Using BSA Hot Topics to Strengthen Your BSA Program in 2020

Terri Luttrell, CAMS-Audit
December 30, 2019
Read Time: min

Looking back to strengthen your BSA program

The decade is quickly coming to an end, so as we put 2019 in our rear-view mirror, it’s time for a fresh start with the new year and new decade approaching. Regulatory hot topics and exam findings from 2019 give us a good road map for 2020 exam preparation. Financial institutions can learn from past exam experiences from other institutions as well as their own, both positive and not so great. Exam findings and consent orders can become positive experiences by using the data to enhance your institution’s BSA program and improve the results of your next exam. After all, regulatory scrutiny for money laundering and financial crimes is most likely not going to be deregulated any time soon.


In a recent 
Abrigo webinar presentation by John Geiringer, partner at the law firm Barrack Ferrazzano, John recapped exam findings and consent orders from 2019. He suggests using this data to reverse engineer your exam experience for 2020 and start the year on a proactive note. Let’s recap the lessons learned from last year and discuss ways that your institution can prepare for its next exam.

Creating a Culture of Compliance

One of the more important takeaways from 2019 is that all institutions, regardless of size or risk profile, must have a strong culture of compliance, as directed by FinCEN’s advisory in 2014. Even though this advisory was issued several years ago, it is still being cited in exam findings. The advisory states that financial institutions with a poor culture of compliance are likely to have shortcomings in their BSA/AML program. It is critical for leadership and the Board of Directors to be engaged in all areas of the institution, including compliance with the BSA. Their commitment should be visible within the organization, and if it is not, regulators will take notice. This is a must-have risk management concept.

Avoid Conflicts of Interest Between Profits and Compliance

The advisory further states that revenue interests should not compromise compliance. While all financial institutions are driven by revenue, compliance with regulatory requirements must go hand in hand with business interests. Enforcement actions can lead to cease and desist of any mergers or acquisitions, new branches, and in some cases no lending or other growth avenues. These actions are public, so the reputational and strategic risks are real. Yes, BSA is a heavy cost center, but the cost to comply is much less expensive than a regulatory civil money penalty. BSA compliance must be right-sized to fit each institution and its evolving risk.

Ensure There Are Adequate Resources

Another aspect of this advisory is that leadership should provide adequate human and technological resources. This includes a qualified, experienced BSA officer that has sufficient authority to administer the BSA program. Also, the failure to devote enough staff for proper BSA compliance may lead to systemic failures. Failure to provide funds for up-to-date technology may lead to missing critical suspicious activity, which is the core of the BSA. BSA officers should be confident in their position and ready to share this advisory with leadership and the Board if the institution is at risk.

Are you proactively monitoring the Dark Web to better protect against fraud?
Learn more

Have Proper Internal Controls

Other common 2019 exam findings include a lack of adequate internal controls. This may consist of an internal audit function that must be autonomous of the compliance function, preferable reporting to the Board or a committee of the Board. If you use internal staff, be sure they are adequately trained to perform the compliance functions that they are auditing.

Internal controls could also refer to an audit function outsourced to an independent third party that must be experienced in BSA. One final piece of internal controls frequently cited is lack of a quality control (QC) function, the first line of defense. Larger institutions should have a formal QC process and staff accordingly, and smaller institutions should have a QC program including, at a minimum, a random sample check of the riskier functions of the division. This should all be documented in procedures and adhered to.

Some specific internal control common findings center around policies and procedures. These include that the policy and procedures are not:

  • Clearly written, not comprehensive, and not kept up to date
  • Organized and tailored to the unique risk of the institution (many were found to have been copied and pasted from other organizations found on the internet)
  • Useful to train others within the institution
  • Showing documented evidence of adherence to a QC program

Other common BSA findings

Other common 2019 findings include:

Suspicious Activity Monitoring & Reporting

  • Insufficient identification or alert of unusual activity – technology may be insufficient
  • No formal, documented SAR decision-making process (either an experienced approver or committee)
  • No documented escalation criteria for closing accounts and/or notifying law enforcement
  • For continuing SARs, the review did not encompass the entire relationship
  • Not all transaction types were monitored either manually or by AML software
  • Reports/alerts not reviewed within a reasonable timeframe (timeframe should be documented in procedures); alerts should have secondary reviews (or a QC sampling of such)
  • Documentation not including the date of review and date of determination of filing a SAR or a no-file determination
  • Deficient narrative – insufficient detail and does not tell the story of the suspicious activity; watch for banking acronyms that the reader may not understand
  • No-file documentation not thorough; should be as robust as a SAR narrative
  • Untimely filing of SARs
  • Lack of continued SAR filing when suspicious activity is still occurring
  • Disclosing SAR information (watch out for M & A requests, cannot disclose during due diligence)

