On June 5, 2008, Goodwin Procter, in conjunction with Navigant Consulting, hosted a breakfast briefing in Goodwin Procter’s New York office regarding compliance with anti-money laundering (“AML”) and Office of Foreign Assets Control (“OFAC”) laws and regulations. The panelists from Goodwin Procter were Satish Kini, a partner in the firm’s Financial Services Practice, and Rich Strassberg, Chair of the firm’s White Collar Crime & Government Investigations Practice.
The Goodwin and Navigant panelists offered a variety of observations regarding the evolving nature of AML/OFAC compliance. To begin with, they noted that regulatory expectations for AML/OFAC compliance have changed in the seven years since the USA Patriot Act was initially enacted. Whereas in the past, regulators – and, particularly, the securities regulators – focused on whether financial institutions had written policies and procedures for AML/OFAC compliance, today, the focus is on effective implementation of those policies and procedures. Accordingly, institutions need to focus on matters such as training and communications (both from the top-down and bottom-up), governance structures, documentation, and systems integration.
In addition, the panelists noted that managing regulatory relationships must be viewed as a fundamental part of a well-functioning AML/OFAC compliance program. Using examples from recent enforcement actions, the panelists noted that institutions that fail to appreciate regulatory concerns and pressures may face regulatory skepticism that can complicate compliance efforts.
Implementing Risk-Based AML/OFAC Programs. The panelists observed that a key element in a well-functioning compliance program is an adequate consideration of the AML/OFAC risks posed to an institution. The panelists suggested that firms have a dynamic process to identify and manage risks presented by their specific product lines, their customer base, and the geographic reach of their operations. Institutions with enterprise-wide compliance programs were advised to assess risks both within business lines and on a consolidated basis. The best compliance programs, the panelists noted, have a feedback loop within the institution to monitor shifting risks.
The panelists also described risk-assessment pitfalls that they have observed. For example, they noted the need to avoid generic, off-the-shelf risk assessments; self-serving risk assessments; and risk assessments that fail to ask the right questions, are inadequate in scope, are poorly documented, are divorced from mitigation controls, or lack follow-through.
Developing an Enterprise-Wide Compliance Program. The panelists observed that regulators applaud corporate governance frameworks that provide a consolidated understanding of an organization’s risk exposure to money laundering and terrorist financing. The panelists discussed the ways in which such a risk management framework can be established, including by taking into account the organization’s risk exposure across all activities, business lines, and legal entities. The panelists advised that, in order to develop enterprise-wide compliance programs, management needs to play an active role in oversight, create a line of accountability, develop open lines of communication, and empower compliance professionals with the authority and flexibility to implement the program. Institutions also need to respond to changes in their business and develop common vocabularies across businesses (and between business and compliance) with regard to risk.
Addressing and Managing Problems. Finally, the panelists considered what to do when compliance problems arise. The panelists noted that one step may be an internal investigation to allow the firm to know the relevant facts and to demonstrate to regulators a proactive posture in addressing any problems. In this regard, the panelists noted that regulators often provide credit to institutions that self-report issues and remedy deficiencies prior to regulatory directives to do so.