- In the latest edition of the interagency fincrime compliance exam manual, some AML professionals see a pullback from gathering global momentum to build “effective” programs to simply “adequate” aims.
- What the FFIEC AML exam manual says, even down to what words are used, has great import as it is the definitive industry bible for which compliance programs are judged, what formal actions are taken and even the potential for large penalties if failures are found to be “egregious.”
- The 2020 update does not cover all of the more than 440 pages of the 2014 exam manual, but adds 43 in-depth, nuanced pages covering some of the “core” and “pillar” exam areas, including the risk assessment, overall AML program, forming conclusions and finalizing the exam.
- The updated manual, while an overall mixed bag, does, however, have one line, a buried Easter egg, that could have teams jumping for joy: “Minor weaknesses, deficiencies, and technical violations alone are not indicative of an inadequate BSA/AML compliance program.” And the people rejoiced.
By Brian Monroe
April 16, 2020
In the latest edition of the interagency fincrime compliance exam manual, what many consider the industry bible for which programs are judged, some see a pullback from gathering global momentum to build “effective” programs to simply “adequate” aims.
That is just one of the overarching takeaways from the latest update to the Federal Financial Institution Examination Council (FFIEC) Bank Secrecy Act /Anti-Money Laundering (BSA/AML) Examination Manual, a widely scrutinized and relied upon seminal industry tome that dropped Wednesday.
The changes the examiner manual makes will be key regulatory focal points. To read the 2014 AML exam manual, click here.
Overall, the exam manual is a mixed bag for professionals, as it sharpens and clarifies some expectations related to risk ranking customers, transaction monitoring and testing and gauging overall program effectiveness, but still leaves some foundational AML prongs, including some much-needed metrics around the independent review, also called audit, unnecessarily vague.
The manual also makes much more liberal use of the word “adequate” in terms of exam expectations for the five program prongs, rather than using the term “effective” as in past iterations.
So that begs the question: with the Paris-based Financial Action Task Force (FATF), the Wolfsberg Group and other top watchdog, regulatory and policy-making bodies pushing toward an “effectiveness” standard for AML compliance, is the U.S. sliding back to just “adequate” in its latest, updated exam manual?
Some say the answer is yes.
“I think that they are working their way towards lowering expectations, unfortunately,” said Sarah Beth Felix, founder and president of Palmera Consulting.
“As you can see FinCEN was not involved in the update,” she said. “They are literally going the opposite direction of where the rest of the world is going. Wolfsberg, FATF, etc., all have started focusing on effectiveness and we are now lowering standards for examiners and for the examiners to be okay with lower bank standards.”
With shift in standards, industry is left guessing
The FFIEC didn’t update the full more than 440-page manual of “core” and “expanded” procedures, but instead changed key “pillar” portions over 43 pages, covering “Scoping and Planning”; “BSA/AML Risk Assessment”; “Assessing the BSA/AML Compliance Program”; and “Developing Conclusions and Finalizing the Exam.”
The 2020 AML manual is also informed by the December 2018 interagency “Joint Statement on Innovative Efforts” to fight financial crime, noting that innovative efforts should be given tacit credit, along with updated risk-based approach statements in July 2019, an effort to increase transparency in what has long been very a subjective examination area – how risky is that risk.
Some of the changes, according to analysis by some of the top minds in the space, including Jim Richards, Sarah Beth Felix, and Dev Odedra, include:
- Effectiveness vs. adequacy standard: Whereas the 2014 manual calls for AML officers to create an “effective” and “sound” program, in many instances where the word “effective” was used, the 2020 manual has changed the word to “adequate.”
- Reading between the lines: The 2020 manual switches terminology that some considered confusing, asking AML officers to look for “money laundering and terrorist financing (ML/TF) risks, rather than look for, in the old manual, “BSA/AML risks.”
- Quality vs. quantify: The 2020 manual, in a clear nod to stakeholder frustration, added the word “quantify” to the risk assessment process, opening the door for finer slices of risk, particularly for areas considered to be at a higher risk for money laundering, such as foreign wires and correspondent accounts.
- Figurehead appointment: The 2020 FFIEC exam manual gives more ink to the compliance officer prong of the AML program, giving more precise indicators of what an examiner should review when evaluating authority, resources and knowledge – making it clear to the board that simply appointing a compliance officer, and not supporting them, will not stand.