Independent Testing

  • BSA Officers were involved in the audit process; must be autonomous and only comment, correct, and track findings
  • Level of scope of testing insufficient; must be right-sized based on institution risk and dive down into true transaction testing
  • Automated system not properly optimized or incoming source data incomplete
  • No succession planning for the BSA Officer

Training

  • Better Board of Director training needed – should be in person; the Board has the fiduciary responsibility for the institution and needs to understand BSA to be charged with oversight and the culture of compliance
  • Updated annual training needed – not the same computer-based training every year; needs to be refreshed to add new threats and innovative products/services
  • Should include policies & procedures for certain lines of business
  • Should be documented with types of training and which individuals received training; if it is not documented it didn’t happen

Customer Due Diligence (CDD) and Enhanced Due Diligence (EDD)

  • Onboarding deficiencies – all customers must be risk-rated at account opening by truly assessing the risks (this is one of the most common findings)
  • Not gathering expected customer activity at account opening and understanding the customer’s expected transactional patterns
  • No policy on account opening refusal
  • Insufficient and/or infrequent monitoring of higher risk accounts
  • Written procedures should be risk-based; what type of EDD should be conducted on various customers such as cash-intensive businesses, PEPs, MRBs, MSBs, etc.
  • Procedures should include how often EDD reviews will be performed for moderate risk customers and high-risk customers
  • No explicit formalized CDD requirements for beneficial owners
  • Unreliable risk rating and inability to detect suspicious activity within higher-risk accounts
  • Not able to determine whether the actual activity is reasonable for customer/line of business
  • Unusual activity or variance from expected activity is not properly analyzed and is not reasonably explained
  • EDD review did not encompass related accounts; it must review the entire customer relationship
  • EDD review did not have thorough documentation with supporting evidence

OFAC

  • Insufficient OFAC risk assessment; this can be part of your overall BSA risk assessment or separate, but must be thorough enough to identify your institution’s overall OFAC risk
  • No formal assessment of interdiction systems for sensitive rates (i.e., fuzzy logic)
  • Violations discovered that were not self-disclosed – self-disclosure can lessen OFAC penalties significantly
  • OFAC scanning should be conducted on entities where an OFAC subject has a 50% or greater interest in the entity

Pillar violations carry more weight

While this list is extensive, it still only covers the more common findings from 2019. Many of these are pillar violations in the form of deficiencies. As a reminder, the five pillars of BSA are:

  • Internal Controls
  • Designation of a BSA/AML Officer
  • Training
  • Independent Testing
  • Customer Due Diligence

When regulatory findings encompass a pillar violation, the nature and seriousness increase significantly. Examiners have a statutory barrier when it comes to pillar violation flexibility, and enforcement actions are common.

Staying in the practice of reading published enforcement actions and remaining proactive will assist in keeping your institution out of the headlines. As a BSA professional, keep your guard up and be mindful of trends, and you’ll remain prepared for your next exam. Abrigo wishes you and your institution a very fruitful but cautious 2020!

About the Author

Terri Luttrell, CAMS-Audit

Terri Luttrell is a seasoned AML professional and former director and AML/OFAC officer with over 20 years in the banking industry, working both in medium and large community and commercial banks ranging from $2 billion to $330 billion in asset size. She has successfully worked with institutions in developing BSA/OFAC programs, optimizing various automated solutions, and streamlining processes while ensuring all regulatory requirements are met. As the Compliance and Engagement Director at Abrigo, Terri provides insights that contribute and support long-term banking strategies based on analysis of market and industry trends, competitor developments, and financial and regulatory technology changes. She is an audit-certified anti-money laundering specialist and a board member of the Central Texas chapter of the Association of Certified Anti-Money Laundering Specialists (ACAMS). Terri earned her bachelor’s degree in business administration, specializing in business and finance, from the University of North Texas.

Full Bio

About Abrigo

Abrigo is a leading technology provider of compliance, credit risk, and lending solutions that community financial institutions use to manage risk and drive growth. Our software automates key processes — from anti-money laundering to fraud detection to lending solutions — empowering our customers by addressing their Enterprise Risk Management needs.

Make Big Things Happen.

 

Looking for Banker’s Toolbox? You are in the Right Place!

Banker’s Toolbox is now Abrigo, giving you a single source for all your enterprise risk management needs. Use the login button here, or the link in the top navigation, to log in to Banker’s Toolbox Community Online.

Make yourself at home!