By Vivek Agarwal
The Bank Secrecy Act (BSA) was originally passed by Congress in 1970 and is intended to safeguard U.S. financial institutions from the abuses of financial crime, including money laundering, terrorist financing, and other illicit financial transactions. It has been amended several times since then, including provisions in Title III of the USA PATRIOT Act (collectively referred to as Bank Secrecy Act/Anti-Money Laundering Act or as BSA/AML).
There are severe penalties for non-compliance, as banks and individuals may incur criminal and civil liability for violating BSA laws. This may include criminal fines, imprisonment and forfeiture actions. In addition, banks risk losing their charters and bank employees are also in danger of being barred from banking.
So what makes for an effective BSA/AML compliance program? Let’s take a look at the six key ingredients.
Ingredient # 1:
Competent BSA Compliance Officer
The bank’s board of directors must designate a qualified individual to serve as the BSA compliance officer. Although the BSA compliance officer is charged with managing all aspects of the BSA/AML compliance program, the board is ultimately responsible for the bank’s compliance. It is paramount that the BSA compliance officer has sufficient authority and resources (monetary, physical and personnel) to administer an effective BSA/AML compliance program based on the bank’s risk profile. While the title of the individual is not important, his or her level of authority and responsibility within the bank is critical. He or she should be fully knowledgeable about relevant regulations, should understand the bank’s products, services and customers and the potential risks associated with those activities, and should be able to regularly apprise the board of directors and senior management of ongoing compliance with the BSA.
Ingredient # 2:
Written Compliance Program
The BSA/AML compliance program must be written, approved by the board of directors and noted in the board minutes. A bank must have a BSA/AML compliance program commensurate with its BSA/AML risk profile, and the program must be fully implemented. Policy statements alone are not sufficient: practices must coincide with the bank’s written policies, procedures, and processes.
Ingredient # 3:
Involved Board of Directors
An active, involved and knowledgeable board of directors is critical for successful implementation of the BSA/AML compliance program. The board should be trained on the various legal and regulatory requirements, penalties for non-compliance and the institution’s risk concerning money laundering and terrorist activity. Without a general understanding of the BSA, the board of directors cannot adequately provide BSA/AML oversight; approve BSA/AML policies, procedures, and processes; or allocate sufficient BSA/AML resources.
Ingredient # 4:
Banks must ensure that appropriate personnel are trained in applicable aspects of the BSA. Training should include regulatory requirements and the bank’s internal BSA/AML policies, procedures, and processes. Holding training annually may not be enough. Training should be ongoing and incorporate current developments and changes. Training and testing materials, the dates of training sessions, and attendance records should be maintained by the bank.
Ingredient # 5:
System of internal controls
Internal controls are the bank’s policies, procedures, and processes designed to limit and control risks and to achieve compliance with the BSA. The level of sophistication of the internal controls should be commensurate with the size, structure, risks, and complexity of the bank. Some key elements the internal controls should cover are as follows:
Identification of high-risk business operations
Program continuity despite changes in management
Meet regulatory record keeping and reporting requirements
Filing of reports such as suspicious activity reports (SARs) and currency transaction reports (CTRs)
Segregation of duties
Customer identification program and customer due diligence
Information sharing with regulators and board of directors
Ingredient # 6:
Periodic Independent Testing
Independent testing should be conducted by the internal audit department, outside auditors, consultants or other qualified independent parties. A sound practice is for the bank to conduct independent testing generally every 12 to 18 months, commensurate with the BSA/AML risk profile of the bank. The most important factor here is that the review or audit be performed by an independent and objective third party. The persons conducting the BSA/AML testing should report directly to the board of directors. The audit should be risk-based and evaluate the effectiveness of the BSA compliance program.
Vivek Agarwal, CPA, CFE, CISA, specializes in governance, risk and compliance services for Withum, Smith+Brown.