I have a question about 314a reviews and institution documentation and record retention practices.

I recently had an audit of my AML-BSA program and an exception was noted on confirming our research on 314a requests. My researcher keeps the tracking numbers of the names researched, but the names of individuals and the FinCEN 314a list are not kept - they are destroyed.

How is your institution providing evidence that 314a searches are conducted, when my understanding is you must destroy any printed copies of the 314a trnasmissions after research is completed?

Any advice or links to regulatory guidance on this is appreciated.

I attended a 2 day BSA seminar last month and this was discussed. The problem is there is no language that says to discard or not to discard the original 314(a)list. It is the Banks discretion as to how they handle the search. A few banks say that they keep a sign-off sheet with the tracking #'s on it and that was ok with the regulators. Others said that they keep a sign-off sheet from each department with one copy of the original 314(a) request and the regulators again were satisfied.

I think they have done a good job of describing the options that examiners should find "acceptable" in the revised examination procedures:

5. Review the financial institution’s internal controls and determine whether its documentation to evidence compliance with section 314(a) requests is adequate. This documentation could include, for example the following:
• Copies of section 314(a) requests.
• A log that records the tracking numbers and includes a sign-off column.
• Copies of the cover page of the requests, with a financial institution sign-off, that the records were checked, the date of the search and search results (e.g., positive/negative).
• For positive matches, copies of the form returned to FinCEN and the supporting documentation should be retained.

Although it is obviously permissible, I would discard the first option, keeping copies of the lists, for a variety of reasons.

There was an attorney with the Federal Reserve who stated during a BSA workshop from the Fed that, under no circumstances, are you to retain the list!

This was in direct contrast to what everyone else was saying at the time. The discussion on this topic went back and forth, and it turns out that FinCEN was appalled to find out that banks would be keeping copies of the list.

"Destroy the list after you have finished your search!" was what they said. The list is supposed to be as (or more) confidential than a Grand Jury Subpoena. The thought of multiple hard copies of the list sitting in file cabinet drawers of banks made FinCEN and law enforcement blanche.

I thought the issue had been settled, but the new exam manual seems to have muddled that point again.

Tweedle-dee and tweedle-dum......

The regulation states that "Each financial institution shall maintain adequate procedures to protect the security and confidentiality of requests from FinCEN for information under this section. The requirements of this paragraph (b)(2)(iv)(C) shall be deemed satisfied to the extent that a financial institution applies to such information procedures that the institution has established to satisfy the requirements of section 501 of the Gramm-Leach-Bliley Act (15 U.S.C. 6801), and applicable regulations issued thereunder, with regard to the protection of its customers' nonpublic personal information."

I cannot find anywhere where it states the lists must be destroyed, only that the information must be protected to the same extent that our customers' information is.

Bonnie isn't suggesting the lists must be destroyed. She is pointing out the irony in the fact that a senior Fed attorney speaking to a group of bankers at a public program insisted they must be destroyed. My recollection is that he was adamant about it when challenged by members of the audience. Nevertheless, several months later, the examination procedures clearly indicate that the lists may be retained as a method of evidencing compliance. There was a lot of confusion on this point and the end result is 180 degrees different than the first advice that was given.

Keeping the lists generates a requirement for security equal to that you provide to your own customers' information. Destroying them eliminates that burden without compromising the bank's ability to demonstrate compliance. Again, I would discard the option to keep them, but the examination procedures make it plain that the choice is the bank's.