This post was written by Michael Carpenter, Sales Solutions Architect, Ncontracts
The FDIC published its Supervisory Insights for Summer of 2017 on August 30, 2017. The publication contained two articles, one on Liquidity Risk and the other on Bank Secrecy Act (BSA) and of course all other related regulations such as the USA Patriot Act. I gravitated to the BSA content due to my career history in the field. From an Enhanced Due Diligence Analyst at KeyBank to the VP of Business Banking KYC and several stints as the BSA Officer at banks and credit unions.
WHAT THE FDIC IS FOCUSING ON NOW
The BSA article covers four general topics.
- BSA and the Board: The first portion of the release covers the importance of the BSA and how requirements carried out by entities under BSA authority is used and a history of BSA and all related regulations. BSA officers naturally develop a series of slide shows or even one training deck for use in the training our Board of Directors, new employees etc., and this is done because training is one of the pillars in a BSA Compliance Program as noted in the Bank Secrecy Act Anti-Money Laundering Examination Manual. Also, and specifically Board of Directors are trained on this topic because they are ultimately held accountable for not only the adoption of a relevant BSA program (based on the understood risk to the organization) but the effective implementation and adoption of program. Not saying anyone needs to change their training content necessarily but the presentation of BSA history and that of related laws and regulations is a good one and quite honestly can be sliced up and put onto a Powerpoint slide deck rather easily.
- BSA Examinations: The article addresses what the FDIC looks for in a BSA examination, noting that the Compliance Program will be reviewed. With that being the main point and by the volume of the content (not long at all) it can leave one saying “That’s all? Why is it that we are spending money and other resources in the amount we do on BSA?” Well, what someone not directly involved in BSA or who may be unaware of the details of each pillar in a compliance program sees is that we need a program that is written and approved by the Board and that program should include five elements (I like to use the word pillar) and I am going to go out of order here on purpose:
- Training – Everyone must understand what the BSA series of laws and regulations are and their responsibility in their roles. Training should be conducted on a periodic basis and be logged/recorded and able to be retrieved when requested.
- BSA Compliance Officer - Easy enough, right? Name someone who will be the BSA Officer for the organization why is that even an element/pillar? There is more to think about here but I’ll leave that for another writing.
- Independent Testing – This also seems like an easy enough task on its surface. Get an independent test done periodically. That test better have a sufficient scope, otherwise its relevance will be questioned regarding the fulfillment of this important part of a Compliance Program. Again, more work to be done here and that starts when the results of the test are received.
- Internal controls – This holds the most weight! This pillar of a BSA Compliance Program is where your time, money and stress of examinations lives. Policies, Procedures, Risk Assessments, Findings/Exception/Recommendations management, Transaction Monitoring, Filing and Data Validation are some of the things included in those two little words.
- Customer Due Diligence (also known as CIP) - Collect and verify your four pieces of information: Name, DOB, Identification Number and Address. Make sure you record and retain this information for the appropriate time period.So, those five pillars that didn’t seem much actually include much more, not any news to the BSA Officers, but maybe something that is shared with your Board and Executive Team (if it hasn’t been already).
- What Examinations Have Found: The good news, per the article, is that “During the past ten years, approximately one percent of examinations resulted in BSA/AML formal enforcement actions.” One out of every one hundred doesn’t seem so scary, unless of course you’re that one.
This is the content I was most interested in and as I began to read it seemed quite clear the primary issues until two little words (internal controls) started popping up. In AML examinations, deficiencies considered technical included Currency Transaction Report (CTR) filing and information sharing. In examinations addressing the BSA Compliance Program common violations included Suspicious Activity Reporting (SAR) and “inadequate systems of internal control.”
Well that narrows it down, doesn’t it? We know that those two words pack quite a punch and, in my opinion, makes or breaks an effective Compliance Program. At the end of the day, your BSA/AML Compliance Program will be tested and if you don’t have controls in place, written instructions defining responsible parties on how you will implement controls (procedures) and measures in place to test the effectiveness of your controls (Quality control/quality assurance) you might be opening yourself up to a bad report card with your grader being the FDIC.
- When does the FDIC use a Formal Enforcement Action? The last major portion of the article addresses when the FDIC uses formal enforcement actions. Various scenarios are provided showing if this then that scenarios. Technical findings that can be addressed quickly will more than likely not result in an enforcement action but is a red flag to examiners that the program is not being managed effectively to include weak, you guessed it, internal controls. Multiple aspects of a program raise the likelihood that enforcement actions will be assessed.
- The BSA Compliance Program will be tested
- A good risk assessment of your BSA compliance program will document the adequacy of your internal control systems
So, what does this mean to you and where do you start? It is not enough to just have a vendor provide information about your clients and compliance with BSA or have just an internal process for each verification. The adequacy of internal controls is measured by the frequency, quality, and quantity of the controls. This is incredibly challenging to document in an excel spreadsheet.
It’s important to remember, a thorough risk assessment is the foundation of any relevant and compliant BSA Compliance Program. A blind eye defense not including risks inherent in the products and services you offer will not protect you in an examination. The examiners will be assessing your internal controls as part of that program based on risks inherent in what you do. The appropriate risk assessment tool can alleviate these problems.