We live in a challenging, painful time that pushes people to commit fraud. Mark Treichel sits with Deborah Arndell, the President of ARMOR Advisory Services, to discuss Bank Secrecy Act best practices. First, regulatory agencies need to get people who have experience within institutions. The reality is, you never know what you'll get during onsite examinations. That's why regulators need to have prior exposure to understand the work they have to do. Second, it's crucial to know how the Bank Secrecy Act is a compliance function. The point of compliance is to identify and correct issues and implement processes to prevent those from reoccurring. Do you want to learn more? Don't miss out on this information-packed episode!
Bank Secrecy Act With Subject Matter Expert Deborah Arndell
In this episode, I'm joined by Deborah Arndell who's the President of ARMOR Advisory Services. Deborah, how are you?
I'm doing well, Mark. Thank you.
I'm excited to have Deborah on. We're going to talk a little bit about the Bank Secrecy Act and a few other things. Before we get into that, Deborah, why don't you tell me a little bit about your career, where you've been, and what you're doing now?
Thanks, Mark. I've been in financial services for 25 years. About half of that was inside of institutions working in compliance, retail, and operations. As part of that work, I've done a broad array of tasks and I've been in a number of different positions, including Chief Compliance Officer, BSA/AML officer, Chief Risk Officer, Fraud Manager in institutions anywhere from $150 million all the way up to $86 billion in asset sizes.
I've been regulated by the OCC, the FDIC, the NCUA and various state regulators. I've dealt with a lot of various situations including drug trafficking, people trafficking, identity theft rings, significant internal fraud situations, murders, cyber events. I've also spent a couple of years in the audit world, going from that 30-foot view within the institution to that 3,000-foot view in audit, looking at how institutions do things more broadly across my geography, which was the Northeast. I was managing audits for BSA/AML, lending deposits and personal trusts, as well as helping handle some projects across the United States where subject matter expertise in fraud and BSA/AML was needed as well.
I then left the audit world and went into supervision, which allowed me the 30,000-foot view across the United States, as well as some international countries at how things are done. I was with the Federal Reserve Bank of New York. I was an examiner in charge, senior examiner, supervisory examiner and eventually, the officer in supervision responsible for compliance across all of the portfolios at the New York Fed, including community banks, regional, large domestic, small and large foreign, as well as the systemically important financial institutions like Chase, Citi, Deutsche, Goldman. I also sat on the Board of Governors’ Compliance Management Group representing the Second District and helped to drive policy and make changes within the larger Federal Reserve System.
I left the New York Fed and started my own advisory practice. This is the sixth year of that. I say consultant but I consider myself more of a trusted advisor and a strategic partner to my clients. In those six years, the work has also been fairly representative of the variety I've had historically, whether that was inside of institutions or with audit and supervision. That's having designed, managed, and executed AML look backs, being involved in doing a detailed analysis of automated AML solutions, helping banks and credit unions strengthen or rebuild BSA/AML, vendor management.
All the consumer protection laws, fraud, information security, information technology, cyber security, dealing with some mergers and acquisitions. Just stepping in in a number of roles to assist those institutions in moving the programs forward or in some cases, rebuilding them after there has been heavy regulatory scrutiny. That brings me to now and being a guest of this show and being able to dig into some of the risk topics.
Deborah, that's quite a resume. You hit it from all three sides. You worked within the banks for the regulatory body and now, you're a consultant/advisor to the bodies that you used to work for. Comparing that with the journey that I took, I had 33 years at NCUA. I had the regulatory view and now I have that consultant advisory view. I've had a few a-ha moments when I changed sides and the things that I learned becoming an advisor that I didn't realize when I was at NCUA. I want to ask you. When you moved to the Fed and found yourself working on the regulatory side, what were the biggest takeaways once you were sitting on that side of the fence that you hadn't realized when you were working at banks and credit unions?
The primary observation for me is that it's important that the regulatory agencies have people that work there that have actual experience within institutions. The Federal Reserve was trying very diligently to bring in people that had that background. The reality is that when you have an examiner onsite, you never really know who you're going to get. You want to get someone who's rational, logical, and reasonable. A lot of times, that's largely tied to what their exposure and experience has been historically in understanding the work that you do.
You can compare this to my time in law school, where you have a tenured professor who teaches you the theory of the law and you have an adjunct professor who teaches you the application of the law. Sometimes those two are very different. One of the things that I loved about my time at the Fed was seeing how they started to bring in more people with that background so that you could apply that information and understand the theory and the application of those laws so that you could provide better advisory oversight to institutions, and not play the gotcha mentality that a lot of people are fearful of. That was the primary observation. This is a shift in the way that at least the Federal Reserve is starting to look at the people that work there, and the people that are out in the field evaluating these institutions.
