Checklist best practices

The Bank Secrecy Act requires financial institutions to establish an anti-money laundering (AML) compliance program to prevent and detect financial crime. Failure to institute an effective program can subject an institution to significant regulatory oversight and penalties. AML compliance missteps have caught numerous banks in the United States and abroad flat-footed with inadequate compliance programs, resulting in massive fines and government scrutiny that distracts from core business missions.

Given the importance of AML compliance, financial institutions are increasingly turning to outside experts and consultants to assess the sufficiency of their AML programs. These ad hoc "assisted self-assessments"—often called "gap analyses"—are typically commissioned by chief compliance officers, senior management, or boards of directors, either proactively or as a result of unfavorable internal audit or exam findings, which can give rise to a fear of future enforcement actions. Voluntary self-assessments are important to a sustainable and vigorous AML program, but, if they are not implemented properly, they can open financial institutions up to serious risk. Lawyers advising financial institutions and their directors should therefore think carefully about when to commence these reviews and how to manage them.

The primary risk in any AML gap analysis is straightforward: the analysis identifies a previously unknown problem with an organization's AML compliance program, but company officials fail to fix it. This can occur when, for example, a compliance manager either fails to perceive the significance of a reported deficiency or fails to garner the resources or management support necessary for effective remediation. Needless to say, a financial institution that runs a gap analysis, finds an error, but fails to fix it is at far greater risk of exposure—and potentially perceived culpability—than a financial institution with a similar error that never ran any gap analysis at all.

A secondary risk is that an assessment identifies AML gaps that senior management disagrees are true deficiencies. In practice this happens with some understandable frequency: although they sound technical, AML compliance programs (and assessments of their quality) are driven by human judgment. Even programs and assessments run by sophisticated algorithms or other seemingly objective mechanisms rely on human judgment in their creation and implementation. Whether an identified deficiency constitutes a true problem is often in the eye of the beholder. And some gap analysis experts may not clearly differentiate between recommendations and true errors, which means that management might perceive an expert's recommendations as "nice to have" but not "must have"—particularly given resource constraints, technological capabilities, and evolving industry standards. Unfortunately, regulators may take a different view, particularly when they have previously criticized an institution's AML program.

Importantly, both of these risks are predicated on the notion that regulators may one day be able to access gap analyses and evaluate—for better or worse—a financial institution's response to any assessments. Indeed, AML program assessments are usually written, either in full report or summary form. And as such, regulators and prosecutors regularly ask financial institutions to produce gap analysis reports and subsequently use those reports—and inadequate responses to identified deficiencies—as the basis for bringing enforcement actions. Merely labeling a report "draft" or "preliminary" may not shield it from a regulatory or prosecutorial production request.

Last year's Department of Justice prosecution of Rabobank, N.A., is a textbook example of the risks attendant to commissioning (and not disclosing) gap analysis reports. According to the government, Rabobank had concealed from regulators a report written by an AML consulting firm detailing AML deficiencies at the bank. The bank had contracted with the consultant to provide an independent, written assessment of the bank's compliance program, and the consultant emailed several preliminary versions of the report to the bank. Examiners from the Office of the Comptroller of the Currency (OCC) learned of the assessment from a Rabobank whistleblower and repeatedly asked bank executives for a copy, including any "preliminary or partial" assessments, but the bank failed to provide the report. That failure, along with other alleged concealments by bank executives, resulted in Rabobank pleading guilty to criminally conspiring to defraud the OCC and to obstruct the regulator's AML examination of the bank. Rabobank ultimately had to forfeit over $368 million. Press Release, U.S. Dept. of Justice, Rabobank, N.A. Pleads Guilty, Agrees to Pay Over $360 Million (Feb. 7, 2018). The bank wasn't alone in receiving punishment: the OCC imposed a $50,000 fine on the bank's chief compliance officer personally and banned her from employment in the industry. In the Matter of Laura Akahoshi, former Chief Compliance Officer, Notice of Charges for Order of Prohibition and Assessment of a Civil Money Penalty (OCC, April 16, 2018).

The Rabobank prosecution should not discourage institutions from seeking AML program assessments by outside experts. Nor should it discourage institutions from getting drafts from consultants, which can help avoid erroneous findings and prevent a consultant from misunderstanding an institution's processes, systems, or procedures. These assessments will continue to be common in the industry, driven in part by compliance officers and senior managers seeking independent validation of their programs and protection from any attempt by the government to hold individuals personally liable for AML deficiencies.

But the Rabobank case should make financial institutions pause and carefully consider which consultants they will hire and how to implement a gap analysis. Financial institutions should always expect that a gap-assessment report and the company's responses to that report will one day be reviewed by regulators. It is therefore extremely important for management to document the company's reactions to a gap analysis report and the reasons the institution declines to implement any expert recommendations. And any consultant who promises to shield her report from a regulator is promising something she cannot deliver—even oral assessments can be subject to a regulatory document request compelling production of "any and all assessments."

Just as a company's reaction to a gap analysis is essential, so, too, is a company's approach to commissioning and running gap analyses in the first place. The following six best-practice recommendations for AML assessments will help compliance officers, senior management, and boards of directors set up their financial institutions for AML success and ensure that their institutions fulfill their Bank Secrecy Act obligations to help the government combat financial crime.

