Bank Secrecy Act
Appendix R: Enforcement Guidance
Interagency Statement on Enforcement of Bank Secrecy Act/Anti-Money Laundering Requirements [Footnote 309: This statement is intended to set forth general policy guidance. It is not intended to compel or preclude an enforcement or other supervisory action as necessary in a specific factual situation.]
This interagency statement, jointly issued by the Board of Governors of the Federal Reserve System, the Federal Deposit Insurance Corporation, the Office of the Comptroller of the Currency, and the National Credit Union Administration [Footnote 310: Collectively the "Agencies" or individually the "Agency."] sets forth the Agencies' policy on the circumstances in which an Agency will issue a cease and desist order to address noncompliance with certain Bank Secrecy Act/Anti-Money Laundering ("BSA/AML") requirements, [Footnote 311: This statement does not address the assessment of civil money penalties for violations of the BSA or its implementing regulations. FinCEN has authority to assess such penalties under the BSA. Likewise, the Agencies also have such authority under their general enforcement statutes. 12 USC 1818(i)(2), 1786(k)(2).] particularly in light of the specific BSA/AML compliance provisions in section 8(s) of the Federal Deposit Insurance Act ("FDIA") and section 206(q) of the Federal Credit Union Act ("FCUA"). [Footnote 312: 12 USC 1818(s); 12 USC 1786(q).]
BSA/AML Compliance Program Requirement.
Under section 8(s) of the FDIA and section 206(q) of the FCUA, each of the Agencies is directed to prescribe regulations requiring each insured depository institution to establish and maintain procedures reasonably designed to assure and monitor the institution's compliance with the requirements of the Bank Secrecy Act ("BSA Compliance Program"). Sections 8(s) and 206(q) also require that each Agency's examinations of an insured depository institution review the BSA Compliance Program and that its reports of examination describe any problem with the BSA Compliance Program. Finally, sections 8(s) and 206(q) state that if an insured depository institution has failed to establish and maintain a BSA Compliance Program or has failed to correct any problem with the BSA Compliance Program previously reported to the institution by the appropriate Agency, the appropriate Agency shall issue a cease and desist order against the institution. As required by sections 8(s) and 206(q), each of the Agencies has issued regulations that require any institution it supervises or insures to establish and maintain a BSA Compliance Program. Each of these regulations imposes substantially the same requirements. [Footnote 313: 12 CFR 21.21 (OCC); 208.63 (Board of Governors); 326.8(c) (FDIC); 748.2 (NCUA). The provisions of section 8(s) are also made applicable to certain banking organizations other than insured depository institutions. 12 USC 1818(b)(3), (b)(4). The OCC's regulations also apply to federal branches and agencies of foreign banks. 12 USC 3102(b); 12 CFR 28.13. The Federal Reserve's regulations also apply to Edge and agreement corporations, and branches, agencies, and other offices of foreign banking organizations. 12 CFR 211.5, 211.24. BSA Compliance Programs that comply with these Agency regulations are also deemed to comply with Treasury regulations issued pursuant to the BSA, which separately requires that financial institutions establish AML programs. Refer to 31 CFR 1020.210; 31 USC 5318(h).]
Specifically, under each Agency's regulations, a BSA Compliance Program must have, at a minimum, the following elements:
- A system of internal controls to assure ongoing compliance with the BSA;
- Independent testing for BSA/AML compliance;
- A designated individual or individuals responsible for coordinating and monitoring BSA/AML compliance; and
- Training for appropriate personnel.
In addition, a BSA Compliance Program must include a CIP with risk-based procedures that enable the institution to form a reasonable belief that it knows the true identity of its customers. [Footnote 314: 12 CFR 21.21(b)(2) (OCC); 12 CFR 208.63(b)(2), 12 CFR 211.5(m)(2), 12 CFR 211.24(j)(2) (Board of Governors); 12 CFR 326.8(b)(2) (FDIC); 12 CFR 748.2(b)(2) (NCUA); 31 CFR 1020.220 (FinCEN).]
Communication of Supervisory Concerns about BSA Compliance Programs.
When an Agency identifies supervisory concerns relating to a banking organization's or credit union's BSA Compliance Program in the course of an examination or otherwise, the Agency may communicate those concerns by various means. The particular method of communication used typically depends on the seriousness of the concerns. These methods include:
- Informal discussions by examiners with an institution's management during the examination process;
- Formal discussions by examiners with the board of directors as part of or following the examination process;
- Supervisory letters and other written communications from examiners or the agency to an institution's management;
- A finding contained in the report of examination or in other formal communications from an Agency to an institution's board of directors indicating deficiencies or weaknesses in the BSA Compliance Program; or
- A finding contained in the report of examination or in other formal communications from the Agency to an institution's board of directors of a violation of the regulatory requirement to implement and maintain a reasonably designed BSA Compliance Program.