That's a great point. It's the wisdom of crowds. If everybody that the regulator has started at the regulator and doesn't have any real-world experience, that leaves blind spots. NCUA went through a very similar time period where we realized at NCUA at the time that we needed to get some hands-on expertise. It led to the formation of some specialist positions where for the most part, the agency would go outside and bring people from the outside again so we could expand the agency's understanding of particular disciplines. That makes perfect sense.
From some of our previous conversations, you cover a lot of different risk management areas in what you do as an advisor but in many instances, people particularly seek you out for Bank Secrecy Act work. That's how you and I came to know each other relative to a couple of credit unions that we're both familiar with. What led you down the path of the Bank Secrecy Act becoming particular expertise that you excel in? Could you go into that a little bit?
My career in financial services got started in customer service, answering phone calls in a call center. It was incredibly interesting to hear about the things that were going on behind the scenes with the customers. It piqued my curiosity about fraud when we had customers we knew were engaging in it or were the victims of it. I ended up leaving customer service and going to the fraud department, eventually running that department for a very large institution, about $13 billion at the time, across 7 or 8 states.
Fraud is an incredible adrenaline rush. There would be an event and the staff were like meerkats popping up over the cubicles. Everybody was excited. It's 9 to 10 hours of adrenaline rush. What wasn't to love about it? You learn so much. You got to deep dive into the systems. You knew every stroke of every teller key and how to find things. It was this incredible environment. The thing with fraud is that when activity hits a certain threshold, it is reportable under the Bank Secrecy Act. I was therefore exposed to BSA/AML.
A few years later is when 9/11 happened and the introduction of the USA Patriot Act. I was charged with deciphering all of that and figuring out how to implement that across the organization. When I started law school, which was around that same time, I was automatically moved into compliance because of the legal component of that. That began this lifelong love of this law. I don't know if it's a coincidence or not, but it was first introduced the year I was born. I think we were meant to be together.
Before we dive into the Bank Secrecy Act, anti-money laundering and where we go there, fraud can be scary and exciting but it's an adrenaline rush when hit with it. One of the things about fraud is controls and the opportunity. With the world that we've lived in for the last few years, with credit union staff being a little bit less on-site, perhaps over a full two-year period, and NCUA exams having been off-site for 2021, what are your thoughts on what that might do for an opportunity as it relates to either within the credit union or at the member level?
We live in an incredibly difficult and challenging time. When we talk about banking, people are surprised when I first start talking about psychology and human beings and how we react to things. We as human beings either head towards pleasure or move away from pain. Those are the two things we do. And given those two things in front of us, we will always move away from pain before we move towards pleasure. In this time of the pandemic and with the COVID benefits fraud and the remote work environment, we've got crypto, marijuana-based businesses, talk of inflation due to the Russia-Ukraine war, we are so busy moving away from pain now.
This is going to reveal itself in the next 12 to 18 months. The impact that all of this is going to have on the people that do this work. Having a banking background and having done so much with credit unions now, I have a new appreciation for how different they are but also how similar they are. The credit union aspect that I love is that it is member driven. They own it and the people side truly matters, whereas process has a tendency in banking to eclipse the people side of the business. Most people are trying to do the right thing. They're trying to do the best they can at the time with what they have. The unfortunate reality is that when human beings are put into positions of pain, they react in ways that they may not have done historically without that factor.
For example, with the loss of jobs or with loss of family or with feeling the stress and the overwhelm of COVID, people are behaving in ways that we wouldn't historically expect them to. Fraud is certainly on the increase. With the remote work environment, the bigger challenge is how do we continue to identify those situations that we need to triage immediately, but balance that with our member needs. How do we focus on potentially expanding what we provide to our members to prevent them from needing to act in a way that may be fraudulent that they wouldn't do under normal circumstances?
It's going to play out in relatively short order now that we're starting to see the light at the end of the tunnel, but we have seen an increase in fraud. We're seeing an increase in fraud with our members. Not just new members, which historically has been the red flag. We're seeing it with existing members as well. It's like the person whose family is starving, and they steal food. Would they normally do that? Probably not but under the circumstances, when push comes to shove and that pain is too great, we do things that we didn't think we were capable of doing. I don't know if that answers your question.
It does. You've homed in on what I've been thinking as well. When you frame it in pain versus pleasure side of it, there are things that are going on as you stated in the world. It puts people in situations where they may make choices that they might not otherwise make if the playing cards that they had in their hands at that time were different and all that stuff.
That's a great way to look at it. The question for credit unions is, what can we do to get ahead of this? I'll give you an example. We knew there was going to be a run on funds coming out of ATMs when the pandemic first hit. We knew that we were going to have larger sums of funds coming out. We immediately changed an internal policy that we're still going to file documents and do the things we have to do, but we are not going to put the same pressure on members to not take those funds out, to have to jump through hoops to get those funds out. We want to make sure that we are assisting them, but we still want them to be safe. Is there another way for us to ensure that they get the money but they're not walking out of a branch with them? Do we need to implement new ceilings or increase limitations?
