AML Programs and Recent Consent Orders: What Questions Should you be Asking?

Last year’s news headlines screamed about financial crimes: the riveting cryptocurrency saga of Sam Bankman-Fried (SBF), Binance’s landmark $4.3 billion settlement with the Department of Treasury, and Deutsche Bank’s additional fines for anti-money laundering and sanctions failings.

Other noteworthy stories entailed a parade of cybercrimes like ransomware and email scams.

For those working in the anti-money laundering sectors of financial institutions, such stories are more than a sound bite; they affect our daily work and cause us to wonder and worry about upcoming changes and whether federal examiners will adjust their approach to AML/CFT Exams.

Without a crystal ball, the best gauge of what may be coming is to monitor recent Consent Orders issued by the federal regulators and look for trends in those orders. Staying current with these trends becomes an important tool for BSA Officers, who are obligated to keep the institution’s Board of Directors apprised of developments.

TCA has analyzed eight consent orders and monetary penalties issued in 2023 by the OCC, FRB, and FDIC* that focused on BSA/AML sanctions. Here are some insights.

The Board Can’t “Shake It Off”

The consent orders hammered home the Board of Directors’ responsibility for ensuring that institutions comply with all relevant laws. Examiners accomplished their admonition of Boards with action phrases like, “the Board must,” “the Board shall,” “immediately,” and “assume responsibility.” These phrases were followed by directives for Boards to increase and enhance their oversight of BSA Programs. Examiners also made clear their expectations that Board members have BSA Compliance expertise.

Points to Ponder:

• As a BSA Officer, how are you supporting your Board of Directors? *(See below)
• What is the Board’s expertise in providing governance?
• When a big story breaks in the world of AML, how quickly does the Board acknowledge its impact on your institution?
• What meaningful statistics and trending data do you provide your Board members to help them understand the BSA Department’s work volume?

All Aboard for Training

Training is a “Pillar” that makes many bankers’ eyes roll. Common annoyances include:

• Training software systems that are clunky to use and make it challenging to extract meaningful completion data.
• Meeting deadlines feels like climbing Everest.
• Web based modules don’t include specific training for internal policies and procedures.
• Employees suffer training fatigue because of the amount of training they must complete each year.

Nonetheless, training is inescapable. The 2023 consent orders weren’t singing any new tunes about examiner expectations. We aren’t going to get a reprieve from training.

Points to Ponder:

• Is the Institution’s training software making it harder to get the Bank trained in a job-specific manner on BSA/AML/OFAC?
• Are the expectations and deadlines for completion clear and documented in a formal, written training program?
• Is the Board of Directors notified about employees who didn’t complete their training on time?
• Are employee performance metrics affected by late or incomplete training?
• How are employees acknowledged for successfully completing training and timely completion?
• Does the BSA Officer have the necessary skills to fulfill the role?

BSA/AML Officer Evaluation

There were some stinging assessments of BSA Officers in consent orders this year. One outlined four changes an institution needed to make. They were:

• The Board must establish annual objectives on measuring the BSA Officer’s effectiveness.
• The Board must analyze the institution’s risk profile and strategic direction to develop a profile of the person who would be the best fit to serve as the institution’s BSA Officer.
• The Board had to determine whether the current BSA Officer would continue in the role.
• If the BSA Officer were to continue, the Board would have to invest in training for that person and establish timelines for the professional development of the BSA Officer which included specific training for unique products and services that the institution offered.

We can all agree how much these comments can hurt. How many of us have the ego to tolerate such a process?

Being a BSA Officer isn’t the job for just anyone. Boards need to consider who in the institution has the skills and experience to maintain a successful AML/CFT Program.

Another consent order bluntly stated, “When the Bank appointed the Co-BSA Officers, it failed to appoint knowledgeable, experienced, and trained BSA Officers…None of the Co-BSA Officers have received formal, documented training to serve as BSA Officers.”

A consistent theme regarding BSA Officers was that they needed sufficient support staff and resources. The need for institutions to conduct staffing assessments keeps appearing in AML/CFT consent orders.

