The Expanded Expectations of Corporate Governance in BSA/AML and the Impact on the Audit Function

Transcription

1 The Expanded Expectations of Corporate Governance in BSA/AML and the Impact on the Audit Function Kathe M. Dunne, CAMS, AAP KMD Consulting Solutions March 2014

2 Table of Contents I. Executive Summary...3 II. Background...5 III. History of Governance of BSA/AML by the FFIEC...7 IV. Regulatory Actions against Financial Institutions...8 A. Banesco USA - FDIC b...8 B. Citibank, N.A. OCC AA-EC C. Recap of Order Elements...8 V. Department of Treasury and Congressional Actions...11 A. Regulatory Agencies...11 B. United States Congress...13 VI. A Proposed Methodology for Auditing BSA Governance...14 A. How to Review Governance in a BSA/AML Program Potential Elements for Review Optional Scoring of the Elements...15 B. 10 Elements of BSA/AML Governance - Review Table...17 VII. Conclusion...20 Bibliography /2014

3 I. Executive Summary Most financial industry observers and participants agree that regulatory review of the Bank Secrecy/ anti-money laundering (BSA/AML) compliance function in depository financial institutions increased significantly immediately following the passage of the USA PATRIOT Act in It took several years for specific regulatory guidance to catch up to the law in the form of the Federal Financial Institutions Examination Council (FFIEC) BSA/AML Examination Manual. Until recently, depository financial institutions have done reasonably well auditing the (BSA/AML) program using this manual as a primary reference. Significant and blatant BSA/AML violations have been discovered over the past three years (e.g., the masking of certain transactions and the rerouting of payments to prevent detection) that resulted in an uproar in the public sector calling for action on the part of the government. The public wants to know Who is to blame? and Who will pay? for these infractions. These significant violations have resulted in large fines for the involved institutions, but with limited accountability assigned to the management of the institutions. Congress is now hearing testimony from other government agencies including the Financial Crimes Enforcement Network (FinCEN) and the Office of the Comptroller of the Currency (OCC) regarding the enforcement of and violations to the BSA. Several things have been made clear through this process: In the past, financial institutions that were assessed a civil money penalties by FinCEN were permitted to consent to the assessment without admitting or denying the alleged facts; this is no longer permitted. 1 Jennifer Shasky Calvery, named as the new director of FinCEN in September 2012, has proceeded very aggressively to address responsibility and accountability issues within the financial institution environment as it relates to BSA/AML. In Senate testimony, FinCEN indicated that it would more often obtain injunctions against individuals who violate the BSA and fine banks and their partners, directors, officers and employees. 2 Business decisions for budgeting or line of business concerns should no longer be viewed by the board of directors as viable options when it concerns BSA/AML compliance matters. 3 1 Remarks of Jennifer Shasky Calvery, Director FinCEN, ABA/ABA Money Laundering Enforcement Conference (11/19/2013) 2 Statement made by David Cohen, the head of the Treasury Department s Terrorism and Financial Intelligence office, in written testimony to the Senate Banking Committee. 3 Testimony of Testimony of the Office of the Comptroller of the Currency before Committee on Banking, Housing, & Urban Affairs of the U.S. Senate (3/7/2013) 3 03/2014

4 Actions within the regulatory agencies, FinCEN, and the Congress have made it very clear that the board of directors and the senior management of financial institutions need to take control and responsibility of the BSA/AML functions within their institutions or specific BSA/AML actions will be dictated to them. The governance of the BSA/AML function in a financial institution identifies the level of control and responsibility the board of directors and senior management has defined and assigned throughout the institution as it relates to the BSA. Like other BSA/AML program elements, the effectiveness of governance should be audited, but with what criteria? And how should auditors measure those criteria? This paper proposes governance criteria and methodology for the measurement of the criteria. This research is intended to help financial institutions to adequately prepare and protect not only their institutions, but their board of directors, senior anagement, and employees from civil and possible criminal action. 4 03/2014

