Bank Secrecy Act
EXPANDED EXAMINATION OVERVIEW AND PROCEDURES FOR CONSOLIDATED AND OTHER TYPES OF BSA/AML COMPLIANCE PROGRAM STRUCTURES
BSA/AML Compliance Program
Objective. Assess the structure and management of the organization’s BSA/AML compliance program and, if applicable, the organization’s consolidated or partially consolidated approach to BSA/AML compliance.
Every bank must have a comprehensive BSA/AML compliance program that addresses BSA requirements applicable to all operations of the organization.[166] Banking organizations have discretion as to how the BSA/AML compliance program is structured and managed. A banking organization may structure and manage the BSA/AML compliance program or some parts of the program within a legal entity; with some degree of consolidation across entities within an organization; or as part of a comprehensive enterprise risk management framework.
[166] Neither FinCEN nor banking agency rules impose a specific BSA/AML compliance program obligation on Bank Holding Companies, Unitary Savings and Loan Holding Companies, and parents of Industrial Loan Companies. Nevertheless, these entities, as a result of their primary business function (e.g., insurance company or broker-dealer), may be subject to a BSA/AML compliance program obligation under Treasury rules or rules of other agencies.
Many large, complex banking organizations aggregate risk of all types (e.g., compliance, operational, credit, interest rate risk, etc.) on a firm-wide basis in order to maximize efficiencies and better identify, monitor, and control all types of risks within or across affiliates, subsidiaries, lines of business, or jurisdictions.[167] In such organizations, management of BSA risk is generally the responsibility of a corporate compliance function that supports and oversees the BSA/AML compliance program.
[167] For further detail, refer to Compliance Risk Management Programs and Oversight at Large Banking Organizations with Complex Compliance Profiles, Federal Reserve Board SR Letter 08-8, October 16, 2008 (FRB Guidance). The FRB Guidance generally addresses overall compliance functions within large, complex firms, and endorses for all firms the principles set forth in the Basel Committee on Banking Supervision's guidance, Compliance and the compliance function in banks (April 2005).
Other banking organizations may adopt a structure that is less centralized but still consolidates some or all aspects of BSA/AML compliance. For example, risk assessment, internal controls (e.g., suspicious activity monitoring), independent testing, or training may be managed centrally. Such centralization can effectively maximize efficiencies and enhance assessment of risks and implementation of controls across business lines, legal entities, and jurisdictions of operation. For instance, a centralized BSA/AML risk assessment function may enable a banking organization to determine its overall risk exposure to a customer doing business with the organization in multiple business lines or jurisdictions.[168] Regardless of how a consolidated BSA/AML compliance program is organized, it should reflect the organization’s business structure, size, and complexity, and be designed to effectively address risks, exposures, and applicable legal requirements across the organization.
[168] For additional guidance, refer to the expanded overview section, "Foreign Branches and Offices of U.S. Banks," page 164, and the Basel Committee on Banking Supervision's guidance Consolidated Know Your Customer (KYC) Risk Management.
A consolidated approach should also include the establishment of corporate standards for BSA/AML compliance that reflect the expectations of the organization’s board of directors, with senior management working to ensure that the BSA/AML compliance program implements these corporate standards. Individual lines of business policies would then supplement the corporate standards and address specific risks within the line of business or department.
A consolidated BSA/AML compliance program typically includes a central point where BSA/AML risks throughout the organization are aggregated. Refer to "Consolidated BSA/AML Compliance Risk Assessment," page 28. Under a consolidated approach, risk should be assessed both within and across all business lines, legal entities, and jurisdictions of operation. Programs for global organizations should incorporate the AML laws and requirements of the various jurisdictions in which they operate. Internal audit should assess the level of compliance with the consolidated BSA/AML compliance program.
Examiners should be aware that some complex, diversified banking organizations may have various subsidiaries that hold different types of licenses and banking charters or may organize business activities and BSA/AML compliance program components across their legal entities. For instance, a highly diversified banking organization may establish or maintain accounts using multiple legal entities that are examined by multiple regulators. This action may be taken in order to maximize efficiencies, enhance tax benefits, adhere to jurisdictional regulations, etc. This methodology may present a challenge to an examiner reviewing BSA/AML compliance in a legal entity within an organization. As appropriate, examiners should coordinate efforts with other regulatory agencies in order to address these challenges or ensure the examination scope appropriately covers the legal entity examined.
