On April 15, 2020, the Federal Financial Institutions Examination Council (FFIEC) released several updates to the Bank Secrecy Act/Anti-Money Laundering (BSA/AML) examination manual.1 These updates are the first revisions to the BSA/AML manual since 2014 and clarify the risk-focused approach to AML examinations that is used by the Federal Reserve, OCC, FDIC, and NCUA. In this Legal Update, we analyze the changes to the BSA/AML manual, discuss how they fit within broader AML compliance trends, and offer observations and guidance to financial institutions in view of their next BSA/AML exam.
The BSA/AML manual was first published by the FFIEC in 2005 and has been updated several times since then, most recently in 2014.2 It was initially developed by the federal banking regulators in collaboration with the Financial Crimes Enforcement Network, the Office of Foreign Assets Control, and state regulators. The BSA/AML manual is a resource that provides guidance to bank examiners who carry out AML and sanctions compliance examinations. While financial institutions are not its primary audience, the BSA/AML manual is widely relied on by the industry as a summary of legal requirements, supervisory expectations, and examination procedures for AML compliance.
Despite the manual’s being widely relied on by the industry, there have been a number of criticisms of the agencies’ approach to AML compliance examinations and how examiners used the BSA/AML manual.3 In particular, AML compliance policies and procedures are supposed to be risked-based, i.e., tailored to the specific risk profile of a financial institution. However, many have criticized AML compliance examinations as being more rules-based than risk-based, requiring institutions to adopt procedures or controls that regulators regard as essential to a successful AML compliance program, regardless of an institution’s risk profile.4 The April 2020 updates are designed to address those concerns.
Further, the updates are designed to align the examination manual to the Trump administration’s position regarding reliance on guidance as a basis for taking enforcement actions. In 2018, the US Department of Justice issued a policy that prohibited the agency from bringing civil enforcement actions on the basis of guidance that had not been subject to a public notice and comment rulemaking process.5 The Justice Department policy was embraced by the bank regulatory agencies, including the Federal Reserve, in a statement asserting that supervisory guidance does not have the force of law and may not serve as the basis of an enforcement action.6 The April 2020 updates to the BSA/AML manual are intended to implement the principles of the joint statement in a clear and direct way.
The April 2020 updates focus on the Core Examination Overview and Procedures for Assessing the BSA/AML Compliance Program sections, which constitute pages 11 to 46 of the 440-page BSA/AML manual. The regulators have indicated that they will revise other sections of the manual later. While the regulators have stated that the April 2020 updates are not intended to impose new legal requirements, they do contain substantive changes to the regulators’ approach to AML compliance examinations.
First, historically there were concerns that the BSA/AML manual did not clearly distinguish between legal requirements and supervisory expectations, and, as a consequence, some examiners treated the supervisory expectations in the manual as compulsory obligations.7 The April 2020 updates address this by more clearly distinguishing between legal requirements (as specified in law or regulation) and guidance on what the regulators regard as best practices. For example, the section on independent testing (BSA/AML Independent Testing) has been restructured to more clearly state that there is no legal requirement that applies to the frequency of testing. The revisions eliminate the prior statement that it is “sound practice” to conduct testing every 12 to 18 months and instead emphasize that risk assessments are to be updated in response to changes in products, services, customers, geographic locations, or risk profile.8
Second, some institutions have received supervisory criticism for matters requiring attention or enforcement actions for isolated, minor, or technical violations of BSA/AML manual. This is part of an unfortunate trend in which the materiality threshold for taking an action against an institution has declined while the number of actions taken has increased.9 The April 2020 updates address this concern by emphasizing in a new subsection (Risk-Focused BSA/AML Supervision) that examiners should take a risk-focused, tailored approach to AML compliance examinations that are symmetrical with the institution’s AML risk-based approach to developing an AML compliance program. This more clearly articulated guidance is consistent with the agencies’ 2019 standalone statement on AML compliance examination and incorporates the language from that statement into examiner materials.10
Of particular interest is the new sentence in the last section of the revised BSA/AML manual (Developing Conclusions and Finalizing the Exam): “Minor weaknesses, deficiencies, and technical violations alone are not indicative of an inadequate program and should not be communicated as such.”11 The April 2020 updates maintain the list of causes of violations or deficiencies from the existing manual but distinguish technical violations that may be corrected by the institution in the normal course of business. This appears designed to discourage examiners from bringing actions for minor, isolated, or technical issues.
