Bank Secrecy Act
BSA/AML Compliance Program Structures
Objective. Assess the structure and management of the banking organization’s BSA/AML compliance program, and, if applicable, the banking organization’s consolidated or partially consolidated approach to BSA/AML compliance. A BSA/AML compliance program may be structured in a variety of ways, and an examiner should perform procedures based on the structure of the organization. Completion of these procedures may require communication with other regulators.
1. Review the structure and management of the BSA/AML compliance program. Communicate with peers at other federal and state banking agencies, as necessary, to confirm their understanding of the organization’s BSA/AML compliance program. This approach promotes consistent supervision and lessens regulatory burden for the banking organization. Determine the extent to which the structure of the BSA/AML compliance program affects the organization being examined, by considering:
- The existence of consolidated or partially consolidated operations or functions responsible for day-to-day BSA/AML operations, including, but not limited to, the centralization of suspicious activity monitoring and reporting, currency transaction reporting, currency exemption review and reporting, or recordkeeping activities.
- The consolidation of operational units, such as financial intelligence units, dedicated to and responsible for monitoring transactions across activities, business lines, or legal entities. (Assess the variety and extent of information that data or transaction sources (e.g., banks, broker/dealers, trust companies, Edge Act and agreement corporations, insurance companies, or foreign branches) are entering into the monitoring and reporting systems).
- The extent to which the banking organization (or a corporate-level unit, such as audit or compliance) performs regular independent testing of BSA/AML activities.
- The sufficiency of audit in jurisdictions with restrictive privacy laws that may limit the dissemination of information.
- Whether and to what extent a corporate-level unit sponsors BSA/AML training.
2. Review testing for BSA/AML compliance throughout the banking organization, as applicable, and identify program deficiencies.
3. Review board minutes to determine the adequacy of MIS and of reports provided to the board of directors. Ensure that the board of directors has received appropriate notification of SARs filed.
4. Review policies, procedures, processes, and risk assessments formulated and implemented by the organization’s board of directors, a board committee thereof, or senior management. As part of this review, assess effectiveness of the organization’s ability to perform the following responsibilities:
- Manage the BSA/AML compliance program and provide adequate oversight.
- Set and communicate corporate standards that reflect the expectations of the organization’s board of directors and provide for clear allocation of BSA/AML compliance responsibilities.
- Promptly identify and effectively measure, monitor, and control key risks throughout the organization.
- Develop an adequate risk assessment and the policies, procedures, and processes to comprehensively manage those risks.
- Develop procedures for evaluation, approval, and oversight of risk limits, new business initiatives, and strategic changes.
- Oversee the compliance of subsidiaries with applicable regulatory requirements (e.g., country and industry requirements).
- Oversee the compliance of subsidiaries with the requirements of the BSA/AML compliance program.
- Identify weaknesses in the BSA/AML compliance program and implement necessary and timely corrective action, at both the organizational and subsidiary levels.
5. To ensure compliance with regulatory requirements, review the organization’s procedures for monitoring and filing SARs. (Footnote 171: Bank holding companies (BHC) or any nonbank subsidiary thereof, or a foreign bank that is subject to the BHC Act or any nonbank subsidiary of such a foreign bank operating in the United States, are required to file SARs (12 CFR 225.4(f)). A BHC's nonbank subsidiaries operating only outside the United States are not required to file SARs. Certain savings and loan holding companies, and their nondepository subsidiaries, are required to file SARs pursuant to Treasury regulations (e.g., insurance companies (31 CFR 1025.320) and broker/dealers (31 CFR 1023.320)). In addition, savings and loan holding companies, if not required, are strongly encouraged to file SARs in appropriate circumstances. On January 20, 2006, the Financial Crimes Enforcement Network, Board of Governors of the Federal Reserve System, Federal Deposit Insurance Corporation, Office of the Comptroller of the Currency, and the Office of Thrift Supervision issued guidance authorizing banking organizations to share SARs with head offices and controlling companies, whether located in the United States or abroad. Refer to the core overview section, "Suspicious Activity Reporting," page 60, for additional information.) For additional guidance, refer to the core overview and examination procedures, "Suspicious Activity Reporting," pages 60 and 76, respectively.
6. Once the examiner has completed the above procedures, the examiner should discuss their findings with the following parties, as appropriate:
- Examiner in charge.
- Person (or persons) responsible for ongoing supervision of the organization and subsidiary banks, as appropriate.
- Corporate management.
7. On the basis of examination procedures completed, form a conclusion about the adequacy of the BSA/AML compliance program structures and management including, if applicable, the effectiveness of the consolidated or partially consolidated approach to compliance.