By Clarissa Rudinsky
Why establish an enterprise-wide Bank Secrecy Act/Anti-Money Laundering (BSA/AML) program? Similar to the industry’s approach to addressing credit, market and operational risk, effective control of BSA/AML risk calls for coordinated risk management to control money laundering and terrorist financing risk. An enterprise-wide BSA/AML compliance program coordinates regulatory requirements throughout an organization, across affiliates, activities, business lines or legal entities inside a larger risk management framework.
While there are currently no regulatory requirements for holding companies or lead financial institutions to adopt an enterprise-wide BSA/AML compliance program, many organizations view this as an effective tool in managing BSA/AML risks. (The lead financial institution is generally the largest financial institution in the holding company structure in terms of assets unless otherwise designated by the holding company.)
What is an enterprise-wide BSA/AML program? Quickly becoming an industry best practice, enterprise-wide BSA programs establish corporate standards for BSA/AML compliance that reflect the expectations of the organization’s board of directors. Senior management ensures that these standards are implemented across the organization through effective programs tailored to the affiliates, activities, business lines or legal entities. Each individual program reflects that entity’s business structure and is tailored to its size, complexity and legal requirements that may vary due to the specific business line or host country jurisdiction. Enterprise-wide programs that operate on a global basis consider the laws and requirements in the various jurisdictions in which they operate as well as the U.S. AML laws and requirements that they are subject to, and then incorporate all of these requirements into their program. Overall, senior management ensures the enterprise-wide BSA/AML program provides adequate oversight and structure for each individual entity’s program.
Risk-assessed policies and procedures: The enterprise risk assessment process serves as the basis for the development of risk-based policies, procedures, and processes within the activities, business lines and legal entities. The individual business lines and legal entities then advise the holding company or lead financial institution on the development of risk-based policies, procedures and processes. Policies and procedures at the branch or subsidiary level should be consistent with, although not necessarily identical to, group or holding company standards. After the individual business lines’ and entities’ policies, procedures and processes are developed, they should be approved by the holding company or lead financial institution to ensure oversight of risk limits, new business initiatives and strategic changes.
The various business lines and entities provide periodic updates of the risk assessment process to the central point within the holding company or lead financial institution. These updates, along with enterprise-strategic changes (such as acquisition or change in products or services), set off ongoing enhancements to the process.
Training: The institution’s training program should also be addressed in the enterprise-wide risk program by describing who in the enterprise will be trained, how often, in what manner (lecture, classroom, via Internet, written material, etc.) and what issues will be discussed during the training sessions. Although individual business lines and entities may deal with training differently, an overall enterprise-wide standard should be established and maintained.
Who is responsible for the enterprise-wide BSA/AML program? The enterprise-wide program includes a central point where BSA/AML risks throughout the organization are consolidated. This point is usually established at either the level of the holding company or the lead financial institution. The person responsible is usually the BSA officer. The enterprise-wide program clearly lays out roles and responsibilities of all relevant parties and communicates them across the enterprise.
Internal audit plays an important role in the enterprise-wide BSA program by assessing the level of compliance with the enterprise-wide BSA/AML program across the entire organization. For example, an audit program implemented solely on an enterprise-wide basis that does not conduct transaction testing at all business lines and legal entities subject to the BSA would not be sufficient to meet regulatory requirements for independent testing for those business lines or entities. The audit function also identifies program weaknesses and recommends timely corrective action, at both the holding company and subsidiary levels.
How is an enterprise-wide BSA/AML program implemented? A holding company or a lead financial institution may decide to implement an enterprise-wide BSA/AML compliance program, either comprehensively throughout the entire organization, or within specific business functions. Enterprise-wide functions responsible for day-to-day BSA/AML operations may be established, including, but not limited to, the centralization of suspicious activity monitoring and reporting, currency transaction reporting, currency transaction exemption review and reporting, and record-keeping activities.
Holding companies or lead financial institutions that centrally manage the operations and functions of their business lines or legal entities ensure that comprehensive risk management policies, procedures and processes are in place across the organization to address the entire organization’s spectrum of risk. Accordingly, organizations that centrally manage an enterprise-wide BSA/AML compliance program provide appropriate structure; advise the business lines, legal entities and foreign branches on the development of appropriate guidelines; and set risk limits consistent with their domestic and international activities.
Accordingly, the holding company or lead institution monitors compliance throughout the organization, including how well the enterprise-wide system captures relevant data from the subsidiaries. The enterprise-wide BSA/AML compliance program takes into consideration available information about the adequacy of the individual legal entities’ or business lines’ BSA/AML programs. The enterprise-wide program should ensure that all affiliates meet their applicable regulatory requirements.
So, the question remains, should an institution establish an enterprise-wide BSA/AML program? This is a good question to discuss with senior management and the board of directors considering the enterprise’s size, organizational complexity, variety of products and services, and geographic markets served.
Clarissa Rudinsky is director of BSA/AML services at ICS, a leading provider of regulatory compliance services. For more information on ICS, contact Michele Johnson at (203) 526-1589 or visit www.icscompliance.com.