Professional Documents
Culture Documents
Out
Out
by
Kimberly Silva
Utica College
December 2017
ProQuest 10688856
Published by ProQuest LLC (2017 ). Copyright of the Dissertation is held by the Author.
All rights reserved.
This work is protected against unauthorized copying under Title 17, United States Code
Microform Edition © ProQuest LLC.
ProQuest LLC.
789 East Eisenhower Parkway
P.O. Box 1346
Ann Arbor, MI 48106 - 1346
© Copyright 2017 by Kimberly Silva
ii
Abstract
Financial institutions are responsible for multiple financial crime related compliance activities
to almost every department of the financial institution (FI), making it complex to manage, and
AML compliance requirements in community banks are the same as in larger banks.
Proportionately, the costs of maintaining AML compliance can be greater than in their larger
counterparts. Community banks play a vital role in the health of the U.S. economy, and their
collective success is essential to a healthy financial system. The challenge for these smaller
The purpose of this research was to explore the specific challenges facing smaller FI’s,
and examine program changes and enhancements that could result in increased compliance
The outcome of the research is a recommendation to remediate, but not enhance, existing
iii
Acknowledgments
Thank you to Dr. Choo, and the faculty and staff at Utica College for an enlightening and
enjoyable two years. Thank you, and best wishes to my cohort colleagues, especially MJ Noe
and John Flynn, for your friendship and support. My sincere gratitude to attorney Stephen R.
Ucci for his gracious time and exceptional talents as my second reader. Most of all, much love
and appreciation to my wonderful sons, Benjamin and Jonathan, for their patience,
iv
Table of Contents
v
List of Illustrative Materials
Figure 1 – FinCEN Suspicious Activity Report, March 1, 2012 – December 31, 2016....14
Figure 2 – Typical week of a compliance officer in 2017 ................................................24
Figure 3 – Project Management Process............................................................................34
vi
Anti-Money Laundering and Counter Terrorism Financing Compliance Challenges in
Community Banks
regulatory requirements has proven to be an expensive, inefficient endeavor for the nation’s
community banks. The burden imposed by the Dodd-Frank Wall Street Reform and Consumer
Protection Act of 2010 (Dodd-Frank), has forced community banks to reduce product and service
offerings, and has increased bank consolidations. Budget constraints are influencing staffing
decisions, and increasing the regulatory risks that lead to penalties and fines. Potential changes in
the regulatory landscape, if implemented, will decrease current capital requirements, but not
impact AML/CTF compliance directly (Burnet, 2015). Technology advancements have the
potential to create efficiencies in AML/CTF monitoring, but are not readily available in the
marketplace (Bajpai, 2017). Community banks play an important role in the economy, servicing
a large portion of the country’s small businesses, and underwriting a significant portion of
The purpose of this research was to evaluate and discuss the challenges faced by
community banks in complying with AML/CTF regulations. The research begins by describing
where community banks fit within the United States banking system, followed by an overview of
the primary regulatory agencies charged with oversight and enforcement. A summary of
breadth and complexity of the program within financial institutions. Current proposals for
regulatory changes, and efforts to improve the efficiency of compliance monitoring software are
The research utilized included a U.S. Department of the Treasury report, trade group
proposals and statements, white papers produced by law firms and advisory firms, news articles,
1
and industry blog postings. The research encompassed a range of perspectives and
recommendations, including enhancing the data provided to the Financial Crimes Enforcement
Network (FinCEN) for analysis by law enforcement and intelligence professionals, and using
advancements in artificial intelligence (AI) to replace compliance staff. The intended benefactor
of this research is senior management and compliance leadership within community banks,
whose responsibilities include maintaining current AML/CTF compliance while positioning their
The U.S. banking system is classified into eight segments, segregated by size and
type. Regional and mid-sized banks represent approximately 31%, or $6.7 trillion, in assets.
Community banks and credit unions account for $2.7 in total assets. For simplicity throughout
the project, regional, mid-sized, and community banks will be referred to as community banks.
These community banks have a more simplified structure than the eight U.S. global
systematically important banks (G-SIB) banks that represent approximately 50% of total
depository assets. Overall representation of U.S. G-SIB’s has decreased from 58% in 2008,
highlighting the increasing impact of community banks on the U.S. economy. The capital ratios
of community banks are often equal to or higher than G-SIB institutions, and community banks
are structured to predominately provide depository services, consumer and business lending, and
The AML/CTF regulatory requirements of community banks are not scaled relative to the
size of the institution or the products and services it offers. “A recent survey released by the
American Bankers Association found that more than 46 percent of American small banks
surveyed said that due to regulatory compliance burdens, they had to reduce their product
2
offerings, including loan and deposit accounts. The survey also found that customer service had
suffered because of higher compliance costs, as community banks struggle to comply with fewer
staff and much smaller budgets (Trulio, 2015).” A 2017 Accenture report found that 89% of
financial services executives anticipate increasing compliance department expenses in the next
two years.
Low interest rates contribute to budget constraints, and as an operational cost center,
compliance staffing and budgets are often one of the first areas reduced. The recent financial
crisis weakened the financial strength of some community banks, further diverting funding of
compliance activities. Electronic banking innovations and new services create compliance risks
that are not being fully integrated into the AML/CTF program. As a result, although AML/CTF
compliance has not changed, the risk of compliance failures has increased (Macro, 2013).
There are five federal banking regulatory agencies that oversee AML/CTF
compliance in U.S. based financial institutions. The Board of Governors of the Federal Reserve
System (FRB) oversees state-chartered banks that are part of the Federal Reserve System, as well
as several types of holding companies. The Office of the Comptroller of the Currency (OCC)
regulates federally charted banks. Federally chartered banks contain the word National, or the
characters N.A., in their bank names. The Federal Deposit Insurance Company (FDIC) regulates
federally charted banks not overseen by the FRB. The Consumer Financial Protection Bureau
services and products. The National Credit Union Administration (NCUA) oversees federally
chartered credit unions (Protiviti, 2017). AML/CTF compliance in credit unions is not included
this research.
3
The Internal Revenue Service (IRS) provides oversight of nonprofit, governmental, and
other entities, like money service businesses (MSB), that are subject to oversight and regulation
pursuant to the Bank Secrecy Act (BSA), not covered by other federal regulatory agencies.
