Termination of Bank Secrecy Act/Anti-Money Laundering Consent Orders

This is the accessible text file for FDIC OIG report number EVAL-22-002 entitled 'Termination of Bank Secrecy Act/Anti-Money Laundering Consent Orders'.

This text file was formatted by the FDIC OIG to be accessible to users with visual impairments.

We have maintained the structural and data integrity of the original printed product in this text file to the extent possible. Accessibility features, such as descriptions of tables, footnotes, and the text of the Corporation’s comments, are provided but may not exactly duplicate the presentation or format of the printed version.

The portable document format (PDF) file also posted on our Web site is an exact electronic replica of the printed version.

[FDIC OIG logo]

Termination of Bank Secrecy Act/Anti-Money Laundering Consent Orders

December 2021

EVAL-22-002

Evaluation Report

Audits, Evaluations, and Cyber

REDACTED VERSION

PUBLICLY AVAILABLE

The redactions contained in this report are based upon requests from FDIC senior management to protect the Agency’s information from disclosure.

Integrity Independence Accuracy Objectivity Accountability

Executive Summary

Termination of Bank Secrecy Act/Anti-Money Laundering Consent Orders

Money laundering facilitates crimes such as drug trafficking and terrorism by making proceeds from illegal activity appear to be legal. It is estimated that global money laundering is between $800 billion to $2 trillion each year. The Financial Recordkeeping and Reporting of Currency and Foreign Transaction Reporting Act of 1970 often referred to as the Bank Secrecy Act (BSA), and subsequent laws, established anti-money laundering (AML) recordkeeping and reporting requirements for financial institutions. Federal bank regulators play a key role in helping to ensure that banks maintain adequate BSA/AML compliance programs to assist U.S. government agencies in detecting and preventing money laundering. Examining banks for compliance with BSA/AML requirements is an essential element in identifying potential weaknesses in their BSA/AML programs.

When a financial institution is not in compliance with BSA/AML requirements, the Federal Deposit Insurance Corporation (FDIC) may issue a Consent Order—a type of formal enforcement action that bank management agrees to. A BSA/AML Consent Order contains specific provisions for improvements to the bank’s BSA/AML program within a specified period of time. Examiners must review a bank’s progress in addressing Consent Order provisions and recommend termination of the Order when appropriate corrective actions have been taken to resolve Order provisions.

The evaluation objective was to determine whether the FDIC (i) considered factors similar to other Federal bank regulators in terminating BSA/AML Consent Orders; (ii) terminated BSA/AML Consent Orders in accordance with FDIC-established guidance; (iii) monitored FDIC Regional Office termination decision-making to ensure consistency across the Regions; and (iv) documented its actions.

Results

The factors considered by the FDIC to terminate Consent Orders differed from the factors used by the Board of Governors of the Federal Reserve System (Federal Reserve Board) and the Office of the Comptroller of the Currency (OCC). As a result, for one of our sampled Consent Orders, the FDIC and the Federal Reserve Board assessed similar facts about the bank and its holding company, but came to different conclusions regarding the timing for terminating their respective BSA/AML Consent Orders. The Federal Reserve Board maintained its Consent Order for almost [redacted] months longer than the FDIC, while the FDIC terminated its Order and included uncorrected provisions in an informal enforcement action. The issuance and termination of Consent Orders are made public, but informal actions are not public documents. In terminating its Consent Order, the FDIC limited transparency and may have given the public—including bank customers and investors—the impression that the bank had complied with all previously-issued BSA/AML Consent Order provisions.

In addition, for the 10 Consent Orders reviewed in our sample, we found that:

• Six Consent Order terminations appeared to be within FDIC guidance, because the banks addressed provisions prior to termination of the Order.

• For four Consent Order terminations, FDIC guidance did not address how to apply the terms “substantial compliance” and “partially met”. As a result, the FDIC could not be certain that these four Consent Orders were terminated using a consistent interpretation of these terms. It appeared that the four banks partially met at least some of the provisions of these Orders. However, the term “partially met” provides extremely wide latitude to terminate a Consent Order when any portion of it—large or small, significant or insignificant—is met.

Clear guidance is important to ensure that FDIC Regional Offices consistently apply termination guidance to support a coherent, FDIC-wide approach to BSA/AML Consent Order terminations. Without clear guidance, Regional Office personnel may apply their own interpretation to Consent Order termination terminology. Inconsistent implementation of termination standards across Regional Offices could lead to differential treatment of similarly-situated banks depending on the examiners reviewing the bank and the location of the bank within the FDIC’s Regional Office structure.

We also found that termination decisions were not centrally monitored. Monitoring decisions across Regional Offices would serve as an important internal control to identify the potential for inconsistent application of Consent Order termination guidance across Regional Offices.

Further, the FDIC did not did not consistently prepare and maintain in its systems of record documentation to support the monitoring of, and termination decision-making for, BSA/AML Consent Orders. The omitted documentation limited the support for, the FDIC’s BSA/AML Consent Order-related activities. In addition, because the FDIC did not correctly document Consent Order terminations in its enforcement action tracking system the FDIC (1) provided nine incorrect reports to the FDIC Board of Directors concerning enforcement actions; and (2) did not report three BSA/AML Consent Order terminations in a quarterly report to the Financial Crimes Enforcement Network within the Department of the Treasury. The FDIC also did not have adequate controls to identify terminated Consent Orders for publishing, and as a result, did not publish in a timely manner the BSA/AML Consent Order terminations for two banks in our sample population of 40 BSA/AML Consent Orders (5 percent) on its public website, as required by law.

Recommendations

This report contains 10 recommendations that are intended to enhance the FDIC’s BSA/AML Consent Order termination guidance and procedures to promote termination consistency with other Federal bank regulators and across Regions; implement central monitoring of Regional Office decisions; train personnel on documentation and record-keeping guidance; and implement control procedures for ensuring termination reporting is accurate. The FDIC concurred with seven recommendations, partially concurred with two recommendations, and non-concurred with one recommendation.

[End of Executive Summary]

Contents

BACKGROUND

EVALUATION RESULTS

FDIC Factors for Termination Decisions Differed from Other Federal Bank Regulators

Guidance Needed for Terminating Consent Orders Where Banks Are in Partial Compliance

The FDIC Needs a Centralized Process for Monitoring Decisions to Terminate Consent Orders

FDIC Regional Offices Did Not Consistently Document BSA/AML Consent Order Monitoring and Termination Decision-Making

FDIC COMMENTS AND OIG EVALUATION

Appendices

1. Objective, Scope, and Methodology

2. Acronyms and Abbreviations

3. FDIC Comments

4. Summary of the FDIC’s Corrective Actions

Tables

1. OIG Analysis of 10 Sampled Consent Orders Terminated January 1, 2017 through June 30, 2019

2. Terminated BSA/AML Consent Orders January 1, 2017 through June 30, 2019

End of Contents

[FDIC OIG Letterhead; Federal Deposit Insurance Corporation Office of Inspector General, Audits, Evaluations, and Cyber]

December 1, 2021

Subject: Termination of Bank Secrecy Act/Anti-Money Laundering Consent Orders

According to the United Nations Office on Drugs and Crime, the estimated amount of global money laundering in one year is between $800 billion to $2 trillion.1 The Department of the Treasury’s 2018 National Money Laundering Risk Assessment estimated that the amount of money laundering annually in the United States is $300 billion.

Footnote: 1 - The United Nations Office on Drugs and Crime.

The Financial Recordkeeping and Reporting of Currency and Foreign Transaction Reporting Act of 1970,2 often referred to as the Bank Secrecy Act (BSA), and subsequent laws, established anti-money laundering (AML) recordkeeping and reporting requirements for financial institutions. Pursuant to these requirements, banks file reports on currency transactions exceeding $10,000 that identify the source, volume, and movement of currency into and out of financial institutions. These reports assist U.S. government agencies in the detection and prevention of money laundering and income tax evasion. For example, these reports have been found to have “a high degree of usefulness in criminal, tax, or regulatory investigations or proceedings, or in the conduct of intelligence or counterintelligence activities, including analysis, to protect against international terrorism.”3

Footnote: 2 - 31 U.S.C. §§ 5311 et seq.

Footnote: 3 - 31 U.S.C. § 5311.

BSA/AML requirements are also set forth in 31 U.S.C. Section 5318(h), and implementing regulations issued by the Department of the Treasury at 31 C.F.R. Chapter X, Section 1020.210(a) and the FDIC at 12 C.F.R. Part 326, Subpart B (BSA/AML Regulations). The purpose of these laws and regulations is for banks to have compliance programs in place to collect information and file reports concerning customers and financial transactions. Examples of information collected and reported by banks pursuant to the above laws and regulations include:

. Keeping records of cash purchases of negotiable instruments;

. Filing reports of cash transactions exceeding $10,000 (daily aggregate amount); and

. Reporting suspicious activity that might signal criminal activity (e.g., money laundering, tax evasion) in the form of Suspicious Activity Reports.

In addition, in response to the terrorist attacks of September 11, 2001, the Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism Act of 2001 (USA PATRIOT Act) was enacted. The USA PATRIOT Act, among other things, made terrorist financing a crime and required rigorous customer identification. Examples of these requirements include “verifying the identity of any person seeking to open an account to the extent reasonable and practicable; maintaining records of the information used to verify a person’s identity, including name, address, and other identifying information; and consulting lists of known or suspected terrorists or terrorist organizations provided to the financial institution by any government agency to determine whether a person seeking to open an account appears on any such list.”4

Footnote: 4 - 31 U.S.C. § 5318(l).

Federal bank regulators play a key role in helping to ensure that banks maintain adequate, comprehensive BSA/AML compliance programs. Bank compliance programs include policies, procedures, and processes to identify and report currency transactions and suspicious activities, and provide details of these activities to law enforcement.

[Text box]

Formal Enforcement Action: Formal actions are legally enforceable and published on the FDIC website. Examples of formal enforcement actions are Consent Orders or Cease and Desist Orders.

Informal Enforcement Action: Informal actions are voluntary commitments made by a bank’s Board of Directors that are not legally enforceable and are not publicly disclosed or published. Examples of informal enforcement actions are a Bank Board Resolution or a Memorandum of Understanding.

[end of text box]

Examining banks for compliance with BSA/AML requirements is an essential element in identifying potential weaknesses in their BSA/AML programs. Through bank examinations, regulators can make recommendations for BSA/AML program enhancements, or in the case of severe deficiencies, put in place formal or informal enforcement actions to require program improvements and hold banks accountable for implementing and maintaining BSA/AML compliance programs.

A Consent Order is a type of formal enforcement action that is issued by the FDIC. A Consent Order documents that a bank is not in compliance with the BSA/AML requirements. The Consent Order is agreed to by a bank and contains specific provisions for program improvements, usually within a specified period of time. Examiners are instructed to review a bank’s progress in addressing the Consent Order provisions and recommend termination of the Consent Order when appropriate corrective actions have been taken to resolve Order provisions.

Consent Orders are formal administrative actions that are enforceable in U.S. District Courts to stop violations of laws, rules, or regulations and require banks to take actions to correct violations. If a bank fails to comply with a Consent Order, the FDIC can impose civil money penalties, petition a U.S. District Court to enforce the Consent Order, or terminate the bank’s deposit insurance. Where a bank official has caused a bank to violate such a Consent Order, the FDIC can seek to remove the bank official.

When imposed, Consent Orders are made public. These public notifications alert customers, investors, and the banking industry of a bank’s noncompliance with BSA/AML requirements. The public is also notified when a bank’s Consent Order is terminated. Once the FDIC terminates a Consent Order it cannot impose civil money penalties on the bank for failure to comply with the provisions of the Consent Order unless the failure to comply predates the termination. Likewise, upon termination, the FDIC cannot petition a U.S. District Court to enforce the Consent Order on the bank, remove bank officials, or terminate the bank’s deposit insurance for violations of that Consent Order for conduct by the bank post termination.

The FDIC’s process for issuing and terminating Consent Orders is not centralized. Instead, the Regional Offices have delegated authority to issue and terminate Consent Orders and other informal enforcement actions to help ensure banks’ compliance with the BSA/AML requirements outlined in the FDIC’s Formal and Informal Action Procedures Manual (FIAP Manual). 5

Footnote: 5 - In November 2019, this FIAP Manual was retitled Formal and Informal Enforcement Actions Manual. Unless otherwise specified, this report cites the version of the FIAP Manual that was in effect during the OIG’s review.

The evaluation objective was to determine whether the FDIC (i) considered factors similar to other Federal bank regulators in terminating BSA/AML Consent Orders; (ii) terminated BSA/AML Consent Orders in accordance with FDIC-established guidance; (iii) monitored FDIC Regional Office termination decision-making to ensure consistency across the Regions; and (iv) documented its actions.

The FDIC terminated 40 Consent Orders, identified in its system of record as containing BSA/AML provisions, from January 1, 2017 through June 30, 2019.6 We refer to these orders as BSA/AML Consent Orders, Consent Orders, or Order(s) throughout this report. We reviewed 10 of the terminated Consent Orders in detail.

Footnote: 6- One of the FDIC-terminated Consent Orders initially contained BSA/AML and safety and soundness provisions. The FDIC modified that Consent Order in 2013 to remove the BSA/AML provisions. However, the ViSION system continued to identify BSA/AML as a basis for the Consent Order at the time the FDIC terminated the Consent Order in 2019.

We conducted this evaluation in accordance with the Council of the Inspectors General on Integrity and Efficiency’s Quality Standards for Inspection and Evaluation. Appendix 1 includes additional details on our objective, scope, and methodology.

BACKGROUND

Bank Secrecy Act/Anti-Money Laundering (BSA/AML)

According to 31 C.F.R. Chapter X, Section 1020.210 and 12 C.F.R. Part 326, Subpart B, banks must implement and maintain BSA/AML compliance programs that meet the five pillars of BSA/AML. These include, at a minimum:

1. A system of internal controls to assure ongoing compliance;

2. Independent testing for compliance to be conducted by bank personnel or by an outside party;

3. Designation of an individual or individuals responsible for coordinating and monitoring day-to-day compliance;

4. Training for appropriate personnel; and

5. Appropriate risk-based procedures for conducting ongoing customer due diligence.

A bank must also comply with program regulations issued by the bank’s Federal bank regulator. Section 8(s) of the Federal Deposit Insurance Act (FDI Act) requires that the FDIC issue regulations that require any institution it supervises to establish and maintain a BSA/AML compliance program. The FDIC’s regulations require that supervised banks have written BSA/AML compliance programs that are approved by the bank Board of Directors (Board) and noted in bank Board minutes. The purpose of BSA/AML compliance programs is to require that banks identify and keep records of financial transactions to detect and prevent money laundering and other financial crimes.

The Financial Crimes Enforcement Network (FinCEN) within the Department of the Treasury is responsible for implementing, administering, and enforcing compliance with BSA/AML requirements.7 FinCEN serves as a repository of financial transaction data that is used to evaluate emerging trends in money laundering and other financial crimes and to support law enforcement investigations at the Federal, state, local, and international levels. For example, banks must file with FinCEN: (1) electronic Currency Transaction Reports for each transaction in currency of more than $10,000 by or through the bank; and (2) Suspicious Activity Reports when the bank detects a known or suspected criminal violation, a suspicious transaction, or a violation of the BSA. FinCEN also serves as the Financial Intelligence Unit within the United States to receive, analyze, and disseminate financial information concerning potential financial crimes or terrorism or for national legislation or regulation.8

Footnote: 7 - Treasury Order 180-01, Financial Crimes Enforcement Network, Department of the Treasury (July 2014 reaffirmed January 2020).

Footnote: 8 - FinCEN website, What We Do. https://www.fincen.gov/what-we-do.

FinCEN provides support to law enforcement through the collection, analysis, and sharing of financial transaction information.

The Role of Bank Regulators

Bank regulators, such as the FDIC, are required to review a bank’s BSA/AML compliance program during each bank examination.9 The Federal Financial Institutions Examination Council (FFIEC), Federal and State Bank Regulators, and FinCEN developed a Bank Secrecy Act (BSA)/Anti-Money Laundering (AML) Examination Manual (FFIEC BSA/AML Examination Manual). The FFIEC BSA/AML Examination Manual provides core examination procedures to tailor the scope of an examination and plan the examination, assess a bank’s BSA/AML risk, evaluate the BSA/AML compliance program, and develop conclusions about the adequacy of the bank’s BSA/AML compliance program.

Footnote: 9 - 12 U.S.C. § 1818(s)(2).

FDIC Regional Office examiners follow the FFIEC BSA/AML Examination Manual to assess whether FDIC-supervised institutions have adequate BSA/AML compliance programs. BSA/AML examination findings range from compliance deficiencies in an otherwise effective BSA/AML program to citing violations of the BSA/AML and its implementing rules.

Consent Orders

Section 8(b) of the FDI Act authorizes the FDIC to issue Cease and Desist Orders. Such Orders require that the bank stop any violations or non-compliant practices and may also require that the bank take action to correct these practices so that they do not occur in the future. When a bank agrees to the Cease and Desist Order, the Order is referred to as a Consent Order.10 According to a Memorandum of Understanding among Federal bank regulators and FinCEN,11 the FDIC must report to FinCEN statistics on BSA examinations, violations, and enforcement actions, including Consent Orders, and provide detailed information for significant BSA/AML violations or deficiencies.

Footnote: 10 - When a bank agrees or stipulates to the FDIC’s Cease and Desist Order, the bank waives administrative enforcement rights such as a hearing and appeal of the Order.

Footnote: 11 - Memorandum of Understanding between the Board of Governors of the Federal Reserve System, Federal Deposit Insurance Corporation, National Credit Union Administration, U.S. Department of the Treasury’s Financial Crimes Enforcement Network, Office of the Comptroller of the Currency, and Office of Thrift Supervision (September 2004).

Section 8(s) of the FDI Act mandates that bank regulators “shall” issue a formal Cease and Desist Order against any bank that has failed to establish or maintain a BSA/AML compliance program, or has failed to correct any BSA/AML compliance program problem previously reported to the bank. Bank regulators may use their discretion to impose formal or informal enforcement actions for any other BSA/AML compliance program concerns.

The FDIC’s Regional Directors have delegated authority to initiate, monitor, and terminate BSA/AML Consent Orders. The FDIC’s FIAP Manual is intended to provide Regional Offices with a “uniform, consistent approach toward determining the appropriate action against financial institutions and … allow[s] the FDIC to fairly address violations of law and other weaknesses in financial institutions.” The FIAP Manual describes the steps to be followed to initiate and terminate a BSA/AML Consent Order.

Under the FIAP Manual procedures, an Examiner-in-Charge (EIC) drafts a memorandum for the Regional Director that outlines relevant facts supporting a proposed Consent Order. A Regional Office reviewer, discusses the action with the EIC and the Regional Director or Deputy Director.12 A Regional Office Special Activities Case Manager, who is a BSA/AML subject matter expert, may also participate in the discussion.13

Footnote: 12 - Regional Directors Memorandum 2017-006-RMS, Division of Risk Management Supervision (RMS) Delegations of Authority (March 21, 2017 and amended June 28, 2019), describes the delegations of authority for Consent Order terminations to Deputy Regional Directors.

Footnote: 13 - The Case Manager Procedures describes the Special Activities Case Manager review. Regional Directors Memorandum 2015-002-RMS, Enforcement of Bank Secrecy Act/Anti-Money Laundering Requirements (February 2015), also describes consulting a BSA/AML Special Activities Case Manager for pillar violations.

If it is agreed that a Consent Order is warranted, the Regional Office reviewer notifies the bank’s Board. If the Board agrees to the Consent Order, the Regional Office Legal Division personnel review and certify the Consent Order. The Regional Offices are required to provide copies of new Consent Orders, and modifications or terminations of such Orders, to Headquarters Legal personnel and RMS personnel. Headquarters Legal personnel are then required to post these documents on the FDIC’s public website. The Headquarters RMS personnel complete administrative recording of the Consent Order but do not approve or disapprove the Regional Office’s decision to issue the Consent Order. Further, Headquarters RMS personnel are required to report information about Consent Orders that the Regional Office initiated and terminated to the FDIC’s Board of Directors (FDIC Board) on a monthly basis and to FinCEN on a monthly and quarterly basis.

Consent Order Monitoring

FDIC Regional Office staff monitor banks’ compliance with Consent Orders. In addition, Regional Offices provide periodic informational reports to Headquarters containing limited information about a bank’s BSA/AML enforcement actions, including the issuance date of the BSA/AML enforcement actions, the date of the next scheduled examination or visitation, and a summary of BSA/AML areas of concern. Regional Office Case Managers oversee a portfolio of FDIC-supervised banks and play a key role in evaluating whether these banks meet the requirements for Consent Order terminations. Regional Offices use the Case Manager Procedures14 to conduct such oversight. These procedures require the following activities:

. To perform timely, comprehensive reviews of bank progress reports;

. To assess the need for supervisory action before the next scheduled examination; and

. To update the FDIC’s system of record - the Virtual Supervisory Information on the Net (ViSION) system Formal and Informal Action Tracking (FIAT) module15 - to document the receipt, review, and assessment of banks’ progress reports.

Footnote: 14 - Case Manager Procedures, Section 8, Enforcement Actions (April 2016).

Footnote: 15 - FIAT serves as a central source of information about RMS corrective actions.

Where the examiner identified evidence or information regarding a bank’s non-compliance or other concerns with the BSA/AML program, the Case Manager Procedures also requires that Case Managers promptly discuss the concern with bank management and document the concern in a letter to the bank. Significant non-compliance may require an onsite visitation at the bank between scheduled examinations.

Further, Regional Office examiners must assess outstanding Consent Orders during subsequent examinations. The FDIC’s RMS Manual of Examination Policies16 requires that examiners assess outstanding enforcement actions during examinations. Specifically, examiners must document the steps taken by the bank to comply with the Consent Order and the underlying reasons for a bank’s failure to meet any Consent Order provisions. FDIC examiners also must discuss with FDIC Regional Office management whether a new or revised Consent Order would be appropriate. The Report of Examination (ROE) includes the details of each Consent Order’s provisions and bank management’s response to each item.

Footnote: 16 - RMS Manual of Examination Policies, Section 15.1, Formal Administrative Actions (July 2016).

Consent Order Termination

Federal bank regulators have not established interagency guidance for the termination of Consent Orders.17 Therefore, each Federal regulatory agency is responsible for establishing its specific guidance for terminating Consent Orders.

Footnote: 17 - Conversely, interagency guidance has been established for initiating a Consent Order. Joint Statement on Enforcement of Bank Secrecy Act/Anti-Money Laundering Requirements (August 2020).

