The third of a three-part series on the new landscape of anti-money laundering enforcement
Dealing with high-risk clients in an era of enhanced AML enforcement
To identify and trace criminal activity, federal law enforcement relies on the mandatory filing of suspicious activity reports (SARs) by financial institutions subject to the Bank Secrecy Act (BSA). Because of the importance of SARs to law enforcement efforts, regulators do not require—and indeed have no interest in requiring—that financial institutions refuse to maintain accounts for clients with higher risk profiles, such as certain money services businesses (MSBs).
In January 2015, Treasury Under Secretary David Cohen made this very point, remarking that through MSBs, the government has “access to crucial information that regulators and law enforcement depend on every day to prevent the abuse of the financial system.” He went on to express concern that “banks have been indiscriminately terminating the accounts of all MSBs, or refusing to open accounts for any MSBs.” Pointing out that regulators do not—contrary to a conclusion that some may draw from recently enhanced enforcement efforts—expect banks to be “infallible,” Cohen said that what regulators do expect “is that [banks] take seriously the variety of illicit finance risks that different clients present, and assess and address those risks on a client-by-client basis.” In theory, such assessment and monitoring should benefit both the institution, which is thus in a better position to comply with its SARs filing obligations, and the government, which can put the filed SARs to law enforcement use.
In practice, a heightened AML enforcement atmosphere has led financial institutions to worry that servicing higher risk clients entails a commensurate increased risk that suspicious transactions will occur without being flagged and reported, potentially leading to massive fines and other penalties. Because regulators have not imposed a bright-line prohibition on servicing high-risk businesses, financial institutions must weigh a number of factors in deciding how to service such clients without unintentionally running afoul of their BSA/anti-money laundering obligations.
The Treasury Department’s Financial Crimes Enforcement Network (FinCEN), the primary regulator responsible for enforcing the SAR filing requirements, has issued guidance intended to help banks identify and appropriately assess, monitor, and comply with SAR obligations as to MSBs. While this guidance leaves a large degree of discretion to the bank to determine, based on the individual circumstances of each client, the appropriate level of monitoring and diligence, some expectations are clear.
For instance, FinCEN acknowledges that there are many different types of MSBs, offering a broad range of services to different types of customers, and that very different levels of diligence might be required from one MSB to the next depending on their risk profiles. At a minimum, however, FinCEN and other bank regulators expect that a financial institution opening or maintaining an account for an MSB will:
- Apply the bank’s Customer Identification Program
- If the MSB is required to register with FinCEN, confirm that it has done so
- If the MSB is required to comply with state or local licensing requirements, confirm that it has done so
- If the client is an agent of an MSB rather than a principal MSB (and therefore not required to register with FinCEN), confirm the status as agent
- Conduct a basic BSA/AML risk assessment to determine whether additional diligence is necessary
Additional diligence may be necessary depending on such factors as the MSB’s customer base, the geographies in which it operates, the types of services it offers, the size and character of its typical transactions, and its history as a business. Of course, as with any client, an MSB that initially appears to have a low risk profile requiring only basic diligence will require reassessment if suspicious transactions by that MSB are later detected.
10 considerations for maintaining an effective BSA/AML compliance program
- Do not neglect operations and technology. In the control environment, increasingly, adequate AML monitoring means automated monitoring on complex platforms.
- Create a strong compliance culture. As discussed in the previous articles in this series, ingraining AML policies and procedures into the firm-wide business culture can only be done through a strong message from the board and senior management, as well as a strong reporting structure.
- Test. Ensure that policies and procedures are consistently monitoring for high-risk and potentially suspicious behavior and that alerts are effectively and consistently communicated.
- Audit. An independent audit function should be evaluating your AML compliance program before the regulators do.
- Manage risk appetite. Regularly engage in risk assessments to determine whether or not the institution’s control environment is adequate to manage high-risk clients, geographies, and businesses.
- Document. If you haven’t documented it, for purposes of your regulators, you haven’t done it.
- Reach out to regulators. Get regulators involved before launching a new product that is of concern or that is technologically progressive. Otherwise you could find yourself subject to new requirements of which you might otherwise be unaware.
- Train. Regularly reassess the quality and currentness of your BSA/AML training program and tools.
- Evaluate the chief BSA/AML compliance officer. The chief BSA/AML compliance officer and his or her staff must be both qualified and independent. It is crucial for the compliance team to keep up with trends and changes in the regulatory environment.
- Incentivize. Compliance awareness should be rewarded and compliance disregard penalized. This can be accomplished, in part, by making compliance part of employees’ reviews and appraisals.
Republished with permission. This article first appeared in Inside Counsel on April 17, 2015.