5 II. Background In the past several years, failures of the BSA/AML programs of several large domestic and international financial institutions have changed the regulatory landscape for all U.S. depository and non-depository financial institutions regardless of size. Arguably, most or all of these reflect a failure of the board or senior management to establish a tone of compliance that permeates the institution. The identification of significant gaps in monitoring programs, identification of the processing of non-allowable transactions and failures to identify and halt money laundering through these institutions has resulted in an uproar in the public sector. Coming on the heels of the too big to fail banking crisis of where many large institutions were funded with taxpayers money, it is disturbing to the populace that these same institutions may be funding terrorist organizations through money laundering schemes using their institutions. The U.S. Congress began to review these situations in detail in 2012 through various testimony regarding the actions of specific financial institutions as well as testimony by the OCC. The OCC provided significant testimony before the Committee of Homeland Security and Governmental Affairs in 2012 regarding the role the OCC and the other financial institution regulators play in examining financial institutions for compliance in this [BSA] area. Regulatory exams, once a fairly private concern between an institution and its regulators, became part of national news; regulators were being criticized publically by the Congress, news media, and the citizens of the U.S. The question that appeared to be at the forefront was Who is to blame? These factors came together and resulted in reports of the regulatory agencies stepping up the depth of their BSA/AML audits/reviews in many areas but significantly in the area of the governance of the BSA/AML function within financial institutions. In 2013, when the Department of Justice (DOJ) deemed the management of the largest institutions Too Big to Jail for BSA/AML infractions, it brought the issue to the forefront once again resulting in a proposed bill in Congress regarding criminal penalties for financial institution executives. It has become increasingly important for financial institutions to clearly understand the heightened expectations surrounding the governance of the BSA/AML function. 5 03/2014

6 The objective of this white paper is to: Review the history of the governance of the BSA/AML function in depository financial institutions based upon regulatory guidance; Extrapolate and present data from consent orders (OCC, FDIC, Federal Reserve Bank) regarding the expectations concerning governance; Review Congressional testimony and actions that can impact future institutional plans; and Propose one methodology for auditing the effectiveness of the governance of the BSA/AML function within a depository financial institution. 6 03/2014

7 III. History of Governance of BSA/AML by the FFIEC The BSA/AML Examination Manual published by the Federal Financial Institutions Examination Council (FFIEC) provides some guidance on expectations of BSA/AML governance in financial institutions. This has evolved over various versions of the manual: The most recent version of the FFIEC manual provides a defining statement regarding governance: The board of directors is responsible for approving the BSA/AML compliance program and for overseeing the structure and management of the bank s BSA/AML compliance function. The board is responsible for setting an appropriate culture of BSA/AML compliance, establishing clear policies regarding the management of key BSA/AML risks, and ensuring that these policies are adhered to in practice. 4 The board also should ensure that senior management has established appropriate incentives to integrate BSA/AML compliance objectives into management goals and compensation structure across the organization FFIEC BSA/AML Examination Manual Senior management is responsible for communicating and reinforcing the BSA/AML compliance culture established by the board, and implementing and enforcing the boardapproved BSA/AML compliance program. FFIEC BSA/AML Examination Manual The newest statements regarding governance represents a significant expansion over previous versions and addresses some key areas not mentioned previously as noted below. Since 2012, this expansion has been actively used in regulatory audits for BSA/AML compliance. The board should ensure that: 1. Senior management is fully qualified and properly motivated to manage the BSA/AML compliance risks; 2. Compliance personnel are sufficiently independent and have authority and status to conduct their jobs; 3. There are appropriate resources to conduct compliance activities; and 4. Senior Management establishes incentives, compensation and goals tied to BSA/AML compliance objectives. 4 Federal Financial Institutions Examination Council (FFIEC) BSA/AML Examination Manual (2010) p /2014