At the FDIC, Regional Directors may terminate a Consent Order as a result of an examination or other supervisory monitoring. According to the FDIC’s FIAP Manual, FDIC Regional Directors may terminate a Consent Order if any of the following conditions are met:

1. The bank is in material compliance with the action;

2. Deterioration or lack of compliance leads to issuance of a new or revised formal action;

3. The institution merges or is closed;

4. The institution's condition has improved sufficiently and the action is no longer needed;

5. The provisions of the Order have been partially met, and a new formal or informal action has been issued to address the outstanding provisions; or

6. Other changes render the Order unnecessary.

The FDIC’s Case Manager Procedures also states that formal and informal action terminations may occur “when substantial compliance has been achieved or the corrective program has accomplished its intended purpose.”

The FIAP Manual and Case Manager Procedures do not provide specific procedures for the termination of Consent Orders but note that the “procedures for termination are similar to those for initiating” a Consent Order as discussed above.

EVALUATION RESULTS

We concluded that the FDIC’s Consent Order termination guidance differed from other Federal bank regulators. As a result, the FDIC terminated a BSA/AML Consent Order for a bank almost [redacted] months prior to the Board of Governors of the Federal Reserve System (Federal Reserve Board) terminating its BSA/AML Consent Order for the bank’s holding company based on similar facts.

We also found that for 6 of our 10 sampled Consent Orders, the FDIC’s decision to terminate the BSA/AML Consent Order appeared to fall l within the FDIC’s established termination guidance, as noted in the FDIC’s FIAP Manual and Case Manager Procedures. For four Consent Order terminations, FDIC guidance did not address how to apply the terms “substantial compliance” and “partially met”. As a result, the FDIC could not be certain that these four Consent Orders were terminated using a consistent interpretation of these terms. It appeared that the four banks partially met at least some of the provisions of these Orders. However, the term “partially met” provides extremely wide latitude to terminate a Consent Order when any portion of it—large or small, significant or insignificant—is met.

In addition, FDIC termination decisions were not centrally monitored to ensure consistent application of Consent Order termination guidance across FDIC Regional Offices. Further, the FDIC did not did not consistently prepare and maintain in its systems of record documentation to support the monitoring of and termination decision-making for BSA/AML Consent Orders.

FDIC Factors for Termination Decisions Differed from Other Federal Bank Regulators

The factors that the FDIC used in making Consent Order termination decisions differed from the factors used by the other Federal bank regulators. The other Federal bank regulators’ policies limit situations in which they terminate Consent Orders and include uncorrected provisions in informal actions. Their policies also require that banks demonstrate compliance with Consent Order provisions over a sufficient period of time. Additionally, we interviewed Federal Reserve Board personnel and their stated practices aligned with policy requirements.18 In contrast, FDIC policies do not limit the inclusion of uncorrected provisions into informal actions nor do they require that a bank show sustained compliance with Order provisions before termination. As a result, the FDIC’s Consent Order termination policies are not aligned with other Federal bank regulators.

Footnote: 18 - We did not, however, review underlying samples of Consent Order terminations from the Federal Reserve Board and the OCC.

The Federal Reserve Board’s policy on Consent Order termination states that “[a]n enforcement action may be terminated when the Reserve Bank and Board concur that the bank has demonstrated compliance with the action over a sufficient period of time and has demonstrated significant improvement in the areas in which the bank was experiencing a problem.” Federal Reserve Board officials stated that they consider a “sufficient period of time” to be at least one examination cycle (generally 12-18 months), to validate the remediation and sustainability.

Further, Federal Reserve Board officials stated that they generally do not terminate BSA/AML Consent Orders until all Order provisions are met and therefore do not use informal enforcement actions with Consent Order terminations. Federal Reserve Board officials advised that public transparency is the driving factor behind their decision to require full compliance with BSA/AML Consent Orders. The Federal Reserve Board officials stated that they do not use informal enforcement actions to terminate Consent Orders as they do not want to give the public a false impression that Order provisions have been met when, in fact, some portion of the Order provisions have been included in an informal enforcement action.

We also reviewed the Consent Order termination criteria used by the OCC. The OCC’s Bank Enforcement Actions and Related Matters (November 2018) states that an enforcement action should not be terminated unless (i) the bank is in compliance with all articles of the enforcement action; (ii) the OCC determines that articles deemed “not in compliance” have become outdated or irrelevant to the bank’s current circumstances; or (iii) the articles deemed “not in compliance” were incorporated into a new enforcement action.

OCC policy clarifies that “a [Consent Order] article must not be deemed in compliance simply because the board and management have made progress or a good faith effort toward complying with the article.” Further, Consent Order articles that are pending examiner validation19 are not considered to be in compliance. Finally, the OCC policy notes that the replacement of a formal Consent Order with an informal enforcement action should be used under limited exceptions. These exceptions include “when the bank’s condition and risk profile have significantly improved and the severity of the existing enforcement action is inconsistent with the nature and extent of the bank’s condition, risk profile, and deficiencies.”

Footnote: 19 - Pending validation means examiners verified that management implemented the corrective actions, but insufficient time has passed for the bank to demonstrate sustained performance under the corrective actions, examiners have not validated the sustainability of the corrective actions, or examiners determine additional testing is warranted.

Federal Bank Regulators Came to Different Conclusions on One Sampled Consent Order

For one of our sampled Consent Orders, we found that the FDIC Region A Regional Office and the Federal Reserve Board came to different conclusions concerning the severity of uncorrected BSA/AML Consent Order provisions that the FDIC included in an informal enforcement action. The FDIC was the regulator of this bank, and the Federal Reserve Board was the regulator of the bank’s holding company.

The FDIC Region A Regional Office and the Federal Reserve Board initiated contemporaneous companion BSA/AML Consent Orders in [redacted] and [redacted] respectively, based on the same examination findings. Although the FDIC’s Consent Order was directed to the bank and the Federal Reserve Board’s Consent Order20 was directed to the holding company, the purpose of both Orders was to address similar weaknesses in the bank’s BSA/AML compliance program. For example, both Orders required improvements to internal controls, policies, procedures, and processes with respect to customer due diligence and suspicious activity monitoring and reporting.

Footnote: 20 - The Board of Governors of the Federal Reserve System’s (FRB) formal title for its Consent Order is Cease and Desist Order Issued Upon Consent.

The FDIC terminated its BSA/AML Consent Order in [redacted], by including uncorrected provisions in an informal enforcement action. By contrast, the Federal Reserve Board waited almost [redacted] months more before terminating its Consent Order in [redacted], in accordance with its policy of requiring sustained compliance with the Order. This policy requires terminating its Consent Order only after confirming the bank has made all of the corrections and can show that they are sustainable.

The uncorrected BSA/AML provisions that the FDIC included in an Informal enforcement action involved an upgrade and change to [redacted] systems that had not been tested or validated by the bank, as required by the Order provisions. The bank used one system to risk-rate bank customers for money laundering and the other system to monitor and report suspicious activity. These systems were critical for the bank’s BSA/AML compliance program [redacted]21 Timely and accurate reporting of this information is critical for FinCEN’s assessment of the risk of money laundering, tax evasion, or other criminal activities.

Footnote: 21 - Suspicious Activity Reports are reports that BSA/AML regulations require financial institutions to file when they suspect transactions involve money laundering, tax evasion, or other criminal activities.

The FDIC terminated the Consent Order and included uncorrected provisions in an informal enforcement action in [redacted] because, according to the FDIC, bank management had “substantially complied with many of the provisions” and had notified the FDIC that “it was committed to the timely correction of the remaining issues.”

Federal Reserve Board officials, however, stated that they did not terminate the FRB Consent Order until almost [redacted] months later because the remaining remediation work for the enterprise-wide compliance program with respect to compliance with the BSA/AML requirements had not yet been implemented, and therefore, the enterprise had not demonstrated that the systems were tested as required by the Consent Order. Further, Federal Reserve Board officials stated that they generally do not terminate Consent Orders and include uncorrected provisions in informal enforcement actions, as such an inclusion would give the false impression to the public that upon termination, the bank had corrected all Consent Order provisions.

Although both Consent Orders and informal enforcement actions move banks towards correcting existing problems; there are important implications when a Consent Order is terminated and uncorrected provisions are included in an informal enforcement action. The initiation and termination of FDIC Consent Orders are published on the FDIC’s website, but informal actions are not made public.

Therefore, in terminating Consent Orders and replacing them with an informal enforcement action, the FDIC limits transparency and may give the public—including bank customers and investors—the impression that the bank has complied with all previously-issued BSA/AML Consent Order provisions. Specifically, when entering into transactions with the bank, current and potential bank customers and investors may have a false impression that the removal of a BSA/AML Consent Order is an indication that the bank has resolved all of its issues and the Federal bank regulators have validated and verified that previously disclosed problems with the bank’s BSA/AML compliance program have been corrected.

When there are differences among the guidance and processes used by Federal bank regulators, they may decide to harmonize processes and issue joint statements to clarify regulatory treatment. For example, in July 2007 and again in August 2020, Federal bank regulators issued joint statements to clarify the circumstances in which the Federal bank regulators must initiate mandatory BSA/AML enforcement actions and when they may use their discretion to address BSA/AML compliance program deficiencies.22 These joint statements were issued in response to concerns expressed by the banking industry about the potential for Federal bank regulators to apply different standards when taking enforcement actions. The joint statements described circumstances under which bank regulators would issue mandatory Cease and Desist Orders under the terms of Section 8(s), and clarified that bank regulators had formal and informal enforcement authority to address other BSA/AML concerns.

Footnote: 22 - Interagency Statement on Enforcement of Bank Secrecy Act/Anti-Money Laundering Requirements (July 2007) and the Joint Statement on Enforcement of Bank Secrecy Act/Anti-Money Laundering Requirements (August 2020).

A similar joint statement regarding terminations of Consent Orders could reduce disparate treatment of banks based upon their regulator’s policies, guidance, and processes. It would also support the goals of promoting effective BSA/AML compliance programs and consistent treatment by Federal bank regulators.

Recommendations

We recommend that the Director, RMS:

1. Develop and implement BSA/AML Consent Order termination policies and procedures to better align with those of the other Federal bank regulators to promote consistency in terminating BSA/AML Consent Orders.

2. Coordinate with other Federal bank regulators to pursue the issuance of joint guidance that promotes consistency in terminating BSA/AML Consent Orders, including factors such as defining key terminology; demonstrating compliance with a Consent Order over a sufficient period of time; and identifying circumstances to issue an informal enforcement action after terminating a BSA Consent Order.

Guidance Needed for Terminating Consent Orders Where Banks Are in Partial Compliance

According to the FDIC’s FIAP Manual, FDIC Regional Directors may terminate a Consent Order if all provisions are addressed by the bank, or if any of the following conditions are met:

1. The bank is in material compliance with the action;

2. Deterioration or lack of compliance leads to issuance of a new or revised formal action;

3. The institution merges or is closed;

4. The institution's condition has improved sufficiently and the action is no longer needed;

5. The provisions of the Order have been partially met, and a new formal or informal action has been issued to address the outstanding provisions; or

6. Other changes render the Order unnecessary.

The FDIC’s Case Manager Procedures also states that FDIC personnel should terminate formal actions when the bank has achieved “substantial compliance”, or when the corrective program has accomplished its intended purpose. The FDIC guidance does not define these key terms - “material compliance,” “partially met,” and “substantial compliance,” – and therefore, they were subject to interpretation by FDIC personnel.23 These terms do not clearly convey the basis for the termination actions taken by the FDIC and inconsistent interpretation across the Regional Offices could result in differential treatment of similarly-situated banks.

Footnote: 23 - The FDIC eliminated use of the term ‘material compliance” in its Formal and Informal Enforcement Actions Manual (November 2019) termination guidance and replaced it with ‘substantial compliance.”

Further, FFIEC BSA/AML Examination Procedures require that examiners reach conclusions about a bank’s BSA/AML program as a whole at the conclusion of the examination. Specifically, the examiners must “[f]ormulate conclusions about the adequacy of the bank’s BSA/AML compliance program, relative to its risk profile, and the bank’s compliance with BSA regulatory requirements.” [Emphasis added.] The FFIEC guidance indicates that an adequate program must meet the requirements for establishing and maintaining an effective BSA/AML program. As mentioned previously, these requirements refer to the regulatory five-pillars of BSA/AML programs.”

Table 1 below lists the 10 Consent Orders in our sample, the FDIC’s assessment of the bank’s BSA/AML program at the termination of the Consent Order, the status of Consent Order provisions at termination, and whether the FDIC issued an informal action or recommendations to address the remaining Consent Order provisions.

[table]

Table 1: OIG Analysis of 10 Sampled Consent Orders Terminated January 1, 2017 through June 30, 2019

Table Header: Region, Bank; All provisions addressed; BSA/AML Program at Termination***; Included in an Informal Enforcement Action or Recommendations

Row 1; 1. Region A Bank 1; All provisions addressed: no; BSA/AML Program at Termination***: Needs further improvement to be fully satisfactory; Included in an Informal Enforcement Action or Recommendations: Informal Enforcement Action

Row 2; 2. Region B Bank 2; All provisions addressed: yes; BSA/AML Program at Termination***: Satisfactory; Included in an Informal Enforcement Action or Recommendations: n/a

Row 3; 3. Region C Bank 3; All provisions addressed: yes; BSA/AML Program at Termination***: Satisfactory; Included in an Informal Enforcement Action or Recommendations: n/a

Row 4; 4. Region D Bank 4; All provisions addressed: No; BSA/AML Program at Termination***: Satisfactory; Included in an Informal Enforcement Action or Recommendations: Informal Enforcement Action

Row 5; 5. Region E Bank 5; All provisions addressed: No; BSA/AML Program at Termination***: Satisfactory; Included in an Informal Enforcement Action or Recommendations: Informal Enforcement Action

Row 6; 6. Region B Bank 6; All provisions addressed: No; BSA/AML Program at Termination***, Satisfactory*; Included in an Informal Enforcement Action or Recommendations: Recommendations

Row 7; 7. Region E Bank 7; All provisions addressed: Yes; BSA/AML Program at Termination***: Satisfactory; Included in an Informal Enforcement Action or Recommendations: n/a

Row 8; 8. Region A Bank 8; All provisions addressed: Yes; BSA/AML Program at Termination***: Satisfactory; Included in an Informal Enforcement Action or Recommendations: n/a

Row 9; 9. Region D Bank 9; All provisions addressed: Yes; BSA/AML Program at Termination***: Satisfactory; Included in an Informal Enforcement Action or Recommendations: n/a

Row 10; 10. Region A Bank 10; All provisions addressed: Yes; BSA/AML Program at Termination***: Marginally Satisfactory**; Included in an Informal Enforcement Action or Recommendations: n/a

Source: OIG analysis of FDIC ROEs and supporting documentation.

* The Bank 6 Consent Order was amended to eliminate BSA provisions but was not terminated because of outstanding safety and soundness issues.

** The Bank 10 Consent Order was terminated when all provisions were met. The examination found new issues that placed the bank’s BSA/AML program as a whole as marginally satisfactory.

*** FDIC examinations use the term “satisfactory” to equate to “adequate.”

[end of table]

For 6 of 10 sampled Consent Orders, the terminations appeared to be within the parameters of FDIC guidance, because the banks addressed provisions prior to termination of the Consent Orders. For 4 of the 10 sampled Consent Orders, the FDIC terminated the BSA/AML Consent Orders before the banks had addressed all provisions of the Consent Order. 24 The examiners’ justification for three terminations was that the banks had “substantially complied” with the Order provisions and for one termination the justification was that the BSA/AML program as a whole was adequate. FDIC executives subsequently represented that in these four instances, the Consent Order provisions had been partially met and that the FDIC had taken other actions to address the outstanding provisions.

Footnote: 24 - The Consent Order for one bank was amended to eliminate BSA provisions but was not terminated because of outstanding safety and soundness issues. Uncorrected provisions were included as recommendations in the ROE.

FDIC guidance did not address how its personnel would apply the terms, “substantial compliance” and “partially met.” As a result, the FDIC could not be certain that these four Consent Orders were terminated using a consistent interpretation of these terms. It appears that the four banks partially met some of the provisions of the Consent Orders—meaning some portion of the provisions, but fewer than all of them. However, the term, “partially met,” provides extremely wide latitude to terminate a Consent Order when any portion of it—large or small, significant or insignificant— is met.

The GAO’s Standards for Internal Control in the Federal Government stress the importance of using clear terminology. Specifically, GAO states that management should “define objectives in specific and measureable terms … [that] are fully and clearly set forth so they can be easily understood.” Accordingly, guidance should provide clarity on whether the terms, “substantial compliance” and “partially met,” should be assessed using quantitative or qualitative analysis, or some combination of both.

Guidance should also address how to assess the nature or severity of the corrected and uncorrected Order provisions. Further, guidance should indicate how to apply these terms when a Consent Order covers multiple areas. For example, if an Order had both BSA/AML and safety and soundness provisions, it was not clear whether BSA/AML provisions were viewed separately or collectively with the safety and soundness provisions to measure “substantial compliance” or to determine if an Order was “partially met”.

The wide latitude to interpret “substantial compliance” and “partially met” allowed for the termination of one bank’s Consent Order, even though the FDIC examiners recognized that the bank’s BSA/AML compliance program “needs further improvement to be fully satisfactory.” Specifically, the FDIC examiners found that the bank had not tested or validated two information technology systems used to risk-rate bank customers for money laundering and monitor and report suspicious activity. Although this bank may have partially met Consent Order provisions under FDIC guidance, the bank did not have an “adequate” program to combat money laundering and terrorist financing, and thus the termination appeared to be contrary to the primary objective of the BSA/AML regulations. In fact, the FDIC examiners concluded that “additional remediation of internal control weakness is required for the BSA/AML program to be fully satisfactory.”

Further, this is the same bank discussed in our prior finding where the Federal Reserve Board did not terminate its companion Consent Order. The Federal Reserve Board maintained its Consent Order, because the bank holding company had not yet been subject to enterprise-wide remediation in order to ensure compliance with BSA/AML requirements.

When a Consent Order is issued, the Order is posted for the American viewing public on the FDIC’s website. When it is terminated, the termination of the Consent Order is also posted on the FDIC’s website, even though the termination may be based only on “partial compliance” by the bank. As a result, such action may give the inaccurate impression that the provisions of a Consent Order have been fully met, and that the bank is in compliance with BSA/AML regulations. The FDIC’s informal enforcement actions are not communicated to the public or on the FDIC’s website. Indicating that a Consent Order has been terminated on the FDIC website represents to the public—bank customers and investors— that Order provisions have been corrected, when, in actuality, some of the provisions may not have been fully corrected.

The FDIC has delegated authority for Consent Order terminations to Regional Directors. Regional Office personnel use their professional judgment to apply FDIC Consent Order termination guidance to the facts and circumstances of banks’ BSA/AML programs. Clear guidance is important to ensure that the FDIC Regional Offices consistently apply the FDIC’s BSA/AML Consent Order termination requirements to support a coherent, FDIC-wide approach to BSA/AML Consent Order terminations.

Absent clear guidance, Regional Office personnel may apply their own interpretation to Consent Order termination terminology. As a result, the application of the terms, “material compliance,” “partially met,” and “substantial compliance” can be broadly construed so that it does not clearly convey the reason for the action taken by the FDIC. Inconsistent implementation of termination standards across Regional Offices could lead to differential treatment of similarly-situated banks depending on the examiners reviewing the bank, their discretionary judgment, and the location of the bank within the FDIC’s Regional Office structure.

Recommendations

We recommend that the Director, RMS:

3. Define FDIC guidance and terminology regarding the circumstances when it is appropriate to terminate BSA/AML Consent Orders. This guidance should indicate how FDIC personnel are to measure and assess the terms, “substantial compliance” and “partially met,” in a clear and consistent manner, when determining whether to terminate BSA/AML Consent Orders.

We recommend that the Director, RMS, in coordination with the FDIC General Counsel:

4. Identify on the FDIC’s website which Consent Orders were terminated when the bank partially complied with the original provisions. This should include noting which Consent Order provisions remained uncorrected after termination.

The FDIC Needs a Centralized Process for Monitoring Decisions to Terminate Consent Orders

The Government Accountability Office Standards for Internal Control in the Federal Government25 (GAO Internal Control Standards) provides benchmarks for use by Federal policymakers and program managers that stress the importance of management’s ongoing monitoring to achieve program objectives. These monitoring activities include, for example, “regular management and supervisory activities, comparisons, reconciliations, and other routine actions.”

Footnote: 25 - GAO, Standards for Internal Control in the Federal Government (GAO-14-704G) (September 2014).

The FDIC’s policies and procedures did not require that RMS Headquarters personnel oversee or review Regional Office BSA/AML Consent Order termination decisions. The FIAP Manual and Case Manager Procedures include certain recordkeeping requirements for RMS Headquarters personnel to complete after Regional Office BSA/AML Consent Orders are terminated. These recordkeeping requirements, however, do not affect the Regional Offices’ BSA/AML Consent Order termination decisions and do not require that RMS Headquarters personnel monitor or assess Regional Office BSA/AML Consent Order termination decisions. Further, while RMS conducts triennial internal control reviews of a sample of Regional Office supervisory decisions, these reviews are not specific to BSA/AML Consent Order terminations and are completed on a Region-by-Region basis rather than cross-Regionally. As a result, the FDIC does not conduct centralized reviews across Regional Offices to ensure consistent application of BSA/AML Consent Order termination guidance throughout the country.

We reviewed information for the 40 BSA/AML Consent Order terminations completed between January 1, 2017 and June 30, 2019, and we assessed how often Consent Orders were terminated and informal actions were imposed. As shown in Table 2, 17.5 percent (7 of 40) of all FDIC BSA/AML Consent Order terminations involved the Regional Office’s use of an informal enforcement action. However, the Region A Regional Office terminated Consent Orders using informal actions at a greater rate than other Regional Offices, accounting for 4 of 7 (57 percent) of all FDIC Consent Order terminations provisions included in an informal action.

[table]

Table 2: Terminated BSA/AML Consent Orders January 1, 2017 through June 30, 2019

Table Header: Regional Office*; Termination Without Informal Action; Termination With Inclusion in an Informal Action; Total; Percentage of Terminations Without Inclusion in an Informal Action by Regional Office; Percentage of Terminations With Inclusion in an Informal Action by Regional Office

Row 1; Region A; Termination Without Informal Action: [Redacted]; Termination With Inclusion in an Informal Action: [redacted]; Total: [redacted]; Percentage of Terminations Without Inclusion in an Informal Action by Regional Office: 64% ; Percentage of Terminations With Inclusion in an Informal Action by Regional Office: 36%

Row 2; Region D; Termination Without Informal Action: [Redacted]; Termination With Inclusion in an Informal Action [redacted]; Total: [redacted]; Percentage of Terminations Without Inclusion in an Informal Action by Regional Office: 86% ; Percentage of Terminations With Inclusion in an Informal Action by Regional Office: 14%

Row 3; Region E; Termination Without Informal Action: [Redacted]; Termination With Inclusion in an Informal Action [redacted]; Total: [redacted]; Percentage of Terminations Without Inclusion in an Informal Action by Regional Office: 83% ; Percentage of Terminations With Inclusion in an Informal Action by Regional Office: 17%

Row 4; Region B; Termination Without Informal Action: [Redacted]; Termination With Inclusion in an Informal Action [redacted]; Total: [redacted]; Percentage of Terminations Without Inclusion in an Informal Action by Regional Office: 90% ; Percentage of Terminations With Inclusion in an Informal Action by Regional Office: 10%

Row 5; Region C; Termination Without Informal Action: [Redacted]; Termination With Inclusion in an Informal Action [redacted]; Total: [redacted]; Percentage of Terminations Without Inclusion in an Informal Action by Regional Office: 100% ; Percentage of Terminations With Inclusion in an Informal Action by Regional Office: 0%

Row 6; Totals; Termination Without Informal Action: [Redacted]; Termination With Inclusion in an Informal Action [redacted]; Total: 40; Percentage of Terminations Without Inclusion in an Informal Action by Regional Office: 82.50% ; Percentage of Terminations With Inclusion in an Informal Action by Regional Office: 17.5%

Source: OIG summary of the FDIC’s BSA/AML Consent Order terminations.

