  10 Ways to Prepare for Your Next BSA Exam
Kathlyn L. Farrell, CRCM, CAMS

The specter of an approaching Bank Secrecy Act (BSA) examination is enough to make a BSA officer think of changing careers. Stories of BSA/anti-money laundering (AML) civil money penalties and enforcement actions are now legend in the banking community, and every year they continue to occur, both in large and small institutions. While BSA compliance will continue to represent a high level of risk for most institutions, with effective compliance programs the risk is manageable. One good method for managing BSA/AML compliance risk is to check areas in the bank that are ripe for common violations before the exam begins. In discussions with clients and regulators, we have noted some BSA requirements in which banks are often cited as deficient. Many of these requirements are fairly easy to implement but can slip through the cracks if not monitored throughout the year. In some cases the bank may be fulfilling the requirements but not documenting them. It is always wise to do a quick check-up before the BSA exam draws near.

Usually a bank is informed by its regulatory agency a few months in advance that it will have a BSA examination. The examination request list arrives four to six weeks prior to the exam date. The following are 10 things a BSA officer should do after learning that his or her bank will be having a BSA examination. In an ideal situation, the BSA officer should review these items at least 90 days prior to the exam date. If any corrections or changes are needed, they can be implemented quickly. Checking up and making corrections in these areas will help ensure that the foundation of the bank's BSA compliance program is sound when the examiners review it.

1. Update Your Risk Assessments

By now most institutions have written BSA/AML risk assessments. (If you don't, writing one should be your first step; see the Federal Financial Institutions Examination Council's (FFIEC) BSA/AML Examination Manual, 7/06.) Risk assessments must be reviewed, updated, and approved at least annually by the board of directors. The BSA officer should check to see whether the risk assessment is or will be updated by the time of the BSA exam. The risk assessment should cover all new products and services that have been added since the previous update and cover all lines of business. For example, if the bank has added a product, such as remote deposit services or foreign correspondent banking, it should be addressed in the risk assessment. Has the bank added any locations? If so, is its customer base the same? Is the new location located in a high-risk area? These questions should be considered because the customer base is an important element of the BSA risk assessment. Check the designations of the high-risk areas themselves, High Intensity Money Laundering and Related Financial Crime Areas (HIFCAs) and High Intensity Drug Trafficking Areas (HIDTAs), because these are also subject to change. In addition, the bank should review its customer identification program (CIP) risk assessment and Office of Foreign Assets Control (OFAC) risk assessment. These may be included within the BSA risk assessment but should also be addressed separately, as these types of risk differ from each other. All risk assessments should be updated annually and have a mechanism for board approval.

2. Check the BSA-Related Policies

All BSA-related policies (BSA, CIP, OFAC, suspicious activity reports (SARs), etc.) should be reviewed and approved annually by the board of directors. The BSA officer should review the last approval date to ensure that these policies will be up to date by the time of the exam. Policies should address all high-risk areas. The BSA officer should review the policies to ensure that they cover all new products and services and changes to lines of business since the date of the previous revision. The policy should also address continuity in the bank's BSA staffing. If the BSA officer is the only one familiar with the law, the bank has a problem. The policy should state how continuity is maintained. BSA policies should specifically address the four pillars of the legal requirements for a BSA program; in other words, these should be listed in the policy itself with an affirmative statement that the bank will fulfill these requirements. The required pillars include the following:

• a system of internal controls
• BSA training
• independent BSA testing
• the appointment of a specially designated person to be responsible for BSA compliance

    To make it easier for an examiner or auditor to locate, we recommend that these four pillars be highlighted in the policy in some fashion.

3. Review BSA Training Records

A frequently cited BSA deficiency is the lack of comprehensive training documentation for all applicable areas of the institution. BSA, CIP, suspicious activity reporting, and OFAC training should be documented for all affected employees. Not only must the training session be noted, but its content should also be included in the file for the examiners to review. All outlines, handouts, and brochures that describe the training itself should be maintained in the file. The bank should remember to train not only on the generic requirements of the regulation but also on the bank's own policies and procedures. It is a good idea for the bank's board of directors to receive annual BSA/AML training. If the board hasn't conducted such a review, now is a good time to schedule a session.

