Tuesday, May 28, 2013

Is Your BSA Program in Shape?  

Introduction

As summertime approaches, many Americans go through the process of checking their fitness to determine whether or not they are ready for “prime time” on the beach. For those who find themselves not quite ready, a fitness check and a plan for “getting in shape” is the best approach. We suggest to you that the same is true for your BSA/AML program. Is your BSA program in “fighting shape” for the year? Let’s do a quick review:

The BSA Risk Assessment

When was the last time that your compliance committee and the Board reviewed the risk assessment and approved it? If the last approval was more than 12 months ago, it is time to do some checking! It is not enough to simply assert that not much has changed, so the old policy can just be re-approved! There are some questions you should ask: were there any changes in the Bank’s policies, procedures, staff, products offered, or the demographics of the surrounding community? If the answer to any of these questions is yes, then changes to the BSA/AML assessment are required!

The OFAC Risk Assessment   

All of the same questions that should be asked for the BSA risk assessment should be asked for the OFAC risk assessment. In addition to these questions, you should check on the lists of countries on the OFAC list. Another area that has begun to catch the eye of regulators is the Bank’s policy on vendors. Does your Bank run an OFAC check on all new vendors? If not, your OFAC assessment is out of shape and needs a tune-up!

CIP/KYC

When was the last time that you reviewed the criteria that you use to risk rate accounts? Do you include the NAICS codes for businesses in your risk rating? Have you validated that the rating weights that you are using still have the right impact? Industry risk ratings change, and the Bank’s experience with clients can also impact the weight given to a particular type of transaction or account relationship. If the ratings have not changed in over a year, then it is time to review.

High Risk Accounts  

Have you considered the idea that the high risk account list should be dynamic? With the exception of MSBs, the customers who are on this list should be there due to some actual activity that the customer has conducted. This activity should be monitored for a time and a determination should be made whether or not this activity is normal for the customer. Once activity is determined to be normal, the customer should drop off the list.

SAR Filings

Is there a reason that SAR filings have either dipped or increased dramatically? For that matter, do you have information on why SAR filings tend to be the same? It could well be the case that some of the repeat SAR filings should be closed. Have you checked the criteria being used to investigate and file SARs? If not, now might be a good time for a quick SAR “workout”!

CTR Exemptions

Are you making sure that this list is all that it can be? Too often, we see Banks that file more CTRs than necessary. A review of frequent CTR filers might reveal several customers who are eligible for exemption.
 
Training

Is your training an afterthought? Too often, even though training is required under this regulation, it gets put aside until the very end of the year. Moreover, the effort expended on training tends to be minimal. In our experience, the more the staff gets trained, the more active they become in the overall BSA/AML compliance effort.


As we approach summer and get ready for the heat, it is a good idea to make sure your BSA program is in shape!   

Sunday, May 19, 2013


Getting Your Board Involved with Compliance 

 
Compliance?  Why Bother? 

One of the things that we hear from our compliance officers is that the Board “does not really care about compliance”. For so many small community Banks that consider themselves Business Banks, the idea of compliance is something along the lines of a sigh, an eye roll and an annoyance!

“We don’t do consumer loans, so there is no need to worry about these things!” or “if we have some consumer issues, we will hire somebody” are some of the common statements that we hear from the Board members of our clients.

And while it is easy to understand the sentiment, it is important to point out that even at Banks with minimal consumer activity, there are areas where compliance with consumer regulations is required. In particular, these include Regulation B (Equal Credit Opportunity Act), the Community Reinvestment Act, the Unfair, Deceptive and Abusive Practices Act (UDAAP) and Fair Lending regulations. We discussed the application of these regulations in our Blog entitled “Is Fair Lending an Issue at Business Banks?” Additionally, all banks must comply with the requirements of Bank Secrecy Act and Anti-Money Laundering regulations. The reach of these regulations goes deep into commercial lending and business transactions.

Compliance is Required no matter how big or small or the character of the Bank

In addition to the ongoing need to comply with the above regulations, business banks must be aware of the fact that one or two loans may trigger the need to comply with various other regulations such as the Home Mortgage Disclosure Act (HMDA), the Real Estate Settlement Procedures Act (RESPA), the SAFE Act and several others! Like it or not, the need to keep abreast of consumer regulation exists for all banks. Quite often it is the “accidental” consumer transaction or two that results in tremendous headaches for our clients.

For the compliance officer who is constantly trying to sound the alarm that a strong compliance management program is required regardless of the character of the Bank, one of the biggest obstacles can be the reluctance of senior management to take compliance seriously. This is where the Board comes in!

The Best Way to get Compliance to go away as a Problem is to have the Board Involved

For all banks, the Board of Directors is ultimately responsible for the success or failure of the operation. In that regard, it is the Board which sets the tone for the priorities at the institutions they oversee. Getting the members of the Board to actively participate in the administration of the compliance program will send a strong message to the staff at the Bank.

