Why C-Suite May Soon Feel Sting of BSA Enforcement

WASHINGTON — There may be an 'I' in the word 'Team' after all, at least when it comes to pinning the blame for anti-money laundering violations.

Comptroller of the Currency Thomas Curry turned heads last week when he suggested that regulators consider steps to make large-bank executives directly accountable for AML mishaps, instead of just issuing enforcement actions that are "absorbed... by the institution broadly."

His speech, which echoed previous remarks, reignited the debate over where to direct blame for Bank Secrecy Act problems. Some agree that enforcement targeting the bank as a whole allows individuals to avoid scrutiny, while others caution against penalizing officers for honest mistakes.

"There needs to be something elevating the civil and criminal culpability or exposure to those who are responsible for drafting and implementing, but also approving, the BSA compliance programs," said Michael McDonald, a former Internal Revenue Service agent and now president of the Florida consulting firm Michael McDonald & Associates. "Those programs are all approved by the board of directors. The board buys in. They can't just ignore it and say, 'It's not my problem.'"

But others warned that too much emphasis on individual liability could potentially lead to BSA compliance experts leaving the field.

"I understand [Curry's] point" but "it's sometimes too easy to talk about accountability without recognizing that... very good people might be discouraged from staying in compliance," said John Byrne, executive vice president at the Association of Certified Anti-Money Laundering Specialists. (Curry spoke at an ACAMS conference.)

Soon after Curry took the helm of the Office of the Comptroller of the Currency in 2012, the agency took heat for weak enforcement in the face of serious BSA problems at HSBC, which preceded his appointment. The OCC moved to include AML programs among factors determining a large bank's "management" rating in supervisory exams, which it had already done for midsize banks.

In both an earlier November speech and the March 17 ACAMS address, Curry said while banks are showing progress in raising the profile of BSA compliance, one of the causes behind some AML programs showing cracks is management not committing enough resources. He told the ACAMS audience that compliance failures stemming from "collective decision making" make it difficult to hold appropriate parties accountable.

"That has to be changed. Management at large banks needs to eliminate these accreted compliance weaknesses so that institutional structural flaws do not become an excuse for a lack of accountability," he said. "Where there has been a serious breakdown in BSA compliance as a result of a conscious decision not to commit the requisite resources and expertise necessary to maintain a program that meets the requirements of the law, someone has to be accountable."

Whereas "lines of responsibility are usually crystal clear at community banks," Curry said, those lines are "much less clear and... often blurred" at big banks.

"The question I would pose from a risk management and corporate governance standpoint is whether it's time to require large complex banks to establish clear lines of accountability that make it possible to hold senior executives responsible for serious compliance breakdowns that lead to BSA program violations," he said.

"I am not talking about criminal responsibility which is solely the responsibility of law enforcement. Rather, the question I am asking is this: shouldn't we, as bank supervisors, demand that institutions designate and hold senior managers responsible for BSA risk management just as they would for any other activity or line of business?"

Some observers said an increased focus on individual accountability should distinguish between discrete BSA violations — which may result from excusable errors or the mistakes of a single employee — and assigning responsibility for deficiencies in the AML program as a whole.

"To the extent that people are failing to implement adequate programs, then accountability is fair. But going past the line of holding them responsible for that to holding them liable for specific events may be going too far," said Kevin Petrasic, a partner at Paul Hastings. "Where do you draw the line?"

Indeed, Curry sounded sympathetic to instances where AML incidents occurred because of isolated circumstances.

Increased accountability in the corporate suite "doesn't mean that a senior executive in New York, for example, should be held responsible if an account officer in South America decides to turn a blind eye to suspicious transactions," Curry said at the ACAMS conference. "And it doesn't mean penalizing honest mistakes or errors in judgment or even minor failures in compliance."

He noted encouraging steps by some large banks to elevate the focus on BSA compliance.

"Some of our largest banks are increasing spending by significant amounts and adding substantial numbers of employees to this critical area," Curry said. "We are still validating results, but on their face, some of the commitments and improvements we are seeing are truly impressive."

L. Richard Fischer, a partner at Morrison Foerster, said focusing accountability on executives and board members above the level of the BSA compliance officer is a simpler proposition at a community bank than a larger institution.

"The concept doesn't bother me at all. The problem is in the execution," Fischer said, adding that Curry "speaks as if he's focusing on community banks where it's possible for the leadership of banks to have their fingers on the pulse of everything the bank is doing.

"Frankly, that's just impossible," at a big bank.

But others said the corporate culture at large U.S. companies tends to shy away from individual accountability, compared to smaller firms or in other nations.

"It is done for the smaller institutions, where regulators demand specific compliance officers be fired.... There needs to be more aggressive accountability to the level of removing specific officers or directors at the bigger banks," McDonald said.

Micah Willbrand, the global director for risk at Accuity, said just like universities tend to be held accountable for violations of athletics rules — instead of the head coach — the same is true at U.S. corporations. He noted the extended time lapse between data breaches or AML incidents at companies and when corporate officers blamed for the mishaps left the firm.

"In the U.S., we tend to want to focus on the corporate entity, rather than the individual.... I think it's an attitude within corporate culture that there needs to be a level of accountability — that the CEO will hold people accountable," Willbrand said. "It took HSBC nearly a year to fire their chief compliance officer after the fine was handed down, whereas in South Korea when there was a data breach at the same level of Target for South Korea, you had five chief information officers for banks to step down the next day because it happened on their watch."

But Byrne said regulatory enforcement that gives an institution as a whole a black eye can be sufficient.

"I don't agree that enforcement actions that show collective liability are inadequate," he said. "Reputation risk is a real byproduct of these compliance violations. Many if not most institutions take that very, very seriously."

Yet he added that Curry's urging of boards and senior level directors to prioritize a bank's BSA compliance program may help provide support to the lower level compliance officers who are carrying out the program.

"That helps us back at our institutions to hear the comptroller say, 'We need more support for what we're doing,'" Byrne said. "Boards need to take more responsibility, and I'm hearing anecdotally there is much more board training and time devoted to this part of the board meeting where AML compliance is discussed."
