Federal Deposit Insurance Corporation
Office of Inspector General

Hearing on Bank Secrecy Act Compliance and Enforcement before the Senate Committee on Banking, Housing and Urban Affairs

Testimony Before the Committee on Banking, Housing, and Urban Affairs United States Senate

June 3, 2004

Hearing on Bank Secrecy Act Compliance and Enforcement

Statement of Gaston L. Gianni, Jr. Inspector General

Mr. Chairman, Mr. Sarbanes, and Members of the Committee, I am pleased to testify before you today as you conduct this hearing on the federal financial regulatory agencies’ enforcement of the Bank Secrecy Act (BSA). We appreciate and thank the Committee for its interest in gaining a greater understanding of how the government is combating terrorist financing and money laundering. The Committee, the regulators, and our office clearly have a mutual interest in assuring the public that the best possible efforts are made to deter such dangerous and illegal activities.

Today, I will present a historical perspective on the Bank Secrecy Act and discuss the BSA-related work my office has done over the past several years. I will also offer our views on the challenges that the Congress and the financial regulators face going forward in this critical area.

THE BANK SECRECY ACT OF 1970

The Bank Secrecy Act of 1970 requires all financial institutions to maintain appropriate records and to file certain reports that are used in criminal, tax, or regulatory investigations and proceedings. The BSA’s implementing regulation, 31 C.F.R. Part 103, is also used to aid law enforcement agencies in the investigation of suspected criminal activity such as illegal drug activities, income tax evasion, and money laundering by organized crime. The BSA consists of two parts—Title I, Financial Recordkeeping, and Title II, Reports of Currency in Foreign Transactions.

•Title I authorizes the Secretary of the Treasury (Treasury Department) to issue regulations requiring institutions to maintain certain records related to financial transactions.

•Title II directs the Treasury Department to prescribe regulations governing the reporting of certain transactions by and through financial institutions in excess of $10,000. A financial institution must file a Currency Transaction Report (CTR) with the Treasury Department for each cash transaction over $10,000 or multiple cash transactions by an individual in 1 business day or over a period of days aggregating over $10,000. The BSA also requires financial institutions to file Suspicious Activity Reports (SAR) with the Treasury Department when suspected money laundering activity, terrorist financing, or other BSA violations occur, such as the use of shell entities, check kiting, or embezzlement.

BSA REQUIREMENTS FOR FDIC-SUPERVISED INSTITUTIONS

The FDIC is currently the primary federal regulator for approximately 5,300 financial institutions. In that role, the Corporation has implemented rules and regulations in addition to those issued by the Treasury Department that require each FDIC-supervised institution to develop and administer a BSA program to ensure compliance with the BSA and 31 C.F.R. Part 103. Institutions’ BSA programs should include:

•a written BSA program approved by the institution’s board of directors,

•a system of internal controls to assure ongoing compliance,

•independent testing for compliance with the BSA and 31 C.F.R. Part 103 to be conducted by bank personnel or an outside party,

•designation of individual(s) responsible for coordinating and monitoring compliance with the BSA, and

•training in BSA requirements for appropriate personnel.

EXAMINATION AUTHORITY AND PROCEDURES

Although the Treasury Department has overall authority for BSA enforcement and compliance, its regulations delegate authority to financial institution regulatory agencies, including the FDIC, to examine financial institutions for compliance. In this capacity, the FDIC has authority to (1) examine the institutions it supervises for compliance with the BSA, (2) refer BSA violations to the Treasury Department, and (3) impose regulatory actions for BSA violations. The FDIC is also required by the Federal Deposit Insurance Act (FDI Act) to:

•prescribe regulations requiring insured depository institutions to establish and maintain procedures reasonably designed to ensure and monitor compliance with the BSA,

•review such procedures during their examinations of these institutions, and

•enforce compliance with the BSA monetary transaction recordkeeping and report requirements.

The Division of Supervision and Consumer Protection (DSC) at the FDIC is responsible for promoting the safety and soundness of FDIC-supervised institutions, and examining financial institutions’ compliance with applicable laws and regulations such as the BSA.

According to the Chairman’s testimony for today’s hearing, the FDIC has conducted almost 11,000 BSA examinations since 2000.

Communication and Training

The FDIC has taken steps to ensure that its supervised financial institutions and examiners are aware of BSA requirements and that its examinations of financial institutions include a review of BSA requirements. The FDIC also issues regulations, Financial Institution Letters, and other guidance to the financial institutions that it supervises; updates Corporation examination and training materials; and ensures that DSC examiners are adequately trained to monitor BSA compliance.

