Bates Research | 01-16-25
Navigating Compliance Hurdles as a BSA Officer
In December 2024, the FDIC issued an AML-related order to an institution for violations of law. The order revealed that a BSA Officer at that institution informed the FDIC he was as concerned about losing a customer as he was about identifying and reporting suspicious activity. It’s important for the general public to understand that this BSA Officer represents an exception to the rule. Most BSA Officers are committed to following laws and regulations, doing what’s right, and managing institutional risks. This commitment stems partly from knowing they can face personal liability and civil monetary penalties for willful negligence in Bank Secrecy Act violations. Additionally, as a fundamental pillar of the Bank Secrecy Act, the BSA Officer role faces intense scrutiny during audits and examinations, leading most officers to take their responsibilities seriously.
As BSA Officers carry out their professional duties, however, they often encounter hurdles that can impede their ability to perform their duties effectively, comply with regulations, and protect their careers. Anyone who’s ever been a BSA Officer can likely relate.
This article explores two common challenges BSA Officers can face, along with practical actions and risk management strategies they can employ to protect themselves while seeking new opportunities.
Hurdle #1: Communication Breakdown
The reporting, communications, and requests submitted by the BSA Officer either don't reach senior management and the Board, or undergo significant editing by managers that appears to minimize risk and obscure critical information.
Challenge: This often occurs when BSA Officers request additional resources or systems for risk management. While proper organizational positioning and direct reporting lines would help, BSA Officers typically can't restructure their reporting relationships unilaterally. They can advocate for better reporting structures by:
- Referencing relevant consent order language
- Documenting instances where critical risk communications didn't reach leadership
- Highlighting examples of risk-related editing that altered their message
Recommended action: BSA Officers in this situation should document the times their risk-based reporting or communication did not reach its intended target, document how it was edited to downplay or mask risk, and document outcomes. They should also document their requests. Most importantly, BSA Officers should avoid falling into the ‘silence trap’ — halting requests, reporting, and communications because they know the effort is in vain. This is a very dangerous trap for BSA Officers to fall into because once they stop communicating, they can become liable. In other words, the BSA Officer should continue to carry out their responsibilities, even when faced with resistance. The BSA Officer should also communicate their concerns to auditors and examiners whenever possible. The above actions may not change the situation for the BSA Officer, but they can help shield the BSA Officer from personal liability.
Caveat: It goes without saying the BSA Officer should never, ever, purposely withhold information from auditors and examiners. Purposely withholding information from examiners might be a violation of the law in itself. If BSA Officers prepare information based on auditor or examination requests, and submit it as requested, and management decides to withhold it, that should be documented by the BSA Officer. This is a high-stakes situation, and there has been at least one consent order during the past five years in which a BSA Officer was found to have withheld information from an examiner, resulting in severe penalties.
Hurdle #2: Resistance to Risk Management Recommendations
Management pushes back against or ignores BSA Officer recommendations regarding customer relationships and third-party risk management.
Challenge: This commonly occurs when BSA Officers recommend:
- Exiting customer relationships
- Enhancing customer due diligence (CDD)
- Increasing enhanced due diligence (EDD) for Fintech partners
While BSA Officers oversee the risk management program, none of the above can happen without the agreement of management and those in the first line of defense who will carry out those tasks. Obtaining additional CDD and EDD involves procedural changes in the departments that perform that gathering. Very seldom can the BSA Department perform those tasks on its own because it tends not to be customer-facing.
Recommended action: BSA Officers should be creative in finding ways to gather and analyze what data they can — perhaps considering technology solutions to help. This demonstrates the BSA Officer’s acknowledgement that they need to do something, even if management doesn’t agree with the BSA Officer’s recommendation: “I’m being blocked from doing ABC, but maybe I can do XYZ instead.”
The BSA Officer should also consider presenting language from 2023 and 2024 consent orders related to insufficient CDD and EDD on certain customer types and third parties, as there are numerous orders addressing this topic.
Lastly, as mentioned above, the BSA Officer should document their recommendations (especially to exit a customer relationship), and the outcome of those recommendations.
Caveat: Be prepared to explain to examiners your risk mitigation efforts when unable to implement preferred solutions, particularly regarding high-risk relationships with multiple SAR filings. As always, the BSA Officer needs to be able to explain to the examiner what they recommended, the outcome, and what the BSA Officer did instead to mitigate risk.
Final Considerations
In extreme risk situations where BSA Officers cannot adequately manage risk or exit the institution, whistleblowing remains an option. At least one of the significant consent order situations in the past few years has involved an internal whistleblower. However, most officers choose to resign when risk management becomes untenable, following the principle that it's "better to be unemployed than unemployable." When faced with such a decision, many officers will pick the former. BSA Officers that are as concerned about losing a customer as they are about identifying and reporting suspicious activity could very well become the latter.
Brandi Reynolds
Chief Growth Officer and Senior Managing Director, Fintech & Banking Compliance