Bank Secrecy Act
Federal Agencies Should Take Action to Further Improve Coordination and Information-Sharing Efforts
GAO ID: GAO-09-227, February 12, 2009
The legislative framework for combating money laundering began with the Bank Secrecy Act (BSA) in 1970 and most recently expanded in 2001 with the USA PATRIOT Act. The Financial Crimes Enforcement Network (FinCEN) administers BSA and relies on multiple federal and state agencies to ensure financial institution compliance. GAO was asked to (1) describe how BSA compliance and enforcement responsibilities are distributed, (2) describe how agencies other than FinCEN are implementing those responsibilities and evaluate their coordination efforts, and (3) evaluate how FinCEN is implementing its BSA responsibilities. Among other things, GAO reviewed legislation, past GAO and Treasury reports, and agreements and guidance from all relevant agencies; and interviewed agency, association, and financial institution officials.
FinCEN is responsible for the administration of the BSA regulatory structure, and has delegated examination responsibility to the federal banking regulators (Board of Governors of the Federal Reserve System, Federal Deposit Insurance Corporation, Office of the Comptroller of the Currency, Office of Thrift Supervision, and National Credit Union Administration), the Securities and Exchange Commission (SEC), the Commodity Futures Trading Commission (CFTC), and the Internal Revenue Service (IRS). The federal banking regulators, SEC, CFTC, securities and futures self-regulatory organizations (SRO), and state agencies also have their own separate authorities to examine for compliance among institutions they supervise and take enforcement actions for noncompliance. FinCEN has retained enforcement authority for BSA and may take enforcement actions independently or concurrently with the regulators. While federal agencies have enhanced their BSA compliance programs, opportunities exist to improve interagency and state examination coordination. The federal banking regulators issued an interagency examination manual; SEC, CFTC, and their respective SROs developed BSA examination modules; and FinCEN and IRS, which examines nonbank financial institutions (NBFI), issued an examination manual for money services businesses (MSB). However, IRS has not fully coordinated MSB examination schedules with the states that also examine MSBs, potentially missing opportunities to reduce duplication and leverage resources. The federal financial regulators traditionally have different compliance approaches for their industries. With respect to BSA, multiple regulators are examining for compliance with the same legislation across industries and, for some larger holding companies, within the same institution. 
However, they do not have a mechanism through which all regulators discuss (without industry present) how to promote greater consistency, reduce unnecessary regulatory burden, and identify concerns across industries. Federal banking regulators reported improved transparency and coordination of enforcement actions. While FinCEN has increased regulatory resources, provided examination support, and made advances in outreach, it could improve its information-sharing efforts. FinCEN improved its system for tracking referrals but lack of a process for communication between IRS and FinCEN for IRS referrals, coupled with IRS's limited enforcement authority, may delay timely feedback to IRS-examined institutions. FinCEN completed more information-sharing memorandums of understanding (MOU) with federal and state agencies, but did not sign its MOU with CFTC until January 2009, which limited their information-sharing efforts. Some state regulators and securities and futures regulators continue to have no electronic access to BSA data. Lack of direct access to BSA data impedes their ability to identify potential risk areas on which to focus their examinations and effectively leverage resources. FinCEN officials said they finalized a data-access template in July 2008, and had begun providing more electronic access.
GAO-09-227, Bank Secrecy Act: Federal Agencies Should Take Action to Further Improve Coordination and Information-Sharing Efforts
This is the accessible text file for GAO report number GAO-09-227
entitled 'Bank Secrecy Act: Federal Agencies Should Take Action to
Further Improve Coordination and Information-Sharing Efforts' which was
released on March 17, 2009.
This is a work of the U.S. government and is not subject to copyright
protection in the United States. It may be reproduced and distributed
in its entirety without further permission from GAO. Because this work
may contain copyrighted images or other material, permission from the
copyright holder may be necessary if you wish to reproduce this
material separately.
Report to the Permanent Subcommittee on Investigations, Committee on
Homeland Security and Governmental Affairs, U.S. Senate:
United States Government Accountability Office:
GAO:
February 2009:
Bank Secrecy Act:
Federal Agencies Should Take Action to Further Improve Coordination and
Information-Sharing Efforts:
GAO-09-227:
GAO Highlights:
Highlights of GAO-09-227, a report to the Permanent Subcommittee on
Investigations, Senate Committee on Homeland Security and Governmental
Affairs.
Why GAO Did This Study:
The legislative framework for combating money laundering began with the
Bank Secrecy Act (BSA) in 1970 and most recently expanded in 2001 with
the USA PATRIOT Act. The Financial Crimes Enforcement Network (FinCEN)
administers BSA and relies on multiple federal and state agencies to
ensure financial institution compliance. GAO was asked to (1) describe
how BSA compliance and enforcement responsibilities are distributed,
(2) describe how agencies other than FinCEN are implementing those
responsibilities and evaluate their coordination efforts, and (3)
evaluate how FinCEN is implementing its BSA responsibilities. Among
other things, GAO reviewed legislation, past GAO and Treasury reports,
and agreements and guidance from all relevant agencies; and interviewed
agency, association, and financial institution officials.
What GAO Found:
FinCEN is responsible for the administration of the BSA regulatory
structure, and has delegated examination responsibility to the federal
banking regulators (Board of Governors of the Federal Reserve System,
Federal Deposit Insurance Corporation, Office of the Comptroller of the
Currency, Office of Thrift Supervision, and National Credit Union
Administration), the Securities and Exchange Commission (SEC), the
Commodity Futures Trading Commission (CFTC), and the Internal Revenue
Service (IRS). The federal banking regulators, SEC, CFTC, securities
and futures self-regulatory organizations (SRO), and state agencies
also have their own separate authorities to examine for compliance
among institutions they supervise and take enforcement actions for
noncompliance. FinCEN has retained enforcement authority for BSA and
may take enforcement actions independently or concurrently with the
regulators.
While federal agencies have enhanced their BSA compliance programs,
opportunities exist to improve interagency and state examination
coordination. The federal banking regulators issued an interagency
examination manual; SEC, CFTC, and their respective SROs developed BSA
examination modules; and FinCEN and IRS, which examines nonbank
financial institutions (NBFI), issued an examination manual for money
services businesses (MSB). However, IRS has not fully coordinated MSB
examination schedules with the states that also examine MSBs,
potentially missing opportunities to reduce duplication and leverage
resources. The federal financial regulators traditionally have
different compliance approaches for their industries. With respect to
BSA, multiple regulators are examining for compliance with the same
legislation across industries and, for some larger holding companies,
within the same institution. However, they do not have a mechanism
through which all regulators discuss (without industry present) how to
promote greater consistency, reduce unnecessary regulatory burden, and
identify concerns across industries. Federal banking regulators
reported improved transparency and coordination of enforcement actions.
While FinCEN has increased regulatory resources, provided examination
support, and made advances in outreach, it could improve its
information-sharing efforts. FinCEN improved its system for tracking
referrals but lack of a process for communication between IRS and
FinCEN for IRS referrals, coupled with IRS's limited enforcement
authority, may delay timely feedback to IRS-examined institutions.
FinCEN completed more information-sharing memorandums of understanding
(MOU) with federal and state agencies, but did not sign its MOU with
CFTC until January 2009, which limited their information-sharing
efforts. Some state regulators and securities and futures regulators
continue to have no electronic access to BSA data. Lack of direct
access to BSA data impedes their ability to identify potential risk
areas on which to focus their examinations and effectively leverage
resources. FinCEN officials said they finalized a data-access template
in July 2008, and had begun providing more electronic access.
What GAO Recommends:
GAO recommends that IRS better coordinate examination schedules with
state agencies; that FinCEN, the federal financial regulators, and IRS
consider developing a mechanism to regularly discuss BSA examinations
and procedures across all regulators; and that the FinCEN Director
facilitate communication on IRS referrals, and finalize electronic
data-access MOUs with state agencies and securities and futures regulators.
The federal banking regulators, SEC, CFTC, IRS, and FinCEN agreed to
implement the recommendations pertaining to their agencies.
To view the full product, including the scope and methodology, click on
[hyperlink, http://www.gao.gov/products/GAO-09-227]. For more
information, contact Jack Edwards at (202) 512-8678 or
edwardsj@gao.gov.
[End of section]
Contents:
Letter:
Results in Brief:
Background:
FinCEN Administers the BSA Framework, under which Many Regulatory
Entities Exercise Delegated and Independent Compliance and Enforcement
Authorities:
While Agencies Have Enhanced BSA Compliance Programs, Opportunities
Exist to Improve Interagency and State Examination Coordination:
FinCEN Provides Some Effective Outreach and Regulatory Support but
Could Improve Information-Sharing Efforts:
Conclusions:
Recommendations for Executive Action:
Agency Comments and Our Evaluation:
Appendix I: Objectives, Scope and Methodology:
Appendix II: Overview of Federal Agencies Involved in the BSA/AML
Framework and Related Resources:
Appendix III: Examples of BSA/AML-Related Formal Enforcement Actions:
Appendix IV: Comments from the Department of the Treasury's Financial
Crimes Enforcement Network:
Appendix V: Comments from the Internal Revenue Service:
Appendix VI: Comments from the Board of Governors of the Federal
Reserve:
Appendix VII: Comments from the Federal Deposit Insurance Corporation:
Appendix VIII: Comments from the Office of the Comptroller of the
Currency:
Appendix IX: Comments from the Office of Thrift Supervision:
Appendix X: Comments from National Credit Union Administration:
Appendix XI: Comments from Securities and Exchange Commission:
Appendix XII: Comments from the Commodity Futures Trading Commission:
Appendix XIII: GAO Contact and Staff Acknowledgments:
Tables:
Table 1: Overview of Federal Agencies with BSA/AML Compliance
Responsibilities:
Table 2: Federal Banking Regulators' BSA/AML Examinations, Most
Frequently Cited Violations, and Enforcement Actions, Fiscal Years
2005-2008:
Table 3: Number of BSA/AML Examinations, Violations, and Enforcement
Actions in the Securities Industry, Fiscal Years 2007-2008:
Table 4: Number of SEC/SRO Rule Citations and Violations in the
Securities Industry under BSA, Fiscal Years 2007-2008:
Table 5: Number of BSA Examinations, Deficiencies, and Enforcement
Actions in the Futures Industry, Calendar Years 2005-2008:
Table 6: Summary of IRS Quarterly Reports Sent to FinCEN, Fiscal Years
2006-2008:
Table 7: Number of Institutions with Violations Most Often Cited by
IRS, FY 2007-2008:
Table 8: Justice BSA Enforcement Actions, January 2006-October 2008:
Table 9: FinCEN Budget Authority, Civilian Full-time Equivalent
Employees, and Regulatory-Dedicated Staff, Fiscal Years 2001-2007:
Table 10: Number of Cases Processed in FinCEN's Offices of Compliance
and Enforcement and Average Processing Times, Fiscal Years 2006-2008:
Table 11: BSA/AML Training, by Regulator:
Table 12: IRS BSA Performance Measures, Fiscal Years 2004-2007:
Table 13: Examples of Formal Enforcement Actions, Excluding CMPs, Taken
By Federal Financial Regulators and SROs for BSA/AML-related Compliance
Problems, Fiscal Years 2006-2008:
Table 14: Examples of CMPs Assessed by FinCEN, Federal Financial
Regulators, and SROs for BSA/AML-related Compliance Violations, Fiscal
Years 2006-2008:
Figures:
Figure 1: Overview of Federal Agencies and SROs in the BSA/AML
Framework:
Figure 2: FinCEN's Tracking Process for BSA Compliance Referrals:
Abbreviations:
AML: anti-money laundering:
BSA: Bank Secrecy Act of 1970:
BSAAG: Bank Secrecy Act Advisory Group:
CFTC: Commodity Futures Trading Commission:
CIP: customer identification program:
CMP: civil money penalty:
CMS: Case Management System:
CTR: currency transaction report:
FDIC: Federal Deposit Insurance Corporation:
Federal Reserve: Board of Governors of the Federal Reserve System:
FFIEC: Federal Financial Institutions Examination Council:
FINRA: Financial Industry Regulatory Authority:
FinCEN: Financial Crimes Enforcement Network:
IRS: Internal Revenue Service:
Justice: Department of Justice:
MOU: memorandum of understanding:
MSB: money services business:
NBFI: nonbank financial institution:
NCUA: National Credit Union Administration:
NFA: National Futures Association:
OCC: Office of the Comptroller of the Currency:
OCIE: Office of Compliance Inspections and Examinations:
OTS: Office of Thrift Supervision:
RPPD: Regulatory Policy and Programs Division:
SAR: suspicious activity report:
SEC: Securities and Exchange Commission:
SRO: self-regulatory organization:
Treasury: Department of the Treasury:
[End of section]
United States Government Accountability Office:
Washington, DC 20548:
February 12, 2009:
The Honorable Carl Levin:
Chairman:
The Honorable Tom Coburn:
Acting Ranking Member:
Permanent Subcommittee on Investigations:
Committee on Homeland Security and Governmental Affairs:
United States Senate:
The legislative framework for combating money laundering and other
financial crimes has been built over nearly four decades. The Bank
Secrecy Act of 1970 (BSA) established reporting and other anti-money
laundering (AML) requirements for domestic financial institutions.
[Footnote 1] Due to the increased sophistication of money laundering
activities and concerns about terrorist financing, Congress expanded
AML legislation to cover more types of institutions involved in a
broader range of financial transactions. In 2001, the enactment of the
USA PATRIOT Act strengthened reporting and AML requirements for
securities firms, futures firms, money services businesses (MSB), and
other financial institutions.[Footnote 2] The regulators discussed in
this report have developed programs to review financial institutions'
compliance with these reporting requirements and AML requirements.
Multiple federal and state agencies operate within the BSA framework.
The Financial Crimes Enforcement Network (FinCEN), a bureau of the U.S.
Department of the Treasury (Treasury), is the BSA administrator. The
federal financial regulators that compose the BSA compliance framework
are the federal banking regulators--the Board of Governors of the
Federal Reserve System (Federal Reserve), the Federal Deposit Insurance
Corporation (FDIC), the Office of the Comptroller of the Currency
(OCC), the Office of Thrift Supervision (OTS), and the National Credit
Union Administration (NCUA)--as well as the Securities and Exchange
Commission (SEC), and the Commodity Futures Trading Commission (CFTC).
The Internal Revenue Service (IRS) has examination responsibilities
under BSA.[Footnote 3] To different extents, four of the federal
banking regulators--the Federal Reserve, FDIC, OTS, and NCUA--share
compliance responsibilities, such as examinations of institutions that
they oversee, with state regulators. IRS, which oversees BSA/AML
compliance among some state-chartered institutions, such as MSBs, also
shares responsibilities with state regulators. The self-regulatory
organizations (SRO) that SEC and CFTC oversee also have BSA/AML
compliance responsibilities for the activities of their members.
[Footnote 4] Appendix II of this report provides an overview of the
missions and compliance and enforcement activities of these entities
and provides information on their BSA/AML-related resources and
training.
As we have reported previously, FinCEN and these agencies have
responded to the challenge of increased BSA/AML responsibilities by
finalizing new regulations to implement the USA PATRIOT Act and
applying them to industries newer to BSA/AML efforts.[Footnote 5] In
addition, the federal banking regulators, FinCEN, and SEC have taken
enforcement actions involving BSA/AML-related violations that resulted
in large penalties. But, as BSA regulation has evolved, so have
financial services firms. They generally have become fewer in number
and larger--providing more and varied services and products across one
or more traditional financial sectors (banking, securities, futures,
and insurance).[Footnote 6] The proliferation of activities across
industry lines also has made it all the more important that agencies
with compliance-monitoring and enforcement responsibilities coordinate
with each other. Given that many regulators and SROs have
responsibility for overseeing compliance with BSA, Congress has raised
questions about how effectively FinCEN and these entities are
coordinating their BSA/AML efforts and the general soundness of the
current BSA compliance and enforcement framework.
In response to your request that we review FinCEN and other federal
agencies' efforts to implement BSA, we (1) describe how BSA compliance
and enforcement efforts are distributed among federal and state
regulators, SROs, and FinCEN; (2) describe how federal agencies other
than FinCEN are implementing their BSA activities and evaluate their
coordination efforts; and (3) evaluate how FinCEN is executing its BSA
responsibilities and coordinating BSA efforts among the various
agencies.
To address our objectives, we reviewed relevant federal legislation and
prior GAO and Treasury Inspector General reports, and conducted
interviews with FinCEN, federal banking regulators, SEC, CFTC, IRS, and
Department of Justice (Justice) officials. We reviewed BSA compliance
and enforcement guidance from all relevant agencies, memorandums of
understanding (MOU), training documentation, staffing and performance
measurement data, strategic plans and annual reports, and internal
documentation. We also reviewed our collaboration best practices--which
encompass a set of key practices that can help agencies enhance and
sustain collaborative efforts.[Footnote 7] Furthermore, we interviewed
officials from selected state banking agencies (based on factors such
as geography and types of financial activities within their states) and
SROs, and officials from associations representing banking, credit
unions, MSBs, securities, and futures industries, as well as a state
regulatory association. We also interviewed officials from 20
depository institutions, 8 securities firms, and 2 futures firms. For
the depository institutions, we interviewed all 5 institutions that had
the largest number of suspicious activity report (SAR) filings and
randomly selected the remaining 15 based on their number of SAR filings
in calendar year 2007. We interviewed the 8 securities firms through
the auspices of an industry trade association and interviewed one large
and one small futures firm drawn from a list provided by a futures
regulator.
We conducted this performance audit in Washington, D.C.; New York, New
York; and Chicago, Illinois; from October 2007 to February 2009 in
accordance with generally accepted government auditing standards. Those
standards require that we plan and perform the audit to obtain
sufficient, appropriate evidence to provide a reasonable basis for our
findings and conclusions based on our audit objectives. We believe that
the evidence obtained provides a reasonable basis for our findings and
conclusions based on our audit objectives. Appendix I explains our
scope and methodology in greater detail.
Results in Brief:
BSA compliance and enforcement efforts are distributed among numerous
agencies in accordance with their jurisdictions. Under the BSA
regulatory scheme, FinCEN is responsible for the administration of BSA,
but delegated its BSA examination authority to the federal banking
regulators, SEC, CFTC, and IRS. In addition, the federal banking
regulators, SEC, CFTC, securities and futures SROs, and state agencies
have independent authority to ensure institutions they supervise comply
with all applicable laws and regulations, including BSA/AML-related
regulations. FinCEN and most federal regulators have authority to take
BSA/AML-related enforcement actions against financial institutions, in
some cases directly for violations of BSA and, in others, for
violations of rules issued by the regulators. The SROs additionally
have rules requiring compliance with BSA. IRS issues letters of
noncompliance to institutions and relies on FinCEN for formal civil
enforcement action. Justice's role in BSA enforcement is to investigate
financial institutions and individuals suspected of criminal money
laundering offenses and systemic noncompliance with BSA regulations and
prosecute those charged.
While federal agencies have enhanced their BSA/AML compliance programs,
opportunities exist to improve interagency and state examination
coordination. Notably, the federal bank regulators, in collaboration
with FinCEN, have developed uniform examination guidance that each
agency uses to examine the institutions under its jurisdiction, an
effort that has improved collaboration. Similarly, SEC and CFTC, with their
respective SROs, have developed examination guidance for the firms they
supervise, and IRS and FinCEN have issued an examination manual for
MSBs. However, IRS has not fully coordinated MSB examination schedules
with the states that license and also examine those businesses, missing
opportunities to reduce any potential examination duplication and
leverage resources. Further, because federal financial regulators have
different institutional approaches to their BSA compliance and
enforcement activities, a mechanism to promote greater consistency
through compatible activities (particularly when multiple regulators
have jurisdiction over the same entity) and to reduce unnecessary
regulatory burden is important. However, the agencies do not have such
a mechanism and thus may miss opportunities to reduce any unnecessary
regulatory burden, a concern identified by industry officials during
our interviews, and identify any BSA/AML concerns across industry.
Finally, federal banking regulators reported improved transparency and
coordination of enforcement actions among federal banking agencies and
state agencies, due in part to new interagency enforcement guidance
that clarified the circumstances under which regulators could issue a
cease and desist order for noncompliance with BSA requirements.
While FinCEN has increased regulatory-dedicated resources, provided
examination support through a variety of ways, and made advances in
outreach, it could further improve its information-sharing efforts.
With its increase in budget authority, FinCEN increased staff dedicated
to its regulatory programs, which operate from the Regulatory Policy
and Programs Division (RPPD). RPPD provides examination support by
commenting on and developing examination guidance and also headed an
initiative focused on enhancing risk-based examination approaches.
Further, according to FinCEN surveys, RPPD's outreach services were
highly rated by industry members surveyed and FinCEN also had
undertaken new initiatives, such as establishing a new Office for
Outreach Resources. While FinCEN has improved its system for tracking
BSA compliance referrals, the lack of a process that facilitates
communication between FinCEN and IRS about IRS compliance referrals
(combined with IRS's limited enforcement authorities) may delay
feedback to IRS-examined entities and allow these institutions to
continue operating without correction after deficiencies were
identified. FinCEN and IRS have been discussing how to improve the
handling of IRS referrals but have not established a mutually
agreed-upon process that facilitates communication to ensure timely
feedback to institutions. FinCEN also increased the number of
information-sharing MOUs with federal and state agencies and surveyed MOU holders.
FinCEN and most regulators reported benefits in terms of formalizing
data reporting and enforcement coordination procedures. Because FinCEN
and CFTC did not finalize their MOU until January 2009, the agencies
engaged in limited information sharing while the MOU was being drafted.
For example, CFTC officials said that once the MOU was signed, they
would consistently track violation data and provide the data to FinCEN
along with examination procedures. Without having this mechanism in
place to monitor activities, FinCEN and CFTC have not been able to
evaluate the results of their efforts to date. FinCEN has taken steps
to provide more BSA data analyses to regulators and has been discussing
additional products that may be useful for compliance activities. Some
securities, futures, and state regulators do not have direct electronic
access to BSA data, which impedes examination risk scoping and their
ability to independently verify institutions' BSA reporting. FinCEN
officials said they finalized a universal data access template in July
2008, and began providing more electronic access to state regulators.
However, FinCEN is still working on data access agreements for SROs,
and in the meantime, regulators such as SEC's SROs, which conduct the
vast majority of broker-dealer examinations, do not have direct
electronic BSA data access and must go through FinCEN or SEC to obtain
data. The lack of direct access impedes the effectiveness of
examination processes by not allowing regulators to assess the extent
of BSA activities prior to examinations, and the resulting requests for
information strain resources at FinCEN and other regulators.
We are making four recommendations to improve coordination of BSA
activities among the federal financial regulators and FinCEN. To better
leverage limited examination resources and enhance compliance with a
large population of MSBs, we recommend that IRS develop a process for
coordinating MSB examination schedules with state agencies. To build on
the progress made by FinCEN and federal agencies in coordinating
BSA/AML examination processes and to promote consistency in the application
of BSA, we recommend that FinCEN and the federal agencies consider
developing a mechanism to share and discuss BSA/AML examination
procedures and general trends regularly in a nonpublic setting.
Further, to improve its efforts to administer BSA, we recommend that
FinCEN work with IRS and develop a process that facilitates
communication on IRS referrals, and finalize and implement data-access
MOUs with several SROs conducting BSA/AML examinations and state
agencies that have no direct electronic access to BSA data. IRS agreed
with our recommendations and said actions to coordinate examination
schedules with state agencies already were underway. In their written
responses, all of the agencies agreed with our recommendation that they
consider developing a mechanism to conduct regular, nonpublic
discussions of BSA examination procedures and trends. In written
comments, the FinCEN director concurred with the intent of our
recommendations and said he hoped to be situated in the future to meet
them.
Background:
The federal government's framework for preventing, detecting, and
prosecuting money laundering has expanded over the course of more than
30 years. With the passage of the Bank Secrecy Act in 1970, for the
first time financial institutions were required to maintain records and
reports determined to be useful to financial regulators and law
enforcement agencies in criminal, tax, and regulatory matters. BSA has
three main objectives: create an investigative audit trail through
regulatory reporting standards; impose civil and criminal penalties for
noncompliance; and improve the detection of criminal, tax, and
regulatory violations.
The reporting system first implemented under BSA was insufficient to
combat underlying money laundering activity. For example, before 1986,
BSA did not contain sanctions for money laundering, although it did
contain sanctions for failing to file reports or for doing so
untruthfully. To strengthen federal AML initiatives, Congress enacted
the Money Laundering Control Act of 1986.[Footnote 8] In addition to
imposing criminal liability for money laundering violations, the act
directed each federal banking regulator to require that insured
depository institutions establish and maintain a program that would
ensure and monitor compliance with the record-keeping and reporting
requirements of BSA.[Footnote 9]
The Annunzio-Wylie Anti-Money Laundering Act of 1992 amended BSA and
authorized Treasury to require financial institutions to report any
suspicious transaction relevant to a possible violation of a law or
regulation.[Footnote 10] It authorized Treasury to require financial
institutions to carry out AML programs and, together with the Federal
Reserve, to promulgate record-keeping rules relating to funds transfer
transactions. The act also made it a crime to operate an unlicensed
money-transmitting business that is illegal under state law.
In 1994, the Secretary of the Treasury delegated overall authority for
enforcement of, and compliance with, BSA and its implementing
regulations to the Director of FinCEN. FinCEN was established within
Treasury in 1990 initially to support law enforcement by providing a
government-wide financial intelligence and analysis network, and became
a bureau in 2001. Among its current responsibilities, FinCEN issues
regulations; collects, analyzes, and maintains BSA-related reports and
information filed by financial institutions; makes those reports
available to law enforcement and regulators; and tries to ensure
financial institution compliance through enforcement actions. According
to its strategic plan, FinCEN seeks to ensure the effectiveness of the
BSA regulatory framework and facilitate interagency collaboration.
FinCEN's RPPD is responsible for BSA regulatory, compliance, and
enforcement functions. In August 2004, FinCEN created an Office of
Compliance in RPPD to oversee and work with the federal financial
regulators on BSA examination and compliance matters.
The most recent expansion of BSA legislation occurred in October 2001
with enactment of the USA PATRIOT Act. Among other things, the act
required an entity defined in BSA as a "financial institution" to have
an AML program. Each program must incorporate: (1) written AML
compliance internal policies, procedures, and internal controls; (2) an
independent review; (3) a designated compliance person to coordinate
and monitor day-to-day compliance; and (4) training for appropriate
personnel. Entities not previously required under BSA to have such a
program, such as mutual funds, broker-dealers, MSBs, certain futures
brokers, and insurance companies, were required to do so under this
act.[Footnote 11] Moreover, the act mandated that Treasury issue
regulations requiring registered securities broker-dealers to file
SARs and provided Treasury with authority to prescribe regulations
requiring certain futures firms to submit SARs. Among its other
provisions, the act required that Treasury issue regulations setting
forth minimum standards for financial institutions regarding verifying
the identity of customers who open accounts. The USA PATRIOT Act also
required that financial institutions establish due diligence and, in
some cases, enhanced due diligence policies designed to detect and
report instances of money laundering through private banking and
correspondent accounts of non-United States persons; conduct enhanced
scrutiny of private banking accounts maintained by or on behalf of
foreign political figures or their families; and share information
relating to money laundering and terrorism with law enforcement
authorities, regulatory authorities, and financial institutions. In
addition, nonfinancial institutions also became subject to BSA currency
transaction reporting (CTR) requirements where, in the course of trade
or business, the business receives more than $10,000 in coins or
currency in one transaction (or two or more related transactions).
[Footnote 12]
FinCEN Administers the BSA Framework, under which Many Regulatory
Entities Exercise Delegated and Independent Compliance and Enforcement
Authorities:
The objectives of U.S. financial services regulation are pursued by a
complex combination of federal and state government agencies and SROs.
Generally, regulators specialize in the oversight of financial
institutions in the various financial services sectors, which stem
largely from the laws that established these agencies and defined their
missions. Under the BSA regulatory scheme, FinCEN is responsible for
the overall administration and enforcement of BSA and may take
enforcement actions, but federal and state regulators and SROs conduct
day-to-day compliance and enforcement activities. Specifically, with
respect to examinations for BSA compliance, FinCEN delegated its BSA
examination authority to the federal banking regulators, SEC, CFTC, and
IRS.[Footnote 13] The federal banking regulators, SEC, and CFTC also
use their independent authorities to examine entities under their
supervision for compliance with applicable BSA/AML requirements and
regulations.[Footnote 14] FinCEN has retained enforcement authority and
may impose civil penalties for violations.[Footnote 15] In addition,
each of the federal bank regulators also may impose civil money
penalties for significant BSA violations, and has specific authority
to initiate cease and desist proceedings against the entities it
supervises for BSA/AML violations.[Footnote 16] SEC, CFTC, and their
SROs also have authority to enforce their rules requiring BSA/AML
compliance; and IRS has very limited enforcement authority delegated by
FinCEN.[Footnote 17] Justice prosecutes criminal violations of BSA, and
several federal law enforcement agencies can conduct BSA-related
criminal investigations.
FinCEN Administers the BSA and Has Delegated Examination Authority but
Retained Enforcement Authority:
As noted previously, in 1994, the Secretary of the Treasury delegated
overall authority for compliance and enforcement of BSA and its
implementing regulations to the Director of FinCEN. Over the years, as
more financial activities and types of institutions became involved in
the BSA, Treasury delegated BSA examination authority to the federal
banking regulators; and to SEC, CFTC, and their SROs. Figure 1 shows
the federal agencies and SROs involved in examining for compliance with
BSA.
