Bank Secrecy Act With Subject Matter Expert Deborah Arndell



Mark Treichel sits with Deborah Arndell, the President of ARMOR Advisory Services, to discuss Bank Secrecy Act best practices. Do you want to learn more? Don't miss out on this information-packed episode!

---



In this episode, I'm joined by Deborah Arndell who's the President of ARMOR Advisory Services. Deborah, how are you?


I'm doing well, Mark. Thank you.


I'm excited to have Deborah on. We're going to talk a little bit about the Bank Secrecy Act and a few other things. Before we get into that, Deborah, why don't you tell me a little bit about your career, where you've been, and what you're doing now?


Thanks, Mark. I've been in financial services for several years. I usually say a quarter of a century but that sounds so long. Within those years, I've spent about half of that inside of institutions working in retail operations. As part of that work, I've done a broad array of tasks and I’ve been in a number of different positions, including Chief Compliance Officer, BSA/AML officer, Chief Risk Officer, Fraud Manager in institutions anywhere from $150 million all the way up to $86 billion in asset size.


I've been regulated by the OCC, the FDIC, the NCUA and various state regulators. I've dealt with a lot of various situations including drug trafficking, people trafficking, identity theft rings, significant entrepreneurial fraud situations, murders, cyber events. I've also spent a couple of years in the audit world, going from that 30-foot view within the institution to that 3,000-foot view in audit, and how institutions do things more broad across my geography, which was in the Northeast. I’m managing audits for BSA/AML, lending deposits and personal trusts, as well as helping handle some projects across the United States where subject matter expertise in fraud and BSA/AML was needed as well.


I then left the audit world and went again into supervision, which allowed me the 30,000-foot view across the United States, as well as some international countries and how things are done. I was with the Federal Reserve Bank of New York. I was an examiner in charge, senior examiner, supervisory examiner and eventually, the officer in supervision responsible for compliance across all of the portfolios at the New York Fed, including community banks, regional, large domestic, small and large foreign, as well as the systematically important financial institutions like Chase, Citi, Deutsche, Goldman. I also sat on the Board of Governors of Compliance Management Group representing the Second District and helped to drive policy and make changes within the larger Federal Reserve System.


I left the New York Fed and started my own advisory practice. This is the sixth year of that. I say consultant but I consider myself more of a trusted advisor and a strategic partner to my clients. In those six years, that has also been fairly representative of the variety I've had historically, whether that was inside of institutions or with audit and supervision. That's having designed and managed and executed as AML look backs, being involved in doing a detailed analysis of automated AML solutions, helping banks and credit unions strengthen or rebuild, and vendor management.


All the consumer protection laws, fraud, information security, information technology, cyber security, dealing with some mergers and acquisitions. I’m stepping in a number of roles to assist those institutions and moving the programs forward or in some cases, rebuilding them after there has been heavy regulatory scrutiny. That brings me to now and being a guest of this show and being able to dig into some of the risk topics.


Deborah, that's quite a resume. You hit it from all three sides. You worked within the banks for the regulatory body and now, you're a consultant/advisor to the bodies that you used to work for. Comparing that with the journey that I took, I had 33 years at NCUA. I had the regulatory view and now I have that consultant advisory view. I've had a few a-ha moments when I changed sides and the things that I learned becoming an advisor that I didn't realize when I was at NCUA. I want to ask you. When you moved to the Fed and found yourself working on the regulatory side, what were the biggest takeaways once you were sitting on that side of the fence that you hadn't realized when you were working at banks and credit unions?


The primary observation for me is that it's important that the regulatory agencies have people that work there that have actual experience within institutions. The Federal Reserve is trying very diligently to bring in people that had that background. The reality is that when you have an examiner onsite, you never know who you're going to get. You want to get someone who's rational, logical and reasonable. A lot of times, that's largely tied to what their exposure and experience have been historically in understanding the work that you do.


You can compare this to my time in law school, where you have a professor who teaches you the theory and you have an adjunct professor who teaches you the application of the law. Sometimes they're very different. One of the things that I loved about my time there was seeing how they started to bring in more people with that background so that you could apply that information, and understand the theory and the application of those laws so that you could provide better advisory oversight to institutions, and not play the gotcha mentality that a lot of people are fearful of. That was the primary observation. This is a shift in the way that at least the Federal Reserve is starting to look at the people that work there, and the people that are out in the field evaluating this institution.


That's a great point. It's the wisdom of crowds. If everybody that the regulator has started at the regulator and doesn't have any real-world experience, that leaves blind spots. NCUA went through a very similar time period where we realized at NCUA at the time that we needed to get some hands-on expertise. It led to the formation of some specialist positions where for the most part, the agency would go outside and bring people from the outside again so we could expand the agency's understanding of particular disciplines. That makes perfect sense.


From some of our previous conversations, you cover a lot of different risk management areas in what you do as an advisor but in many instances, people particularly seek you out for Bank Secrecy Act work. That's how you and I came to know each other relative to a couple of credit unions that we're both familiar with. What led you down the path of the Bank Secrecy Act becoming particular expertise that you excel in? Could you go into that a little bit?


