BankThink

Anti-Money-Laundering Enforcement Gets Tougher and Smarter

Recent Bank Secrecy Act and anti-money-laundering enforcement actions show a more risk-based, rather than rules-based, approach, along with an emphasis on accountability for senior managers and board members.

As the recent AML hearings involving HSBC demonstrate, there is a growing expectation that individuals, not just institutions, will be held accountable for lapses. The Office of the Comptroller of the Currency's 2012 enforcement actions seem to anticipate that expectation and lay a foundation for greater scrutiny of the role of managers and board members in future AML shortcomings.

In the first six months of 2012, the OCC, Federal Reserve Board, and Federal Deposit Insurance Corp. brought at least 16 enforcement actions that included BSA/AML violations.  These include the well-publicized actions against Citibank and Commerzbank, but also several other actions that included BSA/AML violations alone or in conjunction with other safety and soundness violations.

Instead of requiring expensive reviews of extended periods of time for a broad range of potential suspicious activity, the latest enforcement actions emphasize a risk-based approach to AML compliance, with several of the actions requiring a risk assessment or enhancements to an existing assessment. Some actions not only direct the institution to follow the guidance in the Federal Financial Institutions Examination Council manual, but go further to specify additional requirements such as "a detailed analysis of all pertinent data obtained regarding the specific risk categories."

The level of specificity required is noteworthy and includes, among other things, detail on the volumes and types of transactions and services by country or geographic location as well as detail on the numbers of customers that typically pose higher BSA/AML risk.  The actions also require a more holistic approach, requiring the results of the bank's Customer Identification Program and Customer Due Diligence program to be integrated in the risk assessment.

The actions also show greater regulatory flexibility in the design and conduct of look-backs, or reviews of past practices. Where the OCC required look-backs, it asked for risk-based, targeted reviews, rather than comprehensive look-backs that were sometimes found in earlier enforcement actions.  The recent actions either specify a shorter look-back period than has been specified in the past or, in the case of the Citibank action, no explicitly specified period, subject to the ability of the regulator to expand the look-back depending on the results of the more limited period. 

Also, the OCC actions allowed the institutions to conduct the review themselves and either do not explicitly mention an independent consultant or limit the role of the independent consultant to "supervising and certifying" the look-back.  This is a change from prior practice whereby the actions typically required that the bank hire an independent consultant to conduct the look-back.  Now, institutions may choose to conduct the reviews themselves, possibly out of a belief that they can do the review cheaper and better than an independent consultant can.   Whether this will be true remains to be seen.

The Fed, in its action against Commerzbank requiring a look-back, also showed some flexibility. The regulator required only a targeted review of currency transaction reports (required for transactions above $10,000) and bulk cash transactions.  However, the review period (nearly 16 months) was longer than that specified in the OCC actions, and the Fed did not explicitly allow for a two-step approach to the review in which the institution looks first at a narrower time period and reports the results to the regulators, which then decide whether a second, expanded review is necessary. The Fed also required that an independent consultant conduct the bulk cash transaction review. Of course, the terms of any one enforcement action can depend heavily on the facts of a particular situation, so the differences described here may not necessarily indicate a difference in regulatory approach to look-backs.

Greater board accountability is a theme running through many of the AML enforcement actions.  Continuing a requirement begun in earlier years, the 2012 actions call for a board-level compliance committee consisting primarily of independent directors.  Regulators would likely take a dim view of board performance if a financial institution failed to keep its obligations under the enforcement action or later had repeat issues of the same type that led to the action.  The board-level compliance committees, therefore, seem to be a precursor to greater board accountability.

The Citibank action included not only a board-level compliance committee, but also a section, or "article," on "Management and Accountability." This article lays out requirements relating to the role and responsibility of the compliance function, but it does not stop there. The article specifies requirements relating to the role of senior management and line of business management, underscoring that such managers play a critical role as the first line of defense. The action requires that BSA and Office of Foreign Assets Control compliance be "incorporate[d] … into the performance evaluation process for senior and line of business management."

It seems likely that regulators will increasingly expect other institutions to incorporate BSA and OFAC compliance into the performance expectations of senior line-of-business management.  If so, compensation "clawbacks" and, possibly, increased regulatory action against individuals for BSA and OFAC compliance failures might not be far behind.

Michael Dawson is a managing director at Promontory Financial Group and coordinator of its global compliance practice, which includes AML, sanctions, and mortgage foreclosures. He served in the George W. Bush administration as Deputy Assistant Secretary of the Treasury for Critical Infrastructure Protection and Compliance Policy.
