It is not easy to write a BSA program. Generally, the writer, on completing the program, heaves a sigh of relief and says, “Thank goodness I will never have to do that again.” Oh, if that were only true. Unfortunately, things change, and sometimes those changes require updating a financial institution’s BSA program and policies. Too often, the stress over all of the other things that the institution’s BSA officer has to accomplish pushes program review to the back burner.
Since your last BSA program and policy review, has the institution begun offering new products or services? Has it grown in assets or expanded its service area? Have the demographics of its customer base changed? Has the law changed? Certainly the intensity of international terrorism and cyber-crime has changed. Do any of these things require a change in your BSA program, policies, procedures or risk assessments? It’s time for a review.
A financial institution’s BSA program must include:
- A system of internal controls to ensure ongoing compliance, including controls designed to detect large currency transactions (aggregating separate transactions when appropriate) and suspicious transactions;
- Independent testing, which must be performed annually and may be done by the institution’s internal audit staff, although periodically the institution should consider having the testing done by an outside third party;
- The appointment of a BSA officer; and
- The training of appropriate personnel. Most institutions are good about providing training for new personnel, but many are too lax in providing refresher or updated training for existing employees. Because BSA compliance is virtually an institution-wide process, nearly every employee is “appropriate” for continuing training.
A financial institution must then have a policy, or policies, implementing its program. Many of the policies that an institution must have are pretty narrowly defined by the law and regulations. Critical among these is the policy for customer identification. An institution’s customer identification policy must detail:
- The basic identifying information that the institution requires and any other information about the customer that should be obtained;
- The verification methods that the institution may use, including when documentary information is required, the documents that the institution will accept and the circumstances when it will accept them, and when it will accept non-documentary methods of verification and what the acceptable non-documentary methods are;
- How it will resolve discrepancies between the information and the verification; and
- What transactions it will allow a customer to conduct while the customer’s identity is being verified.
Also among the straightforward policies are the policies for large currency transaction reporting, suspicious activity reporting and recordkeeping. Other areas of the law and regulations give a financial institution quite a bit of flexibility about what its policy may be. For example, the law and regulations allow a financial institution to exempt certain customers from the requirements for reporting large currency transactions. It is up to the institution, through its policy, whether it wants to exempt allowable customers or whether it wants to report large currency transactions for every customer. It is also optional on the part of the institution whether it wants to register so that it may share information with other financial institutions. What is the institution’s policy on selling financial instruments, such as cashier’s checks, to non-customers? All of these areas where the law and regulations give the institution latitude should be spelled out in the institution’s policies.
Your institution has a BSA program and procedures. When was the last time that they were reviewed to make sure that they adequately cover the institution’s present environment and that what is set out as policy is really the best policy for the institution? If, in your review, you make any changes to the program or policies, those changes must be approved by the institution’s Board of Directors. While you are reviewing your program and policies, you might also review your training program. When was the last time any ongoing training was provided? When was the training content updated to reflect current or emerging risks?
Lastly, a strong BSA program must include risk assessments (RAs). RAs are not just about the customers; RAs should be completed for the products and services the institution offers as well as the technology that supports your BSA program. Internal controls to detect, monitor and avoid the institution’s inadvertent participation in criminal activity are essential. While risks and threats are always changing, a successful BSA/AML program is one that can foresee and address an evolving risk landscape. Institutions must ensure their BSA/AML risk is thoroughly vetted and appropriately managed.
If you are the BSA officer for your institution, we didn’t intend to make more work for you, but you may have to give up your afternoon nap for a couple of days.