These are the things we need to think about, which is why my background is so broad because all of these areas are interconnected. Here we are talking about BSA/AML and fraud. There's also now this whole business continuity disaster recovery piece, the pandemic testing. If institutions had gone through that process and could have sat around a table and said, “Let's predict the worst-case scenario. What are some of the things that we would want to do for our members? What are some of the things that we would want to get ahead of?” That's what that process is for. That's one of the reasons I love BCDR. It's that, “Let's test it. Let's see what's going to happen.”
Now we're going to see a lot more institutions doing pandemic testing, but it is critical for us to try and understand if we could project and predict. What are we going to do? What are all the things that could go wrong? How do we at least try to be a little bit preventative and proactive? We were caught with our pants down a little bit even though there was no cause for that.
Deborah, every January, NCUA comes out with their examination priority letter. I've spoken at CUNA GAC on this topic. I have two other shows where we walk through the eleven priorities that NCUA established. One priority that is always on a letter to credit unions is the Bank Secrecy Act. In our previous conversations, you and I had talked about the Anti-Money Laundering Act of 2020, which is coming into play. There are some changes in the rules that are coming forth. Can you speak to what’s your take on NCUA’s priority letter, specifically on the Bank Secrecy Act and perhaps the Anti-Money Laundering Act of 2022, and what that might mean for credit unions out there moving forward?
NCUA seems very focused on the Anti-Money Laundering Act of 2020. I think most of the prudential regulators are. Not a lot has happened with the rulemaking behind it. I do want to talk about at least a few of the significant portions of it. Eventually, what's going to happen is we're starting to see a few updates to the FFIEC BSA/AML examination manual, but that manual is for examiners. That is not meant as a rule change; the rules are promulgated and communicated by the prudential regulators. So, no need to jump just yet.
In 2022, we're going to start to see FinCEN kick in some of the rules to be promulgated into regulation or statute. As far as the act goes, there are some key provisions and people have probably looked at these, and we could talk in detail about a number of them. The ones that probably stand out the most are related to the whistleblower rewards and protection simply because the Bank Secrecy Act has had a whistleblower component within its requirements or regulation since its inception.
Previously, it always said that the treasury may pay rewards to those that provide the original information that led to the government's recovery of funds. Now, it says shall pay that award. That small shift is pretty powerful. Also, it eliminated the previous cap, which was only a $150,000 award and replaced it with a ceiling that's 30% of the government's actual collection if the sanctions that are imposed are exceeding $1 million.
They're going to take some other factors into consideration. There are some other things to talk about there but the fact the cap has been removed and replaced with something significantly higher, speaks to the intention behind it. We need to get this information. We need to move forward with it. We don't want to penalize people for wanting to do the right thing. We want to incentivize them to do the right thing. The other thing is that the new protection provisions will prohibit employers from engaging in retaliatory behavior, whether it's threatening, harassing, discharging or demoting people. The protection applies to those where the information is specifically tied to money laundering and BSA violations. Those who report the suspected wrongdoing to their employer versus to the government directly are going to be afforded protection by this change in the law as well.
What's critical here is that this new section exempted employers who are FDIC and Federal Credit Union Act-insured institutions. That means that for most people at credit unions, the employees of most banks and credit unions are going to have to continue to rely on the existing whistleblower protection statutes like those that are under the Federal Deposit Insurance Act and the Federal Credit Union Act in seeking redress. Some of this doesn't apply to some of the people that will be reading this.
I'm thinking out loud that the reason is since NCUA and FDIC have mechanisms under which they can be protected, they didn't want to create a question of which rule might rule. They felt comfortable that the NCUA and FDIC rules, said another way, afforded appropriate protection, which is why they're carved out.
That's usually what happens. As long as the laws are fairly equivalent, and the protections afforded are equivalent. Anytime we can avoid undue confusion, that makes sense.
In the different roles you've played from the adviser, from an employee and a regulator, I'm sure you've been exposed to, if not all, different software and tools that are out there for financial institutions in their toolbox. I'm sure you've seen some good software and tools that financial institutions utilize. In that regard, I'm not asking you to say what your favorites are, but what is a good infrastructure for BSA, the credit union?
Are you asking me specifically about the monitoring tool?
Anything that my question triggers. Anything that pops into your head relative to that statement.
I suspect the question is the one I get the most, which is, “What's the best automated AML solution that we can use?” There's no good answer to that. I always say that automated AML solutions are much like a financial institution. For the most part, they're similar. There might be some minor differences but ultimately, we end up going to the place that serves our own personal needs best. With automated AML solutions, the reality is that most credit unions are using Verafin. It's a little bit different from other automated tools in the fact that it is risk-based instead of rules-based. With a rules-based system, you could have hundreds of different scenarios that are nuanced. If somebody deposits X amount within this timeframe and does this within this timeframe, then we're going to trigger an alert.
