Atlantic Community Bankers Bank (ACBB), based in Camp Hill, PA, entered into an agreement with its regulator, the Federal Reserve Bank of Philadelphia, on September 28 to improve its Bank Secrecy Act/Anti-Money Laundering (BSA/AML) and Office of Foreign Assets Control (OFAC) compliance program. Among the many provisions of the enforcement action, ACBB is required to improve board oversight and governance, which includes:
The enforcement action is yet another reminder for financial institutions of the importance of board involvement in, and appropriate oversight of, the BSA/AML and OFAC program. Yet, while guidance from bank regulators and enforcement authorities makes clear that effective oversight requires knowledgeable and active engagement from directors, these requirements are often abstract. Here, we provide practical insights and recommendations on effective board oversight derived from regulatory guidance and recent enforcement examples, with a focus on: tone at the top, adequate staffing and resources, staying informed, and monitoring and independent testing.
Corporate governance and board oversight have seized the spotlight in recent years. Among other measures, boards of all financial institutions are required to adopt and implement a BSA/AML compliance program that includes, at a minimum:
Bank regulators expect BSA/AML compliance programs to be reasonably designed to assure and monitor compliance with the BSA and its implementing regulations. Similarly, in accordance with the U.S. Sentencing Guidelines and Justice Manual, compliance programs are intended to establish standards and procedures to detect and prevent criminal conduct.
With the backdrop of these five pillars, financial institution board members have two overarching responsibilities:
The consequences of oversight failure can be severe. In extreme cases, board members may face individual civil and criminal liability. More commonly, failure of board oversight results in high penalties, enforcement actions, ongoing and expensive monitoring, and reputational harm to the institution.
Civil liability for board members may include claims for breach of fiduciary duties by both shareholders and financial institution regulators. As first established under Delaware’s Caremark holding, and later expanded by its progeny, directors’ duty of care includes oversight. Under Caremark, directors have a “duty to be active monitors of corporate performance,” including monitoring or overseeing the corporation’s operations and being informed of risks or problems requiring attention. To that end, boards must implement and oversee a compliance program to detect potential violations of law, regulations or corporate policy. Compliance programs must enable the board to track and analyze compliance issues, direct remediation steps, and ensure that compliance issues do not recur.
Board members can also face criminal liability. As highlighted by the September 2015 Yates Memorandum, the Department of Justice (DOJ) has made prosecuting individuals an enforcement priority in corporate investigations, with particular emphasis on identifying senior-level officials and directors who are involved in any alleged misconduct.
The effectiveness of a bank’s compliance program is taken into consideration by bank examiners, prosecutors, and sentencing judges. Oversight can thus also influence charging decisions and assessment of corporate fines and penalties.
The examination manual of the Federal Financial Institutions Examination Council (FFIEC) states that the board of directors “has primary responsibility for ensuring that the bank has a comprehensive and effective BSA/AML compliance program and oversight framework that is reasonably designed to ensure compliance with BSA/AML regulation.”
While competent oversight begins with the tone at the top, the board should also clearly understand the relationship between the bank’s customers and services and their risk profile. With this knowledge, the board can establish internal policies, procedures, and controls to determine the number and type of staff needed to manage the BSA/AML program.
Additionally, while board members are not expected to be experts in every law or regulation impacting BSA/AML compliance, they are expected to be educated enough to understand and oversee their own compliance programs. This knowledge should include an understanding of the expected number of alerts and investigations, the percentage of false positives, and the results of above- and below-threshold testing for transaction monitoring scenarios.
Finally, enforcement actions frequently revolve around failure to identify program deficiencies, lack of or delays in reacting to unresolved deficiencies, or failure to update policies and procedures in response to shifting regulatory guidance or newly identified risks of enforcement actions. Board members should ensure that their BSA/AML officer and senior management have the requisite knowledge and experience to perform their roles in the financial institution’s BSA/AML program and periodically obtain an independent assessment of the program’s staffing structure, size, experience, qualifications, authority, independence, and the adequacy of its technological resources, including peer benchmarking and projections of future needs.
Effective board oversight begins with the tone at the top. Bank regulators expect board members to set an appropriate culture of compliance, establish clear policies regarding the management of key BSA/AML risks, and verify adherence to these policies in practice.
Failure to convey an appropriate tone at the top is often cited in enforcement actions. Specifically, boards must confirm that compliance policies and procedures are clear, adhered to, and endorsed across all levels of the organization. The significance of compliance must go beyond policy statements by, for example: 1) incorporating compliance as a factor in measuring employee and management performance and compensation, including clawback provisions; 2) establishing spot awards or other types of recognition for employees and managers who demonstrate prioritizing compliance; 3) communicating reminders for employees about the importance of compliance, such as posters in common areas, periodic emails from senior management, screensavers, reminders on the institution’s intranet, periodic training, and the like.
Boards should understand BSA/AML risk in their organization by developing a risk appetite for material activities and holding senior management responsible for adherence. This includes actively reviewing compliance reporting on changes in risk environment and red flag identification, as well as ensuring that appropriate responses are made in a timely fashion. Highlighted below are examples of key actions board members can take derived from regulatory guidance:
Finally, boards must make sure there is an appropriate whistleblower and reporting program in place and that employees are encouraged and rewarded for reporting instances of non-compliance and/or areas of concern.
While the tone at the top is essential to maintaining an effective BSA/AML program, regulators and enforcement authorities expect BSA/AML compliance to be more than just a paper program. Board members are ultimately responsible for the bank’s BSA/AML program and are expected to exercise oversight over the individual(s) designated by the board to manage day-to-day compliance with the BSA requirements. Key indicators of effective oversight in this context include:
To avoid the mistakes made by others, board members should review the qualifications, experience, background, and credentials of existing and prospective senior-level BSA/AML staff to ensure that they have a level of experience commensurate with the bank’s size, complexity, and risk profile. The board should consider interviewing more senior-level prospective candidates who will be performing BSA/AML functions. If unable to recruit qualified candidates, the board should take advantage of interagency guidance that encourages financial institutions to share BSA/AML resources.
As described in applicable guidance, sharing resources “… may also provide access to specialized expertise that may otherwise be challenging to acquire without the collaboration.” Sharing resources also includes utilizing outside consultants.
As part of their responsibility to oversee the BSA/AML program, board members must understand the importance of these regulatory requirements, the ramifications of non-compliance, and the risks posed to the bank. Without such understanding, the FFIEC says the board “cannot adequately provide BSA/AML oversight, approve BSA/AML policies, procedures, and processes, or provide sufficient BSA/AML resources.”
The board must be aware of the trends and status of the program’s alerts and investigations, be properly trained in a manner appropriate for their position, and stay apprised of changes to BSA/AML rules, regulations, and trends.
Additionally, the board must hold management accountable for taking prompt and adequate corrective action in response to identified deficiencies and/or violations, whether identified internally or by an outside regulator. Such corrective action must be tailored to prevent similar conduct.
One of the many issues often identified by the regulators is the inadequacy of the BSA/AML program reports provided by management to the board. Examples of specific reporting obligations include the following:
Board members can obtain information by attending appropriate board-specific training, requesting and reviewing BSA/AML reports, and keeping apprised of new rules, regulations, and trends.
The board should receive training tailored to the risk profile of the entity and designed to provide them sufficient understanding to be able to confirm that BSA/AML training is being conducted for all relevant individuals at the institution. While boards may not require the same degree of training as, for example, operations personnel, they must nevertheless be well acquainted with the regulatory requirements, the ramifications of non-compliance, and the entity’s specific BSA/AML risks. Boards need enough knowledge of the BSA systems and procedures in place to be able to provide effective oversight, approve BSA/AML policies, and assess the consequences and impact of the data and KPIs being reported by management.
The board must receive sufficient reporting on key risk indicators that includes accurate information on the number of alerts, the number of investigations, the number of SARs filed, and whether SARs are being filed in a timely manner. They must be kept aware of, and in some cases consulted on, important SAR/No-SAR decisions and whether the results of multiple SARs filed for a single customer or customers warrant termination of a relationship.
Along with receiving reports and appropriate training, boards should be made aware of new BSA/AML rules, regulations, and trends, and have a grasp on how the financial institution is attempting to comply. Similarly, boards should review recent enforcement actions, such as those described in this series, and seek solid understanding as to whether their own financial institution has similar issues and/or how the enforcement action may affect them. This information is critical to allow directors to ask thoughtful questions that can help ensure an efficient and effective BSA/AML compliance program.
Board members should also review any reports of examinations or other supervisory activity and relevant correspondence from the institution’s supervisors, and periodically assess compliance policies and procedures to foresee a need for changes to adapt to newly identified risks or deficiencies.
Board members may not delegate responsibility for overseeing the establishment of a system of internal controls and the internal and external audit functions. The core tools for effective BSA/AML oversight in these areas include:
A sound framework of internal controls is essential to preventing and detecting fraud, and a reliable and objective audit function provides assurance to the board that the bank’s internal controls are sufficiently robust to identify, test, and report on key risks in the bank. Periodic risk assessments and evaluations help the board monitor the compliance program and internal controls for responses to compliance failures and emerging or evolving risk.
Among the most common internal controls for BSA/AML programs is the transaction monitoring system. To avoid the mistakes of others, boards must periodically review the independent model validation for the BSA/AML transaction monitoring system to assess whether the system is adequately designed and operating effectively and that thresholds are appropriate. This should also include obtaining a periodic independent assessment of the bank’s overall risk governance and risk management practices.
Additionally, persons conducting BSA/AML testing should report directly to the board of directors or to a designated board committee composed of independent directors. Any violations, policy or procedure exceptions, or other deficiencies noted should be reported to the board or designated committee, and the audit staff should track and document deficiencies and corrective actions.
Federal Reserve Chairman Powell has said, “Across a range of responsibilities, we simply expect much more of boards of directors than ever before. There is no reason to expect that to change.”
These heightened expectations with respect to the BSA/AML programs of financial institutions put more pressure than ever on boards to ensure that their institutions are operating in compliance with applicable laws and regulatory expectations, and they are not going anywhere anytime soon. To meet these standards, boards must stay current on all important regulatory developments and take an active approach to satisfying the board’s oversight role. By doing so, they will be able to reduce their potential exposure to penalties and fines, enforcement actions, and other liability related to ineffective oversight and other egregious conduct.
James Stevens, JD
Partner, Troutman Pepper