Agencies delegated authority over the securities market, broker-dealers, commodity futures, and
the options markets include the Securities and Exchange Commission (SEC), the Commodity
Futures Trading Commission (CFTC), and the Financial Industry Regulatory Authority
(FINRA), among others specific to housing, gaming, and other non-depository activity (Protiviti,
2017).
activities is conducted by the applicable government agency, and may include multiple agencies.
Within each agency, there are individual offices that have authority and jurisdiction over
specified areas of investigation. For example, the Financial Crimes Enforcement Network
(FinCEN), the Office of Foreign Assets Control (OFAC), the Office of Terrorism and Financial
Intelligence (TFI), and the Office of Terrorist Financing and Financial Crimes (TFFC), are all
Other Departments that may participate in AML/CTF investigations include (Treasury, 2015)
4
• U.S. Department of Energy (DOE)
The Federal Financial Institutions Examination Council (FFIEC) Bank Secrecy Act/Anti-
Money Laundering Examination Manual, last updated in 2014, is the guidance utilized by
financial institutions in complying with AML/CTF and OFAC requirements. The manual
outlines the standards, requirements, and expectations of a compliant AML program. It provides
guidance on risk management and the appropriate report forms. To ensure clarity and
consistency, the manual is also the framework for bank examiners (Protiviti, 2017).
Banking regulations in the United States exist to deter and detect money laundering and
terrorist financing activities within financial institutions. Information collected by banks provides
information to law enforcement officials and aids national security policies. The FFIEC exam
manual, which contains the procedures necessary to be compliant with requirements, has
numerous components. Programs and services that come under examination include (FFIEC,
2014)
5
• Payable through Accounts
• Pouch Activities
Governor Daniel Tarillo stated in a 2009 speech that over 75% of agricultural, and 50% of small
business loans originate from community banks (Lux, 2016). In his June 2017 report regarding
Executive Order 13772, U.S. Treasury Secretary Steven T. Mnuchin stated that compliance
burdens have contributed to the slow recovery of community banks. “Requirements of Dodd-
Frank are overseen by multiple regulatory agencies with shared or joint rule-making
responsibilities and overlapping mandates. This complicated oversight structure has raised the
cost of compliance for the depository sector, particularly for the mid-sized and community
financial institutions. The Treasury is recommending that community banks be exempted from
A February 2017 report compiled by The Clearing House, a trade group that advocates
regulatory, public policy, and legislative issues on behalf of large and G-SIB’s, is suggesting that
the burden for monitoring AML/CTF should largely rest with FinCEN. The report contends that
current AML/CTF programs are ineffective in reducing criminal activity, and suggests numerous
revisions for consideration and further study. The same report supports pending legislation
requiring the reporting of beneficial ownership at the time of incorporation, instead of the point
6
In its 2017 report, the Clearing House identified core problems with the existing
within financial institutions. The report contends that a primary driver of a financial institutions
compliance is motivated by reputation and compliance risk, rather than national security. As a
result, banks are de-risking perceived high risk accounts, pushing criminal transactions towards
developing and underserved countries and communities less equipped to monitor activity. The
report also states privacy rules and lack of centralization limit the quality of data and prevent
U.S. House Financial Services Committee Task Force to Investigate Terrorism Financing made
information flow between the banking industry and government agencies, and better leveraging
Subcommittee on Terrorism and Illicit Finance was created to assist in the efforts to end terrorist
financing. Enforcement is a continued focus by regulatory agencies like FinCEN and the OCC.
In 2016, failure to file accurate and timely Suspicious Activity Reports (SARs) resulted in
The specialized nature, high liability, and increasing demand for trained professionals has
driven up the cost of recruiting and retaining staff on stagnant or decreasing budgets. Jack Kelly
of Compliance Search Group in New York stated in a 2014 Thomson Reuters article that,
“Hiring has gone up across the board…from senior level to junior level and everything in
between.” In April 2017, a regulation proposed by the New York Department of Financial
Services took effect requiring compliance officers to certify that the financial institution
7
maintains a functional transaction monitoring system. Modeled after portions of Sarbanes-Oxley,
the legislation includes adherence to OFAC requirements as well as AML/CTF compliance, and
allows for criminal penalties if the certification is intentionally incorrect or false. While the
federal government does not impose the same regulations, the Justice Department is increasing
its efforts against corporate misconduct by seeking to hold seeking to hold executives and
compliance officers accountable. A federal district court upheld the independent liability of
compliance professionals and CEO’s for failure to monitor compliance conduct, and willfully
As with other areas of technology, programs become outdated quickly, different versions of the
same software may no longer be compatible, and not all vendor programs can be bridged and
merged. The result is legacy software that is not integrated across the enterprise, increasing both
the cost of information technology, and the risk of not identifying transactions that should be
reported. Storing data is less expensive than migrating and integrating it, which may result in a
decision not to move it to a new platform. Assimilating accumulated data becomes an expensive
and complex project requiring skilled personnel, scope planning, reviewing, cleaning, and
verifying the information. Even with modern migration tools, data sometimes cannot be merged
on relevant information to gather and report on cyber-events and cyber-enabled crimes. The
The merging of cybersecurity and AML/CTF compliance efforts is a new approach that
8
regulators are advocating. Previously, compliance activities in these two areas have been
A 2017 report by Boston Consulting Group states that regulatory changes that financial
institutions track has tripled to an average of 200 per day since 2011 (Bajpai, 2017). Advances in
transactions without human error, ethical considerations, or emotion. IBM’s Watson has the
potential to cross check fields of data, customer files, and transactions, reducing time and labor
now spent finding potential compliance concerns. As with other technologies, the software is
only as reliable and accurate as its programming and utilization by humans. Compliance will
9
Literature Review
In order for community banks to develop compliance programs that provide relevant,
quality data in the fight against financial crime, a thorough understanding of FinCEN, the
Department of the Treasury. The Bank Secrecy Act (BSA) is the nation’s most comprehensive
Federal anti-money laundering and counter-terrorism statute. The Treasury Department has
delegated the implementation, oversight, and enforcement of the BSA to FinCEN. Congress
authorizes FinCEN to share information with other local, state, federal, and international
agencies. The mission of FinCEN is to safeguard the financial system and the country’s national
security by protecting it from money laundering and other illicit activity. In addition to issuing,
interpreting, and enforcing regulations, FinCEN collects, processes, and protects the information
it receives from community banks and other organizations. There are eighty SAR review teams
across the country, coordinated through the U.S. Attorney’s offices in the U.S. Department of
Justice (DOJ). Distributed by geographical jurisdictions, the teams review all SARs received.
