In recent years, U.S. federal and state authorities have imposed an increasing number of enforcement actions and heavy fines for violations of Bank Secrecy Act/Anti-Money Laundering (BSA/AML) and sanctions rules. For example, the Office of Foreign Assets Control (OFAC) has cited both domestic and foreign banks for facilitating prohibited transactions by non-U.S. persons (including through or by overseas subsidiaries or affiliates); exporting or re-exporting U.S.-origin goods, technology, or services to OFAC-sanctioned persons or countries; and using the U.S. financial system (or processing payments to or through U.S. financial institutions) for commercial transactions involving OFAC-sanctioned persons or countries.
In many of these actions, regulators have emphasized the need for sustainability in financial institutions’ AML and sanctions programs. Authorities have repeatedly found the following:
- failure of management to cultivate a culture of compliance;
- a lack of authority and autonomy within compliance teams;
- insufficient resources dedicated to compliance; and
- inadequate internal controls.
Key root causes have included the misinterpretation of relevant statutes and a failure to understand the applicability of specific statutes.
To meet regulators’ expectations, banks need to consider enhancing compliance programs with control elements that span all program pillars, including executive management and governance, culture and conduct, issue management, risk assessments, customer due diligence/enhanced due diligence, model risk management, suspicious activity investigations and reporting, and training.
Sustainability Depends on Strong Management
The cornerstone of a sound BSA/AML and OFAC compliance program is competent, knowledgeable, and empowered management who embody a culture of compliance, in an organization with clearly defined roles, responsibilities, and methods for accountability. Financial institutions should assess the engagement and knowledge of executive management in financial crime compliance including current inherent risks and the risk-based design and operating effectiveness of risk mitigants, as well as areas of emerging risk and regulatory concern. An essential program element to support effective management oversight is a comprehensive set of key performance or key risk indicators conveyed succinctly via recurring and standardized management reporting.
Further, when a financial institution has foreign ownership, the institution must consider parent company oversight and requirements for implementing global as well as local standards specific to the jurisdiction in which it operates. The compliance organizational structure should also be assessed, since decentralized compliance functions may lead to the inconsistent application of program requirements, management negligence, or competing stakeholder interests—especially when embedded within first-line functions.
Risk Assessments Support Sustainable Programs
Regulators expect financial crime compliance programs to be risk-based to ensure sustainability. Therefore, financial institutions should complete a periodic risk assessment that captures all inherent risks (products/services, customers, geographies, etc.) across all lines of business/legal entities. The design and operating effectiveness of program components and key controls should also be assessed, to derive an accurate estimation of residual risk.
The risk assessment should be detailed in a written methodology document. It should be grounded in a quantitative methodology that can be executed dynamically to identify and measure quantity and directionality of risk, with qualitative overlays incorporated as needed. The institution’s executive management and board should carefully review and consider the financial crime risk assessment when prioritizing investments and determining program resource allocation.
Continuous Enhancement of Key Controls
Controls commonly cited in enforcement actions include customer due diligence/enhanced due diligence reviews and suspicious activity investigations and reporting. Issues often involve a lack of timeliness and quality. In response, appropriate role-based training, detailed and up-to-date written procedures, and efficient design and execution of processes should be implemented so that reviews, investigations, and suspicious activity reports/suspicious transaction reports are completed in a timely, complete, and accurate manner. Clients identified as outside of a financial institution’s risk appetite should be subject to a defined review and escalation protocol.
Ensuring Robust Tools, Methods, and Data
Since financial crime compliance programs use various technology or quantitative tools and methods to support key program areas (e.g., customer risk rating, geographic risk model, automated transaction monitoring, and watchlist screening), financial institutions should ensure that a robust model risk management framework has been implemented with appropriately designated responsibilities for model development, use, and independent model validation. For example, automated and manual transaction monitoring methods should be based on a transaction monitoring coverage assessment, where specific coverage is mapped to the inherent risks identified in the institution’s financial crime risk assessment. Such a framework helps to ensure that models are determined to be conceptually sound and fit for purpose on a periodic basis, and that they are also subject to ongoing performance monitoring, tuning, and optimization to maximize effectiveness and efficiency.
Since all models, tools, and methods depend on ingested data to produce correct output and minimize false positives, financial institutions should consider conducting end-to-end assessments of data governance and data/information technology infrastructure. Key elements for consideration include:
- data quality and completeness;
- whether data is siloed or in a centralized and normalized data hub or other central repository, since data partitions create conflicting and sometimes inaccurate model results;
- challenges with data integration/aggregation across multiple data sources; and
- outsourced data subject to third-party risk management and principles of reliance.
All models should clearly specify data lineage and key data elements within model documentation to ensure that coverage is comprehensive.
Audit Function Must Ensure Integrity
Lastly, a financial institution’s internal audit function must have sufficient autonomy and resources to effectively carry out its assurance role as the third line of defense. This includes:
- hiring and retaining qualified and experienced staff;
- executing an audit risk assessment process;
- audit planning, tracking, and reporting;
- a well-designed and user-friendly method for logging, tracking, and reporting issues; and
- standards and requirements for issue closure.
The primary objective of a sustainable compliance program is to improve/manage a bank’s risk profile through more effective and efficient management of risk. The approach focuses on identifying and managing material risk while reducing inefficient activities. Ongoing risk-based prioritization requires that organizations objectively measure residual risk exposures and understand where the critical breakpoints occur. The portfolio of controls needs to be actively managed over the life cycle of each control. Executive management should have a clear view of program performance, and the compliance function should be provided the requisite resources to assess, enhance, and implement controls as needed to ensure adherence to the financial institution’s risk appetite.