On April 15, 2020, the FFIEC released an update to the Bank Secrecy Act/Anti-Money Laundering Examination Manual. The last update was in 2014. The recent update does not establish new requirements, but is intended to clearly distinguish the mandatory regulatory requirements and supervisory expectations for assessing the adequacy of your institution’s BSA/AML compliance program.
The manual updates have been in process for an extended period of time and should not be interpreted as new instructions or as a new or increased focus. The updates offer further transparency into the examination process. The updates provide instructions to examiners for risk-focusing BSA/AML examinations and the examiners’ approach in assessing your institution’s BSA/AML compliance program.
The board of governors of the Fed, Federal Deposit Insurance Corporation, National Credit Union Administration, Office of the Comptroller of the Currency and State Liaison Committee revised the sections of the examination manual in collaboration with Treasury’s Financial Crimes Enforcement Network. These agencies also made clarifications about the difference between mandatory regulatory requirements and supervisory expectations set forth in the guidance.
The revisions are identified in the table of contents with a 2020 date and include:
Risk-focused BSA/AML supervision: The examiners are provided with instructions for tailoring the examination to an institution’s risk profile. This includes testing procedures as well as conducting risk focused testing or analytical reviews. For an examiner to understand your institution’s risk profile, the examiner should consider information that includes, but is not limited to the following:
- The institution’s BSA/AML risk assessment
- Independent testing and/or audits
- Analyses and conclusions from the previous examinations
- Management’s responses, including the current status of issues with regard to independent testing/audits and examination findings
Assessing the BSA/AML compliance program: The update provides instructions for examiners for assessing the adequacy of your institution’s BSA/AML program and includes a minimum set of procedures by creating separate individual sections for the following:
- Internal controls
- Independent testing
- BSA compliance officer
- Customer iIdentification program with risked-based procedures for initial and ongoing customer due diligence and compliance with beneficial ownership requirements for legal entity customers
BSA/AML risk assessment: There are no particular methods or format requirements that your bank must use and the update reminds examiners of this. The risk categories can vary based on your institution’s size, complexity and organization structure. There is also no requirement for the risk assessment updates on a continuous or a specified periodic basis. However, updates may occur as needed, to align the risk assessment with significant changes in your institution’s risk profile.
Developing conclusions and finalizing the exam: Examiners are reminded that banks have flexibility in the design of their BSA/AML programs and minor weaknesses, deficiencies and technical violations alone are not indicative of an inadequate program. Examiners should develop and document conclusions based on your institution’s risk profile, size/complexity and organizational structure with a primary focus on whether the bank has established appropriate processes to manage money laundering and any other type of illicit financial activity risk and that your bank has complied with BSA requirements.
For more information, go to FFIEC BSA/AML examination manual updates.