The Federal Financial Institutions Examination Council (FFIEC), in collaboration with the Financial Crimes Enforcement Network (FinCEN), issued the revised Bank Secrecy Act/Anti-Money Laundering (BSA/AML) Examination Manual on August 24, 2007.[1] The Office of Foreign Assets Control (OFAC) collaborated on the revisions to the section that addresses compliance with sanctions enforced by OFAC. This is the second annual update to the manual since its original release in 2005, and this recent version is primarily in response to feedback from the banking industry and examination staff.
The revised manual supersedes the 2006 version and is intended to provide current and consistent guidance to banking organizations for compliance with the BSA and for safeguarding operations from money laundering and terrorist financing. The manual also further clarifies supervisory expectations and incorporates regulatory pronouncements issued since the manual's 2006 revision. Some of the significant updates involve the areas listed below.
Customer Due Diligence
Sufficient information should be obtained at account opening so the bank understands the customer's normal and expected activity and can differentiate between lower-risk and higher-risk customers. Lower-risk customers should be monitored through regular suspicious activity monitoring and customer due diligence processes, while higher-risk customers are subject to enhanced due diligence.
Suspicious Activity Reporting
The discussion on law enforcement inquiries and requests in this section has been enhanced to include guidance on grand jury subpoenas, maintaining accounts, and supporting documentation.
If a Suspicious Activity Report (SAR) is filed after receipt of a grand jury subpoena, the confidential nature of grand jury proceedings precludes the bank from referring to the receipt or existence of the subpoena in the SAR. Only the facts supporting the suspicious activity finding should be identified by the bank.
When a law enforcement agency asks an institution to keep a certain account open regardless of suspicious or potential criminal activity related to the account, the bank should ask the agency to put the request in writing and state the purpose and duration of the request. However, the ultimate decision to maintain or close the account rests with the bank, in accordance with its own internal guidelines.
Banks are required to provide all SAR supporting documentation when requested by FinCEN or an appropriate law enforcement or supervisory agency even in the absence of legal process (e.g., subpoena). The revised manual contains a list of examples of appropriate law enforcement agencies.
Foreign Correspondent Account Recordkeeping and Due Diligence
The updated section provides newly issued enhanced due diligence requirements for foreign correspondent accounts established or maintained for certain foreign banks.
Office of Foreign Assets Control (OFAC)
This section clarifies the guidance regarding the OFAC screening responsibilities of originating depository financial institutions (ODFI) and receiving depository financial institutions (RDFI) with respect to automated clearing house (ACH) transactions. The ACH section of the manual also incorporates these revisions.
Correspondent Accounts (Foreign)
The revised manual presents additional guidance on specific procedures the bank should undertake to mitigate the risks associated with foreign correspondent accounts.
A new discussion regarding Remote Deposit Capture (RDC) has been added to the electronic banking section. RDC provides a bank customer the convenience of remotely depositing checks into a bank account, but it is a potentially high-risk electronic delivery system. The revised manual presents the risk factors and examples of risk mitigation strategies associated with RDC.
Privately-Owned Automated Teller Machines (ATMs)
Privately-owned ATMs and Independent Sales Organizations (ISOs) are particularly exposed to money laundering and fraud. Due diligence regarding these entities poses various challenges. The revised manual adds a discussion on the particular challenge posed when ISOs sell ATMs to or subcontract with third- and fourth-level companies, referred to as sub-ISOs, and the sponsoring bank is unaware of their existence. The due diligence of the ISO should include, among other risk mitigation processes, obtaining information from the ISO on its sub-ISO arrangements, such as the number and location of the ATMs, transaction and dollar volumes, and source of replenishment currency.
Trade Finance Activities
This enhanced section lists activities considered trade financing, clarifies regulatory expectations, and expands the discussion of risk mitigation and monitoring practices, such as OFAC screening and documentation review. Since trade finance is largely document-based, it is exposed to documentary fraud and a heightened risk of money laundering, terrorist financing, or the circumvention of OFAC sanctions or other restrictions.
Nonbank Financial Institutions
The expanded discussion on providing banking services to money services businesses (MSBs) includes sections on regulatory expectations, MSB risk assessment and risk mitigation, and due diligence expectations for opening and maintaining accounts for MSBs. Banks are not expected to serve as the de facto regulator of MSBs and will not be held responsible for the MSB's BSA/AML program. However, depending on the level of perceived risk and the size and complexity of the MSB, banks may review the MSB's BSA/AML program as part of their enhanced due diligence procedures.
Appendix F: Money Laundering and Terrorist Financing "Red Flags"
The appendix has been expanded with more examples of red flags for ACH transactions, lending activity, trade finance, shell company activity, and other unusual or suspicious customer activity.
Appendix R: Enforcement Guidance
This new appendix sets forth the Interagency Statement on Enforcement of Bank Secrecy Act/Anti-Money Laundering Requirements issued on July 19, 2007. The guidance presents the circumstances in which an agency will issue a cease and desist order and other enforcement actions for BSA compliance program failures and for violations of other BSA requirements. The policy statement was issued to promote consistency among the agencies in enforcing BSA/AML requirements and to promote transparency of the standards to the banking industry.
In the 2007 revision, a detailed index of various subjects has been added at the end of the manual to aid in information search and retrieval.
How are financial institutions affected by these recent revisions?
The 2007 revisions became effective as of September 1, 2007. As with prior versions, the "revised manual does not set new standards; instead, it is a compilation of existing regulatory requirements, supervisory expectations, and sound practices in the BSA/AML area."[2] The following minimum requirements for an effective BSA/AML compliance program have not changed:
In addition, the BSA/AML compliance program should include a Customer Identification Program (CIP).
To promote consistency, the manual includes procedures that will be used by examiners for carrying out BSA/AML and OFAC examinations. A complete copy of the revised manual is posted on FFIEC's website.
The views expressed in this article are those of the author and are not necessarily those of this Reserve Bank or the Federal Reserve System.