Regulatory compliance costs, particularly those related to the Bank Secrecy Act and anti-money laundering and economic sanctions regulations (BSA/AML), impose a significant burden on banks and financial institutions. Smaller banks, especially regional banks, community banks, and credit unions that typically service a small geographic area of specific communities, feel this burden more acutely. Many community banks in rural areas face a challenge in finding experts who are experienced, are qualified, and have the right background, credentials, and education. Furthermore, the available resources often have a limited perspective from their experience with other community banks and may therefore be unable to share broader knowledge and good practices, especially in relation to addressing emerging AML risk topics.

To address concerns emanating from the rising compliance costs, the Board of Governors of the Federal Reserve System (FRB), the Federal Deposit Insurance Corporation (FDIC), the National Credit Union Administration (NCUA), the Office of the Comptroller of the Currency (OCC), and the U.S. Department of Treasury’s Financial Crimes Enforcement Network (FinCEN) published a joint statement in October 2018 that banks should consider entering into collaborative arrangements to share resources make their BSA/AML programs more efficient and cost-effective. According to the interagency guidance, “Collaborative arrangements involve two or more banks with the objective of participating in a common activity or pooling resources to achieve a common goal. Banks use collaborative arrangements to pool human, technology, or other resources to reduce costs, increase operational efficiencies, and leverage specialized expertise.”

Impetus for Renewed Focus on Resource Sharing

Resource sharing could significantly reduce banks’ BSA/AML compliance costs. Apart from the obvious cost benefits, resource sharing also allows access to specialized expertise that may be expensive or unnecessary for each bank to develop in-house. James Stevens, a Partner at law firm Troutman Sanders LLP, says, “I have not seen any clients actually take advantage of this yet, but I think many of them should consider it. Banks are required to have complicated BSA compliance programs in place and creating and maintaining programs with the appropriate level of sophistication is time-consuming, requires specialized expertise, and is expensive. As suggested by the regulators, I think it would be a great idea for banks to collaborate when it comes to things like preparation of policies, training, and internal controls. I think the key is to keep it to the parts of the program that do not involved shared employees or shared data, as the risks associated with that type of sharing probably outweigh the benefits."

While adoption by banks has been slow so far, recent market trends and behaviors are exerting tremendous pressure on banks and their compliance departments and highlight the urgent need to strongly reconsider the benefits afforded by collaborative resource sharing arrangements:

1. The COVID-19 pandemic has placed large parts of the country on lockdown and will inevitably lead to a reduction of business volume and revenue within banking. Closure of customers’ businesses, massive layoffs, and deep economic recessions will create intense cost pressures. Further, large-scale staffing reductions are likely to have a material adverse impact on business processes, including compliance, weakening internal control structures and rendering them potentially inadequate to fulfill BSA and other key compliance requirements.
   
   
2. Bank customers are increasingly withdrawing large volumes of cash in a state of panic. Many are turning to mobile apps and digital banking services, as they may be unable to physically visit the bank. This is true even among demographics that would not normally use such channels, such as the elderly. This surge is a challenge for BSA compliance teams, as the increased volume of transaction data, especially in cash, is rendering it difficult to differentiate between legitimate and potentially illegal activities. Financial intelligence units (FIUs) are further hampered by remote work requirements where full access to key information, including alert and case details and customer data such as know your customer/customer identification program (KYC/CIP) information, is not readily available (especially if stored in disparate legacy and stand-alone systems or in paper files).
   
   
3. There seems to be a marked increase in fraud, financial crimes, and cybercrimes, with many scammers attempting to take advantage of a vulnerable population already experiencing tremendous disruption due to the COVID-19 health crisis compounded by the economic crisis. Organizations are grappling with reduced work forces functioning remotely without face-to-face contact for weeks on end. Increasing cybercrime risks are evident as IT infrastructure and resources are stretched thin. IT groups have their hands full ensuring business continuity and resiliency infrastructure is set up and running smoothly and providing remote support as needed. There has been a surge in imposter scams, with bad actors posing as governmental agencies to solicit donations, seek confidential information, or install malware. Additionally, we are seeing an increase in product scams, with companies and individuals making fraudulent claims about medical products to cure COVID-19. Finally, many cases of price gouging have put pressure on FIUs’ ability to detect legitimate increases in cash activity versus illicit gains through price gouging.

Where Resource-Sharing Arrangements Can Be Most Effective

Collaboration is most suitable for banks with risk-averse business operations, considering their product and service mix, customer segments, and the geographies they serve. Many community banks would be ideally placed to take advantage of resource sharing. . All banks are required to establish and maintain a BSA/AML program that includes policies and procedures reasonably designed to ensure compliance with "BSA regulations.

