Skip to content
 

Managing BSA: Essential Program Elements

One of the best sessions at ABA's National Regulatory Conference was presented by John Atkinson, with the Federal Reserve Bank of Atlanta and Pam Johnson, Director with Deutsche Bank Trust Company. The session, titled "AML - Enhanced Due Diligence Monitoring: How to Develop and Manage an AML Program" covered the basics and also included some sage advice.

The program started with the basic program elements of a sound anti-money laundering program. While familiar to most experienced compliance managers, it never hurts to do a quick review. In addition to discussing the basic elements, the speakers put their own special spins on the program elements and shared recommendations with the audience.

It should be no surprise that AML program elements include:

  • Board Approval
  • A Written Program
  • Designation of an Accountable Officer
  • Training
  • An Independent review or audit, and
  • A System of Internal Controls.

Having the essential elements is one thing. Getting them right is another. That takes the advice of experts.

The Board
First, your board must approve your program. This actually means a little more than appears. Your board should do more than simply approve the program. The board should understand the program, agree with the goals, be aware of the steps you must take to carry out the program, have some idea of how bank staff is involved, and be aware of anti-money laundering issues and understand how they present risk to the institution.

Accountability
Second, no program works unless there is accountability. Ultimately, accountability depends on the board. Either the board imposes accountability or the program will have weaknesses. Motivating the board and those accountable should not be too difficult. As Pam Johnson pointed out, the bottom line is "if you get a $25 million penalty, the bonus pool gets pretty thin."

Accountability means much more than holding the BSA officer accountable. All staff in the bank must have clear accountabilities and responsibilities. A successful program involves much of the institution, not simply one person. Other program elements, such as training and procedures, support this broad sharing of accountabilities throughout the institution.

Independence
As with compliance, the positioning of the anti-money laundering program is important. Many institutions combine compliance with BSA while others manage BSA separately from compliance. Either approach is acceptable as long as there is the key element of having an independent reporting structure.

Lead responsibility for the anti-money laundering program, as for the compliance program, should not be placed in business lines where managers of the business lines must choose between goals that often conflict. Accountability should sit in the business line, but the business line should not be put in the position of choosing priorities for sales goals and for
compliance.

This independence of compliance is a growing trend, even in smaller institutions. Examiners are increasingly seeing an independent reporting system for compliance, much like that for audit. This avoids conflicts between business lines and compliance.

Authority
With any program, someone has to be in charge. The person in charge must also have the authority to execute the program. Thus, an effective program must have designated oversight responsibility with proper authority.

While every organization differs, there is a simple test for the anti-money laundering manager: does he or she have sufficient authority to make and drive changes in the organization?

No program is effective without senior level support. Senior management as well as the board are key. The management team establishes the organization's culture which hopefully is one of integrity and compliance.

The program also relies on clear identification of individual employee responsibility. Ideally, the responsibilities and accountabilities are designed to minimize conflicts with business goals. Look at structure of incentives, bonuses and performance measurements to be sure there isn't a built-in conflict.

Johnson advised that you use opportunities to brief management whenever they occur. For example, she suggests using the required SAR reporting to the Board as an opportunity to flag problems and changes. In short, insert a quick briefing.

Training
No compliance program is complete without training. In fact, no compliance program can even function without training. Staff needs instruction on what to do and how to do it. Both Atkinson and Johnson stressed that all staff should be trained and directors also.

In the case of BSA, training must be periodic. Training should also include the latest developments. This helps staff to understand what to look for and why they are looking. Using current events also makes the subject more interesting and more real.

If necessary and/or if possible, design and present training that is tailored by function. The best training relates to the job the learner must do. In selecting and presenting training, it is critical to look at competency. This, after all, is the fundamental purpose for training.

Finally, remember to document the training. Documentation includes the date, a list of trainees, materials used to train, and copies or records of any tests administered.

Independent Audit
The most common program weakness that examiners find is the lack of an independent audit or review. Too often the audit is not independent. On occasion, the institution simply fails to conduct an audit at all. This independent audit is an annual responsibility.

Risk of money laundering and related crimes exists within the institution as well as without. An independent audit is key to evaluate the effectiveness of the program as well as to identify any problems within the organization. To accomplish this, the audit must be independent from business lines and from compliance responsibility. A self assessment by compliance is not independent.