- Negotiating leverage: The 2020 manual also seems to deal with one of the biggest criticisms of exams in recent decades – death by a thousand cuts. In short, that dynamic is where examiners will rake a bank over the coals for ticky-tack program stumbles, missing the good it actually did to fight crime. An “adequate” standard could also give AML officers more leverage at the negotiating table when examiners find fault.
- And the people rejoice: The line that will likely cause AML officers to jump for joy, and open the door for fincrime teams to make changes to embrace innovation: “Minor weaknesses, deficiencies, and technical violations alone are not indicative of an inadequate BSA/AML compliance program and should not be communicated as such,” according to the updated manual.
As watchdogs shift to effectiveness standard, will U.S. lag behind?
The exam manual – first published in 2005 and which has been revised and re-published four times since, with the last full edition published in November 2014 – drops at a challenging time for financial crime professionals, juggling compliance duties while fighting a global COVID-19 pandemic.
The update, however, does not offer any new guidance on what examiners will expect, or what banks should do, to better balance compliance teams that have been scattered while working from home or even trimmed as some institutions engage in broad layoffs as a result of a falling economy.
The FFIEC only touches on the pandemic tangentially, with more of the statement attempting to assuage past criticisms that the manual, and really any AML guidance, is simply new laws and requirements dropped on industry without going through Congressional review and rulemaking processes.
“The agencies are aware of the uncertainty faced by financial institutions during this unprecedented time,” the FFIEC wrote in a statement. “The manual update, which supports tailored examination work, has been in process for an extended period and should not be interpreted as new instructions or as a new or increased focus.”
While it will likely be easier for a struggling bank to craft an “adequate” AML program during the coronavirus crisis, that standard stands at odds with global momentum to focus more on “effectiveness” than technical compliance.
What will ‘adequate’ AML exams, programs, look like?
Starting in 2005 with the first FFIEC BSA/AML Examination Manual, and continuing to the last full publication in 2014, the purpose of a BSA/AML regulatory exam was to “determine whether banks had an effective BSA/AML compliance program,” said Richards, the former head of AML at Wells Fargo, in analysis on the changes.
As well, the directors of those banks, who were ultimately responsible for their bank’s BSA/AML compliance, were to ensure the BSA Compliance Officer had “sufficient authority and resources to administer an effective program.”
But that could be changing.
In the four “pillar” sections that were updated in 2020, the words “effective” or “effectiveness” appear four times in forty-three pages, he said. “Those words appeared seventeen times in the old 2014 version.”
The 2020 update “appears to have lowered those bars: going forward, the purpose of a BSA/AML regulatory exam is to determine whether banks have an adequate BSA/AML compliance program,” Richards said.
In tandem, now the directors of those banks, who remain ultimately responsible for their bank’s BSA/AML compliance, are “now to ensure the BSA Compliance Officer has appropriate authority and resources to administer an adequate program.”
Will these changes lead to weaker AML programs, lighter exams and potentially more dirty money getting into the U.S. and international financial system?
Only time will tell.
“It will be interesting to see what, if any, differences this new adequate standard will bring as regulatory examiners across America will be walking into banks and credit unions and announcing, ‘hello, we’re here to determine whether you have an adequate program,’” Richards said.
“That is a very different greeting, and a very different exam, and possibly a very different result, than if that examiner walked in and announced, ‘hello, we’re here to determine whether you have an effective BSA/AML compliance program.’”
Comptroller of the Currency, Joseph Otting, has stated where he falls on the issue – which some could argue diverges from the manual he is talking about.
“The FFIEC agencies published updates to the BSA/AML Examination Manual that represent a significant step forward in our efforts to improve how we ensure banks have effective programs to safeguard the banking system against financial crime, particularly money laundering and terrorist financing,” with the emphasis added being my own.
Even while experts debate the ramifications of the updated verbiage, fincrime compliance teams can’t lose focus – or they could pay for it.
“The change in terminology by the FFIEC, from ‘effective’ to ‘adequate’ should not be taken by AML professionals and their financial institutions to mean they can relax their guard,” said Gary Ferrari, a Financial Crime/AML and Compliance Risk Management Leader and Advisor in Banking and Financial Services for more than three decades.
“This change assuredly is an accommodation more to the examiners than to the examined,” he said. “Do not be lulled into the notion that you can relax your guard and meet a standard of ‘adequacy’. Effectiveness in financial crime risk management remains the gold standard for knowledgeable and committed AML professionals.”