Supporting Statement
Bank Secrecy Act/Money Laundering Risk Assessment
OMB Control No. 1557-0231
A. Justification.
1. Circumstances that make the collection necessary:
The OCC conducts an annual data collection, known as the Money Laundering Risk (MLR) System, from community banks (national banks and federal savings associations) to assist OCC examiners in supervising Bank Secrecy Act (BSA) and sanctions compliance. The MLR system enhances the ability of examiners and bank management to identify and evaluate BSA/money laundering and Office of Foreign Assets Control (OFAC) sanctions risks associated with banks’ products, services, customers, and geographies. At this time, the OCC is requesting to renew the MLR community bank data collection and to expand the data collection to all financial institutions supervised by the OCC, including midsize and large banks (including Federal savings associations and Federal branches and agencies).
The OCC developed the MLR System to gather and analyze uniform information from OCC-supervised banks. The OCC has collected uniform MLR data from community banks since 2005. The MLR information provides OCC examiners with the ability to identify higher-risk products, services, and customers for examination scoping, planning, and transaction testing. The MLR is an important tool for the OCC’s BSA/Anti-Money Laundering (AML)/OFAC supervision activities because it allows the agency to better identify those institutions, and areas within institutions, that pose heightened risk. This information assists the OCC in allocating examination resources, improves examination scopes, augments transaction testing capabilities, and provides for enhanced and effective bank supervision. Some banks use the data as a part of their own risk assessment process.
2. Use of the information:
The OCC uses the information generated through the MLR to evaluate and examine money laundering and terrorist financing risks associated with each bank’s products, services, customers, and geographies. The OCC evaluates this information on a strategic level (i.e., across the population of all supervised banks), at the OCC district level, at the OCC supervisory office level, and on an individual bank basis. As new products and services are introduced, existing products and services change, and banks expand through mergers and acquisitions, banks’ evaluation of money laundering and terrorist financing risks is expected to evolve as well. The MLR risk assessment is an important tool for the OCC’s BSA/AML/OFAC supervision activities because it allows the agency to better identify those institutions, and areas within institutions, that pose heightened risk and to allocate examination resources accordingly. The OCC uses this information on an annual and multiyear basis to evaluate BSA/money laundering and OFAC risks in individual banks.
The OCC also provides MLR bank-specific and anonymized peer group information to each individual reporting bank. Peer group data can be used by banks to determine outliers, inconsistencies, or deviations from standard norms. Banks can also conduct comparison and trend analyses concerning their data and peer data.
3. Consideration of the use of improved information technology:
OCC banks reporting MLR information may use a variety of information technology formats that permit review by OCC examiners. The OCC recently updated the annual Risk Summary Form (RSF) to a fully automated format that makes data entry quick and efficient and provides an electronic record for all parties. Additionally, the MLR RSF online system allows bankers to upload an XML file to complete the RSF. This XML file must comply with formatting style and validation requirements to be accepted into the OCC’s secure system. If the file is valid, the RSF is prepopulated with data ready to be submitted to the OCC.
4. Efforts to identify duplication:
The required information is unique, permits systemic analysis, is not duplicative or redundant, and is not collected in any other format from OCC-supervised institutions. Wire transaction and automated clearing house (ACH) data obtained from the Federal Reserve Banks for OCC-supervised institutions is not sufficiently granular for MLR purposes. Wire transaction data is limited to domestic wires only and does not include international wires, geographic locations, or whether the wires were sent Payable Upon Proper Identification (PUPID). Similarly, ACH data is limited to domestic ACH data and does not include cross-border ACH or international ACH (IAT) data or geographies. In addition, not all OCC-supervised institutions may initiate/send or receive international wires or ACH transactions through a Federal Reserve Bank.
5. If the collection of information impacts small businesses or other small entities, describe any methods used to minimize burden.
We received feedback from community banks, many of which are small entities, that the burden for reporting MLR data is minimal. The community banks expressed that reporting MLR data is not an onerous process. The OCC believes most of the data requested for MLR purposes is readily available and will not require substantial investment in technology or systems to collect and report. The OCC does not require the acquisition of additional software to collect and report MLR data. Some institutions, particularly community banks, collect and organize data on Excel spreadsheets using existing bank reports received on a daily, weekly, or monthly basis, as the reports become available throughout the period covered by the reporting period. The MLR data being provided to the OCC generally derives from the bank’s own BSA risk assessment. Feedback received from banks reporting MLR data indicates that the MLR process has the positive impact of enhancing or confirming the accuracy of the bank’s risk assessment.
