
AML Compliance Program1

Assess the adequacy of the bank’s BSA/AML compliance program. Determine whether the bank has developed, administered, and maintained an effective program for compliance with the BSA and all of its implementing regulations.

Uploaded by

ranzel789

BSA/AML Compliance Program - Overview

Objective. Assess the adequacy of the bank's BSA/AML compliance program. Determine
whether the bank has developed, administered, and maintained an effective program for
compliance with the BSA and all of its implementing regulations.

Review of the bank's written policies, procedures, and processes is a first step in determining the
overall adequacy of the BSA/AML compliance program. The completion of applicable core and,
if warranted, expanded examination procedures is necessary to support the overall conclusions
regarding the adequacy of the BSA/AML compliance program. Examination findings should be
discussed with the bank's management, and significant findings must be included in the report of
examination or supervisory correspondence.

The BSA/AML compliance program30 must be written, approved by the board of directors,31 and
noted in the board minutes. A bank must have a BSA/AML compliance program commensurate
with its respective BSA/AML risk profile. Refer to the core overview section, "BSA/AML Risk
Assessment," page 18, for additional guidance on developing a BSA/AML risk assessment. Refer
to Appendix I ("Risk Assessment Link to the BSA/AML Compliance Program") for a chart
depicting the risk assessment's link to the BSA/AML compliance program. Furthermore, the
BSA/AML compliance program must be fully implemented and reasonably designed to meet the
BSA requirements.32 Policy statements alone are not sufficient; practices must coincide with the
bank's written policies, procedures, and processes. The BSA/AML compliance program must
provide for the following minimum requirements:

A system of internal controls to ensure ongoing compliance.

Independent testing of BSA/AML compliance.

Designate an individual or individuals responsible for managing BSA compliance (BSA
compliance officer).

Training for appropriate personnel.

In addition, a CIP must be included as part of the BSA/AML compliance program. Refer to the
core overview section, "Customer Identification Program," page 47, for additional guidance.

Internal Controls
The board of directors, acting through senior management, is ultimately responsible for ensuring
that the bank maintains an effective BSA/AML internal control structure, including suspicious
activity monitoring and reporting. The board of directors and management should create a
culture of compliance to ensure staff adherence to the bank's BSA/AML policies, procedures,
and processes. Internal controls are the bank's policies, procedures, and processes designed to
limit and control risks and to achieve compliance with the BSA. The level of sophistication of
the internal controls should be commensurate with the size, structure, risks, and complexity of
the bank. Large complex banks are more likely to implement departmental internal controls for
BSA/AML compliance. Departmental internal controls typically address risks and compliance
requirements unique to a particular line of business or department and are part of a
comprehensive BSA/AML compliance program.

Internal controls should:

Identify banking operations (i.e., products, services, customers, entities, and geographic
locations) more vulnerable to abuse by money launderers and criminals; provide for
periodic updates to the bank's risk profile; and provide for a BSA/AML compliance
program tailored to manage risks.

Inform the board of directors, or a committee thereof, and senior management, of
compliance initiatives, identified compliance deficiencies, and corrective action taken,
and notify directors and senior management of SARs filed.

Identify a person or persons responsible for BSA/AML compliance.

Provide for program continuity despite changes in management or employee composition
or structure.

Meet all regulatory recordkeeping and reporting requirements, meet recommendations for
BSA/AML compliance, and provide for timely updates in response to changes in
regulations.33

Implement risk-based CDD policies, procedures, and processes.

Identify reportable transactions and accurately file all required reports including SARs,
CTRs, and CTR exemptions. (Banks should consider centralizing the review and report-
filing functions within the banking organization.)

Provide for dual controls and the segregation of duties to the extent possible. For
example, employees that complete the reporting forms (such as SARs, CTRs, and CTR
exemptions) generally should not also be responsible for the decision to file the reports or
grant the exemptions.

Provide sufficient controls and systems for filing CTRs and CTR exemptions.

Provide sufficient controls and monitoring systems for timely detection and reporting of
suspicious activity.

Provide for adequate supervision of employees that handle currency transactions,
complete reports, grant exemptions, monitor for suspicious activity, or engage in any
other activity covered by the BSA and its implementing regulations.

Incorporate BSA compliance into the job descriptions and performance evaluations of
bank personnel, as appropriate.

