Coping with the new BSA compliance imperative: an exercise in ADApTation Management

RMA Journal, The, March, 2005 by Richard R. Riese

Analyze, develop, apply, and test constitute a change management process called ADApTation Management. This process can be used to take an existing BSA compliance program and ratchet it up to new compliance standards. The goal is to keep your focus on those things that matter the most.

The things that matter the most must never be at the mercy of things that matter the least.

--Johann Wolfgang Von Goethe

Although there is no evidence that Goethe's career ever included service as a chief risk officer or an examiner, his observation about maintaining one's priorities has particular relevance to the current sturm und drang surrounding BSA/AML compliance and enforcement. Listening to bankers decrying their unfunded recruitment as law enforcers, one could get the impression that BSA/AML obligations are newly minted rather than marking a generation of applicability. Yet from the Bank Secrecy Act of 1970 signed by President Nixon, through such enhancements as the Money Laundering Control Act and the Annunzio-Wylie Anti-Money Laundering Act of the Reagan and G.H.W. Bush administrations, to the more recent USA PATRIOT Act, the banking industry has long faced the escalating burden of policing the intermediation of ill-gotten or ill-intended gains.

So why is it that despite this supposed maturity in dealing with BSA/AML requirements, the management of money-laundering and terrorism-financing risk has become the bane of financial institutions when the significance of the policy underlying these laws is almost universally conceded? And what can Goethe's Maxim teach us about resolving this conflict?

The events of September 11, 2001 were the obvious catalyst for the new BSA compliance imperative. Within a few short weeks, an assortment of law enforcement wishes were bundled together into the USA PATRIOT Act (USAPA), including a number of tools for combating money laundering and terrorism financing. This was the source of new regulatory initiatives that demand risk differentiation and enhanced scrutiny of certain customer conduct, periodic "search and response" assignments from government law enforcement agencies, additional mandated record keeping, and formalized identity-verification procedures. More pressure was brought to bear on banking agencies by the findings of inspector generals critical of the regulators' patience with the pace of banks' corrections to deficient BSA programs. Finally, press reports of poor money laundering controls at high-profile institutions led to "hot seat" congressional oversight hearings that reverberated across all regulatory agencies and provided further impetus for a crackdown on BSA compliance.

The implications of the new BSA compliance imperative are manifested on a number of fronts. Institutions accustomed to a relatively static period of regulatory expectations following the withdrawal of the Know Your Customer (KYC) rule in 1998 are suddenly inundated with a series of new proscriptions. In addition, USAPA passage also extended coverage of BSA requirements to a broader spectrum of financial actors, increasing the sensitivity of the entire financial services industry to these issues--and supposedly leveling the regulatory playing field, while in actuality burdening banks with an almost thou-art-thy-brother's-keeper set of due diligence expectations.

Beyond the imposition of new legal obligations are a series of other implications. First, there is significantly greater public and political awareness about the role of banks in preventing terrorism financing. Congressional hearings, 9/11 Commission findings, and intelligence reform debates have focused a spotlight on how financial institutions can unwittingly facilitate the flow of terrorist funds. This higher visibility increases the reputation risk for banks generally but in particular for those with foreign customers or international business plans. No one wants to be featured in a news story about terrorism funding or money-laundering schemes.

Second, the new imperative has implications for the supervisory vigor of the regulatory agencies and law enforcement. Banking agencies are applying additional resources to BSA oversight and resurrecting dormant enforcement standards. Both the OTS and OCC have published new guidance invoking the statutorily mandated enforcement response contained in 1818(s) requiring cease and desist orders for remedying deficient BSA compliance programs.

Furthermore, as the banking agencies bring additional staff to the BSA supervisory process and publicly tout their oversight commitments, the examiner zeal that is kindled can outstrip agency guidance and management control. The implication of this tendency is an atmosphere of zero tolerance and examiner second-guessing that overrides the professed goal of risk-based compliance. The confluence of these implications illustrates why the new BSA imperative sweeps aside the status quo ante of supervisory expectations. This isn't your father's BSA.

To cope with the imperative currently driving BSA compliance oversight, banks need to break old habits and abandon past perspectives. This means embracing a risk-based approach to devising and executing your BSA compliance program. It does not demand starting from scratch so much as adapting existing controls to be more directly responsive to an evolving set of supervisory standards. The trick is to accomplish this adaptation while weathering an indefinite period of regulatory uncertainty. There are five fundamental steps for coping with the new BSA imperative: