We provide practical insights and recommendations on effective board oversight derived from regulatory guidance and recent enforcement examples.

October 28, 2020

Atlantic Community Bankers Bank (ACBB), based in Camp Hill, PA, entered into an agreement with its regulator, the Federal Reserve Bank of Philadelphia, on September 28 to improve its Bank Secrecy Act/Anti-Money Laundering (BSA/AML) and Office of Foreign Assets Control (OFAC) compliance program. Among the many provisions of the enforcement action, ACBB is required to improve board oversight and governance which includes:

  • enhancing the audit committee’s oversight by establishing the frequency of its meetings and maintaining adequate and complete meeting minutes
  • ensuring oversight of senior management and the BSA officer over implementation of the board-approved compliance program
  • ensuring adherence to the bank’s policies, procedures, and standards
  • ensuring that identified BSA/AML and OFAC related issues are appropriately tracked, escalated, and reviewed by senior management
  • ensuring that those that oversee the program have appropriate subject matter expertise and involvement
  • having appropriate staffing levels and resources for the program
  • improving board reporting

The enforcement action is yet another reminder for financial institutions of the importance of board involvement in, and appropriate oversight of, the BSA/AML and OFAC program. Yet, while guidance from bank regulators and enforcement authorities makes clear that effective oversight requires knowledgeable and active engagement from directors, these requirements are often abstract. Here, we provide practical insights and recommendations on effective board oversight derived from regulatory guidance and recent enforcement examples, with a focus on: tone at the top, adequate staffing and resources, staying informed, and monitoring and independent testing.

Corporate governance and board oversight have seized the spotlight in recent years. Among other measures, boards of all financial institutions are required to adopt and implement a BSA/AML compliance program that includes, at a minimum:

  1. an effective system of internal policies, procedures, and controls
  2. a BSA/AML compliance officer
  3. periodic officer, director, and employee training
  4. independent testing of the BSA/AML program
  5. a risk-based customer due diligence program

Bank regulators expect BSA/AML compliance programs to be reasonably designed to assure and monitor compliance with the BSA and its implementing regulations. Similarly, in accordance with the U.S. Sentencing Guidelines and Justice Manual, compliance programs are intended to establish standards and procedures to detect and prevent criminal conduct.

With the backdrop of these five pillars, financial institution board members have two overarching responsibilities:

  1. to approve BSA/AML compliance programs that are reasonably designed to prevent and detect violations
  2. to exercise reasonable oversight to ensure that such programs are reasonably effective

The consequences of oversight failure can be severe. In extreme cases, board members may face individual civil and criminal liability. More commonly, failure of board oversight results in high penalties, enforcement actions, ongoing and expensive monitoring, and reputational harm to the institution.

Civil liability for board members may include claims for breach of fiduciary duties by both shareholders and financial institution regulators. As first established under Delaware’s Caremark holding, and later expanded by its progeny, directors’ duty of care includes oversight. Under Caremark, directors have a “duty to be active monitors of corporate performance,” including monitoring or overseeing the corporation’s operations and being informed of risks or problems requiring attention. To that end, boards must implement and oversee a compliance program to detect potential violations of law, regulations or corporate policy. Compliance programs must enable the board to track and analyze compliance issues, direct remediation steps, and ensure that compliance issues do not recur.

Board members can also face criminal liability. As highlighted by the September 2015 Yates Memorandum, the Department of Justice (DOJ) has made prosecuting individuals an enforcement priority in corporate investigations, with particular emphasis on identifying senior-level officials and directors who are involved in any alleged misconduct.

The effectiveness of a bank’s compliance program is taken into consideration by bank examiners, prosecutors, and sentencing judges. Oversight can thus also influence charging decisions and assessment of corporate fines and penalties.

Board Responsibilities

The examination manual of the Federal Financial Institutions Examination Council (FFIEC) states that the board of directors “has primary responsibility for ensuring that the bank has a comprehensive and effective BSA/AML compliance program and oversight framework that is reasonably designed to ensure compliance with BSA/AML regulation.”

While competent oversight begins with the tone at the top, the board should also clearly understand the relationship between the bank’s customers and services and their risk profile. With this knowledge, the board can establish internal policies, procedures, and controls to determine the number and type of staff needed to manage the BSA/AML program.

Additionally, while board members are not expected to be experts in every law or regulation impacting BSA/AML compliance, they are expected to be educated enough to understand and oversee their own compliance programs. This knowledge should include an understanding of the expected number of alerts and investigations, the percentage of false positives, and the results of above- and below-threshold testing for transaction monitoring scenarios.

