The Expanded Expectations of Corporate Governance in BSA/AML
and the Impact on the Audit Function
Kathe M. Dunne, CAMS, AAP
KMD Consulting Solutions
March 2014
Table of Contents
I. Executive Summary
II. Background
III. History of Governance of BSA/AML by the FFIEC
IV. Regulatory Actions against Financial Institutions
A. Banesco USA - FDIC-13-166b
B. Citibank, N.A. – OCC AA-EC-12-18
C. Recap of Order Elements
V. Department of Treasury and Congressional Actions
A. Regulatory Agencies
B. United States Congress
VI. A Proposed Methodology for Auditing BSA Governance
A. How to Review Governance in a BSA/AML Program
1. Potential Elements for Review
2. Optional Scoring of the Elements
B. 10 Elements of BSA/AML Governance - Review Table
VII. Conclusion
Bibliography
I. Executive Summary
Most financial industry observers and participants agree that regulatory review of the Bank
Secrecy Act/anti-money laundering (BSA/AML) compliance function in depository financial
institutions increased significantly immediately following the passage of the USA PATRIOT
Act in 2001. It took several years for specific regulatory guidance to catch up to the law in
the form of the Federal Financial Institutions Examination Council (FFIEC) BSA/AML
Examination Manual. Until recently, depository financial institutions have done reasonably
well auditing the BSA/AML program using this manual as a primary reference.
Significant and blatant BSA/AML violations have been discovered over the past three years
(e.g., the masking of certain transactions and the rerouting of payments to prevent
detection) that resulted in an uproar in the public sector calling for action on the part of the
government. The public wants to know “Who is to blame?” and “Who will pay?” for these
infractions. These significant violations have resulted in large fines for the involved
institutions, but with limited accountability assigned to the management of the institutions.
Congress is now hearing testimony from other government agencies including the Financial
Crimes Enforcement Network (FinCEN) and the Office of the Comptroller of the Currency
(OCC) regarding the enforcement of and violations of the BSA. Several things have been
made clear through this process:
• In the past, financial institutions that were assessed civil money penalties by
  FinCEN were permitted to consent to the assessment “without admitting or
  denying” the alleged facts; this is no longer permitted.1
• Jennifer Shasky Calvery, named as the new director of FinCEN in September 2012,
  has proceeded very aggressively to address responsibility and accountability issues
  within the financial institution environment as it relates to BSA/AML.
• In Senate testimony, FinCEN indicated that it would more often obtain injunctions
  against individuals who violate the BSA and fine banks and their partners, directors,
  officers and employees.2
• Business decisions for budgeting or line of business concerns should no longer be
  viewed by the board of directors as viable options when it concerns BSA/AML
  compliance matters.3
1 Remarks of Jennifer Shasky Calvery, Director FinCEN, ABA/ABA Money Laundering Enforcement Conference (11/19/2013)
2 Statement made by David Cohen, the head of the Treasury Department’s Terrorism and Financial Intelligence office, in written
testimony to the Senate Banking Committee.
3 Testimony of the Office of the Comptroller of the Currency before Committee on Banking, Housing, & Urban Affairs
of the U.S. Senate (3/7/2013)
Actions within the regulatory agencies, FinCEN, and the Congress have made it very clear
that the board of directors and the senior management of financial institutions need to take
control and responsibility of the BSA/AML functions within their institutions or specific
BSA/AML actions will be dictated to them.
The governance of the BSA/AML function in a financial institution identifies the level of
control and responsibility the board of directors and senior management has defined and
assigned throughout the institution as it relates to the BSA. Like other BSA/AML program
elements, the effectiveness of governance should be audited, but with what criteria? And
how should auditors measure those criteria?
This paper proposes governance criteria and methodology for the measurement of the
criteria. This research is intended to help financial institutions to adequately prepare and
protect not only their institutions, but their board of directors, senior management, and
employees from civil and possible criminal action.
