iGenerally speaking, banks and other financial institutions fall under the guise of federal anti-money laundering (AML) statutes, like the Bank Secrecy Act (BSA). These AML laws require financial institutions to take strict precautions to prevent customers from laundering their money.
In order to satisfy those requirements, financial institutions should conduct an effective risk management program focusing on risk assessments to determine what compliance measures they need to take, and then conduct audits of those compliance measures to make sure that they are working. Failing to conduct these assessments and audits can expose your bank, credit union, or other covered entity to the legal liabilities and reputational harm that can come with non-compliance.
AML Risk Assessments
The most important first step in all AML compliance efforts is the AML risk assessment. This risk assessment uses key risk indicators to monitor increasing risk exposures of various financial institutions. Without one, any compliance protocol or AML compliance program that a financial institution composes for itself is blind.
The reality is that all financial institutions are different. Just look at the wide variety of “financial institutions” that are covered by the BSA, at 31 U.S.C. § 5312(a)(2):
-
Credit unions
-
Banks that are insured by the Federal Deposit Insurance Corporation (FDIC)
-
Insurance companies
-
Casinos
-
Travel agencies
And these are only five types of entities that fall within the BSA’s definition of a “financial institution.” There are 21 others.
Even companies that fall under the same type of entity, though, can be facing drastically different risks when it comes to money laundering and terrorist financing. Credit unions that only serve a small geographic area are generally going to have fewer risks than those that operate across the country. However, even if a credit union’s reach is very small, if its clientele is composed of a lot of people who have international connections or who conduct business outside of the country, its legal exposure to AML laws can balloon quite quickly.
Close scrutiny of a financial institution’s particular business practices is essential for assessing the risks that they face under AML statutes. As Dr. Nick Oberheiden, founding partner of the AML compliance law firm Oberheiden P.C., frequently tells financial institution clients, “Details matter when discussing a financial institution’s risks of legal liability under federal anti-money laundering laws. The limits of your institution’s business practices can eliminate entire swaths of statutory and regulatory requirements, making it easier to focus your compliance efforts on what it most needed to keep your business running smoothly and efficiently. Reaching this goal of a thorough but efficient compliance stratagem, however, requires the legal advice of an attorney with a nuanced understanding of anti-money laundering laws.”
Compliance Measures Should Be Unique and Address Your Particular Risks
Only after the complete AML risk assessments have been performed should a compliance strategy even begin to be contemplated. Crafting a compliance plan before ascertaining a financial institution’s specific AML risks would waste time and effort, as the assessment would reveal areas that are of little practical concern to your bank, but which would have already been thoroughly covered by your compliance strategy.
In fact, creating a compliance plan that is uniquely tailored to your financial institution, rather than just a generic, cookie-cutter compliance outline, is itself a legal requirement. The Financial Crimes Enforcement Network (FinCEN) is the bureau of the U.S. Department of the Treasury that promulgates regulations to enforce anti-money laundering laws. One of those regulations, 31 C.F.R. § 1010.610, describes the required due diligence programs for detecting money laundering as being “appropriate, specific, [and] risk-based.”
Not only are generalized, copy/pasted compliance protocols unlikely to be effective in preventing money laundering at your financial institution; but they also might not satisfy the minimum requirements of federal law enforcement agencies.
Auditing Your Compliance Measures is a Core Component of Compliance
Something that lots of managers and senior executives at financial institutions do not fully appreciate is the fundamental importance that audits have in an adequate compliance strategy. When many executives see that their compliance protocols have been adopted and are in place, they think that they are done and that the company can move on and shift its budget elsewhere.
That is not the case at all.
Once in place, all compliance protocols, including those that further your anti-money laundering efforts, have to be maintained and tested to ensure that they are doing what they are supposed to do. It is not unheard of for aspects of a compliance strategy to sound all-encompassing on paper, only to prove to be inadequate in practice. These shortcomings will not be detected if a financial institution creates a compliance plan and then does not subject it to rigorous internal audits.
Additionally, even a perfectly crafted compliance plan can still benefit from a good audit procedure. Just because the internal policies and rules are in place does not mean that everyone in your financial institution is following them. A single employee’s failure to adhere to their role in the company’s anti-money laundering compliance protocol can expose the entire institution to legal liability for noncompliance, as well as the reputational harm that can come with an announcement of a federal law enforcement investigation.
Audits are also essential to uncover inside schemes to launder money within the financial institution. It is not uncommon for criminal enterprises and bad actors to try to get one of their agents inside a financial institution or bank, and then use that insider to launder money or commit other financial crimes. Banks and other financial institutions have a strong interest in uncovering these inside jobs – not only to root out money laundering and comply with their legal obligations but also to avoid the stain on their reputation that would come if the inside agent was first discovered by law enforcement, rather than through an internal audit.
In the end, auditing your financial institution’s AML compliance protocols is a worthwhile investment. It shows law enforcement that you are taking compliance seriously. It can uncover shortcomings or holes in the compliance mechanisms that are in place. And it can protect the integrity and reputation of the financial institution, itself.
