PREPARED REMARKS OF JAMES H. FREIS, JR. DIRECTOR, FINANCIAL CRIMES ENFORCEMENT NETWORK U.S. DEPARTMENT OF THE TREASURY

20100520.pdf148.78 KB

DELIVERED AT THE INSTITUTE OF INTERNATIONAL BANKERS 2010 AML CONFERENCE

NEW YORK, NY

May 20, 2010

It is a pleasure to be back with you today at the Institute of International Bankers' International Banking Anti-Money Laundering Seminar. It was at this seminar three years ago that I gave my first public speech to a large banking industry group, not long after having assumed my current responsibilities as Director of FinCEN. I felt particularly at home here in New York and among international bankers, as I have been throughout my career.

Last time, I began my remarks by emphasizing that FinCEN's mission of combating abuses of financial crime contributes to the broader Treasury Department goal of promoting financial stability. We discussed the importance of an ongoing dialogue between the government and the financial industry to further these shared goals, and I am pleased to continue today in particular the productive working relationship between FinCEN and the IIB to this end. When I last spoke here, anti-money laundering/counter-terrorist financing (AML/CFT) issues were among the foremost topics in financial industry discussions, reflecting the fact that, globally, regulatory requirements in this area had evolved more in the preceding decade than in any other aspect of financial regulation. Those of us who participated here three years ago might recall that the predominant issue of discussion throughout that seminar was the then recently announced initiative from the Wolfsberg Group and Clearinghouse banks with respect to cover payments, designed to enhance transparency in international wire transfers. Through a global collaborative effort, that proposal has since become reality with the launch in late 2009 of the new SWIFT 202-COV message type. This has been an extraordinarily successful example of industry and governmental actors working together to promote efforts to mitigate risks to the global financial system.

What a difference three years can make in terms of the primary focus of discussion. It is well understood in the international banking community that the economic and financial events of the past few yearsⁱhave led to discussions at all levels about weaknesses in our global financial system and the need for regulatory reform to help address some of those weaknesses. Within the context of such discussions, it is fair to ask any regulator "how might you be affected by the changes underway in the financial industry?" It is a question FinCEN has to ask of itself even though the AML/CFT regulatory framework administered by FinCEN has not been among the issues under close scrutiny for change or possible regulatory reform. There would nonetheless be indirect effects, making it necessary for FinCEN to take into account any changes to financial institutions we regulate or the financial supervisors to which FinCEN delegates responsibility to examine for compliance with Bank Secrecy Act regulations. In the most basic sense, to be effective, any regulator must be attuned to changes taking place within its industry or industries.

For a regulator to give a good answer to the question of how any type of changes might affect it, the regulator should focus on a number of things. First, the regulator has to think of its "line of business." (I use the term "line of business" broadly, because, as I'll discuss shortly, it goes beyond a recitation of the regulator's mission statement.) The regulator then has to survey the potential changes on the horizon. A key premise underlying the approach to global AML/CFT regulation is that any means of financial intermediation could be subject to abuse. Hence, it is implicit that attention must be paid to the development of new ways to move money or other forms of value. In the present context, we must also be mindful of guiding principles and recommendations that are surfacing in discussions of financial regulatory reform. Finally, the regulator then needs to compare how the way it currently approaches its tasking relates to the far-reaching improvements advocated for the future. Let me try to apply this method to FinCEN, and to the current Bank Secrecy Act regulation in the United States.

What is FinCEN's Business?

With respect to the first question, what is FinCEN's "business?" As I mentioned before, we need to think of this broadly. While it is one thing to identify an organization's main purpose, it is another to correctly identify the fields in which it must operate in order to effect that purpose. The example of the railroad industry's history in the United States comes to mind as an illustration. Decline in the private railroad sector occurred when executives in that industry saw themselves as being in the business of providing railroads, rather than in the business of providing transportation. In other words, they focused on the delivery of a product, rather than the addressing of customer needs.ⁱⁱ

