In 2014 alone, the Financial Crimes Enforcement Network (FinCEN) and regulatory agencies assessed over $2 billion in penalties for violating the Bank Secrecy Act (BSA). So while lending and deposit regulations have garnered a lot of attention recently, don’t let your team become lax about BSA compliance.
BSA violations during 2014 encompassed a multitude of sins, including, but not limited to:
- failure to monitor high risk customers, especially money services businesses (MSBs)
- willfully violating the requirement to implement and maintain an effective Anti-Money Laundering (AML) program
- willfully violating the requirement to report suspicious activity
- failure to implement a discipline policy for employees who violate the BSA program
- failure to terminate known high risk agents/outlets
- failure to file timely Suspicious Activity Reports (SARs)
- failure to conduct effective audits of agents/outlets
- failure to conduct adequate due diligence for customers
- significant deficiencies in all aspects of the AML program, including:
  - internal controls
  - independent testing
- failure to designate an appropriate BSA compliance officer
- systemic failure in meeting 314(a) obligations
- insufficient suspicious activity reports
- failure to provide any meaningful risk assessment for the institution’s size and type of business and blind reliance on a third-party vendor to conduct due diligence for MSBs, which held sub-accounts. Without knowing or understanding its customers or risks, the institution was unable to adequately monitor, detect, or report significant suspicious transactions and other activities taking place, including those related to money laundering and drug trafficking.
Financial institutions should place emphasis on their BSA program and provide adequate resources and training to individuals responsible for compliance with the BSA. An adequate BSA program MUST provide the following minimum requirements:
- a system of internal controls to ensure ongoing compliance
- independent testing of BSA/AML compliance
- designation of an individual or individuals responsible for managing BSA compliance (BSA compliance officer)
- training for appropriate personnel.
In addition, a Customer Identification Program (CIP) must be included as part of the BSA/AML compliance program.
The 2014 FFIEC BSA/AML Examination Manual expands on the four pillars. For those who don’t wish to read the entire manual, we’ve included some excerpts below. Everyone involved in bank management and oversight should thoroughly understand the role of internal controls, the importance of independent testing, the role and responsibilities of the BSA officer and the training that is required to fulfill the bank’s responsibilities under BSA. The manual states:
INTERNAL CONTROLS: The board of directors, acting through senior management, is ultimately responsible for ensuring that the bank maintains an effective BSA/AML internal control structure, including suspicious activity monitoring and reporting. The board of directors and management should create a culture of compliance to ensure staff adherence to the bank’s BSA/AML policies, procedures, and processes. Internal controls are the bank’s policies, procedures, and processes designed to limit and control risks and to achieve compliance with the BSA. The level of sophistication of the internal controls should be commensurate with the size, structure, risks and complexity of the bank. Large complex banks are more likely to implement departmental internal controls for BSA/AML compliance. Departmental internal controls typically address risks and compliance requirements unique to a particular line of business or department and are part of a comprehensive BSA/AML compliance program.
INDEPENDENT TESTING: Independent testing should be conducted by the internal audit department, outside auditors, consultants, or other qualified independent parties. While the frequency of audit is not specifically defined in any statute, a sound practice is for the bank to conduct independent testing generally every 12 to 18 months, commensurate with the BSA/AML risk profile of the bank. Banks that do not employ outside auditors or consultants or have internal audit departments may comply with this requirement by using qualified persons who are not involved in the function being tested. The persons conducting the BSA/AML testing should report directly to the board of directors or to a designated board committee comprised primarily or completely of outside directors. Banks that employ outside auditors or consultants should ensure that qualified persons doing the BSA/AML testing are not involved in other BSA functions such as training or developing policies and procedures that may present a conflict or lack of independence.
DESIGNATION OF OFFICER: The bank’s board of directors must designate a qualified individual to serve as the BSA compliance officer (The bank must designate one or more persons to coordinate and monitor day-to-day compliance). The BSA compliance officer is responsible for coordinating and monitoring day-to-day BSA/AML compliance. The BSA compliance officer is also charged with managing all aspects of the BSA/AML compliance program and with managing the bank’s adherence to the BSA and its implementing regulations; however, the board of directors is ultimately responsible for the bank’s BSA/AML compliance.
TRAINING: Banks must ensure that appropriate personnel are trained in applicable aspects of the BSA. Training should include regulatory requirements and the bank’s internal BSA/AML policies, procedures, and processes. At a minimum, the bank’s training program must provide training for all personnel whose duties require knowledge of the BSA. The training should be tailored to the person’s specific responsibilities. In addition, an overview of the BSA/AML requirements typically should be given to new staff during employee orientation. Training should encompass information related to applicable business lines, such as trust services, international, and private banking. The BSA compliance officer should receive periodic training that is relevant and appropriate given changes to regulatory requirements as well as the activities and overall BSA/AML risk profile of the bank. The board of directors and senior management should be informed of changes and new developments in the BSA, its implementing regulations and directives, and the federal banking agencies’ regulations. While the board of directors may not require the same degree of training as banking operations personnel, they need to understand the importance of BSA/AML regulatory requirements, the ramifications of noncompliance, and the risks posed to the bank. Training should be ongoing and incorporate current developments and changes to the BSA and any related regulations. Banks should document their training programs. Training and testing materials, the dates of training sessions, and attendance records should be maintained by the bank and be available for examiner review.
The BSA and AML program should be designed to meet the requirements of the four pillars and include an adequate Customer Identification Program. Independent review of this area will assist the institution in compliance and fulfillment of obligations established by the Bank Secrecy Act. KraftCPAs is available to help you comply with the independent review requirement and with training for your employees and your board. Please contact a member of the KraftCPAs banking team for more information or to discuss your needs.