My career in financial services got started in customer service, answering phone calls in a call center. It was incredibly interesting to hear about the things that were going on behind the scenes with the customers. It piqued my curiosity about fraud when we had customers we knew were engaging in it or were the victims of it. I ended up leaving customer service and going up to the fraud department, eventually running that department for a very large institution, about $13 billion at the time, across 7 or 8 states.


Fraud is an incredible adrenaline rush. I loved having all of the staff. There would be an event and they're like meerkats popping up over the cubicles. Everybody is excited. It's 9 to 10 hours of adrenaline rush. What wasn't to love about it? You learn so much. You got to deep dive into the systems. You knew every stroke of every key and how to find things. It was this incredible environment. The thing with fraud is as that activity hits a certain threshold, it is reportable under the Bank Secrecy Act. I was unexposed to BSA/AML.


A few years later is when 9/11 happened and the introduction of the USA Patriot Act. I was charged with deciphering all of that and figuring out how to implement that across the organization. When I started law school, which was around that same time, I was automatically moved into compliance because of the legal component of that. That began this lifelong love of this law. I don't know if it's a coincidence or not but it was first introduced the year I was born. I think we were meant to be together.


Before we dive into the Bank Secrecy Act, anti-money laundering and where we go there, fraud can be scary and exciting but it's an adrenaline rush when hit with it. One of the things about fraud is controls and the opportunity. With the world that we've lived in for the last few years, with credit union staff being a little bit less on-site, perhaps over a full two-year period. NCUA exams have been off-site for 2021. What are your thoughts on what that might do for an opportunity as it relates to either within the credit union or at the member level?


If I understand the question correctly, we live in an incredibly difficult and challenging time with part of what we talk about banking. People are surprised when I start talking about psychology and human beings and how we react to things. We as human beings either head towards pleasure or move away from pain. Those are the two things we do. Given those two things in front of us, we will always move away from pain before we move towards pleasure. In this time of the pandemic and with the COVID benefits fraud and the remote work environment, we've got crypto, the marijuana-based businesses, talk of inflation in the Russia-Ukraine war, we are so busy moving away from pain now.

This is going to reveal itself in the next 12 to 18 months. The impact that all of this is going to have on the people that do this work is certainly on the map. Having a banking background and having done so much on credit unions now, I have a new appreciation for how different they are but also how similar they are. The credit union aspect that I love is that it is member-driven. They own it and the people’s side truly matters. The process has a tendency to eclipse the people’s side of the business. Most people are trying to do the right thing. They're trying to do the best they can at the time with what they have. The unfortunate reality is that when human beings are put into positions of pain, they react in ways that they may not have done historically without that little factor.


For example, with the loss of jobs or with loss of family or with feeling the stress and the overwhelm of COVID, people are behaving in ways that we wouldn't historically expect them to. Fraud is certainly on the increase. With that remote work environment, the bigger challenge is how do we continue to identify those situations that we need to triage immediately, but balance that with our members’ needs. How do we focus on potentially expanding what we provide to our members to prevent them from needing to act in a way that may be fraudulent that they wouldn't do under normal circumstances?


It's going to play out in relatively short order now that we're starting to see the light at the end of the tunnel, but we have seen an increase in fraud. We're seeing an increase in fraud with our members. Not just new members, which historically has been like the red flag. How long have they been here? Now, I'm seeing it with existing members as well. It's like the person whose family is starving and they steal food. Would they normally do that? Probably not but under the circumstances, when push comes to shove and that pain is too great, we do things that we didn't think we were capable of doing. I don't know if that answers your question.


It does. You've honed in on what I've been thinking as well. When you frame it in pain versus pleasure side of it, there are things that are going on as you stated in the world. It puts people in situations where they may make choices that they might not otherwise make if the playing cards that they had in their hands at that time were different and all that stuff.


That's a great way to look at it. The question for credit unions is, what can we do to get ahead of this? I'll give you an example. We knew there was going to be a run on funds coming out of ATMs when the pandemic first hit. We knew that we were going to have larger sums of funds coming out. We immediately changed an internal policy that we're still going to file documents and do the things we have to do, but we are not going to put the same pressure on members who do not take those funds out who have to jump through hoops to get those funds out. We want to make sure that we are assisting them but we still want them to be safe. Is there another way for us to ensure that they get those funds but they're not walking out of a branch with them?


These are the things we need to think about, which is why my background is so broad because all of these areas are interconnected. Here we are talking about BSA/AML and fraud. There's also now this whole business continuity disaster recovery piece that pandemic tested. Institutions had gone through that process and could have sat around a table and said, “Let's predict the worst-case scenario. What are some of the things that we would want to do for our members? What are some of the things that we would want to get ahead of?” That's what that process is for. That's one of the reasons I love ECDP. It's that, “Let's test it. Let's see what's going to happen.”


Now we're going to see a lot more institutions make testing but it is critical for us to try and understand if we could project and predict. What are we going to do? What are all the things that could go wrong? How do we at least try to be a little bit preventative and proactive? We were caught with our pants down a little bit even though there was no cause for that.


