There are very few, if any, areas of the world, let alone our country, that aren’t watching an unprecedented situation unfold in front of our very own eyes. Confirmed cases of COVID-19, also known as the Novel Coronavirus, have been found in more than 80% of the world’s countries, and new cases show up each day. In one form or another, the virus has reached all aspects of society – socially, business-wise and medically. Cancellations of religious services, concerts, parades, large events, restaurants, bars, limitations on group gatherings and even a “shelter-at-home” restriction in one city. This is unprecedented. We need a team of very smart people addressing the various effects on our people and their communities, the financial and economic impacts, and the global impact. We’re not here to answer those questions, so we’ll leave those up to the experts best suited to the field.
From our perspective, we’re here to help a smaller, but significantly important aspect of the financial industry space with thinking about their anti-money laundering (AML) compliance. While some regulatory bodies have released statements ensuring their member banks are still delivering services to customers and communities, AML requirements are still an obligation banks are required to follow. So, the questions are: Is your BCP ready for COVID 19? Does it address the all the banks legal and regulatory obligations – and not just those activities that are critical? Does the plan enable you to maintain a satisfactory level of compliance? Does it address operations under a scenario where many, or even, all your staff are for medical reasons or local government pronouncements/dictate/orders unable to come to the workplace?
Business Continuity Plans
At a minimum, the BCP in your institution must not put the greater financial system at risk. In fact a recent and relevant example of that is when the New York State Department of Financial Services issued a “…request for assurance to ensure your institutions have preparedness plans in place to address operational risk posed by the outbreak…” to the institutions that it oversees. It went on to request that all member banks “submit a response to DFS describing the institution’s plan of preparedness to manage the risk of disruption to its services and operations” (Industry Letter, March 10, 2020).
So, part of a reasonable BCP would be to prioritize the resources of the institution. How do you do that? First, you would likely look at maintaining overall financial system stability, critical operations/systems, and keeping the bank afloat. Second, how does your institution’s BCP pandemic planning limit impacts to the business? What types of actions does it permit to maintain business operations? What does it say about the safety and health of the institution’s employees, and the impacts of lost resources? How does it address maintaining your AML compliance? Does it address a scenario in which you’re delayed in monitoring and reporting on suspicious transactions? What will you do to remediate alert/case backlogs, should they occur? Having responses to those questions is a good example of AML compliance being included in your BCP.
We’re sure that you have tested the BCP periodically – regulators expect this. In the past this has been done specially to ensure that critical IT systems and staff can travel to and find the back-up locations. However, we are now faced with a very real possibility that staff may not be able to leave their homes. Can the bank operate remotely? Can it achieve an acceptable level of compliance in that scenario? And what can be done to mitigate any risk derived from that scenario?
If You’re In An Outbreak Area
You have likely already invoked your BCP. If you have, what does that look like for you? Are all of your employees allowed to stay home? Were only back-office employees permitted to make this move? What about your branch staff? Do they have a secure access to the required systems? Was this already established as part of the BCP? Or was it a scramble to set-up, implement, and test? Assuming you’ve worked all of that out, here are some things to consider to ensure that you don’t create an issue for yourself:
- What happens if one of your employees falls ill? What if your BCP doesn’t allow “work from home?” Be mindful of the ADA and FMLA as well as any state and local laws in dealing with employee illnesses and sick leave.
- How are you continuing to do OFAC checks in real-time? Is this done automatically? If done, manually, what protocols do you have in place to ensure it continues happening? Is there an acceptable amount of back-log in the AML transaction monitoring process? How is that determined?
- Let your regulator know, if they have not already been in touch, how COVID-19 is affecting your institution. Have there been any cases, local outbreaks, staffing issues, any impact to the business and to what business areas, including compliance. For compliance, regulators will be interested in developing problems in OFAC filtering and transaction monitoring and if there are developing backlogs. t’s also a good idea to share any plans that you do have on addressing any potential backlogs that may result.
If You’re Not In An Outbreak Area
At a minimum, this is a good time to review your BCP at your institution, and more importantly, are compliance obligations clearly addressed in the BCP and how can you minimize the pandemic’s impact on the compliance department? If your department is large enough, can it be split into “teams” with an alternating on-site (if necessary) schedule? If so, does that allow you to meet your requirements? If that’s not enough, what then? How do you plan on managing EDD reviews if your local government requests that you self-quarantine? At what point, if ever, would your bank close the branch doors and not allow for opening of new accounts? How will you handle in-person transactions or large-dollar transactions? Are compliance activities covered in your BCP for both OFAC and BSA/AML? If there is an expectation that BSA/AML transaction monitoring alert/case backlogs can come about – is there an escalation process to devote additional resources to ‘cap’ the backlog and bring about reduction? If you find that compliance does not get a sufficient mention in the BCP, it is better to start to address that now “before” the pandemic hits your geographic area.
The Crimes That Happen
Sadly, like other large-scale events, such as 9/11, bad actors find opportunities to make money. By all accounts this has already begun. FinCEN made a statement regarding such illicit activity – you can read more about it here. As launderers, and the like, pay attention to what’s happening in the world, they will also be watching the institutions they are trying to bank at. They may make mistakes, knowing that a bank may be running a skeleton crew, and they may bank, no pun intended, on the fact that there may be weaknesses that can be exploited. It is for these reasons we must be even more vigilant.
Conclusion
Depending on what news article you read on any given day, the future reports vary regarding the duration and forecasted impact the Novel Coronavirus may have on our world. However, one thing remains: AML/BSA compliance must remain a priority as well. There are experts working on the science behind a cure, but for us, we are here to help protect the financial system from the bad actors. There are bad actors who will try to benefit from situations like these, such as fraudulent scams, but also from measures or limitations the banks have in their BCP related to monitoring for AML/BSA. Together, let’s try to minimize these limitations and proactively address the worst-case scenario for our institutions.
References
The FFIEC Interagency Statement on Pandemic Planning at https://www.ffiec.gov/press/pandemicguidance.pdf
Industry Letter – March 10, 2020: Guidance To New York State Regulated Institutions on Operational Risk Arising from the Outbreak Of the Novel Coronavirus https://www.dfs.ny.gov/industry_guidance/industry_letters/il20200310_risk_coronavirus
The Financial Crimes Enforcement Network (fincen) Encourages Financial Institutions To Communicate Concerns Related To the Coronavirus Disease 2019 (covid-19) and To Remain Alert To Related Illicit Financial Activity
Additional Resources:
https://www.fdic.gov/coronavirus/faq-fi.pdf