Can you believe it’s already September? Over half the year has passed, and most likely, a lot of that time has been spent working remotely and in virtual meetings. Given all of the time and effort dedicated to managing through COVID-19 and this “new normal”, we want to remind you about your annual BSA Board training!
On April 3, 2020, the Financial Crimes Enforcement Network (FinCEN) provided further information in response to the Coronavirus Disease 2019 (COVID-19) pandemic. While this release acknowledged the potential for CTR reporting delays (and delayed implementing the new CTR filing requirements for DBAs), there wasn’t grace granted for anything else.
While the regulation doesn’t technically require “annual” Board BSA training per se, it has become an industry expectation. The Board should be updated, at least annually, on BSA even if there are no changes. We believe doing so is a good reminder to the Board of how important BSA is. It also keeps BSA in the forefront, since the Board is ultimately responsible for BSA compliance.
Below are questions we find engaged Boards ask their BSA Officers. They are great to keep in mind when developing your Board training, to ensure you’re providing the Board with the things it needs to know to sufficiently execute its duties. The answers to some of these may be found within your independent test, but there may have been updates to your program since then as well:
Are we doing the right things, and are we doing them well? How do we compare to others? Know what enforcement actions and penalties are being imposed.
Are we sufficient, competent and effective? Is your program effective? Is suspicious activity being identified and referred/reported?
Are our program components properly positioned? Are you devoting resources and staffing to those areas of greatest concern/risk?
Are we outsourcing and in-sourcing the right processes in line with our competencies and economies? Are we properly managed and accountable in all cases? If conducting an internal independent audit, should it be outsourced? Should third-party vendors be used for OFAC, 314a, identity verification, etc.?
Top-down and bottom-up – is our program working as intended? Is enough information being reported UP to the Board/Management so they can provide appropriate direction DOWN in the form of resources, authority, etc.?
Now is a great time to start thinking about your annual BSA Board training, if you haven’t already done so. BSA is not something you want to let fall on the back burner during these unprecedented times. If you need help or want more training, we have a wide variety of BSA-related webinars available On Demand. We also have a webinar devoted specifically to annual BSA training for your Board & Management coming up on December 10, 2020.
Be sure to JOIN US on July 14, 2020, for our FREE BSA/AML Compliance Q & A
Do you have other burning questions related to BSA/AML compliance? Are you struggling with Beneficial Owners, Currency Transaction Reports, suspicious activity monitoring, etc.? If so, just register for the Forum on our website and then start pre-submitting your BSA/AML compliance questions to email@example.com (please put “July Forum” in the subject line). We will answer as many of your questions as we can during the allotted hour.
One thing that always generates a lot of questions is the beneficial ownership requirements. Did you know there are actually two different triggering events when you are required to obtain this information? The first is the easy one. You must get beneficial owner information any time a new or existing entity customer opens up a new account. The second one, however, is very often missed or overlooked.
Click on the video to listen to Jerod explain more.
The Bank Secrecy Act/Anti-Money Laundering program beneficial ownership requirements; been around for a couple of years now. Let’s check in and make sure the triggering events are understood by all. We didn’t miss anything along the way. Hi, this is Jerod Moyer with Banker’s Compliance Consulting. There’s actually two different triggering points for beneficial ownership requirements. The easy one, any time a new or existing customer opens up a new account. That one you probably all get or if you’re new to the party, that’s the easy one to get. It’s the secondary one that we’re finding when we go out and do training like this or we go and do a review in a financial institution to maybe complete their independent audit. What we’re finding is that secondary triggering point is often getting missed. The rule requires in addition to when a new or existing customer opens up a new account, that also in the normal course of business, if you get information about the customer that’s different than what you already have, that’s also a triggering point.
The other thing about that triggering point is it would also apply to anybody that was initially excluded. In other words, you had accounts that were already on your books in May of 2018 that you didn’t have to retroactively go back and identify, and then ultimately verify beneficial owners on. However, it’s not that they were exempt forever. You see, that secondary triggering point does apply to existing customer relationships. If you have somebody that opened up an account in 2005 and now in 2020, something changes with the structure of that legal entity relationship with you and maybe there’s a new beneficial owner, even though you didn’t call them beneficial owners before that point, that would now be a triggering point for beneficial ownership information to be identified and verified. Even though that existing relationship was exempt in May of 2018.