* The Kansas City Regional Office did not have any BSA/AML Consent Order terminations during our review period.

[end of table]

Additionally, the Region A Regional Office terminated Consent Orders and imposed informal enforcement actions for 36 percent [redacted] of all the terminations in the Region A Regional Office. By comparison, the Region C Regional Office terminated all Consent Orders without using informal enforcement actions and the Region D, Region E, and Region B Regional Offices terminated Consent Orders using informal enforcement actions at a much lower rate, between 10 and 17 percent.

The FDIC is responsible for BSA/AML Consent Order terminations across all FDIC-supervised banks. Regional Offices were delegated the authority to make Consent Order termination decisions without centralized monitoring by RMS Headquarters to ensure consistent application of FDIC-wide Consent Order termination guidance.

Monitoring decisions across Regional Offices would serve as an important internal control to identify the potential for inconsistent application of Consent Order termination guidance across Regional Offices. For example, the data may indicate that some Regional Offices are choosing to require that supervised banks fully comply with an Order before termination while other Regional Offices may allow for the termination of Consent Orders before all provisions are corrected with the inclusion of uncorrected provisions into informal enforcement actions. In these instances, there is the potential for similarly-situated banks to be treated differently for purposes of BSA/AML Consent Order terminations based on their geographic location within the FDIC’s Regional Office structure.

Through monitoring, the RMS Headquarters Office could also initiate targeted internal control reviews based on termination data to understand the underlying facts concerning data anomalies across Regional Offices and make required adjustments. Monitoring could indicate the need to strengthen guidance or training when Regional Office decision-making indicates differential treatment. Further, monitoring may serve as an additional control to detect potential regulatory capture. GAO defines regulatory capture as “when regulators act in the interest of the regulated industry, rather than in service of the public good. This can be a problem in banking regulation, where regulators may be swayed by future job offerings and more.”26

Footnote: 26 - GAO, Bank Supervision: FDIC Could Better Address Regulatory Capture Risks (September 2020).

Recommendation

We recommend that the Director, RMS:

5. Develop and implement FDIC Headquarters procedures for monitoring Regional Office decisions to terminate BSA/AML Consent Orders to ensure consistent treatment of similarly-situated banks and application of program requirements across all Regional Offices.

FDIC Regional Offices Did Not Consistently Document BSA/AML Consent Order Monitoring and Termination Decision-Making

GAO Internal Control Standards require that management maintain effective documentation of all transactions and other significant events in a manner that allows the documentation to be readily available for examination. In addition, management should design control activities so that all transactions are recorded completely, accurately, and. promptly to maintain their relevance and value to management in controlling operations and making decisions.

Regional Office personnel did not consistently prepare and maintain in the Regional Automated Document Distribution and Imaging System (RADD) documents to support monitoring of, and termination decision-making for, BSA/AML Consent Orders. In addition, Regional Office personnel did not consistently document information about BSA/AML Consent Orders in the ViSION system FIAT module. According to the GAO, effective documentation is important because it provides a means to retain organizational knowledge and to communicate that knowledge, as needed, to external parties, such as external auditors.

Incomplete Documentation of FDIC Activities

We found that the Regional Offices did not always document BSA/AML Consent Order monitoring and termination decision-making by RMS personnel in accordance with FDIC procedures. Monitoring and decision-making activities included responding to progress reports, conducting visitations, assessing BSA/AML violations, and recommending Consent Order terminations. The omitted documentation limited the support for the FDIC’s BSA/AML Consent Order monitoring and termination decision-making.

Reviewing Progress Reports. The FDIC Case Manager Procedures states that Case Managers should “perform a timely, comprehensive review of each quarterly progress report to assess and document the institution’s compliance with the enforcement action [consent order].” When reviewing bank Consent Order progress reports, “Case Managers should acknowledge receipt of the progress report by letter.” In addition, “Case Managers are expected to provide meaningful feedback to the institution in a follow-up letter and in discussions with the institution’s management.”

RMS personnel did not consistently acknowledge or respond to BSA/AML Consent Order progress reports in a timely manner.27 For one sampled Consent Order [redacted], the FDIC did not retain documentation that it acknowledged or responded to 8 of 11 (73 percent) progress reports. Timely and meaningful FDIC feedback can facilitate prompt and effective corrective action by bank personnel to address BSA/AML Consent Order provisions.

27 The FDIC Case Manager Procedures does not specify a timeframe for the response.

Conducting Visitations. Regional Directors (RD) Memo 2012-016-RMS, Meetings, Visitations, Limited-Scope Examinations, and Quarterly Progress Reports Related to Risk Management Corrective Programs (November 2012), states that:

[L]imited-scope examination or visitation activities generally should be scheduled within six months after an enforcement action is issued to evaluate an institution’s progress in addressing the corrective program. Where a decision is made to forgo or delay the interim on-site activity, the reasons should be documented in the [Regional Office] files.

For one sampled Consent Order [redacted], RMS personnel could not locate documentation to support the FDIC’s decision to forego a visitation within 6 months of issuing a BSA/AML Consent Order.

Assessing Violations. Per interagency guidance,28 a violation of a required BSA/AML Compliance Program element that is substantially the same in consecutive examinations may warrant a Consent Order to prompt compliance by the bank. The FDIC refers to such violations as “repeat pillar violations.”

28 Interagency Statement on Enforcement of Bank Secrecy Act/Anti-Money Laundering Requirements (July 2007).

For one Region A Region Consent Order [redacted], RMS personnel did not adequately document the rationale for excluding one of the bank’s business lines from the BSA examination results [redacted]. The work papers from this examination concluded that the bank had a repeat pillar violation related to the Customer Information Program for this business line, which potentially would have required the BSA/AML Consent Order for the bank to remain in place. However, the report of examination stated that the Customer Information Program for the business line “is not considered in this assessment and will be handled outside of this Report.”

The FDIC’s decision to exclude this business line from the BSA Compliance Program examination results likely influenced the FDIC’s decision to terminate the BSA/AML Consent Order for this bank [redacted] and include uncorrected provisions in an informal enforcement action. Therefore, additional documentation of this decision would have provided clear support for the FDIC’s actions.

In addition, RMS guidance29 states that examiners should document decisions not to recognize a violation of the same pillar section as a repeat pillar violation. For one sampled Consent Order [redacted], the FDIC did not retain in RADD a memorandum documenting the reasons why the FDIC concluded, for the examination [redacted], that a consecutive violation of the same pillar for the bank was not a repeat pillar violation. Such documentation is important, because examiners disagreed as to whether this pillar violation should be considered “repeat,” and as noted above, a repeat pillar violation may warrant a Consent Order.

Footnote: 29 - Regional Directors’ Memorandum 2015-003-RMS, Monitoring and Tracking of BSA/AML Problem Institutions (February 2015); [redacted] Region BSA/AML Policies and Procedures (July 2015).

At our request, RMS personnel located this memorandum in other Regional Office records. However, the FDIC should retain such important documents in the official repository for protection from loss when related RMS personnel depart the FDIC and to ensure they are readily available for review.

Recommending Consent Order Termination. Regional Directors Memorandum 2013-008-RMS, Scanning Policy for Electronic Workpaper Documentation (September 2013), states that “[e]xaminers should manage and store electronic documents using the . . . Regional Automated Document Distribution and Imaging System.” According to the FIAP Manual, Chapter 5, an important document is the Recommendation Memorandum that describes and supports the reasons for terminating a Consent Order. For one sampled Consent Order [redacted], the FDIC did not retain in RADD a copy of the Recommendation Memorandum describing and supporting the reasons for terminating the Consent Order.

At our request, RMS personnel located this memorandum in other Regional Office records. However, the FDIC should retain such important documents in the official repository for protection from loss when related RMS personnel depart the FDIC and to ensure they are readily available for review.

Incomplete Information in FDIC Systems

Consent Order Provisions. FDIC Case Manager Procedures states that Case Managers should “ensure enforcement action provisions are appropriately represented in each FIAT record when the enforcement action is finalized.” The FIAP Manual states that Regional Office Reviewers “are responsible for ensuring that tracking records are created and updated in FIAT in a timely manner.”

For two sampled Consent Orders [redacted], the Case Manager did not record all Consent Order provisions in FIAT, which hinders RMS personnel’s ability to monitor a bank’s compliance with the requirements included in each provision. For example, for one sampled Consent Order [redacted], the Case Manager did not record the progress report provision in FIAT, and therefore, FIAT did not create a progress report tab for the Case Manager to use to track the receipt and assessment of Consent Order progress reports.

Consent Order Progress Reports. The FDIC Case Manager Procedures states that Case Managers are “responsible for updating [the] FIAT module of ViSION in a timely manner to document receipt, review, and assessment of progress reports.”

For one of two sampled Consent Orders [redacted], the Case Manager did not record in FIAT the receipt date, review date, and/or assessment of the bank’s response for any of the bank progress reports related to the Consent Order because, as noted above, the Case Manager did not record the progress report provision in FIAT. For the other sampled Consent Order [redacted], the Case Manager did not record in FIAT the receipt date, review date, and/or assessment of the bank’s response for two of the five bank progress reports.

Not recording information regarding the review and follow-up on Consent Order progress reports in FIAT hinders RMS personnel’s ability to monitor a bank’s compliance with the requirements of the Consent Order. Effective monitoring helps the FDIC determine whether to terminate the Consent Order.

Consent Order Terminations. The FIAP Manual states that the Regional Office Reviewer is “responsible for ensuring that all appropriate updates are made to the FIAT record at the RO [Regional Office] level in a timely manner.” The manual identifies two codes that FDIC personnel can use to identify a Consent Order termination action. The RMS Director is required to report monthly to the FDIC Board the enforcement actions taken under delegated authority during the prior month. The report includes Consent Order terminations identified in the ViSION system FIAT records.

We found that RMS did not correctly record in the ViSION system FIAT module 7 of the sample population of 40 (17.5 percent) Consent Order terminations during the period January 1, 2017 through June 30, 2019 [redacted].30 Because of these exceptions, we reviewed ViSION system records to determine whether there were other Consent Orders that the FDIC terminated in 2019 and 2020 that were not correctly recorded. We found four additional Consent Order terminations that the FDIC had not correctly recorded in the ViSION system FIAT module [redacted].31 As a result, RMS provided nine monthly reports to the FDIC Board that contained inaccurate information.32 Therefore, RMS did not fully inform the FDIC Board of all actions taken.

Footnote: 30 - After the start of our evaluation, the FDIC documented the termination status in FIAT for the seven Consent Orders.

