Is BSA/AML compliance still a hot issue for bank directors? In 2007, the four primary bank regulatory agencies (OCC, FDIC, OTS and Federal Reserve Board) issued a total of 43 formal enforcement actions against financial institutions that involved the Bank Secrecy Act and Anti Money Laundering regulations (BSA/AML). In virtually all of these enforcement actions the board of directors came in for criticism for failing to provide adequate appropriate oversight for the financial institution’s BSA/AML compliance.
Formal enforcement actions are expensive for the bank. In the 43 actions from 2007, most of them required the bank to take some expensive action such as hiring a consultant, hiring more full time staff, purchasing new software, upgrading or purchasing computer systems, implementing monitoring systems, etc. All of these actions require significant expenditures of funds. All of them will require more costs in the long run than if the bank had implemented the correct procedures in the first place. Even informal enforcement actions are expensive. In our experience, a memorandum of understanding (MOU) for BSA violations will end up costing a small community bank over $100,000- $200,000 in compliance costs.
The law places the responsibility for BSA/AML compliance squarely on the bank’s board of directors. The most commonly mentioned board failure in the enforcement actions was the failure to provide the appropriate degree of oversight for the bank’s BSA program. Based on the 2007 formal enforcement actions we reviewed, here is a suggested list of things a bank’s board should do avoid BSA trouble:
Hire a Qualified and Responsible BSA Officer: The law requires that all institutions have a qualified BSA officer. This means that the bank’s BSA officer must have enough education to be knowledgeable in BSA’s regulatory requirements. It also means that the BSA officer must have authority to make BSA policy decisions, including having significant involvement in the decisions whether or not to file a suspicious activity report.
Expect Regular Suspicious Activity Reports: The failure to monitor suspicious activity and file reports correctly was the major cause of BSA enforcement actions. The board should require regular reports of these activities. If months go by without any mention of it, ask questions of senior management; the board is required to hold them responsible for this requirement.
Require Annual BSA Policies: Bank management should write and update comprehensive BSA policies annually to ensure that new bank products and services are covered and that any and all regulatory changes are included. If the board is not presented with policies every year, it should ask senior management for them.
Ask for Audit Reports: The board should hold senior management responsible for implementing adequate internal controls for BSA compliance. Internal controls for BSA compliance are a requirement of the law; they are not optional. The board is responsible to hold senior management accountable for making sure the internal controls are in place and are working correctly. The best way to accomplish this is to require an annual audit of the bank’s BSA/AML compliance. The audit findings should be reported to the board with management responses to all deficiencies. If management seems too cavalier about the BSA findings or does not adequately address them, the board should probe deeper and make sure deficiencies are corrected.
Pay Attention to BSA Examination Findings: One of the easiest ways to get into BSA compliance trouble is to have repeat examination deficiencies. The bank should read the examiners findings and require senior management to commit to corrective action to ensure compliance. Once the corrective action plan is approved, the board should require reports periodically. Subsequent audits should include procedures to check previous exam deficiencies.
[This article first appeared in Western Independent Banker–Directors Digest April 2008]