By Caroline Brown, Carlton Greene and Erik Woodhouse
Fraud historically increases during disaster-related events, and the COVID-19 pandemic is not an exception. Financial institutions subject to the Bank Secrecy Act now face the confluence of an increased number of fraud schemes that aim to take advantage of the pandemic coupled with customers engaging in new behaviors as they adjust their business operations to the virus.
Add to that evolving regulatory guidance, novel challenges created by a new remote work environment, and additional compliance challenges under the CARES Act, and compliance teams at financial institutions find themselves in a situation that is anything but business as usual.
Despite the disruption of the COVID-19 pandemic, banks are still required to do what they have always been required to do. That leaves it up to them to determine how they’re going to keep their anti-money laundering compliance processes operating smoothly. First, financial institutions have to assess what flexibility they have to make adjustments to their internal operations, an important aspect of which is customer due diligence. Next, banks have to determine what they’re going to broadcast externally, including communications with regulators.
Internal considerations
Here are five essential areas of focus for financial institutions as they navigate these changed circumstances:
Messaging and coordination. Effective internal communication right now is essential. This is a crucial time to remind compliance teams that their health and safety comes first. Managers should take care to acknowledge that employees are balancing a multitude of responsibilities working from home and caring for themselves and others. The way that companies treat employees and look after their welfare during these current challenges will have a lasting effect on group cohesion and effectiveness moving forward.
Next, leadership must communicate that, while there may be logistical challenges, this is not a time to sacrifice the quality of AML oversight, and, on the contrary, teams will have to be vigilant against emerging new risks, even as they find new ways to keep their processes running effectively.
Internal coordination. Many financial institutions are used to running their compliance teams through in-person meetings and informal face-to-face interactions on the margins, which is nearly impossible when the majority of employees are working remotely. Financial institutions will need new rituals that maintain communication. This is important both to keep group cohesion and esprit de corps, but also to create pathways to quickly identify and address challenges that compliance teams experience. This includes not only the normal challenges of administering an AML compliance program, but also novel logistical challenges relating to the pandemic.
Risk assessment. Not only is there an increased risk of fraud from illegitimate actors during the pandemic, but legitimate actors—customers—are engaging in new behaviors. Many customers may have changed the scale of their operations and their supply chains as a result of the pandemic, and also may have applied for loans, for example, through the Paycheck Protection Program. Those changes are going to alter what normal behavior looks like for routine customers and may skew the baseline for what looks like suspicious activity.
Financial institutions may wish to anticipate and account for those changes when considering the nature and purpose of customer relationships and developing customer risk profiles. Customers also may encounter difficulties in doing things a financial institution normally might expect them to do for its compliance program—producing certain documents, for example. Accordingly, financial institutions should assess what they might be able to do to accommodate those difficulties and, in turn, how those adjustments may affect operations.
Automation and redundancy. Financial institutions should anticipate that a lot of their routine activities must now be done remotely, such as alert management, and should take care to build and test systems before deploying them. The cross-training of employees is also useful in anticipating potential extended absences of personnel. These and other best practices are set forth in the Federal Financial Institutions Examination Council’s guidance, which banks should be sure to review. While financial institutions should consider internal resources, they should also think through the availability of third parties and have alternative plans at the ready should those third parties no longer be able to accommodate their demands.
Contingency plans. Financial institutions should forecast where things might go from here and anticipate both worsening and improving conditions. Financial institutions might think about how they will re-establish the AML program operations that they had in place before pivoting to remote work and what they might do to ensure any additional transitions to prior practices are handled effectively. Conversely, alternative means of operating a program in a pandemic that were intended initially as short-term measures may become medium- or longer-term necessities and require planning to allow for this.
Customer due diligence
Many financial institutions operated with electronic documents and conducted some diligence remotely before changed circumstances under COVID-19—it’s been possible to open accounts remotely for a long time, but the pandemic may change the degree of reliance on such methods and the type of circumstances in which they will be permitted. Financial institutions may wish to carefully consider the scope of their flexibility to allow remote verification in more circumstances and with new types of information used for verification, as well as documenting new policies and internal processes for such verification, ensuring adequate personnel to execute these new methods, and conducting appropriate training. Financial institutions also should anticipate and account for some hiccups and delays associated with such new methods.
The question of innovation
While regulators continue to encourage financial institutions to innovate in order to address resource constraints and other challenges presented by COVID-19, these directives are couched in terms of keeping that innovation within a risk-based approach. That can create uncertainty in determining the boundaries of innovation. This question of when changes can be made is especially important during the pandemic, as many banks have new, more efficient ways to conduct their processes, and may want validation that they can continue these practices in the long term, even after a pandemic.
The question of whether to move forward with innovation is a legal question as well as a technological one.
As a first step, banks may wish to examine the flexibility in the BSA rules that may allow a compliance program to operate differently; for example, to make changes to the type of information that compliance teams gather and whether there’s room to make changes to a firm’s investigative processes surrounding red flags and suspicious activity.
The BSA is designed to be a risk-based program with some flexibility and anticipates that financial institutions might change their programs to accommodate and address risk. If financial institutions look at inherent flexibilities first, you may find that you have some flexibility already available to you that’s within the scope of the law.
External considerations
FinCEN, federal banking regulators, and even the Office of Foreign Assets Control have suggested some forbearance with respect to pandemic-related delays in reporting and other AML-related processes. However, these regulators encourage financial institutions to communicate with regulators about such issues as they arise. Accordingly, to the extent that a financial institution might face such delays, or make other pandemic-related adjustments to its program, it should be sure to communicate timely with regulators about them.
At the same time, it is equally important to document any delays or changes. This includes documenting when the institution took the action, why it took the action, what risk it saw with the action, why it thought the change was justified, and what it did to try and address any risk associated with the change.
Doing so will go a long way to establish the institution’s awareness of the issue, to provide evidence that the institution had a rational decision-making process for it, and to help regulators put in context the challenges that the institution faced at the time it made the decision.
While regulators are very busy right now dealing with external inquiries and making changes to the way that they conduct their own mission, they are also motivated to gather information and provide rapid relief Communication with regulators, therefore, can result in a quick response. Even if they cannot respond immediately, the communication serves as a useful data point that regulators might take into consideration down the line.
If a financial institution reaches out to a regulator with an inquiry, it should be very clear about the timeline drivers and the consequences it might face if it doesn’t receive a timely response. Regulators are handling a number of inquiries, so helping them understand why the timing is important and why you need a rapid response might aid in moving your inquiry to the top of the queue.
Finally, keep a very close eye on updates from the regulators. Regulators have been very busy issuing guidance, and the pace of that guidance is going to continue. Subsequent guidance may resolve ambiguities or offer additional clarification that might go a long way to affecting a financial institution’s AML program during these challenging circumstances.
Caroline Brown and Carlton Greene are partners in Crowell and Moring’s international trade and white collar and regulatory enforcement groups. Erik Woodhouse is counsel in the firm’s international trade group. The authors have extensive experience working on AML and sanctions matters in previous roles at the U.S. Departments of Justice, State, and the Treasury.
