FFIEC BSA/AML Exam Manual Updates—Implications for Banks
The Federal Financial Institutions Examination Council (FFIEC) released the fifth phase of updates to the FFIEC Bank Secrecy Act/Anti-Money Laundering (BSA/AML) Examination Manual (the Manual) on August 2, 2023.
While the Manual is not intended to serve as guidance for the banking industry, it provides valuable insights into the federal banking agencies' examination processes and how they evaluate the effectiveness of a bank's BSA/AML compliance program. The most significant changes and updates in this current phase were made to the section on Due Diligence Programs for Correspondent Accounts for Foreign Financial Institutions (the Correspondent Banking Section). While these updates largely reiterate regulatory requirements, the manner in which those requirements are framed by examiners largely drives the outcome of BSA/AML exams. Beyond framing, the revisions also include critical new examples of risk factors and controls that may be appropriate to oversight of correspondent banking relationships.
This Update analyzes the key issues raised by this revised guidance and provides some considerations as to the practical implications these revisions may have for financial institutions.
Critical Revisions to the Manual
Foreign correspondent banking is considered a relatively high-risk activity for banks, as it has been identified by the U.S. Department of the Treasury's (the Treasury) 2020 National Strategy for Combatting Terrorist and Other Illicit Financing as a significant threat to the U.S. financial system for terrorist and illicit financing. Banks have encountered significant challenges in this area, and over the past two decades, foreign correspondent banking has been the focus of some of the largest regulatory and criminal enforcement actions taken against banks relating to BSA/AML compliance. To address these risks, the Financial Crimes Enforcement Network's (FinCEN) regulations at 31 C.F.R. § 1010.610 apply to correspondent accounts established on behalf of a broad category of "foreign banks," which goes beyond traditional financial institutions to include dealers in foreign exchange, money transmitters, and foreign branches or offices of a U.S. bank.
General and Enhanced Due Diligence (EDD) Requirements
The revised foreign Correspondent Banking Section effectively describes the general and enhanced due diligence requirements with which banks are required to comply under FinCEN's current regulations as follows:
- General due diligence procedures apply to all correspondent accounts and include: (1) determining whether the account is subject to EDD requirements; (2) assessing the money laundering risk presented by the account based on a consideration of all relevant factors set forth in the regulation; and (3) applying risk-based procedures and controls to each account reasonably designed to detect and report known or suspected money laundering activity, including a periodic review of the account sufficient to determine consistency with information obtained.
- EDD procedures apply to a correspondent account maintained for a foreign bank operating under a banking license that is either offshore, issued by a country designated as noncooperative with international principles, or issued by a foreign country warranting special measures.
EDD procedures set forth in the regulation and described in the revised Manual include: (1) conducting enhanced scrutiny that includes obtaining/considering information relating to the foreign bank's AML program; monitoring transactions to, from, or through the correspondent account in a manner designed to identify suspicious activity; and obtaining information specific to payable-through accounts; (2) determining whether the foreign bank maintains nested relationships and, if so, taking reasonable steps to assess and mitigate money laundering risks including the identity of the foreign bank; and (3) determining the identity of each owner of a nonpublic foreign bank.
Risk-Based Due Diligence Policies, Procedures, and Controls
In its commentary to the final rule, FinCEN indicated that an effective general due diligence program will provide for a range of due diligence measures, based on an institution's risk assessment of a correspondent account and that there should be a stratification of money laundering risk based on a review of the relevant risk factors to determine which accounts may require increased measures. The revised foreign Correspondent Banking Section supports this approach and clarifies that "increased" measures may apply to accounts that a bank determines to have a high risk of money laundering, even when the specified EDD measures are not triggered under FinCEN's regulation, and these "increased" due diligence measures may include any or all of the elements specifically set forth in the regulation for EDD.
FinCEN's regulation does not prescribe the elements of increased due diligence that should be associated with specific risk factors, but a bank's general due diligence program should identify risk factors that would warrant the bank conducting additional scrutiny of a particular account. The revised Manual goes further, providing some new or revised examples of risk factors and controls for foreign correspondent accounts including:
- Standards for conducting and documenting analysis associated with the due diligence process, including guidance for resolving issues when insufficient, contradictory, or inaccurate information is obtained.
- Management and staff responsibilities, including procedures, authority, and responsibility for opening and reviewing accounts; reevaluating and approving changes to risk profiles; and other controls related to managing these accounts, as applicable.
