Many AML frameworks are designed specifically for banks. If your non-bank organization is required to conduct AML compliance, but follows a bank-tailored policy, it can lead to numerous missteps and potential regulator scrutiny.
For many years, the US Financial Crimes Enforcement Network (FinCEN) has imposed anti-money laundering compliance obligations on certain financial institutions. For these purposes, covered financial institutions include a range of non-banking entities, such as residential mortgage originators and lenders, money services businesses (MSBs), securities broker-dealers, and dealers in precious metals and gems.
We are often asked to review the policies and procedures that are used by non-bank financial institutions to comply with AML obligations. These reviews may be in relation to an investment by a third party, an examination by state regulators, a secondary market transaction or a licensing application, and may be used to assess or enhance compliance efforts.
Over the years, we have noticed recurring themes in AML policies at nonbank financial institutions. Five of the most notable themes are:
1. Choose the Right Starting Point
Financial institutions are required to maintain an AML compliance program comprised of written policies, procedures and processes. A quick internet search will reveal many templates and models of AML policies. Many non-bank institutions will download or purchase an AML template without considering whether it is appropriate for their particular business. This can lead to policies that describe products the financial institution does not and cannot offer and refer to requirements and forms that are irrelevant to the institution’s business. For example, MSBs and residential mortgage loan originators offer entirely different products and services and are subject to different AML obligations, but may purchase the same AML template. This quickly becomes evident if a loan originator has an AML policy that discusses how it files “Form SAR-MSB” for suspicious money services activity.
FinCEN regulates almost a dozen different types of financial institutions, each with its own AML requirements. State regulators also may examine nonbank financial institutions for compliance with FinCEN’s regulations. Therefore, financial institutions should ensure that they start with an AML template that is relevant for their business.
2. Tailor a Risk-Based Compliance Program
Financial institutions are required to adopt risk-based programs to satisfy their AML compliance obligations. In part, this means that AML compliance activities should be tailored to the specific characteristics of an institution’s business. For example, manual monitoring processes to identify suspicious activity may be sufficient for a smaller institution with “lumpy” transactions that are manually executed by individuals, such as with some residential mortgage loan originators. However, as an institution grows its business and begins to automate parts of transactions, it becomes harder to justify manual monitoring. This is particularly true if transaction volume is large and mostly automated, such as with some money services businesses.
AML policies should be tailored to reflect an appropriate risk-based compliance program. This may mean starting with a policy that describes manual monitoring activities and revising it over time as the institution adopts automated compliance controls.
3. Understand What You Are Including and Why
Sometimes a non-bank institution will engage in AML compliance activities even if it is not legally required to do so. For example, an investor may require an MSB to adopt a bank-like AML compliance program as a condition of its investment. Or a residential mortgage lender may comply with the customer identification program requirements to make it easier to sell mortgages to a bank partner or in the secondary market.
However, a financial institution should understand which compliance activities are legally required versus those that it has contractually agreed to perform, and should document that understanding. If an AML policy says that a financial institution does X, independent testers and government examiners will expect it to always do X, even if it is not legally required to do so. This can transform a breach of contract into an exam finding or enforcement penalty.
Furthermore, some AML provisions are not amenable to voluntary compliance. For example, the customer identification program requirements require certain financial institutions to provide customers with adequate notice and include model language that states: “Federal law requires all financial institutions …” That language would be inappropriate for an institution to give to customers if it is complying with the customer identification program requirements solely to enhance the secondary market for the product.
Therefore, it is important for financial institutions to understand which items actually belong in their AML policies and avoid the tendency toward over-inclusion.
4. Include Recordkeeping and Confidentiality Provisions
Two key items that can be easily overlooked in the AML compliance policy of a non-bank financial institution are recordkeeping and confidentiality requirements. FinCEN has established detailed recordkeeping requirements for non-bank financial institutions and generally requires institutions to maintain required records for at least five years. States also may impose recordkeeping requirements for AML-related records. Compliance with these requirements can be a challenge for smaller, nonbank financial institutions that may lack dedicated recordkeeping systems for AML compliance, particularly if these requirements are not mentioned in their AML policies.
FinCEN also requires financial institutions to maintain the confidentiality of suspicious activity reports. This has been one of its highest priority issues for many years, yet it can be easily overlooked in AML policies, particularly by nonbank financial institutions that infrequently file suspicious activity reports. However, it can quickly become a significant problem if a non-bank’s partner or counterparty requests such reports or a non-bank files a report regarding insider misconduct and the insider becomes aware of the filing.
Therefore, AML policies should clearly describe all of the recordkeeping obligations that apply to a non-bank financial institution. Further, they should explain how the institution will maintain the confidentiality of any suspicious activity reports that it may file.
5. Ensure Sufficient Prominence
FinCEN and state regulators generally expect the AML compliance function to have a prominent role within a financial institution. This means that senior management and the board of directors generally should be involved in the initial approval of an AML policy and should receive periodic or annual reports on significant AML issues, including compliance failures, corrective actions and policy revisions.
Non-bank financial institutions may fail to give the AML compliance function sufficient prominence, particularly if escalation paths and reporting cadence are not defined in an AML policy. For example, an examiner may criticize an AML policy that designates a junior compliance officer as the (statutorily mandated) AML compliance officer because that individual cannot escalate matters to the board’s attention. Similarly, an examiner may criticize a smaller, non-bank financial institution for dual-hatting an individual as the AML compliance officer if the person’s other role precludes them from devoting sufficient time to AML compliance. Without the compliance rails of an AML policy, it is easy to overlook annual reporting obligations.
Therefore, AML policies should define appropriate escalation paths to ensure that senior management and the board are made aware of significant AML compliance issues. The specific path and content will vary based on the institution’s risk profile (e.g., smaller institutions may have the board review every suspicious activity report, while larger institutions may provide quarterly reports of highlights or trends). However, it is important that the policy both empowers the AML compliance officer to report significant issues and assigns them responsibility for reporting at appropriately defined intervals.
AML compliance is not easy, particularly for non-bank financial institutions that typically have fewer resources to devote to it. It may seem appealing to purchase a policy from the internet and slap a logo on the cover. However, FinCEN and state regulators are increasingly focusing on AML compliance at non-bank financial institutions. Therefore, compliance officers should periodically review their existing AML policies for the issues described in this article, tune their risk assessments to identify new gaps and new issues, and consider retaining external counsel to review the sufficiency of those policies.