II. Background
In the past several years, failures of the BSA/AML programs of several large domestic and
international financial institutions have changed the regulatory landscape for all U.S.
depository and non-depository financial institutions regardless of size. Arguably, most or all
of these reflect a failure of the board or senior management to establish a tone of
compliance that permeates the institution.
The identification of significant gaps in monitoring programs, identification of the processing
of non-allowable transactions and failures to identify and halt money laundering through
these institutions has resulted in an uproar in the public sector. Coming on the heels of the
“too big to fail” banking crisis of 2008–2009 where many large institutions were funded with
taxpayers' money, it is disturbing to the populace that these same institutions may be
funding terrorist organizations through money laundering schemes using their institutions.
The U.S. Congress began to review these situations in detail in 2012 through various
testimony regarding the actions of specific financial institutions as well as testimony by the
OCC. The OCC provided significant testimony before the Committee of Homeland Security
and Governmental Affairs in 2012 regarding the “role the OCC—and the other financial
institution regulators—play in examining financial institutions for compliance in this [BSA]
area.”
Regulatory exams, once a fairly private concern between an institution and its regulators,
became part of national news; regulators were being criticized publicly by the Congress,
news media, and the citizens of the U.S. The question that appeared to be at the forefront
was “Who is to blame?”
These factors came together and resulted in reports of the regulatory agencies stepping up
the depth of their BSA/AML audits/reviews in many areas but significantly in the area of the
governance of the BSA/AML function within financial institutions.
In 2013, when the Department of Justice (DOJ) deemed the management of the largest
institutions “Too Big to Jail” for BSA/AML infractions, it brought the issue to the forefront
once again resulting in a proposed bill in Congress regarding criminal penalties for financial
institution executives.
It has become increasingly important for financial institutions to clearly understand the
heightened expectations surrounding the governance of the BSA/AML function.
The objective of this white paper is to:
• Review the history of the governance of the BSA/AML function in depository financial
  institutions based upon regulatory guidance;
• Extrapolate and present data from consent orders (OCC, FDIC, Federal Reserve
  Bank) regarding the expectations concerning governance;
• Review Congressional testimony and actions that can impact future institutional
  plans; and
• Propose one methodology for auditing the effectiveness of the governance of the
  BSA/AML function within a depository financial institution.
III. History of Governance of BSA/AML by the FFIEC
The BSA/AML Examination Manual published by the Federal Financial Institutions
Examination Council (FFIEC) provides some guidance on expectations of BSA/AML
governance in financial institutions. This has evolved over various versions of the manual:
The most recent version of the FFIEC manual provides a defining statement regarding
governance:
“The board of directors is responsible for
approving the BSA/AML compliance
program and for overseeing the structure
and management of the bank’s BSA/AML
compliance function. The board is
responsible for setting an appropriate
culture of BSA/AML compliance,
establishing clear policies regarding the
management of key BSA/AML risks, and
ensuring that these policies are adhered to
in practice.”4
The newest statements regarding governance represent a significant expansion over previous
versions and address some key areas not mentioned previously, as noted below. Since 2012,
this expansion has been actively used in regulatory audits for BSA/AML compliance.
The board should ensure that:
1. Senior management is fully qualified and properly motivated to manage the
BSA/AML compliance risks;
2. Compliance personnel are sufficiently independent and have authority and status to
conduct their jobs;
3. There are appropriate resources to conduct compliance activities; and
4. Senior Management establishes incentives, compensation and goals tied to
BSA/AML compliance objectives.
4 Federal Financial Institutions Examination Council (FFIEC) BSA/AML Examination Manual (2010) p.163
“Senior management is responsible for communicating and reinforcing the BSA/AML
compliance culture established by the board, and implementing and enforcing the
board-approved BSA/AML compliance program.”
FFIEC BSA/AML Examination Manual

“The board also should ensure that senior management has established appropriate
incentives to integrate BSA/AML compliance objectives into management goals and
compensation structure across the organization…”
FFIEC BSA/AML Examination Manual
IV. Regulatory Actions against Financial Institutions
How have these regulatory expectations as evidenced in the FFIEC Examination Manual
translated to regulatory actions?
