Over the past few years, Bank Secrecy Act (BSA)/Anti-Money Laundering (AML) compliance has crept back to the top of regulators’ minds, and examiner expectations have increased, so perhaps it is time to take another look at what your Board of Directors should know about BSA/AML.
BSA/AML compliance, like all types of compliance activities and efforts, requires dedication, adequate resources, and a great deal of focus. The 2014 Federal Financial Institutions Examination Council’s (FFIEC’s) BSA Examination Manual (a new version is expected before the end of this year) discusses board expectations throughout the 400+ page manual. So it is a good place to look while determining what level of involvement your Board should have in oversight of the BSA/AML program.
Tone From the Top
Your Board of Directors is responsible for approving the BSA/AML compliance program and, while acting through senior management, is also ultimately responsible for ensuring the financial institution maintains an effective BSA/AML internal control structure including suspicious activity monitoring and reporting. The Board is also responsible for setting an appropriate culture of BSA/AML compliance, establishing clear policies regarding the management of key BSA/AML risks, and ensuring employee accountability for adherence to these policies.
Your Board should confirm that senior management is fully capable, qualified, and properly motivated to manage the BSA/AML compliance risks arising from your institution’s business activities in a manner that is consistent with Board expectations. It is up to the Board to ensure the BSA/AML compliance function has an appropriately prominent status within the institution.
Your Board should confirm that its views about the importance of BSA/AML compliance are communicated across all levels of the financial institution. The Board should also ensure that senior management has established appropriate incentives, including compensation, to integrate BSA/AML compliance objectives into management goals and across the institution and that corrective actions, including disciplinary measures, if appropriate, are taken when serious BSA/AML compliance failures are identified.
Your Board of Directors is responsible for the designation of a qualified individual as the BSA compliance officer to coordinate and monitor all aspects of the BSA/AML compliance program, including day-to-day monitoring, and your institution’s adherence to the BSA and its implementing regulations. However, remember, the Board of Directors is still ultimately responsible for your institution’s BSA/AML compliance and should ensure the BSA compliance officer has sufficient authority and resources (monetary, physical, and personnel) to administer an effective BSA/AML compliance program based on your institution’s risk profile. The BSA compliance officer is responsible for carrying out the direction of the Board and monitoring employee adherence to your institution’s BSA/AML policies, procedures, and processes.
Policies, Risk Assessments, and Reports
The BSA/AML compliance program must be approved by the Board (or by an approved committee acting under the express authority of your financial institution’s Board of Directors to approve the BSA compliance programs), and the approval must be noted in the minutes. This approval should not be a one-and-done approach; rather, review and approval should occur annually, or any time the risk profile is altered through changes in your institution’s products, services, consumer base, or geographies.
The Customer Identification Program (CIP) rule implements section 326 of the USA PATRIOT Act and requires every institution to implement a written CIP that is appropriate for its size and type of business and includes certain minimum requirements. Therefore, the CIP must be incorporated into your institution’s BSA/AML compliance program, and thus it is also subject to approval by the Board of Directors (or approved committee).
The risk assessment, which provides a comprehensive analysis of the BSA/AML risks in a concise and organized presentation, should be shared and communicated with all business lines across your institution including the Board of Directors, management, and appropriate staff as needed. Using the risk assessment to form the audit scope ensures that your Board of Directors and auditors focus testing on the areas of greatest concern. The testing assists the Board and management in identifying areas of weakness or in need of enhancements or stronger controls.
Audit findings and examination reports should be reported in a timely manner to your Board of Directors or a designated Board committee. The Board or designated committee and the audit staff should regularly track audit deficiencies and document corrective actions.
Management should regularly provide sufficient information on its SAR filings to the Board of Directors or designated committee to fulfill its fiduciary duties while remaining mindful of the confidential nature of the SARs.
However, if reports to your Board stop here, the Board and the BSA team are missing out on an important opportunity. So much of what the BSA team does daily is unseen. This can include reviewing OFAC matches, 314(a) matches, 314(b) requests, and CTR filings; working on CIP exceptions; clearing false positive alerts from an automated surveillance monitoring system; responding to law enforcement requests; or working with examiners and auditors. As a best practice, why not create a template that can be provided either monthly or quarterly to the Board covering additional important focus areas within the BSA/AML framework? BSA officers are busy, and sometimes all of the work that is done doesn’t get noticed, especially when things are running smoothly.
Some of the additional areas recommended for inclusion in the summary memo to your Board are:
- Number of CTRs filed in the period
- Number of current CTR exempt consumers
- Number of SARs (new and continuing) filed in the period (with summary detail only)
- Number of high-risk consumer reviews completed in the period
- Number of OFAC matches and false positives in the period
- Number of FinCEN 314(a) matches and false positives
- Number of FinCEN 314(b) requests
- Number of new account CIP exceptions for the period
- Number of alerts cleared and cases created within the institution’s automated surveillance monitoring system for the period
- Number of law enforcement requests during the period
- Hot topics from the current period
- Internal and external training attended by the BSA team, and completion rates of BSA training for employees (new and existing) and the Board (as applicable)
Don’t forget to include information from any trust, wealth management, or other distinct areas of your institution, as applicable, in these reports.
Depending on how fancy and visual your Board likes to get, perhaps consider adding graphs of trending analysis to this report to help demonstrate increases or decreases in certain areas from period to period.
Not only does this provide great information to the Board on a regular basis, it also goes a long way in preparation for your next BSA examination.
Your Board of Directors and senior management should be informed of changes and new developments in the BSA, its implementing regulations and directives, and the federal banking agencies’ regulations. While the Board of Directors may not require the same degree of training as banking operations personnel, Board members need to understand the importance of BSA/AML regulatory requirements, the ramifications of noncompliance, and the risks posed to your institution. Without a general understanding of the BSA, your Board of Directors cannot adequately provide BSA/AML oversight; approve BSA/AML policies, procedures, and processes; or provide sufficient BSA/AML resources.
Long gone are the days when a board was only required to know what BSA stood for. For at least a decade, the BSA officer has been responsible for regularly providing the necessary BSA information to the board, while the board is expected to fully support and promote a strong BSA culture. If you have not done so already, review the information received by your Board of Directors surrounding your BSA program and ensure the Board has the information, knowledge, and tools necessary to effectively oversee BSA risk within your financial institution.