Train employees to be aware of their responsibilities under the BSA regulations and
internal policy guidelines.

The above list is not designed to be all-inclusive and should be tailored to reflect the bank's
BSA/AML risk profile. Additional policy guidance for specific risk areas is provided in the
expanded sections of this manual.

Independent Testing
Independent testing (audit) should be conducted by the internal audit department, outside
auditors, consultants, or other qualified independent parties. While the frequency of audit is not
specifically defined in any statute, a sound practice is for the bank to conduct independent testing
generally every 12 to 18 months, commensurate with the BSA/AML risk profile of the bank.
Banks that do not employ outside auditors or consultants or have internal audit departments may
comply with this requirement by using qualified persons who are not involved in the function
being tested. The persons conducting the BSA/AML testing should report directly to the board of
directors or to a designated board committee comprised primarily or completely of outside
directors. Banks that employ outside auditors or consultants should ensure that qualified persons
doing the BSA/AML testing are not involved in other BSA functions such as training or
developing policies and procedures that may present a conflict or lack of independence.

Those persons responsible for conducting an objective independent evaluation of the written
BSA/AML compliance program should perform testing for specific compliance with the BSA,
and evaluate pertinent management information systems (MIS). The audit should be risk based
and evaluate the quality of risk management for all banking operations, departments, and
subsidiaries. Risk-based audit programs will vary depending on the bank's size, complexity,
scope of activities, risk profile, quality of control functions, geographic diversity, and use of
technology. An effective risk-based auditing program will cover all of the bank's activities. The
frequency and depth of each activity's audit will vary according to the activity's risk assessment.
Risk-based auditing enables the board of directors and auditors to use the bank's risk assessment
to focus the audit scope on the areas of greatest concern. The testing should assist the board of
directors and management in identifying areas of weakness or areas where there is a need for
enhancements or stronger controls.

Independent testing should, at a minimum, include:

An evaluation of the overall adequacy and effectiveness of the BSA/AML compliance
program, including policies, procedures, and processes. Typically, this evaluation will
include an explicit statement about the BSA/AML compliance program's overall
adequacy and effectiveness and compliance with applicable regulatory requirements. At
the very least, the audit should contain sufficient information for the reviewer (e.g., an
examiner, review auditor, or BSA officer) to reach a conclusion about the overall quality
of the BSA/AML compliance program.

A review of the bank's risk assessment for reasonableness given the bank's risk profile
(products, services, customers, entities, and geographic locations).

Appropriate risk-based transaction testing to verify the bank's adherence to the BSA
recordkeeping and reporting requirements (e.g., CIP, SARs, CTRs and CTR exemptions,
and information sharing requests).

An evaluation of management's efforts to resolve violations and deficiencies noted in
previous audits and regulatory examinations, including progress in addressing
outstanding supervisory actions, if applicable.

A review of staff training for adequacy, accuracy, and completeness.

A review of the effectiveness of the suspicious activity monitoring systems (manual,
automated, or a combination) used for BSA/AML compliance. Related reports may
include, but are not limited to:

o Suspicious activity monitoring reports.

o Large currency aggregation reports.

o Monetary instrument records.

o Funds transfer records.

o Nonsufficient funds (NSF) reports.

o Large balance fluctuation reports.

o Account relationship reports.

An assessment of the overall process for identifying and reporting suspicious activity,
including a review of filed or prepared SARs to determine their accuracy, timeliness,
completeness, and effectiveness of the bank's policy.

An assessment of the integrity and accuracy of MIS used in the BSA/AML compliance
program. MIS includes reports used to identify large currency transactions, aggregate
daily currency transactions, funds transfer transactions, monetary instrument sales
transactions, and analytical and trend reports.

Auditors should document the audit scope, procedures performed, transaction testing completed,
and findings of the review. All audit documentation and workpapers should be available for
examiner review. Any violations, policy or procedures exceptions, or other deficiencies noted
during the audit should be included in an audit report and reported to the board of directors or a
designated committee in a timely manner. The board or designated committee and the audit staff
should track audit deficiencies and document corrective actions.