Many of the major actions in 2012 and 2013 against financial institutions have discussed
governance of the BSA/AML function as a factor in the action. In some cases, the regulatory
authority has been very detailed regarding the requirements it is imposing on the board of
directors and senior management within the institution. In all of these cases, however, they
are calling out the boards of directors and senior management for failing to prevent the BSA
problems their institutions are experiencing and requiring specific corrective actions.
So, let us take a look at two specific enforcement actions: one FDIC-regulated and one
OCC-regulated.
A. Banesco USA - FDIC-13-166b
Banesco USA, an $850 million U.S.-based subsidiary of an international bank, was issued a
consent order by the FDIC in November of 2013 based solely on their BSA violations. The
order made clear that the FDIC regulators were not satisfied with the involvement of the
board of directors or senior management in the BSA program and had very specific
requirements for each aspect of the program, including many elements of governance.
The order contained some very specific language regarding the actions regulators were
requiring of the institution in order to comply.
The FDIC goes as far as to require the board to meet on an approved schedule with specific
items to review as well as to require the bank to assess their staff abilities, experience and
qualifications to perform BSA duties.
B. Citibank, N.A. – OCC AA-EC-12-18
The Citibank, N.A. consent order issued on April 5, 2012 has been much more publicized
and may be familiar to the reader. This cease and desist order, issued by the OCC,
addresses BSA/AML specifically and covers about 50 BSA compliance issues.
For the purposes of this document, we will address many of the items related to governance
that the OCC included in a section they titled “Management and Accountability,”5 the first
time this section has been seen in an order by the author.
C. Recap of Order Elements
5 Citibank, N.A., OCC Consent Order AA-EC-12-18 (4/5/2012) p.7
Orders Regarding Board Participation:
1. Board will increase its participation in the affairs of the bank, assuming full
responsibility for the approval of sound policies and objectives and for the
supervision of all of the bank's activities including BSA risk rating, BSA staffing, BSA
training, BSA compliance (Banesco USA).6
2. The bank will develop procedures for informing management and the board of any
suspicious or high risk activities conducted internally by the bank and by bank
customers (Banesco USA).7
3. The board will incorporate BSA and Office of Foreign Assets Control (OFAC)
compliance into the performance evaluation process for both senior management
and line of business management. These processes will likely move downstream to
employee positions below senior managers and line of business managers (Citibank,
N.A.).
Orders Regarding Staffing:
4. Board will designate a qualified officer responsible for managing, coordinating, and
monitoring the bank's BSA Compliance Plan (BSA Officer) (Banesco USA).8
5. Board will analyze and assess the bank's staffing needs to determine the appropriate
number of qualified staff for the bank's BSA Department (Banesco USA).9
Orders Regarding Staff Competency, Authority, and Accountability:
6. Clear lines of authority and responsibility have been established for BSA/AML
compliance (Citibank, N.A.).
7. Compliance management is competent, independent and dedicated on a full-time
basis (Citibank, N.A.).
8. An appropriate level of authority has been provided to the compliance staff to
implement the BSA/AML compliance program (Citibank, N.A.).
9. Compliance staff will be given the authority to question account relationships and
business plans (Citibank, N.A.).
10. Compliance staff will operate independently from the business lines, and not be
subject to any form of evaluation or performance input from the business lines
(Citibank, N.A.).
6 Banesco USA, FDIC Consent Order FDIC-13-166b OFR 1007 -FI-13 (11/22/2013) p.2
7 Banesco USA, FDIC Consent Order FDIC-13-166b OFR 1007 -FI-13 (11/22/2013) p.2
8 Banesco USA, FDIC Consent Order FDIC-13-166b OFR 1007 -FI-13 (11/22/2013) p.11-12
9 Banesco USA, FDIC Consent Order FDIC-13-166b OFR 1007 -FI-13 (11/22/2013) p.11
11. Bank will hold senior management and line of business management accountable for
effectively implementing bank policies and procedures, and fulfilling BSA/AML and
OFAC obligations (Citibank, N.A.).
