FROM DOC_DB.DOCUMENT D, DOC_DB.REPORTS R, DOC_DB.BACKGROUND B
*
ERROR at line 2:
ORA-00942: table or view does not exist
-------------------------Indexing Terms-------------------------
REPORTNUM: GAO-06-386
TITLE: BANK SECRECY ACT: Opportunities Exist for FinCEN
and the Banking Regulators to Further
Strengthen the Framework for Consistent BSA Oversight
DATE: 04/28/2006
-----------------------------------------------------------------
******************************************************************
** This file contains an ASCII representation of the text of a **
** GAO Product. **
** **
** No attempt has been made to display graphic images, although **
** figure captions are reproduced. Tables are included, but **
** may not resemble those in the printed version. **
** **
** Please see the PDF (Portable Document Format) file, when **
** available, for a complete electronic file of the printed **
** document's contents. **
** **
******************************************************************
GAO-06-386
* Report to the Committee on Banking, Housing, and Urban Affairs, U.S.
Senate
* April 2006
* BANK SECRECY ACT
* Opportunities Exist for FinCEN and the Banking Regulators to
Further Strengthen the Framework for Consistent BSA Oversight
* Contents
* Executive Summary
* Purpose
* Background
* Results in Brief
* Principal Findings
* Regulators Used Similar Procedures for BSA Examinations Pre-2005,
but Their Application Could Vary Widely
* Examiners Took Similar Steps to Prepare for, Determine the
Scope of, and Report on BSA Examinations
* Since 2004, State Banking Departments Have Become More
Involved in BSA Compliance
* Regulators Have Promoted Consistency in Examinations in Recent
Years by Adopting Interagency Procedures and Expanding Training
* New Interagency Procedures Create a Framework for Consistent
BSA Examination Processes
* Regulators Have Increased Their Focus on BSA-Related Skills
and Training
* Regulators Improved Tracking of BSA Examination and Violations
Data, but Differences in Terminology Could Result in
Inconsistencies
* Changes to Regulators' Data Systems Have Enabled Them to
Better Track BSA Data
* Differences Remain in Regulators' Guidance and Terminology
for Classification of BSA Noncompliance
* Regulators and FinCEN Increased Coordination on BSA Enforcement,
and Criminal Cases against Depository Institutions Were Limited
* Most BSA Noncompliance Is Addressed during Examinations, but
Regulators Recently Increased Coordination on Formal
Enforcement Actions
* Justice Has Pursued a Limited Number of Cases against
Depository Institutions for BSA Noncompliance
* Recommendations for Executive Action
* Agency Comments and GAO Evaluation
* Introduction
* Successive Legislation Has Expanded the Responsibility to Combat
Money Laundering
* Regulators and Other Federal Agencies Carry Out BSA Requirements
* Regulators Generally Address BSA Issues through Safety and
Soundness or Targeted Examinations
* Objectives, Scope, and Methodology
* Regulators Used Similar Procedures for BSA Examinations, but under
Pre-2005 Guidance, Their Application Could Vary Widely
* Examiners Took Similar Steps to Prepare for, Determine Scope of,
and Report on BSA Examinations
* Planning Activities for Examinations Culminate in a Risk
Profile
* Examiners Used Risk Profiles to Determine the Scope of
Examinations
* Examinations Concluded with Supervisory Consultation,
Reporting, and, When Needed, Corrective Actions
* Under Pre-2005 Guidance, Documentation Requirements Varied
Widely
* Since 2004, State Banking Departments Have Become More Involved
in BSA Reviews and Increased Information Sharing with FinCEN
* In 2004, Many State Banking Departments Reported That They
Did Not Examine for BSA Compliance
* Some State Banking Departments Recently Began Reviewing for
BSA Compliance; Others Have Intensified Existing BSA Reviews
* State Banking Departments, Regulators, and FinCEN Also Have
Recently Increased Coordination on BSA-Related Examination
Activities
* Regulators Have Promoted Consistency in BSA Examinations through
Interagency Procedures and BSA Training
* New Interagency Procedures Create Framework for Consistent
BSA/AML Examination Processes
* New Examination Procedures Organize Information on BSA Risk
Assessments and Link Assessments to Scoping and Planning
* New Examination Procedures Add Uniformity to Assessment of
Independent Audit Function
* New Examination Procedures Require Transaction Testing,
Regardless of the Institution's BSA Risk Level
* Regulators Revised Examination Tools for Documenting BSA
Procedures to Conform to the FFIEC Examination Manual
* In Recent Years, Regulators Have Intensified Focus on BSA-Related
Skills and Issues in Examiner Training
* Each Regulator Provides BSA/AML Training to Its Examiners
* Regulators Participated in Joint Efforts to Train Examiners
on New Interagency Procedures
* Some Regulators Are Developing More BSA/AML Expert Staff to
Serve in a Variety of Roles
* Systems Improvements Help Regulators Track BSA Examination and
Violation Data, but Differences in Terminology Remain
* Regulators Use Supervisory and Quality Assurance Reviews and
Tracking Systems to Monitor BSA Examinations
* Data System Improvements Have Allowed the Regulators to Better
Track BSA- Related Information
* Changes to Regulators' Data Systems Have Improved Tracking
Capabilities
* BSA-Related Violations Increased in Recent Years; Violations
of Currency Transaction Reporting Requirements Were
Frequently Cited
* In Recent Years, Some Regulators Have Been Citing BSA
Violations with Greater Specificity Than Before
* Regulators Now Share More Specific BSA- Related Examination and
Violation Data with FinCEN
* Differences Remain in the Regulators' Guidance and Terminology
for Classification of BSA Compliance Problems
* Regulators' Guidance on How to Cite and Classify BSA-Related
Compliance Problems Leaves Key Terms Undefined and Varies in
Scope
* Examiners Generally Did Not Agree on When a BSA Program
Compliance Deficiency Amounted to a BSA Violation
* Examiners Cited Institutions Differently for Apparently
Similar Problems, but Regulators Noted Several Factors That
Could Have Caused Differences
* Regulators and FinCEN Increased Coordination on BSA Enforcement;
Criminal Cases Were Limited
* Regulators Address Most BSA-Related Compliance Problems within
the Examination Framework
* Regulators Assess Many Factors in Deciding on Formal Actions
against Significant BSA- Related Compliance Problems
* Regulators Do Not Derive Authority for Formal Enforcement
Actions, Including CMPs, from the BSA
* Critical Reviews of Regulators' BSA Oversight Have Prompted Some
Regulators to Change Examiner Procedures and Guidance
* Unlike the Regulators, FinCEN Has Delegated Enforcement Authority
under the BSA
* From 2000 to 2005, FinCEN Imposed CMPs in 11 Cases but, in
Recent Years, Assessed Them Concurrently with Relevant
Regulators
* Riggs Bank
* The New York Branch of Arab Bank, PLC
* FinCEN Does Not Believe the Lack of Delegated Authority to
Impose CMPs under the BSA Has Significantly Affected
Enforcement
* Justice Has Pursued a Limited Number of Criminal Cases against
Depository Institutions for BSA Noncompliance
* In Some Cases, Law Enforcement Investigations First
Identified BSA Failures
* Disposition of Criminal Cases against Depository
Institutions Has Varied but Included Monetary Penalties in
Each Case
* Change to the U.S. Attorneys' Manual Formalized Practice of
Obtaining Centralized Approval before Pursuing Cases against
Depository Institutions
* Conclusions and Recommendations
* Regulators Have Created a Framework for Consistency in BSA
Examinations
* Regulators Have Improved Their Systems for Monitoring BSA
Examination Results
* Regulators, FinCEN, and Justice Have Improved Coordination on BSA
Enforcement Actions
* Concluding Observations
* Recommendations for Executive Action
* Agency Comments and Our Evaluation
* Under Pre-2005 Guidance, Regulators' Documentation Requirements Varied
Widely
* Regulators Required Documentation of "Major" Procedures; Planning
and Scoping Procedures More Often Were Documented for Large
Institutions
* Regulators' Former Examination Guidance Allowed Variation in
Documentation of Transaction Testing
* Comments from FinCEN and the Federal Banking Regulators
* Comments from the Department of Justice
* GAO Contact and Staff Acknowledgments
* Related GAO Products
* PDF6-Ordering Information.pdf
* Order by Mail or Phone
Report to the Committee on Banking, Housing, and Urban Affairs, U.S.
Senate
April 2006
BANK SECRECY ACT
Opportunities Exist for FinCEN and the Banking Regulators to Further
Strengthen the Framework for Consistent BSA Oversight
Contents
Tables
Figures
April 28, 2006Letter
The Honorable Richard Shelby Chairman The Honorable Paul Sarbanes Ranking
Minority Member Committee on Banking, Housing, and Urban Affairs United
States Senate
This report responds to your request that we review the examination and
enforcement programs for Bank Secrecy Act (BSA) compliance that the
federal banking, thrift, and credit union regulators use at depository
institutions in the United States. Specifically, our objectives were to
determine how (1) the regulators examined for BSA compliance at the
depository institutions they supervise, (2) the regulators have updated
examination procedures and trained examiners since the passage of the USA
PATRIOT Act, (3) the regulators identify and track BSA violations to
ensure timely corrective actions at the institutions they examine, and (4)
enforcement actions are taken for violations of the BSA.
As agreed with you, unless you publicly release its contents earlier, we
plan no further distribution of this report until 30 days from its issue
date. At that time, we will send copies of this report to the Chairman and
Ranking Minority Member of the House Committee on Financial Services; the
Departments of Homeland Security, Justice, and the Treasury; the Board of
Governors of the Federal Reserve System; the Federal Deposit Insurance
Corporation; the Office of the Comptroller of the Currency; the Office of
Thrift Supervision; the National Credit Union Administration; and other
interested parties. We will make copies available to others upon request.
In addition, this report will be available at no cost on our Web site at
http://www.gao.gov .
If you or your staff have any questions regarding this report, please
contact me at (202) 512-2717 or [email protected] . Contact points for our
Offices of Congressional Relations and Public Affairs may be found on the
last page of this report. GAO staff who made major contributions to this
report are listed in appendix IV.
Yvonne D. Jones, Director, Financial Markets and Community Investment
Executive Summary
Purpose
Since 1970, when Congress passed the Bank Secrecy Act (BSA), the United
States has been expanding its framework for preventing, detecting, and
prosecuting money laundering with new laws and amendments to the BSA.1 The
purpose of the BSA is to prevent financial institutions from being used as
intermediaries for the transfer or deposit of money derived from criminal
activity and to provide a paper trail for law enforcement agencies in
their investigations of possible money laundering. Over the years, the BSA
has evolved into an important tool to help a number of regulatory and law
enforcement agencies detect money laundering, drug trafficking, terrorist
financing, and other financial crimes. The most recent comprehensive
enhancements to the BSA occurred in October 2001 under title III of the
USA PATRIOT Act (PATRIOT Act).2 This title is referred to as the
International Money Laundering Abatement and Anti-Terrorist Financing Act
of 2001. Title III made a number of amendments to the anti-money
laundering (AML) provisions of the BSA intended to facilitate the
prevention, detection, and prosecution of money laundering and terrorist
financing. For example, by requiring every financial institution to
establish an AML program, the PATRIOT Act extended AML program
requirements to financial institutions that had not previously been
subject to federal financial regulation.3
In recent years, noncompliance with BSA requirements among depository
institutions has raised concerns in Congress about the ability of the
federal banking regulators (regulators) to oversee BSA compliance at
depository institutions and to ensure, through examinations, that these
institutions have the controls in place to identify suspicious activity
that could be
related to money laundering or terrorist financing.4 The accurate and
timely recording of BSA examinations results is important for ensuring
that timely and appropriate federal enforcement actions are taken against
noncompliance. In 2004 and 2005, investigations of depository institution
customers by various law enforcement agencies and congressional
investigators resulted in several highly publicized cases and significant
penalties for BSA noncompliance by the institutions. During hearings on
BSA oversight and enforcement, congressional committees have focused on
the timeliness of regulators' enforcement actions for BSA noncompliance.
The Senate Committee on Banking, Housing, and Urban Affairs asked GAO to
undertake a review of the examination and enforcement programs for BSA
compliance that the federal banking, thrift, and credit union regulators
use at depository institutions in the United States. Specifically, GAO's
objectives were to determine how (1) the regulators examined for BSA
compliance at the depository institutions they supervise, (2) the
regulators have updated examination procedures and trained examiners since
the passage of the PATRIOT Act, (3) the regulators identify and track BSA
violations to ensure timely corrective actions at the institutions they
examine, and (4) enforcement actions are taken for violations of the BSA.
Background
The regulatory system for the BSA involves several different federal
agencies. The Department of the Treasury's (Treasury) Financial Crimes
Enforcement Network (FinCEN) is the administrator of the BSA and has the
authority to enforce the act through the assessment of penalties,
including civil money penalties (CMP).5 In 1994, the Secretary of the
Treasury delegated to the Director of FinCEN overall authority for
enforcement of, and compliance with, the BSA and its implementing
regulations. In the same year, the Secretary also delegated BSA
examination authority to the regulators.6 As part of a reorganization, in
2004, FinCEN created an Office of Compliance to oversee and work with
regulators on BSA examination and compliance matters.
The regulators examine a variety of institutions for BSA compliance,
including but not limited to national banks, state member banks, state
nonmember banks, thrifts, and credit unions. The regulators review
depository institutions for compliance with the BSA as part of their
safety and soundness examinations or in targeted examinations focused on
BSA compliance. Safety and soundness examinations are periodic on-site
examinations conducted to assess an institution's financial condition;
policies and procedures; and adherence to laws and regulations, such as
the BSA. These examinations generally are conducted every 12 to 18 months
at institutions, such as community banks, midsize banks, savings
associations, and credit unions, on the basis of the regulator's rating of
the institution's risk. At large complex banking organizations and large
banks, these examinations are conducted on a continuous basis in cycles of
36 months. The Board of Governors of the Federal Reserve System (Federal
Reserve), the Federal Deposit Insurance Corporation (FDIC), and the
National Credit Union Administration (NCUA) share safety and soundness
examination responsibility with state banking departments for
state-chartered institutions.7
The regulators take a risk-focused approach to safety and soundness
examinations, including reviews for BSA compliance. That is, the
examination is targeted to the institution's key areas of risk or specific
problems. In BSA examinations, the risk-focused approach enables
regulators to apply the appropriate scrutiny and devote examination
resources to business lines or areas within depository institutions that
pose the greatest risk for BSA noncompliance, such as wire transfers,
private banking, international correspondent banking, large cash
transactions, and other high-risk areas.
Other departments are involved in BSA enforcement. The Department of
Justice (Justice) pursues charges against depository institutions for
criminal noncompliance with the BSA. The Department of Homeland Security's
Bureau of Immigration and Customs Enforcement and the Internal Revenue
Service's Criminal Investigation division also investigate cases involving
money laundering and terrorist financing activities.
Results in Brief
Before 2005, each regulator used separately developed, but similar,
examination procedures to assess compliance with BSA program requirements;
however, the application of some examination procedures could vary widely.
Examiners reviewed institutions for these requirements as part of safety
and soundness examinations, using procedures that generally were similar
across all five regulators and that included steps related to planning and
scoping; the creation of risk profiles; and supervisory consultation,
reporting, and corrective actions, when appropriate. While the regulators
specified certain procedures, the overall risk-focused approach they used
for BSA examinations required examiners to exercise professional judgment
in determining the extent to which certain procedures would be conducted.
According to examiners, differences in product risks, the varying sizes
and complexity of the institutions, and other factors could affect how
examiners made decisions, such as assessing the scope of the examination
and determining the extent of transaction testing conducted. However,
under pre-2005 BSA-related examination guidance, the application and
documentation of certain procedures could vary widely. For example, GAO's
review of the regulators' manuals and guidance for BSA examinations and of
a sample of examinations conducted over a 4 1/2-year period found fewer
requirements for and less documentation of transaction testing in
examinations of smaller institutions. GAO's review indicated more
documentation of examination planning procedures for larger institutions.
As recently as 2004, about one-third of state banking departments reported
that they were not examining depository institutions for BSA compliance;
however, as of November 2005, 45 state banking departments reported
examining for BSA compliance. In addition, many state banking departments
increased their coordination with the regulators and FinCEN, and, as of
March 2006, 36 state banking departments had signed memorandums of
understanding (MOU) with FinCEN.
During the course of GAO's review, the regulators jointly developed and,
in June 2005, issued an interagency BSA examination procedures manual and
subsequently conducted nationwide training on the new procedures for
examiners and others, in an effort to establish more consistency in
examination procedures and application. The new procedures retain the
risk-focused approach of the prior procedures, but recognize that,
depending on the specific characteristics of the product, service, or
customer, the risks vary from one institution to another. The manual also
states that as new products or services are introduced, institution
management's evaluation of money laundering and terrorist-financing risks
should evolve. Thus, the manual requires examiners to apply a higher level
of scrutiny to lines of business that carry a higher risk for potential
money laundering or noncompliance with the BSA. However, the new
procedures also link institutions' risk assessments to risk profiles,
introduce more uniformity into the assessment of the BSA independent audit
function, and require transaction testing in all examinations regardless
of the institution's risk profile. As a result, the new procedures provide
a uniform framework that could result in greater consistency in BSA
examinations across the regulators. In recent years, regulators also have
intensified their focus on BSA-related skills and examiner training
relating to BSA compliance. For example, the regulators regularly train
examiners on examination procedures and provide them with up-to-date
guidance on changes or new requirements, such as those stemming from the
PATRIOT Act or the interagency procedures. Following the issuance of the
interagency procedures, the regulators held a series of training sessions
and other events for federal and state examiners. Additionally, some
regulators have increased the number of examiners with BSA specialization,
many of whom serve as resources for other examiners in the field.
Recent improvements to one of the primary mechanisms used to monitor BSA
examinations allowed regulators to better record and track BSA-related
information. However, differences in the terminology that regulators use
to classify compliance problems may result in inconsistencies. Although
the regulators were recording and tracking BSA-related examination and
violation information from 2000 to 2004, recent system improvements have
allowed some regulators to better track and cite BSA violations than in
the past. For example, systems upgrades currently allow FDIC to
distinguish violations under specific categories, rather than one general
category. Also, regulator data showed that the number of BSA-related
violations generally increased from 2000 to 2004. The systems upgrades
also allowed regulators to more readily produce information for other
users, such as FinCEN. Under an MOU into which the regulators and FinCEN
entered in September 2004, the regulators now share with FinCEN more
specific data on BSA examinations and violations data. For example, the
regulators provide FinCEN with quarterly reports on the number of
examinations conducted and the number and type of violations cited.
Furthermore, FinCEN has begun to provide the regulators with analytical
reports that help identify compliance problems and trends across
regulators and to disseminate information about AML issues. FinCEN plans
to provide the regulators with additional reports, such as those on AML
issues across industries, in the future. All of the regulators have begun
to analyze the violation data internally for their own purposes, but
FinCEN and the regulators have not yet discussed whether these data
indicate a need for additional guidance to examiners. Despite their
enhanced systems and reporting, GAO found differences in the regulators'
guidance and the terminology they used to classify BSA problems-with
guidance varying in scope and many key terms undefined. In addition, in
developing the MOU, FinCEN and the regulators acknowledged that the
regulators do not use the same terminology to describe BSA noncompliance.
GAO's review of 138 examinations found a variety of terms used to describe
BSA noncompliance, and examiners appeared to use different terms for
apparently similar problems. For example, in addition to the term
"violation," examiners used the terms "apparent violation," "weakness,"
"deficiency," and "exception" when referring to BSA noncompliance. To
avoid any uncertainty over what information was included, the wording in
the MOU called for banking regulators to notify FinCEN of "significant BSA
violations or deficiencies."
According to regulatory officials, most cases of BSA/AML noncompliance are
corrected within the examination framework through supervisory actions,
such as bringing the problem to the attention of institution management
and obtaining a commitment to take corrective action, or through informal
actions, such as letters that document such commitments. Both the
regulators and FinCEN can undertake formal enforcement actions, which
range from public written agreements with the institution to CMPs.
According to the regulators, formal enforcement actions are used to
address cases involving pervasive, repeated noncompliance; failure to
respond to supervisory warnings; and other factors. For example, from 2000
to 2005, FinCEN assessed CMPs in 11 cases. Starting in 2004, more of these
CMPs were assessed in conjunction with the relevant regulator, and the
penalties were significantly higher. However, only FinCEN has delegated
authority under the BSA to assess CMPs; the regulators do so under
separate authorities. In 1994, the Secretary of the Treasury was directed
by statute to delegate the authority to assess CMPs under the BSA to the
regulators, with such limitations as the Secretary deemed necessary.
However, according to FinCEN officials, this was not done, partly because
of challenges involved in crafting a delegation that would result in
consistent and accountable BSA enforcement. Furthermore, FinCEN officials
said that these challenges increased substantially with the addition of
new types of institutions subject to BSA compliance requirements under the
PATRIOT Act. FinCEN officials said that because of the increased
cooperation on BSA compliance with the regulators in recent years, they
were not aware that the lack of delegated authority had produced any
significant enforcement ramifications. For example, they pointed out that
FinCEN now is involved earlier in the regulators' enforcement process and
engages in joint actions with the regulators with more frequency than in
the years preceding adoption of the MOU. Furthermore, FinCEN officials
said they had no plans to pursue this delegation.
While FinCEN and the regulators can take a variety of actions against
depository institutions, under federal statute, Justice takes action
against depository institutions, for money laundering offenses and certain
BSA offenses. From 2002 to 2005, Justice pursued criminal charges against
six depository institutions for noncompliance with the BSA. In general,
these cases were identified through criminal investigations of the
institutions' customers. The criminal cases have raised concerns in the
banking industry that depository institutions would be targeted for
criminal investigation. However, Justice officials emphasized that willful
and pervasive violations by the institutions were important factors in
these cases. Some cases resulted in guilty pleas and others resulted in
deferred prosecution agreements, contingent on the depository
institutions' cooperation and implementation of corrective actions. In
each case, the depository institution paid a monetary penalty.
Principal Findings
Regulators Used Similar Procedures for BSA Examinations Pre-2005, but
Their Application Could Vary Widely
Before 2005, the regulators used separate examination guidance to review
BSA compliance at depository institutions, although the examination
procedures generally were similar. However, the ways in which procedures
were applied could vary, as could their documentation. In recent years,
more state banking departments-which generally use federal BSA examination
procedures-have conducted BSA examinations and increased their
coordination with the regulators and FinCEN.
Examiners Took Similar Steps to Prepare for, Determine the Scope of, and
Report on BSA Examinations
Before 2005, the regulators used separate examination guidance to review
BSA compliance at depository institutions, although the examination
procedures generally were similar. Examination activities included
planning and scoping; creation of risk profiles; and supervisory
consultation, reporting, and corrective actions. In addition to
undertaking these procedures, examiners also have exercised professional
judgment in determining the manner or extent to which certain procedures
were conducted. In general, the procedures that examiners have used (and
continue to use) to prepare for and report on examinations were
similar-planning and scoping activities were to result in the creation of
a risk profile for the institution to be examined. Examiners were then to
conduct risk-assessment procedures to evaluate an institution's potential
for BSA noncompliance, money laundering, or terrorist financing. To
perform the risk assessments, examiners were to gather and analyze
information from the institutions or other sources about operational
procedures or activities that might expose the institution to risk in
these areas. Examiners also were to draw on similar sources of information
to create the risk profiles, including the institution's internal
assessments and information from other federal agencies. In addition,
examiners were to assess the institution's internal controls and
independent audit function, as well as the institution's BSA/AML program,
officer, and training.
Examiners were to use an institution's risk profile to determine the
nature and extent of procedures to be performed during the examination. If
the institution's risk profile was low, examiners generally were to
conduct what are variously referred to as basic, core, or limited
examination procedures. In addition to the basic procedures previously
mentioned, examiners could perform transaction testing, depending on the
regulator's examination requirements. If an institution's risk profile was
high or examiners identified BSA compliance problems (e.g., with the
institution's BSA/AML policies, procedures, programs, or internal
controls), examiners generally were to conduct expanded procedures in
high-risk areas or the areas of identified deficiencies.
Finally, in concluding the examinations, examiners were to consult with
their supervisors on examinations findings, include recommendations in
examination reports, and consult with institutions' management about any
corrective actions. Subsequently, examiners were to prepare the report of
examination-detailing the scope, compliance risk, findings, recommended
corrective actions, and management's commitment to take corrective action.
The report of examination is also to indicate any corrective actions
completed by management before the end of the examination. Examiners were
to perform follow-up activities between examinations, or at the next
scheduled examination, to verify compliance with corrective actions.
Under pre-2005 guidance, the regulators did not consistently require or
document transaction testing. The regulators required transaction testing
in examinations of larger institutions with higher asset levels, but not
always at smaller institutions. From each regulator, GAO reviewed about 30
examinations that were conducted between January 2000 and June 2004. This
review, when coupled with GAO's review of regulator guidance and
examination manuals, showed instances where documentation of examination
procedures varied widely and regulators did not consistently require or
document transaction testing. Our examination review found less
documentation of transaction testing in examinations at smaller
institutions with lower assets-such as the community banks and savings
associations-than at larger institutions with higher assets. The Office of
Thrift Supervision (OTS), FDIC, and NCUA examination guidance permitted
examiners to exercise their professional judgment in determining whether
to perform transaction testing. The Office of the Comptroller of the
Currency (OCC) required transaction testing for large banks, and the
Federal Reserve required that some transaction testing be performed in all
examinations.
Since 2004, State Banking Departments Have Become More Involved in BSA
Compliance
As recently as 2004, about one-third of state banking departments reported
not examining for BSA compliance; however, state banking departments since
have taken a more active role in conducting these reviews. In some states,
federal examiners independently reviewed institutions or reviewed
institutions jointly with examiners from state banking departments.
According to a Federal Reserve official, the frequency of these
examinations and the decision of whether to perform the review jointly
depended on the institution's risk level. In addition, during the course
of GAO's work and in response to an FDIC Inspector General recommendation,
FDIC announced in 2004 that its examiners would conduct reviews for BSA
compliance during examinations of FDIC-supervised institutions led by
state banking departments that do not cover BSA compliance. The number of
state banking departments that conduct these reviews has increased in
recent years. According to officials from some state banking departments,
because of the increased attention to AML and terrorist-financing issues
following September 11, 2001, some state banking departments began
examining for BSA compliance or expanded the scope of existing reviews.
Results of a Conference of State Bank Supervisors query of its members
indicated that, as of November 2005, 45 state banking departments were
reviewing for BSA compliance.8 In general, whether recently examining for
BSA compliance or continuing well-established procedures, state examiners
used the regulators' examination procedures to examine for BSA compliance.
Beginning in 2004, state banking departments, the regulators, and FinCEN
increased coordination on BSA-related examination and information-sharing
activities. In addition, the regulators also began training state
examiners on reviewing for BSA compliance. As of March 2006, 36 state
banking departments had signed MOUs with FinCEN aimed at further improving
coordination of BSA/AML activities. According to FinCEN, these agreements
provide the framework for enhanced collaboration and information sharing
between federal and state agencies that will allow FinCEN to better
administer the BSA, while simultaneously assisting state agencies to
better fulfill their roles as financial institution departments. In March
2006, FinCEN was receiving data for the fourth quarter of 2005 from the
states.
