New US AML/BSA Exam Manual Increases details on violation severity

The latest edition of the US interagency anti-money laundering exam manual landed with a thud this week, a mammoth tome updating and tweaking procedures on nearly two dozen program areas, including minor and major violations, suspicious activity reports and entity risk stratification.

The 2014 AML/BSA Examination Manual was released Monday by the Federal Financial Institutions Examination Council (FFIEC), which is made up of the top government regulatory bodies and acts to set standards on how a wide range of US financial institutions will be examined for compliance with AML laws and regulations and the Bank Secrecy Act. The group includes the Office of the Comptroller of the Currency, Federal Reserve, Financial Crimes Enforcement Network, Federal Deposit Insurance Corporation, Office of Foreign Assets Control, National Credit Union Administration and other state liaison groups.

The manual, at more than 440 pages – roughly 320 pages of exam expectations and an additional 120 pages of reference materials, examples and definitions – will likely take weeks to decipher and months or years to implement due to the challenges in changing and retuning compliance programs, related software systems and updating training procedures.

But several top issues rise to the fore immediately, areas informed by record anti-money laundering (AML) and sanctions enforcement actions and resulting political pressure since the last iteration of the manual was released in 2010.

In a few notable areas of difference with the previous edition, the 2014 version:

  • Defines systemic AML violations
  • Defines isolated AML violations
  • Updates transaction monitoring and sanctions filtering system expectations
  • Highlights the importance of timely, quality SARs

“There has been a lot of major [enforcement] actions in the area of compliance and guidance that has been released since 2010, so putting all of the requirements and regulatory expectations in one spot should help most banks,” said a consultant who works with large domestic and foreign banks.

The manual should help institutions understand where they should most strengthen their own procedures, though the heightened expectations in some areas could make it  harder for institutions that have to remodel processes more extensively.

This year’s manual gets into greater detail on what examiners consider isolated, or technical, violations and what constitutes the more serious systemic, or recurring, violations, which could result in more aggressive regulatory scrutiny, extensive remediation procedures or expensive monetary penalties.

The manual defines systemic violations as “the result of ineffective systems or controls to obtain, analyze and maintain required information or to report customers, accounts or transactions” and “repetitive occurrences of the same or similar issues.” The scope of the problems would “demonstrate a pattern or practice of noncompliance” with AML rules, according to the manual.

Examples of such serious violations would include the number of violations being high compared with the bank’s total activities, similar violations in other departments, if the violations are localized or more widespread and institutionalized, how the violations affect customer transaction reporting (CTR) and suspicious activity report (SAR) filings , weak due diligence on high risk entities, such as correspondent banks, missed, late or non-detailed SARs and failing to respond to law enforcement 314(a) requests.

Conversely, regulators define isolated violations, which could potentially be dealt with through non-public informal actions, as “limited instances of noncompliance with the [Bank Secrecy Act] BSA that occur within an otherwise adequate system of policies, procedures, and processes.”

The violations “generally do not prompt serious regulatory concern or reflect negatively on management’s supervision or commitment” to AML compliance, but multiple isolated violations “could be indicative of systemic” weaknesses, according to the manual.

Examples would include infrequent missed or late CTRs, incomplete customer details or inaccurate customer information on SARs or inadvertently not responding to a 314(a) request. Those are broad queries, typically originated by federal investigative agencies through the US. Treasury, which ask banks to look up details for certain individuals and report back any hits, such as account and transaction details, related accounts and jurisdictions involved.

The manual also goes into additional details on what is expected related to the filing of SARs, including parsing out what examiners consider the main elements of a solid report: alert identification, through employees, transaction alerts or law enforcement, managing alerts, decision making, completion and filing and monitoring and reporting on continuing activity.

Moreover, the manual puts significant emphasis on transaction filtering for sanctions programs managed by the Office of Foreign Assets Control (OFAC), which urges banks to consider creating sanctions-related  risk assessments and auditing procedures.

The document also had extensive segments on risk assessments and the related independent validation procedures for risk management models along with new changes for compliance procedures in the areas related to the oversight of foreign and domestic correspondent accounts, non-bank financial institutions, automated clearing house transactions, bulk cash and moving funds across borders and prepaid access.