FRB's SAR Enforcement

The Federal Reserve Board has reached a consent agreement with the Barnes Banking Company of Kaysville, Utah. The agreement states the goal of maintaining financial soundness. To this end, the agreement requires Barnes to take strong actions to strengthen its program for identifying customers and reporting suspicious activity.

The agreement requires Barnes to develop an enhanced customer due diligence program within 60 days of the agreement. The program must include procedures to identify customers and to make "timely, accurate, and complete reporting of known or suspected criminal activity."

The ingredients specified for this program are not new. It is significant to see the elements highlighted in an enforcement action for practices that took place before FinCEN's final Customer Identification rule. This enforcement action thus serves to underscore the fact that these customer identification practices (formerly known as Know Your Customer) are not new at all but merely being formalized. As far as the FRB is concerned, this is what you should have been doing all along.

Financial institutions should maintain risk focused assessments of their customers. The risk focused assessment is to identify the categories of customers who do not require monitoring and to determine the level of enhanced due diligence necessary for customers that the institution has reason to believe present increased risk.

The customers who do not require monitoring, the low risk customers, can be established by the routine nature of their transactions. Innocence is established by normalcy. It is also established by routine, even if that customer's routine does not match the norm. As long as a customer stays within that customer's established or expected pattern, that customer is not a risk.

High risk customers trigger special activities on the part of the financial institution. For these customers, the institution must have procedures to determine the amount of documentation necessary to confirm the identify and business activity of the customer. The institution must have adequate procedures to understand what each such customer's normal and expected transactions will be.

Finally, the institution must have procedures to report suspicious activities. Failure to report when required is now clearly an enforceable infraction. Compliance specialists often debate whether or not to file a suspicious activity report when the situation is not clearly illicit or when the required reporting trigger is not met. This enforcement action puts forward the principle of reporting when in doubt.

Then there is the compliance side of the program. This consists of adequate controls to ensure BSA compliance and independent testing. Barnes has agreed to conduct independent audits "frequently." All audits will be fully documented and conducted with appropriate segregation of duties.
Barnes has also agreed to designate a "qualified officer" to manage BSA and related matters. This BSA manager will have "adequate resources to implement and maintain an effective program.

Finally, there is training. The agreement calls for regular training of all appropriate personnel. This includes tellers, operations staff, and all customer contact personnel. The agreement does not specify that training for lenders is required but presumably lenders could and should be included in the group of "appropriate personnel."

This agreement outlines the basic nature of a customer identification program and places emphasis on suspicious activity reporting. The importance of suspicious activity identification and reporting is not waiting for FinCEN's rule.

Note, in this enforcement agreement, the emphasis that the FRB places on risk and process management. This is the theme in many compliance arenas. It is not enough to transmit or drop down instructions. When it comes to suspicious activity, the process must work from the bottom up and the outside in as well as from the top down. If you feel that this is overreacting, remember the adage, better safe than sorry.

ACTION STEPS

Review your BSA program and compare it to the elements in this consent agreement. Be sure you have all your bases covered.
Talk with branch managers about how they identify suspicious activity. Be sure that what is suspected is actually reported. The front line is the critical source of information and observation.
Review your BSA training. Does it meet the frequency requirement? Does it cover everything staff needs to know?
Don't overlook OFAC. Confirm that everyone handling customer assets is aware of OFAC requirements and their responsibilities.
Does front line staff know that they should report suspicious activity? Do they know to whom their reports should go - and when?
Ask selected staff to show you how they check the OFAC list. Evaluate whether what they do is enough.