Shining the light on previously undisclosed examination practices, federal banking regulators and other entities issued an important joint statement addressing their risk-focused approach to BSA/AML examinations.
The Federal Deposit Insurance Corporation (FDIC), the Board of Governors of the Federal Reserve System, the National Credit Union Administration (NCUA), the Office of the Comptroller of the Currency (OCC) and the Financial Crimes Enforcement Network (FinCEN) said they hoped the statement would improve transparency by elaborating on how the examiners plan and perform BSA examinations.
What happened
Pursuant to the Federal Deposit Insurance Act and the Federal Credit Union Act, the federal banking agencies have prescribed regulations requiring each bank to establish and maintain procedures reasonably designed to meet the requirements of the BSA. AML programs are expected to be tailored to the size and sophistication of a bank and its particular customers, geographic reach and other risks that the institution faces.
“A risk-based compliance program enables a bank to allocate compliance resources commensurate with its risk,” according to the Joint Statement. “A bank’s well-developed risk assessment is a critical part of sound risk management and assists examiners in understanding the bank’s risk profile.”
Federal banking agency examiners evaluate the adequacy of a bank’s BSA/AML compliance program relative to its risk profile and the bank’s compliance with applicable laws and regulations, the Joint Statement explained, assessing whether the bank has developed and implemented effective processes to identify, measure, monitor and control risks.
“The federal banking agencies and FinCEN recognize that banks vary in focus and complexity, and that these differences create for each bank a unique risk profile,” the regulators wrote. “Accordingly, the scope of BSA/AML examinations varies by bank.”
Common practices for assessing a bank’s risk profile include leveraging available information (including the bank’s BSA/AML risk assessment, independent testing or audits, analyses and conclusions from previous examinations, and other information available through the off-site monitoring process or a request letter to the bank), contacting banks between exams or prior to finalizing the scope of an examination, and considering the bank’s ability to control risks.
The federal banking agencies generally allocate more resources to higher-risk areas, so the information gained from assessing the bank’s risk profile assists examiners in scoping and planning the exam, according to the Joint Statement. Examiners tailor the pre-examination request list to the bank’s risk profile, complexity and planned exam scope, based on factors such as products, services, customers and the geographic locations where the bank operates.
“The extent of examination activities necessary to evaluate a bank’s BSA/AML compliance program generally depends on a bank’s risk profile and the quality of its risk management processes to identify, measure, monitor and control risks, and to report potential money laundering, terrorist financing and other illicit financial activity,” the Joint Statement concluded. Banks that operate in compliance with applicable law, properly manage customer relationships and effectively mitigate risks by implementing controls commensurate with those risks are neither prohibited nor discouraged from providing banking services, the agencies said. Banks are encouraged to manage customer relationships and mitigate risks based on those relationships rather than declining to provide banking services to “entire categories of consumers,” the agencies added, referencing prior guidance.
To read the Joint Statement, click here.
Why it matters
The Joint Statement does not create any additional requirements or supervisory expectations for banks. Instead, it explains the risk-focused approach that the examiners take, and offers insight into the process they use. It also re-emphasizes that BSA/AML exams are based on “the unique risk profile” of each bank.