On July 22, 2019, federal bank regulators issued a joint statement providing insights into regulators’ collective approach for planning and performing Bank Secrecy Act (BSA) and anti-money laundering (AML) examinations. This is just the most recent of several joint statements from the Board of Governors of the Federal Reserve System, Federal Deposit Insurance Corporation (FDIC), National Credit Union Administration (NCUA), Office of the Comptroller of the Currency (OCC), and U.S. Department of the Treasury’s Financial Crimes Enforcement Network (FinCEN) in the past year.
Previous statements addressed the sharing of compliance resources among smaller financial institutions and the role of innovation in BSA/AML compliance. This latest joint statement highlights the risk-based approach that banks and certain other federally regulated financial institutions must take to compliance and that examiners will employ during examinations. While the interagency group issuing the statements has not provided significant guidance on their purpose, the tone and substance of the statements suggest an effort to demonstrate that federal regulators are increasingly committed to transparency and engagement with regulated financial institutions.
Banks Must Apply a Risk-Based Approach to Developing and Implementing Compliance Programs
It is well-established that each bank’s BSA/AML program should be tailored to the unique risk profile of the bank. The joint statement highlights the importance that federal regulators place on banks employing such a risk-based approach, noting that a bank’s “well-developed risk assessment is a critical part of sound risk management and assists examiners in understanding the bank’s risk profile.”
For example, a large, multinational bank may conduct significant cross-border payments and have a customer base that is constantly in flux. This type of bank is expected to have a sophisticated BSA/AML program with substantial resources dedicated to addressing the inherent risks associated with its business model.
In contrast, a small, community-oriented bank is likely to engage in limited cross-border payments and have a stable, well-known customer base. This type of bank is likely to have a somewhat less-sophisticated BSA/AML program with more limited resources devoted to it. Indeed, federal regulators have explained that such banks may be good candidates to share compliance resources with similar banks in light of this lower risk profile.
The joint statement also notes that maintaining a risk-based approach to BSA/AML compliance goes beyond the general risk profile of the bank. It also requires consideration of a bank’s individual risk appetite, taking into account both the level and type of risk. For example, a bank might choose to work with customers who run money services businesses such as check cashers. Such businesses pose inherently higher BSA/AML risks, and a bank that chooses to work with such businesses is expected to devote greater resources to mitigating those risks.
While Banks Are Aggressively De-risking, Federal Regulators Continue to Claim They Discourage It
Aggressive enforcement efforts and a regulatory environment with ever-higher expectations for banks and other financial institutions have led to a recent trend of banks engaging in “de-risking.” De-risking involves banks determining that certain customers or even whole categories of customers simply involve too great of a compliance risk to bank. In many cases, these decisions are made based on economic rather than compliance concerns. Simply put, banks are determining that the potential profits to be made from higher-risk customers are not sufficient to justify the costs of adequately monitoring the risk. As a result, money-services businesses, cryptocurrency exchanges, charities, and many other companies are finding themselves unable to obtain bank accounts by traditional means.
Federal regulators have historically done nothing of substance to address this unintended consequence of aggressive regulatory oversight, and the joint statement provides no new insights for banks or the customers being de-risked. It simply reiterates the long-standing mantra from federal regulators that banks are “neither prohibited nor discouraged from providing banking services” so long as they take adequate steps to manage and mitigate risk. The joint statement also notes that “banks are encouraged to manage customer relationships and mitigate risks based on customer relationships rather than declining to provide banking services to entire categories of customers.”
Federal regulators apparently decided once again to leave for another day the question of how banks are expected to provide services to higher-risk customers without losing money or exposing themselves to enforcement risk.
Federal Bank Examiners Conduct Risk-Focused Examinations
The joint statement does provide some useful guidance on how regulators tailor examination plans and procedures based on the risk profile of a given bank. This tailored approach is generally achieved by:
- Leveraging information such as a bank’s risk assessment, independent audits, and previous examinations.
- Communicating with banks between examinations or before finalizing the scope of an examination.
- Considering a given bank’s demonstrated ability to identify, measure, monitor, and control risks.
The joint statement therefore makes it clear that examinations are significantly influenced by the information that the bank itself provides to regulators.
Banks Should Be Proactive in Identifying Risks and in Communicating with Regulators About Examinations
While the joint statement does not radically alter the compliance landscape for banks, it is a useful reminder to banks of the importance of an ongoing risk-based approach to compliance. Banks should periodically update their risk assessments to ensure that their BSA/AML programs are properly tailored to the bank’s risk profile as business evolves. In an increasingly global economy, banks must be vigilant in identifying and addressing new BSA/AML risks as they arise.
The joint statement also highlights the importance of banks being proactive in managing communications with federal regulators through the examination process. Banks should not wait for regulators to reach out before beginning to prepare for an examination. Throughout the year, banks should be conducting compliance activities with an eye toward future examinations. Before the beginning of a periodic examination, banks should be communicating with regulators to discuss the scope of the examination. Taking a proactive approach to examinations is critical to avoiding unwanted surprises during the examination itself.
Finally, should unforeseen issues arise during an examination, the existence of a record of ongoing communications with regulators is likely to give the bank credibility. This credibility with a bank’s primary regulator is critical to allow the bank the time to address any concerns and avoid referrals for enforcement.