As explained below, in order to be a "problem" with the BSA Compliance Program that will result in a cease and desist order under sections 8(s) or 206(q) if not corrected by the institution, deficiencies in the BSA Compliance Program must be identified in a report of examination or other written document as requiring communication to an institution's board of directors or senior management as matters that must be corrected. However, other issues or suggestions for improvement may be communicated through other means.
Enforcement Actions for BSA Compliance Program Failures.
In accordance with sections 8(s)(3) and 206(q)(3), the appropriate Agency will issue a cease and desist order against a banking organization or a credit union for noncompliance with BSA Compliance Program requirements in the following circumstances, based on a careful review of all the relevant facts and circumstances.
Failure to establish and maintain a reasonably designed BSA Compliance Program. The appropriate Agency will issue a cease and desist order based on a violation of the requirement in sections 8(s) and 206(q) to establish and maintain a reasonably designed BSA Program where the institution:
- Fails to have a written BSA Compliance Program, including a CIP, that adequately covers the required program elements (i.e., internal controls, independent testing, designated compliance personnel, and training); or
- Fails to implement a BSA Compliance Program that adequately covers the required Program elements (institution-issued policy statements alone are not sufficient; the program as implemented must be consistent with the banking organization's written policies, procedures, and processes); or
- Has defects in its BSA Compliance Program in one or more program elements that indicate that either the written Compliance Program or its implementation is not effective, for example, where the deficiencies are coupled with other aggravating factors, such as (i) highly suspicious activity creating a significant potential for unreported money laundering or terrorist financing, (ii) patterns of structuring to evade reporting requirements, (iii) significant insider complicity, or (iv) systemic failures to file CTRs, SARs, or other required BSA reports. [Footnote 315: These examples do not in any way limit the ability of an Agency to bring an enforcement action where the failure to have or to implement a BSA Compliance Program is demonstrated by other deficiencies.]
For example, an institution that has procedures to provide BSA/AML training to appropriate personnel, independent testing, and a designated BSA/AML compliance officer, would nonetheless be subject to a cease and desist order if its system of internal controls (such as customer due diligence, procedures for monitoring suspicious activity, or an appropriate risk assessment) fails with respect to a higher risk area or to multiple lines of business that significantly impact the institution's overall BSA compliance. Similarly, a cease and desist order would be warranted if, for example, an institution has deficiencies in the required independent testing element of the Program and those deficiencies are coupled with evidence of highly suspicious activity creating a significant potential for unreported money laundering or terrorist financing in the institution. However, other types of deficiencies in an institution's BSA Compliance Program or in implementation of one or more of the required Program elements will not necessarily result in the issuance of a cease and desist order, unless the deficiencies are so severe as to render the Program ineffective when viewed as a whole. For example, an institution that has deficiencies in its procedures for providing BSA/AML training to appropriate personnel, but has effective controls, independent testing, and a designated BSA/AML compliance officer, may ordinarily be subject to examiner criticism and/or supervisory action other than the issuance of a cease and desist order, unless the training program deficiencies, viewed in light of all relevant circumstances, are so severe as to result in a finding that the organization's Program, taken as a whole, is not effective.
In determining whether an organization has failed to implement a BSA Compliance Program, an Agency will also consider the application of the organization's Program across its business lines and activities. In the case of institutions with multiple lines of business, deficiencies affecting only some lines of business or activities would need to be evaluated to determine if the deficiencies are so severe or significant in scope as to result in a conclusion that the institution has not implemented an effective overall program.
Failure to correct a previously reported problem with the BSA Compliance Program. A history of deficiencies in an institution's BSA Compliance Program in a variety of different areas, or in the same general areas, may result in a cease and desist order on that basis. An Agency will, in accordance with sections 8(s) and 206(q), and based on a careful review of the relevant facts and circumstances, issue a cease and desist order whenever an institution fails to correct a problem with BSA/AML compliance identified during the supervisory process. In order to be considered a "problem" within the meaning of sections 8(s)(3)(B) and 206(q)(3)(B), however, a deficiency reported to the institution ordinarily would involve a serious defect in one or more of the required components of the institution's BSA Compliance Program or implementation thereof that a report of examination or other written supervisory communication identifies as requiring communication to the institution's board of directors or senior management as a matter that must be corrected. For example, failure to take any action in response to an express criticism in an examination report regarding a failure to appoint a qualified compliance officer could be viewed as an uncorrected problem that would result in a cease and desist order.