In addition to independence, the annual BSA audit must have a full scope and not take an abbreviated approach. Examiners see too many annual BSA audits that don't do a thorough review of the program. The independent audit must include a thorough top-to-bottom review of the program and how it works. This means doing much more than looking at policies to see if they match legal requirements. This means reviewing specific work that has been done and evaluating its effectiveness.

The independent audit should include five key elements. It should verify compliance with the institution's policies, verify that the institution's policies and procedures are consistent with and sufficient to comply with regulations, verify the integrity of automated systems, and test transactions. Finally, the independent review is not complete until management has reviewed the findings, developed a response and taken corrective actions.

Internal controls
If each program element was a bucket, the biggest bucket would be internal controls. Controls ensure that things happen as intended. Without controls, most systems fall apart.

As with the policies, controls should be based on a risk focused approach. Each institution faces unique risks based on its market, its size, its business lines and its resources. Controls should respond to the level and nature of risk the institution faces.

The first level of control is to have written policies and procedures. As basic as this seems, it provides the guidance that all staff needs. Atkinson stressed that good procedures should answer employees' questions. They should be a comprehensive resource document.

Johnson said that she often sees weaknesses in documentation. Many banks do good things but fail to write them down. She reminded the audience that examiners need proof. A written record constitutes proof. As an example, both speakers recommended that the institution document any decision not to file a SAR. The documentation demonstrates process. While this is not a requirement, it is a good practice and it also demonstrates the effectiveness of compliance.

The written program should specifically address CIP. It is a regulatory requirement that the CIP be included in the BSA policy and program. This must include written standards for customer identification.

CIP, however, is only the beginning. CIP did not extinguish and replace KYC; it is a new and additional requirement. As Johnson put it, "CIP is the first part of KYC." CIP is the method of establishing the customer's identity before going forward. In contrast, Know Your Customer is ongoing.

Another control is effective monitoring for detecting suspicious activities. Everyone who may encounter or discover a suspicious activity should be included in the procedures, should have clear responsibility, and should have adequate training. Procedures should also specify the information reporting and gathering process. Any individual within the organization that spots something suspicious must know whom to notify about the activity. The entire process should then be monitored and reviewed.

Make sure that your anti-money laundering program addresses OFAC. It simply doesn't make sense to deal with OFAC requirements as a separate process. Both OFAC and 314(a) procedures are closely related to each other and to the rest of the BSA compliance program.

Finally, controls should include compliance self assessments. This is not a substitute for the independent audit. It is more like having regular check-ups than the more thorough independent audit. But self-assessments are important in identifying weaknesses as they develop and changes as they occur.

Making a good program better
Atkinson and Johnson wrapped up their session with suggestions on how to make a good program better. First, place your emphasis on managing risk. Just as the guidance says, your program should be based on risk. As risk changes, so should your program.

Second, stay up to date. Developments in anti-money laundering and OFAC happen at high speed. You cannot rely on last year's knowledge.

Third, don't let your program be static. Maintain an ongoing evaluation of risk and make program changes as needed.

Fourth, maintain program consistency across your organization. Anti-money laundering should be everyone's priority. If your program is effective, you will have good, consistent performance across the organization. If that doesn't happen, you should go back to the starting point with policies, procedures, and training.

Finally, preventing terrorism and stopping money laundering is a team effort. The process works best when you maintain a good relationship with law enforcement and your regulators.

ACTION STEPS

  • Review your BSA policy and program to be sure that it addresses all legal requirements.
  • Review your CIP program to see how it is working. Now is a good time to make any adjustments.
  • Review the training calendar for BSA. Check who was trained and how recently. Then schedule refresher training.
  • Review your procedures to evaluate whether they provide sufficiently specific guidance on identifying and reporting suspicious activities.
  • Compare BSA responsibilities and accountabilities to business goals. Look for conflicts and consider ways to minimize the conflict.

Copyright © 2004 Compliance Action. Originally appeared in Compliance Action, Vol. 9, No. 8, 8/04

First published on 08/01/2004

Filed under: 
Compliance
Filed under compliance as: 
Anti-Money Laundering
Audit
Bonuses
CIP
Directors
Due Diligence
Employee
Federal Reserve
Internal Controls
IT
Know Your Customer
Management
Money Laundering
OFAC
Policies
Reporting
SAR
Suspicious Activity

Report a problem with this page

Search Topics