BSA Compliance Officer


The bank's board of directors must designate a qualified individual to serve as the BSA
compliance officer.34 The BSA compliance officer is responsible for coordinating and monitoring
day-to-day BSA/AML compliance. The BSA compliance officer is also charged with managing
all aspects of the BSA/AML compliance program and with managing the bank's adherence to the
BSA and its implementing regulations; however, the board of directors is ultimately responsible
for the bank's BSA/AML compliance.

While the title of the individual responsible for overall BSA/AML compliance is not important,
his or her level of authority and responsibility within the bank is critical. The BSA compliance
officer may delegate BSA/AML duties to other employees, but the officer should be responsible
for overall BSA/AML compliance. The board of directors is responsible for ensuring that the
BSA compliance officer has sufficient authority and resources (monetary, physical, and
personnel) to administer an effective BSA/AML compliance program based on the bank's risk
profile.

The BSA compliance officer should be fully knowledgeable of the BSA and all related
regulations. The BSA compliance officer should also understand the bank's products, services,
customers, entities, and geographic locations, and the potential money laundering and terrorist
financing risks associated with those activities. The appointment of a BSA compliance officer is
not sufficient to meet the regulatory requirement if that person does not have the expertise,
authority, or time to satisfactorily complete the job.

The line of communication should allow the BSA compliance officer to regularly apprise the
board of directors and senior management of ongoing compliance with the BSA. Pertinent BSA-
related information, including the reporting of SARs filed with FinCEN, should be reported to
the board of directors or an appropriate board committee so that these individuals can make
informed decisions about overall BSA/AML compliance. The BSA compliance officer is
responsible for carrying out the direction of the board and ensuring that employees adhere to the
bank's BSA/AML policies, procedures, and processes.

Training
Banks must ensure that appropriate personnel are trained in applicable aspects of the BSA.
Training should include regulatory requirements and the bank's internal BSA/AML policies,
procedures, and processes. At a minimum, the bank's training program must provide training for
all personnel whose duties require knowledge of the BSA. The training should be tailored to the
person's specific responsibilities. In addition, an overview of the BSA/AML requirements
typically should be given to new staff during employee orientation. Training should encompass
information related to applicable business lines, such as trust services, international, and private
banking. The BSA compliance officer should receive periodic training that is relevant and
appropriate given changes to regulatory requirements as well as the activities and overall
BSA/AML risk profile of the bank.

The board of directors and senior management should be informed of changes and new
developments in the BSA, its implementing regulations and directives, and the federal banking
agencies' regulations. While the board of directors may not require the same degree of training as
banking operations personnel, they need to understand the importance of BSA/AML regulatory
requirements, the ramifications of noncompliance, and the risks posed to the bank. Without a
general understanding of the BSA, the board of directors cannot adequately provide BSA/AML
oversight; approve BSA/AML policies, procedures, and processes; or provide sufficient
BSA/AML resources.

Training should be ongoing and incorporate current developments and changes to the BSA and
any related regulations. Changes to internal policies, procedures, processes, and monitoring
systems should also be covered during training. The program should reinforce the importance
that the board and senior management place on the bank's compliance with the BSA and ensure
that all employees understand their role in maintaining an effective BSA/AML compliance
program.

Examples of money laundering activity and suspicious activity monitoring and reporting can and
should be tailored to each individual audience. For example, training for tellers should focus on
examples involving large currency transactions or other suspicious activities; training for the
loan department should provide examples involving money laundering through lending
arrangements.

Banks should document their training programs. Training and testing materials, the dates of
training sessions, and attendance records should be maintained by the bank and be available for
examiner review.

EXAMINATION PROCEDURES
BSA/AML Compliance Program

Objective. Assess the adequacy of the bank's BSA/AML compliance program. Determine
whether the bank has developed, administered, and maintained an effective program for
compliance with the BSA and all of its implementing regulations.

1. Review the bank's board approved35 written BSA/AML compliance program36 to ensure it
contains the following required elements:

A system of internal controls to ensure ongoing compliance.

Independent testing of BSA compliance.

A specifically designated person or persons responsible for managing BSA
compliance (BSA compliance officer).

Training for appropriate personnel.

A bank must have a BSA/AML compliance program commensurate with its respective
BSA/AML risk profile. In addition, a CIP must be included as part of the BSA/AML compliance
program.

