Ola Tucker, founder of Compliance Notes, discusses the board of director’s oversight role with respect to a financial institution’s BSA/AML compliance program, as well as the specific responsibilities arising out of that role.
Anti-money laundering compliance has been a main focus of regulators and prosecutors in recent years. This is evidenced by the increase in criminal and regulatory penalties imposed against financial institutions for failures relating to their Bank Secrecy Act and anti-money laundering (BSA/AML) compliance programs. In light of this scrutiny, it is critical that financial institutions make AML compliance a top priority. Prioritizing compliance necessarily begins with the institution’s board of directors and a solid understanding of its role in the oversight of the BSA/AML program.
BSA/AML Program Requirements
An effective BSA/AML compliance program, which traditionally consisted of four pillars, now consists of five pillars. The fifth pillar arises out of the Customer Due Diligence Rule (CDD Rule), which took effect in May 2018. The five pillars include:
- Written policies, procedures and internal controls;
- A designated BSA compliance officer;
- An employee training program;
- Independent testing of the BSA/AML program; and
- Customer due diligence procedures.
Furthermore, BSA/AML compliance programs must be risk-based and tailored to the specific institution, including the institution’s size, geographic areas(s), customer base and the products and services offered.
Additionally, financial institutions are also subject to regulations of the U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC), and therefore should have sanctions screening processes and policies in place. This includes procedures to ensure that screening information is current to prevent accepting, processing or facilitating prohibited financial transactions. The OFAC policy and procedures are generally a part of an institution’s overall BSA/AML compliance program.
The Board of Directors’ Fiduciary Duties
The board of directors is the primary governing body of an institution; as such, it is entrusted with certain fiduciary obligations. The duties of care and loyalty are the traditional fiduciary duties owed by directors to the institutions they govern. Out of these overarching duties arise certain responsibilities, including responsibility for the oversight of the institution’s BSA/AML compliance program. The standard for the directors’ duty to oversee and actively monitor an organization, including its compliance activity, is set out in the seminal Delaware Court of Chancery case, In re Caremark Int’l Inc. Derivative Litigation, 698 A.2d 959 (Del. Ch. 1996), which held that corporate directors have an affirmative duty to establish and exercise appropriate control over some form of internal compliance activity.
Board Oversight of AML/BSA/OFAC
In order to execute their duties effectively, directors need to understand the organization’s business, have sufficient knowledge of the specific AML risks posed to the business and also understand the regulatory environment in which the business operates. It’s necessary that directors have a general understanding of BSA/AML program requirements, including the five pillars of an effective BSA/AML compliance program, particularly since enforcement actions for AML compliance have historically related to failures in one or more of the BSA/AML program pillars.
Having knowledge and understanding of BSA/AML program requirements and corresponding risks, however, does not imply that directors are expected to be AML compliance experts. Although ultimate responsibility for the BSA/AML compliance program rests with the board of directors, their role consists of oversight; the day-to-day management of the program rests with the designated BSA compliance officer.
The board’s oversight responsibility starts with setting the proper “tone at the top” and creating a culture of compliance throughout the institution. The Federal Financial Institutions Examination Manual (FFIEC Manual), which prescribes uniform standards for the supervision of financial institutions, states,
“the board of directors and management should create a culture of compliance to ensure staff adherence to the bank’s BSA/AML policies, procedures and processes.”
In order to set the proper tone throughout the organization, the board needs to demonstrate its commitment to compliance. Directors should actively inquire about potential AML risks and the overall functioning of the BSA/AML compliance program, including any identified gaps, weaknesses or other uncorrected issues, as well as the potential need for additional resources to address any program deficiencies.
The board should request updates and tracking of any milestones to ensure flaws are addressed. The board should also critically consider whether the information it receives is sufficient to make informed decisions. This entails ensuring open and honest communication, not just with the BSA compliance officer, but with the rest of senior management. It is the board’s responsibility to hold senior management accountable for the effective implementation of the BSA/AML compliance program.
The board must also have a high-level knowledge of specific fundamental elements of the BSA/AML compliance program, as these provide insight into potential risks and key vulnerabilities. This includes knowledge of suspicious activity reports (SARs) filed with the Financial Crimes Enforcement Network (FinCEN) and the results of internal and external testing and audits. It also includes the review and approval of the company’s AML and OFAC risk assessments and its AML and OFAC policies and procedures. Knowledge of these risk indicators will help the board to better understand the internal controls needed and also allow the board to work with senior management to set an appropriate risk tolerance.
Finally, the board needs to receive regular training tailored to its oversight role. The FFIEC Manual further states that “while the board of directors may not require the same degree of training as banking operations personnel, they need to understand the importance of BSA/AML regulatory requirements, the ramifications of noncompliance and the risks posed to the bank. Without a general understanding of the BSA, the board of directors cannot adequately provide BSA/AML oversight; approve BSA/AML policies, procedures and processes; or provide sufficient BSA/AML resources.” Furthermore, directors should understand the need for employees to receive AML training as well as the need for employees to receive ongoing guidance about identifying and reporting suspicious activity.
The BSA Compliance Officer’s Role in Board Oversight
The institution’s designated BSA compliance officer is appointed by the board and is responsible for the daily operations of the BSA/AML compliance program. The compliance officer’s role also includes supporting the board in meeting their oversight duties. This is the case whether the compliance officer reports directly to the board, as is recommended in the most recent Guidance Document on the Evaluation of Corporate Compliance Programs from the Department of Justice (DOJ), or to another senior executive who in turn reports to the board.
In order to sufficiently support the board, the compliance officer must first have an understanding of the board’s role with respect to the BSA/AML program and the specific duties and responsibilities that arise out of this role. It’s fundamental that the compliance officer establish an effective relationship with the board through regular communication and training. The compliance officer should educate the board regarding the requirements of an effective BSA/AML compliance program and the board’s oversight role regarding the program. At a high level, the compliance officer should keep the board apprised of key developments in the BSA/AML program, potential risks and vulnerabilities, any flaws and the ways in which they are being addressed, applicable impending legislation and its impact and the overall health of the program. It’s also critical that the compliance officer is able to discuss significant AML concerns with the board, as well as the need for additional resources.
Conclusion
The board’s oversight of an institution’s BSA/AML compliance program is crucial to its success. Board involvement goes a long way toward promoting an institution’s culture of compliance and sends a strong message that AML compliance is a company-wide responsibility. A solid understanding, by both the board and the BSA compliance officer, of their respective roles with regard to the program – as well as regular communications between board members and the compliance officer – will help ensure a strong and effective BSA/AML compliance program. Coordination of BSA/AML efforts at the highest levels better enables the financial institution to anticipate and mitigate risk, providing it with a sound risk mitigation strategy.