APPENDIX R: ENFORCEMENT GUIDANCE
Joint Statement on Enforcement of Bank Secrecy Act/Anti-Money Laundering Requirements[309]
[309] This statement supersedes the Interagency Statement on Enforcement of BSA/AML Requirements issued by the Agencies in July 2007 and is intended to set forth general policy guidance. It does not compel or preclude an enforcement or other supervisory action as appropriate in a specific factual situation.
The Board of Governors of the Federal Reserve System (“Federal Reserve”), the Federal Deposit Insurance Corporation (“FDIC”), the National Credit Union Administration (“NCUA”), and the Office of the Comptroller of the Currency (“OCC”), (an “Agency” or collectively the “Agencies”), are issuing this statement to set forth the Agencies’ policy on the circumstances in which an Agency will issue a mandatory cease and desist order to address noncompliance with certain Bank Secrecy Act/anti-money laundering (“BSA/AML”) requirements,[310] particularly in light of the specific BSA/AML compliance provisions in section 8(s) of the Federal Deposit Insurance Act (“FDIA”) and section 206(q) of the Federal Credit Union Act (“FCUA”) (hereafter referred to as “sections 8(s) and 206(q)”).[311] This interagency statement also describes the circumstances in which an Agency may use its discretion to issue formal or informal enforcement actions or use other supervisory actions to address BSA-related violations or unsafe or unsound banking practices or other deficiencies. This statement does not create new expectations or standards. Rather, it is intended to further clarify the Agencies’ enforcement of the BSA and the conditions that require the issuance of a mandatory cease and desist order under sections 8(s) and 206(q).
[310] This statement does not address the assessment of civil money penalties for violations of the BSA or its implementing regulations. The Agencies have such authority under their general enforcement statutes. 12 U.S.C. §§ 1786(k)(2) and 1818(i)(2). Likewise, the Financial Crimes Enforcement Network (“FinCEN”) has independent authority to assess civil money penalties under the BSA.
[311] 12 U.S.C. §§ 1786(q), 1818(s).
Whenever the Agencies undertake an enforcement action, whether mandatory under sections 8(s)(3) and 206(q)(3) or otherwise, they will tailor that action to address the deficiencies that are specific to the institution,[312] as identified during the supervisory process.[313]
[312] The term “institution” refers to banks, as defined in 31 C.F.R. § 1010.100(d), and includes each agent, agency, branch or office within the United States of banks, savings associations, credit unions, and foreign banks.
[313] It should also be noted that BSA/AML enforcement actions can have a significant impact on an institution’s ability to engage in certain corporate activities and expansion since the effectiveness of an institution’s efforts in combating money laundering are expressly required to be considered by the Agencies when evaluating proposals subject to the Bank Merger Act, 12 U.S.C. § 1828(c)(11), and the Bank Holding Company Act, 12 U.S.C. § 1842(c)(6).
BSA/AML Compliance Program Requirement.
Under section 8(s) of the FDIA and section 206(q) of the FCUA, each of the Agencies is directed to prescribe regulations requiring each insured depository institution to establish and maintain procedures reasonably designed to assure and monitor the institution’s compliance with the requirements of the BSA (collectively, these procedures form the basis of each institution’s “BSA/AML compliance program”). Sections 8(s) and 206(q) require that each Agency’s examination of an institution include a review of the institution’s BSA/AML compliance program and that reports of examination describe any problem with the BSA/AML compliance program. Finally, sections 8(s) and 206(q) state that if an institution has failed to establish and maintain a BSA/AML compliance program or has failed to correct any problem with the BSA/AML compliance program previously reported to the institution by the appropriate Agency, the appropriate Agency shall issue a cease and desist order against the institution.
