On December 1, 2021, the Federal Financial Institutions Examination Council (“FFIEC”) released updates to its Bank Secrecy Act/Anti-Money Laundering (BSA/AML) Examination Manual (the “Manual”), which provides guidance to examiners for evaluating a financial institution’s BSA/AML compliance program and its compliance with related regulatory requirements. This update is the third of 2021: the FFIEC also released updates to the Manual on February 25, 2021 and June 21, 2021.
This most recent update to the Manual adds a new introductory section, Introduction – Customers. The updated Manual also includes changes to sections pertaining to Charities and Nonprofit Organizations, Independent Automated Teller Machine Owners or Operators, and Politically Exposed Persons (“PEP”). The breadth of this most recent Manual update is consistent with the previous 2021 updates. In February, FFIEC released an introductory section and updates to three sections pertaining to Customer Identification Programs (“CIP”), Currency Transaction Reporting (“CTR”), and Transactions of Exempt Persons. In June, the FFIEC released updates to four sections pertaining to International Transportation of Currency or Monetary Instruments Reporting, Purchase and Sale of Monetary Instruments Recordkeeping, Reports of Foreign Financial, and Special Measures.
Consistent with prior FFIEC Interagency press releases associated with Manual updates, the FFIEC explained that “[t]he updates should not be interpreted as new requirements or as a new or increased focus on certain areas,” but rather “provide information and considerations related to certain customers that may indicate the need for bank policies, procedures, and processes to address potential money laundering, terrorist financing, and other illicit financial activity risks.” Despite this disclaimer, the updates provide helpful insight into what examiners prioritize with regard to BSA/AML compliance.
The Manual’s Introduction Pertaining to Customer Type
The Manual’s new introductory section focuses on the principle that “no specific customer type automatically presents a higher risk of [Money Laundering and Terrorist Financing] or other illicit financial activity[,]” and that BSA/AML compliant banks “are neither prohibited nor discouraged from providing banking services to any specific class or type of customer.” Rather, the FFIEC advises that a customer’s “potential risk to a bank depends on the presence or absence of numerous factors.” The new introductory section highlights sections of the Manual pertaining to customer types such as sections addressing customer due diligence, beneficial ownership of legal entity customers, and suspicious activity reporting.
Changes to Previously Existing Sections
The updates to three previously existing sections of the Manual are twofold. First, the update broadens the objectives of these sections and adds additional detail to the subsections discussing risk factors and risk mitigation, both of which were included in the prior iterations of these sections. Second, the update adds two entirely new subsections outlining the examiner evaluation process. These new subsections regarding the examiner evaluation process, which are outlined below, are nearly identical across all three section updates.
Each of the three updated sections of the Manual includes a new subsection titled “Examiner Evaluation.” These subsections instruct examiners to “determine whether the bank’s internal controls are designed to ensure ongoing compliance and are commensurate with the bank’s risk profile.” More specifically, these subsections direct examiners to determine whether the bank’s controls “manage and mitigate” money laundering and terrorist financing (“ML/TF”) and other illicit financial activity risks for charities and other non-profit organization customers, bank-identified PEPs, or independent ATM owners or operators.
Examination and Testing Procedures
Each updated section also includes a subsection addressing Examination and Testing Procedures. The stated objective of these examination and testing procedures is to “[e]valuate the bank’s policies, procedures, and processes to assess, manage, and mitigate risks associated with customers.” Within the context of these three updated sections, the examination and testing guidance proposes a focus on customer identification, customer due diligence (“CDD”), beneficial ownership of legal entity customers, and suspicious activity reporting, as there are no BSA regulations specific to charities and other non-profit organization customers, bank-identified PEPs, or independent ATM owners or operators.
There is some minimal variation in the step-by-step examination and testing procedure for each of the updated sections, but these instructions are largely identical for each of the updated sections. These instructions are outlined below:
- First, the examiner must determine whether the bank has developed and implemented appropriate, written risk-based procedures for conducting CDD. In the case of PEPs, the examiner should determine whether risk-focused testing is appropriate based on the review of a risk assessment.
- Second, the examiner must determine whether the bank, as part of its CDD program, has effective processes to develop customer risk profiles.
- Third, the examiner must determine whether the bank has policies, procedures, and processes to identify customers that may pose higher risk for ML/TF and other illicit activities. These policies, procedures, and processes should indicate whether and when it is appropriate for the bank to obtain and review additional customer information when insufficient, inaccurate, or unverifiable information is obtained.
- Fourth, the examiner must determine whether the bank’s system for monitoring the potentially high-risk customer (non-profit organization customers, PEPs, or independent ATM owners or operators) for suspicious activities is adequate given the bank’s risk profile.
- Fifth, in the context of independent ATM owners or operator customers, the examiner must determine whether the bank’s policies, procedures, and processes adequately address the preparation, filing, and retention of currency transaction reports.
- Sixth, the examiner must determine if risk-focused testing is appropriate based on the review of a risk assessment, prior examination reports, other examination information, or a review of the bank’s audit findings. If risk-focused testing is necessary, the Manual outlines the appropriate risk-focused examination procedures for the examiner to follow.
- Lastly, based on examination and testing procedures, the examiner must form a conclusion about the adequacy of the bank’s policies, procedures, and processes.
As with previous FFIEC updates, the updates to the Manual, particularly the sections regarding evaluation, examination, and testing procedures, help to clarify the expectations of examiners as covered financial institutions implement their BSA/AML policies, procedures, and processes, keeping in mind the risk-based focus of the regulations.