
Understanding and Learning From Regulatory Enforcement Actions

Updated: Jul 5, 2022

In this blog we will break down what an enforcement action is as well as some lessons learned from the BSA related consent order with Washington Federal. This material can be… dense. But it is great information in understanding the tools available to regulators and what they look for when visiting your institution.

Understanding Supervisory Action Types

Let’s start with remediation tools used by the Office of the Comptroller of the Currency. The below graphic highlights the main types of supervisory action.

Typically, concerns and corresponding corrective actions in a formal or informal enforcement action have previously been communicated to the financial institution in the form of a matter requiring attention (MRA) or Violation of Law (VOL).

An informal enforcement action is typically considered when the financial institution’s condition is sound, but deficiencies haven’t been corrected in a timely manner. A formal enforcement action is typically considered when deficiencies are severe, repeat, and affect the safety and soundness of the institution.

Washington Federal, the case we are discussing, is subject to a consent order. So, what’s a consent order? A consent order is virtually identical to a cease-and-desist order, except that the financial institution’s board has consented to the document’s issuance. Okay, you say, what’s a cease-and-desist order? A cease-and-desist order requires a financial institution to cease and desist from the unsafe or unsound practice or violation and to take affirmative action to correct or remedy any conditions resulting from that violation or practice.

For context: when we deconstruct an enforcement action and its lessons learned, the situation is typically the result of years of compounding or ignored deficiencies that have escalated into a severe situation, one that usually leaves the financial institution in troubled condition.

Unpacking the WaFd Situation:

Washington Federal, National Association, doing business as WaFd, agreed to a consent order with the OCC in February 2018. Here is the original enforcement action. The consent order was driven by violations of 12 U.S.C. § 1818(s) and its implementing regulation, 12 CFR § 21.21 (where the Bank Secrecy Act is codified for national banks). In addition, the financial institution violated 12 CFR § 21.11. Please note this is not an easy story to break down in a short blog post: the initial consent order alone is twenty-eight pages, and the subsequent formal enforcement action associated with the civil money penalty is another eight. What we can see at a high level is:

  1. There was at least one BSA pillar violation (given 21.21 is where the pillars of the BSA program are codified). Pillars include:

     • Designated BSA Officer

     • System of Internal Controls

     • Training Program

     • Internal Audit

  2. There was a deficiency in the suspicious activity reporting (SAR) process (given 21.11 codifies SAR requirements for national banks)

Where We Are Now:

If you weren’t familiar with consent orders, now you are (congrats). And three years after WaFd’s original enforcement action, one would think this was a thing of the past. Well, in September WaFd released the following Press Release related to a $2.5 million civil money penalty associated with the same issue. The process to resolve a formal enforcement action can be long and arduous. Let’s look at some of the key pieces that got us here, and what to think about in our own programs.

Key Findings:

Below are all articles from the consent order. The text in italics is a summary of what was required in the consent order. We’ve also listed questions you can ask yourself or your team to see if your program may have areas that can be enhanced.

1. Comptroller’s Findings

Identifies that the financial institution has deficiencies in its Bank Secrecy Act / Anti-Money Laundering compliance program.

2. Compliance Committee

The financial institution must have a three-person committee of Board members who are responsible for overseeing compliance with this consent order.

  • Is a committee necessary given the size and complexity of your institution? Why or why not?

  • Does your financial institution have a board level committee overseeing compliance and BSA?

3. BSA Officer and Staff

The financial institution needs a permanent, qualified, and experienced BSA Officer who has the authority, time, and resources to fulfill the duties of the position. In addition to just the BSA Officer, the financial institution needs an adequate infrastructure to support staff and the BSA Officer in completing their roles and responsibilities.

  • Has your financial institution evaluated the resources needed to identify, measure, monitor, and control risk? (this should consider staff and technology)

  • Does the BSA officer at your financial institution have a direct line to the board?

4. BSA/AML Risk Assessment

The financial institution must have a comprehensive analysis of its vulnerabilities to money laundering and financial crime and, in addition to identifying these vulnerabilities, must implement steps to control and limit the resulting risk.

