The federal regulator of the nation’s largest and most complex banks will be giving more attention over the next year to key financial crime program areas, such as how banks capture, place and groom compliance talent, identify and gauge risk and ward off cyber hacking threats.
The US Treasury’s Office of the Comptroller of the Currency (OCC) made its concerns around anti-money laundering (AML), cybersecurity and a range of other programs clear for banks large and small in its Semiannual Risk Perspective released last week.
The 41-page document is an industrywide foreshadowing of where examiners will give extra scrutiny due to worries that certain banks – particularly large, sophisticated operations that operate in multiple jurisdictions – don’t have adequate financial crime risk governance and control structures to keep out money launderers, fraudsters or corrupt political heavyweights.
The document is informed by the agency’s high-profile failures, such as the $1.9 billion penalty against HSBC, in which the OCC was called before Congress in 2012 and quickly pledged changes, such as not allowing banks to hold as many rolling informal matters requiring attention [MRAs], making more informal actions formal and making financial crime infractions a pillar violation that could affect deposit insurance rates.
Overall, the number of formal AML actions has “remained consistent” in recent years, between 10 and 16 since 2010, while the monetary penalties have mushroomed, going from $5.2 million in 2010 to $552 million in 2013 and $351 million in 2014, with a drop to six actions and cumulative penalties of $500,000 so far in 2015.
The OCC report highlighted key troubling trends in banks, including that some are “taking on additional risks by expanding into new, less familiar, or higher-risk products without adequate due diligence or appropriate risk management and controls.”
The financial crime program issues noted by the OCC – such as capturing and retaining key talent, aligning monitoring with risks and lowering costs without sacrificing controls – are “perennial issues, but the regulator is highlighting them because they are becoming more complicated to solve,” said Marie Kerr, an independent AML consultant and systems expert in Annapolis, MD.
In the current environment, with many large domestic and foreign banks under enforcement actions, there is a massive focus on who banks are hiring in AML and what their qualifications are, she said.
“Right now, it’s tough to find people who know AML, fraud and systems,” Kerr said. “I have done a lot of work with big banks, and they put the wrong people in certain program areas a lot. I understand everyone has their place, but to solve a problem as immense [as financial crime], you need all of the available talent in the talent pool” and understanding across disciplines.
As well, the regulator noted that due to a “challenging operating environment,” some institutions are shirking their AML duties in a quest to boost profits and are not trying to tackle risk holistically, leading to a lack of key oversight and expertise in the most high-risk areas, including:
- Some banks are lowering overhead expenses by reducing control functions, exiting less profitable businesses, closing offices, and outsourcing critical control functions to third parties without establishing appropriate risk management processes.
- As part of their strategy to deal with competitive pressures and to lower overhead expenses, banks are leveraging technology such as cloud computing and mobile banking, which can increase exposure to technological and operational risk.
- As a result, on the cybersecurity side, examiners will be reviewing banks’ programs for assessing and mitigating the evolving threat environment and cyber resilience, including reviewing assessments of data and network protection practices, business continuity practices, risks from vendors, and compliance with any new guidance.
- Management succession planning, attracting appropriate expertise, and retaining key experienced personnel are growing issues for many banks, particularly in the areas of credit, Bank Secrecy Act and anti-money laundering (BSA/AML), compliance management, enterprise risk management, and internal audit.
On the financial crime side, the OCC wants to see programs that “continually evolve to address changing customer profiles, advanced money laundering schemes, the rapid pace of technological change, and the overall risk that money laundering and terrorist financing activities create,” including a “well-staffed program.”
A critical part of the initiative is responding to OCC formal and informal actions, the agency stated. Examiners will “continue to focus on timely corrective action on outstanding concerns addressed in [matters requiring attention (MRAs)] and [enforcement actions] and will communicate clearly any additional actions needed to fully remediate an identified deficiency.”
It’s also no surprise the agency highlighted the role of third parties in AML and cybersecurity lapses, she said.
When banks outsource AML duties, customer service or data management, that could make it easier for criminals to exploit weaknesses and hack into systems through lax security protocols that sit outside of the bank but give access through third-party portals and flimsy systems, Kerr said.
“Some banks don’t realize they are still responsible for the risks they outsource, even if the mistake is made by the third party,” she said, adding that criminal hacking groups are getting more creative, savvy and sophisticated and are actively looking for vulnerabilities in such relationships to get at bank accounts and customer details.