Bank Secrecy Act
Opportunities Exist for FinCEN and the Banking Regulators to Further Strengthen the Framework for Consistent BSA Oversight
GAO ID: GAO-06-386 April 28, 2006
The U.S. government's framework for preventing, detecting, and prosecuting money laundering has been expanding through additional pieces of legislation since the passage of the Bank Secrecy Act (BSA) in 1970. In recent years, noncompliance with BSA requirements has raised concerns in Congress about the ability of federal banking regulators to oversee compliance at depository institutions and ensure that these institutions have the controls necessary to identify suspicious activity. In light of these concerns, GAO was asked to determine how federal banking regulators examine for BSA compliance and identify and track violations to ensure timely corrective action. GAO also was asked to determine how enforcement actions are taken for violations of the BSA.
Before 2005, each regulator used separately developed, but similar, examination procedures to assess compliance with the BSA. However, in 2005, in an effort to establish more consistency in examination procedures and application, the regulators, with participation from the Financial Crimes Enforcement Network (FinCEN), jointly developed and issued an interagency BSA examination procedures manual. The manual describes risk assessments for BSA examinations and recognizes that the risks evolve and vary among institutions. The regulators also conducted nationwide training on the new procedures for examiners and others. The new procedures retain the risk-focused approach of the prior procedures, requiring examiners to apply a higher level of scrutiny to the institution's lines of business that carry a higher risk for potential money laundering or noncompliance with the BSA. The regulators are committed to updating the manual annually. Recent improvements to the automated tracking systems the regulators use to monitor BSA examinations have allowed regulators to better record and track BSA-related information. The regulators' data showed that the number of BSA-related violations generally increased from 2000 to 2004. Among the frequently cited violations in 2003 and 2004 were violations issued in connection with currency transaction reporting requirements. The system upgrades also allowed regulators to more readily produce information for other users, such as FinCEN, which has overall responsibility for BSA administration. Under a September 2004 memorandum of understanding signed by the regulators and FinCEN, the regulators now share more specific BSA-related examination and violation data with FinCEN. The regulators have been conducting their own analyses of these data, and FinCEN has begun to provide analytic reports to the regulators that help identify compliance problems.
FinCEN and the regulators have not yet worked through these data together to determine if additional guidance is needed to correct problems they are seeing. Also, despite their enhanced systems and reporting, GAO found differences in the regulators' guidance and the terminology used to classify certain BSA problems--with guidance varying in scope and many key terms undefined. Most cases of BSA noncompliance are corrected within the examination framework through supervisory or informal actions, such as bringing the problem to the attention of institution management, or letters that document management's commitment to take corrective action. Both the regulators and FinCEN undertake formal enforcement actions, which range from public written agreements with the institution to civil money penalties. From 2000 to 2005, FinCEN, often in conjunction with the relevant regulator, assessed these penalties in 11 cases, with significantly higher penalties in recent years. The Department of Justice takes action against depository institutions for certain BSA offenses, and, since 2002, Justice has pursued legal action against six depository institutions for violation of the BSA.
This is the accessible text file for GAO report number GAO-06-386
entitled 'Bank Secrecy Act: Opportunities Exist for FinCEN and the
Banking Regulators to Further Strengthen the Framework for Consistent
BSA Oversight' which was released on May 30, 2006.
Report to the Committee on Banking, Housing, and Urban Affairs, U.S.
Senate:
April 2006:
Bank Secrecy Act:
Opportunities Exist for FinCEN and the Banking Regulators to Further
Strengthen the Framework for Consistent BSA Oversight:
GAO-06-386:
GAO Highlights:
Highlights of GAO-06-386, a report to the Committee on Banking,
Housing, and Urban Affairs, U.S. Senate.
Why GAO Did This Study:
The U.S. government's framework for preventing, detecting, and
prosecuting money laundering has been expanding through additional
pieces of legislation since the passage of the Bank Secrecy Act (BSA)
in 1970. In recent years, noncompliance with BSA requirements has
raised concerns in Congress about the ability of federal banking
regulators to oversee compliance at depository institutions and ensure
that these institutions have the controls necessary to identify
suspicious activity. In light of these concerns, GAO was asked to
determine how federal banking regulators examine for BSA compliance and
identify and track violations to ensure timely corrective action. GAO
also was asked to determine how enforcement actions are taken for
violations of the BSA.
What GAO Found:
Before 2005, each regulator used separately developed, but similar,
examination procedures to assess compliance with the BSA. However, in
2005, in an effort to establish more consistency in examination
procedures and application, the regulators, with participation from the
Financial Crimes Enforcement Network (FinCEN), jointly developed and
issued an interagency BSA examination procedures manual. The manual
describes risk assessments for BSA examinations and recognizes that the
risks evolve and vary among institutions. The regulators also conducted
nationwide training on the new procedures for examiners and others. The
new procedures retain the risk-focused approach of the prior
procedures, requiring examiners to apply a higher level of scrutiny to
the institution's lines of business that carry a higher risk for
potential money laundering or noncompliance with the BSA. The
regulators are committed to updating the manual annually.
Recent improvements to the automated tracking systems the regulators
use to monitor BSA examinations have allowed regulators to better
record and track BSA-related information. The regulators' data showed
that the number of BSA-related violations generally increased from 2000
to 2004. Among the frequently cited violations in 2003 and 2004 were
violations issued in connection with currency transaction reporting
requirements. The system upgrades also allowed regulators to more
readily produce information for other users, such as FinCEN, which has
overall responsibility for BSA administration. Under a September 2004
memorandum of understanding signed by the regulators and FinCEN, the
regulators now share more specific BSA-related examination and
violation data with FinCEN. The regulators have been conducting their
own analyses of these data, and FinCEN has begun to provide analytic
reports to the regulators that help identify compliance problems.
FinCEN and the regulators have not yet worked through these data
together to determine if additional guidance is needed to correct
problems they are seeing. Also, despite their enhanced systems and
reporting, GAO found differences in the regulators' guidance and the
terminology used to classify certain BSA problems--with guidance varying
in scope and many key terms undefined.
Most cases of BSA noncompliance are corrected within the examination
framework through supervisory or informal actions, such as bringing the
problem to the attention of institution management, or letters that
document management's commitment to take corrective action. Both the
regulators and FinCEN undertake formal enforcement actions, which range
from public written agreements with the institution to civil money
penalties. From 2000 to 2005, FinCEN, often in conjunction with the
relevant regulator, assessed these penalties in 11 cases, with
significantly higher penalties in recent years. The Department of
Justice takes action against depository institutions for certain BSA
offenses, and, since 2002, Justice has pursued legal action against six
depository institutions for violation of the BSA.
What GAO Recommends:
To further strengthen BSA oversight, GAO recommends that FinCEN and the
regulators communicate emerging risks through updates of the
interagency examination manual and other guidance; periodically review
BSA violation data to determine if additional guidance is needed; and,
jointly assess the feasibility of developing a uniform classification
system for BSA compliance problems. FinCEN and the regulators supported
these recommendations and said they are committed to ongoing
interagency coordination to address them.
[Hyperlink, http://www.gao.gov/cgi-bin/getrpt?GAO-06-386].
To view the full product, including the scope and methodology, click on
the link above. For more information, contact Yvonne Jones at
(202) 512-2717 or jonesy@gao.gov.
[End of Section]
Contents:
Letter:
Executive Summary:
Purpose:
Background:
Results in Brief:
Principal Findings:
Regulators Used Similar Procedures for BSA Examinations Pre-2005, but
Their Application Could Vary Widely:
Regulators Have Promoted Consistency in Examinations in Recent Years by
Adopting Interagency Procedures and Expanding Training:
Regulators Improved Tracking of BSA Examination and Violations Data,
but Differences in Terminology Could Result in Inconsistencies:
Regulators and FinCEN Increased Coordination on BSA Enforcement, and
Criminal Cases against Depository Institutions Were Limited:
Recommendations for Executive Action:
Agency Comments and GAO Evaluation:
Chapter 1:
Successive Legislation Has Expanded the Responsibility to Combat Money
Laundering:
Regulators and Other Federal Agencies Carry Out BSA Requirements:
Regulators Generally Address BSA Issues through Safety and Soundness or
Targeted Examinations:
Objectives, Scope, and Methodology:
Chapter 2:
Examiners Took Similar Steps to Prepare for, Determine Scope of, and
Report on BSA Examinations:
Since 2004, State Banking Departments Have Become More Involved in BSA
Reviews and Increased Information Sharing with FinCEN:
Chapter 3:
New Interagency Procedures Create Framework for Consistent BSA/AML
Examination Processes:
Regulators Revised Examination Tools for Documenting BSA Procedures to
Conform to the FFIEC Examination Manual:
In Recent Years, Regulators Have Intensified Focus on BSA-Related
Skills and Issues in Examiner Training:
Chapter 4:
Regulators Use Supervisory and Quality Assurance Reviews and Tracking
Systems to Monitor BSA Examinations:
Data System Improvements Have Allowed the Regulators to Better Track
BSA-Related Information:
Regulators Now Share More Specific BSA-Related Examination and
Violation Data with FinCEN:
Differences Remain in the Regulators' Guidance and Terminology for
Classification of BSA Compliance Problems:
Chapter 5:
Regulators Address Most BSA-Related Compliance Problems within the
Examination Framework:
Regulators Assess Many Factors in Deciding on Formal Actions against
Significant BSA-Related Compliance Problems:
Regulators Do Not Derive Authority for Formal Enforcement Actions,
Including CMPs, from the BSA:
Critical Reviews of Regulators' BSA Oversight Have Prompted Some
Regulators to Change Examiner Procedures and Guidance:
Unlike the Regulators, FinCEN Has Delegated Enforcement Authority under
the BSA:
Justice Has Pursued a Limited Number of Criminal Cases against
Depository Institutions for BSA Noncompliance:
Chapter 6:
Regulators Have Created a Framework for Consistency in BSA
Examinations:
Regulators Have Improved Their Systems for Monitoring BSA Examination
Results:
Regulators, FinCEN, and Justice Have Improved Coordination on BSA
Enforcement Actions:
Concluding Observations:
Recommendations for Executive Action:
Agency Comments and Our Evaluation:
Appendixes:
Appendix I: Under Pre-2005 Guidance, Regulators' Documentation
Requirements Varied Widely:
Regulators Required Documentation of "Major" Procedures; Planning and
Scoping Procedures More Often Were Documented for Large Institutions:
Regulators' Former Examination Guidance Allowed Variation in
Documentation of Transaction Testing:
Appendix II: Comments from FinCEN and the Federal Banking Regulators:
Appendix III: Comments from the Department of Justice:
Appendix IV: GAO Contact and Staff Acknowledgments:
Related GAO Products:
Tables:
Table 1: Data Collection Instrument Sample:
Table 2: BSA/AML Training, by Regulator (2004-2005):
Table 3: 2005 FFIEC Examination Manual Training:
Table 4: Examiner Career Path to BSA Specialization, by Regulator:
Table 5: BSA/AML Examinations, Violations, and Enforcement Actions, by
Regulator (Fiscal Year 2005):
Table 6: Examples of Formal Enforcement Actions Taken against
Depository Institutions for BSA-Related Compliance Problems (2004-2005):
Table 7: Number of Referrals from the Banking Regulators to FinCEN
(2001-2004):
Table 8: CMPs Assessed Solely by FinCEN and Concurrently with the
Regulators (2000-2005):
Table 9: Depository Institutions against Which Justice Has Pursued
Charges for Criminal Violation of the BSA (2002-2005):
Figures:
Figure 1: BSA Examination Procedures:
Figure 2: FFIEC Manual Links Components Necessary for BSA Compliance:
Figure 3: BSA-Related Violations and Examinations, by Regulator (2000-2004):
Figure 4: Frequently Cited BSA-Related Violations, by Regulator (2000-2004):
Abbreviations:
AML: anti-money laundering:
BSA: Bank Secrecy Act:
CAMELS: Capital, Assets, Management, Earnings, Liquidity, and
Sensitivity:
CIP: Customer Identification Program:
CMP: civil money penalty:
CSBS: Conference of State Banking Supervisors:
CTR: Currency Transaction Report:
FDI Act: Federal Deposit Insurance Act:
FDIC: Federal Deposit Insurance Corporation:
FFIEC: Federal Financial Institutions Examination Council:
FinCEN: Financial Crimes Enforcement Network:
HIFCA: high-intensity financial crimes area:
ICE: Immigration and Customs Enforcement:
IG: Inspector General:
IRS: Internal Revenue Service:
MLCA: Money Laundering Control Act of 1986:
MLSA: Money Laundering Suppression Act of 1994:
MOU: memorandum of understanding:
NCUA: National Credit Union Administration:
OCC: Office of the Comptroller of the Currency:
OFAC: Office of Foreign Assets Control:
OTS: Office of Thrift Supervision:
SAR: Suspicious Activity Report:
Letter:
April 28, 2006:
The Honorable Richard Shelby:
Chairman:
The Honorable Paul Sarbanes:
Ranking Minority Member:
Committee on Banking, Housing, and Urban Affairs:
United States Senate:
This report responds to your request that we review the examination and
enforcement programs for Bank Secrecy Act (BSA) compliance that the
federal banking, thrift, and credit union regulators use at depository
institutions in the United States. Specifically, our objectives were to
determine how (1) the regulators examined for BSA compliance at the
depository institutions they supervise, (2) the regulators have updated
examination procedures and trained examiners since the passage of the
USA PATRIOT Act, (3) the regulators identify and track BSA violations
to ensure timely corrective actions at the institutions they examine,
and (4) enforcement actions are taken for violations of the BSA.
As agreed with you, unless you publicly release its contents earlier,
we plan no further distribution of this report until 30 days from its
issue date. At that time, we will send copies of this report to the
Chairman and Ranking Minority Member of the House Committee on
Financial Services; the Departments of Homeland Security, Justice, and
the Treasury; the Board of Governors of the Federal Reserve System; the
Federal Deposit Insurance Corporation; the Office of the Comptroller of
the Currency; the Office of Thrift Supervision; the National Credit
Union Administration; and other interested parties. We will make copies
available to others upon request. In addition, this report will be
available at no cost on our Web site at [Hyperlink,
http://www.gao.gov].
If you or your staff have any questions regarding this report, please
contact me at (202) 512-2717 or jonesy@gao.gov. Contact points for our
Offices of Congressional Relations and Public Affairs may be found on
the last page of this report. GAO staff who made major contributions to
this report are listed in appendix IV.
Signed by:
Yvonne D. Jones,
Director, Financial Markets and Community Investment:
[End of section]
Executive Summary:
Purpose:
Since 1970, when Congress passed the Bank Secrecy Act (BSA), the United
States has been expanding its framework for preventing, detecting, and
prosecuting money laundering with new laws and amendments to the
BSA.[Footnote 1] The purpose of the BSA is to prevent financial
institutions from being used as intermediaries for the transfer or
deposit of money derived from criminal activity and to provide a paper
trail for law enforcement agencies in their investigations of possible
money laundering. Over the years, the BSA has evolved into an important
tool to help a number of regulatory and law enforcement agencies detect
money laundering, drug trafficking, terrorist financing, and other
financial crimes. The most recent comprehensive enhancements to the BSA
occurred in October 2001 under title III of the USA PATRIOT Act
(PATRIOT Act).[Footnote 2] This title is referred to as the
International Money Laundering Abatement and Anti-Terrorist Financing
Act of 2001. Title III made a number of amendments to the anti-money
laundering (AML) provisions of the BSA intended to facilitate the
prevention, detection, and prosecution of money laundering and
terrorist financing. For example, by requiring every financial
institution to establish an AML program, the PATRIOT Act extended AML
program requirements to financial institutions that had not previously
been subject to federal financial regulation.[Footnote 3]
In recent years, noncompliance with BSA requirements among depository
institutions has raised concerns in Congress about the ability of the
federal banking regulators (regulators) to oversee BSA compliance at
depository institutions and to ensure, through examinations, that these
institutions have the controls in place to identify suspicious activity
that could be related to money laundering or terrorist
financing.[Footnote 4] The accurate and timely recording of BSA
examination results is important for ensuring that timely and
appropriate federal enforcement actions are taken against
noncompliance. In 2004 and 2005, investigations of depository
institution customers by various law enforcement agencies and
congressional investigators resulted in several highly publicized cases
and significant penalties for BSA noncompliance by the institutions.
During hearings on BSA oversight and enforcement, congressional
committees have focused on the timeliness of regulators' enforcement
actions for BSA noncompliance.
The Senate Committee on Banking, Housing, and Urban Affairs asked GAO
to undertake a review of the examination and enforcement programs for
BSA compliance that the federal banking, thrift, and credit union
regulators use at depository institutions in the United States.
Specifically, GAO's objectives were to determine how (1) the regulators
examined for BSA compliance at the depository institutions they
supervise, (2) the regulators have updated examination procedures and
trained examiners since the passage of the PATRIOT Act, (3) the
regulators identify and track BSA violations to ensure timely
corrective actions at the institutions they examine, and (4)
enforcement actions are taken for violations of the BSA.
Background:
The regulatory system for the BSA involves several different federal
agencies. The Department of the Treasury's (Treasury) Financial Crimes
Enforcement Network (FinCEN) is the administrator of the BSA and has
the authority to enforce the act through the assessment of penalties,
including civil money penalties (CMP).[Footnote 5] In 1994, the
Secretary of the Treasury delegated to the Director of FinCEN overall
authority for enforcement of, and compliance with, the BSA and its
implementing regulations. In the same year, the Secretary also
delegated BSA examination authority to the regulators.[Footnote 6] As
part of a reorganization, in 2004, FinCEN created an Office of
Compliance to oversee and work with regulators on BSA examination and
compliance matters.
The regulators examine a variety of institutions for BSA compliance,
including but not limited to national banks, state member banks, state
nonmember banks, thrifts, and credit unions. The regulators review
depository institutions for compliance with the BSA as part of their
safety and soundness examinations or in targeted examinations focused
on BSA compliance. Safety and soundness examinations are periodic
on-site examinations conducted to assess an institution's financial
condition; policies and procedures; and adherence to laws and
regulations, such as the BSA. These examinations generally are
conducted every 12 to 18 months at institutions, such as community
banks, midsize banks, savings associations, and credit unions, on the
basis of the regulator's rating of the institution's risk. At large
complex banking organizations and large banks, these examinations are
conducted on a continuous basis in cycles of 36 months. The Board of
Governors of the Federal Reserve System (Federal Reserve), the Federal
Deposit Insurance Corporation (FDIC), and the National Credit Union
Administration (NCUA) share safety and soundness examination
responsibility with state banking departments for state-chartered
institutions.[Footnote 7]
The regulators take a risk-focused approach to safety and soundness
examinations, including reviews for BSA compliance. That is, the
examination is targeted to the institution's key areas of risk or
specific problems. In BSA examinations, the risk-focused approach
enables regulators to apply the appropriate scrutiny and devote
examination resources to business lines or areas within depository
institutions that pose the greatest risk for BSA noncompliance, such as
wire transfers, private banking, international correspondent banking,
large cash transactions, and other high-risk areas.
Other departments are involved in BSA enforcement. The Department of
Justice (Justice) pursues charges against depository institutions for
criminal noncompliance with the BSA. The Department of Homeland
Security's Bureau of Immigration and Customs Enforcement and the
Internal Revenue Service's Criminal Investigation division also
investigate cases involving money laundering and terrorist financing
activities.
Results in Brief:
Before 2005, each regulator used separately developed, but similar,
examination procedures to assess compliance with BSA program
requirements; however, the application of some examination procedures
could vary widely. Examiners reviewed institutions for these
requirements as part of safety and soundness examinations, using
procedures that generally were similar across all five regulators and
that included steps related to planning and scoping; the creation of
risk profiles; and supervisory consultation, reporting, and corrective
actions, when appropriate. While the regulators specified certain
procedures, the overall risk-focused approach they used for BSA
examinations required examiners to exercise professional judgment in
determining the extent to which certain procedures would be conducted.
According to examiners, differences in product risks, the varying sizes
and complexity of the institutions, and other factors could affect how
examiners made decisions, such as assessing the scope of the
examination and determining the extent of transaction testing
conducted. However, under pre-2005 BSA-related examination guidance,
the application and documentation of certain procedures could vary
widely. For example, GAO's review of the regulators' manuals and
guidance for BSA examinations and of a sample of examinations conducted
over a 4 1/2-year period found fewer requirements for and less
documentation of transaction testing in examinations of smaller
institutions. GAO's review indicated more documentation of examination
planning procedures for larger institutions. As recently as 2004, about
one-third of state banking departments reported that they were not
examining depository institutions for BSA compliance; however, as of
November 2005, 45 state banking departments reported examining for BSA
compliance. In addition, many state banking departments increased their
coordination with the regulators and FinCEN, and, as of March 2006, 36
state banking departments had signed memorandums of understanding (MOU)
with FinCEN.
During the course of GAO's review, the regulators jointly developed
and, in June 2005, issued an interagency BSA examination procedures
manual and subsequently conducted nationwide training on the new
procedures for examiners and others, in an effort to establish more
consistency in examination procedures and application. The new
procedures retain the risk-focused approach of the prior procedures,
but recognize that, depending on the specific characteristics of the
product, service, or customer, the risks vary from one institution to
another. The manual also states that as new products or services are
introduced, institution management's evaluation of money laundering and
terrorist-financing risks should evolve. Thus, the manual requires
examiners to apply a higher level of scrutiny to lines of business that
carry a higher risk for potential money laundering or noncompliance
with the BSA. However, the new procedures also link institutions' risk
assessments to risk profiles, introduce more uniformity into the
assessment of the BSA independent audit function, and require
transaction testing in all examinations regardless of the institution's
risk profile. As a result, the new procedures provide a uniform
framework that could result in greater consistency in BSA examinations
across the regulators. In recent years, regulators also have
intensified their focus on BSA-related skills and examiner training
relating to BSA compliance. For example, the regulators regularly train
examiners on examination procedures and provide them with up-to-date
guidance on changes or new requirements, such as those stemming from
the PATRIOT Act or the interagency procedures. Following the issuance
of the interagency procedures, the regulators held a series of training
sessions and other events for federal and state examiners.
Additionally, some regulators have increased the number of examiners
with BSA specialization, many of whom serve as resources for other
examiners in the field.
Recent improvements to one of the primary mechanisms used to monitor
BSA examinations allowed regulators to better record and track
BSA-related information. However, differences in the terminology that
regulators use to classify compliance problems may result in
inconsistencies. Although the regulators were recording and tracking
BSA-related examination and violation information from 2000 to 2004,
recent system improvements have allowed some regulators to better track
and cite BSA violations than in the past. For example, systems upgrades
currently allow FDIC to distinguish violations under specific
categories, rather than one general category. Also, regulator data
showed that the number of BSA-related violations generally increased
from 2000 to 2004. The systems upgrades also allowed regulators to more
readily produce information for other users, such as FinCEN. Under an
MOU into which the regulators and FinCEN entered in September 2004, the
regulators now share with FinCEN more specific data on BSA examinations
and violations. For example, the regulators provide FinCEN with
quarterly reports on the number of examinations conducted and the
number and type of violations cited. Furthermore, FinCEN has begun to
provide the regulators with analytical reports that help identify
compliance problems and trends across regulators and to disseminate
information about AML issues. FinCEN plans to provide the regulators
with additional reports, such as those on AML issues across industries,
in the future. All of the regulators have begun to analyze the
violation data internally for their own purposes, but FinCEN and the
regulators have not yet discussed whether these data indicate a need
for additional guidance to examiners. Despite their enhanced systems
and reporting, GAO found differences in the regulators' guidance and
the terminology they used to classify BSA problems--with guidance
varying in scope and many key terms undefined. In addition, in
developing the MOU, FinCEN and the regulators acknowledged that the
regulators do not use the same terminology to describe BSA
noncompliance. GAO's review of 138 examinations found a variety of
terms used to describe BSA noncompliance, and examiners appeared to use
different terms for apparently similar problems. For example, in
addition to the term "violation," examiners used the terms "apparent
violation," "weakness," "deficiency," and "exception" when referring to
BSA noncompliance. To avoid any uncertainty over what information was
included, the wording in the MOU called for banking regulators to
notify FinCEN of "significant BSA violations or deficiencies."
According to regulatory officials, most cases of BSA/AML noncompliance
are corrected within the examination framework through supervisory
actions, such as bringing the problem to the attention of institution
management and obtaining a commitment to take corrective action, or
through informal actions, such as letters that document such
commitments. Both the regulators and FinCEN can undertake formal
enforcement actions, which range from public written agreements with
the institution to CMPs. According to the regulators, formal
enforcement actions are used to address cases involving pervasive,
repeated noncompliance; failure to respond to supervisory warnings; and
other factors. For example, from 2000 to 2005, FinCEN assessed CMPs in
11 cases. Starting in 2004, more of these CMPs were assessed in
conjunction with the relevant regulator, and the penalties were
significantly higher. However, only FinCEN has delegated authority
under the BSA to assess CMPs; the regulators do so under separate
authorities. In 1994, the Secretary of the Treasury was directed by
statute to delegate the authority to assess CMPs under the BSA to the
regulators, with such limitations as the Secretary deemed necessary.
However, according to FinCEN officials, this was not done, partly
because of challenges involved in crafting a delegation that would
result in consistent and accountable BSA enforcement. Furthermore,
FinCEN officials said that these challenges increased substantially
with the addition of new types of institutions subject to BSA
compliance requirements under the PATRIOT Act. FinCEN officials said
that because of the increased cooperation on BSA compliance with the
regulators in recent years, they were not aware that the lack of
delegated authority had produced any significant enforcement
ramifications. For example, they pointed out that FinCEN now is
involved earlier in the regulators' enforcement process and engages in
joint actions with the regulators with more frequency than in the years
preceding adoption of the MOU. Furthermore, FinCEN officials said they
had no plans to pursue this delegation.
While FinCEN and the regulators can take a variety of actions against
depository institutions, under federal statute, Justice takes action
against depository institutions for money laundering offenses and
certain BSA offenses. From 2002 to 2005, Justice pursued criminal
charges against six depository institutions for noncompliance with the
BSA. In general, these cases were identified through criminal
investigations of the institutions' customers. The criminal cases have
raised concerns in the banking industry that depository institutions
would be targeted for criminal investigation. However, Justice
officials emphasized that willful and pervasive violations by the
institutions were important factors in these cases. Some cases resulted
in guilty pleas and others resulted in deferred prosecution agreements,
contingent on the depository institutions' cooperation and
implementation of corrective actions. In each case, the depository
institution paid a monetary penalty.
Principal Findings:
Regulators Used Similar Procedures for BSA Examinations Pre-2005, but
Their Application Could Vary Widely:
Before 2005, the regulators used separate examination guidance to
review BSA compliance at depository institutions, although the
examination procedures generally were similar. However, the ways in
which procedures were applied could vary, as could their documentation.
In recent years, more state banking departments--which generally use
federal BSA examination procedures--have conducted BSA examinations and
increased their coordination with the regulators and FinCEN.
Examiners Took Similar Steps to Prepare for, Determine the Scope of,
and Report on BSA Examinations:
Before 2005, the regulators used separate examination guidance to
review BSA compliance at depository institutions, although the
examination procedures generally were similar. Examination activities
included planning and scoping; creation of risk profiles; and
supervisory consultation, reporting, and corrective actions. In
addition to undertaking these procedures, examiners also have exercised
professional judgment in determining the manner or extent to which
certain procedures were conducted. In general, the procedures that
examiners have used (and continue to use) to prepare for and report on
examinations were similar--planning and scoping activities were to
result in the creation of a risk profile for the institution to be
examined. Examiners were then to conduct risk-assessment procedures to
evaluate an institution's potential for BSA noncompliance, money
laundering, or terrorist financing. To perform the risk assessments,
examiners were to gather and analyze information from the institutions
or other sources about operational procedures or activities that might
expose the institution to risk in these areas. Examiners also were to
draw on similar sources of information to create the risk profiles,
including the institution's internal assessments and information from
other federal agencies. In addition, examiners were to assess the
institution's internal controls and independent audit function, as well
as the institution's BSA/AML program, officer, and training.
Examiners were to use an institution's risk profile to determine the
nature and extent of procedures to be performed during the examination.
If the institution's risk profile was low, examiners generally were to
conduct what are variously referred to as basic, core, or limited
examination procedures. In addition to the basic procedures previously
mentioned, examiners could perform transaction testing, depending on
the regulator's examination requirements. If an institution's risk
profile was high or examiners identified BSA compliance problems (e.g.,
with the institution's BSA/AML policies, procedures, programs, or
internal controls), examiners generally were to conduct expanded
procedures in high-risk areas or the areas of identified deficiencies.
Finally, in concluding the examinations, examiners were to consult with
their supervisors on examination findings, include recommendations in
examination reports, and consult with institutions' management about
any corrective actions. Subsequently, examiners were to prepare the
report of examination--detailing the scope, compliance risk, findings,
recommended corrective actions, and management's commitment to take
corrective action. The report of examination is also to indicate any
corrective actions completed by management before the end of the
examination. Examiners were to perform follow-up activities between
examinations, or at the next scheduled examination, to verify
compliance with corrective actions.
Under pre-2005 guidance, the regulators did not consistently require or
document transaction testing. The regulators required transaction
testing in examinations of larger institutions with higher asset
levels, but not always at smaller institutions. From each regulator,
GAO reviewed about 30 examinations that were conducted between January
2000 and June 2004. This review, when coupled with GAO's review of
regulator guidance and examination manuals, showed instances where
documentation of examination procedures varied widely and regulators
did not consistently require or document transaction testing. Our
examination review found less documentation of transaction testing in
examinations at smaller institutions with lower assets--such as the
community banks and savings associations--than at larger institutions
with higher assets. The Office of Thrift Supervision (OTS), FDIC, and
NCUA examination guidance permitted examiners to exercise their
professional judgment in determining whether to perform transaction
testing. The Office of the Comptroller of the Currency (OCC) required
transaction testing for large banks, and the Federal Reserve required
that some transaction testing be performed in all examinations.
Since 2004, State Banking Departments Have Become More Involved in BSA
Compliance:
As recently as 2004, about one-third of state banking departments
reported not examining for BSA compliance; however, state banking
departments since have taken a more active role in conducting these
reviews. In some states, federal examiners independently reviewed
institutions or reviewed institutions jointly with examiners from state
banking departments. According to a Federal Reserve official, the
frequency of these examinations and the decision of whether to perform
the review jointly depended on the institution's risk level. In
addition, during the course of GAO's work and in response to an FDIC
Inspector General recommendation, FDIC announced in 2004 that its
examiners would conduct reviews for BSA compliance during examinations
of FDIC-supervised institutions led by state banking departments that
do not cover BSA compliance. The number of state banking departments
that conduct these reviews has increased in recent years. According to
officials from some state banking departments, because of the increased
attention to AML and terrorist-financing issues following September 11,
2001, some state banking departments began examining for BSA compliance
or expanded the scope of existing reviews. Results of a Conference of
State Bank Supervisors query of its members indicated that, as of
November 2005, 45 state banking departments were reviewing for BSA
compliance.[Footnote 8] In general, whether recently examining for BSA
compliance or continuing well-established procedures, state examiners
used the regulators' examination procedures to examine for BSA
compliance.
Beginning in 2004, state banking departments, the regulators, and
FinCEN increased coordination on BSA-related examination and
information-sharing activities. In addition, the regulators also began
training state examiners on reviewing for BSA compliance. As of March
2006, 36 state banking departments had signed MOUs with FinCEN aimed at
further improving coordination of BSA/AML activities. According to
FinCEN, these agreements provide the framework for enhanced
collaboration and information sharing between federal and state
agencies that will allow FinCEN to better administer the BSA, while
simultaneously assisting state agencies to better fulfill their roles
as financial institution departments. In March 2006, FinCEN was
receiving data for the fourth quarter of 2005 from the states.