Deborah, every January, NCUA comes out with their examination priority letter. I've spoken at CUNA GAC on this topic. I have two other shows where we walk through the eleven priorities that NCUA established. One priority that is always on a letter to credit unions is the Bank Secrecy Act. In our previous conversations, you and I had talked about the Anti-Money Laundering Act of 2020, which is coming into play. There are some changes in the rules that are coming forth. Can you speak to what’s your take on NCUA’s priority letter, specifically on the Bank Secrecy Act and perhaps the Anti-Money Laundering Act of 2022, and what that might mean for credit unions out there moving forward?


NCUA seems very focused on the Anti-Money Laundering Act of 2020. I think most of the prudential regulators are. It's fair to say that now that's counter facing. Not a lot has happened with the rule-making behind it. I do want to talk about at least a few of the significant portions of that. Eventually, what's going to happen is we’re starting to see a few updates to the FFIEC BSA/AML examination manual, but that manual is for examiners. That is not meant as a rule chain, the rules are promulgated and communicated by the prudential regulators.


In 2022, we're going to start to see fits that kick in and some of these rules coming that are in fact going to be promulgated into regulation or statute. As far as the act goes, there are some key provisions and people have probably looked at these, and we could talk in detail about a number of them. The ones that probably stand out the most are related to the whistleblower rewards and protection simply because the Bank Secrecy Act has had a whistleblower component within its requirements or regulation since its inception.


Previously, it always said that the treasury may pay rewards to those that provide the original information that led to the government's recovery of funds. Now, it's a shall pay that award. That small shift is pretty powerful. That is one of the more significant ones. Also, it eliminated the previous cap, which was only a $150,000 award and replaced it with a ceiling that's 30% of the government's actual collection if the sanctions that are imposed are exceeding $1 million.


They're going to take some other factors into consideration. There are some other things to talk about there but the fact the cap has been removed and replaced with something significantly higher. It speaks to the intention behind it. We need to get this information. We need to move forward with it. We don't want to penalize people for wanting to do the right thing. We want to incentivize them to do the right thing. The other thing is that the new protection provisions will prohibit employers from standard engaging and retaliatory behavior, whether it's threatening people, harassing people, discharging and demoting. The protection applies to those where the information is specifically tied to money laundering and BSA violations. Those who report the suspected wrongdoing to their employer versus to the government directly are going to be afforded protection by this change in the law as well.


What's critical here is that the employees of most of the banks and credit unions, this new section exempted employers who are FDIC and Federal Credit Union Act-insured institutions. They are not covered by these new provisions. That means that for most people at credit unions, the employees of most banks and credit unions are going to have to continue to rely on the existing whistleblower protection statutes like those that are under the Federal Deposit Insurance Act and the Federal Credit Union Act in seeking redress. Some of this doesn't apply to some of the people that will be reading this.


I'm thinking out loud that the reason is since NCUA and FDIC have mechanisms under which they can be protected, they didn't want to create which rule might rule. They felt comfortable that the NCUA and FDIC rule said another way that the FDIC and NCUA rule afforded appropriate protection, which is why they're carved out.


That's usually what happens. As long as the laws are fairly equivalent and the protections awards are equivalent or that this one isn't lesser than, or if it was greater than, it would still make sense to keep the previous protections in place instead. Anytime we can avoid undue confusion, that makes sense. We've seen this historically with laws that we want to start with one in place or if they're equal. We don't need both. It's good that they've removed the duplication to the extent of this.


In the different roles you've played from the adviser, from an employee and a regulator, I'm sure you've been exposed to, if not all, different software and tools that are out there for financial institutions in their toolbox. I'm sure you've seen some good software and tools that financial institutions utilize. In that regard, I'm not asking you to say what your favorites are, but what is a good infrastructure for BSA, the credit union?


Are you asking me specifically about the monitoring tool or the identification tools?


Anything that my question triggers. Anything that pops into your head relative to that statement.

I suspect the question is the one I get the most, which is, “What's the best automated AML solution that we can use?” There's no good answer to that. I always say that automated AML solutions are much like a financial institution. For the most part, they're similar. There might be some minor differences but ultimately, we ended up going to the place that serves our own personal needs best. With automated AML solutions, the reality is that most credit unions are using Verafin. It's a little bit different from other automated tools in the fact that it is risk-based instead of rules-based. With a rules-based system, you could have hundreds of different scenarios that are nuanced. If somebody deposits X amount within this timeframe and does this within this timeframe, then we're going to trigger an alert.


Verafin is risk-based, which means that it's firing from a dozen or so scenarios that are a pretty broad category, cash-in, transfer-in, transfer-out and cash-out, structuring the international flow of funds, funnel accounts and human trafficking, those sorts of things. They're pretty broad. What Verafin is doing is taking and assessing risk scores based on factors that are not known to financial institutions. It's considered to be black-box proprietary to Verafin. All you get is a risk score based on the factors that they use. Anything that fires at a risk score of 80 to 100 is traditionally what most credit unions are looking at. Anything at 79 or below is considered a no alert, meaning it's still there but it's not actively populating your alert draw when you get it.


