Define effectiveness. That’s what anti-money laundering compliance directors and legal experts want the US Treasury’s Financial Crimes Enforcement Network (FinCEN) to do after it announced late last month that it would update regulations issued under the Bank Secrecy Act (BSA).
“Does anybody know what effective means?” was the question posed by over a dozen AML compliance managers at US banks and brokerage firms who spoke with FinOps Report. All believe that the devil is in the detail of how difficult it will be to implement FinCEN’s requirements. However, they still predict they will have more work with greater liability. No one thinks that FinCEN’s new requirements will make the job any easier, despite its claims to the contrary.
FinCEN’s timing of its advanced notice of proposed rulemaking (ANPR) calling for financial institutions to potentially create “effective and reasonably-designed programs” follows numerous reports on the “FinCEN papers” — a flurry of media attention alleging some of the world’s largest banks allowed at least $2 trillion worth of criminal activity to go unchecked based on leaked confidential suspicious activity reports (SARs) filed with FinCEN between 2009 and 2017. Those banks, which include Deutsche Bank, JP Morgan, HSBC, and BNY Mellon, insist they did their jobs by the book and any criticisms for submitting the required SARs are misguided. Despite the eerie coincidence of events, FINRA’s timing of its ANPR is unrelated to the “FinCEN papers, but is the aftermath of a series of meetings between FinCEN officials and senior bankers participating in the Bank Secrecy Act Advisory Group (BSAG), a forum for examining the efficacy of the BSA. The ongoing meetings, which began in June 2019, established that regulators should allow banks to “place greater emphasis on providing information with a high degree of usefulness to government authorities based on national AML priorities to promote greater outputs over auditable processes,” FinCEN says.
The new potential mandate for “effective” AML programs marks a dramatic shift in focus from the current metric of reasonably-designed to meet the requirements of the BSA, the 1970 legislation considered the cornerstone of US AML requirements. The last significant changes to BSA regulations were the implementation of customer due diligence and beneficial ownership requirements in 2006. As FinCEN notes, the term “effective” has no specific consistent definition in existing regulation and if it is translated as useful one of the critical obligations imposed by the BSA — filing SARs — could get a lot harder. The litmus test for filing is merely a suspicion of illegal activity; no proof is needed. It is then up to FinCEN to further evaluate and contact law enforcement, if necessary. Financial firms investigate business activity based on alerts generated at client onboarding, as part of routine due diligence, and as part of transaction monitoring. Most alerts are false positives so not all lead to SARs. Financial firms typically err on the side of caution and file too many SARs to protect themselves from the possibility FinCEN will fine them for not having filed a particular SAR.
No one thinks that overturning that defensive approach and filing fewer SARs is an option. “Given that FinCEN has to look through so many SARs it is critical that the narrative in SARs provides a sufficient amount of information to help FinCEN understand why the SAR was filed,” says Robert Appleton, a partner in the law firm of Murphy & McGonigle in New York specializing in anti-corruption and AML. SARs include boxes an AML compliance officer checks off on the suspected activity and a narrative section to explain why the transaction merits further review. What looks like an easy task to accomplish — adding a few lines here and there– could end up becoming a mindboggling and time-consuming chore. “Financial firms may not have the time to be as detailed or write as clearly as FinCEN would like due to the volume of SARs filed.” says Ross Delston, an independent AML attorney in Washington, D.C. “Wordsmithing isn’t the priority. Completing each one quickly enough is.”
Financial firms never know whether their SARs resulted in any criminal investigation or charges. In order for the effectiveness regime to take hold, FinCEN will need to provide more detailed guidance to ensure high quality SARs that are more useful to law enforcement, says Delston. If it doesn’t, AML managers will remain in the dark about how to change their current process for filing SARs. Another alternative would be for AML compliance departments to create “tactical or strategic value SARs” by prioritizing SARs into those that FinCEN must act upon immediately. However, if such a change were to take place, financial firms would be even more concerned about whether they had made the right decisions.