12. The Bank will develop appropriate objectives and means to measure the
effectiveness of compliance management officers and compliance management
personnel within each line of business and for those with responsibilities across lines
of business (Citibank, N.A.).
Orders Regarding Policy and Procedure:
13. Written bank policies and procedures will be developed or modified to clearly outline
the BSA/AML and OFAC responsibilities of senior management, and relevant
business line employees, including, but not limited to, relationship managers, foreign
correspondent banking personnel, private banking staff, and business development
staff (Citibank, N.A.) (Banesco USA).10
These consent orders set the regulatory expectations higher than seen previously in
consent orders. It appears from the way these items are addressed that there are issues to
be addressed regarding the actions, responsibilities, and accountability of the board of
directors, senior management and business line management. There has been concern
voiced within the industry regarding some of these items particularly as they pertain to
measurement and evaluation criteria that may impact compensation.
10 Banesco USA, FDIC Consent Order FDIC-13-166b OFR 1007 -FI-13 (11/22/2013) p.4
V. Department of Treasury and Congressional Actions
Many of the major BSA/AML enforcement actions in 2012 and in the first half of 2013 have
cited the lack of effective corporate governance as an issue. As discussed in the previous
section, this element was called out more specifically in orders starting in 2012 than in
orders in previous years. In consent orders reviewed by this author, very few orders prior to
2012 mentioned governance other than to recap the generic responsibilities of the board of
directors.
Additionally, while the DOJ deemed the management of the largest institutions “Too Big to
Jail,” the Department of Treasury and the Congress have been addressing this issue of the
responsibility and accountability in governance differently.
Specific references to each of the major enforcement areas are addressed below.
A. Regulatory Agencies
The regulatory agencies have been the recipients of much of the public criticism regarding
BSA/AML compliance. In particular, it appears that the OCC has come under the greatest
media scrutiny likely due to their authority over the largest BSA depository financial
institution offenders in recent history.
The scrutiny has extended to Congress, probably for the same reason. Within the past 18
months, the OCC was called to publicly testify before two committees of the U.S. Senate
on matters related to BSA. Although a broad range of topics were covered in the testimony
of Comptroller Curry to the Senate Banking Committee on March 7, 2013, the compliance
issues related to the governance of BSA in financial institutions are of the greatest interest.
Comptroller Curry gave the following items as requirements that appeared in OCC
enforcement actions and that he envisioned would appear in the future guidance.11
1. A designated BSA officer with sufficient knowledge, funding, authority,
independence, compensation, and supporting staff to perform his or her assigned
responsibilities and maintain effective compliance with the BSA and its implementing
regulations.
2. An effective governance structure to allow the BSA officer and the compliance
function to administer the program independently by reporting directly to the board of
directors, or a committee thereof, with clear lines of responsibility beginning with
senior management and including each line of business that is required to comply
with the BSA.
11 Thomas J. Curry, “Testimony of the Office of the Comptroller of the Currency before Committee on Banking, Housing, & Urban
Affairs of the U.S. Senate” (3/7/2013) p.11
3. Clearly defined channels for informing the board of directors, or a committee thereof,
and senior management, of compliance initiatives, compliance risks, new product
development, identified compliance deficiencies, and corrective actions undertaken.
4. Compliance staff with the appropriate level of authority and independence to
implement the BSA/AML compliance program and, as needed, question account
relationships, new products and services
and business plans.
5. Policies and procedures that clearly outline
the BSA/AML responsibilities of senior
management and relevant business line
employees, and that hold senior
management and line of business
management accountable for effectively
implementing bank policies and
procedures, and fulfilling BSA/AML
obligations.
6. A well-defined succession plan for
ensuring the program’s continuity despite
changes in management, staffing, or
structure, and policies and procedures to
ensure that problems with excessive
turnover of compliance staff or the BSA
officer function are identified and
appropriately addressed by the board.
