Posted by Brian Monroe - bmonroe@acfcs.org 07/08/2022
Joint Statement By Regulators On The AML Risk-Based Approach Provides More Confusion Than Clarity
The skinny:
- A new joint statement by regulators on the endless twisting knot of the anti-money laundering risk-based approach has brought more confusion than clarity and has the sector guessing on the government’s true motives behind the cryptic message – and what new expectations lurk in the shadows.
- At issue: The seemingly innocuous “statement” couched as a gentle “reminder” from top banking regulators to “reinforce” the idea that customers don’t have a “single level of uniform” financial crime risk has the industry guessing why this, why now, what do you really mean and what do you want us to do differently.
- Moreover, some compliance professionals have even noted a potentially “dangerous” line in the two-page “Joint Statement on the Risk-Based Approach to Assessing Customer Relationships and Conducting Customer Due Diligence” that could sabotage programs and empower budget overlords looking for any excuse to cut compliance expenses.
The View from the Top is a new ACFCS series connecting, collaborating and sharing the knowledge of the sector’s brightest minds to light your darkest days.
A new joint statement by regulators on the endless twisting knot of the anti-money laundering risk-based approach has brought more confusion than clarity and has the sector guessing on the government’s true motives behind the cryptic message – and what new expectations lurk in the shadows.
At issue: The seemingly innocuous “statement” couched as a gentle “reminder” from top banking regulators to “reinforce” the idea that customers don’t have a “single level of uniform” financial crime risk has the industry guessing why this, why now, what do you really mean and what do you want us to do differently.
The joint statement is also not easily ignored as it hails from architects and regulatory agencies that have in recent years doled out multi-billion-dollar penalties for “egregious” AML compliance failings: the U.S. Treasury’s Financial Crimes Enforcement Network (FinCEN) and top banking and credit union regulators, including the Office of the Comptroller of the Currency (OCC).
To read the full statement, click here.
The statement reiterates that banks “are neither prohibited nor discouraged from providing banking services to customers of any specific class or type” and that as a “general matter,” federal regulators don’t direct banks “to open, close, or maintain specific accounts.”
Instead, these government overseers “encourage banks to manage customer relationships and mitigate risks based on customer relationships, rather than decline to provide banking services to entire categories of customers.”
That verbiage is a clear nod to a growing trend over the last decade of banks dropping certain types of customers or jettisoning certain regions deemed to present too high a risk for financial crime.
Such actions have been widely decried by federal law enforcement agencies who then lose access to those financial intelligence streams.
As to why regulators released the statement now?
It takes some reading of the tea leaves, but there is a lot going on behind the scenes in the fincrime compliance space globally and in the United States.
So using national and international trends to focus on “effectiveness” and outcomes of compliance programs and investigations, rather than simply the budget, number of warm bodies and filed reports, here are some potential reasons:
- Quality, not quantity: Federal law enforcement agencies are pushing regulators to remind banks that investigators want better suspicious activity reports – which can only happen if banks do more thorough investigations on the truly risky entities potentially tied to organized criminal groups, fraud rings and crypto scammers.
- Prioritize the priorities: FinCEN as well could be nudging its regulatory brethren and sisteren to remind banks about the broader goals of the Anti-Money Laundering Act (AMLA) and National AML Priorities so banks refocus their risk lens in those areas, which would broadly align with law enforcement investigative focus areas.
- Go with the flow (of intelligence): FinCEN could also be working another angle to support law enforcement intelligence needs – reopening financial information spigots that have gone dry due to de-risking. By re-risking back to certain parts of the world, or opening the doors back to, say, PEPs and gatekeepers, that resumes the flow of vital financial intelligence in the forms of SARs and transaction reports.
Ironically, while the joint statement goes out of its way to say certain groups shouldn’t always be subjected to a blanket risk category – for example, high – regulators then go on to list a bevy of historically high-risk groups mentioned specifically in the interagency AML exam manual as those that may need enhanced due diligence (EDD), including:
- independent automated teller machine owners or operators,
- nonresident aliens and foreign individuals
- charities and nonprofit organizations
- professional service providers
- cash intensive businesses
- nonbank financial institutions
- politically exposed persons.
The tension and dichotomy of dramedy: the very regulators who created the AML exam manual, and listed examples of entities that may require EDD, are now trying to tell you “not” to assume high-risk for broad categories of customers – but to instead engage in thoughtful, nuanced risk-scoring of all entities, and let the chips fall where they may.
Reminder of RBA expectations in AML exam manual also accidentally reminds budget overlords industry bible ‘does not establish requirements for banks’
Moreover, some fincrime compliance professionals have even noted a potentially “dangerous” line in the two-page “Joint Statement on the Risk-Based Approach to Assessing Customer Relationships and Conducting Customer Due Diligence.”
Those are just some of the issues raised by Sarah Beth Felix, a fincrime compliance professional with nearly two decades of experience and Founder and President of Palmera Consulting, in a social media post.
To read the full post and be part of the conversation, click here.