In FinCEN's case, our mission is to enhance U.S. national security, detect criminal activity, and safeguard financial systems from abuse by promoting transparency in the U.S. and international financial systems. We work to achieve this through three main mission areas: (a) the issuance of regulation to financial services industries, (b) the provision of analysis and liaison services to law enforcement and other regulatory authorities, and (c) the fostering and promotion of international cooperation and information sharing. These, in a sense, are among FinCEN's products. The business lines in which we need to operate to achieve our mission, however, are three-fold. FinCEN needs to be first in the financial system regulatory business,ⁱⁱⁱto be able to align its specific AML/CFT requirements with the way system participants are already obligated to operate, and therefore introduce systemic protection in a cost-effective manner;^iv; second, we also need to be involved and integrated into the broader safety and soundness regulatory business;^vand, third, as a financial intelligence unit, FinCEN must be in the specific business of detecting and preventing money laundering and terrorist financing within a major portion of the financial intermediary population.

Our main regulatory tool resides in our authority to impose basic standards of behavior, minimum standards of knowledge, and consistent standards of transparency. In general terms, behavior, knowledge, and transparency relate to the three requirement types contained in the BSA: (a) risk assessment, (b) verification/ recordkeeping/ transaction monitoring, and (c) reporting. Some of these requirements are rule-based, but most are risk-based, which justifies referring to the whole set of requirements as 'standards.'

These general standards - again, basic standards of behavior, minimum standards of knowledge, and consistent standards of transparency - are core to everything that FinCEN does on the regulatory front. They are also core to several other broader regulatory efforts. Obviously, within the context of current regulatory reform efforts, any reform or evolution of these general standards will have an impact on our mission.

Evolution on the Horizon

So, how does FinCEN's sphere of business address some of the issues arising all around us in these dynamic times? How does our current AML/CFT regulatory regime align with these new (or in some cases, rediscovered) principles and standards for financial regulation? Is there a need for us to change the way we approach our issues, or is there a commonality of goals between what FinCEN practices and guiding principles for financial reform?

I predict that unlike certain other areas of financial regulation, the changes in the foreseeable future with respect to AML/CFT regulation likely are more to be in the nature of evolution, maturation, and integration than any type of radical break with the past. One commonality to expect together with other regulatory areas - either old or new - is a focus on effective implementation.

The primary reason that I believe the focus on AML/CFT issues will continue is that the principle I espoused here three years ago is no less true today: combating abuses of financial crime is a part of promoting financial stability. For the sole purposes of our discussion today, in analogizing to broader principles being discussed to help strengthen financial systems, I will offer a thought on the nature of "systemic" risk and "contagion" in the AML/CFT arena. People commonly refer to money laundering in the three stages of placement, layering, and integration. Any financial services provider can be victimized by a criminal attempting to introduce proceeds of crime into the financial system. One of the reasons risk-based controls must be comprehensively applied across various types of financial services providers and globally, is that a single weak actor can be the vulnerability that allows the infection of tainted funds to be introduced into the formal financial system. Once that has been accomplished, the contagion can quickly spread, as more and financial services providers are unwittingly and perhaps unknowingly tainted during the layering and integration stages. The best approach to mitigating such risks remains to strengthen the first lines of defense, but we also must understand and take efforts to mitigate the vulnerability that any risk once introduced can spread quickly throughout the financial system. Unlike other areas of risk, the "systemic" implications of AML/CFT may appear regardless of the size of the transaction, which rather reflects the interconnected nature of financial institutions, where dispersion as opposed to concentration, can be an AML/CFT risk enhancer.

Alignment of Goals

It is also useful - at least at the most basic level - to look, if not at the details, then at some of the main principles guiding discussions as to potential changes in the financial industry. For example, when the leaders of the Group of Twenty (G-20) countries met in Washington in November 2008, they committed to implementing policies consistent with five common principles for reform of financial markets and regulatory regimes so as to avoid future financial crises:

Strengthening Transparency and Accountability
Enhancing Sound Regulation
Promoting Integrity in Financial Markets
Reinforcing International Cooperation; and
Reforming International Financial Institutions. ^vi

The third principle with respect to promoting integrity incorporates AML/CFT obligations. In fact, the G 20 finance ministers and central bank governors have long included, and oft reiterated, the importance of implementation of AML/CFT standards, together with financial prudential standards and efforts to fight tax evasion and corruption, as essential to promoting market integrity.^vii

Yet even in reviewing some of the other principles above, it is apparent that there is a high-level commonality of goals with AML/CFT. The first common goal, and arguably the most important, is a shared commitment to increased transparency - that is, to the timely exchange of adequate, clear, complete, and correct information among all those stakeholders that are empowered to make the best use of it. The third principle of reinforcing international cooperation is critical to the global AML/CFT framework from the development of international standards by the Financial Action Task Force (FATF), to efforts to ensure effective implementation through mutual evaluations, to the sharing of information both among regulators and financial intelligence units, such as FinCEN.

