Checklist:  Prepare Yourself for Your Next Exam: Bank Secrecy Act/Anti-Money Laundering/Office of Foreign Assets Control (“BSA/AML/OFAC”)

by Kris Welch

BSA/AML examinations have a significant impact on the rating given to your bank’s management in a Safety and Soundness Examination. With the published 2010 Federal Financial Institutions Examination Council (“FFIEC”) Bank Secrecy Act/Anti-Money Laundering Examination Manual and the 2008 FFIEC Bank Secrecy Act/Anti-Money Laundering Examination Manual for Money Services Business, on-site examinations are more predictable in their scope and content. Following the to-do-list for your next BSA/AML/OFAC exam could save you time and money. The best way to prepare for your exam is to test the elements of your BSA/AML/OFAC program and immediately correct any deficiencies before your examiners find them.

  1. Review the findings from the last BSA/AML/OFAC examiner’s report or independent report and verify that all the deficiencies have been corrected.
  2. Verify the BSA/AML/OFAC risk assessment and the written BSA/AML/OFAC program were updated and approved by the board within the last 12 months.
  3. Validate that all products and/ or services have been included in the risk assessment.
  4. Make sure that all documentation utilized in completing the BSA/AML/OFAC risk assessment is available. Numerical support should be available to support each risk assessed.
  5. Review the BSA/AML/OFAC training records and validate that the records have adequately been documented. If any employees have missed the training, conduct a make-up session. Also, confirm that the board of directors received BSA/ AML/OFAC training and that it was documented in the board minutes.
  6. Review the 314(a) log and related documentation validating entries are recorded at least every two weeks and the results of the searches have been clearly documented.
  7. Verify the Section 314(b) notification form filed with FinCEN provides an effective date for the sharing of information that is within the previous 12 months, if you are an information sharer.
  8. Determine the types of noncustomer transactions that the bank may have and validate that OFAC is being checked in these circumstances. Noncustomer transactions may include payees on monetary instruments; “on us” checks cashed at the bank, ATM deposits from noncustomers, originator and beneficiaries on incoming and outgoing wires, sales of traveler’s checks, guarantors, principals, and powers of attorney.
  9. Validate the OFAC SDN list is being downloaded and is the most updated current list.
  10. From your core system, download a report showing all the key Customer Identification Program (CIP) data, sorted by fields such as the date of birth, tax identification number, etc. Look for missing data or false data, such as numbers with all nines or all zeros.
  11. Review the current list of high risk customers and verify the documentation of enhanced due diligence is available for each customer on the list and verify enhanced due diligence was performed within the last three months.
  12. Review the named suspects in all Suspicious Activity Report (“SAR”) filings. If these are bank customers, verify that they were added to the high-risk list and that continued enhanced due diligence is being performed every 90 days.
  13. Review all policies, procedures and processes for responding to law enforcement inquiries and requests.
  14. Verify that the program utilized to detect suspicious activity covers all areas of the bank, including: deposits, lending, investment/brokerage, trust, insurance, funds transfers, monetary instrument purchases, balance fluctuations, nonsufficient funds, kiting suspects, electronic banking activity, Automated Clearing House (“ACH”) activity, remote deposit capture, brokered deposits, suspects named in law enforcement actions and criminal subpoenas, money services businesses, nonresident alien accounts and privately owned ATM account activity.
  15. Review your reporting system to validate the system is correctly aggregating all activity for currency transaction report (“CTR”) reporting.
  16. Review all SAR and CTR filings with FinCEN are accurate and complete.
  17. Review all exemptions and validate that the account is still eligible for exemption and the documentation is current.
  18. Scan logs utilized to capture recordkeeping data on cash purchases of monetary instruments between $3,000 and $10,000, and review for any missing data.
  19. Review wire transfer logs for all wires received or sent to foreign countries especially those with strict privacy and secrecy laws and countries with non-cooperative tax havens. If a SAR was not filed, be prepared to explain the legitimate purpose of these wires.
  20. Verrify all deposit broker relationships have been identified and included in the BSA/AML risk assessment.

This article is an extract from the Inaugural Edition of Chartwell Compass prepared especially for Fiserv.