The information is accessible by law enforcement agencies across the government, and is shared
with foreign financial intelligence units and international AML/CTF counterparts. FinCEN
serves as the financial intelligence unit for the United States within the global community.
FinCEN’s database is one of the largest repositories of information that is available to domestic
law enforcement. FinCEN collects both the SAR and the CTR reports that community banks file.
A currency transaction report (CTR), FinCEN Form 112, is filed with FinCEN when a
currency transaction of more than ten thousand dollars is processed through a financial
institution. For CTR purposes, currency is defined as the coin or paper legal tender of the country
10
of issuance. A Suspicious Activity Report (SAR), FinCEN Form 111, is filed when suspicious
activity, or potential suspicious activity, is detected. The SAR has five sections; subject
information, information about the dates and type of suspicious activity, information about the
financial institution reporting the activity, and a narrative of the suspicious activity (FinCEN).
In July 2016, FinCEN began requiring financial institutions to identify and verify the
beneficial owners of legal entity customers, with an applicability date of May 11, 2018.
Beneficial owners are the individuals who own or control the legal entity customers of a
financial institution (FinCEN). The Office of the Federal Register, which is the daily journal of
the United States Government, reports that FinCEN published Regulatory Impact Assessment 80
FR 80308 in December 2015 citing annualized quantified costs from the beneficial ownership
requirement between $148 and $287 million (Federal Register, page 29398).
Artificial Intelligence (AI) is a form of machine learning where the machine has the
ability to refine and improve its performance on a given task without exact directions on how to
accomplish it. With AI, the software learns by its own examples, rather than being programmed
for a specific purpose. Supervised machine learning systems are trained with examples, and the
more data and examples it encounters, the more accurate the outcomes are. The outputs from the
analysis serve as a feedback loop for the software, allowing it to refine its algorithms, and is
referred to as learning. AI uses behavior based analytics instead of rules based searches and is
now being utilized to aid in the fight against financial crime. AI can reduce staffing costs in
financial institutions, and increase the quality of data being provided to law enforcement
(Brynjolfsson, 2017).
11
Unlike humans, an AI enabled AML program automatically and continually mines data
for trends, abnormalities, and relationships. It adapts its environment as it receives feedback,
learning and changing to reach better conclusions. Artificial intelligence can monitor large
volumes of non-linear data and numerous variables, uncovering sophisticated schemes. Unlike
manual systems, which operate independent of each other, multiple sources could be scanned as
a singular data set, increasing the probability of uncovering matches. Unstructured data and
information from external sources could potentially be pooled with existing data, providing a
depth of insight and analysis not available under current AML scanning programs (Brynjolfsson,
2017).
and requirements. The intuitive power of AI could create additional risk and identity related
questions based on customer responses. In addition to verifying the true identity of the new
customer, an AML system driven by AI could detect links to other parties including ultimate
beneficial owners, PEPs, and sanctioned entities. The KYC file can be transformed into a
comprehensive view of the customer that more easily red flags questionable transactions
(Brynjolfsson, 2017).
When conducting name search matches, current systems look for common alternatives
based on the existing rules based system. Linguistic matches are limited to the linear
search capability, achieving the objectives of law enforcement. Current systems do not
incorporate other customer information that may aid transaction monitoring. Benford’s analysis,
indicators of encrypted messages, and duplicate invoices are all examples of information that is
analyzed and added to the customer profile. Systems that learn and adapt as methods and tools of
12
conducting unlawful behavior evolves will more accurately uncover information valuable to law
A powerful benefit of AI for the AML compliance programs of community banks is the
reduction in false positives. Current suspicious activity monitoring methods require human
analysts to look at every transaction prompted by the systems rule based system. Individuals and
organizations perpetrating financial crimes use complex placement and layering tactics to evade
rules-based monitoring. Artificial Intelligence can more easily identify connections across
customers, product lines, and business services. It can also search additional data fields like
telephone numbers, geographical identifiers, and IP addresses to improve the quality of the
outcomes. When the quality of suspicious activity alerts improves, reducing false positives, it
reduces staffing needs within the bank, and allows for a higher quality of analysis. In its March
2017 SAR Stats Technical Bulletin, FinCEN reported that in excess of 958,000 suspicious
activity reports were filed in 2016 by depository institutions. As David McLaughlin, CEO and
founder of QuantaVerse writes in a recent post for the Association of Certified Financial Crime
Specialists, “To conduct such analysis, AI systems utilize agents which are highly specialized
algorithms responsible for collecting and interpreting data, modeling behaviors, detecting
anomalies, inferring relationships, and identifying issues.” David also comments that AI allows
13
Global fight on financial crime
Criminals, including terrorists, human and arms traffickers, drug dealers, and organized
criminals, use the banking system to disguise the origin of their funds and to give it the
appearance of legally gained assets. Money laundering techniques have become increasingly
sophisticated, but typically have three stages; placement, layering, and integration. The United
States Department of State defines these stages by the following definition: Placement – the
proves of placing, through deposits, wire transfers, or other means, unlawful proceeds into
financial institutions; Layering - the process of separating the proceeds of criminal activity from
14
their origin through the use of layers of complex financial transactions, and Integration – the
process of using an apparently legitimate transaction to disguise the illicit proceeds. Advances in
technology and globalization of the financial services sector has made money laundering an
increasingly global threat. Money laundering impacts national security, equitable commerce, the
integrity of the financial system (Department of State). The Financial Action Task Force (FATF)
cites a report by the United Nations Office on Drugs and Crime estimating that in 2009, money
laundered as a result of proceeds from drug trafficking and organized crime was 2.7% of global
gross domestic product (GDP). U.S. currency is a commonly held currency globally because it is
anonymous, often easier to exchange for local currency, and where political and economic
Technavio, a leading market research company with global coverage, published a research report
entitled, Global Anti Money Laundering Software Market 2016-2020. The report, which
analyzes emerging trends and leading third party vendors, made the following statements on the
status of AML software: “The deployment of AML software is an expensive process, as it has
defining requirements and its implementation takes a long time. This increases the criticality of
the process because once the deployment begins, it becomes very costly to make any
and extra time and money to ensure data integration and data quality. Most AML
software vendors charge additional fees for software updates, which include improved
technical support if they have not purchased the latest version”. A lack of cross-functional
collaboration within organizations dilutes the ability to achieve business goals, and decreases
15
valuable operational insight. The report cites the financial and banking sector as the major end-
users of AML software due to the high regulatory scrutiny and responsibility. It also lists
community banks among the most vulnerable to money laundering and financial crime risk
(Technavio, 2016).
