OCC AML Priority To Target Regulatory Change

The US Office of the Comptroller of the Currency (OCC) has indicated that it will be focusing on the effectiveness of anti-money laundering (AML) systems and controls after including the topic on its list of FY 2019 annual priorities. For OCC-regulated banks, this means exams will concentrate on how up-to-date AML and Bank Secrecy Act (BSA) programs are with evolving threats and new rules.   

Reputational Risk On The Rise

Although the current US presidential administration continues to signal that regulatory relief is on the horizon, AML enforcement in the US continues to escalate. A flurry of new cases have hit the headlines since the beginning of the year, and the US remains the jurisdiction that levies the most AML fines globally. Recent enforcement trends include:

• Severe civil monetary penalties now reaching mid-size and small financial institutions
• Jurisdictions imposing mandatory certification programs for compliance personnel
• Compliance violations resulting in civil prosecution and debarment for compliance executives

These trends, combined with the new OCC AML/BSA priority, mean the likelihood that a firm – as well as individual compliance executives – could experience financial and reputational damage as a result of AML program failures has never been higher.

Getting AML/BSA Compliance Right

Specifically, the focus of the new OCC priority on the ongoing identification of risks, as well as the timely and correct implementation of regulatory change, means many AML/BSA teams could need to raise their game. Compliance teams should consider taking the following steps to ensure OCC AML exams result in a clean bill of health for their program:

1. Elevate AML information – The board and senior management must be part of the AML program’s oversight. They should regularly receive information on regulatory examination findings, matters requiring attention (MRAs), new regulatory guidance and changes in regulatory requirements. These stakeholders should also receive reports on the AML team’s operational metrics, including key issues such as the adequacy of human resources and technology in the face of new risks and regulatory change. These steps can help to ensure AML programs receive the right level of institutional oversight, support, and funding to keep pace with evolving risks and regulatory developments.
2. Undertake independent testing of the AML/BSA program – Testing should be completed by a team of subject matter experts who know all of the regulatory requirements – including any recent or pending changes. The team should also be aware of current guidance/best practices and understand regulator expectations. If an annual AML/BSA audit is conducted internally, the firm should engage an outside organization with subject matter expertise to deliver training to the audit team on new risk and regulatory developments. Failure to stay up-to-date or to make appropriate improvements may subject the organization to both compliance and reputational risk.
3. Ensure model validation is robust – Managing models and validating them can require specialized expertise – firms should engage with such expertise externally if it is not present within the AML team. US regulators also expect firms to use technology to support their AML programs. They have started to reprimand banks that don’t use technology appropriately.
4. Review human resourcing levels – Regulatory examiners today review the firm’s human resources approach within its AML program. Not only do they look to see if headcount is commensurate with the size and complexity of the firm, but they are also digging deeper to see if the team has the right experience, training, and is being compensated in line with AML discipline averages. Regulators are letting firms know if they do not meet expectations. Unfortunately, there is also an inadequate supply of qualified AML compliance professionals in the market place. Firms who have identified competency gaps should consider filling them through additional training, hiring, or outsourcing.   
5. Assess technology systems – Monitoring systems and OFAC/sanctions interdiction software must be kept up-to-date and independently validated. Failure to do so will lead to an increased risk of not detecting potentially suspicious activity, as well as conducting business with parties who appear on global sanction lists. Technology systems should be regularly reviewed and benchmarked against the firm’s compliance and business needs.
6. Ensure compliance with Customer Due Diligence (CDD) – The CDD Rule, also known as ultimate beneficial ownership, continues to be a challenge. Compliance is a significant undertaking in most jurisdictions as information is not broadly available. Banks that are concerned about their compliance with these relatively new requirements should speak to someone with knowledge of their jurisdictional requirements.

In short, rising compliance and reputational risks mean AML/BSA teams need to be more proactive when it comes to understanding their firm’s overall risk environment and managing regulatory change.