Bank of America (BoA) has been slapped with a Cease and Desist Order by the OCC requiring that it do better, and quickly. BoA has one of the best reputations and is perceived as one of the leaders in the industry in AML/CTF. Whilst rumours of pending regulatory action and of remedial action long underway at BoA have been circulating for some time, not least with the onboarding of significant additional resources, the OCC has now detailed its findings. Whilst the contents of the Order remind the Bank of what’s needed to comply with US BSA and Sanctions Compliance, the levels of remediation are extensive and relate to 3 areas called out for apparent deficiencies, though the improvements required will only be fully known and or appreciated (albeit privately) once reviews by the to-be-appointed (so-called) independent consultants into historic programme activity are carried out. The 3 areas aren’t discrete, as they cover i) TM and SAR filing, ii) CDD and iii) Other Programme issues, including Sanctions but pretty much everything else in an AML programme combined. In particular, according to the OCC:
1 – The Bank had a breakdown in P&P and processes to identify, evaluate and report suspicious activity, including the Bank’s systemic failure to ensure that its transaction monitoring systems had appropriate thresholds for determining when transaction alerts should trigger a case investigation; the Bank’s failure to ensure sufficient resources dedicated to case investigations, and non-compliance with the SAR filing requirements, resulting in violations.
2 – The Bank failed to make appropriate substantial progress towards correcting a deficiency related to the Bank’s CDD processes that was previously reported to the Bank by the OCC. The Bank is required to update its CDD programme by revising it and ensuring it is risk based and that risk ratings for customers include standard, elevated and high risk customers, with clear definitions. Whilst the OCC doesn’t identify the specific weaknesses identified and to be corrected, it includes areas that CDD programmes should cover, suggesting i) more CDD information is required in some cases, ii) that all accounts for customers need to be aggregated so that the risk is assessed at the customer level and not just at the account level, particularly so that high risk customers and their accounts can be identified and reports run and risks actively monitored for this important segment.
3 – The Bank engaged in unsafe or unsound practices related to its Sanctions compliance; BSA Compliance including risk assessment; internal controls; governance; TM and models; suspicious activity monitoring; investigation and reporting; due diligence; BSA Officer; staffing; internal audit; and training. Key findings and or actions include the need to revise and improve both annual AML and Sanctions Risk Assessments and to have annual assessments of the BSA Officer which include the leadership, knowledge, training, and skills of the BSA Officer and staff and the staffing levels for the function, prepared for management and reviewed by the new Compliance Committee (see below) annually. The Committee must also ensure BSA compliance responsibilities are clear and performance relevant for “senior managers and lines of business heads and independent contractors”. The breadth of the call out for improvements is extensive, affecting all 3 lines of defence, including specifics on the audit function and the appointment process of the BSA Officer (likely the most recent former BSA Officer).
Whilst there is no fine, the costs of remediation and the requirements will be challenging and expensive. Whilst wholesale business restrictions are not mandated, the Bank is reminded that new products and services and entry into new markets must be subject to a thorough AML risk review and mitigating controls be in place to address any risks before launch or entry. Restrictions have though been introduced, requiring pre approval from regulators with respect to “new product or service with high BSA or Sanctions Risks” or in cases of expansion “into a new market with high BSA or Sanctions risk”.
Essentially an Action Plan must be constructed quickly with results from the work of 3 appointed Independent consultants to look into TM validation, TM Look-back and NI Look-back (Negotiable Instruments). A new Bank Compliance Committee is to be established (likely to be already in place) to oversee the response and efforts.
A TM validation consultant is to review and report on the “effectiveness of the Bank’s TM systems”. The “TM Validation Consultant shall determine whether the corrective actions taken by the Bank are effective to address deficiencies identified in its TM systems, including determining whether the systems, roles, thresholds, filters and event scenarios are tailored to the Bank’s BSA risk profile and operations and provide for appropriate and effective identification of unusual or potentially suspicious activity, appropriate and effective investigations, and compliance within applicable laws and regulations”.
This would appear therefore to be the OCC’s definition of what effective TM looks like. This is an expansive definition and will allow the TM Validation Consultant not only to question whether the TM system was operating within expected parameters, but also whether those parameters were themselves appropriate. Whilst this may be appropriate to some degree, the OCC has provided the TM Validation Consultant with an opportunity not just to assess BoA compliance with applicable regulations but against other standards or better practices or third examples, which will inevitably be a consultant’s gold mine, being the highest industry standards/practices/examples or potential industry standards/practices/examples. Consultants don’t have this information or validated benchmarking data, though they won’t admit it. Pending the appointment of such consultants, other consultants will be helping BoA fix the TM weaknesses, so it’s definitely Xmas time all year for US AML consultants that get to work on this one.
The TM Validation Consultant is likely to want to re-review the Bank’s AML Risk Assessment, its conclusions and application, and to determine whether a risk appetite is reasonable, something it has no place or little expertise to review or come to a decision on. Risk appetite decisions, which can be high level and or quite specific and even process related, should not be second guessed unless they are in violation of laws and regulations, unless known to and or approved and or supported by supervisors, or are demonstrably unreasonable. This is not the only example in this Cease and Desist Order of post audit type obligations being given to independent consultants, obligations which consultants have traditionally shied away from. Consultants prefer to act, as described not flatteringly in Teddy Roosevelt’s “men in the ring”, as outsiders looking in and judging activity against a defined standard, and have to date been wary of being in the ring themselves making complex, difficult decisions where experience and judgement are required and where each case is different, though personal accountability is missing when judging after the fact. For more examples – see below.
