Public demand for better corporate governance and new regulatory requirements has resulted in a new way of thinking about compliance risk management. As a result, many organizations are driving compliance performance in an integrated manner, linking governance, risk, and compliance.
Compliance risk is the current and prospective risk to earnings or capital arising from violations of, or nonconformance with, laws, rules, regulations, internal policies and procedures, or ethical standards. Compliance risk can also exist when governing laws or rules related to specific bank products or activities may be ambiguous or untested.[1] Effectively managing compliance risk can help prevent damage to an institution’s reputation and also reduce legal risk and the potential for fines and civil money penalties that could result from violations of laws and regulations.
In today’s highly complex and competitive banking environment, there is ongoing concern raised by financial institutions regarding the time spent on regulatory compliance. The costs associated with implementing an effective compliance program can be significant, and the addition of new laws and regulations can seem overwhelming. For smaller institutions with limited resources, the impact may be felt to a greater degree. In addition, management’s focus on the institution’s strategic vision may be diverted at times in order to attend to compliance issues.
A financial institution’s compliance program should be an integral part of its overall risk-management process. The compliance function plays a very important role in identifying, evaluating, and addressing legal and reputational risks. In 2004, COSO released its enterprise risk management integrated framework, and some financial institutions have implemented enterprisewide risk management programs.[2]
The COSO framework is structured to identify potential events that may affect an organization, and it establishes how an organization will manage compliance risk based on its strategic plan and risk appetite. Effective compliance management is one of the objectives of an enterprisewide risk management program.
As part of an enterprisewide risk management program, the compliance function should look at all business lines and activities on an entitywide basis to identify the potential effect of the legal and reputational risks of individual business lines on each other and the organization as a whole. Management should evaluate all of the risks associated with both current and planned business activities.
Compliance with the Bank Secrecy Act (BSA) and related Anti-Money Laundering (AML) regulations is an area of significant concern for financial institutions. With the passage of the USA PATRIOT Act in 2001, the Bank Secrecy Act was significantly amended, and as a result, the compliance process in this area became more complex. Concern is centered on the level of compliance burden associated with BSA/AML regulatory requirements.
The Benefits of Effective Compliance Management
An effective compliance program can improve an organization’s bottom line by reducing legal and reputational costs. Therefore, management should not view compliance solely as a generator of costs and should identify the benefits it can add to financial performance.
In addition to reduced legal and reputational risk, there can be additional benefits to effectively managing compliance risk. An effective compliance program can also identify operational weaknesses. This can be useful in improving an institution’s overall internal controls. In addition, effective compliance management sets a positive tone from the top of the organization and establishes a strong compliance culture.
Implementing an enterprisewide compliance program can help with managing risk across business lines. Process improvements can result, thereby enhancing operational efficiency and improving financial performance. Achieving greater efficiency may also help an institution implement its strategic plans.
The Importance of BSA/AML Compliance
As collectors of financial information, banks are in a unique position in the payments system to identify questionable or suspicious payments or activities. The filing of Suspicious Activity Reports (SARs) alerts law enforcement and federal bank regulators to known or suspected violations of law or suspicious activity being conducted at a financial institution.
A coordinated effort among financial institutions, federal regulators, and law enforcement helps to implement BSA/AML requirements. Compliance with the regulations is critical to ensure effective use of reported information in combating financial crimes, including money laundering and financing of terrorists and other illicit undertakings.
While there is no foolproof method for detecting fraud or money laundering activity, financial institutions are expected to have a sound BSA/AML compliance program. Processes and procedures should be established to identify suspicious activity, and they should be tailored to the risk and complexity of individual business lines. There should be adequate training on the processes and procedures at all staff levels, and adequate controls should exist in order to ensure ongoing compliance.
For all areas of regulatory compliance, there must be an effective cost-benefit balance. For compliance with BSA/AML requirements, the cost of compliance must be balanced with the benefit received from the reported information in fighting financial crimes. Regulators are continually looking for ways to ease the burden on financial institutions, increase the coordination among the different regulatory agencies, and improve communication efficiencies while ensuring that law enforcement receives useful information.
To that end, on June 30, 2005, the Federal Financial Institutions Examination Council (FFIEC) released a new BSA/AML examination manual. The manual is the product of a collaborative effort among federal banking regulators and the U.S. Department of the Treasury's Financial Crimes Enforcement Network (FinCEN). It does not set new standards, but rather it is a compilation of existing regulatory requirements, supervisory expectations, and sound practices in the BSA/AML compliance area. To promote consistency among regulators, the manual also includes the examination procedures that will be used by each agency's examiners and provided to state banking agencies.
Business goals and effective compliance with laws and regulations can both be achieved. Compliance with the Bank Secrecy Act and all laws and regulations has a significant impact on an organization’s overall performance. Managing an effective compliance program can provide many benefits to improve overall performance and to facilitate the achievement of business goals.
The views expressed in this article are those of the author and are not necessarily those of this Reserve Bank or the Federal Reserve System.