I will say there are the best tools I've seen that are not even AML related because a lot of these products are very similar. It depends on what you're looking to get out of it and the functionality and how it applies to the products and services that you offer. The coolest tools are on the fraud side. We were talking about BSA/AML but there is some overlap between these two. With fraud, I was blown away when I first started working in fraud and realized all of these protections that are in place that you don't even think about. I don't think it exists anymore but there was something called a deposit check. This was a long time ago but it was cool to think that as an institution, overnight, you would send all of your check deposits and the checks that cleared your customer accounts to this location.


I won't say where it was. They are getting information from you and US Bank, Bank of America, Wells Fargo, and they're comparing. If you've got a check deposit from Bank of America and they have the maker's information on file, they start to compare it, then they shoot out this report. It starts at priority levels. It'll start with online checks and go down the list to NSF being last. They're spinning this overnight. You're shutting down accounts before 8:00 in the morning. The business opens and you're on top of it again. I find the fraud tools are cool. The AML tools are fairly vanilla and innocuous across the board. There's nothing that stands out for me whether we're talking about Verafin or Patriot Officer or anything through Abrigo or whoever may be providing it.


What's interesting is eventually, the BSA/AML tools are going to exceed fraud tools in their coolness because we're going to start to see some artificial intelligence. With the AML Act, we're going to start to see changes in how we go about identifying some of this activity because it is getting more challenging, and then we can talk about all of the white noise you get with these systems as well, and optimization and calibration. There's a lot of chasing down to capture very little. Artificial intelligence may be able to help institutions narrow that down and say those laws that apply across the universe, that 20% of our effort gives us 80% of our results. The same is true in AML. We're looking at 20% of your members who are usually driving 80% of your activity.


The question is, who are those 20%? How do we get our data down to reflect those people? That's the challenge. A lot of the AML tools haven't gotten the credit they deserve but the fact that you can take something that several years ago, we were doing manually with paper and with reports. You're trying to look at a wire report, a monitoring issue report, a cash report, and what loans does this person have, and try and do some human analysis around what that means. You can't unless it is very blatant. That rare occurrence where that person is depositing $9,900 in cash three days out of the week.


It wasn't obvious because you had a lot more work to do. The fact that we have this new computer technology that does a lot of that for us is incredible progress. We're going to see a lot of movement in the AML space, particularly as we see the reach of this AML Act going a little bit more global now beyond correspondent accounts into foreign banks themselves. We're going to see some movement here. We're going to have a bunch of vendors and smart people doing some work that are going to help institutions to narrow this down and stop the chase.


It's exciting times for BSA and the tools around it with high, big data and the ability to analyze trends and different things. It's going to be an interesting next decade, it sounds like, in this whole arena. Going back to your example about a risk score that comes out of Verafin. If it's over 80, that's a red flag, if you will. If someone is using Verafin and they were to call you up and say, “Deborah, I would like to chat with you about either implementing Verafin or using this tool that we have.” What type of conversation follows that?



One of the first is most institutions have their system in place. If they're using Verafin, this is probably where I see the most opportunity for credit unions. Historically, I don't think it's a big secret that BSA/AML and the credit union side has not been as heavily scrutinized as it had been on the banking side. That has changed now. The NCUA is on top of this series of statutes and regulations. We've seen incredible fraud happening at high levels in credit unions. We've seen these conservatorships taking place, including Municipal Credit Union in New York, where the CEO committed to $10 million in fraud. Having spent two years inside that entity, helping them build and restructure some of that, I’m happy to report that there are conservatorships now.


You start to appreciate a little bit more about how critical these systems are. You don't want the monetary system and credit unions to fail. We're seeing the numbers fall. We want credit unions to be successful. Part of that is to take some of these other compliance areas incredibly seriously and do all the right things with them. Although we like to move away from pain, we sometimes are our own worst enemy because we do things that increase our pain.


For example, we've all done this, “I'm leaving the house. Do I set my alarm? I'm only going to be gone for an hour. I'll leave it. It's fine.” Your house gets broken into, then you have to pay a lot more money to place your goods and get a new alarm system or it's like, “I need to get there. I'll be speeding for fifteen minutes. It's not a big deal. I probably won't get caught.” You get pulled over. There's always something that we do and we become our own worst enemy. One of the conversations I have with a lot of credit unions is you have to be preventative and proactive.


Unfortunately, they usually called in when it was way too late. The pain is already being applied heavily to these institutions. What I would love to see as a regulator is a world where the exam reports were empty and blank because there were no violations. Everybody was doing everything correctly and I didn't need a job anymore. I say the same thing as a consultant. That’s what I would love to see and it's the reason I stepped out of regulation and supervision into the advocacy position.


I named my business ARMOR because I do want to protect institutions from unnecessary penalties and scrutiny and reputational damage that comes from having poor programs. They don't need to be that way. This stuff isn't hard. It just takes some effort and some attention. The conversation I have most often is, “It's not cheap but it's going to cost you a lot more down the road.” The question isn't, “When are you going to have BSA/AML.” It isn't, “Are you going to have them?” It’s, “When are you going to have them?”