Finally, enforcement actions frequently revolve around failure to identify program deficiencies, lack of or delays in reacting to unresolved deficiencies, or failure to update policies and procedures in response to shifting regulatory guidance or newly identified risks of enforcement actions. Board members should ensure that their BSA/AML officer and senior management have the requisite knowledge and experience to perform their roles in the financial institution’s BSA/AML program and periodically obtain an independent assessment of the program’s staffing structure, size, experience, qualifications, authority, independence, and the adequacy of its technological resources, including peer benchmarking and projections of future needs.

Creating a Culture of Compliance: Tone at the Top

Effective board oversight begins with the tone at the top. Bank regulators expect board members to set an appropriate culture of compliance, establish clear policies regarding the management of key BSA/AML risks, and verify adherence to these policies in practice.

Failure to convey an appropriate tone at the top is often cited in enforcement actions. Specifically, boards must confirm that compliance policies and procedures are clear, adhered to, and endorsed across all levels of the organization. The significance of compliance must go beyond policy statements by, for example: 1) incorporating compliance as a factor in measuring employee and management performance and compensation, including clawback provisions; 2) establishing spot awards or other types of recognition for employees and managers who demonstrate prioritizing compliance; 3) communicating reminders for employees about the importance of compliance, such as posters in common areas, periodic emails from senior management, screensavers, reminders on the institution’s intranet, periodic training, and the like.

Boards should understand BSA/AML risk in their organization by developing a risk appetite for material activities and holding senior management responsible for adherence. This includes actively reviewing compliance reporting on changes in risk environment and red flag identification, as well as ensuring that appropriate responses are made in a timely fashion. Highlighted below are examples of key actions board members can take derived from regulatory guidance:

  • Demonstrate clear and unequivocal expectations about compliance not only within the institution but also to third-party providers
  • Ensure that the BSA/AML compliance function has an appropriately prominent status within the organization
  • Ensure that the board’s views about the importance of BSA/AML compliance are understood and communicated across all levels
  • Ensure that efforts to manage and mitigate BSA/AML deficiencies and risks are not compromised by revenue interests
  • Ensure that senior management has established appropriate incentives to integrate compliance objectives into the management goals and compensation structure
  • Ensure that appropriate disciplinary and other actions are taken when serious compliance failures are identified

Finally, boards must make sure there is an appropriate whistleblower and reporting program in place and that employees are encouraged and rewarded for reporting instances of non-compliance and/or areas of concern.

Staffing and Resources

While the tone at the top is essential to maintaining an effective BSA/AML program, regulators and enforcement authorities expect BSA/AML compliance to be more than just a paper program. Board members are ultimately responsible for the bank’s BSA/AML program and are expected to exercise oversight over the individual(s) designated by the board to manage day-to-day compliance with the BSA requirements. Key indicators of effective oversight in this context include:

  1. hiring qualified staff
  2. providing such staff with adequate decision-making authority, independence, and resources
  3. allowing access to the board to report compliance issues
  4. holding staff accountable for implementing an effective compliance management system

To avoid the mistakes made by others, board members should review the qualifications, experience, background, and credentials of existing and prospective senior-level BSA/AML staff to ensure that they have a level of experience commensurate with the bank’s size, complexity, and risk profile. The board should consider interviewing more senior-level prospective candidates who will be performing BSA/AML functions. If unable to recruit qualified candidates, the board should take advantage of interagency guidance that encourages financial institutions to share BSA/AML resources.

As described in applicable guidance, sharing resources “… may also provide access to specialized expertise that may otherwise be challenging to acquire without the collaboration.” Sharing resources also includes utilizing outside consultants.

Staying Informed and Responding to the Detection of BSA/AML Violations

As part of their responsibility to oversee the BSA/AML program, board members must understand the importance of these regulatory requirements, the ramifications of non-compliance, and the risks posed to the bank. Without such understanding, the FFIEC says the board “cannot adequately provide BSA/AML oversight, approve BSA/AML policies, procedures, and processes, or provide sufficient BSA/AML resources.”

The board must be aware of the trends and status of the program’s alerts and investigations, be properly trained in a manner appropriate for their position, and stay apprised of changes to BSA/AML rules, regulations, and trends.

Additionally, the board must hold management accountable for taking prompt and adequate corrective action in response to identified deficiencies and/or violations, whether identified internally or by an outside regulator. Such corrective action must be tailored to prevent similar conduct.