7. Policies and procedures to ensure that the
bank’s risk profile is periodically updated to
reflect higher risk banking operations (products, services, customers, entities, and
geographic locations) and new products and services.
8. An enterprise-wide management information system that provides reports and
feedback that enables management to more effectively identify, monitor, and
manage the organization’s BSA risk on a timely basis.
9. A strong BSA/AML audit function that ensures that identified deficiencies are
promptly addressed and corrected.
Although the above items are not part of official regulatory guidance, they are, in part,
already incorporated into the FFIEC BSA/AML Examination Manual.
In an update on OCC actions, Comptroller Curry recently commented on regulatory
guidance of BSA/AML governance and indicated that “the agency would push for the
changes during bank examinations rather than through regulations or guidance.”12 Lacking
official guidance, the regulatory agencies will review these issues using their own
interpretation during examinations.

OCC Testimony
“Some recent cases have involved the lack of strong corporate governance principles
necessary to create a “culture of compliance” within the organization. These cases
reflected an imbalance in both the independence of the compliance function and
organizational incentives that emphasized revenues and growth over balanced risk
management.”
Thomas J. Curry
Comptroller of the Currency
March 7, 2013
B. United States Congress
The Holding Individuals Accountable and Deterring Money Laundering Act introduced on
October 12, 2013 in the U.S. House of Representatives, amends provisions of the BSA of
1970 relating to money laundering violations. There are many provisions to this act, but the
following impact the subject of this research.13
• Significantly increases civil monetary penalties for both institutions and individuals for
  willful and negligent violations of the BSA.
• Strengthens the range of civil powers available to regulators to sanction individuals,
  including fines for which the individual would be held personally liable and greater
  authority to remove and ban bad actors from the industry.
• Requires new corporate governance standards to create direct lines of access to
  the board for the heads of compliance and establishes direct lines of legal
  responsibility for board members and top executives for BSA violations, including
  any officers or employees who are in a position responsible for materially affecting
  compliance.
12 Remarks of Thomas J. Curry, Comptroller of the Currency, ACAMS 19th Annual International AML and Financial Crime
Conference (3/17/2014)
13 See Proposed Legislation - H.R.3317 Holding Individuals Accountable and Deterring Money Laundering Act (10/24/2013)
VI. A Proposed Methodology for Auditing BSA Governance
Governance of the BSA/AML program within financial institutions has come to the
forefront and is positioned to remain there for the foreseeable future. As evidenced in
much of the testimony provided by
Comptroller Curry to the U.S. Senate
on March 7, 2013, several of the
problems with BSA compliance can be
attributed to “root causes” that are
considered matters of governance.
Curry also indicated that this is not just
a problem that is confined to large
financial institutions, but that “higher
risk products and customers have
migrated to community banks.”14 It
appears that these issues will be
looked at for each institution
regardless of size and regulatory
authority.
Curry also reported to the Senate
Banking Committee that “banks have
inappropriately reduced staffing and
resources in the BSA area due to
austerity programs initiated during the
financial crisis. In other cases, banks’ compliance department staff and expertise have
failed to keep pace with the growth of the institution.”15
The items of governance previously discussed in this paper should first be addressed in
an institution’s BSA risk assessment and then incorporated appropriately into official
board-approved policy, followed by inclusion into BSA/AML procedures and reporting.
All of the elements of governance discussed throughout have been extrapolated and
incorporated into this proposed methodology for auditing BSA governance.
14 Thomas J. Curry, “Testimony of the Office of the Comptroller of the Currency before Committee on Banking, Housing, & Urban
Affairs of the U.S. Senate” (3/7/2013) p.4
15 Thomas J. Curry, “Testimony of the Office of the Comptroller of the Currency before Committee on Banking, Housing, & Urban
Affairs of the U.S. Senate” (3/7/2013) p.3
“Many of the practical problems we have seen in recent years with respect to BSA
compliance can be attributed to four root causes:
i. culture of compliance within the organization,
ii. commitment of sufficient and expert resources,
iii. strength of information technology and monitoring processes,
iv. sound risk management.”
