Bank Secrecy Act
BSA/AML Compliance Program
Objective. Assess the adequacy of the bank’s BSA/AML compliance program. Determine whether the bank has developed, administered, and maintained an effective program for compliance with the BSA and all of its implementing regulations.
1. Review the bank’s board approved35The Federal Reserve, the FDIC, and the OCC each require the U.S. branches, agencies, and representative offices of the foreign banks they supervise operating in the United States to develop written BSA compliance programs that are approved by their respective bank's board of directors and noted in the minutes, or that are approved by delegates acting under the express authority of their respective bank's board of directors to approve the BSA compliance programs. "Express authority" means the head office must be aware of its U.S. AML program requirements and there must be some indication of purposeful delegation. For those U.S. branches, agencies, and representative office of foreign banks that were already in compliance with existing obligations under the BSA (and usual and customary business practices), the BSA compliance program requirement should not impose additional burden. Refer to 71 Fed. Reg. 13936 (March 20, 2006). Refer to expanded overview section, "Foreign Branches and Offices of U.S. Banks," page 164, for further guidance. written BSA/AML compliance program36 The Federal Reserve requires Edge and agreement corporations and U.S. branches, agencies, and other offices of foreign banks supervised by the Federal Reserve to establish and maintain procedures reasonably designed to ensure and monitor compliance with the BSA and related regulations (refer to Regulation K, 12 CFR 211.5(m)(1) and 12 CFR 211.24(j)(1)). In addition, because the BSA does not apply extraterritorially, foreign offices of domestic banks are expected to have policies, procedures, and processes in place to protect against risks of money laundering and terrorist financing (12 CFR 211.24(j)(1) and 12 CFR 326.8). to ensure it contains the following required elements:
- A system of internal controls to ensure ongoing compliance.
- Independent testing of BSA compliance.
- A specifically designated person or persons responsible for managing BSA compliance (BSA compliance officer).
- Training for appropriate personnel.
A bank must have a BSA/AML compliance program commensurate with its respective BSA/AML risk profile. In addition, a CIP must be included as part of the BSA/AML compliance program.
2. Assess whether the board of directors and senior management receive adequate reports on BSA/AML compliance.
Risk Assessment Link to the BSA/AML Compliance Program
3. On the basis of examination procedures completed in the scoping and planning process, including the review of the risk assessment, determine whether the bank has adequately identified the risk within its banking operations (products, services, customers, entities, and geographic locations) and incorporated the risk into the BSA/AML compliance program. Refer to Appendix I ("Risk Assessment Link to the BSA/AML Compliance Program") when performing this analysis.
4. Determine whether the BSA/AML compliance program includes policies, procedures, and processes that:
- Identify higher-risk banking operations (products, services, customers, entities, and geographic locations); provide for periodic updates to the bank’s risk profile; and provide for a BSA/AML compliance program tailored to manage risks.
- Inform the board of directors, or a committee thereof, and senior management, of compliance initiatives, identified compliance deficiencies, SARs filed, and corrective action taken.
- Identify a person or persons responsible for BSA/AML compliance.
- Provide for program continuity despite changes in management or employee composition or structure.
- Meet all regulatory requirements, meet recommendations for BSA/AML compliance, and provide for timely updates to implement changes in regulations.
- Implement risk-based CDD policies, procedures, and processes.
- Identify reportable transactions and accurately file all required reports, including SARs, CTRs, and CTR exemptions. (Banks should consider centralizing the review and report-filing functions within the banking organization.)
- Provide for dual controls and the segregation of duties to the extent possible. For example, employees that complete the reporting forms (such as SARs, CTRs, and CTR exemptions) generally should not also be responsible for the decision to file the reports or grant the exemptions.
- Provide sufficient controls and monitoring systems for the timely detection and reporting of suspicious activity.
- Provide for adequate supervision of employees that handle currency transactions, complete reports, grant exemptions, monitor for suspicious activity, or engage in any other activity covered by the BSA and its implementing regulations.
- Train employees to be aware of their responsibilities under the BSA regulations and internal policy guidelines.
- Incorporate BSA compliance into job descriptions and performance evaluations of appropriate personnel.
5. Determine whether the BSA/AML testing (audit) is independent (e.g., performed by a person (or persons) not involved with the bank’s BSA/AML compliance staff) and whether persons conducting the testing report directly to the board of directors or to a designated board committee comprised primarily or completely of outside directors.
6. Evaluate the qualifications of the person (or persons) performing the independent testing to assess whether the bank can rely upon the findings and conclusions.
7. Validate the auditor’s reports and workpapers to determine whether the bank’s independent testing is comprehensive, accurate, adequate, and timely. The independent test should address the following:
- The overall adequacy and effectiveness of the BSA/AML compliance program, including policies, procedures, and processes. Typically, this evaluation will include an explicit statement about the BSA/AML compliance program's overall adequacy and effectiveness and compliance with applicable regulatory requirements. At the very least, the audit should contain sufficient information for the reviewer (e.g., an examiner, review auditor, or BSA officer) to reach a conclusion about the overall quality of the BSA/AML compliance program.
- BSA/AML risk assessment.
- BSA reporting and recordkeeping requirements.
- CIP implementation.
- The adequacy of CDD policies, procedures, and processes and whether they comply with internal requirements.