Figure 1: Overview of Federal Agencies and SROs in the BSA/AML
Framework:
[Refer to PDF for image: illustration]
Treasury Executive Office for Asset Forfeiture (U.S. Treasury Agency):
Office of Foreign Assets Control (U.S. Treasury Agency):
Office of Intelligence and Analysis (U.S. Treasury Agency):
Assistant Secretary Terrorist Financing (U.S. Treasury Agency):
- Office of Terrorist Financing and Financial Crimes (U.S. Treasury
Agency):
Financial Crimes Enforcement Network:
(Federal functional regulators or BSA examining agency):
* Internal Revenue Service (U.S. Treasury Agency):
- Small Business/Self-Employed;
- Criminal Investigation;
* Office of Thrift Supervision (U.S. Treasury Agency);
* Office of the Comptroller of the Currency (U.S. Treasury Agency);
External regulators/Examining agencies and SROs (Non-Treasury agencies
and SROs):
* Commodity Futures Trading Commission;
- Other SROs:
- National Futures Association;
- Chicago Mercantile Exchange;
- New York Mercantile Exchange;
* National Credit Union Administration;
* Federal Deposit Insurance Corporation;
* Federal Reserve System;
* Securities and Exchange Commission:
- Other SROs;
- Financial Industry Regulatory Authority.
Sources: GAO; Treasury Inspector General.
Note: During the course of our work, in August 2008 the New York
Mercantile Exchange merged with the Chicago Mercantile Group, which
itself was formed in July 2007 through the merger of the Chicago
Mercantile Exchange and the Chicago Board of Trade. We refer to these
exchanges separately in this report as each retained its separate DSRO
functions.
[End of figure]
Table 1 summarizes the types and numbers of institutions the federal
agencies examine for BSA/AML compliance, and which agency or SRO
conducts these examinations.
Table 1: Overview of Federal Agencies with BSA/AML Compliance
Responsibilities:
Federal agencies with BSA/AML compliance responsibilities:
Type of institution under supervision:
Federal banking regulators (Federal Reserve, FDIC, OCC, OTS, and NCUA):
Insured depository institutions;
SEC: Broker-dealers, Mutual funds;
CFTC: Futures firms (futures commission merchants and introducing
brokers);
IRS: MSBs, casinos, and other financial institutions not under the
supervision of a federal financial regulator.
Number of institutions under supervision for BSA/AML compliance:
Federal banking regulators (Federal Reserve, FDIC, OCC, OTS, and NCUA):
16,664 depository institutions (as of 9/30/08);
SEC: Approximately 5,550 broker-dealers, 683 mutual funds (representing
8,752 registered funds) (as of 9/30/08);
CFTC: 154 futures commission merchants and 1,645 introducing brokers;
IRS: More than 200,000 identified MSBs[A].
Which entity conducts examinations:
Federal banking regulators (Federal Reserve, FDIC, OCC, OTS, and NCUA):
* FDIC, Federal Reserve, OTS examiners examine supervised entities and
may alternate with examiners from state agencies or conduct joint
examinations.
* NCUA examiners examine all federally chartered credit unions. State
supervisory authorities conduct BSA examinations at all state-chartered
credit unions. NCUA may conduct joint examinations with states,
depending on institution risk level.
* OCC examiners examine national banks;
SEC: SEC examiners examine mutual funds and broker-dealers, and SROs
examine most broker-dealers (with SEC oversight);
CFTC: SROs conduct all examinations (with CFTC oversight);
IRS: IRS examiners – examinations mainly focus on MSBs and casinos.
Source: GAO analysis of regulator documentation and data.
[A] In this report we focused on IRS's MSB-related BSA/AML activities,
because IRS dedicated the vast majority of its BSA/AML examination
resources on MSBs and because other nonbank financial institutions,
such as insurance companies and dealers in precious metals and jewels,
are new to IRS's examination program. IRS currently has not identified
the universe of other nonbank financial institutions, such as dealers
of precious metals and jewels.
[End of table]
FinCEN retains BSA enforcement authority and may take enforcement
actions independently of, or concurrently with, other regulators.
FinCEN's Office of Enforcement conducts independent investigations of
BSA violations mostly based on referrals of BSA noncompliance from
financial regulators. FinCEN has information-sharing MOUs with the
federal banking regulators, SEC, CFTC (as of January 2009), IRS, and
some states under which these agencies provide FinCEN information on
significant BSA violations and deficiencies found during their
examinations. Less frequently, FinCEN conducts investigations based on
information from Justice and from its own in-house referrals identified
through analysis of BSA data. If a FinCEN investigation results in a
decision to take an enforcement action, FinCEN may issue a civil money
penalty, depending on the severity of the violation. FinCEN and the
financial regulators also try to coordinate enforcement actions. (We
discuss coordination of enforcement actions in more detail later in
this report.)
Many Federal and State Agencies, as well as SROs, Have Independent
Compliance and Enforcement Authorities That Encompass BSA/AML
Requirements:
Independent of Treasury-delegated authorities, the federal banking
regulators have general authorities under the federal banking laws to
conduct compliance examinations and take enforcement actions against
institutions for violations of any applicable law, including BSA. The
Federal Deposit Insurance Act specifically provides that the Federal
Reserve, FDIC, OCC, and OTS are to prescribe regulations requiring the
institutions they supervise to maintain procedures for compliance with
BSA requirements and to conduct examinations of those institutions for
compliance with reporting and AML provisions of BSA.[Footnote 18] The
Federal Credit Union Act contains the same requirement for
NCUA.[Footnote 19] Federal banking regulators examine whether
depository institutions under their supervision are in compliance with
BSA/AML requirements concurrently with their examinations for the
entities' overall safety and soundness.
Depository institutions can generally determine their regulators by
choosing a particular kind of charter--for example, commercial bank,
thrift, or credit union--which may be obtained at the state level or
the national level.[Footnote 20] While state regulators charter
institutions and participate in oversight of those institutions, all of
these institutions have a primary federal regulator if they have
federal deposit insurance. The Federal Reserve, FDIC, OTS, and NCUA
alternate or conduct joint safety and soundness examinations--including
a BSA/AML component--with state regulators, generally using the same
examination procedures (shown earlier in table 1). As recently as 2004,
about one-third of state banking departments reported not examining for
BSA compliance; however, they have taken a more active role in
conducting these reviews more recently.[Footnote 21] FinCEN currently
has information-sharing MOUs with 46 state agencies that conduct AML
examinations.
As with examinations, the Federal Reserve, FDIC, OCC, and OTS have
authority under the Federal Deposit Insurance Act to take enforcement
actions against institutions they supervise and related individuals
when they determine that an institution or related individual has
violated an applicable law or regulation. These agencies also have
specific authority to initiate cease-and-desist proceedings for failure
to establish and maintain BSA compliance procedures. NCUA also can take
enforcement actions under its legislative authorities. Furthermore,
state agencies have authority to take enforcement actions against
institutions chartered within their state that are in violation of
banking legislation.
SEC and CFTC are regulatory agencies with missions that focus on
protecting investors, preventing fraud and manipulation, and promoting
fair, orderly markets, but the regulatory frameworks for the securities
and futures industries are structured differently than those for
depository institutions. Consistent with this framework, SEC and CFTC
regulate their industries in part through oversight of SROs. SEC and
CFTC have authority under the Securities Exchange Act and the Commodity
Exchange Act, respectively, to inspect the books and records of firms
that they supervise. SEC, CFTC, and their SROs have adopted rules for
compliance with BSA/AML requirements.[Footnote 22]
More specifically, SEC's Office of Compliance Inspections and
Examinations (OCIE) shares BSA examination responsibilities with
securities SROs, which have statutory responsibilities to regulate
their own members. The Financial Industry Regulatory Authority (FINRA)
provides oversight of the majority of broker-dealers in the securities
industry.[Footnote 23] Other securities self-regulatory organizations
include the Chicago Board Options Exchange and Philadelphia Stock
Exchange.[Footnote 24] OCIE and the SROs both conduct BSA/AML
examinations for broker-dealers, but only OCIE conducts routine
examinations of registered investment advisors and their affiliated
mutual funds for BSA compliance as they are not members of an SRO.
CFTC officials said that CFTC does not routinely conduct direct
examinations of the firms it supervises; instead, CFTC oversees the
examinations conducted by its SROs--the National Futures Association
(NFA), which conducts most of the audits, the Chicago Mercantile
Exchange, the New York Mercantile Exchange, the Chicago Board of Trade,
and the Kansas City Board of Trade. The SROs monitor for compliance
with BSA/AML and with their own rules, which include BSA/AML
obligations.
SEC and CFTC ultimately are responsible for enforcing compliance with
their rules and regulations and can institute enforcement actions
against firms within their jurisdiction that appear to be in violation
of those agencies' BSA-related rules. However, because the SROs
overseen by SEC and CFTC have rules requiring compliance with
applicable laws and regulations, they typically have front-line
responsibility for instituting BSA-related enforcement actions and
generally inform SEC and CFTC of such actions. The securities and
futures SROs have authority to enforce each of their respective
BSA/AML-based rules against their members--generally, broker-dealers and
futures firms. They take their own enforcement actions against their
members which may include suspending, expelling, fining, or otherwise
sanctioning member firms (and their associated persons).
While IRS performs a regulatory function with regard to nonbank
financial institutions (NBFI), IRS generally is not considered a
"regulator"; it is a bureau within Treasury whose mission is to assist
taxpayers in understanding and meeting their tax responsibilities.
Unlike the other federal agencies with regulatory functions, IRS does
not have independent authority to conduct BSA examinations.[Footnote
25] Rather, under delegation of examination authority from FinCEN, IRS
examines any financial institution not subject to BSA examination by
the federal financial regulators.[Footnote 26] Thus, institutions that
IRS examines include MSBs; casinos and card clubs; dealers of precious
metals, stones, and jewels; and certain insurance companies. IRS's
Small Business/Self-Employed Division, which reports directly to the
Deputy Commissioner for Services and Enforcement, conducts BSA
compliance examinations of these types of NBFIs. In 2004, IRS created
the Office of BSA/Fraud within the division to focus on BSA
examinations of NBFIs. As some NBFIs are state-chartered institutions,
such as MSBs, IRS also has information-sharing MOUs with many state
agencies to facilitate cooperation on examinations.
FinCEN did not delegate to IRS authority to enforce BSA requirements,
except for foreign accounts, and IRS does not have independent
authority to enforce BSA requirements.[Footnote 27] IRS can issue a
letter of noncompliance and make suggestions for corrective action to
institutions it examines for BSA compliance. If significant BSA
violations or deficiencies were found or if an institution refused to
take corrective action, IRS would refer the case to FinCEN to determine
what type, if any, of enforcement action might be appropriate. IRS
examiners also may refer cases to their Criminal Investigation unit, if
the examiners believe that a willful criminal violation may be
involved. IRS Criminal Investigation, IRS's enforcement arm,
investigates individuals and businesses suspected of criminal
violations of the Internal Revenue Code, money laundering and currency
crime, and some BSA requirements. IRS Criminal Investigation
investigates BSA criminal violations in conjunction with other tax
violations.
Justice Prosecutes Criminal BSA Violations, and Multiple Federal Law
Enforcement Agencies Can Conduct Criminal Investigations That Are
BSA-related:
While Justice prosecutes criminal violations of the BSA, several
federal law enforcement agencies in Justice and the Department of
Homeland Security can be involved in the detection and investigation of
criminal BSA activity. More specifically, Justice investigates
individuals and financial institutions that repeatedly and systemically
do not comply with BSA regulations or are involved in criminal money
laundering offenses and prosecutes those charged. Referrals to Justice
from financial regulators of suspected cases of criminal BSA/AML
violations also may trigger a Justice investigation. In addition to
prosecutions, Justice has resolved criminal investigations through
deferred or nonprosecution agreements and guilty plea agreements, which
have included fines, forfeitures, remedial actions, and timelines for
implementation.
Within the Department of Homeland Security, the Secret Service,
Immigration and Customs Enforcement, and Customs and Border Protection
all use BSA data in their investigations. According to Justice
officials, most criminal BSA cases against financial institutions start
as investigations of individuals involved in illegal activities, such
as drug trafficking or money laundering.
While Agencies Have Enhanced BSA Compliance Programs, Opportunities
Exist to Improve Interagency and State Examination Coordination:
Financial regulators have incorporated their BSA/AML responsibilities
into their supervisory approaches to compliance and enforcement, but
opportunities exist for improved coordination. Federal banking
regulators and industry representatives report that their interagency
public BSA examination manual increased collaboration on bank
examinations. SEC and CFTC have formalized their BSA/AML examination
procedures in nonpublic BSA examination modules and coordinate with
their SROs on examination issues. IRS developed an MSB examination
manual and an overall strategy for NBFI identification and examination
with FinCEN, but has not fully coordinated its MSB examination
schedules with states, missing opportunities to leverage limited
resources. Further, across financial industries, agencies have not
established a formal mechanism through which they could discuss
compliance processes and trends without industry present. The
regulators with enforcement authority issued BSA-related enforcement
actions in 2008, and the federal banking regulators improved
coordination of their enforcement actions. Officials from the federal
banking regulators reported improved transparency and consistency of
enforcement actions, due in part to new interagency guidance.
Federal Agencies Have Formalized and Cited Improvements to Examination
Procedures and Guidance; However, Opportunities Exist for Increased
Coordination:
In 2005, the federal banking regulators, in collaboration with FinCEN,
combined their BSA guidance with examination procedures and made both
publicly available in one manual. Since 1986, the federal banking
regulators have been required to ensure that institutions under their
supervision have AML programs. SEC and CFTC and their SROs use a
different approach in regulating their industries--they keep their
examination modules nonpublic, but provide public guidance to industry
through various methods. With respect to BSA, these agencies and SROs
also have coordinated and formalized their examination procedures since
the 2001 USA PATRIOT Act required institutions under their supervision
to have AML programs. IRS developed an examination manual with FinCEN
for MSBs, but does not fully coordinate its examination schedules with
state examiners. The financial regulators do not have a nonpublic forum
for regularly discussing BSA examination procedures and findings across
sectors.
Federal Banking Regulators' Manual and BSA/AML-related Training Have
Improved Collaboration and Transparency:
Through the development of an interagency BSA/AML examination manual,
guidance, and inter- and intra-agency training, the banking regulators
have increased collaboration on BSA examinations and the transparency
of the examination process. In 2005, the federal banking regulators, in
collaboration with FinCEN, published the Federal Financial Institutions
Examination Council (FFIEC) BSA/AML Examination Manual, which was
updated in 2006 and 2007. The manual provides an overview of BSA
compliance program requirements and guidance on identifying and
controlling money laundering and other illegal financial activities;
presents risk management expectations and sound practices for industry;
and identifies examination procedures. All federal and state banking
regulators use this manual when conducting BSA/AML examinations,
whether they are joint or independent examinations. As mentioned
previously, the Federal Reserve, FDIC, and OTS will conduct (on an
alternating basis) independent or joint examinations with state
agencies. NCUA conducts examinations at all federally chartered credit
unions, while state supervisory authorities conduct BSA examinations at
all state-chartered credit unions. Depending upon the risks, NCUA may
conduct joint examinations with the state authorities at the
state-chartered credit unions. OCC supervises nationally chartered banks and
federal branches of foreign banks and therefore does not share
jurisdiction with state banking regulators. Both federal and state
examiners said that the manual helped increase the consistency of
examinations among the regulators.
Federal banking regulators also generally share BSA/AML examination
workpapers and findings with their state counterparts in cases where
they share regulatory jurisdiction over an institution. For example,
NCUA officials said that their findings are shared with states to
coordinate their reports on joint examinations. State officials we
interviewed concurred, stating that they share workpapers in cases
where they have federal regulatory counterparts. Several industry
officials we interviewed also thought that the federal banking
regulators collaborated well with other federal banking regulators on
their examinations.
The new examination manual also has improved the consistency and
transparency of examinations by providing a framework for examinations,
requiring risk assessments and transaction testing, and providing
publicly available examination procedures for banks. For example, the
manual lists requirements for examination scoping and transaction
testing. Officials from one state regulator said the manual has helped
answer questions for institutions and regulators, and helped
institutions structure their AML programs. All of the federal banking
regulators and most of the state banking regulators and banking
associations we interviewed consider the process of gathering data for
banks and the risk-assessment component of the manual beneficial. As
one regulator said, the manual helps an examiner understand an
institution's products and services and the steps the institution took
to mitigate risks. Most industry officials we interviewed thought the
manual provided more consistency to and clearer guidance about the
examination process.
While regulators and industry officials said that the manual has been
beneficial overall, some banking regulator and industry association
officials said that initially it sometimes resulted in longer
examinations or additional procedures. Federal Reserve examiners noted
that it is important for examiners to apply the risk-based approach,
using the minimum procedures where appropriate, and to utilize work
previously done by a bank's independent audit, where possible.
Similarly, NCUA examiners added that initially the manual resulted in
some expanded examinations. However, by using the risk-based approach
they are able to focus their resources on the highest areas of risk.
Federal Reserve officials added that as examiners have become more
familiar with the manual since its adoption, the amount of background
reading that examiners need to do in preparing for a BSA/AML
examination has decreased. Some officials from the institutions we
interviewed were less concerned with the length of the examinations
than with some examiners interpreting the manual's requirements too
literally or having expectations beyond those expressed in the manual.
For example, an official from one large bank said that when the manual
was first implemented, regulators were examining "very close to the
manual" and interpreted it literally instead of conducting their
examinations based on risk. In another case, an official from one small
bank that files very few SARs noted that in recent examinations,
examiners unnecessarily focused on the bank's record keeping and
whether SAR reports were filed on time.
FFIEC serves as the mechanism for the banking regulators to develop
interagency BSA/AML guidance for examiners and the industry. FFIEC is
also the forum in which banking regulators and FinCEN discuss and draft
manual revisions. In addition to its role in developing the manual, the
FFIEC BSA/AML Working Group is an interagency group through which the
banking regulators develop joint examiner training, such as the AML
Workshop and Advanced BSA/AML Specialists Conference. FinCEN officials
said that FinCEN specialists also teach at these workshops. Both
federal and state banking examiners participate in FFIEC AML workshops
and other training sessions offered through their agencies or vendors.
In interagency working groups, participants share their knowledge of
and experiences with BSA, which federal banking regulator officials
have said helped them work toward achieving consistency in their
examination processes. Federal banking regulators also train examiners
within their own agencies on the new manual.
As a check on their examination programs, including their BSA/AML
examination programs, the federal banking regulators conduct quality
assurance reviews. The regulators' quality assurance reviews that we
examined, which were conducted from 2005 through 2008, indicated that
banking examiners were implementing BSA/AML compliance appropriately,
with some minor exceptions. For example, reviews from one regulator
noted that examiner staff were well trained, devoted significant
attention to BSA/AML issues, and generally had well-organized
workpapers. Reviews from a second regulator found that examiners
complied with BSA/AML guidance, quality control processes were
satisfactory, processes for determining enforcement actions and making
referrals to FinCEN were sufficient, SAR reviews were timely, and
communication between the regulator's headquarters and regions was
strong. Another regulator concluded that its examiners demonstrated
strong compliance with all issued national and regional guidance for
BSA examinations, and found adequate internal controls, no material
weaknesses in workpapers, and adequate supervisory and examination
resources for evaluating BSA compliance. While reviews generally were
positive, they also noted some weaknesses. One regulator recommended
that a regional office develop a process for a quality assurance group
to periodically review workpapers on a risk-focused basis because of
the complexity of the FFIEC BSA/AML examination procedures and also
expressed concern about turnover of qualified staff. A second regulator
noted a lack of both independent testing and identification of
high-risk accounts in one region, and inappropriate recording of a BSA
violation in a second region. A third regulator found instances where
reported BSA violations were not forwarded to the agency's
headquarters.
SEC, CFTC, and Their SROs Coordinated within Their Industries to
Formalize Examination Procedures and Also Cited Examination
Coordination across Industries:
SEC, CFTC, and their SROs share responsibility for oversight of the
securities and futures industries, and have worked together to
incorporate new BSA/AML requirements into their compliance programs.
These agencies take a different approach than the federal banking
regulators--they have separate, nonpublic procedures for their
examiners and provide public guidance to industry.
In 2006, SEC and what is now FINRA prepared a nonpublic examination
module for broker-dealers in an effort to promote consistency in
BSA/AML examinations. SEC staff said that the SEC-FINRA module generally
formalized procedures and processes that SEC and its SROs already had
in place.[Footnote 28] SEC staff added that their agency has procedures
in place for granting access to nonpublic information in response to
requests by other regulators. Furthermore, SEC provided all SRO
broker-dealer examination modules and procedures to FinCEN for its review and
input under their MOU. SEC also has a separate, nonpublic examination
module for mutual funds, which it, rather than the SROs, examines.
[Footnote 29] SEC staff explained that BSA/AML examinations of mutual
funds are more complex than examinations of broker-dealers because
mutual funds do not have their own employees and are managed by
investment advisors. Registered investment advisors are rated according
to the risk they manage, and those with a higher risk profile are
examined more frequently. SEC annually completes approximately 100
mutual fund examinations covering BSA issues.
Working through the Joint Audit Committee, the futures SROs developed a
common, nonpublic BSA/AML examination module, which the futures SROs
(except NFA) use in their BSA/AML examinations.[Footnote 30] The Joint
Audit Committee updates the BSA module annually and submits the module
to CFTC. Unlike SEC, CFTC had not provided the examination modules to
FinCEN for its review because the agencies did not have an
information-sharing MOU in place until January 2009. (We discuss MOUs in more
detail later in this report.) However, CFTC and FinCEN officials
informally have discussed procedures the futures SROs use during their
BSA/AML examinations.
In lieu of making examination modules public, SEC, CFTC, and their SROs
offer public BSA guidance and education through various methods and
venues, including the Internet and industry conferences. For example,
SEC developed BSA "source tools" for broker-dealers and mutual funds,
which compile key laws, rules, and guidance and provide regulatory
contact information. The tools are available on SEC's Web site.
Securities SROs also provide training and update members on BSA/AML
rules and guidance. In addition, FINRA has developed an AML program
template for small firms on its Web site that provides possible
language for procedures, instructions, and relevant rules and Web
sites, among other information. Similarly, CFTC provides information on
BSA/AML requirements on its Web site and participates in industry
conference panels and outreach efforts with other regulators (in
particular foreign regulators). In addition, futures SROs also may
provide training, send members updates on new BSA/AML rules and
guidance, and participate in industry conference panels to help educate
institutions on BSA/AML. For example, NFA provides Web-based training
and an AML questionnaire for futures commission merchants and
introducing brokers. Overall, industry representatives have been
complimentary about the information and education provided by SEC,
CFTC, and their SROs; however, they still expressed a desire to have
BSA/AML examination modules made public.
SEC, CFTC, and their SROs also have coordinated on multiple-regulator
and cross-industry examination issues because many institutions can be
registered with more than one SRO or join more than one exchange. For
example, broker-dealers can be members of more than one securities SRO.
FINRA (which conducts almost 90 percent of broker-dealer examinations)
meets with other securities SROs to coordinate examination schedules
and ensure that all broker-dealers are covered by examinations. FINRA
also has several regulatory agreements to conduct work on behalf of
other SROs. In the futures industry, futures commission merchants must
be members of NFA and may be clearing members of more than one contract
market. Therefore, the Joint Audit Committee assigns an SRO to be the
lead regulator, responsible for conducting examinations for each firm
with multiple memberships. Examination reports and findings are shared
among futures industry SROs where the firm is a member.
Some of the largest SEC-registered broker-dealers also may be
registered as futures commission merchants or introducing brokers on
futures exchanges. In these instances, FINRA and futures SROs may
coordinate informally on BSA/AML examinations of any futures firms that
are registered dually as securities broker-dealers. As part of FINRA's
information-sharing agreement with NFA, the two SROs meet at least
quarterly to share examination results and schedules. Other futures
industry SROs obtain FINRA examination results on an as-needed basis.
Futures SRO officials said that (1) if FINRA examined an institution's
AML program in the last 6 months and reported no major findings and (2)
the institution used the same BSA officer and procedures for its
securities and futures business, then SRO officials might refrain from
conducting the full range of their examination activities. Finally,
SEC, CFTC, and the securities and futures SROs participate in
Intermarket Surveillance Group meetings.[Footnote 31]
In addition to working together to help promote consistency in
examinations, securities and futures regulators also have programs and
procedures--similar to the quality assurance reviews of the federal
banking regulators--to review examinations or specific issues. For
instance, SEC staff told us that liaisons to each of SEC's regional
offices conduct a quarterly review of a representative sample of
examinations reports that include AML findings. They added that SEC
reviews the examination reports to ensure that AML findings are
sufficiently supported and conclusions are valid. SEC staff conducts
periodic inspections of FINRA's overall BSA/AML examination program.
The purpose of these inspections is to identify any systemic
deficiencies or trends in FINRA's BSA/AML program. SEC and FINRA staff
said that during previous inspections SEC identified a few
BSA/AML-related deficiencies in specific FINRA examinations. FINRA
officials stated that while SEC found isolated weaknesses in some
examinations, these findings did not indicate any significant trends.
FINRA officials stated they use findings from SEC's reviews to identify
areas for additional training. Similar to SEC, CFTC conducts reviews of
SROs' examinations, in which CFTC staff review SRO examinations to
ensure they are appropriately examining for compliance with futures
laws, including BSA. CFTC officials told us that these reviews have not
identified any problems with BSA/AML examination programs of the
futures SROs.
Although SEC, CFTC, and SRO officials cited coordination on BSA issues,
industry officials at large financial companies with whom we spoke had
mixed opinions on coordination among the securities and futures
regulators. For example, one industry representative said that futures
SROs and FINRA coordinated well and shared examination information. The
representative also stated that the futures SRO would not conduct its
own examination if its review of FINRA's examination workpapers showed
the FINRA work to be sufficient. However, another industry
representative indicated that they had never seen FINRA and their
futures SRO coordinate on BSA/AML examinations.
IRS Has Improved Its BSA Compliance Efforts; However, It Does Not Fully
Coordinate Examination Schedules with States:
Since our 2006 report, IRS has made improvements in its BSA/AML
compliance program by revising guidance, identifying additional NBFIs,
and coordinating with FinCEN and the states; however, IRS and state
agencies have missed opportunities to better leverage examination
resources by not coordinating their examination schedules. In response
to a December 2006 GAO recommendation, IRS updated its Internal Revenue
Manual to reflect changes in its BSA/AML program policies and
procedures and distributed the revisions to IRS staff.[Footnote 32]
In our 2006 report, we also said that IRS had identified only a portion
of the NBFI population. In 2005, IRS's database contained approximately
107,000 potential NBFIs; however, during the same year FinCEN estimated
that there could be as many as 200,000 MSBs, the largest group of NBFIs
subject to BSA requirements. Through subsequent coordination with
FinCEN and state regulators and internal identification efforts, IRS
significantly increased the number of identified MSBs. For example, at
least three or four times a year, FinCEN sends IRS lists of anywhere
from 100 to 300 potentially unregistered MSBs, which FinCEN identified
by reviewing SARs from depository institutions that mention
unregistered MSBs. Similarly, states that signed an MOU with IRS must
provide IRS lists of state-licensed and registered MSBs on a quarterly
basis. IRS officials said that the agency found about 20 percent of the
new MSB locations as a result of information provided by FinCEN and
the states, but that most of the newly identified MSBs were
added due to internal identification efforts. According to IRS
officials, in June 2008 the database contained more than 200,000 unique
locations of MSBs.
In our 2006 report, we recommended that FinCEN and IRS develop a
documented and coordinated strategy that outlined priorities, time
frames, and resource needs for better identifying and selecting NBFIs
for examination. In response, IRS and FinCEN developed such a strategy.
[Footnote 33] Furthermore, IRS, in concert with FinCEN and state
regulators, has developed a BSA/AML examination manual for MSBs that
was released in December 2008. The manual contains an overview of AML
program requirements, discusses risks and risk-management expectations
and sound practices for industry, and details examination procedures.
The manual's main goals are to enhance consistency across BSA
examiners, promote efficient use of examination resources, and provide
guidance to examiners and MSBs about the BSA examination process.
In July and August 2008, IRS and two state regulators tested the
feasibility of conducting joint examinations using the new MSB
examination manual. Many factors complicate joint examinations--
including varying state licensing requirements, coordination of
examiner resources, the difficulties of sharing confidential
information, and differing examination scope and focus. For instance,
one state may require licensing of only money transmitters, while
another state also might require check cashiers and currency exchangers
to obtain a license. Nonetheless, some state regulators with whom we
spoke expressed a desire to conduct joint or alternating examinations
with IRS to better leverage state resources. One state regulator said
that joint examinations would allow states to issue enforcement actions
pursuant to their own state authority against institutions with AML
violations since IRS lacks enforcement authority. According to the
Money Transmitter Regulators Association, state financial regulators
already conduct joint examinations with other states to leverage
examination resources and expertise.[Footnote 34] IRS officials said
they will review and incorporate examiner comments from the joint
examination pilot and work with the Conference of State Banking
Supervisors to develop formal guidance for IRS and state examiners.