With respect to the second principle of enhancing sound regulation, we can recall a number of areas of concern in the public debate of the last two years. For example, in any area of regulation one must be careful to avoid pro-cyclicality: in good times, compliance with BSA regulation receives a lot of attention, while during periods of crisis - when potential risk of money laundering and terrorist finance abuse may be at its highest - the commitment to BSA compliance should not slacken. Regulatory arbitrage is also a common enemy: regardless of the name of the service or the type of institutional charter, FinCEN strives to subject financial products that offer similar functionality or are exposed to similar BSA risk to consistent and comparable regulatory requirements.

On this last point, I refer back to my own experience while at the Bank for International Settlements (BIS), working with global supervisors from different industry sectors. More recently, in January 2010, the Joint Forum at the BIS published a paper on regulatory differences and recommendations for closing regulatory gaps among the banking, insurance, and securities industries.^viiiThis report contains four guiding principles:

(a) similar activities, products, and markets should be subject to similar minimum regulation and supervision;

(b) consistency in regulation across sectors is necessary; however, legitimate differences can exist across the three sectors;

(c) regulation and supervision should consider the risks posed, particularly any systemic risk, which may arise not only in large financial institutions but also through the interaction and interconnection among institutions of all sizes; and,

(d) consistent implementation of international standards is critical to avoid competitive issues and regulatory arbitrage.

These guiding principles for broader regulatory purposes sound very familiar to some of us involved in ongoing discussions about FinCEN's AML/CFT framework.

Seeing that there is an alignment of goals between what FinCEN does and what's being espoused as part of strengthening the regulatory framework, we have to ask ourselves what are the opportunities for synergy between current BSA requirements and this strengthening drive? Once again, let me draw upon my own personal experience in analogizing to the dominant theme during my time in Basel, as well as a key aspect under consideration in any plans to strengthen financial institutions - the regulatory capital framework known as Basel II. In Pillar One, BSA customer due diligence, customer profiling, and the patterns observed through transaction monitoring can be leveraged to provide more precise metrics for Operational Risk, and contribute to better liquidity and interest rate management.^ixIn Pillar Two, the cross-sectional, corporate-wide risk assessment is also an approach we support for BSA compliance.^xFinally, in Pillar Three, a well-crafted AML program - as part of a broader approach to showing an institutional culture of compliance - can be used as a launching stage to improve compliance with the market discipline and mandatory financial disclosures requirements.^xi

With respect to maturation of the AML/CFT framework, recall what I mentioned at the beginning of my remarks that many of the requirements we have today were expanded within the past decade. This posed challenges and created a steep learning curve not only for the regulated financial industry, but also for the government regulators and supervisors, law enforcement authorities, and financial intelligence units charged with implementing them. An aspect of maturity is better integration into the broader regulatory framework (keeping in mind the overall theme today of how some components of that regulatory framework may be in a state of flux). Although the foregoing examples are quite preliminary and abstract, this line of thinking about AML/CFT as it relates to broader prudential regulatory functions is something that merits further consideration.

Practical Implications

To move from the theoretical to more practical implications, let's cut to the bottom line. Given the apparent coincidence of objectives, what is the business case for, and what are the return on investment considerations that confirm that operational spending on a higher level BSA compliance might help a bank brave this most difficult period in the history of global finance? I am a strong believer in trying to reduce overall regulatory costs without losing adequate protection. Within this construct, nothing should prevent a bank from multitasking regulatory tools, that is, using them for both compliance and either cost-reduction or increased profitability.

