I. INTRODUCTION
The Board of Governors of the Federal Reserve System, the Federal Deposit Insurance Corporation, the Office of the Comptroller of the Currency, and the Office of Thrift Supervision, have issued an interagency statement, setting forth the Agencies’ policy on the circumstances in which an Agency will issue a cease and desist order to address noncompliance with certain Bank Secrecy Act/Anti-Money Laundering (“BSA/AML”) requirements.
Under federal law, each of the Agencies is directed to prescribe regulations requiring each insured depository institution to establish and maintain procedures reasonably designed to assure and monitor the institution’s compliance with the requirements of the Bank Secrecy Act (“BSA Compliance Program”). Each agency is required to review the BSA Compliance Program and describe any problem with the BSA Compliance Program in its reports of examination. If an insured depository institution has failed to establish and maintain a BSA Compliance Program or has failed to correct any problem with the BSA Compliance Program previously reported to the institution, the appropriate Agency shall issue a cease and desist order against the institution. Specifically, under each Agency’s regulations, a BSA Compliance Program must have, at a minimum, the following elements:
In addition, a BSA Compliance Program must include a Customer Identification Program with risk-based procedures that enable the institution to form a reasonable belief that it knows the true identity of its customers.
Communication of Supervisory Concerns about BSA Compliance Programs
When an Agency identifies supervisory concerns relating to a banking organization’s BSA Compliance Program in the course of an examination or otherwise, the Agency may communicate those concerns by various means. The particular method of communication used typically depends on the seriousness of the concerns. These methods include:
In order to be a “problem” with the BSA Compliance Program that will result in a cease and desist order if not corrected by the institution, deficiencies in the Program must be identified in a report of examination or other written document as requiring communication to an institution's board of directors or senior management as matters that must be corrected.
II. ENFORCEMENT ACTIONS FOR BSA COMPLIANCE PROGRAM FAILURES
The appropriate Agency will issue a cease and desist order against a banking organization for noncompliance with BSA Compliance Program requirements in the following circumstances, based on a careful review of all the relevant facts and circumstances.
A. Failure to Establish and Maintain a Reasonably Designed BSA Compliance Program
The appropriate Agency will issue a cease and desist order based on a violation to establish and maintain a reasonably designed BSA Program where the institution:
For example, an institution that has procedures to provide BSA/AML training to appropriate personnel, independent testing, and a designated BSA/AML compliance officer, would nonetheless be subject to a cease and desist order if its system of internal controls (such as customer due diligence, procedures for monitoring suspicious activity, or an appropriate risk assessment) fails with respect to a high risk area or to multiple lines of business that significantly impact the institution’s overall BSA compliance. Similarly, a cease and desist order would be warranted if, for example, an institution has deficiencies in the required independent testing element of the Program and those deficiencies are coupled with evidence of highly suspicious activity creating a significant potential for unreported money laundering or terrorist financing in the institution.
However, other types of deficiencies in an institution’s BSA Compliance Program or in implementation of one or more of the required Program elements will not necessarily result in the issuance of a cease and desist order, unless the deficiencies are so severe as to render the Program ineffective when viewed as a whole. For example, an institution that has deficiencies in its procedures for providing BSA/AML training to appropriate personnel, but has effective controls, independent testing, and a designated BSA/AML compliance officer, may ordinarily be subject to examiner criticism and/or supervisory action other than the issuance of a cease and desist order, unless the training program deficiencies, viewed in light of all relevant circumstances, are so severe as to result in a finding that the organization's Program, taken as a whole, is not effective.
In determining whether an organization has failed to implement a BSA Compliance Program, an Agency will also consider the application of the organization’s Program across its business lines and activities. In the case of institutions with multiple lines of business, deficiencies affecting only some lines of business or activities would need to be evaluated to determine if the deficiencies are so severe or significant in scope as to result in a conclusion that the institution has not implemented an effective overall program.
B. Failure to Correct a Previously Reported Problem with the BSA Compliance Program
A history of deficiencies in an institution's BSA Compliance Program in a variety of different areas, or in the same general areas, may result in a cease and desist order on that basis. An Agency will, based on a careful review of the relevant facts and circumstances, issue a cease and desist order whenever an institution fails to correct a problem with BSA/AML compliance identified during the supervisory process. In order to be considered a “problem,” however, a deficiency reported to the institution ordinarily would involve a serious defect in one or more of the required components of the institution’s BSA Compliance Program or implementation thereof that a report of examination or other written supervisory communication identifies as requiring communication to the institution’s board of directors or senior management as a matter that must be corrected. For example, failure to take any action in response to an express criticism in an examination report regarding a failure to appoint a qualified compliance officer could be viewed as an uncorrected problem that would result in a cease and desist order.
An Agency will ordinarily not issue a cease and desist order for failure to correct a BSA Compliance Program problem unless the deficiencies subsequently found by the Agency are substantially the same as those previously reported to the institution. For example, if an Agency notes in one examination report that an institution’s training program was inadequate because it was out of date (for instance if it did not reflect changes in the law), and at the next examination the training program is adequately updated, but flaws are discovered in the internal controls for the BSA/AML Program, the Agency may determine not to issue a cease and desist order for failure to correct previously reported problems and will consider the full range of potential supervisory responses.
Similarly, if an institution is cited in an examination report described above for failure to designate a qualified BSA compliance officer, and the institution by the next examination has appointed an otherwise qualified person to assume that responsibility, but the examiners recommend additional training for the person, an Agency may determine not to issue a cease and desist order based solely on that deficiency. Statements in a written examination report or other supervisory communication identifying less serious issues or suggesting areas for improvement that the examination report does not identify as requiring communication to the board of directors or senior management as matters that must be corrected would not be considered “problems” for purposes of federal law.
The Agencies recognize that certain types of problems with an institution’s BSA Compliance Program may not be fully correctable before the next examination, for example, remedial action involving adoption or conversion of computer systems. In these types of situations, a cease and desist order is not required provided the Agency determines that the institution has made acceptable substantial progress toward correcting the problem at the time of the examination immediately following the examination where the problem was first identified and reported to the institution.
C. Other Enforcement Actions for BSA Compliance Program Deficiencies
An Agency may also issue a cease and desist order or enter into a formal written agreement, or take informal enforcement action against an institution for other types of BSA/AML Program concerns. In these situations, depending upon the particular facts involved, an Agency may pursue enforcement actions based on unsafe and unsound practices or violations of law, including the BSA. The form of the enforcement action in a particular case will depend on the severity of the noncompliance, weaknesses, or deficiencies, the capability and cooperation of the institution’s management, and the Agency’s confidence that the institution will take appropriate and timely corrective action.