A Board that is well informed, asks questions and follows up on management reports will greatly enhance the overall compliance program and elevate compliance to its proper level.

The more that staff at the Bank realize that the Board takes compliance seriously, the more that compliance issues will become a thing of the past. Task number one, then, for the Compliance Officer is to get the buy-in of the Board of Directors.

The Board Should Receive Annual Compliance Training

The Bank Secrecy Act is one of the few regulations that specifically requires Boards to receive annual training. As a result, BSA training is generally the only class that we see Board members taking on a regular basis. In our opinion, this is a grave mistake! Board members should take regular and comprehensive classes on all areas of importance to the Bank, including compliance. We recommend that the Compliance Officer should be a pest when it comes to this training and continue to insist that the Board receive training on, at a minimum, the “big four” (Regulation B, CRA, Fair Lending and UDAAP). The more the Board understands the requirements of these regulations, the more they will insist on being informed of the compliance effort at the Bank.

The Board should be informed and ask questions – A Compliance Committee is a great idea!

One of the most effective tools that we have observed is the formulation and implementation of a compliance committee, composed of senior management and reporting to the Board or a committee of the Board.   By meeting at least quarterly to discuss issues that directly impact the Bank’s compliance program and reporting these issues to the Board, management can communicate concerns and ensure that all appropriate parties are held accountable for their compliance efforts.    In addition, the compliance committee adds a level of gravitas to the compliance effort and sends the message to all staff that the Bank considers compliance as an essential part of the Bank’s overall success. 

Make the Board Understand that Lack of Compliance = Lack of Growth and Public Humiliation!

We often hear the axiom that no Bank has ever failed exclusively on compliance issues. And while that may be true, many a bank has been severely hampered by compliance concerns. Enforcement action as a result of compliance concerns can include a Consent Order prohibiting the Bank from growing or expanding. A bank may be prevented from offering new product lines until such time as a compliance concern is addressed. Ultimately, if an institution is ordered to pay civil money penalties, a public notice is issued. The bank’s customers, competitors and the general community can be made aware of compliance concerns the Bank is suffering. The damage to reputation in these situations is difficult and takes a long time to repair.

So even if compliance is not a profit center, it can be a profit reducer if not properly administered!

Sunday, May 12, 2013

Is Fair Lending an Issue for "Business Banks"?


We hear this question often, generally from our clients that consider themselves "business banks" (banks that engage in very little or no consumer lending). The theory behind this question is that since there is little consumer activity, the chances that there might be a fair lending issue are exponentially decreased. The fact is that limited consumer activity can not only raise the risk, but in extreme cases it can be the source of a fair lending complaint by regulators!


What is the Fair Lending Law?


There is no one Fair Lending law. When regulators perform a fair lending analysis, they are actually looking at the bank's performance under a series of regulations and laws that are collectively referred to as Fair Lending. These rules include but are not limited to the following:


Regulation B (Equal Credit Opportunity Act);
Regulation BB (Community Reinvestment Act);
UDAAP (Unfair Deceptive and Abusive Acts);
Regulation Z (Truth in Lending Act);
The Holden Act (California)


The Fair Lending Review


There are two key issues in a fair lending review:
Disparate treatment of customers, and
Disparate impact of a practice on customers


Each of these questions contains its own analysis. Disparate treatment of customers asks the question whether or not the bank is treating similarly situated customers in a different and unfair manner. For example, Borrower A has a credit score of 800, a DSCR of 1.5 and has collateral that allows for an LTV of 50%. Borrower B has all of the same characteristics. Borrower A is granted credit while Borrower B is declined. In this case, examiners will analyze the files of these two applicants side-by-side to determine whether or not Borrower B was illegally or unfairly declined. This is not to say that the bank must approve all qualified applicants; it simply means that the reasons for declining a loan must be legal and related to business decisions.


Disparate impact asks the question whether a business practice or policy has an unfair or outsized impact on a protected group. Consider a bank policy that requires all business loan customers to own a home. While this may generally be seen as a sound (albeit conservative) policy, in a community where home ownership is enjoyed only by men or the level of home ownership of people of color is minimal, the effect of this policy can be to unfairly exclude a large portion of legally protected borrowers.


Using these two analyses, regulators can and have applied fair lending regulations at business banks. Although fair lending rules are clearly directed at consumer protection, the regulatory agencies have recently made it clear that they will apply these laws and rules to the points where commercial and consumer loans intersect.


