Bank Secrecy Act
CORE EXAMINATION OVERVIEW AND PROCEDURES FOR ASSESSING THE BSA/AML COMPLIANCE PROGRAM
Scoping and Planning—Overview
Objective. Identify the bank’s BSA/AML risks, develop the examination scope, and document the plan. This process includes determining examination staffing needs and technical expertise, and selecting examination procedures to be completed.
The BSA/AML examination is intended to assess the effectiveness of the bank’s BSA/AML compliance program and the bank’s compliance with the regulatory requirements pertaining to the BSA, including a review of risk management practices.
Whenever possible, the scoping and planning process should be completed before entering the bank. During this process, it may be helpful to discuss BSA/AML matters with bank management, including the BSA compliance officer, either in person or by telephone. The scoping and planning process generally begins with an analysis of:
- Off-site monitoring information.
- Prior examination reports and workpapers.
- Request letter items completed by bank management. Refer to Appendix H (“Request Letter Items (Core and Expanded)”) for additional information.
- The bank’s BSA/AML risk assessment.
- Information available from the BSA-reporting database, FinCEN Query. FinCEN Query replaced the former BSA-reporting database, the Web Currency Banking and Retrieval System, as the system of records for all BSA reports effective January 1, 2013.
- Independent reviews or audits.
Review of the Bank’s BSA/AML Risk Assessment
The scoping and planning process should be guided by the examiner’s review of the bank’s BSA/AML risk assessment. Information gained from the examiner’s review of the risk assessment will assist the scoping and planning process as well as the evaluation of the adequacy of the BSA/AML compliance program. If the bank has not developed a risk assessment, this fact should be discussed with management. For the purposes of the examination, whenever the bank has not completed a risk assessment, or the risk assessment is inadequate, the examiner must complete a risk assessment. Refer to the core overview section, “BSA/AML Risk Assessment,” pages 22 to 30, for guidance on developing a BSA/AML risk assessment. Evaluating the BSA/AML risk assessment is part of scoping and planning the examination, and the inclusion of a section on risk assessment in the manual does not mean the two processes are separate. Rather, risk assessment has been given its own section to emphasize its importance in the examination process and in the bank’s design of effective risk-based controls.
As part of the scoping and planning process, examiners should obtain and evaluate the supporting documents of the independent testing (audit) of the bank's BSA/AML compliance program. The federal banking agencies' reference to "audit" does not confer an expectation that the required independent testing must be performed by a specifically designated auditor, whether internal or external. However, the person performing the independent testing must not be involved in any part of the bank's BSA/AML compliance program (for example, developing policies and procedures or conducting training). Audit findings should be reported directly to the board of directors or a designated board committee composed primarily or completely of outside directors. The scope and quality of the audit may provide examiners with a sense of particular risks in the bank, how these risks are being managed and controlled, and the status of compliance with the BSA. The independent testing scope and workpapers can assist examiners in understanding the audit coverage and the quality and quantity of transaction testing. This knowledge will assist the examiner in determining the examination scope, identifying areas requiring greater (or lesser) scrutiny, and identifying when expanded examination procedures may be necessary.
At a minimum, examiners should conduct the examination procedures included in the following sections of this manual to ensure that the bank has an adequate BSA/AML compliance program commensurate with its risk profile:
- Scoping and Planning (refer to pages 19 to 21).
- BSA/AML Risk Assessment (refer to page 31).
- BSA/AML Compliance Program (refer to pages 38 to 43).
- Developing Conclusions and Finalizing the Examination (refer to pages 48 to 51).
The “Core Examination Overview and Procedures for Regulatory Requirements and Related Topics” section includes an overview and examination procedures for examining a bank’s policies, procedures, and processes to ensure compliance with OFAC sanctions. As part of the scoping and planning procedures, examiners must review the bank’s OFAC risk assessment and independent testing to determine the extent to which a review of the bank’s OFAC compliance program should be conducted during the examination. Refer to core overview and examination procedures, “Office of Foreign Assets Control,” pages 147 to 159, for further guidance.
The examiner should develop and document an initial examination plan commensurate with the overall BSA/AML risk profile of the bank. This plan may change during the examination as a result of on-site findings, and any changes to the plan should likewise be documented. The examiner should prepare a request letter to the bank. Suggested request letter items are detailed in Appendix H (“Request Letter Items (Core and Expanded)”). On the basis of the risk profile, quality of audit, previous examination findings, and initial examination work, examiners should complete additional core and expanded examination procedures, as appropriate. The examiner must include an evaluation of the BSA/AML compliance program within the supervisory plan or cycle. At larger, more complex banking organizations, examiners may complete various types of examinations throughout the supervisory plan or cycle to assess BSA/AML compliance. These reviews may focus on one or more business lines (e.g., private banking, trade financing, or foreign correspondent banking relationships), based upon the banking organization’s risk assessment and recent audit and examination findings.
Examiners perform transaction testing to evaluate the adequacy of the bank’s compliance with regulatory requirements, determine the effectiveness of its policies, procedures, and processes, and evaluate suspicious activity monitoring systems. Transaction testing is an important factor in forming conclusions about the integrity of the bank’s overall controls and risk management processes. Transaction testing must be performed at each examination and should be risk-based. Transaction testing can be performed either through conducting the transaction testing procedures within the independent testing (audit) section (refer to the core examination procedures, “BSA/AML Compliance Program,” pages 38 to 43, for further guidance) or completing the transaction testing procedures contained elsewhere within the core or expanded sections.
The extent of transaction testing and activities conducted is based on various factors including the examiner’s judgment of risks, controls, and the adequacy of the independent testing. Once on-site, the scope of the transaction testing can be expanded to address any issues or concerns identified during the examination. Examiners should document their decision regarding the extent of transaction testing to conduct, the activities for which it is to be performed, and the rationale for any changes to the scope of transaction testing that occur during the examination.
Information Available From BSA-Reporting Database
FinCEN Query replaced the BSA-reporting database, Web Currency Banking and Retrieval System, as the system of records for all BSA reports. Examination planning should also include an analysis of the Suspicious Activity Reports (SARs), Currency Transaction Reports (CTRs), and CTR exemptions that the bank has filed. SARs, CTRs, and CTR exemptions may be exported or downloaded from, or obtained directly online from, the BSA-reporting database (FinCEN Query). Each federal banking agency has staff authorized to obtain this data from the BSA-reporting database. When requesting searches from the BSA-reporting database, the examiner should contact the appropriate person (or persons) within his or her agency sufficiently in advance of the examination start date in order to obtain the requested information. When a bank has recently purchased or merged with another bank, the examiner should obtain SARs, CTRs, and CTR exemptions data on the acquired bank as well.
Downloaded information can be displayed on an electronic spreadsheet, which contains all of the data included on the original document filed by the bank as well as the BSA Identification Number (BSA-ID) and the date the document was entered into the BSA-reporting database. Downloaded information may be important to the examination, as it will help examiners:
- Identify high-volume currency customers.
- Select accounts for transaction testing.
- Identify the number and characteristics of SARs filed.
- Identify the number and nature of exemptions.