Risk-focused Examination Procedures

DSC requires examiners to use risk-focused examination procedures to assess BSA compliance. To accomplish this, examiners may use (1) core procedures that are considered during the basic review, (2) expanded procedures that are used to target concerns identified during the basic review, and (3) impact analyses to assess the seriousness of identified deficiencies. To assess the impact of deficiencies identified during the basic and expanded reviews, examiners determine whether BSA violations and weaknesses:

•are serious and indicate the need for civil money penalties,

•necessitate referrals to law enforcement agencies,

•necessitate a cease and desist order for cases in which a mandatory BSA compliance program was not established or maintained, or other supervisory action to correct prior noncompliance, and

•affect the safety and soundness of the institution.

WHEN VIOLATIONS SHOULD BE REFERRED TO THE TREASURY DEPARTMENT

According to referral guidelines issued by the Treasury Department’s Office of Financial Enforcement in October 1990, the Treasury Department has a zero tolerance level for violations of the BSA but recognizes that BSA violations are of a varying nature. The guidelines state, “Because the determination process often is subjective, sound examiner judgment and experience also are required.” To assist with the determination process for referrals to the Treasury Department, the guidelines instruct examiners to “assess all of the facts and circumstances surrounding the violations,” including whether:

•the violations represent an isolated incident caused by human error;

•the deficiencies are indicative of significant noncompliance with the BSA and/or systemic weaknesses in the institution’s BSA compliance program;

•the types and nature of the violations are serious;

•the violations are the result of blatant, willful, or flagrant disregard for BSA requirements;

•there is a pattern of noncompliance with one or more sections of the regulations;

•the violations result from inadequate policies, procedures, or training programs; and

•the violations result from a nonexistent or seriously deficient compliance program.

DSC procedures require examiners to use the Treasury Department’s guidelines to determine when a referral is appropriate.

THE TREASURY DEPARTMENT OR THE FDIC CAN TAKE REGULATORY ACTIONS WHEN BSA VIOLATIONS ARE IDENTIFIED

Failure by a financial institution to comply with the BSA can result in regulatory sanctions by either the Treasury Department or the FDIC. The BSA and its underlying regulations give the Treasury Department the authority to assess civil money penalties for violations and to authorize criminal prosecution. The FDIC is required to report all identified BSA violations and to refer violations that warrant penalties to the Treasury Department’s Financial Crimes Enforcement Network (FinCEN). The FinCEN was established to administer BSA and provide a government-wide, multi-source intelligence and analytical network. Such referrals, however, do not preclude the FDIC from taking regulatory action when BSA violations are identified. For example, as cited in 12 U.S.C. 1818(s), the FDIC shall issue a cease and desist order to any FDIC-supervised institution that fails to establish and maintain appropriate BSA procedures or to correct any previously reported problem with the procedures.

The Corporation has reported that, since 2001, it has issued 30 formal enforcement actions against 25 financial institutions and 3 individuals to address BSA violations—25 of these actions were cease and desist orders. Regulatory action, however, also includes informal actions such as bank board resolutions or memorandums of understanding to facilitate corrective action(s) from bank management. Since 2001, the Corporation reports that FDIC-supervised institutions have entered into 53 informal actions with BSA-related provisions. Finally, the FDIC often uses other supervisory actions such as correspondence and follow-up visitations or examinations to promote compliance with BSA and implementing guidance.

BSA BECAME A HIGHER PRIORITY AFTER THE EVENTS OF SEPTEMBER 11

Prior to the tragic events of September 11, 2001, BSA had played a significant role in preventing banks and other financial service providers from being used as intermediaries for, or to hide the transfer or deposit of, money derived from criminal activity associated with organized crime and international drug traffickers. BSA became more of a national priority following September 11.

The USA PATRIOT Act

In October 2001, the Congress enacted the Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism Act of 2001—the USA PATRIOT Act. This Act expanded the Treasury Department’s authority initially established under the BSA to regulate the activities of U.S. financial institutions, particularly their relations with individuals and entities with foreign ties. Provisions of the USA PATRIOT Act augmented the BSA money laundering provisions, making it a useful tool in tracing terrorist financing activities. The Act also elevated the status of FinCEN within the Treasury Department and emphasized its role in fighting terrorist financing. In addition to administering the BSA, FinCEN is responsible for expanding the regulatory framework to other industries (such as insurance and securities brokers and dealers) vulnerable to money laundering, terrorist financing, and other crimes.

