
10 Ways to Prepare for Your Next BSA Exam
Kathlyn L. Farrell, CRCM, CAMS

The specter of an approaching Bank Secrecy Act (BSA) examination is enough to make a BSA officer think of changing careers. Stories of BSA/anti-money laundering (AML) civil money penalties and enforcement actions are now legend in the banking community, and every year they continue to occur, both in large and small institutions. While BSA compliance will continue to represent a high level of risk for most institutions, with effective compliance programs the risk is manageable. One good method for managing BSA/AML compliance risk is to check areas in the bank that are ripe for common violations before the exam begins. In discussions with clients and regulators, we have noted some BSA requirements in which banks are often cited as deficient. Many of these requirements are fairly easy to implement but can slip through the cracks if not monitored throughout the year. In some cases the bank may be fulfilling the requirements but not documenting them. It is always wise to do a quick check-up before the BSA exam draws near.

Usually a bank is informed by its regulatory agency a few months in advance that it will have a BSA examination. The examination request list arrives four to six weeks prior to the exam date. The following are 10 things a BSA officer should do after learning that his or her bank will be having a BSA examination. In an ideal situation, the BSA officer should review these items at least 90 days prior to the exam date. If any corrections or changes are needed, they can be implemented quickly. Checking up and making corrections in these areas will help ensure that the foundation of the bank’s BSA compliance program is sound when the examiners review it.

1. Update Your Risk Assessments

By now most institutions have written BSA/AML risk assessments. (If you don’t, writing one should be your first step—see the Federal Financial Institutions Examination Council’s (FFIEC) BSA/AML Examination Manual 7/06.) Risk assessments must be reviewed, updated, and approved at least annually by the board of directors. The BSA officer should check to see whether the risk assessment is or will be updated by the time of the BSA exam. The risk assessment should cover all new products and services that have been added since the previous update and cover all lines of business. For example, if the bank has added a product, such as remote deposit services or foreign correspondent banking, it should be addressed in the risk assessment. Has the bank added any locations? If so, is its customer base the same? Is the new location located in a high-risk area? These questions should be considered because the customer base is an important element of the BSA risk assessment. Check the designations of the high-risk areas themselves—High Intensity Money Laundering and Related Financial Crime Areas (HIFCAs) and High Intensity Drug Trafficking Areas (HIDTAs)—because these are also subject to change. In addition, the bank should review customer identification program (CIP) risk and Office of Foreign Assets Control (OFAC) risk assessment. These may be included within the BSA risk assessment but should also be addressed separately, as these types of risk differ from each other. All risk assessments should be updated annually and have a mechanism for board approval.

2. Check the BSA-Related Policies

All BSA-related policies—BSA, CIP, OFAC, suspicious activity reports (SARs), etc.—should be reviewed and approved annually by the board of directors. The BSA officer should review the last approval date to ensure that these policies will be up to date by the time of the exam. Policies should address all high-risk areas. The BSA officer should review the policies to ensure that they cover all new products and services and changes to lines of business since the date of the previous revision. The policy should also address continuity in the bank’s BSA staffing. If the BSA officer is the only one familiar with the law, the bank has a problem. The policy should state how continuity is maintained. BSA policies should specifically address the four pillars of the legal requirements for a BSA program—in other words, these should be listed in the policy itself with an affirmative statement that the bank will fulfill these requirements. The required pillars include the following:

• a system of internal controls
• BSA training
• independent BSA testing
• the appointment of a specially designated person to be responsible for BSA compliance.

To make it easier for an examiner or auditor to locate, we recommend that these four pillars be highlighted in the policy in some fashion.

3. Review BSA Training Records

A frequently cited BSA deficiency is the lack of comprehensive training documentation for all applicable areas of the institution. BSA, CIP, suspicious activity reporting, and OFAC training should be documented for all affected employees. Not only must the training session be noted, but its content should also be included in the file for the examiners to review. All outlines, handouts, and brochures that describe the training itself should be maintained in the file. The bank should remember to train not only on the generic requirements of the regulation but also on the bank’s own policies and procedures. It is a good idea for the bank’s board of directors to receive annual BSA/AML training. If the board hasn’t conducted such a review, now is a good time to schedule a session.

