Money Services Businesses (“MSB”) know that one of the four pillars of the Bank Secrecy Act (“BSA”) is to have their BSA/AML Compliance Program (hereinafter the “Program”) tested periodically by a qualified, independent party. The BSA/AML Independent Review (the “Review”) provides valuable feedback to the MSB about the state of its AML Compliance Program, and it is also a document that is requested as part of regulatory examinations and bank-partner oversight.
The purpose of this article is to share insights from a Reviewer’s perspective in order to help MSBs prepare for upcoming Reviews. Keep in mind that these insights do not reflect observations from any one client, but rather, are general observations that are cumulative over time.
The FFIEC has provided guidance that says a Review is “an evaluation of the overall adequacy and effectiveness of the BSA/AML Compliance Program including policies, procedures, and processes.” It is the Reviewer’s job to evaluate whether the Program is designed and implemented to meet the applicable BSA requirements and whether the Program is tailored to the MSB’s AML risk profile. Reviewers take this mandate seriously and use the time before, during, and after their on-site review to gather as much information as possible to make copious observations, identify findings, and make best-practice recommendations.
The initial request for documents provides a roadmap as to what will be reviewed and tested. In fact, much of the review takes place prior to the on-site. As such, the company’s AML Compliance Officer should take the time to fully review and understand the entire request list and ask clarifying questions as necessary. Providing thorough responses and current documents that cover the review period gives the Reviewer more confidence that the Program is being actively managed. Also, identifying the request number for each document provided saves time and avoids confusion.
Most Reviewers test transaction data, which should be requested as early in the process as possible. The MSB can then work with the Reviewer to determine the scope of the sampling, and the best way to produce the data in a secure manner that identifies the relevant fields and can be easily queried.
A Reviewer needs to have a clear understanding of the products and services that are offered under the Program. Many companies have multiple product offerings wherein some of these offerings are regulated under the BSA while others are not. Further, some MSBs choose to cover their regulated and nonregulated products under one Program, while others only cover the regulated products. Be prepared to educate the Reviewer through product descriptions, business plans, funds and data flows, legal memorandums, regulatory guidance, and other materials that explain how the products operate and the connection or exemption of the products to the BSA.
True, the Program is often in the form of a manual that is maintained by the AML Compliance Officer and his/her team. However, the Program belongs to all employees and sets the tone for a strong culture of compliance. FinCEN’s 2014-A007 advisory provided valuable feedback that, while AML sanctions are specific to individual institutional practices or lack thereof, the common thread among sanctioned companies (large and small) has been that they lacked a strong culture of compliance as promoted from the top down. We, at Chartwell, recommend that the Program be shared with all employees. One important way this can be accomplished is by providing each employee with a copy of the Program as part of the training process and/or making the Program accessible on an intranet site and communicating that accessibility.
All MSBs must have a designated AML Compliance Officer (“CO”), and regulatory guidance tells us that the CO should be appointed by the MSB’s Board of Directors (“BOD”). The appointment can be made by consent of the BOD or included in the minutes of a BOD meeting. Your CO must have sufficient AML experience and receive ongoing AML training. Also, some states have experience requirements for the AML Compliance Officer position.
Check your structure to make sure your CO has:
Procedures are in writing and a best practice is to have three levels of procedures:
Other useful tips include:
A company’s Risk Assessment must be tailored to the distinct products/services and unique industry of that company. While that may sound obvious, sometimes the Risk Assessment is too generic, and, as such, the company may not have sufficient risk mitigations in place. The tips below provide ways to develop or enhance your AML Risk Assessment process:
Oversight Programs for third parties that are instrumental in the sales, operations, or controls for your business are essential. Third parties may include Agents, Independent Sales Organizations, Foreign Correspondent Financial Institutions, contractors, vendors, and more. The initial due diligence must be done consistently, whether the third party is large and well known or a small operation. If the third party has a role in meeting your regulatory obligations, make sure that a thorough and consistent review is done based on risk and at least annually.
As we are all aware, the narrative section is an area of ongoing improvement among SAR elements. Here is a useful tip: develop a SAR narrative template that provides a flow for how to organize the critical facts, circumstances, parties, and dates. Succinct chronologies are necessary, so highlight what happened, when, the roles of the key parties, identification numbers and dollar amounts, and why the activity is deemed to be suspicious. Without this structure, there is a tendency to leave out important details, convey speculation instead of facts, and use internal acronyms or phrases that are more than likely unfamiliar to the party reviewing the filed SAR.
Program Reviewers and state and federal examiners test the 30-day filing deadline. It is a best practice to include data in the investigative notes and in the SAR that explains when the activity became suspicious.
The requirement states that a SAR must be filed with FinCEN no later than 30 calendar days from the date of the “initial detection” of facts that may constitute a basis for filing a SAR. The time period for filing a SAR starts when an MSB, during its review, or based on other available information, has firm reason to suspect that the activity or transactions under review meet one or more of the definitions of suspicious activity.
The phrase “initial detection” should not be interpreted to mean the moment a transaction is highlighted for review or the date on which the transaction occurs. There are a variety of legitimate transactions that could raise suspicion simply because they are inconsistent with a customer’s historically “normal” activity. As such, each MSB should set and communicate its decision-making standards, and the initial detection date should be included in its SAR and back-up documentation.
Most MSBs provide their employees with good, basic AML training on at least an annual basis. As such, below is a list of suggestions for improving your AML Training content and recordkeeping:
OFAC laws, rules, and regulations are separate and distinct from the BSA. While a BSA Program must include OFAC compliance, it may be appropriate to have a separate OFAC Program and OFAC Risk Assessment, since OFAC applies to all dealings of U.S. Persons and not just to those within the scope of the BSA. OFAC reports must be timely filed and maintained for five years. Companies frequently have good systems for initial screenings, but fail to screen certain databases, such as employee lists, against updates.
As most MSBs use some type of interdiction software or proprietary screening method, it is very important to test OFAC controls regularly. The following is a short list of tests you can perform:
Know your BSA requirements and be prepared to show proof of compliance, which may include CTRs, FBARs, CMIRs, and others not specifically addressed in this article.
In summary, each Review is unique in its own way. Chartwell’s goal is to provide Independent Reviews that not only meet the BSA requirement, but also provide valuable feedback for a better AML Compliance Program.