Shortcomings identified in recent Anti-Money Laundering (AML) enforcement actions confirm that the culture of an organization is critical to its compliance. Although enforcement actions are specific to the subject financial institution and the characteristics of the situation, certain general lessons could be gleaned from these actions that could be instructive to the leadership of all financial institutions required to comply with the Bank Secrecy Act (BSA). Accordingly, the Financial Crimes Enforcement Network (FinCEN) issues this Advisory to highlight general principles illustrating how financial institutions and their leadership may improve and strengthen organizational compliance with BSA obligations.1
Regardless of its size and business model, a financial institution with a poor culture of compliance is likely to have shortcomings in its BSA/AML program. A financial institution can strengthen its BSA/AML compliance culture by ensuring that (1) its leadership actively supports and understands compliance efforts; (2) efforts to manage and mitigate BSA/AML deficiencies and risks are not compromised by revenue interests; (3) relevant information from the various departments within the organization is shared with compliance staff to further BSA/AML efforts; (4) the institution devotes adequate resources to its compliance function; (5) the compliance program is effective by, among other things, ensuring that it is tested by an independent and competent party; and (6) its leadership and staff understand the purpose of its BSA/AML efforts and how its reporting is used. This advisory describes each of these areas in more detail below. Financial institutions should consider how to incorporate the guidance outlined in this advisory in a manner that is commensurate with their risk profile and business model.
FinCEN Guidance to Financial Institutions
Leadership Should Be Engaged
A financial institution’s leadership is responsible for performance in all areas of the institution including compliance with the BSA. As applicable, an institution’s leadership may include its board of directors, senior and executive management, owners and operators. These leaders are responsible for understanding an institution’s responsibilities regarding compliance with the BSA and creating a culture of compliance at that institution. The commitment of an organization’s leaders should be visible within the organization, as such commitment influences the attitudes of others within the organization.
For a BSA/AML compliance program to be effective, it should have the demonstrable support of the leadership (as appropriate based on the financial institution’s size and structure). The institution’s leaders should also receive periodic BSA/AML training that is tailored to their roles. In addition to supporting a culture of compliance, an appropriate understanding of BSA/AML obligations and compliance will help an organization’s leadership make informed decisions with regard to the allocation of resources to the BSA/AML function. The leaders of the organization should also remain informed of the state of BSA/AML compliance within the institution.
Compliance Should Not Be Compromised By Revenue Interests
Compliance staff should be empowered with sufficient authority and autonomy to implement an institution’s AML program. An institution’s interest in revenue should not compromise efforts to effectively manage and mitigate BSA/AML deficiencies and risks, including submission of appropriate and accurate reports to FinCEN. An effective governance structure should allow for the BSA/AML compliance function to work independently and to take any appropriate actions to address and mitigate any risks that may arise from an institution’s business line and to file any necessary reports, such as Suspicious Activity Reports (SARs).
For example, for Money Services Businesses (MSBs), principal MSBs often derive a significant percentage of their revenue from the activity of their agents. When principal MSBs learn of possible inappropriate activity by an agent, the activity should be investigated thoroughly and appropriate action taken regardless of the impact on revenue. The findings from the investigation should be considered when determining whether an agent is terminated, and the sales unit should not have express or implied authority to veto the decision because of the agent’s sales activity.
Information Should Be Shared Throughout the Organization
Several recent enforcement actions noted that the subject institution had relevant information in its possession that was not made available to BSA/AML compliance staff. This may have resulted from a lack of an appropriate mechanism for sharing information, a lack of appreciation of the significance or relevance of the information to BSA/AML compliance or an intentional decision to prevent compliance officers or staff from having access to the information.
There is information in various departments within a financial institution that may be useful and should be shared with the compliance staff. For example, information developed by those in the organization combating and preventing fraud could also assist a financial institution in complying with its BSA/AML obligations. Similarly, legal departments should alert compliance departments to subpoenas received that were issued by government agencies, to trigger reviews of related customers’ risk ratings and account activity for suspicious transactions. Additionally, in a larger organization there may be multiple affiliated institutions that could benefit from sharing of relevant information across the organization.2
For instance, in the gaming sector, this principle can be applied to casinos that develop significant information on their gaming customers for purposes of marketing or extending credit. However that information is derived, it should be provided to the compliance staff to assist in conducting customer due diligence and monitoring customers for suspicious activity. This principle can also be applied to mutual funds that receive transaction information about their customers through a frequent trading monitoring program, or other similar efforts. In those cases, information that could further the BSA/AML compliance efforts of the mutual fund should also be shared with mutual fund staff engaged in BSA/AML compliance.
