On February 25, 2021, the Federal Financial Institutions Examination Council (“FFIEC”) released updates to the Bank Secrecy Act/Anti-Money Laundering (“BSA/AML”) Examination Manual (the “Manual”), which provides guidance to examiners for evaluating a financial institution’s BSA/AML compliance program and its compliance with related regulatory requirements.
First, the Manual adds a new introductory section, Assessing Compliance with [BSA] Regulatory Requirements. Second, the Manual updates the sections pertaining to Customer Identification Program (“CIP”), Currency Transaction Reporting (“CTR”), and Transactions of Exempt Persons. The Manual explains that, consistent with prior updates, the “updates should not be interpreted as new instructions or as a new or increased focus on certain areas,” but are intended to “offer further transparency into the examination process and support risk-focused examination work.”
The 2021 updates are not quite as substantial as the 2020 updates to the Manual, which pertained to scoping and planning of examinations; the review of a financial institution’s BSA/AML risk assessment; the assessment of an institution’s BSA/AML compliance program; and guidance for examiners on developing conclusions and finalizing the examination. Nonetheless, the updates provide useful insight into what examiners regard as important for BSA/AML compliance.
The Manual’s New Introduction
The FFIEC’s risk-focused approach to BSA/AML supervision is highlighted by the new introductory section, which provides an overview of how examiners should establish their exam scope and plan for examinations. Of course, written policies and procedures alone are not sufficient to comply with BSA regulatory requirements. Instead, an institution’s processes should align with each bank’s unique risk profile. Likewise, examination procedures used to determine compliance will vary and should be tailored to each bank. Specifically, “[e]xaminers should focus their review of risk management practices and compliance with BSA regulatory requirements on areas of greatest [money laundering, terrorist financing] and other illicit financial activity risks. Examiners will assess whether the bank has developed and implemented adequate processes to identify, measure, monitor, and control those risks and comply with BSA regulatory requirements.” Specific examination procedures will depend on factors such as the bank’s risk profile, size or complexity, the quality of its independent testing, any changes to its BSA/AML compliance officer or department, expansionary activities, and new innovations and technologies.
Although examiners always must perform some risk-focused testing during each examination cycle, in the form of testing specific transactions or performing analytical or other reviews, testing may not be necessary for every regulation or BSA/AML area examined. Moreover, the Manual observes in the new introductory section that “not all of the examination and testing procedures included in this Manual are likely to be applicable to every bank or during every examination.”
Customer Identification Program
The Manual updates the section on a bank’s CIP. The Manual explains that “minor weaknesses, deficiencies, and technical violations alone are not indicative of an inadequate CIP.” The updates to the CIP section include:
Examiner Assessment of the CIP Process
The Manual adds a subsection titled “Examiner Assessment of the CIP Process,” which again emphasizes the need for a risk-focused examination. Examiners should determine whether the bank’s internal controls are designed to assure ongoing compliance with the requirements and are commensurate with the bank’s size, complexity, and organizational structure.
The Manual observes that “[e]xaminers may review other information, such as recent independent testing or audit reports, to aid in their assessment” of the bank’s CIP compliance. Further, examiners should “consider general internal control concepts, such as dual controls, segregation of duties, and management approval for certain actions, as they relate to the bank’s CIP. Other internal controls may include BSA compliance officer or other senior management approval for staff actions that deviate from the bank’s CIP policies, procedures or processes.” The Manual fortunately cautions examiners to remember that “the bank may have limited instances of noncompliance with the CIP rule (such as isolated or technical violations) or minor deviations from the bank’s CIP policies, procedures and processes without resulting in an inadequate CIP.”
The Manual also adds a nearly identical new subsection titled “Examiner Assessment” to the CTR and Transactions of Exempt Persons sections, discussed below.
Customer Information Required
The Manual updates this subsection to add language regarding the opening of an account for a customer who has applied for, but has not yet received, a tax identification number (“TIN”), and an alternate process for obtaining CIP identifying information for credit card accounts:
- TIN – The bank’s CIP must include procedures to confirm that the TIN application was filed before the customer opened the account and the TIN must be received within a reasonable amount of time after the account is opened; and
- Credit Card Account – the bank may obtain CIP identifying information from a third-party source prior to extending credit to the customer.
Record Keeping and Retention Requirements
The Manual clarifies that a bank’s CIP must include “procedures for making and maintaining a record of all information obtained to identify and verify a customer’s identity.”
A new provision clarifies that a bank may keep copies of identifying documents that it uses to verify a customer’s identity, but the CIP rules do not require it. If a bank does retain copies of identifying documents, it must be done in accordance with the record keeping requirements of 31 C.F.R. § 1010.430, “Nature of Records and Retention Period.” The Manual warns against improperly using any document which contains a picture of an individual, such as a driver’s license, in connection with any aspect of a credit transaction.