Verafin is risk-based, which means that it's firing from a dozen or so scenarios that are a pretty broad category, cash-in/transfer out, transfer-in/transfer-out, transfer in/cash-out, structuring, the international flow of funds, funnel accounts and human trafficking, those sorts of things. They're pretty broad. What Verafin is doing is taking and assessing risk scores based on factors that are not known to financial institutions. It's considered to be black-box proprietary to Verafin. All you get is a risk score based on the factors that they use. Anything that fires at a risk score of 80 to 100 is traditionally what most credit unions are looking at. Anything at 79 or below is considered a no alert, meaning it's still there but it's not actively populating your alert draw when you get it.
A lot of the AML products are very similar. It depends on what you're looking to get out of the system and the functionality; how it applies to the products and services that you offer. The AML tools are fairly vanilla and innocuous across the board. There's nothing that stands out for me whether we're talking about Verafin or Patriot Officer or anything through Abrigo or whoever may be providing it. The right solution depends on your asset size, complexity, products, and services, etc.
What's interesting is eventually, the BSA/AML tools are going to start incorporating artificial intelligence. With the AML Act, we're going to start to see changes in how we go about identifying some of this activity because it is getting more challenging, and then we can talk about all of the white noise you get with these systems as well, and optimization and calibration. There's a lot of chasing down to capture very little. Artificial intelligence may be able to help institutions narrow that down. Pareto’s law applies across the universe, that 20% of our effort gives us 80% of our results. The same is true in AML. We're looking at 20% of your members who are usually driving 80% of your activity.
The question is, who are those 20%? How do we get our data down to reflect those people? That's the challenge. A lot of the AML tools haven't gotten the credit they deserve but the fact that you can take something that 15 years ago we were doing manually with paper and with reports: you're trying to look at a wire report, a monetary instrument report, a cash report, and what loans does this person have, and try and do some human analysis around what that means. You can't unless it is very blatant. That rare occurrence where that person is depositing $9,900 in cash three days out of the week.
Normally, it wasn't obvious, so you had a lot more work to do. The fact that we have this new computer technology that does a lot of that for us is incredible progress. We're going to see a lot of movement in the AML space, particularly as we see the reach of this AML Act going a little bit more global now beyond foreign correspondent accounts into foreign banks themselves. We're going to have a bunch of vendors and smart people doing some work that is going to help institutions to narrow this down and further stop the chase.
It's exciting times for BSA and the tools around it with high, big data and the ability to analyze trends and different things. It's going to be an interesting next decade, it sounds like, in this whole arena. Going back to your example about a risk score that comes out of Verafin. If it's over 80, that's a red flag, if you will. If someone is using Verafin and they were to call you up and say, “Deborah, I would like to chat with you about either implementing Verafin or using this tool that we have.” What type of conversation follows that?
One of the first is most institutions have their system in place. If they're using Verafin, this is probably where I see the most opportunity for credit unions. Historically, I don't think it's a big secret that BSA/AML on the credit union side has not been as heavily scrutinized as it had been on the banking side. That has changed now. The NCUA is on top of it. We've seen massive frauds happening at high levels in credit unions. We've seen conservatorships taking place, including Municipal Credit Union in New York, where the CEO committed $10 million in fraud. Having spent two years inside that entity, helping them build and restructure some of that (I'm happy to report that they are out of conservatorship now), you start to appreciate a little bit more how critical these systems are. You don't want the monetary system and credit unions to fail. We're seeing the number of credit unions decline. We want credit unions to be successful. Part of that is to take some of these other compliance areas incredibly seriously and do all the right things with them. Although we like to move away from pain, we sometimes are our own worst enemy because we do things that increase our pain.
For example, we've all done this, I'm leaving the house. Do I set my alarm? “I'm only going to be gone for an hour. I'll leave it. It's fine.” Your house gets broken into, then you have to pay a lot more money to replace your goods and get a new alarm system or it's like, “I need to get there. I'll be speeding for fifteen minutes. It's not a big deal. I probably won't get caught.” You get pulled over. There's always something that we do, and we become our own worst enemy. One of the conversations I have with a lot of credit unions is you have to be preventative and proactive.
Unfortunately, I am usually called in when it is way too late. The pain is already being applied heavily to these institutions. What I would love to see as a regulator is a world where the exam reports were empty and blank because there were no violations. Everybody was doing everything correctly and I didn't need a job anymore. I say the same thing as a consultant. That’s what I would love to see and it's the reason I stepped out of regulation and supervision into the advocacy position.
I named my business ARMOR because I want to protect institutions from unnecessary penalties and scrutiny and reputational damage that comes from having poor programs. They don't need to be that way. This stuff isn't hard. It just takes some effort and some attention. The conversation I have most often is, “It's not cheap but it's going to cost you a lot more down the road.” The question isn't, “Are you going to have BSA/AML violations?” It's “When are you going to have them?”
