BSA/AML Manual

RISK-FOCUSED BSA/AML SUPERVISION

Objective: Based on the bank’s risk profile, determine the BSA/AML examination activities necessary to assess the adequacy of the bank’s BSA/AML compliance program and the bank’s compliance with BSA regulatory requirements. 

The agencies use a risk-focused approach for planning and performing BSA/AML examinations, which is reinforced in the “Joint Statement on the Risk-Focused Approach to BSA/AML Supervision.”^[4]“Joint Statement on the Risk-Focused Approach to BSA/AML Supervision,” issued by the Board of Governors of the Federal Reserve System (Federal Reserve), the Federal Deposit Insurance Corporation (FDIC), the Financial Crimes Enforcement Network (FinCEN), the National Credit Union Administration (NCUA), and the Office of the Comptroller of the Currency (OCC), July 22, 2019. Examiners should assess the adequacy of the bank’s BSA/AML compliance program, relative to its risk profile, and the bank’s compliance with BSA regulatory requirements. The extent of BSA/AML examination activities necessary to assess the bank generally depends on the bank’s risk profile and the quality of risk management processes to identify, measure, monitor, and control risks, and to report potential ML/TF and other illicit financial activity. Given that banks vary in size, complexity, and organizational structure, each bank has a unique risk profile, and the scope of a BSA/AML examination varies by bank. 

To conduct risk-focused BSA/AML examinations, examiners should tailor their examination plans, including examination and testing procedures, to each bank’s risk profile. To understand the bank’s risk profile, examiners should consider available information including, but not limited to, the following:

• The bank’s BSA/AML risk assessment.
• Independent testing or audits.
• Analyses and conclusions from previous examinations.
• Management’s responses, including the current status of issues, regarding independent testing or audit results and examination findings.
• Offsite and ongoing monitoring.
• Information received from the bank in response to the request letter.
• Other communications with the bank.
• BSA reporting available from the Financial Crimes Enforcement Network (FinCEN).

As explained in more detail below, examiners should review the bank’s BSA/AML risk assessment and independent testing when evaluating the bank’s ability to identify, measure, monitor, and control risks. BSA/AML risk assessments and independent testing that properly consider and test all risk areas (including products, services, customers, and geographic locations in which the bank operates and conducts business) are used in determining the BSA/AML examination and testing procedures that should be performed.^[5]As appropriate, examiners should consider aspects of these risk areas, including transaction activity (such as the number and dollar amount of cash and wire transfer activity) and distribution channels (such as mobile banking or third parties), which may impact the risks.

BSA/AML Risk Assessment

The scoping and planning process is guided by examiner review of the BSA/AML risk assessment for the bank. The information contained in the BSA/AML risk assessment assists examiners in developing an understanding of the bank’s risk profile, risk-focusing the examination scope, and assessing the adequacy of the bank’s overall BSA/AML compliance program and its compliance with BSA regulatory requirements. 

The BSA/AML Risk Assessment section provides information and procedures for examiners in determining whether the bank has developed a risk assessment process that adequately identifies the ML/TF and other illicit financial activity risks within its banking operations. If the bank has not developed a BSA/AML risk assessment, this fact should be discussed with management. Whenever the bank has not completed a BSA/AML risk assessment, or the BSA/AML risk assessment is inadequate, examiners must develop a BSA/AML risk assessment for the bank. 

Independent Testing

Examiners should obtain and evaluate independent testing (audit) report(s) of the bank’s BSA/AML compliance program, including any scope and supporting workpapers. The independent testing should be conducted by the internal audit department, outside auditors, consultants, or other qualified independent parties (not involved in the function being tested or other BSA-related functions at the bank that may present a conflict of interest or lack of independence). Independent testing results should be reported directly to the board of directors or a designated board committee composed primarily, or completely, of outside directors. 

The scope and quality of independent testing may provide examiners with information regarding the bank’s particular risks, how these risks are being managed and controlled, and the status of the bank’s BSA compliance. Independent testing report(s) and supporting workpapers can assist examiners in understanding audit coverage and the quality and quantity of transaction testing that was performed as part of the independent testing. This knowledge assists examiners in risk-focusing the BSA/AML examination plan by identifying areas for greater (or lesser) review, and by identifying when additional examination and testing procedures may be necessary.

If the bank’s independent testing is adequate, findings from the independent testing may be leveraged to reduce the examination areas covered and the testing necessary to assess the bank’s BSA/AML compliance program. To determine the adequacy of the bank’s independent testing, examiners should determine whether the testing was independent and assessed all appropriate ML/TF and other illicit financial activity risks within the bank’s operations. Examiners must have access to the appropriate independent testing scope and supporting workpapers to leverage findings from the bank’s independent testing. Refer to the BSA/AML Independent Testing section for more information. 

