Old National Bancorp was in the midst of its 2011 regulatory examination when the company's chief risk officer, Candice Rickard, learned there might be a problem. The Evansville, Ind.-based bank had received sparkling reviews on its Bank Secrecy Act compliance for five years in a row, yet this year things had gotten rougher. Now, Old National was on the cusp of receiving a consent order from the Comptroller's office, requiring it to beef up its anti-money-laundering program.

"It was a shock for us," Rickard recalls. "The message was, 'You were fine before, but now you're all broken.' Nothing had really changed except they were raising the bar. Expectations were higher, and they literally brought it to us in the format of an unsatisfactory review."

The consent order issued in June 2012 demanded, among other things, that the $9.7 billion-asset company devise a "BSA action plan," conduct a "BSA risk assessment," revise "BSA internal controls" and hire a BSA officer.

The bank also installed a new automated system and doubled staffing on BSA-related matters, all in the name of generating data that might someday help disrupt a would-be terrorist, drug dealer, Ponzi scammer or the like.

Total price tag for the enhancements: Roughly $4 million in upfront capital expenditures for systems and consultants, along with as much as $5 million in ongoing annual expenses — plus $500,000 in civil money penalties for the trouble.

In January, the OCC terminated Old National's consent order. CEO Bob Jones calls the episode a "personal embarrassment" and wonders aloud why the same tough rules that apply to a big bank in New York or Miami are applied to a smaller bank in the rural Midwest. "Are there a lot of money-launderers in Paoli, Indiana? Probably not," he says.

Even so, Jones says he accepts his bank's growing role as a deputy in the war on terror, and claims Old National is a better institution today for the experience. "Despite all of the pain and cost, in the long-run it was good for us," he says.

"Our first strategic imperative is to continue improving our risk profile," Jones explains. "When you get hit between the eyes with a sledgehammer, it accelerates that process and creates greater awareness."

Jones' ambivalence is widely shared. Bankers uniformly say they want to do the right thing in defense of their country, but many are struggling with a BSA/AML compliance regime that feels increasingly harsh and capricious.

Few dare talk about their concerns publicly, for fear of alienating regulators. Privately, they say that BSA exams have become more rigorous and focused in recent years, digging deeper into the weeds of processes, systems and controls. Foot-dragging and shortcomings are being met with stiffer monetary penalties and lengthy lists of demands for systems improvements and additional personnel.

Yet it's not clear that even the regulators know exactly what they want from bank BSA programs. Instead, critics say, they're looking to the private sector for the latest in best practices and then seeking to transmit those ideas to the rest of the industry through regulatory decree.

BSA officers report combing through consent orders and regulatory pronouncements with urgency, looking for clues of subtle changes and what's coming next. "We are now in an era of 'regulation by enforcement action,'" says Teresa Pesce, head of the Americas AML practice at consulting firm KPMG.

"Banks feel that they can no longer look at the statutes and regulations to know what to do," Pesce says. "They have to look at the most-recent regulatory guidance or enforcement action against their peers, and then try to plug those holes, as opposed to creating more thoughtful and sustainable programs."

First passed in 1970 to help nab drug dealers and tax evaders, the BSA has evolved into a costly, time-consuming compliance obligation. The law requires banks to file a Currency Transaction Report with FinCEN, the Financial Crimes Enforcement Network, whenever someone engages in a currency transaction of $10,000 or more. They also must file a Suspicious Activity Report when things don't smell quite right, and pick up the phone and call when something potentially urgent crosses their desks.

Banks also are sometimes asked to comb their records to determine whether they have maintained an account or conducted a transaction with someone identified by any of those entities as a possible money launderer or terrorist. The information is used by federal authorities, state and local law enforcement and even friendly foreign governments to help catch bad guys.

"In a perfect world, the government would look at every transaction, but that's not realistic in terms of privacy or size," says Robert Axelrod, a director of Deloitte Financial Advisory Services' forensic unit. "So instead, the government asks the financial institutions already in that role to share their knowledge about problematic transactions."

What's behind the stepped up BSA enforcement is open to debate. Some point to the lingering anger of Congress and the public over Wall Street's role in the financial crisis, and the failure of regulators to catch it. Others note that with banks having largely cleaned up their credit problems, quieting the safety and soundness risks that had dominated regulators' concerns in recent years, all those examiners hired at the peak of the crisis now have more time on their hands.

Christopher Laursen, chairman of the financial institutions and banking practice at NERA Economic Consulting and a former OCC examiner, says examiners assigned to smaller banks can advance their careers by playing tough.

