Supervisory Actions Taken for Bank Secrecy Act Violations
March 31, 2004
Audit Report No. 04-017
Material has been redacted from this document to protect personal privacy, confidential or privileged information.
Federal Deposit Insurance Corporation
Office of Audits
Office of Inspector General
Washington, D.C. 20434
DATE: March 31, 2004
MEMORANDUM TO: Michael J. Zamorski, Director, Division of Supervision and Consumer Protection
FROM: Russell A. Rau [Electronically produced version; original signed by Russell Rau], Assistant Inspector General for Audits
SUBJECT: Supervisory Actions Taken for Bank Secrecy Act Violations (Audit Report Number 04-017)
This report presents the results of the Office of Inspector General’s (OIG)
audit of the Federal Deposit Insurance Corporation's (FDIC) process for ensuring
corrective actions are taken by bank management to address violations (Note:
According to the Division of Supervision and Consumer Protection’s Manual of
Examination Policies, examiners report and document in the reports of examination
those situations that appear to be contraventions of law or regulation. Because
examiners are not final adjudicators, examiners qualify findings by referring
to them as "apparent violations." Our final report uses the term “violations” when
referring to situations identified, reported, and/or cited in the reports of
examinations and the FDIC’s automated tracking and reporting system. The OIG
has not made a judgment on the legalities related to the “apparent” violations
discussed in this report) of the Bank Secrecy Act (BSA) of 1970. We initiated
this audit in response to interest expressed by staff of the Subcommittee on
Oversight and Investigations, House Committee on Financial Services. The objective
of this audit was to determine whether the FDIC Division of Supervision and
Consumer Protection (DSC) adequately follows up on BSA violations reported
in examinations of FDIC-supervised financial institutions (Note: The FDIC is
the primary federal regulator of state-chartered institutions that are not
members of the Federal Reserve System. Such institutions also include state-licensed
insured branches of foreign banks and state-chartered mutual savings banks.
According to the FDIC’s Letter to Stakeholders, 3rd Quarter 2003, the number
of FDIC-supervised institutions totaled 5,343 as of September 30, 2003) to
ensure that they take appropriate corrective action. To accomplish our objective,
we reviewed the steps taken by the DSC to ensure institutions have implemented
effective corrective action to address these violations. (Note: For purposes
of this report, a distinction is made between corrective action taken by bank
management to address BSA violations and supervisory action taken by the FDIC
to ensure compliance. FDIC’s supervisory actions may include efforts to follow
up with bank management after examinations, including correspondence, and follow-up
visitations or examinations, and the use of regulatory action. Regulatory action
is defined to include informal actions (such as bank board resolutions or memorandums
of understanding) and formal enforcement actions (such as cease and desist
orders) to prompt management action.) Appendix I of this report discusses our
objective, scope, and methodology in detail. An acronyms list and a glossary
of terms used in this report are provided in Appendix VII and Appendix VIII,
respectively.
BACKGROUND
The Bank Secrecy Act of 1970, Public Law 91-508, codified to 31 U.S.C. Section 5311 et seq., requires financial institutions to maintain appropriate records and to file certain reports that are used in criminal, tax, or regulatory investigations or proceedings. Congress enacted the BSA to prevent banks and other financial service providers from being used as intermediaries for, or to hide the transfer or deposit of, money derived from criminal activity. The BSA’s implementing regulation, 31 Code of Federal Regulations (C.F.R.) Part 103, is used to aid law enforcement agencies in the investigation of suspected criminal activity such as illegal drug activities, income tax evasion, and money laundering (Note: Money laundering is the process by which criminals or criminal organizations seek to disguise the illicit nature of their proceeds by introducing them into the stream of legitimate commerce and finance.) by organized crime.
The BSA consists of two parts -- Title I, Financial Recordkeeping, and Title
II, Reports of Currency in Foreign Transactions.
- Title I authorizes the Secretary of the Treasury (Treasury Department) (Note:
For reporting purposes, we will refer to the Secretary of the Treasury as
the "Treasury Department.")
- Title II directs the Treasury Department to prescribe regulations governing the reporting of certain transactions by and through financial institutions in excess of $10,000 into, out of, and within the United States. A financial institution must file a Currency Transaction Report (CTR) (Note: According to DSC’s Manual of Examination Policies, Financial Recordkeeping and Reporting Regulations, dated February 1999, law enforcement agencies have found CTRs to be useful in tracking cash generated by illicit drug traffickers. Accordingly, comprehensive examination procedures have assisted in detecting possible money laundering resulting from drug trafficking in federally insured financial institutions.) with the Treasury Department for each cash transaction over $10,000 or multiple cash transactions by an individual in 1 business day or over a period of days aggregating over $10,000. The BSA also requires financial institutions to file Suspicious Activity Reports (SARs) with the Treasury Department when suspected money laundering activity or BSA violations occur.
Emphasis on anti-money laundering efforts has risen significantly in recent years, especially since the events of September 11, 2001. For example, in response to those events, the Congress enacted the Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism Act of 2001, Public Law 107-56 (USA PATRIOT Act, hereafter referred to as the PATRIOT Act), which expands the Treasury Department’s authority initially established under the BSA to regulate the activities of U.S. financial institutions, particularly their relations with individuals and entities with foreign ties. (Note: Hereinafter, all references to the BSA will include the PATRIOT Act amendments.) The provisions of the PATRIOT Act were designed to facilitate the prevention, detection, and prosecution of international money laundering and the financing of terrorism.
BSA Requirements for FDIC-Supervised Institutions
Section 326.8(b) of the FDIC’s Rules and Regulations, codified to 12 C.F.R. Part 326, requires each FDIC-supervised institution to develop and administer a program to ensure compliance with the BSA and 31 C.F.R. Part 103. The institutions’ boards of directors must approve the compliance program in writing, and in accordance with Section 326.8(c), the program should include four minimum requirements:
- a system of internal controls to assure ongoing compliance,
- independent testing for compliance with the BSA and 31 C.F.R. Part 103 to be conducted by bank personnel or an outside party,
- designation of individual(s) responsible for coordinating and monitoring compliance with the BSA, and
- training in BSA requirements for appropriate personnel.
Appendix II details the minimum requirements for FDIC-supervised financial institutions.
Examination Authority
The Treasury Department has overall authority for BSA enforcement and compliance; however, its regulations delegate authority to financial institution regulatory agencies, including the FDIC, to examine financial institutions for compliance. In this capacity, the FDIC has authority to (1) examine the institutions it supervises for compliance with the BSA, (2) refer BSA violations to the Treasury Department, and (3) impose regulatory actions for BSA violations. The FDIC is also required by the Federal Deposit Insurance Act (FDI Act) to:
- prescribe regulations requiring insured depository institutions to establish and maintain procedures reasonably designed to ensure and monitor compliance with the BSA,
- review such procedures during their examinations of these institutions, and
- enforce compliance with the BSA monetary transaction recordkeeping and report requirements.
The FDIC also issues regulations, Financial Institution Letters (FILs), (Note: The FDIC uses FILs to correspond with the financial institutions that it supervises. FILs may be issued for a variety of reasons, including notification of BSA requirements and other issues of principal interest to those responsible for operating a bank or savings association.) and other guidance to the financial institutions that it supervises; updates Corporation examination and training materials; and ensures that DSC examiners are adequately trained to monitor BSA compliance. DSC requires examiners to use risk-focused examination procedures to assess BSA compliance. (Note: On August 15, 2003, the DSC issued interim guidance in Transmittal 03-042, Bank Secrecy Act Examination Procedures, updating the BSA risk-focused approach. The objective of this approach is to effectively evaluate the safety and soundness of the bank, including the assessment of risk management systems, financial condition, and compliance with applicable laws and regulations, while focusing resources on the bank’s highest risks.) To accomplish this, examiners may use (1) core procedures that are considered during the basic review, (2) expanded procedures that are used to target concerns identified during the basic review, and (3) impact analyses to assess the seriousness of identified deficiencies. To assess the impact of deficiencies identified during the basic and expanded reviews, examiners determine whether BSA violations and weaknesses:
- are serious and indicate the need for civil money penalties,
- necessitate referrals to law enforcement agencies,
- necessitate a cease and desist order for cases in which a mandatory BSA compliance program was not established or maintained, and
- affect the safety and soundness of the institution.
Appendix III provides DSC’s control and performance standards and the associated risks that examiners may consider in assessing an institution’s BSA compliance program.
Referrals to the Treasury Department
According to referral guidelines issued by the Treasury Department’s Office of Financial Enforcement in October 1990, the Treasury Department has a zero tolerance level for violations of the BSA but recognizes that BSA violations are of a varying nature. The guidelines were designed to assist the financial institution regulatory agencies in determining which BSA violations by banks warrant referral to the Treasury Department “for review and possible assessment of civil and/or criminal penalties” because referrals had been made “that were not significant enough to warrant penalties.” The guidelines do not define what constitutes a significant violation. Rather, the guidelines state, “Because the determination process often is subjective, sound examiner judgment and experience also are required.” To assist with the determination process, the guidelines instruct examiners to “assess all of the facts and circumstances surrounding the violations,” including whether:
- the violations represent an isolated incident caused by human error;
- the deficiencies are indicative of significant noncompliance with the BSA and/or systemic weaknesses in the institution’s BSA compliance program;
- the types and nature of the violations are serious;
- the violations are the result of blatant, willful, or flagrant disregard for BSA requirements;
- there is a pattern of noncompliance with one or more sections of the regulations;
- the violations result from inadequate policies, procedures, or training programs; and
- the violations result from a nonexistent or seriously deficient compliance program.
DSC procedures require examiners to use the Treasury Department’s guidelines to determine when a referral is appropriate.
Regulatory Actions for Noncompliance
Failure by a financial institution to comply with the BSA can result in regulatory sanctions by either the Treasury Department or the FDIC. The BSA and its underlying regulations give the Treasury Department the authority to assess civil money penalties for violations and to authorize criminal prosecution. The FDIC is required to report all identified BSA violations to the Treasury Department and to refer violations that warrant penalties. Such referrals, however, do not preclude the FDIC from taking regulatory action when BSA violations are identified. As cited in 12 U.S.C. 1818(s), the FDIC shall issue a cease and desist order to any FDIC-supervised institution that fails to establish and maintain appropriate BSA procedures or to correct any previously reported problem with the procedures. DSC Transmittal 92-094, Bank Secrecy Act Compliance Examinations, dated July 30, 1992, provides guidance for implementing this authority. Appendix IV summarizes the Treasury Department and FDIC authority for enforcing compliance with BSA requirements.
RESULTS OF AUDIT
The FDIC needs to strengthen its follow-up process for BSA violations and has initiatives underway to reassess and update its BSA policies and procedures. Of the 5,662 financial institutions that the FDIC supervised on average for the period January 1, 1997 through September 30, 2003, FDIC’s tracking system (Note: The DSC uses FDIC’s Virtual Supervisory Information on the Net system (ViSION) to track apparent BSA violations cited in FDIC reports of examination. The DSC also uses ViSION to report BSA violations to the Treasury Department.) for BSA violations identified:
- 2,672 financial institutions, or approximately 47 percent, as being cited for one or more BSA violations; and
- 458 financial institutions, or approximately 17 percent of the 2,672
institutions, as having repeat BSA violations. (Note: Although ViSION identified
458 institutions as having repeat violations, DSC reported that violations
involving different sections of the regulation may be grouped under the same
violation code in ViSION, thus incorrectly identifying some violations as repeats.
However, because ViSION is DSC’s system for tracking apparent violations of
BSA, ViSION was used to select the sampled institutions for our audit and to
obtain a general estimate of the percentage of FDIC-supervised institutions
with repeat violations. Of the 19 institutions in our sample that were selected
because they were identified in ViSION as having repeat violations, we confirmed
that 18 had repeat violations.)
Of the sample of 41 institutions we selected to review, 27 had repeat violations. (Note: Our sample of 41 institutions included 22 institutions selected randomly by regional/area office and 19 institutions judgmentally selected because they were identified in ViSION as having repeat violations. As noted in footnote 11, we confirmed that 18 of those 19 institutions had repeat violations. In addition, 9 of the 22 institutions that were selected randomly also had repeat violations, resulting in 27 institutions with repeat violations. In addition, after issuance of the draft report to DSC for written comment, the OIG identified one more institution that had a repeat violation. However, because the DSC did not have an opportunity to review the circumstances related to that repeat violation and provide a response, the OIG did not adjust the number of repeat institutions included in this report.) Of those 27, 17 institutions (63 percent) were not subject to regulatory action for their repeat violations, although other supervisory efforts may have been in progress. Of the 10 institutions that were subject to regulatory action, only 1 was subject to a cease and desist order. DSC policy states that repeat violations cannot be tolerated and that cease and desist orders should be initiated in such cases. In addition, Section 8(s) of the FDI Act states that, “If the appropriate Federal banking agency determines that an insured depository institution … has failed to correct any problem with the [BSA] procedures … which was previously reported … by such agency, the agency shall issue an order … requiring such depository institution to cease and desist from its violation….” However, according to the FDIC’s Legal Division, enforcement authority always involves some element of discretion, including consideration of the nature of the violation and supervisory judgment as to how best to address the violation. Appendix V provides a recap of the institutions we reviewed, the types of BSA violations identified, whether the institutions were cited for repeat violations, and the types of regulatory actions taken.
For the 41 banks in our sample, we reviewed 82 reports (Note: The 82 reports include 81 examination reports and 1 follow-up visitation report that cited at least one BSA violation for the 41 sampled institutions and that were included in ViSION. The official draft report states that we reviewed 80 examination reports, but after issuance of the draft report to DSC for written comment, the OIG identified 2 additional examination reports that cited BSA violations and had been included in our analyses.) that cited apparent and often multiple BSA violations. For 25 (30 percent) of those 82 reports, the DSC waited until the next examination to follow up on some or all of the BSA violations. In addition, we noted that not all BSA deficiencies described in DSC’s examination reports were cited in the violations section of the reports. (Note: Based on discussions with DSC officials, cited violations are those violations included in the Violations of Laws and Regulations schedule of the examination reports and should be recorded in ViSION.) Also, DSC’s regional offices took various approaches to handling violations related to the filing of CTRs and to referring bank violations to the Treasury Department.
We also observed that DSC regional and field offices exercised wide discretion in deciding whether and when to follow up on the violations or take regulatory action. In some cases, more than 1 to 5 years passed before (1) bank management took corrective action that was effective to prevent repeat violations or (2) the DSC applied regulatory actions to address continuing violations. Additionally, the FDIC typically alternates examinations with state banking authorities, but the state examinations usually did not cover BSA compliance. As a result, 2 to 3 years can sometimes elapse until the next FDIC examination without any follow-up on BSA violations.
As a result of these conditions, the FDIC has not always ensured that all identified BSA violations have been included and tracked in ViSION and, therefore, has not ensured complete reporting to the Treasury Department. Further, the FDIC’s supervisory actions have not ensured to the greatest extent possible that institutions are in compliance with both the Treasury’s and the FDIC’s anti-money laundering requirements.
In responding to our observations, DSC officials explained that they focus their efforts on BSA compliance based on their assessment of the risk of money laundering activity for their supervised institutions. DSC provided us with information on a number of cases not included in our sample for which they believed supervisory efforts were successful in addressing BSA concerns. Additionally, we noted that DSC is taking steps to update its BSA guidance and is conducting a reassessment of its BSA-related policies and procedures. Furthermore, the FDIC is conducting a review of regulatory burden and is researching ways to reduce the burden of BSA filing requirements for financial institutions without hampering efforts to combat money laundering and terrorist financing.
FOLLOW-UP FOR BSA VIOLATIONS SHOULD BE STRENGTHENED
For most of the 82 reports with BSA violations in our sample, the DSC initiated timely follow-up and other supervisory actions or obtained timely evidence of bank corrective actions. However, in some cases, BSA violations were repeatedly identified in multiple examination reports before bank management took corrective action or the FDIC took regulatory action to address the repeat violations. Further, for 25 (30 percent) of the examination reports, the DSC waited until the next examination to determine whether a bank had corrected some or all of its violations. According to one DSC official, each regional office exercises discretion in assessing bank compliance with BSA requirements. The decision on whether and at what time to follow up on BSA violations is a decentralized process and, in many cases, is based on the FDIC’s view from experience that the institution represents a relatively “low risk” in terms of potential money laundering activities. This decentralized process has resulted in a wide range of follow-up actions for BSA violations and of elapsed time before supervisory actions are taken. As a result, the BSA compliance programs of some institutions have remained weak for extended periods.
We sampled 41 of the 2,672 financial institutions with BSA violations for detailed review. Of those 41 institutions:
- 35 institutions (86 percent) were cited for violations related to the Treasury Department’s financial recordkeeping and reporting requirements as prescribed in 31 C.F.R. Part 103, and
- 29 institutions (71 percent) were cited for deficient BSA programs that did not meet the minimum requirements of the FDIC Rules and Regulations.
Regarding the Treasury Department’s Regulations at 31 C.F.R. Part 103, these financial institutions were most frequently cited for:
- failure to file CTRs for nonexempted transactions over $10,000 (22 institutions);
- failure to maintain records on sales of monetary instruments of $3,000 through $10,000 (16 institutions);
- failure to furnish information required in CTRs (14 institutions);
- untimely filing of CTRs or failure to retain CTRs for 5 years (13 institutions); and
- failure to treat multiple transactions totaling over $10,000 as a single transaction (10 institutions).
Regarding the FDIC’s Rules and Regulations Section 326.8, the 41 financial institutions in our sample were most frequently cited for:
- lack of independent testing of BSA compliance (16 institutions),
- failure to develop or implement an adequate BSA compliance program (15 institutions),
- inadequate system of internal controls for BSA compliance (10 institutions), and
- failure to provide adequate BSA training (7 institutions).
Appendix VI summarizes the types of BSA violations and the numbers of institutions that had violations for the 41 sampled financial institutions for the period January 1, 1997 through September 30, 2003. These BSA violations included those recorded in ViSION and those not recorded in ViSION that had been cited in examination reports.
Responsibilities Prescribed by BSA Laws, Regulations, and Policies
Based on our review of applicable BSA laws, regulations, and policies, the DSC is responsible for taking the following steps in identifying and addressing BSA violations:
- Examine FDIC-supervised institutions for compliance (12 U.S.C. 1818(s), Compliance with Monetary Transaction Recordkeeping and Report Requirements; 31 C.F.R. 103.56(b), Enforcement; Section 10(b), Examinations, of the FDI Act; and 12 C.F.R. 337.12, Frequency of Examinations, of the FDIC Regulations and Statements of General Policy).
- Identify and report BSA violations in reports of examination and report the violations to Treasury (DSC Transmittal 92-094, dated July 30, 1992; and Manual of Examination Policies, Financial Recordkeeping and Reporting Regulations, Section 9.4).
- Give institutions an opportunity to correct violations within a reasonable period after being notified of violations (DSC Transmittal 92-094, dated July 30, 1992).
- Verify corrective measures with a follow-up visitation/examination if needed (DSC Transmittal 92-094).
- Initiate a cease and desist order if an institution has failed to establish or maintain BSA procedures or failed to correct any previously reported problem with the procedures (12 U.S.C. 1818(s) and DSC Transmittal 92-094).
- Impose civil money penalties for violations of cease and desist orders (12 U.S.C. 1818(i)(2)(ii)).
- Refer significant violations to the Treasury Department (Bank Secrecy Act Referral Guidelines for Financial Institutions, as incorporated into DSC Transmittal 91-020, dated January 31, 1991).
The FDIC Process for Follow-up and Other Supervisory Actions
The FDIC does not have a standard, nondiscretionary approach for determining when and how to follow up on BSA violations. The process used to identify, track, and report BSA violations is decentralized and is based on the judgment of DSC examiners, field office supervisors, case managers, and regional office management. (Note: One FDIC area office uses a BSA Watchlist to assist in monitoring compliance with BSA-related laws and regulations. DSC officials stated that for those institutions that are included on the watchlist, a follow-up visitation should be performed 6 months to 1 year after the examination that prompted inclusion, and an on-site follow-up should occur at least every 12 months thereafter until removal from the watchlist. Removal from the watchlist is considered if the on-site follow-up confirms adequate correction of prior BSA deficiencies.) DSC officials stated that they apply a risk-focused approach to BSA compliance, taking into consideration the specific demographics of each financial institution when deciding whether to pursue supervisory actions and the type of action necessary. According to DSC, those demographics may include the “overall profile” of an institution, including its location, asset size, history of bank management in taking corrective actions, history of violations, size of bank staff, assessment of risk related to anti-money laundering and the BSA, and composite rating. Nevertheless, our review of DSC’s examinations for the sampled banks raised concerns about instances where the FDIC:
- did not take regulatory or enforcement actions for repeat violations, or
- waited until the next examination to follow up on violations and verify whether corrective actions taken by bank management were effective.
In addition, we noted that DSC examiners sometimes cited BSA deficiencies in the violations section of the examination reports and other times did not. We also noted that DSC’s regional offices took varying approaches for handling violations related to the filing of CTRs and for referring institution violations to the Treasury Department.
Handling of Repeat Violations
With respect to regulatory actions, the DSC imposed such actions on 10 (37 percent) of the 27 institutions we sampled that had repeat violations and on 1 institution that did not have repeat violations. Of those 11 institutions for which regulatory actions were imposed:
- a cease and desist order was imposed for one institution,
- memorandums of understanding were imposed for six institutions,
- bank board resolutions were imposed for four institutions, and
- a state determination letter was imposed for one institution. (Note: The numbers total 12 because for 1 institution, both a memorandum of understanding and a bank board resolution had been imposed.)
Ten of these institutions had violations that related to both Treasury Department’s Part 103 and the FDIC’s Section 326.8, and one institution had violations related to Treasury Department’s Part 103.
As shown in Table 1, the regulatory actions were taken for institutions with varying composite ratings and a wide range of asset sizes.
Table 1: Analysis of Composite Rating and Asset Size for Institutions for Which Regulatory Actions Were Imposed
| Composite Rating | Range of Assets Size (millions) | Number of Institutions for Which Regulatory Actions Were Imposed | Type of Regulatory Action Taken: Number of Institutions with Informal Action | Type of Regulatory Action Taken: Number of Institutions with Formal Action |
| --- | --- | --- | --- | --- |
| Composite rating "2" | $5 - $122 | 4 | 4 | 0 |
| Composite rating "3" | $23 - $190 | 4 | 4 | 0 |
| Composite rating "4" | $10 - $72 | 3 | 2 | 1 |
| TOTALS | | 11 | 10 | 1 |
(Note: The composite ratings are those at time of violation for which enforcement action was issued. Asset size is based on September 30, 2003 data obtained from the FDICnet Institution Information/Institution Directory.)
Source: OIG review of the Formal and Informal Action Tracking System (FIAT) data, reports of examination, supplemental information provided by the DSC, and the FDICnet Institution Information/Institution Directory.
Although regulatory actions were taken for 10 of the 27 institutions in our
sample that had repeat violations, regulatory actions were not imposed for
the other 17 institutions that had repeat violations. DSC’s memorandum on Bank
Secrecy Act Compliance Examinations (Transmittal Number 92-094) states
that repeat violations cannot be tolerated. Furthermore, FDI Act section
8(s), codified at 12 U.S.C. 1818(s), states, “the agency shall issue an order … to
cease and desist” when the institution “has failed to correct any problem
with the [BSA] procedures … previously reported to the depository institution….” Nevertheless,
a cease and desist order was issued to only 1 institution in our sample that
had repeat violations; 17 institutions (63 percent of the institutions in
our sample) with repeat violations were not subject to regulatory action
by the FDIC.
According to the FDIC’s Legal Division, enforcement authority always involves some element of discretion. Such discretion may include consideration of the nature of the violation, supervisory judgment as to how best to address the violation, whether to apply formal or informal action, and consideration of workload priorities and resource constraints. Also, the Legal Division indicated that Section 8(s) establishes two key factors for consideration: (1) has the institution established a BSA program? and (2) are there any problems with the program? Minor violations that are not covered by one of these factors would not merit a cease and desist order under Section 8(s). However, of the 17 institutions with repeat violations that were not subject to regulatory action, only 2 institutions did not have program violations.
The DSC’s Formal and Informal Action Procedures Manual does not specifically address BSA violations, yet it does state that the belief that bank management has recognized deficiencies and will take corrective action(s) is not sufficient, in and of itself, to preclude taking regulatory action. In determining the appropriate regulatory action, DSC officials explained that, in the context of a risk-focused examination, they consider several areas: bank management’s willingness to address supervisory concerns and management’s history of responding to those concerns, demonstration of a good faith effort at correcting noted deficiencies, the condition of the institution, the overall risk posed by the identified weaknesses, and other factors.
Follow-up on Violations
DSC’s process for following up on violations cited in reports of examination includes:
- a request for the report to be considered in the bank’s next board meeting, with a record of actions taken entered into the minutes;
- a request for bank management to provide a response indicating the actions taken to eliminate each cited violation or deficiency; and
- follow-up of the corrective actions at the next examination.
Because of the significance of BSA violations, we checked whether follow-up occurred before the next examination. Specifically, for the institutions included in our sample, we checked how often and by what method DSC followed up on whether corrective actions had been taken. We considered evidence related to DSC’s follow-up actions or the banks’ corrective actions and information from the Treasury Department. As a result of our analysis of the process and our review of the 82 reports that cited apparent BSA violations, we found that:
- For 20 reports, DSC followed up or pursued regulatory action for certain violations before the next examination, including additional correspondence, visitations, and regulatory actions such as bank board resolutions, memorandums of understanding, or cease and desist orders.
- For 42 reports, DSC received evidence from bank management, Treasury’s Financial Crimes Enforcement Network (FinCEN), or the Internal Revenue Service (IRS) that certain violations had been corrected before the next examination, and in many of these instances, corrective action took place before the examination was completed.
- For 25 reports, DSC waited until the next examination to assess the adequacy of bank corrective actions for certain violations. (Note: The numbers do not total 82 because DSC used different follow-up actions for some examination reports that cited multiple violations.)
In one case, a subsequent state examination followed up on violations cited by the DSC and pursued the matter until the bank took corrective action. Most state examinations, however, did not cover BSA compliance.
Table 2 provides examples of the variety of follow-up and regulatory actions taken by the FDIC to address BSA violations. These examples are specifically related to violations cited for FDIC’s Rules and Regulations Section 326.8. Appendix II provides a detailed description of the requirements in FDIC’s Rules and Regulations Section 326.8.
Table 2: Supervisory Actions Taken for Similar BSA Violations
| INSTITUTION IDENTIFICATION NUMBER | VIOLATION | SUPERVISORY ACTIONS |
|---|---|---|
| 4 | 326.8(b) | The violation was cited during an , 1997 examination. It is a repeat violation initially cited during the institution's , 1996, examination. A bank board resolution (BBR) was adopted , 1998, more than 2 years after initial citation. |
| 12 | 326.8(b) | Violation was initially cited during the , 1998 examination for a combination of deficiencies in the bank's BSA Compliance program, including lack of independent testing. Bank officials informed the FDIC that the 1998 violation had been corrected prior to the state 1999 examination by having a Certified Public Accounting firm conduct independent testing in 1998. The 1999 state examination did not identify any BSA violations. The bank was cited for a repeat violation during the FDIC examination on , 2000 because independent testing had not been conducted since 1998 and the bank had not kept the BSA program current and approved annually. The , 2002 state examination cited the bank for lack of independent testing because no testing had been conducted since 1998. The , 2003 examination did not report this violation. No supervisory action was taken by the FDIC. FDIC officials stated ". . . that it should be noted that Part 326 does not specify the frequency of the required independent testing. The Guidelines for Monitoring Bank Secrecy Act Compliance (issued by FIL 29-96) indicate that annual testing should be conducted, but guidelines cannot be "violated" – there can be violations only of regulations." |
| 15 | 326.8(b) | As a result of violations related to safety and soundness, the FDIC and bank management signed a memorandum of understanding (MOU) on , 1999, which placed numerous requirements on the institution for compliance. Although the MOU did not specifically address BSA violations, it did refer to the requirement to correct violations of all laws. After the , 2000 examination during which BSA violations were reported, the FDIC continued the MOU. The institution's progress report for 2000 indicated that all violations had been corrected. The MOU was terminated , 2001. |
| 1 | 326.8(c)(2) | The violation was reported during the , 2000 FDIC examination. Based on that examination, bank management agreed to have testing performed in 2000. However, the violation was identified as a repeat violation during the , 2002 state examination. Bank management provided evidence that the independent testing was completed on , 2002—almost 2 years after initial citation. |
| 19 | 326.8(c)(2) | Violation was initially cited during the , 1999 examination and was repeated during the , 2001 and , 2003 examinations. As a result of the , 2001 examination, the state regulatory agency placed the bank under a Determination Letter, which was related to various safety and soundness concerns and required the bank to correct all violations of law, including the apparent BSA infractions. The institution was required to provide quarterly progress reports. The , 2003 quarterly report indicated that the BSA violation had been addressed and reviewed. The next examination conducted in 2003 indicated that all BSA violations had been corrected, and no additional violations were cited. |
| 29 | 326.8 BSA Compliance Program and 326.8(c)(2) | Violations of 326.8(b) BSA Compliance Program and 326.8(c)(2) lack of independent testing were cited during the 1998 examination, and a violation of 326.8(b) was cited during the 2000 examination. FDIC's comments for this institution indicated that officials did not consider the violations to be systemic; bank management promised appropriate action; and given the positive relationship with the regulatory agencies in the past, there was no reason to think that corrective action would not be taken; and enforcement action did not appear warranted. Further, FDIC officials stated that bank management was able to demonstrate a good faith effort at correcting the noted deficiencies and that although it took two examination cycles to clear the violations, improvement was noted at each examination. |
| 33 | 326.8(c)(2) | Violation was cited during the , 2001 examination. The institution provided evidence that corrective action was taken 14 months after the examination. |
| 37 | 326.8(c)(2) | Violation was first cited during the , 1997 examination and was included as repeat violation during the , 1999 and , 2002 examinations. The FDIC issued a cease and desist order effective , 2002, pursuant to Section 8(s)—over 5 years after initial citation—solely for violations related to lack of independent testing and employee training for BSA. The FDIC conducted a visitation on , 2002 and determined the bank to be in substantial compliance with most provisions of the order. The order was terminated , 2002. |
(Note: The number shown in the first column represents the identification number assigned for the institution. Since most of the institutions included in the OIG sample are open banks, the names of the institutions are not used for identification purposes. The numbers correspond with data shown in Appendix V.)
Source: OIG review of ViSION data, reports of examination, and supplemental information provided by DSC regional and area office officials.
As evidenced by Table 2, supervisory approaches and the time taken for follow-up on BSA violations varied.
Inconsistencies in Describing Deficiencies and Citing Violations
In reviewing DSC’s reports of examination, we observed several instances of BSA deficiencies described in the reports but not cited in the Violations of Laws and Regulations section of the reports. On the other hand, we also noted instances of similar BSA deficiencies that were cited as violations. Deficiencies that are described in the reports of examination but not cited as violations may receive less attention from bank management or in follow-up by the DSC. According to DSC officials, the examiners exercise judgment in determining the significance of BSA concerns. That judgment includes determining whether the weaknesses constitute:
- apparent violation of laws or regulations, meriting inclusion in the violations section of the examination report, or
- noncompliance with DSC guidelines, meriting only mention in the report as matters for bank management’s attention, which may be sufficient to eliminate concern.
For example, DSC officials stated that citing an institution for a lack of independent testing would be appropriate if no testing was being conducted; however, the institution would not be cited in cases in which independent testing was being conducted but the frequency or areas of coverage could be enhanced. However, we noted several instances of inconsistency in the handling of BSA deficiencies.
Deficiencies Described and Cited as Violations
During an examination conducted in 2003, a bank was cited for:
- failure to develop a BSA compliance program and provide for the continued administration of such program because the bank had weak internal controls and did not provide annual independent testing,
- lack of independent testing of BSA compliance because the bank’s BSA policy did not address annual independent testing, and
- failure to provide adequate BSA training because the bank’s BSA policy did not address annual training to be provided to all employees.