An Agency will ordinarily not issue a cease and desist order under sections 8(s) or 206(q) for failure to correct a BSA Compliance Program problem unless the deficiencies subsequently found by the Agency are substantially the same as those previously reported to the institution. For example, if an Agency notes in one examination report that an institution's training program was inadequate because it was out of date (for instance if it did not reflect changes in the law), and at the next examination the training program is adequately updated, but flaws are discovered in the internal controls for the BSA/AML Program, the Agency may determine not to issue a cease and desist order under sections 8(s) or 206(q) for failure to correct previously reported problems and will consider the full range of potential supervisory responses. Similarly, if an institution is cited in an examination report described above for failure to designate a qualified BSA compliance officer, and the institution by the next examination has appointed an otherwise qualified person to assume that responsibility, but the examiners recommend additional training for the person, an Agency may determine not to issue a cease and desist order under sections 8(s) or 206(q) based solely on that deficiency. Statements in a written examination report or other supervisory communication identifying less serious issues or suggesting areas for improvement that the examination report does not identify as requiring communication to the board of directors or senior management as matters that must be corrected would not be considered "problems" for purposes of sections 8(s) and 206(q).
The Agencies recognize that certain types of problems with an institution's BSA Compliance Program may not be fully correctable before the next examination, for example, remedial action involving adoption or conversion of computer systems. In these types of situations, a cease and desist order is not required provided the Agency determines that the institution has made acceptable substantial progress toward correcting the problem at the time of the examination immediately following the examination where the problem was first identified and reported to the institution.
Other enforcement actions for BSA Compliance Program deficiencies. As noted above, in addition to the situations described in this Statement where an Agency will issue a cease and desist order for a violation of the BSA Compliance Program regulation or for failure to correct a previously reported Program "problem," an Agency may also issue a cease and desist order or enter into a formal written agreement, or take informal enforcement action against an institution for other types of BSA/AML Program concerns. In these situations, depending upon the particular facts involved, an Agency may pursue enforcement actions based on unsafe and unsound practices or violations of law, including the BSA. The form of the enforcement action in a particular case will depend on the severity of the noncompliance, weaknesses, or deficiencies, the capability and cooperation of the institution's management, and the Agency's confidence that the institution will take appropriate and timely corrective action.
BSA Reporting and Recordkeeping Requirements.
Suspicious activity reporting requirements. Under regulations of the Agencies and the Treasury Department, organizations subject to the Agencies' supervision are required to file a SAR when they detect certain known or suspected criminal violations or suspicious transactions. [Footnote 316: 12 CFR 21.11 and 12 CFR 163.180 (OCC); 12 CFR 208.62, 12 CFR 211.5(k), 12 CFR 211.24(f), 12 CFR 225.4(f) (Board of Governors); 12 CFR 353 (FDIC); 12 CFR 748.1(c) (NCUA); 31 CFR 1020.320 (Treasury).] Suspicious activity reporting forms the cornerstone of the BSA reporting system, and is critical to the United States' ability to utilize financial information to combat money laundering, terrorist financing, and other financial crimes. The regulations require banking organizations and credit unions to file SARs with respect to the following general types of activity:
- Known or suspected criminal violations involving insider activity in any amount;
- Known or suspected criminal violations aggregating $5,000 or more when a suspect can be identified;
- Known or suspected criminal violations aggregating $25,000 or more regardless of potential suspects; or
- Suspicious transactions of $5,000 or more that involve potential money laundering or BSA violations.
The SAR must be filed within 30 days of detecting facts that may constitute a basis for filing a SAR (or within 60 days if there is no subject).
The Agencies will cite a violation of the SAR regulations, and will take appropriate supervisory action, if the organization's failure to file a SAR (or SARs) evidences a systemic breakdown in its policies, procedures, or processes to identify and research suspicious activity, involves a pattern or practice of noncompliance with the filing requirement, or represents a significant or egregious situation.
Other BSA reporting and recordkeeping requirements. Banking organizations and credit unions also are subject to other BSA reporting and recordkeeping requirements set forth in regulations issued by the Treasury Department. [Footnote 317: 31 CFR Chapter X.] These requirements are reviewed in detail in the FFIEC BSA/AML Examination Manual; they include, inter alia, requirements applicable to cash and monetary instrument transactions and funds transfers, Currency Transaction Report ("CTR") filing and exemption rules, and due diligence, certification, and other requirements for foreign correspondent and private banking accounts.
Enforcement actions for nonprogram BSA/AML requirements. In appropriate circumstances, an Agency may take formal or informal enforcement actions to address violations of BSA/AML requirements other than the BSA Compliance Program requirements. These other requirements include, for example, the SAR and CTR regulatory obligations described above.