Preparing for a Bank Secrecy Act - Anti-Money Laundering Examination
December 19, 2014
As the regulators continue to turn up the heat on financial institutions over the Bank Secrecy Act (“BSA”) and Anti-Money Laundering (“AML”), there are now discussions of making individuals (compliance officers) responsible for system lapses. Numerous cases are being brought by SEC/FINRA enforcement naming AML compliance personnel on a two-legged basis. This is especially so for questions regarding beneficial ownership, where AML personnel never knew who the true beneficial owner was because they didn’t go far enough back in un-layering the entities, and for the lack of a systemized process for routine surveillance of suspicious activity. It is becoming more and more evident that a robust and functioning BSA/AML program is a necessity in order to avoid fines and sanctions.
In most cases, an institution will receive advance notice (generally a few weeks) that it will be undergoing a BSA/AML examination. However, in an effort to help you be best prepared, listed below are a few areas to review now that will likely be important during your next BSA/AML examination:
- Knowledge of Your Customers.
- Enhanced due diligence is essential for financial entities doing business worldwide today. A robust Customer Identification Program/Customer Due Diligence/Enhanced Due Diligence (“CIP/CDD/EDD”) is a must. Review new account documentation to verify that the minimum amount of required client information (name, date of birth, government identification number and address) is being obtained and properly reviewed. For instances where a third party provides CIP review and verification, be sure to have on hand a written agreement that outlines the requirements for client identification performed by the third party. For non-resident aliens, a copy of the alien identification card should be reviewed and passport information (number, issuing country, etc.) should be noted.
- An Office of Foreign Assets Control (“OFAC”) policy is a necessary part of an overall customer identification program. New and existing customers are to be checked not only against the OFAC Specially Designated Nationals (SDN) list but also, depending upon where business is being done, against other lists such as Her Majesty’s Treasury List (“HMTL”) or the European Union List. For further information, refer to the FFIEC Bank Secrecy Act Anti-Money Laundering Examination Manual (http://www.ffiec.gov/bsa_aml_infobase/default.htm). Wire transactions should be reviewed on both ends. Employee transactions should be reviewed. Small amount transactions should not be overlooked as they can provide evidence of much larger issues. The overall process should be documented and provide specific guidelines for review.
- Clients should also be reviewed to identify those doing business in high-risk geographical locations (High-Intensity Money Laundering and Related Financial Crime Areas (“HIFCA”) and High-Intensity Drug Trafficking Areas (“HIDTA”)) or in high-risk businesses (casinos, money servicing businesses, art dealers, jewelry merchants).
- AML Risk Assessment. Consider the following when evaluating the adequacy of your AML Risk Assessment.
- Was it recently completed/does it need to be updated?
- Was it reviewed and signed off by the board of directors?
- Does it cover any new products offered by the institution?
- Has the customer base been expanded – does it include any high-risk areas?
- Does it include a review of customer identification program (“CIP”) risk and Office of Foreign Assets Control (“OFAC”) risk?
- BSA/AML Related Policies. In general, at least the following four elements should be in place for a satisfactory BSA/AML examination:
- a system of BSA/AML internal controls,
- BSA/AML training,
- independent BSA/AML testing, and
- the appointment of a designated BSA/AML compliance officer.
All policies related to the BSA should be reviewed and approved annually by the board of directors. Those policies must include BSA, CIP, OFAC, suspicious activity reporting (“SAR”) and training requirements among others. These policies should be reviewed by the BSA/AML officer to verify that they include all new products and that they are up-to-date. Comprehensive annual training is required for all staff, including the board of directors. All training materials and attendance records must be made available at the request of the examiners. All employees hired subsequent to the previous examination must receive BSA/AML training.
Adequate documentation should be available to support all SARs. If utilizing an automated process, the system may provide the supporting documentation. If a manual process is being used, documentation (such as daily reports, memos, transaction copies) related to the SAR (whether filed or not) should be kept on hand to show that suspicious activity is being identified and researched.
Banks and financial institutions that accept currency should have Currency Transaction Report (“CTR”) related policies and controls. The BSA/AML compliance officer should review CTRs filed and CTR control exception reports in an effort to expose any errors that can be corrected prior to an examination. Reporting exemptions from CTRs should be reviewed for cash-intensive businesses (grocery stores, bodegas, gas stations, etc.) to confirm eligibility and annual reviews of the exemptions.
- Annual Independent Testing. Several key questions need to be asked in this area.
- Was the annual independent testing performed by a qualified, independent team and were qualifications verified?
- Did the independent testing cover all of the institution’s business lines?
- Was transactional testing completed and sufficiently broad in scope?
- Was previous testing completed in a timely manner and with appropriate frequency?
A review of the FFIEC Bank Secrecy Act Anti-Money Laundering Examination Manual can help you confirm if all areas required to be tested were included. A review of testing scope, working papers, and related documentation will bring to light potentially confusing information that could lead to avoidable examination findings.
- 314a/b Information Sharing Process. The BSA/AML compliance officer should routinely review and document receipt of and responses to all FinCEN 314a requests for information. Records should be kept in a separate, secured file to limit access. 314a coversheets should be signed off to indicate that they have been reviewed with responses. Before BSA/AML examiners review such records, another check should be performed to remove potentially misleading information or omissions. Records supporting 314b information sharing arrangements should be confirmed for completeness as well.
In all things BSA/AML related, regulators will take the position that if it’s not documented, it didn’t happen. Complete and easily understood documentation of controls is one of the best ways to avoid AML examination findings and potential fines and sanctions. So even if one can say they performed a test, if there is nothing to evidence the assertion, testing and examination teams will conclude it was not done. The FFIEC BSA/AML Manual (http://www.ffiec.gov/bsa_aml_infobase/default.htm) is a great reference for what to expect during a BSA/AML examination. A last-minute check of vulnerable areas can help prevent many potential examination questions and concerns.