Appeal of Violation of the Bank Secrecy Act (First Quarter 2017)
A federal savings association (bank) supervised by the Office of the Comptroller of the Currency (OCC) appealed the violation of 12 CFR 21.21(d)(1), “Procedures for Monitoring Bank Secrecy Act (BSA) Compliance: Contents of Compliance Program,” cited in a recently issued report of examination (ROE).
The appeal contended the bank has internal control procedures “reasonably designed” to assure compliance with BSA requirements. The appeal stated the regulation allows a bank a range of choices to design its BSA program and internal control procedures so long as there is support that the procedures are reasonably designed to assure compliance with BSA requirements. The appeal asserted the bank has been conducting periodic reviews of certain higher-risk customers at least annually. The appeal contended that the ROE comment that the bank does not review its high-risk customers annually was based on the supervisory office (SO) expanding the high-risk customer base to include spouses and other related individuals of the owner of a money service business (MSB).
The appeal asserted that, as of the examination date, there were no laws or regulations requiring banks to obtain expected activity from customers. The appeal asserted that the November 2014 Federal Financial Institutions Examination Council’s Bank Secrecy Act/Anti-Money Laundering Examination Manual (BSA Manual) states that banks should obtain information at account opening sufficient to develop an understanding of the normal and expected activity for the customer’s occupation or business operations. This understanding may be based on account type or customer classification. The appeal further stated that the BSA Manual does not require banks to obtain expected activity information from the customer and allows collection of information from third-party sources.
The appeal proclaimed that the bank’s internal control procedures have been so successful that the OCC has never cited the bank for failing to file a suspicious activity report or currency transaction report.
The appeal contended that the SO failed to distinguish between a violation and a recommendation, and the failure to collect anticipated account activity from new and existing customers could have been a suggestion in the ROE, but not a violation. The appeal stated that the SO did not appropriately apply OCC Bulletin 2007-36 in concluding that the bank violated 12 CFR 21.21(d)(1). The appeal asserted that OCC Bulletin 2007-36 recognizes that not all supervisory concerns relating to a bank’s BSA compliance program should be considered violations of the regulatory requirement to implement and maintain a reasonably designed BSA program.
The Ombudsman conducted a comprehensive review of the information and primarily relied on the following supervisory standards when formulating conclusions:
- 12 CFR 21.21, “Procedures for Monitoring Bank Secrecy Act (BSA) Compliance”
- BSA Manual
- OCC Bulletin 2007-36, “Bank Secrecy Act/Anti-Money Laundering: BSA Enforcement Policy” (August 30, 2007) (BSA Enforcement Policy)
The Ombudsman also relied on the following supervisory standards:
- OCC Bulletin 2005-19, “Bank Secrecy Act/Anti-Money Laundering: Interagency Interpretive Guidance on Providing Banking Services to Money Services Businesses Operating in the United States” (May 6, 2005)
- OCC Bulletin 2010-11, “Bank Secrecy Act/Anti-Money Laundering: Beneficial Ownership Guidance” (March 5, 2010) (Beneficial Ownership Guidance)
The Ombudsman determined that the SO appropriately concluded that the bank’s overall BSA compliance program was reasonably designed to assure compliance with the BSA, but there were internal control deficiencies that resulted in an internal control pillar violation being cited years prior that had remained outstanding.
An internal control pillar violation (12 CFR 21.21(d)) differs from an overall BSA compliance program violation (12 CFR 21.21(c)). The latter violation requires the OCC to issue a cease-and-desist (C&D) order against the bank as mandated by 12 USC 1818(s) and as described in the BSA Enforcement Policy. In the bank’s case, the SO identified internal control deficiencies within the bank’s overall BSA compliance program concerning suspicious activity and currency transaction reporting resulting in the citing of an internal control pillar violation in an ROE several years prior. During the subsequent examination, the SO identified additional internal control deficiencies concerning customer due diligence (CDD)/enhanced due diligence (EDD). During another subsequent examination, the SO identified additional internal control deficiencies concerning annual reviews of high-risk customers, independent validation of BSA software, quality control reviews, and customer risk scoring. These additional concerns identified in the two subsequent examinations relate to, and further support, the continuation of the internal control pillar violation.
In the recently issued ROE, the SO appropriately concluded that (1) the bank’s overall BSA compliance program is reasonably designed to assure compliance with the BSA and there was no overall BSA compliance program violation (12 CFR 21.2l(c)); and (2) the internal control pillar violation (12 CFR 21.21(d)) originally cited years prior remains outstanding because the bank continues to lack effective corrective actions and new internal control issues had been identified.
The Ombudsman determined that the bank’s periodic reviews are limited to the accounts noted in the appeal and the bank was not conducting periodic reviews for many more high-risk customers, as required by the BSA Manual and as necessary to effectively identify suspicious activity transactions. The SO’s transaction testing found that the bank was not conducting periodic reviews of high-risk customer accounts that the bank had designated as high risk. In addition, the SO identified problems with the bank’s risk assessment processes and some accounts that should have been elevated to high risk due to recent suspicious activity report filings, for example. The Ombudsman also agreed with the SO that the bank must identify all related accounts and ensure appropriate risk rating. The BSA Manual consistently discusses customer relationships, not accounts or transactions. The SO had identified several accounts with overlapping transactions, but the bank did not know whether the accounts were related.
The Ombudsman determined that the BSA Manual explicitly states that bank collect expected activity as part of the bank’s CDD and EDD processes. Account monitoring should identify patterns of unusual activity or deviations from expected activity for further research. In addition, the BSA Manual specifically states collection of expected activity for the following, as examples of risk relevant to the bank: surveillance monitoring, privately owned automated teller machines, MSBs, and politically exposed persons. The Beneficial Ownership Guidance also states that CDD and EDD information should be used for monitoring purposes and to determine whether there are discrepancies between information obtained regarding the account’s intended purpose and expected account activity and the actual sources of funds and uses of the account. There are various ways of collecting expected activity, but the ROE noted that the bank did not collect this information in any manner at account opening. Since the bank lacked the expected activity information on accounts previously opened, the bank was required to collect that information and, as of the recent examination, had obtained it from only half of its existing customers.
The Ombudsman determined that the absence of aggravating factors such as suspicious activity report or currency transaction report violations does not indicate absence of internal control deficiencies. The SO had identified BSA internal control weaknesses in multiple supervisory communications due to new or uncorrected internal control deficiencies that related to or further supported the violation. The SO appropriately considered the absence of these aggravating factors by not citing a BSA compliance program violation that would have mandated the issuance of a C&D, as set forth in the BSA Enforcement Policy.
The Ombudsman ruled that the appeal’s citation of the BSA Enforcement Policy for whether a violation should have been cited is not applicable in this case because the SO concluded that there is no violation of the bank’s overall BSA compliance program that would require the issuance of a C&D order under 12 USC 1818(s). In addition, the purpose of the BSA Enforcement Policy is to identify the circumstances in which the federal regulatory agencies will issue a C&D order to address noncompliance with certain BSA requirements, not to provide guidance on circumstances in which the agencies will cite a violation of law or regulation. An internal control pillar violation does not require the OCC to issue a C&D order. The OCC, however, will not note an existing violation as corrected and closed unless the bank implements effective corrective actions removing the basis for the violation. In this case, the basis for the violation were the past due and MRAs identified over several examinations. In addition, the bank’s failure to collect expected activity from new and existing customers is not the sole or most significant basis for continuing the internal controls pillar violation.