When your institution is examined for compliance with any law or regulation, the measure of your efforts will be based on your ability to self-identify and self-correct any deficiencies. Ongoing monitoring of key processes helps to ensure that any errors or warning flags are identified early. Monitoring is a required element of a compliance management system (CMS). However, an effective monitoring program also provides value and more effective risk management for BSA/AML Compliance Programs. Unfortunately, many institutions are not engaged in ongoing monitoring of key BSA activities.
TCA’s BSA Action Team (BAT) completes scores of BSA audits each year for all sizes and types of banks. And we find that banks perform little or no monitoring of key reporting, recordkeeping and other BSA-related processes. This can be a deterrent to unmasking risks, especially in the current enforcement environment. FinCEN issued updated guidance on amending and correcting CTRs in March 2018 and the FinCEN help line is stating letters need to go to FinCEN and a financial institution’s regulatory authority. We have seen a long-term pattern where even minor errors on CTRs require correction and re-submission by FinCEN sometimes affecting a large universe of reporting, recordkeeping or other key activities. This can lead to costly lookbacks and perhaps more importantly, enforcement actions.
Conducting ongoing monitoring can be challenging because if your bank is like most you do not have the luxury of additional resources to do the work. A risk-based approach to doing monitoring will lessen the resources necessary and trigger alerts based on priorities.
Current examination trends indicate examiners are asking more consistently about the BSA/AML monitoring. If you don’t know where to start, begin with your BSA Risk Assessment. Focus primarily on whether you have adequate monitoring for higher risk elements or activities. Adequacy of monitoring should be assessed considering the potential of harm to the Bank.
So where should you focus your efforts? Chances are you are already performing some monitoring. A review of Customer Identification Program requirements for new accounts is most likely being or should be done. This process should also include a review of customer due diligence and as applicable, beneficial ownership requirements. Also place a heavy focus on any deficiencies previously identified through examination or audit. Repeat findings are the “kiss of death” and monitoring should seek to ensure that any remediation has been effective. High risk activities such as CTR and SAR filing should be monitored for integrity of data and timeliness of filing.
If you rely on an automated monitoring system (AMS), direct your efforts on verifying alert decisions and ensuring there is supporting documentation. Always know whether staff is current on handling system alerts. Significant backlogs of alerts are a red flag for examiners. Ongoing monitoring of the effectiveness of the AMS is a requirement per model validation guidance. This includes above- and below-the-line testing of system rules, as applicable. Depending on the reporting capabilities of the system, you may be pointed to other areas to include in your monitoring efforts. Don’t forget about training. Many banks fail to understand the importance of monitoring the progress of assigned training.
When enhancing or developing a formalized monitoring effort, make sure it is a comprehensive process. That includes documenting monitoring efforts and findings. Identifying root causes of errors helps exhibit that you take steps to correct or address the accuracy of findings and the thoroughness of proactive mediation. This comprehensive approach also will enable a quantitative analysis which can be used to communicate staff accountability, identify training opportunities and provide a path of actions for examiners demonstrating a commitment to meeting regulatory mandates
Good audit results happen when you are prepared to discuss monitoring of key BSA control during your next BSA Examination. A wise man once told me, “Those who have are always better off than those who don’t.” Translation: Being criticized for having no monitoring is much more damaging than examiner feedback to enhance monitoring.
FinCEN Finalized Exceptive Relief
TCA published a Special Release Article on September 10, 2018 about FinCEN finalizing the beneficial ownership certification relief for certain auto-renewing accounts. To learn more, please see TCA’s article.
Technical Perspective on CTR 1.3
TCA completes BSA Audits weekly for a wide variety of entities, some of which are batch-CTR filers. Here are some common concerns and recommendations:
- Check Part III Box 30 for an institution’s legal name – Make sure Part III Box 30 reflects the institution’s legal name and not a branch nickname. These are typically hard coded in the filing software during the set-up process.
- Contact Office – Some vendors are pulling in branch location name or an individual name. Make sure you follow FinCEN directions “The filing institution should enter the name of the office that should be contacted to obtain additional information about the report. It is the filing institution’s choice as to which office this should be. Examples may include the “Compliance Office,” “Security Office,” “BSA Office,” or “Risk Management Office.”
- Incorrect RSSD Numbers – If you have a new branch or made any branch changes, make sure these are updated with the Federal Reserve. If a branch has not been assigned an RSSD #, leave it blank until it is assigned.
Did you have your BSA Audit in 2018? Contact TCA’s BAT for A Better Way for your Independent Audit at [email protected]
E-Mail the BAT at [email protected] with your BSA/AML/CIP/CDD/OFAC Questions!