Federal Banking Agencies Encourage BSA Resource Sharing
Five U.S. regulatory agencies—the Board of Governors of the Federal Reserve System (“FRB”), the Federal Deposit Insurance Corporation (“FDIC”), the National Credit Union Administration (“NCUA”), the Office of the Comptroller of the Currency (“OCC”), and the U.S. Department of Treasury’s Financial Crimes Enforcement Network (“FinCEN”)—released on October 3, 2018 an Interagency Statement on Sharing Bank Secrecy Act Resources (the “Statement”). This guidance addresses instances in which certain banks and credit unions can enter into “collaborative arrangements” to share resources to manage their Bank Secrecy Act (“BSA”) and anti-money laundering (“AML”) obligations more efficiently and more effectively.
The Statement contemplates banks sharing resources such as internal controls, independent testing, and AML/BSA training (it does not apply to collaborative arrangements formed for information sharing among financial institutions under Section 314(b) of the U.S. Patriot Act). Such resource sharing contemplates reducing costs and increasing efficiencies in the ways banks manage their BSA and AML obligations. The Statement clearly is addressed primarily to community banks, for which the costs of AML/BSA compliance can be significant, and which presumably engage in “less complex operations [and have] lower risk profiles for money laundering or terrorist financing.” The Statement potentially represents another step in an ongoing AML reform process, which increasingly acknowledges the costs of AML compliance to industry.
The term “collaborative arrangement” is defined under the Statement as two or more banks with the objective of participating in a common activity or pooling resources to achieve a common goal. Such resources include human and technological resources, and goals include reducing costs, increasing operational efficiencies, and leveraging specialized expertise. The Statement elaborates on three, non-exhaustive examples of appropriate resources to share.
First, the Statement suggests that banks can jointly conduct internal control functions, including the drafting and updating of BSA/AML policies and procedures, developing risk-based customer identification and account monitoring processes, and tailoring monitoring systems and related reports regarding the risks.
Second, the Statement suggests that banks can share independent compliance testing personnel: “[t]he shared resource may, for example, be utilized in the scoping, planning, and performance of the BSA/AML compliance program independent test with appropriate safeguards in place to ensure the confidentiality of sensitive business information.” Further, any shared resource must be qualified and not involved in other AML/BSA functions at the bank being reviewed.
Third, the Statement suggests that banks may share the cost of BSA/AML training personnel, particularly because it may be “challenging” and/or “cost prohibitive” in “some communities” to attract a qualified BSA/AML trainer.
The Statement suggests that the sharing of a BSA/AML officer is possible but could be problematic, given the confidential nature of SAR reporting and potential challenges posed to effective communication between the officer and each bank’s board of directors and senior management. The clear import of the Statement is that such arrangements should be struck only with great care.
The Statement also generally observes the risks involved in a collaborative arrangement, and suggests that such an arrangement is not appropriate for every bank. “Ultimately,” the Statement warns, “each bank is responsible for ensuring compliance with BSA requirements. Sharing resources in no way relieves a bank of this responsibility. Nothing in this [Statement] alters a bank’s existing legal and regulatory requirements.” In other words, each bank in a collaborative arrangement is equally responsible for managing the quality of services performed under the arrangement.
Not surprisingly, the Statement counsels that any arrangement – i.e., contract – with a third party should be documented; set forth precisely-defined scope, rights and responsibilities; have a framework for protecting customer data and other confidential information; and set forth a framework for managing the risks of shared resources. A bank also should provide periodic reports “as appropriate” to senior management and the board of directors regarding the functioning of the arrangement. Banks and credit unions that wish to enter into a collaborative agreement should refer to existing guidance regarding third-party relationships, such as the OCC’s 2015 publication An Opportunity for Community Banks: Working Collaboratively Together, and remain cognizant of their obligations to maintain confidential information and screen conflicts of interests implicated by a collaborative arrangement with a competitor.
It is unclear how this Statement to share resources will be received and implemented over time. It is relatively simple to declare in principle that AML resources may be shared, “as appropriate,” but effectively carrying out the details of such sharing may be difficult in practice. Presumably community banks and credit unions will welcome this opportunity to reduce their AML/BSA compliance costs, but obviously will have to be thoughtful in implementing such arrangements.