Additionally, IRS has increased the number of its information-sharing
MOUs with state financial regulators from 34 in 2005 to 43 as of
October 2008. Under the MOU, the state regulators are typically
required to provide lists of state-licensed and chartered MSBs,
examination reports, information concerning BSA noncompliance, and
examination schedules on a quarterly basis to IRS. Also on a quarterly
basis, IRS agreed to provide copies of all Letter 1112 (letters of
noncompliance sent to institutions with BSA violations), copies of all
Letter 1052 (notifications to new institutions of relevant BSA
regulations), lists of MSBs in the state, and examination schedules to
state financial regulators. According to the MOU, IRS officials and
state regulators will meet periodically to review the implementation of
the MOU. Following one state financial regulator's comment on the
usefulness of the information provided in the Letter 1112, IRS
officials revised the form letter to include information on the type of
institution examined and the activities conducted by that institution.
According to IRS officials, many state agencies are not living up to
their responsibilities as stated in the MOU. IRS data show that 28 of
43 state agencies that signed an information-sharing MOU have not
provided IRS with MSB information and only 4 of 43 have provided
examination schedules. In addition, state financial regulators that
send MSB data to IRS do so using different formats, limiting the
usefulness of the data for IRS. IRS is working with states to develop a
standardized format for all state information, making it easier to
provide the information to IRS and for IRS to integrate the information
into its database.
While IRS provides MSB information to state regulators, it has not
shared its examination schedules with states, contrary to what it
agreed to do as part of their MOUs. IRS officials said they provide
state regulators with their annual workplans, which include the total
number of NBFIs to be examined but not the names of the institutions to
be examined. Therefore, the state financial regulators cannot plan
their examinations to avoid potential overlap or coordinate joint
examinations. One state agency noted that it had conducted examinations
of MSBs, only to find out later that IRS had conducted its examinations
not long before. Several state agencies said that greater coordination
and sharing of examination schedules would help reduce redundancy in
examination resources. Best practices in interagency coordination
suggest agencies should assess their relative strengths and
limitations, identify their mutual needs, and look for opportunities to
leverage each other's resources--thus obtaining additional benefits
that would not be available if they were to work separately.
[Footnote 35] IRS officials said state regulators would not derive much benefit
from IRS providing examination schedules on a quarterly basis because
new case files on institutions are sent to field managers often,
sometimes weekly, and field managers and examiners have flexibility and
discretion to determine their examination schedules. In addition, some
institutions on IRS examination lists may not appear on a state
regulator's list because of varying state licensing and examination
requirements of MSBs. However, by not implementing coordination of
examination schedules with states, IRS may have missed opportunities to
leverage resources, reduce regulatory duplication, maximize the number
of MSBs to be examined, and better ensure BSA compliance with MSBs.
Federal Agencies Do Not Hold Regular, Nonpublic Discussions about BSA
Examination Issues, which Could Inhibit Their Ability to Leverage
Resources:
While all federal agencies have made improvements in their BSA
compliance efforts, they have not established a formal mechanism
through which they collectively can discuss sensitive BSA examination
processes and findings in nonpublic meetings. All federal agencies and
some SROs participate in the Bank Secrecy Act Advisory Group (BSAAG)--
a public-private working group headed by FinCEN that meets twice a year
to discuss BSA administration. BSAAG also includes a number of
subcommittees on various BSA/AML issues.[Footnote 36] Representatives
from the SROs, industry, and law enforcement agencies are present at
these meetings and on some subcommittees. Some regulatory officials
have told us that the presence of industry representatives and the
number of participants in BSAAG inhibit more detailed discussion on
some issues. Further, sensitive information, such as examination
processes and findings, cannot be discussed due to the presence of
industry.
Some federal agency officials said they have held discussions with
regulators of other industries outside of BSAAG, but the discussions
generally were held on an informal basis and were not inclusive of all
federal agencies. Some banking regulators cited their public manual as
a reason for not meeting outside of BSAAG with regulators of other
industries. FDIC officials stated, outside of meetings with other
federal banking regulators, they had met with several state MSB
regulators to understand the MSB examination process and other state
roles relating to MSBs. One of the primary goals of these meetings was
to determine if they could share information about MSB examinations
with some state regulators. SEC staff said they informally have had
discussions on BSA/AML issues with federal bank regulators and CFTC.
SEC and Federal Reserve staff cited frequent, informal communications
between the agencies on BSA issues. Further, SEC and the Federal
Reserve signed an MOU in July 2008 under which they can share
information on common interests, which could include BSA violations.
Under the MOU, if SEC or the Federal Reserve became aware of a
significant violation occurring in an institution regulated by the
other agency, they would notify the other agency and provide additional
information if requested. CFTC officials said that outside of BSAAG,
they generally discuss examination procedures only with SEC and FINRA.
Similarly, IRS officials stated they have met with regulators on an ad
hoc basis when there have been overlapping issues. FINRA officials told
us that they had very useful meetings with the Federal Reserve on two
occasions (in April and December 2008) during which they discussed BSA
examination approaches and findings. These meetings will continue on a
biannual basis. In addition, SEC and FINRA staff said that in November
2008, SEC and FINRA staff met with OCC and Federal Reserve staff to
share general information about SEC and FINRA's BSA/AML examination
programs. While they did not discuss specific examination procedures,
FINRA officials said they would be willing to do so if it were useful.
Some industry officials expressed concern about examination overlap and
suggested that if regulators collectively could discuss these issues,
the collaboration could help decrease resources expended on responding
to duplicative information requests and increase the consistency of
examination processes. Many of the largest financial institutions are
part of a bank or financial holding company structure--companies that
could include broker-dealers and futures firms, as well as banks.
Therefore, some financial institutions have multiple regulators from
various institutions. Industry representatives said that large
financial institutions employ enterprise-wide, risk-based AML programs
that have many similar elements across business lines. As no single
regulator examines BSA/AML procedures for all of the institution's
functions, in some cases they must work with several regulators to
review the same or similar policies and procedures. In addition, some
officials also mentioned that regulators sometimes arrived at different
findings when looking at the same BSA processes. For example, one
official stated that regulators of different industries reviewed a
common AML procedure and arrived at different conclusions--one
regulator approved a policy and another requested a wording change.
According to our key practices for collaboration, agencies can enhance
coordination of common missions by leveraging resources and
establishing compatible procedures.[Footnote 37] To facilitate
collaboration, agencies need to address the compatibility of standards,
policies, and procedures--including examination guidance and its
implementation. However, because banking-regulator and MSB examination
guidance is public and SEC and CFTC guidance is nonpublic, the agencies
cannot address these and other sensitive regulatory issues in the
existing interagency forum, BSAAG. As a result, the regulators may not
be able to gain the benefits of collaboration--leveraging scarce
resources and building on the experiences and improvements of other
agencies. Furthermore, by not having a mechanism that could provide an
overview of examination efforts, regulators may be missing
opportunities to (1) discuss BSA/AML concerns from the viewpoint of all
financial industries being interconnected and (2) decrease the
regulatory burden, where possible, for the institutions under
examination by multiple regulators.
Regulators with Enforcement Authority Took BSA-Related Enforcement
Actions, and Federal Banking Regulators Reported Improved Coordination
of Enforcement Actions:
The BSA/AML examinations that federal banking regulators, SEC, CFTC,
and their SROs conducted resulted in the citation of violations and the
taking of informal (in the case of the federal banking regulators) and
formal enforcement actions. In our interviews, the federal banking
regulators discussed factors potentially influencing BSA compliance in
their industry and also reported improved interagency coordination on
enforcement actions due, in part, to the issuance of new guidance. SEC
and CFTC are kept apprised of enforcement actions that their SROs take
through meetings and information-tracking efforts. In contrast, because
it does not have the enforcement authority, IRS refers the BSA
violations it finds to FinCEN, which takes an enforcement action, if
appropriate. Justice pursues cases when it believes BSA noncompliance
is criminal.
Federal Banking Regulators Have Taken Informal and Formal Enforcement
Actions to Promote BSA Compliance among Depository Institutions:
The federal banking regulators have taken informal and formal
enforcement actions against depository institutions to address BSA/AML
concerns. The federal banking regulators can only take enforcement
actions under their enabling legislation contained in Title 12 of the
United States Code, but these actions can be based on an institution's
violation of BSA.[Footnote 38] Table 2 provides aggregate numbers of
examinations, violations, and enforcement actions taken by the federal
banking regulators. Under the regulators' AML program rules, in 2008
the most frequently occurring violations concern requirements to
independently test an institution's BSA/AML compliance program, train
staff on BSA/AML, and maintain internal controls. BSA requires that
depository institutions implement and maintain a system of internal
controls to ensure an ongoing BSA compliance program. An example of
such a control is monitoring for suspicious activity, which one
regulator explained can be costly, difficult, and time consuming for
an institution to implement. With respect to training, several federal
banking regulators said that some banks' staff, even BSA compliance
officers, may lack adequate BSA/AML training, especially when such
staff are newly hired.
Table 2: Federal Banking Regulators' BSA/AML Examinations, Most
Frequently Cited Violations, and Enforcement Actions, Fiscal Years
2005-2008:
                                          FY 2005  FY 2006  FY 2007  FY 2008
Number of examinations                     10,172   10,137    9,601    9,442
Number of violations                        8,354   10,970    8,744    6,385
Most frequent violations cited per regulators' regulation:
  Independent testing                       1,470    2,383    1,263      754
  Internal controls                           513    1,066    1,177      724
  Training                                    839    1,211      967      788
  SARs                                        351      467      508      643
  Compliance program requirements             848    1,144      594      269
Most frequent violations cited to the BSA[A]:
  CIP (§103.121)                            1,304      999      867      641
  CTRs (§103.22)                              848      629      720      612
  Request for filing reports (§103.27)        630      790      788      652
  314(a) (§103.100)                           370      629      601      469
  SARs (§103.18)                              134      197      170       98
Number of informal enforcement actions      2,063    6,464    5,067    3,416
Number of formal enforcement actions           74       49       65       37
Source: GAO analysis of banking regulator and FinCEN data.
[A] 103.121--Customer identification programs for banks, savings
associations, credit unions, and certain non-federally regulated banks;
103.22--Reports of transactions in currency; 103.27--Filing of reports;
103.100--Information sharing between federal law enforcement agencies
and financial institutions; 103.18--Reports by banks of suspicious
transactions.
[End of table]
The most frequently cited violations under Treasury's BSA rules are
similar across the banking regulators. These violations concern
customer identification programs (CIP), CTRs, and requests for filing
reports. For example, a violation of CIP requirements could mean that
an institution did not implement a written CIP. An institution
violating 31 CFR 103.22 did not adhere to the requirement regarding
reporting currency transactions in excess of $10,000. Violations of 31
CFR 103.27 could mean that an institution failed to meet the filing and
record-keeping requirements for CTRs, reports of international
transportation of currency or monetary instruments, or reports of
foreign bank and financial accounts. While regulators emphasized that
no one factor could explain upward or downward trends in BSA
violations, they cited several possible factors influencing these
trends--the implementation of the FFIEC BSA/AML examination manual,
additional training for examiners and the banking industry, banking
regulators more clearly communicating their expectations to
institutions, and institutions developing better AML programs. For
example, one regulator said that implementing the examination manual
may have contributed to a decline in violations by providing guidance
to banks on identifying and controlling BSA/AML risk and promoting
consistency in the BSA/AML examination process. However, another
regulator said that the manual may have led to its increasing number of
violations by providing better guidance to examiners. Appendix III
provides further information on selected BSA/AML-related enforcement
actions taken by all financial regulators.
In response to violations, the federal banking regulators have issued
thousands of informal enforcement actions but relatively few formal
enforcement actions in recent years. For example, in fiscal year 2008,
they issued a total of 3,416 informal and 37 formal enforcement
actions. Federal banking regulators said that generally, informal
corrective actions will suffice for technical noncompliance or the
failure of a portion of the AML program that does not indicate that the
entire program has failed. If a compliance violation is significant and
remains uncorrected after an informal action has been taken against an
institution, a federal banking regulator may then decide to take a
formal enforcement action. Banking regulator officials said that formal
enforcement actions are public and generally considered more stringent
than informal actions because they address more significant or repeated
BSA violations. Formal enforcement actions can include cease and desist
orders, assessments of civil money penalties (CMP), or supervisory
agreements, and are enforceable through an administrative process or
other injunctive relief in federal district court.[Footnote 39] Federal
banking regulators said they track enforcement actions through their
various management information systems.
Federal Banking Regulators Reported Improved Transparency of
Enforcement Actions Due, in Part, to New Guidance:
Federal banking regulators reported that new interagency guidance has
helped improve the transparency of BSA enforcement. In July 2007, the
federal banking regulators issued the "Interagency Statement on
Enforcement of Bank Secrecy Act/Anti-Money Laundering Requirements,"
which clarified the circumstances under which regulators would issue a
cease and desist order against a financial institution for
noncompliance with BSA requirements. It does not address assessment of
CMPs for violations of the BSA or regulators' implementing regulations.
Regulators that we contacted typically stated that the guidance has
been beneficial. FDIC officials maintained that with the guidance, bank
officials have a better idea of the factors FDIC and other banking
regulators take into account before executing a cease-and-desist order.
They added that the interagency statement advises that the appropriate
regulator may take a different level of action depending on the
severity and scope of the bank's noncompliance. NCUA officials said
they found that the guidance has led to more consistent enforcement
actions taken among the banking regulators in response to cited
deficiencies and violations.[Footnote 40] Both Federal Reserve and OCC
officials suggested that the guidance provided more clarity about, or
added transparency to, the circumstances under which the agencies will
take formal or informal enforcement actions to address concerns
relating to a bank's AML program requirements.
Federal banking and state regulators generally coordinate when
necessary on BSA enforcement actions.[Footnote 41] For example, Federal
Reserve officials said they usually take (and terminate) actions
jointly with state regulators, and a bank must continue to comply with
a joint enforcement action until both the Federal Reserve and the state
authorities terminate the action. Accordingly, the Federal Reserve and
state regulators typically terminate enforcement actions
simultaneously. Officials from several state agencies said that as a
general rule, they took informal and formal enforcement actions jointly
with their federal counterparts, although some state agencies were
likely to coordinate only formal actions. Several state officials
reported taking few, if any, formal BSA/AML-related actions against
depository institutions, especially credit unions.
Several officials from institutions that were examined by multiple
federal banking regulators, such as OCC and the Federal Reserve, said
that these regulators coordinated well among themselves, while others
indicated they were unsure or thought coordination could be improved.
Bank officials had mixed views on coordination of enforcement actions
between federal and state regulators; some thought the extent of
coordination was sufficient, others thought it was lacking, and several
simply did not know how extensively these regulators coordinated on
enforcement.
Agencies and SROs Take Enforcement Actions in the Securities and
Futures Industries:
The enforcement actions that SEC, CFTC, and their SROs can use to
address BSA compliance can be informal or formal. All SEC enforcement
actions are public and formal actions, but the actions of its SROs
include informal and formal enforcement processes. SEC staff said that
most cited BSA/AML deficiencies are corrected through the examination
process. Most examinations conclude with an institution sending SEC a
letter stating how it will correct the compliance problem. FINRA
officials also said that firms must document the corrective action to
be taken to address any issues found during an examination. If SEC
examiners find significant deficiencies with a firm's BSA program, SEC
staff may refer this to their Division of Enforcement or an SRO for
enforcement. In accordance with its MOU, SEC also will notify FinCEN of
any significant BSA/AML deficiencies. SEC's Division of Enforcement
will assess whether to proceed with an investigation, determine whether
a violation has occurred, and if so, whether an enforcement action
should be taken against the firm or any individuals. FINRA officials
said their enforcement actions are typically fines, the amount of which
may vary depending on the egregiousness of the compliance failures, the
scope of conduct, and the overall risk of money laundering through the
firm.
In fiscal year 2008, SEC and the securities SROs took 25 formal
enforcement actions against securities firms (see table 3).
Table 3: Number of BSA/AML Examinations, Violations, and Enforcement
Actions in the Securities Industry, Fiscal Years 2007-2008:
SEC: broker-dealers;
Examinations completed: FY 2007: 371;
Examinations completed: FY 2008: 336;
Violations cited: FY 2007: 359;
Violations cited: FY 2008: 242;
Formal enforcement actions: FY 2007: 0;
Formal enforcement actions: FY 2008: 2.
SEC: mutual funds;
Examinations completed: FY 2007: 105;
Examinations completed: FY 2008: 117;
Violations cited: FY 2007: 12;
Violations cited: FY 2008: 20;
Formal enforcement actions: FY 2007: 0;
Formal enforcement actions: FY 2008: 0.
FINRA (broker-dealers only);
Examinations completed: FY 2007: 2,195;
Examinations completed: FY 2008: 2,014;
Violations cited: FY 2007: 3,660;
Violations cited: FY 2008: 2,984;
Formal enforcement actions: FY 2007: 32;
Formal enforcement actions: FY 2008: 17.
Other SROs (broker-dealers only);
Examinations completed: FY 2007: 259;
Examinations completed: FY 2008: 245;
Violations cited: FY 2007: 208;
Violations cited: FY 2008: 119;
Formal enforcement actions: FY 2007: 2;
Formal enforcement actions: FY 2008: 6.
Total (broker-dealers/mutual funds);
Examinations completed: FY 2007: 2,825/105;
Examinations completed: FY 2008: 2,595/117;
Violations cited: FY 2007: 4,227/12;
Violations cited: FY 2008: 3,345/20;
Formal enforcement actions: FY 2007: 34/0;
Formal enforcement actions: FY 2008: 25/0.
Source: GAO analysis of SEC reports to FinCEN.
Note: This table includes data from fiscal years 2007 and 2008,
provided under the FinCEN MOU. Data from previous years cannot be
compared as violations were cited differently prior to the MOU, and
therefore these data are not included in the report.
[End of table]
As shown in table 4, in both fiscal years 2007 and 2008, violations in
policies and procedures and internal controls and annual independent
testing were the most common AML-program-related violations among
broker-dealers. With respect to BSA reporting requirements, in fiscal
year 2007 the most common violations among broker-dealers were related
to CIP requirements and required information sharing. In fiscal year
2008, the most common violations were CIP and SAR requirements. SEC
staff said that many of the largest securities firms have had AML
programs in place for a while and medium-sized or small firms had AML
programs that could be improved.
Table 4: Number of SEC/SRO Rule Citations and Violations in the
Securities Industry under BSA, Fiscal Years 2007-2008:
AML SEC/SRO program rule citations: broker-dealers:
Policies and procedures and internal controls:
FY 2007: 2,062;
FY 2008: 1,801.
Annual independent testing:
FY 2007: 753;
FY 2008: 678.
Training:
FY 2007: 217;
FY 2008: 129.
Policies and procedures for reporting suspicious activity:
FY 2007: 184;
FY 2008: 189.
Designate individuals for compliance:
FY 2007: 47;
FY 2008: 11.
Title 31 violations: broker-dealers:
AML program requirements: broker-dealers:
FY 2007: 3,383;
FY 2008: 2,864.
CIP (§103.122): broker-dealers:
FY 2007: 606;
FY 2008: 672.
Required information sharing:
FY 2007: 73;
FY 2008: 67.
SARs (§103.19):
FY 2007: 49;
FY 2008: 83.
Nature of records/retention period:
FY 2007: 44;
FY 2008: 19.
Title 31 violations: mutual funds:
AML program rules for mutual funds:
FY 2007: 12;
FY 2008: 18.
Source: GAO analysis of SEC reports to FinCEN.
[End of table]
SEC and its SROs routinely share information about their enforcement
activities. For example, FINRA officials said that they work with SEC
if they are both investigating an institution to ensure they are not
duplicating efforts. SEC and FINRA officials said that FINRA makes SEC
staff aware of any significant BSA/AML violations prior to an
enforcement action being taken. Further, in accordance with its MOU
with FinCEN, SEC tracks its examinations, violations, and enforcement
actions, and collects similar information from its SROs on a quarterly
basis, which it then provides to FinCEN.
While CFTC retains authority to issue enforcement actions against
futures firms, its SROs have taken all enforcement actions for BSA/AML
deficiencies to date.[Footnote 42] When CFTC becomes aware of potential
BSA/AML violations, it usually refers the violations to a firm's SRO
for investigation and potential enforcement action, although SROs
typically develop enforcement cases through the examination process. At
the conclusion of an SRO examination, the SRO issues a report to the
futures firm and notifies the firm of any deficiencies in its AML
programs. SROs require futures firms to correct any material
deficiencies prior to closing the examination. If the deficiencies are
minor, SROs may cite the deficiency in the examination report and close
the examination with no disciplinary action or require corrective
action before closing it. If examination findings are significant, then
SROs may start an investigation, during which internal committees at
the SROs may review information collected during the examination and
investigation and determine whether an enforcement action is warranted.
SROs take only formal, public enforcement actions, and all rule
violations and committee findings are made public. SROs resolve most
enforcement cases related to violations of BSA/AML SRO rules by issuing
a warning letter or assessing a fine. The amount of the fine varies
depending on the severity of the violation. SROs also may take other
types of actions for violations of their rules, such as suspension of
membership or expulsion.[Footnote 43]
NFA conducts the vast majority of examinations of futures firms and is
responsible for all formal enforcement actions taken in recent years
(see table 5). The number of BSA/AML-related enforcement actions
initiated by NFA decreased from 21 in 2006 to 10 in 2007 and 8 in 2008.
Officials added that when new requirements become effective, they
usually see an increase in deficiencies related to the new
requirements. NFA officials said they reduced the number of
deficiencies cited by requiring firms to submit written BSA compliance
programs for review during their membership application process. NFA
officials said the most common BSA violations cited since 2003 were
failure to have annual independent audits and failure to conduct annual
BSA training of relevant staff.
Table 5: Number of BSA Examinations, Deficiencies, and Enforcement
Actions in the Futures Industry, Calendar Years 2005-2008:
SRO: NFA;
Examinations completed: 2005: 303;
Examinations completed: 2006: 267;
Examinations completed: 2007: 268;
Examinations completed: 2008: 183;
Exams where BSA deficiencies were found: 2005: 191;
Exams where BSA deficiencies were found: 2006: 171;
Exams where BSA deficiencies were found: 2007: 159;
Exams where BSA deficiencies were found: 2008: 43;
Formal enforcement actions: 2005: 0;
Formal enforcement actions: 2006: 21;
Formal enforcement actions: 2007: 10;
Formal enforcement actions: 2008: 8.
SRO: Chicago Board of Trade;
Examinations completed: 2005: 5;
Examinations completed: 2006: 12;
Examinations completed: 2007: 6;
Examinations completed: 2008: 6;
Exams where BSA deficiencies were found: 2005: 0;
Exams where BSA deficiencies were found: 2006: 1;
Exams where BSA deficiencies were found: 2007: 0;
Exams where BSA deficiencies were found: 2008: 1;
Formal enforcement actions: 2005: 0;
Formal enforcement actions: 2006: 0;
Formal enforcement actions: 2007: 0;
Formal enforcement actions: 2008: 0.
SRO: New York Mercantile Exchange;
Examinations completed: 2005: 3;
Examinations completed: 2006: 4;
Examinations completed: 2007: 3;
Examinations completed: 2008: 3;
Exams where BSA deficiencies were found: 2005: 2;
Exams where BSA deficiencies were found: 2006: 1;
Exams where BSA deficiencies were found: 2007: 0;
Exams where BSA deficiencies were found: 2008: 0;
Formal enforcement actions: 2005: 0;
Formal enforcement actions: 2006: 0;
Formal enforcement actions: 2007: 0;
Formal enforcement actions: 2008: 0.
SRO: Total;
Examinations completed: 2005: 324;
Examinations completed: 2006: 288;
Examinations completed: 2007: 281;
Examinations completed: 2008: 199;
Exams where BSA deficiencies were found: 2005: 193;
Exams where BSA deficiencies were found: 2006: 174;
Exams where BSA deficiencies were found: 2007: 160;
Exams where BSA deficiencies were found: 2008: 44;
Formal enforcement actions: 2005: 0;
Formal enforcement actions: 2006: 21;
Formal enforcement actions: 2007: 10;
Formal enforcement actions: 2008: 8.
Source: CFTC data.
Note: CFTC provided GAO with year-to-date information for 2008; from
January 2008 through August 19, 2008.
[End of table]
CFTC officials said they meet quarterly with SROs to review their open
investigations and enforcement actions. If an SRO takes an enforcement
action, it will send a copy of the enforcement action to CFTC. CFTC's
Division of Enforcement regularly tracked BSA violations investigated
and charged by futures SROs, but it did not maintain statistics by the
type of violation. Additionally, CFTC receives and reviews examination
reports from all SROs, but did not compile BSA/AML examination
statistics. In anticipation of finalizing the information-sharing MOU
with FinCEN (which the agencies finalized in January 2009), CFTC
recently began collecting BSA examination information from the SROs.
(We discuss information-sharing MOUs later in this report.)
IRS Does Not Have Authority to Take Enforcement Actions and Refers
Potential Violations to FinCEN:
As previously discussed, IRS does not have its own or delegated
authority to issue enforcement actions against NBFIs for BSA
violations.[Footnote 44] If IRS finds BSA violations when examining an
NBFI, it can send a letter of noncompliance (Letter 1112) and a summary
of examination findings and recommendations to the institution, and
also include an acceptance statement for the institution to sign. In
response to the statement, the institution may agree to implement the
recommendations and correct any violations. Generally, IRS would
conduct a follow-up examination within 12 months after issuing the
letter to determine whether the corrective action was taken. In cases where
significant BSA violations have been found or past recommendations have
been ignored, IRS will refer the case to FinCEN to determine what, if
any, enforcement action should be taken. IRS examiners and their
managers make the initial determination to refer a case and then an IRS
BSA technical analyst reviews the case to decide whether to forward the
referral to FinCEN.[Footnote 45] IRS has referred approximately 50
cases to FinCEN since fiscal year 2006. The referrals include the facts
of the case, a summary of the examination, and the violations cited.
During fiscal year 2008, IRS reported citing 23,987 BSA violations and
issued a Letter 1112 to 5,768 different institutions (see table 6).
Table 6: Summary of IRS Quarterly Reports Sent to FinCEN, Fiscal Years
2006-2008:
Statistics from quarterly reports to FinCEN: Title 31 examinations;
FY 2007 Totals: 8,516;
FY 2008 Totals: 9,238.
Statistics from quarterly reports to FinCEN: Number of institutions
issued a Letter 1112;
FY 2007 Totals: 5,794;
FY 2008 Totals: 5,768.
Statistics from quarterly reports to FinCEN: Title 31 violations cited;
FY 2007 Totals: 33,810;
FY 2008 Totals: 23,987.
Source: IRS data and GAO analysis.
Note: IRS signed an information-sharing MOU with FinCEN in April 2005
and did not start providing quarterly reports to FinCEN until the
second quarter of 2006. Title 31 examinations are conducted to ensure
that institutions are in compliance with BSA requirements.
[End of table]
Table 7 provides a summary of the total number of institutions with one
of the five violations IRS most often cites.
Table 7: Number of Institutions with Violations Most Often Cited by
IRS, FY 2007-2008:
BSA Section: AML Program Requirements for MSBs (§103.125);
FY 2007 Totals: 9,135[A];
FY 2008 Totals: 12,778[A].
BSA Section: Registration of MSBs (§103.41);
FY 2007 Totals: 1,823[A];
FY 2008 Totals: 1,546[A].
BSA Section: Monetary Instrument Purchases (§103.29);
FY 2007 Totals: 709;
FY 2008 Totals: 713.
BSA Section: SARs (§103.20/21);
FY 2007 Totals: 534;
FY 2008 Totals: 509.
BSA Section: CTRs (§103.22/22(b)(2));
FY 2007 Totals: 422;
FY 2008 Totals: 466.
Source: GAO analysis of IRS data.
[A] These figures reflect a combination of several BSA sections.
[End of table]
Justice Pursues Criminal BSA Investigations:
Justice officials said they coordinate with financial regulators and
FinCEN during criminal BSA investigations and when taking criminal
enforcement actions. Most of Justice's BSA cases against financial
institutions start as investigations of individuals involved in illegal
activities, such as drug trafficking or money laundering. Justice
officials also said they have started investigations after receiving
referrals from federal regulators.[Footnote 46] They indicated that
having a financial regulator assigned to a Justice investigation can
help investigators better understand the financial industry and BSA
policies and procedures. Over the last 2 years, both OTS and the
Federal Reserve have assigned examiners to Justice investigations.
Justice officials work closely with institutions' regulators to obtain
and review their examination reports and workpapers, analyze SARs
filed, and determine if any civil enforcement actions were taken
against the institution. Justice officials said they will coordinate
enforcement actions with financial regulators and FinCEN when feasible,
checking with both to see if they are planning an enforcement action
against the institution. According to Justice, the challenges of
coordinating regulatory and criminal enforcement include grand jury
secrecy requirements and the differing length and pace of
investigations and negotiations.
Justice officials said that all their BSA cases against financial
institutions have involved systemic, long-term failures in the BSA
program and substantial evidence of willful blindness on the part of
the institution toward money laundering activity taking place through
the institution. In 2005, Justice formalized procedures that require
U.S. attorneys to obtain approval from Justice's Asset Forfeiture and
Money Laundering Section in cases where financial institutions are
alleged to be BSA offenders. Attorneys are to consider factors such as
the availability of noncriminal penalties, prior instances of
misconduct, remedial actions, cooperation with the government, and
collateral consequences of conviction when determining what type of
action, if any, should be taken. Justice officials said they instituted
the procedures to provide more review of significant AML cases (in
particular, the nature of the violation and its impact) and promote
uniformity and consistency in enforcement approaches. According to
Justice officials, the new procedures have been well received.
