Loud and Clear: FinCEN Demands a Culture of Compliance

Coming from the agency that regularly files enforcement actions against financial institutions for failing to comply with the BSA, written guidance about the relationship among culture, compliance failures, and enforcement bears special notice. Indeed, the Advisory coincided with an Aug. 12'speech delivered by FinCEN Director Jennifer Shasky Calvery at the 2014 Mid-Atlantic AML Conference in Washington (available at http://1.usa.gov/1pjZupx) (the “Speech”). In the Speech, Director Calvery suggested that the enforcement cases she had overseen as a Justice Department prosecutor and senior manager, as well as at FinCEN, would likely have turned out better for the targets had the culture been different: “I can say without a doubt that a strong culture of compliance could have made all the difference.” Speech, at 10.

But what is a culture of compliance? Regulators frequently cite its importance, but most fail to define it in a way that makes it easy to understand, and therefore to follow. The Advisory tries to remedy this by suggesting six principles to strengthening culture. Although Director Calvery correctly observed in her Speech that it “does not say anything that you have not heard before,” this should not be misread to dismiss the Advisory's importance. To the contrary, the mere issuance of the Advisory signals renewed emphasis across the regulatory community on culture, and its wording provides a useful guide on how the government will assess compliance culture in the future.

FinCEN's Six Principles

1. Leadership Should Be Engaged

Unsurprisingly, FinCEN stresses the importance of engaging an institution's leadership, including its board and senior management. It suggests that such engagement “be visible within the organization, as such commitment influences the attitudes of others within the organization.” Advisory, at 2. When combined with the government's renewed emphasis on individual accountability for AML/CTF violations, the Advisory underscores that compliance is not just for compliance personnel, but for the highest levels.

Missing from the Advisory, which focuses on upper management, is the importance of changing culture from the “bottom up.” Many organizations have delivered strong messages from their leaders, and made genuine efforts to change cultural attitudes. But often, the key to true culture change is the contribution of informal leaders at all levels of the organization. If a baseball manager tells his team to respect the umpire, the players may or may not listen; but if the respected old-timer in the clubhouse is on board, the ump will surely have no more trouble. That principle applies all over, and banks are no exception. Winning over informal leaders is crucial to the success of an organization's AML/CTF program.

2. Compliance Should Not Be Compromised by Revenue Interests

In many ways, FinCEN's warning not to let financial incentives defeat AML directives gets to the nub of the entire AML/CTF problem. After all, financial institutions are in business to make money, and these incentives are sometimes in direct conflict with appropriately assessing and monitoring risk and reporting suspicious activity, as the law requires. This may well be where culture change is most important.

Less than a year ago, in assessing a multi-million-dollar civil penalty on a community bank, FinCEN chastised the bank for focusing on revenue generation “rather than the associated risks.” Matter of Saddle River Valley Bank, No. 2013-02, Assessment of Civil Money Penalty, at 5. In that case, a majority of the bank's revenue in one particular business line involved suspect activity. Faced with properly instituting an AML program, and thereby potentially losing revenue from the suspect activity, or failing to assess the risks properly, the bank went the latter route and was punished for it. This cautionary tale for larger institutions ' whose revenue imperatives are orders of magnitude greater ' ended with the bank's ultimate demise.

Relatedly,'the Comptroller of the Currency has stated forcefully that “weaknesses in a bank's BSA/AML program are serious safety and soundness concerns.” OCC Bulletin 2012-30 (Sept. 28, 2012).'For that and other reasons, the'real benefit to a bank's bottom line more likely lies in adequately addressing all of its AML/CTF risks.

3. Information Should Be Shared Throughout the Organization

Banks are often big places, and like many large organizations, not every part knows what the others are doing. FinCEN tells us that internal departments need to talk to each other: “[t]here is information in various departments within a financial institution that may be useful and should be shared with the compliance staff.” Advisory, at 3. One example noted is that of the legal department sharing information about subpoenas received, which should trigger reviews of customer risk ratings and account activity. Other examples abound.

