BSA/AML Manual

DEVELOPING CONCLUSIONS AND FINALIZING THE EXAM

Objective: Formulate conclusions about the adequacy of the bank’s BSA/AML compliance program, relative to its risk profile, and the bank’s compliance with BSA regulatory requirements; develop an appropriate supervisory response; and communicate BSA/AML examination findings to the bank.

In the final phase of the BSA/AML examination, examiners should assemble all findings from the examination and testing procedures completed. From those findings, examiners should develop and document conclusions about the adequacy of the bank’s BSA/AML compliance program, relative to its risk profile, and the bank’s compliance with BSA regulatory requirements. When formulating conclusions, examiners are reminded that banks have flexibility in the design of their BSA/AML compliance programs, which will vary based on the bank’s risk profile, size or complexity, and organizational structure. Examiners should primarily focus on whether the bank has established appropriate processes to manage ML/TF and other illicit financial activity risks, and that the bank has complied with BSA requirements.

Examiners should discuss with the bank their preliminary conclusions, which may include strengths, weaknesses, any deficiencies or violations, if applicable, and necessary remediation of any deficiencies or violations. Minor weaknesses, deficiencies, and technical violations alone are not indicative of an inadequate BSA/AML compliance program and should not be communicated as such. Conclusions regarding the adequacy of the bank’s BSA/AML compliance program and any significant findings should be presented in a written format for inclusion in the report of examination (ROE).^[22]ROE may include other formal supervisory correspondence, such as Supervisory Letters.

In formulating a written conclusion for the ROE, examiners do not need to discuss every procedure performed during the examination. Written comments should convey to the reader whether the overall BSA/AML compliance program is adequate. The comments should cover areas or subjects pertinent to examiner findings and conclusions. Examiners should prepare workpapers in sufficient detail to support discussions in the ROE. To the extent items are discussed in the workpapers but not the ROE, the workpapers should appropriately document each item, as well as any other aspect of the bank’s BSA/AML compliance program that merits attention but may not rise to the level of findings included in the ROE. Examiners should organize and reference workpapers and document conclusions and supporting information within internal agency systems, as appropriate. 

Examiners should determine and document what supervisory response, if any, is recommended. The BSA/AML examination findings may include violations of laws or regulations or other deficiencies. Any substantive deficiencies in the BSA/AML compliance program, including violations, should be included in the ROE in such a manner that allows the reader to understand the cause of the deficiencies. The extent to which violations and other deficiencies affect the examiner’s evaluation of the adequacy of the bank’s BSA/AML compliance program and the bank’s compliance with BSA regulatory requirements is based on the nature, duration, and severity of the problem. In some cases, the appropriate supervisory response is for the bank to correct the violations or other deficiencies as part of the normal supervisory process. These remediation efforts should be documented in the ROE. In appropriate circumstances, however, an agency may take either informal or formal enforcement actions to address violations of BSA regulatory requirements.^[23]The “Interagency Statement on Enforcement of Bank Secrecy Act/Anti-Money Laundering Requirements” (refer to Appendix R) explains the basis for the federal banking agencies’ enforcement of specific requirements of the BSA.

Violations or deficiencies can be caused by a number of issues including, but not limited to, the following:

• Management has not appropriately assessed the bank’s ML/TF and other illicit financial activity risks.
• Management has not created or enhanced policies, procedures, and processes.
• Management or employees disregard, are unaware of, or misunderstand regulatory requirements or internal policies, procedures, or processes.
• Management has not adjusted the BSA/AML compliance program commensurate with growth in higher-risk operations (products, services, customers, and geographic locations).
• Management has not provided sufficient staffing for the bank’s risk profile.
• Management has not appropriately communicated changes in internal policies, procedures, and processes.

Systemic or Repeat Violations

Systemic or repeat violations involve either a substantive deficiency or a repeated failure to comply with BSA regulatory requirements, including the requirement to establish and maintain a reasonably designed BSA/AML compliance program. A substantive deficiency or repeated failure to comply with BSA regulatory requirements could negatively affect the bank’s ability to manage ML/TF and other illicit financial activity risks. Systemic violations are the result of substantively deficient systems or processes that fail to obtain, analyze, or maintain required information, or to report customers, accounts, or transactions, as required under various provisions of the BSA. Repeat violations are repetitive occurrences of the same or similar issues. 

When evaluating whether deficiencies constitute systemic or repeat violations, examiners must analyze the pertinent facts and the totality of circumstances, including whether the deficiencies are frequently recurring, regular, or usual, and whether the deficiencies are of the same or similar nature.

