From willful violation of the requirement to maintain an Anti-Money Laundering (AML) program to failure to conduct risk assessments, the growing number of Bank Secrecy Act (BSA) and AML enforcement actions can strike fear in the hearts of even the most compliant credit union.
As with any anxiety, though, the path to squelching that fear is paved with preparation.
Taking the following steps in the weeks and months prior to a BSA/AML exam will go a long way toward increasing staff—and examiner—confidence in your credit union’s compliance.
1. Ensure your risk assessment is current
Examiners will want to see that your assessment covers all lines of business and includes any new products, services, or locations that have been added in recent months.
Also check that your assessment results in risk ratings (both individual and overall) and that your process includes sending the assessment to your board of directors for approval.
2. Check policies for completeness
Confirm the existence of policies for every product and service your credit union offers, and make sure your board reviews and approves those policies at least annually. Continuity in BSA staffing and the “four pillars of BSA” are examples of crucial, do-not-miss policies.
Those four pillars are internal controls, independent testing, designated BSA officer, and training.
3. Review internal controls
Start by identifying each of the credit union’s operation areas. Then, check to see that an employee has been designated as BSA officer, that this person is current with any new regulations, and that all employees have been (and will continue to be) provided with training appropriate to their specific job duties.
That training should include implementation of risk-based customer/member due diligence procedures, identification and reporting of suspicious activity, and information on the BSA expectations that have been incorporated into job descriptions and performance evaluations.
4. Dig into training curriculum
Inadequate training is a frequently cited BSA deficiency. Credit unions are expected to maintain documentation of regulatory compliance and internal policies/procedures training.
That documentation must note the training’s content, as well as its results, for both employees and board members. Ensure, as a best practice, that your credit union is providing training within a new employee’s first 30 days and no less than annually thereafter.
Check to be sure your BSA officer(s) receive separate periodic training.
5. Look at your last independent test
Examiners will be especially interested in any corrective action you have taken based on the outcomes of your prior year’s independent test.
Best practices dictate that your independent tests are conducted annually and by qualified parties. If your credit union has chosen to conduct those tests internally, be prepared to demonstrate the independence of the employee doing the test.
6. Double check scope of independent test
Watch out for missing components in your independent test.
Does it cover all lines of the business? Is transactional testing sufficient, and does it include a description of the sample population examined? Are tests being conducted at least every 18 months with outcomes reported to the board?
Here again, the action your credit union takes on findings will be incredibly important to have on hand for the examiner. Ensure your responses to findings have been documented and that all deficiencies were corrected.
The Federal Financial Institutions Examination Council’s BSA/AML Exam Handbook is a useful tool to have on hand for checking the scope of your independent test.
7. Deep dive into OFAC
Your credit union’s compliance with Office of Foreign Assets Control (OFAC) regulations is paramount. Test your OFAC-monitoring software to be sure it is working, and document those checks.
It’s not uncommon for a credit union to miss certain transactions, such as safe deposit box transactions and those by credit union employees, in its OFAC compliance program. Ensure all covered transactions are being properly monitored.
8. Follow CIP and EDD rules
Verify your credit union is obtaining the proper type of documentation at the time of account opening. This includes executing enhanced due diligence (EDD) procedures for high-risk members.
Find out if any accounts opened with member identification program exceptions were resolved. It’s also smart to review core processing or BSA software reports to ensure there is no missing data.
If you have contracted with a third party to manage your customer identification program (CIP), check to see there is a written agreement in place covering BSA requirements.
9. Ensure suspicious activity triggers action
Be certain your employees are using adequate processes to identify suspicious activity across all lines of the business.
Do they review automated reports? What about manual reports? Do your processes account for suspicious activity by employees? Is there a procedure in place that dictates ongoing monitoring of members for whom suspicious activity reports (SARs) are filed?
Make sure all of this is documented, along with the reviews, analysis and research outcomes of all suspicious incidents (even when those incidents did not generate a SAR filing).
10. Review 314(a) and 314(b) procedures
You should be maintaining documentation to show required records are being searched.
Make sure that is happening and that all records are kept in a secured location, such as a locked cabinet or password-protected folder.
Also, ensure 314(b) notification forms filed with FinCEN contain an effective date within the last 12 months.
11. Review CTR
Your currency transaction reporting (CTR) forms are expected to be completed accurately and on time.
Make sure staff are comfortable with these forms, that they understand the importance of filing them in a timely manner, and that they are aware of relevant CTR exemption processes and procedures.
Be sure internal controls are in place to identify all transactions subject to a CTR.
12. Understand high-risk member procedures
Is there an adequate process in place for both identifying and monitoring high-risk members, as well as documenting the outcomes?
You will want to ensure your credit union is maintaining a list of such members and monitoring their activity on a periodic basis.
Be sure you are also following procedures to identify risk criteria, such as activity or business type.
13. Scrub the data
Regular data validation tests are a must, particularly in this age of constant system updates and software patches.
Verify data pulled into your core system maintains its integrity. If any issues have been identified, be able to prove corrective actions.
In recent years, examiners have found certain transactions missing from BSA/AML software. They have also noted incorrect mapping and inaccurate risk ratings for transactions.
Put a system expert in charge of ensuring all is well with your software on a continual basis.
Preparing for a BSA exam can be daunting. But, if you follow these 13 steps, you will be well on your way to a successful exam.