4. Leadership Should Provide Adequate Human and Technological Resources

The Advisory pointedly says that an institution's compliance function must be adequate to the task, including having computer systems sufficient to monitor transactions and generate appropriate alerts. Large amounts of data can be extremely useful'in identifying patterns and greatly improving an AML/CTF program. But data is only as good as the systems that generate and crunch it, and those systems must communicate appropriately with each other.

The Advisory does not mention what various investigations and enforcement actions in the last few years have revealed: Spending large amounts of money on AML compliance does not, by itself, make an institution compliant. It may well be an appropriate beginning, but will never be enough without a genuine culture of compliance.

5. The Program Should Be Effective and Tested By an Independent, Competent Party

By emphasizing independent testing, FinCEN has taken one of the four pillars of effective AML programs under the BSA and underscored its centrality (the other three involve compliance personnel, internal controls, and training). Whether internal or external, auditors and consultants must be “independent, qualified, unbiased, and ' not have conflicting business interests.” Advisory, at 4. As demonstrated by recent enforcement actions by New York State regulators against two of the Big Four accounting firms based on claims of lost objectivity when consulting for banks, the government has made clear that independent testing must truly be independent.

6. Leadership and Staff Should Understand How BSA Reports Are Used

Finally, both the Advisory and Director Calvery's speech stress the importance of bank personnel's understanding what FinCEN and law enforcement do with the more than one million suspicious-activity reports (SARs) filed each year. The Advisory concisely describes the importance of SARs in: 1) initiating investigations; 2) expanding existing investigations; 3) sharing information internationally with other financial intelligence units; and 4) identifying significant patterns among bad actors and their networks. The idea is, simply, to encourage institutions to develop robust systems and procedures to flag suspicious activity. SARs, after all, are only useful in fighting crime when they are actually filed.

Conclusion

It appears that the Treasury Department has seen enough cases in recent years to wonder whether its ongoing message ' about the special responsibility of institutions subject to the BSA to ensure that they not be used to facilitate crime or terrorism ' is getting through. In testimony before the Senate last year, the Under Secretary of the Treasury for Terrorism and Financial Intelligence, who oversees FinCEN, said that “[t]he spate of recent high-profile enforcement actions against some of our largest, most sophisticated, and best resourced financial institutions raises troubling questions about the effectiveness of our [AML/CTF] regulatory, compliance and enforcement efforts.” Testimony of David S. Cohen Before the U.S. Senate Committee on Banking, Housing, and Urban Affairs, March 7, 2013, available at http://1.usa.gov/1tpjpLh.

In essence, FinCEN's focus on culture is both a strong plea for help from the financial community and a shot across the bow to remind it that, if anything, enforcement efforts are being stepped up. It is no longer enough to devote resources to the compliance function because of a regulatory order or because an institution wants to establish good faith in case regulators or prosecutors come knocking. The challenge today, as FinCEN forcefully tells us, is to ingrain the idea of preventing financial crime within all aspects of the business. In the end, financial institutions need to become fully engaged and manage their financial crime risks just as surely as they do their credit risks or their market risks. FinCEN, for one, is certainly watching to see that they do.

Daniel R. Alonso, a member of this newsletter's Board of Editors, is a Managing Director and General Counsel at Exiger LLC, a consulting and monitoring firm specializing in financial crime compliance. He is a former white-collar crime prosecutor with the U.S. Department of Justice, and recently served for four years as the Chief Assistant District Attorney in Manhattan.

SPECIAL OFFER: Twitter, LinkedIn, Facebook and Google+ followers can get an online subscription to Business Crimes Bulletin for only $299. Click here, select Digital Only and use promo code BCBOL299 at checkout. This offer is valid for new subscribers only.

'

The onslaught of civil and criminal enforcement actions against financial institutions for violating anti-money laundering and counter-terrorist financing (AML/CTF) laws has continued its brisk pace in the past few months, with enforcement of the AML provisions of the Bank Secrecy Act (BSA) and the sanctions regulations administered by the Office of Foreign Assets Control (OFAC) showing no signs of slowing down. From the recent convictions of a major French bank for conspiring to violate OFAC sanctions, to the deferred prosecution agreement with one of the largest U.S.-based banks for substantive BSA violations in connection with the Bernie Madoff fraud, money laundering and sanctions violations are clearly at the front of the government's collective mind.