FDIC’s Post-September 11 Initiatives

DSC has been proactive in the development and issuance of interagency examination guidance and has participated in working groups led by the Federal Financial Institutions Examination Council to develop and implement examiner training related to the enforcement of BSA and USA PATRIOT Act provisions. Additionally, DSC has organized and participated in numerous outreach programs intended to inform and educate the banking industry of USA PATRIOT Act compliance requirements. Further, DSC has indicated that it has been involved in various interagency and joint law enforcement initiatives, including:

•participation in the Financial Action Task Force’s (FATF) Working Group on International Financial Institutions Issues, which establishes international anti-money laundering standards;

•participation in the Basel Committee decision-making process in reviewing the “Know Your Customer” risk management report;

•participation in working groups and technical assistance missions sponsored by the Departments of State and Treasury, which are designed to assess vulnerabilities to terrorist financing activity worldwide and to develop and implement plans to assist foreign governments concerning these issues; and

•serving as point-of-contact liaison between FinCEN and FDIC-supervised institutions in the USA PATRIOT Act Section 314(a) terrorist-subject biweekly searches.

FDIC OIG WORK THAT ADDRESSES BSA-RELATED ISSUES

My office has conducted three audits that address the FDIC’s efforts to design and implement a supervisory program to examine institutions’ compliance with provisions of the BSA and the more recently enacted USA PATRIOT Act. The first two audits addressed FDIC examiners’ planning and conduct of BSA examinations and the Corporation’s implementation of policies and procedures stemming from USA PATRIOT Act requirements. They were both conducted as part of our responsibility to provide coverage of the FDIC’s supervision activities. The third and most recent audit primarily focused on supervisory actions taken by the FDIC to ensure institutions implement effective corrective action to address BSA violations. This audit was initiated in response to interest expressed by staff of the Subcommittee on Oversight and Investigations, House Committee on Financial Services.

Overall, these audits identified that the Corporation had taken steps to implement a risk-focused examination program for BSA. However, improvements were needed to ensure that institutions were fully complying with, and the FDIC was effectively enforcing provisions of, the Act.

I will now discuss more details of each audit, with the focus being on our findings and recommendations and the FDIC’s corrective actions to address them.

Examination Assessment of Bank Secrecy Act Compliance

By way of background, in the wake of a much-publicized Bank of New York money laundering scandal in 1999, the question of whether the BSA and its implementation were effective gained renewed interest from the legislative and executive branches of the federal government. Of particular note, the Departments of Treasury and Justice jointly issued a revised National Money Laundering Strategy in March 2000 assigning responsibility for implementing parts of the strategy to bank regulatory agencies, including the FDIC, to enhance efforts to prevent money laundering. The regulatory agencies were specifically tasked with reviewing existing examination procedures, and where necessary, revising, developing, and implementing new examination procedures that would ensure anti-money laundering supervision is risk focused. In light of the interest and new requirements, we conducted an audit in 2000 to determine the extent to which the FDIC’s examiners reviewed FDIC-regulated institutions’ compliance with the BSA during the course of safety and soundness examinations.

In March 2001, we issued Audit Report No. 01-013, Examination Assessment of BSA Compliance. In the report, we concluded that examiners did not adequately document their BSA examination planning or procedures. In general, there was little justification for the examiners’ decisions to omit or include procedures based on their evaluation of risk at the institutions being reviewed. Similarly, after completing the risk-scoping process, examiners did not consistently document the work they performed as required by the Corporation’s Manual of Examination Policies. As a result, we could not always determine the extent to which examiners reviewed institutions’ compliance with BSA provisions. We also found that examiners could have improved examination planning by taking full advantage of the FinCEN databases that contain information on CTRs and SARs. At the time of our report, one region was compiling this information in a report and disseminating it to examiners. The report showed whether institutions had significant changes in the volume of SAR and CTR filings since the previous examination and could be used to determine whether the scope of the BSA examination should be expanded.

We recommended that management (1) reinforce risk focusing guidance for BSA examinations and ensure that documentation requirements for examination planning and procedures were followed and (2) require that all FDIC regions provide examiners with CTR and SAR information for the purpose of planning BSA examinations. Management implemented these recommendations.

