BSA/AML and OFAC Compliance: Top 10 Issues Facing Financial Institutions in 2017: #3
The more things change, the more they stay the same. Such is the case with the challenge of complying with the Bank Secrecy Act (BSA), anti-money laundering (AML), and economic sanctions rules for financial institutions. Even as new technologies, markets, and participants emerge in gray areas of regulation, BSA/AML compliance challenges are remarkably consistent across industries. New rules and guidance issued throughout 2016, along with the often debilitating nature of any hiccup in compliance with these rules, mean that BSA/AML and economic sanctions compliance remains atop the list of risks for financial institutions.
FinCEN’s Final Rule and Enforcement Actions
One of the most significant regulatory developments in 2016 was the issuance of the Financial Crimes Enforcement Network’s (FinCEN) final rule on customer due diligence and beneficial ownership requirements (Final Rule). FinCEN issued the Final Rule on May 11, 2016, and it became effective on July 11, 2016; however, covered financial institutions—including federally regulated banks, federally insured credit unions, mutual funds, brokers and dealers in securities, futures commission merchants, and introducing brokers in commodities—have until May 11, 2018, to come into full compliance with the Final Rule.
The Final Rule requires covered financial institutions to establish and maintain written procedures designed to identify and verify, at the time a new account is opened, the beneficial owners of legal entity customers. Note that this requirement applies to each new account opened, not only to each new customer. Financial institutions may comply by reasonably relying on information provided by the individual or entity opening the account, but only where the financial institution does not otherwise have any knowledge that would call into question the reliability of such information.
The Final Rule also requires financial institutions to implement risk-based procedures for conducting customer due diligence, which many institutions already have in place. These procedures must focus on understanding the nature and purpose of customer relationships in order to develop a customer risk profile. Financial institutions must also conduct ongoing monitoring, identify and report suspicious transactions, and maintain and update customer information. These new specific requirements, in addition to the existing rules, impose significant obligations to obtain and verify customer information. As such, financial institutions should consider enhancing their compliance policies, processes, record keeping, information technology practices, and employee training before the Final Rule’s May 11, 2018, compliance deadline.
FinCEN has also been active with enforcement actions that have focused heavily on failures to implement even the basic contours of a BSA/AML program. In particular, FinCEN has targeted inadequate risk assessments, failures in customer due diligence, and inconsistent transaction monitoring. Enforcement actions specifically highlight failures to risk rate customers adequately and failures to detect and timely report suspicious activity to FinCEN. FinCEN has also criticized financial institutions that focused on growth rather than on adjusting their BSA/AML compliance plans to adequately address the implications of that growth. Additionally, FinCEN has scrutinized whether institutions had sufficient BSA/AML compliance training programs and independent and knowledgeable BSA compliance officers. Going forward, financial institutions should increase their sensitivity to risk assessments, customer due diligence, transaction monitoring, and other areas of compliance mentioned in these recent enforcement actions.
OFAC’s Sanctions Regulations
Financial institutions should also be mindful of compliance obligations with respect to economic sanctions regulations administered by the Office of Foreign Assets Control (OFAC). OFAC enforces economic and trade sanctions against countries and individuals deemed to be threats to the national security or foreign policy of the United States. The most basic compliance requirement for financial institutions is to cross-reference new and existing customers against OFAC’s Sanctions and Specially Designated Nationals (SDN) lists, which are continuously updated with new names, institutions, and countries. Unfortunately, some financial institutions have failed to satisfy this requirement, and have paid a heavy toll. In order to avoid potential violations and related civil liability, we suggest making OFAC compliance a consistent focus of financial institutions’ compliance programs.
New State-level Regulations
Finally, in addition to heightened efforts at the federal level, financial institutions are also facing new state regulations. For example, New York’s new anti-terrorism and money laundering rules became effective January 1, 2017. These rules require New York-licensed financial institutions to maintain reasonably designed transaction monitoring and watch list filtering programs. Each financial institution must submit a compliance finding on these programs to the Superintendent of New York’s Department of Financial Services every year, with a first annual deadline of April 15, 2018. Based on the New York rules, we expect that financial institutions may see an added layer of BSA/AML considerations as other states may explore similar initiatives.