Regulators Have Promoted Consistency in Examinations in Recent Years by
Adopting Interagency Procedures and Expanding Training:
During the course of GAO's work, the regulators took a number of steps
to promote consistency of BSA examinations, including issuing new
interagency procedures and revising and expanding examiner training. To
disseminate new information and increase knowledge of the BSA and
related issues, the regulators have increased training on the BSA and
the PATRIOT Act and have coordinated efforts to educate staff on the
interagency procedures. Some regulators also have focused on developing
more BSA/AML specialist examiners.
New Interagency Procedures Create a Framework for Consistent BSA
Examination Processes:
In June 2005, the regulators, in collaboration with FinCEN, issued a
new BSA/AML examination manual through the Federal Financial
Institutions Examination Council (FFIEC).[Footnote 9] In the
regulators' view, the FFIEC Bank Secrecy Act Anti-Money Laundering
Examination Manual (FFIEC Examination Manual) is the product of best
practices among the regulators and aims to promote procedural
consistency in the conduct of BSA examinations at all depository
institutions. In contrast to previous guidance, the FFIEC Examination
Manual organizes guidance on risk assessment procedures primarily in
one place--that is, in the core overview scoping and planning section.
The manual also comprehensively describes risk assessments for BSA
examinations, taking examiners from the planning stages to using
conclusions to develop risk profiles. The manual recognizes that,
depending on the specific characteristics of the product, service, or
customer, the risks are not always the same. The manual also states
that as new products or services are introduced, the institution's
management's evaluation of money laundering and terrorist-financing
risks should evolve. The FFIEC core examination procedures provide
uniform guidance for examiners to follow when validating the
independent audit as part of the planning and scoping of the BSA
examination. The expanded sections of the manual provide guidance on
specific lines of business or products that may present unique
challenges and exposures for which institutions should institute the
appropriate policies, procedures, and processes.
Furthermore, the FFIEC Examination Manual requires transaction testing
at each examination, regardless of the institution's BSA risk level,
and emphasizes the importance of transaction testing for making
conclusions about the integrity of the institution's overall controls
and risk management processes. The manual further requires that
transaction testing be conducted to evaluate the
adequacy of the institution's compliance with regulatory requirements
and the effectiveness of its policies, procedures, processes, and
suspicious activity monitoring systems. According to the manual,
examiners perform transaction testing to evaluate the adequacy of an
institution's compliance with regulatory requirements or to determine
whether its policies, procedures, processes, and suspicious activity
monitoring systems are effective.
Regulators Have Increased Their Focus on BSA-Related Skills and
Training:
Although each regulator provides BSA/AML training to its examiners,
each approaches training differently. OTS and NCUA require all new
staff to attend a basic AML training course. OTS and NCUA used regional
conferences to train examiners on BSA issues. The Federal Reserve
requires all staff seeking to obtain an examiner commission to
successfully complete a BSA/AML proficiency test.[Footnote 10] FDIC
requires all examination staff to obtain BSA/AML training through
classroom or Web-based training. OCC offers four different training
schools as well as specialized BSA/AML training on a voluntary basis to
certain staff. In addition to their own training, regulators also used
interagency or outside venues to train staff. Regulators also updated
their AML training to cover all of the relevant provisions of the
PATRIOT Act.
After the issuance of the new procedures on June 30, 2005, FFIEC
coordinated a far-reaching effort to train examiners and the industry
on the new procedures, holding a series of training events across the
country. State banking departments also participated in training on the
FFIEC Examination Manual.
Although safety and soundness and compliance examiners primarily
perform BSA/AML examinations, some regulators use examiners with
specialized skill to provide training, serve as a resource to other
examiners, or assist on complex examinations. All of the regulators
offer career paths and options for becoming a BSA subject matter
expert.[Footnote 11] More recently, some regulators have planned to
train or increase substantially the number of subject matter experts
they have to help meet PATRIOT Act requirements and address the
increasing complexity of BSA examinations.
Regulators Improved Tracking of BSA Examination and Violations Data,
but Differences in Terminology Could Result in Inconsistencies:
The regulators use various internal control mechanisms to monitor BSA
examinations, and recent improvements in their automated examination
and enforcement data systems have enabled them to better track and
report BSA information. The regulators are able to more readily share
BSA-related information, a particularly important ability in light of
the MOU regulators signed with FinCEN in September 2004. However, the
regulators differ on how they classify and define some BSA compliance
problems.
Changes to Regulators' Data Systems Have Enabled Them to Better Track
BSA Data:
Regulators use automated data systems to store and track examination
data and information on supervisory and enforcement actions. Since
2000, all of the regulators have changed or upgraded their data systems
to improve their recording and monitoring capabilities. To varying
degrees, previous iterations of these data systems limited regulators'
ability to monitor and report BSA-related examination results in a
comprehensive and timely manner. For example, before 2001, NCUA
manually collected information on BSA-related violations; however, in
2001, NCUA began to redesign its information technology system. NCUA's
system now allows it to track more BSA data, including violations and
any corrective actions institutions had implemented. Similarly, until
the late 1990s, OTS generally tracked BSA data manually, but currently
OTS has an Internet-based system that comprehensively tracks BSA
examination results. FDIC upgraded its systems to better track
violations and the status of corrective actions. OCC has separate
systems to track BSA results for large banks and midsize and community
banks. OCC's improvements to its system for data on large banks include
the increased ability to search the full text of examinations,
including BSA reviews. The Federal Reserve for some years has had
national supervisory data systems that maintain both data and
electronic copies of examination and enforcement documents. These
systems were, and continue to be, accessible to all appropriate
supervisory staff across the Federal Reserve System. Until recently,
the national data system (national examiner database) did not
separately track BSA/AML violation data. In 2003, the Federal Reserve
began to enhance its national examiner database to capture BSA/AML
violations or other BSA examination-related data.
GAO's review of the regulators' data indicated that the number of
BSA-related violations generally increased in recent years. Among the
frequently cited violations in 2003 and 2004 were violations issued in
connection with currency transaction reporting requirements.
Furthermore, some regulators cited more BSA violations with greater
specificity in later years. For example, FDIC officials indicated that
FDIC's current data system, which was implemented in 2003, now
specifies subsections of BSA-related regulations that institutions have
violated.
In September 2004, the regulators and FinCEN entered into an MOU under
which the regulators provide FinCEN with quarterly reports on the
number of BSA-related examinations they have conducted, the number and
types of BSA violations they cited, and the institutions they cited for
repeat violations. The MOU requires FinCEN, in turn, to provide the
regulators with reports and analyses of the data submitted by the
regulators. As of February 2006, the regulators had provided FinCEN
with five quarters of data and two annual reports.[Footnote 12] FinCEN
provided the regulators with aggregated data, which identified certain
compliance issues that the regulators could work to address with the
institutions they supervise. FinCEN's longer term goal is to provide
BSA compliance analyses across the financial services sector. All of
the regulators have begun to analyze for their own purposes the BSA
compliance data they receive from FinCEN. FinCEN and the regulators
have not yet discussed as a group the implications of the violation
data, and whether there was a need for additional guidance to examiners
so that they could address problem areas that the regulators have been
identifying.
Differences Remain in Regulators' Guidance and Terminology for
Classification of BSA Noncompliance:
Although the regulators and FinCEN increasingly have been enhancing and
coordinating information sharing and reporting, differences in how the
regulators classify BSA compliance problems remain. For example,
regulators differ in the guidance they provide examiners for
determining what constitutes a violation, with one regulator not
providing any written guidance and others differing in the degree of
guidance provided. Furthermore, the regulators' instructions on BSA
enforcement, which also provide guidance for interpreting or
classifying BSA problems, do not clearly define the terms--intended as
criteria for determining the seriousness or scope of a compliance
problem--on which those classifications would be based. When GAO
reviewed the regulators' BSA examinations, it generally found that the
distinction between violations and deficiencies appeared to be that
violations represented some action or inaction prohibited by the BSA
and implementing regulations, and deficiencies did not. Additionally,
there appears to be no clear consensus among examiners regarding how to
distinguish between BSA deficiencies and violations.
FinCEN officials said that, in drafting the terms of the MOU, the issue
of different terminology was discussed, and that FinCEN and the
regulators agreed not to impose any requirements for standardized
terminology in the MOU itself. Instead, the MOU requires the regulators
to provide FinCEN with information on instances of "significant"
noncompliance, regardless of whether the regulator classified it as a
violation or a deficiency--that is, all problems for which the
regulator is taking supervisory action are to be reported to FinCEN.
FinCEN officials said they had to work with the regulators to determine
the appropriate information to be provided.
In GAO's review of the regulators' examinations, examiners appeared to
have classified apparently similar BSA problems differently. In some
cases, examiners cited institutions with "deficiencies," and, in other
cases, they cited institutions with "violations." As a result, examiner
judgment likely plays a greater role in classifying BSA problems. In
turn, this could increase the potential for inconsistencies in
classifying compliance problems and subsequent citations. However,
regulators emphasized that other factors, such as an institution's risk
profile or the diversity of its operations and products, also help
explain the differences in the way BSA compliance problems were cited
and classified.
Regulators and FinCEN Increased Coordination on BSA Enforcement, and
Criminal Cases against Depository Institutions Were Limited:
Although the regulators can use a variety of tools to address
BSA-related compliance problems, according to the regulators, most
BSA-related problems are resolved during the course of an examination.
FinCEN also uses a range of enforcement tools to address BSA
noncompliance problems, and FinCEN alone can assess CMPs under the BSA.
FinCEN and the regulators have increased coordination on enforcement
since their September 2004 MOU. While FinCEN and the regulators pursue
a variety of enforcement actions for BSA compliance problems, Justice
has pursued a limited number of criminal cases against depository
institutions for BSA violations.
Most BSA Noncompliance Is Addressed during Examinations, but Regulators
Recently Increased Coordination on Formal Enforcement Actions:
Although regulators use a broad range of actions to address BSA
compliance, according to the regulators, most problems in BSA-related
compliance are corrected within the examination framework through
supervisory actions. GAO's review of 138 examinations--which were
conducted between January 1, 2000, and June 30, 2004, and contained BSA
violations--also indicated that the regulators most frequently
addressed BSA compliance problems through supervisory actions. The
regulators largely obtained oral commitments to correct identified
problems from an institution during meetings with its management or
boards of directors. Representatives of some regulators noted that if
supervisory actions proved insufficient or problems required stronger
action, the regulators generally would use informal enforcement
actions, such as commitment letters, reflecting specific commitments to
take corrective actions in response to problems or concerns. Informal
enforcement actions are exercises of the regulators' authority to
supervise financial institutions and generally are used to address BSA
noncompliance that is limited in scope and technical in nature. To
address significant BSA/AML program and BSA violations, the regulators
generally use formal enforcement actions. Formal enforcement actions
are written documents that are disclosed to the public and are
generally more severe than supervisory and informal actions and
generally are enforceable through the assessment of CMPs and through
the federal court system.
The regulators are not authorized under the BSA to take formal
enforcement actions for violations--that delegated authority rests
solely with FinCEN. Title 12 of the United States Code authorizes the
regulators to take formal enforcement action if they determine that a
depository institution is engaging in unsafe or unsound practices or
has violated any applicable law or regulation. The regulators have
interpreted this authority to include violations of the BSA and its
implementing regulations when taking formal enforcement actions aimed
at addressing violations of BSA/AML program requirements. FinCEN, the
administrator of the BSA, takes enforcement action against BSA
compliance problems at financial institutions, including, but not
limited to, depository institutions. Unlike the regulators, FinCEN can
take such action because it is specifically authorized to do so in the
BSA and its implementing regulations. According to officials at FinCEN
and the regulators, coordination among these agencies on enforcement
issues has improved dramatically in recent years.
Justice Has Pursued a Limited Number of Cases against Depository
Institutions for BSA Noncompliance:
From 2002 to 2005, Justice, either through its Criminal Division or its
U.S. Attorneys' Offices, has pursued investigations of six depository
institutions for criminal violation of the BSA.[Footnote 13] The
disposition of the criminal cases has varied, but each case included
monetary penalties. Justice officials said that the number of cases in
which the depository institution was the criminal BSA offender was
limited, and that the department had pursued significantly more cases
against individuals for BSA offenses. According to a senior Justice
official, egregious failures to perform a minimal level of due
diligence over a number of years triggered the cases against the
depository institutions. Additionally, Justice officials and
investigators said that most investigations of depository institutions'
criminal violations of the BSA generally originated during law
enforcement investigations of the institutions' customers. In July
2005, Justice amended the U.S. Attorney's Manual to direct prosecutors
to formalize coordination on cases against financial institutions for
money laundering and certain BSA offenses.
Recommendations for Executive Action:
This report makes three recommendations to build on the current level
of coordination, continue to improve BSA administration, and ensure
that emerging compliance risks are addressed. GAO recommends that the
Director of FinCEN and the Comptroller of the Currency, the Chairman of
the Federal Reserve, the Chairman of FDIC, the Director of OTS, and the
Chairman of NCUA, (1) work together to make sure emerging risks in
money laundering and terrorist financing are effectively communicated
to examiners and the industry through updates of the interagency
examination manual and other guidance, as appropriate; (2) periodically
meet to review BSA violation data to determine if they indicate a need
for additional guidance; and (3) jointly assess the feasibility of
developing a uniform classification system for BSA compliance problems.
Agency Comments and GAO Evaluation:
GAO provided a draft of this report for review and comment to the
Departments of Homeland Security, Justice, and the Treasury; the Board
of Governors of the Federal Reserve System; the Federal Deposit
Insurance Corporation; the National Credit Union Administration; the
Office of the Comptroller of the Currency; and the Office of Thrift
Supervision. The Department of Homeland Security, Justice, and the
regulators provided technical comments, which were incorporated into
this report where appropriate.
FinCEN and the regulators provided written comments on the draft report
in a joint letter, which is reprinted in appendix II. In their letter,
they said they support GAO's recommendations and are committed to
ongoing interagency coordination to address them through the formal
processes they have in place, particularly the FFIEC BSA/AML Working
Group. They also said that they are committed to their role in ensuring
that depository institutions are in compliance with BSA/AML
requirements, and that they will continue to devote significant
resources to make certain institutions correct deficiencies in their
BSA/AML programs as promptly as possible.
Justice also provided written comments, which are reprinted in appendix
III. In its letter, Justice said that the draft report provided an
instructive perspective where it examined the evolution of the
relationship between FinCEN, the regulators, and the banks, but that
the draft did not provide the same perspective when examining how the
examination process meets the needs of law enforcement as the end users
of the information. GAO's objectives were to review how the regulators
examine for BSA compliance, track and resolve violations, and take
enforcement actions. While a review of the reports that depository
institutions produce under the BSA that law enforcement uses in its
investigations would be instructive, it was outside of the scope of
this review. Justice also said that, as a direct result of the success
and efforts by the regulated industry, drug traffickers have been
forced to seek alternate methods and means of using those institutions
to launder their illicit proceeds. Justice further commented that
banking regulator practices and the examination process have
historically focused more on the placement of those funds into the
financial system, and that current investigative efforts suggest that
it may prove beneficial to adapt and focus on the layering of those
proceeds. To this end, Justice suggested a need for greater outreach
and collaboration between law enforcement and regulators familiar with
evolving trends. Finally, Justice said that the draft report reflected
the efforts made with the revisions to the examination manual and
commented that these are positive developments that should bring
continuity to examination practice, which will be welcomed by the
industry.
[End of section]
Chapter 1:
Introduction:
Since the enactment of the Bank Secrecy Act (BSA) in 1970, the U.S.
government's framework for preventing, detecting, and prosecuting money
laundering has evolved through amendments to the BSA and the enactment
of additional related legislation.[Footnote 14] The most recent
comprehensive amendments to the BSA were made through the Uniting and
Strengthening America by Providing Appropriate Tools Required to
Intercept and Obstruct Terrorism Act (PATRIOT Act) of 2001.[Footnote
15] Key legislation has supplemented or amended the BSA, expanding its
reporting, record-keeping, and enforcement provisions. Federal
financial regulators and other federal agencies work within this
framework to carry out BSA requirements. The regulators have
responsibility for examining depository institutions for compliance
with BSA requirements, while overall responsibility for BSA
administration rests with the Department of the Treasury (Treasury),
through the Financial Crimes Enforcement Network (FinCEN).[Footnote 16]
The regulators conduct reviews of BSA compliance as part of their
regular examination process. They take a risk-focused approach targeted
to the institution's key areas of risk or specific problems.
Successive Legislation Has Expanded the Responsibility to Combat Money
Laundering:
The federal government's framework for preventing, detecting, and
prosecuting money laundering has been expanded through additional
legislation since its inception in 1970 with the BSA.[Footnote 17] The
BSA required, for the first time, that financial institutions maintain
records and reports that financial regulators and law enforcement
agencies have determined have a high degree of usefulness in criminal,
tax, and regulatory matters. The BSA authorizes the Secretary of the
Treasury to issue regulations on the reporting of certain currency
transactions. The BSA has the following three main objectives: create
an investigative audit trail through regulatory reporting standards;
impose civil and criminal penalties for noncompliance; and improve the
detection of criminal, tax, and regulatory violations.
The reporting system initially implemented under the BSA was by itself
an insufficient response to combat underlying money laundering activity
because, before 1986, the BSA contained sanctions for failing to file
reports or for doing so untruthfully, but it did not contain sanctions
for money laundering. The Money Laundering Control Act of 1986 (MLCA)
made money laundering a criminal offense, separate from any BSA
reporting violations.[Footnote 18] The MLCA created criminal liability
for individuals or entities that conduct monetary transactions knowing
that the proceeds involved were obtained from unlawful activity, and
the act made it a criminal offense to knowingly structure transactions
to avoid BSA reporting. Penalties under the MLCA include imprisonment,
fines, and forfeiture. The MLCA also directed each regulator to
prescribe regulations requiring insured depository institutions to
establish and maintain procedures reasonably designed to ensure and
monitor compliance with the reporting requirements of the BSA. To
further assist the effectiveness of the BSA, pursuant to this
requirement, the regulators promulgated regulations requiring insured
depository institutions to establish and maintain procedures designed
to ensure compliance with the requirements of the BSA--a BSA and Anti-
Money Laundering (AML) program (BSA/AML program).[Footnote 19]
The Annunzio-Wylie Anti-Money Laundering Act of 1992 (Annunzio-Wylie)
amended the BSA in a number of ways.[Footnote 20] It authorized
Treasury to require financial institutions to report any suspicious
transaction relevant to a possible violation of a law. It also
authorized Treasury to require financial institutions to carry out AML
programs and promulgate record-keeping rules relating to funds transfer
transactions. Annunzio-Wylie also made the operation of an illegal
money-transmitting business a crime.
The Money Laundering Suppression Act of 1994 (MLSA) sought to improve
the BSA in at least two notable ways.[Footnote 21] First, to ensure
that bank examiners use the most effective means through the
examination process to identify and report money laundering, the MLSA
directed the regulators, in consultation with the Secretary of the
Treasury and the appropriate law enforcement agencies, to enhance the
regulators' training and examination procedures to improve their
identification of money laundering schemes. To assist the regulators in
this process, the MLSA also required each appropriate law enforcement
agency to regularly share information with the regulators regarding
emerging money laundering schemes. Second, the MLSA sought to improve
the timeliness with which BSA civil penalty cases were processed.
Before the enactment of the MLSA, Treasury's Office of Financial
Enforcement processed BSA civil penalty cases using a cumbersome
process that often prevented the office from pursuing cases because the
statute of limitations had expired. Accordingly, the MLSA amended the
BSA to direct the Secretary to delegate any authority to assess civil
money penalties (CMP) on depository institutions to the appropriate
regulators, which already had penalty authority and experience under
other banking laws.
As authorized by Annunzio-Wylie, in 1996, FinCEN issued a rule
requiring banks and other depository institutions to report, using a
Suspicious Activity Report (SAR) form, certain suspicious transactions
involving possible violation of law or regulation, including money
laundering. During the same year, the regulators issued regulations
requiring all depository institutions to report suspected money
laundering, as well as other suspicious activities, using the SAR form.
The regulators also placed SAR requirements on the subsidiaries,
including broker-dealer firms, of the depository institutions and their
holding companies under their jurisdiction.
In the wake of the September 11, 2001, terrorist attacks, Congress
enacted the PATRIOT Act on October 26, 2001, prompted, in part, by an
enhanced awareness that combating terrorist financing as part of the
U.S. government's overall AML efforts was important because terrorist
financing and money laundering both involve similar techniques. Title
III of the PATRIOT Act, among other things, expanded Treasury's
authority to regulate the activities of U.S. financial institutions;
required the promulgation of regulations; imposed additional due
diligence requirements; established new customer identification
requirements; and required financial institutions to maintain AML
programs. In addition, title III defined new money laundering crimes
and increased penalties for previously established crimes.
Regulators and Other Federal Agencies Carry Out BSA Requirements:
Implementation of the BSA's regulatory and enforcement structure
involves many different federal agencies. The Secretary of the Treasury
delegated overall authority for enforcement of, and compliance with,
the BSA and its implementing regulations to the Director of FinCEN. In
addition, FinCEN has the authority to issue regulations; collects,
analyzes, and maintains the reports and information filed by financial
institutions under the BSA; makes those reports available to law
enforcement and regulators; and ensures financial institution
compliance through enforcement actions aimed at applying the
regulations in a consistent manner across the financial services
industry. FinCEN also plays a role in analyzing BSA information to
support law enforcement.
Although FinCEN is responsible for ensuring compliance with BSA
regulations, FinCEN does not examine financial institutions, including
depository institutions, for compliance. Rather, in 1994, the Secretary
of the Treasury delegated BSA examination authority to the regulators.
The five regulators that oversee financial institutions and examine
them for compliance with the BSA and implementing regulations are the
Board of Governors of the Federal Reserve System (Federal Reserve), the
Office of the Comptroller of the Currency (OCC), the Office of Thrift
Supervision (OTS), the Federal Deposit Insurance Corporation (FDIC),
and the National Credit Union Administration (NCUA). The specific
regulatory configuration depends on the type of charter the depository
institution chooses. Banks are regulated at the federal level alone if
they are chartered by a federal regulator, such as OCC or OTS, or by
federal and state banking departments if they are state-chartered
institutions. State banking departments supervise commercial and
savings banks with state bank charters, while the Federal Reserve or
FDIC serves as the primary federal regulator for these institutions. OTS
is the supervisor for state-chartered savings associations.
In August 2004, FinCEN created an Office of Compliance to oversee and
work with the federal financial regulators on BSA examination and
compliance matters. FinCEN signed a memorandum of understanding (MOU)
with the banking regulators in September 2004 that laid out procedures
for the exchange of certain BSA information. The MOU requires that the
regulators provide information on examination policies and procedures
and on significant BSA violations or deficiencies that have occurred at
the financial institutions they supervise, including relevant portions
of examination reports and information on follow-up and resolution. The
MOU also requires FinCEN to provide information to the regulators,
including information on FinCEN enforcement actions and analytical
products that will identify various patterns and trends in BSA
compliance.
Furthermore, agencies under the Departments of the Treasury, Justice,
and Homeland Security are to coordinate with each other and with
federal financial regulators in combating money laundering and
terrorist financing. In addition to FinCEN, the Internal Revenue
Service (IRS), through its Criminal Investigation division, uses BSA
information and investigates possible cases of money laundering.
Justice components involved in efforts to combat money laundering and
terrorist financing include the Criminal Division's Asset Forfeiture
and Money Laundering Section and Counterterrorism Section; the Federal
Bureau of Investigation; the Bureau of Alcohol, Tobacco, Firearms, and
Explosives; the Drug Enforcement Administration; the Executive Office
for U.S. Attorneys; and U.S. Attorneys' Offices. The Department of
Homeland Security's Bureau of Immigration and Customs Enforcement (ICE)
also investigates cases involving money laundering and terrorist-
financing activities.
Regulators Generally Address BSA Issues through Safety and Soundness or
Targeted Examinations:
The regulators conduct reviews of BSA compliance as part of their
safety and soundness examinations or as targeted examinations focused
on BSA compliance.[Footnote 22] Safety and soundness examinations are
periodic on-site examinations conducted to assess an institution's
financial condition; policies and procedures; and adherence to laws and
regulations, such as the BSA. Generally, these examinations are
performed every 12 to 18 months for institutions, including community
banks, midsize banks, savings associations, and credit unions, among
others, based on the institutions' risk.
More specifically, the frequency of safety and soundness examinations
is dependent on the CAMELS rating assigned by the regulator to the
institutions.[Footnote 23] For example, if institutions are rated low
risk, a rating of "1" or "2," examinations would be performed every 18
months. If rated as a higher risk, institutions would be examined at
least annually. Examination frequency can also be affected by alternate-
year examination program arrangements between the regulators and state
banking departments.[Footnote 24] At large complex banking
organizations and large banks, some regulators conduct on-site targeted
examinations on a continuous basis in cycles of 36 months.
Additionally, the regulators perform targeted (BSA/AML-focused)
examinations of banks. The regulators may perform targeted examinations
on an "as-needed" basis, because of an unforeseen risk requiring more
immediate attention, or to determine whether the institution had taken
corrective actions to address problems identified during regular
examinations.
The regulators take a risk-focused approach to BSA examinations, which
are targeted to the institution's key areas of risk or specific
problems. This approach recognizes that attempts to launder money,
finance terrorism, or conduct other illegal activities through a bank
can come from many different sources, and certain products, services,
customers, and geographic locations may be more vulnerable or have been
historically abused by money launderers and criminals. In BSA
examinations, the risk-focused approach enables regulators to apply the
appropriate scrutiny and devote examination resources to business lines
or areas within depository institutions that pose the greatest risk for
BSA noncompliance, such as funds transfers, private banking,
international correspondent banking, and large cash transactions.
According to some regulators, the risk-focused approach promotes a more
efficient and effective manner of conducting BSA examinations and
provides other benefits. In addition to focusing on the major areas of
risk, this approach enables examiners to identify risks proactively,
determine how well risks are managed over time, and streamline
documentation to support areas of risk. It also reduces the regulatory
burden on institutions by limiting examinations of institutions to
specific areas of risk and allows regulators to schedule examinations
according to the institutions' level of risk, thereby resulting in less
frequent examinations for lower risk institutions. The risk-focused
approach further encourages compliance of institutions by factoring the
institutions' risk mitigation or management of risks or corrective
actions into the institutions' risk level.
Objectives, Scope, and Methodology:
As requested by the Senate Committee on Banking, Housing, and Urban
Affairs, we conducted a review of the examination and enforcement
programs of the federal banking, thrift, and credit union regulators
that was directed at compliance with the BSA by depository institutions
in the United States. Specifically, our objectives were to determine
how (1) the regulators examined for BSA compliance by the depository
institutions they supervise, (2) the regulators have updated
examination procedures and trained examiners since the passage of the
PATRIOT Act, (3) the regulators identify and track BSA violations to
ensure timely corrective actions at the institutions they examine, and
(4) enforcement actions are taken for violations of the BSA.
To determine how the regulators assess BSA compliance, we conducted
structured interviews with examiners and policy officials from each of
the regulators as well as several state banking departments.[Footnote
25] Additionally, we reviewed the results of an inquiry of the BSA-
related examination and enforcement practices of state banking
departments conducted by an industry organization. We also reviewed BSA
amendments and other relevant federal banking statutes and collected
data on the number of examinations that included a BSA-related
violation and that were conducted by each regulator between January 1,
2000, and June 30, 2004. In general, the regulators produced these data
from their respective information systems and reporting processes used
to collect and track information on examinations and violations.
Because there was some variability in how the regulators defined
examinations and violations, these data were not comparable.
From May 2004 through July 2004, we conducted reliability assessments
of most regulators' BSA-related data and related information systems
and determined that they were generally reliable for our purposes. Our
data reliability assessments generally involved the testing of data
relating to BSA violations and enforcement actions for completeness and
accuracy, and interviewing and obtaining written responses from
officials about the management of these data. Through the data
reliability assessments, we determined that for our purposes, the data
from OCC, FDIC, OTS, and NCUA were complete and accurate. However, we
could not complete our assessment of the Federal Reserve's systems
because Federal Reserve officials were unable to provide us, in a
timely manner, with the system-related information that we
requested.[Footnote 26] Although the Federal Reserve collected summary
information about BSA-related examinations and violations from January
1, 2000, to January 1, 2003, at the time of our request, the Federal
Reserve did not track certain specific BSA data in its systems.
Therefore, Federal Reserve officials were unable to provide us with
certain information in a manner that would have allowed us to complete
our testing.
We selected 30 examinations each from OCC, FDIC, OTS, and NCUA that
identified BSA-related violations. The Federal Reserve identified 26
examinations, conducted between January 1, 2000, and June 30, 2004,
that involved a BSA-related violation. We initially selected all 26
examinations for our review, but reviewed only 18 of the 26
examinations. We eliminated 6 examinations from the review because they
involved multiple reviews of individual institutions that covered
different examination target areas but shared common examination
documentation, which complicated our ability to isolate different
events within examinations. We eliminated an additional 2 examinations
because they took place before our sample time frame. In total, we
reviewed 138 examinations.
Although we randomly selected individual examinations from each
regulator, the number of sampled examinations is small and is not
representative of the universe of total examinations that each
regulator conducts annually. Therefore, we could not use the results of
our sample review to generalize about the regulators' application of
examination procedures. However, our review of the examinations allowed
us to describe how regulators applied their respective BSA/AML
examination procedures in the sampled examinations. Table 1 shows the
sample size for each regulator that we reviewed.
Table 1: Data Collection Instrument Sample:
Regulator          Number of BSA examinations with one or more    Sample size
                   BSA violations from which we sampled
FDIC               713                                            30
Federal Reserve    26                                             18
NCUA               873                                            30
OCC                624                                            30
OTS                703                                            30
Total              [Empty]                                        138
Source: GAO.
[End of table]
After selecting our sample of examinations, we requested from each of
the regulators the examination reports and related work papers
associated with each examination. To review the examination
documentation, we developed a data collection instrument by reviewing
the BSA requirements and the examination procedures developed by the
regulators. We used the data collection instrument to collect
information on several aspects of BSA examinations, including the BSA
activities reviewed and tested by examiners as well as the nature of the
violations identified in each examination. The conclusions that we made
about the sampled examinations were based solely on what examiners
identified and documented during their examinations. Because we did not
interview the examiners who conducted the sampled examinations or
conduct additional examinations of these depository institutions, we
made no judgments about whether examiners properly identified BSA
noncompliance during the examinations. After one GAO analyst reviewed
each examination using the data collection instrument, an additional
GAO analyst reviewed the same examination using the data collection
instrument a second time to ensure the reliability of our coding of the
review questions and the accuracy of data entry.
To determine how BSA violations were resolved, we performed additional
analysis of a subset of our sample examinations with repeat BSA
violations. We selected a small number of institutions with repeat
violations for additional analysis. As part of this analysis, we (1)
reviewed, to the extent available, reports of examination and
supporting documentation provided by the regulators in which the
violations were initially identified and (2) attempted to track them to
the most current report of examination available, to determine the
status of corrective action. However, the documentation we reviewed did
not allow us to reach any conclusions on how the repeat violations in
our sample were resolved; therefore, this analysis is not included in
the report.
To determine the extent to which the regulators updated examination
procedures and trained examiners, we reviewed the regulators'
examination policies, guidance, and procedures. We also collected
information on examiner training courses related to AML and the number
of examiners trained in 2004 and 2005. We interviewed examiners and
policy officials on their examination guidance and training programs,
including the newly issued Federal Financial Institutions Examination
Council's (FFIEC) Bank Secrecy Act Anti-Money Laundering Examination
Manual (FFIEC Examination Manual). We observed one AML training course
taught by FFIEC and also participated in the FFIEC Examination Manual
outreach events that were provided to industry and examination staff in
August 2005.