FDIC’s Implementation of the USA PATRIOT Act

As discussed earlier, the USA PATRIOT Act broadened authority and required regulations to combat money laundering that were already established under the BSA to facilitate the prevention, detection, and prosecution of international money laundering and the financing of terrorism. Our review of the FDIC’s implementation of the USA PATRIOT Act focused on Title III of the Act, which is entitled the International Money Laundering Abatement and Anti-terrorist Financing Act of 2001. Title III includes provisions related to:

1. international counter-money laundering and related measures,

2. BSA amendments and related improvements that supplement the United States’ authority to detect money laundering provided under the BSA, and

3. currency crimes and protection.

The objective of our audit was to determine whether the FDIC had developed and implemented adequate procedures to examine financial institutions’ compliance with the USA PATRIOT Act. We issued our final report on the audit entitled The FDIC’s Implementation of the USA PATRIOT Act, Audit Report No. 03-037, on September 5, 2003. We concluded that DSC’s existing BSA examination procedures covered certain USA PATRIOT Act, Title III requirements. In addition, DSC had advised FDIC-regulated institutions of the new requirements in cases in which the Treasury Department had issued final rules implementing the Title III provisions. However, DSC had not issued guidance to its examiners for those provisions requiring new or revised examination procedures because DSC was either coordinating the issuance of uniform procedures with an interagency steering committee or waiting for the Treasury Department to issue final rules. This delay in issuing examination guidance was of particular concern when the Treasury Department had issued final rules for Title III provisions addressing money laundering deterrents and verification of customer identification. We noted that timely issuance of examiner guidance would have helped ensure institutions’ full compliance with PATRIOT Act provisions sooner.

We recommended that the FDIC: (1) issue interim examination procedures for those sections for which the Treasury Department has already issued final rules and (2) work with its interagency counterparts to issue examination guidelines concurrently with the Treasury Department’s issuance of final rules for institutions’ implementation of Title III provisions. The FDIC concurred with both recommendations and took responsive corrective action. More specifically, the FDIC issued interim BSA examination procedures in August 2003, which included steps for reviewing institution compliance with applicable provisions of the USA PATRIOT Act and in October 2003, issued the final examination guidelines developed in consultation with the other financial institution regulators.

While not the result of our audit, FDIC has also trained its bank examination staff on the USA PATRIOT Act and incorporated BSA and Anti-Money Laundering topics into one of its core examination schools. Also, the FDIC is working with the other federal banking regulators and the Conference of State Bank Supervisors to revise examiner training programs to incorporate provisions of the USA PATRIOT Act. Furthermore, the FDIC has reported changing its application review program to consider prohibitions against certain types of relationships with financial institutions, particularly foreign shell banks. The Corporation has also amended its policies to consider the effectiveness of an insured depository institution’s anti-money laundering activities—including those of overseas branches—when evaluating a proposed merger transaction.

Supervisory Actions Taken for Bank Secrecy Act Violations

Our most recent audit related to the BSA was done in response to interest expressed by the staff of the Subcommittee on Oversight and Investigations, House Committee on Financial Services. The audit focused on actions taken by the FDIC in its supervisory capacity to ensure that FDIC-supervised institutions implement effective corrective action to address BSA violations. Our audit results in this case raised concerns related to four general areas:

•Extent of Regulatory Action on Significant and Repeat Violations

•Consistency of Reporting of Deficiencies and Violations

•Timing of FDIC Follow-Up and Corrective Actions on BSA Violations

•Handling of Filings and Referrals to the IRS and Treasury Department

Audit Took Approach Consistent with Prior Treasury OIG Report on BSA

Our audit approach was modeled after a report issued by the Department of the Treasury OIG entitled OTS: Enforcement Actions Taken for Bank Secrecy Act Violations, Report No. OIG-03-095, dated September 23, 2003. The objectives of the Treasury OIG audit were to determine:

•whether the Office of Thrift Supervision took timely and sufficient supervisory enforcement actions against thrifts with substantive BSA violations;

•whether enforcement actions, when taken, adequately addressed all substantive BSA violations identified by examiners; and

•whether OTS’s systems to track and monitor BSA examinations results were accurate and reliable.

The Treasury OIG determined that greater use of forceful and timely enforcement sanctions was warranted for BSA violations; enforcement actions were not always taken timely or were not always thorough for substantive BSA violations (1); and BSA examination data errors existed in OTS’ automated system used to monitor the results of all examinations, including BSA.

