Assessing the BSA/AML Compliance Program

BSA/AML INDEPENDENT TESTING EXAMINATION PROCEDURES

Objective: Determine whether the bank has designed, implemented, and maintains an adequate BSA/AML independent testing program for compliance with BSA regulatory requirements.

  1. Determine whether the BSA/AML independent testing (audit) is independent (i.e., performed by a person or persons not involved with the function being tested or other BSA-related functions at the bank that may present a conflict of interest or lack of independence).
  2. Determine whether independent testing addresses the overall adequacy of the BSA/AML compliance program, including policies, procedures, and processes. Typically, the report includes an explicit statement about the bank’s overall compliance with BSA regulatory requirements. At a minimum, the independent testing should contain sufficient information for the reviewer to reach a conclusion about the overall adequacy of the BSA/AML compliance program.
  3. Through a review of board minutes or other board of directors’ materials, determine whether persons conducting the independent testing reported directly to the board of directors or to a designated board committee comprised primarily, or completely, of outside directors. Determine whether independent testing results were provided to the board of directors and senior management.
  4. Review independent testing reports, scope, and supporting workpapers to determine whether they are comprehensive, accurate, adequate, and timely, relative to the bank’s risk profile. As applicable, evaluate the qualifications and subject matter expertise of the person or persons performing the independent test (for more information, see, e.g., OCC Safety and Soundness Standards, 12 C.F.R. Part 30 App. D, II.L.). Although there are no specific regulatory requirements for the development of an independent test, consider whether the independent testing includes, as applicable, an evaluation of:
    • The BSA/AML risk assessment.
    • The relevant changes in bank activities since the last independent test.
    • The policies, procedures, and processes governing the BSA/AML compliance program and other BSA regulatory requirements, and personnel’s adherence to those policies, procedures, and processes.
    • The bank’s adherence to BSA reporting and recordkeeping requirements.
    • The bank’s information technology sources, systems, and processes used to support the BSA/AML compliance program and whether they are complete and accurate. These may include reports or automated programs used to: identify large currency transactions, aggregate daily currency transactions, record monetary instrument sales and funds transfer transactions, and provide analytical and trend reports.
    • Training for appropriate personnel and whether it is tailored to specific functions and positions and includes supporting documentation.
    • Management’s actions to appropriately and timely address any violations and other deficiencies noted in previous independent testing and regulatory examinations, including progress in addressing outstanding supervisory enforcement actions, if applicable.
  5. Determine whether independent testing includes, as applicable, an evaluation of suspicious activity monitoring systems and the system’s ability to identify potentially suspicious activity. Although there are no specific regulatory requirements for the development of an independent test, consider whether the independent testing includes, as applicable, an evaluation of:
    • The system’s methodology for monitoring transactions and accounts for potentially suspicious activity.
    • The system’s ability to generate monitoring reports.
    • Filtering criteria, as appropriate, to determine whether they are reasonable, tailored to the bank’s risk profile, and include higher-risk products, services, customers, and geographic locations.
    • Policies, procedures, and processes for suspicious activity monitoring systems.
  6. Determine whether the independent testing includes a review and evaluation of the overall suspicious activity monitoring and reporting process. Although there are no specific regulatory requirements for the development of an independent test, consider whether the independent testing includes, as applicable, an evaluation of:
    • The identification or alert process.
    • The management of alerts, research, SAR decision making, SAR completion and filing, and monitoring of continuous activity.
    • Policies, procedures, and processes for referring potentially suspicious activity from all operational areas and business lines (such as trust services, private banking, and foreign correspondent banking) to the personnel or department responsible for evaluating potentially suspicious activity.
  7. Determine whether the independent testing performed was adequate, relative to the bank’s risk profile.
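The completeness-and-accuracy evaluation in item 4 (whether the bank's automated aggregation of daily currency transactions is complete and accurate) can be exercised directly rather than only by reading system documentation. The following is an added example, not part of this manual and not the bank's or any vendor's code: it independently re-aggregates a constructed sample of source-of-record cash transactions by customer, business day and direction, reconciles the result against a constructed copy of the bank's own aggregation report, and lists the customer-days whose aggregated total exceeds a reporting threshold. The "more than $10,000" threshold, the separate aggregation of cash in and cash out, and all transaction and report data are assumptions made for illustration; confirm them against the bank's policy and the applicable regulation before relying on the test.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import date
from decimal import Decimal

# Assumed reporting threshold: the check flags a customer's same-day cash total
# that is MORE THAN this amount, aggregated across branches but with cash-in and
# cash-out kept separate. Confirm both the amount and the "more than" rule against
# the bank's own policy before relying on this test.
THRESHOLD = Decimal("10000.00")


@dataclass(frozen=True)
class CashTxn:
    """One currency transaction as recorded in the source system of record."""
    txn_id: str
    customer_id: str
    business_date: date
    branch: str
    direction: str  # "IN" (cash received) or "OUT" (cash paid out)
    amount: Decimal


# Constructed sample of source-of-record transactions for two business days.
SOURCE_TXNS = [
    CashTxn("T1", "C001", date(2024, 3, 4), "01", "IN", Decimal("4200.00")),
    CashTxn("T2", "C001", date(2024, 3, 4), "02", "IN", Decimal("6000.00")),
    CashTxn("T3", "C002", date(2024, 3, 4), "01", "IN", Decimal("6000.00")),
    CashTxn("T4", "C002", date(2024, 3, 4), "02", "IN", Decimal("4500.00")),
    CashTxn("T5", "C003", date(2024, 3, 4), "01", "OUT", Decimal("12000.00")),
    CashTxn("T6", "C003", date(2024, 3, 4), "01", "IN", Decimal("300.00")),
    CashTxn("T7", "C004", date(2024, 3, 5), "03", "IN", Decimal("10000.00")),
]

# Constructed output of the bank's own daily aggregation report, i.e. the system
# under test. It contains two defects the reconciliation should surface:
#   - C002's deposit at branch 02 was not picked up (cross-branch understatement), and
#   - C003's cash-out row is absent entirely.
REPORT_ROWS = {
    ("C001", date(2024, 3, 4), "IN"): Decimal("10200.00"),
    ("C002", date(2024, 3, 4), "IN"): Decimal("6000.00"),
    ("C003", date(2024, 3, 4), "IN"): Decimal("300.00"),
    ("C004", date(2024, 3, 5), "IN"): Decimal("10000.00"),
}


def recompute_aggregates(txns):
    """Independently re-aggregate cash by (customer, business day, direction)."""
    totals = defaultdict(Decimal)
    for t in txns:
        if t.direction not in ("IN", "OUT"):
            raise ValueError(f"{t.txn_id}: unknown direction {t.direction!r}")
        totals[(t.customer_id, t.business_date, t.direction)] += t.amount
    return dict(totals)


def reconcile(source_totals, report_rows):
    """Compare the report against the recomputed totals; return a list of findings.

    Each finding is (kind, key, expected_from_source, reported_by_system).
    """
    findings = []
    for key, expected in source_totals.items():
        reported = report_rows.get(key)
        if reported is None:
            findings.append(("MISSING_ROW", key, expected, None))
        elif reported != expected:
            findings.append(("AMOUNT_MISMATCH", key, expected, reported))
    for key in report_rows.keys() - source_totals.keys():
        findings.append(("EXTRA_ROW", key, None, report_rows[key]))
    return findings


def over_threshold(totals, threshold=THRESHOLD):
    """Keys whose aggregated same-day cash (per direction) exceeds the threshold."""
    return sorted(key for key, amount in totals.items() if amount > threshold)


def run_independent_test(txns=SOURCE_TXNS, report_rows=REPORT_ROWS):
    """Run the full check; returns (reconciliation findings, over-threshold keys)."""
    totals = recompute_aggregates(txns)
    return reconcile(totals, report_rows), over_threshold(totals)


if __name__ == "__main__":
    findings, flagged = run_independent_test()
    for f in findings:
        print("FINDING", *f)
    for key in flagged:
        print("OVER THRESHOLD", *key)
```

On the constructed data the reconciliation reports an understated total for C002 and a missing cash-out row for C003, and the threshold pass shows that C001 crosses the threshold only when both branches are combined, that C003's cash in and cash out are judged separately, and that C004's total of exactly 10,000.00 is not flagged under the assumed "more than" rule. The same pattern applies to any of the other automated programs listed in item 4: recompute the result from the source data with logic the bank did not write, then compare.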