6. Consequences to the Federal program if the collection were conducted less frequently:
The annual data collection cycle is closely related to the OCC’s statutory examination cycle requirements. In addition, conducting the MLR less frequently would be harmful to the OCC’s risk-based supervisory approach by making it more difficult to determine which banks pose the greatest BSA/money laundering and sanctions risk and thus making examinations less efficient. It would also impede OCC-supervised banks from being able to address appropriately their unique BSA/money laundering risks.
7. Special circumstances that would cause an information collection to be conducted in a manner inconsistent with 5 CFR part 1320:
The information collection will be conducted in a manner consistent with 5 CFR part 1320.
8. Efforts to consult with persons outside the agency:
60-day Federal Register Notice
The OCC issued a 60-day Federal Register notice on January 4, 2016, soliciting comments concerning combining this existing community bank information collection with expansion to all OCC-supervised institutions.1 The OCC received eight comments: four from OCC-supervised banks, two from industry associations, one from a bank holding company, and one from an individual. Of the five comments received from a bank holding company or a bank, three were from midsize banks, and the remaining two comments were from community banks.
Comments on practical utility of the data collection
The OCC invited comment on whether the collection of information is necessary for the proper performance of the functions of the agency, including whether the information has practical utility. Two commenters stated concern for either the small degree of practical utility or no practical utility obtained by requiring all OCC-supervised banks to report MLR data and linked the cost/benefit value of the cost of gathering and reporting the data to the benefit derived to the bank or to the OCC. An additional commenter stated that they saw no prudential or supervisory benefit to expanding the annual MLR data collection requirement to midsize or large banks when the OCC has access to the information on a dynamic basis. One commenter stated that the OCC must clearly demonstrate that costs and burdens associated with the MLR do not outweigh the benefits. One commenter stated that the collection of MLR data is not necessary because the OCC already has access to the data through its supervisory process, including the current BSA/AML risk assessment expectation.
Six commenters stated that the one-size-fits-all approach or proposed mandatory uniform approach for collecting MLR data from all OCC-supervised banks is inconsistent or at odds with the Federal Financial Institutions Examination Council (FFIEC) BSA/AML Examination Manual (Manual), as the FFIEC Manual provides for a variety of effective methods and formats to be used in completing a risk assessment. Two commenters stated that requiring only OCC-supervised banks to report MLR data would create the equivalent of an “uneven playing field” for national banks and “Federal thrifts and agencies”. One commenter stated that the OCC should explain why collecting rudimentary MLR summary data is needed when there are relatively few BSA enforcement actions and other supervisory actions related to the BSA. One commenter stated that the proposal does not provide analysis of why extending the MLR to all financial institutions would enhance the ability of examiners and bank management to identify and evaluate BSA/ML and sanctions risks. The commenter further stated that the proposal does not explain how BSA/AML/OFAC risk assessment provided through the MLR System enhances the OCC’s understanding of such risks or why this information is necessary for the OCC to address supervisory concerns about those financial institutions.
Collecting MLR data from all supervised banks will yield substantial information that will provide a high degree of utility for the OCC in meeting its supervisory obligations under applicable statutes and regulations.2 The purpose of the MLR System is to support the OCC’s supervisory objectives by allowing for the identification and analysis of BSA/ML and OFAC sanctions risks across the population of all OCC-supervised banks, to assist examiners in carrying out risk-based supervision pursuant to the FFIEC Manual, to meet the OCC’s supervisory obligations under applicable statutes and regulations,3 and to identify institutions, businesses, and product lines with higher risks so that the OCC can appropriately allocate examination resources to those banks, businesses, and product lines. A key principle of BSA/AML risk management is that banks must ensure that their systems and controls are commensurate with the risks being undertaken. The MLR System information provides valuable information concerning risks that need to be reviewed as part of the supervisory process to avoid examination resources being focused on low risk activities, which can result in distorted or inaccurate examination conclusions. The benefit of collecting MLR data is not in any way linked to whether an institution is the subject of a BSA/AML/OFAC enforcement or any other type of supervisory action. MLR data is information about a bank’s products, services, customers, and geographies that is gathered prior to examinations to promote effectiveness and efficiency in OCC examination scoping and transaction testing. The expansion of the MLR System to all OCC-supervised institutions will allow contemporaneous data to be analyzed consistently across the agency and thus will allow the OCC to better identify those institutions, and areas within institutions, that pose heightened BSA/ML and OFAC risk. The data collected through the MLR process is not otherwise collected by the OCC in any similar format.