2. Assess whether the board of directors and senior management receive adequate reports on
BSA/AML compliance.

Risk Assessment Link to the BSA/AML Compliance Program

3. On the basis of examination procedures completed in the scoping and planning process,
including the review of the risk assessment, determine whether the bank has adequately
identified the risk within its banking operations (products, services, customers, entities, and
geographic locations) and incorporated the risk into the BSA/AML compliance program. Refer
to Appendix I ("Risk Assessment Link to the BSA/AML Compliance Program") when
performing this analysis.

Internal Controls

4. Determine whether the BSA/AML compliance program includes policies, procedures, and
processes that:

Identify higher-risk banking operations (products, services, customers,
entities, and geographic locations); provide for periodic updates to the bank's
risk profile; and provide for a BSA/AML compliance program tailored to
manage risks.

Inform the board of directors, or a committee thereof, and senior
management, of compliance initiatives, identified compliance deficiencies,
SARs filed, and corrective action taken.

Identify a person or persons responsible for BSA/AML compliance.

Provide for program continuity despite changes in management or employee
composition or structure.

Meet all regulatory requirements, meet recommendations for BSA/AML
compliance, and provide for timely updates to implement changes in
regulations.

Implement risk-based CDD policies, procedures, and processes.

Identify reportable transactions and accurately file all required reports,
including SARs, CTRs, and CTR exemptions. (Banks should consider
centralizing the review and report-filing functions within the banking
organization.)

Provide for dual controls and the segregation of duties to the extent possible.
For example, employees that complete the reporting forms (such as SARs,
CTRs, and CTR exemptions) generally should not also be responsible for the
decision to file the reports or grant the exemptions.

Provide sufficient controls and monitoring systems for the timely detection
and reporting of suspicious activity.

Provide for adequate supervision of employees that handle currency
transactions, complete reports, grant exemptions, monitor for suspicious
activity, or engage in any other activity covered by the BSA and its
implementing regulations.

Train employees to be aware of their responsibilities under the BSA
regulations and internal policy guidelines.

Incorporate BSA compliance into job descriptions and performance
evaluations of appropriate personnel.

Independent Testing

5. Determine whether the BSA/AML testing (audit) is independent (e.g., performed by a person
(or persons) not involved with the bank's BSA/AML compliance staff) and whether persons
conducting the testing report directly to the board of directors or to a designated board committee
comprised primarily or completely of outside directors.

6. Evaluate the qualifications of the person (or persons) performing the independent testing to
assess whether the bank can rely upon the findings and conclusions.

7. Validate the auditor's reports and workpapers to determine whether the bank's independent
testing is comprehensive, accurate, adequate, and timely. The independent test should address the
following:

The overall adequacy and effectiveness of the BSA/AML compliance program,
including policies, procedures, and processes. Typically, this evaluation will
include an explicit statement about the BSA/AML compliance program's
overall adequacy and effectiveness and compliance with applicable
regulatory requirements. At the very least, the audit should contain sufficient
information for the reviewer (e.g., an examiner, review auditor, or BSA
officer) to reach a conclusion about the overall quality of the BSA/AML
compliance program.

BSA/AML risk assessment.

BSA reporting and recordkeeping requirements.

CIP implementation.

The adequacy of CDD policies, procedures, and processes and whether they
comply with internal requirements.

Personnel adherence to the bank's BSA/AML policies, procedures, and
processes.

Appropriate transaction testing, with particular emphasis on higher-risk
operations (products, services, customers, and geographic locations).

Training, including its comprehensiveness, accuracy of materials, the training
schedule, and attendance tracking.

The integrity and accuracy of MIS used in the BSA/AML compliance program.
MIS includes reports used to identify large currency transactions, aggregate
daily currency transactions, funds transfer transactions, monetary instrument
sales transactions, and analytical and trend reports.

Tracking of previously identified issues and deficiencies and verification that
they have been corrected by management.

If an automated system is not used to identify or aggregate large
transactions, determine whether the audit or independent review includes a
sample test check of tellers' cash proof sheets, tapes, or other
documentation to determine whether large currency transactions are
accurately identified and reported.

8. Determine whether the audit's review of suspicious activity monitoring systems includes an
evaluation of the system's ability to identify unusual activity. Ensure through a validation of the
auditor's reports and workpapers that the bank's independent testing:

Reviews policies, procedures, and processes for suspicious activity
monitoring.