As required by sections 8(s) and 206(q), each of the Agencies has issued regulations that require any institution it supervises or insures to establish and maintain a BSA/AML compliance program. Each of these regulations imposes substantially the same requirements.[314] Specifically, under each Agency’s regulations, a BSA/AML compliance program must: (1) be reasonably designed to assure and monitor the institution’s compliance with the requirements of the BSA and its implementing regulations and (2) have, at a minimum, the following components or pillars:
- a system of internal controls to assure ongoing compliance with the BSA;
- independent testing for BSA/AML compliance;
- a designated individual or individuals responsible for coordinating and monitoring BSA/AML compliance; and
- training for appropriate personnel.
[314] 12 C.F.R. §§ 21.21 (OCC); 208.63 (Federal Reserve); 326.8(c) (FDIC); 748.2 (NCUA). The provisions of section 8(s) are also made applicable to certain banking organizations other than insured depository institutions. 12 U.S.C. §§ 1818(b)(3), (b)(4). The OCC’s regulations also apply to Federal branches and agencies of foreign banks. 12 U.S.C. § 3102(b); 12 C.F.R. § 28.13. The Federal Reserve’s regulations also apply to Edge Act and agreement corporations, and branches, agencies, and other offices of foreign banking organizations. 12 C.F.R. §§ 211.5, 211.24. BSA/AML compliance programs that comply with these Agency regulations are also deemed to comply with the Treasury Department’s regulations issued pursuant to the BSA, which separately require that financial institutions establish AML programs. See, 31 U.S.C. § 5318(h); 31 C.F.R. § 1020.210.
A BSA/AML compliance program must include a Customer Identification Program with risk-based procedures that enable the institution to form a reasonable belief that it knows the true identity of its customers.[315]
[315] 12 C.F.R. §§ 21.21(c)(2) (OCC); 208.63(b)(2), 211.5(m)(2), 211.24(j)(2), (Federal Reserve); 326.8(b)(2) (FDIC); 748.2(b)(2) (NCUA); 31 C.F.R. § 1020.220 (Treasury Department).
A BSA/AML compliance program must also include appropriate risk-based procedures for conducting ongoing customer due diligence as set forth in regulations issued by the U.S. Department of the Treasury (“Treasury Department”),[316] including, but not limited to:
- understanding the nature and purpose of customer relationships for the purpose of developing a customer risk profile; and
- conducting ongoing monitoring to identify and report suspicious transactions and, on a risk basis, to maintain and update customer information, including information regarding the beneficial owner(s) of legal entity customers.
[316] 31 C.F.R. § 1020.210(b)(5).
In addition to these customer due diligence requirements, a reasonably designed BSA/AML compliance program must include procedures to address other BSA reporting and recordkeeping requirements set forth in regulations issued by the Treasury Department including, among others, beneficial ownership, foreign correspondent banking, and currency transaction reporting requirements.[317] For the purposes of sections 8(s) and 206(q), the Agencies evaluate customer due diligence and other BSA reporting and recordkeeping requirements as a part of the internal controls component of the bank’s BSA/AML compliance program.
[317] See 31 C.F.R. Parts 1010 and 1020.
Communication of Supervisory Concerns about BSA/AML Compliance Programs.
Sections 8(s) and 206(q) require that each Agency examine the institution’s BSA/AML compliance program, and that reports of examination describe any problem with that BSA/AML compliance program. When an Agency identifies supervisory concerns relating to an institution’s BSA/AML compliance program in the course of an examination or otherwise, the Agency may communicate those concerns by various formal and informal means. The particular method of communication used typically depends on the seriousness of the concerns and each Agency’s policies. These methods may include, but are not limited to:
- informal discussions by examiners with an institution’s management during an examination or ongoing supervision processes;
- formal discussions by examiners with the board of directors as part of or following an examination, or as part of the ongoing supervision processes;
- written communications from examiners or the Agency to an institution’s board of directors or senior management that communicate concerns regarding the implementation of its BSA/AML compliance program;
- a finding contained in the report of examination or in other formal communications from an Agency to an institution’s board of directors or senior management indicating deficiencies or weaknesses in the BSA/AML compliance program; or
- a finding contained in the report of examination or in other formal communications from the Agency to an institution’s board of directors or senior management of a violation of the regulatory requirement to implement and maintain a reasonably designed BSA/AML compliance program.
As explained below, for section 8(s) or 206(q) to apply, the deficiencies in the compliance program must be identified in a report of examination or other written document reported to an institution’s board of directors or senior management as a violation of law or a matter that must be corrected. Certain isolated or technical violations of law and other issues or suggestions for improvement may be communicated through other means.
II. Enforcement Actions for BSA/AML Compliance Program Failures.
In accordance with sections 8(s)(3) and 206(q)(3), the appropriate Agency shall issue a cease and desist order against an institution for noncompliance with BSA/AML compliance program requirements in the following situations, based on a careful review of all the relevant facts and circumstances.
Failure to establish and maintain a reasonably designed BSA/AML Compliance Program.
The appropriate Agency shall issue a cease and desist order based on a violation of the requirement in sections 8(s) and 206(q) to establish and maintain a reasonably designed BSA/AML compliance program where the institution:[318]
- fails to have a written BSA/AML compliance program, including a customer identification program, that adequately covers the required program components or pillars (internal controls, independent testing, designated BSA/AML personnel, and training); or
- fails to implement a BSA/AML compliance program that adequately covers the required program components or pillars (institution-issued policy statements alone are not sufficient; the program as implemented must be consistent with the institution’s written policies, procedures, and processes); or
- has defects in its BSA/AML compliance program in one or more program components or pillars that indicate that either the written BSA/AML compliance program or its implementation is not effective, for example, where the deficiencies are coupled with other aggravating factors, such as (i) highly suspicious activity creating a potential for significant money laundering, terrorist financing, or other illicit financial transactions, (ii) patterns of structuring to evade reporting requirements, (iii) significant insider complicity, or (iv) systemic failures to file currency transaction reports (“CTRs”), suspicious activity reports (“SARs”), or other required BSA reports.
[318] The examples in this document do not in any way limit the ability of an Agency to bring an enforcement action under sections 8(s) and 206(q) where the failure to have or implement a BSA/AML compliance program is demonstrated by other deficiencies. The examples are included for illustrative purposes only and do not set any thresholds or precedent for future enforcement actions.
For example, an institution would be subject to a cease and desist order if its system of internal controls (such as customer due diligence, procedures for monitoring suspicious activity or an appropriate risk assessment) fails with respect to either a high-risk area or multiple lines of business that significantly impact the institution’s overall BSA/AML compliance program, even if the other components or pillars are satisfactory. Similarly, a cease and desist order would be warranted if, for example, an institution has deficiencies in the required independent testing component or pillar of the BSA/AML compliance program and those deficiencies are coupled with evidence of highly suspicious activity, creating a potential for significant money laundering, terrorist financing, or other illicit financial transactions in the institution.
An institution would also be subject to a cease and desist order if the institution fails to implement a BSA/AML compliance program that adequately covers the required program components or pillars. For example, an institution rapidly expands its business relationships through its foreign affiliates and businesses:
- without identifying its money laundering and other illicit financial transaction risks;
- without an appropriate system of internal controls to verify customers’ identities, conduct customer due diligence, or monitor for suspicious activity related to its products and services;
- without providing sufficient authority, resources, or staffing to its designated BSA officer to properly oversee its BSA/AML compliance program;
- with deficiencies in independent testing that caused it to fail to identify problems; and
- with inadequate training exemplified by relevant personnel not understanding their BSA/AML responsibilities.
However, other types of deficiencies in an institution’s BSA/AML compliance program or in implementation of one or more of the required BSA/AML compliance program components or pillars, including violations of the individual component or pillar requirements, will not necessarily result in the issuance of a cease and desist order, unless the deficiencies are so severe or significant as to render the BSA/AML compliance program ineffective when viewed as a whole. For example, an institution that has deficiencies only in its procedures for providing BSA/AML training to appropriate personnel ordinarily may be subject to examiner criticism and/or supervisory action other than the issuance of a cease and desist order, unless the training program deficiencies, viewed in light of all relevant circumstances, are so severe or significant as to result in a finding that the organization’s BSA/AML compliance program, taken as a whole, is not effective.