4. Check the Scope of the Last Independent Audit

A common BSA error is the lack of a full-scope independent audit. The BSA officer should review the most recent audit and determine whether:

• it covers the key elements of the bank’s BSA program, including all of the bank’s business lines (for example, make sure it covers the lending and trust areas)
• the audit was independent and performed by a qualified person (make sure the bank has the credentials of the auditors in writing)
• sufficient transactional testing was undertaken (make sure the audit included documentation of the transactions that were tested, including a list or description of the samples and a description of the populations from which they were drawn)
• audits were conducted with sufficient frequency (12-18 months)
• all audits were reported to the board or a committee of the board
• documented responses were made to the audit findings
• all deficiencies were corrected or were at least addressed

A review of the major headings in the FFIEC BSA/AML manual is a quick way to establish whether the audit touched all required areas. A bank might have enough time to squeeze in an audit prior to an exam. This might be the best approach because deficiencies will be brought to light and the bank can begin to address them. If there is not enough time to perform an audit, the bank should engage a qualified firm to perform one and have an engagement letter or agreement available to present to examiners.

5. Check the Bank’s OFAC Program

OFAC compliance within the bank can be a source of different types of deficiencies. The BSA officer should check to see that transactions are checked against all appropriate lists on a risk basis. Following are some of the easier types of transactions to overlook:

• the other end of a wire transfer (the one not involving the bank’s customer)
• the payee on bank-issued cashier’s checks
• the payee of on-us checks cashed in bank lobbies
• expense check payees
• loan guarantors without another bank relationship
• safe deposit box customers
• the bank’s own employees


Some of these transactions may be so small that the bank reasonably decides to not perform OFAC checks on them. The bank may perform a risk assessment and decide to implement a policy whereby it will not check OFAC lists on small checks cashed in the bank’s lobby. This type of policy and the risk assessment behind it should be documented in writing.

Also, the bank should make sure that its OFAC software checks all appropriate lists, such as the PLC (Palestinian Legislative Council), not just the OFAC Specially Designated Nationals (SDN) list. In addition, the bank should make sure that the most current list is being used. Documentation of OFAC checks is important as well. Not only should the bank’s policies and procedures specify the various OFAC responsibilities, but each type of check should be documented in some way—such as noting the check on the bank’s copy of the cashier’s check or maintaining logs of checks of the bank’s database. Documentation is equally important for indicating how the bank disposes of false positives. This process should be formalized in writing, including how it is documented.

6. Determine that the CIP Policy is Working in the Loan Department

Ensure that the bank is collecting complete CIP information on loan customers who have no other relationship with the bank. In many institutions the lending staff relies on the new accounts personnel to obtain CIP information. When the borrower has no other relationship with the bank, lenders are responsible for obtaining this information. The BSA officer should sample a few of the bank’s recent loan files for such customers. In its review, the BSA officer should determine whether the bank obtained all required identity information, verified the information, and maintained records of the verification documents. For example, if the bank reviews driver’s licenses or passports but does not copy the actual documents, does the bank record the document number and expiration date?

Another CIP checkpoint should be a determination of whether the bank is following its own policies for obtaining new account information. If the bank’s policies state that two forms of identification are required, are both forms being obtained on a regular basis and are both being documented? A policy that is waived too often is not considered to be effective, and even though a policy requiring two forms of identification goes beyond the scope of the law, the bank will get criticized if it does not follow (and document) its own board-approved policy.

If the bank relies on a third party for CIP review and verification—such as a car dealer from whom it purchases loans—the bank should have a written agreement with the third party that sets forth the requirements for customer identification.

7. Check to Ensure the Bank Has Adequate Documentation of Suspicious Activity Monitoring

Most banks monitor regularly for suspicious activity—i.e., transactions that look potentially suspicious are analyzed and researched. Because this area of BSA compliance has recently received the greatest amount of regulatory scrutiny, it should always be monitored, especially in light of an upcoming examination. There are a couple of deficiencies that should be checked. First, does the monitoring process cover all the necessary lines of business in the bank? Almost all banks will monitor cash activity, but suspicious activity monitoring should be more inclusive. Loan activity, wires, and trust transactions are just some of the parts of the bank that should be part of the suspicious activity monitoring process. If they are not a part of this process, formulate a procedure and start monitoring them. It is better than having an examiner note the deficiency.

