Capping BSA Alerts Based On Your Staff Can Result In Violations
Most every BSA officer (and his/her staff) at one time or another has struggled with what seemed like an insurmountable number of alerts, all of which must be investigated in a timely manner. Not only is timeliness expected, but also quality investigations and an internal quality assurance program. This can all equate to several man hours, regardless of the size and risk profile of your institution.
On February 15, 2018, FinCEN issued a $185 million civil money penalty (CMP) against U.S. Bank for “willfully violating the Bank Secrecy Act”. One of the primary violations uncovered was that “U.S. Bank chose to manipulate their AML software to cap the number of suspicious activity alerts, rather than increasing staffing to comply with anti-money laundering laws in a timely manner."
As BSA professionals know, the FFIEC Exam Manual states that “suspicious activity reporting forms the cornerstone of the BSA reporting system. It is critical to the United States' ability to utilize financial information to combat terrorism, terrorist financing, money laundering, and other financial crimes.” Now THAT is a strong statement. It is also an indication that all financial institutions' suspicious activity programs will be carefully scrutinized by regulators during an exam, and any deficiencies will be serious. This means that just because you may be short staffed, you should not determine how many alerts should generate based on the staffing number your budget allows. Remember, regulators care nothing about your institution’s budget when it comes to compliance.
TIP: It might be a good idea to share a copy of U.S. Bank’s assessment with your executive team and board if you do not currently have a top down approach to compliance. It also might help you get the tools and resources you need when budget time rolls around.
Staffing requirements to ensure a strong BSA program can be costly. Therefore, it is crucial that the number of false positive alerts you are receiving are minimized. Your AML monitoring system should be optimized on a risk based approach and reviewed on a periodic basis. This means each parameter setting must be set based on a documented methodology, with appropriate testing, to ensure suspicious activity is not missed.