Scoping and Planning


Objective: Determine the examination activities necessary to assess the adequacy of the bank’s BSA/AML compliance program, relative to its risk profile, and the bank’s compliance with BSA regulatory requirements. If included within the scope of the examination, determine appropriate OFAC compliance examination activities.

  1. Obtain and review the following documents, as appropriate:
    • Prior examination reports, supporting workpapers, management’s responses to any previously identified BSA issues, and any recommendations for the next examination.
    • The BSA/AML risk assessment, if one has been completed by the bank. If the bank has not developed a BSA/AML risk assessment, examiners must develop one. Refer to the BSA/AML Risk Assessment section for more information.
    • The bank’s internal and external BSA/AML independent testing (audit) report(s), including any scope and supporting workpapers.
    • Management’s responses, including the current status of issues, regarding independent testing or audit results and examination findings.
    • Any other information available through the offsite and ongoing monitoring process or from information received from the bank in response to the request letter. This may include:
    • BSA reporting available from FinCEN.
    • Any other information or correspondence obtained between examinations related to the BSA/AML compliance program, including systems and processes the bank uses to monitor and file on currency transactions and suspicious activity, law enforcement inquiries or engagements, or higher-risk banking operations.
  2. Determine whether independent testing is adequate and may be leveraged for use in assessing the bank’s BSA/AML compliance program and the bank’s compliance with BSA regulatory requirements. To determine the adequacy, consider whether testing was independent and assessed all appropriate ML/TF and other illicit financial activity risks within the bank’s operations, and consider whether access was provided to the appropriate independent testing scope and supporting workpapers. 
  3. Review SARs, CTRs, and CTR exemption information. As appropriate, determine accounts that should be considered for further testing. Consider and analyze the information below for unusual patterns.
    • High-volume currency customers.
    • The volume and characteristics of SARs filed.
    • Frequent SAR subjects.
    • The volume and nature of CTRs and CTR exemptions.
    • The volume of SARs and CTRs in relation to the bank’s products and services, size, asset or deposit growth, and geographic locations
  4. Review correspondence between the bank and its regulator(s), if not already completed by the examiner-in-charge or other examination personnel. In addition, review correspondence that the bank and its regulator(s) have received from, or sent to, outside regulatory and law enforcement agencies relating to BSA/AML compliance. Communications, particularly those received from FinCEN, may provide information relevant to the examination, such as the following:
    • Filing errors for SARs, CTRs, and CTR exemptions from FinCEN’s BSA E-Filing System.
    • Civil money penalties issued by, or in process from, FinCEN or state agencies.
    • Law enforcement subpoenas, seizures, or “keep-open” requests.
    • Notification of mandatory account closures of noncooperative foreign customers holding correspondent accounts as directed by the Secretary of the Treasury or the U.S. Attorney General.
    • Law enforcement letters acknowledging that the bank provided highly useful information, as necessary and relevant.
    • Participation in law enforcement-related information exchanges, as necessary and relevant.
  5. Review the bank’s information technology sources, systems, and processes used in its BSA/AML compliance program to determine whether additional examiner subject matter expertise is warranted.
  6. If included within the scope of the examination, review the bank’s policies, procedures, and processes for complying with OFAC-administered laws and regulations. This should include the bank’s OFAC risk assessment, independent testing of its OFAC compliance program, and any correspondence between the bank and OFAC (e.g., periodic reporting of prohibited transactions and, if applicable, annual OFAC reports on blocked property, voluntary self-disclosures, and Cautionary or No Action Letters from OFAC). Also, review the bank’s use of information technology sources, systems, and processes used in its OFAC compliance program to determine whether additional examiner subject matter expertise is warranted.


< Previous Page
Risk - Focused BSA/AML Supervision
Next Page >
Developing the BSA/AML Examination Plan