Mind the gaps: Recent enforcement actions and what they say about AML/CFT data management
In the past year, there have been numerous enforcement actions, many of which are related to third-party risk or were broad in describing the institution’s violations. However, two significant examples this year stand out as detailed descriptions of the issues leading to the enforcement actions: Wells Fargo Bank N.A.’s formal agreement with the Office of the Comptroller of the Currency (OCC) and TD Bank’s collective fines totaling over $3 billion among their FinCEN civil money penalty, Department of Justice fines and the OCC’s civil money penalty.
While each covered a wide array of anti-money laundering and countering the financing of terrorism (AML/CFT) deficiencies and TD Bank involved much more severe conduct, they both had a particular focus on the fundamental aspects of data management in the context of suspicious activity monitoring and sanctions screening. As such, these enforcement actions offer valuable insights for financial institutions of all sizes regarding current regulatory expectations relative to managing systems used to detect suspicious activity.
When viewed in tandem, Wells Fargo’s formal agreement serves as a useful framework for meeting regulatory expectations, while TD Bank’s FinCEN consent order provides examples to illustrate those expectations and reminds us of the consequences of failing to meet them.
Wells Fargo
The Wells Fargo formal agreement outlines the key elements of what the OCC refers to as a “data integrity program.” The critical themes throughout their summary of what constitutes a data integrity program are related to documentation, including the flow of data, transformation settings like mapping, known data defects and their impact on monitoring and other important issues. Central to all of the aforementioned are controls related to oversight. In the formal agreement, Wells Fargo and the OCC indicate that a data integrity program is one that ensures the bank:
- Develops and periodically updates comprehensive inventories of bank systems that contain data relevant to the Key Bank Secrecy Act/Anti-Money Laundering (BSA/AML) and Office of Foreign Assets Control (OFAC) sanctions compliance systems.
- Establishes clear roles and responsibilities for the management and oversight of BSA/AML and OFAC sanctions data.
- Identifies high-priority BSA/AML and OFAC sanctions use cases related to the Key BSA/AML and OFAC sanctions compliance systems.
- Documents data dictionaries and data sourcing process maps and desktop procedure(s) related to the Key BSA/AML and OFAC sanctions compliance systems.
- Creates data lineage documentation for the Key BSA/AML and OFAC sanctions compliance systems, implements controls designed to ensure the Financial Crimes Risk Management team is informed of systems-related projects impacting financial crimes use cases and remediates data defects within the lines of business and relevant enterprise functions.
- Creates comprehensive end-to-end data lineage documentation from Key BSA/AML and OFAC sanctions compliance systems to upstream sources, performs quality assurance of lineage documentation and defines an enterprise process for notification of systems-related projects.
- Enhances the Financial Crimes Risk Management team’s governance and oversight of data defects, defect remediation and systems-related projects impacting financial crimes use cases.
- Maintains procedures and controls to ensure timely and accurate information is provided to the Key BSA/AML and OFAC sanctions compliance systems, including periodic data reconciliation of data feeds to Key BSA/AML and OFAC sanctions compliance systems.
- Conducts risk-based data and control testing for completeness, accuracy and control effectiveness for Key BSA/AML and OFAC sanctions compliance systems.
- Provides training to targeted audiences involved in the data supply chain.
One could say that all of the above are fundamental elements of managing model risk in an anti-financial crime environment and have been for years. However, rarely have the regulators provided this level of specificity directed towards model risk management in an AML/CFT context; this passage from the Wells Fargo/OCC formal agreement reads almost like a sneak preview, an excerpt from some future guidance issued in accordance with the AML Act of 2020.
TD Bank
TD Bank’s shortcomings are well publicized and much discussed. However, when you look beyond the attention-grabbing parts of the story, valuable teachings and reminders emerge.
For starters, an uncomfortable truth needs to be acknowledged — none of the transaction monitoring pain points TD Bank encountered are uncommon. Linking monetary instrument purchases to customers, flagging P2P activity across disparate transaction channels, parsing the country code out of debit card transactions and getting foreign wires to import with critical details — especially those sent from secondary systems or through correspondents — are, frankly, everyday challenges. While for TD the problem was top-down, at many institutions the reason these problems often persist isn’t just cost but also the failure to see the value of fixing them.
Clearly, TD Bank’s failures went far above and beyond systems data defects, but on that subject alone, following the road map outlined within Wells Fargo’s agreement can help institutions avoid some of the same pitfalls. That means focusing on continuous documentation, defect tracking and ongoing periodic checks with vendors for solutions to your data quality and completeness issues. Beyond that, it’s clear from TD’s violations that all of those steps should be taken with a sense of urgency that exceeds the impact of the problem.
Next steps
In the wake of this year’s landmark enforcement actions, banks and credit unions should take action to make sure their suspicious activity monitoring data is at its highest possible quality and maximize their AML systems’ capabilities. In the immediate term, for BSA professionals, that means raising awareness among senior management and the board of the underlying problems at Wells Fargo and TD Bank and ensuring it remains top of mind past the 24-hour news cycle.
In addition, BSA professionals should use these enforcement actions as a launch point for revisiting their past approaches to active data defects and limitations, and areas where risk has previously been accepted. As always with these types of enforcement actions, the silver lining is that they can shock the financial industry out of complacency — do not let the opportunity go to waste.