United States: Best Practices For AML Compliance Self-Assessments

The Bank Secrecy Act requires financial institutions to establish an anti-money laundering (AML) compliance program to prevent and detect financial crime. Failure to institute an effective program can subject an institution to significant regulatory oversight and penalties. AML compliance missteps have caught numerous banks in the United States and abroad flatfooted with inadequate compliance programs, resulting in massive fines and government scrutiny that distracts from core business missions.

Given the importance of AML compliance, financial institutions are increasingly turning to outside experts and consultants to assess the sufficiency of their AML programs. These ad hoc "assisted self-assessments"— often called "gap analyses"—are typically commissioned by chief compliance officers, senior management, or boards of directors either proactively or as a result of an unfavorable internal audit or exam findings, which can give rise to a fear of future enforcement actions. Voluntary selfassessments are important to a sustainable and vigorous AML program, but, if they're not implemented properly, these voluntary self-assessments can open financial institutions up to serious risk. Lawyers advising financial institutions and their directors should therefore think carefully about when to commence these reviews and how to manage them.

The primary risk in any AML program is straightforward: that a gap analysis actually identifies some unknown problem with an organization's AML compliance program but company officials

fail to fix the problem. This can occur when, for example, a compliance manager either fails to perceive the significance of a reported deficiency or fails to garner the resources or management support necessary for effective remediation. Needless to say, a financial institution that runs a gap analysis, finds an error, but fails to fix it is at a far greater risk of exposure—and potentially perceived culpability—than a financial institution with a similar error that never ran any gap analysis at all.

A secondary risk is that an assessment identifies AML gaps that senior management disagrees are true deficiencies. In practice this happens with some understandable frequency: Although they sound technical, AML compliance programs (and assessments of their quality) are driven by human judgment. Even programs and assessments run by sophisticated algorithms or other seemingly objective mechanisms rely on human judgment in creation and implementation. Whether an identified deficiency constitutes a true problem is often in the eyes of the beholder. And some gap analysis experts may not clearly differentiate between recommendations and true errors, which means that management might perceive an expert's recommendations as "nice to have" but not "must have"—particularly given resource constraints, technological capabilities, and evolving industry standards. Unfortunately, regulators may take a different view particularly when they have previously criticized an institution's AML program.

Importantly, both of these risks are predicated on the notion that regulators may one day be able to access gap analyses and evaluate—for better or worse— a financial institution's response to any assessments. Indeed, AML program assessments are usually written, either in full report or summary form. And as such, regulators and prosecutors regularly ask financial institutions to produce gap analysis reports and subsequently use those reports— and inadequate responses to identified deficiencies—as the basis for bringing enforcement actions. Merely labeling a report "draft" or "preliminary" may not shield it from a regulatory or prosecutorial production request.

Last year's Department of Justice prosecution of Rabobank, N.A., is a textbook example of the risks attendant to commissioning (and not disclosing) gap analysis reports. According to the government, Rabobank had concealed from regulators a report written by an AML consulting firm detailing AML deficiencies at the bank. The bank had contracted with the consultant to provide an independent, written assessment of the bank's compliance program,

and the consultant emailed several preliminary versions of the report to the bank. Examiners from the Office of the Comptroller of the Currency (OCC) learned of the assessment from a Rabobank whistleblower and repeatedly asked bank executives for a copy, including any "preliminary or partial" assessments, but the bank failed to provide the report. That failure, along with other alleged concealments by bank executives, resulted in Rabobank pleading guilty to criminally conspiring to defraud the OCC and to obstruct the regulator's AML examination of the bank. Rabobank ultimately had to forfeit over $368 million. Press Release, U.S. Dept. of Justice, Rabobank, N.A. Pleads Guilty, Agrees to Pay Over $360 Million (Feb. 7, 2018). The bank wasn't alone in receiving punishment: The OCC imposed a $50,000 fine on the bank's chief compliance officer personally and banned him from employment in the industry. In the Matter of Laura Akhoshi, former Chief Compliance Officer, Notice of Charges for Order of Prohibition and Assessment of a Civil Money Penalty (OCC, April 16, 2018).

The Rabobank prosecution should not discourage institutions from seeking AML program assessments by outside experts. Nor should it discourage institutions from getting drafts from consultants, which can help avoid erroneous findings and prevent a consultant from misunderstanding an institution's processes, systems, or procedures. These assessments will continue to be common in the industry, driven in part by compliance officers and senior managers seeking independent validation of their programs and protection from any attempt by the government to hold individuals personally liable for AML deficiencies.

To view the full article click here.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.