13 July 2005

Federal Banking Agencies and FinCEN Jointly Issue Bank Secrecy Act/Anti-Money Laundering Compliance Examination Manual

Goodwin Procter LLP


As noted in the July 5, 2005 Alert, at the end of June, the FRB, FDIC, NCUA, OCC and OTS (the "Agencies") together with the Financial Crimes Enforcement Network ("FinCEN") jointly released an extensive Bank Secrecy Act ("BSA")/Anti-Money Laundering ("AML") Examination Manual (the "BSA Manual"). The BSA Manual codifies in one comprehensive document much of the BSA/AML compliance guidance previously issued by the Agencies and FinCEN. Importantly, the Agencies stated that the BSA Manual will be used by each of the Agencies in conducting BSA/AML examinations of the banking and thrift institutions ("banks") that they supervise.

The BSA Manual – which is over 300 pages long – provides a combination of narrative guidance, resource materials and BSA/AML examination procedures. In addition, as discussed below, there is guidance prepared jointly by the Agencies, FinCEN and the Office of Foreign Assets Control ("OFAC") related to OFAC sanctions and compliance programs. The following is a discussion, in question-and-answer format of our own creation, of the BSA Manual and the implications of its issuance to banks and other financial institutions.

1. What caused the Agencies and FinCEN to issue the BSA Manual?

Since the beginning of 2005, the Agencies and FinCEN have faced significant criticism from many quarters regarding their BSA examination and enforcement efforts. Specifically, bankers have expressed concern that the Agencies’ examiners have been applying a "zero tolerance" approach to AML deficiencies, which approach the banking community has regarded as counterproductive, since it fails to distinguish technical BSA issues from more significant problems. This approach also was blamed for, among other things, so-called "defensive filings" of Suspicious Activity Reports ("SARs"), which resulted when banks filed SARs not because they found a transaction worthy of reporting but because they feared regulatory criticism or worse for failure to report an activity. FinCEN Director William Fox and others in the regulatory community took heed of the problems and determined that one way to address the issues would be to issue interagency guidance that would both achieve consistent examination procedures and clarify examination standards.

2. What purpose does the BSA Manual serve? Does the BSA Manual create "new law" or change any existing BSA/AML requirements?

The BSA Manual is designed as a reference manual for both examiners and banks. The purpose of the BSA Manual, as noted in its introduction, is to "ensure consistency" in the application of BSA requirements among the Agencies. The BSA Manual also serves to inform depository institutions regarding compliance program requirements and examiner expectations. To this end, the BSA Manual outlines existing BSA requirements. It does not, however, create any new requirements; rather, the BSA Manual aims to clarify existing standards and ensure consistency.

Although it does not impose new standards, the BSA Manual gives important insight as to what the Agencies and FinCEN regard as industry best practices. Accordingly, banks should review the BSA Manual carefully to determine whether updates to their BSA/AML policies and procedures may be prudent. By outlining procedures that banks can expect examiners to follow when conducting BSA/AML examinations, the BSA Manual provides a good indicator of the practices regulators consider acceptable. Banks will not be required to follow all of the measures suggested by the BSA Manual, but they should consider whether such practices are appropriate given their risk profile, activities, and customers.

3. Should the issuance of the BSA Manual be viewed as a positive development by banks?

In general, we believe the issuance of the BSA Manual should be viewed as a positive development for the banking industry. The BSA Manual provides guidance on BSA/AML and OFAC compliance that generally is clearly written and that has been endorsed by the Agencies and FinCEN, as well as by OFAC and many state banking agencies. As a result, banks and their legal counsel and other advisers should be better able to predict examiners’ expectations for BSA/AML and OFAC compliance programs. Moreover, as a matter of convenience, it is useful that this guidance and the ancillary resources have been compiled in one comprehensive document.

Most importantly, in certain key areas of the BSA Manual (e.g., SAR filing and OFAC compliance), the Agencies, FinCEN and OFAC have clarified and affirmed that their examination focus is on the establishment of an effective compliance program and process, and the Agencies have explicitly disaffirmed a "zero tolerance" policy in which any compliance error automatically leads to regulatory sanctions.

One material potential negative is that the very plainly worded codification of this guidance may provide litigators with additional ammunition for claims that a bank and its board of directors failed to maintain an effective compliance system (and the board members breached their duty of care) because they failed to establish, document, test or correct a particular compliance practice.