With the NCUA cracking down on it now a little bit more heavily and the states also applying more pressure, we are going to see more DORs related to BSA/AML. That opens you up to additional scrutiny and potential fines from the regulators from US Attorney's offices, District Attorney's offices, and the reputational damage that comes from some of that, whether it's a consent order or administrative order. It's imperative that institutions see this as an investment, “Why should I worry when an examination comes? I'm confident.”


I tell people, “I don't get paid to come in and fix your technical issues.” I will come in and fix your technical issues but my goal is I'm like the boxing coach. I'm going to come in and give you all the confidence in the world. You're going to be able to maneuver and get this fight over quickly and as pain-free as possible. When the regulator shows up with their shovel, you're going to be able to take the shovel out of their hand, drive a backhoe over, jump out, hand the regulator the keys and say, “Dig a little bit deeper. There's nothing to see here.”


We are so confident with what we are doing. That examination doesn't cause heart palpitations. There’s no reason to take a break. It should be something that happens periodically. It's your opportunity to show the regulators, “This is who we are. This is what we've done. This is what we do. We know we're doing it right. You may find some isolated issues but there is nothing systemic here that you're going to be able to identify that's going to cause us heartburn.”


You reminded me of a John Wooden quote which is, “If you don't have time to do it right, when will you have time to do it over?” You can look at it from the cost perspective too. You're right that NCUA and credit unions have gotten better at it. What a great story it is to be able to placate the concerns of NCUA when they come in to see that you set your program up in a good way. With that, if you were a credit union out there, what would be the 3 or 4 biggest things that you would focus on relative to this whole topic?


I want to be clear. We did not finish our conversation about the AML Act but I want to say about that now, to put that aside because that is not one of my top 3 or 5. If that's the future-facing now, we're going to see how that plays out. There's a lot of worry about what it means. Essentially, it's going to put more pressure on institutions to take a much more nuanced risk-based approach to BSA/AML.

You're going to have to do more work around your risk assessments. You're going to have to make sure that your tools are well-designed and that you are tailoring things so that you can focus on what the real risk is to your institution instead of chasing down all this stuff. Until those laws are written, probably one of the bigger ones is beneficial ownership.


Because of the changes to beneficial ownership, a lot of institutions thought, “We're not going to have to deal with that anymore.” That's not true. Now, those laws are going to run in parallel. That work hasn't stopped but the concern is always that we're going to have to do more. You're not going to have to do more. You’re going to have to do better. With that being said, what I would say to institutions is if it was my institution, my first focus would be on the actual automated AML solution. This is the time to do what I call a metered assessment. It's a combination of a thermometer, a barometer, a seismometer, a speedometer.


It is looking at doing a full temperature pressure speed force duration check on particularly Verafin for credit unions that will expose those immediate critical level gaps in the design and its effectiveness. It allows institutions to formulate a plan around how do we increase efficiency and save time and money and resources, and also save ourselves from regulatory scrutiny. The system is the first thing. You have to get underneath Verafin.


What my experience has been with it is that most institutions have not either set it up correctly and/or are not using it to its full functionality. They are losing some of the benefits. I've been in a couple of credit unions where there are a host of issues. I spent 3 to 4 weeks going in and doing this meter assessment of Verafin. It's a combination of a little bit optimization, calibration and validation. It allows the institution, “Here are all your gaps. Here are the more significant ones.”


Probably the most significant part of reviewing Verafin so thoroughly is one of the things that institutions don't do often enough. It is with this 80 risk score in Verafin. The question is, how do you draw that line at 80? What's going on in the 75 to 79 risk score? Is there something down there that we're missing? A lot of this work will shed light on where are you seeing your activity. There was one credit union where I could see a clear gap. They had nothing between 70 and 79. I could look at them and say, “You don't have to do below-the-line testing because you're not seeing enough activity to warrant it,” which is a huge time-saving.


It's something you don't have to think about quarterly or semi-annually to go in and make sure you're not missing a bunch of stuff. On the flip side, is there something we can stop looking at? Even something that's 95 to 100 does not tell you it's a higher risk. That doesn't mean you're going to be filing SARs on it. There's a lot that comes out of this assessment. We could go into a ton of detail about the things that you look for, but that's first and foremost. That's the system itself.


The bigger questions around Verafin are let's say you have 200 transaction codes in my core and I've only got 190 in Verafin. What's going on with that? Am I missing something? First of all, is all of the activity being accounted for? If it's not being accounted for, where is it housed? For example, some activity is not going to flow between your core and Verafin. Some good examples are you're not going to see a bill exchange that took place. It's transactional but usually, that's captured in a report from a branch that says, “This person is 5,000 in, 5,000 out.”


Depending on how it's keyed, you may not see it. Mortgage loans are another good example. The origination side is fraught with potential laundering and fraud. Yet, you don't see that part of the transaction. What you see are the mortgage payments but you don't see any of the documentation or any of the other red flags that may be present. First of all, there's data that isn't flowing into Verafin. The question is even though we've got this information and we're reviewing it through an alert, what do I know about my member that I have to go out and now pull in manually? Do I have to look at gift cards manually because they're not interfacing with Verafin? Am I getting my wire details? Are the ACH details coming in there? Do I have to go somewhere else and grab them?


