BSA know-how: Checklists for requirements

Practical Law

The BSA and its implementing regulations require covered banking institutions to implement compliance programs, which must include, at minimum:

• Internal controls to ensure ongoing compliance with the bank’s BSA and AML requirements (see BSA/AML Internal Controls Requirement).
• Procedures for independent testing of the bank’s BSA and AML requirements, either by in-house personnel or an outside party (see BSA/AML Independent Testing Requirement).
• Designated persons responsible for coordinating and monitoring the compliance program on a day-to-day basis (see BSA/AML Designated Persons Requirement).
• Training for appropriate personnel (see BSA/AML Training Requirement).
• Customer Identification Program with risk-based procedures that allow the bank to form a reasonable belief that it knows the true identity of its subscribers (see Customer Identification Program).

The BSA compliance program must be in writing and approved by the bank’s board of directors, with approval noted in the board minutes. Best practices dictate that the board should review and approve the program annually.

BSA/AML Internal Controls Requirement

The bank must have internal controls in place designed to:

• Identify reportable transactions at a point where all of the information necessary to properly complete the required reporting forms can be obtained.
• Monitor, identify and report possible money laundering or unusual and suspicious activity.
• Ensure that all required reports are completed accurately and properly filed within required time frames.
• Ensure that customer exemptions are properly granted, recorded and reviewed as appropriate.
• Ensure that all information-sharing requests are checked in accordance with FinCEN guidelines and are fully completed within mandated time constraints.
• Ensure that the financial institution’s customer identification program (CIP) procedures comply with regulatory requirements (see Customer Identification Program).
• Ensure that procedures provide for adequate customer due diligence in relation to the risk levels of customer and account types.
• Establish procedures for screening accounts and transactions for OFAC compliance that include guidelines for responding to identified matches and reporting those to OFAC.
• Provide for adequate due diligence, monitoring and reporting of private banking activities and foreign correspondent relationships.
• Provide for adequate supervision of employees who accept currency transactions, complete reports, grant exemptions, or open new customer accounts.
• Establish dual controls and provide for separation of duties. For example, employees who complete the reporting forms should not be responsible for filing them or for granting customer exemptions.

For more information on the BSA/AML Internal Controls Requirement, see the FDIC’s BSA Manual.

BSA/AML Independent Testing Requirement

Independent testing of the BSA compliance program should be conducted by the bank’s internal audit department, outside auditors, or qualified consultants. Testing must include procedures related to high-risk accounts and activities. Although not required by regulation, the bank regulatory agencies recommend this review be conducted at least annually. Financial institutions that do not employ outside auditors or consultants or that do not operate internal audit departments can comply with this requirement by using employees who are not involved in the currency transaction reporting or suspicious activity reporting functions to conduct the reviews. All findings from the audit should be provided within a written report and promptly reported to the board of directors or an appropriate board committee.

Testing for compliance should include, at minimum:

• A test of the bank’s internal procedures for monitoring compliance with the BSA, including interviews of employees who handle cash transactions and their supervisors.
• A sampling of large currency transactions, followed by a review of currency transaction report filings.
• A test of the validity and reasonableness of the customer exemptions granted by the financial institution.
• A test of procedures for identifying suspicious transactions and the filing of suspicious activity reports (SARs) (see Filing Suspicious Activity Reports). These procedures should incorporate a review of reports used by management to identify unusual or suspicious activities.
• A review of documentation on transactions that management initially identified as unusual or suspicious, but, after research, determined that SAR filings were not warranted.
• A test of procedures and information systems to review compliance with the OFAC regulations.
• A test of the adequacy of the customer due diligence program and the CIP.
• A review of management reporting of BSA-related activities and compliance efforts.
• A test of the financial institution’s recordkeeping system for compliance with the BSA.
• Documentation of the scope of the testing procedures performed and the findings of the testing.

For more information on the BSA/AML independent testing requirement, see the FDIC’s BSA Manual.

About Practical Law

This look at the major issues and regulations in AML comes from Practical Law – an online legal know-how service. To gain access to more related know-how resources, please visit us.practicallaw.com.