New OCC comptroller’s handbook on board duties tied to risk management highlights AML expectations

 compliance written on blackboard

By Brian Monroe
bmonroe@acfcs.org
August 11, 2016

A recently released handbook from the regulator of the largest and most complex banks in the US gives new clarity, insight and granularity on management and board responsibilities tied to risk governance, including the expectations around financial crime compliance programs.

The 130-page report from the U.S. Treasury’s Office of the Comptroller of the Currency (OCC) specifically cites anti-money laundering (AML) program requirements nearly two dozen times, noting it’s a particularly challenging area that can also bleed into the other stated risk categories beyond compliance and into strategic, reputational and operational risk.

The handbook, released last month, is part of a broader initiative by the OCC to bring more understanding on what senior management and board of directors’ level individuals should know and consider when creating, updating and remediating compliance control programs. This latest release falls under the “management” prong of institution’s over-arching “safety and soundness” obligations.

OCC examiners “consider AML examination findings in a safety and soundness context when assigning the management component” according to the report. “Serious deficiencies in a bank’s BSA/AML compliance program create a presumption that the bank’s management component rating will be adversely affected because its risk management practices are less than satisfactory.”

At the same time, the OCC makes it clear that the board of directors is “responsible for ensuring the bank maintains an effective BSA/AML control structure. The board should oversee the bank’s compliance management programs. The board is responsible for creating a culture that places a high priority on compliance and holds management accountable.”

The OCC also wants to ensure banks understand that “compliance management programs,” should be higher board and management priorities and “should extend beyond consumer protection laws and factor in all applicable laws and regulations, as well as prudent ethical standards and contractual obligations.”

One thing that may surprise some compliance officers is the expectation of a specific “risk appetite statement,” that touches on financial crime compliance risks, defined as an “aggregate level and types of risk that a bank is willing to assume to achieve its strategic objectives and business plan.”

The risk statement should include “quantitative measures expressed relative to earnings, capital, risk measures, liquidity, and other relevant measures as appropriate. It should include qualitative statements to address reputation risk as well as money laundering and unethical practices.”

Banks already have to do risk assessments and create customer risk profiles when it comes to AML program rules.

Board training, updating critical

But in order to make good decisions and better understand what they are being presented, and also act as an overseer and backstop to senior management practices, the bank must have specific director “orientation and training” programs.

“Orientation programs vary according to bank size and complexity” according to the OCC, but at a minimum, the program should explain:

  • the bank’s organizational structure, corporate culture, operations, strategic plans, risk appetite, and significant issues.
  • the importance of BSA/AML regulatory requirements, the ramifications of noncompliance with the BSA, and the BSA/AML risk posed to the bank.
  • the individual and group responsibilities of board members, the roles of the various board committees, and the roles and responsibilities of senior management.

The reports and updates to the board “should provide an overall opinion on the design and effectiveness of the bank’s risk governance framework, including its system of internal controls. In smaller, less complex banks, the board should consider how internal audit reviews incorporate overall risk management.”

The OCC also detailed much more explicit instructions on how risk assessments should be crafted, what details should be in them and how they should be presented to the board, and how the board should respond.

“A well-designed risk assessment process helps the board and management address emerging risks at an early stage and allows them to develop and implement appropriate strategies to mitigate the risks before they have an adverse effect on the bank’s safety and soundness or financial condition,” according to the OCC.

The completed risk assessments should be integrated into the bank’s strategic planning process and risk management activities.

Risk assessments “should measure the inherent risk, which is the risk that an activity would pose if no controls or other mitigating factors were in place,” according to the OCC. “A residual risk rating should be assigned after controls are taken into account. The risk assessment process should be candid and self-critical.”

While these reports, and the back-end methodologies and technologies that create them, can be complex and highly technical, the board still has purview to “oversee management’s implementation of the bank’s risk assessment process,” and should “periodically receive information about the bank’s risk assessments.”

Management, the group that has been a historical foil to AML controls, should also independently “perform risk assessments on material bank activities at least annually, or more frequently as warranted.”

Water the CAMELS

Other prior handbooks have tackled several other letters that make up the “CAMELS” rating, such as capital adequacy, asset quality, management, earnings and liquidity, a necessity being that some of the related guidance in these areas had not been touched since the early 2000s.

As well, under the “management tab,” the OCC in February released a handbook on “Country Risk Management,” with only a line on AML risk.

The handbook also notes when dealing with countries considered more at risk for fraudulent schemes or are perceived to be riddled with corruption, banks should consider them a higher “operational” risk.

The tome mentions the word “de-risking,” but stays neutral and gives no added details, for or against the practice, which has become an economic, compliance and political flashpoint issue due to some countries losing access to the international financial system and potential key intelligence for law enforcement going dark.