Bank Secrecy Act
Objective. Assess the financial institution’s compliance with the statutory and regulatory requirements for the "Special Information Sharing Procedures to Deter Money Laundering and Terrorist Activity" (section 314 Information Requests).
Information Sharing Between Law Enforcement and Financial Institutions (Section 314(a))
1. Verify that the financial institution is currently receiving section 314(a) requests from FinCEN or from an affiliated financial institution that serves as the subject financial institution’s point of contact. If the financial institution is not receiving information requests or contact information changes, the financial institution should update its contact information with its primary regulator in accordance with the instructions at www.fincen.gov.
2. Verify that the financial institution has sufficient policies, procedures, and processes to document compliance; maintain sufficient internal controls; provide ongoing training; and independently test its compliance with 31 CFR 1010.520, which implements section 314(a) of the USA PATRIOT Act. At a minimum, the procedures should accomplish the following:
- Designate a point of contact for receiving information requests.
- Ensure that the confidentiality of requested information is safeguarded.
- Establish a process for responding to FinCEN’s requests.
- Establish a process for determining if and when a SAR should be filed.
3. Determine whether the search policies, procedures, and processes the financial institution uses to respond to section 314(a) requests are comprehensive and cover all records identified in the General Instructions for such requests. The General Instructions include searching accounts maintained by the named subject during the preceding 12 months and transactions conducted within the last six months. Financial institutions have 14 days from the transmission date of the request to respond to a section 314(a) Subject Information Form.
4. If the financial institution uses a third-party vendor to perform or facilitate searches, determine whether an agreement or procedures are in place to ensure confidentiality.
5. Review the financial institution’s internal controls and determine whether its documentation to evidence compliance with section 314(a) requests is adequate. This documentation could include, for example, the following:
- Copies of section 314(a) requests.
- A log that records the tracking numbers and includes a sign-off column.
- Copies of SISS-generated search self-verification documents.
- If appropriate, request documentation from FinCEN regarding the bank's history of accessing the SISS.
- For positive matches, copies of the form returned to FinCEN (e.g., SISS-generated Subject Response Lists) and the supporting documentation should be retained.
Voluntary Information Sharing (Section 314(b))
6. Determine whether the financial institution has decided to share information voluntarily. If so, verify that the financial institution has filed a notification form with FinCEN and provides an effective date for the sharing of information that is within the previous 12 months.
7. Verify that the financial institution has policies, procedures, and processes for sharing information and receiving shared information, as specified under 31 CFR 1010.540 (which implements section 314(b) of the USA PATRIOT Act).
8. Financial institutions that choose to share information voluntarily should have policies, procedures, and processes to document compliance; maintain adequate internal controls; provide ongoing training; and independently test their compliance with 31 CFR 1010.540. At a minimum, the procedures should:
- Designate a point of contact for receiving and providing information.
- Ensure the safeguarding and confidentiality of information received and information requested.
- Establish a process for sending and responding to requests, including ensuring that other parties with whom the financial institution intends to share information (including affiliates) have filed the proper notice.
- Establish procedures for determining whether and when a SAR should be filed.
9. If the financial institution is sharing information with other entities and is not following the procedures outlined in 31 CFR 1010.540(b), notify the examiners reviewing the privacy rules.
10. Through a review of the financial institution’s documentation (including account analysis) on a sample of the information shared and received, evaluate how the financial institution determined whether a SAR was warranted. The financial institution is not required to file SARs solely on the basis of information obtained through the section 314(b) voluntary information sharing process. In fact, information obtained through that process may enable the financial institution to determine that no SAR is required for transactions that initially appeared suspicious. The financial institution should have considered account activity in determining whether a SAR was warranted.
11. On the basis of a risk assessment, prior examination reports, and a review of the financial institution’s audit findings, select a sample of positive matches or recent requests to determine whether the following requirements have been met:
- The financial institution’s policies, procedures, and processes enable it to search all of the records identified in the General Instructions for section 314(a) requests. Such processes may be electronic, manual, or both.
- The financial institution searches appropriate records for each information request received. For positive matches:
  - Verify that a response was provided to FinCEN within the designated time period (31 CFR 1010.520(b)(3)(ii)).
  - Review the financial institution’s documentation (including account analysis) to evaluate how the financial institution determined whether a SAR was warranted. Financial institutions are not required to file SARs solely on the basis of a match with a named subject; instead, account activity should be considered in determining whether a SAR is warranted.
- The financial institution uses information only in the manner and for the purposes allowed and keeps information secure and confidential (31 CFR 1010.520(b)(3)(iv)). (This requirement can be verified through discussions with management.)
12. On the basis of examination procedures completed, including transaction testing, form a conclusion about the ability of policies, procedures, and processes to meet regulatory requirements associated with information sharing.