Second, in some cases the bank may not adequately document the suspicious activity monitoring process. If the bank has automated this process, the software may facilitate the documentation also. However, if the bank is using a manual system to monitor (reviewing daily reports and transactions), the documentation must also be maintained manually. Documentation, including memos, entries, reports, and copies of transactions, should be kept on all potentially suspicious activity, even when a SAR is not filed. This process can be made less paper-intensive by scanning documents into electronic files and logging the information into electronic spreadsheets. However, some form of documentation is necessary to show that the bank is routinely reviewing suspicious activity.

8. Check the 314a Information-Sharing Procedures

The BSA officer should check to make sure that all required records are being searched when the Financial Crimes Enforcement Network (FinCEN) 314a requests are received. Types of records that are easy to overlook are monetary instruments and wire transfers sent for noncustomers. Don’t forget to review any separate databases that support lines of business in the bank. For example, the trust department might have its own customer database. One other likely 314a error is the failure to keep the records in a secure manner—either in a locked cabinet or drawer or in a password-protected electronic format. Some examiners prefer that requests themselves be shredded. However, the searches, like all other parts of your BSA program, must be documented—by signing the 314a cover sheet or the pages themselves, or by using a log sheet if the bank’s security procedures require the underlying request documentation to be destroyed.

9. Check Currency Transaction Report (CTR) Exemptions

A quick check of the bank’s currency transaction report (CTR) exemption process can uncover errors that can be corrected before the exam. Check the following:

• Has the bank filed an exemption on all financial institutions it uses to purchase or sell currency? These require a one-time filing.
• Has the bank conducted and documented annual reviews of all non-listed businesses that have Phase II exemptions? Annual reviews should be documented to show that the person or entity still qualifies to be exempt (e.g., they have made a sufficient number of cash deposits, no suspicious activity was indicated, etc.). If the customer no longer qualifies, the bank must file a revocation of the exemption.
• Have all renewals of exempt customers been filed on a timely basis? If not, they should be filed as soon as possible.
• Is the exemption process adequately covered in the bank’s BSA policy, including a designation of the person with the authority to grant exemptions?

10. High-Risk Customer Monitoring

Most institutions have identified their high-risk customers. These accounts should be monitored periodically for suspicious activity. Documentation of the monitoring process should be retained. The bank should maintain a schedule for high-risk customer monitoring. These accounts may be reviewed monthly, quarterly, or annually, depending upon their degree of risk. Once again, it is hard to get credit for what is not documented. Keep files, checklists, account statements, electronic records, or memos that document the monitoring process for these customers.

Conclusion

There is, of course, much more we could mention. For example, all employees hired since the last examination should have had BSA training and should acknowledge, in writing, their BSA responsibilities. Also, the last BSA exam report should be reviewed and any deficiencies should be re-checked to avoid repeat violations. Remember to refer to the FFIEC BSA/AML Examination Manual (7/06), as this is the standard for BSA compliance. (The manual can be downloaded from FFIEC.gov.)

Keep in mind, too, the cardinal rule for BSA—if it isn’t documented, it didn’t happen. Hopefully, if your BSA compliance program is comprehensive and strong in the essentials, just a quick check of the most vulnerable areas will prevent any inadvertent last-minute errors.

About the Author: Kathlyn L. (Lyn) Farrell, CRCM, CAMS

Lyn is the Managing Director of Risk Management Services for Sheshunoff Management Services, an Austin, Texas-based bank consulting company. She is a licensed attorney with 30 years’ experience in banking. She has been in-house counsel and compliance officer for small- and medium-size banks and is the author of the ABA’s Reference Guide to Regulatory Compliance and the ABA’s Law and Banking textbook.

Reach her by e-mail at [email protected] or by telephone at (800) 477-1772.