After broad review of AML, cyber rules, FinCEN pushes expansion of sharing, stays firm on thresholds
Thursday, March 23, 2017
Posted by: Brian Monroe
By Brian Monroe
March 23, 2017
Federal agencies are working to expand bank information sharing safe harbors to all crimes and better standardize financial crime compliance exams in addition to creating a new program to more rigorously review cybersecurity countermeasures for the most at-risk institutions.
The preview of current and upcoming changes for entities subject to anti-money laundering (AML) rules comes courtesy of the voluminous Federal Financial Institutions Examination Council (FFIEC) Joint Report to Congress under the Economic Growth and Regulatory Paperwork Reduction Act (EGRPRA). The report is a mammoth document with key updates on compliance concerns, current initiatives and potential future fixes.
But the just-released, 440-page tome does a bit more than reduce paperwork.
The joint report is a broad review of federal regulations applicable to financial institutions to glean what areas can be pruned or snipped. It is the final product of an expansive effort started in 2014 and covering everything from the Bank Secrecy Act (BSA) to cyber, capital requirements to safety and soundness, and more.
Among the many financial crime compliance issues noted in the report, several key challenges bubbled to the surface, including a desire to lower current filing thresholds for customer identification and suspicious activity, the high costs and technical sophistication of monitoring systems and a call for more consistency in AML exams across multiple examiners and regulators.
The EGRPRA itself is a federal law enacted in 1996 that directs the FFIEC and its member agencies to review and “eliminate unnecessary regulations to the extent that such action is appropriate" at least once every decade. The review must include “an analysis of whether the agencies are able to address the regulatory burdens associated with such issues by regulation, or whether these burdens must be addressed by legislative action.”
The principal areas identified for modifications to achieve meaningful burden reduction are regulations governing capital, regulatory reporting, real estate appraisals, and examination frequency, according to the report, ensconcing AML rules and cyber updates in the mix.
The exhaustive report is informed by 230 written comments and 120 oral comments across the spectrum of stakeholders involved in bank oversight and exams. The latest EGRPRA report is only the second, with the first being completed in 2007.
Update needed for SAR, CTR thresholds
On the AML side, some 40 commenters addressed financial crime compliance issues, with a recurring theme being a desire to raise the current threshold for currency transaction reports and suspicious activity reports (CTRs and SARs), from their current $10,000 and $5,000 levels.
That request will stay unrequited for now as the Treasury agency with purview over CTR and SAR thresholds, the Financial Crimes Enforcement Network (FinCEN), stated it wouldn’t budge.
Even at levels that haven’t changed since the 1970s, FinCEN stated the data is a gold mine for law enforcement. Even so, several commenters “offered alternatives to filing a CTR on individual transactions,” including an aggregate filing and bulk data downloads.
Other challenges mentioned by commenters included the “overall increasing cost and burden of BSA compliance,” resource fears tied to the new beneficial ownership rule, wanting “greater clarity regarding customer due diligence requirements and supervisory expectations, and BSA examination consistency.”
The costs and burdens of AML compliance were particularly harped-on issues by commenters.
The report highlighted the “high cost of software generally needed or expected to be used to comply with various aspects of the BSA,” a nod to the fact that the depth of data on customers is growing, the sophistication of monitoring systems is rising, and penalties for monitoring missteps are hitting record levels.
“One commentator stated that automated systems are expensive and drain staff resources, noting that there is often a need to hire dedicated compliance staff to oversee the conversion to, and running of, the new system,” according to the report.
In its response to that issue, the agencies stated they expect banks to have AML programs “commensurate with their money laundering and terrorist financing risks,” adding that the “sophistication of monitoring systems should be dictated by the bank’s risk profile, with particular emphasis on the composition of higher-risk products, services, customers, entities, and geographies.”
Conversely, banks that engage in “lower-volume and lower-risk activities with low risk customers within the institution’s geographic footprint are not expected to have automated systems but must have an effective BSA compliance program,” according to the agencies.