8 IV. Regulatory Actions against Financial Institutions How have these regulatory expectations as evidenced in the FFIEC Examination Manual translated to regulatory actions? Many of the major actions in 2012 and 2013 against financial institutions have discussed governance of the BSA/AML function as a factor in the action. In some cases, the regulatory authority has been very detailed regarding the requirements it is imposing on the board of directors and senior management within the institution. In all of these cases, however, they are calling out the boards of directors and senior management for failing to prevent the BSA problems their institutions are experiencing and requiring specific corrective actions. So, let us take a look at two specific enforcement actions: one, FDIC regulated and two, OCC regulated. A. Banesco USA - FDIC b Banesco USA, an $850 million U.S.-based subsidiary of an international bank was issued a consent order by the FDIC in November of 2013 based solely on their BSA violations. The order made clear that the FDIC regulators were not satisfied with the involvement of the board of directors or senior management in the BSA program and had very specific requirements for each aspect of the program, including many elements of governance. The order contained some very specific language regarding the actions regulators were requiring of the institution in order to comply. The FDIC goes as far as to require the board to meet on an approved schedule with specific items to review as well as to require the bank to assess their staff abilities, experience and qualifications to perform BSA duties. B. Citibank, N.A. OCC AA-EC The Citibank, N.A. consent order issued on April 5, 2012 has been much more publicized and may be familiar to the reader. This cease and desist order, issued by the OCC, addresses BSA/AML specifically and covers about 50 BSA compliance issues. For the purposes of this document, we will address many of the items related to governance that the OCC included in a section they titled Management and Accountability, 5 the first time this section has been seen in an order by the author. C. Recap of Order Elements 5 Citibank, N.A., OCC Consent Order AA-EC (4/5/2012) p /2014

9 Orders Regarding Board Participation: 1. Board will increase its participation in the affairs of the bank, assuming full responsibility for the approval of sound policies and objectives and for the supervision of all of the bank's activities including BSA risk rating, BSA staffing, BSA training, BSA compliance (Banesco USA) The bank will develop procedures for informing management and the board of any suspicious or high risk activities conducted internally by the bank and by bank customers(banesco USA) The board will incorporate BSA and Office of Foreign Assets Control (OFAC) compliance into the performance evaluation process for both senior management and line of business management. These processes will likely move downstream to employee positions below senior managers and line of business managers (Citibank, N.A.). Orders Regarding Staffing: 4. Board will designate a qualified officer responsible for managing, coordinating, and monitoring the bank's BSA Compliance Plan (BSA Officer) (Banesco USA) Board will analyze and assess the bank's staffing needs to determine the appropriate number of qualified staff for the bank's BSA Department (Banesco USA). 9 Orders Regarding Staff Competency, Authority, and Accountability: 6. Clear lines of authority and responsibility have been established for BSA/AML compliance (Citibank, N.A.). 7. Compliance management is competent, independent and dedicated on a full-time basis (Citibank, N.A.). 8. An appropriate level of authority has been provided to the compliance staff to implement the BSA/AML compliance program (Citibank, N.A.). 9. Compliance staff will been given the authority to question account relationships and business plans (Citibank, N.A.). 10. Compliance staff will operate independently from the business lines, and not be subject to any form of evaluation or performance input from the business lines (Citibank, N.A.). 6 Banesco USA, FDIC Consent Order FDIC b OFR FI-13 (11/22/2013) p.2 7 Banesco USA, FDIC Consent Order FDIC b OFR FI-13 (11/22/2013) p.2 8 Banesco USA, FDIC Consent Order FDIC b OFR FI-13 (11/22/2013) p Banesco USA, FDIC Consent Order FDIC b OFR FI-13 (11/22/2013) p /2014

10 11. Bank will hold senior management and line of business management accountable for effectively implementing bank policies and procedures, and fulfilling BSA/AML and OFAC obligations (Citibank, N.A.). 12. The Bank will develop appropriate objectives and means to measure the effectiveness of compliance management officers and compliance management personnel within each line of business and for those with responsibilities across lines of business (Citibank, N.A.). Orders Regarding Policy and Procedure 13. Written bank policies and procedures will be developed or modified to clearly outline the BSA/AML and OFAC responsibilities of senior management, and relevant business line employees, including, but not limited to, relationship managers, foreign correspondent banking personnel, private banking staff, and business development staff (Citibank, N.A.) (Banesco USA). 10 These consent orders set the regulatory expectations higher than seen previously in consent orders. It appears from the way these items are addressed that there are issues to be addressed regarding the actions, responsibilities, and accountability of the board of directors, senior management and business line management. There has been concern voiced within the industry regarding some of these items particularly as they pertain to measurement and evaluation criteria that may impact compensation. 10 Banesco USA, FDIC Consent Order FDIC b OFR FI-13 (11/22/2013) p /2014

