Preparing for Your Next Bank Secrecy Act Examination

May 01, 2016

Do you have a Bank Secrecy Act (BSA) examination looming? The best way to prepare is to test the elements that examiners will be looking at and correct any deficiencies prior to the time examiners show up on your doorstep. The following is a list of items to address in advance of the examination start date so you can take corrective actions before the examination commences.

1. Review your prior exam reports and verify all prior-year issues have been addressed and corrected. This is low-hanging fruit that examiners will specifically look for during their visit. If you find any uncorrected issues, resolve them immediately.

2. Verify your BSA and Office of Foreign Assets Control (OFAC) risk assessments have been updated and approved within the past 12 months, or even more recently if you have had any changes to your risk factors such as customer base, products, or services.

3. Make sure documentation is available to support the numbers and volumes used throughout the risk assessments. Information must be accurate to allow for a meaningful assessment.

4. Review your written BSA program and make sure it has been updated and approved after any major changes, such as including procedures regarding marijuana growers/cultivators or dispensaries or retailers.

5. Review all BSA-related training records to ensure they are adequately documented and completed. Make sure all applicable employees completed the training, and if any of them have not yet completed it, provide makeup sessions as soon as possible. Also, make sure you can provide evidence, either by documented Board minutes or by another method, that the Board of Directors received adequate BSA training, and show what topics were covered. If there has not been any Board training in the past 12 months, schedule a training session for the next Board meeting, if possible.

6. Review your 314(a) log and make sure there are no gaps in your entries. Compare your list to the list that can be found at https://www.fincen.gov/statutes_regs/patriot/pdf/leinfosharing.pdf to ensure all requests are accounted for on your log.

7. Determine the types of noncustomer transactions that your financial institution may have and whether or not the OFAC list is being checked in these circumstances. For areas where noncustomers are not being checked against the OFAC list, make sure the OFAC risk assessment adequately supports this position. Noncustomer transactions may include payees on monetary instruments, “on us” checks that are cashed at your institution, ATM deposits from noncustomers, the noncustomer party to a wire transaction, purchases of traveler’s checks/cards, purchases of gift/prepaid cards, guarantors, principals, beneficiaries, nominee shareholders, beneficial owners, signatories, directors, powers of attorney, and even vendors that your financial institution uses.

8. If a core system download is available that would include customer identification program (CIP) data, sort by key fields such as date of birth, tax identification number, and driver’s license number searching for missing data or false information such as numbers with all nines or zeros. Look for any post office box numbers without a corresponding physical address. Also, if your financial institution is not retaining a copy of any document relied on to verify identification, verify fields such as identification number, place of issuance, date of issuance, and date of expiration were completed. Sort by city, state, and country for any unusual or foreign addresses and finally, follow up on any missing information to ensure your CIP files are complete.

9. If your program allows for CIP exceptions and has a deadline for obtaining any missing or incomplete information (such as when a tax identification number has been applied for but not yet received at the time of account opening), review your list of accounts opened with exceptions to CIP and attempt to clear any outstanding exceptions that are past the deadline.

10. Review your financial institution's list of accounts with W-8BENs to ensure none are expired and they are signed and dated. Also, make sure accounts with W-8BENs or ITINs have been appropriately identified and risk rated.

11. Review the list of higher-risk customers and make sure enhanced due diligence has been conducted within your financial institution's monitoring time frames. If any reviews are found to be delinquent, perform enhanced due diligence as soon as possible and document the results.

12. Review files maintained for your remote deposit capture (RDC) customers. Make sure files are in order, including standardized underwriting criteria, credit history, financial statements, ownership structure of business, types of business customers, and maximums for large dollar items. Be sure to obtain expected account activity from the RDC customer, such as the anticipated RDC number volume, dollar volume, and type (for example, payroll checks, third-party checks, and traveler's checks). Finally, make sure you can demonstrate that additional monitoring or reviews were performed when significant changes in the type or volume of transactions occurred.

13. Review the suspects named in recent suspicious activity report (SAR) filings. For any suspects who are current customers of your financial institution, verify enhanced due diligence is being performed every 90 days, as applicable.

14. Scan logs used to capture data about cash sales of monetary instruments between $3,000 and $10,000. Review for empty fields and correct as necessary. Review sales of monetary instruments as well as prepaid cards for any unusual activity and make sure you are able to explain the activity, if necessary.

15. Make sure all types of higher-risk customers have been identified. The last thing you want is for your examiner to tell you of a money service business (MSB) or private ATM owner customer that you were not aware of. Download the registered MSB list from FinCEN’s website for each applicable state in which your financial institution operates. Check the MSB list against your customer base to ensure you have already identified all your registered MSB customers. To detect private ATM owners, search your ACH files for a period of time for the names of known ATM servicers such as: FDRetail ATM; RBS; Worldpay; Coredata; FirstData; Datastream; Elan FS; Cash Depot; Cardtronics; CDS; EFUNDS; SWITCH; Metabank; Innobeta; MVNT; FDC Star System; and Paymentech. A potential match could mean that your customer is an ATM owner or operator.
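The CIP data review in item 8 can be scripted against a core system download. The following is an added example, not part of the original article: the column names, the `doc_copy` flag, and the sample rows are all constructed assumptions, and a real export will need its own field mapping.

```python
import csv
import io
import re

# Constructed sample of a core-system export; the column names are assumptions.
SAMPLE_CSV = """acct,dob,tin,id_number,id_issuer,id_issued,id_expires,doc_copy,mail_addr,phys_addr
1001,1980-04-12,123-45-6789,D1234567,OR,2014-01-05,2022-01-05,N,12 Elm St,12 Elm St
1002,,999-99-9999,D7654321,WA,2013-06-01,2021-06-01,N,PO Box 44,
1003,1975-11-30,000000000,,,,,N,P.O. Box 9,77 Main St
1004,1990-02-02,987-65-4321,P5550001,,,,Y,5 Oak Ave,5 Oak Ave
"""

KEY_FIELDS = ("dob", "tin", "id_number")
ID_DETAIL_FIELDS = ("id_issuer", "id_issued", "id_expires")
PO_BOX = re.compile(r"\bP\.?\s*O\.?\s*BOX\b", re.IGNORECASE)


def is_filler(value):
    digits = re.sub(r"\D", "", value)  # compare digits only, ignoring dashes
    return bool(digits) and set(digits) in ({"9"}, {"0"})


def review_record(row):
    """Return the list of CIP findings for one exported customer row."""
    findings = []
    required = KEY_FIELDS
    # Without a retained copy of the ID, its descriptive fields must be complete.
    if row["doc_copy"].strip().upper() != "Y":
        required = KEY_FIELDS + ID_DETAIL_FIELDS
    for field in required:
        value = row[field].strip()
        if not value:
            findings.append(f"missing {field}")
        elif field in KEY_FIELDS and is_filler(value):
            findings.append(f"filler {field}")
    if PO_BOX.search(row["mail_addr"]) and not row["phys_addr"].strip():
        findings.append("PO box without physical address")
    return findings


def review_export(text):
    """Map account number -> findings, for accounts that have any."""
    rows = csv.DictReader(io.StringIO(text))
    reviewed = {row["acct"]: review_record(row) for row in rows}
    return {acct: found for acct, found in reviewed.items() if found}


if __name__ == "__main__":
    print(review_export(SAMPLE_CSV))
```

Accounts 1001 and 1004 pass: the first is complete, and the second has a retained document copy, so its blank issuance fields are not flagged.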

In conclusion, while these are only some of the procedures you should perform prior to your exam, it would be a good practice to implement them as part of your ongoing monitoring process. Preparation and correction will prevent potential examination questions and concerns or last-minute issues.

Author(s)

Teri Downey, CRCM, CAMS, CFSA, CFIRS
Senior Manager