While the exact requirements for financial institutions have not changed, Bank Secrecy Act Anti-Money Laundering (BSA/AML) compliance is once again in the spotlight. Intended to improve transparency in the exam process, recent updates to the BSA/AML Examination Manual emphasize that examiners should maintain a risk-focused approach to examinations, placing greater focus on the BSA risk assessment and the independent audit.
These developments underscore the need for institutions to have a sound and thorough BSA program verified by a trusted auditor. At RKL, we are proud to serve the regulatory compliance needs of financial institutions throughout the Mid-Atlantic with an internal audit process centered on assessment and mitigation of business and operational risk.
Recent exam findings offer an important window into common shortcomings among financial institutions and steps to address or avoid them in your own BSA program.
Common regulatory exam finding
Insufficient risk-based customer due diligence, inadequate enhanced due diligence for higher risk customers and insufficient procedures and documentation around suspicious activity detection and decision-making.
How to resolve
Information obtained during the customer due diligence (CDD) process for both consumer and business customers must be sufficient to understand the nature and purpose of the account relationship and anticipated transactional activity to determine an appropriate customer risk profile. Make sure to consider the following factors in the CDD process:
- Transactional dollar ranges
- Sales from business operations
- Major customers/suppliers
- Products and services offered
- Geographic area of business operation
- Anticipated types of account activity
Review procedures for ongoing enhanced due diligence (EDD) must be consistently followed and performed in a timely manner. Reviews should discuss significant variances in transaction volume from prior review periods and must conclude whether the activity is consistent with anticipated activity and reasonably aligned with the customer’s risk profile. Any risk rating changes that stem from the review process must be well documented and thoroughly supported.
Your financial institution’s BSA policies should include the timeframe, investigation and documentation requirements for clearing or escalating suspicious activity alerts. Monitor open cases and complete the investigation process in a timely manner. Suspicious activity report procedures should emphasize timely reporting, essential and accurate information, and documentation of the review process.
Common regulatory exam finding
BSA/AML and Office of Foreign Assets Control (OFAC) risk assessments lack detailed analysis to identify risk within the customer base.
How to resolve
Comprehensive BSA/AML and OFAC risk assessments are the backbone of appropriate risk management controls. Make sure your financial institution’s assessments include:
- A stratification of all bank-identified, high-risk customers by business type;
- The trend analysis and statistical data for all risk factors for at least a two-year period;
- The quantitative data for wire transfers including level (dollar and number) and trend analysis for both international and domestic wire transfers;
- An assessment of the risks associated with lending and deposit relationships that involve signers/principals who reside outside the country;
- An assessment of the BSA risks associated with the financial institution’s higher risk customers, such as money service businesses, marijuana-related businesses, NGOs, online gambling, etc., as applicable; and
- The level and trend of suspicious activity alerts generated by the AML system.
Common regulatory exam finding
Noncompliance with the Unlawful Internet Gambling Enforcement Act of 2006 (UIGEA).
How to resolve
If you maintain commercial deposit accounts for customers offering internet gambling, make sure to have all required documentation on file, including licenses, legal opinions and third-party certifications.
Common regulatory exam finding
BSA Compliance Officer lacks sufficient expertise, time, resources and authority to effectively establish, implement and administer the BSA/AML Compliance Program.
How to resolve
The BSA Compliance Officer should actively participate in board meetings and should present the BSA reports. He or she must be involved in discussions pertaining to new products or services, new market areas, technology changes and any event that requires investigation for potential suspicious activity report filing, such as cybersecurity events and law enforcement inquiries or subpoenas.
Common regulatory exam finding
Insufficient or irregular BSA/AML training program.
How to resolve
Design BSA/AML training in accordance with your institution’s risk profile, and allow for job-specific and expanded training. Ensure relevant team members complete training in a timely manner in accordance with their job description.
Common regulatory exam finding
Financial institutions using Anti-Money Laundering (AML) software lack standard policies and procedures for its use.
How to resolve
Update policies and procedures to address alert/case clearing timeframes and quality control, disposition standards (documentation and analyses) and schedule for board or designated committee reporting.
Your financial institution can maintain compliance by evaluating its current practices against these common findings. RKL has a deep bench of financial services industry experts who can help with assessment and improvement of compliance practices. Contact your RKL advisor with questions related to compliance or for assistance implementing the concepts described above.