Mergers of Financial Institutions (FIs) are an increasingly common industry trend. A merger creates a number of challenges for Bank Secrecy Act (BSA) Officers who are tasked with developing an integration plan, while ensuring ongoing compliance with the relevant laws and regulations. A merger impacts all aspects of the FI’s BSA Program, from the Enterprise-Wide Risk Assessment (ERA) through process implementation. When FIs find themselves in the midst of a merger, developing a strategic approach to help facilitate the merging of policies, procedures, and processes, while simultaneously remaining compliant with applicable laws and regulations, can prove highly beneficial. Let’s delve into what such an approach might look like.
Prior to the merger, the acquiring institution may engage in preliminary efforts to establish a foundation for the seamless integration of the acquiring and acquired institutions’ BSA programs. Since BSA Officers have the unique ability to identify BSA/AML issues that may arise during the merger, it is wise to include the acquired institution’s BSA Officer on the team conducting due diligence. The due diligence should commence with a review of the acquired institution’s most recent ERA.
As discussed in a prior article, Risky Business: A Responsible Evaluation of Enterprise-wide AML/OFAC Risk, the ERA is designed to provide critical insight into the acquired institution’s customer base; existing products, services and channels; geographic footprint; and transactional environment. Moreover, the due diligence team should carefully scrutinize the institution’s risks, potential deficiencies, and areas of concern identified within the acquired FI’s ERA.
If the acquired FI does not have an ERA available for review prior to the merger, then the team should request information pertaining to the acquired FI’s aforementioned inherent risk categories, along with other factors that pose money laundering and terrorism financing risks to the institution. Additional sources for this information include internal and external audit reports and regulatory findings pertaining to the acquired FI’s BSA Department. Performing this due diligence prior to finalizing the merger provides the acquiring institution with the ability to appropriately identify potential risks and challenges that may result from the merger, and help the FI develop a strategic and methodical approach to mitigate them.
Some of the relevant questions that FIs should consider during Phase 1 are:
Once the merger is finalized, the real work begins. A robust BSA program requires three key ingredients: people, processes, and technologies. Each of these ingredients is necessary to ensure adequate compliance with AML laws and regulations. This is a useful framework to guide the integration process and fully comply with the applicable laws and regulations.
The people ingredient evaluates three components: staffing needs, training of BSA personnel, and the BSA Officer’s qualifications. Each of these components is essential, but it is important to note that adequate training of BSA personnel and having a qualified BSA Officer are required pillars of a BSA program.
Without appropriate staffing levels, a merger may cause a backlog of alerts, cases, and Enhanced Due Diligence (EDD) efforts, due to an increase in volumes or technology issues. A staffing evaluation analyzes the workload, including alert, case, and suspicious activity report (SAR) volumes, as well as watch list monitoring and the frequency of currency transaction reports (CTRs) being filed.
The FI should initially expect a temporary increase in alert, case, and SAR volumes because there are essentially two customer bases involved in a merger – the acquiring institution’s customers and the acquired FI’s customers. As a result, the FI may need to conduct two staffing evaluations – one for temporary use during the integration process and one for the business as usual (BAU) operations for use on a permanent basis after the integration phase is complete.
In order to ensure adequate coverage of the increased workload, the FI may need to utilize an outside vendor or contractors on a temporary basis during the integration phase. However, once the acquired FI’s customers are fully integrated into the BAU operations, the number of full-time employees (FTEs) should scale over time, triggering the use of a second staffing evaluation.
Among the questions that the FI should ask to determine staffing needs are:
One of the pillars of a BSA program is a comprehensive training program for the institution’s personnel. There are two components to a strong BSA training program—training for all FI employees and training specifically designed for BSA personnel. The first step is to develop the curriculum for enterprise-wide BSA training. This curriculum should include an overview of the BSA/AML laws and regulations that enable employees to understand the significance of the rules and requirements that mandate compliance.
The curriculum should also provide BSA/AML red flags training, focusing on red flags specific to the respective business lines. In doing so, the curriculum is tailored to the money laundering and terrorism financing red flags that each respective business unit is expected to encounter. A process for referring potentially suspicious activity for further investigation to the FI’s BSA department should also be established and implemented. The FI’s front-line staff can be an invaluable resource for the BSA department to appropriately identify unusual customer behavior observed in the FI’s branches.
The second step is to develop the curriculum for BSA personnel. The FI’s BSA department requires a specialized training program that provides more in-depth and targeted training on assessing customer transactions, writing well-reasoned narratives, and compliance with the FI’s BSA policies and procedures. The training program may also need to include remedial training if the acquired institution did not provide its staff with adequate training opportunities.
Beyond the curriculum, the timing of training is also critical. BSA training should be conducted enterprise-wide as soon as is practical. Moreover, the Bank’s training policy must include ongoing training opportunities on a periodic basis and incorporate emerging BSA/AML trends. Without a strong training program, regulators may determine that the FI is in violation of a BSA pillar, resulting in regulatory penalties.