Another commentator, a trade association, “suggested that law enforcement and regulators are shifting their responsibilities associated with BSA, AML, and U.S. Housing and Urban Development Department data collection onto bank staff,” with one group stating they feel more like cops than compliance staffers.
Inconsistent examiners, frustrating results
On the exam front, some commenters stated they have had to deal with “inconsistent approaches in BSA examinations,” even though everyone follows the interagency AML exam manual, with 85 commenters pushing for “standard application of procedures.”
In its response, the regulatory bodies stated they have created, and routinely update the interagency exam manual and have created financial crime training for federal examiners to ensure goals, procedures and priorities are consistent. That is overseen by a formal BSA/AML Working group to analyze and refocus examiners that could be missing the mark.
Moreover, the FFIEC annually holds a BSA/AML Workshop and an Advanced BSA Specialists Conference for all FFIEC examiners “to promote consistency in the examination process and highlight emerging trends and practices.”
The comments and suggestions were not just aimed at the largest banks, but offered new paradigms to consider for smaller institutions.
The agencies suggested multiple operations collaborating to share AML duties, including “using a shared resource to assist in a variety of basic elements of required BSA programs such as training and the development of effective policies and procedures.”
Those moves “could reduce regulatory compliance costs through efficiencies gained under such arrangements and, at the same time, assist depository institutions in meeting the requirements of the BSA and effectively manage the risk that illicit financing poses to the broader U.S. financial system.”
New cyber focus in face of new attacks
On the cyber protection side, the agencies have collaborated with the FDIC, and state banking agencies to develop an information technology (IT) risk examination program, dubbed InTREx, that helps examiners focus on the latest virtual threats, get alerts to banks and also marshal examiner resources on banks systemically important or most at risk for attacks.
Federal regulators, like the rest of the U.S. government and private sector, is cognizant of the increasing creativity and success of cyber hacking groups, puncturing many of the world’s largest banks, retailers and government data nodes.
As a result, the new examination program “provides supervisory staff with risk-focused and efficient examination procedures for conducting IT reviews and assessing IT and cybersecurity risks at supervised institutions,” according to the report.
Further, under the InTREx program, “comprehensive IT examinations are conducted at institutions that present the highest IT risks and more targeted IT examinations are conducted at institutions with lower IT risks.”
In FinCEN responses, push for more sharing powers
In a comment letter appended to the letter, FinCEN started it had talked to law enforcement officials, who concluded the current SAR and CTR thresholds are “appropriate and should not be raised.”
Currently, more than 10,000 law enforcement and regulatory sources query the FinCEN AML database make more than 30,000 searches every day.
FinCEN did state, however, that it was currently working to make CTR filing more efficient for reporting entities tied to two key issues, aggregating CTRs and exempting certain cash-intensive businesses.
The bureau stated both issues would be “prioritized” at upcoming meetings of the Bank Secrecy Act Advisory Group (BSAAG), a public-private partnership where banks, regulators and FinCEN can discuss AML issues in an open, no repercussions forum.
The report's commenters also pressed FinCEN to adjust the safe harbor provisions under Patriot Act Section 314(b), which allows banks to share information with each other if the customer is suspected of engaging in money laundering or terrorist financing, to ensure institutions can explicitly share information tied to any specified unlawful activity.
FinCEN responded that the U.S. Treasury has already “provided language to Congress to amend the current safe harbor provisions accordingly. If Congress enacts these changes, FinCEN will work expeditiously to amend related implementing regulations.”
As well, FinCEN addressed commentator concerns about a perceived gulf between AML regulations and inconsistencies in examiner expectations, where regulators appear to have higher or different focal points than the letter of current laws, guidance and best practices.
In its response, FinCEN stated it will evaluate the “difference or delta between BSA reporting requirements and supervisory expectations” to address and “assess the potential burdens” for institutions implementing AML rules in a challenging regulatory environment.