4. Check the Scope of the Last Independent Audit

A common BSA error is the lack of a full-scope independent audit. The BSA officer should review the most recent audit and determine whether:

• it covers the key elements of the bank's BSA program, including all of the bank's business lines (for example, make sure it covers the lending and trust areas)
• the audit was independent and performed by a qualified person (make sure the bank has the credentials of the auditors in writing)
• sufficient transactional testing was undertaken (make sure the audit included documentation of the transactions that were tested, including a list or description of the samples and a description of the populations from which they were drawn)
• audits were conducted with sufficient frequency (every 12 to 18 months)
• all audits were reported to the board or a committee of the board
• documented responses were made to the audit findings
• all deficiencies were corrected or were at least addressed

    A review of the major headings in the FFIEC BSA/AML manual is a quick way to establish whether the audit touched all required areas. A bank might have enough time to squeeze in an audit prior to an exam. This might be the best approach because deficiencies will be brought to light and the bank can begin to address them. If there is not enough time to perform an audit, the bank should engage a qualified firm to perform one and have an engagement letter or agreement available to present to examiners.

5. Check the Bank's OFAC Program

OFAC compliance within the bank can be a source of different types of deficiencies. The BSA officer should check to see that transactions are checked against all appropriate lists on a risk basis. Following are some of the easier types of transactions to overlook:

• the other end of a wire transfer (the one not involving the bank's customer)
• the payee on bank-issued cashier's checks
• the payee of on-us checks cashed in bank lobbies
• expense check payees
• loan guarantors without another bank relationship
• safe deposit box customers
• the bank's own employees

Some of these transactions may be so small that the bank reasonably decides to not perform OFAC checks on them. The bank may perform a risk assessment and decide to implement a policy whereby it will not check OFAC lists on small checks cashed in the bank's lobby. This type of policy and the risk assessment behind it should be documented in writing. Also, the bank should make sure that its OFAC software checks all appropriate lists, such as the PLC (Palestinian Legislative Council) list, not just the OFAC Specially Designated Nationals (SDN) list. In addition, the bank should make sure that the most current list is being used. Documentation of OFAC checks is important as well. Not only should the bank's policies and procedures specify the various OFAC responsibilities, but each type of check should be documented in some way, such as noting the check on the bank's copy of the cashier's check or maintaining logs of checks of the bank's database. Documentation is equally important for indicating how the bank disposes of false positives. This process should be formalized in writing, including how it is documented.

6. Determine That the CIP Policy Is Working in the Loan Department

Ensure that the bank is collecting complete CIP information on loan customers who have no other relationship with the bank. In many institutions the lending staff relies on the new accounts personnel to obtain CIP information. When the borrower has no other relationship with the bank, lenders are responsible for obtaining this information. The BSA officer should sample a few of the bank's recent loan files for such customers. In this review, the BSA officer should determine whether the bank obtained all required identity information, verified the information, and maintained records of the verification documents. For example, if the bank reviews driver's licenses or passports but does not copy the actual documents, does the bank record the document number and expiration date? Another CIP checkpoint should be a determination of whether the bank is following its own policies for obtaining new account information. If the bank's policies state that two forms of identification are required, are both forms being obtained on a regular basis, and are both being documented? A policy that is waived too often is not considered to be effective, and even though a policy requiring two forms of identification goes beyond the scope of the law, the bank will get criticized if it does not follow (and document) its own board-approved policy. If the bank relies on a third party for CIP review and verification (such as a car dealer from whom it purchases loans), the bank should have a written agreement with the third party that sets forth the requirements for customer identification.

