FIN-2014-A007
Issued Date
August 11, 2014
Subject
Advisory to U.S. Financial Institutions on Promoting a Culture of Compliance
Shortcomings identified in recent Anti-Money Laundering (AML) enforcement actions confirm that the culture of an organization is critical to its compliance. Although enforcement actions are specific to the subject financial institution and the characteristics of the situation, certain general lessons could be gleaned from these actions that could be instructive to the leadership of all financial institutions required to comply with the Bank Secrecy Act (BSA). Accordingly, the Financial Crimes Enforcement Network (FinCEN) issues this Advisory to highlight general principles illustrating how financial institutions and their leadership may improve and strengthen organizational compliance with BSA obligations.[1]
Regardless of its size and business model, a financial institution with a poor culture of compliance is likely to have shortcomings in its BSA/AML program. A financial institution can strengthen its BSA/AML compliance culture by ensuring that (1) its leadership actively supports and understands compliance efforts; (2) efforts to manage and mitigate BSA/AML deficiencies and risks are not compromised by revenue interests; (3) relevant information from the various departments within the organization is shared with compliance staff to further BSA/AML efforts; (4) the institution devotes adequate resources to its compliance function; (5) the compliance program is effective by, among other things, ensuring that it is tested by an independent and competent party; and (6) its leadership and staff understand the purpose of its BSA/AML efforts and how its reporting is used. This advisory describes each of these areas in more detail below. Financial institutions should consider how to incorporate the guidance outlined in this advisory in a manner that is commensurate with their risk profile and business model.
FinCEN Guidance to Financial Institutions
Leadership Should Be Engaged
A financial institution’s leadership is responsible for performance in all areas of the institution including compliance with the BSA. As applicable, an institution’s leadership may include its board of directors, senior and executive management, owners and operators. These leaders are responsible for understanding an institution’s responsibilities regarding compliance with the BSA and creating a culture of compliance at that institution. The commitment of an organization’s leaders should be visible within the organization, as such commitment influences the attitudes of others within the organization.
For a BSA/AML compliance program to be effective, it should have the demonstrable support of the leadership (as appropriate based on the financial institution’s size and structure). The institution’s leaders should also receive periodic BSA/AML training that is tailored to their roles. In addition to supporting a culture of compliance, an appropriate understanding of BSA/AML obligations and compliance will help an organization’s leadership make informed decisions with regard to the allocation of resources to the BSA/AML function. The leaders of the organization should also remain informed of the state of BSA/AML compliance within the institution.
Compliance Should Not Be Compromised By Revenue Interests
Compliance staff should be empowered with sufficient authority and autonomy to implement an institution’s AML program. An institution’s interest in revenue should not compromise efforts to effectively manage and mitigate BSA/AML deficiencies and risks, including submission of appropriate and accurate reports to FinCEN. An effective governance structure should allow for the BSA/AML compliance function to work independently and to take any appropriate actions to address and mitigate any risks that may arise from an institution’s business line and to file any necessary reports, such as Suspicious Activity Reports (SARs).
For example, for Money Services Businesses (MSBs), principal MSBs often derive a significant percentage of their revenue from the activity of their agents. When principal MSBs learn of possible inappropriate activity by an agent, the activity should be investigated thoroughly and appropriate action taken regardless of the impact on revenue. The findings from the investigation should be considered when determining whether an agent is terminated, and the sales unit should not have express or implied authority to veto the decision because of the agent’s sales activity.
Information Should Be Shared Throughout the Organization
Several recent enforcement actions noted that the subject institution had relevant information in its possession that was not made available to BSA/AML compliance staff. This may have resulted from a lack of an appropriate mechanism for sharing information, a lack of appreciation of the significance or relevance of the information to BSA/AML compliance or an intentional decision to prevent compliance officers or staff from having access to the information.