A Look-back Consultant will also be appointed to carry out the TM SAR related look-back – looking for unreported suspicious activity as a result of the operation of the TM system. Based on the findings of the TM validation consultant, the TM look-back consultant shall determine [essentially SARs left behind] but also will be asked to judge “cases in which the Bank identified suspicious activity but failed to adequately support a decision not to file a SAR, and to review the quality and accuracy of previous SAR filings to determine whether corrections or amendments are necessary to ensure that the suspicious activity identified was accurately reported.”
A look-back is a standard US regulatory response, particularly where TM has been identified as having historical weaknesses. The arguments about the value of look-backs continue, and sceptics raise many valid criticisms of their use and value, but US regulators continue to use them, either because they believe that no SAR should be left behind, or as a penalty for perceived non-compliance, or both.
There are always going to be plenty of SARs left behind, whatever the AML programme looks like, if Banks are required to determine their own detection scenario environment and responses to AML risks. This system is though also likely to provide the best SARs too, and more than enough for FinCEN to handle, despite some SARs being left behind, but the quality and volume of SARs filed are not a consideration for regulators and will have no bearing on whether BoA had an effective TM or SAR operation. This is one of the fundamental weaknesses of the US and other supervisory systems, where effectiveness equates to compliance with technical requirements, which is a proxy for and not the same as combatting money laundering. This point has been made extensively to supervisors and policy makers since 2019, with no material change to the supervisory approach.
Another look-back is also required, focussed on Negotiable Instruments, with a NI look-back consultant to review historical Negotiable Instruments investigations and SAR filings, suggesting particular weaknesses in NI monitoring, probably related to coverage, were identified.

Additional Points to Clarify:
It would have been helpful to have more information in the Cease and Desist Order – for example:
- It is not clear if this relates to BoA’s US operations or also to those overseas. It should be assumed it’s global, as BoA runs a global programme and is subject to US laws and regulations that apply to its global operations.
- It is not clear over what period the alleged violations and or deficiencies have occurred and or the period for the look-backs, though it’s likely that some elements have longer historical periods, like TM and CDD, whilst others, like the appointment of the BSA Officer, are more recent.
- It is not clear how progressed BoA is already in its remediation, so as to have already closed the gaps identified, though with remediation advanced and ahead of consultants being appointed, the challenge will be in getting consultants to agree and validate what has been done.
- It is not clear who is responsible or accountable for these violations and or deficiencies and or whether any action is being taken against individuals, and there are no root causes identified suggesting whether this was a skills, a cost, or a complacency issue, but all 3 lines of defence plus board and senior management oversight will all inevitably feel responsible and could have done better.
- The role of the OCC and the results of its examination and or investigation are not clear, in particular when the CDD weaknesses previously highlighted by the OCC were identified, how long the Bank had been given to address these issues, and why they had not received the necessary Bank attention and or oversight to fix these in time, as the OCC allege.
Conclusion/Final Remarks
- It begs the question: if BoA can allegedly fail to comply with US BSA AML requirements to this extent across so many core AML and Sanctions programme elements, with on-site supervisors present, can anyone be compliant? Without any indication of any root causes, we are left to speculate, and this is unhelpful to the wider industry.
- Coming off the back of the largest AML fine and a criminal charge against TD Bank USA, the 10th largest US bank, and now this against the 2nd largest US Bank, does this say more about the state of US bank compliance or the approach from US regulators and enforcement? To be clear, there are no charges against BoA and no cited actual ML, unlike in the TD Bank Case. To note also, Citibank, which is the 3rd largest US Bank, is also subject to a continued Cease and Desist Order from the OCC dating back to 2020 related to deficiencies in enterprise-wide risk management, compliance risk management, data governance, and internal controls (2020 Order with a fine of $400 million), and it received a $75 million fine from the OCC in July 2024 & a $60.6m fine from the FED for failures to make sufficient progress in its remediation.
- If the 10th largest and the 2nd & 3rd largest US Banks have such large problems in combatting ML, should this be considered not just an issue for particular Banks but potentially a more systemic issue? Should third countries consider increasing the risk to high risk for US Banks they deal with, including for US correspondent banks, and increase due diligence and or scrutiny and or consider business restrictions? Whilst it’s unlikely such a reaction will occur, it would not be an entirely unreasonable one, as US regulators would expect US banks to consider, for example, these measures in case similar findings in third countries were made public.
- This order raises the question as to whether being compliant or non compliant is the same as being effective or not effective, though interpretations of effectiveness divide many in the industry and lie at the heart of the challenge to unify to achieve a common purpose.
PS: BoA was known to have been one of the pioneers in trying to improve effectiveness in TM through risk scoring and alert hibernation, which it was suggested could reduce false positives and increase the quality of alerts and SARs. What is not revealed is whether the OCC order is in part a result of this innovation, which could have increased efficiency and reduced staffing. Clearly other issues co-exist, but it would have been helpful for the OCC to make clear that such an approach in itself is not problematic but that the operation of such a system and or underinvestment and or a focus on keeping down false positives at perhaps the expense of effectiveness and or evolution of the TM programme may have warranted the intervention. If any of these latter issues are at play, then there is no challenge to the TM approach itself but only to the operation of the TM system and the expectations of regulators that apply to all TM operations. Otherwise innovations in TM in particular will be undermined, and moving from traditional approaches to new approaches will only be for the very courageous.
See: https://www.occ.treas.gov/news-issuances/news-releases/2024/nr-occ-2024-140.htm
credit: thefinancialcrimenews.com