Agency Information Collection Activities: Information Collection Extension With Revision; Submission for OMB Review; Bank Secrecy Act/Money Laundering Risk Assessment

AGENCY:

Office of the Comptroller of the Currency (OCC), Treasury.

ACTION:

Notice and request for comments.

SUMMARY:

The OCC, as part of its continuing effort to reduce paperwork and respondent burden, invites the general public and other Federal agencies to take this opportunity to comment on a proposed information collection, as required by the Paperwork Reduction Act of 1995 (44 U.S.C. chapter 35) (PRA).

In accordance with the requirements of the PRA, the OCC may not conduct or sponsor, and the respondent is not required to respond to, an information collection unless it displays a currently valid Office of Management and Budget (OMB) control number.

The OCC is soliciting comments concerning an information collection titled “Bank Secrecy Act/Money Laundering Risk Assessment,” also known as the Money Laundering Risk (MLR) System.

The OCC is also announcing that the proposed collection of information with extension has been submitted to OMB for review and clearance under the PRA.

DATES:

Comments must be submitted by September 7, 2016.

ADDRESSES:

Because paper mail in the Washington, DC area and at the OCC is subject to delay, commenters are encouraged to submit comments by email, if possible. Comments may be sent to: Legislative and Regulatory Activities Division, Office of the Comptroller of the Currency, Attention: 1557-0231, 400 7th Street SW., Suite 3E-218, Mail Stop 9W-11, Washington, DC 20219. In addition, comments may be sent by fax to (571) 465-4326 or by electronic mail to prainfo@occ.treas.gov. You may personally inspect and photocopy comments at the OCC, 400 7th Street SW., Washington, DC 20219. For security reasons, the OCC requires that visitors make an appointment to inspect comments. You may do so by calling (202) 649-6700, or for persons who are deaf or hard of hearing, TTY, (202) 649-5597. Upon arrival, visitors will be required to present valid government-issued photo identification and submit to security screening in order to inspect and photocopy comments.

All comments received, including attachments and other supporting materials, are part of the public record and subject to public disclosure. Do not include any information in your comment or supporting materials that you consider confidential or inappropriate for public disclosure.

Additionally, please send a copy of your comments by mail to: OCC Desk Officer, 1557-0231, U.S. Office of Management and Budget, 725 17th Street NW., #10235, Washington, DC 20503, or by email to: oira_submission@omb.eop.gov.

FOR FURTHER INFORMATION CONTACT:

Shaquita Merritt, OCC Clearance Officer, (202) 649-5490, or for persons who are deaf or hard of hearing, TTY, (202) 649-5597, Legislative and Regulatory Activities Division, Office of the Comptroller of the Currency, 400 7th Street SW., Washington, DC 20219.

SUPPLEMENTARY INFORMATION:

In compliance with 44 U.S.C. 3507, the OCC has submitted the following proposed collection of information to OMB for review and clearance.

Bank Secrecy Act/Anti-Money Laundering Risk Assessment

The MLR System enhances the ability of examiners and bank management to identify and evaluate any Bank Secrecy Act (BSA)/Money Laundering (ML) and Office of Foreign Assets Control (OFAC) sanctions risks associated with the banks' products, services, customers, and locations. As new products and services are introduced, existing products and services change, and banks expand through mergers and acquisitions, a bank's management's evaluation of potential new money laundering and terrorist financing risks is expected to evolve as well. The MLR risk assessment is an important tool for the OCC's BSA/Anti-Money Laundering (AML)/OFAC supervision activities because it allows the OCC to better identify those institutions, and areas within institutions, that pose heightened risk, and allocate examination resources accordingly. This risk assessment is critical to protect financial institutions of all sizes from potential abuse from money laundering or terrorist financing. Absent an appropriate risk assessment, applicable controls cannot be effectively implemented for lines of business, products, or entities, which would elevate BSA, AML, and OFAC compliance risks.

The OCC will collect MLR information for all financial institutions supervised by the OCC.

OMB Control No.: 1557-0231.

Type of Review: Regular.

Frequency of Response: Annual.

Burden Estimates:

Community Bank and Federal Branches and Agencies populations:

Estimated Number of Respondents: 1,450.

Estimated Number of Responses: 1,450.

Frequency of Response: Annually.

Estimated Annual Burden: 8,700 hours.