The objective of our audit was to determine whether the FDIC adequately follows up on BSA violations reported in examinations of FDIC-supervised financial institutions to ensure that they take appropriate corrective action. The scope of our audit included examinations conducted by the FDIC or state regulatory agencies, and examinations in which the FDIC participated in a joint capacity with state regulatory agencies from January 1, 1997 through September 30, 2003.

(1) The Treasury OIG defined substantive BSA violations as those that resulted from the failure to develop and implement a BSA program with the basic BSA minimum requirements and the non-filing of CTRs and SARs.

The FDIC Had Cited a Significant Number of Institutions for BSA Violations

Of the 5,662 financial institutions that the FDIC supervised (on average) during the time period covered by our audit, 2,672 institutions (approximately 47 percent) had been cited for at least one BSA violation. Those violations included citations for not complying with the Treasury Department’s Financial Recordkeeping and Reporting Requirements, i.e., filing CTRs, and not adequately implementing BSA compliance programs as required by the FDIC’s Rules and Regulations. Of those 2,672 institutions, 458 (approximately 17 percent) had been cited for repeat BSA violations.

Audit Shows High Rate of Significant and Repeat Violations, Many of Which Were Not Subject to Regulatory Action

We selected a random sample of institutions with violations for detailed review. The random sample consisted of 22 institutions selected from the 8 DSC regional or area offices, and another 19 institutions consisted of a judgmental sample of institutions with repeat violations for a total of 41 institutions reviewed. We determined that:

•35 of the 41 institutions (86 percent) were cited for violations related to the Treasury Department’s financial recordkeeping and reporting requirements as prescribed in 31 C.F.R. Part 103, and

•29 of the 41 institutions (71 percent) were cited for deficient BSA compliance programs that did not meet the minimum requirements of the FDIC Rules and Regulations.

Regarding violations of the Treasury Department’s Regulations at 31 C.F.R. Part 103, these financial institutions were most frequently cited for failing to: file CTRs for nonexempted transactions over $10,000; maintain records on sales of monetary instruments of $3,000 through $10,000; furnish information required in CTRs, file CTRs timely, or retain CTRs for 5 years; and treat multiple transactions totaling over $10,000 as a single transaction.

With respect to the FDIC’s Rules and Regulations Section 326.8, the 41 financial institutions in our sample were most frequently cited for lack of independent testing of BSA compliance; failure to develop or implement an adequate BSA compliance program; inadequate system of internal controls for BSA compliance; and failure to provide adequate BSA training.

We also determined that 27 of the 41 institutions had repeat BSA violations. Of those 27 repeat institutions, 17 institutions (63 percent) were not subject to regulatory action for their repeat violations, although other supervisory efforts such as follow-up correspondence to bank management and visitations may have been in progress. Of the 10 institutions that were subject to regulatory action, only 1 was subject to a cease and desist order (2). DSC policy states that repeat violations cannot be tolerated and that cease and desist orders should be initiated in such cases.

(2) The FDIC imposed a regulatory action for one institution that did not have repeat violations, bringing the total number of regulatory actions taken for the sample we reviewed to 11.

In addition, Section 8(s) of the FDI Act states that, “If the appropriate Federal banking agency determines that an insured depository institution … has failed to correct any problem with the [BSA] procedures … which was previously reported … by such agency, the agency shall issue an order … requiring such depository institution to cease and desist from its violation….” In response to our audit, the FDIC concluded that it was not required to issue cease and desist orders in the case of every repeat BSA violation. The Corporation believes that enforcement authority always involves some element of discretion, including consideration of the nature of the violation and supervisory judgment as to how best to address the violation. As part of its response to our report, the Corporation provided a legal opinion by its General Counsel that addresses Congress’s intent in Section 8(s). The opinion stated that:

The absence of a mandate to bring a cease and desist action to address every violation of Section 8(s) or the regulations does not imply that the alternative is to take no action. To the contrary, the statutory intent must be to take an appropriate corrective action based upon the severity of the problem, the risk it poses, and the bank’s willingness to comply expeditiously.

We concur with the Counsel’s guidance. However, as noted previously, our audit identified cases where DSC had not taken regulatory action to address repeat violations of BSA requirements.