The MLR is not intended to supplant banks’ full BSA and OFAC risk assessments. The OCC’s evaluation of a bank’s full risk assessment is performed during regular examinations. In addition to the OCC’s uses, the MLR data can be used by banks as the first step in the two-step process of the banks’ BSA and OFAC risk assessments. The first step in any risk assessment process is to gather data, and the MLR data gathered should be substantially similar to information needed to perform those internal bank analyses of BSA and OFAC risks.4
Additionally, the OCC provides the bank’s self-reported MLR data back to the bank, along with anonymized peer data so that the bank can conduct comparison and trend analyses concerning their data and peer data. Peer group data can be used by banks to determine outliers, inconsistencies, or deviations from standard norms.
While the FFIEC5 Manual was developed by the agencies to ensure consistency in the application of BSA/AML requirements and to promote uniformity in the supervision of financial institutions, each agency has the ability to supplement the supervision process with their own tools. The MLR is one such tool the OCC uses in its BSA/AML supervision of banks that permits consistent identification of potentially higher-risk products, services, customers, and geographies. Expansion of the MLR to all OCC-supervised institutions will expand this utility across all OCC business lines and institution sizes.5 The FFIEC Manual sets forth both core and expanded examination procedures with the specific examination procedures to be performed dependent on the BSA/AML risk profile of the bank, the quality and quantity of independent testing, the bank’s history of BSA compliance, and other relevant factors. The MLR data is a key component of the “other relevant factors” used by the OCC for purposes of scoping the core and expanded examination procedures pursuant to the FFIEC Manual. Thus, rather than contradict the consistent and uniform approach that using the FFIEC Manual provides, the MLR System complements the Manual’s procedures for risk assessment and supervision purposes. The submission of MLR data in a consistent format allows the agency to perform effective data risk analytics. Extending the MLR to all OCC-supervised banks, Federal thrifts, and Federal branches and agencies will provide the OCC the same type of bank data to identify and evaluate BSA/ML and OFAC sanctions risks in a consistent manner, regardless of institution size.
Comments on estimate of burden
The OCC requested comment on the accuracy of the agency’s estimate of the information collection burden. One commenter questioned what the OCC included in the estimate of burden hours. Another commenter stated that they agree with the estimate of burden hours for their institution but also stated concern for peer banks, noting that cost estimates vary greatly depending on the size, structure, and reporting format currently utilized and technological resources available to each bank. Six commenters stated that the estimate of burden is too low. Two commenters noted the reduction in the estimate of burden hours from a prior proposal in 2013 regarding midsize and large bank populations, with one commenter making the assumption that technology is the reason for the reduction in hours.6
The OCC uses the legal standard for estimating burden hours under the Paperwork Reduction Act (PRA).7 The term “burden” means time, effort, or financial resources expended by persons to generate, maintain, or provide information to or for a Federal agency, including the resources expended for: (a) reviewing instructions; (b) acquiring, installing, and utilizing technology and systems; (c) adjusting the existing ways to comply with any previously applicable instructions and requirements; (d) searching data sources; (e) completing and reviewing the collection of information; and (f) transmitting, or otherwise disclosing the information. Collecting MLR data from OCC-supervised institutions is not expected to impose significant additional burden on banks because most institutions already generate or gather substantially similar data in the normal course of business in order to perform internal bank analyses of BSA/ML and OFAC risks. The burden included in the OCC’s burden estimate is mainly the additional resources required to report the MLR data in an OCC-specified format.
The OCC has ten years’ experience collecting MLR data from a large number of banks. The OCC estimates that the burden hours for midsize and large bank populations will generally be higher than for community banks, Federal thrifts, and Federal branches and agencies. This is primarily because most midsize and large banks offer more products and services, involving a potentially wider range of customer types and geographies, than less complex community banks and Federal branches and agencies.
The OCC recognizes that each bank is unique and will have a different MLR reporting experience. For example, a bank’s management information systems, structure, and complexity may impact the bank’s MLR reporting, and, therefore, the bank’s reporting burden. However, the OCC believes the data requested for MLR purposes is data that institutions will have readily available and that for the vast majority of banks will not require substantial investment in technology or systems to collect and report. The OCC reduced the estimated burden hours for midsize banks to 25 hours in 2016 from 30 hours in 2013, and for large banks, reduced the estimated burden hours to 80 hours in 2016 from 100 hours in 2013, due to implementing a fully automated MLR format. There is no change from 2013 in the estimated 2016 burden for community banks and Federal branches and agencies.
In addition, expanding the MLR System to large and midsize banks is intended to assist the OCC in targeting examination resources to the higher-risk areas of bank operations, where those resources are most needed. The intended result will be more targeted and streamlined examination processes that are more effective and use less OCC resources. For some banks, especially lower risk banks, this more targeted examination process could result in significant decreases in the extent of expanded examination procedures required.
