Tuesday, June 18, 2013
[ – ] Text Size [ + ] | Print Page
Home > Bank Resources > Bank Resources Publications > SRC Insights > 2005 > Fourth Quarter
SRC Insights: Fourth Quarter 2005
An Examiner’s Perspective on Understanding and Implementing BSA/AML Recommendations
Does this story sound familiar? A banking institution is preparing for an upcoming bank examination, which will include a review of its Bank Secrecy Act and Anti-Money Laundering (BSA/AML) compliance program. Management is fairly confident that the program will be deemed adequate because they have reviewed the BSA/AML laws and regulations and implemented a compliance program based on the necessary requirements. However, when the examination is complete and the examiner provides management with an assessment of the program, a list of recommendations for improvement is included.
Often, management wants to incorporate the examiners’ recommendations into their existing program, but they may be unsure of where to begin or how to implement the recommendations, or they simply may not have a clear understanding of the recommendations. Understanding the qualities of an effective BSA/AML compliance program and implementing such a program can be challenging. Certain exam recommendations are common among many banking institutions. This article will highlight some of those areas that commonly receive regulatory scrutiny, discuss why they are important, and elaborate on why implementing these recommendations can make a BSA/AML program more effective and efficient.
Risk Assessments
At a minimum, a BSA/AML compliance program will include the following:
- A system of internal controls to ensure ongoing compliance
- An independent compliance testing program
- A designated individual responsible for coordinating and monitoring day-to-day compliance
- An ongoing training program for appropriate personnel
In addition, several elements can make a banking institution’s BSA/AML program more efficient. One of these elements and a recognized best practice is the development of a BSA/AML risk assessment. Many banking institutions know what risk assessments are and how they work but frequently do not implement one. A risk assessment can serve as a valuable tool for any banking institution that wants to manage its BSA/AML risk effectively. The key is to understand the bank’s risk exposure and develop the necessary policies, procedures, systems, and controls to mitigate the risk.
A risk assessment should identify and measure risk across product and business lines, the customer base, and geographic locations. This will enable management to better target those activities that are considered to be of a higher risk and therefore require enhanced monitoring. The risk assessment is an evolving process and should grow as new products and services are introduced, existing products and services change, or the bank expands through acquisitions and mergers.
A reference tool for developing a risk assessment is the new FFIEC BSA/AML Examination Manual.1 The manual provides guidance on identifying and measuring BSA/AML risk using a risk scale of low, moderate, or high. Keep in mind that certain products, services, and customer relationships pose a higher risk to the banking institution than others do. The level and degree to which the institution understands and accepts that risk should be outlined in the risk assessment.
BSA/AML Audit Program—The Scope Process
The independent testing or audit of a banking institution’s BSA/AML compliance program is one of the minimum requirements of a BSA/AML compliance program. An audit serves as the banking institution’s first line of defense for mitigating risk associated with the program, because, by design, it identifies areas of weakness or areas that may require additional enhancements or stronger internal controls. Each audit should be conducted using a risk-based approach, which will vary depending on the banking institution’s size, complexity, risk profile, and geographic location.
Banking institutions understand the importance of independently testing their BSA/AML program, but some continue to rely on internal audit to set the tone and scope of the BSA/AML audit. There is nothing functionally incorrect with this type of independent testing process if the audit includes a risk-based evaluation of all banking operations, departments, and subsidiaries subject to BSA laws and regulations. Management should have input into the audit scoping process. Giving the independent tester sole responsibility for the scope of the audit may not be effective in ensuring compliance.
A breakdown in the testing process can occur if the scope of the audit is limited and focused only on particular aspects of the BSA program. For example, it is beneficial for a banking institution to assess regulatory compliance of its customer identification program (CIP). For many institutions, this review equates to testing the account opening process where most of the account relationships are formed, which is usually at the branch level. However, other areas of operations, such as trust, lending, or e-banking, are also affected by CIP requirements, and these areas often are not subject to a BSA/AML audit. This exclusion can increase a banking institution’s risk exposure.
At a minimum, an audit should include the following:
- An evaluation of the overall integrity and effectiveness of the banking institution’s BSA/AML compliance program, including policies, procedures, and processes
- A review of the risk assessment, if one is established
- An appropriate level of transaction testing to verify adherence to BSA requirements
- A review of the staff training program
- An assessment of the banking institution’s monitoring and reporting systems
- An evaluation of management’s efforts to resolve deficiencies noted in prior audit reports and regulatory examinations
- A review of any other areas that management considers to be significant
Designation of the BSA Officer and Related Responsibilities
The designation of the BSA officer is one of the most important decisions a banking institution can make for its BSA/AML compliance program. The BSA officer is responsible for the bank’s overall compliance with BSA laws and regulations. Therefore, the individual selected should be dedicated to the compliance process and possess the necessary skills required for the position. Approved by the board of directors, the BSA officer is primarily responsible for coordinating and monitoring day-to-day BSA/AML compliance, managing all aspects of the BSA/AML program, and ensuring the banking institution’s adherence to BSA and other regulatory requirements.
Ideally, the individual selected to perform the BSA duties should be someone who is knowledgeable of BSA laws and regulations; understands the institution’s products and business lines, customers, geographic locations, and the risks associated with these activities; and is completely dedicated to the program. Realistically, however, this does not always occur. For some institutions, a limitation in staffing creates a situation where the individual selected to serve as the BSA officer is also involved in other day-to-day operational duties of the banking institution. For other institutions, the BSA functions are delegated to various employees, and no one individual is specifically designated as the BSA officer. Both situations can be problematic.
