By Muhamad Rizwan Khan
Chief Risk Officer, Premier International Exchange, Dubai, UAE
With editing and content additions by VP of Content Development, Brian Monroe
In the panoply of risky responsibilities that must be juggled when managing a compliance program, very high at the top of the list is adequately responding to regulatory and law enforcement inquiries.
Why? Well, there are a lot of reasons. Chiefly, because the strength, timeliness and transparency of your responses, in the eyes of examiners and investigators, will relate directly back to the perceived robustness of your overall financial crime compliance program.
What do we mean by this? Think of this as a cycle where one false step in either direction can result in added scrutiny from either party involved in countering financial criminals – from the regulators grading your anti-money laundering (AML) programs to the investigators tracking global illicit financial flows that may run right through your institution.
Let’s take a look at how this looks in practice in the United States, for instance. Some examples include:
- Law enforcement subpoenas, National Security Letters: These can come from local, state and federal investigators. Guidance states they should be considered a red flag for the institution to review the subject’s activity for a possible SAR filing.
- Patriot Act Section 314(a): This allows federal investigators to query the banking sector very broadly all at once, asking institutions if they have ties to a given individual, company or entity. If there is a hit, law enforcement then follows up the request with a formal subpoena. Consider any hits a red flag warranting a deeper review.
- Patriot Act Section 314(b): This is a voluntary mechanism allowing banks to query participating institutions about individuals, corporations or entities. This also allows bank compliance officers to communicate with other compliance professionals to talk more about specific accounts, giving them a safe harbor to share information – with the caveat that they cannot disclose if they have filed, or are going to file, a suspicious activity report (SAR).
- Regulatory requests: These are typically related to a prior or upcoming exam of an institution, but can also come related to the need for data on larger industry trends, gaps or patterns. They can come before or after an exam, and, sometimes, even during an exam.
Don’t take requests, responses lightly
Keep in mind, though, these inquiries are much more than simple requests for more information on people, policies and procedures.
Both these groups know things you don’t know.
For instance, regulators already know how the best, and worst, bank compliance programs work for small, medium and large institutions and will compare the relevance and richness of your responses to other banks, with any variance in data quality or quantity or inconsistencies leading to examiners questioning why – and if your AML program is deficient in any areas.
Key to considering how to respond to regulators is also taking into account the timing of the request.
If the regulatory request comes before an exam, the questions will likely presage areas of focus. In many cases, one of the first things an examiner requests is the findings of the most recent AML independent audit, so ensure any past issues cited have been corrected or are in the process of being corrected.
Banks in their responses should also pull back from their own institutions and be aware of what regulators have said in industry-wide enforcement orders.
In recent years, examiners of domestic banks have focused on the accuracy of customer data, the backend methodology related to customer risk assessments, the efficiency of transaction monitoring systems and ratio of alerts to number of staff and their accumulated acumen.
For the domestic operations of international banks, the regulatory focus has been a bit different.
Regulators, and also investigators, have levied hefty monetary penalties against foreign banks related to what is flowing through their correspondent portals, including any lack of insight into hidden, nested entities, the oversight of affiliate connections and any failures in risk ranking allowing foreign firms in places like Russia, China and other risky regions to transact with impunity.
Conversely, if the inquiry comes after an exam, the questions could be related to areas where examiners think you missed the mark. So, it would be wise to respond with more detailed information than just data points and metrics.
The response should also show that the bank sees the bigger picture related to whatever the regulator is requesting and that the institution is aware of any related criminal trends or geopolitical power shifts.
Further, make sure to mention and highlight to examiners in your response that you have already done a deeper dive into your AML program and have uncovered any larger programmatic AML issues, and already have a plan in place to fix them, complete with estimated timetables.
Bringing problems to regulators without having a solution in place could raise the ire of examiners.
Honesty still the best policy
While admission of imperfections is painful, erring on the side of transparency is much preferred to regulators finding the problems during an exam and deciding to extend the examination or create a more rigorous remediation plan themselves.
This also better deals with one of the greatest fears of compliance officers during an exam – that the agency gets it into its collective head that the bank is hiding something.
Being upfront about program weaknesses might mean the remediation is pricier and the timetable lengthened, but at least examiners won’t find what they would consider a bold lie, gaining a solid foothold to distrust the bank, with the potential result being more serious charges.
Such a dynamic, regulators feeling as if a bank has lied to them, and then finding out that the bank did, has been at the heart of many of the most high-profile and high-value monetary penalties in recent years.
For instance, federal and state regulators have chastised several foreign banks for not being honest about the depths of problems in weak AML programs.
Earlier this year, the U.S. Treasury’s Office of the Comptroller of the Currency (OCC) handed down a $50,000 penalty against former Rabobank Chief Compliance Officer Laura Akahoshi and prohibited her from working in financial institutions in a compliance capacity due to systemic failures in reporting AML data and actively concealing program weaknesses from federal examiners.
The OCC stated that Akahoshi, a former OCC examiner herself, made “false statements” and “concealed bank documents” from examiners who found issues with the California operations of the Dutch bank as far back as 2012.
Regulators levied a $368 million penalty against Rabobank in February related to obstruction charges, lying, tarrying and actively obfuscating a federal regulatory inquiry by the OCC.
Bank regulatory response checklist
In order to best be prepared to give regulators what they want before, during or after an exam, banks should be aware of the domestic and international resources examiners use to collect information and some potential response tactics to leave them with the best possible impression of the overall AML program:
Resources regulators use to collect information
- The number of alerts generated by the AML transaction monitoring system, the ratio of false positives to SARs created and the number of analysts to review them.
- What federal law enforcement has told the national financial intelligence unit (FIU) about emerging criminal financial crime trends.