What is it and why?
The joint statement notes that while the Federal Financial Institutions Examination Council (FFIEC) Bank Secrecy Act/ Anti-Money Laundering (BSA/AML) Examination Manual provides guidance to examiners for carrying out AML compliance exams, “it does not establish requirements for banks.”
The phrase “does not establish requirements for banks” could be interpreted anew by budget bean counters that fewer, not more, resources are needed to calibrate, calculate and prognosticate on risk stratum and future potential illicit inclinations.
“Now, if the C-suite were to read it they would probably hyper-focus on this statement which can gut the effort and resources that AMLOs and BSAOs need to have for an #effective #AML program,” Felix wrote in her post, which garnered two dozen comments.
“This is a dangerous statement to make without further explanation to the [financial institutions (FIs)] who are the readers,” she said.
If examiners are going to be “expecting this type of #duediligence on customers… then why set the FIs up for failure by stating these requirements are not for the FIs? It doesn’t make sense.”
So what did the “statement” remind banks of in terms of regulatory AML duties?
Banks must apply a risk-based approach to CDD, including when developing the risk profiles of their customers. More specifically, banks must adopt appropriate risk-based procedures for conducting ongoing CDD that, among other things, enable banks to:
- (i) understand the nature and purpose of customer relationships for the purpose of developing a customer risk profile, and
- (ii) conduct ongoing monitoring to identify and report suspicious transactions and, on a risk basis, to maintain and update customer information.
How can a regulator help me do better at what I’m doing…by reminding me to do what I’m already doing?
So why does this reminder – which does not have the force of laws, regulations or even more weighty guidance – result in so much discussion, derision, fuming and fretting from the fincrime compliance community?
The missive is fresh frustration and compliance consternation from the perspective of longtime professionals, moaning, groaning and bemoaning that this is simply more of regulators doing what they do best.
What is that?
Reminding you to do what you are already doing – without saying the secret nebulous reasons why they decided to put this statement out now – but not offering any new helpful, practical details on how to do it better.
Or worse, laying the groundwork for a new game of “gotcha,” as in future exams.
The collective unexpressed fear in the hearts of fincrime fighters?
Examiners, as they have in the past, will say things like, “well, didn’t you see the joint statement on CDD for the AML RBA? And you didn’t do anything differently? Well, clearly, we have a ‘safety and soundness’ issue here. Let’s bump this up to an MRIA, shall we.”
MRA and MRIA are letter strings compliance veterans have come to loathe.
They stand for an AML compliance program failing in the form of a “matter requiring attention” and the more heavily reviewed and reviled, “matter requiring immediate attention.”
These letters are seared into the collective psyche of the compliance professional as, in some cases, they have spiraled out of control into regulatory flashpoints, forming the foundation of high-profile enforcement actions and hefty monetary penalties.
So why is a flub in CDD, EDD or risk ranking guaranteed to rile your regulator?
Because failings in AML risk ranking can then cascade into lax transaction monitoring protocols and missed suspicious activity reports on the individuals, companies and regions most apt to actually be tied to criminal groups laundering money.
Offering a “reminder” about longstanding compliance duties without offering concrete operational steps on how to do them better to both more effectively comply with examiner expectations and law enforcement needs leaves the industry guessing how to respond.
“It’s like playing a game of keep-away,” Felix wrote. “Let’s tell the FIs that the risk mitigation standards outlined in the Exam Manual are not for them, but then let’s also measure them against said standards? I’m #confused.”
The anathema of effectiveness: further enabling the ‘managing the management of BSA/AML risk management’
Fellow longtime fincrime fighters agreed.
“SPOT ON!!!!!! I read the joint statement and thought ‘what’s really going on here?’ The statement will only make life more difficult for BSA Officers,” said Jim Richards, the former head of AML at Wells Fargo, in a social media post.
To read the post and be part of the conversation, click here.
Richards also offered his own perspective on the “dangerously negligent” paragraph noting that the AML exam manual doesn’t establish requirements for banks.
“The last sentence is technically accurate: laws and regulations establish the requirements: the Manual describes those requirements,” he said. “But the Manual does so much more than provide guidance to examiners: it provides guidance to BSA Officers, to bank auditors, to prosecutors, and others.”
But he saved his most virulent vitriol for the bloated and corpulent RBA regime itself.
A draconian dynamic that seems designed to give examiners easy avenues for AML criticism due to the subjectivity of what is “the right way,” vagaries that have frustrated passionate, dedicate fincrime compliance teams while enriching an army of legal and regulatory functionaries and technocrats.
“As to the vaunted Risk-Based Approach (how private sector banks are supposed to approach AML compliance) and Risk-Focused Approach (how regulators examine banks’ Risk-Based Approach) … it’s all a ruse, a gotcha-game, a fall-back for lazy supervision,” Richards said.
“On a positive side, think of all the compliance personnel, auditors, examiners, consultants, and lawyers that have made a career out of managing the management of BSA/AML risk management!”