Evaluates the system's methodology for establishing and applying expected
activity or filtering criteria.

Evaluates the system's ability to generate monitoring reports.

Determines whether the system filtering criteria are reasonable and include,
at a minimum, cash, monetary instruments, funds transfers, and other
higher-risk products, services, customers, or geographies, as appropriate.

9. Determine whether the audit's review of suspicious activity reporting systems includes an
evaluation of the research and referral of unusual activity. Ensure through a validation of the
auditor's reports and workpapers that the bank's independent testing includes a review of
policies, procedures, and processes for referring unusual activity from all business lines (e.g.,
legal, private banking, foreign correspondent banking) to the personnel or department
responsible for evaluating unusual activity.

10. Review the audit scope, procedures, and workpapers to determine adequacy of the audit
based on the following:

Overall audit coverage and frequency in relation to the risk profile of the
bank.

Board reporting and supervision of, and its responsiveness to, audit findings.

Adequacy of transaction testing, particularly for higher-risk banking
operations and suspicious activity monitoring systems.

Competency of the auditors or independent reviewers regarding BSA/AML
requirements.

BSA Compliance Officer

11. Determine whether the board of directors has designated a person or persons responsible for
the overall BSA/AML compliance program. Determine whether the BSA compliance officer has
the necessary authority and resources to effectively execute all duties.

12. Assess the competency of the BSA compliance officer and his or her staff, as necessary.
Determine whether the BSA compliance area is sufficiently staffed for the bank's overall risk
level (based on products, services, customers, entities, and geographic locations), size, and
BSA/AML compliance needs. In addition, ensure that no conflict of interest exists and that staff
is given adequate time to execute all duties.

Training

13. Determine whether the following elements are adequately addressed in the training program
and materials:

The importance the board of directors and senior management place on
ongoing education, training, and compliance.

Employee accountability for ensuring BSA compliance.

Comprehensiveness of training, considering specific risks of individual
business lines.

Training of personnel from all applicable areas of the bank. 37


Frequency of training.

Documentation of attendance records and training materials.

Coverage of bank policies, procedures, processes, and new rules and
regulations.

Coverage of different forms of money laundering and terrorist financing as it
relates to identification and examples of suspicious activity.

Penalties for noncompliance with internal policies and regulatory
requirements.

Transaction Testing

Transaction testing must include, at a minimum, either examination procedures detailed below
(independent testing) or transaction testing procedures selected from within the core or expanded
sections. While some transaction testing is required, examiners have the discretion to decide
what testing to conduct. Examiners should document their decision regarding the extent of
transaction testing to conduct and the activities where it is to be performed, as well as the
rationale for any changes to the scope of transaction testing that occur during the examination.
Examiners should consider the following when determining how to proceed with transaction
testing:

Accounts or customers identified in the review of information obtained from
downloads from the BSA-reporting database.

Higher-risk products and services, customers and entities, and geographic
locations for which it appears from the scoping and planning process that the
bank may not have appropriate internal controls.

New products and services, customers and entities, and geographies
introduced into the bank's portfolio since the previous BSA/AML examination.

Independent Testing
14. Select a judgmental sample that includes transactions other than those tested by the
independent auditor and determine whether independent testing:

Is comprehensive, adequate, and timely.

Has reviewed the accuracy of MIS used in the BSA/AML compliance program.

Has reviewed suspicious activity monitoring systems to include the
identification of unusual activity.

Has reviewed whether suspicious activity reporting systems include the
research and referral of unusual activity.

Preliminary Evaluation

After the examiner has completed the review of all four required elements of the bank's
BSA/AML compliance program, the examiner should document a preliminary evaluation of the
bank's program. At this point, the examiner should revisit the initial examination plan, in order to
determine whether any strengths or weaknesses identified during the review of the institution's
BSA/AML compliance program warrant adjustments to the initial planned scope. The examiner
may complete the core examination procedures, "Office of Foreign Assets Control," page 152.
The examiner should document and support any changes to the examination scope, then proceed
to the applicable core and, if warranted, expanded examination procedures. If there are no
changes to the examination scope, the examiner should proceed to the core examination
procedures, "Developing Conclusions and Finalizing the Examination," page 43.