FDIC’s Reporting and Follow-Up On BSA Violations

For the 41 banks in our sample, we reviewed 82 reports of examination that cited apparent and often multiple BSA violations. We noted that not all BSA deficiencies described in DSC’s examination reports were cited in the violations section of the reports and tracked in the FDIC’s information system. For 25 (30 percent) of the 82 reports, DSC waited until the next examination to follow up on some or all of the BSA violations, and corrective actions to address cited violations often took more than 1 year. Also, DSC’s regional offices took various approaches to handling violations related to the filing of CTRs and to referring bank violations to the Treasury Department. Finally, we found that while many institutions had been cited for BSA violations, there were few referrals to the Treasury Department during the audit period, and most were made by one FDIC region.

Inconsistencies in Describing Deficiencies and Citing Violations

In reviewing DSC’s reports of examination, we observed several instances of BSA deficiencies described in the reports but not cited in the Violations of Laws and Regulations section of the reports. On the other hand, we also noted instances of BSA deficiencies similar to those described that were cited as violations. Deficiencies that are described in the reports of examination but not cited as violations may receive less attention from bank management or in follow-up by DSC. According to DSC officials, the examiners exercise judgment in determining the significance of BSA concerns. That judgment includes determining whether the weaknesses constitute:

•apparent violation of laws or regulations, meriting inclusion in the violations section of the examination report, or

•noncompliance with DSC guidelines, meriting only mention in the report as matters for bank management’s attention, which may be sufficient to eliminate concern.

Follow-up and Correction of Violations Was Not Always Timely

DSC’s process for following up on violations cited in reports of examination includes:

•a request for the report to be considered in the bank’s next board meeting, with a record of actions taken entered into the minutes;

•a request for bank management to provide a response indicating the actions taken to eliminate each cited violation or deficiency; and

•follow-up of the corrective actions at the next examination.

For the institutions included in our sample, we checked how often and by what method DSC followed up on whether corrective actions had been taken. We considered evidence related to DSC’s follow-up actions or the banks’ corrective actions, as well as information from the Treasury Department. As a result of our analysis of the process and our review of the 82 reports that cited apparent BSA violations, we found that:

•For 20 reports, DSC followed up or pursued regulatory action for certain violations before the next examination, including additional correspondence, visitations, and regulatory actions such as bank board resolutions, memorandums of understanding, or cease and desist orders.

•For 42 reports, DSC received evidence from bank management, Treasury’s FinCEN, or the Internal Revenue Service (IRS) that certain violations had been corrected before the next examination, and in many of these instances, corrective action took place before the examination was completed.

•For 25 reports, DSC waited until the next examination to assess the adequacy of bank corrective actions for certain violations. (3)

We also observed that DSC regional and field offices exercised wide discretion in deciding whether and when to follow up on the violations or take regulatory action. In some cases, more than 1 to 5 years passed before (1) bank management took corrective action that was effective to prevent repeat violations or (2) DSC applied regulatory actions to address continuing violations. As shown below, about two-thirds of the violations took longer than 1 year to correct.

(3) Note that the numbers do not total 82 because DSC used different follow-up actions for some examination reports that cited multiple violations.



Time Taken to Address BSA Violations

Length of Time for Action     Number of Institutions (a)
12 months or less             27
13 months-24 months           13
25 months-36 months           16
37 months-48 months           10
49 months-60 months           1
More than 60 months           8

(a) The number of institutions will exceed the 41 sampled institutions because the length of time varied for institutions with multiple BSA violations.

Source: OIG analysis of ViSION data and review of evaluation reports and supplemental information provided by DSC for the 41 sampled institutions.

DSC officials stated that follow-up on BSA violations often occurs at the next FDIC examination rather than between examinations. Although the FDIC can conduct visitations between regularly scheduled examinations, we identified only a few visitations based on information provided by DSC that addressed BSA violations.

Generally, the FDIC alternated examinations of the sampled institutions with state regulatory agency examinations for those institutions. However, 45 of the 72 examination reports we reviewed from state regulatory agencies did not specifically address BSA compliance. Therefore, the FDIC could not rely on those examinations to determine whether bank management took corrective actions to address previously cited violations or to identify any new BSA violations. Consequently, follow-up by the FDIC on some previously cited BSA violations did not occur until the next FDIC examination—generally 24 to 36 months after the violations were initially identified. This delay in ensuring that BSA violations are corrected could result in additional or continued BSA violations and could hinder the detection of criminal activity.