Comparison with Government Lists
The Manual expands this subsection to clarify that CIP must include procedures for determining whether the customer appears on any list of known or suspected terrorists or terrorist organizations.
The Manual adds a subsection titled “Exemptions,” regarding exemptions from the CIP requirements which regulators may grant to any bank or account. The Manual notes that loans extended by banks and their subsidiaries to customers to facilitate the purchase of property or casualty insurance policies are exempted from CIP requirements, because these “premium finance loans” were determined to present a low risk of money laundering or terrorist financing.
In this new subsection, the Manual notes additional interagency guidance to issuing banks on applying CIP requirements to holders of prepaid cards, in addition to the U.S. Department of the Treasury, FinCEN, and the federal banking agencies’ Frequently Asked Questions (FAQs). Additionally, banks are encouraged to use non-documentary verification as relief for customers who cannot provide standard identification documents because of the effects of natural disasters.
Currency Transaction Reporting
The Manual updates the section on Currency Transaction Reports, or CTRs. The updates include:
Aggregation of Currency Transactions
The Manual describes the aggregation requirement for CTRs in more detail – i.e., the circumstances when multiple related currency transactions resulting in either cash in or cash out totaling more than $10,000 must be treated as a single transaction. The Manual notes that, consistent with FinCEN guidance, common ownership does not require aggregation of separate transactions if the bank determines that the businesses are independent. Further, if a bank determines that certain transactions had no apparent purpose other than to avoid triggering a CTR filing, the bank also would need to consider if a suspicious activity report (“SAR”) was warranted.
Structured Transactions – CTR Requirements
The Manual adds a subsection titled “Structured Transactions – CTR Requirements,” which describes the structuring of transactions, which occurs “when a person, acting alone or in conjunction with, or on behalf of, other persons, conducts or attempts to conduct one or more transactions in currency, in any amount, at one or more financial institutions, on one or more days, in any manner, for the purpose of evading the CTR requirements.” Structuring is a crime, and the bank must file a SAR if it suspects that someone is structuring transactions to evade a CTR filing.
The Manual adds a new subsection titled “Identification Required,” regarding what a bank must do to verify and record the identity of an individual involved in a CTR. This subsection clarifies that a notation of “known customer” or “bank signature card on file” is insufficient; the individual’s specific identifying information must be included in the CTR.
Filing and Record Retention
CTRs of course must be filed through FinCEN’s BSA E-Filing System. The Manual clarifies that when FinCEN identifies quality errors, banks must follow the actions stipulated in FinCEN correspondences. The E-Filing System allows for tracking of filings. The Manual suggests that examiners review correspondences from FinCEN to aid in their assessment of a bank’s reporting of currency transactions.
CTR Backfiling and Amendment
The Manual expands the guidelines for backfiling and amendments of CTRs, explaining that if a bank failed to file CTRs on reportable transactions, or filed CTRs with errors, the bank must begin complying with CTR requirements as soon as it becomes aware of such errors. Under most circumstances, the bank can submit a late or amended CTR without contacting FinCEN. However, the bank should consider contacting FinCEN for guidance if (1) the bank has been instructed by its regulator to do so; (2) it is unclear if the circumstances necessitate backfiling or amending; or (3) the bank wants to request regulatory relief from filing.
Exempt Persons for Currency Transaction Reporting
Although banks must file a CTR for each transaction of more than $10,000 in currency, banks also can exempt certain customers (referred to as Phase I and Phase II exempt persons) from CTR reporting. The Manual updates the section on CTR exemptions, including the following.
The Manual reaffirms that at least once a year banks must review the eligibility of exempt persons to determine whether they remain eligible for exemption. The Manual expands the types of customers for which banks do not need to confirm continued exemption eligibility. The Manual also clarifies that, as part of the annual review of exempt persons, the bank should review the application of the suspicious activity monitoring system for each existing account of a non-listed business or payroll customer.
The Manual adds a subsection titled “Operating Rules,” which outlines the steps a bank must take to determine the qualifications of an exempt person and document the process. Specifically, a bank must take “reasonable and prudent” steps to ensure that a person is an exempt person, and document the basis for that conclusion. For aggregated accounts, the bank can treat all exemptible accounts as a single account, but must treat each account consistently in determining the qualification of the customer as a non-listed business or payroll customer. A parent holding company, or one of its bank subsidiaries, can make the designation of an exempt person on behalf of all bank subsidiaries of the holding company. If it meets the Phase II requirements, a sole proprietorship may be treated as a non-listed business or as a payroll customer.
Effect on Other Regulatory Requirements
The Manual updates this subsection by clarifying that nothing in the Transactions of Exempt Persons regulations relieves a bank of any other reporting or recordkeeping obligations imposed by FinCEN’s BSA regulations.