There is information in various departments within a financial institution that may be useful and should be shared with the compliance staff. For example, information developed by those in the organization combating and preventing fraud could also assist a financial institution in complying with its BSA/AML obligations. Similarly, legal departments should alert compliance departments to subpoenas received from government agencies to trigger reviews of related customers’ risk ratings and account activity for suspicious transactions. Additionally, in a larger organization there may be multiple affiliated institutions that could benefit from sharing of relevant information across the organization.[2]
For instance, in the gaming sector, this principle can be applied to casinos that develop significant information on their gaming customers for purposes of marketing or extending credit. However that information is derived, it should be provided to the compliance staff to assist in conducting customer due diligence and monitoring customers for suspicious activity. This principle can also be applied to mutual funds that receive transaction information about their customers through a frequent trading monitoring program, or other similar efforts. In those cases, information that could further the BSA/AML compliance efforts of the mutual fund should also be shared with mutual fund staff engaged in BSA/AML compliance.
Leadership Should Provide Adequate Human and Technological Resources
A required element of any BSA/AML compliance program is the designation of an individual responsible for coordinating and monitoring day-to-day compliance with the BSA. The individual should be knowledgeable of the BSA and have sufficient authority to administer the program. For the program to be effective, the institution should devote appropriate support staff to its BSA/AML compliance program based on its risk profile.
The failure of an institution’s leaders to devote sufficient staff to the BSA/AML compliance function may lead to other failures. For example, depository institutions, as well as other types of financial institutions, generally have staff that review alerts generated by transaction monitoring systems. Devoting insufficient staff or other resources to this function may result in alerts not being reasonably designed to capture appropriate risks or being dismissed improperly, or create a backlog of alerts that may result in the untimely reporting of suspicious activity.
Appropriate technological resources should also be allocated to BSA/AML compliance. Institutions with higher risk profiles, including those with substantially higher volumes of activity, may need to utilize automated systems for identifying and monitoring suspicious activity.
The Program Should Be Effective and Tested By an Independent and Competent Party
Appropriate involvement of a financial institution’s leadership should be, at a minimum, commensurate with the institution’s level of BSA/AML risk exposure. Appropriate leadership involvement allows the BSA/AML function to implement an effective compliance program. Components of an effective BSA/AML compliance program additionally include a proper ongoing risk assessment, sound risk-based customer due diligence, appropriate detection and reporting of suspicious activity and independent program testing.[3]
While recognizing that all the components of an effective compliance program are important, FinCEN stresses the independence that the testing of a compliance program should have. A financial institution’s leadership should ensure that the party testing the program (whether internal or external) is independent, qualified, unbiased and does not have conflicting business interests that may influence the outcome of the compliance program test. Safeguarding the integrity and independence of the compliance program testing enables an institution to locate and take appropriate corrective actions to address BSA/AML deficiencies.
Leadership and Staff Should Understand How Their BSA Reports are Used
Finally, leadership and staff at all levels in a financial institution should understand that they are not simply generating reports for the sake of compliance, but rather recognize the purpose that BSA reports serve and how the information is used. The reporting and the transparency that financial institutions provide under FinCEN’s regulations result in some of the most important information available to law enforcement and others safeguarding the nation. It is used to confront serious threats, including terrorist organizations, rogue nations, weapons of mass destruction (WMD) proliferators, foreign corruption and, increasingly, some cyber related threats. The reporting that financial institutions provide also assists in the fight against transnational criminal organizations including those involved in drug trafficking and massive fraud schemes targeting the U.S. government, our businesses and our people.
That same information may also help an institution protect itself and aid law enforcement in protecting the institution from bad actors, including insider threats, frauds and cyber-related threats such as spear phishing, account takeovers and distributed denial of service attacks, when such reports are filed. Additionally, the very existence of BSA regulations has a deterrent effect on those who would abuse the financial system. The certainty of a Currency Transaction Report (CTR) filing and the mere possibility of a SAR filing force illicit actors to behave in ways that expose them to scrutiny and capture.
