Examiners Should Focus on Risk, Not Technical Perfection
On April 15, 2020, the Federal Financial Institutions Examination Council (“FFIEC”) released updates to the Bank Secrecy Act/Anti-Money Laundering (“BSA/AML”) examination manual (the “Manual”). As the FFIEC Interagency press release described, the Manual provides “instructions to examiners when assessing the adequacy of a bank’s BSA/AML compliance program.” The “release of the updated sections provides further transparency into the BSA/AML examination process and does not establish new requirements.” The press release further stated that the revisions were made to, among other objectives, emphasize that examiners should be “tailoring BSA/AML examination to a bank’s risk profile,” to “ensure language clearly distinguishes between mandatory regulatory requirements and supervisory expectations” for examiners, and to “incorporate regulatory changes since the last update of the Manual in 2014.”
The Federal Deposit Insurance Corporation (“FDIC”) also issued a press release regarding the updates. Its statement recognized that “financial institutions are faced with uncertainty during this unprecedented time,” and the FDIC therefore cautioned that the update, “which supports tailored examination work, has been in process for an extended period and should not be interpreted as new instructions or as an augmented focus.”
The updates focus on four steps in the examination process:
- Scoping and Planning
- BSA/AML Risk Assessment
- Assessing the BSA Compliance Program
- Developing Conclusions and Finalizing the Examination
The updates emphasize examiners should take a “risk-focused” approach to tailor the review of a regulated institution’s BSA/AML compliance program, meaning the examination should be tailored to the risk profile of that specific institution. The Manual updates incorporate guidance on more recent developments such as Customer Due Diligence (“CDD”) and Beneficial Ownership requirements and a recognition of innovations in collaborations among smaller institutions. Importantly, the Manual reminds examiners that banks have flexibility in the design of their BSA/AML compliance programs, and that minor weaknesses, deficiencies, and technical violations alone do not indicate an inadequate program.
Risk-Focused BSA/AML Supervision in the Examiner’s Scoping and Planning
The Manual instructs examiners to tailor BSA/AML examinations to a bank’s risk profile, including examination and testing procedures, and conducting risk-focused testing or analytical reviews. As a first step, the examiner needs to understand the bank’s risk profile to tailor the examination plan. The Manual updates suggest examiners consider reviewing:
- The bank’s BSA/AML risk assessment.
- Independent testing or audits.
- Analyses and conclusions from previous examinations.
- Management’s responses, including the current status of issues, regarding independent testing or audit results and examination findings.
- The bank’s information technology sources, systems, and processes used in the BSA/AML compliance program, including offsite and ongoing monitoring.
- Information received from the bank in response to the request letter.
- BSA reporting available from the Financial Crimes Enforcement Network (FinCEN) including SARs, CTRs, and CTR exemption information.
- Correspondence between the bank and its regulators.
- The bank’s policies, procedures, and processes for complying with Office of Foreign Assets Control (“OFAC”)-administered laws and regulations, if appropriate.
Information gained at this time will aid the examiner in deciding the scope of the examination.
Notably, “[i]f the bank’s independent testing is adequate, findings from the independent testing may be leveraged to reduce the examination areas covered and the testing necessary to assess the bank’s BSA/AML compliance program.” To determine the adequacy, the examiner should consider whether testing was independent – which the Manual later clarifies could include testing “conducted by the internal audit department, outside auditors, consultants, or other qualified independent parties,” or “bank staff who are not involved in the function being tested.” The examiner should also consider “whether the independent audit assessed all appropriate [Money Laundering/ Terrorist Financing (“ML/TF”)] and other illicit financial activity risks within the bank’s operations, and consider whether access was provided to the appropriate independent testing scope and supporting workpapers.”
In addition to the minimum examination and testing procedures, the Manual updates emphasize the examiner should consider the following in determining whether additional examination is necessary: the bank’s risk profile, size or complexity, and organizational structure; changes to the bank’s BSA/AML compliance officer or department; and additional relevant factors.
Importance of the BSA/AML Risk Assessment
The development of the BSA/AML risk assessment generally involves the identification of specific risk categories (e.g., products, services, customers, and geographic locations) unique to the bank. The Manual states the bank and examiner should consider, for example, “the number and dollar amount of domestic and international funds transfers, the nature of private banking customers or foreign correspondent accounts, the existence of payable through accounts, and the domestic and international geographic locations where the bank conducts or transacts business.”
The bank may need to update its BSA/AML risk assessment “when new products, services, and customer types are introduced or the bank expands through mergers and acquisitions.” However, the Manual clarifies “there is no requirement to update the BSA/AML risk assessment on a continuous or specified periodic basis.”
The Manual cautions “[i]mproper identification and assessment of risk can have a cascading effect, creating deficiencies in multiple areas of internal controls and resulting in an overall weakened BSA/AML compliance program.”