Structure of the BSA/AML Compliance Function
As discussed above, a banking organization has discretion as to how to structure and manage its BSA/AML compliance program. For example, a small institution may choose to combine BSA/AML compliance with other functions and utilize the same personnel in several roles. In such circumstances, there should still be adequate senior-level attention to BSA/AML compliance, and sufficient dedicated resources. As is the case in all structures, the audit function should remain independent.
A larger, more complex firm may establish a corporate BSA/AML compliance function to coordinate some or all BSA/AML responsibilities. For example, when there is delegation of BSA/AML compliance responsibilities, and BSA/AML compliance staff is located within lines of business, expectations should be clearly set forth in order to ensure effective implementation of the BSA/AML compliance program. In particular, allocation of responsibility should be clear with respect to the content and comprehensiveness of MIS reports, the depth and frequency of monitoring efforts, and the role of different parties within the banking organization (e.g., risk, business lines, operations) in BSA/AML compliance decision-making processes. Clearly communicating which functions have been delegated and which remain centralized helps to ensure consistent implementation of the BSA/AML compliance program among lines of business, affiliates, and jurisdictions. In addition, a clear line of responsibility may help to avoid conflicts of interest and ensure that objectivity is maintained.
Regardless of the management structure or size of the institution, BSA/AML compliance staff located within lines of business is not precluded from close interaction with the management and staff of the various business lines. BSA/AML compliance functions are often most effective when strong working relationships exist between compliance and business line staff.
In some compliance structures, the compliance staff reports to the management of the business line. This can occur in smaller institutions when the BSA/AML compliance staff reports to a senior bank officer; in larger institutions when the compliance staff reports to a line of business manager; or in a foreign banking organization’s U.S. operations when the staff reports to a single office or executive. These situations can present risks of potential conflicts of interest that could hinder effective BSA/AML compliance. To ensure the strength of compliance controls, an appropriate level of BSA/AML compliance independence should be maintained, for example, by:
- Providing BSA/AML compliance staff a reporting line to the corporate compliance or other independent function;
- Ensuring that BSA/AML compliance staff is actively involved in all matters affecting AML risk (e.g., new products, review or termination of customer relationships, filing determinations);
- Establishing a process for escalating and objectively resolving disputes between BSA/AML compliance staff and business line management; and
- Establishing internal controls to ensure that compliance objectivity is maintained when BSA/AML compliance staff is assigned additional bank responsibilities.
Management and Oversight of the BSA/AML Compliance Program
The board of directors and senior management of a bank have different responsibilities and roles in overseeing and managing BSA/AML compliance risk. The board of directors has primary responsibility for ensuring that the bank has a comprehensive and effective BSA/AML compliance program and oversight framework that is reasonably designed to ensure compliance with BSA/AML regulation. Senior management is responsible for implementing the board-approved BSA/AML compliance program.
Boards of directors.[169] The board of directors is responsible for approving the BSA/AML compliance program and for overseeing the structure and management of the bank’s BSA/AML compliance function. The board is responsible for setting an appropriate culture of BSA/AML compliance, establishing clear policies regarding the management of key BSA/AML risks, and ensuring that these policies are adhered to in practice.
[169] Foreign banking organizations should ensure that, with respect to their U.S. operations, the responsibilities of the board described in this section are fulfilled in an appropriate manner through their oversight structure and BSA/AML risk management framework.
The board should ensure that senior management is fully capable, qualified, and properly motivated to manage the BSA/AML compliance risks arising from the organization’s business activities in a manner that is consistent with the board’s expectations. The board should ensure that the BSA/AML compliance function has an appropriately prominent status within the organization. Senior management within the BSA/AML compliance function and senior compliance personnel within the individual business lines should have the appropriate authority, independence, and access to personnel and information within the organization, and appropriate resources to conduct their activities effectively. The board should ensure that its views about the importance of BSA/AML compliance are understood and communicated across all levels of the banking organization. The board also should ensure that senior management has established appropriate incentives to integrate BSA/AML compliance objectives into management goals and compensation structure across the organization, and that corrective actions, including disciplinary measures, if appropriate, are taken when serious BSA/AML compliance failures are identified.
