To identify and trace criminal activity, federal law enforcementrelies on the mandatory filing of suspicious activity reports byfinancial institutions subject to the Bank Secrecy Act. Because ofthe importance of SARs to law enforcement efforts, regulators donot require — and indeed have no interest in requiring — thatfinancial institutions refuse to maintain accounts for clients withhigher risk profiles, such as certain money servicesbusinesses.

In January 2015, Treasury Under Secretary David Cohen made thisvery point, remarking that through MSBs, the government has “accessto crucial information that regulators and law enforcement dependon every day to prevent the abuse of the financial system.” He wenton to express concern that “banks have been indiscriminatelyterminating the accounts of all MSBs, or refusing to open accountsfor any MSBs.” Pointing out that regulators do not — contrary to aconclusion that some may draw from recently enhanced enforcementefforts — expect banks to be “infallible,” Cohen said that whatregulators do expect “is that [banks] take seriously the variety ofillicit finance risks that different clients present, and assessand address those risks on a client-by-client basis.” In theory,such assessment and monitoring should benefit both the institution,which is thus in a better position to comply with its SARs filingobligations, and the government, which can put the filed SARs tolaw enforcement use.

In practice, a heightened AML enforcement atmosphere has ledfinancial institutions to worry that servicing higher risk clientsentails a commensurate increased risk that suspicious transactionswill occur without being flagged and reported, potentially leadingto massive fines and other penalties. Because regulators have notimposed a bright-line prohibition on servicing high-riskbusinesses, financial institutions must weigh a number of factorsin deciding how to service such clients without unintentionallyrunning afoul of their BSA/anti-money laundering obligations.

The Treasury Department's Financial Crimes Enforcement Network,the primary regulator responsible for enforcing the SAR filingrequirements, has issued guidance intended to help banks identifyand appropriately assess, monitor and comply with SAR obligationsas to MSBs. While this guidance leaves a large degree of discretionto the bank to determine, based on the individual circumstances ofeach client, the appropriate level of monitoring and diligence,some expectations are clear.

For instance, FinCEN acknowledged that thereare many different types of MSBs, offering a broad range ofservices to different types of customers, and that very differentlevels of diligence might be required from one MSB to the nextdepending on their risk profiles. At a minimum, however, FinCEN andother bank regulators expect that a financial institution openingor maintaining an account for an MSB will:

• Apply the bank's Customer Identification Program;
• If the MSB is required to register with FinCEN, confirm that ithas done so;
• If the MSB is required to comply with state or local licensingrequirements, confirm that it has done so;
• If the client is an agent of an MSB rather than a principal MSB(and therefore not required to register with FinCEN), confirm thestatus as agent; and
• Conduct a basic BSA/AML risk assessment to determine whetheradditional diligence is necessary.

Additional diligence may be necessary depending on such factorsas the MSB's customer base, the geographies in which it operates,the types of services it offers, the size and character of itstypical transactions, and its history as a business. Of course, aswith any client, an MSB that initially appears to have a low riskprofile requiring only basic diligence will require reassessment ifsuspicious transactions by that MSB are later detected.

10 Considerations for Maintaining an Effective BSA/AMLCompliance Program

1. Do not neglect operations and technology. In the controlenvironment, increasingly, adequate AML monitoring means automatedmonitoring on complex platforms.
2. Create a strong compliance culture. As discussed in theprevious articles in this series, ingraining AML policies andprocedures into the firm-wide business culture can only be donethrough a strong message from the board and senior management, aswell as a strong reporting structure.
3. Test. Ensure that policies and procedures are consistentlymonitoring for high-risk and potentially suspicious behavior andthat alerts are effectively and consistently communicated.
4. Audit. An independent audit function should be evaluating yourAML compliance program before the regulatorsdo.
5. Manage risk appetite. Regularly engage in risk assessments todetermine whether or not the institution's control environment isadequate to manage high-risk clients, geographies andbusinesses.
6. Document. If you haven't documented it, for purposes of yourregulators, you haven't done it.
7. Reach out to regulators. Get regulators involved beforelaunching a new product that is of concern or that istechnologically progressive. Otherwise you could find yourselfsubject to new requirements of which you might otherwise beunaware.
8. Train. Regularly reassess the quality and currentness of yourBSA/AML training program and tools.
9. Evaluate the chief BSA/AML compliance officer. The chiefBSA/AML compliance officer and his or her staff must be bothqualified and independent. It is crucial for the compliance team tokeep up with trends and changes in the regulatory environment.
10. Incentivize. Compliance awareness should be rewarded andcompliance disregard penalized. This can be accomplished, in part,by making compliance part of employees' reviews andappraisals.