In case you missed it, there is now a revised examination manual for Bank Secrecy Act/Anti-Money Laundering compliance.
Published under the auspices of the interagency Federal Financial Institutional Examination Counsel (FFIEC), the Bank Secrecy Act/Anti-Money Laundering (BSA/AML) Examination Manual is the definitive resource for determining how regulators will review compliance with anti-money laundering laws. On April 15, it received a major update after a two-year process of review, during a time when institutions are facing unprecedented BSA/AML compliance challenges in the wake of the global coronavirus pandemic.
We’ve summarized the key updates here.
Background
In 1970, Congress passed the Bank Secrecy Act, 31 U.S.C. §5311 et seq., establishing requirements for record keeping and reporting by private individuals, banks and other financial institutions. These records enable law enforcement and regulatory agencies to pursue investigations of criminal, tax and regulatory violations, and they provide evidence useful in prosecuting money laundering and other financial crimes.
Other federal laws have subsequently been enacted to augment these requirements, including the Money Laundering Control Act of 1986, which, among other things, imposes criminal liability on a person or financial institution that knowingly assists in the laundering of money, and the USA PATRIOT Act, passed in the wake of the 9/11 attacks, which criminalized the financing of terrorism and augmented the existing BSA framework by strengthening customer identification procedures and improving information sharing between financial institutions and the U.S. government. Among many other changes, the USA PATRIOT Act and its implementing regulations also required federal banking agencies to consider a bank’s AML record when reviewing bank mergers, acquisitions and other applications for business combinations.
The BSA/AML Examination Manual
The federal banking agencies require each bank under their supervision to establish and maintain a BSA compliance program. In accordance with the USA PATRIOT Act, FinCEN’s regulations require certain financial institutions to establish an AML compliance program that guards against money laundering and terrorist financing and ensures compliance with the BSA and its implementing regulations.
The updates are directed toward improving and clarifying the “risk-focus of BSA examinations by providing more focused instructions to examiners.” They are also intended to provide banks more flexibility in fashioning a BSA/AML compliance program based on the institution’s risk profile for money laundering, terrorist financing and other illicit financial activities. Likewise, the regulators have made critical changes to distinguish between (i) mandatory regulatory requirements and (ii) mere supervisory expectations. These are distinctions that were difficult to discern in the prior version.
Among the key changes in the manual:
Risk-Focused BSA/AML Supervision—This is an entirely new introductory section of the manual. It provides instructions to examiners for tailoring BSA/AML examinations to a bank’s risk profile, including examination and testing procedures, and for conducting risk-focused testing or analytical reviews. There is also a new section similarly requiring that testing during the exam cycle should be risk-focused, based on an institution’s risk profile and the examination scope.
Assessing the BSA/AML Compliance Program—The manual provides instructions to examiners for assessing the adequacy of a bank’s BSA/AML compliance program and constitutes a minimum set of procedures for full-scope BSA/AML examinations.
It separates internal controls, independent testing, BSA compliance officers and training into individual sections. On internal controls, the regulators now say institutions should “mitigate and manage” risks, while the prior version used the phrase “limit and control.” On independent testing, the 2020 manual now makes clear the distinctions between regulatory requirements and supervisory expectations, including by allowing for variances in the frequency of such testing depending on risk and other considerations. Notwithstanding the distinction between requirements and expectations, banks should work to comply with both as a matter of best practices.
The revised section also includes updated regulatory references, including the more recent Customer Due Diligence Rule.
Expanded Role for BSA Compliance Officers and Senior Executives—The updated manual directs that BSA compliance officers regularly report the status of ongoing compliance to the board of directors, have access to suitable resources, be granted adequate authority and be qualified. With respect to board members and senior managers, the manual now requires that they receive “foundational training” tailored to each individual’s specific responsibilities and the activity risks applicable to specific business lines or operational units.
BSA/AML Risk Assessment—The manual provides instructions to examiners for assessing the adequacy of a bank’s BSA/AML risk assessment processes, including (i) the identification of specific risk categories (e.g., products, services, customers and geographic locations) unique to the bank, and (ii) an analysis of the information identified to better assess risk within these categories. The manual also provides instructions to examiners that there is no particular method or format a bank must use for the risk assessment and that risk categories can vary based on a bank’s size, complexity or organizational structure. The manual also instructs examiners that there is no requirement for risk assessment updates on a continuous or specified periodic basis; these updates may occur as necessary to align the risk assessment with a significant change in a bank’s risk profile.
Developing Conclusions and Finalizing the Exam—The manual reminds examiners that banks have flexibility in the design of their BSA/AML compliance programs, and that minor weaknesses, deficiencies and technical violations are not alone indicative of an inadequate program. New and revised sections of the manual are identified by a 2020 date in the table of contents and on the FFIEC BSA/AML InfoBase. The FFIEC continues to review and revise the remaining sections of the 2014 edition of the manual. Updates to the remaining manual sections will be released in phases.
Why It Matters
This is the first comprehensive update of the BSA/AML examination manual in six years, and it has arrived at a critically important time. This version makes subtle but important changes that should be extremely useful for compliance professionals and senior bank officers seeking clarity on regulators’ BSA/AML requirements and expectations. It also provides some welcome flexibility to institutions in tailoring their BSA/AML compliance program as they operate in an unstable economic environment and prepare for the regulatory scrutiny that is likely to follow.
For those institutions that are too small for significant BSA/AML operations, care should be taken to meet at least the core updated requirements of the 2020 manual. These include enhanced training protocols and a greater emphasis on having a qualified professional in the BSA compliance role.
And, of course, in reviewing compliance, financial institutions are reminded that Office of Foreign Assets Control (OFAC) regulations are not part of the BSA and that an OFAC review is not required during each examination cycle. That said, OFAC compliance programs are frequently assessed in conjunction with BSA/AML examinations. Importantly, OFAC issued its own guidance for sanctions compliance programs in May of last year.
Manatt regularly advises clients on their compliance with these and related banking laws. For further guidance, please contact the author, any member of the firm’s AML/BSA team or your contact at Manatt Financial Services.