This article resulted from a discussion between Indra Elangovan, Head of Strategic Advisory at Travillian, and Sarah Beth Felix, CEO and Founder of Palmera Consulting, Co-Founder and Chief AML Officer of Acceleron Bank and Cofounder of Hyper S-Research LLC.
Board of Directors are responsible for overseeing third-party management risks. Recent enforcement actions highlight board failures, talent deficiencies, and a lack of internal control mechanisms. In addition, the board engagement tips below guide Boards to ensure effective oversight of third-party risk management.
1. Can we discuss the recent enforcement actions and consent orders? I’d also like to dive into the specific deficiencies identified and explain why a “clean” audit isn’t necessarily a good audit from a board of director’s perspective.
The orders being published weekly by various regulatory agencies are a gift, not to the banks receiving them, but to the rest of the banks that think they are doing just fine.
A history of clean audits is usually what boards and executive management target. While that is a good goal for all other areas, it really should not be their target when it comes to AML and sanctions. The role of the audit function is to be the bank’s partner. Audits should highlight areas where growth and change are needed.
In addition, the boards view of why there are audit findings should be focused solely on how they need to do their jobs better — not why the AML officer and his or her team weren’t perfect. Often, executive management negotiates with soft auditors to get them to lower risk ratings and move items from findings to observations before audit findings get to the board. That practice should be stopped, immediately.
The best way for the board to know about the findings is to ask for the first draft audit report and Facetime the AML officer to discuss it.
In terms of the main themes from the recent orders, we are seeing these top issues repeatedly, regardless of bank size or product offerings:
a. Ineffective board knowledge, which leads to ineffective board oversight and enforcement of regulatory requirements.
b. Inadequate staffing for both AML/sanctions and non-AML compliance. Looking through the past six orders, it is apparent that low staff numbers were behind all other pillar violations, including CDD failures and SAR issues.
c. Lack of authority for the AML officer. This can be a touchy subject because the first response is typically, “They do have the right authority; they report to the board.” But that isn’t how a bank gives the AML Officer the correct amount of authority. And the federal regulatory agencies know that.
All three of them use the term “executive authority” in various orders to drive home the new way in which boards should view and treat the AML officer position. Is that AML officer on the same level as the CLO? The CRO? Why not?
d. Lack of customized training from the board to the frontline. The automated yearly training churned out by various large organizations is proving to be ineffective. The training must deal specifically with the threats that are particular to that division or operational area.
For example, commercial lenders should receive training about how commercial lines of credit, letters of credit, and loans are used in the second and third phases of money laundering. Then, they should know to incorporate FinCEN advisories specific to these areas. The mortgage team must receive training regarding how a home is a popular tool used by various illicit actors to wash dirty money between the first and second phases of money laundering.
2. Board governance is at the forefront of recent enforcement actions and consent orders, highlighting significant board failures, particularly in talent deficiencies and control mechanisms. How should bank boards rethink their oversight roles in response to these issues?
Every order published in the past 18 months has been very critical of the bank’s board, citing issues that range from lack of experience to lack of communication to poor oversight as the ultimate reasons for all deficiencies in the orders.
Boards have historically been focused on the growth of the bank — loans and deposits — with very little focus on risks that can stop growth and detract from net income. Boards should ensure that they have a person with AML experience — or at least someone with general compliance officer experience. There are countless retired federal law enforcement officers, retired regulators, retired AML and compliance officers who would be great additions to any bank board.
3. Could you comment on third-party risk management from your perspective and the failures of sponsor banks? In addition, discuss best practices and provide insights on the Data Landscape Program.
The federal agencies have released two TPRM guidance documents — one last year in June — with their high-level expectations of how they want banks and boards to manage risks regarding any third-party relationships.
The issue with that guidance is that it conflates the risk and oversight needed with a vendor who provides consulting services with a third party that uses the bank’s rails to send/receive payments on behalf of fourth, fifth, and sometimes sixth parties, unknown to the bank. Those are two different animals and should not be lumped under one blanket TPRM guidance. But they are.
