On April 15, 2020, the Federal Financial Institutions Examination Council (FFIEC) released an updated version of certain portions of its Bank Secrecy Act/Anti-Money Laundering (BSA/AML) Examination Manual (BSA/AML Manual), which provides guidelines for assessing the adequacy of a bank’s BSA/AML compliance program.[1] Although directed to bank examiners, the BSA/AML Manual offers insight to financial institutions about regulatory expectations for BSA/AML compliance, including how banks will be evaluated in the examination process.
The recent update to the BSA/AML Manual (“2020 Update”) is the result of a multi-year interagency process to evaluate BSA/AML effectiveness and is intended to provide further transparency and to “clarify the focus of BSA examinations by providing more focused instructions to examiners.”[2] In a press release accompanying the 2020 Update, the FFIEC acknowledged the “uncertainty faced by financial institutions during this unprecedented time,” presumably a reference to the COVID-19 pandemic, and emphasized that the revisions do not provide any new requirements and “should not be interpreted as new instructions or as a new or increased focus.”[3]
The 2020 Update revises the first section of the AML/BSA Manual, entitled “Core Examination Overview and Procedures for Assessing the BSA/AML Compliance Program.” That section covers the scoping and planning of an examination, the BSA/AML risk assessment, and the key aspects of compliance that are to be evaluated in a BSA/AML examination, including internal controls, independent testing, designation of a compliance officer, and training. According to the FFIEC press release, additional revisions to other parts of the manual will be forthcoming.
The 2020 Update contains much of the same content as the 2014 version but has an increased emphasis on a tailored risk-based approach to examination. Among other things, the 2020 Update:
- Employs the term “money laundering, terrorist financing (ML/TF), and other illicit financial activity risk,” rather than the original formulation of “BSA/AML risk,” when discussing the identification and mitigation of risk.
- Adds a new section on “Risk-Focused BSA/AML supervision,” which amplifies the need for a risk-based examination approach tailored to each bank’s specific risk profile. In addressing the need for banks to have a well-developed risk assessment, the update acknowledges that such a risk assessment is not a specific legal requirement, but notes that having one will assist banks in identifying ML/TF and other illicit financial activity risks and in developing appropriate internal controls.
- Clarifies that various methods and formats may be used to conduct a risk assessment, and that there is no expectation for a particular method or format. The 2020 Update also clarifies that there are no required risk factors.
- Clarifies that there is no requirement that banks update their BSA/AML risk assessment on any specified periodic basis. In contrast, the 2014 version of the BSA/AML Manual characterized it as “sound practice” to update risk assessments at least every 12 to 18 months.[4] The expectation that banks update their risk assessments so that they remain an accurate reflection of the bank’s risk, including in light of new products, services, and customer types, remains in full force. This may be a signal that regulatory authorities will expect more frequent updates to BSA/AML risk assessments as new products and services are introduced and customer types change.
- Adds specific reference to the need for BSA/AML compliance programs to conduct ongoing customer due diligence (CDD) and comply with beneficial ownership requirements for legal entity customers, as set forth in FinCEN regulations.
- Notes that federal banking agencies do not have target volumes or “quotas” for the filing of suspicious activity reports (SARs) and currency transaction reports (CTRs). The 2020 Update notes that examiners should not criticize a bank solely because the number of SAR and CTR filings is lower than for “peer” banks. Examiners should nonetheless consider significant changes in the volume and nature of BSA filings and assess potential reasons for these changes.
- Adds, to the list of BSA data that examiners should consider in the planning phase of an examination, the identification of frequent SAR subjects.
- Indicates that BSA compliance officers should “regularly” report the status of ongoing BSA compliance to the board of directors and senior management so they can make informed decisions about existing risk exposure and the overall BSA/AML compliance program. Examiners are directed to confirm the presence of these regular updates as part of the examination. Examiners are also directed to evaluate, against a list of non-exclusive factors, the adequacy of resources available to the compliance officer and whether the compliance officer has an appropriate level of independence.
- Revises the BSA/AML discussion of compliance training, including to note that banks should provide training for any agents who are responsible for conducting BSA-related functions on behalf of the bank and directing examiners to review whether such training was given as part of the examination process. The examination procedures for training also now specifically direct examiners to determine whether training includes the results of previous findings of noncompliance with internal policies and regulatory requirements, if applicable, and information tailored to specific risks of individual business lines or operational units.
- Streamlines the examination procedures related to internal controls, with an emphasis on mitigating and managing ML/TF and other illicit financial activity risks. The examination factor related to a bank’s monitoring systems is revised to emphasize not just the sufficiency of the bank’s information systems but whether there are internal controls that “[f]acilitate oversight” of those systems.
- Clarifies that there is no regulatory requirement establishing the required frequency of BSA/AML independent testing, nonetheless noting that that banks may conduct testing over periodic intervals and giving the example of every 12-18 months. The frequency of independent testing should be commensurate with the bank’s risk profile and the bank’s overall risk management strategy. Additionally, more frequent testing may be appropriate where errors or deficiencies in some aspect of the BSA/AML compliance program have been identified or to verify or validate mitigating or remedial actions, and in light of any expansions into new product lines, services, customer types, and geographic locations through organic growth or merger activity.
- Reminds examiners that banks have flexibility in the design of their BSA/AML compliance programs, which will vary based on the bank’s risk profile, size or complexity, and organizational structure. Examiners are directed to focus primarily on whether the bank has established appropriate processes to manage ML/TF and other illicit financial activity risks, and whether the bank has complied with BSA requirements.
Because these revisions will guide future BSA/AML examinations, banks may wish to review the new language to better understand regulatory expectations and better evaluate their own BSA/AML compliance programs.
[1] See BSA/AML Manual, April 2020 Update.
[2] See Comptroller of the Currency Statement on FFIEC BSA/AML Manual, News Release 2020-55 (April 15, 2020).
[3] See FFIEC, Federal and State Regulators Release Updates to BSA/AML Examination Manual, Press Release (April 15, 2020).
[4] See 2014 Bank Secrecy Act/ Anti-Money Laundering Examination Manual.