Specifically, I have long been a very vocal proponent that financial institutions leverage their AML/CFT investments by more closely integrating them with longstanding efforts to - prevent fraud and other losses. A complete and correct risk assessment, customer identification program, and transaction monitoring process can pay for itself through the prevention and detection of fraud committed against the institution. To illustrate this fact and point out a particular irony, I'll refer to some statistics. The ABA 2009 Bank Fraud Survey reflects $788MM in card fraud-related losses and $1,024MM in check fraud related losses, with 80% of the bank population experiencing a loss in 2008. The FBI Internet Crime Complaint Center reported $100MM in ACH fraud-related losses for 2008, while noting that only one in seven internet-based crimes was reported to law enforcement. Revenue lost to banks because of the need to investigate, document, and properly respond to consumer fraud allegations that do not represent a loss event for the bank is not accounted. (Any banker knows that customers who lose money are not good for business, and may even be tempted to blame the bank for the loss, even to the extent of seeking redress by legal means). Looking at these facts, it is ironic to FinCEN that while the cost of implementing compliance is calculated to the penny, some banks seem to consider such a $2BN in annual losses (at least) to fraud as a type of inevitable cost of doing business.
A complete and correct risk assessment, customer identification program, and transaction monitoring process can also pay for itself in the prevention and detection of identity theft and corporate account hijacking, the accurate evaluation and pricing of new products and services, the discovery of market segments not properly served, and even in leveraging the cost of compliance with non-BSA regulations, such as consumer protection.^xii

The foregoing points are relevant to any bank, large or small, operating in one country or globally. Other significant steps FinCEN has taken over the past few years and continues to move forward that are of interest to globally active banks and those financial institutions and holding companies with activities that span multiple financial sector business lines, are meant to increase the sharing of AML/CFT information among affiliated entities and across national borders while still protecting sensitive information. The reasons behind these initiatives are simple: criminals do not respect laws, do not respect national borders, and exploit the gap between them. We need to promote greater enterprise-wide risk management to protect international banks and help them get relevant information to appropriate authorities in the range of countries in which they are active. These areas of focus and evolution illustrate what I hope will come to be known as more of a norm: in a dynamic world, one constant is FinCEN's interest in working with the financial industry to promote efficient implementation of government and industry resources in promotion of our shared goal of promoting the integrity of the financial system.

Conclusion

In conclusion - and as my personal answer to the question I posed earlier about how we work in a time of change - let me say that FinCEN does not operate in a bubble. We act within the evolving framework of financial regulation in the United States and abroad. FinCEN's current regulatory requirements already are consistent with many of the key principles identified in contemplating reform; our business line and the business line of the financial industry and the general regulatory framework are already more in line than we (both regulators and industry) might have taken the time previously to consider. I want to thank the IIB for the opportunity to deliver that message to a very special and understanding audience.