In that vein, the Treasury Department's Financial Crimes Enforcement Network (FinCEN), which implements the BSA, recently and pointedly reminded U.S. financial institutions that fulfilling their AML compliance obligations is not just about policies, procedures, and compliance personnel, but implicates the very culture of an organization. In a regulatory advisory issued on Aug. 11, 2014, FinCEN sets forth “general lessons” gleaned from its enforcement of the BSA, and flatly states that “a financial institution with a poor culture of compliance is likely to have shortcomings in its BSA/AML models.” FinCEN Advisory FIN-2014-A007 (Aug. 11, 2014) (the “Advisory”).

A Culture of Compliance

Coming from the agency that regularly files enforcement actions against financial institutions for failing to comply with the BSA, written guidance about the relationship among culture, compliance failures, and enforcement bears special notice. Indeed, the Advisory coincided with an Aug. 12'speech delivered by FinCEN Director Jennifer Shasky Calvery at the 2014 Mid-Atlantic AML Conference in Washington (available at http://1.usa.gov/1pjZupx) (the “Speech”). In the Speech, Director Calvery suggested that the enforcement cases she had overseen as a Justice Department prosecutor and senior manager, as well as at FinCEN, would likely have turned out better for the targets had the culture been different: “I can say without a doubt that a strong culture of compliance could have made all the difference.” Speech, at 10.

But what is a culture of compliance? Regulators frequently cite its importance, but most fail to define it in a way that makes it easy to understand, and therefore to follow. The Advisory tries to remedy this by suggesting six principles to strengthening culture. Although Director Calvery correctly observed in her Speech that it “does not say anything that you have not heard before,” this should not be misread to dismiss the Advisory's importance. To the contrary, the mere issuance of the Advisory signals renewed emphasis across the regulatory community on culture, and its wording provides a useful guide on how the government will assess compliance culture in the future.

FinCEN's Six Principles

1. Leadership Should Be Engaged

Unsurprisingly, FinCEN stresses the importance of engaging an institution's leadership, including its board and senior management. It suggests that such engagement “be visible within the organization, as such commitment influences the attitudes of others within the organization.” Advisory, at 2. When combined with the government's renewed emphasis on individual accountability for AML/CTF violations, the Advisory underscores that compliance is not just for compliance personnel, but for the highest levels.

Missing from the Advisory, which focuses on upper management, is the importance of changing culture from the “bottom up.” Many organizations have delivered strong messages from their leaders, and made genuine efforts to change cultural attitudes. But often, the key to true culture change is the contribution of informal leaders at all levels of the organization. If a baseball manager tells his team to respect the umpire, the players may or may not listen; but if the respected old-timer in the clubhouse is on board, the ump will surely have no more trouble. That principle applies all over, and banks are no exception. Winning over informal leaders is crucial to the success of an organization's AML/CTF program.

2. Compliance Should Not Be Compromised by Revenue Interests

In many ways, FinCEN's warning not to let financial incentives defeat AML directives gets to the nub of the entire AML/CTF problem. After all, financial institutions are in business to make money, and these incentives are sometimes in direct conflict with appropriately assessing and monitoring risk and reporting suspicious activity, as the law requires. This may well be where culture change is most important.

Less than a year ago, in assessing a multi-million-dollar civil penalty on a community bank, FinCEN chastised the bank for focusing on revenue generation “rather than the associated risks.” Matter of Saddle River Valley Bank, No. 2013-02, Assessment of Civil Money Penalty, at 5. In that case, a majority of the bank's revenue in one particular business line involved suspect activity. Faced with properly instituting an AML program, and thereby potentially losing revenue from the suspect activity, or failing to assess the risks properly, the bank went the latter route and was punished for it. This cautionary tale for larger institutions ' whose revenue imperatives are orders of magnitude greater ' ended with the bank's ultimate demise.

