The Bank Secrecy Act/Anti-Money Laundering area of compliance is always evolving. As an example, we are currently transitioning the name of this specialized area of compliance from Bank Secrecy Act (BSA) to Anti-Money Laundering and Combating the Financing of Terrorism (AML/CFT) to coincide with the terms examiners are now using within their documents and reports.
In this article, we wanted to share common trends from our 2023 audits to give your institution an opportunity to review your program and ensure you have a robust system of internal controls.
- Adequate AML Risk Assessment (AMLRA) – When creating or updating a risk-based AMLRA, it is important that this document demonstrates a clear understanding of the institution’s risk profile. The purpose of the risk assessment is to document risks and controls as the basis for the development of policies and procedures. The risk categories should be unique to the institution based on its size and complexity and consider its unique products and services, geographical footprint, and customer base. An evaluation of transaction data, staffing, FinCEN priorities, and results of regulatory audits and exams should also be considered. An Office of Foreign Assets Control (OFAC) Risk Assessment may be included within this document or evaluated separately.
TCA has a few recommendations when completing your AML/CFT Risk Assessment. The inherent risk associated with each category should first be evaluated based on the volume of activity (quantitative) and analysis of the risk factor (qualitative). Once inherent risk is identified and rated, the effectiveness of internal controls and risk mitigation strategies can be considered to determine residual risk. If there were any gaps identified within the mitigating controls, the institution may seek to further enhance the controls to reduce those risks, or the Board of Directors may determine they are willing to accept the risk.
After creating a scoring methodology classifying the current risks in each category, such as “High,” “Moderate,” or “Low,” the institution should be able to demonstrate an understanding of the direction of its AML/CFT risks. Institutions may choose to incorporate executive summaries that include year-to-year changes to support the determination that risk is stable, increasing, or decreasing, before providing a statement on the overall conclusion of risk. For more information, see TCA’s AML Risk Assessment Article.
- Risk-Based Enhanced Due Diligence (EDD) – Regulatory expectations require institutions to apply risk-based approaches when developing customer risk profiles. Customers who are identified as posing higher-than-normal risk may require additional verification and due diligence information at account opening.
To minimize the risk posed by high-risk persons and entities, institutions should develop effective risk-based Enhanced Due Diligence (EDD) procedures for the onboarding process and beyond. Risk factors for higher-risk customers should include at a minimum identifying the nature and purpose of the relationship, expected activity, beneficial owner identification, the location of the business, expected use of ancillary services (wire transfers, monetary instruments, bill payment, etc.), understanding the customers of a business, volume of currency transactions, and primary trade area.
The amounts and types of information obtained and verified may need to increase as the associated risk is determined to be higher. Such additional information may include negative news searches, requests for additional financial statements, and verifying the source of funds.
Finally, EDD procedures should define the frequency and required documentation of ongoing monitoring that is commensurate with the customer’s risk profile. The procedures should include triggers for maintaining and updating customer information. Often, TCA sees deficiencies in documenting what is being reviewed as part of the EDD process. Adequate documentation of the EDD process will not only ensure that the institution gets credit for these efforts (from auditors and examiners), but also provide sufficient information for staff who may need to reference the EDD in future investigations or who must also perform EDD reviews. TCA has published articles on CDD and EDD to help further this discussion.
- Training – Training is one of the five pillars of a satisfactory AML/CFT program. Many may think this is an annual checkbox, but it is critical to keep staff awareness high, establish accountability for compliance, and ensure that there is adequate understanding of AML/CFT responsibilities. This is a multi-faceted pillar and TCA dives deeper into the topic in this article. Ultimately, training as a baseline should address expectations for the Board, new employees, existing employees, and those with an advanced role in managing AML/CFT risk. It is not only about understanding the regulatory requirements, but the applicability to your institution’s risk profile. In regard to web-based training, findings include missing enrollments, repetitive course assignments each year that do not enhance staff learning, or courses not being assigned based upon job function. It is critical that there is a secondary review process to ensure all staff is assigned training and the assignments reflect the job function. Don’t forget to monitor for completion consistent with internal policy. If your policy says courses must be completed by November 30th, this is the baseline to which an auditor or an examiner will test. If you truly mean December 31st, adjust your policy so that it accurately reflects your practices.
