Evaluate Your BSA/AML Program -- Before Your Exam
By BOL Guru John Burnett
One of the most important things a bank can do to avoid a severe case of post-exam woes is to do a self-evaluation of its BSA/AML program. Any bank can use readily-available regulatory information to fashion an introspective probe of its program, identify possible weaknesses, and institute changes well before that inevitable message arrives announcing your impending exam.
Recent research into the "state of the BSA/AML exam" tells me that the FDIC's October 17, 2003, Financial Institution Letter (FIL-79-2003) continues to be the only "published standard" for AML/BSA examination procedures, as federal regulators and their constituencies continue to struggle with the development of enhanced exam processes in the wake of the USA PATRIOT Act. As this article is being written, the OCC has not yet published its updated exam procedures, although rumor has it that we might see them this spring. For now, the FDIC's procedures seem to be the de facto standard.
I recently looked back at the FDIC FIL to see whether it still seemed viable as a guide for bankers (some "standards" aren't). I wasn't disappointed, since there continues to be a great deal of help there for anyone interested. I suspect that any updated exam guidance from other regulators will include some differences in
Included with the FDIC's FIL were a copy of the FDIC's basic BSA/AML exam procedures, and samples of the two "BSA Request Lists" to be given to financial institutions under its jurisdiction in preparation for those exams. The exam procedures themselves provide a substantial framework for a bank's self-assessment of its BSA/AML programs. But the Request Lists struck me as a concise "roadmap" or checklist that a bank might use to better understand its responsibilities as the exam procedures evolve.
Each of the FDIC's Request Lists is reproduced below (without the introductory paragraph) in the form of a bulleted list, followed by some guidance on the significance of each of the requested items in a bank's AML/BSA compliance program.
Pre-examination (offsite) BSA Request List
- Name and title of individual(s) responsible for monitoring Bank Secrecy Act/anti-money laundering (AML) activities and handling Section 314(a) information requests.
What is the relationship between these individuals and bank management? Is it a close working arrangement that fosters compliance with the AML rules? Do these individuals have sufficient authority (real and perceived) and influence in your organization?
- Copy of management's AML risk assessment of all major business lines, products, and services.
Have you completed your assessment? Have you looked at risk as a product of volume, complexity, regulation, staff turnover, and regulator focus? Have you looked at more than simply cash transactions? Have you analyzed each of the bank's lines of business to determine how it might be abused by money launderers?
- Completed BSA Officer's Questionnaire.
There's no use in engaging in "puffery" in your questionnaire. As has often been said, "The truth will out." Be certain that you respond to the questionnaire accurately.
- Copy of most recent Board approved BSA/AML policy and procedures.
When did your Board last review your policy and procedures? Does the Board support the bank's AML efforts? Are board members committed to providing the staffing and other assets needed to implement what they've agreed to as policy? Does your policy reflect the current regulatory environment, or is it dated? There's nothing in the rules that requires you to review policy annually, but with the pace of change, BSA/AML policies really need to be kept current, and an annual review seems to have become the de facto standard.
- Copy of most recent Board approved Customer Identification Program.
Your bank probably adopted a policy for its CIP in the fall of 2003. You've operated under it for a little over a year now. What needs to be changed? What in the policy is being ignored by your staff? What's the disconnect, if any, between the policy and what's happening "on the front lines"? If your policy needs revision, put a team on it and get it revised. You can be cited if what you're actually doing conforms to the regulation but not to your policy.
- Copy of policy and procedures relating to Office of Foreign Asset Control (OFAC) sanctions.
Here's another place where policy vs. practice can haunt you. If your policy or procedures call for verification of parties to a given transaction, is your staff conforming? Do they understand the risks involved in allowing a transaction with an OFAC-listed party? Have you reviewed the bank's transaction set to update the list of instances in which OFAC-checking is appropriate? If you have multiple customer databases, are they all being "scrubbed" against each update to the OFAC lists? If your bank rarely, if ever, has a verified OFAC "hit," your procedures for handling one might need to be "dusted off" and reviewed.
- Copy of policy and procedures relating to Suspicious Activity Report (SAR) reporting and monitoring requirements.
Have you reviewed how your bank handles SAR responsibilities? Do all departments understand their roles in forwarding suspicions for centralized consideration and filing? Have you shared the lessons in the AmSouth documents, particularly those about reporting illegal or suspect actions even when the bank is not affected?
- Copy of procedures/program to comply with the USA PATRIOT Act Section 314(a) information requests.
Have you updated your procedures to incorporate the new Web-based process to be implemented in March 2005? You need to assign someone the responsibility of pulling down the lists; they won't come to your bank via e-mail any longer. Establish controls to ensure that the process is completed on a timely basis.
- Copy of most recent independent audit results for BSA/AML/OFAC compliance (internal and/or external sources), including management's responses.
Have you reviewed the most recent audit to determine whether, in your opinion, your bank is getting a thorough job?
- Copy of latest listing of accounts without taxpayer identification numbers (TINs).
Don't forget that, even though the rules on new accounts changed in October 2003 with the effective date of the CIP regulations, the old rules still apply to accounts opened earlier. You must be able to produce a list of all deposit accounts for which you have not obtained the TIN of at least one owner.
Examination (On Site) BSA Request List
- Copy of BSA/AML/OFAC training schedule with dates, attendees, and topics.
How good are your training records? Are they maintained by the Compliance Officer or by Human Resources? Are meetings at which these topics are discussed documented as part of these records? What about any computer or Web-based training in this area? When did you last review reports to determine whether there are employees who require initial or additional training? Have you included CIP as part of your training requirements and scheduling?
- Designation of Exempt Person Forms for current exemptions.
Consider this a reminder that you need to retain a copy of all DEP filings. Review your file. Contact FinCEN for copies of any that are missing. Include copies of recertifications when they are filed.
- Exemption files containing documentation supporting exemptions (cash history, etc.).
Don't forget to document your annual review of Phase I exemptions to verify they are still valid.
- Bank-specific correspondence received from the Treasury (Financial Crimes Enforcement Network, Detroit Computing Center, Office of Foreign Asset Control, etc.) since the previous BSA examination.
If you file CTRs electronically, don't forget that you may be receiving electronic responses from Detroit following up on exceptions (such as mismatched TINs). Include copies of any responses you've made to these communications.
- File of correspondence requesting taxpayer identification numbers (TINs).
Keep information on file about any computerized mailings of Forms W-9 to customers without TINs. Be able to document that such mailings were made. This effort can not only prove positive at exam time, but also mitigate any IRS penalties for filing year-end information returns with missing or incorrect TINs.
- Log or other method used to retain required information on the purchase of monetary instruments for cash in amounts of $3,000 to $10,000.
Remember that the regulation allows you to record just the depositor's account number if you have previously obtained and recorded ID information about that customer. But if you make a sale to a customer with an older account, your records may not be adequate to provide identification information. Consider bringing your records current. Also remember that the "customer/non-customer" status is based on the individual making the purchase, even if it's being made on behalf of a business with an account at your bank.
- Training file (for example, materials used for training since the previous BSA examination).
You should review this material regularly to ensure it's current. Include information that has been distributed to inform bank employees of BSA/AML/OFAC/CIP requirements. For instance, if you have shared the details of any other bank's public settlement documents (such as those made public in the Riggs or AmSouth cases) as "object lessons" for your staff, include information about what you shared and how.
- Record retention schedule and procedural guidelines.
You should have this information in written (paper or electronic) form. Document how and why you do things. Make certain there is documentation about what is retained and where. Remember the standard caveat: "If it isn't documented, it didn't happen." Don't forget to include procedures for protecting confidential customer information as files are culled.
- File of Forms 4789 Currency Transaction Reports (CTRs).
Whether you file paper or electronic CTRs, your bank must keep a record. Don't forget that the retention period for all BSA-related documents is five years.
- File of Forms 4790 Report of International Transportation of Currency or Monetary Instruments (CMIR).
Many banks have never filed these forms and never will. If your bank has done so, know where the file is.
- File of Forms 90-22.1 for interest in foreign bank accounts.
This requires coordination with your treasury or accounting function.
- File of SARs.
Each file should have a copy of the SAR and any follow-up SARs, and of all of the reports or other documents used in the bank's research of the activity described in the reports. You should also have a file of any activity that the bank investigated and on which the bank determined not to file a SAR, including the rationale behind that decision.
- Logs reflecting cash shipped to and received from the Federal Reserve Bank, correspondent banks, or between branches for the previous six months.
You should be able to review this activity to identify any unexplained changes in shipment patterns. If one of your offices has an increase in shipments (in or out), particularly of large denominations, is there related customer activity that warrants that change? Does that point out a need to investigate the reasons behind the customer's behavior? This sort of analysis presumes you have historic data on which to build a model.
- Correspondence file with federal law enforcement authorities concerning disposition of accounts reported for suspicious activity.
Particularly if your bank was asked to keep an account open to enhance law enforcement's ability to pursue a case, you should keep copies of all such correspondence, since maintaining the accounts might otherwise reflect negatively upon the bank.
- Reports used by the bank to detect suspicious transactions, such as the suspected kiting report, demand deposit activity report, large cash transaction report, currency aggregation report, and a report of loans secured by cash collateral.
This is an interesting list of reports. Is there someone in your bank reviewing them daily for suspicious activity? Each of these reports can provide warning signs of money laundering, if not plain-vanilla check kiting (also a SAR-reportable activity). Does the bank know how to read the clues in these reports?
If the bank uses automated or manual procedures to identify anomalous transactions, be ready to explain these processes. Be prepared to demonstrate how "flags" are cleared or referred for review and potential SAR filing.
- Logs or other method reflecting incoming and outgoing wire transfers.
Money laundering and terrorist financing don't always involve cash. Wire transfers are extremely effective at moving large amounts of money, and such transfers have often been involved in AML investigations. To be most effective, your wire records should be in a form that your bank can manipulate to detect patterns and trends. For example, you should be able to detect customer activity involving the crediting of substantial amounts, either by deposit or by wire transfer, followed closely by wire transfers out of the bank, and then determine whether such patterns are justified by the business or customer involved.
- Description of the types and volume of wire transfer activities conducted by the bank. Include methods of payment accepted for such transfers and also acceptable remitters (for example, accountholders versus non-accountholders).
See the discussion of the previous item.
- Listing of all payable through demand deposit relationships with foreign financial institutions.
- If applicable, contract/agreement with foreign financial institutions that have payable through accounts.
- If applicable, policies concerning payable through accounts (may be in BSA Policy).
For these three items, refresh your knowledge of 31 CFR 103.175, 103.177, and 103.185.
- If applicable, policies and procedures for private banking accounts.
The thrust here is to ensure that the bank's private banking customers who are non-U.S. persons are identified and that their activities are subjected to enhanced AML scrutiny commensurate with the nature of the relationship, in accordance with Section 312 of the USA PATRIOT Act.
- A description of the types of transactions received via "pouch" (for example, common courier or messenger) from abroad and the bank's process for monitoring such activity.
- Logs used to identify transactions received via "pouch."
"Pouch" delivery is a reference to diplomatic documents that were carried in pouches by diplomatic couriers. By longstanding tradition and treaties, diplomatic couriers and their pouches were immune from search and seizure. In the banking context, the term refers to transactions delivered outside of conventional channels. Does your bank have any such deliveries? If so, do you document your procedures to avoid missing key AML reporting or review requirements?
- If applicable, documentation to evidence compliance with 31 CFR Section 103.177 and 103.185 (for foreign correspondent accounts).
See the comment above relative to payable through accounts.
- A listing of all loans secured by cash collateral which have defaulted since the previous BSA examination, including those charged off.
The use of cash collateral loans is one method used by money launderers to avoid detection. The illicit cash is deposited, perhaps through a series of structured transactions, and pledged as collateral for a loan. The borrower takes the loan proceeds, which the bank pays out as ordinary funds, then defaults and leaves the collateral with the bank. The launderer has effectively laundered the illicit cash.
- Contracts with financial institutions and with third parties that perform all or any part of the bank's Customer Identification Program (CIP).
Consider this item a reminder that, if you are using a third party to perform any of your bank's CIP responsibilities, you need to contractually bind that party to compliance with your CIP policy and procedures.
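The wire transfer item above describes the "money in, wire out" pattern a bank's records should let it detect, and the reports item asks how flags are cleared or referred. As an added illustration (this is not code from the article or from the FDIC), the following Python script runs that pass-through check over a handful of constructed transaction records. The threshold amount, look-back window and in/out ratio are assumptions chosen for the illustration, not figures from any regulation, and the account numbers and counterparty names are made up. The check also aggregates several smaller credits in the window, so a series of structured deposits followed by a single outbound wire is caught as well as one large credit.

```python
"""Added example: flag accounts where substantial credits are followed
closely by outgoing wires (the pattern the article tells banks to look for).

All records, thresholds and names below are constructed for illustration."""
from collections import defaultdict
from datetime import date, timedelta
from typing import List, NamedTuple


class Txn(NamedTuple):
    account: str
    when: date
    kind: str            # "cash_deposit", "wire_in" or "wire_out"
    amount: float
    counterparty: str


class Alert(NamedTuple):
    account: str
    wire_out: Txn
    credits: List[Txn]   # credits that landed inside the look-back window
    credit_total: float


# Constructed sample ledger (hypothetical accounts and counterparties).
SAMPLE_TXNS = [
    # two sub-$10,000 cash deposits, then nearly all of it wired abroad
    Txn("ACC-100", date(2005, 3, 1), "cash_deposit", 9_500.0, "branch 12"),
    Txn("ACC-100", date(2005, 3, 2), "cash_deposit", 9_800.0, "branch 12"),
    Txn("ACC-100", date(2005, 3, 3), "wire_out", 19_000.0, "Overseas Trading Ltd"),
    # funding wire and payroll wire two weeks apart: ordinary business timing
    Txn("ACC-200", date(2005, 3, 1), "wire_in", 50_000.0, "Parent Co"),
    Txn("ACC-200", date(2005, 3, 15), "wire_out", 48_000.0, "Payroll Processor"),
    # large credit, but only a small part leaves
    Txn("ACC-300", date(2005, 3, 5), "wire_in", 25_000.0, "Customer A"),
    Txn("ACC-300", date(2005, 3, 6), "wire_out", 5_000.0, "Supplier B"),
    # quick in-and-out, but far below the amount worth looking at
    Txn("ACC-400", date(2005, 3, 7), "cash_deposit", 2_000.0, "branch 3"),
    Txn("ACC-400", date(2005, 3, 8), "wire_out", 2_000.0, "Relative"),
]

CREDIT_KINDS = {"cash_deposit", "wire_in"}


def find_pass_through(txns, min_credit=10_000.0, window_days=3, min_ratio=0.8):
    """For every outgoing wire, sum the credits to the same account in the
    preceding window_days. Flag it when those credits reach min_credit and
    the wire sends at least min_ratio of them back out. Parameters are
    assumptions to be tuned to the bank's own customer base."""
    by_account = defaultdict(list)
    for t in txns:
        by_account[t.account].append(t)

    alerts = []
    for account, rows in by_account.items():
        rows.sort(key=lambda t: t.when)
        for out in rows:
            if out.kind != "wire_out":
                continue
            earliest = out.when - timedelta(days=window_days)
            credits = [c for c in rows
                       if c.kind in CREDIT_KINDS and earliest <= c.when <= out.when]
            total = sum(c.amount for c in credits)
            if total >= min_credit and out.amount >= min_ratio * total:
                alerts.append(Alert(account, out, credits, total))
    return alerts


def summarize(alerts):
    """One line per alert, ready for the reviewer who must clear or refer it."""
    return [
        f"{a.account}: {a.credit_total:,.0f} credited in {len(a.credits)} item(s), "
        f"{a.wire_out.amount:,.0f} wired to {a.wire_out.counterparty} on {a.wire_out.when}"
        for a in alerts
    ]


if __name__ == "__main__":
    for line in summarize(find_pass_through(SAMPLE_TXNS)):
        print(line)
```

With the defaults only ACC-100 is flagged; widening the window to fourteen days also flags ACC-200's payroll wire, which is exactly the kind of hit that the customer's known business explains away. That is the point of the article's "justified based on the business or customer involved": the script produces leads, and the documented clearing or referral of each lead is what the examiner will ask to see.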
Copyright, 2005, Bankers Online. First published on BankersOnline.com xx/xx/xxxx.