Photo Credit: semisatch
By Farrukh Qureshi, Associate Director,
Internal Audit - BSA/AML & OFAC
On October 3, 2018, an Interagency Statement was issued by
five agencies/regulatory bodies to provide banks with an option to enter into a
collaborative arrangement involving two or more banks to share their available
resources in order to ensure compliance with Bank Secrecy Act/Anti-Money
Laundering (“BSA/AML”) requirements. This statement summarizes some of these
requirements with advice that financial institutions should consider regarding
bank risk profiles; legal restrictions; establishing appropriate oversight; the
need to have contractual agreements between banks entering into collaborative
arrangements; and the development of policies, procedures and systems, etc.
While collaborative arrangements would be best suited for banks with a
community focus, lower-risk profiles, and less complex operations, as stated by
the Interagency Statement, the following challenges should be considered in
order for banks to determine the best route to take:
It would very difficult to find an exact/identical Risk
Profile for different banks in a collaborative arrangement. Identifying
different risk factors, assigning each risk factor a weight in the overall
profile, calculating inherent and residual risk, and designing mitigating
controls will most likely differ at some stage in the risk assessment process
for different banks.
Developing BSA/AML policies and procedures would depend on
the annual risk assessment of each participant bank. Having the same policies
and procedures for more than one participant bank in a collaborative
arrangement would be an extraordinary challenge due to the difference in risk
factors between participant banks. General guidelines regarding compliance
requirements may be the same, but processes and design of controls to achieve
compliance could be different at more than one bank.
- Banks could have different core banking system and
transaction monitoring tools. Developing and implementing the same transaction
monitoring and report extraction process would be challenging and complicated.
A possibility would be if two participant banks are using the same core banking
system and transaction monitoring system or are generating the same
output/reports. Still, the volume of transactions and customer base would be
unique for each participant bank. Defining a review and monitoring process for
each participant bank with a unique customer base, transactional activities,
geographies served, and shared automated transaction monitoring systems would
In a collaborative arrangement, if two or more banks have
the same transaction monitoring and OFAC applications, the procedures and
controls would need to address separation, mapping and transfer of transactional
and customer data and monitoring scenarios; staff access controls among
participant banks; assignment of responsibility for investigating; escalation
and disposition of alerts/cases; enforceability, accountability and
consequences related to ineffective monitoring; confidentiality, privacy, and
separation of business; customer information; and data.
- A liaison to coordinate the collaborative arrangement would
need to be assigned. Participant banks would have to write in-depth policies
and procedures, contracts detailing assigned roles, and responsibilities for
processes and monitoring activities. However, as banks would have different
staff levels, processes, designs of controls, and skill sets in compliance and
operational areas, the legitimate concerns include the method, scope and
enforceability of independent testing by auditors and regulators, assignment of
responsibility, and accountability for any failures in processes and controls.
Employee training resources may be more practical, as banks
can hire a knowledgeable, experienced trainer to provide staff training in a
collaborative arrangement and share the costs; however, there may be some
administrative challenges of having all relevant employees and management
available for such training sessions, tracking of attendance and, if needed,
customization of training based on bank business profile and exposure. If two
or more banks are similar in customer base, products and services, geographies,
processes and controls, they most likely would be competitors. How feasible
would it be to share resources with a bank’s competitor?
Banks would have to align some or most of their processes,
controls, products and services offered, and geographies served with the same
sort of organizational structure, and internal and external environment. To
create such collaborative arrangements, the costs of coming up with such
similarities would most likely surpass the benefit of a collaborative
arrangement. As stated in the Interagency Statement, sharing resources in a
collaborative arrangement does not relieve a bank from its compliance responsibility.
Perhaps entering a collaborative arrangement at this point needs a lot more
clarity and guidance, which may be available as the banking industry and
monitoring practices further evolve and participants devise certain solutions
to share resources and look for specific areas to collaborate.