Developing Conclusions and Finalizing the Examination - Overview

Objective. Formulate conclusions, communicate findings to management, prepare report
comments, develop an appropriate supervisory response, and close the examination.

In the final phase of the BSA/AML examination, the examiner should assemble all findings from
the examination procedures completed. From those findings, the examiner should develop and
document conclusions about the BSA/AML compliance program's adequacy, discuss preliminary
conclusions with bank management, present these conclusions in a written format for inclusion
in the report of examination (ROE), and determine and document what regulatory response, if
any, is appropriate.

In some cases, the appropriate regulatory response will include the citation of a regulatory
violation. The citation of violations of law and regulation is typically done in the context of
supervisory activities. The extent to which violations affect the evaluation of a bank's BSA/AML
compliance program is based on the nature, duration, and severity of noncompliance. In some
cases, an agency may allow the bank to remedy the violation as part of the supervisory process.
In appropriate circumstances, however, an agency may take either informal or formal
enforcement actions to address violations of the BSA requirements.38

Systemic or Recurring Violations


Systemic or recurring violations of the BSA and its implementing regulations involve either a
substantial deficiency or a repeated failure to effectively and accurately record and report
information required under the BSA, if the errors or incompleteness impair the integrity of the
record or report, fail to adequately represent the transactions required to be reported, or impact
the effectiveness of the bank's suspicious activity monitoring and reporting processes. Systemic
violations are the result of ineffective systems or controls to obtain, analyze, and maintain
required information, or to report customers, accounts, or transactions, as required under various
provisions of the BSA. Recurring violations are repetitive occurrences of the same or similar
issues. Unlike isolated or inadvertent issues, systemic or recurring issues demonstrate a pattern
or practice of noncompliance with the BSA and its implementing regulations.

When evaluating whether violations represent a pattern or practice, examiners must analyze the
pertinent facts and circumstances. Repeated, regular, usual, or institutionalized practices will
typically constitute a pattern or practice. The totality of the circumstances must be considered
when assessing whether a pattern or practice exists.

Considerations in determining whether a pattern or practice exists include, but are not limited to:

Whether the number of violations is high when compared to the bank's total activity. This
evaluation usually is determined through a sampling of transactions or records. Based on
this process, determinations are made concerning the overall level of noncompliance.
However, even if the violations are few in number they could reflect systemic
noncompliance, depending on the severity (e.g., significant or egregious).

Whether there is evidence of similar violations by the bank in a series of transactions or
in different divisions or departments. This is not an exact calculation and examiners
should balance the number, significance, and frequency of violations identified
throughout the organization. Violations identified within various divisions or departments
may or may not indicate a systemic violation. These violations should be evaluated in a
broader context to determine if training or other compliance system weaknesses are also
present.

The relationship of the violations to one another (e.g., whether they all occurred in the
same area of the bank, in the same product line, in the same branch or department, or
with one employee).

The impact the violation or violations have on the bank's suspicious activity monitoring
and reporting capabilities.

Whether the violations appear to be grounded in a written or unwritten policy or
established procedure, or result from a lack of an established procedure.

Whether there is a common source or cause of the violations.

Whether the violations were the result of an isolated software problem in a BSA/AML
reporting software product and whether the bank has taken appropriate steps to address
the issue.

Systemic or recurring violations of the BSA could have a significant impact on the adequacy of
the bank's BSA/AML compliance program. When systemic instances of noncompliance are
identified, the examiner should consider the noncompliance in the context of the overall program
(internal controls, training, independent testing, responsible person) and refer to the Interagency
Enforcement Statement (refer to Appendix R) to determine whether the bank's BSA/AML
compliance program is deficient as a result of the systemic noncompliance. All systemic
violations should be brought to the attention of the bank's board of directors and management
and documented in the report of examination or supervisory correspondence.

Types of systemic or recurring violations may include, but are not limited to:

Failure to establish a due diligence program that includes a risk-based approach, and
when necessary, enhanced policies, procedures, and controls concerning foreign
correspondent accounts.

Failure to maintain a reasonably designed due diligence program for private banking
accounts for non-U.S. persons (as defined in 31 CFR 1010.620).

Frequent, consistent, or recurring late CTR or SAR filings.

A significant number of CTRs or SARs with errors or omissions of data elements.

