I. INTRODUCTION
The Financial Crimes Enforcement Network (FinCEN) has issued an advisory to financial institutions promoting a culture of BSA/AML compliance for senior management, leadership and owners of all financial institutions subject to FinCEN regulation, regardless of size or industry sector. The guidance outlines the following six ways that financial institutions can strengthen their BSA/AML compliance culture: by ensuring that (1) its leadership actively supports and understands compliance efforts; (2) efforts to manage and mitigate BSA/AML deficiencies and risks are not compromised by revenue interests; (3) relevant information from the various departments within the organization is shared with compliance staff to further BSA/AML efforts; (4) the institution devotes adequate resources to its compliance function; (5) the compliance program is effective by, among other things, ensuring that it is tested by an independent and competent party; and (6) its leadership and staff understand the purpose of its BSA/AML efforts and how its reporting is used.
II. CULTURE OF COMPLIANCE
A. Leadership Should Be Engaged
A financial institution’s leadership is responsible for performance in all areas of the institution including compliance with the BSA. As applicable, an institution’s leadership may include its board of directors, senior and executive management, owners and operators. These leaders are responsible for understanding an institution’s responsibilities regarding compliance with the BSA and creating a culture of compliance at that institution. The commitment of an organization’s leaders should be visible within the organization, as such commitment influences the attitudes of others within the organization.
For a BSA/AML compliance program to be effective, it should have the demonstrable support of the leadership (as appropriate based on the financial institution’s size and structure). The institution’s leaders should also receive periodic BSA/AML training that is tailored to their roles. In addition to supporting a culture of compliance, an appropriate understanding of BSA/AML obligations and compliance will help an organization’s leadership make informed decisions with regard to the allocation of resources to the BSA/AML function. The leaders of the organization should also remain informed of the state of BSA/AML compliance within the institution.
B. Compliance Should Not Be Compromised By Revenue Interests
Compliance staff should be empowered with sufficient authority and autonomy to implement an institution’s AML program. An institution’s interest in revenue should not compromise efforts to effectively manage and mitigate BSA/AML deficiencies and risks, including submission of appropriate and accurate reports to FinCEN. An effective governance structure should allow for the BSA/AML compliance function to work independently and to take any appropriate actions to address and mitigate any risks that may arise from an institution’s business line and to file any necessary reports, such as Suspicious Activity Reports (SARs).
C. Information Should Be Shared Throughout the Organization
Several recent enforcement actions noted that the subject institution had relevant information in its possession that was not made available to BSA/AML compliance staff. This may have resulted from a lack of an appropriate mechanism for sharing information, a lack of appreciation of the significance or relevance of the information to BSA/AML compliance or an intentional decision to prevent compliance officers or staff from having access to the information.
There is information in various departments within a financial institution that may be useful and should be shared with the compliance staff. For example, information developed by those in the organization combating and preventing fraud could also assist a financial institution in complying with its BSA/AML obligations. Similarly, legal departments should alert compliance departments to subpoenas received issued by government agencies to trigger reviews of related customers’ risk ratings and account activity for suspicious transactions. Additionally, in a larger organization there may be multiple affiliated institutions that could benefit from sharing of relevant information across the organization.
D. Leadership Should Provide Adequate Human and Technological Resources
A required element of any BSA/AML compliance program is the designation of an individual responsible for coordinating and monitoring day-to-day compliance with the BSA. The individual should be knowledgeable of the BSA and have sufficient authority to administer the program. For the program to be effective, the institution should devote appropriate support staff to its BSA/AML compliance program based on its risk profile.
The failure of an institution’s leaders to devote sufficient staff to the BSA/AML compliance function may lead to other failures. For example, depository institutions, as well as other types of financial institutions, generally have staff that review alerts generated by transaction monitoring systems. Devoting insufficient staff or other resources to this function may result in alerts not being reasonably designed to capture appropriate risks or being dismissed improperly, or create a backlog of alerts that may result in the untimely reporting of suspicious activity.
Appropriate technological resources should also be allocated to BSA/AML compliance. Institutions with higher risk profiles, including those with substantially higher volumes of activity, may need to utilize automated systems for identifying and monitoring suspicious activity.
E. The Program Should Be Effective and Tested By an Independent and Competent Party
Appropriate involvement of a financial institution’s leadership should be, at a minimum, commensurate with the institution’s level of BSA/AML risk exposure. Appropriate leadership involvement allows the BSA/AML function to implement an effective compliance program. Components of an effective BSA/AML compliance program additionally include a proper ongoing risk assessment, sound risk-based customer due diligence, appropriate detection and reporting of suspicious activity and independent program testing.
While recognizing that all the components of an effective compliance program are important, FinCEN stresses the independence that the testing of a compliance program should have. A financial institution’s leadership should ensure that the party testing the program (whether internal or external) is independent, qualified, unbiased and does not have conflicting business interests that may influence the outcome of the compliance program test. Safeguarding the integrity and independence of the compliance program testing enables an institution to locate and take appropriate corrective actions to address BSA/AML deficiencies.
F. Leadership and Staff Should Understand How Their BSA Reports are Used
Finally, leadership and staff at all levels in a financial institution should understand that they are not simply generating reports for the sake of compliance, but rather recognize the purpose that BSA reports serve and how the information is used. The reporting and the transparency that financial institutions provide under FinCEN’s regulation is used to: serve as tips to initiate investigations; expand existing investigations; promote international information exchange; and identify significant relationships, trends and patterns.