With the NCUA cracking down on it now a little bit more heavily and the states also applying more pressure, we are going to see more DORs related to BSA/AML. That opens you up to additional scrutiny and potential fines from the regulators, from US Attorney's offices, District Attorney's offices, and from the reputational damage that comes from some of that, whether it's a consent order or administrative order. It's imperative that institutions see getting these programs where they should be as an investment, to get to that place where they say, “Why should I worry when an examination comes? I'm confident.”
I tell people, “I don't get paid to come in and fix your technical issues.” I will come in and fix your technical issues, but my goal is much larger. I'm like the boxing coach. I'm going to come in and give you all the confidence in the world. You're going to be able to maneuver and get this fight over quickly and as pain-free as possible. When the regulator shows up with their shovel, you're going to be able to take the shovel out of their hand, drive a backhoe over, jump out, hand the regulator the keys and say, “Dig a little bit deeper. There's nothing to see here.”
We are so confident with what we are doing that the examination doesn't cause heart palpitations. There’s no reason to take up drinking. An exam should be something that happens periodically. It's your opportunity to show the regulators, “This is who we are. This is what we've done. This is what we do. We know we're doing it right. You may find some isolated issues but there is nothing systemic here that you're going to be able to identify that's going to cause us heartburn.”
You reminded me of a John Wooden quote which is, “If you don't have time to do it right, when will you have time to do it over?” You can look at it from the cost perspective too. You're right that NCUA and credit unions have gotten better at it. What a great story it is to be able to placate the concerns of NCUA when they come in to see that you set your program up in a good way. With that, if you were a credit union out there, what would be the 3 or 4 biggest things that you would focus on relative to this whole topic?
I want to be clear. We did not finish our conversation about the AML Act, but I do want to say a few things about it then put that aside because that is not one of my top 3 or 5. The AML Act is future-facing; we're going to see how that plays out. There's a lot of worry about what it means. Essentially, it's going to put more pressure on institutions to take a much more nuanced, risk-based approach to BSA/AML. You're going to have to do more work around your risk assessments. You're going to have to make sure that your tools are well-designed and that you are tailoring things so that you can focus on what the real risk is to your institution instead of chasing down everything. I would like to note that one of the bigger issues is beneficial ownership.
Because of the changes to beneficial ownership, a lot of institutions thought, “We're not going to have to deal with that anymore.” That's not true. Now, those laws are going to run in parallel. That work hasn't stopped but the concern is always that we're going to have to do more. You're not going to have to do more. You’re going to have to do better.
With that being said, let’s move to my top items. If it was my institution, my first focus would be on the actual automated AML solution. This is the time to do what I call a metered assessment. It's a combination of a thermometer, a barometer, a seismometer, a speedometer.
It is looking and doing a full temperature, pressure, speed, force, duration check on the AML solution, or Verafin for most credit unions, that will expose those immediate critical level gaps in the design and its effectiveness. It allows institutions to formulate a plan around how to increase efficiency and save time and money and resources, and also save themselves from regulatory scrutiny. The system is the first thing. You have to get underneath Verafin.
What my experience has been with it is that most institutions have either not set it up correctly and/or are not using it to its full functionality. They are losing some of the benefits. I've been in a couple of credit unions where there are a host of issues. I spent 3 to 4 weeks going in and doing this meter assessment of Verafin. It's a combination of a little bit of optimization, calibration, and validation. It allows me to say to the institution, “Here are all your gaps. Here are the more significant ones.”
Probably the most significant part of reviewing Verafin so thoroughly is one of the things that institutions don't do often enough. It is with this 80-risk score in Verafin. The question is, how do you draw that line at 80? What's going on in the 75 to 79 risk score, or below the line? Is there something down there that we're missing? A lot of this work will shed light on where you are seeing your activity. There was one credit union where I could see a clear gap. They had nothing between 70 and 79. I could look at them and say, “You don't have to do below-the-line testing because you're not seeing enough activity to warrant it,” which is a huge time-savings.
It's something you don't have to think about quarterly or semi-annually to go in and make sure you're not missing a bunch of stuff. On the flip side, is there something we can stop looking at? Even something that's 95 to 100, or above the 80 line, that does not tell you it's a higher risk. That doesn't mean you're going to be filing SARs on it. Even most of this is white noise.
The bigger questions around Verafin are, let's say you have 200 transaction codes in the core, and you've only got 190 in Verafin. What's going on with that? Am I missing something? First of all, is all of the activity being accounted for? If it's not being accounted for, where is it housed? For example, some activity is not going to flow between your core and Verafin. A good example is a bill exchange that took place. It's transactional.