Midsize Bank population:

Estimated Number of Respondents: 47.

Estimated Number of Responses: 47.

Frequency of Response: Annually.

Estimated Annual Burden: 1,175 hours.

Large Bank population:

Estimated Number of Respondents: 38.

Estimated Number of Responses: 38.

Frequency of Response: Annually.

Estimated Annual Burden: 3,040 hours.

The OCC issued a 60-day Federal Register notice on January 4, 2016, soliciting comments concerning combining this existing community bank information collection with expansion to all OCC-supervised institutions. Eight comments were received: Four from OCC-supervised banks, two from industry associations, one from a bank holding company and one from an individual. Of the five comments received from a bank holding company or a bank, three were from midsize banks, and the remaining two comments were from community banks.

1. Comments on Practical Utility of the Data Collection

Comments were invited on whether the collection of information is necessary for the proper performance of the functions of the agency, including whether the information has practical utility. Two commenters stated concern for either the small degree of practical utility or no practical utility obtained by requiring all OCC-supervised banks to report MLR data and linked the cost/benefit value of the cost of gathering and reporting the data to the benefit derived to the bank or to the OCC. An additional commenter stated that they saw no prudential or supervisory benefit to expanding the annual MLR data collection requirement to midsize or large banks when the OCC has access to the information on a dynamic basis. One commenter stated that the OCC must clearly demonstrate that costs and burdens associated with MLR do not outweigh the benefits. One commenter stated that the collection of MLR data is not necessary because the OCC already has access to the data through its supervisory process, including the current BSA/AML risk assessment expectation.

Six commenters stated that the one-size-fits-all approach or proposed mandatory uniform approach for collecting MLR data from all OCC-supervised banks is inconsistent or at odds with the Federal Financial Institutions Examination Council (FFIEC) BSA/AML Examination Manual (Manual), as the FFIEC Manual provides for a variety of effective methods and formats to be used in completing a risk assessment. Two commenters stated that requiring only OCC-supervised banks to report MLR data would create the equivalent of an “uneven playing field” for national banks and Federal thrifts and agencies. One commenter stated that the OCC should explain why collecting rudimentary MLR summary data is needed when there are relatively few BSA enforcement actions and other supervisory actions related to the BSA. One commenter stated that the proposal does not provide analysis of why extending the MLR to all financial institutions would enhance the ability of examiners and bank management to identify and evaluate BSA/ML and sanctions risks. The commenter further stated that the proposal does not explain how BSA/AML/OFAC risk assessment provided through the MLR System enhances the OCC's understanding of such risks or why this information is necessary for the OCC to address supervisory concerns about those financial institutions.

Collecting MLR data from all supervised banks will yield substantial information that will provide a high degree of utility for the OCC in meeting its supervisory obligations under applicable statutes and regulations. The purpose of the MLR System is to support the OCC's supervisory objectives by allowing for the identification and analysis of BSA/ML and OFAC sanctions risks across the population of all OCC-supervised banks, to assist examiners in carrying out risk-based supervision pursuant to the FFIEC Manual, and to meet the OCC's supervisory obligations under applicable statutes and regulations. Whether to collect MLR data is not in any way linked to whether an institution is the subject of a BSA/AML/OFAC enforcement or any other type of supervisory action. MLR data is simply data about a bank's products, services, customers, and geographies that is gathered prior to examinations to promote effectiveness and efficiency in OCC examination scoping and transaction testing. The expansion of the MLR System to all OCC-supervised institutions will allow contemporaneous data to be analyzed consistently across the agency and thus will allow the OCC to better identify those institutions, and areas within institutions, that pose heightened BSA/ML, and OFAC risk. The data collected through the MLR process is not collected by the OCC in any similar format.

The MLR is not intended to supplant banks' full BSA and OFAC risk assessments. The OCC's evaluation of a bank's full risk assessment is performed during regular examinations. In addition to the OCC's uses, the MLR data can be used by banks as the first step in the two-step process of the banks' BSA and OFAC risk assessments. The first step in any risk assessment process is to gather data, and the MLR data gathered should be substantially similar to information needed to perform those internal bank analyses of BSA and OFAC risks.

Additionally, the self-reported MLR data are provided back to the bank along with peer data so that the bank can conduct comparison and trend analyses concerning their data and peer data.

