The District’s Increasing BSA/AML Risk Environment
Safety and Soundness Update - March 2016
Published March 14, 2016 | March 2016 issue
The District’s Bank Secrecy Act and Anti-Money Laundering (BSA/AML) risks are increasing, which requires banks to properly mitigate these risks in order to comply with BSA/AML regulations. All community banks face some degree of inherent BSA/AML risk, which falls into three main categories: (1) products and services, (2) customers and entities, and (3) geographic location. Effective BSA/AML compliance programs incorporate appropriate controls to mitigate these risks through comprehensive analyses of these categories. The results are then detailed within the BSA/AML risk assessment in order to arrive at an accurate BSA/AML risk profile. A BSA/AML risk profile that is reflective of the bank’s BSA/AML risks and controls allows management to identify and mitigate control gaps and apply appropriate risk management processes to comply with regulatory requirements.
Banks in the Ninth District are exposed to specific risk factors, including the state legalization of marijuana in conflict with federal law1 and the potential development of marijuana businesses on tribal lands. We have also identified BSA/AML compliance programs that have not kept pace with evolving BSA/AML risks. This article helps bankers understand and address these risks.
The money laundering risk posed by certain states’ legalization of marijuana has increased in the District. Currently, three District states have legalized some marijuana-related activity. More states could also take this step given national trends. The legalization of marijuana at the state level presents particular BSA/AML risks. The cash-intensive nature of the business increases the opportunity for fraud and criminal activity, and the conflict between state and federal law creates legal ambiguity.2
If a bank decides to provide services to marijuana-related businesses, bank management must also stay alert to changes in state and federal marijuana laws. For example, in December 2014, the Department of Justice issued a memorandum3 allowing tribal nations to grow and sell marijuana. Press reports suggested potential interest in the Ninth District for the development of tribal marijuana businesses. Since tribal marijuana is so new to the banking industry, and specific guidance limited, bank management might consider the BSA/AML risks and challenges presented by providing services to tribal marijuana businesses before customers ask for such services. If banks decide to provide banking services to tribal marijuana businesses, they would be required to conduct comprehensive risk analyses, adjust their risk profiles, and implement appropriate policies, procedures and controls in order to address the specific risks posed by tribal marijuana businesses. Furthermore, bank management that decides to provide such services should comply with the Financial Crimes Enforcement Network’s guidance4 regarding marijuana-related businesses.
BSA/AML Compliance Program Risk
Not all bank BSA/AML programs kept pace with the greater risks that certain activities pose to violating BSA/AML rules. Examination findings have identified programs that have remained unchanged, in spite of the banks’ growth, expansion and shifting risk profiles. The result is stagnant programs that fail to comply with the required elements5 of an effective BSA/AML compliance program. Banks can avoid the potential fallout from BSA/AML compliance program failures that may result. The bank’s board and senior management must begin by emphasizing the significance of BSA/AML compliance. The appointment of a knowledgeable BSA officer who possesses sufficient authority and resources to provide effective program oversight is a critical step in creating the appropriate compliance culture. Ongoing training also reinforces the importance of BSA/AML compliance. We have seen cases where banks do not adequately fund their BSA/AML programs. This management decision can lead to an ineffective program and exam findings.
Risk assessments should be reviewed on an ongoing basis, by comparing the assessment with the bank’s current products, service offerings and customer mix to ensure that the risk assessment is comprehensive and to identify areas that currently pose risks to the institution. Integral to this process is a strong customer due diligence program in which customer information is collected on an ongoing basis to maintain current information on activity and associated risks.
While core BSA/AML program elements have remained the same, banking products and services have become more complex and electronic in nature, making an accurate risk assessment more challenging and crucial. Effective BSA/AML compliance programs supported by the banks’ board of directors, senior management and knowledgeable BSA officers, as well as ongoing training and risk assessments, will assist banks in complying with regulatory requirements.
1 Controlled Substances Act, 21 U.S.C. § 801, et seq.
2 For a more expansive discussion of banking marijuana-related businesses, reference “BSA Expectations for Marijuana-Related Businesses,” Banking in the Ninth, June 2015, available at minneapolisfed.org/publications/banking-in-the-ninth/bsa-expectations-for-marijuana-related-businesses.
3 Memorandum from Monty Wilkinson, Director, Policy Statement Regarding Marijuana Issues in Indian County (Oct. 28, 2014).
5 BSA/AML programs must include the following minimum requirements (also known as the four pillars): (1) a system of internal controls, (2) independent testing of BSA/AML compliance, (3) designation of an individual or individuals responsible for managing BSA compliance (BSA compliance officer), and (4) training for appropriate personnel.