The first thing is to understand your universe of what's manual and what's automated, then within that automated space, understanding, is it working well? Are there changes that need to be made? Is it picking up on stuff we don't want it to? Is it missing stuff? Do we have administrative controls over it so that we don't have our staff making changes to parameters? That's a big no. Change management is critical. I would say that's probably about 50% of your problem because everything flows from that.


Bank Secrecy: Anything that fires at a risk score of 80 to 100 is traditionally what most credit unions are looking at.

It's operating at about 80% to 85% of most credit unions. All program is the system. If it's not serving you, we need to get it to serve you. We need to get your staff up to speed and train them on how to navigate Verafin so that they're going through these investigations and alert dispositions very quickly. There are all these little tricks like, why are you assigning this investigator for cash and transfer-out and a bunch of structuring and also transferring cash-out? Give one person all of the cash and transfer-out because then they're thinking about the same thing as an assembly line. Assign them out that way. There are all these little tricks and stuff that we can do to expedite the amount of work that you're able to execute with fewer people in most cases.


Have you done it in a way that's not only coming to a better and a faster conclusion, but a more consistent conclusion? The reality is that we go through these scenarios because there are only about a dozen of them. Four of them are driving most of your alerts. It's those four big ones. I mentioned them a couple of times, Cash and Transfer-Out, otherwise known as CTO, Transfer and Cash-Out is known as TCO, and Transfer-Out is known as TO, and then structuring. Those are the big four. We see the highest percentage of alerts being triggered by those four scenarios.


If you have investigative protocols in place when I do look backs, and I do look backs, you're going through so many transactions and alerts so quickly. You start to see a pattern of how you go about disposing of that. Why aren't you documenting that? Let’s document what we're going to do for all CTO. What are we going to do for TO? What are we going to do for TCO? What are we going to do with structure? What are the questions we want to ask?


You start to formulate a roadmap that people follow so that when you have more than one investigator, you have consistency in your decision making as well. That has been one of the biggest complaints about regulators. Two people are coming to a different conclusion with the same set of facts. The system itself is largely the biggest concern. If you can get that analyzed and have somebody come in and say, “Here are all of the things,” that’s fantastic.


The second part of that then is with these automated solutions, particularly Verafin, one of the things I'm able to identify is if I have concerns that a regulator who is looking at you would say, “We might have a potential five-year look back here.” Nobody wants to hear a five-year look back. Nobody wants to be mandated to go back five years and repopulate every alert that may have been missed and redo investigations and file SARs. It happens a lot. I've done them. What ends up happening is a huge resource drain, money drain, and time drain. I can usually look at the results of this Verafin meter assessment and tell you, “Do we need to do some Self-Initiated Reviews?” I call them SIRs.


I can give you a better gauge of whether or not a regulator has identified an issue, we've got some support to say, “No, we disagree. Here's why. Here's what we found. We did our own review.” Institutions will be like, “We have but if we tell the regulators that, doesn't that set up a red flag?” The argument I've always made, and we started our conversation here, is it's important to have examiners who are rational, logical or reasonable, people that can apply the law and understand it. You don't always get that benefit but when you have one of those people, they truly understand that the point of compliance, and BSA is a compliance function, is to identify issues, correct those issues, and implement processes to prevent those from reoccurring.


That's what compliance is about. When institutions do that, you should be encouraged as an examiner that they're managing compliance the way that they should be. They've made some mistakes. Perhaps they had it over, perhaps there are other reasons for it, but this is what we want them to do. The point isn't to penalize. It's to make sure that the institutions are doing the right things for the monetary system. The other thing I think that institutions don't understand is what's going on with these SARs? What's happening with these? Why are they important?


One of the things I've seen from doing look-backs is how many members have not 2 relationships but 5, 10 different banks they do business with. They have segregated themselves across multiple institutions. You're only getting a small sliver of what that member is doing, generally. You've got this little bit of activity coming in and you're looking at it. You think if that’s suspicious or not. I would share it with people because I want you to think about it like this. You are taking Polaroid pictures of your members. When you send in a SAR, it is like sending a Polaroid picture to FinCEN. If other institutions are also sending in Polaroids on that same member, eventually FinCEN is going to be able to make a movie. They're trying to make the movie.


Our job is to make sure that we are sending the right Polaroid, and that we are not sending in some overly exposed or underexposed junk. That's not going to move their case forward that we are making a good decision. That's why it's critical. The system itself is number one. It will always be number one, and then the self-initiated review to see if we have some issues that were identified. Is that going to cost us a historical review or can we understand?


If we were to do a partial self-initiated review because it's not mandated like a look-back would be, but it's essentially a mini look-back. Let me go into the mini look-back and we'll see what's there. Is there a cause for alarm or concern? If I go in and look at some of the gaps we identified and we're seeing that with every ten I look at, five should have been SARs, then we've got some work to do.


