Several financial services regulators have recently released guidance that provides transparency to financial institutions regarding the agencies' enforcement of the Bank Secrecy Act (BSA), including examples of Bank Secrecy Act/Anti-Money Laundering (BSA/AML) compliance program deficiencies that may warrant enforcement action. This guidance represents a response to calls by the banking industry for relief from BSA/AML regulatory burdens, and it brings welcomed clarity about what agencies consider when determining whether to take enforcement actions against banks and other financial institutions for perceived BSA/AML violations. The guidance and its key points are detailed below. Ultimately, these latest pronouncements by the federal banking agencies and the Financial Crimes Enforcement Network (FinCEN) confirm that regulators remain vigilant against BSA/AML violations.

Joint Statement on Enforcement of BSA/AML Requirements

On August 13, 2020, four federal banking agencies—the Board of Governors of the Federal Reserve System, the Federal Deposit Insurance Corporation, the National Credit Union Administration, and the Office of the Comptroller of the Currency—issued a Joint Statement on Enforcement of Bank Secrecy Act / Anti-Money Laundering Requirements. The Joint Statement describes the circumstances under which each of these banking agencies is required to issue a mandatory cease-and-desist order to address a financial institution's violation of BSA/AML compliance program requirements, pursuant to the BSA/AML compliance provisions in section 8(s) of the Federal Deposit Insurance Act and section 206(q) of the Federal Credit Union Act (Sections 8(s) and 206(q)). The Joint Statement also describes the circumstances that would warrant other enforcement or supervisory actions.

As required by Sections 8(s) and 206(q), each of the banking agencies has issued regulations requiring each insured or supervised depository institution to establish and maintain an effective BSA/AML compliance program. Under each agency's regulations, a BSA/AML compliance program must (1) be reasonably designed to assure and monitor the institution's compliance with the requirements of the BSA and its implementing regulations and (2) have the following minimum "components" or "pillars": (a) a system of internal controls to assure ongoing compliance with the BSA; (b) independent testing for BSA/AML compliance; (c) a designated individual or individuals responsible for coordinating and monitoring BSA/AML compliance; and (d) training for appropriate personnel. Sections 8(s) and 206(q) require that each agency examine their supervised financial institutions' BSA/AML compliance programs and that reports of examination describe any problem with the BSA/AML compliance programs.

As explained in the Joint Statement, Sections 8(s) and 206(q) require a banking agency to issue a mandatory cease-and-desist order against a financial institution for noncompliance with BSA/AML compliance program requirements in the following situations:

  1. Failure to establish and maintain a reasonably designed BSA/AML compliance program. A banking agency must issue a cease-and-desist order if the institution fails to issue or implement a written BSA/AML compliance program that adequately covers the program components or pillars required under agency regulations. A cease-and-desist order is also mandatory if the institution has severe or significant defects in one or more of the components or pillars of its BSA/AML compliance program that cause the written BSA/AML compliance program or its implementation to be deemed ineffective (e.g., where the deficiencies are coupled with highly suspicious activity or other aggravating factors).
  2. Failure to correct any problem with the BSA/AML compliance program previously reported to the institution by the appropriate Agency. A banking agency must issue a cease-and-desist order if the institution fails to correct a previously reported problem with its BSA/AML compliance program identified during the supervisory process. Typically, a mandatory cease-and-desist order will be necessitated only for the recurrence of substantive deficiencies in one or more of the required components or pillars of the institution's BSA/AML compliance program or implementation thereof. Further, such deficiencies must have been reported to the institution's board of directors or senior management in a report of examination or other supervisory communication as a violation of law or regulation or as a matter that must be corrected.

The Joint Statement also clarifies that a banking agency may exercise discretion to take formal or informal enforcement actions or other supervisory actions against an institution for other violations of BSA/AML requirements that do not trigger a mandatory cease and desist order under Sections 8(s) and 206(q).

  • BSA/AML compliance program concerns or deficiencies that are not covered by Sections 8(s) and 206(q). A banking agency may pursue formal or informal enforcement actions against an institution to address individual component or pillar violations or BSA-related unsafe or unsound practices that may impact individual components or pillars.
  • Other violations of BSA/AML requirements under regulations of the agencies and the Treasury Department. A banking agency may cite a violation of the suspicious activity reporting regulations and take formal or informal enforcement actions if the institution's failure to file a suspicious activity report (i) reflects a systemic breakdown in its policies or procedures to identify suspicious activity, (ii) involves a pattern or practice of noncompliance with the filing requirement, or (iii) represents a significant or egregious situation. A banking agency may also take formal or informal enforcement actions to address an institution's violation of other BSA reporting and recordkeeping requirements set forth in Treasury Department regulations, such as requirements applicable to cash and monetary instrument transactions and funds transfers, CTR filing and exemption rules, due diligence, certification, and other requirements applicable to customer accounts and foreign correspondent and private banking accounts.

