We explore 4 violations to watch out for!
1. While we wouldn’t categorize the following violation as “common,” we do see it occasionally.
More importantly, this is a “pillar” violation. A pillar violation indicates a significant weakness in a pillar (major) component of your BSA Compliance Program. In other words, you don’t want a violation of this type.
We are specifically referring to the requirement of having an Independent BSA Audit. The audit can be conducted by the internal audit department, outside auditors, consultants, or other “qualified” independent parties. In order for the audit to be “valid” and/or adequate, the Scope of Review must include the minimum requirements set forth under the Act. We do see instances where a bank is informed by examiners during their BSA Exam that their Independent BSA Audit was invalid, and they are required to get another one as soon as possible! Although it doesn’t happen frequently, it is also not unusual for us (BCC) to find that a bank’s previous Independent BSA Audit did not test all of the minimum requirements.
The FFIEC BSA Examination Manual states an Independent Audit should, at a minimum, include:
• An evaluation of the overall adequacy and effectiveness of the BSA/AML compliance program, including policies, procedures, and processes. Typically, this evaluation will include an explicit statement about the BSA/AML compliance program’s overall adequacy and effectiveness and compliance with applicable regulatory requirements. At the very least, the audit should contain sufficient information for the reviewer (e.g., an examiner, review auditor, or BSA officer) to reach a conclusion about the overall quality of the BSA/AML compliance program.
• A review of the bank’s risk assessment for reasonableness given the bank’s risk profile (products, services, customers, entities, and geographic locations).
• Appropriate risk-based transaction testing to verify the bank’s adherence to the BSA recordkeeping and reporting requirements (e.g., CIP, SARs, CTRs and CTR exemptions, and information sharing requests).
• An evaluation of management’s efforts to resolve violations and deficiencies noted in previous audits and regulatory examinations, including progress in addressing outstanding supervisory actions, if applicable.
• A review of staff training for adequacy, accuracy, and completeness.
• A review of the effectiveness of the suspicious activity monitoring systems (manual, automated, or a combination) used for BSA/AML compliance. Related reports may include, but are not limited to:
— Suspicious activity monitoring reports.
— Large currency aggregation reports.
— Monetary instrument records.
— Funds transfer records.
— Nonsufficient funds (NSF) reports.
— Large balance fluctuation reports.
— Account relationship reports.
• An assessment of the overall process for identifying and reporting suspicious activity, including a review of filed or prepared SARs to determine their accuracy, timeliness, completeness, and effectiveness of the bank’s policy.
• An assessment of the integrity and accuracy of MIS used in the BSA/AML compliance program. MIS (Management Information Systems) includes reports used to identify large currency transactions, aggregate daily currency transactions, funds transfer transactions, monetary instrument sales transactions, and analytical and trend reports.
Lastly, auditors should document the audit scope, procedures performed, transaction testing completed, and findings of the review… All audit documentation and work papers must be available for examiners to review.
2. The most common finding or weakness we are currently seeing is the implementation of the new “ongoing customer due diligence” requirements.
These were part of the Customer Due Diligence Requirements Final Rule that took effect last year. Most banks focused on the Beneficial Ownership portion and overlooked the bigger portion of the rule, which amended the current Anti-Money Laundering Program requirements set forth in 31 CFR 1020.210 to “explicitly” include risk-based procedures for conducting ongoing customer due diligence, to include understanding the nature and purpose of customer relationships for the purpose of developing a customer risk profile.
We are finding that many banks have not yet developed appropriate written risk-based Customer Due Diligence (CDD) procedures designed to: understand the nature and purpose of the customer relationship; develop a customer risk profile; conduct ongoing monitoring; and, on a risk basis, maintain and update customer information, including information regarding the beneficial owner(s) of legal entity customers.
In a nutshell, banks have made minimal, if any, updates to strengthen their CDD program and to meet the minimum requirements of the new rule.
Written Customer Due Diligence Procedures should address at a minimum:
- Establish risk-based procedures for conducting ongoing customer due diligence;
- Include a clear statement of responsibilities and authority for changing a risk profile;
- Include information about steps to address instances where there is not enough information about a customer to develop an adequate risk profile;
- Outline what information will be collected;
- Identify which customers can be considered “lower risk” and categorized by more general factors;
- Specify how customer information will be used to meet other regulatory requirements, e.g., OFAC expectations, risk monitoring, etc.;
- Identify how customers will be classified as higher risk;
- Outline the additional steps to be taken for higher risk customers;
- Establish when customer profiles will be reviewed and who will be responsible to review them;
- Identify who has authority to change a customer risk profile;
- Identify whether and when, based on risk, periodic reviews should be conducted to update customer information.
3. When it comes to the Beneficial Ownership rules, we are still seeing some banks using the old/original FinCEN Model Certification form.
The form was amended/corrected by FinCEN, effective September 28, 2017. The changes included an additional piece of information to be gathered on the form: specifically, the “type” of legal entity opening the account. They also replaced the term “foreign persons” with “non-U.S. persons” in several places and added “Social Security Number” to the list of identification numbers for non-U.S. persons.
If you are using the Model form, make sure you have the current Model form. If you have developed your own form, make sure it collects the “type” of legal entity, refers to “non-U.S. persons” rather than “foreign persons,” and allows for a Social Security Number to be used for identifying non-U.S. persons, where applicable.
On a side note, we are also finding that the Certification forms are often not fully completed, and/or are certified/signed only after the account has already been opened.
4. Under CIP, we still see banks that are not identifying and resolving substantive discrepancies that arise between the information collected at application and the information used to verify identity.
CIP requires the bank to document/retain a description of the resolution of any substantive discrepancy when verifying identity. While simply stating “recently moved” might explain the reason for an address discrepancy, it does not show how the bank verified or formed a “reasonable belief” that the information given was accurate. Methods such as sending a thank you letter, tracking for returned mail, obtaining a utility bill or pay stub, etc., are some examples of ways to resolve the discrepancy. Identity thieves can easily tell a bank they just moved, so that the account information of their victim is mailed to them. Banks need to form a reasonable belief that the new address actually belongs to the person/customer whose identity is being verified.
Hopefully, you didn’t find yourself caught up in any of these. If you did, it might be time to do some training to get back on the straight and narrow. As always, we are here to serve you with your compliance needs. If you’re in need of an external Compliance Review or Independent BSA Audit, we offer a variety of Onsite and Offsite reviews and would be happy to partner with you.
Kevin brings years of experience and a unique perspective on regulatory matters to our clients. A self-proclaimed geek and accredited CRCM, Kevin is also a recovering attorney with experience as in-house counsel for a large regional bank and one of the leading national title insurance providers. For reasons unknown, Kevin decided to leave the safety and serenity of his desk job to seek fortune and glory as a wandering adventurer. Like a bank compliance version of Kwai Chang Caine, The Man with No Name or Don Quixote, he now travels the land seeking to help those in need and righting compliance wrongs, wherever he may find them.
Kevin lives in Sioux Falls with his two children, who are surprisingly normal after having endured their father’s vivid imagination for their entire lives. He won’t admit to having any hobbies, because apparently “Regulations never sleep.” (While he does say this in his Batman voice, we’re pretty sure he’s joking.) From the looks of his Facebook page, he likes the outdoors and spending time with his large extended family (who seem like relatively normal people).