Blockchain technology
individual digitally timestamped data and transactions, put together in blocks, also timestamped
(IOSCO, 2017)). “A research report from Goldman Sacks offers a concise summary,
explaining the core concept of how the consensus mechanism functions on a blockchain:
copies of this database are replicated across multiple locations and computers
2) This database is made of “a chain of blocks”, with each block containing data
such as the details of the transaction – the seller, the buyer, the price, the contract
3) The transaction detail contained in each block is validated by all nodes in the
(IOSCO, 2017)
In a 2017 article for Medium.com, Chami Akmeemana, the Fintech advisor for the
16
financial institutions. “All transactions are documented immutably on the distributed ledger
providing a comprehensive, secure, precise, irreversible, and permanent financial audit trail.”
Akmeemana goes to on describe the cost savings to financial institutions, and the benefits to law
enforcement. As part of their AML regulatory compliance requirements, banks must perform
KYC searches for all new accounts. Over time, if client data relevant to KYC searches is secured
on the blockchain, banks would be able to utilize one verified source to fulfill the AML
requirement. The indelible records on the blockchain can be monitored and overseen by
A bank’s customer information, including KYC and other relevant AML documents, are
usually stored in multiple, fragmented systems. Sharing client information within the individual
institution, and among other financial institutions can reduce the time and cost of onboarding
new customers. The indelible nature of blockchain allows for increased transaction transparency.
Storing transactions on the blockchain allows regulators, law enforcement, and examiners access
On October 12, 2017, the Exchange Commission Investor Advisory Committee of the
Securities and Exchange Commission held a meeting that included a discussion on the impact of
blockchain and other distributed ledger technologies on the securities markets. Jeff Bandman,
the former Commodity Futures Trading Commission (CFTC) FinTech advisor, presented a
future scenario where regulators would oversee activities instead of entities. On September 12,
2016, the House of Representatives passed H.Res.835 – 114 Congress (2015-2016) “Whereas
th
blockchain technology with the appropriate protections has the fundamentally change the manner
in which trust and security are established in online transactions through various potential
17
applications in sectors including financial services, payments, health care, energy, property
In January 2017, FINRA joined the blockchain dialogue with its Report on Distributed
Ledger Technology. Among its comments is that the level of transparency on the blockchain is
only as clear as the information made available. Similar to the IOSCO report, FINRA recognizes
the need to safeguard proprietary information and personally identifiable information (PII). The
report also points out that private networks have the potential to keep transactional and strategic
AML Compliance
In banks of any size, sound and effective compliance is mandatory. The Society of Corporate
Compliance and Ethics defines compliance management as, “a complex responsibility requiring
measurement and reporting against a dynamic and seemingly endless array of rules, agreements,
standards, regulations, and legislations.” The primary guidance for AML compliance is the Bank
Secrecy Act (BSA), including amendments by the USA PATRIOT Act. Financial institutions
subject to the BSA must create, institute, and maintain AML programs designed to reasonably
deter money laundering and terrorist financing. A financial institutions BSA/AML compliance
program outlined in the FFIEC manual must meet the following minimum requirements:
• Designation of a BSA compliance officer responsible for managing the BSA compliance
program
18
Although not one of the four BSA/AML program pillars, A Customer Identification Program
Internal controls look at the various AML risks that exist within each business line and
function of the bank. As the risk profile of the bank changes, the internal controls are adjusted.
structure, complexity and sophistication of the internal control program should be commensurate
to the size, risks, and complexity of the bank. The policies, procedures, and processes, which
dictate the controls, monitoring systems, and reporting of the BSA/AML program are risk-
based. Independent testing is conducted through the audit function. Auditors can be internal or
external to the bank. Many banks maintain both an internal audit team, and an outside audit firm.
AML compliance is one of the few functions within a bank that is applicable to every section of
the enterprise. Traditionally, audits were risk based and used samples because it would be cost
prohibitive to test every transaction and procedure. Better technology and an increased use of
data analytics have increased the scope that an audit can cover, resulting in more accurate
findings. Audits begin with written documentation of the scope of the engagement, procedures
performed, testing conducted, and a report of findings. Included with the audit are all relevant
The Board of Directors is responsible for ensuring that the bank has a qualified,
competent BSA Compliance Officer. The BSA Compliance Officer must understand all the
financial institutions products and services, customer demographics, potential money laundering
and terrorist financing risks, as well as the BSA regulatory requirements. To accomplish the
tasks designated to the BSA Compliance Officer, the Board of Directors must ensure that the
department is adequately staffed and funded, that the BSA Compliance Officer has requisite
authority and directly reports to the Board of Directors, or a designed committee of the board.
19
Training specific to the responsibilities of the job function must be provided on an ongoing basis
and include new developments and changes to the BSA and related regulations. Banks must fully
document their training program. Training materials, dates and content of training, and
attendance are all required to be documented and available to regulatory examiners (FFIEC).
Regulatory landscape
In 2016, the law firm Wilmer Cutler Pickering Hale and Dorr LLP, special counsel to
The Clearing House, prepared written suggestions from industry experts on improving the
framework of the current AML/CTF regulatory system. Among the participants were law
enforcement experts, national security, regulatory, and domestic policy officials, as well as
fintech CEO’s and AML/CTF leadership from major financial institutions. Their position is that
the largest banks collectively spend billions of dollars annually to deter, detect, investigate, and
report financial crime and provide less than optimal results to aid law enforcement efforts. They
posit that reallocating the financial resources invested would potentially provide significant
increases to intelligence and enforcement agencies, and refocus dollars to the nation’s efforts of
In defense of their argument, the group listed the following partial list as core problems
• Lack of priority: Bank examiners are the primary compliance auditors, leading banks to
prioritize adherence to policies and procedures over results. It proposes that FinCEN
assemble an examination team for the largest financial institutions, relieving current
examination authorities of the task. The FinCEN examination team would create a more
cooperative relationship between the applicable banks and law enforcement, establishing
trust and embracing innovation. The centralized FinCEN examination team would be
20
funded through appropriation or assessments to the banks. A multi-agency advisory
group associated with the examination team would serve as a conduit to the existing
directly reported. Financial institutions would access and rely on the central database
• FIU roles: The Financial Intelligence Units (FIU) teams within banks are often staffed
with experienced former law enforcement officials. The constraints of the current
framework diminish the value they can provide to law enforcement. Additional latitude
to would give FIUs the latitude to address immediate threats and better assist law
enforcement.