While the FFIEC Manual was developed by the agencies to ensure consistency in the application of BSA/AML requirements and to promote uniformity in the supervision of financial institutions, each agency has the ability to supplement the supervision process with their own tools. The MLR is one such tool the OCC uses in its BSA/AML supervision of banks that permits consistent identification of potentially higher-risk products, services, customers and geographies; expansion of the MLR will expand this utility across all OCC business lines and institution sizes. Rather than contradict the consistent and uniform approach that using the FFIEC Manual provides, the MLR System complements the Manual's procedures for risk assessment and supervision purposes. The submission of MLR data in a consistent format allows the agency to perform effective data risk analytics. Extending the MLR to all OCC-supervised banks, Federal thrifts, and Federal branches and agencies will provide the OCC the same type of bank data to identify and evaluate BSA/ML and sanctions risks in a consistent manner, regardless of institution size.

2. Comments on Estimate of Burden

The OCC requested comment on the accuracy of the agency's estimate of the burden of the collection of the information. One commenter questioned what the OCC included in the estimate of burden hours. Another commenter stated that they agree with the estimate of burden hours for their institution but also stated concern for peer banks, noting that cost estimates vary greatly depending on the size, structure, and reporting format currently utilized and technological resources available to each bank. Six commenters stated that the estimate of burden is too low. Two commenters noted the reduction in the estimate of burden hours from 2013 for midsize and large bank populations, with one commenter making the assumption that technology is the reason for the reduction in hours.

The OCC uses the legal standard for estimating burden hours under the PRA. The term “burden” means time, effort, or financial resources expended by persons to generate, maintain, or provide information to or for a Federal agency, including the resources expended for: (a) Reviewing instructions; (b) acquiring, installing, and utilizing technology and systems; (c) adjusting the existing ways to comply with any previously applicable instructions and requirements; (d) searching data sources; (e) completing and reviewing the collection of information; and (f) transmitting, or otherwise disclosing the information. Collecting MLR data from OCC-supervised institutions is not expected to impose significant additional burden on banks because most institutions already generate or gather substantially similar data in the normal course of business in order to perform internal bank analyses of BSA/ML and OFAC risks. The burden included in the OCC's burden estimate is mainly the additional resources required to report the MLR data in an OCC-specified format.

The OCC has ten years' experience collecting MLR data from a large number of banks. The OCC estimates that the burden hours for midsize and large bank populations will generally be higher than for community banks, Federal thrifts, and Federal branches and agencies. This is primarily because most midsize and large banks offer more products and services, involving a potentially wider range of customer types and geographies, than less complex community banks and Federal branches and agencies.

The OCC recognizes that each bank is unique and will have a different MLR reporting experience. For example, a bank's management information systems, structure, and complexity may impact the bank's MLR reporting, and, therefore, the bank's reporting burden. However, the OCC believes the data requested for MLR purposes is data that institutions will have readily available and that for the vast majority of banks, will not require substantial investment in technology or systems to collect and report. The OCC reduced the estimated burden hours for midsize banks to 25 hours in 2016 from 30 hours in 2013, and for large banks, reduced estimated burden hours to 80 hours in 2016 from 100 hours in 2013, due to implementing a fully automated MLR format. There is no change in the estimated burden for community banks and Federal branches and agencies in 2016 from 2013.

Finally, with regard to the estimate of burden, one commenter stated that failure to make publicly available the MLR risk summary form (RSF) used to collect the data in advance undermines the PRA review process and makes it difficult to comment on the accuracy of the agency's estimate of the burden. The OCC is permitted, but not required, to include the RSF as part of the 60-day Federal Register notice. The form is available, and was available at the time the 60-day Federal Register notice was issued, at http://www.reginfo.gov as an attachment to the OCC's 2013 PRA submission http://www.reginfo.gov/public/do/PRAICList?ref_nbr=201302-1557-009 .

