Learning from Enforcement Actions
Commonly cited violations have long been a source of important information for the design and management of compliance programs. Recently, the types of violations and management weaknesses that have resulted in enforcement actions have provided ideas on how to focus attention on compliance programs.
Two recent enforcement actions illustrate these points. The written agreements are with Gold Bank, Leawood, KS (August 26, 2003) and Ridgedale State Bank, Minnetonka, MN (July 29, 2003).
There are common themes to each of these enforcement actions: qualified staff, adequate resources, and independence of function. Both enforcement actions stress that each manager, employee, or bank director must have the qualifications to do the job. Management cannot get by merely by moving people into slots. If there are no qualified candidates within the bank, management must hire from outside. In addition, the banks must allocate adequate resources to do the job.
Training is also a required element. The Ridgedale agreement even requires the directors and officers of the bank to "familiarize themselves with applicable provisions of federal and state laws and regulations."
Ridgedale Bank must retain a consultant to evaluate each senior officer and the bank's auditor to determine whether they possess the ability, experience, and qualifications to perform their jobs, and to evaluate individuals in the bank who have potential for advancement. This latter exercise is to ensure that the bank maintains enough depth in staff to ensure successor management.
Independence and Reporting
A clear signal emerging from these agreements is that the regulators expect board audit committees to play a strong and independent role. The Gold Bank agreement requires the board of directors to review the internal audit program and the audit committee to ensure that the audit committee is independent and effective and that internal audits are adequate.
The Ridgedale Bank agreement requires the directors to "maintain effective control over and supervision of the Bank's senior management, major operations, and activities." The board must require an independent audit function, effective internal controls, risk management, and "training programs for the board of directors, management, and staff."
Ridgedale Bank directors must designate resources that are adequate to ensure that internal audits are conducted by qualified staff and performed for all areas that need attention. The audits must also be completed as scheduled.
Anti-money laundering is a trigger for enforcement actions. As with flood insurance, violations tend to occur because of system and procedure failures. When an examiner finds more than an isolated instance, the examiner has usually found a pattern. That pattern leads to enforcement and civil money penalties.
Gold Bank must implement anti-money laundering procedures. In addition to program augmentation and wire transfer controls, the bank must develop and implement independent testing for compliance with BSA and training of all appropriate personnel.
As a separate item, Gold Bank must develop a written customer due diligence program that contains all the elements of the CIP as well as the concepts of due diligence. This program must ensure that "all known or suspected violations of law and suspicious activities are properly identified, reviewed, documented and reported." It is not enough to report only what is identified. This agreement requires the bank to have a program that can and will identify and report all illegal and suspicious activities.
Gold Bank is required to prepare an "acceptable" written plan to improve the bank's technology function and information security. The plan must cover all applicable requirements for protecting nonpublic customer information. The program must also enable the bank to respond to future changes.
A key element of the information security program must be the qualifications of staff managing the program. The program must have both qualified staff and sufficient resources to be effective.
Regulation W also reared its head in the Gold Bank case. The case involved violations of both Regulation W and Regulation O. The resulting agreement requires written procedures for and independent monitoring of transactions between parts of the holding company and with insiders.
- Compare your written anti-money laundering program with the requirements in the enforcement cases. Be sure that your program has controls and independent reviews that meet regulatory standards.
- Use the Information security examination procedures to evaluate your information security program. If the program shows weaknesses, take steps now to cure them.
- Review the in-house and outside training that is available to staff. Consider whether staff has the qualifications and access to training that are needed for their jobs.
- Review the structure of the Audit Committee and the way you provide information to it. The lines of reporting should be direct. No one who has a conflict of interest should have the ability to review and change reports.
Copyright © 2003 Compliance Action. Originally appeared in Compliance Action, Vol. 8, No. 9, 9/03
First published on 09/01/2003