On November 26, 2014, the FFIEC released the revised Bank Secrecy Act/Anti-Money Laundering Examination Manual. The manual includes revised risk-based procedures, current guidance on risk-based policies, safeguard operations for money laundering and terrorist financing, and much more. The FFIEC recommended that financial institutions “should familiarize themselves with these revisions and make the necessary updates to their BSA compliance programs.”
Now six months have passed and we’re here to ask “does your organization know the BSA/AML Exam Manual as well as it should?” If you’re not sure how to answer that question, don’t worry; we’ve got the basics covered.
The new manual seems to represent a move towards recognition of technology. This includes a focus on electronic filing of the new SAR and CTR as well as new sections for prepaid access and BSA e-filing.
As with other versions, there are two primary sections of the new examination manual: Core Procedures and Expanded Procedures.

Core Procedures

Let’s take a look at the Core procedures first. This section focuses on the more general areas of BSA/AML. Not much in this section has been changed, although the Iran Sanctions have been given their own section. Without question, it emphasizes the importance of utilizing the institution’s risk assessment to establish the scope of the examination. This places the responsibility for conducting a meaningful risk assessment on the shoulders of a proactive institution. Doing so is one way to ensure that your BSA/AML program is commensurate with your risk profile. Providing regulators a risk assessment also allows you to exert a measure of control over the examination process, because the absence of such documentation leaves it to your examiner to establish the context for your examination. As emphasized in our Risk Watch episode called Taking Control of Your Examination, such a practice is akin to rolling the dice. Bottom line: a risk assessment may be the most important action your institution can take, whether you conduct it internally or seek external assistance.
As for SARs, the Core Procedures section emphasizes that while the use of attachments in SARs is an enhancement, using the statement “See Attachment” as a replacement for the SAR narrative is not acceptable. This section has also been updated with important information about the electronic filing of SARs and CTRs.
The core procedures section also promotes the overall expansion of OFAC with the need to designate an individual within your institution as responsible for OFAC compliance. The manual states that OFAC compliance isn’t merely the meaningless monitoring for “hits,” but rather emphasizes the need for successful monitoring of hits. Based on our interaction with clients and the new manual, it seems that OFAC is increasingly being emphasized.

Expanded Procedures

Now let’s move on to the new Expanded Procedures section. This section provides insight into various areas of compliance, rather than simply providing examination procedures. As such, it remains a useful training guide for any institution and merits periodic review by all applicable departments.
Areas of discussion within the procedures section are extensive and include the following:

  • BSA/AML compliance program structures,
  • Foreign branches and offices of U.S. banks,
  • Parallel banking,
  • Correspondent accounts,
  • Electronic banking,
  • Funds transfer,
  • Insurance, and more.

The guidelines are largely similar to prior versions. However, for those institutions with applicable transactions, we recommend reviewing the new, expanded exam procedures for bulk shipments of currency and prepaid access (such as e-cash).

New Steps Required

For those tasked with conducting reviews, there are also some new steps to keep in mind.

  • The first has to do with private ATMs. If applicable, the new procedures call for determining whether the financial institution obtains information from the independent sales organization (or ISO) where an ATM is located regarding due diligence on its sub-ISO arrangements.
  • The second has to do with NBFIs, or non-bank financial institutions. The new procedures include a step to determine the extent of the financial institution’s relationships with NBFIs and, for institutions with significant relationships with NBFIs, the need to review the institution’s risk assessment of this activity. (So, once again, we find an emphasis on risk assessments.)
  • And finally, MSBs, or money services businesses. The new procedures include the need to determine whether the financial institution has policies, procedures, and processes in place for accounts opened or maintained for MSBs. The important thing here is to ensure that sound due diligence and identification procedures are implemented.

Those are the main sections, but there are also helpful sections regarding nonresident aliens and foreign individuals, as well as accounts for PEPs (or politically exposed persons), embassies, foreign consulates, foreign missions, professional service providers, NGOs (or non-government organizations), business entities (both domestic and foreign), and cash-intensive businesses, if those areas are applicable to your institution.
Overall, it would seem that the message is clear: institutions should remain active in maintaining a robust and dynamic program commensurate with their risk profile. In layman’s terms? Do your risk assessment!
 


Coppelia Padgett is senior analyst and resident SCRA Act expert for AffirmX. She began her career as a compliance examiner for the FDIC working primarily out of Los Angeles. She left the FDIC to found Triac in 1992. This consulting firm grew to serve the compliance needs of hundreds of financial institutions in the Los Angeles metropolitan area and around the United States. In 2011, Ms. Padgett joined AffirmX as a researcher, senior analyst, and writer. She graduated magna cum laude from the University of Tulsa with a degree in Economics.