Regulators Have Promoted Consistency in Examinations in Recent Years by
Adopting Interagency Procedures and Expanding Training
During the course of GAO's work, the regulators took a number of steps to
promote consistency of BSA examinations, including issuing new interagency
procedures and revising and expanding examiner training. To disseminate
new information and increase knowledge of the BSA and related issues, the
regulators have increased training on the BSA and the PATRIOT Act and have
coordinated efforts to educate staff on the interagency procedures. Some
regulators also have focused on developing more BSA/AML specialist
examiners.
New Interagency Procedures Create a Framework for Consistent BSA
Examination Processes
In June 2005, the regulators, in collaboration with FinCEN, issued a new
BSA/AML examination manual through the Federal Financial Institutions
Examination Council (FFIEC).9 In the regulators' view, the FFIEC Bank
Secrecy Act Anti-Money Laundering Examination Manual (FFIEC Examination
Manual) is the product of best practices among the regulators and aims to
promote procedural consistency in the conduct of BSA examinations at all
depository institutions. In contrast to previous guidance, the FFIEC
Examination Manual organizes guidance on risk assessment procedures
primarily in one place-that is, in the core overview scoping and planning
section. The manual also comprehensively describes risk assessments for
BSA examinations, taking examiners from the planning stages to using
conclusions to develop risk profiles. The manual recognizes that,
depending on the specific characteristics of the product, service, or
customer, the risks are not always the same. The manual also states that
as new products or services are introduced, the institution's management's
evaluation of money laundering and terrorist-financing risks should
evolve. The FFIEC core examination procedures provide uniform guidance for
examiners to follow when validating the independent audit as part of the
planning and scoping of the BSA examination. The expanded sections of the
manual provide guidance on specific lines of business or products that may
present unique challenges and exposures for which institutions should
institute the appropriate policies, procedures, and processes.
Furthermore, the FFIEC Examination Manual requires transaction testing at
each examination, regardless of the institution's BSA risk level, and
emphasizes the importance of transaction testing for making conclusions
about the integrity of the institution's overall controls and risk
management processes. The manual emphasizes the importance of transaction
testing for making conclusions about the integrity of the institution's
overall controls and risk management processes, and further requires that
transaction testing be conducted to evaluate the adequacy of the
institution's compliance with regulatory requirements and the
effectiveness of its policies, procedures, processes, and suspicious
activity monitoring systems. According to the manual, examiners perform
transaction testing to evaluate the adequacy of an institution's
compliance with regulatory requirements or to determine whether its
policies, procedures, processes, and suspicious activity monitoring
systems are effective.
Regulators Have Increased Their Focus on BSA-Related Skills and Training
Although each regulator provides BSA/AML training to its examiners, each
approaches training differently. OTS and NCUA require all new staff to
attend a basic AML training course. OTS and NCUA used regional conferences
to train examiners on BSA issues. The Federal Reserve requires all staff
seeking to obtain an examiner commission to successfully complete a
BSA/AML proficiency test.10 FDIC requires all examination staff to obtain
BSA/AML training through classroom or Web-based training. OCC offers four
different training schools as well as specialized BSA/AML training on a
voluntary basis to certain staff. In addition to their own training,
regulators also used interagency or outside venues to train staff.
Regulators also updated their AML training to cover all of the relevant
provisions of the PATRIOT Act.
After the issuance of the new procedures on June 30, 2005, FFIEC
coordinated a far-reaching effort to train examiners and the industry on
the new procedures, holding a series of training events across the
country. State banking departments also participated in training on the
FFIEC Examination Manual.
Although safety and soundness and compliance examiners primarily perform
BSA/AML examinations, some regulators use examiners with specialized skill
to provide training, serve as a resource to other examiners, or assist on
complex examinations. All of the regulators offer career paths and options
for becoming a BSA subject matter expert.11 More recently, some regulators
have planned to train or increase substantially the number of subject
matter experts they have to help meet PATRIOT Act requirements and address
the increasing complexity of BSA examinations.
Regulators Improved Tracking of BSA Examination and Violations Data, but
Differences in Terminology Could Result in Inconsistencies
The regulators use various internal control mechanisms to monitor BSA
examinations, and recent improvements in their automated examination and
enforcement data systems have enabled them to better track and report BSA
information. The regulators are able to more readily share BSA-related
information, a particularly important ability in light of the MOU
regulators signed with FinCEN in September 2004. However, the regulators
differ on how they classify and define some BSA compliance problems.
Changes to Regulators' Data Systems Have Enabled Them to Better Track BSA
Data
Regulators use automated data systems to store and track examination data
and information on supervisory and enforcement actions. Since 2000, all of
the regulators have changed or upgraded their data systems to improve
their recording and monitoring capabilities. To varying degrees, previous
iterations of these data systems limited regulators' ability to monitor
and report BSA-related examination results in a comprehensive and timely
manner. For example, before 2001, NCUA manually collected information on
BSA-related violations; however, in 2001, NCUA began to redesign its
information technology system. NCUA's system now allows it to track more
BSA data, including violations and any corrective actions institutions had
implemented. Similarly, until the late 1990s, OTS generally tracked BSA
data manually, but currently OTS has an Internet-based system that
comprehensively tracks BSA examination results. FDIC upgraded its systems
to better track violations and the status of corrective actions. OCC has
separate systems to track BSA results for large banks and midsize and
community banks. OCC's improvements to its system for data on large banks
include the increased ability to search the full text of examinations,
including BSA reviews. The Federal Reserve for some years has had national
supervisory data systems that maintain both data and electronic copies of
examination and enforcement documents. These systems were, and continue to
be, accessible to all appropriate supervisory staff across the Federal
Reserve System. Until recently, the national data system (national
examiner database) did not separately track BSA/AML violation data. In
2003, the Federal Reserve began to enhance its national examiner database
to capture BSA/AML violations or other BSA examination-related data.
GAO's review of the regulators' data indicated that the number of
BSA-related violations generally increased in recent years. Among the
frequently cited violations in 2003 and 2004 were violations issued in
connection with currency transaction reporting requirements. Furthermore,
some regulators cited more BSA violations with greater specificity in
later years. For example, FDIC officials indicated that FDIC's current
data system, which was implemented in 2003, now specifies subsections of
BSA-related regulations that institutions have violated.
In September 2004, the regulators and FinCEN entered into an MOU under
which the regulators provide FinCEN with quarterly reports on the number
of BSA-related examinations they have conducted, the number and types of
BSA violations they cited, and the institutions they cited for repeat
violations. The MOU requires FinCEN, in turn, to provide the regulators
with reports and analyses of the data submitted by the regulators. As of
February 2006, the regulators had provided FinCEN with five quarters of
data and two annual reports.12 FinCEN provided the regulators with
aggregated data, which identified certain compliance issues that the
regulators could work to address with the institutions they supervise.
FinCEN's longer term goal is to provide BSA compliance analyses across the
financial services sector. All of the regulators have begun to analyze for
their own purposes the BSA compliance data they receive from FinCEN.
FinCEN and the regulators have not yet discussed as a group the
implications of the violation data, and whether there was a need for
additional guidance to examiners so that they could address problem areas
that the regulators have been identifying.
Differences Remain in Regulators' Guidance and Terminology for
Classification of BSA Noncompliance
Although the regulators and FinCEN increasingly have been enhancing and
coordinating information sharing and reporting, differences in how the
regulators classify BSA compliance problems remain. For example,
regulators differ in the guidance they provide examiners for determining
what constitutes a violation, with one regulator not providing any written
guidance and others differing in the degree of guidance provided.
Furthermore, the regulators' instructions on BSA enforcement, which also
provide guidance for interpreting or classifying BSA problems, do not
clearly define the terms-intended as criteria for determining the
seriousness or scope of a compliance problem-on which those
classifications would be based. When GAO reviewed the regulators' BSA
examinations, it generally found that the distinction between violations
and deficiencies appeared to be that violations represented some action or
inaction prohibited by the BSA and implementing regulations, and
deficiencies did not. Additionally, there appears to be no clear consensus
among examiners regarding how to distinguish between BSA deficiencies and
violations.
FinCEN officials said that, in drafting the terms of the MOU, the issue of
different terminology was discussed, and that FinCEN and the regulators
agreed not to impose any requirements for standardized terminology in the
MOU itself. Instead, the MOU requires the regulators to provide FinCEN
with information on instances of "significant" noncompliance, regardless
of whether the regulator classified it as a violation or a deficiency-that
is, all problems for which the regulator is taking supervisory action are
to be reported to FinCEN. FinCEN officials said they had to work with the
regulators to determine the appropriate information to be provided.
In GAO's review of the regulators' examinations, examiners appeared to
have classified apparently similar BSA problems differently. In some
cases, examiners cited institutions with "deficiencies," and, in other
cases, they cited institutions with "violations." As a result, examiner
judgment likely plays a greater role in classifying BSA problems. In turn,
this could increase the potential for inconsistencies in classifying
compliance problems and subsequent citations. However, regulators
emphasized that other factors, such as an institution's risk profile or
the diversity of its operations and products, also help explain the
differences in the way BSA compliance problems were cited and classified.
Regulators and FinCEN Increased Coordination on BSA Enforcement, and
Criminal Cases against Depository Institutions Were Limited
Although the regulators can use a variety of tools to address BSA-related
compliance problems, according to the regulators, most BSA-related
problems are resolved during the course of an examination. FinCEN also
uses a range of enforcement tools to address BSA noncompliance problems,
and FinCEN alone can assess CMPs under the BSA. FinCEN and the regulators
have increased coordination on enforcement since their September 2004 MOU.
While FinCEN and the regulators pursue a variety of enforcement actions
for BSA compliance problems, Justice has pursued a limited number of
criminal cases against depository institutions for BSA violations.
Most BSA Noncompliance Is Addressed during Examinations, but Regulators
Recently Increased Coordination on Formal Enforcement Actions
Although regulators use a broad range of actions to address BSA
compliance, according to the regulators, most problems in BSA-related
compliance are corrected within the examination framework through
supervisory actions. GAO's review of 138 examinations-which were conducted
between January 1, 2000, and June 30, 2004, and contained BSA
violations-also indicated that the regulators most frequently addressed
BSA compliance problems through supervisory actions. The regulators
largely obtained oral commitments to correct identified problems from an
institution during meetings with its management or boards of directors.
Representatives of some regulators noted that if supervisory actions
proved insufficient or problems required stronger action, the regulators
generally would use informal enforcement actions, such as commitment
letters, reflecting specific commitments to take corrective actions in
response to problems or concerns. Informal enforcement actions are
exercises of the regulators' authority to supervise financial institutions
and generally are used to address BSA noncompliance that is limited in
scope and technical in nature. To address significant BSA/AML program and
BSA violations, the regulators generally use formal enforcement actions.
Formal enforcement actions are written documents that are disclosed to the
public and are generally more severe than supervisory and informal actions
and generally are enforceable through the assessment of CMPs and through
the federal court system.
The regulators are not authorized under the BSA to take formal enforcement
actions for violations-that delegated authority rests solely with FinCEN.
Title 12 of the United States Code authorizes the regulators to take
formal enforcement action if they determine that a depository institution
is engaging in unsafe or unsound practices or has violated any applicable
law or regulation. The regulators have interpreted this authority to
include violations of the BSA and its implementing regulations when taking
formal enforcement actions aimed at addressing violations of BSA/AML
program requirements. FinCEN, the administrator of the BSA, takes
enforcement action against BSA compliance problems at financial
institutions, including, but not limited to, depository institutions.
Unlike the regulators, FinCEN can take such action because it is
specifically authorized to do so in the BSA and its implementing
regulations. According to officials at FinCEN and the regulators,
coordination among these agencies on enforcement issues has improved
dramatically in recent years.
Justice Has Pursued a Limited Number of Cases against Depository
Institutions for BSA Noncompliance
From 2002 to 2005, Justice, either through its Criminal Division or its
U.S. Attorneys' Offices, has pursued investigations of six depository
institutions for criminal violation of the BSA.13 The disposition of the
criminal cases has varied, but each case included monetary penalties.
Justice officials said that the number of cases in which the depository
institution was the criminal BSA offender was limited, and that the
department had pursued significantly more cases against individuals for
BSA offenses. According to a senior Justice official, egregious failures
to perform a minimal level of due diligence over a number of years
triggered the cases against the depository institutions. Additionally,
Justice officials and investigators said that most investigations of
depository institutions' criminal violations of the BSA generally
originated during law enforcement investigations of the institutions'
customers. In July 2005, Justice amended the U.S. Attorney's Manual to
direct prosecutors to formalize coordination on cases against financial
institutions for money laundering and certain BSA offenses.
Recommendations for Executive Action
This report makes three recommendations to build on the current level of
coordination, continue to improve BSA administration, and ensure that
emerging compliance risks are addressed. GAO recommends that the Director
of FinCEN and the Comptroller of the Currency, the Chairman of the Federal
Reserve, the Chairman of FDIC, the Director of OTS, and the Chairman of
NCUA, (1) work together to make sure emerging risks in money laundering
and terrorist financing are effectively communicated to examiners and the
industry through updates of the interagency examination manual and other
guidance, as appropriate; (2) periodically meet to review BSA violation
data to determine if they indicate a need for additional guidance; and (3)
jointly assess the feasibility of developing a uniform classification
system for BSA compliance problems.
Agency Comments and GAO Evaluation
GAO provided a draft of this report for review and comment to the
Departments of Homeland Security, Justice, and the Treasury; the Board of
Governors of the Federal Reserve System; the Federal Deposit Insurance
Corporation; the National Credit Union Administration; the Office of the
Comptroller of the Currency; and the Office of Thrift Supervision. The
Department of Homeland Security, Justice, and the regulators provided
technical comments, which were incorporated into this report where
appropriate.
FinCEN and the regulators provided written comments on the draft report in
a joint letter, which is reprinted in appendix II. In their letter, they
said they support GAO's recommendations and are committed to ongoing
interagency coordination to address them through the formal processes they
have in place, particularly the FFIEC BSA/AML Working Group. They also
said that they are committed to their role in ensuring that depository
institutions are in compliance with BSA/AML requirements, and that they
will continue to devote significant resources to make certain institutions
correct deficiencies in their BSA/AML programs as promptly as possible.
Justice also provided written comments, which are reprinted in appendix
III. In its letter, Justice said that the draft report provided an
instructive perspective where it examined the evolution of the
relationship between FinCEN, the regulators, and the banks, but that the
draft did not provide the same perspective when examining how the
examination process meets the needs of law enforcement as the end users of
the information. GAO's objectives were to review how the regulators
examine for BSA compliance, track and resolve violations, and take
enforcement actions. While a review of the reports that depository
institutions produce under the BSA that law enforcement uses in its
investigations would be instructive, it was outside of the scope of this
review. Justice also said that, as a direct result of the success and
efforts by the regulated industry, drug traffickers have been forced to
seek alternate methods and means of using those institutions to launder
their illicit proceeds. Justice further commented that banking regulator
practices and the examination process have historically focused more on
the placement of those funds into the financial system, and that current
investigative efforts suggest that it may prove beneficial to adapt and
focus on the layering of those proceeds. To this end, Justice suggested a
need for greater outreach and collaboration between law enforcement and
regulators familiar with evolving trends. Finally, Justice said that the
draft report reflected the efforts made with the revisions to the
examination manual and commented that these are positive developments that
should bring continuity to examination practice, which will be welcomed by
the industry.
IntroductionChapter 1
Since the enactment of the Bank Secrecy Act (BSA) in 1970, the U.S.
government's framework for preventing, detecting, and prosecuting money
laundering has evolved through amendments to the BSA and the enactment of
additional related legislation.1 The most recent comprehensive amendments
to the BSA were made through the Uniting and Strengthening America by
Providing Appropriate Tools Required to Intercept and Obstruct Terrorism
Act (PATRIOT Act) of 2001.2 Key legislation has supplemented or amended
the BSA, expanding its reporting, record-keeping, and enforcement
provisions. Federal financial regulators and other federal agencies work
within this framework to carry out BSA requirements. The regulators have
responsibility for examining depository institutions for compliance with
BSA requirements, while overall responsibility for BSA administration
rests with the Department of the Treasury (Treasury), through the
Financial Crimes Enforcement Network (FinCEN).3 The regulators conduct
reviews of BSA compliance as part of their regular examination process.
They take a risk-focused approach targeted to the institution's key areas
of risk or specific problems.
Successive Legislation Has Expanded the Responsibility to Combat Money
Laundering
The federal government's framework for preventing, detecting, and
prosecuting money laundering has been expanded through additional
legislation since its inception in 1970 with the BSA.4 The BSA required,
for the first time, that financial institutions maintain records and
reports that financial regulators and law enforcement agencies have
determined have a high degree of usefulness in criminal, tax, and
regulatory matters. The BSA authorizes the Secretary of the Treasury to
issue regulations on the reporting of certain currency transactions. The
BSA has the following three main objectives: create an investigative audit
trail through regulatory reporting standards; impose civil and criminal
penalties for noncompliance; and improve the detection of criminal, tax,
and regulatory violations.
The reporting system initially implemented under the BSA was by itself an
insufficient response to combat underlying money laundering activity
because, before 1986, the BSA contained sanctions for failing to file
reports or for doing so untruthfully, but it did not contain sanctions for
money laundering. The Money Laundering Control Act of 1986 (MLCA) made
money laundering a criminal offense, separate from any BSA reporting
violations.5 The MLCA created criminal liability for individuals or
entities that conduct monetary transactions knowing that the proceeds
involved were obtained from unlawful activity, and the act made it a
criminal offense to knowingly structure transactions to avoid BSA
reporting. Penalties under the MLCA include imprisonment, fines, and
forfeiture. The MCLA also directed each regulator to prescribe regulations
requiring insured depository institutions to establish and maintain
procedures reasonably designed to ensure and monitor compliance with the
reporting requirements of the BSA. To further assist the effectiveness of
the BSA, pursuant to this requirement, the regulators promulgated
regulations requiring insured depository institutions to establish and
maintain procedures designed to ensure compliance with the requirements of
the BSA-a BSA and Anti-Money Laundering (AML) program (BSA/AML program).6
The Annunzio-Wylie Anti-Money Laundering Act of 1992 (Annunzio-Wylie)
amended the BSA in a number of ways.7 It authorized Treasury to require
financial institutions to report any suspicious transaction relevant to a
possible violation of a law. It also authorized Treasury to require
financial institutions to carry out AML programs and promulgate
record-keeping rules relating to funds transfer transactions.
Annunzio-Wylie also made the operation of an illegal money-transmitting
business a crime.
The Money Laundering Suppression Act of 1994 (MLSA) sought to improve the
BSA in at least two notable ways.8 First, to ensure that bank examiners
use the most effective means through the examination process to identify
and report money laundering, the MLSA directed the regulators, in
consultation with the Secretary of the Treasury and the appropriate law
enforcement agencies, to enhance the regulators' training and examination
procedures to improve their identification of money laundering schemes. To
assist the regulators in this process, the MLSA also required each
appropriate law enforcement agency to regularly share information with the
regulators regarding emerging money laundering schemes. Second, the MLSA
sought to improve the timeliness with which BSA civil penalty cases were
processed. Before the enactment of the MLSA, Treasury's Office of
Financial Enforcement processed BSA civil penalty cases using a cumbersome
process that often prevented the office from pursuing cases because the
statute of limitations had expired. Accordingly, the MLSA amended the BSA
to direct the Secretary to delegate any authority to assess civil money
penalties (CMP) on depository institutions to the appropriate regulators,
which already had penalty authority and experience under other banking
laws.
As authorized by Annunzio-Wylie, in 1996, FinCEN issued a rule requiring
banks and other depository institutions to report, using a Suspicious
Activity Report (SAR) form, certain suspicious transactions involving
possible violation of law or regulation, including money laundering.
During the same year, the regulators issued regulations requiring all
depository institutions to report suspected money laundering, as well as
other suspicious activities, using the SAR form. The regulators also
placed SAR requirements on the subsidiaries, including broker-dealer
firms, of the depository institutions and their holding companies under
their jurisdiction.
In the wake of the September 11, 2001, terrorist attacks, Congress enacted
the PATRIOT Act on October 26, 2001, prompted, in part, by an enhance
awareness that combating terrorist financing as part of the U.S.
government's overall AML efforts was important because terrorist financing
and money laundering both involve similar techniques. Title III of the
PATRIOT Act, among other things, expanded Treasury's authority to regulate
the activities of U.S. financial institutions; required the promulgation
of regulations; imposed additional due diligence requirements; established
new customer identification requirements; and required financial
institutions to maintain AML programs. In addition, title III defined new
money laundering crimes and increased penalties for previously established
crimes.
Regulators and Other Federal Agencies Carry Out BSA Requirements
Implementation of the BSA's regulatory and enforcement structure involves
many different federal agencies. The Secretary of the Treasury delegated
overall authority for enforcement of, and compliance with, the BSA and its
implementing regulations to the Director of FinCEN. In addition, FinCEN
has the authority to issue regulations; collects, analyzes, and maintains
the reports and information filed by financial institutions under the BSA;
makes those reports available to law enforcement and regulators; and
ensures financial institution compliance through enforcement actions aimed
at applying the regulations in a consistent manner across the financial
services industry. FinCEN also plays a role in analyzing BSA information
to support law enforcement.
Although FinCEN is responsible for ensuring compliance with BSA
regulations, FinCEN does not examine financial institutions, including
depository institutions, for compliance. Rather, in 1994, the Secretary of
the Treasury delegated BSA examination authority to the regulators. The
five regulators that oversee financial institutions and examine them for
compliance with the BSA and implementing regulations are the Board of
Governors of the Federal Reserve System (Federal Reserve), the Office of
the Comptroller of the Currency (OCC), the Office of Thrift Supervision
(OTS), the Federal Deposit Insurance Corporation (FDIC), and the National
Credit Union Administration (NCUA). The specific regulatory configuration
depends on the type of charter the depository institution chooses. Banks
are regulated at the federal level alone if they are chartered by a
federal regulator, such as OCC or OTS, or by federal and state banking
departments if they are state-chartered institutions. State banking
departments supervise commercial and savings banks with state bank
charters, while the Federal Reserve or FDIC serve as the primary federal
regulator for these institutions. OTS is the supervisor for
state-chartered savings associations.
In August 2004, FinCEN created an Office of Compliance to oversee and work
with the federal financial regulators on BSA examination and compliance
matters. FinCEN signed a memorandum of understanding (MOU) with the
banking regulators in September 2004 that laid out procedures for the
exchange of certain BSA information. The MOU requires that the regulators
provide information on examination policies and procedures and on
significant BSA violations or deficiencies that have occurred at the
financial institutions they supervise, including relevant portions of
examination reports and information on follow-up and resolution. The MOU
also requires FinCEN to provide information to the regulators, including
information on FinCEN enforcement actions and analytical products that
will identify various patterns and trends in BSA compliance.
Furthermore, agencies under the Departments of the Treasury, Justice, and
Homeland Security are to coordinate with each other and with federal
financial regulators in combating money laundering and terrorist
financing. In addition to FinCEN, the Internal Revenue Service (IRS),
through its Criminal Investigation division, uses BSA information and
investigates possible cases of money laundering. Justice components
involved in efforts to combat money laundering and terrorist financing
include the Criminal Division's Asset Forfeiture and Money Laundering
Section and Counterterrorism Section; the Federal Bureau of Investigation;
the Bureau of Alcohol, Tobacco, Firearms, and Explosives; the Drug
Enforcement Administration; the Executive Office for U.S. Attorneys; and
U.S. Attorneys' Offices. The Department of Homeland Security's Bureau of
Immigration and Customs Enforcement (ICE) also investigates cases
involving money laundering and terrorist-financing activities.
Regulators Generally Address BSA Issues through Safety and Soundness or
Targeted Examinations
The regulators conduct reviews of BSA compliance as part of their safety
and soundness examinations or as targeted examinations focused on BSA
compliance.9 Safety and soundness examinations are periodic on-site
examinations conducted to assess an institution's financial condition;
policies and procedures; and adherence to laws and regulations, such as
the BSA. Generally, these examinations are performed every 12 to 18 months
for institutions, including community banks, midsize banks, savings
associations, and credit unions, among others, based on the institutions'
risk.
More specifically, the frequency of safety and soundness examinations is
dependent on the CAMELS rating assigned by the regulator to the
institutions.10 For example, if institutions are rated low risk, a rating
of "1" or "2," examinations would be performed every 18 months. If rated
as a higher risk, institutions would be examined at least annually.
Examination frequency can also be affected by alternate-year examination
program arrangements between the regulators and state banking
departments.11 At large complex banking organizations and large banks,
some regulators conduct on-site targeted examinations on a continuous
basis in cycles of 36 months.
Additionally, the regulators perform targeted (BSA/AML-focused)
examinations of banks. The regulators may perform targeted examinations on
an "as-needed" basis, because of an unforeseen risk requiring more
immediate attention, or to determine whether the institution had taken
corrective actions to address problems identified during regular
examinations.
The regulators take a risk-focused approach to BSA examinations, which are
targeted to the institution's key areas of risk or specific problems. This
approach recognizes that attempts to launder money, finance terrorism, or
conduct other illegal activities through a bank can come from many
different sources, and certain products, services, customers, and
geographic locations may be more vulnerable or have been historically
abused by money launderers and criminals. In BSA examinations, the
risk-focused approach enables regulators to apply the appropriate scrutiny
and devote examination resources to business lines or areas within
depository institutions that pose the greatest risk for BSA noncompliance,
such as funds transfers, private banking, international correspondent
banking, and large cash transactions. According to some regulators, the
risk-focused approach promotes a more efficient and effective manner of
conducting BSA examinations and provides other benefits. In addition to
focusing on the major areas of risk, this approach enables examiners to
identify risks proactively, determine how well risks are managed over
time, and streamline documentation to support areas of risk. It also
reduces the regulatory burden on institutions by limiting examinations of
institutions to specific areas of risk and allows regulators to schedule
examinations according to the institutions' level of risk, thereby
resulting in less frequent examinations for lower risk institutions. The
risk-focused approach further encourages compliance of institutions by
factoring the institutions' risk mitigation or management of risks or
corrective actions into the institutions' risk level.
Objectives, Scope, and Methodology
As requested by the Senate Committee on Banking, Housing, and Urban
Affairs, we conducted a review of the examination and enforcement programs
of the federal banking, thrift, and credit union regulators that was
directed at compliance with the BSA by depository institutions in the
United States. Specifically, our objectives were to determine how (1) the
regulators examined for BSA compliance by the depository institutions they
supervise, (2) the regulators have updated examination procedures and
trained examiners since the passage of the PATRIOT Act, (3) the regulators
identify and track BSA violations to ensure timely corrective actions at
the institutions they examine, and (4) enforcement actions are taken for
violations of the BSA.
To determine how the regulators assess BSA compliance, we conducted
structured interviews with examiners and policy officials from each of the
regulators as well as several state banking departments.12 Additionally,
we reviewed the results of an inquiry of the BSA-related examination and
enforcement practices of state banking departments conducted by an
industry organization. We also reviewed BSA amendments and other relevant
federal banking statutes and collected data on the number of examinations
that included a BSA-related violation and that were conducted by each
regulator between January 1, 2000, and June 30, 2004. In general, the
regulators produced these data from their respective information systems
and reporting processes used to collect and track information on
examinations and violations. Because there was some variability in how the
regulators defined examinations and violations, these data were not
comparable.