Make sure your teams aren’t missing that secondary point of beneficial ownership, identification, and verification. This is one of many BSA/AML topics that we tackle throughout our training library at Banker’s Compliance Consulting. I invite you and your team to go check out our library of training options on our website. Better yet, give us a call. Let’s see how we can partner up with you and help you navigate your BSA/AML compliance needs.
Do you have burning questions related to BSA/AML compliance? Struggling with Beneficial Owners, Currency Transaction Reports, suspicious activity monitoring, etc.?
If so, we’d love to have you join us on July 14, 2020, for our FREE BSA/AML Compliance Q & A Forum where we’ll answer questions such as:
Question: It seems we’re always getting push-back on asking for too much due diligence information upfront, how can we justify it or know that what we’re asking is in line with other banks?
Answer: Start with the sample questions given in the FFIEC’s BSA/AML Examination Manual. There’s a reason those are provided and we don’t think they can just be ignored. You’re required to obtain enough information to have what you feel is a reasonable understanding of what the customer will be doing. So, that’s the perspective you need to take. It’s much easier to get such information at account opening than it is when something pops up during the life of the account. While that may still be necessary, getting it upfront gives you a baseline, if the account activity doesn’t match up with what was expected.
Question: How frequently should our Risk Assessment be reviewed if there have been no changes?
Answer: The risk assessment provides a comprehensive analysis of your BSA/AML risks in a concise and organized manner and enables management and the Board to identify and mitigate gaps in the bank’s controls. We believe the risk assessment should be reviewed and communicated with the Board on at least an annual basis.
Have other questions? All you have to do is register for the Forum on our website and then start pre-submitting your BSA/AML compliance questions to firstname.lastname@example.org (please put “July Forum” in the subject line). We will answer as many of your questions as we can during the allotted hour.
Independent testing, now we’re up on page 24. So we’ve gone through the system of internal controls, you have your checklist of things that you’re going to be looking for. But really keep in mind, you’re thinking through how this process works and looking for gaps in their system. On the independent testing, we actually got more guidance on how to evaluate independent testing than we had previously. Again, look at the italics on page 24 here, it’s all from that exam manual update back in April. What areas are they going to be looking at? It hasn’t changed a whole lot, they still require that this independent test must be independent.
In other words, if you have it being done internally, the people who are conducting this independent review need to be outside of the function of the BSA program. And for a lot of banks, that’s a luxury they simply don’t have. The people who have the specialized training to do BSA, they’re the ones doing the BSA. They’re the ones who are keeping the program afloat and managing it. They don’t have someone who’s completely independent who can conduct that review. So there’s special instructions on how to evaluate that.
Look at number two, things like, is there documentation of the qualifications or competence of that person conducting the BSA review? And this is something I’d encourage you to document if you have an internal, or even if you have an external person, check all of these things off if you’re managing the program. Overall audit experience, specific BSA expertise, internal versus… Is it internal or external, and are there references or some other indication that they know what they’re doing? The other thing to keep in mind here is that, all of your independent reviews should also be looking at the work papers from the previous independent reviews. They should be evaluating at least, what type of review was your previous review? And if you’re doing the independent review, you should be looking at the work papers from the previous one.
Frequency, again, they did change this a little bit. If you remember, and if you look at the bottom there, it’s every 12 to 18 months. That language is still in there, but it says, “More frequent testing may be appropriate when there were errors or deficiencies that were identified.” So keep in mind, this shouldn’t be on cruise control, and a lot of banks that go through and they set it, okay. “Our board set this at 12 months, and so we’re going to keep doing this over and over again every 12 months. And we don’t really worry about it.” Or maybe it’s 18 months. “Every 18 months, we do our independent review.”
However, what that language is saying is if it looks like there was something identified, a specific issue. Or maybe there was a change in the program, like you’ve started up your beneficial owner portion of your program and nobody’s getting it right. It’s just not working right. That may be a reason to have an independent review or independent testing, that is sooner than what may be in the program itself. And that’s something for the BSA officer to be communicating up the chain. Oh, hold on, let me get to… Another thing, when you are looking at the independent test that was conducted by maybe another person, or maybe you’re looking at the work that you did last time. Take a look at this list on 25 and 26, these are the minimum requirements. This is what every independent test should have.