Points to Ponder:

• How is the Board supporting its designated BSA Officer?
• As a BSA Officer, how do you document what the Institution needs to support the AML/CFT Program?
• Do BSA Officer and BSA department staff participate in additional specialized training each that state banking groups offer each year? ABA? ACAMs? And is it specifically related to AML/CFT, rather than general regulatory compliance topics?
• Is the BSA Officer keeping up with information from FinCEN, DOJ, IRS, etc.?
• Is the institution’s AML/CFT function sufficiently staffed with experienced, competent professionals with the right skills and perspective?

Do we have to hire a third-party consultant to do what in just 30-60-90…days?

Partnering with a competent consultant is crucial. Would the institution even be in a consent order if it had a good relationship with a consultant?

A good consultant will be that friend who tells you there’s parsley or a poppy seed stuck in your teeth.

If your consultant is someone who won’t mention your need to floss, do you really have a consultant who can help you out of the 30-60-90-day jam? Maybe it was the consultant who got us into that jam.

Several recent consent orders have called out institutions for not receiving robust reviews from the independent firms they’d been working with and counted on.

If the institution is required to perform a dreaded “look back,” does the institution have connections to an AML consultant who has the expertise to perform the work? Does their knowledge of SAR filing extend into how to perform an investigation, analyze customer activity, and write a comprehensive narrative that supports the recommendation?

Not all third-party consultants are created equally. If a consent order lands on your desk, the right consultant will help you. The wrong one could make matters worse.

Points to Ponder:

• Are third-party reviewers treated as your friend or enemy by your team?
• Is your third-party reviewer providing a critical analysis of your program that considers current trends in financial crime and regulator updates?
• Do you have an AML/CFT crisis team in place?

Have a finding? Track it, fix it, report it.

When an institution has findings issued against it, it’s essential that there’s an organized, formal process for informing the Board of Directors, establishing a process to correct the issue, setting a deadline, remediating the issue before the deadline, and independently validating that the issue was actually corrected. It’s also crucial to report back to the Board that the issue was resolved.

Points to Ponder:

• Is there an independent review to confirm the issue was corrected?
• If the issue isn’t remediated by the established deadline, is there a documented extension process, and does the Board know about the need for an extension?
• Has the team thoroughly documented the correction using a formalized change management process?

Third-Party Party Crasher

Recently, there’s been much news about institutions facing consent orders because of their relationships with FinTechs. These institutions are expected to monitor these FinTechs and understand their customers. Institutions with FinTech partnerships also are expected to change their BSA Compliance monitoring to include resources and processes for enhanced monitoring of the FinTechs with whom it partners.

Points to Ponder:

• When seeking additional income streams via partnerships, is FinTech willing to be transparent with the institution about its customer base, onboarding processes, risk assessments it completes, etc.?
• Will additional resources be allocated to the AML/CFT function in conjunction with the partnership?

New products, new risks

Recent consent orders have called out institutions for not consulting the BSA Officer when developing new products. A critical component of a BSA Officer’s role to understand the products and services offered by the institution. That person must assess the risks a new product will pose, how the institution’s CIP will apply to the product, or, if changes are needed, develop a monitoring process for suspicious activity (e.g., new manual processes or if updates are needed to the institution’s AML software).

Points to Ponder:

• Is the institution’s risk assessment sufficient to evaluate new products?
• Will additional BSA staff be needed to monitor new products? Do they have the training to understand the risks associated with the product?

There’s much to learn from the recent consent orders and TCA is available to act as your institution’s AML/CFT compliance partner. TCA’s AML Team consults with and provides A Better Way to identify necessary program enhancements and conduct third-party independent reviews.

Contact TCA at [email protected] for a customized quote.

*Eight recent consent orders/monetary penalties evaluated for this article.

• OCC – Lake Shore Savings Bank
• FDIC – Maxwell State Bank
• FDIC – Israel Discount Bank of New York
• FDIC – Loyal Trust Bank
• FDIC – Citizens Bank & Trust Company of Vivian, Louisiana
• FRB – Metropolitan Commercial Bank – CMP
• FRB – Gardner Bancshares Inc / Small Business Bank
• FRB – Deutsche Bank

TCA – A Better Way!