Third, some have said that examiners view the BSA/AML manual as articulating the only way in which an institution can fulfill its AML compliance obligations. This led to the impression that examinations are one-size-fits-all and that risk assessments must satisfy subjective examiner views or risk directives that they be redone (in effect, a hindsight bias), an approach that is inapposite to the concept that institutions should develop risk-based assessments appropriate for their unique businesses.12
The April 2020 updates address this concern by emphasizing the flexibility that institutions have to design their AML compliance program, particularly with respect to risk assessments.13 For example, the revised BSA/AML manual explicitly recognizes that institutions may quantify risk and implement controls accordingly. It also states that there is no legal requirement for an institution to conduct continuous or periodic risk assessments unless there has been a change in its risk profile. Further, the revised manual states in the BSA/AML Risk Assessment section that if an institution has “established an appropriate BSA/AML risk assessment process, and has followed existing policies, procedures, and processes, examiners should not criticize the bank for individual risk or process decisions.”14 This new language appears to be intended to focus examiners on the process the institution uses to assess risk and avoid post-hoc critiques based on individual compliance determinations.
Fourth, some aspects of the BSA/AML manual were criticized for being imprecise. For example, the internal control section discussed limiting and controlling risks,15 while the more contemporary language in the revised manual is phrased as mitigating and managing risks, reflecting the view that institutions need not avoid risk if they are able to manage it appropriately.16 Similarly, the training section was unclear on the type of initial training that board members should receive. This was clarified in the update to indicate that board members should receive “foundational” training with updates when there are new changes and developments.
One cross-cutting change in the April 2020 updates is the removal of language instructing examiners to evaluate whether institutions have implemented effective compliance programs. The revised BSA/AML manual instead focuses on evaluating whether instructions have implemented adequate compliance programs.17 Adoption of the less rigorous “adequacy” standard appears to be a significant departure from the prior version and, as noted below, may not align with current international standards.
The April 2020 updates are likely to be a welcome change for the industry, as they align operational instructions to examiners with the policy positions that have been articulated by agency principals and senior staff. Additionally, these revisions could lead to a reduction in penalties for isolated, minor, or technical compliance issues. The US chief national bank examiner has indicated that the April 2020 updates are intended to provide examiners with the “flexibility to conduct more focused and efficient exams” of banks with lower levels of AML risk and “established and proven risk management programs,” thereby reducing the regulatory burden on such institutions.18 Banks with higher levels of AML risk, due to the geographies and customers they serve and the products and services they offer, should continue to expect a commensurate level of attention from examiners.
Notwithstanding these changes, institutions should remain attentive to AML requirements and compliance activities. Over the past several years, global standards increasingly have become more restrictive, and international financial institutions in particular cannot afford to be seen as “cutting back” or “loosening” their compliance activities in response to this US-centric release emphasizing adequate compliance.19 While the trend in the United States has been toward rationalizing AML supervision, that trend could be reversed through concerted international action and a perception on the part of US supervisors that domestic institutions are not devoting sufficient attention or resources to AML compliance.
Although the April 2020 updates should be well-received, it remains to be seen how examiners will implement them. Historically, institutions have expressed frustration that some examiners have not internalized the message from leadership and continue to enforce old or different interpretations of requirements. In recent public settings, senior agency staff have encouraged institutions to contact them if examiners do not follow current policies, but there are limits to such engagement. While institutions may appeal examiner decisions, it may be more difficult to justify appeals where facts show that the institution cut back on AML compliance activities or deviated from best practices in supervisory expectations immediately following the April 2020 updates.
Finally, AML reforms in the United States are being undertaken in a piecemeal fashion (as evidenced by the revision of one-tenth of the BSA/AML manual), and the progress of reforms may slow significantly due to the COVID-19 pandemic and the regulatory hiatus that typically precedes presidential elections. This could complicate the implementation of the changes in the April 2020 updates because institutions will need to “read” the spirit of those changes into the other parts of the BSA/AML manual when modifying compliance programs. For the moment, financial institutions should avoid wholesale revisions to their AML compliance programs. Instead, they should work to apply incremental changes reflecting the April 2020 updates and consult with senior staff at the agencies on lingering ambiguities.
1 Press Release, Federal and State Regulators Release Updates to BSA/AML Examination Manual (Apr. 15, 2020), https://www.ffiec.gov/press/pr041520.htm [hereinafter April 2020 updates]. The FFIEC includes the Board of Governors of the Federal Reserve System (“Federal Reserve”), the Office of the Comptroller of the Currency (“OCC”), the Federal Deposit Insurance Corporation (“FDIC”), the National Credit Union Administration (“NCUA”), and the State Liaison Committee; those regulators coordinated the revisions to the BSA/AML Manual with the Financial Crimes Enforcement Network (“FinCEN”).