• Primary purpose; compliance and enforcement are causing banks to de-risk, which runs
• Outdated SAR: The content of the current SAR should be evaluated for relevance and
usefulness. Technical resources exist to more accurately and fully analyze financial data
and suspicious activity. Inclusion of additional data can be mined in conjunction with
innovation that could lead to better quality information for law enforcement.
information.
21
• Information sharing barriers; the current system prevents information sharing of criminal
activity that is conducted across diverse geographical areas and financial institutions.
The suggestion was that the use of the 314(b) safe harbor, which allows information
Staffing
degree, many financial institutions prefer candidates with one of a number of professional
There are numerous certifications that provide expertise in AML. An internet search of job
descriptions posted by the top ten U.S. financial institutions yielded the following as most sought
after certifications:
22
Each of them requires study materials, an examination, and continuing education to maintain the
certification. Industry practice is to pay a portion or the full cost of achieving and maintaining
For the eighth year, in early 2017 Thomson Reuters conducted a global survey on the cost
of compliance and the anticipated challenges for the upcoming year. A notable trend is that
budgets, staffing size, and salaries for senior compliance positions has either flattened, or grown
at a slower rate. In the report, Ed Sibley of the Central Bank of Ireland writes, “In the context of
looming fintech disruption, we may be in an era of “peak compliance officer”; this the
automation of aspects of compliance (such as know your customer (KYC) and regulatory
reporting) will result in threats to compliance officers’ jobs…..We need to be alive to the
disruptions that are coming, to be flexible and adaptive and recognize that successful
implementation of new technologies can drive significant efficiencies and greater robustness.”
The Thomson Reuters reports cites that 15% of a compliance officer’s typical week is
spend analyzing regulatory developments. “Other compliance tasks” taking up 68% of time,
The report indicates that Brexit, the Trump presidency, and impending EU reforms have
made a period of expected calm uncertain again. Compliance officers can expect a pause in
23
compliance function automation is greater board involvement and awareness. For both
compliance teams and boards, the volume and pace of regulatory change, and more intense
Enforcement Actions
On February 16, 2017, FinCEN imposed a $7 million civil penalty against Merchants
Bank of California, N.A. for violations pursuant to the BSA. The violations outlined by FinCEN
were:
• Internal controls that did not meet the level of complexity and risk of the bank
• Failure to ensure the BSA Officer had sufficient independence and authority
24
The enforcement action states that bank leadership impeded investigation of suspicious activity,
and threatened employees with dismissal. Merchants did not have an appropriate due diligence
program for its high-risk money service business (MSB) customers, foreign correspondent
accounts, or internal controls for its remote deposit capture services. The bank failed to ensure an
independent audit commensurate with its risk profile. For a period of nine months, Merchants
had no BSA officer on staff, and delegated the responsibilities to business development
executives. Training of employees was not tailored to the specific responsibilities of the staff,
which FinCEN states led to a failure to identify suspicious activity. The gaps in Merchant Banks
AML compliance program resulted in billions of dollars of suspicious activity not being
independent community bank in Pharr, Texas, for violations of the Bank Secrecy Act. dispelling
questions about whether small banks receive AML regulatory compliance scrutiny. Lone Star
National Bank (Lone Star) failed to comply with section 312 of the USA PATRIOT ACT, which
details due diligence requirements in correspondent banking relationships. “Lone Star plainly
failed to ask obvious due diligence questions in connection with its foreign bank account
relationship, and did not follow up on inconsistencies in answers to the questions that it did ask,”
said FinCEN Acting Director Jamal El-Hindi”. “Smaller banks, just like the bigger ones, need to
fully understand and follow the 312 due diligence requirements if they open up accounts for
foreign banks. The risks can indeed be managed, but not if they are ignored.” FinCEN
specifically points out that the size of an institution is irrelevant in assessing compliance with the
BSA. The action further evidences the U.S. governments continued aggressive enforcement of
AML and other financial crime laws, reiterating the sentiments of the U.S. Treasury Department
25
in February 2017. There is no indication that rollbacks of Dodd-Frank will lessen enforcement of
AML/CTF regulations.
26
Discussion of Findings
In recent years, the challenge of combating financial crime has grown substantially. A
more technologically connected global economy has opened doors to conducting business in
high risk geographies, and given criminals more methods of disguising their ill-gotten gains and
funneling money to all corners of the world. Financial institutions are tasked with mitigating
risks within their institutions and complying with continually revised and expanded regulations
investing more money into parameter-based transaction monitoring systems, and adding internal
controls. These responses have largely been reactive and piecemeal; resources are deployed to
the weakest areas, with new vulnerabilities presenting themselves in different areas of the
organization, and the cycle repeating itself without strategic intent. The outcome is a poorly
designed and functioning AML compliance department that adds risk and cost to the bank, and
overlaying resources to whichever vulnerability has the most risk at a point-in-time adds to the
cost of compliance.
Compounding the challenges community banks face are the unknowable changes in
regulations and technology. It can be said with confidence that criminals will continue their
efforts of exploiting the financial system to aid their illicit activities. It is also safe to presume
that the United States and the global community will remain steadfast in their commitment to
fighting these crimes. However, if FinCEN alters the reporting structure for SARs or CTRs, or
changes the information it gathers, it will change the technology, staffing, and liability structure
of the banks. Likewise, if technology becomes robust and reliable enough to take over tasks now
27
done by humans, the community banks will need to allocate their compliance dollars differently.
Given that technology, staff, and regulations comprise almost the totality of an AML compliance
program, remediating and streamlining programs, and preparing for the future becomes more
onerous.
