Our Website Uses Cookies 

We and the third parties that provide content, functionality, or business services on our website may use cookies to collect information about your browsing activities in order to provide you with more relevant content and promotional materials, on and off the website, and help us understand your interests and improve the website.

For more information, please contact us or consult our Privacy Notice.

Your binder contains too many pages, the maximum is 40.

We are unable to add this page to your binder, please try again later.

This page has been added to your binder.

Federal Banking Agencies Issue Joint Statement on Enforcement of Bank Secrecy Act/Anti-Money Laundering Requirements

August 14, 2020, Covington Alert

On August 13, 2020 the Federal Reserve System, Federal Deposit Insurance Corporation, National Credit Union Administration, and Office of the Comptroller of the Currency (the Agencies) issued joint guidance to clarify and update their policies with respect to the enforcement of the Bank Secrecy Act’s (BSA’s) anti-money laundering (AML) program requirement.[1] The guidance, which replaces a prior interagency statement from 2007,[2] interprets a unique provision of the BSA regulatory enforcement regime that requires federal banking agencies to issue cease and desist (C&D) orders when depository institutions and credit unions fail to (i) establish and maintain adequate AML programs, or (ii) correct deficiencies previously identified by their regulators.[3] It also addresses other circumstances in which C&D orders or informal enforcement actions may be appropriate.

The guidance does not formally apply to the issuance of civil money penalties (CMPs), although it will likely be of practical relevance in assessing the appropriateness of CMPs, as well.

Amendments to the 2007 Interagency Statement

The current guidance amends the 2007 interagency statement in three principal ways:

  • Consistent with existing enforcement practice, the guidance makes it express that isolated or technical deficiencies in AML programs will not generally result in a C&D order.
  • The guidance provides more detailed descriptions and examples of the “pillars” of BSA/AML compliance programs (i.e., internal controls, independent testing, designated BSA/AML personnel, and training). It also updates these descriptions and examples to incorporate FinCEN’s customer due diligence (CDD) rule. In particular, the guidance states that, under the CDD rule, a financial institution must understand the nature and purpose of a customer relationship to develop a customer risk profile, conduct ongoing monitoring for suspicious transactions, and maintain and update customer information, including beneficial ownership information.
  • The guidance provides specific examples of compliance failures that typically would (or would not) result in a C&D order. Certain of these examples are noted below.

C&D Orders for Failure to Establish and Maintain Adequate AML Programs

The guidance explains that the Agencies will issue a C&D order for failure to establish and maintain an adequate AML program where, among other things, an institution:

  • fails to have a written BSA/AML compliance program, including a customer identification program, that adequately covers the required program components or pillars (i.e., internal controls, independent testing, designated BSA/AML personnel, and training);
  • fails to adequately implement its written program (institution-issued policy statements alone are not sufficient; the program as actually implemented must be consistent with the institution’s written policies, procedures, and processes);
  • has defects in its BSA/AML compliance program in one or more program components or pillars that indicate that either the written BSA/AML compliance program or its implementation is not effective, for example, where the deficiencies are coupled with other aggravating factors, including (i) the presence of “highly suspicious activity” or (ii) the systemic failure to file suspicious activity reports or currency transaction reports.

The guidance provides, as one example of failing to maintain an adequate AML program, the failure by an institution to appropriately expand its AML program when it expands its relationships with overseas affiliates and other overseas businesses. In contrast, more discrete deficiencies — for instance, deficiencies in procedures for providing BSA/AML training to appropriate personnel — typically will not result in C&D orders, unless, for example, they relate to particularly high-risk areas.

C&D Orders for Failure to Correct Identified Deficiencies

The guidance states that the statutory requirement to issue a C&D order for uncorrected deficiencies applies to deficiencies that are “substantially the same” as those formally communicated in a report of examination or other written document (e.g., a supervisory letter), as a violation of law (VoL) or a matter that must be corrected (e.g., an MRA/MRIA). Often, these deficiencies will relate to “required components or pillars of the institution’s BSA/AML compliance program,” which are described in the guidance based on pre-existing regulations and manuals from the Financial Crimes Enforcement Network (FinCEN) and the Federal Financial Institutions Examination Council (FFIEC).

Importantly, the guidance recognizes that some deficiencies may take time to remediate. Where corrective actions take “more time to implement than initially anticipated,” a C&D is not required, “provided the Agency determines that the institution has made acceptable substantial progress toward correcting the problem.”  Similarly, corrective actions that are only partially effective will not always result in C&D orders. For example, “if a violation is cited in a previous report of examination for failure to designate a qualified BSA compliance officer, and the institution has appointed an otherwise qualified person . . . but the examiners recommend additional training for the person, an Agency may determine not to issue a cease and desist order.”

Other Issues Addressed

The final part of the guidance details situations where the Agencies may take formal (i.e., public) or informal (i.e., nonpublic) actions to address BSA/AML deficiencies other than the BSA/AML program requirement, including deficiencies relating to suspicious activity reporting requirements. In this connection, the guidance states that the Agencies will take “appropriate supervisory action, if the institution’s failure to file [one or more suspicious activity reports] evidences a systemic breakdown in its policies, procedures, or processes to identify and research suspicious activity, involves a pattern or practice of noncompliance with the filing requirement, or represents a significant or egregious situation.”

Possible FinCEN Enforcement Statement

In a Financial Institutions Letter communicating the new guidance, the FDIC indicated that FinCEN may issue a separate “Statement on Enforcement of the Bank Secrecy Act.”  As of August 14, that Statement has not yet been published.

If you have any questions concerning the material discussed in this client alert, please contact the below members of our bank regulatory enforcement and white collar defense and investigations practices.

*      *      *

[1] “Joint Statement on Enforcement of Bank Secrecy Act/Anti-Money Laundering Requirements,” Board of Governors of the Federal Reserve System, Federal Deposit Insurance Corporation, National Credit Union Administration, and Office of the Comptroller of the Currency (Aug. 13, 2020), https://www.federalreserve.gov/newsevents/pressreleases/files/bcreg20200813a1.pdf.

[2] “Interagency Statement on Enforcement of Bank Secrecy Act/Anti-Money Laundering Requirements, Board of Governors of the Federal Reserve System, Office of Thrift Supervision, National Credit Union Administration, and Office of the Comptroller of the Currency (July 19, 2007), https://www.federalreserve.gov/newsevents/pressreleases/files/bcreg20070719a1.pdf.

[3] See 12 U.S.C. §1818(s) (depository institutions); 12 U.S.C. § 1786(q) (credit unions).

Share this article: