When to Hold ‘Em and When to File ‘Em: A Two-Part Series on SAR Filings, Part Two


Part Two- The Decision

In the first part of this series we noted that Suspicious Activity Reports (“SARs”) are an essential part of the world financial crimes monitoring network. There are analysts at an agency called FinCen that read all of the SARs and capture data about the various schemes that criminals employ in attempts to launder money. We also noted that filing of SARs has become an area of stress for BSA staff at financial institutions. On one hand, there is a concern that failure to file a SAR might result in criticism by regulators. There are also concerns that filing SARs is a pointless exercise that creates more administrative work and accomplishes little. After all, a proper filing involves researching transactions, performing analysis and drawing conclusions that must be documented. Moreover, almost all SARs require a second filing 90 days later to discuss whether the suspected activity has continued.

At the end of the day, whether or not a SAR should be filed is the decision of the financial institution. It is the expectation of regulators that this decision should be part of a well-established and defined process. According to the FFIEC BSA examination manual, the process should include five component parts: identification of unusual activity, managing alerts, SAR decision making, SAR completion, and monitoring of continuing activity.

  • Identification or alert of unusual activity: This is the part of any BSA compliance program that combines human intelligence and software. All financial institution staff are required to receive annual training on BSA/AML. One of the main reasons for this requirement is that staff is expected to be able to identify activities that don’t fit into normal patterns or activities for their customers. For example, a longtime customer who normally receives his payroll and pays bills out of his account suddenly deposits $15,000. The expectation is that the staff members of the institution should gently but firmly find out the source of this unusual deposit. Of course, there are many reasonable answers for how the customer came across this money.

Monitoring software should perform a similar function. The whole point of using software is to aggregate the transactions of a customer so that any transactions that fall outside of the normal or expected create an alert and follow-up.

  • Managing Alerts: Managing alerts is important so that institutional resources are focused on the highest area of risk. Not every customer at your institution is engaged in nefarious activity. In fact, the vast majority are good people who are simply conducting banking activity. Much like the boy who cried “wolf” in the children’s fairy tale, there can be such a thing as too many BSA/AML warnings. The expectation of regulators is that you will adjust your monitoring to create warnings for activity that is truly suspicious or out of the pattern of normal activity. This is at the heart of the requirement that financial institutions perform model validation on a regular basis.[1] There should be a formal and well-established method for reviewing alerts and resolving them in a timely and comprehensive manner.
  • SAR Decision Making: There has to be a clear process for making SAR decisions, and there also has to be an ultimate decision maker for whether or not the SAR will be filed. The individual decision about whether or not to file a SAR rests with the financial institution. The FFIEC BSA Manual makes this clear:
    • In those instances where the bank has an established SAR decision-making process, has followed existing policies, procedures, and processes, and has determined not to file a SAR, the bank should not be criticized for the failure to file a SAR unless the failure is significant or accompanied by evidence of bad faith.
  • SAR completion and filing: there should be a clearly defined process for who performs the research necessary to complete the SAR in a timely and complete manner. The SAR narrative should tell the story in that it should clearly identify the who, what, where, when and why the activity is considered suspicious. The SAR should be filed within 30 days of the time the activity is determined to be suspicious.
  • Monitoring and SAR filing on continuing activity: Once the SAR is filed, there should be a process in place to continue to monitor the customer to determine if additional suspicious activity is continuing.   At the conclusion of 90 days of monitoring, there should be a follow-up SAR that tells “the rest of the story”. Was the activity repeated, or was it just a bump in the road? [2]

The Decision

So you have your system in place. Your staff is well trained to look for unusual activity and your software is monitoring for suspicious behavior. The question still remains: just what exactly is suspicious? Unfortunately, there simply is no one right or wrong answer to that question. Suspicious is in the eye of the beholder. This is why the “know your customer” component is critical to a strong BSA compliance program. The more that you know about your customer and what they are doing, the more obvious suspicious activity becomes.

As a best practice, if there aren’t several members of your institution’s staff that fully understand the business model of a client, it is a bad idea to continue the relationship. Regulators expect that financial institutions have the ability to know the source of funds, the customer base, and the typical transaction flow of the peers of your customer. For example, suppose you have a customer who sells fresh flowers. The expectation would be that staff members at your institution understand how a fresh flower stand works, what typical receipts there might be, who the customers of the stand are and how transactions are conducted. Does the customer sell for cash only? Why? What level of cash is normal for a flower stand? Is it likely that a flower stand would send or receive wires? The point is that the more that is known about the business, the more likely it is that unusual activity can be determined.

In addition to knowing the business, the institution must have the means to monitor activity in a transparent manner. Through a combination of software, direct conversations and onsite visitations with the client, the institution should maintain a clear picture of normal transaction activity.

In the event that a transaction seems unusual, there is absolutely nothing wrong with asking the customer directly. In many, if not most cases, there is a completely acceptable explanation. Most customers will have no trouble with providing documentation to support their activities. Small business owners are generally proud of their accomplishments and don’t mind discussing a large sale or adding a new client. Of course, when a client is unwilling or unable to provide an explanation and present documentation, there may be trouble. The decision to file or not to file is one that your institution must be able to live with and defend through documentation.

Defensive SARs- Don’t do it!

In many cases banks don’t truly know or believe that activity is suspicious, but file a SAR “defensively”. The idea here is that we cannot tell whether or not the activity is unusual, or simply don’t have the time to do the necessary research to make a determination, so filing a SAR is seen as a temporary fix. However, defensive SARs are a sign of weakness or deficiencies in a BSA compliance program. If there is not sufficient time, or a complete understanding of the business model of the client, to properly monitor and research the activity of a customer, as a best practice, the customer should be considered for de-risking (account closure). Simply filing SARs defensively is staving off the inevitable.

There Comes a Time

After a SAR has been filed for the first time on a customer, as a best practice, it is worth considering how the filing might change the relationship between the institution and the customer.   If the possibility exists that there is activity that may be considered suspicious or unusual on an ongoing basis there are really only two clear choices.   The first is to study the business plan of the customer and to gather sufficient information to document that the activity is normal and customary. The concept of suspicious activity is one of context. That is, if we return to the flower shop example above, does it make sense that wires might be going to an obscure bank in Europe? It does indeed if you find out that there is a rare flower that exists in that part of the world and the flower shop has made a marketing point of being able to deliver the rare flower in your area. Moreover, if the flower shop owner is able to show shipping details of the flower, insurance bills, bills of lading or other similar documents that prove the shipment of flowers, then the wires are ordinary and customary.

The other option is to consider the account for de-risking. Many institutions let ego, or the pursuit of fee income, get in the way of safe and sound operating. When a customer’s operations are way ahead of the capabilities and resources of the institution, it is time, as Kenny Rogers would say, to know when to walk away and know when to run.

[1] This should not be confused with data validation.  Model validation is a test of the efficacy of the software settings.

[2] FFIEC BSA Manual Systems to Identify, Research, and Report Suspicious Activity


Please join us this Thursday February 18, 2016 at 10am PST for a FREE webinar “To File or Not to File a SAR.” You may register at We hope to see you there!


When to Hold ‘em and when to File ‘em – a Two Part Series on SAR Filings    

Amongst the many ongoing tensions of running a Bank Secrecy Act (“BSA”) compliance program, the decision about whether or not to file a Suspicious Activity Report (“SAR”) often becomes a daily test. To paraphrase the lyric of Kenny Rogers, “you have to know when to hold ‘em and when to file ‘em”.

There was a period of time a few years ago when filing SARs became the remedy for all “ills” in the BSA area. Many small institutions found themselves filing as many as 60-70 SARs a month. In extreme cases, more than a quarter of all customers had either a new SAR or a follow-up SAR being processed. In those cases, an inordinate amount of time and resources were being spent on processing forms that said, essentially, that there was “no change” and the customer was still doing what had caused the initial report to be filed.

While there is no definitive answer to the ongoing questions of when to file a SAR, there are some guidelines that can be used to help with the process.

The Point of it all with SARs

Why do we even have SARs and what in the world are they used for? According to the FFIEC’s (“Federal Financial Institutions Examination Council”) BSA handbook, SARs are a critical component of the national BSA program.

Suspicious activity reporting forms the cornerstone of the BSA reporting system. It is critical to the United States’ ability to utilize financial information to combat terrorism, terrorist financing, money laundering, and other financial crimes. [1]

According to FinCen, the organization that reads and acts on SARs, the purpose of SARs is:

The purpose of the Suspicious Activity Report (SAR) is to report known or suspected violations of law or suspicious activity observed by financial institutions subject to the regulations of the Bank Secrecy Act (BSA). In many instances, SARs have been instrumental in enabling law enforcement to initiate or supplement major money laundering or terrorist financing investigations and other criminal cases. Information provided in SAR forms also presents the Department of the Treasury’s Financial Crimes Enforcement Network (FinCen) with a method of identifying emerging trends and patterns associated with financial crimes. The information about those trends and patterns is vital to law enforcement agencies and provides valuable feedback to financial institutions.[2]

For the BSA Officer who sometimes feels that these reports are being prepared only so that they can disappear into the ether, take heart. Your SARs are read and they are acted upon in many instances.

In her comments to the International Bankers annual anti-money laundering seminar, FinCen Director Jennifer Calvery[3] described the federal government’s efforts to fight the terror group commonly known as ISIS. She noted that although much of the activity of that group is in Syria and Iraq, the fact of the matter is that they have to have trading partners around the world to get the supplies that they need to wage war. There are several things that FinCen and similar agencies are trying to accomplish to stop them: disrupting revenue streams by denying funds wherever possible, limiting access to the international financial system and, finally, punishing any individual or group that helps ISIS.

Here is one example that has been cited:

… [A] Case originated in 2008 with BSA data concerning an individual who was later convicted of conspiring to provide and providing material support to the Pakistani Taliban. The defendant funneled money to Pakistan as Taliban insurgents fought for greater control in northwest Pakistan.  BSA data was critical in uncovering the diverse and complex methods the individual used to send money from the United States to Pakistan, each of which was designed to conceal and support his activities. Investigators uncovered at least three methods: 1) wire transfers from the United States to Pakistan, where an associate picked up and administered the funds; 2) transfers of funds from cashier’s checks drawn on U.S. banks to a bank in Pakistan where co-conspirators could draw checks; and 3) bulk cash carried by family members and other travelers from the United States to Pakistan.  [4]

So ultimately, regardless of the size of your institution, the SAR’s that you file are part of something much bigger.  You are deputies in the fight against some very dark forces including human traffickers, drug dealers and terrorists and the information that you provide is critical in this fight.

A Balancing Act

The decision to file a SAR must be a balancing act. For the BSA Officer at most financial institutions there remains the fear that the decision not to file a SAR might result in heavy regulatory criticism. It is sometimes the case that institutions will file a SAR even when they feel that they are totally informed about the transactions and do not feel it is suspicious. Filing a SAR to avoid regulatory criticism is commonly called “defensive SAR filing”. While almost no institution will admit to doing so, a large number have actually filed defensively.

As a best practice, the SAR process should also be tied to the “de-risking” consideration process at your institution. There are many times when a customer engages in a suspicious transaction that is a one-time thing. Perhaps there is a large cash transaction and the explanation from the customer is somewhat sketchy. A SAR is filed and the account is closely monitored for the next 180 days. There is no other unusual or suspicious activity. In these cases no additional SAR needs to be filed.

However, there are cases when a customer engages in suspicious activity and continues to do so. For many institutions, the process has become a continuous string of monitoring account activity and filing SARs. However, in the event that a customer is engaging in activity that the institution finds suspicious, the prudent course is to act on that information. In the event that there are three or more SARs filed on a customer for the same type of activity, it is necessary to make one of two determinations:

  • The activity can be fully explained and vetted and is therefore not suspicious
  • The institution does not have the information necessary to properly monitor and manage the risk presented by the customer and therefore must terminate the relationship (“de-risk”)

Continuously filing SARs on a customer without considering the customer for de-risking is a red flag for regulators. This is an indication that the BSA staff of your institution does not fully understand what the customer is doing. Once activity of a customer has been determined to be suspicious, the process for gathering additional information should begin. Ultimately, if the BSA staff is unclear about a customer’s activity or business, he/she presents an unacceptable level of risk. Filing a SAR defensively can be an act of simply giving up and admitting that there is insufficient information about the customer.

The Examination Process and SARs.

Again, the BSA examination manual is helpful here.  It states that what the examiners are supposed to be looking at is the SAR Decision Process.

Within this system, FinCen and the federal banking agencies recognize that, as a practical matter, it is not possible for a bank to detect and report all potentially illicit transactions that flow through the bank. Examiners should focus on evaluating a bank’s policies, procedures, and processes to identify, evaluate, and report suspicious activity. However, as part of the examination process, examiners should review individual SAR filing decisions to determine the effectiveness of the bank’s suspicious activity identification, evaluation, and reporting process[5]

It is clear from the text of the examination manual that there is no expectation that a financial institution will be able to catch every suspicious transaction that takes place. There are simply not enough resources for that to be the reality. Instead, regulators expect financial institutions to develop systems that allow for the identification and monitoring of the highest risk areas.

There are five key components to an effective SAR monitoring system.   The five components are:

  • Identification or alert of unusual activity (which may include: employee identification, law enforcement inquiries, other referrals, and transaction and surveillance monitoring system output).
  • Managing alerts.
  • SAR decision making.
  • SAR completion and filing.
  • Monitoring and SAR filing on continuing activity.[6]

In part two, we will discuss what each of these components means and how to determine when to hold ‘em and when to file ‘em.

[1] FFIEC BSA Examination Manual Suspicious Activity Reporting-Overview

[2] Guidance on Preparing a Complete & Sufficient Suspicious Activity Report Narrative (November 2003)

[3]  Comments of FinCen Director Jennifer Shasky Calvery at INSTITUTE OF INTERNATIONAL BANKERS


[4] FinCen Recognizes High-Impact Law Enforcement Cases Furthered through Financial Institution Reporting

[5] FFIEC BSA Examination Manual Suspicious Activity Reporting-Overview

[6] FFIEC BSA Manual Systems to Identify, Research, and Report Suspicious Activity



Understanding Banking Compliance Regulations


Compliance regulations have become the center of a number of discussions in the financial services industry.   Starting with the financial meltdown of 2008 the numbers of regulations that directly impact the relationship between consumers and banks have grown exponentially.   Of course, the costs associated with compliance have also grown and become a significant part of the strategic planning processes and budget for financial institutions.     Quite often, compliance regulations are derided as unnecessary and burdensome while the regulatory agencies that are charged with enforcing them are considered unreasonable or unfair.     Unfortunately, it is often the case that the reasons compliance regulations exist and the goals of compliance examiners are misunderstood.  This misunderstanding can lead to less than effective compliance management programs, mistrust of regulatory agencies and overall inefficiencies in the compliance regulation process.   Understanding the “why’s” and “what’s” of compliance can go a long way towards a stronger compliance program.

Compliance: A Brief History

Although there are several theories about why banking is such a heavily regulated industry, some common themes develop when considering this topic.   Chief among the reasons that are advanced as an argument for bank regulation is the idea that banks and financial institutions must maintain stability, and the regulatory structure helps to create stability.  For example, deposit insurance helps to eliminate the fear that financial institutions will run out of money for their customers.  Another argument for regulation is the role that financial institutions play in the payment system.  This is an area that requires stability.  The ability of funds to flow freely through the financial system is one of the hallmarks of the stability of the US financial system.  A third area that is often cited is the need to promote efficiency and competition among financial institutions.

In the aftermath of the stock market crash of 1929, the banking system experienced one of its greatest crises of confidence. Significant “runs” on banks caused liquidity concerns and brought the whole US financial system to a crashing stop. The result of these events was to usher in the modern age of bank regulation. From that time on, there have been a series of regulations and regulatory agencies that have been developed that have all been designed to promote stability and efficiency in the financial system. Generally, financial institution rules that promote the overall stability of the financial institutions are considered “safety and soundness” rules. Safety and soundness rules deal with the overall levels of risks that are inherent at individual banks. Levels of capital, limits on the loans to one borrower and the ability to identify and manage the risks presented by individual customers are all examples of safety and soundness rules.

While safety and soundness rules can generally trace their lineage back to the Great Depression, consumer regulations don’t enjoy the same clear history.  For the most part, compliance regulations have been implemented following a much more indirect path.   The pattern for development of consumer protection regulations is a familiar one.

1. A practice or product of a financial institution impacts a group of consumers in a negative way (e.g. women or minorities do not have equal access to credit).

2. The offending practice receives widespread attention of the public.

3. The public outcry receives the attention of government.

4. Legislation is passed to directly change the practice or product.

This has been the pattern time and time again in the development of all of the notable consumer protection regulations that have been enacted in the financial services industries.   For example, Regulation Z (the Truth in Lending Act) was passed after public outcry about the lack of complete information detailing the costs of borrowing from banks.  From the flood insurance rules, the SAFE Act to the Servicemen’s Civil Relief Act, each of the significant consumer protection regulations has followed this same pattern and path. While it can be passionately argued that regulation is not always the most efficient means to prevent bad practices, waiting for market discipline to self-regulate has historically caused more harm than good.

It is important to remember that consumer compliance regulations, regardless of the design or requirements, have similar goals in common: to prevent policies or practices that have caused real people harm in the past. Moreover, it is also the case that financial institution practices that hurt people have not been prevented by consumer regulations. In fact, the reason that the Consumer Financial Protection Bureau was created was to further strengthen the protections for consumers.

“…CFPB will be the single, consumer-focused regulating authority, consolidating the existing authorities scattered throughout the Federal government under one roof.  And, the Bureau’s oversight includes the large banks and credit unions that had historically been regulated by the Federal government, as well as independent and privately owned “non-bank financial institutions” that had never been regulated before.

This means that for the first time, the Federal government will be able to regulate the activities of independent payday lenders, private mortgage lenders and servicers, debt collectors, credit reporting agencies, and private student loan companies.” [1]

A Peek Inside Consumer Regulations

In addition to their similar origins, consumer regulations also share similar approaches to addressing problems.  The institutions to which these regulations apply are required to either disclose information to customers or collect information about customers. Regardless of the actions that are required of the financial institution, the overall goal of consumer compliance regulations is to provide as much information as possible to the general public.   Data that is collected is used to study the impact of financial institution practices. For example, the data from the HMDA LAR (Loan Application Register) is used to study trends in housing and the experience of women and minorities at institutions that originate mortgages. Regulatory disclosures, such as the Truth in Lending disclosures are meant to give the customer the ability to easily compare the costs of a loan from one institution to the next.  The finance charges and fees are all supposed to be listed in a uniform manner to allow a customer to lay offers for a loan side by side.

Ultimately, consumer regulations are supposed to level the playing field between financial institutions who have significant resources and unsophisticated borrowers who have limited resources.

Compliance Examinations

When examiners conduct a compliance examination, the ultimate goal is to determine the strength and effectiveness of the compliance management program (“CMP”). The CMP is comprised of the policies and procedures that cover compliance, the internal controls that have been established, independent reviews and training of staff. The examination team will take a step-by-step approach.

First, there will be analysis to determine that each of the critical components of the CMP have been established.  Policies and procedures are reviewed to make sure that they are comprehensive and up to date.  Do these documents give staff information on the expectations of the Board and senior management?  Further, in the case of procedures, do they direct staff on the proper steps to take to conduct transactions?   The compliance examiners will also review training programs and analyze whether they are keeping staff appropriately informed of applicable regulations.   Finally, this portion of the examination will analyze independent review (audits) to make sure that the scope is appropriate.

Next the examiners make a determination about the overall effectiveness of the CMP.  For example, the most complete written policies and procedures in the world have no impact if the results of independent reviews are ignored.   The CMP must have the ability to determine the roots of noncompliance and a plan for corrective action.

As a third step, the compliance examination reviews the ability of the senior management at the financial institution to identify risks and to take action to mitigate risks. Many times, when there are regulatory concerns at financial institutions, the root cause is the inability of staff to recognize why an activity is risky or the extent of the risk. For example, an institution that serves a large number of high-risk clients must have the ability to determine what makes them high risk and precisely how to monitor activities to look for suspicious behavior. Before a bank takes on an MSB (“Money Service Business”) as a client, there should be sufficient staff knowledge of MSBs. The institution should also have the software ability to closely monitor transactions of MSBs.

Finally, the compliance examination staff will review the skill sets and knowledge of the staff who are charged with keeping the institution in compliance. A highly experienced and knowledgeable staff can serve as a strong counterbalance to limited policies and procedures, for example. On the other hand, staff who are unfamiliar with compliance regulations will be expected to have significant resources to use.

The compliance rating is based upon the overall effectiveness of the CMP at a financial institution.

Compliance regulations are the direct result of bad behaviors of financial institutions. Most of the regulations are designed to give the consuming public maximum information. Compliance will be a part of banking on an ongoing basis. Embrace your inner compliance officer.

[1] Consumer Financial Protection Bureau 101: Why We Need a Consumer Watchdog JANUARY 4, 2012 AT 11:13 AM ET BY MEGAN SLACK blog


Why ARE There BSA/AML Regulations?    

As anyone in compliance can attest, there are myriad consumer compliance regulations.  For financial institutions, these regulations are regarded as anything from a nuisance, to the very bane of the existence of banks.  However, in point of fact, there are no bank consumer regulations that were not earned by misbehavior in the past.  Like it or not these regulations exist to prevent bad behavior and/or to encourage certain practices.   We believe that one of the keys to strengthening a compliance program is to encourage your staff to understand why these regulations exist and what it is the regulations are designed to accomplish.  To further this cause, we have designed a series of blogs that from time to time throughout the year, will address these questions about various banking regulations.  We call this series “Why is there….”

BSA- the Early Years  

Since the beginning of crime, there has been a need to hide the ill-gotten gains of criminal activity.  Early bad guys held their loot in caves.  Later, treasure chests provided a means of hiding criminal wealth.   However, despite the form that ancient loot took, the goal was and has always been to reduce assets to currency so that it can be used in exchange for other goods and services.   The need to take illicit assets or money and hide its source is known commonly as “money laundering”.  Criminals of all sorts engage in money laundering and have become exceedingly sophisticated in their pursuit of hiding the sources and uses of their money.

Because the “bad guys” continue to evolve, the history of the Bank Secrecy Act (“BSA”) and Anti-Money Laundering laws (“AML”) is one of ongoing change. The laws that make money laundering illegal can be traced back to the Bank Secrecy Act of 1970. Since the time the BSA was passed, there have been seven major legislative changes to the overall legislative scheme that covers this area. These changes are:

  • Money Laundering Control Act (1986)
  • Anti-Drug Abuse Act of 1988
  • Annunzio-Wylie Anti-Money Laundering Act (1992)
  • Money Laundering Suppression Act (1994)
  • Money Laundering and Financial Crimes Strategy Act (1998)
  • Uniting and Strengthening America by Providing Appropriate Tools to Restrict, Intercept and Obstruct Terrorism Act of 2001 (USA PATRIOT Act)
  • Intelligence Reform & Terrorism Prevention Act of 2004

As technology has changed, so have the goals of many of the criminals that want to launder money.  In addition to drug dealers, there are terrorists, human traffickers, politicians and embezzlers, all of whom are developing ways to hide their cash.

Money Laundering

What exactly is money laundering? FinCEN, which is the federal agency that is specifically charged with monitoring and preventing money laundering, defines it this way:

Money laundering is the process of making illegally-gained proceeds (i.e. “dirty money”) appear legal (i.e. “clean”). Typically, it involves three steps: placement, layering and integration. First, the illegitimate funds are furtively introduced into the legitimate financial system. Then, the money is moved around to create confusion, sometimes by wiring or transferring through numerous accounts. Finally, it is integrated into the financial system through additional transactions until the “dirty money” appears “clean.” Money laundering can facilitate crimes such as drug trafficking and terrorism, and can adversely impact the global economy.[1]

Put another way, when criminals conduct their business, they almost always do so in cash, for what should be obvious reasons.   As early as the 1970’s federal regulators realized that without some regulatory help, financial institutions would be used as tools for disposing of the cash received from crimes.  Criminals would simply deposit their money in the bank, wait a few days and then make legitimate withdrawals.   Once the cash was co-mingled with other deposits, there would be no way to tell which money came from real legitimate effort and which was the result of crime.

Popular Schemes

Some of the more popular schemes for changing criminal cash into legitimate money include:

  • Black Market Foreign Exchange: In this enterprise, all of the participants are breaking one law or another. On one end are importers of goods who do not want to pay the government rate for exchanging currency from US Dollars to the home currency (e.g. pesos). These importers make a deal with a broker who is willing to import goods illegally. The importer makes a deal with a criminal who has “dirty” US dollars. The importer uses the “dirty” money to buy US goods and ships them to his own country. The goods are then sold to the importers who pay the broker in local currency. The criminal gets his money back in pesos that are now “clean”.
  • Investing in Legitimate Businesses: Here a criminal buys all or part of a legitimate business and simply mixes his cash in with the earnings of that business. This only works for businesses that already deal extensively in cash. This is why gas stations, casinos, bars and check cashing stores are considered “high risk” for money laundering. Because many professional service providers such as doctors and lawyers often take cash for payments, they are also considered “high risk”.
  • Smurfing: Sometimes a criminal will get a number of people working together to break up his cash deposits into small amounts. This is called smurfing.
  • Structuring: This is by far and away the most frequent form of attempted laundering. Most people realize these days that a cash deposit above $10,000 has to be reported to the IRS. Criminals have, for years, tried to get around this limit by making deposits of smaller amounts on subsequent days. This is called structuring.

Over the years there have been many different schemes for trying to avoid detection of money laundering. In fact, there are simply too many to list here. Suffice it to say that there are criminal groups with nothing but money and time to try to figure out new and different ways to make “dirty” money clean.

What is the Money Used For? 

There are many different uses for money once it has been laundered.  Some of the more onerous uses include:

  • Drug Dealing Activity
  • Human Trafficking
  • Terrorist financing
  • Tax evasion
  • Embezzlement

As you can see, money that is laundered is used to fund extreme criminal enterprises. This is why it is critically important that financial institutions do all that they can to lend a hand to legal authorities to stop money laundering.

Each of the changes in BSA/AML laws was designed to improve the overall monitoring of cash and cash equivalent transactions. For small financial institutions, the changes have been ongoing and significant. As the regulations changed, the expectations of the regulatory bodies evolved. Today, no self-respecting banker would consider operating without a full BSA/AML compliance program. Moreover, very few banks can get away with a manual system for tracking and aggregating the transactions of their customers. Today, a sound BSA/AML program includes software that helps bank staff aggregate and monitor transactions of its customers.

BSA/AML laws are really financial institutions’ way of helping to keep the world a better, safer place.

[1]  “History of Money Laundering Laws”

Banking Regulations to Watch in 2016

Regulations to Watch in 2016  

The New Year brings with it many different types of celebrations and traditions.  In the world of financial institution compliance the tradition for the New Year is to await the implementation of new regulations.  For the past several years, there have been a large number of new regulations that have been implemented.  Fortunately, the pace of new regulations has slowed dramatically and 2016 will not see a large number.   In fact, there are only two significant regulatory changes that will take place in 2016.  Despite this fact, as you plan for the compliance year, remember that the supervisory emphasis of the regulatory agencies can have the same impact as new regulations.

There are several sources for regulatory changes. Regulatory agencies respond to world events, the political environment, resource allocations, technology and many other factors. One valuable source of information that is often overlooked is the annual plans or statements that are issued by the prudential regulators. All three issue a plan that addresses the areas that they will emphasize in the upcoming year. In addition, there are many organizations and agencies that list the effective dates for regulations. Gathering information on the new regulations and regulatory initiatives is a key first step for planning the compliance year.

Two (and One-Half) Significant Changes

The most significant regulatory changes that will occur in 2016 are the flood insurance rules and changes in Regulation Z that will expand the ability of small creditors to make, without fear, loans with terms that would otherwise make them non-qualified mortgages. There is also the TILA / RESPA Integrated Disclosure Rule, a.k.a. “TRID”, that went into effect in the final quarter of 2015.

Flood Insurance 

The flood insurance rules are likely to impact your institution in two significant areas.  First, for loans with a residence as collateral, there is now an exception for detached structures.  No longer will you have to get insurance for that random tool shed on the property that you have taken as collateral.  There are several considerations that go with this change.

The second change impacts the way that force-placed insurance may be charged to the customer. In some cases, the customer may be charged back to the day that the policy lapsed for flood insurance. Again, there are several considerations to make when applying this rule to your institution.

The flood rules also apply an escrow requirement for institutions that are over $1 billion in assets. We discussed these changes in detail in a three-part blog that is on our website. For more information, please review our blogs.

Regulation Z 

Another significant change is the expansion of the ability of small creditors to enjoy qualified mortgage protections for mortgage loans. The CFPB described the change this way:

There are a variety of provisions in the rules that affect small creditors, as well as small creditors that operate predominantly in rural or underserved areas. For instance, a provision in the Ability-to-Repay rule extends Qualified Mortgage status to loans that small creditors hold in their own portfolios, even if consumers’ debt-to-income ratio exceeds 43 percent. Small creditors that operate predominantly in rural or underserved areas can originate Qualified Mortgages with balloon payments even though balloon payments are otherwise not allowed with Qualified Mortgages. Similarly, under the Bureau’s Home Ownership and Equity Protection Act rule, such small creditors can originate high-cost mortgages with balloon payments. Also, under the Bureau’s Escrows rule, eligible small creditors that operate predominantly in rural or underserved areas are not required to establish escrow accounts for higher-priced mortgages. [1]

This expansion creates a great deal of opportunity for smaller financial institutions to consider mortgage lending.  We will discuss this opportunity in detail in blogs to come in the near future.


The regulatory change that received the most publicity last year was the TILA / RESPA Integrated Disclosure Rule which was widely known as TRID.  This rule actually was implemented in the last quarter of 2015.  Since its start, several regulatory agencies have released examination procedures that indicate how they will treat financial institutions the first time new loans are reviewed for compliance with these rules.   According to many publications, technical or individual violations will be de-emphasized.  The main area of emphasis will be on the system for compliance that has been developed by the institution.

Regulatory Emphasis

In addition to changes in regulations, it is important to glean as much information as is available from the regulatory agencies about the areas of focus for examinations. A change in the area of focus can have the same impact as a change in regulation. For example, in the area of flood insurance, when the focus changed from the appropriate amount of insurance to a review of flood notices, a number of institutions that previously had satisfactory reviews found themselves with findings and, in extreme cases, civil money penalties. It is the change in focus of the regulators that often has many an institution asking “why were we okay at the last examination, but not now?” Fortunately, many of the regulatory agencies publish strategic plans which indicate the areas that will be emphasized for the year. Here is a brief review:


The CFPB’s Deputy Assistant Director for origination, Calvin Hagins, recently warned mortgage lenders of the four main examination priorities for 2016—loan originator compensation plans, the ability-to-repay rule, the TILA-RESPA Integrated Disclosures (TRID) rule, and marketing service agreements.

Speaking at the California MBA Legal Issues Conference, Hagins indicated that CFPB examiners will spend a substantial amount of time evaluating loan compensation schemes at every exam at every entity. [2]


The Office of the Comptroller of the Currency, in its 2016 strategic operating plan, released the following priorities:

  • Evaluating adequacy of compliance risk management and assessing banks’ effectiveness in identifying and responding to risks posed by new products, services, or terms.
  • Examiners will also assess compliance with the following: new requirements for integrated mortgage disclosure under the Truth in Lending Act of 1968 and the Real Estate Settlement Procedures Act of 1974.
  • Relevant consumer laws, regulations, and guidance for banks under $10 billion in assets.
  • Flood Disaster Protection Act of 1973
  • The Servicemembers Civil Relief Act of 2003.

In addition, the OCC pointed out that fair access to credit will also be a priority:

  • Assessing banks’ efforts to meet the needs of creditworthy borrowers and to monitor banks’ compliance with the Community Reinvestment Act and fair lending laws.
  • Examiners at banks with more than $500 million in assets will continue to use the Fair Lending Risk Assessment Tool in their fair lending assessments. [3]


The FDIC’s 2015 strategic plan is still in effect and it covers several years. While this plan is not as specific in the areas of emphasis as some of the other agencies, the plan does mention that there will be an emphasis placed on consumer protection, the CRA and Fair Lending laws. [4] We have interpreted this language to mean that UDAAP, Fair Lending and the Community Reinvestment Act are all areas that should receive attention at your institution before the examiners arrive.

Federal Reserve

The Federal Reserve System indicated in its annual compliance hot topics presentation that areas of focus will include Regulation C (HMDA), Regulation B spousal signature rules and UDAAP. [5]


In the area of BSA/AML, FinCEN is now taking comments about new rules for due diligence. The original proposal was controversial in that it essentially required financial institutions to perform due diligence on the beneficiaries of accounts as well as, in some cases, the customers of the financial institution’s clients. While it is evident that the proposal will be scaled back somewhat, it is also logical to assume that customer due diligence will be an area of focus for FinCEN in both the short term and the long term.

As you develop your audit plan and compliance risk assessment for the year, both new regulations and regulatory emphasis should receive strong consideration.  As a best practice, it is recommended that you contact your regulator and ask for information on areas of emphasis for 2016 and plan accordingly.

[1] CFPB Finalizes Rule to Facilitate Access to Credit in Rural and Underserved Areas- September 21, 2015

[2] Deputy Assistant Director for Originations, Calvin Hagins,  comments to California MBA Legal Issues Conference

[3] OCC Committee on Bank Supervision FY 2016 Operating Plan

[4] 2015 Strategic plan

[5] 2015 Strategic plan

Pitfalls to Avoid When Developing a Fair Lending Assessment-Part Two

Pitfalls to Avoid When Developing a Risk Assessment for Fair Lending- Part Two

In part one of this series, we made the argument that an individual risk assessment should be performed for the area of Fair Lending.   When performing the risk assessment there are several pitfalls that must be avoided.

Policies and Procedures

The review of an institution’s policies and, particularly, its procedures is a basic and critical part of any risk assessment in the area of Fair Lending.

Potential Pitfall:  Policies and procedures can be fully in compliance with regulatory requirements and still have the potential for Fair Lending issues.  Review of the policies and procedures must consider both compliance with the requirements of regulations and the impact on customers!

First, these documents should be reviewed to determine that all of the required information is up to date and correct.  In this review, it is important that regulatory requirements such as “grossing up” income[1] in credit decisions, spousal signature rules and Fair Lending principles are included.  This review should also include a review of procedures to ensure that they match policies.

The second phase of the review should be completed to ensure that policies and procedures do not present the possibility of disparate impact.  In this review, the goal is to review the policies and procedures to determine the level of discretion allowed and how this discretion can be checked against Fair Lending risk.  For example, do the procedures require documentation of delays in processing loans?  Do policies and procedures emphasize the need for secondary review?

Credit Policies

Credit policies are an area of particular concern in the Fair Lending assessment. The review of credit policies should also be completed in two phases.

Potential Pitfall: Credit policies should reflect the idea that the bank has made a reasoned decision about how it is meeting the credit needs of its community.  Policies that are fully compliant can become outdated quickly.  Review of credit policies should consider the changes in the assessment area and should reflect the business decisions of the Board.

Credit formulas and guidelines should be reviewed and validated independently to ensure that the data is valid. Though these validations don’t need to be performed annually, it is a best practice to test the guidelines vis-à-vis adverse action trends at the bank. Guidelines that yield an extremely high number of loan declines may need study and possibly adjustment.

In the second phase of the review, a comparison between the credit policies, the strategic plan of the bank and current economic data should be completed.  The purpose of this review is to determine that the bank’s credit policies and procedures match the credit needs of the community.   It is imperative that the Bank be able to document the business reasons for the list of products being offered.  For example, a decision by a Bank not to offer home equity loans when there is strong need for such loans in an assessment area, may be called into question during a Fair Lending examination.  A best practice is to have the economic data to demonstrate that these loans are not economically feasible at the bank, or that some other legitimate business reason exists for not making such loans.

Credit Decision Process

The credit decision process, from the time of application to the ultimate credit decision or withdrawal by the applicant, should be assessed with an eye towards eliminating the ability of a single bank employee to thwart the will of the Board by engaging in illegal behavior.

Potential Pitfall:  When reviewing adverse actions and withdrawals for timely notices, it is possible to overlook the warning signs of Fair Lending issues.

The review of adverse actions generally includes a check to make sure that notices are given within the timeframes required by Regulation B. In addition, a good review includes a check to determine that the information given is sufficient for the applicant to understand the issues that caused an adverse decision. However, a best practice is also to review for Fair Lending “warning signs”. For example, an extremely low rate of adverse actions is a strong indicator of pre-screening. A high rate of withdrawals among protected groups is a strong indicator of discouragement.

It is a best practice to review the credit decision process to determine the ability of an individual to make credit decisions without oversight.  The more autonomy loan officers have, the more the system for secondary review should be empowered.

Lending Decisions

The traditional Fair Lending analysis focuses on a review of the approvals versus declines at the Bank.  A common practice is to review “matched pairs” which compares the low rated credit approvals with highly rated declines (loans that were barely declined).

Potential Pitfall:  If this is the heart of the analysis, then the bank is not getting the full story!  The analysis must look at the applicant’s total experience to ensure that all are getting the same considerations.

The analysis should consider:

  • Application to decision time-trends for members in protected classes
  • Comparative analysis- close decisions to approve versus decline
  • Pricing Analysis
  • Special considerations
      o Insufficient collateral frequently being given as a reason for decline
      o Large number of declines in a certain product area

  • High number of approvals versus a small number of declines

If all of the above is not part of the analysis that is being performed, then your bank may have potential Fair Lending issues that are going undetected.

Vendor Management

Financial institutions are charged with knowing and managing the results obtained from their vendors.  The regulatory agencies have made it clear that in every area from indirect auto lending to appraisals that they expect that financial institutions will monitor the results that they are getting from vendors.

Potential Pitfall: If the review of the vendor ends with a background check, your institution may not be getting the full story. Best practices require that the Bank pay attention to the results of the vendor’s efforts. There has to be a general check that results are reasonable and consistent.

The assessment must consider whether the results being produced are consistent and reliable.  For example, are appraisals being reviewed and compared to complaints?   Is it possible that certain appraisers consistently yield lower property values in certain income tracts?  Are flood insurance determinations being updated to match changes in the flood map?  The bank will be held accountable for the misbehavior of its vendors!

UDAAP Review

The risk assessment should include a review of the potential for UDAAP.  This is an area that is growing in scope and influence.

Potential Pitfall:  UDAAP is far reaching and can be easily overlooked.

The assessment should consider whether there is consistency in advertising and actual disclosures.  The risk assessment must look at the Bank’s products/operations from the point of view of the consumer.

Customer complaints are an area of focus for regulators.  Make sure that complaints are getting categorized and reported to the Board.  If no complaints have been received, there should be at least a policy and procedures in place to handle these once they do appear.


Many community banks use testimonials as part of their marketing.  The relationship with the community is after all, one of the strengths of being a community bank.

Potential Pitfall:   A risk assessment that exclusively covers direct compliance with Reg. Z and DD may overlook Fair Lending concerns in advertising.

Risk assessment should cover the reasons for the advertising and the markets that you are attempting to reach.  Has the bank considered expanding advertising to nontraditional communities?   Are there communities within the Bank’s assessment area that are left out of the advertising and marketing?

