FinCEN enforcement actions highlight need to check your risk profile
As financial institutions grow, they inherently will face more risks and should make sure they are updating their routines to address those risks, particularly with regard to Bank Secrecy Act (BSA) compliance.
A review of the most recent actions by the Financial Crimes Enforcement Network (FinCEN) revealed common issues faced by the listed parties, including:
- The BSA/Anti-money laundering (AML) program was not adequate based on their risk profile.
- Controls outlined in the program were not in place and operating effectively.
- Adequate resources were not made available to the team responsible for BSA/AML compliance.
A summary:
- In the case of USAA Federal Savings Bank (FinCEN consent order imposing civil money penalty, number 2022-01), regulators cited an overall failure to implement and execute an effective program. Significant staffing deficiencies and inadequate testing of the newly implemented automated monitoring system resulted in a backlog of over 90,000 unreviewed alerts.
- In the case of Community Bank of Texas, N.A. (Consent order imposing civil money penalty), regulators cited understaffing, which led to alerts or cases being cleared from the automated monitoring system without proper review, which resulted in 17 suspicious activity reports (SARs) not being filed even though the facts met the minimum filing requirements. It was noted the BSA officer applied exemptions for customers whose activity was “well-known” so that analysts would not need to review alerts generated for their activity.
- In the case of Capital One, N.A. (Assessment of civil money penalty number 2010-01), regulators noted the ongoing high-risk reviews failed to fully enable management to understand the nature and legitimacy of their customers’ activity and patterns therein. It was noted many of the highest-risk customers were acquired through the acquisition of another financial institution.
- In the case against U.S. Bank National Association (FinCEN U.S. Bank Assessment FinCEN review 2.14.18 Final (3)), regulators found the bank placed “caps” on the number of alerts it would produce and review in its automated monitoring system. Exams noted that the caps resulted in the bank’s failure to investigate a large number of suspicious transactions. Examiners noted that for only a portion of the time period in question, over 2,000 SARs were not filed as required.
Even if your institution is nowhere near the size of those noted above, the information provides good food for thought about your monitoring duties.
Many of you have had BSA responsibilities on top of your other work for a long time, and your overall responsibilities have likely increased. Does anyone have more time to focus on BSA now than they did five years ago?
If you have grown significantly, whether through organic growth or M&A activity, do you feel confident your BSA program is adequate? It’s common to hear the phrase, “We truly are a community bank that knows our customers.” While that may still be the case, it’s also true that fraud-related crimes are increasing, and fast.
It’s becoming an exception to not be filing SARs on a regular basis, and those that aren’t filing many are often asked by auditors and examiners, “How can that be?”
That question can only be answered with solid due diligence and record-keeping. A sound BSA program requires consistent and comprehensive monitoring of your customer base, with a consistent focus on those deemed higher risk.
Stay ahead of risk
The enforcement actions above are not a reflection of what occurs at most typical community financial institutions, but there are a few ways to ensure you are keeping up with your risk management:
- Next time you update your risk assessment, take a look at your assessment from five years earlier and see how your activity and customer base have increased. Ask yourself, have the resources dedicated to BSA compliance kept up?
- Go through your high-risk (and moderate, if policy requires) customers and make sure you can either explain, or show documentation on, what exactly those customers are involved in and why they are rated high risk. If you cannot do that, ask yourself, why not? Is it due to the high number of customers, or lack of time to complete full due diligence?
- If you feel you don’t have time to keep up, say something. Let management and the board know you may need more resources. The more data you can provide through your BSA reporting to the board, the better your case for getting additional resources.
- If you use an automated monitoring system, have a system in place to periodically test and validate the data to ensure it is adequately capturing and alerting for suspicious activity. Setting the system to “keep alerts manageable” isn’t a good idea, as the list of enforcement actions shows.
While most of you likely have well-functioning BSA/AML programs in place, take the time to “stretch” when assessing the adequacy of your program to avoid issues later.
How Wipfli can help
As your financial institution grows, it’s important to keep your risk profile and risk-management practices aligned with that growth. Wipfli professionals have the background and up-to-date knowledge to help you uncover deficiencies in your risk-management practices. Our team brings real-world experience to financial institutions to meet today’s evolving compliance programs. Contact us to learn more.