7. Check to Ensure the Bank Has Adequate Documentation of Suspicious Activity Monitoring

Most banks monitor regularly for suspicious activity; i.e., transactions that look potentially suspicious are analyzed and researched. Because this area of BSA compliance has recently received the greatest amount of regulatory scrutiny, it should always be monitored, especially in light of an upcoming examination. There are a couple of deficiencies that should be checked. First, does the monitoring process cover all the necessary lines of business in the bank? Almost all banks will monitor cash activity, but suspicious activity monitoring should be more inclusive. Loan activity, wires, and trust transactions are just some of the parts of the bank that should be part of the suspicious activity monitoring process. If they are not a part of this process, formulate a procedure and start monitoring them. It is better than having an examiner note the deficiency. Second, in some cases the bank monitors but does not adequately document the suspicious activity monitoring process. If the bank has automated this process, the software may facilitate the documentation also. However, if the bank is using a manual system to monitor (reviewing daily reports and transactions), the documentation must also be maintained manually. Documentation, including memos, entries, reports, and copies of transactions, should be kept on all potentially suspicious activity, even when a SAR is not filed. This process can be made less paper-intensive by scanning documents into electronic files and logging the information into electronic spreadsheets. However, some form of documentation is necessary to show that the bank is routinely reviewing suspicious activity.

8. Check the 314a Information-Sharing Procedures

The BSA officer should check to make sure that all required records are being searched when the Financial Crimes Enforcement Network (FinCEN) 314a requests are received. Types of records that are easy to overlook are monetary instruments and wire transfers sent for noncustomers. Don't forget to review any separate databases that support lines of business in the bank. For example, the trust department might have its own customer database. One other likely 314a error is the failure to keep the records in a secure manner, either in a locked cabinet or drawer or in a password-protected electronic format. Some examiners prefer that the requests themselves be shredded. However, the searches, like all other parts of your BSA program, must be documented, by signing the 314a cover sheet or the pages themselves, or by using a log sheet if the bank's security procedures require the underlying request documentation to be destroyed.

9. Check Currency Transaction Report (CTR) Exemptions

A quick check of the bank's currency transaction report (CTR) exemption process can uncover errors that can be corrected before the exam. Check the following:

• Has the bank filed an exemption on all financial institutions it uses to purchase or sell currency? These require a one-time filing.
• Has the bank conducted and documented annual reviews of all non-listed businesses that have Phase II exemptions? Annual reviews should be documented to show that the person or entity still qualifies to be exempt (e.g., they have made a sufficient number of cash deposits, no suspicious activity was indicated, etc.). If the customer no longer qualifies, the bank must file a revocation of the exemption.
• Have all renewals of exempt customers been filed on a timely basis? If not, they should be filed as soon as possible.
• Is the exemption process adequately covered in the bank's BSA policy, including a designation of the person with the authority to grant exemptions?

10. High-Risk Customer Monitoring

Most institutions have identified their high-risk customers. These accounts should be monitored periodically for suspicious activity. Documentation of the monitoring process should be retained. The bank should maintain a schedule for high-risk customer monitoring. These accounts may be reviewed monthly, quarterly, or annually, depending upon their degree of risk. Once again, it is hard to get credit for what is not documented. Keep files, checklists, account statements, electronic records, or memos that document the monitoring process for these customers.

Conclusion

There is, of course, much more we could mention. For example, all employees hired since the last examination should have had BSA training and should acknowledge, in writing, their BSA responsibilities. Also, the last BSA exam report should be reviewed and any deficiencies should be re-checked to avoid repeat violations. Remember to refer to the FFIEC BSA/AML Examination Manual (7/06), as this is the standard for BSA compliance. (The manual can be downloaded from FFIEC.gov.)

Keep in mind, too, the cardinal rule for BSA: if it isn't documented, it didn't happen. Hopefully, if your BSA compliance program is comprehensive and strong in the essentials, just a quick check of the most vulnerable areas will prevent any inadvertent last-minute errors.

    About the Author: Kathlyn L. (Lyn) Farrell, CRCM, CAMS

Lyn is the Managing Director of Risk Management Services for Sheshunoff Management Services, an Austin, Texas-based bank consulting company. She is a licensed attorney with 30 years' experience in banking. She has been in-house counsel and compliance officer for small- and medium-size banks and is the author of the ABA's Reference Guide to Regulatory Compliance and the ABA's Law and Banking textbook.

    Reach her by e-mail at lfarrell@smslp.com or by telephone at (800) 477-1772.


