Bank Secrecy Act
Objective. Assess the adequacy of the bank's systems to manage the risks associated with prepaid access, and management's ability to implement effective monitoring and reporting systems.
1. Review the policies, procedures, and processes related to prepaid access. Evaluate the risks posed by the prepaid access products offered, and the adequacy of the policies, procedures, and processes given the risks such prepaid access products present. Assess whether the controls are adequate to reasonably protect the bank from money laundering and terrorist financing.
2. Review the due diligence undertaken by the bank regarding third-party service providers such as program managers, processors, marketers, merchants and distributors. Assess whether existing onboarding and ongoing oversight programs are reasonably satisfactory to protect the bank.
3. From a review of MIS and internal risk rating factors, determine whether the bank effectively identifies and monitors higher-risk prepaid access transactions, such as transactions involving unknown sources of funds (as opposed to funds received from a long-term commercial customer or federal, state or local government entity) as well as transactions involving international cash access/ATM transactions (as opposed to domestic merchandise-only transactions).
4. Determine whether the bank's prepaid access program is governed by an agreement or a contract describing each party's responsibilities and other relationship details, such as the products and services provided. At a minimum, the contract should consider each party's:
- BSA/AML and OFAC compliance requirements;
- customer base;
- due diligence procedures; and
- network obligations.
5. Determine whether the bank's system for monitoring prepaid access transactions for suspicious activities, and for reporting suspicious activities, is adequate given the bank's size, complexity, location, customer profile, and types of prepaid access products offered.
6. If appropriate, refer to the core examination procedures, "Office of Foreign Assets Control," page 152; "Third Party Payment Processors," page 239; and "Nonbank Financial Institutions," page 307, for guidance.
7. On the basis of the bank's risk assessment of its prepaid access activities, as well as prior examination and audit reports, select a sample of prepaid access transactions. From the sample selected, perform the following examination procedures:
- Review the prepaid access product configuration(s), including features, how it is distributed, source of funds, and what BSA/AML risk mitigants apply.
- Review account opening documentation, including CIP, ongoing CDD, and transaction history.
- Compare expected activity with actual activity.
- Determine whether the activity is consistent with the nature of the prepaid access product, known sources of funds, and knowledge of the user's identity.
- Identify any unusual or suspicious activity.
8. On the basis of examination procedures completed, including transaction testing, form a conclusion about the adequacy of policies, procedures, and processes associated with prepaid access relationships.