BSA Exam Manual takeaways
Pillars for AML compliance from the FFIEC
Fortunately for AML/CFT Officers, regardless of experience level, the FFIEC BSA Examination Manual already provides guidance for you to build or restructure your AML/CFT program. However, copying and pasting the recommendations into your policies and procedures will not be enough to ensure a solid program. You must understand each of the pillars to manage accordingly and educate those on the front line about the role they will play in bringing it to life. You must also instill a strong culture of compliance at your institution to ensure long-term success.
Let's examine the key takeaways for each of the current five pillars of BSA and AML compliance. Then, we’ll examine what might become the sixth AML pillar.
1. Internal controls
Many factors make the internal control pillar critical to your AML/CFT program. Not only is this a required part of BSA compliance, but controls also ensure that things are running smoothly and that you won't be caught off guard during a regulatory examination. Critical internal controls include:
- Developing policies, procedures, and processes designed to mitigate and manage money laundering and terror financing.
- Providing timely updates in response to changes in regulations to keep your AML/CFT program aligned with regulatory expectations.
- Incorporating dual controls and the segregation of duties to ensure an essential second management layer.
- Managing technological and staffing resources strictly to ensure that all AML responsibilities are met or, at a minimum, to allow you to make your business case to senior management if resources are deficient.
- Providing for program continuity despite changes in operations, management, or employee structure to ensure that no surprises occur from issues such as a pandemic or other natural disaster.
2. Designation of an AML/CFT Officer (formerly BSA Officer)
The AML/CFT Officer pillar seems intuitive; all successful programs must have a competent leader. A carefully considered appointment is critical. Remember these key factors when appointing your AML/CFT Officer:
- The designated AML/CFT Officer must be approved by the board of directors and recorded in meeting minutes.
- The AML/CFT Officer must have the appropriate background and level of experience for the position. Promoting the head teller of the institution, no matter how great a staff member they may be, will probably not pass regulatory scrutiny.
- The AML/CFT Officer must have the necessary authority, independence, and access to resources to administer an adequate AML compliance program. Independence means that the reporting structure should be outside of the compliance area, and the AML/CFT Officer should be the decision maker in all matters relating to BSA. The title of this position is unimportant from a regulatory perspective, but the authority, independence, and access to resources are critical.
3. Periodic BSA training
Despite sounding straightforward, BSA training is often not implemented properly and is a common examiner finding. Ongoing training is at the heart of a solid AML compliance program. Be sure to take these steps to fulfill the BSA training requirements:
- Avoid one-size-fits-all training. BSA training must be tailored to each employee's roles and responsibilities. The front-line staff is your ultimate line of defense and must have detailed BSA training. However, lenders need to know what is relevant to their job functions, and the board of directors requires high-level training to cover their fiduciary duties.
- Conduct BSA training at least annually and more often if you experience deficiencies in implementing policies and procedures. An effective AML/CFT program cannot be achieved without all team members having the necessary knowledge.
- Document training modules and dates for every staff member, including the board of directors. If one stubborn executive misses training, you will receive regulatory criticism. Remember to stress a culture of compliance if you run into this situation.
4. Independent testing
The term independent testing is used interchangeably with an audit function. This pillar is designed to assess a financial institution's compliance with AML requirements and the overall adequacy of the AML compliance program. An independent audit before an exam, either internal or by a third party, gives you the ability to shore up any gaps in your program before a regulatory exam. Takeaways for financial institutions from this pillar include:
- Independent testing should be conducted by the internal audit department, outside auditors, consultants, or other qualified independent parties.
- Those conducting the audit must have sufficient knowledge and experience with AML compliance.
- Audits should consider the entire AML/CFT program, including AML and OFAC monitoring technical resources. Periodic AML model validations will also be required to ensure that AML software is working as intended and that all critical data sources feeding into each model are identified.
5. Ongoing customer due diligence (CDD)
A cornerstone of a robust AML compliance program is adopting and implementing risk-based CDD policies, procedures, and processes for all customers, particularly those that present a higher risk for money laundering and terrorist financing. The objective of ongoing customer due diligence is to understand the nature and purpose of customer relationships, which may include understanding the types of transactions in which a customer is likely to engage. These processes assist financial institutions in determining when transactions are potentially suspicious. Below are important factors to assess when developing your CDD program:
- Each CDD program should begin with a Customer Identification Program (CIP) as outlined in the USA PATRIOT Act.
- CDD should be risk-focused. Not all customers in a higher-risk category have equal risk within an institution. Rely on your institution's unique risk assessment to determine how much due diligence is required for each customer type.
- As part of CDD, financial institutions must identify and verify beneficial owners of legal entities with an ownership interest of 25% or more. Beneficial ownership is determined under both a control prong and an ownership prong. Under the control prong, the beneficial owner is a single individual with significant responsibility to control, manage, or direct a legal entity customer. For each legal entity, the customer must identify one beneficial owner under the control prong.
- It's worth noting that the Anti-Money Laundering Act of 2020 has required FinCEN to analyze any changes needed to the CDD legislation once FinCEN establishes the beneficial ownership registry. Although details for this requirement are very late in coming to fruition, you should keep your eyes open for future updates on CDD and beneficial ownership changes.