Senior management. Senior management is responsible for communicating and reinforcing the BSA/AML compliance culture established by the board, and implementing and enforcing the board-approved BSA/AML compliance program. If the banking organization has a separate BSA/AML compliance function, senior management of the function should establish, support, and oversee the organization’s BSA/AML compliance program. BSA/AML compliance staff should report to the board, or a committee thereof, on the effectiveness of the BSA/AML compliance program and significant BSA/AML compliance matters.
Senior management of a foreign banking organization’s U.S. operations should provide sufficient information relating to the U.S. operations’ BSA/AML compliance to the governance or control functions in its home country, and should ensure that responsible senior management in the home country has an appropriate understanding of the BSA/AML risk and control environment governing U.S. operations. U.S. management should assess the effectiveness of established BSA/AML control mechanisms for U.S. operations on an ongoing basis and report and escalate areas of concern as needed. As appropriate, corrective action then should be developed, implemented and validated.
Consolidated BSA/AML Compliance Programs
Banking organizations that centrally manage the operations and functions of their subsidiary banks, other subsidiaries, and business lines should ensure that comprehensive risk management policies, procedures, and processes are in place across the organization to address the entire organization’s spectrum of risk. An adequate consolidated BSA/AML compliance program provides the framework for all subsidiaries, business lines, and foreign branches to meet their specific regulatory requirements (e.g., country or industry requirements). Accordingly, banking organizations that centrally manage a consolidated BSA/AML compliance program should, among other things, provide appropriate structure and advise the business lines, subsidiaries, and foreign branches on the development of appropriate guidelines. For additional guidance, refer to the expanded overview section, "Foreign Branches and Offices of U.S. Banks," page 164.
An organization applying a consolidated BSA/AML compliance program may choose to manage only specific compliance controls (e.g., suspicious activity monitoring systems, audit) on a consolidated basis, with other compliance controls managed solely within affiliates, subsidiaries, and business lines. When this approach is taken, examiners must identify which portions of the BSA/AML compliance program are part of the consolidated BSA/AML compliance program. This information is critical when scoping and planning a BSA/AML examination.
When evaluating a consolidated BSA/AML compliance program for adequacy, the examiner should determine reporting lines and how each affiliate, subsidiary, business line, and jurisdiction fits into the overall compliance structure. This should include an assessment of how clearly roles and responsibilities are communicated across the bank or banking organization. The examiner also should assess how effectively the bank or banking organization monitors BSA/AML compliance throughout the organization, including how well the consolidated and nonconsolidated BSA/AML compliance program captures relevant data from subsidiaries.
The evaluation of a consolidated BSA/AML compliance program should take into consideration available information about the adequacy of the individual subsidiaries’ BSA/AML compliance program. Regardless of the decision to implement a consolidated BSA/AML compliance program in whole or in part, the program should ensure that all affiliates, including those operating within foreign jurisdictions, meet their applicable regulatory requirements. For example, an audit program implemented solely on a consolidated basis that does not conduct appropriate transaction testing at all subsidiaries subject to the BSA would not be sufficient to meet regulatory requirements for independent testing for those subsidiaries. If dissemination of certain information is limited and therefore transparency across the organization is restricted, audit should be aware and ensure AML controls are commensurate with those risks.
Suspicious Activity Reporting
Bank holding companies (BHC) or any nonbank subsidiary thereof, or a foreign bank that is subject to the BHC Act or any nonbank subsidiary of such a foreign bank operating in the United States, are required to file SARs.[170] A BHC’s nonbank subsidiaries operating only outside the United States are not required to file SARs. Certain savings and loan holding companies, and their nondepository subsidiaries, are required to file SARs pursuant to Treasury regulations (e.g., insurance companies (31 CFR 1025.320) and broker/dealers (31 CFR 1023.320)). In addition, savings and loan holding companies, if not required, are strongly encouraged to file SARs in appropriate circumstances. On January 20, 2006, the Financial Crimes Enforcement Network, Board of Governors of the Federal Reserve System, Federal Deposit Insurance Corporation, Office of the Comptroller of the Currency, and the Office of Thrift Supervision issued guidance authorizing banking organizations to share SARs with head offices and controlling companies, whether located in the United States or abroad. Refer to the core overview section, "Suspicious Activity Reporting," page 60, for additional information.
[170] 12 CFR 225.4(f).