With New Handbook, US Regulators Expect Deeper AML Risk Assessments: Sources

By Daniel Bethencourt

Recent changes to the book that guides federal anti-money laundering exams add pressure on financial institutions to more thoroughly assess the quality of their compliance programs and quantify their exposure to financial crime, sources told ACAMS

On April 15, in the first of several planned updates, the Federal Financial Institutions Examination Council, or FFIEC, unveiled 43 pages of revisions to the handbook to further outline the principles that govern AML examinations.

The updated pages reflect a wide range of adjustments, but emphasize throughout that examiners will eschew judging an institution’s compliance program against a uniform checklist in favor of grading each individually, based on the types of clients they serve, their volume of transactions, business with high-risk jurisdictions, and other unique risk factors.

“It may be useful to quantify risk by assessing the number and dollar amount of domestic and international funds transfers, the nature of private banking customers … and the domestic and international geographic locations where the bank conducts or transacts business,” the FFIEC manual now states.

The addition of the word “quantify” and other tweaks indicate that examiners expect banks to include not only qualitative descriptions in their risk assessments, but hard metrics as well, said Frank Mayer, a former senior attorney for the Federal Deposit Insurance Corp., one of the five agencies that comprise the FFIEC.

“The risk measurement concept is not new,” Mayer, now an attorney with Stevens & Lee in Philadelphia, wrote in an email. “What’s new is this [view that] risk measurement flows from the enterprise’s uniqueness in customer base [and] geography.”

The manual includes a hypothetical comparison in which two banks sending the same amount of wire transfers overseas incur different risks because 90 percent of one lender’s volume consists of “recurring, well-documented transactions for long-term customers,” while 90 percent of the second’s originates from clients who do not hold accounts.

In other areas, the revised manual appears to soften the government’s approach towards AML examinations, including by noting that “there are no specific regulatory requirements” governing how financial institutions evaluate themselves nor any “required risk categories” when conducting and completing their self-assessments.

“The appropriate level and sophistication of the analysis varies by bank,” the revised manual states, slightly modifying language from the 2014 version that such analysis “may vary by bank.”

But the revised manual shows that risk assessments will play an even more important role than in the past, Dan Stipano, former deputy chief counsel for the OCC, said during an ACAMS virtual panel on financial crime trends last month.

“What they are basically saying is the type of exam that you get is going to build off that risk assessment and your audit,” said Stipano, now with the Buckley law firm in Washington, D.C. “It’s putting the risk assessment and audit in a very important place in terms of the type of exam you’re going to get.”

Since its initial publication in 2005, the manual has served as a form of guidance for compliance officers to grasp what the federal government expects of their AML programs.

The manual gained new significance in March 2018, when the 9th U.S. Circuit Court of Appeals ruled that the document held virtually the same power as a formal regulation.

Federal regulators appeared to downplay those concerns six months later, emphasizing in a 2-page statement that examiners “will not criticize a supervised financial institution for a ‘violation’ of supervisory guidance.”

Other revisions impart new standards for determining whether a chief compliance officer is qualified for his or her position, and separately instruct examiners to review any relevant “law enforcement letters acknowledging that a bank provided highly useful information” or requests to keep a high-risk account open during an investigation.

“Minor weaknesses, deficiencies, and technical violations alone are not indicative of an inadequate BSA [Bank Secrecy Act]/AML compliance program and should not be communicated as such,” regulators wrote in the manual.

The more recent emphasis on quantifiable data is noteworthy because many banks, particularly smaller ones, do not produce assessments detailed enough to gauge overall transaction volumes against the length of customer relationships, one of the manual’s apparent suggestions, said a New York-based compliance officer for an Asian lender.

But banks will closely scrutinize and seek to adopt the hypothetically sound examples of risk analysis in the manual to avoid becoming “the odd person out” during examinations, the compliance officer said on condition of anonymity.

“We get dinged on risk assessments [by our internal auditors] all the time,” the compliance officer said. “At this stage in the game they have to be quantifiable, but you’re also just as likely to get dinged if it doesn’t have qualitative information.”

Topics: Anti-money laundering, Counterterrorist Financing
Source: U.S.: Federal Financial Institutions Examination Council, U.S.: FDIC, U.S.: OCC, U.S.: Federal Reserve Board, U.S.: FinCEN
Document Date: May 1, 2020