11 V. Department of Treasury and Congressional Actions Many of the major BSA/AML enforcement actions in 2012 and in the first half of 2013 have cited the lack of effective corporate governance as an issue. As discussed in the previous section, this element was called out more specifically in orders starting in 2012 than in orders in previous years. In consent orders reviewed by this author, very few orders prior to 2012 mentioned governance other than to recap the generic responsibilities of the board of directors. Additionally, while the DOJ deemed the management of the largest institutions Too Big to Jail, the Department of Treasury and the Congress have been addressing this issue of the responsibility and accountability in governance differently. Specific references to each of the major enforcement areas are addressed below. A. Regulatory Agencies The regulatory agencies have been the recipients of much of the public criticism regarding BSA/AML compliance. In particular, it appears that the OCC has come under the greatest media scrutiny likely due to their authority over the largest BSA depository financial institution offenders in recent history. The scrutiny has extended to Congress, probably for the same reason. Within the past 18 months, the OCC was called to publically testify before two committees of the U.S. Senate on matters related to BSA. Although a broad range of topics were covered in the testimony of Comptroller Curry to the Senate Banking Committee on March 7, 2013, the compliance issues related to the governance of BSA in financial institutions are of the greatest interest. Comptroller Curry gave the following items as requirements that appeared in OCC enforcement actions and that he envisioned would appear in the future guidance A designated BSA officer with sufficient knowledge, funding, authority, independence, compensation, and supporting staff to perform his or her assigned responsibilities and maintain effective compliance with the BSA and its implementing regulations. 2. An effective governance structure to allow the BSA officer and the compliance function to administer the program independently by reporting directly to the board of directors, or a committee thereof, with clear lines of responsibility beginning with senior management and including each line of business that is required to comply with the BSA. 11 Thomas J. Curry, Testimony of the Office of the Comptroller of the Currency before Committee on Banking, Housing, & Urban Affairs of the U.S. Senate (3/7/2013) p /2014

12 3. Clearly defined channels for informing the board of directors, or a committee thereof, and senior management, of compliance initiatives, compliance risks, new product development, identified compliance deficiencies, and corrective actions undertaken. 4. Compliance staff with the appropriate level of authority and independence to implement the BSA/AML compliance program and, as needed, question account relationships, new products and services and business plans. 5. Policies and procedures that clearly outline the BSA/AML responsibilities of senior management and relevant business line employees, and that hold senior management and line of business management accountable for effectively implementing bank policies and procedures, and fulfilling BSA/AML obligations. 6. A well-defined succession plan for ensuring the program s continuity despite changes in management, staffing, or structure, and policies and procedures to ensure that problems with excessive turnover of compliance staff or the BSA officer function are identified and appropriately addressed by the board. OCC Testimony Some recent cases have involved the lack of strong corporate governance principles necessary to create a culture of compliance within the organization. These cases reflected an imbalance in both the independence of the compliance function and organizational incentives that emphasized revenues and growth over balanced risk management. Thomas J. Curry Comptroller of the Currency March 7, Policies and procedures to ensure that the bank s risk profile is periodically updated to reflect higher risk banking operations (products, services, customers, entities, and geographic locations) and new products and services. 8. An enterprise-wide management information system that provides reports and feedback that enables management to more effectively identify, monitor, and manage the organization s BSA risk on a timely basis. 9. A strong BSA/AML audit function that ensures that identified deficiencies are promptly addressed and corrected. Although the above items are not part of official regulatory guidance, they are, in part, already incorporated into the FFIEC BSA/AML Examination Manual. In an update on OCC actions, Comptroller Curry recently commented on regulatory guidance of BSA/AML governance and indicated that the agency would push for the 12 03/2014

13 changes during bank examinations rather than through regulations or guidance 12 official guidance, the regulatory agencies will review these issues using their own interpretation during examinations. Lacking B. United States Congress The Holding Individuals Accountable and Deterring Money Laundering Act introduced on October 12, 2013 in the U.S. House of Representatives, amends provisions of the BSA of 1970 relating to money laundering violations. There are many provisions to this act, but the following impact the subject of this research. 13 Significantly increases civil monetary penalties for both institutions and individuals for willful and negligent violations of the BSA. Strengthens the range of civil powers available to regulators to sanction individuals, including fines for which the individual would be held personally liable and greater authority to remove and ban bad actors from the industry. Requires new corporate governance standards to create direct lines of access to the board for the heads of compliance and establishes direct lines of legal responsibility for board members and top executives for BSA violations, including any officers or employees who are in a position responsible for materially affecting compliance. 12 Remarks of Thomas J. Curry, Comptroller of the Currency, ACAMS 19th Annual International AML and Financial Crime Conference (3/17/2014) 13 See Proposed Legislation - H.R.3317 Holding Individuals Accountable and Deterring Money Laundering Act (10/24/2013) 13 03/2014