3. Comments on Possible Data Enhancements

The OCC requested comment on ways to enhance the quality, utility, and clarity of the information to be collected. One commenter stated that it was difficult to translate limited MLR data into BSA/ML risks. Another commenter stated that the MLR as currently contemplated is not useful nor is it worth the costs in terms of staff hours, system modification and training. The same commenter stated that the OCC should consider designing a customized, flexible cloud-based architecture within a secure data center. Additionally, this commenter stated that the OCC should establish an analytic team dedicated to importing, extrapolating, and analyzing the data collection from banks, with the platform designed to be flexible and dynamic to account for each individual bank's size, geography, and business. After testing, this commenter stated, consideration should be given to rolling the platform out on a risk-based basis to OCC-regulated banks. One commenter also stated that the OCC should consider making the MLR mandatory only in instances where the bank's own risk assessment is insufficient for the exam scoping process. Two commenters expressed concerns that the September 30 as-of report date was inconsistent with most banks that operate on a calendar-year basis.

The OCC collects the MLR data on bank customers, products, services, and geographies and analyzes the data in a way that identifies the higher-risk type customers, products, services, and geographies, consistent with the FFIEC Manual. The OCC uses the MLR data gathered to assist, across the population of reporting banks, with development of examination strategies, preparation of examination scoping to identify transactions for testing, and meeting the OCC's obligations under applicable statutes and regulations. The OCC regularly reevaluates the infrastructure around the MLR and makes decisions about the most efficient and cost effective infrastructure and processes to utilize for the MLR System. An example of the OCC making changes to the MLR System was the updating of the MLR risk summary form to a fully automated data collection tool beginning in 2014. The OCC analytics team checks for data integrity issues, confirms various validity checks on the data, and analyzes the data used for OCC supervision purposes.

Through the collection of MLR data from community banks for the past ten years, the OCC has determined that this data allows the agency to better identify those institutions, and areas within institutions, that pose heightened risk of money laundering and terrorist financing and to allocate examination resources accordingly. Collecting data in a uniform fashion over the same time period from all OCC-supervised institutions is critical to developing a database that allows effective analytic reporting and benchmarking risks over time.

An approach of making MLR data reporting mandatory only in instances where the bank's own risk assessment was insufficient would add time to the examination process rather than expediting it. First, this approach would likely delay the OCC's mandated supervision schedule by taking away an important source of data for broad-based risk identification analysis and benchmarking that facilitates the OCC's annual examination strategy development and pre-planning activities, which are conducted potentially months in advance of an onsite examination. Second, on an individual bank level, this type of approach would require the OCC to review each bank's risk assessment during the exam scoping process before making a decision as to whether that bank would be required to report the MLR data, potentially extending the timeframe for each exam where the bank's risk assessment was deemed insufficient.

In response to the commenters' concerns that the September 30 reporting period is inconsistent with most banks' operating on a calendar year basis, the OCC notes that this date has not presented significant concerns in the ten years experience during which we have collected MLR data.

4. Comments on Minimizing Burden Through Information Technology

The OCC invited comment on ways to minimize the burden of the collection on respondents, including through the use of automated collection techniques or other forms of information technology. Five commenters stated that the MLR data is duplicative of information already gathered in the normal course of bank supervision. These commenters recommended that the OCC not move forward with the proposal to extend the data collection. One commenter suggested that the OCC obtain aggregate domestic and international wire transfer and ACH transaction data, along with the various geographic locations of the international wires from the Federal Reserve Bank. One bank commenter stated they have concerns about customer privacy due to having the collection of data automated; however, there was no explanation provided. Two commenters expressed a concern for requiring that all banks submit MLR data annually, and one of those commenters stated that the frequency of the MLR data collection should be linked to the bank's ML risk profile. Another commenter stated that MLR data should be collected on an “as needed” basis.

The OCC notes that the MLR data is not duplicative or redundant and is not collected in any other format from OCC-supervised institutions. Wire transaction and ACH data obtained from the Federal Reserve Banks for OCC-supervised institutions is not sufficiently detailed for purposes of assessing BSA/ML/OFAC risk and planning exam strategies. Wire transaction data is limited to domestic wires only and does not include international wires, geographic locations, or whether the wires were sent Payable Upon Proper Identification (PUPI). Similarly, ACH data is limited to domestic ACH data and does not include cross-border ACH or international ACH data or geographies. In addition, not all OCC-supervised institutions may initiate/send or receive international wires or ACH transactions through a Federal Reserve Bank.

The OCC plans to collect the requested data using an XML form or other prescribed form submitted through the OCC BankNet system. The OCC plans to provide a schema (XML or otherwise) to institutions in advance of the required submission and also provide a window for institutions to submit test files and receive feedback. Additionally, the OCC utilizes secure data portals to communicate with and receive data from all OCC-supervised institutions. The OCC does not plan to collect personally identifiable information for MLR purposes, therefore, it is not expected that the collection would create customer privacy concerns.

