At the ACAMS Hollywood conference, a panel of financial compliance experts discussed the government's pending rule-making on anti-money laundering procedures.
HOLLYWOOD, Fla. — As financial institutions await impending regulations on how to best implement the national anti-money laundering (AML) priorities that the U.S. Treasury Department outlined in late June, compliance professionals are weighing their firms’ exposure to the specified areas of government focus, checking controls, and adjusting risk assessments, bankers said during an AML conference on Monday.
“I really believe that if we do this right, this can have by far the biggest impact on AML since the (USA) PATRIOT Act, but more importantly, have a true impact on crime and really make the world a safer place,” said Craig Timm, managing director of financial crimes & emerging risk at Bank of America. Timm moderated the bankers panel at the Association of Certified Anti-Money Laundering Specialists (ACAMS) annual conference. “It’s so important,” he added. “We’re at a cusp right now where this is a really big deal.”
The AML Act of 2020 required Treasury’s Financial Crimes Enforcement Network (FinCEN) to issue National AML/CFT Priorities as part of a legislative effort to clarify on what areas financial institutions should focus their efforts to police transactions for illicit activity more effectively.
The priorities, publicly announced on June 30, included corruption, cyber-crime, domestic and international terrorist financing, fraud, transnational criminal organizations, drug trafficking organizations, human trafficking and human smuggling, and proliferation financing. FinCEN said at the time that it would propose regulations to bring the priorities into force “in the coming months.” The technical deadline for the regulations was the end of 2021, but the new rules have yet to be issued. Many experts believe a proposed rule will be issued in the coming weeks along with a requirement that firms’ AML programs be “effective and reasonably designed.”
Financial institutions were “glad to see” the FinCEN priorities announced in June because it provided clarity regarding the criminal activity on which Treasury wants the private sector to focus, said panelist Lisa Grigg, chief of enterprise financial crimes compliance at US Bank.
Looking for vulnerabilities and checking controls
Most institutions reacted by looking at their portfolios and the suspicious activity reports (SARs) they have filed related to the criminal activities enumerated, Grigg said. “At my institution, how vulnerable am I to certain types of activities that we’re seeing with the priorities?” she asked. “That can be influenced by a lot of different factors — locations, customers that you serve, whether you have a correspondent bank — all those types of things can influence certainly where you might see yourself as vulnerable to these activities.”
Grigg advised that the next step is assessing whether appropriate controls are in place, such as whether it is clear how your institution will look for the ‘red flags’ signaling specific crimes. “Most institutions are just looking at their vulnerability and assessing ‘What’s my risk?’ and ‘What controls do I maybe already have in place?’ And ‘How am I dealing with these types of priorities?'” she said, adding that none of the priorities named by FinCEN “are foreign to our industry.”
Measuring exposure to prioritized crimes
Another panelist, Andrea Sharrin, a former FinCEN official who now serves as head of financial crimes for the Americas and global investment banking at Barclays, suggested that institutions should be weighing the question, “What is my specific exposure to these priorities?”
“There’s going to be an anticipation that not every institution is going to have the same level of exposure to each one of these priority areas,” Sharrin explained, noting that some institutions are choosing an area of exposure — such as their SARs filings — and doing a “deep dive into that.”
“That’s where you can really make a difference,” she added.
Sharrin said that another interesting aspect of FinCEN’s implementing regulations those items that aren’t on the list of FinCEN priorities and how businesses incorporate that into their risk assessment. “I would imagine regulators are going to expect that you still cover those risks, that you still identify them, you still look at them, you still make sure that your program still reasonably mitigates those risks.”
Adjusting risk assessments
Timm agreed that institutions should be considering how to adjust their risk assessments. “We’ve started to revamp our risk assessment process,” he said. “We don’t know what the regulations are going to say, but it’s almost certain that, at least from my view, that we’re going to have to be able to demonstrate that we understand the risk and the priority areas.” That includes knowing how those risks impact your institution, and how you can demonstrate that you’re doing a good job in risk management.
When his team identifies a risk, Timm said they ask themselves if we’re taking the appropriate actions, such as changing the risk rating, exiting the client, or other similar actions. “We look at each of the priorities through those lenses and we think that if we can demonstrate we’re doing those three, then that’s an effective program and that’s where the government wants to go.”
Priorities a potential ‘game-changer’
Panelist Dan Stipano, a partner with Davis Polk, who spent more than 30 years at the Office of the Comptroller of the Currency in senior legal and enforcement roles, noted that these priorities “were intended — and have the potential — to be a game-changer in terms of how AML compliance is done, and maybe more importantly, how it’s measured by regulators, by examiners.”
“But whether it achieves that all depends on the implementation and I, personally, am kind of skeptical that it’s going to play out that way,” Stipano said.
Indeed, the fact the AML Act of 2020 required that FinCEN issue a list of priorities “really resulted from longstanding complaints by the financial services industry — particularly large banks and perhaps other large institutions — that they do all this good stuff for law enforcement… but they don’t get any credit for that,'” Stipano explained. “When you get examined, the emphasis is much more on check-the-box compliance with the technical regulations that apply to your institution.” Unfortunately, that means you could be an institution that does a great deal to help law enforcement and put the bad guys in prison and still end up with a cease-and-desist order or some other enforcement action, he added.
Stipano said he thinks this is a legislative response to how firms follow the rules. “The government is now being forced to tell financial institutions what [it thinks] is important — these eight priorities — and if you successfully incorporate them into your program, then in a perfect world, you should get good marks from your examiners when you’re examined,” he said, adding again however, that he is “skeptical that it will play out that way.”