In determining whether an institution has failed to implement a BSA/AML compliance program, an Agency will also consider the application of the institution’s BSA/AML compliance program across its business lines and activities. In the case of institutions with multiple lines of business, deficiencies affecting only some lines of business or activities would need to be evaluated to determine if the deficiencies are so severe or significant in scope as to result in a conclusion that the institution has not implemented an effective overall BSA/AML compliance program.
Failure to correct a previously reported problem with the BSA/AML Compliance Program.
An Agency shall, in accordance with sections 8(s) and 206(q), and based on a careful review of the relevant facts and circumstances, issue a cease and desist order whenever an institution fails to correct a previously reported problem with its BSA/AML compliance program identified during the supervisory process. However, in order to be considered a “problem” within the meaning of sections 8(s)(3)(B) and 206(q)(3)(B), a problem reported to the institution ordinarily would involve substantive deficiencies in one or more of the required components or pillars of the institution’s BSA/AML compliance program or implementation thereof that is reported to the institution’s board of directors or senior management in a report of examination or other supervisory communication as a violation of law or regulation that is not isolated or technical, or as a matter that must be corrected. For example, failure to take any action in response to an express criticism in a report of examination regarding a failure to appoint a qualified and effective BSA compliance officer could be viewed as an uncorrected previously reported problem that would result in a cease and desist order. Violations or deficiencies in an institution’s BSA/AML compliance program communicated to the institution in a report of examination or through other written means that are determined to be isolated or technical are generally not considered problems that would result in a mandatory cease and desist order.
An Agency will ordinarily not issue a cease and desist order under sections 8(s) or 206(q) for failure to correct a BSA/AML compliance program problem unless the problems subsequently found by the Agency are substantially the same as those previously reported to the institution. For example, during a previous examination, an institution’s system of internal controls was considered inadequate as a result of substantive deficiencies related to customer due diligence and suspicious activity monitoring processes. Specifically, the institution had not developed customer risk profiles to identify, monitor, and report suspicious activities related to the institution’s higher-risk business lines. These substantive deficiencies were identified in the previous report of examination as a problem requiring board attention and management’s correction. The subsequent report of examination determined that management had not addressed the previously reported problem with the institution’s BSA/AML compliance program. Customer risk profiles remained undeveloped to identify, monitor, and report suspicious activity related to the institution’s higher-risk business lines. As a result, the institution would be subject to a cease and desist order for failure to correct a previously reported problem with its BSA/AML compliance program.
In contrast, if an Agency notes in a previous report of examination that an institution’s training program was inadequate because it was out of date (for instance, if it did not reflect changes in the law), and at the next examination the training program is adequately updated, but flaws are discovered in the internal controls for the BSA/AML compliance program, the Agency would not issue a cease and desist order under sections 8(s) or 206(q) for failure to correct a previously reported problem and will consider the full range of potential supervisory responses. Similarly, if a violation is cited in a previous report of examination for failure to designate a qualified BSA compliance officer, and the institution has appointed an otherwise qualified person to assume that responsibility by the next examination, but the examiners recommend additional training for the person, an Agency may determine not to issue a cease and desist order under sections 8(s) or 206(q) based solely on that deficiency. Additionally, statements in a report of examination or other written document reported to the board of directors or senior management suggesting areas for improvement, identifying less serious issues, or identifying isolated or technical violations or deficiencies would generally not be considered problems for purposes of sections 8(s) and 206(q).
The Agencies also recognize that certain types of problems with an institution’s BSA/AML compliance program may not be fully correctable before the next examination or within the planned timeframes for corrective actions due to unanticipated or other issues. Remedial actions involving multiple lines of business within an institution or the adoption or conversion of automated systems may take more time to implement than initially anticipated. In these types of situations, a cease and desist order is not required, provided the Agency determines that the institution has made acceptable substantial progress toward correcting the problem.