In addition, the management assessment section of the examination report stated that an outside firm had performed a limited review of BSA and recommended that the scope of independent testing be expanded.
In another example, during a 2000 examination, examiners cited a bank for lack of independent testing. The examination report noted that the bank’s BSA policy provided for a system of independent testing for compliance with the BSA, but that independent testing had not been conducted. Additionally, the report stated that the independent review did not address exemptions, (Note: The term “exemption” refers to instances in which banks are not required to file CTRs for transactions by certain categories of “Exempt Persons.” Exemptions are further defined in Appendix VIII.) a test of the bank’s recordkeeping system and the recordkeeping requirements for wire transfers and the sale of monetary instruments.
During an 2000 examination, a bank was cited for overall noncompliance with the BSA compliance program requirements because of noted “weaknesses” in the bank’s training efforts and independent testing procedures. The report further stated that while independent testing was not conducted in 1998 or 1999, the testing that was conducted in 2000 was too narrow in scope and did not review wire transfer activity. The examiner cited the bank for failure to develop or implement an adequate BSA compliance program, indicating overall noncompliance with BSA regulations, and did not limit the violation specifically to a lack of independent testing.
Deficiencies Described and Not Cited as Violations
In contrast to deficiencies cited as violations, we noted instances in which significant deficiencies were described by examiners but were not cited as specific violations:
In a 1997 examination report, DSC did not cite a bank for lack of independent testing even though the report specifically stated that bank management did not adhere to the policy guideline that required comprehensive audits of the BSA function. In addition, the report stated that certain transactions (currency) were not properly reported and that numerous errors in transaction reports were the result of the inadequate review and audit procedures. These deficiencies resulted in several violations cited in the 1997 report, such as failure to file CTRs, failure to properly document CTRs, and inadequate verification of customers’ identification, but not lack of independent testing. Further, the 2000 examination report stated that (1) the lack of independent testing of the BSA program and weaknesses in internal reviews of CTRs resulted in apparent violations, (2) the apparent violations related to the failure to provide for independent testing of the BSA program and the filing of CTRs with incomplete and inaccurate information, and (3) the independent testing deficiency was noted at the 1997 examination and remains uncorrected. The examiners cited the institution for failure to develop or implement an adequate BSA compliance program. For the subsequent examinations conducted in 2001 by the state regulatory agency and in 2002 by the FDIC, no violations related to independent testing were noted. The state examination noted that independent testing was being performed.
In another examination report for an 1997 examination, examiners described the bank’s BSA compliance program as severely lacking and further stated that there were serious deficiencies in the program. The examination report indicated that the BSA compliance program did not address record retention; internal procedures for detection, prevention, and reporting of large currency transactions and suspicious transactions related to money laundering activities; or written procedural guidelines for meeting the reporting and recordkeeping requirements of the BSA regulations. In addition, examiners noted that the program lacked an effective system of internal controls to ensure ongoing compliance. Further, examiners noted that no formal auditing procedures were evidenced that would confirm the integrity and accuracy of the systems for reporting large currency transactions. The bank’s internal auditor did perform a limited review, but did not include a review of tellers’ work or independent testing of currency transactions. Audit procedures also were lacking for adherence to recordkeeping and/or retention requirements. As a result of this examination, the bank was cited in the violations section of the examination report only for an inadequate system of internal controls and various violations related to Treasury Department’s Part 103. The bank’s deficiencies related to the lack of independent testing did not result in the citation of an apparent violation. In a joint examination conducted in 1998, the institution was cited for a lack of independent testing, an inadequate system of internal controls, and a violation related to Treasury Department’s Part 103.
In a 2003 report of examination, examiners stated that the frequency of independent testing was inadequate and that the frequency of testing should be increased to monitor the integrity of internal controls and procedures and assure compliance with related regulations and bank policy. The report also described deficiencies related to an inadequate system of internal controls. The examiners recommended that both the manual cash log and the automated system be used to ensure CTRs were filed and that tellers received training on the sequencing of cash transactions. However, the bank was not cited for a lack of internal controls to address the identified deficiencies or a lack of independent testing. Although a BSA data entry form was attached to the back of the examination report, indicating a citation for the lack of independent testing, the violation was not included in the violations section of the examination report and did not appear in ViSION. The bank was cited only for one violation—failure to file CTRs.
DSC officials stated that banks are not required to conduct independent testing on an annual basis, although annual testing is recommended in DSC Guidelines for Monitoring Bank Secrecy Act Compliance, dated August 1, 1996. DSC officials stated that because Section 326.8(c) states that independent testing should be conducted by bank personnel or an outside party and does not specifically require “annual” testing, BSA weaknesses involving a lack of annual testing should not be cited as violations. DSC officials added that banks cannot violate “guidelines”—rather, violations should be cited for noncompliance with laws or regulations only. However, our review of examination reports indicated that examiners were not consistent in this area. When citing violations related to independent testing, the examiners sometimes stated in their reports that banks were required to perform annual testing and used the DSC’s guidelines rather than the regulations as the basis for citing such violations. DSC officials also stated that banks would not necessarily be cited for a violation of independent testing if at least some testing was being conducted; however, examiners did cite some violations when testing needed to be expanded.
DSC officials also stated that examination reports go through multiple levels of review. Specifically, officials stated that the reports of examination are reviewed at the field supervisory and case manager level, and by regional office management, who all have the opportunity to reclassify these deficiencies as violations if they think a case warrants such reclassification. In addition, DSC officials stated that examiners are expected to use their judgment in determining whether BSA deficiencies should be cited as violations. Officials added that examiners include these deficiencies in reports of examination as a means to bring those issues to bank management’s attention. Further, bank management is required to address not only the cited violations, but also weaknesses that are described in reports of examinations.
Handling of Violations Related to CTRs
We also noted variations in the handling of violations related to CTRs. While conducting examinations, examiners identified instances in which financial institutions had improperly exempted customers from currency transaction reporting requirements or otherwise failed to file CTRs in accordance with 31 C.F.R. Part 103. According to DSC Transmittal 1993-149, Extension of Filing Deadline for Currency Reports Filed Transaction on Magnetic Tape, dated October 14, 1993, CTRs must be filed with the IRS within 15 days following the date of the transaction (25 days if the financial institution files electronically). For those institutions that did not file CTRs within the specified timeframe, FinCEN requests that examiners have bank officials request permission to backfile CTRs. DSC regional offices did not handle violations related to the backfiling of CTRs in a consistent manner. Some offices required the institutions to request permission to backfile, while other offices allowed the institutions, in cases that involved one or two CTRs, to file without requesting permission to backfile.
Handling of Referrals to the Treasury Department
DSC referrals of bank violations to the Treasury Department were infrequent. According to information provided by the DSC, 34 referrals were made from January 1, 1997 to December 31, 2003, and 28 referrals (82 percent) were made by 1 DSC regional office. DSC officials added that since the FDIC reports summary information on BSA violations to the Treasury Department through ViSION, Treasury sometimes requests copies of applicable examination reports based on Treasury’s analysis of the violations. The following actions have resulted from the referrals made by the FDIC from January 1, 1997 through December 31, 2003:
- 27 institutions received cautionary letters or letters of warning from the Treasury Department,
- 1 institution received a civil money penalty,
- 3 referrals were resolved by other means, and
- 3 referrals were still open.
The Treasury Department’s 1990 referral guidelines state that one of the reasons the guidelines were issued was that referrals had been made that were not significant enough to warrant penalties. Consequently, it may be advisable for DSC to discuss the referral guidelines with the Treasury Department and to request clarification. Treasury’s priorities and approaches to penalties for BSA violations may have changed since the guidelines were issued over 13 years ago.
Timeliness of Follow-up and Other Supervisory Actions
The timeliness of follow-up and other supervisory actions varied among the regional and area offices. The time period ranged from immediate (during the examination process) to over 5 years for bank management corrective action, FDIC verification of corrective action, or FDIC regulatory action. During the extended time frames, subsequent examinations determined that some previously cited BSA violations remained uncorrected even though bank management may have indicated it would take corrective action.
For 27 of the 41 financial institutions we reviewed, the examination reports or supplemental information provided by DSC showed that bank management promptly addressed certain BSA violations during the examinations or within a 12-month period after the examinations as noted below:
- Violations at 14 institutions related to the Treasury Department’s Part 103 only -- the financial recordkeeping and reporting requirements for CTRs and exemption status for specific customers;
- Violations at 4 institutions related to Treasury Department’s Part 103 and the FDIC’s Section 326.8;
- Violations at 4 institutions related to Treasury Department’s Part 103, the FDIC’s Section 326.8, and Section 353.3;
- Violations at 3 institutions related to the FDIC’s Rules and Regulations, Section 326.8 only; and
- Violations at 2 institutions related to the Treasury Department’s Part 103 and the FDIC’s Rules and Regulations, Section 353.3.
In other cases, bank management did not take action to correct cited BSA violations within a 12-month period. In these cases, more than 1-5 years elapsed before bank management took corrective action or the FDIC took regulatory action to address the violations as shown in Table 3. These cases included violations cited for both Treasury’s Part 103 and the FDIC’s Rules and Regulations, Section 326.8 and Section 353.3.
Table 3: Time Taken to Address BSA Violations
| LENGTH OF TIME FOR ACTION | NUMBER OF INSTITUTIONS (see note) |
|---|---|
| 12 months or less | 27 |
| 13 months - 24 months | 13 |
| 25 months - 36 months | 16 |
| 37 months - 48 months | 10 |
| 49 months - 60 months | 1 |
| More than 60 months | 8 |
(Note: The number of institutions will exceed the 41 sampled institutions because the length of time varied for institutions with multiple BSA violations.)
Source: OIG analysis of ViSION data and review of evaluation reports and supplemental information provided by DSC for the 41 sampled institutions.
DSC officials stated that follow-up on BSA violations often occurs at the next FDIC examination rather than between examinations. Although the FDIC can conduct visitations between regularly scheduled examinations, we identified only a few visitations based on information provided by the DSC that addressed BSA violations.
Generally, the FDIC alternated examinations of the sampled institutions with state regulatory agency examinations for those institutions. However, 45 of the 72 examination reports we reviewed from state regulatory agencies did not specifically address BSA compliance. Therefore, the FDIC could not rely on those examinations to determine whether bank management took corrective actions to address previously cited violations or to identify any new BSA violations. Consequently, follow-up by the FDIC on some previously cited BSA violations did not occur until the next FDIC examination, generally 24 to 36 months after the violations were initially identified.
The following examples illustrate inadequate follow-up on BSA violations and regulatory actions imposed and the timeliness of those actions.
- During a joint examination conducted in 1997, examiners identified significant deficiencies in the bank’s BSA policies and operating procedures. Examiners concluded that the bank’s BSA compliance program was inadequate and in immediate need of revision. The bank was cited for:
  - failure to have an adequate written bank board of directors-approved BSA compliance program,
  - lack of independent testing of BSA compliance,
  - failure to designate individuals responsible for BSA compliance,
  - failure to provide adequate BSA training—overall noncompliance with the FDIC’s Section 326.8 minimum requirements—and
  - one violation related to Treasury’s Part 103.
The bank’s president promised to take corrective action necessary for the cited violations. At the 1999 examination, the bank was cited for having an inadequate system of internal controls and lack of independent testing. During the 2002 examination, the bank was cited for numerous violations of Treasury’s Part 103, an inadequate system of internal controls for BSA compliance, and SAR violations. FDIC officials stated that no follow-up visitation was conducted for this institution after the 1999 examination and that given the promise of corrective action by the bank president within 90 days of receipt of the report, as stated in the report of examination, further follow-up was apparently determined to be unnecessary. In 2003, however, the FDIC entered into a Memorandum of Understanding with the bank for various safety and soundness issues and BSA compliance concerns.
- During examinations conducted in 1997, 1999, and 2002, a bank was cited for violations related to the lack of independent testing of BSA compliance, failure to provide adequate BSA training, and violations related to the Treasury Department’s Part 103. However, no adequate bank corrective action or supervisory action was taken until after the 2002 examination. The FDIC issued a cease and desist order effective , 2002, more than 5 years after the violations were initially cited. Violations related to the lack of independent testing and failure to provide adequate BSA training were repeat violations during the 1999 and 2002 examinations. The DSC issued a cease and desist order on , 2002 which was terminated in 2002.
- During an examination conducted in 1998, a bank was cited for violations related to a lack of independent testing for BSA compliance and failure to designate individual(s) responsible for BSA compliance. Violations of lack of independent testing were cited again during the 2001 and 2003 examinations—three consecutive FDIC examinations. Supervisory action was not taken until 2003, when the FDIC, state regulatory authority, and the bank signed a memorandum of understanding to correct the BSA violations, more than 5 years after the violations were initially cited.
- During an 1998 examination, a bank was cited for violations related to the failure to file CTRs, failure to furnish information on CTRs, improper exemptions, and failure to develop or implement an adequate BSA compliance program. The next examination, conducted in 2001, cited the bank for: failure to follow identification procedures or failure to record identification method, untimely filing of CTRs or failure to retain CTRs for 5 years, failure to furnish information required in CTRs, and failure to develop or implement an adequate BSA compliance program. DSC officials stated that the violations cited in the 1998 examination and repeat violations cited in the 2001 examination triggered a supervisory response requiring a progress report from the bank and the on-site visitation conducted in 2001.
DSC conducted a follow-up visit in 2001 and cited the bank for continued violations for: failure to file CTRs for nonexempted transactions over $10,000, untimely filing of CTRs or failure to retain CTRs for 5 years, and failure to furnish information required in CTRs. The visitation showed that bank management’s documentation of BSA training efforts needed improvement, the scope of the independent review needed to be enhanced, and internal controls could be strengthened. The visitation also noted a couple of previously cited violations involving transactions prior to the 2001 examination that either had not been corrected or the bank had not retained evidence of correction. Further, the visitation identified new violations related to the failure to furnish information required in CTRs, no record at FinCEN of IRS receipt of CTRs, and untimely filings of CTRs or failure to retain CTRs for 5 years. Based on the progress report and the visitation, DSC concluded, however, that the bank was making a good faith effort to comply with BSA and deemed that no further supervisory efforts were necessary other than regular examinations.
In contrast to the previous examples, DSC took prompt action for an institution with similar violations. During a joint examination conducted in 2003 by the FDIC and the state regulatory agency, the examiner concluded that the bank’s BSA program was less than satisfactory and further stated that the bank was in apparent violation of virtually every requirement of Section 326.8 of the FDIC Rules and Regulations. The bank was cited for the following violations related to the Treasury Department’s Part 103, FDIC’s Section 326.8 and Section 353:
- failure to file CTRs for nonexempted transactions over $10,000;
- failure to treat multiple transactions totaling over $10,000 as a single transaction;
- failure to develop or implement an adequate BSA compliance program;
- failure to have adequate written board-approved BSA compliance program;
- inadequate system of internal controls for BSA compliance;
- lack of independent testing of BSA compliance;
- failure to designate individuals responsible for BSA compliance;
- failure to provide adequate BSA training; and
- various violations related to SARs.
Within 6 months after the examination, the FDIC issued a proposed cease and desist order. The bank responded with evidence that it had taken material steps to improve its BSA compliance. DSC conducted a visitation the following month to assess the bank’s progress and concluded that the bank had exerted considerable effort in addressing the violations but that additional effort was necessary to make the bank’s BSA program satisfactory. After the visitation, the DSC provided an MOU to the institution to address the remaining concerns. The MOU became effective in 2004.
As discussed previously, the DSC conducts examinations of its supervised institutions on a 12- or 18-month cycle and usually alternates examinations with state regulatory authorities. Since the state regulators do not usually review BSA compliance at their examinations, 2 to 3 years can elapse until the next FDIC examination without any follow-up on BSA violations. This delay in ensuring that BSA violations are corrected could result in additional or continued BSA violations and could hinder the detection of criminal activity.
CONCLUSION AND RECOMMENDATIONS
The DSC has adequately followed up on some BSA violations to ensure bank management has taken appropriate corrective action. However, the DSC could better ensure that prompt and effective actions are taken by bank management to ensure compliance with BSA regulations.
In light of the increased congressional interest in BSA compliance and emphasis on national security concerns, DSC should re-evaluate and update its examination guidance to help ensure adequate DSC follow-up and timely corrective action by bank management. DSC should also discuss and update the referral policy with the Treasury Department, encourage state coverage of BSA compliance, and develop alternative processes to compensate for the lack of state coverage of BSA compliance. We noted that DSC is currently conducting a reassessment of its BSA-related policies and procedures to update its BSA guidance and may be able to address our recommendations in conjunction with this assessment.
Recommendations
We recommend that the Director, DSC:
- Re-evaluate and update examination guidance to strengthen monitoring and follow-up processes for BSA violations, including:
  - prompt, appropriate, and consistent regulatory action in cases where management action is not timely, including cease and desist orders for repeat violations as appropriate;
  - consistent and timely follow-up of BSA violations between examinations to ensure management is taking corrective action;
  - consistent citation and recordation of all apparent violations in reports of examination and in ViSION; and
  - a consistent approach to the backfiling of CTRs.
- Review DSC’s implementation of the process for referring institution violations of BSA to the Treasury Department, and discuss with Treasury the need to update or modify the referral guidelines based on changes in priority and approach in recent years.
- Coordinate with state regulatory agencies to cover BSA compliance in state examinations of FDIC-supervised institutions and for those states that do not cover BSA compliance, develop an alternative FDIC process to address BSA compliance when relying on alternating state examinations.
CORPORATION COMMENTS AND OIG EVALUATION
On March 22, 2004, the DSC Director provided a written response to the draft report. The response is presented in Appendix IX to this report. DSC concurred with the three recommendations. As part of its appended response, DSC provided a legal opinion by the FDIC General Counsel and an unaudited DSC internal assessment of its program to evaluate bank compliance with the BSA.
In addressing Congress’s intent in Section 8(s) of the FDI Act, which states that the appropriate federal banking “agency shall issue an order… requiring such depository institution to cease and desist from its violation” in cases of repeat violations of requirements for establishing and maintaining BSA procedures, the General Counsel’s legal opinion provides the following guidance:
The absence of a mandate to bring a cease and desist action to address every violation of Section 8(s) or the regulations does not imply that the alternative is to take no action. To the contrary, the statutory intent must be to take an appropriate corrective action based upon the severity of the problem, the risks it poses, and the bank’s willingness to comply expeditiously.
The audit, however, identified cases where DSC had not taken regulatory action to address repeat violations of these BSA requirements. We also observed numerous violations for which bank management indicated a willingness to take corrective actions to prevent recurrence of those violations. However, in several cases, corrective action either was not implemented or was implemented but was not effective in preventing repeat violations. In our opinion, a bank’s indicated willingness to correct violations should be only one factor considered in determining whether to impose regulatory action. This conclusion is also supported by the FDIC’s Formal and Informal Action Procedures Manual, which states that “The belief that the institution’s management has recognized the deficiencies and will institute corrective action is not a sufficient basis, in and of itself, to preclude taking corrective action.”
DSC’s response provided detailed analyses and comments on several issues that relate to DSC’s overall BSA program. Because our audit focused on supervisory actions taken in response to BSA violations, not DSC’s overall BSA program, we offer no response to these comments. However, in reviewing DSC’s other comments that relate generally to our audit and specifically to our audit results and scope, there are several issues that warranted further discussion and clarification.
General DSC Comments on Audit
- DSC Statement:
“. . . the DSC’s approach has been to differentiate between serious BSA program problems within an institution versus isolated and technical weaknesses. In practice, isolated and technical weaknesses can be addressed within the normal course of supervisory process.”
OIG Response:
During this audit, DSC officials initially stated that they do not “. . . generally characterize BSA violations as either substantive or technical,” consistent with the “zero tolerance” policy espoused by the Treasury Department. Accordingly, we included in the universe for the selected sample all BSA violations recorded in ViSION. We based our analyses and conclusions on the premise that DSC’s approach to such violations would not differentiate between substantive and technical violations. After being provided the preliminary results of the audit, DSC then indicated that, in fact, it does differentiate between BSA violations based on significance, but could provide no basis upon which these determinations are made. Contrary to DSC’s assertion, for the sample of institutions we reviewed, we found little or no evidence to indicate that there was a distinction made among BSA violations in deciding whether or in what manner follow-up action would be taken.
- DSC Statement:
“Therefore, we do not concur with the inference that the FDIC’s supervisory actions are materially lacking or that an increased risk of money laundering exists in the institutions for which we are the primary federal regulator.”
OIG Response:
We continue to conclude that the FDIC needs to strengthen its follow-up process for BSA violations, based on the following:
- Of the 41 institutions sampled, 27 institutions (66 percent) had repeat violations for multiple examinations; 17 (63 percent) of the 27 institutions did not have any type of regulatory action imposed.
- Of the 17 institutions for which no regulatory actions had been taken, 15 had repeat violations related to FDIC’s Section 326.8, which establishes the minimum requirements for a BSA compliance program.
- We reviewed 82 reports for the 41 sampled institutions. Twenty-five (30 percent) of the reports cited violations for which the DSC waited until the next examination to follow up. Additionally, in many cases, alternating examinations conducted by state regulatory agencies did not address BSA and/or did not follow up on previous violations cited in FDIC reports of examinations. For those states that do not assess BSA compliance, 2 to 3 years could elapse without BSA examination coverage for institutions in those states.
- DSC regional and field offices are inconsistent in deciding whether or when to follow up on BSA violations or to take regulatory action.
- Numerous reports of examination described deficient BSA compliance programs but did not cite violations, which we have concluded may receive less attention from bank management and from the DSC in its follow-up efforts.
- Inconsistencies exist among DSC regional offices in deciding how to handle violations related to the backfiling of CTRs.
- Inconsistencies exist among DSC regional offices in making referrals to the Treasury Department; of the 34 referrals made by the FDIC, 28 (82 percent) were made by 1 DSC regional office.
- All identified BSA violations have not been included and tracked in the FDIC’s automated system, ViSION, and as a result, not all BSA violations have been reported to the Treasury Department.
These problems, taken collectively, represent increased risk of illegal activity going undetected and unreported.
- DSC Statement:
“In 38 of the 41 cases, we found the supervisory actions to be consistent with the problems identified and the risks posed by the circumstances.”
OIG Response:
These 38 cases included 25 institutions with repeat violations and 13 institutions that did not have repeat violations. Of these 25 institutions with repeat violations, 15 institutions (60 percent) had been cited for violations of the FDIC’s Rules and Regulations Section 326.8, indicating noncompliant BSA programs for multiple examinations. Ten institutions (40 percent) had been cited for repeat violations related to either the Treasury Department’s Part 103 or the FDIC’s Section 353.3, indicating noncompliance with Treasury’s reporting and recordkeeping requirements related to CTRs or SARs. Many of these institutions with repeat violations were not subject to any regulatory action. In our opinion, regulatory action was appropriate under these circumstances.
- DSC Statement:
“The OIG also did not look at supervisory actions taken in instances of serious BSA program deficiencies, analyze the risk for money laundering in the sample institutions, have discussions with examiners, or assess the BSA examination process.”
OIG Response:
DSC has introduced matters that were not the subject of this audit. We selected a sample of institutions with BSA violations identified by FDIC examiners. We did not add to our sample those institutions for which DSC considered that it had done a good job of addressing BSA program deficiencies. Similarly, we did not alter our sample to focus on institutions that DSC now considers to be at higher risk for illegal activities. There was no evidence to indicate that DSC had systematically analyzed the risks at our sample institutions. The documented risk analyses provided to us after our audit had started were not contemporaneously prepared with the BSA examinations performed. We did not include the entire BSA compliance examination program in the scope of our audit. Therefore, we did not interview examiners or review examination working papers. Those activities were not required to meet our audit objectives. Rather, we focused on actions taken on reported violations. During the audit, however, we did provide our analysis of BSA actions to DSC and requested that DSC address the questions we raised and provide its input on our preliminary findings. In doing so, we relied on DSC management to enlist appropriate staff, including examiners, in providing its responses and any additional evidence of supervisory actions for us to consider in reaching our conclusions.
- DSC Statement:
“We do not concur with the OIG’s criticism that recommendations for improvement and the supporting discussion may be confused with apparent violations of the BSA.”
OIG Response:
The requirements for an adequate BSA compliance program based on the FDIC’s Rules and Regulations Section 326.8 are explicit. Each FDIC-supervised institution is required to develop and administer a program to ensure compliance with the BSA and 31 C.F.R. Part 103. The institutions’ boards of directors must approve the compliance program in writing and in accordance with Section 326.8(c). The program should include four minimum requirements:
- a system of internal controls to assure ongoing compliance,
- independent testing for compliance with the BSA and 31 C.F.R. Part 103 to be conducted by bank personnel or an outside party,
- designation of individual(s) responsible for coordinating and monitoring compliance with the BSA, and
- training in BSA requirements for appropriate personnel.
Accordingly, our position is that institutions not meeting the minimum requirements specified by Section 326.8 do not have an adequate BSA compliance program and have violated the BSA. We noted cases in which FDIC examiners described deficiencies in institutions’ BSA compliance programs, including cases in which the programs did not meet the minimum requirements outlined in Section 326.8. However, the examiners did not specifically cite the deficiencies as BSA violations.
We continue to conclude that deficiencies described in the reports of examination, but not cited as violations in the Violations of Laws and Regulations section of the reports or recorded in ViSION, receive less attention from bank management and/or in follow-up by the DSC. Documentation provided by DSC on follow-up of examination results did not identify responses from bank management on deficiencies that were described but not cited as violations in reports of examination. In addition, we identified multiple examinations that described but did not cite violations, allowing them to continue for extended periods. In some cases, subsequent examinations cited the violation. We also noted that examiners were inconsistent in citing BSA violations – the same violations at different institutions were being treated dissimilarly for examination report purposes.
General Comments on Audit Results:
- Our determination of the adequacy of follow-up for BSA violations that had been cited for the sampled institutions was based on the (1) timeliness of corrective action by bank management and/or follow-up by the FDIC and (2) effectiveness of follow-up in preventing repeat BSA violations. We continue to conclude that it is ineffective to wait for follow-up until subsequent examinations, especially when state regulatory agencies do not review BSA. In addition, we continue to conclude that BSA violations, particularly repeat violations, should be followed up in a timely, effective manner, regardless of an institution’s location, asset size, deposit base, familiarity with its customer base, stability of management and employee base, and number of reportable transactions. Delays or inadequate follow-up can send the wrong message to possible wrongdoers – that BSA violations receive less attention at certain types of institutions, such as those that do not fit DSC’s high-risk profile. Also, more serious consideration of other forms of regulatory action, up to and including cease and desist orders, is warranted.
- DSC stated that our evaluation of the adequacy of follow-up for the 41 sampled institutions did not consider DSC’s categorization of “BSA/AML risk profiles” (BSA/anti-money laundering). However, according to DSC, the division did not have BSA risk-profile definitions and had no plans to define BSA risk profile(s). During the audit, DSC requested regional and area office officials to (1) evaluate BSA risk for the institutions included in our sample so that DSC could make an evaluation of each situation and (2) focus on the institutions that we identified as receiving less than “adequate” corrective action by the bank or follow-up by DSC personnel. In the regions’ efforts to evaluate each institution and in cases where the audit report identified deficiencies, DSC also asked the regions to assess the money-laundering vulnerability of each institution based on factors relevant to each institution and to the specific situations we identified. We concluded that those assessments were not prepared contemporaneously with the examinations, but were made only for the purpose of responding to our audit. Therefore, the assessments were not official management tools to assist in planning or conducting the examinations. However, in reviewing information DSC provided in its official written response relative to the BSA risk profiles, including whether the institutions were located in Metropolitan Statistical Areas (MSAs) and High Intensity Money Laundering and Related Financial Crime Areas (HIFCAs), we noted the following for the institutions for which regulatory actions had been taken by the DSC or initiated by state regulatory agencies:
- Our review of the 41 sampled institutions identified 11 for which regulatory actions had been taken. Of these 11 institutions, 9 (80 percent) were not located in MSAs and 9 (80 percent) were not located in HIFCAs.
- According to the examination reports that prompted regulatory action, four institutions had composite ratings of 2 and management ratings of 2. DSC considered three of the four institutions to have a “low” BSA risk profile. The remaining institution was located in an HIFCA.
- According to the examination reports that prompted regulatory action, four institutions had composite ratings of 3 and management ratings of 3. One of the four institutions was considered by the DSC to have a “high” BSA risk profile. The remaining three institutions were not located in either an MSA or HIFCA.
- According to the examination reports that prompted regulatory action, three institutions had composite ratings of 4 and management ratings of 3, 4, or 5.
  - The one institution with a 3 management rating was issued a cease and desist order; the institution was not located in either an MSA or HIFCA and had a “low” BSA risk profile according to DSC.
  - The institution with a 4 management rating was issued a memorandum of understanding and had a “moderate/low” BSA risk profile according to DSC.
  - The institution with a 5 management rating was issued a determination letter but had a “low” BSA risk profile according to DSC.
Based on this analysis, neither the institution’s BSA risk profile nor its location in an MSA or HIFCA appeared to play a significant role in determining whether to impose actions against the institutions. Only 1 of the 11 institutions had a high BSA risk profile assigned by the DSC, and only 2 were located in HIFCAs. Additionally, actions were not imposed on three institutions with repeat BSA violations which DSC identified as having a “moderate” or “moderate/high” risk profile.
- Our review of information provided by the DSC regarding referrals made to FinCEN for FDIC-supervised institutions showed that there were 208 referrals during the audit scope period of January 1, 1997 through September 30, 2003. Of those 208 referrals, DSC made only 34 referrals (16 percent), and the remaining referrals were made by other sources, such as FinCEN, the IRS, or the institutions themselves. As previously indicated, 28 of these 34 referrals were made by 1 of the 6 DSC regions.
General Comments on Audit Scope
- We informed the DSC of our audit scope and methodology for achieving the audit objective. The objective was to review a sample of BSA violations for the audit scope period to determine whether DSC adequately follows up on BSA violations reported by examinations of FDIC-supervised financial institutions to ensure that institutions take appropriate corrective action. Accordingly, we limited the audit results and findings to issues specifically related to the agreed-upon audit objective. We based our conclusions on the FDIC’s automated system data, supplemental data provided by the DSC, and our review of reports of examination from both the Corporation and state regulatory agencies. The FDIC did not inform us until the end of our field work that it had identified inaccuracies in BSA data resident in its information systems resulting from the conversion from a prior system to ViSION. For the institutions in our sample, we verified the data used in this audit to the reports of examination and DSC’s supplemental data.
- The banks which DSC referred to in its response as “inactive” became inactive more than 12 months after the examinations for which BSA violations had been cited. Accordingly, we did not delete those institutions from the sample selection. In addition, two other institutions referenced in DSC’s response had been deleted from our sample analyses and were not included in our findings and conclusions.
- DSC’s comment that we did not request reports of examination for one of the sampled institutions is incorrect because we made a global request for all reports of examination associated with the institutions in our sample, including the FDIC's examination reports and those from state regulatory agencies.
- DSC stated that the community banks it supervises have a strong inherent deterrent to money laundering because they operate in areas where bank management’s knowledge of customers is high, making criminal activity harder to disguise. This information is relevant to the examination and potentially to reporting BSA violations, but not to the pursuit of corrective action on known BSA violations. We did not assess how well management for the 41 sampled institutions knows their customers, but limited our assessment of BSA compliance to (1) results described in the examination reports and captured in ViSION and (2) information on the regulatory actions imposed for noncompliance.
During our audit, the FDIC did not have a corporate objective specifically related to BSA. However, in the course of preparing our final report, we became aware that such an objective recently had been established. The Corporation's final 2004 Corporate Performance Objectives, as approved by the FDIC Chairman, includes the following objective:
Implement revised examination and enforcement strategies/guidance, as appropriate, to address OIG/GAO [General Accounting Office] audit findings relating to the Bank Secrecy Act, anti-money laundering programs, and counter-terrorist financing. Develop and implement a communications strategy to facilitate industry understanding of newly implemented regulations in these areas.
We support this objective as a positive action on the part of the Corporation because the objective will prompt a concerted effort and focus attention on strengthening follow-up on reported BSA violations.
DSC Responses to OIG Recommendations
Presented below are DSC’s responses to the specific recommendations made in our audit. The recommendations are considered resolved, undispositioned, and open until the corrective actions are implemented.
Recommendation 1: Re-evaluate and update examination guidance to strengthen monitoring and follow-up processes for BSA violations, including:
- prompt, appropriate, and consistent regulatory action in cases where management action is not timely, including cease and desist orders for repeat violations as appropriate;
- consistent and timely follow-up of BSA violations between examinations to ensure management is taking corrective action;
- consistent citation and recordation of all apparent violations in reports of examination and in ViSION; and
- a consistent approach to the backfiling of CTRs.
DSC agreed with this recommendation. By March 30, 2005, and as part of current initiatives to revisit and update FDIC guidance and with inter-agency cooperation, the DSC will address formal supervisory actions, follow-up actions, citation of apparent violations and recordkeeping, and backfiling of CTRs. The DSC will also work with the FDIC Legal Division to clarify and update, as necessary, enforcement action guidance on BSA.
Recommendation 2: Review DSC’s implementation of the process for referring institution violations of BSA to the Treasury Department, and discuss with Treasury the need to update or modify the referral guidelines based on changes in priority and approach in recent years.
DSC agreed with the recommendation. By year-end 2004, the DSC representative to the Financial Crimes Enforcement Network’s Bank Secrecy Act Advisory Group will introduce the question raised on referral guidelines at an upcoming meeting of the group.
Recommendation 3: Coordinate with state regulatory agencies to cover BSA compliance in state examinations of FDIC-supervised institutions and for those states that do not cover BSA compliance, develop an alternative FDIC process to address BSA compliance when relying on alternating state examinations.
DSC agreed with this recommendation. DSC stated that it is focused on strengthening processes to address variations in the state examination coverage of BSA and believes this action will increase the consistency and reliability of the follow-up to its BSA examinations. DSC expects to complete its review and revisions to BSA guidelines and procedures for BSA coverage during state examinations by March 30, 2005.
APPENDIX I
OBJECTIVE, SCOPE, AND METHODOLOGY
Objective
The audit objective was to determine whether the Federal Deposit Insurance Corporation (FDIC) Division of Supervision and Consumer Protection (DSC) adequately follows up on reported Bank Secrecy Act (BSA) violations to ensure that institutions take appropriate corrective action. To accomplish our objective, we reviewed supervisory actions that DSC has taken to ensure compliance, including efforts to follow up with bank management after examinations and the use of regulatory actions to prompt management action. We conducted the audit in accordance with generally accepted government auditing standards from November 2003 through January 2004.
Scope and Methodology
We held an entrance conference and conducted interviews with officials from DSC headquarters and DSC’s regional and area offices. In addition, we held periodic briefings with DSC officials and solicited their opinions and comments regarding the BSA violations and supervisory actions included in our review. We also interviewed officials in DSC’s Special Activities Section who are responsible, along with regional offices, for coordinating and monitoring DSC’s field and regional efforts for identifying, reporting, and tracking BSA violations and issuing related enforcement actions.
To gain an understanding of procedures that the DSC uses to determine compliance with the BSA, we reviewed the DSC Manual of Examination Policies, and various transmittals, directives, and guidelines issued by the FDIC or the Treasury Department. Further, we reviewed DSC memoranda to obtain an understanding of the processes and procedures used to identify, report, track, and follow up on BSA violations. We also interviewed officials responsible for the Virtual Supervisory Information On the Net system (ViSION), the automated system used by the DSC to compile information on BSA violations as well as to track these violations.
We also reviewed data from applicable FDIC automated systems; reviewed information from other sources, including FDIC and state reports of examination (ROEs); and analyzed DSC supplemental data, including information from FDIC correspondence files and data on the overall profile of financial institutions. To determine the number and type of BSA violations identified during DSC’s examinations of FDIC-supervised institutions from January 1, 1997 to September 30, 2003, we obtained and reviewed ViSION data that included the following:
- each institution’s certificate number, name, and location;
- dates of ROEs that reported BSA violations;
- BSA violation codes, descriptions, and numbers of occurrences; and
- types of violations (including repeat and nonrepeat violations).
Table 4 provides a synopsis of the ViSION data, by DSC regional and area offices.
Table 4: FDIC-Supervised Financial Institutions With BSA Violations From January 1, 1997 Through September 30, 2003 and Financial Institutions with Repeat Violations Based on ViSION Data

| DSC Regional or Area Office | Number of Financial Institutions With BSA Violations (1) | Number of Financial Institutions with Repeat BSA Violations (2) | Percent of Regional/Area Office Institutions with Repeat BSA Violations |
|---|---|---|---|
| Atlanta | 234 | 44 | 19 |
| Boston | 142 | 23 | 16 |
| Chicago | 446 | 43 | 10 |
| Dallas | 284 | 52 | 18 |
| Kansas | 963 | 205 | 21 |
| Memphis | 348 | 68 | 20 |
| New York | 72 | 3 | 4 |
| San Francisco | 183 | 20 | 11 |
| Totals | 2,672 | 458 | 17 |

1) Total number of financial institutions that had one or more BSA violations recorded in ViSION for examinations completed during the period noted.
2) Total number of financial institutions that had one or more BSA violations recorded in ViSION for examinations completed during the noted period, with at least one of those violations identified as a repeat violation.
Source: OIG review of ViSION data on BSA violations for the noted period.
Based on the ViSION data, we selected a random sample (Note: From the random sample of institutions with BSA violations, we judgmentally selected three institutions from each regional and area office for detailed review. We restricted the sample size to three rather than five due to the constricted time frame to complete the audit. The selection of those institutions for review was based strictly on the randomly generated numbers without giving any consideration for the institutions' violations recorded in ViSION or demographic information. We later made adjustments to the number of randomly selected institutions reviewed as shown in Table 5) from the universe of BSA violations and a judgment sample of repeat violations. Of the total 2,672 financial institutions for which BSA violations had been reported in ViSION, we reviewed 41 institutions in detail. The random sample consisted of 22 institutions selected from the 8 DSC regional or area offices, and the other 19 institutions consisted of a judgment sample of institutions with repeat violations. Of those 19 institutions, we confirmed that 18 had repeat violations. The random sample of 22 institutions also included 9 institutions with repeat violations so that, in total, 27 institutions with repeat violations were in our sample. Table 5 provides a breakdown of those 41 institutions, by FDIC office.
(1) Includes financial institutions that (1) became inactive or merged with another institution less than 12 months after BSA violations were identified, (2) were cited for BSA violations in examinations conducted less than 12 months before the end of the audit scope period, and (3) were determined not to be institutions with repeat violations, which was the initial basis for their selection.
Source: OIG review of ViSION data on BSA violations for the period January 1, 1997 through September 30, 2003; and FDIC institution directory information on the status of financial institutions.
Our specific objectives in reviewing the sampled financial institutions were to determine:
- the types of BSA violations identified during examinations;
- the types of corrective actions that financial institution management implemented or the supervisory actions FDIC pursued for BSA violations;
- differences in the type of BSA violations and actions recorded in ViSION and in the ROEs; and
- whether enforcement actions were recorded in the FDIC’s Formal and Informal Action Tracking system (FIAT) (Note: FIAT is the FDIC’s system for tracking the status of informal supervisory actions and formal enforcement actions. In conjunction with reviewing information from FIAT, we also reviewed FDIC’s Formal and Informal Action Procedures Manual.) for BSA violations identified for the sampled institutions.
In addition, we requested that DSC provide all ROEs for the sampled 41 financial institutions for the period January 1, 1997 through September 30, 2003. Nine of those ROEs were not available for review, primarily for examinations conducted January 1, 1997 through December 31, 1999, because the ROEs either had been archived and were not retrieved or were state examination reports that had not been retained and, therefore, were not available. Because the FDIC and state regulatory agencies usually alternated examination responsibilities and may occasionally conduct joint examinations, we also requested and reviewed available state examination reports for the sampled financial institutions for the same period. We reviewed 200 ROEs—128 ROEs from the FDIC and 72 ROEs from state regulatory agencies.
To determine the number and type of regulatory actions related to BSA in general and specifically for our sampled institutions, we reviewed reports on formal and informal actions recorded in FIAT and supplemental information that DSC provided. We also discussed the FDIC’s position on the circumstances for which the FDIC might consider formal or informal actions for BSA violations.
We provided specific questions on the BSA violations to DSC officials and requested that they provide supplemental information on (1) related corrective actions taken by bank management or regulatory actions imposed by the FDIC and (2) follow-up activities conducted by the FDIC on those violations. For those institutions that were cited for BSA violations related to the filing of Currency Transaction Reports (CTR), we used the FDIC’s CTR Backfiling Request report for the period January 1, 1999, through September 30, 2003, in conjunction with supplemental information from DSC, to determine whether CTRs had been filed for the previously cited violations. Because DSC examiners were not required to track BSA violations related to Suspicious Activity Reports (SAR) in the FDIC’s ViSION system prior to October 2003, our review of SAR violations was limited to information obtained from ROEs provided to us for the sampled institutions.
Our verification of computer-processed data was limited to comparing data obtained from ViSION to data reported in the ROEs and DSC’s supplemental information. We identified inconsistencies in some of the ViSION data when compared to the ROEs and supplemental information. According to DSC officials, the March 2003 conversion from a prior system to ViSION may have led to incomplete records in ViSION for information predating the conversion, and system data entered prior to the conversion may not be fully complete or accurate because edit checks were less thorough in the previous system. To compensate for these inconsistencies, we based our observations on a pooling of the data available from multiple hardcopy and electronic sources and did not rely on any one source except in making our initial sample selection from the data in ViSION. However, we did not validate DSC’s assertions and there is a risk that our audit procedures may not have identified instances, if any, where violations were not included in the prior system and thus not reported to Treasury.
Management Controls Reviewed
We gained an understanding of the management control activities associated with the identification, reporting, and tracking of BSA violations by reviewing DSC’s policies and examination procedures and by performing limited testing of ViSION data. Additionally, we reviewed FDIC’s responsibilities as a financial institution supervisor related to the following:
- The Bank Secrecy Act of 1970, codified to 31 U.S.C. Section 5311 et seq. (BSA), also known as the Currency and Foreign Transactions Reporting Act.
- Code of Federal Regulations (C.F.R.), Title 31—Money and Finance; Subtitle B—Regulations Relating to Money and Finance; Chapter 1—Monetary Offices, Department of the Treasury; Part 103—Financial Recordkeeping and Reporting of Currency and Foreign Transactions, the BSA’s implementing regulations.
- Section 8(s) of the FDI Act, codified to 12 U.S.C. 1818(s), which requires each federal banking agency, including the FDIC, to (a) prescribe regulations requiring insured depository institutions to establish and maintain procedures reasonably designed to ensure and monitor compliance with the BSA, (b) review such procedures during their examinations of these institutions, and (c) enforce compliance with the BSA monetary transaction recordkeeping and report requirements.
- Section 326.8(b) of the FDIC’s Rules and Regulations, codified to 12 C.F.R. Section 326.8, which requires each FDIC-supervised institution to develop and administer a program to ensure compliance with the BSA and 31 C.F.R. Part 103.
- The FDIC Rules and Regulations 12 C.F.R. Part 353 related to the filing of Suspicious Activity Reports.
- Title 12 U.S.C. 1829b, the recordkeeping requirements for insured financial institutions.
During our review, we identified actions that DSC could take to improve management controls over the corrective action process for BSA violations, as described under Results of Audit.
Government Performance and Results Act
We reviewed DSC’s performance measures under the Government Performance and Results Act, Public Law 103-62 (GPRA). We determined that the FDIC did not have a corporate performance objective specifically related to the BSA. However, according to the FDIC’s 2003 Annual Performance Plan and as shown in Table 6 on the next page, the FDIC has established the following strategic goal and objective and annual performance goals related to its supervision and examination responsibilities that include BSA in general.
Table 6: Performance Measures Related to Supervision and Examinations
| STRATEGIC GOAL | STRATEGIC OBJECTIVE | ANNUAL PERFORMANCE GOAL |
| --- | --- | --- |
| FDIC-supervised institutions are safe and sound. | FDIC-supervised institutions appropriately manage risk. | Conduct on-site safety and soundness examinations to assess an FDIC-supervised insured depository institution's overall financial condition, management practices and policies, and compliance with applicable regulations. Take prompt supervisory actions to address problems identified during the FDIC examination of FDIC-supervised institutions identified as problem insured depository institutions. Monitor FDIC-supervised insured depository institutions' compliance with formal and informal enforcement actions. |
Source: Federal Deposit Insurance Corporation 2003 Annual Performance Plan
Fraud and Illegal Acts
The limited nature of the audit objective did not require that we assess the possibility for fraud and illegal acts. Although we were alert to the possibility of fraud and illegal acts, no instances came to our attention.
Prior Audit Coverage
We reviewed the OIG’s audit report entitled Examination Assessment of Bank Secrecy Act Compliance (Audit Report Number 01-013, dated March 30, 2001) to obtain an understanding of previous OIG audit work related to the BSA. The objective of that audit was to determine the extent to which FDIC safety and soundness examinations reviewed institutions’ compliance with the BSA. As a result of that audit, the OIG recommended improvements in the FDIC’s documentation of work related to the BSA. FDIC officials generally concurred with the OIG’s recommendations and agreed to implement procedures or issue guidance to address the OIG’s concerns. We did not follow up on these recommendations or assess the adequacy of BSA examination procedures and documentation during this current audit.
In addition, we coordinated with the U.S. General Accounting Office to determine whether there were any previous or ongoing audits or reviews related to BSA violations by FDIC-supervised institutions and associated supervisory actions. We also reviewed the applicable section of the DSC Regional Office Review Program to determine whether regional office reviews cover BSA violations and BSA-related enforcement actions. Based on these actions, we determined that except for the FDIC OIG’s BSA-related report noted above, there was no prior or ongoing work related to the objective of this audit. In addition, we contacted the OIG Counsel’s office to obtain information related to statutory requirements and analysis of enforcement authority for the Treasury Department and the FDIC.
We also reviewed Treasury Department Web sites to obtain information on the BSA and a September 2003 report entitled OTS: Enforcement Actions Taken for Bank Secrecy Act Violations, which was prepared by the Treasury Department OIG on the Office of Thrift Supervision’s BSA enforcement.
During this audit, we did not do the following:
- Determine the adequacy of the examinations that identified the BSA violations.
- Review the underlying workpapers generated by DSC examiners or interview the field office supervisors or examination staff responsible for examining the institutions included in our sample.
- Interview state banking authorities regarding their ROEs or BSA coverage.
APPENDIX II
FDIC RULES AND REGULATIONS (12 C.F.R. Section 326.8) ON BSA COMPLIANCE AND FDIC GUIDELINES FOR MONITORING COMPLIANCE WITH SECTION 326.8
Section 326.8(b)(1) |
Requires that on or before April 27, 1987 each bank shall develop a BSA compliance program and provide for the continued administration of such a program. |
Section 326.8(b)(1) |
Requires that the BSA compliance program shall be in writing, approved by the board of directors and noted in the minutes. |
Section 326.8(c)(1) |
Requires that the written BSA compliance program provide for a system of internal controls to assure ongoing compliance by:
- identifying all reportable transactions;
- ensuring that all required reports are completed accurately and properly filed;
- ensuring that customer exemptions are properly granted and recorded;
- providing for adequate supervision of employees who accept currency transactions, complete reports, grant exemptions, or engage in any other activity covered by 31 C.F.R. Part 103; and
- establishing dual controls and providing for separation of duties.
|
Section 326.8(c)(2) |
Requires that the written BSA compliance program provide for a system of independent testing for compliance by bank personnel or by an outside party. Independent testing should:
- be conducted at least annually, preferably by the internal audit department, outside auditors, or consultants; and
- include, at a minimum:
  - a test of the institution's internal procedures for monitoring compliance with the BSA,
  - a sampling of large currency transactions followed by a review of CTR filings,
  - a test of the validity and reasonableness of the customer exemptions granted,
  - a test of the institution's recordkeeping system for BSA compliance, and
  - documentation of the scope of the testing procedures performed and the findings.
|
Section 326.8(c)(3) |
Requires that the written BSA compliance program must provide for the designation of an individual or individuals to coordinate and monitor day-to-day compliance. To meet the minimum requirement:
- each financial institution must designate a senior bank official to be responsible for overall BSA compliance, and
- another individual should be designated responsible for the day-to-day compliance. |
Section 326.8(c)(4) |
Requires that the written BSA compliance program provide for the training of appropriate personnel. At a minimum, a financial institution's training program must:
- provide training of all personnel whose duties may require knowledge of the BSA, including, but not limited to, tellers, new accounts personnel, lending personnel, bookkeeping personnel, and wire room personnel;
- provide an overview of the BSA to new employees; and
- include efforts to keep executives informed on changes and new developments in BSA regulation. |
Source: OIG review of FDIC Rules and Regulations, Subpart B of Part 326, and DSC Memorandum 6462.10, entitled Guidelines for Monitoring Bank Secrecy.
APPENDIX III
CONTROL AND PERFORMANCE STANDARDS AND ASSOCIATED RISKS
| MANAGEMENT AND CONTROL STANDARDS | ASSOCIATED RISKS |
| --- | --- |
| The Board [the bank's board of directors] establishes adequate policies and procedures in accordance with anti-money laundering laws and regulations. The board establishes adequate "Know Your Customer" Policies. | Inadequate anti-money laundering and Know Your Customer policies and procedures could involve the bank and senior management in criminal activity and result in possible regulatory action. The bank faces possible damage to its reputation if its name is associated with money laundering. |
| Internal reviews and audits are sufficient to identify deficiencies in the BSA program, and reports are provided directly to senior management and the board. | Management may inadequately identify, communicate, and correct deficiencies. Failure to detect existing or emerging problems could result in non-compliance with internal policies and applicable rules and regulations. |
| Management develops a system to identify large currency deposits, including numerous small deposits that when aggregated, exceed the reporting threshold. Management identifies, investigates, and reports suspicious transactions. | Management's detection of possible money laundering and suspicious activities may be impeded by a weak identification system. A weak identification system may result in inadequate reporting to the board and regulatory authorities. |
| The board assigns responsibility for ongoing compliance with the BSA and financial recordkeeping regulations (31 C.F.R. 103) to a qualified and knowledgeable staff. | An inadequate or poorly trained staff could result in non-compliance with policies and regulations and the possible use of bank services for money laundering activities. |

| PERFORMANCE STANDARDS | ASSOCIATED RISKS |
| --- | --- |
| Employees comply with written guidelines and policies. | Regulatory violations and money laundering may occur if procedures are not followed. |
| Management addresses previously identified criticisms, which include implementing procedures to correct apparent violations and adhering to the mandatory compliance program. | Continuing deficiencies or violations can lead to enforcement action. |
| Management files required reports, including CTRs and SARs, accurately and in a timely manner. | Violations can result in monetary fines and penalties. Possible money laundering activities may not be detected. |
Source: DSC Transmittal 98-096, Bank Secrecy Act (BSA) Examination Procedures dated December 7, 1998 as supplemented by interim guidance in Transmittal 03-042, Bank Secrecy Act Examination Procedures, dated August 15, 2003.
APPENDIX IV
AUTHORITY TO TAKE ENFORCEMENT ACTIONS FOR BSA VIOLATIONS
TREASURY DEPARTMENT
12 U.S.C. 1829b |
Requires the maintenance of appropriate types of records by insured depository institutions where such records would have a high degree of usefulness in criminal, tax, or regulatory investigations or proceedings. The Secretary of the Treasury is authorized to prescribe regulations to carry out these purposes under this section. Subsection (j) of this section imposes civil penalties on any insured depository institution, officer, or employee of such institution who willfully or negligently violates the regulations prescribed under this section. The penalties assessed under this section will be carried out according to 31 U.S.C. 5321(b) and (c). |
31 U.S.C. 5311 et seq. |
Authorizes the Secretary of the Treasury to promulgate regulations requiring the reporting of certain monetary transactions. Under 31 U.S.C. 5318, the Secretary of the Treasury is authorized to require a class of domestic financial institutions, trades, or businesses to maintain appropriate procedures to ensure compliance with Subchapter II (Records and Reports on Monetary Instruments Transactions) of Chapter 53; examine any books, papers, records, or other data of domestic financial institutions, trades, or business relevant to the recordkeeping or reporting requirements of the subchapter; summon a financial institution, trade or business to appear before the Secretary and give testimony under oath; and prescribe an appropriate exemption from a requirement of the subchapter, but only in connection with investigations for the purpose of civil enforcement violations of the subchapter and 12 U.S.C. 1829b, etc. Under 31 U.S.C. 5318, the Secretary may require any financial institution and any director, officer, employee, or agent to report any suspicious transaction relevant to a possible violation of law. |
31 U.S.C. 5318 |
The Secretary may require any financial institution and any director, officer, employee, or agent to report any suspicious transaction relevant to a possible violation of law. |
31 U.S.C. 5320 |
The Secretary may bring a civil action to enjoin a violation or enforce compliance against a person believed to have violated the laws or regulations of Chapter 53, Subchapter II. |
31 U.S.C. 5321(a) |
Authorizes the imposition of civil money penalties by the Secretary of the Treasury for willful violations of Subchapter II, specifically 31 U.S.C. 5314, 5316, 5318, 5318A, and 5324; and negligent violations of any section of Chapter 53. The range of civil money penalties that may be imposed by the Department of the Treasury is outlined in 31 C.F.R. 103.57. |
31 U.S.C. 5321(e) |
The Secretary is to delegate authority to the appropriate Federal Banking Agencies to assess a civil money penalty under this section on depository institutions. The Department of the Treasury is proposing rulemaking that would delegate to the appropriate Federal banking regulatory agencies, as required by 31 U.S.C. 5321(e), the authority to assess civil money penalties on depository institutions for violations of the BSA. The regulation would prescribe the parameters of the delegated authority. |
31 C.F.R. 103.56 |
Overall authority for enforcement and compliance, including coordination and direction of procedures and activities of all agencies exercising delegated authority under Part 103, is delegated to the Assistant Secretary of the Treasury (Enforcement). Authority to examine institutions for compliance with Part 103 is delegated to the Federal Banking Agencies and to other agencies for institutions not regulated by the Federal Banking Agencies. Authority for the imposition of civil penalties is delegated to the Assistant Secretary for Enforcement. The authority to enforce the provisions of 31 U.S.C. 5314 and 31 C.F.R. 103.24 and 103.32 has been redelegated from Treasury’s Financial Crimes Enforcement Network (FinCEN) to the Internal Revenue Service by means of a Memorandum of Agreement. Such authority includes the authority to: assess and collect civil penalties under 31 U.S.C. 5321 and 31 C.F.R. 103.57; investigate possible civil violations of these provisions; employ the summons power of Subpart F of Part 103; issue administrative rulings under Subpart G of Part 103; and take any other action reasonably necessary for the enforcement of these and related provisions, including pursuit of injunctions.
|
FEDERAL DEPOSIT INSURANCE CORPORATION
12 U.S.C. 1818(s)(3) |
If the appropriate Federal Banking Agency determines that an insured depository institution has failed to establish or maintain BSA procedures or failed to correct any problem with the procedures previously reported, the agency shall issue an enforcement order requiring the institution to cease and desist from its violation. The FDIC is authorized under 12 U.S.C. 1818(i)(2)(ii) to impose a civil penalty of not more than $5,000 per day for violations of final or temporary orders issued pursuant to 12 U.S.C. 1818(s).
|
Source: Analysis by OIG Counsel's office.
APPENDIX V
BSA VIOLATIONS REPORTED FOR 41 SAMPLED FINANCIAL INSTITUTIONS
| BANK | PART 103 | SECTION 326.8 | REPEAT BSA VIOLATION | REGULATORY ACTION |
| --- | --- | --- | --- | --- |
| 1 | No | Yes | Yes | No |
| 2 | Yes | No | No | No |
| 3 | No | Yes | Yes | No |
| 4 | Yes | Yes | Yes | Memorandum of Understanding and Bank Board Resolution |
| 5 | Yes | No | No | No |
| 6 | Yes | Yes | Yes | No |
| 7 | Yes | No | No | No |
| 8 | Yes | Yes | No | Memorandum of Understanding |
| 9 | Yes | No | No | No |
| 10 | Yes | No | Yes | No |
| 11 | Yes | Yes | Yes | No |
| 12 | No | Yes | Yes | No |
| 13 | Yes | No | No | No |
| 14 | Yes | Yes | Yes | Memorandum of Understanding |
| 15 | Yes | Yes | Yes | Memorandum of Understanding |
| 16 | Yes | No | No | No |
| 17 | Yes | Yes | Yes | No |
| 18 | No | Yes | No | No |
| 19 | Yes | Yes | Yes | State Determination Letter |
| 20 | Yes | Yes | Yes | No |
| 21 | Yes | Yes | No | No |
| 22 | Yes | Yes | Yes | Bank Board Resolution |
| 23 | Yes | Yes | Yes | No |
| 24 | Yes | No | Yes | No |
| 25 | Yes | Yes | Yes | No |
| 26 | Yes | Yes | Yes | No |
| 27 | Yes | Yes | Yes | No |
| 28 | Yes | Yes | Yes | No |
| 29 | Yes | Yes | Yes | Bank Board Resolution |
| 30 | Yes | No | No | No |
| 31 | Yes | Yes | No | No |
| 32 | Yes | Yes | Yes | No |
| 33 | No | Yes | No | No |
| 34 | Yes | No | No | No |
| 35 | Yes | No | Yes (Note) | Bank Board Resolution |
| 36 | Yes | Yes | Yes | No |
| 37 | Yes | Yes | Yes | Cease and Desist Order |
| 38 | Yes | Yes | Yes (Note) | Memorandum of Understanding |
| 39 | Yes | Yes | Yes | Memorandum of Understanding |
| 40 | Yes | No | No | No |
| 41 | No | Yes | Yes | No |
| | Yes=35 No=6 | Yes=29 No=12 | Yes=27 No=14 | |
(Note: Repeat status is based on Suspicious Activity Report Violations)
Source: OIG review of ViSION and ROE data and supplemental information provided by DSC.
APPENDIX VI
SUMMARY OF BSA VIOLATIONS BY TYPE OF VIOLATION
FOR 41 SAMPLED FINANCIAL INSTITUTIONS
| Treasury Violation Category | Violation Code | Number of Institutions with Violations | Description of Violation |
| --- | --- | --- | --- |
| Treasury's 31 C.F.R. Part 103 | 60000 | 22 | Failure to file CTR for nonexempted transactions over $10,000 |
| | 65000 | 16 | Failure to maintain records on sales of monetary instruments of $3,000 through $10,000 |
| | 63001 | 14 | Failure to furnish information required in CTR |
| | 63000 | 13 | Untimely filing of CTR or failure to retain CTR for 5 years |
| | 60001 | 10 | Failure to treat multiple transactions totaling over $10,000 as a single transaction |
| | 64000 | 7 | Failure to follow [customer] identification procedures or failure to record identification method |
| | 60004 | 5 | Failure to properly exempt a domestic insured financial institution |
| | 60002 | 4 | Improper designation of exempt person |
| | 60007 | 4 | Failure to file CTR for transactions of an agent of an exempt person |
| | 60006 | 3 | Failure to document monitoring of exempt person transactions |
| | 60003 | 2 | Failure to file designation of exempt person form |
| | 60005 | 2 | Failure to perform annual review of exempt person |
| | 67000 | 2 | Failure to obtain Taxpayer Identification Number (TIN) or keep list of customers with missing TINs |
| | 62000 | 1 | Failure to report foreign financial accounts |
| | 65002 | 1 | Failure to retain records of cash purchases of monetary instruments for 5 years |
| | 68000 | 1 | Failure to retain required records for 5 years. |

| FDIC Violation Category | Violation Code | Number of Institutions with Violations | Description of Violation |
| --- | --- | --- | --- |
| FDIC's 12 C.F.R. Section 326.8 | 80004 | 16 | Lack of independent testing of BSA compliance |
| | 80000 | 15 | Failure to develop or implement adequate BSA Compliance Program |
| | 80003 | 10 | Inadequate system of internal controls for BSA Compliance |
| | 80006 | 7 | Failure to provide adequate BSA training |
| | 80005 | 4 | Failure to designate individual(s) responsible for BSA compliance |
Source: OIG review of BSA violations identified in ROEs for the sampled 41 institutions for the period January 1, 1997 through September 30, 2003 and DSC Transmittal No. 03-048, dated October 20, 2003, entitled Bank Secrecy Act Examination Violation Codes.
Note: Most institutions had multiple violations and, accordingly, the noted violations will not total 41. In addition, when differences were identified between the violation code recorded in ViSION and the description of the violation cited in the ROE, we used the ROE description. Accordingly, totals shown will not match totals shown in ViSION data. Some violations were “grouped” because there was no specific violation code included in DSC’s guidance on BSA violation codes for those violations. Some sampled institutions also had violations related to Suspicious Activity Reports. However, because there was no specific code related to SAR violations, they were not captured in ViSION and are not included in this table.
APPENDIX VII
ACRONYMS
| BBR | Bank Board Resolution |
| BSA | Bank Secrecy Act |
| C&D | Cease and Desist Order |
| C.F.R. | Code of Federal Regulations |
| CMP | Civil Money Penalties |
| CTR | Currency Transaction Report |
| DSC | Division of Supervision and Consumer Protection (formerly the Division of Supervision) |
| FDI Act | Federal Deposit Insurance Act |
| FDIC | Federal Deposit Insurance Corporation |
| FIAT | Formal and Informal Action Tracking System |
| FIL | Financial Institution Letter |
| FinCEN | Financial Crimes Enforcement Network |
| HIFCA | High Intensity Money Laundering and Related Financial Crime Area |
| MOU | Memorandum of Understanding |
| MSA | Metropolitan Statistical Area |
| OIG | Office of Inspector General |
| PATRIOT Act | USA PATRIOT Act |
| ROE | Report of Examination |
| SAR | Suspicious Activity Report |
| U.S.C. | United States Code |
| ViSION | Virtual Supervisory Information on the Net |
APPENDIX VIII
GLOSSARY
Term |
Definition |
Bank Board Resolutions |
Bank board resolutions (BBRs) are informal commitments, developed and
adopted by a financial institution's board of directors (often at
the request of the FDIC), directing the institution's personnel to
take corrective action regarding specific noted deficiencies. BBRs may
also be used as a tool to strengthen and monitor the institution's
progress with regard to a particular component rating or activity. The
FDIC is not a party to these resolutions but may approve and accept them
as a means of initiating corrective action. |
The Bank Secrecy Act (BSA) of 1970 |
Codified at 31 U.S.C. 5311-5330 and gives the Treasury Department broad
powers to implement anti-money laundering regulations for financial institutions;
such regulations are implemented by the Treasury Department through 31
C.F.R. Part 103. The Act consists of two Titles: Title I, Financial Recordkeeping,
and Title II, Reports of Currency and Foreign Transactions. Title I authorizes
the Treasury Department to issue regulations requiring insured financial
institutions to maintain certain records related to financial transactions.
Title II directs the Treasury Department to prescribe regulations governing
the reporting of certain transactions by and through financial institutions
in excess of $10,000 into, out of, and within the United States. |
BSA Regional Report |
A report of completed BSA examinations with violations for a specific
time period. The report is broken down by region and includes the certificate
number, institution name, city, state, examination date, examiner-in-charge,
violation code, violation description, number of violations, BSA hours,
systemic or repeated violations, and action code. |
Cease and Desist Orders |
Cease and desist orders authorized by Section 8(b) of the FDI Act may
be issued to prevent or halt violations of a law, rule, regulation, or
written agreement with the FDIC; written condition imposed by the FDIC;
or unsafe or unsound practices. |
Civil Money Penalties |
Civil money penalties (CMPs) can be imposed on financial institutions
for violations of: final and temporary orders, written agreements with
the FDIC, laws and regulations, and breaches of fiduciary duty. The Financial
Institutions Regulatory and Interest Rate Control Act of 1978 granted the
FDIC authority to levy CMPs against both insured financial institutions
and individuals for violations of statutes. The Financial Institutions
Reform, Recovery, and Enforcement Act of 1989 broadened the scope of conduct
for which CMPs can be assessed and significantly increased the amount of
the permissible penalties. |
Composite Rating |
Each financial institution is assigned a composite rating based on an
evaluation and rating of six essential components of an institution's
financial condition and operations. These component factors address the
adequacy of capital, the quality of assets, the capability of management,
the quality and level of earnings, the adequacy of liquidity, and the sensitivity
to market risk. Evaluations of the components take into consideration the
institution's size and sophistication, the nature and complexity
of its activities, and the risk profile. Composite ratings are assigned
based on a 1 to 5 numerical scale. A 1 indicates the highest rating, strongest
performance and risk management practices, and least degree of supervisory
concern, while a 5 indicates the lowest rating, weakest performance, inadequate
risk management practices and, therefore, the highest degree of supervisory
concern. |
Corrective Actions |
The FDIC may issue informal or formal actions against a financial institution
to obtain correction of noted safety and soundness or compliance deficiencies.
Those actions may be informal or formal.
• Informal actions are voluntary commitments made by an insured financial institution's board of directors. Such actions are designed to correct noted safety and soundness deficiencies or ensure compliance with federal and state banking laws. Informal actions are not legally enforceable and are not disclosable to the public.
• Formal actions are notices or orders issued by the FDIC against insured financial institutions and/or individuals. Their purpose is to correct noted safety and soundness deficiencies, ensure compliance with federal and state banking laws, assess civil money penalties, and/or pursue removal proceedings. Formal actions are legally enforceable. Final formal orders are available to the public after issuance. |
Currency Transaction Report |
A financial institution in the United States generally must file a currency
transaction record for each transaction in currency over $10,000. A transaction
in currency is any transaction involving the physical transfer of currency
from one person to another and covers deposits, withdrawals, exchanges,
or transfers of currency or other payments. Currency is defined as currency
and coin of the United States or any other country as long as it is customarily
accepted as money in the country of issue. |
Department of the Treasury |
The Department of the Treasury's mission is to (1) promote prosperous
and stable American and world economies, (2) manage the Government's
finances, (3) safeguard our financial systems, (4) protect our Nation's
leaders, (5) secure a safe and drug-free America, and (6) continue to build
a strong institution. Organized into offices and bureaus, the Department
of the Treasury encompasses a wide range of programmatic and operational
activities. The Treasury's Financial Crimes Enforcement Network (FinCEN)
supports law enforcement investigative efforts against domestic and international
financial crimes. Refer to "FinCEN" for more information. |
Division of Supervision and Consumer Protection (DSC) |
The DSC promotes the safety and soundness of FDIC-supervised institutions,
protects consumers' rights, and promotes community investment initiatives
by FDIC-supervised insured depository institutions. The mission of the
DSC is to promote stability and public confidence in the nation's financial
system by:
• examining and supervising insured financial institutions to ensure they operate in a safe and sound manner, consumers' rights are protected, and FDIC-supervised institutions invest in their communities; and
• providing timely and accurate deposit insurance information to financial institutions and the public. |
Examinations |
Sections 10(b) and (c) of the FDI Act empower examiners to make a thorough
examination of all of the affairs of the bank. Section 10(d) of the FDI
Act requires an annual full-scope on-site examination of every insured
state nonmember bank at least once during each 12-month period. Annual
examination intervals may be extended to 18 months under certain conditions.
The FDIC also alternates examination cycles with state regulatory agencies.
The statutory requirements in Section 10(d) of the FDI Act do not apply
to specialty examinations. Thus, specialty examinations are governed by
internal DSC policy, not statute. Specialty examinations, which include
BSA examinations, should generally be conducted concurrently with safety
and soundness examinations. Examinations can be risk-focused to properly
assess a financial institution's risk profile. |
Exemptions |
According to the FDIC Manual of Examination Policies, banks may exempt
certain categories of customers and are not required to file CTRs for those
classes of "Exempt Persons." Exempted entities may include,
but are not limited to:
• A bank, to the extent of such bank's domestic operations;
• A non-listed business, which is defined as any other commercial enterprise, to the extent of its domestic operations, except certain operations included under the Treasury Department's Part 103.22. Non-listed businesses must meet certain other criteria to be eligible for exemption status.
• A payroll customer with respect solely to withdrawals for payroll purposes from existing transaction amounts.
Banks must verify, at least annually, the status of all entities designated
as exempt. The specific methodology for performing this assessment is largely
at the bank's discretion; however, results of the review must be
documented. |
FDIC Supervision |
The FDIC's Supervision Program promotes the safety and soundness
of FDIC-supervised institutions, protects consumers' rights, and
promotes community investment initiatives by FDIC-supervised insured depository
institutions.
As supervisor, the FDIC performs safety and soundness examinations of
FDIC-supervised institutions to assess their overall financial condition,
management practices and policies, and compliance with applicable laws
and regulations. Through the examination process, the FDIC also assesses
the adequacy of management and internal control systems to identify and
control risks. Procedures normally performed in completing this assessment
may disclose the presence of fraud or insider abuse.
The FDIC supervises FDIC-insured state-chartered banks that are not
members of the Federal Reserve System, described as state nonmember banks.
This includes state-licensed insured branches of foreign banks and state-chartered
mutual savings banks. The FDIC also has special examination authority
for state member banks that are supervised by the Federal Reserve Board,
national banks that are supervised by the Office of the Comptroller of
the Currency, and savings associations that are supervised by the Office
of Thrift Supervision. This authority is exercised in the FDIC's
role as insurer of those institutions. |
Federal Deposit Insurance Corporation |
The FDIC's mission is to maintain the stability of and public confidence
in the nation's financial system. To achieve this goal, the FDIC was created
in 1933 to insure deposits and promote safe and sound banking practices. |
Federal Reserve System |
The Federal Reserve, the central bank of the United States, was founded
by Congress in 1913 to provide the nation a safer, more flexible, and more
stable monetary and financial system. The Federal Reserve is responsible
for
(1) conducting the nation's monetary policy;
(2) supervising and regulating banking institutions and protecting the
credit rights of consumers;
(3) maintaining the stability of the financial system; and
(4) providing certain financial services to the U.S. government, the public,
financial institutions, and foreign official institutions. |
FIAT |
The Formal and Informal Action Tracking system serves as a central automated
source of information on DSC regulatory actions. When a formal or informal
action is contemplated or initiated, a record of that action is created
in FIAT. |
Financial Institution Letters |
Financial Institution Letters are addressed to the chief executive officers
of financial institutions, generally FDIC-supervised institutions, and
may announce new regulations, special alerts concerning counterfeit financial
institutions, new FDIC publications, and a variety of other matters, including
information related to the PATRIOT Act, of principal interest to those
responsible for operating a bank or savings association. Refer also to
the USA PATRIOT Act. |
FinCEN |
The Financial Crimes Enforcement Network is an office within the Office
of the Under Secretary (Enforcement) of the Department of the Treasury. |
Formal Actions |
The FDIC may issue formal actions pursuant to Section 8 of the Federal
Deposit Insurance Act. Formal actions include termination of federal deposit
insurance; cease and desist action; removal, prohibition, and suspension
actions; and civil money penalties. |
High Intensity Money Laundering and Related Financial Crime Area |
High Intensity Money Laundering and Related Financial Crime Areas (HIFCA)
is a categorization announced in the 1999 National Money Laundering Strategy
and was conceived in the Money Laundering and Financial Crimes Strategy
Act of 1998 as a means of concentrating law enforcement efforts at the
federal, state, and local levels in high intensity money laundering zones.
HIFCAs may be defined geographically, or they can also be created to address
money laundering in an industry sector, a financial institution, or groups
of financial institutions. |
Informal Actions |
Informal actions include a bank board resolution (BBR) and a Memorandum
of Understanding (MOU). DSC may recommend that an institution commit to
address specific noted deficiencies by adopting a BBR. DSC may issue an
MOU to institutions when there is reason to believe the deficiencies noted
during an examination will not be addressed adequately by a BBR. |
Insured Depository Institution |
The term insured depository institution means any bank or savings association,
the deposits of which are insured by the FDIC. |
Insured Nonmember Bank |
Any bank, including a foreign bank having a branch, the deposits of which
are insured in accordance with the provisions of the Federal Deposit Insurance
Act, which is not a member of the Federal Reserve System. The term does
not include any institution chartered or licensed by the Comptroller of
the Currency, any District of Columbia bank, or any savings association. |
Internal Control |
Internal control is an integral component of an organization's
management that provides reasonable assurance of achieving effectiveness
and efficiency of operations, reliability of financial reporting, and compliance
with applicable laws and regulations. |
Memorandum of Understanding |
A Memorandum of Understanding (MOU) is an informal agreement between
an institution and the FDIC and is signed by both parties. MOUs, usually
drafted by an FDIC official, are designed to address and correct identified
weaknesses in an institution's condition. The FDIC generally uses
MOUs instead of BBRs, especially when there is reason to believe the deficiencies
noted during an examination will not be addressed adequately by a BBR.
The use of an MOU does not rule out recourse to formal action if the FDIC
believes the institution's management is unwilling or unable to voluntarily
take necessary corrective action. |
Metropolitan Statistical Area |
Defined by the Office of Management and Budget. A Metropolitan Statistical
Area (MSA) is a large population nucleus, together with adjacent communities
that have a high degree of economic and social integration with that nucleus.
An area qualifies for recognition as an MSA in one of two ways: (1) if
it includes a city with a population of at least 50,000, or (2) if it includes
a Census Bureau-defined urbanized area (a population of at least 50,000)
with a total metropolitan population of at least 100,000 (75,000 in New
England). In addition to the county(ies) containing the main city or urbanized
area, an MSA may include additional counties that have strong economic
and social ties to the central county(ies) and meet specified requirements
of metropolitan character. The ties are determined chiefly by census data
on commuting to work. A metropolitan statistical area may contain more
than one city with a population of 50,000 and may cross state lines. |
Money Laundering |
In federal law, money laundering is the flow of cash or other valuables
derived from, or intended to facilitate, the commission of a criminal offense.
More specifically, money laundering is the process by which criminals or
criminal organizations seek to disguise the illicit nature of their proceeds
by introducing them into the stream of legitimate commerce and finance.
Federal authorities attack money laundering through regulations, criminal
sanctions, and forfeitures. |
Money Laundering Suppression Act of 1994 |
Codified to 31 U.S.C. 5301, Improvement of Identification of Money Laundering
Schemes: Required enhanced training, examinations, and referrals by banking
agencies. Each appropriate federal banking agency, in consultation
with the Secretary of the Treasury and other appropriate law enforcement
agencies, was required to (1) review and enhance training and examination
procedures to improve the identification of money laundering schemes involving
depository institutions; and (2) review and enhance procedures for referring
cases to any appropriate law enforcement agency. In addition, the Act required
improved reporting of criminal schemes by law enforcement agencies. The
Secretary of the Treasury and each appropriate law enforcement agency shall
provide, on a regular basis, information regarding money laundering schemes
and activities involving depository institutions to each appropriate federal
banking agency in order to enhance each agency's ability to examine for
and identify money laundering activity. |
Primary Federal Regulator |
There are four federal regulators of banks and savings and loan institutions:
• Federal Deposit Insurance Corporation (FDIC) – The primary federal
regulator responsible for state-chartered banks that are not members of
the Federal Reserve System and for state-chartered savings banks.
• Board of Governors of the Federal Reserve System (FRB) – The primary
federal regulator responsible for state-chartered commercial bank members
of the Federal Reserve System.
• Office of the Comptroller of the Currency (OCC) – The primary federal
regulator responsible for nationally chartered commercial banks.
• Office of Thrift Supervision (OTS) – The primary federal regulator
responsible for federally chartered savings and loan associations, federal
savings banks, and state-chartered savings and loan associations. |
Risk Focused Supervision |
The objective of a risk-focused examination is to effectively evaluate
the safety and soundness of the bank, including the assessment of risk
management systems, financial condition, and compliance with applicable
laws and regulations, while focusing resources on the bank's highest
risks. According to DSC examination guidance, the exercise of examiner
judgment to determine the depth of review in each functional area is crucial
to the success of the risk-focused supervisory process. |
Safety and Soundness Examinations |
These periodic, on-premise examinations help maintain public confidence
in the integrity of the banking system and in individual banks, provide
the best means of determining a bank's adherence to laws and regulations,
protect the financial integrity of the deposit insurance funds, and provide
supervisory agencies with an understanding of the nature, relative seriousness,
and ultimate cause of a bank's problems and thus the factual foundation
to soundly base corrective measures, recommendations, and instructions. |
Suspicious Activity Report |
A suspicious activity report (SAR) must be filed when there are suspicions
that a financial transaction falls into one or more of the following categories:
• Is derived from illegal activity or is intended or conducted in order to
hide or disguise funds or assets derived from illegal activity.
• Is designed to evade BSA requirements, whether through structuring or other
means.
• Serves no business or apparent lawful purpose, and the financial institution
can determine no reasonable explanation for the transaction after examining
all available facts. |
Terrorism |
An act of terrorism can include both domestic and international actions
that (1) involve acts dangerous to human life that violate criminal laws
of the United States or of any state; (2) appear to be intended to intimidate
or coerce a civilian population, influence the policy of a government by
intimidation or coercion, or affect the conduct of a government by mass
destruction, assassination, or kidnapping; and (3) occur primarily within
the territorial jurisdiction of the United States. |
USA PATRIOT Act |
The Uniting and Strengthening America by Providing Appropriate Tools Required
to Intercept and Obstruct Terrorism Act of 2001, also known as the USA
PATRIOT Act. The USA PATRIOT Act was enacted on October 26, 2001 and is
directed primarily at anti-terrorism. Title III of the Act contains several
anti-money laundering provisions that affect financial institutions. The
Secretary of the Treasury has the authority to impose provisions under
this Act on financial institutions. The Act expands requirements that are
included under the Bank Secrecy Act of 1970. |
ViSION |
Virtual Supervisory Information on the Net system, which is used to capture
data on the results of DSC's reports of examination, including identified
BSA violations and to report those violations to the Treasury Department. |
APPENDIX IX
CORPORATION COMMENTS
Federal Deposit Insurance Corporation
Washington, DC 20429
Office of the Director Division of Supervision and Consumer Protection
March 18, 2004
TO: Stephen M. Beard, Deputy Assistant Inspector General, Office of
Inspector General (OIG)
FROM: Michael J. Zamorski [Electronically produced version;
original signed by Michael J. Zamorski], Director, Division of
Supervision and Consumer Protection
CONCUR: John F. Bovenzi, [Electronically produced version; original signed by John F. Bovenzi],
Deputy to the Chairman and Chief Operating Officer
SUBJECT: Draft Report Entitled Supervisory Actions Taken for Bank Secrecy Act Violations
(Assignment Number 2004-002)
Thank you for the opportunity to provide comments with regard to the Office of Inspector General (“OIG”) draft audit report regarding Supervisory Actions Taken for Bank Secrecy Act Violations. We have very carefully considered the audit findings and your recommendations. Further, the Division of Supervision and Consumer Protection (“DSC”) conducted an internal analysis of both the sample of supervisory actions reviewed during this audit and our responsibility under the Bank Secrecy Act (“BSA”). The DSC partially concurs with your findings and recommendations. We are concerned that the limited information and inferences contained in the report may lead a reader to speculate on the severity of the exposure to money laundering and surmise that FDIC supervision is insufficient. Therefore, we do not concur with the inference that the FDIC’s supervisory actions are materially lacking or that an increased risk of money laundering exists in the institutions for which we are the primary federal regulator. To the contrary, we affirm that our supervisory approach is risk-focused, effective, timely, and consistent with the expectations of the U.S. Department of the Treasury (“Treasury”) for enforcement and referral of potential criminal activity.
Subsequent to questions raised by the OIG during the audit, DSC’s Regional and Washington offices undertook a detailed analysis of the OIG’s 41-bank sample. In 38 of the 41 cases, we found the supervisory actions to be consistent with the problems identified and the risks posed by the circumstances. In hindsight, the DSC found that in three instances supervisory actions could have been deployed in a better manner. As a result, the lessons learned have been utilized to improve our internal supervisory processes. The FDIC supervises a majority of small community-based institutions which operate with manual and non-complex automated systems. Therefore, it is not unusual that a sample of such institutions would yield apparent violations of a technical nature without exposing the institutions’ BSA programs to increased money laundering risk. Our community banks actually have a strong inherent deterrent to money laundering since they operate in areas where bank management’s knowledge of customers is high, making criminal action harder to disguise. In fact, of the 41 sample banks, 22, or 54%, are very small banks with total assets of less than $80 Million, and seven more sample banks fall in the under $150 Million range. Only two of the sample banks were larger than $1 Billion in total assets. The three institutions that DSC identified where supervisory actions could have been strengthened had total assets of $10 Million, $71 Million, and $187 Million.
According to the DSC’s analysis of the OIG’s sample banks, the FDIC initiated numerous supervisory actions, consistent with both FDIC and Treasury policy. Significantly, we noted that the OIG sample did not target geographic concentrations of higher money laundering risk or institutions where money laundering has been suspected or detected. The OIG also did not look at supervisory actions taken in instances of serious BSA program deficiencies, analyze the risk for money laundering in the sample institutions, have discussions with examiners, or assess the BSA examination process.
Program problems that may expose an institution to enhanced vulnerability to criminal activity are, as necessary, aggressively addressed with formal actions. However, in the vast majority of cases, an appropriate supervisory response does not include a formal action. The FDIC believes our supervisory approach using technical guidance, moral suasion and a gradual escalation of enforcement action is appropriate. Refer to Exhibit I for a legal interpretation of formal actions for BSA that are authorized under Section 8(s) of the Federal Deposit Insurance Act, 12 USC 1818(s). Further, please refer to Exhibit II, which illustrates the circumstances and the supervisory actions taken in the 17 sample banks referred to by the OIG report as lacking supervisory action. The FDIC’s extensive BSA supervisory program and its results are also discussed in detail in Exhibit II.
The DSC agrees that a vigilant Bank Secrecy Act supervisory program requires that appropriate supervisory actions be taken to support compliance with Treasury and FDIC guidance. Our supervisory processes are risk-focused and designed to correlate our efforts to areas of risk, thereby deploying appropriate emphasis across a continuum of low- to high-risk areas. Thorough examiner assessment and our internal supervisory reviews are critical to these determinations. We are committed to proactive, vigilant, and effective examination processes to monitor and mitigate risks in the institutions we supervise. We continue to assess potentially high-risk situations, through onsite and offsite examination programs, and we are confident that our supervision of such situations is effective and efficient.
A prominent strength of our examination process is promoting quality corporate governance through the written discussion of weaknesses and suggestions for improvement that, while not violations of law, are beneficial in guiding necessary improvements. We do not concur with the OIG’s criticism that recommendations for improvement and the supporting discussion may be confused with apparent violations of the BSA. The DSC found, after reviewing the OIG identified examples, that none of the examination reports contain evidence that apparent violations of law were incorrectly cited.
DSC has undertaken a number of initiatives to evaluate and enhance our Bank Secrecy Act guidance, and with other regulatory agencies we are part of extensive efforts to develop further improvements to detect and prevent criminal activity. The FDIC is a fully engaged partner in industry and government efforts to strengthen homeland security. Refer to Exhibit II for detailed information regarding FDIC and interagency initiatives.
OIG Recommendations and FDIC Management Response
“We (OIG) recommend that the Director, DSC:
(1) Re-evaluate and update examination guidance to strengthen monitoring and follow-up processes for BSA violations, including:
- prompt, appropriate, and consistent regulatory action in cases where management action is not timely, including cease and desist orders for repeat violations as appropriate;
- consistent and timely follow-up of BSA violations between examinations to ensure management is taking corrective action;
- consistent citation and recordation of all apparent violations in reports of examination and in ViSION; and
- a consistent approach to the backfiling of CTRs.”
FDIC Action:
By March 30, 2005, and as part of our current initiatives to revisit and update FDIC guidance and with inter-agency cooperation, we will assure that the following items are addressed during our initiatives: formal supervisory actions, follow-up actions, citation of apparent violations and record keeping, and backfiling of CTRs. Additionally, the DSC is working closely with the FDIC Legal Division to clarify, and update as necessary, enforcement action guidance for BSA, and this action will also be completed by March 30, 2005.
(2) “Review DSC’s implementation of the process for referring institution violations of BSA to the Treasury Department, and discuss with Treasury the need to update or modify the referral guidelines based on changes in priority and approach in recent years.”
FDIC Action:
By year-end 2004, the FDIC will introduce the question raised in the audit report regarding referral guidelines with the Financial Crimes Enforcement Network’s Bank Secrecy Act Advisory Group. The DSC representative in the group will request an agenda item be planned for an upcoming meeting and report to the DSC Director.
(3) “Coordinate with state regulatory agencies to cover BSA compliance in state examinations of FDIC-supervised institutions and, for those states that do not cover BSA compliance, develop an alternative FDIC process to address BSA compliance when relying on alternating state examinations.”
FDIC Action:
The DSC is focused on strengthening processes to address variations in the state examination coverage of BSA. We believe the actions that we will implement will increase the consistency and reliability of the follow-up to our BSA examinations.
The states are represented [Note: CSBS is not an official member of FFIEC, but they do have non-voting representation at both the principal level and the Task Force on Supervision] on the FFIEC by the Conference of State Bank Supervisors (“CSBS”) and are therefore part of the interagency process that reviews and issues examination guidance. As part of the current initiative to update FDIC guidance, we will review and revise as needed the guidelines and procedures for BSA coverage during state examinations. This will be completed by March 30, 2005.
Exhibit 1
Federal Deposit Insurance Corporation
Washington, DC 20429
General Counsel
March 12, 2004
TO: Michael J. Zamorski, Director, Division of
Supervision and Consumer Protection
FROM: William F. Kroener, III, [Electronically produced version signed by William F. Kroener, III], General Counsel
SUBJECT: Interpretation and Application of Section 8(s)
Introduction
We have been asked to opine on the scope of Section 8(s) of the Federal Deposit Insurance Act, 12 USC 1818(s). In brief, Section 8(s), enacted in 1986, requires the FDIC (and other Federal banking agencies) to require the institutions they supervise to establish procedures for complying with the Bank Secrecy Act (“BSA”). It provides that the banking agencies “shall” initiate cease and desist actions for certain problems with these procedures, including problems which were not corrected after the agency informed the bank. The FDIC implemented the statute by promulgating 12 CFR 326.8, and has taken a range of enforcement actions to correct problems. Although many BSA-related problems have been corrected using less formal remedies, the FDIC has issued cease and desist orders under Section 8(b) or (c) for violations that include BSA-related problems.
Issues Presented:
1. What problems or violations does Section 8(s) cover?
a. Problems with “procedures” or BSA compliance program vs. failures to comply with BSA or Treasury regulations
b. What is a violation which was “previously reported” to the bank?
2. What was Congress’s intent in saying in Section 8(s) that the FDIC “shall issue a [cease and desist] order?”
Summary
In our view, Section 8(s)(3) applies to violations that demonstrate a flaw in the BSA compliance procedures or program which are violations of Section 326.8(c) of the FDIC Rules and Regulations, 12 C.F.R. 326.8(c), not to individual violations of the BSA or implementing regulations (such as isolated instances of misfiling currency transaction reports or suspicious activity reports, or the failure to carry out a piece of an adequate written program). In addition, Section 8(s)(3)(B), with regard to previously reported problems with the procedures, applies only to failures to correct problems identified previously with respect to the procedures, not to chronologically successive violations that do not indicate that the procedures or program are flawed. Moreover, a different procedural or program flaw in each of two consecutive examinations of a bank would not, in our opinion, constitute a “repeat” violation by the bank. Therefore, many problems under and violations of Section 326.8 do not fall within the scope of Section 8(s) regardless of the interpretation of the term “shall” in Section 8(s). In addition, repeat violations of the BSA and its implementing regulations that occur despite the existence of procedures reasonably designed to assure compliance do not, in our view, necessarily fall within the purview of Section 8(s), unless those violations evidence a problem or flaw in the bank’s compliance program or procedures.
As to those violations which fall within the scope of Section 8(s), case law establishes that using the word “shall” in a statute may not require an agency to follow the statute in an absolute way. The court cases interpreting statutes most analogous to Section 8(s) interpret the word “shall” to be “directory” rather than mandatory. That is, the statute is intended to guide the agency in the orderly conduct of its business, but not to compel an unduly harsh or unreasonable result. Finally, these interpretations do not diminish the FDIC’s authority to correct any violation of the BSA or Part 326.8 by using its enforcement authority under other parts of Section 8 of the FDI Act.
Background
Section 8(s) of the FDI Act, enacted as part of the Anti-Drug Abuse Act of 1986,
Public Law No. 99-570, provides that:
(1) COMPLIANCE PROCEDURES REQUIRED.--Each appropriate Federal banking agency shall prescribe regulations requiring insured depository institutions to establish and maintain procedures reasonably designed to assure and monitor the compliance of such depository institutions with the requirements of subchapter II of chapter 53 of title 31, United States Code.
(2) Examinations of depository institutions to include review of compliance procedures.--
(A) IN GENERAL.--Each examination of an insured depository institution by the appropriate Federal banking agency shall include a review of the procedures required to be established and maintained under paragraph (1).
(B) EXAM REPORT REQUIREMENT.--The report of examination shall describe any problem with the procedures maintained by the insured depository institution.
(3) ORDER TO COMPLY WITH REQUIREMENTS.--If the appropriate Federal banking agency determines that an insured depository institution--
(A) has failed to establish and maintain the procedures described in paragraph (1); or
(B) has failed to correct any problem with the procedures maintained by such depository institution which was previously reported to the depository institution by such agency,
the agency shall issue an order in the manner prescribed in subsection (b) or (c) requiring such depository institution to cease and desist from its violation of this subsection or regulations prescribed under this subsection. [Emphasis added.]
Shortly after enactment of Section 8(s), the FDIC and other Federal banking agencies (“FBAs”) and NCUA, in a joint rulemaking, issued parallel rules to implement Section 8(s). 52 Fed. Reg. 2858 (Jan. 27, 1987). The FDIC’s rule, 12 CFR 326.8, requires each state nonmember bank to establish and maintain a compliance program to assure and monitor the bank’s compliance with the requirements of the Bank Secrecy Act (“BSA”) and the implementing Treasury regulations, 31 CFR Part 103.
Discussion
1. What problems or violations does Section 8(s) cover?
a. Problems with “procedures” or BSA compliance program vs. failures to comply with BSA or Treasury regulations
We interpret Section 8(s) to apply only to violations that demonstrate a
flaw in a bank’s BSA compliance procedures or program, not to individual violations
of the BSA or implementing regulations. The language of section 8(s) clearly
applies to problems with the “procedures,” as opposed to other statutes and
regulations that authorize sanctions for failure to file a particular report
or keep a particular record. An example of a problem which would be outside
the scope of the statute would be where a bank had adequate procedures
and training for filing Suspicious Activity Reports (SARs), but the FDIC
disagreed with the bank’s decision not to file a SAR for a particular transaction.
While there is no concrete definition of a problem with the “program” or “procedures,” some
problems clearly would be a program/procedures problem. Failing to maintain
a program at all or one or more elements that are required by Section 326.8
would be such a problem. For example, the failure to have written training
materials, the failure to update them to include important developments
such as the enactment of the USA PATRIOT Act, or the failure to ever conduct
training, would be a program/procedures problem. It is possible that multiple
problems over time, or a failure to carry out a piece of the program over time,
could rise to the level of a program failure. For example, the failure
to file CTRs (Note: CTR is the commonly used shorthand for Currency Transaction
Reports) or SARs for a large number of cases over a period of years could
indicate a program failure. So could a failure to conduct independent
testing for an unduly long period. We believe that Congress intended to let
the agencies use their judgment in making these determinations.
The view that Section 8(s)’s scope is limited to flaws in the program or
procedures is supported by analyzing the statute within the overall statutory
framework, and by how the FDIC and other FBAs understood the statute and
implemented it. (Note: We note that Section 8(s) requires "procedures" to
monitor and assure compliance with the BSA and implementing regulations,
and addresses the remedies for failure to maintain procedures or correct
problems with the procedures. As will be discussed, the regulations implementing
Section 8(s) require institutions to have a "program". For purposes of
this memorandum we view a "program" and "procedures" to be interchangeable.)
In construing Congressional intent behind a statutory provision, courts
review statutory provisions within the overall context of the statute and
related statutes. Lexecon Inc. v. Milberg Weiss Bershad Hynes & Lerach,
523 U.S. 26, 36 (1998). The BSA and its implementing regulations long
predated the enactment of Section 8(s). The BSA was enacted in 1970, and
regulations implementing the BSA and governing recordkeeping for financial
transactions and reports on transportation of currency were issued in 1972.
Section 8(b) and 8(c) of the FDI Act, which authorize the FDIC to issue,
respectively, permanent or temporary cease and desist orders against
violations of laws or regulations, also predate the enactment of Section 8(s).
When Section 8(s) was enacted, the FDIC and FBAs already had authority to issue cease and desist orders and to impose other sanctions for failures to comply with BSA and Treasury reporting and recordkeeping requirements. The most logical interpretation of the enactment of Section 8(s) is that Congress recognized that this authority existed, but found that without a formal structure in each institution (i.e., established standard procedures constituting a program), the recordkeeping and reporting requirements were inadequate or ineffective. Therefore, it required that banks have formal procedures, or programs, and the FBAs implemented this requirement by regulation. The appropriate interpretation of Section 8(s) is that Congress intended to add a separate provision to assure that banks maintain appropriate procedures and respond to examination and other agency reports of problems with those procedures, since there was already ample authority to remedy individual failures to carry out BSA reporting and recordkeeping requirements, including issuing a cease and desist order under existing statutes.
This interpretation is bolstered by the agencies’ implementation of the statute shortly after it was enacted. One factor courts will consider in determining legislative intent is how an agency, contemporaneously with the enactment of the statute, implemented it. See Zuber v. Allen, 396 U.S. 168, 192 (1969).
The FDIC’s regulation, section 326.8(b), provides that:
Each bank shall develop and provide for the continued administration of a program reasonably designed to assure and monitor compliance with recordkeeping and reporting requirements set forth in [the BSA] and the implementing regulations issued by the Department of Treasury at 31 CFR Part 103. The compliance program shall be written, approved by the bank's board of directors, and noted in the minutes.
Section 326.8(c) provides that:
The compliance program shall, at a minimum:
- Provide for a system of internal controls to assure ongoing compliance;
- Provide for independent testing for compliance to be conducted by bank personnel or by an outside party;
- Designate an individual or individuals responsible for coordinating and monitoring day-to-day compliance; and
- Provide training for appropriate personnel.
The other FBAs and NCUA have substantively identical regulations governing the institutions under their supervision. These regulations also focus on the requirement to have a compliance “program.” 12 CFR 21.21 (OCC); 12 CFR 208.63 (FRB); 563.177 (OTS); 12 CFR 748.2 (NCUA). The fact that the agencies required a “program” rather than echoing pre-existing BSA-based regulations that govern the filing of individual reports such as SARs or CTRs is significant in our opinion.
b. What is a “problem” which was “previously reported” to the bank?
As noted above, Section 8(s) applies when a bank has failed to “correct any problem with the procedures … which was previously reported” to it. The plain language of this provision most logically applies only to repeated instances of the same flaw in the bank’s program or procedures. For example, assume that in 1998 the FDIC informed a bank that its BSA training program was out of date. At the next examination, the training program was found to be adequately updated, but the FDIC reported a particular flaw in the bank’s internal controls. We cannot conclude in such an instance that the problem with internal controls would be a problem with the bank’s procedures “which was previously reported” to the bank.