Considerations in determining whether a violation is systemic include, but are not limited to:

• Whether the number of violations is high when compared to the bank's total activity. This evaluation usually is determined through a sampling of transactions or records. Based on this process, determinations are made concerning the overall level of noncompliance. However, even if the violations are few in number, they could reflect systemic noncompliance, depending on the severity (e.g., significant or egregious).
• Whether there is evidence of similar violations by the bank in a series of transactions or in different divisions or departments. This is not an exact calculation and examiners should consider the number, significance, and frequency of violations identified throughout the organization. Violations identified within various divisions or departments may or may not indicate a systemic violation. These violations should be evaluated in a broader context to determine if training or other compliance system weaknesses are also present.
• The relationship of the violations to one another (e.g., whether the violations occurred in the same area of the bank, in the same product line, in the same branch or department, or with one employee).
• The impact the violation or violations have on the bank's suspicious activity monitoring and reporting capabilities.
• Whether the violations appear to be grounded in a written or unwritten policy or established procedure, or result from a lack of an established procedure (e.g., the bank’s currency transaction reporting thresholds are inconsistent with BSA regulations).
• Whether there is a common source or cause of the violations.
• Whether the violations were the result of errors in software programming or implementation.

Systemic or repeat violations of the BSA or other deficiencies could have a negative impact on the adequacy of the bank’s BSA/AML compliance program.^[24]The violations or deficiencies may also constitute unsafe or unsound banking practices. See 12 CFR Part 30 (OCC). When systemic instances of noncompliance are identified, examiners should consider the noncompliance in the context of the overall program (internal controls, independent testing, designated individual or individuals, and training) and refer to Appendix R – Interagency Statement on Enforcement of Bank Secrecy Act/Anti-Money Laundering Requirements for more information regarding when a bank’s BSA/AML compliance program may be deficient as a result of systemic noncompliance. All systemic violations and substantive deficiencies should be brought to the attention of the bank’s board of directors and senior management and documented in the ROE or other supervisory correspondence directed to the board of directors.

Types of systemic or repeat violations may include, but are not limited to:

• Failure to establish a due diligence program that includes a risk-based approach, and when necessary, enhanced policies, procedures, and controls concerning foreign correspondent accounts.
• Failure to maintain a reasonably designed due diligence program for private banking accounts for non-U.S. persons (as defined in 31 CFR 1010.620).
• Frequent, consistent, or recurring late currency transaction report (CTR) or suspicious activity report (SAR) filings.
• A significant number of CTRs or SARs with errors or omissions of data elements.
• Consistently failing to obtain or verify required customer identification information at account opening.
• Consistently failing to complete searches on 314(a) information requests.
• Failure to consistently maintain or retain records required by the BSA.

Also, the “Interagency Statement on Enforcement of Bank Secrecy Act/Anti-Money Laundering Requirements” provides that “[t]he Agencies will cite a violation of the SAR regulations, and will take appropriate supervisory actions, if the organization’s failure to file a SAR (or SARs) evidences a systemic breakdown in its policies, procedures, or processes to identify and research potentially suspicious activity, involves a pattern or practice of noncompliance with the filing requirement, or represents a significant or egregious situation.”^[25]Appendix R – “Interagency Statement on Enforcement of Bank Secrecy Act/ Anti-Money Laundering Requirements.”

Isolated or Technical Violations

Isolated or technical violations are limited instances of noncompliance with the BSA that occur within an otherwise adequate system of policies, procedures, and processes. These violations generally do not prompt serious regulatory concern or reflect negatively on management’s supervision or commitment to BSA compliance, unless the isolated violation represents a significant or egregious situation or is accompanied by evidence of bad faith. Corrective action for isolated or technical violations is usually undertaken by the bank within the normal course of business. 

Multiple isolated or technical violations throughout bank departments or divisions can indicate systemic or repeat violations. Examiners should consider multiple isolated or technical violations in the context of all examination findings, oversight provided by the bank’s board of directors and senior management, and the bank’s risk profile. 

Types of isolated or technical violations may include, but are not limited to:

• Failure to file or late filing of CTRs that is infrequent, not consistent, or nonrecurring.
• Failure to obtain complete customer identification information for a monetary instrument sales transaction that is isolated and infrequent.
• Infrequent, not consistent, or nonrecurring incomplete or inaccurate information in SAR data fields.
• Failure to obtain or verify required customer identification information that is infrequent, not consistent, or nonrecurring.
• Failure to complete a 314(a) information request that is inadvertent or nonrecurring.