Consistently failing to obtain or verify required customer identification information at
account opening.

Consistently failing to complete searches on 314(a) information requests.

Failure to consistently maintain or retain records required by the BSA.

Also, the Interagency Enforcement Statement provides that "[t]he Agencies will cite a violation
of the SAR regulations, and will take appropriate supervisory actions, if the organization's failure
to file a SAR (or SARs) evidences a systemic breakdown in its policies, procedures, or processes
to identify and research suspicious activity, involves a pattern or practice of noncompliance with
the filing requirement, or represents a significant or egregious situation."39

Isolated or Technical Violations


Isolated or technical violations are limited instances of noncompliance with the BSA that occur
within an otherwise adequate system of policies, procedures, and processes. These violations
generally do not prompt serious regulatory concern or reflect negatively on management's
supervision or commitment to BSA compliance, unless the isolated violation represents a
significant or egregious situation or is accompanied by evidence of bad faith. Multiple isolated
violations throughout bank departments or divisions can be indicative of systemic or recurring
system weaknesses or violations.

Corrective action for isolated violations is usually undertaken by the bank's management within
the normal course of business. All violations, regardless of type or significance, should be
brought to the attention of the bank's management and documented appropriately.

Types of isolated or technical violations may include, but are not limited to:

Failure to file or late filing of CTRs that is infrequent, not consistent, or nonrecurring.

Failure to obtain complete customer identification information for a monetary instrument
sales transaction that is isolated and infrequent.

Infrequent, not consistent, or nonrecurring incomplete or inaccurate information in SAR
data fields.

Failure to obtain or verify required customer identification information that is infrequent,
not consistent, or nonrecurring.

Failure to complete a 314(a) information request that is inadvertent or nonrecurring.

In formulating a written conclusion, the examiner does not need to discuss every procedure
performed during the examination. During discussions with management about examination
conclusions, examiners should include discussions of both strengths and weaknesses of the
bank's BSA/AML compliance. Examiners should document all relevant determinations and
conclusions.

EXAMINATION PROCEDURES
Developing Conclusions and Finalizing the Examination

Objective. Formulate conclusions, communicate findings to management, prepare report
comments, develop an appropriate supervisory response, and close the examination.

Formulating Conclusions

1. Accumulate all pertinent findings from the BSA/AML examination procedures performed.
Evaluate the thoroughness and reliability of any risk assessment conducted by the bank. Reach
a preliminary conclusion as to whether the following requirements are met:

The BSA/AML compliance program is effectively monitored and supervised in relation
to the bank's risk profile as determined by the risk assessment. The examiner should
ascertain if the BSA/AML compliance program is effective in mitigating the bank's
overall risk.

The board of directors and senior management are aware of BSA/AML regulatory
requirements, effectively oversee BSA/AML compliance, and commit, as necessary, to
corrective actions (e.g., audit and regulatory examinations).

BSA/AML policies, procedures, and processes are adequate to ensure compliance with
applicable laws and regulations and appropriately address higher-risk operations
(products, services, customers, entities, and geographic locations).

Internal controls ensure compliance with the BSA and provide sufficient risk
management, especially for higher-risk operations (products, services, customers,
entities, and geographic locations).

Independent testing (audit) is appropriate and adequately tests for compliance with
required laws, regulations, and policies. Overall audit coverage and frequency are
appropriate in relation to the risk profile of the bank. Transaction testing is adequate,
particularly for higher-risk banking operations and suspicious activity monitoring
systems.

The designated person responsible for coordinating and monitoring day-to-day
compliance is competent and has the necessary resources.

Personnel are sufficiently trained to adhere to legal, regulatory, and policy requirements.

Information and communication policies, procedures, and processes are adequate and
accurate.

All relevant determinations should be documented and explained.

Determine the Underlying Cause


2. Determine the underlying cause of policy, procedure, or process deficiencies, if identified.
These deficiencies can be the result of a number of factors, including, but not limited to, the
following:

Management has not assessed, or has not accurately assessed, the bank's BSA/AML
risks.

Management is unaware of relevant issues.

Management is unwilling to create or enhance policies, procedures, and processes.

Management or employees disregard established policies, procedures, and processes.

Management or employees are unaware of or misunderstand regulatory requirements,
policies, procedures, or processes.