Over the last 3 years, Justice took four criminal BSA enforcement
actions against financial institutions (see table 8). All the actions
resulted in deferred prosecution agreements (three against depository
institutions). The remaining case represents the first criminal BSA
enforcement action against an MSB. Justice announced each of the
actions on the same day that FinCEN and the regulators announced their
civil enforcement actions. The forfeiture amounts generally correspond
to the criminal proceeds laundered by the institutions.
Table 8: Justice BSA Enforcement Actions, January 2006-October 2008:
Year: 2008;
Financial institution: Sigue Corporation and Sigue, L.L.C.;
BSA-related violations or investigations: Failure to maintain an
effective AML program [31 U.S.C. 5318(h)(1) and 31 U.S.C. 5322(a)];
Disposition: Deferred prosecution agreement;
Forfeiture amount: $15,000,000 forfeiture.
Year: 2007;
Financial institution: American Express Bank International;
BSA-related violations or investigations: Failure to maintain an
effective AML program [31 U.S.C. 5318(a)(2) and (h)(1) and 31 U.S.C.
5322];
Disposition: Deferred prosecution agreement;
Forfeiture amount: $55,000,000 forfeiture.
Year: 2007;
Financial institution: Union Bank of California, N.A.;
BSA-related violations or investigations: Failure to maintain an
effective AML program [31 U.S.C. 5318(h)(1) and 31 U.S.C. 5322];
Disposition: Deferred prosecution agreement;
Forfeiture amount: $21,600,000 forfeiture.
Year: 2006;
Financial institution: BankAtlantic;
BSA-related violations or investigations: Failure to maintain an
effective AML program [31 U.S.C. 5318(h)(1) and 31 U.S.C. 5322(a)];
Disposition: Deferred prosecution agreement;
Forfeiture amount: $10,000,000 forfeiture.
Source: GAO analysis of Justice data.
[End of table]
FinCEN Provides Some Effective Outreach and Regulatory Support but
Could Improve Information-Sharing Efforts:
FinCEN has increased resources dedicated to its regulatory programs and
provided some effective regulatory support and outreach to industry;
however, improvements could be made in its information-sharing efforts
with regulators. From 2001 to 2008, FinCEN staff dedicated to
regulatory efforts increased from 36 to 84. FinCEN has coordinated BSA
regulation development and supported regulators' examination processes
in various ways, including providing input on examination guidance. In
2007, FinCEN created a new unit to provide outreach efforts, such as a
helpline, that were well received by industry. FinCEN also has improved
its management of referrals from regulators by replacing a paper-based
system with an electronic one. However, the lack of an agreed-upon
process for communication on IRS referrals may delay timely feedback to
IRS-examined entities and allow these institutions to continue
operating without correction after deficiencies are identified. Since
our April 2006 report, FinCEN has increased the number of information-
sharing MOUs with federal and state regulators and has taken steps to
assess these MOUs. FinCEN and CFTC recently finalized an MOU, without
which they previously did not have an agreed-upon framework for more
consistent coordination and information sharing. FinCEN also has been
discussing how to improve analytical support with the regulators.
However, some state, securities, and futures regulators have limited
electronic access to BSA data, which impedes their risk scoping for
examinations and ability to independently verify audit information.
FinCEN officials said they finalized a regulatory data-access template
in July 2008 and have begun providing additional state regulators with
direct electronic access, and anticipate providing expanded access to
the federal functional regulators.
FinCEN Has Increased Regulatory-dedicated Resources, Collaborates with
Regulators to Develop Rules and Provides Them with Examination Support,
and Provides Well-received Outreach to Industry:
Parallel to its increase in overall budget authority, FinCEN has
increased resources dedicated to its regulatory programs. FinCEN
officials said they consult with other regulators and examining
agencies as necessary when developing rules and implementing
regulations, provide examination support to regulators, and conduct
BSA-related training sessions and events for industry and regulators.
FinCEN Has Increased Resources Dedicated to Its Regulatory Programs:
As shown in table 9, FinCEN's budget authority and regulatory-dedicated
staff have grown from fiscal year 2001 through fiscal year 2007. FinCEN
budget authority grew from $38 million in fiscal year 2001 to $73
million in fiscal year 2007. Since 2005, the bureau's budget authority
essentially has been flat. From fiscal year 2001 through fiscal year
2007, the number of FinCEN staff dedicated to regulatory policy and
programs approximately doubled, from 36 to 77. The total number of
FinCEN staff increased nearly 75 percent from 174 to 302.
Table 9: FinCEN Budget Authority, Civilian Full-time Equivalent
Employees, and Regulatory-Dedicated Staff, Fiscal Years 2001-2007:
FinCEN budget authority (in millions of dollars):
FY 2001: $38;
FY 2002: $48;
FY 2003: $52;
FY 2004: $58;
FY 2005: $72;
FY 2006: $73;
FY 2007: $73.
FinCEN civilian full-time equivalent (direct):
FY 2001: 174;
FY 2002: 200;
FY 2003: 229;
FY 2004: 249;
FY 2005: 267;
FY 2006: 296;
FY 2007: 302.
Regulatory-dedicated staff:
FY 2001: 36;
FY 2002: 51;
FY 2003: 55;
FY 2004: 59;
FY 2005: 75;
FY 2006: 76;
FY 2007: 77.
Source: U.S. Budget Appendix and GAO analysis of FinCEN data.
[End of table]
FinCEN regulatory policy and program staff work in RPPD, which consists
of the Offices of Regulatory Policy, Compliance, Enforcement,
Regulatory Analysis, and Outreach Resources. According to FinCEN
officials, these staff work on issues that involve multiple financial
sectors, although many employees have subject matter expertise for
particular industries or sectors. As of September 2008, FinCEN
officials said that RPPD had a staff of 84. Since 2001, several
regulators also have provided detailees to FinCEN to supplement
expertise in particular areas or work on specific projects. For
example, from 2007 through 2008, a detailee from the Federal Reserve
worked on an industry survey about the potential effects of rule making
related to FinCEN's cross-border wire transfer study and served as a
subject matter expert regarding payment systems.[Footnote 47] And from
2002 through 2005, two IRS detailees to FinCEN worked with RPPD to
resolve multiple outstanding compliance issues. In addition, in 2005-
2008, FDIC officials said that the agency provided 11 detailees to
assist with report processing and other assignments.
FinCEN and Regulators Collaborate on Implementing BSA Regulations:
BSA provides Treasury with overall regulatory authority to administer
the act and authorizes Treasury to issue regulations, sometimes jointly
with federal financial regulators, to implement BSA requirements.
[Footnote 48] FinCEN, the bureau within Treasury responsible for
administering BSA, has overall responsibility for Treasury's BSA
regulatory program. Within FinCEN's RPPD, FinCEN officials said that
the Office of Regulatory Policy is responsible for developing,
modifying, and interpreting regulations and consults as necessary with
other regulators and examining agencies.
Depending upon the subject matter of a regulatory initiative, FinCEN
officials said their interactions with regulators on BSA implementing
regulations can range from extensive collaboration to a notification
that regulations are available. In addition to meetings with
regulators, FinCEN officials stated they obtain feedback from
regulators on BSA issues through BSAAG and its multiple subcommittees.
Referring to the USA PATRIOT Act, some federal agency officials
observed that the development of some regulations was collaborative and
an improvement compared with other processes in which the regulators
were less involved.
FinCEN officials said their work in recent years with SEC and CFTC--an
outgrowth of the USA PATRIOT Act--generally has been collaborative,
particularly given the newness of the securities and futures industries
to the BSA/AML regulatory framework. SEC staff said they often met with
FinCEN to discuss BSA issues (including rules development and related
FinCEN guidance). Also, FinCEN sometimes participated in SEC's
quarterly BSA meetings with the SROs, discussing the scope of reforms
and clarifying guidance or other issues. FINRA officials said that
FinCEN and SEC directly collaborated on rules for broker-dealers, and
FINRA was able to provide input in these discussions only through SEC.
While FINRA officials said that they coordinated well with SEC, they
felt that direct and earlier coordination with FinCEN on rule and
guidance development would have increased the efficiency of the
process.
CFTC officials stated that work with FinCEN on drafting of futures-
related BSA/AML rules and guidance has been collaborative. For
instance, as required by BSA, FinCEN and CFTC jointly issued
regulations in 2003 for futures commission merchants and introducing
brokers requiring them to establish CIPs.[Footnote 49] However,
according to CFTC officials, the rule resulted in some confusion about
its applicability in situations where more than one futures commission
merchant was involved in a transaction with the same customer.[Footnote
50] In April 2007, FinCEN and CFTC jointly issued guidance to clarify
the responsibilities in such a transaction.[Footnote 51] NFA officials
said the guidance has been well received by its members and clarified
issues surrounding a firm's BSA/AML role with its customers.
FinCEN and IRS officials had differing views on the degree of
collaboration that occurred during the revision of MSB-related
regulations. As discussed previously, FinCEN and IRS completed a
coordinated strategy in 2008 to better identify and select NBFIs for
examination. The coordinated strategy states that FinCEN would work
with regulatory partners to explore the feasibility of removing or
exempting from the definition of MSBs certain types of transactions or
subcategories of MSBs that pose relatively little risk of facilitating
financial crimes. At the time of this report, FinCEN was in the process
of incorporating revised MSB definitions into its guidance and
regulations. Although legislation does not require FinCEN to conduct
joint rule making on MSB issues, FinCEN officials stated that RPPD
staff have briefed other offices and divisions in FinCEN as well as
IRS, federal banking regulators, Treasury officials, various law
enforcement agencies, and the BSAAG NBFI subcommittee on the proposed
MSB rule making. The BSAAG NBFI subcommittee, of which IRS is a member,
also sent a list of issues for FinCEN to consider when redefining MSBs,
which FinCEN officials said they reviewed. FinCEN officials said they
met with IRS staff in May 2008 to discuss the advanced notice of
proposed rule making.
According to FinCEN officials, they also developed a majority of their
guidance and administrative rulings by reviewing questions received
from the financial industry through their Regulatory Helpline (which
institutions and regulators may call with questions) or other
correspondence. For example, FinCEN officials said they review
questions asked of the Office of Outreach Resources to determine what
issues concern industry, and the results of the reviews are forwarded
to the Office of Regulatory Policy. (We discuss the Office of Outreach
and FinCEN helplines in more detail below.)
FinCEN Supports Regulators' Examination Activities by Providing Input
on Guidance and Addressing Specific Issues:
FinCEN and RPPD's Office of Compliance provide examination support for
financial regulators in various ways. These methods include providing
input on examination guidance and working with regulators to address
specific issues (such as risk scoping). For instance, FinCEN actively
participates in FFIEC working groups to revise the FFIEC BSA/AML manual
and develop examiner training.[Footnote 52] In February 2007, FinCEN
established a working group comprising federal and state agencies, with
the goal of identifying and implementing several large initiatives to
more effectively regulate and supervise the activities of MSBs. As
previously discussed, FinCEN, IRS, and state regulators worked together
in this forum to develop an MSB BSA/AML examination manual that was
issued in December 2008. FinCEN officials said they will work with IRS
and the manual working committee to develop a roll-out plan and provide
training to IRS and state examiners, and the working group will
continue to meet to address other MSB-related issues.
FinCEN also has reviewed SEC's and its SROs' nonpublic examination
procedures. Additionally, SEC and FinCEN cooperated to develop Web-
based tools ("AML source tools") that compile applicable BSA/AML rules
and regulations for mutual funds and broker-dealers as well as other
helpful information and contacts. SEC staff stated that they also
developed "plain English" guidance on the examination process to be
made public in response to further industry requests for access to
SEC's nonpublic examination module. SEC provided the draft guidance to
FinCEN for its input; however, FinCEN officials said their review is on
hold because their staff are working on other priorities and industry
already has the AML source tools as guidance. While FinCEN has worked
similarly with CFTC on guidance to its industry, FinCEN officials said
that CFTC's SROs have not provided their examination module and
procedures to FinCEN but intended to do so after the information-
sharing MOU between FinCEN and CFTC was finalized. However, FinCEN and
CFTC officials stated they have held meetings on the examination
procedures of futures SROs.
As part of the effectiveness and efficiency initiative announced by the
Treasury Secretary in June 2007, FinCEN has been studying how the
regulatory agencies are approaching risk scoping for examinations. Its
goal is to develop new tools and guidance that would enable agencies to
better direct their examination resources. FinCEN officials stated they
evaluated tools and processes that allow examiners to analyze
information and patterns in BSA data from a specific institution to
help identify areas that may require closer review, and jointly
identified ways to enhance these tools. For example, FinCEN officials
said they and the federal banking regulators are developing an enhanced
BSA data analysis tool to incorporate into pre-examination scoping
processes that will allow the federal banking regulators to better
target their resources. Federal banking regulator officials stated that
the tool would help them better analyze BSA data information for a
particular institution, but not to conduct analyses across
institutions.
In addition to supporting regulators' examination efforts and
undertaking process- or issue-specific initiatives, FinCEN officials
said FinCEN also has produced targeted financial institution analyses.
These are produced after a regulator makes a specific request for
detailed analytic information related to a particular institution or
individual. Office of Regulatory Analysis staff said they have
collaborated with regulators to produce 42 such reports during fiscal
year 2007 and through the first three quarters of fiscal year 2008.
With respect to its role in terms of achieving greater BSA/AML
examination consistency, FinCEN officials stated that, resources
permitting, they would like to increase their efforts in areas such as
examiner training, developing and providing additional compliance
referrals to regulators, periodically joining examiners in the field,
and conducting additional macro-level analysis of BSA compliance. (We
discuss FinCEN's analytical products in a later section.) FinCEN
officials said they have held various meetings with regulators to
discuss their examination processes, but that they have not held
meetings inclusive of all regulators. Further, as discussed previously,
without an information-sharing MOU in place, FinCEN had been unable to
obtain examination procedures for the futures industry--hindering its
ability to review issues of BSA/AML examination consistency.
Offices within FinCEN Coordinated to Provide Outreach That Was Well
Received by Industry:
FinCEN has implemented new outreach initiatives and conducted support
efforts on BSA guidance that were well received by industry. The Office
of Outreach Resources was created in 2007 and has primary
responsibility for operating the Regulatory Helpline that industry and
regulators may call with BSA-related questions. FinCEN staff also
operate the Financial Institutions Hotline, which financial
institutions may call to report suspicious activity related to
terrorist financing. For the past 3 years, FinCEN has surveyed
customers who use the Regulatory Resource Center--which includes the
Helpline and FinCEN's Web site. According to FinCEN's surveys, in all 3
years, FinCEN staff calculated that more than 90 percent of respondents--
primarily industry representatives--favorably rated the guidance they
received.[Footnote 53]
FinCEN officials said that as part of its efforts to make the
administration of BSA more efficient and effective, FinCEN published
proposed rules in the Federal Register in November 2008 that
centralize, without substantive change, BSA and USA PATRIOT Act
regulations to a new chapter within the Code of Federal Regulations.
FinCEN officials said that the proposed rules would streamline BSA
regulation into general and industry-specific parts, with the goal of
enabling financial institutions to more easily identify their BSA
responsibilities.
The Office of Outreach Resources also coordinates with BSAAG and
supports speaking engagements to the financial industry and regulatory
groups. FinCEN officials told us they have facilitated BSAAG
subcommittee meetings (such as ones on banking, insurance, law
enforcement, SARs, and securities and futures) throughout the year. In
2007, FinCEN reported participating in almost 100 domestic and overseas
outreach events on BSA issues relating to banking, securities, futures,
MSBs, jewelers, casinos, insurance companies, and credit unions.
Industry officials with whom we spoke generally were positive about
FinCEN's outreach to industry, including these events and some of the
public products available on FinCEN's Web site. Banking industry
association officials felt that FinCEN had been helpful in listening to
concerns of the banking industry. Securities industry officials stated
they thought FinCEN had been very responsive to inquiries from
broker-dealers and found some of FinCEN's publicly available reports to be
very useful, including "SAR Activity Review: Trends, Tips, and Issues"
and mortgage fraud reports. FinCEN officials presented these reports at
events and included a discussion of how SARs have contributed to law
enforcement investigations. A representative of a futures firm with
whom we spoke said the firm used the SARs publications as part of its
training program. Securities SRO officials said they felt FinCEN was
doing an excellent job of industry outreach, in particular showing the
industry how BSA data filings were used effectively to prosecute money
laundering and other financial crimes.
In January 2008, FinCEN's Office of the Director--with participation
from RPPD, the Analysis and Liaison Division, the Technology Solutions
and Services Division, and the Office of Chief Counsel--began a new
outreach program to the financial community. By developing a better
understanding of the needs and operations of institutions, FinCEN
officials suggested that the agency will be in a better position to
help institutions effectively operate BSA/AML programs. The outreach
program's goals include learning how institutions' BSA/AML programs and
analytical units operate. The first stage of the outreach program is
targeted to the 15 largest depository institutions. According to
FinCEN, they will expand outreach to other depository institutions and
industry sectors, but have not finalized the timetable for the later
stages of the program.[Footnote 54]
FinCEN Has Improved Tracking for Incoming Compliance Referrals;
However, Lack of a Process for IRS Referrals Could Impede BSA
Compliance Activities:
In 2006, FinCEN implemented an automated Case Management System (CMS)
to track its processing of BSA compliance referrals, which replaces a
paper-based system. While its efforts to track referrals have improved,
FinCEN processing times for IRS referrals, combined with IRS's limited
enforcement authority, may have limited IRS's BSA compliance activities
among NBFIs.
FinCEN Has Improved Its Compliance Referral Tracking System:
According to their MOUs with FinCEN, the federal banking regulators,
SEC, and IRS are to inform FinCEN of any significant potential BSA
violations and provide BSA-relevant examination reports. In 2006,
FinCEN implemented an automated system--CMS--to track these BSA
compliance referrals.[Footnote 55] Prior to CMS, FinCEN tracked BSA
compliance referrals manually through a paper-based system. FinCEN
officials stated that CMS enables RPPD's Offices of Compliance and
Enforcement to track cases from receipt to final disposition, analyze
the data, and produce management reports.[Footnote 56] Figure 2 depicts
the overall process by which FinCEN receives and tracks these
referrals.
Figure 2: FinCEN's Tracking Process for BSA Compliance Referrals:
[Refer to PDF for image: illustration]
FinCEN:
FinCEN offices may seek additional information from each other, the
regulator, or the financial institution at any point in the process.
FinCEN notifies regulators of final decisions regarding each case.
Regulators:
Federal Banking Regulators;
SEC;
IRS.
Financial Institution:
Self-initiated Potential BSA violation sent to FinCEN Office of
Compliance;
Case logged into Case Management System (CMS);
Dispositions:
Case closed; or:
FinCEN works with regulator (notification letter sent to financial
institution); or:
Regulatory Enforcement Committee:
Considerations:
* Type and frequency of violation;
* Systemic or technical in nature;
* Willful or negligent cause;
* Duration of deficiency;
* Self-disclosed or discovered through exam.
Case not referred (returned to Office of Compliance); or:
Case referred to:
Office of Enforcement:
Case logged into CMS;
Case closed; or:
Enforcement action (e.g., warning letter, CMP).
Sources: GAO analysis of FinCEN documentation; Art Explosion (images).
[End of figure]
As shown in figure 2, the Office of Compliance receives referrals from
regulators or referrals that are self-reported by institutions and,
after receipt, opens corresponding cases in CMS.[Footnote 57] These
matters are assessed by compliance specialists who, in making their
assessment of each referral, consider factors such as:
* the type of violation and number of times it occurred;
* whether the violation was systemic or technical;
* whether the violation was willful or a result of negligence;
* how long the deficiency existed; and
* whether the violation surfaced through self-discovery or an
examination.
Compliance staff must complete the initial assessment within 60 days,
after which the case is reviewed by a compliance project officer, the
compliance program manager, and, finally, the assistant director of
compliance. As part of these assessments, Office of Compliance staff
may request additional data analysis from the Office of Regulatory
Analysis or additional documentation from the institution's regulator.
Federal banking regulator and SEC staff confirmed that FinCEN staff
have requested additional information about their referrals.
After a referral is assessed, Office of Compliance management decide
whether to take one of the following actions: (1) close a case with no
action; (2) send a notification letter to the institution indicating
that the regulator informed FinCEN of the matter, and nothing precludes
FinCEN from further action if FinCEN or the regulator finds that all
corrective actions have not been implemented; or (3) present the matter
to FinCEN's Regulatory Enforcement Committee. FinCEN officials
estimated that its Office of Compliance has forwarded approximately 6
percent of referrals to its Office of Enforcement. The Regulatory
Enforcement Committee consists of compliance and enforcement staff who
review the case and decide whether to forward it to the Office of
Enforcement for further investigation. After it is decided that a case
is to be referred to the Office of Enforcement, the case is closed by
Office of Compliance staff in CMS and the Office of Enforcement opens a
new Enforcement case in CMS.
FinCEN officials said that the fundamentals of the enforcement
investigative process are the same, regardless of the source of the
referrals. And, as with Compliance staff, Enforcement staff may request
additional data analysis or documentation when making their decisions.
They document their investigation in a recommendation memorandum to the
Assistant Director of the Office of Enforcement. After the assistant
director has reviewed the case, Enforcement staff contact the referring
agency to discuss the matter. If no action is warranted, Enforcement
closes the case. If a CMP is warranted, Enforcement issues a charging
letter to the financial institution. The financial institution is
required to respond in writing within a specified period (usually 30
days from the date of the letter). The assistant director and an
enforcement specialist then review the financial institution's written
response to determine whether to proceed with a CMP negotiation meeting
or close the matter with an alternative action, such as a warning
letter, or no action. FinCEN Enforcement officials said that if a
warning letter is issued, it will be routed internally for approval
through the Associate Director of RPPD and a copy will be sent to the
relevant regulator. FinCEN's Director iterated in an October 2008
speech that FinCEN considers enforcement actions only when a financial
institution exhibits a systemic breakdown in BSA compliance that
results in significant violations of its BSA obligations. Table 10
shows the number of referrals RPPD received during fiscal years 2006
through 2008, the number of cases closed within the Offices of Compliance
and Enforcement, and average processing times.
Table 10: Number of Cases Processed in FinCEN's Offices of Compliance
and Enforcement and Average Processing Times, Fiscal Years 2006-2008:
Fiscal year: 2006;
Total referrals received (source: regulatory agency/self-reported)[B]:
268; (242/26);
Compliance: Number of cases closed: 241;
Compliance: Average processing time (days): 198;
Enforcement[A]: Number of cases closed: 13;
Enforcement[A]: Average processing time (days): 349[D].
Fiscal year: 2007;
Total referrals received (source: regulatory agency/self-reported)[B]:
241; (220/21);
Compliance: Number of cases closed: 248;
Compliance: Average processing time (days): 275;
Enforcement[A]: Number of cases closed: 18;
Enforcement[A]: Average processing time (days): 433[D].
Fiscal year: 2008;
Total referrals received (source: regulatory agency/self-reported)[B]:
275; (225/50);
Compliance: Number of cases closed: 265;
Compliance: Average processing time (days): 208[C];
Enforcement[A]: Number of cases closed: 17;
Enforcement[A]: Average processing time (days): 277.
Source: FinCEN data from CMS.
[A] These figures were adjusted to reflect the number of days that
cases were processed minus the number of days cases were on hold
pending a law enforcement investigation.
[B] The number of cases processed in the Offices of Compliance and
Enforcement may not add up to the total number of referrals received
each fiscal year, as not all referrals may have been processed in that
year and would have carried over to the following year.
[C] This figure is adjusted to reflect the number of days that a
compliance case was processed minus the days cases were on hold or
placed on monitor status. This figure is manually calculated and
subtracted from the "raw" number--235 days--for fiscal year 2008. In
2008, FinCEN began excluding days from the average processing time when
the referrals process was on "hold" (for example, waiting for
information from a regulator).
[D] These figures include cases that were in the Office of Enforcement
inventory prior to the creation of the Office of Compliance. The longer
processing times for these years reflect the fact that additional time
was spent by enforcement specialists to start some cases and obtain
data and information--a process now conducted by the Office of
Compliance.
[End of table]
FinCEN officials told us that they have striven to take joint or
concurrent enforcement actions with other federal and state agencies.
In very rare cases, the Office of Enforcement may initiate a case
directly--that is, without a referral. Since our last report in April
2006, FinCEN has taken one independent action against a depository
institution under BSA. The Office of Enforcement may develop a case
based on information from Justice or receive internal referrals
developed from internal review and analysis of BSA data. For instance,
FinCEN officials cited a case in which their analysis uncovered that an
institution had been leaving a description field in their SAR filings
blank. This was not a technical error, but a significant deficiency
resulting in a CMP being assessed against the institution.
In addition to receiving and processing referrals from regulators,
FinCEN may uncover and refer compliance matters of a more technical,
rather than systemic or significant, nature to the regulators. FinCEN
stated that RPPD's Office of Compliance dedicates substantial resources
to reviewing SAR filings for data quality issues and refers potential
BSA deficiencies or violations to regulators. In its 2007 annual
report, FinCEN noted that it referred 83 matters concerning potential
BSA deficiencies or violations to regulators with which it has MOUs.
Officials from most federal banking regulators confirmed that FinCEN
provided them with referrals about institutions under their supervision
that were filing incomplete or technically inaccurate SARs. FDIC
officials cited instances in which such information led to identifying
software problems that had been negatively affecting many institutions.
FDIC officials also said that FinCEN once provided them with
information regarding a possible money laundering scenario. Other
federal banking regulators stated that the referrals they received from
FinCEN were of a technical nature and did not prompt an examination.
Lack of Agreed-upon Process That Facilitates Communication about
Processing IRS Referrals Could Delay Timely Feedback to NBFIs:
According to IRS officials, long delays in processing referrals and a
lack of an agreement on time frames have limited IRS's BSA compliance
activities among NBFIs. Unlike the federal financial regulators that
have independent enforcement authority to issue informal and formal
enforcement actions, IRS officials can send only a Letter 1112 to an
institution, which includes a statement that a copy of their report is
required to be sent to FinCEN and that FinCEN will determine if
penalties under BSA are to be imposed (see discussion in previous
section).[Footnote 58] Therefore, when IRS finds an NBFI with
significant BSA deficiencies, it must refer the case to FinCEN for
further action.[Footnote 59] In fiscal years 2006-2008, IRS sent
approximately 50 referrals to FinCEN. After a referral is made to
FinCEN, IRS officials said they do not conduct a follow-up visit with
the institution to determine if corrective action has been taken until
FinCEN makes a determination on the referral, as they do not want to
take any actions that might negatively affect a potential FinCEN
enforcement action.
IRS officials believe FinCEN's response time is too long. FinCEN
officials stated that IRS referrals often require follow up for
additional information or supporting documentation which affects
processing times. As noted in table 10 above, FinCEN's average
processing time for all referrals in fiscal year 2008 was 208 days in
its Office of Compliance and an additional 277 days if a case was
referred to its Office of Enforcement. IRS and FinCEN officials met in
early 2008 to discuss processing times and what information an IRS
referral should contain. IRS officials said they have seen progress in
the last several months, with more IRS referrals being processed.
Although IRS officials stated that they would like an agreement with
FinCEN on referral processing times, no formal agreement has been
negotiated. FinCEN officials said that they do not have established
time frames for responding to referrals because response time often
varies depending on the thoroughness of the referral and the need for
follow up with the examiner. They said that processing of referrals
also depends on interagency coordination. For example, law enforcement
authorities might ask FinCEN to refrain from advancing certain cases
because of pending criminal investigations. While FinCEN and IRS
recently have been meeting more frequently to discuss IRS referrals, no
formal agreed-upon process exists to address IRS referral issues and
provide more timely feedback to IRS-examined institutions on their AML
efforts. The lack of an agreed-upon process for handling referrals,
combined with IRS's inability to take certain enforcement actions on
its own, may result in these institutions continuing to operate without
correction, potentially remaining out of compliance with BSA.
MOUs Have Improved Coordination with Federal Banking Regulators and
SEC; and FinCEN and CFTC Recently Signed an MOU:
FinCEN officials have increased the number of information-sharing MOUs
with regulatory agencies, which has improved coordination of
enforcement actions and BSA data reporting for the banking and
securities industries. FinCEN officials said that through the
information-sharing MOUs they made progress in developing their
relationships with the federal banking regulators, SEC, and IRS. Since
our April 2006 report, FinCEN had implemented an MOU with SEC (in
December 2006), and as of October 2008, established MOUs with 46 state
agencies. After several years of drafting, FinCEN and CFTC finalized
information-sharing and data-access MOUs in January 2009.
Federal Banking Regulators and FinCEN Reported That MOUs Resulted in
Improved Processes for and Coordination of BSA Reporting and
Enforcement:
FinCEN officials said that the MOU process significantly increased the
level of information sharing with the federal banking regulators since
its implementation in 2004. FinCEN officials also said that the federal
banking regulators made good faith efforts to comply with the MOU and
provided FinCEN with reports on time. Officials from most federal
banking regulators stated that their 2004 MOU significantly
strengthened interaction with FinCEN and provided structure for
coordination on enforcement actions and information sharing. In
addition, FinCEN's Director together with Treasury's Under Secretary
for Terrorism and Financial Intelligence meets quarterly with the
principals of the five federal banking regulators to discuss
coordination and BSA administration for the industry.