From May 2004 through July 2004, we conducted reliability assessments of
most regulators' BSA-related data and related information systems and
determined that they were generally reliable for our purposes. Our data
reliability assessments generally involved the testing of data relating to
BSA violations and enforcement actions for completeness and accuracy, and
interviewing and obtaining written responses from officials about the
management of these data. Through the data reliability assessments, we
determined that for our purposes, the data from OCC, FDIC, OTS, and NCUA
were complete and accurate. However, we could not complete our assessment
of the Federal Reserve's systems because Federal Reserve officials were
unable to provide us, in a timely manner, with the system-related
information that we requested.13 Although the Federal Reserve collected
summary information about BSA-related examinations and violations from
January 1, 2000, to January 1, 2003, at the time of our request, the
Federal Reserve did not track certain specific BSA data in its systems.
Therefore, Federal Reserve officials were unable to provide us with
certain information in a manner that would have allowed us to complete our
testing.
We selected 30 examinations each from OCC, FDIC, OTS, and NCUA that
identified BSA-related violations. The Federal Reserve identified 26
examinations, conducted between January 1, 2000, and June 30, 2004, that
involved a BSA-related violation. We initially selected all 26
examinations for our review, but reviewed only 18 of the 26 examinations.
We eliminated 6 examinations from the review because they involved
multiple reviews of individual institutions that covered different
examination target areas but shared common examination documentation,
which complicated our ability to isolate different events within
examinations. We eliminated an additional 2 examinations because they took
place before our sample time frame. In total, we reviewed 138
examinations.
Although we randomly selected individual examinations from each regulator,
the number of sampled examinations is small and is not representative of
the universe of total examinations that each regulator conducts annually.
Therefore, we could not use the results of our sample review to generalize
about the regulators' application of examination procedures. However, our
review of the examinations allowed us to describe how regulators applied
their respective BSA/AML examination procedures in the sampled
examinations. Table 1 shows the sample size for each regulator that we
reviewed.
Table 1: Data Collection Instrument Sample
Regulator Number of BSA examinations with one or more Sample size
BSA violations from which we sampled
FDIC 713 30
Federal Reserve 26 18
NCUA 873 30
OCC 624 30
OTS 703 30
Total 138
Source: GAO.
After selecting our sample of examinations, we requested from each of the
regulators the examination reports and related work papers associated with
each examination. To review the examination documentation, we developed a
data collection instrument by reviewing the BSA requirements and the
examination procedures developed by the regulators. We used the data
collection instrument to collect information on several aspects of BSA
examinations, including the BSA activities reviewed and tested by
examiners as well the nature of the violations identified in each
examination. The conclusions that we made about the sampled examinations
were based solely on what examiners identified and documented during their
examinations. Because we did not interview the examiners who conducted the
sampled examinations or conduct additional examinations of these
depository institutions, we made no judgments about whether examiners
properly identified BSA noncompliance during the examinations. After one
GAO analyst reviewed each examination using the data collection
instrument, an additional GAO analyst reviewed the same examination using
the data collection instrument a second time to ensure the reliability of
our coding of the review questions and the accuracy of data entry.
To determine how BSA violations were resolved, we performed additional
analysis of a subset of our sample examinations with repeat BSA
violations. We selected a small number of institutions with repeat
violations for additional analysis. As part of this analysis, we (1)
reviewed, to the extent available, reports of examination and supporting
documentation provided by the regulators in which the violations were
initially identified and (2) attempted to track them to the most current
report of examination available, to determine the status of corrective
action. However, the documentation we reviewed did not allow us to reach
any conclusions on how the repeat violations in our sample were resolved;
therefore, this analysis is not included in the report.
To determine the extent to which the regulators updated examination
procedures and trained examiners, we reviewed the regulators' examination
policies, guidance, and procedures. We also collected information on
examiner training courses related to AML and the number of examiners
trained in 2004 and 2005. We interviewed examiners and policy officials on
their examination guidance and training programs, including the newly
issued Federal Financial Institutions Examination Council's (FFIEC) Bank
Secrecy Act Anti-Money Laundering Examination Manual (FFIEC Examination
Manual). We observed one AML training course taught by FFIEC and also
participated in the FFIEC Examination Manual outreach events that were
provided to industry and examination staff in August 2005.
To determine the extent to which the regulators monitored their respective
BSA/AML examination programs, we reviewed the regulators' documentation
relating to their systems, interviewed policy officials on their
monitoring policies, and reviewed Inspectors General (IG) reports. We
followed up on issues raised by the IGs, and obtained written responses
from and interviewed data management personnel.
Additionally, we reviewed the MOU adopted by FinCEN and the regulators and
interviewed examiners and policy officials from each of the regulators and
FinCEN on the MOU requirements, on case referrals to FinCEN, and on the
different terminologies the regulators use to describe noncompliance with
the BSA.
To determine how enforcement actions are taken for violations of the BSA,
we reviewed relevant BSA amendments, Treasury regulations and guidance,
banking statutes, and documentation of selected closed examinations
involving BSA violations. To determine how action is taken against
criminal violation of the BSA by depository institutions, we reviewed
public documentation on the associated investigations and case
dispositions. In certain cases, we interviewed investigators involved in
selected closed cases. We also interviewed officials at FinCEN, ICE,
Justice, and the regulators regarding depository institutions' criminal
BSA violations.
We conducted our work in New York, New York; San Francisco, California;
and Washington, D.C., between January 2004 and March 2006 in accordance
with generally accepted government auditing standards. We requested
comments on a draft of this report from the heads, or their designees, of
the Departments of Homeland Security, Justice, and the Treasury; the Board
of Governors of the Federal Reserve System; the Federal Deposit Insurance
Corporation; the National Credit Union Administration; the Office of the
Comptroller of the Currency; and the Office of Thrift Supervision. FinCEN
and the regulators provided written comments in a joint letter, which is
reprinted in appendix II. Justice also provided written comments, which
are reprinted in appendix III. The Department of Homeland Security,
Justice, and the regulators provided technical comments, which we
incorporated where appropriate.
Regulators Used Similar Procedures for BSA Examinations, but under
Pre-2005 Guidance, Their Application Could Vary WidelyChapter 2
Before 2005, the regulators used separate examination guidance to review
BSA compliance at depository institutions, although the examination
procedures generally were similar. Examination activities included
planning and scoping; creation of risk profiles; and supervisory
consultation, reporting, and corrective actions. In addition to
undertaking these procedures, examiners also exercised professional
judgment in determining the manner or extent to which certain procedures
were conducted. Although the basic examination procedures were similar for
all of the regulators, under pre-2005 guidance, documentation requirements
and documentation of certain procedures could vary widely. In addition,
most state banking departments that review state-chartered depository
institutions for BSA compliance generally use federal BSA examination
procedures. In recent years, more state banking departments have conducted
BSA examinations and increased their coordination with the regulators and
FinCEN.
Examiners Took Similar Steps to Prepare for, Determine Scope of, and
Report on BSA Examinations
In general, the procedures that examiners have used (and continue to use)
to prepare for and report on examinations were similar (see fig. 1).1 For
example, guidance called for planning and scoping activities to result in
the creation of a risk profile for the institution to be examined.
Examiners also were to draw on similar sources of information to create
the risk profiles, including the institution's internal assessments and
information from other federal agencies. Examiners were then to use the
profiles to determine the scope of the examinations. Finally, in
concluding the examinations, guidance called for examiners to consult with
their supervisors on examinations findings, include recommendations in
examination reports, and confer with institutions' management about any
corrective actions.
Figure 1: BSA Examination Procedures
aAs of June 30, 2005, transaction testing was required in all BSA
examinations.
Planning Activities for Examinations Culminate in a Risk Profile
In planning, guidance called for examiners to conduct risk-assessment
procedures to evaluate an institution's potential for BSA noncompliance,
money laundering, or terrorist financing. To perform the risk assessments,
examiners were to gather and analyze information from the institutions or
other sources about operational procedures or activities that might expose
the institutions to risk in these areas. More specifically, the examiners
could use other sources, such as prior examination reports and related
work papers. Examiners also gathered information from the institutions
themselves, such as documents on BSA/AML policies and programs, audit
reports, and products and services offered. Finally, examiners were to
draw upon information, such as SARs and Currency Transaction Reports
(CTR), which financial institutions filed with the IRS.2
In evaluating the information, examiners were to focus on certain
products, services, or activities of the institution where the risks for
BSA noncompliance, money laundering, or terrorist financing might be
higher. These included products, services, or activities such as (1)
international wire transfers, monetary instruments, trusts, or private
banking;3 (2) large or increased volumes of cash transactions; (3)
operations located in offshore areas that are at high risk for money
laundering activities or in high-intensity financial crimes areas
(HIFCA);4 (4) large or increased numbers of CTR and SAR filings; (5)
customers found on the Office of Foreign Assets Control's (OFAC)
specially designated list;5 or (6) international correspondent banking.
In addition to analyzing information from the previously discussed
sources, examiners were to assess the adequacy of an institution's
compliance or risk management systems for identifying, measuring,
monitoring, and controlling BSA risks that might stem from banking
operations. This assessment entailed a review of the institution's
internal controls, and independent audit function, as well as the
institution's BSA program, officer, and training. For example, OCC's BSA
examination procedures for community banks required examiners to review
the bank's quality of risk management, consisting of its policies,
processes, personnel, and control systems (including internal/external
audit programs). Specifically, examiners were to validate the two
fundamental components of any bank's risk management system-internal
controls and audits. Federal Reserve examiners also were required to
assess the adequacy of the institution's controls over BSA risks and, as
such, evaluate the institution's internal controls; audit function; BSA
program officer; and training. FDIC required examiners to review the
institution's internal controls and audit procedures as part of its risk
management assessment. OTS's examination manual required examiners to
determine whether the institution implemented an internal audit or
conducted a management review or self-assessment of its BSA program.
According to the regulators' procedures, evaluating the adequacy of the
independent audit function was a major factor in assessing the
institution's risk. To do so, examiners were to assess the auditor's
independence, competency, and experience; the scope or coverage of BSA
risk areas; the frequency of audits and transaction testing; audit
results; and other factors as required by the regulators' examination
guidance. Furthermore, according to examiners, their assessments of the
independent audit function could be a factor in determining whether to
perform additional procedures, such as transaction testing. For example,
according to NCUA examiners, they might interview the credit union's
internal auditor to determine the auditor's independence, competency, and
knowledge of BSA compliance. The examiners also would use their
professional judgment to assess the adequacy of the coverage given by the
independent auditor to the BSA compliance review. If examiners determined
that the independent audit function or audit report was inadequate or
unreliable, they might decide to perform transaction testing or additional
testing.
Finally, as a result of the risk-assessment process, examiners then would
formulate an initial risk profile on the institution; this initial
assessment might be adjusted during or after the examination. The
institution's BSA risk profile could be expressed in terms of risk level,
such as high, moderate or satisfactory, or low. Examiners exercised
professional judgment throughout this process to weigh the factors
considered and determine the institution's level of risk.
Examiners Used Risk Profiles to Determine the Scope of Examinations
Examiners were to use an institution's risk profile to determine the
nature and extent of procedures to be performed during the examination. If
the institution's risk profile was low, examiners generally were to
conduct what are variously referred to as basic, core, or limited
examination procedures. These procedures included reviews of an
institution's
o written, approved BSA/AML program, policies, and procedures to ensure
that the institution's BSA/AML program adequately covered all of the
BSA-required program elements;
o BSA officer or designated staff to coordinate day-to-day BSA monitoring;
o BSA training provided to the appropriate staff;
o OFAC compliance procedures;
o correction of a deficiency of a BSA program requirement noted in a
previous report of examination;6
o product lines and services, including wire transfers, deposit-taking
facilities, sales of monetary instruments, and exemptions from reporting
procedures;
o internal controls for detecting, preventing, and correcting BSA/AML
violations;
o Know Your Customer program;7
o Customer Identification Program;8 and
o compliance with record-keeping and reporting requirements, such as CTRs
and SARs.
In addition to the basic procedures previously discussed, examiners could
perform transaction testing, depending on the regulator's examination
requirements. Transaction testing could cover the institution's cash
transactions, monetary instruments, wire transfers, SARs, CTRs,
exemptions, or samples of the institution's accounts previously tested by
its independent auditor. Examiners also could deem transaction testing
necessary on the basis of the institution's risk profile or examination
results. For example, examiners might discover that an institution failed
to file CTRs or that the institution's independent audit was inadequate;
as a result, they would perform transaction testing to determine the
nature and extent of potential BSA issues or problems.
If an institution's risk profile was high or examiners identified BSA
compliance problems (e.g., with the institution's BSA/AML policies,
procedures, programs, or internal controls), examiners generally were to
conduct expanded procedures in high-risk areas or the areas of identified
deficiencies. Expanded procedures generally involved (1) more in-depth
reviews of the institution's compliance with BSA, AML, and OFAC
requirements and (2) transaction testing. Such reviews or testing might
cover various areas, including record keeping and retention, exemptions,
sales of monetary instruments, funds transfers, transactions that are
payable upon proper identification, international brokered deposits,
foreign correspondent banking, pouch activity, and private banking.
Examinations Concluded with Supervisory Consultation, Reporting, and, When
Needed, Corrective Actions
As a result of applying BSA examination procedures, examiners might
identify BSA compliance deficiencies or violations.9 Using the regulators'
guidance on BSA corrective actions and enforcement, examiners were to
determine whether an institution's actions or inactions should be
classified as BSA deficiencies or violations. Examiners then were to
consult with their supervisors concerning their findings of BSA
violations, particularly violations that were deemed to warrant formal
enforcement actions, such as written agreements, cease-and-desist orders,
and CMPs (for more information, see ch. 5). Examiners were to submit
recommended findings of BSA violations and proposed corrective actions to
their supervisors and then discuss the results of the examination with the
institution's management and board of directors. In these discussions,
examiners generally were to secure management's commitment to comply with
the proposed corrective actions.
Subsequently, guidance called for examiners to prepare the report of
examination, detailing the scope, compliance risk, findings, corrective
actions, and management's commitment to take corrective action; the
corrective actions taken by management before the end of the examination;
or the proposed enforcement actions. During the examination and at the
conclusion of the examination, examiners were to enter examination data
and results of the examination into the regulators' respective automated
reporting systems (see ch. 4). Examiners were to perform follow-up
activities between examinations, or at the next scheduled examination, to
verify compliance with corrective actions. Finally, regulatory management
was to notify FinCEN of significant BSA violations found as a result of
the examination. Examiners sometimes recommended or provided input into
the decision to notify FinCEN of significant BSA compliance problems.
Under Pre-2005 Guidance, Documentation Requirements Varied Widely
The regulators' pre-2005 requirements for documentation of examination
procedures and their documentation of those procedures could vary widely.
From each regulator, we reviewed approximately 30 BSA examinations that
were conducted under guidance current between January 1, 2000, and June
30, 2004. Because the sample was small, we could not generalize the
results of our analysis to make conclusions about how regulators applied
the examination procedures to all BSA examinations conducted during this
period. However, when coupled with our review of regulator guidance and
examination manuals, the results of the examination review illustrated
instances where the regulators' documentation of examination procedures
varied widely. Individual regulator guidance issued prior to June 2005,
required documentation of "major" procedures and conclusions, and our
review indicated more documentation of examination planning procedures at
larger institutions.
Under pre-2005 guidance, the regulators did not consistently require or
document transaction testing. The regulators required transaction testing
in examinations of larger institutions with higher asset levels, but not
always at smaller institutions. The OCC BSA examination manual for large
banks required transaction testing, at a minimum, to form conclusions
about the integrity of the bank's overall control and risk management
processes and of its overall quantity of risk. OCC examiners stated that
transaction testing was required for all high-risk areas of large banks,
and we found documentation of transaction testing in 3 of 4 large bank
examinations. The Federal Reserve's BSA examination manual required that
some transaction testing be performed in all examinations, and the nature
and extent of transaction testing could vary, depending on the
institution's level of risk. For example, if the institution engaged in
high-risk areas, such as private banking, foreign correspondent banking,
or international banking, Federal Reserve examiners were required to
perform transaction testing in those areas. Our review of Federal Reserve
examinations indicated that examiners performed extensive transaction
testing at most of the banks. We found documentation of transaction
testing in 17 of 18 Federal Reserve examinations we reviewed, including
those of large and smaller institutions.
Our examination review found less documentation of transaction testing in
examinations at smaller institutions with lower assets, such as the
community banks, savings associations, and credit unions supervised by
OCC, OTS, FDIC, and NCUA. These regulators' examination guidance permitted
examiners to exercise their professional judgment in determining whether
to perform transaction testing. See appendix I for more information from
our examination review.
Since 2004, State Banking Departments Have Become More Involved in BSA
Reviews and Increased Information Sharing with FinCEN
As recently as 2004, about one-third of state banking departments reported
not examining for BSA compliance; however, state banking departments have
since taken a more active role in conducting these reviews. According to
state banking department officials, the increased attention to AML and
terrorist-financing issues after September 11, led state banking
departments to begin examining for BSA compliance or to expand the scope
of their reviews. The state banking departments examining for BSA
compliance generally used the same procedures as the regulators. Lastly,
state banking departments, the regulators, and FinCEN have increased their
coordination of BSA and AML compliance-related efforts.
In 2004, Many State Banking Departments Reported That They Did Not Examine
for BSA Compliance
According to a July 2004 Conference of State Banking Supervisors (CSBS)
inquiry of banking departments on BSA and AML practices, 35 state banking
departments were examining for BSA compliance, either during joint
examinations with federal examiners or independently as part of the
alternate-year examination programs.10 In some states, federal examiners
independently reviewed institutions or reviewed institutions jointly with
examiners from state banking departments. According to a Federal Reserve
official, the frequency of these examinations and the decision of whether
to perform the review jointly depended on the institution's risk level. An
FDIC official said that FDIC reviewed depository institutions for BSA
compliance on average every 36 months. Of the remaining state banking
departments, at least 15 were not reviewing for BSA compliance.
Similarly, a March 2004 FDIC Inspector General (FDIC IG) report indicated
that out of 72 examination reports reviewed from state banking
departments, 45 did not specifically address BSA compliance. As a result,
depository institutions in some states were not being examined for BSA
compliance at each examination.
CSBS officials said that in the past, BSA compliance coverage varied among
state banking departments, in part, because of differing philosophies
about their responsibilities for determining BSA compliance. Specifically,
some state banking departments did not interpret BSA-related supervision
as a state-level responsibility. According to CSBS officials, departments
in these states interpreted their examination responsibilities as
determining depository institutions' safety and soundness and compliance
with state laws. CSBS officials said that, in general, this supervisory
approach was driven largely by state budget constraints and the allocation
of examination fees to states' general funds, rather than to examination
programs.
Some State Banking Departments Recently Began Reviewing for BSA
Compliance; Others Have Intensified Existing BSA Reviews
According to CSBS officials, although the regulators are the entities that
are legally responsible for conducting BSA reviews, state banking
departments have become more active in conducting these reviews over the
last 2 years. For example, the Virginia Bureau of Financial Institutions
began examining for BSA compliance in September 2004. Similarly, the
Delaware Office of the State Bank Commissioner began conducting BSA
reviews in January 2005.11 Additionally, officials from some state banking
departments noted that the increased attention to AML and
terrorist-financing issues following September 11, led some state banking
departments to begin examining for BSA compliance or to expand the scope
of existing reviews. For example, in late 2004, the Louisiana Office of
Financial Institutions began conducting independent BSA reviews as part of
its safety and soundness examination. The Florida Office of Financial
Regulation intensified its BSA examinations; since September 11, it has
been reviewing for BSA compliance as part of every safety and soundness
examination. State banking departments also have been independently
examining for BSA compliance. For example, the Georgia Department of
Banking and Finance began examining depository institutions for BSA
compliance in early 2004. According to an official from this state banking
department, Georgia is performing BSA reviews with federal examiners on an
alternating schedule. Furthermore, officials from other state banking
departments said that although their state examiners had reviewed for BSA
compliance in filing, reporting, and record keeping for some time, their
departments more recently began to devote additional training resources to
BSA compliance. For example, one state banking department official said
that the agency's examiners were able to review more than the
institution's BSA policy for BSA compliance than they did in the past. In
response to a CSBS inquiry of state banking departments, as of November
2005, 45 state banking departments were reviewing for BSA compliance.12
In general, whether recently examining for BSA compliance or continuing
established procedures, state examiners used the same procedures the
regulators used to examine for BSA compliance. State examiners generally
described using the key steps that federal examiners take in reviewing for
AML compliance, which included reviewing the institution's policies and
procedures, recent CTRs and SARs, training efforts, and independent audit
reports. Similar to federal examiners, state examiners described
performing transaction testing to varying degrees, based primarily on the
risk presented by the institution being examined. According to CSBS
officials, state examiners reviewed state-chartered banks using FDIC's BSA
examination procedures. State examiners and Federal Reserve officials said
that state examiners generally used the Federal Reserve procedures for
banks that are supervised by the Federal Reserve, but examiners sometimes
used FDIC procedures for small institutions supervised by the Federal
Reserve.
State Banking Departments, Regulators, and FinCEN Also Have Recently
Increased Coordination on BSA-Related Examination Activities
During the course of our work, state banking departments, regulators, and
FinCEN increased coordination on BSA-related examination and
information-sharing activities. For example, in March 2004, the FDIC IG
recommended that FDIC (1) coordinate with state banking departments to
cover BSA compliance in state-led examinations of FDIC-supervised
institutions and (2) for those states that did not cover BSA compliance,
develop an alternative FDIC process to address BSA compliance when relying
on alternating state examinations. FDIC agreed with the recommendation
and, in May 2004, released a regulatory memorandum, Policy for Bank
Secrecy Act/Anti-Money Laundering Examination Scheduling and Frequency.
The memorandum requires FDIC to conduct concurrent BSA/AML examinations at
all safety and soundness examinations conducted by state banking
departments that do not perform BSA and AML examinations, to avoid
additional regulatory burdens on the depository institution. In addition,
since the issuance of the memorandum, FDIC has conducted independent BSA
examinations when state banking departments had not done so during
regularly scheduled safety and soundness examinations.
In addition, the regulators also began training state examiners on
reviewing for BSA compliance. According to CSBS, a growing number of
states are seeking BSA training, with some states doing on-site training
with federal agencies. For example, in September 2004, the Federal Reserve
provided 2 days of training for staff at a state banking department. In
addition, officials from another state banking department said that
examiners shadowed federal examiners on BSA reviews as part of their
training. A Federal Reserve official further explained that both the
Federal Reserve and FDIC recently had provided on-the-job training for the
state examiners during joint examinations.
Finally, on June 2, 2005, FinCEN announced the signing of MOUs with 30
state banking departments and the department in Puerto Rico to further
improve coordination of BSA and AML activities.13 According to FinCEN
officials, as of March 2006, banking departments from 36 states and the
Commonwealth of Puerto Rico, have signed MOUs. The MOUs set forth
information-sharing agreements with FinCEN that are similar to the
information-sharing agreement between FinCEN and the regulators. According
to FinCEN, these agreements provide the framework for enhanced
collaboration and information sharing between federal and state agencies
that will allow FinCEN to better administer the BSA, while simultaneously
assisting state agencies to better fulfill their roles as financial
institution departments. Furthermore, a CSBS official said that the MOUs
provide a clearer understanding of the role of state banking departments.
According to a CSBS official, in the post-September 11 environment, state
banking departments also wanted a viable supervisory role in the BSA area
because they perceived BSA issues as affecting all regulators. In March
2006, FinCEN was receiving data for the fourth quarter of 2005 from the
states.
Regulators Have Promoted Consistency in BSA Examinations through
Interagency Procedures and BSA TrainingChapter 3
During the course of our work, the regulators took steps that promoted
consistency of BSA examinations, including issuing new interagency
procedures and revising and expanding examiner training. In particular,
the new examination procedures describe risk assessments and link them to
the creation of risk profiles. The procedures also introduce more
uniformity into the assessment of independent audit functions and, for the
first time, require transaction testing in all examinations, regardless of
the institution's risk profile. As a result, the new procedures provide a
framework for greater consistency in BSA examinations across the
regulators. To disseminate new information and increase knowledge of BSA
and related issues, the regulators have increased training on BSA and the
PATRIOT Act and coordinated efforts to educate staff on the interagency
procedures. Moreover, some regulators have focused on developing more
BSA/AML specialist examiners.
New Interagency Procedures Create Framework for Consistent BSA/AML
Examination Processes
As previously discussed, the regulators generally followed the same steps
for BSA examinations but differed in the application of some procedures,
such as documentation, and in what procedures they left to examiner
judgment, such as transaction testing. However, as statutory requirements
(e.g., the PATRIOT Act) changed in response to concerns about anti-money
laundering and terrorist-financing issues, the regulators also recognized
the need to enhance their guidance. On June 30, 2005, the regulators, in
collaboration with FinCEN and OFAC, issued a new BSA/AML examination
manual through FFIEC, an interagency body prescribing uniform standards
for federal examinations. In addition, they committed themselves to
updating the manual at least once a year. In the regulators' view, the
FFIEC BSA/AML Examination Manual is the product of best practices among
the regulators and aims to promote procedural consistency in the conduct
of BSA/AML examinations at all depository institutions. While both the
former and new examination procedures require examiners to evaluate the
institution's risk management systems and formulate a risk profile of the
institution, the FFIEC procedures provide a uniform process for performing
risk assessments. As a result, the manual provides examiners with more
focused guidance to follow in performing BSA/AML examinations.
Furthermore, in contrast to the previous procedures, the FFIEC procedures
also provide uniform factors for assessing the adequacy of an
institution's independent audit function and require transaction testing
in all examinations.
New Examination Procedures Organize Information on BSA Risk Assessments
and Link Assessments to Scoping and Planning
In contrast to previous guidance, the FFIEC Examination Manual organizes
guidance on risk-assessment procedures primarily in one place, the scoping
and planning section for core examinations procedures. The manual also
comprehensively describes risk assessments for BSA examinations, taking
examiners from the planning stages to using conclusions to develop risk
profiles. Formerly, the BSA examination manuals of most of the regulators
did not describe the risk-assessment process with the same degree of
information or BSA-specificity. For example, two regulators did not have a
discrete description of the BSA-risk assessment process, but incorporated
it with the risk- assessment process for financial examinations. Other
regulators did not explain what conclusions examiners were to draw from
their risk-assessment process, such as determining that an institution's
risk level was high, moderate, or low.
Additionally, some of the regulators' former BSA examination procedures
focused on different aspects of the risk-assessment process, such as the
institution's risk assessment of its product lines or services, or its
risk management systems, or quality of audit and internal controls, to
develop risk profiles of institutions. However, the FFIEC manual
emphasizes that all banks must have BSA/AML programs tailored to their
particular risks, and that planning and scoping for examinations should be
guided by those assessments. That is, examiners should review the
institutions' self assessments of their programs to determine if the
program (and, thus, risk management systems or controls) are commensurate
with all of the risks the institutions undertook.
In presenting guidance on how to link risk assessments to other
examination procedures, the new manual also provides a framework for
examiners to follow (see fig. 2). For example, according to an OTS
official, it provides one "road map" for everyone. A senior Federal
Reserve official referred to the manual as a "significant step toward
consistency" in the area of AML examination. Additionally, an OCC official
stated that the FFIEC procedures provide a minimum threshold for
performing examination procedures.
Figure 2: FFIEC Manual Links Components Necessary for BSA Compliance
The manual recognizes that, depending on the specific characteristics of
the particular product, service, or customer, the risks are not always the
same. Various factors, such as number and dollar volume, geographic
location, and customer versus noncustomer, should be considered when
making a risk assessment. Because of these variables, risks will vary from
one institution to another. In formulating a risk-based BSA/AML program,
the manual states that institution management should identify the
significant risks to its institution and develop a risk assessment
tailored to its circumstances. Furthermore, as new products and services
are introduced, as existing products and services change, or as the
institution expands through mergers and acquisitions, institution
management's evaluation of the money laundering and terrorist- financing
risks should evolve. The expanded sections of the manual provide guidance
and discussions on specific lines of business or products that may present
unique challenges and exposures for which institutions should institute
the appropriate policies, procedures, and processes.
