According to the Financial Crimes Enforcement Network (FinCEN), a financial institution with a poor “culture of compliance” is likely to have shortcomings in its Bank Secrecy Act/Anti-Money Laundering (BSA/AML) program.
A recent FinCEN advisory (FIN-2014-A007) highlighted six general principles gleaned from enforcement actions that, if followed, could help financial institutions and their leadership improve and strengthen organizational compliance with BSA obligations.
To promote a BSA/AML compliance culture, credit unions should ensure:
• Leadership actively supports and understands compliance efforts;
• Revenue interests don’t compromise efforts to manage and mitigate BSA/AML deficiencies and risks;
• Other departments within the organization share relevant information with compliance staff to further BSA/AML efforts;
• The institution devotes adequate resources to its compliance function;
• The compliance program is effective by, among other things, enlisting an independent and competent party to evaluate it; and
• Leadership and staff understand the purpose of its BSA/AML efforts and law enforcement’s use of the reports.
Let's go into more detail on each of these points:
1. Leaders must engage
Creating a culture of compliance starts at the top. For a credit union’s BSA/AML compliance program to be effective, the institution’s leadership—its board of directors and executive/senior management—must provide “demonstrable support,” the FinCEN advisory states.
These leaders’ commitment should be visible within the organization, because their behavior will influence other employees’ attitudes.
An institution’s leaders should receive periodic BSA/AML training tailored to their roles. An appropriate understanding of BSA/AML obligations and compliance will help management make informed decisions about allocating resources to that function. The organization’s leaders should monitor BSA/AML compliance efforts.
2. Revenue interests shouldn’t compromise compliance
The FinCEN advisory underscores that BSA/AML compliance staff “should be empowered with sufficient authority and autonomy to implement an institution’s AML program,” and “an institution’s revenue interests shouldn’t compromise efforts to effectively manage and mitigate BSA/AML deficiencies and risks, including submission of appropriate and accurate reports to FinCEN.”
To illustrate this principle, FinCEN uses the example of a money services business (MSB) and suspected rogue agent. MSBs derive a significant percentage of their revenue from agents’ activity. Nevertheless, the MSB must accept the findings of the BSA/AML officer’s investigation when determining whether to terminate an agent—regardless of the impact on revenue.
In other words, BSA/AML compliance should never take a back seat to the success of a credit union’s business lines. Credit unions should always investigate and report BSA violations.
3. Each department should share information throughout the organization
FinCEN notes recent enforcement actions where the institution possessed relevant information but didn’t make it available to BSA/AML compliance staff. Why? Maybe the institution lacked an appropriate mechanism for sharing information.
Perhaps staff didn’t appreciate the information’s significance or relevance to BSA/AML compliance. In the worst-case scenario, the credit union might have intentionally prevented compliance officers or staff from accessing the information.
Each department at the credit union might possess information the BSA compliance officers could find useful. For example, information developed by the security/fraud prevention area could also assist the institution in complying with BSA/AML obligations.
Staff should also alert compliance officers when they receive subpoenas issued by government agencies. These subpoenas might trigger reviews of related members’ risk ratings and account activity for suspicious transactions.
4. Leadership should provide adequate resources
Credit unions must designate an individual to coordinate and monitor day-to-day BSA compliance. The BSA compliance officer should be knowledgeable and have sufficient authority to administer the program.
The institution should devote appropriate support staff to its BSA/AML compliance program based on its size and risk profile.
Management’s failure to devote sufficient staff to the BSA/AML compliance function might lead to other failures. For example, at many financial institutions, staff review transaction monitoring system alerts.
Without adequate resources, staff might not be able to design alerts that capture appropriate risks, or might dismiss these risks improperly. And a backlog of alerts might result in the untimely reporting of suspicious activity.
Credit unions also should allocate appropriate technological resources to BSA/AML compliance. Institutions with higher risk profiles—including those with substantially higher volumes of activity—might need to use automated systems to identify and monitor suspicious activity.
5. An independent and competent party should test the BSA program
An effective BSA/AML compliance program includes a proper ongoing risk assessment, sound risk-based “customer” due diligence, appropriate detection and reporting of suspicious activity, and independent program testing. While recognizing the importance of all components of an effective compliance program, FinCEN stresses the need for independent testing.
Credit unions should ensure the party testing the program—whether internal or external—is independent, qualified, unbiased, and has no conflicting business interests that might influence the outcome.
Safeguarding the integrity and independence of compliance program testing enables an institution to locate, and take appropriate corrective actions to address, BSA/AML deficiencies.
6. Leadership and staff should understand how law enforcement uses BSA reports
“Leadership and staff at all levels in a financial institution should understand that they aren’t simply generating reports for the sake of compliance, but rather recognize the purpose that BSA reports serve and how the information is used,” the FinCEN advisory states.
Law enforcement uses data generated from currency transaction reports (CTRs) and SARs to:
• Confront serious threats, including terrorist organizations, rogue nations, weapons of mass destruction proliferators, foreign corruption, and, increasingly, some cyberthreats;
• Assist in the fight against transnational criminal organizations, including those involved in drug trafficking and massive fraud schemes targeting the U.S. government, our businesses, and our people; and
• Protect institutions from bad actors, including insider threats, fraud, and cyberthreats such as spear phishing, account takeovers, and distributed denial of service attacks.
To strengthen their compliance culture, credit unions should consider underscoring the purpose of FinCEN’s BSA/AML regimen as part of their ongoing training requirements.
Find “FIN-2014-A007: Advisory to U.S. Financial Institutions on Promoting a Culture of Compliance” at fincen.gov. Please note this FinCEN advisory doesn’t change any existing expectations or obligations under current BSA/AML requirements.
VALERIE Y. MOSS is CUNA’s senior director of compliance analysis. Contact CUNA’s compliance department at firstname.lastname@example.org.