2. What was Congress’s intent in saying in Section 8(s) that the FDIC “shall issue a [cease and desist] order?”
First, not every problem with a bank’s program or procedures, even a problem which was “previously reported” and not corrected by the next examination, falls under Section 8(s). As noted, Section 8(s) and the FDIC’s regulations require banks to implement procedures that are “reasonably designed” to assure and monitor BSA compliance. The FDIC cannot require a bank to have procedures that would detect or prevent every possible instance of noncompliance. Therefore certain violations would not fall under Section 8(s), particularly where an institution has a low risk of money laundering associated with it or the type of transaction carried a particularly low risk.
As to those problems which do fall within the scope of Section 8(s), we do not interpret Section 8(s) to mandate a cease and desist order in every case. We have been unable to find any legislative history relevant to interpreting Section 8(s). In such a case, one factor courts will consider in determining legislative intent is how an agency, contemporaneously with the enactment of the statute, implemented it. See Zuber v. Allen, 396 U.S. 168, 192 (1969). In the interagency Federal Register preamble issuing their rules to implement Section 8(s), the agencies stated that the statute “authorizes” the agencies to issue cease and desist orders. 52 Fed. Reg. 2858 (Jan. 27, 1987). As with its other enforcement authority, the FDIC enforces Section 8(s) taking into account its enforcement resources and using a risk-based approach.
Courts have often opined that the word “shall” in a statute does not mandate a specific action. The concept of statutes being directory rather than mandatory is traceable back at least to a 1936 United States Court of Appeals decision. In Vaughan v. John C. Winston Co., the 10th Circuit explained that:
Whether a statutory requirement is mandatory in the sense that failure to comply therewith vitiates the action taken, or directory, can only be determined by ascertaining the legislative intent. If a requirement is so essential a part of the plan that the legislative intent would be frustrated by a noncompliance, then it is mandatory. But if the requirement is a detail of procedure which does not go to the substance of the thing done, then it is directory, and noncompliance does not invalidate the act.
83 F.2d 370, 372 (10th Cir. 1936).
Viewing Section 8(s) in its statutory context, and in keeping with the courts’ explanation, it could be both harsh and unreasonable to interpret Section 8(s) as a command that the FDIC bring a cease and desist proceeding in every situation where a repeat procedural problem has been identified. From the bank’s perspective, the commencement of a cease and desist proceeding can be very onerous. It can cause the diversion of a great deal of the bank’s resources and the attention of its officers and directors. It could also be unreasonable in many cases to initiate a cease and desist action where the problem could be fixed more quickly by informal means. Moreover, it generally takes at least 60 days in an uncontested situation, and far longer in a case where the facts are contested, to put a cease and desist order into place. We are aware that in numerous instances of violations, including repeat violations, institutions have addressed and corrected problems in less than 60 days.
Consistent with this reasoning, the best interpretation is that the provision that the FDIC “shall” issue a cease and desist order is not so essential a part of the statutory plan that the legislative intent would be frustrated by “noncompliance.” In our view, the essence of Section 8(s) is to formalize banks’ compliance with the BSA, and make clear that the banking agencies should use the cease and desist order procedures of Sections 8(b) and (c) where appropriate. It is a corrective scheme, with the goal of deterring money laundering or other illicit activity, or assisting in apprehending criminals. It is unlikely that the main statutory purpose was to require cease and desist order proceedings in every case, no matter how relatively small and easily and quickly corrected the problem. It could be punitive to the banks to issue a cease and desist order in every case, even where a problem posed a relatively low risk, and was easily and quickly corrected.
Another consistent exception to the concept that statutes saying “shall” are mandatory is the line of cases that deal with “prosecutorial discretion,” i.e., that courts refrain from reviewing agency decisions not to take enforcement actions despite seemingly mandatory statutory language. See Heckler v. Chaney, 470 U.S. 821, 831 (1985). A fairly recent decision by the Ninth Circuit elaborates on this doctrine. In Sierra Club v. Whitman, 268 F.3d 898 (9th Cir. 2001), the plaintiff asserted that the Clean Water Act required the EPA to initiate an enforcement action. The statute provided that:
Whenever on the basis of any information … the Administrator finds that any person is in violation of [permit conditions], he shall issue an order requiring such person to comply ….
33 USC 1319(a)(3), quoted at 268 F.3d at 902.
The court in Whitman refused to compel the Administrator to investigate or take action against the asserted violation, explaining:
[T]he statute provides for a complex arrangement of monitoring through the permit system and enforcement mechanisms to ensure compliance. As previously recognized by the Eighth Circuit, requiring the EPA to "expend its limited resources investigating multitudinous complaints, irrespective of the magnitude of their environmental significance" could lead to an inability to investigate and enforce those violations the Administrator believes to be the most serious.
268 F.3d at 902-903.
The BSA and FDI Act and regulations present a similarly complex arrangement for monitoring and enforcing requirements. The same concerns expressed by the courts in Whitman, Heckler v. Chaney, and numerous related cases apply to Section 8(s) and lead to the interpretation that it is directory rather than mandatory.
We acknowledge that, in some cases, courts have ruled that “shall” is mandatory. However, courts generally do not make this finding on the basis of the word “shall” standing alone. Rather, they find that the statutory context compels it. E.g., Association of American Railroads v. Costle, 562 F.2d 1310, 1312 (D.C. Cir. 1977). Costle is typical in that the court found that the statute spelled out the EPA’s duties in great detail. Section 8(s)’s direction to “prescribe regulations requiring insured depository institutions to establish and maintain procedures reasonably designed to assure and monitor … compliance” is very general compared with the statute that was interpreted in Costle.
The absence of a mandate to bring a cease and desist action to address every violation of Section 8(s) or the regulations does not imply that the alternative is to take no action. To the contrary, the statutory intent must be to take an appropriate corrective action based upon the severity of the problem, the risks it poses, and the bank’s willingness to comply expeditiously. For example, where there is a repeat procedural problem identified during an examination but it is immediately corrected by management, there is no need for a cease and desist order to achieve correction. Similarly, if correction immediately after an examination is assured either by an informal MOU or otherwise, there is no need for an order. In addition, where correction is mandated or obtained by a cease and desist order issued under section 8(b) as part of an overall correction program for BSA and other violations no other or separate action under section 8(s) is necessary. This has been the FDIC’s practice, and we believe it comports with the intent of the statute.
Exhibit II
Internal Assessment of the FDIC Division of Supervision and Consumer Protection’s Program to Evaluate Bank Compliance with the Bank Secrecy Act
Primary Objective: Provide an internal assessment of the Division of Supervision and Consumer Protection’s responsibility under the Bank Secrecy Act, the corresponding supervisory program that ensures state non-member institutions comply with the regulatory rules that implement the BSA, and current DSC initiatives to execute BSA rule modifications.
Secondary Objective: Evaluate institutions sampled by the Office of Inspector General and discussed in the draft audit report Supervisory Actions Taken for Bank Secrecy Act Violations.
Date: March 17, 2004
Contact: Lisa D. Arquette
Special Activities Section Chief
(202) 898-8633
[Note: In the hard copy version of this report, the OIG made the following
annotation to Exhibit II] The version of Exhibit II which follows is in a
format intended for public release. It contains editorial changes that the
Division of Supervision and Consumer Protection (DSC) made to the original
version of this Exhibit, submitted as part of DSC’s comments, to (1) clarify
the DSC analysis of the OIG’s sampled institutions and (2) remove information
that could identify specific institutions or individuals. Due to DSC’s
editorial changes, parts of and entire pages have been left intentionally
blank.
EXECUTIVE SUMMARY
The primary objective of this document is to provide an internal assessment
of the Division of Supervision and Consumer Protection's ("DSC")
responsibility under the Bank Secrecy Act ("BSA"), the corresponding
supervisory program that ensures state non-member institutions comply with
the regulatory rules that implement the BSA, and current DSC initiatives to
execute BSA rule modifications. A secondary objective is to evaluate institutions
sampled by the Office of Inspector General ("OIG") and described
in the draft audit report, Supervisory Actions Taken for Bank Secrecy Act
Violations (refer to Appendix A).
Overall, the findings of the internal assessment suggest the DSC has developed
and implemented an effective supervisory program to monitor and enforce BSA
compliance in FDIC-supervised institutions. The DSC has established effective
policies, guidance, and practices for educating and examining FDIC-supervised
institutions, identifying areas of non-compliance with the BSA, and ensuring
that any weaknesses in an institution's BSA program are corrected.
In general, the DSC has implemented a risk-focused approach to assess compliance
with the BSA, which emphasizes a strong control and compliance environment
within FDIC-supervised institutions. The vast majority of FDIC-supervised
institutions are small, community-based, locally-owned institutions that
operate in rural or suburban environments. The institutions' customers
are well known by bank management and unusual cash transactions are uncommon.
In light of this, the DSC believes a flexible supervisory approach using
technical guidance, moral suasion and a gradual escalation of enforcement
action is appropriate.
While issuing enforcement actions has proven effective in numerous instances
where serious noncompliance with the BSA was noted, the DSC has determined
that enforcing BSA compliance is most effectively handled in the majority of
FDIC-supervised institutions within the normal course of supervisory efforts.
This supervisory approach relies upon the proven ability and willingness of
bank management to correct deficiencies and establish an adequate compliance
program. The DSC has generally relied on this approach to address technical
noncompliance where the exposure to risk of potential money laundering activities
is low based on the profile of the institution and history of management's
actions in addressing identified weaknesses.
However, the DSC responds aggressively in cases where a greater risk for potential
money laundering exists within an institution. These more serious situations
may include willful non-compliance, absence of a BSA program, or significant
apparent violations of law. The FDIC's supervisory response in various
cases often involves the use of formal and informal enforcement actions. Enforcement
actions are generally pursued when immediate corrective action is required
in order to prevent elevated risks from potential money laundering activities.
These actions have also been issued against unresponsive or ineffective management
and boards of directors. The DSC has issued several formal actions, including
Orders to Cease and Desist and Orders of Prohibition from Further Participation,
which address substantially deficient programs and illicit activities of insiders.
Additionally, informal actions have also been used to effect compliance at
institutions where policies and practices need significant improvement.
A notable change to the BSA focus and the DSC's corresponding supervisory
approach unexpectedly occurred in 2001. Prior to the terrorist events of
September 11, 2001, the emphasis behind enforcement of the BSA was primarily
directed toward the criminal activities of organized crime syndicates and
international drug trafficking organizations and preventing those entities
from utilizing the United States banking system to engage in money laundering
activities. However, since the tragic events of September 11th, the BSA has
taken on an elevated level of national priority. Efforts directed towards
this national and global initiative have been amplified to provide assistance
to the war on terror. The anti-money laundering ("AML") provisions
of the BSA were augmented (with the passage of the USA PATRIOT Act of 2001
(Note: USA PATRIOT Act is the acronym for "Uniting and Strengthening
America by Providing Appropriate Tools Required to Intercept and Obstruct
Terrorism Act of 2001.")) and have become a useful tool in tracing
terrorist financing activities. The identification and prevention of potential
money laundering and terrorist financing is a primary element of bank supervision.
As a primary federal regulator, the FDIC recognizes the importance of this
issue to the banking industry and homeland security. In response, the DSC has
been proactive in the development and issuance of interagency examination guidance
and examiner training to ensure appropriate enforcement of the provisions of
the BSA and the USA PATRIOT Act. Additionally, the DSC has organized and participated
in numerous outreach programs intended to inform and educate the banking industry
of USA PATRIOT Act compliance requirements, given the rapidly changing landscape
of money laundering and terrorist financing concerns. Furthermore, while the
DSC has considerably expanded its bank supervision policies and practices in
this area, much of the DSC's efforts to proactively respond involve interagency
and joint law enforcement initiatives.
Many of these initiatives include domestic and international partnerships.
These initiatives include: participation in the Financial Action Task Force
("FATF") and in the FATF's Working Group on Terrorist Financing
("WGTF"); participation in the Basel Committee decision-making
process in reviewing the "Know Your Customer" risk management report;
participation in working groups and technical assistance missions sponsored
by the Departments of State and Treasury, which are designed to assess vulnerabilities
to terrorist financing activity worldwide and to develop and implement plans
to assist foreign governments concerning these issues; and serving as point-of-contact
("POC") liaison between the Financial Crimes Enforcement Network
("FinCEN") and FDIC-supervised institutions in the USA PATRIOT
Act Section 314(a) terrorist-subject biweekly searches. The DSC also issues
Financial Institution Letters to relay regular updates on Specially Designated
Nationals and Blocked Persons and Specially Designated Global Terrorists
as required by the Department of the Treasury's ("Treasury")
Office of Foreign Assets Control ("OFAC").
Overall, the DSC has been responsive to the intent of the BSA by establishing
a comprehensive supervisory approach, which includes conducting BSA compliance
examinations and ensuring appropriate supervisory follow up when BSA concerns
exist in FDIC-supervised institutions. Additionally, the DSC has been proactive
in addressing recent changes to the BSA by being an active participant in the
USA PATRIOT Act rulemaking process, incorporating those rules into examiner
and industry guidance, providing various forms of examiner and industry training
and outreach sessions, and assisting in global anti-money laundering and counter-financing
of terrorism efforts.
RESPONSIBILITIES OF THE FDIC TO FACILITATE BSA COMPLIANCE
While the BSA statute designates the Secretary of the Treasury as the authority
to administer the BSA, (Note: FinCEN was established in April 1990 to provide
a government-wide, multi-source intelligence and analytical network. FinCEN's
operation was broadened in 1994 to include regulatory responsibilities. In
October 2001, the USA PATRIOT Act elevated FinCEN to bureau status and emphasized
its role in fighting terrorist financing. FinCEN administers the BSA (comprehensive
anti-money laundering statute) and is responsible for expanding the regulatory
framework to industries vulnerable to money laundering, terrorist financing,
and other crime.) the Treasury regulations allow the Secretary to delegate
authority to examine financial institutions to determine compliance with the
requirements of Part 103, Treasury's Financial Reporting and Recordkeeping
Regulations. The FDIC's responsibilities under Section 103.56(b)(3) and
(e) are to examine financial institutions for compliance with Part 103 and
to make periodic reports to the Assistant Secretary of the Treasury. The DSC
reviews compliance with Part 103 at every safety and soundness examination.
Part 103 does not prescribe the frequency at which compliance should be reviewed.
The DSC conducts BSA compliance reviews concurrent with all full-scope on-site
safety and soundness examinations of every FDIC-supervised institution.
Section 8(s) of the Federal Deposit Insurance Act ("FDI Act")
provides additional BSA-related responsibilities [refer to Exhibit I for the
Legal Division's Analysis of Section 8(s)]. Section 8(s)(1) of the FDI
Act requires each appropriate Federal banking agency to prescribe regulations
requiring insured depository institutions to establish and maintain procedures
reasonably designed to assure and monitor the compliance of such depository
institutions with the requirements of Subchapter II of Chapter 53 of Title
31, United States Code. The implementing regulation for Section 8(s) of the
FDI Act is Part 326, Subpart B - Procedures for Monitoring BSA Compliance (12
CFR Section 326.8). In addition, Section 8(s)(2)(A) requires that each examination
of an insured depository institution by the appropriate Federal banking agency
shall include a review of the procedures required to be established and maintained
under Section 326.8 of the FDIC Rules and Regulations (refer to Appendix B
for BSA History and Legislative Changes).
BSA SUPERVISORY APPROACH
BSA Compliance Examination Process. The FDIC is responsible for ensuring
that state-nonmember banks comply with the BSA. At each safety and soundness
examination, the adequacy of an institution's BSA compliance program and
procedures is assessed. After a complete analysis of the bank, which includes
capital, asset quality, management, earnings, liquidity, and sensitivity to
market risk, ratings are assigned and a report of examination is prepared.
Composite ratings are based on a careful evaluation of an institution's
managerial, operational, financial, and compliance performance. The BSA
compliance examination is considered very important and is conducted as part
of the entire examination process.
BSA findings contribute most significantly to the management component rating,
but can have a significant influence on the composite rating, when notable
deficiencies exist.
Over the past seven years, the FDIC has conducted more than 17,750 BSA compliance
examinations. Examiners document their findings in a Report of Examination.
The DSC provides an aggregate report to FinCEN on apparent violations of
the Treasury's Financial Reporting and Recordkeeping Regulations (31 CFR
103) and the FDIC's Section 326.8 identified during examinations. Also,
the DSC makes referrals to FinCEN on significant matters and informs FinCEN
of actions that the FDIC has taken against FDIC-supervised institutions
or institution-affiliated parties ("IAPs").
Financial institutions are required to have a written BSA policy and program.
Employee training programs, audit procedures, and senior-level oversight are
also required. The DSC employs a variety of supervisory methods to ensure that
financial institutions establish and maintain an adequate BSA program. The
majority of apparent BSA violations involve minor infractions, generally isolated
to a few occurrences, and those infractions are generally corrected while the
examiners are still in the institution or shortly after their departure. Occasionally,
there are some institutions that fail to correct violations or implement adequate
compliance programs, which the DSC examiners discover at subsequent examinations.
Generally, for those institutions, the DSC performs additional monitoring through
on-site visitations conducted between the regularly scheduled examinations
and, when appropriate, takes other supervisory action. Over the past seven
years, the DSC has taken 40 formal actions and entered into 75 informal agreements
with institutions that demonstrated significant and/or recurring weaknesses
regarding BSA compliance.
Risk-Focused Supervisory Strategy. The FDIC is the primary federal
regulator of approximately 5,300 insured financial institutions holding total
assets of almost $1.7 trillion. By contrast, the Federal Reserve Board ("FRB")
supervises 935 banks with assets of $1.9 trillion, and the Office of the Comptroller
of the Currency ("OCC") supervises about 2,000 banks with assets
of $4.1 trillion. The majority of FDIC-supervised institutions are smaller
and located in less-densely populated areas. Of the 5,300 institutions supervised
by the FDIC, 2,850, or 54 percent, are not located in metropolitan areas or
MSAs (Note: MSAs or metropolitan statistical areas are defined by the Office
of Management and Budget. An MSA is a large population nucleus, together with
adjacent communities that have a high degree of economic and social integration
with that nucleus. Each MSA must contain either a minimum population of 50,000
or a Census Bureau-defined urbanized area with a total population of at least
100,000. MSAs comprise one or more counties and may include one or more outlying
counties that have close economic and social relationships with the central
county. An outlying county must have a specified level of commuting to the
central counties and also must meet certain standards regarding metropolitan
character. For example, the Washington, D.C. MSA extends from Frederick, Maryland,
to Fredericksburg, Virginia, and includes two counties in West Virginia.) and
hold 22 percent of FDIC-supervised assets. The remaining 46 percent of FDIC-supervised
banks are located in metropolitan areas and hold 78 percent of FDIC-supervised
assets.
The DSC has adopted a risk-focused approach to proactively assess risk for
institutions and apply an appropriate amount of supervisory resources. In doing
so, the DSC considers an institution's BSA risk prior to and during an
examination. An examiner might consider an institution with the following characteristics
to have a low BSA risk: located in a rural area (non-MSA) or suburban area;
not located in a high-risk money laundering and related financial crimes area
(HIFCA (Note: HIFCA is a categorization announced in the 1999 National Money
Laundering Strategy and was conceived in the Money Laundering and Financial
Crimes Strategy Act of 1998 as a means of concentrating law enforcement efforts
at the federal, state, and local levels in high intensity money laundering
zones.)); small asset size; small deposit base; known and stable customer base;
stable management and employee base; and relatively few reportable transactions
(as defined by CFR 103). The DSC factors an institution's risk of money
laundering into examination planning as well as into the evaluation of identified
BSA weaknesses.
An important factor in risk-focusing BSA compliance examinations is considering
whether an institution is located in a HIFCA, which may be defined geographically
or can also be created to address money laundering in an industry sector, a
financial institution, or group of financial institutions. Relevant federal,
state, and local enforcement authorities, prosecutors, and federal financial
supervisory agencies form groups that monitor activity in HIFCAs. Current HIFCA
designations for money laundering are assigned to the MSAs of New York City,
New York; Los Angeles, California; Chicago, Illinois; San Francisco, California;
and Miami, Florida. HIFCAs also include the Mexican borders of Texas and Arizona
and San Juan, Puerto Rico. Generally, institutions located in a HIFCA receive
more scrutiny for BSA compliance than the institutions located outside a HIFCA,
due to the elevated risk profile of the market area.
The DSC recognizes that an effective BSA supervisory approach must include
a flexible response towards a financial institution's money laundering
risk and the severity of the deficiencies noted. Generally, institutions that
operate within a HIFCA, have a large and diverse customer base (including high-risk
businesses), and transact a large volume of reportable transactions are expected
to have comprehensive BSA compliance programs. When those programs are deficient,
the DSC aggressively acts to effect immediate change within those institutions.
Such responses generally involve a form of formal or informal enforcement action.
Enforcement Actions Related to the BSA. The FDIC has the authority to take
enforcement action related to BSA program problems. Enforcement actions are
generally taken when bank management willfully and knowingly neglects the BSA
rules and/or is unresponsive to identified examination weaknesses and apparent
violations of the BSA or implementing rules. Enforcement action authority is
granted by Section 8(s) of the FDI Act. While 8(s)(3) authorizes the FDIC to
issue enforcement actions against institutions for BSA program problems and
violations of law, the DSC has taken the position that this authority is discretionary
and should be used judiciously. (Note: Excerpt from the Legal Division's
analysis of Section 8(s) [see Exhibit I, Interpretation and Application of
Section 8(s), dated March 12, 2004]: "Section 8(s)(3) applies to violations
that demonstrate a flaw in the BSA compliance procedures or program which are
violations of Section 326.8(c) of the FDIC Rules and Regulations, 12 C.F.R.
326.8(c), not to individual violations of the BSA or implementing regulations
(such as isolated instances of misfiling Currency Transaction Reports ("CTRs")
or Suspicious Activity Reports ("SARs"), or the failure to carry
out a piece of an adequate written program). In addition, Section 8(s)(3)(B),
with regard to previously reported problems with the procedures, applies only
to failures to correct problems identified previously with respect to the procedures,
not to chronologically successive violations that do not indicate that the
procedures or program are flawed.")
When the DSC conducts BSA compliance examinations, weaknesses and apparent
BSA violations are documented in the report of examination and discussed with
bank management and, if serious, the institution's board of directors.
Generally bank management responds to identified weaknesses during or shortly
after the examination. In instances when corrections do not occur, and the
DSC determines that a serious program flaw continues to exist, a more aggressive
supervisory action is taken. However, it should be noted that an isolated or
technical problem or violation does not rise to the level of a serious program
flaw; initiating an enforcement action in such cases would not be an effective
manner to address those problems. (Note: Excerpt – "Moreover, a
different procedural or program flaw in each of two consecutive examinations
of a bank would not, in our opinion, constitute a "repeat" violation
of the bank. Therefore, many problems under and violations of Section 326.8
do not fall within the scope of Section 8(s) regardless of the interpretation
of the term "shall" in Section 8(s).") Consistent with the
Legal analysis, the DSC's approach has been to differentiate between
serious BSA program problems within an institution versus isolated and technical
weaknesses. In practice, isolated and technical weaknesses can be addressed
within the normal course of supervisory process.
The DSC believes a flexible supervisory approach using technical guidance,
moral suasion, and a gradual escalation of enforcement action is appropriate.
However, a more aggressive supervisory approach is taken to effect correction
when a greater risk for potential money laundering exists within an institution
and there is willful non-compliance with the BSA, absence of a BSA program, and/or
significant apparent violations of law. (Note: Excerpt – "The absence
of a mandate to bring a cease and desist action to address every violation
of Section 8(s) or the regulations does not imply that the alternative is to
take no action. To the contrary, the statutory intent must be to take an appropriate
corrective action based upon the severity of the problem, the risks it poses,
and the bank's willingness to comply expeditiously. For example, where
there is a repeat procedural problem identified during an examination but it
is immediately corrected by management, there is no need for a cease and desist
order to achieve correction. Similarly, if correction immediately after an
examination is assured either by an informal MOU or otherwise, there is no
need for an order. In addition, where correction is mandated or obtained by
a cease and desist order issued under section 8(b) as part of an overall correction
program for BSA and other violations no other or separate action under section
8(s) is necessary. This has been the FDIC's practice, and we believe
it comports with the intent of the statute.") For example, from January
1, 1997, through September 30, 2003, FDIC institutions and IAPs were subject
to 115 formal and informal enforcement actions that addressed deficiencies
in compliance with rules implementing the BSA. These actions, in whole or in
part, address criticisms and apparent violations cited in reports of examination.
These actions consist of the following:
- Bank Board Resolutions ("BBR") require the institution's
board of directors to draft a written response addressing weaknesses cited
in FDIC reports of examination and present this document to the FDIC for notification.
- Memorandums of Understanding ("MOU") serve as a written
agreement between the institution's board of directors and the FDIC,
on specific weaknesses cited in reports of examination that include cited apparent
violations and systematic weaknesses in compliance efforts.
- Orders include provisions/requirements from the FDIC to the institution's
board of directors and senior management, which require the institution, or
IAPs, to cease and desist from activities that weakened the institution's
BSA compliance program. Orders also include the removal or prohibition of individuals
from further participation with insured institutions.
The type of enforcement action pursued by the DSC against an institution
or IAP is directly related to the severity of the offense, management's
willingness and ability to effectively implement corrective action, as well
as the extent to which the program has failed to identify and/or deter potential
money laundering. Additionally, the nature of the criticism, the response
to prior weakness or violation notifications and the overall risk profile
of the institution are factored into the type of supervisory action, as well
as any determination to assess civil money penalties. When weaknesses are
identified at institutions that have a high BSA risk profile, such as those
located within a HIFCA, the DSC has been aggressive in taking supervisory
action. Formal actions taken against institutions that operate within HIFCAs
represent more than half of the total actions taken over the audit timeframe.
Formal actions have generally been imposed on institutions or IAPs where the
activities of the individuals, or inaction, are so negligent that the bank
has allowed or has significantly increased its exposure to potential money
laundering activities. Supervisory enforcement actions taken since 1997 include
several Section 8(e) Orders of Prohibition from Further Participation against
IAPs that not only failed to establish effective compliance programs within
their institutions, but also actively engaged in activities that intentionally
violated governing rules implementing the BSA. Also included within the summary
of enforcement actions for this time period are Section 8(b) Orders to
Cease & Desist against institutions that failed to establish adequate compliance programs
that effectively identify and report potential money laundering activities.
In many cases, the bank deficiencies and apparent violations were so egregious
and demonstrated such a blatant disregard for compliance with the BSA, that
civil money penalties were assessed (one in the amount of $7,500,000). While
these actions demonstrate the diligence of the DSC to effect immediate change
when necessary, the DSC has also effectively utilized informal actions to strengthen
the compliance efforts of its supervised institutions.
Informal actions against institutions and IAPs remain the FDIC's most
effective tool in creating an environment within the banking industry to identify
and deter potential money laundering activity in institutions where significant
weaknesses have been identified. BBRs and MOUs provide the written notice to
bank management and boards of directors that significant deficiencies exist
within BSA compliance programs; BBRs and MOUs also establish the mechanism
for corrective action. By establishing a written agreement and expedient timeframes
for correction, the FDIC has been able to strengthen the AML environment within
certain of its supervised institutions.
Included within the total number of enforcement actions are several cases
in which the FDIC has taken targeted and aggressive action against the board
of directors and senior management of certain institutions that had substantially
ineffective BSA compliance program policies and procedures in place. Some of
these cases are discussed more fully below.
Individual Enforcement Action Cases. The following case descriptions demonstrate
that the DSC takes aggressive, appropriate measures when the risk for potential
money laundering and serious BSA program problems exist.
Foreign-owned, state non-member bank and its Federally-insured foreign branches.
At the time of this enforcement action, the institution operated four separately
chartered foreign branches and a state non-member institution. In 2002, one
branch was subject to a Section 8(p) Order to Terminate Deposit Insurance,
as it was not engaged in the business of receiving deposits (other than trust
funds). Also, in 1994, the state non-member institution and its affiliates
consented to the issuance of a Section 8(b) Order to Cease & Desist for
operating in violation of FDIC Rules and Regulations that implement Treasury's
rules for BSA compliance. The Order required the prompt correction of numerous
significant violations resulting from an inadequate BSA compliance program.
The Order was terminated in 1995. All of these entities operate within HIFCAs.
A 2001 examination of the foreign branches, conducted concurrently by the
FDIC, Federal Reserve Bank ("FRB"), and a state banking department,
identified a number of deficiencies and violations, including significant BSA
compliance weaknesses. The deficiencies cited at the branches and agencies
of the foreign branches did not include the state non-member institution, which
was the subject of the previous enforcement action taken in 1994 and terminated
in 1995 (see paragraph above). Additionally, subsequent to the deficiencies
noted at the 2001 examination of the foreign branches, the FDIC initiated a
targeted BSA examination of the state non-member institution. The examination
concluded that the state non-member institution had maintained an effective
BSA compliance program.
Appropriate guidelines at these branches are considered vital since its operations
are considered to be high-risk for AML purposes, due to the large volume of
wire transfer activity and U.S. dollar-denominated checks purchased by customers
at the 700 domestic and foreign branches. As a result of the high-risk profile
of the institution and the severity of these problems, including the repetitive
nature of the BSA-related deficiencies, the supervising agencies jointly issued,
in 2001, a Section 8(b) Order to Cease & Desist and assessed a civil money
penalty against the branches. However, the state non-member institution was
not made a part of those formal actions.
State non-member institution and two principals, individually
In this instance, the state non-member institution is located in a HIFCA.
In 2003, the former president and director stipulated to the issuance of an
Order of Prohibition from Further Participation. The Order resulted from discovery
of activities conducted by the former president on behalf of a family member
and a former bank director, which were in violation of the BSA. Specifically,
the individual, while serving as bank president, willfully and repeatedly engaged
in the structuring of cash transactions to avoid reporting requirements and
attempted to conceal those activities. This matter was discovered by bank staff
in 2001, which prompted an FDIC visitation and ultimately a full-scope BSA examination,
which was jointly conducted by the FDIC and the state banking authority. The
individual resigned from the bank in 2002.
The full-scope BSA examination conducted in 2002 identified numerous deficiencies
in policies and procedures relating to BSA compliance. In 2003, the FDIC and
state regulator jointly issued a Section 8(b) Order to Cease & Desist,
which was primarily a result of the significant weaknesses in the bank's
BSA compliance program, including numerous violations of law.
The FDIC also pursued a Section 8(e) action against a former bank director
for participation in structuring cash transactions to avoid reporting requirements.
In 2004, the individual executed a Stipulation and Consent to the Issuance
of an Order of Prohibition.
Federally-insured foreign branches
In this example, a foreign bank had two United States Federally-insured foreign
branches, both of which are located in HIFCAs. Targeted BSA examinations of
both branches were conducted in 1999. These visitations identified significant
weaknesses in the branch policies and practices related to BSA compliance,
including numerous apparent violations of the rules implementing the BSA. The
FDIC issued a Section 8(b) Order to Cease and Desist in 2000 against both
branches.
FinCEN assessed a Civil Money Penalty for failure to comply with the reporting
and recordkeeping requirements of the BSA. Additionally, the branches' failure
to comply with currency transaction report ("CTR") filing requirements
exposed the entities to elevated risk of possible money laundering activities.
State-chartered savings bank and insider, individually
In 2000, the former president and chief executive officer of the institution
stipulated to the issuance of a Section 8(e) Order of Prohibition from Further
Participation. The Order resulted from discovery of activities by the respondent
which were in violation of the BSA. Specifically, the individual, while serving
as president and chief executive officer of the bank, willfully and repeatedly
engaged in the structuring of cash deposits on behalf of a bank customer and
attempted to conceal these activities. This matter was discovered internally
by the bank BSA officer. The former president and chief executive officer was
removed from the banking industry in 2001.
State non-member institution and two insiders, individually
This state non-member institution is located in a HIFCA. The institution stipulated
to a Section 8(b) Order to Cease & Desist in 2002, as a result of the poor
financial condition and weak management of the institution as detailed in a
2002 Report of Examination. While under the existing Order, the FDIC and state
banking regulator conducted a joint examination in 2003. During that examination
problems were identified in the institution's BSA compliance program,
including a number of apparent violations related to poor program controls,
as well as suspected illicit activities of the former president and chief executive
officer and former chief lending officer. The apparent violations included
structuring currency transactions to avoid reporting requirements, directing
bank staff not to file required CTRs and facilitating check kiting and money
laundering by bank customers.
