BSA Exams: Lessons Learned by Experts

One of the most valuable sessions at ABA's National Regulatory Conference was a session on lessons learned in managing BSA examinations. The panel included examiners and bankers.

John Atkinson, AVP at the Atlanta Federal Reserve Bank, gave the pivotal weather report. "We raise the bar each time we come in." If you haven't had a BSA exam recently, this may be the most important bit of information. Atkinson stressed that BSA is a "dynamic area" and that it is marked with a great deal of risk.

Identifying Risk
The crux of managing a BSA program and surviving the exam is to effectively identify risk and then manage it. After September 11, we see risk differently. Much more is risky and we know that the stakes are very high. Failure in a BSA program faces the familiar penalties. But failure also risks the safety of our communities.

Atkinson recommends that the first step in building or revising a BSA program is to identify what, for your institution, is high risk. This very important step sets your goals and lays a foundation for all other analysis.

Mike Kelsey, Chief Compliance Officer with PNC Bank, pointed out that risk involves both customers and transactions. It is not enough to simply take steps to know the customer. A program should also analyze transactions.

Tom Fleming, BSA Specialist with the OCC, advised managers to look more broadly than the traditional new account and window transaction. He urged managers to look at their existing accounts as well as new accounts. Customers can migrate from low-risk to high-risk. The program should be alert to this and be able to identify the trend.

Due diligence, according to Atkinson, can be lacking when money comes in to the institution. However, those funds may ultimately be used for illegal purposes. Financial institutions, he says, do an excellent job with due diligence before letting money out of the bank - for example, loan underwriting - but these programs are less strong when it comes to letting money in.

The panel listed a number of indicators of risk including customers who move often, customers who use ATMs following unusual patterns, simultaneous transactions, and using cash and cash systems for structuring.

Ana Foster, Compliance Officer with Cambridge Trust Company in Cambridge, MA, said that they found everything to be high risk on their first run-through. They then sat down and prioritized all of the "high risks." It was necessary to make some practical decisions.

To evaluate the risk, look at the logic of the transaction. Then test that logic against the customer's profile. If it doesn't make sense, your alarms should be warming up if not actually going off.

Other risks include sleeper accounts (opened and left almost dormant for a long period of time before being put to use) and out-of-area accounts. These indicators should be included as part of your program.

Common Program Weaknesses
There can be a huge difference between a compliance program that dots "i"s and crosses "t"s and one that emphasizes process. Examiners are now looking for process. Too often, examiners find that the BSA program is not sufficiently empowered. The BSA program must have sufficient authority to have an impact on process within the institution. Atkinson stressed that all business units must work actively and cooperate fully with the BSA program.

Ana Foster advised that your program must have the active participation of deposit operations. Sooner or later, the money has to move and it is usually deposit operations that handles this transaction. They must understand the requirements and the issues. BSA team meetings are an excellent opportunity to get this information across. The success of the BSA program relies on deposit operations so their representation is critical.

Atkinson stressed the need for good documentation as a baseline when an account is opened. The institution should be able to look at each or any customer and evaluate their behavior against what was expected when the account was opened.

Reports, including CTRs, are no better than their content. Atkinson recommends that the institutions's audit actually verify information in the reports. An audit that merely confirms that the CTR is completed correctly on its face may not be enough.

The Role of SARs
Suspicious activity reporting applies to any and all activity in the institution. The SAR system should therefore cover the entire institution and all of its activities. The reporting system is actually dependent on the front line - those with customer contact and those who handle transactions. They are the first and best judge of whether something is suspicious. However, if they don't say or do something, the situation will go unreported.

All staff should be aware of the institution's obligation to report suspicious activity and to keep those reports confidential. Front line staff should be given a procedure for dealing with anything suspicious. The entire front line should have designated persons to whom they report any suspicious activity.

Keep training current and establish a system to funnel information about possible suspicious activities to a point where the responsibility to prepare a report resides.

SARs now comprise a vital part of the database used by law enforcement in the investigation of terrorism. One of the most serious weaknesses in SARs filed is the narrative section. Fleming stated that many narrative sections are incomplete and therefore not useful to law enforcement.

For example, a narrative section that says "see attached" is not going to be useful when entered into a database. The narrative section should briefly and concisely describe the suspicious activity.

Final Tips
Mike Kelsey is an advocate of using automated tools to manage the BSA program. The bigger the institution, the more important the tools become. But, he warns, be sure you can analyze the information you get. Any automated system should support the institution and its capability. Producing more information or analysis than you can use effectively can be dangerous. If you are shopping for an automated system, take this into account. Think very carefully about the reports and what you will do with them.

The terrorists used techniques to move funds that are basically similar to the activity of other criminal money laundering. Fleming suggests that if your management is concerned about terrorism, the anti-money laundering program and suspicious activity reporting should be the core of your program.

ACTION STEPS

Find a quiet corner and sit down and study your BSA program. Look for its strongest and weakest points.
Review the list of team members and consider whether all important areas are represented. If you don't have a team, get one going.
Be sure to include deposit operations. Meet separately with deposit operations staff to learn in detail what they do so that you are prepared on ways to involve them on the BSA team.
Schedule a BSA team meeting. Send out an agenda that identifies the risk areas mentioned in this article. Ask the team to come ready to discuss the way in which those transactions do or don't occur in their areas of responsibility.
Encourage front line staff to report to their managers whenever a situation or a customer strikes them as unusual or simply "fishy." This is the best way to identify new trends.
Establish an information funnel for identifying suspicious or "fishy" transactions at the front line and reporting the information up the line. Then be sure everyone knows what to do.