In accordance with sections
8(s)(3) and 206(q)(3), the appropriate agency shall issue a cease
and desist order against an institution for noncompliance with BSA/AML
compliance program requirements in the following situations, based
on a careful review of all the relevant facts and circumstances.
Failure to Establish and Maintain a
Reasonably Designed BSA/AML Compliance Program
The appropriate agency shall issue a cease and desist
order based on a violation of the requirement in sections 8(s) and
206(q) to establish and maintain a reasonably designed BSA/AML compliance
program where the institution:
10
- fails to have a written BSA/AML compliance program,
including a customer identification program, that adequately covers
the required program components or pillars (internal controls, independent
testing, designated BSA/AML personnel, and training); or
- fails to implement a BSA/AML compliance program that
adequately covers the required program components or pillars (institution-issued
policy statements alone are not sufficient; the program as implemented
must be consistent with the institution’s written policies,
procedures, and processes); or
- has defects in its BSA/AML compliance program in one
or more program components or pillars that indicate that either the
written BSA/AML compliance program or its implementation is not effective,
for example, where the deficiencies are coupled with other aggravating
factors, such as (i) highly suspicious activity creating a potential
for significant money laundering, terrorist financing, or other illicit
financial transactions, (ii) patterns of structuring to evade reporting
requirements, (iii) significant insider complicity, or (iv) systemic
failures to file currency transaction reports (CTRs), suspicious activity
reports (SARs), or other required BSA reports.
For example, an institution would be subject to a cease
and desist order if its system of internal controls (such as customer
due diligence, procedures for monitoring suspicious activity or an
appropriate risk assessment) fails with respect to either a high-risk
area or multiple lines of business that significantly impact the institution’s
overall BSA/AML compliance program, even if the other components or
pillars are satisfactory. Similarly, a cease and desist order would
be warranted if, for example, an institution has deficiencies in the
required independent testing component or pillar of the BSA/AML compliance
program and those deficiencies are coupled with evidence of highly
suspicious activity, creating a potential for significant money laundering,
terrorist financing, or other illicit financial transactions in the
institution.
An institution would also be subject to a cease and desist
order if the institution fails to implement a BSA/AML compliance
program that adequately covers the required program components or
pillars. For example, an institution rapidly expands its business
relationships through its foreign affiliates and businesses:
- without identifying its money laundering and other
illicit financial transaction risks;
- without an appropriate system of internal controls
to verify customers’ identities, conduct customer due diligence,
or monitor for suspicious activity related to its products and services;
- without providing sufficient authority, resources,
or staffing to its designated BSA officer to properly oversee its
BSA/AML compliance program;
- with deficiencies in independent testing that caused
it to fail to identify problems; and
- with inadequate training exemplified by relevant
personnel not understanding their BSA/AML responsibilities.
However, other types of deficiencies in an institution’s
BSA/AML compliance program or in implementation of one or more of
the required BSA/AML compliance program components or pillars, including
violations of the individual component or pillar requirements, will
not necessarily result in the issuance of a cease and desist order,
unless the deficiencies are so severe or significant as to render
the BSA/AML compliance program ineffective when viewed as a whole.
For example, an institution that has deficiencies only in its procedures
for providing BSA/AML training to appropriate personnel ordinarily
may be subject to examiner criticism and/or supervisory action other
than the issuance of a cease and desist order, unless the training
program deficiencies, viewed in light of all relevant circumstances,
are so severe or significant as to result in a finding that the organization’s
BSA/AML compliance program, taken as a whole, is not effective.
In determining whether an institution has failed to implement
a BSA/AML compliance program, an agency will also consider the application
of the institution’s BSA/AML compliance program across its business
lines and activities. In the case of institutions with multiple lines
of business, deficiencies affecting only some lines of business or
activities would need to be evaluated to determine if the deficiencies
are so severe or significant in scope as to result in a conclusion
that the institution has not implemented an effective overall BSA/AML
compliance program.
Failure to Correct a Previously
Reported Problem with the BSA/AML Compliance Program
An agency shall, in accordance with sections
8(s) and 206(q), and based on a careful review of the relevant facts
and circumstances, issue a cease and desist order whenever an institution
fails to correct a previously reported problem with its BSA/AML compliance
program identified during the supervisory process. However, in order
to be considered a “problem” within the meaning of sections
8(s)(3)(B) and 206(q)(3)(B), a problem reported to the institution
ordinarily would involve substantive deficiencies in one or more of
the required components or pillars of the institution’s BSA/AML
compliance program or implementation thereof that is reported to the
institution’s board of directors or senior management in a report
of examination or other supervisory communication as a violation of
law or regulation that is not isolated or technical, or as a matter
that must be corrected. For example, failure to take any action in
response to an express criticism in a report of examination regarding
a failure to appoint a qualified and effective BSA compliance officer
could be viewed as an uncorrected previously reported problem that
would result in a cease and desist order. Violations or deficiencies
in an institution’s BSA/AML compliance program communicated
to the institution in a report of examination or through other written
means that are determined to be isolated or technical are generally
not considered problems that would result in a mandatory cease and
desist order.
An agency will ordinarily not issue a cease and desist
order under sections 8(s) or 206(q) for failure to correct a BSA/AML
compliance program problem unless the problems subsequently
found by the agency are substantially the same as those previously
reported to the institution. For example, during a previous examination,
an institution’s system of internal controls was considered
inadequate as a result of substantive deficiencies related to customer
due diligence and suspicious activity monitoring processes. Specifically,
the institution had not developed customer risk profiles to identify,
monitor, and report suspicious activities related to the institution’s
higher-risk businesses lines. These substantive deficiencies were
identified in the previous report of examination as a problem requiring
board attention and management’s correction. The subsequent
report of examination determined that management had not addressed
the previously reported problem with the institution’s BSA/AML
compliance program. Customer risk profiles remained undeveloped to
identify, monitor, and report suspicious activity related to the institution’s
higher-risk business lines. As a result, the institution would be
subject to a cease and desist order for failure to correct a previously
reported problem with its BSA/AML compliance program.
In contrast, if an agency notes in a previous
report of examination that an institution’s training program
was inadequate because it was out of date (for instance, if it did
not reflect changes in the law, and at the next examination the training
program is adequately updated, but flaws are discovered in the internal
controls for the BSA/AML compliance program) the agency would not
issue a cease and desist order under sections 8(s) or 206(q) for failure
to correct a previously reported problem and will consider the full
range of potential supervisory responses. Similarly, if a violation
is cited in a previous report of examination for failure to designate
a qualified BSA compliance officer, and the institution has appointed
an otherwise qualified person to assume that responsibility by the
next examination, but the examiners recommend additional training
for the person, an agency may determine not to issue a cease and desist
order under sections 8(s) or 206(q) based solely on that deficiency.
Additionally, statements in a report of examination or other written
document reported to the board of directors or senior management suggesting
areas for improvement, identifying less serious issues, or identifying
isolated or technical violations or deficiencies would generally not
be considered problems for purposes of sections 8(s) and 206(q).
The agencies also recognize that certain types of problems
with an institution’s BSA/AML compliance program may not be
fully correctable before the next examination or within the planned
timeframes for corrective actions due to unanticipated or other issues.
Remedial actions involving multiple lines of business within an institution
or the adoption or conversion of automated systems may take more time
to implement than initially anticipated. In these types of situations,
a cease and desist order is not required, provided the agency determines
that the institution has made acceptable substantial progress toward
correcting the problem.