If we complete that work before the regulators identify it, it's no longer a mandated look back. You've already corrected it. Those are the two big things. If I were to go down the list further, I think that another important thing is the risk assessment. Risk assessments for BSA/AML, all too often at credit unions, follow the model form that's found in the FFIEC BSA/AML Examination Manual. It's not a bad model, but it's not intended to be some static event that takes place. If risk assessment is dynamic, the better job you do on your risk assessment, whether that's quantitatively or qualitatively. This isn't just BSA. It's also consumer protection, ACH, fraud, IT, cybersecurity.


Anywhere you're doing a risk assessment, the more time you invest in truly bringing in a robust picture of what's going on in your institution, the more you can focus on the things that matter. A good example of this is on the consumer protection side. You will have a financial institution that says, “Our commercial loans are high risk. We have to look at them annually because flood insurance is high for commercial loans.” I'm like, “Why do you have flood insurance out of your commercial loans? Why don't you pull flood out separately?” It does impact most of your extensions of credit on real estate and looks at flood that way.


Commercial loans have nothing else within them that are high risk. You can move that out to a three-year review and save yourself a ton of time and focus on the issue. You can manipulate the risk assessment to have it move you in the direction you want to go. It can serve you. It can be an asset to you. It doesn't have to be this terrible dark process with dementors flying around, sucking all the joy out of the room. It's your best friend because it allows you to utilize the limited resources, time and money that a lot of credit unions have to focus on the things that are impactful. With the AML Act and this focus now that's going to be coming with an additional risk-based approach, this is going to serve credit unions.


The other thing about that model form is none of the categories is risk-weighted. That means that IRS correspondence is equally weighted to the quality of your compliance program. They're not the same thing. What I like to do with risk assessments is I also risk weight each one of those categories and say, “This one drives about 30% of the result.” That's how important it is. IRS correspondence is less than 5%. Even if I don't get IRS correspondence, that is not driving 10% of my risk score. It is nominal and it should be nominal.


I like to go through and do a fantastic risk assessment so that you could look at your institution to say, “These are the 3, 4 or 5 things that are driving our risk score. Let's get our arms around those. Let's get better mitigating controls in place or perhaps we don't mind our residual risk being a little bit higher but we need to be able to document that and support them.” The risk assessment is critical. It's one of my favorite things to do. I don't care what topic it is.


We all do risk assessments every single day. Do we have locks on our doors? Do we lock our car when we pull through a driveway? Do we live in the country? Do we live in the city? Is it midnight? Is it 6:00 PM? Do we feel a little bit more confident in having our windows open because of the hour of the day or the neighborhood we live in? Do we look at the police reports to see where these people are living? Do we have exposure? Do I cross the street against the light? We are doing it all the time in our heads.


The risk assessment is formalizing it on paper and forcing you to document it. It's one of the best exercises. I love the dynamic nature of it. The other thing that touches the risk assessment, the fourth thing would be change management. That's the most critical thing to an organization. You've got staff changes, personnel changes, service changes, product changes, regulatory changes. What happens at institutions is they don't have a centralized process for bringing in all these changes into a central group of people that represent your institution, the people who are doing the work that can make the decisions. All these changes come in.


This group gets together and says, “Let's tear this apart. Let's figure out who it applies to. Let's come up with an implementation plan to get this distributed out to the organization.” Part of that implementation plan is we have to update policies and procedures and go through a risk assessment. We have to look at our compliance review schedule. We also have to look at the audit. We're going to have to figure out then how do we test this, get it fully executed and implemented, and do that in a way that doesn't exclude someone that needs to be at the table.


Bank Secrecy: We want credit unions to be successful.

A good example of this was when some due diligence became the big thing as part of the USA PATRIOT Act. People started talking about occupation and employer as part of the account opening process. I can assure you that marketing was not at the table when this conversation was taking place. That data is something that a lot of people would want to utilize. When I see that someone is getting a new account and you've got a branch that's saying, “This person is a lawyer,” when you go into the system and pull a report, what you're going to find are 2,000 different ways, attorney and lawyer are interchangeable and abbreviated and misspelled. There is no consistency. When marketing needs to go in and pull a particular segment of your member base because it's going to help either target loan product or advertisement, they can't do it because they weren't included in the conversation about why is this important to you.


How do we make sure that you get what you need? BSA, we know you need it. Branches, we know you need it. Who else needs it? Let's come up with a plan that benefits everybody and make sure that we're doing all the things that we need to do to be successful as an entity, that this is not me versus you. Every single area of every single financial institution is a customer service center. Whoever you are, that's what you do. You provide service to other people that you work with. The question is always, “How can I help you? What can I do?”


It has always been my mantra, communication is the hardest thing that we do every single day and relationship building is the most important. One can destroy the other in a moment. Part of what I do when I go into institutions is not the technical work. That's the easy part for me. It's how do I help you see the culture differently, to see your interactions differently, to see you as one whole unit with three incredible lines of defense that are working together to keep the regulators, the wolves, from coming in. That's ultimately what your collective goal is. Let's build those relationships. Let’s start talking and thinking about ways that we can help each other.


