BSA Enforcement: Oops! Another One!

Another Bank is now standing on the BSA penalty podium. AmSouth Bank has entered into a consent agreement with FinCEN to the tune of $10 million.

AmSouth, a $45.6 billion institution based in Birmingham, Alabama, is charged with failure to develop and maintain an adequate compliance program for BSA. According to the consent agreement, AmSouth failed to have a program with the required elements of board oversight, management involvement, policies and procedures designed to identify and report suspicious activity, training for all appropriate staff, and independent evaluation.

The program elements are not new. In fact, the program elements described in the consent agreement should be old hat to most compliance professionals. What is not old hat is the payment of $10 million for the failure to measure up to the standard.

The date of concern is April 24, 2002 - the date mandated in the USA PATRIOT Act for banks to have BSA compliance programs as defined by their regulators. FinCEN looked to the Federal Reserve's program requirements because the FRB is AmSouth's primary regulator.

What Was Missing
Federal Reserve examiners identified three required program elements that were materially deficient. These included internal controls, inadequate training, and inadequate independent testing.

Examiners and FinCEN found that internal controls were deficient in several ways. First, parts of the bank that had BSA responsibilities were not part of the BSA loop. They had no system in place for reporting suspicious activity to the BSA officer. These departments had also not been part of the program's risk assessment. The bank had failed to conduct a risk assessment of customers other than in private banking. Without the risk assessment, there was no due diligence and monitoring of high risk accounts.

Another program problem identified was that the bank's Section 314(a) system did not include the sale of monetary instruments to non-customers. Without adequate documentation of these sales, the bank was unable to review these transactions.

The policies and procedures failed to contain adequate guidance and controls for referring and reporting suspicious activity. The bank did not have adequate written instructions that directed employees on when to investigate, close or refer suspicious activity.

Training, always a critical program element, was found to be deficient. AmSouth did not provide bank-wide training prior to February 2004 on detecting and reporting suspicious activity. Because staff was not aware of what activity should be reported, not enough was actually reported. The information never entered the compliance channel.

Finally, the independent testing was materially inadequate. When regulators talk about independent testing, they mean that the audit should be a thorough evaluation and that it should include careful transaction testing. At AmSouth, examiners found that the review met only a "reasonableness and completeness" test. This may be adequate for monitoring, but not for the independent audit. Think of the independent audit as the time you put extra bleach in the laundry - just to get the whites whiter. The independent test is the process that is supposed to find whether the program has weak points. It cannot be minimized.

What is most significant about these identified deficiencies is that they come down to communication, which is a problem that can exist in any institution of any size. No BSA program will be effective unless people communicate with each other. The most important communication is passing on information about activity that may be suspicious. Without a communication system together with the environment in which communication occurs, this critical information will not land where it needs to be.

Reporting Suspicious Activity
AmSouth's program deficiencies resulted in a failure to identify suspicious activity and to file SARs. Reporting failures involved several errors, including staff's misunderstanding of what should be reported, and failures to communicate information to the correct place.

Because of the weaknesses in the program, a number of criminal activities were conducted using the bank. These included a Ponzi scheme in which several employees participated, embezzlement by a corporate customer by using forged checks, misappropriation of municipal funds, misuse of customer accounts by brokers, and several frauds involving wires.

FinCEN concluded that AmSouth's program deficiencies were willful because the bank was aware or should have been aware of the regulatory requirements. FinCEN found that the violations were systemic and serious.

ACTION STEPS

Review your BSA policy and procedures and compare the content to your regulator's program requirements. If anything is missing, fix it fast.
Review your training schedule and materials for BSA. Be sure that the training reached all the right staff and that it included treatment of CIP and suspicious activity reporting.
Prepare a brief summary of the case for your board of directors and take steps to be sure that the board is reminded of their BSA responsibilities at the next meeting.
Audit your audit. Look over the most recent audit and independent testing. Be sure that everything that should be looked at was included in the audit.
Take the time to talk with tellers and branch managers about what they see. Find out if they are telling you what you need to know. If not, schedule some special training for the purpose of establishing a line of communication.