Finally, the Joint Statement clarifies that isolated or technical violations or deficiencies are generally not considered the kinds of problems that would result in an enforcement action.

FinCEN Statement on Enforcement of the BSA

In addition, the Financial Crimes Enforcement Network (FinCEN) issued its own Statement on Enforcement of the Bank Secrecy Act on August 18, 2020, which provides insight into how FinCEN evaluates the appropriate enforcement actions to take in response to violations of the BSA, in line with similar guidance previously issued by the federal banking agencies. FinCEN is the primary regulator and administrator of the BSA and has enforcement authority over all financial institutions under the BSA, including banks, credit unions, broker-dealers in securities, money services businesses, and casinos and card clubs. The FinCEN Statement explains that FinCEN may take the following enforcement actions when it identifies an actual or possible violation of the BSA or any regulation or order thereunder: (1) no action, (2) warning letter, (3) equitable remedies, (4) settlements (which may impose remedial undertakings and/or civil money penalties), (5) civil money penalties, and (6) criminal referral. In the FinCEN Statement, FinCEN also disclosed for the first time the factors that it evaluates when determining the appropriate enforcement response to BSA violations, which include:

  1. "Nature and seriousness of the violations";
  2. "Impact . . . of the violations on FinCEN's mission to safeguard the financial system from illicit use, combat money laundering, and promote national security";
  3. "Pervasiveness of wrongdoing within an entity, including management's complicity in, condoning or enabling of, or knowledge of the conduct underlying the violations";
  4. "History of similar violations, or misconduct in general";
  5. "Financial gain or other benefit resulting from, or attributable to, the violations";
  6. "Presence or absence of prompt, effective action to terminate the violations upon discovery";
  7. "Timely and voluntary disclosure of the violations to FinCEN";
  8. "Quality and extent of cooperation with FinCEN and other relevant agencies";
  9. "Systemic nature of violations"; and
  10. "Whether another agency took enforcement action for related activity."

Joint Statement on BSA Due Diligence Requirements for PEPs

Most recently, on August 21, 2020, the four banking agencies and FinCEN issued a Joint Statement on Bank Secrecy Act Due Diligence Requirements for Customers Who May Be Considered Politically Exposed Persons (PEP Statement) to clarify a financial institution's customer due diligence (CDD) requirements under the BSA and FinCEN's CDD Rule with respect to a customer who is considered to be a Politically Exposed Person (PEP). The term PEP refers to a foreign individual who has been entrusted with a prominent public function, as well as their immediate family members and close associates. By virtue of the PEP's public position or relationship, there may be a greater risk that the PEP's funds are the proceeds of corruption or other illicit activity.

Pursuant to CDD requirements, financial institutions are obligated to adopt appropriate risk-based procedures that, among other things, enable financial institutions to (i) develop customer risk profiles by identifying and verifying the beneficial owners of legal entity customers and (ii) conduct ongoing monitoring to identify and report suspicious transactions. The PEP Statement explains that there is no requirement for financial institutions to implement unique, additional due diligence steps for PEPs or to determine whether a customer should be considered to be a PEP. Rather, a financial institution's CDD procedures should be commensurate with the risks posed by the PEP's public position or relationship.

The PEP Statement states that, consistent with a risk-based approach, when a financial institution develops the PEP's customer risk profile and determines what additional customer information to collect, the financial institution may take into account a variety of factors, such as:

  • the public position of the PEP (or of the PEP's family member or associate);
  • any indication that the PEP may misuse his or her authority or influence for personal gain;
  • the type of products and services used by the PEP;
  • the volume and nature of the PEP's transactions;
  • geographies associated with the PEP's activity and domicile;
  • the PEP's official government responsibilities;
  • the level and nature of the PEP's authority or influence over government activities or officials;
  • the PEP's access to significant government assets or funds; and
  • the overall nature of the customer relationship.

Importantly, the PEP Statement cautions that the customer information and customer risk profile may impact how the financial institution complies with other regulatory requirements, since a financial institution must structure its BSA/AML compliance program based on the financial institution's assessment of risks.

Considerations for the Industry

In addition to providing transparency, each of the above statements reflects that federal agencies continue to take an active approach in the supervision and enforcement of BSA/AML compliance. To limit their exposure to the steep costs of government investigations or enforcement penalties, financial institutions should ensure that they develop and maintain robust compliance programs.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.