ⁱFor a chronological list of events related to the crisis, refer to the Financial Crisis Timeline site at the Federal Reserve Bank of St. Louis ( http://timeline.stlouisfed.org/).
ⁱⁱTheodore Levitt, "Marketing Myopia", Harvard Business Review 38 (July-August 1960), 45-57, at 45 (a seminal work on the importance of defining what the "business" of an entity is).
ⁱⁱⁱBy "financial system regulatory business," FinCEN means the whole range of payment products and systems that move value among physical and legal persons, mostly representing exchanges of monetary value for monetary value (as in the case of money transmission), but also covering certain exchanges of monetary value for goods or services (such as the Form 8300), transportation of monetary value (such as the CMIR), or storage of monetary value outside of the U.S. (such as the FBAR). FinCEN is in the "systemic" financial regulatory business, in that its brief is not restricted to the specific charter of a particular person (or lack thereof), or to the specific payment system in which a particular payment instrument is cleared or settled, but to the vulnerability of any payment instrument or payment system to the risk of abuse by money laundering or terrorist financing. While currently the BSA statutes contain a list of "financial institutions," (a) such list contains open-ended definitions, and (b) FinCEN is authorized to augment it if certain conditions are met.
^ivNothing in FinCEN's mission statement states that the protection of the financial system must be achieved "at any cost." Any protection measure that causes or contributes to cause the extinction of a specific payment instrument or payment system may be self-defeating. Therefore, it is in the interest of FinCEN itself to allow for the most cost-effective way of obtaining the best level of protection possible, given an existing legal and regulatory framework.
^vWhile FinCEN is not a 'safety and soundness' regulator, in the sense that it may not employ 'prompt corrective action' even in the absence of an actual compliance violation, most Federal and State bank functional regulators include BSA/AML as part of their safety and soundness examination. Furthermore, an egregious BSA/AML violation might cause the loss of an institution's charter; such a harsh consequence for non-compliance is not commonly shared by other types of financial regulation, such as the ones protecting investors or consumers. For a working definition of 'unsafe and unsound practices," see Section 15.1 (Formal Administrative Actions) of FDIC's Risk Management Manual of Examination Policies, at http://www.fdic.gov/regulations/safety/manual/index.html.
^viDeclaration, Summit on Financial Markets and the World Economy, Washington (15 November 2008), available at http://www.g20.org/Documents/g20_summit_declaration.pdf.
^viiSee, e.g., Communiqué, Meeting of G-20 Finance Ministers and Central Bank Governors, Montreal (25 October 2000) at 2, available at http://www.g20.org/Documents/2000_canada.pdf.
^viiiBIS -The Joint Forum: "Review of the Differentiated Nature and Scope of Financial Regulation. Key Issues and Recommendations," January 2010. The working group of the Joint Forum that authored the paper was formed by 19 individual regulators, and 4 international and standard-setting organizations. Out of the 19 regulators, 5 represented the U.S. (Board of Governors of the Federal Reserve System, Federal Reserve Bank of New York, OCC, SEC, and State of Florida Office of Insurance Regulation).
^ixPillar One of the Basel II Regulatory Capital Agreement originally included a capital charge to cover credit, market, and operational risk. These measures have been recently supplemented by a leverage ratio, short- and medium-term liquidity coverage charges, and a surcharge based on exposure to interest rate mismatching.
^xPillar Two of the Basel II Regulatory Capital Agreement involves local supervisory expectations. On July 31, 2008 the U.S. federal banking agencies issued guidance on their expectations about the risk management procedures implemented by banks that wished to use the advanced methods for regulatory capital calculation (73 F.R.44620 - "Supervisory Review Process of Capital Adequacy (Pillar 2) Related to the Implementation of the Basel II Advanced Capital Framework"). These expectations include an internal capital adequacy assessment process (ICAAP) that measures the economic capital (as opposed to regulatory capital) required by each bank's risk profile.
The BSA regulation does not stipulate a particular model of corporate risk assessment. The 2010 update to the FFIEC BSA/AML Examination Manual incorporated a section on BSA/AML Compliance Program Structures, however, which states that "every bank must have a comprehensive BSA/AML compliance program that addresses BSA requirements applicable to all operations of the organization", and leaves the interpretation of what is meant by "organization" to the reader (i.e., just the operations lodged at the bank? the bank and its subsidiaries? the bank, subsidiaries, and affiliates?). The Board of Governors of the Federal Reserve System subjects bank holding companies with assets over $50BN to a consolidated, comprehensive compliance program (FRB SR Letter 08-8, October 16, 2008, "Compliance Risk Management Programs and Oversight at Large Banking Organizations with Complex Compliance Profiles"). Furthermore, in 2004, the Committee of Sponsoring Organizations of the Treadway Commission (COSO) proposed the following enterprise (enterprise-wide) risk management definition: "ERM is a process, effected by an entity's board of directors, management, and other personnel, applied in strategy-setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risks to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives."
^xiPillar Three of the Basel II Regulatory Capital Agreement consists of general transparency requirements that would facilitate market discipline. In the U.S., the Securities and Exchange Commission 2007 Guidance regarding management's report on internal control over financial reporting under Section 404 of the Sarbanes-Oxley Act of 2002 could be considered part of such requirements.
^xiiFor example, to verify compliance with regulations related to suitability requirements or implemented as a consequence of anti-discrimination laws and the Community Reinvestment Act, banks might actually require customer identification procedures more complete than the ones specified by the BSA.