"As an examiner, you move to working on the larger, multinational banks by finding problems at smaller institutions," Laursen explains. "It's a risk for the smaller and midsized banks that you can run into someone who's trying to catch every technical detail to impress their bosses and move up."

But perhaps the best explanation for the stepped-up interest in BSA compliance is that the government seems to be getting better at using the information. FinCEN Director Jennifer Shasky Calvery tells of a match that was found between a phone number submitted in a SAR and one found in a computer seized from Osama Bin Laden's Pakistan compound.

"I can't go further into what they saw," she says, "but that type of lead — the ability to start putting networks together and understand who's moving money to whom — makes a real difference in the fight against terrorism."

Of course, the banker who generated that SAR has no idea of the outcome, and neither does anyone else. SARs are considered highly confidential.

While banks make headlines for BSA violations, "you won't pick up the morning paper and see a front-page story about another bank that has a strong and effective BSA compliance program," conceded Comptroller Thomas Curry in a March speech before an AML group.

As a result, bankers say they often feel they're paying large sums of money to collect vast amounts of customer information that gets dumped into a black hole. Depository institutions filed more than 800,000 SARs in 2012, an amount Axelrod says the agencies would have struggled to digest.

"One of the most frustrating things is that you feel like you keep feeding the machine and nothing comes out," Old National's Jones says.

Meanwhile, banks face the ever-present threat of cease-and-desist orders, consent orders or worse. What's most likely to earn such penalties for BSA compliance failures is a lack of good, automated systems capable of flagging potentially bad financial behavior, or well-trained people capable of analyzing what those systems spit out.

"It's all about systems and controls," says Ron Glancz, chairman the financial services group at the law firm Venable LLC in Washington.

"The government will go after you even if there's never been any money laundering, just to make sure the structure is in place to prevent it."

Shasky Calvery, FinCEN's director since 2012, promises things will only get tougher. A former prosecutor who made her mark dismantling international organized crime groups and tracking down their money, she takes credit for using FinCEN's power to hold banks — and bankers — more accountable for their AML shortcomings.

"Why now? Maybe it's the change in leadership at FinCEN," Shasky Calvery says. "To the extent that we have financial institutions that are not meeting their obligations in defending the financial system, we have the enforcement authority to deal with those outliers."

Some of the recent penalties for BSA noncompliance have been eye-popping. In January, JPMorgan Chase got hit with $2.05 billion in asset forfeitures and civil money penalties due to BSA violations connected to the Bernie Madoff Ponzi scheme. Most of Madoff's transactions flowed through the bank, the OCC found, and JPMorgan lacked the right systems and processes to catch it.

HSBC in 2012 was slapped by an alphabet soup of agencies with $1.9 billion in fines for AML deficiencies. Regulators found that the company had engaged in a "substantial number" of high-risk transactions in Mexico, and apparently violated U.S. sanctions in Sudan, Iran, Burma and Zimbabwe.

TD Bank, Citigroup and ABN Amro have been tagged, as well. But global banks aren't the only targets. Money flows like water through the global financial system, looking for the path of least resistance — in this case, smaller, less-global banks.

"If you really tighten things up at the top of the industry, people who want to launder money will search for other entry points," says Ralph Sharpe, a former OCC enforcement director and now a Venable partner. "So the emphasis on compliance trickles down to smaller banks."

That includes regional banks, such as TCF Financial and Associated Banc-Corp — both of which, like Old National, have been forced to pay civil money penalties and beef up their AML systems for BSA violations.

Strategies are being impacted by tougher enforcement. In June, The Bancorp Inc., a $4.7 billion-asset lender in Wilmington, Del., saw its share price plunge 30% in a single day following the disclosure of a BSA consent order that, among other things, requires it to slow the growth of its profitable prepaid card business. (See related story.)

Seemingly no one is immune to the crackdown. M&T Bank Corp., the Buffalo, N.Y.-based bank with a reputation for having a strong compliance shop, has seen its proposed merger with New Jersey's Hudson City Bancorp delayed for two years, because it has yet to fulfill the terms of a written BSA agreement with the Federal Reserve.

"The responsibilities of banks have changed dramatically since the domestic terrorist attacks, the 2008 financial crisis and a number of high-profile instances of money laundering," M&T Chairman and CEO Robert Wilmers wrote this year in his annual letter to shareholders. "This changed environment calls on regulators to view plans for expansion... in a different light." The deal is presently slated to close by the end of 2014.

