Financial Crimes Compliance Auditing in a Consent Order Environment
Jason R. Smith, CAMS-Audit
RESTRICTED
ACAMS Advanced AML Audit Certification White Paper
March 30, 2015
Table of Contents
Executive Summary
Regulatory Background
Case Study 1 - TCF National Bank
Turning Point - Permanent Subcommittee on Investigations HSBC Report
Case Study 2 – Ocean Bank 2007 vs. M&T Bank 2013
Solutions to Auditing in the new Consent Order Environment
Less Reliance on Risk-Based Auditing
Consent Order Mapping
Automated and Continuous Monitoring
Consultants and Co-Sources
Conclusion—Auditing for Sustainability
Works Cited
Executive Summary
Recent consent orders are being regarded as an increasing benchmark for Bank Secrecy
Act/anti-money laundering (BSA/AML) regulatory interpretation. The question faced by
most financial institutions today is how they can adapt their audit approach to account for
this regulatory shift. This whitepaper will establish that the July 2012 Permanent
Subcommittee on Investigations (PSI) Report for HSBC was the impetus for this notable
change in the tone of consent orders. A comparison of recent consent orders versus those
published prior to the HSBC PSI report will show that regulators use these actions to
establish heightened Financial Crime Compliance (FCC) standards. The solution
proposed by this paper is adapting audit practice to fit increased regulatory scrutiny.
The threat of monetary penalties and negative media has forced financial institutions to
shift away from risk-based FCC auditing, conduct more robust testing and include
significant consent order validation work in their annual audit plan. The ongoing problem
for financial institutions is to understand how the new environment developed and how
they can stay ahead of the curve. The answer is to understand the impact the HSBC PSI
report had on banking regulators, how regulators have become more prescriptive through
their recent consent orders and how financial institutions can adapt their audit planning
for the new FCC Auditing environment.
Regulatory Background
On July 17, 2012, the Homeland Security and Governmental Affairs Permanent
Subcommittee on Investigations held a hearing that “examined the issue of money
laundering and terrorist financing vulnerabilities created when a global bank uses its U.S.
affiliate to provide… access to the U.S. financial system to high-risk affiliates, high-risk
correspondent banks and high-risk clients.” [10] It was through this hearing, the published
Subcommittee Report, and HSBC’s $1.92 billion settlement that a shift occurred for FCC
Auditing. In short, the PSI report called for higher examination standards and cited the
Office of the Comptroller of the Currency (OCC) for ineffective AML oversight. This was the
beginning of increased regulatory standards; the vehicle regulators have used to hold
financial institutions to higher standards has most noticeably been consent orders.
Through an analysis of OCC consent orders and guidance, it can be demonstrated that
regulatory actions prior to July 2012 were broader and less prescriptive. A comparison of
consent orders before and after the HSBC PSI report, along with trends within recently
published reports and guidance, will establish that regulators are using consent orders to
drive towards heightened expectations. The increase in regulatory scrutiny has a
meaningful impact for FCC auditors.
Case Study 1 - TCF National Bank
TCF National Bank provides an excellent starting point for an analysis of consent orders
before and after HSBC’s July 2012 PSI report. As a Minnesota-based national bank
holding company, TCF Financial Corporation has $19.4 billion in total assets and 379
branches in eight states, providing retail and commercial banking services. [11] In July
2010, TCF received a consent order from the OCC. Then in January 2013, another
consent order was issued against TCF. Though only a year and a half passed between
these consent orders, the tone is different, up to and including a civil monetary penalty
assessed in 2013. The bank was ultimately assessed a $10 million civil money penalty
for deficiencies in its practices that resulted in violations of the requirement to file
suspicious activity reports (SARs).
In the July 2010 consent order, TCF was required to take specific action with regard to
its compliance committee, BSA risk assessment, customer due diligence (CDD), BSA
internal controls, independent testing, suspicious activity reporting, and conducting a
look-back. [1] It is most important to note that no monetary penalty was assessed, or even
mentioned, in the 2010 consent order. Moving ahead to 2013, the overall tone of the
post-HSBC PSI report consent order changed considerably. Focusing on the area of TCF’s
account and transaction activity review, we see that the original consent order mandated
a look-back of November 2008 to July 2010. The second consent order then notes the
failure to file 2,357 SARs from that look-back period, as well as a follow-up review by the
OCC in November 2011 with 13 instances of failure to properly file SARs. The 2011
investigation even noted that the 13 instances of improperly filed SARs related to
transactions indicative of possible terrorist financing. [2]
Based on these circumstances outlined in November 2011, the OCC had noted significant
deficiencies in the Bank’s BSA/AML program, including missed SARs and failure to report
possible terrorist financing. This leaves us with a question: Why did we not see a
monetary civil penalty or second consent order until January of 2013? What changed
between November of 2011 and January of 2013? I contend that HSBC’s PSI report
changed the regulatory landscape, even for this small bank.
Turning Point - Permanent Subcommittee on Investigations HSBC Report
It is a safe assumption that most headlines regarding the release of the HSBC PSI report
relate to the laundry list of glaring FCC deficiencies. Most notable are lapses in controls
surrounding high-risk affiliates, circumvention of Office of Foreign Assets Control (OFAC)
prohibitions, bearer share accounts, bulk cash movement and a number of other
attention-grabbing FCC failures. Though the intricate story of FCC compliance lapses at a
large international financial institution is quite compelling and covers the first 281 pages of
this voluminous 333-page document, it is the final section that will be the lasting legacy of
this report. This whitepaper will present a case that the section titled “OCC: Exercising
Ineffective AML Oversight” will impact the AML programs of financial institutions for years
to come. This detailed and public disparagement of the OCC and its oversight of HSBC
has been a real game changer in the rigor of FCC oversight. The HSBC PSI report itself
gives us the most significant insight on the changing AML regulatory oversight. The report
points out a clear parallel between HSBC in 2012 and Riggs Bank in 2004. Though the
bank profiles vary greatly and the FCC deficiencies are different, the HSBC PSI report
notes that the circumstances are much the same because both reports demonstrate that
“the current OCC examination system has tolerated severe AML deficiencies for years
and given banks great leeway to address targeted AML problems without ensuring the
effectiveness of their AML program as a whole. As a result, the current OCC examination
process has allowed AML issues to accumulate into a massive problem before an OCC
enforcement action is taken.” [10] Though this statement indicates the July 2004 PSI report
against Riggs Bank was harsh on the OCC, the HSBC report was much harsher.
The commentary in the Riggs Bank PSI report regarding OCC oversight was far less
severe than that in the HSBC PSI report. Much like the HSBC report, the Riggs
report criticizes the OCC’s regulatory oversight in the midst of known FCC deficiencies.
Of the 30 pages within this particular section of the Riggs report, only a few
pages actually outline the deficient regulatory examination and oversight. The
majority of the commentary is aimed at the inadequate controls that ultimately led to the
failure of Riggs Bank. A reader of this report is given the impression that most of the
blame falls on Riggs. That being said, the regulators do face some criticism, though it is
very generalized. It is also important to note that the OCC is not the only regulator named
in the report; both the OCC and the Federal Reserve were negligent in their oversight of
Riggs. The report states: “OCC examiners accurately and repeatedly identified major
anti-money laundering deficiencies at Riggs Bank, but OCC supervisors failed to take
strong action to require improvements. OCC regulators were tolerant of the bank’s weak
anti-money laundering program, too willing to rely on bank promises to correct repeat
deficiencies, and failed initially to use available enforcement tools. Federal Reserve
regulators were slow and passive.” [4]
Much of the commentary on the OCC’s oversight is focused on the examiner-in-charge
(EIC) assigned to Riggs Bank. The report indicates that the OCC’s testing was sufficient,
FCC breakdowns were identified and the weak controls were well known. The root
causes for the perpetuation of the weak “culture of compliance” were identified as the
OCC’s willingness to believe the promises of Riggs to make necessary change, and an
EIC who was not discharging his duties in an independent manner. The relationship the
EIC had with Riggs Bank personnel resulted in him receiving a job offer upon his
retirement from the OCC. The report states that “[b]y taking a job at Riggs in 2002, after
the OCC failed to take enforcement action against the bank in 2001 and 2002 for AML
deficiencies, the former OCC Examiner-in-Charge at Riggs created, at a minimum, an
appearance of a conflict of interest. In addition, despite federal law barring former
employees from appearing before their former agencies on certain matters, and OCC
rules barring former employees from attending meetings with the agency for two years
without prior approval from the OCC ethics office, the former Examiner attended multiple
meetings with OCC personnel related to Riggs’ AML compliance.” [4] We are meant to
believe that the systemic FCC breakdown at Riggs and the lapse in oversight by the OCC
are all because of one man.
Though there is little doubt the HSBC PSI report details longstanding FCC deficiencies
within HSBC, it takes a markedly different tone in its assessment of
regulatory oversight. In particular, the report notes that despite 83 matters requiring
attention (MRAs) and two Cease and Desist orders (C&Ds), the “OCC supervisors took no
formal or informal enforcement action during nearly that entire period, allowing the bank’s
AML problems to fester.” [10] Not holding the bank to its commitments to resolve bank-wide
problems, failure to holistically examine the bank’s AML program and categorizing legal
violations as failures to follow the AML program were cited as the root causes of the OCC’s
ineffective AML oversight. This culminated in the PSI report going so far as to say that
the OCC had systemically failed in its regulatory oversight of HSBC. Unlike in the Riggs
report from eight years earlier, the OCC itself was being assessed by the subcommittee
as jointly responsible for the perpetuation of an ineffective AML program at HSBC.
So why did this make the HSBC PSI report an FCC game changer for all financial
institutions in this country? Simply stated, the OCC was now under the gun. The OCC’s
reaction has been to act directly on the systemic failures noted in the report. The higher
expectations of the OCC, enforced through consent orders, also have a dramatic impact
on the role of audit as the third line of defense for AML.
Case Study 2 – Ocean Bank 2007 vs. M&T Bank 2013
This case study will show that this regulatory shift is not limited to the OCC. The
Federal Reserve’s written agreement with M&T Bank in 2013 shows a dramatic change
from an older regulatory action, the 2007 FDIC C&D against Ocean Bank. This
change in regulatory tone is most evident when we compare actions that are six years
apart. Both banks were cited for transaction monitoring issues. In 2007, Ocean Bank was
to revise its policies/procedures for “comprehensive monitoring of high-risk accounts
with full utilization of account monitoring software, adequate systems for account
aggregation to ensure sufficient data to determine if Suspicious Activity Reports and
Currency Transaction Reports should be filed, and monitoring of high-risk and suspicious
activities for all types of accounts, products, services, and geographic areas.” [8] This C&D
only sets high-level expectations for Ocean Bank. Nowhere does it provide any insight on
the true expectations for the suspicious activity monitoring and reporting program.
M&T’s written agreement, in a post-HSBC PSI environment, is much different. The
Federal Reserve’s mandate for its SAR program and transaction review is very
prescriptive. First, there is a requirement to engage independent consultants for specific
high-risk transactions related to a subsidiary. Additionally, the monitoring and reporting of
these subsidiary transactions require “monitoring and investigation criteria and
procedures to ensure the timely detection, investigation, and reporting of all known or
suspected violations of law and suspicious transactions, policies regarding the level and
type of due diligence required when reviewing suspicious account activity, and escalation
of significant matters, including repetitive suspicious activity reporting and suspected
structuring activities.” [9] The difference in these two regulatory actions is night and day.
Ocean Bank is left with much leeway in how it is to address its transaction
monitoring and SAR reporting. M&T is not only given expectations; the Federal Reserve
is really telling them how to resolve these issues. Through these two case studies, along
with TCF National Bank, we see that regulators are getting harsher and are using consent
orders to set higher expectations. In the case of M&T, we see a very clear picture of how
regulators envision a robust suspicious activity monitoring and reporting program.
Solutions to Auditing in the new Consent Order Environment
Now that financial institutions see the impact of the subcommittee’s report on HSBC, and
the higher expectations that have resulted, this leaves them with a very important
question: What do we do now? This, in turn, has left internal audit functions asking
themselves two questions: What are the new standards by which we audit, and how do
the regulators define an effective FCC audit function? With the complexities inherent to
auditing FCC controls, especially at large international financial institutions, there could
be countless solutions to adapt an audit program to meet the new consent order
environment.
Without getting into that level of detail, I contend there are five distinct areas of focus that
will be necessary for an audit department to be effective when auditing FCC. Those
recommendations are as follows:

The first recommendation is to move away from purely risk-based auditing, because
audit focus becomes too confined to the areas with the greatest potential impact. This
focus on a financial institution’s ability to understand and manage its risk is simply not
compatible with the “no stone unturned” expectation of regulators.

The second recommendation is to conduct a mapping of consent orders to existing
audit issues/MRAs. With financial institutions juggling various FCC issues from
multiple internal and external sources, an audit function must be made aware of all
issues and must understand the interconnectivity. It is very easy for auditors to get
bogged down in the details and lose sight of the big picture.

The third recommendation is to use automated and continuous monitoring. From a
practical standpoint, the OCC’s Heightened Expectations have increased internal
audit’s requirement to periodically provide senior management, the audit committee
and the board of directors with an assessment of the FCC Framework. To accomplish
this level of reporting, audit departments must develop a means of continuous
monitoring. One clear solution is to leverage more automated monitoring;
understanding and assessing key data is a practical way to augment internal audit’s
traditional testing of internal controls.

The fourth recommendation is to leverage independent consultants and co-sources.
It is no secret that FCC audit teams are facing greater workloads and higher scrutiny.
Co-sources are often needed to simply augment staff when an audit team does not
have the needed capacity to get the job done. Co-sources, along with outside
consultants, are also a great source of subject-matter expertise in many cases, as an
organization may lack expertise in a certain field. Independent consultants may also
be necessary as a means of validating internal audit’s work, whether required
internally by management or externally by regulators.

The final recommendation is for internal audit to validate that the controls they are
testing are sustainable. In the past, much of audit’s focus has been on testing the
design, implementation and effectiveness of AML controls. The new standard appears
to be that audit must validate that controls are fully embedded and sustainable.
Less Reliance on Risk-Based Auditing
If you were auditing in a perfect world, and in an organization with an impeccable risk
management process, risk-based auditing would be the obvious choice for an internal
audit function. A risk-based approach allows internal audit to place much of its attention
on the organization’s risk management framework. Focusing on the organization’s ability
to identify and manage its risk enables an audit team to target its testing efforts on the
framework itself, with less testing required for specific AML controls. To put it bluntly, I
believe a risk-based approach will not be an acceptable audit practice for the foreseeable
future for most financial institutions when auditing an FCC program.
There are two primary drivers preventing risk-based AML auditing. First, it is very difficult
in the current regulatory environment for any internal audit function to argue that its
FCC risk management framework is strong. Second, by their nature, money launderers,
or any internal collusive parties, will look to move their money through channels deemed
low risk. In the OCC’s testimony given during the PSI hearings regarding HSBC, it was
said that: “we are committed to keeping abreast of how new technologies and payment
systems may affect BSA/AML compliance and to provide the industry and examiners with
guidance on these emerging risks.” [8] As such, risk-based auditing does not work in an
environment where a low-risk product, service, or line of business can quickly become
high risk. From a practical standpoint, AML auditors must align their audit plan to their
organization’s risk; however, a purely risk-based approach will not work. AML auditors
must be diligent to stay ahead of risk.
Consent Order Mapping
In order to operate with efficiency, banks with new consent orders or other regulatory
actions must conduct a mapping of consent orders to existing audit issues/MRAs. Not
only does this become important in managing large numbers of internally and externally
identified issues, it becomes a necessary tool that enables internal audit functions to
update senior management and the board on new and existing issues, and the status of
corrective actions. In JPMorgan Chase’s January 2013 Consent Order, the OCC required
that “the Bank’s Audit Program shall report all internal audit and OCC identified
deficiencies to the Compliance Committee, the Bank’s Audit Committee, and to senior
compliance management. The reports shall indicate the severity of the deficiencies, the
risks, the corrective actions and timeframes.” [5] Moreover, the OCC even required
JPMorgan Chase’s Audit Department to engage a monitor to review its audit work. This
is a clear indication that the regulators have defined an effective AML audit function as
one that clearly understands the interconnectivity of its various AML issues. The most
effective way to understand issues is to conduct a mapping.
Automated and Continuous Monitoring
One of the biggest practical challenges facing an FCC audit team is managing a
tremendous amount of data coming from various functional areas, compliance teams, and
lines of business. Adding to this challenge has been an increase in regulatory
expectations for ongoing reporting and assessment. In establishing heightened
expectations, the OCC has taken the stance that an “audit plan should include ongoing
monitoring to identify emerging risks and ensure that units, product lines, services and
functions that receive a low risk rating are reevaluated with reasonable frequency. The
audit plan should be updated at least quarterly and should take into account the bank’s
risk profile as well as emerging risks and issues.” [7] For large banks, the OCC’s Heightened
Expectations mean that internal audit can no longer rely so heavily on the execution of a
traditional annual audit plan. Continuous monitoring is the means for internal audit to
adapt to the changing inherent risk profile and emerging trends that exist within any large
financial institution.
Though automated and continuous monitoring are two very different auditing concepts,
they are invariably linked together. An effective and efficient continuous monitoring
program will require the use of automated monitoring. For FCC, automated monitoring
can range from simple ongoing gathering and tracking of key risk indicators, such as
OFAC/sanctions breaches, alert volumes, or SAR aging, to more complex automated
monitoring processes. These processes can include scanning clients for CIP
completeness, potentially unidentified PEPs, or clients with erroneous KYC data.
Overall, leveraging technology to monitor FCC data will enable an audit team to be in a
position to provide prompt FCC assessments to various organizational stakeholders. This
will avoid the pitfall inherent to traditional annual audit testing. Continuous and automated
monitoring are key tools to ensure internal audit is in a position to provide a material,
independent assessment of a bank’s FCC program at any given time. Overall, these two
tools will enable a financial institution to be proactive rather than reactive. Staying ahead of
emerging trends and internal control breakdowns is a must in today’s regulatory
environment.
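As an added illustration of the key risk indicators named in this section (example code written for this edit, not from the paper or any institution), the following Python computes SAR aging, alert volumes by month and CIP completeness over constructed case and customer records. It assumes a 30-day SAR filing window as the aging threshold and the four standard CIP elements (name, date of birth, address, identification number) as the completeness check; the record shapes and field names are hypothetical.

```python
from collections import Counter
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Hypothetical record shapes; a real audit team would pull these from the
# case-management and KYC systems rather than construct them inline.
@dataclass(frozen=True)
class AlertCase:
    case_id: str
    detected: date             # date the alert was raised / activity detected
    sar_filed: Optional[date]  # None if no SAR has been filed yet
    disposition: str           # "sar", "closed_no_sar", or "open"

@dataclass(frozen=True)
class Customer:
    customer_id: str
    fields: dict               # CIP data actually captured at onboarding

# Assumed required CIP elements: name, date of birth, address, ID number.
CIP_REQUIRED = ("name", "dob", "address", "id_number")

def sar_aging(cases, as_of, threshold_days=30):
    """Return {case_id: age_in_days} for cases whose SAR was filed late or is
    still pending past the threshold. Cases closed without a SAR are ignored;
    open cases are aged against the as-of date so they surface before filing."""
    overdue = {}
    for c in cases:
        if c.disposition == "closed_no_sar":
            continue
        end = c.sar_filed if c.sar_filed is not None else as_of
        age = (end - c.detected).days
        if age > threshold_days:
            overdue[c.case_id] = age
    return overdue

def alert_volume_by_month(cases):
    """Count alerts by detection month ('YYYY-MM') so a spike or a collapse in
    volume (a rule change, a monitoring-system outage) is visible over time."""
    return dict(Counter(c.detected.strftime("%Y-%m") for c in cases))

def cip_gaps(customers, required=CIP_REQUIRED):
    """Return {customer_id: [missing fields]} for records lacking a required
    CIP element or holding only an empty/whitespace value for it."""
    gaps = {}
    for cust in customers:
        missing = [f for f in required if not str(cust.fields.get(f, "")).strip()]
        if missing:
            gaps[cust.customer_id] = missing
    return gaps

def kri_snapshot(cases, customers, as_of):
    """Assemble the indicators an audit team would report periodically."""
    return {
        "sar_overdue": sar_aging(cases, as_of),
        "alerts_by_month": alert_volume_by_month(cases),
        "cip_gaps": cip_gaps(customers),
    }

# Constructed sample data (not drawn from any institution).
SAMPLE_CASES = [
    AlertCase("C-1", date(2015, 1, 5), date(2015, 1, 20), "sar"),    # filed in 15 days
    AlertCase("C-2", date(2015, 1, 12), date(2015, 2, 27), "sar"),   # filed in 46 days
    AlertCase("C-3", date(2015, 2, 3), None, "open"),                # still open, 55 days
    AlertCase("C-4", date(2015, 2, 18), None, "closed_no_sar"),      # no SAR required
    AlertCase("C-5", date(2015, 3, 2), None, "open"),                # open, within window
]
SAMPLE_CUSTOMERS = [
    Customer("K-1", {"name": "A. Example", "dob": "1970-01-01",
                     "address": "1 Main St", "id_number": "X123"}),
    Customer("K-2", {"name": "B. Example", "dob": "", "address": "2 Main St"}),
    Customer("K-3", {"name": "C. Example", "dob": "1985-05-05",
                     "address": "3 Main St", "id_number": "   "}),
]
AS_OF = date(2015, 3, 30)

if __name__ == "__main__":
    for name, value in kri_snapshot(SAMPLE_CASES, SAMPLE_CUSTOMERS, AS_OF).items():
        print(f"{name}: {value}")
```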
Consultants and Co-Sources
Independent consultants and co-sources are two means for AML audit teams to cope with
regulatory pressure. That pressure comes in the form of higher standards, as well as
direct regulatory requirements to leverage independent consultants to validate internal
audit’s work. The OCC’s testimony given during the HSBC PSI hearings noted a trend in
banks with a “lack of sufficient staffing, high turnover rates, or the impact of compliance
cuts on the program. In some cases, banks cut staffing and resources in the BSA area
during the financial crisis. In other cases, banks’ compliance department staff and
expertise have failed to keep pace with the growth of the institution.” [3] The only logical
short-term solution to staffing and subject-matter expertise shortcomings is to get
temporary help.
In a November 2013 news release, the OCC published guidelines titled “Use and
Review of Independent Consultants in Enforcement Actions.” The bulletin notes that the
OCC has been requiring the use of independent consultants to “address significant
deficiencies with banks’ programs related to compliance with Bank Secrecy Act and
anti-money laundering laws and regulations (BSA), including reviews of banks’ BSA
staffing, risk assessment, and internal controls. The OCC has also ordered reviews by
independent consultants of the adequacy of actions already taken by banks to address
the deficiencies in their BSA programs.” [6] These new guidelines are a clear indication of
the OCC’s trend in requiring outside consultants to verify internal controls, including the
assessment of internal audit.
Conclusion—Auditing for Sustainability
In summary, this white paper shows that today’s regulators are expecting audit
to go beyond validation of implementation and operational effectiveness. There has
been an increasing need to be able to demonstrate that FCC controls are sustainable.
With recent consent orders stressing that financial institutions establish effective AML risk
assessments, perform model validation, ensure requisite staff knowledge, conduct
ongoing training, and move towards more automated controls, there is a clear trend in
making sure controls are embedded. The corrective actions noted in consent orders prior
to the HSBC PSI report were less prescriptive and tended to focus on short-term fixes.
The long-term solution for any organization is to make sure that the FCC program controls
are sustainable. FCC audit, as a third line of defense for any financial institution, must
evolve to this new regulatory expectation. In the long run, it will be the FCC programs that
embed sustainable controls that will be best suited for an ever-changing regulatory
environment.
Works Cited
1) Comptroller of the Currency of the United States of America (OCC), Consent Order
#2010-164 against TCF National Bank, Sioux Falls, South Dakota, 20 July 2010.
2) Comptroller of the Currency of the United States of America (OCC), Consent to the
Issuance of a Consent Order for a Civil Money Penalty #2013-003 against TCF
National Bank, Sioux Falls, South Dakota, 25 January 2013.
3) Comptroller of the Currency of the United States of America (OCC), Testimony of
the Office of the Comptroller of the Currency Before the Permanent Subcommittee on
Investigations of the Committee on Homeland Security and Governmental Affairs of
the US Senate, 17 July 2012.
4) Comptroller of the Currency of the United States of America (OCC), Money
Laundering and Foreign Corruption Enforcement and Effectiveness of the PATRIOT
Act Case Study Involving Riggs, 15 July 2014.
5) Comptroller of the Currency of the United States of America (OCC), Consent Order
#2013-002 against JPMorgan Chase Bank, N.A., Columbus, Ohio; JPMorgan Bank
and Trust Company, N.A., San Francisco, California; and Chase Bank USA, N.A.,
Newark, Delaware, 14 January 2014.
6) Comptroller of the Currency of the United States of America (OCC), Bulletin 2013-33
Use and Review of Independent Consultants in Enforcement Actions, 12 November
2013.
7) Comptroller of the Currency of the United States of America (OCC), OCC Guidelines
Establishing Heightened Standards for Certain Large Insured National Banks,
Insured Federal Savings Associations, and Insured Federal Branches; Integration of
12 CFR Parts 30 and 170, 10 January 2014.
8) Federal Deposit Insurance Corporation (FDIC), Ocean Bank Miami, Florida Order to
Cease and Desist, 16 March 2007.
9) Federal Reserve Bank of New York, Written Agreement with M&T Bank Corporation
and Manufacturers & Traders Trust Company Buffalo, New York, 17 June 2013.
10) Permanent Subcommittee on Investigations (PSI), U.S. Vulnerabilities to Money
Laundering, Drugs, and Terrorist Financing: HSBC Case History, 17 July 2012.
11) TCF Financial Corporation, TCF Bank Profile, 2015. <www.tcfbank.com/abouttcf_tcf-bank-profile.aspx>.