Updated Bank Secrecy Act compliance exam guide focuses on risk

FFIEC makes it clear that financial institutions' anti-money laundering programs must account for changing risks. In this expert tip, Dan Fisher explains how to ensure your BSA program meets examiners' scrutiny.

The Federal Financial Institutions Examination Council (FFIEC) in May updated and published its Bank Secrecy Act/Anti-Money Laundering Examination Manual. The manual serves as the common blueprint that examiners and other regulatory staff use when examining your institution. Once you begin to review the manual, you will quickly see which areas draw the attention of financial industry regulators.

A principal theme of the new Bank Secrecy Act compliance manual is the attention given to risk, specifically in the area of risk factors and risk mitigation. My interpretation, from an industry perspective, of the revised manual is that examiners don't believe enough effort is devoted to truly understanding the changing risk model and in particular, how electronic banking significantly increases risk.

Account for changing risk profiles in BSA compliance

The FFIEC expects financial institutions to monitor their changing risk profile. Technology is used more and more often to deliver new products. The most significant trend is the opening of new accounts without face-to-face contact, followed by electronic funding of those accounts.

The FFIEC makes it clear in its 2010 BSA/AML examination update that a compliance program must be commensurate with the risk profile of the organization. Opening an account electronically (i.e., over the Internet) without face-to-face contact, and then funding it, perhaps with an ACH transaction, is considered a higher-risk activity.

Furthermore, the manual, in response to this trend, states that "policy statements" alone are not sufficient to maintain an effective compliance program. More needs to be done and the emphasis is on process.

The expectation is clear: If your risk profile has changed -- meaning your institution has implemented a number of electronic initiatives that extend beyond the traditional banking borders -- your organization should have made a corresponding and significant change to its approach to Bank Secrecy Act compliance.

Building a more robust BSA/AML compliance program

Technology significantly changes the risk. Electronic delivery has become the de facto standard, and building a more robust program is predicated on taking a deeper look at that risk.

The FFIEC points out that with electronic banking, particularly when it includes electronic payments, traditional after-the-fact monitoring systems can be circumvented. Electronic payments clear quickly, and the FFIEC is not referring to wire transfers here. The concern has to do with remote deposit capture (RDC), ACH, and the growing use of one-time debits and cross-border transactions. More importantly, there is a growing concern that institutions will have trouble identifying where the scanner used for RDC at a commercial customer is actually located. In other words, the scanner may be in the country today (when you installed it) and out of the country tomorrow.

The manual also states that banks without a robust BSA/AML monitoring system (see page 228) may be exposed to additional risk when accounts are opened over the Internet without face-to-face contact.

The changing banking paradigm requires an organization to completely reassess its Bank Secrecy Act compliance program. The reassessment should begin with:

  1. Conducting an inventory of the electronic products and services currently offered and reassessing each one based on your ability to monitor it.
    1. Monitoring should be real time or near real time.
    2. If the process is after-the-fact (batch or manual), develop an interim step to improve the timeliness of monitoring, then contract with your vendor for a different solution.
    3. Identify any existing weaknesses and develop a tactical strategy to mitigate them in the short term, pending a more permanent solution.
  2. Establishing a corporate and vendor management policy that states: No new product should be purchased or installed without first including BSA/AML monitoring and intervention as part of the "due diligence" selection process.
    1. Establish, as part of the RFP, monitoring functionality that is immediate, not after the fact.
  3. Developing an intelligent monitoring program template and including it as a mission-critical element of the RFP selection process for new technology and as a strategic statement for vendors providing your existing technology.
    1. Monitoring should be rules based and consistent with your customer risk profile.
    2. Notification should use push messaging over a variety of communications technologies.
    3. Office of Foreign Assets Control (OFAC) and FinCEN Section 314(a) scans should be part of the transaction flow.
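As an added illustration of what item 3 above looks like in practice (this is example code written for this page, not the author's, the FFIEC's or any vendor's software), the following sketch scores each transaction as it arrives rather than in a nightly batch. It applies three rules in the transaction flow: an inline name screen against a watchlist, a rolling 24-hour aggregate whose threshold is tiered by the customer's risk profile (accounts opened without face-to-face contact get a lower threshold), and a flag for cross-border activity on a remotely opened account. Alerts are pushed to a callback the moment a rule fires. The watchlist, the thresholds, the customers and the transaction stream are all constructed for the example; a real deployment would load the published OFAC SDN and 314(a) lists and calibrate thresholds to its own risk assessment.

```python
"""Added example: inline, rules-based BSA/AML transaction monitoring.
All data below is constructed; this is not the article's or a vendor's code."""
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed stand-in for the OFAC SDN and FinCEN 314(a) subject lists.
# Assumption: a real deployment loads the published lists; this set is illustrative.
WATCHLIST = {"acme trading ltd"}

# Assumed rolling-window aggregate thresholds, tiered by customer risk profile:
# accounts opened without face-to-face contact get a lower threshold.
AGGREGATE_THRESHOLD = {"remote": 5_000, "in_person": 10_000}
WINDOW = timedelta(hours=24)


@dataclass
class Customer:
    id: str
    name: str
    opened_remotely: bool  # no face-to-face contact at account opening

    @property
    def risk_tier(self) -> str:
        return "remote" if self.opened_remotely else "in_person"


@dataclass
class Txn:
    ts: datetime
    customer_id: str
    counterparty: str
    amount: float
    channel: str          # "ACH", "RDC", ...
    cross_border: bool = False


@dataclass
class Alert:
    rule: str
    txn: Txn
    detail: str


def normalize(name: str) -> str:
    """Crude name normalisation for list screening (lowercase, collapse whitespace)."""
    return " ".join(name.lower().split())


class Monitor:
    """Scores each transaction as it arrives, instead of in an after-the-fact batch."""

    def __init__(self, customers, notify):
        self.customers = {c.id: c for c in customers}
        self.notify = notify                   # push callback (SMS/e-mail/pager stub)
        self.history = defaultdict(deque)      # customer_id -> deque[(ts, amount)]

    def process(self, txn: Txn) -> list[Alert]:
        cust = self.customers[txn.customer_id]
        alerts: list[Alert] = []

        # Rule 1: list screening sits in the transaction flow, not in a nightly job.
        if normalize(txn.counterparty) in WATCHLIST:
            alerts.append(Alert("WATCHLIST", txn, f"counterparty {txn.counterparty!r} matched"))

        # Rule 2: rolling-window aggregate; threshold chosen by the customer's risk tier.
        hist = self.history[cust.id]
        hist.append((txn.ts, txn.amount))
        while hist and hist[0][0] < txn.ts - WINDOW:
            hist.popleft()                     # drop entries older than the window
        total = sum(amount for _, amount in hist)
        if len(hist) > 1 and total >= AGGREGATE_THRESHOLD[cust.risk_tier]:
            alerts.append(Alert("AGGREGATE", txn,
                                f"{total:.0f} over {len(hist)} txns in 24h ({cust.risk_tier})"))

        # Rule 3: cross-border activity on a remotely opened account.
        if txn.cross_border and cust.opened_remotely:
            alerts.append(Alert("CROSS_BORDER_REMOTE", txn, f"{txn.channel} cross-border"))

        for alert in alerts:
            self.notify(alert)                 # push, not pull: the analyst hears about it now
        return alerts


def run_demo() -> list[Alert]:
    """Feed a constructed transaction stream through the monitor; returns fired alerts."""
    sent: list[Alert] = []
    mon = Monitor(
        [Customer("C1", "Remote Retail Account", opened_remotely=True),
         Customer("C2", "Branch Business Account", opened_remotely=False)],
        notify=sent.append,
    )
    t0 = datetime(2010, 6, 1, 9, 0)
    stream = [  # constructed sample data
        Txn(t0, "C1", "Payroll Co", 3_000, "ACH"),
        Txn(t0 + timedelta(hours=2), "C1", "Cousin Transfer", 2_500, "ACH"),
        Txn(t0 + timedelta(hours=3), "C2", "ACME  Trading  Ltd", 9_500, "RDC"),
        Txn(t0 + timedelta(hours=4), "C2", "Office Vendor", 800, "ACH"),
        Txn(t0 + timedelta(hours=30), "C1", "Overseas Co", 4_000, "ACH", cross_border=True),
    ]
    for txn in stream:
        mon.process(txn)
    return sent


if __name__ == "__main__":
    for a in run_demo():
        print(f"{a.txn.ts:%Y-%m-%d %H:%M} {a.txn.customer_id} {a.rule}: {a.detail}")
```

Running the stream fires four alerts: the remote customer's second ACH credit trips the lower aggregate threshold, the RDC item from the watchlisted counterparty is caught on arrival, the branch customer's second item crosses the higher threshold, and the cross-border credit a day later is flagged on its own (the earlier entries have already aged out of the 24-hour window). The point is that each decision is made on the transaction as it is processed, with the customer's risk tier driving the rule parameters.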

A new approach

In essence, you should redesign your approach to risk and start developing your BSA/AML program in terms of real-time systems. The objective over time is to have a system in place that tells the organization what is happening as it happens.

A robust Bank Secrecy Act compliance program and system is "NOW" focused. The more you know now, the better your BSA/AML compliance program will be.

About the author:

Dan Fisher is president and CEO of The Copper River Group, a consulting firm based in Fargo, N.D., that focuses on technology, payment systems research and consulting for community financial institutions. For nearly 30 years, Fisher has worked in the financial industry using technology to improve the bottom line. He has served as a director of the Federal Reserve Bank of Minneapolis, chairman of the American Bankers Association Payment Systems Committee, and member of the Independent Community Bankers of America Payments Committee. He has written numerous articles on banking technology and the payments system and has authored or co-authored six books, including "Capturing Your Customer! The New Technology of Remote Deposit." You can contact him at [email protected]
