Citigroup will pay $97 million to settle U.S. Justice Department charges against its Banamex subsidiary, the
Los Angeles Times reports. According to the Justice Department, a lack of internal controls at Banamex USA may have enabled customers to launder money through payments sent to Mexico. The Justice Department says the bank's two-person compliance staff only conducted a small number of investigations of the 18,000 suspicious transaction alerts involving money sent to Mexico between 2007 and 2012. As part of the settlement, the Justice Department will not prosecute the bank. However, the bank has agreed to shut down Banamex USA to comply with an earlier deal with the U.S. Federal Deposit Insurance Corp. and the California Department of Business Oversight to settle a separate investigation of the suspicious payments.
Over the last three decades,
U.S. Bank Secrecy Act (BSA) Anti Money Laundering (AML) regulations have been expanded to cover not only banks and credit unions, but also a wide array of financial institutions. The Financial Crimes Enforcement Network (FinCEN), a bureau of the U.S. Treasury Department, maintains web pages for
money services businesses (MSBs),
the insurance industry,
securities and futures, and
casinos. These institutions are required to have a BSA/AML compliance program in place that is commensurate with its respective BSA/AML risk profile. The program must include four components — a solid risk profile foundation, a thorough internal controls review, independent testing/audits, and a BSA/AML compliance officer. To these components, I will add a fifth — a thorough and evergreen risk profile.
A 2016 Grant Thornton benchmarking report,
Anti-money Laundering Compliance in the Money Services Business Industry (PDF), also provides some interesting trends regarding the issues and challenges faced in meeting compliance obligations, which are relevant to this story. These two sources help highlight some lessons that should be learned from the Citigroup case, with a particular emphasis on the importance of the first three of these BSA/AML program components.
1. A solid risk profile foundation. Banks and other kinds of financial institutions frequently do not approach the development of their risk profile with sufficient discipline. A thorough risk assessment is the crucial first step in developing a compliance program, and careful identification of risks inherent in their business is needed, distinguishing between products and services, customers, and geographic locations. A risk profile must not only be operationally implemented, it also must be updated as changes occur for the institution. The MSB benchmarking report notes, "While all of the MSBs in the benchmarking population had a documented risk assessment, the majority (61 percent) were still in the process of making the risk assessment a practical reality of their business operations."
As this story notes, Citigroup set up Banamex USA, the former California Commerce Bank, as an arm of its Banco Nacional de Mexico subsidiary to make it easier for businesses and individuals to transfer funds across the border. That is a significant business change, and one wonders whether Citigroup updated its risk profile, at least for its Banco Nacional de Mexico subsidiary.
2. A thorough internal controls review. Particular aspects of FinCen's guidance regarding what is needed for an internal controls review seem relevant to Citigroup's acknowledged weaknesses, including:
- Whether the board of directors, or a committee thereof, and senior management were adequately informed of BSA/AML compliance initiatives, identified compliance deficiencies, and took corrective action. That would include notifying directors and senior management of suspicious activity reports filed with regulators.
- Compliance with requirements for establishing a person or office responsible for BSA/AML compliance, including providing for program continuity despite changes in management, employee composition, or structure. According to the news report, Banamex USA "conducted fewer than 10 investigations and filed only nine suspicious activity reports stemming from the alerts because its compliance unit was seriously understaffed with only two employees."
- Providing for dual controls and segregation of duties. For example, employees who complete the reporting forms, such as suspicious activity reports, should not also be responsible for the decision to file the reports or grant the exemptions.
- Providing sufficient controls and monitoring systems for timely detection and reporting of suspicious activity.
- Ensuring there is sufficient document and record keeping regarding transactions, particularly those with higher risks.
The MSB benchmarking report notes several observations relating to deficiencies found in several of these areas, including transaction processing, record keeping, and the handling of suspicious transactions.
3. Independent Testing (Audit). According to FinCen's guidance, independent, third-party audits of BSA/AML compliance should be conducted at least every 12 to 18 months — and more frequently for higher-risk financial institutions. These audits should include:
- An evaluation of the overall adequacy and effectiveness of the BSA/AML compliance program, including policies, procedures, and processes. Typically, this evaluation will include an explicit statement about the BSA/AML compliance program's overall adequacy, effectiveness, and compliance with applicable regulatory requirements. The audit should at least contain sufficient information for the reviewer, such as an examiner, review auditor, or BSA officer, to reach a conclusion about the overall quality of the BSA/AML compliance program.
- A review of the bank's risk assessment for reasonableness given its risk profile (products, services, customers, entities, and geographic locations).
- Appropriate risk-based transaction testing to verify the bank's adherence to the BSA record-keeping and reporting requirements.
- An evaluation of management's efforts to resolve violations and deficiencies noted in previous audits and regulatory examinations, including progress in addressing outstanding supervisory actions, if applicable.
- A review of the effectiveness of the suspicious activity monitoring systems (manual, automated, or a combination) used for BSA/AML compliance. Related reports may include suspicious activity monitoring reports, large currency aggregation reports, monetary instrument records, funds transfer records, non sufficient funds reports, large balance fluctuation reports, and account relationship reports.
Additionally, Grant Thornton's benchmarking study found that while deficiencies in AML compliance programs continue to be prevalent (incidences of around 60 percent of MSBs overall), "for those MSBs that had more than one review of their program completed, there was a decrease in documentation deficiencies such as risk assessments, policy, and procedures (66 percent deficient in 2012 and 57 percent in 2016)." We do not know whether regular audit work had been conducted on Banamex's BSA/AML compliance program. However, if such audits took place, and included the above scope, it would be surprising that senior management and regulators would not have known about the program's serious deficiencies sooner.
4. BSA/AML Compliance Officer. Every institution's board should designate a BSA/AML compliance officer. While this person may not be part of the executive team, he or she should be expert in BSA/AML regulations, have the ability and resources to design and implement a program, and ensure that both the board and senior management are aware of the organization's compliance status. While one needs to exercise caution in comparing MSBs to banks in this regard, the Grant Thornton benchmarking study found that of the MSBs studied, only "18 percent (down from 23 percent in 2012) had a compliance officer that was supported by a team providing assistance to oversee and meet the compliance program requirements."
5. BSA/AML Compliance Training. MSBs should train employees in appropriate parts of the BSA/AML program and communicate the organization's anti-money laundering responsibility to them. Employees whose jobs place them in a specific risk category should be aware of how mandated reporting and responsibilities apply. This training should be reviewed periodically, especially when people change jobs. BSA compliance also should be incorporated into the job descriptions and performance evaluations of bank personnel, as appropriate.