ACAMS Today had the opportunity to speak with William J. Fox, managing director, global financial crimes compliance executive for Bank of America and an ACAMS advisory board member.
Fox is global financial crimes compliance executive for Bank of America Corporation, one of the largest financial institutions in the world. He is responsible for directing the company’s Anti-Money Laundering, Economic Sanctions, and Anti-Bribery/Anti-Corruption Programs.
Prior to joining Bank of America in 2006, Fox served as the director of the Financial Crimes Enforcement Network (FinCEN), the U.S. Financial Intelligence Unit. Fox was appointed by Treasury Secretary John Snow in 2003. Among other things, Fox led FinCEN’s administration of the Bank Secrecy Act of 1970, as amended by the USA PATRIOT Act of 2001. Before his appointment as FinCEN director, Fox served in the Department of the Treasury from 2001 to 2003 as Associate Deputy General Counsel. He was the principal assistant and senior advisor to the Treasury’s General Counsel on issues related to terrorist financing and financial crime. Fox received a Presidential Meritorious Rank Award for his work on these issues.
ACAMS Today: As managing director, global financial crimes compliance executive for Bank of America, you have implemented a successful approach to combating financial crimes. Explain for our readers your definition of financial crimes.
William Fox: At our firm, Financial Crimes from a “compliance” perspective are Anti-Money Laundering laws; Economic Sanctions laws; and, laws relating to Anti-Bribery and Anti-Corruption. For example, in the U.S., it is compliance with the Bank Secrecy Act and USA PATRIOT Act; sanctions laws such as the Trading with the Enemy Act and the International Emergency Economic Powers Act; and, anti-corruption laws such as the Foreign Corrupt Practices Act.
AT: How do you integrate the new direction of financial crimes within the pre-existing AML framework?
WF: The biggest integration we have accomplished at our firm is that we have moved both the “compliance” aspects of fraud investigation and reporting into our team as well as the compliance assets dedicated to anti-bribery and anti-corruption. Having these groups together creates not only efficiency, but greater effectiveness as well.
AT: Is Bank of America at the beginning, middle or toward the end of the process of joining both the AML and fraud divisions?
WF: We have a strategy defined and we are executing it against that strategy, so I would say we are at the end of the project. Defining the strategy and gathering the necessary facts to do the job correctly usually are the tasks that take more time; however, executing against the defined strategy is always the harder piece. We gave ourselves a self-imposed deadline which is the first quarter of 2013. We are confident that we will meet our deadline.
An important point here is that we are not integrating the entire fraud function. We have a large group of employees dedicated to fraud detection, mitigation and collection. These “operational” functions of fraud will still remain separate. We have only moved the employees who were working on the compliance aspects of fraud (i.e., the employees who analyze, investigate and report fraud-related activity that is suspicious). So at our firm today, we have created two swim lanes: 1) Fraud detection, mitigation and collection which is related more to operations or operational risk and 2) The compliance aspect of fraud, which is a fraud function.
Firms can make mistakes when they mash everything together and organize by topic, not by function. The thinking runs along these lines — it is all crime, it has to be related. The fact of the matter is that it is not. If you really think about it, the functions are very different. At our firm, we decided to focus on function. AML, for example, has always been a compliance function. In other words — but for complying with the law and managing reputational risk — most firms would not have allocated significant resources to AML if it were not for the laws that require them to do so. Fraud is different. Fraud hits the bottom line. Every dollar a company loses to fraud comes out of the bottom line. In addition, fraud is a terrible experience for customers. Fraud detection and mitigation has been with financial firms since the beginning of time — for operational reasons. At our firm, we came to the conclusion it would be better to focus on function rather than topic.
AT: In this integration process, where do you draw the line with regards to the limited resources faced by AML professionals?
WF: It is critical to have the right resources — human and systems — in order to administer the function. If financial firms have learned anything from the HSBC hearing, it is that being under-resourced in these areas is a road to nowhere. If you have done everything you can to make your function as efficient as possible and you still need resources, you need to raise your hand and let management know; particularly as it relates to the detection, investigation and reporting as pieces of financial crimes. All AML compliance officers have a fiduciary responsibility to their firms to perform these functions as efficiently as we possibly can and still comply with the law. At the same time, once you reach that point, if you find that your resources are lacking, you have to raise your hand and let management know — and, in my judgment, management has to respond.
AT: What would you do if management does not respond?
WF: The first thing you need to do is make sure that you are doing everything possible and that everything is running smoothly and efficiently. You owe that to your firm. You cannot have redundant processes; you cannot have weak operations that are not running at full capacity. If you have done everything you can and you still need additional resources and your firm says no to your request, you need to think long and hard if you want to stay at that firm. Also, with the current climate at least in the U.S., I do not think that there is a firm out there that would not provide you with needed resources if you present your case and demonstrate that your department is working as efficiently as possible. My firm has been extremely supportive in this way.