New Examination Procedures Add Uniformity to Assessment of Independent
Audit Function
To confirm that institutions are complying with independent audit
requirements, examiners, under former and new procedures, assess the
adequacy of the institution's independent audit function during the
scoping phase of the BSA examination or later. However, the regulators'
former procedures were not uniform; that is, while each regulator
considered multiple factors when assessing the independent audit function,
none of the regulators used the same set of factors.
In contrast, the FFIEC core examination procedures provide uniform
guidance for examiners to follow when validating the independent audit as
part of the planning and scoping of the BSA examination. Examiners are
required to determine whether the
o BSA/AML testing (audit) was independent;
o qualifications of the person(s) performing the independent testing would
allow the institution to rely on the findings and conclusions;
o auditor's reports and work papers were valid; that is, whether the
independent testing was comprehensive, accurate, adequate, and timely;
o audit reviewed the institution's suspicious activity monitoring systems
for the ability to identify unusual activity;
o bank's audit review procedures confirmed the accuracy of management
information systems used in BSA/AML compliance;
o audit tracked previously identified deficiencies and ensured that
management corrected them; and
o audit was adequate on the basis of a review of the audit's scope,
procedures, and work papers.
By providing a comprehensive and uniform set of factors to consider in
assessing the independent audit, examiners could validate the independent
audit on a more uniform basis. Additionally, since the independent audit
is a factor in determining the institution's risk profile, the interagency
procedures for validating the audit also may contribute to more consistent
determinations of an institution's risk profile.
New Examination Procedures Require Transaction Testing, Regardless of the
Institution's BSA Risk Level
The FFIEC Examination Manual requires transaction testing at each
examination, regardless of the institution's BSA risk level. Under some of
the regulators' former procedures, transaction testing was not always
required; rather, this decision was left to examiner judgment, taking into
consideration the institution's BSA risk level. The FFIEC Examination
Manual emphasizes the importance of transaction testing for making
conclusions about the integrity of the institution's overall controls and
risk management processes. The manual also requires that transaction
testing be performed to evaluate the adequacy of an institution's
compliance with regulatory requirements, and the effectiveness of its
policies, procedures, processes, and suspicious activity monitoring
systems. According to the FFIEC Examination Manual, examiners perform
transaction testing to evaluate the adequacy of an institution's
compliance with regulatory requirements, or to determine whether its
policies and procedures and suspicious activity monitoring systems are
effective.
More specifically, the manual provides examiners with two options for
performing transaction testing. Transaction testing may be performed
within the independent audit section of the examination, or it may be
completed in procedures contained elsewhere within the manual's core or
expanded sections. If transaction testing is performed within the
independent audit section, examiners are required to select a judgmental
sample that includes transactions other than those tested by the
independent auditor. Under previous guidance, examiners for some of the
regulators told us that they could choose whether to sample transactions
tested by the independent auditor. However, the new procedures do allow
examiners to determine the extent of transaction testing to be performed,
on the basis of factors such as the examiner's judgment of risks and
controls and the adequacy of the independent audit.
If transaction testing is performed within the core or expanded sections
of the examination, the FFIEC Examination Manual delineates the specific
areas under the core and expanded procedures where transaction testing
must be performed and specifies the nature of transaction testing that
must be performed. For example, the FFIEC core examination procedures
describe transaction testing of customer due diligence, currency
transaction reporting and CTR exemptions, the purchase and sale of
monetary instruments, and funds transfers. The new manual's expanded
examination procedures are similar to the regulators' former examination
procedures in that they describe transaction testing or reviews of
specific areas, such as foreign correspondent accounts, payable through
accounts, pouch activities, funds transfers, and foreign branches and
offices of U.S. banks.
Regulators Revised Examination Tools for Documenting BSA Procedures to
Conform to the FFIEC Examination Manual
As previously discussed, the regulators' pre-2005 requirements for
documentation of examination procedures and their documentation of those
procedures varied widely. The FFIEC Examination Manual requires that
transaction testing be performed on all examinations and provides some
guidance for documenting BSA examination procedures, including scoping,
planning, and risk assessments.
According to the regulators, after the new procedures were issued, they
revised their examination formats for capturing and documenting BSA
examination procedures to conform to the requirements of the FFIEC
Examination Manual. For example, the Federal Reserve and FDIC revised the
examination work programs that their examiners use to document examination
procedures, which are entered into the regulators' automated examination
reporting system. Our review of these work programs showed that the
formats provided for documentation of scoping, planning, risk assessments,
and transaction testing. OTS officials said that they had revised their
BSA examination work program to conform to the requirements of the manual
and require documentation of scoping, planning, risk-assessment, and
transaction-testing procedures. NCUA officials stated that NCUA had
revised its examination questionnaire to incorporate instructions for
documenting transaction-testing and other procedures. The questionnaire,
according to our review, provides for documentation of scoping, planning,
and transaction-testing procedures. OCC officials told us that they
modified their automated examination reporting system, to provide for
examiner documentation of scoping, planning, risk-assessment, and
transaction-testing procedures in examinations of large, midsize, and
community banks. These new formats and tools for documenting
transaction-testing and other procedures likely will result in more
documentation of these procedures on future BSA/AML examinations, and will
make it easier to track BSA/AML examination results as well.
In Recent Years, Regulators Have Intensified Focus on BSA-Related Skills
and Issues in Examiner Training
In tandem with an increasing focus on BSA-related issues, regulators also
revised examiner training, and some regulators have increased the number
of specialized examiners. For example, the regulators have adjusted or
expanded their training to incorporate the latest mandates and standards,
such as the PATRIOT Act and the FFIEC Examination Manual. Some regulators
also trained more examiners to specialize in BSA/AML issues.
Each Regulator Provides BSA/AML Training to Its Examiners
Although each regulator provides BSA/AML training to its examiners, each
regulator approached training differently (see table 2). For example, OTS
and NCUA require all new staff to attend a basic training course on AML
compliance. According to OTS officials, OTS hosted a number of regional
conferences for examiners that were solely dedicated to the BSA and the
PATRIOT Act. NCUA also used regional conferences to train examiners on BSA
issues. For example, in its annual report to FinCEN, NCUA stated that BSA
compliance was addressed at the regional conference training provided to
all examiners in 2002 and 2004. The Federal Reserve requires all staff
seeking to obtain an examiner commission to successfully complete a
BSA/AML proficiency test.1 FDIC requires all examination staff to obtain
BSA/AML training through classroom and Web-based training. Finally, OCC
offers four different training schools, which all provide live,
instructor-led training in AML requirements. Additionally, OCC offers
specialized BSA/AML training on a voluntary basis to commissioned staff
who participate in the Examiner Specialized Skills Program.
Table 2: BSA/AML Training, by Regulator (2004-2005)
Regulator Training description
FDIC To increase its level of
BSA expertise, FDIC
required all examination
staff to complete formal
training on AML
requirements by the end
of 2004. FDIC trained
every examiner on staff
(1,721) in AML
requirements by
establishing a
curriculum comprised of
several Web-based
components, including
externally provided
courseware, internally
developed presentations,
and exercises to
strengthen knowledge of
topics covered. FDIC
examiners also receive Federal The Federal
AML training through Reserve Reserve's BSA/AML
FDIC's formal examiner Risk Section,
school, "Introduction to formerly the
Examinations." In 2005, Anti-Money
38 examiners received Laundering
AML training through the Compliance
examiner school. Section, interacts
on a daily basis
Furthermore, FDIC with the
offered specialized AML examination staff
training at outside engaged in AML
seminars and examinations at
conferences, such as the 12 Reserve
industry-sponsored Banks. Section
events and regulatory staff offer
conferences. For case-specific
example, in 2005, 72 guidance regarding
subject matter experts AML requirements.
attended the FFIEC AML The BSA/AML Risk
workshop. Also, from Section holds
November 29 to December monthly systemwide
2, 2005, 336 calls and
individuals, primarily semiannual fora
BSA/AML subject matter with BSA/AML
experts and other supervisory staff
persons with BSA/AML to provide them
assessment with policy
responsibility, attended updates, training
the FDIC-sponsored focused on BSA/AML
"BSA/AML Subject Matter issues, and
Expert Conference." The discussions of
purpose of the training recent examination
conference was to experiences. In
provide guidance on addition,
higher-and-emerging-risk examiners from the
topics to ensure a more section
efficient and consistent participate in
BSA/AML examination select
process. FDIC also examinations
provided additional throughout the
FFIEC Examination Manual country to provide
training to examiners on-the-job
and supervisors during training to
2005. Federal Reserve
examiners. NCUA All new
FDIC also conducts examination
training during Each Reserve Bank staff are
examinations. This also provides required to
training is targeted to ongoing training complete a
the individual examiner to supervision year-long
and addresses the unique staff to keep them training
business lines and informed of curriculum
practices at the bank changes to that includes
being examined. regulations, laws, instructor-led
and examination training
procedures. classes and
Typically, BSA/AML on-the-job
training is training in
offered at each AML
Reserve Bank's compliance.
annual examiner
conference. These Seasoned
training sessions examiners are
provide an trained on an
opportunity for ongoing basis
the Reserve Bank's using a
BSA/AML contacts combination of
and the subject instructor-led
matter experts to training
alert the sessions and
examination staff regional
of recent changes conferences.
to legislation and During 2005,
policy directives, NCUA provided
updates to classroom
examination training to 89
procedures, and examiners on
various BSA/AML AML
concerns noted requirements.
both locally and During August
nationwide. For and September
example, in March 2005, NCUA
2005, a Reserve provided to
Bank trained eight staff training
new BSA material
specialists in AML addressing the
requirements FFIEC
through a series Examination OCC OCC offers
of workshops. Manual and the instructor-led
According to a updated NCUA classroom AML training
Federal Reserve work paper for its examiners at
official, the used to its Consumer
training that document Compliance: Basic,
these new review of the Anti-Money-Laundering,
specialists BSA, in Bank Supervision, and
received was in accordance FinCEN Database
addition to and with the Training Schools.
more intense than manual.
the online course As part of OCC's
that all examiners entry-level training,
must take. all examiners complete
Specialized AML 1 week of classroom
training also has training and 1 week of
included outside course preparation in
seminars and the Consumer
conferences, such Compliance: Basic
as School that includes
industry-sponsored BSA modules. The
events and Anti-Money Laundering
regulatory School is designed to
conferences. For train participants to
example, in 2005, recognize money
143 examiners laundering risks and
attended FFIEC's ensure compliance with
BSA/AML workshop. regulatory
requirements. The
Furthermore, as course heightens
part of the awareness of how
Federal Reserve's financial institutions
entry-level are used in money
training, laundering through
examiners are hands-on training
required to based upon actual
complete an online examination results.
training course. The Bank Supervision
The Federal School includes
Reserve's classroom and
comprehensive computer-based
training plan for training that contains
staff members a BSA/AML module,
seeking to obtain which provides a
an examiner review of the
commission regulatory
requires the requirements. The
individual to FinCEN Database
master a core Training course trains
curriculum and to examiners to access
successfully pass and use the FinCEN
a proficiency test database.
in each core area.
OTS OTS requires all For the BSA/AML As of December 2005,
examiners administering proficiency test, 166 examiners attended
AML exams to complete 3 an individual must the Consumer
weeks of classroom demonstrate an Compliance: Basic
training courses, called understanding of School, 89 attended
"Compliance I" and the concept of the
"Compliance II," which money laundering, Anti-Money-Laundering
include modules on the the purpose of the and
BSA and the PATRIOT Act. BSA, and the Terrorist-Financing
minimum School, 27 attended
In addition to formal requirements of the Bank Supervision
course offerings, OTS regulations on School, and 21
provides Web-based AML BSA/AML programs attended the FinCEN
training. During 2005, and requirements Database Training
OTS recorded 1,483 for filing SARs. School.
participants in AML
training sessions. Additionally, OCC
provided BSA training
targeted to the FFIEC
Examination Manual to
all compliance
specialists in
September 2005.
Approximately 230
examiners were in
attendance. Also in
2005, 16 sessions of
extensive BSA training
that incorporated the
FFIEC Examination
Manual was provided to
examiners engaged in
community and midsize
bank supervision.
Approximately 567
examiners attended
this training in 2005.
The training will
continue in 2006.
In addition to formal
course offerings, OCC
periodically provides
training in the form
of agencywide
teleconferences and
finances external
training opportunities
and the industry
Certified Anti-Money
Laundering Specialist
certification as
appropriate.
Sources: FDIC, Federal Reserve, NCUA, OTS, and OCC.
In addition to their own training, regulators also use interagency or
outside venues to train staff. For example, the regulators sent staff to
conferences sponsored by trade associations that offered multiday courses
and provided informal resources for self-training, such as subscriptions
to online newsletters. Regulators also send examiners to interagency AML
workshops offered by FFIEC. OTS, in its annual report to FinCEN, stated
that in early 2003, FFIEC updated the workshop to incorporate PATRIOT Act
requirements. According to FDIC, the workshop objectives focused on
recognizing potential money laundering risks, assessing the adequacy of
BSA/AML programs, and maintaining up-to-date knowledge of the rules and
requirement of BSA/AML statutes and regulations. The workshop generally
ran approximately 27 hours and included speakers and presentations by the
regulators, FinCEN, IRS, OFAC, and the Federal Bureau of Investigation.
FDIC said that providing this training in an interagency forum allowed the
regulators to take a more consistent approach to BSA/AML supervisory
efforts.
Furthermore, according to the regulators, they updated their AML training
to cover of all the relevant provisions of the PATRIOT Act. As mentioned
in our May 2005 report, the regulators began offering PATRIOT ACT training
for BSA examination staff in 2002 and 2003.2 This training, provided
through instructor-led and Web-based courses, introduced BSA and PATRIOT
Act requirements and provided for theoretical and hands-on training. The
regulators' AML training curricula included various techniques designed to
help the examiners recognize potential money laundering risks facing
financial institutions and helped examiners learn procedures for assessing
the soundness of an institution's AML program.
Regulators Participated in Joint Efforts to Train Examiners on New
Interagency Procedures
Since the issuance of the new procedures on June 30, 2005, FFIEC has
coordinated a far-reaching effort to train examiners and the industry on
the new procedures, by holding a series of training events across the
country. Table 3 provides more information about the training offered
since the issuance of the interagency examination procedures.
Table 3: 2005 FFIEC Examination Manual Training
Date Description Type/Format Audience Participation
July 28, 2005 Overview of Videoconference Federal/State 1,200
FFIEC examination
Examination staff
Manual
August 2-4, Overview of Teleconference Financial 8,200
2005 FFIEC (Nationwide) services
Examination Banking representatives
Manual industry
August 15-24, Interagency Group sessions Bankers and 2,000
2005 BSA/AML (Event also was examiners (bankers)
Regional subsequently
San Banker available 1,000
Francisco-8/15 Outreach and through the Web (examiners)
Examiner for 90 days)
Dallas-8/17 Training 12,434
Events (Web-cast
Chicago-8/19 (manual viewers as of
overview, August 23)
New York-8/22 guidance on
risk
Miami-8/24 assessments,
and BSA/AML
Q&A)
Sources: Federal Reserve and FDIC.
Senior examination and management staff from the regulators attended a
nationwide videoconference, hosted by the Federal Reserve, on July 28,
2005. According to an NCUA official, a focus group of NCUA field examiners
and office staff participated in the July 28 videoconference. This group,
in turn, participated in updating NCUA examinations forms to incorporate
the FFIEC Examination Manual requirements, identified key sections of the
manual and related concepts applicable to credit unions for discussion
with staff, and recommended training to be conducted through standard
regional processes. For instance, because credit unions do not operate
foreign correspondent accounts, staff will be notified that information on
BSA risks and transaction testing for these accounts is available, but
NCUA will not incorporate information on those accounts into the
agencywide training program.
Additionally, the Federal Reserve, FDIC, OCC, OTS, and FinCEN conducted
2-hour nationwide conference calls, hosted by FDIC, regarding the new
examination manual for the banking industry on August 2 to 4, 2005.
Furthermore, these four regulators and FinCEN conducted regional outreach
meetings aimed specifically at personnel responsible for a financial
institution's BSA/AML program. The regulators held half-day sessions in
five cities for the banking industry and examination staff.
State banking departments also participated in training on the FFIEC
Examination Manual. More specifically, according to a CSBS official, CSBS
and state banking departments participated in the FFIEC discussions and
provided feedback as the procedures were being developed. Furthermore,
another CSBS official said that state banking departments are using the
manual to conduct BSA reviews. According to a CSBS official, state banking
departments participated in the rollout and field testing of the
interagency procedures. In addition, state examiners are scheduled to have
more formalized BSA coursework through FFIEC, FDIC, and the Federal
Reserve as a result of the interagency procedures.
Some Regulators Are Developing More BSA/AML Expert Staff to Serve in a
Variety of Roles
Although safety and soundness and compliance examiners primarily perform
BSA/AML examinations, some regulators use examiners with specialized
skills to provide training, serve as a resource to other examiners, or
assist on complex examinations. All of the regulators offer career paths
and options for becoming a BSA subject matter expert (see
table 4).3 More recently, some regulators have planned to train or
increase substantially the number of subject matter experts they have to
help meet PATRIOT Act requirements and address the increasing complexity
of BSA examinations. While the regulators prescribe no criteria for
BSA/AML specialization, regulatory officials stated that specialization
could be achieved through a combination of on-the-job training, classroom
training, and industry certification.
Table 4: Examiner Career Path to BSA Specialization, by Regulator
Regulator Examiner career
path
FDIC Examiners
o become
commissioned
after several
years of
instruction,
examination
experience, and
successful
completion of a
commissioning
examination;
o may specialize
in a variety of
areas, including
the BSA, once
they are
commissioned; and
o receive
specialized BSA
training, both in
the classroom and
on the job, and
gain experience
through BSA
examinations.
Additionally,
FDIC encourages
and offers
industry
designations,
such as the
Certified
Anti-Money
Laundering
Specialist and
Certified Fraud
Examiner.
Federal Examiners
Reserve
o must go through
the Federal
Reserve's
examiner
commissioning
process to become
a commissioned
examiner;
o take two tests,
one a midpoint
examination taken
after 18 months
and the other a
pass/fail
examination, to
be commissioned;
o can become
specialized and
work on a
specialized team
by showing an
aptitude for a
specialized area
and asking for
training
opportunities;
and
o attain
specialization
through a
combination of
on-the-job and
BSA training.
The Federal
Reserve does not
have a
requirement for
BSA specialists
to obtain
industry
certification.
NCUA Examiners
o are promoted to
the principal
examiner level
after completing
a series of
training courses
and on-the-job
training;
OCC Examiners
o after
supervisors and o are required to
examiners jointly take and successfully
demonstrate to complete the
regional commissioned examiner
management that test after 5 years of
the examiners are experience as safety
competent to and soundness
handle complex examiners and
assignments,
provide o can qualify to
on-the-job pursue specialization
training, and in various areas, OTS Examiners
conduct team such as capital
examinations; and markets, once they o receive
are commissioned. certification as
o who receive a Commissioned
additional OCC supports a range Thrift Examiner
training on of certification and upon successful
compliance licensing for its completion of
issues, including examiners that are in-depth
AML, become related to the BSA, training, both
Consumer such as the Certified in the classroom
Compliance Anti-Money Laundering and on the job,
Subject Matter Specialist and the over a 4- to
Examiners. Certified Fraud 5-year period;
Expert. Additionally,
OCC provides a o that are
national mentoring commissioned
program, Examiner serve as core
Specialized Skills safety and
Program, for more soundness
experienced staff to examiners or
mentor staff with pursue interests
less experience. In in specialty
2005, there were six examination
"coaches" and 14 functions, such
participants. In as compliance;
total, 39 examiners
have participated in o with many
the initiative. years of
experience, go
through an
accreditation
process
involving
successfully
passing the
technical
portion of a
comprehensive
compliance test
called the
Certified
Regulatory
Compliance
Manager; and
o that have
attained this
specialization
are required to
take 40 to 80
hours of
additional
training
annually.
Sources: FDIC, Federal Reserve, NCUA, OTS, and OCC.
According to one of its officials, the Federal Reserve has had a
long-standing commitment to BSA/AML supervision and over time has expanded
resources specifically dedicated to BSA/AML supervision. For example,
Federal Reserve staff noted that, in 2002, a separate AML section was
formed to manage and oversee the Federal Reserve's ongoing efforts in the
area of BSA/AML. Currently, AML examination subject matter experts
interact on a daily basis with examination staff engaged in AML
examinations to offer case-specific guidance regarding AML requirements.
Moreover, according to officials at the Federal Reserve, the growing trend
among the Reserve Banks is to set up a BSA/AML structure comprising teams
of examiners who possess a mix of advanced and intermediate BSA skills to
focus on BSA/AML issues. As of December 31, 2005, 108 examiners were
identified as having advanced BSA skills. According to officials at the
Federal Reserve, to qualify as a specialized examiner in this area,
examiners must show an aptitude for BSA/AML and undergo additional
training. Specialization is achieved through a combination of on-the-job
and classroom training. The Federal Reserve also centrally tracks the
skill levels of examiners with special skill sets (e.g., BSA compliance).
In a previous report, we noted that FDIC and the Federal Reserve both have
examiners who are AML subject matter experts and serve as training
resources for other examiners.4 According to FDIC officials, between June
2004 and December 2005, the number of FDIC's AML subject matter experts
more than doubled, from 150 to 347. The officials said the increase was
due, in part, to the implementing rules of the PATRIOT Act and the
importance of BSA compliance in ensuring the safety and soundness of FDIC-
supervised institutions. Both agencies also train examiners who are
primarily responsible for conducting BSA/AML examinations. Specifically,
FDIC's subject matter experts receive specialized training in the
classroom and on the job. Furthermore, in 2005, as a pilot initiative
within FDIC, 19 individuals from FDIC's Division of Supervision and
Consumer Protection and the Legal Division successfully completed an
industry-recognized accreditation for AML specialists. Following this
pilot initiative, as of year-end 2005, FDIC extended the program to
approximately 37 BSA/AML risk management examination personnel.
In response to an internal quality assurance assessment of OCC's BSA/AML
compliance supervision, which found that OCC did not direct sufficient
resources to BSA/AML compliance, in July 2005, OCC committed to redirect
staff to BSA/AML work and apply additional resources to this area. In a
November 2005 letter to Chairman Shelby, the OCC Comptroller stated that,
to increase OCC's BSA/AML resources, in addition to other actions, OCC was
developing a national pool of experienced BSA/AML examiners to be deployed
to address OCC's high-priority and high-risk examinations. While,
according to OCC officials, OCC does not have specifically designated
BSA/AML specialists, the agency has examiners who possess specialized
knowledge in performing BSA/AML examinations. In addition, the agency has
examiners specialized in other examination disciplines, such as
commercial, retail credit, capital markets, and trust, who are also
cross-trained to conduct BSA examinations. Furthermore, OCC has a lead
compliance expert in each district office and, as of December 2005, had
six full-time BSA/AML compliance policy specialists in the Washington
office dedicated to developing policy and training and assisting on
complex examinations. OCC officials also stated that OCC supports a range
of industry certifications and licensing, and it was committed to
sponsoring staff who want to obtain professional certification as money
laundering specialists through advanced training and testing.
OTS and NCUA differ from the other regulators in that they have developed
consumer compliance subject matter examiners or consumer compliance
specialists. These examiners received additional training on compliance
issues, including BSA/AML compliance, and act as a resource on issues that
arise from the examination process. Additionally, OTS's compliance
specialists provide on-the-job training and advice during examinations and
analyze draft examination reports and reviews. As of December 31, 2005,
NCUA had 27 examiners designated as consumer compliance subject matter
examiners, and OTS had 15 dedicated compliance specialists.
Systems Improvements Help Regulators Track BSA Examination and Violation
Data, but Differences in Terminology RemainChapter 4
The regulators use various internal control mechanisms to monitor BSA
examinations, and recent improvements in their automated examination and
enforcement data systems have enabled them to better track and report
BSA-related information. Until recently, the systems that regulators used
to track data on BSA violations and enforcement had serious shortcomings,
but they have updated their systems. Moreover, regulators are able to more
readily share BSA-related information, which is a particularly important
ability in light of the MOU that regulators signed with FinCEN in
September 2004. The regulators agreed to provide FinCEN with quarterly
reports on the number of BSA-related examinations they conducted, the
number and types of BSA violations cited, and the institutions cited for
repeat violations. In addition, FinCEN agreed to provide analytical
reports to the regulators and has begun to do so. However, the regulators
differ on how they classify and define some BSA compliance problems. For
example, not all of the regulators provide written guidance on what
constitutes a violation, and existing guidance leaves key terms undefined
and varies in scope. Furthermore, our limited review of examinations
indicated that different terms were used for similar problems. As a
result, inconsistencies in recording and reporting BSA compliance problems
could occur.
Regulators Use Supervisory and Quality Assurance Reviews and Tracking
Systems to Monitor BSA Examinations
Along with quality assurance reviews and automated tracking systems, the
regulators use supervisory (or management) reviews as the primary means of
monitoring BSA examinations. These mechanisms reflect federal internal
control standards for meeting agency objectives. Control activities as
described in the federal standards include internal management reviews and
documentation. Additionally, federal internal control standards include
monitoring to assess the quality of performance over time. For example,
most regulators review and approve key BSA examination procedures,
including scoping and planning activities and decisions on violations, as
follows:
o Examiners and officials from the Federal Reserve and OCC told us that
supervisory review and approval were required for scoping and planning
activities on BSA examinations of large banks.
o Federal Reserve and OCC officials stated that district management
approved examination plans for BSA examinations of community banks.
o FDIC officials noted that examiners were required to discuss scope
changes with managers or supervisors.
As managers communicate with examiners to stay abreast of findings and
provide guidance and approvals, they also require review or approval of
decisions to cite depository institutions with BSA violations or to take
enforcement actions. Informal corrective actions are reviewed at the
regulators' field offices, but enforcement actions require higher level
review and approval (for more information on informal and formal
enforcement actions, see ch. 5). For example, supervisors at the Board of
Governors review and approve all decisions to take enforcement actions at
the Federal Reserve. The regulators further review examination reports and
approve recommendations to notify FinCEN of violations.
All of the regulators also use quality assurance reviews to assess and
improve the quality of BSA examinations. These reviews are designed to
serve a variety of purposes, such as identifying significant or evolving
problems, ensuring consistency in the application of examination
procedures, and ensuring the accuracy and completeness of examination data
and results and the timeliness of supervisory actions. For example,
Federal Reserve officials said that the Reserve Banks use their quality
assurance programs partly to determine whether BSA examinations were
carried out appropriately and consistently. OTS's quality assurance
program reviews BSA examinations to determine the reliability and accuracy
of examination data. OTS officials said that 2004 quality assurance
reviews assessed the accuracy of OTS's input controls over BSA violation
data, examination results and reports, and supervisory actions taken as a
result of BSA examinations.
Regulators also conduct or use other reviews-operational, peer, and IG-to
assess the accuracy, completeness, and quality of BSA examinations. For
example, Federal Reserve officials said that they assess the quality of
Reserve Banks' supervision function, including BSA examinations, through
an operations review program. According to Federal Reserve officials,
recent operations reviews evaluated the timeliness of corrective actions,
tested information in BSA examination work papers for accuracy and
consistency, and evaluated the adequacy of resources devoted to this area.