One of the many issues often identified by the regulators is the inadequacy of the BSA/AML program reports provided by management to the board. Examples of specific reporting obligations include the following:

  • any trends in unusual or suspicious activity that have been identified and reported by the bank, as well as the product lines, departments and branches in which suspicious activity has occurred
  • high-risk accounts by line of business and type of business, countries of origin, location of the customers’ businesses and residences, average dollar and transaction volume of activity
  • information regarding any type of grand jury or law enforcement subpoena received by the bank, any other law enforcement inquiry directed to the bank, and any action taken by the bank on the affected account
  • information regarding pouch activity, politically exposed persons (PEPs), and foreign correspondent accounts
  • any additional information deemed necessary or appropriate by the BSA officer or the bank

Board members can obtain information by attending appropriate board-specific training, requesting and reviewing BSA/AML reports, and keeping apprised of new rules, regulations, and trends.

Training

The board should receive training tailored to the risk profile of the entity and designed to provide directors with sufficient understanding to be able to confirm that BSA/AML training is being conducted for all relevant individuals at the institution. While boards may not require the same degree of training as, for example, operations personnel, they must nevertheless be well acquainted with the regulatory requirements, the ramifications of non-compliance, and the entity’s specific BSA/AML risks. Boards need enough knowledge of the BSA systems and procedures in place to be able to provide effective oversight, approve BSA/AML policies, and assess the consequences and impact of the data and KPIs being reported by management.

Reporting

The board must receive sufficient reporting on key risk indicators that includes accurate information on the number of alerts, the number of investigations, the number of SARs filed, and whether SARs are being filed in a timely manner. They must be kept aware of, and in some cases consulted on, important SAR/No-SAR decisions and whether the results of multiple SARs filed for a single customer or customers warrant termination of a relationship.

Awareness of Rules, Regulations, and Trends

Along with receiving reports and appropriate training, boards should be made aware of new BSA/AML rules, regulations, and trends, and have a grasp on how the financial institution is attempting to comply. Similarly, boards should review recent enforcement actions, such as those described in this series, and seek solid understanding as to whether their own financial institution has similar issues and/or how the enforcement action may affect them. This information is critical to allow directors to ask thoughtful questions that can help ensure an efficient and effective BSA/AML compliance program.

Board members should also review any reports of examinations or other supervisory activity and relevant correspondence from the institution’s supervisors, and periodically assess compliance policies and procedures to foresee a need for changes to adapt to newly identified risks or deficiencies.

Monitoring and Independent Testing

Board members may not delegate responsibility for overseeing the establishment of a system of internal controls and the internal and external audit functions. The core tools for effective BSA/AML oversight in these areas include:

  • monitoring and auditing a system of internal controls
  • periodic risk assessments
  • periodic evaluations of effectiveness

A sound framework of internal controls is essential to preventing and detecting fraud, and a reliable and objective audit function provides assurance to the board that the bank’s internal controls are sufficiently robust to identify, test, and report on key risks in the bank. Periodic risk assessments and evaluations help the board monitor the compliance program and internal controls for responses to compliance failures and emerging or evolving risk.

Among the most common internal controls for BSA/AML programs is the transaction monitoring system. To avoid the mistakes of others, boards must periodically review the independent model validation for the BSA/AML transaction monitoring system to assess whether the system is adequately designed, is operating effectively, and has appropriate thresholds. This should also include obtaining a periodic independent assessment of the bank’s overall risk governance and risk management practices.

Additionally, persons conducting BSA/AML testing should report directly to the board of directors or to a designated board committee comprised of independent directors. Any violations, policy or procedure exceptions, or other deficiencies noted should be reported to the board or designated committee and the audit staff should track and document deficiencies and corrective actions.

Boards Must Be Active in Oversight Role

Federal Reserve Chairman Powell has said, “Across a range of responsibilities, we simply expect much more of boards of directors than ever before. There is no reason to expect that to change.”

These heightened expectations with respect to the BSA/AML programs of financial institutions put more pressure than ever on boards to ensure that their institutions are operating in compliance with applicable laws and regulatory expectations, and they are not going anywhere anytime soon. To meet these standards, boards must stay current on all important regulatory developments and take an active approach to satisfying the board’s oversight role. By doing so, they will be able to reduce their potential exposure to penalties and fines, enforcement actions, and other liability related to ineffective oversight and other egregious conduct.

Co-authored by:

James Stevens, JD
Partner, Troutman Pepper
+1.404.885.3721
james.stevens@troutman.com