On July 22, 2019, the prudential regulators issued FIL-43-2019 making a joint statement on BSA/AML risk-based approaches in examinations. TCA’s BAT reviewed the statement and took away three key points: transparency, risk assessment and independent audit.
- Transparency – The statement states: “This statement is intended to improve transparency into the risk-focused approach used for planning and performing BSA/AML examinations and does not establish new requirements. Further, this statement aligns with the federal banking agencies’ long-standing practices for risk-focused safety and soundness examinations.” TCA’s BAT often hears feedback from clients that the examiners only focused on certain components of a BSA program during the audit. This statement from prudential regulators echoes the current feedback we have been hearing. Examiners are focusing on areas determined to be higher risk to your institution, but in order for this to happen, an institution still needs to ensure there is a comprehensive risk assessment and a robust independent audit.
- Risk Assessment – The statement goes on to further state: “A risk-based compliance program enables an institution to allocate compliance resources commensurate with its risk. A bank’s well-developed risk assessment is a critical part of sound risk management and assists examiners in understanding the bank’s risk profile.” A financial institution’s AML Risk Assessment is one of the most critical tools of the BSA Program because it allows a BSA Officer to not only demonstrate the risks of a BSA Program to Senior Management and the Board of Directors, but also to Examiners. The Risk Assessment serves as the road map to the Program; TCA’s In Depth article Preparing a Bank Secrecy Act Risk Assessment discussed tips for enhancing an AML Risk Assessment. Examiners rely upon this document to prepare for upcoming exams and this emphasizes the importance of updating and maintaining a current risk assessment and the role of risk assessment in a BSA program.
- Independent Audit – The statement concludes by focusing on independent audit by commenting: “Examiners review a bank’s BSA/AML risk assessment and independent testing to assess the bank’s ability to identify, measure, monitor, and control risks. Risk assessments and independent testing that properly consider and test all risk areas (including products, services, customers, and the geographic locations in which the bank operates and conducts business) are used in determining the examination procedures and transaction testing that should be performed.” It is crucial that financial institutions ensure that not only are there timely independent audits, but also comprehensive independent audit that take into consideration risk profile. The information documented during independent audits allow examiners to conduct risk-based exams. From time to time, TCA clients question the scope and depth of testing, but the BAT understands examiner expectations for a comprehensive BSA Program including strong audit to establish the risk-based approach to managing BSA.
In summary, the July statement does not create any new requirements, but emphasizes the regulators’ goals for transparency in the exam process by trying leverage off an institution’s risk assessments and independent audits.
What does this mean for your BSA program?
Institutions need to ensure that both risk assessment and independent audit are thorough and well-documented. If there are weaknesses noted in the adequacy of risk assessments or independent audits, this will more than likely lead exams with greater intensity and additional scrutiny of an institution’s BSA Program during a regulatory exam.
TCA’s BAT consists of eight BSA specialists who conduct risk-based BSA Audits and model validations. Contact TCA’s BAT at [email protected] for your customized Independent Audit Proposal.