New UK report on AML gaps at smaller banks parallels problems in US

A just-released thematic review by the United Kingdom’s chief financial regulator uncovering broad failings in small banks’ anti-money laundering controls mirrors compliance struggles occurring at similarly-sized US institutions, say compliance professionals.

The UK’s Financial Conduct Authority (FCA) examined 21 small banks between October 2013 and June 2014 to scrutinize anti-money laundering (AML) programs and sanctions screening systems, with their final decisions informed in part by a prior 2011 thematic review and subsequent guidance and enforcement actions following the published results.

In this latest review, the regulator found that smaller institutions had “significant and widespread weaknesses” in AML controls, particularly in the areas of customer and business risk assessments. In addition, banks continued to struggle in several areas representing the highest risk, including enhanced due diligence for politically-exposed persons (PEPs) and correspondent relationships.

Across the pond in the United States, there are also less publicized, but no less potent, compliance failings in critical program areas at potentially thousands of smaller banks, say compliance professionals, examiners and consultants.

Any gaps in the countermeasures of smaller institutions have been magnified by de-risking among the many larger banks and other institutions bruised by bad decisions and enforcement actions. As bigger institutions drop risky entities in droves, such customers seek the path of least resistance back into the financial fold at more trusting community institutions.

Smaller banks broadly in the United States have struggled with understanding the elements of a sound risk assessment, creating innovative training to engage front line personnel, and keeping the institution as a whole abreast of the latest threats and trends, said Chip Poncy, the former director of the U.S. Office of Strategic Policy for Terrorist Financing and Financial Crimes.

Overall program strength, expertise of staff and tuning transaction systems at smaller institutions is “an issue of growing importance” for federal regulators and investigators, said Poncy, now the founding partner at the Financial Integrity Network, a consulting firm.

“Big banks are de-risking and taking more conservative approaches to banking practices. That could mean a migration of risk from big banks to lesser equipped institutions,” Poncy said.

At the same time, the US is currently undergoing an internal review of its laws and institutions that started earlier this year. The initiative, spearheaded by the US Treasury and involving dozens of other government regulators and investigative agencies, comes ahead of a more rigorous upcoming evaluation next year by the Paris-based Financial Action Task Force (FATF), which sets global AML standards.

Though the US has undergone such reviews in the past, with key problems tied to the availability of beneficial ownership information, the latest round is expected to be significantly more difficult as the exam teams will be grading on the effectiveness of banks and law enforcement in identifying, intercepting and forfeiting sullied funds and convicting criminal kingpins.

Regulators fearing criminal migration

Regulators in various forums in recent years have expressed their concerns about the compliance countermeasures at smaller institutions and those openings being exploited by an influx of recently-jettisoned, risky entities looking for bank accounts.

In March 2013, the Office of the Comptroller of the Currency’s (OCC) head, Thomas Curry, told senators in a congressional hearing that organized crime groups have been more aggressive in turning to relatively smaller institutions to open accounts and attempt to launder ill-gotten proceeds.

“As some large or midsize banks have attempted to lower their risk profiles, higher risk products and customers have migrated to community banks,” he said during a hearing. “These institutions must be mindful of the resources and personnel necessary to successfully manage higher risk activities.”

More recently, in a June 2014 “Supervisory Spotlight,” the Federal Reserve Bank of San Francisco touched on the AML programs at smaller operations, stating that in the prior year period, examiners had identified an “array of BSA/AML internal controls weaknesses in community banks, which indicates that continued diligence is needed.”

In particular, regulators noted that certain areas requiring additional attention included properly tabulating the AML risk of new products and identifying high-risk customers and related activities, such as those operating private ATMs, money services businesses, anything tied to marijuana operations. Also highlighted were ensuring proper training for staff and reporting program issues to institution’s board.

One major problem for many smaller banks is that they are still using mostly manual transaction monitoring systems or, if they have upgraded to automated monitoring, they don’t understand the systems enough to customize them, said Arnie Scher, chief executive officer of Jade Information Systems, Inc. in New York City and a former compliance officer for JPMorgan.

“That can lead to data problems,” he said, adding that if the system is not picking up certain transaction or customer types or not meshing properly with other bank software programs, the institution may miss certain suspicious activities and related reports.

In addition, for many smaller banks, they don’t have the in-house talent to pick up on the more arcane nuances of AML because “maybe they were just hired for the position or the bank just someone from another department and gave them AML duties as well,” Scher said. Smaller banks can be more “marketing oriented that AML oriented. Maybe the AML officer is also the head of sales.”

Saddled with too much risk, too little understanding

Federal banking regulators have shined a spotlight on many of these persisting and emerging issues at smaller banks in recent public actions and penalties.

In several recent enforcement actions, the Federal Deposit Insurance Corp., which covers nearly 6,700 institutions, also highlighted significant AML compliance failures at smaller institutions in the areas of adequate customer due diligence, risk assessment and sanctions screening.