So even if you consider yourself a business bank, we strongly recommend a fair lending assessment. A sound assessment should include the following:


Policies and procedures


The credit and lending policies and procedures should require a system of secondary review for credit decisions. This system should allow for a periodic analysis of declines versus similarly situated approvals. The Board or its designated committee should be informed on a regular basis of exceptions to policy. In this manner the management of the bank can track whether or not policies and procedures are yielding the desired results. One special note: exceptions to policy are often allowed for various reasons. As a best practice, tracking these exceptions compiles information to protect the bank against claims of disparate treatment.


Credit decisions


There must be a system to ensure that no individual with lending authority has the ability to thwart the will of the Board. For example, if a particular loan officer does not believe that women should be in business and therefore refuses to grant loans to women, the end result should be a red flag for the systems that monitor credit decisions.


Advertising


A system should be in place to ensure that advertising does not send unintended messages. For example, many banks use customer testimonials in their ad copy. These ads often present compelling arguments for why customers should use the services of the bank. However, these same ads can also present a strong message that unless you look like the people in the ad, you are not wanted as a customer! It is a best practice for the Board to review advertisements to ensure that the message being sent matches the desire of the Board.


Community Outreach


Knowing the true credit needs of the surrounding community is a requirement of the Community Reinvestment Act. It is also excellent business! A critical component of a sound fair lending program is community outreach. Conducting research on the economic trends in the local community, making contact with local community groups and participating in programs designed to increase community awareness of banking provides mutual benefit.


Knowing the credit needs of the Community


Despite a considered decision to do no or very little consumer lending, a business bank can have a significant fair lending issue. The decision by a Board that a bank will do no consumer lending can in and of itself become a fair lending concern. Although this may be an extreme case, it is possible. Consider a bank with a deposit base of 70% retail customers. The decision to make no consumer loans may make economic sense, but it may result in large portions of the Bank's assessment area being excluded.


Fair lending does indeed apply to all banks and the failure to consider the implications for your bank can lead to deep trouble.

Wednesday, May 8, 2013


Remote Deposit Capture – Why is it a BSA Concern?   

One of the areas of focus of BSA/AML examinations of late has been Remote Deposit Capture and, to a lesser extent, mobile banking customers. We have seen our customers receive criticism for having insufficient risk assessments and risk control programs in both of these areas. One of the ongoing and interesting questions that we get is “What ARE the BSA concerns with RDC?” It is true that it is easier to see the obvious risks of fraud in RDC (forged endorsements, double use of checks, altered MICR numbers, etc.), but the BSA/AML risks may not be as evident. This article discusses some of the “sneaky BSA” issues associated with RDC.

 The Unintentional MSB

Once a commercial deposit relationship is established, it can be difficult for a bank to keep up with all that its clients are doing. Many a bank has been one of the last to find out that one of its clients has decided to change its business line. For example, a laundromat client that has been sold on the idea of cashing checks and has “forgotten” to let its bank know! What was once a simple commercial relationship is now an MSB!

When a customer has an RDC setup, there is less contact and less opportunity to have discussions about the business and how it is going.  Without close monitoring, a simple RDC relationship can become an unintentional and unknown MSB.  

The $30K Bicycle

Without proper Customer Identification and Know Your Customer procedures that allow the Bank to clearly identify the expected line of business and anticipated activity for a customer, it is of course difficult to determine whether or not activity in an account is unusual or suspicious. RDC activity heightens the ability of an unscrupulous actor to hide fraudulent transactions within deposits. The bank has to conduct a complete analysis of the expected activities of its RDC customers to ensure that deposit activity is in line with the business of the customer. Without proper documentation, the Bank can unknowingly allow a customer to sell a $30k bicycle!

Smurfs Everywhere

Along the same lines, knowing the business lines of the customer will allow the bank to recognize what is and isn’t an acceptable level of activity. The Bank must be able to analyze the level of activity with its customer and determine whether the level of deposits is in line with sales. Excess activity that is not justified by the type of business, the maturity of the business or the market penetration of the business is a strong indication of “smurfing”. This activity can easily go unnoticed when the customer is an RDC client. The BSA program is critical to getting all of the information necessary to monitor the customer’s activity.

Check Kiting

Because checks are deposited remotely and not under the gaze of bank staff, the temptation and the opportunity for customers to attempt to take advantage of float through “kiting” checks is heightened. The Bank must be able to notice the type of checks that are being deposited and be willing to contact customers when there are questions.

It’s 11pm - Do you know where your RDC equipment is?

RDC equipment is, by its nature, small and easy to move. For most equipment, the technology does not exist to allow the Bank to track its exact location. An RDC customer may pledge not to move his/her equipment, but in truth, it is an honor system. The possibility exists that an RDC customer may move to a restricted or undesirable area to transact business. It is only with strong monitoring that a Bank can be fully aware of the possibility that equipment has been moved.

While the above list does not purport to include all of the possibilities, the issues here are enough for us to take notice.  RDC is indeed a critical component of a strong BSA/AML program!