By Brian Monroe
February 23, 2017
The oldest banking association in the United States, representing the nation’s largest and most influential banks, is proposing a drastic overhaul of compliance rules that it says will bolster the quality of intelligence to law enforcement, boost innovation and resources and reduce regulatory penalties.
In many ways, the proposals released last week by the Clearing House Association (CHA) would be a tectonic shift in financial crime compliance focus. The changes would give banks more freedom to prioritize current risks on a more real-time basis, guided by the very law enforcement investigators they are trying to serve, rather than regulators focused on assessing procedures.
At the heart of the 30-page report by the association, founded in 1853, is a disconnect plaguing the anti-money laundering compliance sector for decades that has only intensified since the September 11, 2001 terrorist attacks: banks can’t serve two masters. The results are evident as institutions in recent years have paid record penalties soaring into the billions of dollars.
Condensed to its essence, the report gives voice to the whispered frustrations and secret wishes for harmony among some members of the compliance community: On one side, law enforcement agencies are seeking fewer suspicious activity reports (SARs) with richer intelligence value, while examiners tell banks they can be penalized for missing any filing that in their view could be illicit.
“In sum, under the current regime, national security, law enforcement, and intelligence agencies—the end users of [anti-money laundering/counter-financing of terrorism (AML/CFT)] information—focus on outcomes, while those who grade the financial institutions for compliance focus on auditable processes,” according to the report.
The report identifies a bevy of problems, solutions and areas for future study, including raising SAR dollar thresholds, giving banks more credit for creating useful and meaningful SARs, enacting new legislation to capture beneficial ownership data, expanding information sharing safe harbors to cover cyber events and fostering the creation of fintech “sandboxes” free of examiner exsanguination.
“The ClearingHouse report attempts to bridge a chasm that would appeal to both sides of the new administration’s divide on bank regulation generally and BSA/AML regulation in particular,” said Ross Delston, a Washington, DC-based independent attorney and anti-money laundering compliance consultant.
“Will the administration view BSA/AML compliance by the nation’s largest banks as a regulatory burden or as furthering national security and law enforcement objectives? The report’s answer? Both. Unfortunately, in my view it accomplishes neither.”
Delston disagrees that enforcement actions against many banks stem from, as the report calls it, “imaginative deviation” and a focus on new ideas and innovation.
“While it may be true that some banks have been penalized for deviating from established norms, the vast number of BSA/AML penalties have been for a bank’s failure to comply with the fundamentals – onboarding of customers, monitoring of customers, accounts and transactions, and filing of SARs. Hence, the factual basis of the report is questionable,” he said.
FinCEN would be large, in charge
But possibly the most radical reform on the agenda – which broadly would put more onus on the government to capture and pool more raw data from banks to find criminal connections individual institutions could miss – is an initiative to make the U.S. Treasury’s Financial Crimes Enforcement Network (FinCEN) the country’s top banking regulator for the largest, riskiest and most international operations.
That line item alone would upend current examination paradigms spread between the Office of the Comptroller of the Currency, Federal Reserve and, to a lesser degree, the Federal Deposit Insurance Corp, and a scattershot of state agencies with varying expertise, methodologies and enforcement philosophies.
FinCEN currently has few examiners that actually visit banks, but has historically coordinated with federal regulators and investigators on significant AML penalties. The bureau has also taken a more aggressive enforcement approach in recent years and levied singular penalties of its own accord against banks, casinos and individual compliance officers.
But the report lays out several arguments as to why FinCEN should take the reins of AML exams for banks, and possibly even money service businesses.
Overall, under the proposed framework, FinCEN would be in a prime position to analyze key criminal trends, issue more precise compliance guidance on an individualized basis to banks and then analyze in context how those banks are complying. Institutions would be given more credit for SAR craftsmanship, a weighting that could give a pass for minor program foibles, according to the report.
Implementing this approach would likely mean very substantial logistical and cultural hurdles for the bureau.
“In other words, the work of the Fed, the OCC and the FDIC, each of which has thousands of trained examiners, many of whom have received specialized training in BSA/AML compliance, each with over fifty years of history and institutional culture of performing on-site supervision, should be replaced by an agency with not one examiner, no history or culture of supervision, and no budget or personnel with which to accomplish this goal,” Delston said.
“It would be like gutting a just-caught fish and then throwing it back in the water so that it could swim away – after which you would have neither dinner nor a viable fish,” he said.
Letter of the law, versus the spirit
The conclusions and resultant proposals came from two meetings last year with dozens of current and former government officials, regulators, investigators and private sector senior level compliance officers, the report says.
In private and public forums, top compliance professionals have bemoaned the law enforcement/regulators dichotomy, where focusing on one area can mean being at cross purposes in another.
“If I have the option to file a SAR early, but lose key details, or file a SAR a little bit past the deadline to make a better SAR for law enforcement, I will do it,” said a compliance officer at a large U.S. bank in a conversation with this reporter in 2013. “Because that is what the spirit of the law requires, not the letter of the law, even if it gets me in trouble with examiners.”