OCC officials also told us that, as part of their peer review program,
examiners from OCC regional offices performed quality reviews of each
other's examinations, including BSA examinations. Furthermore, most
regulators have undergone IG reviews of their BSA-related examination and
enforcement activities and have taken steps to implement recommendation
actions. For example:
o In 2001, the Treasury IG reviewed OCC's examination coverage of trust
and private banking services. The IG recommended that OCC improve its
examination monitoring process to ensure adequate oversight of BSA
examinations covering trust and private banking services. OCC indicated
that it would conduct targeted internal quality assurance reviews of
private banking and trust services beginning in 2002.
o In 2003, the Treasury IG also reviewed OTS's enforcement actions for BSA
violations and recommended that the agency enhance its regional reviews of
examinations to ensure that substantive BSA violations were incorporated
into final reports. According to an OTS official, OTS has implemented this
recommendation.
o Since 2003, FDIC's IG also has reviewed aspects of the regulator's
BSA-related examination and enforcement activities and made several
recommendations to FDIC. For example, in 2004, the IG recommended that
FDIC coordinate with state banking departments to cover BSA compliance in
state examinations. FDIC has agreed with, and responded to, these
recommendations by issuing guidance and agreeing to schedule BSA/AML
examinations during safety and soundness examinations led by state
examiners.1
Finally, regulators use automated data systems to collect, store, and make
available examination data and information on supervisory and enforcement
actions. Federal internal control standards indicate that managers need
such relevant and reliable information to carry out their internal control
and operational responsibilities. For example:
o FDIC officials said that the agency collects and stores examination
data, but it uses a separate system to record and track data on various
types of enforcement actions.
o OCC officials said that staff use data systems for large, midsize, and
community banks to retrieve information on prior BSA-related violations
and enforcement actions and to identify institutions for BSA/AML-targeted
examinations.
o Similarly, OTS officials noted that the agency's data system collects
and stores examination data, such as examination start and end dates and
violations of laws or regulations, and includes BSA-related violations.
o Federal Reserve officials said that the agency's data systems collect
and maintain examination and enforcement data, such as examination start
and end dates and violations of laws or regulations, and include
BSA-related violations and enforcement actions.
Regulators also rely on data from these systems and other software
programs to track information on depository institutions' BSA-related
compliance problems and to assist them in taking supervisory or
enforcement actions in a timely manner. For example, FDIC officials noted
that they use FDIC's data system to produce an internal report that, in
part, lists all FDIC-supervised institutions with BSA violations, the
number and type of violations cited in examination reports, and repeat
violations. OCC and OTS officials said that they use their data systems to
produce reports on BSA-related violations for FinCEN.
Data System Improvements Have Allowed the Regulators to Better Track
BSA-Related Information
Since 2000, the regulators have changed or upgraded the systems they use
to record and monitor examination information. As a result, the regulators
can now better track BSA-related information. Some regulators also have
been citing BSA violations in greater number and detail in recent
years-partly as a result of improved systems and partly as a result of
factors specific to each regulator, including revised guidance and an
increased emphasis on the BSA.
Changes to Regulators' Data Systems Have Improved Tracking Capabilities
According to regulatory officials, since 2000, all of the regulators have
changed or upgraded their data systems to improve their recording and
monitoring capabilities. To varying degrees, previous iterations of these
data systems limited regulators' ability to monitor and report BSA-related
examination results in a comprehensive and timely manner. For example,
before 2001, NCUA manually collected information on BSA-related
violations. According to a senior NCUA official, in response to the need
to provide data to external parties, including Congress, NCUA began to
redesign its information technology system in 2001. NCUA's current data
system became fully operational in 2002, providing NCUA with increased
search capability across examination data. Furthermore, it allows NCUA to
track more BSA data, including violations and any corrective actions
institutions had implemented.
Similarly, OTS generally collected information on BSA violations manually
until the late 1990s, which is when it began automating its examination
documentation program. Moreover, the Treasury IG determined that material
data inaccuracies with OTS's BSA records could adversely affect
supervisory decisions to the extent that OTS senior managers and regional
supervisors used the system to monitor, plan, or review individual BSA
examination results. In 2003, OTS replaced its former system to facilitate
storage of examination work papers with related examination reports.
According to OTS officials, the new Internet-based system allows greater
flexibility in the examination administration process. For example, OTS
officials said that the new system tracks comprehensive data on
examinations and violations, including data on BSA compliance. OTS also
replaced a separate system used to collect information on enforcement
actions. OTS officials noted that these current systems also provide the
ability to track repeat violations, corrective actions and associated
dates of implementation, and enforcement actions-capabilities that OTS's
previous systems had lacked.
Before 2003, FDIC's examination data system did not require entry of BSA
violation codes or information from examiners' on-site visits that was
related to BSA compliance. As a result, FDIC staff lacked information to
confirm that institution management had taken corrective actions to
address problems identified during examinations. According to FDIC
officials, in 2003, FDIC upgraded its examination data system to a
Web-based platform, to enhance overall user capabilities. FDIC indicated
that although the former examination data system captured BSA program
violations as well as financial record-keeping and reporting violations,
the upgrade to the system incorporated violations related to the
implementing rules of the PATRIOT Act and the FDIC's suspicious activity
reporting rule. FDIC indicated that in 2005, the agency also upgraded its
enforcement action data system to a Web-based platform to allow for the
selection of multiple bases for enforcement actions and for the automated
tracking of BSA-related enforcement actions.
OCC has separate systems to maintain the official electronic records of
examination and enforcement information, including information on BSA
violations and enforcement actions, for large banks, and midsize and
community banks. OCC officials said that in 2000, OCC implemented an
interim examination data system for large-bank examinations to address a
general need to store more descriptive text, such as examiner narrative,
comments, and information on contacts and communications with banks. In
late 2003, OCC began integrating this interim system into its current
examination data system for large banks to store all the information in
one system. One advantage of the system conversion was that it provided
OCC with the ability to search the full text of examination narratives,
including BSA examinations. According to OCC officials, the redesign and
systems improvements will be fully implemented in 2006.
The Federal Reserve for some years has used national supervisory data
systems that maintain electronic records of examination and enforcement
information, including examination reports, enforcement actions, and other
relevant documents. Additionally, the Federal Reserve maintains a national
database of supervisory data specifically designed to support its banking
supervision activities. These systems were, and continue to be, accessible
to all appropriate supervisory staff across the Federal Reserve System.
However, at the beginning of our review, Federal Reserve officials said
that, unlike other examination areas, the Federal Reserve did not collect
and track most BSA-related information through its national database.
Rather, officials said that the database maintained narrative information
on BSA violations data within reports of examination for purposes of
ongoing supervision. They noted that the Federal Reserve used a separate
mechanism to centralize information on BSA-related examination findings
from the 12 Reserve Banks.2 Furthermore, they noted that this lack of
automation and the use of a separate mechanism limited their ability to
centrally track and extract in an automated fashion certain aspects of
BSA-related supervision across the 12 Reserve Banks. For example, at the
time of our data requests in 2004, the Federal Reserve experienced
difficulty in generating information on the total number of examinations
conducted between 2000 and 2004 that included a BSA review, and the agency
was unable to provide the number and nature of BSA-related violations
identified during this period.
During the course of our review, Federal Reserve officials said that the
Federal Reserve began to improve centralized tracking and analysis of
BSA-related data through its national examination database. In 2003, the
Federal Reserve began to enhance its national examiner database to capture
BSA/AML violations or other BSA examination-related data. Federal Reserve
officials noted that as part of those efforts, in 2004 the Federal Reserve
expanded the reporting mechanism to track examination data and expand risk
categories and, in 2005, integrated these data into the national database.
Federal Reserve officials said that the expanded version would assist in
collecting more detailed information, including the nature and frequency
of BSA-related violations and the nature of institutions' risk of BSA
noncompliance. In addition, Federal Reserve officials noted that in 2004,
they began merging more detailed BSA-related information collected from
the Reserve Banks with existing supervisory data to provide the Federal
Reserve with a national view of various BSA-related items, such as
commitments from institution management to correct identified problems and
different types of enforcement actions. According to Federal Reserve
officials, the Federal Reserve finalized the conversion of its database,
and, since the last quarter of calendar year 2005, Federal Reserve staff
have been able to extract BSA examination and enforcement data collected
by the Reserve Banks.
BSA-Related Violations Increased in Recent Years; Violations of Currency
Transaction Reporting Requirements Were Frequently Cited
Our review of the regulators' data on BSA-related examinations and
violations from 2000 to 2004 indicated that the number of BSA-related
violations generally increased in recent years for reasons that are
specific to certain regulators. For example, as shown in figure 3, the
number of violations NCUA reported increased steadily from 2000 to 2004.
NCUA officials largely attributed this increase to a change in the
implementation of a risk-focused examination approach in 2002,
communication from the NCUA Chairman regarding the importance of correctly
citing violations under the risk-focused program, and a general increase
in training and guidance for examiners. NCUA officials also credited this
increase to a recent adoption of multiple layers of supervisory reviews
and periodic reviews of BSA examination data aimed at ensuring the
accuracy, completeness, and reliability of these data. OTS officials
attributed increases in the number of violations between 2003 and 2004 to
various factors, such as the implementation of a risk-focused examination
approach and implementation of a combined compliance and safety and
soundness examination. FDIC officials attributed the spike in violations
from 2003 to 2004 to a change related to record-keeping rules for CTRs.
Although OCC did not have a large increase in the number of violations,
OCC officials attributed the increase in the number of examinations from
2003 to 2004 to a change in the way OCC counted BSA examinations.
Figure 3: BSA-Related Violations and Examinations, by Regulator
(2000-2004)
The regulators distinguish between technical violations that are
considered minor, such as the late filing of a CTR or failure to fill in
certain boxes on a CTR form, and systemic violations, such as failure to
have a BSA/AML program. For example, data from FDIC, OCC, and OTS show
that in 2003 and 2004, citations issued in connection with CTR
requirements (31 C.F.R. S:S: 103.22 and 103.27) (see fig. 4) were among
the frequently cited BSA-related violations. These violations of the CTR
requirements included a failure to (1) file CTRs and (2) file them in a
timely manner. In contrast, NCUA data indicate that in 2003 and 2004,
citations issued in connection with procedures for monitoring BSA
compliance (12 C.F.R. S: 748.2) and the customer identification program
(CIP) rule, which was implemented under the PATRIOT Act of May 2003 (31
C.F.R. S: 103.121), were among the frequently cited BSA-related
violations. Violations of the CIP rule involved improperly verifying the
identity of customers at account opening. Other frequently cited
violations included violations of the regulators' BSA/AML program rules
pursuant to title 12 of the United States Code.
Figure 4: Frequently Cited BSA-Related Violations, by Regulator
(2000-2004)
In Recent Years, Some Regulators Have Been Citing BSA Violations with
Greater Specificity Than Before
NCUA and FDIC cited violations with greater specificity from 2003 to 2004
than from 2000 to 2002. Our review of BSA-related violation data from 2000
through 2001 indicated that NCUA's system generally classified any
violation of the BSA/AML program rule regulation under a single broad
category. In contrast, from 2002 to 2004, NCUA's violation data identified
the particular subsections that institutions violated. In addition, FDIC
officials noted that their data quality improved considerably in March
2003 with the implementation of its current examination data system, which
can now specify subsections of BSA-related regulations that institutions
have violated. In late 2003, FDIC changed the way that it tracked BSA
violations. After evaluating how its examination data system generated
violation reports, FDIC concluded that it was more useful to review the
"number of banks" where specific violations were cited, rather than to
record the frequency of each violation cited during each examination.
Furthermore, FDIC officials noted that the number-of-banks format is used
by FinCEN to ensure a more appropriate comparison from quarter to quarter
and among the regulators.
Regulators Now Share More Specific BSA-Related Examination and Violation
Data with FinCEN
Under an MOU entered into by the regulators and FinCEN in September 2004,
the regulators share more specific BSA-related examination and violation
data with FinCEN.3 Using their examination data systems, the regulators
provide FinCEN with quarterly reports on the number of BSA-related
examinations they have conducted, the number and types of BSA violations
cited, and the institutions cited for repeat violations. According to
FinCEN officials, as of February 2006, they had received the aggregate
data from the regulators for the fourth quarter of 2004 and the four
quarters of 2005. They also had received two annual reports from the
regulators, which included the number of financial institutions the
regulators examined and descriptions of examination cycles, also as
outlined in the MOU.
In turn, the MOU requires that FinCEN provide a compilation that
summarizes, by regulator, all of the data provided in the quarterly
reports. FinCEN has provided the regulators with these summaries as well
as an annual consolidated report.4 Table 5 summarizes this information for
fiscal year 2005.
Table 5: BSA/AML Examinations, Violations, and Enforcement Actions, by
Regulator (Fiscal Year 2005)
Regulator Number of Number of Number of
examinationsa violationsb enforcement
actionsc
FDIC 2,525 2,576 172
Federal Reserve 680 97 52
NCUA 4,715 4,754 1,824
OCC 1,530 405 42
OTS 722 514 29
Source: FinCEN.
aThe number of examinations conducted within each regulator's established
BSA examination cycle, including examinations conducted jointly with state
banking departments.
bThe number of BSA violations cited under title 12 or title 31 of the
United States Code.
cThe number of formal and informal enforcement actions taken to address
BSA compliance under either title 12 or title 31 of the United States
Code.
FinCEN officials noted that there are limitations to the aggregate data.
These data do not provide insight into the reasons why the violations are
occurring; rather, they are indications of issues to follow or act upon
through the supervisory process. FinCEN officials said that these data
compilations have shown increases in violations of requirements involving
CIPs, independent reviews, and BSA training. FinCEN has shared these data
with the regulators and given them areas to be aware of for follow-up at
their institutions.
According to FinCEN officials, FinCEN provided other analytical products
to the regulators as well. For example, FinCEN was directed by the
Treasury IG to undertake a SAR data quality review. As part of this
effort, FinCEN has identified problems with some SAR filings, which it
then shared with the regulators. The regulators told us that they have
found these SAR analyses to be useful because they can then direct the
specific institutions to address the problems. FinCEN also conducted a
systematic review of banking industry compliance with section 314(a) of
the PATRIOT Act and identified specific institutions that had not been
doing required searches of their accounts.5 As with the SAR data problems,
FinCEN has shared this information with the regulators so that they can
conduct follow-up with the institutions to rectify the problem. FinCEN
officials noted that these products are intended to help the regulators
elicit better BSA compliance. FinCEN plans to provide additional products
to the regulators, containing more strategic and tactical analyses, in the
future. In addition, FinCEN officials noted that the provision of analysis
to determine compliance trends across industry segments and across the
financial services sector-that is, banking, securities, insurance,
casinos, and others-was a long-term project. Near-term priorities included
conducting analyses of cases of significant noncompliance sent in by the
regulators. Such analysis would include all known information and
BSA-related filings relevant to the institution or customers when
considering an enforcement action. FinCEN officials said that its computer
system is now operational, and they had begun populating it with case
data.
FinCEN officials stressed that they wanted the products they provided to
the regulators to be ones that would help the regulators do their job.
That is, that the products could help identify emerging areas in BSA
compliance that require more guidance, new regulations, or changes to
existing guidance. In general, the regulators told us that they were
pleased with the analytical products they had received from FinCEN since
signing the MOU, and that they were looking forward to receiving
additional products from FinCEN in the future, especially those that
showed BSA noncompliance trends across financial industries or in specific
geographic areas.
The regulators also have begun to analyze the BSA compliance data they
receive from FinCEN for their own purposes. For example, OTS officials
said the technology upgrades they implemented over the past few years have
made analyzing these data much easier. From these analyses, they
determined that there were a number of institutions with problems in their
BSA training programs. OTS officials in headquarters also analyze
examination results on a nationwide basis looking for BSA compliance
trends. OCC officials analyze BSA data in two ways. First, OCC identifies
common compliance problems and seeks to identify areas needing
clarification through new guidance. Second, OCC analyzes BSA compliance
data on community banks for money laundering risks to help develop
examination strategies and to determine examination scope. According to
Federal Reserve officials, since the last quarter of 2005, the Federal
Reserve has been able to analyze BSA examination and enforcement data
collected by the Reserve Banks and analyze this information at the
headquarters level for trends and consistency. Federal Reserve officials
also noted that the reports from FinCEN supplement the Federal Reserve's
monitoring and analysis of supervisory data. FDIC officials said they have
conducted trend analyses of examination data since the issuance of the
FFIEC Examination Manual and have seen a slight decrease in BSA-related
violations overall among FDIC-supervised institutions. According to NCUA
officials, NCUA analyzes all of the data collected during the examination
and supervisory processes. For example, NCUA analyzes data that examiners
must collect, in accordance with NCUA policy, on credit unions' actions to
address significant BSA compliance problems. Furthermore, NCUA officials
said that NCUA has an initiative under way to create a database of the
information contained in the BSA questionnaires that credit unions
complete as part of the examination process, allowing NCUA to query this
information from NCUA's regions and headquarters. NCUA officials estimated
that it would take 3 years to populate the database.
The regulators have been conducting these analyses internally, but they
have not yet collectively discussed with FinCEN the implications of the
violation data and determined whether there was a need for additional
guidance to address problem areas they have been identifying. The MOU
states that, by the effective use of information exchanged under its
provisions, FinCEN and the regulators will seek to enhance the level of
assistance and analysis that can be provided to the banking industry and
to law enforcement in the BSA compliance area. Such guidance could provide
these additional benefits.
Differences Remain in the Regulators' Guidance and Terminology for
Classification of BSA Compliance Problems
Although the regulators and FinCEN increasingly have been enhancing and
coordinating information sharing and reporting, differences in how the
regulators classify BSA-related compliance problems remain. For example,
regulators differ in the guidance they provide to examiners for
determining what constitutes a BSA program compliance violation, with some
regulators not providing any written guidance and others differing in the
degree of guidance provided. Furthermore, the regulators' instructions on
BSA enforcement, which also provide guidance for interpreting or
classifying BSA-related problems, does not clearly define the
terms-intended as criteria for determining the seriousness or scope of a
compliance problem-on which those classifications would be based.
Additionally, there appears to be no clear consensus among examiners on
how to distinguish between BSA-related deficiencies and violations. In our
review of the regulators' examinations, examiners appear to have
classified apparently similar BSA-related compliance problems differently.
In some cases, examiners referred to BSA program compliance problems as
"deficiencies"; in other cases, the problems were cited as "violations."
As a result, examiner judgment likely played a greater role in classifying
BSA-related compliance problems. In turn, this could increase the
potential for inconsistencies in classifying BSA-related compliance
problems and subsequent citations. However, regulators emphasized that
other factors, such as an institution's risk profile or the diversity of
its operations and products, also help explain the differences in the way
that BSA-related compliance problems were cited and classified.
Regulators' Guidance on How to Cite and Classify BSA-Related Compliance
Problems Leaves Key Terms Undefined and Varies in Scope
When we reviewed the regulators' BSA examinations, we generally found that
the distinction between BSA/AML program compliance "violations" and
"deficiencies" appeared to be that violations represented some action or
inaction prohibited by the BSA and implementing regulations, and
deficiencies did not. Overall, regulators may cite an institution for a
BSA violation if it fails to meet the requirements of BSA/AML programs,
which encompass the following four elements:
o internal policies, procedures, and controls to ensure ongoing
compliance;
o an independent audit function to test programs;
o a designated individual who is responsible for the day-to-day
coordination and monitoring of compliance; and
o an ongoing training program for the appropriate personnel.6
Additionally, the regulators may cite institutions for failing to correct
a previously cited problem.
Typically, examiners accompanied a description of a violation with a legal
citation in examination reports. BSA/AML program compliance deficiencies
were not regarded as violations of the laws and regulations, and
examination reports generally described the deficiencies as BSA program
performance that was faulty or insufficient.
However, the regulators have taken different approaches to providing
examiners with guidance on the classification and citation of BSA
compliance problems. For example, the Federal Reserve provides no written
guidance for determining BSA/AML program compliance violations. Federal
Reserve examiners rely on the BSA itself and relevant regulations to
classify and cite BSA compliance problems. In addition to the BSA and
related regulations, the other four regulators each provide some written
guidance for determining BSA violations. Each regulator differs in the
nature and amount of guidance provided. FDIC, OCC, and OTS also provide
guidance that addresses, to some extent, how examiners are to distinguish
BSA/AML program compliance deficiencies from violations.
More specifically, section 8.1 of the FDIC's Risk Management Manual of
Examination Policies provides some guidance to examiners on the proper
citation of apparent violations of the BSA-related regulations in the
report of examination. An apparent violation may be cited in situations
where deficiencies in the BSA/AML program are serious or systemic in
nature, or when weaknesses and deficiencies identified in the BSA program
are significant, repeated, or pervasive. The FDIC manual also states that
an apparent violation of BSA program requirements should be cited for a
specific program deficiency to the extent that the deficiency is
attributed to internal controls, independent testing, the individual
responsible for monitoring day-to-day compliance, or training.7 However,
if the apparent violation is determined to be an isolated program weakness
that does not significantly impair the effectiveness of the overall
compliance program, then an apparent violation should not be cited. FDIC's
manual also provides examples of specific issues and situations that
warrant a citation of an apparent violation.
OCC guidance provides that citing an institution for a BSA violation and
taking a subsequent cease-and-desist action are appropriate when a bank
"exhibits BSA/AML program deficiencies coupled with aggravating factors,
such as highly suspicious activity creating a significant potential for
money laundering. . .or other substantial BSA violations." OCC's guidance
also lists conditions within BSA/AML programs, including systemic or
pervasive BSA record-keeping violations, which can be grounds for citation
of a BSA violation. Additionally, OCC's policy guidance on enforcement
actions also lists several serious problems for which a citation of a
violation and accompanying formal enforcement action might be considered
appropriate. OTS specifies that a systemic or other significant failure to
file CTRs is a BSA violation. OTS's policy guidance on enforcement actions
also lists several serious problems for which a citation of a violation
and accompanying formal enforcement action might be considered
appropriate. These include situations involving an institution's
significant problems or weaknesses with records, systems, controls, or
internal audit program. More recently, OTS provided guidance stating that
their terms "significant," "material," and "substantive" mean the same
thing.
Although NCUA is one of four regulators providing written guidance, it
takes a different approach. NCUA does not recognize any difference between
program deficiencies and violations, although NCUA officials stated that
they regarded a major deficiency as a violation. Instead, NCUA guidance
focuses on qualitative factors: BSA violations must be "significant." NCUA
provides criteria for determining when a violation is significant, and
NCUA's guidance states that consistent assessment of BSA violations is an
important part of compliance with the FinCEN MOU. NCUA categorizes
significant violations in the following three groups: "pervasive,"
"systemic," and "repeat." For example, pervasive violations are described
as tainting the entire operation of a credit union and include the lack of
a written BSA/AML program that adequately covers all required elements. To
apply NCUA's guidance, NCUA examiners must first determine if a credit
union's activities amounted to significant violations and then classify
the activity according to the definitions and examples in the guidance. As
a result, NCUA examiners do not report deficiencies. Our review of 30 NCUA
examinations identified one deficiency that was described only in work
papers. Available information did not indicate whether or how the
deficiency was reported in NCUA's automated reporting system.
Nevertheless, NCUA examiners told us that they could distinguish
deficiencies from violations, and they gave us an example of a deficiency
as an institution failing to update a policy but having a procedure in
place.
In addition, the regulators often do not clearly define the modifiers or
terms used to describe BSA compliance problems. For instance, the
regulators frequently use, but do not define or illustrate, the terms
"inadequate" and "adequate." FDIC's guidance describes as "inadequate"
BSA/AML programs with considerable problems, which essentially amount to
violations, but the guidance does provide any further explanation or
definition. FDIC examiners told us that they did not have standardized
criteria for characterizing the adequacy or inadequacy of a BSA program,
and that the term "adequate" could mean "satisfactory"; similarly, the
term "inadequate" could mean "deficient," "unsatisfactory," or "needs
improvement." For example, in our review of FDIC BSA examinations, we
found that examiners frequently used the terms "adequate" or "inadequate"
to refer to an institution's level of program compliance and to describe
deficiencies or violations.
The different meanings given to these terms also appear to affect how
examiners classify BSA problems. For example, NCUA officials said that
having an adequate practice but no written policy for the practice would
be counted as a BSA violation in NCUA's data system. However, a Federal
Reserve official noted that a violation would not be cited for a practice
that was deemed adequate, even though the bank's policy might not address
it. In this example, examiners would direct the institution to take
corrective action to ensure that it had a written policy addressing the
practice. We also noted that the regulators could use many different terms
to refer to the same thing. According to Federal Reserve officials,
examiners may use the terms "deficiency," "weakness," "inadequacy," or
"exception" to mean the same thing. Furthermore, FDIC guidance refers to
violations as "apparent violations."
FinCEN officials said that, they discussed the issue of different
terminology with regulators during the drafting of the terms of the MOU.
FinCEN and the regulators agreed not to impose any requirements for
standardized terminology in the MOU itself. Instead, they structured the
MOU to require the regulators to provide FinCEN with information on
instances of "significant" noncompliance, be it a BSA violation under
title 12 or title 31 of the United States Code, regardless of whether the
regulator classified the conduct as a violation or a deficiency. That is,
all problems against which the regulator is taking supervisory action are
to be reported to FinCEN. This reporting of significant noncompliance is
in addition to the quarterly reports the regulators provide to FinCEN
under the MOU on the number of BSA-related examinations they have
conducted, the number and types of BSA violations cited, and the number of
BSA-related enforcements actions put in place or terminated during the
quarter.
Examiners Generally Did Not Agree on When a BSA Program Compliance
Deficiency Amounted to a BSA Violation
Although four regulators provided some guidance for determining BSA
program deficiencies and violations, examiners could not clearly
articulate what constituted a deficiency. That is, in our discussions with
the examiners, they seemed to agree that a BSA violation amounted to
noncompliance with a BSA law or regulation; however, they did not have a
uniform definition or understanding of when a BSA program compliance
deficiency rose to the level of a violation.
To illustrate, FDIC examiners said that a deficiency was the examiner's
conclusion on the basis of the institution's lack of compliance with BSA,
but a violation was a deviation from or noncompliance with a BSA rule or
regulation. NCUA examiners said that a deficiency usually referred to
problems with policies; for example, an institution might not have updated
a BSA policy for which it had procedures in place. According to OCC
examiners, a deficiency was an activity that, although not defined or
classified by the statutes as a violation, fell "below standard" and did
not reflect sound AML management. OTS examiners stated that there were no
clear definitions of BSA violations; however, they regarded a "violation
of a regulation" to be a BSA violation. Federal Reserve examiners told us
that they had difficulty determining whether a given set of facts amounted
to a BSA program deficiency or violation, and that, as a result, a lot of
examiner judgment went into determining whether the facts supported a
citation of a BSA program deficiency or violation. They also said that
they submitted program deficiencies to headquarters for assistance in
determining whether deficiencies constituted violations and how problems
should be classified.
