Banks are “drowning in BSA demands,” and regulators are “looking to the private sector for the latest in best practices and then seeking to transmit those ideas to the rest of the industry through regulatory decree.” The FinCEN Director is quoted as saying, “To the extent that we have financial institutions that are not meeting their obligations in defending the financial system, we have the enforcement authority to deal with those outliers.”
New York Department of Financial Services requires board or executive officers to personally certify compliance with 22 specific BSA requirements annually
From New York Department of Financial Services
Starting January 1, 2017, NYDFS requires either the board or an executive officer of every regulated entity to personally certify the steps their institution has taken to ascertain compliance with NYDFS BSA/AML regulations. The certification covers 22 specific areas of inquiry including those related to a comprehensive BSA risk assessment and the relation of the risk assessment to the institution’s transaction monitoring systems.
FinCEN says cybersecurity is an integral part of BSA compliance
From FinCEN Cyber-Threats Advisory, October 25, 2016
“The Financial Crimes Enforcement Network (FinCEN) issues this advisory to assist financial institutions in understanding their Bank Secrecy Act (BSA) obligations regarding cyber-events and cyber-enabled crime.”
New York Department of Financial Services rule requires board or executive officers to personally certify compliance with specific cybersecurity requirements
From New York Department of Financial Services
Effective March 1, 2017, NYDFS requires that the board or executive officers of regulated financial institutions certify that the institution’s cybersecurity governance and systems dealing with encryption, app security, risk assessment, personnel, authentication, data retention, and other specific requirements comply with the DFS rules and regulations.
ABA says personal liability of officers and directors for BSA failures is on the table
From ABA Compliance
Quoting Comptroller of the Currency Thomas Curry: “The question I would pose from a risk management and corporate governance standpoint is whether it’s time to require large complex banks to establish clear lines of accountability that make it possible to hold senior executives responsible for serious compliance breakdowns that lead to BSA program violations.”
Federal Reserve: BSA Risk Assessments must be “enterprise wide” and “granular”
From the Philadelphia Federal Reserve Bank
Many institutions “do not know where to begin when attempting to develop a BSA/AML risk assessment.” The Philadelphia Federal Reserve Bank says a BSA risk assessment must document and assess, “all products, services, customers, and geographic locations” and must be considered a “living document” revised as products, services, and locations change.
Banks flock to de-risking even though it hurts banks and customers
From American Banker
Driven by fear of business loss and regulatory scrutiny and enforcement, banks are jettisoning the baby with the bathwater. “In addition to stifling banks and discouraging potential customers, de-risking has driven capital into riskier environments. Legitimate customers who have been de-risked must still address their financing needs.”
American Banker quotes OCC’s Joel Anderson as saying OCC has a “laser-like focus” on cybersecurity. Anderson says, “Our expectations are that banks are doing assessments of the risks that are presented by the various things they’re offering, and ensuring that a set of layered controls sufficiently mitigates that risk.”
FinCEN reiterates that MSB Principals are responsible for Agents’ BSA compliance
FinCEN says MSB principals can be sanctioned if they do not monitor the BSA compliance of their agents on a transactional basis: “The principal must implement risk-based procedures to monitor the agents’ transactions to ensure that they are legitimate”; and on an institutional basis: “When conducting monitoring of their agents, principals must, at a minimum…Evaluate agents’ implementation of (BSA) policies, procedures, and controls.”
TechCrunch says that banks are turning to RegTech to meet today’s rapidly expanding cybersecurity and compliance challenges
In BSA, cybersecurity, and fraud, banks simply can’t keep up with business or regulatory challenges and are turning to innovative companies to find solutions to manage risk and avoid business and regulatory losses. “If companies fail to embrace the new regtech opportunities, they’ll face increasing costs for compliance, while simultaneously decreasing their productivity, capacity and efficiencies.”