Oftentimes, it may be easy to dismiss a report from a regulator with whom you have no dealings or a publication you may not have the time to get to. However, an understanding of the regulatory regime under which other financial institutions operate may provide your financial institution with insight into examination trends you may be subject to in the near future. In addition, learning how other institutions manage risk may point out areas within your own program you have overlooked. Recently, the Office of the Comptroller of the Currency (OCC) released a report that provides such guidance.
The 2018 OCC Semiannual Risk Perspective report from the National Risk Committee outlined a strong financial condition for the federal banking system (national banks and federal savings associations), with improvements from 2017 continuing through March 2018. Key risks to the industry remain and have only modestly changed over the past few years. Overall, the report outlines high operational risks to Bank Secrecy Act/Anti-Money Laundering (BSA/AML) compliance. The complexity of money laundering methods continues to pose a threat, and weaknesses in compliance programs present challenges to institutions in properly assessing and responding to risk. Third-party relationships also continue to demand the attention of those managing BSA/AML compliance.
While not all financial institutions are regulated by the OCC, this report is instructive in providing all financial institutions with foresight into upcoming regulatory inclinations and provides internal training opportunities for staff.
In the current banking environment, many financial institutions are using new delivery channels to make relationships with current customers and members more convenient and to reach new customers and members. While providing ease of access to products and services through technology, financial institutions also need to assess the risk that criminals may take advantage of vulnerabilities in these new technologies for their own nefarious gains. The OCC noted financial institutions often do not properly adjust risk assessments to reflect changes after the introduction of new products and services.
As the banking system grows more complicated, so too do the threats posed. On an almost daily basis the news features stories of new methods of social engineering and complicated phishing emails. The report pointed out that BSA/AML risk management systems are often underperforming against the evolving risks and changes in business models and regulatory requirements. This has led to the identification of deficiencies during exams and enforcement actions against regulated financial institutions.
Cyber threats and money laundering are not a new development, but the methodologies used are increasingly complex and difficult for many institutions to monitor against. Unauthorized access through malicious links leads to the threat of access to customer and member data, theft, and legal and reputational risks. As faster payments and new delivery channels such as mobile and online banking have become the norm, so has identity theft where institutions do not have procedures in place to ensure adequate security of account data or methods to deactivate access to accounts in the event of loss or theft of a device. In addition, if internal controls are not in place to properly monitor activity, a successful phishing scheme may rob customers and members of significant sums as otherwise suspicious activity appears reasonable over time.
Vendor management remains another key risk, especially for those institutions relying on an automated monitoring system or third-party agreements to complete Customer Identification Program (CIP) requirements. The largest risk factor in this realm is the difficulty in validating that systems are keeping transaction codes up to date and ensuring BSA/AML compliance with third-party relationships.
Interestingly, among the risk factors noted by the OCC are the complex and amended regulations being published by the government. The Beneficial Ownership/Customer Due Diligence regulation, the rescission of the Cole memo adding uncertainty to the provision of services to marijuana-related businesses, and changes to the Currency Transaction Report (CTR) and Suspicious Activity Report (SAR) forms have all become effective within the prior twelve months. These regulatory changes are specific to BSA/AML compliance and are in addition to lending and deposit compliance changes. As a result, the compliance management systems of many financial institutions are strained, and the implementation has required changes in management processes and has increased operational, compliance, and reputational risks.
The OCC report is frank in its assessment that some institutions have not adopted the necessary compliance risk management systems to deal with the changing banking environment. This may be due to resource constraints, the pace of regulatory changes, and BSA/AML risk assessments and written programs that are not properly updated to mirror the risk profile. Whatever the underlying reason, as new products or services are offered and there are changes to the customer or member base or geographic reach, it is important that the related risks are properly managed. Implementing the guidance in the OCC’s report is a good place to begin.
Responding to Guidance
Risk Assessment and Written Program
Updating the risk assessment is especially important. A comprehensive risk assessment provides the foundation for the BSA/AML program. As financial institutions offer new avenues of access for their customer or member base, compliance staff should focus their efforts on refining the BSA compliance program to address any weaknesses criminals may exploit. BSA/AML programs that do not keep pace with the risks posed to financial institutions can lead to enforcement actions by regulators and the courts and to a deterioration in public opinion. As indicated in the report, regulators expect financial institutions to be aware of all regulatory changes.
As financial institutions experiment with new products and services and new access to current offerings, the risks posed should be considered. Attentiveness to system updates and regular system maintenance are specifically recommended in the report. Internal controls should be strengthened by the implementation of multiple protective solutions to detect and deter fraud and outline compliance responsibilities. In addition, financial institutions need to consider their vendor management system within the context of BSA/AML internal controls. Financial institutions need to recognize the risk third-party service providers pose, especially where those third parties are relied upon to provide products or services, and respond with appropriate due diligence.
As is often noted, procedures are only as good as the people putting them into practice. Training staff on their responsibilities should be completed at least annually. However, as new risks are identified or products and services are added, those staff who will interact with the offerings need to be aware of the expectations placed on them by regulatory requirements and the BSA/AML program. Properly trained front-line staff are a first line of defense and oftentimes those most able to identify out-of-the-norm activity.
Overall, new technologies are presenting ways to assist customers and members while at the same time introducing new exploitable vulnerabilities. It is important to be aware of key risks, to know how to respond to the guidance received from a regulator, a consultant, or elsewhere, and to implement the necessary internal controls. Regardless of your primary regulator, resources such as the OCC guidance in the Semiannual Risk Perspective report provide your institution with an awareness of the impact regulatory changes have on the industry and on examiner expectations, and provide you with best practices that may serve your institution well.