The reporting that financial institutions provide is used to:
• Serve as tips to initiate investigations: BSA reports contribute critical information that is routinely analyzed, resulting in the identification of suspected criminal activity and the initiation of investigations. For instance, approximately 100 SAR review teams across the country bring together investigators and prosecutors from different governmental agencies to review reports related to their geographic area of responsibility and use the information therein to initiate criminal investigations, where appropriate.
• Expand existing investigations: The reporting aids in expanding the scope of ongoing investigations by pointing to the identities of previously unknown subjects, exposing accounts and hidden financial relationships, or revealing other information such as common addresses or phone numbers that connect seemingly unrelated participants in a criminal or terrorist organization and, in some cases, even confirming the location of suspects. Nearly 11,000 federal, state and local law enforcement and regulatory users conduct roughly 30,000 searches per day of the reporting using FinCEN’s information technology tool for making queries about known subjects.
• Promote international information exchange: The Egmont Group has developed mechanisms for the rapid exchange of sensitive information between 146 Financial Intelligence Units (FIUs) around the world. In FY 2014, based on current trends, it is estimated that FinCEN will receive approximately 1,300 incoming Egmont requests from foreign FIUs seeking information derived from BSA reporting and make approximately 700 outgoing Egmont requests on behalf of U.S. law enforcement agencies seeking similar information from foreign FIUs.
• Identify significant relationships, trends and patterns: BSA reports unmask the relationships between illicit actors and their financing networks, enabling law enforcement to target the underlying conduct of concern, and to use forfeiture and sanctions to disrupt their ability to operate and finance their illicit conduct. BSA reports also reveal trends and patterns on criminal, terrorist and other emerging threats that enable law enforcement to focus limited resources.
Understanding and communicating the context and the purpose of FinCEN’s BSA/AML regime is as important to a financial institution’s culture as understanding its underlying requirements, and financial institutions should consider including such information as part of their ongoing training requirement. Information on how BSA reports are used can be found on FinCEN’s website and is routinely shared through numerous public-private training events involving FinCEN and its many law enforcement partners.
For Further Information
Questions or comments regarding the contents of this or any other advisories should be addressed to the FinCEN Resource Center at (800) 767-2825 or (703) 905-3591. Financial institutions wanting to report suspicious transactions that may relate to terrorist activity should call the Financial Institutions Toll-Free Hotline at (866) 556-3974 (7 days a week, 24 hours a day). The purpose of the hotline is to expedite the delivery of this information to law enforcement. Financial institutions should immediately report any imminent threat to local-area law enforcement officials.
FinCEN’s mission is to safeguard the financial system from illicit use and combat money laundering and promote national security through the collection, analysis, and dissemination of financial intelligence and strategic use of financial authorities.
[1] This advisory does not change any existing expectations or obligations under BSA/AML requirements. Similarly, this advisory is not intended to change or otherwise interpret regulatory expectations or obligations that financial institutions may have outside of the BSA. Financial institutions should also be familiar with and follow the guidance and requirements of their federal functional regulator and Self-Regulatory Organization (SRO) regarding any other applicable compliance obligations, such as those relating to safety and soundness, governance programs and enterprise-wide compliance. This advisory should not be interpreted in a manner inconsistent with previous guidance issued by FinCEN or any federal functional regulator or SRO. Financial institutions may refer to detailed guidance on FinCEN’s website organized by industry as well as to guidance provided by their appropriate federal functional regulator or SRO.
[2] Likewise, information sharing between financial institutions can often result in a more comprehensive picture of suspicious activity and more useful reporting to law enforcement. For additional information about the benefits of the 314(b) information sharing program, see the Section 314(b) Fact Sheet.
[3] BSA/AML compliance professionals should be familiar with the guidance that has been made available by the federal functional regulators, SROs and FinCEN to assist financial institutions with developing an effective compliance program. Such guidance includes, but is not limited to, industry specific examination manuals and other regulatory guidance.