The annual filing requirement frequency ties in closely with the OCC's statutory examination cycle requirements because banks should periodically perform risk assessments of their customers, products, services, and geographies for BSA/ML and OFAC sanctions risks purposes. Requesting MLR data less frequently than annually would limit its usefulness for the OCC's BSA/AML/OFAC supervision responsibilities and might also negatively impact the bank's own risk assessment process. Collecting MLR data on an “as needed” basis or tying the MLR data collection frequency to a bank's risk profile would not allow for the consistent planning and analysis needed for such data, would lead to inefficiencies, and would diminish the ability of the OCC to assess risks over time and otherwise utilize the data in a meaningful way.

5. Comments on Costs

The OCC invited comment on estimates of capital or start-up costs and costs of operation, maintenance, and purchase of services to provide information. One commenter stated that the initial implementation (costs) would be substantial and the ultimate data collection system requirements could result in annual burden estimates for large banks exceeding the 2013 (100 hours) and 2016 (80 hours) burden estimates. Another commenter stated that the costs of additional software would outweigh the benefits of time saved in a small institution. One commenter stated that the costs to implement would vary greatly depending on infrastructure, current risk assessment process, and resources.

While there may be a slightly higher burden during the first reporting year, the OCC believes that the data requested for MLR purposes should be readily available and will not require substantial investment in technology or systems to collect and report. The OCC does not require the acquisition of additional software to collect and report MLR data. Some institutions, particularly community banks, collect and organize the data on Excel spreadsheets using existing bank reports received on a daily, weekly, or monthly basis, as the reports become available throughout the period covered by the reporting period. However, larger and more complex institutions may find it helpful to develop an internal reporting system to gather data efficiently across their organizations in a timely and consistent manner for MLR reporting purposes. The OCC provides options for submitting the MLR data including a fully automated online risk summary form. Additionally, the MLR risk summary form online system allows bankers to upload an XML file to complete the form. This XML file must comply with formatting style and validation requirements in order to be accepted into the OCC's secure system. If the file is valid, the risk summary form is pre-populated with the data ready to be submitted to the OCC.

Two commenters stated that the OCC should go through the rulemaking process to gain approval to expand the MLR System to midsize and large banks. The PRA provides the public with two opportunities to comment on a proposed information collection similar to the public comment opportunity afforded by the Administrative Procedure Act for rulemaking actions. Consistent with the PRA, the OCC previously sought comment on this information collection for 60 days and now is seeking additional comment for 30 days. However, a notice of proposed rulemaking is unnecessary. Under 12 U.S.C. 161, the Comptroller has the express authority to require banks to provide special reports as to matters within his jurisdiction. BSA/AML supervision is within the jurisdiction of the OCC as the OCC has the delegated authority from the Department of Treasury's Financial Crimes Enforcement Network (FinCEN) to examine national banks for compliance with the BSA. The OCC also has the authority under 12 U.S.C. 481 to make a thorough examination of all the affairs of a national bank. The MLR is an important part of the OCC's BSA/AML examination processes that falls within this broad grant of authority.

The OCC has decided to expand the MLR reporting requirement to the OCC's midsize, large bank and Federal branches and agencies populations. As discussed above, a notice of proposed rulemaking is not necessary. The OCC previously had OMB approval to include midsize and large banks in the annual data collection, but requested OMB renewal of the data collection in 2010 and 2013 only for community banks. The OCC determined in 2010 and 2013 to collect only community bank data for MLR purposes. Pursuant to OMB requirements, the OCC is requesting renewal of the existing community bank MLR data collection with expansion to midsize and large bank (including Federal branches and agencies).

Comments continue to be invited on:

(a) Whether the collection of information is necessary for the proper performance of the functions of the OCC, including whether the information has practical utility;

(b) The accuracy of the OCC's estimate of the burden of the collection of information;

(c) Ways to enhance the quality, utility, and clarity of the information to be collected;

(d) Ways to minimize the burden of the collection on respondents, including through the use of automated collection techniques or other forms of information technology; and

(e) Estimates of capital or start-up costs and costs of operation, maintenance, and purchase of services to provide information.