2 Press Release, Bank Secrecy Act/Anti-Money Laundering Examination Manual (June 30, 2005); Press Release, Financial Regulators Release 2014 Bank Secrecy Act/Anti-Money Laundering Examination Manual (Dec. 2, 2014).
3 See, e.g., Interview with Michelle Bowman, ABA (Feb. 10, 2020) (discussing her expectation that under AML compliance reforms, “we will see a significant reduction in the number of hours that we spend in your institutions”), https://bankingjournal.aba.com/2020/02/bowman-fed-weighing-expanded-transparency-on-core-provider-exam-info/.
4 GAO, Agencies and Financial Institutions Share Information but Metrics and Feedback Not Regularly 26 (Aug. 2019), https://www.gao.gov/assets/710/701086.pdf; Greg Baer, CDD is Another Example of the Need for AML Reform, TCH (Apr. 26, 2018), https://www.theclearinghouse.org/research/articles/2018/04/20180426-baer-aml-reform-testimony.
5 Press Release, Associate Attorney General Brand Announces End To Use of Civil Enforcement Authority to Enforce Agency Guidance Documents (Jan. 25, 2018). This doctrine has become known as the “Guidance on Guidance.”
7 E.g., Associations petition banking agencies and BCFP to ensure legal clarity and certainty, BPI/ABA (Nov. 6, 2018), https://bpi.com/press-releases/bpi-and-aba-ask-regulators-to-issue-regulation-codifying-guidance-is-nonbinding/; Guidance, Supervisory Expectations, and the Rule of Law: How Do the Banking Agencies Regulate and Supervise Institutions?, Hearing Before the United States Senate Committee on Banking, Housing, and Urban Affairs, (April 30, 2019), https://www.sifma.org/resources/general/senate-banking-hearing-on-banking-agency-regulation-and-supervision/.
9 TCH, A New Paradigm: Redesigning the US AML/CFT Framework to Protect National Security and Aid Law Enforcement (Feb. 2017), https://www.theclearinghouse.org/~/media/TCH/Documents/TCH%20WEEKLY/2017/20170216_TCH_Report_AML_CFT_Framework_Redesign.pdf.
10 Joint Statement on Risk-Focused BSA/AML Supervision (July 22, 2019). This statement was seen as emphasizing the importance of a risk-focused approach to examinations, but it was unclear how the statement would be used in day-to-day supervisory activities. The April 2020 updates confirm the regulators’ commitment to the risk-focused approach laid out in the joint statement.
12 E.g., Examining the BSA/AML Regulatory Compliance Regime, Hearing Before the United States House Committee on Financial Services (June 28, 2017) (“from an examiner and banking agency perspective, the only possible safe harbor is to demand more policies and procedures”), https://financialservices.house.gov/calendar/eventsingle.aspx?EventID=400597; see also Coordinating Oversight, Upgrading and Innovating Technology, and Examiner Reform Act of 2019, H.R. 2514, 116th Cong. § 304(b) (2019) (bill to prohibit examiners from penalizing certain compliance choices), https://www.congress.gov/bill/116th-congress/house-bill/2514/text; Brett Wolf, Reform in US Anti-Money Laundering Rules Grows More Likely, But Could Take Time, Thomson Reuters(May 23, 2019), https://blogs.thomsonreuters.com/answerson/anti-money-laundering-rules-reform/;Stephanie Lyon, Supervisory Expectations During BSA/AML Examinations, NAFCU(Nov. 19, 2018), https://www.nafcu.org/compliance-blog/supervisory-expectations-during-bsaaml-examinations-bureau-updates-loan-originator-guidance.
18 Al Barbarino, OCC’s New Bank Exam Chief Talks COVID-19 and Beyond, Law360 (May 8, 2020), https://www.law360.com/cybersecurity-privacy/articles/1271079/occ-s-new-bank-exam-chief-talks-covid-19-and-beyond-.
19 See, e.g., Wolfsberg Group, Statement on “Effectiveness” (Dec. 20, 2019) (emphasizing that regulators should “focus on effective outcomes” when supervising AML compliance), https://www.wolfsberg-principles.com/sites/default/files/wb/pdfs/Effectiveness%201%20pager%20Wolfsberg%20Group%202019%20FINAL_Publication.pdf.