Depending on how it's keyed, you may not see it. Mortgage loans are another good example. The origination side is fraught with potential laundering and fraud. Yet, you don't see that part of the transaction. What you see are the payments, but you don't see any of the documentation or any of the other red flags that may be present. First of all, there's data that isn't flowing into Verafin. The question is even though we've got this information and we're reviewing it through an alert, what do I not know about my member that I have to go out and now pull in manually? Do I have to look at gift cards manually because they're not interfacing with Verafin? Am I getting my wire details? Are the ACH details coming in there? Do I have to go somewhere else and grab them?
You have to understand your universe of what's manual and what's automated, then within that automated space, understand: is it working well? Are there changes that need to be made? Is it picking up on stuff we don't want it to? Is it missing stuff? I would say that's probably about 50% of your problem because everything flows from that. Also, do we have administrative controls over it so that we don't have our staff making changes to parameters? That's a big no. Change management is critical. There's a lot that comes out of this assessment. We could go into a ton of detail about the things that you look for, but that's first and foremost: the system itself.
The AML solution is operating as 80% to 85% of the BSA/AML program at most credit unions. The program is essentially the system. If it's not serving you, we need to get it to serve you. We need to get your staff up to speed and train them on how to navigate Verafin so that they're going through these investigations and alert dispositions very quickly. This includes injecting an assembly line process into your alert disposition and case investigations to expedite them and come to better conclusions using a consistent methodology. I help credit unions implement road maps and investigative protocols to ensure efficiency, effectiveness, and consistency. The first two are for the institution, the third is to help prevent regulatory issues in what is escalated and what is closed.
With these automated solutions, particularly Verafin, one of the things I'm able to identify is if I think SARs have been missed and regulators may want a lookback. Nobody wants to hear a five-year lookback is necessary. Nobody wants to be mandated to go back five years and repopulate every alert, redo investigations and file SARs. It happens a lot. I've done them. The result is a huge resource drain, money drain, and time drain. I can usually look at the results of this Verafin meter assessment and tell you, “Do we need to do some Self-Initiated Reviews?” I call them SIRs.
If we were to do a partial self-initiated review, because it's not mandated like a lookback would be, it's essentially a mini lookback. Let me go into the mini lookback and we'll see what's there. Is there a cause for alarm or concern? If I go in and look at some of the gaps we identified and we're seeing that with every ten I look at, five should have been SARs, then we've got some work to do. If we complete that work before the regulators identify it, it's no longer a mandated lookback. You've already corrected it.
With a SIR, if a regulator does identify what they consider a potential issue or cause for a lookback, we’ve got some support to say, “No, we disagree. Here's why. Here's what we found. We did our own review.” Institutions will ask, “But if we tell the regulators that, doesn't that set up a red flag?” Well, first, your uptick in SAR filings from this assessment should be red flag enough, especially since in some cases FinCEN must be notified that you are backfiling SARs. Outside of that, the argument I've always made, and we started our conversation here, is it's important to have examiners who are rational, logical, or reasonable, people that can apply the law and understand it.
You don't always get that benefit but when you have one of those people, they truly understand that the point of compliance, and BSA is a compliance function, is to identify issues, correct those issues, and implement processes to prevent those from reoccurring. From the regulator’s perspective, you also need to understand that you may have deprived FinCEN of critical information over that timeframe, so there may be repercussions. We should not be afraid of the truth, even if it ultimately leads to punitive measures. We must do the right thing, even when it hurts.
The other thing I think that institutions don't understand is what's going on with these missed SARs? What's happening with these? Why are they important?
One of the things I've seen from conducting regulator-required lookbacks as well as the SIRs is how many members have not 2 relationships but 5, 10 different banks they do business with. They have segregated themselves across multiple institutions. You're only getting a small sliver of what that member is doing, generally. You've got this little bit of activity coming in and you're looking at it and wondering if it’s suspicious or not. I want you to think about it like this. You are taking Polaroid pictures of your members. When you send in a SAR, it is like sending a Polaroid picture to FinCEN. If other institutions are also sending in Polaroids on that same member, eventually FinCEN is going to be able to make a movie. They're trying to make the movie.
Our job is to make sure that we are sending the right Polaroids, and that we are not sending in some overexposed or underexposed junk. That's why it's critical, so we can get those corrected.
Those are the two big things: the system and conducting an assessment to know if SARs have been missed. If I were to go down the list further, another important thing is the risk assessment. Risk assessments for BSA/AML, all too often at credit unions, follow the model form that's found in the FFIEC BSA/AML examination manual. It's not a bad model, but this process is not intended to be some static event that takes place. Risk assessments are dynamic and must include both quantitative and qualitative support. It is my opinion the model form provides very little of either. This isn't just true for BSA. It's also true for consumer protection, ACH, fraud, IT, cybersecurity, and all other areas where risk assessments are completed.
