Regulatory compliance costs, particularly those related to the Bank Secrecy Act and anti-money laundering and economic sanctions regulations (BSA/AML), impose a significant burden on banks and financial institutions. Smaller banks, especially regional banks, community banks, and credit unions that typically service a small geographic area of specific communities, feel this burden more acutely. Many community banks in rural areas face a challenge in finding experts who are experienced, are qualified, and have the right background, credentials, and education. Furthermore, the available resources often have a limited perspective from their experience with other community banks and may therefore be unable to share broader knowledge and good practices, especially in relation to addressing emerging AML risk topics.
To address concerns emanating from the rising compliance costs, the Board of Governors of the Federal Reserve System (FRB), the Federal Deposit Insurance Corporation (FDIC), the National Credit Union Administration (NCUA), the Office of the Comptroller of the Currency (OCC), and the U.S. Department of Treasury’s Financial Crimes Enforcement Network (FinCEN) published a joint statement in October 2018 that banks should consider entering into collaborative arrangements to share resources make their BSA/AML programs more efficient and cost-effective. According to the interagency guidance, “Collaborative arrangements involve two or more banks with the objective of participating in a common activity or pooling resources to achieve a common goal. Banks use collaborative arrangements to pool human, technology, or other resources to reduce costs, increase operational efficiencies, and leverage specialized expertise.”
Resource sharing could significantly reduce banks’ BSA/AML compliance costs. Apart from the obvious cost benefits, resource sharing also allows access to specialized expertise that may be expensive or unnecessary for each bank to develop in-house. James Stevens, a Partner at law firm Troutman Sanders LLP, says, “I have not seen any clients actually take advantage of this yet, but I think many of them should consider it. Banks are required to have complicated BSA compliance programs in place and creating and maintaining programs with the appropriate level of sophistication is time-consuming, requires specialized expertise, and is expensive. As suggested by the regulators, I think it would be a great idea for banks to collaborate when it comes to things like preparation of policies, training, and internal controls. I think the key is to keep it to the parts of the program that do not involved shared employees or shared data, as the risks associated with that type of sharing probably outweigh the benefits."
While adoption by banks has been slow so far, recent market trends and behaviors are exerting tremendous pressure on banks and their compliance departments and highlight the urgent need to strongly reconsider the benefits afforded by collaborative resource sharing arrangements:
Collaboration is most suitable for banks with risk-averse business operations, considering their product and service mix, customer segments, and the geographies they serve. Many community banks would be ideally placed to take advantage of resource sharing. . All banks are required to establish and maintain a BSA/AML program that includes policies and procedures reasonably designed to ensure compliance with "BSA regulations.
Such programs must include the following Five Pillars:
In examining each of these areas, we see how banks might collaborate for greater cost efficiencies while managing their individual AML risks.
Banks might be able to safely and effectively share resources in the development, enhancement, and review of BSA/AML policies and procedures, including “Know Your Customer” (KYC) and customer identification and due diligence procedures.
The sharing of a BSA/AML officer among banks could prove to be challenging due to the confidential nature of suspicious activity reports and the ability of the BSA officer to effectively coordinate and monitor each bank’s day-to-day BSA/AML compliance. In addition, the sharing of a BSA officer may create challenges with effective communication between the officer and each bank’s board of directors and senior management.
Smaller community banks may not have an in-house internal audit department or other personnel who have a sufficient degree of independence from the BSA/AML compliance area to effectively perform independent testing engagements. In such a scenario, banks may enter into agreements with other banks to have their compliance or operations personnel perform independent testing. Alternatively, banks may engage third-party service providers that have the necessary expertise to serve as a shared service independent testing firm for multiple banks in the region. In either case, banks need to exercise care and put appropriate safeguards in place to ensure the confidentiality of sensitive business data, especially suspicious activity reporting information. They should also take care to ensure that the person or persons performing independent testing are not also providing some other shared service to the bank that impairs their independence.
Training and education also lend themselves to a collaborative arrangement. Community banks in certain areas may not have access to BSA/AML experts or may find hiring personnel with the specialized knowledge required to provide training cost prohibitive. Banks could share the cost of bringing in a qualified third-party trainer.
Banks can potentially outsource elements of implementing a customer due diligence (CDD) program to third parties that specialize in this area. Due to the sensitivity of handling and sharing customer information with competing banks, CDD program implementation / ongoing maintenance is not amenable to resource sharing arrangements with other banks that may be competing for the same customers’ business.
While resource sharing could be very beneficial to banks, appropriate oversight and monitoring mechanisms are vital. Service-level agreements (SLAs) that clearly spell out the terms and conditions of the collaborative arrangements, details of service provided, confidentiality protocols, key performance indicators, and key risk indicators need to be defined. A clear definition of monitoring and oversight controls is key to determining whether established criteria for success are being met or to suggest course corrections if they are not. Management must periodically review performance under the SLAs in line with the existing regulatory guidance regarding third-party and service-provider risk management. Protection of confidential data, including confidential supervisory information on competitive strategies and business plans; data on suspicious activity reports (SARs), especially related to SAR suspects; and protection of customer data under privacy/data protection laws like the Gramm-Leach-Bliley Act and California Consumer Protection Act, is paramount. Oversight and monitoring controls will provide a transparent view of the key risks and whether appropriate mitigation strategies are in place at each bank. This will enable the board of directors to fulfill its corporate governance and oversight obligations. It is important to note that implementing resource-sharing arrangements does not relieve a bank of its responsibilities to maintain an effective compliance program that adheres to the BSA requirements.
Outsourcing or sharing resources provides banks with greater access to subject matter experts who have experience working with many types of financial institutions and sizes of banks on a wide variety of issues. Banks thus gain better insights and practices that can help enhance their BSA/AML programs in line with regulatory expectations. Further, using outsourced resources can be cost-effective, considering the fixed costs of employing full-time staff, including salaries, insurance costs, and benefits. Outsourcing or resource-sharing arrangements can help banks move to a more flexible “as-needed” cost structure. Attorney James Stevens also says, “By leveraging outsourced service providers, banks can get overflow staffing, technical expertise, and lower costs than if they try to implement and maintain all aspects of these programs on their own. Banks are and have always been the ultimate outsourcers when it comes to other mission-critical operations – like IT – and I think they should consider using that same model in other areas of banking today that require time, expertise, and funding that they may not have.”
Current societal and business conditions make entering into collaborative resource-sharing agreements between banks increasingly compelling. However, while significant benefits can accrue from sharing resources to manage BSA/AML obligations more efficiently and effectively, banks should remain diligent in their execution of collaborative arrangements and put appropriate safeguards and monitoring mechanisms in place to mitigate risks.