While federal banking regulator officials emphasized that they may take
enforcement actions independent of FinCEN under their own authorities,
they ensure that FinCEN is aware of these actions as agreed upon in the
MOU with FinCEN. Federal Reserve officials said that such information
sharing generally involves referral of all BSA/AML-related examination
issues that are resolved through informal and formal enforcement
actions. They explained that when taking an informal action--such as a
commitment letter or MOU--they provide notice to FinCEN. OTS officials
said they have quarterly meetings with FinCEN during which they discuss
any BSA-related informal or formal actions, as well as any related
matters. Moreover, federal banking regulators said they make FinCEN
aware of formal actions, such as CMPs or written agreements, well in
advance of when the actions will be taken. For example, if the
regulators are going to impose a CMP, they will inform FinCEN early
enough to ensure the process is fully coordinated. Federal Reserve
officials said that since the 2004 MOU, they imposed all
BSA/AML-related CMPs concurrently with FinCEN penalties.[Footnote 60] NCUA
officials also said they make FinCEN aware of informal and formal
actions, and would coordinate with FinCEN prior to the issuance of a
CMP, if necessary. OCC officials said they also coordinate any CMPs
with FinCEN and that in recent years FinCEN has been much quicker in
assessing CMPs in conjunction with OCC. They cited a case prior to the
implementation of the MOU--the Riggs Bank case--during which they said
they had to wait more than a year to issue a CMP in coordination with
FinCEN.[Footnote 61] FDIC and OTS also noted they have worked closely
with FinCEN in the past few years on the development of BSA/AML-related
enforcement actions against several institutions.[Footnote 62] (App.
III contains examples of BSA/AML-related enforcement actions.)
Several federal banking regulators also cited their 2004 MOU with
FinCEN as beneficial in terms of improving agencies' internal processes
for tracking violations and enforcement actions. Some federal banking
regulator officials said that as part of responding to the
information-sharing requirement of the MOU (that is, providing FinCEN with
quarterly BSA examination, violation, and enforcement data), they
established centralized, automated data collection programs that have
improved the quality of their BSA examination data. For instance, FDIC
officials said their agency internally standardized the processes for
collecting BSA data as a result of the MOU. Federal Reserve officials
also reported that enhancements to the agency's data management system
have streamlined the information it gathers for FinCEN under the MOU.
While federal banking regulators have made improvements in their
systems for collecting and reporting BSA/AML-related data, differences
remain in how they cite violations. In our 2006 report, we found that
the federal banking regulators were using different terminology to
classify BSA noncompliance and recommended that FinCEN and the federal
banking regulators discuss the feasibility of developing a uniform
classification system.[Footnote 63] Since our report, FinCEN and the
federal banking regulators established an interagency working group
that is reviewing guidance relating to the citing of BSA violations and
is considering additional guidance on citing systemic versus technical
AML violations. One federal banking regulator stated that while BSA/AML
violation is generally comparable, federal banking regulators have
different definitions for the same terms. However, to implement their
MOU, FinCEN officials said that they discussed what a "significant
violation" means and that they came to agreement (see previous
discussion).
FinCEN's MOU with SEC Has Improved Information Sharing:
SEC and FinCEN staff stated that their December 2006 MOU had been
beneficial overall, although it is still in the relatively early stages
of implementation. Pursuant to their MOU, SEC shares examination
findings with FinCEN after a significant BSA deficiency is found. For
enforcement actions, SEC provides notice to FinCEN prior to the action
becoming public. In addition, SEC receives information from the SROs
about BSA/AML-related significant deficiencies or potential enforcement
actions and provides that information to FinCEN. SEC and FinCEN staff
said the MOU is still in the early stages of implementation and SEC and
FinCEN recently met and reached agreement on steps to further
coordination.
SEC staff also said that its agency's MOU with FinCEN has provided a
framework for the quarterly collection and reporting of BSA/AML
examination, violation, and enforcement action data. While SEC staff
stated they had provided FinCEN with data prior to the MOU, it was on a
more limited basis. Prior to the MOU, SEC cited BSA violations under
provisions of the USA PATRIOT Act. Under the MOU, SEC cites BSA, which
allows for more specific citations. As a result, under the MOU, SEC
provides additional examination information regarding BSA violation
categories and subcategories. For example, SEC previously would cite a
violation relating to CIPs under Section 326 of the USA PATRIOT Act.
Because of the MOU, SEC can determine which of the multiple
subcategories of BSA it may cite for deficiencies in a firm's CIP. (See
table 3 earlier for these data.)
FinCEN and CFTC Recently Signed an MOU, without Which the Agencies
Engaged in Limited Information Sharing:
CFTC, the last federal functional regulator to sign an
information-sharing MOU with FinCEN, had no agreed-upon formal mechanism by which
to coordinate or share information with FinCEN until the MOU was
finalized in January 2009. CFTC officials stated they approached FinCEN
about developing an MOU in fall 2004. CFTC and FinCEN cited delays on
the part of both parties in moving forward with the MOU.
In fall 2008, CFTC officials said that they developed standard
procedures for obtaining BSA/AML examination information from its SROs
in anticipation of the MOU's finalization. Specifically, CFTC developed
templates that identify the episodic, quarterly, and annual report data
that will be required to be reported under the MOU and already had
received reports from its SROs as of fall 2008. Previously, CFTC did
not compile BSA/AML examination statistics, including information on
the types of violations cited. Further, FinCEN officials said that
CFTC's SROs have not provided their examination modules and procedures
to FinCEN but they intended to do so after an MOU with CFTC is
finalized.
Without an MOU in place, CFTC's and FinCEN's abilities to evaluate
BSA/AML compliance in the futures industry were limited. For example,
without examination procedures and data, similar to that provided by
other regulators, FinCEN was not able to evaluate the extent to which
BSA/AML regulations were being examined consistently in the futures
industry in relation to other sectors. Further, without such
information, FinCEN and CFTC were not able to jointly determine areas
of BSA compliance weakness and better target guidance or outreach
efforts. According to best practices for collaboration, federal
agencies engaged in collaborative efforts should create the means to
monitor, evaluate, and report their efforts. FinCEN and CFTC officials
recognized the benefits of an MOU and developed information-sharing and
data access MOUs (see later discussion on data access) that were
completed in January 2009.
IRS and FinCEN Are Discussing Methods to Improve Coordination under
Their MOU:
While some improvements have been made, FinCEN and IRS disagree on
aspects of their MOU and are discussing methods to improve
coordination. IRS officials said they asked to renegotiate the terms of
the MOU as they said that they receive very little benefit from their MOU
with FinCEN, but that FinCEN has declined, saying the MOU is only 3
years old. However, FinCEN officials said they are in frequent
communication with IRS regarding the operation of their MOU and
provided documentation of some of these meetings. IRS officials said
they believe some of the information they are asked to collect and
provide under the MOU is of little use to FinCEN. For example, IRS
officials did not think FinCEN made use of IRS's reports of the numbers
of Form 8300 and Report of Foreign Bank Account examinations and
violations.[Footnote 64]
According to IRS officials, FinCEN has not held a formal meeting with
IRS to discuss the implementation of the MOU, as required by the MOU.
However, FinCEN officials stated they have frequent meetings with IRS
staff on improving various aspects of BSA administration and
information-sharing processes under the MOU. For example, due to recent
meetings with FinCEN, IRS officials said that FinCEN improved its time
frames for providing responses in cases when IRS officials send FinCEN
technical questions they have about BSA compliance in their supervised
entities.
FinCEN Has Taken Steps to Assess Effectiveness of MOUs:
FinCEN officials said that in creating their 2008-2012 strategic plan,
they revised goals and performance measures to respond to an assessment
and recommendations from the Office of Management and Budget.[Footnote
65] For fiscal year 2006, the Office of Management and Budget rated
Treasury's BSA administration as "results not demonstrated," and FinCEN
received low ratings for developing outcome-based performance measures
and achieving program results. In fiscal year 2007, a FinCEN working
group examined what would constitute meaningful performance measures
for the BSA program.
The working group developed an MOU compliance metric, which measures
how effectively MOU holders believe their MOUs facilitate information
exchange. In 2008, FinCEN completed a survey of customer perceptions of
the services it provides to the federal and state agencies with which
it has information-sharing MOUs. Using results from multiple survey
questions, FinCEN staff stated they created a public performance
measure and calculated that 64 percent of MOU holders surveyed found
FinCEN's information sharing valuable in improving regulatory
consistency and compliance in the financial system.[Footnote 66] FinCEN
has set a goal of increasing results for this measure by 2 percentage
points annually. Through the survey, FinCEN officials said they also
obtained 26 written comments, 14 of which offered suggestions for
improving information-sharing MOUs (for example, by providing more
communication and feedback).
FinCEN Has Been Improving Analytical Products; However, Lack of Direct
Electronic Access to BSA Data May Limit Compliance Activities:
FinCEN has taken steps to improve analytical products for regulators to
assist them with their BSA/AML compliance efforts and has been
discussing additional products. While some regulators have direct
electronic access to BSA data, others have access only through other
agencies. For example, FINRA conducts the vast majority of
broker-dealer examinations and does not have direct electronic access to BSA
data; instead, it must go through FinCEN or SEC to obtain data. FinCEN
officials said they finalized a regulatory data-access template in July
2008 and have begun providing additional state regulators with direct
electronic access, and anticipate providing expanded access to the
federal financial regulators. A FinCEN official said that they are
working on data-access MOUs for SROs.
FinCEN Has Provided More BSA Data Analyses and Has Been Discussing
Additional Products with Regulators:
Under their information-sharing MOUs, FinCEN is to provide analytical
products to regulators. As it collects and manages all BSA-related
data, FinCEN is in an optimal position to produce analytical products
that assess BSA-related issues within and among financial sectors and
regulators. FinCEN classifies the analytical reports it produces for
its stakeholders into two categories: reactive and proactive. As
discussed earlier, FinCEN conducts targeted financial institution
analyses for regulators at their request. These analyses are considered
reactive reports. As of September 2008, FinCEN's proactive reports
included strategic BSA data assessments, "By the Numbers" reports (such
as its SAR reports), state-specific BSA data profiles, and reports of
possible unregistered and unlicensed MSBs (produced for IRS).
FinCEN stated that the issues for which it chooses to conduct
"strategic BSA data assessments" vary. For example, FinCEN officials
said it produced a residential real estate assessment after it produced
an initial report on commercial real estate as a possible venue for
money laundering. FinCEN also conducted an assessment of mortgage fraud
after its Office of Regulatory Analysis observed a spike in SAR filings
related to mortgage loan fraud. FinCEN officials said that it takes
about 4-6 months to produce such assessments, but that they expect this
time would be significantly shortened after FinCEN's planned
modernization of the BSA database.[Footnote 67] While the reports are
not produced on a regular schedule, FinCEN officials said that it has
at least one assessment underway at all times.
FinCEN also biannually produces "By the Numbers" public reports that
compile numerical data from SARs and supplement the "SAR Activity
Review--Tips, Trends, and Issues" and state-specific BSA data profiles
showing analysis of BSA filing trends within the 46 state agencies
with which FinCEN has information-sharing MOUs. FinCEN began producing
"State BSA Data Profiles" in May 2007 and said it had received input
and some positive feedback from state and federal banking regulators.
Moreover, some industry officials told us that these publicly available
SAR reviews were very useful components of FinCEN's outreach efforts.
In 2008, FinCEN, after discussions with SEC, began providing SEC with
reports of securities-related SARs filed by depository institutions.
The purpose of these reports is to alert SEC to any possible securities
violations observed by depository institutions. To compile the reports,
FinCEN analysts search on key terms provided by SEC. SEC staff said
they have found these downloads very useful to their general
enforcement and examination programs.
Approximately each quarter since June 2006, FinCEN has issued reports
on possible unregistered and unlicensed MSBs (found by reviewing SARs
filed by depository institutions). IRS officials have used the
information to contact and register previously unregistered MSBs. IRS
officials also telephone the unregistered MSBs to make sure the
entities understand their BSA obligations.
Despite the provision of more analyses, most MOU holders with whom we
spoke thought different or additional FinCEN analysis would be useful
for their BSA compliance activities and have been discussing such
products with FinCEN. In particular, some federal banking regulators
said that the summary reports of numbers of examinations, violations,
and enforcement actions among depository institutions that FinCEN
provides them on a quarterly basis were of little use as they were
compilations of data the federal banking regulators had given FinCEN.
Although FinCEN provides analyses of issues after reviewing data and
reports, federal banking regulator officials thought it would be more
beneficial to receive analytical information to assist them in
examination preplanning and scoping processes, which would allow them
to better focus their BSA/AML resources and efforts. Federal banking
regulators have cited requests regarding additional analysis made to
FinCEN through the FFIEC BSA/AML working group. For instance, several
federal banking regulators have requested state, regional, and national
analysis of CTRs and SARs by type of institution, and additional
analysis of MSBs and 314(a) hits.[Footnote 68] As they have limited
access to BSA data, federal banking regulators are unable to conduct
these analyses themselves. (We discuss data access issues in the
following section.) IRS officials said they wanted reports similar to
what FinCEN provides to law enforcement, such as analyses of potential
money laundering regarding the U.S. southwest border. IRS officials
said such reports would be helpful in determining where to allocate the
agency's examination resources. FinCEN officials said that they provide
IRS (along with the federal banking regulators) a consolidated package
containing the annual BSA data profiles for all states and certain U.S.
territories. SEC staff said they have had at least two discussions with
FinCEN staff about analytic products that FinCEN could provide and they
expected further discussions would take place.
FinCEN officials stated they needed to concentrate on providing
products that could benefit multiple agencies to ensure they were using
FinCEN resources effectively. As part of its efficiency and
effectiveness initiative, FinCEN said it has identified ways it could
increase its analytical support to regulators by providing products
with useful information on macro-level risks. FinCEN officials said
they are incorporating steps into its information technology
modernization plans that will make the development of these products
more feasible. FinCEN said it has been developing analyses of 314(a)
hits to better inform regulators. In addition, one federal banking
regulator and FinCEN have agreed to different approaches for obtaining
supplemental BSA data analysis. In fall 2008, FDIC officials completed
arrangements to have an FDIC analyst work at FinCEN on a part-time
basis and that analyst began work with the Office of Regulatory
Analysis. FinCEN officials said that they are open to detailees from
more regulators as it would also help them understand better which
types of analysis are more useful to the regulators.
Regulators Have Different Levels of Direct Access to BSA Data, which
Inhibits Some Compliance Activities:
With the exception of IRS, which maintains and stores all BSA
information filed, FinCEN has developed data-access MOUs with some
financial regulators to provide them with direct electronic access to
BSA data. However, the level of access across financial regulators is
inconsistent and has inhibited agencies' compliance activities. For
example, FinCEN provides the federal banking regulators with access to
CTRs for depository institutions, SARs for depository institutions, and
other reports.[Footnote 69] Federal banking regulators access this
information through a secure system but are limited to downloading a
certain number of records at a time. Officials from some federal
banking regulators said that access to SARs or CTRs filed by
institutions other than depository institutions would be useful. One
official explained that some institutions, while regulated by others,
can be affiliated with their supervised institutions. For example, an
MSB may file a SAR on a bank's customer, but the federal banking
regulator does not have access to the SAR filed by the MSB. Unlike
other federal banking regulators, OCC officials arranged with FinCEN to
receive SAR data directly. For about 5 years, OCC has received a
monthly compact disc with SAR data for the banks it regulates. With
these data, OCC created the "SAR Data Mart," which its staff use to
take action against unlawful activity committed by depository
institution insiders and for evaluating operational risk. OCC staff
have found the ability to conduct its own analyses very useful.
SEC staff said they use their direct access to BSA data to review
approximately 100 to 150 SARs for securities and futures firms daily.
Furthermore, SEC staff said their access to these SARs has expanded
their SAR review activities and enhanced SEC's enforcement and
examination programs.
In contrast, futures and securities SROs (including FINRA) and some
state agencies that conduct BSA/AML examinations currently do not have
direct electronic access to BSA data. Some of these regulators'
requests for such access have been pending for several years. FINRA--
which conducts the majority of broker-dealer examinations (more than
2,000 in fiscal year 2008)--does not have direct electronic access to
BSA data and must request SARs through SEC and FinCEN. With direct
electronic access, FINRA and state agency officials told us they could
more effectively risk scope their examination processes. Risk scoping
by regulators may include reviewing the number of SARs and CTRs filed
by institutions under their supervision to identify areas within an
institution's program or which institutions among their supervised
entities on which to concentrate, enabling regulators to better plan
their examinations and target their resources accordingly. As discussed
above, federal banking regulators use BSA data to risk scope their
examinations. Further, due to the large number of examinations they
conduct, FINRA officials said it would strain SEC's resources if FINRA
asked SEC staff for access to every SAR filed by the institution under
review. Therefore, FINRA staff request SARs from FinCEN primarily when
FINRA staff suspect a firm may not have filed all the SARs it says it
filed. FINRA officials said they often experienced delays in receiving
the information. They also said they started to develop an MOU with
FinCEN in 2002; however, the last time FINRA discussed data access with
FinCEN was in March 2006.
CFTC is the last federal functional regulator to be provided direct
electronic access to the BSA database. CFTC officials said that they
made a formal request for direct access to BSA data in 2005. FinCEN
officials said that, until recently, FinCEN and CFTC had not agreed on
the terms of an electronic access MOU for BSA data. FinCEN and CFTC
signed a data-access MOU concurrently with their information-sharing
MOU in January 2009. Previously, if CFTC wanted BSA information, it had
to make case-by-case requests to FinCEN. Similar to FINRA, CFTC
officials said while FinCEN responded quickly to emergency BSA data
requests, nonemergency requests could take much longer. CFTC officials
said that the data-access MOU will permit CFTC to make BSA database
inquiries in certain circumstances on behalf of an SRO. They said that
they recognize the unique and highly sensitive nature of BSA data and
providing the SROs with direct access to BSA data presents certain
legal and regulatory oversight issues.
FinCEN explained it has been conducting a comprehensive evaluation of
data access issues. In September 2008, FinCEN completed a bureau-wide
initiative to better define the types of regulatory agencies to which
it will provide electronic BSA data access and the criteria and
processes for evaluating data access requests. FinCEN determined it
would consider requests from agencies that examine for BSA compliance;
supervise a financial institution for safety and soundness or financial
responsibility; issue licenses or charters to financial institutions;
or administer or enforce laws, regulations, or rules affecting
financial institutions or markets. In evaluating these requests, FinCEN
officials said that staff look at the requester's regulatory
authorities, ability to protect sensitive BSA data, and ability to
utilize confidential information. But they said that SROs present
unique issues because of their status as private actors, rather than
governmental authorities. Although FinCEN said it anticipates providing
SROs with access to appropriate data, their nongovernmental status
requires FinCEN to contemplate appropriate access restrictions. FinCEN
officials said they finalized a regulatory data-access template in July
2008 and have begun providing additional state regulators with direct
electronic access, and anticipate providing expanded access to the
federal financial regulators. A FinCEN official said that they are
working on data-access MOUs for SROs.
Without electronic access to BSA data, some regulators cannot
effectively scope risks for examinations, affecting their ability to
efficiently plan examinations and target limited resources to areas of
greatest risk. In addition, without direct access, in accordance with
their examination procedures they cannot verify information that
institutions are reporting on their BSA filings without requesting this
information from FinCEN or another regulator who has access, thereby
straining already limited resources. For example, as discussed above,
to obtain access to some SARs, some regulators (such as FINRA) must
contact FinCEN for access, further expending FinCEN's and their limited
resources.
Conclusions:
Through the USA PATRIOT Act, more activities of a larger number of
financial institutions have come under the umbrella of U.S. anti-money
laundering efforts. As the BSA regulation framework has expanded, it
also has become more complex--making it all the more important that
FinCEN and the regulators establish effective communication and
information exchanges to achieve their common goals. While the
regulators take different approaches to examination and enforcement
within their jurisdictions, they all have responsibilities in the BSA/
AML regulatory framework. Additional AML legislation has increased the
number of financial institutions that have come under the scope of BSA,
as well as regulators' interactions on these issues within and across
their respective financial sectors. At the time of our 2006 report, the
federal banking regulators and FinCEN already had achieved agreement on
how to address some key aspects of BSA compliance and enforcement and
developed a common examination manual.
Since that report, FinCEN and the regulators have made additional
progress in ensuring the soundness of the current compliance and
enforcement framework. While many improvements in the coordination
among stakeholders--FinCEN, regulators, law enforcement, and the
industries being regulated--have occurred, other working relationships
among the stakeholders are not as efficient and effective as they could
be. IRS has not fully leveraged its resources with those of state
regulators to conduct examinations of MSBs. As a result of IRS not
sharing its examination schedules with state agencies, state agency
officials told us they sometimes have scheduled examinations shortly
after IRS had completed examinations on the same institutions,
subjecting them to duplicative monitoring. With approximately 200,000
MSBs in the United States, better coordination of examination
scheduling between IRS and its state agency partners would both better
leverage limited government resources and minimize the burden placed on
those being regulated. Additionally, ongoing meetings such as those of
BSAAG provide for some exchange of information, but some important
regulatory issues cannot be discussed at meetings at which industry is
present. While it is useful to have forums in which the regulators and
the regulated exchange information, the sensitive nature of some BSA
issues and the nonpublic nature of some examination modules suggest
that an additional forum for regular information exchange among all the
regulators is called for. Whether it is coordination of efforts between
IRS and state regulators or among federal regulators, opening
additional avenues for collaboration can (1) facilitate the exchange of
best practices and better leverage limited regulatory resources, (2)
minimize the regulatory burden on those being regulated, and (3) most
importantly, see that the critical concerns embodied in BSA legislation
are efficiently and effectively carried out.
FinCEN has taken many significant steps to improve execution of its BSA
administrative and coordination responsibilities, but could make
improvements in three areas: sharing information with CFTC, improving
communication on IRS referrals and ensuring timely feedback to IRS-
examined institutions, and reconciling outstanding data access issues.
FinCEN also serves as the BSA data manager and provides the regulators
with access to critical BSA data related to their supervised entities.
With these data, regulators are able to scope risks for their
examinations, better target their resources, and independently verify
BSA data filings. However, CFTC only received electronic access in
January 2009, and securities and futures SROs, and some state agencies
do not yet have electronic access to BSA data. With today's rapidly
changing financial markets and the relationship of the futures industry
to other sectors of the financial markets, it is especially important
that SROs receive electronic access to BSA data to facilitate their
examinations. Furthermore, IRS is hampered in carrying out its BSA-
related compliance responsibilities because of uncertainties about when
FinCEN will take action on IRS's referrals. Since IRS does not have
enforcement authority in this area, it is important that IRS and FinCEN
develop a process that facilitates communication on IRS referrals.
Without timely feedback, MSBs may be allowed to continue operating in
violation of BSA statutes. Finally, delays in completing data-access
agreements present obstacles to some regulators attempting to carry out
their BSA-related responsibilities. While FinCEN is justified in its
concerns about sharing very sensitive information, the delay in
establishing information-sharing and data-access MOUs with CFTC, and
the failure to establish data access MOUs with SROs and some states
that also have important BSA-related responsibilities, presents a
different set of potential problems, such as incomplete risk-scoping of
examinations. While we commend FinCEN and CFTC for finalizing their
MOUs, the benefits of the agreements will take some time to be
realized. Until then, the potential ramifications include less
assurance on the part of regulators that these financial institutions
are complying fully with the BSA. Taking steps to resolve these areas
of concern could provide tangible benefits in the BSA-related efforts
of the regulators and build on recent improvements that FinCEN has made
in its administrative and coordination responsibilities.
Recommendations for Executive Action:
To reduce the potential for duplicative efforts and better leverage
limited examination resources, we recommend that the Commissioner of
IRS work with state agencies to develop a process by which to
coordinate MSB examination schedules between IRS and state agencies
that conduct BSA examinations of MSBs.
Further, to build on improvements made in examination processes vital
to ensuring BSA compliance, we recommend that the heads of FinCEN, the
Federal Reserve, FDIC, OTS, OCC, NCUA, SEC, CFTC, and IRS direct the
appropriate staff to consider developing or using an existing process
to share and discuss information on BSA/AML examination procedures and
general trends regularly in a nonpublic setting. We recommend that the
heads of SEC and CFTC consider including the SROs that conduct BSA
examinations.
To improve its efforts to administer BSA, we recommend that the
Director of FinCEN expeditiously take the following two actions:
* Work with the Commissioner of IRS to establish a mutually agreed-upon
process that facilitates communication on IRS referrals and ensures
timely feedback to IRS-examined institutions.
* Finalize data-access MOUs with SROs conducting BSA examinations, and
state agencies conducting AML examinations that currently have no
direct access to BSA data.
Agency Comments and Our Evaluation:
We provided a draft of this report to the heads of the Departments of
Justice and the Treasury; the Federal Reserve, FDIC, NCUA, OCC, OTS,
IRS, SEC, and CFTC. We received written comments from FinCEN, IRS, and
all the financial regulators. These comments are summarized below and
reprinted in appendixes IV-XII. All of the agencies provided technical
comments, which we incorporated into this report, where appropriate.
In its comments, IRS agreed with our recommendation that the IRS
commissioner work with state agencies to develop a process by which to
coordinate BSA examination schedules. The agency said that actions to
address our recommendation already were underway.
In their written responses, all of the agencies agreed with our
recommendation that they consider developing a mechanism or using an
existing process to conduct regular, nonpublic discussions of BSA
examination procedures and general trends to better ensure consistency
in the application of BSA. In technical comments, some agencies asked
that we be more specific about which component of their agencies should
participate in and conduct these discussions. We modified the
recommendation language to clarify that the heads of the agencies
should direct appropriate staff to undertake these actions. The Federal
Reserve commented that such discussions could build on improvements
already made in examination processes and that regular discussion of
examination procedures and general compliance trends could be
beneficial. FDIC agreed that periodic meetings with all federal
agencies responsible for BSA compliance could promote consistency and
coordination in examination and enforcement approaches and help reduce
regulatory burden. OCC commented that a number of groups and processes
already existed for sharing information and collaboration and that they
would continue to participate in these initiatives and look for
opportunities to share their practices and observations. OTS commented
that they would collaborate and that the federal banking agencies
and FinCEN have established a number of formal committees and working
groups to promote collaboration on BSA issues. SEC agreed that the
regulators would benefit from the development of such a mechanism and
noted that it planned to attend a meeting in which FinCEN was planning
to discuss possible methods for achieving this goal. CFTC commented
that it supports all efforts to increase cooperation among regulators
in the BSA area and that it would be pleased to participate in
discussions that would allow the agency to share experiences and
expertise in developing and implementing BSA examination procedures.
In its comments, FinCEN said it concurred with the intent of our
recommendations, particularly in regard to expanding information
sharing with authorized stakeholders, and hoped to be situated in the
future to meet them. The draft report that we sent to the agencies for
comment contained a recommendation that FinCEN finalize information-
sharing and data-access MOUs with CFTC. These MOUs were signed on
January 15, 2009, so we have removed the recommendation from the final
report. In its comments, CFTC noted that the MOUs had been signed and
said that it believed these two agreements would enhance CFTC's ability
to effectively implement its BSA examination responsibilities. Through
discussions with FinCEN officials and FinCEN technical comments, FinCEN
provided us with additional information and data about our draft
recommendation on IRS referrals. We subsequently broadened the
recommendation language to clarify that FinCEN should work with IRS to
develop a process to facilitate communication on referrals and ensure
timely feedback to IRS-examined institutions. FinCEN and IRS said they
agreed with this modification. Finally, in its comments, SEC also
supported our recommendation that FinCEN finalize data-access MOUs with
SROs that conduct BSA examinations. SEC noted its view that direct
access to BSA data would permit FINRA to more effectively use its AML
resources to take a more risk-based approach to identifying firms and
areas within a firm's AML program that required examination.
As agreed with your office, unless you publicly announce the contents
of this report earlier, we plan no further distribution of this report
until 30 days from the report date. At that time, we will send copies
to interested congressional committees, Treasury, FinCEN, Federal
Reserve, FDIC, OCC, OTS, NCUA, SEC, CFTC, IRS, and Justice. The report
also will be available at no charge on the GAO Web site at
http://www.gao.gov.
If you or your staff have questions about this report, please contact me
at (202) 512-8678 or edwardsj@gao.gov. Contact points for our Offices
of Congressional Relations and Public Affairs may be found on the last
page of this report. GAO staff who made major contributions to this
report are listed in appendix XIII.
Signed by:
Jack E. Edwards:
Acting Director, Financial Markets and Community Investment:
[End of section]
Appendix I: Objectives, Scope and Methodology:
Our objectives were to (1) describe how Bank Secrecy Act (BSA)
compliance and enforcement efforts are distributed among federal and
state regulators, self-regulatory organizations (SRO), and the
Financial Crimes Enforcement Network (FinCEN); (2) describe how federal
agencies other than FinCEN are implementing their BSA activities and
evaluate their coordination efforts; and (3) evaluate how FinCEN is
executing its BSA responsibilities and coordinating BSA efforts among
the various agencies.
