In March 2014, Thomas J. Curry, Comptroller of the Currency, spoke before the Association of Certified Anti-Money Laundering Specialists about Bank Secrecy Act (BSA) and Anti-Money Laundering (AML) compliance. While he generally spoke positively about the efforts of banking institutions to meet the requirements of the BSA, he was also quick to point out that most of the headlines surrounding banks and the BSA are negative.
In other words, the media will seek out banks that are not in compliance. As a result, the industry as a whole must do more.
Curry noted that BSA infractions can, “almost always be traced back to decisions and actions of the institution’s board and senior management.” The underlying deficiencies that lead to these poor decisions fall into four areas:
In general, compliance is conforming to particular expectations, standards, or behaviors, whereas risk is an exposure to potential loss or injury. When we think of compliance in the security arena, it usually means following prescribed standards, which may be regulatory, industry best practices, or standards that are otherwise customized or company specific.
While compliance and risk often follow the same path, a compliance audit or survey is frequently performed with a one-size-fits-all "compliance-only" approach, as opposed to a risk-based one that requires more complex reasoning about what could actually go wrong and how badly.
Some may question the rationale of compliance if risk is not a constant consideration. Lack of experience, industry knowledge, or simply lack of time can hinder the ability to take a more risk-based direction. After all, a compliance-only approach simplifies the security audit process: it can be applied uniformly, it reduces subjectivity and error in assessment, and it lends itself to clear performance metrics.