The FI should consider the following questions when developing a training program for the merged entity:
The third component to the people ingredient is maintaining a BSA Officer. Like the training program, regulators identify maintaining a knowledgeable BSA Officer as a required pillar of the FI’s BSA program. The BSA Officer is responsible for oversight of the FI’s BSA program and must possess the requisite knowledge, skills, and abilities to successfully carry out this function. At a minimum, the BSA Officer should have an adequate understanding of the factors that promote enterprise-wide inherent risk and common money laundering and terrorism financing typologies.
Regulators tend to pay special attention to the BSA Officer’s authority, which should include the ability to unilaterally override decisions related to reporting suspicious activity, if necessary. As a merger inevitably impacts enterprise-wide risk, the acquiring institution’s BSA Officer should be prepared to conduct a new ERA in an effort to reevaluate the risks inherited as a result of the merger.
To evaluate the BSA Officer’s qualifications, the FI should consider the following questions:
The primary processes for the BSA/AML department involve its Know Your Customer (KYC) program and transaction monitoring strategy. The acquiring institution will need to reevaluate its existing processes to ensure compliance with these two elements.
Let’s first discuss the KYC aspect. The FI must establish processes for its KYC program, which includes maintaining a Customer Identification Program (CIP), Customer Due Diligence (CDD) policies and procedures, a Customer Risk Rating (CRR) methodology, and Enhanced Due Diligence (EDD) policies and procedures. The KYC process may be exceptionally difficult during a merger due to two major areas of concern. First, the acquiring institution and acquired institution may not collect the same amount and/or type of customer information at account opening and for CDD/EDD. Essentially, the KYC process during the merger requires an inventory of the available information about each customer to determine whether the FI collected the necessary documentation to verify the customer’s identity and understand the customer’s anticipated activity.
The difference in information collected by the acquiring institution and the acquired institution may result in CIP exceptions. The FI should establish a process that identifies CIP exceptions for the acquired institution’s customers and a process to remediate those exceptions. If there is missing information, the FI may not be able to establish an accurate risk rating for the customer, which is the second major area of concern with respect to the KYC process. Moreover, the risk rating model FIs use to assess customer risk varies substantially. As a result, the acquiring institution may need to establish a single streamlined process for assigning an accurate CRR to the acquired institution’s customers.
The FI should consider the following questions when evaluating its KYC program during a merger:
Having a well-thought-out transaction monitoring strategy can also impact a merger. The transaction monitoring process generally includes alert remediation, case investigation, and SAR filings. The key to a sound transaction monitoring strategy during a merger is identifying methods to ensure that operational processes are not disrupted at any point. Disruptions may result in operational backlogs, creating additional challenges to the merger.
The strategy should also include procedures for how FIs should address technological limitations. Oftentimes, the acquiring institution and the acquired institution employ different transaction monitoring software platforms, which harbor different rules and thresholds for the identification of suspicious activity. FIs often have different transaction monitoring processes and procedures, resulting in distinct degrees of tolerance for particular types of activity. As a result, the merged FI must develop guidance for its BSA personnel in order to establish standards for the identification of suspicious activity. The FI should also develop procedures for BSA personnel to perform outreach to front-line staff when additional information is required about a customer’s transactional activity.
The following questions may help guide the FIs in their transaction monitoring efforts:
The technology component requires FIs to merge their systems, which oftentimes includes core databases, alert and case management systems, and transaction monitoring platforms. Merging systems requires close collaboration between the FI’s IT department and the BSA department to ensure the BSA department has the resources required to perform its responsibilities. The BSA department should leverage IT tools and resources throughout all stages of the merger. The FI’s IT department should be involved with extracting data from the acquired institution’s systems and migrating the data to the acquiring institution’s systems. The sooner this happens, the easier it is to identify solutions to technological issues that may surface during the merger.
One of the challenges associated with this component includes potential data integrity issues. Data should be validated to ensure accurate data identification in the transaction monitoring platform. The FI may also use a merger as an opportunity to reevaluate its systems and transition to a new platform.
Some of the factors pertaining to technology that the FI should consider are:
Mapping out a strategy for a merger can be a lengthy process. Remaining proactive by performing appropriate due diligence prior to a merger and taking the necessary steps to assess potential problems and additional risk during integration can be extremely beneficial at effectively mitigating risk. Having the appropriate people, processes, and technologies situated, as well as maintaining a comprehensive ERA, will set both institutions up for a successful relationship and will ensure compliance with relevant BSA laws and regulations.
Is your financial institution well-prepared for a potential merger? Our Financial Crimes Advisory practice at AML RightSource has helped multiple institutions establish unified policies, procedures, and processes for a sound BSA program, all while maintaining the integrity of both institutions during a merger. Let us help you with your upcoming merger and/or acquisition.