Finally, with regard to the estimate of burden, one commenter stated that failure to make publicly available the MLR risk summary form (RSF) used to collect the data in advance undermines the PRA review process and makes it difficult to comment on the accuracy of the agency’s estimate of the burden. The OCC is permitted, but not required, to include the RSF as part of the 60-day Federal Register notice. The form is available, and was available at the time the 60-day Federal Register notice was issued, at http://www.reginfo.gov as an attachment to the OCC’s 2013 PRA submission: http://www.reginfo.gov/public/do/PRAICList?ref_nbr=201302-1557-009.
Comments on possible data enhancements
The OCC requested comment on ways to enhance the quality, utility, and clarity of the information to be collected. One commenter stated that it was difficult to translate limited MLR data into BSA/ML risks. Another commenter stated that the MLR as currently contemplated is not useful nor is it worth the costs in terms of staff hours, system modification, and training. The same commenter stated that the OCC should consider designing a customized, flexible cloud-based architecture within a secure data center. Additionally, this commenter stated that the OCC should establish an analytic team dedicated to importing, extrapolating, and analyzing the data collection from banks, with the platform designed to be flexible and dynamic to account for each individual bank’s size, geography, and business. After testing, this commenter stated, consideration should be given to rolling the platform out on a risk-based basis to OCC-regulated banks. One commenter also stated that the OCC should consider making the MLR mandatory only in instances where the bank’s own risk assessment is insufficient for the exam scoping process. Two commenters expressed concerns that the September 30 as-of report date was inconsistent with most banks that operate on a calendar-year basis.
The OCC collects the MLR data on bank customers, products, services, and geographies and analyzes the data in a way that identifies the higher-risk type customers, products, services, and geographies, consistent with the FFIEC Manual. The OCC uses the MLR data gathered to assist, across the population of reporting banks, with development of examination strategies, preparation of examination scoping to identify transactions for testing, and meeting the OCC’s obligations under applicable statutes and regulations.8 The OCC regularly reevaluates the infrastructure around the MLR and makes decisions about the most efficient and cost effective infrastructure and processes to utilize for the MLR System. An example of the OCC making changes to the MLR System was the updating of the MLR risk summary form to a fully automated data collection tool beginning in 2014. The OCC analytics team checks for data integrity issues, confirms various validity checks on the data, and analyzes the data used for OCC supervision purposes.
Through the collection of MLR data from community banks for the past ten years, the OCC has determined that this data allows the agency to better identify those institutions, and areas within institutions, that pose heightened risk of money laundering and terrorist financing and to allocate examination resources accordingly. Collecting data in a uniform fashion for the same time period from all OCC-supervised institutions is critical to developing a database that allows effective analytic reporting and benchmarking risks over time.
An approach of making MLR data reporting mandatory only in instances where the bank’s own risk assessment was insufficient would add time to the examination process rather than expediting it. First, this approach would likely delay the OCC’s mandated supervision schedule by taking away an important source of data for broad-based risk identification analysis and benchmarking that facilitates the OCC’s annual examination strategy development and pre-planning activities, which are conducted potentially months in advance of an onsite examination. Second, on an individual bank level, this type of approach would require the OCC to review each bank’s risk assessment during the exam scoping process before making a decision as to whether that bank would be required to report the MLR data, potentially extending the timeframe for each exam where the bank’s risk assessment was deemed insufficient.
In response to the commenters’ concerns that the September 30 reporting period is inconsistent with most banks’ operating on a calendar year basis, the OCC notes that this date has not presented significant concerns in the ten years’ experience during which the OCC has collected MLR data.
Comments on minimizing burden through information technology
The OCC invited comment on ways to minimize the burden of the collection on respondents, including through the use of automated collection techniques or other forms of information technology. Five commenters stated that the MLR data is duplicative of information already gathered in the normal course of bank supervision. These commenters recommended that the OCC not move forward with the proposal to extend the data collection. One commenter suggested that the OCC obtain aggregate domestic and international wire transfer and ACH transaction data, along with the various geographic locations of the international wires from the Federal Reserve Bank. One bank commenter stated they have concerns about customer privacy due to having the collection of data automated; however, there was no explanation provided. Two commenters expressed a concern for requiring that all banks submit MLR data annually, and one of those commenters stated that the frequency of the MLR data collection should be linked to the bank’s ML risk profile. Another commenter stated that MLR data should be collected on an “as needed” basis.
