Community Bankers of Iowa Monthly Banker Update April 2014 | Page 21

Board and Senior Management Liability for BSA/AML Violations

Written By: Jeff Andersen, Attorney - Dickinson, Mackaman, Tyler & Hagen, P.C.

In a recent survey of community banks, the majority of surveyed banks stated that the Dodd-Frank Act will be substantially more burdensome than Bank Secrecy Act (“BSA”) compliance.[1] Unfortunately, that result is not indicative of lessening BSA compliance burdens – it’s due to the unprecedented volume and complexity of Dodd-Frank regulations. BSA and Anti-Money Laundering (“AML”) compliance burdens are not going away. In fact, recent remarks by current Comptroller of the Currency Thomas Curry indicate that scrutiny of BSA/AML compliance may be on the rise.

In a March 17th, 2014 speech before the Association of Certified Anti-Money Laundering Specialists, Comptroller of the Currency Thomas Curry emphasized the role of a bank’s Board and senior management in BSA/AML compliance: “The fact is, when we look at the issues underlying BSA infractions, they can almost always be traced back to decisions and actions of the institution’s Board and senior management.”

Given the inseverable link between the Board and BSA/AML compliance, Curry seeks to increase management accountability, stating: “[i]t’s one thing to impose significant civil money penalties or to lower the bank’s management rating. But those are actions that are absorbed by the shareholder and by the institution broadly.... The question I would pose from a risk management and corporate governance standpoint is whether it’s time to require large complex banks to establish clear lines of accountability that make it possible to hold senior executives responsible for serious compliance breakdowns that lead to BSA program violations.”

Curry limits his remarks about management accountability to “large complex banks,” but most compliance pressures exerted on large banks trickle down to community banks.
Moreover, the BSA/AML rules are not different for large banks; instead, it’s the application of the rules that will be different – the foundation of BSA/AML compliance is a bank’s individual risk assessment, and the complexity of a large bank’s operations will make its BSA/AML compliance program look much different than that of a community bank. The variation of the compliance program based on the risk assessment does not, however, vary the potential liability for non-compliance.

When assessing the BSA/AML compliance program and its attendant risks, bank directors and management should keep in mind that the business judgment rule does not apply to regulator actions. The business judgment rule generally protects directors from shareholder liability when a breach of the duty of care or loyalty is alleged. If the directors were informed and acted honestly and in good faith, the business judgment rule will provide directors with some level of protection. Regulators, however, are not bound by the business judgment rule. If directors have failed in their duty to establish a strong BSA/AML compliance program, good faith reliance on senior management will likely not be an effective defense.

Although senior management and staff are integral to BSA/AML compliance, the ultimate responsibility flows from the Board. That is why the reports generated by a BSA audit or independent test are generally made directly to the Board. This does not mean that the Board has to be involved in the day-to-day functions of the BSA/AML compliance program. In his speech, Curry identifies four pillars of management oversight: 1) the culture of compliance; 2) the resources committed to BSA compliance; 3) the strength of the bank’s information technology and monitoring process; and 4) the quality of risk management.
While the Board is expected to delegate the functions of BSA/AML compliance, it is ultimately responsible for the compliance culture and structure within which the compliance program functions.

What can a Board do to avoid any potential BSA/AML liability? It can instill a solid BSA/AML compliance management structure that fits the bank’s risk assessment. This structure should have clearly communicated reporting lines and adequate checks and balances. This structure should be a part of a larger compliance management system that ensures open and honest communication and timely remediation and follow-through on any problems. This structure cannot be static – it needs to be periodically reviewed so it can evolve to meet changes in the risks faced by the bank. The Board needs to buy in to that structure so a culture of compliance can be cultivated. Without Board buy-in and oversight, even a strong foundation can start to show some cracks over time. For example, an integral part of that buy-in and oversight is ensuring that appropriate BSA training is given to all levels of the bank at least annually. The Board, senior management, and staff should all receive BSA/AML training tailored to their job function when they start and at least annually thereafter.

The bad news is there is a risk of Board liability for BSA/AML violations and scrutiny appears to be on the rise. The good news is that the risk can and should be effectively mitigated at most Iowa community banks without a substantial increase in cost and time. A strong BSA/AML compliance program, as part of a healthy compliance management system, can substantially reduce the risk of liability.

Jeff Andersen is an attorney at Dickinson, Mackaman, Tyler & Hagen, P.C. in Des Moines. He can be reached at 515-2464515 or [email protected].

[1] “How are Small Banks Faring Under Dodd-Frank,” Mercatus Center, George Mason University. February 2014.