III. Other Enforcement Actions for BSA/AML Compliance Program Component or Pillar Deficiencies.
As noted above, in addition to the situations described in this statement where an Agency will issue a cease and desist order for a violation of the BSA/AML compliance program regulation or for failure to correct a previously reported BSA/AML compliance program problem, an Agency may also take formal or informal enforcement actions against an institution for other types of BSA/AML compliance program concerns or deficiencies separate from enforcement actions taken under the authorities referred to in sections 8(s) and 206(q).[319] In these situations, depending upon the particular facts involved, an Agency may pursue enforcement actions based on individual component or pillar violations or BSA-related unsafe or unsound practices that may impact individual components or pillars. The form and content of the enforcement action in a particular case will depend on the severity of the concerns or deficiencies, the capability and cooperation of the institution’s management, and the Agency’s confidence that the institution’s management will take appropriate and timely corrective action.
[319] See, e.g., 12 U.S.C. §§ 1786(b); 1818(b).
IV. Enforcement Actions for Other BSA/AML Requirements.
In appropriate circumstances, an Agency may take formal or informal enforcement actions to address violations of BSA/AML requirements other than the BSA compliance program or the individual component or pillar requirements. These other requirements include, for example, customer due diligence, beneficial ownership, foreign correspondent banking, and suspicious activity reporting and currency transaction reporting requirements. Also, consistent with the treatment of violations of isolated or technical compliance program requirements, violations of these non-program requirements that are determined by the Agency to be isolated or technical are generally not considered the kinds of problems that would result in an enforcement action.
Suspicious Activity Reporting Requirements.
Under regulations of the Agencies and the Treasury Department, institutions subject to the Agencies’ supervision are required to file a SAR when they detect certain known or suspected criminal violations or suspicious transactions.[320] Suspicious activity reporting forms the cornerstone of the BSA reporting system, and is critical to the United States’ ability to utilize financial information to combat money laundering, terrorist financing, and other illicit financial activity. The regulations require institutions to file SARs with respect to the following general types of activities:
- known or suspected criminal violations involving insider activity in any amount;
- known or suspected criminal violations aggregating $5,000 or more when a suspect can be identified;
- known or suspected criminal violations aggregating $25,000 or more, regardless of potential suspects; or
- suspicious transactions of $5,000 or more that involve potential money laundering or BSA violations.
[320] 12 C.F.R. §§ 21.11; 163.180(d) (OCC); 208.62, 211.5(k), 211.24(f), 225.4(f) (Federal Reserve); Part 353 (FDIC); 748.1(c) (NCUA); 31 C.F.R. § 1020.320 (Treasury Department).
The SAR must be filed within 30 days of detecting facts that may constitute a basis for filing a SAR (or within 60 days if there is no subject).
The Agencies will cite a violation of the SAR regulations, and will take appropriate supervisory action, if the institution’s failure to file a SAR (or SARs) evidences a systemic breakdown in its policies, procedures, or processes to identify and research suspicious activity, involves a pattern or practice of noncompliance with the filing requirement, or represents a significant or egregious situation.
Other BSA Reporting and Recordkeeping Requirements.
Institutions also are subject to other BSA reporting and recordkeeping requirements set forth in regulations issued by the Treasury Department.[321] These requirements are reviewed in detail in the FFIEC BSA/AML Examination Manual; they include, among other things, requirements applicable to cash and monetary instrument transactions and funds transfers, CTR filing and exemption rules, due diligence, certification, and other requirements that may be applicable to customer accounts and foreign correspondent and private banking accounts. As previously noted, the Agencies evaluate these additional regulatory requirements as a part of the internal control component or pillar of the institution’s BSA/AML compliance program.
[321] 31 C.F.R. Part 1010.