If I could train the branch staff better to deal with a customer or a member who may be structuring and they could get better information from me upfront and reduces me having to send requests for information on the backside. We're helping each other. These are the things I want institutions to be thinking about. We need to get back to the business of helping our members or serving our members. We can't do that if we're fighting about who's more important, back-office or retail, or what you're doing versus what I'm doing and why you're making my life so miserable. We have to understand each other.


There’s so much opportunity at institutions to understand the culture in what they're doing and the people side of the business, that I can't fix the technical long-term if I can't fix the people's side as well. I see this as more of an investment that you get to come out of this with a better program and a different perspective. The passion that lights me up is how do I change the perspective around this so that long-term, it's sustainable because, without sustainability, none of these changes matters anyway. If you don't have the means to sustain it long-term and to capture change and roll it out effectively, you are eventually going to go back to where you were before. That is a terrible use of funds.


That was a long-winded way of saying, “Your system? Potential look back, change management, risk assessment.” If ever I could treat a board of directors on risk management, that to me is also critical. They need to understand and hear it. The benefit that banking boards usually have over credit union boards and supervisory committees is that banking boards get paid a lot of money to show up for the board meetings. A lot of the credit union boards are either volunteers or it's very nominal pay.


These people are doing it because they want to. They feel it's their duty to do it. I would love to help them understand the real-world implications of these things. What are the right questions to ask? What are the things that we should be thinking about and have them understand what risk is and what they can do at the very top to help the credit union be wholly successful and give those members as much money as possible?


Deborah, that's a fantastic summary. There is a lot of information there to unpack. There are a lot of things I might want to follow up on in some separate conversations. While you were getting that summary, I wrote down a few different things. Two of the words you said that I want to highlight here, but something you said reminded me of I think it's a Stephen Covey quote which is, “Seek first to understand, then to be understood.” If you can understand the other side of the equation, the other person in your organization, and what they have to deal with, then you can help them understand what it is that you're trying to do from your discipline.


The other three things I wrote down are words that start with the letter P. It's clear your passion for this topic. I don't think I've ever heard anybody speak so passionately about BSA. I can tell it's important to you. I can tell that you must serve your clients amazingly well. Another word that started with the letter P was push back. You even mentioned that credit unions have to be comfortable to push back. The reality is the credit union should know BSA better than the examiners because they're living it and breathing it every day, which should give them the confidence to push back. If you have the proper systems in place, NCUA will recognize that expertise and will embrace that pushback where the credit union feels it's appropriate to do.


Lastly, this goes to the systems concept. You mentioned Polaroid, as you were going through and describing the systems that are out there that you can use well or you can use poorly, I didn't think of a Polaroid. I thought of an expensive camera that might have 5,000 different things it can do with it. If you buy that camera and the only button you can push is the button that takes the picture and all the settings that are in place, you're going to get that one particular type of photo. You're missing all the other nuances of what it can provide.


It sounds to me what you can bring to the equation when someone hires you is you can explain those other 999 buttons and how it can make you serve your members better, meet the requirements of BSA better, and create a coat of ARMOR around the risks that the credit union is dealing with. Lastly, I want to thank you for your time. I know that when people read this, they might want to reread it because there were a lot of good nuggets in there that you put out there for what credit unions can do. More importantly than that, Deborah, if someone wants to get in touch with you about your services and what you do for financial institutions in general and credit unions in particular, how would they do that?


They can contact me via phone. That number is (917) 370-1008. They can visit my website, which is www.RegulatoryArmor.com. There is a contact form in there, or they can email me directly at DeborahArndell@RegulatoryArmor.com and I'll get back to them very quickly. If I could, Mark, I did want to add. I know that I sometimes don't get invited back to parties because this is the stuff I like to talk about. I wanted to say a little bit more about you mentioned Stephen Covey's comments.


One of the stories I love to tell people is where that statement comes from or where that quote comes from. It was the morning that he was on a subway in New York City. He had come from a meeting and a gentleman and three children got on the subway car with him. They were running around screaming, being loud. At some point, Stephen Covey became so frustrated. He looked at this gentleman and said, "Can you not control your children?" The gentleman looked at him and said, "You're right. I should be. Forgive us. Their mother died this morning."


It's the promise that we create stories about people all the time. If we're going to create that story, we should create one that gives them their humanity that is positive. That's what a lot of this is about. Even in institutions is how do we better understand and appreciate other people and give them value, and not only assume that they're doing things to make our lives more difficult or challenging that people are out to get us or hurt us. That we're all trying to do our jobs. Most of the time, it's a misunderstanding. We can resolve that very quickly with communication and relationships.


You taught me something about Stephen Covey there. I appreciate that. That's a good place to wrap. That's it. Thanks, everybody, for reading. I appreciate you. I hope you'll come back for our next episode. That's a wrap.





About Deborah Arndell


A demonstrated history of working in the financial services industry. Skilled in Enterprise Risk Management, Internal Audit, Banking, Risk Assessments, and Bank Secrecy Act/Anti Money Laundering. Strong professional graduated from William Mitchell College of Law.