Federal Financial Institutions Examination Council Bank Secrecy Act/Anti-Money Laundering InfoBase

Bank Secrecy Act
Anti-Money Laundering
Examination Manual

Developing Conclusions and Finalizing the Examination - Overview


Objective. Formulate conclusions, communicate findings to management, prepare report comments, develop an appropriate supervisory response, and close the examination.

In the final phase of the BSA/AML examination, the examiner should assemble all findings from the examination procedures completed. From those findings, the examiner should develop and document conclusions about the BSA/AML compliance program’s adequacy, discuss preliminary conclusions with bank management, present these conclusions in a written format for inclusion in the report of examination (ROE), and determine and document what regulatory response, if any, is appropriate.

In some cases, the appropriate regulatory response will include the citation of a regulatory violation. The citation of violations of law and regulation is typically done in the context of supervisory activities. The extent to which violations affect the evaluation of a bank's BSA/AML compliance program is based on the nature, duration, and severity of noncompliance. In some cases, an agency may allow the bank to remedy the violation as part of the supervisory process. In appropriate circumstances, however, an agency may take either informal or formal enforcement actions to address violations of the BSA requirements.38 The Interagency Enforcement Statement (refer to Appendix R) explains the basis for the federal banking agencies' enforcement of specific AML requirements of the BSA.

Systemic or Recurring Violations

Systemic or recurring violations of the BSA and its implementing regulations involve either a substantial deficiency or a repeated failure to effectively and accurately record and report information required under the BSA, if the errors or incompleteness impair the integrity of the record or report, fail to adequately represent the transactions required to be reported, or impact the effectiveness of the bank's suspicious activity monitoring and reporting processes. Systemic violations are the result of ineffective systems or controls to obtain, analyze, and maintain required information, or to report customers, accounts, or transactions, as required under various provisions of the BSA. Recurring violations are repetitive occurrences of the same or similar issues. Unlike isolated or inadvertent issues, systemic or recurring issues demonstrate a pattern or practice of noncompliance with the BSA and its implementing regulations.

When evaluating whether violations represent a pattern or practice, examiners must analyze the pertinent facts and circumstances. Repeated, regular, usual, or institutionalized practices will typically constitute a pattern or practice. The totality of the circumstances must be considered when assessing whether a pattern or practice exists.

Considerations in determining whether a pattern or practice exists include, but are not limited to:

  • Whether the number of violations is high when compared to the bank's total activity. This evaluation usually is determined through a sampling of transactions or records. Based on this process, determinations are made concerning the overall level of noncompliance. However, even if the violations are few in number they could reflect systemic noncompliance, depending on the severity (e.g., significant or egregious).
  • Whether there is evidence of similar violations by the bank in a series of transactions or in different divisions or departments. This is not an exact calculation and examiners should balance the number, significance, and frequency of violations identified throughout the organization. Violations identified within various divisions or departments may or may not indicate a systemic violation. These violations should be evaluated in a broader context to determine if training or other compliance system weaknesses are also present.
  • The relationship of the violations to one another (e.g., whether they all occurred in the same area of the bank, in the same product line, in the same branch or department, or with one employee).
  • The impact the violation or violations have on the bank's suspicious activity monitoring and reporting capabilities.
  • Whether the violations appear to be grounded in a written or unwritten policy or established procedure, or result from a lack of an established procedure.
  • Whether there is a common source or cause of the violations.
  • Whether the violations were the result of an isolated software problem in a BSA/AML reporting software product and whether the bank has taken appropriate steps to address the issue.

Systemic or recurring violations of the BSA could have a significant impact on the adequacy of the bank's BSA/AML compliance program. When systemic instances of noncompliance are identified, the examiner should consider the noncompliance in the context of the overall program (internal controls, training, independent testing, responsible person) and refer to the Interagency Enforcement Statement (refer to Appendix R) to determine whether the bank's BSA/AML compliance program is deficient as a result of the systemic noncompliance. All systemic violations should be brought to the attention of the bank's board of directors and management and documented in the report of examination or supervisory correspondence.

Types of systemic or recurring violations may include, but are not limited to:

  • Failure to establish a due diligence program that includes a risk-based approach, and when necessary, enhanced policies, procedures, and controls concerning foreign correspondent accounts.
  • Failure to maintain a reasonably designed due diligence program for private banking accounts for non-U.S. persons (as defined in 31 CFR 1010.620).
  • Frequent, consistent, or recurring late CTR or SAR filings.
  • A significant number of CTRs or SARs with errors or omissions of data elements.
  • Consistently failing to obtain or verify required customer identification information at account opening.
  • Consistently failing to complete searches on 314(a) information requests.
  • Failure to consistently maintain or retain records required by the BSA.

Also, the Interagency Enforcement Statement provides that "[t]he Agencies will cite a violation of the SAR regulations, and will take appropriate supervisory actions, if the organization's failure to file a SAR (or SARs) evidences a systemic breakdown in its policies, procedures, or processes to identify and research suspicious activity, involves a pattern or practice of noncompliance with the filing requirement, or represents a significant or egregious situation." (Appendix R, "Interagency Enforcement Statement," page R-5.)

Isolated or Technical Violations

Isolated or technical violations are limited instances of noncompliance with the BSA that occur within an otherwise adequate system of policies, procedures, and processes. These violations generally do not prompt serious regulatory concern or reflect negatively on management's supervision or commitment to BSA compliance, unless the isolated violation represents a significant or egregious situation or is accompanied by evidence of bad faith. Multiple isolated violations throughout bank departments or divisions can be indicative of systemic or recurring system weaknesses or violations.

Corrective action for isolated violations is usually undertaken by the bank's management within the normal course of business. All violations, regardless of type or significance, should be brought to the attention of the bank's management and documented appropriately.

Types of isolated or technical violations may include, but are not limited to:

  • Failure to file or late filing of CTRs that is infrequent, not consistent, or nonrecurring.
  • Failure to obtain complete customer identification information for a monetary instrument sales transaction that is isolated and infrequent.
  • Infrequent, not consistent, or nonrecurring incomplete or inaccurate information in SAR data fields.
  • Failure to obtain or verify required customer identification information that is infrequent, not consistent, or nonrecurring.
  • Failure to complete a 314(a) information request that is inadvertent or nonrecurring.

In formulating a written conclusion, the examiner does not need to discuss every procedure performed during the examination. During discussions with management about examination conclusions, examiners should include discussions of both strengths and weaknesses of the bank's BSA/AML compliance. Examiners should document all relevant determinations and conclusions.