(1) Implement a policy or framework. Financial institutions should establish a clear policy or framework governing when AML compliance assessments are authorized and how they are conducted. These assessments should not be initiated and effectuated ad hoc, particularly because the desire to conduct an assessment may be motivated by a high-pressure situation in which company officials are concerned about potential deficiencies and legal or regulatory violations that may have occurred. Compliance assessments are similar to internal corporate investigations, including that they are often triggered by fears that the company could be exposed to significant criminal or regulatory liability. Having a clear plan established in advance ensures an orderly, thoughtful AML gap analysis procedure and can limit the risks attendant to rapid-fire and purely reactive investigatory processes.

(2) Find the right outside AML consultant. Financial institutions should do adequate due diligence on an outside AML consultant, given the serious implications of a flawed assessment. A financial institution should require background information on the people who will direct the review and should look for references from other financial institutions and/or legal counsel. Red flags include issues with timeliness and cost overruns, which are indicative of potentially sloppy performance. A financial institution should demand that a consultant assign its A-team, as the resources of many experts can be stretched thin. And, equally important, a financial institution should consider excluding consultants who worked previously on these issues for the institution, as those consultants may not be perceived as independent.

(3) Determine whether the assessment should be conducted at the direction of counsel. When a company is facing potential regulatory enforcement actions or an ongoing criminal law enforcement investigation, a financial institution should strongly consider pursuing an assessment only under the direction of legal counsel. Although the results of a counsel-directed assessment are not guaranteed to be immune from disclosure, where legal counsel directs the review, the assertion of attorney-client privilege is at its most defensible. And where experienced outside counsel has already been retained for related matters, that counsel should unquestionably oversee the work of outside AML experts, because the investigation fits more comfortably within the umbrella of legal advice, rather than business or compliance decisions, which may not be protected by attorney-client privilege. As the Rabobank prosecution demonstrated, a program-wide assessment can lead to serious risks and liability for a company, rendering it most protective of a company's interests to have broad-ranged investigations run by counsel and protected by attorney-client privilege.

(4) Define the objective and scope of the assessment. Scopes of gap analyses can vary widely. Some circumstances may require a broad "soup-to-nuts" program review, whereas others may require a more incremental approach, focusing on specific compliance functions flagged in a recent audit or regulatory or law enforcement finding. To that end, before a gap analysis commences, management should clearly define the scope of the assessment and its objectives. Broad findings from an AML consultant carry serious risks with little attendant upside: The simple conclusion from an outside expert that a financial institution has an "effective" AML compliance program will carry almost no weight with regulators and prosecutors—but an alternative conclusion can be dispositive. The goals and scope of a gap analysis should be made clear at the outset.

(5) Provide a clear statement of work. A financial institution should be clear and forthright not only as to the direction of the investigation (see above) but also regarding the required work product. Given the risks that any report—whether in final or draft form—could find its way into the hands of a regulator, a financial institution should not leave to a consultant the decision of how fulsome final work product will be. If a financial institution wants only topline conclusions, it should have that choice. If a financial institution is prepared to receive, react to, and ultimately to produce to the government a more fulsome report, it should have that choice as well. The statement of work should include both a timeframe for deliverables—including, if desired, timeline for the financial institution to review drafts without compromising the independence of the experts—and should specify clearly which company employees should have access to any written work product. But in any event, a statement of work should set expectations and ensure that the client—not the consultant—retains ultimate authority on end product. And, needless to say, if counsel is directing the assessment, any statement of work should be executed by counsel, in consultation with the financial institution client.

(6) Implement and own action plans post-assessment. Recommendations can typically span multiple business units, including compliance, technology, operations, risk, audit, and lines of business. Once the financial institution decides to undertake an assessment, it should designate one particular unit and specific company employees as the owner of the post-assessment implementation plans. This person or group must not only "own" implementation within their normal area of responsibility but also must have the authority to ensure that other units implement relevant recommendations. Each action plan should have a project manager with defined work streams and a Red, Amber, Green ("RAG") rating system for those work streams, which helps the project owners monitor implementation and alert others when a work stream is not on track and may need additional resources or attention. The owner of a project plan should always be cognizant that employees who self-identify the need for help are the exception, not the norm; managers in other areas, and particularly those less familiar with AML compliance, may fail to recognize that they have fallen short of the consultants' recommended changes. Simply put, work streams that fail to complete their deliverables are low-hanging fruit for regulatory scrutiny and criticism, and an effective action plan can ensure that no such fruit waits to be plucked.

AML consultants are valuable resources in the ever-changing legal, regulatory, and technological AML universe, but financial institutions should enter into any relationship with a consultant with clear-eyed expectations and sober risk assessments. Competent legal counsel can assist and mitigate risks for financial institutions seeking in good faith to comply with their federal obligations to monitor for financial crimes. And the best practices identified here can help protect companies and ensure that their compliance units facilitate, rather than consume, healthy business.

Matthew L. Biben is a litigation partner in the New York office of Gibson, Dunn and Crutcher and is co-chair of the firm's financial institutions group. Lee R. Crain, an associate at the firm, assisted in the preparation of this article.