To determine the extent to which the regulators monitored their
respective BSA/AML examination programs, we reviewed the regulators'
documentation relating to their systems, interviewed policy officials
on their monitoring policies, and reviewed Inspectors General (IG)
reports. We followed up on issues raised by the IGs, and obtained
written responses from and interviewed data management personnel.
Additionally, we reviewed the MOU adopted by FinCEN and the regulators
and interviewed examiners and policy officials from each of the
regulators and FinCEN on the MOU requirements, on case referrals to
FinCEN, and on the different terminologies the regulators use to
describe noncompliance with the BSA.
To determine how enforcement actions are taken for violations of the
BSA, we reviewed relevant BSA amendments, Treasury regulations and
guidance, banking statutes, and documentation of selected closed
examinations involving BSA violations. To determine how action is taken
against criminal violation of the BSA by depository institutions, we
reviewed public documentation on the associated investigations and case
dispositions. In certain cases, we interviewed investigators involved
in selected closed cases. We also interviewed officials at FinCEN, ICE,
Justice, and the regulators regarding depository institutions' criminal
BSA violations.
We conducted our work in New York, New York; San Francisco, California;
and Washington, D.C., between January 2004 and March 2006 in accordance
with generally accepted government auditing standards. We requested
comments on a draft of this report from the heads, or their designees,
of the Departments of Homeland Security, Justice, and the Treasury; the
Board of Governors of the Federal Reserve System; the Federal Deposit
Insurance Corporation; the National Credit Union Administration; the
Office of the Comptroller of the Currency; and the Office of Thrift
Supervision. FinCEN and the regulators provided written comments in a
joint letter, which is reprinted in appendix II. Justice also provided
written comments, which are reprinted in appendix III. The Department
of Homeland Security, Justice, and the regulators provided technical
comments, which we incorporated where appropriate.
[End of section]
Chapter 2:
Regulators Used Similar Procedures for BSA Examinations, but under Pre-
2005 Guidance, Their Application Could Vary Widely:
Before 2005, the regulators used separate examination guidance to
review BSA compliance at depository institutions, although the
examination procedures generally were similar. Examination activities
included planning and scoping; creation of risk profiles; and
supervisory consultation, reporting, and corrective actions. In
addition to undertaking these procedures, examiners also exercised
professional judgment in determining the manner or extent to which
certain procedures were conducted. Although the basic examination
procedures were similar for all of the regulators, under pre-2005
guidance, documentation requirements and documentation of certain
procedures could vary widely. In addition, most state banking
departments that review state-chartered depository institutions for BSA
compliance generally use federal BSA examination procedures. In recent
years, more state banking departments have conducted BSA examinations
and increased their coordination with the regulators and FinCEN.
Examiners Took Similar Steps to Prepare for, Determine Scope of, and
Report on BSA Examinations:
In general, the procedures that examiners have used (and continue to
use) to prepare for and report on examinations were similar (see fig.
1).[Footnote 27] For example, guidance called for planning and scoping
activities to result in the creation of a risk profile for the
institution to be examined. Examiners also were to draw on similar
sources of information to create the risk profiles, including the
institution's internal assessments and information from other federal
agencies. Examiners were then to use the profiles to determine the
scope of the examinations. Finally, in concluding the examinations,
guidance called for examiners to consult with their supervisors on
examination findings, include recommendations in examination reports,
and confer with institutions' management about any corrective actions.
Figure 1: BSA Examination Procedures:
[See PDF for image]
[A] As of June 30, 2005, transaction testing was required in all BSA
examinations.
[End of figure]
Planning Activities for Examinations Culminate in a Risk Profile:
In planning, guidance called for examiners to conduct risk-assessment
procedures to evaluate an institution's potential for BSA
noncompliance, money laundering, or terrorist financing. To perform the
risk assessments, examiners were to gather and analyze information from
the institutions or other sources about operational procedures or
activities that might expose the institutions to risk in these areas.
More specifically, the examiners could use other sources, such as prior
examination reports and related work papers. Examiners also gathered
information from the institutions themselves, such as documents on BSA/
AML policies and programs, audit reports, and products and services
offered. Finally, examiners were to draw upon information, such as SARs
and Currency Transaction Reports (CTR), which financial institutions
filed with the IRS.[Footnote 28]
In evaluating the information, examiners were to focus on certain
products, services, or activities of the institution where the risks
for BSA noncompliance, money laundering, or terrorist financing might
be higher. These included products, services, or activities such as (1)
international wire transfers, monetary instruments, trusts, or private
banking;[Footnote 29] (2) large or increased volumes of cash
transactions; (3) operations located in offshore areas that are at high
risk for money laundering activities or in high-intensity financial
crimes areas (HIFCA);[Footnote 30] (4) large or increased numbers of
CTR and SAR filings; (5) customers found on the Office of Foreign
Assets Control's (OFAC) specially designated list;[Footnote 31] or (6)
international correspondent banking.
In addition to analyzing information from the previously discussed
sources, examiners were to assess the adequacy of an institution's
compliance or risk management systems for identifying, measuring,
monitoring, and controlling BSA risks that might stem from banking
operations. This assessment entailed a review of the institution's
internal controls and independent audit function, as well as the
institution's BSA program, officer, and training. For example, OCC's
BSA examination procedures for community banks required examiners to
review the bank's quality of risk management, consisting of its
policies, processes, personnel, and control systems (including
internal/external audit programs). Specifically, examiners were to
validate the two fundamental components of any bank's risk management
system--internal controls and audits. Federal Reserve examiners also
were required to assess the adequacy of the institution's controls over
BSA risks and, as such, evaluate the institution's internal controls;
audit function; BSA program officer; and training. FDIC required
examiners to review the institution's internal controls and audit
procedures as part of its risk management assessment. OTS's examination
manual required examiners to determine whether the institution
implemented an internal audit or conducted a management review or self-
assessment of its BSA program.
According to the regulators' procedures, evaluating the adequacy of the
independent audit function was a major factor in assessing the
institution's risk. To do so, examiners were to assess the auditor's
independence, competency, and experience; the scope or coverage of BSA
risk areas; the frequency of audits and transaction testing; audit
results; and other factors as required by the regulators' examination
guidance. Furthermore, according to examiners, their assessments of the
independent audit function could be a factor in determining whether to
perform additional procedures, such as transaction testing. For
example, according to NCUA examiners, they might interview the credit
union's internal auditor to determine the auditor's independence,
competency, and knowledge of BSA compliance. The examiners also would
use their professional judgment to assess the adequacy of the coverage
given by the independent auditor to the BSA compliance review. If
examiners determined that the independent audit function or audit
report was inadequate or unreliable, they might decide to perform
transaction testing or additional testing.
Finally, as a result of the risk-assessment process, examiners then
would formulate an initial risk profile on the institution; this
initial assessment might be adjusted during or after the examination.
The institution's BSA risk profile could be expressed in terms of risk
level, such as high, moderate or satisfactory, or low. Examiners
exercised professional judgment throughout this process to weigh the
factors considered and determine the institution's level of risk.
Examiners Used Risk Profiles to Determine the Scope of Examinations:
Examiners were to use an institution's risk profile to determine the
nature and extent of procedures to be performed during the examination.
If the institution's risk profile was low, examiners generally were to
conduct what are variously referred to as basic, core, or limited
examination procedures. These procedures included reviews of an
institution's:
* written, approved BSA/AML program, policies, and procedures to ensure
that the institution's BSA/AML program adequately covered all of the
BSA-required program elements;
* BSA officer or designated staff to coordinate day-to-day BSA
monitoring;
* BSA training provided to the appropriate staff;
* OFAC compliance procedures;
* correction of a deficiency of a BSA program requirement noted in a
previous report of examination;[Footnote 32]
* product lines and services, including wire transfers, deposit-taking
facilities, sales of monetary instruments, and exemptions from
reporting procedures;
* internal controls for detecting, preventing, and correcting BSA/AML
violations;
* Know Your Customer program;[Footnote 33]
* Customer Identification Program;[Footnote 34] and
* compliance with record-keeping and reporting requirements, such as
CTRs and SARs.
In addition to the basic procedures previously discussed, examiners
could perform transaction testing, depending on the regulator's
examination requirements. Transaction testing could cover the
institution's cash transactions, monetary instruments, wire transfers,
SARs, CTRs, exemptions, or samples of the institution's accounts
previously tested by its independent auditor. Examiners also could deem
transaction testing necessary on the basis of the institution's risk
profile or examination results. For example, examiners might discover
that an institution failed to file CTRs or that the institution's
independent audit was inadequate; as a result, they would perform
transaction testing to determine the nature and extent of potential BSA
issues or problems.
If an institution's risk profile was high or examiners identified BSA
compliance problems (e.g., with the institution's BSA/AML policies,
procedures, programs, or internal controls), examiners generally were
to conduct expanded procedures in high-risk areas or the areas of
identified deficiencies. Expanded procedures generally involved (1)
more in-depth reviews of the institution's compliance with BSA, AML,
and OFAC requirements and (2) transaction testing. Such reviews or
testing might cover various areas, including record keeping and
retention, exemptions, sales of monetary instruments, funds transfers,
transactions that are payable upon proper identification, international
brokered deposits, foreign correspondent banking, pouch activity, and
private banking.
Examinations Concluded with Supervisory Consultation, Reporting, and,
When Needed, Corrective Actions:
As a result of applying BSA examination procedures, examiners might
identify BSA compliance deficiencies or violations.[Footnote 35] Using
the regulators' guidance on BSA corrective actions and enforcement,
examiners were to determine whether an institution's actions or
inactions should be classified as BSA deficiencies or violations.
Examiners then were to consult with their supervisors concerning their
findings of BSA violations, particularly violations that were deemed to
warrant formal enforcement actions, such as written agreements,
cease-and-desist orders, and CMPs (for more information, see ch. 5).
Examiners were to submit recommended findings of BSA violations and
proposed corrective actions to their supervisors and then discuss the
results of the examination with the institution's management and board
of directors. In these discussions, examiners generally were to secure
management's commitment to comply with the proposed corrective actions.
Subsequently, guidance called for examiners to prepare the report of
examination, detailing the scope, compliance risk, findings, corrective
actions, and management's commitment to take corrective action; the
corrective actions taken by management before the end of the
examination; or the proposed enforcement actions. During the
examination and at the conclusion of the examination, examiners were to
enter examination data and results of the examination into the
regulators' respective automated reporting systems (see ch. 4).
Examiners were to perform follow-up activities between examinations, or
at the next scheduled examination, to verify compliance with corrective
actions. Finally, regulatory management was to notify FinCEN of
significant BSA violations found as a result of the examination.
Examiners sometimes recommended or provided input into the decision to
notify FinCEN of significant BSA compliance problems.
Under Pre-2005 Guidance, Documentation Requirements Varied Widely:
The regulators' pre-2005 requirements for documentation of examination
procedures and their documentation of those procedures could vary
widely. From each regulator, we reviewed approximately 30 BSA
examinations that were conducted under guidance current between January
1, 2000, and June 30, 2004. Because the sample was small, we could not
generalize the results of our analysis to make conclusions about how
regulators applied the examination procedures to all BSA examinations
conducted during this period. However, when coupled with our review of
regulator guidance and examination manuals, the results of the
examination review illustrated instances where the regulators'
documentation of examination procedures varied widely. Individual
regulator guidance issued prior to June 2005 required documentation of
"major" procedures and conclusions, and our review indicated more
documentation of examination planning procedures at larger
institutions.
Under pre-2005 guidance, the regulators did not consistently require or
document transaction testing. The regulators required transaction
testing in examinations of larger institutions with higher asset
levels, but not always at smaller institutions. The OCC BSA examination
manual for large banks required transaction testing, at a minimum, to
form conclusions about the integrity of the bank's overall control and
risk management processes and of its overall quantity of risk. OCC
examiners stated that transaction testing was required for all
high-risk areas of large banks, and we found documentation of transaction
testing in 3 of 4 large bank examinations. The Federal Reserve's BSA
examination manual required that some transaction testing be performed
in all examinations, and the nature and extent of transaction testing
could vary, depending on the institution's level of risk. For example,
if the institution engaged in high-risk areas, such as private banking,
foreign correspondent banking, or international banking, Federal
Reserve examiners were required to perform transaction testing in those
areas. Our review of Federal Reserve examinations indicated that
examiners performed extensive transaction testing at most of the banks.
We found documentation of transaction testing in 17 of 18 Federal
Reserve examinations we reviewed, including those of large and smaller
institutions.
Our examination review found less documentation of transaction testing
in examinations at smaller institutions with lower assets, such as the
community banks, savings associations, and credit unions supervised by
OCC, OTS, FDIC, and NCUA. These regulators' examination guidance
permitted examiners to exercise their professional judgment in
determining whether to perform transaction testing. See appendix I for
more information from our examination review.
Since 2004, State Banking Departments Have Become More Involved in BSA
Reviews and Increased Information Sharing with FinCEN:
As recently as 2004, about one-third of state banking departments
reported not examining for BSA compliance; however, state banking
departments have since taken a more active role in conducting these
reviews. According to state banking department officials, the increased
attention to AML and terrorist-financing issues after September 11 led
state banking departments to begin examining for BSA compliance or to
expand the scope of their reviews. The state banking departments
examining for BSA compliance generally used the same procedures as the
regulators. Lastly, state banking departments, the regulators, and
FinCEN have increased their coordination of BSA and AML
compliance-related efforts.
In 2004, Many State Banking Departments Reported That They Did Not
Examine for BSA Compliance:
According to a July 2004 Conference of State Banking Supervisors (CSBS)
inquiry of banking departments on BSA and AML practices, 35 state
banking departments were examining for BSA compliance, either during
joint examinations with federal examiners or independently as part of
the alternate-year examination programs.[Footnote 36] In some states,
federal examiners independently reviewed institutions or reviewed
institutions jointly with examiners from state banking departments.
According to a Federal Reserve official, the frequency of these
examinations and the decision of whether to perform the review jointly
depended on the institution's risk level. An FDIC official said that
FDIC reviewed depository institutions for BSA compliance on average
every 36 months. Of the remaining state banking departments, at least
15 were not reviewing for BSA compliance. Similarly, a March 2004 FDIC
Inspector General (FDIC IG) report indicated that out of 72 examination
reports reviewed from state banking departments, 45 did not
specifically address BSA compliance. As a result, depository
institutions in some states were not being examined for BSA compliance
at each examination.
CSBS officials said that in the past, BSA compliance coverage varied
among state banking departments, in part, because of differing
philosophies about their responsibilities for determining BSA
compliance. Specifically, some state banking departments did not
interpret BSA-related supervision as a state-level responsibility.
According to CSBS officials, departments in these states interpreted
their examination responsibilities as determining depository
institutions' safety and soundness and compliance with state laws. CSBS
officials said that, in general, this supervisory approach was driven
largely by state budget constraints and the allocation of examination
fees to states' general funds, rather than to examination programs.
Some State Banking Departments Recently Began Reviewing for BSA
Compliance; Others Have Intensified Existing BSA Reviews:
According to CSBS officials, although the regulators are the entities
that are legally responsible for conducting BSA reviews, state banking
departments have become more active in conducting these reviews over
the last 2 years. For example, the Virginia Bureau of Financial
Institutions began examining for BSA compliance in September 2004.
Similarly, the Delaware Office of the State Bank Commissioner began
conducting BSA reviews in January 2005.[Footnote 37] Additionally,
officials from some state banking departments noted that the increased
attention to AML and terrorist-financing issues following September 11
led some state banking departments to begin examining for BSA
compliance or to expand the scope of existing reviews. For example, in
late 2004, the Louisiana Office of Financial Institutions began
conducting independent BSA reviews as part of its safety and soundness
examination. The Florida Office of Financial Regulation intensified its
BSA examinations; since September 11, it has been reviewing for BSA
compliance as part of every safety and soundness examination. State
banking departments also have been independently examining for BSA
compliance. For example, the Georgia Department of Banking and Finance
began examining depository institutions for BSA compliance in early
2004. According to an official from this state banking department,
Georgia is performing BSA reviews with federal examiners on an
alternating schedule. Furthermore, officials from other state banking
departments said that although their state examiners had reviewed for
BSA compliance in filing, reporting, and record keeping for some time,
their departments more recently began to devote additional training
resources to BSA compliance. For example, one state banking department
official said that the agency's examiners were able to review more than
just the institution's BSA policy for BSA compliance, going beyond what
they did in the past. In response to a CSBS inquiry of state banking departments, as of
November 2005, 45 state banking departments were reviewing for BSA
compliance.[Footnote 38]
In general, whether recently examining for BSA compliance or continuing
established procedures, state examiners used the same procedures the
regulators used to examine for BSA compliance. State examiners
generally described using the key steps that federal examiners take in
reviewing for AML compliance, which included reviewing the
institution's policies and procedures, recent CTRs and SARs, training
efforts, and independent audit reports. Similar to federal examiners,
state examiners described performing transaction testing to varying
degrees, based primarily on the risk presented by the institution being
examined. According to CSBS officials, state examiners reviewed
state-chartered banks using FDIC's BSA examination procedures. State
examiners and Federal Reserve officials said that state examiners
generally used the Federal Reserve procedures for banks that are
supervised by the Federal Reserve, but examiners sometimes used FDIC
procedures for small institutions supervised by the Federal Reserve.
State Banking Departments, Regulators, and FinCEN Also Have Recently
Increased Coordination on BSA-Related Examination Activities:
During the course of our work, state banking departments, regulators,
and FinCEN increased coordination on BSA-related examination and
information-sharing activities. For example, in March 2004, the FDIC IG
recommended that FDIC (1) coordinate with state banking departments to
cover BSA compliance in state-led examinations of FDIC-supervised
institutions and (2) for those states that did not cover BSA
compliance, develop an alternative FDIC process to address BSA
compliance when relying on alternating state examinations. FDIC agreed
with the recommendation and, in May 2004, released a regulatory
memorandum, Policy for Bank Secrecy Act/Anti-Money Laundering
Examination Scheduling and Frequency. The memorandum requires FDIC to
conduct concurrent BSA/AML examinations at all safety and soundness
examinations conducted by state banking departments that do not perform
BSA and AML examinations, to avoid additional regulatory burdens on the
depository institution. In addition, since the issuance of the
memorandum, FDIC has conducted independent BSA examinations when state
banking departments had not done so during regularly scheduled safety
and soundness examinations.
In addition, the regulators also began training state examiners on
reviewing for BSA compliance. According to CSBS, a growing number of
states are seeking BSA training, with some states doing on-site
training with federal agencies. For example, in September 2004, the
Federal Reserve provided 2 days of training for staff at a state
banking department. In addition, officials from another state banking
department said that examiners shadowed federal examiners on BSA
reviews as part of their training. A Federal Reserve official further
explained that both the Federal Reserve and FDIC recently had provided
on-the-job training for the state examiners during joint examinations.
Finally, on June 2, 2005, FinCEN announced the signing of MOUs with 30
state banking departments and the department in Puerto Rico to further
improve coordination of BSA and AML activities.[Footnote 39] According
to FinCEN officials, as of March 2006, banking departments from 36
states and the Commonwealth of Puerto Rico had signed MOUs. The MOUs
set forth information-sharing agreements with FinCEN that are similar
to the information-sharing agreement between FinCEN and the regulators.
According to FinCEN, these agreements provide the framework for
enhanced collaboration and information sharing between federal and
state agencies that will allow FinCEN to better administer the BSA,
while simultaneously assisting state agencies to better fulfill their
roles as financial institution departments. Furthermore, a CSBS
official said that the MOUs provide a clearer understanding of the role
of state banking departments. According to a CSBS official, in the
post-September 11 environment, state banking departments also wanted a
viable supervisory role in the BSA area because they perceived BSA
issues as affecting all regulators. In March 2006, FinCEN was receiving
data for the fourth quarter of 2005 from the states.
[End of section]
Chapter 3:
Regulators Have Promoted Consistency in BSA Examinations through
Interagency Procedures and BSA Training:
During the course of our work, the regulators took steps that promoted
consistency of BSA examinations, including issuing new interagency
procedures and revising and expanding examiner training. In particular,
the new examination procedures describe risk assessments and link them
to the creation of risk profiles. The procedures also introduce more
uniformity into the assessment of independent audit functions and, for
the first time, require transaction testing in all examinations,
regardless of the institution's risk profile. As a result, the new
procedures provide a framework for greater consistency in BSA
examinations across the regulators. To disseminate new information and
increase knowledge of BSA and related issues, the regulators have
increased training on BSA and the PATRIOT Act and coordinated efforts
to educate staff on the interagency procedures. Moreover, some
regulators have focused on developing more BSA/AML specialist
examiners.
New Interagency Procedures Create Framework for Consistent BSA/AML
Examination Processes:
As previously discussed, the regulators generally followed the same
steps for BSA examinations but differed in the application of some
procedures, such as documentation, and in what procedures they left to
examiner judgment, such as transaction testing. However, as statutory
requirements (e.g., the PATRIOT Act) changed in response to concerns
about anti-money laundering and terrorist-financing issues, the
regulators also recognized the need to enhance their guidance. On June
30, 2005, the regulators, in collaboration with FinCEN and OFAC, issued
a new BSA/AML examination manual through FFIEC, an interagency body
prescribing uniform standards for federal examinations. In addition,
they committed themselves to updating the manual at least once a year.
In the regulators' view, the FFIEC BSA/AML Examination Manual is the
product of best practices among the regulators and aims to promote
procedural consistency in the conduct of BSA/AML examinations at all
depository institutions. While both the former and new examination
procedures require examiners to evaluate the institution's risk
management systems and formulate a risk profile of the institution, the
FFIEC procedures provide a uniform process for performing risk
assessments. As a result, the manual provides examiners with more
focused guidance to follow in performing BSA/AML examinations.
Furthermore, in contrast to the previous procedures, the FFIEC
procedures also provide uniform factors for assessing the adequacy of
an institution's independent audit function and require transaction
testing in all examinations.
New Examination Procedures Organize Information on BSA Risk Assessments
and Link Assessments to Scoping and Planning:
In contrast to previous guidance, the FFIEC Examination Manual
organizes guidance on risk-assessment procedures primarily in one
place, the scoping and planning section for core examinations
procedures. The manual also comprehensively describes risk assessments
for BSA examinations, taking examiners from the planning stages to
using conclusions to develop risk profiles. Formerly, the BSA
examination manuals of most of the regulators did not describe the
risk-assessment process with the same degree of information or
BSA-specificity. For example, two regulators did not have a discrete
description of the BSA-risk assessment process, but incorporated it
with the risk-assessment process for financial examinations. Other
regulators did not explain what conclusions examiners were to draw from
their risk-assessment process, such as determining that an
institution's risk level was high, moderate, or low.
Additionally, some of the regulators' former BSA examination procedures
focused on different aspects of the risk-assessment process, such as
the institution's risk assessment of its product lines or services, or
its risk management systems, or quality of audit and internal controls,
to develop risk profiles of institutions. However, the FFIEC manual
emphasizes that all banks must have BSA/AML programs tailored to their
particular risks, and that planning and scoping for examinations should
be guided by those assessments. That is, examiners should review the
institutions' self-assessments of their programs to determine if the
programs (and, thus, risk management systems or controls) are
commensurate with all of the risks the institutions undertook.
In presenting guidance on how to link risk assessments to other
examination procedures, the new manual also provides a framework for
examiners to follow (see fig. 2). For example, according to an OTS
official, it provides one "road map" for everyone. A senior Federal
Reserve official referred to the manual as a "significant step toward
consistency" in the area of AML examination. Additionally, an OCC
official stated that the FFIEC procedures provide a minimum threshold
for performing examination procedures.
Figure 2: FFIEC Manual Links Components Necessary for BSA Compliance:
[See PDF for image]
[End of figure]
The manual recognizes that, depending on the specific characteristics
of the particular product, service, or customer, the risks are not
always the same. Various factors, such as number and dollar volume,
geographic location, and customer versus noncustomer, should be
considered when making a risk assessment. Because of these variables,
risks will vary from one institution to another. The manual states
that, in formulating a risk-based BSA/AML program, institution management
should identify the significant risks to its institution and develop a
risk assessment tailored to its circumstances. Furthermore, as new
products and services are introduced, as existing products and services
change, or as the institution expands through mergers and acquisitions,
institution management's evaluation of the money laundering and
terrorist-financing risks should evolve. The expanded sections of the
manual provide guidance and discussions on specific lines of business
or products that may present unique challenges and exposures for which
institutions should institute the appropriate policies, procedures, and
processes.
New Examination Procedures Add Uniformity to Assessment of Independent
Audit Function:
To confirm that institutions are complying with independent audit
requirements, examiners, under former and new procedures, assess the
adequacy of the institution's independent audit function during the
scoping phase of the BSA examination or later. However, the regulators'
former procedures were not uniform; that is, while each regulator
considered multiple factors when assessing the independent audit
function, none of the regulators used the same set of factors.
In contrast, the FFIEC core examination procedures provide uniform
guidance for examiners to follow when validating the independent audit
as part of the planning and scoping of the BSA examination. Examiners
are required to determine whether the:
* BSA/AML testing (audit) was independent;
* qualifications of the person(s) performing the independent testing
would allow the institution to rely on the findings and conclusions;
* auditor's reports and work papers were valid; that is, whether the
independent testing was comprehensive, accurate, adequate, and timely;
* audit reviewed the institution's suspicious activity monitoring
systems for the ability to identify unusual activity;
* bank's audit review procedures confirmed the accuracy of management
information systems used in BSA/AML compliance;
* audit tracked previously identified deficiencies and ensured that
management corrected them; and
* audit was adequate on the basis of a review of the audit's scope,
procedures, and work papers.
Because the FFIEC procedures provide a comprehensive and uniform set of
factors to consider in assessing the independent audit, examiners could
validate the independent audit on a more uniform basis. Additionally, since the
independent audit is a factor in determining the institution's risk
profile, the interagency procedures for validating the audit also may
contribute to more consistent determinations of an institution's risk
profile.
New Examination Procedures Require Transaction Testing, Regardless of
the Institution's BSA Risk Level:
The FFIEC Examination Manual requires transaction testing at each
examination, regardless of the institution's BSA risk level. Under some
of the regulators' former procedures, transaction testing was not
always required; rather, this decision was left to examiner judgment,
taking into consideration the institution's BSA risk level. The FFIEC
Examination Manual emphasizes the importance of transaction testing for
making conclusions about the integrity of the institution's overall
controls and risk management processes. The manual also requires that
transaction testing be performed to evaluate the adequacy of an
institution's compliance with regulatory requirements, and the
effectiveness of its policies, procedures, processes, and suspicious
activity monitoring systems. According to the FFIEC Examination Manual,
examiners perform transaction testing to evaluate the adequacy of an
institution's compliance with regulatory requirements, or to determine
whether its policies and procedures and suspicious activity monitoring
systems are effective.
More specifically, the manual provides examiners with two options for
performing transaction testing. Transaction testing may be performed
within the independent audit section of the examination, or it may be
completed in procedures contained elsewhere within the manual's core or
expanded sections. If transaction testing is performed within the
independent audit section, examiners are required to select a
judgmental sample that includes transactions other than those tested by
the independent auditor. Under previous guidance, examiners for some of
the regulators told us that they could choose whether to sample
transactions tested by the independent auditor. However, the new
procedures do allow examiners to determine the extent of transaction
testing to be performed, on the basis of factors such as the examiner's
judgment of risks and controls and the adequacy of the independent
audit.
If transaction testing is performed within the core or expanded
sections of the examination, the FFIEC Examination Manual delineates
the specific areas under the core and expanded procedures where
transaction testing must be performed and specifies the nature of
transaction testing that must be performed. For example, the FFIEC core
examination procedures describe transaction testing of customer due
diligence, currency transaction reporting and CTR exemptions, the
purchase and sale of monetary instruments, and funds transfers. The new
manual's expanded examination procedures are similar to the regulators'
former examination procedures in that they describe transaction testing
or reviews of specific areas, such as foreign correspondent accounts,
payable through accounts, pouch activities, funds transfers, and
foreign branches and offices of U.S. banks.
Regulators Revised Examination Tools for Documenting BSA Procedures to
Conform to the FFIEC Examination Manual:
As previously discussed, the regulators' pre-2005 requirements for
documentation of examination procedures and their documentation of
those procedures varied widely. The FFIEC Examination Manual requires
that transaction testing be performed on all examinations and provides
some guidance for documenting BSA examination procedures, including
scoping, planning, and risk assessments.
According to the regulators, after the new procedures were issued, they
revised their examination formats for capturing and documenting BSA
examination procedures to conform to the requirements of the FFIEC
Examination Manual. For example, the Federal Reserve and FDIC revised
the examination work programs that their examiners use to document
examination procedures, which are entered into the regulators'
automated examination reporting system. Our review of these work
programs showed that the formats provided for documentation of scoping,
planning, risk assessments, and transaction testing. OTS officials said
that they had revised their BSA examination work program to conform to
the requirements of the manual and require documentation of scoping,
planning, risk-assessment, and transaction-testing procedures. NCUA
officials stated that NCUA had revised its examination questionnaire to
incorporate instructions for documenting transaction-testing and other
procedures. The questionnaire, according to our review, provides for
documentation of scoping, planning, and transaction-testing procedures.
OCC officials told us that they modified their automated examination
reporting system to provide for examiner documentation of scoping,
planning, risk-assessment, and transaction-testing procedures in
examinations of large, midsize, and community banks. These new formats
and tools for documenting transaction-testing and other procedures
likely will result in more documentation of these procedures on future
BSA/AML examinations, and will make it easier to track BSA/AML
examination results as well.
In Recent Years, Regulators Have Intensified Focus on BSA-Related
Skills and Issues in Examiner Training:
In tandem with an increasing focus on BSA-related issues, regulators
also revised examiner training, and some regulators have increased the
number of specialized examiners. For example, the regulators have
adjusted or expanded their training to incorporate the latest mandates
and standards, such as the PATRIOT Act and the FFIEC Examination
Manual. Some regulators also trained more examiners to specialize in
BSA/AML issues.
Each Regulator Provides BSA/AML Training to Its Examiners:
Although each regulator provides BSA/AML training to its examiners,
each regulator approached training differently (see table 2). For
example, OTS and NCUA require all new staff to attend a basic training
course on AML compliance. According to OTS officials, OTS hosted a
number of regional conferences for examiners that were solely dedicated
to the BSA and the PATRIOT Act. NCUA also used regional conferences to
train examiners on BSA issues. For example, in its annual report to
FinCEN, NCUA stated that BSA compliance was addressed at the regional
conference training provided to all examiners in 2002 and 2004. The
Federal Reserve requires all staff seeking to obtain an examiner
commission to successfully complete a BSA/AML proficiency
test.[Footnote 40] FDIC requires all examination staff to obtain
BSA/AML training through classroom and Web-based training. Finally, OCC
offers four different training schools, which all provide live,
instructor-led training in AML requirements. Additionally, OCC offers
specialized BSA/AML training on a voluntary basis to commissioned staff
who participate in the Examiner Specialized Skills Program.
Table 2: BSA/AML Training, by Regulator (2004-2005):
Regulator: FDIC;
Training description: To increase its level of BSA expertise, FDIC
required all examination staff to complete formal training on AML
requirements by the end of 2004. FDIC trained every examiner on staff
(1,721) in AML requirements by establishing a curriculum comprised of
several Web-based components, including externally provided courseware,
internally developed presentations, and exercises to strengthen
knowledge of topics covered. FDIC examiners also receive AML training
through FDIC's formal examiner school, "Introduction to Examinations."
