Federal Financial Institutions Examination Council Bank Secrecy Act/Anti-Money Laundering InfoBase

Bank Secrecy Act
Anti-Money Laundering
Examination Manual


EXAMINATION PROCEDURES

Developing Conclusions and Finalizing the Examination

Objective.  Formulate conclusions, communicate findings to management, prepare report comments, develop an appropriate supervisory response, and close the examination.

Formulating Conclusions

1. Accumulate all pertinent findings from the BSA/AML examination procedures performed. Evaluate the thoroughness and reliability of any risk assessment conducted by the bank. Reach a preliminary conclusion as to whether the following requirements are met:

  • The BSA/AML compliance program is effectively monitored and supervised in relation to the bank’s risk profile as determined by the risk assessment. The examiner should ascertain if the BSA/AML compliance program is effective in mitigating the bank’s overall risk.
  • The board of directors and senior management are aware of BSA/AML regulatory requirements, effectively oversee BSA/AML compliance, and commit, as necessary, to corrective actions (e.g., audit and regulatory examinations).
  • BSA/AML policies, procedures, and processes are adequate to ensure compliance with applicable laws and regulations and appropriately address higher-risk operations (products, services, customers, entities, and geographic locations).
  • Internal controls ensure compliance with the BSA and provide sufficient risk management, especially for higher-risk operations (products, services, customers, entities, and geographic locations).
  • Independent testing (audit) is appropriate and adequately tests for compliance with required laws, regulations, and policies. Overall audit coverage and frequency are appropriate in relation to the risk profile of the bank. Transaction testing is adequate, particularly for higher-risk banking operations and suspicious activity monitoring systems.
  • The designated person responsible for coordinating and monitoring day-to-day compliance is competent and has the necessary resources.
  • Personnel are sufficiently trained to adhere to legal, regulatory, and policy requirements.
  • Information and communication policies, procedures, and processes are adequate and accurate.

All relevant determinations should be documented and explained.

Determine the Underlying Cause

2. Determine the underlying cause of policy, procedure, or process deficiencies, if identified. These deficiencies can be the result of a number of factors, including, but not limited to, the following:

  • Management has not assessed, or has not accurately assessed, the bank’s BSA/AML risks.
  • Management is unaware of relevant issues.
  • Management is unwilling to create or enhance policies, procedures, and processes.
  • Management or employees disregard established policies, procedures, and processes.
  • Management or employees are unaware of or misunderstand regulatory requirements, policies, procedures, or processes.
  • Higher-risk operations (products, services, customers, entities, and geographic locations) have grown faster than the capabilities of the BSA/AML compliance program.
  • Changes in internal policies, procedures, and processes are poorly communicated.

3. Determine whether deficiencies or violations were previously identified by management or audit or were only identified as a result of this examination.

Discuss Findings With Examiner in Charge and Identify Necessary Action

4. Discuss preliminary findings with the examiner in charge (EIC) or examiner responsible for reviewing the bank’s overall BSA/AML compliance. Document workpapers appropriately with the following information:

  • A conclusion regarding the adequacy of the BSA/AML compliance program and whether it meets all the regulatory requirements by providing the following:
    • A system of internal controls.
    • Independent testing for compliance.
    • A specific person to coordinate and monitor the BSA/AML compliance program.
    • Training of appropriate personnel.
  • A conclusion as to whether the written CIP is appropriate for the bank’s size, location, and type of business.
  • Any identified violations and an assessment of the severity of those violations.
  • Identification of actions needed to correct deficiencies or violations and, as appropriate, the possibility of, among other things, requiring the bank to conduct more detailed risk assessments or take formal enforcement action.
  • If necessary, recommendations for supervisory actions. In addition, as necessary, confer with agency supervisory management, and agency legal staff.
  • An appropriate rating based on overall findings and conclusions.
  • Findings that have been or will be discussed with bank management and, if applicable, any bank commitment for improvements or corrective action.

Preparing the BSA/AML Comments for the Report of Examination

5. Document your conclusion regarding the adequacy of the bank’s BSA/AML compliance program. Discuss the effectiveness of each of these elements of the bank’s BSA/AML compliance program. Indicate whether the BSA/AML compliance program meets all the regulatory requirements by providing the following:

  • A system of internal controls.
  • Independent testing for compliance.
  • A specific person to coordinate and monitor the BSA/AML compliance program.
  • Training of appropriate personnel.

The BSA/AML compliance program must also include a written Customer Identification Program (CIP) appropriate for the bank’s size, location, and type of business.

The examiner does not need to provide a written comment on every one of the following items 6 through 13. Written comments should cover only areas or subjects pertinent to the examiner’s findings and conclusions. All significant findings must be included in the ROE. The examiner should ensure that workpapers are prepared in sufficient detail to support issues discussed in the ROE. To the extent that the following items are discussed in the workpapers, but not the ROE, the examiner should ensure that the workpapers thoroughly and adequately document each review, as well as any other aspect of the bank’s BSA/AML compliance program that merits attention, but may not rise to the level of being included in the ROE. The examiner should organize and reference workpapers and document conclusions and supporting information within internal databases, as appropriate. As applicable, the examiner should prepare a discussion of the following items.

6. Describe whether the bank’s policies and procedures for law enforcement requests for information under section 314(a) of the USA PATRIOT Act (31 CFR 103.100) meet regulatory requirements.

7. If the bank maintains any foreign correspondent or private banking accounts for non-U.S. persons, describe whether the bank’s due diligence policies, procedures, and processes meet regulatory requirements under section 312 of the USA PATRIOT Act (31 CFR 103.176 and 103.178).

8. Describe the board of directors’ and senior management’s commitment to BSA/AML compliance. Consider whether management has the following:

  • A strong BSA/AML compliance program fully supported by the board of directors.
  • A requirement that the board of directors and senior management are kept informed of BSA/AML compliance efforts, audit reports, any compliance failures, and the status of corrective actions.

9. Describe whether the bank’s policies, procedures, and processes for SAR filings meet the regulatory requirements and are effective.

10. Describe whether the bank’s policies, procedures, and processes for large currency transactions meet the requirements of 31 CFR 103.22 and are effective.

11. If applicable, describe whether the bank’s policies, procedures, and processes for CTR exemptions meet regulatory reporting requirements, appropriately grant exemptions, and use the correct forms.

12. Describe whether the bank’s funds transfer policies, procedures, and processes meet the requirements of 31 CFR 103.33(e) and (g). Briefly discuss whether the policies, procedures, and processes include effective internal controls (e.g., separation of duties, proper authorization for sending and receiving, and posting to accounts), and provide a means to monitor transfers for CTR reporting purposes.

13. Describe the bank’s recordkeeping policies, procedures, and processes. Indicate whether they meet the requirements of 31 CFR 103.
