Are your community bank's BSA/AML programs up to date?

FinCEN recently reported that a bank willfully violated the Bank Secrecy Act, highlighting the importance of community banks updating their BSA/AML programs.

Money laundering—the process of making illegally gained proceeds appear legal or clean—can facilitate crimes such as drug trafficking and terrorism and can adversely affect the economy. Financial institutions, with their pivotal role in the financial system, are key players in the fight to identify, mitigate or quash money laundering.

While Bank Secrecy Act and anti-money laundering (BSA/AML) compliance has been fundamental to financial institutions for some time, it is not infallible. In December 2021, for instance, the Financial Crimes Enforcement Network (FinCEN) announced that it had assessed an $8 million civil money penalty on Community Bank of Texas, N.A. for willful violations of the BSA and its implementing regulations. Among the infractions, FinCEN noted that the bank willfully failed to implement and maintain an effective AML program that was reasonably designed to guard against money laundering.

How can community banks ensure their BSA/AML programs will help them avoid violations and the associated penalties? Begin with a comprehensive, up-to-date compliance program and the qualified personnel to implement and manage it, and then ensure the program is effective. What does that look like?

BSA/AML fundamentals

The 1970 passage of the BSA marked the birth of anti-money laundering laws and regulations for financial institutions. A series of additional laws, rules and revisions have led us to the current requirements. Since 1970, banks have been required to maintain an anti-money laundering program. Initially, the program was required to include four core elements or pillars:

A system of internal controls to assure ongoing compliance
Independent testing for compliance to be conducted by bank personnel or by an outside party
Designation of an individual or individuals responsible for coordinating and monitoring day-to-day compliance (BSA compliance officer)
Training for appropriate personnel

FinCEN issued a final rule in 2016 that imposed requirements for identifying and verifying beneficial owners of legal-entity customers. It requires risk-based procedures for conducting ongoing customer due diligence (CDD), to include, but not be limited to, understanding the nature and purpose of customer relationships for the purpose of developing a customer risk profile, conducting ongoing monitoring to identify and report suspicious transactions and, on a risk basis, to maintain and update customer information.

This rule was mandatory for all federally insured financial institutions by May 11, 2018. It added a fifth core element to the original four core elements of an effective BSA/AML compliance program.

Trust but verify

Data collection, employee training, documentation of transactions and compliance recordkeeping may all be in place and look cohesive and robust at a community bank, but without periodic independent testing and verification, the other elements of the BSA/AML program may prove meaningless.

The rules allow financial institutions to engage independent reviews by inside or outside auditors, consultants or other parties, it is incumbent upon the bank to conduct due diligence.

Let’s look at the BSA/AML program and the importance of independent reviews. According to the Federal Financial Institutions Examination Council (FFIEC) BSA/AML InfoBase, “The purpose of independent testing (audit) is to assess the bank’s compliance with BSA regulatory requirements, relative to its risk profile, and assess the overall adequacy of the BSA/AML compliance program. Independent testing should be conducted by the internal audit department, outside auditors, consultants, or other qualified independent parties.”

Regardless of the party selected, the auditor/reviewer must be truly independent, not involved in the creation or implementation of any of the functions being tested, and should report directly to the bank’s board of directors or a board-designated committee.

While the rules allow financial institutions to engage independent reviews by inside or outside auditors, consultants or other parties, it is incumbent upon the bank to conduct due diligence. It should determine:

The sufficiency of the party’s subject matter expertise and qualifications to conduct the independent BSA/AML review
The scope and sufficiency of any contract, engagement letter, or procedures covering such a review
A clear framework for the process the independent party will follow, including availability of associated workpapers for examiners, communication with bank staff, and method and frequency of reports to senior management and the board of directors.

The frequency of the BSA/AML independent review is not mandated by regulation. However, when the bank plans for an independent review, the frequency should be commensurate with its risk profile for money laundering or terrorist funding activities; complexity of operations; and significant changes in the bank’s risk profile, systems, compliance staff or processes. More frequent independent testing should be considered when errors or deficiencies in some aspects of the BSA/AML compliance program have been identified or to verify or validate mitigating or remedial actions.

While creation of the BSA/AML program is critical to the bank’s compliance with laws and regulations, a well-planned, properly structured independent review is essential to effective risk management and internal control systems. It creates a critical first-line defense against fraud, provides essential feedback to management about the effectiveness of operations and procedures, and provides vital information to the board of directors about the effectiveness of internal control systems.