Thomas J. Curry
Comptroller of the Currency
March 7, 2013
A. How to Review Governance in a BSA/AML Program
Governance should be viewed within financial institutions as a reviewable aspect of the
BSA/AML program. As such, it should be incorporated by audit staff (internal or external)
as part of an independent review.
How can this be accomplished? There are many audit models or formats for
independent reviews of BSA/AML programs, but most only cover minimal aspects of
governance. The elements are typically restricted to a review of board or committee
reporting, competency of the BSA staff, and a review of sufficient resources.
1. Potential Elements for Review
Elements of governance have not typically been measured quantitatively. The following
table provides 10 sets of qualitative criteria that can be used to evaluate an institution’s
overall success in governance within their BSA/AML program. Each element has been
broken down into three levels of compliance. The level of compliance by the institution
within these elements will allow the auditor to evaluate the overall compliance with
governance within the BSA/AML audit.
This methodology uses a similar method to that used by the FFIEC when assessing
levels of risk within an institution.16 Appendix J gives us potential “measurement” criteria.
Using the same methodology, instead of rating the element low/medium/high risk (as we
do for institution risk), we will be rating the governance elements as weak, satisfactory,
or strong.
A review of elements within the table will provide the auditor with a qualitative view of the
strength of the governance within the institution’s BSA/AML program.
2. Optional Scoring of the Elements
Some institutions and their auditors prefer to incorporate a quantitative scoring system
into any type of measurement. This is not an infrequent practice when using schedule J
within an institutional risk assessment. For those auditors that wish to incorporate a
scoring element, one recommendation is to assign point values based upon how the
institution is rated on each individual element.
Point Scoring
For example, with a point-based scoring scheme, one can total the assigned points in
each category to determine how the institution is performing overall regarding
governance. The most basic example:
Weak = 1 point
Satisfactory = 2 points
Strong = 3 points
16 See Appendix J in the FFIEC Examination Manual 2010
Using the above element scoring, totals for a “final” score in a 10-element audit could be
broken out as follows:
Total Points:
0-16 Points – Weak Program
17-26 Points – Satisfactory Program
27+ Points – Strong Program
Weighting
Another factor that is frequently used in quantitative scoring is the weighting of the
various elements so that the score properly reflects the risk within the institution.
For example, institutions in a big product development push may consider involvement
of the BSA staff in new product development (Element #1) of prime concern and
importance and deserving of a higher consideration when assigning an overall risk
“score” for governance. This element may be weighted 1.5 times or 2.0 times the weight
of other elements to make up the final score.
Keep in mind that weighted elements should reflect the institution’s risk as
well as their overall governance strategy.
B. 10 Elements of BSA/AML Governance - Review Table
Element Weak Satisfactory Strong
1
Involvement of BSA/AML staff in
new product development/
introduction
Little to no involvement; typically
brought into the discussion for
risk assessment when ready to
release product.
BSA department brought into the
implementation process for new
products. Involvement
documented in policy and
procedure.
BSA department approved
required in product decisions at
the start of the process.
Involvement documented in
policy and procedure.
2 Inclusion of governance in
institutional risk assessment
Standard elements - BSA officer
assignment and staff training
covered in risk assessment.
Standard elements plus reporting
structure, committees, staff
experience, education levels,
and responsibilities included in
risk assessment.
The entire previous plus
measurement of accountability
for senior management,
corporate goals for line units,
incorporation into
performance/compensation
structures.
3 Adequacy of BSA department
staff to perform duties required
Insufficient staff to perform
required functions.
Adequate staff to perform
required functions.
Staff available to perform optimal
compliance program along with
an available resources for
backup when needed.
4 Competency of BSA department
management staff
BSA management or key
personnel have not received
sufficient training in BSA/AML;
institution has not invested in
outside training or professional
certification for staff members.
