Assessing Your BSA/AML Compliance Program
Like every compliance project, when you start the process, it is important to conduct a careful assessment of risks and your company’s compliance program. With the growing risk of criminal, civil and regulatory enforcement of BSA, sanctions and AML laws, banks and other financial institutions need to dedicate some time and effort to this process.
From my experience, banks and financial institutions turn to – and rely on – technology as the primary component of every BSA/AML compliance program. Given the magnitude of the task, the reliance on technology appears to be an absolute.
Building a compliance program centered on technology, however, can create its own set of serious risks. A technology-centered program reflects careful marketing initiatives by the vendors of these competing programs. It is important to build a complete program, which recognizes the non-technology needs, factor in specific technology requirements, and brush the edges of the program with important controls and metrics.
The key focus continues to be established by the US Sentencing Guidelines: Is the company’s BSA/AML compliance program “effective”? Here are some basic steps for evaluating your bank or financial institution’s BSA/AML compliance program:
Structure: It is now beyond question – every bank and financial institution needs to empower an independent chief compliance officer. HSBC has separated its compliance function completely from the legal function. JP Morgan has announced that its Chief Compliance Officer will report directly to the Chief Operating Officer and is elevated to the senior executive staff. This is new norm and banks and other financial institutions have to start with this structural change.
Review of Written BSA/AML compliance program: The written compliance program, which should be on the company’s website, should include the following elements: a system of internal controls; a compliance officer(s); training; testing and monitoring; periodic review of performance and modifications as warranted.
Senior Management involvement and monitoring: The board of directors and senior management must receive sufficient reports which are timely and informative about the performance of the compliance program.
Risk Assessment: The BSA/AML compliance program should reflect the current risk assessment identified in an initial review of risk associated with the banks products, services, operations, customers, geographic locations and business entities.
Internal Controls: The internal controls have to include policies and procedures to accomplish the following tasks: identification of high-risk products, services, customers and geographic locations; monitoring and updating the risk profiles for each of these categories; providing periodic updates to the board (or a compliance committee) and senior management which focus on potential risk area, including weaknesses in the BSA/AML compliance program, corrective actions, the status of SARs filed or being reviewed, pending due diligence inquiries for high-risk customers and business accounts.
Customer Due Diligence: Banks and other financial institutions need to adopt more rigorous customer due diligence procedures. All too often the business desire to establish a new account outweighs the due diligence process and customers are allowed to open an account pending completion of the due diligence process. By doing so, compliance is sacrificed at the expense of business needs. The incentive for the business side to cooperate in any due diligence review is diminished once the account is opened. If the bank is serious about compliance, it should delay the opening of the account, pending completion of the due diligence review.
Reportable Transactions: The BSA/AML compliance program needs to establish standard procedures and thresholds for identifying reportable transactions (SARs, CTRs and CTR exclusions), creating a set SAR review and reporting procedure with strict deadlines for the completion of the process.
Training: A regular training program, both on-line and in-person needs to be established with appropriate record-keeping. The training program should include the board of directors, senior management and all employees involved in relevant activities.
Transaction testing: There are a number of areas to conduct transaction testing, including: high-risk areas, customers and transactions. The transactions should be different from those examined by an independent auditor.
Independent testing: Aside from monitoring and reporting functions, any good BSA/AML compliance program includes periodic audits conducted by an independent auditing company. The audit should be reported to the CCO, senior management and the board committee. The results should be carefully reviewed and recommendations for improvements should be implemented. Accounts or customers identified in the review of information obtained from downloads from the BSA-reporting database.