So let’s look at it. You should have an overall evaluation of the program. So where they go through and they say, “This program is working.” Or, “There’s significant problems with this program and a number of areas.” So they have to have that overall statement about your program. And then also when you’re… And maybe you’re doing the independent tasks, but looking at things like the risk assessment, laying out what exactly the transaction testing was, evaluating the corrective actions. So I would go through and use this as a checklist, to go through and make sure both the previous independent test was proper, and has all of the bits that it was supposed to have. But then also as a checklist for you, when you’re putting your report together, that you’re hitting all of these areas if you’re doing that independent test.
On page 26 at the bottom of the page, I would circle letter K. Letter K, that is a new bit, new guidance and it does specifically address, and you can read it out there. “Did the independent testing sufficiently cover ML/TF and other illicit financial activity risks within the bank’s operations? And whether the frequency is commensurate with the bank’s risk profile.” So it’s a requirement now that your independent test specifically looks at that money laundering terrorist financing risk, and whether the program they’re looking at actually incorporates it properly. So all of these things need to be addressed by that independent test.
And then finally on page 27, as you get into it there’s, what kind of documentation is necessary? Again, the audit scope and the procedures and the transaction testing, it should all be laid out in the work papers from the review. There should be an audit report, look at letter B there, that really articulates what the findings are and what the recommendations are for management. So that they can take those findings and then really apply them to the program because keep in mind, the whole purpose of this independent review is to look for blind spots. Look for problems, and then to communicate it to management. So it should have an executive summary, it should lay out the scope, and it should have those specific findings there.
And then look at number six. I’d write in there, “Follow up.” Don’t just let a report sit out there, and if you’re looking at an independent review that had some issues that were identified. And you cannot see documentation that management followed up on it, that to me would be a problem. It’s a weakness in their system. So, was that report presented to the board? Was there some kind of division of labor, did they even address the problems? Even if it’s something that said, “Okay, our previous report made this recommendation, but we’ve evaluated it. And we decided we are not going to do this at that time, and here’s why.” That’s fine with me, at least they addressed it. Now, I may disagree with their decision, but it’s better than just leaving it blank. So keep in mind that management response and follow up is something that should be looked at, when you’re evaluating an independent review.
How can you be sure that your BSA/AML program is sufficient for the size and complexity of your institution? The answer isn’t exactly easy but one of the best tools to evaluate your program is your independent BSA/AML review. The FFIEC’s April 2020 update to their BSA/AML Examination Manual provides a lot of details as to how your independent review should function and what it should be doing.
Click on the video to listen to Kevin explain more.
Read the transcript below!
Is Your BSA / AML Program Right For You?
How can you be sure that your BSA AML program is sufficient for the size and complexity of your institution? That’s a daunting question, but one of the best tools to evaluate your program is already in your toolbox; it’s your independent review. Now, this is one of the pillars of your program, and you’ve been getting independent reviews for a lot of years now. However, there’s some new guidance that came out that is really helpful. The new BSA AML exam manual update that came out in April 2020 has a lot of details on what your independent review should be doing. It’s being evaluated to make sure that your system is correcting itself. Now, some of the rules, it starts off with making sure that your independent review is actually independent. Remember, this is another set of eyes that’s coming in completely outside of your program to take a look and see if there’s any weak spots or if there’s anything that needs to be tweaked.
It also has some rules about the qualifications and competence of the person conducting this review, how frequent should it be done? But the very helpful portion of this new manual is the minimum requirements of your independent review. You can actually use it as a checklist to go through your review and see if you’re missing any point. Things like, does your review have an overall evaluation of your program as a whole? Is it looking at your risk assessment in depth and going through and identifying if there’s any areas that you’re missing or maybe you’re not conducting the risk assessment thoroughly enough? Is there appropriate transaction testing? Are corrective actions being acknowledged and reviewed to make sure that they’re appropriate? Are they looking at your training program to make sure that it’s appropriate for all of the people? There’s a lot of people working together here and are they getting trained appropriately for their position?
Is it looking at your SAR monitoring and reporting systems and your management information systems and having an evaluation of all three? And then also, is the management response appropriate? When there’s an issue identified, how is management responding to the issue? Are they taking corrective actions? And then finally, the term, the money laundering, terrorist financing risk component, is your program evaluating that specifically? And then finally, there are some helpful tools to go through and look, are you documenting all of your testing appropriately and has the appropriate followup occurred? Again, fortunately, this is an open book test, so you can go right to the materials and go through and evaluate your independent review to see if it is doing what it’s supposed to be doing, and that is making sure your program is appropriate for your bank.