14 VI. A Proposed Methodology for Auditing BSA Governance Governance of the BSA/AML program within financial institutions has come to the forefront and is positioned to remain there for the foreseeable future. As evidenced in much of the testimony provided by Comptroller Curry to the U.S. Senate on March 7, 2013, several of the problems with BSA compliance can be attributed to root causes that are considered matters of governance. Curry also indicated that this is not just a problem that is confined to large financial institutions, but that higher risk products and customers have migrated to community banks. 14 It appears that these issues will be looked at for each institution regardless of size and regulatory authority. Curry also reported to the Senate Banking Committee that banks have inappropriately reduced staffing and resources in the BSA area due to austerity programs initiated during the Many of the practical problems we have seen in recent years with respect to BSA compliance can be attributed to four root causes: i. culture of compliance within the organization, ii. commitment of sufficient and expert resources, iii. strength of information technology and monitoring processes, iv. sound risk management. Thomas J. Curry Comptroller of the Currency March 7, 2013 financial crisis. In other cases, banks compliance department staff and expertise have failed to keep pace with the growth of the institution. 15 The items of governance previously discussed in this paper should first be addressed in an institution s BSA risk assessment and then incorporated appropriately into official board-approved policy, followed by inclusion into BSA/AML procedures and reporting. All of the elements of governance discussed throughout have been extrapolated and incorporated into this proposed methodology for auditing BSA governance. 14 Thomas J. Curry, Testimony of the Office of the Comptroller of the Currency before Committee on Banking, Housing, & Urban Affairs of the U.S. Senate (3/7/2013) p.4 15 Thomas J. Curry, Testimony of the Office of the Comptroller of the Currency before Committee on Banking, Housing, & Urban Affairs of the U.S. Senate (3/7/2013) p /2014

15 A. How to Review Governance in a BSA/AML Program Governance should be viewed within financial institutions as a reviewable aspect of the BSA/AML program. As such, it should be incorporated by audit staff (internal or external) as part of an independent review. How can this be accomplished? There are many audit models or formats for independent reviews of BSA/AML programs, but most only cover minimal aspects of governance. The elements are typically restricted to a review of board or committee reporting, competency of the BSA staff, and a review of sufficient resources. 1. Potential Elements for Review Elements of governance have not typically been measured quantitatively. The following table provides 10 sets of qualitative criteria that can be used to evaluate an institution s overall success in governance within their BSA/AML program. Each element has been broken down in to three levels of compliance. The level of compliance by the institution within these elements will allow the auditor to evaluate the overall compliance with governance within the BSA/AML audit. This methodology uses a similar method to that used by the FFIEC when assessing levels of risk within an institution. 16 Appendix J gives us potential measurement criteria. Using the same methodology, instead of rating the element low/medium/high risk (as we do for institution risk), we will be rating the governance elements as weak, satisfactory, or strong. A review of elements within the table will provide the auditor with a qualitative view of the strength of the governance within the institution s BSA/AML governance. 2. Optional Scoring of the Elements Some institutions and their auditors prefer to incorporate a quantitative scoring system to any type of measurement. This is not an infrequent practice when using schedule J within an institutional risk assessment. For those auditors that wish to incorporate a scoring element, one recommendation is to assign point values based upon how the institution is rated on each individual element. Point Scoring For example, using a scoring scheme using points, one can total the assigned points in each category to determine how the institution is performing overall regarding governance. The most basic utilized example: Weak = 1 point Satisfactory = 2 points Strong = 3 points 16 See Appendix J in the FFIEC Examination Manual /2014

16 Using the above element scoring, totals for a final score in a 10-element audit could be broken out as follows: Total Points: 0-16 Points Weak Program Points Satisfactory Program 27+ Points Strong Program Weighing Another factor that is frequently used in quantitative scoring is the weighing of the various elements that will properly reflect the risk associated within the institution. For example, institutions in a big product development push may consider involvement of the BSA staff in new product development (Element #1) of prime concern and importance and be deserving of a higher consideration when assigning an overall risk score for governance. This element may we weighed 1.5 times or 2.0 times the weight of other elements to make up the final score. Remember to keep in mind that weighed elements should reflect the institution s risk and well as their overall governance strategy /2014

