Taking a Look at Your Bank Secrecy Act/Anti-Money Laundering Program

When was the last time you took a close look at your financial institution’s Bank Secrecy Act/Anti-Money Laundering (BSA/AML) program? With the recent implementation of rules to strengthen the customer due diligence requirements, now is a good time to do a careful review of your program to ensure it is adequate. Financial institutions are expected to implement and maintain a sound, effective BSA/AML program that incorporates procedures to identify, measure, monitor, and manage risks and is reviewed and revised as necessary on an ongoing basis.

Risk Assessment

Your BSA/AML program should be based on a risk assessment that is reviewed at least annually and whenever there are changes that may affect your institution’s risk profile. Some of these changes are the addition of branches, increased occurrence of situations requiring Currency Transaction Reports or Suspicious Activity Reports, turnover of key personnel, or new products or services. For example, if your institution offers remote deposit capture or mobile banking, associated risks should be considered in your risk assessment. Be sure all of your other products and services are considered in your risk assessment as well.

Program

Your BSA/AML program will be based on the risk assessment and must be commensurate with your institution’s BSA/AML risk profile. Your program should also include the components named in the FFIEC’s 2014 Bank Secrecy Act/Anti-Money Laundering Examination Manual. Currently, the following elements, considered to be the four pillars, are required to be included in the written program: 

• System of policies, procedures, and related internal controls to ensure ongoing compliance
• Independent testing of BSA/AML compliance
• Specifically designated person or persons responsible for managing BSA compliance (BSA compliance officer)
• Training for appropriate personnel

While it is already required that you include a Customer Identification Program (CIP) in your program, beginning May 11, 2018, your BSA/AML program will need to be expanded to include a fifth pillar— the specific regulatory requirement to understand the nature of a customer relationship and conduct ongoing monitoring to maintain and update your customers’ information and identify and report suspicious activity. In addition, by that date, you will need to implement additional procedures to identify beneficial ownership of certain entities. Watch for a future article on these topics.

As a rule, you will need to review and update your program if your institution experiences any changes, such as new products or services, new locations, turnover of key personnel, or procedural changes, and if BSA/AML requirements change.

Procedures and Internal Controls

Your procedures and internal controls should identify your institution’s products, services, customers, and locations more susceptible to money laundering or criminal activity, for example, large currency transactions and suspicious activity. Your internal controls should be designed to manage potential risks and ensure program continuity even when there are changes in key personnel. Your procedures and internal controls should include:

• Keeping the Board of Directors and senior management informed of compliance initiatives, compliance deficiencies and corrective action taken, and Suspicious Activity Reports filed. The frequency of this reporting should be addressed in the program.
• Ensuring all recordkeeping and reporting requirements are met. Procedures could include how records will be maintained (e.g., hard copies or electronic images) and responsibilities for destroying old records.
• Addressing recommendations for BSA/AML compliance and providing timely updates in response to regulatory changes.
• Implementing risk-based customer due diligence policies, procedures, and processes.
• Identifying reportable transactions and ensuring all required reports are filed.
• Implementing dual controls and segregation of duties, whenever possible, to ensure compliance with procedures.

Independent Testing

Independent testing should be performed every 12 to 18 months depending on your institution’s risks and should include an evaluation of the overall adequacy and effectiveness of your BSA/AML compliance program and its policies, procedures, and processes. The risk assessment should also be reviewed to evaluate its reasonableness based on your institution’s risk profile.

Appropriate risk-based transaction testing should be performed to verify your institution’s adherence to the various recordkeeping and reporting requirements, including testing of Currency Transaction Reports and exemptions, Suspicious Activity Reports, CIP, and information sharing requests.

Independent testing should also look at management’s efforts to resolve previously cited violations and deficiencies, the adequacy, accuracy, and completeness of staff training, the effectiveness of suspicious activity monitoring systems, and should involve performing an assessment of the integrity and accuracy of systems and system reports used to identify large currency transactions, aggregated daily currency transactions, wire transfers, sales of monetary instruments, and any analytical and trend reports used for monitoring purposes.

BSA Officer

Your financial institution should appoint an experienced BSA officer who is able to identify areas that pose BSA/AML risks and implement procedures to mitigate or control these risks. The BSA officer should be accountable for the BSA program and ensure that all employees and the Board of Directors receive adequate ongoing training.

Training

The training provided to employees should be specific to their jobs and include your financial institution’s policies and procedures. The training should cover types of suspicious activities and how to report this activity. Training could be performed online but should also include in-person training. Conclusion Your BSA/AML program should continuously be reviewed and revised as products, services, employees, and laws and regulations change. Make time to ensure that what is in place is appropriate and ensure employees are apprised of any changes.