- What foreign regulators have seen in terms of illicit trends and compliance vulnerabilities and told the home country regulator through “supervisory channels.”
- Data collected through open source intelligence searches, meta searches and negative news searches related to suspicious activity, companies and individuals.
- The latest red flags that have been linked directly or indirectly to money laundering and related predicate crimes, including fraud, corruption and terror financing.
- Transactional trends involving shell companies with opaque beneficial ownership structures.
- What regions are at a higher risk to be using foreign correspondent relationships to get funds into the international financial system.
- Information obtained from internal hotlines/portals or queries escalated through whistleblowers, including what former employees told regulators.
Issues to consider when responding to regulator queries
- Understand the scope of the regulator query, such as whether it is related to customers or the compliance processes of the institution itself, and the expected timeframes and deadlines.
- If the request is related to a high-profile case, compliance should work closely with the bank’s legal counsel.
- Remember, the objective should be providing the information with full integrity, honesty and transparency. Never try to sugarcoat the health of an AML program.
- If the regulatory query is related to a previously filed SAR or STR, make sure you understand the full scope and circumstances related to the filing.
- If the request is related to your staff or an employee, investigate it internally.
- If the request is related to an owner or board member, be vigilant and keep the utmost confidentiality.
- Remember, no matter if the regulator is asking about a potential criminal, compliance process, employee or board member, strictly no tipping off.
Regulators, investigators working together – against you
In formulating responses, banks must be fully aware of a very sobering realization: government investigative agencies typically know where a wide array of unsavory characters like to bank.
Federal investigators are constantly following, in the real and financial worlds, the most distant nerve endings of the criminal underworld to uncover how they move their money up to the bigger fish – the eventual real targets that will lead to crushing larger illicit networks.
At the same time, investigators are also querying their regulatory counterparts, communicating, cooperating and coordinating with each other, so try to view them as interlinked entities, cognizant of the real possibility that they can, and do, work in concert against you, but with a slightly different focus.
As a result, compliance professionals must contend with government agencies involved in investigating and prosecuting money laundering wanting to get information on individuals, companies or accounts – with the implicit meaning that, potentially, they could have done something wrong and you are banking them.
An immediate question in this scenario: Were there any compliance steps missed related to these accounts?
Some vital details to consider when responding to various requests on the law enforcement side include:
- Subpoena snippets: For instance, banks should be able to triangulate if a customer has been the subject of multiple inquiries, such as more than one subpoena or in combination with a subpoena, 314(a) request and the like. A critical question here: Has the bank filed any SARs against the individual, or individuals, mentioned? If not, they could consider doing so.
- Systems integration: Consider cross-training the individuals involved with responding to subpoenas with the same training as your AML team. Make sure to inform them there could be transaction records in the bank’s core systems and additional records or details captured by the AML transaction monitoring system.
- Subplot lookback: To ensure there are no gaps or gaffes related to subpoena responses, you should consider a mini-lookback, or transactional review of a few of the most recent responses to subpoenas, the documents provided, then compare and cross-reference those figures with the transactions related to reports available to the AML side of the house.
- Just the facts: Be aware that with all of the incredible wealth of data and financial information in a bank that could be of value to investigators, they can also get overwhelmed. If a subpoena asks for details of only certain transactions in a certain period, try to stick to that. The bank might consider certain models when giving data to the team that prepares subpoenas so the transaction filters are calibrated and data is precisely and properly limited to that request.
- Tactical training: As mentioned before, banks should consider cross-training the subpoena team on financial crime compliance; that tenet is doubly true for 314(a) and 314(b) requests. The intake personnel should have training beyond AML to include financial and open source investigations to better determine if there are entities hiding behind opaque ownership structures.
- Devilish details: When responding to subpoenas with transaction records, consider going beyond the basics. For instance, rather than noting a transaction as a “check deposit” if the person deposited both checks and cash, parse both out. As well, rather than labeling a $9,000 withdrawal as a “Misc Debit,” mention what kind of withdrawal, in the case below, a money order. Also have a section to include “other” transactions to color and give better context to the transactions.
See example below:
Response fumbling gives perception of program bumbling
On the other end of the response spectrum from investigator inquiries are regulators reviewing the AML programs at institutions to ensure they are properly designed to detect suspect transactions and prevent illicit groups from gaining entry into the international financial system.
Not surprisingly, that means whatever a regulator requests externally, it should lead a bank to do a similar requisite bit of reviewing internally before a response is finalized – but it must be done quickly, for instance in the timeframe requested by the regulator or in a matter of weeks, not months.
For instance, if you tarry or fumble in responding to requests for information on the compliance controls around certain classes of customers, or say, the ratios of false positives to actual alerts becoming suspicious activity reports, or the information given is weak or lacks detail, an examiner will likely pounce – believing the whole of the AML program is equally shabby and threadbare.
Examiners typically ask for a lot before an exam, guided by both agency agendas and directives you don’t know about, along with the results of your most recent AML independent review – findings and results you do know about and should already have plans in place for improvement or evidence of completed projects and metrics delineating concrete upticks in effectiveness.
While satisfying both regulators and investigators may be a delicate dance, and sometimes seem like the goals are at cross purposes – banks can feel torn between following processes to appease examiners or diverting resources to create richer, timelier intelligence to law enforcement – it can be done.
But it all starts with knowing the best ways to respond to regulatory and investigative inquiries, decisions that must be thorough, thoughtful and precise, with an eye toward improving effectiveness, efficiency and creating an impenetrable bulwark against criminal entities of all stripes.
Further resources and acknowledgements:
Sarah Beth Whetzel at Palmera Consulting.
Law firm Buckley Sandler.
The FFIEC AML exam manual.