To describe how BSA compliance and enforcement efforts are distributed
among federal regulators, SROs, and FinCEN, we reviewed and analyzed
authorities established by BSA, the USA PATRIOT Act, and other relevant
federal financial and anti-money laundering (AML) legislation. We also
reviewed prior GAO and Department of the Treasury (Treasury) Inspector
General reports on this issue. In addition, to better understand how
BSA/AML authorities were delegated and interrelate with other financial
regulatory authorities, we interviewed officials from the federal
agencies included in the BSA/AML compliance and enforcement regulatory
framework--FinCEN; the federal banking regulators: the Board of
Governors of the Federal Reserve System (Federal Reserve), Federal
Deposit Insurance Corporation (FDIC), Office of the Comptroller of the
Currency (OCC), Office of Thrift Supervision (OTS), and National Credit
Union Administration (NCUA); Securities and Exchange Commission (SEC),
Commodity Futures Trading Commission (CFTC), and the SROs they
regulate; Internal Revenue Service (IRS); and Department of Justice
(Justice).
To examine how entities with BSA/AML compliance and enforcement
responsibilities implement their BSA activities and evaluate their
coordination efforts, we reviewed prior GAO reports; available BSA/AML
examination manuals and procedures; other related guidance; reports
compiled in accordance with FinCEN information-sharing memorandums of
understanding (MOU); and data maintained on the numbers of the BSA/AML
examinations, violations, and enforcement actions taken in the banking,
securities, futures, and IRS-examined industries. Further, we conducted
data reliability assessments of BSA/AML-related data and found the
information to be reliable for the purposes of this report. In
addition, we reviewed quality assurance reviews conducted by the
federal banking regulators of their BSA/AML examinations. We
interviewed officials from all of the federal agencies and their SROs
mentioned above and also spoke with officials from select state
financial regulatory agencies to obtain information on their BSA/AML
compliance and enforcement activities and how these state agencies
coordinate with federal agencies. We selected state regulators to
interview on the basis of their geography, the presence of a High
Intensity Financial Crime Area in their state, the size and variety of
the financial sectors present in their state, the existence of a money
services business (MSB) examination program in their state, and whether
they were contacted by GAO for a previous BSA/AML-related GAO report in
2006.
With respect to the federal banking regulators and their efforts to
ensure BSA compliance among depository institutions, we reviewed the
Federal Financial Institutions Examinations Council (FFIEC) BSA/AML
interagency examination manual, and GAO staff attended 3 days of
training on the manual provided to federal and state bank examiners. We
also reviewed quarterly and annual reports which included data on
examinations, violations, and enforcement actions, as well as
information on staffing and training, that were submitted by the
federal banking regulators to FinCEN per their MOU. We reviewed these
reports to assess whether regulators were in compliance with MOU
requirements and to inform our understanding of their BSA/AML
compliance activities. In addition to meetings with federal banking
regulator BSA/AML program staff, we also held interviews with groups of
examiners from each of the federal banking regulators to discuss the
manual and interagency coordination. We also spoke with a state banking
regulatory association and credit union regulatory association.
Further, to obtain industry perspective, in cooperation with another
GAO team looking at the usefulness of suspicious activity reports
(SAR), we interviewed two banking industry associations and 20
depository institutions on the impact of the manual and coordination
among federal and state banking regulators.
To select the 20 depository institutions, we grouped the depository
institutions into four categories depending on the numbers of SARs
filed in calendar year 2007. We interviewed representatives from all 5
institutions that had the largest number of SAR filings in 2007, as
well as representatives from 15 randomly selected institutions. The 15
institutions represented different categories of SAR filings: small (1-
4 SARs filed in 2007), medium (5-88), and large (more than 88--
excluding the 5 largest).
To obtain information on the BSA/AML compliance and enforcement
activities of SEC, CFTC, and IRS, we interviewed officials from these
agencies, as well as officials from securities and futures SROs; state
regulatory agencies; securities and futures firms; and securities,
futures, and money transmitter industry associations. We interviewed 8
securities firms through the auspices of an industry trade association
and interviewed one large and one small futures firm drawn from a list provided
by a futures regulator. In addition, we reviewed available examination
modules; related training guidance; and reports provided to FinCEN by
SEC and IRS in accordance with their information-sharing MOUs that
contain data on BSA/AML examinations, violations, and enforcement
actions; as well as BSA/AML training and staffing information. We
obtained and reviewed similar information from CFTC. To describe
Justice's enforcement actions, we interviewed Justice officials,
analyzed Justice's enforcement actions, and reviewed other BSA/AML-
related Justice documentation. In order to evaluate coordination
efforts, we compared the practices of these agencies with best
practices outlined in a GAO report evaluating coordination practices
among federal agencies.[Footnote 70]
To evaluate FinCEN BSA/AML compliance and enforcement efforts, we
collected and reviewed available staffing and performance measurement
data from FinCEN, program assessments, BSA/AML-violation referral data
from its Case Management System (CMS), FinCEN analytical products,
strategic plans and annual reports, and other documentation. We also
assessed the reliability of data provided to us by FinCEN from its CMS
and found it to be reliable for the purposes of this report. In
addition, we reviewed the three surveys FinCEN conducted of users of
its Regulatory Resource Center in 2006, 2007, and 2008 and a fourth
survey it conducted of regulators with which it has information-sharing
MOUs. Despite some potential limitations associated with the surveys,
we concluded that the overall frequencies for survey questions should
be sufficiently valid and reflected the overall opinions of those
surveyed. FinCEN officials also told us that information-sharing MOU
survey respondents might have, in some cases, been providing responses
to reflect their experiences with data-access MOUs. Further, we
interviewed FinCEN officials from the Office of the Director,
Management Programs Division, the Analysis and Liaison Division, and
the Regulatory Policy and Programs Division (RPPD). We conducted
interviews with staff from each of the offices within RPPD. In
addition, we conducted interviews with officials from the federal
banking regulators, SEC, CFTC, securities and futures SROs, IRS, and
industry to discuss FinCEN's efforts.
We conducted this performance audit in Washington, D.C., New York, New
York, and Chicago, Illinois, from October 2007 to February 2009 in
accordance with generally accepted government auditing standards. Those
standards require that we plan and perform the audit to obtain
sufficient, appropriate evidence to provide a reasonable basis for our
findings and conclusions based on our audit objectives. We believe that
the evidence obtained provides a reasonable basis for our findings and
conclusions based on our audit objectives.
[End of section]
Appendix II: Overview of Federal Agencies Involved in the BSA/AML
Framework and Related Resources:
This appendix provides an overview of the compliance and enforcement
activities of the federal financial regulators and IRS and provides
information, to the extent it is available, on their BSA-related
resources and training.
Overview of Federal Agencies Involved in BSA/AML Compliance and
Enforcement:
The federal banking regulators (the Board of Governors of the Federal
Reserve System (Federal Reserve), Federal Deposit Insurance Corporation
(FDIC), Office of the Comptroller of the Currency (OCC), Office of
Thrift Supervision (OTS), and National Credit Union Administration
(NCUA)), Securities and Exchange Commission (SEC), Commodity Futures
Trading Commission (CFTC), securities and futures self-regulatory
organizations (SRO), and Internal Revenue Service (IRS) play roles in
implementing BSA/AML compliance. The U.S. regulatory system is
described as "functional," so that financial products or activities are
generally regulated according to their function, no matter who offers
the product or participates in the activity. Below is a discussion of
their missions and how they undertake general compliance and
enforcement activities within their industries.
Federal Banking Regulators:
Depository institutions can generally determine their regulators by
choosing a particular kind of charter--for example, commercial bank,
thrift, or credit union. These charters may be obtained at the state
level or the national level. While state regulators charter
institutions and participate in oversight of those institutions, all of
these institutions have a primary federal regulator if they have
federal deposit insurance. Broadly, the federal banking regulators that
provide oversight for banks are the Federal Reserve, FDIC, and OCC;
thrifts--OTS; and credit unions--NCUA.[Footnote 71] Banking regulators
generally focus on ensuring the safety and soundness of their
supervised institutions. They conduct safety and soundness examinations
on-site to assess an institution's financial condition, policies and
procedures, and adherence to laws and regulations. Generally,
regulatory agencies perform these examinations every 12 to 18 months,
based on the institution's risk. The Federal Reserve, FDIC, OTS, and
NCUA (but not OCC) alternate or conduct joint safety and soundness
examinations with state regulators, generally using the same
examination procedures. State banking regulators may examine depository
institutions chartered within their jurisdictions.
Federal and state banking regulators may address compliance problems
identified through their examinations by bringing the problem to the
attention of institution management and obtaining a commitment to take
corrective action. When these actions are insufficient or weaknesses
identified are more substantive, regulators may take nonpublic,
informal enforcement actions. Informal actions (which vary among the
federal banking regulators) may include the adoption of resolutions by
an institution's board of directors, the execution of memorandums of
understanding between an institution and the regulators, notices of
safety and soundness deficiency for compliance, commitment letters, or
corrective actions to be taken to address regulatory concerns. Informal
actions usually are taken to address violations that are limited in
scope and technical in nature. Federal banking regulators also may take
formal enforcement actions if a depository institution is engaging in
unsafe or unsound practices or has violated a law or regulation. Formal
enforcement actions are public and generally considered more stringent
than informal actions and can address more significant, repeated, or
systemic BSA violations. Formal enforcement actions include cease-and-
desist orders, assessments of civil money penalties (CMP), or
supervisory agreements. These types of actions are enforceable through
an administrative process or injunctive relief in federal district
court.
SEC and Securities SROs:
SEC's mission is to protect investors; maintain fair, orderly, and
efficient securities markets; and facilitate capital formation. SEC
regulates the securities industry in part through oversight of its
SROs. SEC, through its Office of Compliance and Examination (OCIE),
shares examination responsibilities with securities SROs, which include
examining for BSA/AML compliance. OCIE's routine examinations are
conducted according to a cycle that is based on a registrant's
perceived risk. In addition to routine examinations, OCIE also may
conduct sweep examinations to probe specific activities of a sample of
firms to identify emerging compliance problems so they can be remedied
before becoming severe or systemic. Third, OCIE conducts cause
examinations when it has reason to believe that something is wrong at a
particular firm.
SROs have statutory responsibilities to regulate their own members, and
one SRO--the Financial Industry Regulatory Authority (FINRA)--
provides oversight of the majority of broker-dealers in the securities
industry. SROs conduct risk-based examinations, which include a BSA
component, of their members to ensure compliance with SRO rules and
federal securities laws. These examinations are conducted on a risk-
based cycle (similar to SEC's), and no member is examined less
frequently than every 4 years.
Through oversight inspections of the SROs, OCIE evaluates the quality
of the SROs' oversight in enforcing member compliance. At regular
intervals, OCIE conducts routine inspections of SROs' key regulatory
programs, such as SRO enforcement, arbitration, and examination
programs. Inspection of enforcement programs typically includes a
review of SRO surveillance programs for identifying potential
violations of trading rules or laws, investigating those potential
violations, and disciplining those who violate the rule or law.
SEC and its SROs also have enforcement divisions that are responsible
for investigating and prosecuting violations of securities laws or
regulations as identified through examinations; referrals from other
regulatory organizations; and tips from firm insiders, the public, and
other sources. For less significant issues, examiners may cite a
deficiency for correction through remedial actions. SEC and SRO
examiners conduct exit interviews with firms, which are usually
followed by letters discussing examination findings. SEC issues
deficiency letters that formally identify compliance failures or
internal control weaknesses at a firm.[Footnote 72] Most examinations
conclude with the firm voluntarily correcting the compliance problem
and stating the specific actions it is taking in its response to SEC.
Potential SEC enforcement sanctions include disgorgement, CMPs, cease-
and-desist orders, and injunctions. When SROs find evidence of
potential violations of securities laws or SRO rules by their members,
they can conduct disciplinary hearings and impose penalties. These
penalties can range from disciplinary letters to the imposition of
monetary fines to expulsion from trading and SRO membership.
CFTC and Futures SROs:
CFTC's primary mission is to preserve the integrity of the futures
markets and protect market users and the public from fraud,
manipulation, and abusive practices related to the sale of commodity
futures and options. While CFTC directly performs the market
surveillance and enforcement functions, CFTC carries out its regulatory
functions with respect to futures firms through SROs that act as the
primary supervisor for members of the futures industry. CFTC does not
routinely conduct direct examinations of the institutions that it
supervises; instead, it oversees their SROs'--the National Futures
Association (NFA), Chicago Mercantile Exchange, New York Mercantile
Exchange, Chicago Board of Trade, and the Kansas City Board of Trade--
examinations of futures firms. Each futures exchange is an SRO that
governs its floor brokers, traders, and member firms. NFA also
regulates every firm or individual that conducts futures trading
business with public customers. SROs are responsible for establishing
and enforcing rules governing member conduct and trading, providing for
the prevention of market manipulation, ensuring futures industry
professionals meet qualifications, and examining exchange members for
financial soundness and other regulatory purposes. SROs examine their
members for compliance with their rules, including those imposing BSA/
AML requirements. The futures SROs' examination cycles range from 9 to
18 months for futures commission merchants, but introducing brokers may
have longer examination cycles.
While CFTC does not conduct routine examinations of futures firms, it
provides oversight of futures SROs to ensure that each has an effective
self-regulatory program. CFTC's Division of Clearing and Intermediary
Oversight conducts periodic, risk-based examinations of an SRO's
compliance examination program, which may include BSA/AML issues.
During the examination, CFTC reviews the SRO's documentation of select
examinations and independently performs examinations for the same
periods to compare its results with those of the SRO's examinations.
SROs may take enforcement actions against any member that is in
violation of member rules and CFTC regulations, which include BSA/AML-
related rules. BSA/AML obligations for the futures industry are set
forth in the USA PATRIOT Act, BSA, FinCEN and CFTC regulations, and SRO
member rules. CFTC's Division of Enforcement investigates and
prosecutes alleged violations of the Commodity Exchange Act and CFTC
regulations, and reviews SRO open investigations and enforcement
actions.
IRS:
IRS is a bureau within Treasury, with the mission of helping taxpayers
understand and meet their tax responsibilities and ensuring that all
taxpayers comply with tax laws. Unlike others with BSA/AML compliance
responsibilities, IRS does not conduct examinations of compliance with
any legislation other than BSA/AML rules and regulations. FinCEN
delegated BSA examination authority to IRS for any financial
institution not subject to BSA examination by another federal
regulator. These institutions are mainly nonbank financial institutions
(NBFI) such as casinos, some credit unions, credit card operators, and
approximately 200,000 money services businesses (MSB), which are the
most numerous of the NBFIs.
IRS's Small Business/Self-Employed Division, which reports to the
Deputy Commissioner of Services and Employment, conducts BSA compliance
examinations of NBFIs. In 2004, IRS created the Office of BSA/Fraud
within the Small Business/Self-Employed Division to better focus on BSA
examinations of NBFIs. IRS's BSA program also aims to increase the
number of identified NBFIs, conduct outreach and education to NBFIs,
and refer any NBFIs to the Financial Crimes Enforcement Network
(FinCEN) or IRS Criminal Investigation for civil and criminal
enforcement actions. IRS Criminal Investigation, IRS's enforcement arm,
investigates individuals and businesses suspected of criminal
violations of the Internal Revenue Code, money laundering and currency
crime, and some BSA laws. IRS Criminal Investigation usually
investigates BSA criminal violations in conjunction with other tax
violations. IRS Criminal Investigation's first enforcement priority is
tax fraud and tax evasion, but currency reporting and money laundering
enforcement also are areas of emphasis.
Federal Agencies Generally Incorporate BSA/AML-related Staffing and
Training into Overall Compliance Programs, but Some Maintain BSA/AML-
dedicated Information on Resources:
Staffing:
The federal banking regulators, SEC, and CFTC incorporate their BSA
activities into their overall compliance programs. However, all the
regulators either track the number of hours spent on BSA/AML issues or
numbers of staff with BSA/AML-related responsibilities. All of the
regulators have staff that examine institutions for BSA/AML compliance
concurrently with their comprehensive safety and soundness compliance
examinations. The points below summarize BSA/AML-specific data (for
2008 where possible) for each regulator (IRS excepted):
* Federal Reserve. The Federal Reserve has a BSA/AML Risk Section
within its Division of Banking Supervision and Regulation, which
consists of seven staff who monitor BSA/AML compliance concerns and
liaise with staff from Federal Reserve Banks to provide guidance on
BSA/AML issues. Federal Reserve officials said they also have BSA/AML
specialists located in some Federal Reserve Banks.
* FDIC. In 2008, of the 1,680 examiners that conduct safety and
soundness examinations (during which a BSA/AML examination is conducted
concurrently), 324 were BSA subject matter experts, and 117 are
certified AML specialist examiners. Further, FDIC officials estimated
the agency devoted 107.4 and 103.5 full-time equivalent positions to
BSA/AML activities in 2006 and 2007, respectively.
* OCC. OCC has a Director for BSA/AML Compliance that oversees a staff
of six full-time BSA/AML compliance specialists in its headquarters.
From 2005 through 2007, OCC officials estimated that the agency
annually devoted an average of 105 full-time equivalent positions to
the BSA, while in 2008, OCC devoted approximately 86 full-time
equivalents.
* OTS. In 2008, OTS reported that five Regional Assistant Directors for
Compliance serve as subject matter resources on BSA, in addition to 15
regional compliance specialists, and 2 national office staff that are
dedicated to BSA/AML issues. OTS officials estimated the time its
attorneys devoted to BSA/AML issues as being equivalent to two full-
time positions.
* NCUA. As of September 30, 2008, NCUA reported employing 514
examiners, which included 31 examiners designated as consumer
compliance subject matter examiners (which includes BSA/AML issues).
Each of NCUA's five regional offices has at least one BSA/AML analyst,
its Office of Examination and Insurance has two BSA/AML program
officers, and the Office of General Counsel has two attorneys that
focus on BSA issues.
* SEC. SEC has a BSA/AML team comprised of from five to seven OCIE
staff members, from three to five Division of Enforcement staff
members, and three members from the Division of Trading and Markets.
The team is responsible for monitoring its BSA/AML examination program;
providing expertise to regional offices; and maintaining communication
with FinCEN, the SROs, and other regulators on AML issues. Further, SEC
broker-dealer examination staff have an AML working group consisting of
one or more representatives from each regional office, who serve as AML
experts. FINRA has nine AML regulatory experts.
* CFTC. CFTC does not have full-time staff dedicated solely to BSA/AML
compliance; however, various staff may be involved in BSA/AML issues.
CFTC staff conduct periodic oversight examinations of SROs' compliance
examination programs, which include a review of BSA/AML procedures.
CFTC staff also devote time to BSA/AML policy issues during the rule-
making process and at other times, as requested by FinCEN. Futures SROs
include BSA/AML as part of their broader compliance examination
programs. NFA and the Chicago Mercantile Exchange have 130 and 59
examination staff respectively, all of whom have been trained in BSA/
AML.
Training:
All of the regulators and their SROs that examine financial
institutions for BSA/AML compliance provide opportunities to their
staff to receive BSA/AML training--provided by the agency, working
groups (such as FFIEC), or outside vendors. FFIEC, for example,
provides both an AML workshop for examiners knowledgeable of BSA and
experienced in examining institutions for BSA program compliance and,
as of 2007, an advanced BSA/AML specialists conference for designated
BSA compliance examiners and other BSA subject matter experts. In 2007,
over 400 trainees participated in these programs. Agencies and SROs
provided several examples of BSA/AML training available to their staff
and others (see table 11).
Table 11: BSA/AML Training, by Regulator:
Regulators and SROs: Federal Reserve;
Training description: Federal Reserve staff conduct BSA/AML training
using an online training module. The Federal Reserve's
BSA/AML Risk Section conducts monthly telephone calls and hosts two
conferences each year with senior
BSA/AML staff.
Regulators and SROs: FDIC;
Training description: FDIC offers a certificate program for FDIC
personnel on the BSA/AML examination process. FDIC also trains
its legal and consumer compliance staff on BSA/AML; FDIC officials
added that once every 3 years, each regional office has mandatory
examiner training conferences that include BSA issues. Further, every 18
months, FDIC holds a joint conference with the Department of Justice
(Justice) that focuses on fraud aspects of AML that state bank
regulators also attend.
Regulators and SROs: OCC;
Training description: Among its training initiatives, OCC has online
training, an "AML School," and provides additional training
opportunities through external conferences. The "AML School" is a 27-
hour classroom course, which is designed to train participants to
recognize potential money laundering risks, including suspicious
activity monitoring, and assess the adequacy of an institution's
policies and procedures.
Regulators and SROs: OTS;
Training description: OTS provides BSA/AML training to its examiners
through internal and external conferences, as well as meeting and
online training modules. It includes BSA/AML compliance in its advanced
compliance examiner schools.
Regulators and SROs: NCUA;
Training description: NCUA officials said that part of its core
examiner training addresses BSA, and they also provide BSA training
at the Consumer Compliance SME conferences. Examiners also obtain BSA
training from external sources.
Regulators and SROs: SEC;
Training description: SEC regularly trains staff on BSA, including
joint training with the SROs. SEC recently conducted a 3-day
training session with its SROs that focused on AML. FinCEN, Office of
Foreign Assets Control, High Intensity Financial Crime Area, and SRO
staff were among the speakers.[A]
Regulators and SROs: FINRA;
Training description: FINRA provides its examiners with training
through BSA/AML-specific online learning and telephone-in
workshops, as well as Internet broadcasts. In addition, FINRA's
"Compliance Boot Camp" has included an AML component, which has been
developed into a separate "AML Boot Camp." Further, FINRA holds annual
joint trainings with other SROs' examiners on BSA/AML compliance.
Regulators and SROs: CFTC;
Training description: CFTC periodically trains its staff on BSA,
including joint training with the SROs. Most recently, CFTC conducted
staff training jointly with NFA. The training covered, among other
things, NFA's AML examination protocol as well as certain money
laundering hypotheticals.
Regulators and SROs: NFA;
Training description: New NFA audit staff members receive AML training
as part of their initial audit training; and examiners receive ongoing
training, updates on regulations, guidance, or notices relating to
BSA/AML. NFA's Compliance Department discusses any new AML issues at
staff meetings and maintains an intranet page with AML information and
staff guidance.
Source: Regulator documentation and data.
[A] The Office of Foreign Assets Control administers and enforces
economic and trade sanctions against countries and groups of
individuals, such as terrorists and narcotics traffickers. Beginning in
2000, Treasury and Justice designated certain areas as High Intensity
Financial Crime Areas: Chicago, Illinois; Los Angeles, California; San
Francisco, California; Miami, Florida; San Juan, Puerto Rico; the
southwest border (Texas and Arizona); and New York and New Jersey. The
designations were designed to allow law enforcement to concentrate
resources in areas where money laundering or related financial crimes
were occurring at a higher-than-average rate.
[End of table]
IRS Has a BSA/AML-Specific Compliance Unit, Budget, and Performance
Measures:
Unlike the federal banking regulators, SEC, and CFTC, who incorporate
BSA activities into their compliance programs, IRS's BSA/AML activities
are managed separately in its Office of Fraud/BSA within the Small
Business/Self Employment division. This office is solely dedicated to
examining NBFIs for BSA compliance. Since IRS created the office, IRS
has tracked several BSA-specific output and efficiency performance
measures, such as number of examinations, referrals, closures, and
hours per case (see table 12). IRS also has a detailed strategic plan
devoted to BSA compliance and enforcement activities.
Table 12: IRS BSA Performance Measures, Fiscal Years 2004-2007:
Performance measure: Number of closures;
FY 2004: 3,481;
FY 2005: 3,712;
FY 2006: 6,538;
FY 2007: 8,531.
Performance measure: Hours per case;
FY 2004: [A];
FY 2005: 49;
FY 2006: 40;
FY 2007: 33.
Performance measure: Cycle time;
FY 2004: [A];
FY 2005: 218;
FY 2006: 188;
FY 2007: 132.
Case in inventory: Assigned to examiner--examination not started;
FY 2004: [B];
FY 2005: [B];
FY 2006: 3,520;
FY 2007: 2,823.
Case in inventory: Assigned to examiner--examination started;
FY 2004: [B];
FY 2005: [B];
FY 2006: 2,707;
FY 2007: 3,404.
Case in inventory: Net number of new starts;
FY 2004: [B];
FY 2005: [B];
FY 2006: 2,664;
FY 2007: 3,100.
Case in inventory: Referrals to IRS-CI;
FY 2004: 9;
FY 2005: 21;
FY 2006: 12;
FY 2007: 24.
Case in inventory: Referrals to FinCEN;
FY 2004: 8;
FY 2005: 10;
FY 2006: 14;
FY 2007: 22.
Case in inventory: Referrals to tax examiners;
FY 2004: 1,663;
FY 2005: 1,572;
FY 2006: 677;
FY 2007: [C].
Sources: GAO and IRS.
[A] Information on hours per case and cycle time was not captured until
January 2005.
[B] Information is not provided for fiscal years 2004 and 2005.
[C] The methodology for capturing this information has changed and
information is not available as a measure comparable to prior fiscal
years.
[End of table]
We previously reported that IRS lacked a measure for NBFI compliance
rates with BSA and thus could not track program effectiveness over
time. We recommended that the Secretary of Treasury direct FinCEN and
IRS to develop a documented and coordinated strategy--that would
include priorities, time frames, and resource needs, and measure the
compliance rate of NBFIs--to improve BSA compliance by NBFIs.[Footnote
73] IRS and FinCEN responded by developing such a strategy, which
identifies various NBFI categories, prioritizes actions to be taken
overall and within each category for improving BSA compliance, explains
who is responsible for the actions, and establishes the time frames for
identifying whether an action has been completed or when it is to be
completed. Similar to the other regulators, IRS's Office of BSA/Fraud
conducts quality reviews of examinations.
Over the last several years, IRS has increased the resources it devotes
to BSA compliance. In fiscal year 2007, IRS spent over $71 million and
700 full-time equivalents on BSA-related activities, which is an
increase of 3 percent and 5 percent, respectively, from 2006.
Specifically, the Small Business/Self Employment's Office of Fraud/BSA
increased its BSA field examiner staff from 372 in 2006 to 385 in 2007.
New Small Business/Self Employment employees receive Basic BSA/AML
training on both BSA and currency transaction reporting requirements
(Form 8300 examinations). Experienced BSA examiners receive specialized
training for specific industries, such as insurance companies, credit
unions, casinos, and jewelry and precious metals dealers. IRS also has
developed specific BSA training for managers and coaches of BSA
examiners. The Office of Fraud/BSA also distributes a BSA/AML
examination guide, provides BSA newsletters, and updated the Insurance
Industry Guide and Internal Revenue Manual.
[End of section]
Appendix III: Examples of BSA/AML-Related Formal Enforcement Actions:
In fiscal year 2008, approximately 70 BSA/AML-related formal
enforcement actions were taken by federal financial regulators--the
Board of Governors of the Federal Reserve System (Federal Reserve),
Federal Deposit Insurance Corporation (FDIC), Office of the Comptroller
of the Currency (OCC), Office of Thrift Supervision (OTS), Securities
and Exchange Commission (SEC)--the National Futures Association (NFA), the
Financial Industry Regulatory Authority (FINRA), and other self-
regulatory organizations (SROs). In fiscal years 2006-2008, the
Financial Crimes Enforcement Network (FinCEN) and the federal financial
regulators and SROs jointly assessed 11 civil money penalties (CMP).
Table 13 contains examples of formal enforcement actions, excluding
CMPs, that were not taken concurrently with FinCEN.
Table 13: Examples of Formal Enforcement Actions, Excluding CMPs, Taken
By Federal Financial Regulators and SROs for BSA/AML-related Compliance
Problems, Fiscal Years 2006-2008:
Enforcement action: Cease-and-desist order;
Date: 4/2006;
Regulator: FDIC[A];
Other regulators involved in the issuance of the enforcement action:
West Virginia Division of Banking;
Depository institution: MCNB Bank and Trust Co.
Areas of significant BSA-related problems: Internal controls;
Independent audit; Independent testing; BSA compliance officer.
Enforcement action: Cease-and-desist order;
Date: 8/2006;
Regulator: FDIC;
Other regulators involved in the issuance of the enforcement action:
[Empty];
Depository institution: FirstBank of Puerto Rico;
Areas of significant BSA-related problems: BSA compliance program;
Currency transaction reporting; Suspicious activity reporting; Customer
due diligence.
Enforcement action: Cease-and-desist order;
Date: 7/2007;
Regulator: FDIC;
Other regulators involved in the issuance of the enforcement action:
[Empty];
Depository institution: Central Progressive Bank;
Areas of significant BSA-related problems: BSA compliance officer; BSA
compliance program.
Enforcement action: Cease-and-desist order;
Date: 4/2008;
Regulator: FDIC;
Other regulators involved in the issuance of the enforcement action:
[Empty];
Depository institution: Sun Security Bank;
Areas of significant BSA-related problems: Financial recordkeeping;
Currency transaction reporting; Suspicious activity reporting.
Enforcement action: Cease-and-desist order;
Date: 6/2006;
Regulator: Federal Reserve;
Other regulators involved in the issuance of the enforcement action:
Missouri Department of Economic Development;
Depository institution: Progress Bancshares, Inc.
Areas of significant BSA-related problems: Independent testing;
Customer due diligence.