Footnote: 31 - Three of the Consent Orders had safety and soundness as a basis, while the fourth had BSA as a basis. After the start of our evaluation, the FDIC documented the termination status in FIAT for the four Consent Orders.

Footnote: 32 - Enforcement Actions Taken Under Delegated Authority reports for actions during the months of January 2017, May 2017, August 2017, April 2018, February 2019, March 2019, June 2019, December 2019, and January 2020.

In addition, pursuant to the Memorandum of Understanding with FinCEN and other Federal bank regulators, the FDIC is to report to FinCEN on a quarterly basis aggregate BSA-related information “intended to help FinCEN in fulfilling its role as administrator of the BSA and to assist the FDIC in fulfilling its role as a financial institution supervisor.”33 The FDIC quarterly reports to FinCEN include the “[n]umber of terminated enforcement actions by category [informal or formal] that addressed BSA compliance under either Title 12 or Title 31 of the United States Code.”34 The ViSION system FIAT module contains the source records for the information included in the quarterly reports. We found that the FDIC had not reported three of the seven aforementioned BSA/AML Consent Order terminations in an FDIC quarterly report to FinCEN [redacted].35

Footnote: 33 - Regional Directors Memorandum 2004-051, Compliance with FinCEN Memorandum of Understanding (October 2004).

Footnote: 34 - Memorandum of Understanding Section II.C. Federal Deposit Insurance Corporation Quarterly Report.

Footnote: 35 - RMS personnel stated in August 2021 that once it was discovered that the termination of three consent orders was not reported to FinCEN, RMS notified FinCEN of the terminations.

Publication of Termination or Modification of Consent Orders. Federal law36 requires the FDIC to publish and make available to the public on a monthly basis any final Orders, as well as the modification or termination of such Orders. The FDIC publishes this information on its public FDIC Enforcement Decisions and Orders website, which the FDIC Legal Division maintains.

Footnote: 36 - 12 U.S.C. § 1818(u), Public Disclosures of Final Orders and Agreements.

We found that this website did not include two BSA/AML Consent Order terminations in our sample population [redacted].37 The FDIC terminated the Consent Orders for these banks in [redacted] and [redacted] respectively, but the FDIC Enforcement Decisions and Orders website identified these two Consent Orders as active at the time of our review.

Footnote: 37 - [redacted]

As a result, the FDIC did not notify the public that the Consent Order terminations had occurred in a timely manner. On March 17, 2021, we communicated the two exceptions to Legal Division personnel, who updated the website to publish the two terminations.

In addition, Legal Division personnel indicated that each month they now reconcile Consent Order terminations on the FDIC Enforcement Decisions and Orders website to terminations in the ViSION system FIAT module. However, they had not formalized this reconciliation process into written procedures. Formalized procedures would improve the effectiveness of this reconciliation control.

Recommendations

We recommend that the Director, RMS:

6. Train personnel on RMS guidance for retaining documentation in RADD in order to support BSA/AML Consent Order monitoring and termination decisions.

7. Train personnel to record Consent Order-related activity in FIAT in a timely and complete manner in order to support decisions relevant to Consent Order terminations.

8. Implement control procedures to ensure that applicable reports to the FDIC Board of Directors include all relevant Consent Order terminations. In addition, inform the Board of the erroneous monthly reports identified in the evaluation.

9. Implement control procedures to ensure that FDIC quarterly reports to FinCEN are accurate and complete.

We recommend that the FDIC General Counsel:

10. Implement control procedures to ensure the publication of termination or modification of Consent Orders and validate the accuracy of information on the FDIC Enforcement Decisions and Orders website.

FDIC COMMENTS AND OIG EVALUATION

On November 9, 2021, the FDIC Director, Division of Risk Management Supervision, and General Counsel provided a written response to a draft of this report, which is presented in its entirety in Appendix 3. In its response, the FDIC agreed that it should clarify FDIC guidance for terminating BSA/AML Consent Orders, including the termination of Consent Orders with partial or substantial compliance. The FDIC also agreed to monitor Consent Order terminations across all Regional Offices and to train staff on the importance of documenting Consent Order decisions.

The FDIC, however, disagreed with the OIG’s position that the publication of a Consent Order termination with partial or substantial compliance leaves the public, bank customers, and bank investors with the impression that all Order provisions were fully met. The FDIC argued that such terminations did not leave an inaccurate impression.

However, as we stated in this report, when Consent Orders are issued, all Order provisions requiring correction are published on the FDIC website. For one of the banks in our sample, we noted that the Termination Order indicated that “all Order provisions were terminated”—even though there was only substantial compliance with the Order provisions. Therefore, these website postings make it appear to the public, bank customers, and bank investors that all Order provisions have been corrected, even though some previously-publicized Order provisions had not been addressed and were included by the FDIC in informal enforcement actions that were not transparent to the public.

The FDIC also stated that the Consent Order policies of the OCC were not materially different from those used by the FDIC. We disagree. As noted in our report, the OCC provides specific guidelines to examiners on assessing a bank’s compliance with Order provisions:

• The OCC makes it clear that Order provisions are not to be deemed in compliance when they are pending validation by examiners, or simply because a bank Board or management has made progress or a good faith effort towards complying with a provision.

• The OCC guidance states that replacing a Consent Order with an informal enforcement action should take place under limited exceptions.

FDIC guidance does not include these elements of the OCC’s guidance. In addition, the FDIC had previously terminated a Consent Order with provisions that were pending validation and based on the good faith effort of bank management – which was permitted under the FDIC guidance, but would not have been in accordance with the OCC direction.

The FDIC concurred with 7 of 10 report recommendations, and plans to complete corrective actions for these recommendations by May 31, 2022. Therefore, we consider these seven recommendations to be resolved. The FDIC partially concurred with two other recommendations (Recommendations 1 and 2). The FDIC’s proposed actions appear to address the intent of our recommendations and therefore, we also consider these two recommendations to be resolved. The FDIC plans to complete corrective actions for these two recommendations by March 31, 2022. Once completed, we will assess the FDIC’s corrective actions to determine if the recommendations should be closed.

The FDIC did not concur with one recommendation to identify on the FDIC’s website the Consent Orders and specific Order provisions that were terminated when the bank partially complied with the original Order provisions (Recommendation 4). The FDIC stated that the publication of instances of the inclusion of Consent Order provisions in informal enforcement actions would constitute revealing confidential supervisory information.

However, it should be noted that these Order provisions would have already been disclosed publicly as part of the initial posting of the Consent Order. Further, we believe that the FDIC should be transparent and clear in its public postings, so that the website viewer can readily understand the status of each Consent Order and its provisions. In an effort to achieve these goals, the FDIC should find a way to accurately represent the status of Consent Orders without revealing confidential information, as it determines what constitutes such information.

As previously mentioned, all Order terminations and the provisions requiring correction are posted on the FDIC website. If the FDIC does not disclose that it has terminated an Order based on partial or substantial compliance, the public, bank customers, and bank investors are left with the false impression that the bank corrected all Order provisions. For example, for one bank in our sample, the Termination Order indicated that “all Order provisions were terminated”—even though there was only substantial compliance with the Order provisions. Therefore, to ensure transparency and clarity, we consider the Recommendation to be unresolved at this time. We will work with FDIC Management during the evaluation follow-up process to try and reach resolution.

Appendix 1: Objective, Scope, and Methodology

Objective

The evaluation objective was to determine whether the FDIC (i) considered factors similar to other Federal bank regulators in terminating BSA/AML Consent Orders; (ii) terminated BSA/AML Consent Orders in accordance with its established guidance; (iii) monitored FDIC Regional Office termination decision-making to ensure consistency across the Regions; and (iv) documented its actions.

We performed our work at the FDIC’s office in Arlington, Virginia, and the Dallas Regional Office from November 2019 through February 2021.38 We conducted our work in accordance with the Council of the Inspectors General on Integrity and Efficiency’s Quality Standards for Inspection and Evaluation.

Footnote: 38- Due to mandatory telework requirements instituted by the FDIC, we conducted a portion of our work remotely.

Scope and Methodology

We reviewed BSA Consent Orders terminated between January 1, 2017 and June 30, 2019. We derived a population of 40 BSA/AML Consent Order terminations by obtaining a listing from the ViSION system FIAT module and comparing it to a listing from the FDIC Enforcement Decisions and Orders external website.39 We selected a judgmental sample of eight Consent Orders representing five of six Regions40 from the population of BSA/AML Consent Order terminations. We also conducted a limited review of two additional Consent Orders where the FDIC had included Consent Order provisions in informal enforcement actions upon termination of the Consent Order.

Footnote: 39 - https://orders.fdic.gov/s/.

Footnote: 40 - The Kansas City Region did not have any terminated BSA/AML Consent Orders during our scope period.

To address our evaluation objective, for our sampled Consent Orders, we:

. Analyzed Consent Order provisions, Consent Order initiation and termination approval documentation, examination reports, visitation reports, and correspondence between the FDIC and the bank related to the Consent Order.

. Reviewed FDIC tools for tracking and monitoring BSA/AML Consent Orders between on-site activities to ensure the FDIC made proper updates regarding the bank’s progress in meeting the terms of the Consent Order.

. Interviewed RMS personnel in Field, Regional, and Headquarters Offices to determine the decision-making process for terminating BSA/AML Consent Orders and the rationale for actions taken with respect to these Consent Orders.

. Interviewed Legal Division personnel in the Headquarters Office to understand the process for reporting Consent Order terminations on the FDIC public website.

We reviewed criteria related to the Consent Order termination and the BSA examination processes, including:

. The Bank Secrecy Act (31 U.S.C. §§ 5311-5330).

. Section 8(s) of the Federal Deposit Insurance Act.

. Section 326.8 of the FDIC Rules and Regulations.

. FDIC Formal and Informal Action Procedures Manual (December 2015).

. FDIC Case Manager Procedures (April 2016).

. FDIC RMS Manual of Examination Policies, Section 13.1, Informal Actions (April 2016), and Section 15.1 Formal Administrative Actions (July 2016).

. Regional Directors’ Memorandum 2012-016-RMS, Meetings, Visitations, Limited-Scope Examinations and Quarterly Progress Reports Related to Risk Management Corrective Programs (November 2012).

. Regional Directors’ Memorandum 2015-002-RMS, Enforcement of Bank Secrecy Act/Anti-Money Laundering Requirements (February 2015).

. Regional Directors’ Memorandum 2015-003-RMS, Monitoring and Tracking of BSA/AML Problem Institutions (February 2015).

. Regional Directors’ Memorandum 2019-020-RMS, Updated Bank Secrecy Act Violation Codes (August 2019).

. Interagency Statement on Enforcement of Bank Secrecy Act/Anti-Money Laundering Requirements (July 2007).

. Joint Statement on Enforcement of Bank Secrecy Act/Anti-Money Laundering Requirements (August 2020).

. Office of the Comptroller of the Currency’s Policies and Procedures Manual, Section PPM 5310-3: Bank Enforcement Actions and Related Matters (November 2018).

. Board of Governors of the Federal Reserve System’s Community Banking Supervision Policies and Procedures Manual (November 2018).

. Board of Governors of the Federal Reserve System’s Large Institution Supervision Coordinating Committee Program Manual (November 2020).

. Federal Financial Institutions Examination Council Bank Secrecy Act/Anti-Money Laundering Examination Manual (March 2020).

We reviewed audit and evaluation reports related to enforcement action termination and the BSA examination process, including:

. FRB OIG Evaluation Report 2019-SR-B-013, The Board can Enhance its Internal Enforcement Action Issuance and Termination Processes by Clarifying the Processes, Addressing Inefficiencies, and Improving Transparency (September 2019).