If the bank has not developed a BSA/AML risk assessment, the examiner must develop one for the bank based on available information, though the expectation is that the “examiner-developed BSA/AML risk assessment generally is not as comprehensive as one developed by the bank.”
Components Examiners Should Consider in Assessing BSA/AML Compliance Program
The Manual provides instructions to examiners for assessing the adequacy of a bank’s BSA/AML compliance program and constitutes a minimum set of procedures for full-scope BSA/AML examinations.
Banks “must establish and maintain procedures reasonably designed to assure and monitor compliance with BSA regulatory requirements (BSA/AML compliance program).” At a minimum, the “BSA/AML compliance program must be written, approved by the board of directors, and noted in the board minutes.”
The compliance program must meet the following requirements:
- A system of internal controls to assure ongoing compliance.
- Independent testing for compliance to be conducted by bank personnel or by an outside party.
- Designation of an individual or individuals responsible for coordinating and monitoring day-to-day compliance (BSA compliance officer).
- Training for appropriate personnel.
The Manual updates provide detailed considerations for each category.
First, the bank’s system of internal controls should provide for continuity despite any changes in management or employee composition or structure and provide sufficient oversight for those tasked with compliance. The Manual updates stress that the system should incorporate dual controls and segregation of duties to the extent possible. The system should provide for timely updates and include mechanisms to identify and inform the board of directors (or a committee) and senior management of BSA compliance initiatives and deficiencies.
Second, the compliance program should incorporate independent testing. There is no regulatory requirement for the frequency of testing; the frequency should be commensurate with the risk profile of the bank. The Manual updates note that for banks with “a community focus, less complex operations, and lower-risk profiles for ML/TF and other illicit financial activities,” “utilizing a shared resource as part of a collaborative arrangement to conduct independent testing” may be appropriate. As we previously blogged here, here, and here, collaborative arrangements and shared resources have been a topic of discussion as the financial regulatory agencies attempt to modernize the BSA/AML system.
Third, the Manual updates describe in detail the expectations of the bank’s compliance officer. This person should be: designated by the board of directors, qualified for the task, and responsible for coordinating and monitoring day-to-day compliance with BSA regulatory requirements. The Manual updates emphasize the board of directors’ role in ensuring the compliance officer is fully supported with “appropriate authority, independence, and access to resources to administer an adequate BSA/AML compliance program based on the bank’s ML/TF and other illicit financial activity risk profile.”
Importantly, examiners are instructed that the “[i]ndicators of independence include but are not limited to: clear lines of reporting and communication ultimately up to the board of directors or a designated board committee that do not compromise the BSA compliance officer’s independence, the ability to undertake the BSA compliance officer’s role without undue influence from the bank’s business lines, reporting of issues to senior management and the board of directors.”
Fourth, the BSA/AML training program should 1) cover the aspects of the BSA that are relevant to the bank and its risk profile and 2) be provided to appropriate personnel (including those whose duties require knowledge of or relate to BSA/AML compliance), the BSA compliance officer and staff, and the board of directors and senior management. The training may be tailored to the role of the person receiving the training. The Manual provides as an example that “training for tellers should focus on examples involving large currency transactions or suspicious activities, and training for the loan department should provide examples involving money laundering through lending arrangements.” Banks should document the training programs, including the testing materials, dates of training sessions, and attendees. If the bank relies on another financial institution for training, it should maintain appropriate documentation of the training.
Finally, in addition, the compliance program “must include a customer identification program (CIP) with risk-based procedures that enable the bank to form a reasonable belief that it knows the true identity of its customers.” The Manual updates reiterate a prior update we discussed here, which incorporated the beneficial ownership rule and CDD requirements described by FinCEN.
Guidance to Examiners to Develop and Finalize Examination and Report
The Manual reminds examiners that banks have flexibility in the design of their BSA/AML compliance programs, and that minor weaknesses, deficiencies, and technical violations alone are not indicative of an inadequate program.
Violations or deficiencies can be caused by a number of issues including, but not limited to: not appropriately assessing the risk profile; lack of coherent policies or procedures; disregard of regulatory requirements or policies; compliance program not commensurate with growth in higher-risk operations (products, services, customers, and geographic locations); insufficient staffing; and insufficient communications of policy changes to staff.
Examiners assessing whether violations are systemic are instructed to consider the number of violations compared to the bank’s total activity level based on sampling and whether prior similar violations have occurred.
Examiners should “discuss with the bank their preliminary conclusions, which may include strengths, weaknesses, any deficiencies or violations, if applicable, and necessary remediation of any deficiencies or violations.” The final findings regarding the adequacy of the bank’s BSA/AML compliance program should be summarized in written format for inclusion in the report of examination (ROE).
These updated sections of the FFIEC Manual help to clarify the expectations of examiners as covered financial institutions implement their BSA/AML programs and procedures, keeping in mind the risk-based focus of the regulations, and appropriately update policies to meet enhanced due diligence expectations such as the beneficial ownership rule and enhanced CDD requirements.