Relatedly,'the Comptroller of the Currency has stated forcefully that “weaknesses in a bank's BSA/AML program are serious safety and soundness concerns.” OCC Bulletin 2012-30 (Sept. 28, 2012).'For that and other reasons, the'real benefit to a bank's bottom line more likely lies in adequately addressing all of its AML/CTF risks.

3. Information Should Be Shared Throughout the Organization

Banks are often big places, and like many large organizations, not every part knows what the others are doing. FinCEN tells us that internal departments need to talk to each other: “[t]here is information in various departments within a financial institution that may be useful and should be shared with the compliance staff.” Advisory, at 3. One example noted is that of the legal department sharing information about subpoenas received, which should trigger reviews of customer risk ratings and account activity. Other examples abound.

4. Leadership Should Provide Adequate Human and Technological Resources

The Advisory pointedly says that an institution's compliance function must be adequate to the task, including having computer systems sufficient to monitor transactions and generate appropriate alerts. Large amounts of data can be extremely useful'in identifying patterns and greatly improving an AML/CTF program. But data is only as good as the systems that generate and crunch it, and those systems must communicate appropriately with each other.

The Advisory does not mention what various investigations and enforcement actions in the last few years have revealed: Spending large amounts of money on AML compliance does not, by itself, make an institution compliant. It may well be an appropriate beginning, but will never be enough without a genuine culture of compliance.

5. The Program Should Be Effective and Tested By an Independent, Competent Party

By emphasizing independent testing, FinCEN has taken one of the four pillars of effective AML programs under the BSA and underscored its centrality (the other three involve compliance personnel, internal controls, and training). Whether internal or external, auditors and consultants must be “independent, qualified, unbiased, and ' not have conflicting business interests.” Advisory, at 4. As demonstrated by recent enforcement actions by New York State regulators against two of the Big Four accounting firms based on claims of lost objectivity when consulting for banks, the government has made clear that independent testing must truly be independent.

6. Leadership and Staff Should Understand How BSA Reports Are Used

Finally, both the Advisory and Director Calvery's speech stress the importance of bank personnel's understanding what FinCEN and law enforcement do with the more than one million suspicious-activity reports (SARs) filed each year. The Advisory concisely describes the importance of SARs in: 1) initiating investigations; 2) expanding existing investigations; 3) sharing information internationally with other financial intelligence units; and 4) identifying significant patterns among bad actors and their networks. The idea is, simply, to encourage institutions to develop robust systems and procedures to flag suspicious activity. SARs, after all, are only useful in fighting crime when they are actually filed.

Conclusion

It appears that the Treasury Department has seen enough cases in recent years to wonder whether its ongoing message ' about the special responsibility of institutions subject to the BSA to ensure that they not be used to facilitate crime or terrorism ' is getting through. In testimony before the Senate last year, the Under Secretary of the Treasury for Terrorism and Financial Intelligence, who oversees FinCEN, said that “[t]he spate of recent high-profile enforcement actions against some of our largest, most sophisticated, and best resourced financial institutions raises troubling questions about the effectiveness of our [AML/CTF] regulatory, compliance and enforcement efforts.” Testimony of David S. Cohen Before the U.S. Senate Committee on Banking, Housing, and Urban Affairs, March 7, 2013, available at http://1.usa.gov/1tpjpLh.

In essence, FinCEN's focus on culture is both a strong plea for help from the financial community and a shot across the bow to remind it that, if anything, enforcement efforts are being stepped up. It is no longer enough to devote resources to the compliance function because of a regulatory order or because an institution wants to establish good faith in case regulators or prosecutors come knocking. The challenge today, as FinCEN forcefully tells us, is to ingrain the idea of preventing financial crime within all aspects of the business. In the end, financial institutions need to become fully engaged and manage their financial crime risks just as surely as they do their credit risks or their market risks. FinCEN, for one, is certainly watching to see that they do.

Daniel R. Alonso, a member of this newsletter's Board of Editors, is a Managing Director and General Counsel at Exiger LLC, a consulting and monitoring firm specializing in financial crime compliance. He is a former white-collar crime prosecutor with the U.S. Department of Justice, and recently served for four years as the Chief Assistant District Attorney in Manhattan.