Over the past few years, billions of dollars in fines have been levied against financial institutions for failure to comply with anti-money laundering (AML) requirements. Still more has been spent on AML compliance controls, systems and personnel. Despite those efforts, regulatory enforcement actions continue, and financial institutions would be well served to revisit and potentially refocus their AML compliance efforts in order to avoid running the risk of enforcement actions. In terms of enterprise value, this approach also holds true, given that most financial institutions do not want bad business.
Rooted in the Financial Institution’s Culture
To be successful, AML compliance should be aligned with the overall business objectives. Compliance should be embedded within a financial institution’s culture. Until all stakeholders are aligned, financial institutions will continue to see rising costs of AML compliance and regulatory enforcement actions, despite their ongoing investments into compliance efforts.
Board members and senior management must set the tone for the financial institution by creating a culture of compliance. Rather than manage short-term financial goals, the focus should be on reducing regulatory and shareholder risk through active involvement in compliance and preventing “bad business.”
The U.S. Department of the Treasury’s Financial Crimes Enforcement Network (FinCEN) issued an advisory on this topic in August 2014. One observation from the FinCEN advisory is that it has become particularly important that senior management and board members at financial institutions of all sizes maintain strong cultures of compliance. The FinCEN advisory outlines several deficiencies that were identified in recent BSA (Bank Secrecy Act)/AML enforcement actions and that offer insights for financial institutions and their management and boards. In particular, the advisory reiterates the notion that a financial institution can improve its BSA/AML compliance culture by ensuring the following elements exist: [1]
- Leadership is engaged.
- Compliance is not compromised by revenue interests.
- Information is shared throughout the organization.
- Leadership provides adequate human and technological resources.
- The compliance program is effective and has been tested by an independent and experienced party.
- Both leadership and staff understand how their compliance reports are used.
Another important step that financial institutions should take is to broaden the scope and depth of their risk assessments. Several regulatory bodies have mandated risk assessments that should be tailored not only to a company’s operations but also to its third-party relationships. That means a financial institution should assess its potential risk exposure across the entire organization, across its counterparties, across its affiliates, and with regard to the products its affiliates use.
For example, recent enforcement actions suggest that some financial institutions may still be treating their affiliates as part of the same organization, and they’re not giving much consideration to potential AML risks as they conduct business with affiliates in certain jurisdictions. Therefore, it may be necessary for a financial institution to revise policies and procedures based on the regions where it conducts business.
In another example, financial institutions might want to consider adjusting their transaction-monitoring efforts when conducting business in jurisdictions that impose currency restrictions. Further, financial institutions should evaluate both inherent and perceived risks associated with certain business activities and relationships. This approach would be far more prudent than ignoring problems or exiting certain relationships wholesale and calling it “de-risking,” as has been observed in recent times.
Who is Your Customer?
In recent years, financial regulatory bodies in the U.S. and Europe have increasingly emphasized customer due diligence (CDD) as a means of combating money laundering and terrorist financing. In May 2016, FinCEN imposed formal CDD requirements, [2] and U.S. financial institutions will have until May 11, 2018 to comply with those rules. Most of the regulations that are now codified in the CDD rule have been considered regulatory expectations for some time, yet in light of the formalization of those regulations, financial institutions should consider taking the following actions:
- Review AML risk assessment, with particular focus on how current legal entities are being classified
- Review automated transaction-monitoring systems and procedures to make sure the results of their monitoring efforts are considered when reassessing or reclassifying customers based on their risk
- Make sure that CDD rule requirements are implemented seamlessly across the entire financial institution to avoid different risk classifications in different lines of business
- Develop — and periodically enhance — existing policies and procedures to meet the technical requirements of the CDD rule and to align the technical rule requirements with the financial institution’s risk appetite
The CDD rule represents a key development in the continued evolution of AML compliance, and regulators today may place even greater focus on the nature of customer relationships and transactional activity. It is critical that covered institutions determine far in advance of the deadline whether additional resources will be required.
2017 and Beyond
Although the evolving regulatory landscape poses significant challenges for financial institutions, it might also present value creation opportunities for financial institutions that get it right. By having an engaged board of directors and establishing a culture of compliance throughout the organization, a financial institution can position itself to better recognize, identify and avoid potential AML compliance risk exposure.