No question, a BSA exam is a scary event.
But while no one enjoys a visit from the examiners, the good news, according to an April 6th update from the FDIC, is that “the vast majority of examinations” end up finding financial institutions compliant. From 2007 through 2016, the FDIC says that only around one percent of examinations resulted in formal BSA/AML enforcement actions.
When violations do occur, the FDIC says that they tend to fall into four buckets: currency transaction reporting, required information sharing, suspicious activity reporting, and inadequate internal controls.
Here, too, the FDIC points out that the news for banks is encouraging. In the decade between 2007 and 2016, the number of violations in each of these categories, with the exception of suspicious activity reporting, has fallen, sometimes quite dramatically.
Common Violations
Below is a deeper dive into the four most common BSA violations and how community bankers can stay on the right side of the examiners.
Currency Transaction Reporting (CTR)
The number of annual violations in this category declined from a high of 500-plus in 2007 to around 200 in 2016.
A currency transaction report, or CTR, is a report that US financial institutions are required to provide to the Financial Crime Enforcement Network (FinCEN) for transactions exceeding $10,000. For smaller transactions, banks might decide to fill out a Suspicious Activity Report and a CTR if a customer appears to be structuring (breaking a large transaction into multiple smaller transactions), or taking other deliberate steps to avoid reporting.
Within a CTR, banks are asked to verify and record the name and address of an individual presenting a $10,000-plus currency transaction, as well as his/her account number and Social Security number or taxpayer identification number.
For individuals who are not US residents, identification must be made by passport or alien identification card. For more information, FFIEC provides a detailed explanation of precisely what information should be collected.
While there are several possible BSA compliance deficiencies for currency transaction reporting, one major one is failure to file a CTR in a timely fashion.
Generally speaking, though, examiners are interested in seeing a bank’s policies, procedures, and internal controls for reporting currency transactions. Examiners will typically review correspondence from FinCEN’s BSA E-Filing system, as well as independent testing or audit reports.
One internal control best practice that FFIEC recommends is obtaining approval from the BSA compliance officer (or another senior manager) whenever a staff member wants to override existing CTR practices.
Required Information Sharing
Violations in this area dipped below 100 incidents a year by 2016, down from over 150 incidents in 2007, according to the FDIC.
Since 2002, financial institutions have been required to comply with regulatory requirements for information sharing designed to deter money laundering and terrorist activities. Sometimes called “314(a) information requests,” they became a requirement under section 314(a) of the USA PATRIOT Act.
Information-sharing requirements were broadened in 2010, when FinCEN amended its rules to allow state, local, and certain foreign law enforcement agencies access to this information-sharing program.
When it comes to information-sharing compliance, examiners want to see that financial institutions have developed and implemented “comprehensive policies, procedures, and processes for responding to section 314(a) requests,” according to FFIEC. In addition, documentation that all required searches were performed is essential.
“[I]nformation sharing compliance deficiencies may be corrected,” according to the FDIC, “by designating persons responsible for conducting searches, keeping contact information up to date with FinCEN, and establishing policies, procedures and processes that clearly outline methods for conducting and documenting information sharing request searches, as well as reporting the results of those searches, as necessary.”
Suspicious Activity Reporting (SAR)
SAR violations are the one category that has seen an uptick in violations in recent years. The FDIC notes that SAR violations increased from around 175 in 2007 to nearly 220 in 2016.
“Compliance deficiencies related to suspicious activity reporting can be prevented with trained staff and the implementation of systems to identify, research, and report unusual activity,” says the FDIC.
Although successful enforcement actions by FinCEN in this area are rare, these actions can be extremely informative. Typically consent orders cite a breakdown or underdevelopment in process, as shown in a recent consent order which cited the willful failure to timely and accurately file SARs due to an underdeveloped system.
Inadequate Internal Controls
This BSA violation has consistently been the least publicly cited of the four most common violations out there. In the decade between 2007 and 2016, for instance, there were never more than 100 violations in any given year. However, internal controls will frequently be cited as recommendations and MRAs.
In its BSA-AML Exam Manual, the FFIEC lists several ways that examiners can determine whether a bank’s internal controls are designed to assure ongoing compliance with BSA requirements.
Among the most important steps for bankers to take are creating program continuity even when there are changes in operations or employee composition; providing for timely updates when regulations change; incorporating dual controls and the segregation of duties to whatever extent possible; and creating management information systems to inform the board of directors and senior management of program status, compliance deficiencies, and any corrective actions taken.
Want to make sure your BSA program isn't falling into one of these four traps? Our team of former regulators and financial professionals are here to help. Check out our advisory services for help avoiding these common pitfalls.