State non-member institution
This state non-member institution is located in a HIFCA. Findings documented
in the 1998 FDIC visitation report relate to the institution's inadequate
BSA compliance efforts, significant weaknesses in policies and practices, and
numerous apparent violations of the rules implementing the BSA. As a result
of the weaknesses identified at the visitation and the repetitive pattern of
apparent violations, the FDIC issued a Section 8(b) Order to Cease and Desist.
The institution implemented acceptable and appropriate corrective actions,
and the Order was terminated in 2000. FinCEN assessed a civil money penalty
for deficient BSA compliance procedures and failure to comply with suspicious
activity report ("SAR") filing requirements.
Table 1: Summary of Individual Enforcement Action Case Activity
Institution Name | Enforcement Action Type | Effective Date | CMP Assessed |
Foreign-owned, state non-member bank and affiliated Federally-insured foreign branches | 8(b) / 8(b) | 2001 / 1994 | Yes / None |
State non-member institution and two principals, individually | 8(b); 8(e) / 8(e) | 2003 / 2004 | None |
Federally-insured foreign branches | 8(b) | 2000 | Yes |
State-chartered savings bank and insider, individually | 8(e) | 2000 | None |
State non-member institution and two insiders, individually | 8(b) | 2003 | None |
State non-member institution | 8(b) | 1998 | Yes |
REFINING SUPERVISORY STRATEGIES
The FDIC is proactive in the development and implementation of measures to
comply with the USA PATRIOT Act and combat money laundering and terrorist financing.
One fundamental activity has been participation in numerous interagency working
groups formed for the purpose of drafting risk-based revisions to the BSA,
as required by the USA PATRIOT Act, and developing interpretive guidance for
the financial services community. The DSC has participated in the following
working groups, which were established for the following Sections of the USA
PATRIOT Act:
- 311 - Special Measures for Jurisdictions, Financial Institutions, or International
Transactions of Primary Money Laundering Concern
- 312 - Special Due Diligence for Correspondent Accounts and Private Banking Accounts
- 313/319 - Prohibition on United States Correspondent Accounts with Foreign Shell
Banks and Forfeiture of Funds in United States Interbank Accounts
- 314 - Cooperative Efforts to Deter Money Laundering
- 324 - Report and Recommendation (On Subtitle A - International Counter Money Laundering
and Related Measures of Title III of The Act)
- 325 - Concentration Accounts at Financial Institutions
- 326 - Verification of Identification
- 327 - Consideration of AML Record
- 352 - AML Programs
In accordance with the provisions of the USA PATRIOT Act and through cooperation
with other regulatory partners, the DSC revised the BSA Examination Procedures
(Note: When the DSC released the augmented examiner guidance to the banking
industry in October 2003, it was slightly different than the guidance released
by the FRB, OCC, and NCUA. Although the revised guidance was a result of interagency
efforts, there is one notable difference. The other agencies released guidance
for only Sections 313/319 and 314 of the USA PATRIOT Act. Our examination guidance
is comprehensive and covers all of the newly issued rules required by the USA
PATRIOT Act. Given the importance of the Customer Identification Program rule
as a gatekeeper to prevent money launderers and terrorists from having access
to U.S. banks, we believed it was necessary that examiners have guidance to
review compliance with this rule as soon as possible.) to establish guidance
for reviewing AML and counter-terrorist financing ("CTF") compliance
programs. This guidance was released to examiners on August 15, 2003, and to
the banking community on October 17, 2003. The DSC is currently updating the
Division's Manual of Examination Policies to incorporate relevant provisions
of the USA PATRIOT Act, augment the OFAC guidance, and update a variety of
other sections. Furthermore, the DSC continues to work with other bank supervisors,
including the many State authorities that comprise the Conference of State
Bank Supervisors ("CSBS"), in issuing both examiner and industry
guidance.
Additionally and in relation to potential money laundering or terrorist financing
threats, the DSC changed the application review program to consider prohibitions
against certain types of relationships with financial institutions, particularly
foreign shell banks. The DSC has amended the Statement of Policy on Bank Merger
Transactions to consider the effectiveness of any insured depository institution
involved in a proposed merger transaction in combating money laundering activities,
including in overseas branches.
To help facilitate cooperation with law enforcement authorities in their ongoing
investigation of terrorist activities through the implementation of Section
314(a) of the USA PATRIOT Act, the DSC worked with the other federal banking
agencies to add emergency contact and Section 314(a) POC information to the
Consolidated Reports of Condition and Income ("Call Report"). The
POC line item ensures that the information is current and updated quarterly.
The FDIC is the first among the banking regulators to automate the process
that provides the most current POC information to FinCEN, who in turn distributes
Section 314(a) name search requests to financial institutions. Also, with respect
to Section 314(a) banker POC data, in 2004 the FDIC will function as the liaison
between FinCEN and the OCC.
Industry Outreach. The DSC has already taken steps to educate field staff
and members of the banking industry on USA PATRIOT Act and BSA compliance rules
at training conferences, seminars, Directors' Colleges, and FDIC-sponsored
training courses. In 2003 alone, FDIC staff discussed AML issues at approximately
130 different venues.
The DSC also implemented a written form of communication to distribute AML
guidance to the banking industry through Financial Institution Letters ("FILs").
The FDIC issues FILs addressing AML measures as well as lists of Specially
Designated Nationals and Blocked Persons and Specially Designated Global
Terrorists. Since 2002, the DSC has issued 16 FILs addressing BSA compliance
and AML measures. These FILs provide bankers with guidance on topics such as:
customer due diligence and detecting terrorist activity; rule changes and required
BSA forms, including changes related to the USA PATRIOT Act; and SAR Reviews,
which are prepared and issued by FinCEN. Since 2002, the DSC has also issued
68 FILs notifying the banking industry of changes to the OFAC list of terrorists
and specially designated nationals.
Furthermore, the DSC's Manual of Examination Policies as well as examination
procedures were made available to bankers via the FDIC's external website.
The DSC is in the process of incorporating BSA, AML, and CTF guidance on the
FDIC's external website.
Global Counter-Terrorist Financing Initiatives and Technical Assistance. The
DSC believes that strong governance of foreign banking programs contributes
to the stability of foreign economies, enhances trade opportunities for U.S.
companies, and reduces opportunities for money laundering. Therefore, the
DSC actively participates in working groups and technical assistance missions
sponsored by the Departments of State and Treasury to assess vulnerabilities
to terrorist financing activity worldwide and to develop and implement plans
to assist foreign governments in the enforcement efforts directed towards
financial crimes. To facilitate its commitment to these assignments, the
FDIC established a twenty-two member task force comprised of examiners and
attorneys that have received specialized AML and CTF training.
In 2002, the FDIC provided AML technical assistance and CTF training to the
governments of the Republic of the Marshall Islands, Fiji, and Pakistan. Also in
2002, FDIC's staff met with supervisory and law enforcement representatives,
senior prosecutors, and financial intelligence unit directors from Brazil,
St. Lucia, Dominica, Barbados, St. Vincent and the Grenadines, Antigua, Grenada,
Chile, and Russia. Another foreign-directed BSA training program was held by
the FDIC for representatives from Germany, Armenia, Venezuela, Bosnia and Herzegovina,
Serbia, Bulgaria, Hungary, Canada, Estonia, Hong Kong, China, Indonesia, Japan,
Thailand, Czech Republic, Mozambique, and Turkey.
In 2003, FDIC experts participated in technical assessment missions to Bangladesh,
the Republic of Palau, Macau, China, and Panama and also provided AML and CTF
training to regulators from Bahrain, Egypt, Jordan, Pakistan, Qatar, Saudi
Arabia, Panama, Brazil, Argentina, Paraguay, Venezuela, Thailand, Malaysia,
Philippines, and Indonesia. Also, in 2003, FDIC met with supervisory representatives
from Anguilla, Antigua, Armenia, Aruba, Austria, the Bahamas, Barbados, Barbuda,
Belize, Brazil, British Virgin Islands, the Cayman Islands, Dominica, Estonia,
Grenada, Guyana, Haiti, Italy, Jamaica, Montserrat, Netherlands Antilles, Poland,
Russia, St. Kitts and Nevis, St. Lucia, St. Vincent and the Grenadines, Suriname,
Taiwan, Trinidad and Tobago, and the Turks and Caicos Islands. In addition,
the FDIC provided training to central bankers from Korea, Nigeria, and Bahrain
on AML and the USA PATRIOT Act. In all cases, the visitors were very interested
in the FDIC's AML examination programs and our progress in implementing
the USA PATRIOT Act provisions.
Also, the FDIC has participated in a number of meetings with the FATF on developing
anti-money laundering recommendations, including the October 2001 extraordinary
plenary held in Washington, D.C. This plenary developed several anti-terrorist
funding recommendations that are currently used as standards by the international
community when assessing a country's vulnerabilities to terrorist funding
and the adequacy of the measures it has in place to curtail such activity.
The FDIC continues to participate in FATF's WGTF through interagency
meetings held at the Treasury.
Furthermore, through participation on the Basel Committee, the FDIC has been
involved in the decision-making process that led to the approval and issuance
of a number of international guidelines on money laundering. For example, the
DSC participated in the decision-making process of the Basel Committee in reviewing
the "Know Your Customer" risk management report and evaluated the
progress report on jurisdictions with cross-border banking impediments.
Domestic Anti-Money Laundering and Counter-Terrorist Financing Initiatives.
For many years, the DSC has worked with the Treasury, FinCEN and the other
banking agencies in setting international standards, developing policies, and
implementing best practices to combat money laundering and more recently, terrorist
funding, as part of the United States AML regime. For example, the Money Laundering
Suppression Act of 1994 required the agencies, in consultation with the Treasury
and appropriate law enforcement agencies, to review and enhance their procedures
to better evaluate financial institutions' programs to identify money
laundering schemes involving depository institutions. This statute led to an
interagency project to revise examination procedures. Since then, the DSC continues
to work with the other federal and state banking agencies to issue risk-focused
examination procedures designed to evaluate a financial institution's
AML program and compliance with the BSA and rules implementing the USA PATRIOT
Act.
Since 1999, the DSC has participated in the Steering Committee to oversee
the implementation of the National Money Laundering Strategy, an annual effort
led by the Departments of Justice and Treasury. The interagency effort was
required by the Money Laundering and Financial Crimes Strategy Act of 1998.
The DSC works with each of the sub-groups charged with addressing the Strategy's
action items related to the supervision of financial institutions. The DSC
also participates in a workgroup to draft the "International Narcotics
Control Strategy Report," which is the Department of State's annual
report on illicit drug-control and money laundering activities.
Finally, another of the DSC's proactive efforts to ensure that examiners
can better identify money laundering schemes is our participation in the planning
and development of AML training for examiners that is sponsored by the Federal
Financial Institutions Examination Council ("FFIEC").
OVERALL ASSESSMENT OF DSC SUPERVISORY APPROACH
The DSC agrees that a vigilant BSA supervisory program requires that appropriate
supervisory actions be taken to support compliance with Treasury and FDIC guidance.
Our supervisory processes are risk focused and designed to correlate our efforts
to areas of risk, thereby deploying appropriate emphasis across a continuum
of low- to high-risk areas. Thorough examiner assessment and our internal supervisory
reviews are critical to these determinations. The DSC is committed to proactive,
vigilant, and effective examination processes to monitor and mitigate risks
in the institutions we supervise. The DSC continues to assess potentially high-risk
situations, through onsite and offsite examination programs, and is confident
that our supervision of such situations is effective and efficient.
Overall, the DSC has been responsive to the intent of the BSA by establishing
a comprehensive supervisory approach, which includes conducting BSA compliance
examinations and ensuring an appropriate supervisory approach when BSA concerns
exist in FDIC-supervised institutions. Additionally, the DSC has been proactive
in addressing recent changes to the BSA by being an active participant in the
USA PATRIOT Act rulemaking process, incorporating those rules into examiner
and industry guidance, providing various forms of examiner and industry training
and outreach sessions, and assisting in global AML and CTF efforts.
APPENDIX A: OIG AUDIT OF DSC's BSA
The FDIC OIG conducted an audit concerning the BSA. The draft audit report
Supervisory Actions Taken for Bank Secrecy Act Violations was issued February
20, 2004. The objective of the audit is to determine whether FDIC adequately
follows up on BSA violations reported for FDIC-supervised financial institutions,
to ensure the institutions take appropriate corrective action. The OIG's
sample for the audit consisted of a large percent (63 percent) of banks that
are not located in MSAs. Statistically, FDIC-supervised financial institutions
are located in more rural areas. Additionally, in these non-MSA institutions,
management and staff have considerably more knowledge of the customer base,
and therefore a significantly reduced risk of money laundering exists.
Appendix A provides an evaluation of institutions in the OIG's sample,
wherein the OIG determined that the DSC did not have adequate follow-up (Note:
Adequate follow up as described by the OIG must occur within 12 months.) to
the violations and criticisms cited in the sampled reports of examination (see
Table 2). Each Regional Office ("RO") provided an analysis of the
supervisory approach taken regarding each of the criticized institutions. The
following analysis discusses the OIG's concern(s), the supervisory approach
to the criticized issues, and an overall conclusion of the supervisory approach.
This analysis also considers each institution's BSA risk coupled with
the supervisory approach.
Data on Table 2 represents: (a) the 43 institutions in the OIG's original
sample (two institutions were removed from the OIG sample); (Note: Two institutions
were removed from the OIG's sample in January 2004. The reason(s) for
the removal is unknown.) (b) limited supervisory data; (c) asset-ranges; (d)
the OIG's assessment of the DSC's supervisory approach to each
institution's situation (the OIG determined that an adequate follow-up
process should occur within 12 months, and as part of that process the DSC should
issue an enforcement action for repeat violations); and (e) the DSC's
evaluation of its supervisory approach related to each institution. For the
17 institutions where the OIG determined that DSC had an adequate follow-up
process (2, 4, 6, 7, 10, 13, 15, 16, 18, 22, 28, 29, 31, 32, 35, 36, and 38),
no further analysis is provided. However, for the 24 institutions where the
OIG determined that DSC did not have an adequate follow-up process, a comprehensive
evaluation of DSC's supervisory approach is documented. Additionally,
there is an analysis regarding the supervisory approach taken for the two institutions
eliminated from the sample since those institutions were categorized as having
an inadequate follow-up process by the OIG in January 2004: the two institutions
were unexpectedly removed from the sample during the DSC analysis phase.
The DSC's assessment of its supervisory program is that appropriate
corrective measures were taken with all institutions in the sample. The DSC's
finding for the sampled institutions is that in the vast majority (38 of 41,
or 92.7 percent) of instances, the DSC responded expeditiously while incorporating
sufficient response time for bank management to correct identified problems.
In serious cases where bank management willfully neglected BSA rules or was
unresponsive to regulatory criticism and guidance, or when the DSC identified
insider abuse, enforcement action was taken. The assessment of the OIG's
sample confirms the DSC's effective supervisory approach regarding FDIC-supervised
institutions' compliance with the BSA. However, the DSC recognizes that
in three of the 41 (7.3 percent) institutions, a more expeditious response
should have occurred.
None of the OIG's sampled institutions have money laundering problems,
reputational risk related to the BSA, or increased safety and soundness risk
to the institution. Rather, most of the institutions had internal weaknesses
that could be easily strengthened, addressed, and corrected by management and
monitored with the normal supervisory approach employed by the DSC.
The OIG sample did not target geographic concentrations of higher money laundering
risk, or institutions where money laundering has been suspected or detected.
The OIG also did not look at supervisory actions taken in instances of serious
BSA program deficiencies, analyze the risk for money laundering in the
sample institutions, have discussions with examiners, or assess the BSA examination
process.
The map inserted on page 19 (the map has been removed from this document to
protect the identities of the OIG-sampled institutions) displays the OIG's
sampled institutions delineated between metropolitan areas, non-metropolitan
areas, and HIFCAs (to show geographic areas of high-risk in regard to potential
money laundering). Only two of the 41 financial institutions included in the
OIG audit sample are located within HIFCAs. Additionally, the map inserted
on page 20 (the map has been removed from this document to protect the identities
of the OIG-sampled institutions) shows institutions identified by the OIG as
having inadequate follow-up.
The DSC closely monitors and escalates its supervisory approach, as necessary,
for institutions located in HIFCAs and other metropolitan areas as well as
institutions that have a high volume of reportable transactions. Based on our
review of the seven-year audit period, the majority of formal enforcement actions
taken by the FDIC against financial institutions and individuals occurred in
HIFCAs, which, in our opinion, supports the designation of such areas.
Table 2
OIG Bank Sample
Institution #1 Low BSA Risk
Year | Total Assets ($ Million) | Rating | BSA Violations (#) |
2003 | $101 - $125 | Highly Rated | (1)-Inadequate controls/326.8(b) |
2002 | $51 - $100 | Highly Rated | (1)-Independent testing/326.8(c)(2) |
2000 | $51 - $100 | Highly Rated | (1)-Independent testing/326.8(c)(2) |
1999 | $51 - $100 | Highly Rated | NA |
1997 | $51 - $100 | Highly Rated | None |
State performs review of prior BSA violations.
OIG Concerns:
OIG indicated the following concern from the 2000 examination.
1. Independent testing of BSA had not been performed by bank personnel,
consultants, or external auditors. Bank management agreed to have testing
performed in 2000.
Follow-up by the state examiners during the 2002 examination indicated
that the bank was still in violation and had not performed independent BSA
testing.
Report of Examination ("ROE") dated 2003 does not specifically
address independent BSA testing.
OIG indicated the following concern from the 2003 examination.
2. Examiners found 25 cases totaling $225,000 where cash withdrawals from
checking accounts were just below $10,000. Bank management agreed to review
large cash items, continue to monitor this account, and comply with the provisions
of the BSA.
Supervisory Actions:
1. A violation of Section 326.8 (c)(2) was cited at the 2000 FDIC examination
for failure to provide for an independent test of the bank's compliance
with BSA. No other BSA violations were cited. The ROE notes that BSA practices
at the bank are adequate. The interim president stated that the bank's
external auditors would perform the test in 2000.
The bank's response letter to the ROE findings and transmittal letter,
in 2001, indicates that the bank's external auditors had not yet conducted
a BSA review but would include a review as part of their audit.
The bank's external auditors had not reviewed BSA by the next examination,
which was conducted by the state. A violation of Section 326.8 (c) was cited
in the state's 2002 examination for failure to provide for independent
testing. The bank's auditors had conducted a BSA review by the time of
the next FDIC examination. The work papers for the 2003 FDIC examination include
documentation of the bank's external auditor performing an independent
test of BSA at their audit in 2002.
2. Bank management, in response to the ROE findings and transmittal letter,
agreed to review large cash items, continue to monitor these accounts, and
comply with the provisions of the BSA.
Assessment of Follow-up Action:
While Section 326.8(c) violations were cited at consecutive examinations, the
violations were isolated and technical in nature and the overall BSA compliance
program was considered adequate. Management obtained an independent review
of the program prior to the subsequent FDIC examination; therefore, no additional
follow-up supervisory action was necessary. Given the bank's small
asset size, rural location, low volume of reportable transactions, adequate
management, and no prior BSA supervisory concern, follow-up on management
deficiencies within the regular examination cycle is considered appropriate.
Institution #3 Low BSA Risk
Date | Total Assets ($Million) | Rating | BSA Violations (#) |
2002 | $126 - $150 | Highly Rated | NA |
2001 | $101 - $125 | Highly Rated | None |
1999 | $51 - $100 | Highly Rated | NA |
1998 | $51 - $100 | Highly Rated | (1)-Independent testing/326.8(c)(2) |
State performs review of prior BSA violations.
OIG Concern:
Adequate independent testing at the bank had not been conducted. This violation
was also cited in the 1995 examination. Bank management assigned an independent
employee at the bank to perform the testing.
Supervisory Actions:
The 1995 FDIC compliance examination of this $51 - $100 million bank cited
violations of Sections 326.8 (b) and (c)(2) for not having an adequate compliance
program, due to a lack of independent testing. The BSA officer was also responsible
for reviewing the adequacy of the bank's compliance program. No other
BSA exceptions were cited in the 1995 examination. The bank's 1995 response
to the ROE transmittal letter states that management had reviewed the BSA policy
and that the policy would be amended to include a system of independent testing
for compliance by bank personnel or by an outside party. The response also
stated that the subject was reviewed by the CPA firm that does the bank's
directors' audit and that testing for compliance will be included in
their report to the directors.
The 1998 ROE again noted a violation of Section 326.8(c)(2) for lack of independent
testing. The examiners recognized independent testing by the bank's CPA,
but the testing was conducted in the form of questioning employees regarding
their knowledge of BSA. The method of testing was not considered adequate independent
testing. The ROE further notes that the bank president designated an employee,
who was independent of the BSA function, during the examination to periodically
perform testing on an ongoing basis. No other BSA problems were noted.
The bank provided a report of an audit conducted by the bank's CPA firm in
1998, which stated that the CPAs had: (1) reviewed the bank's policy; (2)
noted that training sessions are conducted for all new hires and annually for
all staff; (3) noted that CTRs, the large items report, and the uncollected funds
reports are reviewed daily; (4) noted that monthly internal audits of BSA compliance
are conducted by formal reports; and (5) sampled CTRs filed in 1998
for completeness and timeliness. The audit report findings stated that the
BSA system appeared to ensure BSA compliance.
Assessment of Follow-up Action:
Bank management responded to and addressed the problem within four months of
the 1995 examination. The repeat nature of the violation in the 1998 examination
is not due to a lack of testing, but to the thoroughness of testing. When
identified during the 1998 examination, the bank again responded immediately
during the examination. The bank also provided documentation from a CPA audit
in 1998 (a copy was sent to the RO) confirming the form and type of testing.
Institution #5 ("inactive") Low BSA Risk
Date | Total Assets ($Million) | Rating | BSA Violations (#) |
1999 | $101 - $125 | Highly Rated | NA |
1998 | $51 - $100 | Highly Rated | (8)- Improper exemption or limit/103.22(b),(c) |
State performs review of prior BSA violations.
OIG Concern:
Follow-up of apparent violations cited for inappropriate exemption limits in
the 1998 ROE exceeded 12 months.
Supervisory Action:
Bank is INACTIVE. The bank had established inappropriate exemption limits for
six exempted customers, as a result of a misinterpretation of the regulation.
The violations were technical in nature involving CTRs and corrected at the
examination. The issue of backfiling was referred to the IRS. The IRS sent
a letter in 1998 to the bank discussing the issue and did not require the
bank to backfile the CTRs. The level of follow-up is appropriate for this
type of violation. The bank was merged into another institution in 2000.
Assessment of Follow-up Action:
During the examination, management corrected the exemption limits and indicated
that the IRS would be contacted concerning backfiling of CTRs. Supervisory
action was appropriate, given the isolated and technical nature of the infractions,
as well as the overall low-risk BSA profile of the institutions.
Institution Removed from OIG sample in January 2004 Low BSA Risk
Date | Total Assets ($Million) | Rating | BSA Violations (#) |
2003 | Over $500 | Highly Rated | None |
2001 | Over $500 | Highly Rated | (52) - CTR filing errors/103.27(d) |
2000 | Over $500 | Highly Rated | None |
1999 | Over $500 | Highly Rated | None |
1998 | $251 - $500 | Highly Rated | None |
1997 | $251 - $500 | Highly Rated | None |
State does not include BSA examination procedures within the scope of its regular examinations, but does conduct follow-up on BSA violations cited in prior examinations.
OIG Concern:
Follow-up did not occur within 12 months on violations and concerns cited in
FDIC ROE dated in 2001. Bank was subsequently (January 2004) eliminated by
OIG from final report.
Supervisory Actions:
The 2001 ROE cited apparent violations of Part 103 for incorrectly filling
out numerous CTRs. Specifically, management failed to check boxes to indicate "multiple
persons" and did not provide information for customers "doing
business as" within the appropriate areas on the forms. Management
committed to corrective action during the examination. These infractions
were considered to be technical in nature and did not result in any type
of formal action. The state conducted an examination in 2003 and determined
that the institution had corrected the deficiencies resulting in the violations
cited at the FDIC examination. Although the state ROE does not comment on
BSA, a scope memorandum provided by the state indicates that corrective action
relating to prior BSA violations would be reviewed.
Although the OIG indicates that these violations are repeated from prior examinations,
the region asserts that prior to the 2001 examination there had not been any
other violations cited in previous ROEs of this bank through the OIG's
audit period.
Bank Profile:
Bank is over $500 million in total assets serving a small state, as well as
the southern portion of an adjoining state. The county reports a population
of just over 200,000. Bank has been highly rated since 1993. Bank management
has been highly rated since 1997.
Assessment of Follow-up Action:
The apparent violations were technical in nature. The bank is financially sound
with strong management. Overall BSA compliance program is adequate and management
committed to corrective action. The RO did not pursue a formal response due
to management's commitment during the examination to correct the deficiencies.
The state followed up on the FDIC examination findings with a review of prior
violations (including BSA) within 15 months and did not repeat the criticism
in this area.
Institution Removed from OIG sample in January 2004 Low BSA Risk
Date | Total Assets ($Million) | Rating | BSA Violations (#) |
1998 | $51 - $100 | Highly Rated | (1)- Written BSA Policy/326.8(b);
(1)- Independent Testing/326.8(c)(2);
(1)- BSA Officer/326.8(c)(3) |
Bank merged with another bank in 2000.
OIG Concern:
Follow-up did not occur within 12 months on violation cited in the 1998 FDIC
ROE. Bank was subsequently (January 2004) eliminated by OIG from final report.
Supervisory Action:
The 1998 ROE cited apparent violations of Section 326.8 for failure to have
a written BSA program, lack of method for independent testing, and failure
to designate a BSA Officer. However, examiners deemed the procedures for
BSA compliance to be satisfactory. Management committed to corrective action
during the examination. The bank merged with another institution in 2000.
Although the OIG indicates that these violations are repeated from prior examinations,
the region asserts that prior to the 1998 examination there had not been any
other violations cited in previous ROEs of this bank through the OIG's
audit period.
Bank Profile:
Bank is INACTIVE. At the time of the last examination, the bank was a $51-$100
million institution in a northeast state. The bank was highly rated at its
last examination, a rating which dates back to 1992. Bank management had
been highly rated since 1983, which includes the last five FDIC examinations.
Assessment of Follow-up Action:
The overall BSA compliance program is adequate; however, procedures were not
condensed to writing. Bank management was criticized during examination,
but formal response was not required from the institution due to a commitment
to implement corrective action. The bank merged with another institution
prior to a subsequent examination.
Institution #8 Moderate BSA Risk
Date | Total Assets ($Million) | Rating | BSA Violations (#) |
2003 | $51 - $100 | Highly Rated | None |
2002 | $51 - $100 | Highly Rated | None |
2000 | $51 - $100 | Moderately Rated | (10) - Late CTR Filings/103.27(a);
(1) - Inadequate controls/326.8(c)(1) |
1999 | $51 - $100 | Low Rated | None |
1998 | $51 - $100 | Moderately Rated | (1) - Independent testing/326.8(c)(2) |
State does include BSA examination procedures within the scope of its regular
examinations.
OIG Concern:
Follow-up did not occur within 12 months on violations and concerns noted in
1998 FDIC ROE.
Supervisory Action:
The 1998 ROE cited apparent violations of Section 326.8(c)(2) for lack of independent
testing of the BSA compliance program. During the examination, bank management
committed to corrective action. The 1999 ROE from the state bank regulator
cited numerous errors in CTRs, but did not repeat the criticism of independent
testing. Apparent violations of Sections 103.27(a)(1) and 326.8(c)(1) were
cited at the 2000 FDIC examination, due to numerous late filings of CTRs
and several deficiencies in the internal control structure of the bank. Independent
testing at the 2000 examination was deemed to be adequate. Due to the poor
financial condition of the bank and pronounced management deficiencies noted
in the 1999 state regulator ROE, the institution entered into a MOU. Provisions
within the MOU did not specify BSA weaknesses; however, there was a provision
requiring management to correct all violations cited within the ROE, which
includes those cited for BSA. Substantial compliance was not noted until
the 2002 FDIC examination.
Bank Profile:
Bank is a $51-$100 million institution in a northeast state. The bank has experienced
some problems, indicated by the low rating assessed in 1999 and moderate
rating as recently as the 2000 examination. However, the institution was
upgraded to highly rated in the 2002 examination. Bank management is currently
highly rated. However, management has been rated moderate or low at examinations
dating back to 1996.
The bank is considered a moderate BSA risk due to overall management deficiencies
within the institution, continued identification of weaknesses in the BSA compliance
program, and examiner discovery of potential transaction structuring at the
2000 and 2002 FDIC examinations. As a result of the 1998 FDIC examination,
the institution was more closely watched by the RO.
Assessment of Follow-up Action:
In general, the DSC concurs with the OIG regarding the follow-up for this bank.
The RO is unable to locate documentation supporting the actions taken to
ensure the bank corrected deficiencies noted in the 1998 ROE.
A safety and soundness MOU was entered into as a result of the 1999 state
examination; however, the state examination does not cite any BSA weaknesses,
therefore, the MOU does not address BSA. The apparent violations of BSA cited
in the 2000 ROE address different program weaknesses than those cited in 1998
and are not considered repeat violations. As a result of the findings from
the 1998 examination, the institution was more closely watched by the RO.
Institution #9 Moderate BSA Risk
Date | Total Assets ($Million) | Rating | BSA Violations (#) |
2002 | $101 - $125 | Highly Rated | (12)- Instruments Log/103.29(a);
(4)- CTR filing errors/103.27(d);
(4)- Late CTR filings/103.27(a);
(3)- Exemption/103.22(d)(5)(i);
(1)- Identification procedures/103.28 |
2000 | $51 - $100 | Highly Rated | NA |
1999 | $51 - $100 | Highly Rated | None |
1997 | $51 - $100 | Highly Rated | NA |
State conducts limited-scope follow-up on banks' corrective actions to
address violations cited at prior FDIC examinations.
OIG Concern:
The OIG cited concerns over supervisory follow-up for violations cited at the
2002 examination. All of the violations noted at this examination were attributed
to errors in CTR filings.
Supervisory Action:
The violations were largely attributed to failures to complete the CTR form
fully and within the 15-day reporting requirement. Failures to record
the sale of monetary instruments over $3,000 also resulted in apparent violations.
The examiners discussed these issues with bank management during the examination
and received a commitment to implement corrective action, including increased
training and expanded review process.
Assessment of Follow-up Action:
Given the BSA history of the bank, management's responsiveness to BSA
deficiencies, small asset size, rural location, and adequate management, supervisory
follow-up that consists of review at the next examination is considered appropriate.
Institution #11 Low BSA Risk
Date | Total Assets ($Million) | Rating | BSA Violations (#) |
2002 | $51 - $100 | Highly Rated | NA |
2001 | $51 - $100 | Highly Rated | None |
1999 | $51 - $100 | Highly Rated | NA |
1998 | $26 - $50 | Highly Rated | (6)- CTR filing/103.22(a);
(1)- Improper exemption or limit/103.22(b),(c);
(1)- Inadequate controls/326.8(b) |
The state does not examine for BSA or provide meaningful follow-up on FDIC
violations.
OIG Concern:
The OIG's draft report cited concern over FDIC supervisory follow-up
of apparent violations cited within the 1998 ROE.
- Bank president stated repeat violations will not occur and that the BSA
program is being delegated to a vice president who has a good working knowledge
of these regulations.
- The ROE states that violations of Section 103.22(b) and (c) are a repeat
from the 1995 FDIC compliance examination.
- The ROE stated repeat violations of Section 326.8 may result in potential
civil money penalties or a cease and desist order.
