The OCC’s Increasing Focus on BSA-AML Compliance

In a speech last week to the Institute of International Bankers, Comptroller of the Currency Thomas J. Curry focused extensively on Bank Secrecy Act/Anti-Money Laundering (BSA/AML) compliance. Combined with the recent suggestion by Benjamin Lawsky, the Superintendent of New York’s Financial Services Department (DFS), that New York may begin requiring senior bank executives to attest to the adequacy of their institutions’ BSA/AML monitoring systems, Comptroller Curry’s speech highlights banking regulators’ increasing focus on BSA/AML compliance. Regulated institutions should therefore pay close attention to their BSA/AML compliance systems and procedures.

Background

Financial institutions’ BSA/AML obligations arise from a series of federal statutes, including the 1970 Bank Secrecy Act and the 1986 Money Laundering Control Act. Over the past few years, federal regulators have focused on institutions’ compliance with these statutes, particularly through numerous enforcement actions focusing on BSA/AML compliance, including a record $875 million settlement against HSBC in 2012 that we previously blogged about here. Two years ago, in testimony before the Senate Committee on Banking, Housing & Urban Affairs, Comptroller Curry spoke about the importance of BSA/AML compliance in combatting financial crimes and terrorism, and identified four factors as root causes BSA/AML compliance problems: (i) the strength of institutions’ compliance culture; (ii) their willingness to commit sufficient resources; (iii) the strength of their information technology and monitoring processes; and (iv) their risk management. In that testimony, Comptroller Curry emphasized the OCC’s intention to seek improved BSA/AML compliance by “work[ing] with Congress, law enforcement, other regulatory agencies, and the industry to develop and implement a coordinated and comprehensive response to the threat posed to the nation’s financial system by terrorist and criminal organizations.”

Two years on, those efforts appear to be gathering steam. In August 2014, DFS Superintendent Lawsky announced a significant enforcement action and consent order against Standard Chartered Bank for alleged BSA/AML violations, imposing a $300 million penalty and required remedial steps to address Standard Chartered’s BSA/AML compliance failures. Several months later, in December 2014, the Federal Financial Institutions Examination Council (FFIEC) released the 2014 Bank Secrecy Act/Anti-Money Laundering (BSA/AML) Examination Manual, which significantly revised numerous areas of the manual, including on Suspicious Activity Reporting (SAR), Currency Transaction Reporting (CTR) and Foreign Correspondent Account Recordkeeping, among other areas. And in February 2015, DFS Superintendent Lawsky discussed the possibility the DFS would implement additional BSA/AML compliance measures, including (i) requiring certifications by senior executives regarding their institutions’ AML compliance, comparable to Sarbanes-Oxley financial statement certifications; and (ii) random audits of institutions’ AML systems to test whether they successfully can identify suspicious transactions.

Comptroller Curry’s March 2015 Speech

Comptroller Curry’s recent speech builds on these trends and highlights several specific issues on which the OCC is focusing in connection with BSA/AML compliance. He situated BSA/AML compliance at the heart of an international effort to combat the threat of terrorist and criminal organizations, describing BSA/AML compliance as “a source of risk that is a matter of particular and growing urgency today.” Focusing on financial institutions, Comptroller Curry noted “it is extremely important that banks of all types and sizes understand the nature of BSA/AML risk, understand their BSA/AML regulatory obligations, and understand the importance of collaboration among financial institutions and sovereign supervisors to meet the rising BSA/AML risk.”

Comptroller Curry discussed various steps the OCC has taken over the past few years to improve institutions’ BSA/AML compliance, including (1) considering it when evaluating safety and soundness; (2) assessing institutions’ management of third-party relationships; (3) reviewing whether adequate resources are devoted to BSA/AML compliance functions; (4) analyzing whether institutions assign accountability for compliance across all business lines that entail BSA/AML risk; and (5) where necessary, bringing enforcement actions. He conceded that the “vast majority of our institutions have solid [BSA/AML compliance] programs in place,” but emphasized that “this is merely a good start and it is not static.”

Indeed, Comptroller Curry recognized that institutions face certain broader challenges in complying with their BSA/AML obligations, including:

1. The growing sophistication and evolving nature of terrorist and criminal organizations and their tactics;
2. The current statutory and regulatory framework—with its focus on documentation and individual decision-making—that is ill-equipped to deal with the speed and sophistication of terrorist and criminal elements; and
3. The effects of technology in facilitating instantaneous transactions between individuals and entities on a global scale.

He discussed various steps the OCC is taking to address these issues, ranging from amending regulations and requirements that are no longer effective, to exploring new ways to use technology, to supporting legislation to expand safe harbors that encourage institutions to file Suspicious Activity Reports and share information about bad actors and financial crimes with regulators and other institutions. Comptroller Curry identified information sharing and the use of technology as key factors in achieving the goals of BSA/AML compliance.

Ultimately, however, Comptroller Curry closed his speech by focusing on the OCC’s expectation that institutions incorporate BSA/AML compliance into their overall assessment of customer risk, and the institutions’ ability to manage those risks. Among other things, he suggests this may require institutions to evaluate foreign correspondents’ risk management systems and obtain sufficient, transparent information from current and prospective customers to allow the institutions to make informed risk assessment decisions. Finally, in discreet reference to the controversy surrounding Operation Choke Point, Comptroller Curry warned that institutions cannot address these concerns by simply terminating customers, or categories of customers, based on BSA/AML risk, and instead must conduct a careful analysis of the risks presented by each individual customer and the bank’s ability to manage those risks.