BSA management and key
personnel have background in
BSA/AML; attend regular training
(outside the institution);
institution supports staff
members in obtaining or
maintaining professional
certifications.
Institution requires higher level
education for BSA department
managers / BSA officer.
Institution supports or requires
professional certifications.
5. BSA management empowered with an appropriate level of independence and authority to implement the compliance program
   Weak: Limited leadership role assumed outside the BSA department; pressure from other banking departments in evidence.
   Satisfactory: Flexibility permitted to the BSA department management to implement policies, procedures and the program as approved.
   Strong: Decision making authorities given to BSA management to question business relationships, close accounts, provide input to business plans.

6. Effective reporting structure for the BSA officer and compliance function by reporting directly to the board of directors or an assigned committee
   Weak: Reports to a line unit, audit department, or an operational area.
   Satisfactory: Reports to the board of directors through a committee authorized by the board of directors. Committee provides reports to the board, not the BSA officer.
   Strong: May report to the board of directors through a committee authorized by the board of directors or directly to the board. Presents reports, policies and procedures, directly to the board for discussion or approval.

7. Defined succession plan for key BSA/AML personnel ensuring the BSA program’s continuity if changes in management, staffing or structure occur
   Weak: Only standard succession plan in place for institution. No specific plan for BSA/AML (if you do not have a succession plan in place for your institution, score 0).
   Satisfactory: Defined backup plan for the BSA department should staffing problems occur as part of the BSA policy and procedure.
   Strong: Defined BSA succession plan for the institution’s risk management area should there be changes in senior BSA management or other key personnel.

8. Sufficient education of the BSA department staff in basic, advanced, and timely BSA topics
   Weak: Little education provided to department staff other than that scheduled for BSA minimum requirements.
   Satisfactory: Education provided in person or via webinar (in addition to basic yearly training) on advanced topics or new/timely BSA/AML material.
   Strong: BSA department staff provided with some onsite training with opportunities to attend industry conference training for seasoned staff.
9. Policies and procedures that clearly outline BSA/AML responsibilities of senior management and business line employees that hold these employees accountable for fulfilling BSA/AML obligations
   Weak: Policy regarding senior management and business line employee BSA responsibilities does not exist or is highly generic.
   Satisfactory: Policy is specific in that it contains responsibilities regarding each senior management area and line unit.
   Strong: Policy is specific in that it contains responsibilities regarding each senior management area and line unit. Line unit and senior management goals and compensation tied to meeting BSA obligations.

10. Policies and procedures to ensure that the BSA risk assessment is updated on an appropriate basis
   Weak: Policy regarding the BSA risk assessment update does not exist or is too generic (e.g., “as needed”).
   Satisfactory: Policy is specific in that it contains minimums (e.g., at least yearly).
   Strong: Policy is specific as noted previously and tracked by the secretary of the corporation for automatic review by the board of directors.
VII. Conclusion
BSA/AML compliance expectations have increased each year since the passage of the
USA PATRIOT Act and they are expected to continue to increase for the foreseeable
future. Additionally, the increased expectations of the larger depository financial
institutions are filtering down to both smaller depository financial institutions and
non-depository financial institutions at a rapid pace.
BSA/AML compliance can no longer be subject to business decisions by the board of
directors or budgeting decisions by operations or business line units.17 BSA/AML
compliance must be addressed by the board of directors and senior management as an
integral part of their overall responsibility and they must accept accountability for their
actions or lack of action.
The “tone at the top” (to quote Jennifer Shasky Calvery) can define how effectively an
organization will respond to regulatory requirements. The lack of a strong and supporting
“tone at the top” can provide significant challenges to organizations that are trying to
provide proper governance to all levels within the institution.
An audit of the BSA/AML governance function can help organizations in the identification
of gaps in their program and potential steps for remediation.
The 10 elements of BSA/AML governance are being proposed as a starting point to help
bring institutions in line with current OCC, FDIC and FinCEN expectations on individual
and corporate responsibility and accountability.