The OCC notes that the MLR data is not duplicative or redundant and is not collected in any other format from OCC-supervised institutions. Wire transaction and ACH data obtained from the Federal Reserve Banks for OCC-supervised institutions is not sufficiently detailed for purposes of assessing BSA/ML/OFAC risk and planning exam strategies. Wire transaction data is limited to domestic wires only and does not include international wires, geographic locations, or whether the wires were sent Payable Upon Proper Identification (PUPID). Similarly, ACH data is limited to domestic ACH data and does not include cross-border ACH or international ACH data or geographies. In addition, not all OCC-supervised institutions may initiate/send or receive international wires or ACH transactions through a Federal Reserve Bank.
The OCC plans to collect the requested data using an XML form or other prescribed form submitted through the OCC BankNet system. The OCC plans to provide a schema (XML or otherwise) to institutions in advance of the required submission and also provide a window for institutions to submit test files and receive feedback. Additionally, the OCC utilizes secure data portals to communicate with and receive data from all OCC-supervised institutions. The OCC does not plan to collect personally identifiable information for MLR purposes; therefore, it is not expected that the collection would create customer privacy concerns.
The annual filing requirement frequency ties in closely with the OCC’s statutory examination cycle requirements. Requesting MLR data less frequently than annually would limit its usefulness for the OCC’s BSA/AML/OFAC supervision responsibilities and might also negatively impact the bank’s own risk assessment process. Collecting MLR data on an “as needed” basis or tying the MLR data collection frequency to a bank’s risk profile would not allow for the consistent planning and analysis needed for such data, would lead to inefficiencies, and would diminish the ability of the OCC to assess risks over time and otherwise utilize the data in a meaningful way.
Comments on costs
The OCC invited comment on estimates of capital or start-up costs and costs of operation, maintenance, and purchase of services to provide information. One commenter stated that the initial implementation (costs) would be substantial and the ultimate data collection system requirements could result in annual burden estimates for large banks exceeding the 2013 (100 hours) and 2016 (80 hours) burden estimates. Another commenter stated that the costs of additional software would outweigh the benefits of time saved in a small institution. One commenter stated that the costs to implement would vary greatly depending on infrastructure, current risk assessment process, and resources.
While there may be a slightly higher burden during the first reporting year, the OCC believes that the data requested for MLR purposes should be readily available and will not require substantial investment in technology or systems to collect and report. The OCC does not require the acquisition of additional software to collect and report MLR data. Some institutions, particularly community banks, collect and organize the data on Excel spreadsheets using existing bank reports received on a daily, weekly, or monthly basis, as the reports become available throughout the period covered by the reporting period. However, larger and more complex institutions may find it helpful to develop an internal reporting system to gather data efficiently across their organizations in a timely and consistent manner for MLR reporting purposes. The OCC provides options for submitting the MLR data including a fully automated online risk summary form. Additionally, the MLR risk summary form online system allows bankers to upload an XML file to automatically populate the form. This XML file must comply with formatting style and validation requirements in order to be accepted into the OCC’s secure system. If the file is valid, the risk summary form is pre-populated with the data to be submitted to the OCC.
Two commenters stated that the OCC should go through the rulemaking process to gain approval to expand the MLR System to midsize and large banks. The PRA process provided the public with two opportunities to comment on the proposed information collection, similar to the public comment opportunity afforded by the Administrative Procedure Act for rulemaking actions. Consistent with the PRA, the OCC sought comment on this information collection for 60 days and sought additional comment for 30 days. However, a notice of proposed rulemaking is unnecessary. Under 12 U.S.C. 161, the Comptroller has the express authority to require banks to provide special reports as to matters within the Comptroller’s jurisdiction. BSA/AML supervision is within the jurisdiction of the OCC because the OCC has the delegated authority from the Department of Treasury’s Financial Crimes Enforcement Network (FinCEN) to examine national banks for compliance with the BSA. The OCC also has the authority under 12 U.S.C. 481 to make a thorough examination of all the affairs of a national bank. The MLR is an important part of the OCC’s BSA/AML examination processes that falls within this broad grant of authority.
The OCC has decided to expand the MLR reporting requirement to the OCC’s midsize, large bank and Federal branches and agencies populations. As discussed above, a notice of proposed rulemaking is not necessary. The OCC previously had OMB approval to include midsize and large banks in the annual data collection, but requested OMB renewal of the data collection in 2010 and 2013 only for community banks. The OCC determined in 2010 and 2013 to collect only community bank data for MLR purposes. Pursuant to OMB requirements, the OCC is requesting renewal of the existing community bank MLR data collection with expansion to midsize and large bank (including Federal branches and agencies).
30-day Federal Register Notice
The OCC issued a 30-day Federal Register notice on August 8, 2016, soliciting comments concerning combining this existing community bank information collection with expansion to all OCC-supervised institutions.9 The OCC received three comments, one from an individual and two from industry associations.
