Key Themes from Consent Orders

Warren Buffett once said, “When people tell me they’ve learned from experience, I tell them the trick is to learn from other people’s experience.” This is true in many areas of life, especially when it comes to BSA Consent Orders. BSA (Bank Secrecy Act) and OFAC (Office of Foreign Assets Control) personnel are wise to learn from the mistakes of others. Several key themes emerge from the Consent Orders issued in 2021 – 2022. All BSA Consent Orders referenced herein are listed at the end of the BSA section. The OFAC enforcement actions referenced are listed following the OFAC section.

Number 1: A Risk-Based Approach

All of the exam manual updates over roughly the last year and a half have focused on a risk-based approach tied directly to Money Laundering/Terrorist Financing (ML/TF) risk. Many wondered how this specific focus on a “risk-based” approach would be evaluated by examiners. While we do not have a specific answer to that question, Consent Orders are now echoing that theme. On April 7th, 2022, and again on June 9th, 2022, the FDIC (Federal Deposit Insurance Corporation) used “risk-based” or “risk basis” numerous times regarding CDD (Customer Due Diligence) procedures, monitoring for suspicious activity, risk rating of the customer base, and maintaining and updating customer information. If you are going to have a risk-based approach, you must have a BSA Risk Assessment that accurately reflects your institution’s risk. In addition, regulators have stressed that institutions should ensure risk ratings are accurate and well supported with both qualitative and quantitative data.

The OCC (Office of the Comptroller of the Currency) stated in their October 28th, 2021, order that the BSA Risk Assessment should include adequate support for all conclusions and that it should be “appropriately supported by the underlying methodology and sufficient documentation.” This risk concept is not just for the BSA Department. The OCC, in their order of March 29th, 2021, stated, “Measurement systems shall provide timely and accurate risk reports by customer, by department or division, and bank wide as appropriate; control systems to mitigate risks associated with planned new products, growth, expansion of existing lines of business, or any proposed changes in the Bank’s operating environment.”

The OCC and FinCEN in their March 17th, 2022, order, issued a $140M penalty for failures in all the pillars of the BSA. This included lacking comprehensive risk-based policies and procedures and the operational rigor needed to successfully address the risks associated with its customer base, products and services, and geographies. It is easy to see that everything in BSA is tied to risk in every area of the financial institution!

Number 2: The Board’s Responsibility

The FFIEC (Federal Financial Institutions Examination Council) Exam Manual makes it abundantly clear that the Board of Directors is ultimately responsible for the BSA program. Since the BSA Officer is the Board-appointed representative in the financial institution, the Exam Manual also directs the Board to ensure the BSA Officer has “sufficient authority, independence and access to resources” to administer an adequate program based on the institution’s ML/TF risks. On March 29th, 2021, the OCC stated that the Board must analyze and limit the risks tied to any new lines of business or growth the Board undertakes. The Board is also to hold management and personnel accountable for following the OCC guidelines for the BSA requirements.

Another of the Board’s responsibilities is to ensure the BSA Officer has the time, resources, and staffing needed to implement a strong program. To ensure the BSA Officer has sufficient time, the Board must ensure the BSA Officer’s duties are limited to BSA and that he or she is not expected to wear multiple hats. That includes supplying the BSA Officer with a sufficient number of staff and ensuring that those staff members are adequately trained for their specific roles.

Again, on May 6th, 2022, the FDIC directed the Board to maintain oversight of the BSA program and to ensure a qualified officer covers the items listed below, as well as any other areas that impact the BSA program.

  • Third-Party Oversight (TPO) Program
  • Third-Party Relationship (TPR) customers
  • BSA/AML process/documentation backlogs
  • Issues/concerns related to Customer Identification Program (CIP) information collection
  • Verification and issues/concerns related to Customer Due Diligence (CDD)
  • Beneficial Ownership (BO) information collection and verification
  • Insider SARs

Number 3: The Authority of the BSA Officer

One of the five pillars of BSA is the BSA Officer. According to the FFIEC Exam Manual, the BSA Officer must have authority, independence, and access to resources within the bank. The Exam Manual even states that the actual title is not important if those three requirements are met. However, I find it interesting that the OCC, in the March 24th, 2021, Consent Order for West Valley National Bank, required a “BSA Officer who shall be vested with sufficient executive authority, time, and resources to fulfill the duties and responsibilities of the position”. The FDIC repeated this language on June 9th, 2022, in the Oxford University Bank Consent Order. Is this going to be a new requirement? Only time will tell!

Number 4: The Requirement of Individual Accountability

Lying or refusing to obey regulations is never a good thing, especially when it comes to BSA. In their November 18th, 2020, order, the FDIC fined a First Vice President/BSA Officer $10,000 for lying to the Bank’s management and the FDIC about the institution’s backlog of EDD (Enhanced Due Diligence) reviews and its failure to file SARs (Suspicious Activity Reports) on time. In addition, some EDD reviews were backdated and comments by a bank analyst were deleted.

Then on March 19th, 2021, the OCC issued a $35,000 penalty to a former Vice President for the avoidance of KYC (Know Your Customer) requirements. He willingly worked with customers to circumvent the KYC rules and showed an ongoing disregard for the safety and soundness of the bank. Obviously, the moral of these consent orders is to follow the rules and be honest with everyone!

Number 5: The Requirement of Adequate Staffing Levels

With all the regulatory expectations placed on the BSA Officer, is it any wonder that staffing is a key focus of Consent Orders? The OCC and FinCEN stressed this on March 17th, 2022, when they issued a $140M CMP (Civil Money Penalty) to a bank with many failures, including staffing. The bank needed 178 staff members as of 2018, and by early 2021 it still had 62 vacant seats. This staffing deficiency led to the “willful failure” to file SARs.

Then the OCC, on April 21st, 2022, stressed that it is important to have sufficient staff with appropriate skills and expertise consistent with the Bank’s ML/TF and other illicit financial activity risk assessment. There is that risk reminder again! Then on May 6th, 2022, the FDIC made it clear in their order that a staffing assessment was needed and gave a long list of things that should be considered in that assessment, involving all areas of the BSA program.

Number 6: The Importance of Robust Monitoring

Monitoring is the foundation of a solid BSA program. If this process is deficient, key risks will be missed and the institution will be exposed to fines and penalties. Numerous consent orders have focused on this; this article will focus on just a few. For example, FinCEN’s (Financial Crimes Enforcement Network) January 15th, 2021, $390M penalty is a good reminder of the following:

  • Stay apprised of changes within the industry, business models, and customer profiles
  • Combine all of the institution’s knowledge to mitigate risks
  • The volume of funds flowing through an account can be illegal even if the activity is consistent – Consistency Does Not Equal Legitimacy!
  • Don’t accept explanations of customer activity from the front line without verification

In addition, the OCC order on March 24th, 2021, stated that CDD should be conducted at account opening and on an ongoing basis. CDD should include triggers, such as changes to a customer’s risk profile, that prompt the institution to analyze the changes and consider a risk rating change. The same order gives a long list of EDD requirements tied to risk as well. The OCC order on October 28th, 2021, reminds institutions to include geographic factors in addition to adequately analyzing source and use of funds. Source and use of funds is repeated in almost every consent order and is one of the most important pieces to verify on all account reviews.

Another key order came out from FinCEN on December 16th, 2021, and involved an $8M penalty that stressed the importance of robust monitoring. One major issue was that the bank knew certain customers were the subjects of criminal investigations. Other issues included:

  • The bank willfully ignored that information, causing millions of dollars of suspicious activity tied to numerous illicit activities to go unreported
  • CDD questionnaires were not updated when needed
  • High-risk reports were available, but not used
  • Customers considered “well-known” had their activity reviewed less rigorously, and those customers were convicted of financial crimes
  • Alerts were generated on new activity but were closed with the same pre-set reason codes, and new SARs were not filed

On March 17th, 2022, the OCC/FinCEN issued a $140M CMP that included issues with CDD/EDD policies. Account opening information was insufficient to generate accurate risk scores, and staff arbitrarily filled in the missing information. This skewed the risk rating process for the entire institution, contributed to improper risk ratings throughout the institution, and heavily impacted the bank’s CDD/EDD reviews.

Finally, an order from the FDIC on June 9th, 2022, required procedures and/or systems in each business area to produce reports that identify suspicious activity over a broad range of time frames, as appropriate. It also stated that the institution should identify related accounts, countries of origin, and the locations of businesses and residences in order to identify patterns of activity.

Number 7: Transaction Monitoring Systems

As I have often said, an inaccurate and/or ineffective monitoring and reporting system could result in the complete failure of a BSA/AML program and open the financial institution to potential fines and enforcement actions. With that in mind, it is critical that institutions ensure their monitoring system has accurate data flowing into it and that the system parameters are tied directly to the institution’s risk assessment.

This is clearly seen in the March 17th, 2022, $140M CMP from the OCC/FinCEN, where a legacy system failed to capture critical information needed for CDD. The bank then implemented a new system without correcting the deficiencies seen during its short two-month testing period. When the new system went live, it failed to flag 1,300 cases that the old system would have flagged. At the same time, the system filters were too sensitive and created an unmanageable number of alerts, resulting in a backlog of 90,000 unreviewed alerts and 6,900 unreviewed cases!

The FDIC order of June 9th, 2022, also stressed “meaningful thresholds” for identifying accounts and customers, and periodic testing of those thresholds.

Then on May 20th, 2022, the SEC (U.S. Securities and Exchange Commission) issued a $7M penalty for a deficient implementation of a BSA automated system and a failure to test that system. As a result, the system failed to reconcile the various country codes used to monitor wires. There was also a failure to ensure wire data flowed correctly into the AML system in certain other situations. This made it impossible to monitor wire risk effectively.
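
The wire finding above comes down to two checks that any AML data feed needs: reconcile every representation of a country to one canonical code before screening, and reconcile the feed itself so that wires missing from the AML system are noticed rather than silently dropped. The Python below is an added illustration, not code from the SEC order or from any bank’s system. The country table is a deliberately partial, constructed subset of ISO 3166, the high-risk jurisdiction list is illustrative rather than OFAC’s, and the wire records are constructed. It shows a naive raw-value comparison passing the same jurisdiction in three other encodings, while the normalized screen catches all of them and routes an unrecognized code to review instead of clearing it.

```python
"""Normalize wire country codes and reconcile the feed before screening.

Added illustration; not code from any of the orders discussed. The
country table, high-risk jurisdiction list and wire records are all
constructed for the example (the table is deliberately partial, and the
jurisdiction list is illustrative, not OFAC's).
"""
from dataclasses import dataclass

# Constructed, partial ISO 3166 table: alpha-2 -> (alpha-3, numeric, name)
COUNTRIES = {
    "US": ("USA", "840", "United States"),
    "DE": ("DEU", "276", "Germany"),
    "IR": ("IRN", "364", "Iran"),
    "KP": ("PRK", "408", "North Korea"),
    "SY": ("SYR", "760", "Syria"),
}

# One lookup accepting alpha-2, alpha-3, numeric, or name (case-insensitive).
_LOOKUP = {}
for a2, (a3, num, name) in COUNTRIES.items():
    for key in (a2, a3, num, name):
        _LOOKUP[key.upper()] = a2

# Illustrative high-risk jurisdictions for the example, keyed by alpha-2.
SANCTIONED = {"IR", "KP", "SY"}


def normalize_country(raw):
    """Map any supported representation to alpha-2; None if unrecognized."""
    if raw is None:
        return None
    return _LOOKUP.get(str(raw).strip().upper())


@dataclass
class Wire:
    ref: str
    originator_country: object   # whatever the source system sent
    beneficiary_country: object
    amount: float


def screen_wire(wire):
    """Return 'hit', 'clear', or 'review'.

    'review' is returned when a country field cannot be reconciled, so an
    unknown code never silently passes as clear (fail closed).
    """
    codes = [normalize_country(wire.originator_country),
             normalize_country(wire.beneficiary_country)]
    if any(c is None for c in codes):
        return "review"
    return "hit" if any(c in SANCTIONED for c in codes) else "clear"


def naive_screen(wire):
    """The failure mode: compare raw field values directly to the list."""
    raw = (wire.originator_country, wire.beneficiary_country)
    return "hit" if any(r in SANCTIONED for r in raw) else "clear"


def reconcile_feed(source_refs, aml_refs):
    """Return wire refs present at the source but missing from the AML feed."""
    return sorted(set(source_refs) - set(aml_refs))


# Constructed sample wires: the same jurisdiction in four encodings.
SAMPLE_WIRES = [
    Wire("W1", "US", "IR", 12000.0),    # alpha-2
    Wire("W2", "US", "IRN", 9800.0),    # alpha-3 from a different system
    Wire("W3", "DE", 364, 15000.0),     # numeric code, stored as an int
    Wire("W4", "US", "iran", 7000.0),   # free-text name
    Wire("W5", "US", "ZZ", 5000.0),     # unrecognized code
    Wire("W6", "US", "DE", 3000.0),
]


def summarize(wires=SAMPLE_WIRES):
    """Map each wire ref to (naive result, normalized result)."""
    return {w.ref: (naive_screen(w), screen_wire(w)) for w in wires}


if __name__ == "__main__":
    for ref, (naive, normalized) in summarize().items():
        print(f"{ref}: naive={naive:6s} normalized={normalized}")
    # Constructed AML feed that silently dropped W3 and W4.
    print("missing from AML feed:",
          reconcile_feed([w.ref for w in SAMPLE_WIRES], ["W1", "W2", "W5", "W6"]))
```

Run as a script it prints one line per wire; only W1 is a hit under the naive comparison, while W2 through W4 are hits and W5 is sent to review once the codes are normalized. The feed reconciliation is the second control the order points at: a count or reference comparison between the wire source and the AML system, run on a schedule, so that a broken data flow surfaces as a list of missing references rather than as an absence of alerts.
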

One of the most important things about transaction monitoring systems is to understand the principles upon which they work. FinCEN’s December 16th, 2021, $8M penalty highlights the need not to assume that consistency means legitimacy. The software compared each customer’s activity with that of peers in similar peer groups. The system had no way to detect whether the baseline activity it compared against was itself legitimate. Based on the system, the analysts assumed that if activity mirrored the activity of other similar businesses, the activity was not suspicious. This left the bank unable to fully understand the nature and legitimacy of its customers’ activity.
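
The peer-group failure mode described above can be made concrete. The Python below is an added example, not the monitoring software from the CommunityBank of Texas action; the customers, peer groups, declared volumes and both thresholds are constructed. It runs two rules over the same monthly cash-in data: a peer z-score rule, and an expected-activity rule that compares actual volume with the volume the customer declared at CDD (the source and use of funds question). The peer rule finds the single outlier in a normal group but nothing in a group whose members are all running volumes far above what they declared, because within that group the activity is consistent.

```python
"""Peer-group comparison versus expected-activity monitoring.

Added illustration, not the monitoring system from any order discussed.
Customer records, peer groups, declared volumes and thresholds are
constructed for the example.
"""
from statistics import mean, pstdev

# Constructed monthly cash-in totals (USD) and the monthly volume each
# customer declared on its CDD questionnaire. Every member of peer group
# "G2" is running roughly ten times its declared volume.
CUSTOMERS = [
    {"id": "C1", "peer": "G1", "declared": 20000, "actual": 18000},
    {"id": "C2", "peer": "G1", "declared": 25000, "actual": 24000},
    {"id": "C3", "peer": "G1", "declared": 22000, "actual": 80000},
    {"id": "C4", "peer": "G1", "declared": 21000, "actual": 20000},
    {"id": "C5", "peer": "G1", "declared": 23000, "actual": 22000},
    {"id": "C6", "peer": "G2", "declared": 30000, "actual": 310000},
    {"id": "C7", "peer": "G2", "declared": 35000, "actual": 290000},
    {"id": "C8", "peer": "G2", "declared": 28000, "actual": 305000},
    {"id": "C9", "peer": "G2", "declared": 32000, "actual": 295000},
]

PEER_Z = 1.5           # constructed: flag if > 1.5 peer std devs above the peer mean
EXPECTED_FACTOR = 3.0  # constructed: flag if actual exceeds 3x the declared volume


def peer_group_alerts(customers=CUSTOMERS, z=PEER_Z):
    """Flag customers whose volume is an outlier within their own peer group.

    A group whose members are uniformly elevated has a small spread, so
    none of them stands out and nothing is flagged.
    """
    by_peer = {}
    for c in customers:
        by_peer.setdefault(c["peer"], []).append(c)
    alerts = []
    for members in by_peer.values():
        vols = [m["actual"] for m in members]
        mu, sigma = mean(vols), pstdev(vols)
        for m in members:
            if sigma > 0 and (m["actual"] - mu) / sigma > z:
                alerts.append(m["id"])
    return sorted(alerts)


def expected_activity_alerts(customers=CUSTOMERS, factor=EXPECTED_FACTOR):
    """Flag customers whose volume is inconsistent with what they declared.

    This rule is independent of the peer group, so a whole group that has
    drifted away from its stated business still surfaces.
    """
    return sorted(c["id"] for c in customers
                  if c["actual"] > factor * c["declared"])


def missed_by_peer_comparison(customers=CUSTOMERS):
    """Customers the expected-activity rule catches but the peer rule does not."""
    return sorted(set(expected_activity_alerts(customers))
                  - set(peer_group_alerts(customers)))


if __name__ == "__main__":
    print("peer-group alerts:       ", peer_group_alerts())
    print("expected-activity alerts:", expected_activity_alerts())
    print("missed by peer rule:     ", missed_by_peer_comparison())
```

Run as a script, the peer rule returns only C3, the expected-activity rule returns C3 and all four G2 customers, and the last line lists the four that the peer comparison alone would never raise. The point is not that peer analysis is useless but that it answers a different question (is this customer unusual for its group?) than the one the order is about (is this activity consistent with what the customer told us it does?), so a program that relies on peer consistency alone has no rule that can fire when the group baseline itself is illicit.
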

 

BSA Consent Orders/Civil Penalties Referenced:

  • 11/18/2020 – FDIC – Pacific City Bank, Los Angeles, CA (First VP and BSA Officer) – Link
  • 1/15/2021 – FinCEN Penalty – Capital One, National Association – Link
  • 3/19/2021 – OCC – PNC Bank, N.A., Wilmington, Delaware (former VP) – Link
  • 3/24/2021 – OCC – West Valley National Bank, Phoenix, Arizona – Link
  • 3/29/2021 – OCC – Transact Bank, N.A., Denver, Colorado – Link
  • 10/28/2021 – OCC – The Federal Savings Bank, Chicago, Illinois – Link
  • 12/16/2021 – FinCEN CMP – CommunityBank of Texas – Link
  • 3/17/2022 – FinCEN/OCC CMP – USAA Federal Savings Bank – Link
  • 4/7/2022 – FDIC – Roxboro Savings Bank, Roxboro, NC – Link
  • 4/21/2022 – OCC – Anchorage Digital Bank – Link
  • 5/6/2022 – FDIC – WEX Bank, Sandy, Utah – Link
  • 5/20/2022 – SEC – Wells Fargo – Link
  • 6/9/2022 – FDIC – Oxford University Bank, Oxford, Mississippi – Link
  • 6/17/2022 – FDIC C&D – First IC Bank – Link

OFAC

It is important to remember that the Office of Foreign Assets Control does not function in the same way as the bank regulators do. That is because OFAC is not a bank regulator; it is an enforcement agency. OFAC does not dictate step by step what you must do. You must take a risk-based approach here as well and determine your institution’s own policies and procedures. Also, unlike BSA, first violations are subject to monetary fines. To help lessen fines from OFAC, it is important to self-disclose any violation immediately upon discovery, cooperate with OFAC, and correct the problem to prevent future violations.

When looking at OFAC fines, it is easy to see themes similar to those in the BSA Consent Orders. Some highlights from various OFAC enforcement actions are as follows (Date – Highlight – Penalty – Link):

  • 12/30/2020 – IP addresses were collected by a digital currency company for security purposes but were not used for sanctions compliance – $98,830 – Link
  • 2/18/2021 – In addition to IP addresses, this digital currency company obtained names, addresses, and emails, but failed to use any of that information for sanctions compliance – $507,375 – Link
  • 4/29/2021 – An erroneous understanding of its sanctions obligations, together with screening and technology failures, cost this company – over $34,000 – Link
  • 7/23/2021 – This company lacked effective screening, testing, auditing, and transaction review procedures, and did not use information available to it, including IP addresses, for sanctions compliance – $1.4M+ – Link
  • 8/27/2021 – Training and monitoring procedures did not address the possible indirect export of financial services noted in the underlying trade finance and shipping documents (see also the FinCEN/BIS Joint Advisory on Potential Russian & Belarusian Export Control Evasion Attempts – Link) – $862,000+ – Link
  • 7/15/2022 – Human error by multiple analysts and program deficiencies were the key problems for this bank – $430,500 – Link

In conclusion, it is critical to remember that BSA and OFAC are quite overwhelming for even a team of people let alone one BSA or OFAC Officer. That’s why risk management in these two areas must be an institution-wide effort by all employees. This process begins at the Board of Directors, filters through senior Management, and finally throughout the entire institution.

Follow Nancy E. Lake:
Nancy Lake has over 16 years of experience in the BSA/AML world and was CAMS certified in 2008. Nancy received her CAMS-Audit certification in 2013 and her CAMS-FCI certification in 2015. She has conducted bank-wide BSA/AML training, including Board of Director training. Along with conducting monthly online training, Nancy speaks at numerous conferences throughout the year in the U.S., and even overseas. For six years, she was an instructor at the PA Bankers School of Banking, and for 7 ½ years Nancy served as Director of Compliance Anchor, the training and consulting division of Atlantic Community Bankers Bank. Nancy has used her BSA experience as an educator to assist financial institutions in the areas of training, risk management, and the development of sound internal programs and best practices for the past 16 years. She has previously served as BSA Officer in multiple community banks, where she successfully created and implemented the entire BSA program, including at one bank with numerous international MSBs. Nancy has experience working with and implementing several automated BSA/AML transaction monitoring systems. In September 2020, Nancy joined ARC Risk and Compliance as their Director of Training.