Enforcement action: Written agreement;
Date: 3/2007;
Regulator: Federal Reserve;
Other regulators involved in the issuance of the enforcement action:
New York State Banking Department;
Depository institution: Banco de la Nacion Argentina;
Areas of significant BSA-related problems: BSA compliance program;
Suspicious activity reporting; Customer due diligence; Transaction
monitoring.
Enforcement action: Written agreement;
Date: 3/2007;
Regulator: Federal Reserve;
Other regulators involved in the issuance of the enforcement action:
Ohio Division of Financial Institutions;
Depository institution: North Valley Bank;
Areas of significant BSA-related problems: Suspicious activity
reporting; Customer due diligence.
Enforcement action: Written agreement;
Date: 1/2008;
Regulator: Federal Reserve;
Other regulators involved in the issuance of the enforcement action:
Indiana Department of Financial Institutions;
Depository institution: Salin Bank and Trust Company;
Areas of significant BSA-related problems: BSA compliance program;
Suspicious activity reporting; Customer due diligence.
Enforcement action: Expulsion;
Date: 4/2006;
Regulator: National Association of Securities Dealers;
Other regulators involved in the issuance of the enforcement action:
[Empty];
Depository institution: Salomon Grey Financial Corporation;
Areas of significant BSA-related problems: BSA compliance program;
Customer identification program; Suspicious activity reporting;
Training; Independent testing; Internal controls; BSA compliance
officer.
Enforcement action: Cease-and-desist order;
Date: 2/2007;
Regulator: National Credit Union Administration (NCUA);
Other regulators involved in the issuance of the enforcement action:
[Empty];
Depository institution: Dover N.J. Spanish American Federal Credit
Union;
Areas of significant BSA-related problems: BSA compliance officer;
Monitoring wire transfers; Currency transaction
reporting; Suspicious activity reporting; Internal controls.
Enforcement action: Cease-and-desist order;
Date: 6/2007;
Regulator: NCUA;
Other regulators involved in the issuance of the enforcement action:
[Empty];
Depository institution: Garden Savings Federal Credit Union;
Areas of significant BSA-related problems: BSA compliance program; BSA
compliance officer; Customer identification program; Customer due
diligence; Suspicious activity reporting; Currency transaction
reporting; BSA written procedures; Training; 314(a) requests;
Independent testing.
Enforcement action: Complaint;
Date: 8/2006;
Regulator: NFA;
Other regulators involved in the issuance of the enforcement action:
[Empty];
Depository institution: Spencer Financial, LLC;
Areas of significant BSA-related problems: Written AML policies and
procedures; Customer identification program;
314(a) requests; Training; Independent audit.
Enforcement action: Complaint;
Date: 12/2006;
Regulator: NFA;
Other regulators involved in the issuance of the enforcement action:
[Empty];
Depository institution: Steadfast Futures Options;
Areas of significant BSA-related problems: Training; Suspicious
activity reporting; Customer identification program; Independent audit.
Enforcement action: Complaint;
Date: 10/2007;
Regulator: NFA;
Other regulators involved in the issuance of the enforcement action:
[Empty];
Depository institution: Edwards Thomas Trading Co.
Areas of significant BSA-related problems: BSA compliance program;
Independent audit; Training.
Enforcement action: Complaint;
Date: 8/2008;
Regulator: NFA;
Other regulators involved in the issuance of the enforcement action:
[Empty];
Depository institution: Commodity Futures Consultants Corp.
Areas of significant BSA-related problems: Monitoring wire transfers;
Suspicious activity reporting.
Enforcement action: Written agreement;
Date: 2/2006;
Regulator: OCC;
Other regulators involved in the issuance of the enforcement action:
[Empty];
Depository institution: Maryland Bank and Trust Company, N.A.
Areas of significant BSA-related problems: BSA compliance program;
Internal controls; Training; Financial record keeping; BSA compliance
officer.
Enforcement action: Cease-and-desist order;
Date: 9/2006;
Regulator: OCC;
Other regulators involved in the issuance of the enforcement action:
[Empty];
Depository institution: Doha Bank;
Areas of significant BSA-related problems: BSA compliance program;
Monitoring wire transfers; Suspicious activity reporting; Internal
controls.
Enforcement action: Written agreement;
Date: 11/2006;
Regulator: OCC;
Other regulators involved in the issuance of the enforcement action:
[Empty];
Depository institution: FirstMerit Bank;
Areas of significant BSA-related problems: BSA compliance officer;
Internal controls; Independent audit; Training;
Monitoring wire transfers.
Enforcement action: Written agreement;
Date: 3/2007;
Regulator: OCC;
Other regulators involved in the issuance of the enforcement action:
[Empty];
Depository institution: Farmers National Bank of Osborne;
Areas of significant BSA-related problems: BSA compliance program; BSA
compliance officer; Internal controls; Independent testing; Training;
Written AML policies and procedures.
Enforcement action: Written agreement;
Date: 7/2008;
Regulator: OCC;
Other regulators involved in the issuance of the enforcement action:
[Empty];
Depository institution: Granite Community Bank, N.A.
Areas of significant BSA-related problems: Internal controls;
Transaction monitoring; Monitoring wire transfers;
Currency transaction reporting; Suspicious activity reporting.
Enforcement action: Written agreement;
Date: 10/2008;
Regulator: OCC;
Other regulators involved in the issuance of the enforcement action:
[Empty];
Depository institution: Omni National Bank;
Areas of significant BSA-related problems: Internal controls;
Independent testing; Customer due diligence; Suspicious activity
reporting.
Enforcement action: Written agreement;
Date: 12/2005;
Regulator: OTS;
Other regulators involved in the issuance of the enforcement action:
[Empty];
Depository institution: Baltimore County Savings Bank, FSB;
Areas of significant BSA-related problems: BSA compliance program;
Customer identification program; Written AML policies and procedures;
Currency transaction reporting.
Enforcement action: Cease-and-desist order;
Date: 4/2006;
Regulator: OTS;
Other regulators involved in the issuance of the enforcement action:
[Empty];
Depository institution: United Trust Bank;
Areas of significant BSA-related problems: BSA compliance program;
Internal controls; Training; Independent testing; Suspicious activity
reporting; Currency transaction reporting; Customer identification
program.
Enforcement action: Cease-and-desist order;
Date: 10/2006;
Regulator: OTS;
Other regulators involved in the issuance of the enforcement action:
[Empty];
Depository institution: R-G Crown Bank;
Areas of significant BSA-related problems: BSA compliance program;
Customer identification program; Financial record keeping; BSA
compliance officer; Training; Suspicious activity reporting.
Enforcement action: Written agreement;
Date: 5/2007;
Regulator: OTS;
Other regulators involved in the issuance of the enforcement action:
[Empty];
Depository institution: First Federal Savings and Loan Association of
Greensburg;
Areas of significant BSA-related problems: BSA compliance officer;
Training; Independent testing; Internal controls; Customer
identification program; Currency transaction reporting; Suspicious
activity reporting.
Enforcement action: Cease-and-desist order;
Date: 10/2007;
Regulator: OTS;
Other regulators involved in the issuance of the enforcement action:
[Empty];
Depository institution: Washington Mutual Bank;
Areas of significant BSA-related problems: BSA compliance officer;
Training; Independent testing; Internal controls; Customer
identification program.
Enforcement action: Cease-and-desist order;
Date: 5/2006;
Regulator: SEC;
Other regulators involved in the issuance of the enforcement action:
[Empty];
Depository institution: Crowell, Weedon & Co.;
Areas of significant BSA-related problems: Customer identification
program.
Enforcement action: Cease-and-desist order;
Date: 12/2007;
Regulator: SEC;
Other regulators involved in the issuance of the enforcement action:
[Empty];
Depository institution: Park Financial Group, Inc.
Areas of significant BSA-related problems: Suspicious activity
reporting.
Enforcement action: Cease-and-desist order;
Date: 7/2008;
Regulator: SEC;
Other regulators involved in the issuance of the enforcement action:
[Empty];
Depository institution: E*Trade Clearing, LLC and E*Trade Securities,
LLC;
Areas of significant BSA-related problems: Customer identification
program.
Source: GAO analysis of enforcement actions provided by federal
regulators and SROs.
Note: FinCEN only issues penalties or notification/warning letters.
FinCEN does not take any other administrative actions (such as Cease-
and-Desist Orders). Accordingly, regulators are not required to submit
notice of many of these actions to FinCEN as they were only partially
BSA-related actions.
[A] FDIC issued 7, 29, and 17 formal enforcement actions for BSA/AML-
related compliance problems in fiscal years 2006, 2007, and 2008,
respectively.
[B] The Federal Reserve issued 8, 7, and 2 formal enforcement actions
for BSA-related compliance problems in fiscal years 2006, 2007, and
2008, respectively.
[C] NCUA issued two formal enforcement actions for BSA-related
compliance problems in fiscal year 2007.
[D] NFA issued 21, 10, and 8 formal enforcement actions for BSA/AML-
related compliance problems in calendar years 2006, 2007, and 2008,
respectively. Data for calendar year 2008 is through August 19, 2008.
[E] OCC issued 19, 14, and 9 formal enforcement actions for BSA/AML-
related compliance problems in fiscal years 2006, 2007, and 2008,
respectively.
[F] OTS issued 15, 13, and 9 formal enforcement actions for BSA/AML-
related compliance problems in fiscal years 2006, 2007, and 2008,
respectively.
[G] SEC issued 2 formal enforcement actions for BSA/AML-related
compliance problems in fiscal year 2008.
[End of table]
Table 14 lists examples of BSA/AML-related CMPs issued: (1) jointly by
federal and state regulators, SROs, and FinCEN; (2) solely by FinCEN;
and (3) by federal regulators only.
Table 14: Examples of CMPs Assessed by FinCEN, Federal Financial
Regulators, and SROs for BSA/AML-related Compliance Violations, Fiscal
Years 2006-2008:
Date: 10/2005;
Financial institution or other party: Banco de Chile-New York and Banco
de Chile-Miami;
CMP amount: $3,000,000;
CMP assessed jointly by FinCEN and the designated examining authority:
[Check];
Designated examining authority with whom FinCEN jointly assessed CMP:
OCC;
CMP assessed solely by FinCEN: [Empty];
CMP assessed solely by the federal regulator: [Empty];
Federal designated examining authority: Federal Reserve and OCC.
Date: 12/2005;
Financial institution or other party: The New York branch of ABN AMRO
Bank N.V.
CMP amount: $80,000,000;
CMP assessed jointly by FinCEN and the designated examining authority:
[Check];
Designated examining authority with whom FinCEN jointly assessed CMP:
Federal Reserve, New York State Banking Department;
CMP assessed solely by FinCEN: [Empty];
CMP assessed solely by the federal regulator: [Empty];
Federal designated examining authority: Federal Reserve.
Date: 12/2005;
Financial institution or other party: Oppenheimer & Co, Inc.
CMP amount: $2,800,000;
CMP assessed jointly by FinCEN and the designated examining authority:
[Check];
Designated examining authority with whom FinCEN jointly assessed CMP:
New York Stock Exchange;
CMP assessed solely by FinCEN: [Empty];
CMP assessed solely by the federal regulator: [Empty];
Federal designated examining authority: SEC.
Date: 3/2006;
Financial institution or other party: The Tonkawa Tribe of Oklahoma and
Edward E. Street;
CMP amount: $1,000,000 and $1,500,000;
CMP assessed jointly by FinCEN and the designated examining authority:
[Empty];
Designated examining authority with whom FinCEN jointly assessed CMP:
[Empty];
CMP assessed solely by FinCEN: [Check];
CMP assessed solely by the federal regulator: [Empty];
Federal designated examining authority: Internal Revenue Service (IRS).
Date: 4/2006;
Financial institution or other party: Home Building and Loan Company;
CMP amount: $15,000;
CMP assessed jointly by FinCEN and the designated examining authority:
[Empty];
Designated examining authority with whom FinCEN jointly assessed CMP:
[Empty];
CMP assessed solely by FinCEN: [Empty];
CMP assessed solely by the federal regulator: [Check];
Federal designated examining authority: OTS.
Date: 4/2006;
Financial institution or other party: The New York Branch of
Metropolitan Bank and Trust Company;
CMP amount: $150,000;
CMP assessed jointly by FinCEN and the designated examining authority:
[Check];
Designated examining authority with whom FinCEN jointly assessed CMP:
OCC;
CMP assessed solely by FinCEN: [Empty];
CMP assessed solely by the federal regulator: [Empty];
Federal designated examining authority: OCC.
Date: 4/2006;
Financial institution or other party: BankAtlantic;
CMP amount: $10,000,000[A];
CMP assessed jointly by FinCEN and the designated examining authority:
[Check];
Designated examining authority with whom FinCEN jointly assessed CMP:
OTS;
CMP assessed solely by FinCEN: [Empty];
CMP assessed solely by the federal regulator: [Empty];
Federal designated examining authority: OTS.
Date: 5/2006;
Financial institution or other party: Frosty Food Mart;
CMP amount: $10,000;
CMP assessed jointly by FinCEN and the designated examining authority:
[Empty];
Designated examining authority with whom FinCEN jointly assessed CMP:
[Empty];
CMP assessed solely by FinCEN: [Check];
CMP assessed solely by the federal regulator: [Empty];
Federal designated examining authority: IRS.
Date: 5/2006;
Financial institution or other party: Liberty Bank of New York;
CMP amount: $600,000;
CMP assessed jointly by FinCEN and the designated examining authority:
[Check];
Designated examining authority with whom FinCEN jointly assessed CMP:
FDIC, New York State Banking Department;
CMP assessed solely by FinCEN: [Empty];
CMP assessed solely by the federal regulator: [Empty];
Federal designated examining authority: FDIC.
Date: 7/2006;
Financial institution or other party: Deprez's Quality Jewelry and
Loans, Inc.
CMP amount: $25,000;
CMP assessed jointly by FinCEN and the designated examining authority:
[Empty];
Designated examining authority with whom FinCEN jointly assessed CMP:
[Empty];
CMP assessed solely by FinCEN: [Check];
CMP assessed solely by the federal regulator: [Empty];
Federal designated examining authority: IRS.
Date: 10/2006;
Financial institution or other party: Israeli Discount Bank of New
York;
CMP amount: $12,000,000;
CMP assessed jointly by FinCEN and the designated examining authority:
[Check];
Designated examining authority with whom FinCEN jointly assessed CMP:
FDIC, New York State Banking Department;
CMP assessed solely by FinCEN: [Empty];
CMP assessed solely by the federal regulator: [Empty];
Federal designated examining authority: FDIC.
Date: 12/2006;
Financial institution or other party: The Foster Bank;
CMP amount: $2,000,000;
CMP assessed jointly by FinCEN and the designated examining authority:
[Empty];
Designated examining authority with whom FinCEN jointly assessed CMP:
[Empty];
CMP assessed solely by FinCEN: [Check];
CMP assessed solely by the federal regulator: [Empty];
Federal designated examining authority: FDIC.
Date: 12/2006;
Financial institution or other party: Beach Bank;
CMP amount: $800,000;
CMP assessed jointly by FinCEN and the designated examining authority:
[Check];
Designated examining authority with whom FinCEN jointly assessed CMP:
FDIC, Florida Office of Financial Regulation;
CMP assessed solely by FinCEN: [Empty];
CMP assessed solely by the federal regulator: [Empty];
Federal designated examining authority: FDIC.
Date: 2/2007;
Financial institution or other party: International Bank of Miami;
CMP amount: $250,000;
CMP assessed jointly by FinCEN and the designated examining authority:
[Empty];
Designated examining authority with whom FinCEN jointly assessed CMP:
[Empty];
CMP assessed solely by FinCEN: [Empty];
CMP assessed solely by the federal regulator: [Check];
Federal designated examining authority: OCC.
Date: 5/2007;
Financial institution or other party: United Bank of Africa, Plc;
CMP amount: $500,000;
CMP assessed jointly by FinCEN and the designated examining authority:
[Empty];
Designated examining authority with whom FinCEN jointly assessed CMP:
[Empty];
CMP assessed solely by FinCEN: [Empty];
CMP assessed solely by the federal regulator: [Check];
Federal designated examining authority: OCC.
Date: 8/2007;
Financial institution or other party: American Express Bank
International and American Express Travel Related Services Company, Inc.
CMP amount: $20,000,000 and $5,000,000[B];
CMP assessed jointly by FinCEN and the designated examining authority:
[Check];
Designated examining authority with whom FinCEN jointly assessed CMP:
Federal Reserve;
CMP assessed solely by FinCEN: [Empty];
CMP assessed solely by the federal regulator: [Empty];
Federal designated examining authority: Federal Reserve.
Date: 9/2007;
Financial institution or other party: Union Bank of California, N.A.
CMP amount: $10,000,000[C];
CMP assessed jointly by FinCEN and the designated examining authority:
[Check];
Designated examining authority with whom FinCEN jointly assessed CMP:
OCC;
CMP assessed solely by FinCEN: [Empty];
CMP assessed solely by the federal regulator: [Empty];
Federal designated examining authority: OCC.
Date: 1/2008;
Financial institution or other party: Sigue Corporation and Sigue, LLC;
CMP amount: $12,000,000[D];
CMP assessed jointly by FinCEN and the designated examining authority:
[Empty];
Designated examining authority with whom FinCEN jointly assessed CMP:
[Empty];
CMP assessed solely by FinCEN: [Check];
CMP assessed solely by the federal regulator: [Empty];
Federal designated examining authority: IRS.
Date: 4/2008;
Financial institution or other party: El Noa Noa Corporation;
CMP amount: $12,000;
CMP assessed jointly by FinCEN and the designated examining authority:
[Empty];
Designated examining authority with whom FinCEN jointly assessed CMP:
[Empty];
CMP assessed solely by FinCEN: [Check];
CMP assessed solely by the federal regulator: [Empty];
Federal designated examining authority: IRS.
Date: 4/2008;
Financial institution or other party: NY Branch United Bank of Africa
CMP amount: $15,000,000;
CMP assessed jointly by FinCEN and the designated examining authority:
[Check];
Designated examining authority with whom FinCEN jointly assessed CMP:
OCC;
CMP assessed solely by FinCEN: [Empty];
CMP assessed solely by the federal regulator: [Empty];
Federal designated examining authority: OCC.
Source: GAO analysis of enforcement actions provided by federal
regulators and FinCEN.
[A] CMP issued concurrently with a Justice-deferred prosecution
agreement and accompanying $10,000,000 forfeiture.
[B] CMP issued concurrently with a Justice-deferred prosecution
agreement and accompanying $55,000,000 forfeiture by Justice and a
cease-and-desist order and $20,000,000 CMP by the Federal Reserve.
[C] CMP issued concurrently with a Justice-deferred prosecution
agreement and accompanying $21,600,000 forfeiture.
[D] CMP issued concurrently with a Justice-deferred prosecution
agreement and accompanying $15,000,000 forfeiture.
[End of table]
[End of section]
Appendix IV: Comments from the Department of the Treasury's Financial
Crimes Enforcement Network:
Department Of The Treasury:
Director:
Financial Crimes Enforcement Network:
[hyperlink, http://www.fincen.gov]
February 2, 2009:
Mr. Jack Edwards:
Acting Director, Financial Markets and Community Investment:
U.S. Government Accountability Office:
441 G Street N.W.
Washington, D.C. 20515:
Dear Mr. Edwards:
Thank you for the opportunity to review and comment on the Government
Accountability Office (GAO) draft report entitled, Bank Secrecy Act:
Federal Agencies Should Take Action to Further Improve Coordination and
Information-Sharing Efforts. One of the Department's goals is to
promote the nation's security through strengthened financial systems.
The Bank Secrecy Act (BSA) contributes to this goal by ensuring that
financial activity is safer and more transparent. As administrator of
the BSA, the Financial Crimes Enforcement Network (FinCEN) is
responsible for ensuring effective, efficient, and consistent
application of, examination for, and enforcement of the BSA.
As you know, various industries are subject to the BSA. Authority to
examine financial institutions for compliance with the requirements is
delegated to the five Federal Banking Agencies, the Securities and
Exchange Commission, the Commodity Futures Trading Commission, and the
Internal Revenue Service. Each of these agencies refers back to FinCEN
indications of significant violations, for FinCEN to consider whether
to take an enforcement action under the BSA. Ensuring consistency among
such diversity is an ongoing challenge, but a challenge that FinCEN
takes seriously and remains committed to improving. I personally have
engaged with the leadership of each of the eight aforementioned
agencies regarding BSA issues. FinCEN concurs with the intent of the
recommendations, particularly in regard to expanding information
sharing with authorized stakeholders, and hopes to be situated in the
future to meet these suggestions. In addition, FinCEN provided
technical comments under separate cover for GAO's consideration in
finalizing the audit report.
We appreciate GAO's efforts in reviewing BSA compliance and
enforcement. If you have any questions, then please feel free to
contact Jamal El-Hindi, Associate Director, Regulatory Policy and
Programs Division, at 202-354-6414.
Sincerely,
/s/
James H. Freis, Jr.
[End of section]
Appendix V: Comments from the Internal Revenue Service:
Department Of The Treasury:
Internal Revenue Service:
Deputy Commissioner:
Washington, D.C. 20224:
February 2, 2009:
Mr. Jack Edwards:
Acting Director:
Financial Markets and Community Investment:
U.S. Government Accountability Office:
441 G Street, N.W.
Washington, D.C. 20548:
Dear Mr. Edwards:
Thank you for the opportunity to review and comment on the Government
Accountability Office (GAO) draft report titled, "BANK SECRECY ACT:
Federal Agencies Should Take Action to Further Improve Coordination and
Information-Sharing Efforts" (GAO-09-227). We appreciate GAO's efforts
in reviewing the Bank Secrecy Act (BSA) programs of all financial
regulators and the report's acknowledgment of the improvements IRS has
made in its BSA compliance programs since the 2006 report.
We agree the Internal Revenue Service (IRS) has important
responsibilities in combating money laundering and other financial
crimes and concur with your recommendations. Actions to address the
recommendation to coordinate our BSA examinations with state regulators
are already underway. We are also working with states to standardize
the information reporting required by the various state memoranda of
understanding.
The report also includes two additional recommendations that impact the
IRS. The first is a joint recommendation for FinCEN and federal
regulators to engage in nonpublic discussions of BSA examination
procedures. We support this recommendation and look forward to
participating in these discussions. The other recommends the Director,
FinCEN "work with the Commissioner of IRS to establish a mutually
agreed-upon policy that provides a timeframe for making enforcement
decisions based on IRS referrals." We agree with this recommendation
and will work closely with FinCEN to develop acceptable timeframes.
If you have any questions, or if you would like to discuss this
response in more detail, please contact me or Beth Elfrey, Director,
Fraud/BSA at (202) 622-4699.
Sincerely,
Signed by:
Linda E. Stiff:
Enclosure:
GAO Recommendations and IRS Corrective Actions to GAO Draft Report:
Bank Secrecy Act: Federal Agencies Should Take Action to Further Improve
Coordination and Information-Sharing Efforts, GAO-09-227:
Recommendation: To reduce the potential for duplicative efforts and
better leverage limited examination resources, we recommend that the
Commissioner of IRS work with state agencies to develop a process by
which to coordinate MSB examination schedules between IRS and state
agencies that conduct BSA examinations of MSBs.
Comments: Small Business/Self-Employed (SB/SE), Bank Secrecy Act (BSA)
agrees to develop a process for conducting joint BSA examinations with
the states and to standardize the reporting format for states under
their memoranda of understanding (MOUs) to optimize resources when
conducting BSA examinations of money services businesses (MSBs).
Recommendation: Further, to build on improvements made in examination
processes vital to ensuring BSA compliance, we recommend that the heads
of FinCEN, the Federal Reserve, FDIC, OTS, OCC, NCUA, SEC, CFTC, and
IRS consider developing or using an existing process to conduct
regular, nonpublic discussion of BSA examination procedures and
findings across all financial regulators. We recommend that the heads
of SEC and CFTC consider including SROs that conduct BSA examinations.
Comments: SB/SE BSA agrees to participate in exploring the development
or use of existing processes to conduct regular, nonpublic discussion
of BSA examination procedures and findings. As administrator of the BSA
regulatory structure, we will look to Financial Crimes Enforcement
Network (FinCEN) to coordinate these efforts.
Recommendation: The Director, FinCEN expeditiously take the following
action:
* work with the Commissioner of IRS to establish a mutually agreed-upon
policy that provides a time frame for making enforcement decisions
based upon IRS referrals;
Comments: We agree that a mutually agreed-upon policy for timely
enforcement decisions on IRS referrals would be beneficial.
[End of section]
Appendix VI: Comments from the Board of Governors of the Federal
Reserve:
Board Of Governors:
Of The Federal Reserve System:
Elizabeth A. Duke:
Member of the Board:
Washington, D.C. 20551:
February 2, 2009:
Mr. Jack E. Edwards:
Acting Director, Financial Markets and Community Investment:
U.S. Government Accountability Office:
441 G Street, NW:
Washington, DC 20548:
Dear Mr. Edwards:
Thank you for your letter dated January 2, 2009, with a copy of the
draft GAO report entitled Bank Secrecy Act: Federal Agencies Should
Take Action to Further Improve Coordination and Information-Sharing
Efforts (GAO-09-227).
We believe the findings in the draft report are clearly set forth and
generally support the recommendation that relates to the Federal
Reserve, that is, that the heads of various federal agencies consider
the use of an interagency process for regular, nonpublic discussion of
Bank Secrecy Act examination procedures and findings across all
financial regulators. The Federal Reserve agrees with GAO's observation
that such discussions could build on improvements already made in
examination processes and that there could be a benefit in regular
discussion of examination procedures and general compliance trends
reflected in findings at supervised institutions.
As noted in the draft report, there are existing processes for
interagency communication that could serve as a venue for interagency
discussion. Federal Reserve staff currently utilizes various channels
to effectively communicate with other state and federal regulators
regarding BSA compliance issues and will carefully consider development
of these channels to regularize these discussions.
We appreciate the opportunity to review the draft report and
recommendations. Please note that Federal Reserve staff has separately
provided GAO staff with minor technical corrections to certain data in
the draft report relating to Federal Reserve supervisory activities.
Sincerely yours,
Signed by:
Elizabeth A. Duke:
[End of section]
Appendix VII: Comments from the Federal Deposit Insurance Corporation:
FDIC:
Federal Deposit Insurance Corporation:
Office of the Chairman:
550 17th Street NW,
Washington, D.C. 20429-9990:
February 2, 2009:
Jack E. Edwards, Acting Director:
Financial Markets and Community Investment:
U.S. Government Accountability Office:
441 G Street, NW:
Washington, D.C. 20548:
Dear Mr. Edwards:
Thank you for the opportunity to review and comment on the Government
Accountability Office's (GAO) report entitled, Bank Secrecy Act -
Federal Agencies Should Take Action to Further Improve Coordination and
Information-Sharing Efforts (GAO-09-0227). In this report, the GAO was
asked to: (1) describe how Bank Secrecy Act (BSA) compliance and
enforcement responsibilities are distributed; (2) describe how agencies
other than the Financial Crimes Enforcement Network (FinCEN) are
implementing those responsibilities and evaluate their coordination
efforts; and (3) evaluate how FinCEN is implementing its BSA
responsibilities.
Only one recommendation pertains to the federal banking agencies. The
GAO recommends the FDIC, Board of Governors of the Federal Reserve,
FinCEN, National Credit Union Administration, Office of the Comptroller
of the Currency, Office of Thrift Supervision, U.S. Securities and
Exchange Commission, U.S. Commodity Futures Trading Commission, and
Internal Revenue Service consider developing or using an existing
process to conduct regular, nonpublic discussions of BSA examination
procedures and findings across all financial regulators. The FDIC
agrees that periodic meetings with all federal agencies responsible for
BSA compliance, examinations, and enforcement can promote consistency
and coordination in examination and enforcement approaches and help
reduce regulatory burden.
Sincerely,
Signed by:
Sheila C. Bair:
Chairman
[End of section]
Appendix VIII: Comments from the Office of the Comptroller of the
Currency:
Comptroller of the Currency:
Administrator of National Banks:
Washington, DC 20219:
February 4, 2009:
Mr. Jack E. Edwards:
Acting Director, Financial Markets and Community Investment:
United States Government Accountability Office:
Washington, DC 20548:
Dear Mr. Edwards:
We have received and reviewed your draft report titled "Bank Secrecy
Act: Federal Agencies Should Take Action to Further Improve
Coordination and Information-Sharing Efforts." Your report responds to
a Congressional request for a review of implementation of the Bank
Secrecy Act (BSA) by the Financial Crimes Enforcement Network (FinCEN)
and other federal agencies.
You are reporting that FinCEN administers the BSA framework, under
which many regulatory entities, including the Office of the Comptroller
of the Currency (OCC), exercise delegated and independent compliance
and enforcement authorities. You report further that FinCEN provides
some outreach and regulatory support but could improve information-
sharing efforts. Among your recommendations, you recommend that FinCEN,
the OCC, the Federal Reserve System (Board), the Federal Deposit
Insurance Corporation, Office of Thrift Supervision, the National
Credit Union Administration, the Securities and Exchange Commission,
the Commodity Futures Trading Commission, and the Internal Revenue
Service consider developing or using an existing process to conduct
regular, nonpublic discussion of BSA examinations and procedures across
all financial regulators.
