Bank Services – A Seismic Shift in BSA?
The guidance that was issued by the FDIC in January of 2015 (FIL5-2015) has the potential to create a significant shift in the world of BSA/AML compliance. The guidance has an innocuous title “providing banking services” and is very brief. In it, the FDIC notes that the business of banking and providing banking services has attendant risks and that some level of risk is not only acceptable, but necessary. The guidance goes even further when it points out that it is not possible to identify each and every illicit transaction. Even more interesting, the guidance notes that in cases where there is one case where a customer may have engaged in illicit activity, if the BSA/AML program is otherwise sound, there should be no problem. Finally, the guidance encourages banks to look at customers as individuals rather than taking the stand that all customers in a certain industry (read MSB’s!) are not worthy of offering banking services. We believe that this guidance has the potential to yield a seismic shift in the relationship between banks and their BSA regulators!
We often come into contact with banks that are facing something of a conundrum when it comes to their BSA/AML program. To wit, although the program is robust and includes monitoring software, there are certain customers that the regulators don’t like. Customers such as MSB’s and third party processors often get extra and most often negative attention from the regulators. In many cases, our banks have experienced the pain of being told that a particular customer should be considered for Suspicious Activity Reports (SAR) and possibly closed. The thing is, that in many of these same cases, the Bank has performed enhanced due diligence on the customer and is comfortable with the activity that they are seeing. In some cases, in response to the harsh reviews by regulators, banks have made the decision to refrain from offering a banking relationship to certain customers or entire industries. “We would love to have these customers” goes the familiar refrain, “but it is simply too much trouble! The regulators will make us close these accounts”. The truth is that these fears have been justified through experience. There have been numerous cases where a customer of a bank has been completely vetted by the bank’s BSA staff. A decision has been made to assign the customer a certain risk rating and to continue to monitor the account. Despite this status, a team of examiners have come in to the bank and made the determination that the bank should not offer accounts to the customer, or at a minimum, that the customer should have SARs filed on the activity.
One quick example is illustrative; one bank had a customer that provided hardware to hydroponic farmers. Because the term “hydroponics” is often associated with the growth and distribution of marijuana, the terms raises red flags. Taking the reputation of hydroponics into account, the bank conducted extensive due diligence on the company including frequent onsite visits and monitoring of transactions. The bank had become comfortable that the company simply sold the hardware necessary to grow crops and had no connection with illicit or illegal activity. Regulators reviewed the file, performed an internet search and found some comments from an ex-employee of the company. The gist of the comments were that the ex-employee knew how to set up a hydroponic marijuana farm. The comments did not indicate that the company that he used to work for performed any such activity. Due to the tenuous connection between the ex-employee and illegal hydroponic activity examiners demanded that a SAR should be filed on the customer and that the account should be considered for closing. The bank objected bitterly, but in the end acquiesced to the demands of the regulators. We believe that this is the very situation that is contemplated by the guidance. The Bank in this case had a very robust AML/BSA program and had performed significant due diligence on the client. The services that were being offered to the client help to facilitate the growth of an important industry within the assessment area of the bank.
We believe that there are at least two sources of support for this change. First, the FFIEC examination manual says in part…
“The decision to file a SAR is an inherently subjective judgment. Examiners should focus on whether the bank has an effective SAR decision-making process, not individual SAR decisions. Examiners may review individual SAR decisions as a means to test the effectiveness of the SAR monitoring, reporting, and decision-making process. In those instances where the bank has an established SAR decision-making process, has followed existing policies, procedures, and processes, and has determined not to file a SAR, the bank should not be criticized for the failure to file a SAR unless the failure is significant or accompanied by evidence of bad faith.”
In other words, a well-documented and well-reasoned conclusion should stand the challenge of an examiner (as long as it is also correct!). This has been the case for some time, but has not been the custom. Instead, the mere mention of suspicion has evoked the law of unintended consequences. The law of unintended consequences is defined as:
“The law of unintended consequences is the outgrowth of many theories, but was probably best defined by sociologist Robert K. Merton in 1936. Merton wrote …a treatise which covers five different ways that actions, particularly those taken on a large scale as by governments, may have unexpected consequences. These “reactions,” may be positive, negative or merely neutral, but they veer off from the intent of the initial action.”
In the case of BSA, the desire to monitor and mitigate risk had the unintended consequence of shutting out entire industries that often are critical to unbanked or underbanked communities. MSB’s such as combination grocery stores and check cashers often serve as the bank and remittance service for migrant workers and expatriates of other countries. When the local bank makes a decision to stop proving services to these entities, the customers of the MSB are forced into transactions with entities such as payday lenders and check cashing outfits.Finally, the regulators reported that they received numerous complains both anecdotally and through hearings that help them realize the unintended consequences of the status quo.
To the credit of the regulatory staff, a decision was made to clarify the direction of the FDIC and to change the current practices.
Free as a Bird?
So does this guidance mean that your bank gets one free “get out of jail card” when it has a risky customer that isn’t being properly identified and monitored? Absolutely not! Reading the guidance together with the FFIEC manual it is clear that each bank must still establish a robust compliance program in the BSA/AML area. The program should have all of the pillars of any compliance program including:
- Policies and procedures
- Management reporting and information
- Independent audit
- The guidance is actually a reward for hard work
Steps for defending a BSA decision
- Chief among the programs that a community bank must establish are the KYC and risk rating portions.
- The Bank must be able to gather sufficient information about the customer to evaluate the risks associated with the relationship.
- Once the risks are fully documented and established, the bank must establish a comprehensive plan for monitoring the customer and making decisions about the proper response to transactions observed.
- In the event that the customer has a transaction that is out of the ordinary for example, is there a procedure to talk with the customer and obtain an explanation. In the event that the explanation is incomplete or unreasonable, what are the steps that the bank will take?
- The BSA/AML risk assessment must be comprehensive and updated regularly.
- The monitoring software used should be subject to regular data validation and annual model validation
Complete written documentation of the conclusions made about potential suspicious transactions should be maintained
- When in doubt error on the side of caution! Use available resources for help when transactions are outside of your wheel house!
- The guidance is telling you that there is a reward for all of your hard work when you put together a sound BSA program. There is no need to make sweeping decisions not to offer relationships to complete industries. Just business that are behaving badly!
James DeFrantz is a Partner in Atlanta-based financial services industry consulting firm Bank Solutions Group. [email protected]