Compliance
community banks to set aside working capital, and to divert funds to revenue generating
activities and away from AML compliance efforts. Regulations that continue to increase in
volume and complexity create additional current expenditures in staffing and technology that
may not be useful long enough to cover the cost of onboarding. Banks are not strategically
managing and refining their AML compliance programs, resulting in patchwork style programs
that are less effective and don’t use resources efficiently. The June 2017 Treasury report that
recommends exempting community banks from the risk-based capital regime implementing the
Basel III standards would be a welcome relief, but there is no assurance that liberated funds will
Technology
Rapid advances in technology might work against community banks in the near term. If
the bank does not keep pace with the convenience based products of their competitors, they risk
losing customers. When they do add programs and services, they must create and implement the
related policies and procedures, training, controls, testing, and software. Onboarding of new
programs includes conducting a risk assessment of the service or product, and creation of AML
controls and protocols that match the level of risk. This process can be lengthy and should be
launch new
28
products and services more rapidly than ever, including through new platforms like mobile
AML compliance technology is not optional, even for the smallest community banks.
Banks that purchase basic compliance programs need to employ experienced staff to compensate
for the lack of intuitive features. More sophisticated systems are costly, and require educated and
experienced staff to maximize its features. To maintain the working order of the software,
systems often leads to a jump in false positive reports until the calibration of the system is
corrected. Too many reports or too few reports expose the financial institution to additional
unnecessary cost, to regulatory sanctions, and fails to meet the original objective of identifying
potential financial crime. Banks who have merged, or acquired other banks to achieve economies
of scale, partially due to the cost of compliance, bring with them legacy systems that are not
integrated with the existing systems. Systems that do not bridge information limit the ability to
automate processes like transaction monitoring and due diligence where the cost of staffing
could be offset. Software vendors frequently market programs as a panacea for the industry’s
woes. They are less forthcoming about the multitude of hurdles that often accompany new
technology.
New technologies like artificial intelligence and digital ledger technology represent both
a challenge and an opportunity. The probability that these disruptive technologies will become
mainstream is certain. The uncertain question is how quickly they become a cost effective
investment for community banks. Larger institutions with more financial resources
29
have already started implementing both AI and DLT into their AML programs. These banks
have the ability to run new and old AML technologies concurrently, and absorb the expensive
learning curve and adjustments that are inherent in adopting new technology.
New technologies often take time to deliver a return on the investment. Similar to new
products and services, new technologies that increase the ease, speed, and accuracy of
transactions are an essential investment to remain competitive but increase costs and operational
challenges in the short term. Incorporating new technologies brings additional costs, challenges,
etc when data needs to be transitioned from one platform to another. Despite technological
advances, legacy systems often do not bridge well with new programs. Additional costs need to
be budgeted for transition experts to ensure that the data is moved completely and accurately.
New technology also requires retraining of staff, along with updating of policies, procedures and
processes. Integration of AI will substantially alter the effectiveness of data analysis and reduce
the manual labor involved, but will require investments of time, capital, and effort to master to a
One of the considerations when examining the use and impact of new technologies is that
they are presented in a stand-alone manner. The potential of AI is tremendous and its potential
applications are limitless. However, a community bank needs to complete many steps before it
becomes an asset to the AML department. What tasks is AI best used for? Who is responsible for
designing and implementation? The IT department may need to contract an external consultant to
install the software. That consultant would need to work closely with the BSA officer and AML
staff to assure that the AI is delivering the expected output. The output needs to be monitored,
adjusted, and tested to provide affirmation that the output is accurate and complete. Both
technology and AML staff need to fully understand how the AI works. If the community bank
30
makes any changes to products, services, or risk tolerance, the AI needs to be altered to account
for the changes. So, although AI, or any other technology, like blockchain, holds the promise of
greater productivity and information, it is still linked to the humans who manage it, and the other
Staffing
The skills AML staff needs are evolving with the advances in technology. As criminals
discover new ways to circumvent existing deterrents in the financial system, staff need updated
education and tools to detect threats. The roles of AML staff will change in the future as well.
Analysts and investigators will move from monitoring the transactions within in the bank to
monitoring the software and AI that the bank uses. If technology can mine data and transactions
more thoroughly, it will change the information that gets sent to FinCEN. It is not known where
the balance of data mining and information analysis will be between banks and FinCEN in the
future. If technology replaces some of the tasks currently completed by humans, job functions
may be consolidated, necessitating retraining and additional training. AML staff need to
intimately understand how new products and services work on the various platforms available.
Conveniences like remote deposit capture were not available twenty years ago. Financial
institutions like Merchants Bank in California neglected to address the risks of remote deposit
Enforcement
With the changing of government administrations and political parties come different
perspectives about regulations that directly and indirectly impact AML compliance. Changes in
capital requirements for community banks will alleviate some of the financial pressure smaller
institutions currently. This may result in funds being allocated to increase compliance. The funds
31
may be allocated towards new programs, services, locations, or technology. Each of those
changes has an impact on AML compliance. Each requires the AML department to look at
policies, procedures, risk, staffing and technology. Any rollback of regulations designed to
stimulate business activity and investment introduces new risks that have to be addressed by the
AML compliance team. Changes in tax law to create incentives for companies to domicile in the
United States change the money flowing through financial institutions. Immigration law, social
unrest, health care policy; they all impact the attitudes and behavior of financial institution
customers.
What does not change is the commitment to fight global financial crime, terrorist
financing, and money laundering. There are no policy changes, political parties, or business
incentives that alter the desire to protect our nation from those that wish to do us harm; it is a
bipartisan agreement. Within sixty days of assuming office, the current administration clearly
articulated its intent to maintain and strengthen current AML related rules. It may consider
alternative ways to combat financial crime, but it will not loosen regulations to achieve
administrative objectives. As a result, community banks must maintain robust programs that are
32
Recommendations and Conclusions
The only certainty in AML compliance is that given the pace of technology in an
increasingly global economy, community banks need to evolve in order to thrive. There is no
singular solution to improving AML compliance within community banks. Inefficiencies and
redundancies, understaffing and compliance gaps, outdated or segmented technology, and lack of
support and resources are among the challenges currently facing community banks. The future
holds the promise of technologies that reduce long term costs and mitigate risk. The unknown
variables are how quickly new technologies come to market with the features and functionality
that community banks need, and if the price point will be cost prohibitive. How can smaller
financial institutions remediate or maintain existing programs, streamlining where possible, and
take a proactive approach to a future that cannot reliably predict when products will be available,
what capacities they will offer, and how much the capital investments will be?