Anywhere you're doing a risk assessment, the more time you invest in truly bringing in a robust picture of what's going on in your institution, the more you can focus on the things that matter. A good example of this is on the consumer protection side. You will have a financial institution that says, “Our commercial loans are high risk. We have to look at them annually because flood insurance is high for commercial loans.” I'm like, “Why don't you pull flood out separately?”
Commercial loans have nothing else within them that is high risk. You can move that out to a three-year review and save yourself a ton of time by solely focusing on the flood issue annually. You can manipulate the risk assessment to have it move you in the direction you want to go. It can serve you. It can be an asset to you. It doesn't have to be this terrible dark process with dementors flying around, sucking all the joy out of the room. It's your best friend because it allows you to utilize the limited resources, time, and money that a lot of credit unions have, in order to focus on the things that are impactful. With the AML Act and focus on the additional risk-based approach, this is going to be key for credit unions.
The other thing about that model form is that none of the categories are risk weighted. That means that IRS correspondence is equally weighted to the quality of your compliance program, or just above 10%. But they're not the same and they are not equal. What I like to do with risk assessments is risk weight each one of those categories and say, “This one drives about 30% of the result.” That's how important it is. IRS correspondence is less than 5%. I do the same with the mitigating controls because those too are not equal and should not be treated as such. The lack of risk weighting makes it almost impossible for any institution to calculate their overall risk beyond Moderate, and in most cases, the needle never moves past Low.
I like to go through and do a fantastic risk assessment so that you could look at your institution and say, “These are the 3, 4 or 5 things that are driving our risk score. Let's get our arms around those. Let's get better mitigating controls in place or perhaps we don't mind our residual risk being a little bit higher because of our risk appetite, but we need to be able to document that and support it.” The risk assessment is critical. It's one of my favorite things to do. I don't care what topic or regulatory area it is.
We all do risk assessments every single day. Do we have locks on our doors? Do we lock our car when we pull through a driveway? Do we live in the country? Do we live in the city? Is it midnight? Is it 6:00 PM? Do we feel a little bit more confident in having our windows open because of the hour of the day or the neighborhood we live in? Do we look at the police reports to see where these people are living? Do we have exposure? Do I cross the street against the light? We are doing it all the time in our heads.
The risk assessment at financial institutions is simply a formalization of that process on paper and forcing you to document it. It's one of the best exercises. I love the dynamic nature of it. The other thing that touches the risk assessment, the fourth thing would be change management. This is critical to an organization. You've got staff changes, personnel changes, service changes, product changes, regulatory changes. Most institutions do not have a centralized process for bringing these changes into a central group of people that represent your institution, the people who are doing the work that can make the decisions. The process, simplified, is that these changes come in. This group gets together and says, “Let's tear this apart. Let's figure out who it applies to and make sure they are in the room. Let's come up with an implementation plan to get this distributed out to the organization.”
Part of that implementation plan is we have to update policies and procedures and controls, as well as update risk assessments. We have to look at our compliance review schedule to see if they can review it once the plan is implemented, but before it goes live. We also have to look at the audit schedule to see if any changes are warranted there as well. We're going to have to figure out then how do we test this, get it fully executed and implemented, and do that in a way that doesn't exclude someone that needs to be at the table. Especially those people who may need to be present not for regulatory, operational, legal or compliance reasons, but for income generation purposes.
A good example of this was when some due diligence became the requirement as part of the USA Patriot Act. People started talking about occupation and employer as part of the account opening process. I can assure you that marketing was not at the table when this conversation was taking place. That data is something that a lot of people would want to utilize. When I see that someone is getting a new account and you've got a branch that's saying, “This person is a lawyer,” when you go into the system and pull a report, what you're going to find are 2,000 different ways attorney and lawyer are interchangeable and abbreviated and misspelled. There is no consistency. When marketing needs to go in and pull a particular segment of your member base because it's going to help either target loan product marketing or advertisements to generate business, they can't do it because they weren't included in the conversation.
It has always been my mantra: communication is the hardest thing that we do every single day and relationship building is the most important. One can destroy the other in a moment. Part of what I do when I go into institutions is not the technical work. That's the easy part for me. It's how do I help you see the culture differently, to see your interactions differently, to see you as one whole unit with three incredible lines of defense that are working together to keep the regulators, the wolves, from coming in. That's ultimately what your collective goal is. Let's build those relationships. Let’s start talking and thinking about ways that we can help each other.
If I could train the branch staff better to deal with a customer or a member who may be structuring, and they could get better information for me upfront and reduce me having to send requests for information on the backside, we would both be happier. We're helping each other. These are the things I want institutions to be thinking about. We need to get back to the business of helping our members or serving our members. We can't do that if we're fighting about who's more important, back-office or retail, or what you're doing versus what I'm doing and why you're making my life so miserable. We have to understand each other.
