On July 22, 2015, the FDIC and the California Department of Business Oversight issued a Joint Order to Pay Civil Money Penalty against a Citigroup Inc. subsidiary, Banamex USA, for alleged violations of the Bank Secrecy Act. Under the Order, Banamex will pay $100 million to the FDIC and $40 million to California.
Citi’s problems began — or at least became publicly known — when the FDIC issued a Consent Order against Banamex in August 2012 for alleged “unsafe and unsound banking practices” relating to its BSA/AML program. That Order required Banamex to recruit an “experienced, qualified, competent, and knowledgeable” BSA Officer. In March 2013, the Federal Reserve followed suit with a Consent Order against Citigroup. The Fed’s Consent Order did not also direct the organization to recruit a qualified BSA Officer, but did direct Citigroup to review the effectiveness of Citigroup’s firmwide BSA/AML compliance program, with such review to include a review of the duties, responsibilities, and authority of Citigroup’s Chief BSA/AML compliance official.
One might assume from these actions that Citigroup and Banamex lacked an effective BSA Officer, though that is not necessarily the case. Almost always when a banking institution’s BSA/AML compliance program is criticized, the BSA Officer is called out in the resulting enforcement action. For example, the FDIC brought 25 public enforcement actions relating to BSA/AML compliance matters in the last twelve months. Twenty of those actions specifically required the institution to ensure that its BSA/AML program was managed by a competent BSA Officer; three more directed the institution to evaluate its BSA staff or management, or to ensure that its BSA Officer had sufficient authority within the organization.
It seems fair to conclude that a weak BSA Officer was not always the cause of the institution’s failures, even if the institution is ordered to evaluate its BSA Officer’s qualifications. Criticism of the BSA Officer just follows naturally from the regulatory findings: if the institution has a weak BSA/AML compliance program, a logical first step is to evaluate the strength of the BSA Officer. After all, designation of a qualified BSA Officer is one of the famous “4 Pillars” of an effective AML compliance program.
This article considers what an institution should look for in a qualified BSA Officer, and equally important, how an institution can ensure that its BSA/AML compliance program is designed so that the BSA Officer may do his or her job effectively. The following is drawn from published BSA/AML enforcement actions, the 2014 FFIEC Bank Secrecy Act/Anti-Money Laundering Examination Manual, an August 11, 2014 FinCEN “Advisory to U.S. Financial Institutions on Promoting a Culture of Compliance” (the “FinCEN Advisory”), and our own experiences in this area through working with banks, money services businesses and other institutions with BSA or AML obligations. (We should note that the term “BSA Officer,” as used in this article, is shorthand for the individual who is responsible for BSA and AML compliance within the organization. The term is not meant to exclude the AML aspects of the role.)
#1: A Designated BSA Officer, Full or Part Time, as Appropriate for the Institution. Each institution must designate a BSA Officer. For banking institutions, the bank’s Board must appoint the BSA Officer, and this should be reflected in the minutes of the Board’s meeting.
It is very important that the designated individual have sufficient time for his or her BSA/AML duties. For larger or more complex institutions, this individual usually must be a full-time BSA Officer, with no other duties. For smaller, less complex institutions, the individual could have responsibilities in addition to BSA/AML compliance, but it should never be the case that the individual’s other responsibilities create a conflict of interest or interfere with his or her ability to effectively manage the BSA compliance program.
#2: Institution Employee. The title of the BSA Officer is not important, and the person need not even technically be an “officer” of the company. Except in rare cases, however, such as when an institution’s BSA Officer has left the company and a replacement has not yet been identified, the BSA Officer should be an actual employee, and not an outside contractor.
#3: Sufficient Authority and Independence. The BSA Officer must have sufficient executive authority (decision-making authority) and independence (autonomy) to monitor and ensure compliance.
The importance of the BSA Officer’s independence and authority is reflected in many other regulatory expectations of the BSA Officer. As noted above, for example, the BSA Officer should not face conflicts of interest that prevent him or her from making the right BSA/AML decisions for the institution. This is also part of the reason that the BSA Officer should be reporting directly to the institution’s Board and management, thus minimizing the risk that the Officer’s authority is undermined.
#4: Sufficient Resources. The institution must devote appropriate resources to its BSA/AML compliance program. This includes human resources as well as technological resources. As the FinCEN Advisory notes, compliance should never be compromised by revenue interests.
#5: Full Knowledge of the Rules and of the Institution. Of course the BSA Officer should be fully knowledgeable of the BSA and all related regulations. The BSA Officer also must understand the institution’s products, services, customers, entities, geographic locations, methods by which the products or services are delivered, and the potential money laundering, terrorist financing and other BSA/AML compliance risks associated with the foregoing. Without this broad knowledge, the BSA Officer cannot reasonably assess and address the compliance needs and risks.
#6: Training. The BSA Officer should receive at least annual BSA/AML compliance training. In many cases, particularly for larger or more complex institutions, the BSA Officer should attend training provided by outside organizations. Training that is limited to internal or computerized resources can sometimes deprive the BSA Officer of real world viewpoints and information on BSA/AML trends and risks.
#7: Reports and Reporting. The BSA Officer should always receive appropriate information from the various departments or business lines within the institution. This means not only that those departments and business lines should have clear obligations to report information to the BSA Officer, but also that management and employees receive sufficient training to understand what information should be shared and why that information is important to the compliance program.
The BSA Officer then should have clear lines of communication to regularly apprise the institution’s Board and senior management of ongoing BSA/AML compliance. The BSA Officer should always report directly to the Board (or a specific BSA committee of the board) on at least a quarterly basis. Enforcement actions typically require monthly reports to the Board, which, for many institutions, is advisable in the usual course. It is crucial that no manager or other individual stand between the BSA Officer and the Board for purposes of these reports. We don’t want to undermine the BSA Officer’s autonomy and authority, and only if the Board is receiving unfiltered information can the institution be sure that the Board is taking appropriate responsibility for the organization’s BSA compliance program.
When reporting to the Board and senior management, the BSA Officer should address SAR filings and trends; concerns relating to overall compliance; exceptions to policy; concerns relating to staffing or technological resources; and any findings (and related remediation) from BSA/AML risk assessments, audits and independent testing.
The overriding principle reflected in all of the above items is the absolute importance that the board and management be sufficiently engaged, stay informed of the state of BSA/AML compliance within the organization, and, above all, demonstrate a clear “culture of compliance” throughout the organization.
FinCEN repeatedly notes that each institution’s board and senior management are responsible for all areas of the institution’s BSA and AML compliance. This is why, for example, each institution must dedicate adequate resources to BSA/AML compliance, and ensure clear lines of direct communication between the BSA Officer and the board and management. If the board and management treat BSA/AML compliance as a cost center to be suffered through, or convey the view that BSA/AML compliance is nothing more than another regulatory burden, it can be expected that the institution’s employees will not take these obligations seriously.
There are no bright lines or safe harbors, but by following these tips, an institution can be in a better position to ensure that it has a qualified BSA Officer and a solid BSA/AML compliance program.