We agree and, as noted in your report, there are a number of processes
in place and groups established for the purposes of sharing information
and collaboration. We will continue to participate in these initiatives
and look for opportunities to share our practices and observations, to
the extent permissible, with non-banking financial regulators in these
or other forums.
We appreciate the opportunity to comment on the draft report.
Sincerely,
Signed by:
John C. Dugan:
Comptroller of the Currency:
[End of section]
Appendix IX: Comments from the Office of Thrift Supervision:
Office of Thrift Supervision:
Department of the Treasury:
John M. Reich, Director:
1700 G Street, N.W.,
Washington, DC 20552:
(202) 906-6590:
(202) 898-0231:
February 2, 2009:
Jack E. Edwards:
Acting Director, Financial Markets and Community Investment:
United States Government Accountability Office:
441 G Street, NW:
Washington, DC 20548:
Dear Mr. Edwards:
Thank you for the opportunity to review and comment on the Government
Accountability Office (GAO)'s draft report entitled, Federal Agencies
Should Take Action to Further Improve Coordination and Information-
Sharing Efforts (GAO 09-227). The report reviews how responsibility for
ensuring compliance with the Bank Secrecy Act (BSA) is distributed
among various agencies; describes how various agencies are implementing
their responsibilities and evaluates their coordination efforts; and
evaluates how the Financial Crimes Enforcement Network (FinCEN) is
implementing its BSA responsibilities. As the report notes, the federal
agencies have made significant progress in their coordinated efforts to
address BSA and anti-money laundering (AML) compliance at the
institutions they supervise.
GAO makes several recommendations directed to FinCEN, the Internal
Revenue Service (IRS), and other federal agencies. Among the
recommendations is for FinCEN, IRS and the federal financial regulators
to consider developing a mechanism to regularly discuss BSA
examinations and procedures across all regulators. While the Office of
Thrift Supervision (OTS) currently works closely with the Office of the
Comptroller of the Currency, Federal Deposit Insurance Corporation,
Board of Governors of the Federal Reserve System and National Credit
Union Administration (collectively the federal banking agencies) and
FinCEN on BSA related matters, OTS will collaborate with other
regulators with BSA/AML responsibilities to consider a method to
discuss BSA examinations and procedures. The federal banking agencies
and FinCEN have established a number of formal committees and working
groups to promote collaboration on BSA issues and we are strongly
committed to ensuring that the institutions we supervise are in
compliance with BSA/AML requirements.
Thank you for your efforts.
Sincerely,
Signed by:
John M. Reich:
[End of section]
Appendix X: Comments from National Credit Union Administration:
National Credit Union Administration:
Office of the Chairman:
1775 Duke Street:
Alexandria, VA 22314-3428:
703-518-6300:
February 3, 2009:
Jack E. Edwards:
Acting Director:
Financial Markets and Community Investment:
U.S. Government Accountability Office:
441 G St, NW:
Washington, DC 20548:
Dear Mr. Edwards:
Thank you for the opportunity to review and comment on the Government
Accountability Office's (GAO) draft report entitled, Bank Secrecy Act:
Federal Agencies Should Take Action to Further Improve Coordination and
Information-Sharing Efforts (GAO-09-227). This report reviews how the
Bank Secrecy Act (BSA) compliance and enforcement responsibilities are
distributed amongst the federal and state regulatory agencies;
describes how these agencies implement those responsibilities and
evaluates their coordination efforts; and evaluates how the Financial
Crimes Enforcement Network (FinCEN) is implementing its BSA
responsibilities.
The GAO recommends that FinCEN, the federal financial regulators, and
the Internal Revenue Service (IRS) consider developing or using an
existing process to conduct regular, nonpublic discussion of BSA
examination procedures and findings across all financial regulators.
The federal banking agencies and FinCEN regularly meet to discuss BSA
regulations, examination policies and procedures, training, and
compliance matters. The National Credit Union Administration (NCUA)
will work with these agencies to consider developing a process to
discuss BSA procedures with the IRS and the other financial regulators.
The NCUA remains strongly committed to our role in ensuring that credit
unions are in compliance with the requirements of the BSA. To this end,
we will continue to work with the other financial regulators to promote
collaboration on BSA examination matters.
Sincerely,
Signed by:
Michael E. Fryzel:
Chairman:
National Credit Union Administration:
El/JAG:jag:
[End of section]
Appendix XI: Comments from Securities and Exchange Commission:
Office Of Compliance Inspections And Examinations:
United States Securities And Exchange Commission:
Washington, D.C. 20549:
February 2, 2009:
Jack E. Edwards:
Acting Director:
Financial Markets and Community Investment:
U.S. Government Accountability Office:
441 G Street, N.W.
Washington, D.C. 20548:
Dear Mr. Edwards:
Thank you for the opportunity to review and comment on the General
Accountability Office's ("GAO") draft report entitled: Bank Secrecy
Act: Federal Agencies Should Take Action to Further Improve
Coordination and Information-Sharing Efforts ("Report"). The Report
describes how Bank Secrecy Act ("BSA") compliance oversight
responsibility is distributed among federal and state regulators, self
regulatory organizations ("SROs") and the Financial Crimes Enforcement
Network ("FinCEN"). The Report further describes how these entities are
implementing their respective BSA responsibilities and coordinating
efforts among one another. The SEC is proud to be one of the federal
agencies tasked with implementing the BSA's anti-money laundering
requirements for broker-dealers and mutual funds, and with the SROs, we
have taken steps to establish an aggressive and coordinated AML
examination program.
The GAO makes two recommendations that relate to the SEC: 1) that
FinCEN expeditiously finalize and implement a data-access agreement
with SROs that conduct BSA/AML examinations, and 2) that FinCEN and the
other federal agencies, including the SEC, consider developing a
mechanism for sharing information regarding BSA/AML (anti-money
laundering) examination procedures and findings. We agree with both of
these recommendations.
As noted in the Report, the Financial Industry Regulatory Authority
("FINRA"), the SRO that conducts the majority of securities broker-
dealer examinations, does not have direct electronic access to BSA data
and must instead request the data from the SEC or FinCEN. Direct access
to BSA data would permit FINRA to more effectively use its AML
resources to take a more risk-based approach to identifying firms, and
areas within a firm's AML program, that required examination. We hope
that FinCEN will provide SROs such as FINRA with direct electronic
access to BSA data in a form that will be broad enough to allow them to
properly risk-scope their examinations and effectively leverage
resources, as specifically discussed and recommended in the Report.
In addition, you recommend that FinCEN and the other federal agencies,
including the SEC, consider developing a mechanism for sharing
information regarding BSA/AML (anti-money laundering) examination
procedures and findings. We recognize that effective cooperation can
evolve over time and appreciate your suggestions for improvement. We
agree that regulators would benefit from the development of a mechanism
through which all financial regulators can discuss, on a regular non-
public basis, BSA/AML examination procedures and findings. To this end,
FinCEN plans to hold, and the SEC plans to attend, a meeting in
February 2009 to discuss with other federal regulators possible methods
for achieving this goal.
Thank you again for the opportunity to comment on the Report. We also
would like to express our appreciation for the courtesy you and your
staff extended to us during this review.
Sincerely,
Signed by:
Lori A. Richards:
Director:
Office of Compliance Inspections and Examinations:
[End of section]
Appendix XII: Comments from the Commodity Futures Trading Commission:
U.S. Commodity Futures Trading Commission:
Michael V. Dunn:
Acting Chairman:
Three Lafayette Centre, 1155 21st Street, NW,
Washington, DC 20581:
[hyperlink, http://www.cftc.gov]
February 3, 2009:
Jack Edwards:
Acting Director:
Financial Markets and Community Investment:
Government Accountability Office:
441 G St., NW:
Washington, DC 20548:
Dear Mr. Edwards:
We have received and reviewed the Government Accountability Office's
draft report titled "Bank Secrecy Act: Federal Agencies Should Take
Action to Further Improve Coordination and Information-Sharing
Efforts." We commend your staff for their hard work on this detailed
report and thank you for providing the Commodity Futures Trading
Commission ("CFTC") with the opportunity to provide comments. CFTC
staff is separately providing technical comments to GAO staff; the
below comments will focus on the report's recommendations.
Several of the report's recommendations are of particular relevance to
the CFTC. First, the report recommends that the Financial Crimes
Enforcement Network ("FinCEN"), which administers the Bank Secrecy Act
("BSA"), and the federal agencies to which it has delegated examination
authority consider developing a mechanism to share information on BSA
examination procedures and findings to better ensure consistency in the
application of the BSA, identify any cross-industry concerns, and
leverage each other's expertise. Second, the report recommends that
FinCEN expeditiously finalize and implement an information-sharing
Memorandum of Understanding ("MOU") with the CFTC. Finally, the report
recommends that FinCEN finalize and implement a data-access MOU with
the CFTC and the self-regulatory organizations (SROs) conducting
BSA/AML examinations.
As to the first recommendation, the CFTC supports all efforts to
increase cooperation among regulators in this area. We would be pleased
to participate in any discussions that bring us together with other
federal financial regulators and allow us to share our experiences and
expertise in developing and implementing BSA examination procedures.
As to the second and third recommendations, the draft report notes
throughout that FinCEN and CFTC have been involved in extensive
negotiations regarding information-sharing and data access MOUs. The
report also indicates that the two agencies expect to conclude
negotiations in mid-January. We are pleased to report that on January
15, 2009, FinCEN and CFTC finalized and signed two memoranda of
understanding concerning, respectively, information sharing and BSA
database access.
The first MOU provides for mutual information sharing between FinCEN
and the CFTC ("Information-Sharing MOU") and sets forth procedures for
the exchange of information between FinCEN and the CFTC. As a general
matter, under this MOU the CFTC will provide FinCEN with information
relating to the policies and procedures of the CFTC and the SROs that
directly examine CFTC-regulated entities for BSA compliance, and FinCEN
will provide information to the CFTC about FinCEN's administration of
the BSA.
The second MOU ("Data Access MOU") sets forth the terms under which the
CFTC can gain access to information collected pursuant to the reporting
authority of the BSA ("BSA Database"). Generally, the Data Access MOU
allows authorized CFTC personnel to make direct electronic inquiries to
retrieve information from the BSA Database and to use that information
as appropriate in the exercise of the CFTC's regulatory authority,
including BSA examination authority that is implemented through
oversight of the futures SROs. We believe that these two agreements
will enhance the CFTC's ability to effectively implement its BSA
examination responsibilities, conduct oversight of the futures markets,
and meet its enforcement mission.
Thank you again for providing us with the opportunity to comment on
this important report.
Sincerely yours,
Signed by:
Michael V. Dunn:
Acting Chairman:
[End of section]
Appendix XIII: GAO Contact and Staff Acknowledgments:
GAO Contact:
Jack E. Edwards (202) 512-8678 or edwardsj@gao.gov:
Staff Acknowledgments:
In addition to the contact named above, Barbara I. Keller (Assistant
Director), Allison M. Abrams, M'Baye Diagne, John P. Forrester, Kerstin
Larsen, Carl Ramirez, Barbara M. Roesmann, Ryan Siegel, and Paul
Thompson made key contributions to this report.
[End of section]
Footnotes:
[1] Pub. L. No. 91-508, 84 Stat. 1114 (1970) (codified as amended in 12
U.S.C. §§ 1829(b), 1951-1959; 31 U.S.C. §§ 5311-5330).
[2] The Uniting and Strengthening America by Providing Appropriate
Tools Required to Intercept and Obstruct Terrorism Act of 2001, Pub. L.
No. 107-56, 115 Stat. 272 (2001). We refer to this act as the "USA
PATRIOT Act." MSBs are defined by regulation to include any person
conducting business of more than $1,000 with the same person on the
same day in any one of the following activities: currency dealing or
exchange; check cashing; issuing, selling, or redemption of traveler's
checks, money orders, or stored value cards; or provision of money
transfer services in any amount. 31 C.F.R. § 103.11(uu). For the
purposes of this document, "futures firms" refer to futures commission
merchants and introducing brokers.
[3] Throughout the report we will use the term "federal banking
regulators" to refer collectively to the Federal Reserve, FDIC, OCC,
OTS, and NCUA.
[4] SROs are nongovernmental entities responsible for regulating their
members through the adoption and enforcement of rules and regulations
governing the business conduct of their members. Both exchanges and
membership organizations, such as the National Futures Association
(NFA) and the Financial Industry Regulatory Authority (FINRA), are
SROs. For the futures industry, the SROs must designate one SRO as the
lead regulator for compliance audits (examinations) when a futures
commission merchant is a member of more than one SRO. For the purposes
of this report, SROs also will refer to designated SROs.
[5] GAO, Bank Secrecy Act: Opportunities Exist for FinCEN and the
Banking Regulators to Further Strengthen the Framework for Consistent
BSA Oversight, [hyperlink, http://www.gao.gov/products/GAO-06-386]
(Washington, D.C.: Apr. 28, 2006); USA PATRIOT ACT: Additional Guidance
Could Improve Implementation of Regulations Related to Customer
Identification and Information Sharing Procedures, [hyperlink,
http://www.gao.gov/products/GAO-05-412] (Washington, D.C.: May 6,
2005).
[6] GAO, Financial Regulation: Industry Challenges Prompt Need to
Reconsider U.S. Regulatory Structure, [hyperlink,
http://www.gao.gov/products/GAO-05-61] (Washington, D.C.: Oct. 6,
2004).
[7] GAO, Results-Oriented Government: Practices That Can Help Enhance
and Sustain Collaboration Among Federal Agencies, [hyperlink,
http://www.gao.gov/products/GAO-06-15] (Washington, D.C.: Oct. 21,
2005).
[8] Pub. L. No. 99-570, title I, subtitle H, 100 Stat. 3207-17 (1986).
[9] Pub. L. No. 99-570, 100 Stat. 3207 (1986).
[10] Pub. L. No. 102-550, title XV, §1517(b), 106 Stat. 3672 (1992).
[11] The USA PATRIOT Act requires all financial institutions to have
AML programs unless they are exempted by FinCEN as provided in the act.
Pub. L. No. 107-56 § 352. In 2002 and 2003, FinCEN published rule
proposals that would have required commodity trading advisors,
investment advisers, and "unregistered investment companies" to have
AML programs, but these proposals were withdrawn recently pending
further consideration by FinCEN. See 73 Fed. Reg. 65567 (Nov. 4, 2008,
commodity trading advisors); 73 Fed. Reg. 65568 (Nov. 4, 2008,
investment advisers); 73 Fed. Reg. 65570 (Nov. 4, 2008, "unregistered
investment companies," defined to include certain hedge funds,
commodity pools, and real estate investment trusts that are not subject
to federal functional regulation).
[12] Pub. L. No. 107-56 § 365(a).
[13] 31 C.F.R. § 103.56. The regulation delegates examination authority
to SEC for securities broker-dealers and investment companies. The
delegation to CFTC pertains to futures commission merchants,
introducing brokers, and commodity trading advisors.
[14] See, e.g., 12 U.S.C. §§ 1818(s) (requiring federal banking
agencies to promulgate BSA regulations and conduct BSA examinations),
1786(q) (applying the same requirement to NCUA). See Procedures for
Monitoring Bank Secrecy Act (BSA) Compliance, 12 C.F.R. § 208.63
(Federal Reserve), 12 C.F.R. § 326, subpart B, (FDIC), 12 C.F.R. §
748.2, (NCUA), 12. C.F.R., (OCC), 12 C.F.R. § 563.177 (OTS). SEC and
CFTC have authority to examine the entities they regulate for
compliance with the respective agency's regulations, and those
regulations require compliance with BSA and its implementing
regulations.
[15] The regulations authorize the Assistant Secretary of Enforcement
in Treasury to impose civil penalties for BSA violations. 31 C.F.R. §
103.57.
[16] See 12 U.S.C. §§ 1818(b), (s) (institutions other than credit
unions), 1786(b), (q) (federally insured credit unions).
[17] 31 C.F.R. § 103.56(g).
[18] 12 U.S.C. § 1818(s).
[19] 12 U.S.C. § 1786(q).
[20] State-chartered commercial banks that are members of the Federal
Reserve are subject to supervision by that regulator. Other state-
chartered banks, such as nonmember state banks, and state savings
banks, with federally insured deposits are subject to FDIC oversight,
while OTS supervises state-chartered savings associations insured by
FDIC and federally chartered savings associations. Federally chartered
institutions are subject to oversight by their chartering agencies.
Generally, OCC supervises national banks and NCUA supervises federally
chartered credit unions.
[21] Beginning in 2004, state banking departments, federal banking
regulators, and FinCEN increased coordination on BSA-related
examination and information-sharing activities; and the federal banking
regulators began training state examiners to review for BSA compliance.
See [hyperlink, http://www.gao.gov/products/GAO-06-386].
[22] 17 C.F.R. § 240.17a-8, issued by SEC, requires registered broker-
dealers to comply with the reporting, record-keeping, and record
retention requirements of the regulations adopted under BSA (which
include SAR requirements and customer identification programs), and 17
C.F.R. § 270.38a-1 requires mutual funds to establish and implement
compliance programs that include provisions for compliance with AML
regulations. Similarly, CFTC regulation 17 C.F.R. § 42.2 requires
futures commission merchants and introducing brokers to comply with the
applicable provisions of BSA and FinCEN regulations.
[23] FINRA is the result of the 2007 consolidation of the former
National Association of Securities Dealers and the member regulation,
enforcement, and arbitration operations of New York Stock Exchange
Regulation, Inc.
[24] In addition to conducting the majority of broker-dealer
examinations, FINRA officials said they have several regulatory
agreements in place where they conduct regulatory work (which would
include BSA/AML examinations) on behalf of other SROs. They told us the
other securities SROs that conduct their own BSA/AML compliance
examinations review entities for BSA/AML compliance that are generally
options market makers that do not have retail customers.
[25] The only types of examination, other than BSA/AML, that IRS
conducts are tax audits.
[26] 31 C.F.R. § 103.56(b)(8).
[27] In April 2003, FinCEN signed a memorandum of agreement with IRS,
in which it delegated its enforcement authority for the Foreign Bank
Account Reports to IRS. The reporting requirements, which are grounded
in the BSA, authorize FinCEN to require residents or citizens of the
United States (or a person in, and doing business in, the United
States) to keep records and file reports concerning transactions with
any foreign financial institutions. IRS may assess and collect civil
penalties for noncompliance with the Foreign Bank Account Reports
requirements, investigate possible civil violations, employ summons
power, issue administrative rulings, and take any other action
reasonably necessary for enforcement of these provisions, including
pursuit of injunctions.
[28] SEC staff said SEC and SROs began examining broker-dealers
informally for BSA/AML procedures in 2001, prior to the implementation
of the USA PATRIOT Act. SEC developed the first BSA/AML module for
broker-dealers in 2002. Other securities SROs--which conduct about 10
percent of broker-dealer examinations--do not use the SEC-FINRA module
but have their own procedures. FINRA officials told us that other SROs
examine institutions that generally do not have retail customers.
[29] We reviewed SEC and SRO examination modules for broker-dealers and
SEC's modules for mutual funds, but as they are nonpublic we cannot
discuss their contents.
[30] The Joint Audit Committee is a committee of U.S. futures exchanges
and regulatory organizations. One of its responsibilities is to
determine the practices and procedures to be followed by each SRO in
the conduct of audits of futures commission merchants. NFA's BSA/AML
module differs slightly in that it does not include procedures for
clearing members as it does not examine these types of institutions. A
clearing member of an exchange has the ability to process and settle
trades. Nonclearing members must process and settle all trades through
a clearing member.
[31] The group provides a framework for the sharing of information and
the coordination of regulatory efforts among exchanges that trade
securities and related products. SEC, CFTC, and securities and futures
SROs participate in this group.
[32] GAO, Bank Secrecy Act: FinCEN and IRS Need to Improve and Better
Coordinate Compliance and Data Management Efforts, [hyperlink,
http://www.gao.gov/products/GAO-07-212] (Washington, D.C.: Dec. 15,
2006).
[33] The coordinated NBFI strategy outlines the following objectives:
(1) evaluating the MSB regulatory framework, (2) better identifying the
NBFI population, (3) better selecting the NBFI population, (4)
supporting risk-based examinations, and (5) outreach.
[34] The Money Transmitter Regulators Association consists of state
regulatory authorities for money transmitters and sellers of traveler's
checks, money orders, drafts, and other money instruments.
[35] [hyperlink, http://www.gao.gov/products/GAO-06-15].
[36] The BSAAG, in addition to its annual plenary meetings, has various
subcommittee meetings, including meetings on banking, insurance, law
enforcement, SARs, and securities and futures.
[37] [hyperlink, http://www.gao.gov/products/GAO-06-15].
[38] The authority of the federal banking regulators to take an
enforcement action includes, among other things, an action based upon
an institution's violation of any law. See, e.g., 12 U.S.C. §§ 1818,
1786.
[39] Informal and formal actions vary by banking regulator. For
example, among the available remedies, OCC may issue a notice of
deficiency for failure to comply with applicable safety and soundness
internal control standards in the BSA area, while FDIC may enter into
an MOU to address a similar deficiency.
[40] The banking regulators use different terms to classify problems
associated with elements of institutions' BSA/AML programs. For
example, some of the banking regulators use "deficiency" and others
"violation." Also, the 2007 FFIEC interagency statement does not
clearly distinguish between a deficiency and a violation, although it
provides examples of when either deficiencies or violations can lead to
the issuance of a cease-and-desist order.
[41] OCC does not share jurisdiction with state regulators, but OCC
officials said they do share pertinent information with some state
agencies. State agencies have the authority to take enforcement
actions against institutions chartered within their state that are in
violation of banking legislation.
[42] CFTC uses "enforcement action," while its SROs use "disciplinary
action." For the purposes of this report, we will use "enforcement
action" for both.
[43] NFA, which has been delegated registration duties by CFTC,
additionally may condition or revoke the registration of any futures
firm.
[44] In 2003, Treasury delegated enforcement authority for compliance
with foreign bank and financial accounts reporting to IRS.
[45] The Internal Revenue Manual provides guidance on the IRS referral
procedures and determination processes.
[46] Often, criminal investigations of individuals are traced to a
specific financial institution. During the initial investigation, if it
becomes apparent that certain financial institutions are being used to
launder money, investigators will look at the level of criminal
proceeds laundered through the institution and the circumstances
surrounding the activity and then determine if a separate investigation
should be opened on the institution. Investigators subsequently assess
whether the institution had sufficient systems in place to detect and
prevent criminal activity.
[47] FinCEN has been studying the feasibility and effect of
implementing a BSA-based cross-border wire transfer reporting
requirement.
[48] 31 U.S.C. § 5318. The same provision authorizes Treasury generally
to delegate BSA duties and powers to appropriate agencies that
supervise financial institutions subject to BSA requirements.
[49] 68 F.R. 25149 (May 9, 2003). The BSA requirement is set forth at
31 U.S.C. § 5318(l). Subsection (h) of that same provision calls for
FinCEN to consult with the regulators, should FinCEN promulgate
regulations setting minimum standards for AML programs. FinCEN's AML
regulations for financial institutions, which apply to futures
commission merchants and introducing brokers, are set forth at 31
C.F.R. § 103.120.
[50] According to CFTC officials, some futures commission merchants
asserted that the applicability of the rule, 31 C.F.R. § 103.123, was
not clear with respect to which futures commission merchant--the
executing or clearing broker--in a give-up arrangement had the CIP
responsibilities. A give-up transaction occurs when a broker executes
an order on an exchange for a customer and then submits the trade for
clearing with another futures commission merchant (clearing broker).
[51] Financial Crimes Enforcement Network Commodity Futures Trading
Commission Guidance FIN-2007-G001 (Apr. 20, 2007).
[52] This work addressed a prior GAO recommendation that FinCEN and the
federal banking regulators work together to ensure that emerging
BSA/AML risks are communicated effectively to examiners and the
industry through updates of the manual and other guidance. See
GAO-06-386.
[53] FinCEN considers the results of these surveys to be nonpublic
information. FinCEN reports on the "understandability" of its guidance
as a performance measure in its annual report, and therefore these
public results are included in this report. In the 2006 survey, 94
percent of respondents rated the guidance from FinCEN's Regulatory
Resource Center as understandable. In the 2007 and 2008 surveys, 91
percent and 94 percent, respectively, rated guidance as understandable.
In all 3 years, the vast majority of respondents were financial
institutions and the remaining respondents were regulators or other
interested parties. Despite some potential limitations associated with
the surveys, after review we concluded that the overall frequencies for
survey questions should be sufficiently valid and reflected the overall
opinions of those surveyed.
[54] As of October 2008, FinCEN said it had held six on-site visits
with large institutions in support of this initiative.
[55] CMS is a vendor-provided software product delivered through a
secure Web portal.
[56] FinCEN officials said that the Office of Compliance generates
three reports from CMS on a monthly basis--a consolidated monthly
status report, a count of cases by date recorded, and a count of cases
by closed date. The Office of Enforcement downloads a CMS report on a
quarterly basis to calculate the average time to process enforcement
cases, which is a public performance measure.
[57] Cases are grouped in CMS by the federal regulator with delegated
examination authority for the referred institution.
[58] As stated previously, FinCEN delegated its enforcement authority
for the Foreign Bank Account Reports to IRS. A Letter 1112 is issued if
violations are found during an examination. The letter details the
violations and asks that the entity commit to correcting the apparent
violations.
[59] IRS officials will then provide the facts of the case, a summary
of the examination, and violation information in their referral to
FinCEN. IRS examiners do not recommend the type of enforcement action,
penalty, or dollar amount to FinCEN.
[60] For example, in August 2007, FinCEN, the Federal Reserve, and
Justice issued coordinated civil and criminal BSA-related enforcement
actions against American Express on the same day.
[61] In May 2004, FinCEN and OCC concurrently imposed $25 million in
CMPs against Riggs Bank, N.A. for willful and systemic BSA violations.
See GAO-06-386.
[62] For example, in late 2005, FDIC imposed a cease-and-desist order
against Israel Discount Bank in conjunction with the New York State
Department of Banking, and in 2006 followed up by issuing a CMP in
conjunction with the New York State Department of Banking and FinCEN.
In April 2006, OTS, FinCEN, and Justice took coordinated civil and
criminal BSA enforcement actions against BankAtlantic.
[63] [hyperlink, http://www.gao.gov/products/GAO-06-386].
[64] Form 8300s are similar to CTRs. IRS-supervised entities must
report cash payments of more than $10,000 using Form 8300s.
[65] The Office of Management and Budget conducted this assessment in
2006 using its Program Assessment Rating Tool--a standard series of
questions meant to serve as a diagnostic performance tool. The agency
draws on available program performance and evaluation information to
form conclusions about program benefits and recommend adjustments that
may improve results.
[66] FinCEN considers most of the results of this survey to be
nonpublic information. The survey-derived information included in this
report is a publicly available performance measure that FinCEN
developed based on questions from its 2008 survey of the holders of
information-sharing MOUs. Despite some potential limitations associated
with the survey, after review we concluded that the overall frequencies
for survey questions should be sufficiently valid and reflected the
overall opinions of those surveyed.
[67] In response to a recommendation we made in GAO-07-212, FinCEN
officials said they, in collaboration with IRS, have been developing a
long-term comprehensive plan for re-engineering BSA data management
activities. FinCEN expects implementation of the plan to take from 3 to
5 years.
[68] A 314(a) hit refers to a bank identifying one of its customers as
matching an entity included on the biweekly list of individuals,
entities, and organizations engaged in or reasonably suspected of
engaging in terrorist acts or money laundering activities, which FinCEN
distributes to financial institutions in accordance with section 314(a)
of the USA PATRIOT Act.
[69] These other reports include the Designation of an Exempt Person,
Report of Foreign Bank and Financial Account Forms, and Report of
International Currency of Monetary Instrument Forms.
[70] GAO, Results-Oriented Government: Practices That Can Help Enhance
and Sustain Collaboration Among Federal Agencies, [hyperlink,
http://www.gao.gov/products/GAO-06-15] (Washington, D.C.: Oct. 21,
2005).
[71] State-chartered commercial banks that are members of the Federal
Reserve are subject to supervision by that regulator. Other state-
chartered banks, such as nonmember state banks, and state savings
banks, with federally insured deposits are subject to FDIC oversight,
while OTS supervises state-chartered savings associations insured by
FDIC and federally chartered savings associations. Federally chartered
institutions are subject to oversight by their chartering agencies.
Generally, OCC supervises national banks and NCUA supervises federally
chartered credit unions.
[72] SEC uses the term "deficiency" to refer to potential violations of
specific statutory or regulatory requirements, and "weakness" to refer
to concerns that do not rise to the level of a deficiency.
[73] GAO, Bank Secrecy Act: FinCEN and IRS Need to Improve and Better
Coordinate Compliance and Data Management Efforts, [hyperlink,
http://www.gao.gov/products/GAO-07-212] (Washington, D.C.: Dec. 15,
2006).
[End of section]
GAO's Mission:
The Government Accountability Office, the audit, evaluation and
investigative arm of Congress, exists to support Congress in meeting
its constitutional responsibilities and to help improve the performance
and accountability of the federal government for the American people.
GAO examines the use of public funds; evaluates federal programs and
policies; and provides analyses, recommendations, and other assistance
to help Congress make informed oversight, policy, and funding
decisions. GAO's commitment to good government is reflected in its core
values of accountability, integrity, and reliability.