In 2005, 38 examiners received AML training through the examiner
school.
Furthermore, FDIC offered specialized AML training at outside seminars
and conferences, such as industry-sponsored events and regulatory
conferences. For example, in 2005, 72 subject matter experts attended
the FFIEC AML workshop. Also, from November 29 to December 2, 2005, 336
individuals, primarily BSA/AML subject matter experts and other
persons with BSA/AML assessment responsibility, attended the
FDIC-sponsored "BSA/AML Subject Matter Expert Conference." The purpose of
the training conference was to provide guidance on
higher-and-emerging-risk topics to ensure a more efficient and consistent BSA/AML
examination process. FDIC also provided additional FFIEC Examination
Manual training to examiners and supervisors during 2005.
FDIC also conducts training during examinations. This training is
targeted to the individual examiner and addresses the unique business
lines and practices at the bank being examined.
Regulator: Federal Reserve;
Training description: The Federal Reserve's BSA/AML Risk Section,
formerly the Anti-Money Laundering Compliance Section, interacts on a
daily basis with the examination staff engaged in AML examinations at
the 12 Reserve Banks. Section staff offer case-specific guidance
regarding AML requirements. The BSA/AML Risk Section holds monthly
systemwide calls and semiannual fora with BSA/AML supervisory staff to
provide them with policy updates, training focused on BSA/AML issues,
and discussions of recent examination experiences. In addition,
examiners from the section participate in select examinations
throughout the country to provide on-the-job training to Federal
Reserve examiners.
Each Reserve Bank also provides ongoing training to supervision staff
to keep them informed of changes to regulations, laws, and examination
procedures. Typically, BSA/AML training is offered at each Reserve
Bank's annual examiner conference. These training sessions provide an
opportunity for the Reserve Bank's BSA/AML contacts and the subject
matter experts to alert the examination staff of recent changes to
legislation and policy directives, updates to examination procedures,
and various BSA/AML concerns noted both locally and nationwide. For
example, in March 2005, a Reserve Bank trained eight new BSA
specialists in AML requirements through a series of workshops.
According to a Federal Reserve official, the training that these new
specialists received was in addition to and more intense than the
online course that all examiners must take. Specialized AML training
also has included outside seminars and conferences, such as industry-
sponsored events and regulatory conferences. For example, in 2005, 143
examiners attended FFIEC's BSA/AML workshop. Furthermore, as part of
the Federal Reserve's entry-level training, examiners are required to
complete an online training course. The Federal Reserve's comprehensive
training plan for staff members seeking to obtain an examiner
commission requires the individual to master a core curriculum and to
successfully pass a proficiency test in each core area. For the BSA/AML
proficiency test, an individual must demonstrate an understanding of
the concept of money laundering, the purpose of the BSA, and the
minimum requirements of regulations on BSA/AML programs and
requirements for filing SARs.
Regulator: NCUA;
Training description: All new examination staff are required to
complete a year-long training curriculum that includes instructor-led
training classes and on-the-job training in AML compliance.
Seasoned examiners are trained on an ongoing basis using a combination
of instructor-led training sessions and regional conferences. During
2005, NCUA provided classroom training to 89 examiners on AML
requirements. During August and September 2005, NCUA provided to staff
training material addressing the FFIEC Examination Manual and the
updated NCUA work paper used to document review of the BSA, in
accordance with the manual.
Regulator: OCC;
Training description: OCC offers instructor-led classroom AML training
for its examiners at its Consumer Compliance: Basic, Anti-Money-
Laundering, Bank Supervision, and FinCEN Database Training Schools.
As part of OCC's entry-level training, all examiners complete 1 week of
classroom training and 1 week of course preparation in the Consumer
Compliance: Basic School that includes BSA modules. The Anti-Money
Laundering School is designed to train participants to recognize money
laundering risks and ensure compliance with regulatory requirements.
The course heightens awareness of how financial institutions are used
in money laundering through hands-on training based upon actual
examination results. The Bank Supervision School includes classroom and
computer-based training that contains a BSA/AML module, which provides
a review of the regulatory requirements. The FinCEN Database Training
course trains examiners to access and use the FinCEN database.
As of December 2005, 166 examiners attended the Consumer Compliance:
Basic School, 89 attended the Anti-Money-Laundering and Terrorist-
Financing School, 27 attended the Bank Supervision School, and 21
attended the FinCEN Database Training School.
Additionally, OCC provided BSA training targeted to the FFIEC
Examination Manual to all compliance specialists in September 2005.
Approximately 230 examiners were in attendance. Also in 2005, 16
sessions of extensive BSA training that incorporated the FFIEC
Examination Manual were provided to examiners engaged in community and
midsize bank supervision. Approximately 567 examiners attended this
training in 2005. The training will continue in 2006.
In addition to formal course offerings, OCC periodically provides
training in the form of agencywide teleconferences and finances
external training opportunities and the industry Certified Anti-Money
Laundering Specialist certification as appropriate.
Regulator: OTS;
Training description: OTS requires all examiners administering AML
exams to complete 3 weeks of classroom training courses, called
"Compliance I" and "Compliance II," which include modules on the BSA
and the PATRIOT Act.
In addition to formal course offerings, OTS provides Web-based AML
training. During 2005, OTS recorded 1,483 participants in AML training
sessions.
Sources: FDIC, Federal Reserve, NCUA, OTS, and OCC.
[End of table]
In addition to their own training, regulators also use interagency or
outside venues to train staff. For example, the regulators sent staff
to conferences sponsored by trade associations that offered multiday
courses and provided informal resources for self-training, such as
subscriptions to online newsletters. Regulators also send examiners to
interagency AML workshops offered by FFIEC. OTS, in its annual report
to FinCEN, stated that in early 2003, FFIEC updated the workshop to
incorporate PATRIOT Act requirements. According to FDIC, the workshop
objectives focused on recognizing potential money laundering risks,
assessing the adequacy of BSA/AML programs, and maintaining up-to-date
knowledge of the rules and requirements of BSA/AML statutes and
regulations. The workshop generally ran approximately 27 hours and
included speakers and presentations by the regulators, FinCEN, IRS,
OFAC, and the Federal Bureau of Investigation. FDIC said that providing
this training in an interagency forum allowed the regulators to take a
more consistent approach to BSA/AML supervisory efforts.
Furthermore, according to the regulators, they updated their AML
training to cover all of the relevant provisions of the PATRIOT Act. As
mentioned in our May 2005 report, the regulators began offering PATRIOT
Act training for BSA examination staff in 2002 and 2003.[Footnote 41]
This training, provided through instructor-led and Web-based courses,
introduced BSA and PATRIOT Act requirements and provided for
theoretical and hands-on training. The regulators' AML training
curricula included various techniques designed to help the examiners
recognize potential money laundering risks facing financial
institutions and helped examiners learn procedures for assessing the
soundness of an institution's AML program.
Regulators Participated in Joint Efforts to Train Examiners on New
Interagency Procedures:
Since the issuance of the new procedures on June 30, 2005, FFIEC has
coordinated a far-reaching effort to train examiners and the industry
on the new procedures, by holding a series of training events across
the country. Table 3 provides more information about the training
offered since the issuance of the interagency examination procedures.
Table 3: 2005 FFIEC Examination Manual Training:
Date: July 28, 2005;
Description: Overview of FFIEC Examination Manual;
Type/Format: Videoconference;
Audience: Federal/State examination staff;
Participation: 1,200.
Date: August 2-4, 2005;
Description: Overview of FFIEC Examination Manual;
Type/Format: Teleconference (Nationwide);
Audience: Banking industry, financial services representatives;
Participation: 8,200.
Date: August 15-24, 2005;
San Francisco-8/15; Dallas-8/17; Chicago-8/19; New York-8/22;
Miami-8/24;
Description: Interagency BSA/AML Regional Banker Outreach and Examiner
Training Events (manual overview, guidance on risk assessments, and
BSA/AML Q&A);
Type/Format: Group sessions (Event also was subsequently available
through the Web for 90 days);
Audience: Bankers and examiners;
Participation: 2,000 (bankers); 1,000 (examiners); 12,434 (Web-cast
viewers as of August 23).
Sources: Federal Reserve and FDIC.
[End of table]
Senior examination and management staff from the regulators attended a
nationwide videoconference, hosted by the Federal Reserve, on July 28,
2005. According to an NCUA official, a focus group of NCUA field
examiners and office staff participated in the July 28 videoconference.
This group, in turn, participated in updating NCUA examination forms
to incorporate the FFIEC Examination Manual requirements, identified
key sections of the manual and related concepts applicable to credit
unions for discussion with staff, and recommended training to be
conducted through standard regional processes. For instance, because
credit unions do not operate foreign correspondent accounts, staff will
be notified that information on BSA risks and transaction testing for
these accounts is available, but NCUA will not incorporate information
on those accounts into the agencywide training program.
Additionally, the Federal Reserve, FDIC, OCC, OTS, and FinCEN conducted
2-hour nationwide conference calls, hosted by FDIC, regarding the new
examination manual for the banking industry on August 2 to 4, 2005.
Furthermore, these four regulators and FinCEN conducted regional
outreach meetings aimed specifically at personnel responsible for a
financial institution's BSA/AML program. The regulators held half-day
sessions in five cities for the banking industry and examination staff.
State banking departments also participated in training on the FFIEC
Examination Manual. More specifically, according to a CSBS official,
CSBS and state banking departments participated in the FFIEC
discussions and provided feedback as the procedures were being
developed. Furthermore, another CSBS official said that state banking
departments are using the manual to conduct BSA reviews. According to a
CSBS official, state banking departments participated in the rollout
and field testing of the interagency procedures. In addition, state
examiners are scheduled to have more formalized BSA coursework through
FFIEC, FDIC, and the Federal Reserve as a result of the interagency
procedures.
Some Regulators Are Developing More BSA/AML Expert Staff to Serve in a
Variety of Roles:
Although safety and soundness and compliance examiners primarily
perform BSA/AML examinations, some regulators use examiners with
specialized skills to provide training, serve as a resource to other
examiners, or assist on complex examinations. All of the regulators
offer career paths and options for becoming a BSA subject matter expert
(see table 4).[Footnote 42] More recently, some regulators have planned
to train or increase substantially the number of subject matter experts
they have to help meet PATRIOT Act requirements and address the
increasing complexity of BSA examinations. While the regulators
prescribe no criteria for BSA/AML specialization, regulatory officials
stated that specialization could be achieved through a combination of
on-the-job training, classroom training, and industry certification.
Table 4: Examiner Career Path to BSA Specialization, by Regulator:
Regulator: FDIC;
Examiner career path: Examiners;
* become commissioned after several years of instruction, examination
experience, and successful completion of a commissioning examination;
* may specialize in a variety of areas, including the BSA, once they
are commissioned; and
* receive specialized BSA training, both in the classroom and on the
job, and gain experience through BSA examinations.
Additionally, FDIC encourages and offers industry designations, such as
the Certified Anti-Money Laundering Specialist and Certified Fraud
Examiner.
Regulator: Federal Reserve;
Examiner career path: Examiners;
* must go through the Federal Reserve's examiner commissioning process
to become a commissioned examiner;
* take two tests, one a midpoint examination taken after 18 months and
the other a pass/fail examination, to be commissioned;
* can become specialized and work on a specialized team by showing an
aptitude for a specialized area and asking for training opportunities;
and
* attain specialization through a combination of on-the-job and BSA
training.
The Federal Reserve does not have a requirement for BSA specialists to
obtain industry certification.
Regulator: NCUA;
Examiner career path: Examiners;
* are promoted to the principal examiner level after completing a
series of training courses and on-the-job training;
* after supervisors and examiners jointly demonstrate to regional
management that the examiners are competent to handle complex
assignments, provide on-the-job training, and conduct team
examinations; and
* who receive additional training on compliance issues, including AML,
become Consumer Compliance Subject Matter Examiners.
Regulator: OCC;
Examiner career path: Examiners;
* are required to take and successfully complete the commissioned
examiner test after 5 years of experience as safety and soundness
examiners; and
* can qualify to pursue specialization in various areas, such as
capital markets, once they are commissioned.
OCC supports a range of certification and licensing for its examiners
that are related to the BSA, such as the Certified Anti-Money
Laundering Specialist and the Certified Fraud Expert. Additionally, OCC
provides a national mentoring program, Examiner Specialized Skills
Program, for more experienced staff to mentor staff with less
experience. In 2005, there were six "coaches" and 14 participants. In
total, 39 examiners have participated in the initiative.
Regulator: OTS;
Examiner career path: Examiners;
* receive certification as a Commissioned Thrift Examiner upon
successful completion of in-depth training, both in the classroom and
on the job, over a 4- to 5-year period;
* that are commissioned serve as core safety and soundness examiners or
pursue interests in specialty examination functions, such as
compliance;
* with many years of experience, go through an accreditation process
involving successfully passing the technical portion of a comprehensive
compliance test called the Certified Regulatory Compliance Manager;
and
* that have attained this specialization are required to take 40 to 80
hours of additional training annually.
Sources: FDIC, Federal Reserve, NCUA, OTS, and OCC.
[End of table]
According to one of its officials, the Federal Reserve has had a long-
standing commitment to BSA/AML supervision and over time has expanded
resources specifically dedicated to BSA/AML supervision. For example,
Federal Reserve staff noted that, in 2002, a separate AML section was
formed to manage and oversee the Federal Reserve's ongoing efforts in
the area of BSA/AML. Currently, AML examination subject matter experts
interact on a daily basis with examination staff engaged in AML
examinations to offer case-specific guidance regarding AML
requirements. Moreover, according to officials at the Federal Reserve,
the growing trend among the Reserve Banks is to set up a BSA/AML
structure comprising teams of examiners who possess a mix of advanced
and intermediate BSA skills to focus on BSA/AML issues. As of December
31, 2005, 108 examiners were identified as having advanced BSA skills.
According to officials at the Federal Reserve, to qualify as a
specialized examiner in this area, examiners must show an aptitude for
BSA/AML and undergo additional training. Specialization is achieved
through a combination of on-the-job and classroom training. The Federal
Reserve also centrally tracks the skill levels of examiners with
special skill sets (e.g., BSA compliance).
In a previous report, we noted that FDIC and the Federal Reserve both
have examiners who are AML subject matter experts and serve as training
resources for other examiners.[Footnote 43] According to FDIC
officials, between June 2004 and December 2005, the number of FDIC's
AML subject matter experts more than doubled, from 150 to 347. The
officials said the increase was due, in part, to the implementing rules
of the PATRIOT Act and the importance of BSA compliance in ensuring the
safety and soundness of FDIC-supervised institutions. Both agencies
also train examiners who are primarily responsible for conducting
BSA/AML examinations. Specifically, FDIC's subject matter experts receive
specialized training in the classroom and on the job. Furthermore, in
2005, as a pilot initiative within FDIC, 19 individuals from FDIC's
Division of Supervision and Consumer Protection and the Legal Division
successfully completed an industry-recognized accreditation for AML
specialists. Following this pilot initiative, as of year-end 2005, FDIC
extended the program to approximately 37 BSA/AML risk management
examination personnel.
In response to an internal quality assurance assessment of OCC's
BSA/AML compliance supervision, which found that OCC did not direct
sufficient resources to BSA/AML compliance, in July 2005, OCC committed
to redirect staff to BSA/AML work and apply additional resources to
this area. In a November 2005 letter to Chairman Shelby, the OCC
Comptroller stated that, to increase OCC's BSA/AML resources, in
addition to other actions, OCC was developing a national pool of
experienced BSA/AML examiners to be deployed to address OCC's high-
priority and high-risk examinations. While, according to OCC officials,
OCC does not have specifically designated BSA/AML specialists, the
agency has examiners who possess specialized knowledge in performing
BSA/AML examinations. In addition, the agency has examiners specialized
in other examination disciplines, such as commercial, retail credit,
capital markets, and trust, who are also cross-trained to conduct BSA
examinations. Furthermore, OCC has a lead compliance expert in each
district office and, as of December 2005, had six full-time BSA/AML
compliance policy specialists in the Washington office dedicated to
developing policy and training and assisting on complex examinations.
OCC officials also stated that OCC supports a range of industry
certifications and licensing, and it was committed to sponsoring staff
who want to obtain professional certification as money laundering
specialists through advanced training and testing.
OTS and NCUA differ from the other regulators in that they have
developed consumer compliance subject matter examiners or consumer
compliance specialists. These examiners received additional training on
compliance issues, including BSA/AML compliance, and act as a resource
on issues that arise from the examination process. Additionally, OTS's
compliance specialists provide on-the-job training and advice during
examinations and analyze draft examination reports and reviews. As of
December 31, 2005, NCUA had 27 examiners designated as consumer
compliance subject matter examiners, and OTS had 15 dedicated
compliance specialists.
[End of section]
Chapter 4:
Systems Improvements Help Regulators Track BSA Examination and
Violation Data, but Differences in Terminology Remain:
The regulators use various internal control mechanisms to monitor BSA
examinations, and recent improvements in their automated examination
and enforcement data systems have enabled them to better track and
report BSA-related information. Until recently, the systems that
regulators used to track data on BSA violations and enforcement had
serious shortcomings, but they have updated their systems. Moreover,
regulators are able to more readily share BSA-related information,
which is a particularly important ability in light of the MOU that
regulators signed with FinCEN in September 2004. The regulators agreed
to provide FinCEN with quarterly reports on the number of BSA-related
examinations they conducted, the number and types of BSA violations
cited, and the institutions cited for repeat violations. In addition,
FinCEN agreed to provide analytical reports to the regulators and has
begun to do so. However, the regulators differ on how they classify and
define some BSA compliance problems. For example, not all of the
regulators provide written guidance on what constitutes a violation,
and existing guidance leaves key terms undefined and varies in scope.
Furthermore, our limited review of examinations indicated that
different terms were used for similar problems. As a result,
inconsistencies in recording and reporting BSA compliance problems
could occur.
Regulators Use Supervisory and Quality Assurance Reviews and Tracking
Systems to Monitor BSA Examinations:
Along with quality assurance reviews and automated tracking systems,
the regulators use supervisory (or management) reviews as the primary
means of monitoring BSA examinations. These mechanisms reflect federal
internal control standards for meeting agency objectives. Control
activities as described in the federal standards include internal
management reviews and documentation. Additionally, federal internal
control standards include monitoring to assess the quality of
performance over time. For example, most regulators review and approve
key BSA examination procedures, including scoping and planning
activities and decisions on violations, as follows:
* Examiners and officials from the Federal Reserve and OCC told us that
supervisory review and approval were required for scoping and planning
activities on BSA examinations of large banks.
* Federal Reserve and OCC officials stated that district management
approved examination plans for BSA examinations of community banks.
* FDIC officials noted that examiners were required to discuss scope
changes with managers or supervisors.
As managers communicate with examiners to stay abreast of findings and
provide guidance and approvals, they also require review or approval of
decisions to cite depository institutions with BSA violations or to
take enforcement actions. Informal corrective actions are reviewed at
the regulators' field offices, but enforcement actions require higher
level review and approval (for more information on informal and formal
enforcement actions, see ch. 5). For example, supervisors at the Board
of Governors review and approve all decisions to take enforcement
actions at the Federal Reserve. The regulators further review
examination reports and approve recommendations to notify FinCEN of
violations.
All of the regulators also use quality assurance reviews to assess and
improve the quality of BSA examinations. These reviews are designed to
serve a variety of purposes, such as identifying significant or
evolving problems, ensuring consistency in the application of
examination procedures, and ensuring the accuracy and completeness of
examination data and results and the timeliness of supervisory actions.
For example, Federal Reserve officials said that the Reserve Banks use
their quality assurance programs partly to determine whether BSA
examinations were carried out appropriately and consistently. OTS's
quality assurance program reviews BSA examinations to determine the
reliability and accuracy of examination data. OTS officials said that
2004 quality assurance reviews assessed the accuracy of OTS's input
controls over BSA violation data, examination results and reports, and
supervisory actions taken as a result of BSA examinations.
Regulators also conduct or use other reviews--operational, peer, and
IG--to assess the accuracy, completeness, and quality of BSA
examinations. For example, Federal Reserve officials said that they
assess the quality of Reserve Banks' supervision function, including
BSA examinations, through an operations review program. According to
Federal Reserve officials, recent operations reviews evaluated the
timeliness of corrective actions, tested information in BSA examination
work papers for accuracy and consistency, and evaluated the adequacy of
resources devoted to this area. OCC officials also told us that, as
part of their peer review program, examiners from OCC regional offices
performed quality reviews of each other's examinations, including BSA
examinations. Furthermore, most regulators have undergone IG reviews of
their BSA-related examination and enforcement activities and have taken
steps to implement recommended actions. For example:
* In 2001, the Treasury IG reviewed OCC's examination coverage of trust
and private banking services. The IG recommended that OCC improve its
examination monitoring process to ensure adequate oversight of BSA
examinations covering trust and private banking services. OCC indicated
that it would conduct targeted internal quality assurance reviews of
private banking and trust services beginning in 2002.
* In 2003, the Treasury IG also reviewed OTS's enforcement actions for
BSA violations and recommended that the agency enhance its regional
reviews of examinations to ensure that substantive BSA violations were
incorporated into final reports. According to an OTS official, OTS has
implemented this recommendation.
* Since 2003, FDIC's IG also has reviewed aspects of the regulator's
BSA-related examination and enforcement activities and made several
recommendations to FDIC. For example, in 2004, the IG recommended that
FDIC coordinate with state banking departments to cover BSA compliance
in state examinations. FDIC has agreed with, and responded to, these
recommendations by issuing guidance and agreeing to schedule BSA/AML
examinations during safety and soundness examinations led by state
examiners.[Footnote 44]
Finally, regulators use automated data systems to collect, store, and
make available examination data and information on supervisory and
enforcement actions. Federal internal control standards indicate that
managers need such relevant and reliable information to carry out their
internal control and operational responsibilities. For example:
* FDIC officials said that the agency collects and stores examination
data, but it uses a separate system to record and track data on various
types of enforcement actions.
* OCC officials said that staff use data systems for large, midsize,
and community banks to retrieve information on prior BSA-related
violations and enforcement actions and to identify institutions for
BSA/AML-targeted examinations.
* Similarly, OTS officials noted that the agency's data system collects
and stores examination data, such as examination start and end dates
and violations of laws or regulations, and includes BSA-related
violations.
* Federal Reserve officials said that the agency's data systems collect
and maintain examination and enforcement data, such as examination
start and end dates and violations of laws or regulations, and include
BSA-related violations and enforcement actions.
Regulators also rely on data from these systems and other software
programs to track information on depository institutions' BSA-related
compliance problems and to assist them in taking supervisory or
enforcement actions in a timely manner. For example, FDIC officials
noted that they use FDIC's data system to produce an internal report
that, in part, lists all FDIC-supervised institutions with BSA
violations, the number and type of violations cited in examination
reports, and repeat violations. OCC and OTS officials said that they
use their data systems to produce reports on BSA-related violations for
FinCEN.
Data System Improvements Have Allowed the Regulators to Better Track
BSA-Related Information:
Since 2000, the regulators have changed or upgraded the systems they
use to record and monitor examination information. As a result, the
regulators can now better track BSA-related information. Some
regulators also have been citing BSA violations in greater number and
detail in recent years--partly as a result of improved systems and
partly as a result of factors specific to each regulator, including
revised guidance and an increased emphasis on the BSA.
Changes to Regulators' Data Systems Have Improved Tracking
Capabilities:
According to regulatory officials, since 2000, all of the regulators
have changed or upgraded their data systems to improve their recording
and monitoring capabilities. To varying degrees, previous iterations of
these data systems limited regulators' ability to monitor and report
BSA-related examination results in a comprehensive and timely manner.
For example, before 2001, NCUA manually collected information on BSA-
related violations. According to a senior NCUA official, in response to
the need to provide data to external parties, including Congress, NCUA
began to redesign its information technology system in 2001. NCUA's
current data system became fully operational in 2002, providing NCUA
with increased search capability across examination data. Furthermore,
it allows NCUA to track more BSA data, including violations and any
corrective actions institutions had implemented.
Similarly, OTS generally collected information on BSA violations
manually until the late 1990s, which is when it began automating its
examination documentation program. Moreover, the Treasury IG determined
that material data inaccuracies with OTS's BSA records could adversely
affect supervisory decisions to the extent that OTS senior managers and
regional supervisors used the system to monitor, plan, or review
individual BSA examination results. In 2003, OTS replaced its former
system to facilitate storage of examination work papers with related
examination reports. According to OTS officials, the new Internet-based
system allows greater flexibility in the examination administration
process. For example, OTS officials said that the new system tracks
comprehensive data on examinations and violations, including data on
BSA compliance. OTS also replaced a separate system used to collect
information on enforcement actions. OTS officials noted that these
current systems also provide the ability to track repeat violations,
corrective actions and associated dates of implementation, and
enforcement actions--capabilities that OTS's previous systems had
lacked.
Before 2003, FDIC's examination data system did not require entry of
BSA violation codes or information from examiners' on-site visits that
was related to BSA compliance. As a result, FDIC staff lacked
information to confirm that institution management had taken corrective
actions to address problems identified during examinations. According
to FDIC officials, in 2003, FDIC upgraded its examination data system
to a Web-based platform, to enhance overall user capabilities. FDIC
indicated that although the former examination data system captured BSA
program violations as well as financial record-keeping and reporting
violations, the upgrade to the system incorporated violations related
to the implementing rules of the PATRIOT Act and the FDIC's suspicious
activity reporting rule. FDIC indicated that in 2005, the agency also
upgraded its enforcement action data system to a Web-based platform to
allow for the selection of multiple bases for enforcement actions and
for the automated tracking of BSA-related enforcement actions.
OCC has separate systems to maintain the official electronic records of
examination and enforcement information, including information on BSA
violations and enforcement actions, for large banks, and midsize and
community banks. OCC officials said that in 2000, OCC implemented an
interim examination data system for large-bank examinations to address
a general need to store more descriptive text, such as examiner
narrative, comments, and information on contacts and communications
with banks. In late 2003, OCC began integrating this interim system
into its current examination data system for large banks to store all
the information in one system. One advantage of the system conversion
was that it provided OCC with the ability to search the full text of
examination narratives, including BSA examinations. According to OCC
officials, the redesign and systems improvements will be fully
implemented in 2006.
The Federal Reserve for some years has used national supervisory data
systems that maintain electronic records of examination and enforcement
information, including examination reports, enforcement actions, and
other relevant documents. Additionally, the Federal Reserve maintains a
national database of supervisory data specifically designed to support
its banking supervision activities. These systems were, and continue to
be, accessible to all appropriate supervisory staff across the Federal
Reserve System. However, at the beginning of our review, Federal
Reserve officials said that, unlike other examination areas, the
Federal Reserve did not collect and track most BSA-related information
through its national database. Rather, officials said that the database
maintained narrative information on BSA violations data within reports
of examination for purposes of ongoing supervision. They noted that the
Federal Reserve used a separate mechanism to centralize information on
BSA-related examination findings from the 12 Reserve Banks.[Footnote 45]
Furthermore, they noted that this lack of automation and the use of
a separate mechanism limited their ability to centrally track and
extract in an automated fashion certain aspects of BSA-related
supervision across the 12 Reserve Banks. For example, at the time of
our data requests in 2004, the Federal Reserve experienced difficulty
in generating information on the total number of examinations conducted
between 2000 and 2004 that included a BSA review, and the agency was
unable to provide the number and nature of BSA-related violations
identified during this period.
During the course of our review, Federal Reserve officials said that
the Federal Reserve began to improve centralized tracking and analysis
of BSA-related data through its national examination database. In 2003,
the Federal Reserve began to enhance its national examiner database to
capture BSA/AML violations or other BSA examination-related data.
Federal Reserve officials noted that as part of those efforts, in 2004
the Federal Reserve expanded the reporting mechanism to track
examination data and expand risk categories and, in 2005, integrated
these data into the national database. Federal Reserve officials said
that the expanded version would assist in collecting more detailed
information, including the nature and frequency of BSA-related
violations and the nature of institutions' risk of BSA noncompliance.
In addition, Federal Reserve officials noted that in 2004, they began
merging more detailed BSA-related information collected from the
Reserve Banks with existing supervisory data to provide the Federal
Reserve with a national view of various BSA-related items, such as
commitments from institution management to correct identified problems
and different types of enforcement actions. According to Federal
Reserve officials, the Federal Reserve finalized the conversion of its
database, and, since the last quarter of calendar year 2005, Federal
Reserve staff have been able to extract BSA examination and enforcement
data collected by the Reserve Banks.
BSA-Related Violations Increased in Recent Years; Violations of
Currency Transaction Reporting Requirements Were Frequently Cited:
Our review of the regulators' data on BSA-related examinations and
violations from 2000 to 2004 indicated that the number of BSA-related
violations generally increased in recent years for reasons that are
specific to certain regulators. For example, as shown in figure 3, the
number of violations NCUA reported increased steadily from 2000 to
2004. NCUA officials largely attributed this increase to a change in
the implementation of a risk-focused examination approach in 2002,
communication from the NCUA Chairman regarding the importance of
correctly citing violations under the risk-focused program, and a
general increase in training and guidance for examiners. NCUA officials
also credited this increase to a recent adoption of multiple layers of
supervisory reviews and periodic reviews of BSA examination data aimed
at ensuring the accuracy, completeness, and reliability of these data.
OTS officials attributed increases in the number of violations between
2003 and 2004 to various factors, such as the implementation of a
risk-focused examination approach and implementation of a combined
compliance and safety and soundness examination. FDIC officials
attributed the spike in violations from 2003 to 2004 to a change
related to record-keeping rules for CTRs. Although OCC did not have a
large increase in the number of violations, OCC officials attributed
the increase in the number of examinations from 2003 to 2004 to a
change in the way OCC counted BSA examinations.
Figure 3: BSA-Related Violations and Examinations, by Regulator
(2000-2004):
[See PDF for image]
[End of figure]
The regulators distinguish between technical violations that are
considered minor, such as the late filing of a CTR or failure to fill
in certain boxes on a CTR form, and systemic violations, such as
failure to have a BSA/AML program. For example, data from FDIC, OCC,
and OTS show that in 2003 and 2004, citations issued in connection with
CTR requirements (31 C.F.R. §§ 103.22 and 103.27) (see fig. 4) were
among the frequently cited BSA-related violations. These violations of
the CTR requirements included a failure to (1) file CTRs and (2) file
them in a timely manner. In contrast, NCUA data indicate that in 2003
and 2004, citations issued in connection with procedures for monitoring
BSA compliance (12 C.F.R. § 748.2) and the customer identification
program (CIP) rule, which was implemented under the PATRIOT Act of May
2003 (31 C.F.R. § 103.121), were among the frequently cited BSA-related
violations. Violations of the CIP rule involved improperly verifying
the identity of customers at account opening. Other frequently cited
violations included violations of the regulators' BSA/AML program rules
pursuant to title 12 of the United States Code.
Figure 4: Frequently Cited BSA-Related Violations, by Regulator
(2000-2004):
[See PDF for image]
[End of figure]
In Recent Years, Some Regulators Have Been Citing BSA Violations with
Greater Specificity Than Before:
NCUA and FDIC cited violations with greater specificity from 2003 to
2004 than from 2000 to 2002. Our review of BSA-related violation data
from 2000 through 2001 indicated that NCUA's system generally
classified any violation of the BSA/AML program rule regulation under a
single broad category. In contrast, from 2002 to 2004, NCUA's violation
data identified the particular subsections that institutions violated.