For training on internal policy and procedures, we often see that this is occurring; however, it goes undocumented. If the BSA Officer sends an e-mail to reinforce or update a procedure, this is training. If there is a staff meeting with training, document it. It is critical that an institution gives credit for the additional training completed to demonstrate staff awareness of internal policies and procedures in addition to general knowledge of the regulations.
- Board Communication – The Board must ensure there are adequate resources for the AML/CFT compliance program and hold management accountable for complying with the regulatory requirements. It also must be notified of all suspicious activity reports (SARs) the institution files. The reality is this is a complex regulatory area of compliance that crosses business lines and relies upon many individuals participating throughout the institution. How does your Board of Directors know a program has adequate resources? It is necessary for your Board to receive annual training, designate a qualified BSA Officer, review the policy annually, and review the risk assessment to demonstrate its understanding of the institution’s risks and controls… Ongoing Board reporting is subjective, and TCA sees different methods of communicating AML/CFT information to the Boards of our client institutions. There is no one size fits all. In order for the Board to better understand the day-to-day volumes of the BSA Program, some clients provide the Board with a monthly scorecard or dashboard for the BSA Program. Information that has been included in this report goes beyond SAR information, and may include information about the automated monitoring system (AMS) alert volumes, OFAC matches, 314(a) information sharing, investigations not resulting in a SAR, EDD reviews, CTR reporting, new regulatory guidance, trends in risk factors, etc. Reports to the Board should include any areas of the program which are not in compliance with policy, such as past due reports or activities. This allows for a greater awareness for the Board of the day to day, as well as for the BSA Officer to identify if there is a need for additional resources, refining a process, conducting additional training, or maybe calibrating a system. 
Often, during independent reviews, TCA can tell there is a potential resource concern and one of the first steps is to identify where the areas of struggle are and then communicate with the Board.
- FinCEN Technical Reports – During AML/CFT reviews, TCA has noted various technical errors relating to the completion of Currency Transaction Reports (CTRs) and Suspicious Activity Reports (SARs). According to FinCEN’s FAQ #1, the expectations in completing the critical and non-critical items on a CTR/SAR stipulate that institutions should complete all those items for which they have relevant information, regardless of whether they are deemed critical.
For those items marked with an asterisk, or “critical”, institutions must either provide the relevant information or check the “Unknown” box on the CTR or SAR reports.
For non-critical items, FinCEN expects institutions to provide complete filing information based on available relevant information and consistent with regulatory expectations. Including all information known to the institution may be beneficial to law enforcement and, therefore, is required. However, there is no further burden to collect additional information for non-critical fields if it is not known and documented within the institution’s records. Those non-critical fields where information is not known may be left blank. Entries including “N/A” or “Same as Above” are not acceptable.
To avoid the potential for errors or the need for back filing, internal controls should be established to review CTRs and SARs prior to submission. Such reviews should ensure timeliness, completion of the critical and non-critical fields (where appropriate), the accuracy of amounts, and the integrity of physical addresses, identification, account numbers, names, and stated branch locations of activity. If errors are frequently noted, additional training on the CTR and/or SAR filing instructions should be provided to staff.
In addition to a comprehensive review of the critical and non-critical fields cited above, SARs should be reviewed for complete narratives that identify the five essential elements of – Who? What? When? Where? Why? and How? Pre-submission SAR reviews should also check that the identified category type and character of suspicious activity are consistent with what transpired and was documented within the narrative. Please see TCA’s SAR narrative article.
Keep in mind – TCA is your compliance partner who can conduct your risk-based independent AML/CFT review. Most policies require this independent evaluation every 12 to 18 months, so please contact [email protected] if you would like us to discuss a potential engagement.
TCA – A Better Way!

