The consent order against Wells Fargo Bank, N.A., dated September 12, 2024, by the Office of the Comptroller of the Currency (OCC), focuses on addressing significant deficiencies in Wells Fargo's anti-money laundering (AML) and financial crimes risk management practices. These deficiencies were identified as violations of various laws and regulations, including issues related to internal controls, suspicious activity reporting, customer due diligence, customer identification programs, beneficial ownership, and transaction reporting.
In this blog, we focus on the internal control deficiencies: first, because internal controls are a fundamental pillar of a Bank Secrecy Act (BSA) compliance program, and second, because the action plan to remediate the deficiencies focuses greatly on enhancing the internal control framework.
Notably, earlier this year, in July, the Federal Deposit Insurance Corporation (FDIC) issued a consent order against The State Exchange Bank, a Lamont, Oklahoma bank, in which the Internal Controls Pillar was also highlighted as highly deficient.
The Internal Controls Pillar
The Internal Controls pillar is a fundamental component of an effective BSA/AML compliance program, designed to ensure ongoing adherence to regulatory requirements and mitigate risks associated with money laundering, terrorist financing, and other illicit financial activities. Mandated by regulations such as 12 CFR 21.21(c)(1), this pillar requires banks to establish a comprehensive system of internal controls that is tailored to the institution's size, complexity, and organizational structure.
Effective internal controls incorporate the bank's risk assessment, provide for program continuity, facilitate IT system oversight, and enable timely regulatory updates. They should also implement dual controls and segregation of duties where possible, establish mechanisms for informing leadership of compliance issues, and clearly define BSA compliance responsibilities for bank personnel.
Most financial crime prevention teams at a bank adopt the three lines model for risk management and control. The audit requirements, recommendations, and actions laid out in the consent order fall clearly under Internal Audit (the 3rd line of defense) and apply directly to remediating the overall internal controls deficiencies:
Enhancements to the Audit Program:
Wells Fargo is tasked with developing substantial improvements to its written audit program, specifically focusing on BSA/AML and OFAC sanctions. This enhanced program requires approval from the Audit Committee and is designed to ensure that the bank's compliance with BSA and OFAC sanctions is thoroughly and independently tested. The program must be tailored to the bank's risk profile and should comprehensively evaluate the adequacy of the bank's compliance programs.
Minimum Requirements for the Audit Program:
The enhanced audit program must meet several crucial criteria to ensure its effectiveness. It should assess whether the bank's risk assessment accurately reflects its risk profile and evaluate if the bank's policies, procedures, and controls are not only designed to achieve compliance but are also appropriate given the bank's specific risk landscape.
The program must verify that the bank is adhering to its established compliance framework and that its supporting technology infrastructure is adequate. Additionally, it should confirm that management is responding promptly and appropriately to any identified deficiencies, whether from internal testing or regulatory examinations. Lastly, the program must ensure that relevant personnel are receiving appropriate training on BSA/AML and OFAC sanctions compliance.
Additional Specific Requirements for the Program:
The audit program must incorporate several specific elements to ensure its comprehensiveness and effectiveness. It should include risk assessment processes that thoroughly document how the bank's products, services, customers, and geographical presence impact its risk profile and controls. The program must develop and adhere to an audit plan that is appropriately tailored to the bank's risks. It should maintain proper documentation to support decisions about which areas and controls to include or exclude from testing. Regular reviews and updates to the audit plan are required, with significant changes communicated to the Audit Committee. To ensure consistency across the enterprise, the program should include standardized audit test scripts. Finally, the bank must ensure that the audit program is supported by staff with the necessary knowledge, skills, and experience to carry out these complex responsibilities effectively.
Reporting and Validation:
The agreement places strong emphasis on timely and thorough reporting of audit findings. Management is required to promptly report any control deficiencies identified through the audit program to both the Audit Committee and senior management. These reports must provide a clear picture of the severity of any deficiencies, the associated risks, and the corrective actions required.
The Compliance Committee is tasked with ensuring that management takes swift action to address these deficiencies. Furthermore, the Audit Committee is responsible for ensuring that all corrective actions are not only implemented but also reviewed and validated promptly. This rigorous reporting and validation process is designed to create a feedback loop that continuously strengthens the bank's compliance posture.
The first two lines of defense are also clearly called out in the consent order:
First Line: Business Operations
The first line of defense in Wells Fargo's BSA/AML and OFAC sanctions compliance framework is required to be significantly strengthened. A key focus is on clearly defining roles and responsibilities within the business operations. This involves establishing clear lines of authority for compliance risk management functions, ensuring that everyone in the front line understands their specific duties in maintaining compliance. The bank is also tasked with bolstering its policies, procedures, and controls. This enhancement aims to ensure that front-line units can effectively implement the bank's enterprise-wide BSA/AML and OFAC sanctions programs, creating a robust first line of defense against financial crimes.
Another critical aspect of the first-line improvements is the enhancement of controls testing. The bank must ensure that front-line BSA/AML and OFAC sanctions controls are tested effectively by personnel with the requisite knowledge and skills. Additionally, a process for reporting the results of these tests must be established, creating a feedback loop that allows for continuous improvement. Lastly, the bank is required to improve its staffing and training processes. This involves maintaining sufficient staff with the appropriate knowledge, skills, and experience to handle compliance responsibilities effectively. Ongoing training, tailored to job-specific duties and responsibilities, must be provided to ensure that front-line staff remain up-to-date with the latest compliance requirements and best practices.
Second Line: Risk Management and Compliance
The second line of defense, focusing on risk management and compliance, is also required to undergo significant enhancements. A key element is the strengthening of the Financial Crimes Risk Management (FCRM) function. This independent second-line function must have clearly defined roles and responsibilities, supported by effective policies, procedures, and controls. The FCRM function will be responsible for critical activities such as risk rating, monitoring, issue resolution, and oversight of front-line units. These enhancements aim to create a more robust and effective second line of defense against financial crimes risks.
In addition to enhancing the FCRM function, the bank is required to strengthen its independent testing program for BSA/AML and OFAC sanctions compliance. This program must ensure that testing is conducted effectively by personnel with the necessary qualifications and expertise. Like the first line testing enhancements, a process for reporting the outcomes of these tests must be established. This will create a comprehensive view of the bank's compliance status, allowing for timely identification and resolution of any issues. By strengthening both the FCRM function and the independent testing program, Wells Fargo aims to create a more effective and resilient second line of defense in its fight against financial crimes.
Yanez Automation Platform Support for the Internal Controls Pillar
As we've seen, the OCC's consent order places significant emphasis on enhancing internal controls across all three lines of defense. The Yanez Automation Platform offers solutions that directly address many of the issues highlighted in the consent order.
The platform provides a ready-to-use framework for OCC model validation for sanctions screening and an interactive learning module to support learning about OCC and OFAC frameworks for internal audits. This can be particularly valuable in addressing the audit program enhancements required by the consent order.
The Yanez model validation framework facilitates achieving all three core components: evaluation of conceptual soundness, ongoing monitoring, and outcomes analysis. It also complies with OCC sampling methodologies and includes support for back testing, benchmarking, and sensitivity analysis. Users can utilize an interactive interface to audit the results and generate a final report that can be presented to OCC auditors.
Furthermore, the platform offers an interactive AI GPT framework tuned for the regulatory frameworks of OCC and OFAC. This learning interface enables users to gain intelligence on OFAC's enforcement actions and OCC's consent orders, including aggregated information on Internal Controls deficiencies and associated remediation actions.
By leveraging these features, financial institutions can better address the challenges outlined in the Wells Fargo consent order and strengthen their own BSA/AML compliance programs.