A Tougher Bank Secrecy Act
By Pat McElroy
For the last couple of years, Bank Secrecy Act compliance headlines have focused on big banks, big fines and high-profile violations. Recently, however, we’ve been seeing a quiet but definite shift in examiner attention.
In June 2005, new exam procedures came online. Now community banks are feeling the heat, and in many cases the problems aren’t specific, substantive violations but overall inadequacies in the management of the BSA compliance program.
For example, a medium-size bank in the South suspected they might not have a good enough BSA program, even though their previous exams had been satisfactory.
We were engaged to conduct a thorough review of their program. The good news was that we didn’t find any specific reporting violations. The bad news was that their overall program fell short in all four key areas the examiners would look at, and since they waited until the last minute to ask for help, there was no time for them to implement the specific steps we were able to give them to fix things before their examination.
This bank is now having serious discussions with the regulators about possible supervisory actions.
The end result was that putting off the review of their BSA program wound up costing the bank much, much more in time, staff and money than it needed to if they had acted sooner.
The Four Areas You Need to Watch
The regulators are looking closely at four key factors in assessing the adequacy of your BSA program:
1) How good is the bank’s system of internal controls to ensure ongoing compliance?
2) Is the bank doing independent testing? Is the testing adequate?
3) Is a specific qualified individual responsible for BSA compliance?
4) Does the bank provide adequate BSA compliance program training to all employees?
Of these four, number one, the quality of the bank’s system of internal controls, is the most critical to the examiners. Banks are required to perform a comprehensive overall BSA/AML risk assessment that covers products and services, customers and locations. Is your location high-risk? What kind of customers are you doing business with? Do you have a lot of currency transactions or other high-risk transactions?
The government has created two area designations: high-intensity drug trafficking areas and high intensity financial crime areas. The government has identified the areas and your BSA program has to reflect a higher level of attention if your bank is in a designated area, whether or not you think you’re actually affected.
A risk assessment of your bank’s products and services is also part of the mix. Certain bank products obviously carry higher risk than others, such as checking vs. savings, but some are not so obvious. Sale of monetary instruments, like cashier’s checks, are more high-risk for money laundering, and commercial checking accounts carry more risk because of the higher transaction volumes and amounts.
Mandatory reports are another problem area. Currency transaction reports are usually automated, but suspicious activity reports (SARs) are not. Your bank may have systems to kick out potential suspicious activity for further investigation, but the examiners are often citing banks for not enough investigations or SAR filings, and inadequate documentation of decisions not to file a SAR.
For example, your computer tells you a customer is depositing $7,000-$8,000 in cash a few times a week. A closer look shows that the business is a restaurant, so the deposit pattern is consistent with the type of business and isn’t suspicious. If the internal systems are inadequate, that reasoning doesn’t get documented properly, so at exam there’s no obvious reason for the decision and it becomes a red flag.
In the banks we’ve worked with since the new, more stringent exams started, we’ve seen a laundry list of common problems with internal systems:
• Inadequate BSA/AML risk assessment;
• Inadequate documentation showing exempt businesses obtain less than 50 percent of revenues from ineligible activities;
• No SARs filed on unregistered money services businesses (MSBs);
• Inadequate written procedures to identify, track, investigate and report suspicious activity;
• Unfamiliarity with parameters on AML software;
• Lack of independent testing of validity of AML software;
• Inadequate documentation of reasons not to file SARs;
• Lack of or inadequate central files on high-risk customers;
• Lack of or inadequate identification of high-risk customers at account opening;
• Lack of or inadequate monitoring of high-risk customers;
• Lack of risk-grading accounts at time of opening; and
• Inadequate documentation regarding MSBs.
While internal systems are the hottest area for the regulators right now, the other three areas also have their share of common problems:
• Insufficient scope,
• Testing not completed in all key areas,
• Testing not completed according to risk,
• Inadequate due diligence completed by bank on outside firm, and
• Bank failed to review work papers to ensure compliance with engagement letter. Designated Individual Responsible for BSA Compliance:
• Part-time BSA officer doesn’t have time to do job properly, and
• Insufficient staffing levels in suspicious activity investigation area.
• Policy doesn’t adequately address training standards;
• Training not risk-based, not job-specific; and
• Training not adequately documented and tracked.
Training is often a weak link. It’s very common for us to recommend that the bank enhance training all across the board, from directors on down.
Many banks have relied on computer-based training (CBT) programs, and these can be good learning tools. Used alone, however, CBT is simply not good enough. Training needs to be focused on what each employee is actually doing, and reflect how the bank actually operates. We’ve helped many of our clients to develop these kinds of programs, and have even provided on-site training where that best met the bank’s needs.
Your Next Exam
The bottom line is your next exam. As the mid-size southwestern bank we cited above discovered, success in previous exams (before the new examination procedures) is no guarantee that your bank’s BSA compliance program will pass muster next time.
Make sure your bank has time to thoroughly review your program and take the necessary steps to fix problems well before the examiners arrive. You can use the above checklists to get started. If you have any questions or would like additional information, please call Kristin Morgan at (512) 703-1577.
Pat McElroy Jr. is managing director of risk management for Sheshunoff Management Services, based in Austin, Texas. He has more than 30 years of experience in the banking industry, and is a frequent speaker at banking industry conferences and seminars throughout the United States.