Over the past few weeks it feels as if I have been drinking from a fire hose when it comes to compliance as it relates to Bank Secrecy Act / Anti-Money Laundering (BSA/AML). Most of the information reviewed was not new, but it served as a good refresher that every bank needs a robust BSA Compliance Program that fits their bank culture and risk appetite. There was also some information that was shared in a way I hadn’t thought about before.
Below, I have provided some important takeaways and reminders that stood out the most to me – and I hope you take away as much as I did, in less time. I’ve also included a BSA officer checklist to ensure nothing is overlooked and appropriate actions are taken for BSA compliance.
A New Viewpoint on BSA: 3 Takeaways
- Remember to stay alert to updates. Let me start with a link to the Anti-Money Laundering Act of 2020, which became law on January 1, 2021; however, FinCEN is continuously updating the regulatory actions related to this act. Be sure to stay up to date with the notices and comment on the ones that may affect your bank. Find them here: https://www.fincen.gov/anti-money-laundering-act-2020
- Be aware of the ‘4 components.’ The four “pillars” of BSA no longer exist, at least not using that term. The new word to use is components, rather than pillars. The four components of BSA include (the prior fifth pillar is really just a part of internal controls):
  - A system of internal controls to ensure ongoing compliance, including appropriate risk-based procedures for conducting ongoing customer due diligence (CDD)
  - Independent testing of BSA compliance
  - A specifically designated person or persons responsible for managing BSA compliance
  - Training for appropriate personnel
- Cryptocurrency attentiveness is needed. Cryptocurrency is decentralized digital money, and you need to be aware of it. The most common versions are Bitcoin and Ethereum, but there are thousands of cryptocurrencies in circulation. FinCEN uses the terms convertible virtual currency (CVC) or digital assets with legal tender status (LTDA). Proposed rulemaking includes requirements for banks and money service businesses (MSBs) to submit reports, keep records, and verify the identity of customers in relation to transactions above certain thresholds. This means asking additional questions during account opening or updates to determine if your customer is participating in this type of currency. One question to ask your customers is whether they have a Crypto ATM or Kiosk in use at their business.
BSA Officer Checklist:
- Keep the BSA/AML compliance program up to date and relevant to what is going on.
- Keep your Board informed by sharing a summary of recent enforcement actions and the bank’s ideas on how to mitigate these.
- Know the Red Flags listed in the FinCEN Advisories and Guidance, and be sure to train on those red flags and share them with the departments they affect.
- Try to have a BSA committee to review suspicious activity and decisions. Use the FFIEC manual to know what your process should be and be sure to document the discussions and decisions. https://bsaaml.ffiec.gov/manual
- The bank’s BSA/AML Risk Assessment is going to play a significant part in your examinations. https://bsaaml.ffiec.gov/manual/BSAAMLRiskAssessment/01_ep
- Use the AML/CFT Priorities to help you craft the BSA/AML Risk Management Programs https://www.fincen.gov/sites/default/files/shared/AML_CFT%20Priorities%20(June%2030%2C%202021).pdf
- Regularly check on the FinCEN Updates, Advisories, Guidance, and Notices
  - Notice – tells you an advisory is coming (heads-up)
  - Advisory – tells you what is coming, Red Flags to be aware of (use this for training)
  - Guidance – is a clarification of questions asked
- Remember logging and maintaining a record is required even when depositing cash prior to the purchase of a negotiable instrument.
- It is important to get Beneficial Ownership Certification AT account opening, not before or after.
- Tie in cyber-related fraud to your BSA/AML activity tracking; this may require collaboration between the BSA and IT departments.
- Cannabis-related business activity is prevalent in all states. Your bank must have a policy and procedures in place indicating how or if you will bank them, including what you will do when you discover an existing customer is involved in this type of business.
- As part of customer due diligence (CDD) ask about the following items:
  - Privately Owned ATMs
  - Bitcoin/Cyber Coin Kiosks
  - Cannabis Related Business (including marijuana, hemp, CBD oil)
  - Money Service Businesses
  - Locations for any of the above-mentioned items
  - Expected activity for any of the items listed above
- Remember CDD is not just done at account opening. You must maintain and update CDD through the entire relationship.
- It is key to have management responses, including the current status of issues, regarding independent testing or audit results and examination findings.
- Downloaded information from FinCEN Query may help with your examination to:
  - Identify high-volume currency customers
  - Identify the volume and characteristics of SARs filed
  - Identify frequent SAR subjects (this is new, but a spreadsheet filtered by subject name could suffice)
  - Identify the volume and nature of CTRs and CTR exemptions
- Know what your BSA policy says and make sure you are following it. Determine if it should be a policy or just a procedure.
- Have a written schedule related to the BSA/AML department procedures, including who is responsible for each area, who is the back-up, and what training is provided to each of the employees responsible for BSA compliance.
- Use the FFIEC Examination Manual Table of Contents to update your BSA compliance program.
  - Include the risk assessment
  - Be sure the policy is touching on all four components and each topic under Assessing Compliance with BSA Regulatory Requirements
  - The Risks Associated with Money Laundering and Terrorist Financing can be used to update your risk assessment and could become the “High Risk” account factors
Your Actions for BSA Compliance
In closing, get those policies updated to address what the bank will do – a general statement practice. Update the procedures to indicate how you are going to do what your policy says, and then make sure you have the processes (tools) in place to do those procedures, and that you are actually doing what you say you are going to do.