- Sufficient details to distinguish between varying levels of money laundering and other illicit financial activity risks of these accounts.
- Incorporation of the bank's assessment of the money laundering risks presented by these accounts into the suspicious activity monitoring system(s).
These revised policies, procedures, and controls would be expected to vary by bank and are not regulatory requirements. However, the fact that they are included in the revised Manual as examples suggests that a bank's risk-based procedures should address each of these newly added examples for both risk assessments and internal controls related to foreign correspondent banking.
Nested Relationships
The Correspondent Banking Section includes information concerning nested or downstream correspondent banking relationships (i.e., foreign financial institution customers of foreign correspondent banks). The revised language notes that the "illicit financing risk presented by nested relationships varies depending on the characteristics of other foreign financial institutions using the correspondent account, including size or complexity, geographic location, products and services offered, markets and customers served, and the degree of transparency (e.g., in format of payment transactions)." It explicitly confirms that a determination of nested activity may be appropriate in assessing the risk presented by the foreign correspondent account under the general due diligence program applicable to all correspondent accounts even though this is not a specified regulatory requirement. It goes on to provide examples of factors that U.S. banks may consider based upon international guidance.
Knowing Your Customers' Customers (KYCC)
Notably, the revised foreign Correspondent Banking Section reiterates for examiners the long-standing regulatory position that banks generally do not need to "know their customers' customers" by adopting language from the 2016 interagency Fact Sheet on Foreign Correspondent Banking that provides:
"[U]nder existing U.S. regulations there is no general requirement for the bank to conduct due diligence on a foreign financial institution's customers. In determining the appropriate level of due diligence necessary for a foreign financial institution relationship, the bank may consider the extent to which information related to the foreign financial institution's customers is useful to assess the risks posed by the relationship. This information may also be useful to meet other obligations, such as to detect and report any known or suspected suspicious activity and to comply with U.S. sanctions."
This language is consistent with the position recently articulated by the Treasury, U.S. Department of Justice (DOJ), and U.S. Department of Commerce in their Tri-seal Compliance Guidance that clarifies the due diligence expectations within an organization's risk-based compliance program specific to sanctions and export controls. This guidance provides that effective compliance programs employ a risk-based approach to sanctions and export control compliance by developing, implementing, and routinely updating a compliance program. The compliance program must be developed based on an organization's size and sophistication, products and services, customers and counterparties, and geographic location. As a "best practice," due diligence should not only be conducted on an organization's customers, but also on intermediaries and counterparties that are involved in customer transactions. It further provides that optimal compliance programs should include controls tailored to the risk the business faces, such as diversion by third-party intermediaries, and additional due diligence should be undertaken as appropriate. Some of the red flags identified in the guidance are applicable to foreign correspondent banking and, even though the tri-seal compliance guidance is not a specific regulatory requirement, the fact that it is issued by the DOJ highlights the importance of additional due diligence in certain situations. In fact, the significance of this tri-seal document was the subject of a separate Update.
De-Risking and Account Termination
Some foreign financial institutions have experienced de-risking or the inability to maintain correspondent banking relationships in the United States, prompting the federal banking agencies to issue more specialized guidance relating to de-risking in this area, including the 2016 Fact Sheet on Correspondent Banking and the OCC's guidance on Periodic Risk Re-evaluation of Foreign Correspondent Relationships. The intent of these de-risking documents was to provide guidance and clarity as to the agencies' approach to supervision, enforcement, and account terminations in the area of foreign correspondent banking in the hopes of stemming the de-risking problem, and these documents are referenced in the revised section.
Key Takeaways
Through these revisions, federal banking agencies have provided a helpful roadmap for developing a compliance program consistent with the regulatory requirements. Each of the items set forth in this updated section will be on the examiners' radar when conducting examinations of banks in this area. Banks need to take them seriously.
All banks engaged in foreign correspondent banking should carefully review the criteria and additional examples set forth in this revised section of the Manual. They should especially focus on the controls and processes to identify nested relationships and report suspicious activities. With this revised Manual and the new tri-seal guidance in hand, banks involved in correspondent banking activities should carefully evaluate whether revisions to their risk-based foreign correspondent banking programs are prudent.
For matters related to foreign correspondent banking, sanctions, and export control compliance, banks should consult with experienced counsel.
© 2023 Perkins Coie LLP