Bank Secrecy Act
Business Entities (Domestic and Foreign)
Objective. Assess the adequacy of the bank’s systems to manage the risks associated with transactions involving domestic and foreign business entities, and management’s ability to implement effective due diligence, monitoring, and reporting systems.
1. Review the bank’s policies, procedures, and processes related to business entities. Evaluate the adequacy of the policies, procedures, and processes given the bank’s transactions with business entities and the risks they present. Assess whether the controls are adequate to reasonably protect the bank from money laundering and terrorist financing.
2. Review the policies and processes for opening and monitoring accounts with business entities. Determine whether the policies adequately assess the risk between different account types.
3. Determine how the bank identifies and, as necessary, completes additional due diligence on business entities. Assess the level of due diligence the bank performs when conducting its risk assessment.
4. From a review of MIS and internal risk rating factors, determine whether the bank effectively identifies and monitors higher-risk business entity accounts.
5. Determine whether the bank’s system for monitoring business entities for suspicious activities, and for reporting of suspicious activities, is adequate given the activities associated with business entities.
6. If appropriate, refer to the core examination procedures, “Office of Foreign Assets Control,” page 152, for guidance.
7. On the basis of the bank’s risk assessment of its accounts with business entities, as well as prior examination and audit reports, select a sample of these accounts. Include the following risk factors:
- An entity organized in a higher-risk jurisdiction.
- Account activity that is substantially currency based.
- An entity whose account activity consists primarily of circular-patterned funds transfers.
- A business entity whose ownership is in bearer shares, especially bearer shares that are not under bank or trusted third-party control.
- An entity that uses a wide range of bank services, particularly trust and correspondent services.
- An entity owned or controlled by other nonpublic business entities.
- Business entities for which the bank has filed SARs.
8. From the sample selected, obtain a relationship report for each selected account. It is critical that the full relationship, rather than only an individual account, be reviewed.
9. Review the due diligence information on the business entity. Assess the adequacy of that information.
10. Review account statements and, as necessary, specific transaction details. Compare expected transactions with actual activity. Determine whether actual activity is consistent with the nature and stated purpose of the account and whether transactions appear unusual or suspicious. Areas that may pose a higher risk, such as funds transfers, private banking, trust, and monetary instruments, should be a primary focus of the transaction review.
11. On the basis of examination procedures completed, including transaction testing, form a conclusion about the adequacy of policies, procedures, and processes associated with business entity relationships.