What might be just as challenging for some financial institutions as writing better SARs is developing the interrelated models and written risk assessments. One of FInCEN’s suggestions in its ANPR is that it could explicitly require all financial institutions to perform written internal risk evaluations that cover “business activities, products, services, customers and geographic locations.” Financial firms could also be forced to use models — or statistical methodologies — for customer risk profiling and transaction monitoring. Financial firms use the level of risk of a customer or a business line to determine the level of monitoring based on a predetermined number and value of transactions for each business activity. As a rule of thumb, correspondent banking and trade finance activities are more prone to money laundering than credit card, loans or trading. However, creating written risk assessments and models isn’t the norm for every financial institution. “Written risk assessments and modeling are commonly used by banks with multiple business lines, but not as much by brokerages which might now have to implement them, if FinCEN’s proposal takes effect,” says Betty Santangelo, a partner specializing in AML with the law firm of Schulte, Roth & Zabel in New York. She questions whether a one-size-fits all approach used in the banking industry is necessary for other financial sectors. After all, brokerages and other financial institutions don’t have the same types and numbers of business lines as banks do.
Given that FinCEN has yet to define effectiveness, it is unclear how the concept would be applied during exams particularly if there are no quantitative metrics. AML compliance managers are concerned they may have to write their own narratives of why they think their AML programs were effective and some are peeved with FInCEN’s implication they aren’t doing enough to prevent illegal activities from bad actors passing through their doors. “I am already doing the job of law enforcement and don’t need additional requirements,” writes one respondent in a letter responding to FinCEN’s request for comment on its proposal. (A full copy of FinCEN’s ANPR and industry feedback can be found at federalregister.gov/documents/2020/09/17/2020-anti-money-laundering-program effectiveness. Comments are due by November 16.
Some AML legal experts warn that FinCEN’s effectiveness standard could ultimately result in more enforcement action if regulators view it with the benefit of hindsight. “Enforcement authorities could point to any suspicious activity that escaped a bank’s notice to argue that a bank’s controls– even if adequately designed and resourced were not ultimately effective,” says the law firm of Covington & Burling in a recent blog entitled “Covington Alert.” If the term effectiveness is related to usefulness, unless FinCEN also provides clear and objective standards for determining usefulness to government authorities, financial firms will also be challenged. They must assess whether they are providing information that the government will subsequently determine to be useful, according to Covington & Burling.
If financial firms are to help FinCEN become more effective, say some third-party AML experts, then FinEN has to ease their administrative burdens with more specific metrics of how to fulfill the BSA rather than allowing each financial institution to design its own risk-based approach. Banks and other large financial institutions continually sift through all bad news accounts on potential and even current clients. Some consider all politically exposed persons (PEPs) — those entrusted with a prominent public function — to be high risk regardless of their role in the government function or whether their tenure has expired. While such an approach might seem safe, it will result in screening systems generating far more alerts which eat up more time from AML investigators.
A far better alternative, according to one respondent to FinCEN’s request for comment, is defining minimal policies which financial firms can build on. “There is no way FinCEN can come up with policies for every type of business line and client as there are too many variables,” says Greg Pinn, head of strategy for Merlon.ai. “However, FinCEN can define a set of actionable requirements for all institutions, regardless of size, including sanctions, PEP, and adverse news screening. The New York-headquartered Merlon.ai offers an adverse news screening platform built on artificial intelligence and natural machine processing; the application identifies, clusters, and extracts risk from huge news libraries focusing analyst attention on AML relevant risk. As a result, the time and effort spent on client onboarding is dramatically reduced. “Not every news article about a potential client is meaningful,” says Pinn. “A highly-publicized divorce may not be, but fraud, corruption, human trafficking and other illegal activities require further analyst attention.”
Even those praising FinCEN’s attempt at improving AML programs think that the focus on effectiveness won’t be meaningful if upper management allows profits to trump safety. Too much attention has been placed on how AML programs are set up but not enough on de-risking, or shutting down problematic client accounts. “What sometimes occurs is that the concerns of AML compliance directors are overridden by senior business executives on the grounds that fees generated through lucrative client accounts will exceed any potential fines from FInCEN for facilitating bad conduct,” says Steven Miller, account executive for the corporate investigations unit at business information services giant Thomson Reuters in New York. “That strategy might work for larger banks as they will still continue to win business, but will not for smaller community banks or credit unions.” Used by community banks and credit unions, Thomson Reuters’ CLEAR platform, allows AML managers to more quickly onboard customers with a risk rating based on information from public records, sanctions lists, other government lists, and news feeds.
For now, financial institutions will have to wait and pray that FinCEN’s proposals will give them the answers they need to tweak rather than overhaul their AML programs. Given that the new “FinCEN Papers” has drawn attention to the fact that the world’s largest banks may have benefitted from criminal activity, they fear that FinCEN’s new requirements will be more onerous, rather than less burdensome.