Does this story sound familiar? A banking institution is preparing for an upcoming bank examination, which will include a review of its Bank Secrecy Act and Anti-Money Laundering (BSA/AML) compliance program. Management is fairly confident that the program will be deemed adequate because they have reviewed the BSA/AML laws and regulations and implemented a compliance program based on the necessary requirements. However, when the examination is complete and the examiner provides management with an assessment of the program, a list of recommendations for improvement is included.
Often, management wants to incorporate the examiners’ recommendations into their existing program, but they may be unsure of where to begin or how to implement the recommendations, or they simply may not have a clear understanding of the recommendations. Understanding the qualities of an effective BSA/AML compliance program and implementing such a program can be challenging. Certain exam recommendations are common among many banking institutions. This article will highlight some of those areas that commonly receive regulatory scrutiny, discuss why they are important, and elaborate on why implementing these recommendations can make a BSA/AML program more effective and efficient.
At a minimum, a BSA/AML compliance program will include the following:
In addition, several elements can make a banking institution’s BSA/AML program more efficient. One of these elements and a recognized best practice is the development of a BSA/AML risk assessment. Many banking institutions know what risk assessments are and how they work but frequently do not implement one. A risk assessment can serve as a valuable tool for any banking institution that wants to manage its BSA/AML risk effectively. The key is to understand the bank’s risk exposure and develop the necessary policies, procedures, systems, and controls to mitigate the risk.
A risk assessment should identify and measure risk across product and business lines, the customer base, and geographic locations. This will enable management to better target those activities that are considered to be of a higher risk and therefore require enhanced monitoring. The risk assessment is an evolving process and should grow as new products and services are introduced, existing products and services change, or the bank expands through acquisitions and mergers.
A reference tool for developing a risk assessment is the new FFIEC BSA/AML Examination Manual.1 The manual provides guidance on identifying and measuring BSA/AML risk using a risk scale of low, moderate, or high. Keep in mind that certain products, services, and customer relationships pose a higher risk to the banking institution than others do. The level and degree to which the institution understands and accepts that risk should be outlined in the risk assessment.
BSA/AML Audit Program—The Scope Process
The independent testing or audit of a banking institution’s BSA/AML compliance program is one of the minimum requirements of a BSA/AML compliance program. An audit serves as the banking institution’s first line of defense for mitigating risk associated with the program, because, by design, it identifies areas of weakness or areas that may require additional enhancements or stronger internal controls. Each audit should be conducted using a risk-based approach, which will vary depending on the banking institution’s size, complexity, risk profile, and geographic location.
Banking institutions understand the importance of independently testing their BSA/AML program, but some continue to rely on internal audit to set the tone and scope of the BSA/AML audit. There is nothing functionally incorrect with this type of independent testing process if the audit includes a risk-based evaluation of all banking operations, departments, and subsidiaries subject to BSA laws and regulations. Management should have input into the audit scoping process. Giving the independent tester sole responsibility for the scope of the audit may not be effective in ensuring compliance.
A breakdown in the testing process can occur if the scope of the audit is limited and focused only on particular aspects of the BSA program. For example, it is beneficial for a banking institution to assess regulatory compliance of its customer identification program (CIP). For many institutions, this review equates to testing the account opening process where most of the account relationships are formed, which is usually at the branch level. However, other areas of operations, such as trust, lending, or e-banking, are also affected by CIP requirements, and these areas often are not subject to a BSA/AML audit. This exclusion can increase a banking institution’s risk exposure.
At a minimum, an audit should include the following:
Designation of the BSA Officer and Related Responsibilities
The designation of the BSA officer is one of the most important decisions a banking institution can make for its BSA/AML compliance program. The BSA officer is responsible for the bank’s overall compliance with BSA laws and regulations. Therefore, the individual selected should be dedicated to the compliance process and possess the necessary skills required for the position. Approved by the board of directors, the BSA officer is primarily responsible for coordinating and monitoring day-to-day BSA/AML compliance, managing all aspects of the BSA/AML program, and ensuring the banking institution’s adherence to BSA and other regulatory requirements.
Ideally, the individual selected to perform the BSA duties should be someone who is knowledgeable about BSA laws and regulations; understands the institution’s products and business lines, customers, geographic locations, and the risks associated with these activities; and is completely dedicated to the program. Realistically, however, this does not always occur. For some institutions, a limitation in staffing creates a situation where the individual selected to serve as the BSA officer is also involved in other day-to-day operational duties of the banking institution. For other institutions, the BSA functions are delegated to various employees, and no one individual is specifically designated as the BSA officer. Both situations can be problematic.
Suspicious Activity Reports (SARs): The Narratives
All banking institutions are required to file SARs that are complete, thorough, and timely. The information provided in these reports enables banking institutions to combat terrorism, terrorist financing, money laundering, and other financial crimes by providing valuable information on emerging trends and patterns to the Financial Crimes Enforcement Network (FinCEN) and other law enforcement agencies.
Unfortunately, many banking institutions file SARs that contain limited, incorrect, or disordered information, making any further investigative analysis somewhat difficult to perform. The care a banking institution takes in writing its SAR narratives is crucial in giving law enforcement the necessary information to determine whether the described conduct is criminal in nature. If the SAR narratives are not clear, nothing can be done.
The golden rule for writing a complete SAR narrative is to incorporate the five elements of information gathering: who, what, when, where, and why.2
Additionally, how the activity was conducted is equally important and should be indicated on the SAR form. One thing to note is that SAR forms should not be accompanied by any supporting documentation and should not reference the term “see attached” in the narrative section. When a banking institution submits the form to the IRS Detroit Computing Center, the only information entered into the database is the information documented in the narrative section of the SAR. Any supplemental information submitted in conjunction with the SAR form will not be tracked in the system. The documentation used by the banking institution to support the SAR filing should be maintained by the bank for a period of no less than five years and should be readily accessible to law enforcement and regulatory agencies for review.
BSA Policies and Procedures
No BSA/AML program would be complete without the implementation of a formal, documented BSA/AML policy. The policy assists a banking institution in establishing the compliance culture, as set forth by its board of directors. It is a living document that should provide guidance on bank and regulatory requirements and should illustrate the parameters for staff adherence. Processes and related procedures conducted in conjunction with the BSA/AML program also should be documented within the bank’s BSA policy.
Too often, however, banking institutions either neglect to formalize their processes and procedures, or they devise a policy but fail to implement amendments as laws and regulations change. This failure can potentially compromise a banking institution’s ability to comply with BSA laws and regulations, as well as bank-approved practices. It is important that all functions tied to a bank’s BSA/AML program be detailed and documented in the policy. Management should review the policy and have it approved by the board of directors annually or as amendments are made.
Assessing a banking institution’s BSA/AML compliance program is an integral part of the supervisory process and is of high supervisory concern. Ultimately, banking regulatory agencies strive to ensure that the institutions they supervise understand the importance of an effective BSA/AML compliance program. Therefore, it is in the best interest of any banking institution to proactively implement reasonable and prudent measures to minimize the risk associated with its BSA/AML program. The timely implementation of recommendations together with a forward-thinking approach will establish a program that continues to comply with BSA laws and regulations while adhering to the risk appetite of the banking institution.
The views expressed in this article are those of the author and are not necessarily those of this Reserve Bank or the Federal Reserve System.