Agenda Item of the Month: Compliance Program

The objective of AABD's Agenda of the Month is to expand the discussion of the Board of Directors beyond the routine monthly subject matter.

For this month, AABD suggests that the Board consider adding a general discussion of the bank's compliance program concerning laws and regulations to combat money laundering and terrorism. As part of this discussion the Board should make sure that it has been informed of and approved, on an annual basis, a written Anti-Money Laundering/Bank Secrecy Act Compliance Program.

It is a year since October 26, 2001, when the President signed into law the USA Patriot Act of 2001(Act). That Act has given the federal government and the law enforcement community significant new powers to address the terrorism threat through enhanced domestic security measures, expanded surveillance powers, increased information sharing and, most importantly for the financial services community, broadened anti-money laundering requirements. The Act and the numerous regulations promulgated pursuant to it, has imposed upon the financial services industry many new and varied responsibilities.

While much needs to be done, the principal responsibility for the Board of Directors continues to be to ensure that the bank has an effective and current Anti-Money Laundering/Bank Secrecy Act Compliance Program. This has been a requirement for banks for years and under the Act it is now required by many businesses identified as "financial services." Because of the Act, the importance of the Compliance Program becomes more apparent. All financial service providers will be responsible for having one and the regulators will be focusing on a bank's program during every compliance review and examination.

The Board of Directors must review and approve on an annual basis a written Compliance Program for Anti-Money Laundering/Bank Secrecy Act protections. Each bank, based on its size and complexity of its operations, must establish its own program. The program requires each bank to take, at a minimum, the following steps:

1. Designate a compliance officer with appropriate responsibilities and authority to implement an Anti-Money Laundering/Bank Secrecy Act program. The person designated should be empowered with a commitment and support from senior management and the board of directors.

2. Establish a training program for all areas of the institution that might be subject to Bank Secrecy Act problems or money laundering vulnerability. The program should not only discuss the requirements of record keeping and reporting for cash and monetary instruments but also the appropriate procedures and practices that employees must follow both in opening and maintaining customer accounts. Recent trends and suspicious activities of which employees should be aware should also be discussed. Employees must be trained on how to detect, and what to do if they do detect, an unusual or suspicious activity.

3. Establish a testing/audit function that periodically reviews and actually tests activities in specific accounts. This system should clearly be risk focused. Financial institutions must have an adequate system to evaluate normal and abnormal activities in customer accounts and those accounts with higher risks should have increased focus.

4. Establish and maintain a Customer Identification Program (CIP) that is in writing and is approved by the board of directors. One of the major provisions of the Act directed Treasury to promulgate a regulation that requires all financial institutions to establish a CIP to: (i) verify the identity of its customers, (ii) maintain records of the review and (iii) check the names against suspected terrorist lists. Treasury has issued a rule that was to be effective as of October 25, 2002. The proposed rule requires that the CIP be part of the bank's Anti-Money Laundering/Bank Secrecy Act Compliance Program. Treasury has now delayed issuing the final rule and has indicated that once the rule becomes final, institutions will be given a period of time to comply with the requirement. It is believed that the rule will be promulgated sometime in November and institutions will have to have a final CIP program within the following 6-9 months.

5. The development of overall policies and procedures as to how the institution should function to protect itself from being used to (a) launder money (b) deal with cash and monetary instruments (c) address terrorism risks. Directors should insist that the bank conduct a threat assessment as to the areas of the bank that might be vulnerable to money laundering or terrorism and then provide policies and procedures for those areas. Two major areas that should be focused on in the policies and procedures are the bank's overall practices in Knowing Its Customers and a Suspicious Activity Reporting System (SAR). In addition to the verification provisions of the CIP (paragraph 4), to effectively protect an institution from being abused by money launders, there should be a systematic process for truly identifying customers as to their sources and usages of the bank accounts. This may include reviews and testing of various accounts depending on the nature of their risks. Policies and procedures should also address the establishment of an effective system for identifying and reporting suspicious transactions. In this regard it should be clear that the final decision as to whether a report should be filed with the government should not be made by the on-line person but through a consistent review process. The responsibility of line personnel is to alert senior management and the compliance officer to concerns so that the decision as to whether some action should be taken or a report should be filed will be made at the appropriate level.

Policies and procedures should be established to enable the institution to address the threat of terrorism. Although not required by statute, it would seem prudent for each institution to designate at least one person to be a "point of contact" to be responsible for terrorism issues. That person should be aware of the requirements of the Office of Foreign Asset Control (OFAC) and ensure that the bank has procedures in place to comply with the OFAC requirements.

Directors must insist that management present to them the bank's Anti-Money Laundering/Bank Secrecy Act Program, including the Customer Identification Program. The directors should review and approve the final written programs and the designation of the Compliance Officer, on an annual basis.

Banks have for years been required by regulation to adopt such programs and are subject to a statutorily mandated cease and desist order if they either do not have a program or do not correct it after being directed to do so by the regulator. In light of this, directors should insist on reviewing any examination report or review that raises questions or is critical of a banks program. Concerns must be addressed immediately.

It is clear that all directors need to be proactive to protect their institutions from being used wittingly or unwittingly to launder money or be conduits for terrorism. Over the past several years, we have seen numerous reports of situations where an institution's failure to do an adequate evaluation of its customer, at the outset, and during the life of an account, has led to situations where-at a minimum-the reputation of the institution was tarnished.

Compliance programs help to protect institutions and their officials from violating anti-money laundering laws. Likewise, because prosecution and regulation is in some sense a judgment business, the presence or absence of a compliance program can be a determining factor on whether an action is commenced. In a case of misconduct (October 23, 2001), the Securities and Exchange Commission chose to issue a report on its enforcement philosophy rather than to commence an enforcement action against a company. In its report, the SEC pointed out that one of the major factors it would take into consideration in its prosecutorial decision was whether a company had done self-policing prior to the misconduct, which included the establishing of effective compliance procedures with an "appropriate tone at the top."

Another incentive for having compliance program in place is the Organizational Sentencing Guidelines for Federal criminal offenses. The Guidelines include, as a significant mitigating factor in an organization's "culpability score," a company having an effective program in place, prior to the offense occurring, to prevent and detect violations of law. The sentencing guidelines focus on assuring that corporations have written compliance policies and procedures that are communicated to all employees and the organization demonstrates a commitment to compliance from the highest levels.

In light of the significant responsibilities and potential liabilities that financial institutions and their officials face, it is imperative that management and directors ensure that their institution has an adequate Anti-Money Laundering/Bank Secrecy Act Compliance Program.

Robert B. Serino, Special Advisor-Money Laundering and Bank Supervision to AABD and Senior Advisor for Financial Services for the Management Consulting /Litigation Support firm of Watkins Consulting, Inc., prepared this material and is available if members have questions. He can be reached at 301-943-5775 or rserino@watkinsconsulting.com (www.watkinsconsulting.com)