On September 28, the Office of the Comptroller of the Currency (OCC), which regulates national banks and federal savings associations (collectively, banks), issued a bulletin that changes how deficiencies in Bank Secrecy Act and Anti-Money Laundering (BSA/AML) examination findings are assessed by examiners. This bulletin summarizes refinements to the Federal Financial Institutions Examination Council’s (FFIEC) Uniform Rating Systems and the OCC’s risk assessment system (RAS) for banks, and the risk management, operational controls, compliance and asset quality (ROCA) ratings and RAS for federal branches and agencies of foreign banking organizations.
OCC's guidance stated that "these refinements reflect the OCC’s longstanding policy that weaknesses in a bank’s BSA/AML program are serious safety and soundness concerns that require management’s prompt attention," and further stated:
Consumer Compliance Rating
Effective July 18, 2012, examiners no longer consider BSA/AML examination findings when assigning a rating under the FFIEC Uniform Interagency Consumer Compliance Rating System. This change aligns the OCC’s policy with those of the other federal banking agencies.
Management Component Rating
In keeping with current policy, examiners consider BSA/AML examination findings in a safety and soundness context when assigning the management component of the FFIEC Uniform Financial Institutions Rating System (CAMELS ratings). Serious deficiencies in a bank’s BSA/AML compliance create a presumption that the bank’s management component rating will be adversely affected because its risk management practices are less than satisfactory.
Risk Management and Compliance Component Ratings of ROCA
In keeping with current policy, examiners consider BSA/AML examination findings in a safety and soundness context when assigning the risk management component of the ROCA rating system for federal branches and agencies. Serious deficiencies in a branch or agency’s BSA/AML compliance create a presumption that the branch or agency’s risk management component rating will be adversely affected because its risk management practices are less than satisfactory. Examiners also continue to consider BSA/AML examination findings when assigning the compliance component rating of ROCA. This treatment is consistent with the other federal banking agencies and reflects that the compliance component of ROCA is not limited to consumer compliance but rather compliance with all regulatory requirements.
Risk Assessment System
While examiners no longer consider BSA/AML examination findings when assigning the interagency consumer compliance rating, BSA/AML findings are still considered when assessing compliance risk under the OCC’s RAS. Compliance risk reflects a bank’s compliance with all applicable laws and regulations. The overall quantity of risk and quality of risk management related to BSA/AML compliance, as well as the four pillars of a bank’s BSA/AML program, are considered in assessments of compliance risk. BSA/AML examination findings should also continue to be reflected in assessments of reputation, strategic, and operational risks, as warranted.