance tackling the issue.
The agencies, notably the Office of the Comptroller of the Currency, are feeling the heat as lawmakers blame them for not doing enough to ensure institutions are following anti-laundering standards.
Regulators are likely to make exams tougher for banks of all sizes, though officials have noted the most serious problems have arisen at the largest banks. Some of the biggest institutions — including HSBC, Citigroup and JPMorgan Chase — have recently drawn the toughest enforcement actions related to Bank Secrecy Act violations.
Facing its own scrutiny for lax oversight, the OCC has begun drafting guidance on new corporate governance processes, designed to ensure that senior bank executives and the board of directors are held responsible for anti-money laundering lapses.
"One of the areas that I focused on since becoming comptroller is really to emphasize the corporate governance aspects of BSA compliance," Comptroller Thomas Curry said at a Senate Banking Committee hearing on Thursday. "That's part of the reason why we're developing and will be issuing soon specific guidance on what the expectations are for board and management accountability. And those have also served as important parts of our enforcement orders that we have issued in the last several months."
But the OCC and other regulators are looking far beyond just issues like terrorist financing and drug trafficking — two areas that got HSBC into trouble.
Rather, the agencies have put a renewed focus on forcing banks to know their customers' entire banking relationship, as well as assess their existing and future risk. Just how much banks must know about their clients has been a source of contention for the past 12 years between banks and regulators, with some institutions arguing the agencies expect far too much.
"You will see more and more regulation around the know-your-customer piece," said Reetu Khosla, the global director of financial crime/risk solutions at the technology firm Pegasystems.
Khosla and other observers said that banks failing to do the appropriate due diligence on a customer to comply with the Bank Secrecy Act could be symptomatic of broader compliance problems, including violation of consumer protection laws.
"If a bank doesn't take a strategic approach and realize it all meshes together, there will be a greater impact on the customer experience and probably more fines" she said.
One key area for regulators this year will be how banks are identifying so-called "politically exposed persons." The definition was expanded last year to include people residing domestically in addition to senior political figures in foreign countries. That change expands the scope of such customers by at least one million people, making it far more cumbersome for banks to identify the right individuals.
"It could cause customer service issues and service level issues because it involves payments going back and forth and it could hold up payments from point A to point B," said Henry Balani, managing director at BankersAccuity.
Most banks already have comprehensive systems in place to track suspicious activity. But knowing each customer and how to assess individual risk is more dependent on human judgment, and cannot be easily outsourced to a support system. Some observers said banks may have to improve their training of personnel to look deeper for potential violations.
"I have a number of clients where, literally, the AML training amounts to all of their employees logging online to answer 50 questions and they're done," said Michael Florence, senior director at Treliant Risk Advisors.
Others focused on a need for management to get more involved and be accountable for the level of a bank's compliance.
"Time has shown us that the compliance departments can't do this alone. Line of business management has to assume ownership of the risk as the first line of defense," said Michael Dawson, a managing director at Promontory Financial Group specializing in anti-laundering compliance. "Until that happens, you will still get the anti-money laundering failures."
Balani added that most of the larger banks that the OCC is targeting for violations have sophisticated systems but still a "lack in willingness to enforce the process at the end of day."
For example, even though HSBC had systems in place, its Mexico business — which ultimately led to anti-laundering violations related to drug cartels — was at one point classified by the company as low risk.
"The technology is one thing but there's no culture in detecting these things … and that comes from the top" management, Balani said. "You have to go after the individual. Otherwise, you will certainly not see a shift in the culture of the institution."
At the Banking Committee hearing on Thursday, several lawmakers openly wondered why regulators had not recommended that the Justice Department seek criminal penalties against HSBC. Instead, the government and the bank agreed to a record $1.9 billion settlement.
For his part, Curry said that the OCC's ability to recommend criminal cases is limited, but he pledged that the agency would do more to hold individuals responsible for anti-laundering lapses.
"The health of a bank's culture starts at the top, and so it's important that senior management demonstrate a commitment to BSA/AML compliance," said Curry. "Employees need to know BSA compliance is a management priority and that the compliance function will receive the resources it needs to succeed, including training and first rate information technology."
Many observers said the OCC is likely looking for a public way to use its existing authority to punish individuals. While it cannot pursue a criminal case, the OCC could, for example, require a compensation clawback for personnel in the compliance area responsible for the violation, Dawson said.
The OCC can also still bar an individual from working in the finance industry.
Others said even if the added scrutiny does not lead to prosecutions, the threat of a big fine may still lead to better compliance. Some observers said the regulators likely got their point across with the $1.9 billion fine against HSBC.
"The objective is a name and shame. Do they need to throw people in jail to truly fix the problem? Not necessarily," Balani said. "Bankers need to consider that [the fines] have material impact on the bottom line and that means their bonuses are at risk. … It becomes a personal issue, even if folks are not being jailed."