Suspicious Activity Reports (SARs): The Narratives
All banking institutions are required to file SARs that are complete, thorough, and timely. The information provided in these reports enables banking institutions to combat terrorism, terrorist financing, money laundering, and other financial crimes by providing valuable information on emerging trends and patterns to the Financial Crimes Enforcement Network (FinCEN) and other law enforcement agencies.
Unfortunately, many banking institutions file SARs that contain limited, incorrect, or disordered information, making any further investigative analysis somewhat difficult to perform. The care a banking institution takes in writing its SAR narratives is crucial in giving law enforcement the necessary information to determine whether the described conduct is criminal in nature. If the SAR narratives are not clear, nothing can be done.
The golden rule for writing a complete SAR narrative is to incorporate the five elements of information gathering: who, what, when, where, and why.2
- Who is conducting the suspicious activity? The SAR narrative should contain information describing the suspect or suspects and, if known, their occupation, position, or title within the business; the nature of the business; and any other related information.
- What was used to facilitate the suspicious activity? The SAR narrative should list the instruments used to conduct the suspicious activity. If the banking institution describes a flow of funds, the SAR narrative should include all related information to track the transactions from the origination point to the final destination.
- When did the suspicious activity take place? The SAR narrative should detail the periods of when the suspicious activity was first noticed and how long the activity lasted. Whenever possible, the individual dates and the amounts of each transaction should be detailed in the form rather than totaled.
- Where did the suspicious activity occur? The SAR narrative should indicate whether the transaction occurred at one location or multiple locations. If the transaction involved a foreign jurisdiction, that information should also be included in the narrative.
- Why is the activity considered suspicious? The SAR narrative should describe why the activity is unusual to the customer. An analysis of what is normal for that particular customer should be compared to similar customers of the banking institution to support the bank’s suspicion of the subject.
Additionally, how the activity was conducted is equally as important and should be indicated on the SAR form. One thing to note is that SAR forms should not be accompanied by any supporting documentation and should not reference the term “see attached” in the narrative section. When a banking institution submits the form to the IRS Detroit Computing Center, the only information entered into the database is the information documented in the narrative section of the SAR. Any supplemental information submitted in conjunction with the SAR form will not be tracked in the system. The documentation used by the banking institution to support the SAR filing should be maintained by the bank for a period of no less than five years and should be readily accessible to law enforcement and regulatory agencies for review.
BSA Policies and Procedures
No BSA/AML program would be complete without the implementation of a formal, documented BSA/AML policy. The policy assists a banking institution in establishing the compliance culture, as set forth by its board of directors. It is a living document that should provide guidance on bank and regulatory requirements and should illustrate the parameters for staff adherence. Processes and related procedures conducted in conjunction with the BSA/AML program also should be documented within the bank’s BSA policy.
Too often, however, banking institutions either neglect to formalize their processes and procedures, or they devise a policy but fail to implement amendments as laws and regulations change. This failure can potentially compromise a banking institution’s ability to comply with BSA laws and regulations, as well as bank-approved practices. It is important that all functions tied to a bank’s BSA/AML program be detailed and documented in the policy. Management should review the policy and have it approved by the board of directors annually or as amendments are made.
Summary
Assessing a banking institution’s BSA/AML compliance program is an integral part of the supervisory process and is of high supervisory concern. Ultimately, banking regulatory agencies strive to ensure that the institutions they supervise understand the importance of an effective BSA/AML compliance program. Therefore, it is in the best interest of any banking institution to proactively implement reasonable and prudent measures to minimize the risk associated with its BSA/AML program. The timely implementation of recommendations together with a forward-thinking approach will establish a program that continues to comply with BSA laws and regulations while adhering to the risk appetite of the banking institution.
- 1 The FFIEC BSA/AML Examination Manual is available online at www.ffiec.gov/bsa_aml_infobase/pages_manual/
manual_online.htm.
- 2 Additional guidance on preparing SAR Naratives can be found in the FFIEC BSA/AML Examination Manual.
The views expressed in this article are those of the author and are not necessarily those of this Reserve Bank or the Federal Reserve System.
In This Issue
SVP Commentary on...Effective Compliance Management and the Bank Secrecy Act
The New Bank Secrecy Act/Anti-Money Laundering Examination Procedures Manual
An Examiner's Perspective on Understanding and Implementing BSA/AML Recommendations
Technology and BSA: Perfect Together
Bank Secrecy Act Regulation.A Coordinated Effort
Complete Issue
(1.23 MB, 12 pages)
Contact Us
Federal Reserve Bank
of Philadelphia
Supervision, Regulation & Credit
Ten Independence Mall
Philadelphia, PA 19106-1574
FEDERAL RESERVE BANK OF PHILADELPHIA . TEN INDEPENDENCE MALL . PHILADELPHIA, PA 19106-1574 . TEL: (215) 574-6000
Research & Data | Education | Consumer Credit & Payments | Bank Resources | Community Development | Newsroom | Careers | Publications
About the Fed | Contact | FAQs | Feeds 
| Site Map | Terms of Use | Privacy Policy | Web Feedback 
| PDF Reader | Home
Copyright 2013. All rights reserved. Links with the orange box icon () go to pages outside of the Federal Reserve Bank of Philadelphia’s website.
