Is the Bank Secrecy Act unconstitutional? Not so, says the Ninth Circuit. This article explains the court’s analysis and why it matters to covered financial institutions.

What happened

To ensure compliance with the BSA, the Federal Deposit Insurance Act requires insured, non-member banks to comply with FinCEN’s BSA regulations. Among other requirements, the regulations require banks to maintain an anti-money-laundering compliance program, review the program during bank examinations, describe any problems with the program in its report of examination (ROE) and state in that report whether the bank has failed to correct any problem with its program.

The BSA’s regulations outline “four pillars” of compliance. They mandate that banks, at a minimum, provide for a system of internal controls, provide for independent testing for compliance, designate an individual(s) responsible for coordinating and monitoring day-to-day compliance, and provide training for appropriate personnel.

A bank’s failure to provide adequately for any individual pillar might result in the FDIC deeming the bank noncompliant with the BSA, a noncompliance that could lead to reputational harm, civil penalties and other adverse results. To clarify compliance requirements and provide for consistent examination procedures, the Federal Financial Institutions Examination Council publishes an Examination Manual.

In a March 12, 2018, decision, the Ninth Circuit analyzed these provisions and concluded that the BSA and its implementing regulations are not unconstitutionally vague, and that the FDIC properly relied upon the statute and the FFIEC manual when issuing a cease and desist order.

In July 2010, an FDIC examiner conducted a safety and soundness examination of a California-based bank. The examiner identified several areas that “must be corrected,” specifically highlighting the need to increase the risk rating for the customer base, and the need to monitor and analyze aggregate activity to establish a pattern of customer activity. After reviewing the findings with the examiner and the bank’s third-party auditor, bank management agreed to the recommendations.

The following year, the bank appointed the CEO’s son to be the bank’s BSA officer, in addition to his other positions as senior vice president, senior credit officer, chief financial officer, internal auditor and operations compliance officer. He revised the bank’s new customer deposit account risk assessment form and scoring methodology as well as the risk assessment form the bank used to assess customer risk. However, his changes were criticized by the bank’s third-party auditor.

The 2012 ROE concluded that the bank failed to administer a BSA compliance program in accordance with the four pillars and failed to file required Suspicious Activity Reports (SARs). The ROE also found deficiencies in the bank’s internal controls.

The examiner agreed with the bank’s auditor that the revised risk ratings were insufficient despite her earlier recommendations. Also, the bank’s independent testing failed FDIC review, in part because the auditor was also a consultant for the bank.

The examiner also concluded that the BSA officer had inadequate experience to administer the compliance program, and given his many roles at the bank, could not devote sufficient time to compliance. Finally, she found that training at the bank was insufficiently tailored to specific job functions.

The bank refused to agree to a consent order following the 2012 exam, prompting the FDIC to issue a notice of charges. An administrative law judge, hearing the matter, agreed with the FDIC that the bank had violated the BSA and its implementing regulations, and recommended that the FDIC issue a cease and desist order. The FDIC Board affirmed the ALJ, and the bank appealed to the Ninth Circuit Court of Appeals.

In its defense, the bank alleged that the BSA and its implementing regulations are unconstitutionally vague and that the FDIC conducted a biased investigation that violated the bank’s due process rights. The bank argued that neither the BSA nor its implementing regulations were precise enough to inform the bank of its required conduct, allowing the FDIC to arbitrarily determine whether its BSA compliance procedures were sufficient.

But the Ninth Circuit found the statute and its regulations satisfied constitutional scrutiny, particularly as they involved economics, where “vagueness is less of a concern because ‘the regulated enterprise may have the ability to clarify the meaning of the regulation by its own inquiry, or by resort to an administrative process.’” An agency-issued manual, such as that published by the FFIEC, “can clarify what conduct is expected of a person subject to a particular regulation and thus mitigate against vagueness,” the court added.

“The FFIEC Manual frames the examiners’ expectations in anticipation of routine compliance checks. … Indeed, the FDIC Board found that provisions of the FFIEC Manual were incorporated in the Bank’s own BSA Policy Manual, and copies of the FFIEC Manual were found scattered throughout the Bank. A BSA Officer at the Bank bearing the requisite ‘specialized knowledge’ would understand that compliance with the FFIEC Manual ensures compliance with the BSA. The BSA and its implementing regulations are not unconstitutionally vague.”

The court found no merit in the bank’s argument of investigative bias on the part of the FDIC, noting that the regulator’s examination “need not have been ‘neutral and detached.’”

Finding the four pillars regulation to be ambiguous—given the complexity and the fact that banks can design different compliance programs—the court deferred to the FFIEC manual, as it defined and provided clarifying guidance on each of the four pillars and was not plainly erroneous or inconsistent with the FDIC’s regulation.

The panel then affirmed the FDIC Board’s decision, finding substantial evidence that the bank failed to comply with all four of the pillars of BSA compliance: adequate controls, independent testing, administration and training.

Why it matters

The Ninth Circuit ruling makes clear to banks that the BSA’s four pillars (controls, testing, administration and training) remain at the forefront of anti-money-laundering compliance.

Banks are required to tailor their anti-money-laundering compliance programs based on their size, the complexity of their business and specific risks they face. While this may be somewhat subjective, the court took the position that the FFIEC Examination Manual provides sufficient guidance to banks in their efforts to comply.

To read the Ninth Circuit’s opinion, click here.