The US Office of the Comptroller of the Currency (OCC) has imposed a $65m fine on the Royal Bank of Canada’s American unit, City National Bank, over gaps in the lender’s risk management and internal controls.
The OCC’s cease-and-desist order requires the bank to take broad and comprehensive corrective actions to improve its operational risk management – particularly in the areas of internal controls; compliance risk management, Bank Secrecy Act (BSA)/AML and fair lending – and its strategic plan, strategic risk management, and investment management practices.
The bank regulator said that the bank engaged in unsafe or unsound practices, including failure to establish effective risk management and internal controls, but the facts of this enforcement are not spelled out in its order or accompanying materials.
Instead, in its order, the OCC offers incredibly instructional language about what the bank regulator expects the bank to improve or implement when it comes to bedrock risk oversight processes in its AML and sanctions screenings, customer reviews and staffing qualifications. It also details what adequate anti-money-laundering (AML) and sanctions risk assessments should entail, noting that board minutes documenting the board’s involvement in the process must be included.
Broad and comprehensive action
The OCC spells out the procedures for a staffing assessment of personnel involved in suspicious activity report (SAR) preparation processes so the bank can identify any gaps in knowledge and experience relative to their responsibilities and address such gaps.
Plus, it mentions the need for more detailed, accurate documentation of personnel roles and responsibilities and greater authority vested in the AML Officer and AML department specifically.
It also spells out how the bank must improve its Customer Due Diligence program (CDD) through Know-Your-Customer (KYC) procedures, for example by:
- defining low-, moderate-, and high-risk customers;
- having a methodology for assigning defined risk levels to the customer base that considers the customer’s entire relationship and appropriate factors such as type of customer, purpose of the account, geographic location, level of SAR filing activity, and the expected account activity, including the volume, velocity, and frequency by dollar amount and number; and
- having processes in place to alert the bank’s personnel that required CDD information is missing or incomplete.
The OCC also spells out procedures for performing adverse media screening on all new customers, as well as a risk-based methodology for adverse media screening on all existing customers.
And it requires the bank’s board to appoint a compliance committee of at least three members, a majority of which should be directors who are not employees or officers of the bank or its subsidiaries or affiliates and submit quarterly progress reports.
Other highlights from the order include these must-have bank compliance components:
- The board must review and provide credible challenge to the BSA/AML and sanctions risk assessments and document the review of these challenges in the board minutes.
- The bank’s internal audit should conduct annual independent testing of its BSA/AML and sanctions risk assessment methodologies that conclude on its accuracy and completeness.
- Along with processes for identifying high-risk customers, the bank must implement procedures for ongoing monitoring such as documented critical analysis of the details found after an investigation.
Adverse media screening
Any number of the deficiencies noted in the OCC’s order could be examined in more detail and serve as internal training tools. But the adverse media screening directive is particularly interesting; it’s a critical component of the large set of policies, procedures, and controls that financial institutions typically use to combat money laundering and terrorist financing.
Adverse media screening involves scanning global media sources for evidence of a customer’s involvement in suspicious activity, including associations with people connected to drug syndicates, human trafficking, terrorist financing, or other illegal endeavors. Continuous media monitoring can help an institution protect against regulatory fines and penalties, plus a loss of consumer confidence, negative press, and other potential threats to the institution’s reputation and brand.
The Financial Action Task Force (FATF) – an inter-governmental body that establishes international regulatory standards for anti-money-laundering (AML) compliance — advocates a “risk-based approach” to customer relations that makes financial institutions responsible for “identifying, assessing, and understanding” money-laundering risks and taking appropriate actions to mitigate them.
Under FATF guidelines, created in 2012 and updated this past November, adverse media screening is considered one information-gathering tool among many that financial institutions are expected to use to develop accurate customer risk profiles. FATF specifically cites adverse media screening as an important part of an effective customer due diligence program, where politically exposed persons and other high-risk clients receive extra scrutiny.
Again, it’s just one of the effective safeguards that financial institutions use to guard against criminal efforts to launder money by funneling it through legitimate banking systems. But it’s a tried and true one.
City National Bank’s Statement
City National Bank said in a statement to Reuters early on Thursday that it is committed to resolving the matters identified in the OCC’s order as quickly as possible. “Our focus will continue to be on both strengthening our infrastructure and systems to reflect a bank of our size and business model,” it said.
In late September, City National disclosed that RBC had injected about $2.95b into its US unit to bolster its capital with such injections (along with other measures) geared to improving profitability at City National.