Comments on practical utility of the data collection
Comments were invited on whether the collection of information is necessary for the proper performance of the functions of the agency, including whether the information has practical utility. One commenter stated that expanding the MLR data collection to include large and midsize banks could undermine the utility of the data currently collected by the OCC from smaller institutions for its own BSA/AML/OFAC supervisory and examination purposes. The OCC does not believe the data from smaller institutions would get lost in the volume of data collected from large and midsize banks, if the OCC gains OMB approval to expand the MLR System to all OCC-supervised institutions. Potential duplication of a single transaction conducted by smaller institutions that are processed through one or more large or midsize institutions, such as, for example, a wire transfer processed by one or more correspondent banks, would not significantly distort any bank’s reported data or aggregate data.
In commenting on the rationale for the MLR, one commenter stated the general consensus of bankers is the MLR is not useful to their own risk assessments. This commenter stated that (i) the design of the form is fundamentally incompatible with the bank’s own risk assessment process and the form is completed only to comply with the OCC requirements, (ii) product and service descriptions used in the MLR are misaligned with specific bank offerings, and (iii) the reporting time does not align with the calendar year used by most banks. Another commenter stated that directing banks of all sizes to use a uniform data collection template to engage in the first step of their internal assessments of potential risks could limit banks’ review of data that could reveal possible threats and potentially enable criminal activity to go undetected. Lastly, the commenter states that the MLR identifies only absolute risk and not real or actual risk confronting a national bank or federal thrift.
The FFIEC Manual provides that the development of the BSA/AML risk assessment generally involves two steps: first, identify the specific risk categories (i.e., products, services, customers, entities, transactions, and geographic locations) unique to the bank; and second, conduct a more detailed analysis of the data identified to better assess the risk within these categories. The MLR System may provide the first of the two steps of any risk assessment: to identify the bank’s products, services, customers, and geographies.10 Regardless of whether the OCC required the bank to complete the MLR RSF, for the bank’s own risk assessment purposes, the bank should be identifying their products, services, customers, and geographies. The product and service descriptions used in the MLR are broad categories consistent with those described in the FFIEC Manual. The OCC collects MLR data on the Federal fiscal year basis from October 1 of one year through September 30 of the following year. Where twelve (12) months’ of data is requested on the MLR, to reduce the data collection burden, a bank may collect the data for one quarter, and multiply that data by four to represent a full twelve (12) months’ data, to meet the MLR fiscal year reporting period from October 1 to September 30. The MLR is not intended to analyze the data collected to identify residual risk.
As noted in both the 60-day11 and 30-day12 notices published in the Federal Register, MLR data is simply data about a bank’s products, services, customers, and geographies that is gathered prior to examinations to promote effectiveness and efficiency in OCC examination scoping and transaction testing. The expansion of the MLR System to all OCC-supervised institutions will allow contemporaneous data to be analyzed consistently across the agency and thus will allow the OCC to better identify those institutions, and areas within institutions, that pose heightened BSA/ML, and OFAC risk.
One commenter commented on the lack of utility in comparing data of large institutions with diverse business lines and large quantities of data amongst “peers”. However, the utility of the MLR data collected is for both individual institutions and for developing a database that allows effective analytic reporting and benchmarking risks over time across all OCC-supervised institutions.
One commenter stated that expansion of the MLR System could result in incongruous BSA/AML/OFAC supervision and examination practices among the various agencies responsible for implementing and enforcing the BSA and its implementing regulations and guidance and OFAC sanctions programs, contrary to the uniform approach established by the banking agencies and Financial Crimes Enforcement Network (FinCEN), and could disadvantage OCC-regulated national banks, as state-chartered banks are not subject to similar requirements by their primary federal regulators.
The OCC seeks approval to collect MLR data from all OCC-supervised institutions, on bank products, services, customers, and geographies and analyze the data in a way that identifies the higher-risk type of products, services, customers, and geographies, consistent with the FFIEC Manual. The scoping of the BSA/AML examination and the use of expanded examination procedures is based upon, among other things, the BSA risks and other relevant factors, including MLR data. Each federal agency uses a variety of tools to implement the FFIEC Manual. The OCC cannot comment on the tools used by the other federal agencies, which may be applicable to state-chartered banks.
Comments on estimate of burden
The OCC requested comment on the accuracy of the agency’s estimate of the burden of the collection of the information. As noted in response to the 60-day notice comments, the OCC believes the data requested for MLR purposes is data that institutions will have readily available and that for the vast majority of banks will not require substantial investment in technology or systems to collect and report. The burden included in the OCC’s burden estimate is mainly the additional resources required to report the MLR data in an OCC-specified format. The OCC believes that with planning, such as collecting MLR-related data as the collection period progresses (rather than collecting all the data at the end of the data collection period), the MLR data collection burden can be minimalized by banks of all sizes.
