

Risk, testing guidance and transparency: Highlights of 2020 and 2021 FFIEC updates

Jul 06, 2021

The two most recent FFIEC updates to the Bank Secrecy/Anti-Money Laundering (BSA/AML) Examination Manual provide additional transparency into the examination process, reinforce a risk-focused approach to examinations and offer transaction testing guidance.

April 2020 highlights

In many ways, the FFIEC’s April 15, 2020 update was more figurative than substantive.

Guidelines for a risk-based examination process were detailed in the “Joint Statement on the Risk-Focused Approach to BSA/AML Supervision,” released in July 2019; however, since the manual is viewed as the primary source for BSA/AML compliance, integration of the guidance into the manual was important.

The revised language more clearly distinguished between supervisory expectations and mandatory regulatory agency requirements. Further, the updates clarified the more customized risk-based approach seen in regulatory examinations over the past two years.

Acknowledging the stress caused by COVID-19, members stressed that the updates did not include any new procedures — only clarifications.

Highlights of the April 2020 changes include: 

  • An emphasis on a risk-focused approach for planning and scoping BSA/AML examinations, including the financial institution’s information technology sources, systems and processes used in the BSA/AML compliance program.
  • A more tailored approach to evaluating the risk assessment. The updates recommend the risk assessment address the varying degrees of risk associated with products, services, customers and geographic locations, as well as identify and mitigate any gaps in controls. It was noted that examiners should not criticize a financial institution for individual risk or process decisions unless those decisions impact the adequacy of some aspect of the institution’s BSA/AML program.
  • Revisions to the “assessing the BSA/AML compliance program” section. The primary enhancement in this section was guidance on the “fifth pillar,” the Customer Due Diligence/Beneficial Ownership Rule, which became effective in May 2018. Specifically, BSA/AML compliance programs must also include appropriate risk-based procedures for conducting ongoing customer due diligence (CDD) and complying with beneficial ownership requirements for legal entity customers.
  • Modifications and guidance on developing conclusions and finalizing examinations. The guidance directed examiners to formulate conclusions about the adequacy of the financial institution’s BSA/AML compliance program, relative to its risk profile, and the institution’s compliance with BSA regulatory requirements; develop an appropriate supervisory response; and communicate BSA/AML examination findings to the financial institution.

February 2021 highlights

Like last year, updates released on February 25, 2021 should not be interpreted as new instructions or as a new or increased focus on certain areas; instead, they further support risk-focused examinations and — more importantly for financial institutions — offer additional transparency into the examination process, including updated information regarding transaction testing. 

The highlights include:

Assessing compliance with BSA regulatory requirements

A new introduction titled “Assessing compliance with BSA regulatory requirements” was added that provides an overview of the testing methodology to be utilized during examinations.

Specifically, BSA testing will assess the implementation of policies, procedures and processes and evaluate controls, information technology sources, systems and processes used for BSA/AML compliance. Testing will be risk focused and could take the form of testing specific transactions or performing analytical or other reviews. 

While examiners must perform some testing during each BSA/AML examination cycle, testing may focus on any one of the regulatory requirements and may address different areas of the BSA. It may not be necessary to test for every BSA regulation. It should be noted that not all of the examination and testing procedures included in the manual are likely to be applicable to every financial institution or during every examination.

Customer identification program

Testing in “customer identification program” will include new accounts opened since the most recent examination to review for compliance with the CIP. The sample should include a cross-section of accounts as indicated by the risk assessment (e.g., consumers and businesses, loans and deposits, credit card relationships, and accounts opened via U.S. mail and online). The sample should also, on a risk basis, include the following:

  • New accounts opened using the exception for customers that have applied for a taxpayer identification number (TIN)
  • New accounts opened using documentary methods and new accounts opened using non-documentary methods
  • New accounts identified by the institution as higher risk
  • New accounts opened with incomplete verification information, if applicable
  • New accounts opened by a third party as the bank’s agent (e.g., indirect loans), if applicable

Examiners will also review any identified instances of noncompliance with the CIP rule and any deviations from the CIP to determine whether effective controls are in place; however, in making this determination, examiners are directed to keep in mind that financial institutions might have limited instances of noncompliance with the CIP rule (such as isolated or technical violations) or minor deviations from the CIP and related processes that do not result in an inadequate CIP.

Currency transaction reporting

Testing will determine whether the financial institution’s internal controls are designed to ensure ongoing compliance with currency transaction reporting (CTR) requirements and are commensurate with the financial institution’s size or complexity and organizational structure. This may include reviewing processes for overriding currency aggregation systems.

CTR form testing will evaluate the following:

  • Whether CTRs are filed in accordance with FinCEN instructions for currency transactions identified by the information technology systems
  • Whether CTRs are filed within 15 calendar days after the date of the transaction
  • Whether CTRs filed contain accurate and complete information
  • Whether management has taken corrective action when errors are identified
  • Whether discrepancies exist between CTR records and the CTRs reflected in the BSA reporting database

Transactions of exempt persons

Testing will validate whether procedures and processes are in place to ensure an entity qualifies for exemption, annual reviews are completed and appropriate documentation is retained. A sample of filed DOEP forms will be selected to determine whether:

  • The reports are filed in accordance with FinCEN instructions within 30 days of the first reportable transaction that the financial institution sought to exempt.
  • The customer is eligible for designation as exempt.
  • The financial institution maintains documentation to support that designated non-listed businesses do not receive more than 50 percent of gross revenue from ineligible business activities.

In addition, since the most recent update included content revisions only in these three areas, it would be safe to assume additional revisions will be forthcoming, which is good news for financial institutions because these revisions should offer further transparency into the examination process.

How Wipfli can help

Wipfli’s team brings real-world experience to your financial institution to meet today’s evolving compliance programs. Learn more about our compliance services on our web page or learn more from our team with these resources:


Craig E. Johnson, CRCM, CMQCS