Today’s society has become accustomed to easily identifiable answers, and readily
available solutions. One of the reasons community banks are in their current predicament of
patchwork systems and processes, and programs is because of their reactive approach to changes
in AML compliance. Reactive management strategies are almost always more expensive, yield
subpar performance, and are ill equipped to navigate unexpected circumstances. The
recommended course of action for community banks is a phased in, multi-step and fluid process
that maintains current AML compliance programs, and creates responsive, flexible, proactive
departments able to meet the approaching changes in technology. This requires thoughtful
33
Objective
The literature and findings in this report describe how community banks play a vital role
in the nation’s economy. The burden of compliance costs and requirements have hindered these
banks in two significant ways. Existing products and services have been downsized, and new
offerings have been delayed. AML compliance risk has increased because of failure to maintain
adequate program, exposing the banks to financial penalties and reputation risk. A rapidly
advancing leap in technology presents both opportunity and challenges. Enforcement actions
demonstrate that the size of a bank is irrelevant in assessing whether the institution has an
adequate AML compliance program. The objective is for community banks to remediate
deficiencies in their existing programs, and concurrently prepare for significant changes of
Process
The specific steps in achieving the stated objective begin with a comprehensive
assessment of the current AML program. There are numerous important components to this
portion of the process, and the results inform the resources needed to prepare for the future. The
assessment is followed by a plan of work to correct current weaknesses within AML compliance.
A survey of the competitive and anticipated regulatory landscape of AML compliance creates a
framework that is ideally developed as the corrective plan of work in implemented. Here too,
there are multiple possibilities to consider, and a forecast with ‘what if’ and ‘if then’ scenarios
essential for examination and integration of changes in the regulatory and technology landscape
to be an iterative process.
34
An experienced, dedicated project manager should be designated, and be the central point
of contact (POC). The POC manages the transition process, coordinates tasks, sets priorities, and
spearheads communication with stakeholders. The POC is a trusted, objective broker in the
transition process. Sharing responsibilities and a group effort strategy does not work in
restructuring projects. The POC can be internal or external to the organization. If the POC is
internal, sufficient time must be allocated and dedicated to the process. Often internal staff carry
a full work load and are not specialists in both project management and AML compliance. The
involvement of an external consultant is limited to the project, and ends once the objectives have
been met and the internal staff are properly trained. The transformation will be incremental and
last over a period of years, so a permanent part-time or long-term contract engagement would be
a cost-effective solution. This point of contact (POC) is educated about the future of AML
compliance, and intimately understands the bank, its clients, and its culture. The POC will
inform and educate the board, and craft the transition process.
Understanding by senior leadership and the board of the dynamic, evolving nature of
35
https://image.slidesharecdn.com/projectmanagementprocess-140202232043-
phpapp01/95/project-management-training-in-indonesia-project-management-process-10-
638.jpg?cb=1391741398
In his book on enterprise risk management, James Lam reminds us of the business adage
that you cannot manage what you cannot measure. He adds to that, stating, “you cannot measure
what you cannot define”. A comprehensive assessment of the AML compliance program looks
at wide swath of areas including staffing hierarchy and roles, department structure and
evolution, internal processes and policies, communication, equipment, internal review protocols,
risk
36
tolerance and risk management strategies, internal audit findings, board engagement, ethical tone
and corporate culture, and training. It provides an inventory and risk profile of the existing
program, and reveal redundant and unproductive program elements. Each area examined
represents an essential role in the success of the department so an accurate assessment of their
competence is needed to form the foundation of next steps. The template for correcting
deficiencies and addressing vulnerabilities in the compliance program begins with a remediation
communication plan. It is a project within the overall project. Execution of this stage will have
Landscape
The next step is to examine the competitive and regulatory landscape. The needs
of the individual community bank will differ by geography, client base, size of the institution,
and competition. The urgency of refining and transforming the compliance program will partially
depend on the status of neighboring banks. A rural bank with limited competition can have a
different strategy than a community bank in a condensed, competitive market in the Northeast.
Understanding the strategic goals of the community bank will allow the POC to design an AML
program that aligns with the future. A bank that intends to grow its commercial real estate
programs and engage in foreign correspondent banking will face more regulatory risk than one
that relies on local depository accounts. It is important for the POC and the Chief Compliance
Officer to be included in the strategic discussions of the community bank. Their input informs
decisions around staffing, capital investments, risks to the institution, and budget. Best practices
in AML compliance require the compliance program to be independent, adequately funded, and
have the necessary authority to carry out its function. Direct participation will strengthen the
37
boards understanding that management of AML compliance will include uncertainty and point of
time response.
Program evolution
Community banks need to embrace the future and lay the groundwork for its arrival.
within the bank. As this report has shown, technology does not integrate quickly, easily, or
developers. However, it often does not work as seamlessly when bridged to existing programs. It
takes extensive research, time, and planning to avoid unnecessary errors. The Chief BSA officer
should begin looking at potential changes in regulations, technology, services, and business
opportunities with an eye towards its alignment with bank objectives. The Chief BSA officer
should engage in conversation with senior leadership and the board to discuss how various
decisions and directions impact AML compliance. This will help avoid costly, reactive decisions
born from a lack of planning, and mitigate compliance risk. Industry conferences, vendor
webinars, and trade organization white papers are all good starting points in acquiring new
knowledge. Eliminating solutions that don’t align with the banks goals will narrow the field of
information that needs to be researched. Each potential solution should be viewed from the lens
of how it would operate within the bank, either in conjunction with, or as a replacement to,
existing technology. Feedback from departments outside of compliance should be gathered and
given consideration. Secondary costs like training and maintenance should be included into the
integration budget.