One commenter stated that the OCC grossly understates the reporting burden. While this commenter acknowledged that institutions generally have the underlying data that would be collected through the MLR System, the acquisition and aggregation of the customer and transactional data would require large and midsize banks to make a number of changes to their data collection systems and operations to implement the MLR System, and in some instances, institutions might have to manually obtain the required data. Additionally, the commenter added that the institutions would likely build an audit function to allow for the reconciliation of differences in data reported from the various business lines of an institution, thereby further increasing the reporting requirement’s burden. As noted in response to the 60-day notice comments, the OCC uses the legal standard for estimating burden hours under the Paperwork Reduction Act (PRA).13
Another commenter believed that the OCC has understated the burden imposed by the data collection requirements and said the extension of the MLR to all OCC-supervised institutions threatens to accelerate de-risking. This commenter states that de-risking is often defined as closing accounts, refusing to do business with certain customers, or eliminating products and services due to the regulatory burden associated with compliance. The data reporting burden described by this commenter on “remittances, money transmittals and correspondent accounts required for the MLR is among the burdensome and time consuming process of the entire exercise.” The commenter provides an example when a bank has only a small number of a particular type of transactions to report, the bank may determine to eliminate offering that type of product or service rather than have the burden of reporting a small number of MLR data for that particular product or service. As noted earlier, MLR data is similar to the data used by banks for their own risk assessments, and is consistent with the structure of the FFIEC Manual concerning the determination of expanded examination procedures for products, services, persons, and entities. In addition, under MLR, a bank has the option to report estimated data on products, services, customers, and locations to reduce the reporting burden. From the beginning of the implementation of the OCC’s MLR System, the OCC has accepted estimated data from reporting banks. Continuing with the 2016 MLR data collection cycle, banks are encouraged to report the most accurate information possible; however, estimated data is acceptable according to the annual “MLR Guide for Bankers,” a written guidance document provided to all OCC banks reporting MLR data providing guidance for collecting and reporting MLR data.
Commenters stated the OCC was not following Executive Order 13610 “Identifying and Reducing Regulatory Burden”, the related Memorandum from the Executive Office of the President dated June 22, 2012, and Executive Order 13563 “Improving Regulation and Regulatory Review”. However, these Executive Orders and related Memorandum are not applicable because this is a non-rulemaking matter. One commenter indicated that the OCC did not take the Paperwork Reduction Act seriously because it did not adequately address the comments on burden submitted in response to the 60-day notice. The OCC fully considered those comments and responded to them in the 30-day notice.
One commenter stated that the MLR RSF should be readily accessible to the public to permit feedback. The 2015 MLR RSF was made publicly available at http://www.reginfo.gov/public/do/PRAICList?ref_nbr=201302-1557-009 when the 30-day PRA notice was published on August 8, 2016.
One commenter stated the MLR form was not designed in consultation with bankers. The OCC solicits optional feedback from each bank reporting MLR data to the OCC annually. Modifications to the RSF and the MLR System such as numbering of the products, services, and customers and having the form print in draft form are examples of suggestions provided by bankers that the OCC has implemented to ease the data collection and reporting burden.
One commenter requested that if the OCC proceeds with expanding the MLR System, a minimum period of 24 months be provided to large and midsize banks to implement the expansion requirement. The OCC is phasing in MLR reporting program for large and midsize banks. There will be a large and midsize bank pilot with select banks participating starting on or about January 2017. Data collection for all OCC-supervised banks, including large and midsize banks, will start during the November 2017 through January 2018 collection cycle. Additionally, the OCC plans to provide a guidance document for large and midsize banks to assist in their data gathering and completion of the MLR RSF.
9. Payment or gift to respondents:
None.
10. Any assurance of confidentiality:
The information will be kept private to the extent permitted by law.
11. Justification for questions of a sensitive nature:
There are no questions of a sensitive nature.
12. Burden estimate:
The OCC estimates the burden of this collection of information as follows:
Community Bank populations (includes Federal branches and agencies):
Estimated Number of Respondents: 1,450.
Estimated
Number of Responses: 1,450.
Frequency of Response:
Annually.
Estimated Annual Burden: 8,700 hours.
Midsize Bank population:
Estimated Number of Respondents: 47.
Estimated Number of Responses: 47.
Frequency of
Response: Annually.
Estimated Annual Burden:
1,175 hours.
Large Bank population:
Estimated Number of Respondents: 38.
Estimated Number of Responses: 38.
Frequency of
Response: Annually.
Estimated Annual Burden:
3,040 hours
Total Estimated Annual Burden: 12,915 hours.