Strategic Plan

Examiners expect that the Bank has direct knowledge of the credit needs of the assessment area. This should be considered as part of the risk assessment.

Potential Pitfall: Without considering the overall strategy of the Bank, it is difficult to get the full picture of how the bank is addressing Fair Lending within its community.

The strategic plan is most often not considered as part of the Fair Lending assessment. However, in many cases, the examiners will start considering an institution’s strategy in offering products to its community as a consideration of Fair Lending effectiveness.

A Fair Lending risk assessment is a critical component of effective compliance management.

[1] See Reg. B at 202.6(b)(5)

Don’t Forget That Training is a Pillar of a Strong Compliance Program

Don’t forget that Training is a Pillar of a Strong Compliance Program   

Since regulators first embraced the risk-based approach to supervision of banks, training of staff has been recognized as one of the pillars of a strong compliance program. In its 2002 article entitled “A Banker’s Guide to Establishing and Maintaining an Effective Compliance Management Program”, the Kansas City Federal Reserve Bank discussed the importance of training to a compliance program:

“The importance of having a staff that is knowledgeable of regulatory requirements cannot be overstated. Regardless of an institution’s philosophy and policies, ultimately it is line staff who process transactions and interact with customers. If employees are not adequately trained in compliance matters, errors are certain to occur” [1]

Mark W Olson, Member of the Board of Governors of the US Federal Reserve System, also emphasized this point in his remarks at the American Bankers Association’s Regulatory Compliance Conference.  He stated in part that:

“Training on policies, procedures, and associated controls is a component of compliance-risk management that should not be overlooked. Examiners will determine whether the banking organization’s training program ensures that compliance policies, procedures, and controls are well understood and appropriately communicated throughout the organization.” [2]

These are just two of several statements by regulators that make it clear that training of staff is not only important, but that it is an essential component of compliance. There must be a mechanism in place to make sure that everyone associated with your institution is kept abreast of changes to regulations that directly impact its operations. In addition, when management and staff have a clear understanding of the requirements of regulations, they are more effective and efficient. While good training will not make up for unsafe and unsound practices, a well-trained staff can cover a multitude of “sins”.

The Case for “Live” Training

Most financial institutions these days use some form of internet training to fulfill their compliance training needs.   Online courses are for the most part accepted as the most cost effective way to conduct training for staff.  We would like to suggest that cost efficiency may not ultimately be the most important consideration.  Most compliance programs at small institutions consist of online training programs that allow participants the ability to take tests multiple times until the desired score is achieved.  Unfortunately, a common strategy for the participants is to eschew reading the material, go straight to the test, take it, write down the answers to the questions that they got wrong and then retake the test with answer guide in hand. While this process will help to ensure that everyone has received a passing grade on the training, it does little to increase staff knowledge of regulations. This is not meant to be an indictment of online training programs at all.

Instead, it is a suggestion that a complete compliance training program must have a great deal more. Consider the nature of compliance regulations. Whether we like to admit it or not, compliance regulations have a history of being earned! For example, Regulation B (The Equal Credit Opportunity Act) was passed to address the fact that women and minorities were being denied equal access to credit. And the Truth in Lending Act is the result of former banking practices that misled borrowers about the real costs of the loans they were getting. Consumer regulations have been designed to address areas that have been proven to cause consumer financial harm.

Because consumer regulations are designed to either prevent certain behaviors, collect information on the results of bank practices or to provide complete information through disclosures, a great deal is left open for interpretation.  There are even times when regulations direct that staff must interpret information to the best of their ability (Government Monitoring Information in HMDA).  Often when a regulation is misunderstood, violations result.

We have found that when management and staff alike are given the opportunity to hear a bit of the history of the regulation it makes a big difference in the overall level of compliance.  Knowing WHY a regulation was enacted goes a long way toward understanding what it is that the regulation is trying to accomplish.  Taking this idea one step further, giving staff information on what it is that the current regulation is trying to accomplish goes a long way toward obtaining positive participation in the compliance effort.

By helping to ensure that staff members understand the specifics of compliance regulations, you can greatly enhance the effectiveness of the program. Staff who understand what it is that the regulation is trying to accomplish can feel empowered. Whether or not staff members agree with the regulation, understanding it is key. With the basic understanding of the regulation as a tool, the number of misinterpretations and resulting errors is greatly reduced.

Courses on consumer regulations should at least annually include information about the history and the legislative intent of the regulation.   Optimally, staff will be given the opportunity to work through case studies during the training session as these are very helpful in increasing understanding of the regulation.

Training Can be a Cost Saver

In the area of compliance, the most frequent violations of regulations are a direct result of either misunderstanding the requirements of regulations or ignorance of changes to regulations. Training courses that cover the requirements of consumer regulations are extremely effective in reducing these kinds of violations. While compliance violations rarely result in the closure of a bank, the fines, penalties and reimbursements that result can have a drastic impact on profitability.

Do not Give Training the Axe

Although the examination handbooks don’t specifically say it, the fact that training is listed as one of the “pillars” of the compliance program suggests that it is at least as important as the other pillars.  And yet, for reasons that are lost in tradition, this area often is not treated as an important part of compliance.

Even in the toughest of economic times, training of staff and management is a necessity. Through training courses that are specifically designed to meet the needs of individual organizations, financial institutions can be prepared to meet the challenges of a changing regulatory environment. As one of the most important pillars of a strong compliance program, training should never be considered a luxury!

[1] A Banker’s Guide to Establishing and Maintaining an Effective Compliance Management Program (the Guide). Federal Reserve Bank of Kansas City, 2002

[2]  Remarks by Mark W Olson, Member of the Board of Governors of the US Federal Reserve System, at the American Bankers Association’s Regulatory Compliance Conference, Orlando, 12 June 2006.