In addition, FDIC officials noted that their data quality improved
considerably in March 2003 with the implementation of its current
examination data system, which can now specify subsections of
BSA-related regulations that institutions have violated. In late 2003, FDIC
changed the way that it tracked BSA violations. After evaluating how
its examination data system generated violation reports, FDIC concluded
that it was more useful to review the "number of banks" where specific
violations were cited, rather than to record the frequency of each
violation cited during each examination. Furthermore, FDIC officials
noted that the number-of-banks format is used by FinCEN to ensure a
more appropriate comparison from quarter to quarter and among the
regulators.
Regulators Now Share More Specific BSA-Related Examination and
Violation Data with FinCEN:
Under an MOU entered into by the regulators and FinCEN in September
2004, the regulators share more specific BSA-related examination and
violation data with FinCEN.[Footnote 46] Using their examination data
systems, the regulators provide FinCEN with quarterly reports on the
number of BSA-related examinations they have conducted, the number and
types of BSA violations cited, and the institutions cited for repeat
violations. According to FinCEN officials, as of February 2006, they
had received the aggregate data from the regulators for the fourth
quarter of 2004 and the four quarters of 2005. They also had received
two annual reports from the regulators, which included the number of
financial institutions the regulators examined and descriptions of
examination cycles, also as outlined in the MOU.
In turn, the MOU requires that FinCEN provide a compilation that
summarizes, by regulator, all of the data provided in the quarterly
reports. FinCEN has provided the regulators with these summaries as
well as an annual consolidated report.[Footnote 47] Table 5 summarizes
this information for fiscal year 2005.
Table 5: BSA/AML Examinations, Violations, and Enforcement Actions, by
Regulator (Fiscal Year 2005):
Regulator          Number of          Number of        Number of
                   examinations[A]    violations[B]    enforcement actions[C]
FDIC               2,525              2,576            172
Federal Reserve    680                97               52
NCUA               4,715              4,754            1,824
OCC                1,530              405              42
OTS                722                514              29
Source: FinCEN.
[A] The number of examinations conducted within each regulator's
established BSA examination cycle, including examinations conducted
jointly with state banking departments.
[B] The number of BSA violations cited under title 12 or title 31 of
the United States Code.
[C] The number of formal and informal enforcement actions taken to
address BSA compliance under either title 12 or title 31 of the United
States Code.
[End of table]
FinCEN officials noted that there are limitations to the aggregate
data. These data do not provide insight into the reasons why the
violations are occurring; rather, they are indications of issues to
follow or act upon through the supervisory process. FinCEN officials
said that these data compilations have shown increases in violations of
requirements involving CIPs, independent reviews, and BSA training.
FinCEN has shared these data with the regulators and given them areas
to be aware of for follow-up at their institutions.
According to FinCEN officials, FinCEN provided other analytical
products to the regulators as well. For example, FinCEN was directed by
the Treasury IG to undertake a SAR data quality review. As part of this
effort, FinCEN has identified problems with some SAR filings, which it
then shared with the regulators. The regulators told us that they have
found these SAR analyses to be useful because they can then direct the
specific institutions to address the problems. FinCEN also conducted a
systematic review of banking industry compliance with section 314(a) of
the PATRIOT Act and identified specific institutions that had not been
doing required searches of their accounts.[Footnote 48] As with the SAR
data problems, FinCEN has shared this information with the regulators
so that they can conduct follow-up with the institutions to rectify the
problem. FinCEN officials noted that these products are intended to
help the regulators elicit better BSA compliance. FinCEN plans to
provide additional products to the regulators, containing more
strategic and tactical analyses, in the future. In addition, FinCEN
officials noted that the provision of analysis to determine compliance
trends across industry segments and across the financial services
sector--that is, banking, securities, insurance, casinos, and others--
was a long-term project. Near-term priorities included conducting
analyses of cases of significant noncompliance sent in by the
regulators. Such analysis would include all known information and
BSA-related filings relevant to the institution or customers when
considering an enforcement action. FinCEN officials said that its
computer system is now operational, and they had begun populating it
with case data.
FinCEN officials stressed that they wanted the products they provided
to the regulators to be ones that would help the regulators do their
job. That is, the products could help identify emerging areas in
BSA compliance that require more guidance, new regulations, or changes
to existing guidance. In general, the regulators told us that they were
pleased with the analytical products they had received from FinCEN
since signing the MOU, and that they were looking forward to receiving
additional products from FinCEN in the future, especially those that
showed BSA noncompliance trends across financial industries or in
specific geographic areas.
The regulators also have begun to analyze the BSA compliance data they
receive from FinCEN for their own purposes. For example, OTS officials
said the technology upgrades they implemented over the past few years
have made analyzing these data much easier. From these analyses, they
determined that there were a number of institutions with problems in
their BSA training programs. OTS officials in headquarters also analyze
examination results on a nationwide basis looking for BSA compliance
trends. OCC officials analyze BSA data in two ways. First, OCC
identifies common compliance problems and seeks to identify areas
needing clarification through new guidance. Second, OCC analyzes BSA
compliance data on community banks for money laundering risks to help
develop examination strategies and to determine examination scope.
According to Federal Reserve officials, since the last quarter of 2005,
the Federal Reserve has been able to analyze BSA examination and
enforcement data collected by the Reserve Banks and analyze this
information at the headquarters level for trends and consistency.
Federal Reserve officials also noted that the reports from FinCEN
supplement the Federal Reserve's monitoring and analysis of supervisory
data. FDIC officials said they have conducted trend analyses of
examination data since the issuance of the FFIEC Examination Manual and
have seen a slight decrease in BSA-related violations overall among
FDIC-supervised institutions. According to NCUA officials, NCUA
analyzes all of the data collected during the examination and
supervisory processes. For example, NCUA analyzes data that examiners
must collect, in accordance with NCUA policy, on credit unions' actions
to address significant BSA compliance problems. Furthermore, NCUA
officials said that NCUA has an initiative under way to create a
database of the information contained in the BSA questionnaires that
credit unions complete as part of the examination process, allowing
NCUA to query this information from NCUA's regions and headquarters.
NCUA officials estimated that it would take 3 years to populate the
database.
The regulators have been conducting these analyses internally, but they
have not yet collectively discussed with FinCEN the implications of the
violation data and determined whether there was a need for additional
guidance to address problem areas they have been identifying. The MOU
states that, by the effective use of information exchanged under its
provisions, FinCEN and the regulators will seek to enhance the level of
assistance and analysis that can be provided to the banking industry
and to law enforcement in the BSA compliance area. Such guidance could
provide these additional benefits.
Differences Remain in the Regulators' Guidance and Terminology for
Classification of BSA Compliance Problems:
Although the regulators and FinCEN increasingly have been enhancing and
coordinating information sharing and reporting, differences in how the
regulators classify BSA-related compliance problems remain. For
example, regulators differ in the guidance they provide to examiners
for determining what constitutes a BSA program compliance violation,
with some regulators not providing any written guidance and others
differing in the degree of guidance provided. Furthermore, the
regulators' instructions on BSA enforcement, which also provide
guidance for interpreting or classifying BSA-related problems, do not
clearly define the terms--intended as criteria for determining the
seriousness or scope of a compliance problem--on which those
classifications would be based. Additionally, there appears to be no
clear consensus among examiners on how to distinguish between
BSA-related deficiencies and violations. In our review of the regulators'
examinations, examiners appear to have classified apparently similar
BSA-related compliance problems differently. In some cases, examiners
referred to BSA program compliance problems as "deficiencies"; in other
cases, the problems were cited as "violations." As a result, examiner
judgment likely played a greater role in classifying BSA-related
compliance problems. In turn, this could increase the potential for
inconsistencies in classifying BSA-related compliance problems and
subsequent citations. However, regulators emphasized that other
factors, such as an institution's risk profile or the diversity of its
operations and products, also help explain the differences in the way
that BSA-related compliance problems were cited and classified.
Regulators' Guidance on How to Cite and Classify BSA-Related Compliance
Problems Leaves Key Terms Undefined and Varies in Scope:
When we reviewed the regulators' BSA examinations, we generally found
that the distinction between BSA/AML program compliance "violations"
and "deficiencies" appeared to be that violations represented some
action or inaction prohibited by the BSA and implementing regulations,
and deficiencies did not. Overall, regulators may cite an institution
for a BSA violation if it fails to meet the requirements of BSA/AML
programs, which encompass the following four elements:
* internal policies, procedures, and controls to ensure ongoing
compliance;
* an independent audit function to test programs;
* a designated individual who is responsible for the day-to-day
coordination and monitoring of compliance; and
* an ongoing training program for the appropriate personnel.[Footnote 49]
Additionally, the regulators may cite institutions for failing to
correct a previously cited problem.
Typically, examiners accompanied a description of a violation with a
legal citation in examination reports. BSA/AML program compliance
deficiencies were not regarded as violations of the laws and
regulations, and examination reports generally described the
deficiencies as BSA program performance that was faulty or
insufficient.
However, the regulators have taken different approaches to providing
examiners with guidance on the classification and citation of BSA
compliance problems. For example, the Federal Reserve provides no
written guidance for determining BSA/AML program compliance violations.
Federal Reserve examiners rely on the BSA itself and relevant
regulations to classify and cite BSA compliance problems. In addition
to the BSA and related regulations, the other four regulators each
provide some written guidance for determining BSA violations. Each
regulator differs in the nature and amount of guidance provided. FDIC,
OCC, and OTS also provide guidance that addresses, to some extent, how
examiners are to distinguish BSA/AML program compliance deficiencies
from violations.
More specifically, section 8.1 of the FDIC's Risk Management Manual of
Examination Policies provides some guidance to examiners on the proper
citation of apparent violations of the BSA-related regulations in the
report of examination. An apparent violation may be cited in situations
where deficiencies in the BSA/AML program are serious or systemic in
nature, or when weaknesses and deficiencies identified in the BSA
program are significant, repeated, or pervasive. The FDIC manual also
states that an apparent violation of BSA program requirements should be
cited for a specific program deficiency to the extent that the
deficiency is attributed to internal controls, independent testing, the
individual responsible for monitoring day-to-day compliance, or
training.[Footnote 50] However, if the apparent violation is determined
to be an isolated program weakness that does not significantly impair
the effectiveness of the overall compliance program, then an apparent
violation should not be cited. FDIC's manual also provides examples of
specific issues and situations that warrant a citation of an apparent
violation.
OCC guidance provides that citing an institution for a BSA violation
and taking a subsequent cease-and-desist action are appropriate when a
bank "exhibits BSA/AML program deficiencies coupled with aggravating
factors, such as highly suspicious activity creating a significant
potential for money laundering. . .or other substantial BSA
violations." OCC's guidance also lists conditions within BSA/AML
programs, including systemic or pervasive BSA record-keeping
violations, which can be grounds for citation of a BSA violation.
Additionally, OCC's policy guidance on enforcement actions also lists
several serious problems for which a citation of a violation and
accompanying formal enforcement action might be considered appropriate.
OTS specifies that a systemic or other significant failure to file CTRs
is a BSA violation. OTS's policy guidance on enforcement actions also
lists several serious problems for which a citation of a violation and
accompanying formal enforcement action might be considered appropriate.
These include situations involving an institution's significant
problems or weaknesses with records, systems, controls, or internal
audit program. More recently, OTS provided guidance stating that their
terms "significant," "material," and "substantive" mean the same thing.
Although NCUA is one of four regulators providing written guidance, it
takes a different approach. NCUA does not recognize any difference
between program deficiencies and violations, although NCUA officials
stated that they regarded a major deficiency as a violation. Instead,
NCUA guidance focuses on qualitative factors: BSA violations must be
"significant." NCUA provides criteria for determining when a violation
is significant, and NCUA's guidance states that consistent assessment
of BSA violations is an important part of compliance with the FinCEN
MOU. NCUA categorizes significant violations in the following three
groups: "pervasive," "systemic," and "repeat." For example, pervasive
violations are described as tainting the entire operation of a credit
union and include the lack of a written BSA/AML program that adequately
covers all required elements. To apply NCUA's guidance, NCUA examiners
must first determine if a credit union's activities amounted to
significant violations and then classify the activity according to the
definitions and examples in the guidance. As a result, NCUA examiners
do not report deficiencies. Our review of 30 NCUA examinations
identified one deficiency that was described only in work papers.
Available information did not indicate whether or how the deficiency
was reported in NCUA's automated reporting system. Nevertheless, NCUA
examiners told us that they could distinguish deficiencies from
violations, and they gave us an example of a deficiency as an
institution failing to update a policy but having a procedure in place.
In addition, the regulators often do not clearly define the modifiers
or terms used to describe BSA compliance problems. For instance, the
regulators frequently use, but do not define or illustrate, the terms
"inadequate" and "adequate." FDIC's guidance describes as "inadequate"
BSA/AML programs with considerable problems, which essentially amount
to violations, but the guidance does not provide any further explanation or
definition. FDIC examiners told us that they did not have standardized
criteria for characterizing the adequacy or inadequacy of a BSA
program, and that the term "adequate" could mean "satisfactory";
similarly, the term "inadequate" could mean "deficient,"
"unsatisfactory," or "needs improvement." For example, in our review of
FDIC BSA examinations, we found that examiners frequently used the
terms "adequate" or "inadequate" to refer to an institution's level of
program compliance and to describe deficiencies or violations.
The different meanings given to these terms also appear to affect how
examiners classify BSA problems. For example, NCUA officials said that
having an adequate practice but no written policy for the practice
would be counted as a BSA violation in NCUA's data system. However, a
Federal Reserve official noted that a violation would not be cited for
a practice that was deemed adequate, even though the bank's policy
might not address it. In this example, examiners would direct the
institution to take corrective action to ensure that it had a written
policy addressing the practice. We also noted that the regulators could
use many different terms to refer to the same thing. According to
Federal Reserve officials, examiners may use the terms "deficiency,"
"weakness," "inadequacy," or "exception" to mean the same thing.
Furthermore, FDIC guidance refers to violations as "apparent
violations."
FinCEN officials said that they discussed the issue of different
terminology with regulators during the drafting of the terms of the
MOU. FinCEN and the regulators agreed not to impose any requirements
for standardized terminology in the MOU itself. Instead, they
structured the MOU to require the regulators to provide FinCEN with
information on instances of "significant" noncompliance, be it a BSA
violation under title 12 or title 31 of the United States Code,
regardless of whether the regulator classified the conduct as a
violation or a deficiency. That is, all problems against which the
regulator is taking supervisory action are to be reported to FinCEN.
This reporting of significant noncompliance is in addition to the
quarterly reports the regulators provide to FinCEN under the MOU on the
number of BSA-related examinations they have conducted, the number and
types of BSA violations cited, and the number of BSA-related
enforcement actions put in place or terminated during the quarter.
Examiners Generally Did Not Agree on When a BSA Program Compliance
Deficiency Amounted to a BSA Violation:
Although four regulators provided some guidance for determining BSA
program deficiencies and violations, examiners could not clearly
articulate what constituted a deficiency. That is, in our discussions
with the examiners, they seemed to agree that a BSA violation amounted
to noncompliance with a BSA law or regulation; however, they did not
have a uniform definition or understanding of when a BSA program
compliance deficiency rose to the level of a violation.
To illustrate, FDIC examiners said that a deficiency was the examiner's
conclusion on the basis of the institution's lack of compliance with
BSA, but a violation was a deviation from or noncompliance with a BSA
rule or regulation. NCUA examiners said that a deficiency usually
referred to problems with policies; for example, an institution might
not have updated a BSA policy for which it had procedures in place.
According to OCC examiners, a deficiency was an activity that, although
not defined or classified by the statutes as a violation, fell "below
standard" and did not reflect sound AML management. OTS examiners
stated that there were no clear definitions of BSA violations; however,
they regarded a "violation of a regulation" to be a BSA violation.
Federal Reserve examiners told us that they had difficulty determining
whether a given set of facts amounted to a BSA program deficiency or
violation, and that, as a result, a lot of examiner judgment went into
determining whether the facts supported a citation of a BSA program
deficiency or violation. They also said that they submitted program
deficiencies to headquarters for assistance in determining whether
deficiencies constituted violations and how problems should be
classified.
Examiners Cited Institutions Differently for Apparently Similar
Problems, but Regulators Noted Several Factors That Could Have Caused
Differences:
In our review of 138 BSA examinations, we identified at least 8
instances, involving 17 institutions, in which examiners cited
institutions differently for what appeared to be substantially similar
problems. For example, different regulators recognized similar
substantial or material problems in internal audits, but cited the
institutions with either a BSA program deficiency or a violation. In
one instance, Federal Reserve examiners pointed out a deficiency to the
institution because the internal audit report failed to identify and
report material weaknesses that were identified during the examination.
But FDIC examiners cited an institution with a BSA violation for its
inadequate audit testing that lacked independence and did not test or
review certain areas. Similarly, regulators issued different types of
citations to institutions that had not adequately tested their systems.
Federal Reserve examiners pointed out a deficiency to an institution
for not conducting annual independent testing at all of its 15 branches
and for failing to perform a regularly scheduled audit. However, OTS
and FDIC examiners cited institutions with violations for failing to
perform independent testing. Although examiners cited institutions with
BSA violations or deficiencies on what appeared to be substantially
similar grounds, we did not review the cited violations or deficiencies
for correctness and did not conclude that they were incorrect. The lack
of uniform, clear guidance for distinguishing between BSA/AML program
deficiencies and violations likely increases the examiners' reliance on
professional judgment to make findings of deficiencies and violations,
which in turn could result in inconsistencies in classifying
deficiencies and violations, as was apparent in some of the
examinations that we reviewed.
According to most of the regulators, multiple factors could contribute
to differences among examiner citations. For example, according to OCC
officials, an institution's risk profile, products, or commitment to
resolving problems could influence an examiner's determination. The
perceived severity of the institution's problem also could influence
the decision to issue a violation or a deficiency. One OCC official
noted that no two institutions were alike, and that the regulation was
not designed to be "one size fits all." Nevertheless, OCC recognized
the potential for inconsistent interpretations in citing violations of
its BSA regulation. In a May 2005 report sent to the Senate Committee
on Banking, Housing, and Urban Affairs, OCC stated that its guidance on
citing violations of the regulation was open to multiple and
inconsistent interpretations.[Footnote 51] As a result, OCC revised the
guidance in November 2004 to clearly state that there is a statutory
mandate that OCC will issue a cease-and-desist order for violations of
the regulation, since the OCC's review team had found inconsistent
treatment of violations of the regulation.
NCUA officials thought its classifications of BSA problems were
consistent, and that it was more important to allow the regulators to
have flexibility to interpret and classify BSA compliance problems,
given the differences in the institutions they supervised. Federal
Reserve officials stated that differences in terms used to describe
deficiencies that did not rise to the level of violations were less
important, and that consistency in the citation of violations was of
primary importance because of the more immediate supervisory
consequences of such citations.
[End of section]
Chapter 5:
Regulators and FinCEN Increased Coordination on BSA Enforcement;
Criminal Cases Were Limited:
Regulators address most BSA-related compliance problems through the
examination process. Although the regulators can use tools that range
from supervisory actions (such as moral suasion) to informal actions
(such as MOUs) and formal enforcement actions (such as the assessment
of CMPs), according to the regulators, most BSA-related problems are
resolved during the course of an examination. FinCEN also uses a range
of enforcement tools, including CMPs; but, according to FinCEN
officials, FinCEN must ensure the consistent application of CMPs across
all financial institutions, not only those supervised by the
regulators. Moreover, unlike the regulators, FinCEN was delegated
authority under the BSA to take enforcement actions for violations of
the BSA and its implementing regulations. From 2000 to 2005, FinCEN
assessed CMPs in 11 cases, with significantly higher penalties in
recent years. Although the Secretary of the Treasury has not delegated
enforcement authority to the regulators as statute directs, FinCEN
officials said there have been no significant consequences of FinCEN
and the regulators operating under independent, but overlapping,
statutory authorities to assess CMPs. Furthermore, FinCEN and the
regulators have increased coordination on enforcement consequent to
their September 2004 MOU on information sharing. For example, they have
begun to concurrently assess CMPs for significant BSA problems at
depository institutions. Criminal cases against depository institutions
for BSA violations have been limited. From 2002 to 2005, Justice,
either through its Criminal Division or its U.S. Attorneys' Offices,
has pursued legal action against six depository institutions for
criminal violation of the BSA. The increase in actions has raised some
concerns in the banking industry, although Justice officials said that
investigations of depository institutions for BSA noncompliance
generally have involved only those cases wherein institutions engaged
in willful and repeated failures to fulfill their legal duties.
Furthermore, in some cases, the alleged criminal conduct of customers
revealed to investigators the lapses at the institutions. Most criminal
investigations of depository institutions were resolved through
deferred prosecution agreements and monetary penalties. Finally,
Justice recently formalized coordination on cases where a financial
institution would be named as an unindicted coconspirator or allowed to
enter into a deferred prosecution agreement.
Regulators Address Most BSA-Related Compliance Problems within the
Examination Framework:
Each regulator's authority to take supervisory actions and informal
enforcement actions lies in its respective general authority to
supervise financial institutions and exercise discretion to carry out
the purposes of its enabling statute. Supervisory actions generally
involve communicating recommendations to institution management during
examinations or through the examination report. Although regulators use
a broad range of actions to address BSA compliance, according to the
regulators, most problems in BSA-related compliance are corrected
within the examination framework through supervisory actions. OCC
officials noted that such supervisory actions generally are used to
correct relatively minor or technical compliance problems. The
regulators typically request depository institutions' management and
directors to correct problems that were identified during examinations
and communicated through the report of examination. OTS officials noted
that addressing BSA compliance problems within the examination
framework meant that the institutions could correct the problems
promptly and the examiners could review the corrections immediately.
NCUA encourages examiners to resolve problems informally whenever
possible. Representatives of some regulators also noted that if
supervisory actions proved insufficient or problems required stronger
action, the regulators generally would use informal enforcement
actions. Informal enforcement actions are mutual agreements between the
regulator and the institution to correct an identified problem. They
generally involve written commitments from institution management to
correct the problem and are used to address problems that are not
critical, and that plausibly could be corrected through a voluntary
commitment from the institution's management. For example, OCC issues
MOUs or commitment letters, reflecting specific commitments to take
corrective actions in response to problems or concerns identified by
OCC in its supervision of a bank. The letters are then signed by the
institution's board of directors on behalf of the bank and acknowledged
by an authorized OCC official. Although informal enforcement actions
are not public and are not binding legal documents, failure to honor
the commitments could provide the regulator with evidence of the need
for formal action. The regulators noted that they generally use
informal enforcement actions against BSA noncompliance that is limited
in scope and technical in nature. According to representatives of the
regulators, the regulators generally require the institutions to inform
them after a specified time of their progress in making the
corrections, and to verify that the improvements have been made.
Furthermore, examiners can conduct verifications before or during
subsequent examinations. According to FinCEN data, the regulators took
2,048 informal enforcement actions in fiscal year 2005.
Our review of 138 examinations conducted between January 1, 2000, and
June 30, 2004, that contained a BSA-related violation, also indicated
that the regulators most frequently addressed BSA problems through
supervisory actions. The regulators generally obtained oral commitments
from institution management or used informal actions to address
problems with components of institutions' compliance programs or
limited problems with BSA filings. The regulators mostly obtained oral
commitments from institution management to correct identified problems
during meetings with management or boards of directors. For example, in
a 2002 examination, NCUA examiners identified that a credit union had
failed to update its written BSA policy to reflect the name of its new
compliance officer. The institution's board of directors agreed
immediately to correct the problem. Similarly, in a 2000 examination,
FDIC examiners determined that the bank failed to file four CTRs in a
timely manner. The examiners noted that before the examination, bank
management already had improved internal practices to avoid such
violations in the future. They obtained agreement from the bank
president to correct the four instances of CTR-related noncompliance.
Our review also identified instances of the regulators' use of informal
enforcement actions to address BSA-related noncompliance. For example,
in a 2003 examination, NCUA examiners identified a credit union's
failure to have written procedures for OFAC compliance. To address this
failure and other BSA-related noncompliance, NCUA entered into a
written agreement with the institution, called a Document of
Resolution, which indicated that the board of directors agreed to
develop and approve OFAC procedures after the completion of the
examination. In a 2003 examination, OTS examiners addressed an
institution's failure to maintain records of a small number of CTR
filings by obtaining the institution's written agreement to ensure the
appropriate record retention. Federal Reserve officials noted that
because all of the Federal Reserve examinations in our sample were of
those institutions already under a formal enforcement action, ongoing
communication with institution management about the criticisms
identified in the reports was particularly important.
Regulators Assess Many Factors in Deciding on Formal Actions against
Significant BSA-Related Compliance Problems:
In general, the regulators have taken formal enforcement actions
against violations of significant BSA/AML program requirements and BSA
violations.[Footnote 52] Formal enforcement actions are written
documents that are disclosed to the public, are more severe than
informal actions, and generally are enforceable through the assessment
of CMPs and through the federal court system. The regulators coordinate
formal enforcement actions with state banking departments, where
appropriate, and with FinCEN on cases involving significant BSA-related
compliance problems. According to FinCEN data, the regulators took 71
formal enforcement actions in fiscal year 2005.
As seen in table 6, the regulators' recent formal enforcement actions
for BSA-related compliance problems include consent orders,
cease-and-desist orders, written agreements, and CMPs.[Footnote 53] For example,
in two recent and widely publicized cases, OCC and the Federal Reserve,
respectively, entered into formal enforcement actions with the Federal
Branch of Arab Bank, PLC, and the New York Branch of ABN AMRO Bank,
N.V. (ABN AMRO).[Footnote 54] Through the respective consent orders and
CMP assessment, the institutions agreed to the numerous corrective
actions outlined by the regulators to remedy the identified BSA-related
violations.[Footnote 55]
Table 6: Examples of Formal Enforcement Actions Taken against
Depository Institutions for BSA-Related Compliance Problems (2004-2005):
| Enforcement action | Date | Regulator | Depository institution | Areas of significant BSA-related problems included in actions |
|---|---|---|---|---|
| Consent order | 10/2005 | OCC | Key Bank, N.A. | BSA compliance program; BSA compliance officer function; Suspicious activity reporting; Independent audit; Training |
| Written agreement | 10/2005 | Federal Reserve | Deutsche Bank Trust Company | BSA compliance program; Independent testing; Training; Suspicious activity reporting; Customer due diligence |
| Written agreement | 06/2005 | Federal Reserve | First Citizens Bank of Butte | BSA compliance program |
| Cease-and-desist order | 06/2005 | FDIC | First Community Bank of Southwestern Florida | BSA compliance program; BSA compliance officer function; BSA compliance committee; Customer due diligence |
| Consent order | 05/2005 | OCC | InterBusiness Bank, N.A. | BSA compliance program; Independent testing |
| Cease-and-desist order | 05/2005 | FDIC | Muskegon Commerce Bank | BSA compliance program; Independent testing |
| Consent order | 02/2005 | OCC | United Americas Bank, N.A. | BSA compliance program; BSA compliance officer function; Suspicious activity reporting |
| Consent order of civil money penalty | 02/2005 | OCC | City National Bank | BSA compliance program; Customer due diligence; Suspicious activity reporting |
| Consent order | 02/2005 | OCC | Federal Branch of Arab Bank, PLC | BSA compliance program; Suspicious activity reporting; Monitoring third-party wire transfers |
| Supervisory agreement | 01/2005 | OTS | First Federal Savings and Loan Association of Edwardsville | BSA compliance program; Customer identification; OFAC compliance; Training |
| Cease-and-desist order | 12/2004 | OTS | Guaranty Bank | Suspicious activity reporting; Suspicious activity monitoring; Training |
| Civil money penalty | 12/2004 | OTS | Anchorbank, fsb | CTR filing; Customer identification program; Training; Independent testing; Suspicious activity reporting |
| Written agreement | 07/2004 | Federal Reserve | ABN AMRO Bank, N.V. | BSA compliance program; Correspondent accounts; Independent audit; Suspicious activity reporting; Customer due diligence |
Source: GAO.
[End of table]
Representatives of the regulators noted that they consider a variety of
factors when determining whether to pursue formal enforcement action
for BSA-related noncompliance. They noted the importance of the
specific circumstances of each case when determining the appropriate
formal enforcement action for problems within institutions' BSA
programs. For instance, a senior FDIC official said that FDIC would
consider (1) the extent to which the institution's BSA program failed
to detect or deter potential money laundering, (2) the institution's
response to previous violation notifications, and (3) the institution's
overall risk profile. According to another FDIC representative, Federal
Deposit Insurance Act (FDI Act) specifications on enforcement actions
do not preclude FDIC from taking different action. Thus, if FDIC
determines that a bank has a positive compliance history and the bank's
management demonstrates a desire and ability to cooperate with FDIC,
the regulator might not automatically take a formal action against a
failure in a component of the institution's BSA program. Guidance on
formal enforcement actions for BSA-related compliance problems issued
separately by OCC and OTS in November 2004 and March 2004,
respectively, also noted such factors and identified other factors,
such as the regulator's confidence in the ability of the institution to
correct the problem and whether the institution independently
identified and corrected the problem. Finally, Federal Reserve
officials said that they issue cease-and-desist orders to institutions
that have violated some aspect of the BSA program requirement, but that
they sometimes enter into written agreements with the institutions for
such violations.
Regulators Do Not Derive Authority for Formal Enforcement Actions,
Including CMPs, from the BSA:
Section 8(s) of the FDI Act also authorizes the regulators to enforce
compliance with BSA program requirements. Specifically, in the event
that an insured depository institution fails to establish or maintain a
BSA program or has failed to correct any previously identified
deficiency in its BSA program, the appropriate regulator shall issue an
order requiring the institution to cease-and-desist from its
violation.[Footnote 56] Should the institution violate a
cease-and-desist order, the regulators are authorized to assess a CMP or file an
action for injunctive relief in the appropriate federal district
court.[Footnote 57] Additionally, the regulators may impose CMPs for
violations of conditions imposed by a regulator in connection with
granting an application or request; violations of written agreements
between the institution and the regulator, or any law or regulation;
unsafe or unsound practices; and breach of fiduciary duties.
However, the regulators currently do not have delegated authority under
the BSA to take formal enforcement actions for violations of the BSA.
Title 12 of the United States Code authorizes the regulators to take
certain formal enforcement actions if they determine that a depository
institution is engaging in unsafe or unsound practices or has violated
any applicable law or regulation.[Footnote 58] The regulators have
interpreted this authority to include violations of the BSA and its
implementing regulations when they take formal enforcement actions
aimed at addressing violations of the BSA/AML program requirement.
Critical Reviews of Regulators' BSA Oversight Have Prompted Some
Regulators to Change Examiner Procedures and Guidance:
Some regulators have changed procedures and examiner guidance related
to enforcement in response to weaknesses identified by internal and IG
reviews. A 2005 internal quality assurance review at OCC, conducted in
the wake of significant BSA failures at Riggs Bank, N.A. (Riggs Bank),
determined that among the sampled banks, stronger action was warranted
at 8 of 24 community banks, 1 of 6 midsize banks, and 1 of 6 large
banks. Furthermore, according to the review findings, OCC's initial
supervisory actions were not always severe enough to ensure timely
correction of the BSA/AML problems for 22 percent of the sampled
institutions. The review also determined that OCC had given banks
multiple opportunities and extended periods of time to implement
effective BSA/AML programs. In a July 2005 response to the review, a
senior OCC official stated that, over the past 18 months, one of the
actions OCC had taken to address this problem was to institute a
process where OCC staff, including experts at OCC headquarters, would
review any proposed citation relating to a BSA/AML program requirement
and an OCC Senior Deputy Comptroller would make the final decision to
cite a violation.
