Recent anti-money-laundering (AML) enforcement actions against community banks highlight the sector’s need to modernize and leverage regulatory technology, or regtech, more effectively1 and add a banking compliance program. Pressured by the rising costs of Dodd-Frank, many community bank executives feel they have to “cut corners, especially in compliance, an area that doesn’t bring in any dollars,” according to Pam Perdue, the executive vice president of Continuity, a third-party compliance service provider for community institutions.
From an AML standpoint, community banks are struggling due to deficient oversight of their compliance third parties and a lack of functional understanding about the technologies they deploy. This regtech illiteracy has compromised suspicious activity reporting (SAR), resulting in significant monetary penalties for smaller community operators. In February 2015, for example, the Office of the Comptroller of the Currency (OCC) and the Financial Crimes Enforcement Network (FinCEN) issued a $1.5 million civil money penalty (CMP) against a community bank for failing to flag and report $6.3 million in suspicious transactions related to a judicial corruption scheme.2
According to FinCEN, this delinquent institution committed the following violations:
- Failed to identify a 2007 law enforcement subpoena submitted against individuals and entities involved in the transactions
- Failed to report repeated round-dollar transactions, often occurring on a single day
- Failed to report abnormal activity volume compared to account balances
- The bank waited two years–after the masterminds of the fraud had pled guilty to their crimes–before filing SARs
In a separate case with more devastating consequences, FinCEN and the Federal Deposit Insurance Corporation (FDIC) fined a small West Virginia bank, with only $95 million in assets, a severe $4.5 million penalty for inadequate AML policies and for allowing clients to structure transactions to avoid filing SARs.3 This fine amount, which equates to nearly five percent of the bank's total assets, reflects aggressive enforcement actions even on the smallest of institutions.
While Continuity’s Banking Compliance Index, which monitors community bank compliance actions and costs, illustrates progress, with Q4 2016 enforcement actions falling to 116 from 159 during the same period last year, new Ultimate Beneficial Ownership (UBO) rules have complicated things further. Now, community banks must upgrade their customer due diligence (CDD) practices and customer identification programs (CIPs). A renewed focus on transparent and organized compliance processes has become essential for the sector.
In order to survive in this regulatory environment that is increasingly holding community banks to the same compliance standards as large ones, smaller institutions must adopt new controls to mitigate emerging AML threats. Community banks seeking to avoid potentially crippling enforcement penalties should make the following compliance best practices an organizational priority:
- Designate a chief compliance officer
- Tailor a risk-based approach
- Upgrade regtech assets
- Ensure policies are current and comprehensive
Designate a Chief Compliance Officer
In today’s day and age, it’s extremely important that community banks designate a chief compliance officer (CCO) to oversee all Bank Secrecy Act (BSA) and AML compliance, and to spearhead employee training initiatives. A CCO helps community organizations achieve a more organized and functional compliance program. While resources can be limited, the designated CCO can be a hybrid position overseeing a variety of compliance functions in order to maximize resources and still set a powerful tone of compliance from the top. The CCO role bolsters an internal culture of accountability, while providing a key organizational buffer between business operations and regulatory relations.
The transitioning of money laundering activity from large, aggressively-supervised institutions, to smaller, low-profile banks has introduced unprecedented risk into the community bank ecosystem. A CCO is needed to implement and oversee the processes that protect the integrity of bank deposits and mitigate the hazard of enforcement action.
Tailor a Risk-Based Approach
For community banks, AML risk typically falls into three categories: (1) products and services, (2) customers and entities, and (3) geographic location.4 According to the Federal Reserve Bank of Minneapolis, “effective BSA/AML compliance programs incorporate appropriate controls to mitigate these risks through comprehensive analyses of these categories.”
Community banks should outsource risk assessment functions to a regtech-savvy, third-party specialist that has the resources to accurately diagnose their vulnerabilities and who has more robust intelligence about the overall threat landscape. After the appropriate determination has been made, community institutions should create a banking compliance program tailored to their specific distribution of risk. Like credit unions and other small banks, community operators should keep a close eye on money service businesses (MSBs).
Upgrade Regtech Assets
In a 2015 Wall Street Journal article, Continuity’s EVP of regulatory operations said “community banks that have modernized are showing very suitable efficiency ratio improvements and are making gains” against the AML compliance burden. With the new UBO regulation, community banks must invest in modern technology to enhance customer identification. Modern regtech solutions allow community banks to identify and mitigate fraud more quickly by helping to identify unseen associations or risky behaviors that could potentially warrant further investigation.
Data-driven regtech software can enhance the capabilities of community bank compliance personnel in everything from customer due diligence to transaction monitoring. Given that a February 2015 FinCEN enforcement action5 penalized a community bank for failing to identify a 2007 subpoena issued against some of its clients, the broader community banking sector should take the steps needed to avoid million-dollar settlements. This scandal highlights the need for a modern investigative technology asset.
Ensure Policies are Current and Comprehensive
According to the Banking Compliance Index, community banks had to process 115 new regulatory changes within a span of 809 hours in Q4 of 2016. The velocity and volume of regulatory reform compounds the burden for compliance officers and demands that they stay up to date on all regulatory changes. Moving forward, community banks must author policies and programs that reflect the transformative scope of AML compliance, while keeping a close eye on announcements and risk alerts from regulators such as FinCEN, the OCC, and the FDIC, to name a few. It is important to note that the quantity of regulatory changes and the volatility at which they change have no indication of decreasing anytime in the near future.
From Cost Center to Growth-Driver
In this aggressive AML enforcement regime, the best practices highlighted above will help community banks mitigate the risk of operational disruption and crippling monetary assessments. As the recent enforcement action against the West Virginia community bank5 demonstrates, the size of an institution will have no material impact on AML regulators' capacity for sympathy. While the current administration may usher in an era of deregulation in financial services, AML is sure to remain a top concern for the U.S. Treasury and other federal and state agencies. Community banks will find that staying on the regulators’ good side is the surest path to profit.
Thomson Reuters is not a consumer reporting agency and none of its services or the data contained therein constitute a ‘consumer report’ as such term is defined in the Federal Fair Credit Reporting Act (FCRA), 15 U.S.C. sec. 1681 et seq. The data provided to you may not be used as a factor in consumer debt collection decisioning, establishing a consumer’s eligibility for credit, insurance, employment, government benefits, or housing, or for any other purpose authorized under the FCRA. By accessing one of our services, you agree not to use the service or data for any purpose authorized under the FCRA or in relation to taking an adverse action relating to a consumer application.