Examiners Cited Institutions Differently for Apparently Similar Problems,
but Regulators Noted Several Factors That Could Have Caused Differences
In our review of 138 BSA examinations, we identified at least 8 instances,
involving 17 institutions, in which examiners cited institutions
differently for what appeared to be substantially similar problems. For
example, different regulators recognized similar substantial or material
problems in internal audits, but cited the institutions with either a BSA
program deficiency or a violation. In one instance, Federal Reserve
examiners pointed out a deficiency to the institution because the internal
audit report failed to identify and report material weaknesses that were
identified during the examination. But FDIC examiners cited an institution
with a BSA violation for its inadequate audit testing that lacked
independence and did not test or review certain areas. Similarly,
regulators issued different types of citations to institutions that had
not adequately tested their systems. Federal Reserve examiners pointed out
a deficiency to an institution for not conducting annual independent
testing at all of its 15 branches and for failing to perform a regularly
scheduled audit. However, OTS and FDIC examiners cited institutions with
violations for failing to perform independent testing. Although examiners
cited institutions with BSA violations or deficiencies on what appeared to
be substantially similar grounds, we did not review the cited violations
or deficiencies for correctness and did not conclude that they were
incorrect. The lack of uniform, clear guidance for distinguishing between
BSA/AML program deficiencies and violations likely increases the
examiners' reliance on professional judgment to make findings of
deficiencies and violations, which in turn could result in inconsistencies
in classifying deficiencies and violations, which was apparent in some of
the examinations that we reviewed.
According to most of the regulators, multiple factors could contribute to
differences among examiner citations. For example, according to OCC
officials, an institution's risk profile, products, or commitment to
resolving problems could influence an examiner's determination. The
perceived severity of the institution's problem also could influence the
decision to issue a violation or a deficiency. One OCC official noted that
no two institutions were alike, and that the regulation was not designed
to be "one size fits all." Nevertheless, OCC recognized the potential for
inconsistent interpretations in citing violations of its BSA regulation.
In a May 2005 report sent to the Senate Committee on Banking, Housing, and
Urban Affairs, OCC stated that its guidance on citing violations of the
regulation
was open to multiple and inconsistent interpretations.8 As a result, OCC
revised the guidance in November 2004 to clearly state that there is a
statutory mandate that OCC will issue a cease-and-desist order for
violations of the regulation, since the OCC's review team had found
inconsistent treatment of violations of the regulation.
NCUA officials thought its classifications of BSA problems were
consistent, and that it was more important to allow the regulators to have
flexibility to interpret and classify BSA compliance problems, given the
differences in the institutions they supervised. Federal Reserve officials
stated that differences in terms used to describe deficiencies that did
not rise to the level of violations were less important, and that
consistency in the citation of violations was of primary importance
because of the more immediate supervisory consequences of such citations.
Regulators and FinCEN Increased Coordination on BSA Enforcement; Criminal
Cases Were LimitedChapter 5
Regulators address most BSA-related compliance problems through the
examination process. Although the regulators can use tools that range from
supervisory actions (such as moral suasion) to informal actions (such as
MOUs) and formal enforcement actions (such as the assessment of CMPs),
according to the regulators, most BSA-related problems are resolved during
the course of an examination. FinCEN also uses a range of enforcement
tools, including CMPs; but, according to FinCEN officials, FinCEN must
ensure the consistent application of CMPs across all financial
institutions, not only those supervised by the regulators. Moreover,
unlike the regulators, FinCEN was delegated authority under the BSA to
take enforcement actions for violations of the BSA and its implementing
regulations. From 2000 to 2005, FinCEN assessed CMPs in 11 cases, with
significantly higher penalties in recent years. Although the Secretary of
the Treasury has not delegated enforcement authority to the regulators as
statute directs, FinCEN officials said there have been no significant
consequences of FinCEN and the regulators operating under independent, but
overlapping, statutory authorities to assess CMPs. Furthermore, FinCEN and
the regulators have increased coordination on enforcement consequent to
their September 2004 MOU on information sharing. For example, they have
begun to concurrently assess CMPs for significant BSA problems at
depository institutions. Criminal cases against depository institutions
for BSA violations have been limited. From 2002 to 2005, Justice, either
through its Criminal Division or its U.S. Attorneys' Offices, has pursued
legal action against six depository institutions for criminal violation of
the BSA. The increase in actions has raised some concerns in the banking
industry, although Justice officials said that investigations of
depository institutions for BSA noncompliance generally have involved only
those cases wherein institutions engaged in willful and repeated failures
to fulfill their legal duties. Furthermore, in some cases, the alleged
criminal conduct of customers revealed to investigators the lapses at the
institutions. Most criminal investigations of depository institutions were
resolved through deferred prosecution agreements and monetary penalties.
Finally, Justice recently formalized coordination on cases where a
financial institution would be named as an unindicted coconspirator or
allowed to enter into a deferred prosecution agreement.
Regulators Address Most BSA-Related Compliance Problems within the
Examination Framework
Each regulator's authority to take supervisory actions and informal
enforcement actions lies in its respective general authority to supervise
financial institutions and exercise discretion to carry out the purposes
of its enabling statute. Supervisory actions generally involve
communicating recommendations to institution management during
examinations or though the examination report. Although regulators use a
broad range of actions to address BSA compliance, according to the
regulators, most problems in BSA-related compliance are corrected within
the examination framework through supervisory actions. OCC officials noted
that such supervisory actions generally are used to correct relatively
minor or technical compliance problems. The regulators typically request
depository institutions' management and directors to correct problems that
were identified during examinations and communicated through the report of
examination. OTS officials noted that addressing BSA compliance problems
within the examination framework meant that the institutions could correct
the problems promptly and the examiners could review the corrections
immediately. NCUA encourages examiners to resolve problems informally
whenever possible. Representatives of some regulators also noted that if
supervisory actions proved insufficient or problems required stronger
action, the regulators generally would use informal enforcement actions.
Informal enforcement actions are mutual agreements between the regulator
and the institution to correct an identified problem. They generally
involve written commitments from institution management to correct the
problem and are used to address problems that are not critical, and that
plausibly could be corrected through a voluntary commitment from the
institution's management. For example, OCC issues MOUs or commitment
letters, reflecting specific commitments to take corrective actions in
response to problems or concerns identified by OCC in its supervision of a
bank. The letters are then signed by the institution's board of directors
on behalf of the bank and acknowledged by an authorized OCC official.
Although informal enforcement actions are not public and are not binding
legal documents, failure to honor the commitments could provide the
regulator with evidence of the need for formal action. The regulators
noted that they generally use informal enforcement actions against BSA
noncompliance that is limited in scope and technical in nature. According
to representatives of the regulators, the regulators generally require the
institutions to inform them after a specified time of their progress in
making the corrections, and to verify that the improvements have been
made. Furthermore, examiners can conduct verifications before or during
subsequent examinations. According to FinCEN data, the regulators took
2,048 informal enforcement actions in fiscal year 2005.
Our review of 138 examinations conducted between January 1, 2000, and June
30, 2004, that contained a BSA-related violation, also indicated that the
regulators most frequently addressed BSA problems through supervisory
actions. The regulators generally obtained oral commitments from
institution management or used informal actions to address problems with
components of institutions' compliance programs or limited problems with
BSA filings. The regulators mostly obtained oral commitments from
institution management to correct identified problems during meetings with
management or boards of directors. For example, in a 2002 examination,
NCUA examiners identified that a credit union had failed to update its
written BSA policy to reflect the name of its new compliance officer. The
institution's board of directors agreed immediately to correct the
problem. Similarly, in a 2000 examination, FDIC examiners determined that
the bank failed to file four CTRs in a timely manner. The examiners noted
that before the examination, bank management already had improved internal
practices to avoid such violations in the future. They obtained agreement
from the bank president to correct the four instances of CTR-related
noncompliance. Our review also identified instances of the regulators' use
of informal enforcement actions to address BSA-related noncompliance. For
example, in a 2003 examination, NCUA examiners identified a credit union's
failure to have written procedures for OFAC compliance. To address this
failure and other BSA-related noncompliance, NCUA entered into a written
agreement with the institution, called a Document of Resolution, which
indicated that the board of directors agreed to develop and approve OFAC
procedures after the completion of the examination. In a 2003 examination,
OTS examiners addressed an institution's failure to maintain records of a
small number of CTR filings by obtaining the institution's written
agreement to ensure the appropriate record retention. Federal Reserve
officials noted that because all of the Federal Reserve examinations in
our sample were of those institutions already under a formal enforcement
action, ongoing communication with institution management about the
criticisms identified in the reports was particularly important.
Regulators Assess Many Factors in Deciding on Formal Actions against
Significant BSA-Related Compliance Problems
In general, the regulators have taken formal enforcement actions against
violations of significant BSA/AML program requirements and BSA
violations.1 Formal enforcement actions are written documents that are
disclosed to the public, are more severe than informal actions, and
generally are enforceable through the assessment of CMPs and through the
federal court system. The regulators coordinate formal enforcement actions
with state banking departments, where appropriate, and with FinCEN on
cases involving significant BSA-related compliance problems. According to
FinCEN data, the regulators took 71 formal enforcement actions in fiscal
year 2005.
As seen in table 6, the regulators' recent formal enforcement actions for
BSA-related compliance problems include consent orders, cease-and-desist
orders, written agreements, and CMPs.2 For example, in two recent and
widely publicized cases, OCC and the Federal Reserve, respectively,
entered into formal enforcement actions with the Federal Branch of Arab
Bank, PLC, and the New York Branch of ABN AMRO Bank, N.V. (ABN AMRO). 3
Through the respective consent orders and CMP assessment, the
institutions agreed to the numerous corrective actions outlined by the
regulators to remedy the identified BSA-related violations.4
Table 6: Examples of Formal Enforcement Actions Taken against Depository
Institutions for BSA-Related Compliance Problems (2004-2005)
Enforcement action Date Regulator Depository Areas of
institution significant
BSA-related
problems included
in actions
Consent order 10/2005 OCC Key Bank, N.A. o BSA compliance
program
o BSA compliance
officer function
o Suspicious
activity reporting
o Independent audit
o Training
Written agreement 10/2005 Federal Deutsche Bank o BSA compliance
Reserve Trust Company program
o Independent
testing
o Training
o Suspicious
activity reporting
o Customer due
diligence
Written agreement 06/2005 Federal First Citizens o BSA compliance
Reserve Bank of Butte program
Cease-and-desist 06/2005 FDIC First Community o BSA compliance
order Bank of program
Southwestern
Florida o BSA compliance
officer function
o BSA compliance
committee
o Customer due
diligence
Consent order 05/2005 OCC InterBusiness o BSA compliance
Bank, N.A. program
o Independent
testing
Cease-and-desist 05/2005 FDIC Muskegon o BSA compliance
order Commerce Bank program
o Independent
testing
Consent order 02/2005 OCC United Americas o BSA compliance
Bank, N.A. program
o BSA compliance
officer function
o Suspicious
activity reporting
Consent order of 02/2005 OCC City National o BSA compliance
civil money penalty Bank program
o Customer due
diligence
o Suspicious
activity reporting
Consent order 02/2005 OCC Federal Branch o BSA compliance
of Arab Bank, program
PLC
o Suspicious
activity reporting
o Monitoring
third-party wire
transfers
Supervisory 01/2005 OTS First Federal o BSA compliance
agreement Savings and Loan program
Association of
Edwardsville o Customer
identification
o OFAC compliance
o Training
Cease-and-desist 12/2004 OTS Guaranty Bank o Suspicious
order activity reporting
o Suspicious
activity monitoring
o Training
Civil money penalty 12/2004 OTS Anchorbank, fsb o CTR filing
o Customer
identification
program
o Training
o Independent
testing
o Suspicious
activity reporting
Written agreement 07/2004 Federal ABN AMRO Bank, o BSA compliance
Reserve N.V. program
o Correspondent
accounts
o Independent audit
o Suspicious
activity reporting
o Customer due
diligence
Source: GAO.
Representatives of the regulators noted that they consider a variety of
factors when determining whether to pursue formal enforcement action for
BSA-related noncompliance. They noted the importance of the specific
circumstances of each case when determining the appropriate formal
enforcement action for problems within institutions' BSA programs. For
instance, a senior FDIC official said that FDIC would consider (1) the
extent to which the institution's BSA program failed to detect or deter
potential money laundering, (2) the institution's response to previous
violation notifications, and (3) the institution's overall risk profile.
According to another FDIC representative, Federal Deposit Insurance Act
(FDI Act) specifications on enforcement actions do not preclude FDIC from
taking different action. Thus, if FDIC determines that a bank has a
positive compliance history and the bank's management demonstrates a
desire and ability to cooperate with FDIC, the regulator might not
automatically take a formal action against a failure in a component of the
institution's BSA program. Guidance on formal enforcement actions for
BSA-related compliance problems issued separately by OCC and OTS in
November 2004 and March 2004, respectively, also noted such factors and
identified other factors, such as the regulator's confidence in the
ability of the institution to correct the problem and whether the
institution independently identified and corrected the problem. Finally,
Federal Reserve officials said that they issue cease-and-desist orders to
institutions that have violated some aspect of the BSA program
requirement, but that they sometimes enter into written agreements with
the institutions for such violations.
Regulators Do Not Derive Authority for Formal Enforcement Actions,
Including CMPs, from the BSA
Section 8(s) of the FDI Act also authorizes the regulators to enforce
compliance with BSA program requirements. Specifically, in the event that
an insured depository institution fails to establish or maintain a BSA
program or has failed to correct any previously identified deficiency in
its BSA program, the appropriate regulator shall issue an order requiring
the institution to cease-and-desist from its violation.5 Should the
institution violate a cease-and-desist order, the regulators are
authorized to assess a CMP or file an action for injunctive relief in the
appropriate federal district court.6 Additionally, the regulators may
impose CMPs for violations of conditions imposed by a regulator in
connection with granting an application or request; violations of written
agreements between the institution and the regulator, or any law or
regulation; unsafe or unsound practices; and breach of fiduciary duties.
However, the regulators currently do not have delegated authority under
the BSA to take formal enforcement actions for violations of the BSA.
Title 12 of the United States Code authorizes the regulators to take
certain formal enforcement actions if they determine that a depository
institution is engaging in unsafe or unsound practices or has violated any
applicable law or regulation.7 The regulators have interpreted this
authority to include violations of the BSA and its implementing
regulations when they take formal enforcement actions aimed at addressing
violations of the BSA/AML program requirement.
Critical Reviews of Regulators' BSA Oversight Have Prompted Some
Regulators to Change Examiner Procedures and Guidance
Some regulators have changed procedures and examiner guidance related to
enforcement in response to weaknesses identified by internal and IG
reviews. A 2005 internal quality assurance review at OCC, conducted in the
wake of significant BSA failures at Riggs Bank, N.A. (Riggs Bank),
determined that among the sampled banks, stronger action was warranted at
8 of 24 community banks, 1 of 6 midsize banks, and 1 of 6 large banks.
Furthermore, according to the review findings, OCC's initial supervisory
actions were not always severe enough to ensure timely correction of the
BSA/AML problems for 22 percent of the sampled institutions. The review
also determined that OCC had given banks multiple opportunities and
extended periods of time to implement effective BSA/AML programs. In a
July 2005 response to the review, a senior OCC official stated that, over
the past 18 months, one of the actions OCC had taken to address this
problem was to institute a process where OCC staff, including experts at
OCC headquarters, would review any proposed citation relating to a BSA/AML
program requirement and an OCC Senior Deputy Comptroller would make the
final decision to cite a violation.
In 2003, the Treasury IG found that OTS's reliance on moral suasion and
thrift management assurances to comply with the BSA was not effective in
compelling thrift management to correct their BSA violations in 21 of the
68 sampled thrifts. Furthermore, the Treasury IG indicated that the
reports of examination and underlying examination work papers supported
OTS taking more forceful and timely enforcement actions against these
thrifts. In a detailed review of 9 of 11 cases where OTS issued written
enforcement actions in response to substantive BSA violations, the
Treasury IG found that in 5 cases, the enforcement documents either were
not taken in a timely manner or did not address all of the substantive
violations found by the examiners. According to the Treasury IG, the BSA
violations continued for years or BSA compliance worsened. To address the
report's findings and recommendations, OTS management agreed to make a
number of corrective actions, including implementing enhanced supervisory
review over the examination process to better ensure that substantive
violations identified in an examination would be incorporated into the
report of examination. OTS also agreed to issue supplemental examiner
guidance (1) on when to initiate stronger enforcement action when
substantive BSA violations were found and (2) on time frames for expecting
corrective action to avoid repeated violations of the BSA and
deteriorating BSA compliance. OTS agreed to improve regional reviews to
ensure that substantive BSA violations were identified in the report of
examination. OTS officials told us that the improvements made to its
examination and enforcement data systems allow for easier monitoring of
the timeliness of institutions' corrective actions. According to an OTS
official, OTS has implemented all of the Treasury IG recommendations made
in connection with this report, including the issuance of guidance on
enforcement actions specifically for BSA-related compliance problems.
Other reviews also identified weaknesses in how some regulators followed
up on BSA compliance problems. According to the 2005 internal quality
assurance review, in the past, OCC did not effectively follow up on
BSA/AML violations and/or Matters Requiring Attention among sampled
institutions; however, because of OCC's increased emphasis on BSA/AML
supervision in 2004 and 2005, follow-up had improved in all areas of
BSA/AML supervision.8 Similarly, a 2004 FDIC IG review indicated that FDIC
needed to strengthen its follow-up processes for BSA violations. The FDIC
IG determined that there was a wide range of follow-up actions and
identified a number of weaknesses in FDIC follow-up processes through
reviews of sampled institutions, relevant procedures of FDIC regional
offices, and information from FDIC's data systems.9 The FDIC IG
recommended that FDIC reevaluate and update examination guidance to
strengthen monitoring and follow-up processes for BSA violations, and take
or conduct, among other things,
o prompt, appropriate, and consistent regulatory action in cases where
management action is not timely, including cease-and-desist orders for
repeat violations, as appropriate, and
o consistent and timely follow-up of BSA violations between examinations
to ensure management is taking corrective action.
According to the FDIC IG, FDIC had initiatives under way to reassess and
update its BSA policies and procedures, and the agency agreed with the
recommendations. An FDIC IG official noted that FDIC has implemented
corrective action that addresses the recommendations.
Unlike the Regulators, FinCEN Has Delegated Enforcement Authority under
the BSA
FinCEN, the administrator of the BSA, takes enforcement action against BSA
compliance problems at financial institutions, including, but not limited
to, depository institutions. Unlike the regulators, FinCEN can take
such action because the implementing regulations of the BSA specifically
delegated authority for it to do so.10
While the regulators have examination authority and deal most directly
with depository institutions, FinCEN receives information on specific
cases of depository institutions' BSA-related compliance problems through
referrals of specific cases from the regulators or through reports from
institutions filed as a result of the examination process.11 In 1990,
FinCEN's predecessor, the Office of Financial Enforcement, issued guidance
on referrals to the regulators that described situations and types of
violations that would warrant referral for further action beyond any
enforcement actions that the regulators might take. OCC, FDIC, OTS, and
NCUA subsequently summarized the guidelines in their respective BSA
examination policies and procedures.12 According to FinCEN officials, each
regulator has referred cases for further action, but to varying degrees
(see table 7).
Table 7: Number of Referrals from the Banking Regulators to FinCEN
(2001-2004)
Number of referrals to FinCEN, by year
Agency 2001 2002 2003 2004
FDIC 6 13 2 13
Federal Reserve 3 1 0 4
OCC 0 0 1 1
OTS 0 0 0 1
NCUA 0 1 0 0
Source: FinCEN.
In addition to referrals, FinCEN could become aware of BSA compliance
problems through examination-related reporting. For example, according to
FinCEN officials, if examiners discover that BSA forms have not been filed
in a timely manner, the regulators often instruct depository institutions
to contact FinCEN or the IRS for a determination on whether BSA forms must
be filed late. If such matters rise to a significant level of
noncompliance with the BSA, FinCEN reviews the facts to determine what
action to take.
FinCEN takes enforcement actions against significant BSA compliance
problems by issuing letters of warning or imposing CMPs. According to a
senior FinCEN official, such enforcement actions are intended to yield
greater compliance from the institution that was the target of the action
and serve as an example, thereby resulting in greater compliance from the
financial services industry. According to FinCEN officials, FinCEN
considers several factors when determining the severity of an
institution's violations, including the nature, number, time-span, and
rate of reporting failures. Furthermore, FinCEN takes into account whether
the violation was willful, repeated, or systemic, and whether the
violation was related to a failure in the institution's AML program.
FinCEN also considers what corrective actions the institution has taken to
address the violations and the effects of actions from other agencies,
such as the regulators or law enforcement agencies. FinCEN officials noted
that FinCEN issues letters of warning to address cases that involve
relatively significant BSA noncompliance, but do not rise to a level that
would warrant a CMP.13 Depending on the nature of the case, CMPs against
depository institutions could range from $500 to $1,000,000 per violation.
From 2000 to 2005, FinCEN Imposed CMPs in 11 Cases but, in Recent Years,
Assessed Them Concurrently with Relevant Regulators
From 2000 to 2005, FinCEN assessed CMPs against 11 depository
institutions.14 According to FinCEN officials, the use of CMPs has been
effective in stopping the violating activities at depository institutions
where previous enforcement actions by the regulators had not brought about
compliance. FinCEN penalized the depository institutions for significant
reporting failures resulting from serious weaknesses in BSA compliance
policies and procedures. As seen in table 8, CMPs ranged from $100,000 to
$30 million. In 7 of the 11 cases, FinCEN cited willful violation of the
BSA.
Table 8: CMPs Assessed Solely by FinCEN and Concurrently with the
Regulators (2000-2005)
Year Depository CMP amount CMP CMP assessed Regulator
institution assessed concurrently by
solely by FinCEN and the
FinCEN regulator
2005 The New York $30 ✔ Federal
Branch of ABN milliona Reserve
AMRO Bank, N.V.
2005 The New York 3 millionb ✔ OCC and
and Miami Federal
Branches of Reserve,
Banco de Chile respectively
2005 The New York 24 million ✔ OCC
Branch of Arab
Bank, PLC
2004 AmSouth Bank 10 million ✔ Federal
Reserve
2004 Riggs Bank, 25 million ✔ OCC
N.A.
2003 Korea Exchange 1.1 ✔ FDIC
Bank million
2003 Banco Popular 20 million ✔ Federal
de Puerto Rico Reserve
2002 Great Eastern 100,000 ✔ FDIC
Bank of Florida
2002 Sovereign Bank 700,000 ✔ OTS
2000 Polish and 185,000 ✔ NCUA
Slavic Federal
Credit Union
2000c Sunflower Bank, 100,000 ✔ OCC
N.A.
Source: GAO.
aABN AMRO Bank, N.V., consented to the assessment of a CMP by FinCEN
against the New York Branch of ABN AMRO in the amount of $30 million. The
assessment also was concurrent with a $40 million CMP assessed by the
Federal Reserve, which included an assessment by OFAC. The federal CMPs
were satisfied by one payment of $40 million. In addition, ABN AMRO Bank
consented to a separate CMP assessment against the New York Branch by the
New York State Banking Department in the amount of $20 million, as well as
a $15 million CMP assessment against the Chicago Branch by the State of
Illinois Department of Financial and Professional Regulation and a $5
million contribution to an Illinois examiner education fund.
bOCC is the primary federal functional regulator of the New York Branch of
Banco de Chile, and the Federal Reserve is the primary federal functional
regulator of the Miami Branch. FinCEN assessed a $3 million CMP assessment
against both branches of Banco de Chile, concurrent with OCC's $3 million
CMP assessment against the New York Branch. The Federal Reserve issued a
cease-and-desist order against the Miami Branch but did not assess a CMP.
cFinCEN's documentation of the CMP assessment indicated that Sunflower
Bank, N.A., consented to the assessment on December 27, 1999, and the
Director of FinCEN signed the release of the document on January 6, 2000.
In some instances, FinCEN assessed CMPs against depository institutions
separate from any enforcement action taken by the relevant regulator. More
recently, FinCEN has assessed CMPs concurrently with the regulators.15 We
discuss two examples in more detail in the following sections:
Riggs Bank
In May 2004, FinCEN and OCC concurrently imposed $25 million in CMPs
against Riggs Bank for willful and systemic BSA violations.16 FinCEN
determined that Riggs Bank willfully violated the suspicious activity and
currency transaction reporting requirements of the BSA and its
implementing regulations, and that Riggs Bank willfully violated the AML
program requirement of the BSA and its implementing regulations. Riggs'
failure to establish and implement a BSA/AML program adequate to meet its
suspicious activity and currency transaction reporting requirements
constituted systemic violations that demonstrated a reckless disregard of
its obligations under the BSA. According to FinCEN, Riggs Bank further
demonstrated willfulness by failing to correct the BSA-related compliance
problems that OCC previously identified.17
The New York Branch of Arab Bank, PLC
More recently, in August 2005, FinCEN and OCC concurrently imposed a $24
million CMP against the New York Branch of Arab Bank, PLC (Arab Bank-New
York). According to FinCEN, Arab Bank-New York failed to apply an adequate
system of internal controls to the clearing of funds transfers, given the
heightened risks of money laundering and terrorist financing posed by the
bank's customer base, correspondent institutions, and geographic locations
and by the volume of funds it cleared.18 FinCEN determined that Arab
Bank-New York inappropriately limited the scope of systems and controls
used to comply with the BSA and manage the risks of money laundering and
terrorist financing-for example, by limiting the monitoring and review of
transactions to only those entities that the bank viewed as direct
customers of Arab Bank-New York. That is, it did not monitor and review
transactions for originators and beneficiaries without accounts at Arab
Bank-New York for which the bank had served as an intermediary
institution. As a result, Arab Bank-New York failed to monitor these funds
transfers for potentially suspicious activity. FinCEN also determined that
Arab Bank-New York failed to implement procedures commensurate with the
risks posed by its U.S. dollar clearing activities. For example, according
to FinCEN, the bank did not obtain and use credible publicly available
information (which included congressional testimony, indictments in the
United States, and well-publicized research and media reports) to monitor
and identify funds transfers that warranted further investigation and did
not conduct follow-up investigations when it had identified anomalies or
potentially suspicious funds transfers.
Furthermore, FinCEN determined, in part, that Arab Bank-New York failed to
identify a number of potentially suspicious funds transfers. For example,
FinCEN cited funds transfers that the bank cleared from 2001 through 2004
for originators or beneficiaries whom OFAC and the Department of State
subsequently declared to be "specially designated terrorists," "specially
designated global terrorists," or "foreign terrorist organizations." At
the time of the funds transfers, neither OFAC nor State had designated the
originators or beneficiaries, and the bank largely complied with the
requirement to cease clearing funds transfers once they were designated as
such. However, according to FinCEN, once the designation was made, Arab
Bank-New York failed to review information in its possession that would
have shown it had cleared funds transfers for those individuals and
entities, failed to analyze this information, and failed to file SARs.
More specifically, Arab Bank-New York did not file the majority of its
SARs referencing terrorist financing until after OCC commenced a review of
its funds transfer activity in July 2004.
FinCEN Does Not Believe the Lack of Delegated Authority to Impose CMPs
under the BSA Has Significantly Affected Enforcement
The Secretary of the Treasury has not delegated to the regulators the
authority to assess CMPs under the BSA to address violations. Under the
BSA, the Secretary is authorized to assess CMPs against financial
institutions, including depository institutions, for violations of the
BSA.19 In 1994, MLSA directed the Secretary to delegate this authority to
the regulators and attach terms and conditions deemed appropriate,
including a limitation on the dollar amount of penalty authority. The
Secretary has delegated this authority to the Director of FinCEN. In 1995,
the director established an interagency group consisting of
representatives from the regulators and FinCEN to implement the delegation
by developing common guidance for the assessment of CMPs. A subgroup of
the interagency group developed a draft delegation of CMP authority, a
matrix of penalties and decision factors, and guidance for using the
matrix. However, according to FinCEN and OCC officials, the agencies could
not reach agreement. Further complicating the matter, the statutory
mandate for delegation of CMP authority to the regulators did not include
NCUA or the Securities and Exchange Commission, which examines
broker-dealers for BSA compliance.