Handling of Violations Related to CTRs

We also noted variations in the handling of violations related to CTRs. While conducting examinations, examiners identified instances in which financial institutions had improperly exempted customers from currency transaction reporting requirements or otherwise failed to file CTRs. According to DSC guidance, CTRs must be filed with the IRS within 15 days following the date of the transaction (25 days if the financial institution files electronically). For those institutions that did not file CTRs within the specified timeframe, FinCEN requests that examiners have bank officials request permission to backfile CTRs. DSC regional offices did not handle violations related to the backfiling of CTRs in a consistent manner. Some offices required the institutions to request permission to backfile, while other offices allowed the institutions, in cases that involved one or two CTRs, to file without requesting permission to backfile.

Handling of Referrals to the Treasury Department

DSC referrals of bank violations to the Treasury Department were infrequent. According to information provided by DSC, while 2,672 institutions were cited for violations, there were only 34 referrals made from January 1, 1997 through December 31, 2003, and most of these referrals were made by 1 DSC regional office. DSC officials added that, since the Treasury Department has access to FDIC information on BSA violations through a shared information system, further reporting is not required. The Treasury Department sometimes requests copies of applicable examination reports based on its analysis of the violations. The following actions have resulted from the referrals made by the FDIC from January 1, 1997 through December 31, 2003:

•27 institutions received cautionary letters or letters of warning from the Treasury Department,

•1 institution received a civil money penalty,

•3 referrals were resolved by other means, and

•3 referrals were still open.

In summary, the Treasury Department took action when referrals were made but, in our assessment, FDIC only did so infrequently.

Report Recommends Strengthening Guidance Related to BSA Monitoring and Follow-Up Processes

We concluded in our report that the FDIC had adequately followed up on some BSA violations to ensure bank management has taken appropriate corrective action. However, more could be done to better ensure that prompt and effective actions are taken by bank management to ensure compliance with BSA regulations.

In light of the increased congressional interest in BSA compliance and emphasis on national security concerns, we recommended that the Corporation:

•re-evaluate and update its examination guidance to help ensure adequate examiner follow-up and timely corrective action by bank management;

•discuss and update the referral policy with the Treasury Department; and

•encourage state coverage of BSA compliance, and develop alternative processes to compensate for the lack of state coverage of BSA compliance.

FDIC Management Agreed with Recommendations and Is Taking Steps to Improve Its BSA Program

DSC management agreed with our recommendations. DSC had taken steps to initiate a reevaluation and update of its guidance, with interagency cooperation, to address formal supervisory actions, follow-up actions, citation of apparent violations and recordkeeping and backfiling of CTRs. DSC also agreed to work with the FDIC Legal Division to clarify and update, as necessary, enforcement action guidance on BSA.

Further, DSC management agreed to pursue clarification of referral procedures with the Treasury Department. Finally, DSC agreed to focus on strengthening processes to address variations in the state examination coverage of BSA and believed doing so would increase the consistency and reliability of the follow-up to its BSA examinations.

LOOKING AHEAD

Mr. Chairman, the goal of identifying and cutting off terrorist funding is an essential one. The government’s success in accomplishing that goal is dependent upon collecting and analyzing necessary information, and disseminating and sharing that information among appropriate law enforcement and regulatory agencies. To that end, the Congress passed the BSA, and later, the USA PATRIOT Act, to establish requirements and coordination mechanisms for creating this free flow of information. While the FDIC has been a leader in many initiatives aimed at complying with these two Acts, we found and the Corporation has acknowledged it can do more. In light of the knowledge we have gained since September 11 and more recent terrorist threats, there are key questions that the FDIC should consider, in conjunction with the Treasury Department and the other financial regulators, as it looks to improve its BSA program.

•Is risk-scoping BSA examinations and follow-up still the most effective approach to deterring money laundering and terrorist financing?

•Are the policies and procedures for reporting certain cash transactions and BSA violations to the Treasury Department, some of which date to the early 1990s, currently effective?

•Is the information reported to FinCEN by financial institutions and regulators effectively evaluated and does it ultimately result in timely preventive actions?

Mr. Chairman, we appreciate the opportunity to participate in this hearing. We are prepared to assist in addressing these issues and have additional audits planned in this area to help ensure that financial institutions, through efficient and effective supervision by the FDIC, will remain vigilant in implementing BSA programs that assist in preventing money laundering and terrorism. I would be pleased to answer any questions the Committee may have at this time.