Higher-risk operations (products, services, customers, entities, and geographic
locations) have grown faster than the capabilities of the BSA/AML compliance
program.

Changes in internal policies, procedures, and processes are poorly communicated.

3. Determine whether deficiencies or violations were previously identified by management or
audit or were only identified as a result of this examination.

Discuss Findings With Examiner in Charge and Identify Necessary Action

4. Discuss preliminary findings with the examiner in charge (EIC) or examiner responsible for
reviewing the bank's overall BSA/AML compliance. Document workpapers appropriately with
the following information:

A conclusion regarding the adequacy of the BSA/AML compliance program and
whether it meets all the regulatory requirements by providing the following:

o A system of internal controls.

o Independent testing for compliance.

o A specific person to coordinate and monitor the BSA/AML compliance
program.

o Training of appropriate personnel.

A conclusion as to whether the written CIP is appropriate for the bank's size, location,
and type of business.

Any identified violations and an assessment of the severity of those violations.


Identification of actions needed to correct deficiencies or violations.

If necessary, recommendations for supervisory actions. In addition, as necessary, confer
with agency supervisory management, and agency legal staff.

An appropriate rating based on overall findings and conclusions.

Findings that have been or will be discussed with bank management and, if applicable,
any bank commitment for improvements or corrective action.

Preparing the BSA/AML Comments for the Report of Examination

5. Document your conclusion regarding the adequacy of the bank's BSA/AML compliance
program. Discuss the effectiveness of each of these elements of the bank's BSA/AML
compliance program. Indicate whether the BSA/AML compliance program meets all the
regulatory requirements by providing the following:

A system of internal controls.

Independent testing for compliance.

A specific person to coordinate and monitor the BSA/AML compliance program.

Training of appropriate personnel.

The BSA/AML compliance program must also include a written Customer Identification
Program (CIP) appropriate for the bank's size, location, and type of business.

The examiner does not need to provide a written comment on every one of the following
items 6 through 13. Written comments should cover only areas or subjects pertinent to the
examiner's findings and conclusions. All significant findings must be included in the ROE. The
examiner should ensure that workpapers are prepared in sufficient detail to support issues
discussed in the ROE. To the extent that the following items are discussed in the workpapers,
but not the ROE, the examiner should ensure that the workpapers thoroughly and adequately
document each review, as well as any other aspect of the bank's BSA/AML compliance
program that merits attention, but may not rise to the level of being included in the ROE. The
examiner should organize and reference workpapers and document conclusions and supporting
information within internal databases, as appropriate. As applicable, the examiner should
prepare a discussion of the following items.

6. Describe whether the bank's policies and procedures for law enforcement requests for
information under section 314(a) of the USA PATRIOT Act (31 CFR 1010.520) meet
regulatory requirements.

7. If the bank maintains any foreign correspondent or private banking accounts for non-U.S.
persons, describe whether the bank's due diligence policies, procedures, and processes meet
regulatory requirements under section 312 of the USA PATRIOT Act (31 CFR 1010.610 and
1010.620).

8. Describe the board of directors' and senior management's commitment to BSA/AML
compliance. Consider whether management has the following:

A strong BSA/AML compliance program fully supported by the board of directors.

A requirement that the board of directors and senior management are kept informed of
BSA/AML compliance efforts, audit reports, any compliance failures, and the status of
corrective actions.

9. Describe whether the bank's policies, procedures, and processes for SAR filings meet the
regulatory requirements and are effective.

10. Describe whether the bank's policies, procedures, and processes for large currency
transactions meet the requirements of 31 CFR 1010.311 and 31 CFR 1010.313 and are
effective.

11. If applicable, describe whether the bank's policies, procedures, and processes for CTR
exemptions meet regulatory reporting requirements, appropriately grant exemptions, and use
the correct forms.

12. Describe whether the bank's funds transfer policies, procedures, and processes meet the
requirements of 31 CFR 1020.410(a) and 1010.410(f). Briefly discuss whether the policies,
procedures, and processes include effective internal controls (e.g., separation of duties, proper
authorization for sending and receiving, and posting to accounts), and provide a means to
monitor transfers for CTR reporting purposes.

13. Describe the bank's recordkeeping policies, procedures, and processes. Indicate whether
they meet the requirements of 31 CFR Chapter X.