In 2003, the Treasury IG found that OTS's reliance on moral suasion and
thrift management assurances to comply with the BSA was not effective
in compelling thrift management to correct their BSA violations in 21
of the 68 sampled thrifts. Furthermore, the Treasury IG indicated that
the reports of examination and underlying examination work papers
supported OTS taking more forceful and timely enforcement actions
against these thrifts. In a detailed review of 9 of 11 cases where OTS
issued written enforcement actions in response to substantive BSA
violations, the Treasury IG found that in 5 cases, the enforcement
documents either were not taken in a timely manner or did not address
all of the substantive violations found by the examiners. According to
the Treasury IG, the BSA violations continued for years or BSA
compliance worsened. To address the report's findings and
recommendations, OTS management agreed to take a number of corrective
actions, including implementing enhanced supervisory review over the
examination process to better ensure that substantive violations
identified in an examination would be incorporated into the report of
examination. OTS also agreed to issue supplemental examiner guidance
(1) on when to initiate stronger enforcement action when substantive
BSA violations were found and (2) on time frames for expecting
corrective action to avoid repeated violations of the BSA and
deteriorating BSA compliance. OTS agreed to improve regional reviews to
ensure that substantive BSA violations were identified in the report of
examination. OTS officials told us that the improvements made to its
examination and enforcement data systems allow for easier monitoring of
the timeliness of institutions' corrective actions. According to an OTS
official, OTS has implemented all of the Treasury IG recommendations
made in connection with this report, including the issuance of guidance
on enforcement actions specifically for BSA-related compliance
problems.
Other reviews also identified weaknesses in how some regulators
followed up on BSA compliance problems. According to the 2005 internal
quality assurance review, in the past, OCC did not effectively follow
up on BSA/AML violations and/or Matters Requiring Attention among
sampled institutions; however, because of OCC's increased emphasis on
BSA/AML supervision in 2004 and 2005, follow-up had improved in all
areas of BSA/AML supervision.[Footnote 59] Similarly, a 2004 FDIC IG
review indicated that FDIC needed to strengthen its follow-up processes
for BSA violations. The FDIC IG determined that there was a wide range
of follow-up actions and identified a number of weaknesses in FDIC
follow-up processes through reviews of sampled institutions, relevant
procedures of FDIC regional offices, and information from FDIC's data
systems.[Footnote 60] The FDIC IG recommended that FDIC reevaluate and
update examination guidance to strengthen monitoring and follow-up
processes for BSA violations, and take or conduct, among other things,
* prompt, appropriate, and consistent regulatory action in cases where
management action is not timely, including cease-and-desist orders for
repeat violations, as appropriate, and
* consistent and timely follow-up of BSA violations between
examinations to ensure management is taking corrective action.
According to the FDIC IG, FDIC had initiatives under way to reassess
and update its BSA policies and procedures, and the agency agreed with
the recommendations. An FDIC IG official noted that FDIC has
implemented corrective action that addresses the recommendations.
Unlike the Regulators, FinCEN Has Delegated Enforcement Authority under
the BSA:
FinCEN, the administrator of the BSA, takes enforcement action against
BSA compliance problems at financial institutions, including, but not
limited to, depository institutions. Unlike the regulators, FinCEN can
take such action because the implementing regulations of the BSA
specifically delegated authority for it to do so.[Footnote 61]
While the regulators have examination authority and deal most directly
with depository institutions, FinCEN receives information on specific
cases of depository institutions' BSA-related compliance problems
through referrals of specific cases from the regulators or through
reports from institutions filed as a result of the examination
process.[Footnote 62] In 1990, FinCEN's predecessor, the Office of
Financial Enforcement, issued guidance on referrals to the regulators
that described situations and types of violations that would warrant
referral for further action beyond any enforcement actions that the
regulators might take. OCC, FDIC, OTS, and NCUA subsequently summarized
the guidelines in their respective BSA examination policies and
procedures.[Footnote 63] According to FinCEN officials, each regulator
has referred cases for further action, but to varying degrees (see
table 7).
Table 7: Number of Referrals from the Banking Regulators to FinCEN
(2001-2004):
Number of referrals to FinCEN, by year:
| Agency | 2001 | 2002 | 2003 | 2004 |
|---|---|---|---|---|
| FDIC | 6 | 13 | 2 | 13 |
| Federal Reserve | 3 | 1 | 0 | 4 |
| OCC | 0 | 0 | 1 | 1 |
| OTS | 0 | 0 | 0 | 1 |
| NCUA | 0 | 1 | 0 | 0 |
Source: FinCEN.
[End of table]
In addition to referrals, FinCEN could become aware of BSA compliance
problems through examination-related reporting. For example, according
to FinCEN officials, if examiners discover that BSA forms have not been
filed in a timely manner, the regulators often instruct depository
institutions to contact FinCEN or the IRS for a determination on
whether BSA forms must be filed late. If such matters rise to a
significant level of noncompliance with the BSA, FinCEN reviews the
facts to determine what action to take.
FinCEN takes enforcement actions against significant BSA compliance
problems by issuing letters of warning or imposing CMPs. According to a
senior FinCEN official, such enforcement actions are intended to yield
greater compliance from the institution that was the target of the
action and serve as an example, thereby resulting in greater compliance
from the financial services industry. According to FinCEN officials,
FinCEN considers several factors when determining the severity of an
institution's violations, including the nature, number, time-span, and
rate of reporting failures. Furthermore, FinCEN takes into account
whether the violation was willful, repeated, or systemic, and whether
the violation was related to a failure in the institution's AML
program. FinCEN also considers what corrective actions the institution
has taken to address the violations and the effects of actions from
other agencies, such as the regulators or law enforcement agencies.
FinCEN officials noted that FinCEN issues letters of warning to address
cases that involve relatively significant BSA noncompliance, but do not
rise to a level that would warrant a CMP.[Footnote 64] Depending on the
nature of the case, CMPs against depository institutions could range
from $500 to $1,000,000 per violation.
From 2000 to 2005, FinCEN Imposed CMPs in 11 Cases but, in Recent
Years, Assessed Them Concurrently with Relevant Regulators:
From 2000 to 2005, FinCEN assessed CMPs against 11 depository
institutions.[Footnote 65] According to FinCEN officials, the use of
CMPs has been effective in stopping the violating activities at
depository institutions where previous enforcement actions by the
regulators had not brought about compliance. FinCEN penalized the
depository institutions for significant reporting failures resulting
from serious weaknesses in BSA compliance policies and procedures. As
seen in table 8, CMPs ranged from $100,000 to $30 million. In 7 of the
11 cases, FinCEN cited willful violation of the BSA.
Table 8: CMPs Assessed Solely by FinCEN and Concurrently with the
Regulators (2000-2005):
| Year | Depository institution | CMP amount | CMP assessed solely by FinCEN | CMP assessed concurrently by FinCEN and the regulator | Regulator |
|---|---|---|---|---|---|
| 2005 | The New York Branch of ABN AMRO Bank, N.V. | $30 million[A] |  | Checked | Federal Reserve |
| 2005 | The New York and Miami Branches of Banco de Chile | $3 million[B] |  | Checked | OCC and Federal Reserve, respectively |
| 2005 | The New York Branch of Arab Bank, PLC | $24 million |  | Checked | OCC |
| 2004 | AmSouth Bank | $10 million |  | Checked | Federal Reserve |
| 2004 | Riggs Bank, N.A. | $25 million |  | Checked | OCC |
| 2003 | Korea Exchange Bank | $1.1 million | Checked |  | FDIC |
| 2003 | Banco Popular de Puerto Rico | $20 million | Checked |  | Federal Reserve |
| 2002 | Great Eastern Bank of Florida | $100,000 | Checked |  | FDIC |
| 2002 | Sovereign Bank | $700,000 | Checked |  | OTS |
| 2000 | Polish and Slavic Federal Credit Union | $185,000 | Checked |  | NCUA |
| 2000[C] | Sunflower Bank, N.A. | $100,000 | Checked |  | OCC |
Source: GAO.
[A] ABN AMRO Bank, N.V., consented to the assessment of a CMP by FinCEN
against the New York Branch of ABN AMRO in the amount of $30 million.
The assessment also was concurrent with a $40 million CMP assessed by
the Federal Reserve, which included an assessment by OFAC. The federal
CMPs were satisfied by one payment of $40 million. In addition, ABN
AMRO Bank consented to a separate CMP assessment against the New York
Branch by the New York State Banking Department in the amount of $20
million, as well as a $15 million CMP assessment against the Chicago
Branch by the State of Illinois Department of Financial and
Professional Regulation and a $5 million contribution to an Illinois
examiner education fund.
[B] OCC is the primary federal functional regulator of the New York
Branch of Banco de Chile, and the Federal Reserve is the primary
federal functional regulator of the Miami Branch. FinCEN assessed a $3
million CMP against both branches of Banco de Chile,
concurrent with OCC's $3 million CMP assessment against the New York
Branch. The Federal Reserve issued a cease-and-desist order against the
Miami Branch but did not assess a CMP.
[C] FinCEN's documentation of the CMP assessment indicated that
Sunflower Bank, N.A., consented to the assessment on December 27, 1999,
and the Director of FinCEN signed the release of the document on
January 6, 2000.
[End of table]
In some instances, FinCEN assessed CMPs against depository institutions
separate from any enforcement action taken by the relevant regulator.
More recently, FinCEN has assessed CMPs concurrently with the
regulators.[Footnote 66] We discuss two examples in more detail in the
following sections:
Riggs Bank:
In May 2004, FinCEN and OCC concurrently imposed $25 million in CMPs
against Riggs Bank for willful and systemic BSA violations.[Footnote
67] FinCEN determined that Riggs Bank willfully violated the suspicious
activity and currency transaction reporting requirements of the BSA and
its implementing regulations, and that Riggs Bank willfully violated
the AML program requirement of the BSA and its implementing
regulations. Riggs' failure to establish and implement a BSA/AML
program adequate to meet its suspicious activity and currency
transaction reporting requirements constituted systemic violations that
demonstrated a reckless disregard of
its obligations under the BSA. According to FinCEN, Riggs Bank further
demonstrated willfulness by failing to correct the BSA-related
compliance problems that OCC previously identified.[Footnote 68]
The New York Branch of Arab Bank, PLC:
More recently, in August 2005, FinCEN and OCC concurrently imposed a
$24 million CMP against the New York Branch of Arab Bank, PLC (Arab
Bank-New York). According to FinCEN, Arab Bank-New York failed to apply
an adequate system of internal controls to the clearing of funds
transfers, given the heightened risks of money laundering and terrorist
financing posed by the bank's customer base, correspondent
institutions, and geographic locations and by the volume of funds it
cleared.[Footnote 69] FinCEN determined that Arab Bank-New York
inappropriately limited the scope of systems and controls used to
comply with the BSA and manage the risks of money laundering and
terrorist financing--for example, by limiting the monitoring and review
of transactions to only those entities that the bank viewed as direct
customers of Arab Bank-New York. That is, it did not monitor and review
transactions for originators and beneficiaries without accounts at Arab
Bank-New York for which the bank had served as an intermediary
institution. As a result, Arab Bank-New York failed to monitor these
funds transfers for potentially suspicious activity. FinCEN also
determined that Arab Bank-New York failed to implement procedures
commensurate with the risks posed by its U.S. dollar clearing
activities. For example, according to FinCEN, the bank did not obtain
and use credible publicly available information (which included
congressional testimony, indictments in the United States, and
well-publicized research and media reports) to monitor and identify funds
transfers that warranted further investigation and did not conduct
follow-up investigations when it had identified anomalies or
potentially suspicious funds transfers.
Furthermore, FinCEN determined, in part, that Arab Bank-New York failed
to identify a number of potentially suspicious funds transfers. For
example, FinCEN cited funds transfers that the bank cleared from 2001
through 2004 for originators or beneficiaries whom OFAC and the
Department of State subsequently declared to be "specially designated
terrorists," "specially designated global terrorists," or "foreign
terrorist organizations." At the time of the funds transfers, neither
OFAC nor State had designated the originators or beneficiaries, and the
bank largely complied with the requirement to cease clearing funds
transfers once they were designated as such. However, according to
FinCEN, once the designation was made, Arab Bank-New York failed to
review information in its possession that would have shown it had
cleared funds transfers for those individuals and entities, failed to
analyze this information, and failed to file SARs. More specifically,
Arab Bank-New York did not file the majority of its SARs referencing
terrorist financing until after OCC commenced a review of its funds
transfer activity in July 2004.
FinCEN Does Not Believe the Lack of Delegated Authority to Impose CMPs
under the BSA Has Significantly Affected Enforcement:
The Secretary of the Treasury has not delegated to the regulators the
authority to assess CMPs under the BSA to address violations. Under the
BSA, the Secretary is authorized to assess CMPs against financial
institutions, including depository institutions, for violations of the
BSA.[Footnote 70] In 1994, MLSA directed the Secretary to delegate this
authority to the regulators and attach terms and conditions deemed
appropriate, including a limitation on the dollar amount of penalty
authority. The Secretary has delegated this authority to the Director
of FinCEN. In 1995, the director established an interagency group
consisting of representatives from the regulators and FinCEN to
implement the delegation by developing common guidance for the
assessment of CMPs. A subgroup of the interagency group developed a
draft delegation of CMP authority, a matrix of penalties and decision
factors, and guidance for using the matrix. However, according to
FinCEN and OCC officials, the agencies could not reach agreement.
Further complicating the matter, the statutory mandate for delegation
of CMP authority to the regulators did not include NCUA or the
Securities and Exchange Commission, which examines broker-dealers for
BSA compliance.
More recently, according to FinCEN officials, the challenges in
crafting a delegation that would result in consistent and accountable
BSA enforcement have increased substantially. For example, FinCEN
officials cited the addition, under the PATRIOT Act, of an additional
regulator, the Commodity Futures Trading Commission, to the BSA
compliance examination process.[Footnote 71] They also noted the
expanded scope of BSA regulation as more types of institutions became
subject to BSA compliance. FinCEN officials said that since 1994,
FinCEN repeatedly has evaluated the benefits and potential consequences
of delegating its CMP authority to the regulators, but currently has no
plans to pursue this delegation.
Furthermore, citing the regulators' authority to assess CMPs under the
FDI Act, FinCEN officials said that they were not aware of any
significant enforcement ramifications caused by the lack of delegated
authority. As previously mentioned, the regulators have interpreted
their authority under the FDI Act to impose CMPs for violations of any
law or regulation to include violations of the BSA. In addition, FinCEN
officials noted that through the MOU, FinCEN and the regulators have
achieved the coordination on enforcement issues, including CMP
issuance, which was intended to occur through the delegation of the
authority. For example, if pursuant to the MOU, FinCEN learns from a
regulator of a significant BSA violation or deficiency by a financial
institution, and FinCEN determines that the imposition of
administrative enforcement remedies under the BSA may be warranted,
FinCEN is to notify the institution's regulator no later than 30 days
after the determination, and before taking any public enforcement
action. Similarly, to the extent that FinCEN is not already a party to
a regulator's formal enforcement action involving a significant BSA
violation or deficiency, under the terms of the MOU, the regulators are
to notify FinCEN of formal enforcement actions no later than 30 days
after the regulator's decision to pursue the action and before such
action is made public.
According to officials at FinCEN and the regulators, coordination among
these agencies on enforcement issues has improved dramatically in
recent years. FinCEN officials noted that the regulators have involved
FinCEN in BSA supervisory and enforcement issues at earlier stages than
in the past. For example, as indicated in the MOU, the regulators now
inform FinCEN when they have recommended that an institution file CTRs
that previously had not been filed as required or inquire of FinCEN's
processing center about the need to file. FinCEN officials also pointed
out that the regulators previously notified FinCEN that they were
referring cases of noncompliance to FinCEN for potential further action
shortly before they separately took formal enforcement actions under
banking statute. According to officials from some regulators, in the
past, FinCEN sometimes would take enforcement action against an
institution on the basis of a referral from a regulator long after the
institution had come into compliance with the regulator's formal
enforcement action.
More recently, the regulators and FinCEN have been working more closely
on enforcement issues. According to Federal Reserve, FDIC, and OTS
officials, earlier communication between the regulators and FinCEN has
resolved the difference in timing of enforcement actions. As previously
described, in 2004 and 2005, FinCEN jointly issued several enforcement
actions with OCC and the Federal Reserve. Furthermore, under the MOU,
the regulators are to notify FinCEN of the resolution of any action
involving a significant BSA violation or deficiency, to the extent not
otherwise known to FinCEN, no later than 30 days after the resolution
of the action. The regulators also are to provide FinCEN with any
materials relevant to the resolution. The MOU also directs the
regulators to provide FinCEN with a quarterly assessment of the
institutions that have failed to comply with formal enforcement
action requirements, such as requirements to take corrective measures,
develop and implement an action plan, or submit progress reports to the
regulator. FinCEN officials pointed out that situations could arise in
the future where the regulators and FinCEN would pursue different
courses of enforcement action, but as directed in the MOU, FinCEN and
the regulators would inform one another of any impending action.
Justice Has Pursued a Limited Number of Criminal Cases against
Depository Institutions for BSA Noncompliance:
Since 2002, Justice, either through its Criminal Division or its U.S.
Attorneys' Offices, has pursued investigations of six depository
institutions for criminal violation of the BSA (see table 9). Justice
officials said that cases where the depository institution was the
criminal BSA offender were limited, and that the department had pursued
significantly more cases against individuals for BSA offenses.
According to a senior official at Justice, egregious failures to
perform a minimal level of due diligence over a number of years
triggered the cases against the depository institutions.
For instance, in January 2005, Justice announced that Riggs Bank pled
guilty to a federal criminal violation of the BSA in connection with
repeated and systemic failure to accurately report suspicious
transactions associated with bank accounts owned and controlled by
Augusto Pinochet of Chile and the government of Equatorial
Guinea.[Footnote 72] Justice cited Riggs Bank's involvement in
transactions for Pinochet and his wife from 1994 to 2002 (multiple
accounts, investments, and certificates of deposits at Riggs Bank in
the United States and at its London branch). This involvement occurred
despite an outstanding 1998 attachment order issued by a Spanish
magistrate to freeze all of Pinochet's assets worldwide and despite
warrants against Pinochet that were issued for human rights crimes by
numerous countries, including Spain, Switzerland, Belgium, and France.
Additionally, from 1996 to 2004, Riggs Bank opened more than 30
accounts for the government of Equatorial Guinea, numerous Equatorial
Guinean government officials, and their family members.[Footnote 73]
Riggs Bank also opened multiple personal accounts for the Equatorial
Guinean president and his relatives and assisted in establishing
offshore shell corporations for the president and his sons. For both
the Pinochet and Equatorial Guinean government accounts, Justice
determined that Riggs Bank knew or had reason to know that these
transactions were suspicious, but failed to file any SARs until
congressional investigators, banking regulators, or law enforcement
discovered the transactions.
Similarly, in 2003, Justice and ICE investigators determined that from
1995 through 1998, Banco Popular de Puerto Rico (Banco Popular) allowed
a drug dealer to launder approximately $32 million in cash drug
proceeds. Law enforcement officials determined that the bank failed to
visit the business location, which was within a short walking distance
from the bank branch, to verify the customer's purported source of
income. Furthermore, the bank neither reported the customer's large
cash deposits--at times more than $500,000--nor filed a SAR until
February 1998, after $21 million of narcotics proceeds had been
laundered at one branch.
In another example, in 2002, the U.S. Attorney's Office for the
Southern District of New York determined (through investigations by
various law enforcement agencies) that during the 1990s, Broadway
National Bank became the institution of choice for narcotics money
launderers and other individuals who wanted to shield their financial
activities from government scrutiny. According to sentencing
documentation, from January 1996 to March 1998, approximately $123
million in cash deposits were laundered and/or structured through a
series of highly suspicious transactions, involving approximately 107
accounts.
Table 9: Depository Institutions against Which Justice Has Pursued
Charges for Criminal Violation of the BSA (2002-2005):
Year: 2005;
Depository institution: The Bank of New York;
BSA-related violations or investigations: * Failure to file SARs in a
timely and complete manner with respect to a company that presented
sham escrow agreements to other banking institutions in support of loan
applications, while aiding and abetting the fraudulent activity by
executing the sham escrow agreements (31 U.S.C. § 5318(g)(1);
31 U.S.C. § 5322)[B];
* Failure to implement an effective AML program (31 U.S.C. § 5318(h));
* Aiding and abetting the operation of an unlicensed
money-transmitting business (18 U.S.C. § 1960);
* Money laundering (18 U.S.C. § 1956);
Disposition: Nonprosecution agreement;
Monetary penalty amount: $26 million forfeiture[A].
Year: 2005;
Depository institution: Riggs Bank, N.A.;
BSA-related violations or investigations: * Failure to file timely SARs
(31 U.S.C. §§ 5318(g) and 5322(b));
Disposition: Guilty plea agreement;
Monetary penalty amount: $16 million criminal fine.
Year: 2004;
Depository institution: AmSouth Bank;
BSA-related violations or investigations: * Failure to file timely and
complete SARs (31 U.S.C. §§ 5318(g)(1) and 5223(b));
Disposition: Deferred prosecution agreement;
Monetary penalty amount: $40 million forfeiture.
Year: 2003;
Depository institution: Delta National Bank & Trust Company;
BSA-related violations or investigations: * Failure to file a SAR (31
U.S.C. §§ 5318(g) and 5322);
Disposition: Guilty plea agreement;
Monetary penalty amount: $950,000 forfeiture.
Year: 2003;
Depository institution: Banco Popular de Puerto Rico;
BSA-related violations or investigations: * Failure to file timely and
complete SARs (31 U.S.C. §§ 5318(g)(1) and 5322(b));
Disposition: Deferred prosecution agreement;
Monetary penalty amount: $21.6 million forfeiture.
Year: 2002;
Depository institution: Broadway National Bank;
BSA-related violations or investigations: * Failure to establish an
adequate AML program (31 U.S.C. §§ 5318(h) and 5322(b));
* Failure to file criminal referral forms and SARs (31 U.S.C. §§
5318(g) and 5322(b));
* Aiding and abetting structuring by customers who Broadway knew were
seeking to avoid CTR filing requirements (31 U.S.C. §§ 5324(a)(3) and
5324(d)(2), and 18 U.S.C. § 2);
Disposition: Guilty plea agreement;
Monetary penalty amount: $4 million criminal fine.
Source: GAO.
[A] These charges have not been brought against The Bank of New York in
any charging document, but are listed in the nonprosecution agreement
as having been under investigation by the U.S. Attorneys' Offices in
the Eastern and Southern Districts of New York. The bank admitted that
it did not have an effective AML program and other BSA-related failures
that are discussed later in this chapter. The bank also admitted to
unlawful conduct that was unrelated to BSA compliance, including aiding
and abetting the unlawful operation of a foreign bank (12 U.S.C. §
3105(d)) and supplying a bank customer with unauthorized, materially
false, and misleading escrow agreements that The Bank of New York had
no intention of performing and that were submitted in support of loan
requests totaling tens of millions of dollars.
[B] The Bank of New York also agreed to pay $12 million in restitution
to its victims.
[End of table]
According to Justice officials, evidence that a depository institution
willfully violated the law is a key element in proving criminal
violations of the BSA. One official said that in the six recent
criminal cases against depository institutions, prosecutors sought to
demonstrate evidence of the institutions' continued disregard of the
spirit of the requirement to implement and maintain a BSA program, and
willful and flagrant indifference to a known legal duty. However, the
officials also noted that in some cases, there likely was no "smoking
gun," or single source of evidence that specifically indicated the
institution knew it was in violation of the BSA and continued the
violating conduct. In most of these cases, and in accordance with
Justice guidelines, federal prosecutors relied, in part, on the
institutions' BSA policies and procedures to demonstrate that the
institution had corporate knowledge about the violations. A Justice
official said that corporate knowledge could be individually or
collectively derived--for example, as in situations where individual
employees knew about certain aspects of the activity, or where the
institution should have known about the activity.
The recent actions brought by Justice have raised concerns in the
banking industry that institutions routinely would be targeted for
criminal investigation and prosecution for failure to properly
implement the requirements of the BSA, such as the failure to file a
SAR. For example, some banks are avoiding customers, such as money
transmitters and check cashers, who are perceived as presenting
heightened risks for BSA noncompliance. According to a senior Federal
Reserve official, some banks thus are deciding that the revenues
garnered from such customers do not cover the necessary costs of
compliance or provide an acceptable return on legal and reputational
risks. However, Justice and FinCEN officials noted that such concerns
could result from not fully understanding the actions taken in these
cases. Justice officials said that investigations of depository
institutions for criminal BSA violations generally have not involved
negligence in reporting a limited number of suspicious transactions.
Furthermore, depository institutions that have repeated BSA violations
generally would not face law enforcement investigation or charges of
criminal violation of the BSA if they were operating within the spirit
and letter of their BSA program. Rather, the institutions likely would
face administrative action from their regulators or FinCEN.
Finally, Justice officials and investigators said that most
investigations of depository institutions' criminal violations of the
BSA generally originated during law enforcement investigations of the
institutions' customers. For example, in the AmSouth Bank case,
investigation documentation indicated that the U.S. Attorney's Office
for the Southern District of Mississippi (along with the IRS and other
federal and state agencies) began an investigation of a fraudulent
promissory note scheme perpetrated by AmSouth Bank customers in 2002.
Investigators and prosecutors learned of AmSouth Bank's BSA failures
through the investigation and grand jury subpoenas related to the
customers' criminal activity. In November 2003, AmSouth formally was
advised that it was a target of a criminal investigation. Similarly,
ICE investigators involved in the Broadway National Bank and Banco
Popular cases said that the respective undercover narcotics
investigations of the banks' customers led law enforcement to open
investigations of the banks' BSA failures. In the case of Delta
National Bank and Trust Company, ICE investigators also began a
financial investigation of the bank after they concluded an undercover
money laundering investigation involving a currency exchange business.
Justice officials noted that the Riggs Bank case was the exception; the
law enforcement investigations initially focused on Riggs Bank itself.
In Some Cases, Law Enforcement Investigations First Identified BSA
Failures:
In some instances, law enforcement investigations first identified
significant BSA failures at depository institutions, rather than
examinations conducted by the regulator. For instance, according to ICE
and Federal Reserve officials, law enforcement officials informed the
Federal Reserve about their investigation of a Banco Popular customer
and the compliance problems identified during their
investigations.[Footnote 74] During 1995 and 1998, the Federal Reserve
conducted four examinations of Banco Popular, but these examinations
did not contain any criticism of the bank's BSA compliance policies or
procedures. In 1999, the Federal Reserve expanded the scope of its
regularly scheduled examination of the bank and identified significant
BSA compliance problems, which resulted in a written agreement with the
institution. Law enforcement officials also said that investigations of
AmSouth's customers revealed the institution's BSA compliance failures
within its wealth management area, while a Federal Reserve examination
did not detect these problems. In another example, in October 2003, the
New York District Attorney's Office notified FDIC of its money
laundering investigation of certain customers of an FDIC-supervised
bank. According to the FDIC IG, a 2002 examination of the institution
provided little coverage of the high-risk banking activities involved
in the New York District Attorney's Office investigation. In December
2003, FDIC initiated an already-scheduled examination of the bank and
identified significant BSA violations and a failure to ensure BSA
compliance.[Footnote 75]
Justice officials said that because investigators and prosecutors have
a different perspective on BSA enforcement than the regulators, they
sometimes identify problems that might not be identified during an
examination. One investigator noted that examinations generally do not
involve the investigative approach used in law enforcement
investigations, which are aimed at identifying underlying offenses,
such as narcotics trafficking. Representatives from the regulators said
that, through regular examinations, they seek to ensure that depository
institutions have systems and controls in place to prevent their
involvement in money laundering and to identify and report suspicious
transactions to law enforcement. For example, an OCC official explained
that the purpose of transaction testing, a key procedure in BSA
examinations, is not necessarily to detect structuring or other
evidence of criminal wrongdoing on the part of a customer. Rather,
according to the interagency procedures, its purpose is to evaluate the
adequacy of the bank's compliance with regulatory requirements;
determine the effectiveness of its policies, procedures, and processes;
and evaluate suspicious activity monitoring systems. Furthermore, the
procedures note that if a suspected violation--such as an ongoing money
laundering scheme--requires immediate attention, the depository
institution should notify the appropriate regulator and law enforcement
agencies and must also file a SAR.[Footnote 76] Our review of sampled
BSA reviews identified a number of instances where examiners identified
suspicious activity and directed the institutions to file SARs.
Disposition of Criminal Cases against Depository Institutions Has
Varied but Included Monetary Penalties in Each Case:
According to Justice officials, prosecutors sought to obtain the
appropriate dispositions of the cases against depository institutions
for criminal violation of the BSA, taking into account factors such as
the institutions' willingness to admit misconduct and cooperate with
prosecutors. Two of these cases resulted in deferred prosecution
agreements (see table 9). That is, prosecutors agreed to defer
prosecution of the institution for a specified time, while the
institution agreed to admit publicly the facts of its misconduct,
cooperate fully with prosecutors, and implement certain corrective
actions. The institutions also made payments, generally structured as
fines or forfeitures. In one case involving a deferred prosecution
agreement, Justice dismissed the charges once the agreement expired
because the institution had complied with its obligations under the
agreement. However, if the institution had not complied with the
agreement, Justice could have taken the case to trial, using the
admission of the violation from the institution and the evidence
prosecutors obtained in cooperation with the institution (making
conviction highly probable).
For example, in January 2003, Justice and Banco Popular entered into a
deferred prosecution agreement to allow the bank to demonstrate its
good conduct. The bank agreed to waive indictment and the filing of one
count of failing to file SARs in a timely and complete manner. Justice
deferred prosecution for 1 year, taking into account the bank's
remedial actions at the time of the agreement and its willingness to:
* acknowledge responsibility for its actions,
* continue to cooperate with prosecutors,
* demonstrate future good conduct and full compliance with the BSA,
* settle pending civil claims of $21.6 million, and
* consent to the concurrent CMP imposed by FinCEN.
In November 2005, the U.S. Attorneys' Offices for the Eastern and
Southern Districts of New York entered into a nonprosecution agreement
with The Bank of New York. The bank admitted to:
* failure to have an effective AML program;
* intentional failure to take steps to report known evidence of
suspected criminal conduct by a bank customer and bank employees;
* repeated failures on the part of the bank's senior executives and
legal counsel to perform the institution's legal duty to file a SAR
about the suspected criminal activity until the arrest of a bank
customer by federal investigators; and
* the untimely, inaccurate, and incomplete filing of the SAR.
The Bank of New York agreed to forfeit $26 million for its illegal
conduct and implement numerous remedial actions in response to the
misconduct, including:
* creating a new senior-level position responsible for coordinating the
preparation of SARs;
* training staff on detecting and reporting suspicious activities;
* implementing policies and procedures for auditing retail branches and
identifying, investigating, and reporting illegal or suspicious
activity; and
* appointing an independent examiner (to serve for 3 years) to monitor
and report on the bank's AML procedures and its compliance with the
nonprosecution agreement.
As they did in the deferred prosecution agreements, federal prosecutors
took several factors into account when determining the disposition of
the case. The U.S. Attorneys' Offices for the Eastern and Southern
Districts of New York agreed not to prosecute The Bank of New York
because of the bank's acceptance of responsibility for the unlawful
conduct of its executives and employees, its cooperation in the law
enforcement investigations, and its willingness to make restitution to
victims of the misconduct and take significant corrective action. The
nonprosecution agreement also was contingent upon the bank complying
with all terms of the agreement for 3 years. If the bank were to
violate the agreement, or commit other crimes, it would be subject to
prosecution, including prosecution for the criminal conduct described
in the agreement.