Such programs must include the following Five Pillars:

1. A system of internal controls to ensure ongoing compliance
2. Designation of an individual or individuals responsible for managing BSA compliance (BSA compliance officer)
3. Independent testing of BSA/AML compliance
4. Training of appropriate personnel
5. Customer Due Diligence program and due diligence

In examining each of these areas, we see how banks might collaborate for greater cost efficiencies while managing their individual AML risks.

System of Internal Controls

Banks might be able to safely and effectively share resources in the development, enhancement, and review of BSA/AML policies and procedures, including “Know Your Customer” (KYC) and customer identification and due diligence procedures.

BSA/AML Officer

The sharing of a BSA/AML officer among banks could prove to be challenging due to the confidential nature of suspicious activity reports and the ability of the BSA officer to effectively coordinate and monitor each bank’s day-to-day BSA/AML compliance. In addition, the sharing of a BSA officer may create challenges with effective communication between the officer and each bank’s board of directors and senior management.

Independent Testing

Smaller community banks may not have an in-house internal audit department or other personnel who have a sufficient degree of independence from the BSA/AML compliance area to effectively perform independent testing engagements. In such a scenario, banks may enter into agreements with other banks to have their compliance or operations personnel perform independent testing. Alternatively, banks may engage third-party service providers that have the necessary expertise to serve as a shared service independent testing firm for multiple banks in the region. In either case, banks need to exercise care and put appropriate safeguards in place to ensure the confidentiality of sensitive business data, especially suspicious activity reporting information. They should also take care to ensure that the person or persons performing independent testing are not also providing some other shared service to the bank that impairs their independence.

BSA/AML Training

Training and education also lend themselves to a collaborative arrangement. Community banks in certain areas may not have access to BSA/AML experts or may find hiring personnel with the specialized knowledge required to provide training cost prohibitive. Banks could share the cost of bringing in a qualified third-party trainer.

Customer Due Diligence Program

Banks can potentially outsource elements of implementing a customer due diligence (CDD) program to third parties that specialize in this area. Due to the sensitivity of handling and sharing customer information with competing banks, CDD program implementation / ongoing maintenance is not amenable to resource sharing arrangements with other banks that may be competing for the same customers’ business.

Practical Considerations and Safeguards for Implementation

While resource sharing could be very beneficial to banks, appropriate oversight and monitoring mechanisms are vital. Service-level agreements (SLAs) that clearly spell out the terms and conditions of the collaborative arrangements, details of service provided, confidentiality protocols, key performance indicators, and key risk indicators need to be defined. A clear definition of monitoring and oversight controls is key to determining whether established criteria for success are being met or to suggest course corrections if they are not. Management must periodically review performance under the SLAs in line with the existing regulatory guidance regarding third-party and service-provider risk management. Protection of confidential data, including confidential supervisory information on competitive strategies and business plans; data on suspicious activity reports (SARs), especially related to SAR suspects; and protection of customer data under privacy/data protection laws like the Gramm-Leach-Bliley Act and California Consumer Protection Act, is paramount. Oversight and monitoring controls will provide a transparent view of the key risks and whether appropriate mitigation strategies are in place at each bank. This will enable the board of directors to fulfill its corporate governance and oversight obligations. It is important to note that implementing resource-sharing arrangements does not relieve a bank of its responsibilities to maintain an effective compliance program that adheres to the BSA requirements.

Outsourcing or sharing resources provides banks with greater access to subject matter experts who have experience working with many types of financial institutions and sizes of banks on a wide variety of issues. Banks thus gain better insights and practices that can help enhance their BSA/AML programs in line with regulatory expectations. Further, using outsourced resources can be cost-effective, considering the fixed costs of employing full-time staff, including salaries, insurance costs, and benefits. Outsourcing or resource-sharing arrangements can help banks move to a more flexible “as-needed” cost structure. Attorney James Stevens also says, “By leveraging outsourced service providers, banks can get overflow staffing, technical expertise, and lower costs than if they try to implement and maintain all aspects of these programs on their own. Banks are and have always been the ultimate outsourcers when it comes to other mission-critical operations – like IT – and I think they should consider using that same model in other areas of banking today that require time, expertise, and funding that they may not have.”

Keeping Safeguards in Place

Current societal and business conditions make entering into collaborative resource-sharing agreements between banks increasingly compelling. However, while significant benefits can accrue from sharing resources to manage BSA/AML obligations more efficiently and effectively, banks should remain diligent in their execution of collaborative arrangements and put appropriate safeguards and monitoring mechanisms in place to mitigate risks.