Supervisory Actions:
- The 1998 ROE cites a Section 326.8(b) violation for failure to implement
an adequate BSA compliance program. The ROE also warns the bank that if not
corrected, repeat violations may result in civil money penalties. The repeat
violation statement is a warning to management, not a repeat of a previously
cited Section 326.8(b) violation. The response to the 1998 ROE indicates
that the bank took action to adequately address the BSA violations. The response
details actions taken to effect correction, including the elimination of
all CTR exemptions previously granted. Since the 1998 ROE did not reflect
a repeat Section 326.8(b) violation, no formal or informal corrective action
was necessary, and positive responses from management were immediate with
the first corrective actions taken during the examination.
- The repeat violations of Sections 103.22(b) and (c) are technical issues.
The bank is located in a rural area, has a small asset size, and a low volume
of reportable transactions. The violations stem from one customer (with two
gasoline/mini-mart business accounts) whose activity had been reviewed and
who was granted exemptions for CTR filings. These exemptions had not been reviewed
on an annual basis, and the exemption amount was required to be adjusted by
$4,000. The bank's compliance program at the 1998 examination was deemed
reasonable to assure and monitor compliance with BSA. The response to the 1998
ROE indicates the bank took action to adequately address the BSA violations.
As a result, follow-up consisted of a regular-scope BSA review at the next
examination. No violations were noted at the next examination. Follow-up at
the next examination was appropriate.
- The ROE comment was a reminder to management of the potential for civil
money penalties if violations were not corrected. These comments do not imply
that civil money penalties were being considered, or that repeat violations
of Section 326.8(b) occurred.
Assessment of Follow-up Action:
Given the bank's small asset size, rural location, low volume of activity,
adequate management, and history regarding knowledge of the BSA, follow-up
that consists of review at the next examination is considered appropriate.
Subsequent examination activity supports this conclusion.
Institution #12 Low BSA Risk
Date | Total Assets ($Million) | Rating | BSA Violations (#) |
2003 | $126 - $150 | Moderately Rated | None |
2002 | $101 - $125 | Highly Rated | NA |
2000 | $51 - $100 | Highly Rated | (1) - Inadequate controls/326.8(b) |
1999 | $51 - $100 | Highly Rated | None |
1998 | $51 - $100 | Highly Rated | (1) - Inadequate controls/326.8(b) |
State performs review of prior BSA violations.
OIG Concern:
- The 1998 ROE cited a violation for failing to provide for adequate administration
of the BSA program, which was supported by a combination of deficiencies:
the bank had not independently tested BSA compliance, had not established
procedures for detecting multiple cash transactions aggregating over $10,000
in one business day, and had not filed two CTRs. The combination of these
deficiencies led to the conclusion that the BSA program was not adequately
administered. The ROE stated bank management will implement procedures relating
to the recommendations to correct the violation of Section 326.8(b).
- At the 2000 examination, a violation of Section 326.8(b) was cited. The
president committed to reviewing BSA via independent testing and revising and
approving BSA policy.
- The 2002 state examination indicates a repeat violation. Bank management
indicated computer-generated reports will be reviewed daily and used for independent
testing.
Supervisory Actions:
- The draft audit report does not include information from the 1999 state
ROE indicating an interim period of corrective action for the Section 326.8(b)
violation. The bank corrected the independent testing deficiency as noted
by a 1998 letter to the FDIC RO from the bank's president that contained
a copy of the bank's 1998 directors' examination, conducted by
a CPA firm that included a review of BSA.
- The 2000 FDIC examination cited a violation of Section 326.8(b). That determination
was made because the bank had not independently tested BSA since the 1998
CPA review, and had not kept its BSA policy current or approved it annually.
The FDIC examination indicates that overall procedures are generally adequate
to prevent reportable transactions from going undetected. The bank's
2000 response to the transmittal letter indicates that the bank plans for testing
of BSA in the very near future.
- In the 2002 state examination, Section 326.8 violations were noted for
lack of independent testing. Once again, the bank was found to have adequate
policies and procedures. The state considered this to be a repeat violation,
but made the determination that internal bank procedures implemented during
the examination were sufficient to correct the violation and preclude regulatory
action. The 2003 ROE notes that the BSA violations have been corrected.
Assessment of Follow-up Action:
The original violation was corrected shortly after the 1998 examination;
an intervening state examination (1999) reported no BSA concerns; and the
2000 FDIC examination violation was cited for a different combination of
deficiencies. Although the 2002 state examination again noted a violation
for no independent testing, the state was satisfied with the corrective measures
implemented during the examination. The subsequent FDIC examination (2003)
confirmed compliance. Bank management has demonstrated an ability and willingness
to correct deficiencies. Given the bank's past corrective actions,
small asset size, rural location, low volume of reportable transactions,
adequate management, and history of compliance with the BSA, follow up that
consists of review at the next examination is considered appropriate.
Institution #14 Moderate BSA Risk
Date | Total Assets ($Million) | Rating | BSA Violations (#) |
2002 | $151 - $200 | Low Rated | (17)- Late CTR filings/103.27(a);
(16)- CTR filing errors/103.27(d);
(13)- Annual review/103.22(d)(4);
(13)- Exempt documentation/103.22(d)(6)(i);
(11)- Instruments log/103.29(a);
(11)- Record retention/103.38(d);
(10)- Biennial exemption/103.22(d)(5)(i);
(2)- CTR filings/103.22(b)(i);
(1)- Inadequate program/326.8(b) |
2000 | $151 - $200 | Highly Rated | NA |
1999 | $126 - $150 | Highly Rated | (1)-Inadequate controls/326.8(c)(1);
(1)-Independent testing/326.8(c)(2) |
1997 | $101 - $125 | Highly Rated | (1)-Inadequate controls/326.8(c)(1);
(1)-Independent testing/326.8(c)(2);
(1)-BSA Officer/326.8(c)(3);
(1)-Inadequate Training/326.8(c)(4);
(1)-CTR Filing/103.22(a) |
State does not examine for BSA. Within the past 2 or 3 years the state has
begun to perform limited follow up on violations cited at prior FDIC exams.
OIG Concern:
- Violations cited at the 1997 examination are not separately entered into
ViSION.
- None of the 94 violations cited in the 2002 ROE are listed in ViSION. The
regulations are Sections 326.8(c)(1), 103.29(a), 103.29(a)(1)(ii), 103.29(a)(2)(i),
103.29(a)(2)(ii), 103.22(b)(1), 103.27(a)(1), 103.27(d), 103.22(d), 103.22(d)(6)(i),
103.22(d)(4), 103.22(d)(5)(ii), 103.22(d)(6)(x), 353.3(a), 353.3(a)(2), 353.3(b)(1).
- Time frame for corrective action was protracted.
Supervisory Actions:
- The violations cited at the 1997 examination are included in ViSION with
the safety and soundness examination.
- The violations cited at the 2002 examination are listed in ViSION with
a 2003 examination date.
- The 1997 ROE comments noted a BSA violation, as the bank policy did not
address independent testing. The bank's CPA firm was scheduled to conduct
testing during third quarter of 1997. The 1999 ROE comments noted repeat violations
of Section 326.8(c)(1) and (2). Supervisory action occurred at the next examination.
Assessment of Follow-up Action:
The DSC concurs in general with the OIG regarding the follow up for this bank.
It appears that the violation of Sections 326.8(c) (1) and (2) existed across
examination cycles; however, follow-up action after the 2002 examination
was timely, extensive, and successful. The RO issued a MOU in 2003 to address
BSA deficiencies. A 2003 visitation was conducted to monitor progress with
the MOU. At the visitation, all deficiencies were found to have been addressed
and/or corrected, and sufficient BSA controls are in place.
Institution #17 ("inactive") Low BSA Risk
Date | Total Assets ($Million) | Rating | BSA Violations (#) |
1998 | $51 - $100 | Highly Rated | (2)- Instrument logs/103.29(a)(2);
(4)- Improper exemption or limit/103.22(b),(c);
(3)- CTR filing errors/103.27(d);
(1)- Independent testing/326.8(c)(2) |
Bank merged with another institution in 1999.
OIG Concern:
OIG indicated the following concern from the 1998 examination.
"The violation code for 103.22(b) is 60000 not 60001. The violation
code for 103.27(d) is 63001 not 63000. An additional violation 103.29(a)(2)
is in the ROE that's not in VISION. The BSA officer stated the apparent violations
resulted from oversight and more care would be taken to prevent future occurrence.
The president committed to implementing the examiner's recommendations. This
bank became inactive after this examination in 1999."
Supervisory Action:
[NOTE: The violation codes in effect at the time of this examination are based
on Regional Director Memorandum ("RD Memo") 96-085, which was
superseded in 1999 by RD Memo 99-066, which was then superseded by RD 03-048.
Thus, the violation code used to capture the 103.29(a)(2) citation was eliminated
in 1999 due to a change in the BSA regulation.]
The bank merged into another institution in 1999. The bank, as well as management,
was highly rated at the 1998 examination. The bank was cited for four
BSA violations: improperly setting exemption limits; inadequate independent
testing; incomplete CTRs; and missing documentation on monetary instruments.
The first and last were repeat violations from the 1995 compliance examination.
During the examination, the bank president committed to correct the violations
cited. In 1998, the examiner-in-charge met with the bank's directorate
to present the findings of the examination and noted the BSA violations. An
e-mail in 1998 memorializes the meeting with the board of directors. Again
in 1998, the RO notified FinCEN that the RO requested that the bank contact
FinCEN for guidance on CTR backfiling.
In a letter dated in 1998, management indicated that corrective action was
taken to eliminate future BSA violations. Management also included a progress
report on each item of BSA-related criticism noted in the ROE.
Bank Profile:
The bank is INACTIVE. This institution was a $51-$100 million well-managed
institution, which was highly rated for four consecutive examination cycles
dating back to 1993. The bank's trade area was primarily rural, with
a moderate population estimated at about 60,000. The money-laundering risk was
low. The board of directors and operating management were regarded as active
and conservative. Management was highly rated since 1992.
Assessment of Follow-up Action:
Supervisory action included meeting with the directorate, sending notification
to FinCEN, and receiving a progress report from bank management that indicated
corrective action. Supervisory action was completed within 100 days from
the examination start date. Adequate supervisory action was taken as the
bank corrected apparent violations during the normal course of business.
Institution #19 Low BSA Risk
Date | Total Assets ($Million) | Rating | BSA Violations (#) |
2003 | $0 - $10 | Highly Rated | NA |
2003 | $11 - $25 | Moderately Rated | (18)- CTR filing errors/103.27(d);
(1)- Inadequate controls/326.8(c)(1);
(1)- Independent testing/326.8(c)(2) |
2002 | $11 - $25 | N/A | N/A |
2002 | $11 - $25 | Low Rated | None |
2001 | $11 - $25 | Low Rated | (1) - Independent Testing/326.8(c)(2) |
2000 | $11 - $25 | Moderately Rated | NA |
1999 | $0 - $10 | Highly Rated | (1) - Independent Testing/326.8(c)(2);
(1) - BSA Officer/326.8(c)(3) |
1998 | $0 - $10 | Highly Rated | NA |
1997 | $0 - $10 | Highly Rated | None |
State does not perform BSA examinations or review prior BSA violations.
OIG Concern:
The OIG notes a repeat violation from 2001 and 2003 examinations pertaining
to Section 326.8 (c)(2), lack of adequate independent testing. Given that this
institution was placed in the inadequate follow-up period of 49 to 60 months,
it appears that the OIG criticism may stem from the violations cited in the
1999 examination.
Supervisory Action:
The RO was unable to obtain the 1997 ROE from archives by the OIG's deadline.
The 1999 ROE notes two BSA-related violations: the lack of a specially designated
individual to monitor BSA compliance; and the lack of adequate independent
testing. The ROE notes that procedures are generally adequate considering the
level of activity, size, and customer base. In a transmittal letter dated 1999,
the FDIC requested that management submit a response to the FDIC containing
its corrective measures regarding the ROE findings. The RO received correspondence
from the bank in 1999, stating that the violations had been corrected.
The 2000 examination conducted by the state did not include a review of BSA
compliance. The state entered into a MOU with the bank subsequent to this examination
to address all safety and soundness concerns.
The 2001 FDIC examination found the bank's condition deteriorated significantly.
The bank and management were rated low. The ROE noted a repeat violation for
failure to provide independent testing for the BSA program. The examiners received
management's commitment to correct the violation. The bank was later
placed under an informal corrective action in 2001 that included a provision
for the correction of violations cited during the examination, including the BSA
program violation. Bank management submitted several reports detailing progress
with the informal action. The first progress report in 2001 stated that all
violations had been corrected and that an outside compliance audit had been
completed. Subsequent quarterly progress reports all state that the "BSA
violation has been addressed and reviewed. The bank will include this issue
in the next third party review."
The 2002 ROE reflects the bank's serious and ongoing deterioration.
The bank was again rated low, and considered a potential failure. The ROE states, "The
BSA violation concerning the independent testing for compliance with financial
recordkeeping requirements has been corrected." No BSA-related violations
were cited during the examination.
The 2003 ROE cites a violation of Section 326.8 of the FDIC Rules and Regulations
in addition to Section 103.27(d) for incomplete CTRs filed during 2002. A violation
of Section 326.8(c)(1) was also cited. The ROE notes that management committed
to correct the violations. The bank provided a response to the examination
dated in 2003, stating that it would adhere to the regulations.
The 2003 state bank regulator's ROE notes that management stated that
the violations had been corrected and that measures had been implemented to
prevent recurrence.
Bank Profile:
The bank is a $0–$10 million institution located in a small town in
the southwestern part of the United States, with a population of less than 600.
The local economy is based on diversified manufacturing, agribusiness, oil-field
operations, and service industries. The bank is the only financial institution
in town and does not operate any branches. The bank's money-laundering
risk profile is low. The bank has a very low level of reportable transactions.
The 2001 ROE noted that the bank had only filed four CTRs since the previous
FDIC examination in 1999.
Assessment of Follow-up Action:
For the 1999 examination, supervisory action consisted of sending a transmittal
letter within 29 days of the examination start date and receiving a response
from bank management indicating that the violation was corrected within 78
days from the examination start date. The supervisory action taken was adequate
as management corrected the apparent violation during the normal course of
business.
For the 2001 examination, supervisory action consisted of an enforcement action
executed within 62 days from the examination start date. Supervisory action
taken was adequate as management reported within 64 days that the violations
were corrected. In addition, no BSA violations were cited at the subsequent
examination.
For the 2003 examination, supervisory action taken consisted of obtaining
commitments to correct violations during the examination. Supervisory action
was completed within 63 days from the start of the examination as management
indicated in a letter that the violation had been corrected.
Institution #20 Low BSA Risk
Date | Total Assets ($Million) | Rating | BSA Violations (#) |
2003 | $11 - $25 | Highly Rated | None |
2001 | $0 - $10 | Highly Rated | NA |
2000 | $0 - $10 | Highly Rated | (1)- Multiple transactions/103.22(c)(2);
(1)- Late CTR filings /103.27(a);
(1)- Instrument logs/103.29(a);
(1)- Inadequate program/326.8(b) |
1998 | $0 - $10 | Highly Rated | NA |
1997 | $0 - $10 | Highly Rated | (1)- Inadequate program/326.8(b);
(1)- Inadequate controls/326.8(c)(1);
(1)- Inadequate training/326.9(c)(4) |
State does not perform BSA examinations or review prior BSA violations.
OIG Concern:
The OIG concerns are the intervals between the 1997 and 2000 examinations as
well as the 2000 and 2003 examinations, and apparent repeat violations stemming
from the 1997 examination. As a result, the follow-up time was determined
to be inadequate.
The OIG indicated the following concern from the 2000 examination.
"Follow-up not determinable. The audit does not include review of regional
or field office files. The bank's BSA officer stated additional effort
would be extended to correct noted deficiencies and prevent recurrence. The
examination date is 2000. ViSION has 1999, as examination date."
Supervisory Action:
The 1997 FDIC ROE reflects BSA-related violations, including an inadequate
training program, lack of internal controls, and an inadequate independent
audit program. The confidential section of the ROE notes that no CTRs had been
filed since the previous examination, and that the bank had no exempt customers.
The bank received an overall high rating during this examination, and management
was also highly rated. Correspondence dated 1997 from the bank responding to
the examination findings states that the bank implemented a new training program
and that the BSA program had been revised to improve compliance regarding internal
controls and independent audit coverage.
The 2000 FDIC ROE notes that management had taken steps to address violations
cited at the previous examination. However, a repeat violation pertaining to
the bank's inadequate BSA training program was cited, and the ROE noted
that training had not been performed since 1997. Although management implemented
a BSA training program to address the ROE deficiency, additional follow-up
training did not occur thereafter. While no follow-up was requested, the RO
was comfortable that management would respond to the ROE criticisms, as it
had in the past. Management actions were confirmed at the next FDIC examination
in 2003, where no BSA violations or criticisms were noted.
Since neither the OIG nor the RO reviewed archived files on this bank relating
to the 2000 examination, no correspondence indicating follow up was reviewed;
however, highly-rated bank management is generally found to be responsive.
Given the historical responsiveness of bank management and the overall profile
of the institution, enforcement action was not considered necessary.
Bank Profile:
The institution is an $11-$25 million institution located in a small community
with a population of approximately 500 located in the Midwest. The bank's
money-laundering risk is low. The bank has had very few, if any, transactions
reportable under the BSA regulation. Management has been highly rated since
1987.
Assessment of Follow-up Action:
Supervisory action was taken by reviewing a response from bank management that
indicated corrective action was taken by management to eliminate the apparent
violation. Supervisory action was completed within 141 days from the start
of the 1997 examination. Supervisory action taken was considered adequate
as management corrected the violation during the normal course of business.
Regarding the 2000 examination findings, since archived files were not reviewed,
follow-up action and times cannot be confirmed; however, as part of the normal
supervisory process, a transmittal letter accompanies the ROE and a response
from bank management is received within a reasonable time frame. Given the
risk profile and the historical responsiveness of bank management, in addition
to the lack of violations cited at the subsequent 2003 examination, appropriate
supervisory action was taken.
Institution #21 Low BSA Risk
Date | Total Assets ($Million) | Rating | BSA Violations (#) |
2003 | $26 - $50 | Highly Rated | (2)- Exempt bank/103.22(d)(3)(ii);
(1)- Independent testing/326.8(c)(2) |
2001 | $26 - $50 | Highly Rated | NA |
2000 | $26 - $50 | Highly Rated | None |
State does not perform BSA examinations or review prior BSA violations.
OIG Concern:
The OIG indicated that the lack of independent testing of BSA compliance is
a repeat violation that was cited in the 2001 and 2000 examinations. Bank
management agreed in all three ROEs to address the problem.
Supervisory Action:
Examination work papers noted that "independent testing" was not
included in the audit program for 2002 and prior years due to cost. Also noted
was the intent to have this aspect of the BSA program conducted in conjunction
with the 2003 audit. A major mitigating factor is this small, rural bank's
lack of reportable transactions as they have had only three in recent history
(two in 2000 and one in 1996).
A review of the bank indicated that no BSA violations were cited in the 2000
ROE. ROE comments also indicated that the bank was in compliance with the BSA
program. Also, no violation was cited in the 2001 examination conducted by
the state.
The ROE dated 2003 cited two violations that the bank's "independent
testing had failed to discover the bank's failure to file a Designation
of Exempt Person form for a correspondent bank." The RO indicated that
the bank had been conducting independent testing, but the scope was determined
to be inadequate. Bank management indicated that the independent testing for
BSA compliance would be added to the scope of the directors' examination.
Bank Profile:
The institution is located in a small, rural community (population of approximately
1,200) in the Midwest. The bank operates from a single office, is not located
in close proximity to any major metropolitan areas, and has few large cash
transactions. While an examination of the bank's BSA compliance practices
and procedures has not resulted in serious violations, the most recent ROE
cited the inadequacy of its "independent" testing as that review
failed to note that exemptions were not filed for transactions with a correspondent
bank. Given the absence of any significant issues as well as the absence
of significant cash transactions, the bank is considered to be a low BSA
Risk.
Assessment of Follow-up Action:
No supervisory action was taken since no BSA violations were cited at the 2000
and 2001 examinations. The institution remained on a normal examination schedule.
Supervisory action was deemed appropriate given the institution's low
risk profile and lack of any reported BSA violations in the 2000 and 2001
examinations.
Institution #23 Low BSA Risk
Date | Total Assets ($Million) | Rating | BSA Violations (#) |
2003 | $51 - $100 | Highly Rated | None |
2002 | $51 - $100 | Highly Rated | N/A |
2000 | $26 - $50 | Highly Rated | (1) - Inadequate program/326.8(b)(1) |
1999 | $26 - $50 | Highly Rated | NA |
1997 | $26 - $50 | | (3)- Instrument log/103.29(a)(2);
(2)- Identity record (customer)/103.29(a)(1)(i)(ii);
(2)- CTR filings/103.22(b)(i);
(2)- Instrument log/103.29(a);
(1)- Inadequate program/326.8(b)(i);
(1)- Identity record (non-customer)/103.29(a)(2)(i)(ii) |
State does not perform BSA examinations or review prior BSA violations.
OIG Concern:
Examiner determined that the bank complied with the requirement to have independent
testing of BSA program. The violation was cited in both the 1997 and 2000
ROEs.
Supervisory Action:
This small, rural institution did not adopt an independent testing program
due to cost. However, the independent testing issue was resolved at (or shortly
following) the time the bank acquired some branches in a metropolitan area.
Even with this expansion in office facilities, the number of reportable transactions
remains nominal (nine in 2001; eleven in 2002; and ten to the date of the
2003 examination). No enforcement action was deemed necessary inasmuch as
the bank's operations were in compliance with the BSA.
The ROE dated 1997 listed 10 Section 103 violations and one BSA violation
for lack of independent testing of the BSA program. The summary comments for
this examination indicated that management promised correction, and the RO
requested a response within 60 days on significant items.
The ROE dated 2000 indicated that all BSA violations had been corrected except
for the lack of independent testing. Bank management agreed to consider including
a review of BSA as part of the bank's annual directors' examination.
Therefore, it appears the reason for not implementing the testing after the
1997 examination was due to a cost issue. The RO concluded that no follow-up
was deemed necessary based on the bank's satisfactory overall BSA compliance,
strong financial condition, and management's history of following through
on corrective action.
Bank Profile:
The institution is located in the Midwest (population approximately 1,000)
with expansion of operations into a nearby metropolitan area in 2001. The
bank is one of more than 20 institutions operating in that metropolitan area
and, as such, one of many institutions in that market. Inherent operations
are based in a small, rural community where significant cash transactions
are minimal. The violation cited was limited to the lack of independent testing,
although testing was being conducted. The bank's nature and scope of
operations indicates that the bank is considered a low BSA risk.
Assessment of Follow-up Action:
Supervisory action taken indicates that the RO did follow up on significant
items at the 1997 examination. No enforcement action was necessary since
the bank's operations were in compliance with the BSA. The bank's
correspondence to the RO dated 1998 indicated that all BSA violations had
been corrected. At the 2000 examination, the institution was cited for lack
of independent testing; however, bank management agreed to consider independent
testing and the RO determined that no additional follow-up was necessary,
which is supported by the results of the 2003 examination. Supervisory action
was taken within an acceptable time frame. Supervisory action was appropriate
given the institution's low-risk BSA profile and willingness to comply
with regulations.
Institution #24 Moderate/High BSA Risk
Date | Total Assets ($Million) | Rating | BSA Violations (#) |
2001 | Over $500 | Highly Rated | None |
2000 | Over $500 | Highly Rated | NA |
1999 | Over $500 | Highly Rated | Not in BITS - ROE no violation |
1998 | Over $500 | Highly Rated | NA |
1997 | Over $500 | Highly Rated | (4)- Aggregate Transaction/103.22(c)(2);
(2)- CTR filings/103.22(a) |
State does not perform BSA examinations or review prior BSA violations.
OIG Concern:
ROE states that the bank did not treat four cases of multiple transactions
totaling over $10,000 as a single transaction. Therefore, bank should have
filed CTRs for those multiple transactions. Bank management agreed that these
were infractions and planned to revise the exemptions.
Supervisory Action:
The correspondence file for this bank was not requested from archives, so the
RO had no definitive evidence of examination follow-up; however, this institution
has historically been a sound, well-run bank and one which follows through
with requested actions.
The ROE dated 1997 cited the bank for not filing two CTRs and failure to
treat four cases of multiple transactions totaling over $10,000 as a single
transaction. The ROE indicated that bank management agreed to file the required
CTRs. The OIG did not find any documentation that the corrective action was
completed. The OIG also indicated that the violation code was not correct in
ViSION; however, the RO indicated that the code is correct based on the RD
memorandum outstanding at the time of the violation. The summary comments for
the 1997 examination indicated that corrective action was initiated during
the examination.
The ROE dated 1999 did not cite any violations. The ROE stated that "improvements
had been made from the previous FDIC examination." In addition, the OIG
chart incorrectly shows this bank as having repeat violations.
Bank Profile:
This large and rapidly growing institution is (and has been)
extremely well managed throughout its history and, likewise, its BSA compliance
program has exhibited similar strengths. While the bank's main office
is based in a small Midwest town (population of less than 700), they have had
a presence in the nearby city (population greater than 75,000) for many years.
Historical expansion has been predicated on communities near the city, with
recent expansion into the state's second largest market (population greater
than 150,000) generating additional growth. With the close proximity to and
in the city area as well as the newly entered nearby market, the inherent BSA
risks increased. Over the years, the bank's BSA officer has maintained
close contact with the FDIC on BSA issues, and the bank's goal of reporting
all significant transactions has occurred. The bank is considered a moderate-
to high-BSA risk based on the bank's area of operations; however, it
must be noted that the bank's response is more than adequate to meet
inherent challenges.
Assessment of Follow-up Action:
Supervisory action was completed during the examination. All documents were
filed within an acceptable timeframe. No further supervisory action was deemed
necessary.
Institution #25 Moderate BSA Risk
Date | Total Assets ($Million) | Rating | BSA Violations (#) |
2004 | $51 - $100 | Highly Rated | (2) - Late filing of CTR/103.27(a) |
2001 | - | - | (5)- Late CTR filing/103.27(a);
(1)- CTR filing/103.22(b)(1);
(1)- CTR filing errors/103.27(d) |
2001 | $26 - $50 | Highly Rated | (11)- Late CTR filing/103.27(a);
(7)- CTR filing errors/103.27(d);
(5)- Identification method/103.28;
(1)- Biennial exemptions/103.22(d)(5)(i) |
2000 | $26 - $50 | Highly Rated | NA |
1998 | $26 - $50 | Highly Rated | (2)- Late CTR filings/103.27(a);
(1)- Inadequate program/326.8(b)(1);
(1)- CTR filing/103.22(b)(1);
(1)- Exempt bank/103.22(d)(3)(ii) |
State does not perform BSA examinations or review prior BSA violations.
OIG Concern:
OIG indicated the following concerns from the 2001 BSA visitation.
- Five CTRs were not received by the Internal Revenue Service within the prescribed
time period. Bank management agreed to address the infractions.
- Examiner identified one new violation of Section 103.27(d). In addition,
two other violations had not been corrected from the 2001 ROE resulting in
a repeat violation from the 2001 examination. Management agreed to address
the infractions.
- Examiner identified one CTR that had not been filed as required. Management
agreed to address the infraction.
Supervisory Action:
A 2001 transmittal letter for the 2001 ROE requested a progress report from
the bank by quarter-end 2001. The bank addressed the above issues in their
follow-up report dated by quarter-end 2001, which was acknowledged by the
RO in a letter dated quarter-end 2001. BSA issues were again addressed during
a RO outreach contact in 2002.
The 2001 BSA visitation report indicated that the examiner provided the bank
with information to follow up on the inaccurate CTRs. However, subsequent verification
was not requested from the bank. The outreach contact record indicated that
the BSA concerns were being addressed.
Bank Profile:
The institution is located in the Midwest. With the addition of its most recent
office in 2001, the bank has experienced significant growth. The 1998 ROE identified
several BSA deficiencies which were also reviewed at the 2001 examination.
Deficiencies noted in the latter prompted a follow-up visit in 2001, which
disclosed management had taken significant steps to improve BSA compliance.
In view of the number of reportable transactions the bank was handling prior
to making better use of the exemption programs (both Phase I and Phase II)
and the noted growth since 2000, the bank is considered a moderate-BSA risk.
Assessment of Follow-up Action:
Supervisory action consisted of a transmittal letter to the institution in
2001, and a follow-up report from the bank dated in 2001. Additionally, a
follow-up BSA visitation was conducted in late 2001. The timeframe between
the examination of 2001, and the visitation was 192 days. Given the bank's
willingness to correct BSA violations, its favorable financial condition,
and management's history of following through on commitments to regulatory
agencies, the supervisory action taken seems appropriate. The FDIC finalized
an examination in 2004. Findings identified two isolated late CTR filings.
No other BSA problems were identified, and overall the BSA program was determined
to be effective.
Institution #26 Moderate BSA Risk
Date | Total Assets ($Million) | Rating | BSA Violations (#) |
2003 | - | - | None |
2003 | $26 - $50 | Highly Rated | (18)- Late CTR filings/103.27(a);
(13)- CTR filings/103.22(b)(1);
(1)- Instrument log/103.29(a);
(1)- Inadequate program/326.8(b)(1);
(1)- Independent testing/326.8(c)(2);
(1)- Inadequate training/326.8(c)(4) |
2002 | $26 - $50 | Highly Rated | NA |
2001 | $11 - $25 | Highly Rated | (3)-Late CTR filings/103.27(a) |
State does not perform BSA examinations or review prior BSA violations.
OIG Concern:
OIG indicated the following concern from the 2001 examination.
ROE cites a violation that the bank did not file a SAR when a customer of the
bank reported $22,000 missing from a safe deposit box. An acquaintance of
the customer reportedly forged the signature of one of the individuals with
authority to enter the safe deposit box. The next day the customer reported
the funds missing. The bank contacted local authorities. Bank management
committed to filing the report. Subsequent ROEs/visits do not seem to address
this issue.
Supervisory Action:
The bank's correspondence file contains a copy of the requisite SAR prepared
in 2001. The 2001 ROE cited the bank for not filing a SAR with the appropriate
authorities. The ROE indicated that bank management committed to filing the
required report. The OIG did not see any subsequent documentation supporting
the filing. However, the RO has provided from the bank's correspondence
file a copy of the SAR filing dated 2001.
Bank Profile:
The institution is a relatively new institution (chartered in 2000) which is
situated in a popular vacation destination. As such, the volume of "visitors" and
attendant cash is significant. The bank's BSA compliance program was
not deemed adequate at the 2003 examination and a follow-up visitation was
conducted later in 2003. The latter onsite review noted that substantial
progress had been attained in achieving compliance with BSA and management
committed further efforts. In view of the environment in which this bank
operates, a strong BSA compliance program is deemed imperative and will be
monitored closely. The bank is considered a moderate-BSA risk.
Assessment of Follow-up Action:
The institution provided the RO with a copy of the SAR filing. The document
was filed within an acceptable timeframe. No further supervisory action was
deemed necessary.
Institution #27 Low BSA Risk
Date | Total Assets ($Million) | Rating | BSA Violations (#) |
2002 | $26 - $50 | Highly Rated | None |
2001 | $26 - $50 | Highly Rated | NA |
2000 | $26 - $50 | Highly Rated | (11)-CTR filing errors/103.27(d);
(1)- Inadequate program/326.8(b) |
1998 | $26 - $50 | Highly Rated | NA |
1997 | $26 - $50 | Highly Rated | (9)- CTR filing errors/103.27(d);
(7)- CTR filing /103.22(a);
(2)- Identification procedures/103.28 |
State does not perform BSA examinations or review prior BSA violations.
OIG Concern:
OIG indicated the following concern from the 2000 examination.
"The examiners noted 11 apparent violations of Section 103.27(d). The
president stated that CTRs would be reviewed more closely before filing and
the bank would begin conducting the reviews annually. The bank had not provided
for independent testing of the BSA program. This deficiency was noted in a
prior examination conducted in 1997 and remains uncorrected as of this examination.
During the examination, bank management appointed an employee to perform independent
testing of the BSA program."