Although disposition varied among the six cases, Justice assessed fines
or forfeitures on each institution. According to Justice officials, the
department's goal was to determine a financial penalty that the
depository institutions would perceive as a sanction, rather than an
overly punitive penalty that would force the institution to close. The
officials also cited another goal--that is, a penalty amount that would
elicit good "corporate citizen" conduct from the institution. Justice
officials said that in these cases, prosecutors considered several
factors (listed in prosecutorial guidelines) when determining whether
to pursue such cases. For example, prosecutorial guidelines indicated
that prosecutors could consider collateral consequences when
determining whether to investigate or take other action against
criminal corporate misconduct. According to Justice officials,
prosecutors considered the potential effects on the banking market and
job losses in the communities that the institutions served. They said
that Justice obtained relevant regulatory information, such as the
institutions' capital levels and other financial analyses, through the
appropriate legal channels to assist them in determining penalty
amounts that the institutions could sustain.
Change to the U.S. Attorneys' Manual Formalized Practice of Obtaining
Centralized Approval before Pursuing Cases against Depository
Institutions:
During the course of our review, a senior Treasury official also said
that discussions had begun with Justice regarding coordination on cases
involving prosecuting depository institutions for BSA violations. In
July 2005, Justice amended the U.S. Attorneys' Manual, which governs
the rules of operation of the 93 U.S. attorneys, to require prosecutors
to obtain approval from the department's Criminal Division before
taking action against financial institutions for money laundering or
certain BSA offenses.[Footnote 77] More specifically, the manual was
amended to include section 5322 of title 31 in the requirement that
prosecutors obtain approval from the Asset Forfeiture and Money
Laundering Section of the department's Criminal Division in cases where
a financial institution would be named as an unindicted coconspirator
or allowed to enter into a deferred prosecution agreement.
Justice officials said that the change to the manual was a
formalization of existing practice. The change was a public way for the
department to inform the banking industry about the degree of
coordination and consultation between the U.S. attorneys and the
Criminal Division on these cases.
[End of section]
Chapter 6 Conclusions and Recommendations:
Because the BSA regulatory structure involves many federal agencies
other than FinCEN, which is the administrator of the BSA, coordination
among these agencies is critical to effective BSA administration and
enforcement. Particularly since the passage of the PATRIOT Act, FinCEN
and the regulators have undergone an evolutionary process that has laid
the groundwork for more consistent BSA oversight. The initial effects
of this closer coordination can be seen in the jointly developed BSA
examination procedures for depository institutions, the sharing of more
detailed BSA examination information with FinCEN, and the increase in
concurrent enforcement of BSA compliance by the regulators and FinCEN.
Although these efforts, and their effects, are significant, they also
are relatively recent. For example, many of these changes were ongoing
during the course of our work for this report. The regulators and
FinCEN continue to make refinements to overall BSA examination,
monitoring, and enforcement policies and procedures.
Regulators Have Created a Framework for Consistency in BSA
Examinations:
In particular, the regulators have made notable progress in the area of
examinations. Until passage of the PATRIOT Act, each regulator
separately developed and used examination procedures to determine
depository institutions' compliance with the BSA. In recent years, a
number of agency IG and internal quality assurance reviews have
identified inconsistencies in BSA examinations. In addition, when we
reviewed a sample of examinations from each of the regulators over a
4-year period, we found inconsistent documentation of examination
procedures, such as transaction testing, particularly at smaller
depository institutions. We stress the importance of adequate,
accurate, and consistent documentation in examinations, as in
audits.[Footnote 78] But, we also acknowledge that some variation is
inevitable, and examiners need to be able to exercise professional
judgment in determining the scope of examinations and to allow for
differences among institutions (e.g., complexity and lines of
business). Nevertheless, the wide variation in examination policies and
procedures among regulators that existed prior to 2005 suggested that
the regulators may not have been examining banks consistently--
particularly in terms of transaction testing, a procedure that has
assumed greater importance in the current environment of increased risk
of money laundering and terrorist financing.
In this environment, on June 30, 2005, the regulators issued jointly
developed examination procedures, which currently are being used for
BSA examinations conducted not only by federal bank examiners but also
by state examiners. The interagency procedures represent a genuine step
forward in that they provide a framework for greater consistency in BSA
examinations across the regulators. At the same time, the procedures
retain the risk-focused approach used in former examination procedures,
thus allowing the regulators to direct resources to areas deemed higher
risk and use examiners' professional judgment in planning, conducting,
and concluding examinations. Furthermore, for the first time, FinCEN
also participated in the development of the examination procedures.
Although the Secretary of the Treasury delegated examination authority
for BSA compliance at depository institutions to the regulators, it is
through continuing coordination with the regulators that FinCEN works
to ensure consistent implementation.
Because the new interagency procedures have been in use for a short
period, it is too soon to judge their effect on BSA administration and
enforcement. In theory, the procedures should result in more
consistency in the conduct and results of BSA examinations. Yet, the
interagency procedures cannot be viewed as the only "fix" necessary.
BSA examinations, in and of themselves, are designed to verify that
systems are robust and function as intended--in compliance with laws
and regulations. But, the cumulative effect of AML/BSA-related
legislation, especially post-September 11, and some recent high-profile
cases of BSA noncompliance have made BSA compliance, and thus
examinations, a priority area for oversight and coordination. Congress
did not expect the regulators to substitute for law enforcement;
rather, the BSA was designed to help create a road map for law
enforcement agencies in their AML, and now counter-terrorist financing,
work. The FFIEC Examination Manual, in turn, recognizes that an
effective BSA/AML program requires sound risk management and so it
provides guidance on identifying and controlling risks associated with
money laundering and terrorist financing. The regulators and FinCEN
understand that the risks are not static and that new risks are always
emerging as criminals seek to launder their funds or use funds to
commit other crimes. The regulators and FinCEN committed to update the
manual, as appropriate, to capture developments in the BSA/AML areas.
Because of the evolving nature of risk, it is incumbent on them to use
the manual or other guidance, as appropriate, to communicate these new
risks to the industry and law enforcement so that the industry can take
measures to control for these new risks and law enforcement can
incorporate them into their investigations.
Regulators Have Improved Their Systems for Monitoring BSA Examination
Results:
As our work has shown, partly as a result of IG reporting and amid
increased attention to BSA compliance and related issues, regulators
have improved mechanisms used to track BSA-related information. As a
result, the regulators likely will be able to better report on and
correct BSA compliance problems. As an example of some of the problems
that existed before the regulators made the changes, in our limited
review of examination files, we were not always able to track how BSA
noncompliance problems were corrected. Furthermore, the regulators
increasingly have been using their examination and enforcement data
systems to monitor BSA problems at their banks and compile the
quarterly data they send to FinCEN. FinCEN and the regulators also
helped improve the quality of this information by setting some common
standards for reporting in their MOU. While each regulator is
responsible for keeping track of compliance problems among the
institutions they supervise, it remains FinCEN's responsibility, as the
BSA administrator, to (1) analyze the data it receives from all
relevant agencies and (2) share trend information with the regulators
and industry so that they better understand risks and problem areas
within their purview. FinCEN created an Office of Compliance in 2004,
in part to work with regulators on BSA examination and compliance
matters, and FinCEN has begun to share analytical information with the
regulators. The common formats and more detailed data give FinCEN the
opportunity to more readily discern those trends and share any concerns
with regulators; however, FinCEN only will be able to do this at the
aggregate level. It is up to the regulators themselves to undertake the
kind of detailed analysis required to understand and track BSA
compliance issues among the institutions they supervise, and they have
begun to do so. With five quarters of data to review, regulators have
begun to see some trends and problem areas. So that others, including
examiners, law enforcement, and the banking industry itself, can
further benefit from this analysis, it is incumbent upon the regulators
to periodically review the BSA violation data to determine whether
additional guidance is needed to address problem areas.
Although the new interagency examination procedures and improved
systems help banking regulators better understand one another's
processes and could facilitate more consistent BSA examinations across
regulators, the procedures do not directly address a documentation
issue that has implications for BSA enforcement. Because each regulator
retained different policies for documenting and classifying BSA
problems, the regulators continue to report some compliance problems
using different terms. As a result, it is difficult to make qualitative
distinctions between compliance problems. Moreover, in their MOU with
FinCEN, the regulators agreed to report all "significant" BSA problems,
without attempting to address the issue of how the different terms the
regulators use might become standardized. When developing the MOU,
FinCEN and the regulators discussed the issue of different terminology,
but they chose not to address it at that time and agreed to use the
umbrella term "significant" and see how the system worked. Although
FinCEN and the regulators have reached an accommodation, it is possible
that FinCEN is receiving more or less information than it actually
needs under the MOU. This variety of terminology can also make it
difficult for banking regulators to have a comprehensive overview of
BSA compliance at their institutions and for FinCEN to have a
comprehensive overview across regulators.
Regulators, FinCEN, and Justice Have Improved Coordination on BSA
Enforcement Actions:
The disparate nature of the BSA regulatory structure also requires
coordination in BSA enforcement. While our review of BSA violations
showed that the number of violations increased from 2000 to 2004, most
of those violations were technical in nature, often resulting from late
or incomplete filing of paperwork. Nevertheless, although relatively
rare, significant and serious violations of the BSA have had
far-reaching consequences. Over the past several years, IG reports,
particularly those on FDIC and OTS, identified inconsistencies in BSA
enforcement at those agencies. Amid increased media and congressional
attention on some depository institutions' BSA compliance failures--
such as Riggs Bank, Arab Bank-New York, and ABN AMRO Bank, N.V.--the
regulators and FinCEN increasingly have brought formal enforcement
actions against depository institutions, including significant CMPs. In
the face of separate and sometimes overlapping legal authorities to
bring formal enforcement actions against depository institutions for
significant BSA compliance problems, the regulators and FinCEN have
increased coordination on these actions by issuing them concurrently.
In addition, as part of their 2004 MOU, FinCEN and the regulators
agreed to notify one another in advance of taking separate formal
enforcement actions and sharing information concerning informal and
supervisory actions as well.
In a limited number of cases, Justice has taken action against
depository institutions for egregious failures to perform a minimal
level of due diligence over a number of years. While Justice has
resolved most of these cases through deferred prosecution agreements or
similar arrangements (where the institution agreed to take significant
corrective actions, often in connection with formal administrative
action from its regulator; forfeit a monetary penalty; and remain in
compliance with the BSA for a specified time), if the institution were
to violate the terms of the agreements, federal prosecutors would take
the cases to trial. The recent criminal action taken against depository
institutions by Justice has raised concerns within the banking industry
that their institutions routinely would be targeted for criminal
investigation and prosecution for failure to properly implement the
requirements of the BSA. However, to better coordinate the actions of
federal prosecutors, Justice recently formalized procedures that
require U.S. attorneys to obtain approval from Justice's Criminal
Division when dealing with cases that allege financial institutions are
BSA offenders. Because these changes are recent, it remains to be seen
if the new procedures will ease industry concerns and provide the
public with the communication of coordinated and consistent federal
action that Justice intended.
Concluding Observations:
Finally, in our concluding observations on BSA compliance and
enforcement, we note that significant work remains to be done with
other financial institutions. Our report concentrated on the federal
banking regulators, but the PATRIOT Act requires other types of
institutions to meet BSA requirements. Consequently, it appears more
important than ever for FinCEN to coordinate with other federal
agencies charged with examination responsibility for BSA compliance. To
that end, FinCEN signed MOUs with many state banking departments and
the IRS and has been working to sign MOUs with the securities and
futures regulators. However, according to FinCEN officials, the problem
of different terminology will be exacerbated when other financial
regulators begin reporting examination data to FinCEN on BSA
noncompliance problems. Ultimately, only FinCEN can provide a "bird's
eye" view of BSA administration--disseminating analysis and information
to the regulators and others to ensure consistency in BSA oversight,
the identification of trends and patterns in BSA compliance, and
developments in money laundering and terrorist financing.
Recommendations for Executive Action:
To build on the current level of coordination, continue to improve BSA
administration, and ensure that emerging compliance risks are
addressed, this report makes the following three recommendations to the
Director of FinCEN, the Comptroller of the Currency, the Chairman of
the Federal Reserve, the Chairman of the FDIC, the Director of OTS, and
the Chairman of NCUA:
* As emerging risks in the money laundering and terrorist-financing
areas are identified, FinCEN and the regulators should work together to
ensure these risks are effectively communicated to examiners and the
industry through updates of the interagency examination manual and
other guidance, as appropriate.
* To supplement the analyses of shared data on BSA violations, FinCEN
and the regulators should meet periodically to review the analyses and
determine whether additional guidance to examiners is needed.
* Because of the different terminology the regulators use to classify
BSA noncompliance, FinCEN and the regulators should jointly assess the
feasibility of developing a uniform classification system for BSA
noncompliance.
Agency Comments and Our Evaluation:
We received written comments on a draft of this report in a joint
letter from the Board of Governors of the Federal Reserve System, the
Federal Deposit Insurance Corporation, the National Credit Union
Administration, the Office of the Comptroller of the Currency, the
Office of Thrift Supervision, and FinCEN. We also received written
comments from the Department of Justice. These letters are reprinted in
appendixes II and III. The Departments of Homeland Security and Justice
and the regulators provided technical comments, which were incorporated
into this report where appropriate.
In their letter, FinCEN and the regulators said they support our
recommendations and are committed to ongoing interagency coordination
to address them through the formal processes they have in place,
particularly the FFIEC BSA/AML Working Group. They also said that they
are committed to their role in ensuring that depository institutions
are in compliance with BSA/AML requirements, and that they will
continue to devote significant resources to make certain institutions
correct deficiencies in their BSA/AML programs as promptly as possible.
In its letter, Justice said that the draft report provided an
instructive perspective where it examines the evolution of the
relationship between FinCEN, the regulators, and the banks, but that it
did not provide the same perspective when examining how the examination
process meets the needs of law enforcement as the end users of the
information. Our objectives were to review how the regulators examine
for BSA compliance, track and resolve violations, and take enforcement
actions. While a review of the reports that depository institutions
produce under the BSA, and that law enforcement uses in its
investigations, would be instructive, it was outside of the scope of
this review. Justice also said that, as a direct result of the success
and efforts by the regulated industry, drug traffickers have been
forced to seek alternate methods and means of using those institutions
to launder their illicit proceeds. Justice further commented that
banking regulator practices and examination process have historically
focused more on the placement of those funds into the financial system,
and that current investigative efforts suggest that it may prove
beneficial to adapt and focus on the layering of those proceeds. To
this end, Justice suggested a need for greater outreach and
collaboration between law enforcement and regulators familiar with
evolving trends. Finally, Justice said that the draft report reflected
the efforts made with the revisions to the examination manual and
commented that these are positive developments that should bring
continuity to examination practice, which will be welcomed by the
industry.
[End of section]
Appendix I: Under Pre-2005 Guidance, Regulators' Documentation
Requirements Varied Widely:
The regulators' pre-2005 requirements for documentation of examination
procedures and their documentation of those procedures varied widely.
We reviewed approximately 30 Bank Secrecy Act (BSA) examinations from
each federal banking regulator (regulator) that were conducted under
guidance current between January 1, 2000, and June 30, 2004. Because
the sample was small, we could not generalize the results of our
analysis to make conclusions about how regulators applied the
examination procedures to all BSA examinations conducted during this
period. However, when coupled with our review of regulator guidance and
examination manuals, the results of the examination review illustrated
instances where the regulators' documentation of examination procedures
varied widely and where regulators did not consistently require or
document transaction testing. For example, we found less documentation
of transaction testing in examinations at smaller institutions, such as
the community banks, savings associations, and credit unions supervised
by the Office of the Comptroller of the Currency (OCC), the Office of
Thrift Supervision (OTS), the Federal Deposit Insurance Corporation
(FDIC), and the National Credit Union Administration (NCUA), than at
large institutions. However, examination guidance permitted examiners
to exercise their professional judgment in determining whether to
perform transaction testing.
Regulators Required Documentation of "Major" Procedures; Planning and
Scoping Procedures More Often Were Documented for Large Institutions:
Individual regulator guidance issued prior to June 2005 required
documentation of "major" procedures and conclusions. Furthermore, our
review indicated more documentation of examination planning procedures
at larger institutions. For example, OCC's policies and procedures
manual instructed examiners to document essential examination
information, such as procedures performed, and the manual stated that
the documentation must support conclusions about supervisory activities
in either paper or digital form. The manual also stated that in most
cases, work papers did not need to include all of the data reviewed
during a supervisory activity, but that examiners should retain only
those documents necessary to support the scope of the supervisory
activity, significant conclusions, rating changes, or changes in a risk
profile.
* In our review of 30 OCC examination files, OCC documented planning,
scoping, or risk assessments in 7 of the 30 examinations. The sample
included 4 large banks, 25 smaller banks, and 1 bank without asset data. The
examination files of 3 of the 4 large banks, with assets ranging from
about $18 billion to $34 billion, contained documentation of planning,
scoping, and risk assessments. In contrast, 3 of the 25 files of
smaller banks, with assets ranging from $205 million to $366 million,
contained documentation of planning or scoping. OCC officials explained
that documentation of planning and scoping procedures for the smaller
and community banks was contained in the agency's automated examination
system, which we did not review.
The Board of Governors of the Federal Reserve System's (Federal
Reserve) commercial bank examination manual provided guidance on
documentation of examination procedures, including BSA
examinations.[Footnote 79] This guidance did not explicitly require
documentation of specific examination steps, but it specified that work
papers, as a whole, should support the information and conclusions
contained in the report of examination. The Federal Reserve examination
guidance specifically provided that the primary purposes of the work
papers were to provide written support of the examination and audit
procedures performed during the examination and the results of testing
and to formalize the examiner's conclusions. Federal Reserve examiners
told us that they documented planning and scoping decisions and risk
assessments for examinations of large, complex banking organizations in
a scoping memorandum, which describes areas to be reviewed and
procedures to be conducted, including transaction testing, examination
resources, and the expected product.
* Of the 18 Federal Reserve BSA examination files that we reviewed, all
contained documentation of planning or scoping procedures. The file
sample included 9 large banks with assets of more than $85 billion and
9 smaller banks with assets of less than $1 billion.
Similar to OCC, FDIC's guidance on documentation of examination
procedures focused on documenting major examination procedures or
conclusions. FDIC's risk management manual of examination policies
stated that work paper documentation for BSA examinations should
support the conclusions included in the Examination Documentation
module in the automated examination database. At a minimum, the
documentation should include the examiner's assessment of the bank's
BSA and anti-money laundering (AML) programs and procedures, and
related audit or internal review functions. FDIC examiners also told us
they used the Examination Documentation module to document examination
procedures, but that risk assessments should be documented in work
papers.
* In our review of 30 FDIC examination files, the agency documented
planning, scoping, or risk assessments in examinations of 17 banks,
including 6 large banks, with assets ranging from about $125 million to
$264 million, and 11 smaller banks, with assets ranging from about $9
million to $89 million.
NCUA's examiner guidance allowed examiners to determine the extent of
documentation of examination procedures. More specifically, the NCUA
examiner guide required examiners to document supervision plans for
examinations in the scope workbook and material concerns in the
examination report, but the guide also stated that examiners'
discretion would determine the extent of documentation. Although it
gave no specific requirements, NCUA directed examiners to include
documentation on the (1) extent of procedures and testing performed,
(2) review of applicable regulatory compliance, (3) analysis and
assessment of risk areas, and (4) conclusions and recommendations.
* In October 2002, NCUA began using scope workbooks to document
planning, scoping, and risk assessments in BSA examinations, according
to an NCUA official. This affected 23 of 30 examinations in our review.
Our review of a sample of the scope workbooks showed that for each BSA
review completed and documented, examiners were required to document
BSA scoping information and compliance but not BSA risk assessments.
Before October 2002, examiners used a "progress checklist" to document
the results of BSA reviews, but the checklists did not explicitly refer
to BSA reviews or risk assessments. The assets of the credit unions
whose BSA examinations we reviewed ranged from $130,000 to $246
million.
OTS's examination manual provided limited instructions for documenting
an institution's BSA program. For example, the manual referred to a
preliminary examination response kit, which is a request for a
collection of information prior to the examination. The institution
must provide information about its BSA officer, policy, and compliance
programs and must list filed Currency Transaction Reports (CTR). This
information assists examiners in determining the scope of the
examination.
* Among the 30 OTS BSA examinations reviewed, 3 files contained
documentation of planning, scoping, or risk assessments. Two files
contained asset information--the institutions had assets of $92 million
and $297 million.
Regulators' Former Examination Guidance Allowed Variation in
Documentation of Transaction Testing:
Although we found little to no documentation of transaction testing at
many institutions of smaller asset sizes, which were supervised by
OCC, FDIC, OTS and NCUA, we did not conclude that transaction testing
was not performed in all of these instances. The regulators required
transaction testing in examinations at larger institutions with higher
asset levels, but did not always require testing at smaller
institutions. Our review of the regulators' BSA examinations indicated
that documentation of transaction testing generally was more extensive
for larger institutions with higher assets than for smaller
institutions with lower assets. For example, the OCC BSA examination
manual used for examinations of large banks required transaction
testing. The manual provided that examiners were to conduct limited
transaction testing, at a minimum, to form conclusions about the
integrity of the bank's overall control and risk management processes
and its overall quantity of risk. If examiners identified weaknesses or
concerns as a result, they were to select a "quantity of risk"
procedure and conduct additional targeted testing of specific areas of
concern.[Footnote 80] According to OCC examiners assigned to large
banks, transaction testing was required for all high-risk areas of
these banks.
* Our review of 30 OCC examinations, including 4 examinations of large
banks with assets ranging from about $18 billion to $34 billion, found
documentation of transaction testing in 3 of the 4 large banks. The
examination file of 1 bank did not have any asset information but
contained documentation of transaction testing. One bank was designated
as a high BSA risk and another was located in a high-intensity
financial crimes area (HIFCA).
In contrast, according to OCC's BSA examination manual for community
banks, examiners were to determine at the beginning of the supervisory
activity what transaction testing, if any, should be included, and the
extent of transaction testing was to reflect the bank's compliance risk
profile, audit coverage, and results.[Footnote 81] The manual also
stated that transaction testing was appropriate for banks with higher
risk characteristics and weak controls. Moreover, OCC examiners
assigned to community banks told us that OCC policy did not require
transaction testing of community banks at low risk for money
laundering. As a result, OCC examiners assigned to community banks
would not have to perform transaction testing if they determined that
the banks had a low BSA risk.
* Our review of examinations of 25 banks with assets ranging from $21
million to $440 million, found documentation of transaction testing in
examinations of 5 banks. OCC officials provided reasons why a number of
examinations might not have documentation of transaction testing.
First, they said that their record retention rules required the
destruction of examination work papers for examinations 3 years and
older. Application of the record retention rule could have affected
documentation for 13 examinations in our review. OCC officials also
stated that their documentation policy required examiners to document
transaction testing only if examiners identified a BSA issue or
problem, sometimes referred to as "documentation by exception."
Consequently, if examiners did not identify BSA issues or concerns
requiring transaction testing, they would not have documented
transaction testing. OCC officials further stated that "documentation
by exception" was necessary to make the maximum use of its limited
resources.
The Federal Reserve's BSA examination manual required transaction
testing of several areas to be completed by Federal Reserve examiners
or the institution at the direction of Federal Reserve examiners.
According to Federal Reserve examiners, Federal Reserve policy required
that transaction testing be performed in all BSA examinations, and the
nature and extent of transaction testing could vary depending on the
institution's level of risk. For example, if the institution was
engaged in high-risk areas, such as private banking, foreign
correspondent banking, or international banking, Federal Reserve
examiners were required to perform transaction testing in those areas
and to select a judgmental sample of transactions to test.
* Our review of Federal Reserve examination files found that Federal
Reserve examiners performed extensive transaction testing at most of
the banks. We found documentation of transaction testing in 17 of the
18 examination files, including 9 large banks with assets ranging from
about $1 billion to $85 billion, and 8 smaller banks with assets of
less than $1 billion. Of the 18 banks, 8 were designated as having a
high BSA risk level and 12 were located in HIFCAs. Examiners performed
and documented transaction testing on the 8 high-risk banks and 11 of
the 12 banks located in HIFCAs.
According to OTS's examination guidance, transaction testing at the
savings associations or thrifts it supervised should be "entirely
judgmental." Nevertheless, OTS examiners told us that they were
specifically required to document transaction testing of CTR samples.
* Our review of 30 OTS examinations of large and small savings
associations found documentation of transaction testing in 9 files. The
files for 2 of 8 savings associations, with assets from about $117
million to $370 million, contained documentation of transaction
testing, as did 4 of 13 files for savings associations with assets
ranging from about $4 million to $98 million. Nine OTS examinations
lacked documentation on asset size; however, 3 of these 9 examinations
contained documentation of transaction testing. OTS officials also
explained that they had a policy of "documenting by exception." That
is, examiners were not required to document every procedure,
particularly in examinations of low-risk institutions, or to document
anything in the work papers that did not relate to the report of
examination.
Similarly, our review of FDIC's risk management manual of examination
policies did not disclose any explicit requirements that examiners
document transaction testing in examinations of FDIC-supervised banks.
According to FDIC examiners, transaction testing was based on their
judgment and dependent on circumstances. For example, FDIC examiners
told us that transaction testing was not done on all lines of business,
but that they could sample from the independent auditor's work. FDIC
examiners also said they could test CTRs if "red flags" were
identified, select a sample of high-risk customers, or select accounts
with large volumes of transactions. Examiners also said they would
perform additional testing if they determined that the scope of the
independent audit was not adequate, or that test areas were not covered
by the independent auditor.
* Our review of 30 FDIC bank examination files found documentation of
transaction testing in 12 files, including 5 of 10 larger banks with
assets ranging from $102 million to $264 million and 7 of 20 smaller
banks with assets of less than $90 million. Two of the 5 large banks
were rated high risk and located in HIFCAs. One of the 7 smaller banks
was rated high risk. According to an FDIC official, examination files
for small community banks might not have contained documentation of
transaction testing because the banks have few BSA-related transactions
or documents requiring transaction testing. The official gave the
example of a CTR, which many small banks may never file because they do
not have reportable transactions.
NCUA's examiner guide did not explicitly require transaction testing;
however, it stated that the risk-focused examination enabled examiners
to perform a process review of a credit union's well-managed areas
without extensive transaction testing. According to NCUA examiners, the
nature and extent of transaction testing and sampling were based on
their discretion. They also cited factors that they considered in
deciding to perform transaction testing--these factors included the
presence of large cash transactions, CTRs, and the credit union's risk
assessment, which might affect the number and types of accounts tested.
However, NCUA examiners said they would not perform transaction testing
for each of the credit union's risky areas, unless a "red flag" was
raised during the examination or the credit union's past examination
results indicated a problem area.
* Our review of 30 NCUA BSA examination files of credit unions found no
documentation of transaction testing in any of the examinations. An
NCUA official explained that documentation of transaction testing could
be lacking because the paper copy documenting transaction testing was
often destroyed after the procedures were entered into NCUA's automated
system.
[End of section]
Appendix II: Comments from FinCEN and the Federal Banking Regulators:
Board of Governors of the Federal Reserve System:
Federal Deposit Insurance Corporation:
Financial Crimes Enforcement Network:
National Credit Union Administration:
Office of the Comptroller of the Currency:
Office of Thrift Supervision:
April 11, 2006:
Ms. Yvonne D. Jones:
Director, Financial Markets and Community Investment:
U.S. Government Accountability Office:
441 G Street, N.W.
Washington, D.C. 20548:
Dear Ms. Jones:
Thank you for the opportunity to review and comment on the Government
Accountability Office (GAO's) draft report entitled, Bank Secrecy Act -
Opportunities Exist for FinCEN and the Banking Regulators to Further
Strengthen the Framework for Consistent BSA Oversight (GAO 06-386). The
report reviews the Bank Secrecy Act (BSA) examination and enforcement
programs of the Board of Governors of the Federal Reserve System, the
Federal Deposit Insurance Corporation, the National Credit Union
Administration, the Office of the Comptroller of the Currency, and the
Office of Thrift Supervision (collectively, the "Federal Banking
Agencies") for U.S. depository institutions as well as the role of the
Financial Crimes Enforcement Network (FinCEN). The report covers a
broad scope in an area that has undergone rapid and significant
changes. As the report notes, in the past two years, the Federal
Banking Agencies have jointly issued the Federal Financial Institutions
Examination Council BSA/AML Examination Manual (Manual) in coordination
with FinCEN, and have made many improvements in their coordinated
efforts to address BSA and anti-money laundering (AML) compliance
problems at depository institutions.
The Federal Banking Agencies and FinCEN support the GAO's
recommendations set forth in the report and are committed to ongoing
interagency coordination to address those important recommendations.
The GAO recommends:
* As emerging risks in the money laundering and terrorist financing
area are identified, we recommend that the regulators and FinCEN work
together to make sure these are effectively communicated to examiners
and industry through updates of the interagency exam manual and other
guidance, as appropriate.
* To supplement the analysis of shared data on BSA violations, FinCEN
and the regulators should meet periodically to review the analyses and
determine whether additional guidance to examiners is needed.
* In light of the different terminology the regulators use to classify
BSA noncompliance, we also recommend that FinCEN and the regulators
jointly assess the feasibility of developing a uniform classification
system for BSA noncompliance.
The Federal Banking Agencies and FinCEN have formal processes in place
to review and implement the recommendations. Specifically, under the
auspices of the FFIEC Bank Secrecy Act/Anti-Money Laundering Working
Group, the Federal Banking Agencies and FinCEN meet to discuss and
address Bank Secrecy Act regulations, policy, examination, training,
and compliance matters. The Working Group convenes monthly to ensure
that these matters are addressed expeditiously.
There are various other formal processes that promote collaboration
among the Federal Banking Agencies and FinCEN regarding issues that may
affect depository institutions. For example, the Federal Banking
Agencies actively participate as members of the Bank Secrecy Act
Advisory Group (BSAAG), which FinCEN chairs on behalf of the Secretary
of the Treasury. Comprised of regulators, law enforcement, and
representatives from industries subject to BSA rules, the BSAAG meets
semi-annually to elevate and address issues such as BSA examination
consistency, suspicious activity reporting, currency transaction
reporting, sharing of information, privacy and confidentiality of
information, and utility of BSA data.
Emerging risks in the money laundering and terrorist financing area are
considered through our participation in the aforementioned groups and
will be incorporated, as appropriate, into the interagency Manual.
Additionally, the Federal Banking Agencies, in cooperation with FinCEN,
are committed to reviewing and evaluating the BSA violation data to
determine if additional examiner guidance is necessary. Similarly, the
Federal Banking Agencies and FinCEN are currently evaluating the use of
terminology when describing noncompliance with the BSA to consider
whether uniform guidance for examiners is feasible.
We are strongly committed to our role in ensuring that depository
institutions are in compliance with BSA/AML requirements. To this end,
we will continue to devote significant resources to make certain that
the institutions fully understand our expectations and remediate
deficiencies in their BSA/AML programs as promptly as possible.
Thank you for your efforts, and if you have any questions or need
additional follow-up information, please do not hesitate to contact us.
Sincerely,
Signed by:
Susan Schmidt Bies, Governor:
Board of Governors of the Federal Reserve System:
Signed by:
Martin J. Gruenberg:
Acting Chairman:
Federal Deposit Insurance Corporation:
Signed by:
Robert W. Werner, Director:
Financial Crimes Enforcement Network:
Signed by:
JoAnn M. Johnson, Chairman:
National Credit Union Administration:
Signed by:
John C. Dugan, Comptroller:
Office of the Comptroller of the Currency:
Signed by:
John M. Reich, Director:
Office of Thrift Supervision:
[End of section]
Appendix III: Comments from the Department of Justice:
U.S. Department of Justice:
April 7, 2006:
Washington, D.C. 20530:
Ms. Laurie E. Ekstrand:
Director:
Homeland Security and Justice:
U.S. Government Accountability Office:
Washington, D.C. 20548:
Dear Ms. Ekstrand:
Thank you for the opportunity to review and comment on the Government
Accountability Office (GAO) draft report GAO-06-386 entitled "BANK
SECRECY ACT: Opportunities Exist for FinCEN and the Banking Regulators
to Further Strengthen the Framework for Consistent BSA Oversight." The
Department provided its technical comments under separate cover to Toni
Gillich, Senior Analyst-in-Charge, Financial Markets and Community
Investment. The comments below are the Department's formal comments for
inclusion in the GAO published report.
