Bank Secrecy Act (BSA) violations may be the next big regulatory target - and can be very costly. Two cases and takeaways to consider before bank examiners come knocking.

1. Banking &
Financial Services
By KEN WOLFF, PRESIDENT/CEO, AFFIRMX LLC
W
hile a climate of regulatory relief sweeps
across the industry, it is a prudent compliance
officer who keeps both feet on the ground
and considers what risks such a climate could possibly
present. Beyond awareness that regulatory enforcement
is cyclical and subject to potentially rapid changes based
on external or internal events, there’s another potentially
more-immediate threat to consider.
Although some areas have been removed from the
regulatory playing field by new thresholds, that doesn’t
mean regulators go away until the pendulum swings the
other way. Their regulatory attention will need to flow
somewhere. What are the most likely targets?
Near the top of the list of high-value candidates for
targets would have to be increased scrutiny of the Bank
Secrecy Act (BSA) in an effort to find violations that may
have gone previously undetected.
For evidence of how high high-value BSA violations
can be, one need look no further than two California
banks that were handed fines totaling $57 million
between them. In 2017, Merchants Bank of Carson,
California, was hit with a $7 million civil money penalty
for “egregious violations” of anti-money laundering (AML)
laws. Then earlier this year, Rabobank, N.A. of Roseville,
California was slapped with a $50 million penalty by the
Office of the Comptroller of the Treasury (OCC) for issues
related to its AML efforts.
If increased BSA scrutiny does begin to fill the regulatory
vacuum, a look at where Merchants Bank and Rabobank
went wrong can prove a useful exercise to make sure
your financial institution stays far away from the lines
those two institutions crossed.
Substandard Programs
Both institutions were called out for deficiencies in their
BSA program. Typically, this is the sort of thing that
gets mentioned first in examination reports and press
releases but is applied only after the fact when other
specific violations have been identified, leaving the
regulator to wonder how such things could have occurred,
unless there were giant holes in the BSA program.
In Rabobank’s case, the bank was cited for failure to
establish and maintain a compliance program that
adequately covers the required BSA/AML elements,
as well as failure to develop adequate customer due
(Continued on page 2)
1-800-ASK-CBIZ • cbiz.com/banking @CBZCBIZ BizTipsVideos JUNE 2018
GUEST ARTICLE:
ComplianceAbhorsaVacuum–IftheVoidIsFilled
withHeightenedBSAScrutiny,WouldYouBeReady?

2. diligence (CDD) and enhanced due diligence (EDD)
processes. In addition, it was cited for failures to
investigate questionable activity related to section 314(a)
of the USA PATRIOT Act, requiring banks to provide
information about customer activities related to law
enforcement subpoenas and requests.
For Merchants Bank, regulators found the bank’s BSA
program lacked a system of internal controls, failed
to provide for independent testing for compliance,
failed to designate a person responsible for monitoring
compliance and failed to provide adequate training for
personnel. In other words, out of the four pillars (now,
with the inclusion of beneficial ownership rules, five
pillars), Merchants struck out on each one.
What led to the biggest failure were Merchants’ internal
controls. Several bank insiders owned money service
businesses (MSBs) that had accounts at Merchants.
These insiders reportedly encouraged BSA staff to
process transactions without any questions and
interfered with any attempts to investigate suspicious
activity related to insider-owned accounts.
Merchants was also found to have failed to conduct
required due diligence on its foreign correspondent
accounts. Under the USA PATRIOT Act, any institution that
maintains correspondent accounts in the U.S. for foreign
financial institutions is required to subject those accounts
to due diligence. Such shortcomings can typically be
ascribed to a lack of required policies and procedures.
Sound policies and procedures that are in line with the
USA PATRIOT Act requirements would ensure that any
foreign correspondent account customers receive the
appropriate due diligence. Merchants had four banking
customers located in high-risk countries but did not
identify these customers as foreign correspondent
customers. As a result, these four customers sent and
received a combined $192 million in high-risk wire
transfers that were not included in monthly transactional
monitoring. That’s a formula for examination pain.
Missed SAR Reporting
An independent consultant reviewed Rabobank’s
transaction and account activity between January 2010
and December 2013. The consultant discovered that 472
Suspicious Activity Reports (SARs) had not been filed,
and more than $233 million in suspicious activity had not
been reported.
At Merchants, examiners found the bank failed to
detect and report suspicious activity. BSA regulations
are clear about requiring financial institutions to
report any transaction of at least $5,000 that the
institution “knows, suspects, or has reason to suspect”
(Continued from page 1)
is suspicious. Regulators charged that, for four years,
Merchants Bank failed to monitor billions of dollars of
transactions for suspicious activity.
Much of this transaction activity was related to its
MSB customers’ activity. For example, one of these
customers was a money transmitter in the basement
of the MSB owner’s private residences in New
York. Despite inquiries from law enforcement and
rejected wire transfers from other banks, Merchants
determined that the activity was not suspicious and
did not file a SAR.
Things Are Never So Bad They Can’t Get Worse
One can imagine that when auditors or consultants at
Rabobank identified deficiencies, senior officials were
none too pleased. However, what happened next, in an
effort to minimize damage, ended up making matters so
much worse.
OCC examiners requested certain materials that the
bank apparently knew would expose its shortcomings. So
senior officials made the calculated decision to attempt
to deceive the regulators as to the true state of its
operations in the hope of avoiding regulatory sanctions.
It didn’t work.
Results
The key takeaway from all of this is to take a step back
or, better yet, have an independent party with a fresh
perspective take a look at the big picture of how your
BSA/AML program is organized and what gaps might be
identified in an examination setting. Find and fix them
before the examiners come knocking. Be transparent
with the findings of the internal reviews, then show how
your institution took appropriate steps to rectify the
matter as part of a healthy BSA program.
What happened at Rabobank and Merchants Bank
should be a wake-up call to all financial institutions,
even in this era of shifting regulatory scrutiny.
Both of these scenarios played out over multi-year
timeframes – long enough to accommodate a couple
of pendulum swings.
1-800-ASK-CBIZ • cbiz.com/banking @CBZCBIZ BizTipsVideos JUNE 2018
Ken Wolff is President and CEO of
AffirmX, LLC, a Frederick, Maryland-
based firm that helps financial
services institutions reduce
compliance and risk management
workloads, anxieties and costs
through its patented Risk Intel
Center platform.