AT: What advice would you give on how AML professionals can still meet their ever increasing responsibilities and requirements?
WF: You need to know your firm, know your risks and what it takes to cover those risks so that you can effectively comply with the law. This will be different for every firm out there. It all goes back to your risk assessment. Understanding your risk is key to building an effective program: understanding your business model, your products, your clients and the geographies where you operate. Then you design your control environment to address those risks, ensuring that you have a fundamentally sound overall program. I believe you also must make your program and processes as efficient as you possibly can, while still ensuring they are effective.
AT: From an operative perspective, how do you go about a financial crimes investigation? What should be the key steps in the investigation process?
WF: From a systemic perspective, we have developed systems and processes that allow us to consolidate and view alerts holistically — whether generated by transaction monitoring systems or received from sources outside the firm. Once those alerts reach a certain risk threshold, we create a “case,” which is reviewed by an investigator. That investigator makes the initial recommendation with the facts in the “case” that demonstrate activity that is suspicious and needs to be reported. That recommendation is reviewed and a decision is made. If the decision is that the matter is suspicious, we file the report with the appropriate authority.
In our view, there are three principal phases to any investigation: 1) Detection; 2) Analysis and/or further Investigation; and, 3) Reporting.
One key recommendation I have for anyone in an AML compliance role is to make friends with appropriate law enforcement (LE) authorities. Keep close contact with them. When you file a SAR, send LE a copy. This will let LE know that you are on top of suspicious activity at your firm and that you are paying attention. It is important to develop relationships with your local LE.
AT: Should the approach on filing a SAR be amended in light of the integration of financial crimes into the AML regime?
WF: No, not really. But, whether you integrate or not, you must find a way to show a holistic picture of the activity you are reporting. This can be a hard thing to do for firms of any size. It is embarrassing when one department is filing a SAR for a client for some activity suspected to be money laundering and another department in the firm is filing a SAR on the same client for suspected fraud. You need to remove such conflicts within your institution. One of the benefits of putting fraud and AML together is that this will help you present a holistic view of the client activity. But ultimately the approach is the same. You still need to detect, analyze and report.
AT: At the ACAMS NYC Forum in September you identified seven key risks. Could you give a brief summation of your comments?
WF: As background, I was listening to the HSBC hearing from my desk. I had already read the PSI report and as I continued to listen to the hearing I realized this was a game changer. Not only because of the allegations made against HSBC but also because of the sub-committee’s allegations relating to the OCC. After listening to the hearing, I went back and read every enforcement action that the government had taken in the AML space since 2001. I also read every Senate PSI report relating to money laundering. When you do that, it is pretty amazing how consistent the government has been on the risks that they really care about. I think you can boil this down to seven key buckets of risk. It is our view that — assuming you have a sound fundamental program — if you can build a strong control environment around these key buckets of risk, you have done much to protect your firm from significant adverse action.
The seven key buckets of risk we have identified are:
- Correspondent Banking — and all attendant products and services, e.g., pouch activities; dollar drafts; wire payments; remote deposit capture, etc.
- Cash/Currency — particularly handling of bulk cash, e.g., wholesale banknotes; cash vault services; incoming “bulk” cash into banking centers, etc.
- Private Banking — particularly private banking with non-transparent entities and vehicles, e.g., PICs; PHCs; Bearer Share Entities; Trusts, etc.
- Embassy (Foreign Mission) Banking/Mission Personnel/Senior Political Figures or PEPs — Providing banking services to embassies or foreign missions and the diplomats who work in the missions — or to senior political figures that could be moving proceeds of corruption.
- Non-Bank Financial Institutions — Providing services for MSBs, Third Party Payment Processors; Check Cashers, etc.
- Non-Transparent Entities — Providing banking services to non-transparent legal entities, e.g., LLCs.
- Economic Sanctions/Stripping — Stripping information from payment messages or transactions to avoid economic sanctions filters.
We are conducting enterprise-wide risk assessments of these key risk areas — with a deep assessment of internal controls decked against those risks and will report them out to the business this month. We will then work together with the business lines to ensure that we have strong controls decked against these risks. We have already met with senior management and told them about the environment and what to expect. That is really a key first step. You also need to meet with the regulators and apprise them of your plans — whatever you decide to do. My advice is to be proactive. Engage the heightened environment with appropriate action — do not sit back and let the environment engage you.
This is what we are doing to respond to the environment. I am not saying this is what others should do; but, what AML professionals need to recognize is that the AML environment has changed significantly and you have to decide for your firm what that means and design the right response. Again, I would go out and meet the challenge proactively. Do not wait for the challenge to come to you. This is what we are trying to do at Bank of America.
AT: In your opinion, what are the biggest challenges facing financial crimes prevention professionals in 2013?
WF: As AML professionals, I think we are in a place where we will now have to prove everything. In today’s environment, we’re all from Missouri . . . the key phrase we will hear will be “SHOW ME.”