In that same vein, a second compliance officer stated in a conversation a year later that he “really wished I could do more really cool stuff for law enforcement with the sophisticated systems that I have, but I keep getting dinged on ticky-tack stuff by my regulators. I am getting so bogged down on AML minutiae. It’s death by a thousand cuts.”
Both compliance officers asked at the time not to be named.
So what are the most pressing needs to strengthen the country’s framework to fight money launderers, fraudsters and terrorists, according to the CHA? The association identified eight reforms for immediate action:
- The Department of Treasury, through its Office of Terrorism and Financial Intelligence (TFI), should take a more prominent role in coordinating AML/CFT policy across the government;
- FinCEN should reclaim sole supervisory responsibility for large, multinational financial institutions that present complex supervisory issues;
- Treasury/TFI/FinCEN should establish a robust and inclusive annual process to establish AML/CFT priorities;
- Congress should enact legislation, already pending in various forms, that requires the reporting of beneficial owner information at the time of incorporation, preventing the establishment of anonymous companies;
- Treasury TFI should strongly encourage innovation, and FinCEN should propose a safe harbor rule allowing financial institutions to innovate in an FIU “sandbox” without fear of examiner sanction;
- Policymakers should incentivize banks to work on investigations and reporting of activity of high law enforcement or national security consequence;
- Policymakers should further facilitate the flow of raw data from financial institutions to law enforcement to assist with the modernization of the current AML/CFT technological paradigm;
- Regulatory or statutory changes should be made to the safe harbor provision in the USA PATRIOT Act (Section 314(b)) to further encourage information sharing among financial institutions, and the potential use of utilities to allow for more robust analysis of data; and
- Policymakers should enhance the legal certainty regarding the use and disclosure of SARs.
“The stakes are high,” according to the report, because of the crucial role banks play in “preventing, identifying, investigating, and reporting criminal activity, including terrorist financing, money laundering and tax evasion.”
But much of that effort, and the billions of dollars spent on compliance systems, resources and expertise, is squandered, the CHA argues.
“Today, most of the resources devoted to AML/CFT compliance by the financial sector have limited law enforcement or national security benefit, and in some cases cause collateral damage to other vital U.S. interests,” according to the group, referring to the broad “de-risking” trend that has cropped up in the past few years where banks drop ties to risky regions and entities.
“A redeployment of these resources could substantially increase the national security of the country and the efficacy of its law enforcement and intelligence communities, and enhance the ability of the country to assist and influence developing nations.”
Expansion of 314(b) for cyber sharing
In a bid to give banks an edge to counter growing domestic and international cyber threats, and in a further nod to a culture of compliance convergence dropped by FinCEN last year, the report also called on Congress to expand Patriot Act Section 314(b).
That piece of legislation is a safe harbor to cover the sharing of information related to illicit finance activities potentially tied to money laundering or terrorist financing. The CHA wants protections to extend beyond those constraints and into the realm of cyber warfare.
Some believe the umbrella coverage of cyber sharing tacitly exists now, but without an explicit shield of law, banks sharing information on cyber intrusions now could open themselves up to lawsuits or could be inadvertently breaching privacy rules.
The CHA states that, “for example, the safe harbor could be revised to permit sharing also for the purpose of identifying and reporting a specified unlawful activity,” as defined in U.S. statutes, which would allow sharing on nearly every crime that can create illicit funds, including fraud, kidnapping, and dozens of others.
Moreover, as the crimes in the statute, specifically cited as 18 U.S.C. 1956(c)(7), “relate to computer fraud and abuse, such a revision would protect sharing regarding cybercrimes and identity theft without requiring that financial institutions first determine whether the crime also involves money laundering or terrorist financing,” according to the report.
In that same vein, the CHA report noted that Congress must keep an open mind on the innovation front in the areas of financial information sharing and fintech and “should also expand the safe harbor to cover technology companies and other non-depository institutions, to provide greater freedom to experiment with information-sharing platforms.”
Areas of further study
The report highlights that there are several loose ends still to tie up, in the form of areas of further study.
One recommendation is for AML/sanctions utilities, described as a public-private database to share information among law enforcement and financial institutions to make screening more efficient, effective and timely and ensure a blacklisted entity doesn’t slip a transaction through a bank just because it has different software than another.
Banks are also pushing for Congress to enact legislation making not just SARs, but any investigatory materials related to their creation, confidential, particularly against the probing fingers of civil litigators.
In what would be a move welcomed by compliance officers of all stripes, another recommendation would require FinCEN, by regulation, to carve out a “clearer definition of what constitutes a reasonable AML/CFT program, including what conduct will result in an enforcement action or prosecution.”
With such a granular blueprint in place, if a bank “engages in compliance conduct that a regulator deems acceptable ex ante and illicit financial activity still occurs, the issue can be addressed through discussions between financial institutions and their regulators, with no enforcement action taken.”