Boards and bank executives must therefore be very careful in how they categorize their landscape of third parties.
In May of this year, the agencies released a TPRM guidance document targeting community banks. That one, again, conflates the two disparate types of third parties, but it does outline some key questions and considerations that a board should expect to see in the assessments of their third parties.
Interestingly, the May 2024 guidance addresses data issues and supports a good data practice we have seen from the agencies over the past year: When a bank, no matter how small, has not established a data landscape to reconcile what data sits where, the critical ranking of that data, the availability of it, the accuracy of it and the impact for which systems when it isn’t accurate, it shows. It shows up in compliance-related consent orders. Without available, accurate, and accessible data, any AML and sanctions program will have issues.
4. How can banks navigate the delicate balance between third-party risk management and fostering innovation?
Banks must innovate or they will die off. But banks will also die off if they don’t go about innovating correctly. Haphazardly assuming that third parties will appropriately address all unique risks, vulnerabilities, and threats unique to that bank is reckless and can hinder innovation.
The secret here is to know exactly what the bank’s shortcomings are (vulnerabilities, technically) prior to onboarding new fintechs or third parties that are responsible for innovation.
Oftentimes, boards and executive management refer to clean audits and clean exams as the green light to move forward. These results, however, should not be taken as a green light.
The board must speak directly to the AML officer, asking:
- What is needed?
- What is the AML officer seeing?
- What regulatory trends and stumbling blocks to look out for?
If the AML officer references clean audits/exams, it should be a sign to the board to get an outsider’s point of view. There are high-level indicators of unknown and unmitigated risk that any savvy advisor can find. Fix those areas first. Then look to innovate.
A board wouldn’t want to build a multimillion-dollar home on a shaky foundation. It leads only to expensive repairs or a complete bulldozing of the home to start over.
Board Engagement Tips
The following are recommended actions before an upcoming board meeting:
- Request the AML officer attend directly (not their boss). If your bank already does this, ask the AML officer to report on the trends and issues he or she is seeing. Encourage a deeper dig than just the standard SAR/CTR/high-risk customer reporting and trends.
- Google “human trafficking” and “drug trafficking” in your community. Let those news headlines feed into your view of the importance of the AML function. Lending isn’t the only important area for boards.
- If you are reviewing audit reports, prepare notes/questions if the audit reports are clean. If any audit report indicates findings, look closer. Are these findings material to the effectiveness of a program?
For example, consider audit reports that show two late CTRs, two late CIP issues, and nine late high-risk customer reviews. Most of these issues are fluff, not really dealing with the heart of an AML program. If anything, these results may show the board that the AML officer may need more staff or better technology.
Moving Forward
Here are some recommendations for your next board meeting:
- Ask the board secretary to ensure that any discussions regarding AML and sanctions are fully noted, including any debates, questions, answers, and other details. This diligence indicates an active board, not one just receiving information.
- Ask the AML officer if he or she has everything they need to do the job. Determine all needs and fixes before onboarding any third parties.
- Ask the AML officer about any noted trends in human trafficking and drug trafficking. If there are no SARs filed for those within the past 12 months, ask why? Do they need better technology? People who can write SQL? Something else?
More Information
For more information please e-mail Indra Elangovan directly at ielangovan@travilliangroup.com or to read the rest of the Travillian Next Bank Board Insights series please click one of the links below:
Part I: A Thriving Bank Requires a Thriving Board – Let’s Make it Happen!
Part II: Risk Governance with Contributing Guest Michele Wucker
Part III: How to Dress For SUCCESSion
Part IV: Are Bank Boards Risky Enough?
Part V: A Panel Discussion on Strategic Board Talent and Expertise
Part VI: Crucial Steps for Board Members in Ensuring Effective BSA/AML Oversight
Part VII: From Good to Great, Elevate Your Bank’s Performance with Boardroom Mastery!