4. How is the BSA Manual organized and what topics does it cover?

The BSA Manual is organized into five main sections: 1) an Introduction; 2) a Core Overview; 3) an Expanded Overview; 4) Core Examination Procedures; and 5) Expanded Examination Procedures. Additionally, the BSA Manual contains significant appendices, which provide relevant and useful tools for use in developing and maintaining a BSA/AML compliance program. The following is a brief description of each section and the topics covered:

  • Introduction: The "Introduction" to the BSA Manual is designed to provide an overview and offers a description of the structure of the BSA Manual and how its sections work together. Additionally, the Introduction contains a useful history of AML statutes and regulations and a description of the role each of the Agencies plays in the fight against money laundering and terrorist financing.
  • Core Overview: The "Core Overview" section provides narrative guidance relating to the legal and regulatory elements of BSA compliance that the Agencies and FinCEN have determined to be core elements of a BSA/AML compliance program. The Core Overview also prescribes a scoping and planning process that all examiners should go through in preparing for an examination prior to entering a bank. This part of the BSA Manual, thus, can be a significant tool for banks planning for BSA/AML examinations.
  • Expanded Overview: The "Expanded Overview" section of the BSA Manual is designed to address the specific risks associated with identified high-risk products, services, persons and entities. The Expanded Overview provides a description of the relevant risk factors associated with each of the identified areas and certain compensating controls and risk mitigants.
  • Core Examination Procedures: The "Core Examination Procedures" section prescribes specific examination procedures relating to the core elements of a bank’s BSA/AML compliance program identified in the Core Overview. The Core Examination Procedures go on to prescribe a process for examiners to develop conclusions and finalize examinations. This process includes 15 explicit items that must be covered in the Report on Examination.
  • Expanded Examination Procedures: The "Expanded Examination Procedures" section prescribes specific procedures to be followed by examiners in their review of banks that engage in the specific functions that are identified by the Expanded Overview, above.
  • Appendices: Lastly, the BSA Manual contains 17 appendices identifying documents and tools relevant to a bank’s BSA/AML compliance program. Several of the documents contained in the Appendices are highly useful. Among them is an appendix that sets forth the elements that may be included in a request letter from examiners to banks at the outset of an examination and other appendices that give guidance on risk matrices and on SAR quality.

5. Does the BSA Manual endorse a risk-based approach to AML compliance and, if so, what does the BSA Manual say about risk assessments?

Yes, the BSA Manual advocates a risk-based approach to BSA/AML compliance. The BSA Manual states that each bank must have a compliance program tailored to the particular money laundering risks it faces. In determining risks, the bank must weigh a number of factors, including its customer base, its product offerings, and its geographic reach. Each risk factor must be weighted depending on the relevant circumstances. Banks must be certain to consult with all business lines to have a comprehensive view of the risk of money laundering and terrorist financing across the organization.

To assist banks in developing an effective BSA/AML risk assessment process, the BSA Manual provides a graphic depiction of how an adequate risk assessment would map to the requirements of a BSA/AML compliance program. This mapping document can be found at Appendix I. Additionally, the BSA Manual provides a "Quantity of Risk Matrix" and a "Quantity of Risk Matrix OFAC Procedures" that are designed to assist banks in determining the risk of the attendant products, services and business. These can be found at Appendices J and M of the BSA Manual, respectively.

Beyond advocating a risk-based compliance program, the BSA Manual requires that if, in the course of an examination, an examiner finds that a bank has not made a risk assessment of its businesses, the examiner must discuss this fact with management before proceeding to complete a risk assessment on his or her own. Additionally, the BSA Manual provides that banks must periodically reassess the risk of each account, product or service depending on the relevant factors and circumstances.

6. One area of particular controversy recently has been the filing of SARs. Does the BSA Manual say anything about the filing of SARs?

The BSA Manual includes an extensive discussion concerning the filing of SARs. The BSA Manual stresses that SAR filing policies, procedures and processes should take into account all information concerning the subject of the potential SAR available at a bank from all lines of the bank’s business and that, where applicable, information to be evaluated and considered includes criminal subpoenas, National Security Letters and other governmental requests for information.

The BSA Manual also instructs that examiners "should focus on evaluating a bank’s policies, procedures and processes to identify and research suspicious activity," rather than on a bank’s decision with respect to any individual SAR. Accordingly, a bank "should not be criticized for the failure to file a SAR unless the failure is significant or accompanied by evidence of bad faith," and an examiner should not substitute his or her own judgment for the bank’s as to the propriety of filing an individual SAR.

This guidance is intended to alleviate concerns that are leading to "defensive SAR filings," and the Agencies and FinCEN explicitly recognize the subjective nature of a bank’s judgments in determining whether or not to file any particular SAR. While the recognition that the SAR filing process is an art rather than a science is helpful, it also must be noted that the ‘significance’ of a bank’s decision not to file a SAR will be reviewed by the Agencies, FinCEN and the enforcement authorities with hindsight and, in that light, a bank takes a risk -- albeit a diminished risk after the issuance of the BSA Manual -- when it determines in a "close-call" situation not to file a SAR.