17 B. 10 Elements of BSA/AML Governance - Review Table Element Weak Satisfactory Strong 1 Involvement of BSA/AML staff in new product development/ introduction Little to no involvement; typically brought into the discussion for risk assessment when ready to release product. BSA department brought into the implementation process for new products. Involvement documented in policy and procedure. BSA department approved required in product decisions at the start of the process. Involvement documented in policy and procedure. 2 Inclusion of governance in institutional risk assessment Standard elements - BSA officer assignment and staff training covered in risk assessment. Standard elements plus reporting structure, committees, staff experience, education levels, and responsibilities included in risk assessment. The entire previous plus measurement of accountability for senior management, corporate goals for line units, incorporation into performance/compensation structures. 3 Adequacy of BSA department staff to perform duties required Insufficient staff to perform required functions. Adequate staff to perform required functions. Staff available to perform optimal compliance program along with an available resources for backup when needed. 4 Competency of BSA department management staff BSA management or key personnel have not received sufficient training in BSA/AML; institution has not invested in outside training or professional certification for staff members. BSA management and key personnel have background in BSA/AML; attend regular training (outside the institution); institution supports staff members in obtaining or maintaining professional certifications. Institution requires higher level education for BSA department managers / BSA officer. Institution supports or requires professional certifications /2014

18 Element Weak Satisfactory Strong 5 BSA management empowered with an appropriate level of independence and authority to implement the compliance program Limited leadership role assumed outside the BSA department; pressure from other banking departments in evidence. Flexibility permitted to the BSA department management to implement policies, procedures and the program as approved. Decision making authorities given to BSA management to question business relationships, close accounts, provide input to business plans. 6 Effective reporting structure for the BSA officer and compliance function by reporting directly to the board of directors or an assigned committee Reports to a line unit, audit department, or an operational area. Reports to the board of directors through a committee authorized by the board of directors. Committee provides reports to the board, not the BSA officer. May report to the board of directors through a committee authorized by the board of directors or directly to the board. Presents reports, policies and procedures, directly to the board for discussion or approval. 7 Defined succession plan for key BSA/AML personnel ensuring the BSA program s continuity if changes in management, staffing or structure occur Only standard succession plan in place for institution. No specific plan for BSA/AML (if you do not have a succession plan in place for your institution, score 0) Defined backup plan for the BSA department should staffing problems occur as part of the BSA policy and procedure. Defined BSA succession plan for the institution s risk management area should there be changes in senior BSA management or other key personnel. 8 Sufficient education of the BSA department staff in basic, advanced, and timely BSA topics Little education provided to department staff other than that scheduled for BSA minimum requirements. Education provided in person or via webinar (in addition to basic yearly training) on advanced topics or new/ timely BSA/AML material. BSA department staff provided with some onsite training with opportunities to attend industry conference training for seasoned staff /2014

19 Element Weak Satisfactory Strong 9 Policies and procedures that clearly outline BSA/AML responsibilities of senior management and business line employees that hold these employees accountable for fulfilling BSA/AML obligations Policy regarding senior management and business line employee BSA responsibilities does not exist or is highly generic. Policy is specific in that it contains responsibilities regarding each senior management area and line unit. Policy is specific in that it contains responsibilities regarding each senior management area and line unit. Line unit and senior management goals and compensation tied to meeting BSA obligations. 10 Policies and procedures to ensure that the BSA risk assessment is updated on an appropriate basis Policy regarding the BSA risk assessment Update does not exist or is too generic (e.g., as needed ). Policy is specific in that it contains minimums (e.g., at least yearly). Policy is specific as noted previously and tracked by the secretary of the corporation for automatic review by the board of directors /2014

