On July 22, 2019, the federal bank regulatory agencies1 and the U.S. Department of the Treasury’s Financial Crimes Enforcement Network (collectively, the “Agencies”), issued a Joint Statement on Risk-Focused Bank Secrecy Act/Anti-Money Laundering (BSA/AML) Supervision (Joint Statement). The Joint Statement emphasizes their risk-focused approach to examinations of banks’ BSA/AML compliance programs. The Joint Statement is the third statement from a working group tasked to improve the effectiveness and efficiency of the BSA/AML regime. The prior statements focused on encouraging banks to take innovative approaches to improving their BSA/AML compliance programs.2 Although the Joint Statement does not establish new requirements, it reminds banks of the Agencies’ risk-focused approach for scoping and performing BSA/AML examinations, and serves as additional guidance to banks in ensuring their BSA/AML compliance programs comply with BSA requirements and satisfy the Agencies’ expectations.
Pursuant to federal law and regulation, each bank must establish and maintain procedures reasonably designed to assure and monitor compliance with the BSA, and to develop and implement a BSA/AML program commensurate with the bank’s risk profile.3 The Agencies review the adequacy of a bank’s BSA/AML compliance programs during each examination cycle.4
The Joint Statement emphasizes that the scope of a BSA/AML examination will vary for each bank in accordance with that bank’s unique risk profile: “[e]xaminers evaluate the adequacy of a bank’s BSA/AML compliance program relative to its risk profile, and that bank’s compliance with applicable laws and regulations.”5 Examiners review the bank’s BSA/AML program to determine whether the bank has “developed and implemented effective processes to identify, measure, monitor, and control [the bank’s unique] risks.”6
The Joint Statement provides that the Agencies determine a bank’s risk profile by:
- leveraging available information, including the bank’s BSA/AML risk assessment, independent testing or audits, analyses and conclusions from previous examinations, and other information available through the off-site monitoring process or a request letter to the bank;
- contacting banks between examinations or prior to finalizing the scope of an examination; and
- considering the bank’s ability to identify, measure, monitor, and control risks.
The information obtained from assessing the bank’s risk profile assists examiners scoping and planning the examination, and initially evaluating the adequacy of the bank’s BSA/AML compliance program. The examiners review the bank’s BSA/AML risk assessment and independent testing to assess the bank’s ability to identify, measure, monitor, and control risks. Risk assessments and independent testing that properly consider and test all risk areas (including products, services, customers, and the geographic locations in which the bank operates and conducts business) are used in determining the examination procedures and transaction testing that examiners will perform.
In light of the Joint Statement, money laundering risk assessments and independent testing parameters, more than ever, now take on a prominent role in the BSA/AML examination process. Consequently, banks should ensure that their BSA/AML risk assessments are current and that independent testing and audits are adequate. BSA/AML risk assessments should accurately reflect the bank’s risk profile and evaluate the bank’s current products, services, customers, and all other applicable risk categories. The review does not produce a static result. BSA/AML risk assessments should be updated when there is a change in the bank’s risk profile (e.g., when new products and services are introduced, existing products and services change, higher-risk customers open or close accounts, the bank expands, etc.) or, in the absence of such changes, banks should periodically reassess their BSA/AML risk at least every 12 to 18 months. Furthermore, banks should ensure that their BSA/AML independent testing (i) is risk-based and evaluates the quality of risk management for all banking operations, departments and subsidiaries; (ii) is conducted by qualified independent parties; and (iii) is performed at a frequency commensurate with the bank’s risk profile. Banks should also ensure that prior BSA/AML audit and examination deficiencies/failures have been addressed or are reasonably being addressed.
The Joint Statement also addresses the Agencies’ concern of de-risking, which has resulted in some banks electing not to provide services to entire categories of customers to avoid BSA/AML risk associated with such customers. The Joint Statement reiterates the Agencies’ prior statements encouraging banks to mitigate risks by implementing controls commensurate with those risks rather than terminating entire categories of customer relationships: “banks are encouraged to manage customer relationships and mitigate risks based on customer relationships rather than declining to provide banking services to entire categories of customers.”7
Banks seeking assistance with the review and/or enhancement of their BSA/AML compliance programs including their BSA/AML risk assessments, or with BSA/AML audit or examination remediation, may contact any of the authors in this GT Alert or their GT counsel of preference. GT’s Financial Regulatory & Compliance team can assist with any questions regarding the Joint Statement and/or any other BSA/AML compliance matter.