The Bank Secrecy Act and the corresponding interagency examination manual are two documents that all compliance and business line personnel should review carefully to ensure that banking institutions are properly addressing BSA/AML compliance and risk management issues. With the additional provisions implemented by the USA PATRIOT Act, it has become imperative for banking institutions to monitor their transactions more rigorously and identify and report any unusual or suspicious behavior.
The recent release of the FFIEC Bank Secrecy Act/Anti-Money Laundering Examination Manual in June should further promote compliance in this area.1 The manual does not set forth any new policies, but it is a compilation of existing regulatory requirements, supervisory expectations, and sound practices in the BSA/AML area. It was developed jointly by the Board of Governors of the Federal Reserve System, the Federal Deposit Insurance Corporation, the National Credit Union Administration, the Office of the Comptroller of the Currency, and the Office of Thrift Supervision, in collaboration with the Financial Crimes Enforcement Network.
Banking institutions have instituted various BSA/AML monitoring systems, but they all generally fall into one of two categories: manual transaction monitoring and automated account monitoring. Commonly, banks that are small to mid-size use manual systems, while larger institutions use automated systems. A manual transaction system consists of a review of reports that are provided by the bank’s management information system (MIS) or vendor systems. Examples of some of the reports provided by a manual transaction monitoring system include, but are not limited to, currency activity reports, monetary instrument sales reports, large item reports, and nonsufficient funds (NSF) reports. Management is responsible for reviewing these reports to identify and report suspicious activity and take action, as appropriate. During an examination, examiners will review management’s processes and the adequacy of the reports to ensure that they are commensurate with the bank’s BSA/AML risk profile and appropriately cover its high risk products, services, customers, and geographic locations.
Banks that are large, operate in multiple locations, or have a higher-risk customer base primarily rely on automated account monitoring systems. These systems can capture a wide range of account activities, including, but not limited to, deposits, withdrawals, funds transfers, and automated teller machine (ATM) transactions. Such systems are typically computer-program driven and are either developed in-house or purchased from vendors. Automated systems can be either rule-based systems or intelligent systems. Rule-based systems detect suspicious transactions that are outside of management-established rules. Such systems can consist of a few or many rules and can apply complex or multiple filters as necessary. Intelligent systems are adaptive systems that can change their analysis over time based on many factors, such as activity patterns, recent trends, and changes in the customer base. During an examination at an institution that uses an automated account monitoring system, examiners will also review management’s processes and the adequacy of reporting, paying particular attention to the rules and assumptions underlying the filtering process.
The Technology Solution
Properly implementing an effective monitoring system is crucial to successfully complying with established BSA/AML regulations. Following the establishment of stricter compliance regulations, many institutions’ supervisory agencies have found that monitoring systems are inadequate or inappropriate for the institution’s purposes. So what technological steps can banks take to ensure BSA/AML compliance? The variety of products and emerging technologies does not make that question easy to answer, and the Federal Reserve does not endorse any particular vendor or product. However, when assessing MIS, bank management should first assess the present systems. Management should determine whether the bank’s systems for monitoring and reporting suspicious activities are adequate, given the bank’s size, complexity, location, products, type of customer served, and staff resources. Management should then assess the systems in light of updated regulations.
Any deficiencies may very well be caused by both changes to regulations and outdated technology. Bankers need not look very far for technological solutions. Vendors of monitoring systems are providing ubiquitous access to their products and services. Some of the technological advances that are becoming popular and necessary in today’s compliance atmosphere are more advanced client risk assessments and transaction risk measurements. Ultimately, it is up to bank management to review the many offerings and choose what will best suit the bank’s compliance needs. Implementing a technological fix to a monitoring problem is not enough. Management should also ensure that staff are competent in their understanding and use of the system.
With the many risks associated with noncompliance with BSA/AML regulations, including enforcement actions and damage to an institution’s reputation, it is vital for both bankers and regulators to adjust to the changing landscape of BSA/AML technology.
With all the possibilities for improved compliance that these systems provide, they also come with a larger price tag. The high cost of some automated filtering products makes acquiring them much harder for small to mid-tier banks. This conclusion has increased concerns that criminal activity could filter down to these smaller institutions. However, regardless of institution size, automated monitoring tools are not a panacea. There is no substitute for knowing your customer, and examiners will review all BSA-related processes to ensure that “know-your-customer red flags” will be recognized when they present themselves.
A Final Thought
The theory is that with an improved means of collecting information comes improved compliance. As banks continue to find more effective ways of collecting, processing, and reporting BSA/AML data, it is important for regulators to remain informed about these new monitoring systems. Ultimately, the success of the BSA/AML exam procedures and the promulgating regulations resides in the knowledge and experience of both bankers and examiners, fused with the continuing advancements and proper use of BSA/AML technology.
The guidance and procedures contained in the FFIEC BSA/AML Examination Manual can help banking institutions understand relevant laws and regulations, including:
The manual is available at www.ffiec.gov/bsa_aml_infobase/pages_manual/manual_online.htm
The manual will be revised and updated as necessary as new regulations and guidance are issued, technology advances, and money laundering risks evolve. For more information, please contact your institution’s central point of contact or assigned manager at the Reserve Bank.
The views expressed in this article are those of the author and are not necessarily those of this Reserve Bank or the Federal Reserve System.