. FRB OIG Evaluation Report 2020-SR-B-006, The Board can Enhance Certain Aspects of its Enforcement Action Monitoring Process (March 2020).

. FDIC OIG Audit Report No. 05-039, Effectiveness of Supervisory Corrective Actions (September 2005).

. FDIC OIG Audit Report AUD-14-009, The FDIC’s Response to Bank Secrecy Act and Anti-Money Laundering Concerns Identified at FDIC-Supervised Institutions (August 2014).

. GAO Audit Report 19-582, Bank Secrecy Act Agencies and Financial Institutions Share Information but Metrics and Feedback Not Regularly Provided (August 2019).

. GAO Audit Report 20-46, Bank Secrecy Act Examiners Need More Information on How to Assess Banks’ Compliance Controls for Money Transmitter Accounts (December 2019).

. GAO Audit Report 20-519, Bank Supervision – FDIC Could Better Address Regulatory Capture Risk (September 2020).

In addition, we reviewed prior internal reviews conducted by the RMS Regional Offices for BSA/AML and Consent Order termination issues. We also interviewed officials from the Board of Governors of the Federal Reserve System to understand its process for terminating BSA/AML Consent Orders.

Appendix 2: Acronyms and Abbreviations

AML - Anti-Money Laundering

BSA - Bank Secrecy Act

EIC - Examiner-in-Charge

FDI Act - Federal Deposit Insurance Act

FDIC - Federal Deposit Insurance Corporation

Federal Reserve Board - Board of Governors of the Federal Reserve System

FFIEC - Federal Financial Institutions Examination Council

FIAP - Formal and Informal Action Procedures

FIAT - Formal and Informal Action Tracking

FinCEN - Financial Crimes Enforcement Network

FRB - Board of Governors of the Federal Reserve System

GAO - Government Accountability Office

OCC - Office of the Comptroller of the Currency

OIG - Office of Inspector General

RADD - Regional Automated Document Distribution and Imaging System

RMS - Division of Risk Management Supervision

USA Patriot Act - Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism Act of 2001

ViSION - Virtual Supervisory Information on the Net system

Appendix 3: FDIC Comments

[FDIC Letterhead; Federal Deposit Insurance Corporation 550 17th Street NW, Washington D.C. 20429-9990 Division of Risk Management Supervision and Legal]

DATE: November 9, 2021

TO: Terry L. Gibson Assistant Inspector General, Program Audits and Evaluations FDIC Office of Inspector General

FROM: Doreen R. Eberley Director, Division of Risk Management Supervision

Nicholas J. Podsiadly General Counsel

SUBJECT: Management Response to the Draft Audit Report Entitled Termination of Bank Secrecy Act/Anti-Money Laundering Consent Orders (Assignment No. 2019-013)

This memorandum contains the comments of the Federal Deposit Insurance Corporation (FDIC) on the report, Termination of Bank Secrecy Act/Anti-Money Laundering Consent Orders, Assignment No. 2019-013 (the “Report”). The stated objective of the Report was to determine whether the FDIC: (1) considered factors similar to other Federal bank regulators in terminating Bank Secrecy Act/anti-money laundering (“BSA/AML”) Consent Orders; (2) terminated BSA/AML Consent Orders in accordance with FDIC-established guidance; (3) monitored Regional Office termination decision-making to ensure consistency across the Regions; and (4) documented its actions.

The Report reviewed 10 of 40 termination decisions between January 1, 2017 and June 30, 2019. Given the limited number of BSA/AML Consent Order terminations over that period, we urged the FDIC Office of the Inspector General (“OIG”) to redact sensitive demographic, examination, and other detailed information from the Report to avoid identifying and potentially harming open and operating institutions. Information contained in or related to FDIC, Office of the Comptroller of the Currency, or Federal Reserve examination reports is confidential and is exempt from disclosure under the Freedom of Information Act. See Exemption 8 of FOIA, 5 U.S.C.A. § 552(b)(8).

In its results, the OIG references four Consent Orders terminated by the FDIC with remaining provisions placed into an informal or another formal action.1 Although these actions were consistent with longstanding FDIC policy, which was made public in 2019, OIG raises concerns that in terminating or amending these Consent Orders, the FDIC limited transparency and may have given the public—including bank customers and investors—the impression that the bank had complied with all previously issued BSA/AML Consent Order provisions. The FDIC disagrees with the premise that its termination of a Consent Order consistent with longstanding, publicly available policy limited transparency.

Footnote: 1- Three Consent Orders were terminated and remaining provisions were placed into an informal action. One Consent Order was amended to remove BSA-related provisions for which compliance had been achieved, essentially placing the remaining provisions into another formal action; examiners included BSA-related supervisory recommendations in the report of examination.

FDIC policies regarding Consent Order terminations, including those regarding BSA/AML, are set forth in the FDIC Formal and Informal Enforcement Action Manual (FIAP Manual).2 The FDIC’s FIAP Manual was first issued in 1996, and was reissued in December 2005 and December 2019.3 The FIAP Manual states that it is designed to promote consistency in the development and processing of FDIC enforcement actions. The written policy regarding terminating Consent Orders and placing remaining provisions into informal actions has been in place for over 15 years.

Footnote: 2 - See FDIC Formal and Informal Enforcement Actions Manual, page 1-8 at https://www.fdic.gov/regulations/examinations/enforcement-actions/ch-01….

Footnote: 3 - Certain chapters were updated in December 2015.

As part of FDIC Chairman Jelena McWilliams’s Trust Through Transparency Initiative, the FDIC made the updated 2019 FIAP Manual public on the Trust Through Transparency webpage,4 announcing the change through an FDIC Financial Institution Letter5 on December 2, 2019. The FDIC has since updated a few chapters of the FIAP Manual, again announcing the updates publicly through an FDIC Financial Institution Letter6 on June 18, 2020. As noted on the Trust Through Transparency webpage, the public release of the manual is intended to provide the banking industry and any other interested parties with transparency and clarity regarding the FDIC’s enforcement action program. The now-public FIAP provisions governing the termination of Consent Orders and placement of remaining provisions into informal actions remain unchanged.

Footnote: 4 - See Formal and Information Enforcement Actions Manual on Trust Through Transparency webpage at https://www.fdic.gov/about/initiatives/trust-through-transparency/.

Footnote: 5 - See Financial Institution Letter 76-2019 dated December 2, 2019, “FDIC Releases its Formal and Informal Enforcement Actions Manual” at https://www.fdic.gov/news/financial-institution-letters/.

Footnote: 6 - See Financial Institution Letter 61-2020 dated June 18, 2020, “The FDIC Updates its Enforcement Actions Manual for Flood Insurance Civil Money Penalties” at https://www.fdic.gov/news/financial-institution- letters/2019/fil19076.pdf.

The FDIC provides transparency into its enforcement action processes through the publication of the FIAP Manual rather than through any public releases of information regarding informal enforcement activity, which is considered by the FDIC and other Federal regulators to be confidential supervisory information. The FDIC believes that it is prudent and equitable to acknowledge when an institution has made substantial progress in remediating problems. In fact, the Risk Management Supervision (“RMS”) Case Manager Procedures state that, “[i]t is expected that any action issued against an institution will be terminated promptly when substantial compliance has been achieved or the corrective program has accomplished its intended purpose.”7

Footnote: 7 - See RMS Case Manager Procedures, Section 8 – Enforcement Actions, page 8-7.

The Report makes ten recommendations intended to enhance the FDIC’s BSA/AML Consent Order termination guidance and procedures. The FDIC partially or fully concurs with nine recommendations that generally seek clarification of the FDIC’s guidance for terminating BSA/AML Consent Orders, including when it is appropriate for staff to terminate a BSA/AML Consent Order that has been partially complied with and to place any remaining provisions into an informal action. However, the FDIC disagrees with a recommendation to make public informal enforcement actions and confidential supervisory information. We provide additional details on the FDIC’s response to the individual recommendations below.

Recommendation 1: Develop and implement BSA/AML Consent Order termination policies and procedures to better align with those of the other Federal bank regulators to promote consistency in terminating BSA/AML Consent Orders.

FDIC Response: The FDIC partially concurs with this recommendation.

The FDIC has already developed and implemented policies for BSA/AML Consent Order terminations in the form of the aforementioned FIAP Manual, which includes longstanding guidance on this topic. The other Federal bank regulators also have general policies regarding Consent Order terminations, including terminations regarding BSA/AML.8 The FDIC has reviewed the policies of the OCC and does not believe its policy is materially different from that of the FDIC. The Federal Reserve’s policies are not public. The FDIC agrees to discuss its policies with the other Federal bank regulators, and determine whether any action is appropriate in light of differences in our structures, mandates, regulated entities, and operating environments.

Footnote: 8 - See OCC, PPM 5310-3, “Bank Enforcement Actions and Related Matters,” page 14, available at https://www.occ.treas.gov/news-issuances/bulletins/2018/ppm-5310-3.pdf. The Board of Governors of the Federal Reserve System’s Regional Banking Organizations Policies and Procedures Manual referenced in the Report is an internal document. We note that the Inspector General for the Board of Governors of the Federal Reserve System (Board) issued a report on September 25, 2019 (SR-B-103) entitled, “The Board Can Enhance Its Internal Enforcement Action Issuance and Termination Processes by Clarifying the Processes, Addressing Inefficiencies, and Improving Transparency” (2019 Board Report). The 2019 Board Report covers a similar review period as the present Report, and its recommendations included that the Board should “(1) improve the timeliness and efficiency of its enforcement action issuance and termination processes,” and concluded that “…once determining that an institution has demonstrated substantial sustained compliance with the enforcement action provisions, more efficient processing of enforcement action terminations may allow a firm to resume or pursue certain types of business activities more quickly after satisfying the enforcement action terms.” Pages 2 and 27, available at https://oig.federalreserve.gov/reports/board-enforcement-action-issuanc….

Estimated Completion date: March 31, 2022

Recommendation 2: Coordinate with other Federal bank regulators to pursue the issuance of joint guidance that promotes consistency in terminating BSA/AML Consent Orders, including factors such as defining key terminology; demonstrating compliance with a Consent Order over a sufficient period of time; and identifying circumstances to issue an informal enforcement action after terminating a BSA Consent Order.

FDIC Response: The FDIC partially concurs with this recommendation.

The FDIC does not agree that joint guidance is needed regarding terminating BSA/AML Consent Orders, because, as described above, each agency already has guidance for terminating Consent Orders, including BSA/AML Consent Orders. The FDIC followed the longstanding procedures outlined in its FIAP Manual in terminating the Consent Orders, including the four that were terminated with partial compliance and placement of remaining provisions in an informal or formal action. Notwithstanding, as described above, the FDIC agrees to discuss its policies with the other Federal bank regulators and determine whether any action is appropriate in light of differences in our structures, mandates, regulated entities, and operating environments, including whether to revise the FDIC’s policies and procedures related to: (1) definitions of key terminology; (2) demonstration of compliance with a Consent Order over a sufficient period of time; and (3) identification or clarification of circumstances in which to issue an informal enforcement action after terminating a BSA Consent Order.

Estimated Completion date: March 31, 2022

Recommendation 3: Provide clarity surrounding circumstances when it is appropriate to terminate a BSA/AML Consent Order and include uncorrected provisions in an informal enforcement action. This should include clarity on how Regional Offices should measure and assess the terms, “substantial compliance” and “partially met,” in a clear and consistent manner, when determining whether to terminate BSA/AML Consent Orders.