The draft report provides an instructive perspective where it examines
the evolution of the relationship between FinCEN, regulators, and the
banks. The report, however, does not provide the same perspective when
examining how and if the examination process meets or adequately
addresses the needs of the end-users of the information, i.e., law
enforcement. Examinations tend to be technical in nature, where most of
the violations that are cited are of no consequence to law enforcement.
The fines of financial institutions by regulators are quite frequently
the result of a criminal investigation, where the regulators are
engaged at the request of the criminal investigators or as an ancillary
by-product of the substantive criminal investigation.
The report highlights the regulators' role and obligations to assess
risk and BSA compliance in their examinations. Equally, it speaks to
the regulators' continuing education responsibilities, yet only
highlights very limited anecdotal examples of continuing education
among law enforcement elements, citing the Internal Revenue Service and
the Federal Bureau of Investigation, in a very limited seminar or
conference setting. The Department believes that the GAO may have
improved its analysis of continuing education by including a discussion
of the expertise and training the Drug Enforcement Administration (DEA)
could offer. The DEA has expertise gained from its experience policing
the estimated $65 billion a year drug trade within the U.S.
As a result of its enforcement and investigative experience, the DEA
has developed insight into how drug traffickers have evolved their
strategies and techniques for laundering money. Further, the DEA has
gained an understanding of how traffickers identify and exploit the
limitations of the U.S. financial markets. Also, the GAO may wish to
include information about how, as a direct result of the tremendous
success and efforts by the regulated industry, the traffickers have
been forced to seek alternate methods and means of employing those
institutions to clean or launder their illicit proceeds.
The DEA has the experience to establish a methodology that may prove
more effective than that traditionally used by U.S. banking
institutions which focuses on placement in the money laundering scheme.
Banking regulator practices and the examination process have
historically focused more on placement. This result is due, in part, to
the required use of a standard examination checklist by the functional
regulators. Current investigative efforts suggest that it may prove
beneficial to adapt and focus more on layering. Further, the historical
approach does not always effectively account for the changing
demographic being served by the institution. The regulated industry,
however, is intimately familiar with their customer demographics and,
consequently, is capable of detecting, modifying, and adjusting its
risk-metrics to reflect changes in anti-money laundering (AML)
practices. The use of a technical standardized risk assessment
checklist can hinder financial institutions from addressing changes in
their customer base. Consequently, the GAO may wish to propose or at
least consider a greater outreach and collaboration between law
enforcement and functional regulators familiar with evolving trends. It
is likely that such collaboration might increase the regulators'
awareness and their ability to assess adequate AML practices.
The draft report does reflect the efforts made with the revisions to
the examination manual, all of which are positive and should bring
continuity to the examination practice, something that will be welcomed
by the regulated industry, especially where addressing the refinement
of definitions.
If you have any questions regarding our comments, please contact
Richard P. Theis, Assistant Director, Management and Planning Staff,
Audit Liaison Group.
Sincerely,
Signed by:
Paul R. Corts:
Assistant Attorney General for Administration:
cc: EOUSA Audit Liaison:
Criminal Division Audit Liaison:
DEA Audit Liaison:
FBI Audit Liaison:
[End of section]
Appendix IV: GAO Contact and Staff Acknowledgments:
GAO Contact:
Yvonne D. Jones (202) 512-2717 or jonesy@gao.gov:
GAO Acknowledgments:
In addition to the contact named above, Barbara I. Keller, Assistant
Director; Toni Gillich; M'Baye Diagne; Yola Lewis; Marc Molino;
Elizabeth Olivarez; Carl Ramirez; Omyra Ramsingh; Barbara Roesmann; and
Adam Shapiro made key contributions to this report.
[End of section]
Related GAO Products:
Terrorist Financing: Better Strategic Planning Needed to Coordinate
U.S. Efforts to Deliver Counter-Terrorism Financing Training and
Technical Assistance Abroad. GAO-06-19. Washington, D.C.: October 24,
2005.
USA PATRIOT Act: Additional Guidance Could Improve Implementation of
Regulations Related to Customer Identification and Information Sharing
Procedures. GAO-05-412. Washington, D.C.: May 6, 2005.
Information Security: IRS Needs to Remedy Serious Weaknesses Over
Taxpayer and Bank Secrecy Act Data. GAO-05-482. Washington, D.C.: April
15, 2005.
Anti-Money Laundering: Issues Concerning Depository Institution
Regulatory Oversight. GAO-04-833T. Washington, D.C.: June 3, 2004.
Combating Terrorism: Federal Agencies Face Continuing Challenges in
Addressing Terrorist Financing and Money Laundering. GAO-04-501T.
Washington, D.C.: March 4, 2004.
Terrorist Financing: U.S. Agencies Should Systematically Assess
Terrorists' Use of Alternative Financing Mechanisms. GAO-04-163.
Washington, D.C.: November 14, 2003.
Combating Money Laundering: Opportunities Exist to Improve the National
Strategy. GAO-03-813. Washington, D.C.: September 26, 2003.
Internet Gambling: An Overview of the Issues. GAO-03-89. Washington,
D.C.: December 2, 2002.
Interim Report on Internet Gambling. GAO-02-1101R. Washington, D.C.:
September 23, 2002.
Money Laundering: Extent of Money Laundering Through Credit Cards Is
Unknown. GAO-02-670. Washington, D.C.: July 22, 2002.
Anti-Money Laundering: Efforts in the Securities Industry. GAO-02-111.
Washington, D.C.: October 10, 2001.
Money Laundering: Oversight of Suspicious Activity Reporting at Bank-
Affiliated Broker-Dealers Ceased. GAO-01-474. Washington, D.C.: March
22, 2001.
Suspicious Banking Activities: Possible Money Laundering by U.S.
Corporations Formed for Russian Entities. GAO-01-120. Washington, D.C.:
October 31, 2000.
Money Laundering: Observations on Private Banking and Related Oversight
of Selected Offshore Jurisdictions. GAO/T-GGD-00-32. Washington, D.C.:
November 9, 1999.
Private Banking: Raul Salinas, Citibank, and Alleged Money Laundering.
GAO/T-OSI-00-3. Washington, D.C.: November 9, 1999.
Private Banking: Raul Salinas, Citibank, and Alleged Money Laundering.
GAO/OSI-99-1. Washington, D.C.: October 30, 1998.
Money Laundering: Regulatory Oversight of Offshore Private Banking
Activities. GAO/GGD-98-154. Washington, D.C.: June 29, 1998.
Money Laundering: FinCEN's Law Enforcement Support Role Is Evolving.
GAO/GGD-98-117. Washington, D.C.: June 19, 1998.
Money Laundering: FinCEN Needs to Better Manage Bank Secrecy Act Civil
Penalties. GAO/GGD-98-108. Washington, D.C.: June 15, 1998.
Money Laundering: FinCEN's Law Enforcement Support, Regulatory, and
International Roles. GAO/GGD-98-83. Washington, D.C.: April 1, 1998.
Money Laundering: FinCEN Needs to Better Communicate Regulatory
Priorities and Timelines. GAO/GGD-98-18. Washington, D.C.: February 6,
1998.
Private Banking: Information on Private Banking and Its Vulnerability
to Money Laundering. GAO/GGD-98-19R. Washington, D.C.: October 30,
1997.
Money Laundering: A Framework for Understanding U.S. Efforts Overseas.
GAO/GGD-96-105. Washington, D.C.: May 24, 1996.
Money Laundering: U.S. Efforts to Combat Money Laundering Overseas.
GAO/T-GGD-96-84. Washington, D.C.: February 28, 1996.
(250181):
FOOTNOTES
[1] Bank Secrecy Act, titles I and II of Pub. L. No. 91-508, 84 Stat.
1114 (1970), as amended, codified at 12 U.S.C. §§ 1829b, 1951-1959, and
31 U.S.C. §§ 5311-5322.
[2] The Uniting and Strengthening America by Providing Appropriate
Tools Required to Intercept and Obstruct Terrorism Act of 2001, Pub. L.
No. 107-56, 115 Stat. 272 (2001). We refer to this act as the "PATRIOT
Act."
[3] The Secretary of the Treasury is authorized, after consultation
with the appropriate federal regulator, to prescribe minimum standards
for AML programs required by section 352(a) of the USA PATRIOT Act.
PATRIOT Act, § 352, 115 Stat. 272, 322 (2001) (codified at 31 U.S.C. §
5318(h)).
[4] GAO uses the term "regulators" to refer collectively to the federal
regulators of depository institutions, including banks, thrifts, and
federally chartered credit unions. The federal banking regulators are
the Federal Deposit Insurance Corporation, Board of Governors of the
Federal Reserve System, National Credit Union Administration, Office of
the Comptroller of the Currency, and Office of Thrift Supervision.
[5] FinCEN, originally established by order of the Secretary (Treasury
Order 105-08) on April 25, 1990, was reestablished as a bureau within
the Department of the Treasury pursuant to section 361(a)(2) of the
PATRIOT Act. In addition to the statutory duties and powers assigned to
FinCEN by the PATRIOT Act, the Director of FinCEN has other delegated
authorities related to the implementation and administration of the
BSA, as outlined in Treasury Order 108-01, dated September 26, 2002.
[6] 31 C.F.R. § 103.56(b)(1)-(5).
[7] We use the term "state banking departments" to refer to state
authorities responsible for the regulation and supervision of state-
chartered depository institutions in all 50 states, the Commonwealth of
Puerto Rico, the District of Columbia, the U.S. Virgin Islands, and the
U.S. Pacific Island Territory of Guam.
[8] The Conference of State Bank Supervisors is an organization that
represents the interests of the state banking system to federal and
state legislative and regulatory agencies.
[9] FFIEC, a formal interagency body comprising one member from each of
the regulators, prescribes uniform standards for the federal
examination of financial institutions by the regulators.
[10] Commissioned examiners are Federal Reserve, FDIC, and OCC
examiners who have received classroom training and on-the-job training
over several years and have successfully completed the commissioning
examination.
[11] Each regulator uses a different term for those examiners that
specialize in BSA compliance. In this report, we refer to these
examiners as "subject matter experts."
[12] Some of the data that the regulators provide to FinCEN are
confidential supervisory information. Because of the possible use of
sensitive information, the MOU restricts the disclosure of the
analytical products that FinCEN provides to the regulators. Other
parties would need written authorization from FinCEN to obtain these
reports.
[13] Justice's Criminal Division develops, enforces, and supervises the
application of all federal criminal laws, except those specifically
assigned to other divisions within the department. The Criminal
Division and the 93 U.S. Attorneys have the responsibility for
overseeing criminal matters under more than 900 statutes as well as
certain civil litigation. The division attorneys prosecute many
nationally significant cases, and the division formulates and
implements criminal enforcement policy.
[14] Bank Secrecy Act, titles I and II of Pub. L. No. 91-508, 84 Stat.
1114 (1970), as amended, codified at 12 U.S.C. §§ 1829b, 1951-1959, and
31 U.S.C. §§ 5311-5322.
[15] The Uniting and Strengthening America by Providing Appropriate
Tools Required to Intercept and Obstruct Terrorism Act of 2001, Pub. L.
No. 107-56, 115 Stat. 272 (2001). We refer to this act as the PATRIOT
Act.
[16] In addition to the duties delegated to FinCEN by the Secretary,
FinCEN also has specific statutory duties and powers under the PATRIOT
Act to support law enforcement efforts against domestic and
international financial crimes. 31 U.S.C. § 310; Treas. Order No. 180-
01, September 26, 2002.
[17] Currency and Foreign Transactions Reporting Act (commonly referred
to as the Bank Secrecy Act), Pub. L. No. 91-508, 84 Stat. 1114 (1970)
(codified as amended in 12 U.S.C. §§ 1829(b), 1951-1959; 31 U.S.C. §§
5311-5330).
[18] Pub. L. No. 99-570, title I, subtitle H, 100 Stat. 3207-17 (1986).
[19] Such regulations are found in various parts of title 12 of the
Code of Federal Regulations: 12 C.F.R. § 21.1-21.21 (Office of the
Comptroller of the Currency); 12 C.F.R. § 208.63 (Board of Governors of
the Federal Reserve System); 12 C.F.R. § 326.8 (Federal Deposit
Insurance Corporation); 12 C.F.R. § 563.177 (Office of Thrift
Supervision); and 12 C.F.R. § 748.2 (National Credit Union
Administration). The regulations adopted by each regulator generally
require depository institutions to establish a written compliance
program approved by their boards of directors that, at a minimum, (1)
provides for a system of internal controls to ensure ongoing
compliance, (2) provides for independent testing for compliance to be
conducted by institution personnel or an outside party, (3) designates
a compliance person to coordinate and monitor day-to-day compliance,
and (4) provides training for the appropriate personnel.
[20] Pub. L. No. 102-550, title XV, 106 Stat. 3672 (1992).
[21] Pub. L. No. 103-325, title IV, 108 Stat. 2247 (1994).
[22] The regulators also are required to review the BSA/AML programs of
insured depository institutions during their regular safety and
soundness examinations. 12 U.S.C. § 1818(s)(2).
[23] The regulators and state banking departments use the "Uniform
Financial Institutions Rating System" to assess the soundness of
financial institutions and identify those institutions requiring
special supervisory attention. Under the rating system, six essential
components of an institution's financial condition and operations are
evaluated: Capital, Assets, Management, Earnings, Liquidity, and
Sensitivity to interest-rate or market risk (CAMELS). The ratings are
assigned on a scale of 1 to 5, with 1 being the highest and 5 the
lowest. Other rating systems are used for financial institutions other
than banks, such as U.S. operations of foreign banking organizations.
NCUA uses a modified version of this rating scale.
[24] In accordance with 12 U.S.C. § 1820(d), the appropriate federal
banking regulator generally shall, not less than once each 12-month
period, conduct a safety and soundness examination of each insured
depository institution. The safety and soundness examinations of
certain depository institutions may be conducted in alternate years by
state banking departments and federal banking agencies. State banking
departments conduct independent safety and soundness examinations in
accordance with the alternating examination cycle program prescribed
within section 10(d) of the Federal Deposit Insurance Act. NCUA
conducts joint examinations with the states every 18 months.
[25] We interviewed officials and/or examiners from Florida's Office of
Financial Regulation, Georgia's Department of Banking and Finance,
Illinois' Department of Financial and Professional Regulation,
Louisiana's Office of Financial Institutions, New York's State Banking
Department, Utah's Department of Financial Institutions, and Virginia's
Bureau of Financial Institutions.
[26] In July 2004, we interviewed Federal Reserve officials involved in
managing the Federal Reserve's national examination data system. We
received written responses to all of our data reliability questions in
April 2005.
[27] Before 2005, the regulators had separate BSA examination guidance,
but, in June 2005, they issued interagency examination guidance. See
chapter 3 for a discussion of the new interagency examination guidance
adopted in 2005. The new guidance has not changed the basic procedures.
[28] Examiners may access the IRS's Currency and Banking Retrieval
System to obtain CTRs, SARs, and other information, such as Reports of
Foreign Bank and Financial Accounts. Examiners also may access FinCEN's
Currency and Banking Query System, which is a sophisticated, enhanced
query system, to obtain detailed information on SARs.
[29] Most industry participants agree that the primary market for
private banking consists of high-net-worth individuals and their
business interests. Privacy and confidentiality are important elements
of private banking relationships, and banks that act as a fiduciary for
such individuals may have statutory, contractual, or ethical
obligations to uphold the customers' confidentiality.
[30] Beginning in 2000, Treasury and Justice designated certain areas
as HIFCAs: Chicago, Illinois; Los Angeles, California; San Francisco,
California; Miami, Florida; San Juan, Puerto Rico; the southwest border
(Texas and Arizona); and New York and New Jersey. HIFCA designations
were designed to allow law enforcement to concentrate resources in
areas where money laundering or related financial crimes were occurring
at a higher-than-average rate.
[31] OFAC administers and enforces economic and trade sanctions against
countries and groups of individuals, such as terrorists and narcotics
traffickers. OFAC publishes a list of individuals and companies owned
or controlled by, or acting for or on behalf of, targeted countries. It
also lists individuals, groups, and entities designated under programs
that are not country-specific. Collectively, such individuals and
companies are called "Specially Designated Nationals." Their assets are
to be blocked, and U.S. persons generally are prohibited from dealing
with them.
[32] 12 U.S.C. § 1818(s).
[33] "Know Your Customer" refers to the due diligence institutions are
expected to conduct to understand the financial and transaction
profiles of their customers so that they can monitor more effectively
for unusual or suspicious transactions.
[34] Section 326 of the PATRIOT Act required the Secretary of the
Treasury and the federal functional regulators to develop regulations
establishing minimum standards for financial institutions regarding the
verification of a customer's identity in connection with opening an
account. 31 U.S.C. § 5318(l). These regulations require financial
institutions to establish a written customer identification program.
See, for example, 31 C.F.R. §§ 103.121-103.123; see also GAO, USA
PATRIOT Act: Additional Guidance Could Improve Implementation of
Regulations Related to Customer Identification and Information Sharing
Procedures, GAO-05-412 (Washington, D.C.: May 6, 2005).
[35] We discuss BSA violations and deficiencies in more detail in
chapter 4.
[36] CSBS is an organization that represents the interests of the state
banking system to federal and state legislative and regulatory
agencies. Results of the inquiry showed that CSBS contacted 50 banking
departments, the Commonwealth of Puerto Rico, and the District of
Columbia. Two of the 52 departments did not respond to the inquiry. On
the basis of these results, at least 15 banking departments were not
examining for BSA compliance.
[37] According to the CSBS officials, in most states, state laws do not
charge banking departments with examining state-chartered depository
institutions for BSA compliance or with enforcing BSA compliance.
Additionally, some banking departments are pursuing legislative changes
to allow them to share information, including BSA examination, with
other appropriate entities such as FinCEN.
[38] Results of the inquiry indicated that 49 banking departments, the
District of Columbia, the Commonwealth of Puerto Rico, and the U.S.
Pacific Island Territory of Guam participated in the inquiry. One of
the 52 participants did not respond to the inquiry. On the basis of the
results, at least 6 banking departments were not examining for BSA
compliance.
[39] The MOUs vary by state and define state banking departments' roles
and responsibilities.
[40] Commissioned examiners are Federal Reserve, FDIC, and OCC
examiners who have received classroom training and on-the-job training
over several years and have successfully completed the commissioning
examination.
[41] GAO-05-412.
[42] Each regulator uses a different term for those examiners
specializing in BSA compliance. In this report, we refer to these
examiners as "subject matter experts."
[43] GAO-05-412.
[44] These responses included issuing guidance that (1) outlines how
BSA assessment factors are considered in determining the appropriate
enforcement actions, (2) develops an internal control process to verify
that all BSA violations are promptly included in the systems used to
report to Treasury, and (3) establishes procedures to prevent
institutions with inadequate BSA/AML programs from bidding on
franchises or failed bank assets. The IG noted that FDIC was making
significant improvements in its supervision of BSA/AML programs in
response to these recommendations and the agency's own initiatives.
[45] According to Federal Reserve officials, some Reserve Banks have
developed mechanisms to collect and store data on BSA-related
information, including violations, supervisory actions, and
institutions' progress on implementing corrective actions for BSA-
related problems.
[46] Officials from FinCEN and the regulators noted that before the
adoption of the MOU, in accordance with Treasury regulation, the
regulators were required to submit some aggregate data on BSA
violations to FinCEN and its predecessor within Treasury.
[47] Some of the data that regulators provide to FinCEN are
confidential supervisory information. Accordingly, the MOU restricts
the disclosure of analytical products provided by FinCEN to the
regulators in the absence of written authorization from FinCEN.
[48] The section 314(a) regulations set forth the process by which law
enforcement agencies provide FinCEN with names and identifying
information on suspects. FinCEN distributes this information to
financial institutions across the country and requires that
institutions search their accounts to identify any matches (see GAO-05-
412).
[49] 12 C.F.R. § 326.8 (FDIC), 12 C.F.R. § 208.63 (Federal Reserve), 12
C.F.R. § 748.2 (NCUA), 12 C.F.R. § 21.21 (OCC), and 12 C.F.R. § 563.177
(OTS).
[50] Section 326.8 of the FDIC Rules and Regulations.
[51] OCC, Bank Secrecy Act/Anti-Money Laundering Supervision (May
2005).
[52] According to the September 2004 MOU signed by FinCEN and the
regulators, for purposes of the MOU, a significant violation includes a
systemic or pervasive BSA/AML program deficiency, systemic or pervasive
BSA reporting or record-keeping violations, or a situation where a
banking organization fails to respond to supervisory warnings
concerning such failures or weaknesses. A significant violation also
includes nontechnical, one-time BSA violations that demonstrate willful
or reckless disregard for the requirements of the BSA, or that create a
substantial risk of money laundering or the financing of terrorism
within the institution. The regulators' formal enforcement actions
could solely address BSA compliance problems or involve other and
unrelated safety and soundness problems at the institution.
[53] OCC uses the term "consent order" for a cease-and-desist order,
which has been entered into and becomes final through the board of
directors' execution. An authorized OCC official also signs consent
orders. Like all orders to cease and desist, the consent order is
issued pursuant to 12 U.S.C. § 1818(b). Aside from its title, a cease-
and-desist order is identical in form and legal effect to a consent
order. However, a cease-and-desist order is imposed on an involuntary
basis after issuance of an OCC Notice of Charges, a hearing before an
administrative law judge, and a final decision order issued by the
Comptroller of the Currency.
[54] The Federal Reserve has delegated authority to the Reserve Banks
to enter into written agreements with institutions (with the prior
concurrence of senior Federal Reserve officials); however, the
authority to take other types of formal enforcement actions remains
with the Federal Reserve.
[55] OCC took subsequent action that is discussed later in this
chapter.
[56] 12 U.S.C. § 1818(s). NCUA has similar authority under 12 U.S.C. §
1786(q).
[57] 12 U.S.C. §§ 1818(i)(2) and 1786(k)(2).
[58] Section 1818 authorizes the regulators to use several formal
enforcement actions.
[59] According to OCC, "Matters Requiring Attention" are informal
enforcement actions that document practices that (1) deviate from sound
fundamental principles and are likely to result in financial
deterioration if not addressed or (2) result in substantive
noncompliance with laws and regulations. Matters Requiring Attention
also involve a commitment from institution management to take
corrective action and a specified time frame for such action.
[60] In its comments on the report, FDIC generally disagreed with this
and other conclusions made in the FDIC IG report, but agreed with the
report's recommendations.
[61] 31 C.F.R. § 103.56(a). Although 31 C.F.R. § 103.56 refers
specifically to the "Assistant Secretary (Enforcement)," under
paragraph 8(c) of Treasury Order No. 180-01, the term the "Assistant
Secretary (Enforcement)," as used in the regulations, rules,
instructions, and forms issued or adopted for the administration and
enforcement of the BSA, is deemed to mean the Director of FinCEN.
[62] BSA regulations allow the regulators to submit evidence of
specific BSA violations to FinCEN at any time--not just in the course
of examinations. 31 C.F.R. § 103.56(e).
[63] Federal Reserve guidelines only authorize Board of Governors staff
to make referrals to FinCEN.
[64] According to FinCEN officials, FinCEN also issues Letters of
Caution to address cases involving nonsignificant, often technical, BSA
compliance problems.
[65] Since 1999, FinCEN also issued CMPs against 14 other financial
institutions, including casinos, check cashers, money exchanges, and
money remitters. FinCEN has issued CMPs against two individuals for BSA
violations.
[66] According to enforcement documents, payments of concurrent FinCEN
and OCC CMP assessments would be satisfied by one payment to the
Treasury.
[67] On May 14, 2004, the Board of Governors of the Federal Reserve
System issued a consent cease-and-desist order to Riggs National
Corporation (then a bank holding company), and Riggs International
Banking Corporation, an Edge corporation organized under section 25A of
the Federal Reserve Act (12 U.S.C. § 611), which was a wholly owned
subsidiary of Riggs Bank, Washington, D.C. Because Riggs International
Banking Corporation ceased to exist as a separate entity as of December
31, 2004, and all of Riggs International Banking Corporation's
remaining operations, accounts, property, and records were transferred
to Riggs Bank, on January 26, 2005, the Board of Governors terminated
the May 2004 order, and Riggs Bank consented to the issuance of a new
order to cease and desist.
[68] According to its consent order of CMP, OCC determined that Riggs
Bank failed to detect or investigate suspicious activities and did not
file SARs as required. Among other failures, Riggs Bank did not
investigate suspicious activities occurring in accounts related to the
countries of Saudi Arabia and Equatorial Guinea. OCC also determined
that Riggs Bank failed to adequately monitor for suspicious activity
involving cash, wire, or monetary instrument transactions.
Specifically, Riggs Bank failed to identify or monitor potentially
suspicious activity pertaining to (1) tens of millions of dollars in
cash withdrawals from accounts related to the Saudi Arabian embassy and
(2) dozens of sequentially numbered international drafts that totaled
millions of dollars that were drawn from accounts related to officials
of Saudi Arabia that were returned to the bank. Riggs Bank also did not
identify or monitor dozens of sequentially numbered cashier's checks
that were drawn from accounts related to officials of Saudi Arabia made
payable to the account holder, millions of dollars deposited into a
private investment company owned by an official of the country of
Equatorial Guinea, hundreds of thousands of dollars transferred from an
account of the country of Equatorial Guinea to the personal account of
a government official in the country, and more than a million dollars
transferred from an account of the country of Equatorial Guinea to a
private investment company owned by a Riggs Bank relationship manager.
OCC also cited problems with Riggs Bank's BSA/AML program, including
seriously deficient internal controls, inadequate independent testing,
ineffective management to oversee day-to-day BSA compliance,
ineffective training, and systemic problems with Riggs Bank's risk
management procedures.
[69] Arab Bank-New York performed the clearing function for members of
the Arab Bank Group in foreign jurisdictions and domestic and foreign
correspondent institutions independent of the Arab Bank Group. In
addition, as a member of the Clearing House Interbank Payments System
and other settlement systems in the United States, Arab Bank-New York
cleared funds transfers involving major commercial banks in the United
States. None of the originators and beneficiaries in funds transfers
that Arab Bank-New York cleared as an intermediary institution held
accounts at Arab Bank-New York.
[70] 31 U.S.C. §§ 5321 and 5330, 12 U.S.C. §§ 1829b(j) and 1953, and 31
C.F.R. § 103.57.
[71] Section 321(b) of the USA PATRIOT Act amended the definition of
"financial institutions" subject to the BSA to include futures
commission merchants, commodity trading advisors, and commodity pool
operators registered or required to be registered under the Commodity
Exchange Act. Accordingly, FinCEN amended the BSA implementing
regulations to delegate BSA examination authority to the Commodity
Futures Trading Commission with respect to futures commission
merchants, commodity trading advisors, and introducing brokers in
commodities. 68 Fed. Reg. 65393, 65399 (2002) (codified at 31 C.F.R. §
103.56(b)(9)).
[72] According to Justice, other federal law enforcement agencies
involved in the case included the Federal Bureau of Investigation, the
United States Secret Service, and the IRS.
[73] According to Justice, Equatorial Guinea has billions of dollars of
oil reserves within its territorial waters, resulting in a significant
influx of capital from businesses in the United States and elsewhere.
By 2003, these accounts had become Riggs Bank's largest single
relationship, with balances and outstanding loans that totaled nearly
$700 million. In February 2003, the U.S. Senate Permanent Subcommittee
on Investigations of the Committee on Governmental Affairs, at the
request of Senator Carl Levin, Ranking Minority Member, and with the
support of the Subcommittee Chairman, Norm Coleman, initiated a bipartisan
investigation to evaluate the enforcement and effectiveness of key AML
provisions in the PATRIOT Act, using Riggs Bank as a case history.
Following a July 2004 hearing and report on the results of the
investigation, on March 16, 2005, the subcommittee issued a separate
report identifying additional accounts connected to Pinochet at other
financial institutions.
[74] ICE and IRS-Criminal Investigation division conducted separate
investigations into multiple accounts at Banco Popular.
[75] In May 2004, FDIC issued a cease-and-desist order against the bank
for BSA violations.
[76] The procedures also indicate that if a depository institution
knows, suspects, or has reason to suspect that a customer may be linked
to terrorist activity against the United States, the bank should
immediately call FinCEN's Financial Institutions Terrorist Hotline.
[77] Justice's Criminal Division develops, enforces, and supervises the
application of all federal criminal laws, except those specifically
assigned to other divisions within the department. The Criminal
Division and the 93 U.S. attorneys have the responsibility for
overseeing criminal matters under more than 900 statutes as well as
certain civil litigation. The division attorneys prosecute many
nationally significant cases, and the division formulates and
implements criminal enforcement policy.
[78] Examination documentation is essential for supervision of
examinations; reviews of examination quality; and, ultimately,
regulator oversight of financial institutions. Moreover, the
documentation must be of a quality that would support findings and
recommendations; constitute a clear record of decision making; and
allow internal and external reviewers, auditors, and regulators to
understand the examiners' work and analyses.
[79] This manual was still in effect when we issued this report.
[80] OCC specified "quantity of risk" procedures to include the
selection and testing of various accounts, such as exemptions, sales of
monetary instruments, funds transfers, international brokered accounts,
and nonresident alien accounts.
[81] Community banks are those banks that have assets of less than $1
billion.
GAO's Mission:
The Government Accountability Office, the investigative arm of
Congress, exists to support Congress in meeting its constitutional
responsibilities and to help improve the performance and accountability
of the federal government for the American people. GAO examines the use
of public funds; evaluates federal programs and policies; and provides
analyses, recommendations, and other assistance to help Congress make
informed oversight, policy, and funding decisions. GAO's commitment to
good government is reflected in its core values of accountability,
integrity, and reliability.
Obtaining Copies of GAO Reports and Testimony:
The fastest and easiest way to obtain copies of GAO documents at no
cost is through the Internet. GAO's Web site ( www.gao.gov ) contains
abstracts and full-text files of current reports and testimony and an
expanding archive of older products. The Web site features a search
engine to help you locate documents using key words and phrases. You
can print these documents in their entirety, including charts and other
graphics.
Each day, GAO issues a list of newly released reports, testimony, and
correspondence. GAO posts this list, known as "Today's Reports," on its
Web site daily. The list contains links to the full-text document
files. To have GAO e-mail this list to you every afternoon, go to
www.gao.gov and select "Subscribe to e-mail alerts" under the "Order
GAO Products" heading.
Order by Mail or Phone:
The first copy of each printed report is free. Additional copies are $2
each. A check or money order should be made out to the Superintendent
of Documents. GAO also accepts VISA and Mastercard. Orders for 100 or
more copies mailed to a single address are discounted 25 percent.
Orders should be sent to:
U.S. Government Accountability Office
441 G Street NW, Room LM
Washington, D.C. 20548
To order by Phone:
Voice: (202) 512-6000
TDD: (202) 512-2537
Fax: (202) 512-6061
To Report Fraud, Waste, and Abuse in Federal Programs:
Contact:
Web site: www.gao.gov/fraudnet/fraudnet.htm
E-mail: fraudnet@gao.gov
Automated answering system: (800) 424-5454 or (202) 512-7470
Public Affairs:
Jeff Nelligan, managing director,
NelliganJ@gao.gov
(202) 512-4800
U.S. Government Accountability Office,
441 G Street NW, Room 7149
Washington, D.C. 20548