Responding to BSA/AML Enforcement: Don’t Make Matters Worse with a Shoddy Action Plan

When a financial institution incurs a Bank Secrecy Act (BSA) or anti-money laundering (AML)-related enforcement, it needs to respond with an action plan detailing how it will resolve its wrongdoing. That document will help to define the relationship between the regulator and the organization, and it may ultimately mark the difference between a slap on the wrist and a significant penalty.

In 2020, there were over 12 publicly released enforcement actions delivered against financial institutions by regulatory bodies for BSA and AML-related deficiencies. In sum, they resulted in over $225 million in fines, according to a Deloitte analysis of publicly issued enforcement actions by the Federal Reserve Board, Financial Industry Regulatory Authority (FINRA), New York State Department of Financial Services, U.S. Department of Justice, National Futures Association and the Office of the Comptroller of the Currency.

Bank Julius Baer Agrees to Pay More than $79 Million for Laundering Money in FIFA Scandalhttps://t.co/sGxQB7v3oB

— Justice Department (@TheJusticeDept) May 27, 2021

Regardless of the regulator or type of action issued, all enforcement actions require management to provide a written response in the form of a proposed action plan. A well-crafted, comprehensive action plan that is addressed in a timely manner is a critical step a financial institution can take to remediate the noted concerns and have an enforcement action lifted. Conversely, a poorly worded, incomplete action plan absent the proper time or attention will hinder a financial institution’s remediation efforts, often extending the time the enforcement action remains in effect.

Action plans set forth the financial institution’s commitments to the regulators and lay out the path for remediating the enforcement action requirements. The contents of an action plan are distinct to each financial institution and should be designed to address the specific issues that need to be remedied. That said, a well-crafted action plan typically contains specific strategies financial institutions should aim to follow. Here, we outline the four main strategies for creating an effective response:

1. Be Specific

A crucial first step in creating an effective action plan, being specific will decrease ambiguity and reduce the number of follow-up inquiries and level of scrutiny from regulators. Financial institutions should reduce or potentially eliminate the use of general statements or repetition of enforcement action deficiencies in their action plans, instead providing the specific steps the financial institution will take to rectify the deficiencies identified by its regulator. Further, financial institutions should create and submit action steps that are comprehensive and have associated milestones and/or timelines that do not over promise and carry reasonable due dates. For example, if an enforcement action requires a financial institution to perform a historical review of transactions to detect potentially suspicious activity, the financial institution should specifically describe each step in the process (e.g., determining the population, establishing rule parameters, performing data quality checks, conducting initial alert detection) and establish when each step is expected to be completed.

Managing this aspect of the action plan is more art than science. It is typically more effective to communicate upfront why a certain course of action will take time to fully implement and complete than it is to explain later why actions were over-promised and under-delivered, the latter of which may negatively impact regulatory goodwill and standing.

2. Be Deliberate

When financial institutions are deliberate with their remediation plans, they can often save time, money and resources needed to address the enforcement action.

All action items should be designed to address or be directly tied to the requirements set forth in the enforcement action. As such, a financial institution should be deliberate in documenting exactly what items it is committing to perform. These commitments become part of the official response, and – when documented thoroughly and clearly – demonstrate a financial institution’s understanding of the regulator’s concerns and plans to address them. Including elements of an unrelated enhancement effort within an action plan (e.g., in an effort to streamline corrective actions and/or reporting), even if well-intentioned, raises the risk that the financial institution will not meet its enforcement action-related commitments and deadlines and exposes the financial institution to the potential for penalties or fines.

Items unrelated to the enforcement action should generally not be included in an action plan. However, if items unrelated to the enforcement action are included, they should be clearly identified so that progress against enforcement action-specific items can be easily identified and monitored.

3. Be Consistent

A financial institution’s action plan should address the design and operating effectiveness of steps taken while also remaining consistent with standard internal governance protocols.

For example, if a financial institution decides to significantly enhance existing policies and procedures in response to an enforcement action, the associated design and operating effectiveness protocols need to be included in the action plan response to the regulator. It is not enough for our hypothetical financial institution to show that policies and procedures were updated. Instead, to address regulatory expectations, the example institution should demonstrate that the policies and procedures were documented, were approved by a senior officer or committee (as required), were rolled out and are currently in use (inclusive of performing sample testing and demonstrating sustainability of the associated process for multiple cycles of activity), following the financial institution’s standard process for disseminating policies, procedures and associated training.

When financial institutions can demonstrate that they are addressing action plan items in a timely fashion and with active management involvement, they may build goodwill with regulators.

4. Be Realistic

Addressing an enforcement action by crafting an action plan is a significant undertaking as the effort typically affects many aspects of AML compliance programs – and needs to reach all appropriate operations, be they regional, multinational or fully global. No matter how realistic an action plan is about what can be accomplished and how quickly it can be done (remember, be specific!), it’s important to allow for the flexibility needed to tackle unexpected challenges as they arise.