In Idaho, grading and packaging potatoes is a serious matter. Potatoes should be of one variety or similar varietal characteristics, of similar shape and size — either two inches in diameter or four ounces in weight — and free from injury, sunburn, and other damage. Up to 6% of the potatoes in any container may be below the requirements of the grade. The penalty for violating these provisions is a fine of up to $500, up to six months in jail, or both. As fines go, this pales in comparison to those handed out by regulators for compliance failures.The $3B penalty issued against TD Bank — the 10th largest bank in the US — for conspiracy to commit money laundering and failures in its Bank Secrecy Act (BSA) program made the headlines as the biggest anti-money laundering (AML) penalty ever issued to a bank. Community financial institutions (CFIs) are similarly scrutinized. Indeed, in Q4 2024, the Office of the Comptroller of the Currency (OCC) entered a formal agreement with a Florida-based CFI for unsafe or unsound practices relating to BSA/AML. It also issued a “cease and desist” order to a Texas-based CFI for failing to correct previously flagged BSA/AML problems involving customer due diligence and suspicious activity monitoring and identification, including from third-party payment processor accounts.Compliance Is CriticalIt’s not just the threat of large fines and the possibility of sanctions that concern financial institutions. Most CEOs and boards now recognize that inadequate AML and know your customer (KYC) processes also lead to inefficiencies and the potential for a dip in customer satisfaction. In 2023, US financial institutions spent $61B on financial crime compliance, according to a survey by Forrester Consulting for LexisNexis Risk Solutions. Four in five survey respondents faced an increase in technology costs to meet compliance requirements. Among CFIs, 78% experienced greater increases in compliance costs related to labor.The increased scrutiny by the regulators demonstrates that AML/BSA risks are to be taken seriously. Key areas of risk that CFIs should be evaluating include:
- Customer base. Risk will vary depending on whether a CFI has a stable and known customer base or a growing and evolving one, its geographic reach, whether it has foreign accounts, and the volumes of currency transactions. CFIs may also have differing levels of high-risk customers, such as those with cash-intensive businesses. Finally, as customers increasingly come through digital channels, suspicious activities are harder to detect.
- Products and services. The extent to which a CFI offers certain products will affect their risk exposure. For example, whether it offers private banking and investment management services, or a wide range of online and mobile banking services, digital wallets and payment apps, prepaid debit cards, international wire transfers, and more, can all impact the CFI’s BSA/AML risk levels.
- Third parties. Third-party collaborations, be they foreign correspondent banking, payment processor accounts or any other, can create indirect risks if those institutions or vendors lack robust AML compliance protocols.
- Evolving regulation. Regulations have become increasingly complex over the years, with updates requiring timely adjustments to compliance programs. These increasing regulatory requirements can strain institutions with limited resources and personnel, increasing the likelihood that something is missed.
- Technology innovation. A double-edged sword, technology innovation can be exploited by bad actors for their increasingly sophisticated criminal activities, but it also offers tools CFIs can leverage to protect themselves. This change in technology, however, comes at a cost and can be a challenge in terms of resources and integration with legacy systems.
Mitigation Strategies
- Start from the top. Appoint a BSA/AML officer, ideally to the C-suite, and ensure the Board has full transparency on AML matters. The need for increased Board oversight is a common theme in enforcement actions.
- Strengthen customer due diligence processes. Collect and verify customer identification information at onboarding, create an ongoing periodic review process of your customers to ensure consistent knowledge of their profile and activity, and apply stricter monitoring and vetting processes for high-risk customers.
- Invest in automated monitoring tools. Leverage technology to detect unusual activity and employ analytics to uncover hidden patterns of suspicious behavior.
- Make training a priority. As threats continue to evolve, it is critical to engage in ongoing training of staff to recognize suspicious activities and report them promptly.
- Keep up to date. Collaborate with regulators and law enforcement to stay updated on emerging threats.
- Revisit plans regularly. AML risk assessment is not a one-off. As customers, service offerings, and product mixes change, CFIs should reevaluate their risk profile and adjust their control planning accordingly.
- Independent testing and monitoring. Ensure annual AML audits are robust and thorough, focusing on the five pillars. Also, create an internal monitoring and testing program to help identify issues and control weaknesses in real time.
Failing to comply with regulatory standards can lead to significant penalties, harm an institution's reputation, and erode customer trust, highlighting the critical need to prioritize BSA/AML compliance initiatives. However, compliance should not be a simple “tick box” exercise and should not come at the expense of customer service. CFIs should aim to strike a balance between meeting regulatory requirements and streamlining their processes, so they don’t get in the way of law-abiding customers. This aspect is also being closely watched by regulators.
