Updates to the FFIEC BSA/AML manual released
In the midst of the COVID-19 pandemic (and on tax day, no less), the FFIEC inconspicuously released updated sections and examination instructions to the Bank Secrecy Act/Anti-Money Laundering (BSA/AML) Examination Manual.
The updates provide further transparency into the BSA/AML examination process and do not establish new requirements, according to an interagency statement. This is just the first update, and it focuses on the first section of the 2014 Manual, Core Examination Overview and Procedures for Assessing The BSA/AML Compliance Program. The agencies will release additional updates to the remaining sections of the manual.
A brief summary and some observations from the April 2020 updates are provided below.
Scoping and planning
Similar to the 2014 FFIEC Examination Manual, the revised version specifies that the scoping and planning process should begin with a review of the BSA/AML risk assessment, independent testing, analyses and conclusions from previous examinations, other information available through off-site and ongoing monitoring processes, and request letter items received from the financial institution.
Below are three observations:
- A significant increase in the number of references to a “risk focused” approach and scoping based on the financial institution’s “risk profile.”
- Frequent mention of understanding the money laundering, terrorist financing and other illicit financial activity risks associated with an institution. In fact, references to money laundering and terrorist financing are so common that a new acronym, ML/TF, has been added.
- Reference to a financial institution’s reliance on technology to aid in BSA/AML compliance — specifically, the new guidance states many institutions rely on technology to aid with BSA/AML compliance, and therefore the scoping and planning process should include an understanding of the institution’s information technology sources, systems and processes used in the BSA/AML compliance program. This is likely a direct result of the increase in the number of financial institutions that have invested in automated surveillance monitoring (ASM) systems since the last FFIEC manual update in 2014.
The most noticeable change was the emphasis on a risk-focused approach for planning and performing BSA/AML examinations. The revisions were largely driven by the interagency guidance outlined in the Joint Statement on the Risk-Focused Approach to BSA/AML Supervision released in July 2019.
BSA/AML risk assessment
The revisions stated that examiners should assess whether the financial institution has developed a BSA/AML risk assessment that identifies its money laundering, terrorist financing and other illicit financial activity risks, and ensure that the institution has considered all products, services, customers and geographic locations and has analyzed the information relative to those risk categories. As noted earlier, the updates were not intended to establish new requirements; however, the revised wording does suggest a more tailored approach to evaluating the risk assessment.
Three examples of revisions that support this premise include the following:
- Financial institution management should design the appropriate method or format and communicate the money laundering, terrorist financing and other illicit financial activity risks to all appropriate parties.
- Examiners should not criticize the financial institution for individual risk or process decisions, unless those decisions impact the adequacy of some aspect of the institution’s BSA/AML program.
- The financial institution may determine that some factors should be weighted more heavily than others.
Building on the July 2019 statement, the April 2020 revisions appear to be further acknowledgement that each financial institution is unique. Money laundering, terrorist financing and other illicit financial activities can occur through many different methods or channels as well as in rural and urban settings. The risk assessment should address the varying degrees of risk associated with products, services, customers and geographic locations, as appropriate, at your institution, as well as identify and mitigate any gaps in controls.
BSA/AML compliance program
The format and layout of this section had some changes; however, the overall content remained largely unchanged.
First and foremost, an effective BSA/AML compliance program must provide for the following pillar requirements:
- A system of internal controls to assure ongoing compliance
- Independent testing for compliance to be conducted by independent financial institution personnel or by an outside party
- Designation of an individual or individuals responsible for coordinating and monitoring day-to-day compliance (BSA compliance officer)
- Training for appropriate personnel
The primary enhancement in this section was guidance on the “fifth pillar,” which became effective in May 2018. Specifically, BSA/AML compliance programs must also include appropriate risk-based procedures for conducting ongoing customer due diligence and complying with beneficial ownership requirements for legal entity customers as set forth in regulations issued by the Financial Crimes Enforcement Network.
Developing conclusions and finalizing the examination
Consistent with the tone established in the Scoping and Planning section, the Developing Conclusions and Finalizing the Examination section emphasized a risk-focused approach. The guidance directs examiners to formulate conclusions about the adequacy of the financial institution’s BSA/AML compliance program, relative to its risk profile, and the institution’s compliance with BSA regulatory requirements; develop an appropriate supervisory response; and communicate BSA/AML examination findings to the financial institution.
Three enhancements were noted:
- Examiners should primarily focus on whether the financial institution has established appropriate processes to manage money laundering, terrorist financing and other illicit financial activity risks and that the institution has complied with BSA requirements.
- Financial institutions have flexibility in the design of their BSA/AML compliance programs, and minor weaknesses, deficiencies and technical violations alone are not indicative of an inadequate program.
- When formulating conclusions, examiners are reminded that financial institutions have flexibility in the design of their BSA/AML compliance programs, which will vary based on the institution’s risk profile, size or complexity and organizational structure.
In many ways, the April 2020 update was more figurative than substantive.
Guidelines for a risk-based examination process were detailed in the “Joint Statement on the Risk-Focused Approach to BSA/AML Supervision” and issued about a year ago; however, since the FFIEC Exam Manual is often viewed as the source for BSA/AML compliance, integration of this guidance is important.
Further, the revised language seems to distinguish more clearly between supervisory expectations and mandatory regulatory agency requirements.
The updates suggest there may be subtle changes to the examination process, most notably a more customized risk-based approach based on each individual financial institution’s profile; however, the regulatory examination will be the true determinant of whether the process has changed.
Wipfli Editorial Team