Inactive Financial Institution Letters
May 14, 1996
TO: CHIEF EXECUTIVE OFFICER
SUBJECT: Guidelines for Monitoring Bank Secrecy Act Compliance
The Federal Deposit Insurance Corporation (FDIC) recently revised its May 18, 1987, guidelines for monitoring Bank Secrecy Act (BSA) compliance. These new guidelines are attached.
On May 18, 1987, the FDIC issued a policy statement entitled "Guidelines for Monitoring Bank Secrecy Act Compliance." The guidelines included the steps that banks should take to comply with Section 326.8 of the FDIC's Rules and Regulations, which governs procedures within the bank to ensure compliance with Treasury Department rules, as well as a copy of the FDIC's BSA compliance examination procedures. While the 1987 policy statement will be rescinded, the guidelines have been updated. The FDIC recently adopted revised BSA examination procedures developed by an interagency working group, which are included in the attached revised guidelines.
In addition to the new BSA examination procedures, the revised guidelines include further instructions on independent testing, training, and designating an individual or individuals to be responsible for coordinating and monitoring compliance with the Bank Secrecy Act, as well as a brief section on "Know Your Customer" policies.
The FDIC's compliance requirements are separate from the substantive reporting and recordkeeping requirements of the Bank Secrecy Act and 31 C.F.R. 103. Banks must have an effective compliance program that not only meets the minimum requirements of the FDIC's rule, but addresses the specific circumstances of each banking office. For example, banks operating from numerous locations and banks with offices in border areas or in areas where money laundering or drug trafficking is prevalent must have in place extensive controls, plans and procedures beyond the minimum regulatory requirements.
The true test of any compliance program's effectiveness is its ability to prevent violations. If examiners find numerous or serious violations of the Treasury Department's regulations, the bank's compliance program will likely be judged inadequate, and violations of Section 326.8 will be cited.
The independent testing requirement contained in Section 326.8 demands the use of examination procedures by auditors, outside parties or employees who are independent of the currency transaction reporting function. The FDIC's examination procedures may be used as a model for developing such procedures within the banking organization. It is essential that the scope of any testing procedures as well as the results of those procedures be thoroughly documented. In most cases, this will involve retaining workpapers from internal and/or external audits of BSA compliance. Procedures that are not adequately documented will not be accepted as being in compliance with the independent testing requirement.
Repeated violations of Section 326.8 may result in a cease and desist order against the bank by the FDIC. Failure to comply with such an order may result in the assessment of civil money penalties. The FDIC reports to the Treasury Department all BSA violations discovered during each examination. Those violations are reviewed by Treasury for possible civil money penalty assessment.
Beginning February 19, 1996, the FDIC's Division of Supervision officially assumed full responsibility for BSA examinations from the Division of Compliance and Consumer Affairs. Questions regarding the attached guidelines, or the examination procedures incorporated within the guidelines, should be addressed to your Division of Supervision Regional Office.
Nicholas J. Ketcha Jr.
Financial Recordkeeping and Reporting Regulations Examination Procedures 31 C.F.R. 103
Distribution: FDIC-Supervised Banks (Commercial and Savings)
GUIDELINES FOR MONITORING BANK SECRECY ACT COMPLIANCE
Section 326.8 of the FDIC's Rules and Regulations requires banks to develop and administer a program to assure compliance with the Bank Secrecy Act (BSA) and 31 C.F.R. 103. The compliance program must be in writing, approved by the bank's board of directors and noted in the minutes.
Section 326.8(c) sets out four minimum requirements of the compliance program. To meet the minimum requirements, a bank's compliance program should include:
The compliance testing should include, at a minimum:
It is essential that the scope of any testing procedures, and the results of those procedures, be thoroughly documented. In most cases, this will involve retention of workpapers from internal and/or external audits of BSA compliance. Procedures that are not adequately documented will not be accepted as being in compliance with the independent testing requirement.
In addition, an overview of the BSA requirements should be given to new employees and efforts should be made to keep executives informed of changes and new developments in BSA regulation.
Depending on the bank's needs, training materials can be purchased from banking associations, trade groups or outside vendors, or they can be developed by the bank. Copies of the training materials must be available in the bank for review by examiners.
An effective "Know Your Customer" policy also is essential to compliance with the BSA and may aid in preventing the financial institution from becoming a conduit for a money laundering scheme. A "know your customer" policy consists of procedures that require proper identification of every customer at the time an account is opened in order to prevent establishment of fictitious accounts. The primary objective of such a policy is to enable the financial institution to predict, with relative certainty, the types of transactions the customer is likely to be engaged in. Internal systems should then be developed for monitoring transactions which are inconsistent with each customer's "transaction profile". In addition, the bank's employee education program should provide examples of customer behavior or activity which may warrant investigation.