- Personnel adherence to the bank’s BSA/AML policies, procedures, and processes.
- Appropriate transaction testing, with particular emphasis on higher-risk operations (products, services, customers, and geographic locations).
- Training, including its comprehensiveness, accuracy of materials, the training schedule, and attendance tracking.
- The integrity and accuracy of MIS used in the BSA/AML compliance program. MIS includes reports used to identify large currency transactions, aggregate daily currency transactions, funds transfer transactions, monetary instrument sales transactions, and analytical and trend reports.
- Tracking of previously identified issues and deficiencies and verification that they have been corrected by management.
- If an automated system is not used to identify or aggregate large transactions, determine whether the audit or independent review includes a sample test check of tellers’ cash proof sheets, tapes, or other documentation to determine whether large currency transactions are accurately identified and reported.
8. Determine whether the audit’s review of suspicious activity monitoring systems includes an evaluation of the system’s ability to identify unusual activity. Ensure through a validation of the auditor’s reports and workpapers that the bank’s independent testing:
- Reviews policies, procedures, and processes for suspicious activity monitoring.
- Evaluates the system’s methodology for establishing and applying expected activity or filtering criteria.
- Evaluates the system’s ability to generate monitoring reports.
- Determines whether the system filtering criteria are reasonable and include, at a minimum, cash, monetary instruments, funds transfers, and other higher-risk products, services, customers, or geographies, as appropriate.
9. Determine whether the audit’s review of suspicious activity reporting systems includes an evaluation of the research and referral of unusual activity. Ensure through a validation of the auditor’s reports and workpapers that the bank’s independent testing includes a review of policies, procedures, and processes for referring unusual activity from all business lines (e.g., legal, private banking, foreign correspondent banking) to the personnel or department responsible for evaluating unusual activity.
10. Review the audit scope, procedures, and workpapers to determine adequacy of the audit based on the following:
- Overall audit coverage and frequency in relation to the risk profile of the bank.
- Board reporting and supervision of, and its responsiveness to, audit findings.
- Adequacy of transaction testing, particularly for higher-risk banking operations and suspicious activity monitoring systems.
- Competency of the auditors or independent reviewers regarding BSA/AML requirements.
BSA Compliance Officer
11. Determine whether the board of directors has designated a person or persons responsible for the overall BSA/AML compliance program. Determine whether the BSA compliance officer has the necessary authority and resources to effectively execute all duties.
12. Assess the competency of the BSA compliance officer and his or her staff, as necessary. Determine whether the BSA compliance area is sufficiently staffed for the bank’s overall risk level (based on products, services, customers, entities, and geographic locations), size, and BSA/AML compliance needs. In addition, ensure that no conflict of interest exists and that staff is given adequate time to execute all duties.
13. Determine whether the following elements are adequately addressed in the training program and materials:
- The importance the board of directors and senior management place on ongoing education, training, and compliance.
- Employee accountability for ensuring BSA compliance.
- Comprehensiveness of training, considering specific risks of individual business lines.
- Training of personnel from all applicable areas of the bank.37 As part of this element, determine whether the bank conducts adequate training for any agents who are responsible for conducting CIP or other BSA-related functions on behalf of the bank.
- Frequency of training.
- Documentation of attendance records and training materials.
- Coverage of bank policies, procedures, processes, and new rules and regulations.
- Coverage of different forms of money laundering and terrorist financing as it relates to identification and examples of suspicious activity.
- Penalties for noncompliance with internal policies and regulatory requirements.
Transaction testing must include, at a minimum, either examination procedures detailed below (independent testing) or transaction testing procedures selected from within the core or expanded sections. While some transaction testing is required, examiners have the discretion to decide what testing to conduct. Examiners should document their decision regarding the extent of transaction testing to conduct and the activities where it is to be performed, as well as the rationale for any changes to the scope of transaction testing that occur during the examination. Examiners should consider the following when determining how to proceed with transaction testing:
- Accounts or customers identified in the review of information obtained from downloads from the BSA-reporting database.
- Higher-risk products and services, customer and entities, and geographic locations for which it appears from the scoping and planning process that the bank may not have appropriate internal controls.
- New products and services, customers and entities, and geographies introduced into the bank's portfolio since the previous BSA/AML examination.
14. Select a judgmental sample that includes transactions other than those tested by the independent auditor and determine whether independent testing:
- Is comprehensive, adequate, and timely.
- Has reviewed the accuracy of MIS used in the BSA/AML compliance program.
- Has reviewed suspicious activity monitoring systems to include the identification of unusual activity.
- Has reviewed whether suspicious activity reporting systems include the research and referral of unusual activity.
After the examiner has completed the review of all four required elements of the bank’s BSA/AML compliance program, the examiner should document a preliminary evaluation of the bank’s program. At this point, the examiner should revisit the initial examination plan, in order to determine whether any strengths or weaknesses identified during the review of the institution’s BSA/AML compliance program warrant adjustments to the initial planned scope. The examiner may complete the core examination procedures, "Office of Foreign Assets Control," page 152. The examiner should document and support any changes to the examination scope, then proceed to the applicable core and, if warranted, expanded examination procedures. If there are no changes to the examination scope, the examiner should proceed to the core examination procedures, "Developing Conclusions and Finalizing the Examination," page 43.