Bank Secrecy Act
BSA/AML Compliance Program Structures
Objective. Assess the structure and management of the banking organization’s BSA/AML compliance program, and, if applicable, the banking organization’s consolidated or partially consolidated approach to BSA/AML compliance. A BSA/AML compliance program may be structured in a variety of ways, and an examiner should perform procedures based on the structure of the organization. Completion of these procedures may require communication with other regulators.
1. Review the structure and management of the BSA/AML compliance program. Communicate with peers at other federal and state banking agencies, as necessary, to confirm their understanding of the organization’s BSA/AML compliance program. This approach promotes consistent supervision and lessens regulatory burden for the banking organization. Determine the extent to which the structure of the BSA/AML compliance program affects the organization being examined, by considering:
- The existence of consolidated or partially consolidated operations or functions responsible for day-to-day BSA/AML operations, including, but not limited to, the centralization of suspicious activity monitoring and reporting, currency transaction reporting, currency exemption review and reporting, or recordkeeping activities.
- The consolidation of operational units, such as financial intelligence units, dedicated to and responsible for monitoring transactions across activities, business lines, or legal entities. (Assess the variety and extent of information that data or transaction sources (e.g., banks, broker/dealers, trust companies, Edge Act and agreement corporations, insurance companies, or foreign branches) are entering into the monitoring and reporting systems).
- The extent to which the banking organization (or a corporate-level unit, such as audit or compliance) performs regular independent testing of BSA/AML activities.
- Whether and to what extent a corporate-level unit sponsors BSA/AML training.
2. Review testing for BSA/AML compliance throughout the banking organization, as applicable, and identify program deficiencies.
3. Review board minutes to determine the adequacy of MIS and of reports provided to the board of directors. Ensure that the board of directors has received appropriate notification of SARs filed.
4. Review policies, procedures, processes, and risk assessments formulated and implemented by the organization’s board of directors, a board committee thereof, or senior management. As part of this review, assess effectiveness of the organization’s ability to perform the following responsibilities:
- Manage the BSA/AML compliance program and provide adequate oversight.
- Set and communicate corporate standards that reflect the expectations of the organization’s board of directors and provide for clear allocation of BSA/AML compliance responsibilities.
- Promptly identify and effectively measure, monitor, and control key risks throughout the organization.
- Develop an adequate risk assessment and the policies, procedures, and processes to comprehensively manage those risks.
- Develop procedures for evaluation, approval, and oversight of risk limits, new business initiatives, and strategic changes.
- Oversee the compliance of subsidiaries with applicable regulatory requirements (e.g., country and industry requirements).
- Oversee the compliance of subsidiaries with the requirements of the BSA/AML compliance program.
- Identify weaknesses in the BSA/AML compliance program and implement necessary and timely corrective action, at both the organizational and subsidiary levels.
5. To ensure compliance with regulatory requirements, review the organization’s procedures for monitoring and filing SARs. For additional guidance, refer to the core overview and examination procedures, "Suspicious Activity Reporting," pages 67 to 80 and 81 to 85, respectively.
6. Once the examiner has completed the above procedures, the examiner should discuss their findings with the following parties, as appropriate:
- Examiner in charge.
- Person (or persons) responsible for ongoing supervision of the organization and subsidiary banks, as appropriate.
- Corporate management.
7. On the basis of examination procedures completed, form a conclusion about the adequacy of the BSA/AML compliance program structures and management including, if applicable, the effectiveness of the consolidated or partially consolidated approach to compliance.