FDIC Sends Strong Signals of What Matters in a BSA Program.
A cautionary tale is often worth more than a thousand webinars or articles on how to get compliance right. For the bank compliance world, these cautionary tales often come in the guise of regulatory fines and consent orders, which outline what steps a financial institution needs to take to fix a broken situation.
In late August, a Mississippi-based community bank with nine branches that opened in 1869, was issued a consent order[1] with the FDIC and the Mississippi Department of Banking and Consumer Finance (MDBCF).
With this order, the bank agreed to the provisions outlined in the order without admitting or denying charges of unsound banking practices or BSA (Bank Secrecy Act) violations.
What the Regulators Demanded
The consent order reads like a how-to for creating a sound BSA program. Here are some of the major points:
Board oversight The board at the Bank was charged with creating a subcommittee to make sure that the provisions of the consent order are complied with in a timely manner.
BSA staffing The bank was asked to assess its staffing needs for its BSA department.
BSA officer Designating a qualified individual or individuals to coordinate and monitor day-to-day compliance with the BSA was another aspect of the consent order.
Customer due diligence (CDD) program At a minimum, the order says, the CDD program “shall provide for a risk focused assessment of the Bank’s customer base to determine the appropriate level of ongoing monitoring required to assure that the Bank can reasonably detect suspicious activity and determine which customers require additional due diligence necessary for those categories of customers the Bank has reason to believe pose a heightened risk of suspicious activity including, but not limited to, higher-risk accounts.” Although this statement seems to place all the onus on the Bank for determining what constitutes appropriate monitoring, the regulators then spell out what a CDD program should do. Here, the Bank is asked to have procedures to “understand the nature and purpose of customer relationships for the purpose of developing a customer risk profile.” Over time, the order says, the Bank should obtain and analyze customer information allowing it to monitor suspicious activities. Among the analysis should be the documentation of “normal and expected transactions of the customer.” The order also emphasizes timeliness of response. There should be a time limit for bank personnel to respond to activity and monitoring exceptions—and time limits for determining if exceptions require a Suspicious Activity Report, or SAR.
Internal controls The regulators are quite clear on what constitutes strong internal controls. Many of the points raised are elaborated in what’s known as the first of five pillars of compliance, which was discussed in this blog post.
Independent testing This, too, is ground that’s amply covered in the five pillars of compliance, namely in the fourth pillar.
Training Compliance training is necessary for the assistant BSA officer, but also for management, staff, and the board, the regulators say.
Some Key Takeaways
The points the regulators highlight are generally accepted practices for a robust BSA program.
The consent order places strong emphasis on taking a risk-based approach. It also highlights the importance of executive authority for the BSA officer, points that have been raised in other consent orders, as well.
Although banks tend to focus on their procedures for onboarding new customers, this consent order emphasizes the crucial importance of knowing your customers after onboarding, as well. The same customer or member you onboard today will look different from the client they become in six months. Understanding this point is the first step in designing a sound ‘Know Your Customer’ program that continues to seek knowing your clients beyond just onboarding.
Here, compliance software like RiskScout’s can do much of the heavy lifting in helping you onboard, verify and manage all of the ongoing compliance efforts involved in banking high-touch clients, including higher-risk businesses.
For additional information, our September RiskScout webinar, “Assessing & Managing Risks of Traditional Higher-Risk Clients,” can be found here.
[1]https://buckleyfirm.com/sites/default/files/Buckley%20InfoBytes%20-%20FDIc%20Consent%20Order%20-%20Bank%20of%20Holly%20Spring%20-%202022.03.10.pdf
Join the Higher Risk Banking Group
This is your private resource group for financial institutions to ask questions, get advice, and learn from experts on providing financial services to higher-risk specialty business markets including: Private ATM, Hemp & CBD, Crypto, MSB, Cannabis (THC), Fintech, and more.