On August 13th,the Federal Reserve System, Federal Deposit Insurance Corporation, National Credit Union Administration, and Office of the Comptroller of the Currency (the Agencies) issued joint guidance to clarify and update policies addressing the enforcement of the Bank Secrecy Act’s (BSA’s) anti-money laundering (AML) program requirement. The guidance, which replaces a prior interagency statement from 2007, interprets a unique provision of the BSA regulatory enforcement that requires federal banking agencies to issue cease and desist (C&D) orders when depository institutions and credit unions fail to establish and maintain adequate AML programs, or correct deficiencies previously identified by their regulators. The guidance also illustrates when C&D orders or informal enforcement actions may be appropriate.
Amendments to the 2007 Interagency Statement
The current guidance amends the 2007 interagency statement in three principal ways:
- The guidance makes it express that isolated or technical deficiencies in AML programs will not generally result in a C&D order.
- The guidance provides more detailed descriptions and examples of the “pillars” of BSA/AML compliance programs (i.e., internal controls, independent testing, designated BSA/AML personnel, and training). It also updates these descriptions and examples to incorporate FinCEN’s customer due diligence (CDD) rule. In particular, the guidance states that, under the CDD rule, a financial institution must understand the nature and purpose of a customer relationship to develop a customer risk profile, conduct ongoing monitoring for suspicious transactions, and maintain and update customer information, including beneficial ownership information.
- The guidance provides specific examples of compliance failures that typically would (or would not) result in a C&D order. Certain of these examples are noted below.
C&D Orders for Failure to Establish and Maintain Adequate AML Programs
The guidance explains that the Agencies will issue a C&D order for failure to establish and maintain an adequate AML program where, among other things, an institution:
- Fails to have a written BSA/AML compliance program, including a customer identification program, that adequately covers the required program components or pillars (i.e., internal controls, independent testing, designated BSA/AML personnel, and training);
- Fails to adequately implement its written program (institution-issued policy statements alone are not sufficient; the program as actually implemented must be consistent with the institution’s written policies, procedures, and processes);
- Has defects in its BSA/AML compliance program in one or more components or pillars that indicate that either the written BSA/AML compliance program or its implementation is not effective, for example, where the deficiencies are coupled with other aggravating factors, including (i) the presence of “highly suspicious activity” or (ii) the systemic failure to file suspicious activity reports or currency transaction reports.
C&D Orders for Failure to Correct Identified Deficiencies
The guidance states that the statutory requirement to issue a C&D order for uncorrected deficiencies applies to deficiencies that are “substantially the same” as those formally communicated in a report of examination or other written document (e.g., a supervisory letter), as a violation of law or a matter that must be corrected (e.g., an MRA/MRIA).
Importantly, the guidance recognizes that some deficiencies may take time to remediate. Where corrective actions take “more time to implement than initially anticipated,” a C&D is not required, “provided the Agency determines that the institution has made acceptable substantial progress toward correcting the problem.” Similarly, corrective actions that are only partially effective will not always result in C&D orders. For example, “if a violation is cited in a previous report of examination for failure to designate a qualified BSA compliance officer, and the institution has appointed an otherwise qualified person . . . but the examiners recommend additional training for the person, an Agency may determine not to issue a cease and desist order.”
Other Issues Addressed
The final part of the guidance details situations where the Agencies may take formal or informal actions to address BSA/AML deficiencies other than the BSA/AML program requirement, including deficiencies relating to suspicious activity reporting requirements. In this connection, the guidance states that the Agencies will take “appropriate supervisory action, if the institution’s failure to file reports reveals a systemic breakdown in its policies, procedures, or processes to identify and research suspicious activity, involves a pattern or practice of noncompliance with the filing requirement, or represents a significant or egregious situation.”