12,915 x $101/hour (combination of management and technical staff) = $1,304,415.
To estimate average hourly wages we reviewed data from May 2015 for wages (by industry and occupation) from the U.S. Bureau of Labor Statistics (BLS) for depository credit intermediation (NAICS 522100). To estimate compensation costs associated with the rule, we use $101 per hour, which is based on the average of the 90th percentile for seven occupations adjusted for inflation (2 percent), plus an additional 30 percent to cover private sector benefits. Thirty percent represents the average private sector costs of employee benefits.
13. Estimate of total annual costs to respondents:
Not applicable.
14. Estimate of annualized costs to the Federal government:
Not applicable.
15. Change in burden:
Former Burden: 10,752 hours.
Current Burden: 12,915 hours.
Difference: +2,163 hours.
The
change in burden was due to the addition of the midsize and large
bank populations and Federal branches and agencies.
16. Information regarding collections whose results are to be published for statistical use:
The OCC has no plans to publish the information for statistical purposes.
17. Reasons for not displaying OMB approval expiration date:
The OCC is not requesting permission to avoid displaying the OMB approval expiration date.
18. Exceptions to the certification statement:
None.
B. Collections of Information Employing Statistical Methods.
Not applicable.
1 81 FR 143 (January 4, 2016).
2 31 U.S.C. 5311, 12 U.S.C. 1818(s)(2), and implementing regulations 12 CFR 21.21, 31; 12 CFR 21.11 and 163.180, 12 CFR Title X, and Office of Foreign Assets Control sanction established under the Trading with the Enemy Act (TWEA); 50 U.S.C. App 1-44; International Emergency Economic Powers Act (IEEPA), 50 U.S.C. 1701; 31 U.S.C. 5311; 12 U.S.C. 1818(s)(2); 12 CFR 21.21; 12 CFR 21.11 and 163.180; and 31 CFR Title X.
3 Ibid.
4 The second step of the risk assessment process entails a more detailed analysis of the data obtained during the identification stage in order to more accurately assess BSA/AML risk. This step involves evaluating data pertaining to the bank’s activities (e.g., number of: domestic and international funds transfers; private banking customers; foreign correspondent accounts payable through accounts; and domestic and international geographic locations of the bank’s business area and customer transactions) in relation to Customer Identification Program (CIP) and customer due diligence (CDD) information. The level and sophistication of analysis may vary by bank. The detailed analysis is important because within any type of product or category of customer there may be accountholders that pose varying levels of risk.
5 The FFIEC is a formal interagency body empowered to prescribe uniform principles, standards, and report forms for the federal examination of financial institutions by the Board of Governors of the Federal Reserve System (FRB), the Federal Deposit Insurance Corporation (FDIC), the National Credit Union Administration (NCUA), the Office of the Comptroller of the Currency (OCC), and the Consumer Financial Protection Bureau (CFPB), and to make recommendations to promote uniformity in the supervision of financial institutions. In 2006, the State Liaison Committee (SLC) was added to the council as a voting member. The SLC includes representatives from the Conference of State Bank Supervisors (CSBS), the American Council of State Savings Supervisors (ACSSS), and the National Association of State Credit Union Supervisors (NASCUS).
5 The OCC cannot address the tools used by the other agencies in their BSA/AML supervision roles.
6 Burden estimates for midsize and large banks were included in the 2013 MLR PRA renewal notice published in the Federal Register on March 8, 2013 (78 FR 15121) even though the OCC has not collected the data from those bank populations up to this point.
7 44 U.S.C. 3502(2).
8 31 U.S.C. 5311, 12 U.S.C. 1818(s)(2), and implementing regulations 12 CFR 21.21, 31; 12 CFR 21.11 and 163.180, 12 CFR Title X, and Office of Foreign Assets Control sanction established under the Trading with the Enemy Act (TWEA); 50 U.S.C. App 1-44; International Emergency Economic Powers Act (IEEPA), 50 U.S.C. 1701; 31 U.S.C. 5311; 12 U.S.C. 1818(s)(2); 12 CFR 21.21; 12 CFR 21.11 and 163.180; and 31 CFR Title X.
9 81 FR 152 (August 8, 2016).
10 Each bank has the option, but is not required, to utilize the MLR System data as part of its own internal risk assessment process.
11 81 FR 143 (January 4, 2016).
12 81 FR 143 (August 8, 2016).
13 44 U.S.C. 3502(2).
| File Type | application/msword |
| File Title | Supporting Statement |
| Author | Tami Newett |
| Last Modified By | mary.gottlieb |
| File Modified | 2016-10-20 |
| File Created | 2016-10-19 |