Enforcement against Citibank serves as reminder that compliance counts in product development
NEW YORK, April 12 (Thomson Reuters Accelus) - A financial institution’s anti-money laundering team must have the authority to question account relationships and business plans, and any objections must be taken seriously. That was one of the key lessons to be learned from last week’s regulatory enforcement action against Citibank over AML weaknesses, experts said.
A provision of the cease-and-desist (C&D) order, levied by the Office of the Comptroller of the Currency (OCC), obliges Citibank to ensure that its compliance staff has the authority to implement a Bank Secrecy Act compliance program “and, as needed, question account relationships and business plans.” It adds that these anti-money laundering (AML) professionals “shall maintain independence from the business line, and not be subject to any form of evaluation or performance input from the business line.”
“The message appears to be that the AML compliance staff must have a greater voice in implementing the bank’s AML policies and procedures,” said Peter Djinis, a former regulatory policy official at Treasury’s Financial Crimes Enforcement Network who is now in private practice in Florida. “Generally, this is a way for the regulators to tip the compliance scales in favor of the bank’s compliance staff.”
“In other words, the regulators are suggesting that the compliance staff should have both meaningful access and support from senior management, and that should there be conflicts between the bank’s business lines and the compliance staff, the bank should have procedures to ensure that the AML concerns are appropriately considered and addressed at the highest levels within the bank.”
Getting involved in the planning process for new products can be a challenge for compliance officers, said Rob Rowe, a lawyer with the American Bankers Association’s Center for Regulatory Compliance.
“Compliance officers often say that they wish they could be involved as early in the process as possible so that they can make sure that there are no problems,” he said.
Weaknesses in Citibank’s AML internal controls, including the incomplete identification of high-risk customers in multiple business lines, contributed to the OCC’s decision to take regulatory action, the order stated. It went on to say that the bank failed to report related suspicious activity on a timely basis.
The order required the bank to ensure that new products and services are subject to “senior level” compliance review and approval to determine the amount of money laundering risk they pose.
“At a minimum, these reviews must assess the ability of the bank’s compliance program to manage the risk, the anticipated growth in both the business and the compliance function, and the ability of alert investigators to manage any anticipated increase in alert volume as a result of the new business,” the order stated.
It also barred the bank from entering into any new high-risk business lines, or expanding existing ones, without weighing related risks and compliance staffing issues and obtaining OCC approval.
This and other specific restrictions included in the order caught the eye of a retired OCC examiner and BSA compliance specialist who spoke on condition of anonymity. The source said the level of detail was unusual and added that it appeared the regulator did not want to give the bank any “wiggle room.”
“I have seen other enforcement actions that were not very specific and beat around the bush where the bank could not take much corrective action but still comply since the C&D was not very specific. But this one was very clear and very specific,” the source said.
He added that as a result of the specificity, the OCC can review the bank’s remedial actions in several months “and have a definite measurable standard to determine if the bank has complied or not.”
Rowe said that he too took note of the specificity of the OCC’s order against Citibank. He added that while it is difficult to generalize from an enforcement action because it is tailored to a single financial institution, one lesson was apparent: “All the implementation of Dodd-Frank notwithstanding, BSA compliance is still very important,” he said.
(This article was produced by the Compliance Complete service of Thomson Reuters Accelus. Compliance Complete (http://accelus.thomsonreuters.com/solutions/regulatory-intelligence/compliance-complete/) provides a single source for regulatory news, analysis, rules and developments, with global coverage of more than 230 regulators and exchanges.)