More recently, according to FinCEN officials, the challenges in crafting a
delegation that would result in consistent and accountable BSA enforcement
have increased substantially. For example, FinCEN officials cited the
addition, under the PATRIOT Act, of an additional regulator, the Commodity
Futures Trading Commission, to the BSA compliance examination process.20
They also noted the expanded scope of BSA regulation as more types of
institutions became subject to BSA compliance. FinCEN officials said that
since 1994, FinCEN repeatedly has evaluated the benefits and potential
consequences of delegating its CMP authority to the regulators, but
currently has no plans to pursue this delegation.
Furthermore, citing the regulators' authority to assess CMPs under the FDI
Act, FinCEN officials said that they were not aware of any significant
enforcement ramifications caused by the lack of delegated authority. As
previously mentioned, the regulators have interpreted their authority
under the FDI Act to impose CMPs for violations of any law or regulation
to include violations of the BSA. In addition, FinCEN officials noted that
through the MOU, FinCEN and the regulators have achieved the coordination
on enforcement issues, including CMP issuance, which was intended to occur
through the delegation of the authority. For example, if pursuant to the
MOU, FinCEN learns from a regulator of a significant BSA violation or
deficiency by a financial institution, and FinCEN determines that the
imposition of administrative enforcement remedies under the BSA may be
warranted, FinCEN is to notify the institution's regulator no later than
30 days after the determination, and before taking any public enforcement
action. Similarly, to the extent that FinCEN is not already a party to a
regulator's formal enforcement action involving a significant BSA
violation or deficiency, under the terms of the MOU, the regulators are to
notify FinCEN of formal enforcement actions no later than 30 days after
the regulator's decision to pursue the action and before such action is
made public.
According to officials at FinCEN and the regulators, coordination among
these agencies on enforcement issues has improved dramatically in recent
years. FinCEN officials noted that the regulators have involved FinCEN in
BSA supervisory and enforcement issues at earlier stages than in the past.
For example, as indicated in the MOU, the regulators now inform FinCEN
when they have recommended that an institution file CTRs that previously
had not been filed as required or inquire of FinCEN's processing center
about the need to file. FinCEN officials also pointed out that the
regulators previously notified FinCEN that they were referring cases of
noncompliance to FinCEN for potential further action shortly before they
separately took formal enforcement actions under banking statute.
According to officials from some regulators, in the past, FinCEN sometimes
would take enforcement action against an institution on the basis of a
referral from a regulator long after the institution had come into
compliance with the regulator's formal enforcement action.
More recently, the regulators and FinCEN have been working more closely on
enforcement issues. According to Federal Reserve, FDIC, and OTS officials,
earlier communication between the regulators and FinCEN has resolved the
difference in timing of enforcement actions. As previously described, in
2004 and 2005, FinCEN jointly issued several enforcement actions with OCC
and the Federal Reserve. Furthermore, under the MOU, the regulators are to
notify FinCEN of the resolution of any action involving a significant BSA
violation or deficiency, to the extent not otherwise known to FinCEN, no
later than 30 days after the resolution of the action. The regulators also
are to provide FinCEN with any materials relevant to the resolution. The
MOU also directs the regulators to provide FinCEN with a quarterly
assessment of the institutions that have failed to comply with formal
enforcements actions requirements, such as requirements to take corrective
measures, develop and implement an action plan, or submit progress reports
to the regulator. FinCEN officials pointed out that situations could arise
in the future where the regulators and FinCEN would pursue different
courses of enforcement action, but as directed in the MOU, FinCEN and the
regulators would inform one another of any impending action.
Justice Has Pursued a Limited Number of Criminal Cases against Depository
Institutions for BSA Noncompliance
Since 2002, Justice, either through its Criminal Division or its U.S.
Attorneys' Offices, has pursued investigations of six depository
institutions for criminal violation of the BSA (see table 9). Justice
officials said that cases where the depository institution was the
criminal BSA offender were limited, and that the department had pursued
significantly more cases against individuals for BSA offenses. According
to a senior official at Justice, egregious failures to perform a minimal
level of due diligence over a number of years triggered the cases against
the depository institutions.
For instance, in January 2005, Justice announced that Riggs Bank pled
guilty to a federal criminal violation of the BSA in connection with
repeated and systemic failure to accurately report suspicious transactions
associated with bank accounts owned and controlled by Augusto Pinochet of
Chile and the government of Equatorial Guinea.21 Justice cited Riggs
Bank's involvement in transactions for Pinochet and his wife from 1994 to
2002 (multiple accounts, investments, and certificates of deposits at
Riggs Bank in the United States and at its London branch). This
involvement occurred despite an outstanding 1998 attachment order issued
by a Spanish magistrate to freeze all of Pinochet's assets worldwide and
despite warrants against Pinochet that were issued for human rights crimes
by numerous countries, including Spain, Switzerland, Belgium, and France.
Additionally, from 1996 to 2004, Riggs Bank opened more than 30 accounts
for the government of Equatorial Guinea, numerous Equatorial Guinean
government officials, and their family members.22 Riggs Bank also opened
multiple personal accounts for the Equatorial Guinean president and his
relatives and assisted in establishing offshore shell corporations for the
president and his sons. For both the Pinochet and Equatorial Guinean
government accounts, Justice determined that Riggs Bank knew or had reason
to know that these transactions were suspicious, but failed to file any
SARs until congressional investigators, banking regulators, or law
enforcement discovered the transactions.
Similarly, in 2003, Justice and ICE investigators determined that from
1995 through 1998, Banco Popular de Puerto Rico (Banco Popular) allowed a
drug dealer to launder approximately $32 million in cash drug proceeds.
Law enforcement officials determined that the bank failed to visit the
business location, which was within a short walking distance from the bank
branch, to verify the customer's purported source of income. Furthermore,
the bank neither reported the customer's large cash deposits-at times more
than $500,000-nor filed a SAR until February 1998, after $21 million of
narcotics proceeds had been laundered at one branch.
In another example, in 2002, the U.S. Attorney's Office for the Southern
District of New York determined (through investigations by various law
enforcement agencies) that during the 1990s, Broadway National Bank became
the institution of choice for narcotics money launderers and other
individuals who wanted to shield their financial activities from
government scrutiny. According to sentencing documentation, from January
1996 to March 1998, approximately $123 million in cash deposits were
laundered and/or structured through a series of highly suspicious
transactions, involving approximately 107 accounts.
Table 9: Depository Institutions against Which Justice Has Pursued Charges
for Criminal Violation of the BSA (2002-2005)
Year Depository BSA-related violations or Disposition Monetary
institution investigations penalty
amount
2005 The Bank of o Failure to file SARs in Nonprosecution $26 million
New York a timely and complete agreement forfeiturea
manner with respect to a
company that presented
sham escrow agreements to
other banking institutions
in support of loan
applications, while aiding
and abetting the
fraudulent activity by
executing the sham escrow
agreements (31 U.S.C. S:
5318(G)(1); 31 U.S.C. S:
5322)b
o Failure to implement an
effective AML program (31
U.S.C. S: 5318(h))
o Aiding and abetting the
operation of an unlicensed
money-transmitting
business (18 U.S.C. S:
1960)
o Money laundering (18
U.S.C. S: 1956)
2005 Riggs Bank, o Failure to file timely Guilty plea 16 million
N.A. SARs (31 U.S.C. S:S: agreement criminal
5318(g) and 5322(b)) fine
2004 AmSouth Bank o Failure to file timely Deferred 40 million
and complete SARs (31 prosecution forfeiture
U.S.C. S:S: 5318(g)(1) and agreement
5223(b))
2003 Delta National o Failure to file a SAR Guilty plea 950,000
Bank & Trust (31 U.S.C. S:S: 5318(g) agreement forfeiture
Company and 5322)
2003 Banco Popular o Failure to file timely Deferred 21.6 million
de Puerto Rico and complete SARs (31 prosecution forfeiture
U.S.C. S:S: 5318(g)(1) and agreement
5322(b))
2002 Broadway o Failure to establish an Guilty plea 4 million
National Bank adequate AML program (31 agreement criminal
U.S.C. S:S: 5318(h) and fine
5322(b))
o Failure to file criminal
referral forms and SARs
(31 U.S.C. S:S: 5318(g)
and 5322(b))
o Aiding and abetting
structuring by customers
who Broadway knew were
seeking to avoid CTR
filing requirements (31
U.S.C. S:S: 5324(a)(3) and
5324(d)(2), and 18 U.S.C.
S: 2)
Source: GAO.
aThese charges have not been brought against The Bank of New York in any
charging document, but are listed in the nonprosecution agreement as
having been under investigation by the U.S. Attorneys' Offices in the
Eastern and Southern Districts of New York. The bank admitted that it did
not have an effective AML program and other BSA-related failures that are
discussed later in this chapter. The bank also admitted to unlawful
conduct that was unrelated to BSA compliance, including aiding and
abetting the unlawful operation of a foreign bank (12 U.S.C. S: 3105(d))
and supplying a bank customer with unauthorized, materially false, and
misleading escrow agreements that The Bank of New York had no intention of
performing and that were submitted in support of loan requests totaling
tens of millions of dollars.
bThe Bank of New York also agreed to pay $12 million in restitution to its
victims.
According to Justice officials, evidence that a depository institution
willfully violated the law is a key element in proving criminal violations
of the BSA. One official said that in the six recent criminal cases
against depository institutions, prosecutors sought to demonstrate
evidence of the institutions' continued disregard of the spirit of the
requirement to implement and maintain a BSA program, and willful and
flagrant indifference to a known legal duty. However, the officials also
noted that in some cases, there likely was no "smoking gun," or single
source of evidence that specifically indicated the institution knew it was
in violation of the BSA and continued the violating conduct. In most of
these cases, and in accordance with Justice guidelines, federal
prosecutors relied, in part, on the institutions' BSA policies and
procedures to demonstrate that the institution had corporate knowledge
about the violations. A Justice official said that corporate knowledge
could be individually or collectively derived-for example, as in
situations where individual employees knew about certain aspects of the
activity, or where the institution should have known about the activity.
The recent actions brought by Justice have raised concerns in the banking
industry that institutions routinely would be targeted for criminal
investigation and prosecution for failure to properly implement the
requirements of the BSA, such as the failure to file a SAR. For example,
some banks are avoiding customers, such as money transmitters and check
cashers, who are perceived as presenting heightened risks for BSA
noncompliance. According to a senior Federal Reserve official, some banks
thus are deciding that the revenues garnered from such customers do not
cover the necessary costs of compliance or provide an acceptable return on
legal and reputational risks. However, Justice and FinCEN officials noted
that such concerns could result from not fully understanding the actions
taken in these cases. Justice officials said that investigations of
depository institutions for criminal BSA violations generally have not
involved negligence in reporting a limited number of suspicious
transactions. Furthermore, depository institutions that have repeated BSA
violations generally would not face law enforcement investigation or
charges of criminal violation of the BSA if they were operating within the
spirit and letter of their BSA program. Rather, the institutions likely
would face administrative action from their regulators or FinCEN.
Finally, Justice officials and investigators said that most investigations
of depository institutions' criminal violations of the BSA generally
originated during law enforcement investigations of the institutions'
customers. For example, in the AmSouth Bank case, investigation
documentation indicated that the U.S. Attorney's Office for the Southern
District of Mississippi (along with the IRS and other federal and state
agencies) began an investigation of a fraudulent promissory note scheme
perpetrated by AmSouth Bank customers in 2002. Investigators and
prosecutors learned of AmSouth Bank's BSA failures through the
investigation and grand jury subpoenas related to the customers' criminal
activity. In November 2003, AmSouth formally was advised that it was a
target of a criminal investigation. Similarly, ICE investigators involved
in the Broadway National Bank and Banco Popular cases said that the
respective undercover narcotics investigations of the banks' customers led
law enforcement to open investigations of the banks' BSA failures. In the
case of Delta National Bank and Trust Company, ICE investigators also
began a financial investigation of the bank after they concluded an
undercover money laundering investigation involving a currency exchange
business. Justice officials noted that the Riggs Bank case was the
exception; the law enforcement investigations initially focused on Riggs
Bank itself.
In Some Cases, Law Enforcement Investigations First Identified BSA
Failures
In some instances, law enforcement investigations first identified
significant BSA failures at depository institutions, rather than
examinations conducted by the regulator. For instance, according to ICE
and Federal Reserve officials, law enforcement officials informed the
Federal Reserve about their investigation of a Banco Popular customer and
the compliance problems identified during their investigations.23 During
1995 and 1998, the Federal Reserve conducted four examinations of Banco
Popular, but these examinations did not contain any criticism of the
bank's BSA compliance policies or procedures. In 1999, the Federal Reserve
expanded the scope of its regularly scheduled examination of the bank and
identified significant BSA compliance problems, which resulted in a
written agreement with the institution. Law enforcement officials also
said that investigations of AmSouth's customers revealed the institution's
BSA compliance failures within its wealth management area, while a Federal
Reserve examination did not detect these problems. In another example, in
October 2003, the New York District Attorney's Office notified FDIC of its
money laundering investigation of certain customers of an FDIC-supervised
bank. According to the FDIC IG, a 2002 examination of the institution
provided little coverage of the high-risk banking activities involved in
the New York District Attorney's Office investigation. In December 2003,
FDIC initiated an already-scheduled examination of the bank and identified
significant BSA violations and a failure to ensure BSA compliance.24
Justice officials said that because investigators and prosecutors have a
different perspective on BSA enforcement than the regulators, they
sometimes identify problems that might not be identified during an
examination. One investigator noted that examinations generally do not
involve the investigative approach used in law enforcement investigations,
which are aimed at identifying underlying offenses, such as narcotics
trafficking. Representatives from the regulators said that, through
regular examinations, they seek to ensure that depository institutions
have systems and controls in place to prevent their involvement in money
laundering and to identify and report suspicious transactions to law
enforcement. For example, an OCC official explained that the purpose of
transaction testing, a key procedure in BSA examinations, is not
necessarily to detect structuring or other evidence of criminal wrongdoing
on the part of a customer. Rather, according to the interagency
procedures, its purpose is to evaluate the adequacy of the bank's
compliance with regulatory requirements; determine the effectiveness of
its policies, procedures, and processes; and evaluate suspicious activity
monitoring systems. Furthermore, the procedures note that if a suspected
violation-such as an ongoing money laundering scheme-requires immediate
attention, the depository institution should notify the appropriate
regulator and law enforcement agencies and must also file a SAR.25 Our
review of sampled BSA reviews identified a number of instances where
examiners identified suspicious activity and directed the institutions to
file SARs.
Disposition of Criminal Cases against Depository Institutions Has Varied
but Included Monetary Penalties in Each Case
According to Justice officials, prosecutors sought to obtain the
appropriate dispositions of the cases against depository institutions for
criminal violation of the BSA, taking into account factors such as the
institutions' willingness to admit misconduct and cooperate with
prosecutors. Two of these cases resulted in deferred prosecution
agreements (see table 9). That is, prosecutors agreed to defer prosecution
of the institution for a specified time, while the institution agreed to
admit publicly the facts of its misconduct, cooperate fully with
prosecutors, and implement certain corrective actions. The institutions
also made payments, generally structured as fines or forfeitures. In one
case involving a deferred prosecution agreement, Justice dismissed the
charges once the agreement expired because the institutions had complied
with its obligations under the agreement. However, if the institution had
not complied with the agreement, Justice could have taken the case to
trial, using the admission of the violation from the institution and the
evidence prosecutors obtained in cooperation with the institution (making
conviction highly probable).
For example, in January 2003, Justice and Banco Popular entered into a
deferred prosecution agreement to allow the bank to demonstrate its good
conduct. The bank agreed to waive indictment and the filing of one count
of failing to file SARs in a timely and complete manner. Justice deferred
prosecution for 1 year, taking into account the bank's remedial actions at
the time of the agreement and its willingness to
o acknowledge responsibility for its actions,
o continue to cooperate with prosecutors,
o demonstrate future good conduct and full compliance with the BSA,
o settle pending civil claims of $21.6 million, and
o consent to the concurrent CMP imposed by FinCEN.
In November 2005, the U.S. Attorneys' Offices for the Eastern and Southern
Districts of New York entered into a nonprosecution agreement with The
Bank of New York. The bank admitted to
o failure to have an effective AML program;
o intentional failure to take steps to report known evidence of suspected
criminal conduct by a bank customer and bank employees;
o repeated failures on the part of the bank's senior executives and legal
counsel to perform the institution's legal duty to file a SAR about the
suspected criminal activity until the arrest of a bank customer by federal
investigators; and
o the untimely, inaccurate, and incomplete filing of the SAR.
The Bank of New York agreed to forfeit $26 million for its illegal conduct
and implement numerous remedial actions in response to the misconduct,
including
o creating a new senior-level position responsible for coordinating the
preparation of SARs;
o training staff on detecting and reporting suspicious activities;
o implementing policies and procedures for auditing retail branches and
identifying, investigating, and reporting illegal or suspicious activity;
and
o appointing an independent examiner (to serve for 3 years) to monitor and
report on the bank's AML procedures and its compliance with the
nonprosecution agreement.
As they did in the deferred prosecution agreements, federal prosecutors
took several factors into account when determining the disposition of the
case. The U.S. Attorneys' Offices for the Eastern and Southern Districts
of New York agreed not to prosecute The Bank of New York because of the
bank's acceptance of responsibility for the unlawful conduct of its
executives and employees, its cooperation in the law enforcement
investigations, and its willingness to make restitution to victims of the
misconduct and take significant corrective action. The nonprosecution
agreement also was contingent upon the bank complying with all terms of
the agreement for 3 years. If the bank were to violate the agreement, or
commit other crimes, it would be subject to prosecution, including
prosecution for the criminal conduct described in the agreement.
Although disposition varied among the six cases, Justice assessed fines or
forfeitures on each institution. According to Justice officials, the
department's goal was to determine a financial penalty that the depository
institutions would perceive as a sanction, rather than an overly punitive
penalty that would force the institution to close. The officials also
cited another goal-that is, a penalty amount that would elicit good
"corporate citizen" conduct from the institution. Justice officials said
that in these cases, prosecutors considered several factors (listed in
prosecutorial guidelines) when determining whether to pursue such cases.
For example, prosecutorial guidelines indicated that prosecutors could
consider collateral consequences when determining whether to investigate
or take other action against criminal corporate misconduct. According to
Justice officials, prosecutors considered the potential effects on the
banking market and job losses in the communities that the institutions
served. They said that Justice obtained relevant regulatory information,
such as the institutions' capital levels and other financial analyses,
through the appropriate legal channels to assist them in determining
penalty amounts that the institutions could sustain.
Change to the U.S. Attorneys' Manual Formalized Practice of Obtaining
Centralized Approval before Pursuing Cases against Depository Institutions
During the course of our review, a senior Treasury official also said that
discussions had begun with Justice regarding coordination on cases
involving prosecuting depository institutions for BSA violations. In July
2005, Justice amended the U.S. Attorneys' Manual, which governs the rules
of operation of the 93 U.S. attorneys, to require prosecutors to obtain
approval from the department's Criminal Division before taking action
against financial institutions for money laundering or certain BSA
offenses.26 More specifically, the manual was amended to include section
5322 of title 31 in the requirement that prosecutors obtain approval from
the Asset Forfeiture and Money Laundering Section of the department's
Criminal Division in cases where a financial institution would be named as
an unindicted coconspirator or allowed to enter into a deferred
prosecution agreement.
Justice officials said that the change to the manual was a formalization
of existing practice. The change was a public way for the department to
inform the banking industry about the degree of coordination and
consultation between the U.S. attorneys and the Criminal Division on these
cases.
Conclusions and RecommendationsChapter 6
Because the BSA regulatory structure involves many federal agencies other
than FinCEN, which is the administrator of the BSA, coordination among
these agencies is critical to effective BSA administration and
enforcement. Particularly since the passage of the PATRIOT Act, FinCEN and
the regulators have undergone an evolutionary process that has laid the
groundwork for more consistent BSA oversight. The initial effects of this
closer coordination can be seen in the jointly developed BSA examination
procedures for depository institutions, the sharing of more detailed BSA
examination information with FinCEN, and the increase in concurrent
enforcement of BSA compliance by the regulators and FinCEN. Although these
efforts, and their effects, are significant, they also are relatively
recent. For example, many of these changes were ongoing during the course
of our work for this report. The regulators and FinCEN continue to make
refinements to overall BSA examination, monitoring, and enforcement
policies and procedures.
Regulators Have Created a Framework for Consistency in BSA Examinations
In particular, the regulators have made notable progress in the area of
examinations. Until passage of the PATRIOT Act, each regulator separately
developed and used examination procedures to determine depository
institutions' compliance with the BSA. In recent years, a number of agency
IG and internal quality assurance reviews have identified inconsistencies
in BSA examinations. In addition, when we reviewed a sample of
examinations from each of the regulators over a 4-year period, we found
inconsistent documentation of examination procedures, such as transaction
testing, particularly at smaller depository institutions. We stress the
importance of adequate, accurate, and consistent documentation in
examinations, as in audits.1 But, we also acknowledge that some variation
is inevitable, and examiners need to be able to exercise professional
judgment in determining the scope of examinations and to allow for
differences among institutions (e.g., complexity and lines of business).
Nevertheless, the wide variation in examination policies and procedures
among regulators that existed prior to 2005 suggested that the regulators
may not have been examining banks consistently-particularly in terms of
transaction testing, a procedure that has assumed greater importance in
the current environment of increased risk of money laundering and
terrorist financing.
In this environment, on June 30, 2005, the regulators issued jointly
developed examination procedures, which currently are being used for BSA
examinations conducted not only by federal bank examiners but also by
state examiners. The interagency procedures represent a genuine step
forward in that they provide a framework for greater consistency in BSA
examinations across the regulators. At the same time, the procedures
retain the risk-focused approach used in former examination procedures,
thus allowing the regulators to direct resources to areas deemed higher
risk and use examiners' professional judgment in planning, conducting, and
concluding examinations. Furthermore, for the first time, FinCEN also
participated in the development of the examination procedures. Although
the Secretary of the Treasury delegated examination authority for BSA
compliance at depository institutions to the regulators, it is through
continuing coordination with the regulators that FinCEN works to ensure
consistent implementation.
Because the new interagency procedures have been in use for a short
period, it is too soon to judge their effect on BSA administration and
enforcement. In theory, the procedures should result in more consistency
in the conduct and results of BSA examinations. Yet, the interagency
procedures cannot be viewed as the only "fix" necessary. BSA examinations,
in and of themselves, are designed to verify that systems are robust and
function as intended-in compliance with laws and regulations. But, the
cumulative effect of AML/BSA-related legislation, especially
post-September 11, and some recent high-profile cases of BSA noncompliance
have made BSA compliance, and thus examinations, a priority area for
oversight and coordination. Congress did not expect the regulators to
substitute for law enforcement; rather, the BSA was designed to help
create a road map for law enforcement agencies in their AML, and now
counter-terrorist financing, work. The FFIEC Examination Manual, in turn,
recognizes that an effective BSA/AML program requires sound risk
management and so it provides guidance on identifying and controlling
risks associated with money laundering and terrorist financing. The
regulators and FinCEN understand that the risks are not static and that
new risks are always emerging as criminals seek to launder their funds or
use funds to commit other crimes. The regulators and FinCEN committed to
update the manual, as appropriate, to capture developments in the BSA/AML
areas. Because of the evolving nature of risk, it is incumbent on them to
use the manual or other guidance, as appropriate, to communicate these new
risks to the industry and law enforcement so that the industry can take
measures to control for these new risks and law enforcement can
incorporate them into their investigations.
Regulators Have Improved Their Systems for Monitoring BSA Examination
Results
As our work has shown, partly as a result of IG reporting and amid
increased attention to BSA compliance and related issues, regulators have
improved mechanisms used to track BSA-related information. As a result,
the regulators likely will be able to better report on and correct BSA
compliance problems. As an example of some of the problems that existed
before the regulators made the changes, in our limited review of
examination files, we were not always able to track how BSA noncompliance
problems were corrected. Furthermore, the regulators increasingly have
been using their examination and enforcement data systems to monitor BSA
problems at their banks and compile the quarterly data they send to
FinCEN. FinCEN and the regulators also helped improve the quality of this
information by setting some common standards for reporting in their MOU.
While each regulator is responsible for keeping track of compliance
problems among the institutions they supervise, it remains FinCEN's
responsibility, as the BSA administrator, to (1) analyze the data it
receives from all relevant agencies and (2) share trend information with
the regulators and industry so that they better understand risks and
problem areas within their purview. FinCEN created an Office of Compliance
in 2004, in part to work with regulators on BSA examination and compliance
matters, and FinCEN has begun to share analytical information with the
regulators. The common formats and more detailed data give FinCEN the
opportunity to more readily discern those trends and share any concerns
with regulators; however, FinCEN only will be able to do this at the
aggregate level. It is up to the regulators themselves to undertake the
kind of detailed analysis required to understand and track BSA compliance
issues among the institutions they supervise, and they have begun to do
so. With five quarters of data to review, regulators have begun to see
some trends and problem areas. So that others, including examiners, law
enforcement, and the banking industry itself, can further benefit from
this analysis, it is incumbent upon the regulators to periodically review
the BSA violation data to determine whether additional guidance is needed
to address problem areas.
Although the new interagency examination procedures and improved systems
help banking regulators better understand one another's processes and
could facilitate more consistent BSA examinations across regulators, the
procedures do not directly address a documentation issue that has
implications for BSA enforcement. Because each regulator retained
different policies for documenting and classifying BSA problems, the
regulators continue to report some compliance problems using different
terms. As a result, it is difficult to make qualitative distinctions
between compliance problems. Moreover, in their MOU with FinCEN, the
regulators agreed to report all "significant" BSA problems, without
attempting to address the issue of how the different terms the regulators
use might become standardized. When developing the MOU, FinCEN and the
regulators discussed the issue of different terminology, but they chose
not to address it at that time and agreed to use the umbrella term
"significant" and see how the system worked. Although FinCEN and the
regulators have reached an accommodation, it is possible that FinCEN is
receiving more or less information than it actually needs under the MOU.
This variety of terminology can also make it difficult for banking
regulators to have a comprehensive overview of BSA compliance at their
institutions and for FinCEN to have a comprehensive overview across
regulators.
Regulators, FinCEN, and Justice Have Improved Coordination on BSA
Enforcement Actions
The disparate nature of the BSA regulatory structure also requires
coordination in BSA enforcement. While our review of BSA violations showed
that the number of violations increased from 2000 to 2004, most of those
violations were technical in nature, often resulting from late or
incomplete filing of paperwork. Nevertheless, although relatively rare,
significant and serious violations of the BSA have had far-reaching
consequences. Over the past several years, IG reports, particularly those
on FDIC and OTS, identified inconsistencies in BSA enforcement at those
agencies. Amid increased media and congressional attention on some
depository institutions' BSA compliance failures-such as Riggs Bank, Arab
Bank-New York, and ABN AMRO Bank, N.V.-the regulators and FinCEN
increasingly have brought formal enforcement actions against depository
institutions, including significant CMPs. In the face of separate and
sometimes overlapping legal authorities to bring formal enforcement
actions against depository institutions for significant BSA compliance
problems, the regulators and FinCEN have increased coordination on these
actions by issuing them concurrently. In addition, as part of their 2004
MOU, FinCEN and the regulators agreed to notify one another in advance of
taking separate formal enforcement actions and sharing information
concerning informal and supervisory actions as well.