It is expected that budget projections will change as new information is available. The
bank should maintain the original budget and supporting documentation and all subsequent
38
budgets. Reviewing the changes in budgets provides valuable insight into the rationale behind
decisions and the factors that prompted changes. This information is beneficial during the
project, and as a historical document for future leadership that details the reasoning for overall
strategic decisions. The roll out of new processes and systems should be run in parallel to
existing programs until it is confirmed that it is functioning properly, and has been evaluated,
measured and adjusted as needed. The test roll out process should be repeated until the bank is
As the role of compliance evolves, staff will need new and different skills. To be
successful, employees need to clearly understand what is expected of them, and their progress
should be reviewed with relevant feedback that encourages continual improvement. Other
method of transforming culture within the AML compliance program so it becomes more
dynamic and fluid is to get everyone involved in discussion at some level, validating their role on
the team. An inclusive workplace will foster communication, encourage transparency, and
inspire innovation. The staff who use the technology on a daily basis are a valuable source of
input. They understand the functionality and can offer suggestions on what works well, what to
An updated AML program that includes proactive inclusion of the future will be a
significant change for many community banks. A common mistake is not including ongoing
review and adjustments to the plan. Carving a path forward without accommodating new
understandings and change results in the same quagmire of unwinding expensive, avoidable
mistakes. Compliance is not a revenue generating activity, but it doesn’t need to be viewed as an
albatross to the bank. Done well it provides important intelligence about risks to the bank, and
39
Conclusion
In many community banks, AML compliance is dated and ineffective. Given the
anticipated disruptive changes in the regtech industry, there is no value in entirely remediating
existing systems. The key to optimal performance is balancing the maintenance of current
compliance programming with the integration of new regulations and technology. The bank
should recognize retooling of the AML compliance program as an ongoing effort, and not a fixed
project.
Community banks have decades of embedded practices designed to meet the needs of
small geographical footprints and local customers. In the coming years, the customer base might
not change, but the most effective ways to service their business needs will. A transition to a
more nimble, responsive AML compliance program is possible with new tools, a fresh approach,
40
References
Accenture. (2017). Compliance costs for financial institutions will continue to increase over the
next two years driven by regulations and emerging risks, according to global Accenture
costs-for-financial-institutions-will-continue-to-increase-over-the-next-two-years-driven-
by-regulations-and-emerging-risks-according-to-global-accenture-survey-of-
executives.htm
regulatory-and-compliance-requirements-16290f4b4ac1
American Bankers Association. (2017). Statement for the record on behalf of the American
Bankers Association before the Committee on Banking, Housing and Urban Affairs
Association of Certified Financial Crime Specialists. (2017). Why artificial intelligence is the
https://www.acfcs.org/news/367459/Why-Artificial-Intelligence-Technology-is-the-
Future-of-Financial-Crime-Mitigation.htm
Bajpai, P. (2017). How IBM’s Watson will help financial institutions save time, money in
http://www.nasdaq.com/article/how-ibms-watson-will-help-financial-institutions-save-
time-money-in-meeting-regulatory-guidelines-cm803853.
Brynjolfsson, E. and McAfee, A. (2017). The business of artificial intelligence: what it can – and
41
Burnet, B. (2015). Compliance burdens: reducing bank products and services [Blog Post].
reducing-bank-products-and-services.aspx.
Crosman, P. (2016). IBM buying Promontory clinches it; regtech is real; artificial intelligence
may not make bank compliance officers obsolete, but it could mean far fewer of them in
Dow Jones Risk and Compliance, ACAMS. (2016). Global anti-money laundering survey
http://files.acams.org/pdfs/2016/Dow_Jones_and_ACAMS_Global_Anti-
Money_Laundering_Survey_Results_2016.pdf
gafi.org/publications/?hf=10&b=0&s=desc(fatf_releasedate)
Federal Financial Institutions Examination Council (FFIEC). (2014). Bank Secrecy Act/Anti-
FinCEN. Bank Secrecy Act forms and filing requirements. Retrieved from
https://www.fincen.gov/resources/filing-information
FinCEN. (2017) FinCEN penalizes Texas bank for violations of anti-money laundering laws
https://www.fincen.gov/news/news-releases/fincen-penalizes-texas-bank-violations-anti-
money-laundering-laws-focusing
42
FinCEN. (2017). United States of America Department of the Treasury Financial Crimes
https://www.fincen.gov/sites/default/files/enforcement_action/2017-02-
27/Merchants%20Bank%20of%20California%20Assessment%20of%20CMP%2002.24.2
017.v2.pdf
Lam, James. Enterprise risk management: from incentives to controls. Second Edition. 2014.
Lux, M. and Greene, R. (2016). Dodd-Frank is hurting community banks. The New York Times.
eliminated-the-dangers-in-the-banking-system/dodd-frank-is-hurting-community-
banks?mcubz=1.
Macro, B. (2013). Assessing inherent BSA/AML risk at community banks. Federal Reserve
McLannahan, B. (2017). US banks ‘wasting billions’ trying to track crime. The Financial Times.
Mitchell, D. (2016). Money laundering laws: ineffective and expensive. Cato Institute.
Office of the Federal Register. The Daily Journal of the United States Government. Page 29398.
Protiviti. (2017)
Society of Corporate Compliance and Ethics. (2014). The complete compliance and ethics
43
Stackhouse, J. (2016). Community bank research conference looks at the changing nature of
The Clearing House. (2016). A New Paradigm: The U.S. AML/CFT framework to protect
Thompson Reuters. (2014). U.S. compliance salary report: job market in the post-crisis
compliance-salary-report-job-market-post-crisis-landscape/.
https://risk.thomsonreuters.com/en/resources/special-report/cost-compliance-2017.html
Trulio. (2015) Updated 2016. Banking trend: growth of compliance teams and spending [Blog
bottom-lines/
U.S. Department of the Treasury. (2015) National Terrorist Financing Risk Assessment.
U.S. Department of the Treasury. (2017). A financial system that creates economic opportunities
Banks and credit unions. Executive order 13772 on core principles for regulating the
WilmerHale. (2017). AML and sanctions: 2017 trends and developments. Regulatory and
government affairs.
Winkler, S. (2016). The Three Biggest Challenges in the Data Migration Process [Blog Post].
process/.
44
https://www.fincen.gov/sites/default/files/enforcement_action/2017-02-
27/Merchants%20Bank%20of%20California%20Assessment%20of%20CMP%2002.24.2017.v2.
45
Appendix
AI Artificial Intelligence
46
DOJ Department of Justice
ES Economic sanctions
47
SEC Securities and Exchange Commission
USA PATRIOT ACT Uniting and Strengthening America by Providing Appropriate Tools
48