Between the endless amounts of information BSA professionals need to sift through to piece together regulatory expectations, industry trends, and emerging threats to increasing regulatory scrutiny, preparing for BSA exams can be complex and time consuming. Regulatory hot topics and exam findings from 2019 give us a good road map for 2020 exam preparation.
Your bank or credit union can leverage data from exam findings and consent orders to enhance your institution’s BSA program and improve the results of your next exam. After all, regulatory scrutiny for money laundering and financial crimes is most likely not going to be deregulated any time soon.
In a recent webinar, John Geiringer, partner at the law firm Barrack Ferrazzano, reviewed exam findings and consent orders from 2019. Geiringer suggested using this data to reverse engineer your exam experience for 2020 and start the year on a proactive note. Here are four action items your financial institution can take to prepare for its next exam.
Create a culture of compliance
One of the more important takeaways from 2019 exams is that all institutions, regardless of size or risk profile, must have a strong culture of compliance, as directed by FinCEN’s advisory. Despite the fact that this advisory was issued several years ago, it is cited frequently in exam findings. The advisory states that financial institutions with a poor culture of compliance are likely to have shortcomings in their BSA/AML program. It is critical for leadership and the board of directors to be engaged in all areas of the institution, including compliance with the BSA. Their commitment should be visible within the organization — if it isn’t, regulators will take notice. This is a must-have risk management concept.
Avoid conflicts of interest between profits and compliance
The advisory further states that revenue interests should not compromise compliance. While all financial institutions are driven by revenue, compliance with regulatory requirements must go hand in hand with business interests. Enforcement actions can lead to cease and desist of any mergers or acquisitions, new branches, and in some cases no lending or other growth avenues. These actions are public, so the reputational and strategic risks are real. Of course, BSA is a heavy cost center, but the cost to comply is significantly less expensive than a regulatory civil money penalty. BSA compliance must be adjusted to fit each institution and its evolving risk.
Ensure there are adequate resources
To have a successful BSA program, and, thus, successful BSA exams, it is critical that BSA departments have access to adequate human and technological resources. This includes a qualified, experienced BSA officer that has sufficient authority to administer the BSA program. The failure to devote enough staff for proper BSA compliance can lead to systemic failures. Failing to provide funds for up-to-date technology may lead to missing critical suspicious activity, the core of the BSA. BSA officers should be confident in their position and ready to share this advisory with leadership and the board if the institution is at risk.
Set proper internal controls
Other common 2019 exam findings include a lack of adequate internal controls. This may consist of an internal audit function that must be autonomous of the compliance function, preferable reporting to the Board or a committee of the Board. If you use internal staff, be sure they are adequately trained to perform the compliance functions that they are auditing.
Internal controls could also refer to an audit function outsourced to an independent third party that must be experienced in BSA. One final piece of internal controls frequently cited is lack of a quality control (QC) function, the first line of defense. Larger institutions should have a formal QC process and staff accordingly, and smaller institutions should have a QC program including, at a minimum, a random sample check of the riskier functions of the division. This should all be documented in procedures and adhered to.
Some specific internal control common findings center around policies and procedures. Common “hot spots” Geiringer sees in exam findings are that the internal controls are not clearly written, they’re not comprehensive, and they’re not current. “I often see old citations from the old way that FinCEN cited in their regulations,” Geiringer said. “As soon as I see something like that, I know that these policies and procedures have not been freshened up in a while, and that can be a signal to regulators as well — even if that cite was perfectly fine back then, it’s simply a signal that perhaps this bank isn’t paying attention to at least the optics of freshening up their policies and procedures.” Other ways to bolster internal controls include:
- Ensure policies and procedures are organized and tailored (don’t copy and paste your policies from other organizations!)
- Ensure policies and procedures are useful to train others within the institution
- Document evidence of adherence to a QC program barrier
Staying in the practice of reading published enforcement actions and remaining proactive will assist in keeping your institution out of the headlines. As a BSA professional, keep your guard up and be mindful of trends, and you’ll remain prepared for your next exam.
Terri Luttrell, CAMS-Audit, Abrigo