Bank Secrecy Act
Scoping and Planning
Objective. Identify the bank’s BSA/AML risks, develop the examination scope, and document the plan. This process includes determining examination staffing needs and technical expertise, and selecting examination procedures to be completed.
To facilitate the examiner’s understanding of the bank’s risk profile and to adequately establish the scope of the BSA/AML examination, the examiner should complete the following steps, in conjunction with the review of the bank’s BSA/AML risk assessment:
1. Review prior examination or inspection reports, related workpapers, and management’s responses to any previously identified BSA issues; identify completed examination procedures; obtain BSA contact information; identify reports and processes the bank uses to detect unusual activity; identify previously noted higher-risk banking operations; review recommendations for the next examination. In addition, contact bank management as appropriate to discuss the following:
- BSA/AML compliance program.
- BSA/AML risk assessment.
- Suspicious activity monitoring and reporting systems.
- Level and extent of automated BSA/AML systems.
For the above topics, refer to the appropriate overview and examination procedures sections in the manual for guidance.
2. Develop list of BSA items to be incorporated into the integrated examination request letter. If the BSA portion of the examination is a stand-alone examination, send the request letter to the bank. Review the request letter documents provided by the bank. Refer to Appendix H (Request Letter Items (Core and Expanded)).
3. Review correspondence between the bank and its primary regulator, if not already completed by the examiner in charge or other dedicated examination personnel. In addition, review correspondence that the bank or the primary regulators have received from, or sent to, outside regulatory and law enforcement agencies relating to BSA/AML compliance. Communications, particularly those received from FinCEN, and the IRS Enterprise Computing Center – Detroit (formerly the Detroit Computing Center) may document matters relevant to the examination, such as the following:
- Filing errors for SARs, CTRs, and CTR exemptions.
- Civil money penalties issued by or in process from FinCEN.
- Law enforcement subpoenas or seizures.
- Notification of mandatory account closures of noncooperative foreign customers holding correspondent accounts as directed by the Secretary of the Treasury or the U.S. Attorney General.
4. Review SARs, CTRs, and CTR exemption information obtained from downloads from the BSA-reporting database. The number of SARs, CTRs, and CTR exemptions filed should be obtained for a defined time period, as determined by the examiner. Consider the following information, and analyze the data for unusual patterns, such as:
- Volume of activity, and whether it is commensurate with the customer’s occupation or type of business.
- Number and dollar volume of transactions involving higher-risk customers.
- Volume of CTRs in relation to the volume of exemptions (i.e., whether additional exemptions resulted in significant decreases in CTR filings).
- Volume of SARs and CTRs in relation to the bank’s size, asset or deposit growth, and geographic location.
The federal banking agencies do not have targeted volumes or “quotas” for SAR and CTR filings for a given bank size or geographic location. Examiners should not criticize a bank solely because the number of SARs or CTRs filed is lower than SARs or CTRs filed by “peer” banks. However, as part of the examination, examiners must review significant changes in the volume or nature of SARs and CTRs filed and assess potential reasons for these changes.
5. Review internal and external audit reports and workpapers for BSA/AML compliance, as necessary, to determine the comprehensiveness and quality of audits, findings, and management responses and corrective action. A review of the independent audit’s scope, procedures, and qualifications will provide valuable information on the adequacy of the BSA/AML compliance program.
6. While OFAC regulations are not part of the BSA, evaluation of OFAC compliance is frequently included in BSA/AML examinations. It is not the federal banking agencies’ primary role to identify OFAC violations, but rather to evaluate the sufficiency of a bank’s implementation of policies, procedures, and processes to ensure compliance with OFAC laws and regulations. To facilitate the examiner’s understanding of the bank’s risk profile and to adequately establish the scope of the OFAC examination, the examiner should complete the following steps:
- Review the bank’s OFAC risk assessment. The risk assessment, which may be incorporated into the bank’s overall BSA/AML risk assessment, should consider the various types of products, services, customers, entities, transactions, and geographic locations in which the bank is engaged, including those that are processed by, through, or to the bank to identify potential OFAC exposure.
- Review the bank’s independent testing of its OFAC compliance program.
- Review correspondence received from OFAC and, as needed, the civil penalties area on OFAC’s Web site to determine whether the bank had any warning letters, fines, or penalties imposed by OFAC since the most recent examination.
- Review correspondence between the bank and OFAC (e.g., periodic reporting of prohibited transactions and, if applicable, annual OFAC reports on blocked property).
In addition to the above, at larger, more complex banking organizations, examiners may complete various types of examinations throughout the supervisory plan or cycle to assess OFAC compliance. These reviews may focus on one or more business lines.
7. On the basis of the above examination procedures, in conjunction with the review of the bank’s BSA/AML risk assessment, develop an initial examination plan. The examiner should adequately document the plan, as well as any changes to the plan that occur during the examination. The scoping and planning process should ensure that the examiner is aware of the bank’s BSA/AML compliance program, OFAC compliance program, compliance history, and risk profile (i.e., products, services, customers, entities, transactions, and geographic locations).
As necessary, additional core and expanded examination procedures may be completed. While the examination plan may change at any time as a result of on-site findings, the initial risk assessment will enable the examiner to establish a reasonable scope for the BSA/AML review. In order for the examination process to be successful, examiners must maintain open communication with the bank’s management and discuss relevant concerns as they arise.