The FDIC and other regulators have been using AML statutes to pursue other goals, such as stricter oversight of third-party payment processors. In November 2012, First Bank of Delaware reached a $15.5 million settlement with the Justice Department, and was stripped of its state charter. The FDIC, its primary regulator, and FinCEN concluded that the $222 million-asset company hadn't implemented effective processes for monitoring its profitable relationships with third-party payment processors, allowing financial predators to victimize its customers.

More recently, regulators have been pressing for greater accountability. JPMorgan and HSBC, among others, were forced in their consent orders to formally accept responsibility for their shortcomings — a significant change from the boilerplate "neither admit nor deny" language of past orders.

"I do feel it's important that those corporations that have done wrong admit... to the violation of the law," Shasky Calvery says. "At least at FinCEN, our general thought is that there should be an admission of guilt when a violation is found."

Regulators aren't afraid to go after individuals, either. In January, the securities industry's self-regulating body, the Financial Industry Regulatory Authority, fined the AML compliance officer at Brown Brothers Harriman, Harold Crawford, $25,000 and suspended him for a month for failing to "establish and implement an AML program reasonably designed to detect and cause the reporting of potentially suspicious activity."

Expect more compliance executives, and perhaps even some higher-ups, to get greater scrutiny. "We're seeing situations where business decisions are made that run counter to an institution's AML policy [or] counter to the advice of the compliance department, situations where the compliance department is being deprived of information required to do its job," Shasky Calvery says. 

"It's our responsibility to always consider individual culpability in these matters."

There's also talk of potential criminal prosecutions. The crackdown could have consequences. The enforcement frenzy already has created a shortage of qualified BSA compliance experts. Poaching by other banks is common, and salaries are skyrocketing.

M&T, an $88 billion-asset bank, has thus far added 285 employees and 151 non-staff consultants to manage its AML efforts, and it's likely not done yet. At some large banks, the number of staff members dedicated to BSA issues climbs into the thousands.

Throw on top of this situation the threat of individual prosecution and penalties, and the market for talent could get even tighter.

"We've heard concern from compliance professionals who feel that there's now a target on their back simply by virtue of the jobs they hold," Shasky Calvery says. "Nothing could be further from the truth. The last thing we want is for good people doing tough jobs to leave the industry."

How does a bank stay out of BSA purgatory? For starters, experts say, management and the board need to proactively make AML programs a priority.

Many recent consent orders specifically target the board and place the onus on a compliance committee to get things fixed. A few have specifically required the creation of a BSA/AML committee.

Banks' automated systems must be able to slice and dice account information in myriad ways, and raise appropriate alerts for BSA staff to examine. They also must share the output of all that analysis efficiently across the organization.

Axelrod offers the example of a private banking customer who is engaged in suspicious commerce with a risky country. "If you don't know that he's also the president of a company in your capital markets group, you might not be looking at that company's transactions as closely as you should," he explains. If your examiners discover the connection first, look out.

Consultants note that a good compliance program is integrated into the culture of the bank. Product and business-line managers are trained on the basics to look for, while the buck stops with an independent BSA officer who has a direct line of communication to the board and is empowered to override business decisions if something appears amiss.

"Compliance should not be compromised by revenue interests," Shasky Calvery says.

When in doubt, consultants advise, either ditch the business in question or document it in detail. Some banks have exited business lines, such as bulk currency or serving money-service businesses, because the risks are too great. 

Others are proactively seeking guidance and reassurance on their AML programs by engaging in dialogue with their regulators and documenting the encounters.

"You need to write down what you're going to do and why, and then put it in front of your regulators and say, 'Here are our businesses. Here's where we think our BSA risks are. Here are our thresholds for filing a SAR, and here is our process for looking at data. We don't see peer data, but you do. Does this seem right?'" Laursen says.

"If they don't respond that it's not okay, they're implicitly on the hook," he adds. "It's hard for an agency to penalize a bank if you've told them your plans."

But some banks may be feeling penalized just by the cost of installing and maintaining compliance systems to meet regulators' tough new demands.

M&T's new BSA/AML program will employ "up to 105 pieces of information from each account, ranging from financial activity to negative news searches," to identify customers at highest risk for criminal behavior, Wilmers wrote in his letter to shareholders.

The improved system's price tag thus far: $60 million.

Subscribe Now

Access to authoritative analysis and perspective and our data-driven report series.

14-Day Free Trial

No credit card required. Complete access to articles, breaking news and industry data.