20 VII. Conclusion BSA/AML compliance expectations have increased each year since the passage of the USA PATRIOT Act and they are expected to continue to increase for the foreseeable future. Additionally, the increased expectations of the larger depository financial institutions are filtering down to both smaller depository financial institutions and nondepository financial institutions at a rapid pace. BSA/AML compliance can no longer be subject to business decisions by the board of directors or budgeting decisions by operations or business line units. 17 BSA/AML compliance must be addressed by the board of directors and senior management as an integral part of their overall responsibility and they must accept accountability for their actions or lack of action. The tone at the top (to quote Jennifer Shasky Calvery) can define how effectively an organization will respond to regulatory requirements. The lack of a strong and supporting tone at the top can provide significant challenges to organizations that are trying to provide proper governance to all levels within the institution. An audit of the BSA/AML governance function can help organizations in the identification of gaps in their program and potential steps for remediation. The 10 elements of BSA/AML governance are being proposed as a starting point to help bring institutions in line with current OCC, FDIC and FinCEN expectations on individual and corporate responsibility and accountability. 17 Bruemmer, Russel and Alper, Elijah, AML: A Corporate Governance Issue, The Banking Law Journal (November/December 2013)p /2014

21 Bibliography Public Law PATRIOT ACT (Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism Act of 2001) Proposed Legislation - H.R.3317 Holding Individuals Accountable and Deterring Money Laundering Act (10/24/2013) Kauffman, Ted, Why DOJ Deemed Bank Execs Too Big To Jail, Forbes (7/29/2013) Bruemmer, Russel and Alper, Elijah, AML: A Corporate Governance Issue, The Banking Law Journal (November/December 2013) Adams, Colby, OCC Chief Tells Bankers to Name Executives Responsible for AML Compliance, (3/17/2014) Monroe, Brian and Adams, Colby, Financial Institutions Paid Sharply More for AML Infractions in 2012, Data Shows, (6/4/2013) Monroe, Brian, In Enforcement Ramp-Up, FinCEN Will Issue Standalone Fines Against Banks, (3/14/2013) Monroe, Brian, As OTS Winds Down, It Seeks More AML Monetary Penalties Against Individuals, (3/29/2011) Monroe, Brian, OCC Fines Against 5 Miami Bankers Spark Concerns at Financial Institutions, (5/23/2011) McMaster, Andrew G. Jr., Vice Chairman of Deloitte LLP, Successful Onboarding for New Audit Committee Members, Wall Street Journal (1/24/2014) OCC, Testimony of the Office of the Comptroller of the Currency before the Permanent Subcommittee on Investigations of the Committee on Homeland Security and Governmental Affairs of the U.S. Senate, (7/17/2012) Thomas J. Curry, Testimony of the Office of the Comptroller of the Currency before Committee on Banking, Housing, & Urban Affairs of the U.S. Senate (3/7/2013) Remarks of Thomas J. Curry, Comptroller of the Currency, ACAMS 19th Annual International AML and Financial Crime Conference (3/17/2014) Remarks of Jennifer Shasky Calvery, Director FinCEN, ABA/ABA Money Laundering Enforcement Conference (11/19/2013) Remarks of Jennifer Shasky Calvery, Director FinCEN, Securities Industry and Financial Markets Association (1/30/2014) KPMG, Global Anti-Money Laundering Survey, (2014) Federal Financial Institutions Examination Council (FFIEC) BSA/AML Examination Manual (2006) Federal Financial Institutions Examination Council (FFIEC) BSA/AML Examination Manual (2010) 21 03/2014

22 FRB Supervisory Letter, Compliance Risk Management Programs and Oversight at Large Banking Organizations with Complex Compliance Profiles, SR 08-8 (10/16/2008) TCF National Bank, OCC Consent Order AA-CE (7/20/2010) Citibank, N.A., OCC Consent Order AA-EC (4/5/2012) In re Citigroup Inc. (Banamex, USA) Docket No B-HC (3/21/2013) In re Commerzbank AG Docket Nos B-FB and B-FBR (6/8/2012) Zions First National Bank, FinCEN Assessment of Civil Money Penalty Number Pacific National Bank, FinCEN Assessment of Civil Money Penalty Number Wachovia Bank, FinCEN Assessment of Civil Money Penalty Number Ocean Bank, FinCEN Assessment of Civil Money Penalty Number One Bank & Trust, N.A., OCC Consent Order AA-EC (10/9/2013) Banesco USA, FDIC Consent Order FDIC b OFR FI-13 (11/22/2013) 22 03/2014