FDIC Response: The FDIC concurs with this recommendation.

The FDIC does not agree with the OIG’s suggestion in the Report that termination of a Consent Order in this manner creates a lack of transparency to the public. The FDIC provides transparency into its enforcement action processes through the publication of the FIAP Manual as previously noted, rather than through any public release of information regarding informal enforcement activity.

Further, none of the four instances in which the FDIC terminated a Consent Order and included outstanding provisions in an informal or formal action were inconsistent with the longstanding FDIC policy. In each of the four cases, a commissioned examiner opined that the institutions: (a) were no longer violating the BSA pillars that resulted in the issuance of the Order and (b) had substantially complied with the provisions of the Order. Accordingly, in each case, the Region’s action clearly and unambiguously met the condition for termination outlined in the FIAP Manual (i.e., the provisions of the Order have been partially met, and a new formal or informal action had been issued to address any outstanding provisions) and the requirements of Section 8(s) of the Federal Deposit Insurance Act (i.e., the examiners did not cite continuing program or pillar violations as part of the examination or visitation that supported the termination recommendation).

Notwithstanding, the FDIC agrees that documentation should clearly support these decisions. The FDIC will provide additional direction to staff regarding when it is appropriate to terminate Consent Orders, including BSA/AML Consent Orders, and include outstanding provisions in informal enforcement actions. Additionally, the FDIC will provide more direction and examples to staff regarding how to assess “substantial compliance” when determining whether to terminate a Consent Order, including a BSA/AML Consent Order. Once the review is complete, the FDIC will provide training to RMS staff to promote consistency when consideration is given to terminating BSA/AML Consent Orders.

Estimated Completion date: May 31, 2022

Recommendation 4: Identify on the FDIC’s website which Consent Orders were terminated when the bank partially complied with the original provisions. This should include noting which Consent Order provisions remained uncorrected after termination.

FDIC Response: The FDIC does not concur with this recommendation.

The FDIC’s assessments of ongoing risks at an institution, and the agency’s efforts to implement appropriate supervisory controls to mitigate these risks through the implementation of board resolutions or other informal methods, would constitute confidential supervisory information. Requiring the agency to flag instances where ongoing, but mitigated, risks exist when terminating Orders would make public such confidential supervisory information.

The FDIC believes that clarification of terminology and training, as committed in response to other recommendations, is sufficient to address the OIG’s concerns. The FDIC has addressed how its actions and longstanding policies provide for appropriate public transparency elsewhere in this response.

Estimated Completion date: N/A

Recommendation 5: Develop and implement FDIC Headquarters procedures for monitoring Regional Office decisions to terminate BSA/AML Consent Orders to ensure consistent treatment of similarly-situated banks and application of program requirements across all Regional Offices.

FDIC Response: The FDIC concurs with this recommendation and will develop and implement monitoring procedures.

Estimated Completion date: March 31, 2022

Recommendation 6: Train personnel on RMS guidance for retaining documentation in RADD in order to support BSA/AML Consent Order monitoring and termination decisions.

FDIC Response: The FDIC concurs with this recommendation.

Training will be provided to staff regarding retaining enforcement-related documentation in RADD, including to support BSA/AML Consent Order monitoring and termination decisions. This training will be provided in conjunction with the training on procedures for processing formal and informal actions as noted in the response to Recommendation 3.

Estimated Completion date: May 31, 2022

Recommendation 7: Train personnel to record Consent Order-related activity in FIAT in a timely and complete manner in order to support decisions relevant to Consent Order terminations.

FDIC Response: The FDIC concurs with this recommendation.

RMS is currently reviewing and revising its internal step-by-step instructions for recording the initiation, modification, and termination of all types of formal and informal enforcement actions within its official system of record, the ViSION system FIAT module. The revised instructions will include definitions of data elements and terms used in the ViSION system FIAT module, and will direct staff to enter accurate and timely date information in the FIAT module. Upon issuance of the revised instructions, training will be provided to staff that will include procedures for entering data in the ViSION system FIAT module, and preparing and retaining documentation in RADD as described in the response to Recommendation 6.

Estimated Completion date: May 31, 2022

Recommendation 8: Implement control procedures to ensure that applicable reports to the FDIC Board of Directors include all relevant Consent Order terminations. In addition, inform the Board of the erroneous monthly reports identified in the evaluation.

FDIC Response: The FDIC concurs with this recommendation.

Staff is currently developing an exception report to identify Consent Order terminations that have not been entered into ViSION correctly so that all terminations are captured going forward. Any terminated Consent Orders noted through the exception report that have not previously been reported to the Board, will be reported to the Board.

Estimated Completion date: March 31, 2022

Recommendation 9: Implement control procedures to ensure that FDIC quarterly reports to FinCEN are accurate and complete.

FDIC Response: The FDIC concurs with this recommendation.

As described in the response to Recommendation 8, staff is currently developing an exception report to identify Consent Order terminations that have not been entered into ViSION correctly so that all terminations are captured going forward. Any terminated Consent Orders noted through the exception report that have not previously been reported to FinCEN, will be reported to FinCEN.

Estimated Completion date: March 31, 2022

Recommendation 10: Implement control procedures to ensure the publication of termination or modification of Consent Orders and validate the accuracy of information on the FDIC Enforcement Decisions and Orders website.

FDIC Response: The FDIC concurs with this recommendation.

The FDIC recognizes that this is an important issue, particularly given the requirements of 12 U.S.C. § 1818(u). As the Report notes, staff preparing the publication of FDIC orders has already implemented a system of comparing the monthly list of terminations/modifications received from Legal Regional Office staff with the terminations/modifications entered in the ViSION system FIAT module prepared by RMS. This interdivisional cross-check/reconciliation process helps ensure that all BSA/AML Consent Order terminations/modifications issued in a given month are published on the FDIC Enforcement Decisions and Orders (EDOS) website in a timely fashion.

On November 26, 2013, staff finalized a memorandum entitled “Monthly Report of Orders and Notices for Publication and Advance Notice of Administrative Hearings,” which outlines the procedures for publishing final enforcement orders on the FDIC EDOS website. Staff will revise the November 26, 2013, memorandum to include publication and validation procedures for Consent Order terminations/modifications, including memorializing the steps that have already been implemented.

Estimated Completion date: March 31, 2022

Appendix 4: Summary of the FDIC's Corrective Actions

[table]

This table presents management’s response to the recommendations in the report and the status of the recommendations as of the date of report issuance.

Row 1; Rec. No. 1; Corrective Action: Taken or Planned - The FDIC will discuss its BSA/AML Consent Order termination policies with the other Federal bank regulators and determine whether any action is appropriate in light of differences in structures, mandates, regulated entities and operating environments.; Expected Completion Date - March 31, 2022; Monetary Benefits: $0; Resolved:a Yes or No - Yes; Open or Closedb - Open

Row 2; Rec. No. 2; Correcetive Action: Taken or Planned - The FDIC will discuss its BSA/AML Consent Order termination policies with the other Federal bank regulators and determine whether any action is appropriate in light of differences in structures, mandates, regulated entities and operating environments, including whether to revise the FDIC’s policies and procedures related to: (1) definitions of key terminology; (2) demonstration of compliance with a Consent Order over a sufficient period of time; and (3) identification or clarification of circumstances in which to issue an informal enforcement action after terminating a BSA/AML Consent Order.; Expected Completion Date - March 31, 2022; Monetary Benefits - $0; Resolved:aYes or No - Yes; Open or Closedb - Open

Row 3; Rec. No. 3; Corrective Action: Taken or Planned - The FDIC will provide additional direction to staff regarding when it is appropriate to terminate Consent Orders, including BSA/AML Consent Orders, and include outstanding provisions in informal enforcement actions. The FDIC will provide training to RMS staff to promote consistency when consideration is given to terminating BSA/AML Consent Orders.; Expected Completion Date - May 31, 2022; Monetary Benefits - $0; Resolved:aYes or No - Yes; Open or Closedb- Open

Row 4; Rec. No. 4; Corrective Action: Taken or Planned -The FDIC did not concur with the recommendation.; Expected Completion Date - N/A; Monetary Benefits - $0; Resolved:aYes or No - No; Open or Closedb - Open

Row 5; Rec. No. 5; Corrective Action: Taken or Planned - The FDIC will develop and implement monitoring procedures to ensure consistent treatment of similarly-situated banks and application of program requirements across all Regional Offices.; Expected Completion Date - March 31, 2022; Monetary Benefits - $0; Resolved:aYes or No - Yes; Open or Closedb - Open

Row 6; Rec. No. 6; Corrective Action: Taken or Planned - The FDIC will provide training to staff regarding retaining enforcement-related documentation in RADD, including to support BSA/AML Consent Order monitoring and termination decisions.; Expected Completion Date- May 31, 2022; Monetary Benefits - $0; Resolved:aYes or No - Yes; Open or Closedb - Open

Row 7; Rec. No. 7; Corrective Action: Taken or Planned - The FDIC will provide training to staff that will include procedures for entering data in the ViSION system FIAT module, and preparing and retaining documentation in RADD.; Expected Completion Date - May 31, 2022; Monetary Benefits - $0; Resolved:aYes or No- Yes; Open or Closedb-Open

Row 8; Rec. No. 8; Corrective Action: Taken or Planned - The FDIC will develop an exception report to identify Consent Order terminations that have not been entered into ViSION correctly so that all terminations are captured going forward. The FDIC will report to the Board any terminated Consent Orders noted through the exception report that have not previously been reported to the Board.; Expected Completion Date - March 31, 2022; Monetary Benefits - $0; Resolved:aYes or No-Yes; Open or Closedb - Open

Row 9; Rec. No. 9; Corrective Action: Taken or Planned - The FDIC will develop an exception report to identify Consent Order terminations that have not been entered into ViSION correctly so that all terminations are captured going forward. The FDIC will report to the FinCEN any terminated Consent Orders noted through the exception report that have not previously been reported to the FinCEN.; Expected Completion Date - March 31, 2022; Monetary Benefits - $0; Resolved:aYes or No - Yes; Open or Closedb - Open

Row 10; Rec. No. 10; Corrective Action: Taken or Planned - The FDIC will revise its memorandum entitled “Monthly Report of Orders and Notices for Publication and Advance Notice of Administrative Hearings” to include publication and validation procedures for Consent Order terminations and modifications.; Expected Completion Date - March 31, 2022; Monetary Benefits - $0; Resolved: aYes or No - Yes; Open or Closedb - Open

a Recommendations are resolved when —

1. Management concurs with the recommendation, and the planned, ongoing, and completed corrective action is consistent with the recommendation.

2. Management does not concur with the recommendation, but alternative action meets the intent of the recommendation.

3. Management agrees to the OIG monetary benefits, or a different amount, or no ($0) amount. Monetary benefits are considered resolved as long as management provides an amount.

b Recommendations will be closed when the OIG confirms that corrective actions have been completed and are responsive.

[end of table]

[end of report]

[FDIC OIG Logo] Federal Deposit Insurance Corporation

Office of Inspector General

3501 Fairfax Drive Room VS-E-9068 Arlington, VA 22226

(703) 562-2035

The OIG’s mission is to prevent, deter, and detect waste, fraud, abuse, and misconduct in FDIC programs and operations; and to promote economy, efficiency, and effectiveness at the agency.

To report allegations of waste, fraud, abuse, or misconduct regarding FDIC programs, employees, contractors, or contracts, please contact us via our Hotline or call 1-800-964-FDIC.

FDIC OIG website, www.fdicoig.gov

Twitter, @FDIC_OIG

Oversight.gov, www.oversight.gov/