Wipfli LLP - CPAs and Consultants

Independent Audit Is Key to BSA Compliance

August 01, 2005

One look at the headlines and the news becomes perfectly clear: The regulators mean business.

Recent enforcement action involving noncompliance with the Bank Secrecy Act (BSA) is sending an unmistakable message to financial institutions - a well-defined and well-implemented BSA program must be securely in place. You can be sure that examinations conducted by regulatory agencies are painstaking in detail and come with a zero-tolerance policy.

Currently, no step is more critical to attaining a successful BSA regulatory compliance exam than the completion of an annual independent audit.

To fully comply with BSA and the Anti-Money Laundering (AML) requirements, a bank must have a thorough independent audit conducted at least annually. The independent review must verify the existence of the bank’s BSA audit program, including all policies and procedures. More importantly, it must test the effectiveness of the institution’s BSA/AML program, controls, procedures, and systems.

The independent audit should also review a bank’s risk assessment process, its Customer Identification Program (CIP), its process for identifying activities that warrant filing of Suspicious Activity Reports (SARs), and its employee training, among many other factors. Swift and proper action must be taken on any audit results that uncover weaknesses.

While an independent audit ranks high on regulators’ exam lists, it is by no means the only critical issue needed to achieve an effective compliance effort.

Six questions that matter

Banks are being held to a higher standard than ever before. That standard starts at the top with the institution’s board of directors and senior management. Here are six key questions regulators will strongly consider in the course of an exam. Banks that thoroughly address these issues can make a marked difference in their compliance results.

  1. Has the board of directors adopted a sound BSA/AML/CIP program? A bank’s board of directors must ensure that management develops and maintains a comprehensive compliance program appropriate for the size and complexity of the business. An effective program must encompass both policy and the procedures that support it.

  2. Does the bank do what it claims to? Continued board and senior management oversight is key. They must establish the frequency of audits and ensure that all compliance efforts are supported by proper documentation.

  3. Is the bank’s Anti-Money Laundering program based on a documented risk assessment? Anti-money laundering programs are closely reviewed by regulators since many violations tend to occur because of system and procedure failures. Banks should develop risk assessment guidelines by identifying higher-risk products, activities, businesses, locations, and countries. They should conduct appropriate internal or outside training with staff and review definitions as well as examples of money laundering in all its various forms. Finally, a bank’s AML program should provide for compliance testing by an independent party.

  4. Is the bank’s Customer Identification Program based on a documented risk assessment? A bank’s CIP must include risk-based procedures for verifying the identity of each customer to the extent reasonable. Each bank must also develop procedures to account for all relevant risks, including those presented by the types of accounts maintained by the bank, the various methods of opening accounts, the types of identifying information available, and the account opening and monitoring guidelines appropriate for the bank’s size, location, products, and types of business or customer base.

  5. How does the bank handle Money Service Businesses (MSBs)? Banks that have account relationships with MSBs should perform greater due diligence given that these businesses have higher-risk profiles. It’s important to identify all MSB accounts and establish that they’ve met local licensing requirements and are registered with FinCEN. Banks should determine whether an MSB is required to comply with BSA regulations and OFAC monitoring and should establish processes for monitoring and reporting all suspicious activities.

  6. How does the bank comply with OFAC? It’s necessary to develop policies and procedures that comply with OFAC laws and regulations. These include obtaining the current list of prohibited countries, entities, and individuals; comparing new accounts and incoming/outgoing funds transfers to the OFAC list; and instituting processes for rejecting accounts after notifying OFAC.

Meeting the challenge

BSA/AML compliance requires unconditional commitment throughout a financial institution’s entire ranks. Banks must develop comprehensive responses that are appropriate to the risks undertaken. Experts agree that effective programs include internal controls, independent testing, responsible personnel, and appropriate training.