the risk management blog

5 Key Components of a BSA/AML Compliance Program

by Lowers & Associates | April 24, 2015

You are most likely familiar with the Financial Crimes Enforcement Network (FinCEN), which is a bureau of the Treasury Department. FinCEN’s mission is “to safeguard the financial system from illicit use and combat money laundering and promote national security” through the use of financial services information.

Bank Secrecy Act (BSA) Anti-Money Laundering (AML) regulations previously applied to banks and credit unions, but over the past three decades the law has been expanded to cover a very wide array of financial institutions, maybe even yours. Today, FinCEN maintains webpages for money services businesses (MSB), depository institutions, the insurance industry, securities and futures, casinos, and more.

The basic components of a BSA/AML compliance program include:

1. Risk Assessment
2. Internal Controls Review
3. Independent Testing (Audit)
4. BSA/AML Compliance Officer
5. BSA/AML Compliance Training

1. Risk Assessment

The many different kinds of financial institutions have different risk profiles, and each institution in a group differs from the others in the group. FinCEN recognizes this variation and does not expect a one-size-fits-all compliance program. Nevertheless, each institution is expected to create and maintain an effective compliance program that fits its risk profile.

Therefore, the risk assessment is the crucial first step in developing a compliance program. Institutions should carefully identify the risks inherent in their business, looking at products and services, customers, and geographic locations. Each of these risk categories should then be evaluated, with the aggregation of the risks yielding the risk profile.

2. Internal Controls Review

The internal controls review should evaluate the policies, procedures, and processes of the financial institution with respect to their ability to achieve AML compliance. This set of practices amounts to the Anti-Money Laundering Program (AMLP) of the institution, and will cover both personnel and structural elements.

Internal responsibilities should be clear, and procedures should adhere to secure standards like dual controls and segregation of duties. Mandated reporting is at the heart of AML regulations, so systems have to be designed to generate these reports, and record keeping and retention are critical.

3. Independent Testing (Audit)

A basic principle of risk management is to include independent, third-party audits in the system review. For AML compliance, a review every 12 to 18 months—and possibly less for higher-risk financial institutions—is the recommended best practice. This should be a risk-based audit that is responsive to the organization’s risk profile.

4. BSA/AML Compliance Officer

Every institution’s Board should designate a BSA/AML compliance officer. While this person may not be part of the C-suite, he or she should be an expert in BSA/AML regulations, have the ability and resources to design and implement a program, and ensure that both the Board and senior management are aware of the organization’s compliance status.

5. BSA/AML Compliance Training

Many employees of a covered institution should be trained in appropriate parts of the BSA/AML program. In general, the anti-money laundering responsibility of the organization should be communicated to every employee, and those people whose jobs place them in a specific risk category should be aware of how mandated reporting and responsibilities apply. This training should be reviewed periodically, especially when people change jobs.

The Compliance Officer should be fully trained and given frequent opportunities for refreshers. Senior management should receive enough training to model a “culture of compliance” and understand the importance of the internal reviews, audits, and compliance reports they receive.

BSA/AML compliance (and compliance with the Office of Foreign Assets Control, if applicable) is becoming an inescapable component of running a financial institution of almost any kind. Like most aspects of risk management, an effective program is built on careful analysis and systematic review. Over time, these programs will not only reduce compliance risk, but will also promote best practices for fraud control, workforce quality, and long-term profitability.

ABOUT THE AUTHOR

Lowers & Associates provides comprehensive enterprise risk management solutions to organizations operating in high-risk, highly-regulated environments and organizations that value risk mitigation.