17 Bruemmer, Russel and Alper, Elijah, “AML: A Corporate Governance Issue”, The Banking Law Journal (November/December 2013), p. 878
Bibliography
Public Law 107-56 – PATRIOT ACT (Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism Act of 2001)
Proposed Legislation - H.R.3317 Holding Individuals Accountable and Deterring Money Laundering Act (10/24/2013)
Kauffman, Ted, “Why DOJ Deemed Bank Execs Too Big To Jail”, Forbes (7/29/2013)
Bruemmer, Russel and Alper, Elijah, “AML: A Corporate Governance Issue”, The Banking Law Journal (November/December 2013)
Adams, Colby, “OCC Chief Tells Bankers to Name Executives Responsible for AML Compliance”, www.moneylaundering.com (3/17/2014)
Monroe, Brian and Adams, Colby, “Financial Institutions Paid Sharply More for AML Infractions in 2012, Data Shows”, www.moneylaundering.com (6/4/2013)
Monroe, Brian, “In Enforcement Ramp-Up, FinCEN Will Issue Standalone Fines Against Banks”, www.moneylaundering.com (3/14/2013)
Monroe, Brian, “As OTS Winds Down, It Seeks More AML Monetary Penalties Against Individuals”, www.moneylaundering.com (3/29/2011)
Monroe, Brian, “OCC Fines Against 5 Miami Bankers Spark Concerns at Financial Institutions”, www.moneylaundering.com (5/23/2011)
McMaster, Andrew G. Jr., Vice Chairman of Deloitte LLP, “Successful Onboarding for New Audit Committee Members”, Wall Street Journal (1/24/2014)
OCC, “Testimony of the Office of the Comptroller of the Currency before the Permanent Subcommittee on Investigations of the Committee on Homeland Security and Governmental Affairs of the U.S. Senate”, (7/17/2012)
Thomas J. Curry, “Testimony of the Office of the Comptroller of the Currency before Committee on Banking, Housing, & Urban Affairs of the U.S. Senate” (3/7/2013)
Remarks of Thomas J. Curry, Comptroller of the Currency, ACAMS 19th Annual International AML and Financial Crime Conference (3/17/2014)
Remarks of Jennifer Shasky Calvery, Director FinCEN, ABA/ABA Money Laundering Enforcement Conference (11/19/2013)
Remarks of Jennifer Shasky Calvery, Director FinCEN, Securities Industry and Financial Markets Association (1/30/2014)
KPMG, Global Anti-Money Laundering Survey, www.kpmg.com (2014)
Federal Financial Institutions Examination Council (FFIEC) BSA/AML Examination Manual (2006)
Federal Financial Institutions Examination Council (FFIEC) BSA/AML Examination Manual (2010)
FRB Supervisory Letter, Compliance Risk Management Programs and Oversight at Large Banking Organizations with Complex Compliance Profiles, SR 08-8 (10/16/2008)
TCF National Bank, OCC Consent Order AA-CE-10-71 (7/20/2010)
Citibank, N.A., OCC Consent Order AA-EC-12-18 (4/5/2012)
In re Citigroup Inc. (Banamex, USA) Docket No 13-004-B-HC (3/21/2013)
In re Commerzbank AG Docket Nos. 13-027-B-FB and 13-027-B-FBR (6/8/2012)
Zions First National Bank, FinCEN Assessment of Civil Money Penalty Number 2011-01
Pacific National Bank, FinCEN Assessment of Civil Money Penalty Number 2011-05
Wachovia Bank, FinCEN Assessment of Civil Money Penalty Number 2010-1
Ocean Bank, FinCEN Assessment of Civil Money Penalty Number 2011-7
One Bank & Trust, N.A., OCC Consent Order AA-EC-13-82 (10/9/2013)
Banesco USA, FDIC Consent Order FDIC-13-166b OFR 1007 -FI-13 (11/22/2013)