Leadership Should Provide Adequate Human and Technological Resources
A required element of any BSA/AML compliance program is the designation of an individual responsible for coordinating and monitoring day-to-day compliance with the BSA. The individual should be knowledgeable of the BSA and have sufficient authority to administer the program. For the program to be effective, the institution should devote appropriate support staff to its BSA/AML compliance program based on its risk profile.
The failure of an institution’s leaders to devote sufficient staff to the BSA/AML compliance function may lead to other failures. For example, depository institutions, as well as other types of financial institutions, generally have staff that review alerts generated by transaction monitoring systems. Devoting insufficient staff or other resources to this function may result in alerts not being reasonably designed to capture appropriate risks or being dismissed improperly, or create a backlog of alerts that may result in the untimely reporting of suspicious activity.
Appropriate technological resources should also be allocated to BSA/AML compliance. Institutions with higher risk profiles, including those with substantially higher volumes of activity, may need to utilize automated systems for identifying and monitoring suspicious activity.
The Program Should Be Effective and Tested By an Independent and Competent Party
Appropriate involvement of a financial institution’s leadership should be, at a minimum, commensurate with the institution’s level of BSA/AML risk exposure. Appropriate leadership involvement allows the BSA/AML function to implement an effective compliance program. Components of an effective BSA/AML compliance program additionally include a proper ongoing risk assessment, sound risk-based customer due diligence, appropriate detection and reporting of suspicious activity and independent program testing.3
While recognizing that all the components of an effective compliance program are important, FinCEN stresses the independence that the testing of a compliance program should have. A financial institution’s leadership should ensure that the party testing the program (whether internal or external) is independent, qualified, unbiased and does not have conflicting business interests that may influence the outcome of the compliance program test. Safeguarding the integrity and independence of the compliance program testing enables an institution to locate and take appropriate corrective actions to address BSA/AML deficiencies.
Leadership and Staff Should Understand How Their BSA Reports are Used
Finally, leadership and staff at all levels in a financial institution should understand that they are not simply generating reports for the sake of compliance, but rather recognize the purpose that BSA reports serve and how the information is used. The reporting and the transparency that financial institutions provide under FinCEN’s regulations result in some of the most important information available to law enforcement and others safeguarding the nation. It is used to confront serious threats, including terrorist organizations, rogue nations, weapons of mass destruction (WMD) proliferators, foreign corruption and, increasingly, some cyber related threats. The reporting that financial institutions provide also assists in the fight against transnational criminal organizations including those involved in drug trafficking and massive fraud schemes targeting the U.S. government, our businesses and our people.
That same information may also help an institution protect itself and aid law enforcement in protecting the institution from bad actors, including insider threats, frauds and cyber-related threats such as spear phishing, account takeovers and distributed denial of service attacks, when such reports are filed. Additionally, the very existence of BSA regulations has a deterrent effect on those who would abuse the financial system. The certainty of a Currency Transaction Report (CTR) filing and the mere possibility of a SAR filing force illicit actors to behave in ways that expose them to scrutiny and capture.
The reporting that financial institutions provide is used to:
Understanding and communicating the context and the purpose of FinCEN’s BSA/AML regime is as important to a financial institution’s culture as understanding its underlying requirements, and financial institutions should consider including such information as part of their ongoing training requirement. Information on how BSA reports are used can be found on FinCEN’s website and is routinely shared through numerous public-private training events involving FinCEN and its many law enforcement partners.
For Further Information
Questions or comments regarding the contents of this or any other advisories should be addressed to the FinCEN Resource Center at (800) 767-2825 or (703) 905-3591. Financial institutions wanting to report suspicious transactions that may relate to terrorist activity should call the Financial Institutions Toll-Free Hotline at (866) 556-3974 (7 days a week, 24 hours a day). The purpose of the hotline is to expedite the delivery of this information to law enforcement. Financial institutions should immediately report any imminent threat to local-area law enforcement officials.
FinCEN’s mission is to safeguard the financial system from illicit use and combat money laundering and promote national security through the collection, analysis, and dissemination of financial intelligence and strategic use of financial authorities.