7. What does the BSA Manual state about independent testing of BSA/AML compliance?

The BSA Manual recognizes that "independent testing" is an important part of a bank’s BSA/AML compliance program. The BSA Manual directs examiners to assess the results of the applicable bank’s independent testing program as part of their scoping and planning process for each examination. The scope and quality of the independent testing program are strong factors in determining the scope of the examination, and the work papers from such independent testing may provide examiners with a sense of the particular strengths and weaknesses of the bank. Additionally, the BSA Manual makes clear that a well-documented independent testing program can reduce the burden on staff during an examination.

There is no specific requirement for the frequency of the independent testing; however, the BSA Manual indicates that sound practice requires that testing be conducted on at least an annual basis. The testing program should have a risk-based focus and evaluate the quality of money laundering and terrorist financing risk management for all banking operations, departments and subsidiaries while taking into account the bank’s size, complexity, scope of activities, risk profile, quality of control functions, geographic diversity and use of technology.

Lastly, the independent testing program must be documented and tracked as if it were a formal audit program. Violations and deficiencies must be documented, and findings must be reported to the bank’s board of directors.

8. What does the BSA Manual say about compliance with the sanctions regimes administered by OFAC and is it significant that OFAC sanctions are covered by the BSA Manual?

The BSA Manual contains a useful discussion of OFAC rules and sanctions. As noted above, OFAC collaborated with the Agencies and FinCEN in developing the overview of OFAC requirements and OFAC examination procedures.

While recognizing that there are no specific regulations explicitly requiring banks to establish an OFAC program, the BSA Manual states that OFAC compliance requirements overlap with BSA/AML requirements and provides for the first time that, as a matter of sound banking practice, a bank should establish and maintain an effective, written OFAC program that reflects its OFAC risk profile. In addition, as noted above, Appendix M to the BSA Manual contains guidance to examiners on how they should assess a bank’s OFAC risk profile.

The BSA Manual states that OFAC will take into consideration the strength of a bank’s OFAC compliance policy, procedures and program when it determines whether to assess sanctions on a bank for doing business with a prohibited entity or person. In discussing the internal controls that a bank should employ when establishing and maintaining an OFAC compliance program, the Agencies stress: 1) the flagging and review of suspect transactions; 2) the timely updating of OFAC lists; 3) the timely reporting of validly blocked or rejected items under OFAC sanction programs and the filing of SARs, where appropriate; and 4) the maintenance on file of copies of customers’ OFAC licenses.

Since OFAC compliance and BSA/AML compliance issues overlap and often are the responsibility of the same group of bank employees, it is significant and helpful to the banking industry that the BSA Manual reflects OFAC compliance issues. It also is significant because prior to the issuance of the BSA Manual, written material covering OFAC compliance was sparse.

9. Does the BSA Manual distinguish between the examination procedures for (and related enforcement actions against) small and large banks?

The BSA Manual does not specifically distinguish between small banks and larger banking organizations, but the BSA Manual does provide specific guidance and procedures for (presumptively larger) banking organizations that choose to enter into "Enterprise Wide" BSA/AML compliance programs.

While there currently are no mandates to create such an Enterprise Wide solution, and the BSA Manual does not create any, many large banking organizations have found such a program to be integral to protecting the overall institution from money laundering and to mitigating the overall organization’s risk of violating BSA/AML regulatory requirements. Much like the consolidated credit, market, and operational risk systems that large banking organizations have implemented, an Enterprise Wide BSA/AML compliance program can coordinate the specific regulatory requirements across a broad organization, allowing the banking organization to have a consolidated understanding of its AML risk.

For those institutions that choose to implement an Enterprise Wide approach, the BSA Manual gives some guidance as to what the program should include. First, the Enterprise Wide program should include the designation of a central point where the BSA/AML risks can be aggregated and reviewed. An Enterprise Wide program, like that of an individual bank, must be risk based and take into account all the relevant factors including the accounts and services, customers or entities, and size and complexity of the organization, as well as its legal structure. Additionally, the program must either account for all of the relevant regulatory requirements specific to each branch or subsidiary, or be clear that each branch or subsidiary is responsible for those requirements. The program also must consider the requirements of all the jurisdictions within which the banking organization operates (including international requirements). The BSA Manual notes that it is critical that examiners understand which elements of the BSA/AML compliance program are managed on an Enterprise Wide basis and which elements are managed at the individual institution level.