In a limited number of cases, Justice has taken action against depository
institutions for egregious failures to perform a minimal level of due
diligence over a number of years. While Justice has resolved most of these
cases through deferred prosecution agreements or similar arrangements
(where the institution agreed to take significant corrective actions,
often in connection with formal administrative action from its regulator;
forfeit a monetary penalty; and remain in compliance with the BSA for a
specified time), if the institution were to violate the terms of the
agreements, federal prosecutors would take the cases to trial. The recent
criminal action taken against depository institutions by Justice has
raised concerns within the banking industry that their institutions
routinely would be targeted for criminal investigation and prosecution for
failure to properly implement the requirements of the BSA. However, to
better coordinate the actions of federal prosecutors, Justice recently
formalized procedures that require U.S. attorneys to obtain approval from
Justice's Criminal Division when dealing with cases that allege financial
institutions are BSA offenders. Because these changes are recent, it
remains to be seen if the new procedures will ease industry concerns and
provide the public with the communication of coordinated and consistent
federal action that Justice intended.
Concluding Observations
Finally, in our concluding observations on BSA compliance and enforcement,
we note that significant work remains to be done with other financial
institutions. Our report concentrated on the federal banking regulators,
but the PATRIOT Act requires other types of institutions to meet BSA
requirements. Consequently, it appears more important than ever for FinCEN
to coordinate with other federal agencies charged with examination
responsibility for BSA compliance. To that end, FinCEN signed MOUs with
many state banking departments and the IRS and has been working to sign
MOUs with the securities and futures regulators. However, according to
FinCEN officials, the problem of different terminology will be exacerbated
when other financial regulators begin reporting examination data to FinCEN
on BSA noncompliance problems. Ultimately, only FinCEN can provide a
"bird's eye" view of BSA administration-disseminating analysis and
information to the regulators and others to ensure consistency in BSA
oversight, the identification of trends and patterns in BSA compliance,
and developments in money laundering and terrorist financing.
Recommendations for Executive Action
To build on the current level of coordination, continue to improve BSA
administration, and ensure that emerging compliance risks are addressed,
this report makes the following three recommendations to the Director of
FinCEN, the Comptroller of the Currency, the Chairman of the Federal
Reserve, the Chairman of the FDIC, the Director of OTS, and the Chairman
of NCUA:
o As emerging risks in the money laundering and terrorist-financing areas
are identified, FinCEN and the regulators should work together to ensure
these risks are effectively communicated to examiners and the industry
through updates of the interagency examination manual and other guidance,
as appropriate.
o To supplement the analyses of shared data on BSA violations, FinCEN and
the regulators should meet periodically to review the analyses and
determine whether additional guidance to examiners is needed.
o Because of the different terminology the regulators use to classify BSA
noncompliance, FinCEN and the regulators should jointly assess the
feasibility of developing a uniform classification system for BSA
noncompliance.
Agency Comments and Our Evaluation
We received written comments on a draft of this report in a joint letter
from the Board of Governors of the Federal Reserve System, the Federal
Deposit Insurance Corporation, the National Credit Union Administration,
the Office of the Comptroller of the Currency, the Office of Thrift
Supervision, and FinCEN. We also received written comments from the
Department of Justice. These letters are reprinted in appendixes II and
III. The Departments of Homeland Security and Justice and the regulators
provided technical comments, which were incorporated into this report
where appropriate.
In their letter, FinCEN and the regulators said they support our
recommendations and are committed to ongoing interagency coordination to
address them through the formal processes they have in place, particularly
the FFIEC BSA/AML Working Group. They also said that they are committed to
their role in ensuring that depository institutions are in compliance with
BSA/AML requirements, and that they will continue to devote significant
resources to make certain institutions correct deficiencies in their
BSA/AML programs as promptly as possible.
In its letter, Justice said that the draft report provided an instructive
perspective where it examines the evolution of the relationship between
FinCEN, the regulators, and the banks, but that it did not provide the
same perspective when examining how the examination process meets the
needs of law enforcement as the end users of the information. Our
objectives were to review how the regulators examine for BSA compliance,
track and resolve violations, and take enforcement actions. While a review
of the reports that depository institutions produce under the BSA, and
that law enforcement uses in its investigations, would be instructive, it
was outside of the scope of this review. Justice also said that, as a
direct result of the success and efforts by the regulated industry, drug
traffickers have been forced to seek alternate methods and means of using
those institutions to launder their illicit proceeds. Justice further
commented that banking regulator practices and examination process have
historically focused more on the placement of those funds into the
financial system, and that current investigative efforts suggest that it
may prove beneficial to adapt and focus on the layering of those proceeds.
To this end, Justice suggested a need for greater outreach and
collaboration between law enforcement and regulators familiar with
evolving trends. Finally, Justice said that the draft report reflected the
efforts made with the revisions to the examination manual and commented
that these are positive developments that should bring continuity to
examination practice, which will be welcomed by the industry.
Under Pre-2005 Guidance, Regulators' Documentation Requirements Varied
WidelyAppendix I
The regulators' pre-2005 requirements for documentation of examination
procedures and their documentation of those procedures varied widely. We
reviewed approximately 30 Bank Secrecy Act (BSA) examinations from each
federal banking regulator (regulator) that were conducted under guidance
current between January 1, 2000, and June 30, 2004. Because the sample was
small, we could not generalize the results of our analysis to make
conclusions about how regulators applied the examination procedures to all
BSA examinations conducted during this period. However, when coupled with
our review of regulator guidance and examination manuals, the results of
the examination review illustrated instances where the regulators'
documentation of examination procedures varied widely and where regulators
did not consistently require or document transaction testing. For example,
we found less documentation of transaction testing in examinations at
smaller institutions, such as the community banks, savings associations,
and credit unions supervised by the Office of the Comptroller of the
Currency (OCC), the Office of Thrift Supervision (OTS), the Federal
Deposit Insurance Corporation (FDIC), and the National Credit Union
Administration (NCUA), than at large institutions. However, examination
guidance permitted examiners to exercise their professional judgment in
determining whether to perform transaction testing.
Regulators Required Documentation of "Major" Procedures; Planning and
Scoping Procedures More Often Were Documented for Large Institutions
Individual regulator guidance issued prior to June 2005 required
documentation of "major" procedures and conclusions. Furthermore, our
review indicated more documentation of examination planning procedures at
larger institutions. For example, OCC's policies and procedures manual
instructed examiners to document essential examination information, such
as procedures performed, and the manual stated that the documentation must
support conclusions about supervisory activities in either paper or
digital form. The manual also stated that in most cases, work papers did
not need to include all of the data reviewed during a supervisory
activity, but that examiners should retain only those documents necessary
to support the scope of the supervisory activity, significant conclusions,
rating changes, or changes in a risk profile.
o In our review of 30 OCC examination files, OCC documented planning,
scoping, or risk assessments in 7 of the 30 examinations. The sample
included 4 large, 25 smaller banks, and 1 bank without asset data. The
examination files of 3 of the 4 large banks, with assets ranging from
about $18 billion to $34 billion, contained documentation of planning,
scoping, and risk assessments. In contrast, 3 of the 25 files of smaller
banks, with assets ranging from $205 million to $366 million, contained
documentation of planning or scoping. OCC officials explained that
documentation of planning and scoping procedures for the smaller and
community banks was contained in the agency's automated examination
system, which we did not review.
The Board of Governors of the Federal Reserve System's (Federal Reserve)
commercial bank examination manual provided guidance on documentation of
examination procedures, including BSA examinations. 1 This guidance did
not explicitly require documentation of specific examination steps, but it
specified that work papers, as a whole, should support the information and
conclusions contained in the report of examination. The Federal Reserve
examination guidance specifically provided that the primary purposes of
the work papers were to provide written support of the examination and
audit procedures performed during the examination and the results of
testing and to formalize the examiner's conclusions. Federal Reserve
examiners told us that they documented planning and scoping decisions and
risk assessments for examinations of large, complex banking organizations
in a scoping memorandum, which describes areas to be reviewed and
procedures to be conducted, including transaction testing, examination
resources, and the expected product.
o Of the 18 Federal Reserve BSA examination files that we reviewed, all
contained documentation of planning or scoping procedures. The file sample
included 9 large banks with assets of more than $85 billion and 9 smaller
banks with assets of less than $1 billion.
Similar to OCC, FDIC's guidance on documentation of examination procedures
focused on documenting major examination procedures or conclusions. FDIC's
risk management manual of examination policies stated that work paper
documentation for BSA examinations should support the conclusions included
in the Examination Documentation module in the automated examination
database. At a minimum, the documentation should include the examiner's
assessment of the bank's BSA and anti-money laundering (AML) programs and
procedures, and related audit or internal review functions. FDIC examiners
also told us they used the Examination Documentation module to document
examination procedures, but that risk assessments should be documented in
work papers.
o In our review of 30 FDIC examination files, the agency documented
planning, scoping, or risk assessments in examinations of 17 banks,
including 6 large banks, with assets ranging from about $125 million to
$264 million, and 11 smaller banks, with assets ranging from about $9
million to $89 million.
NCUA's examiner guidance allowed examiners to determine the extent of
documentation of examination procedures. More specifically, the NCUA
examiner guide required examiners to document supervision plans for
examinations in the scope workbook and material concerns in the
examination report, but the guide also stated that examiners' discretion
would determine the extent of documentation. Although it gave no specific
requirements, NCUA directed examiners to include documentation on the (1)
extent of procedures and testing performed, (2) review of applicable
regulatory compliance, (3) analysis and assessment of risk areas, and (4)
conclusions and recommendations.
o In October 2002, NCUA began using scope workbooks to document planning,
scoping, and risk assessments in BSA examinations, according to an NCUA
official. This affected 23 of 30 examinations in our review. Our review of
a sample of the scope workbooks showed that for each BSA review completed
and documented, examiners were required to document BSA scoping
information and compliance but not BSA risk assessments. Before October
2002, examiners used a "progress checklist" to document the results of BSA
reviews, but the checklists did not explicitly refer to BSA reviews or
risk assessments. The assets of the credit unions whose BSA examinations
we reviewed ranged from $130,000 to $246 million.
OTS's examination manual provided limited instructions for documenting an
institution's BSA program. For example, the manual referred to a
preliminary examination response kit, which is a request for a collection
of information prior to the examination. The institution must provide
information about its BSA officer, policy, and compliance programs and
must list filed Currency Transaction Reports (CTR). This information
assists examiners in determining the scope of the examination.
o Among the 30 OTS BSA examinations reviewed, 3 files contained
documentation of planning, scoping, or risk assessments. Two files
contained asset information-the institutions had assets of $92 million and
$297 million.
Regulators' Former Examination Guidance Allowed Variation in Documentation
of Transaction Testing
Although we found little to no documentation of transaction testing at
many institutions of smaller assets sizes, which were supervised by OCC,
FDIC, OTS and NCUA, we did not conclude that transaction testing was not
performed in all of these instances. The regulators required transaction
testing in examinations at larger institutions with higher asset levels,
but did not always require testing at smaller institutions. Our review of
the regulators' BSA examinations indicated that documentation of
transaction testing generally was more extensive for larger institutions
with higher assets than for smaller institutions with lower assets. For
example, the OCC BSA examination manual used for examinations of large
banks required transaction testing. The manual provided that examiners
were to conduct limited transaction testing, at a minimum to form
conclusions about the integrity of the bank's overall control and risk
management processes and its overall quantity of risk. If examiners
identified weaknesses or concerns as a result, they were to select a
"quantity of risk" procedure and conduct additional targeted testing of
specific areas of concern.2 According to OCC examiners assigned to large
banks, transaction testing was required for all high-risk areas of these
banks.
o Our review of 30 OCC examinations, including 4 examinations of large
banks with assets ranging from about $18 billion to $34 billion, found
documentation of transaction testing in 3 of the 4 large banks. The
examination file of 1 bank did not have any asset information but
contained documentation of transaction testing. One bank was designated as
a high BSA risk and another was located in a high-intensity financial
crimes area (HIFCA).
In contrast, according to OCC's BSA examination manual for community
banks, examiners were to determine at the beginning of the supervisory
activity what transaction testing, if any, should be included, and the
extent of transaction testing was to reflect the bank's compliance risk
profile, audit coverage, and results.3 The manual also stated that
transaction testing was appropriate for banks with higher risk
characteristics and weak controls. Moreover, OCC examiners assigned to
community banks told us that OCC policy did not require transaction
testing of community banks at low risk for money laundering. As a result,
OCC examiners assigned to community banks would not have to perform
transaction testing if they determined that the banks had a low BSA risk.
o Our review of examinations of 25 banks with assets ranging from $21
million to $440 million, found documentation of transaction testing in
examinations of 5 banks. OCC officials provided reasons why a number of
examinations might not have documentation of transaction testing. First,
they said that their record retention rules required the destruction of
examination work papers for examinations 3 years and older. Application of
the record retention rule could have affected documentation for 13
examinations in our review. OCC officials also stated that their
documentation policy required examiners to document transaction testing
only if examiners identified a BSA issue or problem, sometimes referred to
as "documentation by exception." Consequently, if examiners did not
identify BSA issues or concerns requiring transaction testing, they would
not have documented transaction testing. OCC officials further stated that
"documentation by exception" was necessary to make the maximum use of its
limited resources.
The Federal Reserve's BSA examination manual required transaction testing
of several areas to be completed by Federal Reserve examiners or the
institution at the direction of Federal Reserve examiners. According to
Federal Reserve examiners, Federal Reserve policy required that
transaction testing be performed in all BSA examinations, and the nature
and extent of transaction testing could vary depending on the
institution's level of risk. For example, if the institution was engaged
in high-risk areas, such as private banking, foreign correspondent
banking, or international banking, Federal Reserve examiners were required
to perform transaction testing in those areas and to select a judgmental
sample of transactions to test.
o Our review of Federal Reserve examination files found that Federal
Reserve examiners performed extensive transaction testing at most of the
banks. We found documentation of transaction testing in 17 of the 18
examination files, including 9 large banks with assets ranging from about
$1 billion to $85 billion, and 8 smaller banks with assets of less than $1
billion. Of the 18 banks, 8 were designated as having a high BSA risk
level and 12 were located in HIFCAs. Examiners performed and documented
transaction testing on the 8 high-risk banks and 11 of the 12 banks
located in HIFCAs.
According to OTS's examination guidance, transaction testing at the
savings associations or thrifts it supervised should be "entirely
judgmental." Nevertheless, OTS examiners told us that they were
specifically required to document transaction testing of CTR samples.
o Our review of 30 OTS examinations of large and small savings
associations found documentation of transaction testing in 9 files. The
files for 2 of 8 savings associations, with assets from about $117 million
to $370 million, contained documentation of transaction testing, as did 4
of 13 files for savings associations with assets ranging from about $4
million to $98 million. Nine OTS examinations lacked documentation on
asset size; however, 3 of these 9 examinations contained documentation of
transaction testing. OTS officials also explained that they had a policy
of "documenting by exception." That is, examiners were not required to
document every procedure, particularly in examinations of low-risk
institutions, or to document anything in the work papers that did not
relate to the report of examination.
Similarly, our review of FDIC's risk management manual of examination
policies did not disclose any explicit requirements that examiners
document transaction testing in examinations of FDIC-supervised banks.
According to FDIC examiners, transaction testing was based on their
judgment and dependent on circumstances. For example, FDIC examiners told
us that transaction testing was not done on all lines of business, but
that they could sample from the independent auditor's work. FDIC examiners
also said they could test CTRs if "red flags" were identified, select a
sample of high-risk customers, or select accounts with large volumes of
transactions. Examiners also said they would perform additional testing if
they determined that the scope of the independent audit was not adequate,
or that test areas were not covered by the independent auditor.
o Our review of 30 FDIC bank examination files found documentation of
transaction testing in 12 files, including 5 of 10 larger banks with
assets ranging from $102 million to $264 million and 7 of 20 smaller banks
with assets of less than $90 million. Two of the 5 large banks were rated
high risk and located in HIFCAs. One of the 7 smaller banks was rated high
risk. According to an FDIC official, examinations files for small
community banks might not have contained documentation of transaction
testing because the banks have few BSA-related transactions or documents
requiring transaction testing. The official gave the example of a CTR,
which many small banks may never file because they do not have reportable
transactions.
NCUA's examiner guide did not explicitly require transaction testing;
however, it stated that the risk-focused examination enabled examiners to
perform a process review of a credit union's well-managed areas without
extensive transaction testing. According to NCUA examiners, the nature and
extent of transaction testing and sampling were based on their discretion.
They also cited factors that they considered in deciding to perform
transaction testing-these factors included the presence of large cash
transactions, CTRs, and the credit union's risk assessment, which might
affect the number and types of accounts tested. However, NCUA examiners
said they would not perform transaction testing for each of the credit
union's risky areas, unless a "red flag" was raised during the examination
or the credit union's past examination results indicated a problem area.
o Our review of 30 NCUA BSA examination files of credit unions found no
documentation of transaction testing in any of the examinations. An NCUA
official explained that documentation of transaction testing could be
lacking because the paper copy documenting transaction testing was often
destroyed after the procedures were entered into NCUA's automated system.
Comments from FinCEN and the Federal Banking RegulatorsAppendix II
Comments from the Department of JusticeAppendix III
GAO Contact and Staff AcknowledgmentsAppendix IV
Yvonne D. Jones (202) 512-2717 or [email protected]
In addition to the contact named above, Barbara I. Keller, Assistant
Director; Toni Gillich; M'Baye Diagne; Yola Lewis; Marc Molino; Elizabeth
Olivarez; Carl Ramirez; Omyra Ramsingh; Barbara Roesmann; and Adam Shapiro
made key contributions to this report.
Related GAO Products
Terrorist Financing: Better Strategic Planning Needed to Coordinate U.S.
Efforts to Deliver Counter-Terrorism Financing Training and Technical
Assistance Abroad. GAO-06-19 . Washington, D.C.: October 24, 2005.
USA PATRIOT Act: Additional Guidance Could Improve Implementation of
Regulations Related to Customer Identification and Information Sharing
Procedures. GAO-05-412 . Washington, D.C.: May 6, 2005.
Information Security: IRS Needs to Remedy Serious Weaknesses Over Taxpayer
and Bank Secrecy Act Data. GAO-05-482 . Washington, D.C.: April 15, 2005.
Anti-Money Laundering: Issues Concerning Depository Institution Regulatory
Oversight. GAO-04-833T . Washington, D.C.: June 3, 2004.
Combating Terrorism: Federal Agencies Face Continuing Challenges in
Addressing Terrorist Financing and Money Laundering. GAO-04-501T .
Washington, D.C.: March 4, 2004.
Terrorist Financing: U.S. Agencies Should Systematically Assess
Terrorists' Use of Alternative Financing Mechanisms. GAO-04-163 .
Washington, D.C.: November 14, 2003.
Combating Money Laundering: Opportunities Exist to Improve the National
Strategy. GAO-03-813 . Washington, D.C.: September 26, 2003.
Internet Gambling: An Overview of the Issues. GAO-03-89. Washington ,
D.C.: December 2, 2002.
Interim Report on Internet Gambling. GAO-02-1101R . Washington, D.C.:
September 23, 2002.
Money Laundering: Extent of Money Laundering Through Credit Cards Is
Unknown. GAO-02-670 . Washington, D.C.: July 22, 2002.
Anti-Money Laundering: Efforts in the Securities Industry. GAO-02-111 .
Washington, D.C.: October 10, 2001.
Money Laundering: Oversight of Suspicious Activity Reporting at
Bank-Affiliated Broker-Dealers Ceased. GAO-01-474 . Washington, D.C.:
March 22, 2001.
Suspicious Banking Activities: Possible Money Laundering by U.S.
Corporations Formed for Russian Entities. GAO-01-120 . Washington, D.C.:
October 31, 2000.
Money Laundering: Observations on Private Banking and Related Oversight of
Selected Offshore Jurisdictions. GAO/T-GGD-00-32 . Washington, D.C.:
November 9, 1999.
Private Banking: Raul Salinas, Citibank, and Alleged Money Laundering.
GAO/T-OSI-00-3 . Washington, D.C.: November 9, 1999.
Private Banking: Raul Salinas, Citibank, and Alleged Money Laundering.
GAO/OSI-99-1 . Washington, D.C.: October 30, 1998.
Money Laundering: Regulatory Oversight of Offshore Private Banking
Activities. GAO/GGD-98-154 . Washington, D.C.: June 29, 1998.
Money Laundering: FinCEN's Law Enforcement Support Role Is Evolving.
GAO/GGD-98-117 . Washington, D.C.: June 19, 1998.
Money Laundering: FinCEN Needs to Better Manage Bank Secrecy Act Civil
Penalties. GAO/GGD-98-108 . Washington, D.C.: June 15, 1998.
Money Laundering: FinCEN's Law Enforcement Support, Regulatory, and
International Roles. GAO/GGD-98-83 . Washington, D.C.: April 1, 1998.
Money Laundering: FinCEN Needs to Better Communicate Regulatory Priorities
and Timelines. GAO/GGD-98-18 . Washington, D.C.: February 6, 1998.
Private Banking: Information on Private Banking and Its Vulnerability to
Money Laundering. GAO/GGD-98-19R . Washington, D.C.: October 30, 1997.
Money Laundering: A Framework for Understanding U.S. Efforts Overseas.
GAO/GGD-96-105 . Washington, D.C.: May 24, 1996.
Money Laundering: U.S. Efforts to Combat Money Laundering Overseas.
GAO/T-GGD-96-84 . Washington, D.C.: February 28, 1996.
(250181)
www.gao.gov/cgi-bin/getrpt? GAO-06-386 .
To view the full product, including the scope
and methodology, click on the link above.
For more information, contact Yvonne Jones at (202) 512-2717 or
[email protected].
Highlights of GAO-06-386 , a report to the Committee on Banking, Housing,
and Urban Affairs, U.S. Senate
April 2006
BANK SECRECY ACT
Opportunities Exist for FinCEN and the Banking Regulators to Further
Strengthen the Framework for Consistent BSA Oversight
The U.S. government's framework for preventing, detecting, and prosecuting
money laundering has been expanding through additional pieces of
legislation since the passage of the Bank Secrecy Act (BSA) in 1970. In
recent years, noncompliance with BSA requirements has raised concerns in
Congress about the ability of federal banking regulators to oversee
compliance at depository institutions and ensure that these institutions
have the controls necessary to identify suspicious activity. In light of
these concerns, GAO was asked to determine how federal banking regulators
examine for BSA compliance and identify and track violations to ensure
timely corrective action. GAO also was asked to determine how enforcement
actions are taken for violations of the BSA.
What GAO Recommends
To further strengthen BSA oversight, GAO recommends that FinCEN and the
regulators communicate emerging risks through updates of the interagency
examination manual and other guidance; periodically review BSA violation
data to determine if additional guidance is needed; and, jointly assess
the feasibility of developing a uniform classification system for BSA
compliance problems. FinCEN and the regulators supported these
recommendations and said they are committed to ongoing interagency
coordination to address them.
Before 2005, each regulator used separately developed, but similar,
examination procedures to assess compliance with the BSA. However, in
2005, in an effort to establish more consistency in examination procedures
and application, the regulators, with participation from the Financial
Crimes Enforcement Network (FinCEN), jointly developed and issued an
interagency BSA examination procedures manual. The manual describes risk
assessments for BSA examinations and recognizes that the risks evolve and
vary among institutions. They also conducted nationwide training on the
new procedures for examiners and others. The new procedures retain the
risk-focused approach of the prior procedures, requiring examiners to
apply a higher level of scrutiny to the institution's lines of business
that carry a higher risk for potential money laundering or noncompliance
with the BSA. The regulators are committed to updating the manual
annually.
Recent improvements to the automated tracking systems the regulators use
to monitor BSA examinations have allowed regulators to better record and
track BSA-related information. The regulators' data showed that the number
of BSA-related violations generally increased from 2000 to 2004. Among the
frequently cited violations in 2003 and 2004 were violations issued in
connection with currency transaction reporting requirements. The system
upgrades also allowed regulators to more readily produce information for
other users, such as FinCEN, which has overall responsibility for BSA
administration. Under a September 2004, memorandum of understanding signed
by the regulators and FinCEN, the regulators now share more specific
BSA-related examination and violation data with FinCEN. The regulators
have been conducting their own analyses of these data, and FinCEN has
begun to provide analytic reports to the regulators that help identify
compliance problems. FinCEN and the regulators have not yet worked through
these data together to determine if additional guidance is needed to
correct problems they are seeing. Also, despite their enhanced systems and
reporting, GAO found differences in the regulators' guidance and the
terminology used to classify certain BSA problems-with guidance varying in
scope and many key terms undefined.
Most cases of BSA noncompliance are corrected within the examination
framework through supervisory or informal actions, such as bringing the
problem to the attention of institution management, or letters that
document management's commitment to take corrective action. Both the
regulators and FinCEN undertake formal enforcement actions, which range
from public written agreements with the institution to civil money
penalties. From 2000 to 2005, FinCEN, often in conjunction with the
relevant regulator, assessed these penalties in 11 cases, with
significantly higher penalties in recent years. The Department of Justice
takes action against depository institutions for certain BSA offenses,
and, since 2002, Justice has pursued legal action against six depository
institutions for violation of the BSA.
GAO's Mission
The Government Accountability Office, the audit, evaluation and
investigative arm of Congress, exists to support Congress in meeting its
constitutional responsibilities and to help improve the performance and
accountability of the federal government for the American people. GAO
examines the use of public funds; evaluates federal programs and policies;
and provides analyses, recommendations, and other assistance to help
Congress make informed oversight, policy, and funding decisions. GAO's
commitment to good government is reflected in its core values of
accountability, integrity, and reliability.
Obtaining Copies of GAO Reports and Testimony
The fastest and easiest way to obtain copies of GAO documents at no cost
is through GAO's Web site ( www.gao.gov ). Each weekday, GAO posts newly
released reports, testimony, and correspondence on its Web site. To have
GAO e-mail you a list of newly posted products every afternoon, go to
www.gao.gov and select "Subscribe to Updates."
Order by Mail or Phone
The first copy of each printed report is free. Additional copies are $2
each. A check or money order should be made out to the Superintendent of
Documents. GAO also accepts VISA and Mastercard. Orders for 100 or more
copies mailed to a single address are discounted 25 percent. Orders should
be sent to:
U.S. Government Accountability Office 441 G Street NW, Room LM Washington,
D.C. 20548
To order by Phone: Voice: (202) 512-6000 TDD: (202) 512-2537 Fax: (202)
512-6061
To Report Fraud, Waste, and Abuse in Federal Programs
Contact:
Web site: www.gao.gov/fraudnet/fraudnet.htm E-mail: [email protected]
Automated answering system: (800) 424-5454 or (202) 512-7470
Congressional Relations
Gloria Jarmon, Managing Director, [email protected] (202) 512-4400 U.S.
Government Accountability Office, 441 G Street NW, Room 7125 Washington,
D.C. 20548
Public Affairs
Paul Anderson, Managing Director, [email protected] (202) 512-4800 U.S.
Government Accountability Office, 441 G Street NW, Room 7149 Washington,
D.C. 20548
*** End of document. ***