The Board of Governors of the Federal Reserve System (Federal Reserve), the Federal Deposit Insurance Corporation (FDIC), the National Credit Union Administration (NCUA), and the Office of the Comptroller of the Currency (OCC) (the "Agencies"), have issued a joint statement on the circumstances in which an Agency will issue a mandatory cease and desist order to address noncompliance with certain Bank Secrecy Act/anti-money laundering (BSA/AML) requirements. The statement focuses particularly on compliance provisions of the Federal Deposit Insurance Act (FDIA) and Federal Credit Union Act (FCUA).

Under the FDIA and FCUA, the Agencies are directed to implement rules regarding and examine institutions' compliance with BSA/AML requirements, which includes having a program which (1) is reasonably designed to assure and monitor the institution’s compliance with the requirements of the BSA and its implementing regulations and (2) have, at a minimum, the following components or pillars: 

  • A system of internal controls to ensure ongoing compliance with the BSA
  • Independent testing for BSA/AML compliance
  • A designated individual or individuals responsible for coordinating and monitoring BSA/AML compliance
  • Training for appropriate personnel
  • A Customer Identification Program with risk-based procedures that enable the institution to form a reasonable belief that it knows the true identity of its customers

The institution must also have risk-based procedures for ongoing customer monitoring.

The Agencies will issue a cease and desist order for the following failures:

  1. Failure to establish and maintain a reasonably designed BSA/AML Compliance program, taking into account risks posed by the business and changes to operations.

For example, if an institution rapidly expands its business relationships through its foreign affiliates and businesses without identifying and implementing controls to mitigate new risks. Certain deficiencies would not be sufficient to render a program ineffective on their own, such as training deficiencies, unless such training deficiencies were so severe that the BSA/AML program as a whole was ineffective.

2.  Failure to correct a previously reported problem with the BSA/AML Compliance program.

However, an Agency will not typically issue a cease and desist order for failure to correct a BSA/AML compliance program problem unless the problems subsequently found by the Agency are substantially the same as those previously reported to the institution. For problems which require a significant amount of time to remediate, the Agencies may not issue an order if the institution has made significant progress since the previous finding.

The Agencies may also take other formal or informal actions for failures such as a violation of SAR regulations, record keeping or other reporting requirements.

This Statement is an example of regulatory bodies' increasing focus on the design and effectiveness of controls to mitigate actual risks within an institution's business, and the expectation that institutions will continuously test, update and improve their controls.

See our post here to see how the R&G insights lab can help your firm.