In early September, the regulator entered into a consent order with Tupelo, MS-based BancorpSouth Bank, stating that the institution needed to strengthen its customer due diligence, risk assessment and sanctions procedures and engage in transactional review, also called a lookback, between June 2013 and May 2014 to look for any missed instances of suspicious activity.

In late August, the FDIC also dinged Alexandria, VA-based Burke & Herbert Bank & Trust Company for AML deficiencies in a consent order to conduct a risk assessment consistent with the standards set in the interagency exam manual and craft procedures for the adequate depth of customer scrutiny at account opening, monitoring and suspicious activity reporting, all program basics.

One of the more egregious examples of a smaller bank failing to under the risk of certain entities or craft a program to mitigate those risks occurred in In September 2013 with a monetary penalty against Saddle River Valley Bank.

The U.S. Treasury’s Financial Crimes Enforcement Network (FinCEN) and OCC the federal regulator for the nation’s largest and most complex banks, penalized the Newark. N.J.-based bank $8.2 million for widespread AML failings, including not adequately monitoring $1.5 billion in transactions tied to foreign currency exchanges in Mexico and other countries.

The enforcement actions noted that the bank in July 2009 disregarded warnings on the risk of foreign money services businesses, called casas de cambio.

The bank eventually took on four operations, three of them in Mexico, and failed to conduct enhanced due diligence on the higher risk entities, detect and report suspicious activities, employ an experienced compliance officer, train its employees or have qualified individuals independently test the program.

Not keeping up with properly implementing current rules means that these smaller operations may also not be preparing for upcoming compliance changes as well that would require changes

in policies and procedures, in-house and vendor-driven software systems, customer onboarding and recordkeeping, Poncy said.

He noted that many smaller banks are lagging in terms of updating practices and systems for new rules, such as the FinCEN beneficial ownership proposal, which calls on banks to get information on the owners or corporations down to a 25 percent or added details on the individuals exercising ultimate control, Poncy said.

That can create a dynamic where more risky and less transparent shell companies are funneled to these smaller institutions because they feel they don’t have to engage in more extensive due diligence until the rules is finalized, while other larger banks with a more senior understanding have already adopted these practices, he said.

‘Weak’ efforts mean more guidance, enforcement coming

Having any chinks in the compliance chain mail in the form of weaker AML standards at smaller banks is akin to having a door left ajar for transnational organized crime groups. In the case of the US and UK, that opening leads to both nations becoming major financial centers.

Both countries are classified in the latest iteration of the US International Narcotics Strategy Report as “countries of primary concern” for being “major money laundering countries,” the amount of money laundered through these jurisdictions estimated to be in the trillions of dollars, or an average of between 2 percent and 5 percent of the gross domestic product, according to government estimates.

That context brings the conclusions of the FCA report on the compliance programs of smaller banks into stark relief, with the government charged anew with retooling laws, guidance and enforcement policies to attempt to gird the country against ever more creative criminals.

In the FCA thematic review, examiners found that a third of the banks did not have the proper resources for a sound AML program, with staff knowledge, awareness and training on key AML and sanctions risks being dubbed “weak” by evaluators, including many of the money laundering reporting officers (MLROs) charged with running the compliance programs.

The review also found that overseas banks faced “particular AML challenges when they relied on other parts of the group to carry out customer due diligence on their behalf, due to the fact that certain bank policies were “not always consistent with UK legal and regulatory requirements,” causing conflicts in sharing information across borders.

In the aftermath of the review, the FCA has commenced investigations into two banks, while four banks agreed to limit their business with certain high-risk customers until they have corrected identified compliance deficiencies.

Three of those four institutions must appoint a person to conduct a more in-depth review of the AML and sanctions controls to uncover less obvious gaps and create an action plan.

In the prior 2010-2011 review of 27 banks by the prior incarnation of the FCA, the Financial Conduct Authority, examiners also found extensive weaknesses in institutions’ AML systems, as well in the areas of higher-risk entities, such as PEPs.

As well on the subject of financial crime compliance, the FCA published proposed guidance Friday to aid in institutions to better ward off criminals, including a more pronounced tone at the top of the organization and more aggressively engaging senior management while uncovering more depth and detail tied to the beneficial owners of corporate entities.

In a separate FCA thematic review released on Friday focusing on insurance brokers, the regulator concluded that the group had inadequate AML programs and that intermediaries failed to properly assess how they could become ensconced in other financial crimes, such as corruption.

The challenge of finding qualified people on the domestic and international fronts to run these AML programs and be a bulwark against criminals but elastic enough to quickly morph processes to fend off the latest threats is not likely to get easier any time soon, said an external AML auditor.

“Smaller banks typically can’t offer the same pay to qualified AML officers,” said the person. “That has resulted in many smaller banks promoting inexperienced people internally. In one review, we found that a bank employee starting asking questions about AML compliance and the bank then gave that person the duty, along with juggling their other job tasks.”