There’s so much opportunity at institutions to understand the culture in what they're doing and the people side of the business, that I can't fix the technical long-term if I can't fix the people side as well. I see hiring me as more of an investment. You get to come out of this with a better program and a different perspective. The passion that lights me up is how do I change the perspective around this so that long-term, it's sustainable because, without sustainability, none of these changes matter anyway. If you don't have the means to sustain it long-term and to capture change and roll it out effectively, you are eventually going to go back to where you were before. That is a terrible use of funds.
That was a long-winded way of saying, there they are. My top concerns: 1. Your system. 2. Potential lookback. 3. Risk assessment. 4. Change management. And if I added a number 5: Board training. If I could, I would train a board of directors on risk management. They need to understand and hear it. The benefit that banking boards usually have over credit union boards and supervisory committees is that banking boards get paid a lot of money to show up for the board meetings. A lot of the credit union boards are either volunteers or it's very nominal pay.
These people are doing it because they want to. They feel it's their duty to do it. I would love to help them understand the real-world implications of these things. What are the right questions to ask? What are the things that we should be thinking about and have them understand what risk is and what they can do at the very top to help the credit union be wholly successful and give those members as much money as possible? Let’s get credit unions back, increase their numbers and get back to true community banking.
Deborah, that's a fantastic summary. There is a lot of information there to unpack. There are a lot of things I might want to follow up on in some separate conversations. While you were giving that summary, I wrote down a few different things. There are two of the words you said that I want to highlight here, but first, something you said reminded me of what I think is a Stephen Covey quote, which is, “Seek first to understand, then to be understood.” If you can understand the other side of the equation, the other person in your organization, and what they have to deal with, then you can help them understand what it is that you're trying to do from your discipline.
The other three things I wrote down are words that start with the letter P. Your passion for this topic is clear. I don't think I've ever heard anybody speak so passionately about BSA. I can tell it's important to you. I can tell that you must serve your clients amazingly well. Another word that started with the letter P was push back. You even mentioned that credit unions have to be comfortable to push back. The reality is the credit union should know BSA better than the examiners because they're living it and breathing it every day, which should give them the confidence to push back. If you have the proper systems in place, NCUA will recognize that expertise and will embrace that pushback where the credit union feels it's appropriate to do so.
Lastly, this goes to the systems concept. You mentioned Polaroid. As you were going through and describing the systems that are out there that you can use well or you can use poorly, I didn't think of a Polaroid. I thought of an expensive camera that might have 5,000 different things that you can do with it. If you buy that camera and the only button you can push is the button that takes the picture, with all the settings that are in place, you're going to get that one particular type of photo. You're missing all the other nuances of what it can provide.
It sounds to me like what you can bring to the equation when someone hires you is you can explain those other 999 buttons and how they can make you serve your members better, meet the requirements of BSA better, and create a coat of ARMOR around the risks that the credit union is dealing with. Lastly, I want to thank you for your time. I know that when people read this, they might want to reread it because there were a lot of good nuggets in there that you put out there for what credit unions can do. More importantly than that, Deborah, if someone wants to get in touch with you about your services and what you do for financial institutions in general and credit unions in particular, how would they do that?
They can contact me via phone. That number is (917) 370-1008. They can visit my website, which is www.RegulatoryArmor.com. There is a contact form in there, or they can email me directly at DeborahArndell@RegulatoryArmor.com and I'll get back to them very quickly. If I could, Mark, I did want to add that I know that I sometimes don't get invited back to parties because this is the stuff I like to talk about, rather than what’s on TikTok or Instagram. But I wanted to say a little bit more about a Stephen Covey practice that I think will really support organizations as well as individuals in their personal lives. It ties back to my comment about communication and relationship building.
One of the stories I love to tell people is one that Stephen Covey shares in his 7 Habits book. He was on a subway in New York City. He had come from a meeting and a gentleman and three children got on the subway car with him. The kids were running around screaming, being loud. At some point, Stephen Covey became so frustrated. He looked at this gentleman and said, "Can you not control your children?" The gentleman looked at him and said, "You're right. I should be. Forgive us. Their mother died this morning."
We create stories about people all the time. If we're going to create that story, we should create one that gives them their humanity; one that is positive. Even in institutions, it is about how we better understand and appreciate other people and give them value, and not only assume that they're doing things to make our lives more difficult or challenging, or that people are out to get us or hurt us. We're all trying to do our jobs. Most of the time, it's a misunderstanding. We can resolve that very quickly with improved communication and stronger, established relationships.
You taught me something about Stephen Covey there. I appreciate that. That's a good place to wrap. That's it. Thanks, everybody, for reading. I appreciate you. I hope you'll come back for our next episode. That's a wrap.
About Deborah Arndell
A demonstrated history of working in the financial services industry. Skilled in Enterprise Risk Management, Internal Audit, Banking, Risk Assessments, and Bank Secrecy Act/Anti-Money Laundering. Strong professional who graduated from William Mitchell College of Law.