  • Is your risk assessment holistic? Does it look at products and services, customers and entities, types of transactions, geographic exposure, data sensitivity, data accuracy, process weaknesses, business line specific weaknesses, compound risk across business lines, and more as relevant to the financial institution?

  • Is your risk assessment performed annually?

  • Does your risk assessment inform strategy?

5. BSA Internal Controls

The financial institution must have a written program of policies and procedures to provide for compliance with the BSA.

  • Do your policies and procedures as written cover requirements and procedures for initial and ongoing due diligence, transaction monitoring, high risk customer requirements, the BSA risk assessment, SAR and CTR filing, and other requirements of the BSA?

  • If you need resources for this space take a look through the FFIEC BSA manual.

6. Suspicious Activity Monitoring (SAM)

A financial institution must have timely and appropriate review of transaction activity and disposition of suspicious activity alerts, and timely filing of SARs.

  • Does your financial institution have timely identification, investigation, and disposition of suspicious activity? It may be prudent to document the financial institution’s definition of timely and how that definition is supported.

  • How do you document the review and disposition of an alert?

  • Does your financial institution have processes in place to elevate the risk level of a customer given certain types or levels of alerts? If not, what would prompt a customer to migrate risk levels?

7. Automated Monitoring System

The financial institution must have a suspicious activity monitoring system that is tailored to the risk profile and operations of the financial institution. Logic, parameters, rules, and other factors should be appropriate to identify client activity that is abnormal.

  • How does your financial institution review rules and thresholds for suspicious activity monitoring? More importantly, are you comfortable with what the vendor is doing?

  • How frequently is independent testing of thresholds and filters performed?

  • How do you validate data that is input into the system is accurate and the necessary information? (Consider model risk management guidance)

  • How are staff trained to understand the SAM system? Will your SAM vendor provide training to your staff?

8. Account/Transaction Activity Review

This article involves a lookback of existing transactions to determine if suspicious activity was identified timely by the financial institution.

9. Customer Due Diligence and Enhanced Due Diligence

Policies and procedures must have clear definitions of low-, moderate-, and high-risk customers, and the methodology for assigning these levels should consider factors such as type of customer, types of products or services, location, occupation, expected activity, etc.

  • How does your financial institution evaluate customers at onboarding? Does that review consider all relevant risk factors?

  • How does your financial institution ensure that risk ratings remain accurate relative to the customer’s profile and activity?

  • What are the processes to acquire required customer information? How did you select the frequency at which you would collect that information?

  • How frequently do you review high risk customers? (The consent order for WaFd requires the review be performed every 12 months)

  • How do you vary the frequency of high-risk reviews for different customer types? (For example money services businesses, cannabis-related businesses, or cash-intensive businesses generally)

10. BSA/AML Audit

The financial institution must implement an audit that includes the minimum requirements found in the FFIEC BSA/AML manual. The program must detect irregularities in financial institution operations, assess compliance with laws, rules, and regulations, evaluate adherence to policies and procedures, test audit findings, and establish an audit plan.

  • Does the internal audit over BSA cover the full program (laws, regulations, rules, policies, and procedures) and include testing to ensure validity?

  • Is the internal auditor independent?

11. BSA/AML Training

The financial institution must have a comprehensive training program in place that ensures all appropriate financial institution employees understand their role in maintaining compliance with the BSA.

  • Is your training program specific to the different roles and responsibilities of employees at the financial institution? If not, why?

  • Who provides training? Is the depth and quality of that training adequate?

Final Takeaways:

An enforcement action is not a first step for regulators in enforcing compliance with rules, regulations, or safety and soundness standards, but it is a tool that can be used when deficiencies are severe and/or repeated without remediation. While many of the above articles are more than likely the result of severe and repeated deficiencies, they are still an indicator of what regulators look for and expect in a program. If you do choose to read through the consent order, keep in mind that these requirements will not transfer identically to your institution, as requirements differ based on the size and complexity of the financial institution.