10. What are the implications for board of director oversight of BSA/AML Programs?

The BSA Manual makes clear that a bank’s board of directors must provide effective oversight of the bank’s BSA/AML program. Examiners are instructed that the board, acting through senior management, is ultimately responsible for ensuring that the bank maintains an effective BSA/AML internal control structure. To this end, the board and management are expected to create a culture of compliance to ensure staff adherence to the bank’s BSA/AML policies, procedures, and processes. The board also is expected to be informed of changes and new developments in the BSA and its implementing regulations. The board retains these responsibilities even when it has designated an employee to serve as BSA compliance officer.

11. What other noteworthy issues are addressed in the BSA Manual?

In addition to the issues noted above, the BSA Manual addresses other BSA compliance requirements, including other reporting requirements, customer identification program elements, rules applicable to foreign correspondent accounts, and procedures for sharing information with law enforcement agencies and other financial institutions.

The BSA Manual also addresses special areas not addressed directly by BSA regulations. In particular, the BSA Manual outlines examination procedures for specific types of activities and business lines, including electronic banking and payment services, various deposit and non-deposit account services, lending activities, trade finance, private banking, and trust and asset management services. For each of these areas, the BSA Manual’s guidance to examiners should be viewed as an indicator of regulatory expectations for the activity or business.

Another area addressed by the BSA Manual is the Agencies’ expectations with regard to AML compliance by foreign branches and offices of U.S. banks. The BSA Manual states that AML policies, procedures, and processes at foreign offices or branches of a U.S. bank should comply with local requirements and be consistent with the U.S. bank’s standards. As with its U.S. operations, a bank will be expected to have policies and procedures for foreign offices or branches that are appropriate to their respective risk profile. However, the BSA Manual also explains that the bank may need to tailor its AML program to address specific local or business practices.

12. Will the SEC examiners follow the BSA Manual? Has the SEC indicated any interest in AML compliance?

The BSA Manual, by its terms, does not apply to SEC-registered entities, such as broker-dealers, mutual funds, and investment advisers, and the SEC is not a co-signatory to the BSA Manual. Accordingly, as a legal matter, the SEC and its examiners are not bound by the document.

That said, the BSA Manual evidences careful thinking by regulators, including OFAC and FinCEN, on various BSA/AML and OFAC issues and is the most explicit statement to date on best practices and regulatory expectations. Moreover, FinCEN has repeatedly indicated its interest in ensuring that BSA requirements apply uniformly across the financial services industry and has issued rules, such as with respect to customer identification programs, that are the same for broker-dealers, banks, mutual funds, and other financial services providers. To this end, the BSA Manual should be viewed as a valuable resource tool for non-bank financial institutions.

The fact that the SEC is not a co-signatory to the BSA Manual does not indicate its lack of interest in BSA/AML compliance. To the contrary, the SEC and the Self-Regulatory Organizations ("SROs"), such as the National Association of Securities Dealers, have made clear that BSA/AML compliance is one of their top regulatory priorities. Indeed, press reports have indicated that the SEC’s Office of Compliance Inspections and Examinations has added AML/BSA reviews to routine broker-dealer examinations. Moreover, staff at the SEC and the SROs have been cited as saying that enforcement actions are on their way for broker-dealers and other SEC-registered entities that have material AML/BSA compliance deficiencies.

13. Will there be banking agency and/or FinCEN follow up to the BSA Manual?

The Agencies and FinCEN have planned a series of events to brief the banking industry and field examiners about the BSA Manual. The first of these events will be a series of two-hour nationwide conference calls scheduled for August 2, 3, and 4 at 1:00 pm EDT. Later in August, the banking agencies and FinCEN also will conduct half-day regional outreach meetings in San Francisco, Dallas, Chicago, New York, and Miami. The New York regional outreach event, which will take place on August 22 at 9 am EDT, will be simulcast over the Internet. Information on how banking organizations can register for these events is expected to be released soon.

* * * * * * *

The Alert will monitor updates and modifications to the BSA Manual, its impact on future enforcement actions and litigation, and parallel developments concerning BSA/AML compliance in the securities industry.

Goodwin Procter LLP is one of the nation's leading law firms, with a team of 650 attorneys and offices in Boston, New York and Washington, D.C. The firm combines in-depth legal knowledge with practical business experience to deliver innovative solutions to complex legal problems. We provide litigation, corporate law and real estate services to clients ranging from start-up companies to Fortune 500 multinationals, with a focus on matters involving private equity, technology companies, real estate capital markets, financial services, intellectual property and products liability.

This article, which may be considered advertising under the ethical rules of certain jurisdictions, is provided with the understanding that it does not constitute the rendering of legal advice or other professional advice by Goodwin Procter LLP or its attorneys. (c) 2005 Goodwin Procter LLP. All rights reserved.