BSA Reporting Available From FinCEN

FinCEN Query is the system used to access all BSA reports. BSA/AML examination planning should include an analysis of BSA reports that the bank has filed, such as Suspicious Activity Reports (SARs), Currency Transaction Reports (CTRs), and CTR exemptions, for a defined time period. SARs, CTRs, and CTR exemptions may be exported, downloaded, or obtained directly online from FinCEN Query. Each federal banking agency has staff authorized to obtain this data from FinCEN Query. When requesting searches from FinCEN Query, examiners should contact the appropriate person(s) within their agency sufficiently in advance of the examination start date to obtain the requested information. When a bank has recently purchased or merged with another bank, examiners should obtain SARs, CTRs, and CTR exemptions data on the acquired bank.^[6]If a bank merges with a non-bank financial institution covered by BSA filing obligations (such as an insurance company, a money services business, or a broker-dealer), the examiner should obtain relevant filings from FinCEN Query.

Downloaded information from FinCEN Query may be important to the examination, as it helps examiners:

• Identify high-volume currency customers.
• Identify the volume and characteristics of SARs filed.
• Identify frequent SAR subjects.
• Identify the volume and nature of CTRs and CTR exemptions.
• Select accounts, transactions, or BSA filings for testing, if warranted.

The federal banking agencies do not have targeted volumes or “quotas” for SAR and CTR filings. Examiners should not criticize a bank solely because the number of SARs or CTRs filed is lower than the number of SARs or CTRs filed by “peer” banks. However, as part of the examination, examiners should consider significant changes in the volume or nature of BSA filings and assess potential reasons for these changes.

Information available through FinCEN Query is sensitive, and in some instances confidential, and may only be retrieved and used by examiners for official business. The dissemination of information obtained through FinCEN Query is subject to specific legal requirements, restrictions, and conditions. Examiners must adhere to the “FinCEN Re-Dissemination Guidelines for Bank Secrecy Act Information” and the “FinCEN Bank Secrecy Act Information Access Security Plan” when accessing information through FinCEN Query. These documents can be obtained through each agency’s FinCEN Query coordinator and should be reviewed by anyone accessing FinCEN Query.

Risk-Focused Testing

Examiners perform testing to assess the adequacy of the bank’s BSA/AML compliance program, relative to its risk profile, and the bank’s compliance with BSA regulatory requirements. Examiners also perform testing to assess the implementation of policies, procedures, and processes, and to evaluate controls, information technology sources, systems, and processes used for BSA compliance. 

Testing performed during BSA/AML examinations should be risk-focused and can take the form of testing specific transactions, or performing analytical or other reviews. Examiners must perform some testing during each BSA/AML examination cycle. Testing may focus on any of the regulatory requirements and may address different areas of the BSA/AML compliance program, but may not be necessary for every regulation or BSA area examined. Where transaction testing typically involves reviewing specific transactions or files, analytical reviews are usually higher level without transaction or file details, such as analyzing reports.

Under a risk-focused examination approach, the size and composition of the sample selected for testing, as well as the type of testing, should be commensurate with the bank’s risk profile and the examination scope. While examiners generally test different areas in successive examinations, it may be appropriate to test the same areas in successive examinations based on previous examination findings, as well as the bank’s risk profile and risk assessment, including any changes therein. Examiners should limit the extent and type of testing for smaller or less complex institutions with lower risk profiles for ML/TF and other illicit financial activity. Examples of testing may include the following:

• Sampling suspicious activity alerts, discussing (at a high level) the investigation process with staff, and reviewing the decision-making process regarding SAR filings.
• Determining whether reports, such as SARs and CTRs, are complete and accurate.
• Comparing filed CTRs against reportable transactions that can be identified on the bank’s large cash transaction report.
• Determining whether eligible Phase II CTR-exempt customers (non-listed businesses) have been exempted appropriately by reviewing annual reportable cash transactions.
• Confirming the bank has collected and verified Customer Identification Program (CIP) and collected customer due diligence (CDD) data on a sample of new accounts.
• Determining whether the bank has collected beneficial ownership information on a sample of legal entity customers by comparing internal reports with customer files.
• Determining whether independent testing findings have been reported to the board of directors, or to a designated board committee, by reviewing the board or committee minutes.
• Comparing staff training records with the standards outlined in the bank’s training policy.

When determining the testing to perform, examiners should consider changes in the bank’s business strategies, geographic locations, transaction activity, products, services, customer types, operations, and/or technology. Banks that have had significant changes in these areas since the previous BSA/AML examination may need more extensive testing to determine the adequacy of the BSA/AML compliance program. 

Testing should be sufficient to assess the bank’s adherence to, and the appropriateness of, its policies, procedures, and processes. Procedures for testing are found within the specific examination procedures sections of this Manual. Examiners should document in the BSA/AML examination plan the rationale regarding the extent and type of testing to be performed. The scope of testing can be expanded to address any issues or concerns identified as part of examination activities. Examiners should also document the rationale for changes to the scope of testing.