Supervisory Action:
The 1997 ROE prepared by the FDIC detailed three apparent violations with a
modest level of frequency. These apparent violations were not considered
systemic, and given satisfactory management, with a strong history of responding
to supervisory concerns, no enforcement action was warranted. Due to the
lack of systemic violations and management's willingness to address
supervisory concerns, no follow-up between examinations was necessary.
In 1997, the RO transmittal letter to the bank asked for follow-up on all
regulatory concerns, including BSA-related deficiencies. A few weeks later
in 1997, the bank's chairman and chief executive officer responded to
the examination findings. The chairman indicated that the bank had strengthened
the audit and review procedures to improve the BSA compliance program. He further
indicated that personnel are better trained and knowledgeable of BSA compliance,
and he also filed corrected CTRs.
The 2000 FDIC ROE cited violations of Part 103 for failure to provide all
required information on the CTR and Section 326.8 for failure to have independent
testing. The violations pertaining to Part 103 were not repeat violations.
A transmittal letter was sent from the RO in 2000, and the bank was instructed
to correct the apparent BSA-related violations. The transmittal letter also
required the bank's response to the ROE to include action taken to correct
BSA-related weaknesses. Approximately a month later, the bank's president
responded to the RO, indicating the BSA deficiencies had been corrected and
independent testing was being performed. Given the risk profile and outstanding
rating of the institution, a BSA visitation to ensure correction was not necessary.
The 2002 FDIC ROE detailed a generally adequate BSA compliance program. While
the BSA training was considered adequate, the ROE noted a minor deficiency,
in that there was lax documentation of the employee training. The adequacy
of employee training is evidenced by the correction of prior examination violations
and no further BSA-related violations. The president indicated that future
training would be better documented. There were no material weaknesses in the
BSA compliance program and no apparent BSA-related violations were cited. Consequently,
there was no need for supervisory action. It should be noted that during the
2002 examination, it was determined that there were no reportable transactions
since 2001. The overall improvement in this bank's BSA compliance supports
no enforcement actions.
Bank Profile:
The bank is a $26-$50 million institution with one office located in the Southeast.
The population of the county as reported in 2000 was approximately 30,000.
The money-laundering risk profile is low. The trade area is rural, with
an agrarian-based economy. The 2002 FDIC ROE work papers reflected a low
level of CTR filings, with no currency transaction greater than $10,000 for
approximately 10 months prior to the examination. The 2002 work papers indicate
the level of CTRs had declined between the 2000 and 2002 examinations, as
a result of a large customer closing its deposit account. Bank management
has been highly rated since 1982.
Assessment of Follow-up Action:
For the 1997 examination, supervisory action consisted of sending a transmittal
letter within 42 days of the examination start date requesting bank management
to address the deficiencies cited in the ROE. Supervisory action was completed
within 73 days of the examination start date upon receiving confirmation
from bank management that the violations were corrected. Adequate supervisory
action was taken as management corrected violations during the normal course
of business.
For the 2000 examination, supervisory action consisted of sending a transmittal
letter to the bank requesting corrective action. Supervisory action began within
48 days of the examination start date and was completed within 101 days of
the examination start date upon receiving confirmation from bank management
that the violations were corrected. Supervisory action was adequate as the
violations were corrected during the normal course of business.
Institution #30 ("inactive") Low BSA Risk
Date | Total Assets ($Million) | Rating | BSA Violations (#) |
2000 | $151 - $200 | Highly Rated | NA |
1999 | $51 - $100 | Highly Rated | None |
1998 | $26 - $50 | Highly Rated | NA |
1997 | $26 - $50 | Highly Rated | (6)-Identification method/103.28;
(1)-Improper exemption or limit/103.22(b)(1);
(1)-Exemption Form/103.22(d);
(1)-Record of Exemption/ 103.22(f);
(1)-Instrument Log/103.29(a)(1) |
State does not perform BSA examinations or review prior BSA violations.
OIG Concerns:
Length of time between follow up on violations cited at the 1997 examination
was between 25-36 months.
Supervisory Action:
The 1997 FDIC ROE cited numerous violations of Part 103, specifically pertaining
to exemptions, required information for completion of CTRs, and monetary
log data.
In 1997, the RO sent the bank a transmittal letter requesting that management
provide a written response within 45 days, detailing corrective actions to
eliminate deficiencies cited within the ROE. Bank management responded one
month later stating that additional training would be provided and audit coverage
of the BSA compliance program would be completed.
Given the risk profile of the institution and the outstanding ratings, a BSA
visitation to ensure correction was not necessary.
The 1999 ROE revealed no weaknesses, material or otherwise, in the BSA compliance
program. The examiner-in-charge noted in the ROE that the operating procedures
for managing the BSA program had improved since the last FDIC examination.
Bank Profile:
Bank is INACTIVE. This institution resulted from the merger of two institutions
in 2000, with the charter of the first bank being dissolved. The surviving
institution changed its name to Institution #30 and relocated its main office.
This institution subsequently merged into another institution in 2001. The
last FDIC ROE was completed in 1999.
The money-laundering risk at this institution prior to its merger was low.
The customer base was local and appeared well known by bank personnel. Nothing
in the ROEs indicates any unusual or suspect transactions. The last two FDIC
ROEs rated management highly. Management has been highly rated since 1982.
Assessment of Follow-up Action:
Supervisory action was taken by sending a transmittal letter requesting bank
management to eliminate deficiencies cited in the ROE. Supervisory action
was taken within 33 days of the examination start date and was completed
upon receiving a satisfactory response from management within 81 days from
the start of the examination. Adequate supervisory action was taken given
that the bank corrected the apparent violations during normal course of supervision.
Institution #33 Low BSA Risk
Date | Total Assets ($Million) | Rating | BSA Violations (#) |
2002 | $151 - $200 | Highly Rated | NA |
2001 | $126 - $150 | Highly Rated | (1) - Independent testing/326.8(c)(2) |
1999 | $126 - $150 | Highly Rated | NA |
1998 | $126 - $150 | Highly Rated | None |
State does include BSA examination procedures within the scope of its regular
examinations.
OIG Concern:
Follow-up did not occur within 12 months on violations and concerns noted in
FDIC ROE dated in 2001.
Supervisory Action:
The 2001 FDIC ROE cited violations of Section 326.8 for a lack of independent
testing of the BSA compliance program. Violation occurred because audit of
the program was being conducted by the bank's BSA officer, thereby
inhibiting the independence of the review. The violation was not a repeat
from prior examinations and did not result in a formal action against the
bank. A letter from the chairman of the board and president of the bank,
dated two months later in 2001, in response to the examination findings,
stated that the infraction had been corrected by separating the BSA officer
from the audit function. To date, a follow-up examination has not been conducted
by the FDIC. Since the last FDIC examination, there have been two independent
reviews of BSA by the bank (2002 and 2003).
Bank Profile:
Bank is a $151-$200 million institution serving rural communities of less than
7,000 residents in the Mid-Atlantic Region. Bank has been highly rated over
the last 10 years. Bank management has also been highly rated since 1994,
which includes the last three FDIC examinations. Bank is financially strong
and has good management. The overall BSA program is adequate and the violation
was considered minor. The bank committed to correcting the infraction and
responded to the RO within 90 days of the date of the FDIC ROE.
Assessment of Follow-up Action:
In the transmittal letter sent to the bank by the RO, accompanying the FDIC
ROE, management was asked to provide a written response to examination criticisms.
Bank management provided a written response to the RO in 2001, stating that
corrective action had been implemented. This letter was sent to the RO within
90 days after the examination date.
Institution #34 Low BSA Risk
Date | Total Assets ($Million) | Rating | BSA Violations (#) |
2003 | $250 - $500 | Highly Rated | NA |
2002 | $250 - $500 | Highly Rated | (11) - Exempt filing/103.22(d) (See Note below) |
2001 | $250 - $500 | Highly Rated | NA |
2000 | $250 - $500 | Highly Rated | None |
1999 | $250 - $500 | Highly Rated | NA |
1998 | $250 - $500 | Highly Rated | None |
Note: violation was not cited in ROE, although code 6604 was entered into BSA data
entry form for examination. Comments contained in confidential section of ROE.
State does include BSA examination procedures within the scope of its regular
examinations.
OIG Concern:
Follow-up did not occur within 12 months on violations and concerns noted in
FDIC ROE dated in 2002.
Supervisory Action:
The 2002 FDIC ROE reported violations of Part 103 for failure to properly file
CTR exemption forms for customers included on its exemption list. The violations
cited were not repeat violations, and no formal action was taken against
the bank for the violations. The bank filed the exemption forms during the
examination in 2002, which corrected the infractions.
Bank Profile:
Bank is a $250-$500 million institution on the East Coast. Generally, the bank's
branches serve a rural community of less than 10,000 residents. The bank has
been highly rated since 1994. Bank management has also been highly rated since 1995,
which includes the last four FDIC examinations. Bank is financially strong
with good management. Violations do not indicate systemic risk in BSA compliance
program. Overall program is considered adequate. Neither the bank nor its customer
base has been determined to be involved in high-risk activities.
Assessment of Follow-up Action:
The examination started in 2002, and concluded one month later. Bank management
filed exemptions prior to the conclusion of the examination. Copies were
provided to examiners and retained in examination work papers. No additional
follow-up supervisory action was necessary, as bank management corrected
the deficiencies during the examination. This deficiency was not repeated
at the subsequent examination.
Institution #37 Low BSA Risk
Date | Total Assets ($Million) | Rating | BSA Violations (#) |
2003 | $0 - $10 | Highly Rated | NA |
2002 | $0 - $10 | Highly Rated | (1)- Independent testing/326.8(c)(2);
(1)- Inadequate training/326.(c)(4);
(1)- Exempt designation/103.22(d)(11)(iii);
(1)- Exempt bank/103.22(d)(3)(ii);
(1)- Exempt review/103.22(d)(4) |
2000 | $0 - $10 | Highly Rated | NA |
1999 | $0 - $10 | Highly Rated | (1)- Independent testing/326.8(c)(2); (1)- Inadequate training/326.8(c)(4);
(1)- Identity record (non-customer)/103.29(A)(2)(i)(ii);
(1)- Identity record (customer)/103.29(A)(1)(i)(ii);
(1)- Exemption form/103.22(d |
1998 | $0 - $10 | Highly Rated | NA |
1997 | $0 - $10 | Highly Rated | 2)- Biennial exemptions/103.22(h)(3)(ii);
(2)- Exemption list/103.22(f);
(1)- Independent testing/326.8(c)(2);
(1)- Inadequate training/326.8(c)(4);
(1)- Exempt designation/103.22(d) |
State performs limited BSA examinations and reviews prior BSA violations.
OIG Concern:
During examinations conducted in 1997, 1999, and 2002, the bank was cited for
violations related to the lack of independent testing of BSA compliance and
failure to provide adequate BSA training. Corrective action was not taken
until after the 2002 examination. The FDIC issued a Cease and Desist Order
in 2002, more than 60 months (5 years) after the violations were initially
cited. Accordingly, the institution operated for more than 5 years without
complying with the minimum requirements of a BSA compliance program as required
by Section 326.8.
Supervisory Action:
The FDIC cited repeat BSA-related apparent violations in its 1999 and 2002
ROEs. The repeat violations pertain to the bank's BSA training program
and independent testing for BSA compliance. However, there were no repeat
violations cited for other BSA compliance requirements, indicating that the
bank's BSA compliance program was effective in practice.
1997 Examination
The 1997 FDIC ROE cited the following apparent violations: Section 326.8(c)(2),
which requires a system of independent testing for compliance with the BSA;
and Section 326.8(c)(4), which requires training of appropriate personnel.
The 1997 Summary Analysis of Examination Report (SAER) comment stated, "The
violations occurred due to management's lack of familiarity with the
regulations."
The 1999 FDIC ROE again cited apparent violations of the two above-referenced
regulations. Despite the repeat apparent violations, the FDIC pursued no supervisory
action. The 1999 SAER comment stated, "Management agreed to make corrections,
and the examiner does not believe that regulatory action is necessary."
There were no other repeat BSA-related apparent violations cited, indicating
that, despite the bank's lack of a formal employee-training program and
the lack of independent BSA compliance testing, the bank's BSA compliance
program remained effective in practice.
The 2002 FDIC ROE again cited apparent violations of the two above-referenced
regulations (third consecutive examination). In 2002, the FDIC issued a formal
enforcement action pursuant to Section 8(s) of the FDI Act, specifically targeting
the bank's failure to comply with the BSA.
Examiners conducted visitations of the bank to review management's progress
in complying with the Order mid-year 2002, and the following quarter in 2002.
The Order was terminated a few weeks later, following the 2002 visitation,
which found the bank in compliance with BSA. Given the bank's compliance
with the Cease and Desist Order, the bank is considered a low BSA risk.
Bank management did not follow through as agreed in the 1999 and 2002 examinations;
as a result the RO issued a formal enforcement action addressing the repeat
violations for inadequate testing of the BSA program and training of bank
personnel. The bank has since complied with the formal action which was subsequently
terminated within three months of issuance.
Bank Profile:
The bank is a $0-$10 million community bank in the West. Historically, the
bank's BSA-related activities have been negligible. The bank has filed
only twelve CTRs since 1997 (three in 1997, two in 2001, three in 2002, and
four in 2003). Management has been highly rated at every examination conducted
since the 1999 examination. Two examinations conducted in 1998 and in 1997
indicate a management rating of moderate. The most recent examination of
the institution was in 2003 resulting in a high rating.
Assessment of Follow-up Action:
The DSC concurs in general with the OIG regarding the follow-up for this bank.
A Cease and Desist Order was issued in 2002 for the bank's non-compliance
with the BSA. The bank was cited for repeated violations for lack of testing
and training which dated back to 1997. While bank management indicated their
willingness to comply, action should have been taken prior to the 2002 examination.
Institution #39 Low BSA Risk
Date | Total Assets ($Million) | Rating | BSA Violations (#) |
2003 | $26 - $50 | Highly Rated | (1)- Independent testing/326.8(c)(2) |
2002 | $26 - $50 | Highly Rated | NA |
2001 | $26 - $50 | Highly Rated | (4)- Instrument log/103.29(a); (1)- Independent testing/326.8(c)(2) |
1999 | $26 - $50 | Highly Rated | NA |
1998 | $26 - $50 | Highly Rated | (1)- Independent testing/326.8(c)(2); (1)- BSA Officer/326.8(c)(3) |
State performs limited BSA examinations or reviews prior BSA violations.
OIG Concern:
During its examinations conducted in 1998, 2001, and 2003, the bank was cited
for violations related to lack of independent testing of BSA compliance.
Corrective action was not taken until 2003, when the FDIC, state regulatory
agency and the bank signed an MOU to correct BSA violations. The institution
thus operated for more than 60 months (5 years) without complying with the
minimum requirements of a BSA compliance program as required by Section 326.8.
Supervisory Action:
The violation cited in 1998 was corrected later that year. The bank's
BSA compliance did relapse subsequent to the 1998 examination, as determined
during the 2001 examination, but the RO chose not to pursue an enforcement
action given earlier corrections and management's promises of action.
The FDIC's 2001 examination again criticized the lack of independent
testing (and failure to obtain and retain information regarding the issuance
of four cashiers checks), but also confirmed that management did conduct independent
testing in 1998 and revised the bank's BSA policies in response to the
1998 examination. However, there was a failure to continue the independent
testing in 1999 and 2000. In 2001, management again promised corrective action
and this time agreed to contact the bank's external auditor to arrange
for ongoing independent audits of BSA compliance. Because of this commitment,
the RO did not pursue an enforcement action.
The state conducted an independent examination in 2002. The ROE addressed
BSA compliance and stated that, all [BSA] deficiencies have been corrected,
with one minor exception. Based on the examiner's assessment of the bank's
deficiencies in the BSA program, the FDIC concluded that enforcement action
was not necessary at that time.
The FDIC's 2003 ROE cited the lack of independent testing of BSA compliance.
This time, the RO did not accept management's commitment to correct the
deficiency without enforcement action. A joint MOU with the state became effective
in 2003, within 60 days of the date of the examination. Compliance testing
was required.
The Bank's report of compliance with the MOU:
The bank's progress report was received on time in late 2003. The following
is a summary of the institution's compliance with each of the provisions:
- Establish a program and conduct independent testing for compliance with
BSA and 31 Code of Fed. Regs., Section 103, within 60 days and annually thereafter:
The board of directors reports compliance. The board adopted a new policy two
months ago and a vice president, who is independent of the BSA recordkeeping
function, conducted testing and reported to the board last month. The vice
president's report indicates substantial compliance with the MOU, including
BSA recordkeeping and reporting requirements. Technical deficiencies were noted
in wire transfer records, CTRs, and CTR exemption records, but there were few
of them and corrective action has been taken. The vice president gave a positive
attestation to the overall integrity and effectiveness of management systems
and controls over BSA. The bank purchased Internet-based BSA training programs
and training has been conducted. A new BSA officer has been designated who oversees
continuing training. The bank has also engaged an independent firm to conduct
BSA compliance testing as part of the external audit for 2003.
- Provide a copy of the BSA compliance plan detailing the form and manner
of any actions taken to secure compliance with the MOU within 90 days (2003):
The required information was received in late 2003.
Management has achieved substantial compliance with the MOU, but one of the
conditions is ongoing in nature, and final determination for compliance with
the MOU will be made by field examiners onsite at the next full-scope examination
or visitation.
Bank Profile:
The institution is a very small community bank ($26-$50 million) located in
the West. Its BSA activities are minimal. The bank was cited for lack of
independent testing of BSA compliance – not violations of the other
key BSA compliance requirements. Management has been highly rated throughout
the audit period. The most recent examination of the institution was in 2003,
with a high rating.
Assessment of Follow-up Action:
The examination team cited two violations at the 1998 examination which were
partially corrected before the 2001 examination. At this examination, the
bank was cited again for a lack of testing for BSA compliance. Bank management
indicated that corrective action would be taken and based upon management's
reputation for correcting previously cited violations and deficiencies noted
in the ROE, no enforcement action was necessary. As noted in the 2002 state
examination, all [BSA] deficiencies were corrected except for one exemption
limit on a local business. There was no reason to believe that bank management
would not again correct the violations cited in the examination. However,
a 2003 examination indicated a violation for lack of independent testing
of the BSA program. A joint MOU was issued in 2003. The bank is submitting
progress reports which indicate testing of the BSA program is being performed.
Given management's prior commitments to correct violations and implement
recommendations, the actions implemented by the RO were adequate.
Institution #40 Low BSA Risk
Date | Total Assets ($Million) | Rating | BSA Violations (#) |
2003 | $251 - $500 | Highly Rated | None |
2002 | $251 - $500 | Highly Rated | NA |
2001 | $151 - $200 | Highly Rated | None |
2000 | $151 - $200 | Highly Rated | NA |
2000 | $126 - $150 | Highly Rated | None |
1998 | $101 - $125 | Highly Rated | NA |
1997 | $51 - $100 | Highly Rated | (6)- Customer record (monetary log)/103.29(a)(1); (4)- Late CTR filings/103.27(a); (2)- Improper exemption or limit/103.22(b)(c); (1)- CTR filing/103.22(a); (1)- Identity record (non-customer)/103.29(a)(2)(i)(ii); (1)- Exemption list/103.22(f) |
State performs BSA examinations.
OIG Concern:
The FDIC ROE dated in 2003 cited several deficiencies in the bank's BSA
compliance program; however, no violations were cited and no follow-up supervisory
action was taken. The OIG determined that the FDIC response to violations cited
at the 1997 examination was adequate.
Supervisory Action:
In the 2003 ROE, minor recommendations were made to management and no follow-up
action was deemed necessary.
Technical violations of Part 103 were cited at the 1997 FDIC independent examination,
but no subsequent violations have been cited. ROEs subsequent to the 1997 examination
consistently indicate the bank has an adequate BSA program in place. The FDIC
last examined the bank in 2003. The examiner-in-charge, who also reviewed BSA,
concluded that the internal audit of BSA is thorough, cash transaction volume
is moderate, and the program is adequate. Minor recommendations were provided
to management, and no apparent violations were noted. It is for these reasons
that this institution is considered to have a low BSA risk profile.
Bank Profile:
The bank is a moderately-sized community bank ($251-$500 million) that engages
in traditional banking activities. Management has been highly rated at every
examination conducted in the 1997 to 2003 time frame. The most recent examination
of the institution was in 2003 with a high rating.
Assessment of Follow-up Action:
Minor deficiencies were noted in the BSA compliance program at the 2003 examination.
However, no violations were cited, and management committed to corrective
action. No additional supervisory follow-up action was necessary. Furthermore,
violations from the 1997 examination were corrected during the RO review
process. The bank has not been cited for any violations since that time.
Adequate supervisory action was taken at the time of the violations.
Institution #41 Low BSA Risk
Date | Total Assets ($Million) | Rating | BSA Violations (#) |
2002 | $0 - $10 | Highly Rated | None |
2001 | $0 - $10 | Highly Rated | None |
2000 | $0 - $10 | Highly Rated | NA |
1999 | $0 - $10 | Highly Rated | (1)- Independent testing/326.8(c)(2); (1)- Inadequate controls/326.8(c)(1) |
1998 | $0 - $10 | Highly Rated | NA |
1997 | $0 - $10 | Highly Rated | (1)- Inadequate controls/326.8(c)(1); (1)- Inadequate training/326.8(c)(4) |
State does not perform BSA examinations but reviews prior BSA violations.
OIG Concern:
The OIG is concerned with the repeated violations of Section 326.8(c)(1) for
failure to provide for a system of internal controls to assure ongoing compliance
and Section 326.8(c)(4) for failure to provide training for appropriate personnel.
Supervisory Action:
At the 1997 examination the FDIC cited two BSA violations: failure to provide
for a system of internal controls to assure ongoing compliance; and failure
to provide training for appropriate personnel.
At the 1999 examination the FDIC again cited two BSA violations, one of which
was a repeat violation from the 1997 examination. The repeat violation was
failure to comply with Section 326.8(c)(1). The second violation was failure
to comply with Section 326.8(c)(2) and provide for independent testing for
compliance to be conducted by bank personnel or by an outside party.
FDIC staff discussed the BSA issues with management and the bank's board
following each examination. The bank achieved partial correction following
the 1997 examination, by instituting BSA training. All BSA violations were
corrected following the 1999 examination, and no violations have been cited
in subsequent examinations. For this small bank with limited resources, and
importantly, limited exposure to currency transactions, bank management's
perception was that the regulatory requirements in this area did not fully
apply to their uncommon banking operation. The FDIC's supervisory approach
was effective. The FDIC informed management and the board of the importance
and applicability of the regulations and guided the bank into full compliance.
Bank Profile:
The bank is a former thrift that converted to an industrial loan company charter
in 1986. The current owner is considered very conservative and has kept the
bank operating in much the same manner as it operated under the thrift charter.
The bank has had little growth since 1986; total assets as of quarter-end
2003, were $0-$10 million. In keeping with a traditional thrift operation,
the bank is primarily a real estate lender that portfolios the majority of
its loans. For funding, the bank uses small certificates of deposit and Federal
Home Loan Bank lines of credit. Significantly, the bank advertises as a non-cash
bank and holds very few demand deposits. And of the demand deposits held,
a substantial portion may represent disbursed loan proceeds at any given
time. The bank operates out of a business office and has no teller stations
and is considered a low-BSA risk. Management has been highly rated in the
three examinations conducted in 2002, 2001 and 1998. Management was also
moderately rated in the 1999 and 1997 examinations. The most recent examination
of the institution was in 2002, with a high rating.
Assessment of Follow-up Action:
The bank achieved partial correction following the 1997 examination by instituting
BSA training. All BSA violations were corrected following the 1999 examination,
and no violations have been cited in subsequent examinations. Follow-up was
considered adequate for the size and transactions conducted by the bank.
CONCLUSION OF DSC SUPERVISORY APPROACH TO OIG-SAMPLED INSTITUTIONS
The DSC's findings regarding the sampled institutions indicate that
in the vast majority (38 of 41, or 92.7 percent) of instances, the DSC responded
expeditiously while incorporating sufficient response time for bank management
to correct identified problems. In serious cases where bank management willfully
neglected BSA rules or was unresponsive to regulatory criticism and guidance,
or when the DSC identified insider abuse, enforcement action was taken. The
assessment of the OIG's sample confirms the DSC's effective supervisory
approach to the BSA. There were three instances where the DSC could have acted
more quickly; however, resolution to the BSA concerns did occur.
Subsequent to questions raised by the OIG during the audit, the DSC's
Regional and Washington offices undertook a detailed analysis of the OIG's
41-bank sample. In 38 of the 41 cases, we found the supervisory actions to
be consistent with the problems identified and the risks posed by the circumstances.
In hindsight, the DSC found that three cases of supervisory actions could have
been deployed in a better manner. As a result, the lessons learned have been
utilized to improve our internal supervisory processes. The FDIC supervises
a majority of small institutions. These community-based institutions operate
with simple manual and automated systems. Therefore, it is not unusual that
a sample of such institutions would yield apparent violations of a technical
nature without exposing the institutions' BSA programs to increased money
laundering risk. Our small, community banks actually have a strong inherent
deterrent to money laundering since they operate in areas where bank management's
knowledge of customers is high, making criminal action harder to disguise.
In fact, of the 41 sample banks, 22, or 54%, are very small banks with total
assets of less than $80 Million, and seven more sample banks fall in the under
$150 Million range. Only two of the sample banks were larger than $1 Billion
in total assets. The three institutions that the DSC identified where supervisory
actions could have been strengthened had total assets of $10 Million, $70 Million,
and $187 Million.
Program problems that expose an institution to increased vulnerability to
criminal activity are, as necessary, aggressively addressed with formal actions.
However, in the vast majority of cases, an appropriate supervisory response
does not include a formal action. The FDIC believes our supervisory approach
using technical guidance, moral suasion and a gradual escalation of enforcement
action is appropriate. Refer to Exhibit I for a legal interpretation of formal
actions for BSA that are authorized under Section 8(s) of the Federal Deposit
Insurance Act, 12 USC 1818(s).
APPENDIX B: History of the BSA
The responsibility for the implementation of the BSA, including its recent
amendments required by the USA PATRIOT Act, rests with the Secretary of the Department
of the Treasury. The FDIC has been charged [under Section 8(s) of the FDI Act]
to prescribe regulations requiring insured depository institutions to implement
a BSA compliance program (Section 326.8 of FDIC Rules and Regulations); review
BSA compliance procedures when conducting examinations and document deficiencies
in the ROEs; and employ supervisory action when it has been determined that
an insured depository institution has failed to establish and maintain a BSA
compliance program or has failed to correct any previously reported problem
with the BSA compliance procedures. In addition, Section 31 CFR 103.56(e) requires
the FDIC to periodically provide specific violations of 31 CFR 103 as well
as apparent violations of FDIC Rules and Regulations Part 326 Subpart B to
the Assistant Secretary of the Treasury.
On October 26, 1970, Congress passed the BSA which amended Title 31 of the
United States Code, Subtitle IV, Chapter 53, and Subchapter II. The purpose
of this subchapter (except section 5315) is to require certain reports or records
where they have a high degree of usefulness in criminal, tax, or regulatory
investigations or proceedings. The statute authorizes the Secretary of the
Treasury to prescribe filing procedures and designate financial institutions
and transactions as well as promulgate regulations to meet the requirements
of the BSA. The implementing regulations of the BSA are Treasury's regulations
Part 103 - Financial Recordkeeping and Reporting of Currency and Foreign Transactions
(31 CFR Part 103). Collectively, the Treasury regulations and the BSA statute
are commonly referred to by the banking industry as the BSA rules.
Although the BSA has been in effect for over 30 years, its significance and
priority escalated in the wake of the September 11, 2001, terrorist attacks
against the U.S. Shortly after this tragic event, the USA PATRIOT Act of 2001
was passed. This Act expanded the anti-money laundering provisions of the original
law and brought the issue of money laundering to the forefront, once again.
BSA compliance and anti-money laundering programs are now one of the highest
priorities for the industry, regulators, and law enforcement authorities. Additionally,
in March 2003, Treasury established its Executive Office for Terrorist Financing
and Financial Crimes (EOTF/FC), the office that focuses on combating money
laundering and terrorist financing. After the USA PATRIOT Act was passed, the
FinCEN was established as a formal bureau of the Treasury. The focus of the
BSA from a risk-management perspective is that an institution's failure
to implement an adequate compliance program is punishable by monetary fines
that can be assessed by FinCEN. Additionally, the FDIC can initiate enforcement
actions against FDIC-supervised institutions and IAPs for serious and/or uncorrected
problems with an institution's BSA compliance program.
BSA Legislative Changes
There have been many amendments made to the BSA statute through the years,
which in turn have required additions, deletions, and revisions to the parallel
regulations of the Treasury as well as the Federal Deposit Insurance Act. Some
of the major amendments to the BSA are:
- Money Laundering Control Act (October 27, 1986) which criminalized
money laundering and prohibited structuring transactions to avoid BSA reporting
requirements.
- Annunzio-Wylie Money Laundering Suppression Act (October 28, 1992)
which required SARs.
- Money Laundering Suppression Act (September 23, 1994) which reduced
burden involved in the CTR exemption process.
- Money Laundering and Financial Crimes Strategy Act (October 30, 1998)
which improved cooperation and coordination between regulators, law enforcement,
and the financial service industry.
- Uniting and Strengthening America by Providing Appropriate Tools to
Restrict, Intercept, and Obstruct Terrorism Act ("USA PATRIOT ACT")
(October 26, 2001) which generally required additional due diligence on customers,
accounts, and transactions to prevent money laundering and terrorist financing
activity in domestic financial institutions.
APPENDIX X
MANAGEMENT'S RESPONSE TO RECOMMENDATIONS
The following presents the management responses that have been made on recommendations in our report and the status
of recommendations as of the date of report issuance. The information is based on management's written response to
our report (and subsequent communication with management representatives).
Please note the following definitions that relate to the management responses to the recommendations:
Resolved: (1) Management concurs with the recommendation and the planned corrective action is consistent with
the recommendation. (2) Management does not concur with the recommendation but planned alternative action is acceptable to
the OIG. (3) Management agrees to the OIG monetary benefits or a different amount, or no ($0) amount. Monetary benefits
are considered resolved as long as management provides an amount.
Dispositioned: The agreed-upon corrective action must be implemented, determined to be effective, and
the actual amounts of monetary benefits achieved through implementation identified. The OIG is responsible for determining
whether the documentation provided by management is adequate to disposition the recommendation. Once the OIG dispositions
the recommendation, it can then be closed.
Recommendation: 1
Corrective Action: Taken or Planned/Status: DSC agreed with this recommendation. The DSC will, in coordination with its current initiatives to revisit and update FDIC guidance and with inter-agency cooperation, address formal supervisory actions, follow-up actions, citation of apparent violations and record keeping, and backfiling of CTRs and will work with the FDIC Legal Division to clarify, and update as necessary, enforcement action guidance on BSA.
Expected Completion Date: March 30, 2005
Monetary Benefits: $0
Resolved -- Yes or No: Yes
Dispositioned -- Yes or No: No
Recommendation Open or Closed: Open
Recommendation: 2
Corrective Action: Taken or Planned/Status: DSC agreed with the recommendation. The DSC representative to the Financial Crimes Enforcement Network’s Bank Secrecy Act Advisory Group will introduce the question raised on referral guidelines at an upcoming meeting.
Expected Completion Date: December 31, 2004
Monetary Benefits: $0
Resolved -- Yes or No: Yes
Dispositioned -- Yes or No: No
Recommendation Open or Closed: Open
Recommendation: 3
Corrective Action: Taken or Planned/Status: DSC agreed with
this recommendation and stated that it is focused on strengthening processes
to address variations in the state examination coverage of BSA and believes
this action will increase the consistency and reliability of the follow-up
to its BSA examinations.
Expected Completion Date: March 30, 2005
Monetary Benefits: $0
Resolved -- Yes or No: Yes
Dispositioned -- Yes or No: No
Recommendation Open or Closed: Open