The spirit of the Bank Secrecy Act (BSA) is, first and foremost, to identify and report suspicious activity in order to prevent financial crimes that threaten the stability of our financial infrastructure and national security. Good documentation of BSA efforts is critical because:
- If the institution does not adequately quantify its volume of high-risk transactions and assigns a low risk rating, it is likely that monitoring efforts will not be comprehensive enough to uncover suspicious activity.
- If the customer’s occupation, or type of business, and anticipated activity are not documented at account opening, it is difficult to later determine whether the actual activity or source of income is as expected or suspicious.
- If periodic, enhanced due diligence efforts are not documented, changes in the business’s legal status and activity cannot be properly compared to its historical activity, which can result in suspicious activity being overlooked.
- If documentation from an investigation doesn’t support the conclusion that the activity is not suspicious, examiners may conclude that management overlooked the activity and they may deem the identification and reporting controls to be weak.
Let’s go back to the fundamentals and touch on a few hot spots that continue to result in examination recommendations.
The risk assessment is a crucial feature of the BSA Program because it effectively drives the depth and complexity of policies and procedures. Approaching the risk assessment with an appropriate methodology is key to supporting the institution’s risk tolerance as set forth by the Board of Directors or Audit Committee.
A documented risk methodology should be based on the institution’s specific risk categories, such as products, services, customers, entities, transactions, and geographic locations, coupled with an analysis of risk factors such as historical trends, staff turnover, and internal controls. Documentation of these criteria will allow an institution to assign appropriate risk levels. Use of a scoring methodology should be considered because it reduces subjectivity in the calculation of risk.
Without good documentation to support the risk ratings, examiners may be uncomfortable with management’s understanding of its overall risk profile and may choose to develop their own risk assessment.
Customer Due Diligence
Documentation of initial and ongoing customer due diligence, including a detailed account of the customer relationship, is imperative for the succession of information. Understanding the customer relationship is the first step in identifying activity that later deviates from the initial expectations. This includes the customer’s occupation (or other origin of income), anticipated transaction activity such as source of funds, and the frequency and types of transactions that will be passing through the account. Good documentation of customer due diligence will paint a clear picture of the customer, which can be used to assist the institution in assigning risk levels and identifying suspicious activity.
Enhanced Due Diligence
A higher-risk relationship should prompt more complex monitoring and documentation. While transaction monitoring is often the most accessible form of documentation, it should not be considered the sole measure when developing an understanding of the customer’s account activity or business operation.
At least annually (or more frequently as warranted by the various risk factors), the institution should update current business information such as state licensing and permits for business customers, and an online search should be conducted for any negative news that may heighten the risk of suspicious activity. In addition, the information originally obtained at account opening should be updated as necessary.
Transaction monitoring, either through anti-money laundering software or manual review of core system reports, is a necessary source of information; however, documentation should also include a detailed account of management’s understanding of the business operations, explanations for changes in account activity, and expectations for the coming period. In addition, consideration should be given to whether the changes in activity or identification of suspicious activity warrant an adjustment to risk profiles.
There is potential for debate when a suspicious activity report (SAR) is not filed and the institution lacks sufficient documentation to support that decision. Although the decision to file a SAR is inherently subjective, documentation to support that decision should include the relevant data that was collected as part of the investigation and a narrative of management’s reasons for deeming that the activity did not warrant the filing of a SAR. Would management want to rely on memory of facts and data from three months, six months, or even a year ago when trying to support the case with an examiner?
In addition, a suspicious activity alert generated by anti-money laundering (AML) software should be treated as “guilty until proven innocent.” When an alert is generated, remember that management specifically set rules and parameters to flag the activity as inherently suspicious based on the institution’s risk assessment. The burden is on the reviewer to fully support why the activity is not considered suspicious in each individual case. This must be documented clearly, rather than a cursory glance and a click of the “waive alert” button.
“If it’s not documented, it didn’t happen” is still the most common phrase heard within our industry. The fundamentals of BSA documentation boil down to clearly conveying management’s opinion of the matter and supporting it with the analyzed data. In all aspects of documentation, consider the following points:
- Who is the target audience? Can any individual reading it follow the train of thought?
- Could the information easily be interpreted by another in the event of someone’s absence?
- Is the opinion/conclusion of the activity and investigation, if applicable, clearly stated?
- What data should be retained to support the conclusion?
Although we’ve touched on the impact that documentation, or lack thereof, might have on examiners and the examination, it is important to keep in mind that the most important audience is anyone within the institution who needs the information to effectively identify and report suspicious activity. A well-developed risk assessment supported by comprehensive policies and procedures, appropriate training, strong controls and, of course, robust documentation is fundamental to an effective suspicious activity monitoring program.